Undeniable signature

Undeniable signature is a digital signature scheme and implementation which extends the ability for the signer to select to whom they verify the signature. The scheme adds signature repudiation preventing the signer from simply refusing to verify signatures. It was invented by David Chaum and Hans van Antwerpen in 1989.[1]

Overview

In this scheme, a signer possessing a private key can publish a signature of a messages. However, the signature reveals nothing to a recipient/verifier of the message and signature without taking part in either of two interactive protocols:

The motivation for the scheme is to allow the signer to determine to whom he verifies or disavows a signature, and it is the interactive nature of the protocols that allows this; i.e., the result of each protocol is non-transferable. However, if there were only a confirmation protocol, there would be no way to distinguish between:

The disavowal protocol provides an interactive (i.e., non-transferable) proof of the former case.

The designated verifier signature scheme improves upon deniable signatures by allowing, for each signature, the interactive portion of the scheme to be offloaded onto another party, a designated verifier, reducing the burden on the signer.

Zero-knowledge

A zero-knowledge undeniable signature scheme has the additional property that both parties can create transcripts of both confirmation and disavowal that are indistinguishable, to a third-party, of correct exchanges.

Protocol

The following protocol was suggested by David Chaum.[2]

A group, G, is chosen in which the discrete logarithm problem is intractable, and all operation in the scheme take place in this group. Commonly, this will be the finite cyclic group of order p contained in Z/nZ, with p being a large prime number; this group is equipped with the group operation of integer multiplication modulo n. An arbitrary primitive element (or generator), g, of G is chosen; computed powers of g then combine obeying fixed axioms.

Alice generates a key pair, randomly chooses a private key, x, and then derives and publishes the public key, y = gx.

Message signing

  1. Alice signs the message, m, by computing and publishing the signature, z = mx.

Confirmation (i.e., avowal) protocol

Bob wishes to verify the signature, z, of m by Alice under the key, y.

  1. Bob picks two random numbers: a and b, and uses them to blind the message, sending to Alice:
    c = magb.
  2. Alice picks a random number, q, uses it to blind, c, and then signing this using her private key, x, sending to Bob:
    s1 = cgq and
    s2 = s1x.
    Note that
    s1x = (cgq)x = (magb)xgqx = (mx)a(gx)b+q = zayb+q.
  3. Bob reveals a and b.
  4. Alice verifies that c is not dishonest and was computed from a and b, then reveals q.
  5. Bob verifies s1 = cgq, proving q has not been chosen dishonestly, and
    s2 = zayb+q,
    proving z is valid signature issued by Alice's key. Note that
    zayb+q = (mx)a(gx)b+q.

Alice can cheat at step 2 by attempting to randomly guess s2.

Disavowal protocol

Alice wishes to convince Bob that z is not a valid signature of m under the key, gx; i.e., z ≠ mx. Alice and Bob have agreed an integer, k, which sets the computational burden on Alice and the likelihood that she should succeed by chance.

  1. Bob picks random values, s ∈ {0, 1, ..., k} and a, and sends:
    v1 = msga and
    v2 = zsya,
    where exponentiating by a is used to blind the sent values. Note that
    v2 = zsya = (mx)s(gx)a = v1x.
  2. Alice, using her private key, computes v1x and then the quotient,
    v1xv2−1 = (msga)x(zsgxa)−1 = msxz−s = (mxz−1)s.
    Thus, v1xv2−1 = 1, unless zmx.
  3. Alice then tests v1xv2−1 for equality against the values:
    (mxz−1)i for i ∈ {0, 1, …, k};
    which are calculated by repeated multiplication of mxz−1 (rather than exponentiating for each i). If the test succeeds, Alice conjectures the relevant i to be s; otherwise, she conjectures random value. Where z = mx, (mxz−1)i = v1xv2−1 = 1 for all i, s is unrecoverable.
  4. Alice commits to i: she picks a random r and sends hash(r, i) to Bob.
  5. Bob reveals a.
  6. Alice confirms v1 and v2 are honest (i.e., can be generated using a) then reveals r.
  7. Bob checks hash(r, i) = hash(r, s), proving Alice knows s, hence zmx.

If Alice attempts to cheat at step 3 by guessing s at random, the probability of succeeding is 1/(k + 1). So, if k = 1023 and the protocol is conducted ten times, her chances are 1 to 2100.

See also

References

  1. Chaum, David; van Antwerpen, Hans (1990). "Undeniable Signatures". LNCS. 435: 212–216.
  2. Chaum, David (1991). "Zero-Knowledge Undeniable Signatures". Advances in Cryptology EUROCRYPT '90 Proceedings: 458–462.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.