Content uploaded by Willy Susilo
Author content
All content in this area was uploaded by Willy Susilo on Jan 23, 2017
Content may be subject to copyright.
Short Designated Verifier Proxy Signature from
Pairings
Xinyi Huang1,YiMu
2, Willy Susilo2, and Futai Zhang1,
1College of Mathematics and Computer Science,
Nanjing Normal University, P.R. China
xinyinjnu@126.com,zhangfutai@njnu.edu.cn
2Centre for Information Security Research,
School of Information Technology and Computer Science,
University of Wollongong, Australia
{wsusilo, ymu}@uow.edu.au
Abstract. In a designated verifier proxy signature scheme, the original
signer delegates her/his signing capability to the proxy signer in such a
way that the latter can sign messages on behalf of the former, but only
the designated verifier can believe the validity of these signatures. In this
paper, we firstly describe the notion of short designated verifier proxy
signature, which we call SDVPS. Then a concrete scheme is presented.
We prove that the proposed scheme is unforgeable even to the original
signer under the Gap Bilinear Diffie-Hellman assumption and Random
Oracle Model.
Keywords: Proxy Signature, Short Signature, Pairings, Authentication.
1 Introduction
In a proxy signature scheme, the original signer (say, Alice) can delegate her
signing right to another user (say, Bob) who is called proxy signer. Bob can
sign messages on behalf of Alice. Upon receiving a proxy signature on some
message, the verifier can validate its correctness by a given verification procedure
and can be convinced of the original signer’s agreement on the proxy signing.
The notion of proxy signature was introduced in [7]. Proxy signature schemes
have been suggested for use in a number of applications, including electronic
commerce and distributed shared object systems. Based on the application, they
canbeclassifiedasfull delegation,partial delegation,anddelegation by warrant
schemes. Based on the knowledge of the proxy private key, proxy signatures can
be classified into proxy-unprotected and proxy-protected. In a proxy-protected
scheme only the proxy signer can generate proxy signatures, while in a proxy-
unprotected scheme either the proxy signer or the original signer can generate
This work is supported by ARC Discovery Grant DP0557493.
Partially supported by Ministry of Education of Jiangsu Province Project
03KJA520066 and Open Project of Key Laboratory on Computer Network and In-
formation Security of Ministry of Education of China.
T. Enokido et al. (Eds.): EUC Workshops 2005, LNCS 3823, pp. 835–844, 2005.
c
IFIP International Federation for Information Processing 2005
836 X. Huang et al.
proxy signatures since both of them have a knowledge on the proxy private
key. In many applications, proxy-protected schemes are required to avoid the
potential disputes between the original signer and the proxy signer.
There have been several interesting works that provide different features to
proxy signature, for example, threshold proxy signature [15], one-time proxy sig-
nature [13], ID-based proxy signature [14], etc. Let’s consider a scenario where the
proxy signer wishes to protect his signing privilege from knowing by other parties.
That is, Bob only wants to convince the designated receiver that he has signed
the specific message. This scenario is related to the designated verifier signatures
proposed by Jakobsson, Sako and Impagliazzo in [4]. This signature scheme can
be considered as the first non-interactive undeniable signature scheme that trans-
forms Chaum’s scheme [1] into non-interactive verification using a designated veri-
fier proof. In a designated verifier scheme, the signature provides authentication of
a message without providing a non-repudiation property of traditional signatures.
A designated verifier scheme can be used to convince a single third party, i.e., the
designated verifier, and only the designated verifier can be convinced about its va-
lidity or invalidity. This is due to the fact that the designated verifier can always
create a signature intended for himself that is indistinguishable from an original
signature. This scheme does not require any interaction with the presumed signer
to verify the authenticity of the message.There are a number of other works on
designated verifier signatures, for example [5, 4, 9, 10, 8, 11].
