Cryptanalysis and improvement of a threshold proxy signature scheme

Available online at www.sciencedirect.com

Computer Standards & Interfaces 31 (2009) 169 – 173 www.elsevier.com/locate/csi

Cryptanalysis and improvement of a threshold proxy signature scheme Jianghong Hu a,b , Jianzhong Zhang a,⁎ a b

College of Mathematics and Information Science, Shaanxi Normal University, Xi'an 710062, PR China Department of Mathematics, Baoji University of Arts and Sciences, Baoji, Shaanxi 721300, PR China Received 22 April 2007; received in revised form 22 October 2007; accepted 18 November 2007 Available online 28 November 2007

Abstract A (t, n) threshold proxy signature scheme allows any t or more proxy signers to cooperatively sign messages on behalf of an original signer, but t − 1 or fewer proxy signers cannot. In a recent work [C.H. Yang, S.F. Tzeng, M.S. Hwang, On the efficiency of nonrepudiable threshold proxy signature scheme with known signers, Systems and Software 73(3) (2004) 507–514], C.H. Yang, S.F. Tzeng and M.S. Hwang proposed a new threshold proxy signature scheme (called as YTH scheme), which is more efficient in algorithm and communication than Hsu et al.'s scheme proposed in 2001. However, YTH scheme still has some security weaknesses. In this paper, we show that YTH scheme cannot resist frame attack and public-key substitute attack. A new improvement with high safety and efficiency is proposed. The new scheme remedies the weaknesses of YTH scheme, especially, it can resist public-key substitute attack successfully by Zero-Knowledge Proof. Furthermore, the system doesn't need a security channel and computational complexity can be lowered. © 2007 Elsevier B.V. All rights reserved. Keywords: Proxy signature; Threshold proxy signature; Frame attack; Public-key substitute attack

1. Introduction In 1996, Mambo et al. [1] first introduced the concept of proxy signature. In a proxy signature scheme, it allows an original signer to delegate its signing power to a designated person, called the proxy signer, who can generate proxy signature of a message on behalf of the original signer. The verifier can verify and distinguish between original signature and proxy signature in verification stage. According to the delegation type, the proxy signature schemes are usually classified into three types [1]: full delegation, partial delegation, and delegation by warrant. Mambo et al. [2] also gave seven important conditions that a secure proxy signature scheme should have. There are unforgeability, verifiability, proxy signer's deviation, distinguishability, identifiability, secret key's dependence and undeniability conditions. Proxy signatures have been shown to be useful in many applications. For example, a manager can delegate his secretaries to sign documents while he is on vocation. Proxy signature schemes can also be used in electronics commerce, electronics payment and mobile agent environment [3–6]. ⁎ Corresponding author. E-mail address: [email protected] (J. Zhang). 0920-5489/$ - see front matter © 2007 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2007.11.002

As the proxy signature is researched deeply, in a situation that an original signer might want to delegate its signing capability to a proxy group of proxy signers for shared signing responsibility. Since then, many kinds of threshold proxy signature scheme are proposed [9–18]. A threshold proxy signature is partial delegation, which is more practical, flexible and secure. In a (t, n) threshold proxy signature scheme, the proxy secret key generated by an original signer is shared among a proxy group of n proxy signers delegated by the original signer. In a proxy group, any t or more proxy signers can cooperatively recover the proxy secret to generate a valid proxy signature, but any t − 1 or less proxy signers cannot. A secure (t, n) threshold proxy signature scheme should satisfy the following security requirements [13]: secrecy, proxy protection, unforgeability, nonrepudiation, time constraint and known signers. In 1997, Kim et al. [7] and Zhang et al. [8] first proposed a (t, n) threshold proxy signature scheme respectively. In 1999, Sun et al. [10] showed that these schemes could not resist collusion attack and proposed a new threshold proxy signature with known signers. In 2001, Hsu et al. [11] pointed out that Sun et al.'s scheme [10] was also vulnerable to collusion attack, especially, the proxy signers could change the parameter t in the process of

