A Proxy Signature Scheme without Using One-way Hash Functions

全文

(1)A Proxy Signature Scheme without Using One-way Hash Functions Hwang, Shin-Jia, and Shi, Chi-Hwai* Department of Information Management, Chaoyang University of Technology Wufeng, Taichung Country, 413, Taiwan, R.O.C. *Department of Computer Science, National Chung Hsing University 250, Kuo Kuang Road, Taichung, 402, Taiwan, R.O.C. Email: [email protected] *Email: [email protected]. authenticity [7].. However, it is not enough to. solve some practical applications only by digital. ABSTRACT. signature schemes. A new proxy signature scheme without. For example, some user. wants to take a vacation, so he needs a proxy. using one-way hash functions is proposed.. agent to execute his job.. This scheme has the following advantages.. should be able to sign some documents on behalf. This new scheme does not need one-way hash. of the user.. functions to integrate warrants into the proxy. not provide the proxy function by which the user. certificate.. is able to authorize someone as his proxy agent.. Therefore, the overall security of. this proxy signature scheme is only based on the discrete logarithm problem.. This new scheme. also removes the requirement of secure channels while the most proposed proxy signature schemes need.. Our scheme provides the. powerful specifiable function for the proxy details with the help of warrants.. Moreover,. the new scheme supports a fair protection both for the original and proxy signers. KEYWORDS:. Proxy. signatures,. signatures,. one-way. The proxy agent. But digital signature schemes do. In order to provide the proxy function, Membo et al. [5, 6] proposed the concept of the proxy signature schemes in 1996.. signature scheme, a user, an original signer, could designate someone as his proxy signer to sign a message on behalf of him.. Since then,. many proxy signature schemes [3-6, 8-11, 13] were proposed.. Among these proxy signature. schemes, there are three kinds of delegation digital hash. functions. ways: The full delegation, the partial delegation, and the delegation by warrants.. INTRODUCTION. In the full. delegation, the original signer shares his secrete key with the proxy signer.. 1.. In a proxy. But the full. delegation causes some authentication problem for the release of the secret key of the original signer.. Digital signature schemes provide two important cryptographic functions: Integrity and. The authentication problem means that. the verifier cannot identify the actual signer of signatures..

(2) To solve the authentication problem, both. our conclusions.. in the partial delegation and the delegation by warrants, a proxy secret key and a proxy public key. are. generated.. To. guarantee. 2. OUR NEW SCHEME WITHOUT. the. ONE-WAY HASH FUNCTIONS. authorization of the proxy secret key and proxy public key, the original signer generates a proxy certificate for the proxy public key by his secret key.. There are two public large prime. Then any user is able to check whether the. numbers P and Q such that Q is a large prime. proxy signer has the proxy authorization.. factor of P-1. The delegation by warrants is more specifiable than the partial delegation.. The public parameter g is a. generator with order Q in ZP.. There is another. In the. public large prime number P' such that P'> Q.. delegation by warrants, a warrant is used to. The public parameter α is a primitive root in ZP'.. describe all proxy details such as the proxy. The each user i randomly selects his secret key. period, the names of the proxy and original. xi∈ZQ and computes his public key yi= gxi mod. signers, and the responsibility of the proxy. P.. signer.. On the other hand, the partial Suppose that the original signer A wants. delegation does not have the function to describe the proxy details.. Moreover, warrants can also. prevent that the proxy signer transfers any legal proxy authorization to another user without the. to authorize the user B as his proxy signer.. specification of the proxy is described in a warrant w.. The warrant w is a short document. in some special formats.. agreement of the original singer.. The. Some of the special. formats come of the data with predetermined In the delegation by warrants, to integrate. formats such as the personal identities, the user. the warrants into the proxy certificate, the. name and address.. one-way hash function is used.. be usually written to a set format.. The use of. Moreover, the warrant will On the other. one-way hash functions may weaken the overall. hand, the length of a warrant w may be short. security of the proxy signature scheme.. because the warrant w only records some. The. security of digital signature schemes is based on. necessary proxy details.. some famous cryptographic problems, such as The new scheme contains two phases:. the discrete logarithm problem, while the security of most one-way hash functions is not [1].. Moreover, in general, the lifetime of the. one-way functions is shorter than that of digital. Instead of the security of a proxy scheme. signature generation and verification phase.. In. the following, we describe the two phases, respectively.. signature scheme.. signature. The proxy key generation phase and the. based. on. the. weaker. [The proxy key generation phase] Step 1:. The original signer A chooses a. assumption between the signature scheme and. random integer k'∈ZQ and computes. the one-way hash function, we propose a proxy. r'= gk' mod P.. signature functions.. scheme. without. one-way. w. (α mod P') mod Q.. hash. The security analysis and. discussions are given in Section 3.. Section 4 is. Then A sends. (w, r') to the proxy signer B.. In the next section, the new. scheme is described.. He also compute W=. Step 2:. The proxy signer B selects a random integer a∈ZQ and computes r= gar'.

