Strong Designated Verifier Signature Schemes with Undeniable Property and Their Applications

Most of the strong designated verifier signature (SDVS) schemes cannot tell the real signature generator when the signer and the designated verifier dispute on a signature. In other words, most of the SDVS schemes do not have the undeniability property. In this paper, we propose two SDVS schemes which hold the undeniability property, namely, strong designated verifier signature with undeniability property (SDVSUP). Our two schemes are called SDVSUP-1 and SDVSUP-2. In our two SDVSUP schemes, the signer not only can designate a verifier but also can designate an arbiter who can judge the signature when the signer and the designated verifier dispute on the signature. What is more, the judgment procedure can be performed by the arbiter alone without help from the signer or the designated verifier, which increases the judgment efficiency and reduces the complexity of signature confirmation. We also demonstrate a real instance of applying our SDVSUP scheme to electronic bidding system.


Introduction
In traditional digital signature (TDS), anyone who knows the public key of the signer can verify the validity of a signature.However, the public verification of TDS is not a desirable property in some applications.For example, the owner of some privacy information such as a health report from hospital or a bill from company and so on wishes that the signature on these privacy information can only be verified by himself.There are some solutions to this problem.One of them is to use the undeniable signature which was proposed first by Chaum and Antwerpen [1,2].In undeniable signature (US) [3][4][5][6][7], the signature verification needs the help from the signer.In other words, the validity verification of a signature is an interactive proof between the signer and the verifier which leads to the inefficiency and infeasibility if the signer rejects to cooperate.Another solution is to use the designated verifier signature (DVS) which was proposed first by Jakobsson et al. [8].In DVS, the signer can designate a person as the signature verifier called designated verifier who can convince the signature to be generated by the signer.But the designated verifier cannot transfer the conviction to any third party since the designated verifier can generate a indistinguishable signature with the signer.This is called nontransferability.Therefore, though a signature is publicly verifiable in DVS but no one can tell that the signature is generated by the signer or the designated verifier.Jakobsson et al. also proposed a variant of DVS called strong designated verifier signature (SDVS) [8].In SDVS, the signature verification needs the private key of the designated verifier.Thus, no one other than the signer and the designated verifier can verify the validity of signature which further protects the privacy information of the signer.
However, if the signer and the designated verifier dispute on a signature, no one can tell the real generator of the signature either the signer or the designated verifier.Yang et al. [9,10] gave an instance on this situation.In an electronic bidding system, some companies use SDVS to submit their prices to the institution for a project.Using the SDVS, the institution can confirm the submission but cannot transfer the submission to other companies for lower price since the institution also can generate an indistinguishable submission with the company.But if the winning company denies the submission due to some reasons, such as economic crisis, 2 Security and Communication Networks bankrupt, and even malicious competition.The institution can do nothing on it.This is undesirable to the institution.However, in almost all SDVS schemes [11][12][13][14][15][16][17] proposed till now this problem exists.Namely, these SDVS schemes have no undeniability property.Without undeniability property, SDVS is like more a message authentication code rather than a digital signature [9,10].
1.1.Related Work.Jakobsson et al. first proposed the concept of DVS and presented a DVS scheme which was based on trapdoor commitments [8].In Jakobsson et al. 's DVS scheme, a signature generated by the signer with the form of  =    while  was a random element in the signature generated by the designated verifier.Therefore, with the help from the signer, a person could distinguish the signature by an interactive proof between the signer and this person.So, Jakobsson et al. 's DVS scheme held the undeniability property.However, Jakobsson et al. did not explain the property explicitly and consider it as a necessary property.What is more, Lipmaa et al. [18] showed that Jakobsson et al. 's DVS scheme was not undeniable since the signer could construct a valid signature where  was a random element which made the third party confirm the signature from the designated verifier.Lipmaa et al. also proposed a DVS scheme based on Decisional Diffie-Hellman problem.However, their DVS scheme yet did not have the undeniability property.
In order to protect the identity of the signer further, Jakobsson et al. 's [8] extended DVS to present the concept of SDVS.In Jakobsson et al. 's SDVS scheme, the designated verifier must use the private key of himself to verify the validity of the signature.From then, many SDVS were proposed [15,[19][20][21].Some other variants of DVS included universal designated verifier signature (UDVS) [7,22,23], in which the owner of the standard signature could designate any third party as the designated verifier, identitybased designated verifier signature (IBDVS) [13,16,24], in which the private keys of the signer and the designated verifier were generated by the Key Generator Center (KGC), and so on.
In 2012, Yang et al. [9,10] proposed an SDVS scheme with the undeniability property based on Chameleon hash function [25].In their SDVS scheme, when the signer and the designated verifier disputed on a signature, the signer confirmed a signature (, , , ℎ) if the following two situations held: (1) the signer could find r to hold  = (r), where  was one component of the signature and r was the preimage of  and was stored by the signer in advance; (2) the signer could find an original signature (  ,   ,   , ℎ  ) of (, , , ℎ) where   ̸ = ,   ̸ = ,   = , ℎ  = ℎ, and (  ,   ,   , ℎ  ) was stored by the signer in advance.Thus, the signer needed to store all original signature data in order to confirm the signature later which added a large storage cost.What is more, anyone could distinguish a signature by the above similar method as the signer, that is, collecting and storing all signature data.And the confirmation procedure of signature was performed only by the signer alone.It was unfair to the designated verifier.What is more, if the signer did not want to cooperate for some reasons, the confirmation procedure could not continue and was forced to stop.

