Anonymous yet Traceable Strong Designated Verifier Signature
Olivier Markowitch2018, Lecture Notes in Computer Science
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
In many privacy-preserving protocols, protection of the user's identity, called anonymity, is a desirable feature. Another issue is that, if a signed document is leaked then anyone can be convinced of the authenticated data, which is strictly not allowed for sensitive data, instead the authentication only by a designated receiver is recommended. There are many scenarios in real life, for example e-auction, where both the functionalities-anonymity and designated verification are required simultaneously. For such an objective, in this paper we introduce a compact scheme of identity-based strong designated verifier group signature (ID-SDVGS) by combining the good features of strong designated verifier signature and group signature in ID-based setting. This scheme provides anonymity to the signer of a designated verifier signature with the feature of the revocation of signer's identity in case of misuse or dispute. Moreover, our scheme fulfils all the security properties of the individual components. We have obtained an ID-based instantiation of the generic group signature given by Bellare et al. in Eurocrypt 2003, and have proposed our scheme on that framework. To the best of our knowledge, this is the first construction of ID-SDVGS.
Related papers
Short designated verifier signature scheme and its identity-based variant
2008
The notion of strong designated verifier signature was put forth by Jakobsson, Sako and Impagliazzo in 1996, but the formal definition was defined recently by Saeednia, Kremer and Markowitch in 2003 and revisited by Laguillaumie and Vergnaud in 2004. In this paper, we firstly propose the notion of short strong designated verifier signature scheme, and extend it to the short identity-based strong designated verifier scheme. Then, we propose the first construction of short strong designated verifier signature scheme. We also extend our scheme to construct a short identity-based strong designated verifier signature scheme. The size of the signature of our schemes is the shortest compared to any existing schemes reported in the literature. We provide formal security proofs for our schemes based on the random oracle model. Finally, we also discuss an extension of our scheme to construct a short strong designated verifier signature without random oracle. Keywords: Designated verifier signature, identity based, random oracle model, short signature, strong designated verifier signature scheme 1) A didn't submit ID A0 , ID A1 or ID B during the Key Extraction Queries.
Universal Designated-Verifier Signatures
2003
Motivated by privacy issues associated with dissemination of signed digital certificates, we define a new type of signature scheme called a ‘Universal Designated-Verifier Signature’ (UDVS). A UDVS scheme can function as a standard publicly-verifiable digital signature but has additional functionality which allows any holder of a signature (not necessarily the signer) to designate the signature to any desired designated-verifier (using the verifier’s public key). Given the designated-signature, the designated-verifier can verify that the message was signed by the signer, but is unable to convince anyone else of this fact. We propose an efficient deterministic UDVS scheme constructed using any bilinear group-pair. Our UDVS scheme functions as a standard Boneh-Lynn-Shacham (BLS) signature when no verifier-designation is performed, and is therefore compatible with the key-generation, signing and verifying algorithms of the BLS scheme. We prove that our UDVS scheme is secure in the sense of our unforgeability and privacy notions for UDVS schemes, under the Bilinear Diffie-Hellman (BDH) assumption for the underlying group-pair, in the random-oracle model. We also demonstrate a general constructive equivalence between a class of unforgeable and unconditionally-private UDVS schemes having unique signatures (which includes the deterministic UDVS schemes) and a class of ID-Based Encryption (IBE) schemes which contains the Boneh-Franklin IBE scheme but not the Cocks IBE scheme.
Identity Based Public Verifiable Signcryption Scheme
2010
Signcryption as a cryptographic primitive that offers both confidentiality and authentication simultaneously. Generally, in signcryption schemes, the message is hidden and thus the validity of the signcryption can be verified only after the unsigncryption process. Thus, a third party will not be able to verify whether the signcryption is valid or not. Signcryption schemes that allow any one to verify the validity of signcryption without the knowledge of the message are called public verifiable signcryption schemes. Third party verifiable signcryption schemes allow the receiver of a signcryption, to convince a third party that the signcryption is valid, by providing some additional information along with the signcryption. This information can be anything other than the receiver’s private key and the verification may or may not require the exposure of the corresponding message. This paper shows the security weaknesses in two such existing schemes namely [14] and [4]. The scheme in [14] is Public Key Infrastructure (PKI) based scheme and the scheme in [4] is an identity based scheme. More specifically, [14] is based on elliptic curve digital signature algorithm (ECDSA). We also, provide a new identity based signcryption scheme that provides both public verifiability and third party verification. We formally prove the security of the newly proposed scheme in the random oracle model.