(3) mod P and r''= (yA)a mod P. w. compute W= (α. B also. mod P') mod Q.. Then he sends r'' to A. Step 3:. (r''). Given a warrant w,. no one can generate (r, s') without the secret key of the original signer.. The original signer A computes r= -1 xA. discrete logarithm problem.. Given a (r, s'), the proxy. signer may try to the attack which the both sides of s'= k'+ WrxA mod Q are multiplied by a factor. r' mod P and s'= k'+ WrxA mod. α.. However, he cannot determine the value of w. w from W because W= (α mod P') mod Q is a. Q and sends s' to B.. one-way function. Step 4:. w. To derive w from W= (α. The proxy signer verifies s' by the. mod P') mod Q is at least to solve the discrete. equation gs'≡ r'(yA)rW (mod P).. logarithm. If the. problem.. Therefore,. only the. equation holds, the proxy signer has. original signer can generate (w, r) to authorize. obtains the authorization form the. someone as his proxy signer.. original signer A.. Then the proxy The integrity problem of the warrant w is. signer computes the proxy secret key s= s'+a+rxB mod Q and the proxy. discussed in the following.. Given a (w, r), the. proxy signer cannot replaces w with a new. public key gs mod P.. warrant w'. [The signature generation and verification phase] Assume that the proxy signer B wants to. For the new warrant w', the proxy w'. signer may obtains another W'= (α mod P') mod Q. To generate the new signature (r, s') for W' is hard for the proxy signer since he does not. sign a message m on behalf of the original signer. have the secret key of the original signer.. A.. By using the proxy secret key s and the. proxy signer may try to find a warrant w' such. digital signature schemes based on the discrete. that W= (α mod P') mod Q = (α mod P') mod. logarithm problem, the proxy signer B is able to. Q.. generate the signature Signs(m).. solutions satisfying w'≡ w (mod P'-1) but only. Then he sends. According to the specification in the warrant w, the verifier first checks whether or not the user B has the authorization to sign the For the proxy signer B, the verifier. recovers the proxy public key by the equation w. gs≡ r(yA)rWyBr mod P, where W= (α mod P') mod Q.. w'. w. So w'≡ w (mod P'-1).. There are many. some limited solutions may be suitable for the. ((w, r), (m, Signs(m))) to the verifier.. message m.. The. Then he use this proxy public key to. verify whether or not the signature Signs(m) is signed by the proxy signer B.. warrant because the length of the warrant is limited.. Moreover, the remaining solutions can. be filtered out with the help of the set of formats of warrants since the warrant has to be written in a set of formats and contains data in special format.. Therefore, the probability that w' is. legal is insignificant. The original signer cannot forge a proxy signature because he does not have the secret key of the proxy signer.. Moreover, this scheme. does not need secure channels in the proxy key 3. SECURITY ANALYSIS AND DISCUSSIONS. generation phase.. Even though the attackers. intercept (r, s') in the proxy key generation phase, he does not have the secret key of the proxy. In essence, the procedure to generate (w, r) is a digital signature scheme based on the. signer to generate the proxy secret key s= s'+a+rxB mod Q..

