A New Multi-Proxy Multi-Signature Scheme

全文

(1)A New Multi-Proxy Multi-Signature Scheme

(2) Hwang, Shin-Jia. Chen, Chiu-Chin. Department of Computer Science and Information Engineering, TamKang. Department of Information Management, Chaoyang University of Technology. University, Tamsui, Taipei Hsien, 251,. Wufeng, Taichung Country, 413, Taiwan,. Taiwan, R.O.C.. R.O.C.. E-mail: [email protected]. E-mail: [email protected] 1.Introduction In the digital information world, it is. Abstract In. this. paper,. a. important to provide the authenticity and new. multi-proxy. integrity of digital documents.. These functions. multi-signature scheme, which is a new kind of. are provided by digital signature schemes.. proxy signature scheme, is proposed.. However, digital signature schemes do not. In this. scheme, an original group of signers can. provide the proxy function.. For the proxy. authorize a group of proxy signers under the. function,. and. agreement of all singers both in the original. proposed the proxy signature scheme in 1996. group and proxy group.. [10, 11].. Then only the. Mambo,. Usuda,. Okamoto. In the proxy signature scheme, any. cooperation of all singers in proxy group could. singer, called an original signer, is allowed to. generate multi-proxy multi-signatures.. The. authorize a designated person as his proxy signer.. size of the proxy certificate and the multi-proxy. Then the proxy signer is able to sign on behalf of. multi-signature is independent on the number of. an original signer.. original or proxy singers.. signature schemes were proposed [3-8, 10-21].. The verification of. multi-proxy multi-signatures is similar to that of proxy signatures.. So the new scheme is. There. Since then, many proxy. are. several kinds. signature schemes.. of proxy. The threshold proxy. The new scheme also provides the. signature schemes were proposed [4, 15, 18, 21].. fair protection for the original signer group and. In a (t, n) threshold proxy signature scheme, the. the proxy group.. original signer can authorize a proxy group with. efficient.. Further, there is no secure. channel in the new scheme.. This new scheme. n proxy members.. Only the cooperation of t or. is secure against the insider attack that is a. more proxy members is allowed to generate the. powerful attack on the multisignature schemes.. proxy signatures.. Keywords: Proxy. signatures,. multi-proxy. The multi-proxy signature scheme was. signatures, proxy multi-signatures,. first proposed in [4].. digital signatures. signature scheme is a special case of the threshold. proxy. signature. The multi-proxy. scheme.. The.

(3) multi-proxy signature scheme allows an original. such that q|(p-1).. signer to authorize a group of proxy members.. generator with order q in Zp.. Only the cooperation of all the proxy members. group consist of n original signers U1, U2, …,. can generate the multi-signature on behalf of the. and Un.. original signer.. private key xui and their public key yui= gxui mod. In 2000, Yi et al. first proposed. the proxy multi-signature schemes [20].. Then. The public parameter g is a Let the original. The original signer Ui owns their. p, for i= 1, 2, .., n.. Let the proxy group consist. some proxy mulit-signature schemes were. of m proxy signers P1, P2, …, and Pm.. proposed [3,14].. In a proxy multi-signature. proxy signer Pj owns their private key xpj and. scheme, an original signer group can authorize a. their public key ypj= gxpj mod p, for j= 1, 2, …,. proxy signer on behalf of the original signer. m.. group.. function. In this paper, a new kind of proxy. The. The function h is a public one-way hash The proxy warrant w specifies the. proxy details.. The proxy warrant also includes. signature scheme, multi-proxy multi-signature. the identities IDui’s and IDpj’s, the certified. schemes, will be proposed.. In the multi-proxy. public keys yui’s of the original signers, and the. multi-signature scheme, only the cooperation of. certified public keys ypj’s of the proxy signers.. all members in the original group can authorize a. Our multi-proxy multi-signature scheme is. proxy group.. divided into three phases: The proxy certificate. Only the cooperation of all. members in the authorized proxy group could. generation. sign messages on behalf of the original group.. multi-signature. In our real life, there exist many applications of. multi-proxy multi-signature verification phase.. multi-proxy. multi-signature. schemes.. among. householders.. the. constructors. and. All householders of the large. So a group of lawyers are authorized to. [4]. and. the. the. cooperate to generate the proxy certificate. They execute the following steps. Each original singer Ui selects a random integer kui∈Z*q, computes Kui= gkui mod p, and broadcasts his Kui. proxy. to the other n-1 original signers and m. multi-signature scheme [3], a new multi-proxy. proxy signers, for i= 1, 2, …, n.. multi-signature scheme will be proposed in the next section.. and. P1 ,P2, …, Pm, and original signers U1, U2, …, Un,. Be inspired of the simple multi-proxy scheme. phase,. In this phase, all of the proxy signers. Step 1:. act on behalf of all householders.. signature. generation. multi-proxy. [The Proxy Certificate Generation Phase]. the. building want to depute a lawyer group as their agents.. the. For. example, for a large building, there are some conflict. phase,. At. the same time each proxy signer Pj. In Section 3, the performance and. also selects a random integer kpj∈Z*q,. security analysis of our scheme is given.. computes Kpj= gkpj mod p, and. Section 4 is our conclusion.. broadcasts his Kpj to the other n original signers and m-1 proxy signers,. 2. A New Multi-Proxy Multi-signature Scheme. for j= 1, 2, …, m.. Here Z*q denotes. the set {1, 2, …., q}.. Let p and q be two large prime numbers Step 2:. Each signer Ui (or Pj) computes.

