- Email: [email protected]
Proxy signature scheme with a semi-trusted third party
Available online at www.sciencedirect.com Available online at www.sciencedirect.com
Procedia Engineering
Procedia Engineering 00 (2011) 000–000 Procedia Engineering 15 (2011) 3195 – 3199 www.elsevier.com/locate/procedia
Advanced in Control Engineeringand Information Science
Proxy signature scheme with a semi-trusted third party LIU Peiyua,b, CUI Taoa, Xu Mingyingb a* b
a School of Information Science and Engineering, Shandong Normal University, Jinan Shandong 250014, China; Shandong Provincial Key Laboratory for Distributed Computer Software Novel Technology, Jinan 250014, China
Abstract Authorization mechanism is introduced to prevent the on-line original signer problem in this scheme. The semitrusted third party’s secret value in the proxy signature strengthens the unforgeability. The proxy signer’s common signature is added into the proxy signature which ensures the undeniability. And the time stamp makes it possible to revoke the proxy signer’s power. What’s more, the scheme needs shorter time to generate proxy signature since it is based on Schnorr signature.
© 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of [CEIS 2011] Key Words: digital signature; proxy signature; discrete logarithm problem
1. Introduction The concept of proxy signature was first introduced by Mambo, Usuda and Okamato[1] in 1996, and also they gave several early proxy signature schemes. Later, the on-line original signer problem, the efficiency and the security of the proxy signature come to be the main problems that hinder the development of proxy signature. In the research of the above problems, papers [2-4] integrate threshold secret values sharing into proxy signature to propose a threshold proxy signature scheme. The proxy key is shared by a proxy group of n proxy signers instead of one proxy signer. So the authority of the proxy signer is reduced. And at the same time, the unforgeability of the proxy signature is strengthened. Papers [5-7] integrate forward
* CUI Tao. Tel.:+8615964501912. E-mail address: [email protected].
1877-7058 © 2011 Published by Elsevier Ltd. doi:10.1016/j.proeng.2011.08.600
3196 2
LIUTao,XU Peiyu etMingying/ al. / Procedia Engineering 15 (2011) 3195 –000–000 3199 LIU Peiyu,CUI Procedia Engineering 00 (2011)
security into proxy signature to propose a forward secure proxy signature scheme. In the scheme, the lifetime of the public key is divided into discrete time periods. Different secret keys will be used in these different time periods while the public key is fixed, so that all generated proxy signatures in previous time periods are still considered to be valid even if the current secret key is compromised. But through the analysis of the above papers, we can find out that there is much exponentiation and product computation in the above schemes which will reduce the efficiency. What’s more, the on-line original signer problem is not solved in the mentioned schemes. In this paper, we introduce the authorization mechanism, so that the on-line original signer problem in itself is solved. The semi-trusted third party’s secret value in the proxy signature makes the scheme more secure. The common signature [8] in the proxy signature ensures the undeniability, and time stamp [9] gives revocability to the proxy signature. 2. the design of the scheme In this section, we introduce a semi-trusted third party into the proxy signature. The whole scheme involves in the original signer A, the proxy signer B, the semi-trusted third party T and the verifier C. 2.1. System initialization
p is a large prime number, and q is a large prime factor of p − 1 , g is a generator of Z P* . x A ∈ Z q* is the original signer’s private key, x B ∈ Z q* is the proxy signer’s private key, and xT ∈ Z q* is the semi-trusted third party’s private key. Based on the discrete logarithm problem, we can get
y A = g x A mod p, y B = g xB mod p, yT = g xT mod p to be their public keys. Let h() : {0,1}* → Z p be a one-way hash function. Sign xi ()和Verify yi (), i = A, B, T are standard
signature algorithm and verification algorithm with message recovery. 2.2. The original signer’s proxy delegation *
The original signer A chooses r0 andrA ∈ Z q as random numbers, and he generates the authorization message mW which contains the original signer’s identity, the proxy signer’s identity, scope of proxy
signing and the valid period D. And then, he calculates the following formulas,
K A = g rA mod p
(1)
S A = x A h(mW || K A ) + rA mod q S 0 = Signx A ( S A , K A , mW , r0 ) Finally, S 0 should be sent to the semi-trusted third party T. In the above formulas, formula (1) can be
precomputed.
