The aim of the invention is to propose an undeniable signature that is smaller in size than the currently available undeniable signatures, i.e. less than 80 bits. The size could be an issue in several applications such as bank payments, in which the cardholder wishes to keep a trace of each transaction in the card.


- A method for generating an undeniable signature on a set of data, the method comprising the following steps: transforming the set of data to a sequence of a predetermined number of blocks, the blocks being members of an Abelian group, the transformation being a one way function; applying to each block a group homomorphism to obtain a resulting value, in which a number of elements of an initial group is larger than the number of elements of a destination group; and storing the resulting value in a memory.
- The method of claim 1, wherein the initial group is formed by invertible integers modulo n, denoted as Z_{n}*.
- The method according to claim 2, wherein the group homomorphism computation is based on computation of a residue character (χ) on the set of invertible integers Z_{n}*.
- The method according to claim 3, wherein the residue character (χ) computation is based on a parameter (π) serving as a key.
- The method according to claim 4, wherein this key parameter (π) is determined by: π·π̄=n, π̄ being the complex conjugate of π.
- The method according to claim 4, wherein the parameter is a secret key of an asymmetric public/secret key pair.
- The method according to claim 2, wherein the group homomorphism computation is determined by raising an element of Z_{n}* to the power of r(q−1), in which n=p·q such that p=rd+1 and q are prime, gcd(r, d)=1, gcd(q−1, d)=1, then by computing a discrete logarithm.
- The method according to claim 7, wherein the group homomorphism is calculated using a factorization of n.
- The method according to claim 1, wherein the length of the signature is dependent on the number of elements of the destination group and the number of blocks.
- A method of confirming by a Verifier an undeniable signature (y_{1}, ..., y_{t}) of a set of data (m) generated by a Signer taking into account a predefined security parameter of the confirmation protocol, this Signer having a public/secret key pair, this method comprising the following steps: obtaining a personal value (ρ) from the Signer, this personal value being part of the public key (G, H, d, ρ, (e_{1}, ..., e_{s})) of the Signer; extracting a first sequence of elements (e_{1}, ..., e_{s}) from the public key, generating a second sequence of elements (g_{1}, ..., g_{s}) from the personal value (ρ), generating a third sequence of elements (x_{1}, ..., x_{t}) from the set of data (m); randomly picking challenge parameters r_{i}∈G and a_{ij}∈Z_{d} for i=1, ..., k and j=1, ..., s+t and computing a challenge value u_{i}=dr_{i}+a_{i1}g_{1}+ ... +a_{is}g_{s}+a_{is+1}x_{1}+ ... +a_{is+t}x_{t}; sending by the Verifier the challenge value u_{j} to the Signer; receiving from the Signer a commitment value (i>), this commitment value ( i>) being calculated by the Signer based on a response value v_{i}=f(u_{i}); sending by the Verifier the challenge parameters r_{i} and a_{ij} to the Signer; verifying by the Signer whether u_{i}=dr_{i}+a_{i1}g_{1}+ ... +a_{is}g_{s}+a_{is+1}x_{1}+ ... +a_{is+t}x_{t}, and in a positive event, opening by the Signer the commitment on the response value (v_{i}); and verifying by the Verifier whether v_{i}=a_{i1}e_{1}+ ... +a_{is}e_{s}+a_{is+1}x_{1}+ ... +a_{is+t}x_{t}.
- A method for denying to a Verifier by a Signer on an alleged non-signature (z1, ..., zt) of a set of data (m), this signature being supposedly generated according to claim 1 by the Signer, this Signer having a public/secret key pair, this method taking into account a predefined security parameter (l) of the denial protocol and comprising the following steps: obtaining by the Verifier a personal value (ρ) of the Signer, this personal value being part of the public key (G, H, d, ρ, (e_{1}, ..., e_{s})) of the Signer; extracting by the Verifier a first sequence of elements (e_{1}, ..., e_{s}) from the public key; generating by the Verifier and the Signer a second sequence of elements (g_{1}, ..., g_{s}) from the personal value (ρ); generating by the Verifier and the Signer a third sequence of elements (x_{1}, ..., x_{i}) from the set of data (m); calculating by the Signer the true signature (y_{1}, ..., y_{t}); and repeating the following steps l times, l being the predetermined security parameter; randomly picking by the Verifier challenge parameters r_{j}∈G and a_{ji}∈Z_{d} for i=1, ..., s and j=1, ..., t and λ∈Z_{p}* where p is the smallest prime dividing d; computing u_{j}:=dr_{j}+a_{j1}g_{1}+ ... +a_{js}g_{s}+λx_{j}, and w_{j}:=a_{j1}e_{1}+ ... +a_{js}e_{s}+λz_{j} for j=1 ... t; sending by the Verifier the challenge values u_{j} and w_{j} to the Signer; computing by the Signer a response test value TV_{j}:=(z_{j}-y_{j})·; for each j=1 to t, determining whether the test value TV_{j}=0; in a negative event, calculating a test parameter λ_{j} according to the following formula: w_{j}-v_{j}=λ_{j}(z_{j}-y_{j}); determining an intermediate value (IV), the intermediate value (IV) being equal to one valid test parameter (λ) and in case no valid test parameter is found, selecting as the intermediate value (IV) a random value; sending a commitment value CT based on the intermediate value (IV), to the Verifier; sending by the Verifier the challenge parameters r_{j}, a_{ji} and test parameter (λ) to the Signer; verifying by the Signer whether u_{j}=dr_{j}+a_{j1}g_{1}+ ... +a_{js}g_{s}+λx_{j} and w_{j}:=a_{j1}e_{1}+ ... +a_{js}e_{s}+λz_{j} for j=1 ... t hold, in a positive event, the Signer opens the commitment on the intermediate value (IV) to the Verifier; and verifying by the Verifier that the test parameter (λ) is equal to the intermediate value (IV).
- The method of claim 11, in which the determination of the valid test parameter comprises a check whether (w_{j}-v_{j}) and (z_{j}-y_{j}) are not equal to 0.
- The method of claim 11, in which j>1, the determination of the valid test parameter comprises the check whether (w_{j}-v_{j}) and (z_{j}-y_{j}) are not equal to 0, and that all of the test parameters are the same.
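
The following is an added illustration, not code from the patent: a toy instance of the homomorphism of claim 7 (exponentiation by r(q−1) followed by a discrete logarithm), used to sign t blocks as in claim 1, to compute the signature length of claim 9, and to build the challenge value whose image the Verifier checks in claim 10. The parameter values, the SHA-256 counter-mode block transform, the restriction to a prime d and all function names are assumptions made for the example.

```python
import hashlib
import math

# Toy parameters constructed for this example; real moduli are far larger.
D, R, Q = 101, 6, 1009          # d, r, q as named in claim 7 (d prime here)
P = R * D + 1                   # p = r*d + 1 = 607, prime
N = P * Q                       # the factorization (p, q) is the Signer's secret
assert math.gcd(R, D) == 1 and math.gcd(Q - 1, D) == 1
EXP = R * (Q - 1)               # the exponent r(q-1)

# Any non-trivial image has order d because d is prime; use it as the log base.
BASE = next(h for h in (pow(g, EXP, N) for g in range(2, N)) if h != 1)
DLOG = {pow(BASE, k, N): k for k in range(D)}   # table = discrete logarithm

def f(x: int) -> int:
    """Homomorphism Z_n* -> Z_d: raise to r(q-1), then take the discrete log."""
    return DLOG[pow(x, EXP, N)]

def blocks(msg: bytes, t: int) -> list[int]:
    """One-way transform of msg into t blocks of Z_n* (SHA-256, counter mode)."""
    out, ctr = [], 0
    while len(out) < t:
        h = hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        x = int.from_bytes(h, "big") % N
        ctr += 1
        if math.gcd(x, N) == 1:         # keep only invertible residues
            out.append(x)
    return out

def sign(msg: bytes, t: int = 3) -> list[int]:
    """Signature (y_1, ..., y_t): the homomorphism applied to each block."""
    return [f(x) for x in blocks(msg, t)]

def signature_bits(t: int) -> int:
    """Length depends on the size of the destination group and on t."""
    return t * (D - 1).bit_length()

def challenge(r: int, coeffs: list[int], elems: list[int]) -> int:
    """u = d*r + sum(a_j * x_j) in the claims' additive notation, which is
    r^d * prod(x_j^a_j) mod n when the group is Z_n*."""
    u = pow(r, D, N)
    for a, x in zip(coeffs, elems):
        u = u * pow(x, a, N) % N
    return u
```

Because f maps r^d to 0 and products to sums, f(challenge(r, a, xs)) equals the sum of a_j·y_j modulo d, which is the linear relation the Verifier tests; the same holds for the (g_j, e_j) pairs of the public key.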


The aim of the invention is to propose the generation, verification and denial of an undeniable signature which has a size smaller than the currently available undeniable signatures, i.e. less than 80 bits. This aim is achieved by the method to generate an undeniable signature (y_{1}, ..., y_{t}) on a set of data, this method comprising the following steps: (1) transforming the set of data (m) to a sequence of a predetermined number (t) of blocks (x_{1}, ..., x_{t}), these blocks being members of an Abelian group, this transformation being a one way function, and (2) applying to each block (x_{i}) a group homomorphism (f) to obtain a resulting value (y_{i}), in which the number of elements of the initial group (G) is larger than the number of elements (d) of the destination group (H).
