Efficient Identity-Based Universal Designated Verifier Signature Proof Systems

Abstract

The implementation of universal designated verifier signatures proofs (UDVSPs) enhances data privacy and security in various digital communication systems. However, practical applications of UDVSP face challenges such as high computational overhead, onerous certificate management, and complex public key initialization. These issues hinder UDVSP adoption in daily life. To address these limitations, existing solutions attempt to eliminate bilinear pairing operations, but their proposal still involves cumbersome certificate management and inherent interactive operations that can sometimes significantly degrade system efficiency. In this paper, we first utilize the identity-based (ID-based) SM2 digital signature scheme to construct an ID-based UDVSP system which sidesteps the cumbersome certificate management issue. To further remove the interactive requirement, we also employ the OR proof and Fiat–Shamir technologies to design the other ID-based UDVSP system. Our designs not only possess the same bilinear pairing-free advantage as Lin et al.’s proposal, but also achieve the certificate-free or non-interactive goals. Security proofs and performance analysis confirm the viability and efficiency of our systems.

1. Introduction

In modern society, with the widespread application of digital signatures, protecting the privacy of signers has become a major concern for researchers. To address this issue, universal designated verifier signatures (UDVSs) were proposed by Steinfeld et al. in Asiacrypt 2003 [1]. UDVSs ensure that the designated verifier has the ability to verify digital signatures, while preventing the verifier from conveying the reliability of the signature to anyone else. This characteristic makes it suitable for scenarios where only a few specifically designated verifiers are required for signature verification. As an illustration, in the realm of e-government, government departments can utilize UDVSs to provide a proof of confidential information to relevant staff members as required for their work. However, these personnel are unable to convince third parties of the authenticity of this confidential information. This mechanism is critical to prevent malicious dissemination of confidential information. There are numerous such application scenarios, including electronic voting systems, electronic medical records, and electronic income certificates.

Universal designated verifier signature proof (UDVSP), as an enhanced variant of UDVS, eliminates the requirement for designated verifiers to generate their public/private key pairs using parameters that are predefined by signers. However, UDVSP systems still encounter several inherent limitations, including the need for complex public key certificate management, computationally intensive bilinear pairing operations, and the inherent constraints of interactive protocols. While Lin et al. [2] proposed a UDVSP scheme that eliminates the need for bilinear pairings, their solution still grapples with the persistent challenges of cumbersome certificate management and the limitations imposed by interactive protocols.

Driven by the problem of the UDVSP schemes mentioned above, we would like to obtain ID-based UDVSP systems to resolve these issues. In this paper, we construct ID-based UDVSP systems that are engineered to simultaneously resolve the four aforementioned issues. Firstly, using the ID-based SM2 digital signature scheme, we build the ID-based UDVSP system, which avoids the complex issue of certificate management. To further dispense with the need for interactivity, we make use of the OR proof and Fiat–Shamir methodologies to design an alternative ID-based UDVSP system. These schemes possess not only the same bilinear pairing-free advantage as the proposal by Lin et al. [2], but also attain the certificate-free or non-interactive objective. Moreover, we carry out an analysis of the security and performance aspects of the two schemes.

The subsequent content presents the layout of the remaining part of this paper: Some related work is introduced in Section 2. Some methodologies are introduced in Section 3. Section 4 provides our interactive ID-based UDVSP system along with its security analysis. In Section 5, our non-interactive ID-based UDVSP system and its corresponding security analysis are detailed. Section 6 is dedicated to conducting a performance analysis of the two schemes. Finally, Section 7 contains the conclusions.

2. Related Work

To protect the signer’s privacy and prevent signatures from being verified by unauthorized third parties, the undeniable signature scheme was proposed by Chaum and Antwerpen in 1990 [3]. In this scheme, the verifier must collaborate with the signer to verify the signature, which is equivalent to the signer having the power to decide who can verify the signature. However, the undeniable signature scheme is limited by the requirement of reciprocal communication, which poses a significant drawback.

In order to avoid interactive communication between signer and verifier, in 1996, Jakobsson et al.  [4] introduced the designated verifier signature (DVS) schemes. In the DVS scheme, the signer generates the DVS by incorporating the public key of the designated verifier. This eliminates the need for the signer to assist in the verification process. The designated verifier is not only able to validate the DVS but can also generate an indistinguishable DVS using the same private key. This latter property, known as transcript simulation, ensures that the verifier cannot convince a third party by transferring the proof, thereby achieving the same objective as the undeniable signature scheme.

Subsequently, Steinfeld et al. [1] proposed UDVS in 2003, which is regarded as an extended variant of DVS. Unlike DVS, in the UDVS scheme, the signer and the signature holder can be different individuals. This means that anyone in possession of an ordinary signature (not limited to the original signer) can convert the signature into a designated one for a specific verifier.

Nevertheless, in  Asiacrypt 2005, Baek et al. [5] indicated that in this UDVS scheme, the designated verifier is required to create a public/private key pair by using the parameters set by the signer. This is impractical in certain scenarios. In certificate-based (CA-based) public key systems, regenerating public/private key pairs entails cumbersome public key certificate management and results in significant computational overhead. Even incertificateless systems where the overhead of regenerating key pairs is relatively smaller, it still places an additional burden on the verifier. If the verifier has already generated public/private key pairs with public key parameters different from those set by the signer, it is unlikely that they will generate another key pair just for verifying a signature. Baek et al. [5] proposed the universal designated verifier signature proof (UDVSP) to circumvent the issue of key initialization by the verifier. In contrast to UDVS, UDVSP employs an interactive protocol with the designated verifier to demonstrate the validity of a signature. Therefore, the verifier’s key pairs play no role in this particular proof, which eliminates the need for the verifier to reinitialize a key.

Interestingly, with the introduction of the UDVSP, a new issue has emerged. The application of the interactive protocol in UDVSP can sometimes lead to a substantial decrease in the efficiency of the system. Specifically, interactive proofs necessitate that both parties be online concurrently. If either party is offline or in a network environment with high latency, it will incur additional time spent waiting and more communication overhead due to the need to resend messages.