When T receives S 0 , he calculates Verify y A ( S 0 ) to get
verifies g
SA
yA
− h ( mW || K A )
= K A mod p .
S A , K A , mW' , r0' . And then, he
3197 3
LIU PeiyuTao,XU et al. / Procedia 15 (2011) 3195 – 3199000–000 LIU Peiyu,CUI MingyingEngineering / Procedia Engineering 00 (2011) '
'
'
If the above equation is not established, T responses nothing, or he calculates S 0 = Sign xT ( m w , r0 ) . Finally,
S 0' is sent to the original signer A.
When A receives
S 0' , he calculates Verify yT ( S 0' ) to get mW' and r0' . If equations
mW = mW' and r0 = r0' are established at the same time, A will be sure that his proxy delegation is
finished, or he continues to make proxy delegation.
2.3. The semi-trusted third party’s proxy authorization The authorization message mW will be taken care of by the semi-trusted third party T until the proxy signature should be generated. Then, T completes proxy authorization as the following steps: *
T chooses rT andr1 ∈ Z q as random numbers. And then, he calculates the following formulas,
K T = g rT mod p ST = S A + xT h(mW || KT ) + rT mod q S1 = Sign xT ( S T , K T , mW , r1 )
(2)
Finally, S1 should be sent to the proxy signer B. In the above formulas, formula (2) can be precomputed. When B receives S1 , he calculates
Verify yT ( S1 ) to get S T , K T , mW , r1' . And then, he
g ST y A- h ( mW ||K A ) yT- h ( mW ||KT ) = K A K T mod p . If the above equation is not established, B ' ' ' responses nothing, or he calculates S1 = Sign xB (r1 ) . Finally, S1 is sent to T. verifies
'
'
'
When T receives S1 , he calculates Verify y B ( S1 ) to get r1 . If equation
r1 = r1' is established, T will be
'
sure that his proxy authorization is finished, or he will continue to send S1 . 2.4. Proxy signature generation *
When proxy signer B receives authorization message mW , he chooses rB ∈ Z q as random number.
t
is a time stamp, and m is the message to be signed. B firstly calculates Sign xB (m) , and then, he calculates the following formulas,
K B = g rB mod p x p = ST + xB mod q
(3)
x p is the proxy private key, and he calculates equation y P = g xP mod p to get the proxy public key. = x P h(m || m W || t || K B ) + rB mod q . So the proxy signature for message m generated by B is {m, mW , Sign x B ( m), S , t , K A , K B , K T } . In the above formulas, formula (3) can be Finally, B calculates S precomputed.
3198 4
LIUTao,XU Peiyu etMingying/ al. / Procedia Engineering 15 (2011) 3195 –000–000 3199 LIU Peiyu,CUI Procedia Engineering 00 (2011)
2.5. Proxy signature verification Every one who wants to verify the proxy signature can perform the following steps: First, he may compare time stamp t with the valid period D of proxy signing. If inequation t>D is established, the proxy signature will be considered invalid, or he calculates Verify y B ( Signx B (m)) . And if
Verify y B ( Sign xB (m)) = m is not established, the proxy signature will still be considered
invalid, or he can verify the final equation g proxy signature
S
yp
− h ( m||mW ||t || K B )
= K B mod p . If it is also established, the
{m, mW , Sign xB (m), S , t , K A , K B , K T } is valid.
