Server-Aided Verification Signature with Privacy for Mobile Computing

Xu, Lingling; Li, Jin; Tang, Shaohua; Baek, Joonsang

doi:https://doi.org/10.1155/2015/626415

Mobile Information Systems

On this page

Abstract Introduction Preliminaries Conclusion Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2015 | Article ID 626415 | https://doi.org/10.1155/2015/626415

Server-Aided Verification Signature with Privacy for Mobile Computing

Lingling Xu,¹Jin Li,²Shaohua Tang,¹and Joonsang Baek³

Academic Editor: David Taniar

Received06 May 2014

Accepted01 Sept 2014

Published11 Mar 2015

Abstract

With the development of wireless technology, much data communication and processing has been conducted in mobile devices with wireless connection. As we know that the mobile devices will always be resource-poor relative to static ones though they will improve in absolute ability, therefore, they cannot process some expensive computational tasks due to the constrained computational resources. According to this problem, server-aided computing has been studied in which the power-constrained mobile devices can outsource some expensive computation to a server with powerful resources in order to reduce their computational load. However, in existing server-aided verification signature schemes, the server can learn some information about the message-signature pair to be verified, which is undesirable especially when the message includes some secret information. In this paper, we mainly study the server-aided verification signatures with privacy in which the message-signature pair to be verified can be protected from the server. Two definitions of privacy for server-aided verification signatures are presented under collusion attacks between the server and the signer. Then based on existing signatures, two concrete server-aided verification signature schemes with privacy are proposed which are both proved secure.

1. Introduction

Recent advances in wireless technology have led to mobile computing [1, 2] which is a technology that enables access to digital resources at any time, from any location. In mobile computing, much data communication and processing is conducted in mobile devices with wireless connection such as cell-phones, security access-cards, and sensors. Therefore, mobile computing represents the elimination of time-and-place restrictions imposed by desktop computers and wired networks. As we know mobile devices must be light and small to be easily carried around. Such considerations, in conjunction with a given cost and level of technology, will exact a penalty in computational resources of mobile devices such as processor speed. While mobile devices will improve in absolute ability, they will always be computationally weak in relation to static ones. As a consequence there are tasks, which potentially could enlarge a device’s range of application, which are beyond its reach. A natural solution is to outsource computations that are too expensive for one device, to other devices which are more powerful or numerous and connected to the device. For example, consider a sensor that is presented with an access-card, sends it a random challenge, and receives a digital signature of the random challenge. The computation is required to verify the signature involves public-key operations which are too expensive in both time and space for the sensor to run. Instead, it could outsource the verification to a powerful device in order to reduce its computational load. Recently, with the development of cloud computing, server-aided computation has received widespread attention which enables power-constrained devices to outsource expensive computational tasks to a server. The related works such as server-aided delegated computation [3–8] and server-aided verification signatures [9–16] have been widely studied. Delegated computation is a protocol between two polynomial-time parties, a client, and a server, to collaborate on the computation of a function . Concretely, the client wants the server to compute for any input instance by the delegated computation protocol and verify the correctness of the results that is returned by the server. A key requirement is that the amount of work performed by the client to generate and verify work instances must be substantially cheaper than performing the computation on its own.

A server-aided verification signature scheme consists of a digital signature scheme and a server-aided verification protocol. Signatures can be verified by executing the server-aided verification protocol with the server, where the verification requires less computation than the original verification algorithm of the digital signature. Different to delegated computation, the existing server-aided verification signature schemes can achieve the soundness of the server-aided verification protocol under their security definitions, namely, a trusted server cannot convince the verifier that an invalid signature is valid, and the verifier cannot directly verify the results computed by the server. The notion of server-aided verification signature was first introduced by Quisquater and de Soete [10] for speeding up RSA verification with a small exponent. Then, Lim and Lee [11] extended this idea into discrete-logarithm based schemes, by proposing efficient protocols for speeding up the verification of discrete-logarithm based identity proofs and signatures. Girault and Quisquater [13] introduced a different approach for server-aided verification signature which does not require precomputation or randomization. Its security remains computational, based on the hardness of a subproblem (viz. factorization) of the initial underlying problem (viz. composite discrete logarithm). Hohenberger and Lysyanskaya [17] addressed the situation in which the server is made of two untrusted softwares, which are assumed not to communicate with each other. Girault and Lefranc [14] presented a generic server-aided verification protocol for digital signatures from bilinear maps which has been used to construct many digital signature schemes such as [18–23].

As to the security of server-aided verification signature, many efforts have been devoted to defining strong security models for it. The schemes [10, 11, 13, 14] considered the security property based on the assumption that the malicious server does not have any valid signatures on the message when it tries to prove an invalid signature of that message to be valid. Among them, the scheme [13] is computationally secure based on the hardness of a subproblem of the underlying complexity problem in the original signature scheme. To give stronger definition of this property, Wu et al. [15] formally defined this security assuming that the malicious server may collude with the signer and obtain the secret key of the signer. They first introduced and defined the existential unforgeability of server-aided verification signatures and considered collusion between a signer and a server, who collaboratively prove an invalid signature to be valid. In addition, under their security models, they introduced the server-aided verification for the Waters signature [21] and the BLS signature [18], respectively.

