Verifier-key-flexible universal designated-verifier signatures

Abstract

Universal Designated-Verifier Signatures (UDVS) are proposed to protect the privacy of a signature holder. Since UDVS schemes reduce to standard signatures when no verifier designation is performed, from the perspective of a signer, it is natural to ask if a UDVS can be constructed from widely used standardized-signatures so that the existing public key infrastructures for these schemes can be used without modification. Additionally, if designated-verifiers already have their own private/public key-pairs (which may be of a different type from the signer's), then, for the convenience of designated-verifiers, it is also natural to ask if designated-verifiers can use their own private keys to verify designated signatures instead of using a new key compatible with the UDVS system. In this paper, we address these problems and propose a new UDVS scheme. In our scheme, the signature is generated by a signer using DSA/ECDSA, and the designated-signature can be verified using the original private key (RSA-based or DL-based) of the designated-verifier instead of using a new key. We call this new property verifier-key-flexible. The security of the scheme is proved in the random oracle model. © Springer-Verlag Berlin Heidelberg 2007.