Journal of Cryptology, Volume 24, Issue 3, pp 545–587

Short Undeniable Signatures Based on Group Homomorphisms

  • Jean Monnerat
  • Serge Vaudenay
Article

Abstract

This paper is devoted to the design and analysis of short undeniable signatures based on a random oracle. Exploiting their online property, we can achieve signatures with a fully scalable size depending on the security level. To this end, we develop a general framework based on the interpolation of group homomorphisms, leading to the design of a generic undeniable signature scheme called MOVA with batch verification and featuring nontransferability. By selecting group homomorphisms with a small group range, we obtain very short signatures. We also minimize the number of moves of the verification protocols by proposing some variants with only two moves in the random oracle model. We provide a formal security analysis of MOVA and assess the security in terms of the signature length. Under reasonable assumptions and with some carefully selected parameters, the MOVA scheme makes it possible to consider signatures of about 50 bits.
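To make the "homomorphism with a small range gives a short signature" idea concrete, here is an added example (not code from the paper) of the one-bit-per-point character instantiation: the secret homomorphism is the Legendre symbol modulo a secret prime factor of a public modulus, the signature is that homomorphism evaluated at hash points, and `interpolate` shows how known values of a homomorphism determine its value on any product of the known points, which is the algebraic structure behind the interpolation framework. The primes, the hash-to-group encoding, `LSIG`, and all function names are constructed assumptions; the paper's interactive confirmation and denial protocols are not implemented.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two known primes (2^61-1 and 2^31-1).
# Real deployments use primes far beyond any factoring effort.
P, Q = (1 << 61) - 1, (1 << 31) - 1
N = P * Q          # public modulus; the factor P is the signer's secret
LSIG = 50          # signature length in bits, matching the abstract's figure

def legendre(a, p):
    """Secret homomorphism Z_n^* -> {+1, -1}: the Legendre symbol (a/p)
    computed by Euler's criterion. Only the holder of p can evaluate it."""
    r = pow(a % p, (p - 1) // 2, p)
    if r == 0:
        return 0           # p divides a; never happens for elements of Z_n^*
    return -1 if r == p - 1 else 1

def hash_to_group(msg, i):
    """Random-oracle stand-in mapping (msg, i) to an element of Z_n^*."""
    ctr = 0
    while True:
        h = hashlib.sha256(f"{i}:{ctr}:".encode() + msg).digest()
        x = int.from_bytes(h, "big") % N
        if x > 1 and gcd(x, N) == 1:
            return x
        ctr += 1

def sign(msg, p=P):
    """MOVA-style signature: the homomorphism evaluated at LSIG hash points.
    Each value is one bit, so the whole signature is LSIG bits long."""
    return [legendre(hash_to_group(msg, i), p) for i in range(LSIG)]

def interpolate(points, values, exponents):
    """Given Hom(x_i) = v_i, the homomorphism property fixes Hom on the
    product prod x_i^{e_i}; return that product and the implied value.
    In the range {+1, -1} an even exponent contributes nothing."""
    x, v = 1, 1
    for xi, vi, e in zip(points, values, exponents):
        x = x * pow(xi, e, N) % N
        if e % 2:
            v *= vi
    return x, v
```

Anyone holding `N` can compute the hash points, but without `P` the signature bits are not recoverable from them, which is why the paper needs interactive protocols for confirmation and denial.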

Key words

Undeniable signatures; Short signatures; Group homomorphisms; Interpolation; Interactive proofs


Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  1. SwissSign AG, Glattbrugg, Switzerland
  2. EPFL, Lausanne, Switzerland