PROXIABLE DESIGNATED VERIFIER SIGNATURE
Mebae Ushida, Kazuo Ohta
Graduate School of Information and Communication Engineering, University of Electro Communication, Chofu, Tokyo, Japan
Yutaka Kawai
Department of Mathematical Engineering and Information Physics, Faculty of Engineering
The University of Tokyo, Chiba, Japan
Kazuki Yoneyama
NTT Information Sharing Platform Laboratories, Tokyo, Japan
Keywords:
Designated verifier signature, Proxy, Strong unforgeability.
Abstract:
Designated Verifier Signature (DVS) guarantees that only a verifier designated by a signer can verify the
“validity of a signature”. In this paper, we propose a new variant of DVS; Proxiable Designated Verifier
Signature (PDVS) where the verifier can make a third party (i.e. the proxy) substitute some process of the
verification. In the PDVS system, the verifier can reduce his computational cost by delegating some process
of the verification without revealing the validity of the signature to the proxy. In all DVS systems, the validity
of a signature means that a signature satisfies both properties that (1) the signature is judged “accept” by a
decision algorithm and (2) the signature is confirmed at it is generated by the signer. So in the PDVS system,
the verifier can make the proxy substitute checking only the property of (1). In the proposed PDVS model, we
divide verifier’s secret keys into two parts; one is a key for performing the decision algorithm, and the other
is a key for generating a dummy signature, which prevents a third party from convincing the property (2).
We also define security requirements for the PDVS, and propose a PDVS scheme which satisfies all security
requirements we define.
1 INTRODUCTION
1.1 Background
Designated Verifier Signature (DVS) was first intro-
duced by Jakobsson, Sako and Impagliazzo (Jakobs-
son et al., 1996). In the DVS system, a signer desig-
nates a verifier and only the verifier designated by the
signer can verify the validity of a signature.
DVS is useful for a situation where a signer ex-
pects that the validity of the signature is confirmed by
only specific person and is not confirmed by the oth-
ers.
We consider the situation of public procedures.
The person sends his personal information (a report
of one’s removal etc.) to the government office. And
he hopes that this information cannot be leaked to oth-
ers. He must generate his signature for this document,
but he worries about leaking and being confirmed his
personal information. If he uses the DVS, he can in-
form his personal information to the government and
not have to worry about leaking it.
Another kind of signature where the signer can re-
strict to verify the validity of the signature is the Un-
deniable Signature (US) (Chaum and van Antwerpen,
1990). In the US system, the verifier needs the inter-
action with the signer to perform the verification. The
signer designates the verifier by selecting the person
whom the signer interacts with for verification. The
third party who does not interact with the signer can
not confirm the validity of the signature, and the ver-
ifier cannot convince the third party of validity of the
signature which the verifier verified before by reveal-
ing the records of verification process.
In the US system, the verifier must interact with
the signer whenever he verifies the signature. On the
other hand in the DVS system, the signer designates
the verifier when he generates the signature, and the
verifier can verify the validity of the signature at any
time without interaction with the signer.
344
Ushida M., Ohta K., Kawai Y. and Yoneyama K. (2010).
PROXIABLE DESIGNATED VERIFIER SIGNATURE.
In Proceedings of the International Conference on Security and Cryptography, pages 344-353
DOI: 10.5220/0002979403440353
Copyright
c
SciTePress
By using Message Authenticate Code (MAC), the
prover can also designate the verifier. MAC is also
verified the validity without interaction. However the
prover and the verifier must share a common secret
key before using MAC. In the DVS system, the signer
can designate the verifier using only the verifier’s pub-
lic key.
In the DVS system, the validity of a signature is
checked by following two procedures: Decision and
Distinction. By Decision, the signature is checked
whether it is “accepted” by the decision procedure.
By Distinction, the signature is checked whether it is
exactly generated by the signer. In this paper, we call
a signature which is accepted by Decision an accept-
able signature, and a signature which is acceptable
signature and generated by the signer a valid signa-
ture. The meaning of verifying the validity of a sig-
nature is confirming that the signature is valid by per-
forming Decision and Distinction.
In the DVS system, the verifier can also generate
an acceptable signature. We call such an acceptable
signature a dummy signature, while we call a signa-
ture generated by a signer an original signature. Only
the original signature must be confirmed as the valid
signature. Any third party should be unable to distin-
guish the original signature from dummy signatures.
Even if a third party accepts a signature, he is unable
to confirm that the signature is the original signature
because it could be a dummy signature. Therefore,
a third party is unable to verify the validity of the
signature. On the other hand, the verifier can decide
whether the signature is the original signature by us-
ing his own list of dummy signatures generated by
himself. Hence, the verifier cannot convince a third
party the validity of the signature.
In several DVS systems (Jakobsson et al., 1996;
Rivest et al., 2001; Lipmaa et al., 2005; Shahandashti
and Safavi-Naini, 2008), anyone can perform the De-
cision. However, a third party cannot confirm the va-
lidity of a signature because he can not perform Dis-
tinction. We call those DVS systems ordinary DVS.
In the ordinary DVS system, a third party can nar-
row the signer to two candidates. On the other hand,
strong DVS (Saeednia et al., 2004; Laguillaumie and
Vergnaud, 2005; Steinfeld et al., 2003) in which only
the verifier can perform the Decision was proposed.
In the strong DVS system, a third party cannot even
narrow two signer candidates.
1.2 A Motivating Problem
In a strong DVS system, all processes of the verifica-
tion can be performed by only a verifier. If one person
is designated by large numbers of signers, he must
proceed large amount of the task of the verification
procedure by himself.
This situation will often occur if the DVS system
is applied to the situation of public procedures. In
this case, a lot of people would send their documents
with DVSs to one government office. Then, the offi-
cer must verify large amount of DVSs. Hence, the of-
ficer would like to entrust other organizations to some
processes of verification.
1.3 Contribution
In order to reduce the computational cost for verifi-
cation, we will propose Proxiable Designated Verifier
Signature (PDVS) where the verifier can make a third
party (i.e. the proxy) substitute some process of the
verification. In previous DVS systems, if the third
party can perform the Decision, but he cannot con-
firm the validity of a signature. Hence in the PDVS
system, the Decision is delegated to the proxy and the
verifier performs only the Distinction. If the verifier
does not issue any dummy signature for message m,
he verifies that (m, σ) is valid immediately when he is
reported that (m, σ) is acceptable by the proxy. Hence
the verifier can reduce his computational cost.
