A designated verifier multi-signature scheme in multi-clouds

Multi-cloud computing provides services by used different clouds simultaneously multi-signature can be used as the interactive technology between multi-cloud and users. However, the limited resources of some terminal devices make multi-signature, which based on bilinear map, is not suitable for multi-cloud computing environment. In addition, the signers are disclosure in multi-signature so there is the risk of attack. To solve this issues, this paper proposes a certificateless designated verifier multi-signature scheme based on multivariable public key cryptography (MPKC). Firstly, the formalized definition and security model of the proposed scheme are given. Secondly, it is proved that the proposed scheme is against adaptive chosen-message attacks. Finally, the analysis shows that the proposed scheme is more efficiency and suitable for multi-cloud. Moreover, the proposed scheme can hidding signature source to achieve privacy protection.

With the development of fifth-generation (5G) technology [1], the data processing capacity requirements of the Internet of Things (IoT) have been increasing [2, 3], so, many users entrust data processing to cloud computing for more efficiency [4]. Cloud computing is a paradigm of distributed computing, which can execute computing by dynamically scalable virtualized resources on the basis of the existence of the internet [5]. However, there are many security issues in cloud computing. Such as malicious attacks [6], privacy of data [7], real-time data processing [8] and issues caused by multi-cloud computing [9].

A. Malicious attacks

Cloud computing does not use virtual private network (VPN) [10], which means that servers in cloud computing can access the Internet, it makes cloud computing vulnerable to malicious attacks [11]. Blockchain is a decentralized technology, by deploying cloud computing on the alliance chain, users participating in cloud computing need to be authenticated [12], can effectively prevent cloud computing from being attacked by malicious users.

B. Privacy of data

Cloud data is usually stored in plain text, which seriously affects the privacy of data. Besides, some attacks caused by combined with blockchain also bring privacy issues [13]. Federated learning (FL), as an emerging artificial intelligence basic technology, can ensure efficient machine learning with protecting the privacy of terminal data and personal data [14]. So the combination of FL and cloud computing could solve privacy of data.

C. Real-time data processing

With the popularity of smart wearable devices [15], a lot of data needs to be processed and feedback in real time [16]. Due to the delay in the cloud computing data transmission process, it cannot be used for real-time data processing [17], which is the third issue faced by cloud computing [18]. For example, cars need to process the data generated by the surrounding environment in real-time to form the instructions for the driving process of the car [19]. Edge computing, puts more emphasis on the edge, has more real-time and faster data processing capabilities. Data processing is also faster due to reduced intermediate transfers [20]. The combination of cloud computing and edge computing solves the issue of data transmission delay in cloud computing and makes data processing more accurate.

D. Multi-cloud computing

Multi-cloud computing is a techology which uses two or more cloud servicer providers(CSPs) to satisfy the needed of all users [21], but trust and security have prevented businesses from fully accepting cloud platforms [22]. Multi-signature, a solution of trust and security in issues with multi-user participation, can be used in multi-cloud. This paper mainly improves the multi-signature technology used in cloud computing, and focusing on its security and efficiency.

The original multi-signature scheme uses a certificate-based public key cryptosystem [23], that is, when using a public key, it is necessary to verify the validity of public key certificate(CA) before using it to verify signatures or encrypt data [24]. The certificateless multi-signature scheme reduces the computation overhead and storage cost, so is more widely used than the certificate-based multi-signature scheme [25, 26]. In 2018, Yanai et al. [27] proposed a three-round interactive multi-signature party constructed by using global hashing, and reduced the security of the scheme to the The Computational Diffie-Hellman(CDH) problem in bilinear groups. In the same year, Maxwell et al. [28] proposed a new Schnorr multi-signature scheme. The signature process of this scheme only requires two rounds of interaction, and the security is reduced to the discrete logarithmic difficulty. In 2019, Drijvers et al. [29] analyzed the multi-signature scheme of the two-round interaction, pointed out that the existing scheme has subtle defects in the security proof, and proposed a variant of the BCJ scheme [30] mBCJ scheme, the security of the proposed scheme is reduced to the assumption of discrete logarithmic difficulty in random oracle model. But the development of quantum computing poses a serious threat to the public key cryptosystem [31, 32], and also has an impact on the multi-signature scheme constructed which based on the public key cryptosystem. Therefore, how to construct a new public key cryptosystem to defend against quantum computer attacks has become a research hotspot in cryptography. At present, the effective methods for quantum computer attacks mainly include code-based encryption, lattice-based encryption, multivariate quadratic equation-based encryption. encryption and hash-based encryption [33]. In 2020, Kansal et al. [34] proposed the first lattice-based multi-signature scheme, which supports signature compression and public key aggregation. In 2021, they improved the scheme of [34], while ensuring the security of the scheme, the new scheme reduces its communication and storage overhead [35]. In 2021, Yu et al. [36] proposed the first multi-signature scheme based on MPKC. The security of MPKC relies on solving quadratic polynomial equations over finite fields.

For these issues, this paper proposes a certificateless designated verifier multi-signature scheme based on MPKC(MPKC-DVMS), and gives the formalized definition and security model of the scheme. Compared with the scheme [36], this scheme reduces the number of signature participants and improves the computational efficiency. In addition, this paper proves that the scheme is existential unforgeability against adaptive chosen-message attacks in random oracle model. Finally, it is found that the proposed scheme can hide the signature source and protect user privacy. The contributions of this paper are as follow.

