A Proxy-Protected Proxy Multi-Signature Scheme Based on the Elliptic Curve Cryptosystem

全文

(1)2002 International Computer Symposium (ICS2002) (1) Name of the workshop：Workshop on Cryptology and Information Security (2) Title of the paper：A Proxy-Protected Proxy Multi-Signature Scheme Based on the Elliptic Curve Cryptosystem (3) A short abstract：The research in the paper contributes to publicly delivering the delegation parameter and to reducing the amount of verifying operation for a proxy signature. A new proxy-protected proxy multi-signature scheme is presented based on the elliptic curve discrete logarithm problem (ECDLP). To the demand for security, the proposed scheme inherits most merits of the typical solutions based on the discrete logarithm problem (DLP). As to the expectation toward efficiency, the scheme on the elliptic curve cryptosystem (ECC) can achieve the performance of the cryptosystem more efficient than those on the DLP. (4) Name：Tzer-Shyong Chen, Tzuoh-Pyng Liu, and Yu-Fang Chung Current affiliation：Department of Computer Science and Information Engineering, Da-Yeh University Postal address：Department of Computer Science and Information Engineering, Da-Yeh University, 112 Shan-Jiau Rd, Da-Tsuen, Changhua, Taiwan 515, R.O.C. E-mail address：[email protected] Telephone number：0923696355 (5) Name of the contact author：Tzer-Shyong Chen (6) A list of keywords ： Elliptic Curve Cryptosystem, Elliptic Curve Discrete Logarithm Problem, Proxy Signature, Proxy Multi-Signature and Cryptography. 0.

(2) A Proxy-Protected Proxy Multi-Signature Scheme Based on the Elliptic Curve Cryptosystem Tzer-Shyong Chen. Tzuoh-Pyng Liu*. Yu-Fang Chung*. Department of Information management, Tunghai University, Taichung, Taiwan 40744, R.O.C. * Graduate School of Computer Science and Information Engineering, Da-Yeh University E-mail: [email protected]. Abstract The research in the paper contributes to publicly delivering the delegation parameter and to reducing the amount of verifying operation for a proxy signature. A new proxy-protected proxy multi-signature scheme is presented based on the elliptic curve discrete logarithm problem (ECDLP).. To the demand for security, the. proposed scheme inherits most merits of the typical solutions based on the discrete logarithm problem (DLP). As to the expectation toward efficiency, the scheme on the elliptic curve cryptosystem (ECC) can achieve the performance of the cryptosystem more efficient than those on the DLP. Key words: Elliptic Curve Cryptosystem, Elliptic Curve Discrete Logarithm Problem, Proxy Signature, Proxy Multi-Signature and Cryptography. 1. Introduction A digital signature is generally applied to the various electronic documents in the digital times.. To be provided with both validity and undeniability, a digital signature. must be affixed via the secret key held by the signer so that the verifier can determine the validity of signature via the public key equally attached to the same one.. It is a. common situation that a document cannot become effective except under the proviso 1.

(3) of a certain signer who may be not able to sign by himself. Then, the signer can empower a proxy signer to generate a valid signature defined as a proxy signature for him.. The proxy signature scheme was first introduced by Mambo et al. [1] in 1996.. By such a technique, an original signer only can delegate one proxy signer to sign the messages for himself.. Later, another securer version [2] was presented by Mambo et. al., in which no one can forge the proxy signature even to the original one. Such a property is indicated as “non-repudiated” or “ proxy-protected”. Different from the one-to-one scheme by Mambo, the concept of proxy multi-signature presented by Yi [3] allows two or more original signers delegate the same proxy signer to sign the messages for all original ones. According to the authorized degree, the shapes of proxy signatures are differentiated into the following three: full delegations, partial delegations, and delegations by warrant.. Kim et al. [4] originated to combine both partial delegation. and delegation by warrant in 1997, so that the generation of signature by the original or the proxy signers becomes to be identified and the delegation qualification can be limited by the original signer.. So far the technique of proxy signature is developed. under the considerations of the practical application and requirement, the last originated to combine both partial delegation and delegation by warrant is most in match with the current demands. Therefore, the proposed scheme is directed at such a kind of authorized degree. As what was mentioned in the Sun′s research [5,6], the public key substitution attack universally occurs in the existing proxy signature schemes.. Aimed at the. attack, he presented several modified proxy signature schemes to give the solutions, such as the schemes by Mambo, that by Yi, and that by Kim. However, there left something to be improved that the delivery of the delegation parameter needs to be. 2.

