
© 2007 Institute of Mathematics and Informatics, Vilnius

On the Proxy-Protected Property of Chen et al.’s Proxy Multisignature Schemes

Pei-Hui HUANG1, Hsiang-An WEN2, Chih-Hung WANG3, Tzonelih HWANG1

1 Department of Computer Science and Information Engineering, National Cheng Kung University, Tainan, Taiwan, R.O.C.

e-mail: pehui@ismail.csie.ncku.edu.tw, hwangtl@ismail.csie.ncku.edu.tw

2 Department of Computer Science and Information Engineering, Leader University, Tainan, Taiwan, R.O.C.

e-mail: reinhard@ismail.csie.ncku.edu.tw

3 Department of Computer Science and Information Engineering, National Chiayi University, Chiayi, Taiwan, R.O.C.

e-mail: wangch@mail.ncyu.edu.tw

Received: March 2005

Abstract. Recently, Chen, Chung, and Huang proposed a traceable proxy multisignature scheme based on the elliptic curve cryptosystem. However, this paper shows that in their proxy-protected scheme the original signers can produce a valid signature just as the proxy signer does. Therefore, Chen et al.’s proxy-protected scheme cannot protect the proxy signer from forgery by the original signers. We further find that the earlier work of Chen et al. from 2003 suffers from the same attack. To overcome this problem, an improved scheme is presented.

Key words: proxy signature, proxy multisignature, proxy-protected, elliptic curve, digital signature.

1. Introduction

The proxy signature is a kind of signature that allows one party, called the original signer, to delegate his signing capability to a designated party, called the proxy signer. The proxy signer can then sign messages on behalf of the original signer. The concept of proxy signature was first introduced by Mambo et al. (Mambo et al., 1996) in 1996. In such a scheme, the original signer can delegate his/her signing capability to a proxy signer. There are three types of delegation: full delegation, partial delegation, and delegation by warrant.

In full delegation, the original signer gives his/her private key to the proxy signer to sign messages. There is no difference between the signatures made by the original signer and the proxy signer. In partial delegation, although the proxy signing key is derived from the original signer’s private key, it is infeasible to deduce the original signer’s private key from the proxy key. In the case of delegation by warrant, the original signer signs a warrant to certify the fact of delegation. According to whether or not the original signer can produce a valid proxy signature, proxy signature schemes can further be divided into two types.


If the original signer can generate a signature just as the proxy signer does, the scheme is called a proxy-unprotected proxy signature scheme. Otherwise, it is called a proxy-protected proxy signature scheme.

In contrast with the one-to-one scheme proposed by Mambo et al., the concept of proxy multisignature was introduced by Yi, Bai, and Xiao (Yi et al., 2000). In Yi et al.’s scheme, two or more original signers can delegate a single proxy signer to sign messages. Unfortunately, Sun (Sun, 2000) showed that the scheme suffers from a public key substitution attack. That is, an original signer can forge a valid signature by replacing the original public key with a new one. Hence, Sun proposed a proxy signature scheme to avoid this attack. In order to reduce the computational overhead of Sun’s scheme, Chen, Chung, and Huang (Chen et al., 2003) proposed two improved schemes based on the elliptic curve cryptosystem. The first is a proxy-unprotected scheme and the second is a proxy-protected scheme. Further, Chen, Chung, and Huang (Chen et al., 2004) used a similar concept to design a traceable proxy multisignature scheme based on the elliptic curve cryptosystem. However, this paper shows that both schemes proposed by Chen et al. (Chen et al., 2003; Chen et al., 2004) fail to achieve the proxy-protected property. The original signers can cooperate to produce a valid proxy signature without the proxy signer’s assistance. An improved scheme is further proposed to solve this problem.

The rest of this paper is organized as follows. Section 2 reviews Chen et al.’s scheme. In Section 3, the weaknesses of Chen et al.’s scheme are illustrated. We give an improvement and discuss its security in Section 4. Finally, the conclusion of this paper is given in Section 5.

2. Review of Chen et al.’s Scheme

Chen et al. proposed a proxy-protected proxy multisignature scheme based on elliptic curves (Chen et al., 2003) to improve the performance of Sun’s scheme. Later, Chen et al. proposed a similar scheme with traceability (Chen et al., 2004). However, neither scheme satisfies the proxy-protected property. This section reviews only Chen et al.’s traceable proxy-protected scheme, which suffices to explain the weakness in the proxy-protected property of both schemes.

2.1. System Initialization and Key Generation Phase

The notation used is listed below.

1. $F_p$: a finite field, where $p$ is a prime.

2. $E$: an elliptic curve $y^2 = x^3 + ax + b$ over $F_p$, where $a, b \in F_p$ and $4a^3 + 27b^2 \ne 0$.

3. $G$: a finite point on $E(F_p)$ with prime order $t$.

4. $h: \{0,1\}^* \times F_p \times F_p \times F_p \to Z_t$, a public collision-resistant hash function.

For each $i \in [1, n]$, the original signer $A_i$ has a private/public key pair $d_{o_i}/Q_{o_i}$ certified by a trusted authority, where $d_{o_i} \in Z_t$ and $Q_{o_i} = d_{o_i} G = (x_{o_i}, y_{o_i})$. The proxy signer also has a private/public key pair $d_p/Q_p$ with $Q_p = d_p G = (x_p, y_p)$.


2.2. Proxy Multisignature Generation and Verification Phase

1. Subproxy key generation: For $i = 1, 2, \dots, n$, each original signer $A_i$ selects a random number $k_i \in Z_t$ and computes $R_i = k_i G = (x_{R_i}, y_{R_i})$. If $x_{R_i} = 0$, he/she selects another $k_i$; otherwise he/she broadcasts $R_i$ to the other original signers. After receiving all $R_j$, $1 \le j \le n$, $j \ne i$, from the other original signers, $A_i$ computes $R = \sum_{i=1}^{n} R_i = (x_R, y_R)$ and $s_i = d_{o_i} \cdot h(M_w, x_{o_i}, x_p, x_R) - k_i \bmod t$, where $M_w$ is a warrant that specifies the fact of delegation, the delegation period, and other information.

2. Subproxy key delivery: For $i = 1, 2, \dots, n$, each original signer $A_i$ sends $(M_w, s_i)$ to the proxy signer via a public channel.

3. Subproxy key verification: The proxy signer computes $U_i = h(M_w, x_{o_i}, x_p, x_R) \cdot Q_{o_i} - s_i G = (x_{U_i}, y_{U_i})$ for $i = 1, 2, \dots, n$. If $x_{U_i} = x_{R_i}$, the proxy signer accepts $s_i$ as a valid subproxy key; otherwise, he/she rejects it.

4. Proxy key generation: The proxy signer computes $d = d_p + \sum_{i=1}^{n} s_i$ as the proxy key.

5. Signing by the proxy signer: The proxy signer uses the signing function $\mathrm{Sign}_d(\cdot)$ with the proxy key $d$ to generate a signature on the message $m$. Note that $\mathrm{Sign}_d(\cdot)$ can be any secure signature scheme based on elliptic curves, such as (Pohlig and Hellman, 1978). The resulting proxy multisignature is $(m, \mathrm{Sign}_d(m), R, M_w)$.

6. Proxy multisignature verification: The verifier computes the corresponding proxy public key $Q = Q_p + h(M_w, x_{o_1}, x_p, x_R) \cdot Q_{o_1} + \cdots + h(M_w, x_{o_n}, x_p, x_R) \cdot Q_{o_n} - R$ to verify the signature. The equation $Q_p + h(M_w, x_{o_1}, x_p, x_R) \cdot Q_{o_1} + \cdots + h(M_w, x_{o_n}, x_p, x_R) \cdot Q_{o_n} - R = dG$ holds if the signature $(m, \mathrm{Sign}_d(m), R, M_w)$ is valid.

3. The Weakness of Chen et al.’s Proxy-Protected Scheme

In this section, we show that Chen et al.’s traceable proxy-protected scheme (Chen et al., 2004) cannot resist a forgery attack by the original signers. The original signers can cooperate to impersonate the proxy signer and produce a valid proxy signature. The same attack also applies to Chen et al.’s proxy-protected proxy multisignature scheme proposed in (Chen et al., 2003). The original signers perform the attack as follows:

1. Each original signer except a special one, named $A_\ell$, follows the scheme described above. $A_\ell$ randomly chooses $k_\ell$, computes $R_\ell = k_\ell G + Q_p$, and then broadcasts $R_\ell$. After receiving all $R_j$, $1 \le j \le n$, $j \ne \ell$, from the other original signers, $A_\ell$ computes $R = \sum_{i=1}^{n} R_i = (x_R, y_R)$ and $s_\ell = d_{o_\ell} \cdot h(M_w, x_{o_\ell}, x_p, x_R) - k_\ell \bmod t$. The other original signers $A_i$, $1 \le i \le n$, $i \ne \ell$, follow the scheme to compute $R = \sum_{i=1}^{n} R_i = (x_R, y_R)$ and $s_i = d_{o_i} \cdot h(M_w, x_{o_i}, x_p, x_R) - k_i \bmod t$.

2. The original signers can compute a signing key $d' = \sum_{i=1}^{n} s_i$ to generate a proxy signature $\mathrm{Sign}_{d'}(m)$ on a forged message $m$.


3. To verify the validity of a proxy signature, the verifier computes the proxy public key $Q = Q_p + h(M_w, x_{o_1}, x_p, x_R) \cdot Q_{o_1} + \cdots + h(M_w, x_{o_n}, x_p, x_R) \cdot Q_{o_n} - R$. However,

$$
\begin{aligned}
Q &= Q_p + h(M_w, x_{o_1}, x_p, x_R) \cdot Q_{o_1} + \cdots + h(M_w, x_{o_\ell}, x_p, x_R) \cdot Q_{o_\ell} + \cdots + h(M_w, x_{o_n}, x_p, x_R) \cdot Q_{o_n} - R \\
&= Q_p + h(M_w, x_{o_1}, x_p, x_R) \cdot Q_{o_1} + \cdots + h(M_w, x_{o_\ell}, x_p, x_R) \cdot Q_{o_\ell} + \cdots + h(M_w, x_{o_n}, x_p, x_R) \cdot Q_{o_n} - (R_1 + \cdots + k_\ell G + Q_p + \cdots + R_n) \\
&= h(M_w, x_{o_1}, x_p, x_R) \cdot Q_{o_1} + \cdots + h(M_w, x_{o_\ell}, x_p, x_R) \cdot Q_{o_\ell} + \cdots + h(M_w, x_{o_n}, x_p, x_R) \cdot Q_{o_n} - (R_1 + \cdots + k_\ell G + \cdots + R_n) \\
&= \sum_{i=1}^{n} s_i G \\
&= d' G,
\end{aligned}
$$

and the original signers know how to compute $d'$. Therefore, the signature $(m, \mathrm{Sign}_{d'}(m), R, M_w)$ is a valid signature.

4. The Modified Scheme and Security Analysis

In this section, we propose an improvement to the above-mentioned scheme of Chen et al. and show that the improvement achieves the proxy-protected property. The same idea can also be applied to remedy their other scheme in (Chen et al., 2003).

4.1. The Proposed Scheme

All the steps are the same as in the original scheme except the proxy key generation step and the proxy multisignature verification step. In the proxy key generation step, the proxy key is replaced by $d = d_p \cdot h_1(M_w, x_R) + \sum_{i=1}^{n} s_i$, where $h_1: \{0,1\}^* \times F_p \to Z_t$ is a public collision-resistant hash function. In the proxy multisignature verification step, the verifier uses $Q = Q_p \cdot h_1(M_w, x_R) + h(M_w, x_{o_1}, x_p, x_R) \cdot Q_{o_1} + \cdots + h(M_w, x_{o_n}, x_p, x_R) \cdot Q_{o_n} - R$ to verify the signature.

4.2. Security Analysis

Chen et al. have shown that their scheme can prevent the substitution attack and satisfy all security requirements (Chen et al., 2004). Our improvement is similar to Chen et al.’s scheme. The improvement does not change the basic operations made by the original signer’s private key and the proxy signer’s private key. Thus, the improved scheme can resist the substitution attack according to the proof in Chen et al.’s scheme.

In Section 3, we showed that the original signers can cooperate to create a valid proxy signature without the proxy signer’s authorization. This is because the original signers choose a specific value $R_\ell$ that eliminates $Q_p$. Our improvement replaces $Q_p$ with $Q_p \cdot h_1(M_w, x_R)$ to avoid the attack. Suppose that the original signer $A_\ell$ wants to use $R_\ell$ to eliminate $Q_p \cdot h_1(M_w, x_R)$. He/she must then fix $R_\ell$ in order to obtain $x_R$ before $h_1(M_w, x_R)$ is determined, yet $R_\ell$ would have to be chosen as a function of $h_1(M_w, x_R)$. Since $x_R$ is the x-coordinate of $R$, which includes $R_\ell$, the value $h_1(M_w, x_R)$ cannot be determined before $R_\ell$ is, and $R_\ell$ must be consistent with $x_R$. Therefore, it is infeasible for the original signers to create a valid proxy signature by the method described above.
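The scheme of Section 2, the forgery of Section 3 and the repair of Section 4 can be checked numerically. The following Python script is an added example written for this page; it is not code from the paper or its authors. It assumes the public secp256k1 parameters as the curve and base point (the paper fixes no curve), SHA-256 reduced modulo $t$ as the hash functions $h$ and $h_1$ (with a domain-separation prefix for $h_1$), constructed toy keys, nonces and warrant, and it omits the generic signing function $\mathrm{Sign}_d$, since validity rests on the verifier's proxy public key equalling $dG$.

```python
import hashlib
import random

# secp256k1 domain parameters (public, standard values): y^2 = x^3 + 7 over F_P,
# base point G of prime order T.  Used here as an assumption; the paper fixes no curve.
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
T = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(p1, p2):
    """Affine point addition on E(F_P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_neg(p):
    return None if p is None else (p[0], (-p[1]) % P)

def ec_mul(k, p):
    """Double-and-add scalar multiplication, k taken modulo the group order t."""
    k %= T
    result, addend = None, p
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def h(mw, *coords):
    """h: {0,1}* x F_p x F_p x F_p -> Z_t, instantiated with SHA-256 (an assumption)."""
    data = mw.encode() + b"".join(c.to_bytes(32, "big") for c in coords)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % T

def h1(mw, x_r):
    """h1: {0,1}* x F_p -> Z_t of Section 4.1; domain-separated from h (an assumption)."""
    data = b"h1|" + mw.encode() + x_r.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % T

def subproxy_keys(mw, d_o, q_o, q_p, k, r_pts):
    """Step 1: R = sum R_i and s_i = d_oi * h(Mw, x_oi, x_p, x_R) - k_i mod t."""
    r = None
    for pt in r_pts:
        r = ec_add(r, pt)
    s = [(d_o[i] * h(mw, q_o[i][0], q_p[0], r[0]) - k[i]) % T for i in range(len(d_o))]
    return r, s

def verify_subproxy(mw, q_oi, q_p, x_r, s_i, r_i):
    """Step 3: U_i = h(...) Q_oi - s_i G must share its x-coordinate with R_i."""
    u = ec_add(ec_mul(h(mw, q_oi[0], q_p[0], x_r), q_oi), ec_neg(ec_mul(s_i, G)))
    return u is not None and u[0] == r_i[0]

def proxy_pubkey(mw, q_o, q_p, r, fixed):
    """Step 6: Q = Q_p + sum h(...) Q_oi - R (Chen et al.); with fixed=True the
    Section 4.1 variant Q = h1(Mw, x_R) Q_p + sum h(...) Q_oi - R."""
    acc = ec_mul(h1(mw, r[0]), q_p) if fixed else q_p
    for q in q_o:
        acc = ec_add(acc, ec_mul(h(mw, q[0], q_p[0], r[0]), q))
    return ec_add(acc, ec_neg(r))

def run_demo(n=3, seed=2005):
    """Honest run, then the Section 3 forgery, against both key derivations."""
    rng = random.Random(seed)  # constructed toy keys and nonces (deterministic)
    d_o = [rng.randrange(1, T) for _ in range(n)]
    q_o = [ec_mul(d, G) for d in d_o]
    d_p = rng.randrange(1, T)
    q_p = ec_mul(d_p, G)
    k = [rng.randrange(1, T) for _ in range(n)]
    mw = "constructed warrant: A_1..A_n delegate signing to P"
    out = {}
    # Honest original signers: R_i = k_i G.
    r_pts = [ec_mul(ki, G) for ki in k]
    r, s = subproxy_keys(mw, d_o, q_o, q_p, k, r_pts)
    out["honest_subkeys_ok"] = all(verify_subproxy(mw, q_o[i], q_p, r[0], s[i], r_pts[i]) for i in range(n))
    d = (d_p + sum(s)) % T                       # proxy key of Chen et al.
    d_fixed = (d_p * h1(mw, r[0]) + sum(s)) % T  # proxy key of Section 4.1
    out["honest_chen"] = proxy_pubkey(mw, q_o, q_p, r, False) == ec_mul(d, G)
    out["honest_fixed"] = proxy_pubkey(mw, q_o, q_p, r, True) == ec_mul(d_fixed, G)
    # Section 3: signer l broadcasts R_l = k_l G + Q_p, so R absorbs Q_p.
    l = 0
    bad_pts = list(r_pts)
    bad_pts[l] = ec_add(ec_mul(k[l], G), q_p)
    r_bad, s_bad = subproxy_keys(mw, d_o, q_o, q_p, k, bad_pts)
    d_forged = sum(s_bad) % T  # computable by the original signers alone, no d_p needed
    out["proxy_signer_would_reject_s_l"] = not verify_subproxy(mw, q_o[l], q_p, r_bad[0], s_bad[l], bad_pts[l])
    out["forgery_passes_chen"] = proxy_pubkey(mw, q_o, q_p, r_bad, False) == ec_mul(d_forged, G)
    out["forgery_passes_fixed"] = proxy_pubkey(mw, q_o, q_p, r_bad, True) == ec_mul(d_forged, G)
    # In the repaired scheme the verifier's Q differs from d'G by (h1 - 1) Q_p, which only d_p can absorb.
    residual = ec_mul(h1(mw, r_bad[0]) - 1, q_p)
    out["fixed_residual_is_h1_minus_1_Qp"] = (
        proxy_pubkey(mw, q_o, q_p, r_bad, True) == ec_add(residual, ec_mul(d_forged, G)))
    return out

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the script shows that honest runs verify under both key derivations, that with the dishonest $R_\ell$ the proxy public key of Chen et al.'s scheme equals $d'G$ for $d' = \sum s_i$ (so no $d_p$ is needed), and that the repaired scheme leaves the residual term $(h_1(M_w, x_R) - 1) \cdot Q_p$, which the original signers cannot remove without $d_p$. It also shows that the proxy signer's subproxy-key check would reject $s_\ell$; this does not help the verifier, because the forgery never involves the proxy signer.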

5. Conclusions

This paper pointed out that neither of Chen et al.’s proxy-protected schemes (Chen et al., 2003; Chen et al., 2004) achieves the proxy-protected property. That is, the original signers can cooperate to generate a valid proxy signature. Essentially, it is unfair for the proxy signer to bear responsibility for the malicious behavior of the original signers.

To overcome this weakness, we have proposed an improved scheme and shown that it satisfies the proxy-protected property.

Acknowledgement

This research was partially supported by the National Science Council of Republic of China (R.O.C.), under contract No.: NSC 93-2213-E-006-104.

References

Chen, T.S., Y.F. Chung and K.H. Huang (2004). A traceable proxy multisignature scheme based on the elliptic curve cryptosystem. Applied Mathematics and Computation, 159(1), 137–145.

Chen, T.S., Y.F. Chung and G.S. Huang (2003). Efficient proxy multisignature schemes based on the elliptic curve cryptosystem. Computers & Security, 22(6), 527–534.

Mambo, M., K. Usuda and E. Okamoto (1996). Proxy signature: delegation of the power to sign messages. IEICE Trans. Fundamentals, E79-A(9), 1338–1353.

Pohlig, S., and M. Hellman (1978). An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. on Information Theory, 24(1), 106–110.

Sun, H.M. (2000). On proxy multisignature scheme. Proceedings of the International Computer Symposium, 65–72.

Yi, L., G. Bai and G. Xiao (2000). Proxy multisignature scheme: A new type of proxy signature scheme. Electronics Letters, 36(6), 527–528.


P.-H. Huang was born in Taipei, Taiwan, in 1980. He received his BS degree in applied mathematics from Fu Jen Catholic University in 2003. He is currently pursuing his MS degree in the Department of Computer Science and Information Engineering, National Cheng Kung University. His research interests include cryptography and information security.

H.-A. Wen was born in Taipei, Taiwan, in 1976. He received his BE degree from the Department of Mathematics, National Cheng Kung University, in 1998, and his PhD degree from the Department of Computer Science and Information Engineering, National Cheng Kung University, in 2005. He is presently an assistant professor in the Department of Computer Science and Information Engineering, Leader University. His research interests include cryptography and information security.

C.-H. Wang was born in Kaohsiung, Taiwan, in 1968. He received his BS degree in information science from Tunghai University and his MS degree in information engineering from National Chung-Cheng University, Taiwan, R.O.C., in 1991 and 1993, respectively. He received the PhD degree in information engineering from National Cheng Kung University, Taiwan, R.O.C., in 1998. He is presently an assistant professor in the Department of Computer and Information Engineering, National Chiayi University, Taiwan, R.O.C. His research interests include cryptography, information security and data compression.

T. Hwang was born in Tainan, Taiwan, in 1958. He received his undergraduate degree from National Cheng Kung University in 1980, and the MS and PhD degrees in computer science from the University of Southwestern Louisiana, USA, in 1988. He is presently a professor in the Department of Computer and Information Engineering, National Cheng Kung University. His research interests include cryptology, network security and coding theory.

Dr. Hwang is a member of IEEE and of the International Association for Cryptographic Research.

On the proxy-protected property of Chen et al.’s proxy multisignature schemes

Pei-Hui HUANG, Hsiang-An WEN, Chih-Hung WANG, Tzonelih HWANG

Recently, Chen, Chung and Huang proposed a traceable proxy multisignature scheme based on the elliptic curve cryptosystem. However, this paper shows that the original signers can produce a valid signature just as the proxy signer does in the proxy-protected scheme. Therefore, Chen et al.’s proxy-protected scheme cannot protect the proxy signer from forgery by the original signers. The earlier work of Chen et al., published in 2003, is also not resistant to this attack. The paper presents an improved scheme to avoid this problem.
