Exact Security Analysis of Some Designated Verifier Signature Schemes With Defective Security Proof

  • Received: 2010.05.14
  • Accepted: 2010.08.31
  • Published: 2010.10.31

Abstract

A designated verifier signature is a signature scheme that allows a signer to prove the validity of a signature to a designated verifier. The designated verifier, however, cannot convince a third party of the source of the signed document, that is, which of the two possible signers produced the signature. Unlike an ordinary digital signature, a designated verifier signature also lets the signer repudiate his/her signature to anyone except the designated verifier. Among the several schemes proposed so far, the schemes of Zhang et al. and Kang et al. were recently shown to be vulnerable to various attacks. In this paper, we identify the fundamental reason why these schemes admit attacks even though their authors gave security proofs, and we show that the Huang-Chou scheme and the Du-Wen scheme have the same problem. We then present practical attacks on the Huang-Chou scheme. Finally, although the authors of the Du-Wen scheme made the same error in their security proof as the authors of the schemes above, we correct the error and show that the scheme is in fact provably secure.

Designated verifier signatures allow a signer to prove the validity of a signature to a specifically designated verifier. The designated verifier can be convinced but is unable to prove the source of the message to a third party. Unlike conventional digital signatures, designated verifier signatures make it possible for a signer to repudiate his/her signature against anyone except the designated verifier. Recently, two designated verifier signature schemes, Zhang et al.'s scheme and Kang et al.'s scheme, have been shown to be insecure by concrete attacks. In this paper, we identify the essential reason why the schemes admit attacks even though they were given security proofs, and show that the Huang-Chou scheme and the Du-Wen scheme have the same problem. Indeed, the security proofs of all these schemes reflect only no-message attackers. Next, we show that the Huang-Chou scheme is insecure by presenting a universal forgery attack. Finally, we show that the Du-Wen scheme is, indeed, secure by completing its defective security proof.

Ⅰ. Introduction

The primitive of designated verifier signatures was introduced at Eurocrypt'96 by Jakobsson, Sako, and Impagliazzo [10], inspired by undeniable signatures. In the same year, Chaum independently introduced a similar concept in [3] under the name of private signatures. In undeniable signatures, the concept suggested by Chaum and van Antwerpen [4], signers must participate in the verification process, which prevents an undesirable verifier from becoming convinced of the validity of a signature. The signer can reject invalid signatures but cannot deny valid ones. One feature of undeniable signature schemes is that signers can decide when their signatures are verified, but they do not know to whom they are proving the validity of their signatures.

To address the issues raised by this feature, Jakobsson et al. suggested designated verifier signatures and strong designated verifier signatures, in which each signer is allowed to specify the verifier [10]. The notions were formalized and further investigated by Saeednia, Kremer and Markowitch [15]. In a designated verifier signature (DVS, for short), the verifier can simulate signatures that are indistinguishable from signatures created by the signer. Because of this property, signatures cannot be transferred to a third party even if the verifier's private key is revealed. Ordinary DVS schemes are designed to be publicly verifiable, so everyone has access to the verification algorithm; but nobody except the verifier should be convinced whether a signature is a valid one from the signer or a simulated one from the designated verifier. On the other hand, if the designated verifier is assumed to be honest, such schemes may fail to achieve the goal of designated verifier signatures. To be usable even in that scenario, strong designated verifier signatures require an additional property: everyone can simulate signatures, and no one except the verifier can distinguish the simulated signatures from the real ones. To achieve this requirement, strong designated verifier signature schemes are constructed with private verifiability: the secret key of the designated verifier is necessary to run the verification algorithm. In other words, only the designated verifier can verify the validity of signatures, and even the signer cannot verify a signature unless he keeps track of the signatures he produced.

Recently, many researchers have attempted to construct (strong) ID-based designated verifier signatures. Susilo, Zhang and Mu proposed an ID-based strong DVS scheme based on the bilinear Diffie-Hellman assumption [16]. Huang, Susilo, Mu, and Zhang also proposed a strong DVS scheme and a short ID-based strong DVS scheme [8, 9]. Kumar, Shailaja and Saxena proposed a novel ID-based strong DVS scheme [13]. Zhang and Mao proposed an ID-based strong DVS scheme that enjoys non-delegatability [17]. Kang, Boyd and Dawson proposed an ID-based DVS scheme [11] and an ID-based strong DVS scheme [12]. More recently, Du and Wen pointed out that Kang et al.'s scheme in [11] is vulnerable to a universal forgery attack and suggested another identity-based DVS to enhance the security [5]. Huang and Chou pointed out that Kang et al.'s other scheme in [12] is also insecure and proposed an improvement [7].

As provable security is desirable in the cryptographic community, cryptographic schemes are usually presented together with security proofs under suitable hardness assumptions. Following this trend, the authors of the schemes mentioned above, except for [12], give proofs to claim that their proposed schemes are secure. Unfortunately, most of these schemes turn out to be insecure under several types of attacks [5, 7, 12]. Nevertheless, no research work has investigated which part of the proofs is misleading, even though it is important to explore whether the schemes can be improved.

In this paper, we first point out the common mistake the authors made in the security proofs of the papers [5, 7, 11, 17]. Next, we show that Huang et al.'s scheme suffers from a universal forgery attack, although the authors claimed that their scheme is the first really secure strong designated verifier signature scheme with source-hiding security. Our attacks on the scheme give another example of the evidence that a new construction without a careful proof of security is likely to contain serious flaws. For completeness, we finally give the correct security proof of Du et al.'s scheme.

Ⅱ. Preliminaries

In this section, we review the definition of bilinear pairing and a related hardness assumption. Throughout this paper, we denote by $G_1$ and $G_2$ cyclic groups of the same prime order $q$.

Definition 1 (Bilinear Pairing).

An admissible bilinear pairing is a map $e : G_1 \times G_1 \to G_2$ that has the following properties:

(1) Computable: there is a polynomially bounded algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

(2) Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q$.

(3) Non-degenerate: there is a $P \in G_1$ such that $e(P, P) \neq 1$. That is, for non-identity elements $P, Q \in G_1$ we have $e(P, Q) \neq 1$.

In the above case, we say that $G_1$ is a bilinear group and $(G_1, G_2)$ is a bilinear group pair. Note that the original Weil pairing on an elliptic curve does not satisfy non-degeneracy, but a modified Weil pairing over a supersingular curve and the Tate pairing have the above properties.

Definition 2 (Bilinear Diffie-Hellman Assumption : BDH).

The bilinear Diffie-Hellman problem in $G_1$ is as follows: given $(P, aP, bP, cP)$ for randomly chosen $a, b, c \in \mathbb{Z}_q^*$, it is infeasible to compute $e(P, P)^{abc}$.

An algorithm $A$ has advantage $\varepsilon$ in solving BDH in $G_1$ if

$\Pr[A(P, aP, bP, cP) = e(P, P)^{abc}] \ge \varepsilon$

where the probability is over the random choice of $a, b, c$, the choice of $P$, and the random coins of $A$. We say that the BDH assumption holds in $G_1$ if no $t$-time algorithm has advantage at least $\varepsilon$ in solving the BDH problem in $G_1$.

Ⅲ. ID-based Strong Designated Verifier Signature Schemes and Their Security Models

Definition 3 (ID-based Strong Designated Verifier Signatures).

A strong designated verifier signature scheme (SDVS) consists of a tuple of (possibly randomized) algorithms (Setup, Extract, Sign, Verify, TrSim) where

Setup: The setup algorithm, on input a security parameter $k$, outputs the public parameters $par$ and the master secret key $msk$.

Extract: The key extraction algorithm takes the public parameters $par$ and an identity $ID$, and outputs the private key $sk_{ID}$ for the identity.

Sign: The signature generation algorithm takes as input the public parameters $par$, the private (signing) key $sk_S$, the designated verifier's identity $V$ (and hence $pk_V$) and a message $m$ in the message space, and outputs a signature on the message.

Verify: The signature verification algorithm is a deterministic algorithm that takes as input the public parameters $par$, the designated verifier's private key $sk_V$, a message $m$, and a signature $\sigma$, and outputs "accept" or "reject".

TrSim: The transcript simulation algorithm takes as input a signer's public key, the designated verifier's private key, and a message, and outputs a signature on the message.

We say that a signature $\sigma$ on $m$ is valid with respect to $(pk_S, pk_V)$ if $\mathrm{Verify}_{sk_V}(m, \sigma, pk_S, pk_V)$ outputs "accept". As usual, we require that a designated verifier signature scheme be correct, that is, for all $(pk_S, sk_S)$ and $(pk_V, sk_V)$ generated by Extract, and for every message $m$ in the message space, we should have

$\mathrm{Verify}_{sk_V}(m, \mathrm{Sign}_{sk_S}(m, pk_V), pk_S, pk_V) = \text{accept}$

For the sake of simplicity, we sometimes omit the public parameters $par$, which are part of the input of all but one algorithm.

Strong DVS schemes are required to satisfy several properties, namely unforgeability, non-transferability and strongness (or privacy of the signer's identity). We give a formal definition of unforgeability for our purpose, and list the other security requirements only for the sake of completeness as informal arguments, since we will not need them in this paper. The notions follow the papers [9, 10, 15, 16, 17].

1. Correctness: If the signer properly generates a signature by running the signing algorithm, the signature must be accepted by the verification algorithm.

2. Unforgeability: Informally, without the knowledge of the private key of either the signer or the designated verifier, it is infeasible to create a valid signature with respect to the signer and the verifier. Formally, this security can be defined by the following experiment.

Experiment $\mathrm{Exp}_{\mathrm{ID\text{-}SDVS},A}(k)$:

$(par, msk) \leftarrow \mathrm{Setup}(k)$

$(ID_S, ID_V, m, \sigma) \leftarrow A^{O_{Extract}, O_{Sign}, O_{TrSim}}(par)$

If $\mathrm{Verify}_{sk_V}(m, \sigma, ID_S, ID_V) = 0$ then return 0

If the following are satisfied then return 1:
(i) $ID_S$ and $ID_V$ have never been queried to the $O_{Extract}$ oracle.

(ii) $(ID_S, ID_V, m)$ has never been queried to the $O_{Sign}$ oracle.

Return 0

In the above experiment, $O_{Extract}$ is the key extraction oracle that takes $ID$ as input and returns the corresponding private key $sk_{ID}$; $O_{Sign}$ is the signing oracle that, on input $(ID_S, ID_V, m)$, outputs $\sigma$ by running the Sign algorithm; and $O_{TrSim}$ is the transcript simulation oracle that, on input $(ID_S, ID_V, m)$, outputs the result of the TrSim algorithm.

We assume that the signature output by the adversary is in the signature space, without loss of generality.

Definition 4 (Unforgeability). An ID-based strong designated verifier signature scheme ID-SDVS is unforgeable under chosen message attack if for any polynomial-time adversary $A$, the advantage $\mathrm{Adv}_{\mathrm{ID\text{-}SDVS},A}(k)$ defined by

$\Pr[\mathrm{Exp}_{\mathrm{ID\text{-}SDVS},A}(k) = 1]$ is negligible in $k$.

In words, the adversary is explicitly given the public parameters as input and has oracle access to $O_{Extract}$, $O_{Sign}$, and $O_{TrSim}$. The adversary wins if he creates a valid designated verifier signature $(ID_S, ID_V, \sigma, m)$, under the restriction that he has never queried $ID_S$ or $ID_V$ to the key extraction oracle and has never queried $(ID_S, ID_V, m)$ to the signing oracle. In a secure designated verifier signature scheme, we require that the adversary $A$ not be able to create such a signature.

3. Non-transferability: The designated verifier, even after being convinced of a signature on some message, is not able to convince any other user of this fact. Informally, this property is defined as follows: given a signature on a message, it is infeasible to determine who, of the original signer and the designated verifier, created the signature, even if one knows all secret keys. Non-transferability is usually ensured by allowing the designated verifier to simulate signatures that are intended for him. This notion is often called source hiding, or perfect non-transferability, if the signatures and the transcripts are perfectly indistinguishable.

4. Strongness (Privacy of signer's identity): Anyone except the designated verifier cannot derive useful knowledge from a signature, even when the designated verifier is believed to be honest and the signer's secret key is revealed. Note that even the signer should not be able to distinguish the signatures generated by himself from the transcripts simulated by the designated verifier.

5. Non-delegatability: It is hard for the signer to delegate his signing capability to any third party without disclosing his secret key. A weaker notion, called verifier-only delegatability, means that only the designated verifier is able to delegate its signing capability without transferring its secret key.

Ⅳ. Some Strong DVS Schemes, Revisited

Though Zhang et al.'s scheme [17] and Kang et al.'s scheme [11] come with security proofs, the schemes were shown to be insecure by Kang et al. [12] and Du et al. [5], respectively. In the paper [12], Kang et al. suggested two different designated verifier signature schemes without security proofs; later, one of the schemes was shown to lack source hiding. To resist these attacks, Huang et al. [7] suggested an improvement of Kang et al.'s scheme [12], and Du et al. [5] also proposed an improvement of Kang et al.'s scheme [11] by using the Cha-Cheon signature scheme [2]. However, we find that the improvements have the same problems as the schemes they attacked, in their design or in their security proofs. It seems that the authors of [5, 7, 12] overlooked the reason why their attacks were possible, and as a result made the same mistake in their improvements. In the following, we pin down the problem that is inherent to the above constructions.

The security proofs of unforgeability of the above schemes were given with the reduction technique: if there is a forger against the proposed DVS scheme, then one can construct a solver for the underlying hard problem. We remark that the forger in their security definition is modeled as an active adversary who can see all communicated messages and has access to signing oracles. That is, a designated verifier signature scheme must possess the unforgeability property under chosen message attack. However, the forger in their proofs is much weaker than that of the security model. To be more precise, we outline their proof procedure: the simulator initially guesses the target identities that the forger will attempt a forgery against. Let $ID_S$ and $ID_V$ denote the target identities of the signer and the designated verifier, respectively. During the adversary's signing queries, the simulator cannot answer any signing query with respect to $S$ and $V$. At the final stage, the attacker outputs a forgery, which the simulator uses to solve the problem instance. To summarize, the simulator in this game expects the forger to succeed in outputting a forgery with respect to the target signer and verifier without ever having received a signature for them. The proofs then end with the claim that this adversary can be used to contradict the given hardness assumption.

But we stress that the adversary is not allowed to see any signature of the target identities. This means that an adversary who holds a valid signature could still attack their scheme, and most attacks on designated verifier signature schemes start from a valid signature. As a result, their security proofs give no evidence that the proposed constructions are provably secure. This is the reason why the known attacks, as well as the attack we describe in the next section, are possible.

In this section, we have shown that the security proofs of the above schemes are given only against no-message attackers, which is no guarantee of any real security for designated verifier signatures. Due to this, the schemes, except the Du-Wen scheme, admit attacks even though their authors claimed that the schemes are provably secure.

Ⅴ. Huang-Chou Scheme and Attacks

As we already explained, even though Huang et al.'s scheme was claimed to be a secure strong DVS scheme, their proof was misleading. In this section, we show that the problem in their proof leads to attacks, by describing a concrete attack. To the best of our knowledge, no attack on this scheme has been reported before.

5.1. Review of Huang-Chou Scheme

Huang et al.'s strong DVS scheme can be described as follows.

Setup.

Let $G_1$ be an additive cyclic group generated by $P$ and $G_2$ be a multiplicative cyclic group, both of the same prime order $q$. Let $e : G_1 \times G_1 \to G_2$ be a bilinear map, and let $H_1 : \{0,1\}^* \to G_1$ and $H_2$ (whose domain and range are illegible in the source) be cryptographic hash functions. The key generation center (KGC) picks a random value $s \in \mathbb{Z}_q^*$ as the system master secret key and computes the corresponding public key $P_{pub} = sP$. The system parameter set is $\{G_1, G_2, P, P_{pub}, H_1, H_2, e, q\}$.

Extract.

Given a user's identity $ID$, the KGC computes $Q_{ID} = H_1(ID)$ and $S_{ID} = sQ_{ID}$ and returns $(S_{ID}, Q_{ID})$ to the user $ID$ as his private key and public key.

Sign.

To create a signature on $m$, the signer with identity $A$ selects a random value and computes the two signature components (the formulas are illegible in the source). The resulting pair is the signature on $m$ intended for the verifier $B$.

Verify.

After receiving the signature, the verifier $B$ checks its validity by testing whether the verification equation (illegible in the source) holds. The verifier accepts the signature if and only if the equation holds.

TrSim (Transcript Simulation).

The designated verifier $B$ can simulate a correct signature transcript for message $m$, which verifies successfully, as follows:

(1) Pick a random value (illegible in the source).

(2) Compute the two signature components from it (formulas illegible in the source).

The resulting pair is the simulated signature on $m$.

5.2. Analysis of the scheme

Huang et al.'s scheme is vulnerable to a universal forgery attack, since an attacker who knows a valid signature can freely generate signatures by himself. To see this, the adversary does the following:

(1) Query a signature on a message $m^*$ with respect to signer $A$ and verifier $B$ to obtain a valid signature.

(2) Compute $e(S_A, Q_B)$ (which equals $e(Q_A, S_B)$) from that signature; the formula is illegible in the source.

Now the adversary can freely sign any message on behalf of $A$ to convince $B$ of the message:

(1) Choose a message $m$ that he wants to sign.

(2) Compute the signature components from $e(S_A, Q_B)$ and $m$ (formula illegible in the source).

Notice that the resulting values pass the verification test with respect to the signer $A$ and the verifier $B$, and the adversary can repeat the above procedure for any message. Therefore, the adversary is able to impersonate the signer $A$ to convince the designated verifier $B$ of messages of his choice.

Remark. If the verification algorithm checks whether the first component of a signature has ever been used before, the above attack is avoidable. But to do so, the verifier must keep track of every signature intended for him, which, we believe, makes the scheme impractical. Moreover, even if we assume that this is not a problem, the scheme still has security problems. First, the scheme does not possess non-delegatability: the signer $A$ can delegate his signing capability to any third party by sending $e(S_A, Q_B)$. That is, the signer can delegate his signing capability without disclosing his secret key. Second, the scheme does not satisfy the strongness property: in a strong DVS, nobody should be able to verify the validity of signatures without the verifier's secret key, even if the verifier is assumed to be honest and not to forge (or simulate) signatures. However, an attacker who knows one valid signature can compute $e(Q_A, S_B)$ via the above attack. With this value, the attacker can easily verify the validity of subsequent signatures without the secret key of the designated verifier.

Ⅵ. Du-Wen scheme

Du et al. showed that Kang et al.'s scheme is insecure and suggested an improvement based on the Cha-Cheon signature scheme to resist their attack. Though the authors claimed that their improved scheme is secure and gave a security proof, the proof has the same problem that we explained before. In this section, we review Du et al.'s improvement and then give a correct security proof of its unforgeability.

6.1. The Scheme

Setup.

Let $G_1$ be an additive cyclic group generated by $P$ and $G_2$ be a multiplicative cyclic group, both of the same prime order $q$. Let $e : G_1 \times G_1 \to G_2$ be a bilinear map, and let $H_1 : \{0,1\}^* \to G_1$ and $H_2 : \{0,1\}^* \times G_1 \to \mathbb{Z}_q^*$ be cryptographic hash functions. The key generation center (KGC) picks a random value $s \in \mathbb{Z}_q^*$ as the system master secret key and computes the corresponding public key $P_{pub} = sP$. The system parameter set is $\{G_1, G_2, P, P_{pub}, H_1, H_2, e, q\}$.

Extract.

Given a user's identity $ID$, the KGC computes $Q_{ID} = H_1(ID)$ and $d_{ID} = sQ_{ID}$ and returns $(d_{ID}, Q_{ID})$ to the user $ID$ as his private key and public key.

Sign.

To create a signature on $m$, the signer with identity $A$ does the following:

(1) Choose a random value $r \in \mathbb{Z}_q^*$ and compute $t = rQ_A$.

(2) Set $h = H_2(m, t)$.

(3) Compute $T = (r + h)d_A$ and $\sigma = e(T, Q_B)$. The signature on the message $m$ is $(t, \sigma)$.

Verify.

After receiving $(t, \sigma)$, the designated verifier $B$ computes $h = H_2(m, t)$ and checks the validity of the signature by testing whether $\sigma = e(t + hQ_A, d_B)$. If it does not hold, he rejects.

TrSim.

At this stage, the designated verifier $B$ can simulate a correct signature transcript for message $m$, which verifies successfully, as follows:

(1) Choose a random value $r' \in \mathbb{Z}_q^*$ and compute $t' = r'Q_A$.

(2) Set $h' = H_2(m, t')$.

(3) Compute $\sigma' = e(t' + h'Q_A, d_B)$.

The simulated signature $(t', \sigma')$ on $m$ is a valid one in the sense that it passes the verification algorithm.
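As an added example (not code from the paper or from Du and Wen), the following Python models the Du-Wen algorithms over a toy bilinear map so that the verification equation and the transcript simulation can be checked concretely. The toy map takes $G_1 = (\mathbb{Z}_q, +)$ with $P = 1$ and $G_2$ the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a safe prime $p = 2q + 1$, with $e(xP, yP) = g^{xy}$; it satisfies the three properties of Definition 1, but discrete logarithms in $G_1$ are trivial, so it has no security value and is used here only to exercise the algebra. The prime search, the hash-to-group encodings, the identities and the messages are all constructed for this example.

```python
import hashlib
import secrets


def _is_prime(n):
    """Trial division; adequate for the ~1e8 toy primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def _toy_params(start=10**8):
    """Smallest safe-prime pair q, p = 2q + 1 at or above `start`
    (constructed toy parameters, not taken from the paper)."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return q, 2 * q + 1


Q, P_MOD = _toy_params()
G2_GEN = 4      # a quadratic residue mod p, hence of order q in Z_p^*
P1 = 1          # generator of G1 = (Z_q, +); the point "xP" is just x mod q


def pairing(x, y):
    """Toy bilinear map e(xP, yP) = g^(xy) mod p.  Bilinear and non-degenerate,
    but discrete logs in G1 are trivial, so this has NO security."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)


def _hash_to_zq_star(data):
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def h1(identity):
    """H1: {0,1}* -> G1 (nonzero, so every Q_ID generates G1)."""
    return _hash_to_zq_star(identity.encode())


def h2(message, t):
    """H2: {0,1}* x G1 -> Z_q^*; t is encoded with a fixed width."""
    return _hash_to_zq_star(message.encode() + t.to_bytes(8, "big"))


def setup():
    """Setup: master secret s and P_pub = sP."""
    s = secrets.randbelow(Q - 1) + 1
    return s, (s * P1) % Q


def extract(s, identity):
    """Extract: Q_ID = H1(ID), d_ID = s Q_ID."""
    q_id = h1(identity)
    return (s * q_id) % Q, q_id


def sign(d_a, q_a, q_b, message, r=None):
    """Sign: t = r Q_A, h = H2(m, t), T = (r + h) d_A, sigma = e(T, Q_B)."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    t = (r * q_a) % Q
    h = h2(message, t)
    big_t = ((r + h) * d_a) % Q
    return t, pairing(big_t, q_b)


def verify(d_b, q_a, message, sig):
    """Verify (needs the designated verifier's d_B): sigma == e(t + h Q_A, d_B)."""
    t, sigma = sig
    h = h2(message, t)
    return sigma == pairing((t + h * q_a) % Q, d_b)


def transcript_simulate(d_b, q_a, message, r_prime=None):
    """TrSim: B produces (t', sigma') for A's public key without knowing d_A."""
    if r_prime is None:
        r_prime = secrets.randbelow(Q - 1) + 1
    t_p = (r_prime * q_a) % Q
    h_p = h2(message, t_p)
    return t_p, pairing((t_p + h_p * q_a) % Q, d_b)


def demo(message="constructed sample message", r=7):
    """Run the scheme end to end; identities and message are constructed."""
    s, _ = setup()
    d_a, q_a = extract(s, "alice@example.invalid")   # signer A
    d_b, q_b = extract(s, "bob@example.invalid")     # designated verifier B
    d_c, _ = extract(s, "carol@example.invalid")     # some other user
    real = sign(d_a, q_a, q_b, message, r)
    simulated = transcript_simulate(d_b, q_a, message, r)
    return {
        "real_verifies": verify(d_b, q_a, message, real),
        "simulated_verifies": verify(d_b, q_a, message, simulated),
        "same_coins_same_output": real == simulated,          # source hiding
        "other_user_cannot_verify": not verify(d_c, q_a, message, real),
        "modified_message_rejected": not verify(d_b, q_a, message + "!", real),
    }
```

The `same_coins_same_output` flag makes the source-hiding argument concrete: for the same randomness, Sign and TrSim output the identical pair $(t, \sigma)$, so the two distributions coincide exactly. The `other_user_cannot_verify` flag shows why verification requires $d_B$, which is the private verifiability that strongness relies on.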

In the paper [5], the adversary in the proof reflects only a no-message attack, in the sense that the forger must create a valid signature with respect to the signer $A$ and the designated verifier $B$ without seeing any signature corresponding to $A$ and $B$. On the other hand, their construction seems to be secure, since they used a well-studied signature scheme as the building block. Indeed, we can correct their proof in the security model given in Section 3, so as to show that the improvement is actually a secure strong designated verifier signature scheme.

Theorem. The Du-Wen designated verifier signature scheme is unforgeable under adaptively chosen message attack. That is, if there is a forger $F$ against the Du-Wen designated verifier signature scheme with running time $\tau$ and advantage $\varepsilon$, where $\varepsilon \ge 10(q_S + 1)(q_S + q_{H_2})/q$, then one can build an attacker (simulator) that solves the BDH (bilinear CDH) problem within expected running time

$\tau' \le 120686 \cdot q_{H_2} \cdot \tau \cdot \dfrac{1}{\varepsilon} \cdot \dfrac{1}{(1 - 1/q)^2}$

where $q_{H_1}$, $q_{H_2}$ and $q_S$ denote the maximal numbers of queries to $H_1$, $H_2$ and the signing oracle, respectively.

Proof. We show that any adversary $F$ that breaks the security of the scheme with non-negligible probability $\varepsilon$ after making at most $q_{H_1}$ and $q_{H_2}$ hash queries to $H_1$ and $H_2$, respectively, and requesting $q_K$ public keys can be used to build an adversary $S$ that solves the BDH problem in $G_1$. On input a bilinear Diffie-Hellman instance $(P, aP, bP, cP)$, the BDH adversary $S$ simulates the unforgeability security game for $F$ as follows. To begin the simulation, $S$ guesses which identities $F$ will attempt a forgery against. We denote the target identities by $ID_A$ and $ID_B$, where $ID_A$ is the signer's and $ID_B$ is the designated verifier's identity. The simulator prepares two hash tables, $H_1$-List and $H_2$-List, for the corresponding hash functions, sets the master public key as $P_{pub} = cP$, and thereby implicitly sets the virtual master secret key $s$ to $c$. Of course, the simulator does not know this secret key.

$H_1$ Oracle Query: For each query to $H_1$ on input $ID_i$, the simulator checks if there is an entry for $ID_i$ in the $H_1$-List (the table is initially empty). If so, it outputs the corresponding value. Otherwise, it outputs $aP$ if $ID_i = ID_A$, $bP$ if $ID_i = ID_B$, or $k_i P$ for a randomly chosen $k_i$, and records the pair in the table.

Extract Query: For each key extraction query on input $ID_i$, the simulator checks if $ID_i$ is $ID_A$ or $ID_B$. If so, it aborts. Otherwise, it does the following: (i) look up the $H_1$-List to check whether $ID_i$ is already in the list; (ii) if so, return $k_i P_{pub}$ as the private key $d_{ID_i}$; (iii) otherwise, choose a random value $k_i \in \mathbb{Z}_q^*$, record $(ID_i, k_i P)$ in the table, and return $k_i P_{pub}$ as the private key $d_{ID_i}$. (Note that $k_i P_{pub} = k_i cP = s \cdot k_i P$ is indeed the private key for $Q_{ID_i} = k_i P$.)

$H_2$ Query: For each query to $H_2$ on input $(m_i, t_i)$, where $m_i$ is a message and $t_i \in G_1$ is a group element, the simulator checks if there is an entry in the $H_2$-List. If so, it returns the corresponding value $h_i$. Otherwise, it chooses $h_i$ at random, returns it as the response, and then adds $(m_i, t_i, h_i)$ to the $H_2$-List.

Sign Query: For each signing query on input $(ID_i, ID_j, m_i)$, where $ID_i$ is the signer, $ID_j$ is the designated verifier, and $m_i$ is the message to be signed, the simulator creates the signature using its control over the outputs of $H_1$ and $H_2$ as follows:

(1) If $ID_i = ID_A$ then it chooses random values $r_i$ and $h_i$ and computes $t_i = r_i P - h_i \cdot aP$. If $(m_i, t_i)$ is already in the $H_2$-List then it recomputes $t_i$ with a different $r_i$. It then computes $\sigma_i = e(r_i P_{pub}, Q_{ID_j})$, adds $(m_i, t_i, h_i)$ to the $H_2$-List and returns $(t_i, \sigma_i)$ as the signature on $m_i$. (This is a valid signature, since $t_i + h_i Q_A = r_i P$ and hence $e(t_i + h_i Q_A, d_{ID_j}) = e(r_i P, sQ_{ID_j}) = e(r_i P_{pub}, Q_{ID_j})$.)

(2) If $ID_i = ID_B$ then the simulator responds in the same way as in case (1), with $bP$ in place of $aP$.

(3) If $ID_i \notin \{ID_A, ID_B\}$ then it selects $r_i$ at random and computes $t_i = r_i Q_{ID_i}$. If $(m_i, t_i)$ is in the $H_2$-List, it takes the corresponding value $h_i$; otherwise, it selects a random value $h_i$. Next it computes $\sigma_i = e((r_i + h_i) d_{ID_i}, Q_{ID_j})$ and returns $(t_i, \sigma_i)$ as the signature on $m_i$. It adds $(m_i, t_i, h_i)$ to the $H_2$-List.

After a number of queries, $F$ outputs a purported forgery $(ID_S, ID_V, m, \sigma)$. If $(ID_S, ID_V) \neq (ID_A, ID_B)$ then the attacker $S$ guessed the wrong target signer/designated verifier and must abort. If $\mathrm{Verify}_{d_B}(m, \sigma, Q_A) \neq 1$ or $(m, \sigma)$ is the result of a signing oracle query, the adversary $F$ has failed, so $S$ also aborts.

Now we analyze the probability that the simulator $S$ completes the simulation without aborting so as to obtain a successful forgery. We remark that

$\Pr[(ID_A, ID_B, m, \sigma) \text{ is valid}] \ge \varepsilon;$

$\Pr[h^* \in [q_{H_2}] \mid (ID_A, ID_B, m, \sigma) \text{ is valid}] \ge 1 - 1/q;$

(the third bound is illegible in the source)

From the above equations, we have the bound (illegible in the source).

Applying the Forking Lemma [14] (or the Reset Lemma [1]) with the same random tape but different choices of $H_2$, $S$ finally gets two forgeries $(t, \sigma)$ and $(t, \sigma')$ with $h \neq h'$, $\sigma = e(t + hQ_A, d_B)$ and $\sigma' = e(t + h'Q_A, d_B)$. Then the simulator computes the BDH solution $e(P, P)^{abc}$ as follows:

$\sigma / \sigma' = e((h - h')Q_A, d_B);$

$(\sigma / \sigma')^{1/(h - h')} = e(Q_A, d_B) = e(aP, c \cdot bP) = e(P, P)^{abc}$

If the forger $F$ against the signature scheme has advantage $\varepsilon \ge 10(q_S + 1)(q_S + q_{H_2})/q$ then, by the Forking Lemma, the expected time for the simulator $S$ to solve the BDH problem is bounded above by $120686 \cdot q_{H_2} \cdot \tau \cdot 1/\varepsilon \cdot 1/(1 - 1/q)^2$, as required.
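To make the two steps of the corrected proof concrete, here is an added Python example (not from the paper) over the same kind of toy bilinear map used earlier: $G_1 = (\mathbb{Z}_q, +)$ with $P = 1$, $G_2$ the order-$q$ subgroup of $\mathbb{Z}_p^*$, $e(xP, yP) = g^{xy}$, with the constructed parameters $q = 1019$, $p = 2039$, $g = 4$ that have no security value. It shows (a) how the simulator $S$ answers a signing query for the target signer $ID_A$ without knowing $d_A$, by programming $H_2$ and choosing $t = rP - hQ_A$, which is exactly the capability the defective proofs of Section Ⅳ lacked, and (b) the final extraction of $e(P, P)^{abc}$ from the two forked forgeries $(t, \sigma)$ and $(t, \sigma')$. The values $a, b, c, r$, the programmed hash output and the forgeries' hash values are constructed; the forger's side of the fork is stood in for by computing the two valid signatures directly from the verification equation.

```python
# Toy bilinear group (constructed for this example): q = 1019 and p = 2q + 1 = 2039
# are prime, and g = 4 is a quadratic residue mod p, hence a generator of the
# order-q subgroup of Z_p^*.  G1 is modelled as (Z_q, +) with generator P = 1, so
# the point "xP" is just x mod q.  The map is bilinear and non-degenerate but
# discrete logs in G1 are trivial: it checks algebra only and provides NO security.
Q, P_MOD, G2_GEN = 1019, 2039, 4
P = 1


def pairing(x, y):
    """e(xP, yP) = g^(xy) in the toy group."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)


def bdh_instance(a, b, c):
    """(P, aP, bP, cP) as handed to the simulator S; a, b, c stay hidden from S."""
    return P, (a * P) % Q, (b * P) % Q, (c * P) % Q


def simulate_sign_query(aP, cP, q_j, programmed_h, r):
    """S answers a signing query for the *target* signer A (Q_A = aP) without d_A:
    it programs H2(m, t) := h and sets t = rP - h*Q_A, so that t + h*Q_A = rP and
    e(t + h*Q_A, d_j) = e(rP, s*Q_j) = e(r*P_pub, Q_j), computable from cP = P_pub."""
    h = programmed_h
    t = (r * P - h * aP) % Q
    sigma = pairing((r * cP) % Q, q_j)
    return t, h, sigma


def honest_verify(d_j, q_a, t, h, sigma):
    """Du-Wen verification with the verifier's real key d_j; used here only to
    confirm that the simulated answer is a valid signature."""
    return sigma == pairing((t + h * q_a) % Q, d_j)


def fork_forgeries(aP, bP, cP, t, h, h_prime, c):
    """Stand-in for the forger after the fork: two valid signatures on the same t
    (same random tape) under different H2 answers h != h'.  The forger's side uses
    d_B = s*Q_B = c*bP, which S itself never sees."""
    d_b = (c * bP) % Q
    return pairing((t + h * aP) % Q, d_b), pairing((t + h_prime * aP) % Q, d_b)


def solve_bdh_from_fork(sigma, sigma_p, h, h_prime):
    """sigma/sigma' = e((h - h')Q_A, d_B); raising to 1/(h - h') gives
    e(Q_A, d_B) = e(aP, c*bP) = e(P, P)^(abc), the BDH solution."""
    ratio = (sigma * pow(sigma_p, -1, P_MOD)) % P_MOD
    inv = pow((h - h_prime) % Q, -1, Q)        # needs h != h' (mod q)
    return pow(ratio, inv, P_MOD)


def demo(a=123, b=456, c=789):
    """Returns (signing query answered validly, extracted value == e(P,P)^abc)."""
    _, aP, bP, cP = bdh_instance(a, b, c)
    # (a) a signing query (ID_A -> ID_B) answered without d_A; h = 17, r = 31 constructed
    t, h, sigma = simulate_sign_query(aP, cP, bP, programmed_h=17, r=31)
    d_b = (c * bP) % Q                           # real key, used for the check only
    sim_ok = honest_verify(d_b, aP, t, h, sigma)
    # (b) forking: two forgeries on the same t = 77 with h = 5 and h' = 611 (constructed)
    s1, s2 = fork_forgeries(aP, bP, cP, t=77, h=5, h_prime=611, c=c)
    extracted = solve_bdh_from_fork(s1, s2, 5, 611)
    target = pow(G2_GEN, (a * b * c) % Q, P_MOD)  # e(P,P)^(abc), for the check only
    return sim_ok, extracted == target
```

Step (a) is the point of Section Ⅳ in code form: because $S$ can answer chosen-message queries for the target identities, the forger it builds on is the one from Definition 4, not a no-message attacker. Step (b) never uses $a$, $b$ or $c$ inside `solve_bdh_from_fork`; they appear only to build the forger's outputs and to check the result.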

The other security requirements, such as non-transferability and strongness, are analyzed in the same way as Du et al. did. We remark that Huang et al. argued that Du et al.'s scheme does not provide source hiding because the verification equation is $\sigma = e(t + hQ_A, d_B)$ and the verifier uses the signer's public key $Q_A$ for verification. However, contrary to their argument, this fact does not imply a lack of source hiding. Indeed, since the verifier can simulate the transcripts, the adversary cannot tell the source even if the private keys are revealed. Moreover, even if the verifier is honest, the attacker cannot determine the source without knowledge of the verifier's private key.

Ⅶ. Conclusion

In this paper, we have pointed out that the security proofs of some designated verifier signature schemes do not capture real adversaries but reflect only no-message attackers. We have also presented concrete attacks on the Huang-Chou DVS scheme. The (improved) Du-Wen DVS scheme has the same problem in its security proof of unforgeability, even though the scheme itself is secure; to show that the Du-Wen scheme is secure, we have given a correct security proof of unforgeability against adaptively chosen message attack. Our work draws attention to the danger present in DVS schemes, as in other cryptographic schemes, that lack rigorous analysis.

References

  1. M. Bellare and A. Palacio, "GQ and Schnorr Identification Schemes: Proofs and Security against Impersonation under Active and Concurrent Attacks," Crypto'02, LNCS 2442, Springer-Verlag, pp. 162-177, 2002.
  2. J.C. Cha and J.H. Cheon, "An identity- based signature from gap Diffie- Hellman groups," PKC'03, LNCS 2567, Springer-Verlag, pp. 18-30, 2003.
  3. D. Chaum, "Private signature and proof systems," US Patent No. 5493614, 1996.
  4. D. Chaum and H. van Antwerpen, "Undeniable signature," Crypto'89, LNCS 485, Springer-Verlag, pp. 212-216, 1990.
  5. H. Du and Q. Wen, "Attack on Kang et al.'s Identity-based strong designated verifier signature scheme," IACR ePrint 2008/297, 2008.
  6. F. Hess, "Efficient identity based signature schemes based on pairing," SAC 2002, LNCS 2595, Springer-Verlag, pp. 310-324, 2002.
  7. H. Huang and J. Chou, "A provably secure really source hiding designated verifier signature scheme based on random oracle model," IACR ePrint 2009/348, 2009.
  8. X. Huang, W. Susilo, Y. Mu, and F. Zhang, "Short designated verifier signature scheme and its identity-based variants," International Journal of Network Security, Vol. 6, No. 1, pp. 82-93, Jan. 2008.
  9. X. Huang, W. Susilo, Y. Mu and F. Zhang, "Short (identity-based) designated verifier signature schemes," ISPEC 2006, LNCS 3903, Springer-Verlag, pp. 214- 225, 2006.
  10. M. Jakobsson, K. Sako and R. Impagliazzo, "Designated Verifier Proofs and Their Applications," Eurocrypt'96, LNCS 1070, Springer-Verlag, pp. 142-154, 1996.
  11. B. Kang, C. Boyd and Ed Dawson, "Identity-based strong designated verifier signature schemes: Attacks and new construction," Computers & Electrical Engineering, Volume 35, Issue 1, Elsevier, pp. 49-53, 2009. https://doi.org/10.1016/j.compeleceng.2008.05.004
  12. B. Kang, C. Boyd and Ed Dawson, "A novel identity-based strong designated verifier signature scheme," Journal of Systems and Software, Volume 82, Issue 2, Elsevier, pp. 270-273, 2009. https://doi.org/10.1016/j.jss.2008.06.014
  13. K. Kumar, G. Shailaja and A. Saxena, "Identity based strong designated verifier signature scheme," IACR ePrint 2006/134, 2006.
  14. D. Pointcheval, J. Stern, "Security arguments for digital signatures and blind signatures," Journal of Cryptology, Vol. 13, No. 3, Springer-Verlag, pp. 361-396, 2000. https://doi.org/10.1007/s001450010003
  15. S. Saeednia, S. Kremer, and O. Markovitch, "An efficient strong designated verifier signature scheme," In ICISC 2003, LNCS 2869, Springer-Verlag, pp. 40-54, 2003.
  16. W. Susilo, F. Zhang, and Y. Mu, "Identity- based strong designated verifier signature scheme," In ACISP 2004, LNCS 3108, Springer-Verlag, pp. 313-324, 2004.
  17. J. Zhang and J. Mao, "A novel ID-based designated verifier signature scheme," Information Sciences, Volume 178, Issue 3, Elsevier, pp. 766-773, 2008. https://doi.org/10.1016/j.ins.2007.07.005