Strong Designated Verifier Signature Scheme with Undeniability and Strong Unforgeability in the Standard Model

Abstract

Strong designated verifier signature can provide an efficient way to protect the identity privacy of the signer and the integrity of the data transmitted over the public channel. These characteristics make it very useful in outsourcing computing, electronic voting, electronic bidding, electronic auction and other fields. However, most strong designated verifier signature schemes are unable to identify the real signature generator when the signer and the designated verifier dispute a signature. In addition, the existing strong designated verifier signature schemes in the standard model rarely satisfy strong unforgeability, and thus cannot prevent the attacker from forging a valid signature on any previously signed message. Therefore, designing a strong designated verifier signature scheme without random oracles that satisfies strong unforgeability and undeniability is very attractive in both practice and theory. Motivated by these concerns, we design the first undeniable strong designated verifier signature scheme without random oracles, in which the arbiter can independently perform the judgment procedure to prove whether a controversial signature is generated by the signer or the designated verifier. Under standard assumptions, the scheme is proved to be strongly unforgeable in standard model. Furthermore, it not only achieves non-transferability and privacy of the signer’s identity but also satisfies the undeniable property of traditional digital signature schemes. Performance analysis results show that the length of the signer’s private key, the designated verifier’s private key and signature length are 40 bits, 40 bits and 384 bits, respectively. Compared with he related schemes, the proposed scheme has higher performance in signature length, private key size and computational overhead. Finally, we show how to apply it to implement outsourcing computation in cloud computing.

1. Introduction

Digital signature is a very important information security technology, which can realize data integrity, non-repudiation, identity authentication and other functions. It plays an important role in network security communication [1], e-commerce [2], e-government [3] and other systems [4,5,6]. To deal with specific application scenarios, some digital signature schemes with special properties have been proposed. Among them, designated verifier signature (DVS) [7] is a significant variant of digital signature. In DVS, the signer is allowed to designate a verifier to confirm the authenticity of a signature, but the designated verifier is unable to convince anyone that the signature was generated by the real signer. The reason is that the simulated signature produced by the designated verifier is computationally indistinguishable from the original signature created by the signer for the same message. This feature of DVS is called non-transferability, which is very useful in the fields of electronic voting, electronic tendering and software copyright [8,9]. To avoid the signer’s identity information being leaked, Jakobsson et al. [7] introduced the concept of strong designated verifier signature (SDVS). In SDVS, the validation of a signature must require the designated verifier’s private key, and any third party cannot determine the real creator of the signature. That is to say, only the designated verifier knows the real identity of the signer. Thus, SDVS enhances the privacy of the signer’s identity (PSI) and can be applied to some new fields [10]. For example, in cognitive computation [11], an intelligent robot authenticates the identity of its owner, but it must protect the owner’s identity information.

However, in a SDVS scheme, any third party does not know who generated the signature when the signer and the designated verifier dispute a signature. In this scenario, the undeniability property is very essential for SDVS. There are a few SDVS schemes with undeniability, and they were proved to be secure in the random oracle model [12,13,14]. Unfortunately, Canetti et al. [15] showed that the cryptographic scheme in the random oracle model may be insecure when the random oracle is instantiated by a concrete hash function. Therefore, it is of practical significance to study the SDVS scheme without random oracles.

Most existing SDVS schemes in the standard model only possess existential unforgeability [16,17,18]. Namely, an adversary can easily obtain a new legal signature of the same message by modifying an existing message-signature pair. Strong unforgeability can prevent the above-mentioned modification and protect the integrity of a signature [19]. A SDVS scheme is said to be strongly unforgeable if it satisfies existential unforgeability and the adversary cannot produce a legal signature of a message that has previously been signed. Although strong unforgeability has already been considered in several SDVS schemes [20], none of them has the undeniable property in the standard model.

1.1. Our Contribution

Motivated by the above concerns, we construct a new SDVS scheme with undeniability and strong unforgeability, which is named the SDVS-USU scheme in this paper. The main contributions of this paper are as follows.

• The proposed scheme is the first strongly unforgeable SDVS scheme with the undeniability property in the standard model, while the existing SDVS schemes are secure in the random oracle model.
• In the SDVS-USU scheme, the signer assigns a verifier to validate the signature, and designates an arbiter to determine the actual generator of the signature. For a controversial signature, the arbiter can independently identify the real signature generator without the help of the signer or the designated verifier.
• The SDVS-USU scheme is proved to be strongly unforgeable against adaptive chosen message attacks under the bilinear Diffie–Hellman (BDH) assumption, while the privacy of the signer’s identity relies on the decisional bilinear Diffie–Hellman (DBDH) assumption. At the same time, it has the property of non-transferability.
• Compared with the existing SDVS schemes without random oracles, the SDVS-USU scheme has better performance in terms of signature length, private key size and computational cost.

1.2. Paper Organization

The rest of this paper is organized as follows. Section 2 describes the work related to SDVS. Section 3 introduces some preliminaries, such as bilinear parings, complexity assumptions and the security definition of SDVS. Section 4 presents the SDVS-USU scheme. Section 5 demonstrates the security of the SDVS scheme. Section 6 analyzes the performance of the SDVS-USU scheme. Section 7 illustrates the application of the SDVS-USU scheme in outsourcing computation. Section 8 is the conclusions.

2. Related Work

The concept of SDVS was first introduced by Jakobsson et al. [7], and formalized by Saeednia et al. [21]. Since then, some efficient SDVS schemes were proposed [22,23,24,25,26,27], but the security of those schemes is based on the ideal random oracle. To deal with this problem, Hung et al. [17] designed a SDVS scheme in the standard model. However, its security is highly dependent on the security of the pseudo-random function. If the pseudo-random function leaks the associated index, the attacker can easily generate legitimate signatures for arbitrary messages on behalf of the signer or the designated verifier. Based on the q-Strong Diffie–Hellman assumption, Zhang et al. [16] constructed another SDVS scheme without random oracles. However, their SDVS scheme could not protect the privacy of the signer’s identity and did not give formal security proof. Besides, Asaar et al. [18] presented a secure SDVS scheme based on Waters’ scheme [28], but their scheme is malleable. Tian et al. [20] showed that the above three SDVS schemes [16,17,18]. do not satisfy strong unforgeability. Later, Tian et al. [20] used the OR proof [29] and Kang et al.’s scheme [30] to design a basic signature scheme with existential unforgeability. Then, Tian et al. [20] constructed a SDVS scheme using their basic scheme and the Cramer–Shoup scheme [31]. To shorten the signature length, Tian et al. [20] proposed another SDVS scheme based on their basic signature scheme and Tian et al.’s encryption scheme [32]. Although Tian et al.’s two SDVS schemes [20] satisfy strong unforgeability, neither provides undeniability. To overcome this shortcoming, Yang et al. [12] designed an undeniable SDVS scheme using chameleon hash function [33]. However, the signer needs to store all previous signature data to identify the real generator in a signature, and the judgment process needs the help of the signer. To improve the fairness of the judgment, Hu et al. [14] designed two undeniable SDVS schemes in which the arbiter can independently identify the real signer in a disputed signature. However, Yang et al.’s scheme [12] and Hu et al.’s schemes [14] were provably secure in the random oracle model. Unfortunately, there is no strongly unforgeable SDVS scheme with the undeniable property in the standard model. Thus, in this paper, we put forward such construction for SDVS.

3. Preliminaries

3.1. Bilinear Paring

Suppose p is a prime, $G_1$ and $G_2$ are two cyclic groups of order p, and g is any generator of $G_1$. A map $e:G_1\times G_1\to G_2$ is called a bilinear pair if it satisfies the following conditions [18]:

• Bilinearity: For any $x,y\in Z_p$, $e(g^x,g^y)=e{(g,g)}^{xy}=e(g^y,g^x)$.
• Non-degeneracy:$e(g,g)\ne 1$.
• Computability: For any $x,y\in Z_p$, $e(g^x,g^y)$ can be calculated efficiently.

