Research Article
ID-Based Strong Designated Verifier Signature over
R-SIS Assumption
Jie Cai ,
1
Han Jiang ,
2
Pingyuan Zhang ,
1
Zhihua Zheng,
3
Hao Wang ,
3
Guangshi Lü,
1
and Qiuliang Xu
2
1
School of Mathematics, Shandong University, Ji’nan, Shandong, China
2
School of Soware, Shandong University, Ji’nan, Shandong, China
3
School of Information Science and Engineering, Shandong Normal University, Ji’nan, Shandong, China
Correspondence should be addressed to Han Jiang; jianghan@sdu.edu.cn
Received 23 April 2019; Accepted 18 June 2019; Published 15 July 2019
Academic Editor: Clemente Galdi
Copyright © 2019 Jie Cai et al. is is an open access article distributed under the Creative Commons Attribution License, which
permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
In this paper, we propose an ID-based strong designated verier signature (SDVS) over R−SIS assumption in the random model.
We remove pre-image sampling function and Bonsai trees such complex structures used in previous lattice-based SDVS schemes.
We only utilize simple rejection sampling to protect the security of our scheme. Hence, we will show our design has the shortest
signature size comparing with existing lattice-based ID-based SDVS schemes. In addition, our scheme satises anonymity (privacy
of signer’s identity) proved in existing schemes rarely, and it can resist side-channel attacks with uniform sampling.
1. Introduction
e rst designated verier signature scheme was proposed
by Jakobsson, Sako, and Impagliazzo [1] in 1996. is
signature scheme satises that only the designated verier
can verify correctness of generated signatures and he can’t
convince others to believe in the validity of these signatures.
e main reason for satisfying this property is that the
designated verier can generate an indistinguishable tran-
script from the real signatures. In [1], they also provided
a notion of strong designated verier signature (SDVS) to
resist an online eavesdropper’s attack. In a SDVS, anyone can
create an identical transcript which is indistinguishable from
real signatures. Generally speaking, a SDVS needs to satisfy
unforgeability and untransferability which were provided
by Saeednia, Kremer, and Markowitch in [2] formally. In
[3], Laguillaumie and Vergnaud added a property, that is,
privacy of signer’s identity (anonymity), which means any
adversary can’t distinguish Alice’s signature for Bob from
Cindy’s signature for Bob without Bob’s secret key.
An advantage of identity-based scheme is that the verier
doesn’t need to generate his public key setup before receiving
authenticated message from signer. In [4], Susilo, Zhang, and
Mu rst introduced the notion of identity-based SDVS (ID-
based SDVS). ey gave an eciently generic construction of
such schemes which were based on bilinear Die-Hellman
assumption.
2. Related Work
2.1. Classical ID-Based SDVS Schemes. Several classical ID-
based SDVS have been provided since the rst general con-
struction is introduced in [4]. In [5], Huang et al. proposed
a short ID-based SDVS based on bilinear pairing. eir
contributions of paper are not merely their shorter signature
size, but having two security proofs in random model and in
standard model. In addition, the scheme of [5] has anonymity
compared with [4]. Recently, Blazy et al. provided an ID-
based SDVS [6] under CDH assumption in the standard
model.
However, classical ID-based SDVS schemes can’t resist
against quantum adversaries. Hence, people try to design
postquantum ID-based SDVS schemes. With the collection of
postquantum algorithms by NIST, lattice-based cryptography
is widely studied.
Hindawi
Security and Communication Networks
Volume 2019, Article ID 9678095, 8 pages
https://doi.org/10.1155/2019/9678095