Sage Journals: Discover world-class research

Abstract

Strong designated verifier signature is a special digital signature in which a signature can only be verified by the designated verifier. As more and more mobile devices have been used in the scenarios of strong designated verifier signature, it raises a challenge to design a strong designated verifier signature scheme to meet security and efficiency simultaneously. Recently, Zhang et al. proposed a new strong designated verifier signature scheme with time limit to address the challenge. However, we show that their scheme is not secure against forgery attack and propose an improved strong designated verifier signature scheme using symmetrical encryption technology. Performance analysis shows that the proposed scheme can meet all security requirements and is more efficient than Zhang et al.’s strong designated verifier signature scheme.

Keywords

Strong designated verifier signature bilinear pairing computational Diffie–Hellman problem security model performance

Introduction

As one of the pivotal technologies of information security, digital signature has been widely used in all kinds of applications to provide authentication, data integrality, and non-repudiation. In general, the validity of a signature can be checked by anyone who has the signer’s public key. In some case, the signature can be checked by its designated verifier only, such as electronic payment system and electronic voting system. To settle this question, Chaum and Van Antwerpen¹ introduced the concept of undeniable signature, in which the signer can completely control his or her signature by the participation of verifier under interaction protocol. However, their undeniable signature is vulnerable to blackmailing attack² and mafia attack.³ Based on the similar concept, Jakobsson et al.⁴ presented two new concepts about designated verifier signature (DVS) and strong DVS (SDVS). The DVS provides message authentication without non-repudiation. Only the designated verifier in DVS can check the validity of any signature that has designated to him or her. Because the designated verifier could simulate a signature that is distinguished from one that generated by the original signer, he or she could not transfer the conviction to others. In SDVS, the public key of designated verifier is involved to generate the signature and the secrete key of designated verifier is used to check the validity of message. Thus, SDVS achieves the goal of designated verification well. Saeednia et al.⁵ proposed a formal definition of SDVS and an efficient specific SDVS scheme. From then on, many study results on the DVS/SDVS have been proposed. These proposed schemes are mainly be classified into three categories, public key cryptography (PKC)-based DVS,^5–7 certificateless SDVS schemes^8–11 and ID-based SDVS schemes.^12–16

With the development of wireless communication technology, we have entered a wireless mobile Internet era. More and more mobile devices are used as the main tools for electronic payment, electronic voting, and so on. However, mobile devices are limited in computation capacity and energy, in which the complex cryptographic operations could not be executed perfectly and may face a dilemma in balancing efficiency and security. In addition, there may be a large number of messages should be checked and processed within time limit in the scenarios of SDVS. Therefore, it poses a new challenge on the design of SDVS scheme that should meet the requirement of security and efficiency for mobile devices.

Most recently, Zhang et al.¹⁷ proposed an efficient secured SDVS scheme to meet the new requirements of SDVS. In Zhang et al.’s scheme, messages and timestamp are secretly embedded in signatures that could be recovered only by the signer and the designed verifier. Zhang et al. claimed that their scheme could resist the replay attack and forgery attack. However, a concrete example in section “Review and cryptanalysis of Zhang et al.’s scheme” demonstrates that their scheme is not secure against universal forgery attack.

To address the challenge of SDVS well, we propose an improved SDVS scheme over Zhang et al.’s¹⁷ scheme in this article. In the proposed scheme, the message and timestamp could be transmitted in secret, where symmetric cryptography is involved to decrease computation cost without security loss. Security analysis shows that the proposed scheme can meet all security requirements of SDVS, and the comparison of computation cost shows that the proposed scheme needs less computation cost than Zhang et al.’s¹⁷ scheme.

The rest of this article is organized as follows. Section “Preliminaries” reviews preliminaries about SDVS. Section “Review and cryptanalysis of Zhang et al.’s scheme” briefly reviews Zhang et al.’s¹⁷ SDVS scheme and demonstrates their scheme’s deficiency. A new improved SDVS scheme using the symmetrical encryption technology is proposed in section “The proposed SDVS scheme.” Performance analysis is presented in section “Performance analysis” and conclusions in section “Conclusion.”

Preliminaries

In this section, we briefly introduce some knowledge about the bilinear pairing and the security model of the SDVS scheme. For simplicity, the main notations used in this article are listed in Table 1.

Table 1.

Notations and corresponding descriptions.

