RSA-Based Undeniable Signatures

We present the first undeniable signature scheme based on RSA. Since their introduction in 1989, a significant amount of work has been devoted to the investigation of undeniable signatures. So far, this work has been based on discrete log systems. In contrast, our scheme uses regular RSA signatures to generate undeniable signatures. In this new setting, both the signature and verification exponents of RSA are kept secret by the signer, while the public key consists of a composite modulus and a sample RSA signature on a single public message. Our scheme possesses several attractive properties. First, it has provable security, as forging the undeniable signatures is as hard as forging regular RSA signatures. Second, both the confirmation and denial protocols are zero-knowledge. In addition, these protocols are efficient (in particular, the confirmation protocol involves only two rounds of communication and a small number of exponentiations). Furthermore, the RSA-based structure of our scheme provides simple and elegant solutions for adding several of the more advanced properties of undeniable signatures found in the literature, including convertibility of the undeniable signatures (into publicly verifiable ones), the possibility to delegate the ability to confirm and deny signatures to a third party without giving up the power to sign, and the existence of distributed (threshold) versions of the signing and confirmation operations. Due to the above properties and the fact that our undeniable signatures are identical in form to standard RSA signatures, the scheme we present becomes a very attractive candidate for practical implementations.