(4) During the proxy key generation phase,. proxy authorization, a warrant is used to. the proxy signer cannot force the original signer. generate the proxy certificate.. sign some illegal message m' for him.. If the. warrant into the proxy certificate, the proposed. proxy certificate (r', s') is the of the message m,. proxy signature schemes suggest using the. -1. then h(m')≡ (r'')xA. (mod P), where h is the. one-way. hash. functions.. To integrate the. However,. the. one-way hash functions may weaken the overall. one-way hash function used by the proxy signer. security of the proxy signature schemes because. for the message m'.. However, the proxy signer. the security of the most one-way hash functions. does not know the secret key xA, so he cannot. are based on the complexity of a repeated simple. construct r''= (h(m')). xA. mod P.. function [1].. The new proxy signature scheme has many advantages.. The overall security of the. new scheme is purely based on the discrete. functions, the overall security of the proxy signature scheme will be only based on some cryptographic hard problems.. logarithm problem because this scheme does not need additional one-way hash functions.. Without adopting one-way hash. Here, a new proxy signature scheme. The. without one-way hash function is proposed.. new scheme need no secure channel while the. Therefore, the overall security of this new. most proposed proxy signature schemes need.. scheme is only based on the discrete logarithm. The first proxy scheme without secure channels. problem.. ,. This also makes the security analysis. is Zhang’s scheme [13]. In Zhang s scheme, the proxy signer could force the original signer to. of the new scheme is clear.. sign a message m during the proxy certification. channels.. generation [11].. original and proxy signers.. Fortunately, this problem is. overcome in our scheme.. Another advantage. is that the new scheme does not need secure The new scheme is fair for the The original signer. With the help of the. cannot forge proxy signatures while the proxy. warrant, the new scheme provides powerful. signer cannot generate any proxy signature. function to specify the proxy details.. without the authorization of the original signer.. The new. scheme also provides a fair proxy scheme.. In. The new scheme also provides powerful. the new scheme, only the original signer can. specifying function to describe all of the proxy. authorized someone as his proxy signer while. details by warrants.. only the proxy signer can generate proxy. cannot transfer the proxy authorization to. signatures.. another user without the agreement of the. The original signer cannot forge the. proxy signatures while the proxy signer cannot. Moreover, the proxy signer. original signer.. transfer his proxy authorization to someone. Therefore, this new scheme supports the fair protection for the original signer and the proxy signers.. REFERENCES [1]. Harn, L. (1997): " Digital Signature for Diffie-Hellman. Public. Keys. without. Using a One-way Function," Electronics Letters, Vol. 33, No. 2, 1997, pp. 125-126.. 4. CONCLUSIONS [2]. Hwang, Sin-Jia and Shi, Chi-Hwai (1999):. In a proxy signature scheme, an original In order to describe the details of the. Specifiable. Proxy. Signature," NCS99, Vol 3, December. singer can authorized someone as his proxy signer.. "The. 1999, pp. 190-197. [3]. Kim, S., Park, S., and Won, D. (1997):.

(5) "Proxy Signatures," ICICS ’97, Lecture. [4]. [9]. Notes in Computer Science, Vol. 1334,. (1999): "Time-Stamp Proxy Signatures. Springer, Berlin, 1997, pp. 223-232.. with Traceable Receivers," Proceedings. Lee, Narn-Yih, Hwang, Tzonelih, and. of the Ninth National Conference on. ’. Wang, Chih Hung (1998): "On Zhang s. Information Security, Taiwan, 1999, pp.. Nonrepudiable. 247-253.. Proxy. Schemes,". 1998,. pp.. Sun, Hung-Min, and Hsieh, Bin-Tsan (1999): "Remark on Two Nonrepudiable. MAMBO, Masahiro, USUDA, Keisuke,. of the Ninth National Conference on. and OKAMOTO, Eiji (1996a): "Proxy. Information Security, Taiwan, 1999, pp.. Signatures: Delegation of the Power to. 241-246.. Message,". IEICE.. Transaction. [11]. Sun, Hung-Min, Lee, N-Y and Hwang T.. Fundamentals, Vol. E 79-A, No. 9, Sept.. (1999): "Threshold Proxy Signatures,". 1996, pp.1338-1354.. IEE. MAMBO, Masahiro, USUDA, Keisuke,. Techniques, Vol. 146, No. 5, 1999, pp.. and OKAMOTO, Eiji (1996b): "Proxy. 259-263.. for. Delegation. Signing. [12]. Proc.-Computers. and. Digital. Varadharajan, V., Allen, P., and Black, S.. Operation," Proceedings of third ACM. (1991): "An Analysis of the Proxy. Conference. Problem. on. Computer. and. in. Distributed. Systems,". Communications Security, New Delhi,. Proceedings of 1991 IEEE Computer. Mar. 1996, pp. 48-57.. Society Symposium on Research m. Nechvatal, James (1991): "Public Key. Security and Privacy, 1991, pp. 225-275.. Cryptography,". [8]. '98,. [10]. Proxy Signature Schemes," Proceedings. Signatures. [7]. ACISP. Australasian. 415-422.. Sign. [6]. Signature. Third. Conference, [5]. Sun, Hung-Min and Chen, Biing-Jang. in. Contemporary. [13]. Zhang, K. (1997): "Threshold Proxy. Cryptology: The Science of Information. Signature Schemes," 1997 Information. Integrity, Simmons, G. J. ed., IEEE Press,. Security Workshop, Japan, Sep., 1997, pp.. Piscatoway, N. J, 1991, pp. 177-288.. 191-197.. Sun, Hung-Min (1999): "An Efficient Nonrepudiable. Threshold. Proxy. Signature Scheme with Known Signers," Computer Communications, Vol. 22, 1999, pp. 717-722..

(6)