A Secure Anonymous Proxy Multi-signature Scheme

Transcription

1 A Secure Aoymous Proxy Multi-sigature Scheme Vishal Saraswat ad Rajeev Aad Sahu C.R.Rao Advaced Istitute of Mathematics Statistics ad Computer Sciece Hyderabad, Idia {vishal.saraswat, Keywords: Abstract: Idetity-based Cryptography, Biliear Map, CDHP, Provable Security, Digital Sigature, Sigig Rights Delegatio, Proxy Multi-sigature, Aoymity, Accoutability. A proxy sigature scheme eables a siger to delegate its sigig rights to ay other user, called the proxy siger, to produce a sigature o its behalf. I a proxy multi-sigature scheme, the proxy siger ca produce oe sigle sigature o behalf of multiple origial sigers. We propose a efficiet ad provably secure threshold-aoymous idetity-based proxy multi-sigature (IBPMS) scheme which provides aoymity to the proxy siger while also providig a threshold mechaism to the origial sigers to expose the idetity of the proxy siger i case of misuse. The proposed scheme is proved secure agaist adaptive chose-message ad adaptive chose-id attacks uder the computatioal Diffie-Hellma assumptio. We compare our scheme with the recetly proposed aoymous proxy multi-sigature scheme ad other ID-based proxy multi-sigature schemes, ad show that our scheme requires sigificatly less operatio time i the practical implemetatio ad thus it is more efficiet i computatio tha the existig schemes. 1 INTRODUCTION Digital sigature is a cryptographic primitive to guaratee data itegrity, etity autheticatio ad siger s o-repudiatio. A proxy sigature scheme eables a siger, O, also called the desigator or delegator, to delegate its sigig rights (without trasferrig the private key) to aother user P, called the proxy siger, to produce, o the delegator s behalf, sigatures that ca be verified by a verifier V uder the delegator O s public key. For example, the director of a compay may authorize the deputy director to sig certai messages o his behalf durig a certai period of his absece. Proxy multi-sigature is a proxy sigature primitive which eables a group of origial sigers O 1,...,O to trasfer their sigig rights to a proxy siger P who ca produce oe sigle sigature which covices the verifier V of the cocurrece of all the origial sigers. Threshold aoymous proxy multisigature provides aoymity to the proxy siger while also providig a (t, )-threshold mechaism to the origial sigers to expose the idetity of the proxy siger i case of misuse. The proxy idetificatio algorithm i the stadard proxy sigature protocol is replaced by a proxy exposure protocol where ay t (or more) out of origial sigers ca come together to expose the idetity of the proxy siger. Note that the threshold aoymous proxy multi-sigature is differet from threshold proxy sigatures i the sese that while i threshold proxy sigatures, ay t (or more) out of proxy sigers must come together to produce a valid sigature, i threshold aoymous proxy multi-sigature ay t (or more) out of origial sigers must come together to revoke the aoymity of the proxy siger. Cosider the followig example i a secure multiparty computatio settig, multiple parties O 1,...,O start a process P after autheticatig themselves. Oce the process P is started, the parties do ot eed to stay coected while the process P may remai active ad eed access to additioal resources that require further autheticatio. The parties thus delegate their rights to the process P ad the resources allow access to P as log as the resources ca verify that P was ideed authorised by the origial parties. The resources do ot eed to kow the idetity of the process at all ad P may remai aoymous to them. I fact, most of the times the resources do ot eve eed to kow whether it is actually the set of origial parties who were autheticated or their proxy P. But i case of a malicious process, the origial parties should be able to expose the process ad restrict ay further activities by it o their behalf. 55

2 SECRYPT2014-IteratioalCofereceoSecurityadCryptography 1.1 Related Work The otio of proxy sigature has bee aroud sice 1989 (Gasser et al., 1989) but it took almost seve years for the first costructio (Mambo et al., 1996) of a proxy sigature scheme to be proposed. Sice the may variats of the proxy sigature have bee proposed ad may extesios of the basic proxy sigature primitive have bee studied. The formal security model of proxy sigatures was first formalized i (Boldyreva et al., 2003) ad further stregtheed ad exteded to the idetity-based settig i (Schuldt et al., 2008). A formal security model for aoymous proxy sigatures was itroduced relatively recetly i (Fuchsbauer ad Poitcheval, 2008) by uifyig the otios of proxy sigatures ad group sigatures. The otio of proxy-aoymous proxy sigatures was itroduced i (Shum ad Wei, 2002). Their scheme was based o the proxy sigature scheme of (Lee et al., 2001) which was show isecure i (Su ad Hsieh, 2003). The aoymizatio techique itself was show to cause isecurity (Lee ad Lee, 2005) showed that the origial siger ca geerate valid proxy sigatures, thus violatig the property of the strog uforgeability. May proxy sigature schemes have sice bee proposed with the aim of providig aoymity of the proxy sigers (Yu et al., 2009; Toluee et al., 2012) provide proxy-aoymity by havig a large rig of proxy-sigers; (Wu et al., 2008; Fuchsbauer ad Poitcheval, 2008) require a large group of proxy sigers with oe or more group maagers to revoke the aoymity of a malicious proxy-siger; ad (Lee et al., 2005; Du ad Wag, 2013) require a trusted third-party or trusted authority or trusted dealer to provide the required fuctioality. I the rig-based ad group-based settigs, the proxy sigature schemes require that the umber of proxy sigers authorized by the origial siger is large eough to provide sufficiet aoymity to the proxy siger. The cost (time, space, etc.) of providig aoymity is rather large ad the aoymity is ot eve absolute but oly 1-out-of- where is the size of group or rig. The trusted third-party settig has its fair share of well-kow issues icludig the requiremet of a absolutely trustworthy authority/ dealer who is always available. The recetly proposed scheme of (Du ad Wag, 2013) is most otable i its attempt but it comes with several flaws. First ad foremost, their implemetatio of the aoymizatio techique is ot correct ad because of that the sigature verificatio caot be doe. I particular their proxy key geeratio is ot cosistet they are addig a group elemet with scalar elemets (itegers). Thus their scheme is ot cosistet ad is i fact icorrect. Secod, it is ot eve a proxy multi-sigature scheme but is just a cocateatio of proxy sigature schemes, where is the umber of origial sigers, sice each origial siger i the scheme issues a warrat with a differet pseudoym: Q pseui = R O + R Pi + Q P. Third, each origial siger O i ca reveal the idetity of the proxy siger P ad eve try to (partially) demostrate by usig the sigature of the proxy. Fourth, durig the proxy multi-sigature verificatio PMSVeri, it is required that the verifier checks whether or ot the proxy siger P is authorized by the origial sigers O 1,...,O i the warrat w. Nevertheless, if the verifier ca already check the authority of the proxy siger P the P ever remais aoymous! Fifth, the dealer D of the secret sharig scheme used by the origial sigers also kows the idetity of P ad ca also compute R Pi from the R O (which he computes himself) ad publicly available values Q P ad Q pseu. Fially, the scheme of (Du ad Wag, 2013) is based o the proxy multi-sigature scheme of (Cao ad Cao, 2009) which ca be show to be isecure (Xiog et al., 2011) whe = Our Cotributio To the best of our kowledge, almost all available proxy-aoymous sigature schemes are either too costly or iefficiet to be practical or have ot bee proved secure. We propose a efficiet ad provably secure threshold-aoymous ID-based proxy multisigature scheme which provides aoymity to the proxy siger while also providig a threshold mechaism to the origial sigers to expose the idetity of the proxy siger i case of misuse. The proposed scheme is proved secure agaist adaptive chosemessage ad adaptive chose-id attacks uder the computatioal Diffie-Hellma (CDH) assumptio. I this paper, we build our scheme o the techique of pseudoym ad secret sharig as suggested by (Du ad Wag, 2013) to provide the required fuctioality the idetity of the proxy siger is hidde but i case of misuse of the delegated rights, t or more of the origial sigers ca come together to reveal the proxy siger s idetity. I our scheme we modify the structure of the warrat slightly. As i usual proxy sigature schemes, the warrat i our scheme icludes the ature of message to be delegated, period of delegatio, idetity iformatio of origial sigers, etc. But ulike usual proxy sigature schemes, it does ot iclude the idetity iformatio of the proxy siger. Istead, the warrat icludes the proxy siger s pseudoym, which 56

3 ASecureAoymousProxyMulti-sigatureScheme is a proxy sigature verificatio key that caot be liked to the idetity of the proxy siger easily t or more origial sigers must come together to reveal the proxy siger s idetity. Compared with the scheme of (Du ad Wag, 2013), our scheme allows the proxy siger to act as the dealer of the secret sharig scheme ad uses a verifiable secret sharig scheme (Pederse, 1991) to restrict the proxy from actig as a malicious dealer. Our scheme requires oly 2 broadcasts compared to of Du s scheme to costruct the pseudoym of the proxy ad thus our scheme requires 33% less broadcasts to provide aoymity. Also we use a much more efficiet ad provably secure proxy multisigature scheme of (Sahu ad Padhye, 2012) as our basic scheme so that the overall proxy sigature has less operatio time ad thus more efficiet (14%-23% more) tha the existig best schemes i computatio. 1.3 Outlie of the Paper The rest of this paper is orgaized as follows. I Sectio 2, we itroduce some related mathematical defiitios, problems ad assumptios. I Sectio 3, we preset the formal defiitio of a aoymous ID-based proxy multi-sigature scheme ad a security model for it. Our proposed aoymous ID-based proxy multi-sigature scheme is preseted i Sectio 4. I Sectio 5 we aalyze the security of our scheme. Fially, Sectio 6 icludes the efficiecy compariso. 2 PRELIMINARIES I this sectio, we itroduce some relevat defiitios, mathematical problems ad assumptios ad briefly discuss the verifiable secret sharig scheme. 2.1 Biliear Map Let G 1 be a additive cyclic group with geerator P ad G 2 be a multiplicative cyclic group with geerator g. Let the both groups are of the same prime order q. The a map e : G 1 G 1 G 2 satisfyig the followig properties, is called a cryptographic biliear map: 1. Biliearity: For all a,b Z q, e(ap,bp) = e(p,p) ab, or equivaletly, for all Q,R,S G 1, e(q + R,S) = e(q,s)e(r,s) ad e(q,r + S) = e(q, R)e(Q, S). 2. No-Degeeracy: There exists Q,R G 1 such that e(q,r) 1. Note that sice G 1 ad G 2 are groups of prime order, this coditio is equivalet to the coditio e(p,p) 1, which agai is equivalet to the coditio that e(p,p) is a geerator of G Computability: There exists a efficiet algorithm to compute e(q,r) G 2, for ay Q,R G Discrete log (DL) Assumptio Let G 1 be a cyclic group with geerator P. Defiitio 1. Give a radom elemet Q G 1, the discrete log problem (DLP) i G 1 is to compute a iteger Z q such that Q = P. Defiitio 2. The DL assumptio o G 1 states that the probability of ay polyomial-time algorithm to solve the DL problem i G 1 is egligible. 