1. 1

   We give the application of MPKC-DVMS in multi-clouds and build the formalized definition and security model of the proposed scheme, and prove that the scheme is existential unforgeability against adaptive chosen-message attacks in random oracle model.

2. 2

   This paper proposes a multi-signature scheme based on MPKC. This proposed scheme does not need to compute bilinear pairing, reduces the calculation steps and improves the calculation efficiency, which makes the signature more efficiency in multi-cloud.

3. 3

   We add a designated verifier, who can generate signatures that are indistinguishable from n signature participants, to hidding signature source to achieve privacy protection

The rest of the paper is organized as follows. Section 2 gives the related work of this paper. Section 3 gives some preliminaries. Section 4 introduces the details of the proposed scheme. Section 5 provides some experimental results and evaluation analysis of our secheme. Finally, Section 6 concludes the paper and gives the future work.

This section mainly introduces some mathematical knowledge and theorems used in the proposed scheme.

Finite field

Let \(\textit{k}\) be a set of non-empty elements, if two operations are defined in k: addition and multiplication, and the following conditions are satisfied [37]:

1. 1

   \(\textit{k}\) constitutes an Abel group with respect to addition, and its addition identity element is denoted as 0.

2. 2

   All pairs of multiplications in k form an Abel group (except zero elements), and the multiplication identity element is denoted as 1.

3. 3

   Addition and multiplication have the following distributive laws:

   $$\begin{aligned} a{b+c}=ab+ac \end{aligned}$$

   (1)
   $$\begin{aligned} {b+c}a=ba+ca \end{aligned}$$

   (2)

Then k is a field. If the field k contains only a finite number of elements, then the field k is called a finite field, also known as Galois (Galois field). where q is the number of elements in the field. The number of elements in the field is called the order of the finite field. A finite field of order q, usually expressed as GF(q) or Fq.

Multivariate polynomial equations in finite fields

Let \(x_1\), \(x_2\), \(x_3\), ..., \(x_n\) be n variables on a finite field k, then a polynomial of n variables on the field k is represented by \(f_i\), the degree is d, and m polynomials form a polynomial group, denoted by F, then [38]:

where \(f_i:=\sum a_j\prod x_j\), \(1\le i\le n\), \(1\le j\le m\). Let \(y_1\), \(y_2\), \(y_3\), ..., \(y_n\) be the elements on the finite field k, then the multivariate polynomial equation system has the form:

Multivarivate quadratic problem (MQ Problem)

The MQ problem refers to solving a system of quadratic polynomial equations in the following field \(k=GF(q)\) [39]:

where \(f_i\) is the polynomial equation on the domain k, which defines \(f_i\) in the system of quadratic multivariate polynomial equations of the same formula. The MQ problem has been shown to be NP-hard, even for the smallest field \(k=GF(2)\). Therefore, the MQ problem has become an important tool for constructing public key cryptosystems over finite fields.

Isomorphism of polynomials problem (IP Problem)

Let P, Q be a multivariate system of two random n-element g equations on a finite field k, and P and Q are isomorphic, then there are \(P=T\circ Q\circ V\), where T and V are respectively denoted as two reversible affine transformations on \(k^n\) , the (T, V) problem of finding isomorphism from \(P\sim Q\) is called an IP problem, this is a polynomial isomorphism problem [40].

Affine transformation

Affine transformation, also known as affine mapping, means that in geometry, a vector space undergoes a linear transformation followed by a translation to transform into another vector space.

Definition 1

The order of every finite field must be a power of a prime number.

Definition 2

Let k be a finite field, and \(k^n\) be an n-dimensional isomorphic vector space over the finite field k, which is z linear polynomials over k such that:

In this section, we first give the application of MPKC-DVMS in multi-clouds, and then bulid the formalized Definition and security model of MPKC-DVMS, Finally, we describe the MPKC-DVMS in detail.

Application of MPKC-DVMS in multi-clouds

The application of MPKC-DVMS in multi-clouds is showing in Fig. 1, the entire procedure is comprised of the following phases.

The application of MPKC-DVMS in multi-clouds

Full size image

As the Fig. 1 shows, user submits tasks to multiple CSPs for computing. Then CSPs sign the result and sends it to other clouds after computing, if the number of signers of the result is 2/3 of the total of CSPs or over, the result is considered to be correct and can be returned to the user, and the CSPs receive the corresponding remuneration, else it cannot be sent to the user.

In order to prevent the CSPs from maliciously delaying the calculation, the CSPs should promise a time commitment before submitting the task, the CSPs cannot get the paid of commitment if the timeout and cannot participate in the subsequent task.

Formalized definition and security model

Formalized definition

The participating entities of the MPKC-DVMS scheme include a secret key generation center (KGC), v signers \(ID_i\) where i=0...\(v-1\), and a designated verifier \(ID_v\). This scheme consists of the following five algorithms.

1. 1

   Setup: KGC (Key Generate Center) inputs the security parameter K, and outputs the system master key S and system params.

2. 2

   Partial-key-extract: KCG inputs params and S, outputs part of the public key Pksub and part of the private key \(S_{sub}\) of the system, and sends \(Pk_{sub}\) and \(S_{sub}\) to the signing participant through a secure channel.

3. 3

   User-key-generate: The user inputs identity \(ID_i\), reversible affine transformations \(L_{1i}\), \(L_{2i}\), some public and private keys \(Pk_{sub}\), \(S_{sub}\), and outputs the user’s public and private keys \(Pk_i\), \(Sk_i\).