(4) extra-enciphered and extra-deciphered in the Sun′s schemes. Actually, such a kind of enciphering and deciphering processes should be negligible because it will burden the system with overhead.. In light of the above-mentioned, the scheme is presented. to avoid the scheme from the public key substitution attack under the condition of no extra-overhead for the efficiency of performance. After being proposed by both Koblitz [7] and Miller [9] in 1985, the elliptic curve has widely applied to the cryptosystems.. The security of ECC rests on the. difficulty of the ECDLP [7-11]. The ECC is constructed by the integer points over the elliptic curve in the finite fields.. The basic operations contain the addition and. multiplication operations under the ECC, thus the operations by ECC are more efficient than the other cryptosystems, such as the RSA and DSA. Concerning for performance efficiency and security, the ECC is directed to solving the secure defense problem of a cryptosystem. In the later sections of the paper, Section 2 illustrates the new proxy multi-signature scheme, and Section 3 emphasizes on the analyses of security and efficiency. Finally, Section 4 concludes the research in various points.. 2. The elliptic curve proxy-protected proxy multi-signature scheme To successfully withstand the public key substitution attack and achieve the delivery of the delegation parameter without the additional enciphering and deciphering procedure, the new one on the ECDLP is presented, which is equally resulted from the proxy-protected proxy multi-signature scheme by Sun on the DLP [6].. Moreover, another improvement is that the proposed multi-signature scheme. makes the computation overhead independent from the number of the original signer. The structure of the proposed scheme is divided into four phases, including the system 3.

(5) initialization phase, the key generation phase, the proxy signature generation phase, the proxy signature verification phase.. 2.1 System initialization phase Before initializing the whole scheme, the following parameters over the elliptic curve domain are required: Step 1: A field size p, which is a large odd prime. Step 2: Two parameters a, b ∈ F p to define the equation of elliptic curve E over F p (i.e., y2 = x3 + ax + b (mod p) in the case p > 3), where 4a3 + 27 b2 ≠ 0 (mod p). The cardinality of E should be divisible by a large prime number for the security issue of Pohlig and Hellman [10]. Step 3: A finite point B = ( x B , y B ) whose order is a large prime number in E ( F p ) , where B ≠ Ο , because Ο denotes an infinity point.. Step 4: The order of B = t.. 2.2 Key generation phase This phase can be further divided into two parts.. Part 1: Personal public key generation phase All original signers and the designated proxy signer are authorized to select the secret key owned by the individual. -. For each 1 ≤ i ≤ n, the original signer Ai randomly selects a number d i ∈ [1,t-1] in secure, and then computes Qi = d i × B = ( xQi , yQi ) .. If xQi ≠ 0,. then indicate d i as the secret key and Qi as the public one. -. The proxy signer randomly selects a number d p ∈ [1,t-1] in secure, and then computes Q p = d p × B = ( xQ p , y Q p ) . 4. If xQ p ≠ 0, then indicate d p as the.