(4) n. K=. m. ∏K ∏K ui. i =1. Step 3:. j =1. pj. sj=. mod p.. mod. q.. Each original signer Ui computes vui=. of the message m is (rj, sj), for j= 1,. h(w)xuiyui+ kuiK mod q and broadcasts. 2, …, m.. Each. Each proxy signer Pj sends (w, (K, V),. Step 4:. proxy signers Pj also computes vpj=. M, (rj, sj)) to the clerk C, for j= 1,. h(w)xpjypj+ kpjK mod q and broadcasts. 2, …, m.. vpi to the other n+m-1 signers.. The clerk C first checks the proxy. Step 5:. certificate. Each signer verifies the correctness of vui by the equation. gvui≡. yuiyui h(w)KuiK. the equation. gvpj≡. ypjypj h(w)KpjK. by n. the. equation. m. g V ≡ K K [∏ (y ui ui )∏ (y pj pj )]h(w). (mod p), for i= 1, 2, …, n, and vpj by. Step 5:. xpjypjR)h(M)-1. Finally the individual proxy signature. vui to the other n+m-1 signers.. Step 4:. (Vtj+. y. i =1. (mod. (mod p).. y. j=1. If the equation holds, then. p), for j= 1, 2, …, m.. the clerk C continues the next step.. Once all of the above equations hold,. Otherwise. each member of the proxy group Pj. certificate.. n. computes V=. C. rejects. the. m. m. ∑ vui + ∑ v pj mod q, i =1. proxy. Step 6:. The clerk C computes R=. ∏. rj. j=1. j =1. for j= 1, 2, …, m.. mod p and verifies the individual. Finally, the m proxy signers P1, P2, …, Pm are. proxy signatures (rj, sj)’s by the. authorized to act for the agent of the n original. equation gh(M)sj≡ (rj)V(ypj)Rypj (mod p),. signers.. for j= 1, 2, …, m.. The proxy certificate is (K, V).. It is. Once all. important that not only n original signers but. individual proxy signatures are correct,. also m proxy signers reach an agreement to. the multi-proxy multi-signature of. authorize the signers P1, P2, …, Pm as proxy. message m can be generated as (w, (K,. signers.. V),. M,. (R,. S)). by. computing. m. S=. [The Multi-Proxy Multi-signature Generation. ∑. sj mod q.. j=1. Phase] Suppose the proxy group wants to sign a message M on behalf of the n original signers. Step 1:. * q,. for j= 1, 2, …m.. Each proxy signer Pj computes rj= gtj mod p and broadcasts rj to the other m-1 proxy signers, for j= 1, 2, …, m.. Step 3:. Each. proxy. signer. Pj. computes. Multi-Proxy. Multi-signature. Verification Phase]. Each proxy signer Pj randomly selects an integer tj ∈ Z. Step 2:. [The. After. receiving. the. multi-proxy. multi-signature (w, (K, V), M, (R, S)), the verifier. B. verifies. the. multi-signature in two steps.. multi-proxy In Step 1, by. using the warrant w and the certificate (K, V), the verifier B first checks whether or not the m proxy signers are authorized by the n original. m. R=. ∏ r mod p and finds s satisfying j=1. j. j. signers.. Then the verifier B checks the.

