
Short Paper


An Efficient Strong Designated Verifier Proxy Signature Scheme for Electronic Commerce

HAN-YU LIN, TZONG-SUN WU+ AND SHIH-KUN HUANG

Department of Computer Science, National Chiao Tung University, Hsinchu, 300 Taiwan

+Department of Computer Science and Engineering, National Taiwan Ocean University, Keelung, 202 Taiwan

A strong designated verifier signature (SDVS) scheme only allows a designated verifier to validate a signer’s signatures, for ensuring confidentiality. At the same time, the designated verifier cannot transfer the signature to any third party, since he can also generate another computationally indistinguishable SDVS; this is referred to as non-transferability. A proxy signature scheme is a special type of digital signature scheme which enables an authorized proxy signer to create a valid proxy signature on behalf of the original signer. The resulting proxy signature is publicly verifiable by anyone. In this paper, we elaborate on the merits of SDVS schemes and proxy signature schemes to propose an efficient strong designated verifier proxy signature (SDVPS) scheme in which only a designated verifier can be convinced of the proxy signer’s identity. The proposed scheme has crucial benefits in organizational operations and electronic commerce. Compared with related schemes, ours has not only shorter signature length, but also lower computational costs. Moreover, the security requirement of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) is proved in the random oracle model.

Keywords: designated verifier, digital signature, proxy, discrete logarithms, public key system

1. INTRODUCTION

Received July 9, 2010; revised September 23 & November 2, 2010; accepted November 28, 2010.

In a digitalized world, digital signatures [1, 2] serve the same function as traditional handwritten signatures, providing the properties of integrity, authenticity [3] and non-repudiation [4]. In 1996, Mambo et al. [5, 6] introduced proxy signature schemes in which a properly delegated proxy signer has the ability to sign messages on behalf of an original signer such that anyone can verify the corresponding proxy signature with the proxy signer’s public key. Proxy signature schemes are thus applicable in electronic commerce, mobile agents, etc. Proxy delegation can be categorized into four different kinds: full delegation, partial delegation, delegation by warrant [7, 8] and partial delegation with warrant [9]. In full delegation, an original signer directly gives a proxy signer his private key as the proxy signing key. Consequently, all the (proxy) signatures are generated with the same private key, and it is difficult for any third party to identify the actual signer from a given signature. In partial delegation, an original signer derives another proxy signing key from his own private key. Even with the knowledge of the proxy signing key, it is computationally infeasible for any polynomial-time adversary to compute the original signer’s private key. However, a malicious original signer can easily impersonate the proxy signer to create valid proxy signatures. In delegation by warrant, a warrant composed of some proxy information, e.g., the proxy period and the identities of the original and proxy signers, is delivered to the proxy signer, who thus has to spend more computational effort on certifying the warrant. To obtain better efficiency, partial delegation with warrant is a better alternative, since certifying the warrant can be combined with subsequent procedures.

In the same year, Jakobsson et al. [10] proposed another variant of digital signature scheme called the designated verifier signature (DVS) scheme. In such a scheme, only a designated verifier can be convinced of the validity of a received signature with respect to some signer. The designated verifier cannot transfer the signature to any third party, because he is also capable of creating a computationally indistinguishable transcript intended for himself; this is referred to as non-transferability. One can see that DVS schemes are suitable for applications such as electronic voting [11, 12] in which the non-repudiation property is not desirable. Yet, in 2003, Wang [13] pointed out that Jakobsson et al.’s scheme is insecure, as a malicious signer can easily cheat the designated verifier. Later, Saeednia et al. [14] addressed a strong designated verifier signature (SDVS) scheme which only allows a designated verifier to validate received signatures in relation to some signer. Since the designated verifier’s private key is a vital parameter for evaluating the signature verification equation, anyone without it cannot verify the signature. So far, many SDVS schemes [15-22] have been proposed and extensively studied.

Consider an on-line auction in which a famous handicraft designer asks an auction manager to sell his precious product for charity. The winning bidder will obtain the product along with a signed receipt which can be used to prove the handicraft’s legal origin. The auction manager also hopes that only the winning bidder is able to verify the signed receipt, so that he cannot illegally resell the precious handicraft on the black market for more profit. Another commonly seen application is confidential contract signing. A company can authorize one legal agent to sign business contracts such that only an intended company is capable of validating the contract. To solve the above application requirements, in 2003 and 2005, Dai et al. [23] and Wang [24] separately proposed designated verifier proxy signature schemes in which a proxy signer can generate a valid proxy DVS on behalf of an original signer such that only a designated verifier is able to verify it. Nevertheless, their schemes are inefficient in terms of computational effort and communication overhead. In this paper, we propose an efficient strong designated verifier proxy signature (SDVPS) scheme with provable security in the random oracle model. Compared with related works, our scheme not only has shorter signature length, but also achieves better computational efficiency.

The rest of this paper is organized as follows. Section 2 states some preliminaries. We introduce the proposed SDVPS scheme in section 3. The security proof and some comparisons are detailed in section 4. Finally, a conclusion is made in section 5.


2. PRELIMINARIES

In this section, we first define the notations used, as listed in Table 1, and then briefly review some security notions along with the computational assumptions.

Discrete Logarithm Problem (DLP) [25] Let p and q be two large primes satisfying $q \mid p - 1$, and g a generator of order q over GF(p). The discrete logarithm problem is, given an instance (y, p, q, g), where $y = g^x \bmod p$ for some $x \in Z_q$, to derive x.

Discrete Logarithm (DL) Assumption [25] A probabilistic polynomial-time algorithm B is said to (t, ε)-break the DLP if, given a DLP instance (y, p, q, g) where $y = g^x \bmod p$ for some $x \in Z_q$, B can derive x with probability ε after running at most t steps. The probability is taken over the uniformly and independently chosen instance and over the random bits consumed by B.

Definition 1 The (t, ε)-DL assumption holds if there is no probabilistic polynomial-time adversary that can (t, ε)-break the DLP.

Table 1. The used notations.

Zp            integers modulo p
Z*p           multiplicative group of integers modulo p
GF(p)         Galois field of p elements
x ∈ Zp        element x in set Zp
x ∈R Zp       element x is a random integer in set Zp
x ← Zp        sampling element x uniformly in set Zp
a mod b       modulo operation: remainder of a divided by b
a | b         integer b is divisible by integer a
a || b        concatenation of a and b
|x|           bit-length of integer x, also absolute value of x
log_b x       logarithm to base b of x
¬             logical operation NOT
∧             logical operation AND
∨             logical operation OR
∀             for all
Pr[E]         probability of event E occurring

3. THE PROPOSED SCHEME

In this section, we first address involved parties and algorithms of our proposed scheme and then give a concrete construction.

3.1 Involved Parties

Three parties are involved in the proposed scheme: an original signer, a proxy signer and a designated verifier. Each one is a probabilistic polynomial-time Turing machine (PPTM). The original signer computes and transmits a proxy credential to the proxy signer. The proxy signer is responsible for generating an SDVPS intended for the designated verifier on behalf of the original signer. Finally, the designated verifier validates the proxy signature with his private key. An SDVPS scheme is correct if the proxy signer can generate a valid SDVPS which can only be verified by the designated verifier.

3.2 Algorithms

The proposed SDVPS scheme consists of the following algorithms:

− Setup: Taking as input $1^k$, where k is a security parameter, the algorithm generates the system’s public parameters params.

− Proxy-Credential-Generation (PCG): The PCG algorithm takes as input the system parameters params and the private key of the original signer. It outputs a corresponding proxy credential.

− Proxy-Signature-Generation (PSG): The PSG algorithm takes as input the system parameters params, a proxy credential, a message, the public key of the designated verifier and the private key of the proxy signer. It generates an SDVPS δ.

− Proxy-Signature-Verification (PSV): The PSV algorithm takes as input the system parameters params, a message m, an SDVPS δ, the private key of the designated verifier and the public keys of the original and proxy signers. It outputs True if δ is a valid SDVPS for m. Otherwise, an error symbol ⊥ is returned as a result.

3.3 Concrete Construction

We demonstrate the proposed SDVPS scheme over a finite field. Details are described below:

− Setup: Taking as input $1^k$, the system authority (SA) selects two large primes p and q where |q| = k and q | (p − 1). Let g be a generator of order q and $h_1: \{0,1\}^k \times Z_q \to Z_q$, $h_2: \{0,1\}^* \times Z_q \to Z_q$ and $h_3: Z_q \to Z_q$ collision resistant hash functions. The system publishes the public parameters params = {p, q, g, h1, h2, h3}. Each user Ui chooses his private key $x_i \in Z_q$ and computes the public key as $y_i = g^{x_i}$.

− Proxy-Credential-Generation (PCG): Let Uo be an original user delegating his signing power to a proxy signer Up. Uo first chooses $d \in_R Z_q$ to compute

$T = (g^d \bmod p) \bmod q$, (1)

$\sigma = d - x_o h_1(m_w, T) \bmod q$, (2)

where mw is a warrant consisting of the identifiers of the original and proxy signers, the delegation duration and so on. (σ, mw, T) is then sent to Up. Upon receiving (σ, mw, T), Up computes Z as in Eq. (3) and performs Eq. (4) to check its validity.

$Z = y_o^{h_1(m_w, T)} \bmod p$, (3)

$T = (g^{\sigma} Z \bmod p) \bmod q$. (4)

If it does not hold, (σ, mw, T) is requested to be sent again. We demonstrate that the verification of Eq. (4) works correctly. From the right-hand side of Eq. (4), we have

$g^{\sigma} Z = g^{\sigma} y_o^{h_1(m_w,T)}$ by Eq. (3)
$= g^{d - x_o h_1(m_w,T)} y_o^{h_1(m_w,T)}$ by Eq. (2)
$= g^d = T \pmod q$ by Eq. (1)

which leads to the left-hand side of Eq. (4).

− Proxy-Signature-Generation (PSG): For signing a message $m \in_R \{0,1\}^*$ on behalf of the original signer Uo, Up chooses $w \in_R Z_q$ to compute

$s_1 = h_3((y_v^{w} \bmod p) \bmod q)$, (5)

$s_2 = w - (x_p + \sigma) h_2(m, T) \bmod q$, (6)

and then delivers (m, mw) along with the SDVPS δ = (s1, s2, T) to a designated recipient Uv.

− Proxy-Signature-Verification (PSV): Upon receiving (m, mw) and δ, Uv first computes (R1, R2) as follows:

$R_1 = y_v^{s_2} \bmod p$, (7)

$R_2 = (T y_p y_o^{-h_1(m_w,T)})^{x_v h_2(m,T)} \bmod p$. (8)

Uv then verifies the proxy signature by checking if

$s_1 = h_3((R_1 R_2 \bmod p) \bmod q)$. (9)

If it holds, the SDVPS δ = (s1, s2, T) for m is valid. We show that the verification of Eq. (9) works correctly. From the right-hand side of Eq. (9), we have

$R_1 R_2 = y_v^{s_2} (T y_p y_o^{-h_1(m_w,T)})^{x_v h_2(m,T)}$ by Eqs. (7) and (8)
$= y_v^{s_2} (y_p g^{\sigma})^{x_v h_2(m,T)}$ by Eq. (4)
$= y_v^{s_2} (y_v)^{(x_p + \sigma) h_2(m,T)}$
$= y_v^{s_2 + (x_p + \sigma) h_2(m,T)}$
$= y_v^{w} \pmod p$ by Eq. (6)

which implies $h_3((R_1 R_2 \bmod p) \bmod q) = h_3((y_v^{w} \bmod p) \bmod q) = s_1$ by Eq. (5).

4. SECURITY PROOF AND COMPARISON

In this section, we first define the security model of our proposed SDVPS scheme and prove it in the random oracle model. Then some comparisons with related schemes are made.


4.1 Security Model

The essential security requirements of the proposed SDVPS scheme are non-transferability and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA). We define these notions as follows.

Definition 2 (Unforgeability) An SDVPS scheme is said to achieve the security requirement of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) if there is no probabilistic polynomial-time adversary A with non-negligible advantage in the following game played with a challenger B. (Note that the challenger B is responsible for answering the queries of the adversary A, who attempts to forge a valid SDVPS of the proposed scheme.)

Setup: B first runs the Setup($1^k$) algorithm and sends the system’s public parameters params to the adversary A.

Phase 1: The adversary A can issue several queries adaptively, i.e., each query might be based on the results of previous queries:

− Proxy-Credential-Generation (PCG) queries: A issues a PCG query with respect to a proxy signer. B returns a corresponding proxy credential.

− Proxy-Signature-Generation (PSG) queries: A chooses a message m and then gives it to B, who returns an SDVPS δ to A.

− Proxy-Signature-Verification (PSV) queries: A gives B a message m and an SDVPS δ. If δ is a valid SDVPS for m, B returns True. Otherwise, an error symbol ⊥ is returned as a result.

Forgery: Finally, A produces a new pair (m*, δ*) which is not output by any PSG query. The adversary A wins if δ* is a valid SDVPS for m*.

Definition 3 (Non-Transferability) An SDVPS scheme is said to achieve the security requirement of non-transferability if a designated verifier can simulate a computationally indistinguishable transcript intended for himself with his private key.

Definition 4 (Strong Privacy of Signer’s Identity) An SDVPS scheme satisfies the security requirement of strong privacy of signer’s identity if there is no probabilistic polynomial-time adversary having the ability to determine the identity of the signer of an intercepted SDVPS by performing the signature verification process before the SDVPS has been received by the designated verifier.

4.2 Security Proof

We prove that the proposed scheme achieves the essential security requirements defined above. As for the EF-CMA security, if we directly apply the proof technique of the Forking Lemma addressed by Pointcheval and Stern [26] to our scheme, we obtain the following results.


The Forking Lemma In the random oracle model, let A be a probabilistic polynomial-time Turing machine whose input only consists of public data. We denote respectively by N1 and N2 the number of queries that A can ask to the random oracle and the number of queries that A can ask to the signer. Assume that, within a time bound R, A produces, with probability $\varepsilon \geq 10(N_2 + 1)(N_2 + N_1)/2^k$, a valid signature (m, Σ1, H, Σ2) where Σ1 = (s1, mw, T), H = (h1(mw, T), h2(m, T)) and Σ2 = s2. If the triples (Σ1, H, Σ2) can be simulated without knowing the private key with an indistinguishable distribution probability, then there is another machine which has control over the machine obtained from A by replacing interaction with the signer by simulation, and which produces two valid signatures (m, Σ1, H, Σ2) and (m, Σ1, H′, Σ2′) such that h2(m, T) ≠ h2′(m, T) in the expected time $R' \leq 120686 R / \varepsilon$.

Concretely speaking, in our scheme, we can first obtain two equations:

$s_2 = w - (x_p + \sigma) h_2(m, T) \bmod q$,

$s_2' = w - (x_p + \sigma) h_2'(m, T) \bmod q$,

and then compute the private key xp as

$x_p = ((s_2 - s_2') + \sigma(h_2(m, T) - h_2'(m, T))) / (h_2'(m, T) - h_2(m, T))$.
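The extraction step above, as an added worked example that is not part of the paper: two PSG responses that share w, T and σ but were answered with different h2(m, T) values are constructed from Eq. (6), and $x_p$ is recovered with the formula just derived (the names and the small modulus q = 1019 are constructed for illustration).

```python
def forked_s2_values(q, x_p, sigma, w, h2, h2_prime):
    """Two PSG responses sharing w, T and sigma, Eq. (6), one per fork of h2(m, T).

    Constructed stand-in for the two signatures the lemma's rewinding produces."""
    s2 = (w - (x_p + sigma) * h2) % q
    s2_prime = (w - (x_p + sigma) * h2_prime) % q
    return s2, s2_prime


def extract_proxy_key(q, sigma, s2, h2, s2_prime, h2_prime):
    """x_p = ((s2 - s2') + sigma (h2 - h2')) / (h2' - h2) mod q, as derived in the text.

    sigma is known to the reduction because it issued the proxy credential itself."""
    denom = (h2_prime - h2) % q
    if denom == 0:
        raise ValueError("the two forks must use different h2(m, T) values")
    numer = (s2 - s2_prime + sigma * (h2 - h2_prime)) % q
    return numer * pow(denom, -1, q) % q      # pow(d, -1, q) needs Python 3.8+
```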

Nevertheless, to show the tight relation between the security of our SDVPS scheme and the hardness of the DLP, we present another, more detailed security proof and advantage analysis in Theorem 1.

Theorem 1 The proposed SDVPS scheme is $(t, q_{h_1}, q_{h_2}, q_{PCG}, q_{PSG}, q_{PSV}, \varepsilon)$-secure against existential forgery under adaptive chosen-message attacks (EF-CMA) in the random oracle model if there is no probabilistic polynomial-time adversary that can (t′, ε′)-break the DLP, where $\varepsilon' \geq 4^{-1}(\varepsilon - 2^{-k})^3 q_{h_2}^{-1}$ and $t' \approx t + t_\lambda(4q_{PCG} + 6q_{PSG} + 6q_{PSV})$. Here $t_\lambda$ is the time for performing a modular exponentiation over a finite field.

Proof: Fig. 1 depicts the proof structure of this theorem. Suppose that a probabilistic polynomial-time adversary A can $(t, q_{h_1}, q_{h_2}, q_{PCG}, q_{PSG}, q_{PSV}, \varepsilon)$-break the proposed SDVPS scheme with non-negligible advantage ε under adaptive chosen-message attacks after running at most t steps and making at most $q_{h_i}$ $h_i$ random oracle queries (for i = 1 and 2), $q_{PCG}$ PCG, $q_{PSG}$ PSG and $q_{PSV}$ PSV queries. Then we can construct another algorithm B that can (t′, ε′)-break the DLP by taking A as a subroutine. Let all involved parties and notations be defined the same as those in section 3.3. The objective of B is to obtain α (= $\log_g C$) by taking (p, q, g, $C = g^{\alpha} \bmod p$) as inputs. In this proof, B simulates a challenger to A in the following game.

Setup: The challenger B runs the Setup($1^k$) algorithm to obtain the system’s public parameters params = {p, q, g} and comes up with a random tape composed of a long sequence of random bits. B simulates two runs of the SDVPS scheme to the adversary A on input {p, q, g, yv′, yp′, yo} and the random tape.

Fig. 1. The proof structure of Theorem 1. [Figure: B takes (p, q, g, C = g^α mod p) as input and outputs α (= log_g C); A takes {p, q, g, yv′, yp′, yo} as input, has access to the random oracle and to PCG, PSG and PSV queries, and outputs (m, δ = (s1, s2, T)) and (m, δ* = (s1, s2*, T)).]

oracle O-Sim_h1(mw, T)
    for i = 0 to q_h1 − 1
        if (Q_h1[i][0] = mw) and (Q_h1[i][1] = T) then    // It is an old query.
            exit for;
        else if (Q_h1[i][0] = null) then                   // It is a new query.
            insert(Q_h1, (mw, T));
            A_h1[i] ← v1 ∈R Zq;
            exit for;
        end if
    next i
    return A_h1[i];

Fig. 2. Algorithm of the simulated random oracle O-Sim_h1.

oracle O-Sim_h2(m, T)
    for i = 0 to q_h2 − 1
        if (Q_h2[i][0] = m) and (Q_h2[i][1] = T) then      // It is an old query.
            exit for;
        else if (Q_h2[i][0] = null) then                   // It is a new query.
            insert(Q_h2, (m, T));
            A_h2[i] ← v2 ∈R Zq;
            exit for;
        end if
    next i
    return A_h2[i];

Fig. 3. Algorithm of the simulated random oracle O-Sim_h2.

oracle O-Sim_PCG(mw)
    do
        Choose σ, v1 ∈R Zq;
        Compute T = (g^σ · yo^v1 mod p) mod q;
    while (check(Q_h1, (mw, T)) = true)
    insert(Q_h1, (mw, T)); insert(A_h1, v1);               // define h1(mw, T) = v1
    return (σ, T);

Fig. 4. Algorithm of the simulated PCG oracle O-Sim_PCG.

oracle O-Sim_PSG(m)
    Choose s2 ∈R Zq and a proper mw;
    (σ, T) ← O-Sim_PCG(mw);
    v1 ← O-Sim_h1(mw, T); v2 ← O-Sim_h2(m, T);
    Compute R1 = g^(r·s2) mod p; R2 = (C · g^σ)^(r·v2) mod p; s1 = h3((R1 · R2 mod p) mod q);
    return δ = (s1, s2, T) and mw;

Fig. 5. Algorithm of the simulated PSG oracle O-Sim_PSG.

oracle O-Sim_PSV(m, δ, mw)
    v1 ← O-Sim_h1(mw, T); Z = yo^v1 mod p; v2 ← O-Sim_h2(m, T);
    Compute R1 = g^(r·s2); R2 = (C · T · Z^(−1))^(r·v2); s1* = h3((R1 · R2 mod p) mod q);
    if (s1* = s1) then
        return True;
    else
        return ⊥;
    end if

Fig. 6. Algorithm of the simulated PSV oracle O-Sim_PSV.

Phase 1: A makes the following queries adaptively:

− h1 oracle: When A queries the h1 oracle for h1(mw, T), B returns O-Sim_h1(mw, T). The simulated random oracle O-Sim_h1 operates as in Fig. 2. Note that the function insert(N, b) inserts the value b into the array N.

− h2 oracle: When A queries the h2 oracle for h2(m, T), B returns O-Sim_h2(m, T). The simulated random oracle O-Sim_h2 operates as in Fig. 3.

− PCG queries: When A makes a PCG query, B chooses a proper mw and then returns (mw, O-Sim_PCG(mw)) as the result. The simulated PCG oracle O-Sim_PCG operates as in Fig. 4. Note that the function check(N, b) returns a Boolean value depending on whether the value b is stored in the array N.

− PSG queries: When A makes a PSG query for some message m, B returns (m, O-Sim_PSG(m)) as the result. The simulated PSG oracle O-Sim_PSG operates as in Fig. 5.

− PSV queries: When A makes a PSV query for some message m, an SDVPS δ = (s1, s2, T) and a warrant mw, B returns O-Sim_PSV(m, δ, mw) as the result. The simulated PSV oracle O-Sim_PSV operates as in Fig. 6.

Analysis of the game For each PCG and PSG query, B always returns a computationally


without collision. Let Fv be the event that A tries to forge an SDVPS for a message m and then finally outputs a valid SDVPS δ = (s1, s2, T) along with a warrant mw. By assumption, we know that A has non-negligible probability ε of breaking the proposed SDVPS scheme, i.e., Pr[Fv] = ε. The probability that A guesses a correct value without asking the h2(m, T) random oracle is not greater than $2^{-k}$. We denote such an event by ¬QH2, with $\Pr[\neg Q_{H_2}] \leq 2^{-k}$. Therefore, we can further express the probability that A outputs a valid forgery after asking the corresponding h2 random oracle as

$\Pr[F_v \mid Q_{H_2}] \geq (\varepsilon - 2^{-k})$.

B again runs A on input {p, q, g, yv′, yp′, yo} and the same random tape. Since A is provided with the same sequence of random bits, we know that the ith query he will ask is always the same as the one during the first simulation. For all the oracle queries before h2(m, T), B returns identical results to those of the first time. When A asks h2(m, T), B directly gives a new $v_2^* \in_R Z_q$ instead of v2. Meanwhile, A is then provided with another, different random tape which is also composed of a long sequence of random bits. By the “Forking Lemma”, if A eventually outputs another valid SDVPS δ* = (s1, s2*, T) with h2(m, T) ≠ h2′(m, T), B would have a chance to solve the DLP by computing

$x_p = ((s_2 - s_2^*) + \sigma(v_2 - v_2^*)) / (v_2^* - v_2)$. (10)

To evaluate B’s success probability, we use the “Splitting lemma” [26] as follows. Let X and Y be the sets of possible sequences of random bits and random function values supplied to A before and after the h2(m, T) query is made by A, respectively. It follows that on inputting a random value (e || f) for any e ∈ X and f ∈ Y, A outputs a valid forgery with probability ε, i.e., $\Pr_{e \in X, f \in Y}[F_v] = \varepsilon$. According to the “Splitting lemma”, there is a subset $D \subseteq X$ such that

(a) $\Pr[e \in D] = |D| \cdot |X|^{-1} \geq 2^{-1}\varepsilon$,

(b) $\forall e \in D$, $\Pr_{f \in Y}[F_v] \geq 2^{-1}\varepsilon$.

From the above definition, we know that if n ∈ D is the supplied sequence of random bits and random function values given to A before the h2(m, T) query is made, then for any sequence of random bits and random function values f′ ∈ Y after the query, A outputs a valid forgery with probability at least $(2^{-1}\varepsilon)^2 = 4^{-1}\varepsilon^2$, i.e.,

$\Pr_{n \in D, f' \in Y}[F_v] \geq 4^{-1}\varepsilon^2$.

Since the probability that A outputs another SDVPS δ* = (s1, s2*, T) with h2(m, T) ≠ h2′(m, T) is $q_{h_2}^{-1}$, we can express the probability that B solves the DLP with Eq. (10) in the second simulation as

$(\varepsilon - 2^{-k})(4^{-1}(\varepsilon - 2^{-k})^2)(q_{h_2}^{-1}) = 4^{-1}(\varepsilon - 2^{-k})^3 q_{h_2}^{-1}$.

$t' \approx t + t_\lambda(4q_{PCG} + 6q_{PSG} + 6q_{PSV})$

where $t_\lambda$ is the time for performing a modular exponentiation over a finite field. □

Theorem 2 The proposed SDVPS scheme satisfies the security requirement of non-transferability.

Proof: To generate an SDVPS δ* intended for himself, Uv first chooses a proper warrant mw* and $T^*, s_2^* \in_R Z_q$ to compute

$R_1^* = y_v^{s_2^*} \bmod p$, (11)

$s_1^* = h_3((R_1^* \cdot (T^* y_p y_o^{-h_1(m_w^*, T^*)})^{x_v h_2(m, T^*)} \bmod p) \bmod q)$. (12)

Here, δ* = (s1*, s2*, T*) is a valid SDVPS for m. To be precise, the probability that the computed δ* = (s1*, s2*, T*) and the received δ = (s1, s2, T) are identical is at most $2^{-3k}$, i.e., $\Pr[\delta^* = \delta] \leq 2^{-3k}$. □

Theorem 3 The proposed SDVPS scheme satisfies the security requirement of strong privacy of signer’s identity even under the key-compromise attack.

Proof: On the basis of the Proxy-Signature-Verification (PSV) algorithm in our proposed scheme, Eq. (8) can be further expressed as

$R_2 = (T y_p y_o^{-h_1(m_w,T)})^{x_v h_2(m,T)} \bmod p = (y_v)^{(d - x_o h_1(m_w,T) + x_p) h_2(m,T)} \bmod p$. (8*)

It is obvious that even if the proxy signer’s private key xp is compromised, any malicious adversary still needs both the knowledge of the secret integer d and the original signer’s private key xo to perform Eq. (8*). Hence, the strong privacy of signer’s identity is fulfilled in the proposed scheme even under the key-compromise attack. □

4.3 Comparisons

For facilitating the following comparisons, we first define several used notations:

|x|: the bit-length of an integer x
Th: the time for performing a one-way hash function h
Tm: the time for performing a modular multiplication computation
Te: the time for performing a modular exponentiation computation
Ti: the time for performing a modular inverse computation

The time for performing the modular addition computation is ignored because it is negligible as compared to the above. We compare the proposed scheme with several previously proposed ones including Jakobsson et al.’s (JSI for short) [10], Saeednia et al.’s (SKM for short) [14], Huang et al.’s (HSM for short) [15], Wang’s (Wang for short) [24] and Dai et al.’s (DYD for short) [23] schemes. The comparisons of computational and communicational efficiency are demonstrated in Tables 2 and 3, respectively. Note that the JSI, SKM and HSM schemes cannot offer the function of proxy delegation.

Table 2. Comparisons of computational costs among the proposed and other schemes.

Item     JSI                 SKM                      HSM                Wang                      DYD                  Ours
Type     Probabilistic       Probabilistic            Deterministic      Probabilistic             Probabilistic        Probabilistic
PCG      3Te + 2Tm*          3Te + 2Tm*               3Te + 2Tm*         4Te + 4Tm + 2Th           3Te + 2Tm + 2Th      3Te + 2Tm + 2Th
PSG      5Te + 2Tm + Th      Te + 2Tm + Th + Ti       Te + Th            Te + 2Tm + Th + Ti        3Te + Tm + Th        Te + Tm + 2Th
PSV      6Te + 3Tm + Th      3Te + 2Tm + Th           Te + Th            4Te + 4Tm + 2Th           4Te + 4Tm + 2Th      3Te + 4Tm + 3Th
Total    11Te + 5Tm + 2Th    7Te + 6Tm + 2Th + Ti     5Te + 2Tm + 2Th    9Te + 10Tm + 5Th + Ti     10Te + 7Tm + 5Th     7Te + 7Tm + 7Th

* We adopt Mambo et al.’s scheme [5] to generate the proxy information for the evaluated schemes.

Table 3. Comparisons of communicational costs among the proposed and other schemes.

Item      JSI            SKM           HSM           Wang          DYD           Ours
Length    4|p| + 4|q|    |p| + 4|q|    |p| + 2|q|    |p| + 3|q|    3|p| + |q|    3|q|
Bits*     ≈ 2688         ≈ 1152        ≈ 832         ≈ 992         ≈ 1696        ≈ 480

* Without loss of generality, let |p| ≈ 512 bits and |q| ≈ 160 bits. To obtain a fair comparison result, the communicational costs for the warrant mw in Wang’s and our schemes are ignored. Note that the communication costs for proxy information in JSI, SKM and HSM are evaluated by adopting Mambo et al.’s scheme [5].

In Table 2, although Huang et al.’s scheme has the lowest computational costs among all compared ones, their mechanism is not probabilistic, i.e., a signer will always generate the same unique signature for an identical message. Moreover, we also found that their scheme cannot achieve the strong privacy of signer’s identity when a signer’s private key is accidentally compromised. Overall, among previous SDVPS schemes we conclude that the proposed one has not only shorter signature length, but also lower computational costs.

5. CONCLUSIONS

In this paper, we have proposed an efficient SDVPS scheme for electronic commerce. The proposed scheme preserves the merits of SDVS schemes and proxy signature schemes. The generated SDVPS can only be verified by a designated verifier, guaranteeing confidentiality. Meanwhile, a designated verifier cannot transfer the proxy signature to convince any third party of the proxy signer’s identity, based on the transcript simulation property. Compared with related works (including previous SDVS and SDVPS schemes), our proposed scheme has not only shorter signature length, but also lower computational costs. That is to say, our proposed SDVPS scheme benefits practical implementation. Besides, we also proved that the proposed scheme achieves EF-CMA security in the random oracle model.


REFERENCES

1. T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, Vol. IT-31, 1985, pp. 469-472.

2. R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, Vol. 21, 1978, pp. 120-126.

3. W. Stallings, Cryptography and Network Security: Principles and Practices, 4th ed., Pearson, New Jersey, USA, 2005.

4. B. Meng, S. Wang, and Q. Xiong, “A fair non-repudiation protocol,” in Proceedings of the 7th International Conference on Computer Supported Cooperative Work in Design, 2002, pp. 68-73.

5. M. Mambo, K. Usuda, and E. Okamoto, “Proxy signature for delegating signature operation,” in Proceedings of the 3rd ACM Conference on Computer and Communications Security, 1996, pp. 48-57.

6. M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: delegation of the power to sign messages,” IEICE Transactions on Fundamentals of Electronic Communications and Computer Science, Vol. E79-A, 1996, pp. 1338-1354.

7. B. C. Neuman, “Proxy-based authentication and accounting for distributed systems,” in Proceedings of the 13th International Conference on Distributed Computing Systems, 1993, pp. 283-291.

8. V. Varadharajan, P. Allen, and S. Black, “An analysis of the proxy problem in distributed system,” in Proceedings of IEEE Computer Society Symposium on Research in Security and Privacy, 1991, pp. 255-277.

9. S. Kim, S. Park, and D. Won, “Proxy signatures, revisited,” in Proceedings of International Conference on Information and Communications Security, 1997, pp. 223-232.

10. M. Jakobsson, K. Sako, and R. Impagliazzo, “Designated verifier proofs and their applications,” Advances in Cryptology − EUROCRYPT, 1996, pp. 143-154.

11. I. Ray and N. Narasimhamurthi, “An anonymous electronic voting protocol for voting over the Internet,” in Proceedings of the 3rd International Workshop on Advanced Issues of E-Commerce and Web-Based Information Systems, 2001, pp. 188-190.

12. B. Schoenmakers, “A simple publicly verifiable secret sharing scheme and its application to electronic voting,” Advances in Cryptology − CRYPTO, 1999, pp. 148-164.

13. G. Wang, “An attack on not-interactive designated verifier proofs for undeniable signatures,” Cryptology ePrint Archive, Report 2003/243, 2003, http://eprint.iacr.org/2003/243.

14. S. Saeednia, S. Kremer, and O. Markowitch, “An efficient strong designated verifier signature scheme,” in Proceedings of the 6th International Conference on Information Security and Cryptology, 2003, pp. 40-54.

15. X. Huang, W. Susilo, Y. Mu, and F. Zhang, “Short designated verifier signature scheme and its identity-based variant,” International Journal of Network Security, Vol. 6, 2008, pp. 82-93.

16. B. Kang, C. Boyd, and E. Dawson, “A novel identity-based strong designated verifier signature scheme,” The Journal of Systems and Software, Vol. 82, 2009, pp. 270-273.

17. K. Kumar, G. Shailaja, and A. Saxena, “Identity based strong designated verifier signature scheme,” Cryptology ePrint Archive, Report 2006/134, 2006, http://eprint.iacr.org/2006/134.

18. W. Susilo, F. Zhang, and Y. Mu, “Identity-based strong designated verifier signature schemes,” Information Security and Privacy, Vol. 3108, 2004, pp. 167-170.

19. J. Zhang and J. Mao, “A novel ID-based designated verifier signature scheme,” Information Sciences, Vol. 178, 2008, pp. 766-773.

20. S. S. M. Chow, “Multi-designated verifiers signatures revisited,” International Journal of Network Security, Vol. 7, 2008, pp. 348-357.

21. X. Chen, G. Chen, F. Zhang, B. Wei, and Y. Mu, “Identity-based universal designated verifier signature proof system,” International Journal of Network Security, Vol. 8, 2009, pp. 52-58.

22. F. Y. Yang and C. M. Liao, “A provably secure and efficient strong designated verifier signature scheme,” International Journal of Network Security, Vol. 10, 2010, pp. 220-224.

23. J. Z. Dai, X. H. Yang, and J. X. Dong, “Designated-receiver proxy signature scheme for electronic commerce,” in Proceedings of IEEE International Conference on Systems, Man and Cybernetics, Vol. 1, 2003, pp. 384-389.

24. G. Wang, “Designated-verifier proxy signature schemes,” Security and Privacy in the Age of Ubiquitous Computing, Vol. 181, 2005, pp. 409-423.

25. H. Delfs and H. Knebl, Introduction to Cryptography: Principles and Applications, Springer, Berlin, 2002.

26. D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” Journal of Cryptology, Vol. 13, 2000, pp. 361-369.

Han-Yu Lin (林韓禹) received his B.A. degree in Economics from the Fu Jen Catholic University, Taiwan in 2001, and his M.S. degree in Information Management from the Huafan University, Taiwan in 2003. Now he is a Ph.D. candidate in the Department of Computer Science of National Chiao Tung University, Taiwan. His research interests include cryptology and network security.

Tzong-Sun Wu (吳宗杉) received his B.S. degree in Electrical Engineering from the National Taiwan University, Taiwan in 1990, and his Ph.D. in Information Management from the National Taiwan University of Science and Technology, Taiwan in 1998. From August 1998 to July 2002, he has been an Assistant Professor in the Department of Information Management of Huafan University. From August 2001 to January 2007, he has been an Associate Professor in the Department of Informatics of Fo Guang University. He is now with the Department of Computer Science, National Taiwan Ocean University. His research interests include information security, watermarking, digital right management, and e-commerce.

Shih-Kun Huang (黃世昆) is a faculty member in the Department of Computer Science and Information Engineering at National Chiao Tung University in Hsinchu, Taiwan and jointly with the Institute of Information Science, Academia Sinica. His research interests are in open source software engineering, object-oriented technology and software quality. He received his B.S., M.S. and Ph.D. degrees in Computer Science and Information Engineering from National Chiao Tung University in 1989, 1991 and 1996 respectively.
