A New Approach to Keep the Privacy Information of the Signer in a Digital Signature Scheme

Abstract

In modern applications, such as Electronic Voting, e-Health, e-Cash, there is a need that the validity of a signature should be verified by only one responsible person. This is opposite to the traditional digital signature scheme where anybody can verify a signature. There have been several solutions for this problem, the first one is we combine a signature scheme with an encryption scheme; the second one is to use the group signature; and the last one is to use the strong designated verifier signature scheme with the undeniable property. In this paper, we extend the traditional digital signature scheme to propose a new solution for the aforementioned problem. Our extension is in the sense that only a designated verifier (responsible person) can verify a signer’s signature, and if necessary (in case the signer refuses to admit his/her signature) the designated verifier without revealing his/her secret key is able to prove to anybody that the signer has actually generated the signature. The comparison between our proposed solution and the three existing solutions shows that our proposed solution is the best one in terms of both security and efficiency.

1. Introduction

The digital signature scheme has been widely used in practical applications today. As a handwritten signature, the validity of a digital signature should be publicly verified by anyone. However, in some specific modern applications, such as Electronic Voting, e-Health, e-Cash, etc, we would like that only the responsible person can verify the validity of a signature. For example, in an Electronic Voting system (similarly for e-Health application, e-Payment application or e-Bidding application) where a responsible person (the host such as the government for example) usually would like to ask users (voters) to agree or disagree on a plan. To this aim, a voter signs on an agreeing or disagreeing message, then uploads his/her signature on a public server. However, in some specific plans, the voter is not willing to let other voters in the system know whether or not he/she agrees or disagrees on these plans. In fact, the voter would like that there is only one responsible person who can know whether or not he/she agrees or disagrees on a given plan. On the other hand, if necessary, in case the voter refuses to admit his/her signature, the responsible person without revealing his/her secret key should be able to prove to anybody that the voter has actually generated the signature. To deal with this problem, there exist several following methods:

• Method 1: using additional a public key encryption scheme. A voter encrypts his/her signature under the public key of the responsible person, so only the responsible person with his/her corresponding secret key at hands can decrypt and then check the validity of the voter’s signature. Other voters in the system cannot decrypt, hence they cannot verify the voter’s signature, or they cannot know whether or not the voter agrees or disagrees on a given plan.
• Method 2: using the group signature scheme [1]. In a group signature scheme, a user in a group can generate a signature on behalf of the group, and only the group manager can know exactly who has actually generated the signature. So, if the group includes all users in the system and the responsible person plays the role of the group manager, only the responsible person can know whether or not the voter agrees or disagrees on a given plan.
• Method 3: using the recently introduced strong designated verifier signature scheme [2] ($\mathtt{SDVS}$ for short). In a $\mathtt{SDVS}$ scheme, a signature only can be checked by a chosen designated verifier, but a signature can be generated by both the signer and the designated verifier. That means no one can tell a signature has been actually generated by the signer or the designated verifier. This special property is useful in some specific practical scenarios as mentioned in [2,3,4,5,6,7], however it is undesirable in some other scenarios such as Electronic Voting, e-Health, e-Payment applications. In fact, in the e-Voting system, if we use the $\mathtt{SDVS}$ scheme, then the responsible person (the host such as the government for example) will play the role of the designated verifier. Moreover, the responsible person also can generate the voter’s signature. This leads to the fact that if the responsible person would like that a voter agrees on a given plan, he/she simply forges the signature of this voter, and the voter cannot prove to anybody that he/she actually hasn’t generated this signature. In contrast, in some cases, the voter also can refuse that he/she has already generated this signature, and of course the responsible person also cannot prove that the voter has actually generated this signature. This obviously is not a desirable property for the e-Voting system. Recent works [8,9,10] extended the $\mathtt{SDVS}$ scheme to propose a new method to deal with the above problem, the proposed schemes are named $\mathtt{SDVS}$ schemes with the undeniable property. In this type of scheme, we have a judge who can decide that a given signature is generated by a signer or a designated verifier. This type of scheme can deal with well the disputing between the signer and designated verifier, it, however, has the shortcoming that the judgment should be honest (this could face problems when the scheme is used in practice), and obviously to maintain the judgment, the system has to pay the cost on the storage, computation complexity and communication overhead.

We also note that in method 2 and method 3, the user cannot generate the usual signature (anyone can verify the signature). So, when we use method 2 or method 3 in the e-Voting system for example, to support the functionality of generating the usual signature we have to use an additional traditional signature scheme.

We motivate from the aforementioned problem to ask a question that whether or not there exists an efficient signature scheme where a signer can freely choose to generate either a usual signature (anyone can verify this signature) or a designated verifier signature (only the designated verifier can verify this signature, and the designated verifier cannot generate this signature as in $\mathtt{SDVS}$ scheme). Moreover, if necessary, in case the signer refuses to admit his/her signature, the designated verifier without revealing his/her secret key is able to prove to anybody that the signer has actually produced the signature. Regarding the application, we believe that besides Electronic Voting, e-Health, e-Payment, this type of scheme could also find many other applications in practice.

1.1. Our Contribution

In this paper, we affirmatively answer the above question by proposing an efficient signature scheme where a user can choose to produce either a usual signature or a designated verifier signature. Concretely, our scheme has the following properties:

• only the designated verifier can verify the signer’s designated verifier signature, it, therefore, can keep the privacy information of the signer;
• the designated verifier cannot forge the signer’s designated verifier signature. This means that the responsible person cannot forge the voter’s signature as in the case of Electronic Voting application;
• in case the signer refuses to admit his/her designated verifier signature, the designated verifier without revealing his/her secret key is able to prove to anybody that the signer has actually generated this signature. By this way, there is no need to have a judgment in the system, and more importantly, this forces the signer to be honest;
• the user can choose to generate either a usual signature or a designated verifier signature. That means our proposed scheme can be seen as an improvement of the traditional signature scheme in terms of functionality. Note that in the existing group signature scheme and $\mathtt{SDVS}$ scheme, the signer cannot generate the usual signature.

We name our scheme signer privacy-preserving digital signature scheme with undeniable property ($\mathtt{SPPS}$ for short) scheme. In our scheme, to achieve the privacy information of the signer, technically we prove that everyone (except the designated verifier) is not able to distinguish between the signer’s designated verifier signature and random elements. That means everyone (except the designated verifier) cannot verify the signer’s designated verifier signature. The comparison

Table 1. Performance comparison. Sig is a signature algorithm, Ver is a verification algorithm, Enc and Dec are encryption algorithm and decryption algorithm, respectively, while E denotes exponentiation operation, P denotes pairing operation, H denotes hash operation. $\left|p\right|$, $\left|p^{\prime }\right|$, $\left|\mathbb{G}\right|$ and $\left|\tilde{\mathbb{G}}\right|$ are the size of the prime $p,p^{\prime }$ and the groups $\mathbb{G},\tilde{\mathbb{G}}$. Note that if we set the security parameter $\lambda =80$, then we can implement a curve of type 3 Pairing where $\left|p^{\prime }\right|$, $\left|\mathbb{G}\right|$ and $\left|\tilde{\mathbb{G}}\right|$ are about 170 bits, 170 bits and 1024 bits, while method 3 uses finite field where $\left|p\right|$ is much more bigger than 170 bits (about 1024 bits) when the security parameter $\lambda =80$, see [13] for more details. Regarding method 2, we use BBS scheme [14], which is one of the most efficient group signature scheme to date.

	Signature Size	Public-K Size	Secret-K Size	Sign Time	Verify Time
M1	$|Enc(Sig)|$	$|P{K}_{Enc}+P{K}_{Sig}|$	$|S{K}_{Enc}+S{K}_{Sig}|$	$Sig+Enc$	$Dec+Ver$
M2—[14]	$9\left|\mathbb{G}\right|$	$4\left|\mathbb{G}\right|+2\left|\tilde{\mathbb{G}}\right|$	$1\left|\mathbb{G}\right|+1\left|p^{\prime }\right|$	$12E+5P$	$10E+10P$
M3—[10]	$5\left|p\right|$	$2\left|p\right|$	$2\left|p\right|$	$6E+3H$	$9E+1H$
Ours	2$\left|\mathbb{G}\right|$	$2\left|\mathbb{G}\right|+3\left|\tilde{\mathbb{G}}\right|$	$3\left|p^{\prime }\right|$	$2E$	$2E+3P$

shows that our proposed method is one of the most efficient ones: using additional encryption scheme (method 1—M1); using group signature (method 2—M2); and finally using $\mathtt{SDVS}$ schemes with undeniable property (method 3—M3). As shown in the comparison table, our scheme just needs two exponentiations for signing and three pairings for verifying. Note that the time to compute one pairing is very fast and it is practical even for lightweight devices. More precisely, we refer to Section 5.3 in the paper [11], where the authors have tested that the time to compute one paring using a weak device is about 5.5 ms and the time to compute one exponentiation in two groups $\tilde{\mathbb{G}}$ and $\mathbb{G}$ are about 6.4 ms and 0.6 ms, respectively. One also can argue that in method 1, if we use RSA or Elliptic-curve cryptography (ECC) for the signature and encryption schemes instead of Pairing-based cryptography, this method will be efficient. We however note that Pairing-based signature schemes provide more advanced properties than RSA or Elliptic-curve-based signature schemes (that is why Pairing-based signature schemes currently still have deeply studied) such that short signature size, randomizable signature, aggregate signature, full security in the standard model, etc. Fortunately, our scheme is an extension of the Pointcheval-Sanders signature scheme [12] which supports all the above-advanced properties, therefore our scheme naturally also supports all the above-advanced properties. In addition, when using method 1, the security of the combined scheme (signature scheme and encryption scheme) should be carefully considered.

We also note that our $\mathtt{SPPS}$ scheme can be applied in any context that the privacy of the signer is needed.

1.2. Related Work and Organization of the Paper

The anonymity of the signer is also supported in attribute-based signature scheme, which was first introduced in [15]. In this system, each user possesses a set of attributes and then receives a corresponding secret key from the authority. To generate a signature on a given message m, the user relies on his/her secret key and a predicate which is satisfied by his/her attribute set. That means any user whose attribute set satisfies this predicate is able to generate this signature. The anonymity of the signer here is in the sense that from a given signature, anybody only knows that there are a set of users who are able to generate this signature, anybody (even the authority) cannot know exactly who actually generated this signature. This is obviously not suitable for the contexts of e-Voting, e-Health, e-Bidding or e-Payment applications, where the responsible person needs to know exactly who has generated this signature.

Another scheme, which also supports the anonymity of signer, is the ring signature scheme [16]. In this scheme, a user can generate a signature on behalf of a public set of users, and no one can identify who has actually generated this signature. Different from group signature, in the ring signature scheme we do not have the group manager to identify the signature.

The last one which supports the anonymity of signer is the anonymous signature scheme, this scheme was introduced by Yang et al. [17]. The anonymity of the signer is achieved in the sense that to run the verification procedure the verifier needs both the signer’s public key and the signed message. If we hide the signed message, no one can identify who has actually generated the signature. This is also not suitable for the contexts of Electronic Voting, e-Health, e-Bidding or e-Payment applications.

Paper organization. The next section introduces the definition and security model of our $\mathtt{SPPS}$ scheme and some used tools to construct our scheme. The construction of our $\mathtt{SPPS}$ scheme and its security analysis are introduced in Section 3. We give the conclusion of the paper in the last Section 4.

2. Preliminaries

In this section, we present the security model of our $\mathtt{SPPS}$ scheme, the assumptions which are used to prove the security of our scheme, and some useful tools used to construct our scheme.

2.1. Definition and Security Model

2.1.1. Definition

As in the usual signature scheme, a user in our scheme possesses a pair of the public key and secret key, as well as plays the roles of both the signer and the (designated) verifier. To generate the usual signature, the signer uses only his/her secret key as usual, however, to generate the designated verifier signature he/she uses both his/her secret key and the public key of the chosen designated verifier. To verify the usual signature, the verifier uses only the public key of the signer, however, to verify the designated verifier signature the designated verifier uses both the public key of the signer and his/her secret key. Moreover, in case the signer refuses to admit his/her designated verifier signature, the designated verifier uses his/her secret key to prove that the signer has actually generated this designated verifier signature.

Formally, there are seven probabilistic algorithms in our $\mathtt{SPPS}$ scheme.

• $\mathtt{Setup}(1^{\lambda })$: the input of this algorithm is the security parameter $\lambda$, the output is the system parameters $\mathtt{param}$.
• $\mathtt{Key} \mathtt{Generation}$: the input of this algorithm is the $\mathtt{param}$, the output is a pair consisting of a public key and secret key $(p{k}_i,s{k}_i)$.
• $\mathtt{Usual} \mathtt{Signing}$: the input of this algorithm are a message m, the $\mathtt{param}$ and a secret key $s{k}_i$, the output is a usual signature $\sigma$.
• $\mathtt{Designated} \mathtt{Signing}$: the input of this algorithm are a message m, the $\mathtt{param}$, a secret key $s{k}_i$ and the public key $p{k}_j$ of chosen designated verifier. The output is a designated verifier signature $\sigma$.
• $\mathtt{Usual} \mathtt{Verification}$: the input of this algorithm are the $\mathtt{param}$, a usual signature $\sigma$ and the public key $p{k}_i$ of the signer. The algorithm returns 1 in case $\sigma$ is a valid signature of the message m under $p{k}_i$, and 0 otherwise.
• $\mathtt{Designated} \mathtt{Verification}$: the input of this algorithm are the $\mathtt{param}$, a designated verifier signature $\sigma$, the public key $p{k}_i$ of the signer and the secret key $s{k}_j$ of the designated verifier. The algorithm returns 1 in case $\sigma$ is a valid signature of the message m under $p{k}_i$, and 0 otherwise.
• $\mathtt{Proving}$: this algorithm includes two sub-algorithms:

  –

  first: takes as input $\mathtt{param}$, a designated verifier signature $\sigma$ on a message m and a designated verifier’s secret key $s{k}_j$, outputs a public proof $\mathtt{proof}$;

  –

  second: takes as input $\mathtt{param}$, a public proof $\mathtt{proof}$ and the corresponding signer’s public key $p{k}_i$. The algorithm returns 1 in the case where $\sigma$ is a valid signature of the message m under $p{k}_i$, and 0 otherwise. Note that the second sub-algorithm is run by anyone.

$\mathtt{Correctness}$: If all $m,p{k}_i,s{k}_i,p{k}_j,s{k}_j$ are valid, and $\sigma =\mathtt{Usual} \mathtt{Signing}(\mathtt{param},m,s{k}_i)$ or $\sigma =\mathtt{Designated} \mathtt{Signing}(\mathtt{param},m,s{k}_i,p{k}_j)$, then the following equations must hold:

$$\mathtt{Usual} \mathtt{Verification}(\mathtt{param},\sigma ,m,p{k}_i)=1$$

$$\mathtt{Designated} \mathtt{Verification}(\mathtt{param},\sigma ,m,p{k}_i,s{k}_j)=1$$

$$\mathtt{Proving}(\mathtt{param},s{k}_j,\sigma ,m,p{k}_i)=1$$

2.1.2. Adversary’s Oracles

We allow the forger $\mathcal{F}$ to query the challenger $\mathcal{C}$ the following oracles.

• $\mathtt{UsualSigningRequest}(m,p{k}_i)$: when $\mathcal{F}$ requests a usual signature of user i on a message m, the challenger $\mathcal{C}$ returns a valid corresponding usual signature $\sigma$.
• $\mathtt{DesignatedSigningRequest}(m,p{k}_i,p{k}_j)$: when $\mathcal{F}$ requests a designated verifier signature of user i on a message m with designated verifier public key $p{k}_j$, the challenger $\mathcal{C}$ returns a valid corresponding designated verifier signature $\sigma$.
• $\mathtt{RequestDesignatedVerifying}(\sigma ,m,p{k}_i,p{k}_j)$: when $\mathcal{F}$ requests to know the validity of a designated verifier signature $\sigma$, the challenger $\mathcal{C}$ returns the validity of $\sigma$.

2.1.3. Security Model

The security requirements of our $\mathtt{SPPS}$ scheme are that an attacker is unable to forge the usual signature as well as the designated verifier signature. Moreover, he/she also cannot verify any designated verifier signature. To this aim, based on security models in [7], we consider the unforgeability property which guarantees that the attacker cannot forge any signature, and the privacy of signer’s identity ($\mathtt{PSI}$) property which guarantees that the attacker cannot verify any designated verifier signature.

Unforgeability: Regarding this property, we allow the colluding of any user. The security game is described as follows.

• $\mathtt{Initialization} \mathtt{Phase}$: At this step $\mathcal{C}$ first uses the $\mathtt{Setup}$ algorithm to produce the public parameters $\mathtt{param}$. Next, he/she uses the $\mathtt{Key} \mathtt{Generation}$ algorithm to produce the target user’s key pair $(p{k}_i,s{k}_i)$ and the target designated verifier’s key pair $(p{k}_j,s{k}_j)$. $\mathcal{C}$ sends $\mathtt{param}$ and $(p{k}_i,p{k}_j,s{k}_j)$ to $\mathcal{F}$.
• $\mathtt{Query} \mathtt{Phase}$: At this step, $\mathcal{F}$ adaptively asks the following oracles: $\mathtt{UsualSigningRequest}(m,p{k}_i)$, $\mathtt{DesignatedSigningRequest}(m,p{k}_i,p{k}_j)$ and $\mathtt{RequestDesignatedVerifying}(\sigma ,m,p{k}_i,p{k}_j)$.
• $\mathtt{Output} \mathtt{Phase}$: At this step, $\mathcal{F}$ outputs ($m^{*},{\sigma }^{*}$). $\mathcal{F}$ is said to win the game if the followings are correct:
  • $m^{*}$ has never been queried to $\mathtt{UsualSigningRequest}(m,p{k}_i)$
    and $\mathtt{DesignatedSigningRequest}(m,p{k}_i,p{k}_j)$;
  • $\mathtt{Usual} \mathtt{Verification}(\mathtt{param},{\sigma }^{*},m^{*},p{k}_i)$ outputs 1,
    or $\mathtt{Designated} \mathtt{Verification}(\mathtt{param},{\sigma }^{*},m^{*},p{k}_i,p{k}_j)$ outputs 1.

Let $SuccU{n}_{\mathcal{F}}^{\Pi }$ be the success probability that the forger $\mathcal{F}$ wins the above security game.

Definition 1.

A $\mathtt{SPPS}$ scheme Π is said to achieve the existentially unforgeable property against any polynomial-time forger $\mathcal{F}$ if the success probabilities $SuccU{n}_{\mathcal{F}}^{\Pi }$ above is negligible.

Privacy of the signer’s identity—$\mathtt{PSI}$: This property is defined in the sense that an attacker cannot distinguish between a valid designated verifier signature and random elements, that means he/she cannot check the validity of a designated verifier signature.

The security game between a challenger $\mathcal{C}$ and an adversary $\mathcal{F}$ is described as follows.

• $\mathtt{Initialization} \mathtt{Phase}$: At this step $\mathcal{C}$ first uses the $\mathtt{Setup}$ algorithm to produce the public parameters $\mathtt{param}$. Next, he/she uses the $\mathtt{Key} \mathtt{Generation}$ algorithm to produce three target users’ key pairs $(p{k}_{i_0},s{k}_{i_0}),(p{k}_{i_1},s{k}_{i_1}),(p{k}_j,s{k}_j)$, where $i_0$ and $i_1$ are target signers, j is the target designated verifier. $\mathcal{C}$ sends $\mathtt{param}$ and $(p{k}_{i_0},p{k}_{i_1},p{k}_j)$ to $\mathcal{F}$.
• $\mathtt{Query} \mathtt{Phase}$: At this step, $\mathcal{F}$ adaptively asks the following oracles: $\mathtt{UsualSigningRequest}(m,p{k}_{i_k})$, $\mathtt{DesignatedSigningRequest}(m,p{k}_{i_k},p{k}_j)$ and $\mathtt{RequestDesignatedVerifying}(\sigma ,m,p{k}_{i_k},p{k}_j)$, $k\in \{0,1\}$.
• $\mathtt{Challenge} \mathtt{Phase}$: At this step, $\mathcal{F}$ first outputs $m^{*}$, $\mathcal{C}$ then randomly picks $b\stackrel{\$}{\leftarrow }\{0,1\}$ and produces ${\sigma }^{*}=\mathtt{Designated} \mathtt{Signing}(\mathtt{param},m^{*},s{k}_{i_b},p{k}_j)$, then sends ${\sigma }^{*}$ to $\mathcal{F}$.
• $\mathcal{F}$ still can request queries as above except that he/she cannot request query
  $\mathtt{RequestDesignatedVerifying}({\sigma }^{*},m^{*},p{k}_{i_k},p{k}_j)$ for any $k\in \{0,1\}$.
• $\mathtt{Guess} \mathtt{Phase}$: At this step, $\mathcal{F}$ outputs a guess bit $b^{\prime }$ for b, $\mathcal{F}$ is said to win the game if $b^{\prime }=b$.

Let $AdvPS{I}_{\mathcal{F}}^{\Pi }$ be the advantage that $\mathcal{F}$ wins the above security game, where $AdvPS{I}_{\mathcal{F}}^{\Pi }$ is defined by the success probability that $\mathcal{F}$ wins the above security game deviates from one-half.

Definition 2.

A $\mathtt{SPPS}$ scheme Π is said to achieve the $\mathtt{PSI}$ property against any polynomial-time adversary $\mathcal{F}$ if the advantage $AdvPS{I}_{\mathcal{F}}^{\Pi }$ above is negligible.

2.2. Bilinear Groups

Let $\mathbb{G}$, $\tilde{\mathbb{G}}$ and ${\mathbb{G}}_T$ be three finite multiplicative abelian groups of large prime order $p>2^{\lambda }$ where $\lambda$ is the security parameter. Let $g,\tilde{g}$ be generators of $\mathbb{G},\tilde{\mathbb{G}}$, respectively. Let e be an admissible asymmetric bilinear map $e:\mathbb{G}\times \tilde{\mathbb{G}}\to {\mathbb{G}}_T$ such that for all $a,b\in {\mathbb{Z}}_p$

• $e(g^a,{\tilde{g}}^b)=e{(g,\tilde{g})}^{ab}$;
• for $g\ne 1_{\mathbb{G}}$ and $\tilde{g}\ne 1_{\tilde{\mathbb{G}}}$, $e(g,\tilde{g})\ne 1_T$;
• $e(g,\tilde{g})$ is efficiently computable.

We call the tuple $(p,\mathbb{G},\tilde{\mathbb{G}},{\mathbb{G}}_T,g,\tilde{g},e)$ a bilinear map group system, and according to [13] it is in:

• Type 1 pairings if $\mathbb{G}=\tilde{\mathbb{G}}$
• Type 2 pairings if $\mathbb{G}\ne \tilde{\mathbb{G}}$ but there is an efficiently computable homomorphism $\varphi :\tilde{\mathbb{G}}\to \mathbb{G}$
• Type 3 pairings if $\mathbb{G}\ne \tilde{\mathbb{G}}$ but there doesn’t exist efficiently computable homomorphism between $\tilde{\mathbb{G}}$ and $\mathbb{G}$.

2.3. Pointcheval-Sanders Signature Scheme

At CT-RSA’16, Pointcheval et al. proposed a new signature scheme, this scheme achieves full security under a new assumption which they named $\mathtt{PS}$ assumption 1. In the recent paper at CT-RSA’18 [12], the author showed that the hardness of this new assumption and the hardness of the well-known q-$\mathtt{SDH}$ assumption [18] are equivalent.

More precisely, the Pointcheval–Sanders signature scheme includes four following probabilistic algorithms.

• $\mathtt{Setup}$: the input of this algorithm is the security parameter $\lambda$, the output is the public parameter $\mathtt{param}=(p$, $\mathbb{G}$, $\tilde{\mathbb{G}}$, ${\mathbb{G}}_T$, g, $\tilde{g}$, $e)$.
• $\mathtt{KeyGen}$: the input of this algorithm is the security parameter $\lambda$, the output is the user’s key pairs. Concretely, user’s secret key includes two elements $(x,y)\in {\mathbb{Z}}_p^{*}$, and user’s public key includes three elements $(\tilde{h}\in \tilde{\mathbb{G}},\tilde{X}={\tilde{h}}^x,\tilde{Y}={\tilde{h}}^y)$.
• $\mathtt{Sign}$: the inputs of this algorithm are the user’s secret key $(x,y)$ and a message $m\in {\mathbb{Z}}_p$. The algorithm randomly picks $h\stackrel{\$}{\leftarrow }\mathbb{G},$$h\ne 1_{\mathbb{G}}$, and generates the signature $\sigma =({\sigma }_1=h,{\sigma }_2=h^{(x+ym)})$.
• $\mathtt{Verify}$: the input of this algorithm are a message m, signature $\sigma =({\sigma }_1,{\sigma }_2)$ and the corresponding public key $(\tilde{h},\tilde{X},\tilde{Y})$. The algorithm returns 1 which indicates that the signature is valid if the following conditions are verified:

  $$\begin{array}{ccc}\hfill {\sigma }_1& \ne & 1_{\mathbb{G}};\hfill \\ \hfill e({\sigma }_1,\tilde{X}{\tilde{Y}}^m)& =& e({\sigma }_2,\tilde{h}).\hfill \end{array}$$

  Otherwise, the algorithm returns 0 which indicates that the signature is invalid.

The $\mathtt{PS}$ assumption 1, given in [12], permits to prove that such signature scheme is secure.

Definition 3.

PS assumption 1:Let $(p,\mathbb{G},\tilde{\mathbb{G}},{\mathbb{G}}_T,g,\tilde{g},e)$ be a bilinear group setting of type 3. Choose $u,v\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$, we define the oracle $\mathcal{O}(m)$ on input $m\in {\mathbb{Z}}_p$ that chooses a random $h\in \mathbb{G}$ and outputs the pair $(h,h^{u+mv})$. Given $(g$, $\tilde{g}$, ${\tilde{g}}^u$, ${\tilde{g}}^v$, $g^v)$ and unlimited access to this oracle, no adversary can have non-negligible success probability to generate a pair $(h,h^{u+m^{*}v})$, with $h\ne 1_{\mathbb{G}}$, for a new $m^{*}$ not asked to $\mathcal{O}$.

In this paper, we prove that our $\mathtt{SPPS}$ scheme is secure under the $\mathtt{PS}$ assumption 1 and a new assumption which is a simple modification of the well known $\mathtt{XDH}$ assumption. The $\mathtt{XDH}$ assumption is described as follows.

Definition 4.

$\mathsf{XDH}$assumption: Assume that $(\mathit{p},\mathbb{G},\tilde{\mathbb{G}},{\mathbb{G}}_{\mathit{T}},\mathit{g},\tilde{\mathit{g}},\mathit{e})$ is a bilinear group system of type 3. Pick $\mathit{a},\mathit{b}\stackrel{\mathit{\$}}{\leftarrow }{\mathbb{Z}}_{\mathit{p}}$. Given $(\mathit{g},\tilde{\mathit{g}},{\mathit{g}}^{\mathit{a}},{\mathit{g}}^{\mathit{b}},\mathit{T})$, it is hard to distinguish $\mathit{T}$ is either ${\mathit{g}}^{\mathit{a}\mathit{b}}$ or a random element in $\mathbb{G}$.

We define a simple modification of $\mathtt{XDH}$ assumption, we name $\mathtt{MXDH}$ assumption, as follows.

Definition 5.

$\mathsf{MXDH}$assumption: Assume that $(\mathit{p},\mathbb{G},\tilde{\mathbb{G}},{\mathbb{G}}_{\mathit{T}},\mathit{g},\tilde{\mathit{g}},\mathit{e})$ is a bilinear group system of type 3. Pick $\mathit{a},\mathit{b},\mathit{c}\stackrel{\mathit{\$}}{\leftarrow }{\mathbb{Z}}_{\mathit{p}}$ and $\tilde{\mathit{h}}\stackrel{\mathit{\$}}{\leftarrow }\tilde{\mathbb{G}}$. Given $\overrightarrow{\mathit{Y}}=(\mathit{g},\tilde{\mathit{g}},{\mathit{g}}^{\mathit{a}},{\mathit{g}}^{\mathit{b}},{\mathit{g}}^{\mathit{c}},{\mathit{g}}^{\mathit{a}\mathit{c}},\tilde{\mathit{h}},{\tilde{\mathit{h}}}^{\mathit{a}},\mathit{T})$, it is hard to distinguish $\mathit{T}$ is either ${\mathit{g}}^{\mathit{a}\mathit{b}\mathit{c}}$ or a random element in $\mathbb{G}$.

It is easy to see that one needs to have the value ${\tilde{g}}^b$ or $g^{bc}$ to distinguish T. However, these values are not provided in $\overrightarrow{Y}$.

3. $\mathsf{SPPS}$ Scheme

We rely on the Pointcheval–Sanders signature scheme [12] to construct our $\mathtt{SPPS}$ scheme. In our $\mathtt{SPPS}$ scheme a user can choose to generate either a usual signature (using the same signing algorithm as in [12]) or a designated verifier signature.

3.1. Detailed Description

The scheme is described as follows.

• $\mathtt{Setup}(1^{\lambda })$: the input of this algorithm is the security parameter $\lambda$, the output is the public parameters $\mathtt{param}=(p,\mathbb{G}$$,\tilde{\mathbb{G}},{\mathbb{G}}_T,g,\tilde{g},e)$.
• $\mathtt{Key} \mathtt{Generation}$: the input of this algorithm is $\mathtt{param}$. To produce the output, the algorithm first randomly chooses $(x_i,y_i,z_i)\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*},{\tilde{h}}_i\stackrel{\$}{\leftarrow }\tilde{\mathbb{G}}$, computes ${\tilde{X}}_i={\tilde{h}}_i^{x_i},{\tilde{Y}}_i={\tilde{h}}_i^{y_i},Y_i=g^{y_i},Z_i=g^{z_i}$. The algorithm finally outputs the secret key $s{k}_i=(x_i,y_i,z_i)$ and public key $p{k}_i=({\tilde{h}}_i,{\tilde{X}}_i,{\tilde{Y}}_i,Y_i,Z_i)$
• $\mathtt{Usual} \mathtt{Signing}$: the input of this algorithm are $\mathtt{param}$, $s{k}_i$ and the message $m\in {\mathbb{Z}}_p$ (note that in practice we use a hash function to hash a long message $m\in {\{0,1\}}^{*}$ to a short message $m\in {\mathbb{Z}}_p$). The algorithm first randomly chooses $h\stackrel{\$}{\leftarrow }\mathbb{G}$ such that $h\ne 1_{\mathbb{G}}$, then outputs the usual signature $\sigma =({\sigma }_1,{\sigma }_2)$ where ${\sigma }_1=h$ and ${\sigma }_2=h^{(x_i+y_{i}m)}$.
• $\mathtt{Designated} \mathtt{Signing}$: the input of this algorithm are $\mathtt{param}$, $s{k}_i,p{k}_j$ and the message $m\in {\mathbb{Z}}_p$. The algorithm first randomly chooses $h\stackrel{\$}{\leftarrow }\mathbb{G}$ such that $h\ne 1_{\mathbb{G}}$, then outputs the designated verifier signature $\sigma =({\sigma }_1,{\sigma }_2)$ where ${\sigma }_1=h$ and ${\sigma }_2=h^{(x_i+y_{i}m)}·{(g^{z_j})}^{y_i{z}_i}$.
• $\mathtt{Usual} \mathtt{Verification}$: the input of this algorithm are $\mathtt{param}$, $p{k}_i,m$ and the usual signature $\sigma =({\sigma }_1,{\sigma }_2)$. The algorithm checks that whether ${\sigma }_1\ne 1_{\mathbb{G}}$ and

  $$e({\sigma }_2,{\tilde{h}}_i)=e({\sigma }_1,{\tilde{X}}_i{\tilde{Y}}_i^m).$$
  If this is the case the algorithm outputs 1, else it outputs 0.
• $\mathtt{Designated} \mathtt{Verification}$: the input of this algorithm are $\mathtt{param}$, $p{k}_i,s{k}_j,m$ and the designated verifier signature $\sigma =({\sigma }_1,{\sigma }_2)$. The algorithm checks that whether ${\sigma }_1\ne 1_{\mathbb{G}}$ and

  $$e({\sigma }_2,{\tilde{h}}_i)=e({\sigma }_1,{\tilde{X}}_i{\tilde{Y}}_i^m)·e(Z_i,{\tilde{Y}}_i^{z_j}).$$
  If this is the case the algorithm outputs 1, else it outputs 0.
• $\mathtt{Proving}$:
  • first: the designated verifier j with his/her secret key $s{k}_j=(x_j,y_j,z_j)$ and the signature $\sigma =({\sigma }_1,{\sigma }_2)$ of user i at hands generates the proof as follows:

    $$\mathtt{proof}=({\sigma }_1^{{}^{\prime }},{\sigma }_2^{{}^{\prime }})=({\sigma }_1^{\frac{1}{z_j}},{\sigma }_2^{\frac{1}{z_j}})=(h^{\frac{1}{z_j}},h^{\frac{x_i+y_{i}m}{z_j}}·g^{y_i{z}_i}).$$
  • second: on input a message m, anybody with the $\mathtt{proof}$ at hands can verify whether or not that the user i with his/her public key $p{k}_i$ has signed on the message m by checking that:

    $$\begin{array}{ccc}\hfill {\sigma }_1^{{}^{\prime }}& \ne & 1_{\mathbb{G}};\hfill \\ \hfill e({\sigma }_2^{{}^{\prime }},{\tilde{h}}_i)& =& e({\sigma }_1^{{}^{\prime }},{\tilde{X}}_i{\tilde{Y}}_i^m)·e(Z_i,{\tilde{Y}}_i).\hfill \end{array}$$

Correctness. The correctness of $\mathtt{Usual} \mathtt{Verification}$ algorithm is straightforward followed from Pointcheval-Sanders signature scheme [12].

Regarding the correctness of $\mathtt{Designated} \mathtt{Verification}$, let $\sigma =({\sigma }_1=h,{\sigma }_2=h^{(x_i+y_{i}m)}·{(g^{z_j})}^{y_i{z}_i})$, we have:

$$\begin{array}{ccc}\hfill e({\sigma }_2,{\tilde{h}}_i)& =& e(h^{(x_i+y_{i}m)}·{(g^{z_j})}^{y_i{z}_i},{\tilde{h}}_i)\hfill \\ \hfill & =& e(h^{(x_i+y_{i}m)},{\tilde{h}}_i)·e(g^{z_j{y}_i{z}_i},{\tilde{h}}_i)\hfill \\ \hfill & =& e(h,{\tilde{h}}_i^{(x_i+y_{i}m)})·e(g^{z_i},{\tilde{h}}_i^{y_i{z}_j})\hfill \\ \hfill & =& e({\sigma }_1,{\tilde{X}}_i{\tilde{Y}}_i^m)·e(Z_i,{\tilde{Y}}_i^{z_j}),\hfill \end{array}$$

and similar to the correctness of the $\mathtt{Proving}$ algorithm.

Remark 1.

It is clear that from the $\mathtt{proof}$, one cannot extract $z_j$, which means the designated verifier can runs the Proving algorithm without revealing his/her secret key. However, the crucial point here is that the signer realizes that he/she cannot refuse his/her designated verifier signature, therefore in practice the designated verifier may never need to runs the Proving algorithm.

3.2. Security Analysis of $\mathtt{SPPS}$ Scheme

In this section, we prove that our $\mathtt{SPPS}$ scheme is existentially unforgeable under the $\mathtt{PS}$ assumption 1, and our $\mathtt{SPPS}$ scheme achieves $\mathtt{PSI}$ property under the $\mathtt{MXDH}$ assumption.

Theorem 1.

Our $\mathtt{SPPS}$ scheme is existentially unforgeable under the $\mathtt{PS}$ assumption 1.

Proof. 

Let $\mathcal{F}$ be a forger against the security of our $\mathtt{SPPS}$ scheme, and $\mathcal{C}$ be an adversary against $\mathtt{PS}$ assumption 1. We will prove that $\mathcal{C}$ can simulate $\mathcal{F}$ and based on the $\mathcal{F}$’s output to solve the $\mathtt{PS}$ assumption 1.

To this aim, at the beginning of the security game (see Section 2.1.3) $\mathcal{C}$ first gets an instance of the $\mathtt{PS}$ assumption 1: $(p,\mathbb{G},\tilde{\mathbb{G}},{\mathbb{G}}_T,g,\tilde{g},e,g^v$, ${\tilde{g}}^u$, ${\tilde{g}}^v)$, and gets the right to access oracle $\mathcal{O}$. Note that $\mathcal{O}(m)$, on input $m\in {\mathbb{Z}}_p$, outputs a pair $(h$, $h^{u+vm})$ where h is a random element in $\mathbb{G}$.

• $\mathtt{Initialization} \mathtt{Phase}$: $\mathcal{C}$ chooses $t,z_i,x_j,y_j,z_j\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, implicitly sets $x_i=u,y_i=v$, then computes ${\tilde{h}}_i={\tilde{g}}^t,{\tilde{X}}_i={({\tilde{g}}^u)}^t,{\tilde{Y}}_i={({\tilde{g}}^v)}^t,Y_i=g^v,Z_i=g^{z_i}$, sets $p{k}_i=({\tilde{h}}_i,{\tilde{X}}_i,{\tilde{Y}}_i,Y_i,Z_i)$. Next, $\mathcal{C}$ chooses ${\tilde{h}}_j\stackrel{\$}{\leftarrow }\tilde{\mathbb{G}}$, computes ${\tilde{X}}_j={\tilde{h}}_j^{x_j},{\tilde{Y}}_i={\tilde{h}}_j^{y_j},Y_j=g^{y_j},Z_j=g^{z_j}$, sets $p{k}_j=({\tilde{h}}_j,{\tilde{X}}_j,{\tilde{Y}}_j,Y_j,Z_j)$ and $s{k}_j=(x_j,y_j,z_j)$.
  Finally, $\mathcal{C}$ gives $\mathtt{param}=(p,\mathbb{G},\tilde{\mathbb{G}},$${\mathbb{G}}_T,g,\tilde{g},e)$ and $(p{k}_i,p{k}_j,s{k}_j)$ to $\mathcal{F}$.
• $\mathtt{Query} \mathtt{Phase}$: $\mathcal{C}$ now answers the requested oracles from $\mathcal{F}$ as follows.
  • $\mathtt{UsualSigningRequest}(m,p{k}_i)$: $\mathcal{C}$ needs to answer to $\mathcal{F}$ the usual signature of user i on message m. To this aim, $\mathcal{C}$ simply asks $\mathcal{O}$ on input m to obtain the pair $(h,h^{u+vm})=(h,h^{x_i+y_{i}m})$, then returns it to $\mathcal{F}$.
  • $\mathtt{DesignatedSigningRequest}(m,p{k}_i,p{k}_j)$: $\mathcal{C}$ needs to answer to $\mathcal{F}$ the designated verifier signature of user i on message m with designated verifier j. To this aim, $\mathcal{C}$ first requests the oracle $\mathcal{O}$ on input m to get the pair $(h,h^{u+vm})=(h,h^{x_i+y_{i}m})$. Next, $\mathcal{C}$ produces designated verifier signature $\sigma =({\sigma }_1,{\sigma }_2)$ as follows.

    $${\sigma }_1=h,{\sigma }_2=h^{x_i+y_{i}m}·{(g^{y_i})}^{z_j{z}_i}$$

    Note that $\mathcal{C}$ knows $z_i,z_j$. Finally, $\mathcal{C}$ sends $\sigma$ to $\mathcal{F}$.
  • $\mathtt{RequestDesignatedVerifying}(\sigma ,m,p{k}_i,p{k}_j)$: $\mathcal{C}$ needs to answer to $\mathcal{F}$ that whether or not $\sigma$ is a valid designated verifier signature on m with designated verifier j. To this aim, $\mathcal{C}$ simply runs the $\mathtt{Designated} \mathtt{Verification}(\mathtt{param},\sigma ,m,p{k}_i,s{k}_j)$ and returns the output to $\mathcal{F}$.
• $\mathtt{Output} \mathtt{Phase}$: At this phase, $\mathcal{F}$ outputs $(m^{*},{\sigma }^{*})$ with the requirement that $m^{*}$ has never been queried to $\mathtt{UsualSigningRequest}(m^{*},p{k}_i)$ and $\mathtt{DesignatedSigningRequest}(m^{*},p{k}_i,p{k}_j)$, that means $m^{*}$ has never been queried to oracle $\mathcal{O}$. There are two cases: First, ${\sigma }^{*}$ is a usual signature that means ${\sigma }^{*}=({\sigma }_1^{*},{\sigma }_2^{*})$, where:

  $${\sigma }_1^{*}=h^{\prime },{\sigma }_2^{*}=h^{\prime x_i+y_i{m}^{*}}=h^{\prime u+v{m}^{*}}$$

  $\mathcal{C}$ simply uses the pair $({\sigma }_1^{*},{\sigma }_2^{*})$ as a valid pair to solve the $\mathtt{PS}$ assumption 1.
  Second, ${\sigma }^{*}$ is a designated verifier signature that means ${\sigma }^{*}=({\sigma }_1^{*},{\sigma }_2^{*})$, where:

  $${\sigma }_1^{*}=h^{\prime },{\sigma }_2^{*}=h^{\prime x_i+y_i{m}^{*}}·g^{y_i{z}_j{z}_i}$$

  $\mathcal{C}$ computes

  $$K={\sigma }_2^{*}/{(g^{y_i})}^{z_j{z}_i}=h^{\prime x_i+y_i{m}^{*}}=h^{\prime u+v{m}^{*}}.$$
  Note that $\mathcal{C}$ knows $z_i,z_j$. So, $\mathcal{C}$ also can use the valid pair $({\sigma }_1^{*},K)$ to solve the $\mathtt{PS}$ assumption 1.
  It is easy to see that the simulation is perfect and $\mathcal{C}$ has never aborted the game, so if $\mathcal{F}$ can break the security of our $\mathtt{SPPS}$ scheme with non-negligible success probability, then $\mathcal{C}$ also can solve the $\mathtt{PS}$ assumption 1 with non-negligible success probability ($SuccU{n}_{\mathcal{F}}^{\Pi }$ is non-negligible), which concludes our proof.

 □

Theorem 2.

Our $\mathtt{SPPS}$ scheme achieves $\mathtt{PSI}$ property under the $\mathtt{MXDH}$ assumption. More precisely,

$$AdvPS{I}_{\mathcal{F}}^{\Pi }\le 2{ϵ}_{\mathtt{MXDH}}$$

Proof. 

Let $\mathcal{F}$ as above and $\mathcal{C}$ be an adversary against $\mathtt{MXDH}$ assumption. The proof includes a series of games, let $E_i$ be the event that the adversary $\mathcal{F}$ returns the correct guessed bit in Game ${\mathtt{G}}_i$.

• ${\mathtt{G}}_0$: Game ${\mathtt{G}}_0$ is the original game. In this game, $\mathcal{C}$ first chooses $x_{i_k},y_{i_k},z_{i_k},x_j,y_j,z_j\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$ where $k=0,1$, so $\mathcal{C}$ can easily produce $\mathtt{param},p{k}_{i_k},p{k}_j$, and $\mathcal{C}$ sends $\mathtt{param},p{k}_{i_k},p{k}_j$ to $\mathcal{F}$.
  On the other hand, with $x_{i_k},y_{i_k},z_{i_k},x_j,y_j,z_j$ at hands where $k=0,1$, $\mathcal{C}$ can easily answer any query ($\mathtt{UsualSigningRequest}(m,p{k}_{i_k})$, $\mathtt{DesignatedSigningRequest}(m,p{k}_{i_k},p{k}_j)$ and $\mathtt{RequestDesignatedVerifying}(\sigma ,m,p{k}_{i_k},p{k}_j)$) from $\mathcal{F}$.
  Next, at the challenge phase, $\mathcal{C}$ first picks randomly a bit $\mathtt{b}\stackrel{\$}{\leftarrow }\{0,1\}$, $\mathcal{C}$ then uses $x_{i_{\mathtt{b}}},y_{i_{\mathtt{b}}},z_{i_{\mathtt{b}}},z_j$ to produce the challenge designated verifier signature ${\sigma }^{*}$. From the definition, we have:
  $Pr\left|E_0\right|=AdvPS{I}_{\mathcal{F}}^{\Pi }+\frac{1}{2}$
• ${\mathtt{G}}_1$: This game is the same as game ${\mathtt{G}}_0$ except that the value $g^{y_{i_0}{z}_{i_0}{z}_j}$ now is generated randomly.
  Let consider the following game: $\mathcal{C}$ first gets an instance of the $\mathtt{MXDH}$ assumption: $(g,\tilde{g},g^a,g^b,g^c,g^{ac},\tilde{h},$${\tilde{h}}^a,T)$, note that T is either $g^{abc}$ or a random element in $\mathbb{G}$. $\mathcal{C}$ next randomly picks $x_{i_0},x_{i_1},y_{i_1},z_{i_1}$$\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, then uses them to produce $\mathtt{param},p{k}_{i_1}$.
  For $p{k}_{i_0}$ and $p{k}_j$, $\mathcal{C}$ first implicitly sets $y_{i_0}=a,z_{i_0}=c,z_j=b$, randomly picks $x_j,y_j\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, then uses them to produce: $p{k}_j$ (note that $\mathcal{C}$ knows $Z_j=g^b$ from assumption). $\mathcal{C}$ also produces $p{k}_{i_0}$ as follows:

  $$p{k}_{i_0}=(\tilde{h},{\tilde{X}}_{i_0}={\tilde{h}}^{x_{i_0}},{\tilde{Y}}_{i_0}={\tilde{h}}^a,Y_{i_0}=g^a,Z_{i_0}=g^c)$$
  Note that ${\tilde{h}}_{i_0}=\tilde{h}$, $\mathcal{C}$ finally sends $\mathtt{param},p{k}_{i_k},p{k}_j$ where $k=0,1$ to $\mathcal{F}$.
  At the first query phase, $\mathcal{C}$ answers queries from $\mathcal{F}$ as follows.

  –

  $\mathtt{UsualSigningRequest}(m,$$p{k}_{i_0})$: $\mathcal{C}$ simply picks $t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, then produces $\sigma =({\sigma }_1,{\sigma }_2)$ where

  $${\sigma }_1=g^t,{\sigma }_2=g^{t{x}_{i_0}}·{(g^a)}^{tm}$$

  $\mathcal{C}$ also can easily answer $\mathtt{UsualSigningRequest}(m,$$p{k}_{i_1})$ since he/she knows $x_{i_1},y_{i_1},z_{i_1}$.

  –

  $\mathtt{DesignatedSigningRequest}(m,$$p{k}_{i_0},p{k}_j)$: $\mathcal{C}$ first picks $t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, then produces $\sigma =({\sigma }_1,{\sigma }_2)$ where

  $${\sigma }_1=g^t,{\sigma }_2=g^{t{x}_{i_0}}·{(g^a)}^{tm}·T$$

  Note that if $T=g^{abc}$ then $\sigma$ is in the correct form. As above, since $\mathcal{C}$ knows $x_{i_1},y_{i_1},z_{i_1}$, so he/she can easily answer $\mathtt{DesignatedSigningRequest}(m,$$p{k}_{i_1},p{k}_j)$, note that $\mathcal{C}$ also knows $Z_j=g^b$.

  $${\sigma }_1=g^t,{\sigma }_2=g^{t{x}_{i_1}}·{(g^{y_{i_1}})}^{tm}·{(g^b)}^{y_{i_1}{z}_{i_1}}$$

  –

  $\mathtt{RequestDesignatedVerifying}(\sigma =({\sigma }_1,{\sigma }_2),m,p{k}_{i_0},p{k}_j)$: $\mathcal{C}$ simply checks whether:

  $$e({\sigma }_1,{\tilde{X}}_{i_0}·{\tilde{Y}}_{i_0}^m)·e(T,\tilde{h})==e({\sigma }_2,\tilde{h}).$$

  If it is right, $\mathcal{C}$ outputs 1, else $\mathcal{C}$ outputs 0. Note that ${\tilde{h}}_{i_0}=\tilde{h}$. It is also easy for $\mathcal{C}$ to answer $\mathtt{RequestDesignatedVerifying}(\sigma =({\sigma }_1,{\sigma }_2),m,p{k}_{i_1},p{k}_j)$.

  At the challenge phase, $\mathcal{F}$ first sends $m^{*}$ to $\mathcal{C}$, $\mathcal{C}$ then picks $t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*},\mathtt{b}\stackrel{\$}{\leftarrow }\{0,1\}$, then produces ${\sigma }^{*}=({\sigma }_1^{*},{\sigma }_2^{*})$, where:

  $${\sigma }_1^{*}=g^t,{\sigma }_2^{*}=g^{t{x}_{i_{\mathtt{b}}}}·Y_{i_{\mathtt{b}}}^{t{m}^{*}}·T_{\mathtt{b}}.$$
  Note that if $\mathtt{b}=0$, $T_{\mathtt{b}}=T$, else $T_{\mathtt{b}}=g^{b{y}_{i_1}{z}_{i_1}}$. We have that if $T=g^{abc}$, ${\sigma }^{*}$ is in the correct form.
  The second phase query is similar to the first one.
  At the guess phase, $\mathcal{F}$ outputs $b^{\prime }$ as the guess for bit $\mathtt{b}$, if $b^{\prime }=\mathtt{b}$ then $\mathcal{C}$ returns 1 means that $T=g^{abc}$ and 0 otherwise, means that T is a random element in $\mathbb{G}$.
  It is straightforward to realize that if $T=g^{abc}$ then $\mathcal{C}$ has simulated the game which is identical to Game ${\mathtt{G}}_0$, and the probability that $\mathcal{C}$ outputs the correct answer is $Pr\left|E_0\right|$. In case T is a random element, $\mathcal{C}$ has simulated the game which is identical to Game ${\mathtt{G}}_1$, and the probability that $\mathcal{C}$ outputs the correct answer is $Pr\left|E_1\right|$. Let $\beta$ be the bit outputted by $\mathcal{C}$, we have: $\left|Pr[\beta =1|T=g^{abc}]-Pr[\beta =1|T\stackrel{\$}{\leftarrow }\mathbb{G}]\right|$$=\left|Pr\left|E_0\right|-Pr\left|E_1\right|\right|$, therefore:
  $\left|Pr\left|E_0\right|-Pr\left|E_1\right|\right|\le {ϵ}_{\mathtt{MXDH}}$
• ${\mathtt{G}}_2$: This game is the same as game ${\mathtt{G}}_1$ except that $g^{y_{i_1}{z}_{i_1}{z}_j}$ now is generated randomly.
  As in the game ${\mathtt{G}}_1$, we have: $\left|Pr\left|E_1\right|-Pr\left|E_2\right|\right|\le {ϵ}_{\mathtt{MXDH}}$.
  Note that both $g^{y_{i_0}{z}_{i_0}{z}_j}$ and $g^{y_{i_1}{z}_{i_1}{z}_j}$ are generated randomly in game ${\mathtt{G}}_2$, therefore the queries as well as the challenge designated verifier signature provide no help for adversary $\mathcal{F}$, therefore $Pr\left|E_2\right|=\frac{1}{2}$. That means, we have: $\left|Pr\left|E_0\right|-Pr\left|E_1\right|\right|+\left|Pr\left|E_1\right|-Pr\left|E_2\right|\right|\le 2{ϵ}_{\mathtt{MXDH}},$$Pr\left|E_0\right|\le 2{ϵ}_{\mathtt{MXDH}}+Pr\left|E_2\right|=2{ϵ}_{\mathtt{MXDH}}+\frac{1}{2}$
  Thus $AdvPS{I}_{\mathcal{F}}^{\Pi }\le 2{ϵ}_{\mathtt{MXDH}}$, which concludes our proof.

 □

4. Conclusions

In several modern applications such as Electronic Voting, e-Health, e-Payment, etc, the privacy information of the signer is needed. There exist several methods to keep the privacy information of the signer such as combining a signature scheme with an encryption scheme, using a strong designated verifier signature scheme, or using a group signature scheme. In this paper, we extend the traditional signature scheme to propose an alternative method to solve this problem. Our proposed method has two advantages: it is an improvement of the traditional signature scheme in term of functionality (adding the function of keeping privacy information of the signer); it is the most efficient one when compared with three existing methods which deal with the same problem of keeping the privacy information of the signer.