Beyond the problem of interactive proofs, the onerous management of public key certificates is also an issue of widespread concern. The UDVS/UDVSP schemes of Steinfeld et al. [1,5,6] are all constructed under CA-based system. To be more specific, these schemes involve cumbersome certificate processes, including application, issuance, query, and revocation. As a direct consequence, this gives rise to a significant amount of overhead. In contrast, ID-based systems [7] streamline the key management process while ensuring a moderate level of security. This makes them a favorable substitute to CA-based systems. In light of this, Zhang et al. [8] constructed an ID-based UDVS in 2005. Subsequently, Chen et al. [9] introduced an ID-based UDVSP in 2008. These schemes allow UDVS and UDVSP to avoid the complex certificate management process.

In addition to the above-mentioned issues, the substantial computation cost associated with UDVS/UDVSP is also not something that can be overlooked. As Lin et al. [2] point out, existing UDVSP schemes [5,9] involve time-consuming bilinear pairing operations (one bilinear pairing operation on a mobile terminal takes about 32 ms, which is approximately 9 times the time demanded by an elliptic curve multiplication operation [10]). In order to reduce the computational overhead of UDVSP, Lin et al. [2] designed a UDVSP scheme based on the Chinese cryptographic SM2 algorithm. This scheme eschews bilinear pairing operations and instead makes use of operations on elliptic curves. This approach enhances the computational efficiency of the scheme. However, it is still constructed under CA-based public key systems. Moreover, it is encumbered with the intricacies and challenges inherent to the interactive protocol.

3. Methodology

3.1. Symbols and Definitions

Table 1. Symbols and definitions.

Symbol	Definition
$I{D}_a$	User’s identity.
ENTLA	Two bytes converted from the bit length of $I{D}_a$.
q	A large prime number.
$F_q$	A finite field consisting of q elements.
$a,b$	Elements in $F_q$ that define an elliptic curve E over $F_q$.
$E\left(F_q\right)$	The collection of all rational points on the elliptic curve E over $F_q$ (where the point at infinity O is also included).
O	A special point on the elliptic curve, referred to as the point at infinity or zero point.
G	The cyclic group containing every point on the elliptic curve E along with the point at infinity.
P	The generator of the group G.
n	The order of the generator P (where n is a prime factor of $\#E\left(F_q\right)$).
$H(·),H_o(·),H_n(·),H_v(·)$	A secure cryptographic hash function.

lists the symbols and definitions involved.

3.2. The ID-Based Digital Signature Based on SM2

The SM2 digital signature algorithm is a component of elliptic curve-based key cryptography algorithms. This algorithm was released by the Chinese National Cryptography Administration (see “SM2 Public Key Cryptographic Algorithms Based on Elliptic Curves”, China’s State Cryptography Administration, December 2010 [11]).

The ID-based digital signature based on SM2 [12] is an improved algorithm derived from the SM2 digital signature. Compared with the SM2 digital signature, the ID-based digital signature based on SM2 utilizes identity information to create the user’s private key. Its application and management do not revolve around digital certificates. Consequently, this obviates the necessity of managing and maintaining public key certificates and circumvents time-consuming procedures. The ID-based digital signature based on SM2 consists of four steps: setup, extract, sign, and verify. The process of the scheme is as shown in Figure 1.

(1)

Setup: With the security parameter $\lambda$ provided, the key generation center (KGC) randomly selects a large prime number q and determines a non-singular elliptic curve $E:y^2=x^3+ax+bmodq$ (where $a,b\in Z_q^{*}$). From all the points on E (including the point at infinity), select a cyclic group G of prime order n and a generator $P\in G$. Choose three secure hash functions $H:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to Z{n}^{*}$, $H_v:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\{0,1\}}^v$, and $H_o:{\{0,1\}}^{*}\to {\{0,1\}}^{256}$. Randomly select $x\in Z{n}^{*}$ and generate the partial system public key $Ppub=xP$. The algorithm outputs the system public key $mpk=(E,a,b,q,G,n,P,Ppub,H,H_v,H_o)$ and the master private key $msk=x$.

(2)

Extract: Given $mpk$, $msk$, and user information $I{D}_a$, the KGC randomly selects $l\in Z_n^{*}$ and computes the partial user private key $L=lP$, and the intermediate variable $h=H(I{D}_a\Vert L)$. The partial user private key d is calculated as $d=l+xhmodn$. The algorithm gives out the user’s private key $sk=(L,d)$.

(3)

Sign: Given $mpk$, $sk=(L,d)$, and the message m, the signer computes the user’s distinguishable identifier $Z_a=H_o(ENTLA\Vert I{D}_a\Vert a\Vert b\Vert x_p\Vert y_p\Vert x_L\Vert y_L)$ and its hash value $e=H_v(Z_a\Vert m)$, where $ENTLA$ is the bit length of $I{D}_a$, and $(x_p,y_p)$ and $(x_L,y_L)$ are the coordinates of $Pr$ and L, respectively. Select a random number $k\in Z_n^{*}$, and then compute the elliptic curve point $K=kP=(x_K,y_K)$ and the partial signature $r=(e+x_K)modn$. If $r=0$ or $r+k=n$, select a new k and repeat the calculations. Otherwise, compute the partial signature $s={(1+d)}^{-1}(k-rd)modn$. If $s\ne 0$, the algorithm outputs the message–signature pair m and $\sigma =(L,r,s)$.

(4)

Verify: Given $mpk$, $I{D}_a$, m, and the signature to be verified $\sigma =(L,r,s)$. If $r,s\notin Z_n^{*}$, the verifier outputs 0. Otherwise, the verifier computes $t=r+smodn$. If $t=0$, the verifier outputs 0. If $t\ne 0$, the following series of computations are carried out. First, compute $Z_a=H_o(ENTLA\Vert I{D}_a\Vert a\Vert b\Vert x_p\Vert y_p\Vert x_L\Vert y_L)$. Then, calculate $h\prime =H(I{D}_a\Vert L)$. Next, determine $e\prime =H_v(Z_a\Vert m)$. After that, obtain $K\prime =sP+t(L+h\prime P_{pub})=(x_K\prime ,y_K\prime )$. Finally, calculate $r\prime =(e\prime +x_K\prime )modn$. If $r\prime =r$, the algorithm outputs 1 to denote the validity of the signature; otherwise, it outputs 0 to denote the invalidity of the signature.

