Provably secure proxy-protected signature schemes based on factoring


Applied Mathematics and Computation 164 (2005) 83–98 www.elsevier.com/locate/amc

Yuan Zhou *, Zhenfu Cao, Rongxing Lu

Department of Computer Science, Shanghai Jiaotong University, 1954 Huashang road, Shanghai 200030, People's Republic of China

Abstract

Proxy signature is an active cryptographic research topic, and a wide range of literature can be found nowadays that suggests improvements and generalizations of existing protocols in various directions. However, most of the schemes previously proposed in this literature are based on the discrete logarithm problem. To the best of our knowledge, there still does not exist a genuine proxy signature scheme based on the integer factorization problem. In this paper, we propose two efficient, provably secure proxy-protected signature schemes in the Random Oracle Model. The first scheme is based on the RSA problem and the second one is based on the integer factorization problem. Compared to earlier proxy signature schemes, our schemes are more efficient and easier to implement. We believe they are particularly suitable for low-computation devices, such as smart cards, cell phones, pagers, etc.

© 2004 Elsevier Inc. All rights reserved.

Keywords: RSA; Factoring; Proxy signature; Proxy-protected signature; Random Oracle Model

* Corresponding author. E-mail address: [email protected] (Y. Zhou).

0096-3003/$ - see front matter © 2004 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2004.04.032


Y. Zhou et al. / Appl. Math. Comput. 164 (2005) 83–98

1. Introduction

1.1. Proxy signature

The notion of proxy signature was introduced by Mambo et al. (1996) [10,11]. A proxy signature scheme is a cryptographic primitive involving three entities: an original signer, a proxy signer and a verifier. It allows the original signer to delegate her signing capability to a designated proxy signer. The proxy signer can then sign some specific kinds of messages on behalf of the original signer. After receiving the proxy signature, the verifier, who knows the public keys of the original and proxy signers, verifies the validity of the proxy signature. Informally, a proxy signature scheme consists of three algorithms, described as follows.

Key generation. For a given security parameter, it outputs a pair of private and public keys for the original signer and a private key for the proxy signer. The key generation usually involves a two-party protocol run between the original and proxy signers.

Signing. For an input that consists of a message to be signed and a proxy private key kept by the proxy signer, it outputs a valid signature.

Verifying. For an input that includes a pair (a message and a signature) and the public keys of the original and proxy signers, it outputs either accept or reject.

The proxy-protected signature scheme satisfies the following three basic security properties.

Verifiability. From a proxy signature, any verifier can be convinced of the original signer's agreement on the signed message.

Unforgeability. Only a designated proxy signer can create a valid proxy signature for the original signer (even the original signer cannot do it).

Non-repudiation. Neither the original signer nor the proxy signer must be able to sign in place of the other party. In other words, they cannot deny their signatures against anyone.

1.2. Related work

After Mambo et al.'s initial work on proxy signature, many scholars have done a lot of work in this field, and several kinds of proxy signature schemes have been put forth [3–6,8,9,13–15,17]. Proxy signature schemes have been proposed in [8,9]. Multi-proxy signature schemes have been proposed in [5,15,17]. Threshold proxy signature schemes have also been proposed in [3,6,13,14]. However, most of these proposed schemes are based on the discrete logarithm problem. Moreover, none of the above schemes has a proof of security.


Recently, mobile computation environments have received great attention. Many low-powered and resource-constrained small devices have arisen, such as smart cards, cell phones and pagers. To adapt to these devices, Kim et al. [7] proposed a one-time proxy signature scheme based on the discrete logarithm problem. At Asiacrypt 2003, Huaxiong Wang and Josef Pieprzyk also presented an efficient one-time proxy signature scheme based on one-way functions without trapdoors [16]. As a one-time proxy signature is very efficient and can be easily implemented, it is particularly fit for mobile computation environments. However, just as its name suggests, a one-time proxy signature scheme cannot be applied to sign an unlimited number of messages.

1.3. Our contributions

In this paper, we present two provably secure proxy-protected signature schemes, which are based on the RSA problem and the integer factorization problem respectively. The second scheme is a modified version of the first, moving from the RSA problem to the integer factorization problem. The second scheme is more efficient than the first one. Furthermore, the reduction in the proof of security of the second scheme is tighter than the one for the first scheme. At the same time, since the second scheme is based on the Rabin signature scheme, its computation cost is much lower than that of other proposed schemes (including the first scheme).

The rest of the paper is organized as follows. In Sections 2 and 3, we present the two proxy-protected signature schemes, their proofs of security and their efficiency analysis. The final section is our conclusion.

2. The first proposed signature scheme

In this section, we present the first scheme, which is based on the RSA problem, and prove that its security is related to the RSA problem.

2.1. Related definitions

Definition 2.1 (RSA problem).
[INPUT] $N = pq$ with $p$, $q$ prime numbers; $e$: an integer such that $\gcd(e, (p-1)(q-1)) = 1$; $c \in Z_N$.
[OUTPUT] the unique integer $m \in Z_N$ satisfying $m^e \equiv c \pmod{N}$.

Definition 2.2 (RSA assumption). An RSA problem solver is a probabilistic algorithm $A$ such that with an advantage $\epsilon > 0$:

$$\epsilon = \Pr[m \leftarrow A(N, e, m^e \pmod{N})],$$

where the input to $A$ is defined in Definition 2.1. Let $G_{RSA}$ be an RSA instance generator that on input $1^k$, runs in time polynomial in $k$, and outputs (i) a $2k$-bit modulus $N = pq$ where $p$ and $q$ are two distinct uniformly random primes, each $k$ bits long; (ii) $e \in Z_{(p-1)(q-1)}$. We say that $G_{RSA}$ satisfies the RSA assumption if there exists no RSA problem solver for $G_{RSA}(1^k)$ with advantage $\epsilon > 0$ non-negligible in $k$ for all sufficiently large $k$.

2.2. The proposed scheme

In public-key cryptosystems based on the RSA problem, each user chooses his own RSA private key. The signer chooses two large primes $p$ and $q$ at random, and computes a public modulus $N = pq$. Then the signer chooses a pair of integers $e$ and $d$ such that $ed \equiv 1 \pmod{\phi(N)}$ and $d$ is large enough, where $\phi(N)$ is the Euler function of $N$. The signer chooses a public one-way hash function $h(\cdot)$. The private key $\{p, q, d\}$ is kept secret by the signer, while the public key of the signer is $\{N, e\}$, which is certified by a CA. For clarity, we divide our scheme into four phases: system initialization phase, proxy private key generation phase, signing phase and verifying phase.

2.2.1. System initialization phase

The original signer $U_o$ chooses his private key $\{p_o, q_o, d_o\}$ and public key $\{N_o, e_o\}$, and the proxy signer $U_p$ chooses his private key $\{p_p, q_p, d_p\}$ and public key $\{N_p, e_p\}$. Furthermore, let $H_o$ be a universal secure hash function which accepts a variable-length input string of bits and produces a fixed-length output string of size $n_r$, and let $H_p$ be a universal secure hash function which accepts two variable-length input strings of bits and produces a fixed-length output string of size $n_r$.

2.2.2. Proxy private key generation phase

When the original signer $U_o$ delegates his signing capability to the proxy signer $U_p$, they run the following steps:

(1) The original signer $U_o$ first makes a warrant $m_w$, which records the delegation policy, including limits of authority, valid period of delegation, etc. Then he publishes $m_w$.

(2) $U_o$ computes a proxy private key $s_o$:

$$s_o = (H_o(m_w))^{d_o} \pmod{N_o}. \tag{2.1}$$

Then he sends $\{s_o, m_w\}$ to the proxy signer $U_p$ via a secure channel.

(3) After receiving $\{s_o, m_w\}$, the proxy signer $U_p$ verifies the proxy private key by checking the following equation:

$$s_o^{e_o} \equiv H_o(m_w) \pmod{N_o}. \tag{2.2}$$

2.2.3. Signing phase

Assume that, according to the limits of authority, the proxy signer $U_p$ has the right to proxy sign a message $m$ on behalf of the original signer $U_o$. He performs the following steps:

(1) $U_p$ randomly chooses an integer $r \in \{0,1\}^{n_r}$, and computes $R$, $r_1$ and $r_2$, respectively:

$$R = (r^{e_o} \bmod N_o), \tag{2.3}$$

$$r_1 = (s_o r) \pmod{N_o}, \tag{2.4}$$

$$r_2 = (H_p(m, R))^{d_p} \pmod{N_p}. \tag{2.5}$$

(2) He sends $\{m, r_1, r_2\}$ to the verifier.

2.2.4. Verifying phase

When the verifier has received the proxy signature $\{m, r_1, r_2\}$, he can verify the proxy signature as follows:

(1) The verifier computes

$$R' = (r_1^{e_o} (H_o(m_w))^{-1} \pmod{N_o}). \tag{2.6}$$

(2) The verifier checks the equation

$$r_2^{e_p} = H_p(m, R') \pmod{N_p}. \tag{2.7}$$
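The four phases of Section 2.2, Eqs. (2.1)–(2.7), run end to end. This is an added example, not code from the paper: the SHA-256 based `H` standing in for $H_o$/$H_p$, the 32-byte encoding of $R$, the toy Mersenne-prime keys and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

def H(label, n, *parts):
    """Assumed stand-in for H_o / H_p: SHA-256 over length-prefixed parts, mod n."""
    data = b"".join(len(x).to_bytes(4, "big") + x for x in parts)
    return int.from_bytes(hashlib.sha256(label + data).digest(), "big") % n

def rsa_keypair(p, q, e=65537):
    """Return (N, e, d) with e*d = 1 (mod phi(N))."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def delegate(m_w, N_o, d_o):
    """Original signer, Eq. (2.1): s_o = H_o(m_w)^d_o mod N_o."""
    return pow(H(b"Ho", N_o, m_w), d_o, N_o)

def check_delegation(s_o, m_w, N_o, e_o):
    """Proxy signer, Eq. (2.2): s_o^e_o == H_o(m_w) mod N_o."""
    return pow(s_o, e_o, N_o) == H(b"Ho", N_o, m_w)

def proxy_sign(m, s_o, N_o, e_o, N_p, d_p, n_r=128):
    """Proxy signer, Eqs. (2.3)-(2.5). Returns (r1, r2)."""
    r = secrets.randbelow(2**n_r - 1) + 1            # nonzero n_r-bit value
    R = pow(r, e_o, N_o)                             # (2.3)
    r1 = (s_o * r) % N_o                             # (2.4)
    h_p = H(b"Hp", N_p, m, R.to_bytes(32, "big"))    # 32 bytes cover the toy N_o
    return r1, pow(h_p, d_p, N_p)                    # r2 from (2.5)

def verify(m, r1, r2, m_w, N_o, e_o, N_p, e_p):
    """Verifier, Eqs. (2.6)-(2.7). Uses only public keys and the published warrant."""
    if not (0 < r1 < N_o and 0 < r2 < N_p):
        return False
    try:
        h_inv = pow(H(b"Ho", N_o, m_w), -1, N_o)     # H_o(m_w)^-1 mod N_o
    except ValueError:                               # hash not invertible mod N_o
        return False
    R_prime = (pow(r1, e_o, N_o) * h_inv) % N_o      # (2.6)
    h_p = H(b"Hp", N_p, m, R_prime.to_bytes(32, "big"))
    return pow(r2, e_p, N_p) == h_p                  # (2.7)

def demo():
    # Constructed toy keys built from Mersenne primes; not secure parameters.
    N_o, e_o, d_o = rsa_keypair(2**89 - 1, 2**107 - 1)   # original signer U_o
    N_p, e_p, d_p = rsa_keypair(2**61 - 1, 2**127 - 1)   # proxy signer U_p
    m_w = b"proxy=U_p; scope=purchase orders; valid-until=2005-12-31"
    m = b"purchase order #1 (constructed message)"
    s_o = delegate(m_w, N_o, d_o)
    r1, r2 = proxy_sign(m, s_o, N_o, e_o, N_p, d_p)
    pub = (N_o, e_o, N_p, e_p)
    return {
        "delegation_ok": check_delegation(s_o, m_w, N_o, e_o),
        "valid": verify(m, r1, r2, m_w, *pub),
        "tampered_message": verify(m + b"!", r1, r2, m_w, *pub),
        "other_warrant": verify(m, r1, r2, b"scope=anything", *pub),
    }

if __name__ == "__main__":
    print(demo())
```

Changing either the message or the warrant changes the value recomputed in (2.6) or hashed in (2.7), so both altered inputs are rejected.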

2.3. Security analysis

In this part, we prove that the proposed scheme works correctly and satisfies the basic security requirements.

Theorem 2.1. The proposed proxy signature scheme is verifiable, if the original signer, the proxy signer and the verifier all follow the issuing protocol.

Proof. From Eqs. (2.1)–(2.7), it is obvious that the proposed scheme satisfies verifiability.

We will prove that the proposed scheme satisfies unforgeability and non-repudiation. Our proof idea comes from Bellare and Rogaway's paper [1] and Goh and Jarecki's paper [2]. The following theorem proves a security reduction from the hardness of the RSA problem to the adaptive chosen message attack (CMA) security of the proposed scheme in the Random Oracle model. We denote by $t_{cost}$ the main cost of the reduction. □

Theorem 2.2. If the RSA problem is $(s', \epsilon')$-hard, then for any $q_{H_p}$, $q_{sig}$ the proposed scheme is $(s, q_{H_p}, q_{sig}, \epsilon)$-secure against existential forgery on adaptive chosen message attack in the Random Oracle model, where

$$\epsilon = q_{H_p}\left(\epsilon' + q_{sig}\, q_{H_p}\, 2^{-n_r}\right), \tag{2.8}$$

$$s = s' - (q_{H_p} + q_{sig} + 1)\, t_{cost}. \tag{2.9}$$

Proof. Let $A$ be an original signer, which has his RSA key tuple $\{N_o, e_o, d_o\}$ and can $(s, q_{H_p}, q_{sig}, \epsilon)$-break the proposed scheme and forge a valid signature. We construct a simulator algorithm $M$, which can solve the RSA problem. In other words, when $G_{RSA}$ (defined in Definition 2.2) generates an RSA instance $\{N, p, q, e, d\}$ and the algorithm $M$ takes $(e, N)$ and $u \in Z_N$ as inputs, $M$ can use the algorithm $A$ to compute $v$ (here $v \equiv u^d \pmod{N}$) in $s'$ steps and with probability $\epsilon'$, where

$$\epsilon' = \frac{1}{q_{H_p}}\,\epsilon - q_{sig}\, q_{H_p}\, 2^{-n_r}, \tag{2.10}$$

$$s' = s + (q_{H_p} + q_{sig} + 1)\, t_{cost} \tag{2.11}$$

and the probabilities are taken mainly over the randomness used by $M$ and $A$. Algorithm $M$ simulates a run of the signature scheme to the original signer $A$. Algorithm $M$ answers $A$'s hash function queries and signature oracle queries, and it tries to translate $A$'s possible forgery $\{m, r\}$ into an answer to the RSA problem (the answer to $u^d \pmod{N}$). Algorithm $M$ starts the simulation. Here, algorithm $A$ takes $(N, N_o, e, e_o, d_o)$ as input. Then algorithm $M$ answers $A$'s queries as follows.

Answering $H_o$-oracle query. Algorithm $M$ picks a random string $s_o \in_R Z_{N_o}$ and computes $h \equiv s_o^{e_o} \pmod{N_o}$. Then $M$ outputs $h$ as the answer to the query $H_o(m_w)$. The $H_o$-oracle query is done only once.

Answering $H_p$-oracle queries. If the original signer $A$ provides a new query $(m, R)$ as input to the $H_p$-oracle, algorithm $M$ works as follows: If $H_p(m, R) \equiv u \pmod{N}$, he outputs $u$ as the answer to the query $H_p(m, R)$. Otherwise he picks $w \in_R Z_N$ at random and computes $y \equiv w^e \pmod{N}$, then maintains a hash oracle query table, takes $(m, R, w, y)$ as one entry, and outputs $y$ as the answer to the query $H_p(m, R)$.

Answering signature queries. Suppose the original signer $A$ asks for a signature on message $m$. Algorithm $M$ has to create a valid signature tuple without knowing the private key $d$. In the process, algorithm $M$ defines some values of the hash function $H_p$. The algorithm $M$ proceeds as follows:

(1) Pick a random string $r \in \{0,1\}^{n_r}$ and compute $R = (r^e \bmod N)$. Then check the hash oracle. If $H_p$ has been queried on input $(m, R)$, abort.
(2) Pick $w \in_R Z_N$ at random and compute $y \equiv w^e \pmod{N}$, and define $H_p(m, R) \triangleq y$.
(3) Compute $r_1 = s_o \cdot r \pmod{N_o}$ and $r_2 = w \pmod{N}$.
(4) Return the tuple $\{m, r_1, r_2\}$.

Solving the RSA problem. If the original signer $A$ returns a valid message and signature pair $(m, r)$ (where $r = \{r_1, r_2\}$) for some previously unsigned $m$, then algorithm $M$ tries to translate this forgery into computing $v \equiv u^d \pmod{N}$ as follows: If $r_2 \not\equiv v \pmod{N}$, then $M$ aborts. Otherwise algorithm $M$ outputs $v$.

Let $\epsilon^{sig}_{abort}$ be the probability that $M$ aborts the simulation because of the failure of signature queries and let $\epsilon_{RSA}$ be the probability that $A$ produces a valid forgery but $r_2 \not\equiv v \pmod{N}$. Observe that the computational view shown to algorithm $A$ by algorithm $M$ has the same distribution as $A$'s conversation with an actual signature scheme and a random hash function except for the probability $\epsilon^{sig}_{abort}$. Hence the probability that $M$ outputs a correct solution to the RSA problem $u^d \pmod{N}$ is at least $\epsilon - (\epsilon^{sig}_{abort} + \epsilon_{RSA})$.

(1) Algorithm $M$ might abort at Step 1 of the signature oracle simulation. This event occurs if $M$ chooses an $r$ that was previously given as input to the $H_p$-oracle. Since there are at most $q_{H_p}$ such $r$'s, the probability of aborting is at most $q_{H_p} \cdot 2^{-n_r}$. Therefore, the probability $\epsilon^{sig}_{abort}$ that algorithm $M$ aborts at Step 1 for any of the $q_{sig}$ signature queries is less than $q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}$.

(2) Let $NH_p$ be the event that algorithm $A$ does not query the $H_p$-oracle on the tuple $(m, R)$ which can be obtained from its forgery. It is apparent that the probability $\Pr[NH_p]$ is at most $2^{-n_N}$. So we have

$$\epsilon_{RSA} = \left(1 - \frac{1}{q_{H_p}}\right)\left(\epsilon - 2^{-n_N}\right) \le \left(1 - \frac{1}{q_{H_p}}\right)\epsilon.$$

So we can see that algorithm $M$ solves the RSA inverse permutation problem with probability at least $\frac{1}{q_{H_p}}\,\epsilon - q_{sig}\, q_{H_p}\, 2^{-n_r}$.

Running time of $M$. The running time of algorithm $M$ is that of running the algorithm $A$, the $H_o$-oracle queries, the $H_p$-oracle queries and the signature oracle queries. Thus by adding these values, we can give the running time in Eq. (2.9).

We have proved in the theorem above that even the original signer cannot forge a valid proxy signature. In the literature [1], Bellare and Rogaway have proved that a signature based on a trapdoor permutation cannot be forged. In our proposed scheme, the generation of the proxy private key adopts the RSA signature scheme. So we have the following theorem. □

Theorem 2.3. In the proposed proxy signature scheme, the proxy private key generated by the original signer cannot be forged.

From Definitions 2.2 and 3.3, we get the following corollary.

Corollary 2.1. The proposed proxy signature scheme satisfies unforgeability and non-repudiation.

2.4. Efficiency

The proposed scheme is efficient. Compared with other schemes based on the discrete logarithm problem, the scheme reduces the amount of time-consuming computation.

• In the proxy private key generation phase, the original signer performs $\lceil \log(d_o) \rceil$ multiplication computations and a hash computation.
• In the signing phase, the proxy signer performs $\lceil \log(d_p) \rceil + \lceil \log(e_o) \rceil + 1$ modular multiplication computations and a hash computation.
• In the signature verification phase, the verifier requires $\lceil \log(e_o) \rceil + \lceil \log(e_p) \rceil + 1$ modular multiplication computations, two hash computations and an inverse computation.

3. The second proposed signature scheme

In this section, we present the second scheme, which is based on the integer factorization problem, and prove that its security is tightly related to the integer factorization problem.

3.1. Related definitions

Definition 3.1 (Integer factorization problem).
[INPUT] $N$: odd composite integer with at least two distinct prime factors.
[OUTPUT] prime $p$ such that $p \mid N$.

Definition 3.2 (Integer factorization assumption). An integer factorizer is a probabilistic algorithm $A$ such that with an advantage $\epsilon > 0$:

$$\epsilon = \Pr[A(N) \text{ divides } N \text{ and } 1 < A(N) < N],$$

where the input to $A$ is defined in Definition 3.1. Let $G_{IF}$ be an integer instance generator that on input $1^k$, runs in time polynomial in $k$, and outputs a $2k$-bit modulus $N = pq$ where $p$ and $q$ are each a $k$-bit uniformly random odd prime. We say that $G_{IF}$ satisfies the integer factorization assumption if there exists no integer factorizer for $G_{IF}(1^k)$ with advantage $\epsilon > 0$ non-negligible in $k$ for all sufficiently large $k$.

3.2. The proposed scheme

In the public-key signature system based on the integer factorization problem, which was first proposed by Rabin in [12], each user chooses his own private key. The signer randomly chooses two large secure primes $p$ and $q$ satisfying $p \equiv q \equiv 3 \pmod{4}$, and computes a public modulus $N = pq$. Then the signer chooses an integer $a$ whose Jacobi symbol satisfies $\left(\frac{a}{N}\right) = -1$. The signer chooses a public one-way hash function $h(\cdot)$. The private key $\{p, q\}$ is kept secret by the signer, while the public key of the signer is $\{N, a\}$, which is certified by a CA. As in the first proposed scheme, we divide our scheme into four phases: system initialization phase, proxy private key generation phase, signing phase and verifying phase.

3.2.1. System initialization

The original signer $U_o$ chooses his private key $\{p_o, q_o\}$ and public key $\{N_o, a_o\}$, and the proxy signer $U_p$ chooses his private key $\{p_p, q_p\}$ and public key $\{N_p, a_p\}$. Furthermore, let $H_o$ be a universal secure hash function which accepts a variable-length input string of bits and produces a fixed-length output string of size $n_r$, and let $H_p$ be a universal secure hash function which accepts two variable-length input strings of bits and produces a fixed-length output string of size $n_r$.

3.2.2. Proxy private key generation phase

When the original signer $U_o$ delegates his signing capability to the proxy signer $U_p$, they run the following steps:

(1) The original signer $U_o$ first makes a warrant $m_w$, which records the delegation policy, including limits of authority, valid period of delegation, etc. Then he publishes $m_w$.

(2) $U_o$ computes a proxy private key as follows:

• $U_o$ first applies $H_o$ to produce $H_o(m_w)$, then he computes $c_1^o$:

$$c_1^o = \begin{cases} 0, & \text{if } \left(\frac{H_o(m_w)}{N_o}\right) = 1, \\ 1, & \text{if } \left(\frac{H_o(m_w)}{N_o}\right) = -1. \end{cases} \tag{3.1}$$

• $U_o$ computes $l_o$:

$$l_o = a_o^{c_1^o} H_o(m_w). \tag{3.2}$$

Then he computes $c_2^o$:

$$c_2^o = \begin{cases} 0, & \text{if } \left(\frac{l_o}{p_o}\right) = 1, \\ 1, & \text{if } \left(\frac{l_o}{q_o}\right) = -1. \end{cases} \tag{3.3}$$

• Finally $U_o$ computes $s_o$ from the equation

$$s_o^2 = (-1)^{c_2^o} a_o^{c_1^o} H_o(m_w) \pmod{N_o}. \tag{3.4}$$

Then he sends $\{s_o, c_1^o, c_2^o, m_w\}$ to the proxy signer $U_p$ via a secure channel.

(3) After receiving $\{s_o, c_1^o, c_2^o, m_w\}$, the proxy signer $U_p$ verifies the proxy private key by checking the following equation:

$$s_o^2 \equiv (-1)^{c_2^o} a_o^{c_1^o} H_o(m_w) \pmod{N_o}. \tag{3.5}$$

3.2.3. Signing phase

Assume that, according to the limits of authority, the proxy signer $U_p$ has the right to proxy sign a message $m$ on behalf of the original signer $U_o$. He performs the following steps:

(1) $U_p$ randomly chooses an integer $r \in \{0,1\}^{n_r}$ (here $n_r < N_o$), and computes $R$:

$$R = (r^2 \bmod N_o). \tag{3.6}$$

(2) $U_p$ applies $H_p$ to produce $H_p(m, R)$, then he computes $c_1^p$:

$$c_1^p = \begin{cases} 0, & \text{if } \left(\frac{H_p(m, R)}{N_p}\right) = 1, \\ 1, & \text{if } \left(\frac{H_p(m, R)}{N_p}\right) = -1. \end{cases} \tag{3.7}$$

(3) $U_p$ computes $l_p$:

$$l_p = a_p^{c_1^p} H_p(m, R). \tag{3.8}$$

Then he computes $c_2^p$:

$$c_2^p = \begin{cases} 0, & \text{if } \left(\frac{l_p}{p_p}\right) = 1, \\ 1, & \text{if } \left(\frac{l_p}{q_p}\right) = -1. \end{cases} \tag{3.9}$$

(4) $U_p$ computes $r_1$:

$$r_1 = (s_o r) \pmod{N_o}. \tag{3.10}$$

(5) $U_p$ computes $r_2$ from the equation

$$r_2^2 = (-1)^{c_2^p} a_p^{c_1^p} H_p(m, R) \pmod{N_p}. \tag{3.11}$$

(6) Finally, he sends $\{m, c_1^o, c_2^o, c_1^p, c_2^p, r_1, r_2\}$ to the verifier. Here $c_1^o$ and $c_1^p$ can also be computed by the verifier himself.

3.2.4. Verifying phase

When the verifier has received the proxy signature $\{m, c_1^o, c_2^o, c_1^p, c_2^p, r_1, r_2\}$, he can verify the proxy signature as follows:

(1) The verifier computes $R_1$ and $R_2$:

$$R_1 \equiv r_1^2 \pmod{N_o}, \tag{3.12}$$

$$R_2 \equiv r_2^2 \pmod{N_p}. \tag{3.13}$$

(2) The verifier computes $W$ and $R'$:

$$W = (-1)^{c_2^o} a_o^{c_1^o} H_o(m_w) \pmod{N_o}, \tag{3.14}$$

$$R' = (W^{-1} R_1 \pmod{n}). \tag{3.15}$$

(3) The verifier checks the equation

$$R_2 = (-1)^{c_2^p} a_p^{c_1^p} H_p(m, R') \pmod{N_p}. \tag{3.16}$$
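The Rabin-based phases of Section 3.2, Eqs. (3.1)–(3.16), run end to end, including the Jacobi-symbol tweaks $c_1$, $c_2$ and the square root taken with the private factors. This is an added example, not code from the paper: the SHA-256 based `H`, the 32-byte encoding of $R$, the helper names `target` and `tweaked_root`, the toy Mersenne-prime keys, and the use of $N_o$ as the modulus in (3.15) are assumptions made for illustration.

```python
import hashlib
import secrets

def H(label, n, *parts):
    """Assumed stand-in for H_o / H_p: SHA-256 over length-prefixed parts, mod n."""
    data = b"".join(len(x).to_bytes(4, "big") + x for x in parts)
    return int.from_bytes(hashlib.sha256(label + data).digest(), "big") % n

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def keygen(p, q):
    """Private (p, q) with p = q = 3 (mod 4); public (N, a) with (a/N) = -1."""
    assert p % 4 == 3 and q % 4 == 3
    N = p * q
    return N, next(a for a in range(2, 10**4) if jacobi(a, N) == -1)

def target(c1, c2, a, h, N):
    """Right-hand side (-1)^c2 * a^c1 * h mod N of (3.4), (3.11), (3.14), (3.16)."""
    return ((-1) ** c2 * pow(a, c1, N) * h) % N

def tweaked_root(h, p, q, a):
    """Key holder: choose c1, c2 as in (3.1)-(3.3); return (c1, c2, s), s^2 = target."""
    N = p * q
    j = jacobi(h, N)
    if j == 0:
        raise ValueError("hash value shares a factor with N")
    c1 = 0 if j == 1 else 1
    l = (pow(a, c1, N) * h) % N                    # (3.2) / (3.8): Jacobi symbol +1
    c2 = 0 if jacobi(l, p) == 1 else 1             # l or -l is a square mod p and q
    t = target(c1, c2, a, h, N)
    sp, sq = pow(t, (p + 1) // 4, p), pow(t, (q + 1) // 4, q)   # roots mod p, mod q
    return c1, c2, (sp + p * ((sq - sp) * pow(p, -1, q) % q)) % N  # CRT combination

def delegate(m_w, p_o, q_o, a_o):
    """Original signer, (3.1)-(3.4): returns (c1_o, c2_o, s_o)."""
    return tweaked_root(H(b"Ho", p_o * q_o, m_w), p_o, q_o, a_o)

def check_delegation(s_o, c1, c2, m_w, N_o, a_o):
    """Proxy signer, Eq. (3.5)."""
    return pow(s_o, 2, N_o) == target(c1, c2, a_o, H(b"Ho", N_o, m_w), N_o)

def proxy_sign(m, s_o, N_o, p_p, q_p, a_p, n_r=128):
    """Proxy signer, (3.6)-(3.11): returns (c1_p, c2_p, r1, r2)."""
    r = secrets.randbelow(2**n_r - 1) + 1          # nonzero n_r-bit value
    R = pow(r, 2, N_o)                             # (3.6)
    h_p = H(b"Hp", p_p * q_p, m, R.to_bytes(32, "big"))
    c1, c2, r2 = tweaked_root(h_p, p_p, q_p, a_p)  # (3.7)-(3.9), (3.11)
    return c1, c2, (s_o * r) % N_o, r2             # r1 from (3.10)

def verify(m, sig, deleg, m_w, N_o, a_o, N_p, a_p):
    """Verifier, (3.12)-(3.16); sig = (c1_p, c2_p, r1, r2), deleg = (c1_o, c2_o)."""
    (c1p, c2p, r1, r2), (c1o, c2o) = sig, deleg
    if {c1p, c2p, c1o, c2o} - {0, 1} or not (0 < r1 < N_o and 0 < r2 < N_p):
        return False
    W = target(c1o, c2o, a_o, H(b"Ho", N_o, m_w), N_o)        # (3.14)
    try:
        R_prime = (pow(W, -1, N_o) * pow(r1, 2, N_o)) % N_o   # (3.12), (3.15)
    except ValueError:                                        # W not invertible
        return False
    h_p = H(b"Hp", N_p, m, R_prime.to_bytes(32, "big"))
    return pow(r2, 2, N_p) == target(c1p, c2p, a_p, h_p, N_p)  # (3.13), (3.16)

def demo():
    # Constructed toy keys from Mersenne primes (all are 3 mod 4); not secure sizes.
    (p_o, q_o), (p_p, q_p) = (2**89 - 1, 2**107 - 1), (2**61 - 1, 2**127 - 1)
    (N_o, a_o), (N_p, a_p) = keygen(p_o, q_o), keygen(p_p, q_p)
    m_w, m = b"proxy=U_p; scope=purchase orders", b"purchase order #1 (constructed)"
    c1o, c2o, s_o = delegate(m_w, p_o, q_o, a_o)
    sig = proxy_sign(m, s_o, N_o, p_p, q_p, a_p)
    pub = (N_o, a_o, N_p, a_p)
    return {
        "a": (a_o, a_p),
        "delegation_ok": check_delegation(s_o, c1o, c2o, m_w, N_o, a_o),
        "valid": verify(m, sig, (c1o, c2o), m_w, *pub),
        "tampered_message": verify(m + b"!", sig, (c1o, c2o), m_w, *pub),
        "other_warrant": verify(m, sig, (c1o, c2o), b"scope=anything", *pub),
    }

if __name__ == "__main__":
    print(demo())
```

Signing and delegation need the factors $p$, $q$ for the Jacobi tests and the square root, while the verifier only squares, multiplies and inverts, which is the cost profile listed in Section 3.4.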

3.3. Security analysis

In this part, we prove that the proposed scheme works correctly and satisfies the basic security requirements.

Theorem 3.1. The proposed proxy signature scheme is verifiable, if the original signer, the proxy signer and the verifier all follow the issuing protocol.

Proof. From Eqs. (3.1)–(3.16), it is obvious that the proposed scheme satisfies verifiability.

We will prove that the second proposed scheme satisfies unforgeability and non-repudiation. Our proof idea also comes from Bellare and Rogaway's paper [1] and Goh and Jarecki's paper [2]. The following theorem also proves a tight security reduction from the hardness of the integer factorization problem to the adaptive chosen message security of the proposed scheme in the Random Oracle model. Here, we denote by $t_{cost}$ the main cost of the reduction. To keep the proof of the theorem simple and clear, we assume $c_1 = c_2 = 0$. □

Theorem 3.2. If the integer factorization problem is $(s', \epsilon')$-hard, then for any $q_{H_p}$, $q_{sig}$ the proposed scheme is $(s, q_{H_p}, q_{sig}, \epsilon)$-secure against existential forgery on adaptive chosen message attack in the Random Oracle model, where

$$\epsilon = 2\epsilon' + q_{sig}\, q_{H_p}\, 2^{-n_r} + 2^{-|N|}, \tag{3.17}$$

$$s = s' - (q_{H_p} + q_{sig} + 1)\, t_{cost}. \tag{3.18}$$

Proof. Let $A$ be an original signer, which has his key tuple $\{N_o, p_o, q_o\}$ and can $(s, q_{H_p}, q_{sig}, \epsilon)$-break the proposed scheme and forge a valid signature. We construct a simulator algorithm $M$, which can solve the integer factorization problem. In other words, when $G_{IF}$ (defined in Definition 3.2) generates an integer instance $\{N, p, q\}$ and the algorithm $M$ takes $N$ as input, $M$ can use the algorithm $A$ to compute $p$, $q$ in $s'$ steps and with probability $\epsilon'$, where

$$\epsilon' = \frac{1}{2}\left(\epsilon - q_{sig}\, q_{H_p}\, 2^{-n_r} - 2^{-n_N}\right), \tag{3.19}$$

$$s' = s + (q_{H_p} + q_{sig} + 1)\, t_{cost} \tag{3.20}$$

and the probabilities are taken mainly over the randomness used by $M$ and $A$. Algorithm $M$ simulates a run of the signature scheme to the original signer $A$. Algorithm $M$ answers $A$'s hash function queries and signature oracle queries, and it tries to translate $A$'s possible forgery $\{m, r\}$ into a condition to compute $p$, $q$. Algorithm $M$ starts the simulation. Here, algorithm $A$ takes $(N, N_o, p_o, q_o)$ as input. Then algorithm $M$ answers $A$'s queries as follows.

Answering $H_o$-oracle query. Algorithm $M$ picks a random string $s_o \in_R Z_{N_o}$ and computes $h \equiv s_o^2 \pmod{N_o}$. Then $M$ outputs $h$ as the answer to the query $H_o(m_w)$. The $H_o$-oracle query is done only once.

Answering $H_p$-oracle queries. If the original signer $A$ provides a new query $(m, R)$ as input to the $H_p$-oracle, algorithm $M$ works as follows: Pick $w \in_R Z_N$ at random and compute $y \equiv w^2 \pmod{N}$, then maintain a hash oracle query table, take $(m, R, w, y)$ as one entry, and output $y$ as the answer to the query $H_p(m, R)$.

Answering signature queries. Suppose the original signer $A$ asks for a signature on message $m$. Algorithm $M$ has to create a valid signature tuple without knowing the factorization of $N$. In the process, algorithm $M$ defines some values of the hash function $H_p$. The algorithm $M$ proceeds as follows:

(1) Pick a random string $r \in \{0,1\}^{n_r}$ and compute $R \equiv (r^2 \bmod N)$. Then check the hash oracle. If $H_p$ has been queried on input $(m, R)$, abort.
(2) Pick $w \in_R Z_N$ at random and compute $y \equiv w^2 \pmod{N}$, and take $y$ as the answer to the query $H_p(m, R)$.
(3) Compute $r_1 = s_o \cdot r \pmod{N_o}$ and $r_2 = w \pmod{N}$.
(4) Return the tuple $\{m, r_1, r_2\}$.

Solving the integer factorization problem. If the original signer $A$ returns a valid message and signature pair $(m, r)$ (where $r = \{r_1, r_2\}$) for some previously unsigned $m$, then algorithm $M$ tries to translate this forgery into computing $p$, $q$ as follows:

(1) $M$ computes $R_1 \equiv r_1^2 \pmod{N_o}$ and $R = (h^{-1} \cdot R_1 \pmod{N_o})$.
(2) If $A$ has not queried the $H_p$-oracle on $(m, R)$, $M$ aborts.
(3) Otherwise, there is a probability 1/2 that $r_2$ differs from $w$ in the entry. So $M$ can get a factor of $N$ by $\gcd(r_2 - w, N)$.
(4) Finally, algorithm $M$ outputs $p$ and $q$.

Let $\epsilon^{sig}_{abort}$ be the probability that $M$ aborts the simulation because of the failure of signature queries and let $\epsilon_{NH}$ be the probability that $A$ produces a valid forgery but does not query the $H_p$-oracle. Observe that the computational view shown to algorithm $A$ by algorithm $M$ has the same distribution as $A$'s conversation with an actual signature scheme and a random hash function except for the probability $\epsilon_{NH}$. Hence the probability that $M$ outputs $p$ and $q$ is at least $\epsilon - (\epsilon^{sig}_{abort} + \epsilon_{NH})$.

(1) Algorithm $M$ might abort at Step 1 of the signature oracle simulation. This event occurs if $M$ chooses an $r$ such that $(m, R)$ was previously given as input to the $H_p$-oracle. Since there are at most $q_{H_p}$ such $r$'s, the probability of aborting is at most $q_{H_p} \cdot 2^{-n_r}$. Therefore, the probability $\epsilon^{sig}_{abort}$ that algorithm $M$ aborts at Step 1 for any of the $q_{sig}$ signature queries is less than $q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}$.

(2) Let $NH_p$ be the event that algorithm $A$ does not query the $H_p$-oracle on the tuple $(m, R)$ which can be obtained from its forgery. It is apparent that the probability $\Pr[NH_p]$ is at most $2^{-n_N}$, that is, $\epsilon_{NH} = 2^{-n_N}$.

So we can see that algorithm $M$ solves the integer factorization problem with probability at least $\epsilon' = q_{sig} \cdot q_{H_p} \cdot 2^{-n_r} - 2^{-n_N}$.

Running time of $M$. The running time of algorithm $M$ is that of running the algorithm $A$, the $H_o$-oracle queries, the $H_p$-oracle queries and the signature oracle queries. Thus by adding these values, we can give the running time in Eq. (3.19). Similar to Theorem 2.3, we have the following theorem. □

Theorem 3.3. In the proposed proxy signature scheme, the proxy private key generated by the original signer cannot be forged.

From Theorems 3.2 and 3.3, we get the following corollary.

Corollary 3.1. The proposed proxy signature scheme satisfies unforgeability and non-repudiation.

3.4. Efficiency

• In the proxy private key generation phase, the original signer performs a multiplication computation and a hash computation.
• In the signing phase, the proxy signer performs three modular multiplication computations, a square root computation and a hash computation.
• In the signature verification phase, the verifier requires three modular multiplication computations, two hash computations and an inverse computation.

3.5. Remark

The second scheme is a modified version of the first one, moving from the RSA problem to the integer factorization problem. Apparently, the second scheme is more efficient than the first one. Furthermore, the reduction in the proof of security of the second scheme is tighter than the one for the first scheme.

4. Conclusions

In this paper, we have presented two provably secure proxy-protected signature schemes, which are based on the RSA problem and the integer factorization problem respectively. The second scheme is a modified version of the first, moving from the RSA problem to the integer factorization problem. Compared to the other schemes, our schemes reduce the amount of time-consuming computation. Therefore, in mobile computation environments, our schemes can be applied in many low-computation devices, such as cell phones, pagers, smart cards, etc.

Acknowledgements

This research is partially supported by the National Science Foundation of China under Grant No. 60072018, the National Natural Science Foundation of China for Distinguished Young Scholars under Grant No. 60225007 and the National Research Fund for the Doctoral Program of Higher Education of China under Grant No. 20020248024.

References

[1] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993, pp. 62–73.
[2] E.J. Goh, S. Jarecki, A signature scheme as secure as the Diffie–Hellman problem, in: Proceedings of Eurocrypt 2003, LNCS 2656, 2003, pp. 401–415.
[3] C.-L. Hsu, T.-S. Wu, T.-C. Wu, New nonrepudiable threshold proxy signature scheme with known signers, The Journal of System and Software 58 (2001) 119–124.
[4] S.J. Hwang, C.-H. Shi, A simple multi-proxy signature scheme, in: Proceedings of the Tenth National Conference on Information Security, Hualien, Taiwan, ROC, 2000, pp. 134–138.
[5] S.J. Hwang, C.-C. Chen, A new proxy multi-signature scheme, in: International Workshop on Cryptology and Network Security, Taipei, Taiwan, ROC, December 2000, pp. 134–138.
[6] M.-S. Hwang, L.-C. Lin, J.-L.L.U. Eric, A secure nonrepudiable threshold proxy signature scheme with known signers, Information 11 (2) (2000) 137–144.
[7] H. Kim, J. Baek, B. Lee, K. Kim, Secret Computation with secrets for mobile agent using one-time proxy signature, in: The 2001 Symposium on Cryptography and Information Security, Oiso, Japan.
[8] S. Kim, S. Park, D. Won, Proxy signature, revisited, in: Proceedings of ICICS 97, International Conference on Information and Communication Security, 1997, pp. 223–232.
[9] B. Lee, H. Kim, K. Kim, Strong proxy signature and its applications, in: Proceedings of SCIS 2001, 2001, pp. 603–608.
[10] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures: delegation of the power to sign message, IEICE Transaction Functional E79-A (9) (1996) 1338–1354.
[11] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures for delegation signing operation, in: Proceedings of the Third ACM Conference on Computer and Communication Security, New Delhi, India, January 1996, pp. 48–57.
[12] M.O. Rabin, Digitalized signatures, Foundations of Secure communication, Academic Press, 1978, pp. 155–168.
[13] H.-M. Sun, An efficient nonrepudiable threshold proxy signature scheme with known signers, Computer Communications 22 (1999) 717–722.
[14] H.-M. Sun, N.-Y. Lee, T. Hwang, Threshold proxy signatures, IEE Proceedings Computers and Digital Techniques 146 (5) (1999) 259–263.
[15] H.-M. Sun, On proxy (multi-) signature schemes, in: 2000 International Computer Symposium, Chiayi, Taiwan, ROC, December 6–8, 2000, pp. 65–72.
[16] H.X. Wang, J. Pieprzyk, Efficient one-time proxy signatures, in: Proceedings of Asiacrypt 2003, LNCS 2894, 2003, pp. 507–522.
[17] L. Yi, G. Bai, G. Xiao, Proxy multi-signature scheme: a new type of proxy signature scheme, Electronics Letter 36 (6) (2000) 527–528.