#### Abstract

A strong designated verifier signature scheme makes it possible for a signer to convince a designated verifier that she has signed a message in such a way that the designated verifier cannot transfer the signature to a third party, and no third party can even verify the validity of a designated verifier signature. In 2005, Lipmaa, Wang, and Bao identified a new essential security property, non delegatability, of designated verifier signature schemes. Briefly, in a non delegatability designated verifier signature scheme, neither a signer nor a designated verifier can delegate the signing rights to any third party without revealing their secret keys. However, this paper shows that four recently proposed strong designated verifier signature schemes are delegatable. These schemes do not satisfy non delegatability secure requirement of strong designated verifier signature schemes.

#### 1. Introduction

Ensuring the integrity and the authenticity of the origin of a message is one of the goals of cryptography, and standard authentication tools are digital signatures. Digital signature schemes allow a receiver of a signature, Bob, to verify that the signature received is indeed sent by the sender, Alice. And Bob can convince any third party that Alice has indeed sent him the message. This is also referred to as nonrepudiation in the sense that Alice cannot deny the fact that she has sent a signature to Bob. Nonrepudiation is a very useful property for the authenticity of the origin of a message when dispute could occur at some later time. On the other hand, in numerous applications such as tender, electronic voting, or electronic auctions, the public verification and nonrepudiation properties of a signature are not desired. Let us consider the following example [1].

Suppose that a public institution initiates a call for tenders, asking some companies to propose their prices for a set of instruments and tasks to be accomplished. The institution may require the companies to sign their offers in order to make sure that they are actually authentic and originated from whom they claim to be. This is a valid requirement, but no company involved in this process desires its offer to affect other tenders’ decisions. That is, a company may capture a competitor’s signed offer on the transmission line (to the institution) and prepares its offer consequently in order to increase its chance to be selected by the institution. The here raised question is about the conflict between authenticity and privacy.

To satisfy the above requirements in signature schemes, Jakobsson et al. [2] firstly proposed the concept of strong designated verifier signatures (SDVS). A SDVS scheme is special type of digital signature which provides message authentication without nonrepudiation. In a SDVS scheme, suppose Alice, the signer, has sent a signature to Bob, the designated verifier. Bob can use his private key to verify the validity of the signature. But Bob cannot prove to a third party that Alice has created the signature. Since Bob can efficiently simulate signatures that are indistinguishable from Alice’s signature. The SDVS fit into various cryptographic applications such as privacy preserving cloud computing [3] and social networks [4]. They also are useful in some new fields, such as cognitive computing [5], where a brainy robot needs to authenticate its owner and keeps no evidences of its owner’s authentication.

After Saeednia et al. [1] formalized the notion of SDVS in 2003, many SDVS schemes have been proposed [6–18]. Based on nondelegatability proposed by Lipmaa, Wang, and Bao in 2005, an essential security property of designated verifier signature schemes, Huang et al. [14] proposed a security model for SDVS scheme. The model is stricter than the previous one [11]. All schemes [6–13] are insecure in Huang et al.’s model. In a nondelegatability designated verifier signature scheme, neither a signer nor a designated verifier can delegate the signing rights to any third party without revealing their secret keys. Recently, four strong designated verifier signature schemes are proposed [15–18]. However, in this work, we show that the four schemes are delegatable. So, they are insecure.

The remainder of this paper is organized as follows. Some basic concepts are introduced in Section 2. In Section 3, we review four designated verifier signature schemes and present delegation attacks on them. Finally, Section 4 concludes the paper.

#### 2. Preliminaries

In this section, we briefly review the basic concepts of bilinear pairings and model of strong designated verifier signatures.

##### 2.1. Basic Concepts on Bilinear Pairings

Let be a cyclic additive group and a cyclic multiplicative group of the same order . An admissible bilinear pairing is a map , which satisfies the following properties.(i)*Bilinearity.* One has for all , . This can also be stated as and for all .(ii)*Nondegeneracy.* There exists , such that .(iii)*Computability*. There is an efficient algorithm to compute for all .

