This preview shows page 1. Sign up to view the full content.
Unformatted text preview: p) Alice can also disavow a signature, z, for a message, m. See [329] for details. Additional protocols for undeniable signatures can be found in [584,344]. Lein Harn and Shoubao Yang proposed a group undeniable signature scheme [700]. Convertible Undeniable Signatures
An algorithm for a convertible undeniable signature, which can be verified, disavowed, and also converted to a conventional digital signature is given in [213]. It’s based on the ElGamal digital signature algorithm. Like ElGamal, first choose two primes, p and q, such that q divides p 1. Now you have to create a number, g, less than q. First choose a random number, h, between 2 and p 1. Calculate g = h( p1)/q mod p If g equals the 1, choose another random h. If it doesn’t, stick with the g you have. The private keys are two different random numbers, x and z, both less than q. The public keys are p, q, g, y, and u, where y = gx mod p u = gz mod p To compute the convertible undeniable signature of message m (which is actually the hash of a message), first choose a random number, t, between 1 and q 1. Then compute T = gt mod p and m' = Ttzm mod q. Now, compute the standard ElGamal signature on m'. Choose a random number, R, such that R is less than and relatively prime to p 1. Then compute r =gR mod p, and use the extended Euclidean algorithm to compute s, such that m' a rx + Rs (mod q) The signature is the ElGamal signature (r, s), and T. Here’s how Alice verifies her signature to Bob: (1) Bob generates two random numbers, a and b. He computes c = TTmagb mod p and sends that to Alice. (2) Alice generates a random number, k, and computes h1 = cgk mod p, and h2 = h1 z mod p, and sends both of those numbers to Bob. (3) Bob sends Alice a and b. (4) Alice verifies that c = TTmagb mod p. She sends k to Bob. (5) Bob verifies that h1 = TTmagb+k mod p, and that h2 = yrarsaub+k mod p. Alice can convert all of her undeniable signatures to normal signatures by publishing z. Now, anyone can verify her signature without her help. Undeniable signature sch...
View Full
Document
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details