4. 4

   Sign: \(ID_i\) input params, message m to be signed, identity set of v signers \(ID_{set}={ID_0, ID_1, ..., ID_{v-1}}\), signer’s private key \(Sk_i\) and the identity and identity of the specified verifier The public key (\(ID_v\), \(Pk_v\)) outputs a multi-signature on m.

5. 5

   Simulation: Specify the verifier input, params, the public key \(Pk_i\) of all signing participants, specify the verifier’s identity and private key (\(ID_v\), \(Pk_v\)), determine whether the signature is valid, and if it is valid, generate an indistinguishable signature.

Security model

In this scheme, there are two adversaries \(A_1\) and \(A_2\) with different attack capabilities. The first type of adversary, \(A_1\), simulates an external adversary, a malicious user. \(A_1\) holds the signer’s secret value (reversible affine transformation) and can arbitrarily replace the user’s public key, but \(A_1\) does not know the system master key and some private keys. The second type of adversary, \(A_2\), simulates a malicious but passive KGC. Mastering the system master key can obtain part of the user’s private key, but does not know the user’s secret value and cannot replace the user’s public key. The scheme in this paper simulates the security model of this scheme through the Game between the challenger C and the adversary A (\(A_1\) or \(A_2\)).

Setup: C runs the setup algorithm, generates the system master key S and public parameters params, secretly saves S and sends the params to the adversary A. If the adversary is of type \(A_2\), send the params and S to \(A_2\).

Query: A can adaptively query the following oracles:

1. 1

   Hash query: When the adversary A asks any Hash function, C outputs the corresponding Hash value to the adversary A.

2. 2

   Public-key query: When A inputs \(ID_i\), if \(ID_i\) has been created, C returns the corresponding public key to A. Otherwise, C runs the Partial-key-extract algorithm and the User-key-generate algorithm to generate part of \(Pk_{sub}\)/\(S_{sub}\) and \(Pk_i\)/\(Sk_i\). At this time, the \(ID_i\) is said to be created by the user. Finally, C returns \(Pk_i\) of \(ID_i\) to A.

3. 3

   Public-key-replace query: A enters \(ID_i\) for public key replacement query, and C replaces public key(this oracle is only for \(A_1\)-type adversaries).

4. 4

   Secret-Value-Extract: When A asks the secret value of \(ID_i\) (invertible affine transformation), C returns the corresponding secret value (\(L_{1i}\), \(L_{2i}\)) to A. If \(ID_i\)’s public key has been replaced, C outputs NULL.

5. 5

   Partial-key-extract query: When A asks for the partial private key of the system, C inputs \(ID_i\) and returns the partial private key Ssub to A (this oracle is only for \(A_1\)-type adversaries).

6. 6

   Sign query: A input message, signer/specified verifier identity (\(ID_i\), \(ID_v\)), public key (\(Pk_i\), \(Pk_v\)), signer identity set \(ID_{set}\)=\({ID_0, ID_1, \ldots , ID_{v-1}}\), and partial signatures, C runs the Sign algorithm to generate multiple signatures and returns them to A.

7. 7

   Forgery: Adversary A has forged a multi-signature on message \(m^*\) about \({ID_{set}}^*\)=\({{ID_0}^*, {ID_1}^*, \ldots , {ID_{v-1}}^*}\) with a valid designated verifier, and satisfy:

   1. (a)

      the \(A_1\) adversary did not ask the Partial-key-extract oracle.

   2. (b)

      the \(A_2\) adversary did not ask the Secret-Value-Extract oracle.

If there is no probabilistic polynomial-time adversary A that can win with a non-negligible advantage in the above Game, then the proposed scheme proposed in this paper is existential unforgeability against adaptive chosen-message attacks.

Details of MPKC-DVMS

Setup

KCG randomly selects the security parameter K to generate a finite field \(k=GF(q)\), where q is the order of the finite field, p and l are large prime numbers. Choose two positive integers m and n, where m is the number of multivariable equations and n is the number of variables. Selected as a cryptographic hash function. Randomly select a central map F which is an easy-to-invert nonlinear mapping from \(k^n\) to \(k^m\), and randomly select two reversible affine transformations I and J, where I is the reversible affine transformation from \(k^n\) to \(k^n\), and J is the reversible affine transformation from \(k^m\) to \(k^m\) . Compute \(\overline{F}=I\circ F\circ J\) as the system public key. The system generates params=\(\left\{ k, q, p, l, m, n, H, \overline{F}\right\}\) and secretly stores the system master key \(S=\left\{ I, F, J\right\}\).

Partial key-extract

KGC randomly selects two reversible affine transformations, \(L_1\) and \(L_2\), calculation \(Pk_{sub}=L_2 \circ \overline{F}\circ L_1\) as part of the public key of the system and part of the private key of the system \(S_{sub}=\left\{ I\circ L_2, F, J\circ L_1 \right\}\). KGC sends part of the public and private keys to the signing participants through a secure channel.

User key-generate

For the convenience of description, the identity of the signing participant in this scheme is expressed as \(ID_i\in {01}^{*}\). Among them, the specified verifier identity is represented as \(ID_v\). The signing participant randomly selects two reversible affine transformations \(L_{1i}\), \(L_{2i}\), of which \(L_{1i}\in \ k^n\rightarrow \ k^n\), \(L_{2i}\in \ k^m\rightarrow \ k^m\). Calculate \({Pk}_i=L_{2i}\circ {Pk}_{sub}\circ \ L_{1i}\) as the public key and \({Sk}_i=\left\{ L_{2i}\circ \ L_2\circ \ I,F,L_{1i}\circ \ L_1\circ \ J\right\}\) as the private key.

