Cryptography Reference
In-Depth Information
k
−
1
σ
mod
n
.
•
σ
σ
:=
The sender computes the RSA signature
of
m
,
•
,
)
The signature may be publicly verified by using the signer's public key (
n
e
.If
e
σ
≡
m
(
mod
n
)
then the signature is declared valid, otherwise it is declared
invalid.
Observe that the signer knows the identity of the sender and may associate the
signed message
m
,σ
)
(
with the sender. However, if later presented with the signed
message
, the signer is unable to associate it with the sender because this pair
does not reveal any information about the pair
(
m
,σ)
m
,σ
)
(
. This is due to the fact that
k
is chosen uniformly at random in
Z
n
, which means that, from the point of view of
the signer—which does not know
k
—
m
=
mk
e
mod
n
is uniformly distributed in
σ
.
Z
n
and the same happens to
The scheme in the previous example is not secure because of the insecurity of the
underlying plain RSA signatures and, furthermore, UF-CMA security is no longer
adequate for blind signatures, as the sender must be able to perform an existential
forgery. A security notion adequate for this context was proposed in [156] where
also some secure blind signature schemes (based on RSA or discrete logarithms) are
proposed.
9.6.2 Other Signatures with Added Functionality
An interesting kind of signatures are
undeniable signatures
, which were introduced
by Chaum and van Antwerpen in 1989 and whose main peculiarity is that they have
to be verified interactively with the cooperation of the signer, so that verification
with the public key alone is impossible. This feature protects the signer against the
possibility that the signed documents might later be distributed without the signer's
consent. In [140] a couple of examples where this property is useful are given,
including one where a bank customer is required by the bank to sign a time and date
document in order to access a safe box. If an undeniable signature is used, the bank
is later unable to prove that the customer had access to the box on the specified date,
because verifying the signature requires the signer's cooperation. On the other hand,
a dishonest signer might take advantage of this to claim that a valid signature is a
forgery or, simply, refuse to verify it. To prevent this from happening, an undeniable
signature scheme must come along with a
disavowal protocol
that can be used to
prove that a given signature is a forgery.
We refer to [140] and to [189] for a description of the Chaum-van Antwerpen
undeniable signature scheme as well as of other kinds of signatures with added
functionality such as, for example,
fail
-
stop signature schemes
which, essentially,
are digital signatures that allow the signer to prove that a signature purportedly (but
not actually) signed by itself is a forgery.