(5) correctness of the multi-proxy multi-signature (R,. a forged individual certificate (K'un, v'un) passing. S) in Step 2.. the verification equation gv'un≡ yunh(w)yunK'unK'. Step 1: Verify the warrant w and the certificate. (mod. (K,. V). by. n. ∏ (y. gV≡KK [. i =1. od p).. y ui ui. the m. equation. ) ∏ (y pjpj )]h(w) (m y. j=1. If the certificate (K, V) is. p),. where. K'=. Ku1×Ku2×…×Ku,n-1×K'u,n×Kp1×Kp2×…×Kpm.. If. the value of v'un is determined first, he has to solve. the. KunKun≡. equation -1K. [gvun(yunh(w)yun)-1]Ku1. -1 -1 -1 -1…K -1 u2 …Ku,n-1 Kp1 Kp2 pm (. incorrect, then reject the multi-proxy. mod p).. multi-signature (R, S).. K'un is an extremely difficult problem.. According to [2], to find the value of If the. the. value of K'un is determined first, to derive v'un. multi-proxy multi-signature (R, S) by. form gv'un≡ yunh(w)yunK'unK' (mod p) is a discrete. Step 2: Check. the. correctness. m. ∏y. gh(M)S≡ RV [. j=1. y pj pj. ]R. of. logarithm problem.. (mod p).. By the same reason, the. individual certificates (K'pj, v'pj)’s are also unforged.. 3. Security and Performance Analysis. Therefore, the proxy certificate. cannot be forged for the same reason.. For the. case of the multi-proxy multi-signatures, by the The security and performance analysis of our proposed scheme is given in this session.. similar security analysis, we can find that the multi-proxy multi-signatures are also unforged.. In essence, the security of our multi-proxy The insider attack [9] is considered since. multi-signature scheme is based on the security of the underlying mutisignature scheme.. The. it is a powerful attack on the proposed. security basis of the underlying multisignature. multisignature schemes.. scheme is the discrete logarithm problem.. To. attack, any original signer or proxy signer has to. reveal the secret key of any signer from his. change his public key after the public keys of the. public key is protected by the discrete logarithm. other singers have been determined.. problem.. losing the generality, suppose that the signer Pm. The security of the multisignature is. also guaranteed by the difficulty of the discrete. is the malicious signer.. logarithm problem.. as his secret key.. Therefore, the secret key. To perform the insider. Without. He selects an integer a. Then he has to make his. of each signer is secure while the multisignature. public key as y' satisfying the equation. cannot be forged.. g≡. n. a. y' (∏ (y ui ) y'. y ui. i =1. Let us consider the security of the multisignatures for the proxy certificates or multi-proxy multi-signatures.. The case of. proxy certificate (K, V) is considered first.. The. individual proxy certificate (Kui, vui) cannot be forged.. Without losing the generality, suppose. that someone wants to forge the individual proxy certificate (Kun, vun).. The forger must generates. m −1. ∏ (y j=1. y. pj. ) pj ). (mod. p).. After obtaining the other signers’ public keys, he has to compute the value of y' satisfying y'y'≡ n. m −1. [∏ (y ui ) ] [∏ (y pj ) pj ]−1g a i =1. y ui −1. y. (mod. p).. j=1. If the signer fixed the integer y', he will find that he has to solve the discrete logarithm problem to find the value of a.. If the signer determines the. integer a first, he has to obtain the value of y' by.

(6) solving the difficult problem in [2].. Therefore,. used to generate the multi-proxy multi-signature,. the insider attack cannot work to forge the proxy. so. certificate.. multi-signature without the agreement of all. By the similar analysis, the. multi-proxy multi-signatures cannot be forged. no. one. can. forge. the. multi-proxy. members in the proxy group.. by the insider attack for the equation y'y'≡ m −1. Our scheme satisfies the distinguishability. [∏ (y pj ) pj ]−1 g a (mod p). y. Therefore, both. j=1. the. proxy. certificates. and. multi-proxy. and identifiability conditions [10, 11].. can forge the multi-proxy multisignture even if he is an original signer.. multi-signatures are secure.. No one. Moreover, the. multi-proxy multi-signture is verified by the The proxy certificate must be generated. public keys of all proxy signers.. Therefore, the. by the cooperation of the original group and the. multi-proxy multi-signature generated by the. proxy. proxy group can be distinguished.. group. while. the. multi-proxy. Moreover,. multi-signature has to be generated by the. the proxy singers’ certificated public keys are. agreement of all members in the proxy group.. used, it is to identified by the warrant w.. The. equation. the other hand, the multi-signature generated by. K K [∏ (y ui ui ) ∏ (y pjpj )]h(w) (mod p). the original group can be also identified and. certificate n. gV≡. verification m. y. i =1. y. j=1. On. distinguished.. uses the public keys of all original signers and all proxy singers.. The performance analysis of our scheme is. Since the insider attack. cannot work for our scheme, no signer is able to create the proxy certificate or mulit-proxy multisiganture alone.. So the proxy certificate. must be generated by the cooperation of the original signers and proxy signers.. With the. same analysis on the multi-signature verification m. ∏ y pjpj ]R (mod p), all. equation gh(m)S≡ RV [. given in the following.. To briefly express the. computation and the communication costs, some symbols are defined.. The symbol Tm means the. time to execute one modular multiplication. The symbol Te is the time to execute one modular exponentiation, and the symbol Th is the time to execute one one-way hash function h.. y. j=1. proxy signers must be in agreement on the. The symbol TINV means the time to execute one modular inverse operation.. The time to execute. one modular addition or subtraction is neglected. multi-proxy multi-signature generation.. since the cost of them is much less than Tm, Te, Our proposed scheme supports the fair protection for the proxy group and the original group.. or TINV.. The symbol |T| is the size of an integer. T.. Since no one can forge the proxy. certificate without the cooperation of the proxy and original groups, no one can generate the multi-proxy. multi-signature. without. authorization of the original group.. the. On the. other hand, the proxy singers’ secret keys are. In our scheme, the generation cost for the proxy certificate is given in the following. computation produce. and. the. (n+m-1)(n+m)Tm. communication. integer and. K. are. costs. The to. (n+m)Te+. (n+m-1)(n+m)|p|,.

