The security of the FDH variant of Chaum's undeniable signature scheme

In this paper, a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes is introduced. Note that forgeability does not necessarily imply impersonation ability. The security of the full-domain hash (FDH) variant of Chaum's undeniable signature scheme is then classified according to three dimensions, the goal of adversaries, the attacks, and the zero-knowledge (ZK) level of confirmation and disavowal protocols. Each security is then related to some well-known computational problem. In particular, the security of the FDH variant of Chaum's scheme with noninteractive zero-knowledge (NIZK) protocol confirmation and disavowal protocols is proven to be equivalent to the computational Diffie-Hellman (CDH) problem, as opposed to the gap Diffie-Hellman (GDH) problem as claimed by Okamoto and Pointcheval.

[1]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[2]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[3]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[4]  David Chaum,et al.  Undeniable Signatures , 1989, CRYPTO.

[5]  Hugo Krawczyk,et al.  RSA-Based Undeniable Signatures , 1997, Journal of Cryptology.

[6]  Mihir Bellare,et al.  GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks , 2002, CRYPTO.

[7]  Ivan Damgård,et al.  New Convertible Undeniable Signature Schemes , 1996, EUROCRYPT.

[8]  Chanathip Namprempre,et al.  The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme , 2003, Journal of Cryptology.

[9]  Alexander May,et al.  Computing the RSA Secret Key Is Deterministic Polynomial Time Equivalent to Factoring , 2004, CRYPTO.

[10]  David Chaum,et al.  Zero-Knowledge Undeniable Signatures , 1991, EUROCRYPT.

[11]  David Chaum,et al.  Convertible Undeniable Signatures , 1990, CRYPTO.

[12]  Hugo Krawczyk,et al.  RSA-Based Undeniable Signatures , 2007, Journal of Cryptology.

[13]  Kenneth G. Paterson,et al.  RSA-Based Undeniable Signatures for General Moduli , 2002, CT-RSA.

[14]  David Pointcheval,et al.  The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes , 2001, Public Key Cryptography.

[15]  Chanathip Namprempre,et al.  The Power of RSA Inversion Oracles and the Security of Chaum's RSA-Based Blind Signature Scheme , 2002, Financial Cryptography.

[16]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[17]  Jean-Sébastien Coron,et al.  On the Exact Security of Full Domain Hash , 2000, CRYPTO.

[18]  David Chaum,et al.  Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer , 1991, CRYPTO.

[19]  David Chaum,et al.  Designated Confirmer Signatures , 1994, EUROCRYPT.

[20]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[21]  Steven D. Galbraith,et al.  Invisibility and Anonymity of Undeniable and Confirmer Signatures , 2003, CT-RSA.

[22]  Mihir Bellare,et al.  The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin , 1996, EUROCRYPT.

[23]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[24]  Chanathip Namprempre,et al.  From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security , 2002, EUROCRYPT.

[25]  Stefan A. Brands,et al.  An Efficient Off-line Electronic Cash System Based On The Representation Problem. , 1993 .

[26]  Markus Jakobsson,et al.  Designated Verifier Proofs and Their Applications , 1996, EUROCRYPT.

[27]  Kaoru Kurosawa,et al.  3-Move Undeniable Signature Scheme , 2005, EUROCRYPT.