
Remarks on Some Proxy Signature Schemes


Sung-Ming Yen, Chung-Pei Hung, Yi-Yuan Lee

1) Dept of Electrical Engineering, Tamkang University, Tamsui, Taipei Hsien, Taiwan 25137, R.O.C. E-mail: yensm@csie.ncu.edu.tw
2) Communication Network Lab., Institute for Information Industry, Taiwan, R.O.C.

Abstract

In 1996, a new category of signature scheme called a proxy signature was proposed by Mambo, Usuda, and Okamoto. The proxy signature scheme allows a designated person, called a proxy signer, to sign on behalf of an original signer. In Mambo's paper, one kind of cryptanalysis on their scheme was considered. In this paper, it will be shown that the reported attack in Mambo's paper is not practical and a simple countermeasure can be easily developed. The proxy signature scheme plays a role in many practical applications and has received great attention since it was proposed. In 1999, Sun and Hsieh developed an enhanced version of the proxy signature scheme. However, it will be proven that the Sun-Hsieh scheme is not secure. A simple modified version will be suggested.

1 Introduction

Public key based signature schemes, e.g., [1, 2, 3], are developed to enable a signer to produce the signature for a message by using his private key. To check the validity of the signature, the corresponding public key (verifying key) of the signer should be employed. An interesting problem was considered in 1996 by Mambo, Usuda, and Okamoto [4] in which a designated person is assigned to produce a signature on behalf of an original signer when he is absent. This new category of signature scheme is called the proxy signature. The proxy signature scheme plays a role in many practical applications and has received great attention since it was proposed. Related works can be found in the literature [5, 6, 7, 8, 9]. Also, the concept of proxy signature was independently pointed out by Yen [10, §3.4] in 1994.

So far, there have been five categories of proxy signature schemes, each with a different level of delegation and security assumption. The full delegation, the partial delegation, and the delegation with warrant were proposed by Mambo, Usuda, and Okamoto [4]. Later on, Zhang [6] suggested two other modifications, i.e., the partial delegation with warrant and the threshold delegation. Brief descriptions of the above five proxy signatures are given below.

Full delegation: In a full delegation, a proxy signer is given the same secret that the original signer has. So, a proxy signer can produce exactly the same signature as the original signer can do.

Partial delegation: In a partial delegation, a proxy signing key $\sigma$ will be created by the original signer. A proxy signer then uses $\sigma$ to sign messages on behalf of the original signer.

Delegation by warrant: A signed warrant can be explicitly included in the delegation. It is used to claim the regulation of a delegation.

Partial delegation with warrant: In a partial delegation with warrant, a proxy signing key $\sigma$ will be created and a warrant will be signed, both by the original signer.

Threshold delegation: In a threshold delegation, a set of $n$ proxy signers are given shares such that at least $t \le n$ shares are required to produce a proxy signature. It is called a $(t, n)$-threshold delegation.

A partial delegation and a delegation by warrant are more secure than the full delegation. A partial delegation with warrant combines the advantages of both a partial delegation and a delegation by warrant. In general, a partial delegation with warrant provides the characteristics of acceptable performance and a reasonable way to regulate the delegation, e.g., a valid delegation period.

The property of nonrepudiation of generating a signature is also necessary for a sound proxy signature scheme, like in any conventional signature scheme. In a proxy signature scheme without nonrepudiation, a proxy signer can frame the original signer and vice versa. This is simply because the original signer can sign on behalf of the proxy signer. So far, a number of proxy signature schemes with the property of nonrepudiation have been developed. They are called the proxy-protected proxy signature in [4, 5] and are called the nonrepudiable proxy signature in [6, 7].

Among the above nonrepudiable proxy signature schemes, the Mambo-Usuda-Okamoto scheme [4] and the Kim-Park-Won scheme [5] have been shown to be insecure by Sun and Hsieh [8]. Also, Zhang's scheme [6] has been shown to be insecure by Lee, Hwang, and Wang [7]. In [8], Sun and Hsieh also suggested an enhanced proxy signature scheme based on both the Mambo-Usuda-Okamoto and the Kim-Park-Won schemes. In this paper, we will examine the security of the Sun-Hsieh scheme and will prove that the scheme is not nonrepudiable. A slightly modified version will be suggested.

In Mambo's paper [4], one kind of cryptanalysis on their scheme was considered. In this paper, it will be shown that the reported attack in Mambo's paper is not practical and a simple countermeasure can be easily developed.

2 Remark on the Sun-Hsieh proxy signature

Recently, Sun and Hsieh [8] proposed a modified nonrepudiable proxy signature scheme based on the Kim-Park-Won scheme [5]. In this section, it will be shown that the modified scheme is not nonrepudiable because the original signer can forge a proxy signature key and can sign on behalf of the proxy signer.

2.1 Brief review of the Sun-Hsieh scheme

In the scheme, like in the ordinary Kim-Park-Won scheme, the original signer and the proxy signer select $s_o$ and $s_p$ as their private keys, respectively. The corresponding public keys are $v_o = g^{s_o} \bmod p$ and $v_p = g^{s_p} \bmod p$ where $p$ is a large prime and $g$ is a primitive root modulo $p$. The scheme is reviewed in the following.

Step 1: The original signer computes $K = g^k \bmod p$ where $k \in_R Z_{p-1}$. Then, the parameter $e = h(W, K, v_p)$ is computed where $W$ is the warrant of the delegation and $h()$ is a one-way hash function, e.g., MD5 [11] and SHA [12]. Finally, a secret delegation parameter $\sigma = s_o \cdot e + k \bmod (p-1)$ is constructed. The original signer sends $\{W, \sigma, K\}$, called the proxy certificate, to the proxy signer through a secure channel (to protect $\sigma$).

Step 2: The proxy signer checks the validity of the proxy certificate by computing

$$g^{\sigma} \stackrel{?}{\equiv} v_o^{h(W,K,v_p)} \cdot K \pmod p.$$

If it holds, the proxy signer computes the proxy signing key as

$$\sigma_p = \sigma + s_p \bmod (p-1). \tag{1}$$

Note that the corresponding public key for verifying signatures generated using $\sigma_p$ is

$$v_p' = g^{\sigma_p} = v_o^{h(W,K,v_p)} \cdot K \cdot v_p \bmod p. \tag{2}$$

Step 3: When the original signer is absent, the proxy signer can sign on behalf of the original signer by using any existing discrete logarithm based signature scheme, e.g., the ElGamal scheme [2] or the Schnorr scheme [3]. Now, $\{M, W, Sign_{\sigma_p}(M), K, v_o, v_p\}$ are sent as the complete signature for message $M$ where $Sign_{\sigma_p}(M)$ means the usual signature using $\sigma_p$ as the signing key.

Step 4: The signature verifier/receiver first computes the signature verifying key $v_p'$ as in Eq.(2), then checks the correctness (validity) of the signature $Sign_{\sigma_p}(M)$ in the usual approach.

2.2 A forgery attack

In the following, it will be shown that the above proxy signature scheme is not "proxy signer nonrepudiable". This means that the original signer can sign on behalf of the proxy signer and can frame the proxy signer if he wishes.

The original signer chooses a random integer $k \in_R Z_{p-1}$ as usual and computes

$$K' = g^{k} \cdot v_p^{-1} \bmod p \tag{3}$$

where $v_p^{-1}$ is the multiplicative inverse of $v_p$ modulo $p$. It can be proven that the original signer can use

$$\tilde\sigma_p = s_o \cdot e + k \bmod (p-1)$$

as the forged proxy signing key, where $e = h(W, K', v_p)$. Consequently, the corresponding forged public key (i.e., the signature verifying key) is

$$\tilde v_p' = v_o^{h(W,K',v_p)} \cdot g^{k} \bmod p. \tag{4}$$

The original signer can sign and send $\{M, W, Sign_{\tilde\sigma_p}(M), K', v_o, v_p\}$ to the receiver as a valid proxy signature using $\tilde\sigma_p$ as the signing key. As described in Step 4 of the scheme, the signature verifier/receiver will compute the signature verifying key as in Eq.(2) before verifying the received signature. The following manipulation proves that $\tilde v_p'$ will be the derived verifying key:

$$v_o^{h(W,K',v_p)} \cdot K' \cdot v_p \pmod p \equiv v_o^{h(W,K',v_p)} \cdot g^{k} \cdot v_p^{-1} \cdot v_p \pmod p \quad \text{(by Eq.(3))}$$

$$\equiv \tilde v_p' \quad \text{(by Eq.(4))}$$

2.3 Enhancement of the Sun-Hsieh scheme

In this subsection, an enhanced Sun-Hsieh scheme is suggested. In this improved scheme, it is infeasible for the original signer to forge a valid proxy signing key. The scheme is sketched in the following.

Step 1: It is exactly the same as the original Step 1 except that $e = h(W, K, v_p)$ is replaced by $e = h(W, K, v_o, v_p)$.

Step 2: The proxy signer checks the validity of the proxy certificate by computing $g^{\sigma} \stackrel{?}{\equiv} v_o^{h(W,K,v_o,v_p)} \cdot K \pmod p$. If it holds, the proxy signer computes the proxy signing key as

$$\sigma_p = \sigma + s_p \cdot K \bmod (p-1). \tag{5}$$

In this modified scheme, the corresponding public key for verifying signatures generated using $\sigma_p$ is

$$v_p' = g^{\sigma_p} = v_o^{h(W,K,v_o,v_p)} \cdot K \cdot v_p^{K} \bmod p. \tag{6}$$

Step 3: It is exactly the same as the original Step 3.

Step 4: The signature verifier/receiver first computes the signature verifying key $v_p'$ as in Eq.(6), then checks the correctness (validity) of the signature $Sign_{\sigma_p}(M)$ in the usual approach.

2.4 Security analysis of the enhanced scheme

The following paragraphs discuss the security issues of the enhanced Sun-Hsieh scheme.

Attack 1. The original signer may try to forge a valid proxy signing key $\tilde\sigma_p$ as mentioned previously. However, in the above enhanced scheme, it requires the original signer to select two integers $(K', a)$ such that

$$\tilde\sigma_p = s_o \cdot h(W, K', v_o, v_p) + a \bmod (p-1) \tag{7}$$

and

$$K' = (v_p^{K'})^{-1} \cdot g^{a} \bmod p. \tag{8}$$

Note that the corresponding signature verifying key now becomes (computed by the signature verifier)

$$\tilde v_p' = g^{\tilde\sigma_p} = v_o^{h(W,K',v_o,v_p)} \cdot K' \cdot v_p^{K'} \bmod p.$$

This can be justified by the following derivation:

$$v_o^{h(W,K',v_o,v_p)} \cdot K' \cdot v_p^{K'} \pmod p \equiv v_o^{h(W,K',v_o,v_p)} \cdot (v_p^{K'})^{-1} \cdot g^{a} \cdot v_p^{K'} \pmod p \quad \text{(by Eq.(8))}$$

$$\equiv g^{\tilde\sigma_p} \pmod p \quad \text{(by Eq.(7))} \equiv \tilde v_p'$$

However, it is infeasible to solve the problem in Eq.(8). The first approach is that $K'$ is selected first and one tries to solve for the exponent $a$. However, this is well known as the discrete logarithm hard problem. The second approach is that the exponent $a$ is selected first and one tries to solve for $K'$. This problem seems to be also infeasible to solve or to be even harder than the discrete logarithm problem.

Attack 2. In Attack 1, the original signer (attacker) computes her public key in the usual approach. However, in some scenarios, an attacker may intend to forge a proxy signing key at the cost of having her usual private key unknown. Suppose that an attacker, say Alice with public key $v_a$, in the role of an original signer wishes to forge a proxy signature on behalf of a proxy signer, say Peter with public key $v_p$. Alice needs to compute $v_a$, $K$, and $\sigma_p$ such that $g^{\sigma_p} \equiv v_a^{h(W,K,v_a,v_p)} \cdot K \cdot v_p^{K} \pmod p$. One possibility is to let

$$v_a = v_p^{-K/h(W,K,v_a,v_p)} \cdot g^{a} \bmod p \tag{9}$$

and $K = g^{k} \bmod p$ where $a$ is an integer to determine and $k \in_R Z_{p-1}$. Therefore, the proxy signing key (for Peter) can be computed as

$$\sigma_p = a \cdot h(W, K, v_a, v_p) + k \bmod (p-1). \tag{10}$$

This can be justified as follows (we denote $e = h(W, K, v_a, v_p)$):

$$v_a^{e} \cdot K \cdot v_p^{K} \pmod p \equiv v_p^{(-K/e)e} \cdot g^{ae} \cdot g^{k} \cdot v_p^{K} \pmod p \quad \text{(by Eq.(9))}$$

$$\equiv g^{ae+k} \pmod p \equiv g^{\sigma_p} \pmod p \quad \text{(by Eq.(10))}$$

It is interesting to note that the problem raised in Eq.(9) seems to be more difficult than that given in Eq.(8); the reason is simply the inclusion of a one-way hash function in Eq.(9). Thus, the above forgery fails to work.

Attack 3. Another scenario of forgery attack is that an attacker, in the role of a proxy signer, may intend to forge a proxy signing key at the cost of having her usual private key unknown. Suppose that an attacker, say Alice with public key $v_a$, wishes to forge a proxy signing key. Alice needs to compute $v_a$, $K$, and $\sigma_a$ such that $g^{\sigma_a} \equiv v_o^{h(W,K,v_o,v_a)} \cdot K \cdot v_a^{K} \pmod p$. One possibility is to let $v_a = v_o^{a} \cdot g^{b} \bmod p$ and $K = v_o^{c} \cdot g^{d} \bmod p$ where $a$, $b$, $c$, and $d$ are integers to determine. Therefore, the proxy signing key (for Alice) can be computed as

$$\sigma_a = s_o \cdot (h(W, K, v_o, v_a) + a \cdot K + c) + (b \cdot K + d) \bmod (p-1).$$

Since $s_o$ is unknown to Alice, the following approach shall be a reasonable setting to forge $\sigma_a$:

$$\begin{cases} h(W, K, v_o, v_a) + a \cdot K + c \equiv 0 \pmod{p-1} \\ b \cdot K + d \equiv \sigma_a \pmod{p-1} \end{cases} \tag{11}$$

It is infeasible to select $a$, $c$, and $d$ first (now $K$ is determined) and try to compute $v_a$ to satisfy Eq.(11); the reason is simply the inclusion of a one-way hash function in Eq.(11). Furthermore, even if a possible $v_a$ is obtained, the attacker needs to compute $b$ in order to obtain the forged proxy signing key $\sigma_a$. However, under this situation, to solve for $b$ from $v_a = v_o^{a} \cdot g^{b} \bmod p$ is equivalent to solving the discrete logarithm problem. Finally, if the attacker lets all $\{a, b, c, d\} \in_R Z_{p-1}$, then it is believed that Eq.(11) will be true with only a negligibly small probability.

3 Remark on the Mambo-Usuda-Okamoto proxy signature

In Mambo's paper [4], a cryptanalysis on their scheme was considered in which it was claimed that a proxy signer could forge another proxy signing key. Therefore, cheating conducted by a proxy signer is possible. In this section, it will be shown that the reported attack in Mambo's paper is not practical (and not really correct) and a simple countermeasure can be easily developed.

3.1 Brief review of the Mambo-Usuda-Okamoto scheme

The original signer and the proxy signer select $s_o$ and $s_p$ as their private keys, respectively. The corresponding public keys are $v_o = g^{s_o} \bmod p$ and $v_p = g^{s_p} \bmod p$ where $p$ is a large prime and $g$ is a primitive root modulo $p$. The Mambo-Usuda-Okamoto scheme is reviewed in the following.

Step 1: The original signer computes $K = g^{k} \bmod p$ where $k \in_R Z_{p-1}$. Then, the proxy signing key $\sigma = s_o + k \cdot K \bmod (p-1)$ is computed. The original signer sends $\{\sigma, K\}$, called the proxy certificate, to the proxy signer through a secure channel.

Step 2: The proxy signer checks the validity of the proxy certificate by computing

$$g^{\sigma} \stackrel{?}{\equiv} v_o \cdot K^{K} \pmod p.$$

If it holds, $\sigma$ is treated as the proxy signing key and the corresponding public key for signature verification is $v_p' = g^{\sigma} \bmod p$.

Step 3: When required, the proxy signer can sign on behalf of the original signer by using any existing discrete logarithm based signature scheme. Now, $\{M, Sign_{\sigma}(M), K\}$ are sent as the complete signature for message $M$ where $Sign_{\sigma}(M)$ means the usual signature using $\sigma$ as the signing key.

Step 4: The signature verifier/receiver first computes the signature verifying key $v_p' = v_o \cdot K^{K} \bmod p$, then checks the correctness (validity) of the signature $Sign_{\sigma}(M)$ in the usual approach.

3.2 Remarks on a forgery attack

The following forgery attack was considered in [4]. In the attack, a proxy signer holding a proxy certificate $\{\sigma, K\}$ (with a corresponding public key $v_o$) may intend to forge another valid proxy certificate $\{\tilde\sigma, \tilde K\}$ (with a corresponding public key $\tilde v_o$).

The forgery attack [4] works as follows. The proxy signer (attacker) selects a random number $u \in Z_{p-1}$ and computes $U = g^{u} \bmod p$. Then the attacker computes

$$\begin{cases} \tilde v_o = v_o^{U} \bmod p \\ \tilde K = K \cdot U \bmod p \\ \tilde\sigma = (\sigma + uK)U \bmod (p-1). \end{cases}$$

It was claimed that $\{\tilde\sigma, \tilde K\}$ would be a valid proxy certificate issued by some user with a corresponding public key $\tilde v_o$, simply because

$$g^{\tilde\sigma} \equiv g^{s_o U + (k+u)KU} \equiv \tilde v_o \cdot \tilde K^{\tilde K} \pmod p.$$

It can be easily verified that the above statement requires $\tilde K^{KU \bmod (p-1)} \equiv \tilde K^{\tilde K} \pmod p$ where $(\tilde K^{\tilde K} \bmod p) = (\tilde K^{KU \bmod p} \bmod p)$. The above equation can be described in an alternative way as

$$\tilde K^{KU \bmod (p-1)} \equiv \tilde K^{KU \bmod p} \pmod p. \tag{12}$$

However, for a very large prime number $p$ of the form $1 + 2q$ (where $q$ is also a large prime), it is easy to avoid the occurrence of Eq.(12).

For the trivial case of $KU < p-1$, it is evident that $(KU \bmod (p-1)) = (KU \bmod p)$. Therefore, $\tilde K^{KU \bmod (p-1)} \equiv \tilde K^{KU \bmod p} \pmod p$ is true for any $\tilde K$. It is also easy to verify the case of $KU = p-1$, in which $\tilde K^{0} \equiv \tilde K^{p-1} \pmod p$. However, it is easy to counteract the above forgery by setting $K \ge p/2$, so that the only possible value of $U$ to conduct the attack is one. Note that $U = 1$ implies $u = p-1$ since $g$ is a primitive root modulo $p$. Interestingly, the requirements of $U = 1$ and $u = p-1$ result in $\tilde v_o = v_o$, $\tilde K = K$, and $\tilde\sigma = \sigma$. So, no forgery is possible.

For the nontrivial case of $KU > p-1$, we first note from the following Lemma 1 that $KU \bmod (p-1) \ne KU \bmod p$.

Lemma 1. Given two nonzero integers $K$ and $U$ selected from $[1, p-1]$ and that $KU > p-1$. It results in that $KU \bmod (p-1)$ and $KU \bmod p$ are different.

Proof. Let $KU \bmod (p-1) = R_1$ and $KU \bmod p = R_2$. Therefore, $KU = t_1(p-1) + R_1$ and $KU = t_2 p + R_2$ for two existing integers $t_1$ and $t_2$. Note also that $KU \le (p-1)^2$ since both $K$ and $U$ are less than or equal to $p-1$. Suppose that $R_1 = R_2$, then it results in $t_1(p-1) = t_2 p$. Based on $KU > p-1$ and $t_1(p-1) = t_2 p$, it results in that $t_1 = np$ and $t_2 = n(p-1)$ for an integer $n \ge 1$. However, the substitution of $t_1$ and $t_2$ into the representation of $KU$ contradicts $KU \le (p-1)^2$. This proves that $KU \bmod (p-1) \ne KU \bmod p$. □

In this case, the requirement for a possible proxy certificate forgery is analyzed below. In the following discussions, it is assumed that $p$ $(= 1 + 2q)$ is a very large prime number and $q$ is also a large prime. Let the order of $\tilde K$ modulo $p$ be $r$. Denote $\delta = |KU \bmod (p-1) - KU \bmod p|$. It can be obtained from the following Lemma 2 that $\delta \le p-2$ if $KU > p-1$.

Lemma 2. Given any positive integer $x > p-1$, then $|x \bmod (p-1) - x \bmod p| \le p-2$ where $p$ is an integer greater than two.

Proof. Let $\delta = |x \bmod (p-1) - x \bmod p| = |x \bmod p - x \bmod (p-1)|$. To maximize $\delta$, it needs to maximize $(x \bmod p)$ and at the same time to minimize $(x \bmod (p-1))$. Suppose that $x \bmod p = p-1$, then $x = tp + (p-1) = (t+1)(p-1) + t$ for an existing integer $t \ge 1$. So, $x \bmod (p-1) = t$ and totally $\delta \le p-2$. □

It follows from Fermat's theorem [13] that $\tilde K^{KU \bmod (p-1)} \equiv \tilde K^{KU \bmod p} \pmod p$ is true if the order $r$ divides $\delta$, i.e., $r \mid \delta$. For $p = 1 + 2q$, the possible orders modulo $p$ are $\{1, 2, q, 2q\}$ and the numbers of elements with these listed orders are $\{1, 1, \phi(q), \phi(2q) = \phi(q)\}$, respectively.

We discard the two special cases of $\tilde K = 1$ of order 1 and $\tilde K = p-1$ of order 2 modulo $p$, simply because of their special form and because they are easy to prevent. For $\tilde K$ of order $2q = p-1$, it is impossible for $\tilde K^{KU \bmod (p-1)} \equiv \tilde K^{KU \bmod p} \pmod p$ to be true because $2q = p-1$ never divides $\delta$ (recall that $\delta \le p-2$ if $KU > p-1$). For the last case, $r = q$, the probability of finding a value $u$ (and therefore $U$) so that $q \mid \delta$ is negligibly small because $\delta$ will be a random integer over $[1, p-2] = [1, 2q-1]$. The only possibility for $q \mid \delta$ is when $\delta = q$.

This concludes our claim that the forgery attack reported in [4] is not practical and can be prevented easily.

4 Concluding remarks

In this paper, it is shown that the Sun-Hsieh nonrepudiable proxy signature scheme is not sound. A forgery attack is demonstrated in which the original signer can forge a valid proxy signing key and can sign messages on behalf of the proxy signer. We also give remarks on a forgery attack described in Mambo's paper on proxy signature. The attack is not practical and simple countermeasures are easy to develop.

5 Acknowledgments

This work was partly supported by the National Science Council of the Republic of China under contract NSC89-2213-E-008-049 and was partly sponsored by MOEA and supported by Institute for Information Industry, R.O.C.

References

[1] R.L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystem," Commun. of ACM, Vol.21, No.2, pp.120–126, 1978.
[2] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Inf. Theory, Vol.IT-31, No.4, pp.469–472, 1985.
[3] C.P. Schnorr, "Efficient identification and signatures for smart cards," Proc. of Crypto '89, Lecture Notes in Computer Science 435, Springer-Verlag, pp.239–252, 1990.
[4] M. Mambo, K. Usuda, E. Okamoto, "Proxy signatures: Delegation of the power to sign messages," IEICE Trans. Fundamentals, Vol.E79-A, No.9, pp.1338–1354, 1996.
[5] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," Information and Communications Security (ICICS '97), Lecture Notes in Computer Science 1334, Springer-Verlag, pp.223–232, 1997.
[6] K. Zhang, "Threshold proxy signature schemes," Proc. of 1997 Information Security Workshop, Japan, pp.191–197, Sept. 1997.
[7] N.Y. Lee, T. Hwang, and C.H. Wang, "On Zhang's nonrepudiable proxy signature scheme," Advances in Cryptology ASICCRYPT '98 (ACISP 98), Lecture Notes in Computer Science 1438, Springer-Verlag, pp.415–422, 1998.
[8] H.M. Sun and B.T. Hsieh, "Remarks on two nonrepudiable proxy signature schemes," Proc. of the 9th National Conference on Information Security, pp.241–246, 1999.
[9] H.M. Sun and B.J. Chen, "Time-stamped proxy signatures with traceable receivers," Proc. of the 9th National Conference on Information Security, pp.247–253, 1999.
[10] S.M. Yen, "Design and Computation of Public Key Cryptosystems," Ph.D. thesis, Department of Electrical Engineering, National Cheng Kung University, R.O.C., April 1994.
[11] R. Rivest, "The MD5 message digest algorithm," RFC 1321, Apr. 1992.
[12] FIPS 180-1, "Secure Hash Standard," NIST, US Department of Commerce, Washington D.C., April 1995.
[13] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of applied cryptography, CRC Press, 1997.
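The key-derivation check behind Sections 2.2 and 2.3, as an added example that is not code from the paper: it shows that the receiver's Eq.(2) accepts a key the original signer builds from Eq.(3) without ever using s_p, while the same K' no longer matches the key derived by Eq.(6). The toy safe prime, the use of SHA-256 as h(), the sample keys and warrant, and all function names are assumptions of this example.

```python
import hashlib

# Constructed toy parameters (assumption of this example): safe prime p = 1 + 2q.
P, Q = 2039, 1019
N = P - 1                                    # exponents are reduced modulo p - 1
# Smallest primitive root modulo P (an element of order 2q).
G = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)

def h(*parts):
    """One-way hash h() mapped into Z_{p-1}; SHA-256 is this example's choice."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def hash_e(W, K, v_o, v_p, enhanced):
    """e = h(W, K, v_p) in Section 2.1; e = h(W, K, v_o, v_p) in Section 2.3."""
    return h(W, K, v_o, v_p) if enhanced else h(W, K, v_p)

def verifying_key(W, K, v_o, v_p, enhanced):
    """Key the receiver derives in Step 4: Eq.(2), or Eq.(6) when enhanced."""
    bind = pow(v_p, K, P) if enhanced else v_p
    return pow(v_o, hash_e(W, K, v_o, v_p, enhanced), P) * K * bind % P

def delegate(s_o, k, W, v_o, v_p, enhanced):
    """Step 1, honest original signer: returns (sigma, K) of the certificate."""
    K = pow(G, k, P)
    return (s_o * hash_e(W, K, v_o, v_p, enhanced) + k) % N, K

def proxy_key(sigma, K, s_p, enhanced):
    """Step 2, honest proxy signer: Eq.(1), or Eq.(5) when enhanced."""
    return (sigma + s_p * (K if enhanced else 1)) % N

def forge_as_original_signer(s_o, k, W, v_o, v_p, enhanced):
    """Section 2.2: choose K' by Eq.(3); only s_o and public values are used."""
    K_f = pow(G, k, P) * pow(v_p, -1, P) % P
    return (s_o * hash_e(W, K_f, v_o, v_p, enhanced) + k) % N, K_f

def key_is_accepted(sigma_p, W, K, v_o, v_p, enhanced):
    """True when g^sigma_p equals the verifying key derived by the receiver."""
    return pow(G, sigma_p, P) == verifying_key(W, K, v_o, v_p, enhanced)

def demo():
    """Return {enhanced: (honest key accepted, forged key accepted)}."""
    s_o, s_p, k = 777, 5, 123                # constructed sample secrets
    W = "warrant: constructed sample"
    v_o, v_p = pow(G, s_o, P), pow(G, s_p, P)
    out = {}
    for enhanced in (False, True):
        sigma, K = delegate(s_o, k, W, v_o, v_p, enhanced)
        honest = proxy_key(sigma, K, s_p, enhanced)
        forged, K_f = forge_as_original_signer(s_o, k, W, v_o, v_p, enhanced)
        out[enhanced] = (key_is_accepted(honest, W, K, v_o, v_p, enhanced),
                         key_is_accepted(forged, W, K_f, v_o, v_p, enhanced))
    return out

if __name__ == "__main__":
    print(demo())
```

In the enhanced scheme the forged key is rejected here because the receiver multiplies by v_p^{K'} rather than v_p, so the factor v_p^{-1} hidden in K' no longer cancels; a matching K' would have to satisfy Eq.(8).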
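An exhaustive check of the Section 3.2 argument, added here as an example and not taken from the paper: for a constructed toy safe prime it tries the certificate forgery for every U, records delta = |KU mod (p-1) - KU mod p| and the order of the forged K, and counts accepted forgeries with and without the bound on K that leaves U = 1 as the only trivial case. The prime, the sample secret and all function names are assumptions of this example, and the two lemmas are only exercised over x = KU.

```python
# Constructed toy parameters: safe prime p = 1 + 2q, far too small for real use.
P, Q = 2039, 1019
N = P - 1
# Smallest primitive root modulo P (an element of order 2q).
G = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)

def order(x):
    """Multiplicative order of x modulo P; it divides p - 1 = 2q."""
    return next(r for r in (1, 2, Q, 2 * Q) if pow(x, r, P) == 1)

def certificate_valid(sigma, K, v_o):
    """Step 2 check of Section 3.1: g^sigma == v_o * K^K (mod p)."""
    return pow(G, sigma, P) == v_o * pow(K, K, P) % P

def pick_k(start, want_large_K):
    """First k >= start whose K = g^k mod p has (K >= p/2) == want_large_K."""
    return next(k for k in range(start, N)
                if (2 * pow(G, k, P) >= P) == want_large_K)

def analyse(s_o, k):
    """Try the Section 3.2 forgery for every U; record the outcome per U."""
    K, v_o = pow(G, k, P), pow(G, s_o, P)
    sigma = (s_o + k * K) % N                    # honest proxy certificate
    rows = []
    for u in range(1, P):                        # u = p - 1 gives U = 1
        U = pow(G, u, P)
        v_f, K_f = pow(v_o, U, P), K * U % P     # forged public key and K
        sigma_f = (sigma + u * K) * U % N        # forged proxy signing key
        rows.append({
            "U": U, "KU": K * U, "ord": order(K_f),
            "delta": abs(K * U % N - K * U % P),
            "valid": certificate_valid(sigma_f, K_f, v_f),
        })
    return K, rows

def summary(rows):
    """Count accepted forgeries by case, excluding the identity U = 1."""
    hits = [r for r in rows if r["valid"] and r["U"] != 1]
    return {
        "trivial (KU <= p-1)": sum(r["KU"] <= P - 1 for r in hits),
        "nontrivial (KU > p-1)": sum(r["KU"] > P - 1 for r in hits),
    }

if __name__ == "__main__":
    for large in (False, True):
        K, rows = analyse(s_o=777, k=pick_k(100, large))
        print(f"K={K} (K >= p/2: {large}) ->", summary(rows))
```

With a prime this small the case delta = q is not rare, so the nontrivial count need not be zero; the probability of hitting it shrinks as q grows.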