(7) respectively.. The computation cost for the. n. keys. individual proxy certificates are 2(n+m)Tm+. i =1. m. m. [∏ (y ui ) ∏ (y pjpj )] mod p and y ui. y. j=1. computed in advance.. The communication cost. [∏ y pjpj ] mod p are precomputed. For our. for. proxy. scheme, the verification of the multi-proxy. (n+m)Th since xuiyui’s and xpjypj’s can be. the. individual. (n+m-1)(n+m)|q|. checking. certificates. The computation cost for. individual. proxy. certificates yuiyui’s. (n+m-1)(n+m)(3Te+Tm+Th) since ypjypj’s. are. can be computed in advance.. y. j=1. multi-signature is efficient.. is and. 4. Conclusions. The total. The new multi-proxy multi-signature. to. scheme brings out the following advantages.. are. The size of the proxy certificate is independent. (n+m)(3n+3m-2)Te+ 2(n+m) Tm+ (n+m) Th and. of the numbers of the original signers while the. (n+m-1)(n+m)(|p|+|q|), respectively.. multi-proxy multi-signature is also independent. computation produce. and the. communication proxy. costs. certificate 2. 2. In our scheme, the generation cost of one multi-proxy multi-signature is given. computation. cost. for. the. The. integer. R. is. mTe+m(m-1)Tm while the communication cost to broadcast R needs m(m-1)|p|.. The individual. multi-proxy multi-signatures’ computation cost is. m(3Tm+Th+TINV). since. xpjypj’s. can. be. computed while the communication cost for sending (w, (K, V), M, (rj, sj))’s to clerks m(2|p|+2|q|+|M|+|w|).. of the numbers of the proxy members.. Our. scheme does not need secure channels.. Our. new scheme also provides the fair protection for the original signer group and the proxy group. Moreover,. the. new. multi-proxy m. [∏ (y ui ) ∏ (y )] y ui. i =1. j=1. precomputed.. y pj pj. The new scheme is secure against the insider attack [9] which is a powerful attack on multisignature. schemes. multi-signatures. and. is. Finally. the. References [1]. since y ypj pj’s. Harn, L. (1999): "Digital multisignature with distinguished signing authorities," ELECTRONICS. can be. LETTERS,. 18th. February 1999 Vol. 35 No. 4, pp.294-295.. Therefore, the total computation. multi-signature. (m2+4m+1)Tm+. [1].. verification of our scheme is efficient.. [2]. and communication costs to produce one multi-proxy. the. The computation cost for. (3m+3)Te+(2m+1)Tm+(m+1)Th n. provides. distinguishability and identifiability functions.. the clerk C checking proxy certificate and individual. scheme. (2m+1)Th+. are. threshold digital signature scheme and. (4m+3)Te+. mTINV. digital multisignature," IEE Proceedings:. and. Computers and Digital Techniques, Vol.. m[(m+1)|p|+2|q|+|M|+|w|], respectively. Finally, in our scheme, the verification cost of one multi-proxy multi-signature (w, (K, V), M, (R, S)) is the double cost of the verification of a single multi-signature.. Here the group public. Harn, L. (1994): "Group-oriented (t, n). 141, No. 5, Sept 1994, pp. 307-313. [3]. Hwang, S. J. and Chen, Chiu-Chin (2001): "A New Proxy Multi-Signature Scheme," to appear in International Workshop on Cryptology. and. Network. Security,.

