A Hash-Based Quantum-Resistant Designated Verifier Signature Scheme

Abstract

Digital signatures are unsuitable for specific applications that are sensitive on a personal or commercial level because they are universally verifiable. Jakobsson et al. proposed the Designated Verifier Signature (DVS) system, which only allows the intended verifier to validate a message’s signature. It prohibits the disclosure of a conviction to a third party. This functionality is useful in applications that require both authenticity and signer privacy, such as electronic voting and tender calls. The vast majority of current DVS schemes are based on difficult number theory problems such as integer factorization or discrete log problems over various groups. The development of a large-scale quantum computer would render these schemes unsafe. As a result, it is critical to develop quantum-resistant DVS methods. In both quantum and classical computers, signatures based on one-way functions are more efficient and secure. They have several advantages over digital signatures based on trapdoor functions. As a result, hash-based signatures are now considered viable alternatives to number-theoretic signatures. Existing hash-based signatures, on the other hand, are easily verifiable by anyone. As a result, they do not protect the signer’s identity. In addition, they are one-time signatures. This paper presents a hash-based multi-time designated verifier signature scheme that ensures signer anonymity. The unforgeability of the signature scheme is also tested in the random oracle model under chosen message attack. The properties such as non-transferability and non-delegatability are investigated.

1. Introduction

Digital signatures play a vital role in the security of internet and IT infrastructures. Message integrity, authenticity, and non-repudiation are all provided by digital signatures. Traditional digital signatures can be verified by the public. However, in certain circumstances, the signer ought not uncover his signature to different gatherings, for example when signing individual well-being records, a financial statement, or a proposal of a vendor in an electronic auction. Henceforth, Chaum et al. [1] proposed an undeniable signature scheme in which the signature validation by a verifier requires an interactive confirmation protocol with the signer. Hence, the signer has complete full control over his signature. However, if the signer refuses to take part in the verification, then the signatures are considered to be invalid. To address this problem, Jakobsson et al. presented a new sort of digital signature called Designated Verifier Signature (DVS) [2], which replaces the interactive verification of an undeniable signature scheme by a non-interactive verification and thereby reduces the burden on the signer. The DVS system enables the designated verifier to create signatures that are indistinguishable from the signer’s. Subsequently, no outsider can identify the genuine signer of DVS. Although DVS achieves non-transferability, it does not prevent an outsider from checking the correctness of the scheme and being convinced that the signature is generated either by the signer or by the verifier. These significant features allow DVS to be more useful in scenarios such as electronic voting, tendering, and so on, where it is important for the signer to designate who has to be convinced by his/her signature.

1.1. Related Work

Saeednia et al. introduced the notion of Strong Designated Verifier Signature (SDVS) in [3] that requires the private key of the designated verifier to verify the signature. Hence, the signature can only be verified by the chosen verifier and not by an outsider. Followed by the author, Huang et al. [4] and Kang et al. [5] proposed identity-based strong designated verifier signature (IBSDVS) schemes and under the Bilinear Diffie–Hellman (BDH) assumption, the schemes are unforgeable. In [6], Laguillaumie and Vergnaud presented a multi-designated verifier signature technique that allows the signer to prove the authenticity of a statement to a chosen group of verifiers and allows the verifiers to create an identical signature by having cooperation among themselves. The authors also emphasized the concept of signer’s identity privacy in SDVS and established that without knowing the secret keys, it is impossible to tell the difference between the signer’s and the verifier’s signatures. Li et al. [7] introduced the concept of non-delegatability to the DVS scheme, which ensures that the signer and verifier cannot entrust the generation of their signatures to a third party without disclosing their secret keys. Zhang and Mao proposed an IBSDVS scheme in [8] and claimed that their scheme is non-delegatable. De Almeida et al. [9] presented a protocol that uses DVS in a context of packet-switching networks. Attracted by the applications of DVS, many researchers proposed different DVS schemes. The majority of DVS schemes use certificate-based or identity-based cryptography, with only a few using certificateless cryptography [10,11,12].

According to Shor’s algorithm [13], the emergence of quantum computers would make integer factorization and discrete logarithm issues insecure, which offer a stable foundation for the above-mentioned schemes. As a result, alternate strategies that are resistant to quantum computer attacks must be devised. Despite the fact that quantum computers are still in their early stages of development [14,15], their theoretical ability to compromise present cryptographic techniques has motivated the development of post-quantum cryptographic schemes. Thanalakshmi et al. [16] proposed the DVS scheme and Assar et al. [17] and Ren et al. [18] Shooshtari [19] proposed SDVS schemes based on the hard problem bounded syndrome decoding in coding theory that are believed to be quantum resistant [20,21]. However, it is demonstrated in [16] that the systems proposed by Ren et al. and Shooshtari et al. fail to meet non-transferability. Wang et al. [22], Li et al. [7], Noh and Jeong [23], and Cai  et al. [24] proposed SDVS schemes based on the hard problems in lattices and claimed the schemes are quantum secure. However, the above schemes are based on trapdoor one-way functions and are considered to be more complex than the schemes based on one-way functions.

