Summary: With blackmailing we mean a situation where after a signature has been verified, the conviction of its correctness can be either kept to the verifier or, at his sole discretion, be shared with some predetermined set of cooperating co-verifiers. We show how a weakness in the protocol for undeniable signatures allows blackmailing of a signer of an undeniable signature, or several verifiers simultaneously to verify several signatures. Also, we discuss how multiple verifiers can be convinced about the correctness of a signature in similar protocols, like designated confirmer signatures, although no blackmailing attack is found for them here.
For the entire collection see [Zbl 0847.00061].