Sign

User needs to perform the following steps to sign the message.

Step 1

1. 1

   Calculate \(h_0=H(M||ID_0||ID_v)\).

2. 2

   Calculate \(\sigma _0=L_{20}^{-1}\circ \ L_2^{-1}\circ \ I^{-1}\circ (F^{-1}\circ (L_{10}^{-1}\circ \ L_1^{-1}\circ \ J^{-1}(h_0)))\).

3. 3

   To output the partial signature \(\sigma _i\), \(ID_0\) sends \(\sigma _i\), message hash, identity set \(ID_{set}=\left\{ ID_0\right\}\) and the specified verifier identity \(ID_v\) to the closest \(ID_1\).

Step 2

After received a partial signature, \(ID_i\) verifies whether \(h_i^{\prime} =L_{2i}\circ {Pk}_{sub}\circ \ L_{1i}(\sigma _i)\)=\(h_i\). If not, \(ID_i\) rejected. If succeeds, the following steps are performed:

1. 1

   Calculate \(h_i=H(M||ID_i||ID_v)\).

2. 2

   Calculate \(\sigma _i=L_{2i}^{-1}\circ \ L_2^{-1}\circ \ I^{-1}\circ (F^{-1}\circ (L_{1i}^{-1}\circ \ L_1^{-1}\circ \ J^{-1}(h_i)))\).

3. 3

   To output the partial signature \(\sigma _i\), \(ID_i\) sends the \(\sigma _i\), message hash, identity set \(ID_{set}=\left\{ ID_0, ID_1,\ldots , ID_i, \ldots , ID_{v-1}\right\}\) and the specified verifier identity \(ID_v\) to \(ID_v\).

Step 3

\(ID_v\) verifies whether \(h_i^\prime =L_{2i-1}\circ {Pk}_{sub}\circ \ L_{1\mathrm {i-1}}(\sigma _i)\) is equal to \(h_i\) after receiving the partial signature. If the verification fails, the signature is rejected. If the verification succeeds, the following steps are performed.

1. 1

   Calculate \(h_v=H(M||ID_v||ID_v)\).

2. 2

   Calculate \(\sigma _v=L_{2v}^{-1}\circ \ L_2^{-1}\circ \ I^{-1}\circ (F^{-1}\circ (L_{1v}^{-1}\circ \ L_1^{-1}\circ \ J^{-1}(h_v)))\).

3. 3

   calculate \(\sigma =\prod _{i=0}^{v}\sigma _i\).

Simulation

After the signature is completed, \(ID_v\) performs the following steps.

1. 1

   Verify \(\prod _{i=0}^{v}h_i=\prod _{i=0}^{v}{L_{2i}\circ L_2\circ I\circ F\circ L_{1i}\circ L_1\circ J(\sigma _i)}\).

2. 2

   If the verification is successful, \(ID_v\) generates a signature \(\sigma\) that is indistinguishable from \(\sigma ^\prime =L_{2i}^{-1}\circ \ L_2^{-1}\circ \ I^{-1}\circ \ F^{-1}\circ \ L_{1i}^{-1}\circ \ L_1^{-1}\circ \ J^{-1}(h_i)\) and publishes it.

This section verifies the usability of the proposed scheme through correctness analysis, security analysis and efficiency analysis.

Correctness analysis

Theorem 1

This scheme is correct.

Proof

where, \(w=\left( \prod _{i}^{v}{L_{2i}^{-1}\circ L_2^{-1}\circ I^{-1}\circ (F^{-1}\circ (L_{1i}^{-1}\circ L_1^{-1}\circ J^{-1}(h_v)))}\right)\).

It is obvious that \(h^{\prime \prime }=h^{\prime}\), so it can be deduced that the proposed scheme is correct.

Security analysis

existential unforgeability

In this paper, the security of the proposed scheme is reduced to the security of the message signature by any signer \(ID_i\) The specific proof is as follow.

Theorem 2

Assuming that the MQ and IP problems are difficult, the proposed scheme proposed in this paper is existentially unforgeable to \(A_1\) class adversaries. In random oracle model, it is assumed that \(A_1\) breaks the proposed scheme in this paper with an advantage \(\varepsilon\) within the probability polynomial time t, and the maximum times \(A_1\) queries Hash, Public-key, Partial-private-key, and Sign is \(q_h\), \(q_c\), \(q_p\) and \(q_s\), there is an algorithm C that \(A_1\) can solve the MQ problem with the advantage of \(\varepsilon ^\prime \ge \varepsilon (\frac{v}{q_cq_h}){(1-\frac{2}{q_c})}^{q_p}{(1-\frac{1}{q_cq_h})}^{q_s}\) within time \(t^{\prime} < t+6q_c t_c +v(q_h +q_s)t_h +10q_s (t_s+t_{inv})\), where \(t_c\) represents the time to calculate a mapping synthesis on the finite field, \(t_{inv}\) represents the time to obtain an inverse on the finite field, and \(t_s\) represents the time to calculate the first-order polynomial on the finite field.

