# A Traceable Universal Designated Verifier Transitive Signature Scheme

^{1}

^{2}

^{*}

## Abstract

**:**

## 1. Introduction

#### 1.1. Our Contributions

- (1)
- Our goal is to substitute the public verifiability of transitive signatures with single entity verifiability, where the entity is trusted. Therefore, we adopt the UDVTS proposed by [2]. Considering that the common issue of designated verifier signatures is that arbitration service cannot be provided when there is a signature dispute, we have introduced a tracer into the system that can find the true source of the signature.
- (2)
- We propose the concept of TUDVTS. We introduce to the UDVTS a tracer who is responsible for arbitrating any disputed data, and the chain relationships in the graphic remain hidden from other entities except the tracer. Therefore, this scheme protects the rights and interests of the signer and the verifier.
- (3)
- We describe definitions of TUDVTS and its security model. The security requirements of TUDVTS include unforgeability, privacy, and traceability. The unforgeability of TUDVTS means that any adversary cannot forge a transitive signature or a designated verifier signature even if it is allowed to obtain signatures on many other messages and public keys of its choice. The TUDVTS scheme encompasses two distinct forms of privacy: the non-transferability of TUDVTS and the privacy of transitive signatures. The former means that there is no way for anyone to distinguish between the two designated verifier signatures produced by the combiner or the verifier. The latter means that there is no way for anyone to distinguish between the two transitive signatures produced by the signer or the combiner. The traceability implies that the tracer can determine whether the signer signed the message.
- (4)
- We construct a TUDVTS scheme. By incorporating traceability, our scheme not only achieves the goal of controlling the verifier but also provides an arbitration service when signature disputes arise. We have conducted proofs to establish that our scheme satisfies the unforgeability, privacy, and traceability.

#### 1.2. Related Works

**Transitive Signatures (TS).**The earliest transitive signature schemes, DLTS and RSATS-1, were proposed by Micali and Rivest [1], where their security relies on the discrete logarithm problem and the RSA assumption, respectively. Note that the former can resist adaptive chosen-message attacks, while the latter can only resist non-adaptive chosen-message attacks. In the same year, Bellare and Neven [3] proposed the “node certification paradigm” and constructed two schemes based on RSA assumption and factoring, respectively. In addition, they proposed other new schemes based on the one-more discrete logarithm problem and one-more gap Diffie-Hellman problem [4]. By employing braid groups, Wang et al. [5] designed a transitive signature scheme that was not susceptible to quantum attacks at the time. Previous schemes required special hash functions, which made them less efficient. Lin et al. [6] introduced a scheme that utilizes general hash functions to achieve improved efficiency by reducing computational time.

**Universal Designated Verifier Signatures (UDVS).**Steinfeld et al. [17] introduced the concept of UDVS: only the verifier designated by the signature holder is allowed to authenticate signatures. Steinfeld et al. [17] proposed the first UDVS scheme by utilizing a BLS [18] short signature in the same year. They then combined the standard RSA and Schnor schemes to propose two identity-based UDVS schemes [19]. Ng et al. [20] proposed another scheme with multiple verifiers designated, allowing multiple verifiers to authenticate the signature. Zhang et al. [21] use the model proposed by Steinfeld et al. [17] to design two new identity-based UDVS schemes. The security of the above schemes all rely on the random oracle model. Zhang et al. [22] designed the first UDVS scheme that is provably secure in the standard model. Shahandashti et al. [23] provided a generic construction of UDVS from standard digital signatures. Since then, a multitude of UDVS schemes with distinct features have been put forward, such as multi-signer and multiple designated verifiers UDVS [24], UDVS without delegatability [25], universal designated verifier ring signatures [26], and universal designated multi-verifiers content extraction signatures [27]. To resist quantum attacks, Li et al. [28] constructed the first lattice-based UDVS scheme. Moreover, Tang et al. [29] pointed out that the strong privacy in traditional universal designated verifier signature schemes leads to the problem of unfairness to the verifier and, thus, designed a traceable universal designated verifier signature proof scheme.

## 2. Preliminaries

#### 2.1. Notations

#### 2.2. Graphs

#### 2.3. Admissible Bilinear Pairing

- (1)
- Bilinearity: $e({g}^{a},{g}^{b})=e{(g,g)}^{ab}$, for all $a,b\stackrel{R}{\leftarrow}{\mathbb{Z}}_{p}$.
- (2)
- Non-degeneracy: $e(g,g)\ne 1$.
- (3)
- Computability: $e({g}_{1},{g}_{2})$ is efficiently computable for all ${g}_{1},{g}_{2}\stackrel{R}{\leftarrow}\mathbb{G}$.

#### 2.4. Complexity Assumptions

**Definition**

**1**

**.**Let $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{\mathbb{T}}$ be a bilinear mapping, where $\mathbb{G}$ and ${\mathbb{G}}_{\mathbb{T}}$ are groups of prime order p, and g is a generator of $\mathbb{G}$. Let $A={g}^{a},B={g}^{b}$, where $a,b\stackrel{R}{\leftarrow}{\mathbb{Z}}_{p}$. Given $(e,\mathbb{G},{\mathbb{G}}_{\mathbb{T}},p,g,A,B)$ and the following two oracles:

- (1)
- The ${H}_{1}$ oracle ${\mathcal{O}}^{{\mathcal{H}}_{1}}$: inputs a point $i\in N$, returns a random point ${h}_{i}\in \mathbb{G}$.
- (2)
- The CDH oracle ${\mathcal{O}}^{\mathcal{CDH}}$: inputs a point ${h}_{i}\in \mathbb{G}$, returns a point ${\left({h}_{i}\right)}^{a}\in \mathbb{G}$.