In previous strong DVS systems (Saeednia et al.,
2004; Laguillaumie and Vergnaud, 2005; Steinfeld
et al., 2003), there is only one kind of verifier’s se-
cret key which is used for performing the Decision al-
gorithm and for generating dummy signatures. If the
verifier gives his secret key in order to delegate the
Decision, the proxy can also generate a dummy sig-
nature. In this case, the verifier cannot perform the
Distinction. Thus in the previous strong DVS systems,
the verifier cannot delegate the verification task to the
proxy.
Hence in the PDVS system, there are two kinds of
verifier’s keys; one is a key for performing the Deci-
sion and the other is for generating dummy signatures.
The verifier can delegate the Decision to the proxy by
giving only the secret key for performing the Deci-
sion, and the verifier keeps the both of keys; a key
for performing the Decision and a key for generating
dummy signatures.
Unlike the previous DVS systems, there is the new
entity proxy in the PDVS system. Hence we consider
the requirements for each position, not only the veri-
fier and the third party but also the proxy. We define
security requirements for PDVS scheme by capturing
following requirements. (1) The verifier can surely
verify the validity of the signature at any time. (2) The
proxy can perform the Decision, but cannot generate
any acceptable signature. (3) The third party cannot
perform even the Decision. We describe the definition
PROXIABLE DESIGNATED VERIFIER SIGNATURE
345
of security requirements in Sect 3.2.
In this paper, we formalize PDVS, and define se-
curity requirements for PDVS in Sect 3. We propose
a concrete PDVS scheme and prove that our PDVS
scheme satisfies security requirements we define in
Sect 3.2.
1.4 Related Works
In 1996, DVS (Jakobsson et al., 1996) was firs in-
troduced and is the first ordinary DVS. After that,
strong DVS (Saeednia et al., 2004) was proposed, and
several security requirements for DVS was defined
(Saeednia et al., 2004; Laguillaumie and Vergnaud,
2005; Lipmaa et al., 2005).
At the same time, several variants of DVS was
proposed. multi-DVS (Laguillaumie and Vergnaud,
2004) is the DVS where the signer can designate sev-
eral verifiers in one signature, and the verifiers can
verify the signature individually. Universal DVS (Ste-
infeld et al., 2003; Steinfeld et al., 2004; Baek et al.,
2005; Shahandashti and Safavi-Naini, 2008) is a sys-
tem that a basic digital signature can convert a des-
ignated verifier signature. designated proxy signature
(DVPS) (Wang, 2005) is the DVS where the signer
can delegate his signing capacity to the third party
(i.e. the proxy).
In all of the DVS system which was proposed be-
fore, the verifier have to verify the validity of the sig-
nature himself.
2 PRELIMINARIES
We will provide several definitions which are building
blocks of our PDVS scheme.
Definition 1 (Bilinear Map). Let (G,+), and (H,·) be
two groups of the same prime order q. Let P be a
generator of G. A bilinear map is a mapping e : G ×
G → H satisfying the following properties:
• bilinear: e(aQ, bR) = e(Q,R)
ab
, for all(Q,R) ∈
G
2
, and all (a,b) ∈ Z
2
;
• non-degeneration: e(P,P) 6= 1;
• computability: there exists an efficient algorithm
to compute e;
Definition 2 (Prime Order BDH Parameter Gen-
erator). Prime-order-BDH-parameter-generator is a
probabilistic algorithm that takes on input a security
parameter k, and outputs a 5-tuple (q,P,G,H, e) sat-
isfying the following conditions:
• q is a prime with 2
k−1
< q < 2
k
;
• G and H are groups of order q;
• e : G × G −→ H is a bilinear map;
Definition 3 (Computational Diffie-Hellman As-
sumption). Let Gen be a Prime-order-BDH-
parameter-generator. Let A be an adversary that
takes on input 5-tuple (q, P,G, H,e) generated by Gen
and (X,Y) ∈ G
2
, and returns an elements of Z ∈
G. We consider the following random experiments,
where k is a security parameter;
Experiment Exp
cdh
Gen,A
(k)
(q,P,G,H,e)
R
← Gen(k)
(x,y)
R
← Z
∗2
q
,X := xP,Y := yP
Z ← A (q,P,G,H, e,X,Y)
Return 1 iff Z = xyP
We define the corresponding success probability
of A via
Succ
cdh
Gen,A
(k) = Pr[Exp
cdh
Gen,A
(k) = 1].
Let t ∈ N. CDH is said to be (k,t,ε)-hard if no adver-
sary A running in time t has Succ
cdh
Gen,A
(k) ≥ ε.
Definition 4 (Gap-Bilinear Diffie-Hellman As-
sumption). Let Gen be a Prime-order-BDH-
parameter-generator. Let A be an adversary that
takes on input 5-tuple (q, P,G, H,e) generated by Gen
and (X,Y,Z) ∈ G
3
, and returns an elements of h ∈
H. We consider the following random experiments,
where k is a security parameter;
Experiment Exp
gbdh
Gen,A
(k)
(q,P,G,H,e)
R
← Gen(k)
(x,y, z)
R
← Z
∗3
q
,X := xP,Y := yP,Z := zP
h ← A
DBDH
(q,P,G,H,e,X,Y,Z)
Return 1 iff h = e(P,P)
xyz
where A
DBDH
denotes that the adversary A has
access to a DBDH oracle. A DBDH oracle is an
oracle that for input aP,bP,cP,and e(P,P)
d
, decides
whether d = abc or not. We define the corresponding
success probability of A via
Succ
gbdh
Gen,A
(k) = Pr[Exp
gbdh
Gen,A
(k) = 1].
Let t ∈ N. GBDH is said to be (k,t,ε)-hard if no ad-
versary A running in time t has Succ
gbdh
Gen,A
(k) ≥ ε.
SECRYPT 2010 - International Conference on Security and Cryptography
346
3 DEFINITIONS OF PROXIABLE
DVS
In this section, we will propose the definition of
the PDVS and will several security properties of the
PDVS.
