
University of Technology Chemnitz
Department of Computer Science
Theoretical Computer Science and Information Security

Technical Report

Breaking and repairing a convertible undeniable signature scheme

Markus Michels, Holger Petersen, Patrick Horster

June

Straße der Nationen, Chemnitz, Germany

Limited distribution notes

This report has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside the University of Technology Chemnitz-Zwickau prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article.

Breaking and repairing a convertible undeniable signature scheme

Markus Michels, Holger Petersen, Patrick Horster

Theoretical Computer Science and Information Security
University of Technology Chemnitz-Zwickau
Straße der Nationen, Chemnitz, Germany
Email: {mmi,hpe,pho}@informatik.tu-chemnitz.de

November

Abstract

In 1990, Boyar, Chaum, Damgård and Pedersen [1] introduced the concept of convertible undeniable signatures. They proved that such schemes exist if and only if one-way functions exist, and further gave an example of a practical convertible undeniable scheme which is based on the ElGamal signature scheme.

In this paper we present an attack on this signature scheme. After the conversion (that is, once the signer releases the secret parameter so that his signatures can be checked by any verifier) we show that there is no security at all: a key-only attacker can forge signatures universally. Thus this scheme might still be used as an undeniable signature scheme, but it possesses only selective and no total convertibility. The attack can also be applied to Pedersen's modification [14] of that scheme. We further show how the convertible undeniable signature scheme can be repaired so that the attack no longer works, and discuss a possibility to strengthen the security of the repaired scheme.

1 Introduction

A property of conventional digital signature schemes is that, once a signature is released by the signer, everybody can check its validity. There are situations where this property is not desirable: the signer should be able to determine which verifier is able to verify a particular signature, without limiting the set of possible verifiers in advance.

In 1989, Chaum and van Antwerpen [4] suggested the notion of undeniable signature schemes, which are characterized by the following properties:

- The signer can decide freely, at any time, to whom he wants to prove the validity of his signature on a document.
- The signer can prove that a wrong signature is not valid (disavowal protocol).
- The signer can prove that a valid signature is indeed valid (confirmation protocol).
- The signer can't prove that a valid signature is not valid.
- The signer can't prove that an invalid signature is valid.

As a result, the signer can't deny signatures he has issued before. Chaum and van Antwerpen proposed the first undeniable signature scheme [4]; later Chaum presented another scheme with zero-knowledge confirmation and disavowal protocols [2].

However, a disadvantage of the scheme given there is that several verifiers who do not trust each other are able to verify a signature simultaneously. This attack was proposed by Desmedt and Yung [5], criticized by Chaum [3], and later strengthened by Jakobsson. Furthermore, Jakobsson [11] pointed out that in the protocol given there the prover never knows which signature is being verified. This can be used by a blackmailer to show the validity of a signed compromising message to the signer's enemies, if the signer agrees to prove the validity of an innocent signed message. However, there are ways to overcome these weaknesses: by proving that either the signature is valid or the prover is the chosen verifier (i.e. knows that verifier's secret key), it is impossible for this verifier to convince other verifiers later. This mechanism is called a designated verifier proof, see [12] for details.

Additionally, modified concepts were presented. Fujioka, Okamoto and Ohta [8] suggested combining the disavowal and confirmation protocols, and Boyar, Chaum, Damgård and Pedersen [1] proposed the concept of (selectively) convertible undeniable signatures. In the latter concept, undeniable signature schemes can be converted into conventional signature schemes, either for all messages or, in the selective case, only for chosen signatures. They proved that secure convertible undeniable signature schemes exist if one-way functions do. Furthermore, they presented an ElGamal-like selectively convertible undeniable signature scheme.

In this paper we review this ElGamal-like selectively convertible undeniable signature scheme, show how to break it after it is converted for all messages, and show how to repair it. Furthermore, we discuss how to strengthen the security of the repaired scheme.

2 An ElGamal-like convertible signature scheme

Now we briefly review the signature scheme described in [1].

Initialization

The certification authority chooses large primes $p$, $q$ with $q \mid p-1$ and a generator $\alpha \in \mathbb{Z}_p^*$ of order $q$. These parameters are common to all users.

Key generation

Each user generates secret parameters $x, z \in \mathbb{Z}_q^*$ and computes $y \equiv \alpha^x \pmod p$. Furthermore, he calculates $u \equiv \alpha^z \pmod p$. His secret keys are $x, z$ and his corresponding public keys are $y, u$.

Signature generation

To sign a message $m$, a signer picks random $t, k \in \mathbb{Z}_q^*$ and computes $T \equiv \alpha^t \pmod p$ and $r \equiv \alpha^k \pmod p$. He solves the signature equation
$$T\,t\,h(m)\,z \equiv x\,r + k\,s \pmod q$$
for the parameter $s$, i.e. $s \equiv k^{-1}\,(T\,t\,h(m)\,z - x\,r) \pmod q$, using the collision-free public hash function $h$. The triple $(T, r, s)$ is the signature on the message $m$.

Confirmation protocol

The signer can convince any verifier of his choice of the validity of a signature. As the verification equation
$$T^{T\,h(m)\,z} \equiv y^r\, r^s \pmod p \qquad (1)$$
holds if a signature is valid, the signer can prove that the discrete logarithm of $y^r r^s \bmod p$ to the base $T^{T\,h(m)} \bmod p$ is the same as the discrete logarithm of $u$ to the base $\alpha$ (both equal $z$), using the zero-knowledge protocol for the equality of two discrete logarithms due to Chaum [2]. Clearly it is assumed that proving the equality of two discrete logarithms can't be done without the help of the signer.
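The core of the confirmation protocol, the interactive proof that the two discrete logarithms are equal, as an added example (this is not the authors' code, and it is a Chaum-Pedersen-style three-move protocol with honest-verifier zero knowledge standing in for the protocol of [2], which this page does not reproduce). The toy group $p = 1019$, $q = 509$, $\alpha = 4$ and the secret $z = 123$ are constructed for the demo;  in the scheme the first (base, target) pair would be $(T^{T h(m)},\, y^r r^s)$ and the second $(\alpha, u)$, both with logarithm $z$.

```python
import random

# Toy group constructed for this example: p = 2q + 1, ALPHA = 4 generates the
# order-q subgroup of Z_p^*.  Real deployments use large p and q.
P, Q, ALPHA = 1019, 509, 4
RNG = random.SystemRandom()


def prover_commit(bases):
    """Move 1: the prover picks w in Z_q^* and sends base_i^w for every base."""
    w = RNG.randrange(1, Q)
    return w, [pow(b, w, P) for b in bases]


def verifier_challenge():
    """Move 2: a nonzero challenge, so a wrong witness is never accepted."""
    return RNG.randrange(1, Q)


def prover_respond(w, witness, c):
    """Move 3: resp = w + c*witness (mod q); uniform in Z_q since w is."""
    return (w + c * witness) % Q


def verifier_check(pairs, commits, c, resp):
    """Accept iff base_i^resp == commit_i * target_i^c (mod p) for every pair."""
    return all(pow(b, resp, P) == cm * pow(t, c, P) % P
               for (b, t), cm in zip(pairs, commits))


def run_proof(pairs, witness):
    """Run the three moves for the claim log_{base_i}(target_i) = witness for all i."""
    w, commits = prover_commit([b for b, _ in pairs])
    c = verifier_challenge()
    return verifier_check(pairs, commits, c, prover_respond(w, witness, c))


def example():
    z = 123                              # signer's secret conversion key (constructed)
    u = pow(ALPHA, z, P)                 # public u = alpha^z
    base = pow(ALPHA, 77, P)             # plays the role of T^(T h(m)) (constructed)
    valid = pow(base, z, P)              # y^r r^s of a valid signature equals base^z
    bogus = pow(base, z + 1, P)          # an invalid signature: its logarithm is not z
    return (run_proof([(base, valid), (ALPHA, u)], z),       # honest signer, valid signature
            run_proof([(base, bogus), (ALPHA, u)], z),       # signer cannot confirm an invalid one
            run_proof([(base, valid), (ALPHA, u)], z + 1))   # prover who does not know z
```

`example()` returns `(True, False, False)`: the honest run is accepted, while a signer trying to confirm an invalid signature, or a prover without $z$, fails on every nonzero challenge. With a single (base, target) pair the same three moves are Schnorr's proof of knowledge of a discrete logarithm.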

Disavowal protocol

The signer can convince any verifier of his choice of the invalidity of a wrong signature. As the verification equation
$$T^{T\,h(m)\,z} \equiv y^r\, r^s \pmod p$$
does not hold if a signature is invalid, the signer can prove that the discrete logarithm of $y^r r^s \bmod p$ to the base $T^{T\,h(m)} \bmod p$ is different from the discrete logarithm of $u$ to the base $\alpha$, using the zero-knowledge protocol for the inequality of two discrete logarithms due to Chaum [2]. Here it is assumed that proving the inequality of two discrete logarithms can't be done without the help of the signer.

Selective conversion

By releasing the secret value $t$, exactly the signature which uses $t$ can be checked by any verifier using the equations
$$u^{t\,T\,h(m)} \equiv y^r\, r^s \pmod p \quad\text{and}\quad \alpha^t \equiv T \pmod p.$$

Total conversion

By releasing the secret parameter $z$, every signature can be checked by any verifier by the verification equation of the confirmation protocol. Clearly, the authenticity of $z$ can be checked by
$$\alpha^z \equiv u \pmod p.$$

3 Breaking the totally converted scheme

We demonstrate how the signature scheme can be forged universally if the secret parameter $z$ is released; then the underlying conventional signature scheme is insecure. The task of an attacker is to find $(T, r, s)$ for a given message $m$ such that
$$T^{T\,h(m)\,z} \equiv y^r\, r^s \pmod p.$$
As he knows $z$ and $y$, he picks a random $a \in \mathbb{Z}_q^*$ and computes $r \equiv y^a \pmod p$ and $T \equiv r^d \pmod p$ using an arbitrary integer $d \in \mathbb{Z}_q^*$. Since $T^{T\,h(m)\,z} \equiv r^{d\,T\,h(m)\,z}$ and $y \equiv r^{a^{-1}} \pmod p$, the verification equation is transformed to
$$r^{\,T\,d\,h(m)\,z - s} \equiv y^r \equiv r^{\,a^{-1} r} \pmod p.$$
Therefore $a^{-1} r \equiv T\,d\,h(m)\,z - s \pmod q$. This equation can be solved for the parameter $s$ by
$$s \equiv T\,d\,h(m)\,z - a^{-1} r \pmod q.$$
As a result, $(T, r, s)$ is a signature on the message $m$, because
$$T^{T\,h(m)\,z} \equiv r^{d\,T\,h(m)\,z} \equiv y^{a\,d\,T\,h(m)\,z} \equiv y^{a\,(s + a^{-1} r)} \equiv y^{as}\, y^{r} \equiv r^s\, y^r \pmod p.$$
Note that the attacker needs neither the secret key $x$ nor a single valid signature: the forgery uses only the public key $y$ and the released parameter $z$.

Thus the signature scheme might be used as a selectively convertible undeniable signature scheme, but it is not totally convertible into a (secure) conventional one.

Clearly, the same attack can be applied to Pedersen's modification [14] of this scheme after the scheme is totally converted by the signer. Again, if the conversion is only done selectively, by distributing pieces of the parameter $t$ to several agents (and this is the main contribution of that paper), the attack doesn't work and the scheme is still secure in this case.

4 Discussion

The design problem of the scheme described in section 2 after total conversion is the following: by choosing the parameter $T$ in relation to $r$, the scheme can be transformed into an insecure variant of the Meta-ElGamal signature scheme in which one coefficient (more precisely, coefficient $A$) is chosen equal to zero; see [10] for details. As a result, it is necessary that at least two authentically known parameters are used as bases in the verification equation. In the conventional ElGamal-like signature schemes these are the generator $\alpha$ and the public key $y$ of the signer. According to this fact it is possible to counter attacks similar to the one described in section 3, as we will show in the next section. Furthermore, an implication of the attack is that additional non-authentic parameters (here the parameter $T$) do not increase the security of a signature scheme but might even weaken the system. Such a signature scheme based on the discrete logarithm can be regarded as a variant of a further extension of the Meta-ElGamal signature scheme. However, it can always be reduced to a variant of the Meta-ElGamal scheme by substituting every non-authentic parameter except $r$ and $s$ by a multiplicative combination of $\alpha$, $y$ and $r$, e.g.
$$T \equiv \alpha^u\, y^v\, r^w \pmod p$$
with suitable $u, v, w \in \mathbb{Z}_q$, different for each non-authentic parameter. The efficiency of generating or verifying a signature with more authentic parameters is slightly decreased and the size of the signature is bigger. Thus adding an additional non-authentic parameter to such signature schemes can only be recommended in those concepts in which additional properties are gained by these parameters.

5 How to repair the scheme using heuristic methods

The scheme described in section 2 can be repaired in a heuristic way such that the attack described above is prevented. Clearly, as in all ElGamal-like schemes, the security can't be proven. The protocols for initialization, key generation, total conversion and selective conversion are the same as before (with the new verification equation in place of the old one), while the protocol for signature generation and the confirmation and disavowal protocols are modified in the following way. The repair is to use both authentic parameters $\alpha$ and $y$ as bases of the verification equation, with a fixed exponent on $\alpha$ that an attacker cannot absorb into powers of $y$ without knowing $x$.

Signature generation

To sign a message $m$, a signer chooses $t, k \in \mathbb{Z}_q^*$ at random and computes $T \equiv \alpha^t \pmod p$ and $r \equiv \alpha^k \pmod p$. He solves the signature equation
$$T\,t\,h(m)\,z \equiv 1 - x\,r + k\,s \pmod q$$
for the parameter $s$, i.e. $s \equiv k^{-1}\,(T\,t\,h(m)\,z + x\,r - 1) \pmod q$, using the collision-free public hash function $h$. Then $(T, r, s)$ is the signature on the message $m$.

Confirmation protocol

The signer can convince any verifier of his choice of the validity of a signature. As the verification equation
$$T^{T\,h(m)\,z}\, y^r \equiv \alpha\, r^s \pmod p, \quad\text{i.e.}\quad T^{T\,h(m)\,z} \equiv \alpha\, y^{-r}\, r^s \pmod p, \qquad (2)$$
holds if a signature is valid, the signer can prove that the discrete logarithm of $\alpha\, y^{-r} r^s \bmod p$ to the base $T^{T\,h(m)} \bmod p$ is the same as the discrete logarithm of $u$ to the base $\alpha$, using a zero-knowledge protocol for the equality of two discrete logarithms.

Disavowal protocol

The signer can convince any verifier of his choice of the invalidity of an invalid signature. As the verification equation (2) does not hold if a signature is invalid, the signer can prove that the discrete logarithm of $\alpha\, y^{-r} r^s \bmod p$ to the base $T^{T\,h(m)} \bmod p$ is different from the discrete logarithm of $u$ to the base $\alpha$, using a zero-knowledge protocol for the inequality of two discrete logarithms.
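The scheme of section 2, the key-only forgery of section 3 and the repaired signature equation of this section side by side, as an added example (not the authors' code or any published implementation). Assumptions: parameters are generated at demo size (160-bit $q$, 512-bit $p$; production parameters must be larger), $h$ is SHA-256 reduced into $\mathbb{Z}_q^*$ (the paper only requires a collision-free hash), secrets and nonces come from the system RNG, and the repaired equation is the one read off verification equation (2), $T\,t\,h(m)\,z \equiv 1 - x r + k s \pmod q$.

```python
"""BCDP convertible undeniable signatures, the forgery after total conversion,
and the repaired equation.  Added example for this page; demo-sized parameters."""
import hashlib
import random

RNG = random.SystemRandom()


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits=160, pbits=512):
    """Initialization: primes p, q with q | p-1 and alpha of order q (sizes: assumption)."""
    q = 0
    while not is_probable_prime(q):
        q = RNG.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    p = 0
    while not is_probable_prime(p):           # p = k*q + 1 with k even
        p = ((RNG.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1) * q + 1
    alpha = 1
    while alpha == 1:
        alpha = pow(RNG.randrange(2, p - 1), (p - 1) // q, p)
    return p, q, alpha


def h(m, q):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q or 1  # into Z_q^* (assumption: 0 -> 1)


def keygen(p, q, alpha):
    """Secret (x, z), public (y, u) = (alpha^x, alpha^z)."""
    x, z = RNG.randrange(1, q), RNG.randrange(1, q)
    return (x, z), (pow(alpha, x, p), pow(alpha, z, p))


def sign(p, q, alpha, x, z, m):
    """Original scheme: s solves T*t*h(m)*z = x*r + k*s (mod q); returns signature and t."""
    t, k = RNG.randrange(1, q), RNG.randrange(1, q)
    T, r = pow(alpha, t, p), pow(alpha, k, p)
    s = (T * t * h(m, q) * z - x * r) * pow(k, -1, q) % q
    return (T, r, s), t


def verify_total(p, q, y, z, m, sig):
    """Verification equation (1): T^(T h(m) z) = y^r r^s (mod p); needs the converted z."""
    T, r, s = sig
    return pow(T, T * h(m, q) * z % q, p) == pow(y, r, p) * pow(r, s, p) % p


def verify_selective(p, q, alpha, y, u, m, sig, t):
    """With t released: alpha^t = T and u^(t T h(m)) = y^r r^s (mod p)."""
    T, r, s = sig
    return (pow(alpha, t, p) == T and
            pow(u, t * T * h(m, q) % q, p) == pow(y, r, p) * pow(r, s, p) % p)


def forge_total(p, q, y, z, m):
    """Section 3: universal forgery from the public y and the released z alone."""
    a, d = RNG.randrange(1, q), RNG.randrange(1, q)
    r = pow(y, a, p)                        # r = y^a, hence y = r^(1/a)
    T = pow(r, d, p)                        # T = r^d, hence T^(T h z) = r^(d T h z)
    s = (T * d * h(m, q) * z - pow(a, -1, q) * r) % q
    return T, r, s


def sign_repaired(p, q, alpha, x, z, m):
    """Section 5: s solves T*t*h(m)*z = 1 - x*r + k*s (mod q)."""
    t, k = RNG.randrange(1, q), RNG.randrange(1, q)
    T, r = pow(alpha, t, p), pow(alpha, k, p)
    s = (T * t * h(m, q) * z + x * r - 1) * pow(k, -1, q) % q
    return (T, r, s), t


def verify_repaired(p, q, alpha, y, z, m, sig):
    """Verification equation (2): T^(T h(m) z) y^r = alpha r^s (mod p)."""
    T, r, s = sig
    return pow(T, T * h(m, q) * z % q, p) * pow(y, r, p) % p == alpha * pow(r, s, p) % p


def demo(m=b"constructed sample message"):
    """(genuine ok, selective ok, forgery passes (1), repaired genuine ok, forgery passes (2))."""
    p, q, alpha = gen_params()
    (x, z), (y, u) = keygen(p, q, alpha)
    sig, t = sign(p, q, alpha, x, z, m)
    forged = forge_total(p, q, y, z, m)
    rsig, _ = sign_repaired(p, q, alpha, x, z, m)
    return (verify_total(p, q, y, z, m, sig),
            verify_selective(p, q, alpha, y, u, m, sig, t),
            verify_total(p, q, y, z, m, forged),             # True: forgery accepted
            verify_repaired(p, q, alpha, y, z, m, rsig),
            verify_repaired(p, q, alpha, y, z, m, forged))   # False: the lone alpha blocks it
```

`demo()` returns `(True, True, True, True, False)`: the section-3 forgery satisfies (1) exactly, but against (2) it would need $\alpha \equiv y^{-2r}$, which holds only with probability about $1/q$. Everything in `forge_total` is computable from $y$, $z$ and $m$; no signing oracle is involved.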

Security considerations

We argue that even a more generalized version of the attack described above doesn't work any more. Again, the task of an attacker is to find $(T, r, s)$ for a given message $m$ so that
$$T^{T\,h(m)\,z}\, y^r \equiv \alpha\, r^s \pmod p$$
holds. As he knows $z$ and $y$, he can fix $r$ and $T$ by
$$r \equiv y^a\, \alpha^b \pmod p \quad\text{and}\quad T \equiv y^c\, \alpha^d \pmod p$$
with some $a, b, c, d \in \mathbb{Z}_q$. With $f := T\,h(m)\,z \bmod q$ the verification equation can be transformed to
$$y^{\,r + c f - a s} \equiv \alpha^{\,1 - d f + b s} \pmod p.$$
We assume that the exponents on both sides of this equation are equal to $0$ modulo $q$ in order to fulfil the equation (any non-trivial exponents $E_1, E_2$ known to the attacker with $y^{E_1} \equiv \alpha^{E_2}$ would enable him to compute the secret key $x \equiv E_2 E_1^{-1} \pmod q$). Therefore we get
$$r + c\,f \equiv a\,s \pmod q \quad\text{and}\quad d\,f \equiv 1 + b\,s \pmod q.$$
By eliminating the parameter $s$ we obtain
$$a + b\,r \equiv (a\,d - b\,c)\, f \pmod q.$$
As it's not known how to choose $a, b$ and $r$ (or $c, d$ and $T$) simultaneously, the goal of the attacker is to eliminate $r$ and $T$ (i.e. $f$) from the equation. Note that neither $a, b$ nor $c, d$ should both be $0$, because otherwise $r$ or $T$ would be equal to $1$. The attack of section 3 can be transformed into such an attack: there the attacker chooses $b = 0$ to eliminate $r$, and $a d - b c = 0$ to eliminate $T$, which determines $f$. As $a \neq 0$ must hold, we have $d = 0$. Now the equation simplifies to $a \equiv 0 \pmod q$, which is a contradiction.

Clearly nothing can be proved here, but it should be noted that e.g. the security of the DSA [13] relies on a similar problem, which is sufficient but not necessary to forge a DSA signature universally. If $r \equiv (\alpha^a\, y^b \bmod p) \pmod q$ for a given $m$ and the attacker is able to find $a, b, r$ such that
$$r \equiv a^{-1}\, b\, h(m) \pmod q$$
holds, he could compute $s \equiv h(m)\, a^{-1} \pmod q$. As a result, the congruence
$$r \equiv \left(\alpha^{h(m)\, s^{-1}}\, y^{r\, s^{-1}} \bmod p\right) \pmod q$$
would hold; therefore he could find a DSA signature $(r, s)$ for the message $m$.

6 How to strengthen the security of the repaired scheme

The security of the repaired scheme can be strengthened in the case where the signer is honest. Let the signer additionally prove in zero-knowledge, in the confirmation protocol, that he knows the discrete logarithms $k$ and $t$ of the parameters $r$ and $T$, using the protocol given in [15]. If the signer proves the validity of a valid signature and the verifier accepts the proof, then the verifier knows that the signer knows the parameters $k$, $t$ and $z$, and therefore (by the signature equation) the secret key $x$. If an attacker has forged a signature for an (even nonsensical) message and can convince the verifier in the confirmation protocol that this signature is valid, then the verifier knows that the attacker must know the secret keys $x$ and $z$. Therefore existential forgery is equivalent to a total break of the scheme in this case. However, if the signer claims a signature to be wrong but can't prove it, it is not possible to prove anything about the attacker's knowledge or strength. Thus the security of the scheme is still heuristic. It would be desirable to obtain an efficient convertible undeniable signature scheme which is provably secure in the sense of Goldwasser, Micali and Rivest [9].

7 Conclusion

We have pointed out that the ElGamal-like convertible undeniable signature scheme proposed by Boyar, Chaum, Damgård and Pedersen [1] is insecure if it is converted totally. We have further shown that the scheme can be repaired so that the attack doesn't work any more, and discussed some ways to strengthen the security of the repaired scheme. However, the security of the modified scheme can't be proven and is only heuristic. Further work should be done to develop a provably secure, efficient convertible undeniable signature scheme.

Acknowledgement

The authors would like to thank Markus Jakobsson for helpful comments.

References

[1] J. Boyar, D. Chaum, I. Damgård, T. Pedersen: Convertible undeniable signatures. Advances in Cryptology, Proc. Crypto '90, Lecture Notes in Computer Science 537, Springer-Verlag, 1991.

[2] D. Chaum: Zero-knowledge undeniable signatures. Advances in Cryptology, Proc. Eurocrypt '90, Lecture Notes in Computer Science 473, Springer-Verlag, 1991.

[3] D. Chaum: Some weaknesses of "Weaknesses of Undeniable Signatures". Advances in Cryptology, Proc. Eurocrypt '91, Lecture Notes in Computer Science 547, Springer-Verlag, 1991.

[4] D. Chaum, H. van Antwerpen: Undeniable Signatures. Advances in Cryptology, Proc. Crypto '89, Lecture Notes in Computer Science 435, Springer-Verlag, 1990.

[5] Y. Desmedt, M. Yung: Weaknesses of undeniable signature schemes. Advances in Cryptology, Proc. Eurocrypt '91, Lecture Notes in Computer Science 547, Springer-Verlag, 1991.

[6] W. Diffie, M. Hellman: New directions in cryptography. IEEE Transactions on Information Theory, Vol. IT-22, No. 6, November 1976.

[7] T. ElGamal: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, Vol. IT-31, No. 4, July 1985.

[8] A. Fujioka, T. Okamoto, K. Ohta: Interactive Bi-Proof Systems and undeniable signature schemes. Advances in Cryptology, Proc. Eurocrypt '91, Lecture Notes in Computer Science 547, Springer-Verlag, 1991.

[9] S. Goldwasser, S. Micali, R. Rivest: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, Vol. 17, No. 2, 1988.

[10] P. Horster, M. Michels, H. Petersen: Meta-ElGamal signature schemes. Proc. of the 2nd ACM Conference on Computer and Communications Security, Fairfax, 1994.

[11] M. Jakobsson: Blackmailing using undeniable signatures. Advances in Cryptology, Proc. Eurocrypt '94, Lecture Notes in Computer Science 950, Springer-Verlag, 1995.

[12] M. Jakobsson: Designated verifier proofs, or making proofs of knowledge non-transferable. Manuscript, available at http://www-cse.ucsd.edu/users/markus

[13] National Institute of Standards and Technology: Federal Information Processing Standards Publication FIPS PUB 186, Digital Signature Standard (DSS), May 1994.

[14] T. P. Pedersen: Distributed provers with applications to undeniable signatures. Advances in Cryptology, Proc. Eurocrypt '91, Lecture Notes in Computer Science 547, Springer-Verlag, 1991.

[15] C. P. Schnorr: Efficient signature generation by smart cards. Journal of Cryptology, Vol. 4, 1991.