Cryptanalysis of Threshold Proxy Signature Schemes 1)

Transcription

1 MM Research Preprnts, MMRC, AMSS, Academa Snca No. 23, December 24 Cryptanalyss of Threshold Proxy Sgnature Schemes 1) Zuo-Wen Tan and Zhuo-Jun Lu Key Laboratory of Mathematcs Mechanzaton Insttute of Systems Scence, AMSS, Academa Snca Bejng 18, Chna Abstract. A (t, n) threshold proxy sgnature scheme enables an orgnal sgner to delegate the sgnature authorty to a proxy group of n member such that t or more than t proxy sgners can cooperatvely sgn messages on behalf of the orgnal sgner. In the paper, we revew the securty of two nonrepudable threshold proxy sgnature schemes. We show that Tzeng et al. s threshold proxy sgnature scheme s nsecure aganst a malcous orgnal sgner s forgery and that Hsu et al. s threshold proxy sgnature scheme s unversally forgeable. In other words, nether of the above-mentoned threshold proxy sgnature schemes holds the unforgeablty and provdes non-repudaton as clamed. 1. Introducton In a proxy sgnature scheme, an orgnal sgner delegates a user, called a proxy sgner, to sgn message on ts behalf. Snce Mambo et al. ntroduced the concept of proxy sgnature [8], many proxy sgnature schemes have been proposed [1,3,4,6,7,9,14]. Mambo et al. s proxy sgnature schemes [8] satsfy the followng property: no one except the orgnal sgner and the proxy sgner can create a vald proxy sgnature on behalf of the orgnal sgner. J. Lee et al. [6] mproved the securty property of the proxy sgnature: only the proxy sgner can create a vald proxy sgnature and anyone else, even the orgnal sgner, can not generate a vald proxy sgnature. Thus, for a vald proxy sgnature, the actual proxy sgner cannot deny that he/she has sgned the message and the orgnal sgner cannot deny that he/she has delegated the sgnng authorty to the actual proxy sgner. The proxy sgnature scheme holds non-repudaton. K. Zhang and Km et al. ndependently proposed the threshold proxy sgnature schemes [5,15], respectvely. In a (t, n) threshold proxy sgnature scheme, a proxy sgnature key s shared among the subset of the n proxy sgners such that at least t proxy sgners can cooperatvely sgn messages on behalf of the orgnal sgner. To avod dspute about who are the actual sgners, Sun proposed a nonrepudable threshold proxy sgnature scheme wth known sgners ([12]). Sun s scheme elmnates Km et al. s scheme s dsadvantage that the verfer s unable to determne whether the proxy group key s generated by the legal proxy group. However, Hwang et al. [3] ponted out that Sun s scheme s nsecure aganst the colluson attack that any malcous proxy sgners can collude to obtan the prvate key of the 1) Supported by Natonal Scence Foundaton of Chna( )

2 Threshold Proxy Sgnature Schemes 227 proxy group and then mpersonate any other proxy group to produce vald proxy sgnatures. Hwang et al. ([3]) further made an mprovement to overcome the weakness of Sun s scheme. Unfortunately, C. -L. Hsu et al. showed Hwang et al. s threshold proxy sgnature scheme s stll vulnerable by the colluson attack ([4]). Any t or fewer than t malcous proxy sgners can stll collusvely forge vald proxy sgnatures. Furthermore, C. -L. Hsu et al. proposed an effcent nonrepudable threshold proxy sgnature scheme aganst the colluson attack ([4]). S.-F Tzeng et al. [13] stll found that n Hwang et al. s threshold proxy sgnature scheme, a malcous orgnal sgner can mpersonate any t or more than t proxy sgners to generate sgnatures on any message. S.-F Tzeng et al. also constructed a nonrepudable threshold proxy sgnature scheme wth known sgners (13]) and clamed the proposed scheme mproved the securty of Hwang et al. s threshold proxy sgnature scheme and acheved the nonrepudaton requrement. In ths paper, we wll pont out that Hsu et al. s threshold proxy sgnature scheme s unversally forgeable and that Tzeng et al. s threshold proxy sgnature scheme stll s vulnerable aganst the mpersonaton attack. In Tzeng et al. s scheme, a malcous orgnal sgner can mpersonate any proxy group and forge sgnatures on any message. The rest of ths paper s organzed as follows. In Secton 2, we wll brefly revew Tzeng et al. s threshold proxy sgnature scheme [13] and then demonstrate the attack by the malcous orgnal sgner. In Secton 3, we wll revew Hsu et al. s threshold proxy sgnature scheme [4] and then show the unversal attack by any adversary. Fnally, Secton 4 s dedcated to our concluson. 2. Tzeng et al. s threshold proxy sgnature scheme and ts attack In ths secton, we revew Tzeng et al s (t, n) threshold proxy sgnature scheme [13] and show that Tzeng et al. s threshold proxy sgnature scheme s vulnerable to the orgnal sgner s forgery attack Bref Revew of Tzeng et al. s Scheme Let p, q be two large prmes such that q p 1; g a generator of a subgroup of Zp wth order q. h( ) s a publc one-way hash functon. APSID denotes the denttes of the actual proxy sgners or the group of the actual proxy sgners. The orgnal sgner O has ts prvate key x o Zq and a publc ke o = g xo mod p. Each sgner P n the proxy group G = {P 1, P 2,, P n } has ts prvate key x Zq and a publc ke = g x mod p. The orgnal sgner s and the proxy sgners publc keys are all certfed by the certfcate authorty (CA). Let y G = n y. Tzeng et al. s scheme comprses four phases Secret Share Generaton Phase In the phase, all P n G cooperate to generate the secret share by executng Pedersen s (t, n) verfable secret sharng scheme [11] as follows. [1 ] P randomly chooses a (t 1)-degree polynomal n Z q [x] f (x) = x y + a A + a 1 x + a 2 x a,t 1 x t 1, wherea = g n a. (1)

