
Designated Verifier Signature Scheme

2 Preliminaries

2.2 Designated Verifier Signature Scheme

A digital signature scheme is a fundamental cryptographic technique that primarily aims to provide authenticity and non-repudiation [MWX02]. Since all public keys are either maintained by the system authority (SA) or stored in the public key directory, one can easily obtain the corresponding public key of another party to verify his/her signature. The actual signer thus cannot later deny his/her generated signature. However, in some applications such as electronic voting [RN01, Sch99] and electronic auction [JS03, WCL08], the non-repudiation property is not desirable. With an eye to the above requirement, in 1990, Chaum and Antwerpen [CA90] proposed an undeniable signature scheme in which a signer must assist a verifier to validate a generated signature. It is obvious that any third party attempting to verify the signature has to reach an agreement with the signer in advance. That is to say, in an undeniable signature scheme, a signer has complete control over his generated signatures.

In 1996, Jakobsson et al. [JSI96] came up with the notion of designated verifier proofs and in a sense proposed a designated verifier signature (DVS) scheme. In their scheme, a designated verifier can be convinced of the signer’s identity regarding a given signature without the assistance of the actual signer. Yet, a designated verifier cannot transfer the proofs to convince any third party, since he is also capable of generating another DVS which is computationally indistinguishable from the received one. In 2003, Wang [Wan03] formalized the notion of DVS scheme and further proposed a so-called strong designated verifier signature (SDVS) scheme in which a designated verifier’s private key is directly involved in the validation equation. Consequently, no one can even perform the validation equation without the knowledge of the designated verifier’s private key. In 2007, Lee and Chang [LC07] further combined SDVS schemes with message recovery signatures. More recently, they [LC09] pointed out that signer’s ambiguity could be a vital property of secure SDVS schemes. Namely, even if a signer’s private key is compromised, an attacker still cannot identify the actual signer for a given SDVS which has not been received by the designated verifier. Another SDVS scheme satisfying such a property is also proposed in their paper. Nevertheless, they give no formal proof. In 2004, Susilo et al. [SZM04] addressed the first identity-based SDVS scheme from bilinear pairings. Since then, several researchers [HSM+08, KBD09, KSS06, ZM08, LW09] have devoted themselves to the design of pairing-based SDVS schemes. However, we find that none of these schemes fulfills the property of signer’s ambiguity addressed by Lee and Chang [LC09].

Generally speaking, an SDVS scheme should satisfy the following security requirements [SKM03]:

(i) Unforgeability: It is computationally infeasible for any polynomial-time adversary to forge a valid SDVS without knowing the private key of either the signer or the designated verifier.

(ii) Non-Transferability: Based on the transcript simulation property in an SDVS scheme, a designated verifier can also generate another SDVS which is computationally indistinguishable from the received one. Therefore, a designated verifier cannot transfer the SDVS to any third party.

(iii) Signer’s Ambiguity: For a given SDVS, it is difficult to determine which of the actual signer and the designated verifier produced it.

Recently, Lin et al. [LWY10] proposed a DL based short strong designated verifier signature scheme. An SDVS scheme has two involved parties, a signer and a designated verifier. Each one is a probabilistic polynomial-time Turing machine (PPTM). The signer will generate an SDVS intended for the designated verifier. Consequently, the corresponding SDVS can only be validated by the designated verifier with his private key. An SDVS scheme is correct if a signer can generate a valid SDVS and only a designated verifier can be convinced of the signer’s identity. Lin et al.’s SDVS scheme consists of the following algorithms:

– Setup: Taking as input $1^k$ where k is a security parameter, the algorithm generates system’s public parameters params.

– Signature-Generation (SG): The SG algorithm takes as input system parameters params, a message, the public key of designated verifier and the private key of signer. It generates a corresponding SDVS δ.

– Signature-Verification (SV): The SV algorithm takes as input system parameters params, a message m, an SDVS δ, the private key of designated verifier and the public key of signer. It outputs True if δ is a valid SDVS for m. Otherwise, an error symbol ⊥ is returned as a result.

– Transcript-Simulation (TS): The TS algorithm takes as input system parameters params, a message m, an SDVS δ and the private key of designated verifier. It outputs another valid SDVS δ* for m.

The concrete construction of each algorithm is described as follows:

– Setup: Taking as input $1^k$, the system authority (SA) selects two large primes $p$ and $q$ where $|q| = k$ and $q \mid (p - 1)$. Let $g$ be a generator of order $q$ and $f: Z_p^* \times Z_p^* \to Z_q$, $F: Z_q \to Z_q$ and $H: \{0, 1\}^* \times Z_q \to Z_q$ collision resistant hash functions. The system publishes public parameters params = $\{p, q, g, f, F, H\}$. Each user $U_i$ chooses his private key $x_i \in Z_q$ and computes the public key as $y_i = g^{x_i} \bmod p$. In addition, he also announces a universal parameter $T_i = g^{c_i} \bmod p$ where $c_i \in_R Z_q$.

– Signature-Generation (SG): Let $U_s$ and $U_v$ be a signer and a designated verifier, respectively. For signing a message $m \in_R \{0, 1\}^*$, $U_s$ first chooses $w \in_R Z_q$ to compute $Q = F(w)$ and

$R = f(y_v^{w} \bmod p,\ y_v^{c_s} \bmod p)$, (2.2.1)

$S = (w - x_s H(m, Q, T_s)) \bmod q$. (2.2.2)

Then $U_s$ delivers m along with its SDVS δ = (Q, R, S) to $U_v$.

– Signature-Verification (SV): Upon receiving (m, δ), $U_v$ computes

$Z_1 = y_v^{S}\, y_s^{x_v H(m, Q, T_s)} \bmod p$, (2.2.3)

$Z_2 = T_s^{x_v} \bmod p$, (2.2.4)

and then verifies the signature by checking whether

$R = f(Z_1, Z_2)$. (2.2.5)

We show that the verification of Eq. (2.2.5) works correctly. From the right-hand side of Eq. (2.2.5), we have

$f(Z_1, Z_2)$

$= f(y_v^{S}\, y_s^{x_v H(m, Q, T_s)} \bmod p,\ T_s^{x_v} \bmod p)$ (by Eqs. (2.2.3) and (2.2.4))

$= f(y_v^{S + x_s H(m, Q, T_s)} \bmod p,\ T_s^{x_v} \bmod p)$

$= f(y_v^{S + x_s H(m, Q, T_s)} \bmod p,\ y_v^{c_s} \bmod p)$

$= f(y_v^{w} \bmod p,\ y_v^{c_s} \bmod p)$ (by Eq. (2.2.2))

$= R$ (by Eq. (2.2.1))

which leads to the left-hand side of Eq. (2.2.5).

– Transcript-Simulation (TS): To generate another SDVS δ* intended for himself, $U_v$ computes

$S^* = S + 1 \bmod q$, (2.2.6)

$R^* = f(y_v Z_1 \bmod p,\ Z_2)$. (2.2.7)

Here, δ* = (Q, R*, S*) is another valid SDVS for the message m. In fact, the probability that the computed δ* = (Q, R*, S*) and the received δ = (Q, R, S) are identical is at most $1/2^k$, i.e., $\Pr[\delta^* = \delta] \le 1/2^k$.
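A runnable sketch of the four algorithms above (Setup, SG, SV, TS), added here as an example; it is not code from [LWY10] or from the original text. Assumptions: f, F and H are instantiated as domain-separated SHA-256 reduced mod q, the group is toy-sized (k = 64), and all function names are illustrative.

```python
import hashlib
import secrets
from itertools import count

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 3.3e24

def is_prime(n):
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:  # Miller-Rabin rounds
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(k=64):
    """Toy-sized Setup: prime q with |q| = k, prime p = j*q + 1, g of order q."""
    q = next(n for n in count((1 << (k - 1)) + 1, 2) if is_prime(n))
    j = next(j for j in count(2, 2) if is_prime(j * q + 1))
    p = j * q + 1
    g = next(g for g in (pow(h, j, p) for h in count(2)) if g != 1)
    return p, q, g

def _hash(tag, q, *parts):
    # Assumption: f, F and H are SHA-256 over length-prefixed inputs, reduced mod q.
    h = hashlib.sha256(tag.encode())
    for part in parts:
        raw = str(part).encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return int.from_bytes(h.digest(), "big") % q

def keygen(params):
    p, q, g = params
    x, c = 1 + secrets.randbelow(q - 1), 1 + secrets.randbelow(q - 1)
    return {"x": x, "c": c, "y": pow(g, x, p), "T": pow(g, c, p)}

def sign(params, m, signer, y_v):
    p, q, _ = params
    w = 1 + secrets.randbelow(q - 1)
    Q = _hash("F", q, w)
    R = _hash("f", q, pow(y_v, w, p), pow(y_v, signer["c"], p))   # Eq. (2.2.1)
    S = (w - signer["x"] * _hash("H", q, m, Q, signer["T"])) % q  # Eq. (2.2.2)
    return Q, R, S

def _z_values(params, m, sig, x_v, y_s, T_s):
    p, q, g = params
    Q, _, S = sig
    y_v = pow(g, x_v, p)
    e = x_v * _hash("H", q, m, Q, T_s) % q
    Z1 = pow(y_v, S, p) * pow(y_s, e, p) % p                      # Eq. (2.2.3)
    return y_v, Z1, pow(T_s, x_v, p)                              # Z2, Eq. (2.2.4)

def verify(params, m, sig, x_v, y_s, T_s):
    _, Z1, Z2 = _z_values(params, m, sig, x_v, y_s, T_s)
    return sig[1] == _hash("f", params[1], Z1, Z2)                # Eq. (2.2.5)

def simulate(params, m, sig, x_v, y_s, T_s):
    p, q, _ = params
    y_v, Z1, Z2 = _z_values(params, m, sig, x_v, y_s, T_s)
    return sig[0], _hash("f", q, y_v * Z1 % p, Z2), (sig[2] + 1) % q  # Eqs. (2.2.6), (2.2.7)
```

Both `verify` and `simulate` take the designated verifier's private key `x_v`, so only that party can check a signature or produce the second, equally valid transcript that requirement (ii) relies on.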

Motivated by Schnorr’s signature scheme [Sch91], Lin et al.’s scheme can be regarded as a generic signature scheme. Therefore, we can directly apply the Forking lemma introduced by Pointcheval and Stern [PS00] to prove the security of their scheme. Concretely speaking, we can first obtain two equations

$Z_1 = y_v^{S}\, y_s^{x_v H(m, Q, T_s)} \bmod p$, $Z_1 = y_v^{S'}\, y_s^{x_v H'(m, Q, T_s)} \bmod p$,

and then compute the private key $x_s$ as $(S - S')/(H'(m, Q, T_s) - H(m, Q, T_s))$. Theorem 2.2.1 gives more detailed security proof and advantage analyses to show the tight relation between the security of their SDVS scheme and the hardness of the DLP.
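The step from the two equations to $x_s$, written out as an added worked derivation that is not part of the original text. It abbreviates $H = H(m, Q, T_s)$ and $H' = H'(m, Q, T_s)$ and assumes $H' \not\equiv H \pmod q$. Writing $y_v = g^{x_v}$ and $y_s = g^{x_s}$, both expressions for $Z_1$ are powers of $g$:

$$g^{x_v(S + x_s H)} \equiv Z_1 \equiv g^{x_v(S' + x_s H')} \pmod p .$$

Since $g$ has order $q$ and $x_v$ is invertible modulo $q$, the exponents agree modulo $q$ after cancelling $x_v$:

$$S + x_s H \equiv S' + x_s H' \pmod q \;\Longrightarrow\; S - S' \equiv x_s (H' - H) \pmod q \;\Longrightarrow\; x_s \equiv (S - S')(H' - H)^{-1} \pmod q .$$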

Theorem 2.2.1. Lin et al.’s SDVS scheme is $(t, q_F, q_H, q_{SG}, q_{SV}, \varepsilon)$-secure against existential forgery on adaptive chosen-message attacks (EU-CMA) in the random oracle model if there is no probabilistic polynomial-time adversary that can $(t', \varepsilon')$-break the DLP, where

$\varepsilon' \ge (q_F^{-1})(\varepsilon - 2^{-k}) + ((q_F - 1)q_F^{-1})(4^{-1}(\varepsilon - 2^{-k})^3(q_F^{-1} + q_H^{-1}))$,

$t' \approx t + t_\lambda(2q_{SG} + 2q_{SV})$.

Here $t_\lambda$ is the cost of performing a modular exponentiation over a finite field.

Proof: Please refer to [LWY10] for the full version.

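Table 2.2.1. Comparisons of previous SDVS schemes

| Item | JSI | SKM | YL | LWY | LC-1 | LC-2 |
|---|---|---|---|---|---|---|
| Unforgeability | × | O | O | O | O | O |
| Non-Transferability | O | O | O | O | O | O |
| Signer’s Ambiguity | × | × | × | O | × | O |
| Provable Security | × | × | O | O | × | × |
| Signature Length | $3\lvert p\rvert + 3\lvert q\rvert$ | $3\lvert q\rvert$ | $\lvert p\rvert + \lvert q\rvert$ | $3\lvert q\rvert$ | $2\lvert p\rvert + 2\lvert q\rvert$ | $\lvert p\rvert + \lvert q\rvert$ |
| #Exponentiation for entire scheme | 16 | 6 | 3 | 5 | 12 | 7 |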

Table 2.2.1 summarizes the comparison of previous SDVS schemes including Jakobsson et al.’s (JSI for short) [JSI96], Saeednia et al.’s (SKM for short) [SKM03], the Yang-Liao (YL for short) [YL10], Lin et al.’s (LWY for short) [LWY10] and two presented by Lee and Chang separately in 2007 (LC-1 for short) [LC07] and 2009 (LC-2 for short) [LC09].

Although the Yang-Liao scheme has the lowest computation costs, the signature length of their scheme is longer than that of Lin et al.’s. Most importantly, their scheme cannot satisfy the requirement of signer’s ambiguity addressed in [LC09], which is regarded as an essential property of secure SDVS schemes. To sum up, Lin et al.’s SDVS scheme not only provides better functionalities, but also has lower computation costs and shorter signature length.

2.3 Convertible Authenticated Encryption Scheme

Considering the RSA cryptosystem, in 2009, Wu and Lin [WL09] presented a CAE scheme based on the RSA assumption. A CAE scheme has two involved parties, a signer and a designated recipient. Each one is a polynomial-time-bounded probabilistic Turing machine (PPTM). A signer will generate an authenticated ciphertext and deliver it to a designated recipient. Yet, a dishonest signer might repudiate his generated ciphertext. Finally, the designated recipient decrypts the ciphertext and verifies the signature. The Wu-Lin scheme consists of the following algorithms:

– Setup: Taking as input $1^k$ where k is a security parameter, the algorithm generates system’s public parameters params.

– Authenticated-Ciphertext-Generation (ACG): The ACG algorithm takes as input system parameters params, a message m, the public key of designated recipient and the private key of signer. It generates a corresponding authenticated ciphertext δ.

– Signature-Recovery-and-Verification (SRV): The SRV algorithm takes as input system parameters params, an authenticated ciphertext δ, the private key of designated recipient and the public key of signer. It outputs a message m and its converted signature Ω if the authenticated ciphertext δ is valid. Otherwise, an error symbol ⊥ is returned as a result.

The concrete construction of each algorithm is described as follows:

– Setup: Initially, each user chooses two large primes $(p_i, q_i)$, computes $N_i = p_i q_i$, selects $e_i$ relatively prime to $\varphi(N_i)$ and then derives $d_i$ satisfying $e_i d_i = 1 \bmod \varphi(N_i)$. Here, $(N_i, e_i)$ and $(p_i, q_i, d_i)$ are the public and private keys of each user, respectively. Let $h: \{0, 1\}^k \times \{0, 1\}^k \to \{0, 1\}^k$ be a collision resistant hash function, where $|k| = 160$ bits and $|k| < |N_i| \approx 2048$ bits.

– Authenticated-Ciphertext-Generation (ACG): For signing a message m, a signer $U_s$ chooses an integer $c \in \{0, 1\}^k$ and computes

R = mcc mod Nv, (2.3.1)

$T = c^{e_v} \bmod N_v$, (2.3.2)

$S = h(m, c)^{d_s} \bmod N_s$, (2.3.3)

and then delivers the authenticated ciphertext δ = (S, R, T) to a designated recipient $U_v$.

– Signature-Recovery-and-Verification (SRV): Upon receiving δ, $U_v$ first computes

$c = T^{d_v} \bmod N_v$. (2.3.4)

He then recovers the message m as

m = Rcc mod Nv, (2.3.5)

and checks the redundancy embedded in m. $U_v$ can further verify the signature by checking if

$S^{e_s} = h(m, c) \bmod N_s$. (2.3.6)

We show that Uv then can correctly recover the message m with embedded redundancy by Eq. (2.3.5). From the right-hand side of Eq. (2.3.5), we have

Rcc

= (mcc)cc (by Eq. (2.3.1))

= m (mod Nv)

which leads to the left-hand side of Eq. (2.3.5).

If the authenticated ciphertext (S, R, T) is correctly generated, it will pass the test of Eq. (2.3.6). From the right-hand side of Eq. (2.3.6), we have

$h(m, c)$

$= (h(m, c)^{d_s})^{e_s}$

$= S^{e_s} \pmod{N_s}$ (by Eq. (2.3.3))

which leads to the left-hand side of Eq. (2.3.6).

Since the secret parameter c is obtained during the verification of authenticated ciphertext, the recipient can easily reveal the converted signature (S, c) along with the message m in case of a later repudiation. One can see that the conversion process is efficient as it will not incur extra computation costs or communication overheads. Anyone can perform Eq. (2.3.6) to verify the correctness of converted signature.

The IND-CCA2 and the EF-CMA security for their scheme can be proved in the random oracle model as Theorems 2.3.1 and 2.3.2, respectively.

Theorem 2.3.1. (Proof of Confidentiality) The Wu-Lin scheme is $(t, q_h, q_{ACG}, q_{SRV}, \varepsilon)$-secure against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) in the random oracle model if there is no probabilistic polynomial-time adversary that can $(t', \varepsilon')$-break the RSA problem, where

ε' ≥ (qh1)(2ε −qSRVk 2 ), t' ≈ t + tλ(qh + qACG + qSRV).

Here tλ is the average running time of one oracle-query.

Proof: Please refer to [WL09] for the full version.

Theorem 2.3.2. (Proof of Unforgeability) The Wu-Lin scheme is $(t, q_h, q_{ACG}, \varepsilon)$-secure against existential forgery under adaptive chosen-message attacks (EF-CMA) in the random oracle model if there is no probabilistic polynomial-time adversary that can $(t', \varepsilon')$-break the RSA problem, where

ε' ≥ (qh1)(ε − 2k), t' ≈ t + tλ(qh + qACG).

Here tλ is the average running time of one oracle-query.

Proof: Please refer to [WL09] for the full version.

2.4 Proxy Signcryption Scheme

In 1997, Zheng [Zhe97] proposed a so-called signcryption scheme which is suitable for confidential applications. A signcryption scheme only allows a designated recipient to verify a signer’s signature instead of everyone for the purpose of confidentiality. In 1998, Petersen and Michels [PM98] also proposed another signcryption variant modified from an authenticated encryption scheme. Yet, He and Wu [HW99] pointed out that their scheme is vulnerable to the forgery attack. To deal with a later dispute in which a signer repudiates his signature, Zheng [Zhe97] introduced an arbitration mechanism by using the zero-knowledge protocol [BJY97, Cha90]. However, the arbitration mechanism is inefficient as it incurs extra computation efforts and communication overheads. In 1998, Bao and Deng [BD98] addressed an efficient way to handle a repudiation dispute. Their scheme enables a designated recipient to convert a signcrypted message into an ordinary signature for public verification without imposing extra burdens on computation or communication cost. In 2002, Baek et al. [BSZ02] introduced the formal security proof model for a signcryption scheme in the random oracle model. The next year, Boyen [Boy03] proposed a provably secure identity-based signcryption scheme with ciphertext anonymity. In 2005, Hwang et al. [HLS05] proposed an elliptic curve based signcryption scheme with forward secrecy to facilitate increasingly widespread mobile applications.

Considering proxy delegation, in 2010, Lin et al. [LWH10] proposed an efficient proxy signcryption scheme based on bilinear pairings. A proxy signcryption scheme mainly has three involved parties, an original signer, a proxy signer and a designated recipient. All parties are probabilistic polynomial-time Turing machines (PPTM). An original signer delegates his signing power to a proxy signer by issuing a proxy credential. After that, the latter can generate a signcrypted message on behalf of the former and send it to a designated recipient. Finally, the designated recipient decrypts the message and verifies the proxy signature. A proxy signcryption scheme is correct if a proxy signer can generate a valid signcrypted message on behalf of an original signer and only a designated recipient is capable of decrypting it and verifying the proxy signature. Lin et al.’s scheme consists of the following algorithms:

– Setup: Taking as input $1^k$ where k is a security parameter, the algorithm generates system’s public parameters params.

– Proxy-Credential-Generation (PCG): The PCG algorithm takes as input the private key of original signer and outputs a corresponding proxy credential for a proxy signer.

– Signcrypted-Message-Generation (SMG): The SMG algorithm takes as input a plaintext m, a proxy credential, the public key of designated recipient and the private key of proxy signer. It generates a corresponding signcrypted message δ.

– Signature-Recovery-and-Verification (SRV): The SRV algorithm takes as input a signcrypted message δ, the private key of designated recipient and the public keys of original and proxy signers. It outputs a plaintext m and its converted ordinary proxy signature Ω if the signcrypted message δ is valid. Otherwise, an error symbol ⊥ is returned.

The concrete construction of each algorithm is described as follows:

– Setup: Taking as input $1^k$, the system authority (SA) selects two groups $(G_1, +)$ and $(G_2, \times)$ of the same prime order $q$ with $|q| = k$. Let $P$ be a generator of order $q$ over $G_1$, $e: G_1 \times G_1 \to G_2$ a bilinear pairing and $h_1: \{0, 1\}^k \times G_1 \to Z_q$, $h_2: G_1 \to G_1$ and $h_3: G_2 \times G_1 \to \{0, 1\}^k$ collision resistant hash functions. The system publishes params = $\{G_1, G_2, q, P, e, h_1, h_2, h_3\}$. Each user $U_i$ chooses his private key $x_i \in_R Z_q$ and computes the corresponding public one as $Y_i = x_i P$.

– Proxy-Credential-Generation (PCG): Let $U_o$ be an original signer delegating his signing power to a proxy signer $U_p$. $U_o$ first chooses an integer $d \in Z_q$ to compute

$N = dP$, (2.4.1)

$\sigma = x_o + d(m_w) \bmod q$, (2.4.2)

where $m_w$ is a warrant consisting of the identifiers of original signer, proxy signer and designated recipient, the delegation duration and so on. The proxy credential $(\sigma, N, m_w)$ is then sent to $U_p$. Upon receiving $(\sigma, m_w, N)$, $U_p$ first checks its validity by verifying whether

$\sigma P = Y_o + m_w N$. (2.4.3)

If it does not hold, $(\sigma, m_w, N)$ is requested to be sent again.

We first show that the verification of Eq. (2.4.3) works correctly. From the left-hand side of Eq. (2.4.3), we have

$\sigma P$

$= (x_o + d(m_w))P$ (by Eq. (2.4.2))

$= x_o P + d(m_w)P$

$= Y_o + m_w N$ (by Eq. (2.4.1))

which leads to the right-hand side of Eq. (2.4.3).

– Signcrypted-Message-Generation (SMG): For signcrypting a plaintext $m \in_R \{0, 1\}^k$ on behalf of the original signer $U_o$, $U_p$ chooses $r \in_R Z_q$ to compute

$R = rP$, (2.4.4)

$S = r(h_1(m, R) + x_p + \sigma)^{-1}P$, (2.4.5)

$V = e(h_2(\sigma Y_v),\ x_p Y_v)$, (2.4.6)

$X = E_V(S)$, (2.4.7)

$Y = h_3(V, R) \oplus m$, (2.4.8)

and then delivers the warrant $m_w$ and the signcrypted message δ = (R, X, Y, N) to a designated recipient $U_v$, where $E_V$ denotes a symmetric encryption function with key $V$.

– Signature-Recovery-and-Verification (SRV): Upon receiving (R, X, Y, N), $U_v$ first computes

$V = e(h_2(x_v(Y_o + m_w N)),\ x_v Y_p)$, (2.4.9)

to recover the plaintext m as

$m = h_3(V, R) \oplus Y$ (2.4.10)

and checks the redundancy embedded in m. $U_v$ further computes S as

$S = D_V(X)$ (2.4.11)

and verifies the proxy signature by checking if

$e(h_1(m, R)P + Y_p + Y_o + m_w N,\ S) = e(P, R)$. (2.4.12)

Note that $D_V$ is a corresponding symmetric decryption function with key $V$.

We demonstrate that with received (R, X, Y, N) and the warrant $m_w$, a designated recipient can correctly recover the plaintext and verify the embedded proxy signature with Eq. (2.4.12). From the left-hand side of Eq. (2.4.12), we have

$e(h_1(m, R)P + Y_p + Y_o + m_w N,\ S)$

$= e(h_1(m, R)P + Y_p + Y_o + m_w N,\ r(h_1(m, R) + x_p + \sigma)^{-1}P)$ (by Eq. (2.4.5))

$= e((h_1(m, R) + x_p + x_o + d(m_w))P,\ r(h_1(m, R) + x_p + x_o + d(m_w))^{-1}P)$ (by Eqs. (2.4.1) and (2.4.2))

$= e(P, rP)$

$= e(P, R)$ (by Eq. (2.4.4))

which leads to the right-hand side of Eq. (2.4.12).

Since a converted proxy signature Ω = (S, R, N) is derived during the verification process, a designated recipient Uv can easily announce it together with (m, mw) in case of a later dispute over repudiation. Accordingly, anyone can check Eq. (2.4.12) to realize proxy signer’s dishonesty.

The IND-CCA2 and the EF-CMA security for their scheme can be proved in the random oracle model as Theorems 2.4.1 and 2.4.2, respectively.

Theorem 2.4.1. (Proof of Confidentiality) Lin et al.’s scheme is $(t, q_{h_1}, q_{h_2}, q_{h_3}, q_{PCG}, q_{SMG}, q_{SRV}, \varepsilon)$-secure against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) in the random oracle model if there is no probabilistic polynomial-time adversary that can $(t', \varepsilon')$-break the BDHP, where

ε' ≥ (qh31)(2ε − qSRV(2−k)),

t' ≈ t + tλ(qSMG + 2qSRV).

Here tλ is the time for performing one bilinear pairing operation.

Proof: Please refer to [LWH10] for the full version.

Theorem 2.4.2. (Proof of Unforgeability) Lin et al.’s scheme is $(t, q_{h_1}, q_{h_2}, q_{h_3}, q_{PCG}, q_{SMG}, \varepsilon)$-secure against existential forgery under adaptive chosen-message attacks (EF-CMA) in the random oracle model if there is no probabilistic polynomial-time adversary that can $(t', \varepsilon')$-break the BDHP, where

$\varepsilon' \ge (\varepsilon - (q_{h_2} + 1)/2^k)/(q_{h_2} q_{h_3})$,

$t' \approx t + t_\lambda(q_{SMG})$.

Here tλ is the time for performing one bilinear pairing operation.

Proof: Please refer to [LWH10] for the full version.

Table 2.4.1 summarizes the comparison of previous signcryption schemes including the Elkamchouchi-Abouelseoud [EA08] (EA for short), Duan et al.’s (DCZ for short) [DCZ05], the Li-Chen (LC for short) [LC04], the Wang-Cao (WC for short) [WC05], the Duan-Cao (DC for short) [DC06] and Lin et al.’s (LWH for short) [LWH10] schemes in terms of functionalities and security proofs. Note that the Elkamchouchi-Abouelseoud and Duan et al.’s schemes are vulnerable to the key exposure attack, i.e., once the private key of proxy signer is compromised, an attacker can easily recover the plaintext without the knowledge of designated recipient’s private key. From this table, it can be seen that Lin et al.’s scheme not only provides better functionalities, but also has provable security.

Table 2.4.1. Comparisons of previous signcryption schemes

| Item | EA | DCZ | LC | WC | DC | LWH |
|---|---|---|---|---|---|---|
| Pairing-based scheme | O | O | O | O | O | O |
| Against key exposure attack | × | × | O | O | O | O |
| Proxy delegation | O | O | O | O | × | O |
| Partial delegation with warrant | × | O | O | O | × | O |
| Public verifiability | × | O | O | O | O | O |
| No conversion cost | × | O | O | O | O | O |
| Complete proof of confidentiality | × | × | × | × | O | O |
| Complete proof of unforgeability | × | × | × | × | O | O |

Table 2.4.2 further summarizes the comparison of computation costs in number of the most time-consuming operations, i.e., bilinear pairing computation. To obtain fair comparison results, the Duan-Cao scheme is excluded in Table 2.4.2, since their scheme does not have the property of proxy delegation. From the comparison results shown in Table 2.4.2, one can see that Lin et al.’s scheme outperforms compared ones and hence is more suitable for practical implementation.

Table 2.4.2. Comparisons of computation costs for previous proxy signcryption schemes

| Item | EA | DCZ | LC | WC | LWH |
|---|---|---|---|---|---|
| #Bilinear pairing for PCG | 2 | 3 | 3 | 2 | 0 |
| #Bilinear pairing for SMG | 2 | 2 | 2 | 1 | 1 |
| #Bilinear pairing for SRV | 4 | 4 | 8 | 3 | 3 |
| Total costs for the entire scheme | 8 | 9 | 13 | 6 | 4 |

3. Formal Model of the PCAE Scheme

In this section, we first state involved parties of a PCAE scheme and then address its algorithms and security model.

3.1 Involved Parties

A proxy CAE scheme has three involved parties, an original signer, an authorized proxy signer and a designated recipient. Each one is a probabilistic polynomial-time Turing machine (PPTM). An original signer will compute and transmit a proxy credential to a proxy signer. The latter is responsible for producing an authenticated ciphertext on behalf of the former while a dishonest proxy signer might repudiate having generated his ciphertext. Finally, a designated recipient decrypts the ciphertext and verifies the proxy signature. A proxy CAE scheme is correct if a proxy signer can generate a valid authenticated ciphertext and only a designated recipient is capable of decrypting it and verifying the proxy signature.

3.2 Algorithms

The proposed proxy CAE (PCAE) scheme consists of the following algorithms:

– Setup: Taking as input $1^k$ where k is a security parameter, the algorithm generates system’s public parameters params.

– Proxy-Credential-Generation (PCG): The PCG algorithm takes as input system parameters params, a warrant and the private key of original signer. It outputs a corresponding proxy credential.

– Authenticated-Ciphertext-Generation (ACG): The ACG algorithm takes as input system parameters params, a proxy credential, a message m, the public key of designated recipient and the private key of proxy signer. It generates a corresponding authenticated ciphertext δ.

– Signature-Recovery-and-Verification (SRV): The SRV algorithm takes as input system parameters params, an authenticated ciphertext δ, the private key of designated recipient and the public keys of original and proxy signers. It outputs a message m and its converted proxy signature Ω if the authenticated ciphertext δ is valid. Otherwise, an error symbol ⊥ is returned as a result.

3.3 Security Models

Two crucial security requirements of proposed proxy CAE schemes are message confidentiality and unforgeability. The widely accepted notion for the security of message confidentiality comes from the definition of indistinguishability-based security, i.e., an