Though the existing server-aided verification signature schemes above have been devoted many efforts to their security models, they only considered the soundness to protect the malicious server who may try to prove an invalid signature of a message to be valid. However, in some applications where the message-signature to be verified contains some sensitive information, for example, the message contains important business secrets or is related to medical information, the verifier does not want the server learn anything about the message and/or the signature to protect its privacy. So, the message privacy of the server-aided verification protocol is also desired besides the soundness. Though in Wu et al. [15], based on Waters Signature [21] and BLS signature [18], two SA verification signature schemes (see Section 4 in [15]) were presented in which the message to be verified is not revealed to the server, the schemes cannot achieve the soundness under collusion and adaptively chosen message attacks.

In this paper, we will present two privacy definitions for server-aided verification signature under collusion by the server and the signer and adaptive chosen message attacks. A server-aided verification signature scheme with privacy also consists of a digital signature scheme and a server-aided verification protocol.(1)The first privacy definition for the server-aided verification signature is about message privacy; namely, the server cannot learn anything about the message to be verified during the server-aided verification protocol even if it possesses the secret key of the signer. Generally, when the verifier wants the server to verify a message-signature pair, it will “blind” this message at the beginning of the server-aided verification protocol so that the server cannot obtain any information about this message, while it can verify the validity of the message-signature pair by using the server’s responses.(2)The second privacy definition for the server-aided verification signature is about message-signature privacy which is stronger than the first one, and in this definition, the server can learn nothing about the message-signature pair to be verified even if it colludes with the signer. To achieve this privacy, similarly, the verifier will “blind” the message-signature pair at the beginning of the server-aided verification protocol so that the server cannot obtain any information about the message or the signature; however it can verify the validity of the message-signature pair after the server responds.

For the two privacy notions, we present detailed and strict security models. Then, under the security models, we present two concrete constructions for server-aided verification signature based on Waters signature [21] and BLS signature [18] which, respectively, achieve message privacy and message-signature privacy. The soundness of the two constructions is proved under the strong definition of [15] assuming that the malicious server may collude with the signer and obtain the secret key of the signer. In addition, the efficiency analysis of the server-aided verification protocols shows that our two concrete server-aided verification signature schemes are both computation saving. Computation saving is probably the most obvious property that can distinguish a server-aided verification signature scheme SAV- from an ordinary signature scheme . This property enables the verifier in SAV- to check the validity of signatures in a more computationally efficient way than that in .

Organization. This paper is organized as follows. In Section 2, we will review some fundamental backgrounds, the definition of server-aided verification signatures and the security notions defined in [15] including existential unforgeability and soundness against collusion and adaptive chosen message attacks. In Section 3, we will present the message privacy of server-aided verification signatures, give a concrete construction based on Waters signature scheme, and prove its security under our security model for message privacy. In Section 4, a stronger privacy of server-aided verification signatures named message-signature privacy will be defined and a provably secure concrete construction will be presented based on BLS signature scheme. Finally we conclude in Section 5.

2. Preliminaries

2.1. Syntax

Throughout the paper, if is a randomized algorithm, then denotes the assignment to of the output of on input . Unless noted, all algorithms are probabilistic polynomial-time (PPT) and we implicitly assume that they take an extra parameter in their input, where is a security parameter.

2.2. Bilinear Maps

Let , be two (multiplicative) cyclic groups such that , where is a large prime. Let be a generator of , and be an admissible bilinear map: , satisfying for all ; it holds that ; ; and it is efficiently computable.

We say that () are bilinear groups if there exists the bilinear map as above, and the group action in and can be computed efficiently. Such groups can be built from Weil pairing or Tate pairing on elliptic curves.

2.3. Server-Aided Verification Signature

A server-aided verification signature scheme SAV- consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The first four algorithms are the same as those in an ordinary signature scheme . SAV- contains three parties, respectively, a signer, a verifier, and a server.(i) ParamGen. This algorithm takes a security parameter and returns a string as input, which denotes the common scheme parameters, including the description of the message space and the signature space .(ii). This algorithm takes as input and outputs a key pair , where is the signing key and is the verification key.(iii). The signer takes a message , the system parameter and the key pair as inputs, outputs a signature .(iv). The verifier takes the parameter , a message-signature pair and the public key , outputs Valid/Invalid to indicate that is a valid/invalid signature on under .(v). The verifier takes as input the system parameter and outputs a string VString which contains the information which can be precomputed by it.(vi). This is an interactive protocol between the server and the verifier where the server takes as input and the verifier takes as inputs. Finally, the verifier outputs Valid if the server can convince it that is a valid signature on . Otherwise, the verifier outputs Invalid.In a SA verification signature scheme, we assume that the verifier has a limited computational ability and is not able to perform all computations in Verify alone. So, a SA verification signature scheme must satisfy an important property called computation saving property, which requires that the computations performed by the verifier in SA-Verify must be less than those performed in Verify.

