Identity-based universal designated multi-verifiers signature schemes

Available online at www.sciencedirect.com

Computer Standards & Interfaces 30 (2008) 288 – 295 www.elsevier.com/locate/csi

Identity-based universal designated multi-verifiers signature schemes Seung-Hyun Seoa,⁎, Jung Yeon Hwangb , Kyu Young Choib , Dong Hoon Leeb,⁎ a

b

Financial Security Agency, 36-1 Yoido-Dong, Youngdeungpo-Gu, Seoul 150-886, Korea Graduate School of Information Securities, Center for Information Security Technologies (CIST), Korea University, Seoul, 136-701, Korea Received 3 April 2007; accepted 29 August 2007 Available online 7 September 2007

Abstract An identity-based (ID-based) universal designated verifier signature (ID-UDVS) scheme allows a signature holder to designate a specific verifier of the signature by using a simplified public identity such as e-mail address. In the paper, we present an efficient identity-based universal designated multi-verifiers signature (ID-UDMVS) scheme by extending a single verifier to a set of multi-verifiers for verification of a signature. To achieve our goal, we construct an ID-based signature scheme providing batch verification and then, using this scheme as a building block, we firstly propose an ID-UDMVS scheme with constant signature size. Interestingly our construction method can be used as a generic method transforming an ID-UDVS scheme, which is defined in a bilinear version of the so-called ∑ protocol, to an ID-UDMVS scheme. © 2007 Elsevier B.V. All rights reserved. Keywords: ID-based signature; Designated multi-verifier signature; Signature

1. Introduction In 1996, Jakobsson et al. firstly introduced a new primitive called designated-verifier signature (DVS) scheme [9]. In the DVS scheme, the signature provides authentication of a message without providing a non-repudiation property of traditional signatures. As pointed out in [14], this property can be viewed as a “light signature scheme”. The DVS scheme can be used to convince a single third party, i.e., the designatedverifier, and only the designated-verifier can be convinced about its validity or invalidity. It is due to the fact that the designated verifier himself can efficiently simulate signatures that are indistinguishable from signer's signatures. Such signature schemes have numerous applications for tenders, electronic voting or electronic auction. Jakobsson et al. also briefly discussed a stronger notion called a strong designatedverifier signature (SDVS) scheme. The strongness property required in this notion refers to the requirement of the designated-verifier to use his secret key to verify the validity or invalidity of a signature. This notion was formally defined by ⁎ Corresponding author. E-mail addresses: [email protected] (S.-H. Seo), [email protected] (J.Y. Hwang), [email protected] (K.Y. Choi), [email protected] (D.H. Lee). 0920-5489/$ - see front matter © 2007 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2007.08.020

Saeednia et al. [17] and strengthen by Laguillaumie and Vergnaud [10]. Given a SDVS signature and two potential signing public keys, it is computationally infeasible for an eavesdropper to determine under which of the two secret keys the signature was performed. At Crypto'03 rump session [6], Desmedt raised the problem of generalizing the designated-verifier signature concept. It was to allow several designated-verifiers. This new primitive, designated multi-verifiers signature scheme, may have interests in a multi-users setting, for instance it seems promising for the design of fair distributed contract signing. In [11], Laguilaumie et al. proposed a construction of designated multi-verifiers signatures where the signer chooses to sign a message for a fixed numbers of specific designated-verifiers. In 2003, Steinfeld et al. directly addressed user privacy issue in user certification systems and introduced Universal Designated-Verifier Signature (UDVS) scheme by extending the notion of DVS scheme [16]. The UDVS scheme is a digital signature scheme with additional functionality which allows any holder of a signature to designate any desired verifier. The designated-verifier can verify that the message was signed by the signer. Nevertheless, the designated-verifier cannot convince anyone else of this fact, because his secret key allows him to forge the designated-verifier signature without the signer's cooperation. Based on their ideas, Steinfeld et al. [16] proposed

S.-H. Seo et al. / Computer Standards & Interfaces 30 (2008) 288–295

289

how to extend the classical Schnorr or RSA signature schemes into UDVS schemes. Laguillaumie and Vergnaud [10] proposed a generic construction of DVS scheme from any bilinear maps. Ng et al. [12] extend the notion of UDVS scheme to Universal Designated Multi-Verifiers Signature (UDMVS) scheme. So far, even if there have been a wide range of research for designated verifier signatures, most works have been based on a certificate-based PKI (Public Key Infrastructure). In the certificate-based public key cryptographic systems, however, a user should obtain a certificate of a long-lived public key from the CA and the participants must firstly verify the user's certificate before a user's public key is used. Therefore, certificated-based public key cryptographic systems require a large storage for each user's public key and certificate, and much computing time to verify the users certificate. In 1984, Shamir [15] proposed a new model for public key cryptography, called identity-based encryption and signature scheme. The main idea of identity-based cryptosystem is that the identity information of each user serves as his public key. That is, in an identity-based system, the participants just have to know the public identity of the user such as email address, IP address, etc. Thus, compared to certificate-based PKI systems, identitybased authenticated systems simplify the key management procedures [1]. Since Shamir's work, there have been many works for identity-based encryption and signature schemes. Recently, several papers have attempted to construct identitybased DVS schemes. Susilo et al. [18] proposed an identitybased strong designated verifier signature scheme, and Huang et al. [8] proposed an identity-based short strong designated verifier signature scheme. Zhang et al. [19] proposed two concrete constructions of identity-based universal designated verifier signature (ID-UDVS) scheme. One is the ID-UDVS based on bilinear pairings using Cha-Cheon signature scheme. The other is ID-UDVS based on a chameleon hash function.

unforgeable against adaptive chosen message and ID attacks in the random oracle model under the bilinear CDH assumption. Interestingly our approach provides a generic method which derives an ID-UDMVS scheme from an ID-UDVS scheme well defined in a bilinear version of the so-called ∑ protocol [4,7] of which a signature typically consists of two parts, a commitment of a random number and a linear combination between the random number, a private signing key and a message digest.