Our Work.
To our knowledge, Jakobsson et al. 's SDVS scheme [8] and Yang et al. 's SDVS scheme [9,10] are only two SDVS schemes with undeniability property.However, in the two SDVS schemes, it needs a complex judgment procedure when the signer and the designated verifier dispute on a signature.What is more, the judgment needs the help from the signer.In other words, the judgment is an interactive procedure between the signer and the judger.If the signer rejects to cooperate, the judgment procedure cannot be continued and must be stopped.In our work, we propose two SDVS schemes which can solve the above problem.In other words, in our SDVS schemes, the judger or the arbiter can alone complete the judgment: who generates the signature?Either the signer or the designated verifier does.We also make a comparison between our schemes and other similar schemes in terms of computational cost, signature size, and other aspects.At the same time, we present one application instance of our schemes in the electronic bidding system.
The remainder of this paper is organized as follows.In Section 2, some preliminaries are given including Computational Diffie-Hellman problem and assumption, the concept of SDVS, and the security properties of SDVS.In Section 3, two SDVSUP schemes are proposed.The security analysis of two SDVSUP schemes and the comparison are presented.Section 4 concludes this paper.

Computational Diffie-Hellman (CDH) Problem and CDH
Assumption.Let  and  be two large primes which hold  = 2 + 1.Let   be a subgroup of  *  with the prime order  and a generator .Given (,   ,   ) where  and  belong to  *  are two unknown elements, the CDH problem is to compute   .
The CDH assumption (, ) holds in  *  if there is not any algorithm  which can solve the CDH problem with running time at most  and the probability at least .message , the VerSDV algorithm outputs "Accept" if  is a valid signature or "Reject." If one can verify a signature without the private key  V of , then it is called designated verifier signature (DVS) not strong DVS.Namely, inputting , the public keys of , , and  and a signature  on a message , the VerSDV algorithm outputs "Accept" if  is a valid signature or "Reject." A secure strong designated verifier signature with undeniable property (SDVSUP) should hold unforgeability, computationally nontransferability, and undeniability.

