What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution Conclusion. Outline. What is ...
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
A Generic Construction for Universally-Convertible Undeniable Signatures Xinyi Huang
Yi Mu
Willy Susilo
Wei Wu
Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University of Wollongong, Australia
CANS 2007 8-10 December 2007, Singapore
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Undeniable Signature
Undeniable signature is a concept introduced by Chaum and van Antwerpen in Cypto’89 [ChaumAntwerpen, 1989]. • Undeniable signatures are not publicly verifiable. • The validity or invalidity of an undeniable signature can
only be verified with the help of the signer. • Confirmation and Disavowal Protocols
[ChaumAntwerpen, 1989] Chaum, D., Antwerpen, H.v. Undeniable Signatures CRYPTO’89, LNCS 435, 212–216
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Undeniable Signature
Undeniable signature is a concept introduced by Chaum and van Antwerpen in Cypto’89 [ChaumAntwerpen, 1989]. • Undeniable signatures are not publicly verifiable. • The validity or invalidity of an undeniable signature can
only be verified with the help of the signer. • Confirmation and Disavowal Protocols
[ChaumAntwerpen, 1989] Chaum, D., Antwerpen, H.v. Undeniable Signatures CRYPTO’89, LNCS 435, 212–216
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Undeniable Signature
Undeniable signature is a concept introduced by Chaum and van Antwerpen in Cypto’89 [ChaumAntwerpen, 1989]. • Undeniable signatures are not publicly verifiable. • The validity or invalidity of an undeniable signature can
only be verified with the help of the signer. • Confirmation and Disavowal Protocols
[ChaumAntwerpen, 1989] Chaum, D., Antwerpen, H.v. Undeniable Signatures CRYPTO’89, LNCS 435, 212–216
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Convertible Undeniable Signature
The concept of convertible undeniable signature was introduced in [Boyar et al., 1990]. • The “Convertible" refers to the ability of the signer to
convert one or more his undeniable signatures into publicly verifiable. [Boyar et al., 1990] Boyar, J., Chaum, D., Damgård, I.B., Pedersen. T.P. Convertible Undeniable Signatures. CRYPTO’90: LNCS 537. 189–205
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Convertible Undeniable Signature
The concept of convertible undeniable signature was introduced in [Boyar et al., 1990]. • The “Convertible" refers to the ability of the signer to
convert one or more his undeniable signatures into publicly verifiable. [Boyar et al., 1990] Boyar, J., Chaum, D., Damgård, I.B., Pedersen. T.P. Convertible Undeniable Signatures. CRYPTO’90: LNCS 537. 189–205
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Selectively Convert “Convert" in the undeniable signatures has two types: Selectively Convert and Universally Convert.
Selectively Convert • Signer can generate a selective proof for an undeniable
signature. • One can check the validity of this signature using the proof
and signer’s public key. • The validity of other undeniable signatures remains
unknown and can only be verified via the Confirmation (or, Disavowal) protocol.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Selectively Convert “Convert" in the undeniable signatures has two types: Selectively Convert and Universally Convert.
Selectively Convert • Signer can generate a selective proof for an undeniable
signature. • One can check the validity of this signature using the proof
and signer’s public key. • The validity of other undeniable signatures remains
unknown and can only be verified via the Confirmation (or, Disavowal) protocol.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Selectively Convert “Convert" in the undeniable signatures has two types: Selectively Convert and Universally Convert.
Selectively Convert • Signer can generate a selective proof for an undeniable
signature. • One can check the validity of this signature using the proof
and signer’s public key. • The validity of other undeniable signatures remains
unknown and can only be verified via the Confirmation (or, Disavowal) protocol.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Selectively Convert “Convert" in the undeniable signatures has two types: Selectively Convert and Universally Convert.
Selectively Convert • Signer can generate a selective proof for an undeniable
signature. • One can check the validity of this signature using the proof
and signer’s public key. • The validity of other undeniable signatures remains
unknown and can only be verified via the Confirmation (or, Disavowal) protocol.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Universally Convert
• A signer can generate a selective proof for an undeniable
signature. • A signer can also generate a universal proof for all his
undeniable signatures. • All the undeniable signatures are publicly verifiable: one
can check the validity of any signature using the universal proof and signer’s public key.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Motivation
• Most constructions of undeniable signatures are
selectively-convertible. • Not all of them are universally-convertible. • How to obtain a universally-convertible undeniable
signature scheme from selectively convertible undeniable signature scheme?
