A Model of Bilinear-Pairings Based Designated-Verifier Proxy Signatue Scheme*

Transcription

1 A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnatue Scheme Fengyng L,, Qngshu Xue, Jpng Zhang, Zhenfu Cao Department of Educaton Informaton Technology, East Chna Normal Unversty, 0006, Shangha, Chna School of Technques, Shangha Jao Tong Unversty, 00, Shangha, Chna Dept. of Computer Scence Engneerng, Shangha Jao Tong Unversty, 0040, Shangha, Chna Abstract. In a proxy sgnature scheme, one orgnal sgner delegates a proxy sgner to sgn messages on behalf of the orgnal sgner. When the proxy sgnature s created, the proxy sgner generates vald proxy sgnatures on behalf of the orgnal sgner. Based on Cha Cheon s ID-based sgnature scheme, a model of desgnated-verfer proxy sgnature scheme from the blnear parng s proposed. The proposed scheme can provde the securty propertes of proxy protecton, verfablty, strong dentfablty, strong unforgeablty, strong repudablty, dstngushablty preventon of msuse of proxy sgnng power. That s, nternal attacks, external attacks, colluson attacks, equaton attacks publc key substtuton attacks can be ressted. Introducton The proxy sgnature scheme [], a varaton of ordnary dgtal sgnature schemes, enables a proxy sgner to sgn messages on behalf of the orgnal sgner. Proxy sgnature schemes are very useful n many applcatons such as electroncs transacton moble agent envronment. Mambo et al. [] provded three levels of delegaton n proxy sgnature: full delegaton, partal delegaton delegaton by warrant. In full delegaton, the orgnal sgner gves ts prvate key to the proxy sgner. In partal delegaton, the orgnal sgner produces a proxy sgnature key from ts prvate key gves t to the proxy sgner. The proxy sgner uses the proxy key to sgn. As far as delegaton by warrant s concerned, warrant s a certfcate composed of a message part a publc sgnature key. The proxy sgner gets the warrant from the orgnal sgner uses the correspondng prvate key to sgn. Snce the concepton of the proxy sgnature was brought forward, a lot of proxy sgnature schemes have been proposed []-[4][6-8]. Ths paper s supported by the Natonal Natural Scence Foundaton of Chna under Grant No E. Bertno J.B.D. Josh (Eds.): CollaborateCom 008, LNICST 0, pp , 009. ICST Insttute for Computer Scences, Socal-Informatcs Telecommuncatons Engneerng 009