Unforgeability.
The unforgeability of an SDVSUP scheme is defined by the following game between the challenger  and an adversary .The game includes three stages: setup, query, and output.
Setup.The challenger  creates the public system parameter  and the public/private key pair (  ,   ) of the signer , the one ( V ,  V ) of the designated verifier , and the one (  ,   ) of the arbiter .Then, send  and (  ,  V ,   ) to the adversary .
Query.Next,  makes the following oracle queries.
(1) Signing Query:  submits a message  to request a signature on ;  generates a valid signature  on  and returns  to .
(2) Verifying Query:  submits a signature  on a message ;  returns "True" to  if the signature  is valid.Otherwise, it returns "False" to .
Output.Finally,  outputs a forged signature  * on a message  * . wins the above game if (1)  * is a valid signature on  * , (2)  * has never been queried to Signing Query.
An SDVSUP scheme is (, ,   ,  V ) unforgeable if no adversary  can win the above game with the time at most , the probability at least , making at most   signing queries, and making at most  V verifying queries.

Nontransferability.
According to the work of [18,22], the nontransferability of SDVSUP can be classified into two types: computational nontransferability and perfect nontransferability.Based on the concept of nontransferability for SDVS given by [18,22], we add a participator called arbiter  into the original definition to present a description of nontransferability for SDVSUP.
An SDVSUP scheme is computationally nontransferable if given a pair of message and signature (, ); it is infeasible for any probabilistic polynomial-time (PPT) algorithm to distinguish that the signature  is generated by the signer  or the designated verifier  without the knowledge of the secret key of the signer , the secret key of the designated verifier , and the secret key of the arbiter .
An SDVSUP scheme is perfectly nontransferable if one cannot distinguish the signature  from the signer or the designated verifier even if one knows the secret keys of the signer , the designated verifier , and the arbiter .
Next, we give a definition of computationally nontransferable for SDVSUP scheme.An SDVSUP scheme is computationally nontransferable if there exists a PPT algorithm: Simulate Signature (SimSDV) in which the designated verifier  can use SimSDV to simulate a signature  1 . 1 is indistinguishable from the real signature which is generated by the signer  without knowing the secret key   of , the secret key  V of , and the secret key   of .In other words, there is not any PPT distinguisher  that is inputting the public key   of , the public key  V of , the public key   of the arbiter A, and a signature   to tell the signature   from  or  with a nonnegligible probability , namely, Similarly, we can define the perfectly nontransferable of SDVSUP scheme with changing the inputting of  into the public/private key (  ,   ) of , the public/private key ( V ,  V ) of , the public/private key (  ,   ) of the arbiter , and a signature   .
Since there is not any trapdoor information that can be used by the arbiter  even if  and  are in perfect nontransferability, an SDVSUP scheme only holds the computational nontransferability not perfect nontransferability [18].

2.5.
Undeniability.An SDVSUP scheme holds the undeniability property if there exists a PPT algorithm: Arbitrate Signature (ArbSDV) with inputting the signature  on , the public keys of the signer  and the designated verifier , and the private key of the arbiter ; the ArbSDV outputs "" if the signature is generated by the signer  or returns "" that denotes the signature from the designated verifier ; that is, (2)

The Proposed Strong Designated Verifier Signature Schemes with Undeniable Property
In this section, we provide two strong designated verifier signature schemes with undeniable property.The first one is called SDVSUP-1 scheme and the another is called SDVSUP-2 scheme.
3.1.The Proposed SDVSUP-1 Scheme.Based on Jakobsson et al. 's scheme [8], we propose a new strong designated verifier signature scheme with undeniable property (SDVSUP-1 scheme).In our SDVSUP-1 scheme, there exists three participators: the signer , the designated verifier , and the arbiter .Our SDVSUP-1 scheme performs according to the following process.

Security Analysis of SDVSUP-1 Scheme
Theorem ) Then  searches ( ) is a valid signature and did not make a  3 query previously is 1/.