2.4. Security Model for Server-Aided Verification Signature

In the following, we will first present the security model for SAV- with message privacy. As for the existential unforgeability of SAV-, we will adopt existential unforgeability of SAV- defined in [15], including the existential unforgeability against adaptive chosen message attacks of defined in [24] and the soundness against collusion and adaptive chosen message attacks of SA-Verify. In the following, we will present the existential unforgeability of SAV- as [15]. It requires that the adversary should not be (computationally) capable of producing a signature of a new message which can be proved as valid by SA-Verify, even if the adversary acts as a server.

Definition 1 (existential unforgeability against adaptive chosen message attacks of ). The adversary and the challenger play the following game. (i)Setup. The challenger runs the algorithms ParamGen and KeyGen to obtain system parameter and one key pair . The adversary is given and .(ii)Queries. The adversary is allowed to make at most sign queries. For each sign query , the challenger returns as the response.(iii)Output. Eventually, the adversary outputs a pair and wins the game if:(1);(2)Verify = Valid.
An adversary is said to -break a signature scheme if runs in time at most and makes at most signature queries and the success probability to win the game above is at most .
We say that is existentially unforgeable against adaptive chosen message attacks if there exists an adversary that -breaks it.

In the following, we will present the soundness against collusion and adaptive chosen message attacks of SA-Verify which means that the server cannot prove an invalid signature to be valid even if it colludes with the signer.

Definition 2 (soundness against collusion and adaptive chosen message attacks of ). The adversary and the challenger play the following game. (i)Setup. The challenger runs the algorithms ParamGen, KeyGen, and SA-Verifier-Setup to obtain the system parameter , one key pair and VString. The adversary is given and .(ii)Queries. Proceeding adaptively, the adversary is allowed to make at most server-aided verification queries. The challenger responds by executing SA-Verify with the adversary , where the adversary acts as the server and the challenger acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary .(iii)Output. Eventually, the adversary outputs a message . The challenger chooses a random invalid signature on the message . Namely, it chooses a random element in , where and are, respectively, the signature space and the set of valid signatures of . We say that wins the game if
An adversary is said to -break SA-Verify’s soundness against collusion and chosen message attacks if runs in time at most , makes at most server-aided verification queries and the success probability to win the game above is at least .

We say that SA-Verify is -sound against collusion and chosen message attacks if there exists no adversary that -breaks it.

3. Server-Aided Verification Signature with Message Privacy

In this section, we will present the definition of message privacy for SA-Verify, and then, based on Waters signature scheme [21], present a concrete server-aided verification scheme with this privacy property. This privacy property is called message privacy against collusion and adaptive chosen message attacks. In this definition, the server is allowed to collude with the signer. Concretely, the server can obtain the key pair of the signer and therefore can create the signature on any message. In addition, we will assume that the server cannot obtain the message-signature pairs that have been created by the signer before, alternatively, the signer will not store any message-signature pair that it has created. (Actually, this can be achieved by performing blind signature scheme presented in [25] between the signer and the verifier instead of performing the ordinary signature scheme. After the blind signature scheme, the verifier can obtain the ordinary message-signature pair without the signer learning anything about this pair. Then the verifier lets the server to verify the message-signature pair by performing SA-Verify. In this sense, even if the server colludes with the signer, it cannot obtain more information about the signed messages from the signer than it can obtain on its own. To clarify our privacy definition below more clearly, we simply assume that the server cannot obtain any message-signature pair which the signer has created for the verifier before.)

3.1. Definition of Message Privacy

A server-aided verification signature scheme with message privacy SAV- also consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The following is the definition of message privacy for the server-aided verification protocol under the collusion and adaptive chosen message attacks. In this definition, the server cannot obtain any information about the message to be verified under the collusion and adaptive chosen message attacks.