## 3. Traceable Universal Designated Verifier Transitive Signature Scheme

- $pp\leftarrow \mathbf{Setup}\left({1}^{k}\right)$. The initialization algorithm that takes as input the security parameter k, outputs the public parameters $pp$.
- $(p{k}_{i},s{k}_{i})\leftarrow \mathbf{KGen}\left(pp\right)$. The key generation algorithm that takes as input the public parameters $pp$, outputs all users’ public/secret key pairs $(p{k}_{i},s{k}_{i})$.
- ${\sigma}_{ij}\leftarrow \mathbf{TSign}(i,j,s{k}_{s})$. The transitive signing algorithm that takes as input the signer’s secret key $s{k}_{s}$ and nodes $i,j\in \mathbb{N}$ and outputs an original signature of edge $(i,j)$ relative to $s{k}_{s}$.
- $\left\{0,1\right\}\leftarrow \mathbf{TVry}(i,j,p{k}_{s},{\sigma}_{ij})$. The verification algorithm that takes as input the signer’s public key $p{k}_{s}$, nodes $i,j\in \mathbb{N}$, and a candidate signature ${\sigma}_{ij}$, which outputs 1 if accepting the signature or 0 for rejecting it.
- $\left\{\perp ,{\sigma}_{ik}\right\}\leftarrow \mathbf{Comp}(i,j,k,p{k}_{s},{\sigma}_{ij},{\sigma}_{jk})$. The composition algorithm that takes as input the signer’s public key $p{k}_{s}$,nodes $i,j,k\in \mathbb{N}$, and two signatures ${\sigma}_{ij},{\sigma}_{jk}$, which outputs the composed signature ${\sigma}_{ik}$ or the symbol ⊥to indicate failure.
- $\left\{{\widehat{\sigma}}_{ij},t\right\}\leftarrow \mathbf{Trans}(p{k}_{t},{\sigma}_{ij})$. The translation algorithm that takes as input the tracer’s public key $p{k}_{t}$ and a transitive signature ${\sigma}_{ij}$ of edge $(i,j)$ and outputs a translated signature ${\widehat{\sigma}}_{ij}$. In addition, the combiner selects and saves a secret value t.
- ${\sigma}_{DV}\leftarrow \mathbf{DS}(i,j,p{k}_{v},{\widehat{\sigma}}_{ij},t)$. The signature holder’s designation algorithm that takes as input the verifier’s public key $p{k}_{v}$, nodes $i,j\in \mathbb{N}$, a secret value t, and a translated signature ${\widehat{\sigma}}_{ij}$, which outputs a designated verifier signature ${\sigma}_{DV}$.
- ${\widehat{\sigma}}_{DV}\leftarrow \mathbf{Sim}(i,j,p{k}_{s},p{k}_{t},s{k}_{v},{\widehat{\sigma}}_{ij})$. The transcript simulation algorithm that takes as input the signer’s public key $p{k}_{s}$, the tracer’s public key $p{k}_{t}$, the verifier’s secret key $s{k}_{v}$, nodes $i,j\in \mathbb{N}$, and the translated signature ${\widehat{\sigma}}_{ij}$, which outputs a simulated signature ${\widehat{\sigma}}_{DV}$.
- $\left\{0,1\right\}\leftarrow \mathbf{DV}(i,j,p{k}_{s},s{k}_{v},{\sigma}_{DV})$. The designated verifying algorithm that takes as input the signer’s public key $p{k}_{s}$, the verifier’s secret key $s{k}_{v}$, nodes $i,j\in \mathbb{N}$, and a designated verifier signature ${\sigma}_{DV}$, which outputs 1 if accepting the signature or 0 for rejecting it.
- ${\sigma}_{ij}\leftarrow \mathbf{Trace}(s{k}_{t},{\widehat{\sigma}}_{ij})$. The tracing algorithm that takes as input the tracer’s secret key $s{k}_{t}$ and the translated signature ${\widehat{\sigma}}_{ij}$, which outputs the transitive signature ${\sigma}_{ij}$.

**Correctness**: we require five obvious correctness properties in TUDVTS. The first four points are the correctness requirements of UDVTS. Algorithm**TVry**checks the correctness of**TSign**and**Comp**. Algorithm**DV**checks the correctness of**DS**and**Sim**. Algorithm**Trans**checks the correctness of**Trace**.

- Correctness of
**TSign**: If ${\sigma}_{ij}\leftarrow \mathbf{TSign}(i,j,s{k}_{s})$, then$$Pr[1\leftarrow \mathbf{TVry}(i,j,p{k}_{s},{\sigma}_{ij})]=1.$$ - Correctness of
**Comp**: If ${\sigma}_{ik}\leftarrow \mathbf{Comp}(i,j,k,p{k}_{s},{\sigma}_{ij},{\sigma}_{jk})$, then$$Pr[1\leftarrow \mathbf{TVry}(i,k,p{k}_{s},{\sigma}_{ik})]=1,$$**Comp**on legitimate signatures). - Correctness of
**DS**: If ${\sigma}_{DV}\leftarrow \mathbf{DS}(i,j,p{k}_{v},{\widehat{\sigma}}_{ij})$, then$$Pr[1\leftarrow \mathbf{DV}(i,j,p{k}_{s},s{k}_{v},{\sigma}_{DV})]=1.$$ - Correctness of
**Sim**: If ${\sigma}_{DV}\leftarrow \mathbf{Sim}(i,j,p{k}_{s},p{k}_{t},s{k}_{v},{\widehat{\sigma}}_{ij})$, then$$Pr[1\leftarrow \mathbf{DV}(i,j,p{k}_{s},s{k}_{v},{\sigma}_{DV})]=1.$$ - Correctness of
**Trace**: If ${\widehat{\sigma}}_{ij}\leftarrow \mathbf{Trans}(p{k}_{t},{\sigma}_{ij})$, then ${\sigma}_{ij}\leftarrow \mathbf{Trace}(s{k}_{t},{\widehat{\sigma}}_{ij})$.

#### Security Models

**Unforgeability**: the unforgeability of TUDVTS is similar to the unforgeability of UDVTS. TUDVTS encompasses two distinct forms of unforgeability. The first property refers to the fact that any adversary cannot output a forgery even if it is allowed to obtain transitive signatures on many other messages of its choice, i.e., the transitive signature unforgeability (TS-unforgeability). The second property refers to the impossibility for any adversary to forge a valid designated verifier signature even if they possess a valid translated signature from before, i.e., the designated verifier signature unforgeability (DV-unforgeability). Note that it is possible that the translated signature in DV-unforgeability is forged. As described in reference [29], we only consider this case where the translated signature is sent by the designator.

**Setup**: the public parameters $pp$ and the signer’s public/secret key-pair $(p{k}_{s},s{k}_{s})$ are generated by running**Setup**and**KGen**, respectively. Then, it is sent to $\mathcal{A}$.**TSign Query**: $\mathcal{A}$ picks an edge $(i,j)$. Then, the transitive signature ${\sigma}_{ij}$ is generated by running**TSign**and sent to $\mathcal{A}$.

**TSign Query**.

**Definition**

**2**

**.**The transitive signature is unforgeable under adaptive chosen-message attacks if ${\mathrm{Adv}}_{\mathcal{A},\mathrm{TS}}^{cma}\left(k\right)$ is negligible for any $\mathcal{PPT}$ adversary $\mathcal{A}$.

**Setup**: the public parameters $pp$ and all users’ public/secret key-pairs $(p{k}_{i},s{k}_{i})$ are generated by running**Setup**and**KGen**, respectively. Then, it is sent to $\mathcal{A}$.**Trans Query**: $\mathcal{A}$ picks an edge $(i,j)$. The transitive signature ${\sigma}_{ij}$ is first generated by running**TSign**. Then, the translated signature ${\widehat{\sigma}}_{ij}$ is generated by running**Trans**and sent to $\mathcal{A}$. The secret value t is kept private.**DS Query**: $\mathcal{A}$ picks an edge ($i,j$), a verifier’s public key $p{k}_{{v}_{i}}$ and the corresponding translated signature ${\widehat{\sigma}}_{ij}$. He initially acquires the signature ${\widehat{\sigma}}_{ij}$ using the aforementioned procedure in the absence of the translated signature. Then, ${\sigma}_{DV}$ is generated by running**DS**and sent to $\mathcal{A}$.**DV Query**: $\mathcal{A}$ requests the verification result of ($(i,j),{\sigma}_{DV}$) using the chosen public key $p{k}_{{v}_{i}}$. The verification result is generated by running**DV**and sent to $\mathcal{A}$.**SKey Query**: $\mathcal{A}$ picks a verifier’s public key $p{k}_{{v}_{i}}$. Then, the corresponding private key $s{k}_{{v}_{i}}$ is sent to $\mathcal{A}$.