1.1. Contributions

2.1.1. Admissible bilinear map We call e:G1
G1 YG2 an admissible bilinear map if it satisfies the following properties:

In this paper, we propose the first construction of an Identitybased Universal Designated Multi-Verifiers Signature (IDUDMVS) scheme which generalizes an ID-UDVS scheme. We present a formal model for an ID-UDMVS scheme and its security requirements, and concretely construct an ID-UDMVS scheme. To achieve our goal, we first construct an Identity-based Signature (ID-S) scheme providing a batch verification technique which verifies the validity of signatures simultaneously. This batch verification is a useful technique to improve computational efficiency in our construction of ID-UDMVS scheme where many signatures need to be generated or verified together. We show that ID-S is existentially unforgeable against adaptive chosen message and ID attacks in the random oracle model under the computational DH (CDH) assumption. Next, using this ID-S scheme as a building block, we propose an ID-UDVS scheme and then propose ID-UDMVS scheme by extending the ID-UDVS for multi-verifier setting. Like the underlying ID-S scheme, our ID-UDVS and IDUDMVS schemes provide batch verification technique. We also prove that ID-UDVS and ID-UDMVS scheme are existentially

1.2. Organization The remainder of this paper is organized as follows. In Section 2 we review some definitions and cryptographic hard problems which our schemes rely on. In Section 3 we present a security model for ID-UDMVS scheme. In Section 4 we present an ID-based signature scheme with batch verification, and we propose an ID-UDVS scheme and prove its security. In Section 5, we propose an ID-UDMVS scheme and prove its security. We conclude in Section 6. 2. Definitions In this section, we review the basic concept of bilinear maps and some assumptions related to our schemes. Through the paper, we assume that G1 is a cyclic additive group of prime order q and G2 is a cyclic multiplicative group of same order q, and the discrete logarithm problem (DLP) in both G1 and G2 are intractable. 2.1. Bilinear maps We briefly review the necessary facts about bilinear maps and bilinear map groups. We use the following standard notation:

(1) Bilinear: e(aP,bQ) = e(P,Q)ab for all P,Q ∈ G1 and a, b ∈ Z⁎q . (2) Non-degenerate: There exist a P ∈ G1 such that e(P,P) ≠ 1. (3) Computable: There exists an efficient algorithm to compute e(P,Q) for all P,Q ∈ G1 . In our setting of prime order groups, the Non-degenerate property is equivalent to e(P,Q) ≠ 1 for all P,Q ∈ G1 . So, when P is a generator of G1 , e (P,P) is a generator of G2 . 2.2. Complexity assumptions 2.2.1. Computational Diffie-Hellman (CDH) problem A CDH parameter generator I GCDH is a probabilistic polynomial time (PPT) algorithm that takes as input security parameter 1λ, runs in polynomial time, and outputs an additive group G of prime order q. Informally the CDH problem is to compute abP when given a generator P of G and aP, bP for

290

S.-H. Seo et al. / Computer Standards & Interfaces 30 (2008) 288–295 ⁎

random numbers a,b ∈ Zq . More formally, the advantage of A with respect to IGCDH is defined to be h i
 ⁎ Pr abPpAðG; P; aP; bPÞjGpI GCDH 1k ; PpR G; a; bpR Zq : I GCDH is said to satisfy the CDH assumption if any PPT adversary A has negligible advantage in solving CDH problem. 2.2.2. Computational bilinear Diffie-Hellman (CBDH) problem A CBDH parameter generator I GCDH is a PPT algorithm that takes as input security parameter 1λ, runs in polynomial time, and outputs the description of two groups G1 and G2 of the same order q and an admissible bilinear map e:G1 × G1 →G2 . Informally the CBDH problem is to compute e(P,P)abc ∈ G2 for given a random generator P of G1 and aP, bP, cP or random ⁎ numbers a,b,c ∈ Zq . More formally, the advantage of A with respect to I GCBDH is defined to be " Pr eðP; PÞabc pAð G1 ; G2 ; e; P; aP; bP; cP Þ

j


 # ðG1 ; G2 ; eÞpIGCBDH 1k ; ⁎ PpR G1 ; a; b; cpR Zq

I GCBDH is said to satisfy the CBDH assumption if any PPT adversary A has negligible advantage in solving CBDH problem. As noted in [1], CBDH parameter generators satisfying the CBDH assumption is believed to be constructed from Weil and Tate pairings associated with super-singular eliptic curves or Abelian varieties.