Definition 3 (message privacy of ). We say that SA-Verify satisfies -message privacy against collusion and adaptive chosen message attacks if there exists no adversary who runs in time at most , makes at most server-aided verification queries, and succeeds with probability at least in the following game with the challenger . The game is defined as follows. (i)Setup. The challenger runs the algorithms ParamGen, KeyGen and SA-Verifier-Setup to obtain system parameter param, one key pair , and VString. The adversary is given param and . Note that can generate any message-signature pair with the secret-public key pair ; however as we assumed, it cannot obtain any message-signature pair that has been created by the signer before.(ii)Queries. Proceeding adaptively, the adversary is allowed to make at most server-aided verification queries. The challenger responds by executing SA-Verify with the adversary , where the adversary acts as the server and the challenger acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary .(iii)Challenge. outputs two messages , , and sends them to the challenger . chooses a bit at random and also chooses an element either randomly from or randomly from , where and are, respectively, the signature space of and . Then and interact with each other by running SA-Verify, where plays as a server and plays as a verifier. After the interaction, sends the output of SA-Verify to .(iv)Output. Finally, outputs a bit . We say that wins the game with probability if

Similar to Wu et al. [15], in the protocol Setup of the game above, VString is not provided to the adversary who now is acting as a server since VString might contain some private information of the verifier, which must be kept secret in server-aided verification signatures. In the definition, adversary acts as the server and the challenger acts as the verifier which will help to extract some information from VString.

3.2. Concrete SA Verification Signature with Message Privacy

In the following, we will first present a concrete SA verification signature scheme with message privacy based on Waters signature [21]. The SA verification signature scheme with message privacy SAV- consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The first four algorithms are the same as those in Waters signature scheme [21]. As we know that, due to the elegant properties of pairing computation on elliptic curves, pairing has been widely employed as a building block for lots of cryptographic schemes, in particular in the construction of digital signatures. However, performing a pairing on an elliptic curve requires much more computational cost than executing both an exponentiation and a multiplication [16, 26–30], and for a power-constrained verifier who must execute multiple pairing computations during the verification of a message-signature pair, reducing the computational load of it is a meaningful task. In Waters signature [21], the verifier has to compute two pairings; however in SAV-, its computational load is reduced and it will not compute any pairing. The concrete SA verification signature with message privacy based on Waters signature is described in detail as follows.(i) ParamGen. Let be a security parameter, be bilinear groups where for some prime number and be a generator of . is a bilinear mapping. The system parameters are and the message space is .(ii). Given the system parameters , the signer chooses a random element , generates the public key as and where is a vector consisting of elements randomly selected in and .(iii). For an -bit message , let be the set of all for which the th bit of is 1. The signer selects a random element and generates the signature as .(iv). The verifier takes as input a claimed message-signature pair , and outputs Valid if and only if . Otherwise it outputs Invalid.(v) -Setup. The verifier takes as inputs the system parameters and computes as VString.(vi). This is an interactive protocol between the server and the verifier which is shown in Algorithm 1.(1)Verifier, for a message-signature pair to be verified, first computes ; then selects randomly , and blinds the message by computing , ; finally sends to the verifier.(2)Server computes , and returns to the verifier.(3)Verifier checks the equation , and outputs Valid if it holds, and otherwise outputs Invalid.

Verifier (param, ) Server (param)
Input: (, = (, )), pk = (, PK)
= ,
, =

= , ,
= , )

Output:
, if = ;
, if otherwise.

Correctness of . For a claimed message-signature pair , when the verifier and the server are both honest, namely, the verifier correctly computes and and the server correctly computes and , then the verification equation holds if the message-signature pair is valid and otherwise does not hold. In the following, we denote :

In the following, by Theorems 4 and 5, we will show that our SA verification signature scheme above is secure under our security model; namely, the SA verification protocol described in Algorithm 1 is sound against collusion and adaptive chosen message attacks and also satisfies message privacy against collusion and adaptive chosen message attacks.

Since Waters signature scheme has been proved existentially unforgeable against adaptive chosen message attacks, in order to prove that our SA verification signature scheme above is secure, we need only to prove that the SA verification protocol described in Algorithm 1 satisfies soundness against collusion and adaptive chosen message attacks defined in Definition 2 and message privacy against collusion and adaptive chosen message attacks.

Theorem 4. The SA verification protocol described in Algorithm 1 satisfies -soundness against collusion and adaptive chosen message attacks.

Proof. In order to prove that the SA verification protocol in Algorithm 1 is -sound against collusion and adaptive chosen message attacks, we will show that the adversary can only prove an invalid signature as valid with at most probability . The challenger and the adversary play the following game.(i) Setup. The challenger generates the system parameters , chooses a random element , and sets and where is a vector consisting of elements randomly selected in and . Then it also computes . Finally the challenger sends to the adversary.(ii) Queries. The adversary is allowed to make at most server-aided verification queries. The challenger responds by executing SA-Verify with the adversary , where the adversary acts as the server and the challenger acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary .(iii) Output. Eventually, the adversary outputs a message . The challenger chooses a random element in , where and are, respectively, the signature space and the set of valid signatures of . Then they interact with each other as described in the SA-Verify protocol. Concretely, the challenger chooses two random elements , computes , and , and sends to the adversary. Then the adversary returns and to the challenger. In the following, we will show that happens with probability . The challenger sends to such that Since the adversary can only obtain from the challenger, from the equation set (5), we can see that the adversary can only obtain with probability . Furthermore, from (6) below, we can directly deduce (7) as follows: Since the adversary can only guess with probability , and is uniquely determined by , the adversary can only give out a pair satisfying (6) with probabitity . This completes the proof of Theorem 4.