3.1 The Models of PDVS Scheme
A PDVS scheme consists of seven algorithms : Let k
be a security parameter. Each definition is described
as follows.
Common parameter generation (SetUp): A proba-
bilistic algorithm, on input k, outputs the public
parameters params.
Signer’s key generation (SKeyGen): A probabilis-
tic algorithm, on input params, outputs the public
and secret signer’s key PKs and SKs.
Verifier’s key generation (VKeyGen): A probabilis-
tic algorithm, on input params, outputs verifier’s
secret key SKv and SKp, and the verifier’s public
key PKv. SKv is kept by only the verifier. SKp is
given to the proxy by the verifier.
Designated signing (DSign): A probabilistic algo-
rithm, on input params, message m, signer’s se-
cret key SKs and signer’s and verifier’s public keys
PKs,PKv, outputs a original signature σ.
Transcript simulation (TSim): A probabilistic algo-
rithm, on input params, message m, verifier’s se-
cret key SKv, and signer’s and verifier’s public
keys PKs,PKv, outputs a dummy signature σ’.
Designated verifying 1 (Decision): A deterministic
algorithm, on input params, message m, a signa-
ture σ, public key’s PKs,PKv and verifier’s secret
key SKp, outputs a verification decision, accept or
reject.
Designated verifying 2 (Distinction): A determinis-
tic algorithm, on input params, message m, an ac-
ceptable signature σ, PKs,PKv, verifier’s secret
key SKv and the list of dummy signatures which
the verifier issued before, outputs a verification
decision, valid or invalid.
3.2 Definitions of Security Properties of
PDVS
In this section, we propose definitions of security re-
quirements for the PDVS.
3.2.1 Strong Unforgeability
We point out that Existential Unforgeability (EUF)
is not sufficient and Strong Existential Unforgeability
(sEUF) must be satisfied for secure PDVS schemes.
In the PDVS system satisfying EUF but not sat-
isfying sEUF, the proxy is also able to confirm the
validity of the signature.
We consider a following strong-forgery-attack.
The strong-forgery-attacker generates an acceptable
message/signature pair (m,σ
∗
) from another accept-
able message/signature pair (m,σ). Anyone can not
distinguish whether (m,σ
∗
) is generated by formal
procedures (DSign or TSim) or the strong-forgery-
attack. Such an attacker could exist in the PDVS sys-
tem satisfying just EUF, because EUF only guaran-
tees that anyone is unable to generate an acceptable
(m
∗
,σ
∗
) where m
∗
is different from any acceptable
signed message m.
If such a strong-forgery-attacker exists, the fol-
lowing situation occurs. The verifier generates a
dummy signature σ
TSim
for a message m, and issues
(m,σ
TSim
). Then the strong-forgery-attacker can gen-
erate a forgery (m, σ
∗
TSim
) by using (m,σ
TSim
). After
that, the signer generates an original signature σ
DSign
for the message m. In this case, even if the verifier
can decide that (m,σ) is acceptable, he cannot con-
firm where σ is the original signature σ
DSign
or the
forgery σ
∗
TSim
. Then even the verifier is unable to con-
firm the validity of the signature by the Distinction. So
the verifier is unable to issue any dummy signature to
confirm the validity of the signature in any cases. In
the above situation, the proxy is able to confirm the
validity of the signature by performing the Decision,
because the acceptable signature is surely the original
signature. Hence, if the PDVS does not satisfy sEUF,
the proxy is able to confirm the validity of the signa-
ture. So, the PDVS must satisfy sEUF.
The PDVS requires that not only an arbitrary third
party but the proxy, who has verifier’s secret key SKp,
is not able to forge a signature.
Definition 5 (Strong Unforgeability).
1
Let A be a
strong-forgery against adaptive chosen message at-
tack (sEUF-CMA)-adversary against PDVS, Σ
S
be
the original signing oracle, Σ
T
be the dummy sign-
ing oracle, and ϒ be the distinction oracle
2
. Let
{(m
1
,σ
1
),··· ,(m
q
Σ
S
,σ
q
Σ
S
)} be a set of message and
signature pair which is given to A by oracle Σ
S
,
1
In the basic digital signature, the security notion of
strong unforgeability is proposed by (An et al., 2002).
We define strong unforgeability for the PDVS by adapting
strong unforgeability to the PDVS system.
2
The Decision oracle does not need in this experiment,
because the adversary who has SKp can execute the Deci-
sion by himself.
PROXIABLE DESIGNATED VERIFIER SIGNATURE
347
{(m
′
1
,σ
′
1
),··· ,(m
′
q
Σ
T
,σ
′
q
Σ
T
)} be a set of message and
signature pair which is given to A by oracle Σ
T
. Let
k be a security parameter. We consider the following
random experiment:
Experiment Exp
seuf−cma
PDVS,A
(k)
params
R
← Setup(k)
(PKs,SKs)
R
← SKeyGen(params)
(PKv, SKv,SKp)
R
← VKeyGen(params)
(m
∗
,σ
∗
) ← A
Σ
S
,Σ
T
,ϒ
(params,PKs,PKv, SKp)
s.t. (m
∗
,σ
∗
)
6∈ {(m
1
,σ
1
),· · · ,(m
q
Σ
S
,σ
q
Σ
S
)}
∪{(m
′
1
,σ
′
1
),· · · , (m
′
q
Σ
T
,σ
′
q
Σ
T
)}
Return 1
if Decision(params,m
∗
,σ
∗
,PKs,PKv, SKp) =
= accept
We define the success probability of the adversary A
by
Succ
seuf−cma
PDVS,A
(k) = Pr[Exp
seuf−cma
PDVS,A
(k) = 1].
A PDVS scheme is said to be (k,τ,ε)-sEUF-CMA
secure, if no adversary A running in time τ has a
Succ
seuf−cma
PDVS,A
(k) ≥ ε.
3.2.2 Privacy of Signer’s Identity
In the PDVS system, a third party who has only public
keys must be unable to confirm whether a signature is
acceptable or not. To capture this requirement, we de-
fine Privacy of signer’s identity (PSI) that “there are
two possible signers. An adversary sees a signature σ,
he is not able to distinguish the signer who generates
σ.” This condition can be described as follows.
