Computers and Electrical Engineering 37 (2011) 180–186

Contents lists available at ScienceDirect

Computers and Electrical Engineering

journal homepage: www.elsevier.com/locate/compeleceng

Short designated verifier proxy signatures ☆

Kyung-Ah Shim, Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, KT Daedoek 2nd Research Center, 463-1, Jeonmin-dong, Yuseong-gu, Daejeon, South Korea

Article info

Article history: Available online 25 March 2011

0045-7906/$ - see front matter © 2011 Published by Elsevier Ltd.
doi:10.1016/j.compeleceng.2011.02.004

☆ Reviews processed and proposed for publication by Associate Editor Pro. N. Sklavos.
E-mail address: [email protected]

Abstract

A proxy signature enables an original signer to delegate its signing capability to a proxy signer, and the proxy signer can sign a message on behalf of the original signer. Later, anyone can verify the validity of proxy signatures. The ‘‘public-verifiable’’ property of the proxy signature is not suitable in some applications in which a proxy signed message may be personally or commercially sensitive. A designated verifier proxy signature scheme is suitable for these environments. In this paper, we propose a provably secure short designated verifier proxy signature scheme in the random oracle model under the Bilinear Diffie–Hellman assumption.

© 2011 Published by Elsevier Ltd.

1. Introduction

The concept of proxy signature was first introduced by Mambo et al. [1] in 1996. Proxy signature schemes allow an entity to delegate signing capabilities to other participants so that they can sign on behalf of the entity within a given context (the context and limitations on proxy signing capabilities are captured by a warrant issued by the delegator, which is associated with the delegation act). The ‘‘public-verifiable’’ property of the proxy signature is not suitable in some applications in which a proxy signed message may be personally or commercially sensitive, for example, a bill of tax or a bill of health. A designated verifier proxy signature scheme is suitable for these environments. An example is on-line shopping. When a customer Cindy buys a digital product m from an Internet vendor Bob, who sells digital products (e.g. digital music, movies, books, etc.), she needs a digital receipt from Bob to guarantee the quality, authenticity, and legality of m. This is reasonable since Cindy does not completely trust Bob and his goods. Furthermore, Cindy would expect the receipt to be bound not only to the identity of the vendor Bob but also to that of the goods producer, say Alice. With such receipts, Cindy will be convinced that the digital product m is produced by Alice and sold by Bob. At the same time, to prevent Cindy from illegally distributing m to others, Alice and Bob want Cindy’s receipt to be verifiable only by Cindy herself. In such situations, designated-verifier proxy signatures, instead of ordinary digital signatures, can be used as such receipts. That is, Alice delegates her signing capability to Bob so that he can generate strong designated-verifier proxy signatures as digital receipts for all potential customers. The notion of designated verifier signatures was introduced by Jakobsson et al. [2].

Designated verifier signature (DVS) schemes provide authentication of a message without the non-repudiation property of traditional signatures. In other words, they convince one and only one specified recipient that they are valid, but unlike standard digital signatures, nobody else can be convinced of their validity or invalidity. The reason is that the designated verifier in these schemes is able to create a signature intended for himself that is indistinguishable from a real signature. Since then, stronger notions have been proposed, such as a universal designated verifier signature scheme [3], which allows any signature holder to convert a standard signature into a DVS specified to any designated verifier of his choice, and a strong designated verifier signature scheme [4,5], in which the designated verifier uses his private key to verify the validity or invalidity of a signature. A number of designated verifier proxy signature schemes have been proposed [6–10,4]. However, those schemes provide only an informal security analysis [6,7,10,4] or a formal security proof against adversaries with limited power [10,8,9,11,12]. In this paper, we propose a short designated verifier proxy signature scheme based on the BLS short signature scheme [13]. We also give an exact security proof of the proposed scheme in the random oracle model under the Bilinear Diffie–Hellman assumption.

The rest of this paper is organized as follows. In the following section, we describe basic tools and a new security notion for designated verifier proxy signature schemes. In Section 3, we propose a short designated verifier proxy signature scheme based on the BLS short signature scheme. We then give its security proof in the random oracle model under the Bilinear Diffie–Hellman assumption. Concluding remarks are given in Section 4.

2. Preliminaries

2.1. Some definitions and assumption

Let $G_1$ and $G_2$ be two cyclic groups of a large prime order $q$. We write $G_1$ additively and $G_2$ multiplicatively. We assume that the discrete logarithm problems in both $G_1$ and $G_2$ are hard.

Admissible pairing: We call $e$ an admissible pairing if $e : G_1 \times G_1 \to G_2$ is a map with the following properties:

1. Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and for all $a, b \in \mathbb{Z}$.
2. Non-degeneracy: There exists $P \in G_1$ such that $e(P, P) \neq 1$.
3. Computability: There is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

The Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified to create admissible pairings, as in [14].

We consider the following problem and assumption in $(G_2, \cdot)$.

Definition 2.1 (Bilinear Diffie–Hellman (BDH) problem). Given $(P, xP, yP, zP)$ for some $x, y, z \in_R \mathbb{Z}_q^*$, compute $e(P, P)^{xyz} \in G_2$.

Definition 2.2 (Bilinear Diffie–Hellman (BDH) assumption). Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $\mathcal{A}$ has advantage $\epsilon(k)$ in solving the BDH problem for $\mathcal{G}$ if for a sufficiently large $k$,

$$\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(t) = \Pr\left[\mathcal{A}(q, G_1, P, xP, yP, zP) = e(P, P)^{xyz} \;\middle|\; (q, G_1) \leftarrow \mathcal{G}(1^k),\ P \leftarrow G_1,\ x, y, z \leftarrow \mathbb{Z}_q^*\right] \ge \epsilon(k).$$

We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial-time (in $t$) algorithm $\mathcal{A}$ the advantage $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(t)$ is a negligible function. When $\mathcal{G}$ satisfies the BDH assumption we say that the BDH problem is hard in $G_2$ generated by $\mathcal{G}$.

2.2. Security notion

A designated verifier proxy signature (DVPS) scheme consists of three kinds of participants: an original signer, a proxy signer and a designated verifier.

COMPONENTS OF PROXY SIGNATURE SCHEMES. A DVPS scheme DVPS = (KeyGen, Desig, ProxyKeyExtract, DPSign, DPVerify, Transcript Simulation, IDDVPS) based on the standard signature scheme DS = (KeyGen, Sign, Verify) is specified by seven polynomial time algorithms with the following functionality:

KeyGen. The randomized key generation algorithm KeyGen takes input $1^k$, where $k \in \mathbb{Z}$ is a security parameter, and outputs a public/private key pair $(PK, SK)$.

Desig. The proxy-designation algorithm Desig is an interactive designation algorithm which takes input the public keys of an original signer and a proxy signer $(PK_i, PK_j)$ and a delegation relation (including information on period, limitation, etc.) and outputs a warrant $w_{i,j}$ (meaning that $PK_j$ is designated by $PK_i$). We say that a message violates a warrant if the message is not compliant with the contents of the warrant.

ProxyKeyExtract. The proxy key extraction algorithm ProxyKeyExtract takes input a warrant $w_{i,j}$, the signature of an original signer under the private key $SK_i$, $\sigma_i \leftarrow \mathrm{Sign}(SK_i, w_{i,j})$, and the private key of a proxy signer $SK_j$, and outputs a proxy signing key $\sigma^P_{i,j} \leftarrow \mathrm{ProxyKeyExtract}(\sigma_i, SK_j, w_{i,j})$.

DPSign. The designated verifier proxy signing algorithm DPSign takes input a proxy signing key $\sigma^P_{i,j}$ and the private key $SK_j$ of a proxy signer, the public key $PK_D$ of a designated verifier and a message $m \in \{0,1\}^*$, and outputs a DV proxy signature $\delta \leftarrow \mathrm{DPSign}(\sigma^P_{i,j}, SK_j, PK_D, m)$.

DPVerify. The verification algorithm DPVerify takes input the public keys of the original signer and proxy signer, the private key $SK_D$ of a designated verifier, a message $m \in \{0,1\}^*$ and a DV proxy signature $\delta$ on $m$ with $w_{i,j}$, and outputs True if the signature is correct, or $\perp$ otherwise, i.e., $\{\mathrm{True}, \perp\} \leftarrow \mathrm{DPVerify}(SK_D, PK_i, PK_j, w_{i,j}, m, \delta)$.

Transcript Simulation. Via this algorithm, a designated verifier who holds its private key $SK_D$ can always produce identically distributed transcripts that are indistinguishable from the original proof.

IDDVPS. The proxy identification algorithm IDDVPS takes a warrant $w_{i,j}$ and a DV proxy signature $\delta$ and outputs the list of identities (i.e., public keys) in the delegation.

We model the case in which an adversary is working against a proxy signer with public key $PK$ and a designated verifier with $PK_D$. The adversary’s goal is to forge a DVPS for $PK$, designated by original signers of its choice, with the designated verifier $PK_D$. We give the adversary the power to request proxy signing keys of the proxy signer designated by original signers of its choice. The adversary is also given access to a DPSign oracle on any message for the proxy signer with any delegation and $PK_D$. We formalize security notions for DVPS schemes [15].

EXISTENTIAL UNFORGEABILITY AGAINST AN ADAPTIVELY CHOSEN-MESSAGE ATTACK. An adversary’s advantage $\mathrm{Adv}_{\mathrm{DVPS},\mathcal{A}}$ is defined as its probability of success in the following game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$:

KeyGen: The challenger runs the KeyGen algorithm to obtain a public/private key pair $(PK, SK)$. The adversary $\mathcal{A}$ is given $PK$ and $PK_D$.

ProxyKeyExtract Query: Proceeding adaptively, $\mathcal{A}$ requests proxy signing keys on at most $q_E$ original signers related to warrants $\{w_i\}_{i=1}^{q_E}$ of its choice. For a given warrant $w_i$ obtained by running the Desig algorithm, where $w_i$ contains the fact that $PK$ is designated by $PK_i$ in the delegation relation described in $w_i$, $\mathcal{A}$ requests a proxy signing key for $PK$. The challenger responds to each query with its proxy signing key $\sigma^P_i$.

DPSign Query: Proceeding adaptively, $\mathcal{A}$ requests proxy signatures on at most $q_S$ messages of his choice $M_1, \ldots, M_{q_S} \in \{0,1\}^*$ for a warrant $w_i$. The challenger responds to each query with a proxy signature $\delta_i \leftarrow \mathrm{DPSign}(\sigma^P_i, SK_i, PK_D, M_i, w_i)$.

DPVerify Query: Adversary $\mathcal{A}$ requests verification for a DVPS $\delta$; the challenger responds to each query with True if the signature is correct, or $\perp$ otherwise, i.e., $\{\mathrm{True}, \perp\} \leftarrow \mathrm{DPVerify}(SK_D, PK_i, PK_j, w_{i,j}, m, \delta)$.

Output: Eventually, $\mathcal{A}$ outputs a pair $(w_i, M, \delta)$ and wins the game if (i) $M$ is not any of $M_1, \ldots, M_{q_S}$ for $w_i$ with $PK_D$, and (ii) $\delta$ is a valid DV proxy signature.

Definition 2.3. A forger $\mathcal{A}$ $(t, q_E, q_S, q_V, q_H, \epsilon)$-breaks a DVPS scheme DVPS if $\mathcal{A}$ runs in time at most $t$, $\mathcal{A}$ makes at most $q_E$ ProxyKeyExtract queries, $q_S$ DPSign queries, $q_V$ DPVerify queries and at most $q_H$ queries to the hash function, and $\mathrm{Adv}_{\mathrm{DVPS},\mathcal{A}}$ is at least $\epsilon$. A DVPS scheme is $(t, q_E, q_S, q_V, q_H, \epsilon)$-existentially unforgeable under an adaptive chosen-message attack if no forger $(t, q_E, q_S, q_V, q_H, \epsilon)$-breaks it.

3. A short designated verifier proxy signature scheme

3.1. A short DVPS scheme: SDVPS

Before we propose a new short DVPS scheme, we describe the BLS short signature scheme [13].

• BLS short signature scheme.

KeyGen. Choose a random $x \in_R \mathbb{Z}_q^*$ and compute $g^x$. The public/private key pair is $(PK, SK) = (g^x, x)$.

Sign. Given a message $m \in \{0,1\}^*$, compute $\sigma = H(m)^x \in G_1$ as a signature on $m$.

Vfy. Given a message $m$ and a signature $\sigma$ on $m$ under $PK$, verify whether the equality $e(\sigma, g) = e(H(m), PK)$ holds. If it holds, accept the signature; otherwise, reject.

We propose a short DVPS scheme SDVPS based on the BLS short signature scheme.

• Our construction: SDVPS

Setup. Given a security parameter $k \in \mathbb{Z}$, the algorithm works as follows:

- Run the parameter generator $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1$, $G_2$ of order $q$, a generator $P$ in $G_1$ and an admissible pairing $e : G_1 \times G_1 \to G_2$.
- Choose cryptographic hash functions $H_1, H_2, H_3 : \{0,1\}^* \to G_1$. The security analysis will view $H_1$, $H_2$ and $H_3$ as random oracles. The system parameters are Params $= \langle q, G_1, G_2, e, P, H_1, H_2, H_3 \rangle$.

KeyGen. Pick a random $x_i \in \mathbb{Z}_q$ and compute $x_iP \in G_1$. The public/private key pair is $(PK_i, SK_i) = (x_iP, x_i)$.

ProxyKeyExtract. For a given original signer and a proxy signer, the algorithm works as follows:

- An original signer with the public key $PK_i$ obtains a warrant $w_{i,j}$, which is an explicit description of the delegation relation for $PK_i$ (i.e., $PK_j$ is designated by $PK_i$), by running the Desig algorithm.
- The original signer with $w_{i,j}$ computes $\sigma_i = x_iH_1(w_{i,j})$ following the BLS signature scheme and sends $(w_{i,j}, \sigma_i)$ to a proxy signer with public key $PK_j$.
- The proxy signer with $PK_j$ verifies whether $e(\sigma_i, P) = e(H_1(w_{i,j}), PK_i)$ holds. If it holds, the proxy signer computes $\sigma^P_{i,j} = \sigma_i + x_jH_2(w_{i,j})$ and keeps it as a proxy signing key.

DPSign. Given a proxy signing key $\sigma^P_{i,j}$, a private key $SK_j$, the public key $PK_D$ of a designated verifier and a message $M \in \{0,1\}^*$, compute $H_3(M) \in G_1$ and $\delta = e(\sigma^P_{i,j} + x_jH_3(M), PK_D) \in G_2$. The DV proxy signature on $M$ is $\delta$.

DPVerify. Given the private key $x_D$ corresponding to $PK_D$ and a DV proxy signature $\delta$ on $(w_{i,j}, M)$, compute $H_1(w_{i,j})$, $H_2(w_{i,j})$ and $H_3(M) \in G_1$ and verify whether

$$\delta = e(x_DH_1(w_{i,j}), PK_i) \cdot e(x_D[H_2(w_{i,j}) + H_3(M)], PK_j)$$

holds. If it holds, accept the signature.

Transcript Simulation. A designated verifier can produce a DV proxy signature $\delta$ on $(w_{i,j}, M)$ intended for himself by computing

$$\delta = e(x_DH_1(w_{i,j}), PK_i) \cdot e(x_D(H_2(w_{i,j}) + H_3(M)), PK_j).$$

Note that this signature is indistinguishable from the original DV proxy signature created by the proxy signer.

The scheme requires a scalar multiplication and a pairing computation in signing, and two scalar multiplications and two pairing computations in verification.
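As an added illustration that is not code from the paper, the SDVPS algorithms above (including the BLS delegation step and Transcript Simulation) are written out in Python over a constructed toy symmetric pairing $e(aP, bP) = g^{ab}$ with $G_1 = (\mathbb{Z}_q, +)$; this map is bilinear and non-degenerate but has a trivial discrete logarithm, so it demonstrates only the correctness relations of DPSign and DPVerify, never the scheme's security. The function names, the instantiation of $H_1, H_2, H_3$ as SHA-256 with a domain tag reduced modulo $q$, the safe-prime search and the sample warrant and receipt are all assumptions of this example.

```python
import hashlib
import secrets

# Toy symmetric pairing, constructed for this example and NOT secure: G1 = (Z_q, +)
# with generator P = 1, G2 = <g> of prime order q in Z_p^* (p = 2q + 1 a safe prime),
# e(aP, bP) = g^(ab) mod p.  Bilinear and non-degenerate, but DLOG in G1 is trivial
# (a public key xP is numerically the secret x), so only the algebra is demonstrated.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 3.3e24

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin, sufficient for the 62-bit toy parameters."""
    if n < 2 or any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits: int = 62) -> dict:
    """Setup: first safe prime p = 2q + 1 with q > 2^(bits-1); g = 4 has order q."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return {"p": 2 * q + 1, "q": q, "g": 4}

def pairing(params: dict, a: int, b: int) -> int:
    """e(aP, bP) = g^(ab) in G2."""
    return pow(params["g"], a * b % params["q"], params["p"])

def hash_to_g1(params: dict, tag: str, data: bytes) -> int:
    """H1, H2, H3 : {0,1}* -> G1, returned as the scalar d of the point dP (P = 1)."""
    digest = hashlib.sha256(tag.encode() + b"|" + data).digest()
    return int.from_bytes(digest, "big") % params["q"]

def keygen(params: dict) -> tuple:
    x = secrets.randbelow(params["q"] - 1) + 1
    return x, x  # KeyGen: (PK, SK) = (xP, x), and xP == x in this toy group

def delegate(params: dict, sk_i: int, warrant: bytes) -> int:
    """Original signer: BLS signature sigma_i = x_i * H1(w_ij) on the warrant."""
    return sk_i * hash_to_g1(params, "H1", warrant) % params["q"]

def proxy_key_extract(params: dict, pk_i: int, sk_j: int, warrant: bytes, sigma_i: int) -> int:
    """Proxy signer: check e(sigma_i, P) = e(H1(w), PK_i), then keep sigma_i + x_j * H2(w)."""
    if pairing(params, sigma_i, 1) != pairing(params, hash_to_g1(params, "H1", warrant), pk_i):
        raise ValueError("delegation signature on the warrant does not verify")
    return (sigma_i + sk_j * hash_to_g1(params, "H2", warrant)) % params["q"]

def dp_sign(params: dict, proxy_key: int, sk_j: int, pk_d: int, message: bytes) -> int:
    """DPSign: delta = e(sigma^P_ij + x_j * H3(M), PK_D), a single element of G2."""
    s = (proxy_key + sk_j * hash_to_g1(params, "H3", message)) % params["q"]
    return pairing(params, s, pk_d)

def transcript_simulate(params: dict, sk_d: int, pk_i: int, pk_j: int, warrant: bytes, message: bytes) -> int:
    """Verifier's own delta = e(x_D H1(w), PK_i) * e(x_D (H2(w) + H3(M)), PK_j)."""
    q, p = params["q"], params["p"]
    h1 = hash_to_g1(params, "H1", warrant)
    h23 = (hash_to_g1(params, "H2", warrant) + hash_to_g1(params, "H3", message)) % q
    return pairing(params, sk_d * h1 % q, pk_i) * pairing(params, sk_d * h23 % q, pk_j) % p

def dp_verify(params, sk_d, pk_i, pk_j, warrant, message, delta) -> bool:
    """DPVerify recomputes exactly the value the designated verifier can simulate."""
    return delta == transcript_simulate(params, sk_d, pk_i, pk_j, warrant, message)

def demo() -> dict:
    """Alice delegates to Bob; Bob issues Cindy a receipt that only Cindy can check."""
    params = setup()
    pk_a, sk_a = keygen(params)  # Alice, original signer
    pk_b, sk_b = keygen(params)  # Bob, proxy signer
    pk_c, sk_c = keygen(params)  # Cindy, designated verifier
    warrant = b"Alice -> Bob: may sign receipts for product m"  # constructed warrant
    receipt = b"receipt: m produced by Alice, sold by Bob"      # constructed message
    proxy_key = proxy_key_extract(params, pk_a, sk_b, warrant, delegate(params, sk_a, warrant))
    delta = dp_sign(params, proxy_key, sk_b, pk_c, receipt)
    return {
        "cindy_accepts": dp_verify(params, sk_c, pk_a, pk_b, warrant, receipt, delta),
        "altered_receipt_rejected": not dp_verify(params, sk_c, pk_a, pk_b, warrant, receipt + b"x", delta),
        "other_key_rejected": not dp_verify(params, keygen(params)[1], pk_a, pk_b, warrant, receipt, delta),
        "cindy_simulates_same_delta": transcript_simulate(params, sk_c, pk_a, pk_b, warrant, receipt) == delta,
    }
```

Running `demo()` returns all four checks as True: the receipt verifies for Cindy, fails for an altered message or for another key holder, and is exactly reproducible by Cindy herself, which is the transcript-simulation property that keeps it non-transferable.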

3.2. Security proof

Now, we prove the security of the SDVPS scheme. Let an adversary $\mathcal{A}$ be a probabilistic polynomial time algorithm whose input is Params $= \langle q, G_1, G_2, e, P, H_1, H_2, H_3 \rangle$, where $q \ge 2^k$. $\mathcal{A}$ can make $q_S$ queries to DPSign, $q_V$ queries to DPVerify, $q_E$ queries to ProxyKeyExtract, $q_{H_1}$ queries to the $H_1$-hash, $q_{H_2}$ queries to the $H_2$-hash and $q_{H_3}$ queries to the $H_3$-hash. Let $c_{G_1}$ be the time of computing a scalar multiplication in $G_1$ and an inversion in $\mathbb{Z}_q^*$, and $c_{G_2}$ be the time of computing a pairing and a modular multiplication in $G_2$.

Theorem 4.1. If the BDH problem is $(t', \epsilon')$-hard, the SDVPS scheme is $(t, q_{H_1}, q_{H_2}, q_{H_3}, q_E, q_S, q_V, \epsilon)$-secure against existential forgery under an adaptively chosen-message attack, for any $t$ and $\epsilon$ satisfying

$$\epsilon \ge e \cdot (q_S + 1) \cdot \epsilon', \qquad t \le t' - c_{G_1}(q_{H_1} + q_{H_2} + q_{H_3} + 2q_E + 3q_S + 3q_V + 3) - c_{G_2}(q_S + q_V + 2),$$

where $e$ is the base of the natural logarithm.

Proof. Suppose that $\mathcal{A}$ is a forger who breaks the SDVPS scheme. A BDH instance $(P, xP, yP, zP)$ is given for $x, y, z \in_R \mathbb{Z}_q^*$. By using the forgery algorithm $\mathcal{A}$, we will construct an algorithm $\mathcal{B}$ which outputs the BDH solution $e(P, P)^{xyz}$ in $G_2$. Algorithm $\mathcal{B}$ performs the following simulation by interacting with forger $\mathcal{A}$.

Setup. Algorithm $\mathcal{B}$ sets $PK = xP$, $PK_D = zP$ and starts by giving $\mathcal{A}$ the system parameters including the public keys $\langle PK, PK_D \rangle$. At any time, $\mathcal{A}$ can query the random oracles $H_1$, $H_2$ and $H_3$, and ProxyKeyExtract, DPSign and DPVerify. To answer these queries, $\mathcal{B}$ does the following:

$H_1$-queries. To respond to $H_1$-queries, $\mathcal{B}$ maintains a list of tuples $(w_i, V_i, d_i)$. We refer to this list as the $H_1$-list. This list is initially empty. When $\mathcal{A}$ queries the oracle $H_1$ at a point $w_i \in \{0,1\}^*$, $\mathcal{B}$ responds as follows:

1. If the query already appears on the $H_1$-list in a tuple $(w_i, V_i, d_i)$ then $\mathcal{B}$ responds with $H_1(w_i) = V_i \in G_1$.
2. Otherwise, $\mathcal{B}$ picks a random $d_i \in \mathbb{Z}_q^*$, computes $V_i = d_iP$, adds the tuple $(w_i, V_i, d_i)$ to the $H_1$-list and responds to $\mathcal{A}$ with $H_1(w_i) = V_i$.

$H_2$-queries. To respond to $H_2$-queries, $\mathcal{B}$ maintains a list of tuples $(w_i, V_i', d_i')$. We refer to this list as the $H_2$-list. When $\mathcal{A}$ queries the oracle $H_2$ at a point $w_i \in \{0,1\}^*$, $\mathcal{B}$ responds as follows:

1. If the query already appears on the $H_2$-list in a tuple $(w_i, V_i', d_i')$ then $\mathcal{B}$ responds with $H_2(w_i) = V_i' \in G_1$.
2. Otherwise, $\mathcal{B}$ picks a random $d_i' \in \mathbb{Z}_q^*$, computes $V_i' = d_i'P$, adds the tuple $(w_i, V_i', d_i')$ to the $H_2$-list and responds to $\mathcal{A}$ with $H_2(w_i) = V_i'$.

$H_3$-queries. To respond to $H_3$-queries, $\mathcal{B}$ maintains a list of tuples $(m, W, b, c)$ as explained below. We refer to this list as the $H_3$-list. When $\mathcal{A}$ queries the oracle $H_3$ at a point $m \in \{0,1\}^*$, $\mathcal{B}$ responds as follows:

1. If the query already appears on the $H_3$-list in a tuple $(m, W, b, c)$ then $\mathcal{B}$ responds with $H_3(m) = W \in G_1$.
2. Otherwise, $\mathcal{B}$ picks a random coin $c \in \{0,1\}$ with $\Pr[c = 0] = \frac{1}{q_S + 1}$.
   - If $c = 0$ then $\mathcal{B}$ computes $W = b(yP)$ for a random $b \in \mathbb{Z}_q^*$.
   - If $c = 1$ then $\mathcal{B}$ computes $W = bP$ for a random $b \in \mathbb{Z}_q^*$.

$\mathcal{B}$ adds the tuple $(m, W, b, c)$ to the $H_3$-list and responds with $H_3(m) = W$.

ProxyKeyExtract Queries. When $\mathcal{A}$ queries a proxy signing key of the proxy signer for $w_i$, $\mathcal{B}$ first finds the corresponding tuples $(w_i, V_i, d_i)$ and $(w_i, V_i', d_i')$ from the $H_1$-list and the $H_2$-list, respectively. This means that $H_1(w_i) = d_iP$ and $H_2(w_i) = d_i'P$ were previously determined. Then $\mathcal{B}$ computes $\sigma^P_i = d_i \cdot PK_i + d_i' \cdot PK$ and responds to $\mathcal{A}$ with $\sigma^P_i$ as the proxy signing key of the proxy signer.

DPSign Queries. When $\mathcal{A}$ makes a DPSign query on $m$ with $w_i$, $\mathcal{B}$ first finds the corresponding tuples $(w_i, V_i, d_i)$, $(w_i, V_i', d_i')$ and $(m, W, b, c)$ from the $H_1$-list, the $H_2$-list and the $H_3$-list, respectively.

- If $c = 0$ then $\mathcal{B}$ fails and halts.
- Otherwise, $c = 1$ and hence $H_3(m) = bP$. Then $\mathcal{B}$ computes $\delta = e(d_i \cdot PK_i + d_i' \cdot PK + b \cdot PK, PK_D)$ and responds to $\mathcal{A}$ with $\delta$.

DPVerify Queries. When $\mathcal{A}$ makes a DPVerify query on $(w_i, m, \delta)$, $\mathcal{B}$ first finds the corresponding tuples $(w_i, V_i, d_i)$, $(w_i, V_i', d_i')$ and $(m, W, b, c)$ from the $H_1$-list, the $H_2$-list and the $H_3$-list, respectively.

- If $c = 0$ then $\mathcal{B}$ fails and halts.
- Otherwise, $c = 1$ and hence $H_3(m) = bP$. Then $\mathcal{B}$ verifies whether $\delta = e(d_i \cdot PK_i + d_i' \cdot PK + b \cdot PK, PK_D)$ holds. If it does, $\mathcal{B}$ outputs True; otherwise $\perp$.

All responses to DPSign queries are valid, so the output $\delta$ of a DPSign query is successfully verified in DPVerify queries, i.e., it is a valid DV proxy signature on $m$ with $w_i$ for $PK_D$. If $\mathcal{B}$ aborts neither as a result of $\mathcal{A}$’s DPSign queries nor as a result of $\mathcal{A}$’s DPVerify queries, then $\mathcal{A}$’s view is identical to its view in the real attack.

Output. Eventually $\mathcal{A}$ outputs a forgery $\delta$ on $(w_i, M)$ for $PK_D$. Again by assumption, $\mathcal{A}$ has previously issued hash queries for $w_i$ and $M$. $\mathcal{B}$ finds $(w_i, V_i, d_i)$, $(w_i, V_i', d_i')$ and $(M, W, b, c)$ from the $H_1$-list, the $H_2$-list and the $H_3$-list, respectively. If the coin flipped by $\mathcal{B}$ for the query on $M$ did not show 0 then $\mathcal{B}$ fails. Otherwise, $H_3(M) = b(yP)$, and $\mathcal{B}$ outputs

$$\left[\delta / e(d_i \cdot PK_i + d_i' \cdot PK, PK_D)\right]^{1/b} = e(x(byP), zP)^{1/b} = e(P, P)^{xyz}.$$

This completes the description of $\mathcal{B}$. It remains to show that $\mathcal{B}$ solves the given instance of the BDH problem with probability at least $\epsilon'$. To do so, we analyze four events that must occur for $\mathcal{B}$ to succeed:

- $E_1$: $\mathcal{B}$ does not abort as a result of any of $\mathcal{A}$’s DPSign queries.
- $E_2$: $\mathcal{B}$ does not abort as a result of any of $\mathcal{A}$’s DPVerify queries.
- $E_3$: $\mathcal{A}$ generates a valid DV proxy signature forgery $(w_i, M, \delta)$.
- $E_4$: Event $E_3$ occurs and $c = 0$ for the tuple containing $M$ on the $H_3$-list.

Algorithm $\mathcal{B}$ succeeds if all of these events happen. The probability $\Pr[E_1 \wedge E_2 \wedge E_3 \wedge E_4]$ is decomposed as

$$\Pr[E_1 \wedge E_2 \wedge E_3 \wedge E_4] = \Pr[E_1] \cdot \Pr[E_2 \mid E_1] \cdot \Pr[E_3 \mid E_1 \wedge E_2] \cdot \Pr[E_4 \mid E_1 \wedge E_2 \wedge E_3]. \qquad (1)$$

The following claims give a lower bound for each of these terms.

Claim 1. The probability that $\mathcal{B}$ does not abort as a result of $\mathcal{A}$’s DPSign queries is at least $\left(1 - \frac{1}{q_S + 1}\right)^{q_S}$. This follows because $\mathcal{A}$ makes at most $q_S$ queries to the DPSign oracle and each has $\Pr[c = 1] = 1 - \frac{1}{q_S + 1}$ independently, so $\Pr[E_1] \ge \left(1 - \frac{1}{q_S + 1}\right)^{q_S}$.

Claim 2. The probability that $\mathcal{B}$ does not abort as a result of any of $\mathcal{A}$’s DPVerify queries is 1, since the simulation is arranged so that $\mathcal{B}$ aborts on $\mathcal{A}$’s DPVerify queries only under the same condition that already causes an abort on $\mathcal{A}$’s DPSign queries. Hence, $\Pr[E_2 \mid E_1] = 1$.

Table 1. Implementation result of our scheme.

Scheme   DPSign   DPVerify
SDVPS    7.5 ms   15 ms


Claim 3. If $\mathcal{B}$ does not abort as a result of $\mathcal{A}$’s DPSign queries then $\mathcal{A}$’s view is identical to its view in the real attack. Hence, $\Pr[E_3 \mid E_1 \wedge E_2] \ge \epsilon$.

Claim 4. The probability that $\mathcal{B}$ does not abort after $\mathcal{A}$ outputs a valid forgery is at least $\frac{1}{q_S + 1}$, because $\mathcal{B}$ will abort only if $\mathcal{A}$ generates a forgery such that $c = 1$. Hence, $\Pr[E_4 \mid E_1 \wedge E_2 \wedge E_3] \ge \frac{1}{q_S + 1}$.

To complete the proof of Theorem 3.1, we use the bounds from the claims above in Eq. (1). Algorithm $\mathcal{B}$ produces the correct answer with probability at least

$$\left(1 - \frac{1}{q_S + 1}\right)^{q_S} \cdot \epsilon \cdot \frac{1}{q_S + 1} \ge \frac{1}{e} \cdot \frac{\epsilon}{q_S + 1} \ge \epsilon'$$

as required.

Algorithm $\mathcal{B}$’s running time is the same as $\mathcal{A}$’s running time plus the time it takes to respond to $(q_{H_1} + q_{H_2} + q_{H_3} + q_E + q_V + q_S)$ hash queries, $q_E$ ProxyKeyExtract queries, $q_S$ DPSign queries and $q_V$ DPVerify queries, and the time to transform $\mathcal{A}$’s final forgery into the BDH solution. The $H_1$-query, $H_2$-query, $H_3$-query and ProxyKeyExtract query require at most 1, 1, 1 and 2 scalar multiplications, respectively. The DPSign query and DPVerify query each require 3 scalar multiplications and a pairing computation. The output phase requires 2 scalar multiplications in $G_1$, an inversion in $\mathbb{Z}_q^*$, a pairing computation and a modular exponentiation in $G_2$. Hence, the total running time is at most

$$t + c_{G_1}(q_{H_1} + q_{H_2} + q_{H_3} + 2q_E + 3q_S + 3q_V + 3) + c_{G_2}(q_S + q_V + 2) \le t',$$

as required.

3.3. Implementation

Table 1 presents the performance (in milliseconds) of our scheme at the 80-bit security level on a 2.8 GHz Intel Pentium 4. We used the PBC library [16], choosing the Tate pairing on the type A curve over $\mathbb{F}_p$ with embedding degree 2, where $p$ is a 512-bit prime.

4. Conclusion

Rapid advances in computing have resulted in dramatic improvements in large-number arithmetic computation. In contrast, communication latency has not improved appreciably. Short signatures are needed in environments with strong bandwidth constraints. To obtain a proxy signature scheme that achieves this aim, we proposed a short designated verifier proxy signature scheme based on the BLS signature scheme, whose resulting DV proxy signature consists of a single element of the underlying group. We proved its security in the random oracle model under the BDH assumption.

Acknowledgements

This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2009-0072168).

References

[1] Mambo M, Usuda K, Okamoto E. Proxy signatures: delegation of the power to sign messages. IEICE Trans Fund 1996;E79-A(9):1338–54.
[2] Jakobsson M, Sako K, Impagliazzo R. Designated verifier proofs and their applications. In: Advances in cryptology: Eurocrypt’96. LNCS, vol. 1070. Springer-Verlag; 1996. p. 142–54.
[3] Steinfeld R, Bull L, Wang H, Pieprzyk J. Universal designated-verifier signatures. In: Advances in cryptology: Asiacrypt’03. LNCS, vol. 2894. Springer-Verlag; 2003. p. 523–43.
[4] Saeednia S, Kramer S, Markovitch O. An efficient strong designated verifier signature scheme. In: ICISC’03. Springer-Verlag; 2003. p. 40–54.
[5] Laguillaumie F, Vergnaud D. Designated verifier signature: anonymity and efficient construction from any bilinear map. In: SCN’04. LNCS, vol. 3352. Springer-Verlag; 2004. p. 107–21.
[6] Wang G. Designated-verifier proxy signatures for e-commerce. In: International conference on multimedia and expo, ICME’04. IEEE Press; 2004. p. 1731–4.
[7] Wang G. Designated-verifier proxy signature schemes. In: Security and privacy in the age of ubiquitous computing, IFIP/SEC’05. Springer; 2005. p. 409–23.
[8] Huang X, Mu Y, Susilo W, Zhang F. Short designated verifier proxy signature from pairings. In: EUC workshops 2005. LNCS, vol. 3823. p. 835–44.
[9] Huang X, Mu Y, Susilo W, Zhang F, Chen X. A short proxy signature scheme: efficient authentication in the ubiquitous world. In: EUC workshops 2005. LNCS, vol. 3823. Springer-Verlag; 1996. p. 480–9.
[10] Lu R, Cao Z, Dong X, Sue R. Designated verifier proxy signature scheme from bilinear pairings. The First International Multi-Symposiums on Computer and Computational Sciences, IMSCCS’06 2006;2:40–7.
[11] Liao Y, Lu Q, Qin Z. Designated verifier proxy signature scheme. Intell Inf Hiding Multimedia Signal 2008:235–8.
[12] Yu Y, Xu C, Zhang X, Liao Y. Designated verifier proxy signature scheme without random oracles. Comput Math Appl 2009;57(8):1352–64.
[13] Boneh D, Lynn B, Shacham H. Short signatures from the Weil pairing. In: Advances in cryptology: Asiacrypt’01. LNCS, vol. 2248. Springer-Verlag; 2001. p. 514–32.
[14] Boneh D, Franklin M. Identity-based encryption from the Weil pairing. In: Advances in cryptology: Crypto’01. LNCS, vol. 2139. Springer-Verlag; 2001. p. 213–29.
[15] Schuldt JCN, Matsuura K, Paterson KG. Proxy signatures secure against proxy key exposure. In: PKC’08. LNCS, vol. 4989. Springer-Verlag; 2008. p. 141–61.
[16] PBC Library: the pairing-based cryptography library. Available from: <http://crypto.stanford.edu/pbc>.

Kyung-Ah Shim received her Ph.D. degree in Mathematics from Ewha Womans University, Korea. From 2000 to 2008, she was a senior researcher at KISA and then a research professor in the Department of Mathematics at Ewha Womans University, respectively. In September 2008, she joined the National Institute for Mathematical Sciences as a senior researcher. Her research interest is cryptography.