3.2. Complexity Assumptions

Given $(g,g^x,g^y,g^z)\in G_1^4$, where $x,y,z\in Z_p$ are unknown, the BDH problem is to calculate $e{(g,g)}^{xyz}$.

Definition 1.

The BDH assumption is that the probability of any probabilistic polynomial-time (PPT) algorithm solving the BDH problem is negligible.

Given $(g,g^x,g^y,g^z)\in G_1^4$ and $Z\in G_2$, where unknown $x,y,z\in Z_p$, the DBDH problem is to determine whether $Z=e{(g,g)}^{xyz}$ holds.

Definition 2.

The DBDH assumption is that there is no PPT algorithm to solve the DBDH problem with a probability of more than $\frac{1}{2}$ [18].

3.3. Strong Designated Verifier Signature

An SDVS scheme with undeniable property is defined as follows:

• $\mathbf{Setup}$: On the input of a security parameter $\lambda \in Z$, this algorithm produces the public parameters $params$.
• $\mathbf{KeyGen}$: On the input of $params$, this algorithm produces a public/private key pair $(p{k}_S,s{k}_S)$ for a signer S, $(p{k}_V,s{k}_V)$ for a designated verifier V and $(p{k}_A,s{k}_A)$ for an arbiter A.
• $\mathbf{Sign}$: On the input of public keys of S, V and A, the signer S’s private key $s{k}_S$ and a message m, this algorithm produces a signature $\sigma$ on m.
• $\mathbf{Verify}$: Given public keys of S, V and A, this algorithm returns 1 if the designated verifier V’s private key $s{k}_V$ can be used to verify that $\sigma$ is a legal signature for a message m; otherwise, it returns 0.
• $\mathbf{Sim}$: On the input of public keys of S, V and A, the designated verifier V’s private key $s{k}_V$ and a message m, this algorithm produces a simulated signature ${\sigma }^{{}^{\prime }}$ that is indistinguishable from $\sigma$.

The correctness of SDVS requires that both the original signature and the simulated signature are valid. That is, for any key pairs $(p{k}_S,s{k}_S)$, $(p{k}_V,s{k}_V)$ and $(p{k}_A,s{k}_A)$, any message m, any signature $\sigma$=$\mathbf{Sign}$$(p{k}_S,p{k}_V,p{k}_A$, $s{k}_S,m)$ and any simulated signature ${\sigma }^{{}^{\prime }}$=$\mathbf{Sim}$$(p{k}_S,p{k}_V$, $p{k}_A,s{k}_V,m)$, the following two equations must hold:

$$\begin{gathered} \mathbf{Verify}(p{k}_S,p{k}_V,p{k}_A,s{k}_V,m,\sigma )=1, \\ \mathbf{Verify}(p{k}_S,p{k}_V,p{k}_A,s{k}_V,m,{\sigma }^{{}^{\prime }})=1. \end{gathered}$$

A secure SDVS scheme with undeniable property should achieve the security requirements of strong unforgeability, non-transferability, privacy of the signer’s identity (PSI) and undeniability.

The unforgeability requires that only the signer and the designated verifier can produce a valid signature. Formally, the strong unforgeability of an SDVS scheme is defined by the following game between a challenger $\mathcal{C}$ and an adversary $\mathcal{F}$.

• Setup: $\mathcal{C}$ executes the $\mathbf{Setup}$ algorithm to output the public parameters $params$, and runs the $\mathbf{KeyGen}$ algorithm to generate the signer’s key pair $(p{k}_S,s{k}_S)$, the designated verifier’s key pair $(p{k}_V,s{k}_V)$ and the arbiter’s key pair $(p{k}_A,s{k}_A)$. Then, $\mathcal{C}$ sends $(params,p{k}_S,p{k}_V,p{k}_A)$ to $\mathcal{F}$.
• Signing queries: When $\mathcal{F}$ initiates a signature query for message $m_i$, $\mathcal{C}$ runs the $\mathbf{Sign}$$(p{k}_S,p{k}_V,p{k}_A$, $s{k}_S,m_i)$ algorithm to obtain a signature ${\sigma }_i$ on $m_i$ and returns ${\sigma }_i$ to $\mathcal{F}$.
• Simulating queries: When $\mathcal{F}$ asks for a simulated signature on a message $m_i$, $\mathcal{C}$ runs the $\mathbf{Sim}$$(p{k}_S,p{k}_V$, $p{k}_A$, $s{k}_V,m_i)$ algorithm to obtain a signature ${\sigma }_i^{{}^{\prime }}$ on $m_i$ and returns ${\sigma }_i^{{}^{\prime }}$ to $\mathcal{F}$.
• Verifying queries: When $\mathcal{F}$ submits a signature ${\sigma }_i$ on a message $m_i$, $\mathcal{C}$ sends the signature verification result output by the algorithm $\mathbf{Verify}(p{k}_S,p{k}_V,p{k}_A$, $s{k}_V,m_i,{\sigma }_i)$ to $\mathcal{F}$.
• Output: Finally, $\mathcal{F}$ outputs a message/signature pair $(m^{\ast },{\sigma }^{\ast })$. $\mathcal{F}$ wins the game if

  1.

  $\mathbf{Verify}(p{k}_S,p{k}_V,p{k}_A,s{k}_V,m^{\ast },{\sigma }^{\ast })$=1.

  2.

  $(m^{\ast },{\sigma }^{\ast })$ has not been produced by the Simulating query.

  3.

  $(m^{\ast },{\sigma }^{\ast })$ is not one of all tuples $(m_i,{\sigma }_i)$ during the Signing queries.

Definition 3.

If the probability of any PPT attacker $\mathcal{F}$ winning in the above game is negligible, then an SDVS scheme is said to be strongly unforgeable against adaptive chosen message attacks.

The non-transferability requires that no third party can tell the signature on a message was created by the signer or was simulated by the designated verifier.

Definition 4.

An SDVS scheme is said to be non-transferable if it is not feasible for any PPT algorithm ${\mathcal{A}}_1$ to differentiate that a given signature is produced by the signer or the designated verifier without knowing the signer’s private key $s{k}_S$, the designated verifier’s private key $s{k}_V$ or the arbiter’s private key $s{k}_A$. That is, the probability ε of ${\mathcal{A}}_1$ distinguishing between simulated signatures and real signatures is negligible.

$$Pr\left[b=b^{{}^{\prime }}\left|\begin{array}{c}\begin{array}{c}{\sigma }_0\leftarrow Sign(p{k}_S,p{k}_V,p{k}_A,s{k}_S,m)\\ {\sigma }_1\leftarrow Sim(p{k}_S,p{k}_V,p{k}_A,s{k}_V,m)\end{array}\\ b\leftarrow \{0,1\}\\ b^{{}^{\prime }}\leftarrow {\mathcal{A}}_1(p{k}_S,p{k}_V,p{k}_A,{\sigma }_b)\end{array}\right.\right]=\epsilon .$$

In other words, the signature generated by the signer is computationally indistinguishable from the signature simulated by the designated verifier, i.e.,

$$\left\{Sign(p{k}_S,p{k}_V,p{k}_A,s{k}_S,m)\right\}\approx \left\{Sim(p{k}_S,p{k}_V,p{k}_A,s{k}_V,m)\right\}.$$

PSI requires that no one other than the designated verifier knows the identity of the signer, but any third party is unable to identify the designated verifier and the signer. That is, if there are two signers $S_0$ and $S_1$, it is infeasible for any PPT adversary to differentiate whether the signature of a message is signed by $S_0$ or $S_1$ without knowing the designated verifier’s private key. PSI is formally defined by the following security game between a distinguisher $\mathcal{D}$ and a challenger $\mathcal{B}$.

