On Proxy (Multi-) Signature Schemes

Academic year: 2021


Hung-Min Sun
Department of Computer Science and Information Engineering
National Cheng Kung University, Tainan, Taiwan 70101
Email: [email protected]

* This research was supported in part by the National Science Council, Taiwan, under contract NSC-89-2213-E-006-118.

ABSTRACT

A proxy signature scheme allows a designated person, called a proxy signer, to sign messages on behalf of an original signer. Generalizing the concept of the proxy signature scheme, Yi et al. proposed the proxy multi-signature scheme, which allows a proxy signer to generate a proxy signature on behalf of two or more original signers. In this paper, we first analyze and improve the security of two proxy signature schemes proposed by Sun and Hsieh at IS'99. Our analysis indicates that these two schemes suffer from the public key substitution attack and a kind of direct forgery. Then we show that the same attacks on the Sun-Hsieh proxy signature schemes can be generalized to work on Yi et al.'s proxy multi-signature schemes. Two proxy multi-signature schemes are consequently proposed to defeat these attacks. Finally, we point out that the Sun-Lee-Hwang threshold proxy signature scheme is also vulnerable to the same attacks. An improved version is therefore proposed.

1. INTRODUCTION

The concept of the proxy signature scheme was first introduced by Mambo et al. [1] in 1996. A proxy signature scheme allows a designated person, called a proxy signer, to sign on behalf of an original signer. In [2], Mambo et al. further proposed a more secure version in which the proxy signer cannot later repudiate the creation of a valid proxy signature against anyone. This property is usually referred to as "nonrepudiation". So far, a number of proxy signature schemes with the nonrepudiation property have been constructed [1-5]. Some of them are named proxy-protected proxy signature schemes [2-3] and the others are named nonrepudiable proxy signature schemes [4-5]. Among these nonrepudiable proxy-protected proxy signature schemes, Zhang's scheme [4] has been shown to be insecure by Lee et al. [6]. Recently, Sun and Hsieh [5] showed that the Mambo-Usuda-Okamoto scheme is unfair to the original signer because the proxy signer can transfer the delegation to others, and that the Kim-Park-Won scheme is vulnerable to the public key substitution attack, in which an attacker can forge a valid proxy signature by updating his own public key. To repair both the Mambo-Usuda-Okamoto scheme and the Kim-Park-Won scheme, they also presented two modified versions in [5].

Generalizing the concept of the proxy signature, Yi et al. [7] proposed a new type of proxy signature scheme, named the proxy multi-signature scheme, in which a proxy signer can generate a proxy signature on behalf of two or more original signers. They proposed two proxy multi-signature schemes based on the Mambo-Usuda-Okamoto proxy signature scheme and the Kim-Park-Won proxy signature scheme respectively.

On the other hand, a (t, n) threshold proxy signature scheme [3,4,8] is a variant of the proxy signature scheme in which the proxy signature key is shared by a group of n proxy signers in such a way that any t or more proxy signers can cooperatively employ the proxy signature key to sign messages on behalf of an original signer, but t-1 or fewer proxy signers cannot. In [8], Sun, Lee, and Hwang showed that the threshold proxy signature scheme proposed by Zhang [4] suffers from some weaknesses and the threshold proxy signature scheme proposed by Kim et al. [3] suffers from a disadvantage. In addition, they also proposed a new threshold proxy signature scheme, the Sun-Lee-Hwang scheme in short, to prevent these weaknesses.

In this paper, we first analyze and improve the security of the two proxy signature schemes proposed by Sun and Hsieh. Our analysis indicates that these two schemes suffer from the public key substitution attack and a kind of direct forgery. Then we show that the same attacks on the Sun-Hsieh proxy signature schemes can be generalized to work on Yi et al.'s proxy multi-signature schemes. Two proxy multi-signature schemes are consequently proposed to defeat these attacks. Finally, we point out that the Sun-Lee-Hwang threshold proxy signature scheme is also vulnerable to the same attacks. An improved version is therefore proposed.

The remainder of this paper is organized as follows. In Section 2, we analyze and improve the Sun-Hsieh proxy signature scheme based on the Mambo-Usuda-Okamoto scheme. In Section 3, we analyze and improve the Sun-Hsieh proxy signature scheme based on the Kim-Park-Won scheme. In Sections 4 and 5, we analyze the Mambo-like proxy multi-signature scheme and the Kim-like proxy multi-signature scheme proposed by Yi et al. In Sections 6 and 7, we further propose a proxy-unprotected proxy multi-signature scheme and a proxy-protected proxy multi-signature scheme against forgery, respectively. In Section 8, we analyze and improve the Sun-Lee-Hwang threshold proxy signature scheme. Section 9 gives a general approach to defeat the public key substitution attack. Finally, we conclude this paper in Section 10.

2. ON SUN-HSIEH PROXY SIGNATURE SCHEME BASED ON MAMBO-USUDA-OKAMOTO SCHEME

2.1 Description of the Scheme [5]

Let $p$ be a large prime and $g$ be a generator for $Z_p^*$. The original signer has a private key $s_o \in Z_{p-1} \setminus \{0\}$ and the corresponding public key $v_o = g^{s_o} \pmod p$; the proxy signer has a private key $s_p \in Z_{p-1} \setminus \{0\}$ and the corresponding public key $v_p = g^{s_p} \pmod p$. Both $v_o$ and $v_p$ are certified by a certification authority (CA). Let $h(\cdot)$ be a public collision resistant hash function. For simplicity, we describe only the signature verification process for a proxy signature. A proxy signature, generated by the proxy signer, on a message $m$ is a 4-tuple $(m, \mathrm{Sign}_{\sigma_p}(m), K, M_w)$, where $\mathrm{Sign}_{\sigma_p}(m)$ is the signature on $m$ using an ordinary signature scheme with a proxy signature key $\sigma_p$. The validity of the proxy signature can be checked by the verification equation in the ordinary signature scheme with the corresponding public key

$v = v_o \cdot v_p^{h(M_w, K, v_p)} \cdot K^{h(M_w, K)} \pmod p$.

2.2 Cryptanalysis of the Scheme

In this section, we show that the original signer can make the public key substitution attack feasible. First, the original signer selects a random number $k \in Z_{p-1} \setminus \{0\}$ and computes $K = g^k \pmod p$. Then he selects a random number $a \in Z_{p-1} \setminus \{0\}$ and updates his public key by

$v_o = \left(v_p^{h(M_w, K, v_p)} \cdot K^{h(M_w, K)}\right)^{-1} g^a \pmod p$.

Thus $\sigma_p = a$ is a valid proxy signature key. This is because

$v = v_o \cdot v_p^{h(M_w, K, v_p)} \cdot K^{h(M_w, K)} \pmod p = \left(v_p^{h(M_w, K, v_p)} \cdot K^{h(M_w, K)}\right)^{-1} g^a \cdot v_p^{h(M_w, K, v_p)} \cdot K^{h(M_w, K)} \pmod p = g^a \pmod p$.

2.3 Our Improvement

Here we present an improved proxy signature scheme to defeat the above forgery.

Step I. (Proxy generation): The original signer first chooses a random number $k \in Z_{p-1} \setminus \{0\}$, and then computes $K = g^k \pmod p$ and $\sigma = s_o \cdot v_o + k \cdot h(M_w, K) \pmod{p-1}$, where $M_w$ is a warrant which contains the original signer's ID, the proxy signer's ID, the delegation period, and the issue time for the delegation.

Step II. (Proxy delivery): The original signer sends $(\sigma, K, M_w)$ to the proxy signer over a public channel.

Step III. (Verification and alteration of the proxy): The proxy signer confirms the validity of $(\sigma, K, M_w)$ by checking if the following congruence holds: $g^{\sigma} = v_o^{v_o} \cdot K^{h(M_w, K)} \pmod p$. If it holds, then the proxy signer computes an alternative proxy signature key $\sigma_p = \sigma + s_p \cdot h(M_w, K, v_p) \pmod{p-1}$.

Step IV. (Signing by the proxy signer): The proxy signer signs a message $m$ by using an ordinary signature scheme with secret key $\sigma_p$. Assume that the resulting signature is $\mathrm{Sign}_{\sigma_p}(m)$. The proxy signature on $m$ is $(m, \mathrm{Sign}_{\sigma_p}(m), K, M_w)$.

Step V. (Verification of the proxy signature): The verifier computes the corresponding public key in the ordinary signature scheme: $v = v_o^{v_o} \cdot v_p^{h(M_w, K, v_p)} \cdot K^{h(M_w, K)} \pmod p$. Then, he verifies the validity of $\mathrm{Sign}_{\sigma_p}(m)$ by checking the verification equation of the ordinary signature scheme with the newly generated public key $v$.
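The improved scheme of Section 2.3, Steps I to V, as an added worked example (not code from the paper). It assumes constructed toy parameters ($p = 2^{127}-1$, base $g = 3$), models $h(\cdot)$ with SHA-256 reduced into $Z_{p-1}$, and uses Schnorr over $Z_p^*$ as the unspecified "ordinary signature scheme"; a warrant that names a different proxy signer is shown to be rejected at Step III.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2^127 - 1 is prime and g = 3 is the base.
# Exponents are reduced mod p-1 as in the paper; a deployment would use a
# generator of a large prime-order subgroup and a proper hash into Z_{p-1}.
P = (1 << 127) - 1
G = 3

def h(*parts):
    """Public hash h( ) of Section 2.1, modelled with SHA-256 reduced into Z_{p-1}."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def keygen():
    """Private key s in Z_{p-1} \\ {0} and public key g^s mod p."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)

def proxy_generate(s_o, v_o, warrant):
    """Step I: K = g^k (mod p), sigma = s_o v_o + k h(M_w, K) (mod p-1)."""
    k = secrets.randbelow(P - 2) + 1
    K = pow(G, k, P)
    return (s_o * v_o + k * h(warrant, K)) % (P - 1), K

def proxy_accept(sigma, K, warrant, v_o, s_p, v_p):
    """Step III: check g^sigma = v_o^{v_o} K^{h(M_w,K)}; return sigma_p or None."""
    if pow(G, sigma, P) != pow(v_o, v_o, P) * pow(K, h(warrant, K), P) % P:
        return None
    return (sigma + s_p * h(warrant, K, v_p)) % (P - 1)

def proxy_public_key(v_o, v_p, K, warrant):
    """Step V: v = v_o^{v_o} v_p^{h(M_w,K,v_p)} K^{h(M_w,K)} (mod p)."""
    return (pow(v_o, v_o, P) * pow(v_p, h(warrant, K, v_p), P)
            * pow(K, h(warrant, K), P)) % P

# The "ordinary signature scheme" is modelled by Schnorr over Z_p^*.
def schnorr_sign(x, m):
    r = secrets.randbelow(P - 2) + 1
    R = pow(G, r, P)
    return R, (r + h(R, m) * x) % (P - 1)

def schnorr_verify(v, m, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(v, h(R, m), P) % P

def proxy_sign(sigma_p, m, K, warrant):
    """Step IV: the proxy signature is (m, Sign_{sigma_p}(m), K, M_w)."""
    return m, schnorr_sign(sigma_p, m), K, warrant

def proxy_verify(psig, v_o, v_p):
    """Step V: verify Sign_{sigma_p}(m) under the reconstructed public key v."""
    m, sig, K, warrant = psig
    return schnorr_verify(proxy_public_key(v_o, v_p, K, warrant), m, sig)

def demo(message="approve purchase order 4711",
         warrant="orig=alice;proxy=bob;period=2021-01..2021-03;issued=2020-12-30"):
    """Constructed run: (valid signature, amended message, foreign warrant rejected)."""
    s_o, v_o = keygen()
    s_p, v_p = keygen()
    sigma, K = proxy_generate(s_o, v_o, warrant)
    sigma_p = proxy_accept(sigma, K, warrant, v_o, s_p, v_p)
    psig = proxy_sign(sigma_p, message, K, warrant)
    amended = (message + " (amended)",) + psig[1:]
    rejected = proxy_accept(sigma, K, warrant + ";proxy=carol", v_o, s_p, v_p) is None
    return proxy_verify(psig, v_o, v_p), proxy_verify(amended, v_o, v_p), rejected
```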

3. ON SUN-HSIEH PROXY SIGNATURE SCHEME BASED ON KIM-PARK-WON SCHEME

3.1 Description of the Scheme [5]

The system parameters are the same as those in Section 2.1. For simplicity, we describe only the signature verification process for a proxy signature. Similar to Section 2.1, a proxy signature on a message $m$ is a 4-tuple $(m, \mathrm{Sign}_{\sigma_p}(m), K, M_w)$. The validity of the proxy signature can be checked by the verification equation in the ordinary signature scheme with the corresponding public key

$v = v_o^{h(M_w, K, v_p)} \cdot v_p \cdot K \pmod p$.

3.2 Cryptanalysis of the Scheme

In the following, we show that (i) the original signer can make the public key substitution attack feasible; (ii) the original signer can create a valid proxy signature key $\sigma_p$ with respect to an arbitrary user (whether or not that user has been told that he is the proxy signer).

(i) First, the original signer selects a random number $k \in Z_{p-1} \setminus \{0\}$, and computes $K = g^k \pmod p$ and $e = h(M_w, K, v_p)$. Then he selects a random number $a \in Z_{p-1} \setminus \{0\}$ and updates his public key by $v_o = v_p^{-e^{-1}} g^a \pmod p$. Finally, he computes $\sigma_p = ae + k \pmod{p-1}$. Thus $\sigma_p$ is a valid proxy signature key. This is because

$v = v_o^{h(M_w, K, v_p)} \cdot v_p \cdot K \pmod p = \left(v_p^{-e^{-1}} g^a\right)^e \cdot v_p \cdot g^k \pmod p = g^{ae + k} \pmod p$.

(ii) First, the original signer randomly selects a number $k \in Z_{p-1} \setminus \{0\}$, and computes $K = g^k \cdot v_p^{-1} \pmod p$. Then he computes $\sigma_p = h(M_w, K, v_p) \cdot s_o + k \pmod{p-1}$. Thus $\sigma_p$ is a valid proxy signature key because

$v = v_o^{h(M_w, K, v_p)} \cdot v_p \cdot K \pmod p = g^{h(M_w, K, v_p) \cdot s_o} \cdot v_p \cdot g^k \cdot v_p^{-1} \pmod p = g^{h(M_w, K, v_p) \cdot s_o + k} \pmod p$.

3.3 Our Improvement

In this section, we present an improved proxy signature scheme to defeat the above forgery.

Step 1. (Proxy generation): The original signer first chooses a random number $k \in Z_{p-1} \setminus \{0\}$, and then computes $K = g^k \pmod p$, $e = h(M_w, K, v_p)$, and $\sigma = e s_o + k \pmod{p-1}$.

Step 2. (Proxy delivery): The original signer sends $(M_w, \sigma, K)$ to the proxy signer over a public channel.

Step 3. (Verification and alteration of the proxy): The proxy signer confirms the validity of $(M_w, \sigma, K)$ by checking if the following congruence holds: $g^{\sigma} = v_o^{h(M_w, K, v_p)} \cdot K \pmod p$. If it holds, then the proxy signer computes an alternative proxy signature key $\sigma_p = \sigma + s_p \cdot h(M_w, v_o, K) \pmod{p-1}$.

Step 4. (Signing by the proxy signer): The proxy signer signs a message $m$ by using an ordinary signature scheme with secret key $\sigma_p$. Assume that the resulting signature is $\mathrm{Sign}_{\sigma_p}(m)$. The proxy signature on $m$ is $(m, \mathrm{Sign}_{\sigma_p}(m), K, M_w)$.

Step 5. (Verification of the proxy signature): The verifier computes the corresponding public key in the ordinary signature scheme: $v = v_o^{h(M_w, K, v_p)} \cdot v_p^{h(M_w, v_o, K)} \cdot K \pmod p$. Then, he verifies the validity of $\mathrm{Sign}_{\sigma_p}(m)$ by checking the verification equation of the ordinary signature scheme with the newly generated public key $v$.

4. ON MAMBO-LIKE PROXY MULTI-SIGNATURE SCHEME

4.1 Description of the Scheme [7]

Let $A_1, A_2, \ldots, A_n$ be $n$ original signers with private keys $s_i \in Z_{p-1} \setminus \{0\}$ and public keys $v_i = g^{s_i} \pmod p$ respectively. These $v_i$ are certified by a CA.

Step A. (Subproxy key generation): For each $1 \le i \le n$, the original signer $A_i$ chooses a random number $k_i \in Z_{p-1} \setminus \{0\}$, and then computes $K_i = g^{k_i} \pmod p$ and $\sigma_i = s_i + k_i K_i \pmod{p-1}$.

Step B. (Subproxy key delivery): For each $1 \le i \le n$, the original signer $A_i$ sends $(\sigma_i, K_i)$ to the proxy signer in a secure manner.

Step C. (Subproxy key verification): For each $1 \le i \le n$, the proxy signer confirms the validity of $(\sigma_i, K_i)$ by checking if the following congruence holds: $g^{\sigma_i} = v_i \cdot K_i^{K_i} \pmod p$. If $(\sigma_i, K_i)$ passes this equation, he accepts it as a valid subproxy key; otherwise, he rejects it and requests $A_i$ for a valid one, or he terminates this protocol.

Step D. (Proxy signature key generation): If the proxy signer confirms the validity of all $(\sigma_i, K_i)$ for $1 \le i \le n$, then he computes $\sigma_p = \sum_{i=1}^{n} \sigma_i \pmod{p-1}$ as a valid proxy signature key.

Step E. (Signing by the proxy signer): The proxy signer executes the signing operation of an ordinary signature scheme using $\sigma_p$ as the signing key. Assume that the resulting signature is $\mathrm{Sign}_{\sigma_p}(m)$. The proxy multi-signature on $m$ for $A_1, A_2, \ldots, A_n$ is $(m, \mathrm{Sign}_{\sigma_p}(m), K_1, \ldots, K_n)$.

Step F. (Verification of the proxy multi-signature): The verifier computes the corresponding proxy public key in the ordinary signature scheme: $v = v_1 \cdots v_n \cdot K_1^{K_1} \cdots K_n^{K_n} \pmod p$. Then, he verifies the validity of $\mathrm{Sign}_{\sigma_p}(m)$ by checking the verification equation of the ordinary signature scheme with the newly generated proxy public key $v$.

4.2 Cryptanalysis of the Scheme

In the following, we show that the Mambo-like proxy multi-signature scheme is also insecure against the public key substitution attack, in which an attacker can forge a valid proxy multi-signature by updating his own public key. Without loss of generality, we assume that $A_1$ wants to forge a proxy multi-signature on $m$ for $A_1, A_2, \ldots, A_t$. He first selects $t+1$ random numbers $\sigma_p, K_1, \ldots, K_t \in Z_{p-1} \setminus \{0\}$, and then computes

$v_1^* = \left(v_2 \cdots v_t \cdot K_1^{K_1} \cdots K_t^{K_t}\right)^{-1} g^{\sigma_p} \pmod p$.

Then he makes a request to the CA for updating his public key $v_1$ with $v_1^*$ (note that he may claim that he has lost his private key). Thus $\sigma_p$ is a valid proxy signature key and $v = g^{\sigma_p} \pmod p$ is the corresponding proxy public key. This is because

$v = v_1^* \cdot v_2 \cdots v_t \cdot K_1^{K_1} \cdots K_t^{K_t} \pmod p = \left(v_2 \cdots v_t \cdot K_1^{K_1} \cdots K_t^{K_t}\right)^{-1} g^{\sigma_p} \cdot \left(v_2 \cdots v_t \cdot K_1^{K_1} \cdots K_t^{K_t}\right) \pmod p = g^{\sigma_p} \pmod p$.

Therefore, $A_1$ can use $\sigma_p$ to generate a forged proxy multi-signature on an arbitrary message $m$ for $A_1, A_2, \ldots, A_t$.

5. ON KIM-LIKE PROXY MULTI-SIGNATURE SCHEME

5.1 Description of the Scheme [7]

The system parameters are the same as those in the Mambo-like proxy multi-signature scheme.

Step i. (Subproxy key generation): is the same as Step A except that $\sigma_i = e_i s_i + k_i \pmod{p-1}$, where $e_i = h(M_w, K_i)$.

Step ii. (Subproxy key delivery): is the same as Step B except that $(\sigma_i, K_i)$ is replaced with $(M_w, \sigma_i, K_i)$.

Step iii. (Subproxy key verification): is the same as Step C except that $g^{\sigma_i} = v_i^{e_i} \cdot K_i \pmod p$, where $e_i = h(M_w, K_i)$.

Step iv. (Proxy signature key generation): is the same as Step D except that $(\sigma_i, K_i)$ is replaced with $(M_w, \sigma_i, K_i)$.

Step v. (Signing by the proxy signer): is the same as Step E except that the proxy multi-signature on $m$ for $A_1, A_2, \ldots, A_n$ is $(m, \mathrm{Sign}_{\sigma_p}(m), K_1, \ldots, K_n, M_w)$.

Step vi. (Verification of the proxy multi-signature): is the same as Step F except that $v = v_1^{e_1} \cdots v_n^{e_n} \cdot K_1 \cdots K_n \pmod p$, where $e_i = h(M_w, K_i)$ for $1 \le i \le n$.

5.2 Cryptanalysis of the Scheme

In the following, we show that the Kim-like proxy multi-signature scheme is insecure against a direct forgery. Without loss of generality, we assume that $A_1$ wants to forge a proxy multi-signature on $m$ for $A_1, A_2, \ldots, A_t$. He first selects $t-1$ random numbers $K_2, \ldots, K_t \in Z_{p-1} \setminus \{0\}$, and then computes $e_i = h(M_w, K_i)$ for $2 \le i \le t$. Then he

selects a random number $k_1 \in Z_{p-1} \setminus \{0\}$, computes $K_1 = \left(v_2^{e_2} \cdots v_t^{e_t} \cdot K_2 \cdots K_t\right)^{-1} g^{k_1} \pmod p$ and $e_1 = h(M_w, K_1)$. Let $s_1$ be the private key of $A_1$. Thus $\sigma_p = s_1 e_1 + k_1 \pmod{p-1}$ is a valid proxy signature key and $v = g^{\sigma_p} \pmod p$ is the corresponding proxy public key. This is because

$v = v_1^{e_1} \cdots v_t^{e_t} \cdot K_1 \cdots K_t \pmod p = v_1^{e_1} \left(v_2^{e_2} \cdots v_t^{e_t} \cdot K_2 \cdots K_t\right) K_1 \pmod p = (g^{s_1})^{e_1} g^{k_1} \pmod p = g^{\sigma_p} \pmod p$.

Therefore, $A_1$ can use $\sigma_p$ to generate a forged proxy multi-signature on an arbitrary message $m$ for $A_1, A_2, \ldots, A_t$.

6. PROXY-UNPROTECTED PROXY MULTI-SIGNATURE SCHEME AGAINST FORGERY

Both the Mambo-like and the Kim-like proxy multi-signature schemes, proposed by Yi et al., are proxy-unprotected because the identity of the proxy signer cannot be proved. In this section, we present a proxy-unprotected proxy multi-signature scheme which is secure against forgery. The system parameters are the same as those in the Mambo-like proxy multi-signature scheme, and we assume that the proxy signer has a private key $s_p \in Z_{p-1} \setminus \{0\}$ and the corresponding public key $v_p = g^{s_p} \pmod p$.

Step a. (Subproxy key generation): is the same as Step A except that $\sigma_i = s_i v_i + k_i K_i \pmod{p-1}$.

Step b. (Subproxy key delivery): is the same as Step B.

Step c. (Subproxy key verification): is the same as Step C except that $g^{\sigma_i} = v_i^{v_i} \cdot K_i^{K_i} \pmod p$.

Step d. (Proxy signature key generation): is the same as Step D.

Step e. (Signing by the proxy signer): is the same as Step E.

Step f. (Verification of the proxy multi-signature): is the same as Step F except that $v = v_1^{v_1} \cdots v_n^{v_n} \cdot K_1^{K_1} \cdots K_n^{K_n} \pmod p$.

Security Analysis: Without loss of generality, we assume $n = 2$. Therefore, $v = v_1^{v_1} v_2^{v_2} K_1^{K_1} K_2^{K_2} \pmod p$. In the following, we show that the public key substitution attack cannot work here. Without loss of generality, we assume that $A_1$ wants to forge a proxy multi-signature on $m$ for $A_1$ and $A_2$. Let $v_1 = v_2^{a} g^{b} \pmod p$, $K_1 = v_2^{c} g^{d} \pmod p$, and $K_2 = v_2^{e} g^{f} \pmod p$. Then

$v = v_2^{a v_1 + v_2 + c K_1 + e K_2} \cdot g^{b v_1 + d K_1 + f K_2} \pmod p$

must hold. If $A_1$ can make the equation $a v_1 + v_2 + c K_1 + e K_2 \equiv 0 \pmod{p-1}$ hold, he can obtain $\sigma_p = b v_1 + d K_1 + f K_2 \pmod{p-1}$. However, it is infeasible to find $a$, $c$, and $e$ such that $a v_1 + v_2 + c K_1 + e K_2 \equiv 0 \pmod{p-1}$ holds. This is because $v_1$ depends on $a$, $K_1$ depends on $c$, and $K_2$ depends on $e$, and hence any change of $a$, $c$, and $e$ will lead to a change of $v_1$, $K_1$, and $K_2$ respectively. If he fixes $v_1$, $K_1$, and $K_2$ such that they are independent of $a$, $c$, and $e$ respectively, then he must solve the difficult discrete logarithm problem to find $b$, $d$, and $f$.

7. PROXY-PROTECTED PROXY MULTI-SIGNATURE SCHEME AGAINST FORGERY

In Yi et al.'s paper, they mentioned that their idea can also be used to construct proxy-protected proxy multi-signature schemes in which the proxy signer cannot later repudiate a proxy multi-signature which he has signed. Similarly, these constructed proxy-protected proxy multi-signature schemes also suffer from the same security problems as described above. In this section, we present a proxy-protected proxy multi-signature scheme which is secure against forgery. The system parameters are the same as those in the Mambo-like proxy multi-signature scheme. Moreover, let $h(\cdot)$ be a public collision resistant hash function. Furthermore, the proxy signer has a private key $s_p \in_R Z_{p-1} \setminus \{0\}$ and a public key $v_p = g^{s_p} \pmod p$.

Step (1). (Subproxy key generation): is the same as Step A except that $\sigma_i = s_i v_i + k_i h(M_w, K_i) \pmod{p-1}$, where $M_w$ is a warrant which contains the original signers' IDs, the proxy signer's ID, the issue time for the delegation, the valid delegation period, etc.

Step (2). (Subproxy key delivery): For each $1 \le i \le n$, the original signer $A_i$ sends $(M_w, \sigma_i, K_i)$ to the proxy signer over a public channel.

Step (3). (Subproxy key verification): is the same as Step C except that $g^{\sigma_i} = v_i^{v_i} \cdot K_i^{h(M_w, K_i)} \pmod p$.

Step (4). (Proxy signature key generation): If the proxy signer confirms the validity of all $(M_w, \sigma_i, K_i)$ for $1 \le i \le n$, then he computes

$\sigma_p = s_p v_p + \sum_{i=1}^{n} \sigma_i \pmod{p-1}$ as a valid proxy signature key.

Step (5). (Signing by the proxy signer): is the same as Step E except that the proxy multi-signature on $m$ for $A_1, A_2, \ldots, A_n$ is $(m, \mathrm{Sign}_{\sigma_p}(m), K_1, \ldots, K_n, M_w)$.

Step (6). (Verification of the proxy multi-signature): is the same as Step F except that $v = v_p^{v_p} \cdot v_1^{v_1} \cdots v_n^{v_n} \cdot K_1^{h(M_w, K_1)} \cdots K_n^{h(M_w, K_n)} \pmod p$.

Security Analysis: The difference between the proxy-protected proxy multi-signature scheme and the proxy-unprotected proxy multi-signature scheme proposed in Section 6 is that the proxy signer's public key is included in the proxy public key $v$, and $K_i^{K_i}$ is replaced by $K_i^{h(M_w, K_i)}$. Similar to Section 6, the proposed scheme is also secure against the public key substitution attack. Here we also note why $K_i^{K_i}$ is replaced by $K_i^{h(M_w, K_i)}$. If $K_i^{K_i}$ is used, the resulting scheme is unfair to the original signers because the proxy signer can transfer the delegation to others. The use of $K_i^{h(M_w, K_i)}$ limits the transference because $M_w$ indicates who the proxy signer is.

8. ON SUN-LEE-HWANG THRESHOLD PROXY SIGNATURE SCHEME

In this section, we show that the Sun-Lee-Hwang threshold proxy signature scheme [8] is also vulnerable to the public key substitution attack and a direct forgery. For simplicity, we describe only the signature verification process of the Sun-Lee-Hwang scheme.

Let $p$ be a large prime, $q$ be a prime factor of $p-1$, and $g$ be an element of order $q$ in $Z_p^*$. Let $p_1, p_2, \ldots, p_n$ be the $n$ proxy signers. Assume that the original signer has a private key $x_o$ and a public key $y_o = g^{x_o} \pmod p$, and each proxy signer $p_i$ has a private key $x_i$ and a public key $y_i = g^{x_i} \pmod p$. All these public keys are certified by a CA. The PGID (Proxy Group ID), which records the proxy status, is defined to be {EM, Time, Group}, where EM denotes the event mark of the proxy share generation including the parameters $t$ and $n$, Time denotes the valid delegation period, and Group denotes the information describing the identities of the original signer and the proxy signers of the group. A threshold proxy signature on $m$ is $(m, r, \mathrm{PGID}, Y, T)$, which is cooperatively generated by $t$ out of $n$ proxy signers. Any verifier can verify the validity of the threshold proxy signature $(m, r, \mathrm{PGID}, Y, T)$ by checking if the following equation holds:

$g^T = \left[y_o^{h(r, \mathrm{PGID})} \cdot r \cdot \prod_{i=1}^{n} y_i\right]^{h(m)} Y^Y \pmod p$.

8.1 Cryptanalysis

Without loss of generality, we assume that $p_1$ wants to forge a threshold proxy signature on an arbitrary message $m$ for an arbitrary proxy group $\{p_1, p_2, \ldots, p_n\}$. He first selects three random numbers $r, a, b \in Z_q$, and a forged PGID. Then he computes $Y = g^b \pmod p$,

$y_1 = \left(y_o^{h(r, \mathrm{PGID})} \cdot r \cdot \prod_{i=2}^{n} y_i\right)^{-1} g^a \pmod p$,

and $T = a h(m) + bY \pmod q$. Finally, he makes a request to the CA for updating his public key with $y_1$. Thus $(m, r, \mathrm{PGID}, Y, T)$ is a valid threshold proxy signature because the verification equation, $g^T = \left[y_o^{h(r, \mathrm{PGID})} \cdot r \cdot \prod_{i=1}^{n} y_i\right]^{h(m)} Y^Y \pmod p$, holds.

In addition, the original signer can also forge a valid threshold proxy signature with respect to an arbitrary proxy group by updating his own public key, while the proxy group cannot repudiate it. We describe this forgery as follows. We assume that the original signer wants to forge a threshold proxy signature on an arbitrary message $m$ for an arbitrary proxy group $\{p_1, p_2, \ldots, p_n\}$. He first selects three random numbers $r, a, b \in Z_q$, and a forged PGID. Then he computes $Y = g^b \pmod p$,

$y_o = \left(r \cdot \prod_{i=1}^{n} y_i\right)^{-h(r, \mathrm{PGID})^{-1}} g^a \pmod p$,

and $T = a h(r, \mathrm{PGID}) h(m) + bY \pmod q$. Finally, he makes a request to the CA for updating his public key with this $y_o$. Thus $(m, r, \mathrm{PGID}, Y, T)$ is a valid threshold proxy signature because the verification equation, $g^T = \left[y_o^{h(r, \mathrm{PGID})} \cdot r \cdot \prod_{i=1}^{n} y_i\right]^{h(m)} Y^Y \pmod p$, holds.

In the following, we show that a direct forgery by the original signer can work. The original signer first selects two random numbers $a, b \in Z_q$, and a forged PGID. Then he computes $Y = g^a \pmod p$, $r = \left(\prod_{i=1}^{n} y_i\right)^{-1} g^b \pmod p$, and $T = [x_o \cdot h(r, \mathrm{PGID}) + b] \cdot h(m) + a \cdot Y \pmod q$. Thus $(m, r, \mathrm{PGID}, Y, T)$ is a valid threshold proxy
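Returning to the proxy-protected proxy multi-signature scheme of Section 7, here is an added worked example (not code from the paper) of Steps (1), (3), (4) and (6) for n original signers. It assumes constructed toy parameters ($p = 2^{127}-1$, base $g = 3$) and SHA-256 reduced into $Z_{p-1}$ as $h(\cdot)$; the ordinary signature scheme is left abstract, so the property checked is the one it relies on, $g^{\sigma_p} = v \pmod p$, together with the warrant binding discussed in the security analysis.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2^127 - 1 is prime and g = 3 is the base;
# exponents are reduced mod p-1 as in the paper.  Not the paper's own values.
P = (1 << 127) - 1
G = 3

def h(*parts):
    """Public hash h( ), modelled with SHA-256 reduced into Z_{p-1}."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def keygen():
    """Private key s in Z_{p-1} \\ {0} and public key g^s mod p."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)

def subproxy_key(s_i, v_i, warrant):
    """Step (1): A_i computes K_i = g^{k_i} and sigma_i = s_i v_i + k_i h(M_w, K_i) (mod p-1)."""
    k = secrets.randbelow(P - 2) + 1
    K = pow(G, k, P)
    return (s_i * v_i + k * h(warrant, K)) % (P - 1), K

def subproxy_valid(sigma_i, K_i, v_i, warrant):
    """Step (3): g^{sigma_i} = v_i^{v_i} K_i^{h(M_w, K_i)} (mod p)."""
    return pow(G, sigma_i, P) == pow(v_i, v_i, P) * pow(K_i, h(warrant, K_i), P) % P

def proxy_key(s_p, v_p, subkeys, vs, warrant):
    """Step (4): sigma_p = s_p v_p + sum sigma_i (mod p-1); None if any subproxy key fails."""
    total = s_p * v_p
    for (sigma_i, K_i), v_i in zip(subkeys, vs):
        if not subproxy_valid(sigma_i, K_i, v_i, warrant):
            return None
        total += sigma_i
    return total % (P - 1)

def proxy_public_key(v_p, vs, Ks, warrant):
    """Step (6): v = v_p^{v_p} prod v_i^{v_i} prod K_i^{h(M_w, K_i)} (mod p)."""
    v = pow(v_p, v_p, P)
    for v_i, K_i in zip(vs, Ks):
        v = v * pow(v_i, v_i, P) % P * pow(K_i, h(warrant, K_i), P) % P
    return v

def demo(n=3, warrant="orig=A1,A2,A3;proxy=B;issued=2021-01-04;period=90d"):
    """Constructed run: (proxy key matches proxy public key, re-delegation rejected)."""
    signers = [keygen() for _ in range(n)]          # A_1 .. A_n
    vs = [v for _, v in signers]
    s_p, v_p = keygen()                             # the proxy signer B
    subkeys = [subproxy_key(s, v, warrant) for s, v in signers]
    Ks = [K for _, K in subkeys]
    sigma_p = proxy_key(s_p, v_p, subkeys, vs, warrant)
    # The ordinary scheme verifies under v, so sigma_p is usable iff g^{sigma_p} = v.
    consistent = (sigma_p is not None and
                  pow(G, sigma_p, P) == proxy_public_key(v_p, vs, Ks, warrant))
    # The subproxy keys are bound to M_w through h(M_w, K_i): they do not verify
    # under a warrant naming another proxy signer, which is what limits transfer.
    transferred = proxy_key(s_p, v_p, subkeys, vs, warrant.replace("proxy=B", "proxy=C"))
    return consistent, transferred is None
```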

signature because the verification equation, $g^T = \left[y_o^{h(r, \mathrm{PGID})} \cdot r \cdot \prod_{i=1}^{n} y_i\right]^{h(m)} Y^Y \pmod p$, holds.

8.2 Our Improvement

In this section, we present an improved threshold proxy signature scheme in order to defeat the above attacks.

Proxy share generation:

Step (I). The original signer randomly selects $\tilde{k} \in Z_q$, computes $\tilde{r} = g^{\tilde{k}} \pmod p$, and broadcasts $\tilde{r}$.

Step (II). (a) Each proxy signer $p_i$ randomly selects $\alpha_i \in Z_q$ and computes $r_i = g^{\alpha_i} \tilde{r} \pmod p$. (b) Each proxy signer $p_i$ checks whether $r_i \in Z_p^*$. If this is not true, he goes back to step (a). Otherwise, he broadcasts $r_i$.

Step (III). The original signer computes $r = \prod_{i=1}^{n} r_i$ and $\tilde{s} = n^{-1} x_o h(r, \mathrm{PGID}, y_o) + \tilde{k} \pmod q$, and broadcasts $\tilde{s}$.

Step (IV). Each proxy signer $p_i$ computes $r = \prod_{i=1}^{n} r_i$ and checks if the following equation holds: $g^{\tilde{s}} = y_o^{n^{-1} h(r, \mathrm{PGID}, y_o)} \cdot \tilde{r} \pmod p$. If it doesn't hold, $p_i$ broadcasts an error and stops. Each proxy signer $p_i$ computes $s_i = \tilde{s} + \alpha_i + x_i h(r, y_i) \pmod q$.

Step (V). Each proxy signer $p_i$ randomly selects a polynomial $f_i$ of degree $t-1$ in $Z_q$ such that $f_i(0) = s_i$. That is, $f_i(x) = s_i + a_{i,1} x + \cdots + a_{i,t-1} x^{t-1} \pmod q$. Then $p_i$ sends $f_i(j) \bmod q$ to $p_j$ (for $1 \le j \le n$ and $j \ne i$) in a secure manner. In addition, $p_i$ also broadcasts $g^{a_{i,1}}, \ldots, g^{a_{i,t-1}}$. [Note that $g^{s_i}$ doesn't need to be broadcast here because $g^{s_i}$ can be computed by $g^{s_i} = g^{\tilde{s}} \cdot r_i \cdot y_i^{h(r, y_i)} \cdot \tilde{r}^{-1}$.] For each distributed $f_j(i)$ (for $1 \le j \le n$ and $j \ne i$), $p_i$ can verify the validity of $f_j(i)$ by checking if the following equation holds:

$g^{f_j(i)} = g^{s_j} \left(g^{a_{j,1}}\right)^{i} \left(g^{a_{j,2}}\right)^{i^2} \cdots \left(g^{a_{j,t-1}}\right)^{i^{t-1}} \pmod p$.

If all $f_j(i)$ are verified to be legal, each $p_i$ computes $x_i' = \sum_{j=1}^{n} f_j(i) \pmod q$ as a valid proxy share. Let

$f(x) = \sum_{j=1}^{n} f_j(x) = \sum_{j=1}^{n} s_j + \left(\sum_{j=1}^{n} a_{j,1}\right) x + \cdots + \left(\sum_{j=1}^{n} a_{j,t-1}\right) x^{t-1} \pmod q$.

Hence, $x_i' = f(i)$. Note that in Step (V), if these $n$ proxy signers collude, they may change the threshold value $t$ into $t'$. However, this collusion is not meaningful because $t$ dishonest proxy signers can sign any message that they want to sign.

Generation of the proxy signature without revealing shares: Without loss of generality, we assume that $p_1, \ldots, p_t$ are the $t$ proxy signers who want to cooperate to sign a message $m$ on behalf of the original signer. Each proxy signer $p_i$ ($1 \le i \le t$) randomly selects a polynomial $f_i'$ of degree $t-1$ in $Z_q$. That is, $f_i'(x) = a_{i,0}' + a_{i,1}' x + \cdots + a_{i,t-1}' x^{t-1} \pmod q$. Thus $f_i'(0) = a_{i,0}'$. Then $p_i$ sends $f_i'(j)$ to $p_j$ (for $1 \le j \le t$ and $j \ne i$) in a secure manner. In addition, $p_i$ also broadcasts $g^{a_{i,0}'}, g^{a_{i,1}'}, \ldots, g^{a_{i,t-1}'}$. For each distributed $f_j'(i)$ (for $1 \le j \le t$ and $j \ne i$), $p_i$ can verify the validity of $f_j'(i)$ by checking if the following equation holds:

$g^{f_j'(i)} = g^{a_{j,0}'} \left(g^{a_{j,1}'}\right)^{i} \left(g^{a_{j,2}'}\right)^{i^2} \cdots \left(g^{a_{j,t-1}'}\right)^{i^{t-1}} \pmod p$.

If all $f_j'(i)$ are verified to be legal, each $p_i$ computes $x_i'' = \sum_{j=1}^{t} f_j'(i) \pmod q$ and $Y = \prod_{j=1}^{t} g^{a_{j,0}'} \pmod p$. Let

$f'(x) = \sum_{j=1}^{t} f_j'(x) = \sum_{j=1}^{t} a_{j,0}' + \left(\sum_{j=1}^{t} a_{j,1}'\right) x + \cdots + \left(\sum_{j=1}^{t} a_{j,t-1}'\right) x^{t-1} \pmod q$.

Thus, $x_i'' = f'(i)$. Then each $p_i$ computes $T_i = x_i' h(m) + x_i'' Y \pmod q$. Let $f''(x) = f(x) h(m) + f'(x) Y$. Hence $T_i = f''(i) \pmod q$. Each $p_i$ broadcasts $T_i$. For each distributed $T_j$ (for $1 \le j \le t$ and $j \ne i$), $p_i$ can verify the validity of $T_j$ by checking if the following equation holds:

$g^{T_j} = \left[g^{n\tilde{s}} \cdot \tilde{r}^{-n} \cdot \prod_{l=1}^{n} r_l \, y_l^{h(r, y_l)} \cdot \left(\prod_{l=1}^{n} g^{a_{l,1}}\right)^{j} \left(\prod_{l=1}^{n} g^{a_{l,2}}\right)^{j^2} \cdots \left(\prod_{l=1}^{n} g^{a_{l,t-1}}\right)^{j^{t-1}}\right]^{h(m)} \cdot \left[\prod_{l=1}^{t} g^{a_{l,0}'} \cdot \left(\prod_{l=1}^{t} g^{a_{l,1}'}\right)^{j} \left(\prod_{l=1}^{t} g^{a_{l,2}'}\right)^{j^2} \cdots \left(\prod_{l=1}^{t} g^{a_{l,t-1}'}\right)^{j^{t-1}}\right]^{Y} \pmod p$.

Each $p_i$ computes $T = f''(0) = f(0) h(m) + f'(0) Y$ from $T_j$ (for $1 \le j \le t$) by applying the Lagrange interpolating polynomial. The proxy signature of $m$ is $(m, r, \mathrm{PGID}, Y, T)$.

Verification of the proxy signature: Because

$g^{f(0)} \pmod p = g^{\sum_{i=1}^{n} s_i} \pmod p = g^{n\tilde{s} + \sum_{i=1}^{n} (\alpha_i + x_i h(r, y_i))} \pmod p = g^{h(r, \mathrm{PGID}, y_o) x_o + \sum_{i=1}^{n} (\tilde{k} + \alpha_i + x_i h(r, y_i))} \pmod p = y_o^{h(r, \mathrm{PGID}, y_o)} \prod_{i=1}^{n} r_i \prod_{i=1}^{n} y_i^{h(r, y_i)} \pmod p = y_o^{h(r, \mathrm{PGID}, y_o)} \cdot r \cdot \prod_{i=1}^{n} y_i^{h(r, y_i)} \pmod p$,

we can use $g^{f(0)}$ as the new public key. Thus the verifier can verify the validity of the proxy signature $(m, r, \mathrm{PGID}, Y, T)$ by checking if the following equation holds:

$g^T = \left[y_o^{h(r, \mathrm{PGID}, y_o)} \cdot r \cdot \prod_{i=1}^{n} y_i^{h(r, y_i)}\right]^{h(m)} Y^Y \pmod p$,

where $y_o$ is the original signer's public key and the $y_i$ are the proxy signers' public keys.

9. A GENERAL APPROACH TO DEFEAT THE PUBLIC KEY SUBSTITUTION ATTACK

From Sections 2 and 4, we know that both the Sun-Hsieh proxy signature scheme based on the Mambo-Usuda-Okamoto scheme and the Mambo-like proxy multi-signature scheme are only subject to the public key substitution attack. In this section, we propose a general approach to defeat the public key substitution attack without modifying these two schemes. It is clear that under the public key substitution attack, an attacker must update his public key, but the corresponding private key is unknown to him due to the difficulty of the discrete logarithm problem. Therefore we need a strict CA that can prove the user's knowledge of the corresponding private key when a user registers or updates his public key. This work may be completed by either encryption or signature. For example, the CA selects a challenge number $r$, encrypts it with the user's public key and sends the ciphertext to the user. The user must respond with $r$ to the CA in order to prove that he knows the corresponding private key. Alternatively, the CA may request the user to sign a challenge number $r$, and then check the validity of the signature on $r$ with the user's public key.

10. CONCLUSIONS

In this paper, we have shown that some proxy signature, proxy multi-signature, and threshold proxy signature schemes are vulnerable to the public key substitution attack and/or the direct forgery. Improved versions of these schemes are proposed to defeat these attacks. Due to the limit of space, we omit the security analysis of these improved schemes. The detailed analysis for these improved versions is given in the full version of this paper.

REFERENCES

[1] M. Mambo, K. Usuda, E. Okamoto, "Proxy signatures for delegating signing operation," Proc. 3rd ACM Conference on Computer and Communications Security, 1996, pp. 48-57.
[2] M. Mambo, K. Usuda, E. Okamoto, "Proxy signatures: Delegation of the power to sign messages," IEICE Trans. Fundamentals, 1996, E79-A, (9), pp. 1338-1354.
[3] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," ICICS'97, Lecture Notes in Computer Science Vol. 1334, Springer-Verlag, 1997, pp. 223-232.
[4] K. Zhang, "Threshold proxy signature schemes," 1997 Information Security Workshop, Japan, Sep. 1997, pp. 191-197.
[5] H.-M. Sun and B.-T. Hsieh, "Remarks on two nonrepudiable proxy signature schemes," Proceedings of the Ninth National Conference on Information Security, 1999, pp. 241-246.
[6] N.-Y. Lee, T. Hwang, and C.-H. Wang, "On Zhang's nonrepudiable proxy signature schemes," ACISP'98, Lecture Notes in Computer Science Vol. 1438, Springer-Verlag, 1998, pp. 415-422.
[7] L. Yi, G. Bai, and G. Xiao, "Proxy multi-signature scheme: A new type of proxy signature scheme," Electronics Letters, 2000, Vol. 36, No. 6, pp. 527-528.
[8] H.-M. Sun, N.-Y. Lee, and T. Hwang, "Threshold proxy signatures," IEE Proceedings - Computers and Digital Techniques, Vol. 146, No. 5, 1999, pp. 259-263.
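As a closing worked example of the improved threshold proxy signature scheme of Section 8.2 (added here; not code from the paper), the following simulates all parties in one process: proxy share generation (Steps (I) to (V) with the share checks), signing by t of n proxy signers without revealing shares, Lagrange recovery of $T = f''(0)$, and the final verification equation. It assumes a constructed toy group ($p = 10007$, $q = 5003$, $g = 25$ of order $q$) and SHA-256 reduced into $Z_q$ as $h(\cdot)$; the pairwise checks of the broadcast $T_j$ are omitted.

```python
import hashlib
import secrets

# Constructed toy parameters: q = 5003 is prime, p = 2q + 1 = 10007 is prime,
# and g = 5^2 mod p has order q (5 is a generator of Z_p^*).  Not the paper's values.
P, Q, G = 10007, 5003, 25

def h(*parts):
    """Public hash h( ), modelled with SHA-256 reduced into Z_q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def rand_q():
    return secrets.randbelow(Q - 1) + 1

def poly_eval(coeffs, x):
    """coeffs[0] + coeffs[1] x + ... + coeffs[t-1] x^{t-1} (mod q)."""
    return sum(c * pow(x, l, Q) for l, c in enumerate(coeffs)) % Q

def share_ok(value, commits, i):
    """Check g^value = prod_l (g^{a_l})^{i^l} (mod p) against broadcast commitments."""
    rhs = 1
    for l, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, l, Q), P) % P
    return pow(G, value, P) == rhs

def proxy_share_generation(x_o, y_o, xs, ys, pgid, t):
    """Steps (I)-(V): returns r and the proxy shares x_i' = f(i) for i = 1..n."""
    n = len(xs)
    k_t = rand_q()
    r_t = pow(G, k_t, P)                                    # Step (I): r~ = g^k~
    alphas = [rand_q() for _ in range(n)]
    rs = [pow(G, a, P) * r_t % P for a in alphas]           # Step (II): r_i = g^alpha_i r~
    r = 1
    for ri in rs:
        r = r * ri % P
    n_inv = pow(n, -1, Q)
    s_t = (n_inv * x_o * h(r, pgid, y_o) + k_t) % Q          # Step (III): s~
    # Step (IV): every p_i checks g^{s~} = y_o^{n^{-1} h(r,PGID,y_o)} r~ (mod p).
    if pow(G, s_t, P) != pow(y_o, n_inv * h(r, pgid, y_o), P) * r_t % P:
        raise ValueError("original signer's contribution does not verify")
    s = [(s_t + alphas[i] + xs[i] * h(r, ys[i])) % Q for i in range(n)]
    # Step (V): p_i shares s_i via f_i of degree t-1 with f_i(0) = s_i and broadcasts
    # g^{a_{i,l}}; g^{s_i} is derivable from public values, here simply committed.
    polys = [[s[i]] + [rand_q() for _ in range(t - 1)] for i in range(n)]
    commits = [[pow(G, c, P) for c in f] for f in polys]
    shares = []
    for i in range(1, n + 1):
        for j in range(n):
            if not share_ok(poly_eval(polys[j], i), commits[j], i):
                raise ValueError(f"share f_{j + 1}({i}) is invalid")
        shares.append(sum(poly_eval(f, i) for f in polys) % Q)   # x_i' = f(i)
    return r, shares

def threshold_proxy_sign(m, r, pgid, shares, signers):
    """t signers (1-based indices) sign m without revealing their shares x_i'."""
    t = len(signers)
    polys = {i: [rand_q() for _ in range(t)] for i in signers}   # f_i', f_i'(0) = a_{i,0}'
    commits = {i: [pow(G, c, P) for c in f] for i, f in polys.items()}
    Y = 1
    for i in signers:
        Y = Y * commits[i][0] % P                                # Y = prod g^{a_{j,0}'}
    partial = {}
    for i in signers:
        for j in signers:
            if not share_ok(poly_eval(polys[j], i), commits[j], i):
                raise ValueError(f"share f'_{j}({i}) is invalid")
        x2 = sum(poly_eval(f, i) for f in polys.values()) % Q     # x_i'' = f'(i)
        partial[i] = (shares[i - 1] * h(m) + x2 * Y) % Q          # T_i = f''(i)
    # T = f''(0) by Lagrange interpolation over the t broadcast values T_i.
    T = 0
    for i in signers:
        lam = 1
        for j in signers:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        T = (T + partial[i] * lam) % Q
    return m, r, pgid, Y, T

def verify(sig, y_o, ys):
    """g^T = [y_o^{h(r,PGID,y_o)} r prod y_i^{h(r,y_i)}]^{h(m)} Y^Y (mod p)."""
    m, r, pgid, Y, T = sig
    base = pow(y_o, h(r, pgid, y_o), P) * r % P
    for yi in ys:
        base = base * pow(yi, h(r, yi), P) % P
    return pow(G, T, P) == pow(base, h(m), P) * pow(Y, Y, P) % P

def demo(n=5, signers=(1, 3, 5), m="release build 7.2", pgid="EM=(3,5);Time=2021;Group=O,p1..p5"):
    """Constructed run: (signature by t of n verifies, signature with altered T fails)."""
    x_o = rand_q()
    y_o = pow(G, x_o, P)
    xs = [rand_q() for _ in range(n)]
    ys = [pow(G, x, P) for x in xs]
    r, shares = proxy_share_generation(x_o, y_o, xs, ys, pgid, len(signers))
    sig = threshold_proxy_sign(m, r, pgid, shares, list(signers))
    altered = sig[:4] + ((sig[4] + 1) % Q,)
    return verify(sig, y_o, ys), verify(altered, y_o, ys)
```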
