Hindawi Security and Communication Networks Volume 2017, Article ID 7921782, 9 pages https://doi.org/10.1155/2017/7921782
Research Article Strong Designated Verifier Signature Schemes with Undeniable Property and Their Applications Xiaoming Hu,1 Wenan Tan,1 Huajie Xu,2 Jian Wang,1 and Chuang Ma1 1
College of Computer and Information Engineering, Shanghai Polytechnic University, Shanghai 201209, China School of Computer and Electronic Information, Guangxi University, Nanning 530004, China
2
Correspondence should be addressed to Xiaoming Hu;
[email protected] Received 1 August 2016; Revised 21 November 2016; Accepted 22 December 2016; Published 24 January 2017 Academic Editor: Muhammad Khurram Khan Copyright Β© 2017 Xiaoming Hu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Most of the strong designated verifier signature (SDVS) schemes cannot tell the real signature generator when the signer and the designated verifier dispute on a signature. In other words, most of the SDVS schemes do not have the undeniability property. In this paper, we propose two SDVS schemes which hold the undeniability property, namely, strong designated verifier signature with undeniability property (SDVSUP). Our two schemes are called SDVSUP-1 and SDVSUP-2. In our two SDVSUP schemes, the signer not only can designate a verifier but also can designate an arbiter who can judge the signature when the signer and the designated verifier dispute on the signature. What is more, the judgment procedure can be performed by the arbiter alone without help from the signer or the designated verifier, which increases the judgment efficiency and reduces the complexity of signature confirmation. We also demonstrate a real instance of applying our SDVSUP scheme to electronic bidding system.
1. Introduction In traditional digital signature (TDS), anyone who knows the public key of the signer can verify the validity of a signature. However, the public verification of TDS is not a desirable property in some applications. For example, the owner of some privacy information such as a health report from hospital or a bill from company and so on wishes that the signature on these privacy information can only be verified by himself. There are some solutions to this problem. One of them is to use the undeniable signature which was proposed first by Chaum and Antwerpen [1, 2]. In undeniable signature (US) [3β7], the signature verification needs the help from the signer. In other words, the validity verification of a signature is an interactive proof between the signer and the verifier which leads to the inefficiency and infeasibility if the signer rejects to cooperate. Another solution is to use the designated verifier signature (DVS) which was proposed first by Jakobsson et al. [8]. In DVS, the signer can designate a person as the signature verifier called designated verifier who can convince the signature to be generated by the signer. But the designated verifier cannot transfer the conviction to any third party
since the designated verifier can generate a indistinguishable signature with the signer. This is called nontransferability. Therefore, though a signature is publicly verifiable in DVS but no one can tell that the signature is generated by the signer or the designated verifier. Jakobsson et al. also proposed a variant of DVS called strong designated verifier signature (SDVS) [8]. In SDVS, the signature verification needs the private key of the designated verifier. Thus, no one other than the signer and the designated verifier can verify the validity of signature which further protects the privacy information of the signer. However, if the signer and the designated verifier dispute on a signature, no one can tell the real generator of the signature either the signer or the designated verifier. Yang et al. [9, 10] gave an instance on this situation. In an electronic bidding system, some companies use SDVS to submit their prices to the institution for a project. Using the SDVS, the institution can confirm the submission but cannot transfer the submission to other companies for lower price since the institution also can generate an indistinguishable submission with the company. But if the winning company denies the submission due to some reasons, such as economic crisis,
2 bankrupt, and even malicious competition. The institution can do nothing on it. This is undesirable to the institution. However, in almost all SDVS schemes [11β17] proposed till now this problem exists. Namely, these SDVS schemes have no undeniability property. Without undeniability property, SDVS is like more a message authentication code rather than a digital signature [9, 10]. 1.1. Related Work. Jakobsson et al. first proposed the concept of DVS and presented a DVS scheme which was based on trapdoor commitments [8]. In Jakobsson et al.βs DVS scheme, a signature generated by the signer with the form of π = ππ₯π while π was a random element in the signature generated by the designated verifier. Therefore, with the help from the signer, a person could distinguish the signature by an interactive proof between the signer and this person. So, Jakobsson et al.βs DVS scheme held the undeniability property. However, Jakobsson et al. did not explain the property explicitly and consider it as a necessary property. What is more, Lipmaa et al. [18] showed that Jakobsson et al.βs DVS scheme was not undeniable since the signer could construct a valid signature where π was a random element which made the third party confirm the signature from the designated verifier. Lipmaa et al. also proposed a DVS scheme based on Decisional Diffie-Hellman problem. However, their DVS scheme yet did not have the undeniability property. In order to protect the identity of the signer further, Jakobsson et al.βs [8] extended DVS to present the concept of SDVS. In Jakobsson et al.βs SDVS scheme, the designated verifier must use the private key of himself to verify the validity of the signature. From then, many SDVS were proposed [15, 19β21]. Some other variants of DVS included universal designated verifier signature (UDVS) [7, 22, 23], in which the owner of the standard signature could designate any third party as the designated verifier, identitybased designated verifier signature (IBDVS) [13, 16, 24], in which the private keys of the signer and the designated verifier were generated by the Key Generator Center (KGC), and so on. In 2012, Yang et al. [9, 10] proposed an SDVS scheme with the undeniability property based on Chameleon hash function [25]. In their SDVS scheme, when the signer and the designated verifier disputed on a signature, the signer confirmed a signature (π, π , π, β) if the following two situations held: (1) the signer could find Μπ to hold π = π»(Μπ), where π was one component of the signature and Μπ was the preimage of π and was stored by the signer in advance; (2) the signer could find an original signature (πσΈ , π σΈ , πσΈ , βσΈ ) of (π, π , π, β) where πσΈ =ΜΈ π, π σΈ =ΜΈ π , πσΈ = π, βσΈ = β, and (πσΈ , π σΈ , πσΈ , βσΈ ) was stored by the signer in advance. Thus, the signer needed to store all original signature data in order to confirm the signature later which added a large storage cost. What is more, anyone could distinguish a signature by the above similar method as the signer, that is, collecting and storing all signature data. And the confirmation procedure of signature was performed only by the signer alone. It was unfair to the designated verifier. What is more, if the signer did not want to cooperate for some reasons, the confirmation procedure could not continue and was forced to stop.