The ID-based digital signature algorithm based on SM2 satisfies correctness and existential unforgeability under adaptively chosen message attacks (EUF-CMA) [13].

3.3. Zero-Knowledge Proof, $\mathsf{\Sigma }$-Protocol with Its or Construction

Suppose the interactive protocol $\mathsf{\Pi }$ consists of two entities, a prover $Pr$ and a verifier $Vr$. $Pr$ can convince $Vr$ about the binary relation $R=(x,w):{\{0,1\}}^{*}\times {\{0,1\}}^{*}$ (where x and w refer to the instance and the witness, respectively). If the protocol $\mathsf{\Pi }$ meets the requirements of completeness and soundness, it is called a proof of knowledge system. Additionally, if $\mathsf{\Pi }$ further satisfies honest verifier zero-knowledge (HVZK), then it is known as an interactive honest verifier zero-knowledge proof system [14,15].

The $\mathsf{\Sigma }$-protocol is an interactive three-move zero-knowledge proof system. Assume $Pr$ and $Vr$ execute the OR proof [16] and obtain the result $(a_0,a_1,c,c_0,c_1,z_0,z_1)$, P chooses a challenge $c_{1-b}$, where $b=0$ or 1. Another challenge $c_b=c\oplus c_{1-b}$ is determined by $Vr$’s random challenge c. The commitment and response $(a_0,a_1,z_0,z_1)$ are generated by $Pr$ using the private witness w based on $c_0,c_1$. The completeness of the $\mathsf{\Sigma }$-protocol means that if there exists a valid function $\varphi (\alpha ,a_1,c,c_0,c_1,z_0,z_1)=1$, then $Vr$ accepts $(a_0,a_1,c,c_0,c_1,z_0,z_1)$. Special soundness means that given two valid tuples $(a,c,z)$ and $(a,c\prime ,z\prime )$ with $c\ne c\prime$, one can recover $Pr$’s witness w. Special HVZK means that given $Vr$’s random challenge c, there is a probabilistic polynomial-time (PPT) simulator $SI$ that can interact with $Vr$ to output a valid tuple $(a_0,a_1,c,c_0,c_1,z_0,z_1)$. Assume the real interaction between $Pr$ and $Vr$ outputs $(a_0,a_1,c^{\prime },c_0^{\prime },c_1^{\prime },z_0^{\prime },z_1^{\prime })$, then $(a_0,a_1,c,c_0,c_1,z_0,z_1)$ and $(a_0,a_1,c^{\prime },c_0^{\prime },c_1^{\prime },z_0^{\prime },z_1^{\prime })$ are indistinguishable.

The OR proof [16] is a fundamental construction of the $\mathsf{\Sigma }$-protocol. It allows $Pr$ to prove that for two computational problems $x_0$ and $x_1$, $Pr$ knows the witness w for one of the problems, such that either $(x_0,w)\in R$ or $(x_1,w)\in R$, without disclosing which one.

The last property of the OR proof is known as witness indistinguishable (WI). This property sets it apart from other $\mathsf{\Sigma }$-protocols. To elaborate, $Pr$ might be aware of which one in several distinct values of w would enable them to successfully complete the protocol. However, for arbitrary $Vr$, it is impossible to determine which of these possible values the $Pr$ actually knows merely from the conversations.

The $\mathsf{\Sigma }$-protocol is capable of being changed into a non-interactive instance through the utilization of the Fiat–Shamir heuristic [17]. However, using the normal $\mathsf{\Sigma }$-protocol to construct a non-interactive scheme will undermine the non-transferable privacy property of the UDVS. Therefore, we utilize the OR proof to construct our scheme, leveraging the WI property of the OR proof. In the non-interactive form of the OR proof, $Pr$ computes $(a_0,a_1)$ and $c_{1-b}$, and then directly calls $c=H(x,a)$ to obtain the challenge value c and determine $c_b$. Using the private witness w, $Pr$ then computes ($z_0,z_1)$ and finally sends $(a_0,a_1,c,c_0,c_1,z_0,z_1)$ to $Vr$. The non-interactive protocol obtained through the Fiat–Shamir transformation still satisfies the properties of interactive form [17].

4. Interactive ID-Based UDVSP Based on SM2 Digital Signature

4.1. The Proposed System

The interactive ID-based UDVSP scheme was constructed by ID-based SM2 signatures and the $\mathsf{\Sigma }$-protocol. Specifically, it is formed by five algorithms and one protocol. The process of the scheme is as shown in Figure 2.

