
Available online at www.sciencedirect.com
Computer Standards & Interfaces 30 (2008) 288–295
www.elsevier.com/locate/csi

Identity-based universal designated multi-verifiers signature schemes

Seung-Hyun Seo a,⁎, Jung Yeon Hwang b, Kyu Young Choi b, Dong Hoon Lee b,⁎

a Financial Security Agency, 36-1 Yoido-Dong, Youngdeungpo-Gu, Seoul 150-886, Korea
b Graduate School of Information Securities, Center for Information Security Technologies (CIST), Korea University, Seoul, 136-701, Korea

Received 3 April 2007; accepted 29 August 2007
Available online 7 September 2007

Abstract

An identity-based (ID-based) universal designated verifier signature (ID-UDVS) scheme allows a signature holder to designate a specific verifier of the signature by using a simplified public identity such as an e-mail address. In this paper, we present an efficient identity-based universal designated multi-verifiers signature (ID-UDMVS) scheme by extending a single verifier to a set of multi-verifiers for verification of a signature. To achieve our goal, we construct an ID-based signature scheme providing batch verification and then, using this scheme as a building block, we propose the first ID-UDMVS scheme with constant signature size. Interestingly, our construction method can be used as a generic method transforming an ID-UDVS scheme, which is defined in a bilinear version of the so-called Σ-protocol, to an ID-UDMVS scheme.
© 2007 Elsevier B.V. All rights reserved.

Keywords: ID-based signature; Designated multi-verifier signature; Signature

1. Introduction

In 1996, Jakobsson et al. first introduced a new primitive called the designated-verifier signature (DVS) scheme [9]. In the DVS scheme, the signature provides authentication of a message without providing the non-repudiation property of traditional signatures. As pointed out in [14], this property can be viewed as a "light signature scheme". The DVS scheme can be used to convince a single third party, i.e., the designated verifier, and only the designated verifier can be convinced about its validity or invalidity. This is due to the fact that the designated verifier himself can efficiently simulate signatures that are indistinguishable from the signer's signatures. Such signature schemes have numerous applications for tenders, electronic voting or electronic auctions. Jakobsson et al. also briefly discussed a stronger notion called a strong designated-verifier signature (SDVS) scheme. The strongness property required in this notion refers to the requirement that the designated verifier use his secret key to verify the validity or invalidity of a signature. This notion was formally defined by Saeednia et al. [17] and strengthened by Laguillaumie and Vergnaud [10]. Given an SDVS signature and two potential signing public keys, it is computationally infeasible for an eavesdropper to determine under which of the two secret keys the signature was performed.

⁎ Corresponding author.
E-mail addresses: [email protected] (S.-H. Seo), [email protected] (J.Y. Hwang), [email protected] (K.Y. Choi), [email protected] (D.H. Lee).

0920-5489/$ - see front matter © 2007 Elsevier B.V. All rights reserved.
doi:10.1016/j.csi.2007.08.020

At the Crypto'03 rump session [6], Desmedt raised the problem of generalizing the designated-verifier signature concept to allow several designated verifiers. This new primitive, the designated multi-verifiers signature scheme, may be of interest in a multi-user setting; for instance, it seems promising for the design of fair distributed contract signing. In [11], Laguillaumie et al. proposed a construction of designated multi-verifiers signatures where the signer chooses to sign a message for a fixed number of specific designated verifiers.

In 2003, Steinfeld et al. directly addressed the user privacy issue in user certification systems and introduced the Universal Designated-Verifier Signature (UDVS) scheme by extending the notion of the DVS scheme [16]. The UDVS scheme is a digital signature scheme with additional functionality which allows any holder of a signature to designate any desired verifier. The designated verifier can verify that the message was signed by the signer. Nevertheless, the designated verifier cannot convince anyone else of this fact, because his secret key allows him to forge the designated-verifier signature without the signer's cooperation. Based on their ideas, Steinfeld et al. [16] proposed how to extend the classical Schnorr or RSA signature schemes into UDVS schemes. Laguillaumie and Vergnaud [10] proposed a generic construction of DVS schemes from any bilinear map. Ng et al. [12] extended the notion of the UDVS scheme to the Universal Designated Multi-Verifiers Signature (UDMVS) scheme.

So far, even though there has been a wide range of research on designated verifier signatures, most works have been based on a certificate-based PKI (Public Key Infrastructure). In certificate-based public key cryptographic systems, however, a user should obtain a certificate of a long-lived public key from the CA, and the participants must first verify the user's certificate before the user's public key is used. Therefore, certificate-based public key cryptographic systems require large storage for each user's public key and certificate, and much computing time to verify the user's certificate. In 1984, Shamir [15] proposed a new model for public key cryptography, called identity-based encryption and signature schemes. The main idea of an identity-based cryptosystem is that the identity information of each user serves as his public key. That is, in an identity-based system, the participants just have to know the public identity of the user, such as an email address, IP address, etc. Thus, compared to certificate-based PKI systems, identity-based authenticated systems simplify the key management procedures [1]. Since Shamir's work, there have been many works on identity-based encryption and signature schemes. Recently, several papers have attempted to construct identity-based DVS schemes. Susilo et al. [18] proposed an identity-based strong designated verifier signature scheme, and Huang et al. [8] proposed an identity-based short strong designated verifier signature scheme. Zhang et al. [19] proposed two concrete constructions of identity-based universal designated verifier signature (ID-UDVS) schemes. One is an ID-UDVS based on bilinear pairings using the Cha-Cheon signature scheme. The other is an ID-UDVS based on a chameleon hash function.

1.1. Contributions

In this paper, we propose the first construction of an Identity-based Universal Designated Multi-Verifiers Signature (ID-UDMVS) scheme, which generalizes an ID-UDVS scheme. We present a formal model for an ID-UDMVS scheme and its security requirements, and concretely construct an ID-UDMVS scheme.

To achieve our goal, we first construct an Identity-based Signature (ID-S) scheme providing a batch verification technique which verifies the validity of several signatures simultaneously. This batch verification is a useful technique to improve computational efficiency in our construction of the ID-UDMVS scheme, where many signatures need to be generated or verified together. We show that ID-S is existentially unforgeable against adaptive chosen message and ID attacks in the random oracle model under the computational DH (CDH) assumption.

Next, using this ID-S scheme as a building block, we propose an ID-UDVS scheme and then propose an ID-UDMVS scheme by extending the ID-UDVS scheme to the multi-verifier setting. Like the underlying ID-S scheme, our ID-UDVS and ID-UDMVS schemes provide a batch verification technique. We also prove that the ID-UDVS and ID-UDMVS schemes are existentially unforgeable against adaptive chosen message and ID attacks in the random oracle model under the bilinear CDH assumption. Interestingly, our approach provides a generic method which derives an ID-UDMVS scheme from an ID-UDVS scheme well defined in a bilinear version of the so-called Σ-protocol [4,7], in which a signature typically consists of two parts: a commitment of a random number, and a linear combination of the random number, a private signing key and a message digest.

1.2. Organization

The remainder of this paper is organized as follows. In Section 2 we review some definitions and cryptographic hard problems which our schemes rely on. In Section 3 we present a security model for the ID-UDMVS scheme. In Section 4 we present an ID-based signature scheme with batch verification, and we propose an ID-UDVS scheme and prove its security. In Section 5, we propose an ID-UDMVS scheme and prove its security. We conclude in Section 6.

2. Definitions

In this section, we review the basic concept of bilinear maps and some assumptions related to our schemes. Throughout the paper, we assume that $G_1$ is a cyclic additive group of prime order $q$ and $G_2$ is a cyclic multiplicative group of the same order $q$, and that the discrete logarithm problem (DLP) in both $G_1$ and $G_2$ is intractable.

2.1. Bilinear maps

We briefly review the necessary facts about bilinear maps and bilinear map groups. We use the following standard notation:

2.1.1. Admissible bilinear map

We call $e: G_1 \times G_1 \to G_2$ an admissible bilinear map if it satisfies the following properties:

(1) Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$.
(2) Non-degenerate: There exists $P \in G_1$ such that $e(P, P) \neq 1$.
(3) Computable: There exists an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

In our setting of prime order groups, the non-degeneracy property is equivalent to $e(P, Q) \neq 1$ for all $P, Q \in G_1$. So, when $P$ is a generator of $G_1$, $e(P, P)$ is a generator of $G_2$.

2.2. Complexity assumptions

2.2.1. Computational Diffie-Hellman (CDH) problem

A CDH parameter generator $\mathcal{IG}_{CDH}$ is a probabilistic polynomial time (PPT) algorithm that takes as input a security parameter $1^\lambda$, runs in polynomial time, and outputs an additive group $G$ of prime order $q$. Informally, the CDH problem is to compute $abP$ when given a generator $P$ of $G$ and $aP, bP$ for random numbers $a, b \in \mathbb{Z}_q^*$. More formally, the advantage of $\mathcal{A}$ with respect to $\mathcal{IG}_{CDH}$ is defined to be

$$\Pr\left[\, abP \leftarrow \mathcal{A}(G, P, aP, bP) \;\middle|\; G \leftarrow \mathcal{IG}_{CDH}(1^\lambda),\ P \leftarrow_R G,\ a, b \leftarrow_R \mathbb{Z}_q^* \,\right].$$

$\mathcal{IG}_{CDH}$ is said to satisfy the CDH assumption if any PPT adversary $\mathcal{A}$ has negligible advantage in solving the CDH problem.

2.2.2. Computational bilinear Diffie-Hellman (CBDH) problem

A CBDH parameter generator $\mathcal{IG}_{CBDH}$ is a PPT algorithm that takes as input a security parameter $1^\lambda$, runs in polynomial time, and outputs the description of two groups $G_1$ and $G_2$ of the same order $q$ and an admissible bilinear map $e: G_1 \times G_1 \to G_2$. Informally, the CBDH problem is to compute $e(P, P)^{abc} \in G_2$ given a random generator $P$ of $G_1$ and $aP, bP, cP$ for random numbers $a, b, c \in \mathbb{Z}_q^*$. More formally, the advantage of $\mathcal{A}$ with respect to $\mathcal{IG}_{CBDH}$ is defined to be

$$\Pr\left[\, e(P, P)^{abc} \leftarrow \mathcal{A}(G_1, G_2, e, P, aP, bP, cP) \;\middle|\; (G_1, G_2, e) \leftarrow \mathcal{IG}_{CBDH}(1^\lambda),\ P \leftarrow_R G_1,\ a, b, c \leftarrow_R \mathbb{Z}_q^* \,\right].$$

$\mathcal{IG}_{CBDH}$ is said to satisfy the CBDH assumption if any PPT adversary $\mathcal{A}$ has negligible advantage in solving the CBDH problem.

As noted in [1], CBDH parameter generators satisfying the CBDH assumption are believed to be constructible from the Weil and Tate pairings associated with supersingular elliptic curves or Abelian varieties.

3. Model

In this section, we formally define the notion of an Identity-based Universal Designated Multi-Verifiers Signature (ID-UDMVS) scheme. The ID-UDMVS scheme consists of a tuple of six algorithms: a setup algorithm SetUp, a private key extraction algorithm Extract, an identity-based signature generation algorithm ID-Sign, an identity-based public verification algorithm ID-PV, an identity-based universal multi-designation algorithm ID-UMDS, and an identity-based universal multi-designated verification algorithm ID-UMDV, as follows:

• SetUp is a PPT algorithm that on input a security parameter $1^\lambda$ outputs a string consisting of common parameters para, which are publicly shared by all users, and a private master key msk.

• Extract is a PPT algorithm that on input common parameters para, the master key msk, and an $ID \in \{0,1\}^*$ outputs a private key $S_{ID}$ for user $U_{ID}$. $S_{ID}$ may be used as a private signing key or a private verification key.

• ID-Sign is a PPT algorithm that on input common parameters para, a signer's private key $S_{ID_S}$ and a message $m$ outputs a publicly verifiable (PV) signature $\sigma$ for $m$.

• ID-PV is a deterministic polynomial time algorithm that on input common parameters para, a signer's identity $ID_S$, a message $m$ and a PV-signature $\sigma$ outputs accept or reject.

• ID-UMDS is a possibly probabilistic algorithm that on input common parameters para, a signer's identity $ID_S$, a set of verifiers' identities $DV = \{ID_{V_1}, \ldots, ID_{V_n}\}$ and a message/signature pair $(m, \sigma)$ outputs a designated multi-verifiers (DMV) signature $\hat{\sigma}_{DV}$ for $m$.

• ID-UMDV is a deterministic polynomial time algorithm that on input common parameters para, a signer's identity $ID_S$, a set of verifiers' identities $DV = \{ID_{V_1}, \ldots, ID_{V_n}\}$, the set of verifiers' private keys $S_{ID_{V_i}}$ for $ID_{V_i} \in DV$ and a message/DMV-signature pair $(m, \hat{\sigma}_{DV})$ outputs accept or reject.

Informally, in the above description SetUp and Extract are run by a trusted Key Generation Center (KGC). The four algorithms SetUp, Extract, ID-Sign, ID-PV constitute an ordinary ID-based signature scheme [3].

Next we define the security requirements for an ID-UDMVS scheme: completeness, existential unforgeability under adaptive chosen message and ID attacks, and non-transferability.

Completeness. A properly formed ID-based universal designated multi-verifiers signature must be accepted by the identity-based multi-designated verification algorithm ID-UMDV. That is, an ID-UDMVS scheme should satisfy the following condition: for $(para, msk) \leftarrow \text{SetUp}(1^\lambda)$, for all $S_{ID_S} \leftarrow \text{Extract}(para, msk, ID_S)$ and $\sigma \leftarrow \text{ID-Sign}(para, S_{ID_S}, ID_S, m)$ with $\text{accept} \leftarrow \text{ID-PV}(para, ID_S, m, \sigma)$, for all $DV = \{ID_{V_1}, \ldots, ID_{V_n}\}$, for all $S_{ID_{V_i}} \leftarrow \text{Extract}(para, msk, ID_{V_i})$, and for $\hat{\sigma}_{DV} \leftarrow \text{ID-UMDS}(para, ID_S, DV, m, \sigma)$,

$$\text{accept} \leftarrow \text{ID-UMDV}(para, ID_S, DV, S_{ID_{V_1}}, \ldots, S_{ID_{V_n}}, m, \hat{\sigma}_{DV}).$$

ID-UDMVS unforgeability. In our model a forger $\mathcal{F}$ succeeds in breaking the scheme if it can output a valid new pair $(m, \hat{\sigma}_{DV})$. We call this security definition Existential Unforgeability for Identity-Based Universal Designated Multi-Verifiers Signature against Adaptive Chosen Message and ID Attack (EUF-ID-UDMVS-CMAID). We define it via the following game: Let ID-UDMVS = (SetUp, Extract, ID-Sign, ID-PV, ID-UMDS, ID-UMDV) be an ID-UDMVS scheme. $\mathcal{F}$ is a forger attacking the ID-UDMVS-unforgeability of the scheme that plays the following game with a challenger $\mathcal{C}$.

SetUp. The challenger $\mathcal{C}$ runs SetUp and gives the resulting public parameters para to $\mathcal{F}$. The master key is kept secret from $\mathcal{F}$.

Queries. $\mathcal{F}$ may adaptively issue the following queries to $\mathcal{C}$.

− Extract($ID$) query: Given an $ID$, $\mathcal{C}$ outputs the private key $S_{ID}$ corresponding to $ID$ by running Extract.

− Sign($ID_S, m$) query: Given an $ID_S$ and a message $m$, $\mathcal{C}$ returns the corresponding signature $\sigma$ on $m$ by running ID-Sign.

Forgery. $\mathcal{F}$ outputs $(ID_S, DV^* = \{ID^*_{V_1}, \ldots, ID^*_{V_n}\}, m^*, \hat{\sigma}_{DV})$, where $ID_S$ is a signer's identity, $ID^*_{V_i}$ ($1 \leq i \leq n$) are designated verifiers' identities, and $\hat{\sigma}_{DV}$ is a DMV-signature on $m^*$.

We say that $\mathcal{F}$ wins the game if

$$\text{accept} \leftarrow \text{ID-UMDV}(ID_S, DV^*, \{S_{V_1}, \ldots, S_{V_n}\}, m^*, \hat{\sigma}_{DV}),$$

under the restriction that $(ID_S, m^*)$ has never been submitted to the Sign query, and that $ID_S$ and at least one of the $ID^*_{V_i}$ ($1 \leq i \leq n$) have never been submitted to the Extract query; that is, $\mathcal{F}$ is allowed to make at most $n-1$ Extract queries for the $n$ designated verifiers' identities $ID^*_{V_1}, \ldots, ID^*_{V_n}$.

An ID-UDMVS scheme is secure against EUF-ID-UDMVS-CMAID if no probabilistic polynomial time algorithm $\mathcal{F}$ can win the above game with non-negligible probability.

Non-transferability (privacy notion). The non-transferability property is ensured by a transcript simulation algorithm that can be performed by all designated multi-verifiers to produce a signature indistinguishable from the one that would be produced by the signature holder.

4. ID-based universal designated verifier signature scheme

We present an ID-based signature scheme which is used as a building block for our ID-UDVS scheme. The signature scheme involves a trusted KGC. We denote this scheme by ID-S. We then present our construction of an ID-based universal designated verifier signature (ID-UDVS) scheme which provides batch verification for efficiency.

4.1. Underlying ID-based signature scheme (ID-S)

This scheme consists of four algorithms, SetUp, Extract, ID-Sign, ID-PV.

SetUp. First, the KGC runs the BDH parameter generator and produces a random generator $P$ of $G_1$. The KGC chooses a random $s \in \mathbb{Z}_p^*$ and computes $P_{pub} = sP$. Then the KGC keeps $s$ secret as the master secret key and publishes the system parameters $para = \{e, G_1, G_2, q, P, P_{pub}, H_1, H_2\}$, where $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to \mathbb{Z}_q$ are cryptographic hash functions.

Extract. When a user with identity $ID$ wishes to obtain a key pair, the KGC computes the public key $Q_{ID} \leftarrow H_1(ID)$ and the private key $S_{ID} \leftarrow sQ_{ID}$, and returns $\langle Q_{ID}, S_{ID} \rangle$ to the user.

ID-Sign. Given a secret key $S_{ID}$ and a message $m$, pick a random $r \in_R \mathbb{Z}_q^*$, compute $U \leftarrow rP$, $h \leftarrow H_2(m, U)$ and $V \leftarrow rP_{pub} + hS_{ID}$. Output the signature $\sigma = (U, V)$.

ID-PV. Given the public parameters para, a message $m$ and a signature $\sigma = (U, V)$, compute $h \leftarrow H_2(m, U)$ and check if

$$e(V, P) = e(U + hQ_{ID},\ P_{pub}).$$

If the equality holds then output accept. Otherwise output reject.

4.1.1. Batch verification

The previous ID-S scheme allows so-called batch verification [2] of multiple signatures on different messages. That is, a verifier can check the validity of $n$ signatures $(U_1, V_1), \ldots, (U_n, V_n)$ on $n$ messages $m_1, \ldots, m_n$ simultaneously: for given $\sigma_i = (U_i, V_i)$ on $m_i$ ($1 \leq i \leq n$), check if

$$e\left(\sum_{i=1}^{n} V_i,\ P\right) = e\left(\sum_{i=1}^{n} (U_i + h_i Q_i),\ P_{pub}\right),$$

where $h_i \leftarrow H_2(m_i, U_i)$.

Remark. A similar method was used for user authentication inthe group key agreement protocol in [5].

Next we show that the above ID-based signature scheme is secure in the following theorem.

Theorem 1. The above ID-based signature scheme ID-S is existentially unforgeable against an adaptively chosen ID attacker in the random oracle model under the CDH assumption.

Proof. $H_1$ and $H_2$ are considered as random oracles in the security proof. Suppose there exists a forger $\mathcal{A}$ which has advantage in attacking ID-S. We want to build an algorithm $\mathcal{B}$ that uses $\mathcal{A}$ to solve the CDH problem. $\mathcal{B}$ receives a CDH instance $(P, aP, bP)$ for randomly chosen $a, b \in \mathbb{Z}_q^*$ and $P \in G_1$. Its goal is to compute $abP$. $\mathcal{B}$ runs $\mathcal{A}$ as a subroutine and simulates its attack environment. $\mathcal{B}$ sets $P_{pub} = aP$, where $a$ is the master key, which is unknown to $\mathcal{B}$, and gives the system parameters to $\mathcal{A}$. Without loss of generality, we assume that an Extract query is preceded by the corresponding $H_1$ query. To avoid collisions and consistently respond to these queries, $\mathcal{B}$ maintains two lists $L_{H_1}$ and $L_{H_2}$ which are initially empty. $\mathcal{B}$ then simulates the oracle queries of $\mathcal{A}$ as follows:

• $H_1(ID_i)$ query: Suppose $\mathcal{A}$ makes at most $q_{H_1}$ queries to the $H_1$ oracle. First, $\mathcal{B}$ chooses $j \in [1, q_{H_1}]$ randomly. When $\mathcal{A}$ makes an $H_1(ID_i)$ query where $1 \leq i \leq q_{H_1}$, if $i = j$ (we let $ID_i = ID^*$ at this point), $\mathcal{B}$ returns $bP$ and adds $\langle ID^*, bP \rangle$ to $L_{H_1}$. Otherwise $\mathcal{B}$ picks a random $t_i \in \mathbb{Z}_q^*$, returns $t_iP$, and adds $\langle ID_i, t_i \rangle$ to $L_{H_1}$.

• $H_2(m_i, U_i)$ query: When $\mathcal{A}$ makes an $H_2(m_i, U_i)$ query, $\mathcal{B}$ looks for a tuple of the form $\langle m_i, U_i, h_i \rangle$ in $L_{H_2}$. If it exists, $\mathcal{B}$ returns $h_i$. Otherwise $\mathcal{B}$ picks a random $h_i \in \mathbb{Z}_q^*$, returns $h_i$, and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$.

• Extract($ID_i$) query: When $\mathcal{A}$ makes an Extract($ID_i$) query, if $ID_i \neq ID^*$, $\mathcal{B}$ finds the tuple of the form $\langle ID_i, t_i \rangle$ in $L_{H_1}$ and returns $t_iaP$. Otherwise $\mathcal{B}$ outputs FAIL and aborts the simulation.

• Sign($ID_i, m_i$) query: When $\mathcal{A}$ makes a Sign($ID_i, m_i$) query, $\mathcal{B}$ picks random $r_i, h_i \in \mathbb{Z}_q^*$. If $ID_i \neq ID^*$, $\mathcal{B}$ finds the tuple of the form $\langle ID_i, t_i \rangle$ in $L_{H_1}$, and computes $U_i = r_iP$ and $V_i = r_iP_{pub} + h_it_iaP$. $\mathcal{B}$ then returns $(U_i, V_i)$ and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$. Otherwise $\mathcal{B}$ computes $U_i = r_iP - h_ibP$ and $V_i = r_iP_{pub}$, returns $(U_i, V_i)$, and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$.

Eventually, $\mathcal{A}$ outputs a valid signature tuple $(ID_t, m_t, \sigma_t)$, where $ID_t$ is the identity of a target user selected by $\mathcal{A}$. If $ID_t \neq ID^*$, $\mathcal{B}$ outputs FAIL and aborts the simulation. Otherwise, by replaying $\mathcal{B}$ with the same random tape but different choices of $H_2$, as done in the forking lemma [12], $\mathcal{B}$ gets two valid signature tuples $(ID^*, m_t, h, U_t, V_t)$ and $(ID^*, m_t, h', U_t, V_t')$ such that $h \neq h'$. If both outputs are the expected ones, $\mathcal{B}$ computes

$$\frac{1}{h - h'}(V_t - V_t') = S_{ID^*} = abP.$$

The probability that $\mathcal{B}$ does not abort during the simulation is $1/q_{H_1}$. Therefore, if a forger who can break ID-S exists, then an attacker who solves the CDH problem exists. □

4.2. Our ID-UDVS scheme

If a designation is not performed, our ID-UDVS scheme functions as a publicly verifiable ID-S scheme and so compatibly uses the SetUp, Extract, ID-Sign, and ID-PV algorithms of the ID-S scheme.

SetUp. First, the KGC runs the BDH parameter generator and produces a random generator $P$ of $G_1$. The KGC chooses a random $s \in \mathbb{Z}_p^*$ and computes $P_{pub} = sP$. Then the KGC keeps $s$ secret as the master secret key and publishes the system parameters $para = \{e, G_1, G_2, q, P, P_{pub}, H_1, H_2\}$, where $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to \mathbb{Z}_q$ are cryptographic hash functions.

Extract. When a user with identity $ID$ wishes to obtain a key pair, the KGC computes the public key $Q_{ID} = H_1(ID)$ and the private key $S_{ID} = sQ_{ID}$, and returns $\langle Q_{ID}, S_{ID} \rangle$ to the user.

ID-Sign. Given a signer's secret key $S_{ID_S}$ and a message $m$, pick a random $r \in_R \mathbb{Z}_p^*$, compute $U \leftarrow rP$, $h \leftarrow H_2(m, U)$ and $V \leftarrow rP_{pub} + hS_{ID_S}$. Output the signature $\sigma = (U, V)$.

ID-PV. Given the public parameters para, a message $m$ and a signature $\sigma = (U, V)$, compute $h \leftarrow H_2(m, U)$ and check if

$$e(V, P) = e(U + hQ_{ID_S},\ P_{pub}).$$

If the equality holds then output accept. Otherwise output reject.

ID-UDS. Given a designated verifier's public key $ID_V$ and a message/signature pair $(m, \sigma)$, compute $\hat{V}_{DV} = e(V, Q_{ID_V})$, where $Q_{ID_V} = H_1(ID_V) \in G_1$. The designated verifier signature is $\hat{\sigma}_{DV} = (U, \hat{V}_{DV})$.

ID-UDV. Given a signer's public key $ID_S$, a verifier's secret key $S_{ID_V}$, and a message/designated verifier signature pair $(m, \hat{\sigma}_{DV})$, check if

$$e(U + H_2(m, U)Q_{ID_S},\ S_{ID_V}) = \hat{V}_{DV}.$$

If the equality holds then output accept. Otherwise output reject.

Completeness. The completeness of the ID-UDVS scheme is justified as follows:

$$\hat{V}_{DV} = e(V, Q_{ID_V}) = e(rP_{pub} + hS_{ID_S},\ Q_{ID_V}) = e(rsP + hsQ_{ID_S},\ Q_{ID_V}) = e(rP + hQ_{ID_S},\ sQ_{ID_V}) = e(U + H_2(m, U)Q_{ID_S},\ S_{ID_V}).$$

Theorem 2 (ID-UDVS Unforgeability). Our ID-based universal designated verifier signature scheme ID-UDVS is existentially unforgeable against an adaptively chosen message and ID attacker in the random oracle model under the CBDH assumption.

Proof. Suppose there exists a forger $\mathcal{F}$ which has advantage in attacking ID-UDVS. We want to build an algorithm $\mathcal{B}$ that uses $\mathcal{F}$ to solve the CBDH problem. $\mathcal{B}$ receives a CBDH instance $(aP, bP, cP)$ for random $a, b, c \in \mathbb{Z}_q^*$ and $P \in G_1$. The purpose of $\mathcal{B}$ is to inject the above $(aP, bP, cP)$ during the simulation and to compute $e(P, P)^{abc}$. $\mathcal{B}$ runs $\mathcal{F}$ as a subroutine and simulates its attack environment. $\mathcal{B}$ sets $P_{pub} = aP$, where $a$ is the master key, which is unknown to $\mathcal{B}$, and gives the system parameters to $\mathcal{F}$. Without loss of generality, we assume that an Extract query is preceded by the corresponding $H_1$ query. To avoid collisions and consistently respond to these queries, $\mathcal{B}$ maintains two lists $L_{H_1}$ and $L_{H_2}$ which are initially empty. Then $\mathcal{B}$ simulates the oracle queries of $\mathcal{F}$ as follows:

• $H_1(ID_i)$ query: Suppose $\mathcal{F}$ makes at most $q_{H_1}$ queries to the $H_1$ oracle. First, $\mathcal{B}$ chooses $j, k \in [1, q_{H_1}]$ randomly. When $\mathcal{F}$ makes an $H_1(ID_i)$ query where $1 \leq i \leq q_{H_1}$, if $i = j$ (we let $ID_i = ID^*_S$ at this point), $\mathcal{B}$ returns $bP$ and adds $\langle ID^*_S, bP \rangle$ to $L_{H_1}$. If $i = k$ (we let $ID_i = ID^*_V$ at this point), $\mathcal{B}$ returns $cP$ and adds $\langle ID^*_V, cP \rangle$ to $L_{H_1}$. Otherwise $\mathcal{B}$ picks a random $t_i \in \mathbb{Z}_q^*$, returns $t_iP$, and adds $\langle ID_i, t_i \rangle$ to $L_{H_1}$.

• $H_2(m_i, U_i)$ query: When $\mathcal{F}$ makes an $H_2(m_i, U_i)$ query, $\mathcal{B}$ looks for a tuple of the form $\langle m_i, U_i, h_i \rangle$ in $L_{H_2}$. If it exists, $\mathcal{B}$ returns $h_i$. Otherwise $\mathcal{B}$ picks a random $h_i \in \mathbb{Z}_q^*$, returns $h_i$, and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$.

• Extract($ID_i$) query: When $\mathcal{F}$ makes an Extract($ID_i$) query, if $ID_i \neq ID^*_S$ and $ID_i \neq ID^*_V$, $\mathcal{B}$ finds the tuple of the form $\langle ID_i, t_i \rangle$ in $L_{H_1}$ and returns $t_iaP$. Otherwise $\mathcal{B}$ outputs FAIL and aborts the simulation.

• Sign($ID_i, m_i$) query: When $\mathcal{F}$ makes a Sign($ID_i, m_i$) query, $\mathcal{B}$ picks random $r_i, h_i \in \mathbb{Z}_q^*$. If $ID_i \neq ID^*_S$ and $ID_i \neq ID^*_V$, $\mathcal{B}$ finds the tuple of the form $\langle ID_i, t_i \rangle$ in $L_{H_1}$, and computes $U_i = r_iP$ and $V_i = r_iP_{pub} + h_it_iaP$. $\mathcal{B}$ then returns $(U_i, V_i)$ and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$. If $ID_i = ID^*_S$, $\mathcal{B}$ computes $U_i = r_iP - h_ibP$ and $V_i = r_iP_{pub}$, returns $(U_i, V_i)$, and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$. If $ID_i = ID^*_V$, $\mathcal{B}$ computes $U_i = r_iP - h_icP$ and $V_i = r_iP_{pub}$, returns $(U_i, V_i)$, and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$.

Eventually, $\mathcal{F}$ outputs a valid designated verifier signature tuple $(ID_t, m_t, U_t, \hat{V}_{DV})$, where $ID_t$ is the identity of a target user selected by $\mathcal{F}$. If $ID_t \neq ID^*_S$ or the designated verifier is not $ID^*_V$, $\mathcal{B}$ outputs FAIL and aborts the simulation. Otherwise, by replaying $\mathcal{B}$ with the same random tape but a different choice of random set for $H_2$, as done in the forking lemma [13], $\mathcal{B}$ gets two valid designated verifier signature tuples $(ID_t, m_t, U_t, \hat{V}_{DV_t})$, where $\hat{V}_{DV_t} = e(V_t, Q_{ID_V})$, and $(ID_t, m_t, U_t, \hat{V}'_{DV_t})$, where $\hat{V}'_{DV_t} = e(V'_t, Q_{ID_V})$, such that $h \neq h'$. If both outputs are the expected ones, $\mathcal{B}$ computes

$$\left(\hat{V}_{DV_t} / \hat{V}'_{DV_t}\right)^{(h - h')^{-1} \bmod q} = e(V_t - V'_t,\ Q_{ID_V})^{(h - h')^{-1}} = e((h - h')S_{ID_S},\ Q_{ID_V})^{(h - h')^{-1}} = e((h - h')abP,\ cP)^{(h - h')^{-1}} = e(P, P)^{abc}.$$

The probability that $\mathcal{B}$ does not abort during the simulation is $2 / (q_{H_1} \cdot (q_{H_1} - 1))$. Therefore, if a forger who can break ID-UDVS exists, then an attacker who solves the CBDH problem exists. □

Theorem 3 (Non-transferability). The ID-UDVS scheme achieves non-transferability. That is, the designated verifier cannot convince any other third party about the authenticity of the received designated verifier signature $\hat{\sigma}_{DV}$ on a message $m$.

Proof. The non-transferability of our ID-UDVS scheme is achieved because the designated verifier can always simulate the received signature $\hat{\sigma}_{DV} = (U, \hat{V}_{DV})$ by producing a valid signature himself. More precisely, he can generate $U' = rP$ for a random number $r \in \mathbb{Z}_q$ and $\hat{V}'_{DV} = e(U' + H_2(m', U')Q_{ID_S},\ S_{ID_V})$ for an arbitrary message $m' \in \{0,1\}^*$, such that $\hat{\sigma}'_{DV} = (U', \hat{V}'_{DV})$ passes the designated verification algorithm ID-UDV, since $\hat{V}'_{DV} = e(U' + H_2(m', U')Q_{ID_S},\ S_{ID_V}) = e(rP_{pub} + H_2(m', U')sQ_{ID_S},\ Q_{ID_V})$. Obviously, the distribution of $\hat{\sigma}'_{DV} = (U', \hat{V}'_{DV})$ is perfectly indistinguishable from that of an original designated-verifier signature generated by ID-UDS. □

5. ID-based universal designated multi-verifiers signature scheme

In this section, we propose an ID-based universal designated multi-verifiers signature (ID-UDMVS) scheme based on bilinear pairings. If a multi-designation is not performed, our ID-UDMVS scheme functions as a publicly verifiable ID-S scheme and so compatibly uses the SetUp, Extract, ID-Sign, and ID-PV algorithms of the ID-S scheme. Like ID-S, the proposed ID-UDMVS scheme provides batch verification.

5.1. Our ID-UDMVS scheme

SetUp. First, the KGC runs the BDH parameter generator and produces a random generator $P$ of $G_1$. The KGC chooses a random $s \in \mathbb{Z}_p^*$ and computes $P_{pub} = sP$. Then the KGC keeps $s$ secret as the master secret key and publishes the system parameters $para = \{e, G_1, G_2, q, P, P_{pub}, H_1, H_2\}$, where $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to \mathbb{Z}_p$ are cryptographic hash functions.

Extract. When a user with identity $ID$ wishes to obtain a key pair, the KGC computes the public key $Q_{ID} = H_1(ID)$ and the private key $S_{ID} = sQ_{ID}$, and returns $\langle Q_{ID}, S_{ID} \rangle$ to the user.

ID-Sign. Given a secret key $S_{ID_S}$ and a message $m$, pick a random $r \in_R \mathbb{Z}_p^*$, compute $U \leftarrow rP$, $h \leftarrow H_2(m, U)$ and $V \leftarrow rP_{pub} + hS_{ID_S}$. Output the signature $\sigma = (U, V)$.

ID-PV. Given the public parameters para, a message $m$ and a signature $\sigma = (U, V)$, compute $h \leftarrow H_2(m, U)$ and check if

$$e(V, P) = e(U + hQ_{ID_S},\ P_{pub}).$$

If the equality holds then output accept. Otherwise output reject.

ID-UMDS. Given a set of verifiers' public keys $DV = \{ID_{V_1}, \ldots, ID_{V_n}\}$ and a message/signature pair $(m, \sigma)$, compute

$$\hat{V}_{DV} = e\left(V,\ \sum_{i=1}^{n} Q_{ID_i}\right),$$

where $Q_{ID_i} = H_1(ID_i) \in G_1$. The DMV signature is $\hat{\sigma}_{DV} = (U, \hat{V}_{DV})$.

ID-UMDV. Given a signer's public key $ID_S$, a set of verifiers' secret/public keys $\{(ID_{V_1}, S_{ID_{V_1}}), \ldots, (ID_{V_n}, S_{ID_{V_n}})\}$, and a message/DMVS pair $(m, \hat{\sigma}_{DV})$, each verifier performs the following algorithm:

• Compute $e_i = e(U + H_2(m, U)Q_{ID_S},\ S_{ID_{V_i}})$.

• Generate a signature $\sigma_i$ on $e_i$ by running ID-Sign($S_{ID_{V_i}}, e_i$) and publish $(e_i, \sigma_i)$ among the designated verifiers $DV = \{ID_{V_1}, \ldots, ID_{V_n}\}$.

• Run ID-PV($para, e_j, \sigma_j$) to check the validity of all of the $\sigma_j$ ($j = 1, \ldots, n$), possibly using the batch verification technique. If one of the $n$ signatures is invalid then output reject.

• Check if

$$\hat{V}_{DV} = \prod_{i=1}^{n} e_i = \prod_{i=1}^{n} e(U + H_2(m, U)Q_{ID_S},\ S_{ID_{V_i}}).$$

If the equality holds then output accept. Otherwise output reject.

5.2. Security analysis

Completeness. The completeness of ID-UDMVS is justified as follows, writing $h = H_2(m, U)$:
$$\begin{aligned}
\prod_{i=1}^{n} e\big(U + hQ_{ID_S},\, S_{ID_{V_i}}\big)
&= e\Big(U + hQ_{ID_S},\, \sum_{i=1}^{n} S_{ID_{V_i}}\Big) \\
&= e\Big(srP + shQ_{ID_S},\, \sum_{i=1}^{n} Q_{ID_{V_i}}\Big) \\
&= e\Big(rP_{pub} + hS_{ID_S},\, \sum_{i=1}^{n} Q_{ID_{V_i}}\Big) \\
&= e\Big(V,\, \sum_{i=1}^{n} Q_{ID_{V_i}}\Big) = \hat V_{DV}.
\end{aligned}$$

Next we show the unforgeability and the non-transferability of the ID-UDMVS scheme.

Theorem 4 (ID-UDMVS Unforgeability). Our ID-based universal designated multi-verifiers signature scheme ID-UDMVS is existentially unforgeable against an adaptively chosen message and ID attacker in the random oracle model under the CBDH assumption.

Proof. Suppose there exists a forger F with non-negligible advantage in attacking ID-UDMVS. We build an algorithm B that uses F to solve the CBDH problem. B receives a CBDH instance $(P, aP, bP, cP)$ for random $a, b, c \in \mathbb{Z}_q^*$ and $P \in \mathbb{G}_1$. The purpose of B is to inject $(aP, bP, cP)$ into the simulation and to compute $e(P, P)^{abc}$. B runs F as a subroutine and simulates its attack environment. B sets $P_{pub} = aP$, so that $a$ plays the role of the master key, which is unknown to B, and gives the system parameters to F. Without loss of generality we assume that every Extract query is preceded by the corresponding $H_1$ query. To avoid collisions and to respond consistently to these queries, B maintains two lists $L_{H_1}$ and $L_{H_2}$, which are initially empty.

Then B simulates the oracle queries of F as follows:

• $H_1(ID_i)$ query: Suppose F makes at most $q_{H_1}$ queries to the $H_1$ oracle. B first chooses distinct $j, k \in [1, q_{H_1}]$ at random. When F makes the $i$-th query $H_1(ID_i)$, $1 \le i \le q_{H_1}$: if $i = j$ (we let $ID_i = ID^*_S$ at this point), B returns $bP$ and adds $\langle ID^*_S, bP \rangle$ to $L_{H_1}$; if $i = k$ (we let $ID_i = ID^*_V$, $ID^*_V \in DV$, at this point), B returns $cP$ and adds $\langle ID^*_V, cP \rangle$ to $L_{H_1}$. Otherwise B picks a random $t_i \in \mathbb{Z}_q^*$, returns $t_iP$ and adds $\langle ID_i, t_i \rangle$ to $L_{H_1}$.

• $H_2(m_i, U_i)$ query: B looks for a tuple of the form $\langle m_i, U_i, h_i \rangle$ in $L_{H_2}$. If it exists, B returns $h_i$. Otherwise B picks a random $h_i \in \mathbb{Z}_q^*$, returns $h_i$ and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$.

• Extract$(ID_i)$ query: If $ID_i \ne ID^*_S$ and $ID_i \ne ID^*_V$, B finds the tuple $\langle ID_i, t_i \rangle$ in $L_{H_1}$ and returns $t_i\,aP$, which equals $sQ_{ID_i}$ for $s = a$. Otherwise B outputs FAIL and aborts the simulation.

• Sign$(ID_i, m_i)$ query: B picks random $r_i, h_i \in \mathbb{Z}_q^*$. If $ID_i \ne ID^*_S$ and $ID_i \ne ID^*_V$, B finds the tuple $\langle ID_i, t_i \rangle$ in $L_{H_1}$, computes $U_i = r_iP$ and $V_i = r_iP_{pub} + h_it_i\,aP$, returns $(U_i, V_i)$ and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$. If $ID_i = ID^*_S$, B computes $U_i = r_iP - h_i\,bP$ and $V_i = r_iP_{pub}$, returns $(U_i, V_i)$ and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$. If $ID_i = ID^*_V$, B computes $U_i = r_iP - h_i\,cP$ and $V_i = r_iP_{pub}$, returns $(U_i, V_i)$ and adds $\langle m_i, U_i, h_i \rangle$ to $L_{H_2}$. In every case the returned pair satisfies $e(V_i, P) = e(U_i + h_iQ_{ID_i}, P_{pub})$ and so passes ID-PV; if $L_{H_2}$ already contains an entry for $(m_i, U_i)$, B simply retries with fresh $r_i, h_i$ so that the $H_2$ oracle stays consistent.

Eventually F outputs a valid designated multi-verifiers signature tuple $(ID_t, DV_t = \{ID_{V_1}, \ldots, ID_{V_n}\}, m_t, \hat\sigma_{DV_t})$, where $ID_t$ is the identity of the target signer selected by F. If $ID_t \ne ID^*_S$ or $ID^*_V \notin DV_t$, B outputs FAIL and aborts the simulation. Otherwise B replays F with the same random tape but a different choice of random answers for $H_2$, as in the forking lemma [13], and obtains two valid designated multi-verifiers signature tuples $(ID_t, DV_t, m_t, \hat\sigma_{DV_t})$ and $(ID_t, DV_t, m_t, \hat\sigma'_{DV_t})$ with
$$\hat\sigma_{DV_t} = (U_t, \hat V_{DV_t}),\quad \hat V_{DV_t} = e\Big(V_t, \sum_{i=1}^{n} Q_{ID_{V_i}}\Big), \qquad \hat\sigma'_{DV_t} = (U_t, \hat V'_{DV_t}),\quad \hat V'_{DV_t} = e\Big(V'_t, \sum_{i=1}^{n} Q_{ID_{V_i}}\Big),$$
such that $h = H_2(m_t, U_t) \ne h'$, where $h'$ is the value of $H_2(m_t, U_t)$ in the replay. Here $V_t = rP_{pub} + hS_{ID^*_S}$ and $V'_t = rP_{pub} + h'S_{ID^*_S}$ denote the ID-S signature components implicitly fixed by the verification equation (both share $U_t = rP$, since the runs agree up to the fork), so $V_t - V'_t = (h - h')S_{ID^*_S} = (h - h')\,abP$. Abusing notation, let $k$ be the position of $ID^*_V$ in $DV_t$, so $Q_{ID_{V_k}} = cP$. Since B knows $S_{ID_{V_i}} = t_i\,aP$ for every $i \ne k$, it computes
$$\frac{\hat V_{DV_t}}{e\Big(U_t + hQ_{ID^*_S},\, \sum_{i=1, i \ne k}^{n} S_{ID_{V_i}}\Big)} = e\big(V_t, Q_{ID_{V_k}}\big), \qquad \frac{\hat V'_{DV_t}}{e\Big(U_t + h'Q_{ID^*_S},\, \sum_{i=1, i \ne k}^{n} S_{ID_{V_i}}\Big)} = e\big(V'_t, Q_{ID_{V_k}}\big),$$
and then
$$\begin{aligned}
\Big(e\big(V_t, Q_{ID_{V_k}}\big) \big/ e\big(V'_t, Q_{ID_{V_k}}\big)\Big)^{(h - h')^{-1} \bmod q}
&= e\big(V_t - V'_t,\, Q_{ID_{V_k}}\big)^{(h - h')^{-1}} \\
&= e\big((h - h')S_{ID^*_S},\, Q_{ID_{V_k}}\big)^{(h - h')^{-1}} \\
&= e\big((h - h')\,abP,\, cP\big)^{(h - h')^{-1}} = e(P, P)^{abc}.
\end{aligned}$$

The probability that B does not abort during the simulation is $2/(q_{H_1}(q_{H_1}-1))$. Therefore, if a forger who can break ID-UDMVS exists, then an attacker who solves the CBDH problem exists. □

Theorem 5 (Non-transferability). The ID-UDMVS scheme achieves non-transferability. That is, a designated verifier cannot convince any other third party about the authenticity of the received designated multi-verifiers signature $\hat\sigma_{DV}$ on a message $m$.

Proof. The non-transferability of our ID-UDMVS scheme holds because the designated multi-verifiers $ID_{V_1}, \ldots, ID_{V_n}$ can always simulate the received signature $\hat\sigma_{DV} = (U, \hat V_{DV})$ by jointly producing a valid-looking one. More precisely, they can generate a designated multi-verifiers signature $\hat\sigma'_{DV}$ on any message $m'$ as follows:

• Generate a random $r' \in \mathbb{Z}_q^*$ and compute $U' = r'P$.

• For the given $U'$ and $m'$, each designated verifier computes $e_i = e\big(U' + H_2(m', U')Q_{ID_S},\, S_{ID_{V_i}}\big)$.

• Compute
$$\hat V'_{DV} = \prod_{i=1}^{n} e\big(U' + H_2(m', U')Q_{ID_S},\, S_{ID_{V_i}}\big).$$

The generated signature $\hat\sigma'_{DV} = (U', \hat V'_{DV})$ passes the multi-designation verification algorithm ID-UMDV, because
$$\hat V'_{DV} = \prod_{i=1}^{n} e\big(U' + H_2(m', U')Q_{ID_S},\, S_{ID_{V_i}}\big) = e\Big(r'P_{pub} + h'S_{ID_S},\, \sum_{i=1}^{n} Q_{ID_{V_i}}\Big) = e\Big(V',\, \sum_{i=1}^{n} Q_{ID_{V_i}}\Big),$$
where $h' = H_2(m', U')$ and $V' = r'P_{pub} + h'S_{ID_S}$. The distribution of $\hat\sigma'_{DV} = (U', \hat V'_{DV})$ is perfectly indistinguishable from that of an original designated multi-verifiers signature generated by ID-UMDS. Note that the simulation uses the private keys of all $n$ designated verifiers, so the guarantee concerns the verifiers acting together; the proof gives no simulation that a single verifier could run on its own. □
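As an added worked example that is not part of the original paper, the following Python script runs the five ID-UDMVS algorithms of Section 5.1 end to end, the all-or-nothing ID-UMDV check (one dishonest share makes the honest verifiers reject), and the verifiers' joint simulation from the proof of Theorem 5. Everything in it is constructed for illustration: the bilinear map is an insecure stand-in in which discrete logarithms are public (G1 is Z_q written additively, G2 is the order-q subgroup of Z_p^* with p = 2039, q = 1019, g = 4, and e(xP, yP) = g^(xy)), H1 and H2 are SHA-256 reductions, the identities and messages are made up, and the random-weight batch test is the small-exponents test of [2], assumed here as the instantiation of the page's "batch verification technique". The script therefore demonstrates the algebra of the scheme, not its security; a deployment would use a pairing library over a pairing-friendly curve.

```python
"""Toy execution of ID-UDMVS (Section 5.1) and the Theorem 5 simulation.
INSECURE stand-in for the bilinear map, for checking the equations only:
a point xP of G1 is stored as the scalar x (so P = 1), G2 = <g> in Z_p^*,
and e(xP, yP) = g^(xy) mod p.  Discrete logs are trivial in this encoding."""
import hashlib
import secrets
from functools import reduce

P_MOD = 2039    # constructed toy parameter: p = 2q + 1 is prime
Q_ORD = 1019    # prime order q of G1 and of the subgroup <g> of Z_p^*
G2_GEN = 4      # a quadratic residue mod p, hence of exact order q


def pairing(x, y):
    """e(xP, yP) = g^(xy) mod p; bilinear in each argument."""
    return pow(G2_GEN, (x * y) % Q_ORD, P_MOD)


def _hash_to_zq(tag, data):
    digest = hashlib.sha256(tag + data).digest()
    return 1 + int.from_bytes(digest, "big") % (Q_ORD - 1)   # never zero


def H1(identity):
    """H1: {0,1}* -> G1 (the scalar of Q_ID = H1(ID))."""
    return _hash_to_zq(b"H1|", identity)


def H2(message, U):
    """H2: {0,1}* -> Z_q, bound to the commitment U."""
    return _hash_to_zq(b"H2|", message + b"|" + str(U).encode())


def setup():
    """KGC: master key s and P_pub = sP (P = 1 in this encoding)."""
    s = secrets.randbelow(Q_ORD - 1) + 1
    return s, s


def extract(s, identity):
    """KGC: (Q_ID, S_ID = s Q_ID)."""
    Q = H1(identity)
    return Q, (s * Q) % Q_ORD


def id_sign(Ppub, S_ID, message):
    """ID-Sign: U = rP, h = H2(m, U), V = r P_pub + h S_ID."""
    r = secrets.randbelow(Q_ORD - 1) + 1
    return r, (r * Ppub + H2(message, r) * S_ID) % Q_ORD


def id_pv(Ppub, Q_ID, message, sig):
    """ID-PV: e(V, P) == e(U + h Q_ID, P_pub)."""
    U, V = sig
    return pairing(V, 1) == pairing((U + H2(message, U) * Q_ID) % Q_ORD, Ppub)


def id_pv_batch(Ppub, items):
    """Small-exponents batch test [2] (assumed instantiation) over
    (Q_IDj, m_j, sigma_j): e(sum d_j V_j, P) == e(sum d_j (U_j + h_j Q_IDj), P_pub)."""
    lhs = rhs = 0
    for Q, m, (U, V) in items:
        d = secrets.randbelow(Q_ORD - 1) + 1          # fresh random weight
        lhs = (lhs + d * V) % Q_ORD
        rhs = (rhs + d * (U + H2(m, U) * Q)) % Q_ORD
    return pairing(lhs, 1) == pairing(rhs, Ppub)


def id_umds(verifier_ids, sig):
    """ID-UMDS: holder designates DV via V_hat = e(V, sum_i Q_IDVi)."""
    U, V = sig
    return U, pairing(V, sum(H1(v) for v in verifier_ids) % Q_ORD)


def umdv_share(Ppub, Q_IDS, message, U, S_IDV):
    """ID-UMDV steps 1-2 for one verifier: e_i plus an ID-S signature on it."""
    e_i = pairing((U + H2(message, U) * Q_IDS) % Q_ORD, S_IDV)
    return e_i, id_sign(Ppub, S_IDV, str(e_i).encode())


def id_umdv(Ppub, verifier_ids, dmvs, shares):
    """ID-UMDV steps 3-4: batch-check all (e_j, sigma_j), then V_hat == prod e_j."""
    U, V_hat = dmvs
    items = [(H1(v), str(e).encode(), s) for v, (e, s) in zip(verifier_ids, shares)]
    if not id_pv_batch(Ppub, items):
        return False                                  # some share is not authentic
    return reduce(lambda a, b: a * b % P_MOD, (e for e, _ in shares), 1) == V_hat


def simulate_dmvs(Q_IDS, verifier_secrets, message):
    """Theorem 5: all n verifiers jointly forge (U', V_hat') for any m'."""
    U = secrets.randbelow(Q_ORD - 1) + 1
    h = H2(message, U)
    e_list = (pairing((U + h * Q_IDS) % Q_ORD, S) for S in verifier_secrets)
    return U, reduce(lambda a, b: a * b % P_MOD, e_list, 1)


def run_demo():
    s, Ppub = setup()
    verifiers = [b"v1@example.org", b"v2@example.org", b"v3@example.org"]  # constructed
    Q_S, S_S = extract(s, b"signer@example.org")
    vkeys = [extract(s, v)[1] for v in verifiers]
    m, m_forged = b"constructed sample message", b"never signed by the signer"
    sig = id_sign(Ppub, S_S, m)
    dmvs = id_umds(verifiers, sig)
    shares = [umdv_share(Ppub, Q_S, m, dmvs[0], S) for S in vkeys]
    # dishonest v3 publishes e_3 * g under a correctly formed signature of its own
    bad_e = shares[2][0] * G2_GEN % P_MOD
    bad_shares = shares[:2] + [(bad_e, id_sign(Ppub, vkeys[2], str(bad_e).encode()))]
    forged = simulate_dmvs(Q_S, vkeys, m_forged)
    forged_shares = [umdv_share(Ppub, Q_S, m_forged, forged[0], S) for S in vkeys]
    return {
        "public_ok": id_pv(Ppub, Q_S, m, sig),
        "dmv_ok": id_umdv(Ppub, verifiers, dmvs, shares),
        "dishonest_share_rejected": not id_umdv(Ppub, verifiers, dmvs, bad_shares),
        "simulated_accepted": id_umdv(Ppub, verifiers, forged, forged_shares),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the script prints four flags: the plain ID-S signature verifies publicly, the honest DMVS verification accepts, the run with one dishonest share is rejected even though that share carries a valid ID-S signature, and the signature fabricated by the colluding verifiers for a message the signer never signed is accepted by ID-UMDV, which is exactly the non-transferability argument of Theorem 5.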

5.3. Further constructions

We can apply our construction method for the UDVS scheme in the same way to ID-based signature schemes that use bilinear maps in the "Σ framework", such as the ID-based signature scheme in [3]. Typically, in this framework a generator $P$ of a group $\mathbb{G}$ and a master private key $s$ are generated at random and $(P, P_{pub} = sP)$ is made public. Each user with identity $ID$ is given a public key $H(ID)$ and a private signing key $sH(ID)$, where $H$ is a public hash function. A signature normally consists of two parts $(U, V)$: a commitment $U$ to a random number, and a linear combination $V$ of the random number, the private signing key and a message digest. Using the bilinear map as a DDH oracle, the signature is publicly verified by checking that the quadruple $(P, U', P_{pub}, V)$ is a DDH tuple, where $U' = s^{-1}V$ contains $U$ as a part.

When a user obtains a signature $(U, V)$, he uses the bilinear map $e$ to compute $V' = e(V, H(ID_1))$ and thereby freely designates the verifier with identity $ID_1$. Since only that verifier holds the private key $sH(ID_1)$, only he can verify the validity of the signature, by computing $e(U', sH(ID_1))$ and comparing it with the given $V'$. Interestingly, this structure of secret verification by the designated verifier alone provides signer ambiguity, since the designated verifier, like the original signer, can generate such a value using his own private key $sH(ID_1)$.

Extending this designation and verification structure from a single verifier to many, by combining, i.e. adding, the verifier identities $H(ID_i)$ into
$$Q_{DV} = \sum_{i=1}^{n} H(ID_i),$$
yields a structure for multi-verifiers and hence a UDMVS scheme. The combined identity $Q_{DV}$ is treated as the public key of a single designated verifier in the UDVS construction above. However, to verify such a signature the set of multi-designated verifiers must collaborate, since the check corresponds to the private key $sQ_{DV}$ of $Q_{DV}$; in the scheme of Section 5.1 this happens implicitly, as the product of the verifiers' values $e_i$ equals $e(U + hQ_{ID_S}, sQ_{DV})$ without any verifier ever learning $sQ_{DV}$.

6. Conclusions

We presented a formal notion of ID-based universal designated multi-verifiers signature schemes and proposed concrete ID-based UDMVS schemes using bilinear maps. Our construction method provides a generic way to transform ID-based designated single-verifier signature schemes defined in the so-called Σ framework into multi-verifier schemes. Unfortunately, our method requires the collaboration of the designated verifiers to verify an ID-based designated multi-verifiers signature. For efficiency, one interesting open problem is to build an ID-based UDMVS scheme in which a designated verifier can check the validity of an ID-based designated multi-verifiers signature without the collaboration of the other designated verifiers.

Acknowledgment

This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Advancement) (IITA-2006-(C1090-0603-0025)).

References

[1] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, Advances in Cryptology - Crypto 2001, LNCS 2139, Springer-Verlag, 2001, pp. 213–229.

[2] M. Bellare, J.A. Garay, T. Rabin, Fast batch verification for modular exponentiation and digital signatures, Advances in Cryptology - Eurocrypt'98, LNCS 1403, Springer-Verlag, 1998, pp. 236–250.

[3] J.C. Cha, J.H. Cheon, An identity-based signature from gap Diffie-Hellman groups, Proc. of PKC'03, LNCS 2567, Springer-Verlag, 2003, pp. 51–83.

[4] R. Cramer, I. Damgård, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, Proc. of Crypto'94, LNCS 839, Springer-Verlag, 1994, pp. 174–187.

[5] K.Y. Choi, J.Y. Hwang, D.H. Lee, Efficient ID-based group key agreement with bilinear maps, Proc. of PKC'04, LNCS 2947, Springer-Verlag, 2004, pp. 130–144.

[6] Y. Desmedt, Verifier-designated signatures, Rump Session, Crypto'03, 2003.

[7] J. Garay, P. MacKenzie, K. Yang, Strengthening zero-knowledge protocols using signatures, Proc. of Eurocrypt'03, LNCS 2656, Springer-Verlag, 2003, pp. 177–194.

[8] X. Huang, W. Susilo, Y. Mu, F. Zhang, Short (identity-based) strong designated verifier signature schemes, Proc. of ISPEC'06, LNCS 3903, Springer-Verlag, 2006, pp. 214–225.

[9] M. Jakobsson, K. Sako, R. Impagliazzo, Designated verifier proofs and their applications, Proc. of Eurocrypt'96, LNCS 1070, Springer-Verlag, 1996, pp. 142–154.

[10] F. Laguillaumie, D. Vergnaud, Designated verifier signatures: anonymity and efficient construction from any bilinear map, Proc. of SCN'04, LNCS 3352, Springer-Verlag, 2004, pp. 107–121.

[11] F. Laguillaumie, D. Vergnaud, Multi-designated verifiers signatures, Proc. of ICICS'04, LNCS 3269, Springer-Verlag, 2004, pp. 495–507.

[12] C.Y. Ng, W. Susilo, Y. Mu, Universal designated multi verifier signature schemes, Proc. of ICPADS'05, IEEE, 2005.

[13] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, J. Cryptol. 13 (2000) 361–396.

[14] R.L. Rivest, A. Shamir, Y. Tauman, How to leak a secret, Proc. of Asiacrypt'01, LNCS 2248, Springer-Verlag, 2001, pp. 552–565.

[15] A. Shamir, Identity-based cryptosystems and signature schemes, Proc. of Crypto'84, LNCS 196, Springer-Verlag, 1984, pp. 47–53.

[16] R. Steinfeld, L. Bull, H. Wang, J. Pieprzyk, Universal designated-verifier signatures, Proc. of Asiacrypt'03, LNCS 2894, Springer-Verlag, 2003, pp. 523–543.

[17] S. Saeednia, S. Kremer, O. Markowitch, An efficient strong designated verifier signature scheme, Proc. of ICISC'03, LNCS 2869, Springer-Verlag, 2003, pp. 40–54.

[18] W. Susilo, F. Zhang, Y. Mu, Identity-based strong designated verifier signature schemes, Proc. of ACISP'04, LNCS 3108, Springer-Verlag, 2004, pp. 313–324.

[19] F. Zhang, W. Susilo, Y. Mu, X. Chen, Identity-based universal designated verifier signatures, Proc. of EUC Workshops'05, LNCS 3823, Springer-Verlag, 2005, pp. 825–834.