In this paper we present a designated verifier-set signature (DVSS), in which the signer allows to designate many verifiers rather than one verifier, and each designated verifier can verify the validity of signature by himself. Our research starts from identity-based aggregator (IBA) that compresses a designated set of verifier’s identities to a constant-size random string in cryptographic space. The IBA is constructed by mapping the hash of verifier’s identity into zero or pole of a target curve, and extracting one curve’s point as the result of aggregation according to a specific secret. Considering the different types of target curves, these two IBAs are called as zeros-based aggregator and poles-based aggregator, respectively. Based on them, we propose a practical DVSS scheme constructed from the zero-pole cancellation method which can eliminate the same elements between zeros-based aggregator and poles-based aggregator. Due to this design, our DVSS scheme has some distinct advantages: (1) the signature supporting arbitrary dynamic verifiers extracted from a large number of users; and (2) the signature with short and constant length. We rigorously prove that our DVSS scheme satisfies the security properties: correctness, consistency, unforgeability and exclusivity.

中文翻译：

---

基于身份的聚合器的零极抵消：恒定大小的指定验证者集签名

在本文中，我们提出了一个指定的验证者集签名（DVSS），其中的签名者可以指定多个验证者，而不是一个验证者，并且每个指定的验证者都可以亲自验证签名的有效性。我们的研究始于基于身份的聚合器（IBA），该算法将一组指定的验证者身份压缩为密码空间中恒定大小的随机字符串。通过将验证者身份的哈希映射到目标曲线的零或极点，并根据特定的秘密将一条曲线的点作为聚合的结果来提取，来构造IBA。考虑到目标曲线的不同类型，这两个IBA分别称为基于零的聚合器和基于极点的聚合器。基于它们，我们提出了一种由零极点消除方法构造的实用DVSS方案，该方案可以消除基于零的聚合器和基于极点的聚合器之间的相同元素。由于这种设计，我们的DVSS方案具有一些明显的优势：（1）支持从大量用户提取的任意动态验证者的签名；（2）长度短且固定的签名。我们严格证明，我们的DVSS方案满足安全性要求：正确性，一致性，不可伪造性和排他性。