Constructing an ordinary designated verifier proxy signature scheme is trivial
(e.g., [2],[12]). The motivation of this paper is to find a scheme of designated
verifier proxy signature which is very short. We call it Short Designated Verifier
Proxy Signature (SDVPS). Compared with other schemes, our proxy key gener-
ation is noninteractive and the signature length is shortest. We prove that our
scheme is proxy-protected that is even the original signer cannot forge a valid
signature. The proof is based on the Gap Bilinear Diffle-Hellman problem in
random oracle.
The rest of this paper is organized as follows. In the next section, we will
provide some preliminaries and background required throughout the paper. In
Section 3, we introduce the notion of the SDVPS scheme. In Section 4, we provide
our concrete SDVPS scheme, and its security proof is given in Section 5. In
Section6,wecomparetheperformance of our scheme with the existing scheme.
Section 7 concludes this paper.
2 Preliminaries
In this section, we will review some fundamental backgrounds required in this
paper, namely bilinear pairing and the definition of the designated verifier sig-
nature.
2.1 Basic Concepts on Bilinear Pairings
Let G1,G2be cyclic additive groups generated by P1,P
2, respectively, whose
orders are a prime q.LetGMbe a cyclic multiplicative group with the same
Short Designated Verifier Proxy Signature from Pairings 837
order q. We assume there is an isomorphism ψ:G2→G1such that ψ(P2)=P1.
Let e:G1×G2→GMbe a bilinear mapping with the following properties:
1. Bilinearity:e(aP, bQ)=e(P, Q)ab for all P∈G1,Q∈G2,a,b,∈ZZq.
2. Non-degeneracy:ThereexistsP∈G1,Q ∈G2such that e(P, Q)=1
GM.
3. Computability: There exists an efficient algorithm to compute e(P, Q) for all
P∈G1,Q∈G2.
For simplicity, hereafter, we set G1=G2and P1=P2. We note that our scheme
can be easily modified for a general case, when G1=G2.
2.2 Complexity Assumptions
We assume that the Bilinear Diffie-Hellman problem is intractable in polynomial
time. Formally, we define it as follows.
Definition 1. Bilinear Diffie-Hellman (BDH) Problem
Given a randomly chosen P∈G1,aswellasaP, bP and cP (for unknown
randomly chosen a, b, c ∈ZZ∗
q), compute e(P, P)abc .
Definition 2. Decisional Bilinear Diffie-Hellman (DBDH) Problem
Given a randomly chosen P∈G1,aswellasaP, bP, cP (for unknown randomly
chosen a, b, c ∈ZZ∗
q)andh∈GM,decidewhetherh=e(P, P )abc.
Definition 3. Gap Bilinear Diffie-Hellman (GBDH) Problem
Given a randomly chosen P∈G1,aswellasaP, bP and cP (for unknown
randomly chosen a, b, c ∈ZZ∗
q), compute e(P, P)abc with the help of the DBDH
oracle.
2.3 Designated Verifier Signature
The goal of designated verifier proofs is to allow an entity, Alice, to prove the
validity of a statement Θto a specific entity, Bob, in such a way that Bob is
convinced about this fact but he cannot transfer this conviction to other third
party. In [4], it is suggested that Alice should prove the statement “Θis correct or
I know Bob’s secret key”. Bob, who is aware that he has not generated the proof
himself and also sure that Alice does not know his secret key will be convinced
by this proof (i.e. the first part of the proof, namely Θis correct), while no other
verifier can decide which part of the disjunction is correct.
The notion of designated verifier proofs are given in [4], and they are formal-
ized in [8] as follows.
Definition 1. Designated Verifier Signature [8]
Let P(A, B)be a protocol between Alice and Bob so that Alice can prove the
correctness of statement Θ. Bob is said to be a designated verifier if he can
produce identically distributed transcripts that are indistinguishable from those
of P(A, B).
838 X. Huang et al.
3 Short Designated Verifier Proxy Signature(SDVPS)
3.1 Outline of the SDVPS
There exist three participants in the system, namely Alice, Bob and Cindy, who
act as the original signer, the proxy signer and the receiver (or the designated
verifier), respectively. We denote (xi,P
i) as a pair of private key and public key
for user i,wherei∈{A, B, C }indicating Alice, Bob, and Cindy, respectively. A
short designated verifier proxy signature scheme (SDVPS) consists of following
six essential algorithms:
–ParamGen: It takes as input the system security parameter and outputs
the system parameters.
