Computers and Mathematics with Applications 57 (2009) 1352–1364
Contents lists available at ScienceDirect
Computers and Mathematics with Applications journal homepage: www.elsevier.com/locate/camwa
Designated verifier proxy signature scheme without random oracles Yong Yu a,b,∗ , Chunxiang Xu a , Xiaosong Zhang a , Yongjian Liao a a
School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, 610054, PR China
b
State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing, 100080, PR China
article
info
Article history: Received 3 June 2008 Received in revised form 21 November 2008 Accepted 13 January 2009 Keywords: Cryptography Digital signature Proxy signature Bilinear pairings Provable security
a b s t r a c t In a designated verifier proxy signature scheme, one can delegate his or her signing capability to another user in such a way that the latter can sign messages on behalf of the former, but the validity of the resulting signatures can only be verified by the designated verifier. Several designated verifier proxy signature schemes have been proposed so far. However, most of the schemes were proven secure in the random oracle model, which has received a lot of criticism since the security proofs in the random oracle model are not sound with respect to the standard model. In this paper, we propose a new construction of designated verifier proxy signature whose security can be proven without using the random oracle model. Our scheme is inspired by Waters’ Identity-based encryption. The unforgeability of our scheme is based on the hardness of Gap Bilinear Diffie–Hellman problem. As far as we know, this is the first designated verifier proxy signature secure in the standard model. © 2009 Elsevier Ltd. All rights reserved.
1. Introduction The concept of proxy signature was first introduced by Mambo et al. [1] in 1996. In a proxy signature scheme, the original signer can delegate his or her signing capability to a proxy signer and then the proxy signer can create valid signatures on behalf of the original signer. When a verifier receives a proxy signature, he should not only verify the correctness by a given verification procedure, but also be convinced of the original signer’s agreement on the signed message. Proxy signature schemes have been suggested for use in a number of applications, including electronic commerce, e-cash and distributed shared object systems. According to the type of delegation, proxy signatures can be classified into three types: full delegation, partial delegation and delegation by warrant. Based on the knowledge of the proxy private key, proxy signatures can be classified into proxy-protected and proxy-unprotected. In a proxy-protected scheme, only the proxy signer can generate valid proxy signatures, while in a proxy-unprotected scheme, either the original signer or the proxy signer can produce proxy signatures since both of them have a knowledge on the proxy private key. In many applications, proxy-protected proxy signature schemes are required to avoid the potential dispute between the original signer and the proxy signer. Many new proxy signature schemes [2–10] have been proposed till now and moreover, combined with other signatures with particular properties, some new kinds of proxy signature have been proposed, such as proxy blind signature [11], proxy multi-signature [12], threshold proxy signature [13], proxy ring signature [14] and so on. Jakobsson, Sako and Impagliazzo [15] introduced a new primitive named designated verifier proofs in 1996. Such a proof enables a prover Alice to convince a designated verifier Bob that a statement is true, while Bob cannot use the proof to convince others of this fact, since Bob himself can simulate such a proof. Furthermore, Jakobsson et al. proposed a designated
∗ Corresponding author at: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, 610054, PR China. E-mail address:
[email protected] (Y. Yu). 0898-1221/$ – see front matter © 2009 Elsevier Ltd. All rights reserved. doi:10.1016/j.camwa.2009.01.032
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
1353
verifier signature scheme in the sense that only the designated verifier can be convinced that a signature is produced by the claimed signer. In this scheme, anyone can validate a signature, although he cannot determine whether this signature was produced by the signer or simulated by the designated verifier. Jakobsson et al. also discussed a stronger concept called strong designated verifier signature in the same paper. In 2004, Saeednia, Kremer and Markowitch [16] formally defined the notion of strong designated verifier signature and proposed a concrete scheme. In Saeednia et al.’s scheme, anyone, without the knowledge of the designated verifier’s secret key, can not check the validity of a signature. We refer the readers to [15–17] for more details about designated verifier signatures. Let us consider a scenario where the proxy signer wishes to protect his signing privilege from knowing by other parties. In other words, the proxy signer only wants to convince the designated receiver that he has signed the specific message. In 2003, Dai et al. [18] proposed such a scheme called designated verifier proxy signature, which provides authentication of a message without providing a non-repudiation property of traditional digital signature. A designated verifier proxy signature scheme can be used to convince the designated verifier and only the designated verifier whether a signature is valid or not. This is due to the fact that the designated verifier can always generate a valid signature intended for himself that is indistinguishable from an original signature. This kind of signature is useful in electronic commerce applications, such as the sale of digital products [19]. For instance, when a customer Cindy wants to buy a digital book from an Internet vender Bob, she needs a digital receipt from Bob to guarantee the quality, authenticity and legality of the book. This is reasonable since Cindy does not completely trust Bob and his goods. Moreover, Cindy would expect that the receipt is bounded with not only the identity of Bob but also that of the book producer, say Alice. With such a receipt, Cindy will be convinced that the digital book is produced by Alice and sold by Bob. At the same time, to prevent Cindy illegally distributes the digital book to others, Alice and Bob want the validity of Cindy’s receipt can only be verified by Cindy. Designated verifier proxy signature can be used as such a receipt. That is, Alice delegates her signing capability to Bob so that he can generate designated verifier proxy signatures for all customers as digital receipts. Unfortunately, Wang [19] pointed out there exists a forgery attack in Dai et al.’s scheme. Huang et al. [20] proposed a short designated verifier proxy signature from pairings to improve the communication efficiency. Lu et al. [21] proposed a designated verifier proxy signature scheme with message recovery in 2005 and a new designated verifier proxy signature scheme from bilinear pairings in 2006. Zhang and Mao [22] proposed a novel ID-based designated verifier signature scheme very recently. Provable security is very essential for designated verifier proxy signature schemes. However, to our knowledge, only Huang et al.’s scheme [20] and Lu et al.’s scheme [23] provide the security proof in the random oracle model proposed by Bellare and Rogaway [24]. Although the model is efficient and useful, it has received a lot of criticism that the proofs in the model are not perfect. They are simply a design validation methodology capable of spotting defective or erroneous designs when they fail. Therefore, to find a secure designated verifier proxy signature scheme secure in the standard model is an interesting research problem. Our contribution: Most existing proxy signature schemes were constructed as follows. The original signer Alice sends a warrant and the corresponding signature to the proxy signer Bob. Bob derives his proxy secret key using his secret key and the information sent by Alice. With this proxy secret key, Bob can generate proxy signatures on behalf of Alice by using a standard signature scheme. When a proxy signature is given, a verifier first recovers the proxy public key, and then validates its correctness by employing the corresponding standard signature verification procedure. However, as shown by many papers [19,3,6], this kind of method should be carefully used since some security drawbacks may exist. Those attacks mainly result from the fact that a valid proxy key pair can be forged by an adversary, including the original signer and the proxy signer. In this paper, we propose the first designated verifier proxy signature scheme whose security does not rely on the random oracles. By employing Waters’ hashing technique [25] carefully, we obtain a concrete secure designated verifier proxy signature scheme. As for the security, we classify the potential adversaries into three kinds according to their attack power, and prove that the proposed scheme is unforgeable against all kinds of adversaries in the standard model. Roadmap: The rest of this paper is organized as follows. Some preliminary works are given in Section 2. The formal models of designated verifier proxy signature scheme is described in Section 3. Our designated verifier proxy signature scheme without random oracles is presented in Section 4. We analyze the proposed scheme in Section 5. Finally, conclusions are given in Section 6. 2. Preliminaries In this section, we will review some fundamental backgrounds used in this paper, including bilinear pairings and complexity assumptions. 2.1. Bilinear pairings Let G and GT be two cyclic multiplicative groups of prime order p and g be a generator of G. The map e : G × G → GT is said to be an admissible bilinear pairing if the following conditions hold true. (1) e is bilinear, i.e. e(g a , g b ) = e(g , g )ab for all a, b ∈ Zp . (2) e is non-degenerate, i.e. e(g , g ) 6= 1GT . (3) e is efficiently computable.