Symbol	Description
$E_{p} (a, b)$	An elliptic curve over a finite field $F_{p}$
$G_{1} / G_{2}$	An additive/multiplication group on elliptic curve E
$P, Q$	Two generator points of $G_{1}$
q	The order of the groups $G_{1}$ and $G_{2}$
e	The bilinear pairing
$I D_{i}$	The user’s identity
$Q_{I D_{i}} / S_{I D_{i}}$	The user’s public key/private key
$E_{k} () / D_{k} ()$	The encryption/decryption with key k
$H_{1}$	Map-to-Point hash function ${0, 1}^{*} \to G_{1}$
$H_{2}, H_{3}$	One-way hash function ${0, 1}^{} \to Z_{q}^{}$

Bilinear pairing and computational problem

As listed in Table 1, e is the symmetric bilinear pairing, which satisfies the following properties:

Bilinearity: $\begin{matrix} e (R_{1} + R_{2}, Q) = e (R_{1}, Q) e (R_{2}, Q) \forall Q, R_{1}, R_{2} \in G_{1} \\ e (R, Q_{1} + Q_{2}) = e (R, Q_{1}) e (R, Q_{2}) \forall R, Q_{1}, Q_{2} \in G_{1} \end{matrix}$

Non-degeneracy: There exists $R, Q \in G_{1}$ , which satisfies $e (R, Q) \neq 1$ .

Computability: Given any two random points $R, Q \in G_{1}$ , there is a polynomial time algorithm to compute $e (R, Q)$ .

Bilinear Diffie–Hellman (BDH) Problem:¹⁸ Given three random points $xP, yP, zP \in G_{1}$ , there is no polynomial time algorithm to compute $e (P, P)^{xyz}$ , where $x, y, z$ are three unknown elements.

Security model of the SDVS scheme

An SDVS scheme should meet the security requirements defined as follows.

1. Correctness

A secure SDVS scheme should ensure that each signature could be correctly verified in the polynomial time.

2. Non-transferability

Since the fact that the verifier can generate a transcript by the simulation algorithm, the third party has no ability to distinguish the signature from the transcript.

3. Strongness

The designated verifier must use his private key when he verifies the signature. This property ensures that the secret information in the signature would not be revealed.

4. Source hiding

Given the message, the signature, and all the private keys, the third party cannot also distinguish the signature’s generator.

5. Unforgeability

An adversary cannot forge a legal signature without knowing the participants’ private keys. The unforgeability of the SDVS scheme can be defined through a game played between a challenger $C$ and an adversary $A$ . The game consists of three phase: Setup, Queries, and Attack.

Setup: In this phase, the challenger $C$ should generate system parameters and send them to the adversary $A$ .

Queries: After obtaining system parameters, $A$ can request the following queries.

$Key - extract - queries$ . When the challenger $C$ receives the user’s identity $I D_{i}$ from $A$ , he returns the responding private key to the adversary.

$Sign - queries$ . When $A$ requests this kind of query, he sends the message m, signer’s identity $I D_{i}$ , and the verifier’s identity $I D_{j}$ to the challenger. Then, $C$ generates the signature $δ$ and returns it to $A$ .

$Verify - queries$ . After receiving a signature $δ$ from the adversary, $C$ first checks its validity. Finally, $C$ returns 1 (the signature is correct) or 0 (the signature is illegal).

Attack. Finally, the adversary $A$ outputs a forge signature $δ^{*}$ . $A$ wins the game if the following situations are satisfied:

The DVS $δ^{*}$ is a legal signature and it is not from the $Sign - queries$ .

$A$ has not requested the $Key - extract - queries$ on the corresponding signer’s and verifier’s private key.

Review and cryptanalysis of Zhang et al.’s scheme

In this section, we first review Zhang et al.’s¹⁷ SDVS scheme. Then, we demonstrate that their scheme is vulnerable to forgery attack.

Review of the Zhang et al.’s scheme

There are five phases included in Zhang et al.’s SDVS scheme: setup phase, key-extract phase, signing phase, verifying phase, and simulation phase. For simple presentation, let Alice and Bob be the signer and the designated verifier in the scheme, respectively, in the rest of this article.

Setup phase. In this phase, private key generator (PKG) generates system parameters by the following steps.

PKG chooses two cyclic groups $G_{1}$ and $G_{2}$ and defines a bilinear pairing e.

PKG randomly selects a number $s \in Z_{q}$ as its mater key. Then, it computes $P_{pub} = s \cdot P$ as its public key.