As hash functions are one-way and sufficient to have an efficient and secure transmission of data, the hash-based cryptosystem is considered as another promising quantum immune cryptosystem. In [25], the authors introduce hash-based signature schemes in the IoT ecosystem. For convenient transmission, a large file can be broken into smaller blocks and transmitted. One can receive a subset of blocks sequentially and finally be able to reconstruct the original file. Until the original file is decoded, one cannot check whether an intermediate block is valid or not. By using a homomorphic hash function, one can solve such a situation as follows. Compute the hash value of individual blocks and send the list of hash values to the user. The user can use it to verify the incoming blocks as they come and can compute the hash of the original file from the hashes of individual blocks. Chen presented a PDP protocol based on an algebraic signature and a hash function with homomorphic property [26]. The homomorphic hash function is proven to enable rapid and efficient content retrieval as well as proved data possession and data integrity protection in cloud storage. Thanalakshmi et al. [27] proposed a quantum-resistant chameleon signature scheme with homomorphic hash functions and homomorphic pseudorandom generators and without using complex algebraic computation. Hence, to build identification schemes and special signatures such as DVS in a quantum world, quantum-resistant homomorphic hash functions are essential.

Lamport’s one-time signature scheme in [28] laid a foundation for introducing the hash-based signature scheme by Merkle in [29]. Various extensions and improvements were made in Lamport’s original scheme either by iterating the application of one-way functions several times or revealing the intermediate values of one-way functions as signatures. All of these methods can be thought of as variations on the approach proposed by Bleichenbacher and Maurer in [30]. As the security proofs of their schemes are left open, Hevia and Micciancio in [31] proposed a modification in [30] and proved the proposed signature is provably hard to break since the underlying functions are a hash function and a pseudorandom generator. A novel one-time signature scheme NOTS, which offers minimum key and signature sizes from existing OTS/FTS schemes, is presented in [32]. However, the above signature schemes are universally verifiable. Hence, they are unsuitable for applications where the intended verifier alone has to verify the signature. In addition, they are one-time—that is, each time when a signer wants to sign a document, he has to generate a new key pair, which in turn increases the key generation time. This motivates us to design a multi-time privacy providing DVS scheme based on hash functions. Although SDVS protects the privacy of signers, there are specific situations in which SDVS is ineffective and only DVS is appropriate. DVS is beneficial in electronic commerce applications such as the sale of digital products, for example. If Cindy buys a digital product from vendor Bob over the internet, she needs a digital receipt that ensures the product’s quality, validity, and legality. Cindy would be convinced that the product is genuinely manufactured by Alice and sold by Bob if the receipt is bound with the identities of Bob and the product’s manufacturer, say Alice. In this situation, Alice can create a DVS as a digital receipt for Bob. When Cindy buys a goods and receives a receipt from Bob, she may verify the signature using Bob’s and Alice’s public keys and be convinced of the merchandise. Under certain conditions, such as when the product requires service during the warranty period, Bob can provide it and issue a DVS receipt to satisfy the customer and build goodwill with the customer. In addition, DVS is preferable to SDVS, since Cindy will be unable to validate the signature if she receives SDVS as a receipt because SDVS requires Bob’s private key for verification. Hence, in this paper, a DVS scheme is designed using a homomorphic hash function such that the signer can sign many documents with one private key, and the intended verifier can alone verify the validity of the signature. The scheme is proven to be existentially unforgeable under the chosen message attack in the random oracle model under the assumption of the preimage resistance of hash functions. The proposed technique further retains the non-transferability property by allowing the verifier to generate signatures that are indistinguishable from those issued by the signer. The proposed scheme satisfies the non-delegatability property, which is a desirable property for many applications of DVS such as the hypothetical e-voting protocol and the online subscription system.

1.2. Paper Organization

The following is a breakdown of the paper’s structure. Cryptographic primitives, the specification of designated verifier signature schemes, and the security model are all covered in Section 2. In Section 3, a novel hash-based designated verifier signature mechanism is presented. In Section 4, the scheme’s security is demonstrated using the provided security definitions. Section 5 discusses the suggested scheme’s performance as well as a comparison study. Finally, Section 6 brings the paper to a close.