3 228 Z.-W Tan, Z.-J, Lu [2 ] P publshes A l = g a l modp, l = 1, 2,, t 1 (2) [3 ] P computes f (j) and sends t to P j va a secure channel, where 1, j n, j. t 1 [4 ] P j valdates f (j) by checkng g f(j) = AA l=1 Ajl l mod p, and then computes the publc value A l (l = 1, 2,, t 1) and ts secret share s j, A l = A l mod p, (3) n s j = f (j) = f() mod q. (4) Proxy Share Generaton Phase Let m w be the warrant whch ncludes the dentty of O and each P n G, the threshold value t, and the vald delegaton tme, etc. The orgnal sgner O delegates the proxy group G by performng the followng steps. [1 ] The orgnal sgner O randomly chooses k Z q, and computes K = g k (mod p), and σ = x o h(m w K) + k (mod q). [2 ]O, as a dealer, dstrbutes the proxy key σ among the proxy group as follows. O randomly chooses a polynomal of degree t 1: f (x) = σ + b 1 x + b 2 x b t 1 x t 1 (mod q), and computes and secretly sends σ = f () (mod q) to each P ( = 1, 2,, n). Then, O publshes (m w, K) and B j = g b j (j = 1, 2,, t 1). [3 ]P accepts (σ, m w, K) f the equaton g σ = y h(mw K) o K t 1 Bj j P computes hs proxy share σ = σ + s h(m w K)( mod q) Proxy Sgnature Generaton Phase Wthout loss of generalty, let {P 1, P 2,, P t } be the actual proxy group. [1 ] Each P n APSID randomly chooses a (t 1)-degree polynomal n mod p holds. Then, f (z) = x y + c C + c 1 z + + c,t 1 z t 1 (mod q). (5) t c where y = C = g mod p. P ( = 1, 2,, t) publshes C l = g c l mod p, l = 1, 2,, t 1. (6) P computes f (j) and sends t to P j va a secure channel, where 1, j t, j. P j valdates f (j) by checkng gf (j) = t 1 Cy C jl l mod p, and then computes the publc value C l and ts secret share s j, l=1 C l = C l mod p, (7)

4 Threshold Proxy Sgnature Schemes 229 s j = t f (j) = f (j) mod q. (8) [2 ] Each P computes the ndvdual proxy sgnature γ = s y + σ h(ap SID m) (mod q) and sends γ to P j (j ) n a secure manner. P j can verfy the valdty of γ through the followng equaton: g γ = [ ( t 1 ( y G A A ) ( C j t 1 A j )] y [( Ky h(mw K) ) h(mw K) ] h(ap SID m) [3 ]Each P can apply Lagrange nterpolaton formula to generate t 1 mod p. ) B j T = f ()y + [f() + f ()]h(ap SID m) (1) Then, (m, m w, K, AP SID, y, A, T ) s a proxy sgnature on m Proxy Sgnature Verfcaton Phase The verfer can check the valdty of the proxy sgnature through the equaton: g T = [ KA A yh(mw K) ] h(ap SID m) ( (9) ) y mod p. (11) 2.2. Cryptanalyss of Tzeng et al. s scheme In the secton, we show that Tzeng et al. s scheme s nsecure aganst the orgnal sgner s forgery. Assume a malcous orgnal sgner wll mpersonate an actual proxy group AP SID and forge a proxy sgnature on message m. O chooses two random ntegers y, A n Z p and a random nteger a n Z q. The orgnal sgner O computes K = g a (A A s = h(ap SID m) 1 mod q, (12) ) 1 ( ) 1 s mod p. (13) O computes T = (x o h(m w K) + a)h(ap SID m) mod q, (14) Now, the proxy sgner O forges a vald proxy sgnature (m w, K, AP SID, y, A, T ) on message m. Ths s because: [ KA A yh(mw K) ] h(ap SID m) ( ) y

