Previous | Table of Contents | Next |
Like the previous protocol, a group of signers use a shared public large prime, p, and a primitive element, g. Alice has a unique private key, x, and a public key, gx mod p. To sign a message, Alice computes z =mx mod p.
To verify a signature:
Alice can also disavow a signature, z, for a message, m. See [329] for details.
Additional protocols for undeniable signatures can be found in [584,344]. Lein Harn and Shoubao Yang proposed a group undeniable signature scheme [700].
Convertible Undeniable Signatures
An algorithm for a convertible undeniable signature, which can be verified, disavowed, and also converted to a conventional digital signature is given in [213]. Its based on the ElGamal digital signature algorithm.
Like ElGamal, first choose two primes, p and q, such that q divides p -1. Now you have to create a number, g, less than q. First choose a random number, h, between 2 and p -1. Calculate
If g equals the 1, choose another random h. If it doesnt, stick with the g you have.
The private keys are two different random numbers, x and z, both less than q. The public keys are p, q, g, y, and u, where
To compute the convertible undeniable signature of message m (which is actually the hash of a message), first choose a random number, t, between 1 and q -1. Then compute
and
Now, compute the standard ElGamal signature on m'. Choose a random number, R, such that R is less than and relatively prime to p -1. Then compute r =gR mod p, and use the extended Euclidean algorithm to compute s, such that
The signature is the ElGamal signature (r, s), and T.
Heres how Alice verifies her signature to Bob:
Alice can convert all of her undeniable signatures to normal signatures by publishing z. Now, anyone can verify her signature without her help.
Undeniable signature schemes can be combined with secret-sharing schemes to create distributed convertible undeniable signatures [1235]. Someone can sign a message, then distribute the ability to confirm that the signature is valid. He might, for example, require three out of five people to participate in the protocol in order to convince Bob that the signature is valid. Improvements on this notion deleted the requirement for a trusted dealer [700,1369].
Heres how Alice can sign a message and Bob can verify it, such that Carol can verify Alices signature at some later time to Dave (see Section 4.4) [333].
First, a large prime, p, and a primitive element, g, are made public and used by a group of users. The product of two primes, n, is also public. Carol has a private key, z, and a public key is h =gx mod p.
In this protocol Alice can sign m such that Bob is convinced that the signature is valid,but cannot convince a third party.
Bob cannot use a transcript of this proof to convince Dave that the signature is genuine, but Dave can conduct a protocol with Alices designated confirmer, Carol. Heres how Carol convinces Dave that a and bconstitute a valid signature.
In another protocol Carol can convert the designated-confirmer protocol into a conventional digital signature. See [333] for details.
Previous | Table of Contents | Next |