Constructing Strong Designated Verifier Signatures from Key Encapsulation Mechanisms

A designated verifier signature (DVS) allows a signer to convince a verifier that a message has been endorsed in a way that the conviction cannot be transferred to any third party. This is achieved by the property that the signature can be generated by one of them. Since DVS is publicly verifiable, a valid DVS implies that the signature must be created by either the signer or the verifier. To enhance privacy of signers' identity, a strong DVS (SDVS) disallows public verification. In this paper, we investigate various aspects of SDVS with making two contributions. Firstly, we consider SDVS in the multi-user setting and propose two strengthened models, namely, multi-user and multi-user+. To illustrate the significance of our models, we show that it is possible to forge an SDVS when the attacker is given signatures from an honest signer to multiple dishonest verifiers. Secondly, we give a generic construction of SDVS from Key Encapsulation Mechanism (KEM) and Pseudorandom Function (PRF) in the standard model. Our generic construction is secure in the multi-user setting if the underlying KEM and PRF are secure. We also give instantiations based on DDH and LWE assumptions respectively.