Security and Communication Networks 1.2. Our Work. To our knowledge, Jakobsson et al.βs SDVS scheme [8] and Yang et al.βs SDVS scheme [9, 10] are only two SDVS schemes with undeniability property. However, in the two SDVS schemes, it needs a complex judgment procedure when the signer and the designated verifier dispute on a signature. What is more, the judgment needs the help from the signer. In other words, the judgment is an interactive procedure between the signer and the judger. If the signer rejects to cooperate, the judgment procedure cannot be continued and must be stopped. In our work, we propose two SDVS schemes which can solve the above problem. In other words, in our SDVS schemes, the judger or the arbiter can alone complete the judgment: who generates the signature? Either the signer or the designated verifier does. We also make a comparison between our schemes and other similar schemes in terms of computational cost, signature size, and other aspects. At the same time, we present one application instance of our schemes in the electronic bidding system. The remainder of this paper is organized as follows. In Section 2, some preliminaries are given including Computational Diffie-Hellman problem and assumption, the concept of SDVS, and the security properties of SDVS. In Section 3, two SDVSUP schemes are proposed. The security analysis of two SDVSUP schemes and the comparison are presented. Section 4 concludes this paper.
2. Preliminaries 2.1. Computational Diffie-Hellman (CDH) Problem and CDH Assumption. Let π and π be two large primes which hold π = 2π + 1. Let ππ be a subgroup of ππβ with the prime order π and
a generator π. Given (π, ππ , ππ ) where π and π belong to ππβ are two unknown elements, the CDH problem is to compute πππ . The CDH assumption (π‘, π) holds in ππβ if there is not any algorithm π΄ which can solve the CDH problem with running time at most π‘ and the probability at least π.
2.2. Strong Designated Verifier Signature. A strong designated verifier signature (SDVS) consists of four algorithms, including System Setup, Key Generate, Signature Generate, and Signature Verify. System Setup (SetSDV). Inputting 1π where π is a security parameter, the SetSDV algorithm outputs the system parameter ππππππ and publishes ππππππ publicly. Key Generate (KeySDV). Inputting the system parameter ππππππ , the KeySDV algorithm outputs the public and private key pair (ππ , π‘π ) of the signer π, the one (πV , π‘V ) of the designated verifier π, and the one (ππ , π‘π ) of the arbiter π΄. Signature Generate (SigSDV). Inputting ππππππ , the public keys of π, π, and π΄, the private key π‘π of π, and a message π, the SigSDV algorithm outputs a signature π on π. Signature Verify (VerSDV). Inputting ππππππ , the public keys of π, π, and π΄, the private key π‘V of π, and a signature π on a
Security and Communication Networks message π, the VerSDV algorithm outputs βAcceptβ if π is a valid signature or βReject.β If one can verify a signature without the private key π‘V of π, then it is called designated verifier signature (DVS) not strong DVS. Namely, inputting ππππππ , the public keys of π, π, and π΄ and a signature π on a message π, the VerSDV algorithm outputs βAcceptβ if π is a valid signature or βReject.β A secure strong designated verifier signature with undeniable property (SDVSUP) should hold unforgeability, computationally nontransferability, and undeniability. 2.3. Unforgeability. The unforgeability of an SDVSUP scheme is defined by the following game between the challenger πΆ and an adversary π
. The game includes three stages: setup, query, and output. Setup. The challenger πΆ creates the public system parameter ππππππ and the public/private key pair (ππ , π‘π ) of the signer π, the one (πV , π‘V ) of the designated verifier π, and the one (ππ , π‘π ) of the arbiter π΄. Then, send ππππππ and (ππ , πV , ππ ) to the adversary π
. Query. Next, π
makes the following oracle queries. (1) Signing Query: π
submits a message π to request a signature on π; πΆ generates a valid signature π on π and returns π to π
. (2) Verifying Query: π
submits a signature π on a message π; πΆ returns βTrueβ to π
if the signature π is valid. Otherwise, it returns βFalseβ to π
. Output. Finally, π
outputs a forged signature πβ on a message πβ . π
wins the above game if (1) πβ is a valid signature on πβ , (2) πβ has never been queried to Signing Query. An SDVSUP scheme is (π‘, π, ππ , πV ) unforgeable if no adversary π
can win the above game with the time at most π‘, the probability at least π, making at most ππ signing queries, and making at most πV verifying queries. 2.4. Nontransferability. According to the work of [18, 22], the nontransferability of SDVSUP can be classified into two types: computational nontransferability and perfect nontransferability. Based on the concept of nontransferability for SDVS given by [18, 22], we add a participator called arbiter π΄ into the original definition to present a description of nontransferability for SDVSUP. An SDVSUP scheme is computationally nontransferable if given a pair of message and signature (π, π); it is infeasible for any probabilistic polynomial-time (PPT) algorithm to distinguish that the signature π is generated by the signer π or the designated verifier π without the knowledge of the secret key of the signer π, the secret key of the designated verifier π, and the secret key of the arbiter π΄. An SDVSUP scheme is perfectly nontransferable if one cannot distinguish the signature π from the signer or the
3 designated verifier even if one knows the secret keys of the signer π, the designated verifier π, and the arbiter π΄. Next, we give a definition of computationally nontransferable for SDVSUP scheme. An SDVSUP scheme is computationally nontransferable if there exists a PPT algorithm: Simulate Signature (SimSDV) in which the designated verifier π can use SimSDV to simulate a signature π1 . π1 is indistinguishable from the real signature which is generated by the signer π without knowing the secret key π‘π of π, the secret key π‘V of π, and the secret key π‘π of π΄. In other words, there is not any PPT distinguisher π΅ that is inputting the public key ππ of π, the public key πV of π, the public key ππ of the arbiter A, and a signature ππ₯ to tell the signature ππ₯ from π or π with a nonnegligible probability π, namely, [ [ [ [ σΈ Pr [ [π₯=π₯ [ [ [ [
(ππ , π‘π ) βσ³¨ KeySDV (1π ) , π β {π , V, π} , π0 βσ³¨ SigSDV (ππ , πV , ππ , π‘π , π) , π1 βσ³¨ SimSDV (ππ , πV , ππ , π‘V , π) , π₯ βσ³¨π
{0, 1} , π₯σΈ βσ³¨ π΅ (ππ , πV , ππ , ππ₯ )
] ] ] ] ] ] ] ] ]
(1)
]
= π.
Similarly, we can define the perfectly nontransferable of SDVSUP scheme with changing the inputting of π΅ into the public/private key (ππ , π‘π ) of π, the public/private key (πV , π‘V ) of π, the public/private key (ππ , π‘π ) of the arbiter π΄, and a signature ππ₯ . Since there is not any trapdoor information that can be used by the arbiter π΄ even if π and π are in perfect nontransferability, an SDVSUP scheme only holds the computational nontransferability not perfect nontransferability [18]. 2.5. Undeniability. An SDVSUP scheme holds the undeniability property if there exists a PPT algorithm: Arbitrate Signature (ArbSDV) with inputting the signature π on π, the public keys of the signer π and the designated verifier π, and the private key of the arbiter π΄; the ArbSDV outputs βπβ if the signature is generated by the signer π or returns βπβ that denotes the signature from the designated verifier π; that is, π βσ³¨ ArbSDV (ππ , πV , π‘π , π) , π β {π, π} .