• Setup: Provided the security parameter $\lambda$, the KGC randomly picks a large prime number q and determines a non-singular elliptic curve $E:y^2=x^3+ax+bmodq$ (where $a,b\in {\mathbb{Z}}_q^{*}$). Among all the points on E (including the point at infinity), a cyclic group G of prime order n and a generator $P\in G$ are selected. Secure hash functions are chosen as follows: $H:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to \mathbb{Z}{n}^{*}$, $H_v:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\{0,1\}}^v$, and $H_o:{\{0,1\}}^{*}\to {\{0,1\}}^{256}$. Here, $H_v(·)$ and $H_o(·)$ are secure cryptographic hash functions. A random $x\in \mathbb{Z}{q}^{*}$ is selected, and the partial system public key is computed as $P\mathrm{pub}=xP$. The algorithm outputs the system public key $\mathrm{mpk}=(E,a,b,q,G,n,P,P\mathrm{pub},H,H_v,H_o)$ and the master private key $\mathrm{msk}=x$. This invention is based on the SM2 digital identity signature design, so it uses the same system parameters as the identity-based SM2 digital signature. For specific parameter symbols and definitions, refer to the detailed implementation in Section 3.1 (Symbols and Definitions).
• Extract: Given the system’s master public key $mpk$, master private key $msk$, and user information $I{D}_a$, the KGC randomly selects $l\in Z_n^{*}$, computes the partial user private key $L=lP$, and the intermediate variable $h=H(I{D}_a\Vert L)$. The partial user private key d is calculated as $d=l+xhmodn$. The user’s private key $sk=(L,d)$ is output.
• Sign: Given the system’s master public key $mpk$, the user’s private key $sk=(L,d)$, and the message m, the signer computes the user’s distinguishable identifier $Z_a=H_o(\mathrm{ENTLA}\Vert I{D}_a\Vert a\Vert b\Vert x_p\Vert y_p\Vert x_L\Vert y_L)$ and the hash value $e=H_v(Z_a\Vert m)$, where $ENTLA$ is the bit length of $I{D}_a$, and $(x_p,y_p)$ and $(x_L,y_L)$ are the coordinates of $Pr$ and L, respectively. A random $k\in Z_n^{*}$ is selected, then the elliptic curve point $K=kP=(x_K,y_K)$ and the partial signature $r=(e+x_K)modn$ are computed. If $r=0$ or $r+k=n$, a new k is selected and the calculations are repeated. Otherwise, the partial signature $s={(1+d)}^{-1}(k-rd)modn$ is computed. If $s\ne 0$, the algorithm outputs the message m and the signature $\sigma =(L,r,s)$.
• Verify: Given the system’s master public key $mpk$, user information $I{D}_a$, message m, and the signature to be verified $\sigma =(L,r,s)$, if $r,s\notin Z_n^{*}$, the verifier (which may be the signature holder or others) outputs 0. Otherwise, it computes $t=r+smodn$. If $t=0$, the verifier outputs 0. Otherwise, it computes $Z_a=H_o(\mathrm{ENTLA}\Vert I{D}_a\Vert a\Vert b\Vert x_p\Vert y_p\Vert x_L\Vert y_L)$, $h\prime =H(I{D}_a\Vert L)$, $e\prime =H_v(Z_a\Vert m)$, $K\prime =sP+t(L+h\prime P_{pub})=(x_K\prime ,y_K\prime )$, and $r\prime =(e\prime +x_K\prime )modn$. If $r\prime =r$, the algorithm outputs 1 to denote the validity of the signature; in contrast, it outputs 0 to denote the invalidity of the signature.
• Tran: Given the system public key mpk, user information ${\mathrm{ID}}_a$, message m, and the signature to be verified $\sigma =(L,r,s)$, the signature holder randomly selects $a_r,b_r\in {\mathbb{Z}}_n^{*}$ and computes $Z_a=H_o(\mathrm{ENTLA}\Vert {\mathrm{ID}}_a\Vert a\Vert b\Vert x_p\Vert y_p\Vert x_L\Vert y_L)$, $e=H_v(Z_a\Vert m)$, $\widehat{r}=r+a_r-emodn$, $\widehat{s}=s+b_{r}modn$. The algorithm outputs the transformed signature $\widehat{\sigma }=(L,\widehat{r},\widehat{s})$ and the transformation key $tk=(a_r,b_r)$.
• IVerf: Provided the system public key mpk, user information ${\mathrm{ID}}_a$, and the transformed signature $\widehat{\sigma }$, the signature owner $Pr$ additionally takes the transformation key $tk$ and the signature $\sigma$ as input. The signature owner $Pr$ and the designated verifier $Vr$ perform the following interaction:
  • $Pr$ first computes $h=H(\mathrm{ID}a\Vert L)$, $T=hP\mathrm{pub}$, $K=sP+(r+s)(L+T)$. Then, $Pr$ randomly selects $\alpha ,\beta \in \mathbb{Z}{n}^{*}$ and $R\in G$, and computes the commitment value $D=R+\beta P+\alpha (L+hP\mathrm{pub})+\beta (L+h{P}_{\mathrm{pub}})$. Finally, $Pr$ sends D to $Vr$.
  • $Vr$ randomly selects a challenge value $c\in {\mathbb{Z}}_n^{*}$ and returns c to $Pr$.
  • $Pr$ calculates the response to the challenge $Z_K=R-cK$, $z_a=\alpha -c·a_{r}modn$, $z_b=\beta -c·b_{r}modn$, and sends $(Z_K,z_a,z_b)$ to $Vr$.
  • $Vr$ calculates $e\prime =H_v(Z_a\Vert m)$, $h\prime =H(\mathrm{ID}a\Vert L)$, $T=(L+h\prime P\mathrm{pub})$, and $D\prime =Z_K+z_{b}P+z_{a}T+z_{b}T+c(\widehat{s}P+\widehat{r}T+e\prime T+\widehat{s}T)$. If $D\prime =D$, $Vr$ outputs 1, indicating acceptance; otherwise, $Vr$ outputs 0.

4.2. Security Analysis

This section will show that the constructed interactive ID-based UDVSP system constructed from SM2 can achieve the anticipated security properties. Based on the security framework introduced by Baek et al. [5], a (UDVSP) scheme must satisfy two critical security requirements: existential unforgeability under adaptive chosen message and identity attacks (EUF-CM-ID-A), and resistance to impersonation attacks (R-IM).

Since the EUF-CM-ID-A of UDVSP is consistent with the EUF-CM-ID-A of the SM2 ID-based digital signature scheme (the SM2 ID-based digital signature has been proven to be EUF-CM-GID-A by Lin et al. [13]), this paper only analyzes the security of the UDVSP system against impersonation attacks. Specifically, we examine two distinct attack scenarios: resistance against Type 1 impersonation attacks (R-IM-TYPE-1) and resistance against Type 2 impersonation attacks (R-IM-TYPE-2).

Theorem 1.

If the IVerf protocol of UDVSP satisfies honest verifier zero-knowledge (HVZK), then UDVSP satisfies R-IM-TYPE-1.

Proof. 