Proof

It is assumed that \(A_1\) can attack the signature scheme of this paper with a non-negligible probability, thereby solving the MQ and IP problems. This scheme involves v signing users \({ID}_0,\ {ID}_2,\ldots ,{ID}_{v-1}\), and the designated verifier \({ID}_v\). This scheme assumes that all users except user \({ID}_I\in {{ID}_0,\ {ID}_2,\ldots ,{ID}_{v-1}}\) are bribed by \(A_1\). Let C be the challenger, given any instance of the MQ problem over a finite field \(k=GF(q)\), \(Y^{\prime} =\left( y_1^{\prime} ,\ldots ,y_m^{\prime} \right) \in k=GF (q)\), the ultimate purpose of C is to solve the polynomial equation system, that is, to find \(\bar{F}\left( x_1,\ldots x_n\right) =Y^\prime\).

Setup: Challenger C builds a system and returns the system parameters \(params=\left( k,q,p,l,m,n,H,\bar{F}\right)\) to adversary \(A_1\). The C maintenance lists \(H^{\mathrm {list}}\) and \(K^{\mathrm {list}}\) represent Hash query, Public-key query, Partial-Private-key query and Sign query respectively. The list is initially empty. An adversary can adaptively interrogate the following oracles.

• Hash query: The challenger maintains the list \(H^{\mathrm {list}}(M,ID_i,ID_v,h_i)\). When receiving the \(H(M||ID_i||ID_v)\) query from \(A_1\), it first searches the \(H^{list}\). If it exists, return it directly to \(A_1\), if not, randomly select \(h_i\in k^n\) and return it to \(A_1\), and add the record to the \(H^{\mathrm {list}}\).

• Public-key query: C maintains a list \(K^{\mathrm {list}}(ID_i,L_{1i},L_{2i},Pk_i)\), when C receives public-key query, finds \(K^{\mathrm {list}}\) exists in the list. If it exists, it returns directly to \(A_1\), if not, C executes as follows.

  • If \({ID}_i\ne {ID}_I,\ {ID}_v\), C randomly selects four reversible affine transformations \(L_1\), \(L_2\), \(L_{1i}\), \(L_{2i}k\), and calculates the partial public key \(Pk_{\mathrm {sub}}= L_2\circ \overline{F}\circ L_1\), partial private key \(S_{\mathrm {sub}}={I\circ L_2,F,J\circ L_1}\), user’s public key \({Pk}_i=L_{2i }\circ {Pk}_{sub}\circ L_1\) is returned to \(A_1\), and \(\left( {ID}_i, L_1, L_2, L_{1i}, L_{2i},{Pk}_ {sub},{Sk}_{sub},{Pk}_i\right)\) are stored in the \(K^{\mathrm {list}}\).

  • If \({ID}_i={ID}_I\), C randomly selects four invertible affine transformations \(L_1\), \(L_2\), \(L_{1i}\), \(L_{2i}k\), and calculates \(Pk_{\mathrm {sub}}=\bot\), \(S_{\mathrm {sub} }=\bot\), \({Pk}_i=L_{2i}\circ {Pk}_{sub}\circ L_{1i}\), return \(Pk_i\) to \(A_1\), and \(\left( {ID}_i, L_1, L_2, L_{1i}, L_{2i},{Pk}_ {sub},{Sk}_{sub},{Pk}_i\right)\) are stored in the \(K^{\mathrm {list}}\).

  • If \({ID}_i={ID}_I\), C randomly selects four invertible affine transformations \(L_1\), \(L_2\), \(L_{1v}\), \(L_{2v}k\) and calculates \(Pk_{\mathrm {sub}}=\bot\), \(S_{\mathrm {sub} }=\bot\), \({Pk}_v=L_{2v}\circ {Pk}_{sub}\circ L_{1v}\), \(Pk_i\) to \(A_1\), and \(\left( {ID}_i, L_1, L_2, L_{1v}, L_{2v},{Pk}_ {sub},{Sk}_{sub},{Pk}_i\right)\) are stored in the \(K^{\mathrm {list}}\).

• Public-key-replace query: When C receives the public-key-replac query, C replaces \({Pk}_i\) in the original list with \({Pk}_i^\prime\), makes \(L_{1i}=L_{2i}=\bot\) return to \(A_1\), and Store \(\left( ID_i,Pk_i^\prime \right)\) into the \(K^{\mathrm {list}}\).

• Secret-value query: When C receives the secret-value query, checking whether the item \(\left( ID_I, L_{1i}, L_{2i}\right)\) exists in the \(K^{list}\), if \(L_{1i}=L_{2i}= \bot\), the public key has been replaced, and C ends the query. Otherwise, return (\(L_{1i}, L_{1i}\)) to \(A_1\).

• Partial-private-key query: When C receives the partial-private-key query, checking the \(K^{\mathrm {list}}\), if \({ID}_i\ne {ID}_I,\ {ID}_v\), return \(Sk_{sub}\), otherwise, stop the simulation, output failure.

• Sign query: \(A_1\) inputs the message \(M\in {0,1}^*\), the signer/specified verifier identity (\(ID_i, ID_j\)), the public key (\(Pk_i, Pk_j\)), the signer identity set \(ID_{set}\), and C performs the following operations.

  • If \({ID}_i\ne {ID}_I,\ {ID}_v\), C brings up the list \(K^{\mathrm {list}}\left( {ID}_i,{\ L}_1,\ L_2,\ L_{1i}, L_{2i},{Pk}_{sub},{Sk}_{sub},{Pk}_i\right)\) and the list \(H^{\mathrm {list}}(M,ID_i,ID_v, h)\), calculate \(h=H\left( M||\mathrm{ID}_i||ID_v\right) ,\ \ \sigma _i=L_{2i}^{-1}\circ L_2^{-1}\circ I^{-1}\circ (F^{-1}\circ (L_{1i}^{-1}\circ L_1^{-1}\circ J^{-1}(h)))\) and returns the signature \(\sigma _i\) to \(A_1\).

