New Constructions of Convertible Undeniable Signature Schemes without Random Oracles

In Undeniable Signature, a signature\u27s validity can only be confirmed or disavowed with the help of an alleged signer via a confirmation or disavowal protocol. A Convertible undeniable signature further allows the signer to release some additional information which can make an undeniable signature become publicly verifiable. In this work we introduce a new kind of attacks, called \emph{claimability attacks}, in which a dishonest/malicious signer both disavows a signature via the disavowal protocol and confirms it via selective conversion. Conventional security requirement does not capture the claimability attacks. We show that some convertible undeniable signature schemes are vulnerable to this kind of attacks. We then propose a new efficient construction of fully functional convertible undeniable signature, which supports both selective conversion and universal conversion, and is immune to the claimability attacks. To the best of our knowledge, it is the most efficient convertible undeniable signature scheme with provable security in the standard model. A signature is comprised of three elements of a bilinear group. Both the selective converter of a signature and the universal converter consist of one group element only. Besides, the confirmation and disavowal protocols are also very simple and efficient. Furthermore, the scheme can be extended to support additional features which include the delegation of conversion and confirmation/disavowal, threshold conversion and etc. We also propose an alternative generic construction of convertible undeniable signature schemes. Unlike the conventional sign-then-encrypt paradigm, the signer encrypts its (standard) signature with an identity-based encryption instead of a public key encryption. It enjoys the advantage of short selective converter, which is simply an identity-based user private key, and security against claimability attacks

An Efficient Convertible Undeniable Signature Scheme with Delegatable Verification

Undeniable signatures, introduced by Chaum and van Antwerpen, require a verifier to interact with the signer to verify a signature, and hence allow the signer to control the verifiability of his signatures. Convertible undeniable signatures, introduced by Boyar, Chaum, Damg\aa{}rd, and Pedersen, furthermore allow the signer to convert signatures to publicly verifiable ones by publicizing a verification token, either for individual signatures or for all signatures universally. In addition, the signer is able to delegate the ability to prove validity and convert signatures to a semi-trusted third party by providing a verification key. While the latter functionality is implemented by the early convertible undeniable signature schemes, most recent schemes do not consider this despite its practical appeal. In this paper we present an updated definition and security model for schemes allowing delegation, and highlight a new essential security property, token soundness, which is not formally treated in the previous security models for convertible undeniable signatures. We then propose a new convertible undeniable signature scheme. The scheme allows delegation of verification and is provably secure in the standard model assuming the computational co-Diffie-Hellman problem, a closely related problem, and the decisional linear problem are hard. Our scheme is, to the best of our knowledge, the currently most efficient convertible undeniable signature scheme which provably fulfills all security requirements in the standard model

Practical fair anonymous undeniable signatures

We present a new model for undeniable signatures: fair-anonymous undeniable signatures. This protocol can not only preserve the privacy of the signer (i.e. anonymity) but also track the illegal utilization of the valid signatures. In addition, our model prevents the trusted centre from forging a valid signature for any signer

Improvement of a convertible undeniable partially blind signature scheme

Undeniable signatures are the digital signatures that should be verified with the help of the signer. A signer may disavow a genuine document, if the signature is only verifiable with the aid of the signer under the condition that the signer is not honest. Undeniable signatures solve this problem by adding a new feature called the disavowal protocol in addition to the normal components of signature and verification. Disavowal protocol is able to prevent a dishonest signer from disavowing a valid signature. In some situations, an undeniable signature should be converted into a normal digital signature in order that the signature can be universally verified. Blind signatures are the digital signatures that help a user to get a signature on a message without revealing the content of the message to a signer. For the blind signatures, if the signer is able to make an agreement with the user, then the underlying signer may include some common information that is known to the user, then such signatures are partially blind signatures. Convertible undeniable partially blind signatures are of the features of undeniable signatures, blind signatures, convertible undeniable signatures, and partially blind signatures. Recently, a convertible undeniable partially blind signature scheme was presented. In this paper, we first analyse a security flaw of the convertible undeniable partially blind signature scheme. To address the security flaw, we present an improvement on the disavowal protocol. The improved scheme can prevent the signer from either proving that a given valid signature as invalid, or cheating the verifier

Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems

Chameleon signatures simultaneously provide the properties of non-repudiation and non-transferability for the signed message. However, the initial constructions of chameleon signatures suffer from the problem of key exposure. This creates a strong disincentive for the recipient to forge signatures, partially undermining the concept of non-transferability. Recently, some specific constructions of discrete logarithm based chameleon hashing and signatures without key exposure are presented, while in the setting of gap Diffile-Hellman groups with pairings. \indent \,\, In this paper, we propose the first key-exposure free chameleon hash and signature scheme based on discrete logarithm systems, without using the gap Diffile-Hellman groups. This provides more flexible constructions of efficient key-exposure free chameleon hash and signature schemes. Moreover, one distinguishing advantage of the resulting chameleon signature scheme is that the property of ``message hiding or ``message recovery can be achieved freely by the signer, $i.e.,$ the signer can efficiently prove which message was the original one if he desires