Definition 6 (Privacy of Signer’s Identity). Let A be
a PSI-CMA-adversary against PDVS, Σ
S
0
and Σ
S
1
be
original signing oracles, Σ
T
be the dummy signing or-
acle, Γ be the Decision oracle, and ϒ be the Distinc-
tion oracle. Let k be a security parameter. We con-
sider the following random experiment for i ∈ {0, 1}.
Experiment Exp
psi−cma−i
PDVS,A
(k)
params
R
← Setup(k)
(PKs0,SKs0)
R
← SKeyGen(params)
(PKs1,SKs1)
R
← SKeyGen(params)
(PKv, SKv,SKp)
R
← VKeyGen(params)
m
∗
← A
Σ
S
0
,Σ
S
1
,Σ
T
,Γ,ϒ
(params,PKs0,PKs1,PKv)
σ
∗
← DSign(params,m
∗
,SKsi,PKv)
Return i
′
← A
Σ
S
,Σ
T
,Γ,ϒ
(params,m
∗
,σ
∗
,PKs0, PKs1, PKv)
We define the advantage of the adversary A by
Adv
psi−cma
PDVS,A
(k) =
|Pr[Exp
psi−cma−0
PDVS,A
(k) = 1] − Pr[Exp
psi−cma−1
PDVS,A
(k) = 1]|
A PDVS scheme is said to be (k,τ,ε)-PSI-CMA
secure, if no adversary A running in time τ has
Adv
psi−cma
PDVS,A
(k) ≥ ε.
3.2.3 Source Hiding
In the PDVS system, anyone except the verifier who
has all secret keys must be unable to confirm whether
a signature is valid signature or not in order to guar-
antee that the Distinction is able to be performed by
only the verifier. In this paper, Source Hiding (SH)
means “even if any adversary A has all secret and
public keys, he can not distinguish the original sig-
nature from the dummy signature.”
It is clear that if a PDVS scheme satisfies SH, A
who has a part of secret keys can not distinguish the
original signature from the dummy signature. Thus if
a scheme satisfies SH, the proxy can not confirm the
validity of the signature.
Definition 7 (Source Hiding). Let A be an arbitrary
completely source hiding (SH)-adversary against a
PDVS scheme. Let k be a security parameter. We con-
sider the following random experiment:
Experiment Exp
sh
PDVS,A
(k)
params
R
← Setup(k)
(PKs,SKs)
R
← SKeyGen(params)
(PKv, SKv,SKp)
R
← VKeyGen(params)
m
∗
← A (params,PKs,PKv, SKs,SKv, SKp)
r ←
R
{0,1}
if r = 1 : σ
∗
← DSign(params,m
∗
,SKs,PKs,PKv)
otherwise : σ
∗
← TSim(params,m
∗
,SKv, PKs,PKv)
r
′
← A (params,m
∗
,σ
∗
,PKs,PKv, SKs, SKv, SKp)
Return 1 iff r
′
= r
We define the advantage of the adversary A by
Adv
sh
PDVS,A
(k) = |Pr[Exp
sh
PDVS,A
(k) = 1] −
1
2
|.
A PDVS scheme is said to be (k, τ,ε)-SH-CMA secure,
if no adversary A running time τ has Adv
sh
PDVS,A
(k) ≥
ε.
3.2.4 Non-coincidental Property
For message m, if the probability that
σ
DSign
= σ
TSim
such that σ
DSign
←
DSign(params,m
∗
,SKs,PKs,PKv) and σ
TSim
←
SECRYPT 2010 - International Conference on Security and Cryptography
348
TSim(params,m
∗
,SKv,PKs,PKv) is non-negligible,
the verifier cannot confirm the validity of the sig-
nature. Since he cannot confirm that (m,σ
DSign
) is
the original signature because he cannot distinguish
(m,σ
DSign
) from the dummy signature (m,σ
TSim
) he
issued before.
Hence, the PDVS must satisfy the property that
the provability that the original signature is identical
with the dummy signature is negligible. In this pa-
per, we call this property Non-coincidental Property
(NCP).
Definition 8 (Non-coincidental Property). A PDVS
scheme is said to be (k,ε)-NCP secure, if for any m,
Pr[σ
DSign
= σ
TSim
|params ← SetUp(k);
(SKs,PKs) ← SKeyGen(params);
(PKv,SKv,SKp)
R
← VKeyGen(params)
σ
DSign
← DSign(params, m
∗
,SKs,PKs,PKv);
σ
TSim
← TSim(params,m
∗
,SKv,PKs,PKv)]
≤ ε
4 OUR PROPOSED PDVS
SCHEME
In this section, we propose a PDVS scheme satis-
fying all security requirements which we defined in
Sect 3.2.
First, we propose a naive PDVS scheme. But
the naive PDVS scheme does not satisfy sEUF. Next,
we show a strong-forgery attack for the naive PDVS
scheme. Finally, we propose a PDVS scheme which is
improved from the naive PDVS scheme and satisfies
sEUF and other security requirements.
4.1 Naive PDVS Scheme
4.1.1 Idea
We achieve the naive PDVS scheme by using
the bi-DVS scheme proposed by Laguillaumie and
Vergnaud (Laguillaumie and Vergnaud, 2004). In the
Bi-DVS, a signer designates two verifiers in one sig-
nature. The bi-DVS system does not capture dummy
signatures and the validity of the signature is con-
firmed by only checking the Decision. Two verifiers
havetheir ownsecret key respectively and can execute
the Decision by using only his secret key
3
.
3
If each of verifiers can generate a dummy signature, the
other verifier cannot confirm the validity of the signature.
Because if it is so, there are more than two entities who
We find that the bi-DVS scheme has a property
where a person who has both two verifiers’ secret keys
can generate an acceptable signature without using
signer’s secret keys, and such acceptable signature is
not distinguished from the signature generated by the
signer. That is he can generate a dummy signature.
We achieve the PDVS scheme by correspondinga key
for performing the Decision to one of two verifiers’
keys in the bi-DVS and keys for generating dummy
signatures to both of two verifiers’ keys.
4.1.2 Naive PDVS Scheme
Let k be a security parameter.
SetUp: Let Gen be a prime-order-BDH-generator
and let (q,P,G, H,e) be an output of Gen(k). Let
H : G × G −→ H be a hash function family and
H
be a random member of H .
