Chameleon Hashing and Signatures

We introduce chameleon signatures that provide with an undeniable commitment of the signer to the contents of the signed document (as regular digital signatures do) but, at the same time, do not allow the recipient of the signature to disclose the contents of the signed information to any third party without the signer's consent. These signatures are closely related to \undeniable signatures", but chameleon signatures allow for simpler and more eecient realizations than the latter. In particular, they are essentially non-interactive and do not involve the design and complexity of zero-knowledge proofs on which traditional undeniable signatures are based. Instead, chameleon signatures are generated under the standard method of hash-then-sign. Yet, the hash functions which are used are chameleon hash functions. These hash functions are characterized by the non-standard property of being collision-resistant for the signer but collision tractable for the recipient. We present simple and eecient constructions of chameleon hashing and chameleon signatures. The former can be constructed based on standard cryptographic assumptions (such as the hardness of factoring or discrete logarithms) and have eecient realizations based on these assumptions. For the signature part we can use any digital signature (such as RSA or DSS) and prove the unforgeability property of the resultant chameleon signatures solely based on the unforgeability of the underlying digital signature in use. 1 El Camalee on, Mamm a, el Camalee on, cambia de colores seg un la ocasii on.

[1]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[2]  David Chaum,et al.  Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer , 1991, CRYPTO.

[3]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[4]  Hugo Krawczyk,et al.  RSA-Based Undeniable Signatures , 1997, Journal of Cryptology.

[5]  Tatsuaki Okamoto,et al.  Designated Confirmer Signatures and Public-Key Encryption are Equivalent , 1994, CRYPTO.

[6]  Markus Jakobsson,et al.  Proving Without Knowing: On Oblivious, Agnostic and Blindolded Provers , 1996, CRYPTO.

[7]  Ivan Damgård,et al.  New Convertible Undeniable Signature Schemes , 1996, EUROCRYPT.

[8]  Atsushi Fujioka,et al.  Interactive Bi-Proof Systems and Undeniable Signature Schemes , 1991, EUROCRYPT.

[9]  David Chaum,et al.  Zero-Knowledge Undeniable Signatures , 1991, EUROCRYPT.

[10]  David Chaum,et al.  Convertible Undeniable Signatures , 1990, CRYPTO.

[11]  Patrick Horster,et al.  Breaking and repairing a convertible undeniable signature scheme , 1996, CCS '96.

[12]  Moti Yung,et al.  Weaknesses of undeniable signature schemes , 1991 .

[13]  Ross J. Anderson,et al.  Robustness Principles for Public Key Protocols , 1995, CRYPTO.

[14]  Birgit Pfitzmann,et al.  Fail-Stop Signatures , 1997, SIAM J. Comput..

[15]  Torben P. Pedersen Distributed Provers with Applications to Undeniable Signatures , 1991, EUROCRYPT.

[16]  James H. Burrows,et al.  Secure Hash Standard , 1995 .