Self-certified multi-proxy signature schemes with message recovery

N/A
N/A
Protected

Academic year: 2021

Share "Self-certified multi-proxy signature schemes with message recovery"

Copied!
11
0
0

加載中.... (立即查看全文)

全文

(1)

Self-certified multi-proxy signature schemes with

message recovery

*

Tzong-sun WU (1), Chien-lung HSU (2)†‡, Han-yu LIN (3)

(1) Department of Computer Science and Engineering, National Taiwan Ocean University, Keelung 202, Taiwan, China
(2) Department of Information Management, Chang Gung University, Taoyuan 333, Taiwan, China
(3) Department of Computer Science, National Chiao Tung University, Hsinchu 300, Taiwan, China

E-mail: [email protected]

Received Apr. 19, 2008; Revision accepted June 21, 2008; Crosschecked Dec. 22, 2008

Abstract: Multi-proxy signature schemes allow the original signer to delegate his/her signing power to n proxy signers such that all proxy signers must cooperatively generate a valid proxy signature on behalf of the original signer. We first propose a multi-proxy signature scheme based on discrete logarithms and then adapt it to the elliptic curve cryptosystem. With the integration of self-certified public-key systems and message recovery signature schemes, our proposed schemes have the following advantages: (1) They do not require the signing message to be transmitted, since the verifier can recover it from the signature; (2) The authentication of the public keys, verification of the signature, and recovery of the message can be simultaneously carried out in a single logical step; (3) No certificate is needed for validating the public keys. Further, the elliptic curve variant with short key lengths especially suits cryptographic applications with limited computing power and storage space, e.g., smart cards. As compared with previous work implemented with certificate-based public-key systems, the proposed schemes give better performance in terms of communication bandwidth and computation effort.

Key words: Self-certified, Multi-proxy signature, Message recovery, Smart cards, Discrete logarithms, Elliptic curve
doi:10.1631/jzus.A0820202
Document code: A
CLC number: TN918; TP309

INTRODUCTION

Since Diffie and Hellman (1976) first proposed the public-key cryptosystem for solving the problem of key management, public-key systems have been widely used in various applications such as e-cash, e-market, and e-voting. In a public-key cryptosystem, each one has a private key and a corresponding public key. To achieve the security requirements of authentication, data integrity and non-repudiation, one can use his/her own private key to generate a digital signature for the given message by using a digital signature scheme. The digital signature will be verified by the signer's public key. Extending the concept of digital signatures, Mambo et al.(1996a; 1996b) first introduced the concept of proxy signatures. In a proxy signature scheme, an authorized person, called the proxy signer, is delegated from the original signer to generate a proxy signature on behalf of the original signer.

So far, there are four different sorts of delegations: full delegation, partial delegation, delegation by warrant, and partial delegation with warrant. In the full delegation (Mambo et al., 1996a; 1996b), the proxy signer's signing key is the same as the original signer's private key, so that all (proxy) signatures are generated with the same private key. Consequently, it cannot offer secure mechanisms to protect the original signer or the proxy signer from being framed by the other. In the partial delegation (Mambo et al., 1996a; 1996b), the proxy signature key is computed from the original signer's private key, while the latter cannot be derived from the former. However, it is hard to identify the actual signer of a given signature, since a malicious original signer can impersonate the proxy signer to forge a valid proxy signature. In the delegation by warrant (Varadharajan et al., 1991; Neuman, 1993), the original signer prepares the warrant that contains some necessary proxy information, and then sends it to the proxy signer as the delegation authorization. It requires extra effort to certify and transmit the warrant. Partial delegation with warrant (Kim et al., 1997) preserves the merits of partial delegation and delegation by warrant. It is computationally infeasible for the proxy signer to derive the original signer's private key from the proxy signature key. Certification of the warrant and validation of the signature can be simultaneously carried out in a single step. Obviously, the fourth approach, partial delegation with warrant, is more flexible and secure as compared with the other three, and thus is adopted to implement our proposed schemes.

Journal of Zhejiang University SCIENCE A ISSN 1673-565X (Print); ISSN 1862-1775 (Online) www.zju.edu.cn/jzus; www.springerlink.com E-mail: [email protected]

‡ Corresponding author

* Project (No. 94-2213-E-182-019) supported by the National Science Council, Taiwan, China

Generally a secure proxy signature scheme satisfies the following two properties (Mambo et al., 1996a): (1) Unforgeability: no one but the designated proxy signer can generate a valid proxy signature; (2) Verifiability: any receiver of the proxy signature can verify its legitimacy.

Since we adopt partial delegation with warrant to implement our proposed schemes, the following properties should also be considered (Mambo et al., 1996a): (1) Proxy signer's deviation: the proxy signer cannot create a valid proxy signature with respect to another proxy signer; (2) Distinguishability: a valid proxy signature is distinguishable from a valid original signature; (3) Identifiability: an original signer can identify the actual proxy signer from a given proxy signature; (4) Secret-keys' dependence: the proxy signer's secret key is computed from the original signer's secret key; (5) Undeniability: the proxy signer cannot deny his/her signatures. Up to now, lots of variations of proxy signatures have been proposed (Kim et al., 1997; Lee et al., 1998; Sun et al., 1999; Hwang and Shi, 2000; Hwang et al., 2000; Yi et al., 2000; Hsu et al., 2001; Hwang and Chen, 2001; Lin et al., 2002; Tzeng et al., 2004; Xue and Cao, 2004a; 2004b).

In a multi-proxy signature, the original signer delegates his signing power to two or more proxy signers, and all of the proxy signers must cooperatively sign on behalf of the original signer. This paper gives a solution to the most common problem of delegation in enterprise management. For example, two or more vice presidents can cooperatively make a significant decision or sign an important document on behalf of the president in his absence.

Consider the scenario that a malicious adversary may plot an impersonation attack by substituting a fake public key for the genuine one (Michels and Horster, 1996). In this case, it is necessary to authenticate the public key before using it. A certificate-based public-key system (Kohnfelder, 1978; ISO/IEC 9798-3, 1993; ISO/IEC 14888-3, 1998) is a commonly used solution, in which each public key is accompanied with a certificate issued by the certification authority (CA). One can perform certificate verification to make sure of the authenticity of the received public key before using it. It is obvious that extra computation effort and communication overhead are required for verifying and transmitting the certificate. Shamir (1984) introduced the concept of ID-based public-key cryptosystems, where the public key is defined as the identifier of the user. Obviously, the authenticity of the public key can be explicitly verified without any extra certificate, since the public identifier of each user is intrinsically known. The security of the system heavily relies on the system authority, since all private keys are generated by the system authority. Girault (1991) introduced the concept of a self-certified public-key system. The user can determine his private key, while the public key of the user is generated by the CA. In the subsequent signature verification or other cryptographic applications, the verification of the signature and the authentication of the public keys are simultaneously carried out in a single logical step. As compared with certificate-based systems, this approach greatly reduces the computation effort and communication overhead, since no additional certificates are required. From the above discussion, one can see that the self-certified public-key system might be a better choice for implementing secure and efficient cryptographic applications.

The main advantage of the message recovery signature scheme is that the message can be recovered from the received signature. Hence, the message need not be transmitted along with the signature, which results in more bandwidth savings. In this paper, we adopt the merits of self-certified public-key systems and the message recovery signature scheme to implement efficient multi-proxy signature schemes. A significant feature of our proposed schemes is that the tasks of verifying the signature, authenticating the public keys and recovering the message are simultaneously carried out within one step. That is, the proposed schemes can improve the efficiency of communication and computation.

Elliptic curve cryptography (ECC) (ANSI X9.31, 1998; ANSI X9.62, 1998; ISO/IEC 14888-3, 1998; IEEE P1363, 2000; ANSI X9.63, 2001; ISO/IEC 15946-3, 2002), first introduced by Miller (1985) and Koblitz (1987), especially suits applications with limited computing power and insufficient storage space, such as smart cards. To achieve the same level of security as conventional cryptography, ECC requires shorter key lengths, which ensure faster execution and more bandwidth savings (Jurisic and Menezes, 1997; Stallings, 2002). In this paper, we further present an elliptic curve variant of our proposed multi-proxy signature scheme.

The remainder of this paper is organized as follows. In Section 2, we propose a multi-proxy signature scheme based on the discrete logarithms over a finite field. An elliptic curve variant based on the elliptic curve discrete logarithms is given in Section 3. Section 4 discusses some security considerations and the performance evaluation. Also, we compare our proposed scheme with two existing multi-proxy signature schemes. Finally, conclusions are given in Section 5.

PROXY SIGNATURE SCHEME BASED ON DISCRETE LOGARITHMS

In this section, we propose a multi-proxy signature scheme over a finite field. In the system, there exists a trusted CA whose tasks are to set up the system and to generate users' private and public-key pairs in the registration stage. Initially, the CA determines the following parameters: $p, q$, two large primes with $q \mid p-1$; $g$, a generator of order $q$ over $GF(p)$; $h(\cdot)$, a secure one-way hash function that accepts input of any length and generates a fixed-length output; $(\delta, \beta)$, the CA's private and public keys, where $\delta \in_R \mathbb{Z}_q^*$ (in this paper, we denote "$\in_R$" as "randomly chosen from") and

$\beta = g^{\delta} \bmod p.$ (1)

The parameters $p, q, g, \beta$ and the hash function $h$ are made public, while the CA's private key $\delta$ is kept secret. The proposed scheme consists of three stages: registration, proxy share generation, and multi-proxy signature generation and verification. Details of each stage are described below.

1. Registration stage

Each user $U_i$ associated with the identifier $ID_i$ performs the following interactive steps with the CA:

Step 1: $U_i$ chooses an integer $t_i \in_R \mathbb{Z}_q^*$, computes

$v_i = g^{h(t_i \| ID_i)} \bmod p,$ (2)

and sends $(v_i, ID_i)$ to the CA, where "$\|$" is the concatenation symbol.

Step 2: After receiving $(v_i, ID_i)$, the CA chooses $a_i \in_R \mathbb{Z}_q^*$, computes

$y_i = v_i\, h(ID_i)^{-1} g^{a_i} \bmod p,$ (3)

$w_i = a_i + \delta\, h(y_i \| ID_i) \bmod q,$ (4)

and returns $(y_i, w_i)$ to $U_i$.

Step 3: $U_i$ first computes

$x_i = w_i + h(t_i \| ID_i) \bmod q$ (5)

and verifies its validity by checking if

$\beta^{h(y_i \| ID_i)}\, h(ID_i)\, y_i = g^{x_i} \pmod p.$ (6)

If Eq.(6) holds, user $U_i$ accepts $(x_i, y_i)$ as his/her private and public keys.

Note that Eq.(6) also validates the authenticity of $y_i$ with respect to $x_i$. Accordingly, there is no need to transmit any certificate along with the public key $y_i$. Eq.(6) can be easily verified as follows:

$\beta^{h(y_i \| ID_i)}\, h(ID_i)\, y_i = \beta^{h(y_i \| ID_i)}\, v_i\, g^{a_i}$ (by Eq.(3))
$= g^{\delta h(y_i \| ID_i)}\, v_i\, g^{a_i}$ (by Eq.(1))
$= g^{\delta h(y_i \| ID_i)}\, g^{h(t_i \| ID_i)}\, g^{a_i}$ (by Eq.(2))
$= g^{w_i + h(t_i \| ID_i)}$ (by Eq.(4))
$= g^{x_i} \pmod p.$ (by Eq.(5))


2. Proxy share generation stage

Let $G = \{U_{p_1}, U_{p_2}, \ldots, U_{p_n}\}$ be the set of $n$ designated proxy signers and $U_0$ the original signer who wants to delegate his/her signing power to the designated proxy group $G$. $U_0$ distributes proxy shares to the members in $G$ with the following steps:

Step 1: $U_0$ chooses an integer $k_i \in_R \mathbb{Z}_q^*$ (for $i = 1, 2, \ldots, n$) and computes

$K_i = g^{k_i} \bmod p,$ (7)

$K = \prod_{i=1}^{n} K_i \bmod p,$ (8)

$\sigma_i = x_0 n^{-1} + k_i\, h(m_w \| K) \bmod q,$ (9)

where $m_w$ is the warrant consisting of the original and the proxy signers' identifiers, the delegation duration, and so on.

Step 2: $U_0$ sends $(\sigma_i, m_w)$ to $U_{p_i} \in G$ via a secure channel and broadcasts $(K_i, K)$.

Step 3: $U_{p_i} \in G$ verifies the validity of $(\sigma_i, m_w)$ by checking that

$g^{\sigma_i} = \left(\beta^{h(y_0 \| ID_0)}\, h(ID_0)\, y_0\right)^{n^{-1}} K_i^{\,h(m_w \| K)} \pmod p.$ (10)

The correctness of Eq.(10) is shown as follows. By raising both sides of Eq.(9) to exponent with base $g$, we have

$g^{\sigma_i} = g^{x_0 n^{-1} + k_i h(m_w \| K)}$
$= g^{x_0 n^{-1}} K_i^{\,h(m_w \| K)}$ (by Eq.(7))
$= \left(\beta^{h(y_0 \| ID_0)}\, h(ID_0)\, y_0\right)^{n^{-1}} K_i^{\,h(m_w \| K)} \pmod p.$ (by Eq.(6))

3. Multi-proxy signature generation and verification stage

For signing $m$ on behalf of the original signer $U_0$, each $U_{p_i} \in G$ performs the following steps:

Step 1: Choose an integer $z_i \in_R \mathbb{Z}_q^*$, compute

$r_i = g^{z_i} \bmod p,$ (11)

and broadcast $r_i$ to all other proxy signers.

Step 2: After receiving all $r_j$'s ($j = 1, 2, \ldots, n$; $j \neq i$) from other proxy signers, compute $r$ and $s_i$ with the following equations:

$r = (m \| h(m)) \prod_{j=1}^{n} r_j^{\,r_j} \bmod p,$ (12)

$s_i = z_i r_i + (\sigma_i + x_i)\, h(r \| K) \bmod q,$ (13)

and then broadcast $s_i$ to all other proxy signers.

Step 3: Validate $(r_j, s_j)$ sent from the proxy signer $U_{p_j} \in G$ ($j \neq i$) by checking that

$g^{s_j} = r_j^{\,r_j} \cdot \left( \left(\beta^{h(y_0 \| ID_0)}\, h(ID_0)\, y_0\right)^{n^{-1}} \beta^{h(y_j \| ID_j)}\, h(ID_j)\, y_j\, K_j^{\,h(m_w \| K)} \right)^{h(r \| K)} \pmod p.$ (14)

If Eq.(14) holds, proceed to the next step; otherwise, $s_j$ is requested to be sent again.

Step 4: Compute $s$ with all collected $s_j$'s ($j = 1, 2, \ldots, n$) as

$s = \sum_{j=1}^{n} s_j \bmod q.$ (15)

The multi-proxy signature of $m$ is $(K, r, s, m_w)$. Note that the message $m$ need not be transmitted, since it can be recovered from the signature. To check the validity of the multi-proxy signature, the verifier first computes

$m \| h(m) = r\, g^{-s} \left( \beta^{\sum_{i=0}^{n} h(y_i \| ID_i)} \prod_{i=0}^{n} h(ID_i)\, y_i \cdot K^{h(m_w \| K)} \right)^{h(r \| K)} \pmod p.$ (16)

With the recovered $m$ and $h(m)$, along with the public one-way function $h$, the verifier can check the integrity of the message and the validity of the multi-proxy signature as well. Since the public keys $y_0$ and the $y_i$'s are combined into Eq.(16), no additional public-key verification is needed before multi-proxy signature verification. Thus, the message recovery procedure, the authentication of the public keys, and the validation of the multi-proxy signature are simultaneously carried out in one single equation, Eq.(16).

Theorem 1 If an individual proxy signature $(r_i, s_i)$ is properly generated by $U_{p_i} \in G$ with Steps 1 and 2 of the multi-proxy signature generation stage, then it satisfies Eq.(14) (See Appendix for the proof).


Theorem 2 The verifier can perform Eq.(16) to recover the message $m$ from the multi-proxy signature $(K, r, s, m_w)$ and to check the validity of the signature as well as the signers' public keys (See Appendix for the proof).
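The three stages of the discrete-logarithm scheme, from CA setup (Eq.(1)) through message recovery (Eq.(16)), as an added toy implementation in Python that is not the paper's own code. It assumes SHA-256 as h (applied to length-prefixed parts so that h(m_w||K) and h(r||K) are unambiguous), encodes m||h(m) as the integer 0x01||m||SHA-256(m)[:16], generates a 512-bit p and a 160-bit q with a Fermat test (demo sizes only), and uses constructed identifiers, warrant and message; the function names are the example's own.

```python
# Added toy implementation (not the paper's code) of the discrete-log multi-proxy signature with
# message recovery above. Assumed, not from the paper: h = SHA-256 over length-prefixed parts;
# m||h(m) encoded as the integer 0x01||m||SHA-256(m)[:16]; 512-bit p / 160-bit q (demo size only).
import hashlib
import math
import secrets

def rand_prime(bits, mult=1):
    """Random `bits`-bit prime of the form k*mult + 1 (Fermat test with fixed bases: demo only)."""
    while True:
        n = secrets.randbits(bits - mult.bit_length() + 1) * mult + 1
        if n.bit_length() == bits and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13, 17)):
            return n

def setup(qbits=160, pbits=512):
    """CA setup: primes with q | p-1, g of order q, CA keys delta and beta = g^delta mod p, Eq.(1)."""
    q = rand_prime(qbits)
    p = rand_prime(pbits, q)
    g = pow(2, (p - 1) // q, p)          # order q unless 2 is a q-th power residue (probability ~1/q)
    delta = secrets.randbelow(q - 1) + 1
    return {"p": p, "q": q, "g": g, "beta": pow(g, delta, p)}, delta

def H(*parts):
    """h(a || b || ...): SHA-256 over length-prefixed parts (ints big-endian), as an integer."""
    hsh = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        hsh.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(hsh.digest(), "big")

def pk_term(sysp, y, ID):
    """beta^h(y||ID) * h(ID) * y mod p: the public-key term shared by Eqs.(6), (10), (14), (16)."""
    return pow(sysp["beta"], H(y, ID), sysp["p"]) * (H(ID) % sysp["p"]) * y % sysp["p"]

def register(sysp, delta, ID):
    """Registration stage for one user (both sides shown); returns (x_i, y_i) after the Eq.(6) check."""
    p, q, g = sysp["p"], sysp["q"], sysp["g"]
    t = secrets.randbelow(q - 1) + 1
    v = pow(g, H(t, ID), p)                                # Eq.(2), user -> CA
    a = secrets.randbelow(q - 1) + 1                       # CA side from here
    y = v * pow(H(ID) % p, -1, p) * pow(g, a, p) % p       # Eq.(3)
    w = (a + delta * H(y, ID)) % q                         # Eq.(4), CA -> user
    x = (w + H(t, ID)) % q                                 # Eq.(5), user side again
    assert pk_term(sysp, y, ID) == pow(g, x, p)            # Eq.(6): x_i and y_i validated together
    return x, y

def delegate(sysp, x0, n, mw):
    """Original signer: (K_i, K) to broadcast and one secret share sigma_i per proxy, Eqs.(7)-(9)."""
    ks = [secrets.randbelow(sysp["q"] - 1) + 1 for _ in range(n)]
    Ks = [pow(sysp["g"], k, sysp["p"]) for k in ks]                          # Eq.(7)
    K = math.prod(Ks) % sysp["p"]                                            # Eq.(8)
    return Ks, K, [(x0 * pow(n, -1, sysp["q"]) + k * H(mw, K)) % sysp["q"] for k in ks]  # Eq.(9)

def share_pub(sysp, y0, ID0, n, Ki, K, mw):
    """Right-hand side of Eq.(10): what g^sigma_i must equal, computed from public data only."""
    pk0 = pow(pk_term(sysp, y0, ID0), pow(n, -1, sysp["q"]), sysp["p"])
    return pk0 * pow(Ki, H(mw, K), sysp["p"]) % sysp["p"]

def encode(m):
    """m || h(m) as an integer; the leading 0x01 keeps any leading zero bytes of m."""
    return int.from_bytes(b"\x01" + m + hashlib.sha256(m).digest()[:16], "big")

def decode(val):
    """Inverse of encode; None when the h(m) redundancy does not check out."""
    b = val.to_bytes((val.bit_length() + 7) // 8, "big")
    return b[1:-16] if b[:1] == b"\x01" and hashlib.sha256(b[1:-16]).digest()[:16] == b[-16:] else None

def multi_proxy_sign(sysp, y0, ID0, proxies, sigmas, Ks, K, mw, m):
    """All n proxies (x_i, y_i, ID_i) sign m; every (r_j, s_j) is cross-checked with Eq.(14)."""
    p, q, g = sysp["p"], sysp["q"], sysp["g"]
    zs = [secrets.randbelow(q - 1) + 1 for _ in proxies]
    rs = [pow(g, z, p) for z in zs]                                         # Eq.(11), broadcast
    r = encode(m) * math.prod(pow(rj, rj, p) for rj in rs) % p             # Eq.(12)
    e = H(r, K)
    ss = [(z * rj + (sg + x) * e) % q for z, rj, sg, (x, _, _) in zip(zs, rs, sigmas, proxies)]  # Eq.(13)
    for j, (sj, rj, Kj, (_, yj, IDj)) in enumerate(zip(ss, rs, Ks, proxies)):
        base = share_pub(sysp, y0, ID0, len(proxies), Kj, K, mw) * pk_term(sysp, yj, IDj) % p
        if pow(g, sj, p) != pow(rj, rj, p) * pow(base, e, p) % p:          # Eq.(14)
            raise ValueError("proxy %d sent an invalid (r_j, s_j)" % j)
    return K, r, sum(ss) % q, mw                                           # Eq.(15)

def recover_and_verify(sysp, pubkeys, sig):
    """Verifier, Eq.(16): m from (K, r, s, m_w) and the (y_i, ID_i) pairs, U_0 included; None if bad."""
    p, g = sysp["p"], sysp["g"]
    K, r, s, mw = sig
    prod = math.prod(pk_term(sysp, y, ID) for y, ID in pubkeys) * pow(K, H(mw, K), p) % p
    return decode(r * pow(g, -s, p) * pow(prod, H(r, K), p) % p)

def demo(m=b"pay 100 to Bob", n=3):
    """End-to-end run with constructed identifiers and warrant; returns the verifier's view."""
    sysp, delta = setup()
    ids = [b"ID%d" % i for i in range(n + 1)]
    keys = [register(sysp, delta, ID) for ID in ids]                        # keys[0] belongs to U_0
    mw = b"ID0 delegates to ID1..ID%d, valid to 2009-12-31" % n
    Ks, K, sigmas = delegate(sysp, keys[0][0], n, mw)
    for Ki, sg in zip(Ks, sigmas):                                          # Eq.(10) at each proxy
        assert pow(sysp["g"], sg, sysp["p"]) == share_pub(sysp, keys[0][1], ids[0], n, Ki, K, mw)
    proxies = [(x, y, ID) for (x, y), ID in zip(keys[1:], ids[1:])]
    sig = multi_proxy_sign(sysp, keys[0][1], ids[0], proxies, sigmas, Ks, K, mw, m)
    pubkeys = [(y, ID) for (_, y), ID in zip(keys, ids)]
    return sysp, pubkeys, sig, recover_and_verify(sysp, pubkeys, sig)
```

If any s_j, K, m_w or public key presented to the verifier is altered, the h(m) redundancy in decode() fails and recover_and_verify() returns None instead of a forged message, which is the single-step check the text describes.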

MULTI-PROXY SIGNATURE SCHEME BASED ON ELLIPTIC CURVE DISCRETE LOGARITHMS

In this section, we propose the elliptic curve variant based on our first scheme. A significant property of the variant is that the key length required is shorter than that of our first scheme at the same level of security. In general, elliptic curve cryptography with a 160-bit modulus is almost as secure as our first scheme with a 1024-bit modulus (Jurisic and Menezes, 1997; Stallings, 2002). Furthermore, the computational efforts required for ECC and for the traditional public-key cryptosystems are considered comparable for equal key lengths. Hence, the elliptic curve variant is more efficient in terms of computational complexity and communication overhead, which especially appeals to smart card applications with limited computing power and insufficient storage space.

In the system initialization, the CA determines the following parameters: $p$, a large prime; $a, b$, two parameters in $\mathbb{Z}_p$ satisfying $4a^3 + 27b^2 \bmod p \neq 0$; $E_p(a, b)$, an elliptic curve $y^2 = x^3 + ax + b \pmod p$; $q$, a large prime such that $q$ is a divisor of the number of points on the elliptic curve $E_p(a, b)$; $O$, the point at infinity over $E_p(a, b)$; $Q$, the base point of order $q$ over $E_p(a, b)$; $h(\cdot)$, a secure one-way hash function that accepts input of various lengths and generates output of a fixed length (note that input of a point over $E_p(a, b)$ means input of the concatenation of the $x$- and $y$-coordinates of that point); $(\delta, B)$, the CA's private and public keys, where $\delta \in_R \mathbb{Z}_q^*$ and

$B = \delta Q.$ (17)

The parameters $p, q, O, Q, B$, the hash function $h$, and the elliptic curve $E_p(a, b)$ are made public, while the CA's private key $\delta$ is kept secret. In the following, all elliptic curve point operations are performed over $E_p(a, b)$. We further denote $x(P)$ as the $x$-coordinate of point $P$. The proposed ECC variant also consists of three stages like those of the first scheme. Details of each stage are stated below.

1. Registration stage

Each user $U_i$ associated with the identifier $ID_i$ performs the following interactive steps with the CA.

Step 1: $U_i$ chooses an integer $t_i \in_R \mathbb{Z}_q^*$, computes

$V_i = h(t_i \| ID_i)\, Q,$ (18)

and sends $(V_i, ID_i)$ to the CA.

Step 2: After receiving $(V_i, ID_i)$, the CA chooses $a_i \in_R \mathbb{Z}_q^*$, computes

$Y_i = h(ID_i)^{-1} (V_i + a_i Q),$ (19)

$w_i = a_i + \delta\, h(Y_i \| ID_i) \bmod q,$ (20)

and returns $(Y_i, w_i)$ to $U_i$.

Step 3: $U_i$ first computes

$x_i = w_i + h(t_i \| ID_i) \bmod q$ (21)

and verifies its validity by checking that

$h(Y_i \| ID_i)\, B + h(ID_i)\, Y_i = x_i Q.$ (22)

If Eq.(22) holds, user $U_i$ accepts $(x_i, Y_i)$ as his/her private and public keys.

Note that Eq.(22) also validates the authenticity of $Y_i$ with respect to $x_i$. Consequently, it is unnecessary to transmit any extra certificate with the public key $Y_i$. The correctness of Eq.(22) is given as follows:

$h(Y_i \| ID_i)\, B + h(ID_i)\, Y_i = h(Y_i \| ID_i)\, B + V_i + a_i Q$ (by Eq.(19))
$= (\delta\, h(Y_i \| ID_i) + a_i)\, Q + V_i$ (by Eq.(17))
$= w_i Q + V_i$ (by Eq.(20))
$= (w_i + h(t_i \| ID_i))\, Q$ (by Eq.(18))
$= x_i Q.$ (by Eq.(21))

That is, if $(Y_i, w_i)$ is correctly generated by the CA, it will pass the test of Eq.(22).

2. Proxy share generation stage

Let $G = \{U_{p_1}, U_{p_2}, \ldots, U_{p_n}\}$ be the set of $n$ designated proxy signers and $U_0$ the original signer who wants to delegate his/her signing power to the designated proxy signers $G$. $U_0$ distributes proxy shares to the members in $G$ with the following steps:

Step 1: $U_0$ chooses an integer $k_i \in_R \mathbb{Z}_q^*$ (for $i = 1, 2, \ldots, n$) and computes

$K_i = k_i Q,$ (23)

$K = \sum_{i=1}^{n} K_i,$ (24)

$\sigma_i = x_0 n^{-1} + k_i\, h(m_w \| K) \bmod q,$ (25)

where $m_w$ is defined as in the first scheme.

Step 2: $U_0$ broadcasts $(K_i, K)$ and further sends $(\sigma_i, m_w)$ to $U_{p_i} \in G$ via a secure channel.

Step 3: $U_{p_i} \in G$ verifies the validity of $(\sigma_i, m_w)$ by checking that

$\sigma_i Q = n^{-1}\left(h(Y_0 \| ID_0)\, B\right) + n^{-1}\left(h(ID_0)\, Y_0\right) + h(m_w \| K)\, K_i.$ (26)

The correctness of Eq.(26) is shown as follows. Multiplying both sides of Eq.(25) with the base point $Q$, we have

$\sigma_i Q = \left(x_0 n^{-1} + k_i\, h(m_w \| K)\right) Q$
$= x_0 n^{-1} Q + h(m_w \| K)\, K_i$ (by Eq.(23))
$= n^{-1}\left(h(Y_0 \| ID_0)\, B\right) + n^{-1}\left(h(ID_0)\, Y_0\right) + h(m_w \| K)\, K_i.$ (by Eq.(22))

Therefore, the test of Eq.(26) is successful on condition that $(K, \sigma_i, m_w)$ is correctly generated by $U_0$.

3. Multi-proxy signature generation and verification stage

For signing $m$ on behalf of the original signer $U_0$, each user $U_{p_i} \in G$ performs the following steps:

Step 1: Choose an integer $z_i \in_R \mathbb{Z}_q^*$, compute

$R_i = z_i Q,$ (27)

and then broadcast $R_i$ to all other proxy signers.

Step 2: After receiving all $R_j$'s ($j = 1, 2, \ldots, n$ and $j \neq i$) from other proxy signers, compute $r$ and $s_i$ with

$r = (m \| h(m))\; x\!\left(\sum_{j=1}^{n} x(R_j)\, R_j\right)^{-1} \bmod p,$ (28)

$s_i = z_i\, x(R_i) + (\sigma_i + x_i)\, h(r \| K) \bmod q,$ (29)

and then broadcast $s_i$ to all other proxy signers.

Step 3: Validate $(R_j, s_j)$ sent from the proxy signer $U_{p_j} \in G$ ($j \neq i$) by checking that

$s_j Q = x(R_j)\, R_j + h(r \| K)\left[\left(n^{-1} h(Y_0 \| ID_0) + h(Y_j \| ID_j)\right) B + \left(n^{-1} h(ID_0)\, Y_0 + h(ID_j)\, Y_j\right) + h(m_w \| K)\, K_j\right].$ (30)

If Eq.(30) holds, proceed to the next step; otherwise, $s_j$ is requested to be sent again.

Step 4: Compute $s$ with all collected $s_j$'s ($j = 1, 2, \ldots, n$) as

$s = \sum_{j=1}^{n} s_j \bmod q.$ (31)

The multi-proxy signature of $m$ is $(K, r, s, m_w)$. Note that the signing message need not be transmitted, since any verifier can recover it from the signature. To check the validity of the signature, the verifier first computes

$m \| h(m) = r \cdot x\!\left( sQ - h(r \| K) \sum_{i=0}^{n} \left( h(Y_i \| ID_i)\, B + h(ID_i)\, Y_i \right) - h(m_w \| K)\, h(r \| K)\, K \right) \bmod p.$ (32)

Then one can use the public one-way function $h$ to ensure the integrity of the message and the validity of the multi-proxy signature. Since the public keys $Y_0$ and the $Y_i$'s are combined into Eq.(32), additional public-key verifications are not required before the multi-proxy signature verification. Thus the authentication of the public keys, the validation of the multi-proxy signature, and the message recovery procedure are simultaneously carried out in a single equation, Eq.(32).

Theorem 3 $(R_i, s_i)$ that is correctly generated by Steps 1 and 2 of the multi-proxy signature generation stage of the elliptic curve variant satisfies Eq.(30) (See Appendix for the proof).

Theorem 4 A valid multi-proxy signature $(K, r, s, m_w)$ for the message $m$ can be used to recover $m$ with Eq.(32) (See Appendix for the proof).


SECURITY CONSIDERATIONS AND PERFORMANCE EVALUATION

In this section, we discuss some security considerations and analyze the performance of our proposed schemes.

Security considerations

The security of the proposed first scheme is primarily based on the cryptographic assumptions of the discrete logarithm problem (DLP) (Diffie and Hellman, 1976; Menezes et al., 1997) and the one-way hash function (OHF) (Diffie and Hellman, 1976; Menezes et al., 1997). The security of the elliptic curve variant is primarily based on the assumption of the elliptic curve discrete logarithm problem (ECDLP) (Menezes, 1993; Blake et al., 1999; IEEE P1363, 2000), instead of the DLP. Since the elliptic curve variant and our first scheme have almost the same structure, we make a merged discussion rather than separate ones. In the following, security considerations are analyzed from three perspectives: the intractability of private keys, the authenticity of public keys and the unforgeability of the multi-proxy signature.

1. Intractability of private keys

Consider the attack that an outsider wants to derive the CA's private key $\delta$ from Eq.(1)/(17). He/She will face the intractability of the DLP/ECDLP assumption. Further, if a malicious member tries to derive $\delta$ from Eq.(4)/(20), he/she has to know $a_i$, a secret number chosen by the CA and under the protection of the DLP/ECDLP assumption in Eq.(3)/(19). Hence, the CA's private key $\delta$ is secure against both inside and outside attacks.

The security of the user's private key $x_i$, computed from Eq.(5)/(21), depends on the random value $h(t_i \| ID_i)$, which is protected by the DLP/ECDLP assumption in Eq.(2)/(18). If any proxy signer attempts to derive the original signer's private key $x_0$ from Eq.(9)/(25), he/she has to know the secret value $k_i$ chosen by $U_0$. However, it is infeasible to obtain $k_i$, since $K_i$ is protected by the DLP/ECDLP assumption in Eq.(7)/(23). In addition, an adversary may try to reveal the original or the proxy signers' private key(s) from some intercepted information, including the $(r_i, s_i)$, the resulting multi-proxy signature $(K, r, s, m_w)$, and the corresponding signing message $m$. Substituting $\sigma_i$ in Eq.(13)/(29) with Eq.(9)/(25), we have

$s_i = z_i r_i + \left(x_0 n^{-1} + k_i\, h(m_w \| K) + x_i\right) h(r \| K) \bmod q,$
$s_i = z_i\, x(R_i) + \left(x_0 n^{-1} + k_i\, h(m_w \| K) + x_i\right) h(r \| K) \bmod q,$

respectively. It can be seen that, besides the private keys $x_0$ and $x_i$, there are two unknown random values $k_i$ and $z_i$ protected by the DLP/ECDLP assumption in Eq.(7)/(23) and Eq.(11)/(27), respectively. That is to say, it is impossible for the attacker to obtain the private keys $x_0$ and $x_i$.

2. Authenticity of public keys

Note that a valid public key $y_i$ with respect to $x_i$ and $ID_i$ has to satisfy the verification equality, Eq.(6)/(22). A malicious adversary may attempt to forge a valid triple $(ID_{adv}, x_{adv}, y_{adv})$ satisfying Eq.(6)/(22). The malicious adversary can first arbitrarily choose his/her identifier $ID_{adv}$ and private key $x_{adv}$, and then try to compute the forged valid public key $y_{adv}$. Obviously, it is infeasible since he/she will face the intractability of the DLP assumption. Similarly, if he/she first fixes $(ID_{adv}, y_{adv})$ and tries to obtain $x_{adv}$, the situation is the same as the previous one. What is more, to generate a valid $ID_{adv}$ with arbitrarily chosen $x_{adv}$ and $y_{adv}$, the adversary will be confronted with the difficulty of the DLP/ECDLP and the OHF assumptions.

3. Unforgeability of multi-proxy signature

To forge a valid multi-proxy signature $(K, r, s, m_w)$ passing the test of Eq.(16)/(32), the adversary may first choose a message $m$ along with $(K, r, m_w)$, and then try to compute $s$ from Eq.(16)/(32). However, the adversary will face the problem of computing discrete logarithms/elliptic curve discrete logarithms and fail to make it under the DLP/ECDLP assumption.

On the other hand, if the adversary first fixes $(K, r, s, m_w)$ and then tries to obtain a message $m$ satisfying Eq.(16)/(32), he/she cannot successfully plot the attack unless he/she has the ability to reverse the OHF. Thus, potential forgery attacks cannot succeed in the proposed scheme under the protection of the DLP/ECDLP and the OHF assumptions.

Consider the well-known chosen-ciphertext attack (Bellare et al., 1998). An adversary may submit different arbitrarily chosen signatures $(K, r, s, m_w)$ to the decryption oracle $D(\cdot)$, which will return the corresponding plaintext, in order to obtain the desired message. However, the probability of obtaining a meaningful plaintext is negligible. Thus, the chosen-ciphertext attack does not work in our proposed schemes.


Performance evaluation

In this subsection we make some comparisons among our proposed first scheme, Lin et al.(2002)'s scheme (the LWH scheme for short), and the Xue-Cao scheme (the XC scheme for short) (Xue and Cao, 2004b). These two schemes have structures with partial delegation similar to ours and both seem secure so far. For convenience, we define $T_h$, $T_m$, $T_i$, and $T_e$ as the time for performing an OHF $h$, a modular multiplication, a modular inverse, and a modular exponentiation, respectively.

The time for performing a modular addition is negligible compared to the computation time of the other operations, and thus is ignored here. In the following comparisons, we assume that all hash functions are implemented with VSH (Contini et al., 2006), an efficient and provably collision-resistant hash function. Contini et al.(2006) also claimed that a VSH hash function requires only 4 modular multiplications, i.e., $T_h \approx 4T_m$. $T_i$ and $T_e$ can be further converted into computational units in $T_m$ (Koblitz et al., 2000) to facilitate the evaluation of the computational complexities. The relations between $T_i$, $T_e$ and $T_m$ are: $T_i \approx 3T_m$, $T_e \approx 240T_m$. Detailed comparisons of the computational complexities and communication overheads among these three multi-proxy signature schemes are given in Tables 1 and 2, respectively.

Since our proposed scheme integrates self-certified public-key systems and message recovery signature schemes, the tasks of authenticating the public keys, verifying the signature and recovering the message can be simultaneously carried out in a single logical step, which helps reduce the computational complexities. Further, it is unnecessary to transmit the signing message, since it can be recovered from the signature, which helps with the bandwidth saving. The rough estimation results in Table 1 for the entire scheme show that our proposed scheme outperforms the LWH and the XC schemes by $(1647n+2426)T_m$ and $(915n+2419)T_m$, respectively. Table 2 shows that the total communication cost of our scheme is less than that of the LWH and the XC schemes, both by $(n^2+n-1)|p|+(6n+3)|q|$. Therefore, we conclude that the proposed scheme is better than the LWH and the XC schemes in terms of computation effort and communication cost.

Table 1 Comparison of computational complexities

Phase                               Scheme    Time complexity                                  Rough estimation
Proxy share generation              LWH       8nTe+(5n+1)Tm+(n+1)Ti*                           (1928n+4)Tm
                                    XC        7nTe+3nTm*                                       1683nTm
                                    Proposed  5nTe+5nTm+(n+1)Ti+(3n+1)Th                       (1220n+7)Tm
Multi-proxy signature generation    LWH       (n²+8n+4)Te+(n²+7n+2)Tm+Ti+(n+1)Th*              (241n²+1931n+969)Tm
                                    XC        (n²+6n+4)Te+(n²+4n+1)Tm+Th*                      (241n²+1444n+965)Tm
                                    Proposed  (n²+7n−4)Te+(n²+5n−5)Tm+(4n−3)Th                 (241n²+1701n−977)Tm
Multi-proxy signature verification  LWH       (3n+6)Te+(2n+3)Tm+Th*                            (722n+1447)Tm
                                    XC        (3n+6)Te+(2n+4)Tm+Th*                            (722n+1448)Tm
                                    Proposed  4Te+5nTm+(2n+2)Th                                (13n+968)Tm
Total costs                         LWH       (n²+19n+10)Te+(n²+14n+6)Tm+(n+2)Ti+(n+2)Th*      (241n²+4581n+2420)Tm
                                    XC        (n²+16n+10)Te+(n²+9n+5)Tm+2Th*                   (241n²+3849n+2413)Tm
                                    Proposed  (n²+12n)Te+(n²+15n−5)Tm+(n+1)Ti+9nTh             (241n²+2934n−6)Tm

* The cost for verifying each public-key certificate of the LWH and the XC schemes is implemented with ElGamal signature verification

Table 2 Comparison of communication overheads

Phase                               Scheme    Communication cost
Proxy share generation              LWH       n|p|+3n|q|*
                                    XC        n|p|+3n|q|*
                                    Proposed  (n+1)|p|+2n|q|
Multi-proxy signature generation    LWH       (n²+2n)|p|+(4n+2)|q|*
                                    XC        (n²+2n)|p|+(4n+2)|q|*
                                    Proposed  n|p|+n|q|
Multi-proxy signature verification  LWH       2|p|+(2n+4)|q|*
                                    XC        2|p|+(2n+4)|q|*
                                    Proposed  2|p|+3|q|
Total cost                          LWH       (n²+3n+2)|p|+(9n+6)|q|*
                                    XC        (n²+3n+2)|p|+(9n+6)|q|*
                                    Proposed  (2n+3)|p|+(3n+3)|q|

* The cost for transmitting each public-key certificate of the LWH and the XC schemes is implemented with ElGamal signature (ElGamal, 1985), i.e., 2|q|. LWH: Lin et al.(2006)'s scheme; XC: Xue and Cao (2004b)'s scheme


CONCLUSION

We have proposed two multi-proxy signature schemes mainly based on the DLP and the ECDLP assumptions, respectively. Preserving the merits of self-certified public-key systems and message recovery signature schemes, our proposed schemes are more efficient than the existing schemes, which were implemented with certificate-based public-key systems. The characteristics of our proposed schemes are:

(1) The validation of the multi-proxy signature, the authentication of the public keys, and the message recovery procedure are simultaneously carried out within a single logical step.

(2) No certificate is required for authenticating the public keys, which reduces computation effort and communication overhead.

(3) The signing message need not be transmitted with the signature, since it can be recovered from the signature, i.e., it gains more bandwidth savings.

As compared with our first scheme, the elliptic curve variant with shorter key lengths is more attractive to applications with limited computing power and insufficient storage space, like smart cards.

References

ANSI X9.31, 1998. Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA).

ANSI X9.62, 1998. Public Key Cryptography for the Financial Services Industry—The Elliptic Curve Digital Signature Algorithm (ECDSA). Draft.

ANSI X9.63, 2001. Public Key Cryptography for the Financial Services Industry—Key Agreement and Key Transport Using Elliptic Curve Cryptography.

Bellare, M., Desai, A., Pointcheval, D., Rogaway, P., 1998. Relations among notions of security for public-key encryption schemes. LNCS, 1462:26-45. [doi:10.1007/BFb0055718]

Blake, I., Seroussi, G., Smart, N., 1999. Elliptic Curves in Cryptography. Cambridge University Press, Cambridge, UK. [doi:10.2277/0521653746]

Contini, S., Lenstra, A.K., Steinfeld, R., 2006. VSH, an efficient and provable collision-resistant hash function. LNCS, 4004:165-182. [doi:10.1007/11761679_11]

Diffie, W., Hellman, M., 1976. New directions in cryptography. IEEE Trans. Inf. Theory, 22(6):644-654. [doi:10.1109/TIT.1976.1055638]

ElGamal, T., 1985. A public key cryptosystem and a signature scheme based on discrete logarithms. LNCS, 196:10-18. [doi:10.1007/3-540-39568-7_2]

Girault, M., 1991. Self-certified public keys. LNCS, 547:490-497. [doi:10.1007/3-540-46416-6_42]

Hsu, C.L., Wu, T.S., Wu, T.C., 2001. New nonrepudiable threshold proxy signature scheme with known signers. J. Syst. Software, 58(2):119-124. [doi:10.1016/S0164-1212(01)00032-2]

Hwang, M.S., Lin, I.C., Lu, J.L., 2000. A secure nonrepudiable threshold proxy signature scheme with known signers. Int. J. Inf., 11(2):1-8.

Hwang, S.J., Chen, C.C., 2001. A New Multi-proxy Multisignature Scheme. National Computer Symp., p.19-26.

Hwang, S.J., Shi, C.H., 2000. A Simple Multi-proxy Signature Scheme. Proc. 10th National Conf. on Information Security, p.134-138.

IEEE P1363, 2000. Standard Specifications for Public Key Cryptography. The Institute of Electrical and Electronics Engineers, Inc., USA.

ISO/IEC 9798-3, 1993. Information Technology—Security Techniques—Entity Authentication Mechanism—Part 3: Entity Authentication Using a Public Key Algorithm. International Organization for Standardization.

ISO/IEC 14888-3, 1998. Information Technology—Security Techniques—Digital Signature with Appendix—Part 3: Certificate-based Mechanisms. International Organization for Standardization.

ISO/IEC 15946-3, 2002. Information Technology—Security Techniques—Cryptographic Techniques Based on Elliptic Curves—Part 3: Key Establishment. International Organization for Standardization.

Jurisic, A., Menezes, A.J., 1997. Elliptic curves and cryptography. Dr. Dobb's J., 22(4):26-35.

Kim, S., Park, S., Won, D., 1997. Proxy Signatures, Revised. Proc. Int. Conf. on Information and Communications Security. Springer, Berlin, p.223-232.

Koblitz, N., 1987. Elliptic curve cryptosystems. Math. Comput., 48(177):203-209. [doi:10.2307/2007884]

Koblitz, N., Menezes, A., Vanstone, S., 2000. The state of elliptic curve cryptography. Des., Codes Crypt., 19(2-3):173-193. [doi:10.1023/A:1008354106356]

Kohnfelder, L.M., 1978. Toward a Practical Public-key Cryptosystem. BS Thesis, Department of Electronic Engineering, Massachusetts Institute of Technology, USA.

Lee, N.Y., Hwang, T., Wang, C.H., 1998. On Zhang's nonrepudiable proxy signature schemes. LNCS, 1438:415-422. [doi:10.1007/BFb0053752]

Lin, C.Y., Wu, T.C., Hwang, J.J., 2002. Multi-proxy Signature Schemes for Partial Delegation with Cheater Identification. The Second Int. Workshop for Asia Public Key Infrastructure. IOS Press, Amsterdam, Netherlands, p.147-152.

Mambo, M., Usuda, K., Okamoto, E., 1996a. Proxy Signature for Delegating Signing Operation. Proc. 3rd ACM Conf. on Computer and Communications Security, p.48-57. [doi:10.1145/238168.238185]

Mambo, M., Usuda, K., Okamoto, E., 1996b. Proxy signatures: delegation of the power to sign messages. IEICE Trans. Fundam. Electron. Commun. Comput. Sci., E79-A(9):1338-1354.

Menezes, A., 1993. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, USA.

Menezes, A., Oorschot, P., Vanstone, S., 1997. Handbook of Applied Cryptography. CRC Press, Inc., USA.

Michels, M., Horster, P., 1996. On the risk of disruption in several multiparty signature schemes. LNCS, 1163:334-345. [doi:10.1007/BFB0034859]

Miller, V., 1985. Use of elliptic curves in cryptography. LNCS, 218:417-426. [doi:10.1007/3-540-39799-x_31]

Neuman, B.C., 1993. Proxy-based Authorization and Accounting for Distributed Systems. Proc. 13th Int. Conf. on Distributed Computing Systems, p.283-291. [doi:10.1109/ICDCS.1993.287698]

Shamir, A., 1984. Identity-based cryptosystems and signature schemes. LNCS, 196:47-53. [doi:10.1007/3-540-39568-7_5]

Stallings, W., 2002. Cryptography and Network Security: Principles and Practice. Prentice Hall, Upper Saddle River, NJ.

Sun, H.M., Lee, N.Y., Hwang, T., 1999. Threshold proxy signatures. IEE Proc.-Comput. Dig. Techn., 146(5):259-263. [doi:10.1049/ip-cdt:19990647]

Tzeng, S.F., Yang, C.Y., Hwang, M.S., 2004. A nonrepudiable threshold multi-proxy multisignature scheme with shared verification. Fut. Gen. Comput. Syst., 20(5):887-893. [doi:10.1016/j.future.2004.01.002]

Varadharajan, V., Allen, P., Black, S., 1991. An Analysis of the Proxy Problem in Distributed System. Proc. IEEE Computer Society Symp. on Research in Security and Privacy, p.255-275. [doi:10.1109/RISP.1991.130793]

Xue, Q., Cao, Z., 2004a. A Nonrepudiable Multi-proxy Multisignature Scheme. Joint 1st Workshop on Mobile Future and Symp. on Trends in Communications, p.102-105.

Xue, Q., Cao, Z., 2004b. Improvement of Multi-Proxy Signature Scheme. Fourth Int. Conf. on Computer and Information Technology, p.450-455. [doi:10.1109/CIT.2004.1357236]

Yi, L.J., Bai, G.Q., Xiao, G.Z., 2000. Proxy multi-signature scheme: a new type of proxy signature scheme. Electron. Lett., 36(6):527-528. [doi:10.1049/el:20000422]

APPENDIX: PROOFS OF THEOREMS 1~4

Proof of Theorem 1

Raising g to both sides of Eq.(13), we have

\[ g^{s_i} = g^{z_i r_i} \cdot g^{(\sigma_i + x_i)\, h(r_i \| K)} \pmod p. \]

Rewriting the right-hand side with Eq.(11), then Eq.(6), and finally Eq.(10) expresses it entirely in terms of the public values r_i, y_0, y_i, β and K and the hash values h(r_i||K) and h(m_w||K), which implies Eq.(14).

Proof of Theorem 2

Raising g to both sides of Eq.(15) and substituting Eq.(13) for each s_i yields

\[ g^{s} = g^{\sum_{i=1}^{n} s_i} = \prod_{i=1}^{n} g^{s_i} = g^{\sum_{i=1}^{n} z_i r_i} \cdot \prod_{i=1}^{n} g^{(\sigma_i + x_i)\, h(r_i \| K)} \pmod p, \]

and, as in the proof of Theorem 1, the second factor is expressed by Eqs.(6) and (10) in terms of y_0, y_i, β, K, h(r_i||K) and h(m_w||K). The above equation can therefore be rewritten with g^{\sum_{i=1}^{n} z_i r_i} alone on one side and g^{s} times public values on the other. Multiplying the result by Eq.(12) and rearranging gives the recovery equation for m||h(m), Eq.(16).

Hence, the verifier can correctly recover the message m from Eq.(16). With the assistance of the public OHF, the verifier can check the integrity of the message and the validity of the multi-proxy signature as well. The public keys of the original signer and all proxy signers are thereby also authenticated.

Proof of Theorem 3

Multiplying both sides of Eq.(29) by the base point Q, and writing x(R_i) for the x-coordinate of R_i, we have

\[ s_i Q = \big(z_i\, x(R_i)\big)\, Q + (\sigma_i + x_i)\, h(r_i \| K)\, Q = x(R_i)\, R_i + (\sigma_i + x_i)\, h(r_i \| K)\, Q \quad \text{(by Eq.(27))}. \]

Substituting Eqs.(22) and (26) expresses the second term in terms of the public values Y_0, Y_i, B and K and the hash values h(r_i||K) and h(m_w||K), which yields the verification equation of Theorem 3.

Proof of Theorem 4

Multiplying both sides of Eq.(31) by Q and substituting Eq.(29) for each s_i yields

\[ sQ = \sum_{i=1}^{n} s_i Q = \sum_{i=1}^{n} \big(z_i\, x(R_i)\big)\, Q + \sum_{i=1}^{n} (\sigma_i + x_i)\, h(r_i \| K)\, Q = \sum_{i=1}^{n} x(R_i)\, R_i + \sum_{i=1}^{n} (\sigma_i + x_i)\, h(r_i \| K)\, Q, \]

where, by Eqs.(22) and (26), the second sum is expressed in terms of Y_0, Y_i, B, K, h(r_i||K) and h(m_w||K). The above equation can therefore be rewritten with \(\sum_{i=1}^{n} z_i\, x(R_i)\, Q = \sum_{i=1}^{n} x(R_i)\, R_i\) alone on one side and sQ minus the public terms on the other. Combining this with Eq.(28) gives m||h(m) as a function of r, s and the public values, which is the message recovery equation of Theorem 4.

Hence, the verifier can correctly recover m||h(m). With the public OHF, the verifier can check not only the integrity of the recovered message but also the validity of the multi-proxy signature.

[Table 2 Comparison of communication overheads; columns: Phase, Scheme, Communication cost]