2.3 Computatioal Diffie-Hellma (CDH) Assumptio Let G 1 be a cyclic group with geerator P. Defiitio 3. Let a,b Z q be radomly chose ad kept secret. Give P,aP,bP G 1, the computatioal Diffie-Hellma problem (CDHP) is to compute abp G 1. Defiitio 4. The (t, ε)-cdh assumptio holds i G 1 if there is o algorithm which takes at most t ruig time ad ca solve CDHP with at least a oegligible advatage ε. 2.4 Verifiable Secret Sharig The otio of secret sharig was itroduced idepedetly by (Shamir, 1979) ad (Blakley, 1979) to eable a secret to be shared amog a group of users so that the secret ca be recostructed oly whe a sufficiet umber of them come together. For itegers ad t such that 1 < t, a (t,)-secret sharig scheme cosists of two phases: 1. i the splittig phase, a dealer shares a secret σ amog users; 2. i the combiig phase, oly t or more users i the group ca recostruct the secret σ. Verifiable secret sharig (VSS), itroduced i (Chor et al., 1985), eables each user to verify the correctess of their shares to prevet malicious attack performed by the dealers. For the purpose of this paper, we use Pederse s o-iteractive ad iformatio theoretic secure VSS (Pederse, 1991). This scheme protects the secret to be distributed ucoditioally for ay value of t, (1 < t ), ad the correctess of the shares depeds o the assumptio that the dealer caot fid discrete logarithms before the distributio has bee completed. 57

4 SECRYPT2014-IteratioalCofereceoSecurityadCryptography 3 ANONYMOUS ID-BASED PROXY MULTI-SIGNATURE SCHEME AND ITS SECURITY MODEL Here we give a formal defiitio of a aoymous ID-based proxy multi-sigature scheme ad a formal security model for it as preseted i (Cao ad Cao, 2009; Sahu ad Padhye, 2012) built upo the work of (Boldyreva et al., 2003) ad (Schuldt et al., 2008). 3.1 Aoymous ID-based Proxy Multi-Sigature Scheme I a (t, )-threshold aoymous ID-based proxy multi-sigature scheme, group of origial sigers are authorized to trasfer their sigig rights to a sigle proxy siger to sig ay documet aoymously o their behalf but i case of misuse of the delegated rights by the proxy siger, t or more of the origial sigers ca come together to reveal ad demostrate the idetity of the proxy siger. Public ad private keys of origial ad proxy sigers are geerated by a Private Key Geerator (PKG), usig their correspodig idetities. Let the origial sigers O i have the idetities ID Oi, i = 1,...,, ad the proxy siger P has the idetity ID P. A (t,)-threshold aoymous ID-based proxy multi-sigature scheme ca be defied cosistig the followig: Setup: For a security parameter k, the PKG rus this algorithm ad geerates the public parameters params ad a master secret of the system. Further, the PKG publishes params ad keeps the master secret cofidetial. Extract: This is a private key geeratio algorithm. For a give idetity ID, public parameters params ad master secret, PKG rus this algorithm to geerate private key S ID of the user with idetity ID, ad provides this private key through a secure chael to the user correspodig to the idetity ID. Proxy multi-geeratio: This is a iteractive protocol amog the origial sigers ad the proxy siger. I this phase, the group of origial sigers iteract with the proxy siger to agree o a pseudoym to aoymize the idetity of the proxy siger ad a warrat w which icludes the ature of message to be delegated, period of delegatio, idetity iformatio of origial sigers, the pseudoym for the proxy siger etc. Fially the origial sigers delegate their sigig rights to the proxy siger ad the proxy siger produces the (secret) proxy sigig key. This algorithm takes as iput, the idetities ID Oi,ID P ad private keys S IDOi,S IDP of all the users ad outputs the pseudoym Q IDQ, the warrat w, the shares ρ Oi of the origial sigers, the delegatio V Oi, i = 1,...,, ad the proxy sigig key S P. Proxy multi-sigature: This is a radomized algorithm, the proxy siger rus this algorithm to geerate a proxy multi-sigature o a iteded message m. This algorithm takes proxy sigig key of the proxy siger, the warrat w, message m ad outputs the proxy multi-sigature σ P. Proxy multi-verificatio: This is a determiistic algorithm ru by the verifier o receivig a proxy multi-sigature σ P o ay message m. This algorithm takes as iputs the proxy multi-sigature σ P, the message m, the warrat w, the idetities ID Oi of all the origial sigers, Q IDQ ad outputs 1 if the sigature σ P is a valid proxy multi-sigature o behalf of the group of origial sigers o m, ad outputs 0 otherwise. We emphasize that the actual idetity ID P of the proxy siger is ot required but the pseudoym Q IDQ, as i the warrat, is required for the verificatio. Reveal & Demostrate: To reveal ad demostrate the proxy siger s idetity, t or more origial sigers combie their shares ρ Oi to recover the shared secret ρ O ad proceed to reveal the proxy siger s idetity from the pseudoym. 3.2 Security Model for Aoymous ID-based Proxy Multi-Sigature Schemes Uforgeability I this model we cosider a case where a adversary A tries to forge the proxy multi-sigature workig agaist a sigle user, oce agaist a origial siger say O i ad oce agaist the proxy siger P. We cosider that ID Oi (i = 1,...,) deotes idetities of the origial sigers ad ID P deotes idetity of the proxy siger. The adversary A is allowed to access polyomial umber of hash queries, extractio queries, proxy multi-geeratio queries ad proxy multi-sigature queries. The goal of the adversary A is to produce oe of the followig forgeries: 58

5 ASecureAoymousProxyMulti-sigatureScheme 1. A proxy multi-sigature for a message m by user 1 o behalf of the origial sigers, such that either the origial sigers ever desigated user 1, or the message m was ot submitted i the proxy multisigature queries. 2. A proxy multi-sigature for a message m by some user i (i 1) o behalf of the origial sigers, such that user i was ever desigated by the origial sigers, ad user 1 is oe of the origial sigers. A ID-based proxy multi-sigature scheme is said to be existetial uforgeable agaist adaptive chosemessage ad adaptive chose-id attack if there is o probabilistic polyomial time adversary A with a o-egligible advatage agaist the challeger C i the followig game: 1. Setup: Challeger C rus the Setup algorithm ad provides the public parameters params to the adversary A. 2. Extract query: Whe the adversary A asks private key of ay user with idetity ID i, the challeger rus the Extract algorithm ad respods the private keys to the adversary. 3. Proxy multi-geeratio query: Whe the adversary A requests to iteract with the user 1 for the proxy sigig key by proxy multi-geeratio query o the warrat w ad idetities ID i of its choice where the user 1 may be either oe of the origial sigers or the proxy siger, the challeger C rus the proxy multi-geeratio algorithm to respod the proxy sigig key to the adversary ad maitais correspodig lists. 4. Proxy multi-sigature query: Proceedig adaptively whe the adversary A requests for a proxy multi-sigature o message m ad warrat w of its choice, C respods by ruig the proxy multisigature algorithm ad maitais a query list say L pms for it. 5. Output: After the series of queries, A outputs a ew proxy multi-sigature (U P,σ P,U,w) o message m uder a warrat w for idetities ID Oi ad ID P. Where A has ever requested private keys for ID Oi ad ID P i extractio queries. A has ever requested a Proxy multi-geeratio query icludig warrat w ad idetities ID Oi. A has ever requested a proxy multi-sigature query o message m with warrat w ad idetity ID P. The adversary A wis the above game if the ew ID-based proxy multi-sigature (U P,σ P,U,w) o message m is valid. Defiitio 5. A ID-based proxy multi-sigature forger A (t,q H,q E,q pmg,q pms,+1,ε)-breaks the + 1 users ID-based proxy multi-sigature scheme by the adaptive chose-message ad adaptive chose-id attack, if A rus i at most t time; makes at most q H hash queries; at most q E extractio queries; at most q pmg proxy multi-geeratio queries; at most q pms proxy multi-sigature queries; ad the success probability of A is at least ε. Defiitio 6. A ID-based proxy multi-sigature scheme is (t,q H,q E,q pmg,q pms, + 1,ε)- secure agaist adaptive chose-message ad adaptive chose-id attacks, if o adversary (t,q H,q E,q pmg,q pms, + 1,ε)-breaks it Aoymity ad Accoutability Defiitio 7 (Aoymity). By aoymity we mea that o oe except the origial sigers should be able to determie the idetity of the proxy siger from the proxy sigatures or the warrat. Defiitio 8 (Threshold Aoymity). By (t, )- threshold aoymity we mea that eve the origial sigers O i who kow the idetity of the proxy siger P should ot be able to prove that P is the siger of a certai proxy multi-sigature uless at least t of the origial sigers participate i the proof. Defiitio 9 (Accoutability). Accoutability esures that the proxy siger P does ot abuse its aoymity. Ay t (or more) out of origial sigers ca come together to prove that P is the siger of ay verifiable desigated proxy multi-sigature. Remark: Note that each of the origial sigers always kow the idetity of the proxy siger P sice they delegate their rights to P. Our defiitios require that ay group of less tha t origial sigers is ot able to prove to a third party that P is ideed the proxy siger. 4 PROPOSED SCHEME I this sectio, we preset our efficiet ad provably secure threshold-aoymous idetity-based proxy multi-sigature (IBPMS) scheme which provides aoymity to the proxy siger while also providig a threshold mechaism to the origial sigers to expose the idetity of the proxy siger i case of misuse. Our scheme cosists of the followig phases: setup, extract, proxy multi-geeratio, proxy multi-sigature, proxy multi-verificatio, reveal & demostratio. The scheme uses the followig sigature scheme which was proved to be secure i (Sahu ad Padhye, 2012) (with Setup ad Extract as defied below i the defiitio of the threshold aoymous proxy multisigature): 59

6 SECRYPT2014-IteratioalCofereceoSecurityadCryptography Sigature: To sig a message m {0,1}, radomly selects r Z q, computes U = rp G 1, h = H 2 (m U) ad V = hs ID + rpub. The sigature o message m is σ = U,V. Verificatio: To verify a sigature σ = U,V o message m for a idetity ID, the verifier first computes Q ID = H 1 (ID), ad h = H 2 (m U). The accepts the sigature if ad rejects otherwise. e(p,v ) = e(pub,hq ID +U), 4.1 Our Aoymous IBPMS Scheme Setup: For a give security parameter 1 k, let G 1 be a additive cyclic group of prime order q with geerator P ad G 2 be a multiplicative cyclic group of the same prime order q. Let e : G 1 G 1 G 2 be a cryptographic biliear map as defied above. Let H 1 ad H 2 are two hash fuctios defied for security purpose as H 1 : {0,1} G 1 ad H 2 : {0,1} Z q. The PKG radomly selects s Z q ad sets Pub = sp as public value. Fially, the PKG publishes system s public parameter params = k,e,q,g 1,G 2,H 1,H 2,P,Pub ad keeps the master secret s cofidetial to itself oly. Give a user s idetity ID, the PKG com- Extract: putes its public key as: Q ID = H 1 (ID) ad private key as: S ID = sq ID respectively. Proxy multi-geeratio: To delegate the sigig capability to the proxy siger P, the origial sigers do the followig jobs to make a siged warrat w. The warrat icludes the ature of message to be delegated, period of delegatio, idetity iformatio of origial sigers, the pseudoym for the proxy siger etc. I successfully completio of the protocol, proxy siger gets a proxy sigig key S P. Delegatio geeratio: (a) Pseudoym geeratio: Each origial siger with idetity ID Oi selects a radom umber ρ Oi Z q ad seds it to the proxy siger P i a secure chael. P computes ρ O = ρ O1 +ρ O2 + +ρ O Z q ad uses a (t,)- threshold verifiable secret sharig scheme (Pederse, 1991) to split ρ O ito shares ρ si, i = 1,2,...,. P the sets R O = ρ O P ad seds R O,ρ si to the correspodig origial siger O i for i = 1,2,..., through a secure chael. P also selects a radom umber ρ P Z q, computes R P = ρ P P ad its stadard sigature s RP. Fially P seds R P,s RP to all the origial sigers O i for i = 1,2,..., through a secure chael. Each origial siger computes Q IDQ = Q IDP +R P +R O as the proxy siger s pseudoym, which will be icluded i the warrat ad will be used as the sigature verificatio key. Remark: Note that all the origial sigers ca come together with the ρ Oi that they set to P ad compute ρ O = ρ O1 +ρ O2 + +ρ O to expose the idetity of the proxy siger i case of misuse. We are usig a threshold secret sharig scheme to provide a threshold mechaism to the origial sigers so that oly t of the origial sigers are sufficiet to participate to expose the idetity of the proxy siger. Also ote that we use a verifiable secret sharig scheme so that a malicious proxy siger caot mislead the origial sigers with a icorrect ρ si to avoid beig held resposible for its proxy-sigatures. The origial sigers ca verify their shares as soo as they receive it ad are assured that the ρ si they receive will correctly costruct to ρ O correspodig to the R O which they receive. Also, P s sigature is required for orepudiatio. (b) Delegatio geeratio: For i = 1,...,, each O i selects r i Z q, computes U i = r i P ad broadcasts U i to the other 1 origial sigers. For i = 1,...,, each O i computes U = U i, h = H 2 (w U), ad V Oi = hs IDOi + r i Pub ad seds (w,u i,v Oi ) to the proxy siger P, with V Oi as a delegatio value. Delegatio verificatio: For i = 1,...,, P verifies the delegatio by U = U i ad h = H 2 (w U) ad checkig e(p,v Oi ) = e(pub,hq IDOi +U i ). If the above equality does ot hold for some i = 1,...,, P requests a valid delegatio (w,u i,v Oi ) or termiates the protocol. 60

7 ASecureAoymousProxyMulti-sigatureScheme Proxy sigig key geeratio: Havig accepted delegatios (w,u i,v Oi ), i = 1,...,, P computes S IDQ = S IDP + ρ P Pub + ρ O Pub ad sets the proxy sigig key S P as S P = V O + hs IDQ, where V O = V O i ad h = H 2 (w U). Remark: Note that S IDQ = S IDP + ρ P Pub + ρ O Pub = sq IDP + ρ P sp + ρ O sp = s(q IDP + ρ P P + ρ O P) = s(q IDP + R P + R O ) = sq IDQ. So, (Q IDQ,S IDQ ) is a valid public-key / private-key pair. Proxy multi-sigature: To sig a message m aoymously o behalf of the group of origial sigers, the proxy siger P computes the followig: Radomly picks r P Z q, ad computes - U P = r P P, - h P = H 2 (m U P ) ad - V P = h P S P + r P Pub. The aoymous proxy multi-sigature o message m, by P o behalf of the origial sigers is σ P = (w,u P,V P,U). Proxy multi-verificatio: To verify a aoymous proxy multi-sigature σ P = (w,u P,V P,U) for message m uder a warrat w, the verifier proceeds as follows: Checks whether or ot the message m coforms to the warrat w. If ot, stop. Cotiue otherwise. Checks whether or ot the pseudoym Q IDQ is authorized by the group of origial sigers i the warrat w. If ot, stop. Cotiue otherwise. Computes h P = H 2 (m U P ), h = H 2 (w U) ad accepts the proxy sigature if ad oly if the followig equality holds: e(p,v P ) = e(pub,h P (h( Q IDOi +Q IDQ )+U)+U P ). Remark: Note that the idetity of the proxy siger P or its public key Q IDP is ot required for the verificatio. Reveal & Demostrate: To reveal the idetity of the proxy siger, ay origial siger O i ca reveal R O ad R P ad show that Q IDQ = Q IDP + R P + R O. That R P was ideed set by P is proved usig the sigature s RP. To prove that R O is ot just a solutio to the equatio Q IDQ = Q IDP + R P + R O, t or more origial sigers combie their shares to recover the secret ρ O ad show that R O = ρ O P. 5 SECURITY ANALYSIS I this sectio, we aalyze the correctess, security, threshold-aoymity ad accoutability of our scheme. First we prove the correctess of the scheme, the we prove that the uderlyig IBPMS scheme is existetial uforgeable agaist adaptive chosemessage ad adaptive chose-id attacks ad fially we aalyze the threshold-aoymity ad accoutability of the proposed aoymous proxy multi-sigature scheme. 5.1 Correctess Theorem 10. The preseted threshold aoymous proxy multi-sigature scheme is correct. Proof. This follows sice e(p,v P ) = e(p,h P S P + r P Pub) = e(p,h P (V O + hs IDQ ) + r P Pub) = e(p,h P ( + r P Pub) = e(pub,h P ( + r P P) = e(pub,h P ( +U P ) (hs IDOi + r i Pub) + hs IDQ ) = e(pub,h P (h( +U P ). (hq IDOi + r i P) + hq IDQ ) hq IDOi + r i P + hq IDQ ) Q IDOi + Q IDQ ) +U) 5.2 Security Proof of the IBPMS Scheme We ow prove that the uderlyig IBPMS scheme is existetial uforgeable agaist adaptive chose- 61