1354
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
We refer the reader to [26] for more details on the construction of such pairings. 2.2. Complexity assumptions Definition 1 (Bilinear Diffie–Hellman (BDH) Problem in (G, GT )). Given (g , g a , g b , g c ∈ G) for some unknown a, b, c ∈ Zp , compute w = e(g , g )abc ∈ GT . Definition 2 (Decisional Bilinear Diffie–Hellman (DBDH) Problem in (G, GT )). Given (g , g a , g b , g c ∈ G) for some unknown a, b, c ∈ Zp and w ∈ GT , decide whether w = e(g , g )abc . A DBDH oracle ODBDH is that on input (g , g a , g b , g c ∈ G) and w ∈ GT , output 1 if w = e(g , g )abc and 0 otherwise. Definition 3 (Gap Bilinear Diffie–Hellman (GBDH) Problem in (G, GT )). Given (g , g a , g b , g c ∈ G) for some unknown a, b, c ∈ Zp , compute w = e(g , g )abc ∈ GT with the help of DBDH oracle ODBDH . The probability that a polynomial bounded algorithm A can solve the GBDH problem is defined as GBDH SuccA = Pr [e(g , g )abc ← A(G, GT , g , g a , g b , g c , ODBDH )].
Definition 4 (Gap Bilinear Diffie–Hellman (GBDH) Assumption in (G, GT )). Given (g , g a , g b , g c ∈ G) for some unknown GBDH a, b, c ∈ Zp , SuccA is negligible. 3. Formal models of designated verifier proxy signature In this section, we will describe the outline and the security requirements of designated verifier proxy signature schemes. 3.1. Outline of designated verifier proxy signature There exists three participants in a designated verifier proxy signature scheme, namely Alice, Bob and Cindy, who act as the original signer, the proxy signer and the designated verifier respectively. A designated verifier proxy signature scheme consists of the following algorithms.
• Setup: Given a security parameter k, this algorithm outputs the system parameters. • KeyGen: It takes as input the security parameter k and outputs the secret-public key pair (ski , pki ) for i ∈ {a, b, c } denotes Alice, Bob and Cindy.
• DelegationGen: Given the system’s parameter, the original signer’s private key and the warrant W to be signed, this algorithm outputs the delegation σW . • ProxySign: This algorithm takes as input the proxy signer’s private key skb , the delegation σW , the designated verifier’s public key pkc and a message m to generate a signature σ . • Verify: A deterministic algorithm that accepts a message m, the warrant W , a signature σ , the original signer and the proxy signer’s public key (pka , pkb ), the designated verifier’s private key skc and returns > if the signature is valid, otherwise returns ⊥ indicating the signature is invalid. • Transcript simulation: An algorithm that accepts a message m, a warrant W and the verifier’s private key skc to produce an identically distributed transcript σ ∗ that is indistinguishable from the original designated verifier proxy signature σ . 3.2. Security notions There are three types adversaries in the system. Type 1 adversary A1 only has the public keys of Alice and Bob. Type 2 adversary A2 has the public keys of Alice and Bob, he additionally has the secret key of the original signer Alice. Type 3 adversary A3 has the public keys of Alice and Bob, he additionally has the secret key of the proxy signer Bob. One can find that if a designated verifier proxy signature scheme is unforgeable against Type 2 and Type 3 adversary, it is also unforgeable against Type 1 adversary. In a warrant-based proxy signature scheme, the delegation is original signer’s standard signature on the warrant which contains proxy’s public key, a period of validity, the restrictions on the messages that the signer can sign and so on. Therefore, this kind of proxy signature can prevent the misuse of the delegation.
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
1355
3.3. Attack model
Existential unforgeability against adaptive A2 adversary The existential unforgeability of a designated verifier proxy signature scheme under a type 2 adversary requires that it is difficult for the original signer to generate a valid proxy signature of a message M ∗ under the warrant W ∗ that has not been signed by the proxy signer. It is defined using the following game between the challenger C and a type 2 adversary A2 .
• Setup: The challenger C runs the setup algorithm to obtain system’s parameters, runs KeyGen algorithm to obtain the secret-public key pairs (ska , pka ), (skb , pkb ), (skc , pkc ) of the original signer Alice, proxy signer Bob and the designated verifier Cindy, respectively. C then sends (pka , pkb , pkc , ska ) to the adversary A2 . • ProxySign queries: A2 can request a proxy signature on the message M under the warrant W with the original signer Alice, the proxy signer Bob and the designated verifier Cindy. In response, C outputs a signature σ and returns it to A2 . • Verify queries: A2 can request a signature verification on a pair (M , W , σ ) with the original signer Alice, the proxy signer Bob and the designated verifier Cindy. C outputs > if σ is a valid designated verifier proxy signature on M, or ⊥ otherwise. • Output: Finally, A2 outputs a new pair (M ∗ , W ∗ , σ ∗ ), such that (1) (M ∗ , W ∗ ) has never been queried during the ProxySign queries. (2) σ ∗ is a valid designated verifier proxy signature of message M ∗ under warrant W ∗ for the original signer Alice, proxy signer Bob and the designated verifier Cindy. The success probability of an adversary A2 wins the above game is defined as SuccA2 . We say that a type 2 adversary A2 can (t , qps , qv , ) break a designated verifier proxy signature scheme if A2 makes at most qps proxy signature queries, qv verification queries in time at most t and SuccA2 is at least . Existential unforgeability against adaptive A3 adversary Inspired by the work of [20], we provide a formal definition of existential unforgeability of a designated verifier proxy signature scheme against Type 3 adversary. It is defined using the following game between an adversary A3 and a challenger C.
• Setup: The challenger C runs the Setup algorithm to obtain system’s parameters, runs KeyGen algorithm to obtain the secret-public key pairs (ska , pka ), (skb , pkb ), (skc , pkc ) of the original signer Alice, proxy signer Bob and the designated verifier Cindy, respectively. C then sends (pka , pkb , pkc , skb ) to the adversary A3 . • Delegation queries: A3 can request the delegation on the warrant W . The challenger C runs the DelegationGen algorithm to obtain σW and returns it to A3 . • ProxySign queries: A3 can request a designated proxy signature on the pair (M , W ) with the original signer Alice, the proxy signer Bob and the designated verifier Cindy. In response, C outputs a signature σ and returns it to A3 . • Verify queries: A3 can request a signature verification query on a pair (M , W , σ ) with the original signer Alice, the proxy signer Bob and the designated verifier Cindy. C outputs > if σ is a valid designated verifier proxy signature on M, or ⊥ otherwise.
• Output: Finally, A3 outputs a new pair (M ∗ , W ∗ , σ ∗ ), such that
(1) W ∗ has not been requested as one of the delegation queries. (2) (M ∗ , W ∗ ) has not been requested as one of the proxy signature queries. (3) σ ∗ is a valid designated verifier proxy signature of the message M ∗ under the warrant W ∗ for the original signer Alice, the proxy signer Bob and the designated verifier Cindy.
The success probability of an adversary A3 wins the above game is defined as SuccA3 . We say that a type 3 adversary A3 can (t , qw , qps , qv , ) break a designated verifier proxy signature scheme if A3 makes at most qw delegation queries, qps proxy signature queries, qv verification queries in time at most t and SuccA3 is at least . 4. Designated verifier proxy signature scheme without random oracles In this section, we describe our designated verifier proxy signature scheme. As assumed earlier, there are three participants in the system, namely Alice, Bob and Cindy, who act as the original signer, the proxy signer and the designated verifier. In the following, all the messages to be signed will be represented as bit strings of length n. To construct a more flexible scheme which allows messages of arbitrary length, a collision resistant Hash function H : {0, 1}∗ → {0, 1}n should be employed. Our scheme consists of the following algorithms. Setup: The system parameters are as follows. Let (G, GT ) be bilinear groups where |G| = |GT | = p for some prime p, g is the E = (ui ), m E = (mi ) of length n, generator of G. e denotes an admissible pairing G × G → GT . Pick u0 , m0 ∈ G and vectors u E, m E ). whose entries are random elements from G. The public parameters are (G, GT , e, u0 , m0 , u Keygen: Alice picks randomly xa , ya ∈ Zp∗ and sets her secret key ska = (xa , ya ). Then she computes her public key pka = (pkax , pkay ) = (g xa , g ya ). Similarly, Bob’s secret key is skb = (xb , yb ) and the public key is pkb = (pkbx , pkby ) = (g xb , g yb ). Cindy’s secret key is skc = (xc , yc ) and her public key is pkc = (pkcx , pkcy ) = (g xc , g yc ).
1356
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
DelegationGen: Let W be an n-bit message called warrant to be signed by the original signer and Wi denotes the i-bit of W , and W ⊆ {1, 2, . . . , n} be the set of all i for which Wi = 1. The original signer picks a random ra ∈ Zp and computes the delegation σW = (σW1 , σW2 ) and sends it to the proxy signer Bob, where
!r a σW1 = g
xa ya
u
0
Y
σW2 = g ra .
,
ui
i∈W
ProxySign: Let M be an n-bit message to be signed by the proxy signer Bob and Mi denotes the i-bit of M, and M ⊆
{1, 2, . . . , n} be the set of all i for which Mi = 1, the proxy signature is generated as follows. First, the proxy signer Bob picks two random values ra0 , rb ∈ Zp . Then the proxy signature σ = (σ1 , σ2 , σ3 ) on M is constructed as: !r b !ra0 Y Y 0 0 x y , pkcx , mi ui g b b m σ1 = e σW1 u i∈M
i∈W r0
σ3 = g rb .
σ2 = σW2 g a ,
Verification: To check whether σ = (σ1 , σ2 , σ3 ) is a valid proxy signature on the message M under the warrant W , Cindy uses her secret key to verify whether the following equation holds.
!x c σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u xc
xc
0
Y
ui , σ2
!x c e m
0
i∈W
Y
mi , σ3
.
i∈M
If the equality holds, Cindy accepts the signature σ , otherwise rejects it. Transcript simulation Cindy can use her private key to compute a signature on an arbitrary message M ∗ with the warrant W ∗ . She picks two random value r1 , r2 ∈ Zp∗ and computes σ ∗ = (σ1∗ , σ2∗ , σ3∗ ) where σ2∗ = g r1 , σ3∗ = g r2 and
!x c σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u ∗
xc
xc
0
Y
ui , σ2
∗
!x c e m
i∈W ∗
0
Y
mi , σ3
.
∗
i∈M ∗
5. Analysis of the scheme In this section, we will firstly show the correctness of our scheme. Then we prove that our scheme is secure against all types of adversaries. 5.1. Correctness The correctness of the scheme can be directly verified by the following equations.
!ra0
σ1 = e σW1 u0
Y
m0
g xb yb
ui
!rb Y
i∈W
, pkcx
mi
i∈M
!rb =e g
xa ya
(u
0
Y
ra +ra0
ui )
g
0
xb yb
m
i∈W
Y
mi
! ,g
xc
i∈M
!xc = e(pkax , pkay ) e(pkbx , pkby ) e u xc
xc
0
Y i∈W
ui , σ2
!x c 0
e m
Y
mi , σ3
.
i∈M
5.2. Unforgeability Unforgeability against type 2 adversary Theorem 1. If there exists a type 2 adversary A2 who can (t , qps , qv , ) breaks our designated verifier proxy signature scheme, then there exists another algorithm B who can use A2 to solve an instance of the GBDH problem in (G, GT ) with probability GBDH SuccB ≥
8(n + 1)qps
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
1357
in time t 0 ≤ ((2n + 4)qps + nqv + 2)t1 + 5qv t2 + (3n + 7qps + qv + 5)T1 + 3qv T2 + (qps + 4qv )te where t1 , t2 are the time for a multiplication in G and GT respectively, T1 , T2 are the time for an exponentiation in G and GT respectively, and te is the time for a paring computation in (G, GT ). Proof. Assume that B receives a random GBDH problem instance (g , g a , g b , g c ) of a bilinear group (G, GT ) whose orders are both a prime number p, his goal is to output e(g , g )abc with the help of the DBDH oracle ODBDH . B will run A2 as a subroutine and act as A2 ’s challenger. B will response A2 ’s queries in the following way. Setup: B sets an integer l = 4qps and chooses an integer k, uniformly at random between 0 and n. B then chooses some random numbers (xa , ya , r0 , r1 , . . . , rn ) ∈ Zp . Additionally, B chooses a value x0 and a random n-vector, E x = (xi ) where E = (yi ) where y0 , yi ∈ Zp . These values are kept x0 , xi ∈ Zl . Finally, B picks randomly a value y0 and a random n-vector, y internal to B . Again, for a message M and a warrant W , we let M ⊆ {1, 2, . . . , n} and W ⊆ {1, 2, . . . , n} be the set of all i for which Mi = 1 and Wi = 1. For ease of analysis, we define three functions F (M ), J (M ) and K (M ) just as in Waters’ scheme [25]. (1) F (M ) = (p −P lk) + x0 + (2) J (M ) = y0 + i∈M yX i (3) K (M ) =
n
0, 1,
P
i∈M
xi
if x0 + x = 0 (mod l); i∈M i otherwise.
Then B sets the public keys of the users and common parameters as follows.
E = (u1 , u2 , . . . , un ). (1) B assigns u0 = g r0 , ui = g ri (i = 1, 2, . . . , n) and u (2) B assigns the public key of the original signer (pkax , pkay ) = (g xa , g ya ). (3) B assigns the public key of the proxy signer (pkbx , pkby ) = (g a , g b ) and designated verifier’s public key pkcx = g c where g a , g b , g c are the inputs of the GBDH problem. x p−kl+x0 y0 E = (m1 , m2 , . . . , mn ). (4) B assigns m0 = pkby g and mi = pkbyi g yi and sets m F (M )
Note that at this time, m0 i∈M mi = pkby g J (M ) . E, m0 , m E ) and (pkax , pkay , pkbx , pkby , pkcx , xa , ya ) to A2 . B returns (G, GT , e, p, g , u0 , u Proxy signature queries: Suppose A2 issues a designated verifier proxy signature query for an n-bit message M under the warrant W .
Q
• If K (M ) = 0, B terminates the simulation and reports failure. • If K (M ) 6= 0, which indicates that F (M ) 6= 0 (mod p), since we can assume p > nl for any reasonable values of p, n, l [25], B can construct a valid designated verifier proxy signature by picking r1 , r2 ∈ Zp randomly and computes σ = (σ1 , σ2 , σ3 ) where !r2 !r1 ! −J (M ) Y Y F (M ) xa ya 0 0 σ1 = e pkbx mi ui g m u , pkcx i∈M
σ2 = g r2 ,
σ3 =
i∈W
−1 F (M ) pkbx g r1
.
Correctness
σ1 = e
!r1
−J (M ) F (M ) pkbx
m
0
Y
!r2
mi
u
0
i∈M
=e
−J (M ) F (M ) pkbx
Y
!
ui
g
xa y a
g
xa ya
, pkcx
i∈W
!r 2
F (M ) pkby g J (M ) r1
(
)
u
0
Y
!
ui
, pkcx
i∈W
=e
(
pkaby
−a F (M ) pkby g J (M ) F (M )
)
(
!r2
F (M ) pkby g J (M ) r1
)
u
0
Y
ui
g
i∈W
=e
(
pkaby
!r 2
r − a F (M ) pkby g J (M ) 1 F (M )
)
0
u
Y
ui
! g
xa ya
, pkcx
i∈W F (M ) pkby g J (M ) rˆ g xa ya
=e g ( ab
)
!r 2 u
0
Y
ui
! , pkcx
i∈W
= e g ab u0
!rˆ
!r2 Y i∈W
ui
g xa ya
m0
Y i∈M
mi
, pkcx .
! xa ya
, pkcx
1358
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
Note that σ3 =
−1 F (M ) pkbx g r1
=g
r1 − F (aM )
= g rˆ .
Verify queries: Suppose A2 issues a verify query for the message/signature pair (M , W , σ1 , σ2 , σ3 ).
• If F (M ) = 0, B submits g , g a , g b , g c ,
σ1 P
r0 +
e(g c , g ya )xa e(g c , σ2 )
ri
i∈W
e(g c , σ3 )J (M )
to the DBDH oracle ODBDH . B outputs ‘‘Valid’’ if ODBDH returns 1. Otherwise, B outputs ‘‘Invalid’’. Correctness If (M , W , σ1 , σ2 , σ3 ) is a valid designated verifier proxy signature, then we have
!xc σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u xc
xc
0
Y
ui , σ2
!x c 0
e m
i∈W
= e(g , g ) e(g , g ) e g xa
ya c
a
b c
P
r0 +
ri
i∈W
, σ2 P
r0 +
= e(g , g )abc e(g c , g ya )xa e(g c , σ2 )
ri
mi , σ3
i∈M
c
i∈W
Y
e(g J (M ) , σ3 )c
e(g c , σ3 )J (M )
which indicates
g , g , g , g , a
b
σ1
c
e(
gc
,
)
g y a xa e
r0 +
( , σ2 ) gc
P
ri
i∈W
e(
gc
J (M )
, σ3 )
is a valid BDH tuple.
• If F (M ) 6= 0, B can compute a valid proxy signature on this message M under the same warrant W just as he responses to proxy signature queries. Let (M , W , σ10 , σ20 , σ30 ) be the signature computed by B . Then B submits P ! ri 0 r 0 + Y σ3 c σ1 i∈W 0 c σ2 mi , 0 , g , 0 e g , g, m σ3 σ1 σ2 i∈M to the DBDH oracle. B outputs ‘‘Valid’’ if ODBDH returns 1. Otherwise, B outputs ‘‘Invalid’’. Correctness If (M , W , σ1 , σ2 , σ3 ) is a valid designated verifier proxy signature, then we have
!x c σ1 = e(pkax , pkay )xc e(pkbx , pkby )xc e u0
Y
ui , σ2
!x c e m0
i∈W
Y
mi , σ3
.
i∈M
Similarly, since (M , W , σ10 , σ20 , σ30 ) is another valid proxy signature computed by B , then
!x c σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u 0
xc
xc
0
Y
ui , σ2 0
i∈W
We can obtain
x mi , σ3 ) c σ1 i∈W i∈M Q = 0Q σ10 e(u ui , σ20 ) e(m0 mi , σ30 )
e(u0
Q
ui , σ2 )
xc
e(m0
i∈W
Q
i∈M
!x c σ 3 = e g i∈W e m mi , 0 σ3 i∈M !c r0 + P ri Y σ3 i∈W c σ2 0 =e g , 0 e m mi , 0 . σ2 σ3 i∈M
r0 +
P
ri
σ2 , 0 σ2
xc
0
Y
Therefore, P !c ri 0 r 0 + Y σ1 σ3 i∈W c σ2 0 e g , =e m mi , 0 σ10 σ2 σ3 i∈M
!x c e m
0
Y i∈M
mi , σ3 0
.
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
1359
which indicates that P ! ri 0 r0 + σ3 c σ1 i∈W c σ2 g, m mi , 0 , g , 0 e g , σ3 σ1 σ2 i∈M 0
Y
is a valid BDH tuple. If B does not abort during the simulation, A2 will output a valid designated verifier proxy signature σ ∗ = (σ1∗ , σ2∗ , σ3∗ ) under the message M ∗ and warrant W ∗ with success probability . (1) If F (M ∗ ) 6= 0, B will abort. (2) Otherwise, F (M ∗ ) = 0, B computes and outputs
σ1∗ e(
gc
,
)
r0 +
( , σ2 )
g ya xa e
∗
gc
P i∈W ∗
ri
∗ e(g c , σ3∗ )J (M )
as the value of e(g , g )abc . This completes the description of the simulation. Now we have to assess B ’s probability of success. B will not abort if both the following conditions hold. A: B does not abort during the ProxySign queries. B: F (M ∗ ) = 0 (mod p). GBDH The success probability of B is SuccB = Pr[A ∧ B] .
Pr[A ∧ B] = Pr [A]Pr [B|A] = Pr
"q ps \
#
#
"
K (Mi ) 6= 0 Pr x +
xi = lk|A
i∈M ∗
i=1
=
X
1 − Pr
"q ps [
#! K (Mi ) = 0
#
" Pr x +
≥ 1−
#
"
qps
X
Pr x +
l
xi = lk|A
i∈M ∗
i =1
X
xi = lk|A
i∈M ∗
1
qps
1
qps
Pr[K [M ∗ ] = 0|A] n+1 l 1 qps Pr[K (M ∗ ) = 0] = Pr[A|K [M ∗ ] = 0] 1− n+1 l Pr(A) 1 qps ≥ 1− Pr[A|K [M ∗ ] = 0] (n + 1)l l
=
≥ = ≥ GBDH Therefore, SuccB ≥ (n+11)l (1 − GBDH SuccB ≥
8(n + 1)qps
n+1
1−
1−
1
(n + 1)l 1
qps 2
2qps
1− 1−
#! K (Mi ) = 0|K (M ) = 0 ∗
i=1
(n + 1)l
2qps l
1 − Pr
l
"q ps [
l l
.
) . We can optimize it by setting l = 4qps , then
.
Unforgeability against type 3 adversary Theorem 2. If there exists a type 3 adversary A3 who can (t , qw , qps , qv , ) breaks our designated verifier proxy signature scheme, then there exists another algorithm B who can use A3 to solve an instance of the GBDH problem in (G, GT ) with probability GBDH SuccB ≥
3(n + 1) (3(qw + qps ))qv +2 3
1360
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
in time t 0 ≤ ((n + 2)qw + (5n + 9)qps + (n + 3)qv )t1 + 3qv t2 + (4qw + 10qps + 4qv )T1 + 3qv T2 + (2qps + 6qv )te where t1 , t2 are the time for a multiplication in G and GT respectively, T1 , T2 are the time for an exponentiation in G and GT respectively, and te is the time for a paring computation in (G, GT ). Proof. Assume that B receives a random GBDH problem instance (g , g a , g b , g c ) of a bilinear group (G, GT ) whose orders are both a prime number p, his goal is to output e(g , g )abc with the help of the GBDH oracle ODBDH . B will run A3 as a subroutine and act as A3 ’s challenger. B will response A3 ’s queries as follows. Setup: B chooses two integers `a , `b , and other two integers, ka , kb , uniformly at random between 0 and n. Then it chooses two values x0a , x0b and two random n-vectors, xEa = (xai ), xEb = (xbi ) where x0a , xai ∈R Z`a , x0b , xbi ∈R Z`b . Additionally, B chooses two values y0a , y0b and two random n-vectors yEa = (yai ), yEb = (ybi ) where y0a , y0b , yai , ybi ∈R Zp . B keeps all the values secret. Again, for a message M and a warrant W , we let M ⊆ {1, 2, . . . , n} and W ⊆ {1, 2, . . . , n} be the set of all i for which Mi = 1 and Wi = 1. For ease of analysis, we define six functions Fa (W ), Fb (M ), Ja (W ), Jb (M ) and Ka (W ), Kb (M ) just as in [25,9]. (1) Fa (W ) = (p − `a ka ) + x0a + 0,
if x0a +
( Ka ( W ) =
i∈W
X
P xai , Ja (W ) = y0a + i∈W yai ,
xai ≡ 0 (mod `a )
i∈X
1,
otherwise
(2) Fb (M ) = (p − `b kb ) + x0b + 0,
P
i∈M
if x0b +
( Kb ( M ) =
P
X
P xbi , Jb (M ) = y0b + i∈M ybi ,
xbi ≡ 0 (mod `b )
i∈X
1,
otherwise.
Then B sets the public keys of the users and common parameters as follows. (1) B assigns the public keys of the original signer and designated verifier as pkax = g a ,
pkay = g b ,
pkcx = g c
where g a , g b , g c are the input of the Gap Diffie–Hellman problem. (2) B chooses two random numbers xb , yb ∈ Zp∗ and sets the proxy signer’s public key as pkbx = g xb ,
pkby = g yb . p−ka `a +x0a
(3) B assigns u0 = pkay (4) B assigns, m0 =
0
x
E = ( u1 , u2 , . . . , un ) g ya , ui = pkayai g yai , u
p−kb `b +x0b y0 pkay g b
x
E = (m1 , m2 , . . . , mn ). , mi = pkbybi g ybi , m
E , u0 , m E , m0 ) and (pkax , pkay , pkbx , pkby , pkcx , xb , yb ) to A3 . B returns (G1 , GT , e, p, g , u Note that, at this time, u0
Y
Fa (W ) Ja (W ) ui = pkay g ,
Y
m0
i∈W
mi = pkFayb (M ) g Jb (M ) .
i∈M
Delegation queries: Suppose A3 issues a delegation query for an n-bit warrant W . (1) If Ka (W ) = 0, B terminates the simulation and reports failure. (2) If Ka (W ) 6= 0, which implies Fa (W ) 6= 0 (mod p) [25], B can construct the delegation of this warrant by choosing a random ra ∈ Zp and computing:
σW = (σW1 , σW2 ) =
!ra
−Ja (W ) F (W ) pkaxa
u
0
Y
−1 Fa (W )
, pkax
ui
i∈W
Correctness
σW1 =
−Ja (W ) F (W ) pkaxa −Ja (W )
!ra u
0
Y
ui
i∈W
= pkaxFa (W ) (pkFaya (W ) g Ja (W ) )ra −a
= pkaay (pkFaya (W ) g Ja (W ) ) Fa (W ) (pkFaya (W ) g Ja (W ) )ra r − F (aW ) a
= pkaay (pkFaya (W ) g Ja (W ) ) a
!rˆa =
pkaay
pkFaya (W ) g Ja (W ) rˆa
(
) =
pkaay
u
0
Y i∈M
ui
! g
ra
.
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
σW2 =
−1 F (W ) pkaxa g ra
−a
= g Fa (W ) g ra = g
ra − F (aW ) a
1361
= g rˆa .
ProxySign queries: Suppose A3 issues a designated verifier proxy signature query for an n-bit message M under the warrant W. (1) If Ka (W ) = 0, Kb (M ) = 0, B terminates the simulation and reports failure. (2) If Ka (W ) = 0, Kb (M ) 6= 0, B can construct a proxy signature by choosing randomly ra , rb ∈ Zp and computing σ = (σ1 , σ2 , σ3 ), where
σ1 = e
!ra
−Jb (M ) F (M ) pkaxb
u
Y
0
ui
!rb g
v
xb yb
Y
0
i∈W
vi
, pkcx
i∈M
−1 F (M )
σ2 = g ra ,
!
σ3 = pkaxb
g rb .
Correctness
!ra
−Jb (M ) F (M ) pkaxb
σ1 = e
u
0
Y
ui
!r b g
v
xb y b
0
!
vi
, pkcx
i∈M
i∈W
!ra
−Jb (M ) F (M ) pkaxb
=e
Y
u
0
Y
ui
! g
pkFayb (M ) g Jb (M ) rb
xb y b
(
(u
Y
) , pkcx
i∈W
pkaay
=e
−a pkFayb (M ) g Jb (M ) Fb (M )
(
)
! 0
ui ) g ra
xb yb
(
pkFayb (M ) g Jb (M ) rb
) , pkcx
i∈W
!ra = e pkaay u0
Y
rb − F (aM ) b g xb yb pkFayb (M ) g Jb (M )
(
ui
)
! , pkcx
i∈W
!rb −
!ra = e(g
ab
u
0
Y
ui
g
xb yb
v
0
i∈W
Y
vi
!rˆb skax skay
(u
, pkcx )
i∈M
= e g
a Fb (M )
0
Y
ui ) g ra
xb yb
v
i∈W −1 F (M )
and σ2 = g ra , σ3 = pkaxb
0
Y
vi
, pkcx .
i∈M rb − F (aM ) b
= g rˆb . Therefore !x c !x c Y Y xc xc 0 0 σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u ui , σ2 vi , σ3 e v . g rb = g
i∈W
i∈M
(3) If Ka (W ) 6= 0, B can compute the delegation of the warrant W as he does in response to the delegation queries. Since B knows the secret key xb , yb of the proxy signer, B can run the ProxySign algorithm to compute the proxy signature and return it to A3 . Verify queries: Suppose A3 issues a verify query for the message/signature pair σ = (M , W , σ1 , σ2 , σ3 ). (1) If Fa (W ) 6= 0 and Fb (M ) 6= 0, B terminates the simulation. (2) If Fa (W ) = 0, Fb (M ) = 0, B submits
g , g a, g b, g c ,
σ1 e(g c , g yb )xb e(g c , σ2 )Ja (W ) e(g c , σ3 )Jb (M )
to the DBDH oracle ODBDH . B outputs ‘‘Valid’’ if ODBDH returns 1. Otherwise, B outputs ‘‘Invalid’’. Correctness If (M , W , σ1 , σ2 , σ3 ) is a valid designated verifier proxy signature and Fa (W ) = 0, Fb (M ) = 0, we have
!xc σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u xc
xc
0
Y
ui , σ2
!x c 0
e m
i∈W
= e(g a , g b )c e(g xb , g yb )c e(g Ja (W ) , σ2 )c e(g Jb (M ) , σ3 )c
Y i∈M
mi , σ3
1362
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
which indicates that
g , g a, g b, g c ,
σ1 c y x c b b e(g , g ) e(g , σ2 )Ja (W ) e(g c , σ3 )Jb (M )
is a valid BDH tuple. (3) If Fa (W ) = 0, Fb (M ) 6= 0, B can compute a valid proxy signature on this message M under the same warrant W just as the second case that he responses to proxy signature queries. Let (M , W , σ10 , σ20 , σ30 ) be the signature computed by B . B submits b Fb (M ) Jb (M )
(g )
g
! 0 Ja (W ) σ3 c σ1 c σ2 e g , , 0,g , σ3 σ10 σ2
to the DBDH oracle ODBDH . B outputs ‘‘Valid’’ if ODBDH returns 1. Otherwise, B outputs ‘‘Invalid’’. Correctness If (M , W , σ1 , σ2 , σ3 ) is a valid designated verifier proxy signature, then
!x c σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u xc
xc
0
Y
ui , σ2
!xc e m
0
i∈W
Y
mi , σ3
.
i∈M
Similarly, since (M , W , σ10 , σ20 , σ30 ) is another valid proxy signature computed by B , then
!x c σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u 0
xc
xc
0
Y
ui , σ2 0
!xc e m
0
i∈W
Y
mi , σ3
.
0
i∈M
We can obtain
!x c !x c Y Y σ1 σ2 σ3 0 0 ui , 0 mi , 0 =e u e m σ10 σ2 σ3 i∈W i∈M xc σ3 xc σ2 e pkFayb (M ) g Jb (M ) , 0 = e g Ja (W ) , 0 σ2 σ3 Ja (W ) c b Fb (M ) Jb (M ) σ3 c σ2 e (g ) g , 0 =e g , 0 σ2 σ3 which indicates that b Fb (M ) Jb (M )
(g )
g
! 0 Ja (W ) σ3 c σ1 c σ2 e g , , 0,g , σ3 σ10 σ2
is a valid BDH tuple. (4) If Fb (M ) = 0, Fa (W ) 6= 0, B can compute a valid proxy signature on this message M under the same warrant W just as the third case that he responses to a proxy signature query. Let (M , W , σ10 , σ20 , σ30 ) be the signature computed by B . B submits b Fa (W ) Ja (W )
(g )
g
! 0 Jb (M ) σ2 c σ1 c σ3 , 0,g , e g , σ2 σ10 σ3
to the DBDH oracle ODBDH . B outputs ‘‘Valid’’ if ODBDH returns 1. Otherwise, B outputs ‘‘Invalid’’. Correctness If (M , W , σ1 , σ2 , σ3 ) is a valid designated verifier proxy signature, then
!x c σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u xc
xc
0
Y
ui , σ2
!xc e m
0
i∈W
Y
mi , σ3
.
i∈M
Similarly, since (M , W , σ10 , σ20 , σ30 ) is another valid proxy signature computed by B , then
!x c σ1 = e(pkax , pkay ) e(pkbx , pkby ) e u 0
xc
xc
0
Y
ui , σ2
i∈W
!x c
σ3 e m mi , 0 σ3 i∈M 0
Y
!xc e m
0
Y i∈M
We can obtain
Y σ1 σ2 0 ui , 0 0 = e u σ1 σ 2 i∈W
0
!x c
mi , σ3 0
.
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
σ2 σ20
Fa (W ) Ja (W ) = e pkay g ,
b Fa (W ) Ja (W )
= e (g )
g
xc
e g Jb (M ) ,
σ2 , 0 σ2
c
e gc,
σ3 σ30
1363
σ3 σ30 Jb (M ) xc
which indicates that b Fa (W ) Ja (W )
(g )
g
! 0 Jb (M ) σ2 c σ1 c σ3 e g , , 0,g , σ2 σ10 σ3
is a valid BDH tuple. If B does not abort during the simulation, A3 will output a valid designated verifier proxy signature σ ∗ = (σ1∗ , σ2∗ , σ3∗ ) of the message M ∗ under the warrant W ∗ with success probability . (1) If Fa (W ∗ ) 6= 0, Fb (M ∗ ) 6= 0, B will abort. (2) Otherwise, Fa (W ∗ ) = 0, Fb (M ∗ ) = 0, B computes and outputs
σ1∗ ∗ ∗ e(g c , g yb )xb e(g c , σ2∗ )Ja (W ) e(g c , σ3∗ )Jb (M ) as the value of e(g , g )abc . This completes the description of the simulation. Now we have to assess B ’s probability of success. B will not abort if the following conditions hold. A: Ka (W ) 6= 0 (mod `a ) during Delegation queries B: Ka (W ) 6= 0 (mod `a ) or Kb (M ) 6= 0 (mod `b ) during ProxySign queries C: Fa (W ) = 0 (mod p) or Fb (M ) = 0 (mod p) during Verify queries D: Fa (W ∗ ) = 0 (mod p) and Fb (M ∗ ) = 0 (mod p) in output phase. GBDH The success probability is SuccB = Pr[A ∧ B ∧ C ∧ D]ε . Now we compute this probability using Waters’ technique [25].
Pr[A ∧ B ∧ C ∧ D] = Pr
" qw \
Ka (Wi ) 6= 0
i=1 qv
\
Fa (Wi ) = 0 (mod p)
qps \
Ka (Wi ) 6= 0
[
Kb (Mi ) 6= 0
i=1
[
Fb (M ) = 0 (mod p)
\
Fa (W ) = 0 (mod p) ∗
\
Fb (M ) = 0 (mod p) ∗
#
i=1
"q
w +qps
\
≥ Pr
qv \
Ka (Wi ) 6= 0
i =1
"q = Pr
Fa (Wi ) = 0 (mod p)
# Ka (Wi ) 6= 0 Pr
" qv \
i=1
\
Fa (W ) = 0 (mod p) ∗
\
Fb (M ) = 0 (mod p) ∗
i=1
w +qps
\
# \
Fa (Wi ) = 0 (mod p)
\
Fa (W ∗ ) = 0 (mod p)
i =1
#
qw +qps
Fb (M ) = 0 (mod p)| ∗
\
Ka (Wi ) 6= 0
i =1
≥
=
1
(n + 1)3
1−
1
(n + 1)3
1−
qw + qps
Pr
`a
" qv \
Ka (Wi ) = 0
\
Ka ( W ) = 0 ∗
\
qw +qps
Kb (M ) = 0| ∗
i=1
qw + qps
Pr[
qv T
i=1
Ka (Wi ) = 0
T
Ka (W ∗ ) = 0
T
Kb (M ∗ ) = 0]
i=1
`a
qw +qps
Pr[
T
Ka (Wi ) 6= 0]
i=1
"q
w +qps
Pr
\
Ka (Wi ) 6= 0|
qv \
i =1
≥
1
(n + 1)3 `qav +1 `b
# Ka (Wi ) = 0
i=1
1−
qw + qps
`a
\
\
Ka (W ) = 0 ∗
\
Kb (M ) = 0 ∗
# Ka (Wi ) 6= 0
1364
Y. Yu et al. / Computers and Mathematics with Applications 57 (2009) 1352–1364
"q ×
1 − Pr
w +qps
[
Ka (Wi ) 6= 0|
i=1
≥ ≥
1−
(n + 1)3 `aqv +1 `b
1
1−
(n + 1)3 `aqv +1 `b
GBDH Therefore, SuccB ≥
then GBDH SuccB ≥
#! Ka (Wi ) = 0
\
Ka ( W ) = 0 ∗
\
Kb (M ) = 0 ∗
i=1
1
qv \
qw + qps
2
`a 2(qw + qps )
`a
.