2. Preliminaries

This section recalls the standard definition of a cryptographic hash function. It also introduces the concept and security requirements of a designated verifier signature scheme.

2.1. Cryptographic Primitives

Hash function is a powerful tool which is a crucial ingredient for many applications. It is typically used to ensure the data integrity, reduce the quantity of the data to be processed, and develop safe signature methods in the random oracle model.

Definition 1.

(Cryptographic Hash Function) A cryptographic hash function $h:{\{0,1\}}^{*}\to {\{0,1\}}^n$ is a mathematical function that has the following properties:

(i) 

Computability or One-way: For any given message, it is easy to compute the hash value but practically impossible to invert.

(ii) 

Preimage resistance: It is computationally infeasible to find a message M that is hashed to y for any hash value y.

(iii) 

Second-preimage resistance: For a given message M, it is computationally infeasible to find another message $M^{\prime }$, which hashes to the same value as the message M, i.e., $h\left(M\right)=h\left(M^{\prime }\right)$.

(iv) 

Collision resistance: It is computationally infeasible to find another message $M^{\prime }$ that hashes to the same value as the message M, i.e., $h\left(M\right)=h\left(M^{\prime }\right)$ for a given message M.

Definition 2.

(Homomorphic hash function). Let $(R,+)$ be a group. A homomorphic hash function is a cryptographic hash function $H:R^2\to R$ that satisfies homomorphic property. Hence, $H(x+y)=H\left(x\right)+H\left(y\right)$ for every $x,y\in R^2.$

A post-quantum homomorphic hash function is a homomorphic hash function that is resistant against quantum attacks. It is proposed by Micciancio in [33]. Chen et al. in [26] have proved that the hash family ${\mathcal{H}}_{R,m}=\{H:R^m\to R|RisaringandHishomomorphic\}$ is a post-quantum homomorphic hash family where the ring R is $Z_p\left[x\right]/<f>$ for an irreducible monic polynomial $f\in Z_p\left[x\right]$ of degree n and for some prime p.

The formal definition of a designated verifier signature scheme and its security requirements as in [2] are given in the following subsection.

2.2. Designated Verifier Signature Schemes

A DVS scheme consists of the following four polynomial-time algorithms:

Key Generation $\left(1^{\kappa }\right)$: The key generation algorithm is a probabilistic polynomial-time algorithm which takes the security parameter $\kappa$ as input and generates public/private key pairs $(p{k}_i,s{k}_i)$, $i=S,V$ where S, V stands for the signer and verifier, respectively.

Sign: The signature generation algorithm outputs a designated verifier signature $\sigma$ based on the input of a message M from the message space, the signing secret key $s{k}_S$, and the verifying public keys $p{k}_S$ and $p{k}_V$. Either a probabilistic or deterministic algorithm can be used.

Verify: The signature verification algorithm is a deterministic algorithm that takes as inputs and outputs a bit string $\sigma$, a message M, and the verifying public keys $p{k}_S$ and $p{k}_V$. If $\sigma$ is a valid designated verifier signature on M, accept it; otherwise, reject it.

Sim: Transcript simulation is an algorithm that creates an identically distributed transcript $\sigma {}^{\prime }$ that is indistinguishable from the signature issued by the signer when given the designated verifier’s secret key $s{k}_V$, the verifying public keys $p{k}_S$ and $p{k}_V$, and a message M.

In public key infrastructure, everyone shields his/her private key and advertises his/her public key with the help of digital certificates. Otherwise, an attacker might use a signer’s or verifier’s information to create a new key pair in the signer’s or verifier’s name and place a copy of the public key on a public key server. Assume a signer generates a DVS using a verifier’s public key that has been placed by an attacker. The DVS property then allows the verifier to generate the signature. The attacker in this case is the verifier, who can easily generate the signature. To overcome this issue, a digital certificate should be used. It is a method of associating public keys with their owner. Certificate Authorities (CAs) issue these to validate the owners of public keys. The CA accomplishes this by validating (via various processes) the identity of the public key’s owner. After that, it will bind the public key to a digital certificate and sign it with its private key to ensure its authenticity. All parties who need to validate the CA’s assertion of public key ownership have access to the CA’s public key.

2.3. Designated Verifier Signature Schemes’ Security Model

The following important properties of a designated verifier signature scheme should be met: correctness, unforgeability, non-transferability, and non-delegatability.

Definition 3.