170

J. Hu, J. Zhang / Computer Standards & Interfaces 31 (2009) 169–173

cooperatively generating the proxy signature. To remedy the weaknesses, they gave a new improvement. In 2004, Yang et al. [13] proposed a new threshold proxy signature scheme (called as YTH scheme), which was more efficient than Hsu et al.'s scheme [11]. Unfortunately, in this paper, we would like to show that YTH scheme [13] still have some security weaknesses, which cannot resist frame attack and public-key substitute attack. Finally, to overcome these weaknesses, we propose a new improvement with high safety and efficiency in this paper. Furthermore, the system doesn't need a security channel. The rest of this paper is organized as follows: In Section 2, we briefly review YTH scheme. In Section 3, our cryptanalysis on YTH scheme is given out. The new improvement is given out in Section 4. Section 5 gives discussion and analysis of the new improvement. Finally, we draw our conclusions and remarks in Section 6.

m the message to be signed. Then D as a proxy group performs the following steps:

2. Briefly review of YTH scheme

If it holds, that (ri, Si) is a valid partial proxy signature, then t P Si . Therefore, (R, S, K, mw, ASID) is the he computes S ¼

In this section, we briefly review YTH scheme [13]. The scheme consists of four phases: the initialization phase, the proxy share generation phase, the proxy signature generation phase and the proxy signature verification phase.

(1) Each Pi ∈ D chooses random ki ∈Zq⁎, computes and broadcasts ri ¼ g ki modp. (2) After receiving rj (j = 1, 2,…, t, j ≠ i), each Pi ∈ D computes R ¼ jtj¼1 rj modp;
 Si ¼ ki R þ t 1 r þ xi hð R; m; ASIDÞmodq Then, they send Si to the designated receiver C via a secret channel. (3) After receiving Si, the receiver C checks whether the following equation holds  t1 hðR;m;ASIDÞ hðmw ;K Þ Si R g ¼ ri d Ky0  yi modp

i¼1

threshold proxy signature of message m. 2.4. Proxy signature verification phase

2.1. Initialization phase

The verifier checks the validity of proxy signature (R, S, K, mw, ASID) for the message m by the following equality

Let p be a large prime, q a prime divisor of p − 1, g a generater in Zp⁎ with order q and h() a secure one-way hash function. The parameters (p, q, g) are public. Suppose that P0 be the original signer and G = {P1, P2,…, Pn} the proxy group of n proxy signers. The original signer P0 determines its private key and public key as x0 ∈ Zq⁎, y0 ¼ gx0 modp. By the same way, each proxy signer Pi ∈ G owns its private key xi ∈ Zq⁎ and public key yi ¼ g xi modp, which are certified by the certificate authority (CA). mw be a warrant which records the identities of the original signer and proxy signers of the proxy group, the parameters of t, n and the valid delegation time, etc. ASID denotes the identities of the actual proxy signers.

 hðR;m;ASIDÞ t hðm ;K Þ modp gS ¼ RR  Ky0 w  j yi i¼1

3. Cryptanalysis of YTH scheme YTH scheme [13] was more secure and efficient than Hsu et al's scheme [11]. Although YTH scheme could prevent collusion attack and had the property of nonrepudiation, it still could not prevent other attacks, such as frame attack and publickey substitute attack. In this section, we would like to show that YTH scheme cannot resist frame attack and public-key substitute attack.

2.2. Proxy share generation phase (1) The original signer P0 randomly chooses an integer k ∈ Zq⁎, computes K = gk modp. (2) P0 computes σ = x0h(mw, K) + kmodq as the proxy group's key, then broadcasts (σ, mw, K) to the proxy signers of G. (3) After receiving (σ, mw, K), each proxy signer Pi ∈ G checks whether the following equation holds or not hðmw ;K Þ

g r ¼ y0

 Kmodp

If it holds, each Pi regards σ as its proxy key. 2.3. Proxy signature generation phase For convenience, let D = {P1, P2 ,…, Pt} be the t actual proxy signers, ASID the identities of t proxy signers, C the receiver and

3.1. Frame attack Recently, Haiyong Bao et al. [17] presented the frame attack on Tzeng et al.'s scheme [14]. An adversary after intercepting some accessible information can frame some subsets of the proxy group to generate a valid proxy signature of any message. Assume that the original signer P0 can forge a valid threshold proxy signature of any message m', which was generated by other t proxy signers D' = {P'1, P'2,…, P't}, while the proxy group D don't know it. Let ASID be the identities of group D'. P0 chooses random a, b ∈ Zq⁎, computes R V¼ gb modp  t −1 a modp K V¼ g j yi i¼1

