Designated Verifier Signature

Designated verifier signature(DVS), enables a signer to sign a message sothat the designated verifier can verify it is coming from the signer, but the des-ignated verifier cannot convince the third party believe it. Since he himself canproduce the signature. Although someone knows the secret key of signer ordesignated verifier, he can not know who is signer except for signer and the des-ignated verifier. That is to say, DVS is perfectly solving contradiction problemof "privacy" and "reality" by losing non-repudiation.Strong designated verifier signature(SDVS) is a special DVS. In SDVS, ver-ifying algorithm of signature must be used the secret key of designated verifier,thus only the designated verifier is capable of verifying the validity of the signa-ture.However, in 2005, Lipmaa et al. pointed out that any DVS scheme had tosatisfy the property of non-delegatability of signing rights according to originaldefinition of DVS. Simple to say, non-delegatability of DVS scheme is to requiresigner(designated verifier) to sign a message by using the signer's secret keysks(or designated verifier's secret key sk_D), but not a functionf(sk_S, pk_D)(f(pk_S,sk_D)). And the delegating attack broke out all SDVS schemes. Recently, Susiloet al. showed that the applicability of the non-delegatability notion discoveredby Lipmaa et al. was too strong to be implemented in strong designated verifiersignature (SDVS) schemes. Therefore, they re-coined a new term called "weaknon-delegatability" for the strong DVS variants.This thesis have done some work as follows on DVS:Firstly, we point out that there was not correct in proof of unforgeability andre-proof the unforgeability, then we extend non-delegatability to ring signature.we study delegatability of DVS schemes. Although Lipmaa et al. showed theirscheme is secure, there exists a bug in proof of unforgeability, we modify theproof in the non-programble random oracle. We discover that attack of delegatingsigning rights is not only available to (S)DVS scheme, but also some ring signature schemes, such as Bendery et al.'s 2 user-ring signature schemes. We show thatBendery et al.'s 2 user-ring signature schemes are delegatable.Secondly, we formalize the secure model for SDVS schemes and show Susiloet al.'s idea was wrong. We formally define the notion of strong privacy of signer'sidentity for SDVS, which is the privacy of signer's identity under delegatabilitynotion. In this new notion, we require that if we consider the attack of reveal-ing any side of information for SDVS schemes (excluding the secret keys of theparticipants), then the scheme must satisfy the property of privacy of signer'sidentity (PSI). Secondly, we show that our notion notion is consistent with thenotion of common key delegation and the concept of SDVS, in contrast to theweak non-delegatability notion that is redundant and produce inconsistency be-tween DVS and SDVS. For the first time in the literature, this paper clarifiesthe notion between DVS and SDVS, since Lipmaa et al.'s non-delegatability no-tion does not really consider SDVS, meanwhile Susilo et al.'s work assumed thatthere exists only one way to construct SDVS and neglecting the fact that allSDVS schemes are indeed DVS, as motivated in the original paper by Jakobsson,Sako and Impagliazzo.Thirdly, we construct a secure efficient SD VS scheme. We first construct ba-sic signature scheme, which is variation of Boneh et al.'s short signature scheme.We show its security in random oracle model by using Boneh et al.'s method.Whereafter, we show Boneh et al.'s ring signature scheme is DVS scheme whenthere are only 2 users~2. And we construct a SDVS scheme based this DVS schemeand show the scheme is secure SDVS scheme. At the same time, we use the basicsignature scheme to design two provably secure blind signature schemes.Finally, we present a new notion of weak designated verifier signature, thenformalize its secure model and construct two schemes. (S)DVS solves the problemof collision between "privacy" and "reality" by losing the property of signer'snon-repudiation. However, in some real world, since identity of participantsis different, not only it requires signatures not only to has the property of non- repudiation, but also "privacy" and "reality". Thus, we introduce a new conceptof weak designated verifier signature(WDVS). WDVS enables a signer to sign amessage so that the designated verifier is the only one who can verify whethera signature is valid or not (any other users except signer and the designatedverifier can not verify the signatures without the help of signer and the desig-nated verifier), but that the designated verifier can generate valid signatures iscomputationally impossible. We presents definition of WDVS and its securitymodel. Meanwhile, here we propose two secure WDVS, one is based on BLSshort signature scheme, another is based on basic signature scheme in this thesis.