(Correctness) For any $p{k}_S,s{k}_S$,$p{k}_V,s{k}_V$ and any message $M\in {\{0,1\}}^{*}$, the correctness of the algorithm requires that

$$Pr\left[Verify\left(\begin{array}{c}p{k}_S,p{k}_V,M,\\ \sigma =sign(s{k}_S,\\ p{k}_S,p{k}_V,M)\end{array}\right)=Accept\right]=1$$

and

$$Pr\left[Verify\left(\begin{array}{c}p{k}_S,p{k}_V,M,\\ {\sigma }^{{}^{\prime }}=sim(s{k}_V,\\ p{k}_S,p{k}_V,M)\end{array}\right)=Accept\right]=1.$$

Unforgeability

A valid DVS cannot be produced with non-negligible probability by anyone other than the signer and the designated verifier. Formally, we define unforgeability as the following game between a challenger C and a Probabilistic Polynomial-Time (PPT) adversary A:

(a)

C produces $\left(p{k}_S,s{k}_S\right)$ and $\left(p{k}_V,s{k}_V\right)$ key pairs for the signer S and the verifier V, respectively, and gives $p{k}_S,p{k}_V$ to the adversary A.

(b)

$O_h$: For the appropriate inputs, A can query the hash oracle $O_h$.

(c)

$O_{Sign}$: A can ask the signing oracle $O_{Sign}$ for a signature on a message M for the signer S and the chosen verifier V. The oracle responds by returning a signature $\sigma$ on M, where $\sigma$ is valid with regard to $p{k}_S$ and $p{k}_V$.

(d)

Finally, A outputs a forgery ${\sigma }^{*}$ on a message $M^{*}$ without querying $O_{Sign}$. A wins the game if the signature is valid for $M^{*}$ in terms of $p{k}_S$ and $p{k}_V$ and it did not query $O_{Sign}$ on input $M^{*}$.

Definition 4.

(Unforgeability). $\left(T,q_h,q_s,ϵ\right)$ is a DVS scheme that is existentially unforgeable against adaptive selected message attack if there is no adversary A who runs in time at most T, sends at mos$q_h$ queries to $O_h$, $q_s$ queries to $O_{sign}$ and wins the game with a probability of at least ϵ, as specified in [34].

Non-transferability

Any probabilistic polynomial-time algorithm cannot distinguish the signature $\sigma$ on a message M generated by either the signer or the designated verifier given a valid message–signature pair $\left(M,\sigma \right)$. As a result, the signer’s signature cannot be conveyed to a third party by a designated verifier. Its formal definition is as follows:

Definition 5.

(Non-transferability). If the signature generated by the designated verifier is indistinguishable from the original signature generated by the signer on the same message, the DVS method is non-transferable. It holds for any PPT, distinguisher D, and message $M\in {\{0,1\}}^{*}$ for any $\left(p{k}_S,s{k}_S\right),\left(p{k}_V,s{k}_V\right)$

$$\left|Pr\left(\begin{array}{c}{\sigma }_0\leftarrow Sign\left(s{k}_S,p{k}_S,p{k}_V,M\right),\\ {\sigma }_1\leftarrow Sim\left(s{k}_V,p{k}_S,p{k}_V,M\right),\\ b\leftarrow \{0,1\},\\ b^{\prime }\leftarrow D\left(s{k}_S,p{k}_S,s{k}_V,p{k}_V,{\sigma }_b\right)\\ :b^{\prime }=b\end{array}\right)-\frac{1}{2}\right|\le ϵ\left(\kappa \right)$$

where the probability is taken over the randomness used in $Sign$ and $Sim$, as well as the random coins used by D and $ϵ\left(\kappa \right)$ are a negligible function in the security parameter $kappa$. If the likelihood is $\frac{1}{2}$, the DVS scheme achieves perfect non-transferability, as stated in [17].

Non-delegatability

Non-delegatability means that in order to generate a valid signature on a message, one must ’know’ the signer’s or designated verifier’s secret key. Its formal definition is as follows:

Definition 6.

(Non-delegatability) $(t,ϵ,t^{\prime },{ϵ}^{\prime })$ is a non-delegatable DVS scheme if a knowledge extractor K can extract the private key $s{k}_S$ or $s{k}_V$ in time t with a probability of $Ad{v}_{DVS}^{ND}\left(\kappa \right)\ge ϵ$ against a forger algorithm F, a valid signature can be constructed on M with probability ${ϵ}^{\prime }$ in time $t^{\prime }$, where $ϵ>pol{y}_1\left({ϵ}^{\prime }\right)$ and $t<pol{y}_2\left(t^{\prime }\right)$ for two polynomial functions $pol{y}_1$ and $pol{y}_2$, respectively.

