Server-Aided Verification Signature with Privacy for Mobile Computing

With the development of wireless technology, much data communication and processing has been conducted in mobile devices with wireless connection. As we know, mobile devices will always be resource-poor relative to static ones though they will improve in absolute ability; therefore, they cannot process some expensive computational tasks due to their constrained computational resources. To address this problem, server-aided computing has been studied, in which power-constrained mobile devices can outsource some expensive computation to a server with powerful resources in order to reduce their computational load. However, in existing server-aided verification signature schemes, the server can learn some information about the message-signature pair to be verified, which is undesirable especially when the message includes some secret information. In this paper, we mainly study server-aided verification signatures with privacy, in which the message-signature pair to be verified can be protected from the server. Two definitions of privacy for server-aided verification signatures are presented under collusion attacks between the server and the signer. Then, based on existing signatures, two concrete server-aided verification signature schemes with privacy are proposed, which are both proved secure.


Introduction
Recent advances in wireless technology have led to mobile computing [1,2], a technology that enables access to digital resources at any time, from any location. In mobile computing, much data communication and processing is conducted in mobile devices with wireless connection such as cell-phones, security access-cards, and sensors. Therefore, mobile computing represents the elimination of the time-and-place restrictions imposed by desktop computers and wired networks. As we know, mobile devices must be light and small to be easily carried around. Such considerations, in conjunction with a given cost and level of technology, will exact a penalty in the computational resources of mobile devices such as processor speed. While mobile devices will improve in absolute ability, they will always be computationally weak in relation to static ones. As a consequence there are tasks, which potentially could enlarge a device's range of application, which are beyond its reach. A natural solution is to outsource computations that are too expensive for one device to other devices which are more powerful or numerous and connected to the device. For example, consider a sensor that is presented with an access-card, sends it a random challenge, and receives a digital signature of the random challenge. The computation required to verify the signature involves public-key operations which are too expensive in both time and space for the sensor to run. Instead, it could outsource the verification to a powerful device in order to reduce its computational load. Recently, with the development of cloud computing, server-aided computation has received widespread attention, since it enables power-constrained devices to outsource expensive computational tasks to a server. Related works such as server-aided delegated computation [3][4][5][6][7][8] and server-aided verification signatures [9][10][11][12][13][14][15][16] have been widely studied.
Delegated computation is a protocol between two polynomial-time parties, a client and a server, to collaborate on the computation of a function . Concretely, the client wants the server to compute ( ) for any input instance by the delegated computation protocol and verify the correctness of the results returned by the server. A key requirement is that the amount of work performed by the client to generate and verify work instances must be substantially cheaper than performing the computation on its own. A server-aided verification signature scheme consists of a digital signature scheme and a server-aided verification protocol. Signatures can be verified by executing the server-aided verification protocol with the server, where the verification requires less computation than the original verification algorithm of the digital signature. Unlike delegated computation, the existing server-aided verification signature schemes can achieve the soundness of the server-aided verification protocol under their security definitions, namely, a trusted server cannot convince the verifier that an invalid signature is valid, and the verifier cannot directly verify the results computed by the server. The notion of server-aided verification signature was first introduced by Quisquater and de Soete [10] for speeding up RSA verification with a small exponent. Then, Lim and Lee [11] extended this idea into discrete-logarithm based schemes, by proposing efficient protocols for speeding up the verification of discrete-logarithm based identity proofs and signatures. Girault and Quisquater [13] introduced a different approach for server-aided verification signature which does not require precomputation or randomization. Its security remains computational, based on the hardness of a subproblem (viz. factorization) of the initial underlying problem (viz. composite discrete logarithm).
Hohenberger and Lysyanskaya [17] addressed the situation in which the server is made of two untrusted software components, which are assumed not to communicate with each other. Girault and Lefranc [14] presented a generic server-aided verification protocol for digital signatures from bilinear maps, which has been used to construct many digital signature schemes such as [18][19][20][21][22][23].
As to the security of server-aided verification signature, many efforts have been devoted to defining strong security models for it. The schemes [10,11,13,14] considered the security property based on the assumption that the malicious server does not have any valid signature on the message when it tries to prove an invalid signature of that message to be valid. Among them, the scheme [13] is computationally secure based on the hardness of a subproblem of the underlying complexity problem in the original signature scheme. To give a stronger definition of this property, Wu et al. [15] formally defined this security assuming that the malicious server may collude with the signer and obtain the secret key of the signer. They first introduced and defined the existential unforgeability of server-aided verification signatures and considered collusion between a signer and a server, who collaboratively prove an invalid signature to be valid. In addition, under their security models, they introduced the server-aided verification for the Waters signature [21] and the BLS signature [18], respectively.
Though many efforts have been devoted to the security models of the existing server-aided verification signature schemes above, they only considered soundness, which protects against a malicious server who may try to prove an invalid signature of a message to be valid. However, in some applications where the message-signature pair to be verified contains some sensitive information, for example, the message contains important business secrets or is related to medical information, the verifier does not want the server to learn anything about the message and/or the signature, in order to protect its privacy. So, the message privacy of the server-aided verification protocol is also desired besides the soundness. Though in Wu et al. [15], based on Waters signature [21] and BLS signature [18], two SA verification signature schemes (see Section 4 in [15]) were presented in which the message to be verified is not revealed to the server, the schemes cannot achieve the soundness under collusion and adaptively chosen message attacks.
In this paper, we will present two privacy definitions for server-aided verification signature under collusion by the server and the signer and adaptive chosen message attacks. A server-aided verification signature scheme with privacy also consists of a digital signature scheme and a server-aided verification protocol.
(1) The first privacy definition for the server-aided verification signature is about message privacy; namely, the server cannot learn anything about the message to be verified during the server-aided verification protocol even if it possesses the secret key of the signer. Generally, when the verifier wants the server to verify a message-signature pair, it will "blind" this message at the beginning of the server-aided verification protocol so that the server cannot obtain any information about this message, while it can verify the validity of the message-signature pair by using the server's responses.
(2) The second privacy definition for the server-aided verification signature is about message-signature privacy which is stronger than the first one, and in this definition, the server can learn nothing about the message-signature pair to be verified even if it colludes with the signer. To achieve this privacy, similarly, the verifier will "blind" the message-signature pair at the beginning of the server-aided verification protocol so that the server cannot obtain any information about the message or the signature; however it can verify the validity of the message-signature pair after the server responds.
For the two privacy notions, we present detailed and strict security models. Then, under the security models, we present two concrete constructions for server-aided verification signature based on Waters signature [21] and BLS signature [18] which, respectively, achieve message privacy and message-signature privacy. The soundness of the two constructions is proved under the strong definition of [15] assuming that the malicious server may collude with the signer and obtain the secret key of the signer. In addition, the efficiency analysis of the server-aided verification protocols shows that our two concrete server-aided verification signature schemes are both computation saving. Computation saving is probably the most obvious property that can distinguish a server-aided verification signature scheme SAV-Σ from an ordinary signature scheme Σ. This property enables the verifier in SAV-Σ to check the validity of signatures in a more computationally efficient way than that in Σ.
Organization. This paper is organized as follows. In Section 2, we will review some fundamental background, the definition of server-aided verification signatures, and the security notions defined in [15], including existential unforgeability and soundness against collusion and adaptive chosen message attacks. In Section 3, we will present the message privacy of server-aided verification signatures, give a concrete construction based on Waters signature scheme, and prove its security under our security model for message privacy. In Section 4, a stronger privacy of server-aided verification signatures named message-signature privacy will be defined and a provably secure concrete construction will be presented based on BLS signature scheme. Finally we conclude in Section 5.

Preliminaries
2.1. Syntax. Throughout the paper, if A is a randomized algorithm, then ← A( ) denotes the assignment to of the output of A on input . Unless noted, all algorithms are probabilistic polynomial-time (PPT) and we implicitly assume that they take an extra parameter in their input, where is a security parameter.
We say that (G 1 , G ) are bilinear groups if there exists the bilinear map : G 1 ×G 1 → G as above, and the group action in G 1 and G can be computed efficiently. Such groups can be built from Weil pairing or Tate pairing on elliptic curves.

Server-Aided Verification Signature.
A server-aided verification signature scheme SAV-Σ consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The first four algorithms are the same as those in an ordinary signature scheme Σ. SAV-Σ contains three parties, respectively, a signer, a verifier, and a server.
(i) ← ParamGen. This algorithm takes a security parameter as input and returns a string , which denotes the common scheme parameters, including the description of the message space M and the signature space Ω.
(ii) ( , ) ← KeyGen( ). This algorithm takes as input and outputs a key pair ( , ), where is the signing key and is the verification key.
(iii) ← Sign( , , , ). The signer takes a message ∈ M, the system parameter and the key pair ( , ) as inputs and outputs a signature .
(iv) {Valid, Invalid} ← Verify( , , , ). The verifier takes the parameter , a message-signature pair ( , ) and the public key as inputs and outputs Valid/Invalid to indicate that is a valid/invalid signature on under .
(v) VString ← SA-Verifier-Setup( ). The verifier takes as input the system parameter and outputs a string VString which contains the information that can be precomputed by it.
(vi) {Valid, Invalid} ← SA-Verify(Server( ), Verifier( , , , VString)). This is an interactive protocol between the server and the verifier where the server takes as input and the verifier takes ( , , , VString) as inputs. Finally, the verifier outputs Valid if the server can convince it that is a valid signature on . Otherwise, the verifier outputs Invalid.
In a SA verification signature scheme, we assume that the verifier has a limited computational ability and is not able to perform all computations in Verify alone. So, a SA verification signature scheme must satisfy an important property called computation saving property, which requires that the computations performed by the verifier in SA-Verify must be less than those performed in Verify.

Security Model for Server-Aided Verification Signature.
In the following, we will first present the security model for SAV-Σ with message privacy. As for the existential unforgeability of SAV-Σ, we will adopt the existential unforgeability of SAV-Σ defined in [15], which includes the existential unforgeability against adaptive chosen message attacks of Σ defined in [24] and the soundness against collusion and adaptive chosen message attacks of SA-Verify. We now present the existential unforgeability of SAV-Σ as in [15]. It requires that the adversary should not be (computationally) capable of producing a signature of a new message which can be proved as valid by SA-Verify, even if the adversary acts as a server.
Definition 1 (existential unforgeability against adaptive chosen message attacks of Σ). The adversary A and the challenger C play the following game.
(i) Setup. The challenger C runs the algorithms ParamGen and KeyGen to obtain system parameter and one key pair ( , ). The adversary A is given and .
(ii) Queries. The adversary A is allowed to make at most sign queries. For each sign query ∈ { 1 , . . . , }, the challenger C returns = Sign( , , , ) as the response.
An adversary A is said to ( , , )-break a signature scheme Σ if A runs in time at most , makes at most signature queries, and the success probability Σ−Adv A to win the game above is at least .
We say that Σ is existentially unforgeable against adaptive chosen message attacks if there exists no adversary that ( , , )-breaks it.
In the following, we will present the soundness against collusion and adaptive chosen message attacks of SA-Verify which means that the server cannot prove an invalid signature to be valid even if it colludes with the signer.
Definition 2 (soundness against collusion and adaptive chosen message attacks of SA-Verify). The adversary A and the challenger C play the following game.
(i) Setup. The challenger C runs the algorithms ParamGen, KeyGen and SA-Verifier-Setup to obtain the system parameter , one key pair ( , ) and VString. The adversary A is given and ( , ).
(ii) Queries. Proceeding adaptively, the adversary A is allowed to make at most V server-aided verification queries. The challenger C responds by executing SA-Verify with the adversary A, where the adversary A acts as the server and the challenger C acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary A.
(iii) Output. Eventually, the adversary A outputs a message * . The challenger C chooses a random invalid signature * on the message * . Namely, it chooses a random element * in Ω\Ω * , where Ω and Ω * are, respectively, the signature space and the set of valid signatures of * . We say that A wins the game if
An adversary A is said to ( , V , )-break SA-Verify's soundness against collusion and chosen message attacks if A runs in time at most , makes at most V server-aided verification queries, and the success probability Adv A to win the game above is at least .
We say that SA-Verify is ( , V , )-sound against collusion and chosen message attacks if there exists no adversary that ( , V , )-breaks it.

Server-Aided Verification Signature with Message Privacy
In this section, we will present the definition of message privacy for SA-Verify, and then, based on Waters signature scheme [21], present a concrete server-aided verification scheme with this privacy property. This privacy property is called message privacy against collusion and adaptive chosen message attacks. In this definition, the server is allowed to collude with the signer. Concretely, the server can obtain the key pair ( , ) of the signer and therefore can create the signature on any message. In addition, we will assume that the server cannot obtain the message-signature pairs that have been created by the signer before; equivalently, the signer does not store any message-signature pair that it has created. (Actually, this can be achieved by performing the blind signature scheme presented in [25] between the signer and the verifier instead of performing the ordinary signature scheme. After the blind signature scheme, the verifier can obtain the ordinary message-signature pair without the signer learning anything about this pair. Then the verifier lets the server verify the message-signature pair by performing SA-Verify. In this sense, even if the server colludes with the signer, it cannot obtain more information about the signed messages from the signer than it can obtain on its own. To state our privacy definition below more clearly, we simply assume that the server cannot obtain any message-signature pair which the signer has created for the verifier before.)

Definition of Message Privacy.
A server-aided verification signature scheme with message privacy SAV-Σ also consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The following is the definition of message privacy for the server-aided verification protocol under the collusion and adaptive chosen message attacks. In this definition, the server cannot obtain any information about the message to be verified under the collusion and adaptive chosen message attacks.
Definition 3 (message privacy of SA-Verify). We say that SA-Verify satisfies ( , V , )-message privacy against collusion and adaptive chosen message attacks if there exists no adversary A who runs in time at most , makes at most V server-aided verification queries, and succeeds with probability at least in the following game with the challenger C. The game is defined as follows.
(i) Setup. The challenger C runs the algorithms ParamGen, KeyGen and SA-Verifier-Setup to obtain system parameter param, one key pair ( , ), and VString. The adversary A is given param and ( , ). Note that A can generate any message-signature pair with the secret-public key pair ( , ); however, as we assumed, it cannot obtain any message-signature pair that has been created by the signer before.
(ii) Queries. Proceeding adaptively, the adversary A is allowed to make at most V server-aided verification queries. The challenger C responds by executing SA-Verify with the adversary A, where the adversary A acts as the server and the challenger C acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary A.
(iii) Challenge. A outputs two messages 0 , 1 , and sends them to the challenger C. C chooses a bit ∈ {0, 1} at random and also chooses an element either randomly from Ω 0 or randomly from Ω 1 , where Ω 0 and Ω 1 are, respectively, the signature space of 0 and 1 . Then C and A interact with each other by running SA-Verify(A, C ( , , ,VString) ), where A plays as a server and C plays as a verifier. After the interaction, C sends the output of SA-Verify(A, C ( , , ,VString) ) to A.
(iv) Output. Finally, A outputs a bit ∈ {0, 1}. We say that A wins the game with probability if
Similar to Wu et al. [15], in the Setup phase of the game above, VString is not provided to the adversary, who is now acting as a server, since VString might contain some private information of the verifier, which must be kept secret in server-aided verification signatures. In the definition, adversary A acts as the server and the challenger C acts as the verifier, which will help A extract some information from VString.

Concrete SA Verification Signature with Message Privacy.
In the following, we will first present a concrete SA verification signature scheme with message privacy based on Waters signature [21]. The SA verification signature scheme with message privacy SAV-Σ consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The first four algorithms are the same as those in Waters signature scheme [21]. As is well known, due to the elegant properties of pairing computation on elliptic curves, pairing has been widely employed as a building block for many cryptographic schemes, in particular in the construction of digital signatures. However, performing a pairing on an elliptic curve requires much more computational cost than executing both an exponentiation and a multiplication [16, 26-30], and for a power-constrained verifier who must execute multiple pairing computations during the verification of a message-signature pair, reducing its computational load is a meaningful task. In Waters signature [21], the verifier has to compute two pairings; however, in SAV-Σ its computational load is reduced and it does not compute any pairing. The concrete SA verification signature with message privacy based on Waters signature is described in detail as follows.
In the following, by Theorems 4 and 5, we will show that our SA verification signature scheme above is secure under our security model; namely, the SA verification protocol described in Algorithm 1 is sound against collusion and adaptive chosen message attacks and also satisfies message privacy against collusion and adaptive chosen message attacks.
Since Waters signature scheme has been proved existentially unforgeable against adaptive chosen message attacks, in order to prove that our SA verification signature scheme above is secure, we need only prove that the SA verification protocol described in Algorithm 1 satisfies soundness against collusion and adaptive chosen message attacks as defined in Definition 2 and message privacy against collusion and adaptive chosen message attacks.
Proof. In order to prove that the SA verification protocol in Algorithm 1 is ( , V , 1/( − 1))-sound against collusion and adaptive chosen message attacks, we will show that the adversary can only prove an invalid signature as valid with probability at most 1/( − 1). The challenger and the adversary play the following game.
(ii) Queries. The adversary A is allowed to make at most V server-aided verification queries. The challenger C responds by executing SA-Verify with the adversary A, where the adversary A acts as the server and the challenger C acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary A.
The challenger sends ( , 1 , 2 ) to A such that
Since the adversary can only obtain ( , 1 , 2 ) from the challenger, from the equation set (5), we can see that the adversary can only obtain * with probability 1/( − 1). Furthermore, from (6) below, we can directly deduce (7) as follows:
*
Since the adversary can only guess * with probability 1/( − 1), and ( * 2 / * 3 ) is uniquely determined by * , the adversary can only give out a pair ( * 2 , * 3 ) satisfying (6) with probability 1/( − 1). This completes the proof of Theorem 4.
Proof. In order to prove that the SA verification protocol in Algorithm 1 satisfies ( , V , 1/2)-message privacy against collusion and adaptive chosen message attacks, we will show that the adversary can only succeed with probability at most 1/2 in the game with the challenger described as follows.
(ii) Queries. The adversary A is allowed to make at most V server-aided verification queries. The challenger C responds by executing SA-Verify with the adversary A, and, at the end of each execution, returns the output of SA-Verify to the adversary A.
(iii) Challenge. A outputs two messages 0 and 1 and sends them to the challenger C. C chooses a bit ∈ {0, 1} at random and also chooses = ( 1 , 2 ) either randomly from Ω 0 or randomly from Ω 1 , where Ω 0 and Ω 1 are, respectively, the signature spaces of 0 and 1 . Then C and A interact with each other by running SA-Verify (A, C ( , , ,VString) ), where A plays as a server and C plays as a verifier. Concretely, the challenger chooses two random elements * , * ∈ Z * , computes = 0 ∏ ∈M , = ⋅ * , and 1 = 1 ⋅ * ⋅ * 2 , and sends ( , 1 , 2 ) to the adversary. Then the adversary returns * 2 and * 3 to the challenger. After the interaction, C sends the output of SA-Verify(A, C ( , , ,VString) ) to A.
(iv) Output. Finally, A outputs a bit ∈ {0, 1}. We will show that A can only succeed with probability 1/2.
Efficiency Analysis. The SA verification signature with privacy based on Waters signature above is computation saving and efficient. In the following, we will analyze the efficiency of the SA-Verify algorithm by comparing it with that of Waters signature scheme. In Waters signature scheme [21], to verify a message-signature pair ( , = ( 1 , 2 )), the verifier needs to compute = 0 ∏ ∈M , which takes multiplications in G 1 , ⋅ ( , 2 ), which takes 1 multiplication in G , and two pairings ( , 2 ) and ( 1 , ). However, in our server-aided verification signature scheme, the verifier can first precompute a pairing ( , ) which can be used by multiple SA-Verify protocols. Then in a SA-Verify protocol, the verifier needs to compute in total 3 exponentiations in G 1 and 1 exponentiation in G as well as 3 + multiplications in G 1 and 3 multiplications in G . As noted above, performing a pairing on an elliptic curve requires much more computational cost than executing both an exponentiation and a multiplication. So our SA verification signature scheme based on Waters signature is computation saving and efficient.

Server-Aided Verification Signature with Message-Signature Privacy
In this section, we will present a stronger definition of privacy, namely, message-signature privacy against collusion and adaptive chosen message attacks. Then based on BLS signature scheme [18], a concrete server-aided verification scheme with this privacy property will be presented. We assume that the server can obtain the key pair ( , ) of the signer and cannot obtain the message-signature pairs that have been created by the signer. Under this assumption, the server cannot obtain anything about the message-signature pair.

Definition of Message-Signature Privacy.
A server-aided verification signature scheme with message-signature privacy SAV-Σ also consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify.
Definition 6 (message-signature privacy of SA-Verify). We say that SA-Verify satisfies ( , V , )-message-signature privacy against collusion and adaptive chosen message attacks if there exists no adversary A who runs in time at most , makes at most V server-aided verification queries, and succeeds with probability at least in the following game with the challenger C. The game is defined as follows.
(i) Setup. The challenger C runs the algorithms ParamGen, KeyGen and SA-Verifier-Setup to obtain the system parameter , one key pair ( , ), and VString. The adversary A is given and ( , ). Similar to the definition of message privacy for SA verification signature, A can generate any message-signature pair with the key pair ( , ); however as we assumed, it cannot obtain any message-signature pair that has been created by the signer before.
(ii) Queries. Proceeding adaptively, the adversary A is allowed to make at most V server-aided verification queries. The challenger C responds by executing SA-Verify with the adversary A, where the adversary A acts as the server and the challenger C acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary A.
(iii) Challenge. A outputs two pairs ( 0 , 0 ) and ( 1 , 1 ), where is a valid signature on for = 0, 1. Then A sends them to the challenger C. C chooses a bit ∈ {0, 1} at random and interacts with A by running SA-Verify(A, C ( , , ,VString) ), where A plays as a server and C plays as a verifier. After the interaction, C sends the output of SA-Verify(A, C ( , , ,VString) ) to A.

Concrete SA Verification Signature with Message-Signature Privacy.
In this section, we will present a SA verification signature scheme which satisfies message-signature privacy against collusion and adaptive chosen message attacks. This scheme is constructed based on BLS signature [18], and also consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The first four algorithms are the same as those in BLS signature scheme [18]. By executing the SA-Verifier-Setup and SA-Verify algorithms, the computational load of the verifier can be reduced. In BLS signature [18], the verifier has to compute two pairings; however, in the following SAV-Σ it needs only to compute one pairing.
(vi) {Valid, Invalid} ← SA-Verify(Server( ), Verifier( , , , VString)). This is an interactive protocol between the server and the verifier which is shown in Algorithm 2.
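As an added illustration (not the paper's Algorithm 2, which is not reproduced on this page), the following Python models the blinding idea of this section for BLS: the verifier hides the pair (m, σ) with fresh randomness r, s before handing the pairing work to the server, then unblinds the response against a precomputed e(g, g). It assumes a toy bilinear group in which every element is stored as its discrete logarithm modulo a small constructed prime Q, so it models only the algebra and is not secure; the hash H and the protocol messages A, B are constructed here and do not come from the paper.

```python
"""Toy model of blinded server-aided BLS verification (added illustration).

Group elements are stored as discrete logarithms modulo a small prime Q: the
G_1 element g^a is the integer a, the G_T element e(g,g)^t is t, and the
pairing e(g^a, g^b) = e(g,g)^{ab} becomes multiplication of exponents.  This
reproduces the bilinear algebra exactly but is NOT secure (discrete logs are
trivial here); it only checks that blinding and unblinding are consistent and
that the server's view does not depend on which pair is being verified.
"""
import hashlib
import secrets

Q = 1_000_003  # constructed toy prime group order; a real scheme uses ~256 bits


def hash_to_g1(message: bytes) -> int:
    """H: {0,1}* -> G_1, modelled as SHA-256 reduced into Z_Q (constructed)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def pairing(a: int, b: int) -> int:
    """e(g^a, g^b) = e(g,g)^{ab}, i.e. a*b on exponents."""
    return (a * b) % Q


def g1_exp(a: int, k: int) -> int:   # (g^a)^k
    return (a * k) % Q


def g1_mul(a: int, b: int) -> int:   # g^a * g^b
    return (a + b) % Q


def gt_exp(t: int, k: int) -> int:   # (e(g,g)^t)^k
    return (t * k) % Q


def gt_div(t: int, u: int) -> int:   # e(g,g)^t / e(g,g)^u
    return (t - u) % Q


def rand_zq_star() -> int:
    return secrets.randbelow(Q - 1) + 1


# --- BLS signature in the toy model: pk = g^x, sigma = H(m)^x --------------
def keygen():
    x = rand_zq_star()
    return x, g1_exp(1, x)          # (sk, pk); the generator g is stored as 1


def sign(sk: int, message: bytes) -> int:
    return g1_exp(hash_to_g1(message), sk)


def verify(pk: int, message: bytes, sigma: int) -> bool:
    """Ordinary BLS check e(H(m), pk) == e(sigma, g): two pairings."""
    return pairing(hash_to_g1(message), pk) == pairing(sigma, 1)


# --- Blinded server-aided verification -------------------------------------
def sa_verifier_setup() -> int:
    """VString: the pairing e(g, g), precomputed once and reused."""
    return pairing(1, 1)


def blind_with(message: bytes, sigma: int, r: int, s: int):
    """A = H(m)^r hides the message; B = sigma^r * g^s hides the signature."""
    a = g1_exp(hash_to_g1(message), r)
    b = g1_mul(g1_exp(sigma, r), g1_exp(1, s))
    return a, b


def blind(message: bytes, sigma: int):
    """Verifier step 1: pick fresh r, s in Z_Q^* and blind the pair."""
    r, s = rand_zq_star(), rand_zq_star()
    return blind_with(message, sigma, r, s), (r, s)


def server_respond(pk: int, view):
    """Server step: the two pairings, computed on blinded inputs only."""
    a, b = view
    return pairing(a, pk), pairing(b, 1)


def unblind_and_check(vstring: int, coins, response) -> bool:
    """Verifier step 2: e(B, g) / e(g,g)^s = e(sigma, g)^r must equal e(A, pk).

    For a valid signature e(A, pk) = e(H(m), pk)^r = e(sigma, g)^r, so the
    equality holds; for an invalid one it fails because r is non-zero mod Q.
    """
    _, s = coins
    t1, t2 = response
    return t1 == gt_div(t2, gt_exp(vstring, s))


def sa_verify(pk: int, vstring: int, message: bytes, sigma: int) -> bool:
    view, coins = blind(message, sigma)
    return unblind_and_check(vstring, coins, server_respond(pk, view))


def consistent_coins(view, message: bytes, sigma: int):
    """Toy-model-only helper (needs discrete logs): the unique (r, s) under
    which (message, sigma) blinds to `view`.  Every candidate pair has exactly
    one such (r, s), so the view is distributed identically for b = 0 and
    b = 1: the server learns nothing about which pair is being verified."""
    a, b = view
    r = (a * pow(hash_to_g1(message), -1, Q)) % Q
    return r, (b - sigma * r) % Q
```

Because the server here can compute discrete logarithms, the toy model says nothing about soundness against a colluding server; that argument is the paper's Theorem 7 and needs the real group.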
In the following, by Theorems 7 and 8, we will show that our SA verification signature scheme above is secure under our security model; namely, the SA verification protocol described in Algorithm 2 is sound against collusion and adaptive chosen message attacks and also satisfies message-signature privacy against collusion and adaptive chosen message attacks.
Theorem 7. The SA verification protocol described in Algorithm 2 satisfies soundness against collusion and adaptive chosen message attacks.
Proof. In order to prove that the SA verification protocol in Algorithm 2 is ( , V , 1/( − 1))-sound against collusion and adaptive chosen message attacks, we will show that the adversary can only prove an invalid signature as valid with probability at most 1/( − 1). The challenger and the adversary play the following game.
(ii) Queries. The adversary A is allowed to make at most V server-aided verification queries. The challenger C responds by executing SA-Verify with the adversary A. At the end of each execution, the challenger returns the output of SA-Verify to the adversary.
From (10), we can directly deduce (11):
Since ( * , * ) is chosen randomly from Z * , from the equation set (7), we can see that the adversary can only obtain and with probability 1/( − 1). Furthermore, from the following, (13) can be deduced:
*
We can see that * 3 / * 4 is determined by * and * . Since
Proof. In order to prove that the SA verification protocol in Algorithm 2 satisfies ( , V , 1/2)-message-signature privacy against collusion and adaptive chosen message attacks, we will show that the adversary can only succeed with probability at most 1/2 in the game with the challenger described as follows.
(i) Setup. The challenger generates the system parameter ( , G 1 , G , , , , ), and the secret key = and the public key = .
Then it also computes 1 = ( , ). Finally the challenger sends ( , G 1 , G , , , , , , ) to the adversary.
Table 2: Computation cost of the verifier (pairings, exponentiations, multiplications, hash functions).
BLS [18]: 2 pairings, 0 exponentiations, 0 multiplications, 1 hash function.
Our scheme: 1 pairing, 2(G 1 ) + 2(G ) exponentiations, 2(G 1 ) + 2(G ) multiplications, 1 hash function.
(ii) Queries. The adversary A is allowed to make at most V server-aided verification queries. The challenger C responds by executing SA-Verify with the adversary A, and, at the end of each execution, returns the output of SA-Verify to the adversary A.
(iv) Output. Finally, A outputs a bit ∈ {0, 1}. We will show that A can only succeed with probability 1/2.
Efficiency Analysis. In the following, we will show that our SA verification signature scheme based on BLS signature above is computation saving and efficient. We will analyze the efficiency of the SA-Verify algorithm by comparing it with that of BLS signature scheme [18]. In BLS signature scheme [18], to verify a message-signature pair ( , ), the verifier needs to compute ( ), which takes 1 hash function evaluation, and two bilinear pairings ( ( ), ) and ( , ). However, in our server-aided verification signature scheme, the verifier can first precompute a pairing ( , ) which can be used by multiple SA-Verify protocols. Then in a SA-Verify protocol, the verifier needs to compute in total 2 exponentiations in G 1 and 2 exponentiations in G as well as 2 multiplications in G 1 , 2 multiplications in G , and 1 hash function evaluation. From the comparison, we can see that our SA verification signature scheme based on BLS signature is computation saving. The concrete computation cost comparison of the verifier in the verification of BLS signature and in SA-Verify of Algorithm 2 is shown in Table 2.

Conclusion
In this paper, we studied SA verification signature schemes with message-signature privacy for mobile computing. A power-constrained mobile device can outsource the verification of a signature to a server with powerful resources in order to reduce its computational load. We first presented two definitions for the privacy of the server-aided verification protocol, named message privacy and message-signature privacy, respectively, under collusion and adaptive chosen message attacks. Then, under our security models, two concrete constructions based on existing signature schemes were presented and proved secure. By efficiency analysis, we showed that the two concrete schemes are both computation saving and efficient.