- -
- $1\leftarrow $
**DV**(${i}^{\prime},{j}^{\prime},p{k}_{s},s{k}_{{v}_{k}},{\sigma}_{DV}^{\prime}$). - -
- $(({i}^{\prime},{j}^{\prime}),p{k}_{{v}_{k}})$ has never been submitted to
**DS Query**. - -
- $p{k}_{{v}_{k}}$ has never been submitted to
**SKey Query**.

**Definition**

**3**

**.**A TUDVTS scheme is unforgeable under adaptive chosen-message and chosen-public-key attacks if ${\mathrm{Adv}}_{\mathcal{A},\mathrm{TUDVTS}}^{cma,cpka}\left(k\right)$ is negligible for any $\mathcal{PPT}$ adversary $\mathcal{A}$, where $\mathcal{A}$ invokes at most ${q}_{1}$

**Trans Query**, ${q}_{2}$

**DS Query**, ${q}_{3}$

**DV Query**and ${q}_{4}$

**SKey Query**in time t.

**Privacy**: the privacy has been systematically discussed by Hou et al. in [2]. There are two types of privacy in the TUDVTS scheme: non-transferability of TUDVTS and privacy of transitive signature. As stated in [17], the designated verifier has the capability to produce a signature that cannot be distinguished from the signature generated by the signature holder. That is, the verifier is unable to provide convincing evidence to others that the signer has indeed signed the message. As stated in [1], The second condition states that a transitive signature and a composed signature on the same edge cannot be distinguished. This implies that the

**Comp**algorithm can operate properly even if its input was generated using

**Comp**itself.

**Setup**: the public parameters $pp$ and all users’s public/secret key-pairs $(p{k}_{i},s{k}_{i})$ are generated by running**Setup**and**KGen**, respectively. Then, it is sent to $\mathcal{D}$.**Stage 1**: the distinguisher $\mathcal{D}$ adaptively makes**Trans Query, DS Query, DV Query, Sim Query, SKey Query**: it responds to $\mathcal{D}$ in the same way as in game ${\mathrm{Forge}}_{\mathcal{A},\mathrm{TUDVTS}}^{cma,cpka}$.- -
**Sim Query:**assuming that $\mathcal{D}$ requests a simulated signature on edge ($i,j$) using the chosen public key $p{k}_{{v}_{i}}$, he initially acquires the signature ${\widehat{\sigma}}_{ij}$ using the aforementioned procedure in the absence of the translated signature. Then, the simulated signature ${\widehat{\sigma}}_{DV}$ is generated by running**Sim**and sent to $\mathcal{D}$.

**Challenge stage**: $\mathcal{D}$ returns $({i}^{\prime},{j}^{\prime})$ and $p{k}_{{v}_{k}}$ that satisfy the following conditions:- -
- $({i}^{\prime},{j}^{\prime})\notin G$.
- -
- $(({i}^{\prime},{j}^{\prime}),p{k}_{{v}_{k}})$ has never been submitted to
**DS Query**and**Sim Query**. - -
- $p{k}_{{v}_{k}}$ has never been submitted to
**SKey Query**.

In reply, the experiment randomly samples $b\in \left\{0,1\right\}$. If $b=1$, then the signature ${\sigma}_{DV}$ is generated by running**DS**and returned to $\mathcal{D}$. Otherwise, the signature ${\widehat{\sigma}}_{DV}$ is generated by running**Sim**and returned to $\mathcal{D}$.**Stage 2**. Upon the receipt of the signature, $\mathcal{D}$ can still proceed with the query in**stage 1**. However, he cannot choose $(({i}^{\prime},{j}^{\prime}),p{k}_{{v}_{k}})$ for**DS Query**or**Sim Query**.**Guess stage**. $\mathcal{D}$ outputs his guess ${b}^{\prime}\in \left\{0,1\right\}$.

**Definition**

**4**

**.**If ${\mathrm{Adv}}_{\mathcal{D},\mathrm{TUDVTS}}^{cma,cpka}\left(k\right)$ is negligible for any $\mathcal{PPT}$ distinguisher $\mathcal{D}$, then the TUDVTS scheme is non-transferable under adaptive chosen-message and chosen-public-key attacks.

**Definition**

**5**

**.**If the input of

**Comp**is legitimate signatures, then the distributions that the composed signature and the signature generated by the signer follow are statistically indistinguishable.

**Traceability**: as stated in [29], in order to determine whether the signer signed the message, we introduce a tracer in UDVTS. The tracer can restore the translated signature ${\widehat{\sigma}}_{ij}$ to its corresponding transitive signature ${\sigma}_{ij}$. According to TV-unforgeability, only the signer and the combiner have the ability to obtain valid transitive signatures. Thus, the tracer can track the identity of the translated signature generator by checking whether the transitive signature is valid.

**Definition**

**6**

**.**If the translated signature is calculated by the combiner, then the transitive signature can be recovered by the tracer.

## 4. Our TUDVTS Scheme

#### 4.1. Construction

**Setup**,

**KGen**,

**TSign**,

**TVry**,

**Comp**,

**Trans**,

**DS**,

**DV**,

**Sim**,

**Trace**) is constructed as follows: Given a group generator

**GGen**that takes as input ${1}^{k}$ and outputs a triple $(\mathbb{G},{\mathbb{G}}_{\mathbb{T}},p)$, where p is a lagre prime and $\mathbb{G},{\mathbb{G}}_{\mathbb{T}}$ are two p-order multiplicative cyclic groups. Denote ${H}_{1}:\mathbb{N}\to \mathbb{G}$ and ${H}_{2}:{\{0,1\}}^{*}\to {\mathbb{Z}}_{p}$ as two hash functions.

