On the Security of a Novel Probabilistic Signature Based on Bilinear Square Diffie-Hellman Problem and Its Extension

Probabilistic signature schemes have been widely used in modern electronic commerce since they can provide integrity, authenticity, and nonrepudiation. Recently, Wu and Lin proposed a novel probabilistic signature (PS) scheme using the bilinear square Diffie-Hellman (BSDH) problem. They also extended it to a universal designated verifier signature (UDVS) scheme. In this paper, we analyze the security of Wu et al.'s PS scheme and UDVS scheme. Through concrete attacks, we demonstrate that neither of their schemes is unforgeable. The security analysis shows that their schemes are not suitable for practical applications.


Introduction
The signature scheme is an important modern cryptographic mechanism of the public key cryptosystem. In a signature scheme, the signer uses his private key to sign a message and generate a signature, which can be verified by other users using the signer's public key. The signature provides integrity, authenticity, and nonrepudiation; hence it can be used in modern electronic commerce [1][2][3][4][5].
The undeniable signature (US) scheme is a variation of the signature scheme, which was first introduced by Chaum and van Antwerpen [6]. In the US scheme, the verifier needs the signer's cooperation to complete the verification. In order to remove the complicated cooperation between the signer and the verifier, Jakobsson et al. [7] introduced the concept of the designated verifier signature (DVS) scheme and proposed a concrete DVS scheme. However, Wang [8] found that there is a serious security vulnerability in Jakobsson et al.'s scheme. Later, Steinfeld et al. [9,10] introduced the concept of the universal designated verifier signature (UDVS) scheme to generalize the concept of the DVS scheme. In the UDVS scheme, the signer could generate a signature and only the designated verifier could verify the signature using his private key.
Later, Zhang et al. [11] used the Diffie-Hellman problem to construct a UDVS scheme and demonstrated that their scheme is provably secure in the standard model. Unfortunately, Cheon [12] found that Zhang et al.'s scheme had a security flaw. To enhance security, Huang et al. [13] presented a new UDVS scheme using the gap bilinear Diffie-Hellman problem. In order to satisfy applications in identity-based systems, Chen et al. [14] proposed the first identity-based UDVS scheme. In order to improve efficiency, Wu and Lin [15] proposed a probabilistic signature (PS) scheme using the bilinear square Diffie-Hellman (BSDH) problem. Then, they extended this PS scheme to a UDVS scheme. They also demonstrated that both of their schemes are provably secure in the random oracle model. In this paper, we analyze the security of both Wu and Lin's PS scheme and UDVS scheme. Through concrete attacks, we show that neither of their schemes is unforgeable. We will also propose efficient countermeasures to withstand those attacks.
The paper is organized as follows. Section 2 gives a brief review of Wu et al.'s PS scheme and UDVS scheme. Section 3 presents our attacks against Wu et al.'s PS scheme and UDVS scheme. Section 4 presents our countermeasures to withstand the proposed attacks. Finally, Section 5 concludes the paper.

Review of Wu and Lin's Schemes
In this section, we will give the details of Wu et al.'s PS scheme and UDVS scheme.

Review of Wu and Lin's PS Scheme.
There are two participants in Wu and Lin's PS scheme, that is, a signer and a verifier, where the signer generates a publicly verifiable signature (PV-signature) using his private key and the verifier could verify the validity of the PV-signature using the signer's public key. There are three algorithms in Wu and Lin's PS scheme, that is, Setup, PV-Signature-Generation, and PV-Signature-Verification.
Setup. Taking a security parameter as input, the system authority (SA) runs the following steps to generate system parameters. Besides, the user registers his public key.
(1) SA chooses a random number and selects two multiplicative groups ( 1 , ×) and ( 2 , ×) with the same order , where the bit length of is .