• ID-UMDV is a deterministic polynomial time algorithm that on input common parameters para, a signer's identity IDS, a set of verifiers' identities DV = {IDV1,…, IDVn}, a set of verifiers' private keys SIDVi for IDVi ∈ DV and a message/DMV-signature pair (m,σ bDV), outputs accept or reject. Informally, in the above description SetUp and Extract are run by a trusted Key Generation Center (KGC). The four algorithms SetUp, Extract, ID-Sign, ID-PV denote an ordinary ID-based signature scheme [3]. Next we define security requirements for ID-UDMVS scheme: completeness, existential unforgeability under adaptive chosen message and ID attacks, non-transferability. Completeness. A properly formed ID-based universal designated multi-verifiers signature must be accepted by the identity-based multi-designated verification algorithm IDUMDV. That is, ID-UDMVS scheme should satisfy the following probability equation: (para, msk) ← SetUp (1λ), ∀ SIDS ← Extract (para, msk IDS), σ ← ID–Sign (para, SIDS, IDS, m), accept ← ID–PV (para, IDS, m, σ), For all DV = {IDV1 ,…, IDVn}, ∀ SIDVi ← Extract (para, msk IDVi), σ bDV ← ID–UMDS ( para, IDS, DV, m, σ), accept ← ID–UMDV (para, IDS, DV, SIDV1,…, SIDVn, m, σˆ DV)

3. Model In this section, we formally define a notion of Identity-based Universal Designated Multi-Verifiers Signature (ID-UDMVS) scheme. The ID-UDMVS scheme consists of a tuple of six algorithms, setup algorithm SetUp, identity-based signature generation algorithm ID-Sign, identity-based public verification algorithm ID-PV, identity-based universal multi-designation algorithm ID-UMDS, identity-based universal multi-designated verification ID-UMDV as follows: • SetUp is a PPT algorithm that on input security parameter 1λ, outputs a string consisting of common parameters para that are publicly shared by all users and a private master key msk. • Extract is a PPT algorithm that on input common parameters para, master key msk, and an ID ∈ {0,1}⁎, outputs a private key SID for user UID. SID may be used as a private signing key or a private verification key. • ID-Sign is a PPT algorithm that on input common parameters para, a signer's private key SIDS and a message m, outputs a public verifiable (PV) signature σ for m. • ID-PV is a deterministic polynomial time algorithm that on input common parameter para, a signer's identity IDS, a message m and a PV-signature σ, outputs accept or reject. • ID-UMDS is possibly a probabilistic algorithm that on input common parameters para, signer's identity IDS, a set of verifiers' identities DV = {IDV1,…, IDVn} and a message/ signature pair (m,σ), outputs a designated multi-verifiers (DMV) signature σ bDV for m.

ID-UDMVS unforgeability. In our model a forger F succeeds in breaking the scheme if it can output a valid new pair of (m, σ bDV). We call this security definition Existential Unforgeability for Identity-Based Universal Designated Multi-Verifiers Signature against Adaptive Chosen Message and ID Attack (EUF-IDUDMVS-CMAID). We define it via the following game: Let ID-UDMVS= (SetUp, Extract, ID-Sign, ID-PV, ID-UMDS, IDUMDV) be a ID-UDMVS scheme. F is a forger attacking the ID-UDMVS-Unforgeability of UDMVS that plays the following game with a challenger C. SetUp. The challenger C runs SetUp and gives the resulting public parameters para to F . But F does not know the master key. It is kept secret from F . Queries. F may adaptively issue the following queries to C. − Extract (ID) query: Given an ID, C outputs the private key SID corresponding to ID by running Extract. − Sign (IDS,m) query: Given an IDS and a message m, C returns the corresponding signature σ on m by running IDSign. Forgery. F outputs (IDS,DV⁎ = {ID⁎V1,…,ID⁎Vn}, m⁎, σ bDV) where IDS is a signer's identity, ID⁎V1 (1 ≤ i ≤ n) are designated verifiers' identities, σ bDV is a DMV-signature on m⁎. We say that F wins the game if acceptpID−UMDVð IDS ; DV ⁎ ; fSV1 ; :::; SVn g; m⁎ ; rbDV Þ;

S.-H. Seo et al. / Computer Standards & Interfaces 30 (2008) 288–295

under the restriction that (IDS,m⁎) has never been queried before to the Sign query, and IDS and one of ID⁎V (1 ≤ i ≤ n) have never been queried to the Extract query, that is, F is allowed to make, at most, n − 1 Extract queries for n designated verifiers' identities ID⁎V1,…, ID⁎Vn. An ID-UDMVS scheme is secure against EUF-ID-UDMVSCMAID if no probabilistic polynomial time algorithm F can win the above game with non-negligible probability. Non-transferability (privacy notion). The non-transferability property is ensured by a transcript simulation algorithm that can be performed by all designated multi-verifiers to produce an indistinguishable signature from the one that should be produced by the signature holder. 4. ID-based universal designated verifier signature scheme We present an ID-based signature scheme which is used as a building block for our ID-UDVS scheme. The signature scheme involves a trusted KGC. We denote this scheme by ID-S. And then, we present our construction of an ID-based universal designated verifier signature (ID-UDVS) scheme which provides batch verification for efficiency. 4.1. Underlying ID-based signature scheme (ID-S) This scheme consists of four algorithms, SetUp, Extract, IDSign, ID-PV. SetUp. First KGC runs BDH parameter generator and produces a random generator P of G1 . KGC chooses a random s ∈ Zp⁎ and computes Ppub = sP. Then KGC keeps s secret as the master secret key and publishes system parameters para = fe; G1 ; G2 ; q; P; Ppub ; H1 ; H2 g: H1 : f0; 1g⁎YG1 and H2: {0, 1}⁎ → Zq are cryptographic hash functions. Extract. When a user with identity ID wishes to obtain a key pair, KGC computes the public key QID ← H1(ID) and the private key SID ← sQID, and returns 〈QID, SID〉 to the user. ID-Sign. Given a secret key SID and a message m, pick a random r ∈R Zq⁎, compute U ← rP, h ← H2(m, U) and V ← rPpub + hSID. Output a signature σ = (U, V). ID-PV. Given the public parameter para, a message m, a signature σ = (U, V), check if eðV ; PÞ ¼ eðU þ hQID ; Ppub Þ: If the equality holds then output accept. Otherwise reject. 4.1.1. Batch verification The previous ID-S scheme allows so-called batch verification [2] of multiple signatures on different messages. That is, a verifier can check the validity of n signatures (U1, V1),⋯ (Un, Vn) on n messages m1,…, mn simultaneously: For given σi = (Ui, Vi) on mi (1 ≤ i ≤ n), check if e

