Efficient Convertible Undeniable Signatures with Delegatable Verification


IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, Vol.E94-A, No.1, pp.71-83
Publication Date: 2011/01/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E94.A.71
Print ISSN: 0916-8508
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security)
Category: Identification
Keywords: undeniable signatures, universal/selective convertibility, provable security

Undeniable signatures, introduced by Chaum and van Antwerpen, require a verifier to interact with the signer to verify a signature, and hence allow the signer to control the verifiability of his signatures. Convertible undeniable signatures, introduced by Boyar, Chaum, Damgård, and Pedersen, furthermore allow the signer to convert signatures to publicly verifiable ones by publicizing a verification token, either for individual signatures or for all signatures universally. In addition, the original definition allows the signer to delegate the ability to prove validity and convert signatures to a semi-trusted third party by providing a verification key. While this functionality is implemented by the early convertible undeniable signature schemes, most recent schemes do not consider this form of delegation despite its practical appeal. In this paper we present an updated definition and security model for schemes allowing delegation, and furthermore highlight a new essential security property, token soundness, which is not formally treated in the previous security models for convertible undeniable signatures. We then propose a new convertible undeniable signature scheme. The scheme allows delegation of verification and is provably secure in the standard model assuming the computational co-Diffie-Hellman problem, a closely related problem, and the decisional linear problem are hard. Furthermore, unlike the recently proposed schemes by Phong et al. and Huang et al., our scheme provably fulfills all security requirements while providing short signatures.