Theorem 5. The SA verification protocol in Algorithm 1 satisfies -message privacy against collusion and adaptive chosen message attacks.

Proof. In order to prove that the SA verification protocol in Algorithm 1 satisfies -message privacy against collusion and adaptive chosen message attacks, we will show that the adversary can only succeed with at most the probability in the game with the challenger described as follows.(i) Setup. The challenger generates the system parameter , and the secret key and public key , where is a vector consisting of elements randomly selected in and . Then it also computes . Finally the challenger sends to the adversary.(ii) Queries. The adversary is allowed to make at most server-aided verification queries. The challenger responds by executing SA-Verify with the adversary , and, at the end of each execution, returns the output of SA-Verify to the adversary .(iii) Challenge. outputs two messages and and sends them to the challenger . chooses a bit at random and also chooses either randomly from or randomly from , where and are, respectively, the signature spaces of and . Then and interact with each other by running , where plays as a server and plays as a verifier. Concretely, the challenger chooses two random elements , computes , , and , and sends to the adversary. Then the adversary returns and to the challenger. After the interaction, sends the output of SA-Verify to .(iv) Output. Finally, outputs a bit . We will show that can only succeed with probability . From the equation set (5) in the proof of Theorem 4, we can see that there exist two pairs and satisfying for , and for each , there exist pairs satisfying for . So the adversary cannot obtain anything about . Though the adversary learns which may correspond to or , it only guess correctly with probability . This completes the proof of Theorem 4.

Efficiency Analysis. The SA verification signature with privacy based on Waters signature above is computation saving and efficient. In the following, we will analyze the efficiency of SA-Verify algorithm by comparing that of Waters signature scheme. In Waters signature scheme [21], to verify a message-signature pair , the verifier needs to compute which takes multiplications in , which takes 1 multiplication in , and two pairings and . However, in our server-aided verification signature scheme, the verifier can first precompute a pairing which can be used by multiple SA-Verify protocols. Then in a SA-Verify protocol, we can see that the verifier needs to compute totally 3 exponentiations in and 1 exponentiation in as well as multiplications in and 3 multiplications in . As we know that, performing a pairing on an elliptic curve requires much more computational cost than executing both an exponentiation and a multiplication. So our SA verification signature scheme based on Waters signature is computation saving and efficient.

The concrete computation cost comparison of the verifier in the verification of Waters Signature [21] and our SA-Verify in Algorithm 1 is shown in Table 1.

4. Server-Aided Verification Signature with Message-Signature Privacy

In this section, we will present a stronger definition of privacy, namely, message-signature privacy against collusion and adaptive chosen message attacks. Then based on BLS signature scheme [18], a concrete server-aided verification scheme with this privacy property will be presented. We assume that the server can obtain the key pair of the signer and cannot obtain the message-signature pairs that have been created by the signer. Under this assumption, the server cannot obtain anything about the message-signature pair.

4.1. Definition of Message-Signature Privacy

A server-aided verification signature scheme with message-signature privacy SAV- also consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify.

Definition 6 (message-signature privacy of ). We say that SA-Verify satisfies -message-signature privacy against collusion and adaptive chosen message attacks if there exists no adversary who runs in time at most , makes at most server-aided verification queries, and succeeds with probability at least in the following game with the challenger . The game is defined as follows. (i) Setup. The challenger runs the algorithms ParamGen, KeyGen, and SA-Verifier-Setup to obtain the system parameter , one key pair , and VString. The adversary is given and . Similar to the definition of message privacy for SA verification signature, can generate any message-signature pair with the key pair ; however as we assumed, it cannot obtain any message-signature pair that has been created by the signer before.(ii) Queries. Proceeding adaptively, the adversary is allowed to make at most server-aided verification queries. The challenger responds by executing SA-Verify with the adversary , where the adversary acts as the server and the challenger acts as the verifier. At the end of each execution, the challenger returns the output of SA-Verify to the adversary .(iii) Challenge. outputs two pairs and , where is a valid signature on for . Then sends them to the challenger . chooses a bit at random and interacts with by running SA-Verify where plays as a server and plays as a verifier. After the interaction, sends the output of SA-Verify to .(iv) Output. Finally, outputs a bit . We say that wins the game with probability if