PKG chooses three hash functions: $H_{1}, H_{2}, H_{3}$ , as shown in Table 1.

Finally, PKG broadcasts system parameters ${G_{1}, G_{2}, e, q, P, P_{pub}, H_{1}, H_{2}, H_{3}}$ .

Key-extract phase. In this phase, PKG extracts user’s public/private key pairs. When a new registering user sends his identity $I D_{i}$ to the PKG, the PKG computes the user’s private key $S_{I D_{i}} = s \cdot H_{1} (I D_{i})$ and the corresponding public key $Q_{I D_{i}} = H_{1} (I D_{i})$ . Finally, the PKG sends $S_{I D_{i}}$ to the user.

Signing phase. Assume Bob’s identifier is $I D_{B}$ and Alice’s identifier is $I D_{A}$ . Alice generates a DVS on message m by the following steps.

Computes Bob’s public key $Q_{I D_{B}} = H_{1} (I D_{B})$ .

Selects time range T and computes timestamp $t = H_{2} (T)$ .

Computes $W = e (S_{I D_{A}}, Q_{I D_{B}})$ , $r = H_{3} (m | | t)$ , and $σ = (m | | t) \oplus W^{r}$ .

Finally, Alice sends the signature $(r, σ)$ to Bob.

Verifying phase. After receiving the signature $(r, σ)$ from Alice, Bob computes $W = e (S_{I D_{B}}, Q_{I D_{A}})$ and then obtains $(m | | t)$ by computing $(m | | t) = σ \oplus W^{r}$ . Next, Bob checks whether the equation $r = H_{3} (m | | t)$ holds or not. If it holds, Bob accepts the signature; otherwise, he rejects it.

Simulation phase. After verifying the signature $(r, σ)$ , Bob could obtain a signature transcript by the following steps.

Selects time range $T'$ and computes timestamp $t' = H_{2} (T')$ .

Computes public key of Alice by $Q_{I D_{A}} = H_{1} (I D_{A})$ .

Computes $W' = e (S_{I D_{B}}, Q_{I D_{A}})$ , $r' = H_{3} (m | | t')$ , and $σ' = (m | | t') \oplus W'^{r'}$ .

Finally, Bob saves the signature $(r', σ')$ as the transcript of message m.

Cryptanalysis of Zhang et al.’s scheme

Zhang claimed that their SDVS scheme could provide unforgeability. However, we demonstrate that a universal adversary $A$ could generate a legal signature on any messages by the following steps.

$A$ chooses two target users in the SDVS scheme, for example, Alice and Bob.

When $A$ requests the signing query on message m, Alice returns a legal signature $(r, σ)$ to $A$ , where $t = H_{2} (T)$ , $W = e (S_{I D_{A}}, Q_{I D_{B}})$ , $r = H_{3} (m | | t)$ , and $σ = (m | | t) \oplus W^{r}$ .

Because $A$ can start the signing query at any time, $A$ can easily obtain the correct time range T that is used in the signature $(r, σ)$ by checking $r ? = H_{3} (m | | H_{2} (T))$ with different T. Then, $A$ can get $W^{r}$ by computing $W^{r} = (m | | t) \oplus σ$ . After that, $A$ get W by computing $W = (W^{r})^{r^{- 1}}$ .

After getting the secret value W, $A$ selects a new time range $T^{*}$ and then computes $t^{*} = H_{2} (T^{*})$ , $r^{*} = H_{3} (m^{*} | | t^{*})$ , and $σ^{*} = (m^{*} | | t^{*}) \oplus W^{r^{*}}$ . Finally, $A$ forges a DVS $(r^{*}, σ^{*})$ on behalf of Alice.

When Bob receives the forged signature $(r^{*}, σ^{*})$ , he computes $W = e (S_{I D_{B}}, Q_{I D_{A}})$ and $(m^{*} | | t^{*}) = σ^{*} \oplus {W^{r}}^{*}$ . Then, he checks whether the equation $r^{*} = H_{3} (m^{*} | | t^{*})$ holds or not. However, because the adversary $A$ uses the correct W to forge the signature $(r^{*}, σ^{*})$ , $r^{*} = H_{3} (m^{*} | | t^{*})$ can hold well during Bob’s verification phase. Therefore, Zhang et al.’s SDVS scheme is not secure against forgery attack.