Multi-Designated Verifiers Signatures Revisited
2008
Multi-Designated Verifier Signatures (MDVS) are privacy-oriented signatures that can only be verified by a set of users specified by the signer. We propose two new generic constructions of MDVS from variants of existing cryptographic schemes, which are ring signature from anonymous subset and multi-chameleon hash. We first devise a single add-on protocol which enables many existing identity-based (ID-based) ring signature schemes to support anonymous subset, which gives us three ID-based MDVS schemes.
Identity-based universal designated verifier signatures
2005
The notion of Universal Designated Verifier Signatures (UDVS) was introduced in the seminal paper of Steinfeld et. al. in [6]. In this paper, we firstly propose a model of identity-based (ID-based) UDVS schemes. We note that there are two methods to achieve an ID-based UDVS scheme. We provide two constructions of ID-based UDVS schemes based on bilinear pairings that use the two methods that we have identified. We provide our security proof based on the random oracle model.
An Efficient Strong Designated Verifier Signature Scheme
Lecture Notes in Computer Science, 2004
This paper proposes a designated verifier signature scheme based on the Schnorr signature and the Zheng signcryption schemes. One of the advantages of the new scheme compared with all previously proposed schemes is that it achieves the "strong designated verifier" property without encrypting any part of the signatures. This is because the designated verifier's secret key is involved in the verification phase. Another advantage of the proposed scheme is the low communication and computational cost. Generating a signature requires only one modular exponentiation, while this amount is two for the verification. Also, a signature in our scheme is more than four times shorter than those of known designated verifier schemes.
Generic Constructions for Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures
IET Information Security, 2009
We give a generic construction for universal designated-verifier signature schemes from a large class, C, of signature schemes. The resulting schemes are efficient and have two important properties. Firstly, they are provably DV-unforgeable, non-transferable and also non-delegatable. Secondly, the signer and the designated verifier can independently choose their cryptographic settings. We also propose a generic construction for identity-based signature schemes from any signature scheme in C and prove that the construction is secure against adaptive chosen message and identity attacks. We discuss possible extensions of our constructions to hierarchical identity-based signatures, identity-based universal designated verifier signatures, and identitybased ring signatures from any signature in C.
Some Identity Based Strong Bi-Designated Verifier Signature Schemes
The problem of generalization of (single) designated verifier schemes to several designated verifiers was proposed by Desmedt in 2003. The paper proposes eight new Identity Based Strong Bi-Designated Verifier Signature Schemes in which the two designated verifiers may not know each other. The security and the computational efficiency of the schemes are also analyzed.
Separable and Anonymous Identity-Based Key Issuing
11th International Conference on Parallel and Distributed Systems (ICPADS'05)
In identity-based (ID-based) cryptosystems, a local registration authority (LRA) is responsible for authentication of users while the key generation center (KGC) is responsible for computing and sending the private keys to users and therefore, a secure channel is required. For privacy-oriented applications, it is important to keep in secret whether the private key corresponding to a certain identity has been requested. All of the existing ID-based key issuing schemes have not addressed this anonymity issue. Besides, the separation of duties for authentication and private key computation has not been discussed as well. In this paper, based on a signature scheme similar to a short blind signature, we propose a novel separable and anonymous ID-based key issuing scheme without secure channel. Our protocol supports the separation of duties between LRA and KGC. The private key computed by the KGC can be sent to the user in an encrypted form such that only the legitimate key requester authenticated by LRA can decrypt it, and any eavesdropper cannot know the identity corresponding to the secret key.
Designated verifier signature schemes: Attacks, new security notions and a new construction
Automata, Languages and Programming, 2005
We show that the signer can abuse the disavowal protocol in the Jakobsson-Sako-Impagliazzo designated-verifier signature scheme. In addition, we identify a new security property-non-delegatability-that is essential for designated-verifier signatures, and show that several previously proposed designated-verifier schemes are delegatable. We give a rigorous formalisation of the security for designated-verifier signature schemes, and propose a new and efficient designated-verifier signature scheme that is provably unforgeable under a tight reduction to the Decisional Diffie-Hellman problem in the nonprogrammable random oracle model, and non-delegatable under a loose reduction in the programmable random oracle model. As a direct corollary, we also get a new efficient conventional signature scheme that is provably unforgeable under a tight reduction to the Decisional Diffie-Hellman problem in the nonprogrammable random oracle plus common reference string model. Keywords. Designated verifier signature scheme, non-delegatability, nonprogrammable random oracle model, signature scheme.