SKeyGen : Pick a
R
← Z
∗
q
and compute P
A
= aP. The
signer’s public key PKs is P
A
and the secret key
SKs is a.
VKeyGen: Pick b
R
← Z
∗
q
and compute P
B
= bP. Pick
c
R
← Z
∗
q
and compute P
c
= cP. The verifiers’ pub-
lic key PKv is P
B
and P
C
. The secret keys SKv
which the verifier keeps are b and c, and the secret
key SKp which the proxy is given by the verifier
is c.
DSign : Given a message m ∈ {0,1}
∗
, pick (r,l)
R
←
Z
∗2
q
, compute P
BC
= P
B
+ P
C
, u = e(P
B
,P
C
)
a
and
M = H(m,u
l
) and set Q
A
= a
−1
(M − rP
BC
) and
Q
BC
= rP. The signature σ of m is (Q
A
,Q
BC
,l).
TSim: Given a message m ∈ {0,1}
∗
, pick (r
′
,l
′
)
R
←
Z
∗2
q
. Compute P
BC
= P
B
+ P
C
, u = e(P
A
,P
C
)
b
and
M
′
= H(m,u
l
′
), and set Q
′
A
= r
′
P and Q
′
BC
= (b+
c)
−1
(M
′
− r
′
P
A
). The dummy signature σ
′
of m is
(Q
′
A
,Q
′
BC
,l
′
).
Decision : Given m and σ, compute u = e(P
A
,P
B
)
c
and M = H(m,u
l
). Finally, check whether
e(Q
A
,P
A
)e(Q
BC
,P
BC
) = e(M,P). If it does, return
accept. Otherwise return reject.
Distinction : Given an acceptable message/signature
pair (m,σ), check whether (m = m
′
)∧(σ = σ
′
) for
any message/dummy signature pair (m
′
,σ
′
) which
was issued before. If it does not, return valid.
Otherwise return invalid.
can generate an acceptable signature and the verifier cannot
confirm that the signature is generated by the signer. In the
bi-DVS system, the validity of the signature is confirmed by
only checking the Decision. So, each of verifiers can trans-
fer the validity of the signature to a third party. Therefore,
to be exact, the bi-DVS is not DVS.
PROXIABLE DESIGNATED VERIFIER SIGNATURE
349
4.1.3 Strong-forgery-attack for Naive PDVS
Scheme
We describe the strong-forgery-attack for the naive
PDVS scheme.
Select ε
R
← Z
∗
q
for accepted (m,σ), and com-
pute Q
∗
A
= Q
A
− εP
BC
, Q
∗
B
= Q
BC
+ εP
A
and out-
put forgery (Q
∗
A
,Q
∗
BC
,l). Then (Q
∗
A
,Q
∗
BC
,l) satisfies
e(Q
∗
A
,P
A
)e(Q
∗
BC
,P
BC
) = e(M,P). Therefore anyone
can generate forgery (Q
∗
A
,Q
∗
B
,l) by using an accept-
able message/signature pair.
4.2 Proposed PDVS Scheme
4.2.1 Idea
To prevent the strong-forgery attack in Sect 4.1.3, we
add a signing procedure for generating a new part of
signature ch corresponding to (m,σ). ch is computed
only by using signer’s or verifier’s secret key. A valid
signature consists of σ and ch. Even if a third party
generates (m,σ
∗
), he cannot generate ch
′
correspond-
ing to (m,σ
∗
). Hence a third party never generates
strong-forgery (m,σ
∗
,ch
∗
).
4.2.2 PDVS Scheme
Let σ be a signature which is generated by DSign or
TSim in the naive PDVS scheme and Σ be a family of
σ.
SetUp: Let be the same as SetUp in the naive PDVS.
Besides let G :{0, 1}
∗
× Σ × H −→ H be a hash
function family and
G
be a random member of G .
SKeyGen : Pick (a,a
′
)
R
← Z
∗2
q
and compute P
A
= aP
and P
A
′
= a
′
P. The signer’s public keys PKs are
P
A
and P
A
′
, and the secret keys SKs are a and a
′
.
VKeyGen: Pick (b,b
′
)
R
← Z
∗2
q
and compute P
B
= bP
and P
B
′
= b
′
P. Pick c
R
← Z
∗
q
and compute P
c
= cP.
The verifiers’ public keys PKv are P
B
,P
B
′
and P
C
.
The secret keys SKv that the verifier keeps are b,
b’ and c. The secret key SKp that the proxy is
given by the verifier is c.
DSign : Given m, generate σ by DSign in the naive
PDVS scheme and compute ch = G(m,σ,a
′
P
B
′
).
The original signature σ
new
of m is (σ,ch).
TSim: Given m, generate σ
′
by TSim in the naive
PDVS scheme and compute ch
′
= G(m,σ
′
,b
′
P
A
′
).
The dummy signature σ
′
new
of m is (σ
′
,ch
′
).
Decision : Let be the same as Decision in the naive
PDVS scheme.
Distinction : Given an acceptable message/signature
pair (m, σ, ch), if m 6= m
′
for any m
′
which
was issued with dummy signature before, output
valid. Else if (m = m
′
) ∧ (σ = σ
′
) for any mes-
sage/dummy signature pair (m
′
,σ
′
) which was
issued before, output invalid. Otherwise check
whether ch = G(m,σ,b
′
P
A
′
), if it does, output
valid.
4.3 Comparison
In this section, we compare previous DVS schemes
with our proposed PDVS scheme in terms of the com-
putational cost of the verification task for the verifier.
We describe the cost of computing modulo expo-
nentiation as E and the cost of computing pairing cal-
culation as P.
In previous strong DVS systems, Decision is per-
formed only by the verifier. The cost of performing
the Decision of the scheme by Saeednia et al. (Saeed-
nia et al., 2004) is 3E, and the scheme by Laguil-
laumie et al. (Laguillaumie and Vergnaud, 2004) is
E+4P.