• Setup: $\mathcal{B}$ runs the $\mathbf{Setup}$ algorithm to produce the public parameters $params$, and runs the $\mathbf{KeyGen}$ algorithm to generate the signer $S_0$’s key pair $(p{k}_{S_0}$, $s{k}_{S_0})$, the signer $S_1$’s key pair $(p{k}_{S_1},s{k}_{S_1})$, the designated verifier V’s key pair $(p{k}_V,s{k}_V)$ and the arbiter A’s key pair $(p{k}_A,s{k}_A)$. Then, $\mathcal{B}$ sends $(params$, $p{k}_{S_0},p{k}_{S_1},p{k}_V,p{k}_A)$ to $\mathcal{D}$.
• Query phase 1: $\mathcal{D}$ adaptively initiates a series of inquiries to $\mathcal{B}$ as follows.

  -

  Signing queries: When $\mathcal{D}$ issues a signature query on a message $m_i$ and an index $d_i\in \{0,1\}$, $\mathcal{B}$ executes the $\mathbf{Sign}$$(p{k}_{S_{d_i}},p{k}_V,p{k}_A$, $s{k}_{S_{d_i}},m_i)$ algorithm to obtain a signature ${\sigma }_i$ on $m_i$ and returns ${\sigma }_i$ to $\mathcal{D}$.

  -

  Simulating queries: When $\mathcal{D}$ issues a simulated signature query on a message $m_i$ and an index $d_i\in \{0,1\}$, $\mathcal{B}$ runs the $\mathbf{Sim}$$(p{k}_{S_{d_i}},p{k}_V$, $p{k}_A$, $s{k}_V,m_i)$ algorithm to obtain a signature ${\sigma }_i^{{}^{\prime }}$ on $m_i$ and returns ${\sigma }_i^{{}^{\prime }}$ to $\mathcal{D}$.

  -

  Verifying queries: After receiving a message $m_i$, a signature ${\sigma }_i$ and an index $d_i\in \{0,1\}$, $\mathcal{B}$ responds to $\mathcal{D}$ with the output of the algorithm $\mathbf{Verify}(p{k}_{S_{d_i}},p{k}_V,p{k}_A$, $s{k}_V,m_i,{\sigma }_i)$.

• Challenge: After receiving the challenge message $m^{\ast }$ submitted by $\mathcal{D}$, $\mathcal{B}$ obtains a random value $d\in \{0,1\}$ by flipping a coin. Then, $\mathcal{B}$ returns the signature ${\sigma }^{\ast }$ generated by the algorithm $\mathbf{Sign}$$(p{k}_{S_d},p{k}_V,p{k}_A$, $s{k}_{S_d},m^{\ast })$ to $\mathcal{D}$.
• Query phase 2: $\mathcal{D}$ continues to make queries as in Query phase 1 except that $\mathcal{D}$ is unable to submit a signature verification query on $(m^{\ast },{\sigma }^{\ast },d^{\ast })$ for any $d^{\ast }\in \{0,1\}$.
• Output: $\mathcal{D}$ returns a value $d^{{}^{\prime }}\in \{0,1\}$. If $d=d^{{}^{\prime }}$, $\mathcal{D}$ wins the game.

Definition 5.

An SDVS scheme is secure about PSI if there is no PPT distinguisher $\mathcal{D}$ wins the game with a probability of more than $\frac{1}{2}$.

For a controversial signature, the undeniability requires that the arbiter can correctly identify the real identity of the generator in the signature.

Definition 6.

An SDVS scheme is said to be undeniable if there exists a PPT arbiter, with inputting the signer’s public key $p{k}_S$, the designated verifier’s public key $p{k}_V$, the arbiter’s private key $s{k}_A$ and a disputed signature $\tilde{\sigma }$ on a message $\tilde{m}$, can prove whether the signer S or the designated verifier V generated $\tilde{\sigma }$ with an overwhelming probability, namely,

$$Pr\left[id\in \{S,V\}\leftarrow Arbiter(p{k}_S,p{k}_V,s{k}_A,\tilde{\sigma })\right]\approx 1.$$

Here, the output S indicates $\tilde{\sigma }$ is created by the signer, while the output V indicates $\tilde{\sigma }$ is generated by the designated verifier.

4. The SDVS-USU Scheme

In this section, we design a strongly unforgeable SDVS scheme with undeniable property on the basis of a variant of Waters’ scheme [28]. Although a few SDVS schemes [12,13,14] satisfy undeniability, their security depends on ideal random oracles, which might be insecure in reality. Most of the SDVS schemes [17,18] without random oracles are malleable, so they cannot achieve strong unforgeability. To overcome these problems, the SDVS-USU scheme uses two collision-resistant hash functions to protect the integrity of the signature. This method can not only generate non-malleable signatures, but also achieve strong unforgeability and undeniability. Since we design the SDVS-USU scheme using a direct construction rather than a general conversion method, it basically maintains the performance of the Waters’ scheme [28] in terms of signature size and computational overhead. Additionally, it should be emphasized that the employed collision-resistant hash functions are not considered as random oracles in our security proof.

There are three participants in the SDVS-USU scheme: the signer S, the designated verifier V and the arbiter A. In the following, we assume that all signed messages are bit strings of length n. To achieve this assumption, messages of arbitrary length can be converted into messages of fixed length n by using a secure hash function $H:{\{0,1\}}^{\ast }\to {\{0,1\}}^n$. The SDVS-USU scheme is described as follows.

• $\mathbf{Setup}$: Let $G_1$ and $G_2$ be two multiplicative cyclic groups of prime order p. g is any generator of $G_1$, $e:G_1\times G_1\to G_2$ is a bilinear pair, and $\overrightarrow{u}=(u_j)$ is a vector of length n, where $u_j\in G_1$. Let $H_1:{\{0,1\}}^{\ast }\times G_1\to Z_p$ and $H_2:{\{0,1\}}^{\ast }\times G_1\times G_1\to Z_p$ be two collision-resistant hash functions. The public parameters are $params=(G_1,G_2,p,g,e,u_0,v,\overrightarrow{u},H_1,H_2)$.
• $\mathbf{KeyGen}$: The signer S picks two random elements $k_{S,1},k_{S,2}\in Z_p^{\ast }$ as the private key $s{k}_S=(s{k}_{S,1}$, $s{k}_{S,2})=(k_{S,1},k_{S,2})$, and computes the corresponding public key $p{k}_S=(p{k}_{S,1},p{k}_{S,2})=(g^{k_{S,1}},g^{k_{S,2}})$. Similarly, $s{k}_V=(s{k}_{V,1},s{k}_{V,2})=(k_{V,1},k_{V,2})$ and $p{k}_V=(p{k}_{V,1},p{k}_{V,2})=(g^{k_{V,1}},g^{k_{V,2}})$ are the designated verifier V’s private key and public key respectively. The arbiter A’s public/private key pair is $(p{k}_A,s{k}_A)=(g^{k_A},k_A)$, where $k_A\in Z_p^{\ast }$.
• $\mathbf{Sign}$: To generate the signature of a n-bit message $m=(m_1,...,m_n)\in {\{0,1\}}^n$, the signer proceeds as follows.

  1.

  Select $r\in Z_p$ randomly and calculate ${\sigma }_2=g^r$.

  2.

  Compute $w=u_0{\displaystyle \prod _{j=1}^n}{u}_j^{m_j}$, $T={(p{k}_A)}^{k_{S,1}{k}_{S,2}{H}_1(m,{\sigma }_2)}$ and $h=H_2(m,{\sigma }_2,T)$.

  3.

  Compute ${\sigma }_1=e(g^{k_{S,1}{k}_{S,2}}{(w{v}^h)}^r,p{k}_{V,1})$.

  4.

  Output a signature $\sigma =({\sigma }_1,{\sigma }_2,T)$ on m.