(5) chooses a random number ∈ as his private key and registers his public key = .
PV-Signature-Generation. Upon receiving the message , the signer runs the following steps to generate a PV-signature Ω.
PV-Signature-Verification. Upon receiving the message , the PV-signature Ω, and the signer's public key , the verifier V runs the following steps to verify the validity of the PV-signature.
(2) If the equation holds, V confirms the PV-signature is valid; otherwise, V confirms that the PV-signature is not valid.

Review of Wu and Lin's UDVS Scheme.
There are two participants in Wu and Lin's UDVS scheme, that is, a signer and a verifier, where the signer generates a designated verifiable signature (DV-signature) using his private key and only the designated verifier could verify the validity of the DV-signature using the signer's public key. There are five algorithms in Wu and Lin's UDVS scheme, that is, Setup, PV-Signature-Generation, PV-Signature-Verification, DV-Signature-Generation, and DV-Signature-Verification. Because the first three algorithms are the same as those in PS scheme, only the last two algorithms will be described in detail.
DV-Signature-Generation. Upon receiving a message and the designated verifier V's public key V , the signer runs the following steps to generate a DV-signature Ω.
DV-Signature-Verification. Upon receiving a message , the DV-signature Ω, and the signer's public key , the designated verifier V runs the following steps to verify the validity of the DV-signature.
(1) V checks whether the equation (
(2) If the equation holds, V confirms the DV-signature is valid; otherwise, V confirms that the PV-signature is not valid.

Security Analysis of Wu and Lin's Schemes
In this section, we will give the security analysis of Wu et al.'s PS scheme and UDVS scheme.

Security Analysis of Wu and Lin's PS Scheme.
Wu and Lin claimed that their PS scheme was unforgeable against various attacks. Through a concrete attack, we will show that an adversary without the signer's private key could forge a legal PV-signature of any message. Given a message , the adversary could forge a legal PV-signature through the following steps.

Security Analysis of Wu and Lin's UDVS Scheme.
Wu and Lin claimed that their UDVS scheme was unforgeable against various attacks. Through a concrete attack, we will show that an adversary without the signer's private key could forge a legal DV-signature of any message. Given a message and the designated verifier V's public key V , the adversary could forge a legal DV-signature through the following steps.

Countermeasure for Wu and Lin's PS Scheme.
From the details of Wu and Lin's PS scheme, we know that the value has no relation with the value of . Then the adversary could choose the value freely to remove the relation between and . To withstand the attack described in Section 3.1, we just need to modify Wu and Lin's PS scheme slightly.
DV-Signature-Generation. Upon receiving a message , the signer runs the following steps to generate a PV-signature Ω.
DV-Signature-Verification. Upon receiving a message , the PV-signature Ω, and the signer's public key , the verifier V runs the following steps to verify the validity of the PV-signature.
(2) If the equation holds, V confirms the PV-signature is valid; otherwise, V confirms that the PV-signature is not valid.

Countermeasure for Wu and Lin's UDVS Scheme.
From the details of Wu and Lin's UDVS scheme, we know that the value has no relation to the value of . Then the adversary could choose the value freely to remove the relation between and . To withstand the attack described in Section 3.2, we just need to modify Wu and Lin's UDVS scheme slightly.
DV-Signature-Generation. Upon receiving a message and the designated verifier V's public key V , the signer runs the following steps to generate a DV-signature Ω.
DV-Signature-Verification. Upon receiving a message , the DV-signature Ω, and the signer's public key , the designated verifier V runs the following steps to verify the validity of the DV-signature.
(1) V checks whether the equation (
(2) If the equation holds, V confirms the DV-signature is valid; otherwise, V confirms that the PV-signature is not valid.
The Scientific World Journal

Conclusion
Recently, Wu and Lin proposed a PS scheme using the bilinear square Diffie-Hellman problem and extended it to a UDVS scheme. They also demonstrated that their scheme is provably secure in the random oracle model. Through concrete attacks, we demonstrate that neither of their schemes is unforgeable against a common adversary. To improve security, we also propose efficient countermeasures to withstand the proposed attacks.