A New Approach to Keep the Privacy Information of the Signer in a Digital Signature Scheme

In modern applications, such as Electronic Voting, e-Health, e-Cash, there is a need that the validity of a signature should be verified by only one responsible person. This is opposite to the traditional digital signature scheme where anybody can verify a signature. There have been several solutions for this problem, the first one is we combine a signature scheme with an encryption scheme; the second one is to use the group signature; and the last one is to use the strong designated verifier signature scheme with the undeniable property. In this paper, we extend the traditional digital signature scheme to propose a new solution for the aforementioned problem. Our extension is in the sense that only a designated verifier (responsible person) can verify a signer’s signature, and if necessary (in case the signer refuses to admit his/her signature) the designated verifier without revealing his/her secret key is able to prove to anybody that the signer has actually generated the signature. The comparison between our proposed solution and the three existing solutions shows that our proposed solution is the best one in terms of both security and efficiency.


Introduction
The digital signature scheme has been widely used in practical applications today. As a handwritten signature, the validity of a digital signature should be publicly verified by anyone. However, in some specific modern applications, such as Electronic Voting, e-Health, e-Cash, etc, we would like that only the responsible person can verify the validity of a signature. For example, in an Electronic Voting system (similarly for e-Health application, e-Payment application or e-Bidding application) where a responsible person (the host such as the government for example) usually would like to ask users (voters) to agree or disagree on a plan. To this aim, a voter signs on an agreeing or disagreeing message, then uploads his/her signature on a public server. However, in some specific plans, the voter is not willing to let other voters in the system know whether or not he/she agrees or disagrees on these plans. In fact, the voter would like that there is only one responsible person who can know whether or not he/she agrees or disagrees on a given plan. On the other hand, if necessary, in case the voter refuses to admit his/her signature, the responsible person without revealing his/her secret key should be able to prove to anybody that the voter has actually generated the signature. To deal with this problem, there exist several following methods: • Method 1: using additional a public key encryption scheme. A voter encrypts his/her signature under the public key of the responsible person, so only the responsible person with his/her corresponding secret key at hands can decrypt and then check the validity of the voter's signature.
Other voters in the system cannot decrypt, hence they cannot verify the voter's signature, or they cannot know whether or not the voter agrees or disagrees on a given plan. • Method 2: using the group signature scheme [1]. In a group signature scheme, a user in a group can generate a signature on behalf of the group, and only the group manager can know exactly who has actually generated the signature. So, if the group includes all users in the system and the responsible person plays the role of the group manager, only the responsible person can know whether or not the voter agrees or disagrees on a given plan. • Method 3: using the recently introduced strong designated verifier signature scheme [2] (SDVS for short). In a SDVS scheme, a signature only can be checked by a chosen designated verifier, but a signature can be generated by both the signer and the designated verifier. That means no one can tell a signature has been actually generated by the signer or the designated verifier. This special property is useful in some specific practical scenarios as mentioned in [2][3][4][5][6][7], however it is undesirable in some other scenarios such as Electronic Voting, e-Health, e-Payment applications. In fact, in the e-Voting system, if we use the SDVS scheme, then the responsible person (the host such as the government for example) will play the role of the designated verifier. Moreover, the responsible person also can generate the voter's signature. This leads to the fact that if the responsible person would like that a voter agrees on a given plan, he/she simply forges the signature of this voter, and the voter cannot prove to anybody that he/she actually hasn't generated this signature. In contrast, in some cases, the voter also can refuse that he/she has already generated this signature, and of course the responsible person also cannot prove that the voter has actually generated this signature. This obviously is not a desirable property for the e-Voting system. Recent works [8][9][10] extended the SDVS scheme to propose a new method to deal with the above problem, the proposed schemes are named SDVS schemes with the undeniable property. In this type of scheme, we have a judge who can decide that a given signature is generated by a signer or a designated verifier. This type of scheme can deal with well the disputing between the signer and designated verifier, it, however, has the shortcoming that the judgment should be honest (this could face problems when the scheme is used in practice), and obviously to maintain the judgment, the system has to pay the cost on the storage, computation complexity and communication overhead.
We also note that in method 2 and method 3, the user cannot generate the usual signature (anyone can verify the signature). So, when we use method 2 or method 3 in the e-Voting system for example, to support the functionality of generating the usual signature we have to use an additional traditional signature scheme.
We motivate from the aforementioned problem to ask a question that whether or not there exists an efficient signature scheme where a signer can freely choose to generate either a usual signature (anyone can verify this signature) or a designated verifier signature (only the designated verifier can verify this signature, and the designated verifier cannot generate this signature as in SDVS scheme). Moreover, if necessary, in case the signer refuses to admit his/her signature, the designated verifier without revealing his/her secret key is able to prove to anybody that the signer has actually produced the signature. Regarding the application, we believe that besides Electronic Voting, e-Health, e-Payment, this type of scheme could also find many other applications in practice.