5 23 Z.-W Tan, Z.-J, Lu ) 1 ( ) s = g (A a A ( y y ) 1 A A yh(mw K) ( ) s ] h(ap SID m) ( ) y = [g a ( y y ) 1 y h(mw K) ) [ = g a y h(mw K) ] 1 ( ) y h(ap SID m) ( y y [ = g a y h(mw K) ] h(ap SID m) mod p = g T mod p. h(ap SID m) ( In fact, the orgnal sgner O has not delegated the sgnng authorty to the group AP SID, even G. So Tzeng et al. s scheme cannot provde the securty property nonrepudaton. 3. Hsu et al. s threshold proxy sgnature scheme and ts attack In ths secton, we revew Hsu et al s (t, n) threshold proxy sgnature scheme [4] and show that Hsu et al. s threshold proxy sgnature scheme s unversally forgeable Bref Revew of Hsu et al. s Scheme The parameters (p, q, g, h( ), y G ) n Hsu et al. s scheme are the same as those of Tzeng et al. s scheme. Let O be the orgnal sgner and G = {P 1, P 2,, P n } the proxy group. The orgnal sgner O has ts prvate key x o Zq, a publc ke o = g xo mod p and a publc dentfer v o Zq. Each sgner P n G has ts prvate key x Zq, a publc key y = g x mod p and a publc dentfer v Zq. Both O s publc key and P s publc keys are all certfed by the certfcate authorty (CA). Hsu et al. s scheme s composed of the followng four phases Secret Share Generaton Phase All the proxy sgners P n G cooperates to generate the secret share by executng Pedersen s (t, n) verfable secret sharng scheme [11]. [1 ] P randomly chooses a (t 1)-degree polynomal n Z q [x] f (x) = (x + a ) + a 1 x + a 2 x a,t 1 x t 1, (15) [2 ] Each P publshes A l = g a l modp (l =, 1, 2,, t 1). P computes f (v j ) and sends t to P j va a secure channel, where 1, j n, j. [3 ] P j valdates f (j) by checkng the equaton g f (v j ) t 1 = y A vl j l mod p, and then computes the publc value A l (l =, 1, 2,, t 1) and ts secret share γ j, l= ) y A l = A l mod p, (16) n γ j = f (v j ) mod q. (17)

6 Threshold Proxy Sgnature Schemes Proxy Share Generaton Phase The orgnal sgner O produces the warrant m w and delegates the proxy group G as follows. [1 ] The orgnal sgner O randomly chooses k Z q, and computes K = g k (mod p), and σ = x o h(m w K) + k (mod q). [2 ]O shares the proxy key σ among the proxy group by performng Pedersen s (t, n) verfable secret sharng scheme ([11]). O randomly generates a polynomal of degree t 1: f (x) = σ + b 1 x + b 2 x b t 1 x t 1 (mod q). O computes and secretly sends σ = f (v ) (mod q) to each P ( = 1, 2,, n). Fnally, O publshes (m w, K) and B j = g b j (j = 1, 2,, t 1). [3 ]If the equaton g σ = yo h(mw K) K t 1 Bvj j mod p holds, P accepts (σ, m w, K) and computes hs proxy share σ = σ + γ h(m w K)( mod q) Proxy Sgnature Generaton Phase Wthout loss of generalty, assume that {P 1, P 2,, P t } are the actual proxy group AP SID to produce the proxy sgnature on message m. They cooperatvely perform the followng steps. [1 ] Each P n APSID randomly chooses an nteger k Zq and broadcasts r = g k (mod q) among the proxy sgners n APSID. [2 ] Upon recevng all r j (j = 1, 2,, t), each P n APSID computes where L =,j R = r mod p, (18) s = k R + (L σ + x )h(a R ASID m) mod q, (19) ( v j )(v v j ) 1 mod q, and sends s to a desgnated clerk. The desgnated clerk s any proxy sgner n APSID. [3 ] The clerk valdates s by checkng the equaton g s = r R t 1 y o y G A A vj j h(m w K) t 1 K B vj j L y h(a R AP SID m) If all the ndvdual proxy sgnatures on m are vald, the clerk computes mod p. (2) t S = s j mod q. (21) Then, (m, m w, K, AP SID, R, A, S) s the proxy sgnature on m.

