Results 1 - 10 of 14
Identity based undeniable signatures
- Topics in Cryptology - CT-RSA 2004, LNCS 2964, 2004
Cited by 17 (2 self)
In this paper, we give a first example of an identity based undeniable signature using pairings over elliptic curves. We extend to the identity based setting the security model for the notions of invisibility and anonymity given by Galbraith and Mao in 2003 and we prove that our scheme is existentially unforgeable under the Bilinear Diffie-Hellman assumption in the random oracle model. We also prove that it has the invisibility property under the Decisional Bilinear Diffie-Hellman assumption and we discuss the efficiency of the scheme.
Timed-Release Cryptography
- In Selected Areas in Cryptography VIII (SAC'01), 2001
Cited by 12 (0 self)
Let $n$ be a large composite number. Without factoring $n$, the computation of $a^{2^t} \pmod n$ given $a$, $t$ with $\gcd(a, n) = 1$ and $t < n$ can be done in $t$ squarings modulo $n$. For $t \ll n$ (e.g., $n > 2^{1024}$ and $t < 2^{100}$), no lower complexity than $t$ squarings is known to fulfill this task. Rivest et al suggested to use such constructions as good candidates for realising timed-release crypto problems. We argue the necessity for a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in $\log_2 t$ standard crypto operations, the correctness of $(a^e)^{2^t} \pmod n$ with respect to $a^e$ where $e$ is an RSA encryption exponent. With such a proof, a Timed-release Encryption of a message $M$ can be given as $a^{2^t} M \pmod n$ with the assertion that the correct decryption of the RSA ciphertext $M^e \pmod n$ can be obtained by performing $t$ squarings modulo $n$ starting from $a$. Timed-release RSA signatures can be constructed analogously. Keywords: Timed-release cryptography, Time-lock puzzles, Non-parallelisability, Efficient zero-knowledge protocols.
Chameleon Hashing without Key Exposure
- 2004
Cited by 11 (2 self)
Chameleon signatures are based on the well-established hash-and-sign paradigm, where a chameleon hash function is used to compute the cryptographic message digest. Chameleon signatures simultaneously provide the properties of non-repudiation and non-transferability for the signed message, i.e., the designated recipient is capable of verifying the validity of the signature, but cannot disclose the contents of the signed information to convince any third party without the signer's consent.
The Security of the FDH Variant of Chaum's Undeniable Signature Scheme
- Proc of PKC 2005, Springer LNCS, 2005
Cited by 11 (2 self)
In this paper, we first introduce a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes. Note that forgeability does not necessarily imply impersonation ability. We then classify the security of the FDH variant of Chaum's undeniable signature scheme according to three dimensions, the goal of adversaries, the attacks and the ZK level of confirmation and disavowal protocols. We finally relate each security to some well-known computational problem. In particular, we prove...
Time-Selective Convertible Undeniable Signatures
- PROC. OF CT-RSA’05, SPRINGER LNCS, 2005
Cited by 3 (1 self)
Undeniable signatures were introduced in 1989 by Chaum and van Antwerpen to limit the self-authenticating property of digital signatures. An extended concept, the convertible undeniable signatures, proposed by Boyar, Chaum, Damgard and Pedersen in 1991, allows the signer to convert undeniable signatures to ordinary digital signatures. We present a new efficient convertible undeniable signature scheme based on bilinear maps. Its unforgeability is tightly related, in the random oracle model, to the computational Diffie-Hellman problem and its anonymity to a non-standard decisional assumption. The advantages of our scheme are the short length of the signatures, the low computational cost of the signature and the receipt generation. Moreover, a variant of our scheme permits the signer to universally convert signatures pertaining only to a specific time period. We formalize this notion as the time-selective conversion.
Limited verifier signature from bilinear pairings, manuscript
- 2004
Cited by 2 (1 self)
Motivated by the conflict between authenticity and privacy in the digital signature, the notion of limited verifier signature was introduced [1]. The signature can be verified by a limited verifier, who will try to preserve the privacy of the signer if the signer follows some specified rules. Also, the limited verifier can provide a proof to convince a judge that the signer has indeed generated the signature if he violated the predetermined rule. However, the judge cannot transfer this proof to convince any other party. Also, the limited verifier signature should be converted into an ordinary one for public verification if required. In this paper, we first present the precise definition and clear security notions for (convertible) limited verifier signature, and then propose two efficient (convertible) limited verifier signature schemes from bilinear pairings. Our schemes were proved to achieve the desired security notions under the random oracle model.
Universally Composable Undeniable Signature
Cited by 2 (1 self)
How to define the security of undeniable signature schemes is a challenging task. This paper presents two security definitions of undeniable signature schemes which are more useful or natural than the existing definition. It then proves their equivalence. We first define the UC-security, where UC means universal composability. We next show that there exists a UC-secure undeniable signature scheme which does not satisfy the standard definition of security that has been believed to be adequate so far. More precisely, it does not satisfy the invisibility defined by [19]. We then show a more adequate definition of invisibility which captures a wider class of (naturally secure) undeniable signature schemes. We finally prove that the UC-security against non-adaptive adversaries is equivalent to this definition of invisibility and the strong unforgeability in FZK-hybrid model, where FZK is the ideal ZK functionality. Our result of equivalence implies that all the known proven secure undeniable signature schemes (including Chaum’s scheme) are UC-secure if the confirmation/disavowal protocols are both UC zero-knowledge.
The Sampling Twice Technique for the RSA-based Cryptosystems with Anonymity
- In Public Key Cryptography – PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography (Les Diablerets, 2005
Cited by 1 (1 self)
We say that an encryption scheme or a signature scheme provides anonymity when it is infeasible to determine which user generated a ciphertext or a signature. To construct the schemes with anonymity, it is necessary that the space of ciphertexts or signatures is common to each user. In this paper, we focus on the techniques which can be used to obtain this anonymity property, and propose a new technique for obtaining the anonymity property on RSA-based cryptosystem, which we call “sampling twice.” It generates the uniform distribution over $[0, 2^k)$ by sampling the two elements from $\mathbb{Z}_N$ where $|N| = k$. Then, by applying the sampling twice technique, we construct the schemes for encryption, undeniable and confirmer signature, and ring signature, which have some advantages to the previous schemes.
A Cautionary Note Regarding Cryptographic Protocols Based on Composite Integers
These days it is rather common in cryptology to see ideas which originated in the setting of finite fields being extended to $\mathbb{Z}_N$. However, the security results do not necessarily generalise to $\mathbb{Z}_N$. In this paper we illustrate this phenomenon by pointing out a flaw in the soundness proof of a zero-knowledge protocol in a timed commitment scheme of Boneh and Naor.
Short Undeniable Signatures Without Random
- In Proc. INDOCRYPT 2005, LNCS No. 3797, 2005
We introduce a new undeniable signature scheme which is existentially unforgeable and anonymous under chosen message attacks in the standard model. The scheme is an embedding of Boneh and Boyen's recent short signature scheme in a group where the decisional Diffie-Hellman problem is assumed to be difficult. The anonymity of our scheme relies on a decisional variant of the strong Diffie-Hellman assumption, while its unforgeability relies on the strong Diffie-Hellman assumption.