–KeyGen: It takes as input the security parameter and outputs the key set:
(xi,P
i)fori=A, B, C .
–ProxyKeyGen: A deterministic algorithm that takes as input the original
signer’s secret key, the proxy signer’s secret key, the identity of the proxy
signer and the warrant mwto generate the proxykey.Thatisproxykey ←
ProxyKeyGen(xA,x
B,ID
B,m
w).where xA,x
Bis the secret key of the origi-
nal signer and the proxy signer, IDBis the identity of the proxy signer.
–Sign: A deterministic algorithm that takes as input the proxykey, the desig-
nated verifier’s public key and a message mto generate a signature σ.That
is σ←Sign(proxykey,ID
B,P
C,m),where proxykey is generated by the above
ProxyKeyGen algorithm, IDBis the identity of the proxy signer and PCis
the public key of the receiver(the designated verifier).
–Verify: A deterministic algorithm that accepts a message m, a signature σ,the
original signer’s public key PA, the proxy signer’s public key PB, the proxy
signer’s identity and the receiver’s secret key xcand returns True if the signa-
ture is correct, or ⊥otherwise. That is, {True,⊥} ← Verify(PA,P
B,ID
B,x
C,
m, σ).
–Transcript Simulation: An algorithm that is run by the verifier to produce
identically distributed transcripts that are indistinguishable from the original
protocol.
In addition to the above main algorithms, we also require the following.
– Correctness. All signatures generated correctly by Sign algorithm must
always pass the verification algorithm. That is,
Pr(True ←Verify(PA,P
B,ID
B,x
C,m,Sign(proxykey,ID
B,P
C,m),m
w))
=1.
– Transcript Simulation Generation. We require that the verifier, who
holds the secret key xCcan always produce identically distributed tran-
scripts that are indistinguishable from the original protocol via the Transcript
Simulation algorithm.
Short Designated Verifier Proxy Signature from Pairings 839
3.2 Security Model
There are three types adversaries in the system:
1. Type I: This type adversary only has the public keys of Alice and Bob.
2. Type II: This type of adversary has the public keys of Alice and Bob, her/he
also has the secret key of Bob (the proxy signer).
3. Type III: This type of adversary has the public keys of Alice and Bob,
her/he also has the secret key of Alice (the original signer).
We can find that if our short proxy signature scheme is unforgeable against
Type II (or Type III) adversary, our scheme is also unforgeable against Type I
adversary.
Formal Security Notion: Unforgeability of the SDVPS
We provide a formal definition of existential unforgeability of a short designated
verifier proxy signature scheme (SDVPS) under a chosen message attack(EF-
CMA-adversary). It is defined using the following game between an adversary A
and a challenger C.
–Setup:Cruns the algorithm to generate the public keys (PA,P
Band PC)of
the original signer A,proxysignerBand the designated verifier C.Calso
generates the identity IDBof the proxy signer.
–Sign Queries:Acan request a proxy signature on a message mwith the orig-
inal signer A, the proxy signer Band the designated verifier C. In response,
Coutputs a signature σfor a message m.
–Verify Queries:Acan request a signature verification on a pair (m, σ)with
the original signer A, the proxy signer Band the designated verifier C.In
response, Coutputs True if it is correct, or ⊥otherwise.
–Output: Finally, Aoutputs a new pair (m∗,σ
∗), where m∗has never been
queried during the Sign Queries and σ∗is a valid signature for the original
signer A, the proxy signer Band the designated verifier C.
The success probability of an adversary to win the game is defined by
SuccEF−CMA
SDV PS,A().
Definition 4. We say that a short designated verifier proxy signature scheme
is existentially unforgeable under a chosen message attack if the probability of
success of any polynomially bounded adversary in the above game is negligible
for all the three types of adversaries. In other words, SuccEF −CMA
SDV PS,A()≤where
A∈{A
I,AII,AIII }and is negligible.
4 Our SDVPS Scheme
As assumed earlier, there are three participants in the system, namely Alice,
Bob and Cindy, who act as the original signer, the proxy signer and the receiver
(or the designated verifier), respectively. Our SDVPS consists of the following
algorithms.
840 X. Huang et al.
1. ParamGen: Taking as input the system security parameter , the algorithm
outputs {G1,GM,q,e,P}, including a cyclic additive group G1of order
q(q≥2), a multiplicative group GMof order q, a bilinear map e:G1×G1→
GMand a generator Pof G1. This algorithm also outputs two cryptographic
hash functions H0and H1where H0:{0,1}∗→G1and H1:{0,1}∗→ZZ∗
q.
2. KeyGen: Taking as input the system security parameter k, the algorithm
outputs three pairs of secret/public keys (xi,P
i=xiP), for i=A, B, C ,
which denote Alice, Bob, and Cindy, respectively.
3. ProxyKeyGen:
(a) Alice computes DAB =xAQB,whereQB=H0(IDB,P
B,m
w), IDBis
the identity of Bob, PBis the public key of Bob, and mwis the warrant.
Alice then sends (DAB ,m
w)toBob.
(b) Bob verifies whether e(DAB ,P)=e(QB,P
A)holds.
(c) Bob obtains the proxykey (xB,D
AB).
4. Sign: For a message m, Bob computes σ=H1(m, e(DAB +xBQB,P
C)) and
the designated verifier proxy signature on the message mis σ.
5. Verify: To check whether σis a valid signature of the message mand the war-
rant mw, Cindy uses her secret key xCto check: σ?
=H1(m, e(xCQB,P
A+
PB)) where QB=H0(IDB,P
B,m
w). If the above equation holds, Cindy
accepts the signature σ, otherwise rejects it.
Correctness:
H1(m, e(xCQB,P
A+PB)=H1(m, e(xCQB,x
AP+xBP))
=H1(m, e((xA+xB)QB,x
CP)) = H1(m, e(DAB +xBQB,P
C))
Tra n script Simulation:
Cindy can use her secret key to compute an arbitrary signature on a message
m∗as σ∗=H1(m∗,e(xCQB,P
A+PB)).
5 Security Analysis
In this section, we will firstly prove that the proposed scheme is a designated
verifier signature scheme. Then we prove that our SDVPS is secure against all
types of adversaries.
Theorem 1. The proposed scheme is a designated verifier signature scheme.
Proof: For any message m, Cindy can compute a valid signature by computing
σ=H1(m, e(xCQB,P
A+PB)).One can find that signature generatedlike this is
the same as the original one generated by the proxy signer Bob. Therefore, even
given Cindy’s secret key xC, no one can believe the signature is sent by Bob.
Theorem 2. IftheTypeIIAdversaryAII(the proxy signer Bob) can forge a
valid signature of the proposed scheme with success probability SuccEF−CMA
SDV PS, AII
after making qHqueries to the H1:{0,1}∗→ZZ∗
q(q≥2,whereis the system’s
security parameter), qSqueries to the signing algorithm and qVto the verifying
Short Designated Verifier Proxy Signature from Pairings 841
algorithm in polynomial time t, then there exists an algorithm Bwho can use
AII to solve an instance of the GBDH problem with probability: SuccGBDH
B≥
SuccEF−CMA
SDV PS,AII −qV
2−qH−qSin the same time t.
Proof: Our overall strategy for the proof is as follows. We shall define a sequence
Game0,Game1,Game2,Game3,Game4of attack games. Each game operates on
the same underlying probability space, in particular, the system’s parameter,
public keys of the original signer Alice, the proxy signer Bob, the receiver Cindy
and the values of the random oracle H. We will prove that if there exists AII
who can forge a valid signature of our SDVPS scheme, then there exists Bwho
can use AII to solve an instance of Gap Bilinear Diffle-Hellman problem. That
is given a random instance (P, aP, bP, cP ), Bcan use AII to obtain the value of
e(P, P )abc with the help of Decisional Bilinear Diffle-Hellman(DBDH) Oracle.
Bwill simulate all the oracles in the proof. In the simulation, Bwill maintain
a list which is called H-List to record the hash queries and the corresponding
values. We assume that AII is well-behaved in the sense that AII will never
repeat the same queries in the simulation.
–Game0.WeconsideraTypeIIEF-CMA adversary AII with the success
probability SuccEF−CMA
SDV PS, AII. The original signer, Alice, selects his secret key
xA∈ZZ∗
qand sets his public key as PA=xAP. The proxy signer Bob and
designated verifier Cindy also generate their own secret/public key pairs
(xB,P
B)and(xC,P
C). Bob also publishes his identity IDB.
The adversary AII,fedwith(PA,P
B,P
C)andxB, can query the hash oracle
H, the signing algorithm and the verify algorithm, and outputs (m∗,σ
∗),
such thatVerify(PA,P
B,ID
B,x
C,m
∗,σ
∗)=True.
Let qH,q
S,q
Vdenote the numbers of queries to the H, signing algorithm
and verifying algorithm. The requirement is that m∗cannot be queried to
the signing algorithm.
In any Gamei,wedenotebyForgeithe event Verify(PA,P
B,ID
B,x
C,m,σ)=
Tru e . By definition, we have Pr[Forge0]=SuccEF−CMA
SDV PS, AII .
–Game1. In this game, Bsets PA=aP ,QB=bP and PC=cP where
aP, bP, cP are the random instance of the Gap Bilinear Diffle-Hellman prob-
lem. Balso chooses b∈ZZ∗
qand sets PB=bP.ThenBreturns (PA,P
B,P
C,
QB,b
)toAII .Sincea, b, c, bare randomly chosen, therefore Pr[Forge1]=
Pr[Forge0]
–Game2. In this game, Bwill simulate the random oracle H.Thereisa
list H-List which maintains all the queries and answers consists of tuple
(mi,r
i,σ
i,coin
i). Here (mi,r
i) is the input of the Hand σiis the output of
H.coini=1ifri·e(−PC,Q
B)b=e(P, P )abc and coini=0otherwise.For
any query (mi,r
i) to the oracle H,Bsubmits (ri·e(−PC,Q
B)b,aP,bP,cP)
to the DBDH oracle and DBDH oracle will tell Bwhether ri·e(−PC,Q
B)b=
e(P, P )abc or not
1. If ri·e(−PC,Q
B)b=e(P, P )abc,Bsets coini= 1 and checks the H-List
(a) If there exists an item (mi,⊥,σ
i,1) in the H-List,Breturns σias
the answer.
842 X. Huang et al.
(b) Otherwise, Bchooses σi∈RZZ∗
qsuch that there is no item (·,·,σ
i,·)
in the H-List.Bthen adds (mi,r
i,σ
i,1) into the H-List and returns
σias the answer.
2. If ri·e(−PC,Q
B)b=e(P, P )abc,Bchooses σi∈RZZ∗
qsuch that there
is no item (·,·,σ
i,·)intheH-List.Bthen adds (mi,r
i,σ
i,0) into the
H-List and returns σias the answer.
In the random oracle model, this game is clearly identical to the previous
one. Hence Pr[Forge2]=Pr[Forge1].
–Game3. In this game, Bsimulates the signing algorithm. After receiving AII ’s
choice of the message mi,Bperforms:
1. If there is a triple (mi,r
i,σ
i,1) in the H-List,Boutputs σias the signature.
2. Else Bchooses σi∈RZZ∗
qsuch that there is no item (·,·,σ
i,·)intheH-List.
Then Badds (mi,⊥,σ
i,1) to the H-List and outputs σias the answer.
Then AII gets the value σias the signature of mi. Of course, this oracle
simulates the signature perfectly, so Pr[Forge3]=Pr[Forge2].
–Game4.In this game, Bsimulates the verifying algorithm. After receiving
AII’s request of (mi,σ
i), Bchecks :
1. If there is no item (·,·,σ
i,·)intheH-List,Brejects (mi,σ
i) as an invalid
signature.
2. Else, there is an item (·,·,σ
i,·)intheH−List:
(a) If this item has the form of (mi,⊥,σ
i,1) or (mi,r
i,σ
i,1), Bwill
accept it as a valid signature.
(b) Otherwise, Brejects it as an invalid signature.
This makes a difference only if (mi,σ
i) is a valid signature, while σiis
not queried from the oracle H. Since, His uniformly distributed, this case
happens with probability less than 1
2−qH−qS. Summing up for all verifying
queries, we get Pr[Forge3]−Pr[Forge4]≤qV
2−qH−qS.
After Game4terminates, AII outputs a valid signature (m∗,σ
∗) such that
Verify(PA,P
B,ID
B,x
C,m
∗,σ
∗)=True.
That is, there is an item (·,·,σ
∗,·)intheH-List. By the definition of the EF-
CMA adversary model, m∗can not be queried in the sign oracle, so σ∗is returned
as the hash value of A
IIsquery (m∗,r
∗). That is to say (m∗,r
∗,σ
∗,1) is in the
H-List and r∗·e(PC,−QB)b=e(P, P )abc.NotethatPC=cP, QB=bP and b
is randomly chosen by B,soBcan compute e(P, P )abc =r∗·e(bP, −cP )b.There-
fore, given aP, bP, cP ,Bsuccessfully solves an instance of the GBDH problem
with probability: SuccGBDH
B≥SuccEF−CMA
SDV PS,AII −qV
2−qH−qS.
Theorem 3. If the Type III Adversary AIII (that is the original signer Al-
ice) can forge a valid signature of the proposed scheme with success probability
SuccEF−CMA
SDV PS, AIII after making qHqueries to the H1:{0,1}∗→ZZ∗
q(q≥2,
is the system’s security parameter), qSqueries to the signing algorithm and
qVto the verifying algorithm in some polynomial time t, then there exists an
algorithm Bwho can use AIII to solve an instance of the GBDH problem with
probability: SuccGBDH
B≥SuccEF−CMA
SDV PS,AIII −qV
2−qH−qSinthesametimet.
Short Designated Verifier Proxy Signature from Pairings 843
Proof. The whole proof is almost the same as the above, except that Given
aP.bP, cP ,Bsends (PA=aP, PB=aP, QB=bP, PC=cP, a) to this Type III
adversary.
At last, AIII outputs a valid signature (m∗,σ
∗) such that Verify(m∗,σ
∗,P
A,
PB,Q
B,c)=True.Thatistosay(m∗,r
∗,σ
∗,1) is also in the H−Liast.Since
σ∗is a valid signature of the message m∗,thenr∗·e(PC,−QB)a=e(P, P )abc.
Note that PC=cP, QB=bP and ais randomly chosen by B,soBcan
compute e(P, P )abc =r∗·e(bP, −cP )a. Therefore, given aP, bP, cP ,Bsuccess-
fully solves an instance of the GBDH problem with probability: SuccGBDH
B≥
SuccEF−CMA
SDV PS,AIII −qV
2−qH−qS.
6Comparison
In this section, we compare the signature length of our short designated verifier
signature scheme (SDVPS) with Wang’s scheme in [12]. The signature of Wang’s
scheme is (rp,K,D,s)whererp,K,D ∈ZZpand s∈ZZq.Let|ZZp|denote the bit
length of the element in ZZpand |ZZq|denote the the bit length of the element in
ZZq, we have the following table.
Scheme Signature Length p: 1024; q: 160
Wang’s Scheme 3|ZZp|+|ZZq|3232 bits
Our Scheme |ZZq|160 bits
One can find that the signature length of our SDVPS scheme is dramatically
decreased, which is more applicable in the networks with limited bandwidth.
One can also find that the implementation of out scheme needs the bilinear
pairing,howtogetaSDVPS scheme without the need of pairing is an open
problem.