3. Performance Analysis 3.1. Correctness Any verifier C can verify the equation signature is valid. Proof : Since Therefore
g S y P− h ( m||mW ||t||K B ) = K B mod p to be sure whether the proxy
S = x P h(m || mW || t || K B ) + rB mod q g S y −p h ( m||mW ||t||K B ) = g S g − xP h ( m||mW ||t||K B ) mod p
= g xP h ( m||mW ||t || K B ) + rB g
− x p h ( m|| mW ||t || K B )
mod p =
g rB mod p = K B mod p We can see from the above proof that
{m, mW , Sign xB (m), S , t , K A , K B , K T } is a valid proxy
signature for message m generated by proxy signer B. 3.2. Unforgeability
Any malicious attacker who wants to forge valid proxy signature must get proxy secret key x p . We can see from the equation y p
=g
xp
mod p that, the difficulty from y p to x p is equal to solve discrete
logarithm problem. Therefore, in the safety assumptions of discrete logarithm, proxy signature is unforgeability. 3.3. Undeniability
Sign xB (m) is added to the proxy signature, which ensures that the proxy signature must be generated by B himself. If proxy signer B transfers the proxy signing power to anyone else only instead of his private key x B , the generated proxy signature will be invalid. If The proxy signer B’s common signature
a valid proxy signature is generated, and B still denies, he will be punished.
LIU PeiyuTao,XU et al. / Procedia 15 (2011) 3195 – 3199000–000 LIU Peiyu,CUI MingyingEngineering / Procedia Engineering 00 (2011)
3.4. Misuse The authorization mechanism is introduced into the scheme, so the original signer can send the authorization message mW to the semi-trusted third party in the original signer’s proxy delegation period. Before proxy signing’s valid period’s coming,
mW is kept by the semi-trusted third party, so that the
proxy signer can’t generate valid proxy signature. 4. Conclusion
This paper analyses two kinds of proxy signature schemes, and proposes a proxy signature scheme with a semi-trusted third party, which keeps the efficiency and prevents the on-line original signer problem in itself. But during the proxy signature verification period, we should verify a common signature, which brings in some inconvenience. So how to design an efficient, safe and convenient proxy signature scheme is still well worth further research. Acknowledgements the National Natural Science Foundation of China (No.60873247); High-tech self-innovation project of Shandong Province (No.2008ZZ28); the Natural Science Foundation of Shandong Province of China (No.ZR2009GZ007). References [1] MAMBO M, USUDA K, OKAMOTO E. Proxy signatures for delegating signing operation.Proc 3rd ACM Conference on Computer and Communications Security. ACM Press,1996.48-57. [2]YAN De-qin , ZHAO Hong-bo . Secure (t, n) Threshold proxy signature without a trusted party. Computer Science, 2009, 36(7):82-84. [3]MI Li-jun , LI Su-bei , ZHANG Jian-zhong . (t, n) threshold proxy signature scheme with designated receiver. Computer Engineering and Application, 2010, 46(23):85-87. [4]ZUO Zhen-yuan , XIE Qi. Cryptanalysis and improvement of (t, n) threshold proxy signature scheme. Computer Engineering and Application, 2010, 46(21):119-121. [5]YANG Jie , QIAN Hai-feng , LI Zhi-bin. Strong forward security proxy signature scheme. Computer Engineering, 2008, 34(17):162-164. [6]NIU Jiang-pin, ZHANG Jian-zhong. Forward-secure proxy signature scheme based on bilinear pairings. Computer Engineering, 2009, 35(6):164-165. [7]SUN Mei, WEI Shi-min, ZHAO Bing. Cryptanalysis and improvement of forward secure threshold proxy signature scheme.ComputerEngineering and Application, 2010,46(36):109-111. [8]CAO Zheng-jun , LIU Li-hua. Security Analysis of two designated-verifier signature scheme. Journal of Software, 2008, 19(7):1753-1757. [9]HU Liang, CHU Jian-feng, LIN Hai-qun . The key management mechanism of IBE system. Chinese Journal of Computers, 2009, 32(3):543-551.