Xn i¼1



Vi ; P ¼ e

Xn

where hi ← H2(mi, Ui).

i¼1



ðUi þ hi Qi Þ; Ppub ;

291

Remark. A similar method was used for user authentication in the group key agreement protocol in [5]. Next we show that the above ID-based signature scheme is secure in the following theorem. Theorem 1. Above ID-based signature scheme ID-S is existentially unforgeable against an adaptively chosen ID attacker in random oracle model under the CDH assumption. Proof. H1 and H2 are considered as random oracles in the security proof. Suppose there exists a forger A which has advantage in attacking ID-S. We want to build an algorithm B that uses A to solve the CDH problem. B receives a CDH ⁎ instance (P, aP, bP) for randomly chosen a; baZq and PaG1 . Its goal is to compute abP. B runs A as a subroutine and simulates its attack environment. B sets Ppub = aP where a is the master key, which is unknown to B, and gives system parameters to A. Without loss of generality, we assume that the Extract query is preceded by H1 query. To avoid collision and consistently respond to these queries B maintains two lists LH1 and LH2 which are initially empty. B then simulates the oracle queries of A as follows: • H1(IDi) query: Suppose A makes at most qH1 queries to H1 oracle. First, B chooses j ∈ [1, qH1] randomly. When A makes an H1(IDi) query where 1 ≤ i ≤ qH1, if i = j (we let IDi = ID⁎ at this point), B returns bP and adds 〈ID⁎,bP〉 to ⁎ LH1. Otherwise B picks a random ti aZq and returns tiP, and adds 〈IDi,ti〉 to LH1. • H2(mi, Ui) query: When A makes an H2(mi, Ui) query, B finds the tuple of the form 〈mi, Ui, hi〉 in LH2. If it exists, B returns hi. Otherwise B picks a random hi aZ⁎q and returns hi, and adds 〈mi, Ui, hi〉 to LH2. • Extract (IDi) query: When A makes an Extract (IDi) query, if IDi ≠ ID⁎, B finds the tuple of the form 〈IDi, ti〉 in LH1 , and returns tiaP. Otherwise B outputs FAIL and aborts the simulation. • Sign (IDi, mi) query: When A makes a Sign(IDi, mi) query, B ⁎ picks a random ri ; hi aZq . If IDi ≠ ID⁎, B finds the tuples of the form 〈IDi, ti〉 in LH2, and computes Ui = riP and Vi = riPpub + hitiaP. B then returns (Ui, Vi) and adds 〈mi, Ui, hi〉 to LH2. Otherwise B computes Ui = riP − hibP and Vi = riPpub and returns (Ui, Vi), and adds 〈mi, Ui, hi〉 to LH2. Eventually, A outputs a valid signature tuple (IDt, mt, σt) where IDt is a identity of a target user to be selected by A. If IDt = ID⁎, B outputs FAIL and aborts the simulation. Otherwise by replaying of B with the same random tape but different choices of H2, as done in the forking lemma [12], B gets two valid signature tuples (ID⁎, mt,h,Ut,Vt) and (ID⁎, mt,h′,Ut, Vt′) such that h ≠h′. If both outputs are expected ones, B computes as follows: 1 ðVt  Vt VÞ ¼ SID⁎ ¼ abP: h  hV The probability that B dose not abort during the simulation is 1 / qH1. Therefore, if a forger who can break ID-S exists, then an attacker who solves the CDH problem exists. □

292

S.-H. Seo et al. / Computer Standards & Interfaces 30 (2008) 288–295

4.2. Our ID-UDVS scheme If a designation is not performed, our ID-UDVS scheme functions as a public verifiable ID-S scheme and so compatibly uses SetUp, Extract, ID-Sign, and ID-PV algorithm of the ID-S scheme. SetUp. First KGC runs BDH parameter generator and produces a random generator P of G1 . KGC chooses a random ⁎ saZp and computes PPub = sP. Then KGC keeps s secret as the master secret key and publishes system parameters para = {e, G1 , G2 , q, P, PPub, H1, H2}. H1: {0, 1}⁎ → G1 and H2: {0, 1}⁎ → Zq are cryptographic hash functions. Extract. When a user with identity ID wishes to obtain a key pair, KGC computes the public key QID = H1(ID) and the private key SID = sQID, and returns 〈QID, SID〉 to the user. ID-Sign. Given a signer's secret key SIDS and a message m, ⁎ pick a random raR Zp , compute U ← rP, h ← H2(m, U) and V ← rPPub + hSIDS. Output a signature σ = (U, V). ID-PV. Given the public parameter para, a message m, a signature σ = (U, V), check if
 eðV ; PÞ ¼ e U þ hQIDS ; Ppub : If the equality holds then output accept. Otherwise reject. ID-UDS. Given a designated verifier's public key IDV and a message/signature pair (m, σ), compute VbDV = e(V, QIDV), where QIDV = H1(IDV) ∈ G1. The designated verifier signature is σ bDV = (U, VbDV). ID-UDV. Given a signer's public key IDS, a verifier's secret key SIDV, and a message/designated verifier signature pair (m, σ bDV), check if eðU þ H2 ðm; U ÞQIDS ; SIDV Þ ¼ Vb DV If the equality holds then output accept. Otherwise reject. Completeness. The completeness of the ID-UDVS is justified as follows: Vb DV ¼ eðV ; QIDV Þ
 ¼ e rPpub þ hSIDS ; QIDV ¼ eðrsP þ hsQIDV ; QIDV Þ ¼ eðrP þ hQIDV ; sQIDV Þ ¼ eðU þ H2 ðm; U ÞQIDS ; SIDV Þ:

B is to inject the above (aP, bP, cP) during the simulation, and to compute e(P, P)abc. B runs F as a subroutine and simulates its attack environment. B sets Ppub = aP where a is the master key, which is unknown to B, and gives system parameters to F . Without loss of generality, we assume that the Extract query is preceded by H1 query. To avoid collision and consistently respond to these queries B maintains two lists LH1 and LH2 which are initially empty. Then, B simulates the oracle queries of F as follows: • H1 (IDi) query: Suppose F makes at most qH1 queries to H1 oracle. First, B chooses j, k ∈ [1, qH1] randomly. When F makes an H1 (IDi) query where 1 ≤ i ≤ qH1, if i = j (we let IDi = ID⁎S at this point), B returns bP and adds 〈ID⁎S, bP〉 to LH1. If i = K (we let IDi = ID⁎V at this point), B returns cP and ⁎ adds 〈ID⁎V, cP〉 to LH1. Otherwise B picks a random ti aZq and returns tiP, and adds 〈IDi, ti〉 to LH1. • H2 (m1, Ui) query: When F makes an H2 (m1, Ui) query, B finds the tuple of the form 〈mi, Ui, hi〉 in LH2. If it exists, B ⁎ returns hi. Otherwise B picks a random hi ∈ Zq and returns hi, and adds 〈mi, Ui, hi〉 to LH2. • Extract (IDi) query: When F makes an Extract (IDi) query, if IDi ≠ ID⁎S and IDi ≠ ID⁎V, B finds the tuples of the form 〈IDi, ti〉 in LH1, and returns tiaP. Otherwise B outputs FAIL and aborts the simulation. • Sign (IDi, mi) query: When F makes a Sign (IDi, mi) query, B ⁎ picks a random ri, hi ∈ Zq . If IDi ≠ ID⁎S and IDi ≠ ID⁎V, B finds the tuples of the form 〈IDi, ti〉 in LH2, and computes Ui = riP and Vi = riPpub + hitiaP. B then returns (Ui, Vi) and adds 〈mi, Ui, hi〉 to LH2. If IDi = ID⁎S, B computes Ui =riP −hibP and Vi = riPpub and returns (Ui, Vi), and adds 〈mi, Ui, hi〉 to LH2. If IDi = ID⁎V, B computes Ui = riP − hicP and Vi = riPpub and returns (Ui, Vi), and adds 〈mi, Ui, hi〉 to LH2. Eventually, F outputs a valid designated verifier signature tuple (IDt, mt, Ut, VbDV) where IDt is an identity of a target user to be selected by F. If IDt ≠ ID⁎S and IDt ≠ ID⁎V ∈ DV1, B outputs FAIL and aborts the simulation. Otherwise by replaying of B with the same random tape but different choice of a random set for H2, as done in the forking lemma [13]. B gets two valid designated verifier signature tuples (IDt, mt, Ut, VbDVt), where VbDVt = e(Vt, QIDV) and (IDt, mt, Ut, Vb′DVt), where Vb′DVt = e(V′t, QIDV) such that h ≠ h′. If both outputs are expected ones, B computes as follows: V

Theorem 2. (ID-UDVS Unforgeability). Our ID-based universal designated verifier signature scheme ID-UDVS is existentially unforgeable against an adaptively chosen message and ID attacker in random oracle model under the CBDH assumption. Proof. Suppose there exists a forger F which has advantage in attacking ID-UDVS. We want to build an algorithm B that uses F to solve the CBDH problem. B receives a CBDH instance ⁎ (aP, bP, cP) for random a; b; caZq and PaG1 . The purpose of

1

ðVb DVt =Vb DV Þðhh VÞ t

mod q

1

¼ eðVt  Vt V; QIDV Þðhh VÞ

¼ eððh  h VÞSIDS ; QIDV Þðhh VÞ

1

1

¼ eððh  h VÞabP; cPÞðhh VÞ ¼ eðP; PÞabc

The probability that B dose not abort during the simulation is 2 / (qH1 · (qH1 − 1)). Therefore, if a forger who can break IDUDVS exists, then an attacker who solves the CBDH problem exists. □