(8) [4]. Tamkang University, Taipei, Taiwan, Sep.. Sign. 26-28, 2001.. Fundamentals, E79-A, 9, 1996, pp.. Hwang, S. J. and Shi, Chi-Hwai (2000):. 1338-1354.. "A. Simple. Scheme," National. [5]. Multi-Proxy. Signature. Proceedings of the Conference. on. Tenth. for. Delegation. Signing. on. "A Proxy Signature Scheme without. Security, 1996, pp. 48-57.. Computer. [12]. Computer. and. Communication. Seungjoo Kim, Sangjoon Park, and Dongho Won (1997): "Proxy Signatures,. Symposium,. Chiayi, Taiwan, R.O.C., Dec. 6-8, 2000,. Revisited,". pp. 60-64.. Communications Security, Beijing, China,. Hwang, S. J. and Shi, Chi-Hwai (1999):. November 11-14, 1997, pp. 223-232.. Specifiable. Proxy. Signature,". [13]. Information. and. Sun, Hung-Min (2000): "Design of. National Computer symposium 1999, Vol.. time-stamped. 1334, Taiwan, December 1999, pp.. traceable receivers," IEE Proc.-Comput.. 190-197.. Digit. Tech, Vol. 147, No. 6, November. Kim, S., Park, S., and won, D. (1997):. 2000. [14]. Sun,. (Multi-). 1334,. International. Springer,. Berlin,. 1997,. pp.. proxy. signatures. with. Hung-Min (2000): "On Proxy. Lecture Notes in Computer Science, Vol.. Signature. Schemes,". Computer. 2000. Symposium,. 223-232.. Chiayi, Taiwan, R.O.C., Dec. 6-8, 2000,. Lee, Narn-Yih, Hwang, Tzonelih, and. pp. 65-72.. Wang, Chin Hung (1998): "On Zhang’s Nonrepudiable. Proxy. [15]. Sun, Hung-Min (1999): "An Efficient. Signature. Nonrepudiable Threshold Proxy Signature. Schemes," Third Australasian Conference,. Scheme with Known Signers," Computer. ACISP ’98, 1998, pp. 415-422.. Communications, Vol. 22, 1999, pp.. Li, Z. C., Hui, L. C. K., Chow, K. P.,. 717-722.. Chong, C. F., Tsang, H. H., and Chan, H.. [16]. Sun, Hung-Min, Hsieh, and Bin-Tsan. W. (2000): "Cryptanalysis of Harn Digital. (1999): "Time-Stamp Proxy Signatures. Multisignature. with. with Traceable Receivers," Proceedings. Authorities,". of the Ninth National Conference on. Electronics Letters, Vol. 36, No. 4, 2000,. Information Security, Taiwan, 1999, pp.. pp. 314- 315.. 247-253.. Distinguished. [10]. Signatures. Hwang, S. J. and Shi, Chi-Hwai (2000):. "Proxy Signatures, revisited," ICICS ’97,. [9]. MAMBO, Masahiro, USUDA, Keisuke,. Operation," Proc. 3nd ACM Conference. "The. [8]. Trans.. Security, Taiwan, 2000, pp. 134-138.. International. [7]. IEICE.. and OKAMOTO, Eiji (1996): "Proxy. Information. Using One-Way Hash Functions", 2000. [6]. [11]. Message,". Scheme Signing. MAMBO, Masahiro, USUDA Keisuke,. [17]. Sun, Hung-Min, and Hsieh, Bin-Tsan. and OKAMOTO, Eiji (1996): "Proxy. (1999): "Remark on Two Nonrepudiable. signatures: Delegation of the Power to. Proxy Signature Schemes," Proceedings.

(9) [18]. of the Ninth National Conference on. International. Information Security, Taiwan, 1999, pp.. Chiayi, Taiwan, R.O.C., Dec. 6-8, 2000,. 241-246.. pp. 54-59.. Symposium,. Sun, Hung-Min, Lee N.-Y., and Hwang, T. [20] Yi, L. Bai, G., and Xiao, G. (2000): "Proxy. (1999): "Threshold Proxy Signatures,". multi-signature scheme: A new type of. IEE Proceedings-computers & Digital. proxy. Techniques, Vol. 146, No. 5, September. Letters, Vol. 36, No. 6, 2000, pp.527-528.. 1999, pp. 259-263. [19]. Computer. signature. scheme,". Electronics. [21] Zhang, K. (1997): "Threshold Proxy. Yen, Sung-Ming, Hung, Chung-Pei, and. Signature Schemes," 1997 Information. Lee, Yi-Yuan(2000): "Remarks on Some. Security Workshop, Japan, September 1997,. Proxy. pp. 191-197.. Signature. Schemes",. 2000.

(10)