3. Proposed Hash-Based Quantum-Resistant Designated Verifier Signature Scheme

The proposed Hash-Based Designated Verifier Signature Scheme (HBDVS) scheme is constructed using homomorphic hash function $H:{\mathbb{F}}_2^{2k}\to {\mathbb{F}}_2^k$ and a hash function $h:{\mathbb{F}}_2^k\times {\mathbb{F}}_2^k\times {\mathbb{F}}_2^k\to {\mathbb{F}}_2^l$, which are modeled as random oracles.

Construction of a Quantum-Resistant Hash-Based Designated Verifier Signature Scheme (HBDVS)

The scheme is made up of the polynomial-time algorithms listed below.

Signer S and verifier V with the input matrices X and Z of size l run Algorithm 1 and obtain the output matrices $H\left(X\right)$ and $H\left(Z\right)$. The signer and the verifier publish their public/private key pairs $(p{k}_S,s{k}_S)$ as $\left(H\right(X),X)$ and $\left(H\right(Z),Z)$, respectively.

Algorithm 1 Key Generation $\left(1^{\kappa }\right)$

Input:H and a matrix X of size l where $X_i\in {\mathbb{F}}_2^{2k}$ for $i=1,\dots ,l$ Output: $(pk,sk)$ Initialize $pk$ of size l values as 0 Initialize $sk$ as X For $i=1tol:$ do $$ $pk\left[i\right]=H\left(X\right[i\left]\right)$ EndFor return $(pk,sk)$

The signer S chooses $y_1$,$t_1\in {\mathbb{F}}_2^{2k}$$r_1\in {\mathbb{F}}_2^l$ and message M and runs Algorithm 2 and obtains the signature $\sigma$ for M as $(r_1,t_1,r_2,t_2)$.

When a signature $\sigma =(r_1,t_1,r_2,t_2)$ is received with the message M, the verifier runs Algorithm 3 and checks the validity of the signature. If the output is $True$, the verifier $Accepts$ the signature $\sigma$ for M and if the output is $False$, he $Rejects$ the signature.

The verifier V randomly chooses $y_2$,$t_2\in {\mathbb{F}}_2^{2k}$ and $r_2\in {\mathbb{F}}_2^l$ and runs Algorithm 4 to simulate a signature $\sigma$ for M.

Algorithm 2 Signing

Input:$y_1$, $t_1\in {\mathbb{F}}_2^{2k}$, $r_1\in {\mathbb{F}}_2^l$, $p{k}_V$, $s{k}_S$, h, H and M Output: $(r_1,t_1,r_2,t_2)$ $Y_1=H\left(y_1\right)$ $T_1=H\left(t_1\right)$ $Y_2=p{k}_V\ast r_1\oplus T_1$ $r=h(M,Y_1,Y_2)$ $r_2=r\oplus r_1$ $t_2=s{k}_S\ast r_2\oplus y_1$ return $(r_1,t_1,r_2,t_2)$

Algorithm 3 Verify

Input: signature $\sigma =(r_1,t_1,r_2,t_2)$, $p{k}_S$, $s{k}_V$, M, h and H Output: Boolean ($True$ or $False$) $T_1=H\left(t_1\right)$ $T_2=H\left(t_2\right)$ $r=r_1\oplus r_2$ $Y_1=p{k}_S\ast r_2\oplus T_2$, $Y_2=p{k}_V\ast r_1\oplus T_1$. If $r=h(M,Y_1,Y_2)$ do: $$ return “True” Endif Else do $$ return “False” EndElse

Algorithm 4 Sim

Input:$y_2$, $t_2\in {\mathbb{F}}_2^{2k}$, $r_2\in {\mathbb{F}}_2^l$, $p{k}_S$, $s{k}_V$, h, H and M Output: $(r_1,t_1,r_2,t_2)$ $Y_2=H\left(y_2\right)$ $T_2=H\left(t_2\right)$ $Y_1=p{k}_S\ast r_2\oplus T_2$ $r=h(M,Y_1,Y_2)$ $r_1=r\oplus r_2$ $t_1=s{k}_V\ast r_1\oplus y_2$. return $(r_1,t_1,r_2,t_2)$

Correctness

A valid signature’s correctness is determined as follows:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill p{k}_S\ast r_2\oplus T_2& =H\left(s{k}_S\right)\ast r_2\oplus H\left(t_2\right)\hfill \\ \hfill & =H(s{k}_S\ast r_2)\oplus H\left(t_2\right)\hfill \\ \hfill & =H(s{k}_S\ast r_2\oplus t_2)\hfill \\ \hfill & =H\left(y_1\right)=Y_1\hfill \end{array}\end{array}$$

Similarly, one can verify $p{k}_V\ast r_1\oplus T_1=Y_2$. In addition, $r_1\oplus r_2=r$, according to the definition of r. As a result, $h(M,Y_1,Y_2)=r$. The correctness for a simulated signature follows the similar steps of correctness for a legitimate signature.