(6) secret key and Q p as the public one. All public keys {Qi } and Q p must be certified through the signification of the CA, in which i = 1, 2, …, n.. Part 2: Proxy-signature secret key generation phase Step 1: (Secret key generation). For each 1 ≤ i ≤ n, the original signer Ai. selects a random number k i ∈ {1, 2, …, t-1}\ d i in secure as the secret key. Step 2: (Group commitment value generation). For each 1 ≤ i ≤ n, the original. signer Ai respectively computes Ri = k i × B = ( x Ri , y Ri ) , if xRi = 0, then go to step 1, otherwise, broadcast the resulting Ri to the other members.. After receiving these available {Ri } from the others. through the broadcast channel, every member can compute the point n. R = ∑ Ri = (x R , y R ) , in which the parameter xR is indicated as a i =1. group commitment value. Step 3: (Sub-delegation parameter generation). For each 1 ≤ i ≤ n, the. original signer Ai uses his own secret keys d i , k i and the group commitment value xR to compute: si = d i ⋅ h( M w , xQi , xQ p , xR ) − ki (mod t) Where h( ) is a public collision resistant hash function and the warrant M w contains few information, such as the IDs of all original signers, the ID of the proxy signer, and the delegation period, etc. Then, the sub-delegation parameter for Ai is ( M w , si ) .. 5.

(7) Step 4: (Sub-delegation parameter delivery). For each 1 ≤ i ≤ n, the original. signer Ai sends the sub-delegation parameter ( M w , si ) to the proxy signer in a public channel. Step 5: (Sub-delegation parameter verification). Once the proxy signer. receives the sub-delegation parameters ( M w , si ) , and then he uses these ( M w , si ) to compute the following Ri' = (x R ' , y R ' ) : i. i. Ri' = h( M w , xQi , xQ p , xR ) × Qi − si × B If xR ' = xRi (mod t), then he accepts ( M w , si ) as a valid subi. delegation parameter; otherwise, he rejects it and requests for a valid one toward the certain Ai , or terminates this protocol. Step 6: (Proxy multi-signature secret key generation). If the proxy signer. confirms the validity of all sub-delegation parameters ( M w , si ) in which 1≤ i ≤n, and then he computes the proxy multi-signature secret key as follows: n. d p = d p + ∑ si (mod t) i =1. 2.3 Proxy signature generation phase While signing a message m for A1 , A2 , …, An , the proxy signer executes the signing operation aimed at the ordinary signature scheme using the proxy multi-signature secret key d p . Assume that the resulting signature is Signd p (m) . The proxy multi-signature on m for A1 , A2 , …, An is (m, Signd p (m), R, M w ) . Then, the proxy signer sends the (m, Signd p (m), R, M w ) to the verifier.. 2.4 Proxy Signature Verification Phase 6.

(8) The verifier computes the corresponding proxy multi-signature public key using the ordinary signature scheme: Q p = Q p + h( M w , xQ1 , xQ p , xR ) × Q1 + ⋅ ⋅ ⋅ + h( M w , xQn , xQ p , xR ) × Qn − R In the ordinary signature scheme with the new generated proxy multi-signature public key Q p , the verifier confirms the validity of Signd p (m) by verifying the accuracy of the verification equation.. Theorem 2.1 For each 1 ≤ i ≤ n, if xR ' = xRi (mod t), then the proxy signer authenticates the i. ( M w , si ) as a valid sub-delegation parameter. Proof si = d i ⋅ h ( M. w. , x Q i , x Q p , x R ) − k i (mod t). ⇔ ki = di ⋅ h(M. w. , x Q i , x Q p , x R ) − s i (mod t). ⇔ ki × B = [d i ⋅ h( M w , xQi , xQ p , xR ) − si (mod t )] × B ⇔ ki × B = [d i ⋅ h( M w , xQi , xQ p , xR ) (mod t )] × B − si × B ⇔ Ri = h( M w , xQi , xQ p , xR ) × Qi − si × B ⇔ Ri'. 3. Security and Performance Analyses 3.1 Security Issues Issue 1: ECDLP The difficulty resulted from ECDLP is based on the derivation of d according to the given B and Q as follows:. 7.

