# Weaknesses of Undeniable Signature Schemes

- 33 Citations
- 2.6k Downloads

## Abstract

The nice concept of undeniable signatures was presented by Chaum and van Antwerpen [10]. In [7] Chaum mentioned that “with undeniable signatures only paying customers are able to verify the signature.” Using methods based on “divertible zero-knowledge proofs” and “distributed secure *mental* games played among cooperating users”, we show that in certain contexts *non*-paying verifiers can check the signature as well, thus demonstrating that the applicability of undeniable signatures is somewhat restricted and must rely on the physical (or other) isolation of the verifying customer. In addition, we show that the first undeniable signature schemes suffer from certain security problems due to their multiplicative nature (similar to problems the RSA signature scheme has).

## Keywords

Signature Scheme Software Pirate Verification Phase Choose Plaintext Attack Secure Function Evaluation## References

- [1]M. Blum. Coin flipping by telephone — a protocol for solving impossible problems. In
*digest of papers COMPCON82*, pp. 133–137. IEEE Computer Society, February 1982.Google Scholar - [2]J. Boyar, D. Chaum, I. Damgard, and T. Pedersen. Convertible undeniable signatures. Presented at Crypto’ 90, August 12–15, 1990, Santa Barbara, California, U.S.A., to appear in: Advances in Cryptology. Proc. of Crypto’ 90 (Lecture Notes in Computer Science), Springer-Verlag, 1990.Google Scholar
- [3]D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms.
*Commun. ACM*, 24(2), pp. 84–88, February 1981.CrossRefGoogle Scholar - [4]D. Chaum. The dining cryptographers problem: unconditional sender and recipient untraceability.
*Journal of Cryptology*, 1(1), pp. 65–75, 1988.zbMATHCrossRefMathSciNetGoogle Scholar - [5]D. Chaum. On weaknesses of ‘weaknesses of undeniable signatures’. Presented at the rump session of Eurocrypt’ 91, Brighton, U.K., April (Communicated to us by Gus Simmons.) 1991.Google Scholar
- [6]D. Chaum. Personal Communication (over the phone, no coin flipping!).Google Scholar
- [7]D. Chaum. Zero-knowledge undeniable signatures. In I. Damgård, editor,
*Advances in Cryptology, Proc. of Eurocrypt’ 90 (Lecture Notes in Computer Science 473)*, pp. 458–464. Springer-Verlag, 1991. Åarhus, Denmark, May 21–24.Google Scholar - [8]D. Chaum, C. Crépeau, and I. Damgård. Multiparty unconditionally secure protocols. In
*Proceedings of the twentieth annual ACM Symp. Theory of Computing, STOC*, pp. 11–19, May 2–4, 1988.Google Scholar - [9]D. Chaum, I. Damgård, and J. van de Graaf. Multiparty computations ensuring privacy of each party’s input and correctness of the result. In C. Pomerance, editor,
*Advances in Cryptology, Proc. of Crypto’ 87 (Lecture Notes in Computer Science 293)*, pp. 87–119. Springer-Verlag, 1988. Santa Barbara, Ca., August 16–20, 1987.Google Scholar - [10]D. Chaum and H. van Antwerpen. Undeniable signatures. In G. Brassard, editor,
*Advances in Cryptology — Crypto’ 89, Proceedings (Lecture Notes in Computer Science 435)*, pp. 212–216. Springer-Verlag, 1990. Santa Barbara, California, U.S.A., August 20–24.CrossRefGoogle Scholar - [11]G. I. Davida. Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem. Tech. Report TR-CS-82-2, University of Wisconsin-Milwaukee, October 1982.Google Scholar
- [12]W. de Jonge and D. Chaum. Attacks on some RSA signatures. In
*Advances in Cryptology: Crypto’ 85, Proceedings (Lecture Notes in Computer Science 218)*, pp. 18–27. Springer-Verlag, New York, 1986. Santa Barbara, California, U.S.A., August 18–22, 1985.CrossRefGoogle Scholar - [13]W. de Jonge and D. Chaum. Some variations on RSA signatures & their security. In A. Odlyzko, editor,
*Advances in Cryptology, Proc. of Crypto’ 86 (Lecture Notes in Computer Science 263)*, pp. 49–59. Springer-Verlag, 1987. Santa Barbara, California, U. S. A., August 11–15.Google Scholar - [14]R. A. DeMilo, and M. J. Merritt Chosen signature cryptanalysis of public key cryptosystems. Technical Memorandum, Georgia Institute of Technology, October 1982.Google Scholar
- [15]D. E. R. Denning. Digital signatures with RSA and other public-key cryptosystems.
*Comm. ACM 27*, pp. 388–392, 1984.Google Scholar - [16]Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the Fiat-Shamir passport protocol. In C. Pomerance, editor,
*Advances in Cryptology, Proc. of Crypto’ 87 (Lecture Notes in Computer Science 293)*, pp. 21–39. Springer-Verlag, 1988. Santa Barbara, California, U.S.A., August 16–20.Google Scholar - [17]Y. Desmedt and A. Odlyzko. A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes. In Hugh C. Williams, editor,
*Advances in Cryptology: Crypto’ 85, Proceedings (Lecture Notes in Computer Science 218)*, pp. 516–522. Springer-Verlag, 1986. Santa Barbara, California, U.S.A., August 18–20.CrossRefGoogle Scholar - [18]O. Dolev and A. Yao. On the security of public key cryptography.
*IEEE Trans. Inform. Theory*, 29, pp. 198–208, March 1983.zbMATHCrossRefMathSciNetGoogle Scholar - [19]Z. Galil, S. Haber, and M. Yung. Cryptographic computations: secure fault-tolerant protocols and the public-key model In C. Pomerance, editor,
*Advances in Cryptology, Proc. of Crypto’ 87 (Lecture Notes in Computer Science 293)*, pp. 135–155. Springer-Verlag, 1988. Santa Barbara, Ca., August 16–20, 1987.Google Scholar - [20]O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. In
*Proceedings of the Nineteenth annual ACM Symp. Theory of Computing, STOC*, pp. 218–229, May 25–27, 1987.Google Scholar - [21]S. Micali. Public announcement at Crypto’ 89.Google Scholar
- [22]J. H. Moore. Protocol failures in cryptosystems.
*Proc. IEEE*, 76(5), pp. 594–602, May 1988.CrossRefGoogle Scholar - [23]T. Okamoto and K. Ohta. Divertible zero knowledge interactive proofs and commutative random self-reducibility. In J.-J. Quisquater and J. Vandewalle, editors,
*Advances in Cryptology, Proc. of Eurocrypt’ 89 (Lecture Notes in Computer Science 434)*, pp. 134–149. Springer-Verlag, 1990. Houthalen, Belgium, April 10–13.Google Scholar