Academic Editor: Antanas Cenys
Received: 16 January 2025
Revised: 19 February 2025
Accepted: 20 February 2025
Published: 25 February 2025
Citation: Yang, Y.; Zhou, X.; Su, B.; Wu, W. Efficient Identity-Based Universal Designated Verifier Signature Proof Systems. Mathematics 2025, 13, 743. https://doi.org/10.3390/math13050743
Copyright: © 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Article
Efficient Identity-Based Universal Designated Verifier Signature Proof Systems
Yifan Yang 1, Xiaotong Zhou 2, Binting Su 3,* and Wei Wu 4
1 College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350117, China; 121152022009@student.fjnu.edu.cn
2 School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China; xtzhou163@163.com
3 Network and Data Center, Fujian Normal University, Fuzhou 350117, China
4 College of Education Sciences, Hong Kong University of Science and Technology (Guangzhou), Guangzhou 511455, China; weiwu@fjnu.edu.cn
* Correspondence: bintingsu@fjnu.edu.cn
Abstract: The implementation of universal designated verifier signature proofs (UDVSPs)
enhances data privacy and security in various digital communication systems. However,
practical applications of UDVSP face challenges such as high computational overhead,
onerous certificate management, and complex public key initialization. These issues hinder
UDVSP adoption in daily life. To address these limitations, existing solutions attempt
to eliminate bilinear pairing operations, but their proposal still involves cumbersome
certificate management and inherent interactive operations that can sometimes significantly
degrade system efficiency. In this paper, we first utilize the identity-based (ID-based) SM2
digital signature scheme to construct an ID-based UDVSP system which sidesteps the
cumbersome certificate management issue. To further remove the interactive requirement,
we also employ the OR proof and Fiat–Shamir technologies to design the other ID-based
UDVSP system. Our designs not only possess the same bilinear pairing-free advantage as
Lin et al.’s proposal, but also achieve the certificate-free or non-interactive goals. Security
proofs and performance analysis confirm the viability and efficiency of our systems.
Keywords: UDVSP; ID-based SM2 digital signature; non-interactive proof; certificate
management
MSC: 94A60
1. Introduction
In modern society, with the widespread application of digital signatures, protecting
the privacy of signers has become a major concern for researchers. To address this issue,
universal designated verifier signatures (UDVSs) were proposed by Steinfeld et al. in
Asiacrypt 2003 [1]. UDVSs ensure that the designated verifier has the ability to verify digital
signatures, while preventing the verifier from conveying the reliability of the signature to
anyone else. This characteristic makes it suitable for scenarios where only a few specifically
designated verifiers are required for signature verification. As an illustration, in the
realm of e-government, government departments can utilize UDVSs to provide a proof of
confidential information to relevant staff members as required for their work. However,
these personnel are unable to convince third parties of the authenticity of this confidential
information. This mechanism is critical to prevent malicious dissemination of confidential
information. There are numerous such application scenarios, including electronic voting
systems, electronic medical records, and electronic income certificates.
Universal designated verifier signature proof (UDVSP), as an enhanced variant of
UDVS, eliminates the requirement for designated verifiers to generate their public/private
key pairs using parameters that are predefined by signers. However, UDVSP systems
still encounter several inherent limitations, including the need for complex public key
certificate management, computationally intensive bilinear pairing operations, and the
inherent constraints of interactive protocols. While Lin et al. [2] proposed a UDVSP scheme
that eliminates the need for bilinear pairings, their solution still grapples with the persistent
challenges of cumbersome certificate management and the limitations imposed by
interactive protocols.
Driven by the problem of the UDVSP schemes mentioned above, we would like to obtain ID-based UDVSP systems to resolve these issues. In this paper, we construct ID-based UDVSP systems that are engineered to simultaneously resolve the four aforementioned issues. Firstly, using the ID-based SM2 digital signature scheme, we build the ID-based UDVSP system, which avoids the complex issue of certificate management. To further dispense with the need for interactivity, we make use of the OR proof and Fiat–Shamir methodologies to design an alternative ID-based UDVSP system. These schemes possess not only the same bilinear pairing-free advantage as the proposal by Lin et al. [2], but also attain the certificate-free or non-interactive objective. Moreover, we carry out an analysis of the security and performance aspects of the two schemes.
The remainder of this paper is organized as follows. Some related work is introduced in Section 2. Some methodologies are introduced in Section 3. Section 4 provides our interactive ID-based UDVSP system along with its security analysis. In Section 5, our non-interactive ID-based UDVSP system and its corresponding security analysis are detailed. Section 6 is dedicated to conducting a performance analysis of the two schemes. Finally, Section 7 contains the conclusions.
2. Related Work
To protect the signer’s privacy and prevent signatures from being verified by unauthorized third parties, the undeniable signature scheme was proposed by Chaum and Antwerpen in 1990 [3]. In this scheme, the verifier must collaborate with the signer to verify the signature, which is equivalent to the signer having the power to decide who can verify the signature. However, the undeniable signature scheme is limited by the requirement of reciprocal communication, which poses a significant drawback.
In order to avoid interactive communication between signer and verifier, in 1996, Jakobsson et al. [4] introduced the designated verifier signature (DVS) schemes. In the DVS scheme, the signer generates the DVS by incorporating the public key of the designated verifier. This eliminates the need for the signer to assist in the verification process. The designated verifier is not only able to validate the DVS but can also generate an indistinguishable DVS using the same private key. This latter property, known as transcript simulation, ensures that the verifier cannot convince a third party by transferring the proof, thereby achieving the same objective as the undeniable signature scheme.
Subsequently, Steinfeld et al. [1] proposed UDVS in 2003, which is regarded as an extended variant of DVS. Unlike DVS, in the UDVS scheme, the signer and the signature holder can be different individuals. This means that anyone in possession of an ordinary signature (not limited to the original signer) can convert the signature into a designated one for a specific verifier.
Nevertheless, in Asiacrypt 2005, Baek et al. [5] indicated that in this UDVS scheme, the designated verifier is required to create a public/private key pair by using the parameters set by the signer. This is impractical in certain scenarios. In certificate-based (CA-based) public key systems, regenerating public/private key pairs entails cumbersome public key certificate management and results in significant computational overhead. Even in certificateless systems where the overhead of regenerating key pairs is relatively smaller, it still places an additional burden on the verifier. If the verifier has already generated public/private key pairs with public key parameters different from those set by the signer, it is unlikely that they will generate another key pair just for verifying a signature. Baek et al. [5] proposed the universal designated verifier signature proof (UDVSP) to circumvent the issue of key initialization by the verifier. In contrast to UDVS, UDVSP employs an interactive protocol with the designated verifier to demonstrate the validity of a signature. Therefore, the verifier’s key pairs play no role in this particular proof, which eliminates the need for the verifier to reinitialize a key.
Interestingly, with the introduction of the UDVSP, a new issue has emerged. The application
of the interactive protocol in UDVSP can sometimes lead to a substantial decrease in
the efficiency of the system. Specifically, interactive proofs necessitate that both parties be
online concurrently. If either party is offline or in a network environment with high latency,
it will incur additional time spent waiting and more communication overhead due to the
need to resend messages.
Beyond the problem of interactive proofs, the onerous management of public key certificates is also an issue of widespread concern. The UDVS/UDVSP schemes of Steinfeld et al. [1,5,6] are all constructed under CA-based systems. To be more specific, these schemes involve cumbersome certificate processes, including application, issuance, query, and revocation. As a direct consequence, this gives rise to a significant amount of overhead. In contrast, ID-based systems [7] streamline the key management process while ensuring a moderate level of security. This makes them a favorable substitute for CA-based systems. In light of this, Zhang et al. [8] constructed an ID-based UDVS in 2005. Subsequently, Chen et al. [9] introduced an ID-based UDVSP in 2008. These schemes allow UDVS and UDVSP to avoid the complex certificate management process.
In addition to the above-mentioned issues, the substantial computation cost associated with UDVS/UDVSP is also not something that can be overlooked. As Lin et al. [2] point out, existing UDVSP schemes [5,9] involve time-consuming bilinear pairing operations (one bilinear pairing operation on a mobile terminal takes about 32 ms, which is approximately 9 times the time demanded by an elliptic curve multiplication operation [10]). In order to reduce the computational overhead of UDVSP, Lin et al. [2] designed a UDVSP scheme based on the Chinese cryptographic SM2 algorithm. This scheme eschews bilinear pairing operations and instead makes use of operations on elliptic curves. This approach enhances the computational efficiency of the scheme. However, it is still constructed under CA-based public key systems. Moreover, it is encumbered with the intricacies and challenges inherent to the interactive protocol.
3. Methodology
3.1. Symbols and Definitions
Table 1 lists the symbols and definitions involved.
3.2. The ID-Based Digital Signature Based on SM2
The SM2 digital signature algorithm is a component of elliptic curve-based key cryptography
algorithms. This algorithm was released by the Chinese National Cryptography
Administration (see “SM2 Public Key Cryptographic Algorithms Based on Elliptic Curves”,
China’s State Cryptography Administration, December 2010 [11]).
Table 1. Symbols and definitions.

| Symbol | Definition |
|---|---|
| $ID_a$ | User’s identity. |
| $ENTL_A$ | Two bytes converted from the bit length of $ID_a$. |
| $q$ | A large prime number. |
| $F_q$ | A finite field consisting of $q$ elements. |
| $a, b$ | Elements in $F_q$ that define an elliptic curve $E$ over $F_q$. |
| $E(F_q)$ | The collection of all rational points on the elliptic curve $E$ over $F_q$ (where the point at infinity $O$ is also included). |
| $O$ | A special point on the elliptic curve, referred to as the point at infinity or zero point. |
| $G$ | The cyclic group containing every point on the elliptic curve $E$ along with the point at infinity. |
| $P$ | The generator of the group $G$. |
| $n$ | The order of the generator $P$ (where $n$ is a prime factor of $\#E(F_q)$). |
| $H(\cdot), H_o(\cdot), H_n(\cdot), H_v(\cdot)$ | A secure cryptographic hash function. |

The ID-based digital signature based on SM2 [12] is an improved algorithm derived from the SM2 digital signature. Compared with the SM2 digital signature, the ID-based digital signature based on SM2 utilizes identity information to create the user’s private key. Its application and management do not revolve around digital certificates. Consequently, this obviates the necessity of managing and maintaining public key certificates and circumvents time-consuming procedures. The ID-based digital signature based on SM2 consists of four steps: setup, extract, sign, and verify. The process of the scheme is as shown in Figure 1.
(1) Setup: With the security parameter $\lambda$ provided, the key generation center (KGC) randomly selects a large prime number $q$ and determines a non-singular elliptic curve $E: y^2 = x^3 + ax + b \bmod q$ (where $a, b \in \mathbb{Z}_q^*$). From all the points on $E$ (including the point at infinity), select a cyclic group $G$ of prime order $n$ and a generator $P \in G$. Choose three secure hash functions $H: \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_n^*$, $H_v: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^v$, and $H_o: \{0,1\}^* \to \{0,1\}^{256}$. Randomly select $x \in \mathbb{Z}_n^*$ and generate the partial system public key $P_{pub} = xP$. The algorithm outputs the system public key $mpk = (E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ and the master private key $msk = x$.
(2) Extract: Given $mpk$, $msk$, and user information $ID_a$, the KGC randomly selects $l \in \mathbb{Z}_n^*$ and computes the partial user private key $L = lP$, and the intermediate variable $h = H(ID_a \| L)$. The partial user private key $d$ is calculated as $d = l + xh \bmod n$. The algorithm gives out the user’s private key $sk = (L, d)$.
(3) Sign: Given $mpk$, $sk = (L, d)$, and the message $m$, the signer computes the user’s distinguishable identifier $Z_a = H_o(ENTL_A \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$ and its hash value $e = H_v(Z_a \| m)$, where $ENTL_A$ is the bit length of $ID_a$, and $(x_p, y_p)$ and $(x_L, y_L)$ are the coordinates of $Pr$ and $L$, respectively. Select a random number $k \in \mathbb{Z}_n^*$, and then compute the elliptic curve point $K = kP = (x_K, y_K)$ and the partial signature $r = (e + x_K) \bmod n$. If $r = 0$ or $r + k = n$, select a new $k$ and repeat the calculations. Otherwise, compute the partial signature $s = (1 + d)^{-1}(k - rd) \bmod n$. If $s \neq 0$, the algorithm outputs the message–signature pair $m$ and $\sigma = (L, r, s)$.
(4) Verify: Given $mpk$, $ID_a$, $m$, and the signature to be verified $\sigma = (L, r, s)$. If $r, s \notin \mathbb{Z}_n^*$, the verifier outputs 0. Otherwise, the verifier computes $t = r + s \bmod n$. If $t = 0$, the verifier outputs 0. If $t \neq 0$, the following series of computations are carried out. First, compute $Z_a = H_o(ENTL_A \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$. Then, calculate $h' = H(ID_a \| L)$. Next, determine $e' = H_v(Z_a \| m)$. After that, obtain $K' = sP + t(L + h'P_{pub}) = (x'_K, y'_K)$. Finally, calculate $r' = (e' + x'_K) \bmod n$. If $r' = r$, the algorithm outputs 1 to denote the validity of the signature; otherwise, it outputs 0 to denote the invalidity of the signature.
Figure 1. The process of ID-based digital signature based on SM2.
The ID-based digital signature algorithm based on SM2 satisfies correctness and
existential unforgeability under adaptively chosen message attacks (EUF-CMA) [13].
3.3. Zero-Knowledge Proof, Σ-Protocol with Its OR Construction
Suppose the interactive protocol $\Pi$ consists of two entities, a prover $Pr$ and a verifier $Vr$. $Pr$ can convince $Vr$ about the binary relation $R = (x, w) : \{0,1\}^* \times \{0,1\}^*$ (where $x$ and $w$ refer to the instance and the witness, respectively). If the protocol $\Pi$ meets the requirements of completeness and soundness, it is called a proof of knowledge system. Additionally, if $\Pi$ further satisfies honest verifier zero-knowledge (HVZK), then it is known as an interactive honest verifier zero-knowledge proof system [14,15].
The $\Sigma$-protocol is an interactive three-move zero-knowledge proof system. Assume $Pr$ and $Vr$ execute the OR proof [16] and obtain the result $(a_0, a_1, c, c_0, c_1, z_0, z_1)$. Here $Pr$ chooses a challenge $c_{1-b}$, where $b = 0$ or $1$. Another challenge $c_b = c \oplus c_{1-b}$ is determined by $Vr$’s random challenge $c$. The commitment and response $(a_0, a_1, z_0, z_1)$ are generated by $Pr$ using the private witness $w$ based on $c_0, c_1$. The completeness of the $\Sigma$-protocol means that if there exists a valid function $\phi(a_0, a_1, c, c_0, c_1, z_0, z_1) = 1$, then $Vr$ accepts $(a_0, a_1, c, c_0, c_1, z_0, z_1)$. Special soundness means that given two valid tuples $(a, c, z)$ and $(a, c', z')$ with $c \neq c'$, one can recover $Pr$’s witness $w$. Special HVZK means that given $Vr$’s random challenge $c$, there is a probabilistic polynomial-time (PPT) simulator $SI$ that can interact with $Vr$ to output a valid tuple $(a_0, a_1, c, c_0, c_1, z_0, z_1)$. Assume the real interaction between $Pr$ and $Vr$ outputs $(a_0, a_1, c', c'_0, c'_1, z'_0, z'_1)$, then $(a_0, a_1, c, c_0, c_1, z_0, z_1)$ and $(a_0, a_1, c', c'_0, c'_1, z'_0, z'_1)$ are indistinguishable.
The OR proof [16] is a fundamental construction of the $\Sigma$-protocol. It allows $Pr$ to prove that for two computational problems $x_0$ and $x_1$, $Pr$ knows the witness $w$ for one of the problems, such that either $(x_0, w) \in R$ or $(x_1, w) \in R$, without disclosing which one.
The last property of the OR proof is known as witness indistinguishable (WI). This property sets it apart from other $\Sigma$-protocols. To elaborate, $Pr$ might be aware of which one in several distinct values of $w$ would enable them to successfully complete the protocol. However, for arbitrary $Vr$, it is impossible to determine which of these possible values the $Pr$ actually knows merely from the conversations.
The $\Sigma$-protocol is capable of being changed into a non-interactive instance through the utilization of the Fiat–Shamir heuristic [17]. However, using the normal $\Sigma$-protocol to construct a non-interactive scheme will undermine the non-transferable privacy property of the UDVS. Therefore, we utilize the OR proof to construct our scheme, leveraging the WI property of the OR proof. In the non-interactive form of the OR proof, $Pr$ computes $(a_0, a_1)$ and $c_{1-b}$, and then directly calls $c = H(x, a)$ to obtain the challenge value $c$ and determine $c_b$. Using the private witness $w$, $Pr$ then computes $(z_0, z_1)$ and finally sends $(a_0, a_1, c, c_0, c_1, z_0, z_1)$ to $Vr$. The non-interactive protocol obtained through the Fiat–Shamir transformation still satisfies the properties of interactive form [17].
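The following Python sketch is an added illustration, not code from the paper, of the Fiat–Shamir OR proof just described with $c_b = c \oplus c_{1-b}$. It goes beyond the page by instantiating both statements as discrete logarithms in a constructed safe-prime group instead of over the SM2 curve (an assumption, as are all function names), and it shows why the transcript is non-transferable: the designated verifier, knowing only its own key, produces a proof that verifies exactly like the holder's.

```python
import hashlib, secrets

def is_prime(m, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (adequate for building a demo group)."""
    if m < 2:
        return False
    for sp in bases:
        if m % sp == 0:
            return m == sp
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for base in bases:
        y = pow(base, d, m)
        if y in (1, m - 1):
            continue
        for _ in range(s - 1):
            y = y * y % m
            if y == m - 1:
                break
        else:
            return False
    return True

# Constructed demo group: first safe prime p = 2q + 1 with q > 2^127; g = 4 has order q.
q = 2**127 + 1
while not (is_prime(q) and is_prime(2 * q + 1)):
    q += 2
p, g, T = 2 * q + 1, 4, 120     # T = challenge length in bits, 2^T < q

def challenge(y, a0, a1):
    """Fiat-Shamir: c = H(x, a), truncated to T bits."""
    data = ",".join(map(str, (p, g, y[0], y[1], a0, a1))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - T)

def prove(b, w, y):
    """OR proof that the prover knows w with y[b] = g^w mod p; b stays hidden."""
    a, c, z = [0, 0], [0, 0], [0, 0]
    j = 1 - b
    # Branch 1-b is simulated: pick c_{1-b} and z_{1-b} first, then solve for a_{1-b}.
    c[j], z[j] = secrets.randbits(T), secrets.randbelow(q)
    a[j] = pow(g, z[j], p) * pow(y[j], -c[j], p) % p
    # Branch b is honest: commit, derive c_b = c XOR c_{1-b}, respond with w.
    k = secrets.randbelow(q)
    a[b] = pow(g, k, p)
    c[b] = challenge(y, a[0], a[1]) ^ c[j]
    z[b] = (k + c[b] * w) % q
    return (a[0], a[1], c[0], c[1], z[0], z[1])

def verify(y, proof):
    """Accept iff the challenges split correctly and both branch equations hold."""
    a0, a1, c0, c1, z0, z1 = proof
    if not (0 <= c0 < 2**T and 0 <= c1 < 2**T):
        return False
    if (c0 ^ c1) != challenge(y, a0, a1):
        return False
    return (pow(g, z0, p) == a0 * pow(y[0], c0, p) % p and
            pow(g, z1, p) == a1 * pow(y[1], c1, p) % p)

def demo():
    w0 = secrets.randbelow(q - 1) + 1       # holder's witness (stand-in for a signature)
    sk_v = secrets.randbelow(q - 1) + 1     # designated verifier's private key
    y = (pow(g, w0, p), pow(g, sk_v, p))    # public instances (x0, x1)
    from_holder = prove(0, w0, y)           # what Pr sends to Vr
    from_verifier = prove(1, sk_v, y)       # what Vr can fabricate alone with sk_v
    return verify(y, from_holder), verify(y, from_verifier)
```

Both proofs pass the same check, so a third party shown either transcript cannot tell whether it came from the signature holder or from the designated verifier.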
4. Interactive ID-Based UDVSP Based on SM2 Digital Signature
4.1. The Proposed System
The interactive ID-based UDVSP scheme is constructed from ID-based SM2 signatures and the $\Sigma$-protocol. Specifically, it is formed by five algorithms and one protocol. The process of the scheme is as shown in Figure 2.
• Setup: Provided the security parameter $\lambda$, the KGC randomly picks a large prime number $q$ and determines a non-singular elliptic curve $E: y^2 = x^3 + ax + b \bmod q$ (where $a, b \in \mathbb{Z}_q^*$). Among all the points on $E$ (including the point at infinity), a cyclic group $G$ of prime order $n$ and a generator $P \in G$ are selected. Secure hash functions are chosen as follows: $H: \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_n^*$, $H_v: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^v$, and $H_o: \{0,1\}^* \to \{0,1\}^{256}$. Here, $H_v(\cdot)$ and $H_o(\cdot)$ are secure cryptographic hash functions. A random $x \in \mathbb{Z}_q^*$ is selected, and the partial system public key is computed as $P_{pub} = xP$. The algorithm outputs the system public key $mpk = (E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ and the master private key $msk = x$. This invention is based on the SM2 digital identity signature design, so it uses the same system parameters as the identity-based SM2 digital signature. For specific parameter symbols and definitions, refer to the detailed implementation in Section 3.1 (Symbols and Definitions).
• Extract: Given the system’s master public key $mpk$, master private key $msk$, and user information $ID_a$, the KGC randomly selects $l \in \mathbb{Z}_n^*$, computes the partial user private key $L = lP$, and the intermediate variable $h = H(ID_a \| L)$. The partial user private key $d$ is calculated as $d = l + xh \bmod n$. The user’s private key $sk = (L, d)$ is output.
• Sign: Given the system’s master public key $mpk$, the user’s private key $sk = (L, d)$, and the message $m$, the signer computes the user’s distinguishable identifier $Z_a = H_o(ENTL_A \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$ and the hash value $e = H_v(Z_a \| m)$, where $ENTL_A$ is the bit length of $ID_a$, and $(x_p, y_p)$ and $(x_L, y_L)$ are the coordinates of $Pr$ and $L$, respectively. A random $k \in \mathbb{Z}_n^*$ is selected, then the elliptic curve point $K = kP = (x_K, y_K)$ and the partial signature $r = (e + x_K) \bmod n$ are computed. If $r = 0$ or $r + k = n$, a new $k$ is selected and the calculations are repeated. Otherwise, the partial signature $s = (1 + d)^{-1}(k - rd) \bmod n$ is computed. If $s \neq 0$, the algorithm outputs the message $m$ and the signature $\sigma = (L, r, s)$.
• Verify: Given the system’s master public key $mpk$, user information $ID_a$, message $m$, and the signature to be verified $\sigma = (L, r, s)$, if $r, s \notin \mathbb{Z}_n^*$, the verifier (which may be the signature holder or others) outputs 0. Otherwise, it computes $t = r + s \bmod n$. If $t = 0$, the verifier outputs 0. Otherwise, it computes $Z_a = H_o(ENTL_A \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$, $h' = H(ID_a \| L)$, $e' = H_v(Z_a \| m)$, $K' = sP + t(L + h'P_{pub}) = (x'_K, y'_K)$, and $r' = (e' + x'_K) \bmod n$. If $r' = r$, the algorithm outputs 1 to denote the validity of the signature; in contrast, it outputs 0 to denote the invalidity of the signature.
• Tran: Given the system public key $mpk$, user information $ID_a$, message $m$, and the signature to be verified $\sigma = (L, r, s)$, the signature holder randomly selects $a_r, b_r \in \mathbb{Z}_n^*$ and computes $Z_a = H_o(ENTL_A \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$, $e = H_v(Z_a \| m)$, $\hat{r} = r + a_r - e \bmod n$, $\hat{s} = s + b_r \bmod n$. The algorithm outputs the transformed signature $\hat{\sigma} = (L, \hat{r}, \hat{s})$ and the transformation key $tk = (a_r, b_r)$.
• IVerf: Provided the system public key $mpk$, user information $ID_a$, and the transformed signature $\hat{\sigma}$, the signature owner $Pr$ additionally takes the transformation key $tk$ and the signature $\sigma$ as input. The signature owner $Pr$ and the designated verifier $Vr$ perform the following interaction:
1. $Pr$ first computes $h = H(ID_a \| L)$, $T = hP_{pub}$, $K = sP + (r + s)(L + T)$. Then, $Pr$ randomly selects $\alpha, \beta \in \mathbb{Z}_n^*$ and $R \in G$, and computes the commitment value $D = R + \beta P + \alpha(L + hP_{pub}) + \beta(L + hP_{pub})$. Finally, $Pr$ sends $D$ to $Vr$.
2. $Vr$ randomly selects a challenge value $c \in \mathbb{Z}_n^*$ and returns $c$ to $Pr$.
3. $Pr$ calculates the response to the challenge $Z_K = R - cK$, $z_a = \alpha - c \cdot a_r \bmod n$, $z_b = \beta - c \cdot b_r \bmod n$, and sends $(Z_K, z_a, z_b)$ to $Vr$.
4. $Vr$ calculates $e' = H_v(Z_a \| m)$, $h' = H(ID_a \| L)$, $T = (L + h'P_{pub})$, and $D' = Z_K + z_b P + z_a T + z_b T + c(\hat{s}P + \hat{r}T + e'T + \hat{s}T)$. If $D' = D$, $Vr$ outputs 1, indicating acceptance; otherwise, $Vr$ outputs 0.
Figure 2. The process of interactive ID-based UDVSP based on SM2 digital signature.
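The following Python sketch is an added example, not code from the paper. It runs Extract, Sign and Verify (as in Sections 3.2 and 4.1), then Tran and the four IVerf moves on the SM2 recommended curve, and confirms that an honest holder's transcript satisfies $D' = D$. Assumptions: SHA-256 stands in for $H$, $H_v$ and $H_o$, $(x_p, y_p)$ is taken to be the coordinates of the generator $P$, and all function names are illustrative.

```python
import hashlib, secrets

# SM2 recommended curve: field prime q, coefficients a and b, group order n, generator P.
q = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a = q - 3
b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
P = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(A, B):
    """Affine point addition; None stands for the point at infinity O."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % q == 0: return None
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, -1, q) if A == B
           else (y2 - y1) * pow((x2 - x1) % q, -1, q)) % q
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)

def mul(k, A):
    """Double-and-add kA with k reduced mod n (not constant time; illustration only)."""
    R, k = None, k % n
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def rand():                       # uniform element of Z_n^*
    return secrets.randbelow(n - 1) + 1
def enc(*ints):                   # fixed-width big-endian encoding used for "||"
    return b"".join(v.to_bytes(32, "big") for v in ints)
def h_id(ID, L):                  # H(ID_a || L) -> Z_n^*, SHA-256 stand-in (assumption)
    return int.from_bytes(hashlib.sha256(ID + enc(*L)).digest(), "big") % (n - 1) + 1

def e_of(ID, L, m):               # e = Hv(Za || m), Za = Ho(ENTLA || ID || a || b || P || L)
    entla = (8 * len(ID)).to_bytes(2, "big")
    za = hashlib.sha256(entla + ID + enc(a, b, *P, *L)).digest()
    return int.from_bytes(hashlib.sha256(za + m).digest(), "big")

def pub(Ppub, ID, L):             # L + h*Ppub, which equals dP for the extracted d
    return add(L, mul(h_id(ID, L), Ppub))

def extract(x, ID):               # KGC side: sk = (L, d) with d = l + x*h mod n
    l = rand()
    L = mul(l, P)
    return L, (l + x * h_id(ID, L)) % n

def sign(ID, sk, m):
    L, d = sk
    e = e_of(ID, L, m)
    while True:
        k = rand()
        r = (e + mul(k, P)[0]) % n
        if r == 0 or r + k == n: continue
        s = pow(1 + d, -1, n) * (k - r * d) % n
        if s != 0: return (L, r, s)

def verify(Ppub, ID, m, sig):
    L, r, s = sig
    t = (r + s) % n
    if not (0 < r < n and 0 < s < n) or t == 0: return False
    K = add(mul(s, P), mul(t, pub(Ppub, ID, L)))
    return K is not None and (e_of(ID, L, m) + K[0]) % n == r

def tran(ID, m, sig):             # blind (r, s) with the transformation key (ar, br)
    L, r, s = sig
    ar, br = rand(), rand()
    return (L, (r + ar - e_of(ID, L, m)) % n, (s + br) % n), (ar, br)

def commit(Ppub, ID, sig):        # IVerf step 1 (signature holder)
    L, r, s = sig
    T = pub(Ppub, ID, L)
    K = add(mul(s, P), mul(r + s, T))
    alpha, beta, R = rand(), rand(), mul(rand(), P)
    D = add(R, add(mul(beta, P), mul(alpha + beta, T)))
    return D, (R, alpha, beta, K)

def respond(state, tk, c):        # IVerf step 3 (signature holder)
    R, alpha, beta, K = state
    return add(R, mul(-c, K)), (alpha - c * tk[0]) % n, (beta - c * tk[1]) % n

def check(Ppub, ID, m, sig_hat, D, c, resp):   # IVerf step 4 (designated verifier)
    (L, r_hat, s_hat), (ZK, za, zb) = sig_hat, resp
    T = pub(Ppub, ID, L)
    inner = add(mul(s_hat, P), mul(r_hat + e_of(ID, L, m) + s_hat, T))
    return add(ZK, add(mul(zb, P), add(mul(za + zb, T), mul(c, inner)))) == D

def demo(ID=b"alice@example.org", m=b"constructed sample message"):
    x = rand()                    # msk
    Ppub = mul(x, P)
    sig = sign(ID, extract(x, ID), m)
    sig_hat, tk = tran(ID, m, sig)
    D, state = commit(Ppub, ID, sig)
    c = rand()                    # IVerf step 2: verifier's challenge
    resp = respond(state, tk, c)
    return verify(Ppub, ID, m, sig), check(Ppub, ID, m, sig_hat, D, c, resp)
```

The designated verifier only ever sees $(L, \hat{r}, \hat{s})$, $D$, $c$ and $(Z_K, z_a, z_b)$; the original $(r, s)$ and $tk$ stay with the holder.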
4.2. Security Analysis
This section will show that the constructed interactive ID-based UDVSP system constructed from SM2 can achieve the anticipated security properties. Based on the security framework introduced by Baek et al. [5], a UDVSP scheme must satisfy two critical security requirements: existential unforgeability under adaptive chosen message and identity attacks (EUF-CM-ID-A), and resistance to impersonation attacks (R-IM).
Since the EUF-CM-ID-A of UDVSP is consistent with the EUF-CM-ID-A of the SM2 ID-based digital signature scheme (the SM2 ID-based digital signature has been proven to be EUF-CM-GID-A by Lin et al. [13]), this paper only analyzes the security of the UDVSP system against impersonation attacks. Specifically, we examine two distinct attack scenarios: resistance against Type 1 impersonation attacks (R-IM-TYPE-1) and resistance against Type 2 impersonation attacks (R-IM-TYPE-2).
Theorem 1. If the IVerf protocol of UDVSP satisfies honest verifier zero-knowledge (HVZK), then
UDVSP satisfies R-IM-TYPE-1.
Proof. First, we construct a simulator $SI$ (Algorithm 1) to prove that the IVerf protocol of UDVSP satisfies HVZK. $SI$ first generates a valid message–signature pair $(m, \sigma = (L, r, s))$ and replicates all interactions with the honest verifier $Vr$. Due to the random numbers $a_r, b_r \in \mathbb{Z}_n^*$ in steps (1) and (2), the first two steps of $SI$ are completely blind. The point $L$ is a random point derived from the user’s private key, and the verifier cannot recover the original signature $(L, r, s)$ from the transformed signature $(L, \hat{r}, \hat{s})$. Additionally, steps (3) to (5) form a $\Sigma$-protocol, which satisfies special HVZK, effectively preventing the disclosure of the transformation key $(a_r, b_r)$. Therefore, the IVerf protocol of UDVSP satisfies HVZK.
Algorithm 1 Simulator $SI$ for the IVerf protocol.
1. $SI$ requests a signature $(m, \sigma = (L, r, s))$ from the signer.
2. $SI$ selects $a_r, b_r \in \mathbb{Z}_n^*$ at random and computes $e = H_v(Z_a \| m)$, $\hat{r} = r + a_r - e \bmod n$, $\hat{s} = s + b_r \bmod n$, and sends $(L, \hat{r}, \hat{s})$ to $Vr$.
3. $SI$ randomly selects $\alpha, \beta \in \mathbb{Z}_n^*$ and $R \in G$, computes the commitment value $D = R + \beta P + \alpha(L + hP_{pub}) + \beta(L + hP_{pub})$, and sends $D$ to $Vr$.
4. $SI$ receives the challenge value $c \in \mathbb{Z}_n^*$ sent by $Vr$.
5. $SI$ computes the response to the challenge $Z_K = R - cK$, $z_a = \alpha - c \cdot a_r \bmod n$, $z_b = \beta - c \cdot b_r \bmod n$, and sends $(Z_K, z_a, z_b)$ to $Vr$.
If there exists a PPT adversary $\mathcal{A} = (V', P')$ that successfully breaks the R-IM-TYPE-1 security of UDVSP, it implies that $\mathcal{A}$ can obtain information about $(a_r, b_r)$ to successfully interact with other designated verifiers. This would violate the HVZK property of the IVerf protocol in UDVSP. Therefore, UDVSP satisfies R-IM-TYPE-1.
Theorem 2. If the SM2 identity-based digital signature has the property of EUF-CM-GID-A, then
UDVSP has the property of R-IM-TYPE-2.
Proof. Suppose there exists an algorithm $\mathcal{A}$ that successfully breaks the R-IM-TYPE-2 property of UDVSP. Then, there exists an algorithm $\mathcal{B}$ that can use the capability of $\mathcal{A}$ to successfully break the EUF-CM-GID-A property of the SM2 identity-based digital signature. Algorithm $\mathcal{B}$ is given the system public key $mpk = (E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ ($P_{pub} = xP$, $H: \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_n^*$, $H_v: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^v$, $H_o: \{0,1\}^* \to \{0,1\}^{256}$). The goal is to output a valid message–signature pair.
First, $\mathcal{B}$ sends $(E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ to $\mathcal{A}$ and calls $\mathcal{A}$ to obtain the transformed signature $\hat{\sigma} = (L, \hat{r}, \hat{s})$ for $m$. Then, $\mathcal{B}$ and $\mathcal{A}$ execute step 1 of the IVerf protocol to obtain $D = R + \beta P + \alpha(L + hP_{pub}) + \beta(L + hP_{pub})$, and $D$ is returned to $\mathcal{B}$. $\mathcal{B}$ computes $e' = H_v(Z_a \| m)$, $h' = H(ID_a \| L)$, $T = (L + h'P_{pub})$, and verifies $D = Z_K + z_b P + z_a T + z_b T + c(\hat{s}P + \hat{r}T + e'T + \hat{s}T)$. If this does not hold, $\mathcal{B}$ terminates the current interaction; otherwise, $\mathcal{B}$ calls $\mathcal{A}$ again with a new challenge value $c' \in \mathbb{Z}_n^*$ to obtain new proof values $(Z'_K, z'_a, z'_b)$. If $D' = Z'_K + z'_b P + z'_a T + z'_b T + c(\hat{s}P + \hat{r}T + e'T + \hat{s}T)$, then $\mathcal{B}$ can compute $a_r = (z_a - z'_a) \cdot \tau \bmod n$, $b_r = (z_b - z'_b) \cdot \tau \bmod n$, $K = \tau(Z_K - Z'_K)$, where $\tau = (c - c')^{-1}$ can be solved using the extended Euclidean algorithm. $\mathcal{B}$ uses $(a_r, b_r)$ to recover $\sigma = (L, r, s)$, and finally outputs the forged message–signature pair $(m, \sigma = (L, r, s))$. This contradicts the EUF-CM-GID-A property of the SM2 identity-based digital signature; thus, UDVSP satisfies R-IM-TYPE-2.
5. Non-Interactive ID-Based UDVSP Based on SM2 Digital Signature
5.1. The Proposed System
The non-interactive ID-based UDVSP scheme also relies on ID-based SM2 signatures. However, unlike the previous scheme, it uses the OR form of the $\Sigma$-protocol for protocol design. Although the designated verifier still needs to have a pair of public and private keys, these required key pairs do not have to be generated based on the signer’s public key parameters. Instead, the designated verifier can make use of an existing public/private key pair. The scheme specifically comprises five algorithms and one protocol. The process of the scheme is as shown in Figure 3.
• Setup: Given the security parameter $\lambda$, the KGC randomly picks a large prime number $q$ and determines a non-singular elliptic curve $E: y^2 = x^3 + ax + b \bmod q$ (where $a, b \in \mathbb{Z}_q^*$). Among all the points on $E$ (including the point at infinity), a cyclic group $G$ of prime order $n$ and a generator $P \in G$ are selected. Secure hash functions are chosen as follows: $H: \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_n^*$, $H_v: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^v$, and $H_o: \{0,1\}^* \to \{0,1\}^{256}$. Here, $H_v(\cdot)$ is a cryptographic hash function with a message digest length of $v$ bits, and $H_o(\cdot)$ is a secure cryptographic hash function. A random $x \in \mathbb{Z}_q^*$ is selected, and the partial system public key is computed as $P_{pub} = xP$. The algorithm outputs the system public key $mpk = (E, a, b, q, G, n, P, P_{pub}, H, H_v, H_o)$ and the master private key $msk = x$. This invention is based on the SM2 digital identity signature design, so it uses the same system parameters as the identity-based SM2 digital signature. For specific parameter symbols and definitions, refer to the detailed implementation in Section 3.1 (Symbols and Definitions).
• Extract: Given the system’s master public key $mpk$, master private key $msk$, and user information $ID_a$, the KGC randomly selects $l \in \mathbb{Z}_n^*$, computes the partial user private key $L = lP$, and the intermediate variable $h = H(ID_a \| L)$. The partial user private key $d$ is calculated as $d = l + xh \bmod n$. The algorithm outputs the user’s private key $sk = (L, d)$.
• Sign: Given the system’s master public key $mpk$, the user’s private key $sk = (L, d)$, and the message $m$, the signer computes the user’s distinguishable identifier $Z_a = H_o(ENTL_A \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$ and the hash value $e = H_v(Z_a \| m)$, where $ENTL_A$ is the bit length of $ID_a$, and $(x_p, y_p)$ and $(x_L, y_L)$ are the coordinates of $Pr$ and $L$, respectively. A random $k \in \mathbb{Z}_n^*$ is selected, and the elliptic curve point $K = kP = (x_K, y_K)$ and the partial signature $r = (e + x_K) \bmod n$ are computed. If $r = 0$ or $r + k = n$, a new $k$ is selected and the calculations are repeated. Otherwise, the partial signature $s = (1 + d)^{-1}(k - rd) \bmod n$ is computed. If $s \neq 0$, the algorithm outputs the message $m$ and the signature $\sigma = (L, r, s)$.
• Verify: Given the system’s master public key $mpk$, user information $ID_a$, message $m$, and the signature to be verified $\sigma = (L, r, s)$, if $r, s \notin \mathbb{Z}_n^*$, the verifier (which may be the signature holder or others) outputs 0. Otherwise, it computes $t = r + s \bmod n$. If $t = 0$, it outputs 0. Otherwise, the verifier computes $Z_a = H_o(ENTL_A \| ID_a \| a \| b \| x_p \| y_p \| x_L \| y_L)$, $h' = H(ID_a \| L)$, $e' = H_v(Z_a \| m)$, $K' = sP + t(L + h'P_{pub}) = (x'_K, y'_K)$, and $r' = (e' + x'_K) \bmod n$. If $r' = r$, the algorithm outputs 1 to denote the validity of the signature; in contrast, it outputs 0 to denote the invalidity of the signature.
• DGenr: Given the system public key $mpk$, it randomly selects $sk_v \in \mathbb{Z}_n'^{*}$ and computes $pk_v = sk_v P$. The algorithm outputs the designated verifier $Vr$’s private key and public key $(sk_v, pk_v)$. The public key parameters of the designated verifier and $pk_v$ are published, while $sk_v$ is kept by $Vr$.
• DVerf: In this protocol, the signature owner $Pr$ proves to the designated verifier $Vr$ that they possess a signature $\sigma$ that can be verified or that they possess $Vr$’s private key $sk_v$. If $Vr$ has not leaked $sk_v$, they will believe that $Pr$ has a valid $\sigma$, but cannot disclose this fact to a third party (because $Vr$, who possesses $sk_v$, can forge the related proof). First, $Pr$ selects a hash function $H_n: \mathbb{Z}_n^* \to \mathbb{Z}_n'^{*}$ based on $Vr$’s public key parameters. $Pr$ and $Vr$ then execute the following protocol:
1. First, $Pr$ computes $h = H(ID_a \| L)$, $T = L + hP_{pub}$ and $K = sP + (r + s)T$. Then, $Pr$ randomly selects $\alpha \in \mathbb{Z}_n^*$, $\beta, w \in \mathbb{Z}_{n'}^*$, and $R \in G$, and computes $D_1 = R - \alpha P - \alpha T$ and $D_2 = \beta P + w\,pk_v$.
2. $Pr$ obtains $c = H_c(D_1, D_2, ID_a, pk_v)$.
3. $Pr$ designates $c_1 = c - H_n(w)$ and $c_2 = w$, then computes $Z_K = R - c_1 K$, $z_a = \alpha - c_1 s$, and $z_b = \beta$. The proof $\hat{s} = (c_1, c_2, Z_K, z_a, z_b)$ is then formed. Subsequently, $Pr$ sends $(L, r, \hat{s})$ and the hash function $H_n$ to $Vr$.
4. $Vr$ computes $h' = H(ID_a \| L)$, $T' = L + hP_{pub}$, then $D'_1 = Z_K - z_a P - z_a T' + c_1 r T'$, $D'_2 = z_b P + c_2\,pk_v$, $c = H_c(D_1, D_2, ID_a, pk_v)$. If $D'_1 = D_1$, $D'_2 = D_2$, and $c_1 + H_n(c_2) = c$, then it outputs 1 to indicate acceptance; otherwise, it outputs 0.
Figure 3. The process of non-interactive ID-based UDVSP based on SM2 digital signature.
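The DVerf steps above, run end to end on the SM2 recommended curve, as an added example that is not the authors' code. Assumptions: SHA-256 stands in for $H$, $H_v$, $H_c$ and $H_n$; $V_r$ uses the same curve, so $n' = n$; the user key $d = l + h \cdot msk$ with $L = lP$ is inferred from the Verify equation; $Z_a$ is replaced by a plain hash of identity and message; and because the transmitted tuple $(L, r, \hat{s})$ carries no $D_1, D_2$, the verifier recomputes them and checks the single equation $c_1 + H_n(c_2) = H_c(D'_1, D'_2, ID_a, pk_v)$.

```python
import hashlib, secrets
# SM2 recommended curve (assumed; the page lists no parameters): P has prime order n, b is unused.
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a, n = p - 3, 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
P = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None: return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3*x1*x1 + a) * pow(2*y1, -1, p) if A == B else (y2 - y1) * pow((x2 - x1) % p, -1, p)
    x3 = (lam*lam - x1 - x2) % p
    return x3, (lam*(x1 - x3) - y1) % p

def mul(k, A):  # double-and-add; not constant time, demonstration only
    R = None
    for bit in bin(k % n)[2:]:
        R = add(R, R)
        if bit == "1": R = add(R, A)
    return R
def sub(A, B): return add(A, None if B is None else (B[0], -B[1] % p))
def rnd(): return secrets.randbelow(n - 1) + 1                    # uniform in [1, n-1]
def Hs(tag, *v):  # SHA-256 to a non-zero scalar; hypothetical stand-in for H, Hv, Hc, Hn
    return int.from_bytes(hashlib.sha256(repr((tag, v)).encode()).digest(), "big") % (n - 1) + 1
def T_of(ID, L, Ppub): return add(L, mul(Hs("H", ID, L), Ppub))   # T = L + h*Ppub

def dverf_prove(ID, L, r, s, Ppub, pkv):  # steps 1-3, run by the signature holder Pr
    T = T_of(ID, L, Ppub)
    K = add(mul(s, P), mul(r + s, T))                     # K = sP + (r+s)T
    alpha, beta, w, R = rnd(), rnd(), rnd(), mul(rnd(), P)
    D1 = sub(R, mul(alpha, add(P, T)))                    # D1 = R - alpha*P - alpha*T
    D2 = add(mul(beta, P), mul(w, pkv))                   # D2 = beta*P + w*pkv
    c1 = (Hs("Hc", D1, D2, ID, pkv) - Hs("Hn", w)) % n    # c1 = c - Hn(w), c2 = w
    return c1, w, sub(R, mul(c1, K)), (alpha - c1*s) % n, beta   # (c1, c2, Z_K, za, zb)

def dverf_verify(ID, L, r, proof, Ppub, pkv):  # step 4, run by the designated verifier Vr
    (c1, c2, ZK, za, zb), T = proof, T_of(ID, L, Ppub)
    D1 = add(sub(ZK, mul(za, add(P, T))), mul(c1*r, T))   # D1' = Z_K - za*P - za*T' + c1*r*T'
    D2 = add(mul(zb, P), mul(c2, pkv))                    # D2' = zb*P + c2*pkv
    return (c1 + Hs("Hn", c2)) % n == Hs("Hc", D1, D2, ID, pkv)

def demo():  # constructed keys, identity and message; returns (honest run, run with altered r)
    msk, l, k, skv, ID = rnd(), rnd(), rnd(), rnd(), "alice@example.test"
    Ppub, L, pkv = mul(msk, P), mul(l, P), mul(skv, P)
    d = (l + Hs("H", ID, L) * msk) % n                    # assumed key extraction, so T = dP
    r = (Hs("Hv", ID, "constructed message") + mul(k, P)[0]) % n
    s = pow(1 + d, -1, n) * (k - r*d) % n                 # s = (1+d)^-1 (k - rd) mod n
    proof = dverf_prove(ID, L, r, s, Ppub, pkv)
    return dverf_verify(ID, L, r, proof, Ppub, pkv), dverf_verify(ID, L, (r + 1) % n, proof, Ppub, pkv)
```

`demo()` returns `(True, False)`: the honest transcript satisfies the step 4 equations, and changing $r$ shifts $D'_1$ by $c_1 T'$ so the recomputed challenge no longer matches.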
5.2. Security Analysis
This section will show that the interactive ID-based UDVSP system constructed from SM2 can
achieve the anticipated security properties. Based on the security framework introduced by
Baek et al. [5], a UDVSP scheme must satisfy two critical security requirements: existential
unforgeability under adaptive chosen message and identity attacks (EUF-CM-ID-A), and
resistance to impersonation attacks (R-IM).
As in the previous section, this section focuses exclusively on analyzing the security of
the UDVSP system against impersonation attacks.
Theorem 3. If the identity-based digital signature based on SM2 has the property of
EUF-CM-GID-A, and the elliptic curve discrete logarithm problem (ECDLP) is intractable, then
the UDVSP has the property of R-IM-TYPE-2.
Proof. This section will illustrate that the constructed non-interactive identity-based UDVSP
system based on SM2 can hold the anticipated security properties. The EUF-CM-GID-A property
of the ID-based digital signature based on SM2 has been verified by Lin et al. [13], and
Chen et al. [9] have demonstrated that without signature conversion (Tran), due to the
zero-knowledge property of the $\Sigma$ protocol, Type 1 impersonation attacks are equivalent to
Type 2 impersonation attacks. Hence, this paper only needs to prove that the UDVSP system
satisfies R-IM-TYPE-2.
First, B sends $cp$, $pk_v$ and $mpk$ to A, and calls A to obtain the hash functions
$H_n : \mathbb{Z}'^{*}_{n} \to \mathbb{Z}^{*}_{n}$ and $H_c : (D, D, \{0,1\}^{*}, D) \to \mathbb{Z}^{*}_{n}$.
Then, B and A execute the DVerf protocol to obtain the commitment value, challenge value, and
proof values $(D_1, D_2, c_1, c_2, Z_K, z_a, z_b)$. B computes $h = H(ID_a \| L)$ and verifies
$D_1 = Z_K - z_a P - z_a(L + hP_{pub}) + c_1 r(L + hP_{pub})$, $D_2 = z_b P + c_2\,pk_v$, and
$H_c(D_1, D_2, ID_a, pk_v) = c = c_1 + H_n(c_2)$. If this does not hold, B terminates the
current interaction. Otherwise, B calls A again, and B obtains the challenge value and proof
values $(D_1, D_2, c'_1, c'_2, Z'_K, z'_a, z'_b)$. If
$D_1 = Z'_K - z'_a P - z'_a(L + hP_{pub}) + c'_1 r(L + hP_{pub})$, $D_2 = z'_b P + c'_2\,pk_v$, and
$H_c(D_1, D_2, ID_a, pk_v) = c' = c'_1 + H_n(c'_2)$ hold, then B can compute
$s = (z_a - z'_a) \cdot \tau \bmod n$, $K = \tau(Z_K - Z'_K)$ or $sk_v = (z_b - z'_b) \cdot \tau \bmod n$.
Here, $\tau = (c - c')^{-1}$, which can be solved using the extended Euclidean algorithm. B can
recover $\sigma = (L, r, s)$, and finally output the forged message–signature pair
$(m, \sigma = (L, r, s))$ or obtain the discrete logarithm $sk_v$ of the ECDLP instance
$pk_v = sk_v P'$. This contradicts
the EUF-CM-GID-A property of the identity-based digital signature based on SM2 and the
computational hardness of ECDLP; thus, UDVSP has the property of R-IM-TYPE-2.
6. Performance Evaluation
This section first presents an analytical study of the computation and communication costs of
our scheme, along with a comparison to prevalent existing solutions such as UDVSP [2,5] and
UDVS [18,19]. The study is based on a theoretical analysis, where we calculate the total cost
by summing up every operation involved in the schemes. The cost of each operation was measured
through 10,000 practical tests on our hardware, with average execution times calculated to
estimate the ideal performance of the schemes. Unlike practical analysis, operations that need
to be executed only once (e.g., system initialization) and computations with extremely low
cost (e.g., if statements) are not accounted for in this theoretical model, which may lead to
some discrepancies compared to the actual execution results.
In this context, the two key-producing procedures within UDVS systems are both
counted under KGen, and the focus regarding communication overhead lies primarily on
the IVerf interactive protocol. As illustrated in Table 2, compared to existing UDVSP/UDVS
schemes, our schemes exhibit optimized computational cost and communication
overhead. This advantage stems from the elimination of the laborious bilinear map
operation and the hash function for mapping to a point in our scheme.
Table 2. Theoretical performance comparison results.
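| Scheme | UKGen (ms) | USign (ms) | UVerf (ms) | UTran (ms) | UIVerf (ms) | UIVerf communication (B) |
|---|---|---|---|---|---|---|
| UDVSP-1 [5] | $T_{g1sm}$ | $T_{h2p} + T_{g1sm}$ | $2T_{bp} + T_{h2p}$ | $T_{g1sm}$ | $2T_{bp} + T_{mm} + T_{ma} + 2T_{ebp} + T_{mbp} + T_{h2p}$ | $|G_T| + 2|Z_n|$ |
| UDVSP-2 [5] | $2T_{g2sm}$ | $T_{g1sm} + T_{mi} + T_{mm} + 2T_{ma}$ | $2T_{bp} + 2T_{g2sm} + 2T_{g2pa}$ | $T_{g1sm}$ | $2T_{bp} + 2T_{g2sm} + 2T_{g2pa} + T_{ebp} + T_{mm} + T_{ma} + 2T_{ebp} + T_{mbp}$ | $|G_T| + 2|Z_n|$ |
| UDVS-1 [18] | $4T_{g1sm}$ | $3T_{g1sm} + 2T_{g1pa} + T_{mm}$ | $T_{g1sm} + T_{g1pa} + 3T_{bp} + T_{mbp}$ | $2T_{g1sm} + T_{mm} + 3T_{g1pa} + T_{bp}$ | $2T_{g1sm} + T_{g1pa} + 2T_{bp} + T_{mbp} + 2T_{ebp}$ | $|G_T| + |G_1|$ |
| UDVS-2 [19] | $2T_{g1sm}$ | $5T_{g1sm} + 3T_{g1pa}$ | $2T_{g1sm} + 3T_{g1pa} + 3T_{bp} + T_{mbp}$ | $T_{bp}$ | $2T_{g1sm} + 3T_{g1pa} + 2T_{bp} + T_{mbp} + 2T_{ebp}$ | $|G_T| + |G_1|$ |
| UDVSP-3 [2] | $T_{g1sm}$ | $T_{g1sm} + T_{mi} + T_h + 2T_{mm} + 2T_{ma}$ | $2T_{g1sm} + T_{g1pa} + 2T_{ma} + T_h$ | $3T_{ma} + T_h$ | $14T_{g1sm} + 13T_{g1pa} + 7T_{mm} + 3T_{ma} + T_h$ | $2|G_1| + 3|Z_n|$ |
| Our UDVSP-1 | $T_{g1sm} + T_h + T_{ma} + T_{mm}$ | $T_{g1sm} + T_{mi} + 2T_h + 2T_{ma} + 2T_{mm}$ | $3T_{g1sm} + 2T_{g1pa} + 2T_{ma} + 3T_h$ | $3T_{ma} + 2T_h$ | $16T_{g1sm} + 15T_{g1pa} + 7T_{mm} + 3T_{ma} + 3T_h$ | $2|G_1| + 3|Z_n|$ |
| Our UDVSP-2 | $T_{g1sm} + T_h + T_{ma} + T_{mm}$ | $T_{g1sm} + T_{mi} + 2T_h + 2T_{ma} + 2T_{mm}$ | $3T_{g1sm} + 2T_{g1pa} + 2T_{ma} + 3T_h$ | $T_{ma}$ | $15T_{g1sm} + 10T_{g1pa} + 7T_{mm} + 4T_{ma} + 6T_h$ | $4|G_1| + 5|Z_n|$ |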
Lin et al. [2] developed a prototype for each operation within these comparable
schemes to acquire the empirical effectiveness. The execution was carried out on a laptop
computer equipped with an i7-9750H 2.59 GHz processor, 16 GB of memory, and the
Windows 10 operating system. The cryptographic library used was the MIRACL library
(a widely used cryptographic library, version 7.0). In particular, they utilized the BLS
(Boneh–Lynn–Shacham) curve with an ate pairing embedding degree of 24, which is highly
suitable for the security level AES-256. As a result, the sizes of the elements in Zq, G1, G2,
and GT are 64 bytes, 160 bytes, 640 bytes, and 1920 bytes, respectively. The corresponding
notations and execution times are presented in Table 3. According to the test results
of various cryptographic operations (Table 3), the actual computational overhead and
communication costs can be analyzed and compared (Figure 4).
Through theoretical analysis, the proposed Our UDVSP-1 and Our UDVSP-2 schemes
reduce computational overhead by at least 85.55% compared to other schemes (except
UDVSP-3). Although their computational cost is 1.1625 times higher than UDVSP-3,
this is acceptable, as they avoid the complex public key certificate management required
by UDVSP-3.
In terms of communication overhead, Our UDVSP-1 (512 bytes) and Our UDVSP-2
(960 bytes) significantly outperform UDVSP-1/UDVSP-2 (2048 bytes) and UDVS-1/UDVS-2
(2080 bytes). Overall, the proposed schemes offer a balanced improvement in efficiency
and practicality.
Table 3. Symbol definition and time cost.
| Notation | Description | Time/ms | Notation | Description | Time/ms |
|---|---|---|---|---|---|
| $T_{g1pa}$ | A point addition in $G_1$ | 0.165954 | $T_{bp}$ | A bilinear pairing $G_T$ | 820.32 |
| $T_{g1sm}$ | A scalar multiplication in $G_1$ | 35.3111 | $T_{ebp}$ | An exponentiation in $G_T$ | 689.273 |
| $T_{g2pa}$ | A point addition in $G_2$ | 0.63289 | $T_{mbp}$ | A multiplication in $G_T$ | 2.05855 |
| $T_{g2sm}$ | A scalar multiplication in $G_2$ | 206.575 | $T_{mi}$ | A modular inversion in $Z_n^{*}$ | 0.05023 |
| $T_h$ | A general hash function | 0.00576 | $T_{mm}$ | A modular multiplication in $Z_n^{*}$ | 0.01231 |
| $T_{h2p}$ | A map-to-point hash function | 17.1464 | $T_{ma}$ | A modular addition in $Z_n^{*}$ | 0.00271 |
Figure 4. Real performance comparison results.
7. Conclusions
Although Lin et al.’s scheme addresses issues common to existing UDVSP schemes, such as
highly time-consuming bilinear pairing operations, it still suffers from the cumbersome
certificate management problem and the drawbacks brought about by the interactive protocol.
To address these issues, we first propose the ID-based UDVSP system based on the ID-based
SM2 digital signature scheme to eschew the intricate certificate management procedures.
Moreover, we construct non-interactive ID-based UDVSP by using the OR proof and Fiat–Shamir
techniques. Our work not only exhibits the same bilinear pairing-free merit as the proposal
of Lin et al. [2], but also fulfills the goal of certificate-free or non-interactive
verification.
Although our ID-based UDVSP systems show improvements over existing schemes,
they are limited to achieving certificate-free operation or non-interactive verification
separately, rather than both simultaneously. Future work will focus on developing an efficient
scheme that combines both features.
Furthermore, the ID-based digital signature based on SM2 employed in this scheme is
based on the elliptic curve discrete logarithm problem (ECDLP), whose long-term security
is potentially vulnerable to attacks by quantum computers. To address the threat posed
by quantum computing, future work will consider adopting post-quantum cryptographic
techniques to enhance the security of the scheme.
Author Contributions: Conceptualization, Y.Y. and X.Z.; formal analysis, Y.Y., X.Z. and B.S.; funding
acquisition, W.W.; investigation, B.S.; methodology, Y.Y. and X.Z.; resources, W.W.; software, Y.Y.;
supervision, B.S. and W.W.; visualization, X.Z. and W.W.; writing—original draft, Y.Y.;
writing—review and editing, X.Z. and B.S. All authors have read and agreed to the published
version of the manuscript.
Funding: This work was supported by the National Natural Science Foundation of China under
Grant U21A20466 and Grant 62372108.
Data Availability Statement: We used the data from Lin et al.’s paper. The DOI is
https://doi.org/10.1109/tsc.2023.3289319.
Conflicts of Interest: The authors declare no conflict of interest.
References
1. Steinfeld, R.; Bull, L.; Wang, H.; Pieprzyk, J. Universal Designated-Verifier Signatures. IACR Cryptol. ePrint Arch. 2003, 192.
2. Lin, C.; He, D.; Huang, X. Blockchain-based electronic medical record secure sharing. J. Comput. Appl. 2022, 42, 3465.
3. Chaum, D.; van Antwerpen, H. Undeniable Signatures. In Proceedings of the Advances in Cryptology—CRYPTO’ 89 Proceedings, Santa Barbara, CA, USA, 20–24 August 1989; Brassard, G., Ed.; Springer: New York, NY, USA, 1990; pp. 212–216.
4. Jakobsson, M.; Sako, K.; Impagliazzo, R. Designated Verifier Proofs and Their Applications. In Proceedings of the Advances in Cryptology—EUROCRYPT ’96, Saragossa, Spain, 12–16 May 1996; Maurer, U., Ed.; Springer: Berlin/Heidelberg, Germany, 1996; pp. 143–154.
5. Baek, J.; Safavi-Naini, R.; Susilo, W. Universal designated verifier signature proof (or how to efficiently prove knowledge of a signature). In Proceedings of the Advances in Cryptology-ASIACRYPT 2005: 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, 4–8 December 2005; Proceedings 11; Springer: Berlin/Heidelberg, Germany, 2005; pp. 644–661.
6. Steinfeld, R.; Wang, H.; Pieprzyk, J. Efficient extension of standard Schnorr/RSA signatures into universal designated-verifier signatures. In Proceedings of the Public Key Cryptography–PKC 2004: 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 1–4 March 2004; Proceedings 7; Springer: Berlin/Heidelberg, Germany, 2004; pp. 86–100.
7. Shamir, A. Identity-based cryptosystems and signature schemes. In Proceedings of the Advances in Cryptology: CRYPTO 84 4; Springer: Berlin/Heidelberg, Germany, 1985; pp. 47–53.
8. Zhang, F.; Susilo, W.; Mu, Y.; Chen, X. Identity-based universal designated verifier signatures. In Proceedings of the International Conference on Embedded and Ubiquitous Computing, Nagasaki, Japan, 6–9 December 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 825–834.
9. Chen, X.; Chen, G.; Zhang, F.; Wei, B.; Mu, Y. Identity-Based Universal Designated Verifier Signature Proof System. Int. J. Netw. Secur. 2009, 1, 52–58.
10. Abbasinezhad-Mood, D.; Nikooghadam, M. An anonymous ECC-based self-certified key distribution scheme for the smart grid. IEEE Trans. Ind. Electron. 2018, 65, 7996–8004.
11. Zhang, Z.; Yang, K.; Zhang, J.; Chen, C. Security of the SM2 signature scheme against generalized key substitution attacks. In Proceedings of the International Conference on Research in Security Standardisation, Tokyo, Japan, 15–16 December 2015; Springer: Berlin/Heidelberg, Germany, 2015; pp. 140–153.
12. He, D.; Zhang, J.; Chen, B.; Zhang, Y. An Identity-Based Digital Signature Method and System Based on SM2; China National Intellectual Property Administration: Beijing, China, 2021. (In Chinese)
13. Lin, C.; Huang, X.; He, D. Efficient Range Proof Protocols Based on Chinese Cryptographic SM2. Chin. J. Comput. 2022, 45, 148–159.
14. Bellare, M.; Goldreich, O. On Defining Proofs of Knowledge. In Proceedings of the Advances in Cryptology-CRYPTO’92, 12th Annual International Cryptology Conference, Santa Barbara, CA, USA, 16–20 August 1992; Proceedings; Brickell, E.F., Ed.; Springer: Berlin/Heidelberg, Germany, 1992; Lecture Notes in Computer Science; Volume 740, pp. 390–420.
15. Cramer, R.; Damgård, I.; MacKenzie, P.D. Efficient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions. In Proceedings of the Public Key Cryptography, Third International Workshop on Practice and Theory in Public Key Cryptography, PKC 2000, Melbourne, Victoria, Australia, 18–20 January 2000; Proceedings; Imai, H., Zheng, Y., Eds.; Springer: Berlin/Heidelberg, Germany, 2000; Lecture Notes in Computer Science; Volume 1751, pp. 354–373.
16. Ivan, D. On Σ-Protocols; Lecture Note, University of Aarhus, Department for Computer Science: Aarhus, Denmark, 2002.
17. Faust, S.; Kohlweiss, M.; Marson, G.A.; Venturi, D. On the non-malleability of the Fiat-Shamir transform. In Proceedings of the Progress in Cryptology-INDOCRYPT 2012: 13th International Conference on Cryptology in India, Kolkata, India, 9–12 December 2012; Proceedings 13; Springer: Berlin/Heidelberg, Germany, 2012; pp. 60–79.
18. Huang, X.; Susilo, W.; Mu, Y.; Wu, W. Secure universal designated verifier signature without random oracles. Int. J. Inf. Sec. 2008, 7, 171–183.
19. Rastegari, P.; Berenjkoub, M.; Dakhilalian, M.; Susilo, W. Universal designated verifier signature scheme with non-delegatability in the standard model. Inf. Sci. 2019, 479, 321–334.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.