##### 2.2. Complexity Assumptions

*Definition 1 (bilinear Diffie-Hellman (BDH) problem). *Given randomly chosen , as well as (for unknown randomly chosen ), compute .

*Definition 2 (BDH assumption). *The BDH assumption holds in the bilinear setting , if there is no probabilistic polynomial-time adversary that runs in time at most and .

##### 2.3. Model of Strong Designated Verifier Signature Scheme

Here, we introduce the concept of strong designated verifier signature in identity-based setting. An identity-based strong designated verifier signature scheme (IDSDVS) consists of five algorithms (that may be randomized) as follows.(i)Parameter Generation (*Setup*) is an algorithm that accepts a security parameter and outputs a string consisting of system parameters and master key.(ii)Key Extraction (*Extract*) is an algorithm that accepts system parameters and master key and an arbitrary string outputs a private key . Here is the user's identity and will be used as the user's public key.(iii)Signature Generation (*Sign*) is an algorithm that accepts system parameters, the signer's private key , a message , and the designated verifier's public key and outputs the signature on the message .(iv)Designated Verification (*Ver*) is an algorithm that accepts system parameters, the signer's identity , a message , the designated verifier's public key , and private key and the signature on the message outputs either accept or reject as the verification decision.(v)Transcript Simulation is the algorithm that the designated verifier runs to produce identically distributed transcripts which are indistinguishable from the signature produced by the signer.

The IDSDVS scheme should satisfy the following security properties.(i)*Correctness.* A properly formed IDSDVS must be accepted by the verifying algorithm.(ii)*Nontransferability.* We require an IDSDVS scheme to be nontransferable. The nontransferability property is ensured by a transcript simulation algorithm that can be performed by all designated verifiers to produce an indistinguishable signature from the one that should be produced by the signature holder.(iii)*Unforgeability. *It is computationally infeasible to construct a valid IDSDVS signature without the knowledge of the private key of either the signer or the designated verifier.(iv)*Nondelegatability.* It requires an adversary to “know” a secret key of a signer or a designated verifier if the adversary can produce a valid signature on a message.

#### 3. Four Designated Verifier Signature Schemes and Attacks on Them

##### 3.1. Lee et al.’s Scheme

Lee et al.’s scheme [16] can be described as follows.

Let and be two large primes such that and an element of of order . The message to be signed is . Let signer Alice’s public key be , where is her secret key, and designated verifier Bob’s public key be , where is his secret key. One-way hash function outputs values in . Suppose that Alice wants to send a strong designated verifier signature with a message to Bob.(i)*Signature generation*. Alice chooses two random numbers from and from and generates a signature as follows:
(ii)*Message Recovery and Verification*. Upon receiving from Alice, Bob recovers the message and verifies the signature by computing
(iii)*Transcript Simulation*. Bob can simulate the designated verifier signature of . Bob selects two random values and . Then he computes as follows:

*Attack on Lee et al.’s Scheme.* Assume that the signer discloses or the designated verifier discloses to any third party . Given any message , selects two random values and . Then he computes as follows:
generates a simulated signature . Bob verifies whether and recovers message . The verification accepts since
Therefore, Lee et al.’s scheme is delegatable.

##### 3.2. Yang et al.’s Scheme

Yang et al.’s certificateless strong designated verifier signature scheme [18] consists of the following six algorithms.(i)* Setup*. Given a security parameter , a KGC chooses two groups and of the same prime order and a modified Tate pairing map : . is a generator of group ; then the KGC selects two distinct cryptographic hash functions :, :, picks a random as the master key, computes the system public key , and publishes but keeps secret.(ii)* Partial-Private-Key-Extract*. Given an identity , , this paper assumes that user is the signer and is the designated verifier, the KGC computes , , and sends to a user with identity as his partial private key by a secure channel.(iii)* User-Key-Extract*. On inputs and the user’s identity , the algorithm picks a random as the user’s secret value and computes as his public key.(iv)* CLSDVS-Sign*. On inputs , signer ’s identity , his private key pair , and a message , the algorithm works as follows.(1)Pick a random value and compute . (2)Compute .(3)Compute and .