  • If \({ID}_i={ID}_I\) and IDj≠IDv, C brings up the list \(K^{\mathrm {list}}\left( {ID}_i,{\ L}_1,\ L_2,\ L_{1i}, L_{2i},{Pk}_{sub},{Sk}_{sub},{Pk}_i\right)\) and the list \(H^{\mathrm {list}}(M,ID_i,ID_v, h)\), calculate \(h=H\left( M||\mathrm{ID}_i||ID_v\right) ,\ \ \sigma _i=L_{2i}^{-1}\circ L_2^{-1}\circ I^{-1}\circ (F^{-1}\circ (L_{1i}^{-1}\circ L_1^{-1}\circ J^{-1}(h)))\) and returns the signature \(\sigma _i\) to \(A_1\).

  • If \({ID}_i={ID}_I\), \({{ID}_j=ID}_v\), C stops the game and outputs failure.

• Forgery: \(A_1\) outputs the forged signature \(\sigma ^*\) for \(M^*\), if \(ID_I\notin \left\{ {ID}_1^*,{ID}_2^*,\ldots , {ID}_{v-1}^*\right\}\),and \({ID}_j^*\ne {ID}_v\) then C terminates the game. Otherwise, C bring the list \(K^{\mathrm {list}}({ID}_i^*,L_1^*,\ L_2^*,\ L_{1i}^*\ ,L_{2i}^ *,{Pk}_{sub}^*,{Sk}_{sub}^*,{Pk}_i^*)\), \(H^{\mathrm {list}}(M^*, {ID}_i^*,ID_v,h^*)\), because \(\sigma\) is valid, so there is \(\sigma ^*=L_{20}^{-1}\circ L_2^{-1}\circ I^ {-1}\circ (F^{-1}\circ (L_{10}^{-1}\circ L_1^{-1}\circ J^{-1}(h)))(\prod _{ i=2}^{v}{{L_{2i}^{-1}}^*\circ {L_2^{-1}}^*\circ {I^{-1}}^*\ circ({F^{-1}}^*\circ ({L_{1i}^{-1}}^*\circ {L_1^{-1}}^*\circ {J^{- 1}}^*(h^*)))})\), so that \({h^*=\prod _{i=1}^{v}L}_{2i}^*\circ Pk_{sub}^*\circ L_{1i}^*\), that is, C can solve the MQ problem, but the MQ problem is difficult at present, so the proposed scheme is existentially unforgeable for \(A_1\)-type adversaries.

Then calculating the probability of C success. The four events represented by \(E_1\), \(E_2\), \(E_3\) and \(E_4\) are as follows.

• \(E_1\): C answer partial-private-key query successfuly.

• \(E_2\): C answer sign query successfuly.

• \(E_3\): \(A_1\) successfully forged a multi-signature on the message, in which the identities of v signers are \(D_1^*, D_2^*, , D_{v-1}^*\), specifying the identity of the verifier is \(D_v^*\).

• \(E_4\): There is \({ID}_v^*={ID}_v\) and \({ID}_I\in \left\{ {ID}_1^*,{ID}_2^*,\ldots ,{ID} _{v-1}^*\right\}\) when \(E_3\) occurs.

Assuming that the probabilities of events \(E_1\), \(E_2\), \(E_3\), and \(E_4\) are \(P(E_1)\), \(P(E_2)\), \(P(E_3)\) and \(P(E_4)\), where

So the probability of C success is:

\(P\left( E_1\wedge E_2\wedge E_3\wedge E_4\right) =P(E_1)P(E_2|E_1)P(E_3|E_2\wedge \ E_1)P(E_4|E_3\wedge \ E_2\wedge \ E_1)\ge \varepsilon (\frac{v}{q_cq_h}){(1-\frac{2}{q_c})}^{q_p}{(1-\frac{1}{q_cq_h})}^{q_s}\)

Theorem 3

Assuming that the MQ and IP problems are difficult, the proposed scheme proposed in this paper is existentially unforgeable to \(A_2\) class adversaries. In random oracle model, it is assumed that \(A_2\) breaks the proposed scheme in this paper with an advantage \(\varepsilon\) within the probability polynomial time t, and the maximum times of \(A_2\) queries Hash, Public-key, Partial-private-key, and Sign is \(q_h\), \(q_c\), \(q_p\) and \(q_s\), there is an algorithm C that \(A_2\) can solve the MQ problem with the advantage of \(\varepsilon ^{\prime} \ge \varepsilon (\frac{v}{q_cq_h}){(1-\frac{2}{q_c})}^{q_{se}}(1-\frac{1}{q_cq_h})\) within time \(t^{\prime} < t+6q_c t_c +v(q_h +q_s)t_h +10q_s (t_s +t_{inv})\), where \(t_c\) represents the time to calculate a mapping synthesis on the finite field, \(t_{inv}\) represents the time to obtain an inverse on the finite field, and \(t_s\) represents the time to calculate the first-order polynomial on the finite field.

Proof

Let C be the challenger, given any instance of the IP problem on the finite field \(k=GF(q)\bar{F}\left( x_1,\ldots x_n\right) =Y^\prime\), the ultimate goal of C is to find The equation system Q that is isomorphic to the polynomial equation system is to find \(P=T\circ Q\circ V\), where T and V are the reversible affine transformations on the finite field.

