Universal Designated Verifier Signature Without Delegatability

Abstract

In Asiacrypt 2003, the notion of the universal designated verifier signature (UDVS) was put forth by Steinfeld, Bull, Wang and Pieprzyk. In the new paradigm, any signature holder (not necessarily the signer) can designate the standard signature to any desired designated verifier (using the verifier's public key), such that only the designated verifier will believe that the signature holder holds a valid standard signature, and hence, believe that the signer has indeed signed the message. When the signature holder is the signer himself, the UDVS scheme can be considered as a designated verifier signature (DVS) which was proposed by Jakobsson, Sako and Impagliazzo in Eurocrypt 1996. In the recent paper published in ICALP 2005, Lipmaa, Wang and Bao introduced a new security property, called “non-delegatability”, as an essential property of (universal) designated verifier signature. Subsequently, Li, Lipmaa and Pei used this new property to “attack” four designated verifier signatures in ICICS 2005 and showed that none of them satisfy the required property. To date, there is no UDVS scheme that does not suffer from the delegatability problem. In this paper, we propose the first provably secure UDVS without delegatability, which can also be regarded as another DVS scheme without delegatability. We also refine the models of the UDVS schemes and introduce the notion of the strong universal designated verifier signature (SUDVS). We believe that the model itself is of an independent interest.