• $\mathbf{Verify}$: After receiving a signature $\sigma =({\sigma }_1,{\sigma }_2,T)$ on a n-bit message $m=(m_1,...,m_n)\in {\{0,1\}}^n$ from the signer, the designated verifier calculates $h=H_2(m,{\sigma }_2,T)$ and uses its private key $s{k}_V=(s{k}_{V,1},s{k}_{V,2})=(k_{V,1},k_{V,2})$ to verify whether

  $${\sigma }_1=e{(p{k}_{S,1},p{k}_{S,2})}^{k_{V,1}}e{(w{v}^h,{\sigma }_2)}^{k_{V,1}}.$$

  If it holds, the designated verifier believes that $\sigma$ is legal and outputs 1; else, the designated verifier considers $\sigma$ to be illegal and outputs 0.
• $\mathbf{Sim}$: To produce a simulated signature on a message $m=(m_1,...,m_n)\in {\{0,1\}}^n$, the designated verifier performs the following:

  1.

  Select $s\in Z_p$ randomly and compute ${\sigma }_2^{{}^{\prime }}=g^s$.

  2.

  Compute $w=u_0{\displaystyle \prod _{j=1}^n}{u}_j^{m_j}$, $T^{{}^{\prime }}={(p{k}_A)}^{k_{V,1}{k}_{V,2}{H}_1(m,{\sigma }_2^{{}^{\prime }})}$ and $h{}^{\prime }=H_2(m,{\sigma }_2^{{}^{\prime }},T^{{}^{\prime }})$.

  3.

  Compute ${\sigma }_1^{{}^{\prime }}=e{(p{k}_{S,1},p{k}_{S,2})}^{k_{V,1}}e{(w{v}^{h^{{}^{\prime }}},{\sigma }_2^{{}^{\prime }})}^{k_{V,1}}$.

  4.

  Output a simulated signature ${\sigma }^{{}^{\prime }}=({\sigma }_1^{{}^{\prime }},{\sigma }_2^{{}^{\prime }},T^{{}^{\prime }})$ on m.

Correctness: If $\sigma =({\sigma }_1,{\sigma }_2,T)$ is correctly produced by the $\mathbf{Sign}$ algorithm, then we have

$$\begin{array}{cc}{\sigma }_1\hfill & =e(g^{k_{S,1}{k}_{S,2}}{(w{v}^h)}^r,p{k}_{V,1})\hfill \\ & =e(g^{k_{S,1}{k}_{S,2}},g^{k_{V,1}})e({(w{v}^h)}^r,g^{k_{V,1}})\hfill \\ & =e{(g^{k_{S,1}},g^{k_{S,2}})}^{k_{V,1}}e{(w{v}^h,g^r)}^{k_{V,1}}\hfill \\ & =e{(p{k}_{S,1},p{k}_{S,2})}^{k_{V,1}}e{(w{v}^h,{\sigma }_2)}^{k_{V,1}}.\hfill \end{array}$$

The above equation indicates that the signature $\sigma$ of message m generated by the signer using the private key $s{k}_S$ can be verified by the signature verification algorithm $\mathbf{Verify}$. That is, $\sigma$ is a legal signature.

If ${\sigma }^{{}^{\prime }}=({\sigma }_1^{{}^{\prime }},{\sigma }_2^{{}^{\prime }},T^{{}^{\prime }})$ is correctly produced by the $\mathbf{Sim}$ algorithm, then we have

$${\sigma }_1^{{}^{\prime }}=e{(p{k}_{S,1},p{k}_{S,2})}^{k_{V,1}}e{(w{v}^{h^{{}^{\prime }}},{\sigma }_2^{{}^{\prime }})}^{k_{V,1}}.$$

It shows that the simulated signature ${\sigma }^{{}^{\prime }}$ produced by the designated verifier using its private key $s{k}_V$ can also be verified by the signature verification algorithm $\mathbf{Verify}$. Therefore, the SDVS-USU scheme satisfies correctness.

Compared with the previous similar schemes, the novelty of the SDVS-USU scheme is as follows:

• In the $\mathbf{Sign}$ algorithm, $h=H_2(m,{\sigma }_2,T)$ is embedded in a part ${\sigma }_1=e(g^{k_{S,1}{k}_{S,2}}{(w{v}^h)}^r,p{k}_{V,1})$ of a signature $\sigma =({\sigma }_1,{\sigma }_2,T)$. Since the hash function $H_2$ is collision-resistant, any modification of m, ${\sigma }_2$ and T will make $\sigma$ fail the signature verification equation. In other words, an attacker cannot generate a legitimate signature for a previously signed message if the attacker does not know the private key of the signer or the designated verifier. Hence, the SDVS-USU scheme possesses strong unforgeability.
• The value $T={(p{k}_A)}^{k_{S,1}{k}_{S,2}{H}_1(m,{\sigma }_2)}$ contains the arbiter’s public key $p{k}_A$, the signer’s private key $s{k}_S=(s{k}_{S,1},s{k}_{S,2})$ and the hash value $H_1(m,{\sigma }_2)$, which shows that only the arbiter can use its own private key $s{k}_A$ and T to identify the real generator in a signature. In addition, $H_1$ and $H_2$ are two collision-resistant hash functions, and T is a part of $h=H_2(m,{\sigma }_2,T)$ and the signature $\sigma =({\sigma }_1,{\sigma }_2,T)$. Therefore, any modification of the value T will result in the failure of the validation of the signature $\sigma$. That is, the SDVS-USU scheme provides undeniability.
• The Waters’ scheme [28] is malleable and satisfies existential unforgeability in the standard model. The proposed SDVS scheme is based on Waters’ scheme [28], but the SDVS-USU scheme is no-malleable and strongly unforgeable in the standard model. Therefore, the SDVS-USU scheme is different from Waters’ scheme [28] in terms of design and security proof.

5. Security Analysis

In this section, we demonstrate that the SDVS-USU scheme holds strong unforgeability, non-transferability, PSI and undeniability.

Theorem 1.

If the BDH assumption holds, then the SDVS-USU scheme is strongly unforgeable against adaptive chosen message attacks in the standard model.

Proof of Theorem 1.

Suppose there exists a polynomial-time adversary $\mathcal{F}$ who breaks the strong unforgeability of the SDVS-USU scheme with non-negligible probability, where $\mathcal{F}$ can make at most $q_S$ signing queries, $q_{Sim}$ simulating queries and $q_V$ verifying queries. Then, we construct another algorithm $\mathcal{C}$ who can solve the BDH problem by using the $\mathcal{F}$’s forgery. Given a random BDH problem instance $(g,g^a,g^b,g^c)\in G_1^4$, the goal of $\mathcal{C}$ is to calculate $e{(g,g)}^{abc}$. $\mathcal{C}$ will act as $\mathcal{F}$’s challenger and respond to $\mathcal{F}$’s queries as follows.

• Setup: $\mathcal{C}$ simulates the algorithm $\mathbf{Setup}$ in the following way.

  1.

  Select $k(0\le k\le n)$ randomly, and set $l=4(q_S+q_{Sim}+q_V)$ to satisfy $l(n+1)<p$.

  2.

  Select two random values $k_1,k_2\in Z_p$, and set the signer’s public key $p{k}_S=(p{k}_{S,1},p{k}_{S,2})=(g^a,g^b)$, the designated verifier’s public key $p{k}_V=(p{k}_{V,1},p{k}_{V,2})=(g^c,g^{k_2})$ and the arbiter’s public key $p{k}_A=g^{k_1}$. Note that a, b and c are unknown to $\mathcal{C}$.

  3.

  Select $x_0,x_1,...,x_n\in Z_l$ and $y_0,y_1,...$, $y_n\in Z_p$ randomly.

  4.

  Select a random integer $z\in Z_p$, assign $v=g^z$, $u_0={(g^b)}^{p-kl+x_0}{g}^{y_0}$ and $u_j={(g^b)}^{x_i}{g}^{y_i}$ for $1\le j\le n$, and set a vector $\overrightarrow{u}=(u_1,...,u_n)$.

  5.

  Pick two collision-resistant hash functions $H_1:{\{0,1\}}^{\ast }\times G_1\to Z_p$ and $H_2:{\{0,1\}}^{\ast }\times G_1\times G_1\to Z_p$.

  6.

  Send the public parameters $params=(G_1,G_2,p$, $g,e,u_0,v,\overrightarrow{u},H_1,H_2)$ and $(p{k}_S,p{k}_V,p{k}_A)$ to $\mathcal{F}$.

  For a n-bit message $m=(m_1,...,m_n)$, we define two functions

  $$F(m)=(p-lk)+x_0+\sum _{j=1}^n{x}_j{m}_j,$$

  $$J(m)=y_0+\sum _{j=1}^n{y}_j{m}_j.$$
  Hence, we obtain the following equation

  $$w=u_0{\displaystyle \prod _{j=1}^n}{u}_j^{m_j}={(g^b)}^{F(m)}{g}^{J(m)}.$$
• Signing queries: When $\mathcal{F}$ issues a signature query on a message $m_i=(m_{i,1},...,m_{i,n})\in {\{0,1\}}^n$, $\mathcal{C}$ computes the value of $F(m_i)$. Note that if $F(m_i)=0modp$, there exists an unique value $0\le k\le n$ such that $F(m_i)=0modl$. On the other hand, $F(m_i)\ne 0modl$ implies $F(m_i)\ne 0modp$. If $F(m_i)$$=0modl$, $\mathcal{C}$ aborts. If $F(m_i)\ne 0modl$, $\mathcal{C}$ first searches $m_i$ in Table $T_r$ which is initially empty. If there is a tuple $(m_i,r_i)$ in $T_r$, $\mathcal{C}$ extracts $r_i$ from $T_r$; otherwise, $\mathcal{C}$ randomly selects $r_i\in Z_p$ and adds $(m_i,r_i)$ in $T_r$. Then, $\mathcal{C}$ picks a random element $T_i\in G_1$, and computes $w_i=u_0{\displaystyle \prod _{j=1}^n}{u}_j^{m_{i,j}}$, ${\sigma }_{i,2}={(g^a)}^{\frac{-1}{F(m_i)}}{g}^{r_i}$, $h_i=H_2(m_i,{\sigma }_{i,2},T_i)$ and

  $${\sigma }_{i,1}=e({(g^a)}^{\frac{-J(m_i)-z{h}_i}{F(m_i)}}{(w_i{v}^{h_i})}^{r_i},p{k}_{V,1}).$$

  Finally, $\mathcal{C}$ returns a signature ${\sigma }_i=({\sigma }_{i,1},{\sigma }_{i,2},T_i)$ on $m_i$ to $\mathcal{F}$. Correctness: We show that ${\sigma }_i=({\sigma }_{i,1},{\sigma }_{i,2},T_i)$ is a valid signature on $m_i$ as follows:

  $$\begin{array}{cc}\hfill {\sigma }_{i,2}\hfill & ={(g^a)}^{\frac{-1}{F(m_i)}}{g}^{r_i}=g^{r_i-\frac{a}{F(m_i)}}=g^{{\widehat{r}}_i},\hfill \\ \hfill h_i\hfill & =H_2(m_i,{\sigma }_{i,2},T_i),\hfill \\ \hfill {\sigma }_{i,1}\hfill & =e({(g^a)}^{\frac{-J(m_i)-z{h}_i}{F(m_i)}}{(w_i{v}^{h_i})}^{r_i},p{k}_{V,1})\hfill \\ & =e((g^{ab})(g^{-ab}){(g^a)}^{\frac{-J(m_i)-z{h}_i}{F(m_i)}}{(w_i{v}^{h_i})}^{r_i},g^c)\hfill \\ & =e(g^{ab}{(g^{bF(m_i)}{g}^{J(m_i)}{g}^{z{h}_i})}^{\frac{-a}{F(m_i)}}{(w_i{v}^{h_i})}^{r_i},g^c)\hfill \\ & =e(g^{ab}{(w_i{v}^{h_i})}^{\frac{-a}{F(m_i)}}{(w_i{v}^{h_i})}^{r_i},g^c)\hfill \\ & =e(g^{ab}{(w_i{v}^{h_i})}^{r_i-\frac{a}{F(m_i)}},g^c)\hfill \\ & =e(g^{ab}{(w_i{v}^{h_i})}^{\widehat{r}},g^c)\hfill \\ & =e{(g^a,g^b)}^{c}e{(w_i{v}^{h_i},g^{\widehat{r}})}^c\hfill \\ & =e{(p{k}_{S,1},p{k}_{S,2})}^{c}e{(w_i{v}^{h_i},{\sigma }_{i,2})}^c.\hfill \end{array}$$
• Simulating queries: $\mathcal{C}$ responds to this kind of query in the same way as in Signing queries.
• Verifying queries: $\mathcal{F}$ requests a verification query on a signature ${\sigma }_i=({\sigma }_{i,1},{\sigma }_{i,2},T_i)$ on a message $m_i=(m_{i,1},...,m_{i,n})\in {\{0,1\}}^n$. If $F(m_i)=0modl$, $\mathcal{C}$ aborts. Otherwise, $\mathcal{C}$ finds $(m_i,r_i)$ in Table $T_r$ and extracts $r_i$ from $T_r$. Then, $\mathcal{C}$ computes $h_i=H_2(m_i,{\sigma }_{i,2},T_i)$, $F(m_i)$ and $J(m_i)$, and checks whether ${\sigma }_{i,1}=e({(g^a)}^{\frac{-J(m_i)-z{h}_i}{F(m_i)}}{({(g^b)}^{F(m_i)}{g}^{J(m_i)}{v}^{h_i})}^{r_i},g^c).$
  If this equation holds, $\mathcal{C}$ returns 1 to $\mathcal{F}$; otherwise, $\mathcal{C}$ returns 0 to $\mathcal{F}$.
• Output: $\mathcal{F}$ outputs a forged signature ${\sigma }^{\ast }=({\sigma }_1^{\ast },{\sigma }_2^{\ast },T^{\ast })$ on a message $m^{\ast }=(m_1^{\ast },...,m_n^{\ast })\in {\{0,1\}}^n$. If $F(m^{\ast })\ne 0modp$, $\mathcal{C}$ aborts. Otherwise, $\mathcal{C}$ calculates $w^{\ast }=u_0{\displaystyle \prod _{j=1}^n}{u}_j^{m_j^{\ast }}$ and $h^{\ast }=H_2(m^{\ast },{\sigma }_2^{\ast },T^{\ast })$, and outputs $e{(g,g)}^{abc}$ as follows:

  $$\begin{array}{cc}\hfill \frac{{\sigma }_1^{\ast }}{e{(g^c,{\sigma }_2^{\ast })}^{J(m^{\ast })+z{h}^{\ast }}}=& \frac{e{(g^a,g^b)}^{c}e{(w^{\ast }{v}^{h^{\ast }},g^{r^{\ast }})}^c}{e{(g^c,g^{r^{\ast }})}^{J(m^{\ast })+z{h}^{\ast }}}\hfill \\ \hfill =& \frac{e{(g^a,g^b)}^{c}e{({(g^b)}^{F(m^{\ast })}{g}^{J(m^{\ast })}{g}^{z{h}^{\ast }},g^{r^{\ast }})}^c}{e{(g^c,g^{r^{\ast }})}^{J(m^{\ast })+z{h}^{\ast }}}\hfill \\ \hfill =& \frac{e{(g,g)}^{abc}e{(g^{J(m^{\ast })}{g}^{z{h}^{\ast }},g^{r^{\ast }})}^c}{e{(g^{J(m^{\ast })+z{h}^{\ast }},g^{r^{\ast }})}^c}(\mathrm{since}F(m^{\ast })=0modp)\hfill \\ \hfill =& e{(g,g)}^{abc}.\hfill \end{array}$$

Here, we discuss the probability of $\mathcal{C}$ successfully solving the BDH problem instance. If $\mathcal{C}$ does not abort in the above simulation, then the following conditions must hold:

• $E_i$: $F(m_i)\ne 0modl$ during the Signing, Simulating and Verifying queries.
• $E^{\ast }$: $F(m^{\ast })=0modp$ in the forgery phase.
  Hence, the probability that $\mathcal{C}$ completes the whole simulation is $Pr[E_i\cap E^{\ast }]$. According to Waters’ proof [21], we have

  $$\begin{array}{cc}\hfill Pr[E_i\cap E^{\ast }]=& Pr[\bigcap _{i=1}^{q_S+q_{Sim}+q_V}F(m_i)\ne 0modl\cap F(m^{\ast })=0modp]\hfill \\ \hfill =& Pr[\bigcap _{i=1}^{q_S+q_{Sim}+q_V}F(m_i)\ne 0modl]Pr[F(m^{\ast })=0modp|\bigcap _{i=1}^{q_S+q_{Sim}+q_V}F(m_i)\ne 0modl]\hfill \\ \hfill \ge & (1-\frac{q_S+q_{Sim}+q_V}{l})(\frac{1}{(n+1)}\frac{1}{l}(1-\frac{q_S+q_{Sim}+q_V}{l}))\hfill \\ \hfill =& \frac{1}{(n+1)}\frac{1}{l}{(1-\frac{q_S+q_{Sim}+q_V}{l})}^2\hfill \\ \hfill \ge & \frac{1}{(n+1)}\frac{1}{l}(1-\frac{2(q_S+q_{Sim}+q_V)}{l})\hfill \\ \hfill =& \frac{1}{(n+1)}\frac{1}{4(q_S+q_{Sim}+q_V)}(1-\frac{2(q_S+q_{Sim}+q_V)}{4(q_S+q_{Sim}+q_V)})\hfill \\ \hfill =& \frac{1}{8(n+1)(q_S+q_{Sim}+q_V)}.\hfill \end{array}$$

Therefore, if $\mathcal{F}$ breaks the strong unforgeability of the SDVS-USU scheme with probability $\epsilon$, then $\mathcal{C}$ can solve the BDH problem with probability at least $\frac{\epsilon }{8(n+1)(q_S+q_{Sim}+q_V)}$. □

Theorem 2.

The SDVS-USU scheme is non-transferable.

Proof of Theorem 2.

The form of the original signature $\sigma$ for a message m is

$$({\sigma }_1,{\sigma }_2,T)=(e(g^{k_{S,1}{k}_{S,2}}{(w{v}^h)}^r,p{k}_{V,1}),g^r,{(p{k}_A)}^{k_{S,1}{k}_{S,2}{H}_1(m,{\sigma }_2)}),$$

and the form of the simulated signature ${\sigma }^{{}^{\prime }}$ on m is

$$\begin{array}{c}({\sigma }_1^{{}^{\prime }},{\sigma }_2^{{}^{\prime }},T^{{}^{\prime }})=(e{(p{k}_{S,1},p{k}_{S,2})}^{k_{V,1}}e{(w{v}^{h^{{}^{\prime }}},{\sigma }_2^{{}^{\prime }})}^{k_{V,1}},g^s,{(p{k}_A)}^{k_{V,1}{k}_{V,2}{H}_1(m,{\sigma }_2^{{}^{\prime }})}).\hfill \end{array}$$

The randomness of $({\sigma }_1,{\sigma }_2,T)$ is determined by the random value $r\in Z_p$, and the randomness of $({\sigma }_1^{{}^{\prime }},{\sigma }_2^{{}^{\prime }},T^{{}^{\prime }})$ depends on the random value $s\in Z_p$. Since r and s are randomly selected from $Z_p$, the distribution of the real signature $({\sigma }_1,{\sigma }_2,T)$ and the simulated signature $({\sigma }_1^{{}^{\prime }},{\sigma }_2^{{}^{\prime }},T^{{}^{\prime }})$ is computationally indistinguishable. Namely, it is infeasible to distinguish $\sigma$ and ${\sigma }^{{}^{\prime }}$ without knowing the private key of the signer, the designated verifier or the arbiter. Hence, the SDVS-USU scheme satisfies the non-transferable property. □

Theorem 3.

Our SDVS scheme is secure against the privacy of the signer’s identity under the DBDH assumption.

Proof of Theorem 3.

Suppose there exists a PPT distinguisher $\mathcal{D}$ who breaks the privacy of the signer’s identity of the SDVS-USU scheme. Then, we can construct an algorithm $\mathcal{B}$ to solve the DBDH problem. Given a random instance $(g,g^a,g^b,g^c,Z)$ of the DBDH problem, where unknown $a,b,c\in Z_p$ and $Z\in G_2$, the $\mathcal{B}$’s goal is to determine if Z is equal to $e{(g,g)}^{abc}$.

• Setup: $\mathcal{B}$ simulates the $\mathbf{Setup}$ algorithm by performing the following steps:

  1.

  Choose $n+2$ random integers $z,y_0,y_1,...$, $y_n\in Z_p$, and set $v=g^z$, $u_0=g^{y_0}$ and a vector $\overrightarrow{u}=(u_1,...,u_n)$, where $u_j=g^{y_j}$ for $1\le j\le n$.

  2.

  Select four random values $k_1,k_2,k_3,k_4\in Z_p$, and set the signer $S_0$’s public key $p{k}_{S_0}=(p{k}_{S_0,1},p{k}_{S_0,2})$$=(g^a,g^b)$, the signer $S_1$’s public key $p{k}_{S_1}=(p{k}_{S_1,1},p{k}_{S_1,2})=(g^{k_1},g^{k_2})$, the designated verifier’s public key $p{k}_V=(p{k}_{V,1},p{k}_{V,2})=(g^c,g^{k_3})$ and the arbiter’s public key $p{k}_A=g^{k_4}$. Note that a, b and c are unknown to $\mathcal{B}$.

  3.

  Set $s{k}_{S_0\leftrightarrow V}=Z$ as the common secret key between $S_0$ and V, and $s{k}_{S_1\leftrightarrow V}=e{(g^{k_1},g^c)}^{k_2}$ as the common secret key between $S_1$ and V.

  4.

  Pick two collision-resistant hash functions $H_1:{\{0,1\}}^{\ast }\times G_1\to Z_p$ and $H_2:{\{0,1\}}^{\ast }\times G_1\times G_1\to Z_p$.

  5.

  Send the public parameters $params=(G_1,G_2,p$, $g,e,u_0,v,\overrightarrow{u},H_1,H_2)$ and $(p{k}_{S_0},p{k}_{S_1},p{k}_V,p{k}_A)$ to $\mathcal{D}$.

  For a message $m=(m_1,...,m_n)\in {\{0,1\}}^n$, we also define a function $L(m)=y_0+{\sum }_{j=1}^n{y}_j{m}_j$, and thus we have $w=u_0{\displaystyle \prod _{j=1}^n}{u}_j^{m_j}=g^{L(m)}$.

• Query phase 1: $\mathcal{B}$ answers $\mathcal{D}$’s queries as follows.

  -

  Signing queries: When $\mathcal{D}$ issues a signature query on a message $m_i=(m_{i,1},...,m_{i,n})\in {\{0,1\}}^n$ and an index $d_i\in \{0,1\}$, $\mathcal{B}$ does the following.

  1.

  Select a random integer $r_i\in Z_p$, and compute ${\sigma }_{i,2}=g^{r_i}$.

  2.

  Pick a random element $T_i\in G_1$, and compute $w_i=u_0{\displaystyle \prod _{j=1}^n}{u}_j^{m_{i,j}}$ and $h_i=H_2(m_i,{\sigma }_{i,2}$, $T_i)$.

  3.

  Compute ${\sigma }_{i,1}=s{k}_{S_{d_i}\leftrightarrow V}·e{(w_i{v}^{h_i},g^c)}^{r_i}$.

  4.

  Return a signature ${\sigma }_i=({\sigma }_{i,1},{\sigma }_{i,2},T_i)$ on $m_i$ to $\mathcal{D}$.

  -

  Simulating queries: $\mathcal{B}$ responds to this query in the same way as in Signing queries.