7Conclusion
We have presented a new designated verifier proxy signature scheme, which we
believe is the shortest among all the known designated verifier proxy signatures.
We prove that our scheme offers transcript simulation as a normal designated
signature. We also prove that our scheme is secure under random oracle model.
References
1. D. Chaum. Zero-knowledge undeniable signatures. In Advances in Cryptology,
Proc. EUROCRYPT 1991, LNCS 547, pages 458–464. Springer–Verlag, Berlin,
1991.
2. J. Z. Dai, X. H. Yang, and J. X. Dong. Designated-receiver proxy signature scheme
for electronic commerce. In Proc. of IEEE International Conference on Systems,
Man and Cybernetics, pages 384–389. IEEE Press, 2003.
844 X. Huang et al.
3. S. Galbraith and W. Mao. Invisibility and anonymity of undeniable and confirmer
signatures. In Proc. of CT-RSA 2003, LNCS 2612, pages 80–97. Springer–Verlag,
Berlin, 2003.
4. M. Jakobsson, K.Sako, and R. Impagliazzo. Designated verifier proofs and their
applications. In Advances in Cryptology, Proc. EUROCRYPT 1996, LNCS 1070,
pages 143–154. Springer–Verlag, Berlin, 1996.
5. F. Laguillaumie and D. Vergnaud. Designated verifiers signature: Anonymity and
efficient construction from any bilinear map. In Fourth Conference on Security in
Communication Networks ’04 (SCN 2004), LNCS 3352, pages 107–121. Springer–
Verlag, Berlin, 2004.
6. B. Libert and J.-J. Quisquater. Identity based undeniable signatures. In Proc. of
CT-RSA 2004, LNCS 2964, pages 112–125. Springer–Verlag, Berlin, 2004.
7. M. Mambo, K. Usuda, and E. Okamoto. Proxy signatures for delegating signing
operation. In Proc. of the Third ACM Conf. on Computer and Communications
Security, pages 48–57, 1996.
8. S. Saeednia, S. Kramer, and O. Markovitch. An efficient strong designated verifier
signature scheme. In The 6th International Conference on Information Security
and Cryptology (ICISC 2003), LNCS 2971, pages 40–54. Springer–Verlag, Berlin,
2003.
9. R. Steinfeld, H. W. L. Bull, and J. Pieprzyk. Universal designated-verifier signa-
tures. In Advances in Cryptology–ASIACRYPT 2003, LNCS 2893, pages 523–543.
Springer–Verlag, Berlin, 2003.
10. R. Steinfeld, H. W. L. Bull, and J. Pieprzyk. Efficient extension of standard
schnorr/rsa signatures into universal designated-verifier signatures. In Public Key
Cryptography, Proc. PKC 2004, LNCS 2947, pages 86–100. Springer–Verlag, Berlin,
2004.
11. W. Susilo, F. Zhang, and Y. Mu. Identity-based strong designated verifier signature
schemes. In Proceedings of the Information Security and Privacy, 9th Australasian
Conference (ACISP 2004), LNCS 3108, pages 313–324. Springer–Verlag, Berlin,
2004.
12. G. Wang. Designated-verifier proxy signatures for e-commerce. In the IEEE 2004
International Conference on Multimedia and Expo (ICME 2004), pages 1731–1734.
IEEE Press, 2004.
13. H. Wang and J. Pieprzyk. Efficient one-time proxy signature. In Advances in
Cryptology–Aisacrypt 2003, LNCS 2894, pages 507–522. Springer–Verlag, Berlin,
2003.
14. F. Zhang and K. Kim. Id-based blind signature and proxy signature from bilinear
pairings. In In: Information Security and Privacy (ACISP 2003), LNCS 2727,
pages 312–323. Springer–Verlag, Berlin, 2003.
15. K. Zhang. Threshold proxy signature schemes. In In Proc. Information Security
(ISW 1997), LNCS 1396, pages 282–290. Springer–Verlag, Berlin, 1997.