S V¼ bR Vþ ða þ x0 hðmw ; K VÞÞhð R V; m V; ASIDÞmodp

J. Hu, J. Zhang / Computer Standards & Interfaces 31 (2009) 169–173

since V ðaþx0 hðmw ;K ÞV ÞhðR ;Vm ;VASIDÞ modp gS V ¼ g bR þ

 bR V a x0 hðmw ;K ÞV hðR ;Vm ;VASIDÞ modp ¼g g g  hðR ;Vm ;VASIDÞ t hðm ;K ÞV ¼ R VR V K Vy0 w j yi modp i¼1

That is, (R', S', K', mw, ASID) satisfies the verifiable equality. Therefore, the malicious original signer P0 can forge a valid threshold proxy signature of any message m' while the proxy group don't know it. 3.2. Public-key substitute attack JiGuo Li and ZhenFu Cao [18] presented an efficient publickey substitute attack on Sun et al.'s scheme [10]. A malicious attacker (consisting of the original signer and any proxy signer) can forge a valid proxy signature of any message by changing its public key. Assume that the original signer P0 or any proxy signer P i(1 ≤ i ≤ n) can forge a valid threshold proxy signature of any message m' through public-key substitute attack as follows: Without loss of generality, assume that P1 wants to forge a valid threshold proxy signature of any message m'. P1 chooses random a, b, K' ∈ Zq⁎ and a forged ASID, computes R V¼ gb modp S V¼ bR Vþ ða þ x1 hðmw ; K VÞÞhð R V; m V; ASIDÞmodq  t 1 V a hðmw ;K ÞV hðmw ;K ÞV V 1 y1 ¼ g y1 y0 j yi K modp i¼2

Then, he requests CA to change his public key with y'1. Similarly, since the following verifiable equality also holds  hðR ;Vm ;VASID ÞV hðmw ;K Þy V 1V t SV RV g ¼ R V K Vy0 j yi modp i¼2

Therefore, (R', S', K', mw, ASID) is a valid threshold proxy signature of any message m'.

171

the Zero-Knowledge Proof of its private key about its public key as follows: (1) CA randomly chooses e ∈ Zq⁎, computes E = gemodp, then sends E to P0 and each Pi. (2) P0 computes L0 ¼ Ex0 modp and each Pi computes Li ¼ E xi modp, then they send L0 and Li to CA. (3) CA checks whether the quality ye0 =L0 and yie =Li hold or not, if it does, CA accepts their certification, otherwise CA refuses. 4.2. Proxy share generation phase In this paragraph, we perform a (t, n)-VSS scheme to share the proxy key σ among n proxy signers in D instead of simple sending σ to each proxy signer as their proxy key in YTH scheme. The original signer P0 performs the following steps to generate the proxy key. (1) P0 randomly chooses an integer k ∈ Zq⁎, computes K = gk modp. (2) P0 computes σ = x0h(mw, K) + kK modq as the proxy group's key, accordingly, its public-key is Q = gσ modp. (3) P0 chooses a t − 1 degree polynomial in Zq f ð xÞ ¼ r þ a1 x þ a2 x2 þ N þ at1 xt1 modp where aj ∈ Zq⁎, j = 1, 2,…, t − 1. Then P0 obtains each proxy signers' public key yi and computes Ri = f (yi)modp (1 ≤ i ≤ n, i ≠ j) as each proxy signer P'is secret key. He computes Qi ¼ gRi modp, Aj ¼ g aj modp. (4) P0 sends (yi, Ri, mw, K) to each proxy signer Pi via a public channel and broadcasts Aj and Qi. (5) After each proxy signer Pi receiving (yi, Ri, mw, K), they check whether the following equality holds or not hðmw ;K Þ

g Ri ¼ K K y0

t1

yl

j Al i modp

l¼1

If it does, each Pi accepts this proxy share, otherwise, they refuse.