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Contributions
We propose a generic construction for universally-convertible undeniable signatures from • A strongly existentially unforgeable classic signature
scheme, • A selectively-convertible undeniable signature scheme, • A collision-resistant hash function.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Applications of Our Construction 1. Pairing-free universally-convertible undeniable signature in standard model: Apply our construction to Kurosawa-Takagi’s scheme [Kurosawa-Takagi, 2006]. 2. Fix the flaws in some known constructions [Boyar et al., 1990]. 3. Apply to other variants of undeniable signatures: designated confirmer signature, directed signature. K. Kurosawa and T. Takagi. New Approach for Selectively Convertible Undeniable Signature Schemes. ASIACRYPT 2006, LNCS 4284, pp. 428-443.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Undeniable Signature An ID-based undeniable signature scheme is defined as:
1. UC-US-Setup • Input: ` • Output: UC-US-Params
2. US-KeyGen • Input: UC-US-Params • Output: (PKUC , SKUC )
3. UC-US-Sign • Input: SKUC , m • Output: σUC
4. UC-US-Verify • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: {0,1}.
5. Confirmation/Disavowal Protocol • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: Trans
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Undeniable Signature An ID-based undeniable signature scheme is defined as:
1. UC-US-Setup • Input: ` • Output: UC-US-Params
2. US-KeyGen • Input: UC-US-Params • Output: (PKUC , SKUC )
3. UC-US-Sign • Input: SKUC , m • Output: σUC
4. UC-US-Verify • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: {0,1}.
5. Confirmation/Disavowal Protocol • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: Trans
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Undeniable Signature An ID-based undeniable signature scheme is defined as:
1. UC-US-Setup • Input: ` • Output: UC-US-Params
2. US-KeyGen • Input: UC-US-Params • Output: (PKUC , SKUC )
3. UC-US-Sign • Input: SKUC , m • Output: σUC
4. UC-US-Verify • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: {0,1}.
5. Confirmation/Disavowal Protocol • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: Trans
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Undeniable Signature An ID-based undeniable signature scheme is defined as:
1. UC-US-Setup • Input: ` • Output: UC-US-Params
2. US-KeyGen • Input: UC-US-Params • Output: (PKUC , SKUC )
3. UC-US-Sign • Input: SKUC , m • Output: σUC
4. UC-US-Verify • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: {0,1}.
5. Confirmation/Disavowal Protocol • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: Trans
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Undeniable Signature An ID-based undeniable signature scheme is defined as:
1. UC-US-Setup • Input: ` • Output: UC-US-Params
2. US-KeyGen • Input: UC-US-Params • Output: (PKUC , SKUC )
3. UC-US-Sign • Input: SKUC , m • Output: σUC
4. UC-US-Verify • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: {0,1}.
5. Confirmation/Disavowal Protocol • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: Trans
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Undeniable Signature An ID-based undeniable signature scheme is defined as:
1. UC-US-Setup • Input: ` • Output: UC-US-Params
2. US-KeyGen • Input: UC-US-Params • Output: (PKUC , SKUC )
3. UC-US-Sign • Input: SKUC , m • Output: σUC
4. UC-US-Verify • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: {0,1}.
5. Confirmation/Disavowal Protocol • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: Trans
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Universally-Convertible Undeniable Signature 6. UC-US-SConvert • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: SelectiveProof
7. Selectively Verify • Input: UC-US-Params,
PKUC , (M, σUC ), SelectiveProof • Output: decision
d ∈ {Acc, Rej}.
8. Universally Convert • Input: UC-US-Params,
SKUC • Output:
UniversalProof{PKUC }
9. Universally Verify • Input: UC-US-Params,
PKUC , (M, σUC ), UniversalProof{PKUC } • Output: decision
d ∈ {Acc, Rej}.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Universally-Convertible Undeniable Signature 6. UC-US-SConvert • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: SelectiveProof
7. Selectively Verify • Input: UC-US-Params,
PKUC , (M, σUC ), SelectiveProof • Output: decision
d ∈ {Acc, Rej}.
