Cryptanalysis of Li et al.’s Generalization of Proxy Signature Schemes
rant. However, Li et al.'s schemes are not secure. In the following section, Li et al.'s schemes are briefly reviewed. Section 3 is our cryptanalysis of Li et al.'s scheme. The final section is our conclusion.

2. Brief Review of Li et al.'s Schemes

Li et al.'s (t/n-t'/n') proxy signature scheme based on the discrete logarithm problem [7] is first reviewed. Their (t/n-t'/n') proxy signature scheme consists of three phases: the proxy share generation phase, the proxy signature generation phase, and the proxy signature verification phase.

In Li et al.'s (t/n-t'/n') proxy signature scheme, there are some system-wide parameters. The public parameters $p$ and $q$ are two large prime numbers such that $q \mid (p-1)$. The parameter $g$ is an element of order $q$ in $Z_p^*$. The public function $h(\cdot)$ is a secure one-way hash function. Let $G_O = \{U_{O,1}, U_{O,2}, \ldots, U_{O,n}\}$ denote the original group and $G_P = \{U_{P,1}, U_{P,2}, \ldots, U_{P,n'}\}$ denote the proxy group. There are two designated clerks, $C_O$ and $C_P$, for $G_O$ and $G_P$ respectively. Let $M_W$ denote a proxy warrant that records the identities of the original signers in $G_O$, the identities of the proxy signers in $G_P$, the parameters $(t, n)$ and $(t', n')$, and the valid delegation period. Each original signer $U_{O,i}$ randomly selects a private key $x_{O,i} \in Z_q^*$ and computes a certificated public key $y_{O,i} = g^{x_{O,i}} \bmod p$. Similarly, each proxy signer $U_{P,i}$ has a private key $x_{P,i} \in Z_q^*$ and a certificated public key $y_{P,i} = g^{x_{P,i}} \bmod p$.

Proxy share generation phase

Suppose that the original group $G_O$ wants to authorize $G_P$ as their proxy group satisfying the following requirements. At least $t$ original signers in $G_O$ must reach an agreement on the proxy authorization such that proxy signatures should be generated by the cooperation of $t'$ or more proxy signers in $G_P$. Without loss of generality, assume $D_O = \{U_{O,1}, U_{O,2}, \ldots, U_{O,T}\}$ is the group of the $T$ actual original signers with identities AOSID, where $t \le T \le n$. Each member $U_{O,i}$ in $D_O$ selects a random integer $R_{O,i} \in Z_q^*$, computes $k_{O,i} = g^{R_{O,i}} \bmod p$, and broadcasts $k_{O,i}$ to the other $T-1$ original signers in $D_O$ and the clerk $C_O$. After receiving all the other $k_{O,j}$'s, each $U_{O,i}$ in $D_O$ calculates

$$K = \prod_{i=1}^{T} k_{O,i} \bmod p \quad\text{and}\quad s_{O,i} = R_{O,i}K + x_{O,i}\,y_{O,i}\,h(M_W, K, \mathrm{AOSID}) \bmod q,$$

and sends $s_{O,i}$ to $C_O$. After receiving all of the $s_{O,i}$'s, $C_O$ computes $K = \prod_{i=1}^{T} k_{O,i} \bmod p$ and checks the correctness of $s_{O,i}$ by adopting the equation

$$g^{s_{O,i}} \equiv k_{O,i}^{K}\; y_{O,i}^{\,y_{O,i}h(M_W,K,\mathrm{AOSID})} \pmod p.$$

If all of the $s_{O,i}$'s are correct, $C_O$ computes

$$s_O = \sum_{i=1}^{T} s_{O,i} \bmod q.$$

Then $C_O$ broadcasts $(M_W, K, s_O, \mathrm{AOSID})$ to $G_P$. Each proxy signer $U_{P,i} \in G_P$ validates $(M_W, K, s_O, \mathrm{AOSID})$ by adopting the equation

$$g^{s_O} \equiv K^{K} \prod_{i=1}^{T} y_{O,i}^{\,y_{O,i}h(M_W,K,\mathrm{AOSID})} \pmod p.$$

Finally, each $U_{P,j}$ owns $s_O$ as her/his proxy share.

Proxy signature generation phase

Without loss of generality, assume $D_P = \{U_{P,1}, U_{P,2}, \ldots, U_{P,T'}\}$ is the group of the $T'$ actual proxy signers with identities APSID, where $t' \le T' \le n'$. Each actual proxy signer $U_{P,j}$ in $D_P$ selects a random integer $R'_{P,j} \in Z_q^*$ and calculates $k'_{P,j} = g^{R'_{P,j}} \bmod p$. Each $U_{P,j}$ in $D_P$ broadcasts $k'_{P,j}$ to the other $T'-1$ proxy signers and the designated clerk $C_P$. After receiving all $k'_{P,j}$'s, each $U_{P,j}$ in $D_P$ calculates $R = \prod_{j=1}^{T'} k'_{P,j} \bmod p$, finds $s_{P,j}$ satisfying the equation

$$s_{P,j} = R'_{P,j}R + \left(s_O (T')^{-1} + x_{P,j}\,y_{P,j}\right) h(M, R, \mathrm{APSID}) \bmod q,$$

and sends $s_{P,j}$ to the clerk $C_P$. After computing $R = \prod_{i=1}^{T'} k'_{P,i} \bmod p$, the clerk $C_P$ validates the correctness of all $s_{P,j}$'s by the equation

$$g^{s_{P,j}} = (k'_{P,j})^{R} \left( \left( K^{K} \prod_{i=1}^{T} y_{O,i}^{\,y_{O,i}h(M_W,K,\mathrm{AOSID})} \right)^{(T')^{-1}} y_{P,j}^{\,y_{P,j}} \right)^{h(M,R,\mathrm{APSID})} \bmod p.$$

Then the clerk $C_P$ computes $S = \sum_{j=1}^{T'} s_{P,j} \bmod q$. In other words,

$$S = \sum_{j=1}^{T'} \left( R\,R'_{P,j} + \left(s_O (T')^{-1} + x_{P,j}\,y_{P,j}\right) h(M, R, \mathrm{APSID}) \right) \bmod q = R \sum_{j=1}^{T'} R'_{P,j} + \left( s_O + \sum_{j=1}^{T'} x_{P,j}\,y_{P,j} \right) h(M, R, \mathrm{APSID}) \bmod q.$$

Finally, the proxy signature of the message $M$ is $(M_W, K, \mathrm{AOSID}, M, (R, S), \mathrm{APSID})$.

Proxy signature verification phase

To validate the proxy signature $(M_W, K, \mathrm{AOSID}, M, (R, S), \mathrm{APSID})$, any verifier first obtains the certificated public keys of the actual proxy signers and actual original signers according to AOSID and APSID from the proxy warrant $M_W$. Then the verifier adopts the equation

$$g^{S} \equiv R^{R} \left( K^{K} \prod_{i=1}^{T} y_{O,i}^{\,y_{O,i}h(M_W,K,\mathrm{AOSID})} \prod_{j=1}^{T'} y_{P,j}^{\,y_{P,j}} \right)^{h(M,R,\mathrm{APSID})} \pmod p$$

to validate the proxy signature $(M_W, K, \mathrm{AOSID}, M, (R, S), \mathrm{APSID})$.

3. Cryptanalysis of Li et al.'s Scheme

An attack on Li et al.'s (t/n-t'/n') proxy signature scheme is proposed. Suppose that an adversary, A, wants to forge proxy signatures generated by the group $D_P$ such that $G_P$ becomes his deputy. The adversary A first intercepts $s_O$ and a legal proxy signature $(M_W, K, \mathrm{AOSID}, M, (R, S), \mathrm{APSID})$ generated by $D_P$ on behalf of $G_O$.

First of all, the adversary A illegally authorizes the group $G_P$ as his agent. The adversary A randomly selects an integer $R_A \in Z_q^*$ and computes $K_A = g^{R_A} \bmod p$. Then A uses his secret key $x_A$ to generate $s'$ such that $s' = R_A K_A + x_A\,y_A\,h(M'_W, K_A, ID_A) \bmod q$, where $\mathrm{AOSID} = ID_A$ and $M'_W$ is an illegal proxy warrant. The adversary A computes $D = s' - s_O \bmod q$ and finds $S'$ such that $S' = D\,h(M, R, \mathrm{APSID}) + S \bmod q$. Finally A forges an illegal proxy signature $(M'_W, K_A, \mathrm{AOSID} = ID_A, M, (R, S'), \mathrm{APSID})$ that appears to be generated by the proxy group $G_P$ on behalf of A.

The following shows why the attack succeeds. In other words, the forged proxy signature $(M'_W, K_A, \mathrm{AOSID} = ID_A, M, (R, S'), \mathrm{APSID})$ can pass the verification equation

$$g^{S'} = R^{R} \left( K_A^{K_A}\; y_A^{\,y_A h(M'_W,K_A,ID_A)} \prod_{j=1}^{T'} y_{P,j}^{\,y_{P,j}} \right)^{h(M,R,\mathrm{APSID})} \bmod p.$$

$$\begin{aligned}
S' &\equiv D\,h(M, R, \mathrm{APSID}) + S \\
&\equiv (s' - s_O)\,h(M, R, \mathrm{APSID}) + S \\
&\equiv (s' - s_O)\,h(M, R, \mathrm{APSID}) + R \sum_{j=1}^{T'} R'_{P,j} + \left( s_O + \sum_{j=1}^{T'} y_{P,j}\,x_{P,j} \right) h(M, R, \mathrm{APSID}) \\
&\equiv R \sum_{j=1}^{T'} R'_{P,j} + \left( s' + \sum_{j=1}^{T'} y_{P,j}\,x_{P,j} \right) h(M, R, \mathrm{APSID}) \\
&\equiv R \sum_{j=1}^{T'} R'_{P,j} + \left( K_A R_A + y_A\,x_A\,h(M'_W, K_A, ID_A) + \sum_{j=1}^{T'} y_{P,j}\,x_{P,j} \right) h(M, R, \mathrm{APSID}) \pmod q.
\end{aligned}$$

4. Conclusions

An attack on Li et al.'s proxy signature schemes [7] is proposed to show that their schemes have a security problem. In our attack, an adversary intercepts the proxy share and a valid proxy signature generated by a proxy group on behalf of an original group. Then the adversary can forge a proxy signature that appears to be generated by the proxy group $G_P$ on behalf of the adversary.

References

[1] Hsu, Chien-Lung, Wu, Tzong-Sun, and Wu, Tzong-Chen, “New nonrepudiable threshold proxy signature scheme with known signers,” The Journal of Systems and Software, Vol. 58, pp. 119-124, 2001.
[2] Hwang, Min-Shiang, Lin, Iuon-Chang, and Lu, Jui-Lin Eric, “A secure nonrepudiable threshold proxy signature scheme with known signers,” INFORMATICA, Vol. 11, No. 2, 2000, pp. 137-144.
[3] Hwang, Shin-Jia, and Chen, Chiu-Chin, “A New Proxy Multi-Signature Scheme,” The 2001 International Workshop on Cryptology and Network Security, Taipei, Taiwan, R.O.C., Sep. 26-28, 2001, pp. 199-204.
[4] Hwang, Shin-Jia, and Chen, Chiu-Chin, “A New Multi-Proxy Multi-Signature Scheme,” 2001 National Computer Symposium: Information Security, Taipei, Taiwan, R.O.C., Dec. 20-21, 2001, pp. F019-F026. Also appears in Applied Mathematics and Computation.
[5] Hwang, Shin-Jia, and Chen, Chiu-Chin, “Cryptanalysis of Nonrepudiable Threshold Proxy Signature Schemes with Known Signers,” Journal of Informatica, Vol. 14, No. 2, 2003, pp. 205-212.
[6] Hwang, Shin-Jia, and Shi, Chi-Hwai, “A simple multi-proxy signature scheme,” Proceedings of the Tenth National Conference on Information Security, Taiwan, pp. 134-138, 2000.
[7] Li, Li-Hua, Tzeng, Shiang-Feng, and Hwang, Min-Shiang, “Generalization of proxy signature-based on discrete logarithms,” Computers & Security, Vol. 22, No. 3, pp. 245-255, 2003.
[8] Mambo, Masahiro, Usuda, Keisuke, and Okamoto, Eiji, “Proxy signatures: Delegation of the power to sign message,” IEICE Trans. Fundamentals, E79-A, 9, pp. 1338-1354, 1996.
[9] Mambo, Masahiro, Usuda, Keisuke, and Okamoto, Eiji, “Proxy signatures for delegation signing operation,” Proc. 3rd ACM Conference on Computer and Communication Security, pp. 48-57, 1996.
[10] Sun, Hung-Min, “On proxy (multi-) signature schemes,” 2000 International Computer Symposium, Chiayi, Taiwan, R.O.C., Dec. 6-8, 2000, pp. 65-72.
[11] Sun, Hung-Min, Lee, N.-Y., and Hwang, T., “Threshold proxy signatures,” IEE Proceedings - Computers & Digital Techniques, Vol. 146, No. 5, pp. 259-263, September 1999.
[12] Yi, L., Bai, G., and Xiao, G., “Proxy multi-signature scheme: A new type of proxy signature scheme,” Electronics Letters, Vol. 36, No. 6, pp. 527-528, 2000.
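The Section 3 forgery checked numerically against the Section 2 verification equation, as an added example that is not code from the paper. The toy group (p = 2039, q = 1019, g = 4), the SHA-256 stand-in for h, the string labels for warrants and identities, and all function names are assumptions made for illustration.

```python
import hashlib, random
P, Q, G = 2039, 1019, 4   # constructed toy group: q | p-1, g of order q in Z_p*

def h(*parts):            # h(.) modelled as SHA-256 reduced mod q (assumption)
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def proxy_share(keys, warrant, ids, rng):
    """Original signers [(x, y), ...] produce K and the proxy share s_O."""
    rs = [rng.randrange(1, Q) for _ in keys]
    K = pow(G, sum(rs), P)                       # K = prod k_{O,i} mod p
    e = h(warrant, K, ids)
    return K, sum(r * K + x * y * e for r, (x, y) in zip(rs, keys)) % Q

def proxy_sign(s_o, keys, msg, ids, rng):
    """Proxy signers [(x, y), ...] produce (R, S) on msg using share s_O."""
    rs = [rng.randrange(1, Q) for _ in keys]
    R = pow(G, sum(rs), P)                       # R = prod k'_{P,j} mod p
    e, t_inv = h(msg, R, ids), pow(len(keys), -1, Q)
    return R, sum(r * R + (s_o * t_inv + x * y) * e for r, (x, y) in zip(rs, keys)) % Q

def verify(warrant, K, o_ids, o_pubs, msg, R, S, p_ids, p_pubs):
    inner = pow(K, K, P)                         # verification equation of the scheme
    for y in o_pubs:
        inner = inner * pow(y, y * h(warrant, K, o_ids), P) % P
    for y in p_pubs:
        inner = inner * pow(y, y, P) % P
    return pow(G, S, P) == pow(R, R, P) * pow(inner, h(msg, R, p_ids), P) % P

def forge(s_o, R, S, msg, p_ids, x_a, y_a, bad_warrant, id_a, rng):
    """Section 3: uses only s_O, one valid (R, S), and the adversary's own key."""
    r_a = rng.randrange(1, Q)
    K_a = pow(G, r_a, P)
    s_prime = (r_a * K_a + x_a * y_a * h(bad_warrant, K_a, id_a)) % Q
    return K_a, ((s_prime - s_o) * h(msg, R, p_ids) + S) % Q   # S' = D*h + S

def demo(seed=1):
    rng = random.Random(seed)
    orig, prox = [keygen(rng) for _ in range(2)], [keygen(rng) for _ in range(3)]
    x_a, y_a = keygen(rng)                       # adversary A's own key pair
    o_pubs, p_pubs = [y for _, y in orig], [y for _, y in prox]
    K, s_o = proxy_share(orig, "MW", "AOSID", rng)
    R, S = proxy_sign(s_o, prox, "M", "APSID", rng)
    honest = verify("MW", K, "AOSID", o_pubs, "M", R, S, "APSID", p_pubs)
    K_a, S_f = forge(s_o, R, S, "M", "APSID", x_a, y_a, "MW'", "ID_A", rng)
    forged = verify("MW'", K_a, "ID_A", [y_a], "M", R, S_f, "APSID", p_pubs)
    return honest, forged
```

`demo()` returns a pair of booleans: whether the honest signature verifies, and whether the forged one verifies with A as the sole original signer. The forgery reuses R and touches no proxy signer's private key, which is the dependence on an exposed s_O that the derivation in Section 3 spells out.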