First, we construct a simulator SI (Algorithm 1) to prove that the IVerf protocol of UDVSP satisfies HVZK. SI first generates a valid message–signature pair $(m,\sigma =(L,r,s\left)\right)$ and replicates all interactions with the honest verifier $Vr$. Due to the random numbers $a_r,b_r\in {\mathbb{Z}}_n^{*}$ in steps (1) and (2), the first two steps of SI are completely blind. The point L is a random point derived from the user’s private key, and the verifier cannot recover the original signature $(L,r,s)$ from the transformed signature $(L,\widehat{r},\widehat{s})$. Additionally, steps (3) to (5) form a $\sigma$-protocol, which satisfies special HVZK, effectively preventing the disclosure of the transformation key $(a_r,b_r)$. Therefore, the IVerf protocol of UDVSP satisfies HVZK.

Algorithm 1 Simulator SI for the IVerf protocol.

SI requests a signature $(m,\sigma =(L,r,s\left)\right)$ from the signer. SI selects $a_r,b_r\in {\mathbb{Z}}_n^{*}$ at random and computes $e=H_v(Z_a\Vert m)$, $\widehat{r}=r+a_r-emodn$, $\widehat{s}=s+b_{r}modn$, and sends $(L,\widehat{r},\widehat{s})$ to $Vr$. SI randomly selects $\alpha ,\beta \in \mathbb{Z}{n}^{*}$ and $R\in G$, computes the commitment value $D=R+\beta P+\alpha (L+hP\mathrm{pub})+\beta (L+h{P}_{\mathrm{pub}})$, and sends D to $Vr$. SI receives the challenge value $c\in {\mathbb{Z}}_n^{*}$ sent by $Vr$. SI computes the response to the challenge $Z_K=R-cK$, $z_a=\alpha -c·a_{r}modn$, $z_b=\beta -c·b_{r}modn$, and sends $(Z_K,z_a,z_b)$ to $Vr$

If there exists a PPT adversary $A=(V\prime ,P\prime )$ that successfully breaks the R-IM-TYPE-1 security of UDVSP, it implies that A can obtain information about $(a_r,b_r)$ to successfully interact with other designated verifiers. This would violate the HVZK property of the IVerf protocol in UDVSP. Therefore, UDVSP satisfies R-IM-TYPE-1. □

Theorem 2.

If the SM2 identity-based digital signature has the property of EUF-CM-GID-A, then UDVSP has the property of R-IM-TYPE-2.

Proof. 

Suppose there exists an algorithm A that successfully breaks the R-IM-TYPE-2 property of UDVSP. Then, there exists an algorithm B that can use the capability of A to successfully break the EUF-CM-GID-A property of the SM2 identity-based digital signature. Algorithm B is given the system public key $\mathrm{mpk}=(E,a,b,q,G,n,P,P_{\mathrm{pub}},H,H_v,H_o)$$(P_{\mathrm{pub}}=xP,H:{0,1}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_n^{*},H_v:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\{0,1\}}^v,H_o:{\{0,1\}}^{*}\to {\{0,1\}}^{256})$. The goal is to output a valid message–signature pair.

First, B sends $(E,a,b,q,G,n,P,P_{\mathrm{pub}},H,H_v,H_o)$ to A and calls A to obtain the transformed signature $\widehat{\sigma }=(L,\widehat{r},\widehat{s})$ for m. Then, B and A execute step 1 of the IVerf protocol to obtain $D=R+\beta P+\alpha (L+h{P}_{\mathrm{pub}})+\beta (L+h{P}_{\mathrm{pub}})$, and D is returned to B. B computes $e^{\prime }=H_v(Z_a\Vert m)$, $h^{\prime }=H({\mathrm{ID}}_a\Vert L)$, $T=(L+h^{\prime }{P}_{\mathrm{pub}})$, and verifies $D=Z_K+z_{b}P+z_{a}T+z_{b}T+c(\widehat{s}P+\widehat{r}T+e^{\prime }T+\widehat{s}T)$. If this does not hold, B terminates the current interaction; otherwise, B calls A again with a new challenge value $c^{\prime }\in {\mathbb{Z}}_n^{*}$ to obtain new proof values $(Z_K^{\prime },z_a^{\prime },z_b^{\prime })$. If $D^{\prime }=Z_K^{\prime }+z_b^{\prime }P+z_a^{\prime }T+z_b^{\prime }T+c(\widehat{s}P+\widehat{r}T+e^{\prime }T+\widehat{s}T)$, then B can compute $a_r=(z_a-z_a^{\prime })·\tau modn$, $b_r=(z_b-z_b^{\prime })·\tau modn$, $K=\tau (Z_K-Z_K^{\prime })$, where $\tau ={(c-c^{\prime })}^{-1}$ can be solved using the extended Euclidean algorithm. B uses $(a_r,b_r)$ to recover $\sigma =(L,r,s)$, and finally outputs the forged message–signature pair $(m,\sigma =(L,r,s\left)\right)$. This contradicts the EUF-CM-GID-A property of the SM2 identity-based digital signature; thus, UDVSP satisfies R-IM-TYPE-2. □

5. Non-Interactive ID-Based UDVSP Based on SM2 Digital Signature

5.1. The Proposed System

The non-interactive ID-based UDVSP scheme is also relies on ID-based SM2 signatures. However, unlike the previous scheme, it uses the OR form of the $\mathsf{\Sigma }$-protocol for protocol design. Although the designated verifier still needs to have a pair of public and private keys, these required key pairs do not have to be generated based on the signer’s public key parameters. Instead, the designated verifier can make use of an existing public/private key pair. The scheme specifically comprises five algorithms and one protocol. The process of the scheme is as shown in Figure 3.