The proposed SDVS scheme

In this section, an improved SDVS scheme over Zhang et al.’s scheme is proposed. The proposed scheme consists of five similar phases with Zhang et al.’s scheme.

Setup phase and key-extract phase. The two phases are same as Zhang et al.’s scheme. Therefore, we do not repeat here, and the details are available in section “Review and Cryptanalysis of Zhang et al.’s scheme.”

Signing phase. Given the message m, Alice performs the following steps to generate a DVS.

Computes Bob’s public key $Q_{I D_{B}} = H_{1} (I D_{B})$ .

Selects time range T and computes timestamp $t = H_{2} (T)$ .

Computes $W = e (S_{I D_{A}}, Q_{I D_{B}})$ and $r = H_{3} (m | | t)$ .

Computes $σ = E_{W} (m | | r | | t)$ and sends the signature $(r, σ)$ to Bob.

Verifying phase. After receiving the signature $(r, σ)$ from Alice, Bob verifies the signature by the following steps.

Computes $W = e (S_{I D_{B}}, Q_{I D_{A}})$ .

Computes m, r, and t by $(m | | r | | t) = D_{W} (σ)$ .

Bob checks whether the equation $r = H_{3} (m | | t)$ holds or not. If it holds, Bob accepts the message; otherwise, he rejects the message.

The details of signing phase and verifying phase in the proposed scheme is shown in Figure 1.

Simulation phase. After verifying the signature $(r, σ)$ , Bob could simulate a signature transcript by the following steps.

Compute Alice’s public key $Q_{I D_{A}} = H_{1} (I D_{A})$ .

Select time range $T'$ and compute timestamp $t' = H_{2} (T')$ .

Compute $W' = e (S_{I D_{B}}, Q_{I D_{A}})$ , $r' = H_{3} (m | | t')$ , and $σ' = E_{W} (m | | r' | | t')$ .

Finally, Bob saves the signature $(r', σ')$ as the transcript of message m.

Figure 1.

The signing phase and verifying phase of the proposed scheme.

Performance analysis

In this section, the security and the computational cost of the proposed SDVS scheme is evaluated first. Then, the proposed scheme is compared with Zhang et al.’s SDVS scheme in terms of security and computation cost.

Security analysis

Correctness

Because $e (S_{I D_{B}}, Q_{I D_{A}}) = e (s \cdot Q_{I D_{B}}, Q_{I D_{A}}) = e (Q_{I D_{A}}, s \cdot Q_{I D_{B}}) = e (Q_{I D_{A}}, S_{I D_{B}})$ , the verifier Bob could obtain the correct value W. Then, Bob can extract m and t via the equation $(m | | r | | t) = D_{W} (σ)$ . Finally, the equation $r = H_{3} (m | | t)$ can be verified correctly.

Unforgeability

It is well known that the BDH problem is difficult. Next, we will show that the proposed scheme can resist the universal forge attack based on BDH problem as follows.

Lemma 1

If there exists an adversary $A$ who can generate a legal DVS in the polynomial time without knowing both the signer’s and the verifier’s private key.

Proof

Assume that Alice’s public key is $Q_{I D_{A}} = xP$ , Bob’s public key is $Q_{I D_{B}} = yP$ , and the system public key is $P_{pub} = zP$ . And the target message is $m^{*}$ . After the query phase in the attack process, the adversary gets a legal signature $δ^{*} = (r^{*}, σ^{*})$ , which can be correctly verified by Bob.

Note that Bob needs to recover $m^{*}$ , $r^{*}$ , and $t^{*}$ via the equation $(m^{*} | | r^{*} | | t^{*}) = D_{W} (σ^{*})$ , where $W = e (S_{I D_{B}}, Q_{I D_{A}})$ . Since the security of the symmetrical encryption, the adversary $A$ must get the secret information W if he tries to get a legal signature. According to the rules of the proposed scheme, the adversary could only get W by the following equation

W = e (S_{I D_{B}}, Q_{I D_{A}}) = e (z \cdot yP, xP) = e {(P, P)}^{xyz}

(1)

However, it is a BDH problem to solve equation (1). Therefore, it contradicts to the assumption that $A$ can generate a legal DVS in the polynomial time. Therefore, the proposed scheme can provide unforgeability.