Threshold cryptography with Chinese remainder theorem

Ankara : The Department of Computer Engineering and the Institute of Engineering and Science of Bilkent University, 2009.Thesis (Master's) -- Bilkent University, 2009.Includes bibliographical references leaves 84-91.Information security has become much more important since electronic communication is started to be used in our daily life. The content of the term information security varies according to the type and the requirements of the area. However, no matter which algorithms are used, security depends on the secrecy of a key which is supposed to be only known by the agents in the first place. The requirement of the key being secret brings several problems. Storing a secret key on only one person, server or database reduces the security of the system to the security and credibility of that agent. Besides, not having a backup of the key introduces the problem of losing the key if a software/hardware failure occurs. On the other hand, if the key is held by more than one agent an adversary with a desire for the key has more flexibility of choosing the target. Hence the security is reduced to the security of the least secure or least credible of these agents. Secret sharing schemes are introduced to solve the problems above. The main idea of these schemes is to share the secret among the agents such that only predefined coalitions can come together and reveal the secret, while no other coalition can obtain any information about the secret. Thus, the keys used in the areas requiring vital secrecy like large-scale finance applications and commandcontrol mechanisms of nuclear systems, can be stored by using secret sharing schemes. Threshold cryptography deals with a particular type of secret sharing schemes. In threshold cryptography related secret sharing schemes, if the size of a coalition exceeds a bound t, it can reveal the key. And, smaller coalitions can reveal no information about the key. Actually, the first secret sharing scheme in the literature is the threshold scheme of Shamir where he considered the secret as the constant of a polynomial of degree t − 1, and distributed the points on the polynomial to the group of users. Thus, a coalition of size t can recover the polynomial and reveal the key but a smaller coalition can not. This scheme is widely accepted by the researchers and used in several applications. Shamir’s secret sharing scheme is not the only one in the literature. For example, almost concurrently, Blakley proposed another secret sharing scheme depending on planar geometry and Asmuth and Bloom proposed a scheme depending on the Chinese Remainder Theorem. Although these schemes satisfy the necessary and sufficient conditions for the security, they have not been considered for the applications requiring a secret sharing scheme. Secret sharing schemes constituted a building block in several other applications other than the ones mentioned above. These applications simply contain a standard problem in the literature, the function sharing problem. In a function sharing scheme, each user has its own secret as an input to a function and the scheme computes the outcome of the function without revealing the secrets. In the literature, encryption or signature functions of the public key algorithms like RSA, ElGamal and Paillier can be given as an example to the functions shared by using a secret sharing scheme. Even new generation applications like electronic voting require a function sharing scheme. As mentioned before, Shamir’s secret sharing scheme has attracted much of the attention in the literature and other schemes are not considered much. However, as this thesis shows, secret sharing schemes depending on the Chinese Remainder Theorem can be practically used in these applications. Since each application has different needs, Shamir’s secret sharing scheme is used in applications with several extensions. Basically, this thesis investigates how to adapt Chinese Remainder Theorem based secret sharing schemes to the applications in the literature. We first propose some modifications on the Asmuth-Bloom secret sharing scheme and then by using this modified scheme we designed provably secure function sharing schemes and security extensions.Kaya, KamerM.S

The Security of the FDH Variant of Chaum’s Undeniable Signature Scheme

In this paper, a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes is introduced. Note that forgeability does not necessarily imply impersonation ability. The security of the full-domain hash (FDH) variant of Chaum's undeniable signature scheme is then classified according to three dimensions, the goal of adversaries, the attacks, and the zero-knowledg (ZK) level of confirmation and disavowal protocols. Each security is then related to some well-known computational problem. In particular, the security of the FDH variant of Chaum's scheme with noninteractive zero-knowledge (NIZK) protocol confirmation and disavowal protocols is proven to be equivalent to the computational Diffie-Hellman (CDH) problem, as opposed to the gap Diffie-Hellman (GDH) problem as claimed by Okamoto and Pointcheval

Critical Perspectives on Provable Security: Fifteen Years of Another Look Papers

We give an overview of our critiques of “proofs” of security and a guide to our papers on the subject that have appeared over the past decade and a half. We also provide numerous additional examples and a few updates and errata

Design and Analysis of Opaque Signatures

Digital signatures were introduced to guarantee the authenticity and integrity of the underlying messages. A digital signature scheme comprises the key generation, the signature, and the verification algorithms. The key generation algorithm creates the signing and the verifying keys, called also the signer’s private and public keys respectively. The signature algorithm, which is run by the signer, produces a signature on the input message. Finally, the verification algorithm, run by anyone who knows the signer’s public key, checks whether a purported signature on some message is valid or not. The last property, namely the universal verification of digital signatures is undesirable in situations where the signed data is commercially or personally sensitive. Therefore, mechanisms which share most properties with digital signatures except for the universal verification were invented to respond to the aforementioned need; we call such mechanisms “opaque signatures”. In this thesis, we study the signatures where the verification cannot be achieved without the cooperation of a specific entity, namely the signer in case of undeniable signatures, or the confirmer in case of confirmer signatures; we make three main contributions. We first study the relationship between two security properties important for public key encryption, namely data privacy and key privacy. Our study is motivated by the fact that opaque signatures involve always an encryption layer that ensures their opacity. The properties required for this encryption vary according to whether we want to protect the identity (i.e. the key) of the signer or hide the validity of the signature. Therefore, it would be convenient to use existing work about the encryption scheme in order to derive one notion from the other. Next, we delve into the generic constructions of confirmer signatures from basic cryptographic primitives, e.g. digital signatures, encryption, or commitment schemes. In fact, generic constructions give easy-to-understand and easy-to-prove schemes, however, this convenience is often achieved at the expense of efficiency. In this contribution, which constitutes the core of this thesis, we first analyze the already existing constructions; our study concludes that the popular generic constructions of confirmer signatures necessitate strong security assumptions on the building blocks, which impacts negatively the efficiency of the resulting signatures. Next, we show that a small change in these constructionsmakes these assumptions drop drastically, allowing as a result constructions with instantiations that compete with the dedicated realizations of these signatures. Finally, we revisit two early undeniable signatures which were proposed with a conjectural security. We disprove the claimed security of the first scheme, and we provide a fix to it in order to achieve strong security properties. Next, we upgrade the second scheme so that it supports a iii desirable feature, and we provide a formal security treatment of the new scheme: we prove that it is secure assuming new reasonable assumptions on the underlying constituents