CHAPTER 3 A GROUP-ORIENTED NOMINATIVE PROXY SIGNATURE SCHEME
3.3.2 The Proposed Scheme
The proposed GO-NPSS scheme is a combination of threshold-based secret sharing and original-nominative proxy signature. By secret sharing scheme, secret can be shared and reconstructed easily. By original-nominative proxy signature scheme, the signed license could be done by a group of proxy signers and a group of verifiers.
In addition, the proposed original-nominative proxy signature is a kind of delegation by warrant and proxy protected signature scheme. Furthermore, the security of the proposed scheme is based on both factorization problem (FP) and discrete logarithm problem (DLP). Detailed security analysis is shown in section 3.4.
The proposed scheme has five phases: the initialization phase, the delegation phase, the proxy key generation phase, the nominative proxy signature generation phase, and the original-nominative proxy signature verification phase. Figure 8 illustrates the GO-NPSS scheme.
Figure 8. The GO-NPSS scheme
3.3.2.1 Initialization Phase
Before describing the proposed GO-NPSS scheme in detail, this dissertation will exhibit a user‟s public and private key pair generation. Before joining a cluster, all participants have contact to an offline certificate authority (CA). The CA assigns a key pair (xi,yi) to each joining user. These key pairs facilitate users claiming that they are the legal users. They can further get other related keys and use the related services described in the following chapters.
In the initialization phase, members in CHG generate their secret share, sCHGi, by themselves, and members in CVG also generate their secret share, sCVGi , by themselves. In the future, the group private key, PVCHG, of CHG group will be reconstructed by a sufficient number of shares, sCHGi, are combined together; the same, the group private key, PVCVG, of CVG group will be reconstructed by a sufficient number of shares, sCVGi, are combined together. In the proposed scheme, each member fairly contributes their partial information to construct the group private keys.
Initially, CP chooses both CHG and CVG ’s members. This dissertation denotes a group of member set in CHG by {CHG1,CHG2,,CHGt} and a group
member set in CVG by {CVG1,CVG2,,CVGw}. User authentication could be done by Wireless Public Key Infrastructure (WPKI). WPKI provides a secure and trusted trading environment. Each member issues his digital certificate to authenticate himself.
CP publishes the parameters: p, q, and g to his/her members. Then, the group private keys generation and secret sharing procedures in CHG and CVG are described as follows.
(1) Group private key share generation for CHG group:
Figure 9 illustrates the flow chart of the group private key generation and the key sharing in CHG.
Figure 9. The flow chart of the group private key generation and key sharing in CHG
Group private key share, sCHGi, generation consists of the following five steps:
Step 1: Partial group private key generation
In this step, each CHGiCHG chooses aCHGi,PPVCHGiR Z*q at random and computes. Then, CHGi computes the following formulas, as shown in Eqs. (3.1), (3.2), and (3.3), and signs the parameters, PPVCHGi , rCHGi , and cCHGi , by
)
(3.3), is broadcasted directly to the proxy group. In addition, based on the difficulty of the DLP problem, anyone can not compute PPVCHGi except CHGi itself.
Step 2: Threshold-based secret share generation
In this step, the concept of threshold-based secret sharing scheme is used. This scheme helps each CHGi shares its own secret PPVCHGi to the members in CHG. First, CHGi generates a polynomial fi() of degree t1, as shown in Eq. (3.4).
Then, each member CHGj obtains one share fi( j) from CHGi, as shown in Eq.
(3.5). CHGi’s secret can be reconstructed with at least t shares using Lagrange’s interpolation formula.
Step 3: Share delivery
In this step, CHGi sends fi(j) to CHGj in a secure way, and broadcasts
Step 4: Share verification
In this step, CHGi verifies the validity of the shares fj(i), j1,,n, which are from CHGj. The verification procedure is described in Eq. (3.6).
1
Step5: Group private key‟s secret share generation
In this step, CHGi verifies all shares from the proxy group members. If all fj(i)
are verified to be legal, CHGi computes sCHGi nj1fj(i)modq as its share.
In addition, without loss of generality, let
q
Furthermore, CHG‟s public key, yCHG, is computed as follows:
p
(2) Group private key share generation for CVG group:
Figure 10 illustrates the flow chart of the group private key generation and the key sharing in CVG.
Figure 10. The flow chart of the group private key generation and key sharing in CVG
Group private key share, sCVGj, generation consists of the following five steps:
Step 1: Partial group private key generation
In this step, each CVGjCVG chooses CVGj R *q '
CVGj,PPV Z
a at random and
computes. Then, CVGj computes the following formulas, as shown in Eqs. (3.10), (3.11), and (3.12), and signs the parameters, PPVCVGj , rCVG' j , and c'CVGj , by
) c , r ), PPV ( h (
sign ' 'CVGj CVGj
CVGj .
p mod g
rCVG' j a'CVGj (3.10)
q mod c a r x
PPVCVGj CVGj CVG' j 'CVGj 'CVGj (3.11)
p mod r
y g
y CVG' jc'CVGj
' j
rCVG CVGj CVGj ' PPV
CVGj (3.12)
In Eq. (3.11), partial group private key PPVCVGj is generated. Each member in
CVG contributes its PPVCVGj to construct the group private key PVCVG. PPVCVGj is not broadcasted directly to the CVG group. Instead, y'CVGj, which is computed in Eq.
