A strong designated verifier signature scheme makes it possible for a signer to convince a designated verifier that she has signed a message, in such a way that the designated verifier cannot transfer the signature to a third party and no third party can even verify the validity of a designated verifier signature. In 2005, Lipmaa, Wang, and Bao identified a new essential security property of designated verifier signature schemes, nondelegatability. Briefly, in a nondelegatable designated verifier signature scheme, neither the signer nor the designated verifier can delegate the signing rights to any third party without revealing their secret keys. This paper shows that four recently proposed strong designated verifier signature schemes are delegatable: they do not satisfy the nondelegatability security requirement of strong designated verifier signature schemes.
1. Introduction
Ensuring the integrity and the authenticity of the origin of a message is one of the goals of cryptography, and the standard authentication tools are digital signatures. Digital signature schemes allow the receiver of a signature, Bob, to verify that the signature received was indeed sent by the sender, Alice, and Bob can convince any third party that Alice has indeed sent him the message. This is also referred to as nonrepudiation, in the sense that Alice cannot deny the fact that she has sent a signature to Bob. Nonrepudiation is a very useful property for the authenticity of the origin of a message when a dispute could occur at some later time. On the other hand, in numerous applications such as tendering, electronic voting, or electronic auctions, the public verification and nonrepudiation properties of a signature are not desired. Let us consider the following example [1].
Suppose that a public institution initiates a call for tenders, asking some companies to propose their prices for a set of instruments and tasks to be accomplished. The institution may require the companies to sign their offers in order to make sure that they are actually authentic and originate from whom they claim to be. This is a valid requirement, but no company involved in this process wants its offer to affect other tenders’ decisions. That is, a company may capture a competitor’s signed offer on the transmission line (to the institution) and prepare its own offer accordingly in order to increase its chance of being selected by the institution. The question raised here is about the conflict between authenticity and privacy.
To satisfy the above requirements in signature schemes, Jakobsson et al. [2] first proposed the concept of strong designated verifier signatures (SDVS). An SDVS scheme is a special type of digital signature which provides message authentication without nonrepudiation. In an SDVS scheme, suppose Alice, the signer, has sent a signature to Bob, the designated verifier. Bob can use his private key to verify the validity of the signature, but Bob cannot prove to a third party that Alice created the signature, since Bob can efficiently simulate signatures that are indistinguishable from Alice’s. SDVS fit into various cryptographic applications such as privacy-preserving cloud computing [3] and social networks [4]. They are also useful in some new fields, such as cognitive computing [5], where a brainy robot needs to authenticate its owner and keep no evidence of its owner’s authentication.
After Saeednia et al. [1] formalized the notion of SDVS in 2003, many SDVS schemes were proposed [6–18]. Based on nondelegatability, an essential security property of designated verifier signature schemes proposed by Lipmaa, Wang, and Bao in 2005, Huang et al. [14] proposed a security model for SDVS schemes. The model is stricter than the previous one [11], and all of the schemes [6–13] are insecure in Huang et al.’s model. In a nondelegatable designated verifier signature scheme, neither the signer nor the designated verifier can delegate the signing rights to any third party without revealing their secret keys. Recently, four strong designated verifier signature schemes have been proposed [15–18]. In this work, we show that all four schemes are delegatable and are therefore insecure.
The remainder of this paper is organized as follows. Some basic concepts are introduced in Section 2. In Section 3, we review four designated verifier signature schemes and present delegation attacks on them. Finally, Section 4 concludes the paper.
2. Preliminaries
In this section, we briefly review the basic concepts of bilinear pairings and the model of strong designated verifier signatures.
2.1. Basic Concepts on Bilinear Pairings
Let $G_1$ be a cyclic additive group and $G_2$ a cyclic multiplicative group of the same order $q$. An admissible bilinear pairing is a map $e: G_1 \times G_1 \to G_2$ which satisfies the following properties.
Bilinearity. One has $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in Z_q^*$. This can also be stated as $e(P+Q, R) = e(P, R)\,e(Q, R)$ and $e(P, Q+R) = e(P, Q)\,e(P, R)$ for all $P, Q, R \in G_1$.
Nondegeneracy. There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
Computability. There is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.
Definition 1 (BDH problem).
Given a randomly chosen $P \in G_1$, as well as $aP, bP, cP$ (for unknown, randomly chosen $a, b, c \in Z_q^*$), compute $e(P, P)^{abc}$.
Definition 2 (BDH assumption).
The $(t, \varepsilon)$-BDH assumption holds in the bilinear setting $(G_1, G_2, e, q, P)$ if there is no probabilistic polynomial-time adversary $\mathcal{A}$ that runs in time at most $t$ and satisfies $\Pr[a, b, c \in Z_q^* : e(P, P)^{abc} \leftarrow \mathcal{A}(aP, bP, cP)] > \varepsilon$.
2.3. Model of Strong Designated Verifier Signature Scheme
Here, we introduce the concept of strong designated verifier signatures in the identity-based setting. An identity-based strong designated verifier signature scheme (IDSDVS) consists of the following five algorithms (which may be randomized).
Parameter Generation (Setup) is an algorithm that accepts a security parameter $k$ and outputs a string consisting of the system parameters and the master key.
Key Extraction (Extract) is an algorithm that accepts the system parameters, the master key, and an arbitrary string $ID \in \{0,1\}^*$ and outputs a private key $U_{ID}$. Here $ID$ is the user's identity and is used as the user's public key.
Signature Generation (Sign) is an algorithm that accepts the system parameters, the signer's private key $U_{ID}$, a message $m$, and the designated verifier's public key $ID_V$ and outputs the signature $\delta$ on the message $m$.
Designated Verification (Ver) is an algorithm that accepts the system parameters, the signer's identity $ID_S$, a message $m$, the designated verifier's public key $ID_V$ and private key $u_V$, and the signature $\delta$ on the message $m$, and outputs either accept or reject as the verification decision.
Transcript Simulation is the algorithm that the designated verifier runs to produce identically distributed transcripts which are indistinguishable from the signatures produced by the signer.
The IDSDVS scheme should satisfy the following security properties.
Correctness. A properly formed IDSDVS must be accepted by the verifying algorithm.
Nontransferability. We require an IDSDVS scheme to be nontransferable. The nontransferability property is ensured by a transcript simulation algorithm that every designated verifier can run to produce a signature indistinguishable from the one that would be produced by the signer.
Unforgeability. It is computationally infeasible to construct a valid IDSDVS signature without the knowledge of the private key of either the signer or the designated verifier.
Nondelegatability. It requires an adversary to “know” a secret key of a signer or a designated verifier if the adversary can produce a valid signature on a message.
3. Four Designated Verifier Signature Schemes and Attacks on Them
3.1. Lee et al.’s Scheme
Lee et al.’s scheme [16] can be described as follows.
Let $p$ and $q$ be two large primes such that $q \mid p-1$, and let $g$ be an element of $Z_p^*$ of order $q$. The message to be signed is $m \in Z_p$. Let the signer Alice’s public key be $y_A = g^{x_A} \bmod p$, where $x_A \in Z_q^*$ is her secret key, and the designated verifier Bob’s public key be $y_B = g^{x_B} \bmod p$, where $x_B \in Z_q^*$ is his secret key. The one-way hash function $H$ outputs values in $Z_q$. Suppose that Alice wants to send a strong designated verifier signature $(t, c, r, s)$ with a message $m$ to Bob.
Signature Generation. Alice chooses two random numbers $k_1 \in Z_q^*$ and $k_2 \in Z_q$ and generates the signature $(t, c, r, s)$ as follows:
(1) $t = g^{k_1} \bmod p,\quad c = m\,y_B^{k_2} \bmod p,\quad r = H(m, g^{k_2}),\quad s = k_1^{-1}(x_A r - k_2) \bmod q.$
Message Recovery and Verification. Upon receiving $(t, c, r, s)$ from Alice, Bob recovers the message and verifies the signature by computing
(2) $m = c\,(t^{s} y_A^{-r})^{x_B} \bmod p,\quad r \stackrel{?}{=} H(m, y_A^{r} t^{-s}).$
Transcript Simulation. Bob can simulate the designated verifier signature $(t, c, r, s)$ of $m$. Bob selects two random values $w_1 \in Z_q^*$ and $w_2 \in Z_q$. Then he computes $(t, c, r, s)$ as follows:
(3) $t = y_A^{w_1^{-1}} \bmod p,\quad c = m\,y_A^{x_B w_1^{-1} w_2} \bmod p,\quad r = H(m, y_A^{w_1^{-1} w_2}),\quad s = w_1 r - w_2 \bmod q.$
Attack on Lee et al.’s Scheme. Assume that the signer discloses $D = y_B^{x_A}$, or the designated verifier discloses $y_A^{x_B}$ ($= y_B^{x_A}$), to a third party $T$. Given any message $m^*$, $T$ selects two random values $d_1 \in Z_q^*$ and $d_2 \in Z_q$. Then he computes $(t^*, c^*, r^*, s^*)$ as follows:
(4) $t^* = y_A^{d_1^{-1}} \bmod p,\quad c^* = m^* D^{d_1^{-1} d_2} \bmod p,\quad r^* = H(m^*, y_A^{d_1^{-1} d_2}),\quad s^* = d_1 r^* - d_2 \bmod q.$
$T$ thus generates a simulated signature $(t^*, c^*, r^*, s^*)$. Bob verifies whether $r^* = H(m^*, y_A^{r^*} t^{*-s^*})$ and recovers the message $m^* = c^* (t^{*s^*} y_A^{-r^*})^{x_B} \bmod p$. The verification accepts since
(5) $c^* (t^{*s^*} y_A^{-r^*})^{x_B} = m^* D^{d_1^{-1} d_2} \big(y_A^{d_1^{-1}(d_1 r^* - d_2)} y_A^{-r^*}\big)^{x_B} = m^* D^{d_1^{-1} d_2} \big(y_A^{-d_1^{-1} d_2}\big)^{x_B} = m^*,$
$H(m^*, y_A^{r^*} t^{*-s^*}) = H\big(m^*, y_A^{r^*} (y_A^{d_1^{-1}})^{-(d_1 r^* - d_2)}\big) = H(m^*, y_A^{d_1^{-1} d_2}) = r^*.$
Note that the third step of (5) uses $D = y_A^{x_B}$, so $D^{d_1^{-1} d_2}$ and $(y_A^{-d_1^{-1} d_2})^{x_B}$ cancel. Therefore, Lee et al.’s scheme is delegatable.
3.2. Yang et al.’s Scheme
Yang et al.’s certificateless strong designated verifier signature scheme [18] consists of the following six algorithms.
Setup. Given a security parameter $l$, a KGC chooses two groups $G_1$ and $G_2$ of the same prime order $q > 2^l$ and a modified Tate pairing $e: G_1 \times G_1 \to G_2$. $P$ is a generator of the group $G_1$; then the KGC selects two distinct cryptographic hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \times G_1^3 \to Z_q^*$, picks a random $s \in Z_q^*$ as the master key, computes the system public key $P_0 = sP$, and publishes $\mathit{params} := \{l, G_1, G_2, e, q, P, P_0, H_1, H_2\}$ but keeps $s$ secret.
Partial-Private-Key-Extract. Given an identity $ID_i \in \{0,1\}^*$, $i \in \{A, B\}$ (this paper assumes that user $A$ is the signer and $B$ is the designated verifier), the KGC computes $Q_i = H_1(ID_i)$ and $d_i = sQ_i$ and sends $d_i$ to the user with identity $ID_i$ as his partial private key over a secure channel.
User-Key-Extract. On input $\mathit{params}$ and the user’s identity $ID_i$ ($i \in \{A, B\}$), the algorithm picks a random $x_i \in Z_q^*$ as the user’s secret value and computes $pk_i = x_i P$ as his public key.
CLSDVS-Sign. On input $\mathit{params}$, signer $A$’s identity $ID_A$, his private key pair $(d_A, x_A)$, and a message $m \in \{0,1\}^*$, the algorithm works as follows.
Pick a random value $r \in Z_q^*$ and compute $U = rP$.
Compute $h = H_2(m, U, pk_A, x_A pk_B) \in Z_q^*$.
Compute $V = rP_0 + h d_A$ and $T = e(V, Q_B)$.
The signature on message $m$ is $\sigma = (U, T)$.
CLSDVS-Verify. To verify a signature $\sigma$ on a message $m$ for an identity $ID_A$ with public key $pk_A$, the designated verifier $B$ acts as follows.
Parse $\sigma = (U, T)$.
Compute $h = H_2(m, U, pk_A, x_B pk_A) \in Z_q^*$.
Accept the signature and return 1 if and only if the following equation holds:
(6) $T \stackrel{?}{=} e(U + hQ_A, d_B).$
CLSDVS-Simulation. The designated verifier $B$ cannot prove to a third party that a signature $\sigma = (U, T)$ on a message $m$ was produced by signer $A$, since he can also create an indistinguishable signature $\sigma'$ on $m$ by the following means.
Pick a random $r' \in Z_q^*$ and compute $U' = r'P$.
Set $h' = H_2(m, U', pk_A, x_B pk_A)$.
Compute $T' = e(U' + h'Q_A, d_B)$.
The signature on the message $m$ is $\sigma' = (U', T')$.
Attack on Yang et al.’s Scheme. In the CLSDVS-Verify algorithm, bilinearity gives
(7) $T = e(U + hQ_A, d_B) = e(U, d_B)\,e(Q_A, d_B)^{h}.$
Hence, once a third party $W$ obtains $(V_1, V_2) = (x_A pk_B, e(Q_A, d_B))$, $W$ picks a random value $r^* \in Z_q^*$ and computes
(8) $U^* = r^*P,\quad h^* = H_2(m^*, U^*, pk_A, V_1),\quad T^* = V_2^{h^*}\, e(P_0, r^* Q_B).$
$W$ thereby obtains a simulated signature $\sigma^* = (U^*, T^*)$, because
(9) $h^* = H_2(m^*, U^*, pk_A, V_1) = H_2(m^*, U^*, pk_A, x_B pk_A),$
$T^* = V_2^{h^*}\, e(P_0, r^* Q_B) = e(h^* Q_A, d_B)\, e(r^* P, d_B) = e(h^* Q_A + U^*, d_B).$
So $\sigma^* = (U^*, T^*)$ is a valid signature. Therefore, Yang et al.’s scheme is delegatable.
3.3. Lee et al.’s Scheme
Lee et al.’s strong designated verifier signature scheme [15] is as follows.
Let $p$ and $q$ be two large primes such that $q \mid p-1$, and let $g$ be an element of $Z_p^*$ of order $q$. Let the signer Alice’s public key be $y_A = g^{x_A} \bmod p$, where $x_A \in Z_q^*$ is her secret key, and the designated verifier Bob’s public key be $y_B = g^{x_B} \bmod p$, where $x_B \in Z_q^*$ is his secret key. The one-way hash function $H$ outputs values in $Z_q$. Suppose that Alice wants to send a strong designated verifier signature with a message $m$ to Bob.
Signature Generation. Alice selects a random value $k \in Z_q^*$. She computes $r$, $s$, and $t$ as follows:
(10) $r = g^{k} \bmod p,\quad s = k + x_A r \bmod q,\quad t = H(m, y_B^{s} \bmod p).$
Then, the signature is $\sigma = (r, t)$.
Signature Verification. Upon receiving $m$ and $\sigma$, Bob can verify the validity of the signature by checking whether $t = H(m, (r\,y_A^{r})^{x_B} \bmod p)$.
Signature Simulation. Bob can simulate the transcript $\sigma' = (r', t')$ for the message $m$ by selecting a random number $k' \in Z_q^*$ and computing $r'$ and $t'$ as follows:
(11) $r' = g^{k'} \bmod p,\quad t' = H(m, (r'\,y_A^{r'})^{x_B} \bmod p).$
Attack on Lee et al.’s Scheme. Assume that the signer discloses $y_B^{x_A}$, or the designated verifier discloses $y_A^{x_B}$ ($= y_B^{x_A}$), to a third party $T$. Given any message $m^*$, $T$ selects a random number $k^* \in Z_q^*$ and computes
(12) $r^* = g^{k^*} \bmod p,\quad t^* = H(m^*, y_B^{k^*} (y_A^{x_B})^{r^*} \bmod p).$
$T$ thus generates a simulated signature $(r^*, t^*)$. Bob verifies whether $t^* = H(m^*, (r^*\,y_A^{r^*})^{x_B} \bmod p)$. The verification accepts since
(13) $H(m^*, (r^*\,y_A^{r^*})^{x_B} \bmod p) = H(m^*, (g^{k^*} y_A^{r^*})^{x_B} \bmod p) = H(m^*, y_B^{k^*} (y_A^{x_B})^{r^*} \bmod p).$
Therefore, Lee et al.’s scheme is delegatable.
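The two discrete-logarithm schemes above (Section 3.1, Lee et al. [16], and Section 3.3, Lee et al. [15]) share the same weakness: the value $D = y_B^{x_A} = y_A^{x_B}$ is all the simulation algorithm ever uses of the secret keys, so whoever holds $D$ can sign. The following Python program is an added worked example, not code from the paper or from the schemes' authors. It implements equations (1)–(4) and (10)–(12) over toy parameters ($p = 2039$, $q = 1019$, $g = 4$, constructed for this example; the hash $H$ is SHA-256 reduced modulo $q$, which is an assumption, since the paper leaves $H$ unspecified) and checks that a real signature, Bob's simulated signature, and a signature produced by a third party holding only $D$ all pass Bob's verification.

```python
import hashlib
import secrets

# Constructed toy parameters for this example (not from the paper): p = 2q + 1 with
# p, q prime, and g = 4 generates the order-q subgroup of Z_p^*. Real deployments
# use parameters of cryptographic size; the algebra below does not depend on size.
P = 2039
Q = 1019
G = 4
assert (P - 1) % Q == 0 and G != 1 and pow(G, Q, P) == 1


def H(*parts):
    """One-way hash with outputs in Z_q (assumed: SHA-256 over the inputs, reduced mod q)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_zq_star():
    return secrets.randbelow(Q - 1) + 1


def keygen():
    """Returns (x, y = g^x mod p): a user's secret key and public key."""
    x = rand_zq_star()
    return x, pow(G, x, P)


# --- Section 3.1: Lee et al.'s scheme with message recovery [16] ---

def mr_sign(m, x_a, y_b):
    """Equation (1): Alice signs m (an element of Z_p) for the verifier with public key y_b."""
    k1, k2 = rand_zq_star(), secrets.randbelow(Q)
    t = pow(G, k1, P)
    c = m * pow(y_b, k2, P) % P
    r = H(m, pow(G, k2, P))
    s = pow(k1, -1, Q) * (x_a * r - k2) % Q
    return t, c, r, s


def mr_recover(sig, y_a, x_b):
    """Equation (2): Bob recovers m and checks r; returns m on success, None on failure."""
    t, c, r, s = sig
    m = c * pow(pow(t, s, P) * pow(y_a, (-r) % Q, P) % P, x_b, P) % P
    ok = r == H(m, pow(y_a, r, P) * pow(t, (-s) % Q, P) % P)
    return m if ok else None


def mr_simulate(m, y_a, d):
    """Equations (3)/(4): simulation that needs only y_A and D = y_A^{x_B} = y_B^{x_A}.
    Bob runs this with D = y_A^{x_B}; a third party who was handed D runs the same code."""
    w1, w2 = rand_zq_star(), secrets.randbelow(Q)
    w1_inv = pow(w1, -1, Q)
    t = pow(y_a, w1_inv, P)
    c = m * pow(d, w1_inv * w2 % Q, P) % P
    r = H(m, pow(y_a, w1_inv * w2 % Q, P))
    s = (w1 * r - w2) % Q
    return t, c, r, s


# --- Section 3.3: Lee et al.'s scheme without message recovery [15] ---

def sdvs_sign(m, x_a, y_b):
    """Equation (10): signature sigma = (r, t) on m."""
    k = rand_zq_star()
    r = pow(G, k, P)
    s = (k + x_a * r) % Q
    return r, H(m, pow(y_b, s, P))


def sdvs_verify(m, sig, y_a, x_b):
    """Bob's check t = H(m, (r * y_A^r)^{x_B} mod p)."""
    r, t = sig
    return t == H(m, pow(r * pow(y_a, r, P) % P, x_b, P))


def sdvs_simulate(m, y_b, d):
    """Equations (11)/(12): simulation that needs only y_B and D = y_A^{x_B} = y_B^{x_A}."""
    k = rand_zq_star()
    r = pow(G, k, P)
    return r, H(m, pow(y_b, k, P) * pow(d, r, P) % P)


def demo(m=1234, m_star=777):
    """Runs both schemes: real signature, Bob's simulation, and signing by a third party
    holding only D. Returns a dict of booleans; every entry should be True."""
    x_a, y_a = keygen()
    x_b, y_b = keygen()
    d = pow(y_b, x_a, P)            # the value the signer would release
    assert d == pow(y_a, x_b, P)    # equal to what the verifier could release
    r, t = sdvs_sign(m, x_a, y_b)
    return {
        "mr_real": mr_recover(mr_sign(m, x_a, y_b), y_a, x_b) == m,
        "mr_bob_sim": mr_recover(mr_simulate(m, y_a, pow(y_a, x_b, P)), y_a, x_b) == m,
        "mr_delegated": mr_recover(mr_simulate(m_star, y_a, d), y_a, x_b) == m_star,
        "sdvs_real": sdvs_verify(m, (r, t), y_a, x_b),
        "sdvs_bob_sim": sdvs_verify(m, sdvs_simulate(m, y_b, pow(y_a, x_b, P)), y_a, x_b),
        "sdvs_delegated": sdvs_verify(m_star, sdvs_simulate(m_star, y_b, d), y_a, x_b),
        "sdvs_tampered_rejected": not sdvs_verify(m, (r, (t + 1) % Q), y_a, x_b),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point to take from running it is that `mr_simulate` and `sdvs_simulate` never receive $x_A$ or $x_B$: the single group element $D$ is a complete signing capability for the pair (Alice, Bob), which is exactly what nondelegatability forbids.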
3.4. Ki et al.’s Scheme
Ki et al.’s strong designated verifier signature scheme [17] is as follows.
Setup. Let $G$ be an additive group and $G_T$ a multiplicative group, both of prime order $q$, and let $e: G \times G \to G_T$ be a symmetric bilinear map. $P$ is a random generator of $G$. The algorithm selects $s \in Z_q^*$ at random and computes $P_{pub} \leftarrow sP \in G$. It also selects two collision-resistant cryptographic hash functions $H_0: \{0,1\}^* \to G$ and $H: \{0,1\}^* \to \{0,1\}^{\lambda}$. The algorithm outputs the master secret key $msk = s$ and the corresponding public parameters $\mathit{params} = (G, G_T, q, e, P, P_{pub}, H_0, H)$.
Key-Extract. For a given identity $ID$, it computes $Q_{ID} = H_0(ID) \in G$ and $sk_{ID} \leftarrow sQ_{ID}$.
IDSig. For a given message $m \in \{0,1\}^*$, verifier’s identity $ID_V$, and signer’s secret key $sk_{ID_S} = sH_0(ID_S)$, it computes $Q_{ID_V} \leftarrow H_0(ID_V) \in G$ and $TK \leftarrow e(sk_{ID_S}, Q_{ID_V}) \in G_T$. It selects $r \in Z_q^*$ and computes $\theta \leftarrow rP \in G$ and $k_d \leftarrow e(rP_{pub}, Q_{ID_V})$. It then computes $\eta \leftarrow H(k_d \,\|\, TK)$ and $\tau \leftarrow H(\eta \,\|\, \theta \,\|\, m)$. The signature on the message is $\sigma = (\theta, \tau)$.
IDVerify. For a given signature $\sigma = (\theta, \tau)$, message $m$, and verifier’s secret key $sk_{ID_V}$, it computes $Q_{ID_S} \leftarrow H_0(ID_S)$, $TK' \leftarrow e(Q_{ID_S}, sk_{ID_V})$, $k_d' \leftarrow e(\theta, sk_{ID_V})$, and $\eta' \leftarrow H(k_d' \,\|\, TK')$. It tests whether $H(\eta' \,\|\, \theta \,\|\, m) \stackrel{?}{=} \tau$ holds. If the equality holds, it outputs valid; otherwise, it outputs invalid.
Attack on Ki et al.’s Scheme. Observe that $TK = e(sk_{ID_S}, Q_{ID_V}) = e(Q_{ID_S}, sk_{ID_V}) = TK'$ is the only secret-dependent input to the signature: $k_d = e(rP_{pub}, Q_{ID_V})$ is computable from public values and the signer's own randomness $r$. So any third party $T$ who obtains $TK$ can generate valid signatures by running IDSig with $TK$ in place of $e(sk_{ID_S}, Q_{ID_V})$, without knowing $sk_{ID_S}$ or $sk_{ID_V}$. Therefore, Ki et al.’s scheme is delegatable.
4. Conclusion
Strong designated verifier signatures provide authentication of a message without, however, the nonrepudiation property of traditional signatures. They convince one and only one specified recipient that they are valid, but unlike standard digital signatures, nobody else can be convinced of their validity or invalidity. The reason is that the designated verifier in these schemes is able to create a signature intended for himself that is indistinguishable from a “real” signature. Strong designated verifier signatures fit into various cryptographic applications where privacy preservation is needed. Recently, four strong designated verifier signature schemes have been proposed. In this work, we have shown that all four schemes are delegatable. That is to say, in each scheme the signer or the designated verifier can delegate the signing right to any third party by releasing a piece of information that is related to, but different from, their secret keys. This enables the third party to simulate the signer's signatures. So, these schemes do not satisfy the nondelegatability security requirement of strong designated verifier signature schemes.
Conflict of Interests
The authors of the paper do not have any conflict of interests.
References
[1] S. Saeednia, S. Kramer, and O. Markovitch, “An efficient strong designated verifier signature scheme,” 2003, Springer, Berlin, Germany, pp. 40–54.
[2] M. Jakobsson, K. Sako, and R. Impagliazzo, “Designated verifier proofs and their applications,” 1996, vol. 1070 of Lecture Notes in Computer Science, Springer, pp. 143–154.
[3] Y. Lu and G. Tsudik, “Privacy-preserving cloud database querying,” 2011, pp. 15–24.
[4] N. Gal-Oz, T. Grinshpoun, and E. Gudes, “Privacy issues with sharing and computing reputation across communities,” 2011, vol. 1, pp. 16–34.
[5] L. Ogiela and M. R. Ogiela, “Fundamentals of cognitive informatics,” 2012, vol. 17 of Cognitive Systems Monographs, Springer, pp. 19–49.
[6] X. Huang, W. Susilo, Y. Mu, and F. Zhang, “Short designated verifier signature scheme and its identity-based variant,” 2003, vol. 6, no. 1, pp. 82–93.
[7] K. Kumar, G. Shailaja, and A. Saxena, “Identity based strong designated verifier signature scheme,” 2007, vol. 18, no. 2, pp. 239–252.
[8] W. Susilo, F. Zhang, and Y. Mu, “Identity-based strong designated verifier signature schemes,” 2004, vol. 3108 of Lecture Notes in Computer Science, pp. 313–324.
[9] J. Zhang and J. Mao, “A novel ID-based designated verifier signature scheme,” 2008, vol. 178, no. 3, pp. 766–773, doi:10.1016/j.ins.2007.07.005.
[10] S. Lal and V. Verma, “Identity based strong designated verifier proxy signature schemes,” Cryptology ePrint Archive, Report 2006/394, http://eprint.iacr.org/2006/394.
[11] B. Kang, C. Boyd, and E. Dawson, “A novel identity-based strong designated verifier signature scheme,” 2009, vol. 82, no. 2, pp. 270–273, doi:10.1016/j.jss.2008.06.014.
[12] B. Kang, C. Boyd, and E. Dawson, “Identity-based strong designated verifier signature schemes: attacks and new construction,” 2009, vol. 35, no. 1, pp. 49–53, doi:10.1016/j.compeleceng.2008.05.004.
[13] J.-S. Lee, J. H. Chang, and D. H. Lee, “Forgery attacks on Kang et al.'s identity-based strong designated verifier signature scheme and its improvement with security proof,” 2010, vol. 36, no. 5, pp. 948–954, doi:10.1016/j.compeleceng.2010.02.001.
[14] Q. Huang, G. Yang, D. S. Wong, and W. Susilo, “Identity-based strong designated verifier signature revisited,” 2011, vol. 84, no. 1, pp. 120–129, doi:10.1016/j.jss.2010.08.057.
[15] J.-S. Lee and J. H. Chang, “Comment on Saeednia et al.'s strong designated verifier signature scheme,” 2009, vol. 31, no. 1, pp. 258–260, doi:10.1016/j.csi.2008.02.003.
[16] J. Lee and J. Chang, “Strong designated verifier signature scheme with message recovery,” 2007, vol. 1, pp. 801–803.
[17] J. Ki, J. Y. Hwang, D. Nyang, B.-H. Chang, D. H. Lee, and J.-I. Lim, “Constructing strong identity-based designated verifier signatures with self-unverifiability,” 2012, vol. 34, no. 2, pp. 235–244, doi:10.4218/etrij.12.0111.0597.
[18] B. Yang, Z. Hu, and Z. Xiao, “Efficient certificateless strong designated verifier signature scheme,” in Proceedings of the International Conference on Computational Intelligence and Security (CIS '09), December 2009, IEEE Computer Society, pp. 432–436, doi:10.1109/CIS.2009.191.