  -

  Verifying queries: On receiving a signature ${\sigma }_i=({\sigma }_{i,1},{\sigma }_{i,2},T_i)$ of a message $m_i=(m_{i,1},...,m_{i,n})\in {\{0,1\}}^n$ and a value $d_i\in \{0,1\}$, $\mathcal{B}$ first calculates $w_i=u_0{\displaystyle \prod _{j=1}^n}{u}_j^{m_{i,j}}$, $h_i=H_2(m_i,{\sigma }_{i,2},T_i)$ and $L(m_i)$. Then, $\mathcal{B}$ uses $s{k}_{S_{d_i}\leftrightarrow V}$ to verify whether

  $${\sigma }_{i,1}=s{k}_{S_{d_i}\leftrightarrow V}·e{({\sigma }_{i,2},g^c)}^{L(m_i)+z{h}_i}.$$

  If this equation holds, indicating ${\sigma }_i$ is valid, $\mathcal{B}$ sends 1 to $\mathcal{D}$; otherwise, $\mathcal{B}$ returns 0 to $\mathcal{D}$.

  Correctness: We show that the above signature ${\sigma }_i=({\sigma }_{i,1},{\sigma }_{i,2},T_i)$ produced by the Signing query is correct since

  $$\begin{array}{cc}\hfill {\sigma }_{i,1}\hfill & =s{k}_{S_{d_i}\leftrightarrow V}·e{(w_i{v}^{h_i},g^c)}^{r_i}\hfill \\ & =s{k}_{S_{d_i}\leftrightarrow V}·e{(g^{L(m_i)}{g}^{z{h}_i},g^c)}^{r_i}\hfill \\ & =s{k}_{S_{d_i}\leftrightarrow V}·e{(g^{r_i},g^c)}^{L(m_i)+z{h}_i}\hfill \\ & =s{k}_{S_{d_i}\leftrightarrow V}·e{({\sigma }_{i,2},g^c)}^{L(m_i)+z{h}_i}.\hfill \end{array}$$

• Challenge: When $\mathcal{D}$ submits a challenge message $m^{\ast }=(m_1^{\ast },...,m_n^{\ast })$, $\mathcal{B}$ proceeds as follows:

  1.

  Pick $r^{\ast }\in Z_p^{\ast }$ randomly, and compute ${\sigma }_2^{\ast }=g^{r^{\ast }}$.

  2.

  Pick a random element $T^{\ast }\in G_1$, and compute $w^{\ast }=u_0{\displaystyle \prod _{j=1}^n}{u}_j^{m_j^{\ast }}$ and $h^{\ast }=H_2(m^{\ast },{\sigma }_2^{\ast },T^{\ast })$.

  3.

  Flip a fair coin to obtain a random bit $d\in \{0,1\}$.

  4.

  Compute ${\sigma }_1^{\ast }=s{k}_{S_d\leftrightarrow V}·e{(w^{\ast }{v}^{h^{\ast }},g^c)}^{r^{\ast }}$.

  5.

  Return a signature ${\sigma }^{\ast }=({\sigma }_1^{\ast },{\sigma }_2^{\ast },T^{\ast })$ on $m^{\ast }$ to $\mathcal{D}$.

• Query phase 2: $\mathcal{D}$ continues to issue various queries as in Query phase 1 except that $\mathcal{D}$ cannot make a signature verification query on $(m^{\ast },{\sigma }^{\ast },d^{\ast })$ for any $d^{\ast }\in \{0,1\}$.
• Output: $\mathcal{D}$ outputs a value $d^{{}^{\prime }}\in \{0,1\}$. If $d=d^{{}^{\prime }}$, indicating $Z=e{(g,g)}^{abc}$, $\mathcal{B}$ outputs 1; else, indicating Z is a random element in $G_2$, $\mathcal{B}$ outputs 0.

From the above simulation, we can see that $\mathcal{B}$ does not exit in the whole simulation. Therefore, if $\mathcal{D}$ breaks the PSI property of the SDVS-USU scheme with probability $\epsilon$, then $\mathcal{B}$ can solve the DBDH problem instance with probability of $\frac{1}{2}+\epsilon$. □

Theorem 4.

The SDVS-USU scheme is undeniable.

Proof of Theorem 4.

On receiving a disputed signature $\tilde{\sigma }=({\tilde{\sigma }}_1,{\tilde{\sigma }}_2,\tilde{T})$ on a message $\tilde{m}$, the arbiter performs the following:

1.

Obtain the signer’s public key $p{k}_S=(p{k}_{S,1},p{k}_{S,2})=(g^{k_{S,1}},g^{k_{S,2}})$ and the designated verifier’s public key $p{k}_V=(p{k}_{V,1},p{k}_{V,2})=(g^{k_{V,1}},g^{k_{V,2}})$.

2.

Compute $T_S=e{(p{k}_{S,1},p{k}_{S,2})}^{k_A{H}_1(\tilde{m},{\tilde{\sigma }}_2)}$ and $T_V=e{(p{k}_{V,1},p{k}_{V,2})}^{k_A{H}_1(\tilde{m},{\tilde{\sigma }}_2)}$, where $k_A$ is the arbiter’s private key.

3.

Check $e(\tilde{T},g)=T_S$ or $e(\tilde{T},g)=T_V$. If $e(\tilde{T},g)=T_S$, the arbiter confirms $\tilde{\sigma }$ is created by the signer. If $e(\tilde{T},g)=T_V$, the arbiter confirms $\tilde{\sigma }$ is produced by the designated verifier.

In the proposed scheme, a signature from the signer has the form $T={(p{k}_A)}^{k_{S,1}{k}_{S,2}{H}_1(m,{\sigma }_2)}$, while a signature from the designated verifier has the form $T^{{}^{\prime }}={(p{k}_A)}^{k_{V,1}{k}_{V,2}{H}_1(m,{\sigma }_2^{{}^{\prime }})}$. The arbiter can independently prove the real signer of any valid signature by verifying $e(\tilde{T},g)=T_S$ or $e(\tilde{T},g)=T_V$ with probability 1. Therefore, the SDVS-USU scheme holds the undeniability property. □

6. Comparison

The SDVS-USU scheme is compared with other SDVS schemes [14,18,20] in terms of performance and security properties. In

Table 1. Comparison of performance.

Scheme	Size	Sign	Verify
Scheme I in [7]	$4|q|+|p|$	$5E_p$	$8E_p$
Scheme II in [7]	$3|q|+|p|$	$8E_p$	$9E_p$
Asaar et al. [11]	$|G_1|+|G_2|$	$2E_1+P$	$E_2+P$
Scheme I in [13]	$|p|+4|G_1|$	$6E_1$	$3E_1+2P$
Scheme II in [13]	$|p|+3|G_1|$	$5E_1$	$2E_1+2P$
Our scheme	$2|G_1|+|G_2|$	$4E_1+P$	$E_1+E_2+P$

and

Table 2. Comparison of security properties.

Scheme	SU	PSI	SM	Undeniability
Scheme I in [7]	Yes	No	No	Yes
Scheme II in [7]	Yes	No	No	Yes
Asaar et al. [11]	No	No	Yes	No
Scheme I in [13]	Yes	Yes	Yes	No
Scheme II in [13]	Yes	Yes	Yes	No
Our scheme	Yes	Yes	Yes	Yes

, the Size, Sign and Verify columns represent the size of a signature, and the computational cost of signature generation and signature verification, respectively. The SU column shows whether the scheme is strongly unforgeable. The PSI column indicates whether the scheme has the PSI property. The Undeniability column shows whether the scheme is undeniable. The SM column indicates whether the scheme is secure in the standard model. Let p and q be two primes such that $p=2q+1$. Since the computational cost of some cryptographic operations such as modular multiplication, hash function or inverse is relatively small after being optimized by various technologies [34], we consider only the computationally expensive bilinear pairing and exponentiation operations in Table 1. We use the symbol P to denote one paring operation. $E_1$, $E_2$ and $E_p$ denote one exponentiation operation in $G_1$, $G_2$ and $Z_p$, respectively. $|G_1|$, $|G_2|$, $|p|$ and $|q|$ represent the length of an element in $G_1$, $G_2$, $Z_p$ and $Z_q$, respectively.

