Cryptanalysis of and improvement on the Hwang–Chen multi-proxy multi-signature schemes



Yuh-Dauh Lyuu a,b,1, Ming-Luen Wu b,c,*

a Department of Computer Science and Information Engineering, Department of Finance, National Taiwan University, No. 1, Sec. 4, Roosevelt Road, Taipei, Taiwan

b Department of Computer Science and Information Engineering, National Taiwan University, No. 1, Sec. 4, Roosevelt Road, Taipei, Taiwan

c Department of Information Management, Chung-Yu Institute of Technology, No. 40, Yi-7th Road, Keelung, Taiwan

Abstract

Hwang and Chen recently proposed new multi-proxy multi-signature schemes that allow a group of authorized proxy signers to sign messages on behalf of a group of original signers. This paper shows that their schemes are insecure because a malicious proxy signer can forge a signature for a message secretly while participating in the message signing process with the other proxy signers. This paper then proposes a method to remove this weakness with only small computational overheads and without impairing the security of the original schemes.

© 2004 Elsevier Inc. All rights reserved.

Keywords: Multi-signatures; Proxy signatures; Cryptanalysis; Primitive roots

0096-3003/$ - see front matter © 2004 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2004.06.117

* Corresponding author. Address: Department of Computer Science and Information Engineering, P.O. Box 12-20, Keelung 201, Taiwan, ROC.

E-mail addresses: lyuu@csie.ntu.edu.tw (Y.-D. Lyuu), d5526009@csie.ntu.edu.tw (M.-L. Wu).

1 The author was supported in part by NSC grant 92-2213-E-002-016.


1. Introduction

A proxy signature scheme allows an authorized person called the proxy signer to sign messages on behalf of the original signer. The concept of proxy signatures was first introduced by Mambo et al. [11,12] and further studied in [8,9,17,20]. In addition to these proxy signature schemes, various group-oriented proxy signatures have been introduced [3–7,16,18,19,21,22]. In a (t, n) threshold proxy signature scheme, the original signer can authorize n proxy signers such that only the cooperation of t or more of them is able to generate proxy signatures [3,4,16,19,22]. A multi-proxy signature scheme is a threshold proxy signature scheme in which only the cooperation of all the proxy signers can generate proxy signatures on behalf of the original signer [7]. Finally, a proxy multi-signature scheme allows a group of original signers to authorize one person as their proxy signer [5,18,21].

Recently, by combining the notions of multi-proxy signature and proxy multi-signature, Hwang and Chen proposed a new type of group-oriented proxy signature scheme called the multi-proxy multi-signature scheme [6]. In this signature scheme, the group of original signers (called the original signer group) can authorize a group of persons (called the proxy signer group) as their proxy signers, who sign messages on behalf of the original signer group. A multi-proxy multi-signature scheme satisfies the following two requirements: (1) only the cooperation of all the members in the original signer group can authorize a proxy signer group and (2) only the cooperation of all the members in the proxy signer group can sign messages. In Hwang and Chen's schemes, the original signers and proxy signers all cooperate to create a proxy certificate. Afterwards, the proxy certificate enables the proxy signers to work together in generating the multi-proxy multi-signatures of any messages. Hwang and Chen claim that their schemes are unforgeable even against insider attacks [6,10].

This paper will present an insider attack on the Hwang–Chen schemes that leads to forged signatures. With our attack, a malicious proxy signer can forge a multi-proxy multi-signature for a message secretly while participating in a normal message signing process with the other proxy signers. The signature is valid as if the other proxy signers had cosigned. To thwart this type of attack, a modification of the Hwang–Chen schemes is proposed. In the modified schemes, the original schemes' security is not impaired and the computation overheads are small.

The rest of this paper is organized as follows. In Section 2, we review the Hwang–Chen schemes. Then we present an attack that compromises the security of their schemes in Section 3. In Section 4, a modification of their scheme is proposed and analyzed. Section 5 concludes.


2. Review of the Hwang–Chen schemes [6]

Hwang and Chen proposed two multi-proxy multi-signature schemes: one has the help of a clerk, whereas the other does not. Both schemes use the same calculations to generate the proxy certificate and signatures. But the scheme without a clerk is more flexible than the one with a clerk in that the proxy signers rather than the clerk produce the signatures. We therefore review the scheme without a clerk in this section. Our attack also works against the scheme with a clerk.

The scheme without a clerk has two types of participants: the original signers $\{U_1, U_2, \ldots, U_n\}$ and the proxy signers $\{P_1, P_2, \ldots, P_m\}$. The scheme can be divided into four phases: system set-up, proxy certificate generation, multi-proxy multi-signature generation, and multi-proxy multi-signature verification. We describe each phase in the following.

2.1. System set-up

The system parameters and the corresponding notations are defined as follows.

$p$: a large public prime such that $p - 1$ has a large prime factor;

$q$: a large public prime factor of $p - 1$;

$g$: a public integer with order $q$ in $\mathbb{Z}_p$;

$h$: a public one-way hash function;

$ID_{u_i}$: the unique ID of the original signer $U_i$;

$ID_{p_j}$: the unique ID of the proxy signer $P_j$;

$x_{u_i} \in \mathbb{Z}_q^*$: the secret key of the original signer $U_i$;

$y_{u_i} = g^{x_{u_i}} \bmod p$: the certified public key of the original signer $U_i$;

$x_{p_j} \in \mathbb{Z}_q^*$: the secret key of the proxy signer $P_j$;

$y_{p_j} = g^{x_{p_j}} \bmod p$: the certified public key of the proxy signer $P_j$;

$w$: the proxy warrant that specifies the public proxy details such as $ID_{u_i}$, $ID_{p_j}$, $y_{u_i}$, and $y_{p_j}$.

2.2. Proxy certificate generation

In this phase, all proxy signers $P_1, P_2, \ldots, P_m$ cooperate with all original signers $U_1, U_2, \ldots, U_n$ to generate the proxy certificate $(K, V)$ as follows.

Step A.1: Each original signer $U_i$ selects a random integer $k_{u_i} \in \mathbb{Z}_q^*$, computes $K_{u_i} = g^{k_{u_i}} \bmod p$, and broadcasts $K_{u_i}$ to the other $n - 1$ original signers and all $m$ proxy signers. Each proxy signer $P_j$ selects a random integer $k_{p_j} \in \mathbb{Z}_q^*$, computes $K_{p_j} = g^{k_{p_j}} \bmod p$, and broadcasts $K_{p_j}$ to all $n$ original signers and the other $m - 1$ proxy signers.

Step A.2: Every original signer $U_i$ and every proxy signer $P_j$ compute
$$K = \left(\prod_{i=1}^{n} K_{u_i}\right)\left(\prod_{j=1}^{m} K_{p_j}\right) \bmod p.$$

Step A.3: Each original signer $U_i$ computes $v_{u_i} = h(w)\,x_{u_i}\,y_{u_i} + k_{u_i} K \bmod q$ and sends $v_{u_i}$ to the other $n - 1$ original signers and all $m$ proxy signers. Each proxy signer $P_j$ computes $v_{p_j} = h(w)\,x_{p_j}\,y_{p_j} + k_{p_j} K \bmod q$ and sends $v_{p_j}$ to all $n$ original signers and the other $m - 1$ proxy signers.

Step A.4: Each proxy signer verifies the correctness of $v_{u_i}$ with the equations
$$g^{v_{u_i}} \equiv \left(y_{u_i}^{\,y_{u_i}}\right)^{h(w)} K_{u_i}^{K} \pmod p, \quad i = 1, 2, \ldots, n.$$
He also verifies the correctness of $v_{p_j}$ with the equations
$$g^{v_{p_j}} \equiv \left(y_{p_j}^{\,y_{p_j}}\right)^{h(w)} K_{p_j}^{K} \pmod p, \quad j = 1, 2, \ldots, m.$$
If any of the equations are violated, the phase fails.

Step A.5: If all the above equations hold, each proxy signer computes
$$V = \left(\sum_{i=1}^{n} v_{u_i} + \sum_{j=1}^{m} v_{p_j}\right) \bmod q.$$

The proxy certificate available to all the proxy signers is $(K, V)$.

2.3. Multi-proxy multi-signature generation

When the proxy signer group wants to sign a message $M$ on behalf of the original signer group, the following steps are carried out.

Step B.1: Each proxy signer $P_j$ randomly selects an integer $t_j \in \mathbb{Z}_q$.

Step B.2: Each proxy signer $P_j$ computes $r_j = g^{t_j} \bmod p$ and broadcasts $r_j$ to the other $m - 1$ proxy signers.

Step B.3: Each proxy signer $P_j$ computes $R$ and $s_j$, where
$$R = \prod_{j=1}^{m} r_j \bmod p, \qquad s_j = \left(V t_j + x_{p_j}\,y_{p_j}\,R\,h(M)\right) \bmod q.$$

Step B.4: Each $P_j$ broadcasts $s_j$ to the other $m - 1$ proxy signers.

Step B.5: Each proxy signer $P_j$ checks the validity of $(r_j, s_j)$ by testing
$$g^{s_j} \equiv r_j^{V}\, y_{p_j}^{\,y_{p_j} R\,h(M)} \pmod p, \quad j = 1, 2, \ldots, m.$$
If all of the equations hold, each proxy signer computes
$$S = \sum_{j=1}^{m} s_j \bmod q.$$


2.4. Multi-proxy multi-signature verification

The multi-proxy multi-signature $(w, K, V, M, R, S)$ is verified in two steps.

Step C.1: Verify the warrant $w$ and the proxy certificate $(K, V)$ by testing
$$g^{V} \stackrel{?}{\equiv} K^{K} \left(\prod_{i=1}^{n} y_{u_i}^{\,y_{u_i}}\right)^{h(w)} \left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{h(w)} \pmod p.$$

Step C.2: Check the correctness of $(R, S)$ by testing
$$g^{S} \stackrel{?}{\equiv} R^{V} \left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{R\,h(M)} \pmod p.$$

Accept the signature if both equations hold.

3. Our insider attack

We now present an attack on the Hwang–Chen schemes. Let the proxy signer $P_1$ be malicious throughout this section. We will show how $P_1$ can forge a multi-proxy multi-signature for a secret message $M'$ while participating with the other proxy signers in signing another message $M$.

$P_1$ takes all the necessary Steps B.1–B.5 in the multi-proxy multi-signature generation phase. Let $a = h(M')\,h(M)^{-1} \bmod q$ and $a^{-1}$ be the multiplicative inverse of $a$ modulo $q$, i.e.,
$$a^{-1} = h(M')^{-1}\,h(M) \bmod q.$$

In Step B.1, $P_1$ randomly selects an integer $t_1 \in \mathbb{Z}_q$ as before. In Step B.2, $P_1$ waits for the other proxy signers' $r_2, r_3, \ldots, r_m$. He then privately computes
$$R' = g^{t_1} \prod_{j=2}^{m} r_j \bmod p$$
and solves for $R$ such that
$$R\,h(M) \equiv R'\,h(M') \pmod q. \tag{1}$$
Note that $a^{-1} R \equiv R' \pmod q$. $P_1$ now solves for $r_1$ satisfying
$$r_1 \prod_{j=2}^{m} r_j \equiv R \pmod p,$$
and broadcasts this $r_1$ in Step B.2. Note that $r_1$ is no longer random as in the original scheme. In Step B.3, each proxy signer $P_j$ computes $R = \prod_{j=1}^{m} r_j \bmod p$ and $s_j$. Then each proxy signer $P_j$ except $P_1$ broadcasts $s_j$. After $P_1$ receives $s_2, s_3, \ldots, s_m$ from the other proxy signers, he computes
$$S = \sum_{j=1}^{m} s_j \bmod q.$$

Now the forged signature $(w, K, V, M', R', S)$ is completed. Note that $P_1$ never sends out his $s_1$ as required. He can attribute the failure to hardware or communications faults to diffuse suspicion.

This multi-proxy multi-signature $(w, K, V, M', R', S)$ is valid because
$$g^{V} \equiv K^{K} \left(\prod_{i=1}^{n} y_{u_i}^{\,y_{u_i}} \prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{h(w)} \pmod p,$$
and
$$g^{S} \equiv g^{\sum_{j=1}^{m} s_j \bmod q} \equiv g^{\sum_{j=1}^{m} \left(V t_j + x_{p_j} y_{p_j} R\,h(M)\right) \bmod q} \equiv \left(g^{t_1} \prod_{j=2}^{m} r_j\right)^{V} \left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{R\,h(M)} \equiv (R')^{V} \left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{R'\,h(M')} \pmod p.$$

We remark that to forge a signature, $P_1$ must find the $R$ such that
$$\left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{R\,h(M)} \equiv \left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{R'\,h(M')} \pmod p,$$
i.e., $P_1$ must solve for the $R$ satisfying Eq. (1).
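As an added worked example (not code from the paper), the following Python implements the scheme of Section 2 with constructed toy parameters $p = 2039$, $q = 1019$, $g = 4$ and reproduces the Section 3 forgery, so that both the honest signature on $M$ and the signature $(w, K, V, M', R', S)$ assembled by $P_1$ can be checked against Steps C.1 and C.2. The hash mapping, the seeded randomness, the message strings and the function names are assumptions made for this demonstration.

```python
import hashlib
import random
from math import prod

# Constructed toy parameters (not the paper's): q divides p - 1 and g has order q in Z_p.
p, q, g = 2039, 1019, 4  # p = 2q + 1, so 4 = 2^2 is a quadratic residue of order q

def h(msg: bytes) -> int:
    """Public one-way hash mapped into [1, q-1], so h(M) is invertible mod q."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (q - 1) + 1

def keygen(rng, count):
    """Secret keys x in Z_q^* and certified public keys y = g^x mod p."""
    xs = [rng.randrange(1, q) for _ in range(count)]
    return xs, [pow(g, x, p) for x in xs]

def proxy_certificate(rng, w, xu, yu, xp, yp):
    """Steps A.1-A.5: original and proxy signers jointly produce (K, V)."""
    ks = [rng.randrange(1, q) for _ in xu + xp]
    K = prod(pow(g, k, p) for k in ks) % p
    vs = [(h(w) * x * y + k * K) % q for x, y, k in zip(xu + xp, yu + yp, ks)]
    for y, k, v in zip(yu + yp, ks, vs):  # Step A.4: g^v = (y^y)^h(w) * K_i^K (mod p)
        if pow(g, v, p) != pow(y, y * h(w), p) * pow(g, k * K, p) % p:
            raise ValueError("Step A.4 check failed")
    return K, sum(vs) % q

def verify(w, K, V, M, R, S, yu, yp):
    """Steps C.1 and C.2 of the Hwang-Chen verification."""
    Yu = prod(pow(y, y, p) for y in yu) % p
    Yp = prod(pow(y, y, p) for y in yp) % p
    c1 = pow(g, V, p) == pow(K, K, p) * pow(Yu, h(w), p) * pow(Yp, h(w), p) % p
    c2 = pow(g, S, p) == pow(R, V, p) * pow(Yp, R * h(M), p) % p
    return c1 and c2

def honest_sign(rng, V, M, xp, yp):
    """Steps B.1-B.5 with every proxy signer behaving honestly."""
    t = [rng.randrange(q) for _ in xp]
    R = prod(pow(g, tj, p) for tj in t) % p
    s = [(V * tj + x * y * R * h(M)) % q for tj, x, y in zip(t, xp, yp)]
    return R, sum(s) % q

def insider_forgery(rng, V, M, M_forged, xp, yp):
    """Section 3: P_1 joins the signing of M but ends up with a signature on M_forged."""
    t = [rng.randrange(q) for _ in xp]  # P_1 still picks its own t_1 in Step B.1
    r_others = [pow(g, tj, p) for tj in t[1:]]  # r_2, ..., r_m received in Step B.2
    R_forged = pow(g, t[0], p) * prod(r_others) % p  # R' = g^t_1 * prod_{j>=2} r_j
    a = h(M_forged) * pow(h(M), -1, q) % q
    R = (a * R_forged) % q or q  # Eq. (1): R h(M) = R' h(M') (mod q), with R != 0 mod p
    r1 = R * pow(prod(r_others), -1, p) % p  # r_1 chosen so that prod_j r_j = R (mod p)
    assert prod([r1] + r_others) % p == R  # what the honest signers compute in Step B.3
    # The honest signers compute s_j with this R; P_1 uses its real t_1 for s_1.
    s = [(V * tj + x * y * R * h(M)) % q for tj, x, y in zip(t, xp, yp)]
    return R_forged, sum(s) % q

def demo(seed=1):
    """Returns (honest signature on M verifies, forged signature on M_forged verifies)."""
    rng = random.Random(seed)
    xu, yu = keygen(rng, 2)  # two original signers
    xp, yp = keygen(rng, 3)  # three proxy signers; P_1 is the malicious one
    w = b"warrant: U1,U2 delegate signing to P1,P2,P3"
    K, V = proxy_certificate(rng, w, xu, yu, xp, yp)
    M, M_forged = b"transfer 10", b"transfer 10000"
    honest_ok = verify(w, K, V, M, *honest_sign(rng, V, M, xp, yp), yu, yp)
    forged = insider_forgery(rng, V, M, M_forged, xp, yp)
    forged_ok = verify(w, K, V, M_forged, *forged, yu, yp)
    return honest_ok, forged_ok
```

Both entries of `demo()` come back True: the verifier of Step C.2 cannot tell the forged $(R', S)$ on $M'$ from an honestly produced signature, which is exactly the weakness the modification in Section 4 removes.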

4. Modifications to foil the attack

In this section we propose modifications of the Hwang–Chen multi-proxy multi-signature schemes to foil the attack and discuss the security and performance of the modified scheme.

4.1. The modified scheme

We will modify the Hwang and Chen scheme without a clerk. The same modifications can be applied to the scheme with a clerk and yield the same results. Hence we focus on the former case.

In our modified scheme, the participants and the notations are identical to those in Section 2. There are also four phases: system set-up, proxy certificate generation, multi-proxy multi-signature generation, and multi-proxy multi-signature verification. The basic differences are the choice of moduli and the replacement of $R$ with $R^2$ in the calculations.

4.1.1. System set-up

The system parameters and the corresponding notations are defined as follows:

$N = p_1 p_2$: a public odd integer where the $p_i$ are large primes such that each $p_i - 1$ has a large prime factor $q_i$;

$Q = q_1 q_2$: a public integer;

$g$: a public integer with order $Q$ in $\mathbb{Z}_N$;

$h$: a public one-way hash function;

$ID_{u_i}$: the unique ID of the original signer $U_i$;

$ID_{p_j}$: the unique ID of the proxy signer $P_j$;

$x_{u_i} \in \mathbb{Z}_Q^*$: the secret key of the original signer $U_i$;

$y_{u_i} = g^{x_{u_i}} \bmod N$: the certified public key of the original signer $U_i$;

$x_{p_j} \in \mathbb{Z}_Q^*$: the secret key of the proxy signer $P_j$;

$y_{p_j} = g^{x_{p_j}} \bmod N$: the certified public key of the proxy signer $P_j$;

$w$: the proxy warrant that specifies the public proxy details such as $ID_{u_i}$, $ID_{p_j}$, $y_{u_i}$, and $y_{p_j}$.

The requirements for pi are identical to those for p under the original Hwang–Chen schemes. N should be chosen such that factoring N and Q and solving the discrete logarithm problem in ZN are intractable.

We next show that obtaining a $g$ with order $Q = q_1 q_2$ is computationally easy. But let's review some notations first. Let $\phi(N)$ denote Euler's phi function, which gives the number of positive integers $j \in \{1, 2, \ldots, N - 1\}$ that are relatively prime to $N$. The order of $g$ modulo $N$ is denoted by $\mathrm{ord}_N\, g$ or simply $\mathrm{ord}(g)$ if $N$ is understood. If $g$ and $p$ are relatively prime integers with $p > 0$ and if $\mathrm{ord}_p\, g = \phi(p)$, then $g$ is called a primitive root modulo $p$. A universal exponent of $N$ is a positive integer $u$ such that $g^u \equiv 1 \pmod N$ for all $g$ relatively prime to $N$. The minimal universal exponent of $N$ is denoted by $\lambda(N)$. The following known facts are needed for our purpose [1,15].

Fact 4.1. Let $N$ be an odd positive integer with prime factorization $N = p_1 p_2$. Then the following hold.

1. $\lambda(N) = \mathrm{lcm}(\phi(p_1), \phi(p_2))$.

2. Let $r_i$ be a primitive root modulo $p_i$, $i = 1, 2$. The solution of the simultaneous congruences $x \equiv r_i \pmod{p_i}$, $i = 1, 2$, is an integer with order $\lambda(N)$ modulo $N$.


Fact 4.2. Let $G = \langle x \rangle$ be a cyclic group generated by $x$. If $\mathrm{ord}(x) = d$ and if $\ell$ is a positive integer, then
$$\mathrm{ord}(x^{\ell}) = \frac{d}{\gcd(d, \ell)}.$$

We find primitive roots modulo $p_i$, $i = 1, 2$, using, e.g., the efficient Algorithm 4.80 of [13]. Suppose $p_i = a_i q_i + 1$. Then $\mathrm{lcm}(\phi(p_1), \phi(p_2)) = \mathrm{lcm}(a_1 q_1, a_2 q_2) = \ell q_1 q_2$ for some integer $\ell$. By Fact 4.1, we can use the Chinese remainder algorithm to compute a $g_0$ with order $\lambda(N) = \mathrm{lcm}(\phi(p_1), \phi(p_2)) = \ell q_1 q_2$. By Fact 4.2, $g_0^{\ell} \bmod N$ has order
$$\frac{\ell q_1 q_2}{\gcd(\ell q_1 q_2, \ell)} = q_1 q_2.$$
We will take $g = g_0^{\ell} \bmod N$.
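As an added example (not from the paper), the following Python carries out the generator construction just described on constructed toy primes $p_1 = 2039$, $p_2 = 2063$ ($q_1 = 1019$, $q_2 = 1031$, so $\ell = 2$): it finds primitive roots by the direct order test rather than Algorithm 4.80 of [13], combines them with the Chinese remainder theorem into $g_0$, raises $g_0$ to $\ell$, and checks that the result has order exactly $Q = q_1 q_2$ modulo $N$. The function names and the factor-by-trial-division helper are assumptions made for this demonstration.

```python
from math import lcm

def prime_factors(n):
    """Distinct prime factors by trial division (adequate for the toy sizes used here)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def primitive_root(p):
    """Smallest primitive root modulo the prime p, i.e. an element of order phi(p) = p - 1."""
    for r in range(2, p):
        if all(pow(r, (p - 1) // f, p) != 1 for f in prime_factors(p - 1)):
            return r
    raise ValueError("no primitive root found")

def crt(r1, p1, r2, p2):
    """The x in [0, p1*p2) with x = r1 (mod p1) and x = r2 (mod p2), for coprime p1, p2."""
    return (r1 + p1 * ((r2 - r1) * pow(p1, -1, p2) % p2)) % (p1 * p2)

def multiplicative_order(x, N, multiple):
    """Order of x in Z_N^*, given a known multiple of that order (here lambda(N))."""
    order = multiple
    for f in prime_factors(multiple):
        while order % f == 0 and pow(x, order // f, N) == 1:
            order //= f
    return order

def order_q1q2_generator(p1, q1, p2, q2):
    """Section 4.1.1: build g of order Q = q1*q2 in Z_N, N = p1*p2, via Facts 4.1 and 4.2."""
    N, Q = p1 * p2, q1 * q2
    lam = lcm(p1 - 1, p2 - 1)  # Fact 4.1(1): lambda(N) = lcm(phi(p1), phi(p2)) = ell*q1*q2
    if lam % Q != 0:
        raise ValueError("q1*q2 must divide lambda(N)")
    ell = lam // Q
    g0 = crt(primitive_root(p1), p1, primitive_root(p2), p2)  # Fact 4.1(2): ord(g0) = lambda(N)
    g = pow(g0, ell, N)  # Fact 4.2: ord(g0^ell) = lambda(N) / gcd(lambda(N), ell) = q1*q2
    return N, Q, g

def demo():
    """Constructed toy primes p_i = 2*q_i + 1 (so ell = 2); True if ord_N(g) == Q."""
    p1, q1, p2, q2 = 2039, 1019, 2063, 1031
    N, Q, g = order_q1q2_generator(p1, q1, p2, q2)
    return multiplicative_order(g, N, lcm(p1 - 1, p2 - 1)) == Q
```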

4.1.2. Proxy certificate generation

This phase is the same as that of the Hwang–Chen schemes except that N replaces p and Q replaces q.

4.1.3. Multi-proxy multi-signature generation

When the proxy signer group wants to sign a message M on behalf of the original signer group, the following steps are carried out.

Step B.1: Each proxy signer $P_j$ randomly selects an integer $t_j \in \mathbb{Z}_Q$.

Step B.2: Each proxy signer $P_j$ computes $r_j = g^{t_j} \bmod N$ and broadcasts $r_j$ to the other $m - 1$ proxy signers.

Step B.3: Each proxy signer $P_j$ computes the numbers $R$ and $s_j$, where
$$R = \prod_{j=1}^{m} r_j \bmod N, \qquad s_j = \left(V t_j + x_{p_j}\,y_{p_j}\,R^2\,h(M)\right) \bmod Q.$$

Step B.4: Each $P_j$ broadcasts $s_j$ to the other $m - 1$ proxy signers.

Step B.5: Each proxy signer $P_j$ checks the validity of $(r_j, s_j)$ by testing
$$g^{s_j} \equiv r_j^{V}\, y_{p_j}^{\,y_{p_j} R^2\,h(M)} \pmod N, \quad j = 1, 2, \ldots, m.$$
If all the equations hold, each proxy signer computes
$$S = \sum_{j=1}^{m} s_j \bmod Q.$$

The multi-proxy multi-signature of message $M$ is $(w, K, V, M, R, S)$.

4.1.4. Multi-proxy multi-signature verification


Step C.1: Verify the warrant $w$ and the proxy certificate $(K, V)$ by testing
$$g^{V} \stackrel{?}{\equiv} K^{K} \left(\prod_{i=1}^{n} y_{u_i}^{\,y_{u_i}}\right)^{h(w)} \left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{h(w)} \pmod N.$$

Step C.2: Check the correctness of $(R, S)$ by testing
$$g^{S} \stackrel{?}{\equiv} R^{V} \left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{R^2\,h(M)} \pmod N.$$

Accept the signature if both equations hold.

4.2. Discussions

We first discuss the security of our modified scheme. The security of the modified scheme is based on the following intractability assumptions:

1. The discrete logarithm problem is hard.

2. Solving for $x$ in the equation $x^{x} \equiv a \pmod N$ for a constant $a$ is hard [2].

3. The factoring problem is hard [14].

Assumptions 1 and 2 are necessary by Hwang–Chen's analysis. Assumption 3 allows our modified scheme to resist the proposed attack. The reason is as follows. In the attack, $a = h(M')\,h(M)^{-1} \bmod Q$ and $R' = g^{t_1} \prod_{j=2}^{m} r_j \bmod N$. To forge a signature with the attack, a malicious proxy signer must find an $R$ such that
$$\left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{R^2\,h(M)} \equiv \left(\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}\right)^{R'^2\,h(M')} \pmod N.$$

That is, the malicious proxy signer must solve for $R$ satisfying $R'^2\,h(M') \equiv R^2\,h(M) \pmod Q$. As $h(M') \equiv a\,h(M) \pmod Q$, the malicious proxy signer must compute a square root of $a R'^2 \bmod Q$. Because factoring $Q$ is infeasible, computing a square root of $a R'^2 \bmod Q$ is infeasible. As a result, forging a signature with the attack is hard.

Now we briefly discuss the performance of the modified scheme. Compared with the Hwang–Chen scheme without a clerk, our modified scheme uses different moduli and group order. In addition, our modified scheme and the Hwang–Chen scheme differ slightly in Steps B.3, B.5, and C.2. In our scheme, each proxy signer $P_j$ in Steps B.3 and B.5 uses $R^2$ instead of $R$, and so does the verifier in Step C.2. To express the computation and communication costs more clearly, some symbols are defined in Table 1. The computation costs are listed in Table 2 and the communication costs in Table 3. For comparison, we also list the computation and communication costs of the Hwang–Chen scheme in the same tables. As in Hwang–Chen's paper, in Table 2 we do not count the computation costs of modular addition and modular subtraction because their computation times are much less than those of $T_m$ or $T_e$ defined in Table 1. Also we do not count the costs of the following calculations: $x_{u_i} y_{u_i}$, $x_{p_j} y_{p_j}$, $y_{u_i}^{\,y_{u_i}}$, $y_{p_j}^{\,y_{p_j}}$, $\prod_{i=1}^{n} y_{u_i}^{\,y_{u_i}}$, and $\prod_{j=1}^{m} y_{p_j}^{\,y_{p_j}}$. This is because they are computed once and for all.

5. Conclusions

In this paper, we present an attack that exposes a weakness of Hwang and Chen's schemes [6]. In addition, we propose improvements of their schemes to overcome this weakness without compromising the original schemes' security. The extra computation overheads are minimal.

Table 1. The definitions of the symbols

Symbol   Definition
$T_m$    Time to execute one modular multiplication
$T_e$    Time to execute one modular exponentiation
$T_h$    Time to execute the one-way hash function $h$

Table 2. Computation costs (columns: phase; Hwang–Chen scheme without a clerk; our modified scheme)

Proxy certificate generation: $(3m^2 + 3n^2 + 6mn - 2n - 2m)T_e + 2(n + m)^2 T_m + (n + m)T_h$; $(3m^2 + 3n^2 + 6mn - 2n - 2m)T_e + 2(n + m)^2 T_m + (n + m)T_h$

Multi-proxy multi-signature generation: $(3m^2 - 2m)T_e + 3m^2 T_m + mT_h$; $(3m^2 - 2m)T_e + (3m^2 + m)T_m + mT_h$

Multi-proxy multi-signature verification: $6T_e + 3T_m + 2T_h$; $6T_e + 4T_m + 2T_h$

Table 3. Communication costs (columns: phase; Hwang–Chen scheme without a clerk; our modified scheme)

Proxy certificate generation: $(n + m - 1)(n + m)(|p| + |q|)$; $(n + m - 1)(n + m)(|N| + |Q|)$

Multi-proxy multi-signature generation: $(m^2 - m + 2)(|p| + |q|) + |w| + |M|$; $(m^2 - m + 2)(|N| + |Q|) + |w| + |M|$


References

[1] G.H. Hardy, E.M. Wright, An Introduction to the Theory of Numbers, fifth ed., Oxford University Press, New York, 1979.

[2] L. Harn, Group-oriented (t, n) threshold digital signature scheme and digital multisignature, IEE Proceedings––Computers and Digital Techniques 141 (5) (1994) 307–313.

[3] C.-L. Hsu, T.-S. Wu, T.-C. Wu, New repudiable threshold signature scheme with known signers, The Journal of Systems and Software 58 (2001) 119–124.

[4] M.-S. Hwang, I.-C. Lin, E.J.-L. Lu, A secure nonrepudiable threshold proxy signature scheme with known signers, Informatica 11 (2) (2000) 137–144.

[5] S.-J. Hwang, C.-C. Chen, A new proxy multi-signature scheme, in: International Workshop on Cryptology and Network Security, Taiwan, 2001, pp. 199–204.

[6] S.-J. Hwang, C.-C. Chen, New multi-proxy multi-signature schemes, Applied Mathematics and Computation 147 (2004) 57–67.

[7] S.-J. Hwang, C.-H. Shi, A simple multi-proxy signature scheme, in: Proceedings of the Tenth National Conference on Information Security, Taiwan, 2000, pp. 134–138.

[8] S. Kim, S. Park, D. Won, Proxy signatures, revisited, in: Information Security and Cryptology—ICISC'97, LNCS, vol. 1334, Springer-Verlag, Berlin, 1997, pp. 223–232.

[9] N.-Y. Lee, T. Hwang, C.-H. Wang, On Zhang's nonrepudiable proxy signature schemes, in: Third Australasian Conference, ACISP'98, 1998, pp. 415–422.

[10] Z.C. Li, L.C.K. Hui, K.P. Chow, C.F. Chong, W.W. Tsang, H.W. Chan, Cryptanalysis of Harn digital multisignature scheme with distinguished signing authorities, Electronics Letters 36 (4) (2000) 314–315.

[11] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures: delegation of the power to sign message, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E79-A (9) (1996) 1338–1353.

[12] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures for delegation signing operation, in: CCS '96, Proceedings of the 3rd ACM Conference on Computer and Communications Security, 1996, pp. 48–57.

[13] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1997.

[14] M.O. Rabin, Digital signatures and public-key functions as intractable as factorization, Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.

[15] K.H. Rosen, Elementary Number Theory and Its Applications, third ed., Addison Wesley, Reading, MA, 1993.

[16] H.-M. Sun, An efficient nonrepudiable threshold proxy signature scheme with known signers, Computer Communications 22 (1999) 717–722.

[17] H.-M. Sun, Design of time-stamped proxy signatures with traceable receivers, IEE Proceedings––Computers and Digital Techniques 147 (6) (2000) 462–466.

[18] H.-M. Sun, On proxy (multi-)signature schemes, in: 2000 International Computer Symposium, Taiwan, 2000, pp. 65–72.

[19] H.-M. Sun, N.-Y. Lee, T. Hwang, Threshold proxy signatures, IEE Proceedings––Computers and Digital Techniques 146 (5) (1999) 259–263.

[20] S.-M. Yen, C.-P. Hung, and Y.-Y. Lee, Remarks on some proxy signature scheme, in: 2000 International Computer Symposium, Taiwan, 2000, pp. 54–59.

[21] L. Yi, G. Bai, G. Xiao, Proxy multi-signature scheme: A new type of proxy signature scheme, Electronics Letters 36 (6) (2000) 527–528.

[22] K. Zhang, Threshold proxy signature schemes, 1997 Information Security Workshop, Japan, 1997, pp. 191–197.
