
Efficient Identity-Based Universal Designated Verifier Signature Proof Systems

1 College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350117, China
2 School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
3 Network and Data Center, Fujian Normal University, Fuzhou 350117, China
4 College of Education Sciences, Hong Kong University of Science and Technology (Guangzhou), Guangzhou 511455, China
* Author to whom correspondence should be addressed.
Mathematics 2025, 13(5), 743; https://doi.org/10.3390/math13050743
Submission received: 16 January 2025 / Revised: 19 February 2025 / Accepted: 20 February 2025 / Published: 25 February 2025
(This article belongs to the Special Issue Advances in Mathematics Computation for Software Engineering)

Abstract
The implementation of universal designated verifier signature proofs (UDVSPs) enhances data privacy and security in various digital communication systems. However, practical applications of UDVSP face challenges such as high computational overhead, onerous certificate management, and complex public key initialization. These issues hinder the adoption of UDVSP in daily life. To address these limitations, an existing solution eliminates bilinear pairing operations, but it still involves cumbersome certificate management and inherently interactive operations that can significantly degrade system efficiency. In this paper, we first utilize the identity-based (ID-based) SM2 digital signature scheme to construct an ID-based UDVSP system, which sidesteps the cumbersome certificate management issue. To further remove the interactive requirement, we also employ the OR proof and Fiat–Shamir techniques to design a second ID-based UDVSP system. Our designs not only possess the same bilinear pairing-free advantage as Lin et al.’s proposal, but also achieve the certificate-free or non-interactive goals. Security proofs and performance analysis confirm the viability and efficiency of our systems.

1. Introduction

In modern society, with the widespread application of digital signatures, protecting the privacy of signers has become a major concern for researchers. To address this issue, universal designated verifier signatures (UDVSs) were proposed by Steinfeld et al. in Asiacrypt 2003 [1]. UDVSs ensure that the designated verifier has the ability to verify digital signatures, while preventing the verifier from conveying the reliability of the signature to anyone else. This characteristic makes it suitable for scenarios where only a few specifically designated verifiers are required for signature verification. As an illustration, in the realm of e-government, government departments can utilize UDVSs to provide a proof of confidential information to relevant staff members as required for their work. However, these personnel are unable to convince third parties of the authenticity of this confidential information. This mechanism is critical to prevent malicious dissemination of confidential information. There are numerous such application scenarios, including electronic voting systems, electronic medical records, and electronic income certificates.
Universal designated verifier signature proof (UDVSP), as an enhanced variant of UDVS, eliminates the requirement for designated verifiers to generate their public/private key pairs using parameters that are predefined by signers. However, UDVSP systems still encounter several inherent limitations, including the need for complex public key certificate management, computationally intensive bilinear pairing operations, and the inherent constraints of interactive protocols. While Lin et al. [2] proposed a UDVSP scheme that eliminates the need for bilinear pairings, their solution still grapples with the persistent challenges of cumbersome certificate management and the limitations imposed by interactive protocols.
Motivated by the problems of the UDVSP schemes mentioned above, we construct ID-based UDVSP systems that are engineered to simultaneously resolve the four aforementioned issues. Firstly, using the ID-based SM2 digital signature scheme, we build an ID-based UDVSP system which avoids the complex issue of certificate management. To further dispense with the need for interactivity, we make use of the OR proof and Fiat–Shamir methodologies to design an alternative ID-based UDVSP system. These schemes possess not only the same bilinear pairing-free advantage as the proposal by Lin et al. [2], but also attain the certificate-free or non-interactive objective. Moreover, we analyze the security and performance of the two schemes.
The subsequent content presents the layout of the remaining part of this paper: Some related work is introduced in Section 2. Some methodologies are introduced in Section 3. Section 4 provides our interactive ID-based UDVSP system along with its security analysis. In Section 5, our non-interactive ID-based UDVSP system and its corresponding security analysis are detailed. Section 6 is dedicated to conducting a performance analysis of the two schemes. Finally, Section 7 contains the conclusions.

2. Related Work

To protect the signer’s privacy and prevent signatures from being verified by unauthorized third parties, the undeniable signature scheme was proposed by Chaum and Antwerpen in 1990 [3]. In this scheme, the verifier must collaborate with the signer to verify the signature, which is equivalent to the signer having the power to decide who can verify the signature. However, the undeniable signature scheme is limited by the requirement of reciprocal communication, which poses a significant drawback.
In order to avoid interactive communication between signer and verifier, in 1996, Jakobsson et al. [4] introduced the designated verifier signature (DVS) schemes. In the DVS scheme, the signer generates the DVS by incorporating the public key of the designated verifier. This eliminates the need for the signer to assist in the verification process. The designated verifier is not only able to validate the DVS but can also generate an indistinguishable DVS using the same private key. This latter property, known as transcript simulation, ensures that the verifier cannot convince a third party by transferring the proof, thereby achieving the same objective as the undeniable signature scheme.
Subsequently, Steinfeld et al. [1] proposed UDVS in 2003, which is regarded as an extended variant of DVS. Unlike DVS, in the UDVS scheme, the signer and the signature holder can be different individuals. This means that anyone in possession of an ordinary signature (not limited to the original signer) can convert the signature into a designated one for a specific verifier.
Nevertheless, in Asiacrypt 2005, Baek et al. [5] indicated that in this UDVS scheme, the designated verifier is required to create a public/private key pair by using the parameters set by the signer. This is impractical in certain scenarios. In certificate-based (CA-based) public key systems, regenerating public/private key pairs entails cumbersome public key certificate management and results in significant computational overhead. Even in certificateless systems, where the overhead of regenerating key pairs is relatively smaller, it still places an additional burden on the verifier. If the verifier has already generated public/private key pairs with public key parameters different from those set by the signer, it is unlikely that they will generate another key pair just for verifying a signature. Baek et al. [5] proposed the universal designated verifier signature proof (UDVSP) to circumvent the issue of key initialization by the verifier. In contrast to UDVS, UDVSP employs an interactive protocol with the designated verifier to demonstrate the validity of a signature. Therefore, the verifier’s key pairs play no role in this particular proof, which eliminates the need for the verifier to reinitialize a key.
Interestingly, with the introduction of the UDVSP, a new issue has emerged. The application of the interactive protocol in UDVSP can sometimes lead to a substantial decrease in the efficiency of the system. Specifically, interactive proofs necessitate that both parties be online concurrently. If either party is offline or in a network environment with high latency, it will incur additional time spent waiting and more communication overhead due to the need to resend messages.
Beyond the problem of interactive proofs, the onerous management of public key certificates is also an issue of widespread concern. The UDVS/UDVSP schemes of Steinfeld et al. [1,5,6] are all constructed under CA-based systems. To be more specific, these schemes involve cumbersome certificate processes, including application, issuance, query, and revocation. As a direct consequence, this gives rise to a significant amount of overhead. In contrast, ID-based systems [7] streamline the key management process while ensuring a moderate level of security. This makes them a favorable substitute for CA-based systems. In light of this, Zhang et al. [8] constructed an ID-based UDVS in 2005. Subsequently, Chen et al. [9] introduced an ID-based UDVSP in 2008. These schemes allow UDVS and UDVSP to avoid the complex certificate management process.
In addition to the above-mentioned issues, the substantial computation cost associated with UDVS/UDVSP is also not something that can be overlooked. As Lin et al. [2] point out, existing UDVSP schemes [5,9] involve time-consuming bilinear pairing operations (one bilinear pairing operation on a mobile terminal takes about 32 ms, which is approximately 9 times the time demanded by an elliptic curve multiplication operation [10]). In order to reduce the computational overhead of UDVSP, Lin et al. [2] designed a UDVSP scheme based on the Chinese cryptographic SM2 algorithm. This scheme eschews bilinear pairing operations and instead makes use of operations on elliptic curves. This approach enhances the computational efficiency of the scheme. However, it is still constructed under CA-based public key systems. Moreover, it is encumbered with the intricacies and challenges inherent to the interactive protocol.

3. Methodology

3.1. Symbols and Definitions

Table 1 lists the symbols and definitions involved.

3.2. The ID-Based Digital Signature Based on SM2

The SM2 digital signature algorithm is a component of elliptic curve-based key cryptography algorithms. This algorithm was released by the Chinese National Cryptography Administration (see “SM2 Public Key Cryptographic Algorithms Based on Elliptic Curves”, China’s State Cryptography Administration, December 2010 [11]).
The ID-based digital signature based on SM2 [12] is an improved algorithm derived from the SM2 digital signature. Compared with the SM2 digital signature, the ID-based digital signature based on SM2 utilizes identity information to create the user’s private key. Its application and management do not revolve around digital certificates. Consequently, this obviates the necessity of managing and maintaining public key certificates and circumvents time-consuming procedures. The ID-based digital signature based on SM2 consists of four steps: setup, extract, sign, and verify. The process of the scheme is as shown in Figure 1.
(1) Setup: With the security parameter $\lambda$ provided, the key generation center (KGC) randomly selects a large prime number $q$ and determines a non-singular elliptic curve $E: y^2 = x^3 + ax + b \bmod q$ (where $a, b \in \mathbb{Z}_q^*$). From all the points on $E$ (including the point at infinity), select a cyclic group $G$ of prime order $n$ and a generator $P \in G$. Choose three secure hash functions $H: \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_n^*$, $H_v: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^v$, and $H_o: \{0,1\}^* \to \{0,1\}^{256}$. Randomly select $x \in \mathbb{Z}_n^*$ and generate the partial system public key $P_{pub} = xP$. The algorithm outputs the system public key $mpk = (E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ and the master private key $msk = x$.
(2) Extract: Given $mpk$, $msk$, and user information $ID_a$, the KGC randomly selects $l \in \mathbb{Z}_n^*$ and computes the partial user private key $L = lP$ and the intermediate variable $h = H(ID_a \| L)$. The partial user private key $d$ is calculated as $d = l + xh \bmod n$. The algorithm outputs the user’s private key $sk = (L, d)$.
(3) Sign: Given $mpk$, $sk = (L, d)$, and the message $m$, the signer computes the user’s distinguishable identifier $Z_a = H_o(ENTLA \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$ and its hash value $e = H_v(Z_a \| m)$, where $ENTLA$ is the bit length of $ID_a$, and $(x_p, y_p)$ and $(x_L, y_L)$ are the coordinates of $P$ and $L$, respectively. Select a random number $k \in \mathbb{Z}_n^*$, then compute the elliptic curve point $K = kP = (x_K, y_K)$ and the partial signature $r = (e + x_K) \bmod n$. If $r = 0$ or $r + k = n$, select a new $k$ and repeat the calculations. Otherwise, compute the partial signature $s = (1 + d)^{-1}(k - r \cdot d) \bmod n$. If $s \neq 0$, the algorithm outputs the message–signature pair $m$ and $\sigma = (L, r, s)$.
(4) Verify: Given $mpk$, $ID_a$, $m$, and the signature to be verified $\sigma = (L, r, s)$: if $r, s \notin \mathbb{Z}_n^*$, the verifier outputs 0. Otherwise, the verifier computes $t = r + s \bmod n$. If $t = 0$, the verifier outputs 0. If $t \neq 0$, the following series of computations is carried out. First, compute $Z_a = H_o(ENTLA \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$. Then, calculate $h = H(ID_a \| L)$. Next, determine $e = H_v(Z_a \| m)$. After that, obtain $K' = sP + t(L + hP_{pub}) = (x_{K'}, y_{K'})$. Finally, calculate $r' = (e + x_{K'}) \bmod n$. If $r' = r$, the algorithm outputs 1 to denote the validity of the signature; otherwise, it outputs 0 to denote the invalidity of the signature.
The ID-based digital signature algorithm based on SM2 satisfies correctness and existential unforgeability under adaptively chosen message attacks (EUF-CMA) [13].

3.3. Zero-Knowledge Proof, Σ-Protocol and Its OR Construction

Suppose the interactive protocol $\Pi$ consists of two entities, a prover $P_r$ and a verifier $V_r$. $P_r$ can convince $V_r$ about the binary relation $R = \{(x, w)\} \subseteq \{0,1\}^* \times \{0,1\}^*$ (where $x$ and $w$ refer to the instance and the witness, respectively). If the protocol $\Pi$ meets the requirements of completeness and soundness, it is called a proof of knowledge system. Additionally, if $\Pi$ further satisfies honest verifier zero-knowledge (HVZK), then it is known as an interactive honest verifier zero-knowledge proof system [14,15].
The Σ-protocol is an interactive three-move zero-knowledge proof system. Assume $P_r$ and $V_r$ execute the OR proof [16] and obtain the result $(a_0, a_1, c, c_0, c_1, z_0, z_1)$: $P_r$ chooses a challenge $c_{1-b}$, where $b = 0$ or $1$, and the other challenge $c_b = c - c_{1-b}$ is determined by $V_r$’s random challenge $c$. The commitment and response $(a_0, a_1, z_0, z_1)$ are generated by $P_r$ using the private witness $w$ based on $c_0, c_1$. The completeness of the Σ-protocol means that if the verification function satisfies $\phi(a_0, a_1, c, c_0, c_1, z_0, z_1) = 1$, then $V_r$ accepts $(a_0, a_1, c, c_0, c_1, z_0, z_1)$. Special soundness means that given two valid tuples $(a, c, z)$ and $(a, c', z')$ with $c \neq c'$, one can recover $P_r$’s witness $w$. Special HVZK means that given $V_r$’s random challenge $c$, there is a probabilistic polynomial-time (PPT) simulator $SI$ that can interact with $V_r$ to output a valid tuple $(a_0', a_1', c, c_0', c_1', z_0', z_1')$. Assume the real interaction between $P_r$ and $V_r$ outputs $(a_0, a_1, c, c_0, c_1, z_0, z_1)$; then $(a_0, a_1, c, c_0, c_1, z_0, z_1)$ and $(a_0', a_1', c, c_0', c_1', z_0', z_1')$ are indistinguishable.
The OR proof [16] is a fundamental construction of the Σ-protocol. It allows $P_r$ to prove that for two computational problems $x_0$ and $x_1$, $P_r$ knows the witness $w$ for one of the problems, such that either $(x_0, w) \in R$ or $(x_1, w) \in R$, without disclosing which one.
The last property of the OR proof is known as witness indistinguishability (WI). This property sets it apart from other Σ-protocols. To elaborate, $P_r$ might know which one of several distinct values of $w$ would enable them to successfully complete the protocol. However, for an arbitrary $V_r$, it is impossible to determine which of these possible values $P_r$ actually knows merely from the conversation.
The Σ-protocol can be changed into a non-interactive instance through the Fiat–Shamir heuristic [17]. However, using the normal Σ-protocol to construct a non-interactive scheme will undermine the non-transferable privacy property of the UDVS. Therefore, we utilize the OR proof to construct our scheme, leveraging the WI property of the OR proof. In the non-interactive form of the OR proof, $P_r$ computes $(a_0, a_1)$ and $c_{1-b}$, and then directly calls $c = H(x, a)$ to obtain the challenge value $c$ and determine $c_b$. Using the private witness $w$, $P_r$ then computes $(z_0, z_1)$ and finally sends $(a_0, a_1, c, c_0, c_1, z_0, z_1)$ to $V_r$. The non-interactive protocol obtained through the Fiat–Shamir transformation still satisfies the properties of the interactive form [17].

4. Interactive ID-Based UDVSP Based on SM2 Digital Signature

4.1. The Proposed System

The interactive ID-based UDVSP scheme is constructed from ID-based SM2 signatures and the Σ-protocol. Specifically, it is formed by five algorithms and one protocol. The process of the scheme is as shown in Figure 2.
  • Setup: Provided the security parameter $\lambda$, the KGC randomly picks a large prime number $q$ and determines a non-singular elliptic curve $E: y^2 = x^3 + ax + b \bmod q$ (where $a, b \in \mathbb{Z}_q^*$). Among all the points on $E$ (including the point at infinity), a cyclic group $G$ of prime order $n$ and a generator $P \in G$ are selected. Secure hash functions are chosen as follows: $H: \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_n^*$, $H_v: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^v$, and $H_o: \{0,1\}^* \to \{0,1\}^{256}$. Here, $H_v(\cdot)$ and $H_o(\cdot)$ are secure cryptographic hash functions. A random $x \in \mathbb{Z}_q^*$ is selected, and the partial system public key is computed as $P_{pub} = xP$. The algorithm outputs the system public key $mpk = (E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ and the master private key $msk = x$. This scheme is built on the ID-based SM2 digital signature, so it uses the same system parameters as that signature. For the parameter symbols and definitions, refer to Section 3.1 (Symbols and Definitions).
  • Extract: Given the system’s master public key $mpk$, master private key $msk$, and user information $ID_a$, the KGC randomly selects $l \in \mathbb{Z}_n^*$, computes the partial user private key $L = lP$, and the intermediate variable $h = H(ID_a \| L)$. The partial user private key $d$ is calculated as $d = l + xh \bmod n$. The user’s private key $sk = (L, d)$ is output.
  • Sign: Given the system’s master public key $mpk$, the user’s private key $sk = (L, d)$, and the message $m$, the signer computes the user’s distinguishable identifier $Z_a = H_o(ENTLA \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$ and the hash value $e = H_v(Z_a \| m)$, where $ENTLA$ is the bit length of $ID_a$, and $(x_p, y_p)$ and $(x_L, y_L)$ are the coordinates of $P$ and $L$, respectively. A random $k \in \mathbb{Z}_n^*$ is selected, then the elliptic curve point $K = kP = (x_K, y_K)$ and the partial signature $r = (e + x_K) \bmod n$ are computed. If $r = 0$ or $r + k = n$, a new $k$ is selected and the calculations are repeated. Otherwise, the partial signature $s = (1 + d)^{-1}(k - r \cdot d) \bmod n$ is computed. If $s \neq 0$, the algorithm outputs the message $m$ and the signature $\sigma = (L, r, s)$.
  • Verify: Given the system’s master public key $mpk$, user information $ID_a$, message $m$, and the signature to be verified $\sigma = (L, r, s)$: if $r, s \notin \mathbb{Z}_n^*$, the verifier (which may be the signature holder or others) outputs 0. Otherwise, it computes $t = r + s \bmod n$. If $t = 0$, the verifier outputs 0. Otherwise, it computes $Z_a = H_o(ENTLA \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$, $h = H(ID_a \| L)$, $e = H_v(Z_a \| m)$, $K' = sP + t(L + hP_{pub}) = (x_{K'}, y_{K'})$, and $r' = (e + x_{K'}) \bmod n$. If $r' = r$, the algorithm outputs 1 to denote the validity of the signature; otherwise, it outputs 0 to denote the invalidity of the signature.
  • Tran: Given the system public key $mpk$, user information $ID_a$, message $m$, and the signature $\sigma = (L, r, s)$, the signature holder randomly selects $a_r, b_r \in \mathbb{Z}_n^*$ and computes $Z_a = H_o(ENTLA \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$, $e = H_v(Z_a \| m)$, $\hat{r} = r + a_r - e \bmod n$, and $\hat{s} = s + b_r \bmod n$. The algorithm outputs the transformed signature $\hat{\sigma} = (L, \hat{r}, \hat{s})$ and the transformation key $tk = (a_r, b_r)$.
  • IVerf: Provided the system public key $mpk$, user information $ID_a$, and the transformed signature $\hat{\sigma}$, the signature owner $P_r$ additionally takes the transformation key $tk$ and the signature $\sigma$ as input. The signature owner $P_r$ and the designated verifier $V_r$ perform the following interaction:
    • $P_r$ first computes $h = H(ID_a \| L)$, $T = hP_{pub}$, and $K = sP + (r + s)(L + T)$. Then, $P_r$ randomly selects $\alpha, \beta \in \mathbb{Z}_n^*$ and $R \in G$, and computes the commitment value $D = R + \beta P + \alpha(L + hP_{pub}) + \beta(L + hP_{pub})$. Finally, $P_r$ sends $D$ to $V_r$.
    • $V_r$ randomly selects a challenge value $c \in \mathbb{Z}_n^*$ and returns $c$ to $P_r$.
    • $P_r$ calculates the response to the challenge $Z_K = R - cK$, $z_a = \alpha - c \cdot a_r \bmod n$, $z_b = \beta - c \cdot b_r \bmod n$, and sends $(Z_K, z_a, z_b)$ to $V_r$.
    • $V_r$ calculates $e = H_v(Z_a \| m)$, $h = H(ID_a \| L)$, $T = L + hP_{pub}$, and $D' = Z_K + z_b P + z_a T + z_b T + c(\hat{s}P + \hat{r}T + eT + \hat{s}T)$. If $D' = D$, $V_r$ outputs 1, indicating acceptance; otherwise, $V_r$ outputs 0.
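As an added example (not code from the paper or from any SM2 library), the following Python implements the ID-based SM2 signature of Section 3.2 together with the Tran and IVerf protocol of this section over the sm2p256v1 curve, and checks that a transformed signature no longer verifies as an ordinary signature while the interactive proof does and fails for a holder without the right transformation key. The hash functions $H$, $H_v$, $H_o$ are instantiated with SHA-256 and $ENTLA$ as a 16-bit length, which are assumptions the paper does not fix; all helper names are mine.

```python
import hashlib, secrets

# SM2 recommended curve sm2p256v1 (GM/T 0003-2012): the paper's (E, a, b, q, n, P)
Q = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
P = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % Q == 0: return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)
def ec_mul(k, pt):  # double-and-add; scalars reduced mod n, the order of P
    acc, k = None, k % N
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def ec_sub(p1, p2): return ec_add(p1, None if p2 is None else (p2[0], -p2[1] % Q))
def i2b(v): return v.to_bytes(32, "big")
def pt_bytes(pt): return i2b(pt[0]) + i2b(pt[1])
def rand_zn(): return secrets.randbelow(N - 1) + 1  # uniform in Z_n^*

# Hash instantiations are assumptions: the paper leaves H, H_v, H_o abstract (SM2 uses SM3).
def H(ida, L):  # H: {0,1}^* x {0,1}^* -> Z_n^*, used for h = H(ID_a || L)
    return int.from_bytes(hashlib.sha256(ida + pt_bytes(L)).digest(), "big") % (N - 1) + 1
def Za(ida, L):  # Z_a = H_o(ENTLA || ID_a || a || b || x_P || y_P || x_L || y_L)
    entla = (8 * len(ida)).to_bytes(2, "big")  # 16-bit ENTLA as in SM2 (assumption)
    return hashlib.sha256(entla + ida + i2b(A) + i2b(B) + pt_bytes(P) + pt_bytes(L)).digest()
def e_val(ida, L, m):  # e = H_v(Z_a || m), read as an integer
    return int.from_bytes(hashlib.sha256(Za(ida, L) + m).digest(), "big")

def setup():  # KGC: returns (mpk = P_pub, msk = x)
    x = rand_zn()
    return ec_mul(x, P), x
def extract(ppub, x, ida):  # KGC: sk = (L, d) with L = lP, d = l + x*h mod n
    l = rand_zn()
    L = ec_mul(l, P)
    return L, (l + x * H(ida, L)) % N
def eff_pk(ppub, ida, L):  # L + h*P_pub = d*P, the user's effective public key
    return ec_add(L, ec_mul(H(ida, L), ppub))
def sign(sk, ida, m):  # ID-based SM2 signature sigma = (L, r, s)
    L, d = sk
    e = e_val(ida, L, m)
    while True:
        k = rand_zn()
        r = (e + ec_mul(k, P)[0]) % N
        if r == 0 or r + k == N: continue
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if s != 0: return L, r, s
def verify(ppub, ida, m, sig):  # returns 1 if sigma is valid, else 0
    L, r, s = sig
    if not (0 < r < N and 0 < s < N) or (r + s) % N == 0: return 0
    Kp = ec_add(ec_mul(s, P), ec_mul(r + s, eff_pk(ppub, ida, L)))  # K' = sP + t(L + hP_pub)
    return 1 if Kp is not None and (e_val(ida, L, m) + Kp[0]) % N == r else 0

def tran(ida, m, sig):  # Tran: blinds (r, s); returns (sigma_hat, tk)
    L, r, s = sig
    ar, br = rand_zn(), rand_zn()
    return (L, (r + ar - e_val(ida, L, m)) % N, (s + br) % N), (ar, br)
def iverf_commit(ppub, ida, sig):  # IVerf step 1 (prover): commitment D
    L, r, s = sig
    T = eff_pk(ppub, ida, L)
    K = ec_add(ec_mul(s, P), ec_mul(r + s, T))
    alpha, beta, R = rand_zn(), rand_zn(), ec_mul(rand_zn(), P)  # R: random point of G
    D = ec_add(ec_add(R, ec_mul(beta, P)), ec_mul(alpha + beta, T))
    return D, (R, K, alpha, beta)
def iverf_respond(state, tk, c):  # IVerf step 3 (prover): Z_K = R - cK, z_a, z_b
    R, K, alpha, beta = state
    return ec_sub(R, ec_mul(c, K)), (alpha - c * tk[0]) % N, (beta - c * tk[1]) % N
def iverf_check(ppub, ida, m, tsig, D, c, resp):  # IVerf step 4 (verifier): D' == D?
    (L, rh, sh), (ZK, za, zb) = tsig, resp
    T, e = eff_pk(ppub, ida, L), e_val(ida, L, m)
    lhs = ec_add(ec_add(ZK, ec_mul(zb, P)), ec_mul(za + zb, T))
    Dp = ec_add(lhs, ec_mul(c, ec_add(ec_mul(sh, P), ec_mul(rh + e + sh, T))))
    return 1 if Dp == D else 0

def run_udvsp_demo(m=b"constructed sample message", ida=b"alice@example.com"):
    """Returns (plain verify, transformed sig as plain, IVerf, IVerf with wrong tk)."""
    ppub, msk = setup()
    sk = extract(ppub, msk, ida)
    sig = sign(sk, ida, m)
    tsig, tk = tran(ida, m, sig)
    D, state = iverf_commit(ppub, ida, sig)
    c = rand_zn()  # IVerf step 2: the verifier's random challenge
    good = iverf_respond(state, tk, c)
    bad = iverf_respond(state, (tk[0] + 1, tk[1]), c)  # holder without the right tk
    return (verify(ppub, ida, m, sig), verify(ppub, ida, m, tsig),
            iverf_check(ppub, ida, m, tsig, D, c, good),
            iverf_check(ppub, ida, m, tsig, D, c, bad))
```

The verifier's check in `iverf_check` is exactly $D' = Z_K + z_bP + z_aT + z_bT + c(\hat{s}P + \hat{r}T + eT + \hat{s}T)$, which only balances when $\hat{r} + e = r + a_r$ and $\hat{s} = s + b_r$ hold for the same $(a_r, b_r)$ used in the response.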

4.2. Security Analysis

This section shows that the interactive ID-based UDVSP system constructed from SM2 achieves the anticipated security properties. Based on the security framework introduced by Baek et al. [5], a UDVSP scheme must satisfy two critical security requirements: existential unforgeability under adaptive chosen message and identity attacks (EUF-CM-ID-A), and resistance to impersonation attacks (R-IM).
Since the EUF-CM-ID-A security of UDVSP is consistent with the EUF-CM-ID-A security of the SM2 ID-based digital signature scheme (which has been proven EUF-CM-GID-A by Lin et al. [13]), this paper only analyzes the security of the UDVSP system against impersonation attacks. Specifically, we examine two distinct attack scenarios: resistance against Type 1 impersonation attacks (R-IM-TYPE-1) and resistance against Type 2 impersonation attacks (R-IM-TYPE-2).
Theorem 1.
If the IVerf protocol of UDVSP satisfies honest verifier zero-knowledge (HVZK), then UDVSP satisfies R-IM-TYPE-1.
Proof. 
First, we construct a simulator $SI$ (Algorithm 1) to prove that the IVerf protocol of UDVSP satisfies HVZK. $SI$ first generates a valid message–signature pair $(m, \sigma = (L, r, s))$ and replicates all interactions with the honest verifier $V_r$. Due to the random numbers $a_r, b_r \in \mathbb{Z}_n^*$ in steps (1) and (2), the first two steps of $SI$ are completely blind. The point $L$ is a random point derived from the user’s private key, and the verifier cannot recover the original signature $(L, r, s)$ from the transformed signature $(L, \hat{r}, \hat{s})$. Additionally, steps (3) to (5) form a Σ-protocol, which satisfies special HVZK, effectively preventing the disclosure of the transformation key $(a_r, b_r)$. Therefore, the IVerf protocol of UDVSP satisfies HVZK.
Algorithm 1 Simulator $SI$ for the IVerf protocol.
  • $SI$ requests a signature $(m, \sigma = (L, r, s))$ from the signer.
  • $SI$ selects $a_r, b_r \in \mathbb{Z}_n^*$ at random, computes $e = H_v(Z_a \| m)$, $\hat{r} = r + a_r - e \bmod n$, $\hat{s} = s + b_r \bmod n$, and sends $(L, \hat{r}, \hat{s})$ to $V_r$.
  • $SI$ randomly selects $\alpha, \beta \in \mathbb{Z}_n^*$ and $R \in G$, computes the commitment value $D = R + \beta P + \alpha(L + hP_{pub}) + \beta(L + hP_{pub})$, and sends $D$ to $V_r$.
  • $SI$ receives the challenge value $c \in \mathbb{Z}_n^*$ sent by $V_r$.
  • $SI$ computes the response to the challenge $Z_K = R - cK$, $z_a = \alpha - c \cdot a_r \bmod n$, $z_b = \beta - c \cdot b_r \bmod n$, and sends $(Z_K, z_a, z_b)$ to $V_r$.
If there exists a PPT adversary A = ( V , P ) that successfully breaks the R-IM-TYPE-1 security of UDVSP, it implies that A can obtain information about ( a r , b r ) to successfully interact with other designated verifiers. This would violate the HVZK property of the IVerf protocol in UDVSP. Therefore, UDVSP satisfies R-IM-TYPE-1. □
Theorem 2.
If the SM2 identity-based digital signature has the property of EUF-CM-GID-A, then UDVSP has the property of R-IM-TYPE-2.
Proof. 
Suppose there exists an algorithm $A$ that successfully breaks the R-IM-TYPE-2 property of UDVSP. Then there exists an algorithm $B$ that can use the capability of $A$ to break the EUF-CM-GID-A property of the SM2 identity-based digital signature. Algorithm $B$ is given the system public key $mpk = (E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ (with $P_{pub} = xP$, $H: \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_n^*$, $H_v: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^v$, and $H_o: \{0,1\}^* \to \{0,1\}^{256}$). The goal is to output a valid message–signature pair.
First, $B$ sends $(E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ to $A$ and calls $A$ to obtain the transformed signature $\hat{\sigma} = (L, \hat{r}, \hat{s})$ for $m$. Then, $B$ and $A$ execute step 1 of the IVerf protocol to obtain $D = R + \beta P + \alpha(L + hP_{pub}) + \beta(L + hP_{pub})$, and $D$ is returned to $B$. $B$ computes $e = H_v(Z_a \| m)$, $h = H(ID_a \| L)$, $T = L + hP_{pub}$, and verifies $D = Z_K + z_b P + z_a T + z_b T + c(\hat{s}P + \hat{r}T + eT + \hat{s}T)$. If this does not hold, $B$ terminates the current interaction; otherwise, $B$ calls $A$ again with a new challenge value $c' \in \mathbb{Z}_n^*$ to obtain new proof values $(Z_K', z_a', z_b')$. If $D = Z_K' + z_b' P + z_a' T + z_b' T + c'(\hat{s}P + \hat{r}T + eT + \hat{s}T)$, then $B$ can compute $a_r = (z_a - z_a') \cdot \tau \bmod n$, $b_r = (z_b - z_b') \cdot \tau \bmod n$, and $K = \tau(Z_K - Z_K')$, where $\tau = (c' - c)^{-1}$ can be solved using the extended Euclidean algorithm. $B$ uses $(a_r, b_r)$ to recover $\sigma = (L, r, s)$, and finally outputs the forged message–signature pair $(m, \sigma = (L, r, s))$. This contradicts the EUF-CM-GID-A property of the SM2 identity-based digital signature; thus, UDVSP satisfies R-IM-TYPE-2. □

5. Non-Interactive ID-Based UDVSP Based on SM2 Digital Signature

5.1. The Proposed System

The non-interactive ID-based UDVSP scheme also relies on ID-based SM2 signatures. However, unlike the previous scheme, it uses the OR form of the Σ-protocol for the protocol design. Although the designated verifier still needs a public/private key pair, this key pair does not have to be generated from the signer’s public key parameters; instead, the designated verifier can use an existing public/private key pair. The scheme comprises five algorithms and one protocol. The process of the scheme is as shown in Figure 3.
  • Setup: Given the security parameter $\lambda$, the KGC randomly picks a large prime number $q$ and determines a non-singular elliptic curve $E: y^2 = x^3 + ax + b \bmod q$ (where $a, b \in \mathbb{Z}_q^*$). Among all the points on $E$ (including the point at infinity), a cyclic group $G$ of prime order $n$ and a generator $P \in G$ are selected. Secure hash functions are chosen as follows: $H: \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_n^*$, $H_v: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^v$, and $H_o: \{0,1\}^* \to \{0,1\}^{256}$. Here, $H_v(\cdot)$ is a cryptographic hash function with a message digest length of $v$ bits, and $H_o(\cdot)$ is a secure cryptographic hash function. A random $x \in \mathbb{Z}_q^*$ is selected, and the partial system public key is computed as $P_{pub} = xP$. The algorithm outputs the system public key $mpk = (E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ and the master private key $msk = x$. This scheme is built on the ID-based SM2 digital signature, so it uses the same system parameters as that signature. For the parameter symbols and definitions, refer to Section 3.1 (Symbols and Definitions).
  • Extract: Given the system’s master public key $mpk$, master private key $msk$, and user information $ID_a$, the KGC randomly selects $l \in \mathbb{Z}_n^*$, computes the partial user private key $L = lP$, and the intermediate variable $h = H(ID_a \| L)$. The partial user private key $d$ is calculated as $d = l + xh \bmod n$. The algorithm outputs the user’s private key $sk = (L, d)$.
  • Sign: Given the system’s master public key $mpk$, the user’s private key $sk = (L, d)$, and the message $m$, the signer computes the user’s distinguishable identifier $Z_a = H_o(ENTLA \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$ and the hash value $e = H_v(Z_a \| m)$, where $ENTLA$ is the bit length of $ID_a$, and $(x_p, y_p)$ and $(x_L, y_L)$ are the coordinates of $P$ and $L$, respectively. A random $k \in \mathbb{Z}_n^*$ is selected, and the elliptic curve point $K = kP = (x_K, y_K)$ and the partial signature $r = (e + x_K) \bmod n$ are computed. If $r = 0$ or $r + k = n$, a new $k$ is selected and the calculations are repeated. Otherwise, the partial signature $s = (1 + d)^{-1}(k - r \cdot d) \bmod n$ is computed. If $s \neq 0$, the algorithm outputs the message $m$ and the signature $\sigma = (L, r, s)$.
  • Verify: Given the system’s master public key $mpk$, user information $ID_a$, message $m$, and the signature to be verified $\sigma = (L, r, s)$: if $r, s \notin \mathbb{Z}_n^*$, the verifier (which may be the signature holder or others) outputs 0. Otherwise, it computes $t = r + s \bmod n$. If $t = 0$, it outputs 0. Otherwise, the verifier computes $Z_a = H_o(ENTLA \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$, $h = H(ID_a \| L)$, $e = H_v(Z_a \| m)$, $K' = sP + t(L + hP_{pub}) = (x_{K'}, y_{K'})$, and $r' = (e + x_{K'}) \bmod n$. If $r' = r$, the algorithm outputs 1 to denote the validity of the signature; otherwise, it outputs 0 to denote the invalidity of the signature.
  • DGenr: Given the system public key $mpk$, the algorithm randomly selects $sk_v \in \mathbb{Z}_n^*$ and computes $pk_v = sk_v P$. It outputs the designated verifier $V_r$’s private key and public key $(sk_v, pk_v)$. The public key parameters of the designated verifier and $pk_v$ are published, while $sk_v$ is kept by $V_r$.
  • DVerf: In this protocol, the signature owner $P_r$ proves to the designated verifier $V_r$ that they possess a signature $\sigma$ that can be verified or that they possess $V_r$’s private key $sk_v$. If $V_r$ has not leaked $sk_v$, they will believe that $P_r$ has a valid $\sigma$, but cannot prove this fact to a third party (because $V_r$, who possesses $sk_v$, can forge the related proof). First, $P_r$ selects a hash function $H_n: \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ based on $V_r$’s public key parameters. $P_r$ and $V_r$ then execute the following protocol:
    1. First, $P_r$ computes $h = H(ID_a \| L)$, $T = L + hP_{pub}$, and $K = sP + (r + s)T$. Then, $P_r$ randomly selects $\alpha, \beta, w \in \mathbb{Z}_n^*$ and $R \in G$, and computes $D_1 = R - \alpha P - \alpha T$ and $D_2 = \beta P + w \cdot pk_v$.
    2. $P_r$ obtains $c = H_c(D_1, D_2, ID_a, pk_v)$.
    3. $P_r$ sets $c_1 = c - H_n(w)$ and $c_2 = w$, then computes $Z_K = R - c_1 K$, $z_a = \alpha - c_1 s$, and $z_b = \beta$. The proof $\hat{s} = (c_1, c_2, Z_K, z_a, z_b)$ is then formed. Subsequently, $P_r$ sends $(L, r, \hat{s})$ and the hash function $H_n$ to $V_r$.
    4. $V_r$ computes $h = H(ID_a \| L)$ and $T = L + hP_{pub}$, then $D_1' = Z_K - z_a P - z_a T + c_1 rT$, $D_2' = z_b P + c_2 pk_v$, and $c' = H_c(D_1', D_2', ID_a, pk_v)$. If $D_1' = D_1$, $D_2' = D_2$, and $c_1 + H_n(c_2) = c'$, it outputs 1 to indicate acceptance; otherwise, it outputs 0.

5.2. Security Analysis

This section will show that the ID-based UDVSP system constructed from SM2 achieves the anticipated security properties. Based on the security framework introduced by Baek et al. [5], a UDVSP scheme must satisfy two critical security requirements: existential unforgeability under adaptive chosen message and identity attacks (EUF-CM-ID-A), and resistance to impersonation attacks (R-IM).
As in the previous section, this section focuses exclusively on analyzing the security of the UDVSP system against impersonation attacks.
Theorem 3.
If the identity-based digital signature based on SM2 has the property of EUF-CM-GID-A, and the elliptic curve discrete logarithm problem (ECDLP) is intractable, then the UDVSP has the property of R-IM-TYPE-2.
Proof. 
This section will illustrate that the constructed non-interactive identity-based UDVSP system based on SM2 holds the anticipated security properties. The EUF-CM-GID-A property of the ID-based digital signature based on SM2 has been verified by Lin et al. [13], and Chen et al. [9] have demonstrated that, without signature conversion (Tran), Type 1 impersonation attacks are equivalent to Type 2 impersonation attacks owing to the zero-knowledge property of the Σ protocol. Hence, this paper only needs to prove that the UDVSP system satisfies R-IM-TYPE-2.
First, B sends $cp$, $pk_v$ and $mpk$ to A, and calls A to obtain the hash functions $H_n: \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ and $H_c: (D, D, \{0,1\}^*, D) \to \mathbb{Z}_n^*$. Then, B and A execute the DVerf protocol to obtain the commitment values, challenge value, and proof values $(D_1, D_2, c_1, c_2, Z_K, z_a, z_b)$. B computes $h = H(ID_a \| L)$ and verifies $D_1 = Z_K - z_a P - z_a(L + hP_{pub}) + c_1 r(L + hP_{pub})$, $D_2 = z_b P + c_2\,pk_v$, and $H_c(D_1, D_2, ID_a, pk_v) = c = c_1 + H_n(c_2)$. If this does not hold, B terminates the current interaction. Otherwise, B rewinds and calls A again, and B obtains the challenge value and proof values $(D_1, D_2, c_1', c_2', Z_K', z_a', z_b')$. If $D_1 = Z_K' - z_a' P - z_a'(L + hP_{pub}) + c_1' r(L + hP_{pub})$, $D_2 = z_b' P + c_2'\,pk_v$, and $H_c(D_1, D_2, ID_a, pk_v) = c' = c_1' + H_n(c_2')$ hold, then B can compute $s = (z_a - z_a') \cdot \tau \bmod n$, $K = \tau(Z_K - Z_K')$ or $sk_v = (z_b - z_b') \cdot \tau \bmod n$. Here, $\tau = (c - c')^{-1}$, which can be solved using the extended Euclidean algorithm. B can recover $\sigma = (L, r, s)$, and finally output the forged message–signature pair $(m, \sigma = (L, r, s))$ or obtain the discrete logarithm $sk_v$ of the ECDLP instance $pk_v = sk_v P$. This contradicts the EUF-CM-GID-A property of the identity-based digital signature based on SM2 and the computational hardness of ECDLP; thus, the UDVSP has the property of R-IM-TYPE-2. □

6. Performance Evaluation

Firstly, an analytical study of the computational and communication costs of our schemes is presented in this section, along with a comparison to prevalent existing solutions such as UDVSP [2,5] and UDVS [18,19]. The study is based on a theoretical analysis, where we calculate the total cost by summing up every operation involved in the schemes. The cost of each operation was measured through 10,000 practical tests on our hardware, with average execution times calculated to estimate the ideal performance of the schemes. Unlike a practical analysis, operations that need to be executed only once (e.g., system initialization) and extremely low-cost computations (e.g., if statements) are not accounted for in this theoretical model, which may lead to some discrepancies compared to the actual execution results.
In this context, the two key-producing procedures within UDVS systems are both counted under KGen, and the communication overhead is measured primarily on the IVerf interactive protocol. As illustrated in Table 2, compared to existing UDVSP/UDVS schemes, our schemes exhibit lower computational cost and communication overhead. This advantage stems from the elimination of the laborious bilinear map operation and of the map-to-point hash function in our schemes.
Lin et al. [2] developed a prototype for each operation within these comparable schemes to obtain empirical timings. The execution was carried out on a laptop computer equipped with an i7-9750H 2.59 GHz processor, 16 GB of memory, and the Windows 10 operating system. The cryptographic library used was the MIRACL library (a widely used cryptographic library, version 7.0). In particular, they utilized the BLS (Boneh–Lynn–Shacham) curve with an ate pairing embedding degree of 24, which is highly suitable for the AES-256 security level. As a result, the sizes of the elements in Zq, G1, G2, and GT are 64 bytes, 160 bytes, 640 bytes, and 1920 bytes, respectively. The corresponding notations and execution times are presented in Table 3. Using the measured costs of the various cryptographic operations (Table 3), the actual computational overhead and communication costs can be analyzed and compared (Figure 4).
Through theoretical analysis, our proposed schemes Our UDVSP-1 and Our UDVSP-2 reduce computational overhead by at least 85.55% compared to the other schemes (except UDVSP-3). Although their computational cost is 1.1625 times that of UDVSP-3, this is acceptable, as they avoid the complex public key certificate management required by UDVSP-3.
In terms of communication overhead, Our UDVSP-1 (512 bytes) and Our UDVSP-2 (960 bytes) significantly outperform UDVSP-1/UDVSP-2 (2048 bytes) and UDVS-1/UDVS-2 (2080 bytes). Overall, the proposed schemes offer a balanced improvement in efficiency and practicality.

7. Conclusions

Although Lin et al.’s scheme addresses the highly time-consuming bilinear pairing operations that all existing UDVSP schemes involve, their scheme still suffers from the cumbersome certificate management problem and from the drawbacks brought about by the interactive protocol. To address these issues, we first propose an ID-based UDVSP system built on the ID-based SM2 digital signature scheme to eschew the intricate certificate management procedures. Moreover, we construct a non-interactive ID-based UDVSP by using the OR proof and Fiat–Shamir technologies. Our work not only exhibits the same bilinear pairing-free merit as the proposal of Lin et al. [2], but also fulfills the goal of certificate-free or non-interactive verification.
Although our ID-based UDVSP systems show improvements over existing schemes, they are limited to achieving certificate-free operation or non-interactive verification separately, rather than both simultaneously. Future work will focus on developing an efficient scheme that combines both features.
Furthermore, the ID-based digital signature based on SM2 employed in this scheme is based on the elliptic curve discrete logarithm problem (ECDLP), whose long-term security is potentially vulnerable to attacks by quantum computers. To address the threat posed by quantum computing, future work will consider adopting post-quantum cryptographic techniques to enhance the security of the scheme.

Author Contributions

Conceptualization, Y.Y. and X.Z.; formal analysis, Y.Y., X.Z. and B.S.; funding acquisition, W.W.; investigation, B.S.; methodology, Y.Y. and X.Z.; resources, W.W.; software, Y.Y.; supervision, B.S. and W.W.; visualization, X.Z. and W.W.; writing—original draft, Y.Y.; writing—review and editing, X.Z. and B.S. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the National Natural Science Foundation of China under Grant U21A20466 and Grant 62372108.

Data Availability Statement

We used the data from Lin et al.’s paper. The DOI is https://doi.org/10.1109/tsc.2023.3289319.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Steinfeld, R.; Bull, L.; Wang, H.; Pieprzyk, J. Universal Designated-Verifier Signatures. IACR Cryptol. ePrint Arch. 2003, 192.
  2. Lin, C.; He, D.; Huang, X. Blockchain-based electronic medical record secure sharing. J. Comput. Appl. 2022, 42, 3465.
  3. Chaum, D.; van Antwerpen, H. Undeniable Signatures. In Proceedings of the Advances in Cryptology—CRYPTO ’89, Santa Barbara, CA, USA, 20–24 August 1989; Brassard, G., Ed.; Springer: New York, NY, USA, 1990; pp. 212–216.
  4. Jakobsson, M.; Sako, K.; Impagliazzo, R. Designated Verifier Proofs and Their Applications. In Proceedings of the Advances in Cryptology—EUROCRYPT ’96, Saragossa, Spain, 12–16 May 1996; Maurer, U., Ed.; Springer: Berlin/Heidelberg, Germany, 1996; pp. 143–154.
  5. Baek, J.; Safavi-Naini, R.; Susilo, W. Universal designated verifier signature proof (or how to efficiently prove knowledge of a signature). In Proceedings of the Advances in Cryptology—ASIACRYPT 2005: 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, 4–8 December 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 644–661.
  6. Steinfeld, R.; Wang, H.; Pieprzyk, J. Efficient extension of standard Schnorr/RSA signatures into universal designated-verifier signatures. In Proceedings of the Public Key Cryptography—PKC 2004: 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 1–4 March 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 86–100.
  7. Shamir, A. Identity-based cryptosystems and signature schemes. In Proceedings of the Advances in Cryptology: CRYPTO 84; Springer: Berlin/Heidelberg, Germany, 1985; pp. 47–53.
  8. Zhang, F.; Susilo, W.; Mu, Y.; Chen, X. Identity-based universal designated verifier signatures. In Proceedings of the International Conference on Embedded and Ubiquitous Computing, Nagasaki, Japan, 6–9 December 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 825–834.
  9. Chen, X.; Chen, G.; Zhang, F.; Wei, B.; Mu, Y. Identity-Based Universal Designated Verifier Signature Proof System. Int. J. Netw. Secur. 2009, 1, 52–58.
  10. Abbasinezhad-Mood, D.; Nikooghadam, M. An anonymous ECC-based self-certified key distribution scheme for the smart grid. IEEE Trans. Ind. Electron. 2018, 65, 7996–8004.
  11. Zhang, Z.; Yang, K.; Zhang, J.; Chen, C. Security of the SM2 signature scheme against generalized key substitution attacks. In Proceedings of the International Conference on Research in Security Standardisation, Tokyo, Japan, 15–16 December 2015; Springer: Berlin/Heidelberg, Germany, 2015; pp. 140–153.
  12. He, D.; Zhang, J.; Chen, B.; Zhang, Y. An Identity-Based Digital Signature Method and System Based on SM2; China National Intellectual Property Administration: Beijing, China, 2021. (In Chinese)
  13. Lin, C.; Huang, X.; He, D. Efficient Range Proof Protocols Based on Chinese Cryptographic SM2. Chin. J. Comput. 2022, 45, 148–159.
  14. Bellare, M.; Goldreich, O. On Defining Proofs of Knowledge. In Proceedings of the Advances in Cryptology—CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, CA, USA, 16–20 August 1992; Brickell, E.F., Ed.; Lecture Notes in Computer Science, Volume 740; Springer: Berlin/Heidelberg, Germany, 1992; pp. 390–420.
  15. Cramer, R.; Damgård, I.; MacKenzie, P.D. Efficient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions. In Proceedings of the Public Key Cryptography, Third International Workshop on Practice and Theory in Public Key Cryptography, PKC 2000, Melbourne, Victoria, Australia, 18–20 January 2000; Imai, H., Zheng, Y., Eds.; Lecture Notes in Computer Science, Volume 1751; Springer: Berlin/Heidelberg, Germany, 2000; pp. 354–373.
  16. Ivan, D. On Σ-Protocols; Lecture Note; University of Aarhus, Department for Computer Science: Aarhus, Denmark, 2002.
  17. Faust, S.; Kohlweiss, M.; Marson, G.A.; Venturi, D. On the non-malleability of the Fiat–Shamir transform. In Proceedings of the Progress in Cryptology—INDOCRYPT 2012: 13th International Conference on Cryptology in India, Kolkata, India, 9–12 December 2012; Springer: Berlin/Heidelberg, Germany, 2012; pp. 60–79.
  18. Huang, X.; Susilo, W.; Mu, Y.; Wu, W. Secure universal designated verifier signature without random oracles. Int. J. Inf. Sec. 2008, 7, 171–183.
  19. Rastegari, P.; Berenjkoub, M.; Dakhilalian, M.; Susilo, W. Universal designated verifier signature scheme with non-delegatability in the standard model. Inf. Sci. 2019, 479, 321–334.
Figure 1. The process of ID-based digital signature based on SM2.
Figure 2. The process of interactive ID-based UDVSP based on SM2 digital signature.
Figure 3. The process of non-interactive ID-based UDVSP based on SM2 digital signature.
Figure 4. Real performance comparison results.
Table 1. Symbols and definitions.
Symbol | Definition
$ID_a$ | User’s identity.
ENTLA | Two bytes converted from the bit length of $ID_a$.
$q$ | A large prime number.
$F_q$ | A finite field consisting of $q$ elements.
$a, b$ | Elements in $F_q$ that define an elliptic curve $E$ over $F_q$.
$E(F_q)$ | The collection of all rational points on the elliptic curve $E$ over $F_q$ (where the point at infinity $O$ is also included).
$O$ | A special point on the elliptic curve, referred to as the point at infinity or zero point.
$G$ | The cyclic group containing every point on the elliptic curve $E$ along with the point at infinity.
$P$ | The generator of the group $G$.
$n$ | The order of the generator $P$ (where $n$ is a prime factor of $\#E(F_q)$).
$H(\cdot), H_o(\cdot), H_n(\cdot), H_v(\cdot)$ | Secure cryptographic hash functions.
Table 2. Theoretical performance comparison results. The UKGen, USign, UVerf, UTran and UIVerf columns give computation cost (ms); the last column gives the communication overhead of UIVerf (bytes).
Scheme | UKGen | USign | UVerf | UTran | UIVerf (computation) | UIVerf (communication/B)
UDVSP-1 [5] | $T_{g1sm}$ | $T_{h2p} + T_{g1sm}$ | $2T_{bp} + T_{h2p}$ | $T_{g1sm}$ | $2T_{bp} + T_{mm} + T_{ma} + 2T_{ebp} + T_{mbp} + T_{h2p}$ | $|G_T| + 2|Z_n|$
UDVSP-2 [5] | $2T_{g2sm}$ | $T_{g1sm} + T_{mi} + T_{mm} + 2T_{ma}$ | $2T_{bp} + 2T_{g2sm} + 2T_{g2pa}$ | $T_{g1sm}$ | $2T_{bp} + 2T_{g2sm} + 2T_{g2pa} + T_{ebp} + T_{mm} + T_{ma} + 2T_{ebp} + T_{mbp}$ | $|G_T| + 2|Z_n|$
UDVS-1 [18] | $4T_{g1sm}$ | $3T_{g1sm} + 2T_{g1pa} + T_{mm}$ | $T_{g1sm} + T_{g1pa} + 3T_{bp} + T_{mbp}$ | $2T_{g1sm} + T_{mm} + 3T_{g1pa} + T_{bp}$ | $2T_{g1sm} + T_{g1pa} + 2T_{bp} + T_{mbp} + 2T_{ebp}$ | $|G_T| + |G_1|$
UDVS-2 [19] | $2T_{g1sm}$ | $5T_{g1sm} + 3T_{g1pa}$ | $2T_{g1sm} + 3T_{g1pa} + 3T_{bp} + T_{mbp}$ | $T_{bp}$ | $2T_{g1sm} + 3T_{g1pa} + 2T_{bp} + T_{mbp} + 2T_{ebp}$ | $|G_T| + |G_1|$
UDVSP-3 [2] | $T_{g1sm}$ | $T_{g1sm} + T_{mi} + T_h + 2T_{mm} + 2T_{ma}$ | $2T_{g1sm} + T_{g1pa} + 2T_{ma} + T_h$ | $3T_{ma} + T_h$ | $14T_{g1sm} + 13T_{g1pa} + 7T_{mm} + 3T_{ma} + T_h$ | $2|G_1| + 3|Z_n|$
Our UDVSP-1 | $T_{g1sm} + T_h + T_{ma} + T_{mm}$ | $T_{g1sm} + T_{mi} + 2T_h + 2T_{ma} + 2T_{mm}$ | $3T_{g1sm} + 2T_{g1pa} + 2T_{ma} + 3T_h$ | $3T_{ma} + 2T_h$ | $16T_{g1sm} + 15T_{g1pa} + 7T_{mm} + 3T_{ma} + 3T_h$ | $2|G_1| + 3|Z_n|$
Our UDVSP-2 | $T_{g1sm} + T_h + T_{ma} + T_{mm}$ | $T_{g1sm} + T_{mi} + 2T_h + 2T_{ma} + 2T_{mm}$ | $3T_{g1sm} + 2T_{g1pa} + 2T_{ma} + 3T_h$ | $T_{ma}$ | $15T_{g1sm} + 10T_{g1pa} + 7T_{mm} + 4T_{ma} + 6T_h$ | $4|G_1| + 5|Z_n|$
Table 3. Symbol definition and time cost.
Notation | Description | Time/ms
$T_{g1pa}$ | A point addition in $G_1$ | 0.165954
$T_{g1sm}$ | A scalar multiplication in $G_1$ | 35.3111
$T_{g2pa}$ | A point addition in $G_2$ | 0.63289
$T_{g2sm}$ | A scalar multiplication in $G_2$ | 206.575
$T_h$ | A general hash function | 0.00576
$T_{h2p}$ | A map-to-point hash function | 17.1464
$T_{bp}$ | A bilinear pairing into $G_T$ | 820.32
$T_{ebp}$ | An exponentiation in $G_T$ | 689.273
$T_{mbp}$ | A multiplication in $G_T$ | 2.05855
$T_{mi}$ | A modular inversion in $\mathbb{Z}_n^*$ | 0.05023
$T_{mm}$ | A modular multiplication in $\mathbb{Z}_n^*$ | 0.01231
$T_{ma}$ | A modular addition in $\mathbb{Z}_n^*$ | 0.00271