A Note on a Convertible Undeniable Signature Scheme with Delegatable Verification

Undeniable signatures, introduced by Chaum and van Antwerpen, require a verifier to interact with the signer to verify a signature, and hence allow the signer to control the verifiability of his signatures. Convertible undeniable signatures, introduced by Boyar, Chaum, Damg̊ard, and Pedersen, furthermore allow the signer to convert signatures to publicly verifiable ones by publicizing a verification token, either for individual signatures or for all signatures universally. In addition, the signer is able to delegate the ability to prove validity and convert signatures to a semi-trusted third party by providing a verification key. While the latter functionality is implemented by the early convertible undeniable signature schemes, the recent schemes do not consider this despite its practical appeal. In this note we present an updated definition and security model for schemes allowing delegation, and highlight a security property, token soundness, which is often implicitly assumed but not formally treated in the description of the security model for convertible undeniable signatures. We also note that the straightforward implementations of the efficient convertible undeniable signature schemes recently proposed by Phong, Kurosawa and Ogata do not allow a verifier to check the correctness of a public key, which essentially allows a malicious signer to break the token soundness of the schemes. We then propose a convertible undeniable signature scheme inspired by the recent designated confirmer signature scheme by Schuldt and Matsuura. The scheme allows delegation of verification, does not require verifiers to hold public/private key pairs, and is provably secure in the standard model assuming the computational co-Diffie-Hellman problem, a closely related problem, and the decisional linear problem are hard. Compared to the most efficient scheme by Phong et al., our scheme has slightly larger signatures, but allows delegation of verification, is based on arguably more natural security assumptions, and has significantly shorter tokens for individual conversion of signatures. Lastly, our scheme does not require tokens to be verifier specific or the presence of a trusted third party, which seems to be needed to guarantee the token soundness of the schemes by Phong et al.