**Setup**(${1}^{k}$): this algorithm first obtains $(\mathbb{G},{\mathbb{G}}_{\mathbb{T}},p)$ by running**GGen**. Then, it generates a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{\mathbb{T}}$ and a generator g of $\mathbb{G}$ and outputs the public parameters $pp=(p,g,e,\mathbb{G},{\mathbb{G}}_{\mathbb{T}},{H}_{1},{H}_{2}$).**KGen**($pp$): this algorithm takes as input the public parameters $pp$. It computes $A={g}^{a},B={g}^{b},D={g}^{d}$, where $a,b,d\stackrel{R}{\leftarrow}{Z}_{p}^{*}$. It outputs three pairs of public/secret keys $\left\{(A={g}^{a},a),(B={g}^{b},b),(D={g}^{d},d)\right\}$, which denote the signer, the verifier, and the tracer, respectively.**TSign**($i,j,s{k}_{s}$): this algorithm takes as input the signer’s secret key a and nodes $i,j\in \mathbb{N}$. It computes ${\sigma}_{ij}={\left({h}_{i}{h}_{j}^{-1}\right)}^{a}$ if $i<j$, where ${h}_{i}={H}_{1}\left(i\right),{h}_{j}={H}_{1}\left(j\right)$. If $i>j$, swap i and j.**TVry**($i,j,p{k}_{s},{\sigma}_{ij}$): this algorithm takes as input the signer’s public key A, nodes $i,j\in \mathbb{N}$, and a signature ${\sigma}_{ij}$. If $e({\sigma}_{ij},g)=e({h}_{i}{h}_{j}^{-1},A)$, then it outputs 1 (accept). Otherwise, it outputs 0 (reject).**Comp**($i,j,k,p{k}_{s},{\sigma}_{ij},{\sigma}_{jk}$): this algorithm takes as input the signer’s public key A, nodes $i,j,k\in \mathbb{N}$, and two signatures ${\sigma}_{ij}$ of $(i,j)$ and ${\sigma}_{jk}$ of $(j,k)$. If ${\sigma}_{ij}$ and ${\sigma}_{jk}$ are both valid signatures, then it outputs the composed signature ${\sigma}_{ik}\leftarrow {\sigma}_{ij}\xb7{\sigma}_{jk}$ of $(i,k)$. Otherwise, it outputs ⊥.**Trans**(${\sigma}_{ij},p{k}_{t}$): this algorithm takes as input the tracer’s public key D and the signature ${\sigma}_{ij}$ of $(i,j)$. The combiner computes ${T}_{1}={g}^{t},{T}_{2}={\sigma}_{ij}{D}^{t}$, where $t\stackrel{R}{\leftarrow}{Z}_{p}^{*}$. He outputs the translated signature ${\widehat{\sigma}}_{ij}=({T}_{1},{T}_{2})$.**DS**($i,j,p{k}_{v},{\widehat{\sigma}}_{ij},t$): this algorithm takes as input the verifier’s public key B and the translated signature ${\widehat{\sigma}}_{ij}$. The combiner randomly chooses $r\in {\mathbb{Z}}_{p}$, and calculates $R=e{(g,B)}^{r},\phantom{\rule{4pt}{0ex}}h={H}_{2}(i,j,{h}_{i},{h}_{j},R),\phantom{\rule{4pt}{0ex}}{R}_{1}=e({D}^{th},B),\phantom{\rule{4pt}{0ex}}T={T}_{2}^{h}{g}^{r}\phantom{\rule{4pt}{0ex}}\left(\mathrm{mod}\phantom{\rule{4pt}{0ex}}p\right)$ and $c=e(T,B).$ Then, he outputs the designated verifier signature ${\sigma}_{DV}=({R}_{1},h,c)$.**Sim**($i,j,p{k}_{s},p{k}_{t},s{k}_{v},{\widehat{\sigma}}_{ij}$): this algorithm takes as input the signer’s public key A, the tracer’s public key D and notes $i,j\in \mathbb{N}$. The verifier randomly picks ${r}^{\prime}\in {\mathbb{Z}}_{q}$, and calculates ${R}^{\prime}=e{(g,B)}^{{r}^{\prime}},\phantom{\rule{4pt}{0ex}}{h}^{\prime}={H}_{2}(i,j,{h}_{i},{h}_{j},{R}^{\prime}),\phantom{\rule{4pt}{0ex}}{R}_{1}^{\prime}=e({D}^{{h}^{\prime}},{T}_{1}^{b}),\phantom{\rule{4pt}{0ex}}{T}^{\prime}={T}_{2}^{{h}^{\prime}}{g}^{{r}^{\prime}}\phantom{\rule{4pt}{0ex}}\left(\mathrm{mod}\phantom{\rule{4pt}{0ex}}p\right)$ and ${c}^{\prime}=e({T}^{\prime},B).$ Then, he outputs a simulated signature ${\widehat{\sigma}}_{DV}=({R}_{1}^{\prime},{h}^{\prime},{c}^{\prime})$.**DV**($i,j,p{k}_{s},s{k}_{v},{\sigma}_{DV}$): this algorithm takes as input the signer’s public key A, the tracer’s public key D, notes $i,j\in \mathbb{N}$ and the signature ${\sigma}_{DV}$. The designated verifier calculates ${P}_{1}=e({h}_{i}{h}_{j}^{-1},{A}^{bh}){R}_{1},\phantom{\rule{4pt}{0ex}}P=c{P}_{1}^{-1}$ and checks whether $h={H}_{2}(i,j,{h}_{i},{h}_{j},P)$. If this holds, then the algorithm outputs 1 (accept). Otherwise, it outputs 0 (reject).**Trace**($s{k}_{t},{\widehat{\sigma}}_{ij}$): this algorithm takes as input the translated signature ${\widehat{\sigma}}_{ij}$. The tracer computes ${\sigma}_{ij}={T}_{2}/{T}_{1}^{d}$ and checks whether $e({\sigma}_{ij},g)=e({h}_{i}{h}_{j}^{-1},A)$. If this holds then ${\sigma}_{ij}$ is legitimate.

#### 4.2. Correctness

- Correctness of
**TSign**: if ${\sigma}_{ij}={\left({h}_{i}{h}_{j}^{-1}\right)}^{a}\leftarrow \mathbf{TSign}(i,j,s{k}_{s})$, where ${h}_{i}={H}_{1}\left(i\right),{h}_{j}={H}_{1}\left(j\right)$, then$$e({\sigma}_{ij},g)=e({\left({h}_{i}{h}_{j}^{-1}\right)}^{a},g)=e({h}_{i}{h}_{j}^{-1},{g}^{a})=e({h}_{i}{h}_{j}^{-1},A).$$ - Correctness of
**Comp**: If ${\sigma}_{ik}={\sigma}_{ij}\xb7{\sigma}_{jk}={\left({h}_{i}{h}_{j}^{-1}\right)}^{a}\xb7{\left({h}_{j}{h}_{k}^{-1}\right)}^{a}={\left({h}_{i}{h}_{k}^{-1}\right)}^{a}$, where ${h}_{k}={H}_{1}\left(k\right)$, then$$e({\sigma}_{ik},g)=e({\left({h}_{i}{h}_{k}^{-1}\right)}^{a},g)=e({h}_{i}{h}_{k}^{-1},{g}^{a})=e({h}_{i}{h}_{k}^{-1},A).$$ - Correctness of
**DS**: if ${R}_{1}=e({D}^{th},B)$ and$$\begin{array}{cc}\hfill P& =e({T}_{2}^{h}{g}^{r},B){\left[e({h}_{i}{h}_{j}^{-1},{A}^{bh}){R}_{1}\right]}^{-1}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =e({\sigma}_{ij}^{h},B)e({D}^{th},B)e({g}^{r},B){\left[e({h}_{i}{h}_{j}^{-1},{A}^{bh}){R}_{1}\right]}^{-1}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =e({h}_{i}{h}_{j}^{-1},{A}^{bh})e({D}^{th},B)e({g}^{r},B){\left[e({h}_{i}{h}_{j}^{-1},{A}^{bh}){R}_{1}\right]}^{-1}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =e({g}^{r},B),\hfill \end{array}$$ - Correctness of
**Sim**: If ${R}_{1}^{\prime}=e({D}^{{h}^{\prime}},{T}_{1}^{b})$ and$$\begin{array}{cc}\hfill P& =e({T}_{2}^{{h}^{\prime}}{g}^{{r}^{\prime}},B){\left[e({h}_{i}{h}_{j}^{-1},{A}^{b{h}^{\prime}}){R}_{1}^{\prime}\right]}^{-1}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =e({\sigma}_{ij}^{{h}^{\prime}},B)e({D}^{t{h}^{\prime}},B)e({g}^{{r}^{\prime}},B){\left[e({h}_{i}{h}_{j}^{-1},{A}^{b{h}^{\prime}}){R}_{1}^{\prime}\right]}^{-1}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =e({h}_{i}{h}_{j}^{-1},{A}^{b{h}^{\prime}})e({D}^{{h}^{\prime}},{T}_{1}^{b})e({g}^{{r}^{\prime}},B){\left[e({h}_{i}{h}_{j}^{-1},{A}^{b{h}^{\prime}}){R}_{1}^{\prime}\right]}^{-1}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =e({g}^{{r}^{\prime}},B),\hfill \end{array}$$ - Correctness of
**Trace**: if ${T}_{1}={g}^{t},{T}_{2}={\sigma}_{ij}{D}^{t}$, then$${\sigma}_{ij}={T}_{2}/{T}_{1}^{d}={\sigma}_{ij}{D}^{t}/{g}^{td}={\sigma}_{ij}{D}^{t}/{D}^{t}={\sigma}_{ij}.$$

#### 4.3. Security Analysis

**Theorem**

**1**

**.**Assuming the one-more BDH assumption holds in ($\mathbb{G},{\mathbb{G}}_{\mathbb{T}}$) using the public parameters $pp$, we can conclude that the TUDVTS scheme satisfies DV-unforgeability under adaptive chosen-message and chosen-public-key attacks, with parameters ($t,{q}_{1},{q}_{2},{q}_{3},{q}_{4}$).