4. New improvement

4.3. Proxy signature generation phase

Our improved scheme is based on YTH scheme. As we have discussed in Section 3, their scheme cannot resist the frame attack and the public-key substitute attack. Different from YTH scheme, our improvement not only can get rid of the security weaknesses we have pointed out above, but also can resist collusion attack. Furthermore, the system doesn't need a security channel. The new improvement can also be divided into four phases: the initialization phase, the proxy share generation phase, the proxy signature generation phase and the proxy signature verification phase.

Without loss of generality, let D = {Pl, P2,…, Pt} be the t actual proxy group who want to cooperatively generate a proxy signature, m the message to be signed and B the signature receiver.

4.1. Initialization phase The system parameters are the same as those in Section 2.1, but the only difference is that in our new scheme CA requires the original signer P0 and each proxy signer Pi(1 ≤ i ≤ n) offer

(1) Each Pi ∈ D chooses random ki ∈ Zq⁎, computes and broadcasts ri ¼ gki modp. (2) After receiving rj (j = 1, 2,…t, j ≠ i), each Pi computes R ¼ jtj¼1 rj modp and his partial signature Si ¼ ki R þ ðRi Wi þ xi Þhð R; m; ASIDÞmodq 0y

where Wi ¼ jtj¼1; j p i yi yjj . Then, each Pi sends Si to the receiver B. (3) After receiving Si, B checks whether the following equation holds or not
i hðR;m;ASIDÞ g Si ¼ riR  QW modp i yi

172

J. Hu, J. Zhang / Computer Standards & Interfaces 31 (2009) 169–173

If it does, B computes S ¼

t P

Si . Thus, (R, S, K, mw, ASID)

i¼1

is the threshold proxy signature of message m. 4.4. Proxy signature verification phase

P0 wants to forge K', R', S' in order to satisfy the verifiable equality  hðR;m;ASIDÞ t hðm ;K Þ g S ¼ RR y0 w K K j yi i¼1

When the verifier receivers (R, S, K, mw, ASID), he checks whether the following equality holds or not  hðR;m;ASIDÞ t K hðmw ;K Þ g ¼ R  K y0  j yi modp S

R

i¼1

If it does, (R, S, K, mw , ASID) is the valid proxy signature of message m. Since t X

Si gS modp ¼ g i¼1 modp t X ki R þ ðRi Wi þ xi Þhð R; m; ASIDÞ modp ¼ g i¼1 0 t 1hðR;m;ASIDÞ X  t R B R i Wi t C B i¼1 C ki ¼ j g j g xi C modp Bg i¼1 i¼1 @ A

However, to derive K', R', S' is equivalent to solve the difficulty problem of discrete logarithm. Moreover, R' is protected under the secure one-way hash function h(). Thus, the original signer P0 cannot forge a valid threshold proxy signature of any message m', which generated by other t proxy signers P'1, P'2,…, P't. (2) Consider the public-key substitute attack in the new improvement. Without loss of generality, suppose that P1 try to forge a threshold proxy signature of any message m' by publickey substitute attack, P1 chooses random a, b, K' ∈ Zq⁎and a forged ASID, computes R V¼ g b modp S V¼ bRVþ ða þ x1 hðmw ; K VÞÞ  hð R V; m V; ASIDÞmodq  t 1 V a hðmw ;K ÞV hðmw ;K ÞV  V 1 y1 ¼ g y1 y0  K  j yi i¼2

 t hðR;m;ASIDÞ ¼ R g r j yi modp i¼1  hðR;m;ASIDÞ t modp ¼ RR gx0 hðmw ;K ÞþkK j yi i¼1  hðR;m;ASIDÞ t hðm ;K Þ ¼ R R y0 w K K j yi modp R

i¼1

5. Discussion and analysis of new improvement 5.1. Security analysis The security of our new scheme is based on the difficulty problem of solving discrete logarithm and the well-known difficulty of computing secure one-way hash function. We will prove that none of possible attacks can successfully break our new scheme. (1) First of all, let us consider the frame attack in our new improvement. Suppose that P0 wants to forge a threshold proxy signature, which generated by other t proxy signers P'1, P'2,…, P't, while the actual proxy group D don't know it.