3199 5
Procedia Engineering
Procedia Engineering 00 (2011) 000–000 Procedia Engineering 15 (2011) 3195 – 3199 www.elsevier.com/locate/procedia
Advanced in Control Engineeringand Information Science
Proxy signature scheme with a semi-trusted third party LIU Peiyua,b, CUI Taoa, Xu Mingyingb a* b
a School of Information Science and Engineering, Shandong Normal University, Jinan Shandong 250014, China; Shandong Provincial Key Laboratory for Distributed Computer Software Novel Technology, Jinan 250014, China
Abstract Authorization mechanism is introduced to prevent the on-line original signer problem in this scheme. The semitrusted third party’s secret value in the proxy signature strengthens the unforgeability. The proxy signer’s common signature is added into the proxy signature which ensures the undeniability. And the time stamp makes it possible to revoke the proxy signer’s power. What’s more, the scheme needs shorter time to generate proxy signature since it is based on Schnorr signature.
© 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of [CEIS 2011] Key Words: digital signature; proxy signature; discrete logarithm problem
1. Introduction The concept of proxy signature was first introduced by Mambo, Usuda and Okamato[1] in 1996, and also they gave several early proxy signature schemes. Later, the on-line original signer problem, the efficiency and the security of the proxy signature come to be the main problems that hinder the development of proxy signature. In the research of the above problems, papers [2-4] integrate threshold secret values sharing into proxy signature to propose a threshold proxy signature scheme. The proxy key is shared by a proxy group of n proxy signers instead of one proxy signer. So the authority of the proxy signer is reduced. And at the same time, the unforgeability of the proxy signature is strengthened. Papers [5-7] integrate forward
* CUI Tao. Tel.:+8615964501912. E-mail address: [email protected].
1877-7058 © 2011 Published by Elsevier Ltd. doi:10.1016/j.proeng.2011.08.600
3196 2
LIUTao,XU Peiyu etMingying/ al. / Procedia Engineering 15 (2011) 3195 –000–000 3199 LIU Peiyu,CUI Procedia Engineering 00 (2011)
security into proxy signature to propose a forward secure proxy signature scheme. In the scheme, the lifetime of the public key is divided into discrete time periods. Different secret keys will be used in these different time periods while the public key is fixed, so that all generated proxy signatures in previous time periods are still considered to be valid even if the current secret key is compromised. But through the analysis of the above papers, we can find out that there is much exponentiation and product computation in the above schemes which will reduce the efficiency. What’s more, the on-line original signer problem is not solved in the mentioned schemes. In this paper, we introduce the authorization mechanism, so that the on-line original signer problem in itself is solved. The semi-trusted third party’s secret value in the proxy signature makes the scheme more secure. The common signature [8] in the proxy signature ensures the undeniability, and time stamp [9] gives revocability to the proxy signature. 2. the design of the scheme In this section, we introduce a semi-trusted third party into the proxy signature. The whole scheme involves in the original signer A, the proxy signer B, the semi-trusted third party T and the verifier C. 2.1. System initialization
p is a large prime number, and q is a large prime factor of p − 1 , g is a generator of Z P* . x A ∈ Z q* is the original signer’s private key, x B ∈ Z q* is the proxy signer’s private key, and xT ∈ Z q* is the semi-trusted third party’s private key. Based on the discrete logarithm problem, we can get
y A = g x A mod p, y B = g xB mod p, yT = g xT mod p to be their public keys. Let h() : {0,1}* → Z p be a one-way hash function. Sign xi ()和Verify yi (), i = A, B, T are standard
signature algorithm and verification algorithm with message recovery. 2.2. The original signer’s proxy delegation *
The original signer A chooses r0 andrA ∈ Z q as random numbers, and he generates the authorization message mW which contains the original signer’s identity, the proxy signer’s identity, scope of proxy
signing and the valid period D. And then, he calculates the following formulas,
K A = g rA mod p
(1)
S A = x A h(mW || K A ) + rA mod q S 0 = Signx A ( S A , K A , mW , r0 ) Finally, S 0 should be sent to the semi-trusted third party T. In the above formulas, formula (1) can be
precomputed.