4.2. Concrete SA Verification Signature with Message-Signature Privacy

In this section, we will present a SA verification signature scheme which satisfies message-signature privacy against collusion and adaptive chosen message attacks. This scheme is constructed based on BLS signature [18], which also consists of six algorithms: ParamGen, KeyGen, Sign, Verify, SA-Verifier-Setup, and SA-Verify. The first four algorithms are the same as those in BLS signature scheme [18]. By executing the SA-Verifier-Setup and SA-Verify algorithms, the computational load of the verifier can be reduced. In BLS signature [18], the verifier has to compute two pairings; however in the following SAV-, it needs only to compute a pairing.(i) ParamGen. Let be a security parameter, be bilinear groups, where for some prime number , and be a generator of . is a bilinear mapping. is a hash function. The system parameter .(ii). Given the system parameters , the signer chooses a random element , and sets the public key and the secret key .(iii). For a message, the signer generates the signature .(iv). The verifier takes as inputs a claimed message-signature pair , and outputs Valid if and only if , and otherwise outputs Invalid.(v)-Setup. The verifier takes as inputs the system parameter and computes as .(vi), and . This is an interactive protocol between the server and the verifier which is shown in Algorithm 2.(1)Verifier, for a message-signature pair , blinds the pair by selecting randomly and computing , ; , and sends to the verifier.(2)Server computes , and returns to the verifier.(3)Verifier checks the equation , and outputs Valid if it holds, and otherwise outputs Invalid.

Verifier (param, ) Server (param)
Input: (, ), pk
, = ,
;

;


Output:
, if = ;
, if otherwise.

Correctness of . For a claimed message-signature pair , when the verifier and the server are both honest, namely, the verifier correctly computes , and , and the server correctly computes and ; then the verification equation holds if the message-signature pair is valid and otherwise does not hold. Consider

In the following, by Theorems 7 and 8, we will show that our SA verification signature scheme above is secure under our security model; namely, the SA verification protocol described in Algorithm 2 is sound against collusion and adaptive chosen message attacks and also satisfies message-signature privacy against collusion and adaptive chosen message attacks.

Theorem 7. The SA verification protocol described in Algorithm 2 satisfies soundness against collusion and adaptive chosen message attacks.

Proof. In order to prove that the SA verification protocol in Algorithm 2 is -sound against collusion and adaptive chosen message attacks, we will show that the adversary can only prove an invalid signature as valid with at most probability . The challenger and the adversary play the following game.
(i) Setup. The challenger generates the system parameter , chooses a random element , and sets and . Then it also computes . Finally the challenger sends to the adversary.(ii) Queries. The adversary is allowed to make at most server-aided verification queries. The challenger responds by executing SA-Verify with the adversary . At the end of each execution, the challenger returns the output of SA-Verify to the adversary.(iii) Output. Eventually, the adversary outputs a message . The challenger chooses a random element in , where is the set of valid signatures of . Then they interact with each other as described in the SA-Verify protocol. Concretely, the challenger chooses two random elements , computes , and , and sends to the adversary. Then the adversary returns and to the challenger. In the following, we will show that happens with probability . From (10), we can directly deduce (11): Since is chosen randomly from , from the equation set (7), we can see that the adversary can only obtain and with probability . Furthermore, from the following, (13) can be deduced: We can see that is determined by and . Since is a random element in , the adversary can only give out a pair satisfying (11) with probabitity . This completes the proof of Theorem 7.

Theorem 8. The SA verification protocol described in Algorithm 2 satisfies message-signature privacy against collusion and adaptive chosen message attacks.

Proof. In order to prove that the SA verification protocol in Algorithm 2 satisfies -message-signature privacy against collusion and adaptive chosen message attacks, we will show that the adversary can only succeed with at most probability in the game with the challenger described as follows.(i) Setup. The challenger generates the system parameter , and the secret key and the public key . Then it also computes . Finally the challenger sends to the adversary.(ii) Queries. The adversary is allowed to make at most server-aided verification queries. The challenger responds by executing SA-Verify with the adversary , and, at the end of each execution, returns the output of SA-Verify to the adversary .(iii) Challenge. outputs two pairs and , where is a valid signature on for . Then it sends them to the challenger . chooses a bit at random and interacts with by running SA-Verify. Concretely, the challenger chooses two random elements , computes , and , and sends to the adversary. Then the adversary returns and to the challenger. After the interaction, sends the output of SA-Verify to .(iv) Output. Finally, outputs a bit . We will show that can only succeed with probability . From the equation set (10) in the proof of Theorem 4, we can see that there exist two pairs and satisfying for , and there exist two pairs and satisfying for . So the adversary cannot obtain anything about , and it only guesses correctly with probability . This completes the proof of Theorem 8.

Efficiency Analysis. In the following, we will show that our SA verification signature scheme based on BLS signature above is computation saving and efficient. We will analyze the efficiency of SA-Verify algorithm by comparing that of BLS Signature scheme [18]. In BLS signature scheme [18], to verify a message-signature pair , the verifier needs to compute which takes hash function and two bilinear pairings and . However, in our server-aided verification signature scheme, the verifier can first precompute a pairing which can be used by multiple SA-Verify protocols. Then in a SA-Verify protocol, the verifier needs to compute totally 2 exponentiations in and 2 exponentiation in as well as 2 multiplications in and 2 multiplications in and 1 hash function. From the comparison, we can see that our SA verification signature scheme based on BLS signature is computation saving. The concrete computation cost comparison of the verifier in the verification of BLS signature and SA-Verify in Algorithm 2 is shown in Table 2.

