Provably Secure and Efficient ID-based Strong Designated Verifier Signature
Scheme with Message Recovery
Min Li
College of Computer Science,
Sichuan Normal University
Chengdu, China
lm_turnip@126.com
Tao Fang
College of Fundamental Education
Sichuan Normal University
Chengdu, China
f_fangtao@163.com
Abstract—Many ID-based strong designated verifier signature
schemes have been proposed in recent years. However, most of
them do not give rigorous security proofs and do not
satisfy the strongness property, namely that no one except the
designated verifier can check the validity of a designated
verifier signature. In addition, for some special
applications, these schemes have a larger communication data
size. To overcome these problems, we exploit message recovery
techniques, which are regarded as a useful method to shorten
the size of ID-based signatures, and put forward an efficient
ID-based strong designated verifier signature scheme with
message recovery. We give its rigorous security proof in the
random oracle model based on the hardness assumption of the
computational Bilinear Diffie-Hellman problem. To the best of
our knowledge, it is the first ID-based strong designated
verifier signature scheme with message recovery and rigorous
security proofs. Due to its merits, it can be used in special
environments where bandwidth is one of the main concerns,
such as PDAs, cell phones, RFID, etc.
Keywords-Identity-based cryptography; Designated verifier
signature; Message recovery; Bilinear pairings; Random oracle
model
I. INTRODUCTION
The digital signature, an important primitive in
cryptography that can provide data integrity,
authentication and non-repudiation, has many practical
applications in the real world, such as electronic commerce,
electronic government, etc. However, in some special
environments, signatures with special properties are
desirable. For example, in some scenarios such as E-voting,
calls for tenders and software licensing, the public verification
of an ordinary signature is not desired, since the signer may
not want the recipient of a digital signature to transfer the
conviction to a third party at will.
To address this problem, Chaum and Van
Antwerpen introduced undeniable signatures [1, 2], which
allow a signer to completely control his signatures. In
undeniable signatures, the verifier (Bob) cannot check the
validity of the signature given by the signer (Alice) by
himself. Instead, Alice participates in the scheme to prove
the validity (or invalidity) of the signature to Bob by means
of an interactive protocol. Nevertheless, Alice can only
decide when to prove, but not who verifies. Hence, the
conviction can be transferred to anyone else. Motivated by
the above problem, Jakobsson et al. [3] introduced the
concept of a designated verifier signature (DVS) scheme at
Eurocrypt 1996. A DVS scheme makes it possible for a
signer Alice to convince a designated verifier Bob that Alice
has signed a message in such a way that Bob cannot transfer
the conviction to a third party Cindy. This is called
non-transferability, and is usually achieved by giving Bob the
capability of efficiently simulating a signature which is
indistinguishable from Alice's.
In order to enhance the signer's privacy, Jakobsson et al.
also introduced a stronger version of DVS in the same work
[3]. It is usually called a strong designated verifier signature
(SDVS) scheme, in which no third party can even check the
validity of a designated verifier signature, since the
verification of the signature requires the designated verifier's
private key.
Since the notion of SDVS was proposed by Jakobsson et al. in
[3], many SDVS schemes have been put forward in the
literature. In 2003, Saeednia et al. [4] first formalized the
notion of SDVS and proposed an efficient scheme in the
same paper. In 2004, Susilo et al. [5] proposed the first
strong designated verifier signature scheme in the identity-based
public key cryptosystem, which was first introduced by Shamir
[6] in 1984 to solve the problems of certificate management
in public key infrastructure (PKI). Due to its advantages in
contrast to PKI, several new ID-based SDVS (IBSDVS) schemes
have been proposed in the new setting recently. In 2008,
Zhang et al. [7] proposed a novel IBSDVS scheme by
combining the ID-based public key cryptosystem with the
designated verifier signature. In their work, they claimed that
their scheme was a strong designated verifier signature, that
is to say, no third party can check the validity of a designated
verifier signature generated by the signer. In 2009, however,
Kang et al. [8] found that Zhang et al.'s scheme cannot
satisfy the strongness property as claimed in [7]. In the
same paper [8], they presented a new IBSDVS scheme and an
ID-based designated verifier proxy signature scheme
(IBDVPS) based on the new IBSDVS scheme.
Meanwhile, they also put forward a novel IBSDVS scheme
[9] with security proofs in the random oracle model based on the
Bilinear Diffie-Hellman assumption. Unfortunately, Lee et
al. [10] showed in 2010 that Kang et al.'s new schemes in [8] are
universally forgeable, that is, anyone can generate a
signature on an arbitrarily chosen message without the secret
2014 International Conference on Network-Based Information Systems
978-1-4799-4224-4/14 $31.00 © 2014 IEEE
DOI 10.1109/NBiS.2014.20