On Proxy Signatures with Forward-Secure and One-time Properties and their Applications in PKI

Academic year: 2021


National Chiao Tung University

Department of Computer Science and Information Engineering

Doctoral Dissertation

On Proxy Signatures with Forward-Secure and One-time

Properties and their Applications in PKI

Student: Ming-Hsin Chang (張明信)

Advisor: Dr. Yi-Shiung Yeh (葉義雄)

On Proxy Signatures with Forward-Secure and One-time

Properties and their Applications in PKI

Student: Ming-Hsin Chang (張明信)

Advisor: Dr. Yi-Shiung Yeh (葉義雄)

A Dissertation Submitted to the

Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science,

National Chiao Tung University, in Partial Fulfillment of the Requirements

for the Degree of Doctor of Philosophy

in

Computer Science and Information Engineering

March 2005

Hsinchu, Taiwan, Republic of China

On Proxy Signatures with Forward-Secure and One-time Properties and their Applications in PKI

Student: Ming-Hsin Chang (張明信)

Advisor: Dr. Yi-Shiung Yeh (葉義雄)

Doctoral Program, Department of Computer Science and Information Engineering, National Chiao Tung University

Chinese Abstract

As the Internet is increasingly used for business, the practical application of security mechanisms must move from the world of paper documents to the world of electronic documents. Digital signatures on electronic documents provide the function of a personal signature, but such signatures seldom consider signing on behalf of an organization, that is, proxy signing. The main goal of proxy signatures is to solve this problem without disclosing the proxy signer's private information, while still carrying the signing authority of the original signer. In fact, many proxy signature schemes have been proposed, but many of them cannot be used in real systems, because after the authors prove the security of a proposed scheme, other flaws are frequently discovered. Moreover, the proposed schemes cannot be used with existing signature methods. DSA and ECDSA are well-known signature methods with established security, so we propose a proxy signature based on DSA, which makes proxy signatures a feasible signing mechanism and addresses the problem of verifying the signer. Going a step further in practicality, a Public-Key Infrastructure (PKI) integrates cryptography and Certificate Authorities (CA) into an overall global network security architecture, and traditional proxy signature mechanisms can hardly be used within a PKI architecture. We design a new procedure according to the characteristics of PKI so that proxy signatures can be used within a PKI architecture and in real application systems, making proxy signatures more practical.

On the other hand, we develop a forward-secure proxy signature. It guarantees that even if the current signing private key and data are compromised, the security of earlier data is preserved. The method used must be simple, in particular requiring neither distribution of data nor protected storage mechanisms, so that key management costs are not increased. A further application is to the time-stamping of proxy signatures and to proxy time limits: the signer must use the key that is valid at that time, which provides an implicit time-stamp, and once the signing key has been updated beyond the permitted period, the signer's proxy capability is restricted. The advantage of one-time signature schemes is that signing and verification are very efficient, so they are suitable for smart cards with low computational power; Lamport invented the first digital signature based on one-way hash functions. However, if the message to be signed is long, the Lamport one-time signature requires a large amount of verification data and storage space; we improve this problem of large public keys and signature storage. We propose a new, efficient method for signing long messages, and we also develop a one-time proxy signature, making the Lamport one-time signature usable in real systems.

On Proxy Signatures with Forward-Secure and One-time

Properties and their Applications in PKI

Student: Ming-Hsin Chang

Advisor: Yi-Shiung Yeh

Department of Computer Science and Information Engineering

College of Electrical Engineering and Computer Science

National Chiao Tung University

ABSTRACT

As the Internet is used more and more for business, security mechanisms in the electronic world are needed to replace established practice in the paper-based world. While basic digital signature schemes provide most of the functionality of a personal signature, they are less than ideal for institutional or proxy purposes. A proxy signature scheme was introduced to solve this problem without revealing the secret information of the person who wants to delegate his digital signing power to someone else.

Most of the proposed schemes are theoretical research, and proxy signatures have not been put into practice in the field of cryptography. The Digital Signature Algorithm (DSA) and the Elliptic Curve DSA (ECDSA) are well known for their security properties. We develop a proxy signature based on DSA, which brings the proxy signature scheme closer to practical application. Moreover, PKIs (Public-Key Infrastructures) integrate digital certificates, public-key cryptography, and certificate authorities into a total worldwide network security architecture. A typical PKI makes little provision for the use of proxy signatures. We design a new procedure that lets PKIs adopt proxy signatures, making the proxy signature more applicable in practice.

On the other hand, we develop a forward-secure proxy signature scheme. It guarantees that the secret key material at present (or up to date) does not compromise the secrecy of earlier signatures or encrypted material; and this must be achieved in a simple way, in particular without requiring distribution or protected storage devices, and without increasing key management costs. The forward-secure proxy signature scheme can also be applied to proxy time limitation.

One-time signature generation and verification are very efficient, which makes them useful for chip cards where low computational complexity is required. Lamport first invented a one-time digital signature scheme based on one-way functions. However, the Lamport one-time scheme requires a large amount of space for the storage of authentic information if a large number of messages are signed. We improve the Lamport one-time signature with respect to the storage space for public keys and signed messages, and propose an efficient scheme for signing a long message. We also develop a one-time proxy signature scheme, which makes the Lamport one-time signature useful in practice.

Acknowledgements

This degree is the honour of my life, and I share this honour with the supervisors, colleagues, family and friends who helped me; I also thank them for their effort and forbearance. My deepest thanks go to my advisor, Professor 葉義雄, who with warmth showed the bearing of an elder, being both teacher and friend; during my studies his scholarship and character were my model. I especially thank my classmate 以德: because I studied while working I could not attend to everything, and it was his selfless help that let me complete the degree smoothly; he is a rare lifelong friend. I thank my employer, the Chunghwa Telecom Laboratories, for giving me the opportunity to study, and in particular Deputy Director 鄭伯順, Director 張光耀, Manager 張耿豪 and Dr. 謝東明 for their support and concern, which also drove my studies; during my work I was guided by Dr. 樊國楨, Dr. 盧登臨, Dr. 楊中皇 and other senior figures in the security field, to whom I am sincerely grateful. The thorough guidance and instruction of oral examination committee member Professor 張真誠 is the motto for my future scholarship and conduct; Professors 賴溪松, 謝續平, 蔡錫鈞, 雷欽隆 and 詹進科 gave sincere advice on my dissertation, words I must always keep in mind. I also share most of my honour with my wife 芬芳 and my two sons 伯仲 and 伯瑞; we have no wealth or rank, only this small distinction, as a token of my feelings. I sincerely thank my father-in-law and mother-in-law, who for many years looked after my family so that I could study with peace of mind, and I thank my brothers 西韻, 阿圖, 銘章, 有政 and 阿通 for their encouragement. To all the others I cannot name one by one, my thanks as well.

On Proxy Signatures with Forward-Secure and One-time

Properties and their Application in PKI

Contents

Chinese Abstract ...II

ABSTRACT... IV

Acknowledgements ... VI

LIST OF TABLES... XI

LIST OF FIGURES ...XII

CHAPTER 1 INTRODUCTION ...1

1.1. MOTIVATION...1

1.2. RELATED WORK...5

1.3. RESEARCH CONTRIBUTIONS...9

1.4. ABOUT THIS DISSERTATION...10

CHAPTER 2 PRELIMINARIES ... 11

2.1. DIGITAL SIGNATURE...11

2.2. PROXY SIGNATURE...13

2.2.1. Proxy signature background ...13

2.2.2. PROXY SIGNATURE REQUIREMENTS...15


2.2.4. Proxy signature protocol...18

2.2.5. Strong proxy signature ...20

2.3. FORWARD-SECURE SIGNATURE...23

2.3.1. Background of forward-secure proxy signature...23

2.3.2. Protocol of forward-secure signature ...24

2.4. LAMPORT ONE-TIME SIGNATURE...26

CHAPTER 3 PROXY SIGNATURE IN PUBLIC-KEY INFRASTRUCTURES (PKIS) ...30

3.1 PROXY-PROTECTED SCHEME...30

3.2. SECURITY ANALYSIS AND PERFORMANCE...35

3.3. APPLICATION ON THE ECDSA...38

3.3.1. Proxy-protected ECDSA ...38

3.3.2. Example demonstration ...41

3.4. APPLICATIONS ON PUBLIC KEY INFRASTRUCTURES (PKIS) ...47

3.4.1. PKI architecture...47

3.4.2. PKIX components...47

3.4.3. PKIX management functions...48

3.4.4. Proxy signature applied in PKIs ...51

CHAPTER 4 FORWARD-SECURE PROXY SIGNATURE ...54

4.1. FORWARD-SECURE PROXY SIGNATURE SCHEME...55


4.1.2. Correctness and conformance of the forward-secure proxy signature

scheme...61

4.1.3. Security analysis of the forward-secure proxy signature scheme ...63

4.1.4. Comparison...64

4.2. A VARIANT FORWARD-SECURE PROXY SIGNATURE...65

4.2.1. Protocol variant of forward-secure proxy signature...66

4.2.2. Correctness ...68

4.2.3. Conformance with properties of proxy signature...69

4.2.4. Security analysis ...70

CHAPTER 5 ONE-TIME SIGNATURE AND ITS APPLICATION TO PROXY SIGNATURE ...78

5.1. IMPROVING LAMPORT ONE-TIME SIGNATURE...78

5.1.1. Protocol of variant Lamport one-time signature ...79

5.1.2. Efficiency...82

5.2. MORE IMPROVING ON LAMPORT ONE-TIME SIGNATURE...84

5.2.1 THE DEFINITION OF LAMPORT-T SCHEME...84

5.2.2. SECURITY ANALYSIS AND EFFICIENCY...88

5.2.3. COMPARISON...92

5.3. ONE-TIME SIGNATURE SCHEME APPLIED ON PROXY SIGNATURE...94

5.4. DISCUSSION...96

6.1. CONCLUSION...98

6.2. FUTURE WORK...99

List of Tables

Table 3.1. The comparison of time complexity between proposed scheme

and DSA...38

Table 3.2. Points on the elliptic curve $x^3 + x + 6 \bmod 11$...46

Table 3.3. The multiples of generator G ...46

Table 4.1. The comparison of proxy signature schemes...65

Table 5.1. Comparison of the variant Lamport one-time signature scheme and Lamport one-time signature scheme ...84

Table 5.2. Comparison of the L(1) and L(t) with message n bits...87

Table 5.3. The iterations of the private keys of L(5)...91

Table 5.4. The comparison of variant L(t)s with message 320 bits ...92

Table 5.5. The comparison of Bos-Chaum scheme and L(t) with the message 160 bits ...93


List of Figures

Figure 3.1. The PKIX Architecture Model ...50

Figure 3.2 Proxy signer initialization in PKI ...53

Figure 3.3 Verification of proxy signature in PKI...53

Figure 4.1.1 The protocol of the forward-secure proxy signature scheme (1) ...59

Figure 4.1.2 The protocol of the forward-secure proxy signature scheme (2) ...60

Figure 4.2.1 The protocol of a variant forward-secure proxy signature (1) ...72

Figure 4.2.2 The protocol of a variant forward-secure proxy signature (2) ...73

Figure 4.3. The algorithm of forward-secure proxy key generation...74

Figure 4.4. The algorithm of forward-secure proxy acceptance...75

Figure 4.5 Forward-secure signature algorithm...76


Chapter 1 Introduction

1.1. Motivation

Since the Internet pervades business, security mechanisms in the electronic world are needed to replace the practice established in the paper-based world. Digital signatures were therefore invented as a counterpart of handwritten signatures. A digital signature not only provides proof of the authenticity of a document and its originator, as a handwritten signature does, but its properties are also widely used in security mechanisms such as integrity, authentication and non-repudiation.

While conventional digital signature schemes are able to provide most of the functionality of a personal signature, a conventional digital signature is not suitable for some practical applications: it is less than ideal for institutional or proxy purposes. In an institution, an institutional seal represents the institution and is used for signing on its behalf. A major difference between signing by hand and by seal is that a seal is transferable, which reduces costs.

Take the following scenario for example. Suppose that a manager of a company goes on holiday. He may hand over his company seal to his deputy to sign on behalf of the company. Nevertheless, the signatures presented to customers are the same as before and they can verify the signatures using the same process, i.e. the customers of the company are not affected. It would be economically infeasible for a big company to notify all its customers each time there is a personnel change in the company.

So far, no straightforward method of a transferable seal has been proposed. A proxy signature scheme was introduced to solve this problem without revealing the secret information of a person who wants to delegate his digital signing power to someone else. The main idea of a proxy signature scheme is that an original signer allows a designated person, called a proxy signer, to sign a message on behalf of the original signer. In recent years, many papers have been published on this matter. Strong proxy signature [LK99,LKK101] is one of these papers that makes the requirements of the proxy signature more complete.

Actually, most of the proposed schemes tend toward a theoretical approach and give less consideration to practice. When a new scheme is proposed, the authors always believe that their scheme will be sufficiently strong, secure, and unbreakable. In fact, all that the authors can do is demonstrate the scheme's strength against some known attacks; however, it often happens that a new attack is invented exactly against this scheme. Hence, a newly proposed scheme almost always suffers from some inborn weaknesses. To overcome this disadvantage, our proposed proxy signature scheme does not invent a new signature scheme, but rather combines existing mechanisms, the Digital Signature Algorithm (DSA) and Elliptic Curve DSA (ECDSA) [NIST00], which are well known for their security properties. Therefore, proxy signature schemes based on existing algorithms [LC03] are more practicable. Moreover, the scheme can be applied in PKIs [CF+03,AF99,BPH02,ANSI99], through which it can spread over the Internet.

On the other hand, although many cryptographic techniques in use today, whether only available in the literature or used in practice, are believed to be considerably secure, if secret information is revealed, either accidentally or via an attack, security is often compromised not only for subsequent uses of the secret but also for previously signed documents. That is, the greatest threat to the security of a digital signature scheme or a cryptographic method is exposure of the secret key. The problem is even worse in open environments such as the Internet, where every computer node is a potential victim of hackers, because we cannot trust any signature signed by this key, even a signature that was made before the key was compromised. Once a hacker gets the secret key, he can create a signature and claim it was signed before the time he obtained the key.

Take the following scenario for example. Suppose Alice is a notary public who has public key PK and uses a normal signature scheme without forward security. On January 1st, 2002, a client Bob brings Alice a document m and she notarizes the document by signing a signature δ. Bob expects to be able to use the document m for a long time. Unfortunately, Alice's secret key is compromised later, say on January 1st, 2003. She discovers the fact and revokes her public key. Now the notarized document m will no longer be accepted. The fact that m is dated "in the past" makes no

himself if Alice's secret key is no longer secure. This reduces the quality of the service that Alice, as a notary, can provide.

To deal with this problem, several different approaches have been proposed. Many people attempt to lower the chance of exposure of secrets by distributing them across several systems, usually through a secret-sharing method. Nevertheless, the cost of this method is usually extremely high and, as a matter of fact, too expensive to be implemented by a typical individual user. What is more, since each of the systems may be susceptible to the same attack, the actual risk may not decrease. Other ways of protecting against key exposure include the use of protected hardware or smartcards, but these are also costly and not suitable for ordinary people. The use of a trusted time-stamping service applied to the signature to validate its date of creation is also a solution, but it needs extra resources to provide the time-issuing service.

Forward security [AMN01,AR00,BM99,Kra00,BC+01] is a better way to reduce the damage. It guarantees that disclosure of the present secret key material does not compromise the secrecy of earlier signatures or encrypted material; and it must be achieved in a simple way, in particular without requiring distribution or protected storage devices, and without increasing key management costs. We extend the concept to proxy signatures as a forward-secure proxy signature [AR00] to give the system the forward-secure property.

In recent years, one-time signature schemes [Lam79,Rab79,WS96,Mer87,Sch00] have attracted more and more attention as an attractive alternative to traditional signature schemes based on public-key cryptography. One of the main advantages of one-time signature schemes is their reliance on one-way functions that can be implemented using fast hash functions such as the SHA series [NIST02]. The resulting signatures are an order of magnitude faster than signatures based on public-key cryptography when applied on resource-constrained small devices such as cell phones, pagers and smart cards. The other advantage of such a scheme is that it is generally quite fast. However, the scheme tends to become unwieldy when used to authenticate multiple messages, because additional data needs to be generated to both sign and verify each new message. By contrast, with a conventional signature scheme like RSA [RSA78], the same key pair can be used to authenticate multiple documents, which faces the threat of replay attacks.

We propose a new scheme that generalizes the Lamport one-time signature. The proposed scheme is thus a generalized Lamport one-time signature scheme and saves storage for the public key and reduces the size of the signature. Moreover, we propose an efficient solution for signing a long message, which makes the proposed scheme more practical. We also apply the proposed scheme to proxy signatures.
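As an added illustration (not part of the dissertation), the following Python code implements the Lamport one-time signature [Lam79] over SHA-256 and quantifies the storage cost the paragraphs above refer to: 2n authentic public values per key pair and n revealed preimages per signature for an n-bit digest, multiplied by the number of messages to be signed. The constants (n = 256, 32-byte elements), the one-time guard and the sample message are constructed for this example.

```python
"""Lamport one-time signature over SHA-256 with storage accounting.
Added example; the parameters and messages are constructed, not from the text."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

N_BITS = 256    # digest length n: one (x_i^0, x_i^1) pair per message bit
ELEM_LEN = 32   # byte length of every secret and public element


def H(data: bytes) -> bytes:
    """The one-way function f(); SHA-256 here."""
    return hashlib.sha256(data).digest()


def message_bits(m: bytes) -> list[int]:
    """Bits of h(m), most significant first; bit i selects key-pair position i."""
    d = int.from_bytes(H(m), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


@dataclass
class LamportKeyPair:
    sk: list[tuple[bytes, bytes]]   # sk[i] = (x_i^0, x_i^1): random preimages
    pk: list[tuple[bytes, bytes]]   # pk[i] = (f(x_i^0), f(x_i^1)): published


def keygen() -> LamportKeyPair:
    sk = [(secrets.token_bytes(ELEM_LEN), secrets.token_bytes(ELEM_LEN))
          for _ in range(N_BITS)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return LamportKeyPair(sk, pk)


def sign(sk: list[tuple[bytes, bytes]], m: bytes) -> list[bytes]:
    """Reveal, for each bit b_i of h(m), the preimage x_i^{b_i}."""
    return [sk[i][b] for i, b in enumerate(message_bits(m))]


def verify(pk: list[tuple[bytes, bytes]], m: bytes, sig: list[bytes]) -> bool:
    """Accept iff every revealed element hashes to the published value
    selected by the corresponding bit of h(m)."""
    if len(sig) != N_BITS:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(message_bits(m)))


class OneTimeSigner:
    """Enforces the one-time property: a second message under the same key
    would reveal preimages for both values of some bits, so refuse it."""

    def __init__(self) -> None:
        self.keys = keygen()
        self.used = False

    def can_sign(self) -> bool:
        return not self.used

    def sign(self, m: bytes) -> list[bytes]:
        if self.used:
            raise RuntimeError("Lamport key already used; generate a new key pair")
        self.used = True
        return sign(self.keys.sk, m)


def storage_bytes(n_bits: int = N_BITS, elem_len: int = ELEM_LEN,
                  n_messages: int = 1) -> dict[str, int]:
    """Authentic data that must be published/held for n_messages messages:
    2n public elements per key pair; each signature carries n preimages."""
    return {
        "public_key": 2 * n_bits * elem_len * n_messages,
        "private_key": 2 * n_bits * elem_len * n_messages,
        "signature": n_bits * elem_len,
    }


if __name__ == "__main__":
    kp = keygen()
    sig = sign(kp.sk, b"constructed sample message")
    print("valid:", verify(kp.pk, b"constructed sample message", sig))
    print("storage for 1000 messages:", storage_bytes(n_messages=1000))
```

For n = 256 a single public key is 16 KB and a signature 8 KB, and the public-key figure scales linearly with the number of messages, which is the storage problem the generalized scheme addresses.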

1.2. Related Work


schemes have been proposed. Mambo, Usuda and Okamoto first proposed a proxy signature scheme (the MUO scheme) [MUO196,MUO296] based on discrete logarithms [ElG85] for partial delegation of signing capability. However, the MUO scheme does not provide non-repudiation of proxy signatures [Zha97,Sun99]. Non-repudiation means that signers, both the original signer and proxy signers, cannot later falsely deny having generated a signature. In practice it is important, and sometimes necessary, to be able to know who the actual signer of a proxy signature is, for auditing purposes or when signing capability is abused. Thus some papers propose non-repudiable proxy signature schemes [HWW01,LHW98,LKK201,Sun99,Zha97], meaning that the signers, both original and proxy signers, cannot later disavow having generated a signature. This property is necessary in later proxy signature schemes.

In mobile communication [LKK301,KB+01,ZW+04], a proxy signature can be used by a mobile agent, which can be applied in electronic commerce. In a mobile agent system applying proxy signatures, a customer, representing an original signer, generates a delegation key pair and loads this key pair and other constraints into the mobile agent. Mobile agents are autonomous software entities that are able to migrate across different execution environments. Mobility and autonomy make permanent connections unnecessary, so mobile agents are suitable for heterogeneous environments. The non-repudiation property is considered in mobile communication

generated the signature. Therefore a dispute between the original signer and the proxy signer may arise.

In some group-oriented applications it is often desirable to share the signing capability among the signers of a proxy group rather than a single proxy signer, so that a group delegated by the original signer can sign documents under the company's security policy. Thus multi-proxy signature schemes [CCH03,Son01,YBX00] and threshold proxy signature schemes [SLH99,Sun99,Zha97,KPW97] have been proposed to solve these problems. Threshold proxy signature schemes come from threshold cryptography. The idea of threshold cryptography is to protect information by fault-tolerantly distributing it among a cluster of cooperating computers, and to diminish the risk of attack by adaptive attackers, who can corrupt parties running protocols at any time during a run and have the ability to combine information compromised from different parties.

Some threshold proxy signature schemes have the property of non-repudiation with known signers [Sun99,ElG85]. Through this property, a verifier not only can prove that a proxy signature is valid but can also identify the actual proxy signers in the group who signed it. As a result, the signers who did sign the message on behalf of the proxy group cannot deny their participation in signing the message.

In order to declare the valid delegation period, most proxy signature schemes use a warrant that appears in the signature verification equation. But the declaration in the warrant may be useless, because the proxy signer can still create a proxy signature and claim that it was made during the delegation period even after the delegation period has expired. Time-stamped proxy signature schemes with traceable receivers [Sun00,HS97] can make sure whether a proxy signature was created during the delegation period, and can trace the receivers who did receive proxy signatures from the proxy signer.

Proxy signature schemes should be designed carefully so that the proxy key pair cannot be used for other purposes; hence the strong proxy signature [LK99,LKK101,LKK201,LKK301] is needed for undeniability with respect to the original signer. A strong proxy signature represents both the original signer's and the proxy signer's signatures. Once a proxy signer creates a valid proxy signature, he cannot repudiate his signature creation against anyone.

The elliptic curve cryptosystem (ECC) [Men93,MVS96] is constructed from integer points on elliptic curves over finite fields. ECC can reach the same level of security as DSA or RSA but provides greater efficiency than either discrete logarithm [LTH03] or factorization systems. Therefore, proxy signatures based on elliptic curves are more efficient than others.

Furthermore, other papers have proposed variants of proxy signature, such as blind proxy signature schemes [SH04,LA03,Cha83,MEE00], in which a proxy is able to make a proxy blind signature that can be verified in a way similar to a proxy signature scheme. Generalizations of proxy signature [HTT04,LTH03] have been proposed that can be applied to every proxy situation. The novel scheme allows a group of original signers to delegate their signing capacity to a designated proxy group.


1.3. Research Contributions

The Digital Signature Algorithm (DSA) and Elliptic Curve DSA (ECDSA) [NIST00] are well known for their security properties, which meet the properties required of a proxy signature. Our proposed proxy signature scheme combines these existing mechanisms. We believe that the resulting scheme is sufficiently strong, secure, and unbreakable. Moreover, we develop a registration procedure in PKIs that brings proxy signatures into practice.

Using proxy signatures makes delegation of signing ability possible, and the forward-secure property makes digital signatures much more robust than common ones. Because proxy signature schemes involve more participants than an ordinary signature scheme, an original signer and a group of proxy signers, they need to be made stronger. Thus it is worthwhile to combine proxy signatures with the forward-secure property, which also implies a time limitation.

The Lamport one-time signature scheme is quite elegant, but it is not practical. One problem is the size of the signature it produces. We propose a general Lamport one-time signature scheme, called the Lamport-t scheme, in which the sizes of the signature and of the public key are greatly reduced, making the Lamport one-time signature scheme practical. Moreover, we apply it to proxy signatures as a one-time proxy signature scheme.


1.4. About this Dissertation

This dissertation first explains its scope. Then, in chapter 2, we give fundamental information about digital signatures, (strong) proxy signatures and the forward-secure property. In chapter 3, we propose a new proxy signature and apply it in PKIs. In chapter 4, we provide a forward-secure proxy signature scheme and its applications to the non-repudiation property. In chapter 5, we present an enhanced one-time signature and its application to proxy signatures. Finally, we conclude in chapter 6.


Chapter 2 Preliminaries

In this chapter, we briefly describe the cryptographic systems used in this dissertation: digital signatures, proxy signatures, one-time signatures and the forward-secure property. In addition, we mention some extended concepts related to proxy signatures, one-time signatures and the forward-secure property. Based on these basic concepts, we propose novel schemes or improve existing ones.

2.1. Digital Signature

The concept of a digital signature was recognized several years before any practical approach was available. A digital signature is created to replace the real hand-written signature in the electronic world. A digital signature scheme is a method of signing a message stored in an electronic form. As such, a signed message can be transmitted over a computer network. The first method discovered was the RSA signature scheme [RSA78], which remains today one of the most practical and versatile techniques available. Subsequent research has resulted in many alternative digital signature techniques.

secret known only to the signer and the content of the message being signed. In practical implementations, a one-way hash function is often combined with it to increase efficiency.

A digital signature must have many characteristics. We list some of them [Sch00] in the following:

• The signature is authentic: the signature convinces the document's recipient that the signer deliberately signed the document.

• The signature is unforgeable: the signature proves that the signer did sign the document, and no one else can create the signature on behalf of this signer.

• The signed document is unalterable: after the document is signed, it cannot be altered.

• The signature cannot be repudiated: once the signer has signed, he cannot later claim that he didn't sign it.

• The signature must be verifiable: if a dispute arises as to whether a party signed a document, an unbiased third party should be able to resolve the matter equitably, without requiring access to the signer's secret information (private key).


2.2. Proxy Signature

2.2.1. Proxy signature background

Proxy signatures are signature schemes in which an original signer delegates his signing capability to a proxy signer, and the proxy signer then creates a digital proxy signature on behalf of the original signer.

According to the proxy signatures of Mambo et al. [MUO196,MUO296], there are three types of delegation: full delegation, partial delegation and delegation by warrant. For security reasons, full delegation is rarely used.

(i) Full delegation: In full delegation, a proxy signer is given the same secret s that an original signer has. Because of full delegation, the proxy signature created by this proxy signer is indistinguishable from the signature created by the original signer.

(ii) Partial delegation: In partial delegation, a new secret σ is computed from the secret s of an original signer, and σ is given to a proxy signer in a secure way. As a security requirement, s should not be computable from σ. Moreover, there are two types of signature scheme for partial delegation.


signer also can create a valid proxy signature. But the third parties who are not designated as a proxy signer cannot create a valid proxy signature of the proxy signer.

(2) Proxy-protected proxy signature: Only designated proxy signer can create a valid proxy signature for the original signer. The third parties and even the original signer cannot create a valid proxy signature of the proxy signer.

(iii) Delegation by warrant: This kind of delegation is implemented by using a warrant $m_w$ [LK99,Neu93], which certifies that the designated proxy signer is exactly the signer to be entrusted. Delegation by warrant is performed by consecutive executions of the signing operation of the public key signature scheme, which is time-consuming. But it is appropriate for restricting the documents to be signed, e.g. a warrant can state the valid time. In addition, there are two types of scheme for this approach.

(1) Delegate proxy: In this type, an original signer signs a document declaring that some person, say Bob, is designated as proxy signer, under the original signer's secret key by an ordinary signature scheme. The created warrant is given to Bob.

(2) Bearer proxy: In this type, a warrant is composed of a message part and the original signer's signature on a newly generated public key. The secret key for the newly generated public key is given to Bob in a secure way.


In partial delegation, we can classify proxy signature schemes into designated and non-designated proxy signature schemes according to whether the original signer designates a proxy signer in the proxy key generation phase.

(1) Designated proxy signature: In this scheme the original signer specifies the identity of a proxy signer in the form of a warrant during proxy generation.

(2) Non-designated proxy signature: In this scheme the original signer does not specify a proxy signer in the proxy generation phase. Instead she can specify the set of allowed proxy signers or the allowed message space.

2.2.2. Proxy signature requirements

The basic constructions of [MUO196] and [MUO296] do not satisfy the strong undeniability property, i.e. the proxy signer can repudiate the fact that he has created the proxy signature, since the proxy key pair does not contain any authentic information of the proxy signer. Accordingly, they classify proxy signature schemes into strong and weak ones according to the undeniability property. A strong proxy signature represents both the original signer's and the proxy signer's signatures, while a weak proxy signature represents only the original signer's signature.

There are some requirements to which strong proxy signatures must conform: verifiability, strong unforgeability, strong identifiability and strong undeniability.


R1 - Verifiability: From a proxy signature, a verifier can be convinced of the original signer's agreement on the signed message, either in a self-authenticating form or in an interactive form.

R2 - Strong unforgeability: A designated proxy signer can create a valid proxy signature for the original signer. But the original signer and other third parties who are not designated as a proxy signer cannot create a valid proxy signature.

R3 - Strong identifiability: Anyone can determine the identity of the corresponding proxy signer from a proxy signature.

R4 - Strong undeniability: Once a proxy signer creates a valid proxy signature for an original signer, he cannot repudiate his signature creation against anyone.

(Note: The requirement R3 is an explicit authentication in which the authenticator can verify the identity of the proxy signer in this thesis.)

Besides, to avoid disputes, it is sometimes necessary to identify the actual signer who generated the proxy signature. This property is called non-repudiation. Hence a proxy signature scheme with the non-repudiation property is what we need.

2.2.3. Proxy signature model


conform to requirement R1 to R4 mentioned above.

In general, there are four phases in a proxy signature scheme: the proxy generation and delivery phase, the proxy verification and proxy key generation phase, the proxy signature signing phase and the verification of the proxy signature.

(i) Proxy generation and delivery phase: An original signer generates the proxy secret and sends it to a proxy signer in a secure way.

(ii) Proxy verification and proxy key generation phase: The proxy signer checks whether the proxy secret really comes from the original signer. If the proxy-protected scheme is used, the proxy secret that the original signer gives to the proxy signer also needs to be converted into a proxy key; otherwise the proxy secret is the proxy key.

(iii) Proxy signature signing phase: The proxy signer signs a proxy signature on the document.

(iv) Verification of the proxy signature phase: The receiver gets the proxy signature and verifies its correctness.

The proxy signature schemes provided in this dissertation also use these four phases. Besides, we add another phase, the "proxy key updating phase", introduced in our forward-secure proxy signature scheme because of the required forward-security property.


2.2.4. Proxy signature protocol

The basic MUO scheme [MUO196,MUO296] is a proxy-unprotected signature scheme, which includes four phases - proxy generation and proxy delivery, proxy verification, proxy signature signing and verification of the proxy signature. The notations are as follows:

O        An original signer.
P        A proxy signer.
V        A verifier.
p, q     Two large primes with q | (p−1).
g        An element of order q in $Z_p^*$.
h( )     A one-way hash function.
$x_u$    The secret key of user u.
$y_u$    The public key of user u.
m        A message to be signed.
A→B      A sends a message to B.

The original signer has a key pair $(x_A, y_A)$. The scheme uses the following protocol.

(Proxy generation and delivery)

An original signer O selects a random $k_0$, computes $K_A$ and sets the proxy key $s_A$. Then, he sends $(s_A, K_A)$ to a designated proxy signer P in a secure way.

O: Select a random $k_0$ ($1 \le k_0 \le p-1$).
   Compute $K_A = g^{k_0} \bmod p$.
   Set $s_A = x_A + k_0 K_A \bmod q$ as a proxy key.
O→P: $(s_A, K_A)$ in a secure way.

(Proxy verification and proxy key generation)

The proxy signer checks the validity of $(s_A, K_A)$ and sets $s_A$ as the proxy key.

P: Accept the delegation if and only if $g^{s_A} = y_A K_A^{K_A} \bmod p$.

(Proxy signature signing)

The proxy signer P, using $s_A$ in place of $x_A$, signs the message m on behalf of the original signer O. P executes the ordinary signing operation $S(s_A, m)$; thus $(S(s_A, m), K_A)$ is the proxy signature.

P: Sign the message m, producing $S(s_A, m)$.

(Verification of the proxy signature)

The verification of the proxy signature is similar to the verification of an ordinary signature, by executing the verification $V(S(s_A, m),\, y_A K_A^{K_A})$.

V: Compute the proxy public key $y_A K_A^{K_A} \bmod p$, for which $g^{s_A} = y_A K_A^{K_A} \bmod p$. Execute $V(S(s_A, m),\, y_A K_A^{K_A})$.

the proxy signs such that the original signer can forge a proxy signature.

2.2.5. Strong proxy signature

Lee et al. [LK99] first proposed the concept of the strong proxy signature. In their view, the four basic requirements R1 to R4, i.e. verifiability, strong unforgeability, strong identifiability and strong undeniability, are not enough, because a proxy signer may maliciously sign documents or even give his proxy key pair to other people. The strong proxy signature therefore adds the following requirement:

R5 - Prevention of misuse: it should be assured that the proxy key is used only for creating proxy signatures conforming to the delegation information (e.g. the conditions specified in $m_w$). The proxy key pair cannot be used for other purposes. In case of any misuse of the proxy key pair, the responsibility of the proxy signer should be determined explicitly.

In the strong proxy signature, once a proxy signer creates a valid proxy signature, he cannot repudiate its creation against anyone. If a proxy signer creates a signature conforming to $m_w$, then the original signer is responsible for it, too. Namely, the

for m.

The strong proxy signature scheme in [LK99] is discrete-logarithm based as well. Therefore, the mathematical model and symbols are similar to those in section 2.2.4: $(x_A, y_A)$ and $(x_B, y_B)$ are the original signer's key pair and the proxy signer's key pair respectively. In addition, it was proposed as a partial delegation with warrant proxy signature scheme, so a warrant $m_w$ also appears in this scheme.

The strong proxy signature scheme proposed by Lee et al. [LK99] is as follows:

(Proxy generation and delivery)

An original signer O generates a random number $k_A$. After that, she computes $r_A \equiv g^{k_A} \pmod p$ and $s_A \equiv x_A h(m_w, r_A) + k_A \pmod{p-1}$. The warrant $m_w$ should state application-dependent delegation information clearly, such as the qualification of the proxy signer and the allowed message content. Then, the original signer gives $(r_A, s_A, m_w)$ to a proxy signer P secretly.

O: Select a random $k_A$ ($1 \le k_A \le p-1$).
   Compute $r_A = g^{k_A} \bmod p$.
   Set $s_A \equiv x_A h(m_w, r_A) + k_A \pmod{p-1}$ as a proxy key.
O→P: $(r_A, s_A, m_w)$ in a secure way.

(Proxy verification and proxy key generation)

Bob checks the validity of the following equation:
$g^{s_A} \stackrel{?}{\equiv} y_A^{h(m_w, r_A)}\, r_A \pmod p$.

If the check passes, the proxy signer uses $s_A$ to generate his own proxy key as
$x_P \equiv x_B + s_A \pmod q$,
and the implicit proxy public key is
$y_P \equiv g^{x_P} \equiv y_A^{h(m_w, r_A)}\, r_A\, y_B \pmod p$.

As the proxy signer qualification is stated in $m_w$ explicitly, $(r_A, s_A, m_w)$ can be exposed to a set of possible proxy signers in the proxy delivery stage. Only a qualified person can be a proxy signer.

(Proxy signature signing)

If a document m conforms to the message qualification stated in $m_w$, the proxy signer can use $x_P$ as a private key to create a signature $\xi$ on behalf of the original signer. Then, $(m, \xi, m_w, y_A, y_B, r_A)$ is a valid proxy signature.

(Verification of the proxy signature)

First, a verifier computes the proxy public key as $y_P' \equiv y_A^{h(m_w, r_A)}\, r_A\, y_B \pmod p$ using $(m_w, y_A, y_B, r_A)$. Using $y_P'$, the verifier checks the validity of the proxy signature as $V(m, \xi, y_P') \stackrel{?}{=} \text{true}$.

Right after that, the verifier checks the conformance of the proxy signature to the

2.3. Forward-Secure Signature

Ross Anderson suggested the idea of a digital signature scheme with forward security in an invited lecture at the ACM CCS conference [And99]. The term "forward secrecy" was first used in the context of session key exchange protocols by Bellare and Miner [BM99]. The basic idea is that compromise of long-term keys does not compromise past session keys, meaning that past actions are protected in some way against the loss of the current key. Furthermore, the core of forward-secure digital signature schemes is the key updating method.

2.3.1. Background of forward-secure proxy signature

Initially, a user registers a public key PK and keeps private the corresponding secret key, denoted $SK_0$. The index "0" means the base secret key. The total time T is divided into t periods. While the public key stays the same over the whole time T, the user evolves the secret key from period to period. When period i begins, the user applies a function to $SK_{i-1}$, the secret key of the previous period, to generate $SK_i$, and right after that deletes the previous secret key $SK_{i-1}$.

The function used for updating should be a one-way function, whose feature is that the output is easy to compute from the input, but it is almost impossible to calculate the input from the output without any additional information. Hence, the user produces signatures with a different signing key, $SK_i$, in each period i.

The public key stays fixed throughout, so that the signature verification process is unchanged. In addition, the public key certification and management processes are unaltered, too.

2.3.2. Protocol of forward-secure signature

A forward-secure digital signature scheme is a kind of digital signature scheme and contains four phases: a key generation phase, a key update phase, a signature signing phase and a verification phase. The key update phase comes from the concept of key-evolving schemes: the duration of operation is divided into several periods with a different secret key for each period, and the update creates the key for the current period. We apply the Abdalla-Reyzin forward-secure digital signature scheme [AR00] to our proposed scheme, so we first briefly describe it.

Let $p_1$ and $p_2$ be two primes of approximately equal size with $p_1 \equiv p_2 \equiv 3 \pmod 4$ and $N = p_1 p_2$. The number N is a k-bit integer called a Blum integer [Sti02]. The parameter v is a security parameter. Assume that the valid duration for signatures is divided into several periods, numbered 1, …, t. The function h is a one-way hash function. The Abdalla-Reyzin forward-secure digital signature scheme includes four phases - key generation, key update, signature signing, and verification - which we describe as follows:

(Key generation)

To generate a key pair, a signer does the following steps:

Step 1. Select a random $s_0 \in Z_N^*$ as the private key.
Step 2. Compute the corresponding public key $u = 1 / s_0^{2^{v(t+1)}} \bmod N$.

The original signer's key pair is $(s_0, u)$. The suffix '0' of the private key $s_0$ indicates the base state of a key-evolving scheme.

(Key update)

At the current period j, the signer updates the private key from $s_{j-1}$ to $s_j$ by $s_j = (s_{j-1})^{2^v} \bmod N$. Note that the suffix denotes the current period.

(Signature signing)

At the current period j, the signer selects a message M to sign and executes the following steps:

Step 1. Select a random $k \in Z_N^*$.
Step 2. Compute $r = k^{2^{v(t+1-j)}} \bmod N$ and $e = h(j, r, M)$.
Step 3. Compute $\sigma = k\, s_j^{e} \bmod N$.

(Verification)

A verifier checks the validity of $(j, \sigma, e)$ on message M by executing the following steps:

Step 1. If $\sigma = 0$ then reject the signature.
Step 2. Compute $r' = \sigma^{2^{v(t+1-j)}}\, u^{e} \bmod N$.
Step 3. If $e = h(j, r', M)$ then accept the signature, else reject it.

To fit the proposed scheme, we slightly modify the output parameter of the signature algorithm and the input of the verification algorithm.
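The key generation, key update, signing and verification steps of the Abdalla-Reyzin scheme, as an added runnable example that is not the thesis's or Abdalla and Reyzin's code. The toy Blum integer N = 1019 · 1031, t = 10 periods and v = 32 are constructed parameters, SHA-256 truncated to v bits stands in for h, and the Signer class keeps only the current period's key so that an update overwrites the previous one. The demo also shows what the verifier's recomputation of r' catches: a signature presented with another period number or for another message is rejected.

```python
import hashlib
import random

# Constructed toy parameters: p1 = p2 = 3 (mod 4), so N is a Blum integer.
P1, P2 = 1019, 1031
N = P1 * P2
T = 10          # signing periods are numbered 1..T
V = 32          # security parameter v; the hash is truncated to l = V bits


def repeated_square(x, times):
    """Return x^(2^times) mod N by 'times' successive squarings."""
    for _ in range(times):
        x = x * x % N
    return x


def h(j, r, msg):
    """e = h(j, r, M): SHA-256 of period, commitment and message, truncated to V bits."""
    data = f"{j}|{r}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << V)


def random_unit(rng):
    """A random element of Z_N^* (coprime to both primes)."""
    while True:
        x = rng.randrange(2, N)
        if x % P1 and x % P2:
            return x


def keygen(rng):
    """Key generation: private s0, public u = 1 / s0^(2^(v(t+1))) mod N."""
    s0 = random_unit(rng)
    u = pow(repeated_square(s0, V * (T + 1)), -1, N)
    return s0, u


def update(s_prev):
    """Key update: s_j = s_{j-1}^(2^v) mod N; the caller must discard s_{j-1}."""
    return repeated_square(s_prev, V)


def sign(s_j, j, msg, rng):
    """Signature (j, sigma, e) on msg under the period-j key s_j."""
    k = random_unit(rng)
    r = repeated_square(k, V * (T + 1 - j))      # r = k^(2^(v(t+1-j)))
    e = h(j, r, msg)
    sigma = k * pow(s_j, e, N) % N              # sigma = k * s_j^e
    return j, sigma, e


def verify(u, msg, sig):
    """Recompute r' = sigma^(2^(v(t+1-j))) * u^e and check e = h(j, r', M)."""
    j, sigma, e = sig
    if sigma == 0 or not 1 <= j <= T:
        return False
    r_prime = repeated_square(sigma, V * (T + 1 - j)) * pow(u, e, N) % N
    return e == h(j, r_prime, msg)


class Signer:
    """Holds only the current period's key, as a forward-secure signer must."""

    def __init__(self, rng):
        self.s, self.u = keygen(rng)
        self.j = 0                      # period 0 is the base key; update before signing

    def next_period(self):
        self.s = update(self.s)         # the previous key is overwritten, not archived
        self.j += 1

    def sign(self, msg, rng):
        return sign(self.s, self.j, msg, rng)


def demo():
    """Sign in period 3 and show what the verifier accepts and rejects."""
    rng = random.Random(2005)
    signer = Signer(rng)
    for _ in range(3):
        signer.next_period()
    msg = b"constructed sample message"
    sig = signer.sign(msg, rng)
    ok = verify(signer.u, msg, sig)
    j, sigma, e = sig
    wrong_period = verify(signer.u, msg, (j + 1, sigma, e))
    wrong_msg = verify(signer.u, b"another message", sig)
    return ok, wrong_period, wrong_msg
```

Because the exponent $2^{v(t+1-j)}$ shrinks as j grows while $s_j$ has been squared $vj$ times, the two always combine to $2^{v(t+1)}$, which is what the fixed public key u cancels; that is why the verifier needs nothing but u and the period number, and why a key stolen in period j cannot be run backwards to an earlier $s_{j-1}$ without extracting square roots modulo N.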

2.4. Lamport One-Time Signature

One-time signature schemes were first proposed by Rabin [Rab79] and Lamport [Lam79], based on the idea of committing to secret keys through public keys computed with one-way functions. For more than 25 years, one-time signature schemes in the Lamport style have been proposed and investigated by many researchers. Indeed, one-time signature schemes have found many interesting applications, including on-line/off-line signatures, digital signatures with forward security properties, broadcast authentication protocols, proxy signatures, etc.

In recent years, one-time signature schemes have attracted more and more attention as an attractive alternative to the traditional signature schemes based on public key cryptography. One of the main advantages of one-time signature schemes is their reliance on one-way functions that can be implemented using fast hash functions. The resulting signatures are an order of magnitude faster than signatures based on public-key cryptography, which matters on resource-constrained small devices such as cellular phones, pagers, smart cards, etc. Another advantage of such a scheme is that it is generally quite fast. However, the scheme tends to become unwieldy when used to authenticate multiple messages, because additional data needs to be generated to both sign and verify each new message. By contrast, with conventional signature schemes like RSA [RSA78], the same key pair can be used to authenticate multiple documents, which will face the threat of replay attacks.

In this section, we briefly review the Lamport one-time signature, which includes three algorithms - key generation, signature signing and verification. Suppose that $h: Y \to Z$ is a one-way hash function.

(Key generation)

Step 1. Select 2k elements $y_{i,j} \in Y$ at random, with $1 \le i \le k$ and $j = 0, 1$, where k is the length of the message in binary.
Step 2. Compute $z_{i,j} = h(y_{i,j})$ for all i, j.
Step 3. The key K consists of the 2k y's and the 2k z's. The private key box SK and the public key box PK are as follows:

$SK = \begin{pmatrix} y_{1,0} & y_{2,0} & \cdots & y_{k,0} \\ y_{1,1} & y_{2,1} & \cdots & y_{k,1} \end{pmatrix}$

$PK = \begin{pmatrix} z_{1,0} & z_{2,0} & \cdots & z_{k,0} \\ z_{1,1} & z_{2,1} & \cdots & z_{k,1} \end{pmatrix}$

(Signature signing)

To sign a k-bit message $m = m_1 \ldots m_k$, we do the following steps:

Step 1. The entries corresponding to the message $m_1 \ldots m_k$ are $y_{1,m_1}, \ldots, y_{k,m_k}$.
Step 2. We define the signature $sig(m_1 \ldots m_k) = (y_{1,m_1}, \ldots, y_{k,m_k})$.
Step 3. We just select the corresponding entries from the key box to create the signature.

For example, to sign a message $m = 10\ldots1$, the signature is the row of entries picked from the SK box by the message bits:
$sig(m_1, \ldots, m_k) = (y_{1,1}, y_{2,0}, \ldots, y_{k,1})$
on message $m_1 \ldots m_k$.

(Verification)

To verify the signature $(y_{1,1}, y_{2,0}, \ldots, y_{k,1})$ on message $m_1 \ldots m_k$, we check whether $h(y_{i,m_i}) = z_{i,m_i}$ holds for $1 \le i \le k$.

A message to be signed is a binary k-tuple. Each bit selects the corresponding value in the SK box as the signed value. If the i-th message bit is $m_i$, the signature entry is $y_{i,m_i}$ in the SK box. To verify the signature, we just check the hash value of each
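The Lamport key box, signing and verification reviewed above, as an added example that is not the thesis's code. SHA-256 serves as the one-way function h and, as an assumption for the example, the k message bits are the 256 bits of a SHA-256 digest of the document, so k = 256; the OneTimeSigner class refuses a second signature with the same key, which is the property that makes the scheme one-time. The demo also reports the sizes the text points out as the scheme's burden: a signature of k values and a PK box of 2k hashes.

```python
import hashlib
import secrets

K = 256                      # message length in bits (assumption: hash the document first)


def h(y):
    """The one-way function: SHA-256 (assumption for the example)."""
    return hashlib.sha256(y).digest()


def message_bits(document):
    """Map a document to the k-bit string m_1..m_k by hashing it."""
    digest = hashlib.sha256(document).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(K)]


def keygen():
    """SK box: 2k random y_{i,j}; PK box: z_{i,j} = h(y_{i,j}); sk[i][j] is column i, row j."""
    sk = [[secrets.token_bytes(32) for j in range(2)] for i in range(K)]
    pk = [[h(y) for y in pair] for pair in sk]
    return sk, pk


def sign(sk, document):
    """sig(m) = (y_{1,m_1}, ..., y_{k,m_k}): bit m_i picks one of the two entries of column i."""
    return [sk[i][b] for i, b in enumerate(message_bits(document))]


def verify(pk, document, sig):
    """Accept iff h(y_{i,m_i}) = z_{i,m_i} for every 1 <= i <= k."""
    if len(sig) != K:
        return False
    bits = message_bits(document)
    return all(h(y) == pk[i][bits[i]] for i, y in enumerate(sig))


class OneTimeSigner:
    """Enforces the one-time property: a second signature with the same SK box
    would expose both y_{i,0} and y_{i,1} wherever the two messages differ,
    which is exactly the material needed to sign further messages."""

    def __init__(self):
        self.sk, self.pk = keygen()

    def sign(self, document):
        if self.sk is None:
            raise RuntimeError("Lamport key already used; generate a fresh key pair")
        sig = sign(self.sk, document)
        self.sk = None               # the private box is discarded after its single use
        return sig


def demo():
    signer = OneTimeSigner()
    doc = b"constructed sample document"
    sig = signer.sign(doc)
    good = verify(signer.pk, doc, sig)
    bad = verify(signer.pk, b"constructed forged document", sig)
    try:
        signer.sign(b"a second document")
        reused = True
    except RuntimeError:
        reused = False
    sizes = (len(sig) * 32, 2 * K * 32)    # bytes in a signature and in the PK box
    return good, bad, reused, sizes
```

With k = 256 and 32-byte values, one signature is 8 KB and the public key box is 16 KB, all of which a verifier must hold for a single message; that storage and transmission cost, not the speed of the hash evaluations, is what limits the plain Lamport scheme on small devices.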

Chapter 3 Proxy Signature in Public-Key Infrastructures (PKIs)

The notations are the same as in section 2.2.4. The proposed scheme is based on the proxy-protected approach: only the proxy signer can create the proxy signature. Although the proxy-unprotected scheme is more efficient than the proxy-protected one, the proxy-unprotected scheme is only applicable when the original signer is honest. That means proxy-protected schemes also have the ability to prevent cheating attempts plotted by the original signer, to say nothing of malicious proxy signers. We develop a proxy-protected scheme which can be combined with the DSA (ECDSA) and applied in Public Key Infrastructures (PKIs).

3.1 Proxy-Protected Scheme

There are four steps in the proxy-protected scheme: proxy generation and delivery, proxy verification and proxy key generation, signing by the proxy signer, and verification of the proxy signature. Let the original signer O have key pair $(x_A, y_A)$ where

(Proxy generation and delivery)

The proxy signer P selects a random $k_0$, computes $g'$ and sends it to the original signer. On receiving $g'$, the original signer creates $s_A$ and sends $(r_A, s_A)$. The parameters $g'$ and $r_A$ are public information. The protocol is as follows:

P: Select a random $k_0$ ($1 \le k_0 \le p-1$).
   Compute $g' = g^{k_0} \bmod p$.
P→O: $g'$.
O: Select $k_A \in_R Z_q^*$ and compute $r_A = g^{k_A} \bmod p$.
   Compute $e = h(g'^{k_A} \bmod p)$.
   Set $s_A = (x_A e + k_A) \bmod q$.
O→P: $(r_A, s_A)$.

(Proxy verification and proxy key generation)

The proxy signer checks the validity of $(r_A, s_A)$ and computes a proxy key $s_B$. The protocol is as follows:

P: Receive $(r_A, s_A)$ from the original signer.
   Check $g^{s_A} = y_A^{e'} r_A \bmod p$ where $e' = h(r_A^{k_0} \bmod p)$. If it holds, proceed as follows; else reject it.
   Compute $s_B = k_0^{-1} s_A \bmod q$.

(Proxy signature signing)

The proxy signer signs the message m as in the DSA algorithm, using the proxy key $s_B$. The protocol is as follows:

P: To sign message m, first compute h(m).
   Then select a random $k \in Z_q^*$.
   Compute $r = (g'^{k} \bmod p) \bmod q$.
   Set $s = k^{-1}(h(m) + s_B r) \bmod q$.

This signing step is similar to the DSA scheme, and the proxy signature is the tuple $(g', r_A, e', r, s)$.

(Verification of the proxy signature)

To verify the proxy signature $(g', r_A, e', r, s)$ on message m, a verifier does the following steps:

V: Verify that $1 \le r \le q$ and $1 \le s \le q$; if not, then reject the signature.
   Compute $w = s^{-1} \bmod q$.
   Compute $u_1 = w\,h(m) \bmod q$, $u_2 = r w \bmod q$, and $u_3 = e' u_2 \bmod q$.
   Compute $v = (g'^{u_1} r_A^{u_2} y_A^{u_3} \bmod p) \bmod q$.
   Accept the signature if and only if v = r.

That is, to verify the proxy signature $(g', r_A, e', r, s)$ on message m, a verifier checks whether v = r, where $v = (g'^{u_1} r_A^{u_2} y_A^{u_3} \bmod p) \bmod q$.
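The four phases of the proxy-protected scheme of Section 3.1, as an added runnable example that is not the thesis's code. Assumptions made here: the DSA parameters (p, q, g) are generated on the fly with a toy 64-bit q (a Miller-Rabin test with fixed bases, which is deterministic at the sizes used), h is SHA-256 reduced mod q, and the proxy signer draws $k_0$ from [1, q−1] so that $k_0^{-1} \bmod q$ exists. The demo also runs the check a verifier relies on (a changed message is rejected) and the situation of Attack 2 in Section 3.2: a signature produced with a guessed proxy key does not verify.

```python
import hashlib
import random

# Fixed Miller-Rabin bases: deterministic for n < 3.3e24, which covers the toy p here.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin test with the fixed bases above (n is assumed > 37)."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def dsa_params(rng, qbits=64):
    """Toy DSA parameters: prime q, prime p = c*q + 1 and g of order q in Z_p^*."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_prime(q):
            break
    c = 2
    while not is_prime(c * q + 1):
        c += 2
    p = c * q + 1
    base, g = 2, pow(2, c, p)
    while g == 1:
        base += 1
        g = pow(base, c, p)
    return p, q, g


def h(msg, q):
    """SHA-256 reduced mod q (assumption for the example)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def proxy_generation(p, q, g, x_a, g_prime, rng):
    """O receives g' = g^{k0} and answers with the proxy secret (r_A, s_A)."""
    k_a = rng.randrange(1, q)
    r_a = pow(g, k_a, p)
    e = h(str(pow(g_prime, k_a, p)).encode(), q)     # e = h(g'^{k_A} mod p)
    s_a = (x_a * e + k_a) % q
    return r_a, s_a


def proxy_verification(p, q, g, y_a, k0, r_a, s_a):
    """P checks g^{s_A} = y_A^{e'} r_A and derives s_B = k0^{-1} s_A mod q, else None."""
    e_prime = h(str(pow(r_a, k0, p)).encode(), q)    # e' = h(r_A^{k0} mod p) = e
    if pow(g, s_a, p) != pow(y_a, e_prime, p) * r_a % p:
        return None
    return e_prime, pow(k0, -1, q) * s_a % q


def proxy_sign(p, q, g_prime, s_b, msg, rng):
    """DSA signing with g' as the generator and s_B as the signing key."""
    while True:
        k = rng.randrange(1, q)
        r = pow(g_prime, k, p) % q
        s = pow(k, -1, q) * (h(msg, q) + s_b * r) % q
        if r and s:                                  # re-select k if r or s is 0
            return r, s


def proxy_verify(p, q, y_a, g_prime, r_a, e_prime, r, s, msg):
    """Accept iff v = (g'^{u1} r_A^{u2} y_A^{u3} mod p) mod q equals r."""
    if not (1 <= r <= q - 1 and 1 <= s <= q - 1):
        return False
    w = pow(s, -1, q)
    u1, u2 = w * h(msg, q) % q, r * w % q
    u3 = e_prime * u2 % q
    v = pow(g_prime, u1, p) * pow(r_a, u2, p) * pow(y_a, u3, p) % p % q
    return v == r


def demo():
    rng = random.Random(2005)
    p, q, g = dsa_params(rng)
    x_a = rng.randrange(1, q)
    y_a = pow(g, x_a, p)                  # original signer O: (x_A, y_A)
    k0 = rng.randrange(1, q)              # proxy signer P: blinding factor k0
    g_prime = pow(g, k0, p)               # P -> O: g'
    r_a, s_a = proxy_generation(p, q, g, x_a, g_prime, rng)   # O -> P: (r_A, s_A)
    e_prime, s_b = proxy_verification(p, q, g, y_a, k0, r_a, s_a)
    msg = b"constructed document"
    r, s = proxy_sign(p, q, g_prime, s_b, msg, rng)
    ok = proxy_verify(p, q, y_a, g_prime, r_a, e_prime, r, s, msg)
    tampered = proxy_verify(p, q, y_a, g_prime, r_a, e_prime, r, s, b"other document")
    r2, s2 = proxy_sign(p, q, g_prime, (s_b + 1) % q, msg, rng)   # guessed proxy key
    forged = proxy_verify(p, q, y_a, g_prime, r_a, e_prime, r2, s2, msg)
    return ok, tampered, forged
```

The verifier never sees $s_B$ or $k_0$: the public values $g'$ and $r_A$ carry the blinding and the delegation, and the extra term $y_A^{u_3}$ is what ties the signature to the original signer's certified key, which is the one exponentiation Table 3.1 charges over plain DSA verification.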

To prove that the proposed scheme works correctly and to explain that it conforms to the requirements of proxy signature schemes, we give the following two theorems:

Theorem 3.1: If the proxy secret $(r_A, s_A)$ is constructed correctly, then it passes the verification $r_A = g^{s_A} y_A^{-e'} \bmod p$.

Proof:

Suppose the proxy secret $(r_A, s_A)$ and $g' = g^{k_0} \bmod p$ are correct. We have
$s_A = (x_A e + k_A) \bmod q$.
Then make the substitutions
$e = h(g'^{k_A}) = h((g^{k_0})^{k_A}) = h((g^{k_A})^{k_0}) = h(r_A^{k_0}) = e'$, all powers taken mod p.
We obtain the following:
$s_A = (x_A e' + k_A) \bmod q$.
Rearranging the above equation,
$k_A = (s_A - x_A e') \bmod q$.
Raising g to both sides,
$g^{k_A} = g^{(s_A - x_A e')} \bmod p$,
$r_A = (g^{s_A} g^{-x_A e'}) \bmod p$   (since $r_A = g^{k_A} \bmod p$),
$r_A = (g^{s_A} y_A^{-e'}) \bmod p$   (since $y_A = g^{x_A} \bmod p$).
Thus, $r_A = (g^{s_A} y_A^{-e'}) \bmod p$ as required. □

Suppose the proxy signer receives a proxy secret from the original signer correctly in the proxy key generation. The proxy signer cannot forge another proxy secret to create a proxy key, because it is computationally infeasible to select another $r_A$ that yields a valid proxy secret tuple. Moreover, the original signer also cannot forge the proxy key, because the generator is blinded by a factor $k_0$ which is known only to the proxy signer. Thus, only the designated signer can create the valid proxy key. Therefore, the proposed scheme conforms to the property of unforgeability.

Theorem 3.2: If the proxy signature is generated correctly by the proxy signer in the proposed scheme, then it passes the proxy signature verification.

Proof:

Suppose the proxy signature is correct. This implies that the delegation certification is correct, so we have a valid proxy signature
$s = k^{-1}(h(m) + s_B r) \bmod q$.
Rearranging the signature,
$k = s^{-1}(h(m) + s_B r) \bmod q$.
Substituting $s_B$,
$k = s^{-1}(h(m) + k_0^{-1} s_A r) \bmod q$   (since $s_B = k_0^{-1} s_A \bmod q$).
Substituting $s_A$,
$k = s^{-1}[h(m) + (x_A e + k_A) k_0^{-1} r] \bmod q$   (since $s_A = (x_A e + k_A) \bmod q$).
Raising $g'$ to both sides,
$g'^{k} = (g'^{s^{-1} h(m)}\, g'^{k_A k_0^{-1} r s^{-1}}\, g'^{x_A e k_0^{-1} r s^{-1}} \bmod p) \bmod q$.
Substituting $g'^{k}$ by r, $g'^{k_A k_0^{-1}}$ by $r_A$ and $g'^{x_A k_0^{-1}}$ by $y_A$ (recall $g' = g^{k_0}$), and e by $e'$ (Theorem 3.1),
$r = (g'^{s^{-1} h(m)}\, r_A^{r s^{-1}}\, y_A^{e' r s^{-1}} \bmod p) \bmod q$.
Let $w = s^{-1} \bmod q$, $u_1 = w\,h(m) \bmod q$, $u_2 = r w \bmod q$, and $u_3 = e' u_2 \bmod q$. We obtain
$r = (g'^{u_1} r_A^{u_2} y_A^{u_3} \bmod p) \bmod q$ as required. □

The proxy signer uses the proxy key to sign a document, but a verifier needs the original signer's public key to verify the validity of the signature. The proxy key is created interactively by the original signer and the proxy signer, so from the signature a verifier can be aware that the original signer agreed to the proxy signer signing the message. This property is verifiability. From the theorems, the proposed scheme conforms to the proxy signature requirements R1 to R4. To adapt to the DSA, we could not add any warrant information in the proposed scheme.

3.2. Security Analysis and Performance

The security of the proposed scheme is based on the difficulty of breaking the one-way hash function and the hardness of the discrete logarithm problem [MVS96]. In this section, we discuss some possible attacks against the proposed scheme and explain how the proposed scheme prevents them.

Attack 1: An attacker may try to forge the proxy signature on the message m by selecting a random k and computing $r = g'^{k} \bmod p$.

Analysis of Attack 1: The attacker needs to create the forged signature $s = k^{-1}(h(m) + s_B r) \bmod q$. Because the proxy key is unknown to the attacker, it is computationally infeasible to determine s under the assumption of the discrete logarithm problem. The success probability of guessing is only 1/q, which is negligible for large q.

Attack 2: An attacker might attempt to forge the proxy key $s_B$ to create a proxy signature.

Analysis of Attack 2: The attacker faces the discrete logarithm problem too: solving for $s_B$ in $s_B = k_0^{-1}(x_A e + k_A) \bmod q$ is computationally infeasible under the assumption of the discrete logarithm problem.

Attack 3: A malicious original signer attempts to take the place of the proxy signer and derive a valid proxy key.

Analysis of Attack 3: The proxy signer uses a blinding factor $k_0$ to blind the generator g as $g' = g^{k_0} \bmod p$ [Sch95]. The original signer needs to solve for $k_0$ from $g' = g^{k_0} \bmod p$, which is difficult based on the hardness of the discrete logarithm problem. For this security reason, an original signer cannot derive the designated proxy signer's proxy key; otherwise it could not be distinguished whether the original signer or the proxy signer created a proxy signature. This is the 'proxy-protected' property.

Attack 4: A malicious proxy signer attempts to impersonate the original signer to create a proxy secret.

Analysis of Attack 4: Firstly, it is computationally infeasible for the malicious proxy signer to recover the random $k_A$ from $r_A = g^{k_A} \bmod p$. Secondly, solving for $s_A$ from $r_A = g^{s_A} y_A^{-e'} \bmod p$, knowing g and $r_A$, is computationally infeasible.

In the proposed scheme, the size of q is 160 bits and the size of p is between 512 and 1024 bits. For security, a 512-bit prime provides only marginal security, so at least 768 bits is recommended. Suppose p is a 768-bit integer and one modular exponentiation takes 240 modular multiplications. In Table 3.1, we compare the time complexity of the proposed scheme with that of the DSA. The major portion of the time complexity is modular multiplications and modular inverses, so we neglect the time complexity of hash functions and modular additions. In the proposed scheme, the time complexity of proxy signature signing is the same as that of the DSA, while proxy signature verification requires one modular exponentiation and two modular multiplications more than the DSA.

Table 3.1. The comparison of time complexity between the proposed scheme and the DSA

Scheme               Proxy generation   Proxy verification   Signature        Verification
The proposed scheme  241 Tm             721 Tm               242 Tm + Tinv    725 Tm + Tinv
DSA                  NA                 NA                   242 Tm + Tinv    483 Tm + Tinv

Note:
Tm: the number of modular multiplications.
Tinv: the number of modular inverses with a 160-bit modulus.

3.3. Application on the ECDSA

In 2000, the ECDSA was approved as FIPS 186-2 [NIST00]. We apply the proposed scheme to the ECDSA, calling the result a proxy-protected ECDSA: a variant of the ECDSA with the properties of proxy signatures.

3.3.1. Proxy-protected ECDSA

The parameters are defined on an elliptic curve E modulo a prime p, as in elliptic-curve public-key cryptography. The notations are as follows:

Alice  An original signer.
Bob    A proxy signer.
p      A prime number.
E      An elliptic curve defined over $F_p$.
q      The number of points on E.
G      A point on E having prime order q.
x      A private key with $0 \le x \le q-1$.
Q      A public key with Q = xG on E.
h( )   A one-way hash function, SHA-1.

The original signer Alice has private key x and public key Q = xG, certified by a certificate authority. Bob is a designated proxy signer. The protocol of the proxy-protected ECDSA is as follows:

(Proxy generation and delivery)

Bob:   Select a random $k_0$ ($1 \le k_0 \le q-1$).
       Compute $G' = k_0 G$.
Bob→Alice: $G'$.
Alice: Select a random integer $k_A$ ($1 \le k_A \le q-1$).
       Compute $R_A = k_A G$.
       Set $(x_1, y_1) = k_A G'$.
       Compute $e = h(x_1)$ and set $s_A = (x e + k_A) \bmod q$.
Alice→Bob: $(R_A, s_A)$.

(Proxy verification and proxy key generation)

Bob:   Set $r_A = x_2$, where $(x_2, y_2) = R_A$.
       Compute $e' = h(x_1')$ where $(x_1', y_1') = k_0 R_A$ (so $e' = e$, since $k_0 R_A = k_0 k_A G = k_A G'$).
       Compute $(x_2', y_2') = s_A G - e' Q$.
       Accept the delegation if and only if $r_A = x_2'$.
       Then compute $s_B = k_0^{-1} s_A \bmod q$ as the proxy key.

(Proxy signature signing)

Bob:   Select a random k ($1 \le k < q-1$).
       Compute $(x_3, y_3) = k G'$. Set $r = x_3$.
       Compute $s = k^{-1}(h(m) + s_B r) \bmod q$.
       If r = 0 or s = 0 then re-select a random k and run again.

The proxy signature for the message m is $(G', R_A, e', r, s)$.

(Verification of the proxy signature)

Carol: Verify that r and s are integers in the interval [1, q−1].
       Compute $w = s^{-1} \bmod q$.
       Compute $u_1 = h(m)\, w \bmod q$.
       Compute $u_2 = r w \bmod q$.
       Compute $u_3 = e' u_2 \bmod q$.
       Compute $X = u_1 G' + u_2 R_A + u_3 Q$ and let $X = (x_3', y_3')$.
       If X = O, then reject the signature; else accept the signature if and only if $x_3' = r$.

The proxy-protected ECDSA can also be deployed as the ECDSA by taking the parameters $G' = G$, $R_A = O$ and $e' = 1$. Furthermore, the proxy-protected ECDSA also reaches the properties of the strong proxy signature.

3.3.2. Example demonstration [Sti02]

Some reports on security estimates suggest that an elliptic-curve-based cryptosystem will be secure until the year 2020 if one takes $p \ge 2^{160}$. In this section we work through a tiny example to illustrate the computations in the proxy-protected ECDSA.

Let E be the elliptic curve $y^2 = x^3 + x + 6$ over $Z_{11}$. The parameter q is the number of points on E. We first compute $x^3 + x + 6 \bmod 11$ for each $x \in Z_{11}$, and then try to solve the above equation for y. We can set
$z = x^3 + x + 6 \bmod 11$
and test whether z is a quadratic residue, or QR, by applying Euler's criterion.

If the modulus is a prime p ≡ 3 (mod 4), we can obtain the square roots of a quadratic residue z by the following formula:
$\pm z^{(11+1)/4} \bmod 11 = \pm z^{3} \bmod 11$.
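The proxy-protected ECDSA of Section 3.3.1 run on the toy curve of Section 3.3.2 ($y^2 = x^3 + x + 6$ over $Z_{11}$), as an added runnable example that is not the thesis's code. Assumptions: the points are enumerated by brute force rather than with Euler's criterion, G = (2, 7) is the generator (the curve has 13 points, so q = 13 and every point other than O has order 13), SHA-1 reduced mod q stands in for h, r is taken as $x_3 \bmod q$ as in the ECDSA, the verifier's point is computed as $X = u_1 G' + u_2 R_A + u_3 Q$ (the elliptic-curve analogue of the modular check of Section 3.1), and Alice re-selects $k_A$ if $s_A = 0$, since a zero proxy key is degenerate. The demo also exercises the reduction to the plain ECDSA stated above (G' = G, R_A = O, e' = 1).

```python
import hashlib
import random

P, A, B = 11, 1, 6          # E: y^2 = x^3 + A*x + B over Z_P (toy curve of Section 3.3.2)
O = None                    # point at infinity
G = (2, 7)                  # assumed generator; 7^2 = 5 = 2^3 + 2 + 6 (mod 11)
Q = 13                      # number of points on E, prime (see curve_points)

def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def curve_points():
    """All affine points of E plus O, found by brute force over Z_11 x Z_11."""
    return [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))] + [O]

def add(p1, p2):
    """Group law on E (chord-and-tangent), with O as the identity."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add; k is reduced mod Q."""
    k %= Q
    result = O
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def h(data):
    """SHA-1 reduced mod q (assumption for the example)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % Q

def proxy_generation(x, g_prime, rng):
    """Alice: R_A = k_A G, (x1, y1) = k_A G', e = h(x1), s_A = x*e + k_A mod q."""
    while True:
        k_a = rng.randrange(1, Q)
        x1, _ = mul(k_a, g_prime)
        s_a = (x * h(str(x1).encode()) + k_a) % Q
        if s_a:                                      # assumption: reject a zero proxy secret
            return mul(k_a, G), s_a

def proxy_verification(q_pub, k0, r_a_pt, s_a):
    """Bob: e' from k0 R_A (= k_A G'); check that s_A G - e' Q has x-coordinate r_A."""
    x1p, _ = mul(k0, r_a_pt)
    e_prime = h(str(x1p).encode())
    check = add(mul(s_a, G), mul(-e_prime, q_pub))
    if check is O or check[0] != r_a_pt[0]:
        return None
    return e_prime, pow(k0, -1, Q) * s_a % Q         # s_B = k0^{-1} s_A mod q

def proxy_sign(g_prime, s_b, msg, rng):
    """Bob: (x3, y3) = k G', r = x3 mod q, s = k^{-1}(h(m) + s_B r) mod q."""
    while True:
        k = rng.randrange(1, Q)
        r = mul(k, g_prime)[0] % Q
        s = pow(k, -1, Q) * (h(msg) + s_b * r) % Q
        if r and s:                                  # re-select k when r = 0 or s = 0
            return r, s

def proxy_verify(q_pub, g_prime, r_a_pt, e_prime, r, s, msg):
    """Carol: X = u1 G' + u2 R_A + u3 Q; accept iff X != O and x(X) mod q = r."""
    if not (1 <= r <= Q - 1 and 1 <= s <= Q - 1):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h(msg) * w % Q, r * w % Q
    u3 = e_prime * u2 % Q
    X = add(add(mul(u1, g_prime), mul(u2, r_a_pt)), mul(u3, q_pub))
    return X is not O and X[0] % Q == r

def demo():
    rng = random.Random(2005)
    x = rng.randrange(1, Q)
    q_pub = mul(x, G)                                # Alice: Q = xG
    k0 = rng.randrange(1, Q)
    g_prime = mul(k0, G)                             # Bob -> Alice: G' = k0 G
    r_a_pt, s_a = proxy_generation(x, g_prime, rng)  # Alice -> Bob: (R_A, s_A)
    e_prime, s_b = proxy_verification(q_pub, k0, r_a_pt, s_a)
    msg = b"constructed document"
    r, s = proxy_sign(g_prime, s_b, msg, rng)
    ok = proxy_verify(q_pub, g_prime, r_a_pt, e_prime, r, s, msg)
    r0, s0 = proxy_sign(G, x, msg, rng)              # G' = G, R_A = O, e' = 1 is plain ECDSA
    plain = proxy_verify(q_pub, G, O, 1, r0, s0, msg)
    return len(curve_points()), ok, plain
```

With q = 13 every quantity is small enough to follow by hand against Table 3.3's multiples of G (for instance 2G = (5, 2)), which is the point of the toy curve; it is not a parameter choice with any security, since an attacker could simply try all 12 candidate private keys.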