Related papers
Identity-based universal designated multi-verifiers signature schemes
Computer Standards & Interfaces, 2008
An identity-based (ID-based) universal designated verifier signature (ID-UDVS) scheme allows a signature holder to designate a specific verifier of the signature by using a simplified public identity such as e-mail address. In the paper, we present an efficient identity-based universal designated multi-verifiers signature (ID-UDMVS) scheme by extending a single verifier to a set of multi-verifiers for verification of a signature. To achieve our goal, we construct an ID-based signature scheme providing batch verification and then, using this scheme as a building block, we firstly propose an ID-UDMVS scheme with constant signature size. Interestingly our construction method can be used as a generic method transforming an ID-UDVS scheme, which is defined in a bilinear version of the so-called ∑ protocol, to an ID-UDMVS scheme.
An efficient strong designated verifier proxy signature scheme for electronic commerce
Journal of Information Science and Engineering, 2012
A strong designated verifier signature (SDVS) scheme only allows the designated verifier to validate the signer's signature for ensuring the confidentiality. At the same time, the designated verifier can not transfer the signature to any third party, since he can also generate another computationally indistinguishable SDVS, which is referred to as non-transferability. A proxy signature scheme is a special type of digital signature scheme, which enables an authorized proxy signer to create a valid proxy signature on behalf of the original one. The resulted proxy signature is publicly verifiable by anyone. In this paper, we elaborate on the merits of SDVS schemes and proxy signature schemes to propose an efficient strong designated verifier proxy signature (SDVPS) scheme in which only the designated verifier can be convinced of the proxy signer's identity. The proposed scheme has crucial benefits in the organizational operation and the electronic commerce. Compared with related schemes, ours has not only shorter signature length, but also lower computational costs. Moreover, the security requirement of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) is proved in the random oracle model.
Non-delegatable Identity-based Designated Verifier Signature
2000
Designated verifier signature is a cryptographic primitive which allows a signer to convince a designated verifier of the validity of a statement but in the meanwhile prevents the verifier from transferring this conviction to any third party. In this work we present an identity-based designated verifier signature scheme that supports non-delegatability, and prove its security in the random oracle model,
A New Approach to Keep the Privacy Information of the Signer in a Digital Signature Scheme
Information
In modern applications, such as Electronic Voting, e-Health, e-Cash, there is a need that the validity of a signature should be verified by only one responsible person. This is opposite to the traditional digital signature scheme where anybody can verify a signature. There have been several solutions for this problem, the first one is we combine a signature scheme with an encryption scheme; the second one is to use the group signature; and the last one is to use the strong designated verifier signature scheme with the undeniable property. In this paper, we extend the traditional digital signature scheme to propose a new solution for the aforementioned problem. Our extension is in the sense that only a designated verifier (responsible person) can verify a signer’s signature, and if necessary (in case the signer refuses to admit his/her signature) the designated verifier without revealing his/her secret key is able to prove to anybody that the signer has actually generated the signatu...
Identity Based Strong Bi-Designated Verifier Proxy Signature Schemes
2005
Abstract: Proxy signature schemes allow delegation of signing rights. The paper proposes the notion of Identity Based Strong Bi-Designated Verifier Proxy Signature (IDSBDVPS) schemes. In such schemes, only the two designated verifiers can verify that the proxy ...
Construction of universal designated-verifier signatures and identity-based signatures from standard signatures
Information Security, IET, 2009
We give a generic construction for universal designated-verifier signature schemes from a large class, C, of signature schemes. The resulting schemes are efficient and have two important properties. Firstly, they are provably DV-unforgeable, non-transferable and also non-delegatable. Secondly, the signer and the designated verifier can independently choose their cryptographic settings. We also propose a generic construction for identity-based signature schemes from any signature scheme in C and prove that the construction is secure against adaptive chosen message and identity attacks. We discuss possible extensions of our constructions to hierarchical identity-based signatures, identity-based universal designated verifier signatures, and identitybased ring signatures from any signature in C.
A Secure Designated Signature Scheme
Annotation: This paper presents a threshold designated receiver signature scheme that includes certain characteristic in which the signature can be verified by the assistance of the signature recipient only. The aim of the proposed signature scheme is to protect the privacy of the signature recipient. However, in many applications of such signatures, the signed document holds data which is sensitive to the recipient personally and in these applications usually a signer is a single entity but if the document is on behalf of the company the document may need more than one signer. Therefore, the threshold technique is employed to answer this problem. In addition, we introduce its use to shared signature scheme by threshold verification. The resultant scheme is efficient and dynamic.
