DESIGNATED-VERIFIER PROXY SIGNATURES FOR E-COMMERCE

Guilin Wang
Infocomm Security Department, Institute for Infocomm Research
21 Heng Mui Keng Terrace, Singapore 119613
http://www.i2r.a-star.edu.sg/icsd/staff/guilin/

ABSTRACT

In a designated-verifier proxy signature scheme, a user delegates her/his signing capability to another user in such a way that the latter can sign messages on behalf of the former, but the validity of generated signatures can only be checked by the designated verifier. In this paper, we first point out that one such scheme, proposed recently by Dai et al., is insecure. To overcome the weaknesses in their scheme, we present a new designated-verifier proxy signature scheme, based on the two-party Schnorr signature by Nicolosi et al., which is efficient and secure. Finally, we suggest using our scheme in electronic commerce applications, such as the sale of digital products (digital music, movies, books, etc.).

Keywords: Digital Signature, Proxy Signature, Digital Product, Electronic Commerce, Information Security.

1. INTRODUCTION

In a proxy signature scheme, one user Alice, called the original signer, delegates her signing capability to another user Bob, called the proxy signer. After that, the proxy signer Bob can sign messages on behalf of the original signer Alice. Upon receiving a proxy signature on some message, a verifier can not only validate its correctness by a given verification procedure, but also be convinced of the original signer’s agreement on the signed message. Proxy signature schemes have been suggested for use in a number of applications, including e-cash, electronic commerce, distributed shared object systems, etc. [1, 2, 12].

Mambo, Usuda, and Okamoto first introduced the concept of proxy signatures and proposed several constructions in [7, 8]. Based on the delegation type, they classified proxy signatures as full delegation, partial delegation, and delegation by warrant schemes.
In full delegation, Alice’s private key is given to Bob directly, so Bob has the same signing capability as Alice. For most real-world settings, such schemes are obviously impractical and insecure. In a partial delegation scheme, a proxy signer has a new key, called the proxy private key, which is different from Alice’s private key. So, proxy signatures generated by using the proxy private key are different from Alice’s standard signatures. However, in such schemes the range of messages a proxy signer can sign is not limited. This weakness is eliminated in delegation by warrant schemes by adding a warrant that specifies what kinds of messages are delegated, the identities of Alice and Bob, the delegation period, etc.

According to whether the original signer knows the proxy private key, proxy signatures can be classified into proxy-unprotected and proxy-protected schemes. That is, in a proxy-protected scheme only the proxy signer can generate proxy signatures, while in a proxy-unprotected scheme either the proxy signer or the original signer can generate proxy signatures, since both of them know the proxy private key. In many practical applications, proxy-protected schemes are required to avoid potential disputes between the original signer and the proxy signer. Because they distinguish the rights and responsibilities of both parties clearly, proxy-protected partial delegation by warrant schemes have attracted much more investigation than others. Sometimes, this special type of scheme is referred to simply as a proxy signature scheme.

Following the first constructions given in [7, 8], a number of new schemes and improvements have been proposed [4, 5, 6, 1, 2]; however, most of them do not fully meet the desired security requirements. In [4], Kim, Park and Won introduced the concept of partial delegation by warrant, and proposed a threshold proxy signature, in which the original signer’s signing ability is shared among a delegated group of n proxy signers such that only t or more of them can generate proxy signatures cooperatively.
In [5], Lee, Kim and Kim constructed mobile agents for electronic commerce applications from non-designated proxy signatures, in which a warrant does not specify the identity of a proxy signer, so any possible proxy signer may respond to this delegation and become a proxy signer. In [6], Lee, Cheon, and Kim investigated whether a secure channel for delivery of a signed warrant is necessary in existing schemes. Their result is that if secure channels are not provided, the MUO scheme [7] and the LKK scheme [5] are both insecure. To remove secure channels and overcome some other weaknesses, they proposed new improvements. However, Wang et al. showed that all of the original schemes and improvements proposed in [5, 6] are insecure by demonstrating several attacks [12]. Boldyreva, Palacio, and Warinschi presented the formal definition and security notion for proxy signatures [1], i.e., existential unforgeability against adaptive chosen-message attacks [3]. At the same time, they proposed a provably secure scheme, called the triple Schnorr proxy signature scheme, which can be viewed as a modified version of the KPW scheme [4].

In [2], Dai et al. proposed a designated-verifier proxy signature scheme, in which the validity of proxy signatures can only be checked by the designated verifier. More specifically, in their scheme the original signer Alice nominates a user Cindy as signature receiver when she delegates her signing capability to the proxy signer Bob, so that Bob can generate valid proxy signatures on behalf of Alice but only Cindy can check the validity of such signatures, since Cindy’s secret key is needed in the signature verification procedure. Based on the security requirements for (ordinary) proxy signatures [7, 8, 5], Dai et al. specified that a secure designated-verifier proxy signature scheme should satisfy the following five requirements [2] (footnote 1):

• Verifiability: From the proxy signature, a verifier can be convinced of the original signer’s agreement on the signed message.
• Identifiability: Anyone can determine the identity of the corresponding proxy signer from a proxy signature.
• Unforgeability: Only the designated proxy signer can create a valid proxy signature on behalf of the original signer. In other words, neither the original signer nor any third party who is not designated as a proxy signer can produce a valid proxy signature.
• Restrictive Verifiability: Only the designated verifier nominated by the original signer can check the validity of proxy signatures.
• Undeniability of Nomination: The original signer cannot deny his nomination of the designated receiver.

Footnote 1: Actually, two other requirements are specified in [2], i.e., Undeniability (once a proxy signer creates a proxy signature, he cannot repudiate this fact later) and Unchangeability of Verifier (the proxy signer cannot change the designated verifier on behalf of the original signer). However, those two requirements are omitted here because we notice that they are implied by Unforgeability.

Furthermore, Dai et al. presented a security analysis of their scheme and concluded that it is secure. In this paper, however, we point out that their scheme is in fact not secure by identifying a forgery attack. In this attack, the original signer alone can forge valid proxy signatures to frame the proxy signer. To avoid this attack and other weaknesses in their scheme, we present a new designated-verifier proxy signature scheme, based on the two-party Schnorr signature by Nicolosi et al. [9], which is efficient and secure. Furthermore, we also discuss how to use designated-verifier proxy signatures in electronic commerce applications, such as the sale of digital products (digital music, movies, books, etc.).

The rest of this paper is organized as follows. The DYD scheme [2] is reviewed and analyzed in Sections 2 and 3, respectively. Then, our new scheme is presented in Section 4, while Section 5 discusses applications.

2. REVIEW OF THE DYD SCHEME

System Parameters:

• $p, q$: two large primes such that $q \mid (p - 1)$;
• $g$: a $q$-order generator in $\mathbb{Z}_p^*$;
• $x_A, x_B, x_C$: the private keys of original signer Alice, proxy signer Bob, and designated verifier Cindy, respectively;
• $y_A = g^{x_A} \bmod p$: Alice’s public key;
• $y_B = g^{x_B} \bmod p$: Bob’s public key;
• $y_C = g^{x_C} \bmod p$: Cindy’s public key;
• $H(\cdot)$: a secure hash function.

Delegation Parameter Generation: Original signer Alice selects a random number $k_A \in_R \mathbb{Z}_q^*$, computes a Schnorr signature $(r_A, s_A)$ on message $(M, y_C)$ as in equation (1), and then sends $(M, r_A, s_A, y_C, y_A)$ to proxy signer Bob securely.

$$r_A = g^{k_A} \bmod p, \quad e_A = H(M, y_C, r_A), \quad s_A = k_A + x_A e_A \bmod q. \tag{1}$$

Proxy Key Generation: On receiving $(M, r_A, s_A, y_C, y_A)$, Bob first checks its validity by $g^{s_A} = y_A^{H(M, y_C, r_A)} r_A \bmod p$. If this is true, Bob sets his proxy key pair $(x_P, y_P)$ as follows:

$$x_P = s_A + x_B \bmod q, \quad y_P = g^{x_P} \; (\equiv y_A^{H(M, y_C, r_A)} r_A y_B \bmod p). \tag{2}$$

Proxy Signature Generation: To generate a designated-verifier proxy signature on a message $M$, Bob first selects two random numbers $r, R \in \mathbb{Z}_q^*$, computes $(K, D, e_B, s)$ as in equation (3), and sends $\sigma = (M, r_A, K, D, s, y_A, y_B)$ to the designated verifier Cindy.

$$K = g^{R - r} \bmod p, \quad D = y_C^{R} \bmod p, \quad e_B = H(y_C, K, D, M), \quad s = r - x_P \cdot e_B \bmod q. \tag{3}$$

Proxy Signature Verification: To check the validity of a proxy signature $\sigma$, Cindy first computes $e_A = H(M, y_C, r_A)$ and $e_B = H(y_C, K, D, M)$. Then, she accepts it if and only if the following equality holds:

$$\left( g^{s} \, (y_A^{e_A} r_A y_B)^{e_B} \, K \right)^{x_C} \equiv D \bmod p. \tag{4}$$

3. SECURITY OF THE DYD SCHEME

In [2], the authors presented a detailed security analysis to show that their scheme is secure, i.e., that it satisfies all security requirements listed in Section 1. In particular, Dai et al. concluded that their scheme is unforgeable since the proxy signer Bob’s secret key $x_B$ is needed to generate the proxy private key $x_P$. Therefore, even the original signer Alice cannot forge a valid proxy private key and generate proxy signatures under the name of Bob. However, this is not the case. The reason is that Alice can select a specific $r_A$ to eliminate $x_B$ in the definition of $x_P$. More specifically, we demonstrate the following attack that allows the original signer Alice to forge a proxy key pair $(\bar{x}_P, \bar{y}_P)$:

(1) For any message $M$, select a random number $c$.
(2) Define $\bar{r}_A = g^{c} y_B^{-1} \bmod p$.
(3) Set $\bar{x}_P = c + x_A \cdot H(M, y_C, \bar{r}_A) \bmod q$.
(4) Set $\bar{y}_P = g^{\bar{x}_P} \bmod p$.

It is not difficult to see that the forged pair $(\bar{x}_P, \bar{y}_P)$ is a valid proxy key pair with respect to $\bar{r}_A$, since $\bar{y}_P = g^{\bar{x}_P} = y_A^{H(M, y_C, \bar{r}_A)} \bar{r}_A y_B \bmod p$. Using $(\bar{x}_P, \bar{y}_P, \bar{r}_A)$, Alice can generate a proxy signature on message $M$ as Bob does in proxy signature generation. When such a forged but valid proxy signature is presented, Bob cannot deny that he generated it.

In addition, according to equation (1), the delegation parameters $(M, r_A, s_A, y_C, y_A)$ have no essential relationship with Bob, though they are securely delivered to Bob. So they can be used by anybody, not only proxy signer Bob. That is, Alice or Bob can dishonestly forward them to a third party Even such that Even also becomes a proxy signer by setting his proxy key pair by equation (2).
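The forgery described above can be checked numerically. The following Python code is an added example, not code from the paper: it implements equations (1)-(4) and the four attack steps over a constructed toy group ($p = 2039$, $q = 1019$, $g = 4$, far too small for real use), with SHA-256 standing in for $H$; all function names are assumptions.

```python
import hashlib, secrets

# Constructed toy group (NOT a secure size): p = 2q + 1, g = 4 has order q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash to an exponent in Z_q (SHA-256 stands in for the paper's H)."""
    data = ";".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def dyd_delegate(xA, M, yC):
    """Equation (1): Alice's Schnorr signature (rA, sA) on (M, yC)."""
    kA = secrets.randbelow(Q - 1) + 1
    rA = pow(G, kA, P)
    return rA, (kA + xA * H(M, yC, rA)) % Q

def dyd_sign(xP, M, rA, yC):
    """Equation (3): designated-verifier proxy signature under key xP."""
    r, R = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    K, D = pow(G, (R - r) % Q, P), pow(yC, R, P)
    return rA, K, D, (r - xP * H(yC, K, D, M)) % Q

def dyd_verify(sig, M, yA, yB, yC, xC):
    """Equation (4), evaluated by Cindy with her private key xC."""
    rA, K, D, s = sig
    yP = pow(yA, H(M, yC, rA), P) * rA * yB % P
    lhs = pow(G, s, P) * pow(yP, H(yC, K, D, M), P) * K % P
    return pow(lhs, xC, P) == D

def alice_forges_proxy_key(xA, yB, M, yC):
    """Section 3: with rA = g^c * yB^-1, Bob's key cancels out of yP."""
    c = secrets.randbelow(Q - 1) + 1
    rA_bar = pow(G, c, P) * pow(yB, -1, P) % P
    xP_bar = (c + xA * H(M, yC, rA_bar)) % Q
    return rA_bar, xP_bar

def demo():
    (xA, yA), (xB, yB), (xC, yC) = keygen(), keygen(), keygen()
    M = "receipt: album 17"                       # constructed message
    rA, sA = dyd_delegate(xA, M, yC)
    xP = (sA + xB) % Q                            # equation (2), Bob's honest key
    honest = dyd_sign(xP, M, rA, yC)
    rA_bar, xP_bar = alice_forges_proxy_key(xA, yB, M, yC)   # xB never used
    forged = dyd_sign(xP_bar, M, rA_bar, yC)
    return (dyd_verify(honest, M, yA, yB, yC, xC),
            dyd_verify(forged, M, yA, yB, yC, xC))
```

Both results are true: Cindy's check accepts the signature made with Alice's forged key exactly as it accepts Bob's, and nothing in the transcript distinguishes the two.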
Finally, in the DYD scheme, the same message $M$ is used in delegation parameters and proxy signature generation. This means that for each individual message, Alice has to delegate her signing capability to Bob by generating different delegation parameters. Obviously, such a mechanism is inefficient in practice.

4. OUR NEW SCHEME

To avoid the above shortcomings in the DYD scheme, we propose a new scheme in this section. The basic idea is to use a provably secure two-party Schnorr signature scheme [9] to generate a proxy key pair $(x_P, y_P)$ that satisfies

$$g^{x_P} = y_P = (y_A \cdot y_B)^{H(M_w, r_P)} \cdot r_P \bmod p, \tag{5}$$

where $r_P$ is a public value, and $M_w$ is a warrant, which specifies the delegation period, what kind of message is delegated, the identity information of the original signer and the proxy signer, all potential designated verifiers (e.g. customers), etc. Bob can then use the same proxy signature generation algorithm as [2] to generate a designated-verifier proxy signature on any message $M$ that conforms to the warrant $M_w$. Proxy signatures can be validated in a similar way.

We now describe our scheme in detail. It is assumed that Alice and Bob have agreed on a warrant $M_w$ before generating a proxy key pair. Other system parameters are the same as in [2] (see Section 2).

Proxy Key Generation: To generate a proxy key pair, the original signer Alice and the proxy signer Bob jointly execute the following interactive protocol.

(1) Alice picks a random number $k_A \in_R \mathbb{Z}_q^*$, computes $r_A = g^{k_A} \bmod p$ and $c = H(r_A)$, and then sends $c$ to Bob.
(2) Similarly, Bob chooses a random number $k_B \in_R \mathbb{Z}_q^*$, computes $r_B = g^{k_B} \bmod p$, and replies to Alice with $(c, r_B)$.
(3) When $(c, r_B)$ is received, Alice checks whether $r_B^{q} \equiv 1 \bmod p$. If the validation goes through, she computes $r_P = r_A \cdot r_B \bmod p$ and $s_A = k_A + x_A \cdot H(M_w, r_P) \bmod q$, and sends the pair $(r_A, s_A)$ to Bob.

(4) Upon receiving $(r_A, s_A)$, Bob first computes $r_P = r_A \cdot r_B \bmod p$, and then checks whether $r_A^{q} \equiv 1 \bmod p$, $c \equiv H(r_A)$, and $g^{s_A} \equiv y_A^{H(M_w, r_P)} \cdot r_A \bmod p$. If all validations pass, he calculates $s_B = k_B + x_B \cdot H(M_w, r_P) \bmod q$, and finally sets his proxy key pair $(x_P, y_P)$ by

$$x_P = s_A + s_B \bmod q, \quad \text{and} \quad y_P = g^{x_P} \bmod p.$$
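The message flow of steps (1)-(4), with both parties' checks, can be traced in the following Python code. It is an added example, not code from the paper: it runs over a constructed toy group ($p = 2039$, $q = 1019$, $g = 4$), uses SHA-256 for $H$ and the full digest for the commitment $c$, and the `cheat` parameter and all function names are hypothetical.

```python
import hashlib, secrets

P, Q, G = 2039, 1019, 4   # constructed toy group: p = 2q + 1, g has order q

def digest(*parts):
    return hashlib.sha256(";".join(map(str, parts)).encode()).digest()

def H(*parts):
    """Hash to an exponent in Z_q (SHA-256 stands in for the paper's H)."""
    return int.from_bytes(digest(*parts), "big") % Q

def rnd():
    return secrets.randbelow(Q - 1) + 1

def proxy_keygen(xA, yA, xB, Mw, cheat=None):
    """Steps (1)-(4); returns (rP, xP) or raises ValueError.
    `cheat` is a hypothetical test hook that makes Alice deviate."""
    # (1) Alice -> Bob: c, a commitment to rA (full digest used here)
    kA = rnd()
    rA = pow(G, kA, P)
    c = digest(rA)
    # (2) Bob -> Alice: (c, rB)
    kB = rnd()
    rB = pow(G, kB, P)
    # (3) Alice checks rB^q = 1 mod p, then sends (rA, sA)
    if pow(rB, Q, P) != 1:
        raise ValueError("rB outside the order-q subgroup")
    if cheat == "swap_rA":      # reveal a value other than the committed one
        kA, rA = (kA + 1) % Q, rA * G % P
    rP = rA * rB % P
    e = H(Mw, rP)
    sA = (kA + xA * e) % Q
    if cheat == "bad_sA":       # send a share that does not verify
        sA = (sA + 1) % Q
    # (4) Bob derives the same rP and runs his three checks
    if pow(rA, Q, P) != 1:
        raise ValueError("rA outside the order-q subgroup")
    if digest(rA) != c:
        raise ValueError("rA does not match commitment c")
    if pow(G, sA, P) != pow(yA, e, P) * rA % P:
        raise ValueError("sA is not Alice's Schnorr share")
    sB = (kB + xB * e) % Q
    return rP, (sA + sB) % Q

def satisfies_eq5(rP, xP, yA, yB, Mw):
    """Equation (5): (rP, xP) is a Schnorr signature on Mw under yA*yB."""
    return pow(G, xP, P) == pow(yA * yB % P, H(Mw, rP), P) * rP % P

def outcome(cheat=None):
    xA, xB = rnd(), rnd()
    yA, yB = pow(G, xA, P), pow(G, xB, P)
    Mw = "signer=Alice, proxy=Bob, verifiers=Cindy"   # constructed warrant
    try:
        rP, xP = proxy_keygen(xA, yA, xB, Mw, cheat)
    except ValueError as err:
        return str(err)
    return "ok" if satisfies_eq5(rP, xP, yA, yB, Mw) else "equation (5) fails"
```

An honest run yields a key pair satisfying equation (5); if Alice reveals an $r_A$ other than the one she committed to before seeing $r_B$, or sends an invalid $s_A$, Bob stops before contributing $s_B$.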

It is easy to see that the pair $(x_P, y_P)$ defined above satisfies equation (5), i.e., $(r_P, x_P)$ is a standard Schnorr signature [11] on the warrant $M_w$ with respect to the public key $y_A \cdot y_B$.

Proxy Signature Generation: To generate a designated-verifier proxy signature for Cindy on a message $M$ that conforms to the warrant $M_w$, Bob proceeds as in the DYD scheme. That is, he first selects two random numbers $r, R \in \mathbb{Z}_q^*$, computes $(K, D, s)$ by equation (6), and sends the proxy signature $\sigma = (M, M_w, r_P, K, D, s)$ to the designated verifier Cindy.

$$K = g^{R - r} \bmod p, \quad D = y_C^{R} \bmod p, \quad s = r - x_P \cdot H(M, M_w, y_C, K, D) \bmod q. \tag{6}$$

Proxy Signature Verification: To verify the validity of $\sigma$, the designated verifier Cindy operates as follows:

(1) Check whether the message $M$ conforms to the warrant $M_w$. If not, stop. Otherwise, continue.
(2) Check whether Alice, Bob, and Cindy are specified as the original signer, the proxy signer, and a possible designated verifier, respectively, in the warrant $M_w$.
(3) Recover the proxy public key $y_P = (y_A \cdot y_B)^{H(M_w, r_P)} \cdot r_P \bmod p$.
(4) Accept the proxy signature $\sigma$ if and only if the following equality holds:

$$\left( g^{s} \, y_P^{H(M, M_w, y_C, K, D)} \, K \right)^{x_C} \equiv D \bmod p. \tag{7}$$

Security Discussion: In our scheme, we use Nicolosi et al.’s provably secure two-party Schnorr signature scheme [9] to generate the proxy key pair $(x_P, y_P)$. In their scheme, a two-party Schnorr signature for a message can only be generated by the two related parties jointly. Note that the proxy key pair $(x_P, y_P)$ in our scheme (defined by equation (5)) is exactly Alice and Bob’s valid two-party Schnorr signature on the warrant $M_w$ in Nicolosi et al.’s scheme. Therefore, nobody (including Alice or Bob) can generate a valid proxy key pair independently. At the same time, without a valid proxy key pair, nobody can generate a designated-verifier proxy signature such that equation (7) is satisfied, because the proxy signature generation algorithm is a modified Schnorr scheme, which is also secure. From the above discussion, we conclude that our scheme is unforgeable. Other security requirements are also met in our new scheme, since Dai et al.’s analysis can be adapted easily to our scheme.

5. APPLICATIONS

When a customer Cindy buys a digital product $M$ from an Internet vendor Bob, who sells some digital products (e.g. digital music, movies, books, etc.), she needs a digital receipt from Bob to guarantee the quality, authenticity, and legality of $M$. This is reasonable since Cindy does not completely trust Bob and his goods. Furthermore, Cindy would expect the receipt to be bound not only to the identity of the vendor Bob but also to that of the producer of the goods, say Alice. With such receipts, Cindy will be convinced that the digital product $M$ is produced by Alice and sold by Bob. At the same time, to prevent Cindy from illegally distributing $M$ to others, Alice and Bob want the validity of Cindy’s receipt to be checkable only by Cindy herself. In such situations, designated-verifier proxy signatures, instead of ordinary digital signatures, can be used as such receipts. That is, Alice delegates her signing capability to Bob so that he can generate designated-verifier proxy signatures for all potential customers as digital receipts.

6. REFERENCES

[1] A. Boldyreva, A. Palacio, and B. Warinschi. Secure proxy signature schemes for delegation of signing rights. Available at http://eprint.iacr.org/2003/096
[2] J.-Z. Dai, X.-H. Yang, and J.-X. Dong. Designated-receiver proxy signature scheme for electronic commerce. In: Proc. of IEEE International Conference on Systems, Man and Cybernetics, Vol. 1, pp. 384-389. Oct. 5-8, 2003. IEEE, 2003.
[3] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, April 1988, 17(2): 281-308.
[4] S. Kim, S. Park, and D. Won. Proxy signatures, revisited. In: Information and Communications Security (ICICS’97), LNCS 1334, pp. 223-232. Springer-Verlag, 1997.
[5] B. Lee, H. Kim, and K. Kim. Secure mobile agent using strong non-designated proxy signature. In: Information Security and Privacy (ACISP’01), LNCS 2119, pp. 474-486. Springer-Verlag, 2001.
[6] J.-Y. Lee, J. H. Cheon, and S. Kim. An analysis of proxy signatures: Is a secure channel necessary? In: Topics in Cryptology - CT-RSA 2003, LNCS 2612, pp. 68-79. Springer-Verlag, 2003.
[7] M. Mambo, K. Usuda, and E. Okamoto. Proxy signature: Delegation of the power to sign messages. IEICE Trans. Fundamentals, Sep. 1996, Vol. E79-A, No. 9, pp. 1338-1353.
[8] M. Mambo, K. Usuda, and E. Okamoto. Proxy signatures for delegating signing operation. In: Proc. of 3rd ACM Conference on Computer and Communications Security (CCS’96), pp. 48-57. ACM Press, 1996.
[9] A. Nicolosi, M. Krohn, Y. Dodis, and D. Mazieres. Proactive two-party signatures for user authentication. In: Proc. of 10th Annual Network and Distributed System Security Symposium (NDSS’03). The Internet Society, 2003. http://www.isoc.org/isoc/conferences/ndss/
[10] H.-U. Park and I.-Y. Lee. A digital nominative proxy signature scheme for mobile communications. In: Information and Communications Security (ICICS’01), LNCS 2229, pp. 451-455. Springer-Verlag, 2001.
[11] C. Schnorr. Efficient signature generation by smart cards. Journal of Cryptography, 1991, 4(3): 161-174.
[12] G. Wang, F. Bao, J. Zhou, and R. H. Deng. Security analysis of some proxy signatures. In: Information Security and Cryptology (ICISC’03) (to appear). Preliminary version is available at http://eprint.iacr.org/2003/196.
[13] K. Zhang. Threshold proxy signature schemes. In: Information Security Workshop (ISW’97), LNCS 1396, pp. 282-290. Springer-Verlag, 1997.