Our Contribution
In this paper, we affirmatively answer the above question by proposing an efficient signature scheme where a user can choose to produce either a usual signature or a designated verifier signature. Concretely, our scheme has the following properties: • only the designated verifier can verify the signer's designated verifier signature, it, therefore, can keep the privacy information of the signer; • the designated verifier cannot forge the signer's designated verifier signature. This means that the responsible person cannot forge the voter's signature as in the case of Electronic Voting application; • in case the signer refuses to admit his/her designated verifier signature, the designated verifier without revealing his/her secret key is able to prove to anybody that the signer has actually generated this signature. By this way, there is no need to have a judgment in the system, and more importantly, this forces the signer to be honest; • the user can choose to generate either a usual signature or a designated verifier signature. That means our proposed scheme can be seen as an improvement of the traditional signature scheme in terms of functionality. Note that in the existing group signature scheme and SDVS scheme, the signer cannot generate the usual signature.
We name our scheme signer privacy-preserving digital signature scheme with undeniable property (SPPS for short) scheme. In our scheme, to achieve the privacy information of the signer, technically we prove that everyone (except the designated verifier) is not able to distinguish between the signer's designated verifier signature and random elements. That means everyone (except the designated verifier) cannot verify the signer's designated verifier signature. The comparison Table 1 shows that our proposed method is one of the most efficient ones: using additional encryption scheme (method 1-M1); using group signature (method 2-M2); and finally using SDVS schemes with undeniable property (method 3-M3). As shown in the comparison table, our scheme just needs two exponentiations for signing and three pairings for verifying. Note that the time to compute one pairing is very fast and it is practical even for lightweight devices. More precisely, we refer to Section 5.3 in the paper [11], where the authors have tested that the time to compute one paring using a weak device is about 5.5 ms and the time to compute one exponentiation in two groups G and G are about 6.4 ms and 0.6 ms, respectively. One also can argue that in method 1, if we use RSA or Elliptic-curve cryptography (ECC) for the signature and encryption schemes instead of Pairing-based cryptography, this method will be efficient. We however note that Pairing-based signature schemes provide more advanced properties than RSA or Elliptic-curve-based signature schemes (that is why Pairing-based signature schemes currently still have deeply studied) such that short signature size, randomizable signature, aggregate signature, full security in the standard model, etc. Fortunately, our scheme is an extension of the Pointcheval-Sanders signature scheme [12] which supports all the above-advanced properties, therefore our scheme naturally also supports all the above-advanced properties. In addition, when using method 1, the security of the combined scheme (signature scheme and encryption scheme) should be carefully considered.
We also note that our SPPS scheme can be applied in any context that the privacy of the signer is needed. Table 1. Performance comparison. Sig is a signature algorithm, Ver is a verification algorithm, Enc and Dec are encryption algorithm and decryption algorithm, respectively, while E denotes exponentiation operation, P denotes pairing operation, H denotes hash operation. |p|, |p |, |G| and | G| are the size of the prime p, p and the groups G, G. Note that if we set the security parameter λ = 80, then we can implement a curve of type 3 Pairing where |p |, |G| and | G| are about 170 bits, 170 bits and 1024 bits, while method 3 uses finite field where |p| is much more bigger than 170 bits (about 1024 bits) when the security parameter λ = 80, see [13] for more details. Regarding method 2, we use BBS scheme [14], which is one of the most efficient group signature scheme to date.

