Forward Secure Proxy Signature Scheme
unrevealed. If a secret key is revealed, security is compromised and any signature created by the key is no longer trusted. Recently, several works [6][7] have been proposed. Many use distribution of the key across multiple proxy signers with (k, n) threshold schemes and proactive schemes [11][12]. In (k, n) threshold schemes, security is assumed if throughout the entire lifetime of the secret the adversary is restricted to compromise fewer than k of the n shares. Moreover, since each of the proxy signers with shares may face the same attack, the actual risk may not decrease.

To address the problem, forward security is a novel approach. The object of forward security on a proxy signature scheme is to protect signature security against the risk of key exposure of the proxy key without requiring the effort of key distribution. A proxy signer proxy key $\sigma_0$ and keeps the corresponding proxy key. During the validity of the public key, the time is divided into periods, numbered 1...t. The proxy signer renews the proxy key in each period and deletes the previous keys, while the public key stays fixed. At the start the proxy key is $\sigma_0$. At time period $j$ the proxy signer has the proxy key $\sigma_j$. During the period $j$, an attacker gets proxy key $\sigma_j$, but he does not break $\sigma_0 \ldots \sigma_{j-1}$ since they have been deleted.

In this paper, we propose a proxy signature scheme with the forward security property. The proposed scheme refers to the concepts of the $2^l$-th root signature scheme and the forward-secure scheme [9]. The security is based on the assumptions of the square root (SQROOT) problem and a cryptographic one-way hash function.

The rest of this paper is organized as follows. In section 2, we briefly describe related schemes. In section 3 we propose a forward-secure proxy signature scheme. In section 4 the correctness and conformance of the proposed scheme are presented. The discussion on the proposed proxy signature scheme is presented in section 5. In section 6 we apply our scheme to the limitation of the proxy time period. Finally, we make a brief conclusion of this paper in section 7.

2 Preliminary

We modify the Abdalla-Reyzin forward-secure digital signature scheme, the $2^v$-th root signature and Lee et al.'s [4] to make a proxy signature with the forward-secure property. We describe the mathematical background and related work as follows.

2.1 Notations and assumptions

Throughout this paper the following parameters and assumptions are the same. We list the parameters used in this paper. For details of the description refer to [9].

$H(\cdot)$ : One-way hash function.
$v$ : A security parameter known by the original signer and the proxy signer.
$p_1$ and $p_2$ : Two primes of approximately equal size with $p_1 \equiv p_2 \equiv 3 \pmod 4$.
$N$ : A k-bit integer with $N = p_1 p_2$; such $N$ is called a Blum integer.
$Q$ : The set of non-zero quadratic residues modulo $N$.
$(s_A, u_A)$ : public key pair with $u_A = 1/s_A^{2^v} \pmod N$ for signer A.
$(s_B, u_B)$ : public key pair with $u_B = 1/s_B^{2^v} \pmod N$ for signer B.

2.2 Mathematic background

The mathematical basis is an extension of the square root (SQROOT) problem. We use the parameters as defined in section 2. For $k \in Q$ and a $v$-bit binary string $r = b_1 \ldots b_v$, we define

$F_r(s) \equiv s^{2^v} k^{r} \pmod N$.

Anyone who knows $N$ and $r$ can efficiently compute $F_r(s)$, and anyone who knows $p_1$ and $p_2$ can efficiently compute $s$ for a given $F_r(s)$. On the contrary, if one knows only $N$ and $r$, it is hard to compute $s$.

2.3 2v-th root signature scheme

In the proposed scheme we use the $2^v$-th root signature scheme to sign a warrant message. Here we introduce it briefly.

(Signature generation) To sign a message $M$ a signer picks a random number $k \in Q$ and computes

$r = k^{2^v} \pmod N$,
$e = H(M, r)$, and
$\sigma = k\, s_A^{e} \pmod N$.

The pair $(r, \sigma)$ is the signature on the message $M$.

(Message verification) To verify the validity of a signature a verifier checks that $\sigma \not\equiv 0 \pmod N$, computes

$r' = \sigma^{2^v} u_A^{e} \pmod N$

and checks that the following equation holds:

$e = H(r', M)$.

3 The proposed scheme

In this section, we shall present a new forward-secure proxy signature scheme. Like a standard proxy signature scheme, it contains four phases - proxy generation, proxy key verification, proxy signature, and proxy signature verification. The proposed scheme adds a proxy key update phase in which a proxy signer updates his/her proxy key and deletes the previous proxy key during the time period. Therefore, a forward-secure proxy signature scheme is a key-evolving digital signature scheme.

The sketch of the proposed scheme is as follows. The proposed scheme involves the following participants: the original signer (Alice), the proxy signer (Bob) and a verifier (Carol). First, Alice creates a signature $\sigma_A$ on a warrant $M_W$ using the $2^v$-th root signature scheme, and Bob receives and verifies the signature to create a proxy key. Second, Bob has the secret key pair $(j-1, \sigma_{B_{j-1}})$ in the time period $j-1$ and wants to get the proxy key pair $(j, \sigma_{B_j})$ at time period $j$ by squaring $\sigma_{B_{j-1}}$ $v$ times. Finally, to sign a message $M$ Bob uses the forward-secure signature scheme to create a signature. The valid proxy signature tuple $(\sigma, M, r, M_W, r_A, j)$ on message $M$ includes the proxy information $M_W$ and $r_A$ to conform to the requirements of a proxy signature.

The protocol proceeds in the following steps. The system parameters are the same as given previously. Alice and Bob have public key pairs $(u_A, s_A)$ and $(u_B, s_B)$ respectively.

(Proxy generation) – The original signer Alice chooses a random number $k_A \in Z_N^*$, computes

$r_A = (1/k_A)^{2^{v(t+1)}} \pmod N$,   (1)
$e_A = H(M_W, r_A)$, and   (2)
$\sigma_A = k_A\, s_A^{e_A} \pmod N$   (3)

and sends $(\sigma_A, M_W, r_A)$ to the proxy signer Bob in a secure manner.

(Proxy key verification) – Upon receiving $(\sigma_A, M_W, r_A)$, Bob computes $e_A = H(M_W, r_A)$ and checks that the following equation holds:

$\sigma_A^{2^{v(t+1)}} = (1/r_A)(1/u_A)^{e_A} \pmod N$.   (4)

If the check passes successfully, Bob accepts $\sigma_A$ and computes

$\sigma_{B_0} = \sigma_A (s_B)^{e_A} \pmod N$   (5)

as his proxy key, where the index "0" means the base state of the proxy key $\sigma_B$, i.e. the beginning at time period 0.

(Proxy key update) – At the time period $j-1$, Bob renews his proxy key pair $(j-1, \sigma_{B_{j-1}})$ to $(j, \sigma_{B_j})$ used in the next period $j$, computes

$\sigma_{B_j} = (\sigma_{B_{j-1}})^{2^v} \pmod N$   (6)

and deletes $\sigma_{B_{j-1}}$.

(Proxy signature) – To sign a message $M$ at the current period $j$ Bob chooses a random number $k \in Z_N^*$, computes

$r = k^{2^{v(t+1-j)}} \pmod N$,   (7)
$e = H(M, r, j)$, and
$\sigma = k (\sigma_{B_j})^{e} \pmod N$.   (8)

The tuple $(\sigma, M, r, M_W, r_A, j)$ is the proxy signature on the message $M$.

(Verification of proxy signature) – To verify the validity of a signature the verifier Carol computes $e_A = H(M_W, r_A)$, and

$r' = \sigma^{2^{v(t+1-j)}} (r_A (u_A u_B)^{e_A})^{e} \pmod N$   (9)

and checks that the equation $H(M, r', j) = H(M, r, j)$ holds.

The original signer delegates her signing capability to the proxy signer by creating a signature on a warrant message $M_W$ using the 2th-root signature scheme. No one except the original signer can create the signature that delegates her signing capability.

In the proxy key update phase Bob renews his proxy key $\sigma_{B_j} = (\sigma_{B_{j-1}})^{2^v}$ at the time period $j$ and deletes $\sigma_{B_{j-1}}$. Based on the SQROOT problem it is computationally infeasible to get $\sigma_{B_{j-1}}$ from $\sigma_{B_j}$ without knowing $p_1$ and $p_2$.

Because the scheme provides the forward-secure property, the proxy signer renews the proxy key at every time period. The previous proxy signature schemes were not able to renew proxy keys. Therefore, the proposed scheme provides the property of a timestamp. From a proxy signature a verifier can check at what time period the proxy signature was created.

The procedures of creation and verification of a proxy signature resemble the $2^l$-th root signature scheme, but the creation of the signature uses the proxy key at the current time period and the verification of the proxy signature uses both Alice's public key and Bob's public key.

4. Correctness and conformance

In the following theorems, we show that the proposed scheme works correctly.

4.1 Correctness

Theorem 1: If an original signer delegates its right, a proxy signer can verify the validity of $\sigma_A$ in Eq. (4).

Proof: Computing $e_A = H(M_W, r_A)$ and raising both sides of Eq. (3) to the power $2^{v(t+1)}$, we have

$\sigma_A^{2^{v(t+1)}} = (k_A (s_A)^{e_A})^{2^{v(t+1)}} \pmod N$
$= (k_A)^{2^{v(t+1)}} ((s_A)^{e_A})^{2^{v(t+1)}} \pmod N$

where $s_A$ is the secret key of the original signer. From Eq. (1)(2), we replace $k_A$ with $r_A$ and the original signer's secret key, and have

$\sigma_A^{2^{v(t+1)}} = (1/r_A) ((s_A)^{e_A})^{2^{v(t+1)}} \pmod N$
$= (1/r_A)(1/u_A)^{e_A} \pmod N$.

Q.E.D.

Theorem 2: If the proposed signature $(\sigma, M, r, M_W, r_A, j)$ is valid at the time period $j$, it will pass Verification of proxy signature in section 4.

Proof: We compute $e_A = H(M_W, r_A)$ and $e = H(M, r, j)$ from the signature tuple $(\sigma, M, r, M_W, r_A, j)$. From Eq. (9), let

$r' = \sigma^{2^{v(t+1-j)}} (r_A (u_A u_B)^{e_A})^{e} \pmod N$.

Replace $\sigma$ with Eq. (8):

$r' = (k (\sigma_{B_j})^{e})^{2^{v(t+1-j)}} (r_A (u_A u_B)^{e_A})^{e} \pmod N$
$= k^{2^{v(t+1-j)}} ((\sigma_{B_j})^{2^{v(t+1-j)}})^{e} (r_A (u_A u_B)^{e_A})^{e} \pmod N$.

From (6), we substitute $B_0$ for $B_j$:

$r' = k^{2^{v(t+1-j)}} ((\sigma_{B_j})^{2^{v(t+1-j)}})^{e} (r_A (u_A u_B)^{e_A})^{e} \pmod N$
$= k^{2^{v(t+1-j)}} ((\sigma_{B_0})^{2^{v(t+1)}})^{e} (r_A (u_A u_B)^{e_A})^{e} \pmod N$.

From (3)(5)(7), replace $\sigma_{B_0}$ by $\sigma_A$ and $s_B$:

$r' = k^{2^{v(t+1-j)}} ((\sigma_{B_0})^{2^{v(t+1)}})^{e} (r_A (u_A u_B)^{e_A})^{e} \pmod N$
$= k^{2^{v(t+1-j)}} ((1/r_A)((1/u_A)(1/u_B))^{e_A})^{e} (r_A (u_A u_B)^{e_A})^{e} \pmod N$
$= k^{2^{v(t+1-j)}} \pmod N$
$= r \pmod N$.

Therefore, the equation $H(M, r', j) = H(M, r, j)$ holds.

Q.E.D.

At the time period $j$ the proxy signer has the proxy key pair $(j, \sigma_{B_j})$ and signs a message using the forward-secure scheme [9], except that the proxy signer uses the proxy key instead of the secret key, and a public key combined from $r_A$, $u_A$ and $u_B$.

4.2 Conformance

In this section, we discuss how the proposed scheme conforms to the security requirements of a strong proxy signature.

(Strong unforgeability) No one except the proxy signer Bob can generate a valid proxy key pair on behalf of Alice because the proxy key $\sigma_{B_0}$ (at the base state with index '0') contains Bob's secret key $s_B$, which is only known by Bob. It is computationally infeasible to break Bob's secret key $s_B$ from Bob's public key $u_B$ without additional information, based on the SQROOT problem. Hence, only a designated proxy signer can create a valid proxy signature.

(Verifiability) The warrant information $M_W$, which includes the original signer Alice's assignment material, is implied in the hash value $e_A$. And this hash value is used in the verifying process. Therefore, if the proxy signature $\sigma$ passes the check successfully, Alice's agreement on the signed message $M$ is also verified explicitly.

(Strong identifiability) Identity information of the proxy signer Bob is included in the public key. Anyone can determine the identity of the corresponding proxy signer because the proxy signer's public key $u_B$ is required in order to check a proxy signature in the proxy signature verification phase.

(Strong undeniability) Once a proxy signer has created a legal proxy signature at the time period $j$ before the key is compromised, Bob cannot repudiate it in the future because he is the only person who can compute the proxy key pairs.

(Prevention of misuse) If Bob uses the proxy key pair for other applications that the warrant $M_W$ does not state, he must be responsible for it because no one except him can generate the proxy signature under the name of Bob. Accordingly, illegal proxy transfer is prevented and the signing capability of the proxy signer is limited.

(Forward-secure property) In the proxy update phase, the new secret key $\sigma_{B_{j+1}}$ is generated by computing $v$ squarings (i.e. $\sigma_{B_{j+1}} = (\sigma_{B_j})^{2^v}$). According to the above sections, it is difficult to compute the secret key $\sigma_{B_j}$ from the current $\sigma_{B_{j+1}}$ without knowing $p_1$ and $p_2$ under the SQROOT problem. Therefore, even though an adversary breaks into the proxy system and gets the present key pair $(j, \sigma_{B_j})$, he cannot generate the past key pairs from $(0, \sigma_{B_0})$ to $(j-1, \sigma_{B_{j-1}})$.

5 Discussion

The proposed scheme is derived from the Abdalla-Reyzin forward-secure digital signature scheme, in which the security of the scheme is based on the hardness of factoring Blum integers. The most significant feature of a forward-secure signature is to allow for key exposure attacks. The adversary can obtain the proxy key $\sigma_j$ at the current time period $j$. The adversary can forge the current signature successfully, but he will fail to forge a valid signature for a time period $i < j$, since it is computationally infeasible to derive $\sigma_0 \ldots \sigma_{j-1}$ based on the SQROOT problem, i.e. the hardness of factoring Blum integers.

The efficiency of the phases of proxy generation and proxy key verification is about that of the 2th-root signature scheme, but the phases of proxy key update, proxy signature and proxy key verification are the same as [9]. We analyse the number of modular multiplications and modular squarings required to sign a document and verify its validity. Like the Abdalla-Reyzin forward-secure scheme, the proxy signature takes time $v(t+1-j)$ modular squarings and $e$ modular multiplications. Because the proxy signature verification requires combining the proxy public key, the scheme takes time $e_A$ modular multiplications more than the verification in the forward-secure scheme. So the verification of a proxy signature needs about $v(t+1-j) + e$ modular multiplications.

Thus, our scheme has almost the same efficiency as the forward-secure scheme in [9]. In general, we take N = 102b bit and the length of the hash value is 160 bits. However, because we add the phases of proxy generation and proxy verification, we believe that the result is more efficient than the scheme inherited from [8].

6. Application to limitation on time duration of delegation

Besides protecting proxy signatures created before the key's exposure, the proposed scheme provides a mechanism for limiting the lifetime of the signing key. In [2], an original signer Alice secretly gives her signature parameter, which does not contain key information, to a proxy signer Bob. The scheme ensures the proxy key will be valid throughout the entire lifetime of the key. Kim et al. [3] proposed a warrant to state the information on the delegation relationship, which may include the valid duration of the proxy signature. It does not provide an efficient mechanism to process the time duration. In our scheme, a proxy signature includes the value $j$ of the time period in which it was created. A verifier can verify the valid period by checking whether the value $j$ of the time period is within the duration of delegation. The number of periods T and the length of each period can represent a proxy time period. For example, an original signer Alice wants to delegate her signing capability to a proxy signer Bob for a month. The time period could be set as T = 30 with each period having a length of one day. The proxy public key is kept for one month and the proxy key is updated daily. When a secret key finishes updating (i.e. it has been updated for all the periods), the proxy key is revoked automatically.

7. Conclusion

Proxy signatures are very helpful tools in which an original signer delegates his signing capability to a proxy signer and then the proxy signer creates a digital signature on behalf of the original signer. However, the key exposure problem in distributed environments is also a serious problem against the security of a strong proxy signature scheme. Consequently, we have proposed a forward-secure proxy signature scheme to avoid the problem of key compromise.

References

[1] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.
[2] M. Mambo, K. Usuda, and E. Okamoto, "Proxy Signatures: Delegation of the power to sign messages," IEICE Trans. Fundamentals, vol. E79-A, no. 9, 1996, pages 1338-1354.
[3] S. Kim, S. Park, and D. Won, "Proxy Signatures, Revisited," Proc. of ICICS'97, Springer-Verlag, Lecture Notes in Computer Science, LNCS 1334, 1997, pages 223-232.
[4] B. Lee and K. Kim, "Strong proxy signatures," IEICE Trans. Fundamentals, vol. E82-A, no. 1, Jan 1999, pages 1-11.
[5] B. Lee, H. Kim and K. Kim, "Strong proxy signature and its applications," Proc. of SCIS 2001, 11B-1, pages 603-608, 2001.
[6] K. Zhang, "Threshold Proxy Signature Schemes," 1997 Information Security Workshop, Japan, Sep. 1997, pages 191-199.
[7] H. M. Sun, N. Y. Lee, and T. Hwang, "Threshold Proxy Signatures," IEE Proceedings – Computers and Digital Techniques, Vol. 146, No. 5, 1999, pages 259-263.
[8] M. Bellare and S. Miner, "A Forward-Secure Digital Signature Scheme," Advances in Cryptology - CRYPTO 99 Proceedings, Lecture Notes in Computer Science, Vol. 1666, Springer-Verlag, M. Wiener, ed., 1999, pages 431-438. Full version: Theory of Cryptography Library: Record 99-16, September 1999, http://philby.ucsd.edu/cryptolib.html.
[9] M. Abdalla and L. Reyzin, "A new forward-secure digital signature scheme," ASIACRYPT, pages 116-129, 2000.
[10] H. Ong and C. Schnorr, "Fast Signature Generation with a Fiat Shamir-Like Scheme," Advances in Cryptology Eurocrypt '90, Lecture Notes in Computer Science, Vol. 473, Springer-Verlag, pages 432-440, 1991.
[11] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, "Proactive Secret Sharing or: How to Cope With Perpetual Leakage," CRYPTO '95, LNCS 963, 1995.
[12] A. Shamir, "How to Share a Secret," CACM Vol. 22, No. 11, 1979.
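The phases of Section 3 (proxy generation through proxy signature verification, Eqs. (1) to (9)) run end to end in the sketch below, which is an added example and not code from the paper. It assumes the key relation u = 1/s^(2^(v(t+1))) that Eq. (4) and the correctness proof rely on, SHA-256 in place of H, and a constructed toy modulus whose factors are public; all function names are illustrative.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy modulus: two Mersenne primes, both 3 mod 4, so N is a Blum
# integer. Its factors are public, so it is for illustration only.
N = (2**107 - 1) * (2**127 - 1)
V, T = 8, 4                 # v squarings per period; periods j = 0..t
FULL = V * (T + 1)          # the exponent v(t+1)

def H(*parts):
    """SHA-256 over the joined parts, as an integer (stand-in for H)."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def sq(x, n):
    """x^(2^n) mod N."""
    return pow(x, 1 << n, N)

def rand_unit():
    """Random invertible element of Z_N."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if gcd(k, N) == 1:
            return k

def keygen():
    # Assumed key relation: u = 1 / s^(2^(v(t+1))), the form Eq. (4) relies on.
    s = rand_unit()
    return s, pow(sq(s, FULL), -1, N)

def proxy_generate(s_a, warrant):                      # Alice, Eqs. (1)-(3)
    k_a = rand_unit()
    r_a = pow(sq(k_a, FULL), -1, N)
    return k_a * pow(s_a, H(warrant, r_a), N) % N, r_a

def proxy_accept(sigma_a, warrant, r_a, u_a, s_b):     # Bob, Eqs. (4)-(5)
    e_a = H(warrant, r_a)
    if sq(sigma_a, FULL) != pow(r_a * pow(u_a, e_a, N), -1, N):
        raise ValueError("delegation signature rejected")
    return sigma_a * pow(s_b, e_a, N) % N              # sigma_B0

def update(sigma_b):                                   # Eq. (6)
    return sq(sigma_b, V)                              # caller discards the old key

def sign(sigma_bj, j, msg):                            # Eqs. (7)-(8)
    k = rand_unit()
    r = sq(k, V * (T + 1 - j))
    return k * pow(sigma_bj, H(msg, r, j), N) % N, r

def verify(sigma, r, j, msg, warrant, r_a, u_a, u_b):  # Eq. (9)
    if not 0 <= j <= T or sigma % N == 0:              # period limit, Section 6
        return False
    e_a, e = H(warrant, r_a), H(msg, r, j)
    pub = r_a * pow(u_a * u_b, e_a, N) % N
    r_prime = sq(sigma, V * (T + 1 - j)) * pow(pub, e, N) % N
    return H(msg, r_prime, j) == e
```

A signature produced with the period-2 key but labelled j = 1 does not verify, because the verifier's exponent v(t+1-j) no longer matches the number of squarings already applied to the key.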