1. 3-Move Undeniable Signature Scheme
Advances in Cryptology – EUROCRYPT 2005
Kaoru Kurosawa and Swee-Huay Heng
Ibaraki University, 4-12-1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan
Multimedia University, Jalan Ayer Keroh Lama, 75450 Melaka, Malaysia
林彥賓
2021/06/13
2. The FDH Variant of Chaum’s Scheme
Let $G$ be an Abelian group of prime order $q$, and let $g$ be a generator of $G$.
We say that $(g, g^u, g^v, g^w)$ is a DH-tuple if $w = uv \pmod q$.
The DDH problem is to decide if $(g, g^u, g^v, g^w)$ is a DH-tuple.
The CDH problem is to compute $g^{uv}$ from $(g, g^u, g^v)$ and the DLOG problem is to compute $u$ from $g^u$.
3. Unforgeability
The forger $F$ wins the game if $F$ outputs a valid message-signature pair whose message $m^*$ has never been queried.
$F$'s advantage in this game is defined to be $\mathrm{Adv}(F) = \Pr[F \text{ wins}]$.
6. 3-move honest verifier zero-knowledge proof system
prover knows u of a DH-tuple
$z_1 U^c = (g^r)(g^u)^c = g^{r+uc} = g^d$, where $z_1 = g^r$ and $U = g^u$
$z_2 W^c = (V^r)(V^u)^c = V^{r+uc} = V^d$, where $z_2 = V^r$ and $W = V^u$
7. prover knows u of a Non DH-tuple
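$z_1 A^c = (V^\alpha / W^\beta)\,((V^u / W)^r)^c = V^{\alpha+urc} / W^{\beta+cr}$, where $z_1 = V^\alpha / W^\beta$ and $A = (V^u / W)^r$
$g^{d_1} / U^{d_2} = g^{\alpha+cur-u\beta-cur} = g^{\alpha-u\beta} = z_2$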
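The verification equations of the DH-tuple and non-DH-tuple proofs, run end to end as an added example (not code from the slides or the paper). The group parameters are toy values constructed here, `div`, `challenge` and `honest_verifier` are hypothetical helper names, and the responses $d = r + uc$, $d_1 = \alpha + cur$, $d_2 = \beta + cr$, the commitment $z_2 = g^\alpha / U^\beta$ and the $A \neq 1$ check are assumptions read off from those equations.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# p = 2q + 1 with q prime; g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def div(a, b):  # a / b in Z_p^* (b is inverted mod p)
    return a * pow(b, -1, P) % P

def prove_dh(u, V, challenge):
    """Prover for a DH-tuple (g, U=g^u, V, W=V^u); knows u."""
    r = secrets.randbelow(Q)
    z1, z2 = pow(G, r, P), pow(V, r, P)      # move 1: commitments
    c = challenge(z1, z2)                    # move 2: verifier's c
    return z1, z2, c, (r + u * c) % Q        # move 3: d = r + uc

def verify_dh(U, V, W, z1, z2, c, d):
    """Accept iff g^d = z1 U^c and V^d = z2 W^c."""
    return (pow(G, d, P) == z1 * pow(U, c, P) % P
            and pow(V, d, P) == z2 * pow(W, c, P) % P)

def prove_non_dh(u, U, V, W, challenge):
    """Prover for a non-DH-tuple (U=g^u, W != V^u); knows u."""
    r = 1 + secrets.randbelow(Q - 1)         # r != 0, so A != 1
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    A = pow(div(pow(V, u, P), W), r, P)      # A = (V^u / W)^r
    z1 = div(pow(V, alpha, P), pow(W, beta, P))
    z2 = div(pow(G, alpha, P), pow(U, beta, P))
    c = challenge(A, z1, z2)
    d1, d2 = (alpha + c * u * r) % Q, (beta + c * r) % Q
    return A, z1, z2, c, d1, d2

def verify_non_dh(U, V, W, A, z1, z2, c, d1, d2):
    """Accept iff A != 1, V^d1 / W^d2 = z1 A^c and g^d1 / U^d2 = z2.
    The A != 1 check is assumed here; the slide shows only the equations."""
    return (A != 1
            and div(pow(V, d1, P), pow(W, d2, P)) == z1 * pow(A, c, P) % P
            and div(pow(G, d1, P), pow(U, d2, P)) == z2)

def honest_verifier(*_commitments):
    """Honest verifier: c is uniform in Z_q, independent of the commitments."""
    return secrets.randbelow(Q)

if __name__ == "__main__":
    u = 1 + secrets.randbelow(Q - 1)
    U, V = pow(G, u, P), pow(G, 777, P)
    W, W_bad = pow(V, u, P), pow(V, u + 1, P)
    print(verify_dh(U, V, W, *prove_dh(u, V, honest_verifier)))
    print(verify_non_dh(U, V, W_bad, *prove_non_dh(u, U, V, W_bad, honest_verifier)))
```

A prover running the DH-tuple proof on a non-DH-tuple passes only when $c = 0$, and a prover running the non-DH-tuple proof on a DH-tuple always produces $A = 1$ and is rejected.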
8. 3-move WI protocol
witness indistinguishable: the verifier cannot tell which witness the prover is using
WI Protocol for DH-Tuple
the prover knows $u$ (but not $v$)
10. Proof of Unforgeability
If there exists an algorithm $M$ that solves the CDH problem with advantage $\epsilon_M$, then one can construct a forger $F$ that can forge in the universal way with advantage $\epsilon_F$
Suppose the input to $M$ is $(g, g^x, g^z)$. $M$ then starts running $F$ by feeding $F$ with the public key $(g, y = g^x, H)$
$M$ simulates the random oracle $H$, the signing oracle and the confirmation/disavowal oracle
Let $q_S$ and $q_H$ be the number of signing queries and $H$ queries that $F$ issues respectively. Assume that when $F$ requests a signature on a message $m_i$, it has already made the corresponding $H$ query on $m_i$
Let $q_v$ be the number of queries that $F$ issues to the confirmation/disavowal oracle
11. $H$ query for a message $m_i$:
$h_i = H(m_i) = g^{v_i}$ with probability $\delta$
$h_i = H(m_i) = (g^z)^{v_i}$ with probability $1 - \delta$
where $v_i$ is chosen randomly from $Z_q$ and $\delta$ is a fixed probability
signing query for a message $m_i$:
If $M$ has responded with $h_i = g^{v_i}$ to the $H$ query for a message $m_i$, then $M$ returns $\sigma_i = y^{v_i}$ as the valid signature (since $y^{v_i} = (g^x)^{v_i} = h_i^x = H(m_i)^x$).
Otherwise, $M$ aborts and it fails to solve the CDH problem
12. confirmation/disavowal query:
consider that the final output of $F$ is the $(q_v + 1)$th query
assume a valid message-signature pair $(m_i, \sigma_i')$ queried by $F$ to the confirmation/disavowal oracle such that $m_i$ has never been queried to the signing oracle
13. $M$ chooses $\mathit{Guess} \in \{1, 2, \ldots, q_v + 1\}$ randomly
$i < \mathit{Guess}$:
If $F$ has never made a signing query for $m_i$, then $M$ returns $\mu = 0$ and runs the disavowal protocol with $F$
Otherwise, $M$ answered with a valid signature $\sigma_i$ with probability $\delta$ (with probability $(1 - \delta)$ $M$ aborts)
If $\sigma_i = \sigma_i'$ then $M$ returns $\mu = 1$ and runs the confirmation protocol with $F$
Otherwise, $M$ returns $\mu = 0$ and runs the disavowal protocol with $F$
$i = \mathit{Guess}$:
If $F$ has queried $m_i$ to the signing oracle, then $M$ aborts
otherwise, assume $h_i = (g^z)^{v_i}$; then we have $\sigma_i = h_i^x = (g^{z v_i})^x$.
Consequently, $M$ outputs $g^{xz} = (\sigma_i)^{1/v_i}$ and thus it solves the CDH problem. Otherwise, $M$ aborts and it fails to solve the CDH problem
14. $M$ guesses the first special query with probability $1/(q_v + 1)$
The probability that $M$ answers all the signing queries is $\delta^{q_S}$
$M$ outputs $g^{xz}$ with probability $1 - \delta$
the probability that $M$ does not abort during the simulation is $\delta^{q_S}(1 - \delta)/(q_v + 1)$
This value is maximized at $\delta_{opt} = 1 - 1/(q_S + 1)$
This shows that $M$'s advantage $\epsilon_M$ is at least $\left(1 - \frac{1}{q_S + 1}\right)^{q_S} (q_S + 1)^{-1}\, \epsilon_F / (q_v + 1)$