8 SECRYPT2014-IteratioalCofereceoSecurityadCryptography message ad adaptive chose-id attacks. We facilitate the adversary to adaptively select the idetity o which it wats to forge the sigature. Further the adversary ca obtai the private keys associated to the idetities. The adversary also ca access the proxy multi-geeratio oracles o warrats w of its choice, ad proxy multi-sigature oracles o the warrat, messages pair (w,m ) of its choice, as may times it wats. Theorem 11. We cosider the radom oracle for reply to hash queries. If there exists a adversary A(t,q H1,q H2,q E,q pmg,q pms,ε) which breaks the proposed ID-based proxy multisigature scheme, the there exists a adversary B(t,q H 1,q H 2,q E,q pmg,q pms,ε ) which solves CDHP i time at most t t + (q H1 + q E + 2q pmg + 4q pms + 1)C G1 with success probability at least ε ε(1 1/q) M(q E + q pmg + q pms + + 1) where C G1 deotes the umber of scalar multiplicatios i group G 1. Proof. First of all the challeger rus the setup algorithm ad provides the params = q,g 1,G 2,e,P,sP,bP to B. Here, A is a forger algorithm whose goal is to break the uderlyig ID-based proxy multi-sigature scheme. The adversary B simulates the challeger ad iteracts with A. The goal of B is to solve CDHP by computig sbp G 1. Key Geeratio: For security parameter 1 k, B geerates the system s public parameter params = q,g 1,G 2,e,P,Pub,H 1,H 2 ad provides Pub = sp to A. H 1 -queries: To respod to the H 1 hash fuctio queries, B maitais a list L H1 = { ID,h,a,c }. Whe A queries the H 1 hash fuctio o some idetity ID i {0,1}, B respods as follows: 1. If the query ID i already appears i the list L H1 i some tuple ID i,h i,a i,c i the algorithm B respods to A with H 1 (ID i ) = h i. 2. Otherwise B picks a radom iteger a i Z q ad geerates a radom coi c i {0,1} with probability Pr[c i = 0] = λ, for some λ [0,1]. 3. If c i = 0, B computes h i = a i (bp) ad if c i = 1, B computes h i = a i P. 4. Algorithm B adds the tuple ID i,h i,a i,c i to the list L H1 ad respods to A with h i. H 2 -queries: To respod to the H 2 hash fuctio queries, B maitais a list L H2 = { w,u, f }. Whe A requests the H 2 query o (w,u ) for some warrat w, B respods as follows: 1. If the query (w,u ) already appears o the list L H2 i some tuple w,u, f the algorithm B respods to A with H 2 (w U ) = f. 2. Otherwise B picks a radom iteger f Z q ad adds the tuple w,u, f to the list L H2 ad respods to A with H 2 (w U ) as H 2 (w U ) = f. Extractio queries: If A requests a private key o idetity ID i, B respods as follows: 1. B rus the above algorithm for respodig to H 1 queries o ID i ad obtais the correspodig tuple ID i,h i,a i,c i o the list L H1. 2. If c i = 0, the B outputs failure ad termiates. 3. If c i = 1, the B respods to A with S IDi = a i Pub G 1. Remark: Note that H 1 (ID i ) = h i = a i P so that e(s IDi,P) = e(a i Pub,P) = e(a i P,Pub) = e(h 1 (ID i ),Pub) = e(q IDi,Pub). Thus, S is a valid private key correspodig to the idetity ID i ad the probability of success is (1 λ), because we have cosidered the case for c i = 1. Proxy multi-geeratio queries: Whe the adversary A requests to iteract with either the proxy siger or ayoe from the origial sigers, the challeger B respods as follows: 1. Suppose, A requests to iteract with the user ID Oi, who is playig the role of oe of the origial sigers. For this, A creates a warrat w ad requests ID Oi to sig the warrat. B queries w to its sigig oracle ad upo receivig a respose U O i,v O i, seds w,u O i,v O i to A ad adds the warrat w to the delegatio geeratio list say L del. 2. Suppose, A requests to iteract with user ID P, where ID P is playig the role of the proxy siger. For this, A creates a warrat w ad computes the 62

9 ASecureAoymousProxyMulti-sigatureScheme sigatures V O i = H 2 (w U )S IDOi + x i Pub. Where U = x i P for radomly selected x i Z q ad S IDOi is private key of the origial siger O i which ca be collected by A i the extractio query. The A seds (w,v O i ) (for i = 1,...,) to B. B provides the correspodig proxy sigig key S P to A ad adds the tuple w,s P to the proxy multi-geeratio list say L pmg. I either of the above cases, 1. B rus the above algorithm for respodig to H 2 queries o w obtaiig the correspodig tuple w,u, f, o L H2 list. 2. For H 1 query, if c = 0, the B reports failure ad termiates. If c = 1, the, H 1 (ID Oi ) = a Oi P. The for V O i = f a Oi Pub + x i Pub, oe ca check that: e(pub, f Q IDOi +U i ) = e(pub, f H 1 (ID Oi ) +U i ) = e(pub, f a Oi P + x ip) = e(p, f a Oi Pub + x ipub) = e(p,v O i ). Hece the above provided proxy sigig key is valid. The success probability is (1 λ), because we have cosidered the case for c = 1. Proxy multi-sigature queries: Proceedig adaptively whe adversary A requests for a proxy multisigature o message m of its choice (with satisfyig the warrat w ), by the proxy siger P o behalf of the origial sigers O i, (i = 1,2,..,). B does the followig: 1. rus the above algorithm to respod H 2 -queries o w, obtaiig the tuple w,u, f o L H2 list. 2. If c = 0 the reports failure ad termiates. If c = 1, the by the correspodig H 1 -query h = ap. Now B radomly selects r P,r Z q ad computes U P = r P P ad U = r P the havig H 2 (w U ) = f from H 2 query, for the tuple w,u, f ad H 2 (m U P ) = f P from H 2 query, for the tuple m,u P, f P, B agai computes Q P = f ( Q ID Oi + Q IDP ) +U. Fially B computes V P = [ f P { f (a O1 + + a O + a P ) + r } + r P ]Pub for the sigature o message m. Oe ca check that: e(pub, f P { f ( Q IDOi + Q IDP ) +U } +U P ) = e(pub, f P { f (H 1 (ID O1 ) + + H 1 (ID O ) + H 1 (ID P )) +U } +U P ) = e(pub, f P { f (a O1 P + + a O P + a P P) + r P} + r P P) (for the case whe c = 1) = e(pub, f P { f (a O1 + + a O + a P ) + r }P + r P P) = e(p, f P { f (a O1 + + a O + a P ) + r }Pub + r P Pub) = e(p,[ f P { f (a O1 + + a O + a P ) + r } + r P ]Pub) = e(p,v P ). Hece, the produced proxy multi-sigature (w,u P,V P,U ) o message m is valid, which satisfies e(p,v P ) = e(pub,h P (h( Q IDOi +Q IDP )+U )+U P ). The success probability is (1 λ), because we have cosidered the case for c = 1. Hece, the probability that B does ot abort durig the simulatio is (1 λ) q E +q pmg +q pms. Output: If B ever reports failure i the above game, A outputs a valid ID-based proxy multisigature (w,u P,V P,U) o message m which satisfies e(p,v P ) = e(pub,h P (h( Q IDOi +Q IDP )+U)+U P ). If A does ot query ay hash fuctio, that is, if resposes to all the hash fuctio queries are picked radomly the the probability that verificatio equality holds is less tha 1/q. Hece, A outputs a ew valid ID-based proxy multi-sigature (w,u P,V P,U) o message m with the probability (1 λ) q E +q pmg +q pms (1 1/q). Now we compute the success probability of B for the solutio of CDHP usig the above forgeries (by A). We cosider both the possible cases, viz., success probability i case whe A plays agaist a origial siger ad whe A plays agaist the proxy siger. 63