6
Security and Communication Networks The simulating signature of  is   = ( 2 ,  3 , ℎ, , ).Since we need the private key of  or  to verify ,1 and need the private key of  or  to verify , anyone cannot distinguish the original signature  and the simulating signature   without knowing the private keys of , , and .Theorem 3. The proposed SDVSUP-1 scheme is undeniable.
Proof.When the signer  and the designated verifier  dispute who generates the signature  on the message ,  or  submits the signature  = ( 2 ,  3 , ℎ, , ) on  to the arbiter .Then,  runs the following ArbSDV algorithm.Namely, compute Then,  checks if  =   .If it is true, then  confirms that the signature  on the message  is generated by the signer .Otherwise, the signature  is generated by the designated verifier .Since  is a random number in simulating signature   while  = mod  in the real signature .Therefore, the arbiter  can use the ArbSDV algorithm to tell the real signer.

3.4.
The Proposed SDVSUP-2 Scheme.The above SDVSUP-1 scheme is a strong designated verifier signature scheme which has the undeniable property.In the SDVSUP-1 scheme, the arbiter  judges the signature generator by checking the format of  in the signature  = ( 2 ,  3 , ℎ, , ) on  because only  from the signer  has the format  () ,1 +(‖) ,2 ,1 , while  from the designated verifier  is a random number in  *  .
Because of this fact "only  from the signer  has the special format, namely, , while  from the designated verifier  is a random number in  *  ."Thus, the arbiter A only can check the format of  with the public key ( ,1 ,  ,2 ) of the signer to judge the result, which is a little unfair to the designated verifier .In other words, the designed verifier can do nothing and it even has some doubts on the judge result.Therefore, in this subsection, we present another scheme where  and  can both construct  with their own characteristic respectively.Namely, in our SDVSUP-2 scheme,  generated by the signer  is the format , while  generated by the designated verifier  is the format . Thus, the arbiter  can check the format of  with the public key ( ,1 ,  ,2 ) of the signer (by computing  = ( )  ,1 ) or with the public key ( V,1 ,  V,2 ) of the designated verifier (by computing  = ( )  ,1 ) to judge the result, which make the arbiter  distinguish the signature easier, fairer, and more convenient.Next, we show the construction of our SDVSUP-2 scheme which is a modification of SDVSUP-1 scheme.

Correctness of SDVSUP-2 Scheme.
The above signature  generated by  of SDVSUP-2 scheme is correct because ) ) The above signature  simulated by  of SDVSUP-2 scheme is correct because ) ) ) ) The final simulating signature on the message  is   = ( 1 ,  2 , ℎ, ).Since we need the private key of  or  to verify ,1 and need the private key of  or  to verify , anyone cannot distinguish the original signature  and the simulating signature   without knowing the private keys of , , and .
Proof.The arbiter  adapts the following method to judge the signature. first gets the public keys of the signer and the designated verifier.Then,  uses the private  ,1 to compute  mod  in the real signature .Therefore, the arbiter  can use the ArbSDV algorithm to tell the real signer.Theorem 6.If the CDH assumption ( ℎ ,  ℎ ) holds, then the proposed SDVSUP-2 scheme is ( V1 ,   1 ,   2 ,   3 ,   ,  V ,  V1 ) unforgeable.
Proof.The proof method is very similar to the Theorem 1. So, we omit it.

Comparison.
In Tables 1 and 2, we compare our schemes with other similar schemes in terms of performance and security features."Computational cost" denotes the totally computational cost of signing and verifying."Signature length" denotes the signature size."Unforg."denotes if the scheme satisfies the unforgeability property."Nontransf."denotes if the scheme holds the nontransferability property."Unden."denotes if the scheme holds the undeniability property."Help from signer" denotes if it needs the help from the signer when the arbiter judges a signature's generator."" denotes one exponentiation computation in  *  ."  " denotes one exponentiation computation in  where  is a bilinear group."" denotes one paring computation in ."|  |", "|  |," and "||" denote the length of one element from "  ", "  ," and "," respectively.
From Table 2, it can be seen that our schemes including SDVSUP-1 and SDVSUP-2 not only hold the features of