Non-Transferability

As shown in simulation phase of our proposed scheme, Bob generates a transcript $(r', σ')$ after he has verified the signature $(r, σ)$ . The transcript $(r', σ')$ can be verified by the following

\begin{matrix} m | | r' | | t' \leftarrow D_{W} (σ') = D_{W} (E_{W} (m | | r' | | t')) \\ H_{3} (m | | t') = r' \end{matrix}

It is very difficult to distinguish $(r', σ')$ from $(r, σ)$ for any third party. Therefore, the proposed scheme can provide non-transferability.

Source hiding

In the proposed scheme, two undistinguished valid signatures, that is, $(r, σ)$ and $(r', σ')$ , are generated by the signer and the designated verifier. It is very hard for an attacker to determinate who is the generator of the signature $(r, σ)$ or $(r', σ')$ , even if the attacker has obtained the private key of the signer and the designated verifier. Therefore, the proposed scheme could meet source hiding.

Strongness

When the designated verifier Bob checks the signature $(r, σ)$ , he must use his own private key $S_{I D_{B}}$ to obtain corrected W by $W = e (S_{I D_{B}}, Q_{I D_{A}})$ . Therefore, the proposed scheme can meet strongness well.

The comparison of security and computation cost

In this subsection, the proposed scheme is compared with Zhang et al.’s¹⁷ scheme in terms of security and computation cost.

Let P1, P2, P3, P4, and P5 denotes correctness, unforgeability, non-transferability, source hiding, and strongness, respectively. The security comparisons of three SDVS schemes are shown in Table 2.

Table 2.

Security comparisons with similar schemes.

Schemes	Security prosperities
Schemes	P1	P2	P3	P4	P5
Our proposed	√	√	√	√	√
Zhang et al.’s¹⁷	√	x	√	√	√

As a result of the security comparisons in Table 2, our proposed scheme can meet all important security requirements of SDVS schemes, such as correctness, unforgeability, non-transferability, source hiding, and strongness. However, Lee et al.’s scheme and Zhang et al.’s scheme cannot provide unforgeability. Therefore, the proposed scheme is secure than the other two schemes.

Next, we analyze the computation cost of the proposed scheme. Because the major computations of SDVS schemes are produced in signing phase and verifying phase, the computation costs of two phases will be analyzed. For convenience, let $T_{bp}$ , $T_{m}$ , $T_{e}$ , $T_{s}$ , $T_{H}$ , and $T_{h}$ denote the times cost of executing a bilinear pairing operation, a scale multiplication operation, a modular exponentiation operation, a symmetric encryption/decryption operation, a Map-to-Point hash function operation, and a one-way hash function operation, respectively.

In our proposed scheme, the computation costs of signing phase consist of one bilinear pairing operation, one operation of Map-to-Point hash function, two operations of one-way hash function, and one symmetric encryption operation, that is, the total is $1 T_{bp} + 1 T_{H} + 2 T_{h} + 1 T_{s}$ . The computation costs of verifying phase consist of one bilinear pairing operation, one Map-to-Point hash function operation, one one-way hash function operations, and one symmetric encryption operation, that is, the total is $1 T_{bp} + 1 T_{H} + 1 T_{h} + 1 T_{s}$ . The same method of analysis can be used to evaluate the computation of Zhang et al.’s¹⁷ scheme. The results of computation costs are listed in Table 3.

Table 3.

Comparison of computation cost with similar schemes.

Schemes	Signing phase	Verifying phase
Our proposed	$1 T_{bp} + 1 T_{H} + 2 T_{h} + 1 T_{s}$	$1 T_{bp} + 1 T_{H} + 1 T_{h} + 1 T_{s}$
Zhang et al.’s¹⁷	$1 T_{bp} + 1 T_{H} + 2 T_{h} + 1 T_{e}$	$1 T_{bp} + 1 T_{H} + 1 T_{h} + 1 T_{e}$

It is well known that the computation costs of a modular exponentiation operation $T_{e}$ are much more than a symmetrical encryption/decryption operation $T_{s}$ . According to the result in Table 3, our proposed scheme takes less computation costs in both the signing phase and verifying phase than Zhang et al.’s¹⁷ scheme.

From the above analysis, it can be concluded that our proposed scheme not only provides better security prosperities but also is more efficient than Zhang et al.’s¹⁷ scheme.