4. Security Analysis

The unforgeability of the proposed signature scheme is analyzed as follows:

EUF-CMA security: Pointcheval and Stern’s [35] generic signatures are of the format $\sigma =({\sigma }_0,h_1,{\sigma }_1)$, where ${\sigma }_0$ is randomly sampled from a huge set; $h_1=h(M,{\sigma }_0)$ with a hash function h that is characterized as a random oracle, and M is the message to be signed; ${\sigma }_1$ depends merely on ${\sigma }_0$ and $h_1$. The signature on the message M that results is indicated by $({\sigma }_0,h_1,{\sigma }_1)$. Pointcheval and Stern showed that their schemes were existentially unforgeable in the random oracle model by the novel forking lemma.

The General Forking Lemma by Pointcheval and Stern [35] for a generic digital signature scheme is as follows:

The General Forking Lemma: Let $\kappa$ be a security parameter for a generic digital signature system called Key Gen, Sign, Verify. Let A be a probabilistic polynomial-time Turing machine that takes public data as input and uses $q_h$ and $q_s$ queries to query the random oracle and the signer, respectively. Assume that within a time bound T, A creates a valid signature $({\sigma }_1,h_1,{\sigma }_2)$ on M with the probability $ϵ\ge \frac{10(q_s+1)(q_s+q_h)}{2^{\kappa }}$. When the triples $({\sigma }_1,h_1,{\sigma }_2)$ can be simulated with an indistinguishable distribution probability without using the secret key, there exists another machine that has control over the machine A, replaces the interaction with the signer with simulation, and produces two valid signatures $({\sigma }_1,h_1,{\sigma }_2)$ and $({\sigma }_1,h_1^{{}^{\prime }},{\sigma }_2^{{}^{\prime }})$ on M such that $h_1\ne h_1^{{}^{\prime }}$, in expected time $T^{{}^{\prime }}\le \frac{120686q_{h}T}{ϵ}$.

It is interesting to note that the proposed signature $(r_1,t_1,r_2,t_2)$ on a message M meets the definition of Pointcheval and Stern’s generic signatures. If $r_1$, $t_1$ and $y_1$ are sampled from big sets, $r_2$ can be easily derived from the hash output, and $t_2$ depends only on $r_2$ and the $r_1$, $t_1$ and $y_1$ inputs. The signature is supplied as $(r_1,t_1,r_2,t_2)$, ignoring $y_1$, because the DVS scheme must have anonymity and the value of $y_1$ can be readily obtained from $(r_2,t_2)$ when required. As a result, the Forking Lemma is used to assess the proposed scheme’s security.

Theorem 1.

The signature $(r_1,t_1,r_2,t_2)$ of the proposed scheme can be simulated using the hash oracle without knowing the private keys $s{k}_S$ and $s{k}_V$, making it indistinguishable from the original signature unless the adversary can solve the hash function’s preimage.

Proof. 

A valid four-tuple $(r_1,t_1,r_2,t_2)$, either original or simulated signature, must satisfy $p{k}_S\ast r_2\oplus T_2=Y_1$ and $p{k}_V\ast r_1\oplus T_1=Y_2$. Hence, simulation of the signature without the private keys $s{k}_S$ and $s{k}_V$ can be made as follows: choose randomly $t_1$, $t_2$ in $F_2^{2k}$, $r_1$, $r_2$ in $F_2^l$ and compute $T_1=H\left(t_1\right)$ and $T_2=H\left(t_2\right)$, $Y_1=p{k}_S\ast r_2\oplus T_2$ and $Y_2=p{k}_V\ast r_1\oplus T_1$ and set $h(M,Y_1,Y_2)=r_1\oplus r_2$. Therefore, the simulated signature satisfies either $Y_1=H\left(y_1\right)$ or $Y_2=H\left(y_2\right)$ where $y_1=s{k}_S\ast r_2\oplus t_2$ and $y_2=s{k}_V\ast r_1\oplus t_1$. However, all original signatures $(r_1,t_1,r_2,t_2)$ satisfy both $Y_1=H\left(y_1\right)$ and $Y_2=H\left(y_2\right)$ with $h(M,Y_1,Y_2)=r_1\oplus r_2$ and $y_1=s{k}_S\ast r_2\oplus t_2$ and $y_2=s{k}_V\ast r_1\oplus t_1$. Only with the knowledge of the secret keys $s{k}_S$ and $s{k}_V$ one can differentiate the simulated signature from a legitimate one. Therefore, telling a simulated signature from an original signature is the same as determining the secret keys from the public keys. It is the same as solving the hash function’s preimage. □

Theorem 2.