In our proposed PDVS scheme, the verification
cost of the verifier is at most E. But this calculation
is performed when only the message/signature pair
(m,σ) satisfies (m = m
′
) ∧ (σ 6= σ
′
) for any (m
′
,σ
′
)
which the verifier issued before. In the PDVS system,
indeed, the verifier need not issue any dummy signa-
ture. In this case, the verifier verifies that (m,σ) is
valid immediately when he is reported that (m,σ) is
acceptable by the proxy. Hence, in practice, the veri-
fication cost of the verifier is very smaller than that of
previous DVS systems.
4.4 Security Proofs
4.4.1 Strong Unforgeability
We will prove that PDVS is satisfies sEUF-CMA.
Theorem 1 (Strong Unforgeability). For any
sEUF-CMA-adversary A in the random oracle
model, with security parameter k, which has the
success probability ε = Succ
seuf−cma
PDVS,A
(k), and makes
q
G
queries to the random oracle, q
Σ
S
queries to the
original signing oracle, q
Σ
T
queries to the dummy
signing oracle, q
ϒ
queries to the Distinction oracle,
there exists an adversary A for CDH which has the
advantage Succ
cdh
Gen,A
(k) upper-bounded by ε
′
such
that
ε
′
≥ ε −
(q
G
+q
ϒ
)(q
Σ
S
+q
Σ
T
)
2
4k
−
1
2
k
.
SECRYPT 2010 - International Conference on Security and Cryptography
350
Proof. Suppose A is an adversary that (k,t,ε)-breaks
sEUF-CMA of the PDVS scheme. A who is given in-
formation params, PKs,PKv and SKp can query mes-
sages for original singing and dummy signing ora-
cle and obtains signatures (σ,ch) for any message
m. (m
i
,σ
i
,ch
i
) for i ∈ {1,· · · ,q
Σ
S
+ q
Σ
T
} are mes-
sage/signature pairs which A obtains by signing or-
acles. A also can ask the Distinction oracle whether
message and the signature pairs are valid or not. Fi-
nally A outputs a forgery (m
∗
,σ
∗
,ch
∗
).
We construct B which solves CDH problem by us-
ing A . Let (X,Y) be an inputs for B where X = xP
and Y = yP in G for uniformly random (x, y) in Z
∗
q
. B
computes xyP. Let σ be a triple(Q
A
,Q
BC
,l) and Σ be
a family of σ.
Input. B picks (a,b,c)
R
← Z
∗3
q
, sets P
A
=
aP,P
B
= bP,P
C
= cP, P
A
′
= X,P
B
′
= Y, and inputs
P
A
,P
B
,P
C
,P
A
′
,P
B
′
,c to A .
G-Queries. For any query (m,σ,ω) ∈ {0, 1}
∗
×
Σ × H, B checks whether e(ω,P) = e(P
A
′
,P
B
′
), if
it does, B outputs ω and halt. Else if there exist
(m,σ,ω,ch,0, ⊥) in G-List, B return ch. Otherwise B
picks ch
R
← H, returns to A and adds (m,σ,ω,ch,0, ⊥)
to G-List.
DSign-Queries. For any m, B computes σ ←
DSign(m) by using a and picks ch
R
← H. If there
exists (m,σ, ∗,ch,0, ⊥) in G-List, B abort the sim-
ulation. Otherwise B returns (σ,ch) to A and add
(m,σ,⊥,ch,1, DSign) to G-List.
TSim-Queries. For any m, B computes σ ←
TSim(m) by using b and c, and picks ch
R
← H. If there
exists (m,σ,∗,ch,0,⊥) in G-List, B abort the simula-
tion. B picks ch
R
← H and returns (σ,ch) to A and
adds (m,σ,⊥,ch,1,TSim) to G-List.
Distinction-Queries. For any (m,σ,ch), if an out-
put of Decision(m,σ) is reject, B returns invalid.
If there does not exist (m, σ, ∗,ch,∗, ∗), B returns
invalid and adds (m, σ,⊥,ch,0, ⊥) Else if there ex-
ists (m,σ, ∗,ch,1, TSim) in G-List, B returns invalid.
Otherwise B returns valid.
The above simulation is perfectly indistinguish-
able from the real forgery unless the following events
happen:
• The simulation is aborted in DSign-Queries or
TSim-Queries. This happens with the probabil-
ity at most (q
G
+ q
ϒ
)(q
Σ
S
+ q
Σ
T
)2
−4k
through the
entire simulation.
If the adversary outputs strong forgery
(m
∗
,σ
∗
,ch
∗
), B does not query to the random
oracle, then fails to solve CDH problem. This
happens with the probability at most 2
−k
.
Thus, we obtains the following probability:
ε
′
≥ ε −
(q
G
+q
ϒ
)(q
Σ
S
+q
Σ
T
)
2
4k
−
1
2
k
.
4.4.2 Privacy of Signer’s Identity
We will prove that PDVS scheme satisfies PSI in the
random oracle model, assuming that GBDH is hard.
Theorem 2 (Privacy of Signer’s Identity). For any
PSI-CMA-adversary A , in the random oracle model,
with security parameter k, which has the success
probability ε = Succ
psi−cma
PDVS,A
(k), and makes q
H
and q
G
queries to the random oracle, q
Σ
S
queries to the orig-
inal signing oracle, q
Σ
T
queries to the dummy signing
oracle, q
Γ
queries to the Decision oracle, q
ϒ
queries
to the Distinction oracle, there exist an adversary
A for GBDH which has the advantage Succ
gbdh
Gen,A
(k)
upper-bounded by ε
′
such that
ε
′
≥
ε
2
−
q
Γ
+q
ϒ
2
k
−
(q
H
+q
Σ
S
+q
Σ
T
)(q
Σ
S
+q
Σ
T
)
2
k
−
(q
G
+q
ϒ
)(q
Σ
S
+q
Σ
T
)
2
4k
Proof. We construct B which solves GBDH by
using A . Let (X,Y,Z) be an inputs for B where X =
xP, Y = yP and Z = zP in G for uniformly random
(x,y, z) in Z
q
. B computes e(P, P)
xyz
by using DBDH
oracle.
In order to simulate the environment of A , B per-
forms as follows:
Input. B picks α
R
← Z
∗
q
, (a
′
0
,a
′
1
,b
′
)
R
← Z
∗3
q
, sets
P
A
0
= X, P
A
′
0
= a
′
0
P, P
A
1
= αX, P
A
′
1
= a
′
1
P, P
B
= Y,
P
B
′
= b
′
P, P
C
= Z, and inputs P
A
0
,P
A
′
0
,P
A
1
,P
A
′
1
,P
B
,P
B
′
and P
C
to A .