• Setup: Given the security parameter $\lambda$, the KGC randomly picks a large prime number q and determines a non-singular elliptic curve $E:y^2=x^3+ax+bmodq$ (where $a,b\in {\mathbb{Z}}_q^{*}$). Among all the points on E (including the point at infinity), a cyclic group G of prime order n and a generator $P\in G$ are selected. Secure hash functions are chosen as follows: $H:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to \mathbb{Z}{n}^{*}$, $H_v:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\{0,1\}}^v$, and $H_o:{\{0,1\}}^{*}\to {\{0,1\}}^{256}$. Here, $H_v(·)$ is a cryptographic hash function with a message digest length of v bits, and $H_o(·)$ is a secure cryptographic hash function. A random $x\in \mathbb{Z}{q}^{*}$ is selected, and the partial system public key is computed as $P\mathrm{pub}=xP$. The algorithm outputs the system public key $\mathrm{mpk}=(E,a,b,q,G,n,P,P\mathrm{pub},H,H_v,H_o)$ and the master private key $\mathrm{msk}=x$. This invention is based on the SM2 digital identity signature design, so it uses the same system parameters as the identity-based SM2 digital signature. For specific parameter symbols and definitions, refer to the detailed implementation in Section 3.1 (Symbols and Definitions).
• Extract: Given the system’s master public key $mpk$, master private key $msk$, and user information $I{D}_a$, the KGC randomly selects $l\in Z_n^{*}$, computes the partial user private key $L=lP$, and the intermediate variable $h=H(I{D}_a\Vert L)$. The partial user private key d is calculated as $d=l+xhmodn$. The algorithm outputs the user’s private key $sk=(L,d)$.
• Sign: Given the system’s master public key $mpk$, the user’s private key $sk=(L,d)$, and the message m, the signer computes the user’s distinguishable identifier $Z_a=H_o(\mathrm{ENTLA}\Vert I{D}_a\Vert a\Vert b\Vert x_p\Vert y_p\Vert x_L\Vert y_L)$ and the hash value $e=H_v(Z_a\Vert m)$, where $ENTLA$ is the bit length of $I{D}_a$, and $(x_p,y_p)$ and $(x_L,y_L)$ are the coordinates of $Pr$ and L, respectively. A random $k\in Z_n^{*}$ is selected, and the elliptic curve point $K=kP=(x_K,y_K)$ and the partial signature $r=(e+x_K)modn$ are computed. If $r=0$ or $r+k=n$, a new k is selected and the calculations are repeated. Otherwise, the partial signature $s={(1+d)}^{-1}(k-rd)modn$ is computed. If $s\ne 0$, the algorithm outputs the message m and the signature $\sigma =(L,r,s)$.
• Verify: Given the system’s master public key $mpk$, user information $I{D}_a$, message m, and the signature to be verified $\sigma =(L,r,s)$, if $r,s\notin Z_n^{*}$, the verifier (which may be the signature holder or others) outputs 0. Otherwise, it computes $t=r+smodn$. If $t=0$, it outputs 0. Otherwise, the verifier computes $Z_a=H_o(\mathrm{ENTLA}\Vert I{D}_a\Vert a\Vert b\Vert x_p\Vert y_p\Vert x_L\Vert y_L)$, $h\prime =H(I{D}_a\Vert L)$, $e\prime =H_v(Z_a\Vert m)$, $K\prime =sP+t(L+h\prime P_{pub})=(x_K\prime ,y_K\prime )$, and $r\prime =(e\prime +x_K\prime )modn$. If $r\prime =r$, the algorithm outputs 1 to denote the validity of the signature; in contrast, it outputs 0 to denote the invalidity of the signature.
• DGenr: Given the system public key mpk, it randomly selects ${\mathrm{sk}}_v\in {\mathbb{Z}}_n{\prime }^{*}$ and computes ${\mathrm{pk}}_v={\mathrm{sk}}_{v}P$. The algorithm outputs the designated verifier $Vr$’s private key and public key $({\mathrm{sk}}_v,{\mathrm{pk}}_v)$. The public key parameters of the designated verifier and ${\mathrm{pk}}_v$ are published, while ${\mathrm{sk}}_v$ is kept by $Vr$.
• DVerf: In this protocol, the signature owner $Pr$ proves to the designated verifier $Vr$ that they possess a signature $\sigma$ that can be verified or that they possess $Vr$’s private key $s{k}_v$. If $Vr$ has not leaked $s{k}_v$, they will believe that $Pr$ has a valid $\sigma$, but cannot disclose this fact to a third party (because $Vr$, who possesses $s{k}_v$, can forge the related proof). First, $Pr$ selects a hash function $H_n:Z_n^{*}\to Z_n{\prime }^{*}$ based on $Vr$’s public key parameters. $Pr$ and $Vr$ then execute the following protocol:

  1.

  First, $Pr$ computes $h=H(\mathrm{ID}a\Vert L)$, $T=L+h{P}_{\mathrm{pub}}$ and $K=sP+(r+s)T$. Then, $Pr$ randomly selects $\alpha \in Z_n^{*}$, $\beta ,w\in Z_{n\prime }^{*}$, and $R\in G$, and computes $D_1=R-\alpha P-\alpha T$ and $D_2=\beta P+wp{k}_v$

  2.

  $Pr$ obtains $c=H_c(D_1,D_2,I{D}_a,p{k}_v)$.

  3.

  $Pr$ designates $c_1=c-H_n\left(w\right)$ and $c_2=w$, then computes $Z_K=R-c_{1}K$, $z_a=\alpha -c_{1}s$, and $z_b=\beta$. The proof $\widehat{s}=(c_1,c_2,Z_K,z_a,z_b)$ is then formed. Subsequently, $Pr$ sends $(L,r,\widehat{s})$ and the hash function $H_n$ to $Vr$.

  4.

  V computes: $h^{\prime }=H(IDa\Vert L)$, $T^{\prime }=L+h{P}_{\mathrm{pub}}$ then $D_1\prime =Z_K-z_{a}P-z_a{T}^{\prime }+c_{1}r{T}^{\prime }$, $D_2\prime =z_{b}P+c_{2}p{k}_v$, $c=H_c(D_1,D_2,I{D}_a,p{k}_v)$. If $D_1\prime =D_1$, $D_2\prime =D_2$, and $c_1+H_n\left(c_2\right)=c$, then it outputs 1 to indicate acceptance; otherwise, it outputs 0.