2 A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnatue Scheme 47 Recently, many threshold proxy sgnature schemes were proposed [] [6]-[4]. In threshold proxy sgnature schemes, a group of n proxy sgners share the secret proxy sgnature key. To produce a vald proxy sgnature on the message m, ndvdual proxy sgners produce ther partal sgnatures on that message, then combne them nto a full proxy sgnature on m. In a ( t, n) threshold proxy sgnature scheme, the orgnal sgner authorzes a proxy group wth n proxy members. Only the cooperaton of t or more proxy members s allowed to generate the proxy sgnature. Threshold sgnatures are motvated both by the dem whch arses n some organzatons to have a group of employees agree on a gven message or document before sgnng, by the need to protect sgnature keys from attacks of nternal external adversares. In 999, Sun proposed a threshold proxy sgnature scheme wth known sgners [9]. Then Hwang et al. [7] ponted out that Sun s scheme was nsecure aganst colluson attack. By the colluson, any t proxy sgners among t proxy sgners can cooperatvely obtan the secret key of the remer one. They also proposed an mproved scheme whch can guard aganst the colluson attack. After that, [6] showed that Sun s scheme was also nsecure aganst the conspracy attack. In the conspracy attack, t malcous proxy sgners can mpersonate some other proxy sgners to generate vald proxy sgnatures. To resst the attack, they also proposed a scheme. Hwang et al ponted out [8] that the scheme n [7] was also nsecure aganst the attack by the cooperaton of one malcous proxy sgner the orgnal sgner. In 00, L et al. [] proposed a threshold proxy sgnature scheme full of good propertes performance. The mult-proxy sgnature scheme was frst proposed n [4]. The mult-proxy sgnature scheme s a specal case of the threshold proxy sgnature scheme. The multproxy sgnature scheme allows an orgnal sgner to authorze a group of proxy members can generate the mult-sgnature on behalf of the orgnal sgner. In a desgnated-verfer proxy sgnature scheme, the proxy sgnature wll be verfed only by a desgnated verfer chosen by the proxy sgner. In 996, Jakobsson et al. desgned a desgnated-verfer proxy sgnature scheme for the frst tme []. In [], Da et al. proposed a desgnated-verfer proxy sgnature scheme based on dscrete logarthm problems. However, n 00, Wang ponted out that the orgnal sgner alone can forge vald proxy sgnatures to frame the proxy sgner [6]. In 004, L et al. proposed a desgnated-verfer proxy sgnature scheme from blnear parngs [7]. In 984, Shamr proposed dentty (ID)-based cryptography to smplfy key management remove the necessty of publc key certfcates [8]. In 00, a practcal ID-based encrypton scheme was found by Boneh Frankln, who took advantage of the propertes of sutable blnear parngs (the Wel or Tate parng) over supersngular ellptc curves [9]. Desgnated-verfer proxy sgnature scheme provdes both the securty propertes of desgnated verfer sgnatures those of proxy sgnatures. As far as the property of verfablty s concerned, the desgnated-verfer proxy sgnature scheme should meet the property of restrctve verfablty whch means that only the desgnated verfer can verfer the valdty of proxy sgnatures. In 00, Cha Cheon [0] desgned an ID-based sgnature scheme usng GDH groups. Under the rom oracle model, ther scheme s proved to be secure aganst exstental forgery on adaptvely chosen messages ID attacks supposng CDHP (Computatonal Dffe-Hellman Problem) s ntractable.

3 48 F. L et al. Based on Cha Cheon s ID-based sgnature scheme, a model of desgnatedverfer proxy sgnature scheme s proposed. The proposed scheme can provde the securty propertes of proxy protecton, verfablty, strong dentfablty, strong unforgeablty, strong nonrepudablty, dstngushablty, known sgners preventon of msuse of proxy sgnng power. That s, nternal attacks, external attacks, colluson attacks publc key substtuton attacks can be effcently ressted. In the paper, we organze the content as follows. In secton, we wll detal the related knowledge. We wll revew Cha Cheon s ID-based sgnature scheme n secton. In secton 4, we wll propose our model of proxy sgnature scheme usng blnear parngs. The correctness of the proposed scheme wll dscuss n secton 5. Fnally, the concluson s gven. Related Knowledge The In the secton, the blnear parngs the related mathematcal problems are ntroduced [9].. Blnear Parngs Let G be a cyclc addtve group produced by P, wth a prme order q, G be a cyclc multplcatve group wth the same order q. Then, e : G G G s a blnear parng wth the followng propertes: ab () Blnearty: e ( ap, bq) P, Q) for all P, Q G, a, b Zq. () Non-degeneracy: There exsts P, Q G such that e ( P, Q). () Computablty: There exsts an effcent algorthm to calculate e ( P, Q) for all P, Q G. A blnear map satsfed the three propertes above s sad to be an admssble blnear map. It s well known that Wel Tate parngs related wth supersngular ellptc curves or abelan varetes can be modfed to get such blnear maps.. Some Mathematcal Problems () DLP (Dscrete Logarthm Problem): Gven two group elements P Q, fnd an nteger a Z q such that Q = ap whenever such an nteger exsts. () DDHP (Decson Dffe-Hellman Problem): For a, b, c Z q, gven P, ap, bp, cp, decde whether c abmod q. If t holds, ( P, ap, bp, cp) s called a vald Dffe- Hellman tuple. () CDHP (Computatonal Dffe-Hellman Problem): For a, b Zq, gven P, ap, bp, compute abp. (4) GDHP (Gap Dffe-Hellman Problem): A class of problem where DDHP s easy whle CDHP s hard.