**Proof.**

**Setup**:- 1.
- $\mathcal{C}$ sets A as the signer’s public key and sets D as the tracer’s public key.
- 2.
- $\mathcal{C}$ computes ${y}_{i}={g}^{{x}_{i}}$ as the public key of the verifier $i(i\ne l)$, where ${x}_{i}\stackrel{R}{\leftarrow}{Z}_{p}^{*}$ is his private key. For $i=l$, $\mathcal{C}$ sets B as his public key. Then, $\mathcal{C}$ maintains a list L and adds all the pairs (${y}_{i},{x}_{i}$) to L, where ${x}_{l}=\perp $.
- 3.
- $\mathcal{C}$ sends ($pp,A,B,D,{y}_{1},\cdots ,{y}_{n}$) to $\mathcal{A}$.

- ${\mathrm{H}}_{1}$
**Query**:- 1.
- $\mathcal{C}$ maintains a list ${L}_{1}$ to record the hash values output by calling ${\mathcal{O}}^{{\mathcal{H}}_{1}}(\xb7)$.
- 2.
- When $\mathcal{A}$ queries ${H}_{1}\left(i\right)$, $\mathcal{C}$ completes the following:
- -
- If $i\notin V$, then $V\leftarrow V\bigcup \left\{i\right\}$; ${h}_{i}\stackrel{R}{\leftarrow}\mathbb{G}$; ${H}_{1}\left(i\right)\leftarrow {h}_{i}$; ${L}_{1}\leftarrow {L}_{1}\cup {h}_{i}$; $\Delta (i,i)\leftarrow 1$.
- -
- $\mathcal{C}$ returns ${H}_{1}\left(i\right)$ to $\mathcal{A}$.

- ${\mathrm{H}}_{2}$
**Query**:- 1.
- $\mathcal{C}$ maintains a list ${L}_{2}$ to record the hash values output by ${H}_{2}$ oracle. $\mathcal{A}$ randomly picks a verifier’s public key ${y}_{i}$ and a number ${r}_{i}\in {\mathbb{Z}}_{p}$ and computes $R=e{(g,{y}_{i})}^{{r}_{i}}$.
- 2.
- When $\mathcal{A}$ queries ${H}_{2}(i,j,{h}_{i},{h}_{j},R)$, $\mathcal{C}$ completes the following:
- -
- Firstly, obtains ${h}_{i}$ and ${h}_{j}$ as above if the two hash values do not exist.
- -
- Returns $h\stackrel{R}{\leftarrow}{\mathbb{Z}}_{p}$ to $\mathcal{A}$. Then, $\mathcal{C}$ adds all the message/value pairs $(R,h)$ to ${L}_{2}$.

**Trans Query**: assuming that $\mathcal{A}$ requests a translated signature on an edge ($i,j$) that he has chosen. In reply, $\mathcal{C}$ firstly obtains the signature ${\sigma}_{ij}$ if $\Delta (i,j)$ is empty. $\mathcal{C}$ performs the following (assume $i<j$):- 1.
- If $i\notin V$ or $j\notin V$, $\mathcal{C}$ invokes ${\mathcal{O}}^{{\mathcal{H}}_{1}}(\xb7)$ to obtain ${H}_{1}\left(i\right)$ or ${H}_{1}\left(j\right)$.
- 2.
- If $\Delta (i,j)$ is empty, then$\Delta (i,j)\leftarrow {\mathcal{O}}^{\mathcal{CDH}}\left({H}_{1}\left(i\right){H}_{1}{\left(j\right)}^{-1}\right)$; $\Delta (j,i)\leftarrow \Delta {(i,j)}^{-1}$.
- 3.
- For all $k\in V\setminus \left\{i,j\right\}$,If $\Delta (k,i)$ is empty, then $\Delta (k,j)\leftarrow \Delta (k,i)\xb7\Delta (i,j)$; $\Delta (j,k)\leftarrow \Delta {(k,j)}^{-1}$.If $\Delta (k,j)$ is empty, then $\Delta (k,i)\leftarrow \Delta (k,j)\xb7\Delta (j,i)$; $\Delta (i,k)\leftarrow \Delta {(k,i)}^{-1}$.
- 4.
- ${\sigma}_{ij}\leftarrow \Delta (i,j)$.
- 5.
- $\mathcal{C}$ randomly picks $t\in {\mathbb{Z}}_{p}$, computes ${T}_{1}={g}^{t}$ and ${T}_{2}={\sigma}_{ij}{D}^{t}$. $\mathcal{C}$ maintains a list ${L}_{T}$ and stores all the random numbers t to ${L}_{T}$.
- 6.
- Returns (${T}_{1},{T}_{2}$) to $\mathcal{A}$, and stores the corresponding t in ${L}_{T}$.