7 232 Z.-W Tan, Z.-J, Lu Proxy Sgnature Verfcaton Phase The verfer can dentfy the orgnal sgner and the proxy group G from the warrant m w, and check the valdty of the proxy sgnature through the equaton: ( )) h(a R AP SID m) g S = R ((y R o y G A ) h(mw K) K y mod p. (22) 3.2. Cryptanalyss of Hsu et al. s scheme In the secton, we show that Hsu et al. s scheme s nsecure aganst unversal forgery. An adversary can mpersonate any actual proxy group AP SID and forge a proxy sgnature on any message m. The adversary performs the followng steps. The adversary chooses random ntegers a, b, c n Z q. The adversary computes K = g a ( y ) 1 mod p, (23) A = y 1 G y 1 o g b mod p, (24) R = g c mod p. (25) Fnally, the adversary computes S = Rc + (bh(m w K) + a)h(a R AP SID m) mod q. (26) Now, the adversary forges a vald proxy sgnature (m w, K, AP SID, R, A, S) on message m. Ths s because: ( )) h(a R AP SID m) R ((y R o y G A ) h(mw K) K y ( ( ( = R R y o y G yg 1 y 1 o g b) h(m w K) )) h(a R AP SID m) g a ( y ) 1 y ( = g cr g bh(mw K) g a) h(a R AP SID m) = g cr+bh(mw K)+a)h(A R AP SID m) mod p = g S mod p. Therefore, Hsu et al. s scheme s nsecure aganst unveral forgery and cannot provde the securty property nonrepudaton. 4. Conclusons In the paper, we have analyzed the securty of two nonrepudable threshold proxy sgnature schemes wth known sgners. We have found that n Tzeng et al. s threshold proxy sgnature scheme, a malcous orgnal sgner can frame any actual proxy group and forge vald proxy sgnatures on any message. Hsu et al. s threshold proxy sgnature scheme s unversally forgeable. Thus, these proxy sgnature schemes cannot posses the clamed securty propertes.

8 Threshold Proxy Sgnature Schemes 233 References [1] A.Boldyreva, A. Palaco, B. Warnsch, Secure Proxy Sgnature Schemes for Delegaton of Sgnng Rghts Avalable at [2] S. J. Hwang and C. C. Chen, A new proxy mult-sgnature scheme, Internatonal workshop on cryptology and network securty, Tamkang Unversty, Tape, Tawan, Sep , 21. [3] M.-S. Hwang, I.-C. Ln and K.-F. Lu, A secure nonrepudable threshold proxy sgnature scheme wth known sgners, Internatonal Journal of Informatca 11(2), pp.1-8, 2. [4] C.-L Hsu and T-S Wu, Effcent nonrepudable threshold proxy sgnature scheme wth known sgners agast the colluson attack Appled Mathematcs And Computaton, 24. [5] S. J. Km, S. J. Park, D. H. Won, Proxy Sgnatures, revsted. ICICS 97, LNCS 1334, Sprnger- Verlag pp , [6] B. Lee, H. Km, and K. Km, Strong proxy sgngture and ts applcatons, Proceedngs of SCIS, 21, pp , 21. [7] B. Lee, H. Km, and K. Km, Secure moble agent usng strong non-desgnated proxy sgnature, Proc. ACISP 21, pp , 21. [8] M. Mambo, K. Usuda and E. Okamoto, Proxy sgnatures for delegatng sgnng operaton, Proc. 3rd ACM Conference on Computer and Communcatons Securty, ACM Press, pp , [9] Tal Malkn, Satosh Obana, and Mot Yung, The herarchy of key evovlvng sgnatures and a characterzaton proxy sgnatures, Proc. Advance n Cryptology-EUROCRYPTO 4, LNCS 327, Sprnger-Verlag, pp , 24. [1] H.-U. Park and L.-Y. Lee, A dgtal nomnatve proxy sgnature scheme for moble communcatons, ICICS 21, LNCS 2229, Sprnger-Verlag, pp , 21. [11] T. P. Pedersen. Dstrbuted Provers wth Applcatons to Undenable Sgnatures. Proc. Advance n Cryptology-EUROCRYPTO 91, LNCS 547, Sprnger-Verlag, pp , [12] H. M. Sun, An effcent nonrepudable threshold proxy sgnatures wth known sgners, Computer Communcatons 22(8),1999, pp [13] S.-F. Tzeng, M.-S. Hwang, and C.-Y. Yang, An mprovement of nonrepudable threshold proxy sgnature schemem wth known sgners, Computers & Securty 23,24, pp [14] S.-F. Tzeng, C.-Y. Yang, and M.-S. Hwang, A nonrepudable threshold mult-proxy multsgnature scheme wth shared verfcaton, Future Generaton Computer Systems 2, 24, pp [15] K. Zhang, Threshold proxy sgnature schemes, Informaton Securty Workshop, Japan, 1997, pp