Setup: Challenger C builds a system and returns the system parameters \(params=\left( k,q,p,l,m,n,H,\bar{F}\right)\) to adversary \(A_2\). The C maintenance lists \(H^{\mathrm {list}}\) and \(K^{\mathrm {list}}\) represent Hash query, Public-key query, Partial-Private-key query and Sign query respectively. The list is initially empty. An adversary can adaptively interrogate the following oracles.

• Hash query: The challenger maintains the list \(H^{\mathrm {list}}(M,ID_i,ID_v,h_i)\). When receiving the \(H(M||ID_i||ID_v)\) query from \(A_2\), it first searches the \(H^{list}\). If it exists, return it directly to \(A_2\), if not, randomly select \(h_i\in k^n\) back to \(A_2\) and add the record to the \(H^{list}\).

• Public-key query: C maintains a list \(K^{\mathrm {list}}(ID_i,L_{1i},L_{2i},Pk_i)\), when C receives public-key query, finds \(K^{\mathrm {list}}\) exists in the list. If it exists, it returns directly to \(A_2\), if not, C randomly selects two reversible affine transformations \(L_1, L2\in k\), and calculates \(Pk_{\mathrm {sub}}=L_2\circ \overline{F}\circ L_1\), \(S_{\mathrm {sub}}=\left\{ I\ circ L_2,F,J\circ L_1\right\}\), and then calculate the public key of \(ID_i\) as follows.

  • If \({ID}_i\ne {ID}_I,\ {ID}_v\), C randomly selects two reversible affine transformations \(L_{1i}\), \(L_{2i}k\), and calculate the user’s public key \({Pk}_i=L_{2i}\circ {Pk}_{sub}\circ L_1i\) and return it to \(A_2\), then stored \(\left( {ID}_i, L_1, L_2, L_{1i}, L_{2i},{Pk}_ {sub},{Pk}_i\right)\) in the \(K^{\mathrm {list}}\).

  • If \({ID}_i={ID}_I\), C sets \({Pk}_i=T\circ {Pk}_{sub}\circ \ V\), \(L_{1i}, L_{2i}=\bot\) and return \({Pk}_i\) to \(A_2\), then stored \(\left( {ID}_i, L_1, L_2, L_{1i}, L_{2i}, {Pk}_ {sub},{Pk}_i\right)\) in the \(K^{\mathrm {list}}\).

  • If \({ID}_i={ID}_I\), C randomly selects two reversible affine transformations \(L_{1v}\), \(L_{2v}k\), and calculate \({Pk}_v=L_{2v}\circ {Pk}_{sub}\circ L_1v\) and return it to \(A_2\), then stored \(\left( {ID}_i, L_1, L_2, L_{1v}, L_{2v}, {Pk}_ {sub},{Pk}_v\right)\) in the \(K^{\mathrm {list}}\).

• Secret-value query: If \({ID}_i\ne {ID}_I,\ {ID}_v\), C browses \(K^{list}\) and return \(\left( L_{1i}, L_{2i}\right)\) to \(A_2\) when receives the secret-value query. Otherwise, return failure.

• Sign query: \(A_2\) inputs the message \(M\in {0,1}^*\), the signer/specified verifier identity (\(ID_i, ID_j\)), the public key (\(Pk_i, Pk_j\)), the signer identity set \(ID_{set}\), C browses \(K^{list}\) and \(H^{list}\), computing \(h_i=H\left( M|\left| ID_i||ID_v\right\} \right)\),\(\ \ \sigma _i=L_{2i}^{-1}\circ \ L_2^{-1}\circ \ I^{-1}\circ (F^{-1}\circ (L_{1i}^{-1}\circ \ L_1^{-1}\circ \ J^{-1}(h_i)))\),then return \(\sigma _i\) to \(A_2\).

• Forgery: \(A_2\) outputs the forged signature \(\sigma ^*\) for \(M^*\), if \(ID_I\notin \left\{ {ID}_1^*,{ID}_2^*,\ldots , {ID}_{v-1}^*\right\}\),and \({ID}_j^*\ne {ID}_v\) then C terminates the game. Otherwise, C bring \(K^{\mathrm {list}}\), \(H^{\mathrm {list}}\) to query log \(({ID}_1^*,L_1^*,\ L_2^*,\ L_{11}^*\ ,L_{21}^*,{Pk}_{sub}^*,{Sk}_{sub}^*,{Pk}_1^*)\) and \((M^*,{ID}_1^*,ID_v,h^*)\), If the record does not exist in the list, C terminates the game and outputs failure. Otherwise, A2 is forged successfully. It means C can select a record containing the correct (T, V) from \(K^{\mathrm {list}}\) with the probability of \(\frac{1}{q_cq_h}\) to solve the IP problem, but IP problem is still difficult, so the proposed scheme presented in this paper is existentially unforgeable to \(A_2\)-type adversaries .

Then calculating the probability of C success. The four events represented by \(E_1\), \(E_2\), \(E_3\) are as follows.

• \(E_1\): C answer Secret-value query successfuly.

• \(E_2\): \(A_2\) successfully forged a multi-signature on the message, in which the identities of v signers are \(D_1^*, D_2^*, , D_{v-1}^*\), specifying the identity of the verifier is \(D_v^*\).

• \(E_3\): There is \({ID}_v^*={ID}_v\) and \({ID}_I\in \left\{ {ID}_1^*,{ID}_2^*,\ldots ,{ID} _{v-1}^*\right\}\) when \(E_2\) occurs.