Related Work and Organization of the Paper
The anonymity of the signer is also supported in attribute-based signature scheme, which was first introduced in [15]. In this system, each user possesses a set of attributes and then receives a corresponding secret key from the authority. To generate a signature on a given message m, the user relies on his/her secret key and a predicate which is satisfied by his/her attribute set. That means any user whose attribute set satisfies this predicate is able to generate this signature. The anonymity of the signer here is in the sense that from a given signature, anybody only knows that there are a set of users who are able to generate this signature, anybody (even the authority) cannot know exactly who actually generated this signature. This is obviously not suitable for the contexts of e-Voting, e-Health, e-Bidding or e-Payment applications, where the responsible person needs to know exactly who has generated this signature.
Another scheme, which also supports the anonymity of signer, is the ring signature scheme [16]. In this scheme, a user can generate a signature on behalf of a public set of users, and no one can identify who has actually generated this signature. Different from group signature, in the ring signature scheme we do not have the group manager to identify the signature.
The last one which supports the anonymity of signer is the anonymous signature scheme, this scheme was introduced by Yang et al. [17]. The anonymity of the signer is achieved in the sense that to run the verification procedure the verifier needs both the signer's public key and the signed message. If we hide the signed message, no one can identify who has actually generated the signature. This is also not suitable for the contexts of Electronic Voting, e-Health, e-Bidding or e-Payment applications.
PAPER ORGANIZATION. The next section introduces the definition and security model of our SPPS scheme and some used tools to construct our scheme. The construction of our SPPS scheme and its security analysis are introduced in Section 3. We give the conclusion of the paper in the last Section 4.

Preliminaries
In this section, we present the security model of our SPPS scheme, the assumptions which are used to prove the security of our scheme, and some useful tools used to construct our scheme.

Definition
As in the usual signature scheme, a user in our scheme possesses a pair of the public key and secret key, as well as plays the roles of both the signer and the (designated) verifier. To generate the usual signature, the signer uses only his/her secret key as usual, however, to generate the designated verifier signature he/she uses both his/her secret key and the public key of the chosen designated verifier. To verify the usual signature, the verifier uses only the public key of the signer, however, to verify the designated verifier signature the designated verifier uses both the public key of the signer and his/her secret key. Moreover, in case the signer refuses to admit his/her designated verifier signature, the designated verifier uses his/her secret key to prove that the signer has actually generated this designated verifier signature.
Formally, there are seven probabilistic algorithms in our SPPS scheme.
• Setup(1 λ ): the input of this algorithm is the security parameter λ, the output is the system parameters param. • Key Generation: the input of this algorithm is the param, the output is a pair consisting of a public key and secret key (pk i , sk i ). • Usual Signing: the input of this algorithm are a message m, the param and a secret key sk i , the output is a usual signature σ.
• Designated Signing: the input of this algorithm are a message m, the param, a secret key sk i and the public key pk j of chosen designated verifier. The output is a designated verifier signature σ. • Usual Verification: the input of this algorithm are the param, a usual signature σ and the public key pk i of the signer. The algorithm returns 1 in case σ is a valid signature of the message m under pk i , and 0 otherwise. • Designated Verification: the input of this algorithm are the param, a designated verifier signature σ, the public key pk i of the signer and the secret key sk j of the designated verifier. The algorithm returns 1 in case σ is a valid signature of the message m under pk i , and 0 otherwise. • Proving: this algorithm includes two sub-algorithms: first: takes as input param, a designated verifier signature σ on a message m and a designated verifier's secret key sk j , outputs a public proof proof; -second: takes as input param, a public proof proof and the corresponding signer's public key pk i . The algorithm returns 1 in the case where σ is a valid signature of the message m under pk i , and 0 otherwise. Note that the second sub-algorithm is run by anyone.

Adversary's Oracles
We allow the forger F to query the challenger C the following oracles.
• UsualSigningRequest(m, pk i ): when F requests a usual signature of user i on a message m, the challenger C returns a valid corresponding usual signature σ. • DesignatedSigningRequest(m, pk i , pk j ): when F requests a designated verifier signature of user i on a message m with designated verifier public key pk j , the challenger C returns a valid corresponding designated verifier signature σ. • RequestDesignatedVerifying(σ, m, pk i , pk j ): when F requests to know the validity of a designated verifier signature σ, the challenger C returns the validity of σ.

Security Model
The security requirements of our SPPS scheme are that an attacker is unable to forge the usual signature as well as the designated verifier signature. Moreover, he/she also cannot verify any designated verifier signature. To this aim, based on security models in [7], we consider the unforgeability property which guarantees that the attacker cannot forge any signature, and the privacy of signer's identity (PSI) property which guarantees that the attacker cannot verify any designated verifier signature.
Unforgeability: Regarding this property, we allow the colluding of any user. The security game is described as follows.
Initialization Phase: At this step C first uses the Setup algorithm to produce the public parameters param. Next, he/she uses the Key Generation algorithm to produce the target user's key pair (pk i , sk i ) and the target designated verifier's key pair (pk j , sk j ). C sends param and (pk i , pk j , sk j ) to F . Query Phase: At this step, F adaptively asks the following oracles: UsualSigningRequest(m, pk i ), DesignatedSigningRequest(m, pk i , pk j ) and RequestDesignatedVerifying(σ, m, pk i , pk j ).
Output Phase: At this step, F outputs (m * , σ * ). F is said to win the game if the followings are correct: 1. m * has never been queried to UsualSigningRequest(m, pk i ) and DesignatedSigningRequest(m, pk i , pk j ); 2.
Let SuccUn Π F be the success probability that the forger F wins the above security game.

Definition 1.
A SPPS scheme Π is said to achieve the existentially unforgeable property against any polynomial-time forger F if the success probabilities SuccUn Π F above is negligible.
Privacy of the signer's identity-PSI: This property is defined in the sense that an attacker cannot distinguish between a valid designated verifier signature and random elements, that means he/she cannot check the validity of a designated verifier signature.
The security game between a challenger C and an adversary F is described as follows.
Initialization Phase: At this step C first uses the Setup algorithm to produce the public parameters param. Next, he/she uses the Key Generation algorithm to produce three target users' key pairs (pk i 0 , sk i 0 ), (pk i 1 , sk i 1 ), (pk j , sk j ), where i 0 and i 1 are target signers, j is the target designated verifier. C sends param and (pk i 0 , pk i 1 , pk j ) to F . Query Phase: At this step, F adaptively asks the following oracles: UsualSigningRequest(m, pk i k ), DesignatedSigningRequest(m, pk i k , pk j ) and RequestDesignatedVerifying(σ, m, pk i k , pk j ), k ∈ {0, 1}.
Challenge Phase: At this step, F first outputs m * , C then randomly picks b $ ← {0, 1} and produces σ * = Designated Signing(param, m * , sk i b , pk j ), then sends σ * to F . F still can request queries as above except that he/she cannot request query RequestDesignatedVerifying(σ * , m * , pk i k , pk j ) for any k ∈ {0, 1}. Guess Phase: At this step, F outputs a guess bit b for b, F is said to win the game if b = b.
Let AdvPSI Π F be the advantage that F wins the above security game, where AdvPSI Π F is defined by the success probability that F wins the above security game deviates from one-half.

Definition 2.
A SPPS scheme Π is said to achieve the PSI property against any polynomial-time adversary F if the advantage AdvPSI Π F above is negligible.

Bilinear Groups
Let G, G and G T be three finite multiplicative abelian groups of large prime order p > 2 λ where λ is the security parameter. Let g,g be generators of G, G, respectively. Let e be an admissible asymmetric bilinear map e : G × G → G T such that for all a, b ∈ Z p 1.
e(g,g) is efficiently computable.
We call the tuple (p, G, G, G T , g,g, e) a bilinear map group system, and according to [13] it is in: Type 2 pairings if G = G but there is an efficiently computable homomorphism φ : G → G 3.
Type 3 pairings if G = G but there doesn't exist efficiently computable homomorphism between G and G.

Pointcheval-Sanders Signature Scheme
At CT-RSA'16, Pointcheval et al. proposed a new signature scheme, this scheme achieves full security under a new assumption which they named PS assumption 1. In the recent paper at CT-RSA'18 [12], the author showed that the hardness of this new assumption and the hardness of the well-known q-SDH assumption [18] are equivalent.
More precisely, the Pointcheval-Sanders signature scheme includes four following probabilistic algorithms. • Setup: the input of this algorithm is the security parameter λ, the output is the public parameter param = (p, G, G, G T , g,g, e).

•
KeyGen: the input of this algorithm is the security parameter λ, the output is the user's key pairs. Concretely, user's secret key includes two elements (x, y) ∈ Z * p , and user's public key includes three elements (h ∈ G,X =h x ,Ỹ =h y ).
• Sign: the inputs of this algorithm are the user's secret key (x, y) and a message m ∈ Z p .
• Verify: the input of this algorithm are a message m, signature σ = (σ 1 , σ 2 ) and the corresponding public key (h,X,Ỹ). The algorithm returns 1 which indicates that the signature is valid if the following conditions are verified: Otherwise, the algorithm returns 0 which indicates that the signature is invalid.
The PS assumption 1, given in [12], permits to prove that such signature scheme is secure. Definition 3. PS assumption 1: Let (p, G, G, G T , g,g, e) be a bilinear group setting of type 3. Choose u, v $ ← Z p , we define the oracle O(m) on input m ∈ Z p that chooses a random h ∈ G and outputs the pair (h, h u+mv ). Given (g,g,g u ,g v , g v ) and unlimited access to this oracle, no adversary can have non-negligible success probability to generate a pair (h, h u+m * v ), with h = 1 G , for a new m * not asked to O.
In this paper, we prove that our SPPS scheme is secure under the PS assumption 1 and a new assumption which is a simple modification of the well known XDH assumption. The XDH assumption is described as follows. Assume that (p, G, G, G T , g,g, e) is a bilinear group system of type 3.

Definition 4. XDH assumption:
Pick a, b $ ← Z p . Given (g,g, g a , g b , T), it is hard to distinguish T is either g ab or a random element in G.
We define a simple modification of XDH assumption, we name MXDH assumption, as follows. : Assume that (p, G, G, G T , g,g, e) is a bilinear group system of type 3. , g a , g b , g c , g ac ,h,h a , T), it is hard to distinguish T is either g abc or a random element in G.

Pick a, b, c
It is easy to see that one needs to have the valueg b or g bc to distinguish T. However, these values are not provided in − → Y .

SPPS Scheme
We rely on the Pointcheval-Sanders signature scheme [12] to construct our SPPS scheme. In our SPPS scheme a user can choose to generate either a usual signature (using the same signing algorithm as in [12]) or a designated verifier signature.

Detailed Description
The scheme is described as follows.
Setup(1 λ ): the input of this algorithm is the security parameter λ, the output is the public parameters param = (p, G , G, G T , g,g, e). Key Generation: the input of this algorithm is param. To produce the output, the algorithm first The algorithm finally outputs the secret key sk i = (x i , y i , z i ) and public key pk i = (h i ,X i ,Ỹ i , Y i , Z i ) Usual Signing: the input of this algorithm are param, sk i and the message m ∈ Z p (note that in practice we use a hash function to hash a long message m ∈ {0, 1} * to a short message m ∈ Z p ).
The algorithm first randomly chooses h $ ← G such that h = 1 G , then outputs the usual signature σ = (σ 1 , σ 2 ) where σ 1 = h and σ 2 = h (x i +y i m) . Designated Signing: the input of this algorithm are param, sk i , pk j and the message m ∈ Z p .
The algorithm first randomly chooses h $ ← G such that h = 1 G , then outputs the designated verifier signature σ = (σ 1 , σ 2 ) where σ 1 = h and σ 2 = h (x i +y i m) · (g z j ) y i z i . Usual Verification: the input of this algorithm are param, pk i , m and the usual signature σ = (σ 1 , σ 2 ).
The algorithm checks that whether σ 1 = 1 G and If this is the case the algorithm outputs 1, else it outputs 0. Designated Verification: the input of this algorithm are param, pk i , sk j , m and the designated verifier signature σ = (σ 1 , σ 2 ). The algorithm checks that whether σ 1 = 1 G and If this is the case the algorithm outputs 1, else it outputs 0. Proving: • first: the designated verifier j with his/her secret key sk j = (x j , y j , z j ) and the signature σ = (σ 1 , σ 2 ) of user i at hands generates the proof as follows: • second: on input a message m, anybody with the proof at hands can verify whether or not that the user i with his/her public key pk i has signed on the message m by checking that: Correctness. The correctness of Usual Verification algorithm is straightforward followed from Pointcheval-Sanders signature scheme [12].
Regarding the correctness of Designated Verification, let σ = (σ 1 = h, σ 2 = h (x i +y i m) · (g z j ) y i z i ), we have: and similar to the correctness of the Proving algorithm.

Remark 1.
It is clear that from the proof, one cannot extract z j , which means the designated verifier can runs the Proving algorithm without revealing his/her secret key. However, the crucial point here is that the signer realizes that he/she cannot refuse his/her designated verifier signature, therefore in practice the designated verifier may never need to runs the Proving algorithm.

Security Analysis of SPPS Scheme
In this section, we prove that our SPPS scheme is existentially unforgeable under the PS assumption 1, and our SPPS scheme achieves PSI property under the MXDH assumption.

Theorem 1.
Our SPPS scheme is existentially unforgeable under the PS assumption 1.
Proof. Let F be a forger against the security of our SPPS scheme, and C be an adversary against PS assumption 1. We will prove that C can simulate F and based on the F 's output to solve the PS assumption 1.
To this aim, at the beginning of the security game (see Section 2.1.3) C first gets an instance of the PS assumption 1: (p, G, G, G T , g,g, e, g v ,g u ,g v ), and gets the right to access oracle O. Note that O(m), on input m ∈ Z p , outputs a pair (h, h u+vm ) where h is a random element in G.
Initialization Phase: C chooses t, z i , x j , y j , z j $ ← Z * p , implicitly sets x i = u, y i = v, then computes j , Y j = g y j , Z j = g z j , sets pk j = (h j ,X j ,Ỹ j , Y j , Z j ) and sk j = (x j , y j , z j ).
Finally, C gives param = (p, G, G, G T , g,g, e) and (pk i , pk j , sk j ) to F . Query Phase: C now answers the requested oracles from F as follows.
• UsualSigningRequest(m, pk i ): C needs to answer to F the usual signature of user i on message m. To this aim, C simply asks O on input m to obtain the pair (h, h u+vm ) = (h, h x i +y i m ), then returns it to F . • DesignatedSigningRequest(m, pk i , pk j ): C needs to answer to F the designated verifier signature of user i on message m with designated verifier j. To this aim, C first requests the oracle O on input m to get the pair (h, h u+vm ) = (h, h x i +y i m ). Next, C produces designated verifier signature σ = (σ 1 , σ 2 ) as follows.
Note that C knows z i , z j . Finally, C sends σ to F . • RequestDesignatedVerifying(σ, m, pk i , pk j ): C needs to answer to F that whether or not σ is a valid designated verifier signature on m with designated verifier j. To this aim, C simply runs the Designated Verification(param, σ, m, pk i , sk j ) and returns the output to F .
Output Phase: At this phase, F outputs (m * , σ * ) with the requirement that m * has never been queried to UsualSigningRequest(m * , pk i ) and DesignatedSigningRequest(m * , pk i , pk j ), that means m * has never been queried to oracle O. There are two cases: First, σ * is a usual signature that means σ * = (σ * 1 , σ * 2 ), where: C simply uses the pair (σ * 1 , σ * 2 ) as a valid pair to solve the PS assumption 1. Second, σ * is a designated verifier signature that means σ * = (σ * 1 , σ * 2 ), where: Note that C knows z i , z j . So, C also can use the valid pair (σ * 1 , K) to solve the PS assumption 1. It is easy to see that the simulation is perfect and C has never aborted the game, so if F can break the security of our SPPS scheme with non-negligible success probability, then C also can solve the PS assumption 1 with non-negligible success probability (SuccUn Π F is non-negligible), which concludes our proof.