8. Universally Convert • Input: UC-US-Params,
SKUC • Output:
UniversalProof{PKUC }
9. Universally Verify • Input: UC-US-Params,
PKUC , (M, σUC ), UniversalProof{PKUC } • Output: decision
d ∈ {Acc, Rej}.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Universally-Convertible Undeniable Signature 6. UC-US-SConvert • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: SelectiveProof
7. Selectively Verify • Input: UC-US-Params,
PKUC , (M, σUC ), SelectiveProof • Output: decision
d ∈ {Acc, Rej}.
8. Universally Convert • Input: UC-US-Params,
SKUC • Output:
UniversalProof{PKUC }
9. Universally Verify • Input: UC-US-Params,
PKUC , (M, σUC ), UniversalProof{PKUC } • Output: decision
d ∈ {Acc, Rej}.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Universally-Convertible Undeniable Signature 6. UC-US-SConvert • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: SelectiveProof
7. Selectively Verify • Input: UC-US-Params,
PKUC , (M, σUC ), SelectiveProof • Output: decision
d ∈ {Acc, Rej}.
8. Universally Convert • Input: UC-US-Params,
SKUC • Output:
UniversalProof{PKUC }
9. Universally Verify • Input: UC-US-Params,
PKUC , (M, σUC ), UniversalProof{PKUC } • Output: decision
d ∈ {Acc, Rej}.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline of Universally-Convertible Undeniable Signature 6. UC-US-SConvert • Input: UC-US-Params,
SKUC , (M, σUC ) • Output: SelectiveProof
7. Selectively Verify • Input: UC-US-Params,
PKUC , (M, σUC ), SelectiveProof • Output: decision
d ∈ {Acc, Rej}.
8. Universally Convert • Input: UC-US-Params,
SKUC • Output:
UniversalProof{PKUC }
9. Universally Verify • Input: UC-US-Params,
PKUC , (M, σUC ), UniversalProof{PKUC } • Output: decision
d ∈ {Acc, Rej}.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Completeness and Soundness Completeness • Valid signatures can always be proved valid. • Invalid signatures can always be proved invalid
Soundness • A malicious signer himself cannot convince a verifier V
that a valid signature is invalid. • A malicious signer himself cannot convince a verifier V
that an invalid signature is valid.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Completeness and Soundness Completeness • Valid signatures can always be proved valid. • Invalid signatures can always be proved invalid
Soundness • A malicious signer himself cannot convince a verifier V
that a valid signature is invalid. • A malicious signer himself cannot convince a verifier V
that an invalid signature is valid.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Non-Transferability and Unforgeability Non-Transferability of the Confirmation/Disavowal Protocol • The transcript Trans wrt the designated verifier V can only
convince V . • No one else could be convinced by this Trans even if V
shares all his secret information (including his secret key) with this party.
Unforgeability The adversary, equipped with the knowledge of the selective proofs and universal proof, cannot generate a valid signature of a new message m.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Non-Transferability and Unforgeability Non-Transferability of the Confirmation/Disavowal Protocol • The transcript Trans wrt the designated verifier V can only
convince V . • No one else could be convinced by this Trans even if V
shares all his secret information (including his secret key) with this party.
Unforgeability The adversary, equipped with the knowledge of the selective proofs and universal proof, cannot generate a valid signature of a new message m.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Invisibility and Non-Impersonation Invisibility Given a message-signature pair (M, σUC ) and the public key PKUC , it is difficult to decide whether or not it is a valid message-signature pair.
Non-Impersonation 1. It should be difficult for an impersonator to generate the selective proof for a message-signature pair. 2. It should be difficult for an impersonator to generate the universal proof. 3. It should be difficult for an impersonator to generate a transcript of the Confirmation (Disavowal) protocol.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Invisibility and Non-Impersonation Invisibility Given a message-signature pair (M, σUC ) and the public key PKUC , it is difficult to decide whether or not it is a valid message-signature pair.
Non-Impersonation 1. It should be difficult for an impersonator to generate the selective proof for a message-signature pair. 2. It should be difficult for an impersonator to generate the universal proof. 3. It should be difficult for an impersonator to generate a transcript of the Confirmation (Disavowal) protocol.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Invisibility and Non-Impersonation Invisibility Given a message-signature pair (M, σUC ) and the public key PKUC , it is difficult to decide whether or not it is a valid message-signature pair.
