Multi-proxy Signature Schemes for Partial Delegation with Cheater Identification

Chih-Yin Lin (1), Tzong-Chen Wu (2) and Jing-Jang Hwang (3)

(1, 3) Institute of Information Management, National Chiao Tung University, Hsinchu, Taiwan 300, R.O.C.
(1) Email: [email protected]
(2) Department of Information Management, National Taiwan University of Science and Technology, Taipei, Taiwan 106, R.O.C.
(2) Email: [email protected]

ABSTRACT

The authors propose two multi-proxy signature schemes for partial delegation, in which the original signer can delegate his signing power to a set of proxy signers. One of the proposed schemes is based on the proxy-unprotected approach and the other on the proxy-protected approach. Both proposed schemes satisfy the basic properties for partial delegation addressed by Mambo, Usuda, and Okamoto. The proxy-unprotected scheme is only applicable to the case that the original signer is honest; however, it is more efficient than the proxy-protected one. The proxy-protected scheme also has the ability to prevent cheating attempts plotted by the original signer or by malicious proxy signer(s).

KEY WORDS

Digital signature, Proxy signature, Multi-proxy signature.

1. Introduction

A proxy signature scheme is a variation of well-known normal signature schemes, in which an original signer can delegate his signing power to another signer, called the proxy signer, for signing messages [8-9]. The signature generated by the proxy signer is called the proxy signature for the original signer. There are three different types of delegation: full delegation, partial delegation, and delegation by warrant. In the case of full delegation, the proxy signer is given a proxy key the same as the original signer’s private key. This implies that the proxy signer can act exactly as the original signer in signing any message, which makes it impossible to distinguish a normal signature from a proxy signature. In the case of partial delegation, the proxy signer is given a proxy key generated from the original signer’s private key. However, the proxy signer cannot derive the original signer’s private key from the proxy key. In the case of delegation by warrant, the original signer signs a warrant that certifies the legitimacy of the proxy signer. Note that in both partial delegation and delegation by warrant, a proxy signature is differentiated from a normal signature in terms of its representation. Usually, partial delegation is more efficient than delegation by warrant, because the latter approach requires verification of both the proxy signature and the warrant.

In 1996, Mambo, Usuda and Okamoto first addressed the basic properties that a proxy signature scheme for partial delegation should satisfy, and defined them as follows [8-9]:

Unforgeability: Only the delegated proxy signer(s) can generate the proxy signature for a given message on behalf of the original signer.

Proxy signer’s deviation: A proxy signer cannot generate a valid proxy signature not detected as his signature.

Secret key’s dependence: A proxy signer’s proxy key should always be generated from the original signer’s private key.

Verifiability: From the proxy signature, a verifier can be convinced of the original signer’s agreement on the signed message.

Distinguishability: Valid proxy signatures generated by the proxy signer are distinguishable from valid normal signatures generated by the original signer.

Identifiability: The original signer can identify the proxy signer corresponding to a proxy signature from that signature.

Undeniability: A proxy signer cannot disavow a proxy signature generated by him.

Mambo et al. [8-9] also proposed three proxy signature schemes for partial delegation based on ElGamal’s signature scheme [1], Schnorr’s signature scheme [13], and Okamoto’s signature scheme [12], respectively. Since then, several proxy signature schemes or their variations have been developed [2-3, 6, 11, 15-17]. One well-known variation of the proxy signature scheme is the so-called threshold proxy signature scheme, such as the schemes proposed in [2, 15-17], in which the original signer can delegate his signing power to a set of proxy signers. Threshold proxy signature schemes were investigated more closely because they contribute specifically to authorization sharing, fault tolerance, and separation of duty [10].

In some practical applications, the original signer may delegate his signing power to all of the specified proxy signers while ensuring the individual accountability of each participating signer. A proxy signature scheme that achieves this purpose is called a multi-proxy signature scheme. The signature generated by the specified proxy signers is called the multi-proxy signature for the original signer. Note that the multi-proxy signature scheme is the special case of the t-out-of-n threshold proxy signature scheme with t=n. As one can see, using a general-case solution to resolve the special-case problem usually requires extra computational overhead. Therefore, it is worthwhile to design a new scheme, instead of directly adopting the threshold proxy signature scheme, for generating a multi-proxy signature in an efficient way.

Based on the intractability of the discrete logarithm (DL) problem [1], we propose two multi-proxy signature schemes for partial delegation: one is based on the proxy-unprotected approach and the other on the proxy-protected approach. Both proposed schemes satisfy the basic properties for partial delegation addressed by Mambo et al. [8-9]. In the proxy-unprotected scheme, the proxy signer uses only the proxy key, which is given by the original signer, to sign messages. Hence, this scheme is only applicable to the case that the original signer is honest. In the proxy-protected scheme, the proxy signer uses both the proxy key and his own private key to sign messages. Therefore, this scheme has the ability to prevent cheating attempts plotted by the original signer or by malicious proxy signer(s). However, the proxy-unprotected scheme is more efficient than the proxy-protected one in practice.

2. Proposed Schemes

The proposed schemes involve four roles: the system authority SA, the original signer $U_0$, a set of proxy signers $\{P_1, P_2, \ldots, P_n\}$ (for some constant n) delegated by $U_0$, and a clerk CLK trusted by the proxy signers. SA defines necessary parameters for setting up the system and issues public key certificates for $U_0$ and all $P_i$’s. CLK is responsible for authenticating the individual proxy signature generated by each $P_i$, and constructing a multi-proxy signature for the signing message. Note that no secret information is associated with CLK.

2.1 Proxy-unprotected Scheme

The proposed proxy-unprotected scheme consists of four phases: preparation, proxy key generation, multi-proxy signature generation, and multi-proxy signature verification. Details of these phases are stated below:

Preparation phase: Initially, SA defines the following parameters for system setup: two large primes p and q, such that $q \mid p - 1$, a generator g modulo p with order q, and a one-way hash function h that accepts a variable-length input but produces a fixed-length output. All parameters defined by SA are made public. After that, the original signer $U_0$ and each of the proxy signers $P_i$ (for i = 1, 2, ..., n) prepare a private/public key pair and register it at SA. Let $(x_0, y_0)$ and $Cert(U_0, y_0)$ be the private/public key pair and the public key certificate for $U_0$, and $(x_i, y_i)$ and $Cert(P_i, y_i)$ be the private/public key pair and the public key certificate for $P_i$, where $y_0 = g^{x_0} \bmod p$, $y_i = g^{x_i} \bmod p$ and the public key certificate could be generated by following the specification defined by X.509 and put on the system’s public key directory [4-5]. Notice that a valid public key certificate $Cert(P_i, y_i)$ implies the legitimacy of $P_i$’s public key $y_i$ as well as the fact that $P_i$ knows the discrete logarithm of $y_i$, i.e., the private key $x_i$, with base g modulo p.

Proxy key generation phase: First of all, $U_0$ randomly selects n distinct integers $z_i \in Z_q^*$ (for i = 1, 2, ..., n), and computes a delegation for each $P_i$, denoted as $d_i$, and a delegation for the set $\{P_1, P_2, \ldots, P_n\}$, denoted as D, where $d_i = g^{z_i} \bmod p$ and $D = \prod_{i=1}^{n} d_i^{d_i} \bmod p$. Then, $U_0$ computes a proxy key for each $P_i$ in the form of

$$k_i = z_i \cdot d_i + x_0 \cdot D \cdot n^{-1} \bmod q, \tag{1}$$

where $n^{-1}$ is the inverse of n modulo q. Finally, $U_0$ sends $\{k_i, d_i\}$ to $P_i$ via a secure channel and makes D public. Upon receiving $\{k_i, d_i\}$, $P_i$ first gets certificate $Cert(U_0, y_0)$ from the directory, checks its validity, and then verifies the authenticity of $\{k_i, d_i\}$ by testing if

$$g^{k_i} = d_i^{d_i} \cdot y_0^{D \cdot n^{-1}} \pmod p. \tag{2}$$

Multi-proxy signature generation phase: Let M be the message to be signed by all the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$ with the assistance of CLK. First of all, each $P_i$ computes $r_i = g^{w_i} \bmod p$, where $w_i \in Z_q^*$ is randomly chosen, and sends it to the other proxy signers. Upon receiving the $r_i$’s sent from all the other proxy signers, each $P_i$ computes

$$s_i = k_i + w_i \cdot r_i \cdot h(M, R) \bmod q, \tag{3}$$

where $R = \prod_{i=1}^{n} r_i^{r_i} \bmod p$, and sends $\{M, R, r_i, s_i, d_i\}$ to CLK. Here, the 3-tuple $(r_i, s_i, d_i)$ is regarded as $P_i$’s individual proxy signature of M. Thereafter, CLK first gets $Cert(U_0, y_0)$ from the directory and checks its validity, and then verifies the authenticity of $\{M, R, r_i, s_i, d_i\}$ by testing if

$$g^{s_i} = d_i^{d_i} \cdot y_0^{D \cdot n^{-1}} \cdot r_i^{r_i \cdot h(M, R)} \pmod p. \tag{4}$$

When all individual proxy signatures $(r_i, s_i, d_i)$ have been verified successfully, CLK computes the value of S by $S = \sum_{i=1}^{n} s_i \bmod q$ and publishes $(R, S, D)$ as the multi-proxy signature of M for $U_0$.

Multi-proxy signature verification phase: The verifier first gets $Cert(U_0, y_0)$ from the directory and checks its validity, and then verifies the authenticity of $(R, S, D)$ by testing if

$$g^{S} = D \cdot y_0^{D} \cdot R^{h(M, R)} \pmod p. \tag{5}$$

2.2 Proxy-protected Scheme

Similar to the proxy-unprotected scheme described above, the proposed proxy-protected scheme consists of four phases: preparation, proxy key generation, multi-proxy signature generation, and multi-proxy signature verification. The preparation and the proxy key generation phases are the same as those in the proxy-unprotected scheme. Note that in the proxy-protected scheme, each proxy signer uses both his own private key and the proxy key to sign messages for the original signer. Prior to the multi-proxy signature generation phase, the specified proxy signers should register the group public key $Y = \prod_{i=1}^{n} y_i \bmod p$ at SA to obtain a public key certificate $Cert(P, Y)$, where P is the group identity. Thus, any verifier can only use this certified group public key Y to verify the multi-proxy signature cooperatively generated by these proxy signers. Details of the multi-proxy signature generation and the multi-proxy signature verification phases are stated below:

Multi-proxy signature generation phase: Each $P_i$ generates an individual proxy signature $(r_i, s_i, d_i)$ of M just as in the proxy-unprotected scheme, except that $s_i$ is computed as

$$s_i = x_i \cdot D + k_i + w_i \cdot r_i \cdot h(M, R) \bmod q. \tag{3*}$$

Consequently, the equation for verifying $(r_i, s_i, d_i)$ by CLK is changed to:

$$g^{s_i} = y_i^{D} \cdot d_i^{d_i} \cdot y_0^{D \cdot n^{-1}} \cdot r_i^{r_i \cdot h(M, R)} \pmod p. \tag{4*}$$

When all individual proxy signatures $(r_i, s_i, d_i)$ have been verified successfully, CLK publishes $(R, S, D)$ as the multi-proxy signature of M for $U_0$, where $R = \prod_{i=1}^{n} r_i^{r_i} \bmod p$ and $S = \sum_{i=1}^{n} s_i \bmod q$.

Multi-proxy signature verification phase: The verifier first gets $Cert(P, Y)$ and $Cert(U_0, y_0)$ from the directory and checks their validity, and then verifies the authenticity of $(R, S, D)$ by testing if

$$g^{S} = D \cdot (Y \cdot y_0)^{D} \cdot R^{h(M, R)} \pmod p. \tag{5*}$$

2.3 Correctness of Proposed Schemes

Correctness of the proposed schemes is based on the achievement of the following three requirements: first, any proxy signer can verify the validity of his proxy key issued by the original signer; second, the clerk can verify the individual proxy signatures generated by the specified proxy signers; and third, the verifier can verify the multi-proxy signature cooperatively generated by the specified proxy signers.

Theorem 1: $P_i$’s proxy key $k_i$ and delegation $d_i$ are verified if Eqn. 2 holds.

Proof: Raising both sides of Eqn. 1 to exponents with base g modulo p yields

$$g^{k_i} = g^{z_i \cdot d_i + x_0 \cdot D \cdot n^{-1}} = g^{z_i \cdot d_i} \cdot g^{x_0 \cdot D \cdot n^{-1}} = d_i^{d_i} \cdot y_0^{D \cdot n^{-1}} \pmod p,$$

which implies Eqn. 2. Given $d_i$ and D, computing a $k_i$ that satisfies Eqn. 2 is as hard as the DL problem [1]. Thus, under the DL assumption, $P_i$ can ensure that $k_i$ is verified if the 3-tuple $(k_i, d_i, D)$ passes the equality test by Eqn. 2.

Theorem 2: In the proxy-unprotected scheme, the individual proxy signature $(r_i, s_i, d_i)$ of M for $P_i$ is verified if Eqn. 4 holds.

Proof: Raising both sides of Eqn. 3 to exponents with base g modulo p yields that

$$g^{s_i} = g^{k_i} \cdot g^{w_i \cdot r_i \cdot h(M, R)} = g^{k_i} \cdot r_i^{r_i \cdot h(M, R)}. \tag{6}$$

Substituting Eqn. 2 into Eqn. 6, we obtain Eqn. 4. Given M, R, $d_i$ and D, computing an $r_i$ or $s_i$ that satisfies Eqn. 4 is as hard as the DL problem [1]. Thus, under the DL assumption, the 3-tuple $(r_i, s_i, d_i)$ is verified if it passes the equality test of Eqn. 4.

Corollary 1: In the proxy-protected scheme, the individual proxy signature $(r_i, s_i, d_i)$ of M for $P_i$ is verified if Eqn. 4* holds.

Theorem 3: In the proxy-unprotected scheme, the multi-proxy signature $(R, S, D)$ of M for $U_0$ is verified if Eqn. 5 holds.

Proof: Recall that the values of D, R, and S are obtained by $D = \prod_{i=1}^{n} d_i^{d_i} \bmod p$, $R = \prod_{i=1}^{n} r_i^{r_i} \bmod p$, and $S = \sum_{i=1}^{n} s_i \bmod q$. Multiplying Eqn. 4 (for i = 1, 2, ..., n) leads to Eqn. 5. Given M and D, computing an R or S that satisfies Eqn. 5 is as hard as the DL problem [1]. Under the DL assumption, the 3-tuple (R, S, D) is verified if it passes the equality test of Eqn. 5.

Corollary 2: In the proxy-protected scheme, the multi-proxy signature (R, S, D) of M for $U_0$ is verified if Eqn. 5* holds.
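The checks behind Theorems 1 to 3 and Corollaries 1 and 2 (Eqns. 2, 4/4* and 5/5*) can be exercised end to end. The following Python sketch is an added example, not code from the paper: it runs the proxy-protected scheme with one altered share so that CLK's per-signer test names the signer, and shows that shares built from the proxy keys alone pass Eqn. 5 but not Eqn. 5*. Assumptions: SHA-256 with a simple byte encoding stands in for h, setup() generates a 63-bit demo group in place of SA's parameters, and all function names are illustrative.

```python
import hashlib
import math
import secrets

def is_prime(n):
    """Miller-Rabin; this base set is deterministic for n below 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=62):
    """SA: p = 2q + 1 with p, q prime; g = 4 has order q. Demo size only."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = setup()

def h(M, R):  # SHA-256 and this byte encoding are assumptions, reduced into Z_q
    return int.from_bytes(hashlib.sha256(M + b"|%d" % R).digest(), "big") % Q

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def power_product(vals):
    """prod v^v mod p, the form shared by D and R."""
    return math.prod(pow(v, v, P) for v in vals) % P

def delegate(x0, n):
    """U0, Eqn. 1: returns the public D and the pairs (k_i, d_i)."""
    zs = set()
    while len(zs) < n:  # n distinct z_i in Z_q*
        zs.add(rand_zq())
    ds = [pow(G, z, P) for z in zs]
    D = power_product(ds)
    e = x0 * D * pow(n, -1, Q)
    return D, [((z * d + e) % Q, d) for z, d in zip(zs, ds)]

def key_ok(k, d, D, y0, n):
    """P_i, Eqn. 2."""
    return pow(G, k, P) == pow(d, d, P) * pow(y0, D * pow(n, -1, Q), P) % P

def share(M, R, k, w, r, D, x=0):
    """Eqn. 3; with P_i's private key x it is Eqn. 3*."""
    return (x * D + k + w * r * h(M, R)) % Q

def share_ok(M, R, r, s, d, D, y0, n, y=1):
    """CLK, Eqn. 4; with P_i's public key y it is Eqn. 4*."""
    rhs = pow(y, D, P) * pow(d, d, P) * pow(y0, D * pow(n, -1, Q), P)
    return pow(G, s, P) == rhs * pow(r, r * h(M, R), P) % P

def verify(M, R, S, D, y0, Y=1):
    """Verifier, Eqn. 5; with the group public key Y it is Eqn. 5*."""
    return pow(G, S, P) == D * pow(Y * y0, D, P) * pow(R, h(M, R), P) % P

def run_demo(n=3, M=b"constructed sample message"):
    x0, xs = rand_zq(), [rand_zq() for _ in range(n)]
    y0, ys = pow(G, x0, P), [pow(G, x, P) for x in xs]
    Y = math.prod(ys) % P  # group public key certified by SA
    D, keys = delegate(x0, n)
    ws = [rand_zq() for _ in range(n)]
    rs = [pow(G, w, P) for w in ws]
    R = power_product(rs)
    ss = [share(M, R, k, w, r, D, x) for (k, _), w, r, x in zip(keys, ws, rs, xs)]
    bad = ss[:1] + [(ss[1] + 1) % Q] + ss[2:]  # signer index 1 alters its share
    cheaters = [i for i, s in enumerate(bad)
                if not share_ok(M, R, rs[i], s, keys[i][1], D, y0, n, ys[i])]
    # U0 holds every k_i, so Eqn. 3 shares can be formed without any x_i.
    ws0 = [rand_zq() for _ in range(n)]
    rs0 = [pow(G, w, P) for w in ws0]
    R0 = power_product(rs0)
    S0 = sum(share(M, R0, k, w, r, D) for (k, _), w, r in zip(keys, ws0, rs0)) % Q
    return {
        "keys_ok": all(key_ok(k, d, D, y0, n) for k, d in keys),
        "cheaters": cheaters,
        "protected_ok": verify(M, R, sum(ss) % Q, D, y0, Y),
        "u0_alone_unprotected": verify(M, R0, S0, D, y0),
        "u0_alone_protected": verify(M, R0, S0, D, y0, Y),
    }
```

Calling run_demo() returns the outcome of each check; the last two entries show why the unprotected variant is restricted to an honest original signer.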

3. Achievement of Basic Properties for Partial Delegation

This section shows that both the proposed schemes satisfy the basic properties for partial delegation addressed by Mambo et al. [8-9].

Achievement of unforgeability: To achieve the property of unforgeability, the proposed schemes should withstand attempts at creating a fake but valid multi-proxy signature $(R', S', D)$ for the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$ or at creating a fake but valid individual proxy signature $(r_i', s_i', d_i)$ for a certain proxy signer $P_i$. Under the DL assumption, it is computationally infeasible to create $(r_i', s_i', d_i)$ for $P_i$ that can pass the equality test by Eqn. 4 (or 4*), as shown in Theorem 2 (or Corollary 1). Again, it is computationally infeasible to create $(R', S', D)$ for $\{P_1, P_2, \ldots, P_n\}$ that can pass the equality test by Eqn. 5 (or 5*), as shown in Theorem 3 (or Corollary 2). Recall that each $P_i$ uses his private key $x_i$, together with the proxy key $k_i$, to generate the individual proxy signature in the proxy-protected scheme. However, the private key $x_i$ is protected under the DL assumption and only known to $P_i$. Without knowing $x_i$, the original signer still cannot create a fake but valid $(r_i', s_i', d_i)$ to frame $P_i$. For the same reason, the original signer cannot create a fake but valid $(R', S', D)$ to frame the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$.

Achievement of proxy signer’s deviation: If the proxy signer $P_i$ can create a fake but valid individual proxy signature $(r_i', s_i', d_i)$ not detected as his signature, he should have the ability to compute another proxy key $k_i'$ satisfying Eqn. 2. To achieve this, $P_i$ should first know the original signer’s private key $x_0$. However, $x_0$ is protected under the DL assumption.

Achievement of secret-key’s dependence: From Eqn. 1, it can be seen that all proxy keys $k_i$ for the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$ are generated by using the original signer’s private key $x_0$.

Achievement of verifiability: From Eqns. 4 and 4*, it can be seen that the original signer’s public key $y_0$ is required to verify the individual proxy signature $(r_i, s_i, d_i)$ for each $P_i$. Meanwhile, from Eqns. 5 and 5*, it can be seen that the original signer’s public key $y_0$ is required to verify the multi-proxy signature (R, S, D) for the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$. These two facts imply that the original signer’s private key $x_0$ is implicitly used during the multi-proxy signature generation phase. Thus, it accounts for the agreement of the original signer on the signed message.

Achievement of distinguishability: A publicly verifiable delegation D is required to verify a multi-proxy signature of a given message. No publicly verifiable delegation D is required to verify a normal signature generated by the original signer.

Achievement of identifiability: Except for the original signer, it is computationally infeasible to create a valid delegation $d_i$ for each $P_i$ or a valid delegation D for the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$ under the DL assumption. This implies that D and the $d_i$’s are unique and unforgeable. Through the equality test by Eqns. 4 and 4*, the original signer can determine who has generated the individual proxy signature for the given message.

Achievement of undeniability: If all individual proxy signatures generated by the specified proxy signers are valid, then the corresponding multi-proxy signature constructed by the trusted CLK is valid, too. The equality test by Eqns. 4 and 4* prevents proxy signers from denying that they have signed the given message, since the delegations $d_i$ and D are specified by the original signer in advance.

4. Protection against cheating

Assume that the channels among the specified proxy signers and the original signer are noise-free and tamper-resistant. Here, we discuss two possible ways of cheating against the proposed schemes, and show that the proposed schemes can withstand these attempts. The first concerns cheating plotted by the original signer during the proxy key generation phase, and the second concerns cheating plotted by malicious signer(s) during the multi-proxy signature generation phase.

Cheating by the original signer: Consider the case that the original signer $U_0$ attempts to issue an invalid proxy key $k_i' \neq k_i$ or an invalid delegation $d_i' \neq d_i$ to $P_i$ in the proxy key generation phase. Through the equality test by Eqn. 2, $P_i$ can successfully identify the invalid $k_i'$ or $d_i'$, unless $U_0$ has the ability to solve the DL problem [1].

Cheating by proxy signer(s): Suppose that a malicious proxy signer $P_i$ attempts to generate a fake but valid individual proxy signature $(r_i', s_i', d_i)$ such that he can avoid accountability during the verification of the corresponding multi-proxy signature. This attempt is successful only when $(r_i', s_i', d_i)$ can pass the equality test by Eqn. 4 in the proxy-unprotected scheme or by Eqn. 4* in the proxy-protected scheme. As shown in Theorem 2 and Corollary 1, it is computationally infeasible for $P_i$ to find $r_i'$ and $s_i'$ under the DL assumption. For the same reason, a group of malicious proxy signers cannot succeed in such an attempt.

5. Performance

Performance of the proposed schemes is measured by the time complexity and communication costs required. We also give comparison of the proposed scheme with some well-known t-out-of-n threshold proxy signature schemes (e.g., Kim et al.’s scheme [6] and Sun et al.’s scheme [16]) with t=n. For convenience, the following notations are used:

TH: the time of producing the message digest for the given hash function h
TEa: the time for computing a modular exponentiation with modulo a
TMa: the time for computing a modular multiplication with modulo a
TIa: the time for computing a modular inverse with modulo a
|a|: size (or bit-length) for integer a

Note that the time for computing modular addition/subtraction is ignored regarding performance evaluation of the proposed schemes, since it is negligible to modular multiplication or modular exponentiation with a large modulo. Tables 1 and 2 respectively list the comparison of the proposed schemes with Kim et al.’s scheme [6] and Sun et al.’s scheme [16]. Table 1 shows that both proposed schemes are more efficient than the t-out-of-n threshold proxy signature schemes (with t=n) proposed by Kim et al. and Sun et al. Furthermore, from Table 2, both the proposed schemes require smaller communication costs than these two threshold proxy signature schemes. The overhead inherent in Kim et al.’s and Sun et al.’s threshold proxy signature schemes is caused by the construction of an (n-1)-degree interpolating polynomial for sharing all proxy keys.

Table 1 - Time complexities required for the proposed schemes and other well-known t-out-of-n threshold proxy signature schemes with t=n

Proxy key generation (including proxy key verification)
  By U0:
    Kim et al.’s scheme: (n-1)TEp + TH + (2n²-3n+1)TMq
    Sun et al.’s scheme: TEp + (n-1)TMp + 2TMq + TIq + TH
    Proposed scheme (proxy-unprotected): (n+1)TEp + (2n+2)TMq + TIq
    Proposed scheme (proxy-protected): (n+1)TEp + (2n+2)TMq + TIq
  By each Pi:
    Kim et al.’s scheme: (n+1)TEp + TMp + (n-2)TMq
    Sun et al.’s scheme: (2n+4)TEp + (2n+4)TMp + (2n²-4)TMq + TIp + TIq + TH
    Proposed scheme (proxy-unprotected): 3TEp + TMp + TMq + TIq
    Proposed scheme (proxy-protected): 3TEp + TMp + TMq + TIq

Multi-proxy signature generation (including individual proxy signature verification)
  By each Pi:
    Kim et al.’s scheme†: (3n²+n+2)TEp + ([n² or 5n²]-6n-12)TMp + (3n²-9n+7)TMq + TH + C‡
    Sun et al.’s scheme†: (3n+6)TEp + ([n² or 5n²]+3n+4)TMp + (3n²-2)TMq + TH + C‡
    Proposed scheme (proxy-unprotected): (n+1)TEp + (n-1)TMp + 2TMq + TH
    Proposed scheme (proxy-protected): (n+2)TEp + (n-1)TMp + 3TMq + TH
  By CLK:
    Proposed scheme (proxy-unprotected): 4nTEp + TH + (n+1)TMp + (n+1)TMq + TIq
    Proposed scheme (proxy-protected): 4nTEp + TH + (2n+1)TMp + (n+1)TMq + TIq

Multi-proxy signature verification
    Kim et al.’s scheme: 3TEp + 2TMp + TIp + 2TH
    Sun et al.’s scheme: 4TEp + (n+2)TMp + TMq + 2TH
    Proposed scheme (proxy-unprotected): 3TEp + 2TMp + TH
    Proposed scheme (proxy-protected): 3TEp + 3TMp + TH

† Each Pi acts as the CLK to generate the multi-proxy signature.
‡ C is the time complexity for calculating the constant of an (n-1)-degree Lagrange interpolating polynomial in field Z*p with order q, which roughly requires (2n-3)TMq + (n-1)TIq [7].
In the two TMp terms marked [n² or 5n²], the leading terms are n² and 5n²; the extracted table layout does not preserve which belongs to which scheme.

Table 2 - Communication costs for the proposed schemes and other well-known t-out-of-n threshold proxy signature schemes with t=n

                                   Kim et al.’s scheme     Sun et al.’s scheme     Both proposed schemes
Proxy key generation               2n|p| + n|q|            n²|p| + n²|q|           2n|q|
Multi-proxy signature generation   (n²-1)|p| + n²|q|       n|p| + n²|q|            3n|p| + 2n|q|

6. Conclusions

We have presented two multi-proxy signature schemes for partial delegation. We have also shown that both the proposed schemes achieve the basic requirements for partial delegation addressed by Mambo et al. Furthermore, they are more efficient with respect to the required time complexities and communication costs, as compared with previously proposed t-out-of-n threshold proxy signature schemes with t = n. Our proposed proxy-unprotected scheme is only applicable to the case that the original signer is honest, although it is more efficient than the proxy-protected one. Our proposed proxy-protected scheme also has the ability to prevent cheating attempts plotted by the original signer or by malicious proxy signer(s), and is thus more secure than the proxy-unprotected one in practice.

References

[1] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms”, IEEE Trans. Information Theory, IT-31(4), 1985, pp. 469-472.

[2] C.L. Hsu, T.S. Wu, and T.C. Wu, “New nonrepudiable threshold proxy signature scheme with known signers”, The Journal Systems and Software, 58(2), 2001, pp. 119-124.

[3] S.J. Hwang, and C.H. Shi, “A simple multi-proxy signature scheme”, Proc. Tenth National Conf. Inf. Security, Taiwan, 2000, pp. 134-138.

[4] IETF RFC 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, 1999.

[5] ITU-T, Recommendation X.509, Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, 1997.

[6] S. Kim, S. Park, and D. Won, “Proxy signatures, Revised”, Proc. 1997 International Conference on Information and Communications Security, Beijing, China, 1997, pp. 223-232.

[7] D.E. Knuth, The Art of Computer Programming: Volume 2, Seminumerical Algorithms, second ed., Addison-Wesley, 1981.

[8] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: Delegation of the power to sign messages”, IEICE Trans. Fundamentals, E97-A(9), 1996, pp. 1338-1353.

[9] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures for delegating signing operation”, Proc. Third ACM Conf. Computer and Comm. Security, ACM press, 1996, pp. 48-57.

[10] National Research Council, Computers at Risk: Safe Computing in the Information Age, Computer Science and Telecommunication Board, National Academy Press, Washington DC, 1991.

[11] W.B. Lee, and C.C. Chang, “Efficient proxy-protected proxy signature scheme based on discrete logarithm”, Proc. Tenth National Conf. Inf. Security, Taiwan, 2000, pp. 4-7.

[12] T. Okamoto, “Provably secure and practical identification schemes and corresponding signature schemes”, Advances in Cryptology – CRYPTO’92, Springer-Verlag, 1983, pp. 31-53.

[13] C.P. Schnorr, “Efficient signature generation by smart cards”, Journal of Cryptology, 4(3), 1991, pp. 161-174.

[15] H.M. Sun, “An efficient nonrepudiable threshold proxy signature scheme with known signers”, Computer Communications, 22(8), 1999, pp. 717-722.

[16] H.M. Sun, N.Y. Lee, and T. Hwang, “Threshold proxy signatures”, IEE Proc. Computers & Digital Techniques, 146(5), 1999, pp. 259-263.

[17] K. Zhang, “Threshold proxy signature schemes”, Proc. 1997 Information Security Workshop, Japan, 1997, pp. 191-197.

the proxy signature and the warrant. ABSTRACT The authors propose two multi-proxy signature schemes for partial delegation, in which the original signer can delegate his signing power to a set of proxy signers. One of the proposed schemes is designated on the proxyunprotected approach and the other is on the proxyprotected approach. Both proposed schemes satisfy the basic properties for partial delegation addressed by Mambo, Usuda, and Okamoto. The proxy-unprotected scheme is only applicable to the case that the original signer is honest, and however it is more efficient than the proxy-protected one. The proxy-protected scheme also has the ability to prevent attempts from cheating plotted by the original signer or by malicious proxy signer(s).

In 1996, Mambo, Usuda and Okamoto first addressed the basic properties that a proxy signature scheme for partial delegation should satisfy, and defined them as follows [8-9]: Unforgeability: Only the delegated proxy signer(s) can generate the proxy signature for a given message on behalf of the original signer. Proxy signer’s deviation: A proxy signer cannot generate a valid proxy signature not detected as his signature. Secret key’s dependence: A proxy signer’s proxy key should always be generated from the original signer’s private key.

KEY WORDS Digital signature, Proxy signature, Multi-proxy signature.

Verifiability: From the proxy signature, a verifier can be convinced of the original signer’s agreement on the signed message.

1.

Distinguishability: Valid proxy signatures generated by the proxy signer are distinguishable from valid normal signatures generated by the original signer.

Introduction

A proxy signature scheme is a variation of well-known normal signature schemes, in which an original signer can delegate his signing power to another signer, called the proxy signer, for signing messages [8-9]. The signature generated by the proxy signer is called the proxy signature for the original signer. There are three different types for delegation: full delegation, partial delegation, and delegation by warrant. In the case of full delegation, the proxy signer is given a proxy key the same as the original signer’s private key. This implies that the proxy signer can act exactly as the original signer in signing any message, which makes it impossible to distinguish a normal signature from a proxy signature. In the case of partial delegation, the proxy signer is given a proxy key generated from the original signer’s private key. However, the proxy signer cannot derive the original signer’s private key from the proxy key. As to the case of delegation by warrant, the original signer signs a warrant that certifies the legitimacy of the proxy signer. Note that in both approaches of partial delegation and delegation by warrant, a proxy signature is differentiated from a normal signature in terms of its representation. Usually, partial delegation is more efficient than delegation by warrant, because the latter approach requires verification of both

Identifiability: The original signer can identify the proxy signer corresponding to a proxy signature from that signature. Undeniability: A proxy signer cannot disavow a proxy signature generated by him. Mambo et al. [8-9] also proposed three proxy signature schemes for partial delegation based on ElGamal’s signature scheme [1], Schnorr’s signature scheme [13], and Okamoto’s signature scheme [12], respectively. Since then, several proxy signature schemes or their variations have been developed [2-3, 6, 11, 15-17]. One well-known variation of the proxy signature scheme is the so-called threshold proxy signature scheme, such as the schemes proposed in [2, 15-17], in which the original signer can delegate his signing power to a set of proxy signers. Threshold proxy signature schemes were investigated more closely because they earn specific contribution to authorization sharing, fault tolerance, and separation of duty [10]. In some practical applications, the original signer may delegate his signing power to all of the specified proxy

signers while ensuring individual accountability to each participant signer. The proxy signature scheme achieves such purpose is called the multi-proxy signature scheme. The signature generated by the specified proxy signers is called the multi-proxy signature for the original signer. Note that the multi-proxy signature scheme is the special case of the t-out-of-n threshold proxy signature scheme with t=n. As one can see, using a general case solution to resolve the special case problem usually requires extra computational overheads. Therefore, it is worthwhile to design a new scheme, instead of directly adopting the threshold proxy signature scheme, for generating a multi-proxy signature in an efficient way. Based on the intractability of the discrete logarithm (DL) problem [1], we will propose two multi-proxy signature schemes for partial delegation, one is designated on the proxy-unprotected approach and the other is on the proxy-protected approach. Both proposed schemes satisfy the basic properties for partial delegation addressed by Mambo et al. [8-9]. In the proxyunprotected scheme, the proxy signer uses only the proxy key, which is given by the original signer, to sign messages. Hence, this scheme is only applicable to the case that the original signer is honest. In the proxyprotected scheme, the proxy signer uses both the proxy key and his own private to sign messages. Therefore, this scheme has the ability to prevent attempts from cheating plotted by the original signer or by malicious proxy signer(s). However, the proxy-unprotected scheme is more efficient than the proxy-protected one in practice.

2. Proposed Schemes

The proposed schemes involve four roles: the system authority SA, the original signer $U_0$, a set of proxy signers $\{P_1, P_2, \ldots, P_n\}$ (for some constant n) delegated by $U_0$, and a clerk CLK trusted by the proxy signers. SA defines the necessary parameters for setting up the system and issues public key certificates for $U_0$ and all $P_i$'s. CLK is responsible for authenticating the individual proxy signature generated by each $P_i$, and for constructing a multi-proxy signature for the message being signed. Note that no secret information is associated with CLK.

2.1 Proxy-unprotected Scheme

The proposed proxy-unprotected scheme consists of four phases: preparation, proxy key generation, multi-proxy signature generation, and multi-proxy signature verification. Details of these phases are stated below:

Preparation phase: Initially, SA defines the following parameters for system setup: two large primes p and q, such that $q \mid p - 1$, a generator g modulo p with order q, and a one-way hash function h that accepts a variable-length input but produces a fixed-length output. All parameters defined by SA are made public. After that, the original signer $U_0$ and each of the proxy signers $P_i$ (for i = 1, 2, ..., n) prepare a private/public key pair and register it at SA. Let $(x_0, y_0)$ and $Cert(U_0, y_0)$ be the private/public key pair and the public key certificate for $U_0$, and $(x_i, y_i)$ and $Cert(P_i, y_i)$ be the private/public key pair and the public key certificate for $P_i$, where $y_0 = g^{x_0} \bmod p$, $y_i = g^{x_i} \bmod p$, and the public key certificate could be generated by following the specification defined by X.509 and put on the system's public key directory [4-5]. Notice that a valid public key certificate $Cert(P_i, y_i)$ implies the legitimacy of $P_i$'s public key $y_i$ as well as the fact that $P_i$ knows the discrete logarithm of $y_i$, i.e., the private key $x_i$, with base g modulo p.

Proxy key generation phase: First of all, $U_0$ randomly selects n distinct integers $z_i \in Z_q^*$ (for i = 1, 2, ..., n), and computes a delegation for each $P_i$, denoted as $d_i$, and a delegation for the set $\{P_1, P_2, \ldots, P_n\}$, denoted as D, where $d_i = g^{z_i} \bmod p$ and $D = \prod_{i=1}^{n} d_i^{d_i} \bmod p$. Then, $U_0$ computes a proxy key for each $P_i$ in the form of

$$k_i = z_i \cdot d_i + x_0 \cdot D \cdot n^{-1} \bmod q, \tag{1}$$

where $n^{-1}$ is the inverse of n modulo q. Finally, $U_0$ sends $\{k_i, d_i\}$ to $P_i$ via a secure channel and makes D public. Upon receiving $\{k_i, d_i\}$, $P_i$ first gets certificate $Cert(U_0, y_0)$ from the directory, checks its validity, and then verifies the authenticity of $\{k_i, d_i\}$ by testing if

$$g^{k_i} = d_i^{d_i} \cdot y_0^{D \cdot n^{-1}} \pmod p. \tag{2}$$

Multi-proxy signature generation phase: Let M be the message to be signed by all the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$ with the assistance of CLK. First of all, each $P_i$ computes $r_i = g^{w_i} \bmod p$, where $w_i \in Z_q^*$ is randomly chosen, and sends it to the other proxy signers. Upon receiving the $r_i$'s sent from all the other proxy signers, each $P_i$ computes

$$s_i = k_i + w_i \cdot r_i \cdot h(M, R) \bmod q, \tag{3}$$

where $R = \prod_{i=1}^{n} r_i^{r_i} \bmod p$, and sends $\{M, R, r_i, s_i, d_i\}$ to CLK. Here, the 3-tuple $(r_i, s_i, d_i)$ is regarded as $P_i$'s individual proxy signature of M. Thereafter, CLK first gets $Cert(U_0, y_0)$ from the directory and checks its validity, and then verifies the authenticity of $\{M, R, r_i, s_i, d_i\}$ by testing if

$$g^{s_i} = d_i^{d_i} \cdot y_0^{D \cdot n^{-1}} \cdot r_i^{r_i \cdot h(M, R)} \pmod p. \tag{4}$$

When all individual proxy signatures $(r_i, s_i, d_i)$ have been verified successfully, CLK computes the value of S by $S = \sum_{i=1}^{n} s_i \bmod q$ and publishes $(R, S, D)$ as the multi-proxy signature of M for $U_0$.

Multi-proxy signature verification phase: The verifier first gets $Cert(U_0, y_0)$ from the directory and checks its validity, and then verifies the authenticity of $(R, S, D)$ by testing if

$$g^{S} = D \cdot y_0^{D} \cdot R^{h(M, R)} \pmod p. \tag{5}$$

2.2 Proxy-protected Scheme

Similar to the proxy-unprotected scheme described above, the proposed proxy-protected scheme consists of four phases: preparation, proxy key generation, multi-proxy signature generation, and multi-proxy signature verification. The preparation and the proxy key generation phases are the same as those in the proxy-unprotected scheme. Note that in the proxy-protected scheme, each proxy signer uses both his own private key and the proxy key to sign messages for the original signer. Prior to the multi-proxy signature generation phase, the specified proxy signers should register the group public key $Y = \prod_{i=1}^{n} y_i \bmod p$ at SA to obtain a public key certificate $Cert(P, Y)$, where $P$ is the group identity. Thus, any verifier can only use this certified group public key Y to verify the multi-proxy signature cooperatively generated by these proxy signers. Details of the multi-proxy signature generation and the multi-proxy signature verification phases are stated below:

Multi-proxy signature generation phase: Each $P_i$ generates an individual proxy signature $(r_i, s_i, d_i)$ of M just as in the proxy-unprotected scheme, except that $s_i$ is computed as

$$s_i = x_i \cdot D + k_i + w_i \cdot r_i \cdot h(M, R) \bmod q. \tag{3*}$$

Consequently, the equation for verifying $(r_i, s_i, d_i)$ by CLK is changed to:

$$g^{s_i} = y_i^{D} \cdot d_i^{d_i} \cdot y_0^{D \cdot n^{-1}} \cdot r_i^{r_i \cdot h(M, R)} \pmod p. \tag{4*}$$

When all individual proxy signatures $(r_i, s_i, d_i)$ have been verified successfully, CLK publishes $(R, S, D)$ as the multi-proxy signature of M for $U_0$, where $R = \prod_{i=1}^{n} r_i^{r_i} \bmod p$ and $S = \sum_{i=1}^{n} s_i \bmod q$.

Multi-proxy signature verification phase: The verifier first gets $Cert(P, Y)$ and $Cert(U_0, y_0)$ from the directory and checks their validity, and then verifies the authenticity of $(R, S, D)$ by testing if

$$g^{S} = D \cdot (Y \cdot y_0)^{D} \cdot R^{h(M, R)} \pmod p. \tag{5*}$$

2.3 Correctness of Proposed Schemes

Correctness of the proposed schemes is based on the achievement of the following three requirements: first, any proxy signer can verify the validity of his proxy key issued by the original signer; second, the clerk can verify the individual proxy signatures generated by the specified proxy signers; and third, the verifier can verify the multi-proxy signature cooperatively generated by the specified proxy signers.

Theorem 1: $P_i$'s proxy key $k_i$ and delegation $d_i$ are verified if Eqn. 2 holds.

Proof: Raising both sides of Eqn. 1 to exponents with base g modulo p yields

$$g^{k_i} = g^{z_i \cdot d_i + x_0 \cdot D \cdot n^{-1}} = g^{z_i \cdot d_i} \cdot g^{x_0 \cdot D \cdot n^{-1}} = d_i^{d_i} \cdot y_0^{D \cdot n^{-1}} \pmod p,$$

which implies Eqn. 2. Given $d_i$ and D, computing $k_i$ so as to satisfy Eqn. 2 is infeasible owing to the intractability of the DL problem [1]. Thus, under the DL assumption, $P_i$ can ensure that $k_i$ is verified if the 3-tuple $(k_i, d_i, D)$ passes the equality test by Eqn. 2.

Theorem 2: In the proxy-unprotected scheme, the individual proxy signature $(r_i, s_i, d_i)$ of M for $P_i$ is verified if Eqn. 4 holds.

Proof: Raising both sides of Eqn. 3 to exponents with base g modulo p yields

$$g^{s_i} = g^{k_i} \cdot g^{w_i \cdot r_i \cdot h(M, R)} = g^{k_i} \cdot r_i^{r_i \cdot h(M, R)}. \tag{6}$$

Substituting Eqn. 2 into Eqn. 6, we obtain Eqn. 4. Given M, R, $d_i$ and D, computing $r_i$ or $s_i$ so as to satisfy Eqn. 4 is infeasible owing to the intractability of the DL problem [1]. Thus, under the DL assumption, the 3-tuple $(r_i, s_i, d_i)$ is verified if it passes the equality test of Eqn. 4.

Corollary 1: In the proxy-protected scheme, the individual proxy signature $(r_i, s_i, d_i)$ of M for $P_i$ is verified if Eqn. 4* holds.

Theorem 3: In the proxy-unprotected scheme, the multi-proxy signature $(R, S, D)$ of M for $U_0$ is verified if Eqn. 5 holds.

Proof: Recall that the values of D, R, and S are obtained by $D = \prod_{i=1}^{n} d_i^{d_i} \bmod p$, $R = \prod_{i=1}^{n} r_i^{r_i} \bmod p$, and $S = \sum_{i=1}^{n} s_i \bmod q$. Multiplying Eqn. 4 (for i = 1, 2, ..., n) leads to Eqn. 5. Given M and D, computing R or S so as to satisfy Eqn. 5 is infeasible owing to the intractability of the DL problem [1]. Under the DL assumption, the 3-tuple $(R, S, D)$ is verified if it passes the equality test of Eqn. 5.

Corollary 2: In the proxy-protected scheme, the multi-proxy signature $(R, S, D)$ of M for $U_0$ is verified if Eqn. 5* holds.
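The multiplication step in the proof of Theorem 3, written out as an added derivation that is not part of the original paper. Multiplying the left-hand sides of Eqn. 4 for i = 1, 2, ..., n gives

$$\prod_{i=1}^{n} g^{s_i} = g^{\sum_{i=1}^{n} s_i} = g^{S} \pmod p,$$

because g has order q and $S = \sum_{i=1}^{n} s_i \bmod q$. Multiplying the right-hand sides gives

$$\prod_{i=1}^{n} \left( d_i^{d_i} \cdot y_0^{D \cdot n^{-1}} \cdot r_i^{r_i \cdot h(M, R)} \right) = \left( \prod_{i=1}^{n} d_i^{d_i} \right) \cdot y_0^{D \cdot n^{-1} \cdot n} \cdot \left( \prod_{i=1}^{n} r_i^{r_i} \right)^{h(M, R)} = D \cdot y_0^{D} \cdot R^{h(M, R)} \pmod p,$$

where $n^{-1} \cdot n \equiv 1 \pmod q$ and $y_0$ lies in the order-q subgroup generated by g. In the proxy-protected scheme each right-hand side of Eqn. 4* carries the extra factor $y_i^{D}$, and $\prod_{i=1}^{n} y_i^{D} = Y^{D} \pmod p$, which turns $y_0^{D}$ into $(Y \cdot y_0)^{D}$ as in Eqn. 5*.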

3. Achievement of Basic Properties for Partial Delegation

This section shows that both the proposed schemes satisfy the basic properties for partial delegation addressed by Mambo et al. [8-9].

Achievement of unforgeability – To achieve the property of unforgeability, the proposed schemes should withstand attempts at creating a fake but valid multi-proxy signature $(R', S', D)$ for the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$ or at creating a fake but valid individual proxy signature $(r_i', s_i', d_i)$ for a certain proxy signer $P_i$. Under the DL assumption, it is computationally infeasible to create $(r_i', s_i', d_i)$ for $P_i$ that can pass the equality test by Eqn. 4 (or 4*), as shown in Theorem 2 (or Corollary 1). Again, it is computationally infeasible to create $(R', S', D)$ for $\{P_1, P_2, \ldots, P_n\}$ that can pass the equality test by Eqn. 5 (or 5*), as shown in Theorem 3 (or Corollary 2). Recall that each $P_i$ uses his private key $x_i$, together with the proxy key $k_i$, to generate the individual proxy signature in the proxy-protected scheme. However, the private key $x_i$ is protected under the DL assumption and only known to $P_i$. Without knowing $x_i$, the original signer still cannot create a fake but valid $(r_i', s_i', d_i)$ to frame $P_i$. For the same reason, the original signer cannot create a fake but valid $(R', S', D)$ to frame the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$.

Achievement of proxy signer's deviation – If the proxy signer $P_i$ can create a fake but valid individual proxy signature $(r_i', s_i', d_i)$ not detected as his signature, he should have the ability to compute another proxy key $k_i'$ satisfying Eqn. 2. To achieve this, $P_i$ should first know the original signer's private key $x_0$. However, $x_0$ is protected under the DL assumption.

Achievement of secret-key's dependence – From Eqn. 1, it can be seen that all proxy keys $k_i$ for the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$ are generated by using the original signer's private key $x_0$.

Achievement of verifiability – From Eqns. 4 and 4*, it can be seen that the original signer's public key $y_0$ is required to verify the individual proxy signature $(r_i, s_i, d_i)$ for each $P_i$. Meanwhile, from Eqns. 5 and 5*, it can be seen that the original signer's public key $y_0$ is required to verify the multi-proxy signature $(R, S, D)$ for the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$. These two facts imply that the original signer's private key $x_0$ is implicitly used during the multi-proxy signature generation phase. Thus, it accounts for the agreement of the original signer on the signed message.

Achievement of distinguishability – A publicly verifiable delegation D is required to verify a multi-proxy signature of a given message. No publicly verifiable delegation D is required to verify a normal signature generated by the original signer.

Achievement of identifiability – Except for the original signer, it is computationally infeasible to create a valid delegation $d_i$ for each $P_i$ or a valid delegation D for the specified proxy signers $\{P_1, P_2, \ldots, P_n\}$ under the DL assumption. This implies that D and the $d_i$'s are unique and unforgeable. Through the equality test by Eqns. 4 and 4*, the original signer can be assured of who has generated the individual proxy signature for the given message.

Achievement of undeniability – If all individual proxy signatures generated by the specified proxy signers are valid, then the corresponding multi-proxy signature constructed by the trusted CLK is valid, too. The equality test by Eqns. 4 and 4* prevents proxy signers from denying that they have signed the given message, since the delegations $d_i$ and D are specified by the original signer in advance.

4. Protection against cheating

Assume that the channels among the specified proxy signers and the original signer are noise-free and tamper-resistant. Here, we discuss two possible ways of cheating against the proposed schemes, and show that the proposed schemes can withstand these attempts. The first way concerns cheating plotted by the original signer during the proxy key generation phase, and the second way concerns cheating plotted by malicious signer(s) during the multi-proxy signature generation phase.

Cheating by the original signer – Consider the case that the original signer $U_0$ attempts to issue an invalid proxy key $k_i' \neq k_i$ or an invalid delegation $d_i' \neq d_i$ to $P_i$ in the proxy key generation phase. Through the equality test by Eqn. 2, $P_i$ can successfully identify the invalid $k_i'$ or $d_i'$, unless $U_0$ has the ability to solve the DL problem [1].

Cheating by proxy signer(s) – Suppose that a malicious proxy signer $P_i$ attempts to generate a fake but valid individual proxy signature $(r_i', s_i', d_i)$ such that he can avoid accountability during the verification of the corresponding multi-proxy signature. This attempt is successful only when $(r_i', s_i', d_i)$ can pass the equality test by Eqn. 4 in the proxy-unprotected scheme or by Eqn. 4* in the proxy-protected scheme. As shown in Theorem 2 and Corollary 1, it is computationally infeasible for $P_i$ to find $r_i'$ and $s_i'$ under the DL assumption. For the same reason, a group of malicious proxy signers cannot mount such an attempt either.
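The checks of Sections 2 and 4, as an added Python example that is not code from the paper: it implements Eqns. 1 to 5 (and their starred variants) over constructed toy parameters and runs a signing session in which CLK's Eqn. 4/4* test pinpoints the proxy signer whose $s_i$ was altered. The SHA-256 instantiation of h, the function names, the toy primes p = 2267 and q = 103, and the "+1" fault are assumptions made for the illustration.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: q | p - 1, g has order q.
P, Q = 2267, 103
G = pow(2, (P - 1) // Q, P)

def h(msg, R):
    """Assumed instantiation of h(M, R): SHA-256 over M || R, reduced mod q."""
    data = msg + R.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1         # x in [1, q-1]
    return x, pow(G, x, P)

def prod_self_powers(values):
    """Computes prod v^v mod p, the form shared by D and R."""
    out = 1
    for v in values:
        out = out * pow(v, v, P) % P
    return out

def delegate(x0, n):
    """U0, Eqn. 1: returns the public D and each signer's (k_i, d_i)."""
    zs = secrets.SystemRandom().sample(range(1, Q), n)   # n distinct z_i
    ds = [pow(G, z, P) for z in zs]
    D = prod_self_powers(ds)
    n_inv = pow(n, -1, Q)
    return D, [((z * d + x0 * D * n_inv) % Q, d) for z, d in zip(zs, ds)]

def check_proxy_key(k, d, D, y0, n):
    """P_i, Eqn. 2: rejects a proxy key that U0 (or anyone) has altered."""
    return pow(G, k, P) == pow(d, d, P) * pow(y0, D * pow(n, -1, Q), P) % P

def sign_individual(msg, R, k, w, r, D, x=0):
    """Eqn. 3 when x = 0, Eqn. 3* when x is the signer's own private key."""
    return (x * D + k + w * r * h(msg, R)) % Q

def clerk_check(msg, R, r, s, d, D, y0, n, y=1):
    """CLK, Eqn. 4 when y = 1, Eqn. 4* when y is the signer's public key."""
    rhs = pow(y, D, P) * pow(d, d, P) * pow(y0, D * pow(n, -1, Q), P)
    return pow(G, s, P) == rhs * pow(r, r * h(msg, R), P) % P

def verify(msg, R, S, D, y0, Y=1):
    """Verifier, Eqn. 5 when Y = 1, Eqn. 5* when Y is the group public key."""
    return pow(G, S, P) == D * pow(Y * y0, D, P) * pow(R, h(msg, R), P) % P

def run_session(n=3, protected=True, cheater=None, msg=b"constructed message"):
    """One session; returns (signer indices CLK rejected, final verification result)."""
    x0, y0 = keygen()
    signers = [keygen() if protected else (0, 1) for _ in range(n)]
    D, shares = delegate(x0, n)
    assert all(check_proxy_key(k, d, D, y0, n) for k, d in shares)
    commits = [keygen() for _ in range(n)]   # (w_i, r_i) has the same form as a key pair
    R = prod_self_powers(r for _, r in commits)
    rejected, S, Y = [], 0, 1
    for i, ((x, y), (k, d), (w, r)) in enumerate(zip(signers, shares, commits)):
        s = sign_individual(msg, R, k, w, r, D, x)
        s = (s + 1) % Q if i == cheater else s   # constructed fault in s_i
        if not clerk_check(msg, R, r, s, d, D, y0, n, y):
            rejected.append(i)
        S, Y = (S + s) % Q, Y * y % P
    return rejected, verify(msg, R, S, D, y0, Y)
```

`run_session(cheater=1)` returns `([1], False)`: CLK names signer index 1, and the aggregate would also fail Eqn. 5* if it were published anyway.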

5. Performance

Performance of the proposed schemes is measured by the time complexity and communication costs required. We also give a comparison of the proposed schemes with some well-known t-out-of-n threshold proxy signature schemes (e.g., Kim et al.'s scheme [6] and Sun et al.'s scheme [16]) with t=n. For convenience, the following notations are used:

TH: the time of producing the message digest for the given hash function h
TEa: the time for computing a modular exponentiation with modulo a
TMa: the time for computing a modular multiplication with modulo a
TIa: the time for computing a modular inverse with modulo a
|a|: size (or bit-length) for integer a

Note that the time for computing modular addition/subtraction is ignored regarding performance evaluation of the proposed schemes, since it is negligible compared to modular multiplication or modular exponentiation with a large modulo. Tables 1 and 2 respectively list the comparison of the proposed schemes with Kim et al.'s scheme [6] and Sun et al.'s scheme [16]. Table 1 shows that both proposed schemes are more efficient than the t-out-of-n threshold proxy signature schemes (with t=n) proposed by Kim et al. and Sun et al. Furthermore, from Table 2, both the proposed schemes require smaller communication costs than these two threshold proxy signature schemes. The overhead inherent in Kim et al.'s and Sun et al.'s threshold proxy signature schemes is caused by the construction of an (n-1)-degree interpolating polynomial for sharing all proxy keys.

Table 1 - Time complexities required for the proposed schemes and other well-known t-out-of-n threshold proxy signature schemes with t=n

| Phase | Performed by | Kim et al.'s scheme | Sun et al.'s scheme | Proposed scheme (proxy-unprotected) | Proposed scheme (proxy-protected) |
|---|---|---|---|---|---|
| Proxy key generation (including proxy key verification) | U0 | (n-1)TEp + TH + (2n²-3n+1)TMq | TEp + (n-1)TMp + 2TMq + TIq + TH | (n+1)TEp + (2n+2)TMq + TIq | (n+1)TEp + (2n+2)TMq + TIq |
| Proxy key generation (including proxy key verification) | each Pi | (n+1)TEp + TMp + (n-2)TMq | (2n+4)TEp + (2n+4)TMp + (2n²-4)TMq + TIp + TIq + TH | 3TEp + TMp + TMq + TIq | 3TEp + TMp + TMq + TIq |
| Multi-proxy signature generation (including individual proxy signature verification) | each Pi († for Kim et al. and Sun et al.) | (3n²+n+2)TEp + (…n²-6n-12)TMp + (3n²-9n+7)TMq + TH + C‡ | (3n+6)TEp + (…n²+3n+4)TMp + (3n²-2)TMq + TH + C‡ | (n+1)TEp + (n-1)TMp + 2TMq + TH | (n+2)TEp + (n-1)TMp + 3TMq + TH |
| Multi-proxy signature generation (including individual proxy signature verification) | CLK | | | 4nTEp + TH + (n+1)TMp + (n+1)TMq + TIq | 4nTEp + TH + (2n+1)TMp + (n+1)TMq + TIq |
| Multi-proxy signature verification | verifier | 3TEp + 2TMp + TIp + 2TH | 4TEp + (n+2)TMp + TMq + 2TH | 3TEp + 2TMp + TH | 3TEp + 3TMp + TH |

† Each Pi acts as the CLK to generate the multi-proxy signature.
‡ C is the time complexity for calculating the constant of an (n-1)-degree Lagrange interpolating polynomial in field $Z_p^*$ with order q, which roughly requires (2n-3)TMq + (n-1)TIq [7].

Table 2 - Communication costs for the proposed schemes and other well-known t-out-of-n threshold proxy signature schemes with t=n

| Phase | Kim et al.'s scheme | Sun et al.'s scheme | Both proposed schemes |
|---|---|---|---|
| Proxy key generation | 2n\|p\| + n\|q\| | n²\|p\| + n²\|q\| | 2n\|q\| |
| Multi-proxy signature generation | (n²-1)\|p\| + n²\|q\| | n\|p\| + n²\|q\| | 3n\|p\| + 2n\|q\| |

6. Conclusions

We have presented two multi-proxy signature schemes for partial delegation. We have also shown that both the proposed schemes achieve the basic requirements for partial delegation addressed by Mambo et al. Furthermore, they are more efficient with respect to the required time complexities and communication costs, as compared with previously proposed t-out-of-n threshold proxy signature schemes with t = n. Our proposed proxy-unprotected scheme is only applicable to the case that the original signer is honest, although it is more efficient than the proxy-protected one. Our proposed proxy-protected scheme also has the ability to prevent attempts at cheating plotted by the original signer or by malicious proxy signer(s), and is thus more secure than the proxy-unprotected one in practice.

References

[1] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms”, IEEE Trans. Information Theory, IT-31(4), 1985, pp. 469-472.

[2] C.L. Hsu, T.S. Wu, and T.C. Wu, “New nonrepudiable threshold proxy signature scheme with known signers”, The Journal Systems and Software, 58(2), 2001, pp. 119-124.

[3] S.J. Hwang, and C.H. Shi, “A simple multi-proxy signature scheme”, Proc. Tenth National Conf. Inf. Security, Taiwan, 2000, pp. 134-138.

[4] IETF RFC 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, 1999.

[5] ITU-T, Recommendation X.509, Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, 1997.

[6] S. Kim, S. Park, and D. Won, “Proxy signatures, Revised”, Proc. 1997 International Conference on Information and Communications Security, Beijing, China, 1997, pp. 223-232.

[7] D.E. Knuth, The Art of Computer programming: Volume 2, Seminumerical Algorithms, second ed., Addison-Wesley, 1981.

[8] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: Delegation of the power to sign messages”, IEICE Trans. Fundamentals, E97-A(9), 1996, pp. 1338-1353.

[9] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures for delegating signing operation”, Proc. Third ACM Conf. Computer and Comm. Security, ACM press, 1996, pp. 48-57.

[10] National Research Council, Computers at Risk: Safe Computing in the Information Age, Computer Science and Telecommunication Board, National Academy Press, Washington DC, 1991.

[11] W.B. Lee, and C.C. Chang, “Efficient proxy-protected proxy signature scheme based on discrete logarithm”, Proc. Tenth National Conf. Inf. Security, Taiwan, 2000, pp. 4-7.

[12] T. Okamoto, “Provably secure and practical identification schemes and corresponding signature schemes”, Advances in Cryptology – CRYPTO’92, Springer-Verlag, 1983, pp. 31-53.

[13] C.P. Schnorr, “Efficient signature generation by smart cards”, Journal of Cryptology, 4(3), 1991, pp. 161-174.

[15] H.M. Sun, “An efficient nonrepudiable threshold proxy signature scheme with known signers”, Computer Communications, 22(8), 1999, pp. 717-722.

[16] H.M. Sun, N.Y. Lee, and T. Hwang, “Threshold proxy signatures”, IEE Proc. Computers & Digital Techniques, 146(5), 1999, pp. 259-263.

[17] K. Zhang, “Threshold proxy signature schemes”, Proc. 1997 Information Security Workshop, Japan, 1997, pp. 191-197.