(3.12), is broadcasted directly to the proxy group. In addition, based on the difficulty of the DLP problem, anyone can not compute PPVCVGj except CVGj itself.
Step 2: Threshold-based secret share generation
Step 3: Share delivery
In this step, CVGj sends j(i) to CVGi in a secure way, and broadcasts
Step 4: Share verification
In this step, CVGj verifies the validity of the shares i(j), i1,,l, which are from CVGi. The verification procedure is described in Eq. (3.15).
1
Step5: Group private key‟s secret share generation
In this step, CVGj verifies all shares from the proxy group members. If all i( j)
are verified to be legal, CVGj computes sCVGj li1i(j)modq as its share.
In addition, without loss of generality, let
generating PVCVG‟s shares. For example, CVGj‟s share sCVGj is (j) and is also equal to
li1i( j)modq.Furthermore, CVG‟s public key, yCVGj, is computed as follows:
p mod g
yCVG PVCVG (3.18)
In Eq. (3.18), based on the difficulty of DLP problem, no one can get PVCVG even if he/she has yCVGj and g. Only any at least w proxy group members in CVG can compute and reconstruct the value of PVCVG, but no group of w1 members can do so.
3.3.2.2 Delegation Phase
In the delegation phase, the original signer CP generates the proxy shares to the members in CHG. This phase consists of the following four steps:
Step 1: Proxy key generation
In this step, CP generates a warrant Mw and chooses kR Z*q at random and computes:
p mod g
K k (3.19)
) y
||
K
||
T
||
M ( h
eh w CVG (3.20)
q mod k e xCP h
(3.21)
The digital license information is recorded in Mw. This operation will not cause any security problem. This is because the encryption key used for protecting the digital contents is encrypted. Only the consumers in CVG could get the encryption key. In Eq. (3.21), is the proxy key and will be shared among the t members in
CHG. Here, eh is one of the parameters while CP computes the value of . Hence, the information of CP and CVG are in . In addition, both Mw and the time stamp T are also in . The threshold-based secret sharing scheme is used to generate its shares for proxy signers. In the future, any at least t proxy group members in CHG can compute and reconstruct the value of .
Step 2: Threshold-based secret share generation
In this step, CP generates the secret shares, CHGi , from by using the
following polynomial, as shown in Eq. (3.22):
Step 3: Proxy share delivery
In this step, CP sends CHGi to CHGi in a secure way, and broadcasts
Step 4: Proxy share verification
In this step, CHGi verifies the validity of the share CHGi by computing eh*, as shown in Eq. (3.24), and checking the equality in Eq. (3.25). CHGi accepts this share only if the equality holds.
)
The formula in Eq. (3.25) will be proved as follows:
Proof:
3.3.2.3 Proxy key Generation Phase
In this dissertation, the proposed GO-NPSS uses the concept of proxy-protected
delegation with warrant. Thus, CHGi does not directly use the proxy key CHGi. Instead of this key, CHGi generates a new proxy key, as shown in Eq. (3.26), by itself.
This is because 'CHGi carries CHGi‟s identity information; thus, CHGi cannot deny his contribution about some specific proxy signature.
Without loss of generality, we assume that the members {CHG1,CHG2,,CHGt}
3.3.2.4 Nominative Proxy Signature Generation Phase
In the nominative proxy signature generation phase, members
} shown in Eq. (3.27). This phase consists of the following three steps:
Step 1: CHGigeneration
In this step, two parameters, k1 and k2 are shared among these t proxy signers. The secret sharing generation scheme for these two parameters is the same as group private key share generation of the initialization phase.
Each CHGi computes the following equations, as shown in Eqs. (3.27) and
t , , 1 j
, by checking the following equation, as shown in Eq. (3.29):
p
(3.29) will be proved as follows:
Proof:
Step 3: Nominative proxy signature generation
In this step, CHGi generates the signature S on message DL, as shown in Eq.
Original-nominative Proxy Signature Verification Phase
In the original-nominative proxy signature verification phase, any w members of
CVG can verify the validity of the proxy signature generated by the proxy signers.
We assume without loss of generality that the members, {CVG1,CVG2,,CVGw}, are chosen as the verifiers. They cooperate to generate verifier group‟s private key PVCVG
and check equality in Eq. (3.32):
p
p