S.-H. Seo et al. / Computer Standards & Interfaces 30 (2008) 288–295

Theorem 3. (Non-transferability). ID-UDVS scheme achieves the non-trans-ferability. That is, the designated verifier cannot convince any other third party about the authenticity of the received designated verifier signature σ bDV on a message m. Proof. The non-transferability of our ID-UDVS scheme is achieved because the designated verifier can always simulate the received signature σ bDV = (U, VbDV) by producing a valid signature. More precisely, he can generate U′ = rP for a random number r ∈ Zq and Vb′DV = e(U′ + H2 (m′, U′)QIDS, SIDV) for an arbitrary message m′ ∈ {0, 1}⁎ such that σ b′DV = (U′, Vb′DV) passes the designated verification algorithm ID-UDV since Vb′DV = e (U′ +H2 (m′, U′)QIDS, SIDV) = e (rPpub + H2 (m′, U′) sQIDS, QIDV). Obviously, the distribution of σ b′DV = (U′, Vb′DV) is perfectly indistinguishable from that of an original designated-verifier signature generated by ID-UDS. □ 5. ID-based universal designated multi-verifiers signature scheme In this section, we propose an ID-based universal designated multi-verifiers signature (ID-UDMVS) scheme based on bilinear pairings. If a multi-designation is not performed, our ID-UDMVS scheme functions as a public verifiable ID-S scheme and so compatibly uses SetUp, Extract, ID-Sign, and ID-PV algorithm of the ID-S scheme. Like the ID-S, the proposed ID-UDMVS scheme provides batch verification. 5.1. Our ID-UDMVS scheme SetUp. First KGC runs BDH parameter generator and produces a random generator P of G1 . KGC chooses a random ⁎ s ∈ Zp and computes Ppub = sP. Then KGC keeps s secret as the master secret key and publishes system parameters para = {e, G1 , G2 , q, P, Ppub, H1, H2}. H1: {0, 1}⁎ → G1 and H2: {0, 1}⁎ → Zp are cryptographic hash functions. Extract. When a user with identity ID wishes to obtain a key pair, KGC computes the public key QID = H1(ID) and the private key SID = sQID, and returns 〈QID, SID〉 to the user. ID-Sign. Given a secret key SIDS and a message m, pick ⁎ a random r ∈ RZp , compute U ← rP, h ← H2(m, U) and V ← rPpub +hSID. Output a signature σ = (U, V). ID-PV. Given the public parameter para, a message m, a signature σ = (U, V), check if




eðV ; PÞ ¼ e U þ hQIDS ; Ppub : If the equality holds then output accept. Otherwise reject. ID-UMDS. Given a set of verifiers' public keys DV = {IDV1,…, ID Vn } and a message-signature pair (m, σ), compute
P  Vb DV ¼ e V ; ni¼1 QIDi , where QIDi =H1(IDi) ∈ G1 . The DMV signature is σ bDV = (U, VbDV). ID-UMDV. Given a signer's public key IDs, a set of verifiers' secret/public keys {(IDV1, SIDV1),…, (IDVn, SIDVn)},

293

and a message/DMVS pair (m, σ bDV), each verifier performs the following algorithm: • Compute ei = e(U + H2(m, U)QIDS, SIDVi). • Generate a signature σi on the ei by running ID-Sign (SIDVi, ei) and publish (ei, σi) among the designated verifiers DV = {IDV1,…, IDV}. • Run ID-PV (para, ej, σj) to check the validity of all of the σj (j = 1,…, n) (possibly using batch verification technique). If one of n signatures is invalid then output reject. • Check if   n n Vb DV ¼ j ei ¼ j e U þ H2 ðm; U ÞQIDS ; SIDVi : i¼1

i¼1

If the equality holds then output accept. Otherwise reject.

5.2. Security analysis Completeness. The completeness of the ID-UDMVS is justified as follows:   n j e U þ H2 ðm; U ÞQIDS ; SIDVi i¼1 ! n X SIDVi ¼ e U þ H2 ðm; U ÞQIDS ; i¼1

¼ e srP þ shQIDS ;

n X

QIDVi

i¼1

¼ e rPpub þ hSIDS ; ¼ e V;

n X

n X

! QIDVi

! !

QIDVi

i¼1

¼ Vb

i¼1

Next we show that the ID-UDMVS Unforgeability and NonTransferability of ID-UDMVS scheme. Theorem 4. (ID-UDMVS Unforgeability). Our ID-based universal designated multi-verifiers signature scheme ID-UDMVS is existentially unforgeable against an adaptively chosen message and ID attacker in random oracle model under the CBDH assumption. Proof. Suppose there exists a forger F which has advantage in attacking ID-UDMVS. We want to build an algorithm B that uses F to solve the CBDH problem. B receives a CBDH ⁎ instance (aP, bP, cP) for random a, b, c ∈ Zq and P ∈ G1 . The purpose of B is to inject the above (aP, bP, cP) during the simulation, and to compute e(P,P)abc. B runs F as a subroutine and simulates its attack environment. B sets Ppub = aP where IDV ∈ DV = {IDV1,…, IDVn}, a is the master key, which is unknown to B. B gives system parameters to F . Without loss of generality, we assume that the Extract query is preceded by H1 query. To avoid collision and consistently respond to these