Assuming that the probabilities of events \(E_1\), \(E_2\) and \(E_3\) are \(P(E_1)\), \(P(E_2)\) and \(P(E_3)\), where

So the probability of C success is:

\(P\left( E_1\wedge E_2\wedge E_3\right) =P(E_1)P(E_2|E_1)P(E_3|E_2\wedge \ E_1)\ge \varepsilon (\frac{v}{q_cq_h}){(1-\frac{2}{q_c})}^{q_{se}}(1-\frac{1}{q_cq_h})\)

Hidding signature source

Theorem 4

Assuming that there is an adversary T(\(T_1\) or \(T_2\)) that cannot distinguish the signature \(\sigma\) is generated by \({ID}_i\) or \({ID}_v\), this scheme can hide the source of signature.

Proof

1. 1

   Assuming that the adversary \(T_1\) has the \(ID_i\) of all signers and the public and private keys of v signers. For a message signature \(\sigma\), if \(T_1\) wants to infer the true signer, it needs to compute \(\sigma _i=L_{2i}^{-1}\circ L_2^{-1}\circ I^{-1}\circ ( F^{-1}\circ (L_{1i}^{-1}\circ L_1^{-1}\circ J^{-1}(h_i)))\) and \(h_i=H(M||ID_i|| ID_v)\), to obtain the identity of a signer, it means, \(T_1\) needs to solve the MQ problem and the Hash problem in probabilistic polynomial time, but the above two problems are still difficult, so the \(T_1\)-type adversary cannot infer the signer.

2. 2

   Assuming that the adversary \(T_2\) has the private key \(Sk_i\) of all signers and the public key \(Pk_v\) of the designated verifier in addition to the attack capability of \(T_1\). For a message signature \(\sigma\), \(T_2\) can use the \(ID_i\) of all signers to calculate \(h_i=\prod _{i=0}^{v}{H(M||ID_i||ID_v)}\), then use all signers’ \(ID_i\), \(Sk_i\) calculates the message signature\(\sigma \prod _{i=0}^{v}{L_{2i}^{-1}\circ L_2^{-1}\circ I^{-1}\circ (F^ {-1}\circ (L_{1i}^{-1}\circ L_1^{-1}\circ J^{-1}(h_i)))}\), and use the specified verifier’s public key to calculate \(\sigma _v =L_{2i}^{-1}\circ L_2^{-1}\circ I^{-1}\circ F^{-1}\circ L_{1i}^{-1}\circ L_1^{ -1}\circ J^{-1}(h_v)\), where \(h_v=\prod _{i=0}^{v}{H(M||ID_i||ID_v)}\), since \({\sigma =\sigma }_v\), so the \(T_2\)-type adversary cannot infer the signer.

To sum up, this scheme can hide the signature source.

Efficiency analysis

Let f denote the calculation of the last multiplication of the finite field k, map to denote the last polynomial calculation of the finite field, \(P_r\) and \(S_m\) to denote a scalar multiplication calculation and a bilinear pair calculation on the group. Assuming that the participating users of the scheme are v, the comparison between proposed scheme and other schemes is shown in Table 1.

As shown in Table 1, bilinear pairing is used in Du et al. scheme and Du scheme for signature operation, so the signature and verification cost are higher than our scheme. In addition, Yu et al. scheme requires centralized verification, but our scheme do not require centralized verification, so the cost of Yu et al. scheme is also higher than MPKC-DVMS.

Furthermore, this paper compares the signature time between the proposed scheme and Yu et al. scheme. As can be seen from Fig. 2, since this paper only needs to perform one Hash operation and does not need to perform centralized signature verification, so the signature time of this paper is lower than that of Yu et al. scheme.

Signature time comparison

Full size image

Multi-cloud uses multiple CSPs to provide services for users. Due to the increase of participants, multi-cloud is faced with increased signature cost and security issues. In response to the above issues, this paper proposes a MPKC-based multi-signature scheme for designated verifiers , and proves the security in the random oracle model. Morever, the proposed scheme does not need to calculate bilinear pairings, the computational complexity is lower than that traditional multi-signature scheme, so it is more suitable for multi-cloud. In addition, the proposed scheme can hide the signature source, which can protection privacy for users, and improve the security of multi-cloud. The future work is to design a more efficient signature scheme.

The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.

We are thankful to State Key Laboratory of Public Big Data of Guizhou University for providing an environment for editing manuscripts and experiments.

This work is financially supported by the National Natural Science Foundation of China under Grant No. 61962009. In part by Top Technology Talent Project from Guizhou Education Department (Qian jiao ji [2022]073 ). And in part by Foundation of Guangxi Key Laboratory of Cryptography and Information Security(GCIS202118).

Authors and Affiliations

1. State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang, China

   Chaoyue Tan, Yuling Chen, Xiaochuan He & Tao Li

2. Blockchain Laboratory of Agricultural Vegetables Weifang Key Laboratory of Blockchain on Agricultural Vegetables, Weifang University of Science and Technology, Weifang, China

   Yuling Chen & Yongtang Wu

Contributions

Chaoyue tan contributed to the conception of the study and bulit the formalized Definition and security model of MPKC-DVMS. Yuling Chen contributed significantly to analysis and manuscript preparation. Yongtang Wu perform the analysis with constructive discussions. Xiaochuan He performed the experiment and Tao Li refined the formalized definition and security model. All authors reviewed the manuscript.

Corresponding author

Correspondence to Yuling Chen.

Ethics approval and consent to participate

Not applicable.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions