
CHAPTER 1 INTRODUCTION

1.1. MOTIVATION

As business has moved onto the Internet, the security mechanisms established in the paper-based world need counterparts in the electronic world. Digital signatures were therefore invented as the counterpart of handwritten signatures. A digital signature not only proves the authenticity of a document and its originator, as a handwritten signature does; the properties of digital signatures are also widely used in security mechanisms such as integrity, authentication and non-repudiation.

While conventional digital signature schemes can provide most of the functions of a personal signature, they are not suitable for some practical applications: they are less than ideal for institutional or proxy purposes. In an institution, an institutional seal represents the institution and is used to sign on its behalf. A major difference between signing by hand and signing by seal is that a seal is transferable, and this transferability reduces costs.

Take the following scenario as an example. Suppose the manager of a company goes on holiday. He may hand over the company seal to his deputy, who then signs on behalf of the company. The signatures presented to customers are the same as before, and customers verify them with the same process, i.e. the customers of the company are not affected. It would be economically infeasible for a large company to notify all its customers every time there is a personnel change.

So far, no straightforward method for a transferable seal has been proposed. Proxy signature schemes were introduced to solve this problem without revealing the secret information of a person who wants to delegate his digital signing power to someone else. The main idea of a proxy signature scheme is that an original signer allows a designated person, called the proxy signer, to sign messages on behalf of the original signer. In recent years, many papers have been published on this subject. Strong proxy signature [LK99,LKK101] is one of those that make the requirements of proxy signatures more complete.

Most of the proposed schemes tend toward a theoretical approach and give less consideration to practice. When a new scheme is proposed, its authors always believe that it is sufficiently strong, secure and unbreakable. In fact, all the authors can do is demonstrate the scheme's resistance to some known attacks; it often happens that a new attack is invented precisely against that scheme. Hence a newly proposed scheme almost always suffers from some inborn weaknesses. To overcome this disadvantage, our proposed proxy signature scheme does not invent a new signature scheme but instead combines existing mechanisms, the Digital Signature Algorithm (DSA) and the Elliptic Curve DSA (ECDSA) [NIST00], whose security properties are well known. Proxy signature schemes based on existing algorithms [LC03] are therefore more practicable. Moreover, the scheme can be applied within PKIs [CF+03,AF99,BPH02,ANSI99], through which it can be deployed across the Internet.

On the other hand, although many cryptographic techniques in use today, whether only available in the literature or deployed in practice, are believed to be considerably secure, if secret information is revealed, either accidentally or through an attack, security is compromised not only for subsequent uses of the secret but also for previously signed documents. That is, the greatest threat to the security of a digital signature scheme or any cryptographic method is exposure of the secret key. The problem is even worse in open environments such as the Internet, where every computer node is a potential victim of hackers, because we can no longer trust any signature made with the compromised key, even a signature produced before the key was compromised. Once a hacker obtains the secret key, he can create a signature and claim that it was signed before the time he obtained the key.

Take the following scenario as an example. Suppose Alice is a notary public who has public key PK and uses an ordinary signature scheme without forward security. On January 1st, 2002, a client Bob brings Alice a document m, and she notarizes it by producing a signature δ. Bob expects to be able to use the document m for a long time. Unfortunately, Alice's secret key is compromised later, say on January 1st, 2003. She discovers this and revokes her public key. Now the notarized document m will no longer be accepted. The fact that m is dated "in the past" makes no difference, because everyone believes that Bob could have produced the signature on m himself once Alice's secret key was no longer secure. This reduces the quality of the service that the notary Alice can provide.

To deal with this problem, several different approaches have been proposed. Many attempt to lower the chance of exposure by distributing the secret across several systems, usually by a secret-sharing method. However, the cost of this method is usually very high; in practice it is too expensive for a typical individual user to implement. Moreover, since each of the systems may be susceptible to the same attack, the actual risk may not decrease. Other ways of protecting against key exposure include protected hardware or smartcards, but these are also costly and not suited to ordinary users. Applying a trusted time-stamping service to the signature to validate its date of creation is also a solution, but it requires extra resources to provide the time-stamping service.

Forward security [AMN01,AR00,BM99,Kra00,BC+01] is a better way to reduce the damage. It guarantees that disclosure of the present secret key material does not compromise the secrecy of earlier signatures or earlier encrypted material, and it must be achieved in a simple way: in particular, without requiring distribution or protected storage devices, and without increasing key management costs. We extend the concept to proxy signatures as a forward-secure proxy signature [AR00], giving the system the forward-secure property.

In recent years, one-time signature schemes [Lam79,Rab79,WS96,Mer87,Sch00] have attracted more and more attention as an attractive alternative to traditional signature schemes based on public key cryptography. One of the main advantages of one-time signature schemes is their reliance only on one-way functions, which can be implemented with fast hash functions such as the SHA family [NIST02]. The resulting signatures are an order of magnitude faster than signatures based on public key cryptography when applied on resource-constrained small devices such as cell phones, pagers and smart cards. Another advantage is that such schemes are generally quite fast. However, a one-time scheme becomes unwieldy when used to authenticate multiple messages, because additional data must be generated to sign and verify each new message. By contrast, with a conventional signature scheme such as RSA [RSA78], the same key pair can be used to authenticate many documents, which in turn faces the threat of replay attacks.

We propose a new scheme that generalizes the Lamport one-time signature. The proposed scheme is a generalized Lamport one-time signature scheme that saves storage for the public key and reduces the size of the signature. Moreover, we propose an efficient solution for signing long messages, making the proposed scheme more usable in practice. Finally, we apply the proposed scheme to proxy signatures.
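The basic Lamport one-time signature that the thesis generalizes, as an added illustration that is not the thesis's own scheme or code: it relies only on a hash function (SHA-256 here, standing in for the SHA family the text cites), and the sizes() helper reports the public-key and signature sizes that motivate the storage savings described above. The message and all names are constructed for this example.

```python
import hashlib
import secrets

H = hashlib.sha256   # one-way function; the page cites the SHA family
N = 256              # number of digest bits signed, one preimage pair per bit

def keygen():
    """Return (sk, pk): sk holds 2*N random 32-byte preimages, pk their hashes."""
    sk = [[secrets.token_bytes(32) for _ in range(N)] for _ in range(2)]
    pk = [[H(x).digest() for x in row] for row in sk]
    return sk, pk

def _bits(message: bytes):
    """Digest the message and expand it into N bits, most significant first."""
    d = H(message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk, message: bytes):
    """For each digest bit b_i reveal sk[b_i][i]; sk must be used only once,
    since each extra message reveals more preimages (the one-time limitation)."""
    return [sk[b][i] for i, b in enumerate(_bits(message))]

def verify(pk, message: bytes, sig) -> bool:
    """Hash every revealed preimage and compare with the committed pk value."""
    if len(sig) != N:
        return False
    return all(H(s).digest() == pk[b][i]
               for i, (b, s) in enumerate(zip(_bits(message), sig)))

def sizes(pk, sig):
    """Byte counts (public key, signature) that a generalized scheme aims to cut."""
    return (sum(len(x) for row in pk for x in row), sum(len(x) for x in sig))

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample document"        # constructed input
    sig = sign(sk, msg)
    print(verify(pk, msg, sig), verify(pk, b"tampered", sig), sizes(pk, sig))
```

With 32-byte hashes the public key is 16 KiB and each signature 8 KiB, which is the cost the generalized scheme targets.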