(9) Q = d×B In the equation, d×B indicates that the point B is added to itself for d times and Q is a point derived from d×B, in which Q depends on the number of d.. Therefore,. an attacker in the proposed scheme encounters the difficulty constituted by the ECDLP, which makes him failed in deriving the private key from the public one to forge the signature.. Issue 2: Public key substitution attack The signature verification equation is integrated with a one-way hash function and the operation by the ECC. The difficulty, for any attackers to forge another public key from the above equation, is equivalent to the solution complicated by a one-way hash function and the problem by the ECDLP at the same time.. Its. difficulty is even harder than the ECDLP itself. Thus, the proposed scheme succeeds in withstanding the public key substitution attack. With the warrant M w , and proxy signer public key Q p , the original signer Q1 may intend to simultaneously forge his own public key Q1 and the point R from the given proxy multi-signature public key Q p to make the following signature verification equation certifiable: Q p = Q p + h( M w , xQ1 , xQ p , xR ) × Q1 + ⋅ ⋅ ⋅ + h( M w , xQn , xQ p , xR ) × Qn − R. (1). In one case, an attacker may randomly select a point Q1' = ( xQ ' , y Q' ) as his 1. 1. public key, and then he computes the corresponding point R ' = ( x R ' , y R ' ) based on the Equation (1). The difficulty is harder than that by the ECDLP.. In another case,. an attacker may randomly select a point R ' = ( x R ' , y R ' ) , and then he computes the corresponding Q1' = ( xQ ' , y Q' ) ; the difficulty is also harder than that by the ECDLP. 1. 1. 8.

(10) 3.2 Performance Analyses In order to present a contrast, the performance of the Scheme by Sun and the proposed one is formed into the following tables. Table 1 is the definitions of the given notations, and Table 2 shows the relationships of the various operations. As to the generation and verification phases, they are shown as Tables 3.. Then, the. required time complexities in the different phases are estimated as Tables 4, so that the efficiency in executing can be specifically analyzed. Table 1: Definitions of Notions Notations TMUL TEXP. Definitions the time for the modular multiplication the time for the modular exponentiation. TADD. the time for the modular addition. TEC_MUL the time for the multiplication of a number and an elliptic curve point TEC_ADD the time for the addition of two points in an elliptic curve. Through the statements [12], the relationships of various operations can be included so as to specify the time complexity: -. gx mod p, where p is a 1024-bit prime and x is a random 160-bit integer.. -. k×B is given, where B∈E(Zp), E is an elliptic curve defined over Zp, p≈2160, and k is a random 160-bit integer.. Thus, time complexity is provided with the following relationship:. Table 2: Relationships of Various Operations TEXP ≈ 240TMUL TEC_MUL ≈ 29TMUL TEC_ADD ≈ 0.12TMUL TADD is negligible. 9.

(11) Table 3: Phases of Sun′s and Proposed Proxy Multi-Signature Schemes Items Private Key Key Generation Public Key. Scheme by Sun. Scheme by us. si , s p. di , d p. vi = g si (mod p),. Qi = d i × B = ( xQi , yQi ). vp = g. sp. (mod p). Q p = d p × B = ( xQ p , y Q p ) Ri = k i × B = ( x Ri , y Ri ). ki , K i = g. Sub-Delegation Parameter Generation. ki. (mod p). n. R = ∑ Ri = ( x R , y R ) i =1. Sub-Delegation Parameter Verification Proxy Multi-Signature Secret Key Generation. σ i = s i ⋅ v i + k i ⋅ h( M w , K i ). si = d i ⋅ h( M w , xQi , xQ p , xR ) − ki. (mod p-1). (mod t) R = h( M w , xQi , xQ p , x R ) × Qi. g σ i = vi i ⋅ K i (mod p). − si × B n. σ = s p ⋅ v p + ∑σ i i =1. n. d p = d p + ∑ si (mod t) i =1. mod (p-1) v = v p p ⋅ v1 1 ⋅ ⋅ ⋅ vn n ⋅ v. Q p = Q p + h( M w , xQ1 , xQ p , xR ) × Q1. ⋅⋅⋅ Kn (mod p). h( M w ,Kn ). + ⋅ ⋅ ⋅ + h( M w , xQn , xQ p , xR ) × Qn. v. Verification of the Proxy Multi-Signature. h( M w , Ki ). v. ' i. K1. v. h ( M w , K1 ). −R. Table 4: Time Complexity and Estimation of Proxy Multi-Signature Schemes Scheme by Sun Time Roughly Complexity Estimation 240(n+1)TMUL Key Generation (n+1)TEXP Items. Sub-Delegation Parameter Generation Sub-Delegation Parameter Verification Proxy MultiSignature Secret Key Generation. nTEXP+ 2nTMUL+ nTADD+ nHashing. 242nTMUL+ nHashing. 3nTEXP+ nTMUL+ nHashing. 721nTMUL+ nHashing. 1TMUL+ nTADD. 1TMUL. 10. Scheme by us Time Roughly Complexity Estimation (n+1)TEC_MUL 29(n+1)TMUL nTEC_MUL+ nTMUL+ (30.12n+0.12)TMUL (n-1)TEC_ADD + nHashing +nTADD nHashing 2nTEC_MUL+ (58.24n-0.12)TMUL+ (2n-1)TEC_ADD+ nHashing nHashing. nTADD. Negligible.