4 A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnatue Scheme 49 When the DDHP s easy but the CDHP s hard on the group G, we call G a gap Dffe-Hellman (GDH) group.. Basc ID-Based Desgnated-Verfer Proxy Sgnature Scheme Usually, the knd of scheme conssts of fve phases: Setup, Extract, Proxy key par generaton, Proxy sgnature generaton proxy sgnature verfcaton. In the phase of Setup, a securty parameter k s taken as nput system parameters whch nclude a descrpton of a fnte message space M master key are returned. In general, the system parameters wll be publcly known, whle the master key wll be known only to the Prvate Key Generator (PKG). In the phase of Extract, the system parameters, master key an arbtrary ID {0,} are taken as nput a correspondng prvate key d ID s returned as output. In the phase of Proxy key par generaton, the orgnal sgner s prvate key, a warrant whch specfes the orgnal sgner, the proxy sgner other applcaton dependent delegaton nformaton explctly, the proxy sgner s dentty are taken as nput, a proxy key s returned as output. Only the proxy sgner can get the knowledge of the proxy prvate key, whle the proxy publc key s publc. In the phase of Proxy sgnature generaton, a message, the warrant, the desgnated verfer s dentty the proxy prvate key are taken as nput a desgnatedverfer sgnature s returned as output. In the phase of Proxy sgnature verfcaton, a sgnature the desgnated verfer s prvate key are taken as nput, or 0 s returned as output, meanng accept or reect, the nformaton that the sgnature s vald wth respect to a specfc orgnal sgner a proxy sgner. Revew of Cha Cheon s ID-Based Sgnature Scheme The scheme conssts of four phases: Setup, Extract, Sgn, Verfy. () Setup: Select a rom nteger :{0, } G Zq s Z q set P pub = sp. {0, } H : G H are two cryptographc hash functons. The system parameters are params= ( q, G, G, e, P, Ppub, H, H ). s Z q s the master key. () Extract: For a gven strng ID {0,}, the PKG computes Q ID = H ( ID ), get the correspondng prvate key d = sq. () Sgn: Gven a secret key d ID a message m, select an nteger romly, compute output a sgnature σ = ( U, V ). ID ID r Z q U = rqid, h = H( m, U ) () V = ( r + h). () d ID

5 40 F. L et al. (4) Verfy: To verfy a sgnature σ = ( U, V ) of a message m for an dentty ID, check whether e P, V ) P, U + H ( m, U ) Q ). () ( pub ID 4 A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnature Scheme The followng partcpants are nvolved n the scheme: the orgnal group G o, the proxy group G p, the desgnated verfer or recever Cndy, etc. In the scheme, we specfy that any t or more out of n orgnal sgners ( t n ) can delegate the sgnng capablty to the proxy group on behalf of G o. Smlarly, any t or more out of n proxy sgners ( t n) can represent G p to sgn a message on behalf of G o. Only desgnated verfer V can verfy the proxy sgnature. Throughout the paper, the system parameters are defned as follows: m w : a warrant that records the denttes of the orgnal sgners n G o the proxy sgners n G p, the parameters ( t, n ), ( t, n ), the vald delegaton perod, etc; AOSID: (Actual orgnal sgners ID) the denttes of the actual orgnal sgners; APSID: (Actual proxy sgners ID) the denttes of the actual proxy sgners. In addton, each user U has a romly selected prvate key d U publc key Q U. For each user U, ts dentty s ID. Suppose that G o = { O, O,..., On} G = P, P,..., P } are the groups of n orgnal sgners n proxy sgners p { n respectvely. The proposed scheme s stated as follows. The scheme s composed of three phases: proxy share generaton phase, proxy sgnature generaton phase proxy sgnature verfcaton phase. 4. Proxy Share Generaton Phase Step. Each of actual orgnal sgners O ( =,,..., t; t t) selects a rom nteger r Z q, calculates U = r Q (4) sends U to other orgnal sgners. Step. After O receves O ( =,,..., t; ), O computes t = ID O U U = (5)