5. Conclusion

In this paper, we studied the SA verification signature schemes with message-signature privacy for mobile computing. A power-constrained mobile device can outsource the verification of a signature to a server with powerful resources in order to reduce its computational load. We first present two definitions for privacy of server-aided verification protocol, respectively, named message privacy and message-signature privacy under collusion and adaptive chosen message attacks. Then under our security models, two concrete constructions based on existing signature schemes were presented and proved secure. By efficiency analysis, we showed that the two concrete schemes are both computation saving and efficient.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is partially supported by the National Natural Science Foundation of China (nos. 61202466, U1135004, 61170080, and 61100224), 973 Program under Grant no. 2014CB360501, Foundation for Distinguished Young Talents in Higher Education of Guangdong, China (no. 2012LYM_0017), and Fundamental Research Funds for the Central Universities (South China University of Technology) (no. 2014ZM0032). An abstract of this paper has been presented in the 4th International Conference on Emerging Intelligent Data and Web Technologies (2013), 414–421 [31].

References

A. Durresi and M. Denko, “Preface: advances in mobile communications and computing,” Mobile Information Systems, vol. 5, no. 2, pp. 101–103, 2009.
View at: Publisher Site | Google Scholar
A. Durresi and M. Denko, “Advances in wireless networks,” Mobile Information Systems, vol. 5, no. 1, pp. 1–3, 2009.
View at: Publisher Site | Google Scholar
S. Benabbas, R. Gennaro, and Y. Vahlis, “Verifiable delegation of computation over large datasets,” in Advances in Cryptology—CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 111–131, Springer, Berlin, Germany, 2011.
View at: Publisher Site | Google Scholar
R. Gennaro, C. Gentry, and B. Parno, “Non-interactive verifiable computing: outsourcing computation to untrusted workers,” in Advances in Cryptology—CRYPTO 2010, vol. 6223 of Lecture Notes in Computer Science, pp. 465–482, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
K. M. Chung, Y. Kalai, and S. Vadhan, “Improved delegation of computation using fully homomorphic encryption,” in Advances in Cryptology—CRYPTO 2010, vol. 6223 of Lecture Notes in Computer Science, pp. 483–501, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
D. Fiore and R. Gennaro, “Publicly verifiable delegation of large polynomials and matrix computations, with applications,” in Proceedings of the ACM Conference on Computer and Communications Security (CCS '12), pp. 501–512, ACM, October 2012.
View at: Publisher Site | Google Scholar
B. Parno, M. Raykova, and V. Vaikuntanathan, “How to delegate and verify in public: verifiable computation from attribute-based encryption,” in Theory of Cryptography, vol. 7194 of Lecture Notes in Computer Science, pp. 422–439, Springer, Berlin, Germany, 2012.
View at: Publisher Site | Google Scholar
C. Papamanthou, R. Tamassia, and N. Triandopoulos, “Optimal verification of operations on dynamic sets,” in Advances in Cryptology—CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 91–110, 2011.
View at: Google Scholar
P. Béguin and J.-J. Quisquater, “Fast server-aided RSA signatures secure against active attacks,” in Advances in Cryptology—CRYPT0 1995, vol. 963 of Lecture Notes in Computer Science, pp. 57–69, Springer, Berlin, Germany, 1995.
View at: Publisher Site | Google Scholar
J.-J. Quisquater and M. de Soete, “Speeding up smart card RSA computation with insecure coprocessors,” in Proceedings of the Smart Cards 2000, pp. 191–197, 1989.
View at: Google Scholar
C. H. Lim and P. J. Lee, “Security and performance of server-aided RSA computation protocols,” in Advances in Cryptology—CRYPTO' 1995, vol. 963 of Lecture Notes in Computer Science, pp. 70–83, Springer, Berlin, Germany, 1995.
View at: Google Scholar
P. Nguyen and J. Stern, “The Béguin-Quisquater server-aided RSA protocol from Crypto '95 is not secure,” in Advances in Cryptology—ASIACRYPT 1998, vol. 1514 of Lecture Notes in Computer Science, pp. 372–379, Springer, Berlin, Germany, 1998.
View at: Publisher Site | Google Scholar
M. Girault and J. J. Quisquater, “GQ + GPS = new ideas + new protocols,” in Proceedings of the Eurocrypt 2002-Rump Session, April-May 2002.
View at: Google Scholar