H-Queries. For any query (m,v) ∈ {0, 1}
∗
× H
• B checks whether H-List includes a quadruple
(m,v,⊥, M). If it does, B returns M.
• Else B browses H-List and checks for all quadru-
ple (m,⊥,l,M) whether v
1/l
= e(P,P)
xyz
by using
DBDH oracle. If it does, B returns M.
• Otherwise, B picks M
R
← Z
∗
q
, records (m,v,⊥, M)
in H-List, and returns M.
G-Queries. For any query (m, Q
A
,Q
BC
,l,ω) ∈
{0,1}
∗
× H
2
× Z
∗
q
× H, B checks whether ω = a
′
i
b
′
P.
If it does, there exists (m, Q
A
,Q
BC
,l,ω,ch,0, ⊥) in G-
List, B returns ch. Otherwise B picks ch
R
← H, returns
to A and adds (m,Q
A
,Q
BC
,l,ω,ch,0, ⊥) to G-List.
DSign-Queries (resp. TSim-Queries). For any
m, whose signature is queried to Σ
Si
(resp. Σ
Ti
) corre-
sponding to Signer S
i
, by either the adversary or the
challenger, B picks (q
A
,q
B
)
R
← Z
∗2
q
, l
R
← Z
∗
q
, and com-
putes M = q
A
α
i
P
A
i
+ q
B
P
B
, and sets Q
A
= q
A
α
i
P and
Q
BC
= q
B
P.
PROXIABLE DESIGNATED VERIFIER SIGNATURE
351
• If H-List includes a quadruple (m, ⊥,l
α
i
,∗), B
aborts the simulation,
• Else B browses H-List and checks for each
quadruple (m,v,⊥, M), whether v
1/l
= e(P,P)
xyz
by using DBDH oracle. If it does, B aborts the
simulation.
• Otherwise B adds the quadruple (m, ⊥,l
α
i
,M) to
H-List and returns (Q
A
,Q
BC
,l).
B picks ch
R
← H. If there exist
(m,Q
A
,Q
BC
,l,∗,ch,0,⊥) in G-List, abort the
simulation. Otherwise return (Q
A
,Q
BC
,l,ch)
to A and add (m,Q
A
,Q
BC
,l,⊥,ch,1,DSign
i
)
(resp.(m,Q
A
,Q
BC
,l,⊥,ch,1,TSim
i
)) in G-List.
DVerify-Queries. For any inputs
(m,Q
A
,Q
BC
,l,ch,S
i
), the followings are queried
• B checks whether H-List includes a quadruple
(m,∗,∗, M). If it does not, B returns reject.
• If H-List includes a quadruple (m, ⊥,l,M), B re-
turns accept if e(Q
A
i
,P
A
i
)e(Q
BC
,P
B
) = e(M, P).
• If H-List includes a quadruple (m,v, ⊥,M), B
returns accept if both v
1/lα
i
= e(P,P)
xyz
and
e(Q
A
i
,P
A
i
)e(Q
BC
,P
B
) = e(M,P).
Distinction-Queries. For any
(m,Q
A
,Q
BC
,l,ch,S
i
), B checks whether
(m,Q
A
,Q
BC
,l,ch) is acceptable or not by performing
the DVerify-Queries, if it does not, returns invalid.
If there does not exist (m,Q
A
,Q
BC
,l,∗,ch,∗,∗), B
returns invalid and adds (m,Q
A
,Q
BC
,l,⊥,ch,0,⊥)
Else if there exist (m,Q
A
,Q
BC
,l,∗,ch,1,TSim
i
) in
G-List, return invalid. Otherwise B returns valid.
For m
∗
that A outputs, B picks i
R
← {0, 1} and
generates σ
∗
= (Q
∗
A
i
,Q
∗
BC
,l
∗
,ch
∗
) by using the above
DSign-Queries or TSim-Queries of S
i
. B returns σ
∗
to A .
After receiving σ
∗
, A outputs i
′
. B obtains
(m
∗
,v
∗
,⊥,M
∗
) in H-List and outputs C = v
∗1/lα
i
.
Otherwise, B outputs a random element of G.
The above simulation is perfectly indistinguish-
able from the real attack unless the following events
happen:
• The simulation aborts in DSign-Queries or
TSim-Queries. This happens with the probability
at most (q
H
+ q
Σ
S
+ q
Σ
T
)(q
Σ
S
+ q
Σ
T
)2
−k
+ (q
G
+
q
ϒ
)(q
Σ
S
+ q
Σ
T
)2
−4k
through the entire simulation.
• The valid signature of m, (Q
A
,Q
BC
,l), was gen-
erated without querying (m,u
l
) to H oracle, and
was queried to Γ or ϒ oracle. Since H(m,u
l
) is
uniformly distributed, this happens with the prob-
ability at most (q
Γ
+ q
ϒ
)2
−k
through the entire
simulation.
The signature σ
∗
provides A no information about
i if (m
∗
,v
∗
,⊥,M
∗
) was not queried to H-Queries.
Therefore, in this case A succeeds with the probabil-
ity 1/2
4
.
Thus,we obtains the following probability:
ε
′
≥
ε
2
−
q
Γ
+q
ϒ
2
k
−
(q
H
+q
Σ
S
+q
Σ
T
)(q
Σ
S
+q
Σ
T
)
2
k
−
(q
G
+q
ϒ
)(q
Σ
S
+q
Σ
T
)
2
4k
4.4.3 Source Hiding
We will show that PDVS satisfies SH.
Theorem 3 (Source Hiding). In the PDVS scheme
we propose, the following expression holds.
Adv
sh
PDVS,A
(k) = 0
Proof. We prove the following fact. Given public
keys of P
A
,P
A
′
,P
B
,P
B
′
and P
C
, secret keys of a,a
′
,b,b
′
and c, arbitrary message m
∗
, and signature for m
∗
,
(Q
∗
A
,Q
∗
BC
,l
∗
,ch
∗
), A can not distinguish by which
procedure of DSign or TSim (Q
∗
A
,Q
∗
BC
,l
∗
,ch
∗
) is gen-
erated.
