Undeniable signature
Undeniable signature is a digital signature scheme and implementation invented by David Chaum and Hans van Antwerpen in 1989.[1]
In this scheme, a signer possessing a private key can publish a signature of a messages. However, the signature reveals nothing to a recipient/verifier of the message and signature without taking part in either of two interactive protocols:
- Confirmation protocol, which confirms that a candidate is a valid signature of the message issued by the signer, identified by the public key.
- Disavowal protocol, which confirms that a candidate is not a valid signature of the message issued by the signer.
The motivation for the scheme is to allow the signer to determine to whom he verifies or disavows a signature, and it is the interactive nature of the protocols that allows this; i.e., the result of each protocol is non-transferable. However, if there were only a confirmation protocol, there would be no way to distinguish between:
- the case that the signature is not a valid signature by the signer at issue, and
- the case that the signature was a valid signature by the signer at issue, but the signer now chooses not to take part in verification.
The disavowal protocol provides an interactive (i.e., non-transferable) proof of the former case.
The designated verifier signature scheme improves upon deniable signatures by allowing, for each signature, the interactive portion of the scheme to be offloaded onto another party, a designated verifier, reducing the burden on the signer.
Chaum's implementation
The following protocol was suggested by David Chaum.[2]
A group, G, is chosen in which the discrete logarithm problem is intractable, and all operation in the scheme take place in this group. Commonly, this will be the (finite) cyclic group or order p, Z/nZ, with p being a large prime number; this group is equipped with the group operation of integer multiplication modulo p. An arbitrary primitive element (or generator), g, of G is chosen; computed powers of g then combine obeying fixed axioms.
Alice generates a key pair, randomly choosing a private key, x, and the deriving the public key, y = gx.
Message signing
- Alice signs the message, m, by computing and publishing z = mx
Confirmation (i.e., avowal) protocol
Bob wishes to verify the message.
- Bob picks two random numbers: a and b, and then sends to Alice: c = magb.
- Alice picks a random number, q, and, using her private key, sends to Bob: s1 = cgq and s2 = s1x. Note that s1x = (cgq)x = (magb)xgqx = (mx)a(gx)b+q.
- Bob reveals a and b.
- Alice verifies that c is not dishonest and was computed from a and b, then reveals q.
- Bob verifies s1 = cgq, proving q has not been chosen dishonestly, and s2 = zayb+q, proving z is valid signature issued by Alice's key. Note that zayb+q = (mx)a(gx)b+q.
Alice can cheat at step 2 by attempting to randomly guess s2.
Disavowal protocol
Alice wishes to convince Bob that z is not a valid signature under the key, gx; i.e., z ≠ mx. Alice and Bob are both aware of m and z and have agreed an integer, k, which sets the computational burden on Alice and likelihood that she should succeed by chance.
- Bob picks random values, s ∈ {0, 1, ..., k} and a, and sends: v1 = msga and v2 = zsya, where exponentiating by a is used to blind the sent values. Note that zsya = zs(gx)a.
- Alice, using her private key, computes v1x and then the quotient v1xv2−1. Note that v1xv2−1 = (msga)x(zsgxa)−1 = msxz−s = (mxz−1)s and, if z = mx, v1xv2−1 = 1.
- Alice conjectures sA to be s by testing (mxz−1)i = v1xv2−1 for i ∈ {0, 1, ..., k}; (mxz−1)i can be calculated efficiently by repeated multiplication rather than exponentiating for each i. If the tests are inconclusive, she conjectures random value; this is the case when z = mx, and (mxz−1)i = v1xv2−1 = 1 for all i.
- Alice commits to sA: she picks a random r and sends hash(r, sA) to Bob.
- Bob reveals a.
- Alice confirms v1 and v2 are honest (i.e., can be generated using a) then reveals r.
- Bob checks hash(r, sA) = hash(r, s); knowing s proves z ≠ mx.
If Alice attempts to cheat at step 3 by guessing s at random, the probability of succeeding is 1/(k + 1). So, if k = 1023 and the protocol is conducted ten times, her chances are 1 to 2100.