CHAPTER 1 INTRODUCTION
1.1 MOTIVATION AND RELATED WORK
When original signers cannot sign a document by themselves, they may delegate their signing capability to trustworthy proxy signers. For example, when the manager of a company leaves for vacation, she/he needs to authorize her/his secretary to sign messages on her/his behalf. Delivering the manager's private key directly to the secretary is dangerous; nevertheless, the traditional digital signature does not provide proxy functionality either.
A proxy signature scheme was introduced by Mambo et al. [MUO96] to solve the proxy problem, so that the original signer can delegate her/his signing capability to a proxy signer without revealing her/his secret information. However, Mambo's scheme does not provide the non-repudiation property [Zha97a][Sun99]; thus several papers propose non-repudiation proxy signature schemes [Zha97a][Sun99][HWW03][LHW98][LKK01b], in which neither the original signer nor the proxy signer can deny the signatures they have created themselves.
In addition, Mambo's proxy signature scheme is not a strong proxy signature scheme, because it is not proxy-protected: the original signer knows, and can derive, the proxy key on her/his own. In a proxy-protected proxy signature scheme, on the contrary, the original signer and the proxy signer create the proxy key interactively, so that the proxy signer is protected from a malicious original signer. Hence, Lee and Kim [LK99][LKK01a][LKK01b] proposed the concept of the strong proxy signature, which defines four requirements for a proxy signature: verifiability, strong unforgeability, strong identifiability, and strong undeniability. A strong proxy signature should satisfy all of these requirements.
At first, most proxy signature schemes, including Mambo's, were based on the discrete logarithm problem [EIG85], so Li, Tzeng and Hwang proposed a generalization of proxy signatures based on discrete logarithms [LTH03]. After that, Wu and Varadharajan proposed a proxy signature based on the Chinese remainder theorem [WV99]. In 2002, Chen, Liu and Chung proposed a proxy-protected signature scheme based on the elliptic curve cryptosystem [CLC02], and then Hwang et al. proposed a generalization of proxy signatures based on elliptic curves [HTT04]. Furthermore, Z. H. Shao proposed proxy signature schemes based on factoring in 2002 [Shao02], and Qingshui Xue and Zhenfu Cao proposed "Factoring based proxy signature schemes" in 2005 [XC05]. It is desirable to design proxy signature schemes based on the Quadratic Residues (QR) problem.
Fan and Lei proposed an efficient blind signature scheme based on QR in 1996 [FL96] and improved their scheme in 1998 [FL98]. Therefore, by adopting Fan's signature scheme, we propose a proxy signature based on QR to provide another mathematical basis for proxy signatures.
Unfortunately, most proxy signature schemes proposed prior to this date are not feasible in practice, because the security of those schemes cannot really be proved without adopting a standard signature such as DSA/ECDSA. The Digital Signature Algorithm (DSA), based on the ElGamal [EIG85] and Schnorr [Sch90] signature schemes, is a useful digital signature scheme and became a U.S. Federal Information Processing Standard (FIPS 186) in August 1991, called the Digital Signature Standard (DSS) [NIST00]. In addition, the Elliptic Curve Digital Signature Algorithm (ECDSA), a DSA reinforced by elliptic curve cryptosystems (ECC), was invented in 1985 [ANSI99] and was also accepted as a FIPS standard (FIPS 186-2) in 2000 [NIST00].
To overcome those disadvantages, therefore, we are the first to propose a proxy-protected signature scheme that combines the standard signatures DSA/ECDSA with the Public Key Infrastructure (PKI) mechanism [AF99][BPH02][CFSMW03], both well known for their security properties, in order to reinforce the proxy signature so that it can be used in practice.
In many applications, security is assured as long as the secret key remains unrevealed; therefore, proxy key exposure is also a serious problem for proxy signature schemes. Chang, Lin and Yeh proposed a "Forward Secure Proxy Signature Scheme" at NCS 2003 to deal with the key exposure problem [CLY03]. In a forward secure proxy signature scheme, the proxy signer renews her/his proxy keys periodically and deletes the previous ones. Those deleted proxy keys cannot be recovered, let alone revealed. In addition, many threshold proxy signature schemes have been proposed, built on k out of n threshold schemes [DF89][Zha97b][KPW97][SLH99][HWW03]. However, those threshold proxy signature schemes may be insufficient to construct a long-lived scheme with proactive properties to reinforce security, and the proxy shares cannot be recovered either.
The proactive secret sharing scheme [HJKY95], which is based on Verifiable Secret Sharing [Ped91], provides strong security for a shared secret against an active attacker. It is a verifiable group-oriented scheme that provides share renewal and share recovery properties. Therefore, we adopt the proactive concept to propose a proactive secret sharing proxy signature scheme.
A proactive secret sharing proxy signature permits the shares of the designated signers, called proxy signers, to be renewed periodically without changing the secret. In particular, we apply a (t, n) threshold proxy signature scheme to allow any t or more of the n proxy signers to form a designated group that signs messages on behalf of the original signer. The proxy shares of the proposed scheme are renewed periodically; therefore, it is harmless even if an adversary obtains the proxy share information of some period. Furthermore, in our proactive secret sharing proxy signature scheme, one proxy signer can recover her/his own share from t other proxy shares without learning any information about those other shares. Unless more than t other proxy signers cooperate and collude, the secret sharing algorithm remains secure.
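As an added illustration (not the thesis's own scheme, whose details this chapter does not give): a (t, n) Shamir secret sharing over a prime field with the two proactive operations described above, a periodic share refresh that leaves the secret unchanged, and recovery of one signer's share from t helpers without the helpers exposing their own shares. The field prime, the parameters (t, n) = (3, 5) and the secret are constructed values for the demo.

```python
import secrets

P = 2**127 - 1   # constructed field prime for the demo (a real scheme uses the group order)
T, N = 3, 5      # threshold t and number of proxy signers n

def eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x over GF(P)."""
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

def share(secret, t=T, n=N):
    """Shamir split: n shares f(1..n) of a random degree-(t-1) polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: eval_poly(coeffs, x) for x in range(1, n + 1)}

def lagrange_at(points, x0):
    """Interpolate the polynomial through `points` (dict x -> f(x)) and evaluate it at x0."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def reconstruct(points):
    return lagrange_at(points, 0)          # any t shares give back the secret f(0)

def refresh(shares, t=T):
    """Proactive renewal: every signer deals shares of a random polynomial with constant term 0
    and everyone adds what it receives; the secret is unchanged, old shares no longer combine."""
    new = dict(shares)
    for _dealer in shares:
        sub = share(0, t, len(shares))
        for x in new:
            new[x] = (new[x] + sub[x]) % P
    return new

def recover_share(helpers, lost_x, t=T):
    """Rebuild the share at lost_x from t helpers: each helper adds a random degree-(t-1)
    polynomial that vanishes at lost_x, so the blinded values still interpolate to f(lost_x)."""
    masked = dict(helpers)
    for _helper in helpers:
        r = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
        shift = eval_poly(r, lost_x)            # q(x) = r(x) - r(lost_x), so q(lost_x) = 0
        for x in masked:
            masked[x] = (masked[x] + eval_poly(r, x) - shift) % P
    return lagrange_at(masked, lost_x)
```

In the simulation all dealers run in one loop; in the real protocol each signer would distribute its sub-shares over authenticated channels and the verifiable-sharing commitments of [Ped91] would let recipients check them.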
A proxy blind signature scheme is a variant of the proxy signature scheme proposed prior to this date [TLT02][SH04][LA05]. A blind signature allows a user to receive a given message signed by the original signer without revealing any information about the message itself. Using the Schnorr blind signature, Tan et al. proposed two digital proxy blind signature schemes based on the DLP and the ECDLP, respectively, in 2002 [TLT02]. Moreover, Lal and Awasthi pointed out that Tan et al.'s proxy blind signature schemes suffer from a kind of forgery attack, which means Tan et al.'s schemes do not fulfill the unforgeability and unlinkability properties, and proposed a more efficient proxy blind signature scheme. Lal and Awasthi's scheme, however, does not satisfy the unlinkability property either. Therefore, Sun and Hsieh discussed the security of Tan's and Lal's schemes in particular in 2004 [SH04].
functions are important tools for making digital signature schemes efficient. SHA-160 is one of the popular one-way hash functions, and the security of SHA-160 is worth discussing. In 1998, F. Chabaud and A. Joux presented a method to find collisions in the Secure Hash Algorithm (SHA) [NIST02] with time complexity 2^61 [CJ98]. At the 2004 Crypto conference and in February 2005, Wang et al. [WFLY05][WY05] developed efficient methods to find collisions in MD5 and in SHA-160 with time complexities of 2^39 and 2^69 hash steps, respectively. Furthermore, Biham and Chen [BC04] announced new analytical discoveries concerning SHA-160. Their results include a collision in a reduced-round version of SHA-160, which can be found for fewer than 40 rounds.
Suppose the output size of a one-way hash function is n bits. According to the birthday paradox [MOV96], we can expect a collision after trying about 2^(n/2) input values. Van Oorschot and Wiener [OW94] have explained how such a brute-force attack might be implemented. That implies that any cryptanalysis method with higher complexity than the birthday attack is regarded as inefficient. F. Chabaud and A. Joux find collisions in SHA with complexity 2^61, using techniques related to the differential cryptanalysis of block ciphers [CJ98], and their method is theoretically faster than the birthday attack. Unfortunately, on SHA-160 their method is unable to find collisions faster than the birthday attack.
In fact, we can still observe the decay phenomenon by applying a judgment on the message schedule when inspecting how SHA-160 actually generates its message schedule. Furthermore, we find a reason for the move from SHA to SHA-160: the more nonlinear terms are involved, the more terms in the message schedule process become effective. Therefore, we would like to introduce two corrections to SHA-160 to enhance its security. This analysis could also be applied to the whole SHA series or to other one-way hash functions.
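As an added illustration (not the thesis's analysis or its proposed corrections): the message schedule of SHA-1, the function the text calls SHA-160, differs from the original SHA (now called SHA-0) only by a one-bit left rotation in the expansion rule. The code below implements both expansions and counts how far a single-bit difference in the 16-word message block spreads through the 80 schedule words, which is the kind of inspection the text refers to. The sample block is constructed.

```python
MASK = 0xFFFFFFFF

def rotl(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK

def expand(block, rotate):
    """Expand 16 message words to the 80 schedule words W[0..79].
    rotate=True is the SHA-1 rule W[t] = ROTL1(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
    rotate=False drops the rotation, which is the original SHA (SHA-0) rule."""
    assert len(block) == 16
    w = list(block)
    for t in range(16, 80):
        x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        w.append(rotl(x, 1) if rotate else x)
    return w

def diffusion(block, word, bit, rotate):
    """Flip one bit of the 16-word block and count how many of the 80 expanded words,
    and how many bits in total, differ between the two schedules."""
    flipped = list(block)
    flipped[word] ^= 1 << bit
    diff = [a ^ b for a, b in zip(expand(block, rotate), expand(flipped, rotate))]
    words = sum(1 for d in diff if d)
    bits = sum(bin(d).count("1") for d in diff)
    return words, bits

if __name__ == "__main__":
    # constructed sample block: 16 words from a simple byte-repeating pattern
    block = [(i * 0x01010101) & MASK for i in range(16)]
    for rotate in (False, True):
        print("SHA-1" if rotate else "SHA-0", diffusion(block, 0, 0, rotate))
```

Because both expansions are XOR-linear, the spread of a difference does not depend on the block contents; without the rotation a flipped bit stays in the same bit position of every affected word, while with it the difference moves across bit positions and some words end up with several differing bits.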