**DS Query**: assuming that $\mathcal{A}$ requests a designated verifier signature on edge ($i,j$) using the chosen public key ${y}_{i}$, $\mathcal{C}$ firstly obtains the translated signature $({T}_{1},{T}_{2})$ as above if the signature does not exist. Then, $\mathcal{C}$ randomly selects $r\in {\mathbb{Z}}_{p}$ and calculates $R=e{(g,B)}^{r},\phantom{\rule{4pt}{0ex}}{R}_{1}=e({D}^{th},B),\phantom{\rule{4pt}{0ex}}T={T}_{2}^{h}{g}^{r}\phantom{\rule{4pt}{0ex}}\left(\mathrm{mod}\phantom{\rule{4pt}{0ex}}p\right)$ and $c=e(T,B)$, returns ${\sigma}_{DV}=({R}_{1},h,c)$ to adversary $\mathcal{A}$.**DV Query**: assuming that $\mathcal{A}$ requests a verification result of ($(i,j),{\sigma}_{DV}$) using the chosen public key ${y}_{i}$, $\mathcal{C}$ calculates ${P}_{1}=e({h}_{i}{h}_{j}^{-1},{A}^{bh}){R}_{1},\phantom{\rule{4pt}{0ex}}P=c{P}_{1}^{-1}$, returns 1 if $h={H}_{2}(i,j,{h}_{i},{h}_{j},P)$, otherwise returns 0.**SKey Query**: assuming that $\mathcal{A}$ requests the corresponding private key using the chosen public key ${y}_{i}$, $\mathcal{C}$ outputs the corresponding private key ${x}_{i}$ if $i\ne l$. Otherwise, the operation aborts. The probability of $\mathcal{C}$ not aborting is ${(1-\frac{1}{n})}^{{q}_{5}}$.**Forgery**: eventually, $\mathcal{A}$ takes as input ${r}^{*}\stackrel{R}{\leftarrow}{\mathbb{Z}}_{P}$ and ${R}^{*}=e{(g,{y}_{k})}^{{r}^{*}}$, obtains ${h}^{*}$ by asking for the ${\mathrm{H}}_{2}$ oracle, when the edge $({i}^{*},{j}^{*})$ and the verifier’s public key ${y}_{k}$ chosen by himself. Then, he obtains a translated signature ${\widehat{\sigma}}_{ij}^{*}=({T}_{1}^{*},{T}_{2}^{*})$ by**Trans Query**and computes ${c}^{*}=e({{T}_{2}^{\prime}}^{{h}^{*}}{g}^{{r}^{*}},{y}_{k})$. In the end, $\mathcal{A}$ returns a forgery signature ${\sigma}_{DV}^{*}=({R}_{1}^{*},{h}^{*},{c}^{*})$. If ${y}_{k}\ne B$, then the operation aborts. The probability of $\mathcal{C}$ not aborting is $\frac{1}{n}$. We assume ${i}^{*},{j}^{*}\in V$, otherwise $\mathcal{C}$ can query the ${\mathcal{O}}^{{\mathcal{H}}_{1}}$ by himself. Let the graph $G=(V,E)$ be composed of all pairs $(i,j)$ submitted to**Trans Query**and let $\tilde{G}=(V,\tilde{E})$ be the transitive closure of G. ${\sigma}_{DV}^{*}$ is valid if it satisfies the following:- -
- $1\leftarrow $
**DV**($i,j,p{k}_{s},s{k}_{{v}_{k}},{\sigma}_{DV}^{*}$). - -
- $(({i}^{*},{j}^{*}),B)$ has never been submitted to
**DS Query**. - -
- ${y}_{k}$ has never been submitted to
**SKey Query**.

- 1.
- ${\sigma}_{{s}_{t}}={\left({h}_{{s}_{t}}\right)}^{a}={\left({H}_{1}\left({s}_{t}\right)\right)}^{a}\leftarrow {\mathcal{O}}^{\mathcal{CDH}}\left({H}_{1}\left({S}_{t}\right)\right)$.
- 2.
- ${c}_{{s}_{t}}\leftarrow e({\sigma}_{{s}_{t}},B)$.For all $z\in {V}_{t}\setminus \left\{{s}_{t}\right\}$,
- 3.
- ${c}_{z{s}_{t}}\leftarrow e({\sigma}_{z{s}_{t}},B)$.
- 4.
- ${c}_{z}\leftarrow {c}_{z{s}_{t}}\xb7{c}_{{s}_{t}}$.

- 1.
- ${c}_{{i}^{*}{j}^{*}}\leftarrow {[{c}^{*}\xb7{{R}^{*}}^{-1}]}^{{h}^{-1}}\xb7{{R}_{1}^{*}}^{-1}$.
- 2.
- ${c}_{{i}^{*}}\leftarrow {c}_{{i}^{*}{j}^{*}}\xb7{c}_{{j}^{*}}$.For all $k\in {V}_{1}\setminus \left\{{i}^{*}\right\}$,
- 3.
- ${c}_{k{i}^{*}}\leftarrow e({\sigma}_{k{i}^{*}},B)$.
- 4.
- ${c}_{k}\leftarrow {c}_{k{i}^{*}}\xb7{c}_{{i}^{*}}$.

- -
- ${y}_{l}=B$ has never been submitted to
**SKey Query**. - -
- In the output forgery, $\mathcal{A}$ chooses the public key B.

**Theorem**

**2**

**.**Assuming the one-more BDH assumption holds in the bilinear group pair ($\mathbb{G},{\mathbb{G}}_{\mathbb{T}}$) using the public parameters $pp$, we can conclude that the transitive signature is unforgeable under an adaptive chosen-message attack.

**Proof.**

**Setup**: $\mathcal{C}$ sets A as the signer’s public key and returns $(A,pp)$ to $\mathcal{A}$.**TSign Query**: assuming that $\mathcal{A}$ requests a signature on an edge ($i,j$) that he has chosen. In reply, $\mathcal{C}$ performs the following (Assume $i<j$):- 1.
- If $i\notin V$ or $j\notin V$, $\mathcal{C}$ invokes ${\mathcal{O}}^{{\mathcal{H}}_{1}}(\xb7)$ to obtain ${H}_{1}\left(i\right)$ or ${H}_{1}\left(j\right)$.
- 2.
- If $\Delta (i,j)$ is empty, then$\Delta (i,j)\leftarrow {\mathcal{O}}^{\mathcal{CDH}}\left({H}_{1}\left(i\right){H}_{1}{\left(j\right)}^{-1}\right)$; $\Delta (j,i)\leftarrow \Delta {(i,j)}^{-1}$.
- 3.
- For all $k\in V\setminus \left\{i,j\right\}$,If $\Delta (k,i)$ is empty, then $\Delta (k,j)\leftarrow \Delta (k,i)\xb7\Delta (i,j)$; $\Delta (j,k)\leftarrow \Delta {(k,j)}^{-1}$.If $\Delta (k,j)$ is empty, then $\Delta (k,i)\leftarrow \Delta (k,j)\xb7\Delta (j,i)$; $\Delta (i,k)\leftarrow \Delta {(k,i)}^{-1}$.
- 4.
- ${\sigma}_{ij}\leftarrow \Delta (i,j)$.
- 5.
- Returns ${\sigma}_{ij}$ to $\mathcal{A}$.

- Then, $\mathcal{A}$ adaptively invokes the ${H}_{1}$ oracle. $\mathcal{C}$ responds to $\mathcal{A}$ in the same way as in the proof above.

**Theorem**

**3**

**.**Our scheme satisfies the non-transferability of TUDVTS against the adaptive chosen-message and chosen-public-key $\mathcal{PPT}$ distinguisher $\mathcal{D}$.

**Proof.**

**Setup**:- 1.
- $\mathcal{C}$ sets $A={g}^{a},D={g}^{d}$ as the public key of the signer and the tracer, respectively, where $a,d\stackrel{R}{\leftarrow}{Z}_{p}^{*}$.
- 2.
- $\mathcal{C}$ sets ${y}_{i}={g}^{{x}_{i}}$ as the ith ($i\ne l$) verifier’s public/private key-pair, where ${x}_{i}\stackrel{R}{\leftarrow}{Z}_{p}^{*}$. Then, $\mathcal{C}$ maintains a list L and adds all the public/private key-pairs $({y}_{i},{x}_{i})$ to L.
- 3.
- $\mathcal{C}$ sends ($pp,A,{y}_{1},\cdots ,{y}_{n}$) to $\mathcal{D}$.