Non-Impersonation 1. It should be difficult for an impersonator to generate the selective proof for a message-signature pair. 2. It should be difficult for an impersonator to generate the universal proof. 3. It should be difficult for an impersonator to generate a transcript of the Confirmation (Disavowal) protocol.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Invisibility and Non-Impersonation Invisibility Given a message-signature pair (M, σUC ) and the public key PKUC , it is difficult to decide whether or not it is a valid message-signature pair.
Non-Impersonation 1. It should be difficult for an impersonator to generate the selective proof for a message-signature pair. 2. It should be difficult for an impersonator to generate the universal proof. 3. It should be difficult for an impersonator to generate a transcript of the Confirmation (Disavowal) protocol.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Invisibility and Non-Impersonation Invisibility Given a message-signature pair (M, σUC ) and the public key PKUC , it is difficult to decide whether or not it is a valid message-signature pair.
Non-Impersonation 1. It should be difficult for an impersonator to generate the selective proof for a message-signature pair. 2. It should be difficult for an impersonator to generate the universal proof. 3. It should be difficult for an impersonator to generate a transcript of the Confirmation (Disavowal) protocol.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Generic Construction: Setup
• UC-US-Setup: UC-US-Params consists of 1. CS-Params: parameters of a strongly unforgeable classic signature scheme; 2. SC-US-Params: parameters of a selectively undeniable signature scheme; 3. Hk : collision-resistent hash function.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Generic Construction: Key Generation
• UC-US-KeyGen: Each signer has two public-secret key
pairs: (PKCS , SKCS ) and (PKSC , SKSC ) where 1. (PKCS , SKCS ): key pair in the classic signature scheme. 2. (PKSC , SKSC ): key pair in the selective undeniable signature scheme.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Generic Construction: Sign and Verify
• UC-US-Sign: σUC = (σSC , σCS ) where 1. σSC : a selectively-convertible undeniable signature on the message M. 2. σCS is a classic signature on the message Hk (MkσSC kUndeniable). • UC-US-Verify: Given (M, σSC , σCS ) and the user’s secret
key, outputs Accept if both two signatures are valid.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Generic Construction: Sign and Verify
• UC-US-Sign: σUC = (σSC , σCS ) where 1. σSC : a selectively-convertible undeniable signature on the message M. 2. σCS is a classic signature on the message Hk (MkσSC kUndeniable). • UC-US-Verify: Given (M, σSC , σCS ) and the user’s secret
key, outputs Accept if both two signatures are valid.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Generic Construction: Confirmation/Disavowal Protocol
• UC-US-Confirmation (UC-US-Confirmation): Given
(M, σSC , σCS ), 1. If σcs is invalid, nothing is to be carried out between the verifier and the signer. 2. Otherwise, execute the confirmation (disavowal) protocol in the underlying selectively undeniable signatures.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Generic Construction: Selectively-Convert
• UC-US-SConvert: Given (M, σSC , σCS ) and signer’s secret
key, generate the selective-proof for the selectively convertible undeniable signature σSC • UC-US-SVerify: Given (M, σSC , σCS ) and its
selective-proof: 1. Check σCS with PKCS 2. Check σSC with its selective-proof.
Output Accept if both are valid.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Generic Construction: Universally-Convert
• UC-US-UConvert: The universal proof is SKSC , which is
the secret key of the underlying selectively-convertible undeniable signature. • UC-US-UVerify: Given (M, σSC , σCS ) and SKSC 1. Check σCS with PKCS 2. Check σSC with SKSC
Output Accept if both are valid.
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Outline What is (Convertible) Undeniable Signature? Undeniable Signature Convertible Undeniable Signature Security Notions of Universally-Convertible Undeniable Signatures Outline of Universally-Convertible Undeniable Signatures Security Requirements Our Contribution Generic Construction Analysis Conclusion
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Analysis: Strong Unforgeability Our scheme is strong unforgeable if the underlying classic signature scheme is strong unforgeable and the hash function is collision-resistent. Let (σSC , σCS ) be our undeniable signature, • If A can output a new message-signature pair of our
scheme, • then B can use A to break the strong-unforeability of the
classic signature σCS , or • break the collision-resistent of hash function H; • We do not require the unforgeability of the selectively
undeniable signature σSC .