294

S.-H. Seo et al. / Computer Standards & Interfaces 30 (2008) 288–295

queries B maintains two lists LH1 and LH2 which are initially empty. Then, B simulates the oracle queries of F as follows: • H1 (IDi) query: Suppose F makes at most qH1 queries to H1 oracle. First, B chooses j, k ∈ [1, qH1] randomly. When F makes an H1 (IDi) query where 1 ≤ i ≤ qH1, if i = j (we let IDi = ID⁎S at this point), B returns bP and adds 〈ID⁎V, bP〉 to LH1. If i = k (we let IDi = ID⁎V, ID⁎V ∈ DV at this point), B returns cP and adds 〈ID⁎V, cP〉 to LH1. Otherwise B picks a ⁎ random ti ∈ Zq and returns tiP, and adds 〈IDi, ti〉 to LH1. • H2 (mi, Ui) query: When F makes an H2 (mi, Ui) query, B finds the tuple of the form 〈mi, Ui, hi〉 in LH1. If it exists, B ⁎ returns hi. Otherwise B picks a random hi ∈ Zq and returns hi, and adds 〈mi, Ui, hi〉 to LH2. • Extract(IDi) query: When F makes a Extract(IDi) query, if IDi ≠ ID⁎S and IDi ≠ ID⁎V, B finds the tuple of the form 〈IDi, ti〉 in LH1, and returns tiaP. Otherwise B outputs FAIL and aborts the simulation. • Sign(IDi, mi) query: When F makes a Sign(IDi, mi) query, B ⁎ picks a random ri, hi ∈ Zq . If IDi ≠ ID⁎S and IDi ≠ ID⁎V, B finds the tuples of the form 〈IDi, ti〉 in LH2, and computes Ui = riP and Vi = riPpub + hitiaP. B then returns (Ui, Vi) and adds 〈mi, Ui, hi〉 to LH2. If IDi = ID⁎S, B computes Ui = riP − hibP and Vi = riPpub and returns (Ui, Vi), and adds 〈mi, Ui, hi〉 to LH2. If IDi = ID⁎V, B computes Ui = riP − hicP and Vi = riPpub and returns (Ui, Vi), and adds 〈mi, Ui, hi〉 to LH2. Eventually, F outputs a valid designated multi-verifiers signature tuple (IDt, DVt = {IDV1,…, IDVn}, mt, σ bDVt) where IDt is a identity of a target user to be selected by F. If IDi ≠ ID⁎S and IDi ≠ ID⁎V ∈ DVt, B outputs FAIL and aborts the simulation. Otherwise by replaying of B with the same random tape but different choice of a random set for H2, as done in the forking lemma [13]. B gets two valid designated multi-verifiers signature tuples (ID tP , DV t , m t , σ bDV t ), where rbDVt ¼ ðUt ;Vb DVt Þ;Vb DVt ¼ eðVt ; ni¼1 QIDVi Þ and (IDP bDV′t), t, DV′t, m′t, σ where rbDVt V ¼ ðUt ;Vb DVt VÞ; Vb DVt V ¼ eðVt V; ni¼1 QIDVi Þ such that h ≠ h′. If both outputs are expected ones, B computes as follows:   VbDVt   ; Q ¼ e V ; t ID Vk P e Ut þ hQIDS ; ni¼1;ipk SVi

The probability that B dose not abort during the simulation is 2 / (qH1 · (qH1 − 1)). Therefore, if a forger who can break IDUDMVS exists, then an attacker who solves the CBDH problem exists. □ Theorem 5. (Non-transferability). ID-UDMVS scheme achieves the non-transferability. That is, each designated verifier cannot convince any other third party about the authenticity of the received designated multi-verifiers signature σ bDV on a message m. Proof. The non-transferability of our ID-UDMVS scheme is achieved because designated multi-verifiers IDV1 ,…, IDVn can always simulate the received signature σ bDV = (U, VbDV) by producing a valid signature. More precisely, they can always generate a designated multi-verifiers signature σ b′DV on a message m′ as follows: ⁎

• Generate a random number r′ ∈ Zp and compute U′ = r′P. • For given U′ and m′, each designated verifier computes ei = e (U′ + H2(m′, U′) QIDS, SIDVi ). • Compute   n Vb VDV ¼ j e U Vþ H2 ðm V; U VÞQIDS ; SIDVi i¼1

The generated signature σ b′DV = (U′, Vb′DV) passes the multidesignation verification algorithm ID-UMDV, because   n Vb VDV ¼ j e U Vþ H2 ðm V; U VÞQIDS ; SIDVi i¼1 ! n X QIDVi ¼ e r VPpub þ h VSIDS ; i¼1 ! n X ¼ e V V; QIDVi ; i¼1

where h′ = H2 (m′, U′) and V′ = r′Ppub + h′SIDS. Obviously, the distribution of σ b′DV = (U′, Vb′DV) is perfectly indistinguishable from that of an original designated multi-verifiers signature generated by ID-UMDS. □ 5.3. Further constructions

  VbDVtV   ¼ e VtV; QIDV Pn k e Ut þ hVQIDS ; i¼1;ipk SVi    ðhh VÞ1 mod q e Vt ; QIDVk =e VtV; QIDVk  ðhh VÞ1 ¼ e Vt  Vt V; QIDVk  ðhh VÞ1 ¼ e ðh  h VÞSIDS ; QIDVk 1

¼ eððh  h VÞabP; cPÞðhh VÞ ¼ eð P; PÞabc

We can similarly apply our construction method for UDVS scheme to ID-based signature schemes using bilinear maps in the “Σ framework” such as ID-based signature schemes in [3]: Typically, in this framework a generator P for a mathematical group G and a master private key s are randomly generated and (P, Ppub = sP) is made public. Each user with ID is given a public key, H (ID), and a private signing key, sH (ID), where H is a public hash function. A signature normally consists of two parts (U, V), i.e., a commitment U of a random number and a linear combination V between the random number, a private signing key and a message digest. Using a bilinear map as a DDH oracle, we can publicly verify the validity of the signature by