(12) nTEC_MUL + Verification of (2n+1)TEXP+ (482n+240)TMUL+ (29.12n+0.12)TMUL+ 2nTMUL+ (n+1)TEC_ADD the Proxy nHashing nHashing + nHashing Multi-Signature nHashing. 4 Conclusions The research in the paper contributes a new proxy-protected proxy multi-signature scheme secure and more efficient than those by Sun. Noteworthy is that the additional demand for a secure manner in the previous related solutions, delivering the delegation parameter from the original signer to the proxy one, is simplified to be omissible in enciphering and deciphering.. Especially for the. proposed multi-signature scheme, it makes the computation overhead independent from the number of the original signer, so that the amount of operation for the verification can be greatly reduced.. In the way, the practicability of the proxy. signature techniques can be pushed ahead.. References [1]. M. Mambo, K. Usuda, and E. Okamoto, Proxy Signatures for Delegating Signing Operation, “Proc. 3rd ACM Conference on Computer and Communications Security,” ACM press, 1996, pp.48-57.. [2] M. Mambo, K. Usuda, and E. Okamoto, Proxy Signatures: Delegation of the Power to Sign Messages, “IEICE Trans. Fundamentals,” Vol. E79-A, No. 9, Sep. 1996, pp.1338-1354. [3] L. Yi, G. Bai, and G. Xiao, Proxy multi-signature scheme: A new type of proxy signature scheme, “Electronics Letters,” Vol. 36, No. 6, 2000, pp.527-528. [4] S. Kim, S. Park, and D. Won, Proxy Signatures, Revisited, “ICICS'97,” Lecture Notes in Computer Science 1334, Springer-Verlag, 1997, pp.223-232. [5] H. M. Sun, On Proxy Multi-Signature Schemes, “Proceedings of the International. 11.

(13) Computer Symposium,” 2000, pp.65-72. [6] H. M. Sun, Improved Proxy Signature Schemes, “Proceedings of the International Computer Symposium,” 2000. [7] N. Koblitz, Elliptic Curve Cryptosystems, “Mathematics of Computation,” Vol. 48, 1987, pp.203-209. [8] N. Koblitz, “A Course in Number Theory and Cryptography,” New York, NY: Springer-Verlag, Second edition, 1994. [9] V.S. Miller, Uses of Elliptic Curves in Cryptography, “Advances in Cryptology-Crypto'85, Proceedings, Lecture Notes in Compute Science, New York, NY: Springer-Verlag,” No. 218, 1985, pp.417-426. [10] S. Pohlig and M. Hellman, An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance, “IEEE Transactions on Information Theory,” Vol. 24, 1978, pp.106-110. [11] A Certicom Whitepaper, The Elliptic Curve Cryptosystem, July 2000, http://www.certicom.com [12] Chu-Hsing Lin and Cheng-Lung Lee, Elliptic-Curve Undeniable Signature Schemes, “Proceedings of the Eleventh National Conference on information Security,” 2001, pp.331-338.. 12.

(14)