6 A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnatue Scheme 4 V = ( r + H( m, AOSID, U )) d (6) passes m, AOSID, U, U, V ) to all of proxy sgners. ( w w Step. Each of proxy sgners P =,,..., n ) accepts m, AOSID, U, U, V ) by ( checkng whether the followng equaton holds: ID O ( w e P, V ) P, U + H ( m, AOSID, U ) Q ) (7) ( pub w IDO Step 4 If all ( m, AOSID, U, U, V ) s are vald, P computes hs proxy key par as w Then d P = V + H ( mw, AOSID, U ) d = ID P Q P = U + H( mw, AOSID, U )( QID + Q P can sgn messages whch conforms to = O ID P (8) ). (9) m w on behalf of the orgnal sgners. 4. Proxy Sgnature Generaton Phase Step. Each of proxy sgners, b Zq a calculates P = ) chooses two rom ntegers (,,..., t; t t X = a P, (0) IDCndy pub a Y = ( e( Q, P )) () B = b Q. () Meanwhle, he/she passes X, Y, B ) to other proxy sgners. Step. P also computes ( t = P X X =, () t Y Y =, (4) =

7 4 F. L et al. t B = B = (5) S = ( b + H( m, ) d. (6) H s a secure hash functon. Step 4. P sends m, m, AOSID, X, U, B, S ) to the sgnature combner. ( w Step 5. Upon The sgnature combner receves all of ndvdual proxy sgnature m, m, AOSID, X, U, B, S ) from all of proxy sgners, he or she calculates ( w t S = S =, then the sgnature combner passes ( m, m w, AOSID, X, U, B, as the proxy sgnature on the message m to the desgnated proxy sgnature verfer Cndy. 4. Proxy Sgnature Verfcaton Phase After recevng the proxy sgnature ( m, m w, AOSID, X, U, B,, the desgnated verfer Cndy operates as follows. Step. Check whether the message m parameters t, t P conforms to the warrant m w. If not, the scheme stop. Otherwse, contnue. Step. Check whether the actual orgnal sgners the actual proxy sgners are specfed as the orgnal sgners the proxy sgners, respectvely, n the warrant m w. If not, stop. Otherwse, contnue. Step. Cndy calculates Y d, X ) (7) ID Cndy Q = U + H ( m, AOSID, U )( Q ) + H ( m, AOSID, U ) Q ). (8) P w = IDO He or she accepts the proxy sgnature ( m, m w, AOSID, X, U, B, f only f the followng congruence holds: P w = IDP e ( P, P, B + H ( m, X, Y, Q ). (9) pub 5 Correctness of above Scheme Theorem : If the tuple ( m, m w, AOSID, X, U, B, s a sgnature by the above scheme, the desgnated verfer Cndy wll accept t.

8 A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnatue Scheme 4 Proof: S = = = = = s = P P = (( b ( b d = e( P, P, s pub pub S + H ( b Q t, = P + H P ( b Q, B + H ( m, ) d + H P ( m, d P P ( m, Q t t b Q P = = ( m, Q P ) )) P + H ( m, )) + H ( m, Q P )) Q P ) (0) () 6 Conclusons In the paper, based on Cha Cheon s ID-based sgnature scheme, a model of blnear-parngs based desgnated-verfer proxy sgnature scheme s proposed. As far as we know, t s the frst model of blnear-parngs based desgnated-verfer proxy sgnature scheme. The proposed scheme can provde the securty propertes of proxy protecton, verfablty, strong dentfablty, strong unforgeablty, strong nonrepudablty, dstngushablty preventon of msuse of proxy sgnng power,.e., nternal attacks, external attacks, colluson attacks, equaton attacks publc key substtuton attacks can be ressted. References. Mambo, M., Usuda, K., Okamoto, E.: Proxy Sgnature for Delegatng Sgnng Operaton. In: Proceedngs of the rd ACM Conference on Computer Communcatons Securty, pp ACM Press, New York (996). L, J.G., Cao, Z.F.: Improvement of a Threshold Proxy Sgnature Scheme. Journal of Computer Research Development 9(), (00) (n Chnese). L, J.G., Cao, Z.F., Zhang, Y.C.: Improvement of M-U-O K-P-W Proxy Sgnature Schemes. Journal of Harbn Insttute of Technology (New Seres) 9(), (00)

