While anybody can verify usual digital signatures, in some cases
the signer wants the power to decide who can check his signature.
It is the role of undeniable signatures to make this possible.
The signer can prove the validity of his signature by using
a so called confirmation protocol.
However, there is also a need for a (disavowal) protocol
the signer uses to deny his authorship of a particular signature.
There are two main security requirements for undeniable signatures:
first, nobody can forge a signature and, second,
this signature must be indistinguishable from a randomly chosen one.
Therefore, nobody can verify a signature without the signer's cooperation.
For security reasons it is also important that both protocols are
zero-knowledge proofs.
In this thesis we present security requirements
and provide two examples of an undeniable signature scheme.
Finally, we give proofs of unforgeability and invisibility.
|