
In order to prevent others from learning the secret keys, we propose a fully public-key traitor-tracing scheme. Perfect long-livedness and anonymity are achieved. Furthermore, it is a simple task to recompute the encryption key if needed. By the choice of parameters, our scheme can be plaintext-secure or semantically secure against a passive generic adversary. The tracing algorithm is n-traceable and captures all and only traitors. This holds even if the pirate decoder is a black box.

Group Undeniable Signatures with Convertibility

Group undeniable signatures are like group signatures except that verifying signatures requires the cooperation of the group manager. A convertible group undeniable signature scheme allows the group manager to turn selected group undeniable signatures into universally verifiable group signatures. In this chapter we propose such a scheme and discuss its efficiency and security.

5.1 Introduction

Digital signatures are used to verify whether a message really comes from the alleged signer. In general, the signer keeps a secret value to generate his signature and publishes the corresponding public information for verification purposes. Like handwritten signatures, standard digital signatures are nonrepudiatable and universally verifiable. Nonrepudiation guarantees that a signer cannot deny his signature at a later time. Universal verifiability allows everybody to verify a signature with the signer's public information. However, universal verifiability might not suit the situation where, for example, signatures are generated for sensitive, nonpublic data.

Consider two parties striking a confidential deal. Each party wants the other to sign the contract but does not want the contents of the contract released with signatures that can be universally verified. What they need is a signature scheme whose verification requires interaction with the signers, who then have some control over the sensitive data.

In 1989, Chaum and van Antwerpen [51] introduced undeniable signatures, in which anyone must interact with the signer to verify a valid signature through a confirmation protocol, and the signer must be able to disavow an invalid signature through a denial protocol. That is, undeniable signatures require that signature verification be done with the signer's participation. Subsequent works on undeniable signatures include [22, 48, 49, 46, 70, 75, 94, 98, 124, 125, 126, 163, 164, 175, 179].
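To make the confirmation and denial protocols concrete, the following Python is an added illustration of the Chaum–van Antwerpen construction cited above [51]; it is not part of this chapter and is not the group scheme proposed in it. It assumes the textbook form of that scheme (a safe prime p = 2q + 1, a generator α of the order-q subgroup, secret key a, public key β = α^a, signature y = x^a on a message x hashed into the subgroup). The 63-bit safe prime found at import time, the seeded RNG and the sample contract string are assumptions made only so the run is reproducible; a deployment would use standardized group parameters and `secrets`.

```python
"""Chaum-van Antwerpen undeniable signatures: sign, confirm, disavow.

Added example. Parameters are toy-sized (63-bit safe prime) and the
verifier's challenges come from a seeded RNG for reproducibility only.
"""
import hashlib
import random


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int):
    """Smallest q >= start with q and p = 2q + 1 both prime. Returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(1 << 62)   # assumed toy parameters, see lead-in
ALPHA = 4                         # 2^2 is a quadratic residue, so it has order Q


def hash_to_subgroup(msg: bytes) -> int:
    """Map a message into the order-Q subgroup (squares mod P), avoiding 0 and 1."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 3) + 2
    return pow(h, 2, P)


class Signer:
    def __init__(self, rng: random.Random):
        self.a = rng.randrange(1, Q)          # secret signing key
        self.a_inv = pow(self.a, -1, Q)       # 1/a mod Q, used in both protocols
        self.beta = pow(ALPHA, self.a, P)     # public key

    def sign(self, msg: bytes) -> int:
        return pow(hash_to_subgroup(msg), self.a, P)

    def respond(self, challenge: int) -> int:
        # The signer's only move in both protocols: raise the challenge to 1/a.
        return pow(challenge, self.a_inv, P)


def confirm(beta: int, respond, msg: bytes, sig: int, rng: random.Random) -> bool:
    """Verifier's side of the confirmation protocol against a responder."""
    x = hash_to_subgroup(msg)
    e1, e2 = rng.randrange(1, Q), rng.randrange(1, Q)
    d = respond(pow(sig, e1, P) * pow(beta, e2, P) % P)
    return d == pow(x, e1, P) * pow(ALPHA, e2, P) % P


def disavow(beta: int, respond, msg: bytes, sig: int, rng: random.Random) -> str:
    """Verifier's side of the denial protocol. Two challenges, then a consistency check."""
    x = hash_to_subgroup(msg)
    e1, e2 = rng.randrange(1, Q), rng.randrange(1, Q)
    d = respond(pow(sig, e1, P) * pow(beta, e2, P) % P)
    if d == pow(x, e1, P) * pow(ALPHA, e2, P) % P:
        return "valid"            # the signer confirmed instead of denying
    f1, f2 = rng.randrange(1, Q), rng.randrange(1, Q)
    D = respond(pow(sig, f1, P) * pow(beta, f2, P) % P)
    if D == pow(x, f1, P) * pow(ALPHA, f2, P) % P:
        return "valid"
    # An honest signer always satisfies this; a signer lying about a valid
    # signature satisfies it with probability about 1/Q.
    lhs = pow(d * pow(ALPHA, -e2, P) % P, f1, P)
    rhs = pow(D * pow(ALPHA, -f2, P) % P, e1, P)
    return "forged" if lhs == rhs else "cheating signer"


def demo() -> dict:
    rng = random.Random(2024)                 # seeded for reproducibility only
    alice = Signer(rng)
    msg = b"contract: buyer pays 100 units"   # constructed sample message
    sig = alice.sign(msg)
    forged = pow(ALPHA, rng.randrange(1, Q), P)
    while forged == sig:
        forged = pow(ALPHA, rng.randrange(1, Q), P)
    # A signer trying to deny a valid signature by answering with a wrong exponent.
    liar = lambda c: pow(c, alice.a_inv * 2 % Q, P)
    return {
        "confirm_valid": confirm(alice.beta, alice.respond, msg, sig, rng),
        "confirm_forged": confirm(alice.beta, alice.respond, msg, forged, rng),
        "disavow_forged": disavow(alice.beta, alice.respond, msg, forged, rng),
        "disavow_valid_honest": disavow(alice.beta, alice.respond, msg, sig, rng),
        "disavow_valid_liar": disavow(alice.beta, liar, msg, sig, rng),
    }


if __name__ == "__main__":
    print(demo())
```

The point the chapter makes is visible in `confirm` and `disavow`: a verifier holding only (msg, sig, β) cannot decide validity by itself, because every check depends on a response computed with the signer's secret exponent 1/a, and a transcript convinces no third party since the verifier could have fabricated it by choosing d first. Equally, the denial protocol's final consistency check is what stops the signer from repudiating a signature that is genuine.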

Convertible undeniable signatures offer additional flexibility in signature verification. By releasing appropriate verification keys, the signer can convert all or selected undeniable signatures into standard digital signatures without compromising the security of the secret key used to generate the signatures. Furthermore, the signer can also give the verification keys to trusted parties so that they can help handle the verification task. As an example of why convertible undeniable signatures are preferable to undeniable signatures, consider the problem of keeping digital archives of confidential political or diplomatic documents. Authenticating such records with standard digital signatures is hardly acceptable: if the data are leaked to the press, anyone can verify the signatures and thus the authenticity of the records. Undeniable signatures are clearly more suitable here. However, such records usually become publicly accessible after some years under freedom-of-information laws and should therefore become publicly verifiable. At that point the signers who generated the original undeniable signatures may no longer be alive, or physically fit to handle the vast number of verification requests. This can be solved with convertibility: the signers could make the verification keys public, or give them to trusted parties, who would assume the job of verifying the signatures.

In 1990, Boyar et al. [22] introduced the concept of convertible undeniable signatures. The convertible schemes in [22, 70] consider converting valid undeniable signatures into universally verifiable ones. Michels and Stadler [164] present a convertible undeniable signature scheme in which the signer can convert not only valid undeniable signatures into standard digital signatures but also invalid undeniable signatures into universally verifiable statements of the fact that the signatures are invalid.

In contrast to individual signatures, a group signature scheme allows a group member to sign messages anonymously on behalf of a group. Analogous to standard digital signatures, group signatures are both nonrepudiatable and universally verifiable. In case of later disputes, a designated group manager can use the group signature to trace the actual identity of the signer. But no one, including the group manager, can attribute a valid signature to a nonsigner. Group signatures have many practical applications, such as authenticating price quotes and digital contracts. The concept of group signatures was introduced by Chaum and van Heyst [44]. Camenisch and Stadler [38] present the first scheme in which the sizes of the public key and signatures are independent of the group size. More works on group signatures include [4, 5, 6, 34, 35, 39, 55, 54, 180].

However, as mentioned above, if group signatures are used for sensitive and nonpublic data, the group manager may want no one to be able to verify the signatures without his participation. For example, when an employee signs a digital contract about a confidential business deal, it is desirable that no one can authenticate the contract without the help of the manager, even if the contract is leaked to competitors. The signature is regarded simply as evidence that the contract has been signed by some group member, and the signature cannot be denied later. We will call these signatures group undeniable signatures. Lyuu and Wu [145, 147] were the first to introduce group undeniable signatures satisfying the following requirements: (1) only group members can anonymously sign on behalf of the group (anonymity); (2) a verifier must interact with the group manager to verify the signature (nontransferability); (3) the group manager can identify the signer of a valid signature (traceability). In addition, we will propose the first convertible group undeniable signature scheme, in which the group manager can convert all or selected group undeniable signatures into universally verifiable ones without compromising the security of the secret signing key. The proposed scheme also allows the group manager to delegate the ability to confirm and deny signatures to trusted parties without giving them the capability of generating signatures.

The convertibility feature is very useful in practice. Consider the situation of a software company. A software engineer signs off on a software product on behalf of the company. When asked, a company manager can prove to the buyer that the product is authentic by confirming the signature's validity. For nonbuyers, in contrast, the manager may refuse to prove the authenticity of the software. But once the company goes bankrupt, authenticity is no longer provable. Now suppose the group undeniable signatures are convertible. Then the manager can convert selected signatures into group signatures while the company is still in business; thus buyers can continue to validate the software if necessary. Even after conversion, no one is able to derive the secret key used to generate signatures; thus the original company's signatures cannot be forged. In addition, the manager can delegate the capability of verifying signatures to trusted parties to share the load or to step in if the company fails.

In this chapter, we use signatures of knowledge [38] and undeniable signatures [48] to construct a convertible group undeniable signature scheme. Under reasonable cryptographic assumptions, our signature scheme will be proved to be anonymous, nontransferable, traceable, unforgeable, exculpable, and unlinkable. Moreover, no colluding subset of group members can generate valid signatures that cannot be traced. The signature confirmation and denial protocols can further be made zero-knowledge. Finally, the sizes of the public key and signatures are independent of the group size. This desirable feature means the system remains efficient as the group grows.

This chapter is organized as follows. In Section 5.2, useful facts and cryptographic assumptions from number theory are described. In addition, the signatures of knowledge that are used as building blocks of our scheme are reviewed. In Section 5.3, the convertible group undeniable signature model and the proposed scheme are presented. Section 5.4 discusses its security. Conclusions are given in Section 5.5.