An Efficient Strong Designated Verifier Signature Scheme

2004

Universal Designated-Verifier Signature (UDVS) schemes are digital signature schemes with additional functionality which allows any holder of a signature to designate the signature to any desired designated-verifier such that the designated-verifier can verify that the message was signed by the signer, but is unable to convince anyone else of this fact. Since UDVS schemes reduce to standard signatures when no verifier designation is performed, it is natural to ask how to extend the classical Schnorr or RSA signature schemes into UDVS schemes, so that the existing key generation and signing implementation infrastructure for these schemes can be used without modification. We show how this can be efficiently achieved, and provide proofs of security for our schemes in the random oracle model.

Universal Designated-Verifier Signature (UDVS) schemes are digital signature schemes with additional functionality which allows any holder of a signature to designate the signature to any desired designatedverifier such that the designated-verifier can verify that the message was signed by the signer, but is unable to convince anyone else of this fact. Since UDVS schemes reduce to standard signatures when no verifier designation is performed, it is natural to ask how to extend the classical Schnorr or RSA signature schemes into UDVS schemes, so that the existing key generation and signing implementation infrastructure for these schemes can be used without modification. We show how this can be efficiently achieved, and provide proofs of security for our schemes in the random oracle model.

The problem of generalization of (single) designated verifier schemes to several designated verifiers was proposed by Desmedt in 2003. The paper proposes eight new Identity Based Strong Bi-Designated Verifier Signature Schemes in which the two designated verifiers may not know each other. The security and the computational efficiency of the schemes are also analyzed.

Information Technology And Control, 2013

A designated verifier scheme can protect information from uncertainty. Only the designated verifier can verify the signature and make sure that the information is correct. In addition, a strong designated verifier scheme allows the verifier to maintain a transcript signature of the verifier's secret key. Recently, Yoon proposed an identitybased strong designated verifier signature scheme to solve the problems of some previously proposed schemes. Unfortunately, Yoon's scheme still has some weaknesses, such as inefficiency in the verifying phase and being vulnerable to replay-attack. To overcome these, we propose a novel designated verifier signature scheme in this paper.

International Journal of Information Security, 2011

Designated verifier signature (DVS) is a cryptographic primitive that allows a signer to convince a verifier the validity of a statement in a way that the verifier is unable to transfer the conviction to a third party. In DVS, signatures are publicly verifiable. The validity of a signature ensures that it is from either the signer or the verifier. Strong DVS (SDVS) enhances the privacy of the signer so that anyone except the designated verifier cannot verify the signer's signatures.

Automata, Languages and Programming, 2005

We show that the signer can abuse the disavowal protocol in the Jakobsson-Sako-Impagliazzo designated-verifier signature scheme. In addition, we identify a new security property-non-delegatability-that is essential for designated-verifier signatures, and show that several previously proposed designated-verifier schemes are delegatable. We give a rigorous formalisation of the security for designated-verifier signature schemes, and propose a new and efficient designated-verifier signature scheme that is provably unforgeable under a tight reduction to the Decisional Diffie-Hellman problem in the nonprogrammable random oracle model, and non-delegatable under a loose reduction in the programmable random oracle model. As a direct corollary, we also get a new efficient conventional signature scheme that is provably unforgeable under a tight reduction to the Decisional Diffie-Hellman problem in the nonprogrammable random oracle plus common reference string model. Keywords. Designated verifier signature scheme, non-delegatability, nonprogrammable random oracle model, signature scheme.

20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA'06), 2006

Designated verifier signature schemes allow a signer to convince a designated verifier, in such a way that only the designated verifier will believe with the authenticity of such a signature. The previous constructions of designated verifier signature rely on the underlying Public Key Infrastructure, that requires both signer and verifier to verify the authenticity of the public keys, and hence, the certificates are required. In contrast to the previous constructions, in this paper, we propose the first notion and construction of the certificateless designated verifier signature scheme. In our new notion, the necessity of certificates are eliminated. We show that our scheme satisfies all the requirements of the designated verifier signature schemes in the certificateless system. We also provide complete security proofs for our scheme and prove that our scheme is unforgeable under the assumption of the Gap Bilinear Diffie-Hellman Problem in the random oracle model.

2008

Multi-Designated Verifier Signatures (MDVS) are privacy-oriented signatures that can only be verified by a set of users specified by the signer. We propose two new generic constructions of MDVS from variants of existing cryptographic schemes, which are ring signature from anonymous subset and multi-chameleon hash. We first devise a single add-on protocol which enables many existing identity-based (ID-based) ring signature schemes to support anonymous subset, which gives us three ID-based MDVS schemes.

2003

Motivated by privacy issues associated with dissemination of signed digital certificates, we define a new type of signature scheme called a ‘Universal Designated-Verifier Signature’ (UDVS). A UDVS scheme can function as a standard publicly-verifiable digital signature but has additional functionality which allows any holder of a signature (not necessarily the signer) to designate the signature to any desired designated-verifier (using the verifier’s public key). Given the designated-signature, the designated-verifier can verify that the message was signed by the signer, but is unable to convince anyone else of this fact. We propose an efficient deterministic UDVS scheme constructed using any bilinear group-pair. Our UDVS scheme functions as a standard Boneh-Lynn-Shacham (BLS) signature when no verifier-designation is performed, and is therefore compatible with the key-generation, signing and verifying algorithms of the BLS scheme. We prove that our UDVS scheme is secure in the sense of our unforgeability and privacy notions for UDVS schemes, under the Bilinear Diffie-Hellman (BDH) assumption for the underlying group-pair, in the random-oracle model. We also demonstrate a general constructive equivalence between a class of unforgeable and unconditionally-private UDVS schemes having unique signatures (which includes the deterministic UDVS schemes) and a class of ID-Based Encryption (IBE) schemes which contains the Boneh-Franklin IBE scheme but not the Cocks IBE scheme.