M. Girault and D. Lefranc, “Server-aided verification: theory and practice,” in Advances in Cryptology—ASIACRYPT 2005, vol. 3788 of Lecture Notes in Computer Science, pp. 605–623, Springer, Berlin, Germany, 2005.
View at: Publisher Site | Google Scholar | MathSciNet
W. Wu, Y. Mu, W. Susilo, and X. Y. Huang, “Provably secure server-aided verification signatures,” Computers and Mathematics with Applications, vol. 61, no. 7, pp. 1705–1723, 2011.
View at: Publisher Site | Google Scholar
G. C. C. F. Pereira, M. A. Simplicío Jr., M. Naehrig, and P. S. L. M. Barreto, “A family of implementation-friendly BN elliptic curves,” Journal of Systems and Software, vol. 84, no. 8, pp. 1319–1326, 2011.
View at: Publisher Site | Google Scholar
S. Hohenberger and A. Lysyanskaya, “How to securely outsource cryptographic computations,” in Theory of Cryptography, vol. 3378 of Lecture Notes in Computer Science, pp. 264–282, Springer, Berlin, Germany, 2005.
View at: Publisher Site | Google Scholar | MathSciNet
D. Boneh, G. Lynn, and H. Shacham, “Short signature from the Weil pairing,” in Advances in Cryptology—Asiacrypt 2001, vol. 2248 of Lecture Notes in Computer Science, pp. 514–532, Springer, Berlin, Germany, 2001.
View at: Google Scholar
D. Boneh and X. Boyen, “Short signatures without random oracles,” in Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 382–400, Springer, Berlin, Germany, 2004.
View at: Google Scholar
F. Zhang, R. Safavi-Naini, and W. Susilo, “An efficient signature scheme from bilinear pairing and its applications,” in Public Key Cryptography—PKC 2004, vol. 2947 of Lecture Notes in Computer Science, pp. 277–290, 2004.
View at: Google Scholar
B. Waters, “Efficient identity-based encryption without random oracles,” in Advances in Cryptology—EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 114–127, 2005.
View at: Google Scholar
X. Chen, F. Zhang, Y. Mu, and W. Susilo, “Efficient provably secure restrictive partially blind signatures from bilinear pairings,” in Financial Cryptography and Data Security, vol. 4107 of Lecture Notes in Computer Science, pp. 251–265, Springer, Berlin, Germany, 2006.
View at: Publisher Site | Google Scholar
X. Chen, F. Zhang, W. Susilo, H. Tian, J. Li, and K. Kim, “Identity-based chameleon hash scheme without key exposure,” in Information Security and Privacy, vol. 6168 of Lecture Notes in Computer Science, pp. 200–215, Springer, 2010.
View at: Google Scholar
S. Goldwasser, S. Micali, and R. L. Rivest, “A digital signature scheme secure against adaptive chosen-message attacks,” SIAM Journal on Computing, vol. 17, no. 2, pp. 281–308, 1988.
View at: Publisher Site | Google Scholar | MathSciNet
D. Chaum, “Blind signatures for untraceable payments,” in Advances in Cryptology, pp. 199–203, Plenum, 1983.
View at: Google Scholar
D. F. Aranha, K. Karabina, P. Longa, C. H. Gebotys, and J. López, “Faster explicit formulas for computing pairings over ordinary curves,” in Advances in Cryptology—EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 48–68, Springer, 2011.
View at: Publisher Site | Google Scholar | MathSciNet
J.-L. Beuchat, J. E. Gonzalez-Díaz, S. Mitsunari, E. Okamoto, F. Rodríguez-Henríquez, and T. Teruya, “High-speed software implementation of the optimal ate pairing over Barreto-Naehrig curves,” in Pairing-Based Cryptography—Pairing 2010, vol. 6487 of Lecture Notes in Computer Science, pp. 21–39, Springer, 2010.
View at: Google Scholar
D. Hankerson, A. J. Menezes, and M. Scott, “Software implementation of pairings,” in Identity-Based Cryptography, M. Joye and G. Neven, Eds., pp. 188–206, IOS Press, 2008.
View at: Google Scholar
M. Naehrig, R. Niederhagen, and P. Schwabe, “New software speed records for cryptographic pairings,” in Progress in Cryptology—LATINCRYPT 2010, vol. 6212 of Lecture Notes in Computer Science, pp. 109–123, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar
C. Costello, K. Lauter, and M. Naehrig, “Attractive subfamilies of BLS curves for implementing high-security pairings,” in Progress in Cryptology—INDOCRYPT 2011, vol. 7107 of Lecture Notes in Computer Science, pp. 320–342, Springer, 2011.
View at: Publisher Site | Google Scholar | MathSciNet
L. Xu and S. Tang, “Server-aided verification signatures with privacy,” in Proceedings of the 4th International Conference on Emerging Intelligent Data and Web Technologies (EIDWT '13), pp. 414–421, September 2013.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2015 Lingling Xu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

948

Downloads

925

Citations