Let A be an adversary who queries the hash and sign oracles with at most $q_h$ and $q_s$ queries, respectively, and performs an existential forgery under chosen message attack against the proposed HBDVS scheme with probability $ϵ\ge \frac{10(q_s+1)(q_s+q_h)}{2^{\kappa }}$, within time bound T; then, the preimage of the hash function H can be computed within the expected time $T^{{}^{\prime }}\le \frac{120686q_{h}T}{ϵ}$. As a result, in the random oracle model, the HBDVS scheme is $(T,q_h,q_s,ϵ)$—existentially unforgeable.

Proof. 

If an adversary A forges an HBDVS scheme with probability $ϵ$, an algorithm C exists that computes a preimage of the hash function H as follows: To construct a homomorphic hash function H, the challenger C executes the setup process on a security parameter $\kappa$. Then, C chooses randomly $p{k}_S$ and $p{k}_V$ as $k\times l$ matrices over ${\mathbb{F}}_2$ and sets them as the signer’s and verifier’s public key, respectively. C invokes A on parameters, $p{k}_S$ and $p{k}_V$.

Let A query the hash oracle and sign oracle with at most $q_h$ and $q_s$ queries, respectively, and it wins the unforgeability game with probability $ϵ$. In Theorem 1, it is shown that the four-tuple $(r_1,t_1,r_2,t_2)$ can be simulated without using the secret key with an indistinguishable distribution probability. According to General Forking Lemma, C that controls A replaces the interaction with the signer by simulation and produces two valid signatures in expected time $T^{{}^{\prime }}\le \frac{120686q_{h}T}{ϵ}$. The two valid signatures $(r_1,t_1,r_2,t_2)$ and $(r_1,t_1,r_2^{{}^{\prime }},t_2^{{}^{\prime }})$ on $M^{*}$ gives $y_1=s{k}_S\ast r_2\oplus t_2=s{k}_S\ast r_2^{{}^{\prime }}\oplus t_2^{{}^{\prime }}$

$\Rightarrow s{k}_S=\frac{t_2^{{}^{\prime }}\oplus t_2}{r_2\oplus r_2^{{}^{\prime }}}$. Thus, C determines the secret key $s{k}_S$, which is the preimage of the public key $p{k}_S$. In a similar manner, C computes the secret key $s{k}_V$ for the public key $p{k}_V$. Thus, C succeeds in finding the preimages of hash function for two instances $p{k}_S$ and $p{k}_V$ within the expected time $T^{{}^{\prime }}\le \frac{120686q_{h}T}{ϵ}$. □

The following theorem proves non-transferability, which is an important property of the proposed DVS.

Theorem 3.

The distributions of the transcripts simulated by the verifier using the Sim algorithm are the same as the distributions of the transcripts received from the signer using the Sign algorithm. Hence, the proposed scheme is non-transferable.

Proof. 

It is sufficient to establish that any valid designated verifier signature $(r_1,t_1,r_2,t_2)$ on a message M created by a simulation algorithm is indistinguishable from one produced by a signing method to prove non-transferability. That is, the likelihood of the signing algorithm producing a signature is the same as the probability of the simulation algorithm producing a signature. For randomly selected $y_1,t_1\in {\mathbb{F}}_2^{2k}$ and $r_1\in {\mathbb{F}}_2^l$, the signature $(r_1,t_1,r_2,t_2)$ produced by a signing algorithm is

$$\left(\begin{array}{c}{r}_1\stackrel{R}{\leftarrow }{\mathbb{F}}_2^l\\ t_1\stackrel{R}{\leftarrow }{\mathbb{F}}_2^{2k}\\ h(M,H\left(y_1\right),p{k}_V\ast r_1\oplus H\left(t_1\right))\oplus r_1:y_1\stackrel{R}{\leftarrow }{\mathbb{F}}_2^{2k}\\ s{k}_S\ast r_2\oplus y_1\end{array}\right)$$

For randomly selected $y_2,t_2\in {\mathbb{F}}_2^{2k}$ and $r_2\in {\mathbb{F}}_2^l$, the signature $(r_1,t_1,r_2,t_2)$ produced by a simulation algorithm is

$$\left(\begin{array}{c}h(M,p{k}_S\ast r_2\oplus H\left(t_2\right),H\left(y_2\right))\oplus r_2,:y_2\stackrel{R}{\leftarrow }{\mathbb{F}}_2^{2k}\\ s{k}_V\ast r_1\oplus y_2\\ r_2\stackrel{R}{\leftarrow }{\mathbb{F}}_2^l\\ t_2\stackrel{R}{\leftarrow }{\mathbb{F}}_2^{2k}\end{array}\right)$$

Let $\theta$ be a valid signature picked at random from among all the designated verifier signatures. The probability of a signature being formed by a signing algorithm is $Pr[\overline{\theta }=\theta ]=\frac{1}{2^{4k+l}}$, while the probability of a signature ${\theta }^{{}^{\prime }}$ being produced by a simulation algorithm is $Pr[\overline{\theta }={\theta }^{{}^{\prime }}]=\frac{1}{2^{4k+l}}$. When the random vectors and probabilities are compared, it is clear that the signatures produced by the signing and simulation algorithms have the same probability. As a result, the suggested signature system satisfies the property of non-transferability. □

Theorem 4.

