
This part offers a short overview of the different contributions dedicated to undeniable signatures and designated confirmer signatures. It is not intended to be exhaustive, but we aim at recalling the most important achievements made in these fields. Although a few results are related to both topics, we prefer to provide separate treatments in order to make a clear distinction between the contributions to each respective subject.

Undeniable Signatures

The introduction of undeniable signatures dates back to 1989 with the article of Chaum and van Antwerpen [40] presented at the CRYPTO conference. Their original motivation was to protect the signer’s privacy, and they argued that this property may be particularly important in applications where commercially or personally sensitive data are signed. Namely, using classical digital signatures in such a context may lead to the dissemination of sensitive information verifiable by anybody, due to the universal verifiability of ordinary signatures.

One year later, Chaum [36] proposed a new version of this scheme with modified confirmation and denial protocols satisfying the zero-knowledge property. Contrary to the previous protocols, one is then assured that no information (except the validity or invalidity of the signature) leaks to a possibly malicious verifier. In particular, a verifier cannot convince another party that a given signature is valid by attaching the transcript of the confirmation protocol.

3.4. Related Work

The same year, Boyar et al. [23] introduced the concept of convertible undeniable signatures, for which the signer can turn all previous signatures into universally verifiable ones by releasing some additional information. They also introduced the concept of selective convertibility and proposed a generic construction of a convertible undeniable signature with selective convertibility. In addition, this construction shows that convertible undeniable signatures exist if and only if one-way functions exist. They furthermore developed a practical scheme based on the ElGamal signature scheme [56]. As sometimes turns out in cryptography, this scheme was later shown insecure in 1996 by Michels et al. [103]. More precisely, the signature scheme becomes forgeable once the information to convert all signatures is released by the signer. A way to repair this scheme was also developed in [103], but the authors did not give a formal proof. Also based on ElGamal signatures, Damgård and Pedersen [49] presented at Eurocrypt ’96 two provably secure schemes with the convertibility property. Finally, following the tradition of designing discrete-logarithm-based schemes, Michels and Stadler [104] proposed a convertible undeniable signature scheme based on the Schnorr signature scheme [137] which is also suitable for a threshold variant, i.e., where several signers share the signing ability.

The first undeniable signature schemes which are not based on discrete logarithms were developed by Gennaro et al. [65, 66] in 1997. The signature generation works like that of an ordinary RSA signature where the modulus is composed of safe primes. A variant of this RSA-based signature with a general modulus was given by Galbraith et al. [63], and a detailed analysis of the invisibility properties of RSA-based signatures was carried out by Galbraith and Mao in [62].

A few years ago, the topic of undeniable signatures became quite active and several new schemes were published. In 2004, Biehl et al. [15] used quadratic orders to design a new scheme, and Libert and Quisquater [98] introduced an identity-based undeniable signature scheme using bilinear pairings. These results allowed Laguillaumie and Vergnaud [89] to design in 2005 a scheme offering the possibility of converting all signatures pertaining to a given period of time. Using pairings again, the same authors were able to get rid of the use of random oracles in [88].

The original scheme of Chaum [36] was further studied in the last few years. In 2001, Okamoto and Pointcheval [119] introduced the so-called “gap problems” and showed that the security of Chaum’s scheme can be based on the Gap Diffie-Hellman problem. Later, Ogata et al. [116] showed that one can actually prove the security of this scheme under the Computational Diffie-Hellman problem. Finally, Kurosawa and Heng [86] proposed some 3-move verification protocols which are not zero-knowledge. They showed that unforgeability and invisibility still hold. However, their variant of Chaum’s scheme does not achieve non-transferability.

3. Overview on Undeniable and Designated Confirmer Signatures

Besides the design of new schemes, additional work about different issues related to undeniable signatures has been carried out. In 1991, Desmedt and Yung [51] (see also Chaum’s criticisms in [37]) presented some weaknesses of undeniable signatures. In particular, they showed that several verifiers can be convinced during a verification protocol while the signer believes that he is interacting with only one legitimate verifier. This may cause problems in applications where the verification is valuable, for instance if it is used to check the authenticity of a piece of software for customers who paid for a license. In 1994, Jakobsson [80] showed that similar attacks can be performed to blackmail the signer. In order to prevent these kinds of attacks, Jakobsson et al. [81] introduced non-transferable protocols, which ensure that a verifier cannot transfer the validity/invalidity proof of a given signature to another party during a confirmation or denial protocol. To achieve this, they developed so-called designated verifier proofs, in which the prover designates the verifier he is going to convince of a given statement. Moreover, a generic construction based on trapdoor commitments [26] is also given in this article.

