EUROCRYPT 1991: Advances in Cryptology — EUROCRYPT ’91, pp. 205–220
Weaknesses of Undeniable Signature Schemes
Abstract
The nice concept of undeniable signatures was presented by Chaum and van Antwerpen [10]. In [7] Chaum mentioned that “with undeniable signatures only paying customers are able to verify the signature.” Using methods based on “divertible zero-knowledge proofs” and “distributed secure mental games played among cooperating users”, we show that in certain contexts non-paying verifiers can check the signature as well, thus demonstrating that the applicability of undeniable signatures is somewhat restricted and must rely on the physical (or other) isolation of the verifying customer. In addition, we show that the first undeniable signature schemes suffer from certain security problems due to their multiplicative nature (similar to problems the RSA signature scheme has).
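As an added illustration of the multiplicative weakness the abstract refers to (not code from the paper), the following Python toy models the signature z = m^x mod p of the Chaum and van Antwerpen scheme [10] and shows why a product of two genuine signatures is a signature the signer cannot deny. The prime, private key, messages and the hash-then-sign hardening are constructed assumptions for this example, and the confirmation step is evaluated directly with the private key rather than run as the interactive zero-knowledge protocol of [10].

```python
import hashlib

# Constructed toy parameters for the illustration; real schemes use large primes.
P = 1019   # prime modulus
X = 277    # the signer's private exponent (constructed)

def sign(m: int, x: int = X) -> int:
    """Undeniable signature of [10] on a message m in Z_p^*: z = m^x mod p.
    Nothing about the message is hashed or padded before exponentiation."""
    return pow(m, x, P)

def signer_would_confirm(m: int, z: int, x: int = X) -> bool:
    """The fact the confirmation protocol of [10] establishes, evaluated here
    directly with the private key instead of interactively in zero knowledge:
    a signer asked about (m, z) can only confirm if z == m^x mod p."""
    return pow(m, x, P) == z

def combine(z1: int, z2: int) -> int:
    """Multiplicative structure: z1 * z2 = m1^x * m2^x = (m1 * m2)^x mod p,
    i.e. a valid signature on m1 * m2 that the signer never issued."""
    return (z1 * z2) % P

def h(m: int) -> int:
    """Hash-then-sign hardening (an assumption for this example, not part of
    [10]): products of messages no longer map to products of signed values."""
    digest = hashlib.sha256(m.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1   # range 1..p-1

def sign_hashed(m: int, x: int = X) -> int:
    return pow(h(m), x, P)

def demo() -> tuple[bool, bool]:
    """Returns (raw scheme confirms the combined signature,
                hashed variant confirms the combined signature)."""
    m1, m2 = 123, 456
    m3 = (m1 * m2) % P
    # Raw scheme: the product of two genuine signatures is a signature on m3
    # that the signer, when asked to confirm, is unable to deny.
    raw_ok = signer_would_confirm(m3, combine(sign(m1), sign(m2)))
    # Hashed variant: the same combination is rejected, because
    # h(m3) != h(m1) * h(m2) mod p except with negligible probability.
    hashed_ok = pow(h(m3), X, P) == combine(sign_hashed(m1), sign_hashed(m2))
    return raw_ok, hashed_ok

if __name__ == "__main__":
    print(demo())   # (True, False)
```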
Keywords
Signature Scheme; Software Pirate; Verification Phase; Chosen Plaintext Attack; Secure Function Evaluation
References
- [1] M. Blum. Coin flipping by telephone — a protocol for solving impossible problems. In Digest of Papers COMPCON82, pp. 133–137. IEEE Computer Society, February 1982.
- [2] J. Boyar, D. Chaum, I. Damgård, and T. Pedersen. Convertible undeniable signatures. Presented at Crypto ’90, August 12–15, 1990, Santa Barbara, California, U.S.A.; to appear in: Advances in Cryptology, Proc. of Crypto ’90 (Lecture Notes in Computer Science), Springer-Verlag, 1990.
- [3] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM, 24(2), pp. 84–88, February 1981.
- [4] D. Chaum. The dining cryptographers problem: unconditional sender and recipient untraceability. Journal of Cryptology, 1(1), pp. 65–75, 1988.
- [5] D. Chaum. On weaknesses of ‘weaknesses of undeniable signatures’. Presented at the rump session of Eurocrypt ’91, Brighton, U.K., April 1991. (Communicated to us by Gus Simmons.)
- [6] D. Chaum. Personal communication (over the phone, no coin flipping!).
- [7] D. Chaum. Zero-knowledge undeniable signatures. In I. Damgård, editor, Advances in Cryptology, Proc. of Eurocrypt ’90 (Lecture Notes in Computer Science 473), pp. 458–464. Springer-Verlag, 1991. Århus, Denmark, May 21–24.
- [8] D. Chaum, C. Crépeau, and I. Damgård. Multiparty unconditionally secure protocols. In Proceedings of the Twentieth Annual ACM Symp. Theory of Computing, STOC, pp. 11–19, May 2–4, 1988.
- [9] D. Chaum, I. Damgård, and J. van de Graaf. Multiparty computations ensuring privacy of each party’s input and correctness of the result. In C. Pomerance, editor, Advances in Cryptology, Proc. of Crypto ’87 (Lecture Notes in Computer Science 293), pp. 87–119. Springer-Verlag, 1988. Santa Barbara, Ca., August 16–20, 1987.
- [10] D. Chaum and H. van Antwerpen. Undeniable signatures. In G. Brassard, editor, Advances in Cryptology — Crypto ’89, Proceedings (Lecture Notes in Computer Science 435), pp. 212–216. Springer-Verlag, 1990. Santa Barbara, California, U.S.A., August 20–24.
- [11] G. I. Davida. Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem. Tech. Report TR-CS-82-2, University of Wisconsin-Milwaukee, October 1982.
- [12] W. de Jonge and D. Chaum. Attacks on some RSA signatures. In Advances in Cryptology: Crypto ’85, Proceedings (Lecture Notes in Computer Science 218), pp. 18–27. Springer-Verlag, New York, 1986. Santa Barbara, California, U.S.A., August 18–22, 1985.
- [13] W. de Jonge and D. Chaum. Some variations on RSA signatures & their security. In A. Odlyzko, editor, Advances in Cryptology, Proc. of Crypto ’86 (Lecture Notes in Computer Science 263), pp. 49–59. Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August 11–15.
- [14] R. A. DeMillo and M. J. Merritt. Chosen signature cryptanalysis of public key cryptosystems. Technical Memorandum, Georgia Institute of Technology, October 1982.
- [15] D. E. R. Denning. Digital signatures with RSA and other public-key cryptosystems. Comm. ACM, 27, pp. 388–392, 1984.
- [16] Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the Fiat-Shamir passport protocol. In C. Pomerance, editor, Advances in Cryptology, Proc. of Crypto ’87 (Lecture Notes in Computer Science 293), pp. 21–39. Springer-Verlag, 1988. Santa Barbara, California, U.S.A., August 16–20.
- [17] Y. Desmedt and A. Odlyzko. A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes. In Hugh C. Williams, editor, Advances in Cryptology: Crypto ’85, Proceedings (Lecture Notes in Computer Science 218), pp. 516–522. Springer-Verlag, 1986. Santa Barbara, California, U.S.A., August 18–20.
- [18] D. Dolev and A. Yao. On the security of public key cryptography. IEEE Trans. Inform. Theory, 29, pp. 198–208, March 1983.
- [19] Z. Galil, S. Haber, and M. Yung. Cryptographic computations: secure fault-tolerant protocols and the public-key model. In C. Pomerance, editor, Advances in Cryptology, Proc. of Crypto ’87 (Lecture Notes in Computer Science 293), pp. 135–155. Springer-Verlag, 1988. Santa Barbara, Ca., August 16–20, 1987.
- [20] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. In Proceedings of the Nineteenth Annual ACM Symp. Theory of Computing, STOC, pp. 218–229, May 25–27, 1987.
- [21] S. Micali. Public announcement at Crypto ’89.
- [22] J. H. Moore. Protocol failures in cryptosystems. Proc. IEEE, 76(5), pp. 594–602, May 1988.
- [23] T. Okamoto and K. Ohta. Divertible zero knowledge interactive proofs and commutative random self-reducibility. In J.-J. Quisquater and J. Vandewalle, editors, Advances in Cryptology, Proc. of Eurocrypt ’89 (Lecture Notes in Computer Science 434), pp. 134–149. Springer-Verlag, 1990. Houthalen, Belgium, April 10–13.