(2)
3. The Proposed Strong Designated Verifier Signature Schemes with Undeniable Property In this section, we provide two strong designated verifier signature schemes with undeniable property. The first one is called SDVSUP-1 scheme and the another is called SDVSUP-2 scheme. 3.1. The Proposed SDVSUP-1 Scheme. Based on Jakobsson et al.βs scheme [8], we propose a new strong designated verifier signature scheme with undeniable property (SDVSUP-1 scheme). In our SDVSUP-1 scheme, there exists three participators: the signer π, the designated verifier π, and the
4
Security and Communication Networks
arbiter π΄. Our SDVSUP-1 scheme performs according to the following process. System Setup (SetSDV). Let π and π be two large primes which hold π = 2π + 1. Let ππ be a subgroup of ππβ with the prime order π and a generator π. Define three hash functions which hold πΉ1 : {0, 1}β β ππβ , πΉ2 : {0, 1}β Γ ππβ β ππβ , and πΉ3 : (ππβ )5 Γ {0, 1}β β ππβ . Then, the system parameters are πΏ = (π, π, π, πΉ1 , πΉ2 , and πΉ3 ). Key Generate (KeySDV). The signer π selects randomly two numbers π‘π ,1 and π‘π ,2 β ππβ as the private keys of π. And compute ππ ,1 = ππ‘π ,1 mod π and ππ ,2 = ππ‘π ,1 mod π as its public keys. Similarly, the designated verifier π generates its public keys (πV,1 , πV,2 ) and private keys (π‘V,1 , π‘V,2 ), where π‘V,1 and π‘V,2 β ππβ are two random numbers, and πV,1 = ππ‘V,1 mod π; πV,2 = ππ‘V,2 mod π. The arbiter π΄ generates its public keys (ππ,1 , ππ,2 ) and private keys (π‘π,1 , π‘π,2 ), where π‘π,1 and π‘π,2 β ππβ are two random numbers, and ππ,1 = ππ‘π,1 mod π and ππ,2 = ππ‘π,2 mod π. Signature Generate (SigSDV). The signer π constructs a signature on a message π as follows. π selects randomly π1 , π2 , π3 β ππβ and computes
π ππ,1 πβ(β+π2 ) mod π π +(πΉ1 (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 )(β+π2 )
= ππ,11
πβ(β+π2 ) mod π
(πΉ (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 )(β+π2 )
π
= ππ,11 ππ,11
πΉ (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 β(β+π2 )
β
(ππ,11
)
πΉ (π) πΉ2 (π,π) β(β+π2 ) ππ ,2 )
ππ (ππ ,11
π
mod π = ππ,11 mod π.
mod π πΉ (π) πΉ2 (π,π) β(β+π2 ) ππ ,2 )
= ππ1 +(πΉ1 (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 )(β+π2 ) (ππ ,11 β
mod π
πΉ (π) πΉ2 (π,π) β(β+π2 ) ππ ,2 )
= ππ1 π(πΉ1 (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 )(β+π2 ) (ππ ,11
πΉ (π) πΉ2 (π,π) (β+π2 ) ππ ,2 )
β
mod π = ππ1 (ππ ,11
πΉ (π) πΉ2 (π,π) β(β+π2 ) ππ ,2 )
β
(ππ ,11 π‘
mod π = ππ1 mod π.
π‘
πV,1π ,1 = ππ ,1V,1 mod π. π π ππ,1 πβ(β+π2 ) mod π = ππ,1 πβ(β+π₯1 ββ) mod π
πΎ2 = ππ1 mod π
π = ππ,1 πβπ₯1 mod π.
π
πΎ3 = ππ2 πV,13 mod π πΉ (π)π‘ +πΉ (π,π)π‘π ,2 ππ,11 π ,1 2 mod π
(3)
πΉ (π) πΉ2 (π,π) β(β+π2 ) ππ ,2 )
ππ (ππ ,11
mod π
πΉ (π) πΉ2 (π,π) β(β+π₯1 ββ) ππ ,2 )
= ππ (ππ ,11
π‘
π1 = πV,1π ,1 mod π β = πΉ3 (πΎ1 , πΎ2 , πΎ3 , π, π1 , π)
=π
π = π1 + (πΉ (π) π‘π ,1 + πΉ (π β π) π‘π ,2 ) (β + π2 ) mod π.
π
πΉ (π) πΉ (π,π) βπ₯1 (ππ ,11 ππ ,22 )
mod π
= ππ₯1 ββ π(π₯2 βπ2 ) mod π = ππ₯1 ββ ππ₯2 β(π₯1 ββ) mod π
Signature Verify (VerSDV). The designated verifier π checks the validity of a signature π = (π2 , π3 , β, π, π) on message π as follows. π computes
= ππ₯2 mod π.
πΉ (π) πΉ2 (π,π) β(β+π2 ) ππ ,2 )
mod π
π
πΎ3σΈ = ππ2 πV,13 mod π =
π‘ πV,1π ,1 mod π
βσΈ = πΉ3 (πΎ1σΈ , πΎ2σΈ , πΎ3σΈ , π, π1σΈ , π) . If β = βσΈ , then π accepts the signature or rejects it.
3.3. Security Analysis of SDVSUP-1 Scheme Theorem 1. If the CDH assumption (π‘ππβ , πππβ ) holds, then our proposed SDVSUP-1 scheme is (π‘π πV1 , ππ1 , ππ2 , ππ3 , ππ , πV , and ππ πV1 ) unforgeable, where
π πβ(β+π2 ) mod π πΎ1σΈ = ππ,1
πΎ2σΈ = ππ (ππ ,11
(6)
mod π.
β1 (π₯ βπ2 )π‘V,1
π
ππ2 πV,13 mod π = ππ₯1 ββ πV,12
mod π
The final signature on the message π is π = (π2 , π3 , β, π, π).
π1σΈ
(5)
The above signature simulated by π is correct because
π
πΎ1 = ππ,11 mod π.
π=
3.2. Correctness of SDVSUP-1 Scheme. The above signature generated by π is correct because
(4)
π‘ππβ β π‘π πV1 + πππ₯π (6ππ + 6πV + 7) + 4πππ’π (ππ + πV + 1) , πππβ β₯ ππ πV1 β
ππΉ3 ππ π
(7)
2 β . π
And πππ₯π is one exponent operation in ππβ and πππ’π is one multiplication operation in ππβ . ππ1 , ππ2 , ππ3 , ππ , and πV
Security and Communication Networks
5
denote, respectively, that the adversary π
is allowed to make at most ππ1 πΉ1 queries, ππ2 πΉ2 queries, ππ3 πΉ3 queries, ππ signing queries, and πV verifying queries. Proof. Given a CDH problem instance (π, ππ₯ , ππ¦ ), the aim of challenger πΆ is to obtain ππ₯π¦ . Next, πΆ performs the following process with the adversary π
. Setup. πΆ selects randomly π 1 , π 2 , π 3 , π 4 , π 5 , π 6 β ππβ and sets
ππ ,1 = ππ₯π 1 mod π, ππ ,2 = ππ 2 mod π, πV,1 = ππ¦π 3 mod π, πV,2 = ππ 4 mod π, ππ,1 = ππ 5 mod π, and ππ,2 = ππ 6 mod π. πΆ publishes the system parameters πΏ = (π, π, π, πΉ1 , πΉ2 , πΉ3 ) and the public keys (ππ ,1 , ππ ,2 ), (πV,1 , πV,2 ), and (ππ,1 , ππ,2 ).
