Mobile Information Systems

Volume 2015 (2015), Article ID 626415, 11 pages

http://dx.doi.org/10.1155/2015/626415

## Server-Aided Verification Signature with Privacy for Mobile Computing

^{1}School of Computer Science and Engineering, South China University of Technology, Guangzhou 510006, China
^{2}School of Computer Science and Educational Software, Guangzhou University, Guangzhou 510006, China
^{3}Khalifa University of Science, Technology and Research, P.O. Box 127788, Abu Dhabi, UAE

Received 6 May 2014; Accepted 1 September 2014

Academic Editor: David Taniar

Copyright © 2015 Lingling Xu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

With the development of wireless technology, much data communication and processing is now conducted on mobile devices with wireless connections. Although mobile devices will keep improving in absolute ability, they will always be resource-poor relative to static ones, so some expensive computational tasks are beyond their constrained resources. To address this problem, server-aided computing has been studied, in which a power-constrained mobile device outsources expensive computation to a server with powerful resources in order to reduce its own computational load. However, in existing server-aided verification signature schemes the server can learn some information about the message-signature pair being verified, which is undesirable, especially when the message contains secret information. In this paper we study server-aided verification signatures with privacy, in which the message-signature pair to be verified is protected from the server. Two definitions of privacy for server-aided verification signatures are presented, both under collusion attacks between the server and the signer. Then, based on existing signatures, two concrete server-aided verification signature schemes with privacy are proposed, and both are proved secure.

#### 1. Introduction

Recent advances in wireless technology have led to mobile computing [1, 2], a technology that enables access to digital resources at any time and from any location. In mobile computing, much data communication and processing is conducted on wirelessly connected mobile devices such as cell phones, security access cards, and sensors; mobile computing thus removes the time-and-place restrictions imposed by desktop computers and wired networks. Mobile devices must be light and small to be carried around easily. Such considerations, together with a given cost and level of technology, exact a penalty in the computational resources of mobile devices, such as processor speed. While mobile devices will improve in absolute ability, they will always be computationally weak relative to static ones. As a consequence there are tasks, which could potentially enlarge a device's range of application, that are beyond its reach. A natural solution is to outsource computations that are too expensive for one device to other devices that are more powerful or more numerous and connected to it. For example, consider a sensor that is presented with an access card, sends it a random challenge, and receives a digital signature on that challenge. The computation required to verify the signature involves public-key operations that are too expensive in both time and space for the sensor to run; instead, it can outsource the verification to a powerful device in order to reduce its computational load. Recently, with the development of cloud computing, server-aided computation, which enables power-constrained devices to outsource expensive computational tasks to a server, has received widespread attention. Related work such as server-aided delegated computation [3–8] and server-aided verification signatures [9–16] has been widely studied.
Delegated computation is a protocol between two polynomial-time parties, a client and a server, that collaborate on the computation of a function . Concretely, the client wants the server to compute for any input instance through the delegated computation protocol, and it verifies the correctness of the result returned by the server. A key requirement is that the work performed by the client to generate and verify work instances must be substantially cheaper than performing the computation on its own.

A server-aided verification signature scheme consists of a digital signature scheme and a server-aided verification protocol. Signatures are verified by executing the server-aided verification protocol with the server, where the verification requires less computation than the original verification algorithm of the digital signature. Unlike delegated computation, existing server-aided verification signature schemes achieve the soundness of the server-aided verification protocol under their security definitions, namely, an untrusted server cannot convince the verifier that an invalid signature is valid, even though the verifier cannot directly verify the results computed by the server. The notion of server-aided verification signature was first introduced by Quisquater and de Soete [10] for speeding up RSA verification with a small exponent. Lim and Lee [11] then extended this idea to discrete-logarithm based schemes, proposing efficient protocols for speeding up the verification of discrete-logarithm based identity proofs and signatures. Girault and Quisquater [13] introduced a different approach to server-aided verification signature which requires neither precomputation nor randomization. Its security remains computational, based on the hardness of a subproblem (viz. factorization) of the initial underlying problem (viz. composite discrete logarithm). Hohenberger and Lysyanskaya [17] addressed the situation in which the server is made of two untrusted software components that are assumed not to communicate with each other. Girault and Lefranc [14] presented a generic server-aided verification protocol for digital signatures from bilinear maps, which has been used to construct many digital signature schemes such as [18–23].

As to the security of server-aided verification signatures, many efforts have been devoted to defining strong security models for them. The schemes [10, 11, 13, 14] considered the security property under the assumption that the malicious server does not hold any valid signature on the message when it tries to prove an invalid signature on that message to be valid. Among them, the scheme [13] is computationally secure based on the hardness of a subproblem of the complexity problem underlying the original signature scheme. To give a stronger definition of this property, Wu et al. [15] formally defined this security assuming that the malicious server may collude with the signer and obtain the signer's secret key. They first introduced and defined the existential unforgeability of server-aided verification signatures and considered collusion between a signer and a server who collaboratively prove an invalid signature to be valid. In addition, under their security models, they introduced server-aided verification for the Waters signature [21] and the BLS signature [18], respectively.

Though the existing server-aided verification signature schemes above have devoted many efforts to their security models, they only considered soundness, which protects against a malicious server who may try to prove an invalid signature on a message to be valid. However, in applications where the message-signature pair to be verified contains sensitive information, for example, when the message contains important business secrets or is related to medical information, the verifier does not want the server to learn anything about the message and/or the signature. So, besides soundness, message privacy of the server-aided verification protocol is also desired. Although Wu et al. [15] presented two SA verification signature schemes based on the Waters signature [21] and the BLS signature [18] (see Section 4 in [15]) in which the message to be verified is not revealed to the server, those schemes do not achieve soundness under collusion and adaptive chosen message attacks.

In this paper, we present two privacy definitions for server-aided verification signatures under collusion between the server and the signer together with adaptive chosen message attacks. A server-aided verification signature scheme with privacy also consists of a digital signature scheme and a server-aided verification protocol.

(1) The first privacy definition for server-aided verification signatures is message privacy; namely, the server cannot learn anything about the message to be verified during the server-aided verification protocol even if it possesses the signer's secret key. Generally, when the verifier wants the server to help verify a message-signature pair, it "blinds" the message at the beginning of the server-aided verification protocol so that the server cannot obtain any information about it, while the verifier can still check the validity of the message-signature pair from the server's responses.

(2) The second privacy definition is message-signature privacy, which is stronger than the first: the server learns nothing about the message-signature pair to be verified even if it colludes with the signer. To achieve this privacy, the verifier similarly "blinds" the message-signature pair at the beginning of the server-aided verification protocol so that the server cannot obtain any information about the message or the signature, while the verifier can still check the validity of the pair after the server responds.

For the two privacy notions, we present detailed and strict security models. Then, under the security models, we present two concrete constructions for server-aided verification signature based on Waters signature [21] and BLS signature [18] which, respectively, achieve message privacy and message-signature privacy. The soundness of the two constructions is proved under the strong definition of [15] assuming that the malicious server may collude with the signer and obtain the secret key of the signer. In addition, the efficiency analysis of the server-aided verification protocols shows that our two concrete server-aided verification signature schemes are both computation saving. Computation saving is probably the most obvious property that can distinguish a server-aided verification signature scheme SAV- from an ordinary signature scheme . This property enables the verifier in SAV- to check the validity of signatures in a more computationally efficient way than that in .

*Organization*. This paper is organized as follows. In Section 2, we review the necessary background, the definition of server-aided verification signatures, and the security notions defined in [15], including existential unforgeability and soundness against collusion and adaptive chosen message attacks. In Section 3, we define the message privacy of server-aided verification signatures, give a concrete construction based on the Waters signature scheme, and prove its security under our security model for message privacy. In Section 4, a stronger privacy notion for server-aided verification signatures, named message-signature privacy, is defined and a provably secure concrete construction based on the BLS signature scheme is presented. Finally we conclude in Section 5.

#### 2. Preliminaries

##### 2.1. Syntax

Throughout the paper, if is a randomized algorithm, then denotes the assignment to of the output of on input . Unless noted, all algorithms are probabilistic polynomial-time (PPT) and we implicitly assume that they take an extra parameter in their input, where is a security parameter.

##### 2.2. Bilinear Maps

Let , be two (multiplicative) cyclic groups such that , where is a large prime. Let be a generator of , and let be an admissible bilinear map: , satisfying, for all , the bilinearity condition ; the non-degeneracy condition ; and efficient computability.

We say that () are bilinear groups if such a bilinear map exists and the group operations in and can be computed efficiently. Such groups can be built from the Weil or Tate pairing on elliptic curves.

##### 2.3. Server-Aided Verification Signature

A server-aided verification signature scheme SAV- consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The first four algorithms are the same as those in an ordinary signature scheme . SAV- involves three parties: a signer, a verifier, and a server.

(i) ParamGen. This algorithm takes a security parameter as input and returns a string , which denotes the common scheme parameters, including the description of the message space and the signature space .

(ii) KeyGen. This algorithm takes as input and outputs a key pair , where is the signing key and is the verification key.

(iii) Sign. The signer takes a message , the system parameter and the key pair as inputs and outputs a signature .

(iv) Verify. The verifier takes the parameter , a message-signature pair and the public key as inputs and outputs Valid/Invalid to indicate that is a valid/invalid signature on under .

(v) SA-Verifier-Setup. The verifier takes the system parameter as input and outputs a string VString, which contains the information that it can precompute.

(vi) SA-Verify. This is an interactive protocol between the server and the verifier, where the server takes as input and the verifier takes as inputs. Finally, the verifier outputs Valid if the server can convince it that is a valid signature on ; otherwise, the verifier outputs Invalid.

In a SA verification signature scheme we assume that the verifier has limited computational ability and is not able to perform all the computations in Verify alone. So, a SA verification signature scheme must satisfy an important property called computation saving, which requires that the computation performed by the verifier in SA-Verify be less than that performed in Verify.

##### 2.4. Security Model for Server-Aided Verification Signature

In the following, we present the security model for SAV- (the message privacy model itself is given in Section 3). For the existential unforgeability of SAV- we adopt the definition of [15], which comprises the existential unforgeability against adaptive chosen message attacks of defined in [24] and the soundness of SA-Verify against collusion and adaptive chosen message attacks. Existential unforgeability of SAV- as in [15] requires that the adversary should not be (computationally) capable of producing a signature on a new message that SA-Verify accepts as valid, even if the adversary acts as the server.

*Definition 1 (existential unforgeability against adaptive chosen message attacks of ). *The adversary and the challenger play the following game.

(i) *Setup*. The challenger runs the algorithms ParamGen and KeyGen to obtain the system parameter and one key pair . The adversary is given and .

(ii) *Queries*. The adversary is allowed to make at most sign queries. For each sign query , the challenger returns as the response.

(iii) *Output*. Eventually, the adversary outputs a pair and wins the game if (1) ; (2) Verify = Valid.

An adversary is said to -break a signature scheme if runs in time at most , makes at most signature queries, and wins the game above with probability at least .

We say that is existentially unforgeable against adaptive chosen message attacks if there exists no adversary that -breaks it.

In the following, we will present the soundness against collusion and adaptive chosen message attacks of SA-Verify which means that the server cannot prove an invalid signature to be valid even if it colludes with the signer.

*Definition 2 (soundness against collusion and adaptive chosen message attacks of ). *The adversary and the challenger play the following game.

(i) *Setup*. The challenger runs the algorithms ParamGen, KeyGen, and SA-Verifier-Setup to obtain the system parameter , one key pair , and VString. The adversary is given and .

(ii) *Queries*. Proceeding adaptively, the adversary is allowed to make at most server-aided verification queries. The challenger responds by executing SA-Verify with the adversary , where the adversary acts as the server and the challenger acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary .

(iii) *Output*. Eventually, the adversary outputs a message . The challenger chooses a random invalid signature on the message ; namely, it chooses a random element in , where and are, respectively, the signature space and the set of valid signatures of . We say that wins the game if

An adversary is said to -break SA-Verify’s soundness against collusion and chosen message attacks if runs in time at most , makes at most server-aided verification queries and the success probability to win the game above is at least .

We say that SA-Verify is -sound against collusion and chosen message attacks if there exists no adversary that -breaks it.

#### 3. Server-Aided Verification Signature with Message Privacy

In this section, we present the definition of message privacy for SA-Verify and then, based on the Waters signature scheme [21], present a concrete server-aided verification scheme with this privacy property. The property is called *message privacy against collusion and adaptive chosen message attacks*. In this definition, the server is allowed to collude with the signer: concretely, the server can obtain the signer's key pair and can therefore create a signature on any message. In addition, we assume that the server cannot obtain the message-signature pairs that the signer has created before; equivalently, the signer does not store any message-signature pair it has created. (In practice, this can be achieved by running the blind signature scheme of [25] between the signer and the verifier instead of the ordinary signature scheme. After the blind signing, the verifier holds an ordinary message-signature pair about which the signer has learned nothing. The verifier then lets the server help verify this pair by running SA-Verify. In this sense, even if the server colludes with the signer, it cannot obtain more information about the signed messages from the signer than it could obtain on its own. To state our privacy definition below more clearly, we simply assume that the server cannot obtain any message-signature pair the signer has previously created for the verifier.)

##### 3.1. Definition of Message Privacy

A server-aided verification signature scheme with message privacy SAV- also consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The following is the definition of message privacy for the server-aided verification protocol under the collusion and adaptive chosen message attacks. In this definition, the server cannot obtain any information about the message to be verified under the collusion and adaptive chosen message attacks.

*Definition 3 (message privacy of ). *We say that SA-Verify satisfies -message privacy against collusion and adaptive chosen message attacks if there exists no adversary who runs in time at most , makes at most server-aided verification queries, and succeeds with probability at least in the following game with the challenger .

(i) *Setup*. The challenger runs the algorithms ParamGen, KeyGen, and SA-Verifier-Setup to obtain the system parameter *param*, one key pair , and VString. The adversary is given *param* and . Note that can generate any message-signature pair with the key pair ; however, as assumed above, it cannot obtain any message-signature pair that the signer has created before.

(ii) *Queries*. Proceeding adaptively, the adversary is allowed to make at most server-aided verification queries. The challenger responds by executing SA-Verify with the adversary , where the adversary acts as the server and the challenger acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary .

(iii) *Challenge*. outputs two messages , , and sends them to the challenger . chooses a bit at random and also chooses an element either randomly from or randomly from , where and are, respectively, the signature space of and . Then and interact with each other by running SA-Verify, where plays the server and plays the verifier. After the interaction, sends the output of SA-Verify to .

(iv) *Output*. Finally, outputs a bit . We say that wins the game with probability if

As in Wu et al. [15], in the Setup phase of the game above VString is not given to the adversary, who is acting as the server, since VString may contain private information of the verifier that must be kept secret in server-aided verification signatures. In the game the adversary acts as the server and the challenger acts as the verifier, so the server-aided verification queries are the only channel through which the adversary may try to extract information about VString.

##### 3.2. Concrete SA Verification Signature with Message Privacy

In the following, we present a concrete SA verification signature scheme with message privacy based on the Waters signature [21]. The scheme SAV- consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify; the first four are the same as in the Waters signature scheme [21]. Thanks to the elegant properties of pairing computation on elliptic curves, pairings have been widely employed as a building block in many cryptographic schemes, in particular in the construction of digital signatures. However, computing a pairing on an elliptic curve is much more expensive than an exponentiation together with a multiplication [16, 26–30], so for a power-constrained verifier that must execute several pairing computations to verify one message-signature pair, reducing this load is a meaningful task. In the Waters signature [21] the verifier has to compute two pairings; in SAV- its computational load is reduced and it computes no pairing at all. The concrete SA verification signature with message privacy based on the Waters signature is described in detail as follows.

(i) ParamGen. Let be a security parameter, be bilinear groups where for some prime number , and be a generator of . is a bilinear mapping. The system parameters are and the message space is .

(ii) KeyGen. Given the system parameters , the signer chooses a random element , and generates the public key as and , where is a vector consisting of elements randomly selected in and .

(iii) Sign. For an -bit message , let be the set of all for which the th bit of is 1. The signer selects a random element and generates the signature as .

(iv) Verify. The verifier takes as input a claimed message-signature pair and outputs Valid if and only if . Otherwise it outputs Invalid.

(v) SA-Verifier-Setup. The verifier takes the system parameters as input and computes as VString.

(vi) SA-Verify. This is an interactive protocol between the server and the verifier, shown in Algorithm 1.

(1) Verifier: for a message-signature pair to be verified, first computes ; then selects randomly and blinds the message by computing , ; finally sends to the server.

(2) Server: computes , and returns to the verifier.

(3) Verifier: checks the equation , and outputs Valid if it holds and Invalid otherwise.
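As an added example that is not part of the paper and is not the authors' own protocol, the following Python block puts Sections 2.2 and 3.2 together in runnable form. It implements a small type-1 pairing (the Tate pairing on the supersingular curve y^2 = x^3 + x over F_p with the distortion map (x, y) -> (-x, i*y), one of the Weil/Tate-style constructions Section 2.2 refers to), checks bilinearity and non-degeneracy, builds the Waters signature on top of it, and then runs a server-aided verification in which the verifier blinds H(m) and the first signature component with a fresh exponent t, asks the server for two pairings, and finishes the check with group exponentiations only, so the verifier never computes a pairing. Assumptions: the parameters p = 1051 and n = 263 are toy values with no security; the concrete SA-Verify exchange (what is blinded, what the server returns, the final check) is our own illustrative construction, since the paper's Algorithm 1 is not reproduced on this page; and VString is taken to be the cached value e(g1, g2), which depends on the signer's public key rather than on the parameters alone as in the paper's SA-Verifier-Setup. The block shows the protocol flow and the computation-saving property; it proves nothing about privacy or soundness, which are the paper's claims for its own protocol.

```python
# Added example, not code from the paper: a toy type-1 pairing, the Waters signature on
# top of it, and an illustrative server-aided verification with a blinded message.
# The parameters are tiny and give NO security; they only exercise the algebra.
import random

p = 1051   # prime with p = 3 (mod 4): y^2 = x^3 + x is supersingular, #E(F_p) = p + 1 = 4 * 263
n = 263    # prime order of the subgroup used; n | p + 1, so the embedding degree is 2

# F_{p^2} = F_p[i]/(i^2 + 1); an element is a pair (a, b) meaning a + b*i
ONE = (1, 0)
def fadd(x, y): return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)
def fsub(x, y): return ((x[0] - y[0]) % p, (x[1] - y[1]) % p)
def fmul(x, y): return ((x[0] * y[0] - x[1] * y[1]) % p, (x[0] * y[1] + x[1] * y[0]) % p)
def finv(x):   # (a + bi)^-1 = (a - bi) / (a^2 + b^2)
    d = pow(x[0] * x[0] + x[1] * x[1], p - 2, p)
    return (x[0] * d % p, -x[1] * d % p)
def fpow(x, e):
    r = ONE
    while e:
        if e & 1: r = fmul(r, x)
        x, e = fmul(x, x), e >> 1
    return r

# E(F_{p^2}): a point is (x, y) with x, y in F_{p^2}; None is the point at infinity.
# The curve group is written additively here; k*T is "T^k" in the paper's notation.
def slope(T, U):   # tangent slope at T if T == U, else slope of the chord through T and U
    if T == U:
        return fmul(fadd(fmul((3, 0), fmul(T[0], T[0])), ONE), finv(fmul((2, 0), T[1])))
    return fmul(fsub(U[1], T[1]), finv(fsub(U[0], T[0])))
def padd(T, U):
    if T is None: return U
    if U is None: return T
    if T[0] == U[0] and fadd(T[1], U[1]) == (0, 0): return None   # U == -T
    lam = slope(T, U)
    x3 = fsub(fsub(fmul(lam, lam), T[0]), U[0])
    return (x3, fsub(fmul(lam, fsub(T[0], x3)), T[1]))
def pmul(k, T):
    R = None
    while k:
        if k & 1: R = padd(R, T)
        T, k = padd(T, T), k >> 1
    return R

# Tate pairing e(P, Q) = f_{n,P}(phi(Q))^((p^2 - 1)/n) by Miller's algorithm, with the
# distortion map phi(x, y) = (-x, i*y). Vertical-line denominators are dropped: they lie
# in F_p because x(phi(Q)) is in F_p, and the final exponent is a multiple of p - 1.
def line(T, U, Q):   # the line through T and U (tangent if T == U), evaluated at Q
    if T[0] == U[0] and fadd(T[1], U[1]) == (0, 0):
        return fsub(Q[0], T[0])   # vertical line; an F_p value, killed by the final power
    return fsub(fsub(Q[1], T[1]), fmul(slope(T, U), fsub(Q[0], T[0])))
def pairing(P, Q):
    if P is None or Q is None: return ONE          # e(O, Q) = e(P, O) = 1
    Qd = ((-Q[0][0] % p, 0), (0, Q[1][0]))         # phi(Q) for an F_p-rational Q
    f, T = ONE, P
    for bit in bin(n)[3:]:                          # bits of n after the leading 1
        f, T = fmul(fmul(f, f), line(T, T, Qd)), padd(T, T)
        if bit == "1":
            f, T = fmul(f, line(T, P, Qd)), padd(T, P)
    return fpow(f, (p * p - 1) // n)

def subgroup_generator():   # order-n point: 4 times an F_p-point whose order does not divide 4
    for x in range(1, p):
        rhs = (x ** 3 + x) % p
        if pow(rhs, (p - 1) // 2, p) == 1:        # quadratic residue, so a point exists
            R = pmul(4, ((x, 0), (pow(rhs, (p + 1) // 4, p), 0)))
            if R is not None: return R

# Waters signature over the toy pairing (8-bit messages for brevity)
g = subgroup_generator()
K = 8
def rand_point(): return pmul(random.randrange(1, n), g)
params = {"g2": rand_point(), "u0": rand_point(), "u": [rand_point() for _ in range(K)]}
def waters_hash(m):   # H(m) = u' * prod_{i : bit i of m is 1} u_i
    h = params["u0"]
    for i in range(K):
        if (m >> i) & 1: h = padd(h, params["u"][i])
    return h
def keygen():
    a = random.randrange(1, n)
    return pmul(a, g), pmul(a, params["g2"])        # pk = g^a, sk = g2^a
def sign(sk, m):
    r = random.randrange(1, n)
    return padd(sk, pmul(r, waters_hash(m))), pmul(r, g)   # (g2^a * H(m)^r, g^r)
def verify(pk, m, sig):   # plain Waters check, three pairings on the verifier's side
    s1, s2 = sig
    return pairing(s1, g) == fmul(pairing(pk, params["g2"]), pairing(waters_hash(m), s2))

# Illustrative server-aided verification (our construction, not the paper's Algorithm 1).
def sa_verifier_setup(pk):   # VString: cache e(g1, g2) once; assumed to be derived from pk here
    return pairing(pk, params["g2"])
def server(A, B, s2):   # the server sees only blinded inputs and returns two pairings
    return pairing(A, g), pairing(B, s2)
def sa_verify(vstring, m, sig, srv=server):
    s1, s2 = sig
    t = random.randrange(1, n)                       # fresh secret blinding exponent
    pi1, pi2 = srv(pmul(t, s1), pmul(t, waters_hash(m)), s2)   # send (s1^t, H(m)^t, s2)
    return pi1 == fmul(fpow(vstring, t), pi2)        # e(s1, g)^t == e(g1, g2)^t * e(H(m)^t, s2)
```

In `verify` the verifier performs three pairings (one of them, e(g1, g2), is message-independent and cacheable); in `sa_verify` it performs two curve scalar multiplications, one exponentiation and one multiplication in the target group, and no pairing, which is the computation-saving property of Section 2.3. Because t is coprime to n, a dishonest server that returns arbitrary values, or a tampered signature, fails the final equation; trying `sa_verify` with a server that returns the identity pair, or with a signature whose first component has been altered, makes this concrete. Whether the blinding hides the message from a server that also holds the signing key is exactly the question the paper's Definition 3 and its proof address for the paper's own protocol, and this toy does not answer it.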