For N ∈ G in DSign and N
′
∈ G in TSim, there
exists n,n
′
∈ Z
∗
q
such that N = nP,N
′
= n
′
P.
Using this arbitrary n and n
′
, we prove that
Q
A
,Q
BC
,Q
′
A
and Q
′
BC
have the same distribution.
Since r in DSign and r
′
in TSim are random values in
{1,..., q − 1}, Q
BC
= rP and Q
′
A
= r
′
P have the uni-
form distribution on the set {P,...,(q− 1)P}.
Let f(r) := a
−1
{n−r(b+c)}, then Q
A
= a
−1
(N−
rP
BC
) describes Q
A
= f(r) · P. Since f(r) is bi-
jective, f(r) has the uniform distribution on the set
{1,..., q − 1}. So Q
A
has the uniform distribution on
the set {P, ..., (q− 1)P}. Similarly, let f
′
(r
′
) := (b +
c)
−1
(n
′
− r · a), then Q
′
BC
= a
−1
(N − r
′
P
A
) describes
Q
′
BC
= f
′
(r
′
) · P. Since f
′
(r
′
) is bijective, f
′
(r
′
) has
the uniform distribution on the set {1,...,q − 1}. So
Q
′
BC
has the uniform distribution on the set {P,..., (q−
1)P}. Therefore Q
A
,Q
BC
,Q
′
A
and Q
′
BC
have the same
distribution. Moreover values of Q
A
,Q
BC
,Q
′
A
and
Q
′
BC
depend on a random values r or r
′
. Hence,
it is not distinguished whether a triple Q
∗
A
,Q
∗
BC
,l
∗
is generated by DSign or TSim. Besides, ch
∗
=
G(m
∗
,Q
∗
A
,Q
∗
BC
,l
∗
,a
′
P
B
′
) = G(m
∗
,Q
∗
A
,Q
∗
BC
,l
∗
,b
′
P
A
′
),
so it is also not distinguished whether ch
∗
is gener-
ated by DSign or TSim.
Therefore even if the values of all secret keys
a,a
′
,b,b
′
and c are revealed, it is not distinguished
whether a signature is generated by DSign or TSim
procedures.
4
ch
∗
is given by random oracle and does not depend on
any secret keys. So ch
∗
does not give any information of S
i
to A .
SECRYPT 2010 - International Conference on Security and Cryptography
352
4.4.4 Non-coincidental Property
We will show that PDVS satisfies NCP.
We consider the probability that σ = σ
′
where σ ← DSign(m,SKs,PKv),σ
′
←
TSim(m,SKv,SKp, PKs) in the random oracle model.
We represent an original signature as σ = (Q
A
,Q
BC
,l)
and a dummy signature as σ
′
= (Q
′
A
,Q
′
BC
,l
′
). We
also denote that r ∈ Z
∗
q
is a random string the signer
selects and r
′
∈ Z
∗
q
is a random string the verifier
selects. Pr[σ = σ
′
] = Pr[l = l
′
] · Pr[Q
A
,Q
BC
=
Q
′
A
,Q
′
BC
|l = l
′
] = (q − 1)
−2
. Hence, Pr[σ = σ
′
] is
negligible.
5 CONCLUSIONS
In this paper, we proposed concepts and definitions of
the PDVS that a verifier can delegate some computa-
tional cost of the verification to the proxy. We defined
new security requirements for the PDVS, and pro-
posed a concrete PDVS scheme. Finally we proved
that our PDVS scheme satisfies all security require-
ments for the PDVS under CDH and GBDH assump-
tions.
REFERENCES
An, J., Dodis, Y., and Rabin, T. (2002). On the security of
joint signature and encryption. In Advances in Cryp-
tology — EUROCRYPT 2002. Springer.
Baek, J., Safavi-Naini, R., and Susilo, W. (2005). Univer-
sal designated verifier signature proof (or how to effi-
ciently prove knowledge of a signature). In Advances
in Cryptology — ASIACRYPT 2005. Springer.
Chaum, D. and van Antwerpen, H. (1990). Undeniable sig-
natures. In Advances in Cryptology — CRYPTO 1989.
Springer.
Jakobsson, M., Sako, K., and Impagliazzo, R. (1996).
Designated verifier proofs and their applications.
In Advances in Cryptology — EUROCRYPT 1996.
Springer.
Laguillaumie, F. and Vergnaud, D. (2004). Multi-
designated verifiers signatures. In International Con-
ference on Information and Communications Security
— ICICS 2004. Springer.
Laguillaumie, F. and Vergnaud, D. (2005). Designated ver-
ifier signatures: Anonymity and efficient construction
from any bilinear map. In Security in Communication
Networks — SCN 2004. Springer.
Lipmaa, H., Wang, G., and Bao, F. (2005). Designated ver-
ifier signature schemes: Attacks, new security notions
and a new construction. In Automata, Languages and
Programming — ICALP 2005. Springer.
Rivest, R., Shamir, A., and Tauman, Y. (2001). How to leak
a secret. In Advances in Cryptology — ASIACRYPT
2001. Springer.
Saeednia, S., Kremer, S., and Markowitch, O. (2004). An
efficient strong designated verifier signature scheme.
In Information Security and Cryptology—ICISC 2003.
Springer.
Shahandashti, S. and Safavi-Naini, R. (2008). Construc-
tion of universal designated-verifier signatures and
identity-based signatures from standard signatures. In
Public Key Cryptography — PKC 2008. Springer.
Steinfeld, R., Bull, L., Wang, H., and Pieprzyk, J. (2003).
Universal designated-verifier signatures. In Advances
in Cryptology — ASIACRYPT 2003. Springer.
Steinfeld, R., Wang, H., and Pieprzyk, J. (2004). Efficient
extension of standard schnorr/rsa signatures into uni-
versal designated-verifier signatures. In Public Key
Cryptography — PKC 2004. Springer.
Wang, G. (2005). Designated-verifier proxy signature
schemes. In Security and Privacy in the Age of Ubiq-
uitous Computing (IFIP/SEC 2005). Springer.
PROXIABLE DESIGNATED VERIFIER SIGNATURE
353