When T receives S 0 , he calculates Verify y A ( S 0 ) to get
verifies g
SA
yA
− h ( mW || K A )
= K A mod p .
S A , K A , mW' , r0' . And then, he
3197 3
LIU PeiyuTao,XU et al. / Procedia 15 (2011) 3195 – 3199000–000 LIU Peiyu,CUI MingyingEngineering / Procedia Engineering 00 (2011) '
'
'
If the above equation is not established, T responses nothing, or he calculates S 0 = Sign xT ( m w , r0 ) . Finally,
S 0' is sent to the original signer A.
When A receives
S 0' , he calculates Verify yT ( S 0' ) to get mW' and r0' . If equations
mW = mW' and r0 = r0' are established at the same time, A will be sure that his proxy delegation is
finished, or he continues to make proxy delegation.
2.3. The semi-trusted third party’s proxy authorization The authorization message mW will be taken care of by the semi-trusted third party T until the proxy signature should be generated. Then, T completes proxy authorization as the following steps: *
T chooses rT andr1 ∈ Z q as random numbers. And then, he calculates the following formulas,
K T = g rT mod p ST = S A + xT h(mW || KT ) + rT mod q S1 = Sign xT ( S T , K T , mW , r1 )
(2)
Finally, S1 should be sent to the proxy signer B. In the above formulas, formula (2) can be precomputed. When B receives S1 , he calculates
Verify yT ( S1 ) to get S T , K T , mW , r1' . And then, he
g ST y A- h ( mW ||K A ) yT- h ( mW ||KT ) = K A K T mod p . If the above equation is not established, B ' ' ' responses nothing, or he calculates S1 = Sign xB (r1 ) . Finally, S1 is sent to T. verifies
'
'
'
When T receives S1 , he calculates Verify y B ( S1 ) to get r1 . If equation
r1 = r1' is established, T will be
'
sure that his proxy authorization is finished, or he will continue to send S1 . 2.4. Proxy signature generation *
When proxy signer B receives authorization message mW , he chooses rB ∈ Z q as random number.
t
is a time stamp, and m is the message to be signed. B firstly calculates Sign xB (m) , and then, he calculates the following formulas,
K B = g rB mod p x p = ST + xB mod q
(3)
x p is the proxy private key, and he calculates equation y P = g xP mod p to get the proxy public key. = x P h(m || m W || t || K B ) + rB mod q . So the proxy signature for message m generated by B is {m, mW , Sign x B ( m), S , t , K A , K B , K T } . In the above formulas, formula (3) can be Finally, B calculates S precomputed.
3198 4
LIUTao,XU Peiyu etMingying/ al. / Procedia Engineering 15 (2011) 3195 –000–000 3199 LIU Peiyu,CUI Procedia Engineering 00 (2011)
2.5. Proxy signature verification Every one who wants to verify the proxy signature can perform the following steps: First, he may compare time stamp t with the valid period D of proxy signing. If inequation t>D is established, the proxy signature will be considered invalid, or he calculates Verify y B ( Signx B (m)) . And if
Verify y B ( Sign xB (m)) = m is not established, the proxy signature will still be considered
invalid, or he can verify the final equation g proxy signature
S
yp
− h ( m||mW ||t || K B )
= K B mod p . If it is also established, the
{m, mW , Sign xB (m), S , t , K A , K B , K T } is valid.
