Talk:Undeniable signature

"However, because of this property it means that the signatory may deny a signature which was valid. To prevent this, there is the second property, a method to prove that a given signature is a forgery."

A method to prove that a given signature is a forgery is not sufficient to prevent denial of a signature. What is necessary is a method to prove that a given signature is not a forgery.

I won't change the text before waiting to learn if I am mistaken. If I am not mistaken, then I'll probably change the text to read:

"To prevent this, there is the second property, a method to prove that a given signature is valid (if indeed it is)."

   Joaquin Miller (talk) 21:26, 25 May 2010 (UTC)joaquin[reply]

This article needs some expert attention[edit]

I'm trying to copy edit, but I can't because it's unclear what's being said.

"The scheme adds explicit signature repudiation" This sounds like the scheme includes an opportunity for the signer to repudiate their signature. Or does it mean that the scheme explicitly tries to deal with signature repudiation?
"the signature reveals nothing to a recipient/verifier of the message and signature without taking part in either of two interactive protocols" In what sense does the signature reveal nothing? Looking at someone's signature on paper reveals to me what their signature looks like. This sentence should be more specific about what is revealed after the protocols, and also how the protocols are "interactive".
"The disavowal protocol distinguishes these cases removing the signer's plausible deniability." Is "distinguishes" the right word here? How is plausible deniability removed?
"the confirmation and disavowal exchanges are not transferable." What would be transferred between who?
"They achieve this by having the property of zero-knowledge; both parties can create transcripts of both confirmation and disavowal that are indistinguishable, to a third-party, of correct exchanges." Exchanges of what? Correct in what way?

I will try to provide some explanations based on the general crypto/ZK background I have; if I have some free time I might also try to modify the text. From my understanding the current text is correct, but it's a bit too close to being a crypto paper. Let me try to explain the points you mentioned:

regarding 1); my understanding is that these signatures replace implicit non-repudiation as it exists in normal digital signatures with two explicit protocols. A bit more explanation is given in the overview.
regarding 2); reveals nothing means that a receiver cannot distinguish the signature from garbage. The analogy with a paper signature breaks here, because every digital signature looks different. I'm not sure how to reformulate, though. Interactive simply means that the two protocol participants (signer and verifier) have to talk to each other. This means that both have to be on-line, which is also a contrast with regular digital signatures; those can be verified without talking to the signer.
regarding 3); I *think* it is removed because if a signer does not participate in the protocol, it is assumed that they did sign, but do not wish to reveal it. If they do participate, then the protocol outcome will be that the signer did indeed not sign.
regarding 4); I have no idea.
regarding 5); this is a "standard" thing in zero knowledge protocols. The basic idea is the following: if either party records all the exchanged messages in the protocol, they cannot prove to a third party that this protocol exchange actually happened. This is usually done by making sure that at the end of a valid protocol run, either party could have generated the entire exchange independently. I didn't look into this specific protocol in enough detail to really refomulate most of this, though.

I hope this helps! Namnatulco (talk) 05:23, 1 August 2018 (UTC)[reply]