Hidden identity-based signatures
IET Information Security, 2009
This paper introduces Hidden Identity-based Signatures (Hidden-IBS), a type of digital signatures that provide mediated signer-anonymity on top of Shamir's Identity-based signatures. The motivation of our new signature primitive is to resolve an important issue with the kind of anonymity offered by "group signatures" where it is required that either the group membership list is public or that the opening authority is dependent on the group manager for its operation. Contrary to this, Hidden-IBS do not require the maintenance of a group membership list and they enable an opening authority that is totally independent of the group manager. As we argue this makes Hidden-IBS much more attractive than group signatures for a number of applications. In this paper, we provide a formal model of Hidden-IBS as well as two efficient constructions that realize the new primitive. Our elliptic curve construction that is based on the SDH/DLDH assumptions produces signatures that are merely half a Kbyte long and can be implemented very efficiently.
An identity-based ring signature scheme with enhanced privacy
… and Workshops, 2006, 2006
There are many applications in which it is necessary to transmit authenticatable messages while achieving certain privacy goals such as signer ambiguity. The emerging area of vehicular ad-hoc network is a good example application domain with this requirement. The ring signature technique that uses an ad-hoc group of signer identities is a widely used method for generating this type of privacy preserving digital signatures. The identity-based cryptographic techniques do not require certificates. The construction of ring signatures using identity-based cryptography allow for privacy preserving digital signatures to be created in application when certificates are not readily available or desirable such as in vehicle area networks. We propose a new designated verifier identitybased ring signature scheme that is secure against full key exposure attacks even for a small group size. This is a general purpose primitive that can be used in many application domains such as ubiquitous computing where signer ambiguity is required in small groups. We consider the usefulness of identity-based cryptographic primitives in vehicular adhoc networks and use a specific example application to illustrate the use of identity-based ring signatures as a tool to create privacy preserving authenticatable messages.
A Robust Identity-Based Signature Scheme that Avoids Key Escrow Problem
Proceedings of the 6th ETSI Annual Security Workshop, January 19 – 20, 2011, Sophia Antipolis, France. docbox.etsi.org, 2011
The notion of identity-based cryptography was put forth by Shamir to simplify the authentication of a public key by merely using an identity string as the public key. From the verifier’s or the encryptor’s point of view, only the identity of the other party is required. Hence, there is no necessity to ensure the validity of the public key. Due this nice property, a series of identity-based schemes have subsequently been proposed including identity-based signatures, identity-based encryption, and hierarchical identity-based cryptography. In these identity-based cryptosystems, there is a trusted party called the private key generator (PKG) who generates the secret key for each user identity. As the PKG generates and holds the secret key for all users, a complete trust must be placed on the PKG. However, this may not be a desirable approach in a real world scenario, where a malicious PKG can sell users’ keys, sign messages or decrypt ciphertexts on behalf of users without being confronted in a court of law. This is known as the key escrow problem. This problem seems to be inherent in identity-based cryptosystems. Some propositions have been made for employing multiple PKGs to solve this problem. The master secret key is jointly computed by a number of PKGs, such that no single PKG has the knowledge of it. However, this approach requires an extra infrastructure and communication cost between users and different PKGs. A user needs to run the key extraction protocol with different PKGs by proving his identity to them. Furthermore, maintaining multiple PKGs for a commercially used infrastructure is a daunting task. In this work, we introduce the concept of escrow-free identity-based signatures to reduce the trust in the PKG. In this model, each signer has his own public key and secret key. The PKG generates the identity-based secret key for the signer with respect to the user public key. Then the signer uses both secret keys to sign a message. Therefore, the signer is protected against a malicious PKG that may attempt to release a signature by itself on the behalf of the user. To verify the signature, it only requires the signer’s identity and the message. This is the main difference between the proposed protocol with existing certificate-based signatures (CBS), certificate-less signatures (CLS), self-certificated signatures (SCS). The verification protocols of these currently existing schemes require signer’s public key to be verified. The proposed protocol is therefore an identity-based signature (IBS) scheme and solves the key escrow problem. We also show that the proposed escrow-free IBS is more efficient than CBS, CLS and SCS since the user public key is not involved and is not sent to the verifier. """
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.