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Analysis: Strong Unforgeability Our scheme is strong unforgeable if the underlying classic signature scheme is strong unforgeable and the hash function is collision-resistent. Let (σSC , σCS ) be our undeniable signature, • If A can output a new message-signature pair of our
scheme, • then B can use A to break the strong-unforeability of the
classic signature σCS , or • break the collision-resistent of hash function H; • We do not require the unforgeability of the selectively
undeniable signature σSC .
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Analysis: Strong Unforgeability Our scheme is strong unforgeable if the underlying classic signature scheme is strong unforgeable and the hash function is collision-resistent. Let (σSC , σCS ) be our undeniable signature, • If A can output a new message-signature pair of our
scheme, • then B can use A to break the strong-unforeability of the
classic signature σCS , or • break the collision-resistent of hash function H; • We do not require the unforgeability of the selectively
undeniable signature σSC .
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Analysis: Strong Unforgeability Our scheme is strong unforgeable if the underlying classic signature scheme is strong unforgeable and the hash function is collision-resistent. Let (σSC , σCS ) be our undeniable signature, • If A can output a new message-signature pair of our
scheme, • then B can use A to break the strong-unforeability of the
classic signature σCS , or • break the collision-resistent of hash function H; • We do not require the unforgeability of the selectively
undeniable signature σSC .
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Analysis: Strong Unforgeability Our scheme is strong unforgeable if the underlying classic signature scheme is strong unforgeable and the hash function is collision-resistent. Let (σSC , σCS ) be our undeniable signature, • If A can output a new message-signature pair of our
scheme, • then B can use A to break the strong-unforeability of the
classic signature σCS , or • break the collision-resistent of hash function H; • We do not require the unforgeability of the selectively
undeniable signature σSC .
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Analysis: Invisibility Our scheme is invisible if the underlying classic signature scheme is strong unforgeable and the selectively convertible undeniable signature scheme is invisible. For a message M and an undeniable signature (σSC , σCS )of our scheme, • If there is a distinguisher D who can tell whether or not
(σSC , σCS ) is a valid universally-convertible undeniable signature of M, then • there is another algorithm that can use D to tell whether or
not σSC is a valid selectively-convertible undeniable signature of M, under assumption that 0 : • D can not compute another valid classic signature σCS
strong-unforgeability of σCS .
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Analysis: Invisibility Our scheme is invisible if the underlying classic signature scheme is strong unforgeable and the selectively convertible undeniable signature scheme is invisible. For a message M and an undeniable signature (σSC , σCS )of our scheme, • If there is a distinguisher D who can tell whether or not
(σSC , σCS ) is a valid universally-convertible undeniable signature of M, then • there is another algorithm that can use D to tell whether or
not σSC is a valid selectively-convertible undeniable signature of M, under assumption that 0 : • D can not compute another valid classic signature σCS
strong-unforgeability of σCS .
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Analysis: Invisibility Our scheme is invisible if the underlying classic signature scheme is strong unforgeable and the selectively convertible undeniable signature scheme is invisible. For a message M and an undeniable signature (σSC , σCS )of our scheme, • If there is a distinguisher D who can tell whether or not
(σSC , σCS ) is a valid universally-convertible undeniable signature of M, then • there is another algorithm that can use D to tell whether or
not σSC is a valid selectively-convertible undeniable signature of M, under assumption that 0 : • D can not compute another valid classic signature σCS
strong-unforgeability of σCS .
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Analysis: Invisibility Our scheme is invisible if the underlying classic signature scheme is strong unforgeable and the selectively convertible undeniable signature scheme is invisible. For a message M and an undeniable signature (σSC , σCS )of our scheme, • If there is a distinguisher D who can tell whether or not
(σSC , σCS ) is a valid universally-convertible undeniable signature of M, then • there is another algorithm that can use D to tell whether or
not σSC is a valid selectively-convertible undeniable signature of M, under assumption that 0 : • D can not compute another valid classic signature σCS
strong-unforgeability of σCS .
What is (Convertible) Undeniable Signature? Security Notions of Universally-Convertible Undeniable Signatures Our Contribution
Conclusion
• We proposed a generic construction for
universally-convertible undeniable signatures. • Security is based on the underlying building blocks:
classical signature, selectively-convertible undeniable signature and collision-resistent hash.