5.2. Security Analysis

This section will show that the constructed interactive ID-based UDVSP system constructed from SM2 can achieve the anticipated security properties. Based on the security framework introduced by Baek et al. [5], a UDVSP scheme must satisfy two critical security requirements: existential unforgeability under adaptive chosen message and identity attacks (EUF-CM-ID-A), and resistance to impersonation attacks (R-IM).

As in the previous section, this section focuses exclusively on analyzing the security of the UDVSP system against impersonation attacks.

Theorem 3.

If the identity-based digital signature based on SM2 has the property of EUF-CM-GID-A, and the elliptic curve discrete logarithm problem (ECDLP) is intractable, then the UDVSP has the property of R-IM-TYPE-2.

Proof. 

This section will illustrate that the constructed non-interactive identity-based UDVSP system based on SM2 can hold the anticipated security properties. The ID-based digital signature EUF-CM-GID-A based on SM2 has been verified by Lin et al. [13], and Chen et al. [9] have demonstrated that without signature conversion (Tran), due to the zero-knowledge property of the $\mathsf{\Sigma }$ protocol, Type 1 impersonation attacks are equivalent to Type 2 impersonation attacks. Hence, this paper only needs to prove that the UDVSP system satisfies R-IM-TYPE- 2.

First, B sends $cp,p{k}_v$ and $mpk$ to A, and calls A to obtain the hash functions $H_n=Z_n^{\prime *}\to Z_n^{*}$ and $H_c:(D,D,{\{0,1\}}^{*},D)\to Z_n^{*}$. Then, B and A execute the DVerf protocol to obtain the commitment value, challenge value, and proof values $(D_1,D_2,c_1,c_2,Z_K,z_a,z_b)$. B computes $h=H(I{D}_a\Vert L)$ and verifies $D_1=Z_K-z_{a}P-z_a(L+h{P}_{pub})+c_{1}r(L+h{P}_{pub})$, $D_2=z_{b}P+c_{2}p{k}_v$, $H_n(D_1,D_2,I{D}_a,p{k}_v)=c=c_1+H_n\left(c_2\right)$. If this does not hold, B terminates the current interaction. Otherwise, B calls A again, and B obtains the challenge value and proof values $(D_1,D_2,c_1^{\prime },c_2^{\prime },Z_K^{\prime },z_a^{\prime },z_b^{\prime })$. If $D_1=Z_K^{\prime }-z_a^{\prime }P-z_a^{\prime }(L+h{P}_{pub})+c_1^{\prime }r(L+h{P}_{pub})$, $D_2=z_b^{\prime }P+c_2^{\prime }p{k}_v$, $H_c(D_1,D_2,I{D}_a,p{k}_v)=c_1^{\prime }=c_1^{\prime }+H_n\left(c_2^{\prime }\right)$ holds, then B can compute $s=(z_a-z_a^{\prime })·\tau modn$, $K=\tau (Z_K-Z_K^{\prime })$ or $s{k}_v=(z_b-z_b^{\prime })·\tau modn$. Here, $\tau ={(c-c^{\prime })}^{-1}$, which can be solved using the extended Euclidean algorithm. B can recover $\sigma =(L,r,s)$, and finally output the forged message–signature pair $(m,\sigma =(L,r,s\left)\right)$ or obtain the discrete logarithm $s{k}_v$ of the ECDLP instance $p{k}_v=s{k}_v{P}^{\prime }$. This contradicts the EUF-CM-GID-A property of the identity-based digital signature based on SM2 and the computational hardness of ECDLP; thus, UDVSP has the property of R-IM-TYPE-2. □

6. Performance Evaluation

Firstly, an analytical study of the calculation and communication consumptions of our scheme is presented in this section, along with a comparison to prevalent existing solutions such as UDVSP [2,5] and UDVS [18,19]. The study is based on a theoretical analysis, where we calculate the total cost by summing up every operation involved in the schemes. The cost of each operation was measured through 10,000 practical tests on our hardware, with average execution times calculated to estimate the ideal performance of the schemes. Unlike practical analysis, operations that need to be executed only once (e.g., system initialization) and extremely low consumption computation (e.g., if statements) are not accounted for in this theoretical model, which may lead to some discrepancies compared to the actual execution results.

In this context, the two key-producing procedures within UDVS systems are both considered in KGen, and the focus regarding communication overheads lies primarily on the IVerf interactive protocol. As illustrated in

Table 2. Theoretical performance comparison results.

