Provably secure message recovery limited verifier signature scheme with low cost

Digital signatures provide the functions of integrity, authenticity, and non-repudiation for signing messages. In some applications, the signature only needs to be verified by some specified recipient while keeping the message secret from the public. The message recovery limited verifier signature (MRLVS) scheme can be used to achieve this purpose. To protect the recipient's benefit in case of a later repudiation of the signer, we should enable the specified recipient to convert the signature into a publicly verifiable (PV) one. To achieve this purpose, Araki et al. and Sekhar proposed convertible MRLVS schemes, respectively. Both of them, however, require the cooperation of the signer and are vulnerable to forgery attacks. In this paper, we propose an efficient and secure MRLVS scheme allowing a specified recipient to reveal a PV-signature without the assistance of the signer. The security proof of unforgeability against existential forgery on adaptive chosen-message attacks (EF-CMA) is given in the random oracle model. Moreover, the proposed scheme requires lower computation/communication costs and storage space, as compared with previous works.