σΈ ) If there exists a tuple (πΎ1,π , πΎ2,π , πΎ3,π , ππ , π1,π , ππ , π3,π σΈ in π3 and π3,π =ΜΈ π3,π , then πΆ fails and aborts. Otherwise, πΆ records (ππ , π2,π , π3,π , βπ , ππ , ππ ) in π4 and returns (π2,π , π3,π , βπ , ππ , ππ ) to π
. And record (πΎ1,π , πΎ2,π , πΎ3,π , ππ , β₯, ππ , π3,π ) in π3 . The probability of failure for πΆ is ππΉ3 ππ /π.
Verifying Query (i) When π
asks a signature verification query with π = (π2,π , π3,π , βπ , ππ , ππ ) on the message ππ , πΆ searches (π2,π , π3,π , βπ , ππ , ππ ) in table π4 . If there exists a tuple (ππ , π2,π , π3,π , βπ , ππ , ππ ) in π4 , πΆ returns βtrue.β Otherwise, πΆ computes π
Query. The adversary π
makes the following queries to πΆ.
π πΎ1,π = ππ,1 πβ(βπ +π2,π ) mod π
Random Oracle Query
πΎ2,π = πππ (ππ ,11
πΉ (ππ ) πΉ2 (ππ ,π) β(βπ +π2,π ) ππ ,2 )
(i) When π
asks a query on πΉ1 oracle with inputting ππ , πΆ searches ππ in table π1 that is empty initially. If there exists a tuple (ππ , π1,π ) in π1 , πΆ returns π1,π to π
as the value of πΉ1 (ππ ). Otherwise, πΆ selects randomly π1,π β ππβ and records (ππ , π1,π ) in π1 and returns π1,π to π
. (ii) When π
asks a query on πΉ2 oracle with inputting (ππ , π), πΆ searches (ππ , π) in table π2 that is empty initially. If there exists a tuple (ππ , π, π2,π ) in π2 , πΆ returns π2,π to π
as the value of πΉ2 (ππ , π). Otherwise, πΆ selects randomly π2,π β ππβ and records (ππ , π, π2,π ) in π2 and returns π2,π to π
. (iii) When π
asks a query on πΉ3 oracle with inputting (πΎ1,π , πΎ2,π , πΎ3,π , ππ , π1,π , ππ ), πΆ searches (πΎ1,π , πΎ2,π , πΎ3,π , ππ , β, ππ ) in table π3 that is empty initially. If there exists a tuple (πΎ1,π , πΎ2,π , πΎ3,π , ππ , β, ππ , π3,π ) in π3 , πΆ returns π3,π to π
as the value of πΉ2 (πΎ1,π , πΎ2,π , πΎ3,π , ππ , π1,π , ππ ). Otherwise, πΆ selects randomly π3,π β ππβ and records (πΎ1,π , πΎ2,π , πΎ3,π , ππ , π1,π , ππ , π3,π ) in π3 and returns π3,π to π
. Signing Query (i) When π
asks a signature query with inputting ππ , πΆ searches ππ in table π4 that is empty initially. If there exists a tuple (ππ , π2,π , π3,π , βπ , ππ , ππ , β₯) in π4 , πΆ returns (π2,π , π3,π , βπ , ππ , ππ ) to π
as the signature on message ππ . Otherwise, πΆ searches π1 on ππ and π2 on (ππ , π). If ππ and (ππ , π) have not existed in π1 and π2 , then πΆ performs the above πΉ1 oracle and πΉ2 oracle to obtain π1,π and π2,π . Then, πΆ chooses randomly ππ , π2,π , π3,π , π3,π β ππβ , and ππ β ππβ . Compute π
β(π3,π +π2,π )
π πΎ1,π = ππ,1 ππ
π
π
1,π 2,π πΎ2,π = πππ (ππ ,1 ππ ,2 )
πΎ3,π = π
π2,π
mod π
β(π3,π +π2,π )
mod π
π
πΎ3,π = ππ2,π πV,13,π mod π. Then πΆ searches (πΎ1,π , πΎ2,π , πΎ3,π , ππ , β, ππ , βπ ) in π3 . If (πΎ1,π , πΎ2,π , πΎ3,π , ππ , β, ππ , βπ ) exits in π3 , then πΆ returns ππππ π. Otherwise, (πΎ1,π , πΎ2,π , πΎ3,π , ππ , β, ππ , βπ ) has not existed in π3 ; then πΆ outputs βfalseβ and aborts. The probability which π = (π2,π , π3,π , βπ , ππ , ππ ) is a valid signature and did not make a πΉ3 query is 1/π. Forge. Finally, π
outputs a forged signature πβ = (π2β , π3β , ββ , πβ , πβ ) on a message πβ . After πΆ gets πβ , πΆ first computes β
β
π πΎ1β = ππ,1 πβ(β
+π2β )
mod π
β β πΉ (πβ ) πΉ2 (πβ ,π) β(β +π2 ) ππ ,2 )
β
πΎ2β = ππ (ππ ,11 β
mod π
π πV,13,π mod π
and set πΉ3 (πΎ1,π , πΎ2,π , πΎ3,π , ππ , β₯, ππ ) = π3,π .
(8)
(10)
πβ
πΎ3β = ππ2 πV,13 mod π. Then, πΆ searches (πΎ1β , πΎ2β , πΎ3β , πβ , πβ , ββ ) in π3 . Because πβ is a valid signature, π
must query πΉ3 on (πΎ1β , πΎ2β , πΎ3β , πβ , π1β , π‘ πβ , ββ ) previously. Thus, πΆ can get π1β = πV,1π ,1 mod π = ππ¦π 3 π₯π 1 β(π π )β1
mod π. So, ππ₯π¦ mod π = π1 1 3 mod π. The probability which πβ = (π2β , π3β , ββ , πβ , πβ ) is a valid signature and did not make a πΉ3 query previously is 1/π. Theorem 2. The proposed SDVSUP-1 scheme is computationally nontransferable.
Proof. The designated verifier π can simulate a valid signature πσΈ on the message π by the following SimSDV algorithm. π chooses randomly π₯1 , π₯2 , π β ππβ , and π β ππβ . Then compute π πβπ₯1 mod π πΎ1 = ππ,1
mod π
(9)
πΉ (π) πΉ2 (π,π) βπ₯1 ππ ,2 )
πΎ2 = ππ (ππ ,11
πΎ3 = ππ₯2 mod π π‘
π1 = ππ ,1V,1 mod π.
mod π
6
Security and Communication Networks β = πΉ3 (πΎ1 , πΎ2 , πΎ3 , π, π1 , π)
and more convenient. Next, we show the construction of our SDVSUP-2 scheme which is a modification of SDVSUP-1 scheme.
π2 = π₯1 β β mod π β1 π3 = (π₯2 β π2 ) π‘V,1 mod π.
(11) The simulating signature of π is πσΈ = (π2 , π3 , β, π, π). Since π‘ we need the private key of π or π to verify ππ ,1V,1 and need the private key of π or π΄ to verify π, anyone cannot distinguish the original signature π and the simulating signature πσΈ without knowing the private keys of π, π, and π΄. Theorem 3. The proposed SDVSUP-1 scheme is undeniable. Proof. When the signer π and the designated verifier π dispute who generates the signature π on the message π, π or π submits the signature π = (π2 , π3 , β, π, π) on π to the arbiter π΄. Then, π΄ runs the following ArbSDV algorithm. Namely, compute σΈ
π =
π‘ πΉ (π) π‘ πΉ (π,π) ππ ,1π,1 1 ππ ,2π,1 2 mod π.
(12)
Then, π΄ checks if π = πσΈ . If it is true, then π΄ confirms that the signature π on the message π is generated by the signer π. Otherwise, the signature π is generated by the designated verifier π. Since π is a random number in simulating πΉ (π)π‘ +πΉ (π,π)π‘π ,2 mod π in the real signature πσΈ while π = ππ,11 π ,1 2 signature π. Therefore, the arbiter π΄ can use the ArbSDV algorithm to tell the real signer. 3.4. The Proposed SDVSUP-2 Scheme. The above SDVSUP1 scheme is a strong designated verifier signature scheme which has the undeniable property. In the SDVSUP-1 scheme, the arbiter π΄ judges the signature generator by checking the format of π in the signature π = (π2 , π3 , β, π, π) on π because πΉ(π)π‘ +πΉ(πβπ)π‘π ,2 only π from the signer π has the format ππ,1 π ,1 , while π from the designated verifier π is a random number in ππβ . Because of this fact βonly π from the signer π has the πΉ(π)π‘ +πΉ(πβπ)π‘π ,2 special format, namely, ππ,1 π ,1 , while π from the designated verifier π is a random number in ππβ .β Thus, the arbiter A only can check the format of π with the public key (ππ ,1 , ππ ,2 ) of the signer to judge the result, which is a little unfair to the designated verifier π. In other words, the designed verifier can do nothing and it even has some doubts on the judge result. Therefore, in this subsection, we present another scheme where π and π can both construct π with their own characteristic respectively. Namely, in our SDVSUP-2 scheme, π generated by the signer π is the format πΉ (π)π‘ +πΉ (π,π)π‘π ,2 , while π generated by the designated π = ππ,11 π ,1 2 πΉ (π)π‘ +πΉ (π,π)π‘V,2 ππ,11 V,1 2 .
verifier π is the format π = Thus, the arbiter π΄ can check the format of π with the public key (ππ ,1 , πΉ (π) πΉ (π,π) π‘π,1 ππ ,2 ) of the signer (by computing π = (ππ ,11 ππ ,22 ) ) or with the public key (πV,1 , πV,2 ) of the designated verifier (by πΉ (π) πΉ (π,π) π‘π,1 computing π = (πV,11 πV,22 ) ) to judge the result, which make the arbiter π΄ distinguish the signature easier, fairer,
SetSDV. The algorithm works as the above SDVSUP-1 scheme except πΉ3 : (ππβ )4 Γ {0, 1}β β ππβ . Finally, the system parameters are πΏ = (π, π, π, πΉ1 , πΉ2 , πΉ3 ). KeySDV. The algorithm works as the SDVSUP-1 scheme. Finally, π, π, and π΄ obtain their private keys and public keys ((π‘π ,1 , π‘π ,2 ), (ππ ,1 , ππ ,2 )), ((π‘V,1 , π‘V,2 ), (πV,1 , πV,2 )), ((π‘π,1 , π‘π,2 ), and (ππ,1 , ππ,2 )), respectively. SigSDV. π chooses randomly π‘2 , π2 β ππβ and computes πΉ (π) πΉ2 (π,π) π‘2 ππ ,2 )
πΎ1 = (ππ ,11
πΉ (π) πΉ2 (π,π) π2 πV,2 )
(πV,11
(πΉ (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 )(π2 +π‘2 )
πΎ2 = ππ,11
πΉ (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2
π = ππ,11
mod π
mod π
mod π
(13)
π‘
π1 = πV,1π ,1 mod π β = πΉ3 (πΎ1 , πΎ2 , π, π1 , π) β1
π1 = π‘2 + β (πΉ1 (π) π‘π ,1 + πΉ2 (π, π) π‘π ,2 ) mod π. The final signature on the message π is π = (π1 , π2 , β, π). VerSDV. For a signature π = (π1 , π2 , β, π) on the message π, π computes πΉ (π) πΉ2 (π,π) π1 ππ ,2 )
πΎ1σΈ = πββ (ππ ,11
πΉ (π) πΉ2 (π,π) π2 πV,2 )
(πV,11
mod π
ββ π1 +π2 π mod π πΎ2σΈ = ππ,1
(14)
π‘
π1 = ππ ,1V,1 mod π βσΈ = πΉ3 (πΎ1σΈ , πΎ2σΈ , π, π1 , π) . If β = βσΈ , then π accepts the signature or rejects it. Note that if we drop the inputting π1 in the πΉ3 () of the above SDVSUP-2 scheme, namely, β = πΉ3 (πΎ1 , πΎ2 , π, π), then the SDVSUP-2 scheme can become a designated verifier signature not a strong scheme (namely, designated verifier signature with undeniability property (DVSUP), we call it DVSUP-2 scheme) because anyone can check the validity of the signature π generated by DVSUP-2 scheme. Similarly, the SDVSUP-1 scheme also can become a designated verifier scheme (we call it DVSUP-1 scheme) by dropping the π1 , namely, β = πΉ3 (πΎ1 , πΎ2 , πΎ3 , π, π). 3.5. Correctness of SDVSUP-2 Scheme. The above signature π generated by π of SDVSUP-2 scheme is correct because πΉ (π) πΉ2 (π,π) π1 ππ ,2 )
πββ (ππ ,11
πΉ (π) πΉ2 (π,π) π2 πV,2 )
(πV,11
mod π
β1 πΉ (π) πΉ2 (π,π) π‘2 +β(πΉ1 (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 ) ππ ,2 )
= πββ (ππ ,11
πΉ (π) πΉ2 (π,π) π2 πV,2 )
β
(πV,11
mod π
Security and Communication Networks πΉ (π) πΉ2 (π,π) π‘2 ππ ,2 )
= πββ (ππ ,11
πΉ (π) πΉ2 (π,π) π‘2 ππ ,2 )
= (ππ ,11
7
πΉ (π) πΉ2 (π,π) π2 πV,2 )
πβ (πV,11
πΉ (π) πΉ2 (π,π) π2 πV,2 )
(πV,11
πΉ (π)π‘V,1 +πΉ2 (π,π)π‘V,2
π = ππ,11
mod π
π‘
π1 = ππ ,1V,1 mod π
mod π.
β = πΉ3 (πΎ1 , πΎ2 , π, π1 , π)
ββ π1 +π2 π mod π ππ,1 β1
ββ π‘2 +β(πΉ1 (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 ) = ππ,1 π
=
ββ ππ,1
+π2
β1
π2 = π‘2 + β (πΉ1 (π) π‘V,1 + πΉ2 (π, π) π‘V,2 ) mod π.
mod π
(17)
πΉ (π)π‘ +πΉ (π,π)π‘π ,2 π‘2 +π2 (ππ,11 π ,1 2 )
The final simulating signature on the message π is πσΈ = (π1 , π2 , β, π). Since we need the private key of π or π to verify π‘ ππ ,1V,1 and need the private key of π or π΄ to verify π, anyone cannot distinguish the original signature π and the simulating signature πσΈ without knowing the private keys of π, π, and π΄.
β1
πΉ (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 β(πΉ1 (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 )
β
(ππ,11
)
πΉ (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 π‘2 +π2
ββ (ππ,11 = ππ,1
(πΉ (π)π‘π ,1 +πΉ2 (π,π)π‘π ,2 )(π‘2 +π2 )
mod π
β ππ,1 mod π
)
= ππ,11
mod π. (15)
The above signature π simulated by π of SDVSUP-2 scheme is correct because πΉ (π) πΉ2 (π,π) π1 ππ ,2 )
πββ (ππ ,11 =
πΉ (π) πΉ2 (π,π) π2 πV,2 )
(πV,11
mod π
β1
πΉ (π) πΉ2 (π,π) π‘2 +β(πΉ1 (π)π‘V,1 +πΉ2 (π,π)π‘V,2 ) πV,2 )
β
(πV,11
πΉ (π) πΉ2 (π,π) π1 ππ ,2 )
= πββ (ππ ,11
=π
πΉ (π) πΉ (π,π) π1 (ππ ,11 ππ ,22 )
πΉ (π) πΉ2 (π,π) π1 ππ ,2 )
= (ππ ,11
σΈ σΈ
π =
mod π
mod π
πΉ (π) πΉ (π,π) π‘2 (πV,11 πV,22 )
πΉ (π) πΉ2 (π,π) π‘2 πV,2 )
(πV,11
π mod π (16)
β1
ββ π1 +π‘2 +β(πΉ1 (π)π‘V,1 +πΉ2 (π,π)π‘V,2 ) = ππ,1 π mod π
=
β1 πΉ (π)π‘V,1 +πΉ2 (π,π)π‘V,2 β(πΉ1 (π)π‘V,1 +πΉ2 (π,π)π‘V,2 )
)
πΉ (π)π‘V,1 +πΉ2 (π,π)π‘V,2 π1 +π‘2
ββ (ππ,11 = ππ,1
)
(πΉ (π)π‘V,1 +πΉ2 (π,π)π‘V,2 )(π1 +π‘2 )
= ππ,11
mod π
β ππ,1 mod π
mod π.
Theorem 4. The proposed SDVSUP-2 scheme is computationally nontransferable. Proof. In order to simulate a valid signature on the message π, the designated verifier π chooses randomly π‘2 , π1 β ππβ and computes πΉ (π) πΉ2 (π,π) π1 ππ ,2 )
πΎ1 = (ππ ,11
πΉ (π) πΉ2 (π,π) π‘2 πV,2 )
(πV,11
(πΉ (π)π‘V,1 +πΉ2 (π,π)π‘V,2 )(π1 +π‘2 )
πΎ2 = ππ,11
mod π
Theorem 6. If the CDH assumption (π‘ππβ , πππβ ) holds, then the proposed SDVSUP-2 scheme is (π‘π πV1 , ππ1 , ππ2 , ππ3 , ππ , πV , ππ πV1 ) unforgeable. Proof. The proof method is very similar to the Theorem 1. So, we omit it.
πΉ (π)π‘ +πΉ (π,π)π‘V,2 π1 +π‘2 (ππ,11 V,1 2 )
β
(ππ,11
mod π.
πΉ (π)π‘ +πΉ (π,π)π‘
ββ π1 +π2 π mod π ππ,1
ββ ππ,1
(18)
π ,2 in the simulating signature πσΈ , π = ππ,11 π ,1 2 mod π in the real signature π. Therefore, the arbiter π΄ can use the ArbSDV algorithm to tell the real signer.
β
mod π.
πΉ (π) πΉ (π,π) π‘π,1 (πV,11 πV,22 )
mod π
Then, π΄ checks if π = πσΈ or π = πσΈ σΈ . If π = πσΈ , then π΄ confirms the signature π on the message π is generated by the signer π. If π = πσΈ σΈ , then the signature π is generated by πΉ (π)π‘ +πΉ (π,π)π‘V,2 the designated verifier π. Since π = ππ,11 V,1 2 mod π
πΉ (π) πΉ2 (π,π) π‘2 πV,2 )
β1 πΉ (π) πΉ2 (π,π) β(πΉ1 (π)π‘V,1 +πΉ2 (π,π)π‘V,2 ) πV,2 )
Proof. The arbiter π΄ adapts the following method to judge the signature. π΄ first gets the public keys of the signer and the designated verifier. Then, π΄ uses the private π‘π,1 to compute πΉ (π) πΉ2 (π,π) π‘π,1 ππ ,2 )
(πV,11
β
(πV,11
Theorem 5. The proposed SDVSUP-2 scheme is undeniable.
πσΈ = (ππ ,11
πΉ (π) πΉ (π,π) π1 ) πββ (ππ ,11 ππ ,22
ββ
mod π
mod π
3.6. Comparison. In Tables 1 and 2, we compare our schemes with other similar schemes in terms of performance and security features. βComputational costβ denotes the totally computational cost of signing and verifying. βSignature lengthβ denotes the signature size. βUnforg.β denotes if the scheme satisfies the unforgeability property. βNontransf.β denotes if the scheme holds the nontransferability property. βUnden.β denotes if the scheme holds the undeniability property. βHelp from signerβ denotes if it needs the help from the signer when the arbiter judges a signatureβs generator. βπΈβ denotes one exponentiation computation in ππβ . βπΊπΈ β denotes one exponentiation computation in πΊ where πΊ is a bilinear group. βπβ denotes one paring computation in πΊ. β|ππ |β, β|ππ |,β and β|πΊ|β denote the length of one element from βππ β, βππ ,β and βπΊ,β respectively. From Table 2, it can be seen that our schemes including SDVSUP-1 and SDVSUP-2 not only hold the features of
8
Security and Communication Networks Table 1: Performance comparison with other schemes.
Scheme Jakobsson et al. [8] Yang et al. [10] Tian et al. [11] Islam and Biswas [12] SDVSUP-1 SDVSUP-2
Computational cost 11πΈ 9πΈ 11πΊπΈ + 2π 6πΊπΈ + 4π 14πΈ 15πΈ
Signature length σ΅¨ σ΅¨ σ΅¨ σ΅¨ 3 σ΅¨σ΅¨σ΅¨σ΅¨ππ σ΅¨σ΅¨σ΅¨σ΅¨ + 3 σ΅¨σ΅¨σ΅¨σ΅¨ππ σ΅¨σ΅¨σ΅¨σ΅¨ σ΅¨σ΅¨ σ΅¨σ΅¨ 4 σ΅¨σ΅¨ππ σ΅¨σ΅¨ σ΅¨ σ΅¨σ΅¨ σ΅¨ 1 σ΅¨σ΅¨σ΅¨σ΅¨ππ σ΅¨σ΅¨σ΅¨σ΅¨ + 4 |πΊ| σ΅¨ σ΅¨ 1 σ΅¨σ΅¨σ΅¨σ΅¨ππ σ΅¨σ΅¨σ΅¨σ΅¨ + 2 |πΊ| σ΅¨ σ΅¨ σ΅¨σ΅¨ σ΅¨σ΅¨ 4 σ΅¨σ΅¨σ΅¨ππ σ΅¨σ΅¨σ΅¨ + 1 σ΅¨σ΅¨σ΅¨σ΅¨ππ σ΅¨σ΅¨σ΅¨σ΅¨ σ΅¨ σ΅¨ σ΅¨ σ΅¨ 3 σ΅¨σ΅¨σ΅¨σ΅¨ππ σ΅¨σ΅¨σ΅¨σ΅¨ + 1 σ΅¨σ΅¨σ΅¨σ΅¨ππ σ΅¨σ΅¨σ΅¨σ΅¨
Table 2: Security features comparison with other schemes. Unforg. Non-transf. Unden. Help from signer Scheme Jakobsson Γ β β β et al. [8] Γ β β β Yang et al. [10] Γ Γ β β Tian et al. [11] Islam and Γ Γ β β Biswas [12] Γ β β β SDVSUP-1 Γ β β β SDVSUP-2
unforgeability and nontransferability but also have the undeniability property. What is more, the arbiter can alone judge the generator in our two schemes, while any other schemes do not have the property. Therefore, our two schemes have better security features. In terms of signature size, from Table 1, it can be seen that our schemes outperform the schemes in [8, 11] and also are comparable with the schemes in [10, 12]. In terms of computational cost, our schemes can perform many π‘ recomputations on some operations such as ππ ,1V,1 . Therefore, our schemes also have comparable computational complexity as other schemes [8, 10β12]. 3.7. Applications. SDVS has many applications such as electronic voting (e-voting) system, bidding system in business, and electronic will. Next, we demonstrate an example on how to apply our SDVSUP scheme to the bidding system in business. We assume that π΅π is a bidder on behalf of a company to make a project compete with other bidders, π is the tenderee on behalf of the enterprise to choose the most suitable company for performing the project. π½ is a trust third party to perform judging. Then, the bidding system consists of the following components. Initialization Phase. Generate the system parameter πΏ according to the SetSDV. π΅π , π, and π½ obtain the public/private keys ((ππ΅π ,1 , ππ΅π ,2 ), (π‘π΅π ,1 , π‘π΅π ,2 )), ((ππ,1 , ππ,2 ), (π‘π,1 , π‘π,2 )), ((ππ½,1 , ππ½,2 ), and (π‘π½,1 , π‘π½,2 )), respectively, according to the KeySDV. π publishes the notice on the project for bidding. Bidding Phase. The company π΅π who wants to perform the project prepares the biding document ππ and signs on ππ with the private (π‘π΅π ,1 , π‘π΅π ,2 ) to obtain the signature ππ according to the SigSDV. Then π΅π sends ππ to π.
Choosing Phase. π verifies the validity of ππ for all receiving biding documents. Then π chooses the most suitable bidder as the winner according to the price or other reasons presented in biding document. Note. In order to obtain lowest price, π maybe show the bidding document of π΅π to π΅π . Thus, π΅π must set lower price than π΅π to obtain the project. By the similar method, π can show the bidding document of π΅π to π΅π who is forced to set lower price than π΅π and so on, which causes a vicious cycle. An SDVS scheme can solve this problem since the π also can generate a valid signature on ππ which is indistinguishable from the original signature generated by π΅π . However, if π΅π and π dispute the signature ππ on ππ or both deny the signature, then the ordinary SDVS scheme cannot solve the judge problem. But there is no such problem in our SDVSUP schemes. Judging Phase. Given a signature ππ on ππ , the judger π½ determines the signature by computing πσΈ = πΉ (π ) πΉ (π ,π) πΉ (π ) πΉ (π ,π) (ππ΅π1,1 π ππ΅π2,2 π )π‘π½,1 mod π and πσΈ σΈ = (ππ,11 π ππ,22 π )π‘π½,1 mod π. If π = πσΈ , then ππ is generated by the π΅π . If π = πσΈ σΈ , then ππ is generated by the π. Using the similar method to the above, our SDVSUP can be applied in electronic voting (e-voting) system, electronic will, and so on.
4. Conclusion In this paper, we propose two strong designated verifier signature schemes including SDVSUP-1 and SDVSUP-2. Our two SDVS schemes achieve the unforgeability property, the undeniability property, and the nontransferability property. Specially, our SDVS schemes can solve the dispute of the signature ownership between the signer and the designated verifier by introducing a third party as the arbiter. The whole procedure of judgment removes the dependence on the signer and can be completed by the arbiter alone. We also present an instance on how to apply our SDVS schemes in a real situation.
Competing Interests The authors declare that they have no competing interests.
Acknowledgments This work is supported by the Innovation Program of Shanghai Municipal Education Commission (no. 14ZZ167), the National Natural Science Foundation of China (nos. 61103213, 61272036, and 61672022), the Guangxi Natural Science Foundation (no. 2014GXNSFAA11838-2), and the Key Disciplines of Computer Science and Technology of Shanghai Polytechnic University (no. XXKZD1604).
