Designated Verifier Signature with Repudiability

Takumi Matsuura, Graduate School of Information Science and Technology, Osaka University, Japan
Keisuke Hara, National Institute of Advanced Industrial Science and Technology, Japan
Kyosuke Yamashita, Osaka University / National Institute of Advanced Industrial Science and Technology, Japan

Designated Verifier Signature (DVS) is an extension of digital signature that allows the specification of the verifier. This feature is realized by granting the designated verifier the privilege of simulating a valid signature, thereby virtually invalidating the third-party verification of the signature. However, this implementation means that when a malicious verifier is designated, signature forgery can be easily accomplished.

Because DVS disables third-party verification of a signature, there is significant potential for a forged signature to compromise the credibility of the victim. To address such problems, it is desirable to introduce a feature by which victims can assert that a signature is forged.

Therefore, in this paper, we propose an extension of DVS called Repudiable Designated Verifier Signature (RDVS), which allows signers to repudiate their signatures in such scenarios. Furthermore, we demonstrate that RDVS can be generally constructed from the Repudiable Ring Signatures (Park and Sealfon, CRYPTO’19).

Keywords: designated verifier signature, ring signature, anonymity, traceability, repudiability.

ACM Reference Format:
Takumi Matsuura, Keisuke Hara, and Kyosuke Yamashita. 2024. Designated Verifier Signature with Repudiability. In The 11th ACM ASIA Public-Key Cryptography Workshop (APKC '24), July 01-05, 2024, Singapore, Singapore. ACM, New York, NY, USA, 10 pages. https://doi.org/10.1145/3659467.3659901

1 INTRODUCTION

Designated verifier signature [3, 7] is a signature scheme in which a signer can designate a single verifier who can verify a signature. Furthermore, the designated verifier is capable of simulating the signer's signature, so that other non-designated verifiers cannot identify who created the signature. This property is called off-the-record (OTR). Thanks to OTR, DVS is expected to be used in secure messaging applications [4, 10].

DVS exhibits a fundamental shortcoming that stems from OTR: a designated verifier can forge the signature of a signer merely by running the simulator. Of course, third parties do not trust such a signature due to OTR, but in practice there is a potential risk of damaging the reputation of the signer. Suppose that Sophia, a politician, designates David, a journalist, to communicate privately. David can forge Sophia's signature on a message in which she admits to receiving a bribe. There is no reason to believe the signature, but mass media adversarial to Sophia could report it to diminish her credibility. Hence, it is important to propose a DVS equipped with repudiability.

In this article, we propose the formalization of repudiable DVS (RDVS) to deal with the above problem. Furthermore, we demonstrate a generic construction of RDVS from repudiable ring signature (RRS) [12]. Since it is known that RRS is generally obtained from ZAP [5] and Verifiable Random Function (VRF) [11], RDVS can be constructed from ZAP and VRF as well. We believe that repudiability is indispensable for DVS.

1.1 Related Work

Recently, a DVS equipped with claimability has been proposed [16]. Claimability is a property by which a signer can claim ownership of a signature if she indeed created it. We note that both repudiability and claimability are proposed by Park and Sealfon [12]. In addition to this, various DVS with different properties have been proposed so far [2, 6, 13, 14].

Laguillaumie and Vergnaud [8] propose a multi-verifier variant of DVS (MDVS) in the early 2000s. They propose a generic construction of MDVS from ring signature, and several constructions of MDVS have been proposed by following their idea [9, 17]. However, recently, Yamashita and Hara [15] point out that their construction is flawed and demonstrate a black-box impossibility of MDVS from ring signature.

Recently, a stronger definition of MDVS has been proposed [1, 4]. Conventionally, all designated verifiers should collude to run the simulator. However, they relax this requirement so that a subset of designated verifiers is sufficient to run the simulator.

2 PRELIMINARY

We let $\lambda \in \mathbb {N}$ be a security parameter, $\mathsf {poly}()$ be a polynomial function, and $\mathsf {negl}()$ be a negligible function. For any $n \in \mathbb {N}$, we let $[n] = \lbrace 1, 2, \ldots, n \rbrace$. Throughout this article, we let $n = \mathsf {poly}(\lambda)$ and $m = \mathsf {poly}(\lambda)$, respectively.

We denote probabilistic polynomial time by PPT. For an algorithm Π with a subroutine X, we denote the subroutine by Π.X. Every algorithm is implicitly given a security parameter $1^\lambda$ as an input.

2.1 Repudiable Ring Signature

We introduce RRS, which will be used as a building block for our RDVS.

Definition 1 (Repudiable Ring Signature) A repudiable ring signature (RRS) consists of six polynomial time algorithms $(\mathsf {Set}, {\sf KG}, {\sf RSig}, {\sf Vrf}, {\sf Rpd}, {\sf RpdVrf})$ that work as follows:

  • $\mathsf {Set}(1^\lambda) \rightarrow {\sf pp}$: Given a security parameter $1^\lambda$, it outputs a public parameter ${\sf pp}$.
  • ${\sf KG}({\sf pp}) \rightarrow ({\sf pk}, {\sf sk})$: Given a public parameter ${\sf pp}$, it outputs a public key ${\sf pk}$ and secret key ${\sf sk}$.
  • ${\sf RSig}({\sf pp}, \lbrace {\sf pk}_i \rbrace _{i \in [n]}, {\sf sk}, \mathsf {m}) \rightarrow \sigma$: Given a public parameter ${\sf pp}$, a set of public keys (or a ring) $\lbrace {\sf pk}_i \rbrace _{i \in [n]}$, a secret key ${\sf sk}$, and a message $\mathsf {m}$, it outputs a signature σ. If there is no ${\sf pk}\in \lbrace {\sf pk}_i \rbrace _{i\in [n]}$ s.t. $({\sf pk}, {\sf sk}) \leftarrow {\sf KG}({\sf pp})$, then it outputs ⊥.
  • $\mathsf {Vrf}({\sf pp}, \lbrace {\sf pk}_i \rbrace _{i \in [n]}, \mathsf {m}, \sigma) = 1/0$: Given a public parameter ${\sf pp}$, a set of public keys (or a ring) $\lbrace {\sf pk}_i \rbrace _{i \in [n]}$, a message $\mathsf {m}$, and a signature σ, it outputs 1 (meaning valid) or 0 (meaning invalid).
  • ${\sf Rpd}({\sf pp}, \lbrace {\sf pk}_i \rbrace _{i \in [n]}, {\sf sk}{}, \mathsf {m}, \sigma) \rightarrow \xi /\bot$: Given a public parameter ${\sf pp}$, a set of public keys (or a ring) $\lbrace {\sf pk}_i \rbrace _{i \in [n]}$, a non-signer's secret key ${\sf sk}{}$, a message $\mathsf {m}$, and a signature σ, it outputs a repudiation ξ. If there is no ${\sf pk}\in \lbrace {\sf pk}_i \rbrace _{i\in [n]}$ s.t. $({\sf pk}, {\sf sk}) \leftarrow {\sf KG}({\sf pp})$, then it outputs ⊥.
  • ${\sf RpdVrf}({\sf pp}, \lbrace {\sf pk}_i \rbrace _{i \in [n]}, {\sf pk}, \mathsf {m}, \sigma, \xi) = 1/0$: Given a public parameter ${\sf pp}$, a set of public keys $\lbrace {\sf pk}_i \rbrace _{i \in [n]}$, a public key ${\sf pk}$, a message $\mathsf {m}$, a signature σ, and a repudiation ξ, it outputs 1 (meaning valid) or 0 (meaning invalid).

Definition 2 (Correctness) An RRS $\Pi _{\rm\small {RRS}}= (\mathsf {Set}, {\sf KG}, {\sf RSig}, {\sf Vrf}, {\sf Rpd}, {\sf RpdVrf})$ satisfies correctness if for any security parameter λ, any ${\sf pp}\leftarrow \mathsf {Set}(1^\lambda)$, any ring $R = \lbrace {\sf pk}_i \rbrace _{i\in [n]}$, any secret key ${\sf sk}$, any message $\mathsf {m}$, and any signature $\sigma \leftarrow {\sf RSig}({\sf pp}, R, {\sf sk}{}, \mathsf {m})$, it holds that

Math 43
where $\forall i \in [n], ({\sf pk}_i, {\sf sk}_i) \leftarrow {\sf KG}({\sf pp})$, in particular, there exists ${\sf sk}\in \lbrace {\sf sk}_i \rbrace _{i\in [n]}$.

The security of a repudiable ring signature requires unforgeability, anonymity, and repudiability. They are defined as follows.

Definition 3 (EUF-CMA) An RRS $\Pi _{\rm\small {RRS}}= (\mathsf {Set}, {\sf KG}, {\sf RSig}, {\sf Vrf}, {\sf Rpd}, {\sf RpdVrf})$ is existentially unforgeable under an adaptive chosen-message attack (EUF-CMA) if for any sufficiently large security parameter λ, and any PPT adversary $\mathcal {A}$, $\Pr [\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathcal {A}}(1^{\lambda }) = 1] \le \mathsf {negl}(\lambda)$ where the experiment $\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathcal {A}}(1^{\lambda })$ is defined as follows:

\begin{eqnarray*} \begin{aligned} \begin{array}{l}\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathcal {A}}(1^{\lambda })\\ \hline L_\mathsf {SK}:=\emptyset ; L_\mathsf {RSig}:=\emptyset ; L_\mathsf {Rpd}:=\emptyset ;\\ {\sf pp}\leftarrow \Pi _{\rm\small {RRS}}.\mathsf {Set}(1^\lambda);\\ \forall i \in [n], ({\sf pk}_i, {\sf sk}_i) \leftarrow \Pi _{\rm\small {RRS}}.{\sf KG}({\sf pp});\\ (R^*, \mathsf {m}^*, \sigma ^*) \leftarrow \mathcal {A}^{\mathsf {O}_\mathsf {SK}, \mathsf {O}_\mathsf {RSig}, \mathsf {O}_\mathsf {Rpd}}({\sf pp}, \lbrace {\sf pk}_i \rbrace _{i\in [n]});\\ b \leftarrow \Pi _{\rm\small {RRS}}.\mathsf {Vrf}({\sf pp}, R^*, \mathsf {m}^*, \sigma ^*)\\ {\rm abort\, the\, experiment\, if\, } \exists {\sf pk}\in R^* \,{\rm s.t.}\, ({\sf pk}, \cdot) \in L_\mathsf {SK}\\ \quad \vee R^* \not\subseteq \lbrace {\sf pk}_i \rbrace _{i\in [n]} \vee (R^*, \mathsf {m}^*, \cdot) \in L_\mathsf {RSig}:\\ {\rm output\, } 1 {\rm \, if\, } b = 1\\ {\rm otherwise\, } 0 \end{array} \end{aligned} \end{eqnarray*}

where the oracles $\mathsf {O}_\mathsf {SK}, \mathsf {O}_\mathsf {RSig}, \mathsf {O}_\mathsf {Rpd}$ work as follows:

  • $\mathsf {O}_\mathsf {SK}$: Given a public key ${\sf pk}\in \lbrace {\sf pk}_i \rbrace _{i\in [n]}$, it works as follows.
    • If $({\sf pk}, {\sf sk}) \in L_\mathsf {SK}$, then output ${\sf sk}$.
    • Otherwise, it outputs a secret key ${\sf sk}$ corresponding to ${\sf pk}$, and updates $L_\mathsf {SK}:=L_\mathsf {SK}\cup \lbrace ({\sf pk}, {\sf sk}) \rbrace$.
    Here we call the signer corresponding to the key pair $({\sf pk}, {\sf sk})$ a corrupted one.
  • $\mathsf {O}_\mathsf {RSig}$: Given a ring $R \subseteq \lbrace {\sf pk}_i \rbrace _{i \in [n]}$, a signer's public key ${\sf pk}\in R$ whose corresponding secret key is ${\sf sk}$, and a message $\mathsf {m}$, it works as follows.
    • If $(R, {\sf pk}, \mathsf {m}, \sigma) \in L_\mathsf {RSig}$, then output σ.
    • Otherwise, it outputs $\sigma \leftarrow \Pi _{\rm\small {RRS}}.{\sf RSig}({\sf pp}, R, {\sf sk}, \mathsf {m})$, and updates $L_\mathsf {RSig}:=L_\mathsf {RSig}\cup \lbrace (R, {\sf pk}, \mathsf {m}, \sigma) \rbrace$.
  • $\mathsf {O}_\mathsf {Rpd}$: Given a ring $R \subseteq \lbrace {\sf pk}_i \rbrace _{i \in [n]}$, a non-signer's public key ${\sf pk}\in R$ whose corresponding secret key is ${\sf sk}$, a message $\mathsf {m}$, and a signature σ, it works as follows.
    • If $\Pi _{\rm\small {RRS}}.\mathsf {Vrf}({\sf pp}, R, \mathsf {m}, \sigma) = 0$, then output ⊥.
    • If $(R, {\sf pk}, \mathsf {m}, \sigma, \xi) \in L_\mathsf {Rpd}$, then output ξ.
    • Otherwise, it outputs $\xi \leftarrow \Pi _{\rm\small {RRS}}.{\sf Rpd}({\sf pp}, R, {\sf sk}, \mathsf {m}, \sigma)$, and updates $L_\mathsf {Rpd}:=L_\mathsf {Rpd}\cup \lbrace (R, {\sf pk}, \mathsf {m}, \sigma, \xi) \rbrace$, where the secret key ${\sf sk}$ corresponds to the public key ${\sf pk}$.

Definition 4 (Anonymity) An RRS $\Pi _{\rm\small {RRS}}= (\mathsf {Set}, {\sf KG}, {\sf RSig}, {\sf Vrf}, {\sf Rpd}, {\sf RpdVrf})$ satisfies anonymity if for any sufficiently large security parameter λ, and any PPT adversary $\mathcal {A}$,

Math 81
where the experiment $\mathsf {ExpAnoRRS}$ is defined as follows:
\begin{eqnarray*} \begin{aligned} \begin{array}{l}\mathsf {ExpAnoRRS}_{\Pi _{\rm\small {RRS}}, \mathcal {A}}(1^{\lambda })\\ \hline L_\mathsf {SK}:=\emptyset ; L_\mathsf {RSig}:=\emptyset ; L_\mathsf {Rpd}:=\emptyset ;\\ {\sf pp}\leftarrow \Pi _{\rm\small {RRS}}.\mathsf {Set}(1^\lambda);\\ \forall i \in [n], ({\sf pk}_{i}, {\sf sk}_{i}) \leftarrow \Pi _{\rm\small {RRS}}.\mathsf {SKG}({\sf pp});\\ ({\sf pk}_{i_0}^*, {\sf pk}_{i_1}^*, \mathsf {m}^*, R^*) \leftarrow \mathcal {A}^{\mathsf {O}_\mathsf {SK}, \mathsf {O}_\mathsf {Sig}, \mathsf {O}_\mathsf {Rpd}}({\sf pp}, \lbrace {\sf pk}_{i} \rbrace _{i \in [n]});\\ b \leftarrow \lbrace 0, 1 \rbrace ; \\ \sigma \leftarrow \Pi _{\rm\small {RRS}}.{\sf RSig}({\sf pp}, {\sf sk}_{i_b}^*, R^*, \mathsf {m}^*);\\ b^* \leftarrow \mathcal {A}^{ \mathsf {O}_\mathsf {Sig}, \mathsf {O}_\mathsf {Rpd}^{\langle R^*, \mathsf {m}^*\rangle }}(\sigma):\\ {\rm output} \, 1 \, {\rm if}\, b^* = b \wedge ({\sf pk}_{i_0}^*, \cdot)\notin L_\mathsf {SK}\wedge ({\sf pk}_{i_1}^*, \cdot) \notin L_\mathsf {SK}\\ {\rm otherwise}\, 0 \end{array} \end{aligned} \end{eqnarray*}
where the oracles other than $\mathsf {O}_\mathsf {Rpd}^{\langle R^*, \mathsf {m}^*\rangle }$ are the same as in Definition 3. The oracle $\mathsf {O}_\mathsf {Rpd}^{\langle R^*, \mathsf {m}^*\rangle }$ outputs ⊥ when $(R^*, \cdot, \mathsf {m}^*, \cdot)$ is given as input, otherwise it works as $\mathsf {O}_\mathsf {Rpd}$.

We provide supplemental remarks on the definition of anonymity. Park et al. [12] present a more general formulation of anonymity for RRS, in which an adversary $\mathcal {A}$ can access the corruption oracle $\mathsf {O}_\mathsf {SK}$ even after receiving a signature σ. However, the RRS construction they propose satisfies anonymity only under the restriction on access to the corruption oracle given in Definition 4. As the currently known constructions of RRS are solely based on the work by Park et al. [12], we have chosen to adopt the security requirements of their construction.

Definition 5 (Repudiability) An RRS $\Pi _{\rm\small {RRS}}= (\mathsf {Set}, {\sf KG}, {\sf RSig}, {\sf Vrf}, {\sf Rpd}, {\sf RpdVrf})$ satisfies repudiability if it satisfies all of the following conditions.

(non-signer's repudiability). For any large security parameter λ and any PPT adversary $\mathcal {A}$,

Math 92
where $\mathsf {ExpRpdRRS}$ is defined as follows:
\begin{eqnarray*} \begin{aligned} \begin{array}{l}\mathsf {ExpRpdRRS}_{\Pi _{\rm\small {RRS}}, \mathcal {A}}(1^\lambda)\\ \hline L_\mathsf {RSig}:=\emptyset ; L_\mathsf {Rpd}:=\emptyset ;\\ {\sf pp}\leftarrow \Pi _{\rm\small {RRS}}.\mathsf {Set}(1^\lambda); ({\sf pk}, {\sf sk}) \leftarrow \Pi _{\rm\small {RRS}}.{\sf KG}({\sf pp});\\ (R^*, \mathsf {m}^*, \sigma ^*) \leftarrow \mathcal {A}^{\mathsf {O}_\mathsf {RSig}^{({\sf pk},{\sf sk})}, \! \mathsf {O}_\mathsf {Rpd}^{({\sf pk},{\sf sk})}}({\sf pp}, \! {\sf pk});\\ \xi \leftarrow \Pi _{\rm\small {RRS}}.{\sf Rpd}({\sf pp}, R^*, {\sf sk}, \mathsf {m}^*, \sigma ^*);\\ b \leftarrow \Pi _{\rm\small {RRS}}.{\sf RpdVrf}({\sf pp}, R^*, {\sf pk}, \mathsf {m}^*, \sigma ^*, \xi);\\ {\rm abort\, the\, experiment\, if\,} \Pi _{\rm\small {RRS}}.\mathsf {Vrf}({\sf pp}, R^*, \mathsf {m}^*, \sigma ^*) = 0\\ \quad \vee (R^*, \mathsf {m}^*, \cdot) \in L_\mathsf {RSig}:\\ {\rm output}\, 1\, {\rm if}\, b = 1\, {\rm otherwise}\, 0\\ \end{array} \end{aligned} \end{eqnarray*}

where the oracles $\mathsf {O}_\mathsf {RSig}^{({\sf pk}, {\sf sk})}$ and $\mathsf {O}_\mathsf {Rpd}^{({\sf pk}, {\sf sk})}$ work as follows:

  • $\mathsf {O}_\mathsf {RSig}^{({\sf pk},{\sf sk})}$: Given a ring R and a message $\mathsf {m}$, it works as follows.
    • If $(R \cup \lbrace {\sf pk} \rbrace, \mathsf {m}, \sigma) \in L_\mathsf {RSig}$, then output σ.
    • Otherwise, it outputs $\sigma \leftarrow \Pi _{\rm\small {RRS}}.{\sf RSig}({\sf pp}, R \cup \lbrace {\sf pk} \rbrace, {\sf sk}, \mathsf {m})$, and updates $L_\mathsf {RSig}:=L_\mathsf {RSig}\cup \lbrace (R \cup \lbrace {\sf pk} \rbrace, \mathsf {m}, \sigma) \rbrace$.
  • $\mathsf {O}_\mathsf {Rpd}^{({\sf pk},{\sf sk})}$: Given a ring R, a message $\mathsf {m}$, and a signature σ, it works as follows.
    • If $(R \cup \lbrace {\sf pk} \rbrace, \mathsf {m}, \sigma, \xi) \in L_\mathsf {Rpd}$, then output ξ.
    • Otherwise, it outputs $\xi \leftarrow \Pi _{\rm\small {RRS}}.{\sf Rpd}({\sf pp}, R \cup \lbrace {\sf pk} \rbrace, {\sf sk}, \mathsf {m}, \sigma)$, and updates $L_\mathsf {Rpd}:=L_\mathsf {Rpd}\cup \lbrace (R \cup \lbrace {\sf pk} \rbrace, \mathsf {m}, \sigma, \xi) \rbrace$.

(signer's non-repudiability). For any large security parameter λ and any PPT adversary $\mathcal {A}$,

Math 108
where the experiment $\mathsf {ExpFlsRpdRRS}$ is defined as follows:
\begin{eqnarray*} \begin{aligned} \begin{array}{l}\mathsf {ExpFlsRpdRRS}_{\Pi _{\rm\small {RRS}}, \mathcal {A}}(1^\lambda)\\ \hline L_\mathsf {RSig}:=\emptyset ; L_\mathsf {Rpd}:=\emptyset ;\\ {\sf pp}\leftarrow \Pi _{\rm\small {RRS}}.\mathsf {Set}(1^\lambda);\\ \forall i \in [n], ({\sf pk}_i, {\sf sk}_i) \leftarrow \Pi _{\rm\small {RRS}}.{\sf KG}({\sf pp});\\ (R^*, \mathsf {m}^*, \sigma ^*, \lbrace \xi ^*_{{\sf pk}} \rbrace _{{\sf pk}\in R^*\setminus \lbrace {\sf pk}_i \rbrace _{i \in [n]}}) \\ \quad \leftarrow \mathcal {A}^{\mathsf {O}_\mathsf {RSig}, \mathsf {O}_\mathsf {Rpd}}({\sf pp}, \lbrace {\sf pk}_i \rbrace _{i \in [n]});\\ \forall {\sf pk}\in R^*\setminus \lbrace {\sf pk}_i \rbrace _{i \in [n]},\\ \quad b_{{\sf pk}} \leftarrow \Pi _{\rm\small {RRS}}.{\sf RpdVrf}({\sf pp}, R^*, \mathsf {m}^*, \sigma ^*, \xi ^*_{{\sf pk}});\\ {\rm abort\, the\, experiment\, if\,}\, \Pi _{\rm\small {RRS}}.\mathsf {Vrf}({\sf pp}, R^*, \mathsf {m}^*, \sigma ^*) = 0 \\ \quad \vee R^* \cap \lbrace {\sf pk}_i \rbrace _{i \in [n]} = \emptyset \vee (R^*, \mathsf {m}^*, \cdot) \in L_\mathsf {RSig}:\\ {\rm output}\, 1 \,{\rm if\,} \bigwedge \limits _{{\sf pk}\in R^*\setminus \lbrace {\sf pk}_i \rbrace _{i \in [n]}} b_{{\sf pk}} = 1\\ {\rm otherwise\, }0 \end{array} \end{aligned} \end{eqnarray*}

where the oracles $\mathsf {O}_\mathsf {RSig}, \mathsf {O}_\mathsf {Rpd}$ are the same as in Definition 3.

We provide additional details about the experiment $\mathsf {ExpFlsRpdRRS}$. This experiment captures that a malicious signer cannot generate a repudiation for a ring signature that he generates with honest members. Since a corruption oracle is not given in this experiment, the adversary cannot learn a secret key generated by the challenger with better than negligible probability. So, if the adversary generates a valid signature, it is generated with a (corrupted) key that he made himself. Also, the challenge signature cannot be obtained from the oracles. Therefore, if the repudiation is valid against such corrupted keys, the malicious signer can sign and repudiate.

3 RDVS

We introduce the new cryptographic primitive, repudiable designated verifier signature, whose definition is provided as follows.

3.1 Syntax

Definition 6 (RDVS) A repudiable designated verifier signature scheme (RDVS) consists of eight polynomial time algorithms $(\mathsf {Set}, \mathsf {SKG}, \mathsf {VKG}, \mathsf {DVSign}, {\sf Sim}, \mathsf {Vrf}, {\sf Rpd}, {\sf RpdVrf})$ that work as follows:

  • $\mathsf {Set}(1^\lambda) \rightarrow ({\sf pp})$: Given a security parameter $1^\lambda$, it outputs a public parameter ${\sf pp}$.
  • $\mathsf {SKG}({\sf pp}) \rightarrow ({\sf spk}_{}, {\sf ssk}_{})$: Given a public parameter ${\sf pp}$, it outputs a signer's public key ${\sf spk}_{}$ and secret key ${\sf ssk}_{}$.
  • $\mathsf {VKG}({\sf pp}) \rightarrow ({\sf vpk}_{}, {\sf vsk}_{})$: Given a public parameter ${\sf pp}$, it outputs a verifier's public key ${\sf vpk}_{}$ and secret key ${\sf vsk}_{}$.
  • $\mathsf {DVSign}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf ssk}_{}, \mathsf {m}) \rightarrow \sigma /\bot$: Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a signer's secret key ${\sf ssk}_{}$, and a message $\mathsf {m}$, it outputs a signature σ or ⊥.
  • ${\sf Sim}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf vsk}_{}, \mathsf {m}) \rightarrow \sigma /\bot$ : Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a verifier's secret key ${\sf vsk}_{}$, and a message $\mathsf {m}$, it outputs a signature σ or ⊥.
  • $\mathsf {Vrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf vsk}_{}, \mathsf {m}, \sigma) \rightarrow 1/0$: Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a verifier's secret key ${\sf vsk}_{}$, a message $\mathsf {m}$, and a signature σ, it outputs 1 (meaning valid) or 0 (meaning invalid).
  • ${\sf Rpd}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf ssk}_{}, \mathsf {m}, \sigma) \rightarrow \xi /\bot$ : Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a signer's secret key ${\sf ssk}_{}$, a message $\mathsf {m}$, and a signature σ, it outputs a repudiation ξ or ⊥.
  • ${\sf RpdVrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma, \xi) = 1/0$: Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a message $\mathsf {m}$, a signature σ, and a repudiation ξ, it outputs 1 (meaning valid) or 0 (meaning invalid).

Definition 7 (Correctness) An RDVS $\Pi _{\rm\small {RDVS}}= (\mathsf {Set}, \mathsf {SKG}, \mathsf {VKG}, \mathsf {DVSign}, {\sf Sim}, \mathsf {Vrf}, {\sf Rpd}, {\sf RpdVrf})$ satisfies correctness if for any security parameter λ, any public parameter $({\sf pp}) \leftarrow \mathsf {Set}(1^\lambda)$, any signer's key pair $({\sf spk}_{}, {\sf ssk}_{}) \leftarrow \mathsf {SKG}({\sf pp})$, any verifier's key pair $({\sf vpk}_{}, {\sf vsk}_{}) \leftarrow \mathsf {VKG}({\sf pp})$, any message $\mathsf {m}$, and any signature $\sigma \leftarrow \mathsf {DVSign}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf ssk}_{}, \mathsf {m})$, it holds that

Math 160

In MDVS (Multi DVS) proposed by Damgård et al. [4] (which does not possess repudiability), the key generation algorithm is given a user identification as an input. This paper does not need such identification because, in our RDVS, only a single verifier is designated. For generality, the signer's key generation algorithm and the verifier's one are described separately, but they can be the same.

3.2 Security requirements

Definition 8 (EUF-CMA) An RDVS $\Pi _{\rm\small {RDVS}}= (\mathsf {Set}, \mathsf {SKG}, \mathsf {VKG}, \mathsf {DVSign}, {\sf Sim}, \mathsf {Vrf}, {\sf Rpd}, {\sf RpdVrf})$ is existentially unforgeable under an adaptive chosen-message attack (EUF-CMA) if for any sufficiently large security parameter λ and any PPT adversary $\mathcal {A}$, it holds that

Math 163
where the experiment $\mathsf {ExpEUFDVS}$ is defined as follows:
\begin{eqnarray*} \begin{aligned} \begin{array}{l}\mathsf {ExpEUFDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}(1^{\lambda })\\ \hline L_\mathsf {SSK}:=\emptyset ; L_\mathsf {VSK}:=\emptyset ; L_\mathsf {DVSig}:=\emptyset ; L_\mathsf {Rpd}:=\emptyset ;\\ {\sf pp}\leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {Set}(1^\lambda);\\ \forall i \in [n], ({\sf spk}_{i}, {\sf ssk}_{i}) \leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {SKG}({\sf pp});\\ \forall j \in [m], ({\sf vpk}_{j}, {\sf vsk}_{j}) \leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {VKG}({\sf pp});\\ ({\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*)\\ \quad \leftarrow \mathcal {A}^{\mathsf {O}_\mathsf {SSK}, \! \mathsf {O}_\mathsf {VSK}, \! \mathsf {O}_\mathsf {DVSig}, \! \mathsf {O}_\mathsf {Vrf}, \! \mathsf {O}_\mathsf {Rpd}}({\sf pp}, \! \lbrace {\sf spk}_{i} \rbrace _{i \in [n]}, \! \lbrace {\sf vpk}_{j} \rbrace _{j \in [m]}):\\ {\rm output}\, 1\, {\rm if}\, ({\sf spk}_{}^* \in \lbrace {\sf spk}_{i} \rbrace _{i \in [n]}) \wedge ({\sf vpk}_{}^* \in \lbrace {\sf vpk}_{j} \rbrace _{j \in [m]})\\ \quad \wedge (({\sf spk}_{}^*, \cdot) \notin L_\mathsf {SSK}) \wedge (({\sf vpk}_{}^*, {\sf vsk}_{}^*) \notin L_\mathsf {VSK})\\ \quad \wedge (({\sf spk}_{}^*,{\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*) \notin L_\mathsf {DVSig})\\ \quad \wedge (\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp}, {\sf spk}_{}^*, {\sf vpk}_{}^*, {\sf vsk}_{}^*, m^*, \sigma ^*) = 1)\\ {\rm otherwise} \, 0 \end{array} \end{aligned} \end{eqnarray*}
where the oracles $\mathsf {O}_\mathsf {SSK}, \mathsf {O}_\mathsf {VSK}, \mathsf {O}_\mathsf {DVSig}, \mathsf {O}_\mathsf {Vrf}, \mathsf {O}_\mathsf {Rpd}$ work as follows:

  • $\mathsf {O}_\mathsf {SSK}$: Given a signer's public key ${\sf spk}_{} \in \lbrace {\sf spk}_{i} \rbrace _{i\in [n]}$, it works as follows.
    • If $({\sf spk}_{}, {\sf ssk}_{}) \in L_\mathsf {SSK}$, then output ${\sf ssk}_{}$.
    • Otherwise, it outputs a secret key ${\sf ssk}_{}$ corresponding to ${\sf spk}_{}$, and updates $L_\mathsf {SSK}:=L_\mathsf {SSK}\cup \lbrace ({\sf spk}_{}, {\sf ssk}_{}) \rbrace$.
    Note that we regard the signer corresponding to the key pair $({\sf spk}_{}, {\sf ssk}_{}) \in L_\mathsf {SSK}$ as a corrupted one.
  • $\mathsf {O}_\mathsf {VSK}$: Given a verifier's public key ${\sf vpk}_{} \in \lbrace {\sf vpk}_{j} \rbrace _{j\in [m]}$, it works as follows.
    • If $({\sf vpk}_{}, {\sf vsk}_{}) \in L_\mathsf {VSK}$, then output ${\sf vsk}_{}$.
    • Otherwise, it outputs a verifier's secret key ${\sf vsk}_{}$ corresponding to ${\sf vpk}_{}$, and updates $L_\mathsf {VSK}:=L_\mathsf {VSK}\cup \lbrace ({\sf vpk}_{}, {\sf vsk}_{}) \rbrace$.
  • $\mathsf {O}_\mathsf {DVSig}$: Given a signer's public key ${\sf spk}_{} \in \lbrace {\sf spk}_{i} \rbrace _{i\in [n]}$, a verifier's public key ${\sf vpk}_{} \in \lbrace {\sf vpk}_{j} \rbrace _{j\in [m]}$, and a message $\mathsf {m}$, it works as follows.
    • If $({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma) \in L_\mathsf {DVSig}$, then output σ.
    • Otherwise, it outputs $\sigma \leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {DVSign}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf ssk}_{}, \mathsf {m})$, and updates $L_\mathsf {DVSig}:=L_\mathsf {DVSig}\cup \lbrace ({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma) \rbrace$.
  • $\mathsf {O}_\mathsf {Vrf}$: Given a signer's public key ${\sf spk}_{} \in \lbrace {\sf spk}_{i} \rbrace _{i\in [n]}$, a verifier's public key ${\sf vpk}_{} \in \lbrace {\sf vpk}_{j} \rbrace _{j\in [m]}$, a message $\mathsf {m}$, and a signature σ, it works as follows.
    • It outputs $b = \Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf vsk}_{}, \mathsf {m}, \sigma)$, where ${\sf vsk}_{}$ is a secret key corresponding to ${\sf vpk}_{}$.
  • $\mathsf {O}_\mathsf {Rpd}$: Given a signer's public key ${\sf spk}_{} \in \lbrace {\sf spk}_{i} \rbrace _{i\in [n]}$, a verifier's public key ${\sf vpk}_{} \in \lbrace {\sf vpk}_{j} \rbrace _{j\in [m]}$, a message $\mathsf {m}$, and a signature σ, it works as follows.
    • If $\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma) = 0$, then output ⊥.
    • If $({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma, \xi) \in L_\mathsf {Rpd}$, then output ξ.
    • Otherwise, it outputs $\xi \leftarrow \Pi _{\rm\small {RDVS}}.{\sf Rpd}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf ssk}_{}, \mathsf {m}, \sigma)$, and updates $L_\mathsf {Rpd}:=L_\mathsf {Rpd}\cup \lbrace ({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma, \xi) \rbrace$, where ${\sf ssk}_{}$ is a secret key corresponding to ${\sf spk}_{}$.

Next, we define Off-the-Record (OTR). OTR is a standard security notion for DVS, which requires that a designated verifier be able to simulate a signature. Undesignated verifiers cannot identify who created the signature, and they are not convinced by the signature. We formalize this intuition as follows.

Definition 9 (OTR) An RDVS $\Pi _{\rm\small {RDVS}}= (\mathsf {Set}, \mathsf {SKG}, \mathsf {VKG}, \mathsf {DVSign}, {\sf Sim}, \mathsf {Vrf}, {\sf Rpd}, {\sf RpdVrf})$ satisfies OTR if for any sufficiently large security parameter λ and any PPT adversary $\mathcal {A}$, it holds that

Math 208
where the experiment $\mathsf {ExpOTR}$ is defined as follows:
\begin{eqnarray*} \begin{aligned} \begin{array}{l}\mathsf {ExpOTR}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}(1^{\lambda })\\ \hline L_\mathsf {SSK}:=\emptyset ; L_\mathsf {VSK}:=\emptyset ; L_\mathsf {DVSig}:=\emptyset ; L_\mathsf {Rpd}:=\emptyset ;\\ {\sf pp}\leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {Set}(1^\lambda);\\ \forall i \in [n], ({\sf spk}_{i}, {\sf ssk}_{i}) \leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {SKG}({\sf pp});\\ \forall j \in [m], ({\sf vpk}_{j}, {\sf vsk}_{j}) \leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {VKG}({\sf pp});\\ ({\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*)\\ \quad \leftarrow \mathcal {A}^{\mathsf {O}_\mathsf {SSK}, \! \mathsf {O}_\mathsf {VSK}, \! \mathsf {O}_\mathsf {DVSig}, \! \mathsf {O}_\mathsf {Vrf}, \! \mathsf {O}_\mathsf {Rpd}}({\sf pp}, \! \lbrace {\sf spk}_{i} \rbrace _{i \in [n]}, \! \lbrace {\sf vpk}_{j} \rbrace _{j \in [m]});\\ b \leftarrow \lbrace 0, 1 \rbrace ; \\ \sigma _0 \leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {DVSign}({\sf pp}, {\sf spk}_{}^*, {\sf ssk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*);\\ \sigma _1 \leftarrow \Pi _{\rm\small {RDVS}}.{\sf Sim}({\sf pp}, {\sf vpk}_{}^*, {\sf vsk}_{}^*, {\sf spk}_{}^*, \mathsf {m}^*);\\ b^* \leftarrow \mathcal {A}^{ \mathsf {O}_\mathsf {DVSig}, \mathsf {O}_\mathsf {Vrf}, \mathsf {O}_\mathsf {Rpd}^{\langle {\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*\rangle }}(\sigma _b):\\ {\rm output} \, 1 \, {\rm if}\, b^* = b \wedge ({\sf spk}_{}^*, \cdot) \notin L_\mathsf {SSK}\wedge ({\sf vpk}_{}^*, \cdot) \notin L_\mathsf {VSK}\\ {\rm otherwise}\, 0 \end{array} \end{aligned} \end{eqnarray*}
where the oracles other than $\mathsf {O}_\mathsf {Rpd}^{\langle {\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*\rangle }$ are the same as in Definition 8. The oracle $\mathsf {O}_\mathsf {Rpd}^{\langle {\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*\rangle }$ outputs ⊥ when $({\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*, \cdot)$ is given as input, otherwise it works as $\mathsf {O}_\mathsf {Rpd}$.
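
The simulation behind OTR, shown as an added example that is not code from the paper: a toy DVS built from a two-member Schnorr ring signature over the ring {spk, vpk}, where DVSign closes the ring with ssk and Sim closes it with vsk, so both outputs pass the same public check. The ring-signature stand-in, the 127-bit toy group, the function names and the oracle-free `exp_otr` (which fixes the message instead of letting the adversary choose it) are assumptions made for illustration; the toy has no Rpd algorithm.

```python
# Added illustration: toy DVS from a two-member Schnorr ring signature.
# Parameters and names are assumptions; the 127-bit group gives no security.
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime used as a toy modulus (assumption)
N = P - 1        # exponents are reduced modulo the order of Z_P^*
G = 3            # base element (assumption)


def keygen():
    """SKG and VKG: the same algorithm for signers and verifiers."""
    sk = secrets.randbelow(N - 1) + 1
    return pow(G, sk, P), sk


def challenge(ring, msg, commitment):
    """Hash the ring, the message and one commitment to an exponent."""
    data = b"|".join(str(v).encode() for v in (*ring, commitment))
    return int.from_bytes(hashlib.sha256(data + b"|" + msg).digest(), "big") % N


def ring_sign(ring, idx, sk, msg):
    """Sign as ring[idx]; returns None (the failure symbol) on a key mismatch."""
    if pow(G, sk, P) != ring[idx]:
        return None
    other = 1 - idx
    c, s = [0, 0], [0, 0]
    k = secrets.randbelow(N)
    c[other] = challenge(ring, msg, pow(G, k, P))          # real commitment
    s[other] = secrets.randbelow(N)                        # simulated response
    c[idx] = challenge(ring, msg,
                       pow(G, s[other], P) * pow(ring[other], c[other], P) % P)
    s[idx] = (k - c[idx] * sk) % N                         # closes the ring
    return (c[0], s[0], s[1])


def dv_sign(spk, vpk, ssk, msg):
    """DVSign: the signer closes the ring {spk, vpk} with ssk."""
    return ring_sign((spk, vpk), 0, ssk, msg)


def sim(spk, vpk, vsk, msg):
    """Sim: the designated verifier closes the same ring with vsk."""
    return ring_sign((spk, vpk), 1, vsk, msg)


def vrf(spk, vpk, msg, sig):
    """Vrf: public ring verification; no secret key is needed."""
    ring = (spk, vpk)
    c0, s0, s1 = sig
    c1 = challenge(ring, msg, pow(G, s0, P) * pow(spk, c0, P) % P)
    return c0 == challenge(ring, msg, pow(G, s1, P) * pow(vpk, c1, P) % P)


def exp_otr(adversary, msg=b"constructed sample message"):
    """One oracle-free run of the OTR game: 1 if the adversary's guess is b."""
    spk, ssk = keygen()
    vpk, vsk = keygen()
    b = secrets.randbelow(2)
    sigma = (dv_sign(spk, vpk, ssk, msg), sim(spk, vpk, vsk, msg))[b]
    return int(adversary(spk, vpk, msg, sigma) == b)


def win_rate(adversary, trials=400):
    """Empirical success rate of a distinguisher over repeated runs."""
    return sum(exp_otr(adversary) for _ in range(trials)) / trials


if __name__ == "__main__":
    spk, ssk = keygen()
    vpk, vsk = keygen()
    msg = b"constructed sample message"
    real, forged = dv_sign(spk, vpk, ssk, msg), sim(spk, vpk, vsk, msg)
    print("signer's signature verifies:   ", vrf(spk, vpk, msg, real))
    print("verifier's simulation verifies:", vrf(spk, vpk, msg, forged))
    print("guess-by-parity win rate:", win_rate(lambda s, v, m, sig: sig[0] & 1))
```

Because the simulated signature is distributed like the signer's, the signer has no way to disown it in this toy, which is the gap the Rpd and RpdVrf algorithms of RDVS are meant to close.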

In the following, we define the repudiability of RDVS. Intuitively, repudiability requires the following:

  • A non-signer can repudiate against a signature he has not created.
  • A signer cannot repudiate against a signature he has created.

These intuitive requirements are formally defined as follows.

Definition 10 (Repudiability) An RDVS $\Pi _{\rm\small {RDVS}}= (\mathsf {Set}, \mathsf {SKG}, \mathsf {VKG}, \mathsf {DVSign}, {\sf Sim}, \mathsf {Vrf}, {\sf Rpd}, {\sf RpdVrf})$ satisfies repudiability if it satisfies all of the following conditions.

(Non-signer's repudiability) For any sufficiently large security parameter λ and any PPT adversary $\mathcal {A}$, it holds that

Math 217
where the experiment $\mathsf {ExpRpdDVS}$ is defined as follows:
\begin{eqnarray*} \begin{aligned} \begin{array}{l}\mathsf {ExpRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}(1^\lambda)\\ \hline L_\mathsf {DVSig}:=\emptyset ; L_\mathsf {Rpd}:=\emptyset ;\\ {\sf pp}\leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {Set}(1^\lambda);({\sf spk}_{}, {\sf ssk}_{}) \leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {SKG}({\sf pp});\\ ({\sf vpk}_{}^*, {\sf vsk}_{}^*, \mathsf {m}^*, \sigma ^*) \leftarrow \mathcal {A}^{\mathsf {O}_\mathsf {DVSig}, \mathsf {O}_\mathsf {Rpd}}({\sf pp}, {\sf spk}_{});\\ \xi \leftarrow \Pi _{\rm\small {RDVS}}.{\sf Rpd}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}^*, {\sf ssk}_{}, \mathsf {m}^*, \sigma ^*);\\ b \leftarrow \Pi _{\rm\small {RDVS}}.{\sf RpdVrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*, \xi);\\ {\rm abort\, the\, experiment\, if\,}\\ \quad \Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}^*, {\sf vsk}_{}^*, \mathsf {m}^*, \sigma ^*) = 0\\ \quad \vee ({\sf spk}_{}, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*) \in L_\mathsf {DVSig}:\\ {\rm output}\, 1\, {\rm if}\, b = 1\, {\rm otherwise}\, 0\\ \end{array} \end{aligned} \end{eqnarray*}

where the oracles are the same as in Definition 8.

(Signer's non-repudiability) For any sufficiently large security parameter λ and any PPT adversary $\mathcal {A}$, it holds that

Math 221
where the experiment $\mathsf {ExpFlsRpdDVS}$ is defined as follows:
\begin{eqnarray*} \begin{aligned} \begin{array}{l}\mathsf {ExpFlsRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}(1^\lambda)\\ \hline {\sf pp}\leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {Set}(1^\lambda);\\ \forall j \in [m], ({\sf vpk}_{j}, {\sf vsk}_{j}) \leftarrow \Pi _{\rm\small {RDVS}}.\mathsf {VKG}({\sf pp});\\ ({\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*, \xi ^*) \leftarrow \mathcal {A}^{\mathsf {O}_\mathsf {Vrf}}({\sf pp}, \lbrace {\sf vpk}_{j} \rbrace _{j\in [m]});\\ b \leftarrow \Pi _{\rm\small {RDVS}}.{\sf RpdVrf}({\sf pp}, {\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*, \xi ^*);\\ {\rm abort\, the\, experiment\, if\,}\, \\ \quad \Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp},{\sf spk}_{}^*, {\sf vpk}_{}^*, {\sf vsk}_{}^*, \mathsf {m}^*, \sigma ^*) = 0\\ \quad \vee {\sf vpk}_{}^* \notin \lbrace {\sf vpk}_{j} \rbrace _{j\in [m]}:\\ {\rm output}\, 1\, {\rm if}\, b = 1\, {\rm otherwise}\, 0\\ \end{array} \end{aligned} \end{eqnarray*}

where an oracle is the same as in Definition 8.

Similar to the repudiability in RRS, Definition 10 requires that the signer corrupted by $\mathcal {A}$ cannot repudiate the signature.

4 A GENERIC CONSTRUCTION OF RDVS

Let $\Pi _{\rm\small {RRS}}= (\mathsf {Set}, {\sf KG}, {\sf RSig}, {\sf Vrf}, {\sf Rpd}, {\sf RpdVrf})$ be an RRS scheme. We demonstrate that we can construct an RDVS scheme $\Pi _{\rm\small {RDVS}}$ based on $\Pi _{\rm\small {RRS}}$ in a generic manner. The construction has the following features.

  • The key generation algorithms for signers and verifiers are the same.
  • The verification algorithm does not require the secret key of the designated verifier.
  • $\Pi _{\rm\small {RDVS}}.\mathsf {Set}(1^{\lambda }):$ Given a security parameter $1^{\lambda }$, it outputs a public parameter ${\sf pp}\leftarrow \Pi _{\rm\small {RRS}}.\mathsf {Set}(1^{\lambda })$.
  • $\Pi _{\rm\small {RDVS}}.\mathsf {SKG}({\sf pp}):$ Given a public parameter ${\sf pp}$, it outputs a key pair $({\sf spk}_{}, {\sf ssk}_{}) :=({\sf pk}, {\sf sk}) \leftarrow \Pi _{\rm\small {RRS}}.{\sf KG}({\sf pp})$.
  • $\Pi _{\rm\small {RDVS}}.\mathsf {VKG}({\sf pp}):$ Given a public parameter ${\sf pp}$, it outputs a key pair $({\sf vpk}_{}, {\sf vsk}_{}) :=({\sf pk}, {\sf sk}) \leftarrow \Pi _{\rm\small {RRS}}.{\sf KG}({\sf pp})$.
  • $\Pi _{\rm\small {RDVS}}.\mathsf {DVSign}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf ssk}_{}, \mathsf {m}):$ Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a signer's secret key ${\sf ssk}_{}$, and a message $\mathsf {m}$, it outputs a signature $\sigma \leftarrow \Pi _{\rm\small {RRS}}.{\sf RSig}({\sf pp}, \lbrace {\sf spk}_{} \rbrace \cup \lbrace {\sf vpk}_{} \rbrace, {\sf ssk}_{}, \mathsf {m})$.
  • $\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma):$ Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a message $\mathsf {m}$, and a signature σ, it outputs $b = \Pi _{\rm\small {RRS}}.\mathsf {Vrf}({\sf pp}, \lbrace {\sf spk}_{} \rbrace \cup \lbrace {\sf vpk}_{} \rbrace, \mathsf {m}, \sigma)$.
  • $\Pi _{\rm\small {RDVS}}.{\sf Sim}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf vsk}_{}, \mathsf {m}):$ Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a verifier's secret key ${\sf vsk}_{}$, and a message $\mathsf {m}$, it outputs a signature $\sigma \leftarrow \Pi _{\rm\small {RRS}}.{\sf RSig}({\sf pp}, \lbrace {\sf spk}_{} \rbrace \cup \lbrace {\sf vpk}_{} \rbrace, {\sf vsk}_{}, \mathsf {m})$.
  • $\Pi _{\rm\small {RDVS}}.{\sf Rpd}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf ssk}_{}, \mathsf {m}, \sigma):$ Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a signer's secret key ${\sf ssk}_{}$, a message $\mathsf {m}$, and a signature σ, it outputs a repudiation $\xi \leftarrow \Pi _{\rm\small {RRS}}.{\sf Rpd}({\sf pp}, \lbrace {\sf spk}_{} \rbrace \cup \lbrace {\sf vpk}_{} \rbrace, {\sf ssk}_{}, \mathsf {m}, \sigma)$.
  • $\Pi _{\rm\small {RDVS}}.{\sf RpdVrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma, \xi):$ Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a message $\mathsf {m}$, a signature σ, and a repudiation ξ, it outputs $b = \Pi _{\rm\small {RRS}}.{\sf RpdVrf}({\sf pp}, \lbrace {\sf spk}_{} \rbrace \cup \lbrace {\sf vpk}_{} \rbrace, {\sf spk}_{}, \mathsf {m}, \sigma, \xi)$.
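The generic construction above, run end to end, as an added example (not the paper's code): each RDVS algorithm is a single call into an RRS on the ring $\lbrace {\sf spk} \rbrace \cup \lbrace {\sf vpk} \rbrace$. The RRS used here is an assumed toy stand-in for two-key rings (a DLEQ tag plus a Fiat-Shamir OR-proof over an 80-bit group); it is neither Park and Sealfon's scheme nor the ZAP/VRF construction of the appendix, and it carries no security proof. All function names are assumptions, and ${\sf pp}$ is the implicit group (P, Q, G).

```python
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)

def is_prime(n):
    """Miller-Rabin; the first 13 primes as bases are deterministic for n < 3.3e24."""
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# pp: toy 80-bit safe-prime group P = 2Q + 1, far too small for real use.
Q = 2**79 + 1
while not (is_prime(Q) and is_prime(2 * Q + 1)):
    Q += 2
P, G = 2 * Q + 1, 4  # 4 is a square, so it generates the order-Q subgroup

def H(*parts):
    """Random-oracle stand-in: hash the inputs to an exponent mod Q."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def to_group(ring, m):
    """Hash (ring, m) into the subgroup; nobody knows its discrete log."""
    return pow(H("h2g", ring, m) + 2, 2, P)

def kg():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def _commit(pk, h, y, c, z):
    """Recompute the DLEQ commitments (g^z pk^-c, h^z y^-c)."""
    return (pow(G, z, P) * pow(pk, -c % Q, P) % P,
            pow(h, z, P) * pow(y, -c % Q, P) % P)

# ---- toy RRS over a two-key ring (assumed stand-in, see lead-in) ----
def rsig(ring, sk, m):
    i = ring.index(pow(G, sk, P))              # signer's slot in the ring
    j = 1 - i
    h = to_group(ring, m)
    y = pow(h, sk, P)                          # tag tied to the key that signed
    c, z, t = [0, 0], [0, 0], [None, None]
    c[j], z[j] = secrets.randbelow(Q), secrets.randbelow(Q)
    t[j] = _commit(ring[j], h, y, c[j], z[j])  # simulated branch
    r = secrets.randbelow(Q)
    t[i] = (pow(G, r, P), pow(h, r, P))        # real branch
    c[i] = (H("sig", ring, m, y, t[0], t[1]) - c[j]) % Q
    z[i] = (r + c[i] * sk) % Q
    return (y, c[0], c[1], z[0], z[1])

def rvrf(ring, m, sig):
    y, c0, c1, z0, z1 = sig
    if not 1 < y < P or pow(y, Q, P) != 1:     # tag must lie in the subgroup
        return False
    h = to_group(ring, m)
    t0, t1 = _commit(ring[0], h, y, c0, z0), _commit(ring[1], h, y, c1, z1)
    return (c0 + c1) % Q == H("sig", ring, m, y, t0, t1)

def rpd(ring, sk, m, sig):
    pk, h = pow(G, sk, P), to_group(ring, m)
    y2 = pow(h, sk, P)
    if y2 == sig[0]:
        return None                            # ⊥: this key made the signature
    r = secrets.randbelow(Q)
    c = H("rpd", ring, pk, m, sig, y2, pow(G, r, P), pow(h, r, P))
    return (y2, c, (r + c * sk) % Q)           # proves y2 = h^sk; verifier checks y2 != y

def rpdvrf(ring, pk, m, sig, xi):
    if xi is None:
        return False
    y2, c, z = xi
    a, b = _commit(pk, to_group(ring, m), y2, c, z)
    return y2 != sig[0] and c == H("rpd", ring, pk, m, sig, y2, a, b)

# ---- the generic construction: RDVS = RRS on the ring {spk} ∪ {vpk} ----
def ring_of(spk, vpk):
    return tuple(sorted((spk, vpk)))           # canonical encoding of the set

def DVSign(spk, vpk, ssk, m): return rsig(ring_of(spk, vpk), ssk, m)
def Sim(spk, vpk, vsk, m): return rsig(ring_of(spk, vpk), vsk, m)
def Vrf(spk, vpk, m, sig): return rvrf(ring_of(spk, vpk), m, sig)
def Rpd(spk, vpk, ssk, m, sig): return rpd(ring_of(spk, vpk), ssk, m, sig)
def RpdVrf(spk, vpk, m, sig, xi): return rpdvrf(ring_of(spk, vpk), spk, m, sig, xi)
```

A signature produced with `Sim` verifies exactly like one from `DVSign`, but only on the simulated one does `Rpd` return a ξ that `RpdVrf` accepts; on the signer's own signature `Rpd` returns `None` (⊥).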

The correctness of $\Pi _{\rm\small {RDVS}}$ is obvious from the correctness of $\Pi _{\rm\small {RRS}}$. To prove that $\Pi _{\rm\small {RDVS}}$ is an RDVS scheme, we prove three lemmas.

Lemma 1 If $\Pi _{\rm\small {RRS}}$ is EUF-CMA, then $\Pi _{\rm\small {RDVS}}$ is EUF-CMA.

We assume for contradiction that there is a PPT adversary $\mathcal {A}$ that breaks EUF-CMA of $\Pi _{\rm\small {RDVS}}$ with non-negligible probability. We demonstrate a PPT reduction algorithm $\mathsf {R}$ that breaks the EUF-CMA security of $\Pi _{\rm\small {RRS}}$ by using $\mathcal {A}$ with non-negligible probability. The reduction algorithm $\mathsf {R}^{\mathcal {A}}$ plays the experiment $\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}}$ as an adversary, but simultaneously it simulates the experiment $\mathsf {ExpEUFDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}$ as the challenger.

Setup Phase. Given ${\sf pp}$ and $\lbrace {\sf pk}_i \rbrace _{i \in [n]}$, $\mathsf {R}$ initiates the lists $L_\mathsf {SSK}:=\emptyset, L_\mathsf {VSK}:=\emptyset, L_\mathsf {DVSig}:=\emptyset, L_\mathsf {Rpd}:=\emptyset$. Without loss of generality, $\mathsf {R}$ divides the given key set into $\lbrace {\sf spk}_{i} \rbrace _{i \in [n^{\prime }]} = \lbrace {\sf pk}_i \rbrace _{i\in [n^{\prime }]}$ and $\lbrace {\sf vpk}_{j} \rbrace _{j \in [m^{\prime }]} = \lbrace {\sf pk}_{j+n^{\prime }} \rbrace _{j\in [n]\setminus [n^{\prime }]}$, and sends ${\sf pp}, \lbrace {\sf spk}_{i} \rbrace _{i \in [n^{\prime }]}$, and $\lbrace {\sf vpk}_{j} \rbrace _{j \in [m^{\prime }]}$ to $\mathcal {A}$. If $\mathcal {A}$ makes a query, $\mathsf {R}$ simulates the answer as follows.

  • $\mathsf {O}_\mathsf {SSK}$: Given a signer's public key ${\sf spk}_{}\in \lbrace {\sf spk}_{i} \rbrace _{i\in [n^{\prime }]}$ from $\mathcal {A}$, it works as follows.
    • If $({\sf spk}_{},{\sf ssk}_{})\in L_\mathsf {SSK}$, then output ${\sf ssk}_{}$.
    • Otherwise, it sends ${\sf spk}_{}$ to the challenger of the experiment $\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}}$ as a query to $\mathsf {O}_\mathsf {SK}$, returns the answer ${\sf ssk}_{}$ to $\mathcal {A}$, and updates $L_\mathsf {SSK}:=L_\mathsf {SSK}\cup \lbrace ({\sf spk}_{}, {\sf ssk}_{}) \rbrace$.
  • $\mathsf {O}_\mathsf {VSK}$: Given a verifier's public key ${\sf vpk}_{}\in \lbrace {\sf vpk}_{j} \rbrace _{j\in [m^{\prime }]}$ from $\mathcal {A}$, it works as follows.
    • If $({\sf vpk}_{},{\sf vsk}_{})\in L_\mathsf {VSK}$, then output ${\sf vsk}_{}$.
    • Otherwise, it sends ${\sf vpk}_{}$ to the challenger of the experiment $\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}}$ as a query to $\mathsf {O}_\mathsf {SK}$, returns the answer ${\sf vsk}_{}$ to $\mathcal {A}$, and updates $L_\mathsf {VSK}:=L_\mathsf {VSK}\cup \lbrace ({\sf vpk}_{}, {\sf vsk}_{}) \rbrace$.
  • $\mathsf {O}_\mathsf {DVSig}$: Given a signer's public key ${\sf spk}_{}\in \lbrace {\sf spk}_{i} \rbrace _{i\in [n^{\prime }]}$, a verifier's public key ${\sf vpk}_{}\in \lbrace {\sf vpk}_{j} \rbrace _{j\in [m^{\prime }]},$ and a message $\mathsf {m}$ from $\mathcal {A}$, it works as follows.
    • If $({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma) \in L_\mathsf {DVSig}$, then output σ.
    • Otherwise, it queries $(\lbrace {\sf spk}_{} \rbrace \cup \lbrace {\sf vpk}_{} \rbrace, {\sf spk}_{}, \mathsf {m})$ for the challenger of the experiment $\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}}$ to call $\mathsf {O}_\mathsf {RSig}$, returns the answer σ, and updates $L_\mathsf {DVSig}:=L_\mathsf {DVSig}\cup \lbrace ({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma) \rbrace$.
  • $\mathsf {O}_\mathsf {Rpd}$: Given a signer's public key ${\sf spk}_{}\in \lbrace {\sf spk}_{i} \rbrace _{i\in [n^{\prime }]}$, a verifier's public key ${\sf vpk}_{}\in \lbrace {\sf vpk}_{j} \rbrace _{j\in [m^{\prime }]}$, a message $\mathsf {m}$, and a signature σ, it works as follows.
    • If $({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma, \xi) \in L_\mathsf {Rpd}$, then output ξ.
    • Otherwise, it queries $(\lbrace {\sf spk}_{} \rbrace \cup \lbrace {\sf vpk}_{} \rbrace, {\sf spk}_{}, \mathsf {m}, \sigma)$ for the challenger of the experiment $\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}}$ to call $\mathsf {O}_\mathsf {Rpd}$, returns the answer ξ, and updates $L_\mathsf {Rpd}:=L_\mathsf {Rpd}\cup \lbrace ({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma, \xi) \rbrace$.

Challenge Phase. When $\mathcal {A}$ outputs $({\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*)$, then $\mathsf {R}$ outputs $(\lbrace {\sf spk}_{}^* \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace, \mathsf {m}^*, \sigma ^*)$ to the challenger.

Analysis. Under the initial assumption, we demonstrate that the above $\mathsf {R}^{\mathcal {A}}$ breaks the EUF-CMA of $\Pi _{\rm\small {RRS}}$ with non-negligible probability.

First, we show that if $\mathsf {ExpEUFDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$ in RDVS, then $\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}} = 1$ in RRS. Since $\mathsf {ExpEUFDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$, the following (1), (2), (3), and (4) are satisfied in Definition 8.

(1) $({\sf spk}_{}^* \in \lbrace {\sf spk}_{i} \rbrace _{i \in [n^{\prime }]}) \wedge ({\sf vpk}_{}^* \in \lbrace {\sf vpk}_{j} \rbrace _{j \in [m^{\prime }]})$

(2) $(({\sf spk}_{}^*, \cdot) \notin L_\mathsf {SSK}) \wedge (({\sf vpk}_{}^*, {\sf vsk}_{}^*) \notin L_\mathsf {VSK})$

(3) $(({\sf spk}_{}^*,{\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*) \notin L_\mathsf {DVSig})$

(4) $(\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp}, {\sf spk}_{}^*, {\sf vpk}_{}^*, {\sf vsk}_{}^*, \mathsf {m}^*, \sigma ^*) = 1)$

Here, formula (1) means that $\lbrace {\sf spk}_{}^* \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace \subseteq \lbrace {\sf pk}_i \rbrace _{i\in [n]}$ in Definition 3. From formula (2), and the fact that $\mathsf {O}_\mathsf {SSK}$ and $\mathsf {O}_\mathsf {VSK}$ are simulated by $\mathsf {O}_\mathsf {SK}$, it holds that $\forall {\sf pk}\in \lbrace {\sf spk}_{}^* \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace, ({\sf pk}, \cdot) \notin L_\mathsf {SK}$ in Definition 3. From formula (3), and the fact that $\mathsf {O}_\mathsf {DVSig}$ is simulated by $\mathsf {O}_\mathsf {RSig}$, it holds that $(\lbrace {\sf spk}_{}^* \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace, \mathsf {m}^*, \sigma ^*)\notin L_\mathsf {RSig}$ in Definition 3. From formula (4), and the generic construction of $\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}$, it holds that $b = 1$ in Definition 3. Thus, if $\mathsf {ExpEUFDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$ in the simulation, then $\mathsf {ExpEUFRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}} = 1$.

Since $\mathcal {A}$ breaks the EUF-CMA security of $\Pi _{\rm\small {RDVS}}$ with non-negligible probability by assumption, the lemma follows from the above. □

Lemma 2 If $\Pi _{\rm\small {RRS}}$ satisfies anonymity, then $\Pi _{\rm\small {RDVS}}$ satisfies OTR.

We assume for contradiction that there is a PPT adversary $\mathcal {A}$ that breaks OTR of $\Pi _{\rm\small {RDVS}}$ with non-negligible probability. We demonstrate a PPT reduction algorithm $\mathsf {R}$ that breaks the anonymity of $\Pi _{\rm\small {RRS}}$ with non-negligible probability by using $\mathcal {A}$. The reduction algorithm $\mathsf {R}^{\mathcal {A}}$ plays the experiment $\mathsf {ExpAnoRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}}$ as an adversary, but simultaneously it simulates the experiment $\mathsf {ExpOTR}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}$ as the challenger.

Setup Phase. Given ${\sf pp}$ and $\lbrace {\sf pk}_i \rbrace _{i \in [n]}$, $\mathsf {R}$ initiates the lists $L_\mathsf {VSK}:=\emptyset$, $L_\mathsf {SSK}:=\emptyset$, $L_\mathsf {DVSig}:=\emptyset$ and $L_\mathsf {Rpd}:=\emptyset$. Without loss of generality, $\mathsf {R}$ divides the given key set into $\lbrace {\sf spk}_{i} \rbrace _{i \in [n^{\prime }]} = \lbrace {\sf pk}_i \rbrace _{i\in [n^{\prime }]}$ and $\lbrace {\sf vpk}_{j} \rbrace _{j \in [m^{\prime }]} = \lbrace {\sf pk}_{j+n^{\prime }} \rbrace _{j\in [n]\setminus [n^{\prime }]}$, and sends ${\sf pp}, \lbrace {\sf spk}_{i} \rbrace _{i \in [n^{\prime }]}$ and $ \lbrace {\sf vpk}_{j} \rbrace _{j \in [m^{\prime }]}$ to $\mathcal {A}$. If $\mathcal {A}$ makes a query, $\mathsf {R}$ simulates the answer as in the proof of Lemma 1. When $\mathcal {A}$ outputs $({\sf spk}_{}^*,{\sf vpk}_{}^*, \mathsf {m}^*)$, $\mathsf {R}$ finds $i^*$ and $j^*$ such that ${\sf pk}_{i^*} = {\sf spk}_{}^*$ and ${\sf pk}_{n^{\prime } + j^*} = {\sf vpk}_{}^*$. Then, $\mathsf {R}$ returns $i^*_0 :=i^*, i^*_1 :=n^{\prime } + j^*, \mathsf {m}^*$ and $R^* :=\lbrace {\sf pk}_{i^*} \rbrace \cup \lbrace {\sf pk}_{n^{\prime } + j^*} \rbrace$ to the challenger.

Challenge Phase. Given the challenge signature σ from the challenger, $\mathsf {R}$ gives σ to $\mathcal {A}$. Again, $\mathsf {R}$ simulates the answer to a query made by $\mathcal {A}$ as in the Setup Phase, except for queries to $\mathsf {O}_\mathsf {Rpd}$: if a query $({\sf spk}_{i^*}, {\sf vpk}_{j^*}, \mathsf {m}^*, \cdot)$ is made to $\mathsf {O}_\mathsf {Rpd}$, then $\mathsf {R}$ returns ⊥. When $\mathcal {A}$ outputs a bit $b^*$, $\mathsf {R}$ returns $b^*$ to the challenger.

Analysis. We demonstrate that $\mathsf {R}^{\mathcal {A}}$ breaks the anonymity of $\Pi _{\rm\small {RRS}}$ with non-negligible probability. We first argue that $\mathsf {R}$ correctly simulates the experiment $\mathsf {ExpOTR}$ in the Challenge Phase. At the beginning of the Challenge Phase, the challenger creates a signature σ of the ring $R^* = \lbrace {\sf pk}_{i^*_0} \rbrace \cup \lbrace {\sf pk}_{i^*_1} \rbrace$ by using ${\sf sk}_{i^*_0}$ or ${\sf sk}_{i^*_1}$. If ${\sf sk}_{i^*_0}$ is used, then we can regard σ as an output of $\Pi _{\rm\small {RDVS}}.\mathsf {DVSign}({\sf pp}, {\sf spk}_{i^*_0}, {\sf vpk}_{i^*_1}, {\sf ssk}_{i^*_0}, \mathsf {m}^*)$, otherwise as an output of $\Pi _{\rm\small {RDVS}}.{\sf Sim}({\sf pp}, {\sf spk}_{i^*_0}, {\sf vpk}_{i^*_1}, {\sf vsk}_{i^*_1}, \mathsf {m}^*)$. As $\mathcal {A}$ is given a correct input, it runs correctly.

Now we show that if $\mathsf {ExpOTR}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$ then $\mathsf {ExpAnoRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}} = 1$. As $\mathsf {ExpOTR}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$, considering Definition 9, we have the following formulae.

  1. $b^* = b$
  2. $ ({\sf spk}_{}^*, \cdot) \notin L_\mathsf {SSK}$
  3. $({\sf vpk}_{}^*, \cdot) \notin L_\mathsf {VSK}$

Here, formula (1) means that $\mathcal {A}$ distinguishes whether σ is output by $\Pi _{\rm\small {RDVS}}.\mathsf {DVSign}$ or $\Pi _{\rm\small {RDVS}}.{\sf Sim}$. Considering the construction of $\Pi _{\rm\small {RDVS}}$, this indicates that $\mathsf {R}$ distinguishes whether σ is output by $\Pi _{\rm\small {RRS}}.{\sf RSig}({\sf pp}, {\sf sk}_{i^*_0}, R^*, \mathsf {m}^*)$ or $\Pi _{\rm\small {RRS}}.{\sf RSig}({\sf pp}, {\sf sk}_{i^*_1}, R^*, \mathsf {m}^*)$. Therefore, it holds that $b^* = b$ in Definition 4. From formulae (2) and (3), and the fact that $\mathsf {O}_\mathsf {DVSig}$ is simulated by $\mathsf {O}_\mathsf {RSig}$, it holds that $({\sf pk}_{i_0^*}, \cdot)\notin L_\mathsf {SK}$ and $({\sf pk}_{i_1^*}, \cdot) \notin L_\mathsf {SK}$ in Definition 4. Thus, if $\mathsf {ExpOTR}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$ in the simulation, then $\mathsf {ExpAnoRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}} = 1$.

Finally, we confirm that if $\mathcal {A}$ wins, so does $\mathsf {R}^{\mathcal {A}}$. The winning conditions of $\mathcal {A}$ are $b^* = b$, $i^* \notin L_\mathsf {SSK}$ and $j^* \notin L_\mathsf {VSK}$. If all of them are satisfied, then, given how the oracles are simulated, it holds that $({\sf pk}_{i^*_0}, \cdot)\notin L_\mathsf {SK}\wedge ({\sf pk}_{i^*_1},\cdot) \notin L_\mathsf {SK}$ in the experiment $\mathsf {ExpAnoRRS}$. Thus, if $\mathcal {A}$ wins, so does $\mathsf {R}^{\mathcal {A}}$. As we are under the assumption that $\mathcal {A}$ wins with non-negligible probability, $\mathsf {R}^{\mathcal {A}}$ wins with non-negligible probability as well. □

Lemma 3 $\Pi _{\rm\small {RDVS}}$ satisfies repudiability.

To show Lemma 3, we prove two claims.

Claim 1 If there exists a polynomial-time adversary that breaks non-signer's repudiability in $\Pi _{\rm\small {RDVS}}$ with non-negligible probability, then there exists another polynomial-time adversary that breaks non-signer's repudiability in $\Pi _{\rm\small {RRS}}$ with non-negligible probability.

We assume for contradiction that there is a PPT adversary $\mathcal {A}$ that breaks the non-signer's repudiability of $\Pi _{\rm\small {RDVS}}$ with non-negligible probability. We demonstrate a PPT reduction algorithm $\mathsf {R}$ that breaks the non-signer's repudiability of $\Pi _{\rm\small {RRS}}$ with non-negligible probability. The reduction algorithm $\mathsf {R}^{\mathcal {A}}$ plays the experiment $\mathsf {ExpRpdRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}}$ as an adversary, but simultaneously it simulates the experiment $\mathsf {ExpRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}$ as the challenger.

Setup Phase. Given a public parameter ${\sf pp}$ and a public key ${\sf pk}$ from the challenger, $\mathsf {R}$ initiates the lists $L_\mathsf {DVSig}:=\emptyset, L_\mathsf {Rpd}:=\emptyset$. Then $\mathsf {R}$ sends ${\sf pp}, {\sf spk}_{} :={\sf pk}$ to the adversary $\mathcal {A}$. If $\mathcal {A}$ makes a query, $\mathsf {R}$ simulates the answer as in the proof of Lemma 1.

Challenge Phase. When $\mathcal {A}$ outputs $({\sf vpk}_{}^*, {\sf vsk}_{}^*, \mathsf {m}^*, \sigma ^*)$, then $\mathsf {R}$ outputs $(\lbrace {\sf pk} \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace, \mathsf {m}^*, \sigma ^*)$ to the challenger.

Note that ${\sf vpk}_{}^*$ is equivalent to the RRS public key from the generic construction, so $\lbrace {\sf pk} \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace$ can be assumed to be the ring of the RRS. Also, in Definition 10, the adversary $\mathcal {A}$ includes the verifier's secret key ${\sf vsk}_{}^*$ in its output, which is not necessary in our construction.

Analysis. Under the initial assumption, we demonstrate that the above $\mathsf {R}^{\mathcal {A}}$ breaks the non-signer's repudiability of $\Pi _{\rm\small {RRS}}$ with non-negligible probability.

First, we show that if $\mathsf {ExpRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$ in RDVS, then $\mathsf {ExpRpdRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}} = 1$ in RRS. Since $\mathsf {ExpRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$, the following (1), (2), and (3) are satisfied in Definition 10.

(1) $\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp}, {\sf pk}, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*) = 1$

(2) $({\sf pk}, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*) \notin L_\mathsf {DVSig}$

(3) $\Pi _{\rm\small {RDVS}}.{\sf RpdVrf}({\sf pp}, {\sf pk}, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*, \xi) = 1$

Here, from formula (1) and the generic construction of $\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}$, it holds that $\Pi _{\rm\small {RRS}}.\mathsf {Vrf}({\sf pp}, \lbrace {\sf pk} \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace, \mathsf {m}^*, \sigma ^*) = 1$ in Definition 5. From formula (2) and the fact that $\mathsf {O}_\mathsf {DVSig}$ is simulated by $\mathsf {O}_\mathsf {RSig}$, it holds that $(\lbrace {\sf pk} \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace, \mathsf {m}^*, \cdot) \notin L_\mathsf {RSig}$ in Definition 5. From formula (3) and the generic construction of $\Pi _{\rm\small {RDVS}}.{\sf RpdVrf}$, it holds that $b = 1$ in Definition 5. Thus, if $\mathsf {ExpRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$ in RDVS, then $\mathsf {ExpRpdRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}} = 1$ in RRS.

Since $\mathcal {A}$ breaks the non-signer's repudiability of $\Pi _{\rm\small {RDVS}}$ with non-negligible probability, $\mathsf {R}^{\mathcal {A}}$ breaks that of $\Pi _{\rm\small {RRS}}$. Therefore, Claim 1 is shown. □

Claim 2 If there exists a polynomial-time adversary that breaks signer's unrepudiability in $\Pi _{\rm\small {RDVS}}$ with non-negligible probability, then there exists another polynomial-time adversary that breaks signer's unrepudiability in $\Pi _{\rm\small {RRS}}$ with non-negligible probability.

We assume for contradiction that there is a PPT adversary $\mathcal {A}$ that breaks the signer's unrepudiability of $\Pi _{\rm\small {RDVS}}$ with non-negligible probability. We demonstrate a PPT reduction algorithm $\mathsf {R}$ that breaks the signer's unrepudiability of $\Pi _{\rm\small {RRS}}$ by using $\mathcal {A}$ with non-negligible probability. The reduction algorithm $\mathsf {R}^{\mathcal {A}}$ plays the experiment $\mathsf {ExpFlsRpdRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}}$ as an adversary, but simultaneously it simulates the experiment $\mathsf {ExpFlsRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}$ as the challenger.

Setup Phase. Given ${\sf pp}$ and $\lbrace {\sf pk}_i \rbrace _{i \in [n]}$ from the challenger, $\mathsf {R}$ sends ${\sf pp}, \lbrace {\sf vpk}_{i} \rbrace _{i\in [n]} = \lbrace {\sf pk}_i \rbrace _{i\in [n]}$ to the adversary $\mathcal {A}$. If $\mathcal {A}$ makes a query, $\mathsf {R}$ simulates the answer as in the proof of Lemma 1.

Challenge Phase. When $\mathcal {A}$ outputs $({\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*, \xi ^*)$, then $\mathsf {R}$ outputs $(\lbrace {\sf spk}_{}^* \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace, \mathsf {m}^*, \sigma ^*, \lbrace \xi ^* \rbrace)$ to the challenger.

Analysis. Under the initial assumption, we demonstrate that the above $\mathsf {R}^{\mathcal {A}}$ breaks the signer's unrepudiability of $\Pi _{\rm\small {RRS}}$ with non-negligible probability.

First, we show that if $\mathsf {ExpFlsRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$ in RDVS, then $\mathsf {ExpFlsRpdRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}} = 1$ in RRS. Since $\mathsf {ExpFlsRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$, the following (1), (2), and (3) are satisfied in Definition 10.

(1) $\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp},{\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*) = 1$

(2) ${\sf vpk}_{}^* \in \lbrace {\sf pk}_{i} \rbrace _{i\in [n]}$

(3) $\Pi _{\rm\small {RDVS}}.{\sf RpdVrf}({\sf pp}, {\sf spk}_{}^*, {\sf vpk}_{}^*, \mathsf {m}^*, \sigma ^*, \xi ^*) = 1$

Here, from formula (1) and the generic construction of $\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}$, it holds that $\Pi _{\rm\small {RRS}}.\mathsf {Vrf}({\sf pp}, R^*, \mathsf {m}^*, \sigma ^*) = 1$ in Definition 5. From formula (2) and the fact that $\mathsf {R}$ outputs $\lbrace {\sf spk}_{}^* \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace$ as the ring, it holds that $\lbrace {\sf spk}_{}^* \rbrace \cup \lbrace {\sf vpk}_{}^* \rbrace \cap \lbrace {\sf pk}_i \rbrace _{i\in [n]} \ne \emptyset$ in Definition 10. From formula (3) and the generic construction of $\Pi _{\rm\small {RDVS}}.{\sf RpdVrf}$, it holds that $b_{{\sf pk}} = 1$ in Definition 5. Thus, if $\mathsf {ExpFlsRpdDVS}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}} = 1$ in RDVS, then $\mathsf {ExpFlsRpdRRS}_{\Pi _{\rm\small {RRS}}, \mathsf {R}^{\mathcal {A}}} = 1$ in RRS.

Since $\mathcal {A}$ breaks the signer's unrepudiability of $\Pi _{\rm\small {RDVS}}$ with non-negligible probability, $\mathsf {R}^{\mathcal {A}}$ breaks that of $\Pi _{\rm\small {RRS}}$. Therefore, Claim 2 is shown. □

Discussion on Unrepudiability. We briefly discuss unrepudiable DVS. Park and Sealfon [12] introduce the notions of unclaimability and unrepudiability for ring signatures. We argue that unrepudiability (and unclaimability) of DVS can be handled in a manner similar to [12]. Unrepudiability of a DVS is a property that prohibits a signer from repudiating a signature. This property is useful in cases where there is a hierarchical relationship (such as a CEO and an employee) between a signer and a designated verifier, because the CEO might force his employee to repudiate a signature. We emphasize that standard DVSs tell nothing about (un)repudiability of a signer.

We argue that DVS with OTR against full key exposure implies unrepudiable DVS. Here, OTR against full key exposure means that the OTR property still holds even if the signer and the designated verifier in $\mathsf {ExpOTR}$ are corrupted. Such DVSs have already appeared in the literature [1, 17]. Intuitively, if repudiation were possible, OTR against full key exposure could be compromised.

5 CONCLUSION AND FUTURE WORK

This article presents a repudiable designated verifier signature scheme (RDVS), addressing a pivotal vulnerability inherent in conventional designated verifier signature schemes (DVS). Namely, in instances where a designated verifier simulates a signer's signature and asserts its origin from the signer, the signer retains the ability to repudiate such a claim. Repudiability is deemed indispensable when applying DVS in messaging applications and similar contexts.

A prospective avenue of research is to construct RDVS from primitives other than repudiable ring signature schemes (RRS). It is also theoretically important to investigate the equivalence between RDVS and RRS, in particular the feasibility of constructing RRS from RDVS.

Acknowledgement

This research was in part conducted under a contract of “Research and development on new generation cryptography for secure wireless communication services” among “Research and Development for Expansion of Radio Wave Resources (JPJ000254),” which was supported by the Ministry of Internal Affairs and Communications, Japan. This research was also in part conducted under JST CREST (JPMJCR21M5, JPMJCR22M1), and under JST AIP Acceleration Research (JPMJCR22U5).

REFERENCES

  [1] Suvradip Chakraborty, Dennis Hofheinz, Ueli Maurer, and Guilherme Rito. 2023. Deniable Authentication When Signing Keys Leak. In Advances in Cryptology – EUROCRYPT 2023. Springer Nature Switzerland, Cham, 69–100.
  [2] David Chaum. 1994. Designated confirmer signatures. In Workshop on the Theory and Application of Cryptographic Techniques. Springer, 86–91.
  [3] David Chaum. 1996. Private signature and proof systems. US Patent 5,493,614.
  [4] Ivan Damgård, Helene Haagh, Rebekah Mercer, Anca Nitulescu, Claudio Orlandi, and Sophia Yakoubov. 2020. Stronger Security and Constructions of Multi-designated Verifier Signatures. In Theory of Cryptography, Rafael Pass and Krzysztof Pietrzak (Eds.). Springer International Publishing, Cham, 229–260.
  [5] Cynthia Dwork and Moni Naor. 2000. Zaps and Their Applications. In 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, 12-14 November 2000, Redondo Beach, California, USA. IEEE Computer Society, 283–293.
  [6] Xinyi Huang, Willy Susilo, Yi Mu, and Futai Zhang. 2006. Restricted Universal Designated Verifier Signature. In Proceedings of the Third International Conference on Ubiquitous Intelligence and Computing. 874–882.
  [7] Markus Jakobsson, Kazue Sako, and Russell Impagliazzo. 1996. Designated Verifier Proofs and Their Applications. In Advances in Cryptology — EUROCRYPT ’96, Ueli Maurer (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 143–154.
  [8] Fabien Laguillaumie and Damien Vergnaud. 2004. Multi-designated Verifiers Signatures. In Information and Communications Security, Javier Lopez, Sihan Qing, and Eiji Okamoto (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 495–507.
  [9] Fabien Laguillaumie and Damien Vergnaud. 2007. Multi-Designated Verifiers Signatures: Anonymity without Encryption. Inf. Process. Lett. 102, 2–3 (apr 2007), 127–132.
  [10] Moxie Marlinspike. 2013. Advanced cryptographic ratcheting.
  [11] Silvio Micali, Salil Vadhan, and Michael Rabin. 1999. Verifiable Random Functions. In Proceedings of the 40th Annual Symposium on Foundations of Computer Science (FOCS ’99). 120.
  [12] Sunoo Park and Adam Sealfon. 2019. It wasn't me! Repudiability and Unclaimability of Ring Signatures. In Annual International Cryptology Conference. Springer, 159–190.
  [13] Shahrokh Saeednia, Steve Kremer, and Olivier Markowitch. 2004. An Efficient Strong Designated Verifier Signature Scheme. In Information Security and Cryptology - ICISC 2003. 40–54.
  [14] Ron Steinfeld, Laurence Bull, Huaxiong Wang, and Josef Pieprzyk. 2003. Universal designated-verifier signatures. In Advances in Cryptology - ASIACRYPT 2003. 523–542.
  [15] Kyosuke Yamashita and Keisuke Hara. 2023. On the Black-Box Impossibility of Multi-Designated Verifiers Signature Schemes from Ring Signature Schemes. Cryptology ePrint Archive, Paper 2023/1249.
  [16] Kyosuke Yamashita, Keisuke Hara, Yohei Watanabe, Naoto Yanai, and Junji Shikata. 2023. Designated Verifier Signature with Claimability. In Proceedings of the 10th ACM Asia Public-Key Cryptography Workshop (APKC ’23). 21–32.
  [17] Yunmei Zhang, Man Ho Au, Guomin Yang, and Willy Susilo. 2012. (Strong) Multi-Designated Verifiers Signatures Secure against Rogue Key Attack. In Network and System Security, Li Xu, Elisa Bertino, and Yi Mu (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 334–347.

A DIRECT CONSTRUCTION OF RDVS FROM ZAP AND VRF

Here, we provide a direct construction of RDVS from ZAPs [5] and VRF [11] for completeness of this article.

A.1 ZAPs and VRFs

First, we introduce a ZAP, a two-round public coin witness indistinguishable protocol.

Definition 11 (ZAP) A ZAP for an NP language L with witness relation $\mathcal {R}_L$ written $\Pi _{\rm\small {ZAP}}^L$ consists of three algorithms $(\mathsf {Set}, {\sf Prove}, {\sf Vrf})$, where $\mathsf {Set}$ and ${\sf Prove}$ are PPT and ${\sf Vrf}$ is polynomial-time deterministic, that work as follows:

  • $\mathsf {Set}(1^\lambda) \rightarrow \rho$ : Given a security parameter $1^\lambda$, it outputs a first-round message ρ.
  • ${\sf Prove}(\rho, x, w) \rightarrow \pi$ : Given a first-round message ρ, a statement x, and witness w, it outputs a second-round message (meaning a proof) π.
  • ${\sf Vrf}(\rho, \pi, x) \rightarrow 1/0:$ Given a first-round message ρ, a second-round message π, and statement x, it outputs 1 (meaning valid) or 0 (meaning invalid).

The security requirements of ZAPs are public coins, completeness, adaptive soundness, and witness indistinguishability defined as follows.

Definition 12 (Public Coins) The first-round message ρ output by the $\mathsf {Set}(1^\lambda)$ is a uniformly random bit string whose length is polynomial in the security parameter λ.

Definition 13 (Completeness) For any statement x and witness w satisfying the binary relation $\mathcal {R}_L$, and for any ρ, the following holds:

Math 541

Definition 14 (Adaptive Soundness) The following probability is negligible:

Math 542

Definition 15 (Witness Indistinguishability) For any $\lbrace \rho _i \rbrace _{i\in \mathbb {N}}$, $\lbrace x_i \rbrace _{i \in \mathbb {N}}$, $\lbrace w_{0,i} \rbrace _{i \in \mathbb {N}}$ and $\lbrace w_{1,i} \rbrace _{i \in \mathbb {N}}$, where $\rho _i \in \lbrace 0,1 \rbrace ^{\mathsf {poly}(\lambda)}$, $x_i \in L$, $(x_i, w_{0,i}) \in \mathcal {R}_L$ and $(x_i, w_{1,i}) \in \mathcal {R}_L$, the two sets of a ZAP proof

Math 550
and
Math 551
are computationally indistinguishable.

The next building block of our construction is a verifiable random function (VRF).

Definition 16 (VRF) A VRF consists of four polynomial time algorithms $({\sf Gen}, \mathsf {Eval}, {\sf Prove}, {\sf Vrf})$, where ${\sf Gen}$ and ${\sf Vrf}$ are PPT and $\mathsf {Eval}$ and ${\sf Prove}$ are polynomial time deterministic, that work as follows:

  • ${\sf Gen}(1^\lambda) \rightarrow ({\sf pk}, {\sf sk})$: Given a security parameter, it outputs a public key ${\sf pk}$ and a secret key ${\sf sk}$.
  • $\mathsf {Eval}({\sf sk}, x) \rightarrow y$: Given a secret key ${\sf sk}$ and a string x, it outputs a string y.
  • ${\sf Prove}({\sf sk}, x) \rightarrow \tau$ : Given a secret key ${\sf sk}$ and a string x, it outputs a proof τ.
  • ${\sf Vrf}({\sf pk}, x, y, \tau) \rightarrow 1/0$: Given a public key ${\sf pk}$, a string x, a string y, and a proof τ, it outputs 1 (meaning valid) or 0 (meaning invalid).

The security requirements of VRFs are complete provability, unique provability, and residual pseudorandomness defined as follows. We also introduce the Parallel VRF Game, which is not a security requirement but is necessary to prove the security of our construction of RDVS.

Definition 17 (Complete provability) For all $({\sf pk}, {\sf sk}) \leftarrow \Pi _{\rm\small {VRF}}.{\sf Gen}(1^\lambda)$ and all strings x, the following holds:

Math 567

Definition 18 (Unique provability) For all ${\sf pk}, x, y_1, y_2 (\ne y_1), \tau _1, \tau _2$, for either i = 1 or i = 2 the following holds:

Math 569

Definition 19 (Residual pseudorandomness) For any PPT adversary $\mathcal {A}$, it holds that

Math 571
where $\mathsf {ExpRP}$ is defined as follows:
Math 573
where the oracles $\mathsf {O}_\mathsf {Eval}^{({\sf sk}, \cdot)}$ and $\mathsf {O}_\mathsf {Prove}^{({\sf sk}, \cdot)}$ work as follows:

  • $\mathsf {O}_\mathsf {Eval}$: Given a string x, it outputs $\Pi _{\rm\small {VRF}}.\mathsf {Eval}({\sf sk}, x)$ and updates $L_\mathsf {Eval}:=L_\mathsf {Eval}\cup \lbrace x \rbrace$.
  • $\mathsf {O}_\mathsf {Prove}$: Given a string x, it outputs $\Pi _{\rm\small {VRF}}.{\sf Prove}({\sf sk}, x)$ and updates $L_\mathsf {Prove}:=L_\mathsf {Prove}\cup \lbrace x \rbrace$.

Definition 20 (Parallel VRF Game) Let $\Pi _{\rm\small {VRF}}$ be a VRF. Then for any PPT adversary $\mathcal {A}$, the following holds:

Math 584
where $\mathsf {ExpPVRF}$ is defined as follows:
Math 586
where the oracles $\mathsf {O}_\mathsf {EvlPrv}$, $\mathsf {O}_\mathsf {EvlPrv}^{\langle x^*\rangle }$, and $\mathsf {O}_\mathsf {SK}$ work as follows:

  • $\mathsf {O}_\mathsf {EvlPrv}$: Given a pair of an index and a message (i, x), it outputs $(y,\tau) = (\Pi _{\rm\small {VRF}}.\mathsf {Eval}({\sf sk}_i, x), \Pi _{\rm\small {VRF}}.{\sf Prove}({\sf sk}_i, x))$ and updates $L_\mathsf {EvlPrv}:=L_\mathsf {EvlPrv}\cup \lbrace (i, x) \rbrace$.
  • $\mathsf {O}_\mathsf {EvlPrv}^{\langle x^*\rangle }$: Output ⊥ if (·, x*) is given as an input, otherwise it works the same as $\mathsf {O}_\mathsf {EvlPrv}$.
  • $\mathsf {O}_\mathsf {SK}$: Given an index i, it outputs ${\sf sk}_i$ and updates $L_\mathsf {SK}:=L_\mathsf {SK}\cup \lbrace i \rbrace$.

A.2 RDVS from ZAP and VRF

Now, we provide our construction of RDVS from ZAPs and VRF. Our construction is similar to the construction of RRS in [12]. We highlight the construction of RDVS before the formal description.

The key generation algorithms for signers and designated verifiers are the same. A public key consists of four VRF public keys, two first-round messages for (two distinct) ZAPs, and uniformly chosen randomness for VRF verification. A secret key contains four VRF secret keys. We remark that these four keys are needed to prove OTR. Further, the randomness in a public key is required to guarantee that the verification is done correctly.

Roughly, a signature consists of strings (say $\vec{y} = (y_1, \ldots, y_4)$) that are created by the evaluation algorithm of the VRF on a message, and proofs (say $\vec{\pi } = (\pi _1, \pi _2)$) created by the ZAP that guarantee the strings are indeed generated by the signer or the designated verifier. Unforgeability stems from the residual pseudorandomness of the VRF in the parallel VRF game, and OTR comes from the witness indistinguishability of the ZAP.

When a signer wants to repudiate a signature, the most trivial way might be to reveal his strings $\vec{y^{\prime }}$ on the same message. However, malicious parties could use $\vec{y^{\prime }}$ to forge a signature on the same message even though the signer has not signed it. Therefore, we employ another ZAP using VRF proofs $\vec{\tau ^{\prime }} = (\tau ^{\prime }_1, \ldots, \tau ^{\prime }_4)$ to guarantee that (the secret) $\vec{y^{\prime }}$ is not equal to the one in the signature. Repudiability comes from the residual pseudorandomness of the VRF in the parallel VRF game.

Now, we introduce a language L (resp., L′) for ZAP used in the signing algorithm (resp., the repudiation algorithm). We first provide the description of the language L. Let ${\sf spk}_{} = (({\sf pk}^0_1, \ldots, {\sf pk}^0_4), \rho _0, \rho ^{\prime }_0, \vec{\alpha })$ and ${\sf vpk}_{} = (({\sf pk}^1_1, \ldots, {\sf pk}^1_4), \rho _1, \rho ^{\prime }_1, \vec{\alpha ^{\prime }})$, where $\vec{\alpha } = (\alpha ^0_1, \ldots, \alpha ^0_M)$ and $\vec{\alpha ^{\prime }} = (\alpha ^{\prime 1}_1, \ldots, \alpha ^{\prime 1}_M)$. The language L is defined as follows.

\begin{eqnarray*} \begin{split} &L = \lbrace {\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \varphi, \vec{y} = (y_1,\ldots, y_4) :\\ &\exists b \in \lbrace 0, 1 \rbrace, \tau _1, \ldots, \tau _4, \gamma \, s.t.\, (b_1 \vee b_2) \wedge (b_3 \vee b_4)\, where \, \forall \eta \in [4], \\ &b_\eta = \bigwedge _{j \in [M]} \Pi _{\rm\small {VRF}}.\mathsf {Vrf}({\sf pk}^b_\eta, ({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \varphi), y_{\eta }, \tau _{\eta }; \alpha ^b_j \oplus \gamma) \rbrace. \end{split} \end{eqnarray*}

Next, we introduce the language L′. Let ${\sf spk}_{} = (({\sf pk}_1, \ldots, {\sf pk}_4), \rho, \rho ^{\prime }, \vec{\alpha })$ where $\vec{\alpha } = (\alpha _1, \ldots, \alpha _M)$. The language L′ is defined as follows.

\begin{eqnarray*} \begin{split} &L^{\prime } = \lbrace {\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \varphi, \vec{y} = (y_1, \ldots, y_4) :\\ &\exists y^{\prime }_1, \ldots, y^{\prime }_4, \tau ^{\prime }_1, \ldots, \tau ^{\prime }_4, \gamma \, s.t.\, (b_1 \wedge b_2) \vee (b_3 \wedge b_4)\, where \, \forall \eta \in [4], \\ &b_\eta = \\ &(y^{\prime }_{\eta } \ne y_{\eta }) \wedge \,\,(\bigwedge _{j \in [M]} \Pi _{\rm\small {VRF}}.\mathsf {Vrf}({\sf pk}_i, ({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \varphi), y_{\eta }, \tau _{\eta }; \alpha _j \oplus \gamma)) \rbrace. \end{split} \end{eqnarray*}

The Construction. Let $\Pi _{\rm\small {VRF}}$ be a VRF, $\Pi _{\rm\small {ZAP}}^{L}$ a ZAP for L, and $\Pi _{\rm\small {ZAP}}^{L^{\prime }}$ a ZAP for L′. Our construction $\Pi _{\rm\small {RDVS}}$ of RDVS is as follows.

  • $\Pi _{\rm\small {RDVS}}.\mathsf {Set}(1^{\lambda })$: Given a security parameter $1^\lambda$, choose a constant M satisfying $M \ge (\nu + \lambda)/\log _2(1/\epsilon)$, where ν is the bit length of the randomness given to $\Pi _{\rm\small {VRF}}.{\sf Vrf}$ as an input and ϵ is the verification failure probability, and then output ${\sf pp}= (M, \nu)$.
  • $\Pi _{\rm\small {RDVS}}.\mathsf {SKG}({\sf pp})$: Given a public parameter ${\sf pp}$, it works as follows:
    1. Choose four VRF key pairs $({\sf pk}_1, {\sf sk}_1),..., ({\sf pk}_4, {\sf sk}_4) \leftarrow \Pi _{\rm\small {VRF}}.{\sf Gen}(1^\lambda).$
    2. Choose two first-round messages of ZAPs $\rho \leftarrow \Pi _{\rm\small {ZAP}}^L.\mathsf {Set}(1^\lambda)$ and $\rho ^{\prime }\leftarrow \Pi _{\rm\small {ZAP}}^{L^{\prime }}.\mathsf {Set}(1^\lambda)$.
    3. Choose M random ν bit strings $\vec{\alpha } = (\alpha _1,..., \alpha _M) \leftarrow (\lbrace 0,1 \rbrace ^\nu)^M$.
    4. Output ${\sf spk}_{} = (({\sf pk}_1,..., {\sf pk}_4), \rho, \rho ^{\prime }, \vec{\alpha })$ and ${\sf ssk}_{} = (({\sf sk}_1,..., {\sf sk}_4), {\sf spk}_{})$.
  • $\Pi _{\rm\small {RDVS}}.\mathsf {VKG}({\sf pp})$: Given a public parameter ${\sf pp}$, it works the same as $\Pi _{\rm\small {RDVS}}.\mathsf {SKG}$ except that the output is labeled as $({\sf vpk}_{}, {\sf vsk}_{})$.
  • $\Pi _{\rm\small {RDVS}}.\mathsf {DVSign}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf ssk}_{}, \mathsf {m})$: Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a signer's secret key ${\sf ssk}_{}$, and a message $\mathsf {m}$, it works as follows:
    1. Parse ${\sf pp}= (M, \nu)$, let $({\sf pk}_1, {\sf pk}_2) = ({\sf spk}_{}, {\sf vpk}_{})$, and parse ${\sf ssk}_{} = (({\sf sk}_1,..., {\sf sk}_4), {\sf pk}_1)$.
    2. Choose a ν-bit string $\gamma \leftarrow \lbrace 0, 1 \rbrace ^\nu$ and a λ-bit string $\varphi \leftarrow \lbrace 0, 1 \rbrace ^\lambda$ uniformly at random.
    3. For each η ∈ [4], calculate $y_\eta = \Pi _{\rm\small {VRF}}.\mathsf {Eval}({\sf sk}_\eta, ({\sf pk}_1, {\sf pk}_2, \mathsf {m}, \varphi))$ and $\tau _\eta = \Pi _{\rm\small {VRF}}.{\sf Prove}({\sf sk}_\eta, ({\sf pk}_1, {\sf pk}_2, \mathsf {m}, \varphi))$, and let $\vec{y} = (y_1,..., y_4)$.
    4. For each i ∈ [2], parse ${\sf pk}_i = (\vec{{\sf pk}}_i, \rho _i, \rho ^{\prime }_i, \vec{\alpha _i})$ and run $\pi _i \leftarrow \Pi _{\rm\small {ZAP}}^L.{\sf Prove}(\rho _i, ({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \vec{y}), (1, \tau _1, \bot, \tau _3, \bot, \gamma))$, and let $\vec{\pi } = (\pi _1, \pi _2)$.
    5. Output $\sigma = (\vec{\pi }, \vec{y}, \varphi)$.
  • $\Pi _{\rm\small {RDVS}}.{\sf Sim}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf vsk}_{}, \mathsf {m})$: Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a verifier's secret key ${\sf vsk}_{}$, and a message $\mathsf {m}$, it works as follows:
    1. Parse ${\sf pp}= (M, \nu)$, let $({\sf pk}_1, {\sf pk}_2) = ({\sf spk}_{}, {\sf vpk}_{})$, and parse ${\sf vsk}_{} = (({\sf sk}_1,..., {\sf sk}_4), {\sf pk}_1)$.
    2. Choose a ν-bit string $\gamma \leftarrow \lbrace 0, 1 \rbrace ^\nu$ and a λ-bit string $\varphi \leftarrow \lbrace 0, 1 \rbrace ^\lambda$ uniformly at random.
    3. For each η ∈ [4], calculate $y_\eta = \Pi _{\rm\small {VRF}}.\mathsf {Eval}({\sf sk}_\eta, ({\sf pk}_1, {\sf pk}_2, \mathsf {m}, \varphi))$ and $\tau _\eta = \Pi _{\rm\small {VRF}}.{\sf Prove}({\sf sk}_\eta, ({\sf pk}_1, {\sf pk}_2, \mathsf {m}, \varphi))$, and let $\vec{y} = (y_1,..., y_4)$.
    4. For each i ∈ [2], parse ${\sf pk}_i = (\vec{{\sf pk}}_i, \rho _i, \rho ^{\prime }_i, \vec{\alpha _i})$ and run $\pi _i \leftarrow \Pi _{\rm\small {ZAP}}^L.{\sf Prove}(\rho _i, ({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \vec{y}), (2, \tau _1, \bot, \tau _3, \bot, \gamma))$, and let $\vec{\pi } = (\pi _1, \pi _2)$.
    5. Output $\sigma = (\vec{\pi }, \vec{y}, \varphi)$.
  • $\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma)$: Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a message $\mathsf {m}$, and a signature σ, it works as follows:
    1. Let $({\sf pk}_1, {\sf pk}_2) = ({\sf spk}_{}, {\sf vpk}_{})$ and parse $\sigma = ((\pi _1, \pi _2), \vec{y}, \varphi)$.
    2. For i ∈ [2], parse ${\sf pk}_i = (\vec{{\sf pk}_i}, \rho _i, \rho ^{\prime }_i, \vec{\alpha _i})$ and $b_i = \Pi _{\rm\small {ZAP}}^L.\mathsf {Vrf}(\rho _i, \pi _i, ({\sf pk}_1, {\sf pk}_2, \mathsf {m}, \varphi, \vec{y}))$.
    3. Output $b_1 \wedge b_2$.
  • $\Pi _{\rm\small {RDVS}}.{\sf Rpd}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, {\sf ssk}_{}, \mathsf {m}, \sigma)$: Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a signer's secret key ${\sf ssk}_{}$, a message $\mathsf {m}$, and a signature σ, it works as follows:
    1. If $\Pi _{\rm\small {RDVS}}.\mathsf {Vrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma) = 0$ then output ⊥.
    2. Parse ${\sf pp}= (M, \nu)$, ${\sf ssk}_{} = (({\sf sk}_1,..., {\sf sk}_4), {\sf pk}_1)$, and $\sigma = ((\pi _1, \pi _2), \vec{y}, \varphi)$ and let $({\sf pk}_1, {\sf pk}_2) = ({\sf spk}_{}, {\sf vpk}_{})$.
    3. Choose a ν-bit string $\gamma \leftarrow \lbrace 0, 1 \rbrace ^\nu$ uniformly at random.
    4. For η ∈ [4], calculate $y^{\prime }_\eta = \Pi _{\rm\small {VRF}}.\mathsf {Eval}({\sf sk}_\eta, ({\sf pk}_1, {\sf pk}_2, \mathsf {m}, \varphi))$ and $\tau ^{\prime }_\eta = \Pi _{\rm\small {VRF}}.{\sf Prove}({\sf sk}_\eta, ({\sf pk}_1, {\sf pk}_2, \mathsf {m}, \varphi))$.
    5. For i ∈ [2], parse ${\sf pk}_i = (\vec{{\sf pk}_i}, \rho _i, \rho _i^{\prime }, \vec{\alpha _i})$, compute $\xi _i \leftarrow \Pi _{\rm\small {ZAP}}^{L^{\prime }}.{\sf Prove}(\rho _i,({\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \varphi, \vec{y}), (1, y^{\prime }_1, y^{\prime }_2, \bot, \bot, \tau ^{\prime }_1, \tau ^{\prime }_2, \bot, \bot, \gamma))$, and set $\xi = (\xi _1, \xi _2)$.
    6. Output ξ.
  • $\Pi _{\rm\small {RDVS}}.{\sf RpdVrf}({\sf pp}, {\sf spk}_{}, {\sf vpk}_{}, \mathsf {m}, \sigma, \xi)$: Given a public parameter ${\sf pp}$, a signer's public key ${\sf spk}_{}$, a verifier's public key ${\sf vpk}_{}$, a message $\mathsf {m}$, a signature σ, and a repudiation ξ, it works as follows:
    1. Let $({\sf pk}_1, {\sf pk}_2) = ({\sf spk}_{}, {\sf vpk}_{})$ and parse $\sigma = ((\pi _1, \pi _2), \vec{y}, \varphi)$ and $\xi = (\xi _1, \xi _2)$.
    2. For i ∈ [2], parse ${\sf pk}_i = (\vec{{\sf pk}_i}, \rho _i, \rho ^{\prime }_i, \vec{\alpha _i})$ and calculate $b_i = \Pi _{\rm\small {ZAP}}^{L^{\prime }}.{\sf Vrf}(\rho ^{\prime }_i, \xi _i, ({\sf pk}_1, {\sf pk}_2, \mathsf {m}, \varphi, \vec{y}))$.
    3. Output $b_1 \wedge b_2$.
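The following Python sketch is an added illustration, not code from the paper: it evaluates the witness relations of L and L′ directly, with no ZAP proof generated, to show why a signer can repudiate a signature simulated by the designated verifier but not one of his own. Assumptions: a toy RSA full-domain-hash VRF stands in for $\Pi _{\rm\small {VRF}}$, its verification is deterministic so γ, $\vec{\alpha }$ and the M-fold conjunction drop out, the check in L′ is applied to $(y^{\prime }_\eta, \tau ^{\prime }_\eta)$ under the signer's keys as the prose of A.2 describes, and all function names are hypothetical.

```python
import hashlib, secrets
from math import gcd

E = 65537  # public exponent of the toy RSA-FDH VRF (the paper fixes no concrete VRF)

def is_prime(n):  # Miller-Rabin with 24 random bases; n is a large odd candidate
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(24):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def rand_prime(bits=160):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if gcd(E, p - 1) == 1 and is_prime(p):
            return p

def vrf_gen():  # toy key size, illustration only; pk = n, sk = (n, d)
    p, q = rand_prime(), rand_prime()
    return p * q, (p * q, pow(E, -1, (p - 1) * (q - 1)))

def fdh(x, n):  # hash the VRF input into Z_n
    return int.from_bytes(hashlib.sha512(x).digest(), "big") % n

def y_of(tau):  # VRF output y, derived from the RSA proof tau
    return hashlib.sha256(str(tau).encode()).hexdigest()

def vrf_vrf(pk, x, y, tau):  # None stands for the paper's "bottom"
    return tau is not None and 0 <= tau < pk and pow(tau, E, pk) == fdh(x, pk) and y_of(tau) == y

def keygen():  # four VRF key pairs as in SKG/VKG; rho, rho', alpha are omitted
    return [list(c) for c in zip(*(vrf_gen() for _ in range(4)))]

def eval_prove_all(sks, x):  # ([y_1..y_4], [tau_1..tau_4]) under each secret key
    taus = [pow(fdh(x, n), d, n) for n, d in sks]
    return [y_of(t) for t in taus], taus

def in_RL(pks_b, x, y, taus):  # relation of L: (b1 or b2) and (b3 or b4)
    v = [vrf_vrf(pks_b[i], x, y[i], taus[i]) for i in range(4)]
    return (v[0] or v[1]) and (v[2] or v[3])

def in_RLp(spk, x, y, y2, taus2):  # relation of L': (b1 and b2) or (b3 and b4)
    v = [y2[i] != y[i] and vrf_vrf(spk[i], x, y2[i], taus2[i]) for i in range(4)]
    return (v[0] and v[1]) or (v[2] and v[3])

def demo():
    (spk, ssk), (vpk, vsk) = keygen(), keygen()
    x = repr((spk, vpk, "m", secrets.token_hex(16))).encode()  # (spk, vpk, m, phi)
    (y_s, t_s), (y_v, t_v) = eval_prove_all(ssk, x), eval_prove_all(vsk, x)  # DVSign / Sim
    return {
        "sign_in_L": in_RL(spk, x, y_s, [t_s[0], None, t_s[2], None]),
        "sim_in_L": in_RL(vpk, x, y_v, [t_v[0], None, t_v[2], None]),
        "repudiate_sim": in_RLp(spk, x, y_v, y_s[:2] + [None] * 2, t_s[:2] + [None] * 2),
        "repudiate_own": in_RLp(spk, x, y_s, y_s[:2] + [None] * 2, t_s[:2] + [None] * 2),
    }
```

Because the VRF is deterministic, the signer's recomputed $\vec{y^{\prime }}$ equals $\vec{y}$ on his own signature, so no witness for L′ exists and `repudiate_own` is false.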

Proof Sketch. First, the correctness of $\Pi _{\rm\small {RDVS}}$ is immediate. Then, we provide the proof sketch for security properties.

Regarding the unforgeability, suppose that $\Pi _{\rm\small {RDVS}}$ is not unforgeable. This means that there is a PPT adversary that creates a correct signature on a message without a secret key of $\Pi _{\rm\small {RDVS}}$ with non-negligible probability. In this case, such an adversary can produce a pseudorandom value evaluated by $\Pi _{\rm\small {VRF}}$ without the secret keys of $\Pi _{\rm\small {VRF}}$. Thus, the existence of the adversary contradicts the residual pseudorandomness of $\Pi _{\rm\small {VRF}}$ in the parallel VRF game. Repudiability can be proven in a similar manner.

Regarding the OTR, it is proved using a hybrid argument for $\lbrace \mathsf {Hyb}_1, \ldots, \mathsf {Hyb}_6 \rbrace$. Let the first hybrid $\mathsf {Hyb}_1$ be the experiment $\mathsf {ExpOTR}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}(1^{\lambda })$ conditioned on b = 0 with a PPT adversary $\mathcal {A}$ and $\sigma = (\vec{\pi }, \vec{y} = (y_1, \ldots, y_4), \varphi)$ a challenge signature. In the next hybrid $\mathsf {Hyb}_2$, we replace $y_2$ and $y_4$ with uniformly chosen $y^{\prime }_2$ and $y^{\prime }_4$, respectively. Note that σ still passes the verification with high probability because $y_1$ and $y_3$ are correct values. The difference between $\mathsf {Hyb}_1$ and $\mathsf {Hyb}_2$ is negligible due to the pseudorandomness of $\Pi _{\rm\small {VRF}}$.

In the third hybrid $\mathsf {Hyb}_3$, we swap $y^{\prime }_2$ and $y^{\prime }_4$ with $y^*_2$ and $y^*_4$, respectively, which are created by using the secret key belonging to the user who corresponds to b = 1 (in the following, we call this user user1). Similarly to the previous hybrid, the difference between $\mathsf {Hyb}_2$ and $\mathsf {Hyb}_3$ is negligible.

In the fourth hybrid $\mathsf {Hyb}_4$, we modify the game so that the signature is created for user1. This signature should be valid since $y^*_2$ and $y^*_4$ are valid values for user1. $\mathsf {Hyb}_3$ and $\mathsf {Hyb}_4$ are indistinguishable due to the witness indistinguishability of $\Pi _{\rm\small {ZAP}}^L$.

Next, in $\mathsf {Hyb}_5$, we replace $y_1$ and $y_3$ with uniformly chosen values $y^{\prime }_1$ and $y^{\prime }_3$, respectively. Similar to the discussion in $\mathsf {Hyb}_3$, the difference between $\mathsf {Hyb}_4$ and $\mathsf {Hyb}_5$ is negligible.

Finally, in $\mathsf {Hyb}_6$, we replace $y^{\prime }_1$ and $y^{\prime }_3$ with $y^*_1$ and $y^*_3$, respectively, where $y^*_1$ and $y^*_3$ are values that are created by using the secret key of user1. Similar to the discussion in $\mathsf {Hyb}_3$, the difference between $\mathsf {Hyb}_5$ and $\mathsf {Hyb}_6$ is negligible. Now, we can observe that $\mathsf {Hyb}_6$ is exactly the same as the experiment $\mathsf {ExpOTR}_{\Pi _{\rm\small {RDVS}}, \mathcal {A}}(1^{\lambda })$ conditioned on b = 1, which concludes the proof of OTR.

FOOTNOTE

1 In Appendix A, while it is obvious that our RDVS scheme can be obtained using ZAP and VRF, we provide a full description of the direct construction of RDVS from ZAP and VRF for completeness. We believe that the description of this direct construction facilitates the understanding of RDVS.

This work is licensed under a Creative Commons Attribution International 4.0 License.

APKC '24, July 01–05, 2024, Singapore, Singapore

© 2024 Copyright held by the owner/author(s).
ACM ISBN 979-8-4007-0687-5/24/07.
DOI: https://doi.org/10.1145/3659467.3659901