The proposed HBDVS scheme cannot be delegated.

Proof. 

We use the “General Forking Lemma” to show that the proposed HBDVS is non-delegatable. Assume that $ϵ>\kappa =1/2^l$ with $1/2^l$ representing the chance that F correctly predicts the hash value without consulting the random oracle h. We must prove that a knowledge extractor K exists that extracts the secret key of either the signer $s{k}_S$ or the designated verifier $s{k}_V$ with probability 1 using input $\sigma$ and black-box oracle access to algorithm F. Let K choose randomly $p{k}_S$ and $p{k}_V$ as $k\times l$ matrices over ${\mathbb{F}}_2$ and establish them as the public keys of the signer and the verifier, respectively, and send to F. K supplies sign and hash oracles in the same manner as Theorem 2 does. K selects a message $M^{*}$ and sends it to F, which produces a signature on $M^{*}$. By General Forking Lemma, two signatures $(r_1,t_1,r_2,t_2)$ and $(r_1,t_1,r_2^{{}^{\prime }},t_2^{{}^{\prime }})$ on $M^{*}$ are obtained.

This ⇒$y_1=s{k}_S\ast r_2\oplus t_2=s{k}_S\ast r_2^{{}^{\prime }}\oplus t_2^{{}^{\prime }}$$\Rightarrow s{k}_S=\frac{t_2^{{}^{\prime }}\oplus t_2}{r_2\oplus r_2^{{}^{\prime }}}$. Thus, K computes the secret key $s{k}_S$ for the public key $p{k}_S$. Similarly, K computes the secret key $s{k}_V$ for the public key $p{k}_V$. □

5. Results and Discussion

In the proposed scheme, the signature generation requires three time computations of the hash function. Hence, the signature generation has the time complexity $3\left(O\right(1\left)\right)=O\left(1\right)$. The time complexity of verification is $O\left(1\right)$, since the verification process also requires three time computations of hash evaluation.

Table 1. Comparison of HBDVS scheme with existing DVS schemes.

Scheme	System	Hard Problem	Signature Size in Bits
Wang et al. (2012) [22]	Lattice-based	LWE-SIS	$3.3\times {10}^6$
Noh and Jeong (2016) [23]	Lattice-based	LWE-SIS	$9.7\times {10}^4$
Cai et al. (2019) [24]	Lattice-based	R-SIS	$1.6\times {10}^4$
Proposed HBDVS	Hash-based	PR	$7.1\times {10}^3$

SIS: short integer solution; LWE: learning with errors; R-SIS: ring-based analogue of SIS problem; PR: preimage resistance.

shows the comparison results of the proposed method with a few current post-quantum DVS techniques for 256-bit security. We consider hash functions given by Ajtai’s construction of hash functions based on regular lattices for the proposed HBDVS. As a result, the HBDVS parameters, $k=nlog,q$ and $l=log,q$, select the values of n and q, as cited in [33]. The other schemes compared in Table 1 are lattice-based schemes in ideal lattices. As a result, the parameters of those schemes are regarded as in [24]. Table 1 indicates that the proposed scheme’s signature length is shorter than that of previous quantum secure techniques.

6. Conclusions

A DVS scheme is designed to preserve the signer’s privacy, which is a requirement for many applications such as electronic voting, tender calls, and so on. As the attacks of the quantum computer threatens most of the existing designated verifier signature schemes, in this paper, a provably secure hash-based designated verifier signature scheme is proposed. The scheme is constructed with a minimal resource of homomorphic hash function. It is a many-time scheme without using the Merkle tree structure. It is a feasible replacement to number-theoretic techniques. The scheme’s EUF-CMA security is demonstrated in the random oracle. It also meets the security requirements for a designated verifier signature technique, such as non-transferability and non-delegatability. This work will enhance the potential of one-way functions in public key cryptography. This study’s scope could be expanded to include various types of hash-based designated verifier signatures, such as strong designated verifier signatures, proxy signatures, designated confirmer signatures, and so on.