Conclusion

In this article, we demonstrate that Zhang et al.’s proposed SDVS scheme is not secure against forgery attack. To meet the requirement of security and efficiency for mobile devices in SDVS, we propose an improved SDVS scheme by using the symmetrical encryption technology. The security analysis shows that the proposed scheme can meet all security requirements, and the comparison of computation cost shows that the proposed scheme needs less computation cost than Zhang et al.’s scheme in both signing phase and verification phase. Therefore, the proposed scheme is more suitable for the scenarios of SDVS in wireless mobile Internet era.

Footnotes

Handling Editor: Carlos Moreno

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The work was supported in part by the National Natural Science Foundation of China under grant no. 61862052.

References

Chaum

Van Antwerpen

Undeniable signatures. In: Brassard

(ed.) Advances in cryptology-CRYPTO’89, LNCS, vol. 435. New York: Springer-Verlag, 1990, pp.212–216, https://link.springer.com/chapter/10.1007%2F0-387-34805-0_20

Jakobsson

. Blackmailing using undeniable signatures. In: Workshop on the theory and application of cryptographic techniques, Perugia, 9–12 May 1994, pp.425–427. Berlin: Springer.

Zhang

et al . A designated verifier signature scheme with undeniable property in the random oracle. In: 7th IEEE international conference on software engineering and service science (ICSESS), Beijing, China, 26–28 August 2016, pp.960–963. New York: IEEE.

Jakobsson

Sako

Impagliazzo

Designated verifier proofs and their applications. In: International conference on the theory and applications of cryptographic techniques, Saragossa, 12–16 May 1996, pp.143–154. Berlin: Springer.

Saeednia

Kremer

Markowitch

An efficient strong designated verifier signature scheme. In: International conference on information security and cryptology, Seoul, Korea, 27–28 November 2003, pp.40–54. Berlin: Springer.

Lipmaa

Wang

Bao

Designated verifier signature schemes: attacks, new security notions and a new construction. In: International colloquium on automata, languages, and programming, Lisbon, 11–15 July 2005, pp.459–471. Berlin: Springer.

Tso

Okamoto

. Practical strong designated verifier signature schemes based on double discrete logarithms. In: International conference on information security and cryptology, Beijing, China, 15–17 December 2005, pp.113–127. Berlin: Springer.

Chen

Zhao

Xiong

et al . A certificateless strong designated verifier signature scheme with non-delegatability. Int J Netw Secur 2017; 19(4): 573–582.

Yang

Shen

Wang

Certificateless universal designated verifier signature schemes. J China Univ Posts Telecommun 2007; 14(3): 85–90, 94.

10.

Xiao

Yang

Certificateless strong designated verifier signature scheme. In: 2nd international conference on E-business and information system security (EBISS), Wuhan, China, 22–23 May 2010, pp.1–5. New York: IEEE.

11.

Chen

An efficient certificateless designated verifier signature scheme. Int Arab J Inf Technol 2013; 10(4): 389–396.

12.

Kang

Boyd

Dawson

A novel identity-based strong designated verifier signature scheme. J Syst Software 2009; 82(2): 270–273.

13.

Lin

Huang

et al . A new universal designated verifier transitive signature scheme for big graph data. J Comput Syst Sci 2017; 83(1): 73–83.

14.

Yoon

EJ.

An efficient and secure identity-based strong designated verifier signature scheme. Inf Technol Control 2011; 40(4): 323–329.

15.

Yang

Sun

et al . A strong designated verifier signature scheme with secure disavowability. In: Fourth international conference on intelligent networking and collaborative systems, Bucharest, 19–21 September 2012, pp.286–291. New York: IEEE.

16.

Lee

Lai

Chen

et al . A novel designated verifier signature scheme based on bilinear pairing. Inf Technol Control 2013; 42(3): 247–252.

17.

Zhang

et al . Strong designated verifier signature scheme resisting replay attack. Inf Technol Control 2015; 44(2): 165–171.

18.

Islam

SKH

Biswas

. A provably secure identity-based strong designated verifier proxy signature scheme from bilinear pairings. J King Saud Univ: Comput Inf Sci 2014; 26(1): 55–67.

An improved strong designated verifier signature scheme

Abstract

Keywords

Introduction

Preliminaries

Bilinear pairing and computational problem

Security model of the SDVS scheme

Review and cryptanalysis of Zhang et al.’s scheme

Review of the Zhang et al.’s scheme

Cryptanalysis of Zhang et al.’s scheme

The proposed SDVS scheme

Performance analysis

Security analysis

Lemma 1

Proof

The comparison of security and computation cost

Conclusion

Footnotes

Declaration of conflicting interests

Funding

References