Abstract—We present a new model for undeniable signatures: fair-anonymous undeniable signatures. This protocol can not only preserve the privacy of the signer (i.e. anonymity) but also track the illegal utilization of the valid signatures. In addition, our model prevents the trusted centre from forging a valid signature for any signer. Keywords—Cryptography, Fair Anonymity, Information Security, RSA Signatures, Undeniable Signatures. I. INTRODUCTION s the Information Technology’s presence gets larger and more pronounced, we can expect to see some changes. Many of those changes have already started to happen. The most attractive characteristics for those changes are: Multi-user electronic commerce is more and more concerning the issue of security and privacy. Various solutions were proposed for this issue, for example, encryption technique, digital signature technique (including general signature scheme, blind signature scheme, undeniable signature scheme, group signature scheme, etc.), and other cryptographic techniques [16], as well as steganography techniques. Anonymity and fair anonymity are one of the important goals achieved by some of these techniques. Undeniable signatures are one of the techniques, which can help to achieve anonymity and fair anonymity. Undeniable signatures, first devised by David Chaum and Hans van Antwerpen [4], are non self-authenticating (i.e. non universal verifiability) signature schemes, where signatures can only be verified with the consent of the signer (e.g. a company). However, if a signature is only verifiable with the aid of a signer, a dishonest signer may refuse to authenticate a genuine document. Undeniable signatures solve this problem by adding a new component called the denial protocol in addition Manuscript received November 3, 2004. This work was supported in part by a research fellowship and ARC funding at CEEBI and Curtin, and a research funding of Hong Kong Research Grant Council. Song Han is with the School of Information Systems and the Department of Computing, Curtin University of Technology (e-mail: hans@cs.curtin.edu.au). He will join the Centre for Extended Enterprises and Business Intelligence. Elizabeth Chang is with the School of Information Systems, Curtin University of Technology. Winson Yeung, Xiaotie Deng are with the Department of Computer Science, City University of Hong Kong . Li Gao is currently with the College of Applied Science, Beijing University of Technology. to the normal components of signature and verification. That is, undeniable signatures have two distinctive features: 1. The verification process is interactive, so the signer can limit who (e.g. payee) can verify their signature. 2. A disavowal protocol, that is a cryptographic protocol which will allow them to prove that a given signature is a forgery. The first property means that a signer can allow only those who are authorized to access the document to verify their signature. If the document were to be leaked to a third party, the third party would be unable to verify that the signature is genuine. However because of this property it means that the signer may deny a signature which was valid. To prevent this we have the second property, a method to prove that a given signature is a forgery. The protection of signatures from being verified without the permission of the signer is not only justified by confidentiality and privacy concerns but it also opens a wide range of applications where verifying a signature is a valuable operation by itself. A typical scenario is the case of a software company that uses signature confirmation as a means to provide a proof of authenticity of their software to authorized (e.g., paying) customers only. This example illustrates the core observation on which the notion of undeniable signatures stands: verification of signatures, and not only their generation, is a valuable resource to be protected. So far, various undeniable signatures have been created, [2]-[5], [7], [9], [11]-[13], [15], [17]. Those schemes provided undeniability analysis (including completeness, soundness, and zero-knowledge). However, it will be more interesting if anonymity for undeniable signatures are proposed in today's electronic commerce. Galbraith and Mao [7] constructed such a scheme and provided the anonymity analysis. However, their scheme only proposed perfect anonymity. That is, their scheme always preserves the privacy of signers in any case and the signers have perfect privacy. Therefore, users may ask such an interesting problem: how can we identify the signer who did anything illegal by taking advantage of the undeniable signature scheme. In this paper, we solve the above problem. Moreover, the proposed undeniable signature scheme has the significant properties of undeniability and fair anonymity, simultaneously. In addition, we also have improved the result reported in [18]. In our scheme, a trusted center is involved. In practical scenario, a bank or a government will play the role Practical Fair Anonymous Undeniable Signatures Song Han, Elizabeth Chang, Xiaotie Deng, Li Gao and Winson Yeung A INTERNATIONAL JOURNAL OF SIGNAL PROCESSING VOLUME 1 NUMBER 4 2004 ISSN:1304-4494 IJSP VOLUME 1 NUMBER 4 2004 ISSN:1304-4494 291 COPYRIGHT © 2004 ENFORMATIKA