When he wants CA to replace his public key with y'1, CA requests P1 must offer the Zero-Knowledge Proof of his private key x'1 about his public key y'1, but he cannot obtain x'1 from y1V¼ g x1 modp because of the difficulty of solving discrete logarithm. Therefore, the original signer P0 or any proxy signer Pi can't forge a valid threshold proxy signature by the public-key substitute attack. (3) Consider the collusion attack. There are two cases. Firstly, assume that any t or more proxy signers in D want to conspire to sign any message m, they all show their proxy private key Ri and cooperatively reconstruct the secret polynomial function f (x). They compute the proxy group secret key σ = f(0). Thus, they can easily derive any other proxy signer Pi's secret shadow f (yi), But they can't obtain each Pi's private key xi from yi ¼ gxi modp and ki from ri ¼ gki modp because of the difficult problem of solving discrete logarithm. Therefore, they can't derive each Pi's partial signature
 Si ¼ ki R þ t 1 r þ xi hð R; m; ASIDÞmodq In other way, they cannot achieve collusion attack successfully. Secondly, assume that t − 1 or fewer proxy signers of the group D conspire to derive the proxy group key and each proxy signer's secret key. They have to reconstruct the polynomial function f (x) and compute the proxy group secret key f (0) and each proxy signer Pi's secret shadow f (yi). But the secret the polynomial function f (x) can only be reconstructed by at least t

Table 1 Comparison of computational complexity with existing scheme

Sun scheme [10] Hsu scheme [11] YTH scheme [13] Proposed scheme

Proxy share generation

Proxy signature generation

(5n + 2t + 1)Te + (nt − n + 2t)Tm + TH (5n + 2t + 1)Te + (nt − n + 2t)Tm + TH 3Te + 2Tm + TH (4n + t + 1)Te + (nt + n + 2)Tm + TH

(4t − t − 2)Te + (10t − 14t + 6)Tm + (t − t)Ti + 2TH (t 2 + 4t + 1)Te + (4t 2 + 2t − 2)Tm + (t 2 − 1)Ti + 2TH (4t + 2)Te + (3t + 3)Tm + 2TH + Ti 4tTe + (3t + 3)Tm + 2TH 2

2

Proxy signature verification 2

4Te + (t + 3)Tm + 2TH 4Te + (t + 3)Tm + 2TH 4Te + (t + 2)Tm + 2TH 5Te + (t + 2)Tm + 2TH

J. Hu, J. Zhang / Computer Standards & Interfaces 31 (2009) 169–173

proxy signer's secret shadows f (yi). Therefore, our new scheme can resist the collusion attack made by any t − 1 or less than t − 1 proxy signers. (4) At last, in our new scheme, there are the designated warrant mw and the identities of the actual proxy signer's ASID. Furthermore, all the verifiable equalities consist of mw and ASID. Thus, the verifier can be convinced of the warrant mw published by the original signer and mw records the stipulated period of this proxy, which provides the time constraint. Therefore, our new scheme satisfies undeniability, unforgeability, verifiability and undistinguishability, etc. 5.2. Performance In this section, in terms of computational complexity, we compare the new scheme with the scheme in [10,11,13] and summarize the result in Table 1. It shows that the efficiency of our new threshold proxy signature scheme is higher. For convenience, the following notations are used to analyze the computational complexity. Te Tm TH Ti

the the the the

time time time time

for for for for

one exponentiation computation. one modular multiplication computation. hash function computation. one inverse computation.

From Table 1, we can see that the proxy signature generation and the proxy signature verification of the new scheme is more efficient than other schemes in Table 1. However, because of the (t, n)-VSS scheme to share the proxy key, the computational complexity of the new scheme in the proxy share generation is higher than the YTH scheme, but still lower than Sun scheme [10] and Hsu scheme [11]. Therefore, our scheme can reduce large amounts of computations and is a more efficient and secure threshold proxy signature scheme. 6. Conclusions In this paper, we have shown that YTH scheme is not secure against the frame attack and the public-key substitute attack. These weaknesses are inherent in many existing threshold proxy signature schemes. Finally, we propose a new improvement to defeat these attacks. Furthermore, compared with many previous proxy signature schemes, the new scheme has two advantages: (1) The new improvement can resist the public-key substitute attack by Zero-Knowledge Proof; (2)the new scheme doesn't need a security channel and is more efficient and secure than many other proxy signature schemes in terms of computational complexity. Acknowledgements The authors would like to thank anonymous referees and reviewers for their suggestions to improve this paper. Besides, this paper is Supported by the National Natural Science Foundation Grants of China (No.10571113), the Natural Science Foundation Grants of Shaanxi (No.2004A14), the Natural Science Foundation Grants of Shaanxi (No.07JK375) and Postgraduate Initiative Foundation of Shaanxi Normal University (No.2007CXS018).