10 SECRYPT2014-IteratioalCofereceoSecurityadCryptography Case 1. Suppose, A simulates B ad requests to iteract with ay user say ID O1, where the user ID O1 is playig the role of oe origial siger. For ID O1, A did ot request the private key i Extractio queries, A did ot request a Proxy multi-geeratio query icludig w,id O1 ad A did ot request a Proxy multi-sigature query icludig ID O1,w,m. If c = 1, the H 1 (ID Oi ) = a Oi P for i = 2,...,, ad H 1 (ID P ) = a P P from the H 1 -query. Further B computes VP = V P ([ f P { f (a O2 + + a O + a P ) + r } + r P ]Pub), the proceeds to solve CDHP usig the equality: e(p,v P ) = e(pub,h P (h( Q IDOi + Q IDP ) +U ) +U P ) = e(pub, f P { f (H 1 (ID O1 ) + + H 1 (ID O ) + H 1 (ID P )) +U } +U P ) = e(pub, f P { f (a O2 + + a O + a P ) + r }P + r P P)e(Pub, f P { f H 1 (ID O1 )}) = e(p,[ f P { f (a O2 + + a O + a P ) + r } or, by above we ca write + r P ]Pub)e(Pub, f P { f H 1 (ID O1 )}) e(p,v P ) = e(pub, f P { f H 1 (ID O1 )}) = e(pub, f P f a O1 (bp)) = e(p, f P f a O1 (bsp)) = e(p,k(bsp)) where k = f P f a O1 Z q. Comparig the compoets o both sides, B gets V P = k(bsp) which implies that k 1 VP = bsp. Thus B ca solve a istace of CDHP. The probability of success is λ(1 λ). Case 2. Whe A simulates B ad requests to iteract with a user ID P, where user ID P is the proxy siger. For ID P, A did ot request the private key, A did ot request a proxy multi-geeratio query icludig w,id P ad A did ot request a proxy multisigature query icludig ID P,w,m. As the above case, we ca show that B ca derive sbp with the same success probability λ(1 λ). Hece the overall success probability that B solves the CDHP i the above attack game is: ε = λ(1 λ) q E +q pmg +q pms + (1 1/q)ε. Now the maximum possible value of the above probability occurs for 1 λ = q E + q pmg + q pms Hece the optimal success probability is ε(1 1/q) M(q E + q pmg + q pms + + 1) where M 1 is the maximum value of for Therefore λ = (1 λ) q E +q pmg +q pms + 1 q E + q pmg + q pms ε ε M(q E + q pmg + q pms + + 1). 1 1/q Now takig care of ruig time, oe ca observe that the ruig time of algorithm B is same as A s ruig time plus the time take to respod to the hash, extractio, proxy multi-geeratio ad proxy multi-sigature queries, that is, q H1 + q H2 + q E + q pmg + q pms. Hece, the maximum ruig time is give by t + (q H1 + q E + 2q pmg + 4q pms + 1)C G1, as each H 1 Hash query requires oe scalar multiplicatio i G 1, Extractio query also requires oe scalar multiplicatio i G 1, proxy multi-geeratio query requires two scalar multiplicatios i G 1, proxy multisigature query requires four scalar multiplicatios i G 1 ad to output CDH solutio from A s forgery, B requires at most oe scalar multiplicatio i G 1. Hece t t + (q H1 + q E + 2q pmg + 4q pms + 1)C G Aoymity Theorem 12. The preseted threshold aoymous proxy multi-sigature scheme is aoymous. Proof. Sice ρ Oi Z q are radom, so is ρ O ad hece so is R O = ρ O P. Also, sice ρ P Z q is radom, so is R P = ρ P P. Sice ρ Oi, ρ si, R O ad R P were commuicated through a secure chael, these are hidde from ay adversary. So, o adversary would be able to ascertai the idetity of the proxy siger from the computatio Q IDQ = Q IDP + R P + R O. I fact, ote that eve a collusio of t origial sigers (t < t) caot recover ρ O ad caot really prove that P is ideed the proxy siger. The last statemet follows from the security of the threshold verifiable secret sharig (Pederse, 1991) ad to get the value ρ O from R O, the adversary has to solve discrete log problem, which is assumed to be hard. 64

11 ASecureAoymousProxyMulti-sigatureScheme 5.4 Accoutability Theorem 13. The preseted threshold aoymous proxy multi-sigature scheme is accoutable. Proof. To reveal the idetity of the proxy siger, ay origial siger O i ca reveal R O ad R P ad show that Q IDQ = Q IDP + R P + R O. (1) That R P was ideed set by P is proved usig the sigature s RP. To prove that R O is ot just a solutio to the equatio (1), t or more origial sigers combie their shares to recover the secret ρ O ad show that R O = ρ O P. Sice R P was radomly chose by P, give Q IDP ad Q IDQ, R O is also radom, ad hece dishoest origial sigers ca produce correct ρ O oly if they ca solve the discrete log problem i G 1. 6 EFFICIENCY COMPARISON Here, we compare the efficiecy of our scheme with the IBPMS schemes of (Cao ad Cao, 2009), (Du ad Wag, 2013) ad (Shao, 2009), ad show that our scheme is more efficiet i the sese of computatio ad operatio time tha these schemes. For the computatio of operatio time, we refer to (Debiao et al., 2011) where the operatio time for various cryptographic operatios have bee obtaied usig MIR- ACL (MIRACL), a stadard cryptographic library, ad the hardware platform is a PIV 3 GHZ processor with 512 M bytes memory ad the Widows XP operatig system. For the pairig-based scheme, to achieve the 1024-bit RSA level security, Tate pairig defied over the supersigular elliptic curve E = F p : y 2 = x 3 +x with embeddig degree 2 was used, where q is a 160-bit Solias prime q = ad p a 512-bit prime satisfyig p + 1 = 12qr. We ote that the OT for oe pairig computatio is 20.04ms, for oe scalar multiplicatio it is 6.38ms, for oe map-topoit hash fuctio it is 3.04ms ad for oe geeral hash fuctio it is < 0.001ms. To evaluate the total operatio time i the efficiecy compariso tables, we use the simple method from (Cao et al., 2010; Debiao et al., 2011). I each of the three phases: proxy multigeeratio, proxy multi-sigature ad proxy multiverificatio, we compare the total umber of biliear pairigs (P), scalar multiplicatios (SM), map-topoit hash fuctios (H) ad the cosequet operatio time (OT) while omittig the operatio time due to a geeral hash fuctio which is egligible compared to the other three operatios. Further, across all the compared schemes, i the computatio table for proxy multi-geeratio, we take ito cosideratio the computatios of oly oe of the origial sigers followig the methodology of (Cao et al., 2010; Debiao et al., 2011). For example, the proxy multi-geeratio phase of our scheme takes 2 pairig operatios, 7 scalar multiplicatios ad 1 map-to-poit hash fuctio. Hece the total operatio time for this phase ca be calculated as: = 87.78ms. Similarly, we have computed the total OT i other phases for all the schemes. Table 1: Efficiecy Compariso Proxy multi-geeratio: Scheme P H SM OT (ms) (Cao ad Cao, 2009) (Du ad Wag, 2013) (Shao, 2009) Our scheme Proxy multi-sigature: Scheme P H SM OT (ms) (Cao ad Cao, 2009) (Du ad Wag, 2013) (Shao, 2009) Our scheme Proxy multi-verificatio: Scheme P H SM OT (ms) (Cao ad Cao, 2009) (Du ad Wag, 2013) (Shao, 2009) Our scheme Overall Time: Scheme P H SM OT (ms) (Cao ad Cao, 2009) (Du ad Wag, 2013) (Shao, 2009) Our scheme * The scalar multiplicatios due to pseudoym geeratio are ot cosidered. From the efficiecy compariso table (1), it is clear that our scheme is computatioally more efficiet ad havig less operatio time tha the schemes (Cao ad Cao, 2009; Du ad Wag, 2013; Shao, 2009). REFERENCES Blakley, G. R. (1979). Safeguardig cryptographic keys. I Natioal Computer Coferece, pages

12 SECRYPT2014-IteratioalCofereceoSecurityadCryptography Boldyreva, A., Palacio, A., ad Warischi, B. (2003). Secure proxy sigature schemes for delegatio of sigig rights. IACR Cryptology eprit Archive, 2003:096. Cao, F. ad Cao, Z. (2009). A secure idetity-based proxy multi-sigature scheme. Iformatio Scieces, 179(3): Cao, X., Kou, W., ad Du, X. (2010). A pairig-free idetity-based autheticated key agreemet protocol with miimal message exchages. Iformatio Scieces, 180(15): Chor, B., Goldwasser, S., Micali, S., ad Awerbuch, B. (1985). Verifiable secret sharig ad achievig simultaeity i the presece of faults (exteded abstract). I FOCS, pages Debiao, H., Jiahua, C., ad Ji, H. (2011). A id-based proxy sigature schemes without biliear pairigs. A. Telecommu., 66(11-12): Du, H. ad Wag, J. (2013). A aoymous but accoutable proxy multi-sigature scheme. Joural of Software, 8(8): Fuchsbauer, G. ad Poitcheval, D. (2008). Aoymous proxy sigatures. I Security ad Cryptography for Networks, pages Gasser, M., Goldstei, A., Kaufma, C., ad Lampso, B. (1989). The digital distributed system security architecture. I NCSC 89, pages Lee, B., Kim, H., ad Kim, K. (2001). Strog proxy sigature ad its applicatios. I Proc of SCIS, volume 1, pages Lee, N.-Y. ad Lee, M.-F. (2005). The security of a strog proxy sigature scheme with proxy siger privacy protectio. Applied mathematics ad computatio, 161(3): Lee, Y.-H., Hog, S.-M., ad Yoo, H. (2005). A secure strog proxy sigature scheme with proxy siger privacy protectio. I CCCT 05. (Iteratioal Coferece o Computig, Commuicatios ad Cotrol Techologies). Mambo, M., Usuda, K., ad Okamoto, E. (1996). Proxy sigatures: Delegatio of the power to sig messages. IEICE trasactios o fudametals of electroics, commuicatios ad computer scieces, 79(9): MIRACL. Multiprecisio iteger ad ratioal arithmetic cryptographic library. Pederse, T. P. (1991). No-iteractive ad iformatiotheoretic secure verifiable secret sharig. I Advaces i Cryptology CRYPTO 91, pages Sahu, R. A. ad Padhye, S. (2012). Efficiet id-based proxy multi-sigature scheme secure i radom oracle. Frotiers of Computer Sciece, 6(4): Schuldt, J. C. N., Matsuura, K., ad Paterso, K. G. (2008). Proxy sigatures secure agaist proxy key exposure. I Public Key Cryptography, volume 4939 of LNCS, pages Shamir, A. (1979). How to share a secret. Commuicatios of the ACM, 22(11): Shao, Z. (2009). Improvemet of idetity-based proxy multi-sigature scheme. Joural of Systems ad Software, 82(5): Shum, K. ad Wei, V. K. (2002). A strog proxy sigature scheme with proxy siger privacy protectio. I Eablig Techologies: Ifrastructure for Collaborative Eterprises, WET ICE Proceedigs. Eleveth IEEE Iteratioal Workshops o, pages IEEE. Su, H.-M. ad Hsieh, B.-T. (2003). O the security of some proxy sigature schemes. IACR Cryptology eprit Archive, 2003:068. Toluee, R., Asaar, M. R., ad Salmasizadeh, M. (2012). A aoymous proxy sigature scheme without radom oracles. IACR Cryptology eprit Archive, 2012:313. Wu, K.-L., Zou, J., Wei, X.-H., ad Liu, F.-Y. (2008). Proxy group sigature: A ew aoymous proxy sigature scheme. I Machie Learig ad Cyberetics, 2008 Iteratioal Coferece o, volume 3, pages Xiog, H., Hu, J., Che, Z., ad Li, F. (2011). O the security of a idetity based multi-proxy sigature scheme. Computers & Electrical Egieerig, 37(2): Yu, Y., Xu, C., Huag, X., ad Mu, Y. (2009). A efficiet aoymous proxy sigature scheme with provable security. Computer Stadards & Iterfaces, 31(2):