• No results found

Recent trends

We summarize in the following section the main directions of research on undeniable signatures.

Revisiting previous constructions. There have been a number of works devoted to the analy- sis of previous constructions of undeniable signatures. The first of such projects dates back to 2001 [Okamoto & Pointcheval, 2001] where the authors introduce a novel class of computational problems, namely the gap problems. They further show how a particular instance based on the Diffie-Hellman problems, namely the GDH problem, can serve to solve a more than 10-year old open security problem: Chaum’s undeniable signature. Later, in [Ogata et al., 2005], the authors improved the analysis in [Okamoto & Pointcheval, 2001], and showed that the security of the FDH variant of Chaum’s scheme with NIZK confirmation and disavowal protocols is equivalent to the CDH problem. They achieve this by introducing a new kind of adversarial goal called forge- and-impersonate in undeniable signature schemes, classifying the security of the FDH variant of Chaum’s undeniable signature scheme according to three dimensions, i.e. the goal of adversaries, the attacks and the ZK level of confirmation and disavowal protocols, and finally relating each security to some well-known computational problem.

The next two schemes that were revisited are those by Damg˚ard and Pederesen [Damg˚ard & Ped- ersen, 1996] and by Michels et al. [Michels et al., 1996], which were addressed in [El Aimani, 2008] and [El Aimani & Vergnaud, 2007] and will be subjects of the two upcoming chapters resp. Finally, we mention the claimed attack [Li et al., 2007] on Libert and Quisquater [Libert & Quisquater, 2004]’s ID-based undeniable signature; the authors show that if a valid message- signature pair has been revealed, an adversary can forge the signer’s signature on any arbitrary message for which the signer has no way to deny it. This attack turns out to be flawed as the authors confuse points on an elliptic curve with elements inZ×

q, whereq is the order of the group

formed by the elliptic curve points.

Generic constructions. The next direction of research was dedicated to the design of generic constructions of undeniable signatures. The first result in this line is the MOVA construction [Mon-

nerat & Vaudenay, 2004b,a; Monnerat et al., 2005] described earlier in Section 6.6. Next, there is the result due to Galindo et al. [Galindo et al., 2006] where the authors propose a technique for building identity based schemes with further properties. For instance, they provide a generic con- struction for ID-based undeniable signatures from a digital and an undeniable signature schemes. Later, the result in [Huang et al., 2007a] proposes a generic construction for universally-convertible undeniable signatures; the construction is based on three building blocks: a strongly unforgeable classic signature scheme, a selectively-convertible undeniable signature scheme and a collision- resistant hash function. Finally, in [El Aimani, 2008, 2009a], we propose a generic construction of convertible undeniable signatures (both selectively and universally) from any digital signature scheme and any encryption scheme obtained from the hybrid encryption paradigm. We must also cite the construction [Zhu, 2004] which realizes the “signature of an encryption” paradigm.

Efficient signatures with strong security properties. Alleviation or removal of the idealized models and basing the security on popular and reasonable security properties was a tangible pur- pose in the recent proposals of undeniable signatures. We note as examples [Huang et al., 2007b; El Aimani, 2008, 2009a; Le Trieu et al., 2009, 2010; Schuldt & Matsuura, 2010; Huang & Wong, 2009]. It is worth noting that most of these proposals are based on the sign-then-encrypt paradigm. Moreover, efficiency, which translates in having short signatures with small generation, verification and conversion cost, was also a main intent in the recent proposals of undeniable signatures. All the previously mentioned schemes achieve also these properties as their underlying encryption layer relies on an IND-CPA secure encryption scheme. Finally, we note that it is was also desirable recently to reach a minimal number of moves between the signer and the verifier of an undeniable signature. The already mentioned signatures have constant nay four round confirmation/denial protocols. Fewer moves have been achieved by [Kurosawa & Heng, 2005; Monnerat & Vaudenay, 2005] but at the expense of security; both constructions have recourse to the random oracle model for the security analysis.

6.8

Conclusion

In this chapter, we browsed quickly through the different realizations in the area of undeniable signatures. We will continue in the next two chapters by having a closer look at two proposals, namely [Damg˚ard & Pedersen, 1996] and [Michels et al., 1996]; we will disprove the conjecture on the invisibility of the former and provide a recast of the underlying construction which achieves strong security features. Moreover, we redefine the security model of the latter so that it captures a new property, namely the gradual conversion, and we provide a formal security analysis of the scheme in this new model.

Chapter 7

Damg˚ard-Pedersen’s Undeniable Signatures

Revisited

Abstract. Damg˚ard-Pedersen’s [Damg˚ard & Pedersen, 1996] undeniable signa-

tures were proposed in 1996, and consist in first generating a provably secure variant of ElGamal’s signature, e.g. the Modified ElGamal signature scheme [Pointcheval & Stern, 2000], on the given message, then encrypting the message-key-dependent part using either Rabin’s or ElGamal’s encryption. These signatures were proven to have their unforgeability resting on the discrete logarithm problem. Concerning invisibility, it is conjectured to rest on the factorization problem in case the Rabin encryption is used, and on the DDH problem otherwise. This conjectural security was reported recently in [Kurosawa & Takagi, 2006] as the authors used a similar approach to devise their undeniable signatures.

In this chapter, we focus on the variant using ElGamal’s encryption; we disprove the speculative invisibility in the model defined in [Damg˚ard & Pedersen, 1996], and we provide a complete attack on the scheme in a very popular model. Besides, we propose a fix to the scheme which allows to achieve very strong security features; the security analysis is done in a more general framework where the refined scheme is seen as a special instantiation of this framework.

Parts of the results in this chapter appeared in the publication [El Aimani, 2009a] in the proceedings of Africacrypt 2009.