Insider attacks on multi-proxy multi-signature schemes


Computers and Electrical Engineering 33 (2007) 88–93 www.elsevier.com/locate/compeleceng

Lifeng Guo a,*, Guilin Wang b

a State Key Laboratory of Information Security, Graduate School of Chinese Academy of Sciences, Beijing 100049, China
b Institute for Infocomm Research, 21 Heng Mui Keng Terrace, Singapore 119613, Singapore

Received 9 January 2006; received in revised form 6 June 2006; accepted 30 August 2006. Available online 21 December 2006.

Abstract

In 2004, Hwang and Chen demonstrated new multi-proxy multi-signature schemes that allow a group of authorized proxy signers to sign messages on behalf of a group of original signers. Later, Lyuu and Wu pointed out that Hwang et al.'s schemes were not secure and then proposed a modified scheme. They claimed that their modified schemes were secure. But in this paper we show a new attack on the Lyuu–Wu schemes. Moreover, the original Hwang–Chen schemes are also vulnerable to this insider attack. Furthermore, we point out some improvements for the Lyuu–Wu scheme and Hwang–Chen schemes according to Wang et al.'s methods [Wang GL, Han XX, Zhu B. On the security of two threshold signature schemes with traceable signers. In: Applied Cryptography and Network Security (ACNS 2003). Lect Notes Comput Sci (LNCS), vol. 2846, Springer-Verlag; 2003. p. 111–222]. These improvements can resist our insider attack.

© 2006 Elsevier Ltd. All rights reserved.

Keywords: Proxy signature; Multi-proxy; Multi-signature; Insider attack

* Corresponding author. E-mail addresses: [email protected] (L. Guo), [email protected] (G. Wang).

0045-7906/$ - see front matter © 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.compeleceng.2006.08.003

1. Introduction

The concept of the proxy signature scheme was first proposed by Mambo et al. [10,11] in 1996. A proxy signature scheme allows a signer to delegate the signing capability to a person, called a proxy signer, to sign on behalf of an original signer. For group-oriented applications, the threshold proxy signature scheme was proposed. A $(t, n)$ threshold proxy signature scheme is a variant of the proxy signature scheme in which the proxy signature key is shared by a group of $n$ proxy signers in such a way that any $t$ or more proxy signers can cooperatively employ the proxy signature key to sign messages on behalf of an original signer, but $t - 1$ or fewer proxy signers cannot. So far, there have been many threshold proxy signature schemes [7,8,12,14,16,18].

In 2000, Hwang and Shi [4] proposed a multi-proxy signature scheme. In fact, a multi-proxy signature scheme is a special threshold proxy signature scheme in which only the cooperation of all the proxy signers can generate proxy signatures on behalf of the original signer. At the same time, some proxy multi-signature schemes were proposed [5,17]. That is, the group of original signers authorize one person as their proxy signer. In [6], a new kind of proxy signature scheme, multi-proxy multi-signature schemes, was proposed. In multi-proxy multi-signature schemes, only the original signer group can authorize the proxy signer group to sign messages. Subsequently, Lyuu and Wu [9] analyzed the security of Hwang et al.'s schemes. They claimed that Hwang's schemes are vulnerable to an insider attack. That is, a malicious proxy signer can secretly forge a multi-proxy multi-signature for a message while participating in a normal message signing process with the other proxy signers. Furthermore, they proposed modified schemes and claimed their schemes were secure.

In this paper, we demonstrate an insider attack on the Lyuu–Wu schemes: a malicious proxy signer can forge a valid multi-proxy multi-signature. At the same time, the Hwang–Chen [6] schemes are also vulnerable to this attack.

The rest of this paper is organized as follows. Section 2 reviews the Lyuu et al. multi-proxy multi-signature scheme and demonstrates our security analysis of their scheme. Section 3 briefly analyzes the Hwang–Chen scheme. Furthermore, we point out some improvements for the Lyuu–Wu scheme and Hwang–Chen schemes. These improvements can resist our insider attack. The conclusion is drawn in Section 4.

2. Insider attack on Lyuu–Wu multi-proxy multi-signature schemes

In the Lyuu–Wu scheme, they only modified the Hwang–Chen scheme without a clerk. But the same modifications can be applied to the scheme with a clerk and obtain the same results. In this section, we first review the Lyuu–Wu scheme. Then we proceed with the security analysis of the Lyuu–Wu scheme.

2.1. Review of the Lyuu–Wu schemes

In [9], Lyuu and Wu showed two multi-proxy multi-signature schemes: one needs the help of a clerk, whereas the other does not. Both schemes use the same calculations to generate the proxy certificate and signatures. Here we only review the scheme without a clerk in this subsection. Our attack also works against the scheme with a clerk. The scheme without a clerk has two types of participants: the original signers $\{U_1, U_2, \ldots, U_n\}$ and the proxy signers $\{P_1, P_2, \ldots, P_m\}$. The scheme can be divided into four phases: system set-up, proxy certificate generation, multi-proxy multi-signature generation, and multi-proxy multi-signature verification. We describe the Lyuu–Wu multi-proxy multi-signature scheme as follows.

2.1.1. System set-up phase

The scheme parameters are listed as follows:
$N = p_1 p_2$: a public odd integer, where the $p_i$ are large primes such that each $p_i - 1$ has a large prime factor $q_i$;
$Q = q_1 q_2$: a public integer;
$g$: a public integer with order $Q$ in $\mathbb{Z}_N^*$;
$h$: a public one-way hash function;
$ID_{u_i}$: the unique ID of the original signer $U_i$;
$ID_{p_j}$: the unique ID of the proxy signer $P_j$;
$x_{u_i} \in \mathbb{Z}_Q$: the secret key of the original signer $U_i$;
$y_{u_i} = g^{x_{u_i}} \bmod N$: the certified public key of the original signer $U_i$;
$x_{p_j} \in \mathbb{Z}_Q$: the secret key of the proxy signer $P_j$;
$y_{p_j} = g^{x_{p_j}} \bmod N$: the certified public key of the proxy signer $P_j$;
$w$: the proxy warrant that specifies the public proxy details such as $ID_{u_i}$, $ID_{p_j}$, $y_{u_i}$ and $y_{p_j}$.

2.1.2. Proxy certificate generation phase

In this phase, all proxy signers $P_1, P_2, \ldots, P_m$ cooperate with all original signers $U_1, U_2, \ldots, U_n$ to generate the proxy certificate $(K, V)$ as follows:


Step 1: Each original signer $U_i$ selects a random integer $k_{u_i} \in \mathbb{Z}_Q$, computes $K_{u_i} = g^{k_{u_i}} \bmod N$, and broadcasts $K_{u_i}$ to the other $n - 1$ original signers and all $m$ proxy signers. Each proxy signer $P_j$ selects a random $k_{p_j} \in \mathbb{Z}_Q$, computes $K_{p_j} = g^{k_{p_j}} \bmod N$, and broadcasts $K_{p_j}$ to all $n$ original signers and the other $m - 1$ proxy signers.

Step 2: Every original signer $U_i$ and every proxy signer $P_j$ compute
$$K = \prod_{i=1}^{n} K_{u_i} \prod_{j=1}^{m} K_{p_j} \bmod N.$$

Step 3: Each original signer $U_i$ computes $v_{u_i} = h(w)\, x_{u_i} y_{u_i} + k_{u_i} K \bmod Q$ and sends $v_{u_i}$ to the other $n - 1$ original signers and all $m$ proxy signers. Each proxy signer $P_j$ computes $v_{p_j} = h(w)\, x_{p_j} y_{p_j} + k_{p_j} K \bmod Q$ and sends $v_{p_j}$ to all $n$ original signers and the other $m - 1$ proxy signers.

Step 4: Each proxy signer verifies the correctness of $v_{u_i}$ with the equations $g^{v_{u_i}} \equiv y_{u_i}^{y_{u_i} h(w)} K_{u_i}^{K} \pmod N$, $i = 1, 2, \ldots, n$. He also verifies the correctness of $v_{p_j}$ with the equations $g^{v_{p_j}} \equiv y_{p_j}^{y_{p_j} h(w)} K_{p_j}^{K} \pmod N$, $j = 1, 2, \ldots, m$. If any of the equations are violated, the phase fails.

Step 5: If all the above equations hold, each proxy signer computes
$$V = \left( \sum_{i=1}^{n} v_{u_i} + \sum_{j=1}^{m} v_{p_j} \right) \bmod Q.$$
$(K, V)$ is the proxy certificate available to all the proxy signers.

2.1.3. Multi-proxy multi-signature generation phase

Suppose the proxy group wants to sign a message $M$ on behalf of the $n$ original signers. They proceed with the following steps:

Step 6: Each proxy signer $P_j$ randomly selects an integer $t_j \in \mathbb{Z}_Q$.

Step 7: Each proxy signer $P_j$ computes $r_j = g^{t_j} \bmod N$ and broadcasts $r_j$ to the other $m - 1$ proxy signers.

Step 8: Each proxy signer $P_j$ computes $R$ and $s_j$, where
$$R = \prod_{j=1}^{m} r_j \bmod N, \qquad s_j = V t_j + x_{p_j} y_{p_j} R^2 h(M) \bmod Q.$$

Step 9: Each $P_j$ broadcasts $s_j$ to the other $m - 1$ proxy signers.

Step 10: Each proxy signer $P_j$ checks the validity of $(r_j, s_j)$ by testing $g^{s_j} \equiv r_j^{V}\, y_{p_j}^{y_{p_j} R^2 h(M)} \pmod N$, $j = 1, 2, \ldots, m$. If all of the equations hold, each proxy signer computes $S = \sum_{j=1}^{m} s_j \bmod Q$.
Therefore, the multi-proxy multi-signature of message $M$ is $(w, K, V, M, R, S)$.

2.1.4. Multi-proxy multi-signature verification phase

After receiving the signature $(w, K, V, M, R, S)$ for message $M$, the verifier needs two steps to verify the signature.

Step 11: Verify the warrant $w$ and the proxy certificate $(K, V)$ by testing
$$g^{V} \equiv K^{K} \prod_{i=1}^{n} y_{u_i}^{y_{u_i} h(w)} \prod_{j=1}^{m} y_{p_j}^{y_{p_j} h(w)} \pmod N.$$

Step 12: Check the correctness of $(R, S)$ by testing
$$g^{S} \equiv R^{V} \prod_{j=1}^{m} y_{p_j}^{y_{p_j} R^2 h(M)} \pmod N.$$

Accept the signature if both equations hold.

2.2. Insider attack on the Lyuu–Wu schemes

We now demonstrate a new insider attack on the Lyuu–Wu schemes. Assume that an insider attacker, proxy signer $P_1$, wants his victims $P_2, \ldots, P_m$ to sign a message $M'$ with him. They may reject, but agree to sign another message $M$ with him. Therefore, each proxy signer $P_i$ (for all $i \in \{2, 3, \ldots, m\}$) chooses a random number $t_i \in \mathbb{Z}_Q$ and computes $r_i = g^{t_i} \bmod N$. $P_i$ sends $r_i$ to the other members through a broadcast channel. $P_1$ waits until he has received $r_2, r_3, \ldots, r_m$. He randomly chooses $t_1 \in \mathbb{Z}_Q$ and computes $r_1 = g^{t_1} \bmod N$. Then he privately computes
$$R = g^{t_1} \prod_{j=2}^{m} r_j \bmod N.$$
Now let $d = h(M')\, h(M)^{-1} \bmod Q$, $R' = R^{d} \bmod N$ and $r'_1 = R' \left( \prod_{j=2}^{m} r_j \right)^{-1} \bmod N$. $P_1$ sends $r'_1$ instead of $r_1$ to the other signers. Now each proxy signer $P_i$ computes
$$R' = r'_1 \prod_{j=2}^{m} r_j \bmod N, \qquad (1)$$
$$s'_j = \left( V t_j + x_{p_j} y_{p_j} R'^2 h(M) \right) \bmod Q. \qquad (2)$$
Then each proxy signer $P_j$ ($j \in \{2, 3, \ldots, m\}$) broadcasts $s'_j$. $P_1$ computes
$$s'_1 = \left( V t_1 + x_{p_1} y_{p_1} R'^2 h(M) \right) \bmod Q. \qquad (3)$$
Now $P_1$ computes $S' = d \cdot \sum_{i=1}^{m} s'_i \pmod Q$. Then $(w, K, V, M', R', S')$ is a valid multi-proxy multi-signature of message $M'$, because
$$g^{S'} \equiv g^{d \sum_{i=1}^{m} s'_i} \equiv g^{d \sum_{i=1}^{m} \left( V t_i + x_{p_i} y_{p_i} R'^2 h(M) \right)} \equiv \left( \prod_{i=1}^{m} g^{t_i} \right)^{dV} \left( \prod_{i=1}^{m} y_{p_i}^{y_{p_i}} \right)^{d R'^2 h(M)}$$
$$\equiv R^{dV} \left( \prod_{i=1}^{m} y_{p_i}^{y_{p_i}} \right)^{d R'^2 h(M)} \equiv R'^{V} \left( \prod_{i=1}^{m} y_{p_i}^{y_{p_i}} \right)^{R'^2 h(M')} \pmod N.$$
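As an added example (not code from the paper), the following Python models the Lyuu–Wu signature generation and verification phase (Steps 6–12) with constructed toy parameters, reproduces the Section 2.2 insider forgery, and checks that the Section 3.3 countermeasure of hashing $h(R, M)$ instead of $h(M)$ rejects the same forgery while honest signatures still verify. The proxy certificate value $V$ is taken as a fixed constant because these steps use it only as an exponent; the primes, the reduction of the hash to a small range, and the sample messages are assumptions of this example.

```python
import hashlib
from math import prod
from random import randrange

# Constructed toy parameters: N = p1*p2, Q = q1*q2 with q_i | (p_i - 1), g of order Q in Z_N^*.
q1, q2 = 1019, 1013
p1, p2 = 2 * q1 + 1, 2 * q2 + 1            # 2039 and 2027, both prime
N, Q = p1 * p2, q1 * q2

def find_generator():
    for x in range(2, N):
        c = pow(x, 4, N)                    # 4 = phi(N)/Q, so c^Q == 1 mod N
        if c != 1 and pow(c, q1, N) != 1 and pow(c, q2, N) != 1:
            return c                        # order is exactly Q
g = find_generator()

def h(*parts):
    """Toy hash (assumption): digest reduced to [1, min(q1,q2)-1], so it is always invertible mod Q."""
    d = hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest()
    return 1 + int.from_bytes(d, "big") % (min(q1, q2) - 1)

def keygen():
    x = randrange(1, Q)
    return x, pow(g, x, N)                  # (x_pj, y_pj) of one proxy signer

def sign(V, keys, M, hashed):
    """Steps 6-10: R = prod g^t_j, s_j = V*t_j + x_j*y_j*R^2*h, S = sum s_j mod Q."""
    t = [randrange(1, Q) for _ in keys]
    R = prod(pow(g, tj, N) for tj in t) % N
    S = sum(V * tj + x * y * R * R * hashed(R, M) for tj, (x, y) in zip(t, keys)) % Q
    return R, S

def verify(V, pubs, M, R, S, hashed):
    """Step 12: g^S == R^V * prod y_j^(y_j * R^2 * h) mod N."""
    e = R * R * hashed(R, M)
    return pow(g, S, N) == pow(R, V, N) * prod(pow(y, y * e, N) for y in pubs) % N

def insider_forgery(V, keys, M, M_target):
    """Section 2.2: P1 (keys[0]) collects honest partial signatures on M but announces r'_1
    so that the group computes R' = R^d with d = h(M')/h(M); then d * sum s'_j signs M_target."""
    t = [randrange(1, Q) for _ in keys]                   # t_1 stays private to P1
    R = prod(pow(g, tj, N) for tj in t) % N               # R = g^t_1 * prod r_j
    d = h(M_target) * pow(h(M), -1, Q) % Q
    R1 = pow(R, d, N)                                     # R'; r'_1 = R' / prod r_j is what P1 sends
    S1 = sum(V * tj + x * y * R1 * R1 * h(M) for tj, (x, y) in zip(t, keys)) % Q
    return R1, d * S1 % Q

def H_ORIG(R, M): return h(M)        # Lyuu-Wu: the hash covers only the message
def H_FIXED(R, M): return h(R, M)    # Section 3.3 countermeasure: bind R into the hash
```

Under `H_FIXED` the attacker would need a $d$ that depends on $R' = R^d$ itself, which is exactly the circularity the countermeasure relies on.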

3. Security of the Hwang–Chen schemes

The Hwang–Chen schemes are also vulnerable to the insider attack on the Lyuu–Wu schemes described above.

3.1. The difference between the Lyuu–Wu schemes and the Hwang–Chen schemes

In the Hwang–Chen schemes, the participants and the notation are identical to the Lyuu–Wu schemes. There are also four phases: system set-up, proxy certificate generation, multi-proxy multi-signature generation, and multi-proxy multi-signature verification. The main differences are the choice of moduli and the replacement of $R$ with $R^2$ in the calculations.

3.2. Insider attack on the Hwang–Chen schemes

The attacking method for the Hwang–Chen schemes is the same as that for the Lyuu–Wu schemes. Here we only verify the forged multi-proxy multi-signature $(w, K, V, M', R', S')$, because
$$g^{S'} \equiv g^{d \sum_{i=1}^{m} s'_i} \equiv g^{d \sum_{i=1}^{m} \left( V t_i + x_{p_i} y_{p_i} R' h(M) \right)} \equiv \left( \prod_{i=1}^{m} g^{t_i} \right)^{dV} \left( \prod_{i=1}^{m} y_{p_i}^{y_{p_i}} \right)^{d R' h(M)}$$
$$\equiv R^{dV} \left( \prod_{i=1}^{m} y_{p_i}^{y_{p_i}} \right)^{d R' h(M)} \equiv R'^{V} \left( \prod_{i=1}^{m} y_{p_i}^{y_{p_i}} \right)^{R' h(M')} \pmod N.$$

3.3. Improvements

We now present some effective countermeasures to thwart our attack. First of all, notice that our attack succeeds because the malicious proxy signer $P_1$ can reveal his value $r_1$ only after he already knows the values $r_i$ generated by the other, honest proxy signers. Therefore, to improve the Lyuu–Wu scheme we can further require that each member publish his individual value $r_i$ simultaneously. Though this seems difficult in the setting of computer networks and distributed computing, we can use some cryptographic techniques to implement this requirement. One simple way is to require that all members first commit to their $r_i$ and then open their commitments to reveal the $r_i$, using a standard cryptographic commitment scheme. Another method is to require that, before generating partial signatures, each member prove his knowledge of the discrete logarithm of $r_i$ to the base $g$ using an interactive or non-interactive proof of knowledge protocol [1].

Alternatively, our attack can be avoided by properly modifying the proxy signature generation equation. The simplest way seems to be adding the value $R$ to the inputs of the hash function. That is, we now replace all occurrences of $h(M)$ by $h(R, M)$ in the whole Lyuu–Wu scheme. Therefore, if a dishonest proxy signer wants to forge a proxy signature for another message by mounting the above internal attack, he has to compute a value $R'$ such that both of the following equations are satisfied:
$$d = h(R, M)^{-1} \cdot h(R', M') \bmod N, \qquad R' = R^{d} \bmod N.$$
However, this is difficult because the hash function $h(\cdot)$ is assumed to be a one-way pseudorandom function. Namely, it is infeasible to find a new message $M'$ such that $d = h(R, M)^{-1} \cdot h(R^{d} \bmod N, M') \bmod N$ for any number $d$, when the values of $R$ and $M$ are given. Actually, this improvement is inspired by the famous Schnorr signature scheme [13], where a similar technique is used.

4. Conclusion

In this paper, we propose an insider attack on the Lyuu–Wu multi-proxy multi-signature scheme. That is, a malicious proxy signer can forge a multi-proxy multi-signature. At the same time, the Hwang–Chen schemes are vulnerable to this attacking method. In addition, some countermeasures are provided to prevent our attack according to Wang et al.'s methods [15].

Acknowledgement

This research is funded by NSFC 60573053, 60573041.

References

[1] Camenisch J, Stadler M. Efficient group signature schemes for large groups. In: Advances in Cryptology, Proceedings of Crypto'97. Lect Notes Comput Sci (LNCS), vol. 1294. Springer-Verlag; 1997. p. 410–24.
[4] Hwang SJ, Shi CH. A simple multi-proxy signature scheme. In: Proceedings of the Tenth National Conference on Information Security. Hualien, Taiwan, ROC, 2000. p. 134–8.
[5] Hwang SJ, Chen CC. A new proxy multi-signature scheme. In: Proceedings of the International Workshop on Cryptology and Network Security. Taipei, Taiwan, ROC, September 2001. p. 199–204.
[6] Hwang SJ, Chen CC. New multi-proxy multi-signature schemes. Appl Math Comput 2004;147:57–67.
[7] Kim S, Park S, Won D. Proxy signatures, revisited. In: Proceedings of the International Conference on Information and Communications Security (ICICS'97). Lect Notes Comput Sci (LNCS), vol. 1334. Springer-Verlag; 1997. p. 223–32.
[8] Lee NY, Hwang T, Wang CH. On Zhang's nonrepudiable proxy signature schemes. In: Proceedings of the Third Australasian Conference (ACISP'98). p. 415–22.
[9] Lyuu YD, Wu ML. Cryptanalysis of and improvement on the Hwang–Chen multi-proxy multi-signature schemes. Appl Math Comput 2005;167:729–39.
[10] Mambo M, Usada K, Okamoto E. Proxy signatures: delegation of the power to sign messages. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E79-A(9) 1996. p. 1338–54.
[11] Mambo M, Usada K, Okamoto E. Proxy signatures for delegating signing operation. In: Proceedings of the Third ACM Conference on Computer and Communication Security. New Delhi, India, January 1996. p. 48–57.
[12] Sun HM. An efficient nonrepudiable threshold proxy signature with known signers. Comput Commun 1999;22(8):717–22.
[13] Schnorr C. Efficient signature generation by smart cards. J Cryptography 1991;4(3):161–74.
[14] Tzeng SF, Hwang MS, Yang CY. An improvement of nonrepudiable threshold proxy signature scheme with known signers. Comput Security 2004;23:174–8.


[15] Wang GL, Han XX, Zhu B. On the security of two threshold signature schemes with traceable signers. In: Applied Cryptography and Network Security (ACNS 2003). Lect Notes Comput Sci (LNCS), vol. 2846. Springer-Verlag; 2003. p. 111–222.
[16] Yang CY, Tzeng SF, Hwang MS. On the efficiency of nonrepudiable threshold proxy signatures with known signers. J Syst Software 2004;73:507–14.
[17] Yi L, Bai G, Xiao G. Proxy multi-signature scheme: a new type of proxy signature scheme. Electron Lett 2000;36(6):527–8.
[18] Zhang K. Threshold proxy signature schemes. In: Proceedings of the 1997 Information Security Workshop. Japan, September 1997. p. 191–7.

Lifeng Guo received her BS degree from the Department of Mathematics of Yanbei Normal University, Shanxi, PR China in 2000 and her MS degree from the Department of Mathematics of Shanxi University, Shanxi, PR China in 2003. She received her PhD degree from the Academy of Mathematics and System Sciences, Chinese Academy of Sciences, PR China. She is presently a postdoctoral researcher at the State Key Laboratory of Information Security, Graduate School of Chinese Academy of Sciences, China. Her current research interests include applied cryptography and computer security.

Guilin Wang is currently a research scientist with the Institute for Infocomm Research (I2R), Singapore. His main research interests include the analysis, design, and application of digital signatures, secret sharing schemes, and security protocols. Dr. Wang has served on the committees of a number of international conferences, workshops and journals. His homepage is http://www.i2r.a-star.edu.sg/icsd/staff/guilin.