Identity-Based Delegated Signatures


Yi Mu 1, Willy Susilo 1, and Yan-Xia Lin 2
1 School of IT and Computer Science, University of Wollongong, Wollongong, NSW 2522, Australia
2 School of Mathematics and Applied Statistics, University of Wollongong, Wollongong, NSW 2522, Australia
{ymu,wsusilo,yanxia}@uow.edu.au

Abstract. In a delegated signature scheme, a party can delegate its signing right to other parties, who can then sign on its behalf. We describe two novel identity-based delegated signature schemes, a proxy signature and a group signature, based on the pairing. In our proxy signature scheme, an original signer can create multiple proxy signers who are naturally linked to their identities. In the group signature scheme, the identities of the proxies (or members) are hidden, but they are naturally linked through a unique group identity. The distinct feature of the proposed group signature is its suitability for subgroup construction, where a group can be made up of multiple subgroups. We also present detailed security proofs of these schemes.

1 Introduction

We consider the scenario where Alice wants to delegate her signing right to multiple proxies, where both Alice and her proxies must be treated fairly. Two signature schemes fall into this scenario: proxy signatures and group signatures. The concepts of proxy signature and group signature are not new; they have been widely investigated in the literature [1-7]. The focus of this paper is on the construction of new delegated signature schemes. These schemes are based on the pairing (such as the Weil pairing) and are computationally more efficient than other existing schemes. Using the Weil pairing, two points on an elliptic curve can be mapped to an element of a finite field. The Weil pairing was originally considered harmful, since it can be used to attack elliptic curves [8].

Recently, it has been shown that the Weil pairing can be used to construct a protocol for three-party one-round Diffie-Hellman key exchange [9]. Boneh and Franklin have recently proposed a concrete identity-based encryption scheme [10] and a short signature scheme based on the Weil pairing [11]. Verheul has found the Weil pairing useful for credential pseudonymous certificate systems [12]. We point out that the Weil pairing is naturally suited to identity-based cryptographic systems, following the initiative of Boneh and Franklin. We will show that the Weil pairing can also be used for the construction of identity-based delegated signatures, and that these constructions have an obvious structural simplicity.

A sound group signature scheme must possess essential properties such as non-repudiation of signing, untraceability, and dynamic key management. Achieving these usually requires a great deal of zero-knowledge proofs, which often makes a protocol very complicated and impractical. In this paper we propose a group signature scheme that is not only simple but also satisfies all essential properties. Our group signature scheme supports subgroup construction, where a group can consist of multiple subgroups, each with its own identity. The subgroup structure is useful in practice. For example, a bank client may need to know whether a transaction was authorized by the home loan department or by the credit card department, while not caring which officer signed it.

A proxy signature scheme can be treated as a simplified group signature scheme in which no untraceability is assumed. The difference between our proxy signature and existing schemes lies in identity-based signature verification: the verification of a signature is associated with the identity of the proxy signer. It therefore allows a signature recipient to identify the proxy signer without any other information such as a certificate of the proxy signer.

The rest of this paper is organized as follows. Section 2 gives basic definitions on the pairing. Section 3 presents the novel identity-based proxy signature scheme and the associated security proofs. Section 4 describes our novel identity-based group signature scheme, which meets all important requirements, together with its security proofs. The final section concludes the paper.

2 Preliminaries and Definitions

Let $E$ denote an elliptic curve over a field $K$ of characteristic $> 0$, and let $E[m]$ be its group of $m$-torsion points.

Definition 1. Let $m \in \mathbb{Z}$, $m \ge 2$, be an integer coprime to the characteristic of $K$. The Weil pairing is a mapping $\hat{e} : E[m] \times E[m] \to \mu_m$, where $\mu_m$ is the group of $m$-th roots of unity in $K$. Under the definition of the Weil pairing, if $\hat{e}(P, Q)$ is not the unit in $\mu_m$, then $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$ for $P, Q \in E[m]$ and all $a, b \in \mathbb{Z}$. For details on the Weil pairing see Blake, Seroussi and Smart [13] (page 43).

The group $E[m]$ is a cyclic additive group, from now on denoted $G_1$, which is mapped by the Weil pairing into a cyclic multiplicative group $G_2$. If $m$ is prime, then both $G_1$ and $G_2$ have prime order. In general, $m$ need not be prime, so the order of $G_1$ and $G_2$ is not necessarily prime. In this paper we consider the case where the order $q$ of $G_1$ and $G_2$ is a product of some large primes.

Definition 2 (Decisional Diffie-Hellman Problem). Given $P, aP, bP, cP \in G_1$ and $a, b, c \in \mathbb{Z}_q$, decide whether $c = ab \in \mathbb{Z}_q$.

The decisional Diffie-Hellman problem (DDHP) is easy [14], since $\hat{e}(aP, bP) = \hat{e}(P, abP)$. The security of a pairing-based algorithm is based on the computational Diffie-Hellman problem (CDHP), given below.

Definition 3 (Computational Diffie-Hellman Problem). Let $a, b$ be chosen from $\mathbb{Z}_q$ at random and $P$ be chosen from $G_1$ at random. Given $(P, aP, bP)$, compute $abP \in G_1$.

$G_1$ is referred to as a gap Diffie-Hellman (GDH) group if DDHP can be solved in polynomial time and no polynomial-time algorithm can solve CDHP with non-negligible advantage [15, 11, 16].

Definition 4. Let a polynomial-time probabilistic algorithm $\mathcal{IG}$ be a GDH parameter generator. Taking a security parameter $l$, $\mathcal{IG}(1^l)$ generates two cyclic groups $G_1$ and $G_2$ as in Definition 1. An algorithm $\mathcal{A}$ has advantage $\epsilon(l)$ in solving the CDHP for $\mathcal{IG}$ if, for sufficiently large $l$,
$$\mathrm{Adv}_{\mathcal{IG}} = \Pr\big[\mathcal{A}(G_1, G_2, \hat{e}, P, aP, bP) = abP \,\big|\, (G_1, G_2, \hat{e}) \leftarrow \mathcal{IG}(1^l),\ P \leftarrow G_1,\ a, b \leftarrow \mathbb{Z}_q\big] > \epsilon(l).$$

3 The Proxy Signature Scheme

Assume that Alice is the original signer and Bob is her proxy. Alice delegates a signing right to Bob by issuing a proxy tuple containing a proxy signing key. A sound proxy signature protocol must meet the following requirements. (1) A proxy signature recipient is convinced of the authenticity of a proxy, i.e., that the proxy signer Bob is authorized to sign on behalf of the original signer Alice. (2) Alice cannot sign on behalf of Bob.

3.1 Setup of a proxy key

Setup: (Alice) Run $\mathcal{IG}(1^l)$ with input $l \in \mathbb{Z}$ and set $(G_1, G_2, \hat{e})$ as the output. Pick strong hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : \{0,1\}^* \times G_1 \times G_1 \to G_2$.

KeyGen1: (Alice) Choose $s \in \mathbb{Z}_q$ as Alice's secret key and compute the associated public key $\tilde{P} \leftarrow sP$, where $P \in G_1$ is public.

Extract: (Alice) Input: Alice's $ID_A \in \{0,1\}^*$ and Bob's $ID_B \in \{0,1\}^*$. Output: $Q_{ID_A} \leftarrow H_1(ID_A)$, $Q_{ID_B} \leftarrow H_1(ID_B)$, and $Q_{ID} = Q_{ID_A} + Q_{ID_B}$.

KeyGen2: (Bob) Input: $x \in \mathbb{Z}_q$ and $Q_{ID}$. Output: $X \leftarrow xQ_{ID}$. $X$ is sent to Alice.

KeyGen3: (Alice) Input: $u \in \mathbb{Z}_q$, $s$, $Q_{ID}$, and $a$, where $a \in \{0,1\}^*$ is the proxy agreement. Output: proxy public key $U \leftarrow u\tilde{P}$, $v \leftarrow H_2(a, U, X)$, and proxy signing key $K \leftarrow s(uX + vQ_{ID})$. The proxy tuple consists of $(ID_A, ID_B, a, X, K)$. Send the tuple to Bob and make $U$ public.

Verify1: (Bob) Input: $(ID_A, ID_B, a, X, K, P, U)$. Check
$$\hat{e}(P, K) \stackrel{?}{=} \hat{e}(U, X)\,\hat{e}(v\tilde{P}, Q_{ID}).$$
Output: True or False.

Claim 1: The above protocol is complete and sound. Completeness is clear:
$$\hat{e}(P, K) = \hat{e}(P, s(uX + vQ_{ID})) = \hat{e}(P, suX)\,\hat{e}(P, svQ_{ID}) = \hat{e}(U, X)\,\hat{e}(v\tilde{P}, Q_{ID}).$$
To ensure soundness, we let Bob own a secret key $x$ that is authorized by Alice but whose value Alice does not know. When signing a message as a proxy, Bob must prove knowledge of this secret key, using the SKP given below, as part of the proxy signature.

Signature Knowledge Proof of ECDL

The signature knowledge proof was introduced by Camenisch and Stadler in their group signature scheme [5]. A signature knowledge proof is in fact equivalent to a signature. We now convert it into one based on the pairing.

Definition 5. The non-interactive signature knowledge proof of an ECDL is denoted by $SKP[x : xQ_{ID}](m)$: given $X = xQ_{ID}$ for $x \in \mathbb{Z}_q$ and a message $m \in \{0,1\}^*$, prove knowledge of $x$ from $X$ to a party without revealing the value of $x$ to that party.

Assume that Bob is the prover, who knows the value of $x$, and Chris is the verifier. $ID_A$, $ID_B$, $H_1(\cdot)$ and $X$ are public. Bob chooses $\theta \in \mathbb{Z}_q$, sets $\Theta \leftarrow \theta Q_{ID}$, chooses a cryptographic hash function $H : (G_1)^3 \times \{0,1\}^* \to \mathbb{Z}_q$, and computes $c \leftarrow H(Q_{ID}, \Theta, X, m)$ and $C \leftarrow (\theta - cx)Q_{ID}$. The resulting proof tuple is $(ID_A, ID_B, m, X, \Theta, C)$. To verify the proof, Chris computes $c$ from the given values and checks (Verify2):
$$\hat{e}(\Theta, Q_{ID}) \stackrel{?}{=} \hat{e}(cX, Q_{ID})\,\hat{e}(Q_{ID}, C).$$
If the equality holds, the proof succeeds. The verification is easily checked:
$$\hat{e}(cX, Q_{ID})\,\hat{e}(Q_{ID}, C) = \hat{e}(Q_{ID}, Q_{ID})^{cx}\,\hat{e}(Q_{ID}, Q_{ID})^{\theta - cx} = \hat{e}(Q_{ID}, Q_{ID})^{\theta} = \hat{e}(\Theta, Q_{ID}).$$

3.2 Proxy signing protocol

Given an authorized proxy tuple $(ID_A, ID_B, a, X, K)$ and the value of $x$, Bob can issue a proxy signature.

Proxy Signing: (Bob) Input: the proxy signing key $K$ and a message $m \in \{0,1\}^*$. Select a number $r \in \mathbb{Z}_q$ and compute the signing commitments $R \leftarrow r\tilde{P}$ and $R' \leftarrow rU$. Compute $w \leftarrow H_2(m, R, R')$. Compute the proxy signature $S \leftarrow (r + w)K$. Prove knowledge of $x$ from $X$ to form the proof token $SKP \leftarrow SKP[x : xQ_{ID}](m)$. The proxy signature tuple is $(ID_A, ID_B, m, R, R', S, X, SKP)$.
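To make the proxy-key setup (Section 3.1), the SKP of Definition 5 and the signing protocol with its Verify3 equation (Section 3.2) concrete, here is an added Python walkthrough that is not part of the paper. It replaces the Weil pairing with a toy bilinear map over Z_q that knows every discrete log (so it is insecure and only checks the verification algebra), models the hash functions H_2 and H as maps into Z_q, and uses constructed identities and a constructed proxy agreement; all function names are mine.

```python
import hashlib
import random

# Toy bilinear-map simulator (constructed for this walkthrough; it is NOT the
# Weil pairing and NOT secure, because it knows every discrete log). G1 is the
# additive group Z_q with generator P = 1, so the "point" aP is the integer
# a mod q; G2 is the order-q subgroup of Z_p^* generated by g; and
# e(aP, bP) = g^(ab) mod p, which gives exactly the bilinearity
# e(aP, bQ) = e(P, Q)^(ab) that the verification equations rely on.
q = 1019                     # prime group order
p = 2 * q + 1                # 2039 is prime, so Z_p^* has a subgroup of order q
g = 4                        # 4 = 2^2 is a quadratic residue mod p, hence has order q
P = 1
rng = random.Random(2003)    # fixed seed only so the walkthrough is reproducible

def e(A, B):
    return pow(g, (A * B) % q, p)

def rand_scalar():
    return rng.randrange(1, q)

def H1(id_str):              # H1 : {0,1}* -> G1, hash an identity to a group element
    return int.from_bytes(hashlib.sha256(b"H1|" + id_str.encode()).digest(), "big") % q

def Hz(*parts):              # H2 and the SKP hash H, modelled here as maps into Z_q
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

# --- 3.1 Setup of a proxy key ---
def keygen1():               # Alice: secret s, public key P_pub = sP
    s = rand_scalar()
    return s, (s * P) % q

def extract(id_a, id_b):     # Q_ID = Q_IDA + Q_IDB
    return (H1(id_a) + H1(id_b)) % q

def keygen2(x, Q_ID):        # Bob: X = x Q_ID, sent to Alice
    return (x * Q_ID) % q

def keygen3(s, P_pub, Q_ID, a, X):
    """Alice: proxy public key U = u P_pub, v = H2(a, U, X), K = s(uX + v Q_ID)."""
    u = rand_scalar()
    U = (u * P_pub) % q
    v = Hz("H2", a, U, X)
    return U, (s * (u * X + v * Q_ID)) % q

def verify1(P_pub, U, Q_ID, a, X, K):
    v = Hz("H2", a, U, X)
    return e(P, K) == (e(U, X) * e((v * P_pub) % q, Q_ID)) % p

# --- Signature knowledge proof SKP[x : X = x Q_ID](m), Definition 5 ---
def skp_prove(x, Q_ID, X, m):
    theta = rand_scalar()
    Theta = (theta * Q_ID) % q
    c = Hz("H", Q_ID, Theta, X, m)
    return Theta, ((theta - c * x) * Q_ID) % q        # (Theta, C)

def verify2(Q_ID, X, m, proof):
    Theta, C = proof
    c = Hz("H", Q_ID, Theta, X, m)
    return e(Theta, Q_ID) == (e((c * X) % q, Q_ID) * e(Q_ID, C)) % p

# --- 3.2 Proxy signing and Verify3 ---
def proxy_sign(K, x, Q_ID, X, P_pub, U, m):
    r = rand_scalar()
    R, R2 = (r * P_pub) % q, (r * U) % q          # commitments R = r P_pub, R' = rU
    w = Hz("H2", m, R, R2)
    return R, R2, ((r + w) * K) % q, skp_prove(x, Q_ID, X, m)

def verify3(P_pub, U, Q_ID, a, X, m, sig):
    R, R2, S, proof = sig
    w = Hz("H2", m, R, R2)
    v = Hz("H2", a, U, X)                          # recomputed from the proxy agreement a
    rhs = (e((R2 + w * U) % q, X) * e((v * (R + w * P_pub)) % q, Q_ID)) % p
    return e(P, S) == rhs and verify2(Q_ID, X, m, proof)

def run_demo():
    """Full flow Alice -> Bob -> Chris, plus two checks that must fail."""
    s, P_pub = keygen1()
    Q_ID = extract("alice@example.org", "bob@example.org")    # constructed IDs
    x = rand_scalar()
    X = keygen2(x, Q_ID)
    a = "Bob may sign purchase orders until 2004-01-01"      # constructed agreement
    U, K = keygen3(s, P_pub, Q_ID, a, X)
    sig = proxy_sign(K, x, Q_ID, X, P_pub, U, "order #17")
    bad_proof = skp_prove((x + 1) % q, Q_ID, X, "order #17")   # prover who lacks x
    return {
        "verify1": verify1(P_pub, U, Q_ID, a, X, K),
        "verify3": verify3(P_pub, U, Q_ID, a, X, "order #17", sig),
        "wrong_message": verify3(P_pub, U, Q_ID, a, X, "order #18", sig),
        "skp_without_x": verify2(Q_ID, X, "order #17", bad_proof),
    }
```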

Verify3: Input: $(ID_A, ID_B, m, R, R', S, X, SKP, P, U)$. Check
$$\hat{e}(P, S) \stackrel{?}{=} \hat{e}(R' + wU, X)\,\hat{e}(v(R + w\tilde{P}), Q_{ID})$$
and $\mathrm{Verify2}(SKP)$. Output: True or False.

Claim 2: The signing protocol is complete and sound. Completeness is easily verified:
$$\hat{e}(P, S) = \hat{e}(P, s(r + w)(uX + vQ_{ID})) = \hat{e}((r + w)\tilde{P}, uxQ_{ID} + vQ_{ID}) = \hat{e}(R' + wU, X)\,\hat{e}(v(R + w\tilde{P}), Q_{ID}).$$
Soundness follows from the fact that no one but Bob can produce the SKP. Further explanation is given in the next section.

3.3 Proof of security

We cannot directly apply the Pointcheval-Stern security proof model [17] to our protocol, since our system has two random oracles, one for the message and one for the ID. Instead, we adapt a variant of the Pointcheval-Stern proof given by Cha and Cheon [16]. Assume there are two polynomial-time attack algorithms $\mathcal{A}_0$ and $\mathcal{A}_1$. $\mathcal{A}_0$ is used for adaptively chosen message and ID attacks; $\mathcal{A}_1$ is used for adaptively chosen message attacks with a fixed ID. We say a proxy signature is secure if $\mathcal{A}_0$ and $\mathcal{A}_1$ have negligible advantage in this game.

In the $\mathcal{A}_0$ system, there are a signer, who responds to queries from $\mathcal{A}_0$, and two random oracles $H_1$ and $H_2$. $\mathcal{A}_0$ makes $q_{H_1}$ queries to $H_1$, $q_{H_2}$ queries to $H_2$, and $q_S$ queries to the signer. As a result, $\mathcal{A}_0$ outputs a signature tuple, which is valid only if it satisfies the associated verification equation.

Lemma 1. Suppose algorithm $\mathcal{A}_0$ carries out an adaptively chosen message and ID attack on our proxy signature protocol with running time $t_0$ and advantage $\epsilon_{01}$. Then there is an algorithm $\mathcal{A}_1$, for an adaptively chosen message attack on a given ID, with running time $t_1 \le t_0$ and advantage $\epsilon_1 \ge \frac{\epsilon_{01}}{q_{H_1}}\left(1 - \frac{1}{q}\right)$, where $q_{H_1}$ is the number of queries to $H_1$ asked by $\mathcal{A}_0$.

The proof of this lemma is given in [16]. Conceptually, the game (say, Game A) is played as follows. $\mathcal{A}_1$ wants to exploit $\mathcal{A}_0$'s power to find the secret key corresponding to the wanted ID. As $\mathcal{A}_0$ makes $q_{H_1}$ queries to $H_1$ for $q_{H_1}$ randomly chosen IDs, $\mathcal{A}_1$ randomly replaces one of these IDs with the one it wants. In the end, $\mathcal{A}_0$ outputs a signature tuple on a message $m$ for a certain ID, denoted $(ID_{out}, m, c, \sigma)$, where $c$ denotes the signature commitment and $\sigma$ the signature. If $ID_{out}$ is the one wanted by $\mathcal{A}_1$ and the signature satisfies the verification equation, the signature token is said to be valid; otherwise it fails. The probability of $\mathcal{A}_1$ finding a valid signature without knowing the secret key is
$$\Pr[ID_{out} = ID_{wanted},\ (ID_{out}, m, c, \sigma)\ \text{is valid}] \ge \frac{\epsilon_{01}}{q_{H_1}}\left(1 - \frac{1}{q}\right).$$

According to the Forking Lemma [17], once a valid signature is found there exists another Turing machine ($\mathcal{A}_1$ in our case) that can output two valid signatures with the same signature commitment. This leads to extraction of the secret signing key, as we show later. We now construct an algorithm for solving CDHP, assuming $\mathcal{A}_1$ exists. It is the same as that given in [17, 16].

Lemma 2. If $\mathcal{A}_1$ launches an adaptively chosen message attack with a fixed ID against our scheme with running time $t_1$, querying $H_2$ and the signer at most $q_{H_2}$ and $q_S$ times respectively, and with advantage $\epsilon_1 \ge 10(q_S + 1)(q_S + q_{H_2})/q$, then CDHP can be solved with probability $\epsilon_2 \ge 1/9$ and running time $t_2 \le 23\,q_{H_2}\,t_1/\epsilon_1$.

The reader is referred to the original papers for the proof. Using Lemmas 1 and 2, we obtain the following theorem for $\mathcal{A}_0$.

Theorem 1. If an algorithm $\mathcal{A}_0$ can launch an adaptively chosen message and ID attack against our system, querying $H_1$, $H_2$ and the signer at most $q_{H_1}$, $q_{H_2}$ and $q_S$ times respectively, with running time $t_0$ and advantage $\epsilon_{01} \ge 10(q_S + 1)(q_S + q_{H_2})\,q_{H_1}/(q - 1)$, then CDHP can be solved with probability $\ge 1/9$ and running time
$$\le \frac{23\,q_{H_1}\,q_{H_2}\,t_0}{\epsilon_{01}(1 - 1/q)} \equiv T_1.$$

Proof of security for our protocol

Based on the security proofs above, we now prove the security of our proxy signature scheme. Assume there exist an original signer (Alice), a proxy (Bob), and a signature recipient (Chris). There are three possible attacks against our protocol.

Scenario 1: Bob against Alice. Bob plays a game with Alice and tries to extract Alice's secret key, which could then be used to authorize proxy signers. The proxy signing key is constructed using a variant of Schnorr's signature algorithm. In effect, both $a$ and $X$ (see Section 3.1) are signed by Alice using her private key $sQ_{ID}$. We may directly apply the security proof given above, provided we slightly amend the attack algorithms. The attack by $\mathcal{A}_0$ should now be an adaptively chosen message plus adaptively chosen $ID_A$ and $ID_B$; we denote this amended $\mathcal{A}_0$ by $\mathcal{A}'_0$. Therefore, in the query phase, $\mathcal{A}'_0$ has to ask $H_1$ $q_{H_1}$ questions for each of $ID_A$ and $ID_B$. $\mathcal{A}_1$ needs to randomly replace an adaptively chosen ID in each of two separate sets of queries. We refer to this game as Game B. As a result, we amend the results of the security proof given previously as follows.

Lemma 3. Assume that $\mathcal{A}'_0$ queries $H_1$ for $ID_A$ and $ID_B$, with running time $t_0$ and advantage $\epsilon_{02}$. Then there is an algorithm $\mathcal{A}_1$, for an adaptively chosen message attack on the given $ID_A$ and $ID_B$, with running time $t_1 \le t_0$ and advantage $\epsilon_1 \ge \frac{\epsilon_{02}}{q_{H_1} q'_{H_1}}\left(1 - \frac{1}{q}\right)^2$, where $(q_{H_1}, q'_{H_1})$ are the numbers of queries to $H_1$ with respect to $(ID_A, ID_B)$ asked by $\mathcal{A}'_0$.

This follows straightforwardly from Lemma 1, noting that the queries for $ID_A$ and $ID_B$ are processed independently. Accordingly, we amend Theorem 1 as follows.

Theorem 2. If an algorithm $\mathcal{A}'_0$ can launch an adaptively chosen message and ID attack against our system, querying $H_1$ for $ID_A$ and $ID_B$ at most $q_{H_1}$ and $q'_{H_1}$ times, and $H_2$ and the signer at most $q_{H_2}$ and $q_S$ times respectively, with running time $t_0$ and advantage $\epsilon_{02} \ge 10(q_S + 1)(q_S + q_{H_2})\,q_{H_1} q'_{H_1}/\big(q(1 - 1/q)^2\big)$, then CDHP can be solved with probability $\ge 1/9$ and running time
$$\le \frac{23\,q_{H_1}\,q'_{H_1}\,q_{H_2}\,t_0}{\epsilon_{02}(1 - 1/q)^2} \equiv T_2.$$

After playing Game B, $\mathcal{A}'_0$ outputs a proxy tuple $(ID_{out}, ID'_{out}, a, X, K)$. If $(ID_{out}, ID'_{out})$ happens to be $(ID_A, ID_B)$ and the tuple satisfies Verify1, then the proxy tuple is valid. According to the Forking Lemma [17, 16], we can obtain two valid proxy tuples, $(ID_{out}, ID'_{out}, a, X, K)$ and $(ID_{out}, ID'_{out}, a, X, K')$, where $uX$ in $K, K'$ is treated as the signature commitment. As a result, $\mathcal{A}_1$ obtains two equations $K = s(uX + vQ_{ID})$ and $K' = s(uX + v'Q_{ID})$, with the probability and time described in Theorem 2. The secret key can then be found as $sQ_{ID} = (K - K')/(v - v')$. This establishes Theorem 2 for this security proof.

Scenario 2: Alice against Bob. Alice plays a game with Bob aiming to extract Bob's secret key $xQ_{ID}$. Success in this game would give her the right to sign on behalf of Bob. The game is played on the SKP. We can still apply the proof model used in Game B; Lemma 3 and Theorem 2 remain correct for the SKP. As a result, $\mathcal{A}'_0$ outputs a proof tuple $(ID_{out}, ID'_{out}, m, X, \Theta, C)$, which is valid if $(ID_{out}, ID'_{out}) = (ID_A, ID_B)$ and it satisfies Verify2. Again, based on the Forking Lemma, $\mathcal{A}_1$ can find two valid proofs, $(ID_A, ID_B, m, X, \Theta, C)$ and $(ID_A, ID_B, m, X, \Theta, C')$, with the probability and running time described in Theorem 2. The corresponding equations are $C = (\theta - cx)Q_{ID}$ and $C' = (\theta - c'x)Q_{ID}$, from which the secret key $xQ_{ID}$ can be found.

Scenario 3: Chris against Bob. Chris plays a game with Bob to extract Bob's secret proxy key. Our proxy signature is more secure than a normal signature, because to break our scheme Chris needs to extract two secret keys, $K$ and $xQ_{ID}$. $\mathcal{A}_0$ and $\mathcal{A}_1$ now play two separate games against $K$ and $xQ_{ID}$ respectively. The game against $K$ is the same as that of Cha and Cheon [16], summarized in the preceding subsection. The game against $xQ_{ID}$ is the same as that of Scenario 2.

Remark 1: Scenario 3 can be viewed as an attack carried out through two independent attacks, or two independent approaches to solving two CDHPs. From Theorems 1 and 2, if in Scenario 3 there are $\mathcal{A}_0$ and $\mathcal{A}'_0$ satisfying the conditions of Theorems 1 and 2, then the probability of solving the two CDHPs is at least $1/81$, with running time $\max(T_1, T_2)$.

4 The Group Signature Scheme

We are interested in the scenario where a group signature can be related to a group with a unique group ID. Hence, if a party owns multiple groups, signature recipients can still identify the group from which a group signature originates. This differs from a normal group signature scheme. In general, a sound group signature should possess four essential properties (PROP):
(1) Non-repudiation. Only a legitimate group member can construct a valid group signature. No one else, including the group manager, can sign on behalf of a group member.
(2) Dynamic key management. The group public key must be independent of the size of the group.
(3) Untraceability. Given a group signature, it is infeasible for a signature recipient to identify the signer.
(4) Revocation. A group manager can identify the signer of a group signature when necessary.

4.1 Setup of a group

Alice is now a group manager responsible for running a protocol SETUP to set up a group. She is also responsible for updating the group and revoking group signatures. All proxies become group members; Bob is one of them. Chris is one of the group signature recipients.

Alice runs $\mathcal{IG}(1^l)$ with input $l \in \mathbb{Z}$ and sets $(G_1, G_2, \hat{e})$ as the output. She then picks strong hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : \{0,1\}^* \times G_1 \to G_2$. Alice selects a large number $s \in \mathbb{Z}_q$ and a corresponding set $\{d_i\}_{i=1,2,\ldots,n}$, where each $d_i$ satisfies the condition $d_i s = s \bmod q$. Note that $q$ is not prime, as defined earlier in the paper, so $n$ can be sufficiently large (see the proof of security in Section 4.4). Each of the $\{d_i\}$ can be used by one potential member to construct its private signing key. Since $n$ can be very large, we assume without loss of generality that $l \ll n$ is the current size of the group; the remaining $n - l$ numbers can be used for updates. Alice also needs an additional private key pair $(u, v) \in \mathbb{Z}_q \times \mathbb{Z}_q$. Alice's public key tuple is now $(\tilde{P}, U)$, where $\tilde{P} \leftarrow sP$ and $U \leftarrow (u + v)\tilde{P}$.

The public key tuple is never changed unless necessary (see Section 4.3). To become a group member, Bob generates a secret key $x \in \mathbb{Z}_q$, sets $X \leftarrow xQ_{ID_A}$, and sends $X$ to Alice for authorization. Assume $d_i$ is the secret parameter associated with Bob; then the private signing key for Bob is constructed by Alice as $K \leftarrow d_i(X + uQ_{ID_A}) + vQ_{ID_A}$, which is in fact a signature on $X$. The verification of $K$ is done by checking
$$\hat{e}(\tilde{P}, K) \stackrel{?}{=} \hat{e}(\tilde{P}, X)\,\hat{e}(U, Q_{ID_A}).$$

Claim 3: The protocol SETUP is complete and sound. Completeness is obvious:
$$\hat{e}(\tilde{P}, K) = \hat{e}(\tilde{P}, d_i(X + uQ_{ID_A}) + vQ_{ID_A}) = \hat{e}(d_i sP, X + uQ_{ID_A})\,\hat{e}(sP, vQ_{ID_A})$$

$$= \hat{e}(\tilde{P}, X + uQ_{ID_A})\,\hat{e}(v\tilde{P}, Q_{ID_A}) = \hat{e}(\tilde{P}, X)\,\hat{e}(u\tilde{P}, Q_{ID_A})\,\hat{e}(v\tilde{P}, Q_{ID_A}) = \hat{e}(\tilde{P}, X)\,\hat{e}(U, Q_{ID_A}),$$
where the first step uses $d_i s = s \bmod q$. Soundness is due to the fact that Alice does not know the secret key $x$; therefore she does not own $K$. This is also explained in the section on the security proof.

Our group signature scheme is naturally suited to subgroup construction. A subgroup structure can be achieved simply by partitioning the secret key set $\{d_i\}_{i=1,2,\ldots,n}$ into several intended subsets, each of which is used for a subgroup assigned its own ID (or $Q_{ID}$). Without loss of generality, we still use $ID_A$ to represent one of the subgroups. The setup procedure given above still stands.

4.2 Signing protocol

Signing can be carried out by any group member. As stated in the essential requirements for a group signature scheme, only a legitimate group member can sign on the group's behalf, and no one else, except the group member itself, can construct a group signature in which its identity is hidden. Therefore, a group signature is untraceable and unlinkable by signature recipients. Assume that Bob carries out the signing protocol (GSign). Select a number $r \in \mathbb{Z}_q$ and compute the signing commitment $R \leftarrow rQ_{ID_A}$. Compute $w \leftarrow H_2(m, R)$. Select $b \in \mathbb{Z}_q$ and compute the signature $S \leftarrow b(r + w)K$. Set $P' \leftarrow b\tilde{P}$, $X' \leftarrow xP'$ and $U' \leftarrow bU$. Construct the knowledge proofs of ECDL: $SKP \leftarrow SKP[x : X' = xP']$ and $SKPEQ \leftarrow SKPEQ[b : U' = bU \wedge P' = b\tilde{P}]$. SKP was defined in the preceding section; SKPEQ is defined as follows.

Definition 6. The signature knowledge proof of equality of ECDLs is denoted by $SKPEQ[b : U' = bU \wedge P' = b\tilde{P}](m)$: given $U, \tilde{P} \in G_1$ and $U' = bU$, $P' = b\tilde{P}$ for $b \in \mathbb{Z}_q$, and a message $m \in \{0,1\}^*$, prove knowledge of $b$ from $U'$, $P'$ and the equality of the two ECDLs to a party, without revealing the value of $b$ to that party. The original proof of equality of discrete logarithms is the bi-proof given in [18]. We now give the non-interactive version based on the pairing.

Bob (prover): computes $\bar{R} \leftarrow r'U$ for $r' \in \mathbb{Z}_q$, chooses a cryptographic hash function $H : (G_1)^5 \times \{0,1\}^* \to \mathbb{Z}_q$, computes $c \leftarrow H(U, \tilde{P}, \bar{R}, U', P', m)$ and $w' \leftarrow r' - cb$, and sends $w', U, \tilde{P}, \bar{R}, U', P'$ to Chris.

Chris (verifier): computes $c$ from the given values and checks
$$\hat{e}(\bar{R}, \tilde{P}) \stackrel{?}{=} \hat{e}(cU', \tilde{P})\,\hat{e}(w'U, \tilde{P}) \stackrel{?}{=} \hat{e}(U, cP')\,\hat{e}(w'U, \tilde{P}).$$

If the equalities hold, the proof succeeds; correctness is easily checked. The group signature is now the 7-tuple $(m, R, S, X', U', SKP, SKPEQ)$. To verify the signature, check
$$\hat{e}(\tilde{P}, S) \stackrel{?}{=} \hat{e}(X' + U', R + wQ_{ID_A}), \qquad \mathrm{Verify}(SKP, SKPEQ) \stackrel{?}{=} \mathrm{True}.$$

Claim 4: The protocol GSign is complete and sound. Completeness is easily checked:
$$\hat{e}(\tilde{P}, S) = \hat{e}(\tilde{P}, b(r + w)[d_i(X + uQ_{ID_A}) + vQ_{ID_A}]) = \hat{e}(P', (r + w)[d_i(X + uQ_{ID_A}) + vQ_{ID_A}])$$
$$= \hat{e}(xP', R + wQ_{ID_A})\,\hat{e}(uP', R + wQ_{ID_A})\,\hat{e}(vP', R + wQ_{ID_A}) = \hat{e}(xP' + uP' + vP', R + wQ_{ID_A}) = \hat{e}(X' + U', R + wQ_{ID_A}).$$
The soundness of GSign again rests on the ECDL proofs: only Bob can prove knowledge of $x$.

Claim 5: GSign possesses all the essential properties PROP.
Response to Property 1 (Non-repudiation). Only the party holding the private signing key $K$ authorized by Alice can sign on behalf of the group.
Response to Property 2 (Dynamic key management). The group public key $\tilde{P}$ never changes when a new member is added.
Response to Property 3 (Untraceability). Because of the blinding factor $b$ in GSign, a group signature is untraceable and unlinkable by a signature recipient.
Response to Property 4 (Revocation). To enable revocation, Alice stores $X$ when issuing Bob's signing key. When revocation is needed, Alice checks $\hat{e}(X', Q_{ID_A}) \stackrel{?}{=} \hat{e}(P', X)$ to find which stored $X$ matches $X'$, thereby identifying the signer.

4.3 Update

Once a group public key $\tilde{P}$ is set up, there is normally no need to update it when a new member is enrolled, because the value of $l$ can be very large (see the next section for the proof). However, if the size of the group needs to be enlarged, this can be done as follows. Assume a group public key must be signed by the group manager to form a certificate, and the verification key is made public. The signature token consists of the public key, a timestamp, and a group ID; the timestamp indicates the issue time of the public key. Alice selects a number $s' \ne s$, $s' \in \mathbb{Z}_q$, and the corresponding set $\{d'_i\}_{i=1,2,\ldots,l}$, where each $d'_i$ satisfies the condition $d'_i s' = s' \bmod q$. The public key is now set as $\tilde{P}_2 \leftarrow s'P$. This new public key is then signed by Alice to construct the corresponding public key certificate. The new public key can still be used to verify group signatures constructed with one of the old signing keys, while the old public key $\tilde{P}$ is no longer valid for the new subgroup. This is fine, since a group signature must come with a timestamp and group ID that tell which public key has to be used for verification.

4.4 Proof of Security

Again, there are three possible attacks against our protocol. We can still apply the security proof model of our proxy signature; however, because the protocol also relies on the secrecy of $\{d_i\}$ and $s$, we must take this factor into account in the security proof.

Scenario 1: Bob against Alice.

Scenario 1.1: Bob tries to find Alice's secrets by attacking the parameters $d_i$. Bob can try all numbers in $\mathbb{Z}_q$ and find all matches for $\bar{d}\,s \bmod q = s$ to form a set $\{\bar{d}_i\}_{i=1,2,\ldots,\beta}$. We will prove that $\beta$ is large. Bob needs to collaborate with another member (say, Don), hoping that two valid equations with respect to $d_i$ and $d_j$ can be found, $K_i \leftarrow d_i(X + Q_1) + Q_2$ for Bob and $K_j \leftarrow d_j(X + Q_1) + Q_2$ for Don, so that $Q_1$ and $Q_2$ can be solved for. However, picking the two correct values from $\beta$ possible choices is hard, and moreover Bob does not know which two are correct. Suppose Bob picks two of them at random; then the probability is
$$\Pr(\bar{d}_i = d_i,\ \bar{d}_j = d_j \mid d_i, d_j \in \mathbb{Z}_q) = \frac{2}{\beta(\beta - 1)}.$$
We show below that this is infeasible, since it is easy to find a set $\{d_i\}$ such that $\beta(\beta - 1)/2 > q$.

Theorem 3. The size of the set $\{d_i\}$ is bounded by $\alpha = \mathrm{GCF}(s, q)$, the greatest common factor of $s$ and $q$.

Proof: Set $s' \leftarrow s/\alpha$ and $q' \leftarrow q/\alpha$. Note that $d_i s \bmod q = s$ is equivalent to
$$d_i - 1 = \frac{\kappa q}{s} = \frac{\kappa q/\alpha}{s/\alpha} = \frac{\kappa q'}{s'}$$
for some integer $\kappa$. Since $\mathrm{GCF}(q', s') = 1$, $d_i - 1$ (and hence $d_i$) is an integer iff $\kappa = \gamma s'$ for some integer $\gamma$. Thus $d_i = \gamma q' + 1$. As required, $d_i \le q = \alpha q'$, which gives
$$\gamma q' + 1 = d_i \le \alpha q', \quad \text{i.e.}\quad \gamma \le \alpha - 1/q'. \qquad (1)$$
Since $s < q$, we have $\alpha < q$ and $q' = q/\alpha > 1$. Thus, from (1), the integer $\gamma$ must satisfy $\gamma \le \alpha - 1$. It can be shown that for each $\gamma \le \alpha - 1$ there is a unique $d_i$ such that $d_i s \bmod q = s$, and for each such $d_i$ there is a unique $\gamma \le \alpha - 1$ such that $d_i s - s = \gamma s' q$. Therefore, given $s$ and $q$, the total number of different $d_i \ne 1$ satisfying $d_i s \bmod q = s$ is $\alpha - 1$. Counting $d_i = 1$ as well, the size of $\{d_i\}$ is bounded by $\alpha$.

Remark 2: By Theorem 3, for a given $q$ it is easy to find $s$ such that $\alpha = \mathrm{GCF}(s, q)$ satisfies $\alpha(\alpha - 1)/2 > q$. Therefore, the probability of finding correct $d_i$, $Q_1$ and $Q_2$ is smaller than $1/q$. In other words, it is harder than solving an ECDL problem.

Scenario 1.2: Bob takes advantage of $\mathcal{A}_2$, where $\mathcal{A}_2$ is capable of launching an adaptively chosen ID attack with a fixed message. We will not define $\mathcal{A}_2$ in detail; it is similar to the Turing machine defined in [17], except that we treat the ID as a message that can be adaptively chosen. Our system clearly falls into the category of the Pointcheval-Stern security proof, as we can assume there exists a Turing machine $\mathcal{B}$ that, by the Forking Lemma, can output two valid signatures (i.e., signing keys):
$$K \leftarrow d_i(xQ_{ID_A} + uQ_{ID_A}) + vQ_{ID_A}, \qquad K' \leftarrow d_i(x'Q_{ID_A} + uQ_{ID_A}) + vQ_{ID_A}.$$
By solving these equations, the adversary obtains the value of $d_i Q_{ID_A}$ and can then compute new signing keys. The probability of success and the time required are the same as those given in Lemma 2.

Scenario 2: Alice against Bob. Alice tries to extract Bob's secret key $xQ_{ID}$. The security proof of the SKP has been given in the section on the proxy signature. Since $b$ is randomly chosen by Bob and the security proof of the SKPEQ involves only one random oracle, Theorem 1 still applies.

Scenario 3: Chris against Bob. Chris tries to find the secret signing key $K$ and the secret key $xQ_{ID}$. The SKPEQ can be done easily once $K$ and $xQ_{ID}$ have been found. Lemma 2 and Theorem 2 apply directly to this scenario.

5 Conclusion

We have proposed two novel delegated signature schemes, a proxy signature and a group signature, based on the pairing. These schemes have some novel properties that have not been explored before. Our proxy signature scheme allows a proxy signature to be naturally linked to the associated proxy's identity, since verification requires the ID as an input parameter. Our group signature satisfies all basic requirements for group signatures. The distinct feature of our group signature scheme is its suitability for multiple signing groups, as signature recipients can identify the group of a signer but not the identity of the signer. Our schemes have been proven secure against adaptively chosen message and ID attacks and fit well into the security proof models of Pointcheval and Stern [17] and Cha and Cheon [16].

References

1. M. Mambo, K. Usuda, and E. Okamoto. Proxy signatures for delegating signing operation. In Proc. of the Third ACM Conf. on Computer and Communications Security.
2. D. Chaum and E. van Heijst. Group signatures. In Advances in Cryptology, Proc. EUROCRYPT '91, LNCS 547, Springer-Verlag.
3. L. Chen and T. P. Pedersen. New group signature schemes. In Advances in Cryptology, EUROCRYPT '94, LNCS 950, Springer-Verlag, Berlin.

4. J. Camenisch. Efficient and generalized group signatures. In Advances in Cryptology, EUROCRYPT '97, LNCS 1233, Springer-Verlag, Berlin.
5. J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In Advances in Cryptology, Proc. CRYPTO '97, LNCS 1296, Springer-Verlag, Berlin.
6. J. Camenisch and M. Michels. A group signature scheme with improved efficiency. In Advances in Cryptology, ASIACRYPT '98, LNCS 1514, Springer-Verlag, Berlin.
7. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Advances in Cryptology, Proc. CRYPTO 2000, LNCS 1880, Springer-Verlag, Berlin.
8. A. Menezes, T. Okamoto, and S. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, vol. 39.
9. A. Joux. A one round protocol for tripartite Diffie-Hellman. In Proc. of the ANTS-IV conference, Lecture Notes in Computer Science (W. Bosma, ed.), Springer-Verlag.
10. D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In Advances in Cryptology, Proc. CRYPTO 2001, LNCS 2139 (J. Kilian, ed.), Springer-Verlag.
11. D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In Advances in Cryptology, ASIACRYPT 2001, LNCS 2248, Springer-Verlag.
12. E. R. Verheul. Self-blindable credential certificates from the Weil pairing. In Advances in Cryptology, ASIACRYPT 2001, LNCS 2248, Springer-Verlag.
13. I. Blake, G. Seroussi, and N. Smart. Elliptic Curves in Cryptography. Cambridge University Press.
14. A. Joux and K. Nguyen. Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups. Available from eprint.iacr.org.
15. T. Okamoto and D. Pointcheval. The gap problems: a new class of problems for the security of cryptographic schemes. In PKC 2001, Lecture Notes in Computer Science 1992, Springer-Verlag, Berlin.
16. J. C. Cha and J. H. Cheon. An identity-based signature from gap Diffie-Hellman groups. In PKC 2003, Lecture Notes in Computer Science, Springer-Verlag.
17. D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, vol. 13, no. 3.
18. A. Fujioka, T. Okamoto, and K. Ohta. Interactive bi-proof systems and undeniable signature schemes. In Advances in Cryptology, Proc. EUROCRYPT '91, LNCS 547, Springer-Verlag, Berlin.


More information

Dr George Danezis University College London, UK

Dr George Danezis University College London, UK Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets

More information

Lecture 10: Zero-Knowledge Proofs

Lecture 10: Zero-Knowledge Proofs Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam

More information

Identity-Based Online/Offline Encryption

Identity-Based Online/Offline Encryption Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4 Identity-based Encryption Review

More information

Public Key Encryption with Conjunctive Field Keyword Search

Public Key Encryption with Conjunctive Field Keyword Search Public Key Encryption with Conjunctive Field Keyword Search Dong Jin PARK Kihyun KIM Pil Joong LEE IS Lab, POSTECH, Korea August 23, 2004 Contents 1 Preliminary 2 Security Model 3 Proposed Scheme 1 4 Proposed

More information

Introduction to Elliptic Curve Cryptography. Anupam Datta

Introduction to Elliptic Curve Cryptography. Anupam Datta Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups

More information