As can be seen in Table 1 and Table 2, two SDVS schemes of Hu et al. [14] outperform other schemes in both signature length and computational overhead, but their two schemes are not proven to be secure in the standard model. For the length of signature, the SDVS-USU scheme has one more element in $G_1$ than Asaar et al.’s scheme [18] but is superior to Tian et al.’s two schemes [20]. The SDVS-USU scheme is able to perform some pre-computation, such as $g^{k_{S,1}{k}_{S,2}}$ in the signature generation phase and $e{(p{k}_{S,1},p{k}_{S,2})}^{k_{V,1}}$ in the verification phase. Thus, the SDVS-USU scheme has comparable computation complexity with other schemes [18,20]. However, Asaar et al.’s scheme [18] does not have strong unforgeability and the PSI property. Moreover, none of Asaar et al.’s scheme [18] and Tian et al.’s [20] schemes holds the undeniable property. The SDVS-USU scheme has strong unforgeability and the PSI property in the standard model. Moreover, it achieves undeniability. Therefore, the SDVS-USU scheme has stronger security.

We carried out simulation experiments to evaluate the performance of the SDVS-USU scheme. The experimental environment was a laptop with Intel Core i7-6500 [email protected] GHz and 8 GB memory. All simulation programs running on Microsoft Windows 10 operating system were based on PBC-0.47-VC library.

Figure 1 illustrates that the signature size of the SDVS-USU scheme, Asaar et al.’s scheme [18] and Tian et al.’s two schemes [20] is 384 bits, 256 bits, 532 bits and 404 bits, respectively. Hence, the SDVS-USU scheme has shorter signature length.

As shown in Figure 2, the length of the signer’s private key in the SDVS-USU scheme is 40 bits, which is the same as that of Asaar et al.’s scheme [18] but larger than that of Tian et al.’s two schemes [20]. Moreover, the length of the designated verifier’s private key in the SDVS-USU scheme is 40 bits, which is larger than that of Asaar et al.’s scheme [18] but smaller than that of Tian et al.’s two schemes [20].

In the signing phase, Asaar et al.’s scheme [18] requires two exponentiations and one pairing operation. The first SDVS scheme and the second SDVS scheme of Tian et al. [20] need six and five exponentiations, respectively. The SDVS-USU scheme requires four exponentiations and one pairing operation. Figure 3 shows that the computational performance of signature generation in the SDVS-USU scheme is comparable with other schemes [18,20].

We consider the optimization of the verifying process by pre-computing so that the signature verification algorithm of each scheme achieves the highest performance. In the verification phase, Asaar et al.’s scheme [18] actually requires one exponentiation and one pairing operation. The first SDVS scheme of Tian et al. [20] needs three hash functions, three exponentiations, one inverse and two pairing operations. The second SDVS scheme of Tian et al. [20] requires three hash functions, two exponentiations, one inverse and two pairing operations. The SDVS-USU scheme requires two exponentiations and one pairing operation. Figure 4 demonstrates that the computational cost of signature verification of the SDVS-USU scheme is more than that of Asaar et al.’s scheme [18] but less than Tian et al.’s two schemes [20].

7. Application in Outsourcing Computing in Cloud Computing

Cloud computing has strong computing power and storage capacity of big data. However, the cloud service provider (CSP) is not trusted by the user, and may steal the user’s private information or deceive the user. Cloud computing allows resource-constrained users to outsource expensive computations to the CSP. Hence, it is very important to ensure the integrity of the computing task and the authenticity of the remote user’s identity. Due to the limited computing ability of the user, the heavy computing task is outsourced to the CSP to complete. The CSP is able to authenticate a computing task outsourced by the user through a signature-based protocol. For the protection of private information, the user wants the designated CSP to be the only entity that can verify the legality of the signature on a computing task, and the CSP cannot reveal the signature to any third party at will. Since the ordinary digital signature has public verifiability and transferability, anyone can verify the validity of signatures by using the public key of the signer and obtain the real identity of the signer. Obviously, the ordinary digital signature scheme is not suitable for this scenario. The SDVS scheme is considered as one of the solutions to these problems, which can provide secret authentication service to the user in an outsourcing computation task. SDVS guarantees that a designated CSP can validate the user’s signature on a computing task. At the same time, it ensures that the designated CSP does not convince others that the user is involved in a computing task.

However, most of the SDVS schemes cannot identify the real signature generator when the user and the cloud service provider dispute a signature, which may cause huge economic losses to the user or the CSP. Hence, the SDVS scheme without undeniability cannot handle a controversial computing task. For example, if the user denies the submission of a computing task for some reasons, then the CSP is forced to stop it. At the same time, if the CSP forges a user’s signature on the computing task, then the user will take on the responsibility to pay for expensive computing cost. These economic losses are undesirable to the user or the CSP. The SDVS-USU scheme given in Section 3.2 is undeniable and strongly unforgeable, so it is more suitable for outsourcing computation in a cloud computing environment. The system model of outsourcing computation in cloud computing based on the SDVS-USU scheme is shown in Figure 5.

There are three entities in the system: the user, the CSP and the arbiter. The process of outsourcing calculation is as follows.

1.

A user with limited computing resources uses his private key and the SDVS-USU scheme to generate a signature ${\sigma }_1$ for a computing task $m_1$ and sends $(m_1,{\sigma }_1)$ to the CSP.

2.

The CSP has powerful computing power. After verifying the validity of the signature ${\sigma }_1$ on $m_1$ to confirm this submission, the CSP performs the computational task of $m_1$. Then, the CSP uses its private key and the SDVS-USU scheme to generate the signature ${\sigma }_2$ of the corresponding calculation result $m_2$, and returns $(m_2,{\sigma }_2)$ to the user.

3.

If ${\sigma }_2$ is the valid signature of $m_2$, the user accepts the calculation result returned by the CSP; otherwise, the user refuses to accept $m_2$ and accuses the CSP of malicious behavior.

4.

For a controversial computing task, the arbiter determines whether the user or the CSP is responsible for the economic loss of the computing task based on $(m_1,{\sigma }_1)$ and $(m_2,{\sigma }_2)$.

The SDVS-USU scheme is easily implemented as a software in cloud computing environments. For example, the signature algorithm $\mathbf{Sign}$ is installed on the user side, and the verification algorithm $\mathbf{Vefify}$ is installed on the CSP side. On the one hand, the user sends the computing task and the corresponding signature to the designated CSP. On the other hand, only the designated CSP can check the integrity of the computing task and the authenticity of the user’s identity by verifying the validity of the signature, and vice versa. From the performance analysis results in Section 5, the SDVS-USU scheme has better computational performance while achieving the undeniable property. The length of the signer’s private key, the designated verifier private key and signature are 40 bits, 40 bits and 384 bits, respectively. If the message length is 900 bits, the time cost for signing and verifying is approximately 0.12 s and 0.06 s, respectively. At present, an ordinary laptop configuration is at least Intel Core i3 [email protected] GHz, 4 G memory and 256 GB hard disk storage space. The CSP has more computing power, thus the SDVS-USU scheme can be practically applied to cloud computing environments.

8. Conclusions

In this paper, we construct an undeniable SDVS scheme that satisfies strong unforgeability in the standard model. The performance analysis results show that the SDVS-USU scheme has better performance in terms of private key size, signature length and computational overhead. In the SDVS-USU scheme, strong unforgeability prevents hackers from using the existing message/signature pair to create a legal signature of the same message. Non-transferability ensures that hackers cannot know the identity of the real signer in a signature. PSI further protects the privacy of the signer’s identity. Undeniability ensures that the signer and the designated verifier cannot deny messages that they have previously sent. Therefore, our SDVS scheme can guarantee the integrity of outsourced computing tasks and authenticate the identity of users in cloud computing. In the future, we will design an instance scenario to illustrate the feasibility of implementing the SDVS-USU scheme in the real world.