References [1] D. Chaum and H. Antwerpen, βUndeniable signatures,β in Proceedings of the 9th Annual International Cryptology Conference,
Security and Communication Networks
[2]
[3]
[4] [5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
Advances in Cryptology (CRYPTO β89), pp. 212β216, Springer, Santa Barbara, Calif, USA, August 1989. D. Chaum, βZero-knowledge undeniable signatures (extended abstract),β in Workshop on the Theory and Application of of Cryptographic Techniques EUROCRYPT 1990: Advances in CryptologyβEUROCRYPT β90, vol. 473 of Lecture Notes in Computer Science, pp. 458β464, Springer, Berlin, Germany, 1991. R. Gennaro, T. Rabin, and R. Impagliazzo, βRSA-based undeniable signatures,β Journal of Cryptology, vol. 13, no. 4, pp. 357β384, 2000. S. S. Duan, βCertificateless undeniable signature scheme,β Information Sciences, vol. 178, no. 3, pp. 742β755, 2008. G. Bleumer, βUndeniable signatures,β in Encyclopedia of Cryptography and Security, pp. 1347β1348, Springer, Berlin, Germany, 2011. M. Srinath and V. Chandrasekaran, βIsogeny-based quantumresistant undeniable blind signature scheme,β Cryptology ePrint Archive: Report 2016/148, 2016. W. Ogata, K. Kurosawa, and S.-H. Heng, βThe security of the FDH variant of Chaumβs undeniable signature scheme,β IEEE Transactions on Information Theory, vol. 52, no. 5, pp. 2006β 2017, 2006. M. Jakobsson, K. Sako, and R. Impagliazzo, βDesignated verifier proofs and their applications,β in Advances in Cryptologyβ EUROCRYPT β96, vol. 1070 of Lecture Notes in Computer Science, pp. 143β154, Springer, Berlin, Heidelberg, 1996. B. Yang, Y. Sun, Y. Yu, and Q. Xia, βA strong designated verifier signature scheme with secure disavowability,β in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS β12), pp. 286β291, IEEE, Bucharest, Romania, September 2012. B. Yang, Y. Yu, and Y. Sun, βA novel construction of SDVS with secure disavowability,β Cluster Computing, vol. 16, no. 4, pp. 807β815, 2013. H. Tian, Z. Jiang, Y. Liu, and B. Wei, βA systematic method to design strong designated verifier signature without random oracles,β Cluster Computing, vol. 16, no. 4, pp. 817β827, 2013. S. H. Islam and G. P. Biswas, βProvably secure and pairingbased strong designated verifier signature scheme with message recovery,β Arabian Journal for Science and Engineering, vol. 40, no. 4, pp. 1069β1080, 2015. J. Ki, J. Y. Hwang, D. Nyang, B.-H. Chang, D. H. Lee, and J.I. Lim, βConstructing strong identity-based designated verifier signatures with self-unverifiability,β ETRI Journal, vol. 34, no. 2, pp. 235β244, 2012. H.-Y. Lin, T.-S. Wu, and S.-K. Huang, βAn efficient strong designated verifier proxy signature scheme for electronic commerce,β Journal of Information Science and Engineering, vol. 28, no. 4, pp. 771β785, 2012. Y. Ming, Q. Jin, and X. Zhao, βDesignated verifier proxy signature scheme with multi-warrant in the standard model,β Journal of Information & Computational Science, vol. 10, no. 7, pp. 2097β2107, 2013. S. H. Islam and G. Biswas, βA provably secure identity-based strong designated verifier proxy signature scheme from bilinear pairings,β Journal of King Saud UniversityβComputer and Information Sciences, vol. 26, no. 1, pp. 55β67, 2014. J. Wang, Q. Guo, and Y. Wang, βSecurity analysisi of a designated-verifier proxy signature scheme,β Journal of Northwest Normal University (Natural Science), vol. 51, no. 5, pp. 55β 58, 2015.
9 [18] H. Lipmaa, G. Wang, and F. Bao, βDesignated verifier signature schemes: attacks, new security notions and a new construction,β in Automata, Languages and Programming, vol. 3580 of Lecture Notes in Computer Science, pp. 459β471, Springer, Berlin, Germany, 2005. [19] Q. Huang, G. Yang, D. S. Wong, and W. Susilo, βIdentity-based strong designated verifier signature revisited,β Journal of Systems and Software, vol. 84, no. 1, pp. 120β129, 2011. [20] Q. Huang, G. Yang, D. S. Wang, and W. Susilo, βEfficient strong designated verifier signature schemes without random oracle or with non-delegability,β International Journal of Information Security, vol. 10, no. 6, pp. 373β385, 2011. [21] H.-Y. Lin, T.-S. Wu, and S.-K. Huang, βAn efficient strong designated verifier proxy signature scheme for electronic commerce,β JISE. Journal of Information Science and Engineering, vol. 28, no. 4, pp. 771β785, 2012. [22] R. Steinfeld, L. Bull, H. Wang, and J. Pieprzyk, βUniversal designated verifier signatures,β in International Conference on the Theory and Application of Cryptology and Information Security ASIACRYPT 2003: Advances in CryptologyβASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 523β542, Springer, Berlin, Germany, 2003. [23] X. Huang, W. Susilo, Y. Mu, and W. Wu, βSecure universal designated verifier signature without random oracles,β International Journal of Information Security, vol. 7, no. 3, pp. 171β183, 2008. [24] X. Huang, W. Susilo, Y. Mu, and F. Zhang, βShort designated verifier signature scheme and its identity-based variant,β International Journal of Network Security, vol. 6, no. 1, pp. 82β93, 2008. [25] H. Krawczyk and T. Rabin, βChameleon hashing and signatures,β in Proceedings of the Network and Distributed System Security Symposium, pp. 143β154, San Diego, Calif, USA, 2000.
International Journal of
Rotating Machinery
Engineering Journal of
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
The Scientific World Journal Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
International Journal of
Distributed Sensor Networks
Journal of
Sensors Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Journal of
Control Science and Engineering
Advances in
Civil Engineering Hindawi Publishing Corporation http://www.hindawi.com
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
Submit your manuscripts at https://www.hindawi.com Journal of
Journal of
Electrical and Computer Engineering
Robotics Hindawi Publishing Corporation http://www.hindawi.com
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
VLSI Design Advances in OptoElectronics
International Journal of
Navigation and Observation Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Hindawi Publishing Corporation http://www.hindawi.com
Chemical Engineering Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
Active and Passive Electronic Components
Antennas and Propagation Hindawi Publishing Corporation http://www.hindawi.com
Aerospace Engineering
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
International Journal of
International Journal of
International Journal of
Modelling & Simulation in Engineering
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Shock and Vibration Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Advances in
Acoustics and Vibration Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014