Scheme	Computation/ms					Communication/B
	UKGen	USign	UVerf	UTran	UIVerf	UIVerf
UDVSP-1 [5]	$T_{g1sm}$	$T_{h2p}$ + $T_{g1sm}$	2$T_{bp}$ + $T_{h2p}$	$T_{g1sm}$	2$T_{bp}$ + $T_{mm}$ + $T_{ma}$ + 2$T_{ebp}$ + $T_{mbp}$ + $T_{h2p}$	$|G_T|+2|Z_n|$
UDVSP-2 [5]	2$T_{g2sm}$	$T_{g1sm}$ + $T_{mi}$+ $T_{mm}$ + 2$T_{ma}$	2$T_{bp}$ + 2$T_{g2sm}$ + 2$T_{g2pa}$	$T_{g1sm}$	2$T_{bp}$ + 2$T_{g2sm}$ + 2$T_{g2pa}$ + $T_{ebp}$ + $T_{mm}$ + $T_{ma}$ + 2$T_{ebp}$ + $T_{mbp}$	$|G_T|+2|Z_n|$
UDVS-1 [18]	4$T_{g1sm}$	3$T_{g1sm}$ + 2$T_{g1pa}$ + $T_{mm}$	$T_{g1sm}$ + $T_{g1pa}$ + 3$T_{bp}$ + $T_{mbp}$	2$T_{g1sm}$ + $T_{mm}$ + 3$T_{g1pa}$ + $T_{bp}$	2 $T_{g1sm}$ + $T_{g1pa}$ + 2$T_{bp}$ + $T_{mbp}$ + 2$T_{ebp}$	$|G_T|+|G_1|$
UDVS-2 [19]	2$T_{g1sm}$	5$T_{g1sm}$ + 3$T_{g1pa}$	2$T_{g1sm}$ + 3$T_{g1pa}$+ 3$T_{bp}$ + $T_{mbp}$	$T_{bp}$	2$T_{g1sm}$+ 3$T_{g1pa}$ + 2$T_{bp}$+ $T_{mbp}$ + 2$T_{ebp}$	$|G_T|+|G_1|$
UDVSP-3 [2]	$T_{g1sm}$	$T_{g1sm}$ + $T_{mi}$ + $T_h$ + 2$T_{mm}$ + 2$T_{ma}$	2$T_{g1sm}$ + $T_{g1pa}$ + 2$T_{ma}$ + $T_h$	3$T_{ma}$ + $T_h$	14$T_{g1sm}$ + 13$T_{g1pa}$ + 7$T_{mm}$ + 3$T_{ma}$ + $T_h$	$2|G_1|+3|Zn|$
Our UDVSP-1	$T_{g1sm}$ + $T_h$ + $T_{ma}$ + $T_{mm}$	$T_{g1sm}$ + $T_{mi}$ + 2$T_h$ + 2$T_{ma}$ + 2$T_{mm}$	3$T_{g1sm}$ + 2$T_{g1pa}$ + 2$T_{ma}$ + 3$T_h$	3$T_{ma}$ + 2$T_h$	16$T_{g1sm}$ + 15$T_{g1pa}$ + 7$T_{mm}$ + 3$T_{ma}$ + 3$T_h$	$2|G_1|+3|Zn|$
Our UDVSP-2	$T_{g1sm}$ + $T_h$ + $T_{ma}$ + $T_{mm}$	$T_{g1sm}$ + $T_{mi}$ + 2$T_h$ + 2$T_{ma}$ + 2$T_{mm}$	3$T_{g1sm}$ + 2$T_{g1pa}$ + 2$T_{ma}$ + 3$T_h$	$T_{ma}$	15$T_{g1sm}$ + 10$T_{g1pa}$ + 7$T_{mm}$ + 4$T_{ma}$ + 6$T_h$	$4|G_1|+5|Zn|$

, compared to existing UDVSP/UDVS schemes, our schemes exhibit optimized computational consumptions and communication overheads. This advantage stems from the elimination of the laborious bilinear map operation and hash function for mapping to a point in our scheme.

Lin et al. [2] developed a prototype for each operation within these comparable schemes to acquire the empirical effectiveness. The execution was carried out on a laptop computer equipped with an i7-9750H 2.59 GHz processor, 16 GB of memory, and the Windows 10 operating system. The cryptographic library used was the MIRACL library (a widely used cryptographic library, version 7.0). In particular, they utilized the BLS (Boneh–Lynn–Shacham) curve with an ate pairing embedding degree of 24, which is highly suitable for the security level AES-256. As a result, the sizes of the elements in Zq, G1, G2, and GT are 64 bytes, 160 bytes, 640 bytes, and 1920 bytes, respectively. The corresponding notations and execution times are presented in

Table 3. Symbol definition and time cost.

Notation	Description	Time/ms	Notation	Description	Time/ms
$T_{g1pa}$	A point addition in $G_1$	0.165954	$T_{bp}$	A bilinear pairing $G_T$	820.32
$T_{g1sm}$	A scale multiplication in $G_1$	35.3111	$T_{ebp}$	A exponentiation in $G_T$	689.273
$T_{g2pa}$	A point addition in $G_2$	0.63289	$T_{mbp}$	A multiplication in $G_T$	2.05855
$T_{g2sm}$	A scale multiplication in $G_2$	206.575	$T_{mi}$	A modular inversion in $Z_{n^{*}}$	0.05023
$T_h$	A general hash function	0.00576	$T_{mm}$	A modular multiplication in $Z_{n^{*}}$	0.01231
$T_{h2p}$	A map-to-point hash function	17.1464	$T_{ma}$	A modular add in $Z_{n^{*}}$	0.00271

. According to the test results of various cryptographic operations (Table 3), the actual computational overhead and communication costs can be analyzed and compared (Figure 4).

Through theoretical analysis, the proposed Our UDVSP-1 and Our UDVSP-2 schemes reduce computational overhead by at least 85.55% compared to other schemes (except UDVSP-3). Although their computational cost is 1.1625 times higher than UDVSP-3, this is acceptable, as they avoid the complex public key certificate management required by UDVSP-3.

In terms of communication overhead, Our UDVSP-1 (512 bytes) and Our UDVSP-2 (960 bytes) significantly outperform UDVSP-1/UDVSP-2 (2048 bytes) and UDVS-1/UDVS-2 (2080 bytes). Overall, the proposed schemes offer a balanced improvement in efficiency and practicality.

7. Conclusions

Although Lin et al.’s scheme addresses the issue that existing UDVSP schemes all involve, such as highly time-consuming bilinear pairing operations, their scheme still suffers from the cumbersome certificate management problem and the drawbacks brought about by the interactive protocol. To address these issues, we first propose the ID-based UDVSP system based on the ID-based SM2 digital signature scheme to eschew the intricate certificate management procedures. Moreover, we construct non-interactive ID-based UDVSP by using the OR proof and Fiat–Shamir technologies. Our work not only exhibits the same bilinear pairing-free merit as the proposition of Lin et al. [2], but also fulfills the goal of certificate-free or non-interactive verification.

Although our ID-based UDVSP systems show improvements over existing schemes, they are limited to achieving certificate-free operation or non-interactive verification separately, rather than both simultaneously. Future work will focus on developing an efficient scheme that combines both features.

Furthermore, the ID-based digital signature based on SM2 employed in this scheme is based on the elliptic curve discrete logarithm problem (ECDLP), whose long-term security is potentially vulnerable to attacks by quantum computers. To address the threat posed by quantum computing, future work will consider adopting post-quantum cryptographic techniques to enhance the security of the scheme.