Certificateless designated verifier signature revisited: achieving a concrete scheme in the standard model
In a designated verifier signature (DVS) scheme, the signer (Alice) creates a signature which is only verifiable by a designated verifier (Bob). Furthermore, Bob cannot convince any third party that the signature was produced by Alice. A DVS scheme is applicable in scenarios where Alice must be authenticated to Bob without disturbing her privacy. The de-facto construction of DVS scheme is achieved in a traditional public key infrastructure (PKI) setting, which unfortunately requires a high-cost certificate management. A variant of identity-based (ID-based) setting DVS eliminates the need of certificates, but it introduces a new inherent key escrow problem, which makes it impractical. Certificateless public key cryptography (CL-PKC) is empowered to overcome the problems of PKI and ID-based settings, where it does not suffer from any of the aforementioned problems. However, only a few number of certificateless DVS (CL-DVS) schemes have been proposed in the literature to date. Moreover, all existing CL-DVS schemes are only proven secure in the random oracle model, while some of them are already known to be insecure. We provide three contributions in this paper. First, we revisit the security proofs of existing CL-DVS schemes in the literature and show that unfortunately there are some drawbacks in the proofs of all of those schemes. Second, we concentrate on the recently proposed CL-DVS scheme (IEEE Access 2018) and show a drawback in its security proof which makes it unreliable. Furthermore, we show that this scheme is delegatable in contrast to the author's claim. Finally, we propose a CL-DVS scheme and prove its security requirements in the standard model. Our scheme is not only the first scheme with a complete and correct security proofs, but also the only scheme in the standard model.