(1− 2(qW`+a qPS ) ). We can get a simplified result by reasonably setting `a q +1 (n+1)3 `av `b
3(n + 1) (3(qw + qps ))qv +2 3
= `b = 3(qw +qps ),
.
6. Conclusion We have proposed a new designated verifier proxy scheme and have proven that the scheme is secure without random oracles. To the best of our knowledge, this is the first designated verifier proxy signature scheme that can be proven secure in the standard model. The security of our scheme relies on the hardness of Gap Bilinear Diffie–Hellman problem. Acknowledgements The authors would like to thank the anonymous reviewers for their valuable comments of the manuscript. This work was supported by the National Natural Science Foundation of China under Grants 60773175, 60803133, 60873233, 60873268, the open fund of the state key lab of information security and Youth Science and Technology Foundation of UESTC. References [1] M. Mambo, K. Usuda, E. Okamoto, Proxy signature: Delegation of the power to sign messages, IEICE Transactions on Fundamentals, E79-A 9 (1996) 1338–1353. [2] A. Boldyreva, A. Palacio, B. Warinschi, Secure proxy signature scheme for delegation of signing rights, 2003. IACR ePrint Archive, available at http://eprint.iacr.org/2003/096. [3] J.Y. Lee, J.H. Cheon, S. Kim, An analysis of proxy signatures: Is a secure channel necessary? in: CT-RSA 2003, in: LNCS, vol. 2612, Springer-Verlag, Berlin, 2003, pp. 68–79. [4] B. Lee, H. Kim, K. Kim, Secure mobile agent using strong nondesignated proxy signature, in: ACISP01, in: LNCS, vol. 2119, Springer-Verlag, Berlin, 2001, pp. 474–486. [5] S. Kim, S. Park, D. Won, Proxy signatures, revisited, in: ICICS97, in: LNCS, vol. 1334, Springer-Verlag, Berlin, 1997, pp. 223–232. [6] G. Wang, F. Bao, J. Zhou, Robert H. Deng, Security analysis of some proxy signatures, in: ICICS 2003, in: LNCS, vol. 2971, Springer-Verlag, Berlin, 2003, pp. 305–319. [7] T. Okamoto, M. Tada, E. Okamoto, Extended proxy signatures for smart cards, in: ISW 99, in: LNCS, vol. 1729, Springer-Verlag, Berlin, 1999, pp. 247–258. [8] X. Huang, Y. Mu, W. Susilo, F. Zhang, X. Chen, A short proxy signature scheme: Efficient authentication in the ubiquitous world, in: UISW2005, in: LNCS, vol. 3823, Springer-Verlag, Berlin, 2005, pp. 480–489. [9] X. Huang, Y. Mu, W. Susilo, W. Wu, Proxy signature without random oracles, in: MSN 2006, in: LNCS, vol. 4325, Springer-Verlag, Berlin, 2006, pp. 473–484. [10] F. Cao, Z. Cao, Secure proxy signature in the standard model, Computer Standards & Interfaces (2008) doi:10.1016/j.csi.2008.01.001. [11] W. Lin, J. Jan, A secure personal learning tools using a proxy blind signature scheme, in: Proc. of International Conference on Chinese Language Computing, Illinois, USA, 2000, pp. 273–277. [12] L. Yi, G. Bai, G. Xiao, Proxy multi-signature scheme: A new type of proxy signature scheme, Electronic Letters 36 (6) (2000) 527–528. [13] K. Zhang, Threshold proxy signature scheme, in: Proceedings of 1997 Information Security Workshop, 1997, pp. 191–197. [14] F. Zhang, R.S. Naini, C. Lin, Some new proxy signature schemes from bilinear pairings, in: Progress on Cryptography: 25 Years of Cryptography in China, in: Kluwer International Series in Engineering and Computer Science, vol. 769, 2004, pp. 59–66. [15] M. Jakobsson, K. Sako, R. Impagliazzo, Designated verifier proofs and their applications, in: Eurocrypt’96, in: LNCS, vol. 1070, 1996, pp. 143–154. [16] S. Saeednia, S. Kremer, O. Markowitch, An efficient strong designated verifier signature scheme, in: ICISC 2003, in: LNCS, vol. 2971, 2004, pp. 40–54. [17] X. Huang, W. Susilo, Y. Mu, F. Zhang, Short (identity-based) strong designated verifier signature schemes, in: ISPEC 2006, in: LNCS, vol. 3903, 2006, pp. 214–225. [18] J.Z. Dai, X.H. Yang, J.X. Dong, Designated-receiver proxy signature scheme for electronic commerce, in: Proc. of IEEE International Conference on Systems, Man and Cybernetics, vol. 1, IEEE Press, 2003, pp. 384–389. [19] G. Wang, Designated-receiver proxy signatures for e-commerce, in: Proc. of ICME 2004, IEEE Press, 2004, pp. 1731–1734. [20] X. Huang, Y. Mu, W. Susilo, F. Zhang, Short designated verifier proxy signature from pairings, in: EUC Workshops 2005, in: LNCS, vol. 3823, 2005, pp. 835–844. [21] R.X. Lu, Z.F. Cao, Designated verifier proxy signature scheme with message recovery, Applied Mathematics and Computation 169 (2) (2005) 1237–1246. [22] J. Zhang, J. Mao, A novel ID-based designated verifier signature scheme, Information Sciences 178 (3) (2008) 766–773. [23] R.X. Lu, Z.F. Cao, X.L. Dong, Designated verifier proxy signature scheme from bilinear pairings, in: Proc of the First International Multi-Symposiums on Computer and Computational Sciences 2006, IEEE Press, 2006, pp. 40–47. [24] M. Bellare, P. Rogaway, The exact security of digital signatures - how to sign with RSA and Rabin, in: Eurocrypt’96, in: LNCS, vol. 950, Springer-Verlag, Berlin, 1996, pp. 399–416. [25] B. Waters, Efficient identity based encryption without random oracles, in: Eurocrypt 2005, in: LNCS, vol. 3494, Springer-Verlag, Berlin, 2005, pp. 114–127. [26] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairings, in: Advances in Cryptology–Crypto, in: LNCS, vol. 3494, Springer-Verlag, Berlin, 2001, pp. 213–229.