**Stage 1**: the distinguisher $\mathcal{D}$ adaptively invokes ${\mathrm{H}}_{1}$**Query**, ${\mathrm{H}}_{2}$**Query**,**Trans Query**,**DS Query**,**DV Query**,**Sim Query**,**SKey Query**. It responds to $\mathcal{D}$ in the same way as in game ${\mathrm{Forge}}_{\mathcal{A},\mathrm{TUDVTS}}^{cma,cpka}$.- -
**SKey Query**: if $\mathcal{D}$ requests the private key associated with a chosen public key ${y}_{i}$, $\mathcal{C}$ verifies the list L and provides the matching private key ${x}_{i}$ in response.- -
**Sim Query**: assuming that $\mathcal{D}$ requests a simulated signature on edge ($i,j$) using the chosen public key ${y}_{i}$, $\mathcal{C}$ firstly obtains the translated signature $({T}_{1},{T}_{2})$ as above if the signature does not exist. Then, $\mathcal{C}$ randomly selects $r\in {\mathbb{Z}}_{p}$ and calculates ${R}^{\prime}=e{(g,{y}_{i})}^{{r}^{\prime}},\phantom{\rule{4pt}{0ex}}{R}_{1}^{\prime}=e({D}^{{h}^{\prime}},{T}_{1}^{b}),\phantom{\rule{4pt}{0ex}}{T}^{\prime}={T}_{2}^{{h}^{\prime}}{g}^{{r}^{\prime}}\phantom{\rule{4pt}{0ex}}\left(\mathrm{mod}\phantom{\rule{4pt}{0ex}}p\right)$ and ${c}^{\prime}=e({T}^{\prime},{y}_{i}).$, returns ${\widehat{\sigma}}_{DV}=({R}_{1}^{\prime},{h}^{\prime},{c}^{\prime})$ to distinguisher $\mathcal{D}$.

**Challenge stage**: $\mathcal{D}$ returns $({i}^{\prime},{j}^{\prime})$ and ${y}_{k}$ that satisfy the following conditions:- -
- $({i}^{\prime},{j}^{\prime})\notin G$.
- -
- $(({i}^{\prime},{j}^{\prime}),{y}_{k})$ has never been submitted to
**DS Query**and**Sim Query**. - -
- ${y}_{k}$ has never been submitted to
**SKey Query**.

In reply, $\mathcal{C}$ randomly samples $b\in \left\{0,1\right\}$. If $b=1$, then the signature ${\sigma}_{DV}=({R}_{1},h,c)$ is generated by running**DS**and returned to $\mathcal{D}$. Otherwise, the signature ${\widehat{\sigma}}_{DV}=({R}_{1}^{\prime},{h}^{\prime},{c}^{\prime})$ is generated by running**Sim**and returned to $\mathcal{D}$.**Stage 2**: upon the receipt of the signature, $\mathcal{D}$ can still proceed with the query in**Stage 1**. However, he cannot query the translated signature on edge $({i}^{\prime},{j}^{\prime})$, and cannot choose $(({i}^{\prime},{j}^{\prime}),{y}_{k})$ for**DS Query**or**Sim Query**.**Guess stage**: $\mathcal{D}$ outputs his guess ${b}^{\prime}\in \left\{0,1\right\}$.

**Theorem**

**4**

**.**If the input of

**Comp**is legitimate signatures, then the distributions of the composed signature and the signature generated by the signer are statistically indistinguishable.