Before concluding this overview, we would like to mention a few additional results. In 1991, Pedersen [126] developed a threshold variant of undeniable signatures. The signer’s secret key is shared among several provers, and the recipient of a message can verify a signature by interacting with a sufficiently large (with respect to the threshold) subset of provers. Another useful contribution is due to Fujioka et al. [61], who introduced the bi-proof concept, which allows one to prove in a single protocol whether a signature is valid or invalid. So, one bi-proof protocol can replace both the confirmation and the denial protocol at the same time. Finally, Chaum et al. [41] have investigated undeniable signatures which are unconditionally secure for the signer, i.e., even against a computationally unbounded forger, the signer will be able to deny forged signatures.

For another overview on the development of undeniable signatures, we refer to the PhD thesis of Laguillaumie [87].

Designated Confirmer Signatures

Designated confirmer signatures were introduced in 1994 in an article of Chaum [38]. The main motivation was that undeniable signatures do not offer an ideal solution when the signer may become unavailable. In his original article, Chaum proposed a scheme with verification protocols similar to those of his undeniable signature scheme [36]. Yet, he did not provide any formal proof of his scheme nor a security model for a designated confirmer signature. The same year, Okamoto [118] presented a formal security model for this cryptographic primitive and proposed a generic way of constructing a designated confirmer signature. This allowed him to prove that a primitive equivalent to public-key encryption is required to achieve a secure designated confirmer signature. More practical results are also given in his article, where he developed practical constructions based on 3-move identification protocols without any formal security proof.

In 1998, Michels and Stadler [105] pointed out that the practical constructions of Okamoto succumb to a forgery attack if the adversary is given the confirmer’s secret key. A countermeasure is proposed without a security proof. They introduced the notion of confirmer commitments, which allows one to construct designated confirmer signatures. However, two years later Camenisch and Michels [30] showed that adaptive attacks can break the invisibility of this scheme as well as that of Chaum [38]. They also proposed a construction based on verifiable encryption, but with an inefficient denial protocol. The efficiency was strongly improved and made practical by Camenisch and Shoup in [31]. Recently, Goldwasser and Waisbard [77] developed a general construction without random oracles using general (inefficient) zero-knowledge proofs. Finally, Gentry et al. [67] used commitments and techniques of Camenisch and Shoup to design a scheme with practical confirmation and denial protocols without making use of random oracles.

Chapter 4: MOVA Undeniable Signature

Up until now, undeniable signature schemes did not fully exploit online security properties towards the design of schemes offering very short signatures. One of the main contributions of this thesis is to remedy this situation. To this end, we develop a very general framework based on the sole notion of the interpolation of group homomorphisms. Based on this, we define a decisional and a computational problem which generalize several fundamental problems related to public-key cryptography. Among them, we find the decisional and computational Diffie-Hellman problems as well as the quadratic residuosity problem.

The interest of this new perspective on undeniable signatures is twofold. First, group homomorphisms allow one to express the well-known undeniable signature of Chaum [36] and the RSA undeniable signature of Gennaro et al. [66] in a unified formalism. Secondly, our technique allows us to develop very short signatures in a quite natural way, namely by instantiating our scheme with group homomorphisms whose range group is of small size.

In what follows, we introduce the concept of interpolation of group homomorphisms and related problems. We then dedicate a part of this chapter to interactive proof protocols related to the interpolation of group homomorphisms. In particular, we consider two protocols in which the prover proves to a verifier that a given set of points interpolates (resp. does not interpolate) in a group homomorphism. From this, we develop the MOVA undeniable signature scheme, whose confirmation and denial protocols are directly based on the previously defined protocols. Finally, we develop the security properties of MOVA by providing security reductions to some supposedly hard problems. These results allow one to quantify the different parameters of the scheme given the security level of the different security properties.

