1. Technical Field
The present invention relates generally to securing communications using cryptography. More particularly, the present invention provides a method for enhancing the security of communications using chameleon signatures and is especially useful in preventing the receiver of a signed document from disclosing its contents to third parties.
2. Discussion of the Prior Art
Typical business relationships between companies or individuals involve commitments assumed by the parties in the form of agreements and contracts. Increasingly paper documents are being usurped by electronic information exchange with the transaction never taking paper form. An associated risk of electronic information exchange, however, is that the digital data may be much more easily duplicated and/or modified without limit and with insignificant cost. To exclude digital forgeries and impersonators, signer authentication and document authentication safeguards are utilized by the information security profession. Digital signature protocols represent the main cryptographic tool employed to provide document and signer authentication, integrity, and the nonrepudiation property. Authentication makes it possible for the receiver of a message to ascertain its origin. Integrity allows the receiver of a message to verify that it has not been modified in transit or while in storage. Nonrepudiation prevents a sender from falsely denying later that he sent a message.
Digital signature protocols achieve these results through key-based algorithms. All the security in these algorithms is based in the key (or keys); none is based in the details of the algorithm. This means that the algorithm may be freely published and analyzed. There are two general types of key based algorithms well known in the art: symmetric and public-key. In most symmetric algorithms the encryption key and the decryption key are the same. Digital signatures are derived through the use of "Public key algorithms". Public key algorithms, also called asymmetric algorithms, are designed so that the key used for signing is different from the key used for verification. The algorithms are called "public-key" because the verification key can be made public. In contrast, the signature key needs to be kept secret by its owner, the signer. Furthermore, the signing key cannot, in any reasonable amount of time, be calculated from the verification key. In practical implementations, public-key algorithms are often too inefficient to digitally sign long documents. To save time, digital signature protocols (i.e., RSA, DSA) are often implemented with secure (one-way) hash functions. Instead of signing a document, the signer signs the hash of the document. A hash function is a function that maps a variable-length input string (i.e. document) and converts it to a fixed-length output string, usually smaller, called a hash-value. The hash-value serves as a compact representative image of the input string. Due to their functionality hash functions exhibit collision behaviour, i.e. they represent a many-to-one mapping. In order to preserve the non-repudiation and unforgeability properties of digital signatures when used in conjunction with a hash function, the hash function needs to be collision resistant. That is, it is computationally infeasible to find two messages which the hash maps to the same value.
Using digital signatures involves two processes, one performed by the signer, which is the generation of the signature, and the other by the receiver of the digital signature, which is the verification of the signature. The signer creates a digital signature by using his private signing key, and applying it through some computation to the hash result derived from the message. The second part of the process involves digital signature verification. Verification is the process of checking the digital signature by reference to the original message m and a given public verification key.
By the properties of cryptographic digital signatures there is no way to extract someone's digital signature from one document and attach it to another, nor is it possible to alter a signed message in any way without the change being detected. The slightest change in the signed document will cause the digital signature verification process to fail. However, digital signatures also allow any party to disclose, and prove, the signer's commitment to an outsider. This may be undesirable in many business situations. For example, disclosing a signed contract to a journalist or a competitor can benefit one party but jeopardize the interests of the other; early dissemination of confidential agreements can be used to achieve illegitimate earnings in the stock market; a losing bidder may want to prevent disclosure of his bid even after an auction is over. These and many other examples show how privacy, confidentiality and legal issues pose the need to prevent the arbitrary dissemination of the contents of some agreements and contracts by third parties or even by the recipient of a signature. Still in all these cases it is essential to preserve the non-repudiation property in the event of legal disputes. In such a case, an authorized arbitrator (i.e., judge, mediator) should be able to determine the validity of a contract, an agreement or commitment. In an attempt to bridge between the contradictory requirements of non-repudiation and controlled dissemination presented above, Chaum and van Antwerpen, "Undeniable signatures" In G. Brassard, editor, "Advances in Cryptology"--Crypto '89, pages 212-217, Berlin, 1989. Springer-Verlag. Lecture Notes in Computer Science No. 435, introduced undeniable signatures, which were subsequently the subject of many research works. A precursor of this type of signatures was already suggested in 1976 by Michael Rabin, "Digitalized Signatures", In R. Demillo and et. al, editors, Foundations of Secure Computations, pages 155-165, Academic Press, 1978, based on one-time signatures. The basic paradigm behind undeniable signatures is that verification of a signature requires the collaboration of the signer, so that the latter can control to whom the signed document is being disclosed. A crucial requirement for undeniable signatures is that the signature string will be non-transferable, i.e., will not convey any information on the contents of the signed document to anyone except for those parties that engage in some specified protocol directly with the signer. Such a protocol enables the signer to confirm a valid signature or deny an invalid one. To prevent leaking of information these protocols are based on zero-knowledge proofs. As it is natural to expect, the added properties and techniques relative to regular digital signatures also add to the complexity of the schemes, both conceptually and in computational and communication costs. Therefore it would be highly desirable to provide a method which bridges between the conflicting requirements of non-repudiation and controlled disclosure at a significantly lower cost and complexity while departing from the zero-knowledge paradigm of undeniable signatures which require a communication protocol between a sender and a receiver.