A novel proxy key generation protocol and its application

Computer Standards & Interfaces 29 (2007) 191–195
www.elsevier.com/locate/csi

Xiaoming Hu ⁎, Shangteng Huang

Department of Computer Application Technology, Shanghai Jiao Tong University, Shanghai 200030, PR China

Received 20 November 2005; accepted 16 March 2006
Available online 4 May 2006

Abstract

Proxy signature is an important technology in secure e-commerce. Short signatures and fast verification are of paramount importance for its practical application. In this paper, we propose a proxy signature key generation protocol in which, for the first time, the warrant is the proxy public key. This protocol can be combined with an ID-based signature scheme from bilinear pairings to construct an ID-based proxy signature scheme. Furthermore, compared with all previous proxy signature schemes, the constructed scheme has two virtues: (1) the proxy signature is shorter because it does not include any parameters for rebuilding the proxy public key; (2) the verification of the proxy signature is faster because the proxy public key does not have to be computed. We also give such a proxy signature scheme.

© 2006 Elsevier B.V. All rights reserved.

Keywords: Proxy signature; Bilinear pairings; Proxy key; ID-based signature

⁎ Corresponding author: X. Hu.
0920-5489/$ - see front matter. doi:10.1016/j.csi.2006.03.005

1. Introduction

In 1996 [1], Mambo, Usuda, and Okamoto introduced the concept of proxy signature. A proxy signature scheme consists of three entities: original signer, proxy signer and verifier. In this scheme, an original signer can delegate his signing capability to a proxy signer in such a way that the proxy signer can sign any message on behalf of the original signer, and the verifier can verify and distinguish between an original signature and a proxy signature by a verification equation. There are three types of delegation: full delegation, partial delegation and delegation by warrant. In 1997, S. Kim et al. gave a new type of delegation called partial delegation with warrant [2], which can be considered as the combination of partial delegation and delegation by warrant. After Mambo et al.'s first scheme, many proxy signature schemes have been proposed [2–5].

In 1984, Shamir [6] asked for an ID-based public key encryption scheme in which the public key can be an arbitrary string. In 2001, Dan Boneh et al. [7] proposed a fully functional ID-based encryption scheme from bilinear pairing. From then on, some ID-based proxy signature schemes were proposed, such as [8–11]. In these schemes, the proxy signer generates the proxy key according to the delegation of the original signer. The proxy public key is a function of the proxy warrant, the original signer's public key, the proxy's public key and some parameters introduced in the proxy key generation protocol, so the proxy signatures include the parameters for rebuilding the proxy public keys. Furthermore, the proxy public keys must be computed to verify the proxy signatures. So these schemes are complicated and their computational cost is high.

In this paper, we propose a novel proxy signature key generation protocol in which, for the first time, we consider the warrant as the proxy public key. The protocol consists of three entities: original signer, proxy signer and KGC, which establishes the identity-based cryptosystem and generates private keys for users. The proxy key pair is a tuple (warrant, secret key). It is an ID-based key pair of the form (ID, secret key), so this protocol can be combined with any ID-based signature scheme from bilinear pairing to construct an ID-based proxy signature scheme. Compared with all previous proxy signature schemes, the scheme has two virtues: (1) the proxy signature is shorter because it does not include any parameters for rebuilding the proxy public key; (2) the verification of the proxy signature is faster because the proxy public key does not have to be computed. If the ID-based signature scheme is secure, the proxy signature scheme has the properties listed as follows [12]:

1. Strong unforgeability: A designated signer, called the proxy signer, can create a valid proxy signature for the original signer. But the original signer and third parties who are not authorized cannot create a valid proxy signature.
2. Verifiability: From a proxy signature, a verifier can be convinced of the original signer's agreement on the signed message, either by a self-authenticating form or by an interactive form.
3. Strong identity: Anyone can determine the identity of the corresponding proxy signer from a proxy signature.
4. Strong undeniability: Once a proxy signer creates a valid proxy signature for an original signer, the proxy signer cannot repudiate his signature creation.
5. Prevention of misuse: It should be assured that the proxy key pair cannot be used for other purposes, because the responsibility of the proxy signer should be determined explicitly by the warrant.

The rest of the paper is organized as follows: The next section briefly explains bilinear pairings. In Section 3, the proposed proxy key generation protocol is presented. Section 4 gives the analysis of the protocol. Section 5 gives its application in a proxy signature scheme. Section 6 concludes this paper.

2. Bilinear pairings

Let $(G_1, +)$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and let $G_2$ be a cyclic multiplicative group of the same order $q$. $H_1$ and $H_2$ are two cryptographic hash functions. A bilinear pairing is a map $e: G_1 \times G_1 \to G_2$ with the following properties:

1. Bilinear: For all $P, Q \in G_1$ and all $a, b \in Z_q^*$, we have $e(aP, bQ) = e(P, Q)^{ab}$.
2. Non-degenerate: There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
3. Computable: There is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

Now we describe some mathematical problems related to bilinear pairings.

– Discrete logarithm problem (DLP): Given two group elements $P$ and $Q \in G_1$, where $P$ is a generator of $G_1$, find an integer $n$ such that $Q = nP$, whenever such an integer exists.
– Decision Diffie–Hellman Problem (DDHP): For $a, b, c \in Z_q^*$, given $P, aP, bP, cP \in G_1$, where $P$ is a generator of $G_1$, decide whether $c = ab \bmod q$.
– Computational Diffie–Hellman Problem (CDHP): For $a, b \in Z_q^*$, given $P, aP, bP \in G_1$, where $P$ is a generator of $G_1$, compute $abP \in G_1$.

We assume throughout this paper that CDHP and DLP are intractable. When the DDHP is easy but the CDHP is hard on the group $G$, we call $G$ a Gap Diffie–Hellman (GDH) group.

Such groups can be found on supersingular elliptic curves or hyperelliptic curves over finite fields, and the bilinear pairings can be derived from the Weil or Tate pairing. We refer to Galbraith et al. [13] for more details.

3. Proposed protocol

In this section, we propose a novel proxy signature key generation protocol from bilinear pairing which consists of three entities: original signer, proxy signer and key generation center (KGC). There are three procedures in the scheme: Setup, Extract, and Generation of the proxy key.

3.1. Setup

Initially, the KGC selects $q$, $G_1$, $G_2$ and $e$, as defined in the previous section. Then the KGC chooses $P$ as the generator of $G_1$ and defines two one-way hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to Z_q$. The KGC selects $t \in Z_q^*$ and computes $P_{pub} = tP$, then keeps $t$ secret as the master key and publishes Params = $\{G_1, G_2, e, q, P, P_{pub}, H_1, H_2\}$.

3.2. Extract

– The original signer and the proxy signer submit their identity information $ID_o$, $ID_p$ to the KGC.
– The KGC computes a public/private key pair for them according to the following equations:

$$Q_o = H_1(ID_o), \quad Q_p = H_1(ID_p), \quad S_o = tQ_o, \quad S_p = tQ_p.$$

– The KGC returns them to the original signer and the proxy signer, respectively. In this way, the public and private keys of the original signer and the proxy signer are denoted by $(Q_o, S_o)$ and $(Q_p, S_p)$.

3.3. Generation of the proxy key

To delegate the signing capacity to the proxy signer, the original signer uses Hess's ID-based signature scheme [15] to make the signed warrant $W$. The proxy key generation protocol is shown in Fig. 1.

– The original signer creates a warrant $W$ containing an explicit description of the delegation relation, including the identity of the original signer and the proxy signer, the message to be signed, and so on. The original signer publishes $W$ and computes $S_1 = H_2(W, S_o)$. S/he sends $(W, S_1)$ to the KGC.
– Since the KGC knows the secret keys $S_o$ and $S_p$, the KGC can verify

$$S_1 = H_2(W, S_o).$$

The KGC accepts $(W, S_1)$ if the above equation holds, then computes

$$Q_w = H_1(W), \quad S_w = tQ_w, \quad S_2 = S_w + S_p.$$

– The proxy signer computes $S_w = S_2 - S_p$ and accepts $(W, S_2)$ if $e(S_w, P) = e(H_1(W), P_{pub})$. Then s/he keeps $S_w$ as the proxy private key.

Fig. 1. The proxy key generation protocol.
Original signer: creates a warrant $W$, computes $S_1 = H_2(W, S_o)$.
Original signer → KGC: $(W, S_1)$.
KGC: verifies $S_1 = H_2(W, S_o)$; computes $Q_w = H_1(W)$, $S_k = tQ_w$, $S_2 = S_k + S_p$.
KGC → proxy signer: $(W, S_2)$.
Proxy signer: computes $S_w = S_2 - S_p$; verifies $e(S_w, P) = e(H_1(W), P_{pub})$.
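The message flow of Section 3, followed by the sign/verify equations of Section 5.1 using the resulting key, as an added example that is not code from the paper. Assumptions: G1 is modelled as Z_q with P = 1 and e(X, Y) = g^(XY) mod p, which is bilinear but has no security because discrete logs in G1 are trivial; the parameters, identities, warrant text and function names are constructed. The page writes the verification coefficient as H1(m, U); the code uses the scalar h = H2(m, U) from the signing step so that both sides agree.

```python
# Added illustration (not the paper's code). Toy pairing only, NOT secure:
# G1 is modelled as Z_q with generator P = 1, so a point xP is the integer x and
# discrete logs in G1 are trivial. G2 is the order-q subgroup of Z_p^*.
import hashlib

q, p, g = 1019, 2039, 4          # constructed: p = 2q + 1, g generates the order-q subgroup
P = 1                            # generator of the toy G1

def e(X, Y):                     # e(xP, yP) = g^(xy): bilinear and non-degenerate
    return pow(g, (X * Y) % q, p)

def _digest(tag, parts):
    data = tag + b"|" + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H1(*parts):                  # {0,1}* -> G1, never the identity
    return _digest(b"H1", parts) % (q - 1) + 1

def H2(*parts):                  # {0,1}* -> Z_q
    return _digest(b"H2", parts) % q

class KGC:
    def __init__(self, t):
        self.t = t               # master key t in Z_q^*
        self.Ppub = (t * P) % q  # Ppub = tP

    def extract(self, identity): # Section 3.2: S_ID = t * H1(ID)
        return (self.t * H1(identity)) % q

    def issue(self, W, S1, id_o, id_p):
        # Section 3.3: the KGC recomputes S_o and checks S1 = H2(W, S_o)
        if S1 != H2(W, self.extract(id_o)):
            return None          # delegation request rejected
        Sw = (self.t * H1(W)) % q                # Sw = t * Qw
        return (Sw + self.extract(id_p)) % q     # S2 = Sw + Sp

def proxy_accept(W, S2, Sp, Ppub):
    Sw = (S2 - Sp) % q           # accept only if e(Sw, P) = e(H1(W), Ppub)
    return Sw if e(Sw, P) == e(H1(W), Ppub) else None

def proxy_sign(m, W, Sw, r):     # r must be fresh and random in Z_q^* per signature
    U = (r * H1(W)) % q          # U = r * Qw
    h = H2(m, U)
    return U, ((r + h) * Sw) % q # V = (r + h) * Sw

def proxy_verify(m, W, U, V, Ppub):
    # The verifier derives Qw = H1(W) from the warrant itself.
    return e(V, P) == e((U + H2(m, U) * H1(W)) % q, Ppub)

if __name__ == "__main__":
    kgc = KGC(t=777)                              # constructed master key
    So, Sp = kgc.extract("alice"), kgc.extract("bob")
    W = "alice delegates invoice signing to bob"  # constructed warrant
    S2 = kgc.issue(W, H2(W, So), "alice", "bob")
    Sw = proxy_accept(W, S2, Sp, kgc.Ppub)
    U, V = proxy_sign("invoice 42", W, Sw, r=123)
    print("signature valid:", proxy_verify("invoice 42", W, U, V, kgc.Ppub))
    print("tampered S2 accepted:", proxy_accept(W, (S2 + 1) % q, Sp, kgc.Ppub) is not None)
```

The verifier's inputs are only W, the signature (U, V) and the public parameters; no value for rebuilding a proxy public key travels with the signature.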

4. Security analysis of the protocol

4.1. Correctness

$$S_w = S_2 - S_p = (S_k + S_p) - S_p = S_k = tQ_w = tH_1(W)$$

So $(W, S_w)$ is an ID-based key pair.

4.2. Security

Assume that $A$ is the adversary holding the system parameters params = $\{G_1, G_2, e, q, P, P_{pub}, H_1, H_2\}$.

Theorem 1. $A$ can impersonate the original signer and forge a valid $(W, S_1)$ to the KGC with a probability $1/q$.

Proof. Suppose $A$ tries to impersonate the original signer and forge a valid $(W, S_1)$ to the KGC. The following equation must hold:

$$S_1 = H_2(W, S_o) \tag{1}$$

Given a warrant $W$, there is only one proper $S_1$. Since $S_o$ is hidden from $A$, he can obtain $S_1$ only by guessing. He succeeds in doing so with probability $1/q$. □

Theorem 2. $A$ can impersonate the KGC and forge a valid $(W, S_2)$ to the proxy signer with a probability $1/q$.

Proof. Suppose $A$ tries to impersonate the KGC and forge a valid $(W, S_2)$ to the proxy signer. The following equations must hold:

$$S_w = tH_1(W) \tag{2}$$

$$S_2 = S_w + S_p \tag{3}$$

Given a warrant $W$, there is only one proper $(S_w, S_2)$. Since $A$ does not know either $t$ or $S_p$, he can obtain $S_2$ only by guessing. He succeeds in doing so with probability $1/q$. □

Through the above two theorems, we know that the adversary cannot easily impersonate the original signer or the KGC. Therefore, the proxy key generation protocol is secure.

5. Application in proxy signature scheme

In this section, we show the application of the proxy key generation protocol in a proxy signature scheme. We remark that the proposed protocol can be combined with an ID-based signature scheme from bilinear pairing to construct an ID-based proxy signature scheme. Here we give one scheme as a sample. We also analyze the proposed scheme.

5.1. The proxy signature scheme

We give a proxy signature scheme that combines the proposed protocol and Cha–Cheon's ID-based signature scheme [14] as a sample. The scheme is as follows:

– (Setup, Extract, Generation of the proxy key): See the proposed protocol in Section 3. In the following, we use $Q_w$ as the proxy public key because $Q_w$ is computed from $W$. The proxy signer now holds the proxy key $(Q_w, S_w)$.
– (Proxy sign): Given the message $m$, the proxy signer randomly chooses a number $r \in Z_q^*$ and computes

$$U = rQ_w, \quad h = H_2(m, U), \quad V = (r + h)S_w.$$

Then $(U, V)$ is the proxy signature of the message $m$.
– (Verification): The verifier or recipient of the proxy signature accepts the proxy signature if and only if

$$e(V, P) = e(U + H_1(m, U)Q_w, P_{pub}).$$

5.2. Correctness

The verification of the signature is justified by the following equations:

$$e(V, P) = e((r + h)S_w, P) = e((r + H_1(m, U))Q_w, P_{pub})$$

Anyone can verify the validity of the proxy signature. Obviously, he can easily distinguish the proxy's signature from a normal signature.

5.3. Efficiency

In this section, we compare our proxy signature scheme with the schemes in [10], [11], [16] and [17] in terms of computation overhead and summarize the result in Table 1. For convenience, we ignore the cost of the hash computations $H_1$ and $H_2$. We denote:

Tpa: the time for the pairing operation;
Tpae: the time for the pairing operation with the exponentiation;
Tpm: the time for the point scalar multiplication on $G_1$;
Tad: the time for the point addition on $G_1$;
Tmu: the time for the multiplication in $Z_q$.

The verification equation of Zhang's scheme [11]:

$$c_P = H_1(m \,\|\, r_P), \quad \text{where } r_P = e(U_P, P)\left(e(Q_A + Q_B, P_{pub})^{H_1(m_w \| r_A)}\, r_A\right)^{c_P}. \tag{4}$$

The verification equation of Zhang's scheme [17]:

$$c_P = H_1\left(m \,\|\, e(U_P, P)\, e(H_2(w), PK_o + PK_p)^{c_P}\right) \tag{5}$$

The verification equation of Xu's scheme [10]:

$$e(P, V_P) = e(P_{pub}, Q_j)^{H_4(ID_i, ID_j, m_w, U_w)}\, e(P_{pub}, Q_i)\, e(U_P, H_P)\, e(U_w, H_w). \tag{6}$$

The verification method of Wang's scheme [16]: Check whether $(P, v_o + v_p, U + hH_2(w), V)$ is a Diffie–Hellman tuple. According to [18], deciding whether $(P, v_o + v_p, U + hH_2(w), V)$ is a Diffie–Hellman tuple can be done by testing

$$e(P, V) = e(v_o + v_p, U + hH_2(w)). \tag{7}$$

The verification equation of the proposed scheme:

$$e(V, P) = e(U + H_1(m, U)Q_w, P_{pub}). \tag{8}$$

From the above equations (4), (5), (6), (7) and (8) we can see that our signature scheme is the shortest and simplest. From Table 1, it is also easy to see that the proposed scheme is more efficient in various phases than Zhang's schemes, Xu's scheme and Wang's scheme.

Table 1. Comparison of computational cost with existing schemes

| Schemes | Proxy generation | Proxy signature generation | Proxy signature verification |
|---|---|---|---|
| Zhang's scheme [17] | 2Tpm + 1Tad + 2Tpa | 2Tpm + 1Tad + 1Tpa + 1Tpae | 1Tad + 1Tpae + 2Tpa |
| Zhang's scheme [11] | 4Tpm + 2Tad + 1Tpa + 1Tpae | 3Tpm + 1Tad | 1Tad + 1Tpa + 1Tpae + 1Tmu + 1Tmu exp |
| Xu's scheme [10] | 3Tpm + 2Tad + 3Tpa | 2Tpm + 1Tad | 4Tpa + 1Tpae |
| Wang's scheme [16] | 2Tpm + 1Tad + 2Tpa | 2Tpm + 1Tad | 1Tpm + 2Tad + 2Tpa |
| Proposed scheme | 1Tpm + 2Tad + 2Tpa | 2Tpm | 1Tpm + 1Tad + 2Tpa |

5.4. Security

By the above analysis, we have proved that our proxy key generation protocol is secure. On the other hand, the signature and the verifying equation are the same as in Cha–Cheon's ID-based signature scheme. Due to Cha–Cheon's proof of their ID-based signature scheme, we claim that our proxy signature scheme is secure.

Strong unforgeability: No one except the proxy signer can generate a valid proxy key pair under the name of the proxy signer, because only the proxy signer has the private key $S_w$. For an attacker, forging the proxy signer's valid signature without knowing $S_w$ is equivalent to solving the DLP in $G_1$. But we assume that the DLP in $G_1$ is intractable.

Verifiability: The public key $Q_w$ is computed from the warrant $W$, thus the original signer cannot deny his agreement.

Strong undeniability: Once the proxy signer creates a valid proxy signature, he cannot repudiate it because only he has the private key $S_w$.

Strong identifiability: In the signature verification phase, the public key $Q_w$ must occur, so the original signature is distinguishable from the proxy signature.

Prevention of misuse: The original signer has determined the limit of the delegated signing capacity in the warrant $W$, so the proxy signer cannot sign messages that have not been authorized by the original signer.

Furthermore, compared with all previous ID-based proxy signature schemes, the scheme has two virtues: (1) the proxy signature is shorter because it does not include any parameters for rebuilding the proxy public key; (2) the verification of the proxy signature is faster because the proxy public key does not have to be computed.

6. Conclusions

In this paper, we propose a novel proxy signature key generation protocol in which, for the first time, the warrant is the proxy public key. The protocol consists of three entities: original signer, proxy signer and KGC. The proxy key pair is (warrant, secret key). It is an ID-based key pair of the form (ID, secret key), so this protocol can be combined with an ID-based signature scheme from bilinear pairing to construct an ID-based proxy signature scheme. If the signature scheme is secure, the constructed proxy signature scheme satisfies the properties of a secure proxy signature scheme.
Furthermore, compared with all previous proxy signature schemes, the scheme has two virtues: (1) the proxy signature is shorter because it does not include any parameters for rebuilding the proxy public key; (2) the verification of the proxy signature is faster because the public proxy key does not have to be computed.

References

[1] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures: delegation of the power to sign messages, IEICE Trans. E79-A (9) (1996) 1338–1354.
[2] S. Kim, S. Park, D. Won, Proxy signatures, revisited, Proc. ICICS'97, Int. Conf. Information and Communications Security, LNCS, vol. 1334, 1997, p. 223-23.
[3] B. Lee, H. Kim, K. Kim, Secure mobile agent using strong non-designated proxy signature, Proc. of ACISP2001, LNCS, vol. 2119, Springer-Verlag, 2001, pp. 474–486.
[4] T. Okamoto, M. Tada, E. Okamoto, Extended proxy signatures for smart cards, ISW'99, LNCS, vol. 1729, Springer-Verlag, 1999, pp. 247–258.
[5] K. Zhang, Threshold proxy signature schemes, 1997 Information Security Workshop, Japan, Sep., 1997, pp. 191–197.
[6] A. Shamir, Identity-based cryptosystems and signature schemes, Advances in Cryptology-Crypto '84, Lecture Notes in Computer Science, vol. 196, Springer-Verlag, 1984, pp. 47–53.
[7] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, Advances in Cryptology-Crypto 2001, LNCS, vol. 2139, Springer-Verlag, 2001, pp. 213–229.
[8] Amit K. Awasthi, Sunder Lal, ID-based Ring Signature and Proxy Ring Signature Schemes from Bilinear Pairings, http://eprint.iacr.org/2004/184/.
[9] Jing Xu, Zhenfeng Zhang, Dengguo Feng, Identity Based Threshold Proxy Signature, http://eprint.iacr.org/2004/250/.
[10] Jing Xu, Zhenfeng Zhang, Dengguo Feng, ID-Based Proxy Signature Using Bilinear Pairings, http://eprint.iacr.org/2004/206.pdf.
[11] Fangguo Zhang, Kwangjo Kim, Efficient ID-Based blind signature and proxy signature from bilinear pairings, ACISP'03, LNCS, vol. 2727, Springer-Verlag, 2003, pp. 312–323.
[12] B. Lee, H. Kim, K. Kim, Strong proxy signature and its applications, The 2001 Symposium on Cryptography and Information Security, 2001.
[13] S.D. Galbraith, K. Harrison, D. Soldera, Implementing the Tate pairing, ANTS 2002, LNCS, vol. 2369, Springer-Verlag, 2002, pp. 324–337.
[14] J.C. Cha, J.H. Cheon, An identity-based signature from gap Diffie–Hellman groups, Public Key Cryptography—PKC 2003, LNCS, vol. 2139, Springer-Verlag, 2003, pp. 18–30.
[15] F. Hess, Efficient identity based signature schemes based on pairings, SAC 2002, LNCS, vol. 2595, Springer-Verlag, 2002, pp. 310–324.
[16] Fangguo Zhang, Reihaneh Safavi-Naini, New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairing, http://eprint.iacr.org/2003/104.pdf.
[17] Qin Wang, Zhenfu Cao, Security Arguments for Partial Delegation with Warrant Proxy Signature Schemes, http://eprint.iacr.org/2004/315.pdf.
[18] A. Joux, K. Nguyen, Separating decision Diffie–Hellman from Diffie–Hellman in cryptographic groups, Cryptology ePrint Archive, 2001/003, 2001, http://eprint.iacr.org/.

Xiaoming Hu got her BS degree and MS degree in Computer Science and Engineering from Hebei Yanshan University in 1998 and 2002, respectively. Now, she is a doctoral candidate in the Department of Computer Application Technology, Shanghai Jiao Tong University. Her research interests are in database, database security and information security.

Shangteng Huang is the professor and the doctoral supervisor of Computer Application Technology at Department of Computer Science of Shanghai Jiao Tong University. His main research areas are database, distributed information management system, computer integration manufacture and information security, etc. He is the member of database specialty committee of China Computer Academy, the member of Shanghai expert group for “863” CIMS promoted application, the gainer of State Council Government Subsidy.