Theorem 2.
Our SPPS scheme achieves PSI property under the MXDH assumption. More precisely, Proof. Let F as above and C be an adversary against MXDH assumption. The proof includes a series of games, let E i be the event that the adversary F returns the correct guessed bit in Game G i .
• G 0 : Game G 0 is the original game. In this game, C first chooses x i k , y i k , z i k , x j , y j , z j $ ← Z * p where k = 0, 1, so C can easily produce param, pk i k , pk j , and C sends param, pk i k , pk j to F .
On the other hand, with x i k , y i k , z i k , x j , y j , z j at hands where k = 0, 1, C can easily answer any query (UsualSigningRequest(m, pk i k ), DesignatedSigningRequest(m, pk i k , pk j ) and RequestDesignatedVerifying(σ, m, pk i k , pk j )) from F . Next, at the challenge phase, C first picks randomly a bit b $ ← {0, 1}, C then uses x i b , y i b , z i b , z j to produce the challenge designated verifier signature σ * . From the definition, we have: This game is the same as game G 0 except that the value g y i 0 z i 0 z j now is generated randomly.
Let consider the following game: C first gets an instance of the MXDH assumption: (g,g, g a , g b , g c , g ac ,h,h a , T), note that T is either g abc or a random element in G. C next randomly picks x i 0 , x i 1 , y i 1 , z i 1 $ ← Z * p , then uses them to produce param, pk i 1 .
For pk i 0 and pk j , C first implicitly sets y i 0 = a, z i 0 = c, z j = b, randomly picks x j , y j $ ← Z * p , then uses them to produce: pk j (note that C knows Z j = g b from assumption). C also produces pk i 0 as follows: pk i 0 = (h,X i 0 =h x i 0 ,Ỹ i 0 =h a , Y i 0 = g a , Z i 0 = g c ) Note thath i 0 =h, C finally sends param, pk i k , pk j where k = 0, 1 to F .
At the first query phase, C answers queries from F as follows.

Conclusions
In several modern applications such as Electronic Voting, e-Health, e-Payment, etc, the privacy information of the signer is needed. There exist several methods to keep the privacy information of the signer such as combining a signature scheme with an encryption scheme, using a strong designated verifier signature scheme, or using a group signature scheme. In this paper, we extend the traditional signature scheme to propose an alternative method to solve this problem. Our proposed method has two advantages: it is an improvement of the traditional signature scheme in term of functionality (adding the function of keeping privacy information of the signer); it is the most efficient one when compared with three existing methods which deal with the same problem of keeping the privacy information of the signer.