**Proof.**

**Comp**, it outputs the composed signature

**Theorem**

**5**

**.**The TUDVTS scheme is traceable, which can check whether the signer signed the message.

**Proof.**

## 5. Efficiency Analysis

## 6. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

- Micali, S.; Rivest, R.L. Transitive Signature Schemes. In Topics in Cryptology—CT-RSA 2002; Preneel, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; pp. 236–243. [Google Scholar]
- Hou, S.; Huang, X.; Liu, J.K.; Li, J.; Xu, L. Universal Designated Verifier Transitive Signatures for Graph-Based Big Data. Inf. Sci.
**2015**, 318, 144–156. [Google Scholar] [CrossRef] - Bellare, M.; Neven, G. Transitive Signatures Based on Factoring and RSA. In Advances in Cryptology—ASIACRYPT 2002; Zheng, Y., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; pp. 397–414. [Google Scholar]
- Bellare, M.; Neven, G. Transitive Signatures: New Schemes and Proofs. IEEE Trans. Inf. Theory
**2005**, 51, 2133–2151. [Google Scholar] [CrossRef] - Wang, L.; Cao, Z.; Zheng, S.; Huang, X.; Yang, Y. Transitive Signatures from Braid Groups. In Progress in Cryptology—INDOCRYPT 2007; INDOCRYPT’07; Springer: Berlin/Heidelberg, Germany, 2007; pp. 183–196. [Google Scholar]
- Lin, C.; Zhu, F.; Wu, W.; Liang, K.; Choo, K.K.R. A New Transitive Signature Scheme. In Network and System Security; Chen, J., Piuri, V., Su, C., Yung, M., Eds.; Springer: Cham, Switzerland, 2016; pp. 156–167. [Google Scholar]
- Zhu, F.; Zhang, Y.; Lin, C.; Wu, W.; Meng, R. A Universal Designated Multi-Verifier Transitive Signature Scheme. In Information Security and Cryptology; Chen, X., Lin, D., Yung, M., Eds.; Springer: Cham, Switzerland, 2018; pp. 180–195. [Google Scholar]
- Lin, C.; Wu, W.; Huang, X.; Xu, L. A New Universal Designated Verifier Transitive Signature Scheme for Big Graph Data. J. Comput. Syst. Sci.
**2017**, 83, 73–83. [Google Scholar] [CrossRef] - Noh, G.; Jeong, I.R. Transitive Signature Schemes for Undirected Graphs from Lattices. KSII Trans. Internet Inf. Syst.
**2019**, 13, 3316–3332. [Google Scholar] - Noh, G.; Chun, J.Y. Identity-Based Transitive Signature Scheme from Lattices. J. Korea Inst. Inf. Secur. Cryptol.
**2021**, 31, 509–516. [Google Scholar] - Rivest, R.; Hohenberger, S. The Cryptographic Impact of Groups with Infeasible Inversion. Doctoral Dissertation, Massachusetts Institute of Technology, Cambridge, MA, USA, 2003. [Google Scholar]
- Kuwakado, H.; Tanaka, H. Transitive Signature Scheme for Directed Trees. IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
**2003**, 86-A, 1120–1126. [Google Scholar] - Yi, X. Directed Transitive Signature Scheme. In Topics in Cryptology—CT-RSA 2007, The Cryptographers’ Track at the RSA Conference 2007, San Francisco, CA, USA, 5–9 February 2007, Proceedings; Abe, M., Ed.; Springer: Berlin/Heidelberg, Germnay, 2007; Volume 4377, pp. 129–144. [Google Scholar]
- Neven, G. A Simple Transitive Signature Scheme for Directed Trees. Theor. Comput. Sci.
**2008**, 396, 277–282. [Google Scholar] [CrossRef] - Camacho, P.; Hevia, A. Short Transitive Signatures for Directed Trees. In Topics in Cryptology—CT-RSA 2012; Dunkelman, O., Ed.; CT-RSA 2012. Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7178, pp. 35–50. [Google Scholar]
- Xu, J.; Chang, E.; Zhou, J. Directed Transitive Signature on Directed Tree. In Proceedings of the Singapore Cyber-Security Conference (SG-CRC) 2016-Cyber-Security by Design, Singapore, 14–15 January 2016; Cryptology and Information Security Series. Mathur, A., Roychoudhury, A., Eds.; IOS Press: Amsterdam, The Netherlands, 2016; Volume 14, pp. 91–98. [Google Scholar]
- Steinfeld, R.; Bull, L.; Wang, H.; Pieprzyk, J. Universal Designated-Verifier Signatures. In Advances in Cryptology—ASIACRYPT 2003; Laih, C.S., Ed.; ASIACRYPT 2003. Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2894, pp. 523–542. [Google Scholar]
- Boneh, D.; Lynn, B.; Shacham, H. Short Signatures from the Weil Pairing. In Advances in Cryptology—ASIACRYPT 2001; Boyd, C., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; pp. 514–532. [Google Scholar]
- Steinfeld, R.; Wang, H.; Pieprzyk, J. Efficient Extension of Standard Schnorr/RSA Signatures into Universal Designated-Verifier Signatures. In Public Key Cryptography-PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 1–4 March 2004; Lecture Notes in Computer Science; Bao, F., Deng, R.H., Zhou, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2004; Volume 2947, pp. 86–100. [Google Scholar]
- Ng, C.Y.; Susilo, W.; Mu, Y. Universal Designated Multi Verifier Signature Schemes. In Proceedings of the 11th International Conference on Parallel and Distributed Systems, ICPADS 2005, Fuduoka, Japan, 20–22 July 2005; pp. 305–309. [Google Scholar]
- Zhang, F.; Susilo, W.; Mu, Y.; Chen, X. Identity-Based Universal Designated Verifier Signatures. In Embedded and Ubiquitous Computing-EUC 2005 Workshops, EUC 2005 Workshops: UISW, NCUS, SecUbiq, USN, and TAUES, Nagasaki, Japan, 6–9 December 2005, Proceedings; Lecture Notes in Computer Science; Enokido, T., Yan, L., Xiao, B., Kim, D., Dai, Y., Yang, L.T., Eds.; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3823, pp. 825–834. [Google Scholar]
- Zhang, R.; Furukawa, J.; Imai, H. Short Signature and Universal Designated Verifier Signature Without Random Oracles. In Applied Cryptography and Network Security, Third International Conference, ACNS 2005, New York, NY, USA, 7–10 June 2005, Proceedings; Lecture Notes in Computer Science; Ioannidis, J., Keromytis, A.D., Yung, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3531, pp. 483–498. [Google Scholar]
- Shahandashti, S.F.; Safavi-Naini, R. Generic Constructions for Universal Designated-Verifier Signatures and Identitybased Signatures from Standard Signatures. IET Inf. Secur.
**2009**, 3, 152–176. [Google Scholar] [CrossRef] - Chang, T.Y. An ID-Based Multi-Signer Universal Designated Multi-Verifier Signature Scheme. Inf. Comput.
**2011**, 209, 1007–1015. [Google Scholar] [CrossRef] - Huang, X.; Susilo, W.; Mu, Y.; Wu, W. Universal Designated Verifier Signature Without Delegatability. In Information and Communications Security, 8th International Conference, ICICS 2006, Raleigh, NC, USA, 4–7 December 2006, Proceedings; Lecture Notes in Computer Science; Ning, P., Qing, S., Li, N., Eds.; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4307, pp. 479–498. [Google Scholar]
- Li, J.; Wang, Y. Universal Designated Verifier Ring Signature (Proof) Without Random Oracles. In Emerging Directions in Embedded and Ubiquitous Computing, EUC 2006 Workshops: NCUS, SecUbiq, USN, TRUST, ESO, and MSA, Seoul, Korea, 1–4 August 2006, Proceedings; Lecture Notes in Computer Science; Zhou, X., Sokolsky, O., Yan, L., Jung, E., Shao, Z., Mu, Y., Lee, D.C., Kim, D., Jeong, Y., Xu, C., Eds.; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4097, pp. 332–341. [Google Scholar]
- Wang, M.; Zhang, Y.; Ma, J.; Wu, W. A Universal Designated Multi Verifiers Content Extraction Signature Scheme. Int. J. Comput. Sci. Eng.
**2020**, 21, 49–59. [Google Scholar] [CrossRef] - Li, B.H.; Liu, Y.Z.; Yang, S. Lattice-Based Universal Designated Verifier Signatures. In Proceedings of the 15th International Conference on e-Business Engineering, ICEBE, Xi’an, China, 12–14 October 2018; IEEE Computer Society. pp. 329–334. [Google Scholar]
- Tang, F.; Ma, S.; Ma, C.L. Traceable Universal Designated Verifier Signature Proof Scheme. Ruan Jian Xue Bao/J. Softw.
**2022**, 33, 4305. [Google Scholar] - Gao, W.; Wang, G.; Wang, X.; Li, F. Round-Optimal ID-Based Blind Signature Schemes without ROS Assumption. J. Commun.
**2012**, 7, 909–920. [Google Scholar] [CrossRef]

**Figure 1.**An administrative domain. (Solid lines represent actual edges in the administrative domain, while dotted lines represent non-existent edges).

Algorithm | TSign | TVry | Comp | Trans | DS | DV | Sim |
---|---|---|---|---|---|---|---|

UDVTS | $\left|\mathbb{G}\right|$ | — | $\left|\mathbb{G}\right|$ | — | $\left|{\mathbb{G}}_{T}\right|$ | — | $\left|{\mathbb{G}}_{T}\right|$ |

TUDVTS | $\left|\mathbb{G}\right|$ | — | $\left|\mathbb{G}\right|$ | $2\left|\mathbb{G}\right|$ | $\left|{\mathbb{Z}}_{p}\right|+2\left|{\mathbb{G}}_{T}\right|$ | — | $\left|{\mathbb{Z}}_{p}\right|+2\left|{\mathbb{G}}_{T}\right|$ |

Algorithm | TSign | TVry | Comp | Trans | DS | DV | Sim |
---|---|---|---|---|---|---|---|

UDVTS | ${t}_{1}+2{t}_{3}+{t}_{4}+{t}_{5}$ | $2{t}_{2}+2{t}_{3}+{t}_{4}$ | ${t}_{5}$ | — | ${t}_{2}$ | ${t}_{1}+{t}_{2}+2{t}_{3}+{t}_{4}+{t}_{5}$ | ${t}_{1}+{t}_{2}+2{t}_{3}+{t}_{4}+{t}_{5}$ |

TUDVTS | ${t}_{1}+2{t}_{3}+{t}_{4}+{t}_{5}$ | $2{t}_{2}+2{t}_{3}+{t}_{4}$ | ${t}_{5}$ | $2{t}_{1}+{t}_{5}$ | $4{t}_{1}+3{t}_{2}+{t}_{3}+2{t}_{5}$ | ${t}_{1}+{t}_{2}+{t}_{3}+2{t}_{4}+4{t}_{5}$ | $5{t}_{1}+3{t}_{2}+{t}_{3}+{t}_{5}$ |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |

© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Hou, S.; Lin, C.; Yang, S.
A Traceable Universal Designated Verifier Transitive Signature Scheme. *Information* **2024**, *15*, 43.
https://doi.org/10.3390/info15010043

**AMA Style**

Hou S, Lin C, Yang S.
A Traceable Universal Designated Verifier Transitive Signature Scheme. *Information*. 2024; 15(1):43.
https://doi.org/10.3390/info15010043

**Chicago/Turabian Style**

Hou, Shaonan, Chengjun Lin, and Shaojun Yang.
2024. "A Traceable Universal Designated Verifier Transitive Signature Scheme" *Information* 15, no. 1: 43.
https://doi.org/10.3390/info15010043