S.-H. Seo et al. / Computer Standards & Interfaces 30 (2008) 288–295

checking a given quadruple (P, U′, Ppub, V) is a DDH-tuple where U′ = s− 1V contains U as a part. When a user obtains a signature (U, V), he makes use of a bilinear map e to compute V′ = e(V, H(ID1)) to freely designate a verifier with ID1. Since the verifier has a private key sH(ID1), he can only verify the validity of the signature by computing e (U′, sH(ID1)) and comparing this with given V′. Interestingly, this structure of secret verification by only the designated verifier provides signer ambiguity since the designated verifier, like a original signer, can generate such a signature by using his private key, sH(ID). Extending this designation and verification structure for a single verifier by combining, i.e., adding verifier identities H(IDi) to be QDV ¼ Rni¼1 H ðIDi Þ, we can make a structure for multi-verifiers which results in a UDMVS scheme. The combined identities mID is considered as a single ID of a designated-verifier in the previous UDVS construction. However, to verify a UDVS signature, a set of multi-designated verifiers collaborate to construct a private key sQDV corresponding to QDV. 6. Conclusions We presented a formal notion of ID-based universal designated multi-verifiers signature scheme and proposed concrete ID-based UDMVS schemes using bilinear maps. Our construction method provides a generic method to transform ID-based designated single verifier signature schemes defined in so-called the sigma framework to multi-verifiers schemes. Unfortunately, our method requires collaboration of designated verifiers to verify an ID-based designated multi-verifiers signature. For efficiency improvement, one interesting open problem is to build an ID-based UDMVS scheme where a designated verifier can check the validity of an ID-based designated multi-verifiers signature without collaboration of other designated verifiers. Acknowledgment This research was supported by the MIC(Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Advancement) (IITA-2006-(C1090-0603-0025)). References [1] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, Advances in Cryptology-Crypto 2001, LNCS 2139, Springer-Verlag, 2001, pp. 213–229. [2] M. Bellare, J.A. Garay, T. Rabin, Fast batch verification for modular exponentiation and digital signatures, Advances in Cryptology- Eurocrypt'98, LNCS 1403, Springer-Verlag, 1998, pp. 236–250.

295

[3] J.C. Cha, J.H. Cheon, An identity-based signature from gap DiffieHellman groups, PKC'2003, Springer-Verlag, 2003, pp. 51–83, LNCS 2567. [4] R. Cramer, I. Damgard, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, Proc. of Crypto'94, LNCS 839, Springer-Verlag, 1994, pp. 174–187. [5] K.Y. Choi, J.Y. Hwang, D.H. Lee, Efficient ID-based group key agreement with bilinear maps, Proc. of PKC'04, LNCS 2947, Springer-Verlag, 2004, pp. 130–144. [6] Y. Desmedt, Verifier-Designated Signatures, Rump Session, Crypto'03, 2003. [7] J. Garay, P. MacKenzie, K. Yang, Strengthening zero-knowledge protocols using signatures, Proc. of EUROCRYPT '03, LNCS 2656, SpringerVerlag, 2003, pp. 177–194. [8] X. Huang, W. Susilo, Y. Mu, F. Zhang, Short (identity-based) strong designated verifier signature schemes, Proc. of ISPEC'06, LNCS 3903, Springer-Verlag, 2006, pp. 214–225. [9] M. Jakobsson, K. Sakoans, R. Impagliazzo, Designated verifier proofs and their applications, Proc. of Eurocrypt'96, LNCS 1070, Springer-Verlag, 1996, pp. 142–154. [10] F. Laguillaumie, D. Vergnaud, Designated verifiers signature: anonymity and efficient construction from any bilinear map, Proc. of SCN'04, LNCS 3352, Springer-Verlag, 2004, pp. 107–121. [11] F. Laguillaumie, D. Vergnaud, Multi-designated verifiers signatures, Proc. of ICICS'04, LNCS 3269, Springer-Verlag, 2004, pp. 495–507. [12] C.Y. Ng, W. Susilo, Y. Mu, Universal designated multi verifier signature schemes, Proc. of ICPADS'05, IEEE, 2005. [13] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, J. Cryptol. 13 (2000) 361–396. [14] R.L. Rivest, A. Shamir, Y. Tauman, How to leak a secret, Proc. of Asiacrypt'01, LNCS 2248, Springer-Verlag, 2001, pp. 552–565. [15] A. Shamir, Identity-based cryptosystems and signature schemes, Proc. of Crypto'84, LNCS 196, Springer-Verlag, 1984, pp. 47–53. [16] R. Steinfeld, L. Bull, H. Wang, J. Pieprzyk, Universal designated-verifier signatures, Proc. of Asiacrypt'03, LNCS 2894, Springer-Verlag, 2003, pp. 523–543. [17] S. Saeednia, S. Kramer, O. Markovitch, An efficient strong designated verifier signature scheme, Proc. of ICISC'03, LNCS 2869, SpringerVerlag, 2003, pp. 40–54. [18] W. Susilo, F. Zhang, Y. Mu, Identity-based strong designated verifier signature schemes, Proc. of ACISP'04, LNCS 3108, Springer-Verlag, 2004, pp. 313–324. [19] F. Zhang, W. Susilo, Y. Mu, X. Chen, Identity-based universal designated verifier signatures, Proc. of EUC Workshops'05, LNCS 3823, SpringerVerlag, 2005, pp. 825–834.