Information Security, IET, 2009

We give a generic construction for universal designated-verifier signature schemes from a large class, C, of signature schemes. The resulting schemes are efficient and have two important properties. Firstly, they are provably DV-unforgeable, non-transferable and also non-delegatable. Secondly, the signer and the designated verifier can independently choose their cryptographic settings. We also propose a generic construction for identity-based signature schemes from any signature scheme in C and prove that the construction is secure against adaptive chosen message and identity attacks. We discuss possible extensions of our constructions to hierarchical identity-based signatures, identity-based universal designated verifier signatures, and identitybased ring signatures from any signature in C.

Computer Standards & Interfaces, 2008

An identity-based (ID-based) universal designated verifier signature (ID-UDVS) scheme allows a signature holder to designate a specific verifier of the signature by using a simplified public identity such as e-mail address. In the paper, we present an efficient identity-based universal designated multi-verifiers signature (ID-UDMVS) scheme by extending a single verifier to a set of multi-verifiers for verification of a signature. To achieve our goal, we construct an ID-based signature scheme providing batch verification and then, using this scheme as a building block, we firstly propose an ID-UDMVS scheme with constant signature size. Interestingly our construction method can be used as a generic method transforming an ID-UDVS scheme, which is defined in a bilinear version of the so-called ∑ protocol, to an ID-UDMVS scheme.

International Journal of Information Security, 2008

In Asiacrypt 2003, the concept of universal designated verifier signature (UDVS) was introduced by Steinfeld, Bull, Wang and Pieprzyk. In the new paradigm, any signature holder (not necessarily the signer) can designate the publicly verifiable signature to any desired designated verifier (using the verifier's public key), such that only the designated verifier can believe that the signature holder does have a valid publicly verifiable signature, and hence, believes that the signer has signed the message. Any other third party cannot believe this fact because this verifier can use his secret key to create a valid UDVS which is designated to himself. In ACNS 2005, Zhang, Furukawa and Imai proposed the first UDVS scheme without random oracles. In this paper, we give a security analysis to the scheme of Zhang et al. and propose a novel UDVS scheme without random oracles based on Waters' signature scheme, and prove that our scheme is secure under the Gap Bilinear Diffie Hellman assumption.

Lecture Notes in Computer Science

In many privacy-preserving protocols, protection of the user's identity, called anonymity, is a desirable feature. Another issue is that, if a signed document is leaked then anyone can be convinced of the authenticated data, which is strictly not allowed for sensitive data, instead the authentication only by a designated receiver is recommended. There are many scenarios in real life, for example e-auction, where both the functionalities-anonymity and designated verification are required simultaneously. For such an objective, in this paper we introduce a compact scheme of identity-based strong designated verifier group signature (ID-SDVGS) by combining the good features of strong designated verifier signature and group signature in ID-based setting. This scheme provides anonymity to the signer of a designated verifier signature with the feature of the revocation of signer's identity in case of misuse or dispute. Moreover, our scheme fulfils all the security properties of the individual components. We have obtained an ID-based instantiation of the generic group signature given by Bellare et al. in Eurocrypt 2003, and have proposed our scheme on that framework. To the best of our knowledge, this is the first construction of ID-SDVGS.

Lecture Notes in Computer Science, 2011

After the introduction of designated confirmer signatures (DCS) by Chaum in 1994, considerable researches have been done to build generic schemes from standard digital signatures and construct efficient concrete solutions. In DCS schemes, a signature cannot be verified without the help of either the signer or a semi-trusted third party, called the designated confirmer. If necessary, the confirmer can further convert a DCS into an ordinary signature that is publicly verifiable. However, there is one limit in most existing schemes: the signer is not given the ability to disavow invalid DCS signatures. Motivated by this observation, in this paper we first propose a new variant of DCS model, called designated confirmer signatures with unified verification, in which both the signer and the designated confirmer can run the same protocols to confirm a valid DCS or disavow an invalid signature. Then, we present the first DCS scheme with unified verification and prove its security in the random oracle (RO) model and under a new computational assumption, called Decisional Coefficient Linear (D-co-L) assumption, whose intractability in pairing settings is shown to be equivalent to the well-known Decisional Bilinear Diffie-Hellman (DBDH) assumption. The proposed scheme is constructed by encrypting Boneh, Lynn and Shacham's pairing based short signatures with signed ElGamal encryption. The resulting solution is efficient in both aspects of computation and communication. In addition, we point out that the proposed concept can be generalized by allowing the signer to run different protocols for confirming and disavowing signatures.

Annotation: This paper presents a threshold designated receiver signature scheme that includes certain characteristic in which the signature can be verified by the assistance of the signature recipient only. The aim of the proposed signature scheme is to protect the privacy of the signature recipient. However, in many applications of such signatures, the signed document holds data which is sensitive to the recipient personally and in these applications usually a signer is a single entity but if the document is on behalf of the company the document may need more than one signer. Therefore, the threshold technique is employed to answer this problem. In addition, we introduce its use to shared signature scheme by threshold verification. The resultant scheme is efficient and dynamic.