
Analysis and refinement of the model

New (security) properties. The first security notions that were required in undeniable signatures were: (1) security for the verifier, which refers to the soundness of the confirmation/denial protocols, (2) unforgeability of the signatures, which refers to the hardness of producing a valid undeniable signature on an arbitrary message, (3) non-transferability and invisibility of the signatures, where non-transferability means the inability of the signature verifier to transfer his knowledge about the signature status to a third party, and invisibility connotes the difficulty of telling whether a signature is valid or not. The invisibility property had many variants; the first one requires that any polynomial adversary is incapable of distinguishing a signature based on the underlying message (the adversary outputs two messages m0 and m1 and receives a signature on one of those two messages; he is then required to tell the message underlying the challenge signature). There also exists the stronger notion [Galbraith & Mao, 2003], which requires the difficulty of distinguishing the signature on a message, chosen by the adversary, from a random signature in the signature space. In the same paper [Galbraith & Mao, 2003], Galbraith and Mao suggested considering a further security property, namely anonymity, which informally means the infeasibility of determining whether a user is or is not the signer of a given message. Such a property can be the source of abuse by the signer in some situations, hence the introduction of the notion of revocable anonymity in [Yeung & Han, 2003; Han et al., 2004] to denote the possibility for some trusted authority to revoke the anonymity of a signer who has acted illegally.
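The two invisibility experiments described above can be run as code. The following is an added example, not taken from the original text or the cited papers: it plays both games against an ordinary, publicly verifiable signature to show that public verification alone gives the adversary the maximal advantage of 1/2, which is what an undeniable signature has to rule out. The toy RSA key, the messages and all function names are assumptions made for illustration, and the adversary's signing and confirmation/denial oracles are left out.

```python
import hashlib
import random

# Toy RSA key built from two Mersenne primes (constructed for this example,
# far too small and structured for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(msg: bytes) -> int:
    """Hash a message into Z_N (illustrative only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> int:
    """Ordinary, publicly verifiable signature: sigma = H(m)^d mod N."""
    return pow(h(msg), D, N)

def message_game(adversary, rng) -> bool:
    """First variant: adversary names m0, m1, gets a signature on m_b, guesses b."""
    m0, m1 = b"pay alice 10", b"pay bob 10"  # the adversary's chosen messages
    b = rng.randrange(2)
    return adversary(sign((m0, m1)[b]), m0, m1, rng) == b

def random_sig_game(adversary, rng) -> bool:
    """Stronger variant: real signature on m (b=0) versus a random element (b=1)."""
    m = b"pay alice 10"
    b = rng.randrange(2)
    sigma = sign(m) if b == 0 else rng.randrange(1, N)
    return adversary(sigma, m, None, rng) == b

def verifying_adversary(sigma, m0, m1, rng) -> int:
    """Uses only the public key: answers 0 iff sigma verifies on m0."""
    return 0 if pow(sigma, E, N) == h(m0) else 1

def guessing_adversary(sigma, m0, m1, rng) -> int:
    """Baseline with no information about validity: a coin flip."""
    return rng.randrange(2)

def advantage(game, adversary, trials=400, seed=1) -> float:
    """Empirical |Pr[guess = b] - 1/2| over independent runs of the game."""
    rng = random.Random(seed)
    wins = sum(game(adversary, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    for game in (message_game, random_sig_game):
        print(game.__name__, advantage(game, verifying_adversary),
              advantage(game, guessing_adversary))
```

An invisible scheme is one for which every efficient adversary is reduced to the behaviour of `guessing_adversary`, with advantage negligibly close to 0.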

Another security property that needs to be satisfied by convertible undeniable signatures was introduced in [Huang & Wong, 2009] and named resilience to claimability attacks, where a dishonest/malicious signer both disavows a signature via the disavowal protocol and confirms it via selective conversion. Still in the case of convertible undeniable signatures, it is desirable in some situations to delegate the ability to prove the validity of signatures and to convert them to a semi-trusted third party by providing a verification key [Schuldt & Matsuura, 2010].

Finally, Kurosawa and Furukawa introduced in [Kurosawa & Furukawa, 2008] the notion of universal composability, which informally captures the fact that the undeniable signature maintains its security properties under a general protocol composition. This notion is motivated by the fact that undeniable signatures are often used as a building block in a more complicated protocol.

Relations among security notions. The first work that addresses the relations among the different security notions of undeniable signatures is [Galbraith & Mao, 2003], where the authors prove that their notion of invisibility implies their notion of anonymity and the invisibility notion considered in [Camenisch & Michels, 2000]. They also specify some properties to be satisfied by the undeniable signature scheme so that invisibility in the sense of [Camenisch & Michels, 2000] together with anonymity in the sense of [Galbraith & Mao, 2003] implies strong invisibility in the sense of [Galbraith & Mao, 2003].

Besides, Kurosawa and Heng conduct in [Kurosawa & Heng, 2006] a thorough study on the unforgeability and invisibility notions of undeniable signatures in the two attack models, namely chosen message attack and full attack. In particular, they show that unforgeability against a chosen message attack (where the adversary is allowed to query adaptively the signing oracle) is equivalent to unforgeability against a full attack (where the adversary is allowed to query adaptively both the signing and the confirmation/denial oracles), and invisibility against a chosen message attack is equivalent to invisibility against a full attack.

Different types of conversion. Traditionally, the convertibility property in undeniable signatures refers to the possibility of converting an individual undeniable signature into an ordinary one (selective conversion), or of publishing a universal receipt that turns all undeniable signatures into publicly verifiable ones (universal conversion). Recently, convertibility in undeniable signatures has been widened to cover further features. The first example is the time-selective conversion property, which was introduced in [Laguillaumie & Vergnaud, 2005] to circumvent the problem caused by the universal conversion of undeniable signatures. In fact, after the signer has revealed the universal trapdoor, all (past and future) undeniable signatures will be publicly verifiable and thus he cannot issue further undeniable signatures with his present key. As a consequence, he needs to (in case he wants to issue new undeniable signatures) generate a new key pair which has to be certified by an authority (PKI) and where the corresponding certificate needs to be generated by all the verifiers. Time-selective conversion is a notion which allows the signer to universally convert, in chronological order, signatures pertaining only to a specific time period: given a time-selective convertible undeniable signature σ for a time period p, it is computationally infeasible to determine which signing secret key was used to generate σ; but with the knowledge of a matching universal receipt for some time period p′ ≥ p, it is easy to determine whether σ is a valid time-selective convertible undeniable signature or not. Next, the gradual conversion was introduced in [El Aimani & Vergnaud, 2007] to generalize the concept of time-selective convertible undeniable signatures to event-selective convertible undeniable signatures, where a signature becomes universally verifiable if a specific event happens and makes the signer publish the corresponding receipt information. In other words, gradual conversion enables the signer to gradually convert signatures achronously (i.e. with time periods made completely independent of each other).