9 44 F. L et al. 4. L, J.G., Cao, Z.F., Zhang, Y.C.: Nonrepudable Proxy Mult-sgnature Scheme. Journal of Computer Scence Technology 8(), (00) 5. L, J.G., Cao, Z.F., Zhang, Y.C., L, J.Z.: Cryptographc Analyss Modfcaton of Proxy Mult-sgnature Scheme. Hgh Technology Letters (4), 5 (00) (n Chnese) 6. Hsu, C.L., Wu, T.S., Wu, T.C.: New Nonrepudable Threshold Proxy Sgnature Scheme wth Known Sgners. The Journal of Systems Software 58, 9 4 (00) 7. Hwang, M.S., Ln, I.C., Lu Erc, J.L.: A Secure Nonrepudable Threshold Proxy Sgnature Scheme wth Known Sgners. Internatonal Journal of Informatca (), 8 (000) 8. Hwang, S.J., Chen, C.C.: Cryptanalyss of Nonrepudable Threshold Proxy Sgnature Scheme wth Known Sgners. Informatca 4(), 05 (00) 9. Sun, H.M.: An Effcent Nonrepudable Threshold Proxy Sgnature Scheme wth Known Sgners. Computer Communcatons (8), 77 7 (999) 0. Sun, H.M., Lee, N.Y., Hwang, T.: Threshold Proxy Sgnature. IEEE Proceedngscomputers & Dgtal Technques 46(5), 59 6 (999). Zhang, K.: Threshold Proxy Sgnature Schemes. In: Informaton Securty Workshop, Japan, pp (997). Hsu, C.L., Wu, T.S., Wu, T.C.: Improvement of Threshold Proxy Sgnature Scheme. Appled Mathematcs Computaton 6, 5 (00). Tsa, C.S., Tzeng, S.F., Hwang, M.S.: Improved Nonrepudable Threshold Proxy Sgnature Scheme wth Known Sgners. Informatca 4(), 9 40 (00) 4. Hwang, S.J., Sh, C.H.: A Smple Mult-Proxy Sgnature Scheme. In: Proceedng of the Tenth Natonal Conference on Informaton Securty, Tawan (000) 5. Jakobsson, M., Sako, K., Impaglazzo, R.: Desgnated verfer proofs ther applcaton. In: Maurer, U.M. (ed.) EUROCRYPT 996. LNCS, vol. 070, pp Sprnger, Hedelberg (996) 6. Wang, G.: Desgnated-verfer proxy sgnatures for e-commerce. In: Proc. IEEE 004 Int. Conf. on Multmeda Expo (ICME 004), vol., pp (004) 7. L, X., Chen, K., L, S.: Desgnated-verfer proxy sgnatures for e-commerce from blnear parngs. In: Proc. of Int. Conf. on Computer Communcaton, pp (004) 8. Shamr, A.: Identty-based cryptosystems sgnature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 984. LNCS, vol. 96, pp Sprnger, Hedelberg (985) 9. Boneh, D., Frankln, M.: Identty-based encrypton from the Wel parng. In: Klan, J. (ed.) CRYPTO 00. LNCS, vol. 9, pp. 9. Sprnger, Hedelberg (00) 0. Cha, J.C., Cheon, J.H.: An dentty-based sgnature from gap dffe-hellman groups. In: Desmedt, Y.G. (ed.) PKC 00. LNCS, vol. 567, pp Sprnger, Hedelberg (00). Da, J., Yang, X., Dong, J.: Desgnated-receverproxy sgnature scheme for electronc commerce. In: Proc. of IEEE Internatonal Confernece on System, Man Cybernetcs, October 5-8, vol., pp (00)