3. Performance Analysis 3.1. Correctness Any verifier C can verify the equation signature is valid. Proof : Since Therefore
g S y P− h ( m||mW ||t||K B ) = K B mod p to be sure whether the proxy
S = x P h(m || mW || t || K B ) + rB mod q g S y −p h ( m||mW ||t||K B ) = g S g − xP h ( m||mW ||t||K B ) mod p
= g xP h ( m||mW ||t || K B ) + rB g
− x p h ( m|| mW ||t || K B )
mod p =
g rB mod p = K B mod p We can see from the above proof that
{m, mW , Sign xB (m), S , t , K A , K B , K T } is a valid proxy
signature for message m generated by proxy signer B. 3.2. Unforgeability
Any malicious attacker who wants to forge valid proxy signature must get proxy secret key x p . We can see from the equation y p
=g
xp
mod p that, the difficulty from y p to x p is equal to solve discrete
logarithm problem. Therefore, in the safety assumptions of discrete logarithm, proxy signature is unforgeability. 3.3. Undeniability
Sign xB (m) is added to the proxy signature, which ensures that the proxy signature must be generated by B himself. If proxy signer B transfers the proxy signing power to anyone else only instead of his private key x B , the generated proxy signature will be invalid. If The proxy signer B’s common signature
a valid proxy signature is generated, and B still denies, he will be punished.
LIU PeiyuTao,XU et al. / Procedia 15 (2011) 3195 – 3199000–000 LIU Peiyu,CUI MingyingEngineering / Procedia Engineering 00 (2011)
3.4. Misuse The authorization mechanism is introduced into the scheme, so the original signer can send the authorization message mW to the semi-trusted third party in the original signer’s proxy delegation period. Before proxy signing’s valid period’s coming,
mW is kept by the semi-trusted third party, so that the
proxy signer can’t generate valid proxy signature. 4. Conclusion
This paper analyses two kinds of proxy signature schemes, and proposes a proxy signature scheme with a semi-trusted third party, which keeps the efficiency and prevents the on-line original signer problem in itself. But during the proxy signature verification period, we should verify a common signature, which brings in some inconvenience. So how to design an efficient, safe and convenient proxy signature scheme is still well worth further research. Acknowledgements the National Natural Science Foundation of China (No.60873247); High-tech self-innovation project of Shandong Province (No.2008ZZ28); the Natural Science Foundation of Shandong Province of China (No.ZR2009GZ007). References [1] MAMBO M, USUDA K, OKAMOTO E. Proxy signatures for delegating signing operation.Proc 3rd ACM Conference on Computer and Communications Security. ACM Press,1996.48-57. [2]YAN De-qin , ZHAO Hong-bo . Secure (t, n) Threshold proxy signature without a trusted party. Computer Science, 2009, 36(7):82-84. [3]MI Li-jun , LI Su-bei , ZHANG Jian-zhong . (t, n) threshold proxy signature scheme with designated receiver. Computer Engineering and Application, 2010, 46(23):85-87. [4]ZUO Zhen-yuan , XIE Qi. Cryptanalysis and improvement of (t, n) threshold proxy signature scheme. Computer Engineering and Application, 2010, 46(21):119-121. [5]YANG Jie , QIAN Hai-feng , LI Zhi-bin. Strong forward security proxy signature scheme. Computer Engineering, 2008, 34(17):162-164. [6]NIU Jiang-pin, ZHANG Jian-zhong. Forward-secure proxy signature scheme based on bilinear pairings. Computer Engineering, 2009, 35(6):164-165. [7]SUN Mei, WEI Shi-min, ZHAO Bing. Cryptanalysis and improvement of forward secure threshold proxy signature scheme.ComputerEngineering and Application, 2010,46(36):109-111. [8]CAO Zheng-jun , LIU Li-hua. Security Analysis of two designated-verifier signature scheme. Journal of Software, 2008, 19(7):1753-1757. [9]HU Liang, CHU Jian-feng, LIN Hai-qun . The key management mechanism of IBE system. Chinese Journal of Computers, 2009, 32(3):543-551.
3199 5