Abstract
Strong designated verifier signature schemes rely on sender-privacy to hide the identity of the creator of a signature to all but the intended recipient. This property can be invaluable in, for example, the context of deniability, where the identity of a party should not be deducible from the communication sent during a protocol execution. In this work, we explore the technical definition of sender-privacy and extend it from a 2-party setting to an n-party setting. Afterwards, we show in which cases this extension provides stronger security and in which cases it does not.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33
Chaum, D.: Private signature and proof systems. US Patent No. 5,493,614, February 1996
Chaum, D., van Antwerpen, H.: Undeniable signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 212–216. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_20
Huang, Q., Yang, G., Wong, D.S., Susilo, W.: Identity-based strong designated verifier signature revisited. J. Syst. Softw. 84(1), 120–129 (2011). https://doi.org/10.1016/j.jss.2010.08.057
Huang, X., Susilo, W., Mu, Y., Zhang, F.: Short (identity-based) strong designated verifier signature schemes. In: Chen, K., Deng, R., Lai, X., Zhou, J. (eds.) ISPEC 2006. LNCS, vol. 3903, pp. 214–225. Springer, Heidelberg (2006). https://doi.org/10.1007/11689522_20
Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_13
Laguillaumie, F., Vergnaud, D.: Designated verifier signatures: anonymity and efficient construction from any bilinear map. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 105–119. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30598-9_8
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
Saeednia, S., Kremer, S., Markowitch, O.: An efficient strong designated verifier signature scheme. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 40–54. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24691-6_4
Susilo, W., Zhang, F., Mu, Y.: Identity-based strong designated verifier signature schemes. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 313–324. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_27
Acknowledgements
Jeroen van Wier was supported by the Luxembourg National Research Fund (FNR), under the joint CORE project Q-CoDe (CORE17/IS/11689058/Q-CoDe/Ryan) and the CORE project EquiVox (C19/IS/13643617/EquiVox/Ryan).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Full Proof of Theorem 2
Theorem 2. For any adversary \(\mathcal {A}\), set of oracles \(\mathcal {O}\) and DVS scheme \(\varPi \), there exists an adversary \(\mathcal {B}\) such that
Proof
Here, we omit the subscripts \(\varPi \) and \(\mathcal {O}\) for \(\textsf{Adv} \) and \(\textsf{G} \) for simplicity. Let \(\mathcal {B}\) be defined as in Games 5 and 6. The permutation is used here to hide the indexation of the parties from the adversary. Note that applying a permutation \(\pi \) in this fashion is equivalent to generating the keypairs in the order \(\pi ^{-1}(0)\dots \pi ^{-1}(n)\) and since these are i.i.d. samples the order of their generation does not affect the winning probability of \(\mathcal {A}\). However, it guarantees that the winning probability of \(\mathcal {A}\) is the same for every c. Note that here we use \(\Pr _{\pi }\) to indicate the uniform probability over all \(\pi : [n] \mapsto [n]\) such that \(\pi (n)=n\).
![figure au](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-52947-4_4/MediaObjects/619304_1_En_4_Figau_HTML.png)
![figure av](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-52947-4_4/MediaObjects/619304_1_En_4_Figav_HTML.png)
![figure aw](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-52947-4_4/MediaObjects/619304_1_En_4_Figaw_HTML.png)
\(\square \)
B Full Proof of Theorem 3
Theorem 3. For any adversary \(\mathcal {A}\) and set of oracles \(\mathcal {O}\), there exists an adversary \(\mathcal {B}\) such that
Proof
Fix \(\mathcal {A}\). Let \(\mathcal {B}\) be defined as in Game 7 and Game 8.
![figure ax](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-52947-4_4/MediaObjects/619304_1_En_4_Figax_HTML.png)
![figure ay](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-52947-4_4/MediaObjects/619304_1_En_4_Figay_HTML.png)
The permutation is used here to hide the indexation of the parties from the adversary. Note that applying a permutation \(\pi \) in this fashion is equivalent to generating the keypairs in the order \(\pi ^{-1}(0)\dots \pi ^{-1}(n)\) and since these are i.i.d. samples the order of their generation does not affect the winning probability of \(\mathcal {A}\). When playing game \(\textsf{G} ^\textsf{SendPriv} _{\varPi ,\mathcal {B}}\), we can now distinguish two cases:
-
1.
\(\{\pi (s_0), \pi (s_1)\} = \{0,1\}\) and \(\pi (r) = n\). Since \(\pi \) is random and unknown to \(\mathcal {A}\), this happens with probability \(\frac{2(n-2)!}{(n+1)!}\). In this case, \(\mathcal {A}\) has chosen \(P_0\) and \(P_1\) as the possible signers and \(P_n\) as the verifier, making \(\textsf{G} ^\textsf{ChosenSendPriv} _{\varPi , \mathcal {A}}\) and \(\textsf{G} ^{\textsf{SendPriv}}_{\varPi , \mathcal {B}}\) equivalent.
-
2.
Otherwise, \(\mathcal {A}\) has chosen different signers or verifiers, in which case \(\textsf{G} ^{\textsf{SendPriv}}_{\varPi , \mathcal {B}}\) becomes equivalent to a random coin flip, with probability \(\frac{1}{2}\) of guessing c.
Combining this, we get that
![figure az](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-52947-4_4/MediaObjects/619304_1_En_4_Figaz_HTML.png)
Thus,
\(\square \)
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
van Wier, J. (2024). SDVS Sender-Privacy in the Multi-party Setting. In: Manulis, M., Maimuţ, D., Teşeleanu, G. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2023. Lecture Notes in Computer Science, vol 14534. Springer, Cham. https://doi.org/10.1007/978-3-031-52947-4_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-52947-4_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-52946-7
Online ISBN: 978-3-031-52947-4
eBook Packages: Computer ScienceComputer Science (R0)