173

References [1] M. Mambo, K. Usuda, E. Okamoto, Proxy signature: delegation of the power to sign messages, IEICE Trans. Fundam. E79-A (9) (1996) 1338–1354. [2] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures for delegating signing operation, Proceedings of the Third ACM Conference on Computer and Communications Security, 1996, pp. 48–57. [3] H.U. Park, I.Y. Lee, A digital nominative proxy signature scheme for mobile communication, ICICS2001, LNCS, vol. 2229, 2001, pp. 451–455. [4] B. Lee, H. Kim, K. Kim, Strong proxy signature and its applications, IEE Proc., Comput. Digit. Tech. 146 (5) (1999) 259–263. [5] B. Lee, H. Kim, K. Kim, Secure mobile agent using strong non-designated proxy signature, Proc. of ACISP2001, LNCS, vol. 2119, Springer-Verlag, 2001, pp. 474–486. [6] T. Okamoto, M. Tada, E. Okamoto, Extended proxy signatures for smart cards, ISW1999, LNCS, Springer-Verlag, 1999, pp. 247–258. [7] S. Kim, S. Park, D. won, Proxy signatures, revisited, Proceedings of ICICS'97, LNCS 1334, 1997, pp. 223–232. [8] K. Zhang, Threshold proxy signature schemes, Proceedings of 1997 Information Security Workshop, 1997, pp. 191–197. [9] H.M. Sun, N.Y. Lee, T. Hwang, Threshold proxy signatures, IEE Proc., Comput. Digit. Tech. 146 (5) (1999) 259–263. [10] H.M. Sun, An efficient nonrepudiable threshold proxy signature scheme with known signers, Comput. Commun. 22 (8) (1999) 717–722. [11] C.L. Hsu, T.S. Wu, T.C. Wu, New nonrepudiable threshold proxy signature scheme with known signers, Syst. Softw. 58 (2) (2001) 119–124. [12] C.L. Hsu, T.S. Wu, T.C. Wu, Improvement of threshold proxy signature scheme, Appl. Math. Comput. 136 (23) (2003) 315–321. [13] C.H. Yang, S.F. Tzeng, M.S. Hwang, On the efficiency of nonrepudiable threshold proxy signature scheme with known signers, Syst. Softw. 73 (3) (2004) 507–514. [14] S.F. Tzeng, C.Y. Yang, M.S. Hwang, A nonrepudiable threshold multi-proxy multi-signature scheme with shared verification, Future Gener. Comput. Syst. 20 (5) (2004) 887–893. [15] N.Y. Lee, T. Hwang, C.H. Wang, On Zhang's nonrepudiable proxy signature schemes, ACISP'98, LNCS, vol. 1438, 1998, pp. 415–422. [16] M.S. Huang, J.L. Lu, L.C. Lin, A practical (t, n) threshold proxy signature scheme based on the RSA Cryptosystem, IEEE Trans. Knowl. Data Eng. 15 (6) (2003) 1552–1560. [17] Haiyong Bao, Zhenfu Cao, Shengbao Wang, Improvement on Tzeng et al.'s nonrepudiable threshold multi-proxy multi-signature scheme with shared verification, Appl. Math. Comput. 169 (2005) 1419–1430. [18] Jiguo Li, Zhenfu Cao, An improvement of a threshold proxy signature scheme, Comput. Res. Dev. 39 (11) (2002) 1513–1518. Jianghong Hu received her BS in 2005. Now she is a MS candidate in the college of Mathematics and Information Science, Shaanxi Normal University, Xi'an, PR China. Her current research interests are Cryptography, digital signature and information security.

Jianzhong Zhang received his MS in Shaanxi Normal University and his PhD in Xidian University, Xi'an, PR China. He is currently a professor in the college of Mathematics and Information Science, Shaanxi Normal University. His main research interests include Cryptography, information security and secure e-commerce.