Undeniable signature
Undeniable signature is a digital signature scheme and implementation which extends the ability for the signer to select to whom they verify the signature. The scheme adds signature repudiation preventing the signer from simply refusing to verify signatures. It was invented by David Chaum and Hans van Antwerpen in 1989.[1]
Overview
In this scheme, a signer possessing a private key can publish a signature of a messages. However, the signature reveals nothing to a recipient/verifier of the message and signature without taking part in either of two interactive protocols:
- Confirmation protocol, which confirms that a candidate is a valid signature of the message issued by the signer, identified by the public key.
- Disavowal protocol, which confirms that a candidate is not a valid signature of the message issued by the signer.
The motivation for the scheme is to allow the signer to determine to whom he verifies or disavows a signature, and it is the interactive nature of the protocols that allows this; i.e., the result of each protocol is non-transferable. However, if there were only a confirmation protocol, there would be no way to distinguish between:
- the case that the signature is not a valid signature by the signer at issue, and
- the case that the signature was a valid signature by the signer at issue, but the signer now chooses not to take part in verification.
The disavowal protocol provides an interactive (i.e., non-transferable) proof of the former case.
The designated verifier signature scheme improves upon deniable signatures by allowing, for each signature, the interactive portion of the scheme to be offloaded onto another party, a designated verifier, reducing the burden on the signer.
Zero-knowledge
A zero-knowledge undeniable signature scheme has the additional property that both parties can create transcripts of both confirmation and disavowal that are indistinguishable, to a third-party, of correct exchanges.
Protocol
The following protocol was suggested by David Chaum.[2]
A group, G, is chosen in which the discrete logarithm problem is intractable, and all operation in the scheme take place in this group. Commonly, this will be the finite cyclic group of order p contained in Z/nZ, with p being a large prime number; this group is equipped with the group operation of integer multiplication modulo n. An arbitrary primitive element (or generator), g, of G is chosen; computed powers of g then combine obeying fixed axioms.
Alice generates a key pair, randomly chooses a private key, x, and then derives and publishes the public key, y = gx.
Message signing
- Alice signs the message, m, by computing and publishing the signature, z = mx.
Confirmation (i.e., avowal) protocol
Bob wishes to verify the signature, z, of m by Alice under the key, y.
- Bob picks two random numbers: a and b, and uses them to blind the message, sending to Alice:
- c = magb.
- Alice picks a random number, q, uses it to blind, c, and then signing this using her private key, x, sending to Bob:
- s1 = cgq and
- s2 = s1x.
- s1x = (cgq)x = (magb)xgqx = (mx)a(gx)b+q = zayb+q.
- Bob reveals a and b.
- Alice verifies that c is not dishonest and was computed from a and b, then reveals q.
- Bob verifies s1 = cgq, proving q has not been chosen dishonestly, and
- s2 = zayb+q,
- zayb+q = (mx)a(gx)b+q.
Alice can cheat at step 2 by attempting to randomly guess s2.
Disavowal protocol
Alice wishes to convince Bob that z is not a valid signature of m under the key, gx; i.e., z ≠ mx. Alice and Bob have agreed an integer, k, which sets the computational burden on Alice and the likelihood that she should succeed by chance.
- Bob picks random values, s ∈ {0, 1, ..., k} and a, and sends:
- v1 = msga and
- v2 = zsya,
- v2 = zsya = (mx)s(gx)a = v1x.
- Alice, using her private key, computes v1x and then the quotient,
- v1xv2−1 = (msga)x(zsgxa)−1 = msxz−s = (mxz−1)s.
- Alice then tests v1xv2−1 for equality against the values:
- (mxz−1)i for i ∈ {0, 1, …, k};
- Alice commits to i: she picks a random r and sends hash(r, i) to Bob.
- Bob reveals a.
- Alice confirms v1 and v2 are honest (i.e., can be generated using a) then reveals r.
- Bob checks hash(r, i) = hash(r, s), proving Alice knows s, hence z ≠ mx.
If Alice attempts to cheat at step 3 by guessing s at random, the probability of succeeding is 1/(k + 1). So, if k = 1023 and the protocol is conducted ten times, her chances are 1 to 2100.