Undeniable signature

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Undeniable signature is a digital signature scheme and implementation invented by David Chaum and Hans van Antwerpen in 1989.[1]

In this scheme, a signer possessing a private key can publish a signature of a messages. However, the signature reveals nothing to a recipient/verifier of the message and signature without taking part in either of two interactive protocols:

  • Confirmation protocol, which confirms that a candidate is a valid signature of the message issued by the signer, identified by the public key.
  • Disavowal protocol, which confirms that a candidate is not a valid signature of the message issued by the signer.

The motivation for the scheme is to allow the signer to determine to whom he verifies or disavows a signature, and it is the interactive nature of the protocols that allows this; i.e., the result of each protocol is non-transferable. However, if there were only a confirmation protocol, there would be no way to distinguish between:

  • the case that the signature is not a valid signature by the signer at issue, and
  • the case that the signature was a valid signature by the signer at issue, but the signer now chooses not to take part in verification.

The disavowal protocol provides an interactive (i.e., non-transferable) proof of the former case.

The designated verifier signature scheme improves upon deniable signatures by allowing, for each signature, the interactive portion of the scheme to be offloaded onto another party, a designated verifier, reducing the burden on the signer.

Chaum's implementation[edit]

The following protocol was suggested by David Chaum.[2]

A group, G, is chosen in which the discrete logarithm problem is intractable, and all operation in the scheme take place in this group. Commonly, this will be the finite cyclic group of order p contained in Z/nZ, with p being a large prime number; this group is equipped with the group operation of integer multiplication modulo n. An arbitrary primitive element (or generator), g, of G is chosen; computed powers of g then combine obeying fixed axioms.

Alice generates a key pair, randomly chooses a private key, x, and then derives and publishes the public key, y = gx.

Message signing[edit]

  1. Alice signs the message, m, by computing and publishing the signature, z = mx.

Confirmation (i.e., avowal) protocol[edit]

Bob wishes to verify the signature, z, of m by Alice under the key, y.

  1. Bob picks two random numbers: a and b, and uses them to blind the message, sending to Alice:
    c = magb.
  2. Alice picks a random number, q, uses it to blind, c, and the signing this using her private key, x, sending to Bob:
    s1 = cgq and
    s2 = s1x.
    Note that
    s1x = (cgq)x = (magb)xgqx = (mx)a(gx)b+q = zayb+q.
  3. Bob reveals a and b.
  4. Alice verifies that c is not dishonest and was computed from a and b, then reveals q.
  5. Bob verifies s1 = cgq, proving q has not been chosen dishonestly, and
    s2 = zayb+q,
    proving z is valid signature issued by Alice's key. Note that
    zayb+q = (mx)a(gx)b+q.

Alice can cheat at step 2 by attempting to randomly guess s2.

Disavowal protocol[edit]

Alice wishes to convince Bob that z is not a valid signature of m under the key, gx; i.e., z ≠ mx. Alice and Bob have agreed an integer, k, which sets the computational burden on Alice and the likelihood that she should succeed by chance.

  1. Bob picks random values, s ∈ {0, 1, ..., k} and a, and sends:
    v1 = msga and
    v2 = zsya,
    where exponentiating by a is used to blind the sent values. Note that
    v2 = zsya = (mx)s(gx)a = v1x.
  2. Alice, using her private key, computes v1x and then the quotient,
    v1xv2−1 = (msga)x(zsgxa)−1 = msxz−s = (mxz−1)s.
    Thus, v1xv2−1 = 1, unless zmx.
  3. Alice then tests v1xv2−1 for equality against the values:
    (mxz−1)i for i ∈ {0, 1, …, k};
    which are calculated by repeated multiplication of mxz−1 (rather than exponentiating for each i). If the test succeeds, Alice conjectures the relevant i to be s; otherwise, she conjectures random value. Where z = mx, (mxz−1)i = v1xv2−1 = 1 for all i, s is unrecoverable.
  4. Alice commits to i: she picks a random r and sends hash(r, i) to Bob.
  5. Bob reveals a.
  6. Alice confirms v1 and v2 are honest (i.e., can be generated using a) then reveals r.
  7. Bob checks hash(r, i) = hash(r, s), proving Alice knows s, hence zmx.

If Alice attempts to cheat at step 3 by guessing s at random, the probability of succeeding is 1/(k + 1). So, if k = 1023 and the protocol is conducted ten times, her chances are 1 to 2100.

See also[edit]


  1. ^ Chaum, David; van Antwerpen, Hans (1990). "Undeniable Signatures". LNCS. 435: 212–216. 
  2. ^ Chaum, David (1991). "Zero-Knowledge Undeniable Signatures". Advances in Cryptology EUROCRYPT '90 Proceedings: 458–462.