The signature on message is .(v)* CLSDVS-Verify*. To verify a signature on a message for an identity with public key , the designated verifier acts as follows.(1)Parse .(2)Compute . (3)Accept the signature and return 1 if and only if the following equation holds:
(vi)* CLSDVS-Simulation*. The designated verifier cannot prove to a third party that a signature on a message has been produced by signer since he can also create an indistinguishable signature on by the following means.(1)Pick randomly , and compute .(2)Set .(3)Compute .

The signature on the message is .

*Attack on Yang et al.’s Scheme*. Since in CLSDVS-Verify algorithm,

When one third party gets , picks a random value , and computes

can obtain a simulated signature . Because So, is a valid signature. Therefore, Lee et al.’s scheme is delegatable.

##### 3.3. Lee et al.’s Scheme

Lee et al.’s strong designated verifier signature scheme [15] is as follows.

Let and be two large primes such that and an element of of order . Let the signer Alice’s public key be , where is her secret key, and designated verifier Bob’s public key , where is his secret key. One-way hash function outputs values in . Suppose that Alice wants to send a strong designated verifier signature with a message to Bob.(i)*Signature Generation*. Alice selects a random value . She computes , , and as follows:

Then, the signature is .(ii)*Signature Verification*. Upon receiving and , Bob can verify the validity of the signature by checking whether .(iii)*Signature Simulation*. Bob can simulate the transcript for the message by selecting a random number and compute and as follows:

*Attack on Lee et al.’s Scheme*. Assume that the signer discloses or the designated verifier to any third party . Given any message , selects a random number and computes
generates a simulated signature . Bob verifies whether . The verification accepts since
Therefore, Lee et al.’s scheme is delegatable.

##### 3.4. Ki et al.’s Scheme

Ki et al.’s strong designated verifier signature scheme [17] is as follows.(i)*Setup*. Let be an additive group and a multiplicative group. Let be a symmetric bilinear map, where and have prime order . is a random generator of . The algorithm selects at random and computes . It also selects two collision-resistant cryptographic hash functions, and . The algorithm outputs the master secret key, , and its corresponding public parameters, .(ii)*Key-Extract*. For given identity , it computes and .(iii)*IDSig*. For given message , verifier’s identity , and signer’s secret key , it computes and . It selects and computes and . It computes and . The signature on a message is .(iv)*IDVerify*. For a given signature , message , and verifier’s secret key , it computes , , , and . It tests if holds. If the equality holds, then it outputs valid; otherwise, it outputs invalid.

*Attack on Ki et al.’s Scheme*. Obviously any third party can generate valid signature when they get . So, Ki et al.’s scheme is delegatable.

#### 4. Conclusion

Strong designated verifier signatures provide authentication of a message, without, however, having the nonrepudiation property of traditional signatures. They convince one and only one specified recipient that they are valid, but unlike standard digital signature, nobody else can be convinced about their validity or invalidity. The reason is that the designated verifier in these schemes is able to create a signature intended to himself, that is, indistinguishable from a “real” signature. Strong designated verifier signatures fit into various cryptographic applications where privacy preservation is needed. Recently, four strong designated verifier signature schemes are proposed. However, in this work, we show that the four schemes are delegatable. That is to say, in their scheme the signer or the designated verifier can delegate the signing right to any third party by releasing a piece of information related to but different from their secret keys. This enables a third party to simulate the signer's signatures. So, these schemes do not satisfy nondelegatability secure requirement of strong designated verifier signature scheme.

#### Conflict of Interests

The authors of the paper do not have any conflict of interests.