Proxy Blind Signature based on ECDLP

(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 6, June2010

Proxy Blind Signature based on ECDLP Asis Kumar Tripathy1, Ipsita Patra2 and Debasish Jena3 1,2

Department of Computer Science and Engineering International Institute of Information Technology, Bhubaneswar 751 013, India 1 [email protected] , [email protected] 3

Center For IT Education Biju Pattanaik University of Technology,Bhubaneswar, India [email protected]

Abstract: Proxy blind signature is the combination of properties and behavior of two most common digital signature schemes i.e. proxy signature and blind signature. In this scheme proxy signer generates the blind signature on behalf of the original signer without knowing the content of the message. Proxy blind signature can be used in various applications such as e-voting, e-payment, mobile agent communication. In this paper cryptanalysis of DLP based proxy blind signature scheme with low computation by Aung et al. has been done. An efficient proxy blind signature scheme based on ECDLP has been proposed. Keywords: proxy signature ,Blind signature,Proxy blind signature,ECDLP.

1 Introduction

1.1 Digital Signature A digital code that can be attached to an electronically transmitted that uniquely identifies the sender. Digital signatures are especially important for electronic commerce and are a key component of most authentication schemes. To be effective, digital signatures must be unforgeable. There are a number of different encryption techniques to guarantee this level of security.

1.2 Proxy signature The proxy signature scheme is a kind of digital signature scheme . In the proxy signature scheme , one user called the original signer ,can delegate his/her signing capability to another user called the proxy signer. This is similar to a person delegating his/her seal to another person in the real world. 1.3 Blind Signature The signer cannot determine which transformed message received for signing corresponds with which digital signature, even though the signer knows that such a correspondence must exist. 1.4 Proxy Blind Signature A proxy blind signature scheme is a digital signature scheme which combines the properties of proxy signature and blind signature schemes. A proxy blind signature scheme is a protocol played by two parties in which a user obtains a proxy signer’s signature for a desired message and the proxy signer learns nothing about the message. With such properties, the proxy blind signature scheme is useful in several applications such as e-voting, e-payment and mobile agent environments. In a proxy blind signature scheme, the proxy signer is allowed to generate a blind signature on behalf of the original signer.

1


1.5 Properties of the Proxy Blind Signature Scheme In addition to the properties of Digital signature and proxy blind signature should satisfy the following properties. 1.Distinguish-ability: The proxy signature must be distinguishable from the normal signature. 2. Non-repudiation: Neither the original signer nor the proxy signer can sign message instead of the other party. Both the original signer and the proxy signer can not deny their signatures against anyone. 3. Unforgeability: Only a designated proxy signer can generate a valid proxy signature for the original signer (even the original signer cannot do it). 4. Verifiability: The receiver of the signature should be able to verify the proxy signature in a similar way to the verification of the original signature. 5. Identifiability: Anyone can determine the identity of the corresponding proxy signer from a proxy signature. 6. Prevention of misuse: It should be confident that proxy key pair should be used only for creating proxy signature, which conforms to delegation information. In case of any misuse of proxy key pair, the responsibility of proxy signer should be determined explicitly. 7. Unlinkability: When the signature is revealed, the proxy signer can not identify the association between the message and the blind signature he generated. When the signature is verified, the signer knows neither the message nor the signature associated with the signature scheme. In this paper, cryptanalysis of Aung et al[12] has been done and an efficient proxy digital signature based on ECDLP has been proposed. The proposed scheme satisfies all the properties of a proxy blind signature scheme. The rest of this paper is organized as follows. In Section 2,some related work are discussed. Overview Of Aung et al.’s DLP Based Proxy Blind Signature scheme with Low Computation has been done in section 3 . In Section 4, Cryptanalysis of Aung et al.’s scheme has been done. An introduction to ECC is being described in section 5. In Section 6, Proposed scheme is being described. Security analysis of the proposed scheme has been done in section 7. In Section 8, Efficiency of the proposed scheme is being compared with the previous schemes and

concluding remarks are being described in Section 9.

2 RelatedWork D. Chaum [4]introduced the concept of a blind signature scheme in 1982. In 1996 Mambo et al [2] introduced the concept of proxy signature. The two types of scheme: proxy unprotected (proxy and original signer both can generate a valid proxy signature) and proxy protected (only proxy can generate a valid proxy signature) ensures among other things, non-repudiation and unforgeability . The first proxy blind signature was proposed by Lin and Jan [1] in 2000. Recently Tan et al. [7] introduced a proxy blind signature scheme, which ensures security properties of the schemes, viz., the blind signature schemes and the proxy signature schemes. The scheme is based on Schnorr blind signature scheme Lee et al.[3] showed that a strong proxy signature scheme should have properties of strong unforgeability, verifiability, strong identifiability, strong nonrepudiation and prevention of misuse. Hung-Min Sun and Bin Tsan Hsieh [8] show that Tan et al.[6] schemes do not satisfy the unforgeability and unlinkability properties. In addition, they also point out that Lal and Awasthi [7] scheme does not possess the unlinkability property either. In 2004, Xue and Cao [9] showed there exists one weakness in Tan et al. scheme [5] and Lal et al. scheme [7] since the proxy signer can get the link between the blind message and the signature or plaintext with great probability. Xue and Cao introduced concept of strong unlinkability and they also proposed a proxy blind signature scheme. In 2007 Li et al.[10] proposed a proxy blind signature scheme using verifiable self-certified public key, and their scheme is more efficient than schemes published earlier. Recently, Xuang Yang and Zhaoping Yu[11] proposed new scheme and showed their scheme is more efficient than Li et al.[10]. In 2009 Aung et al.[12] proposed a new proxy blind signature scheme which satisfied all the security requirements of both the blind signature scheme and the proxy signature scheme.

2


3 Overview Of Aung et al.’s DLP Based Proxy Blind Signature scheme With Low Computation In this section,DLP Based Proxy Blind Signature scheme With Low Computation has been discussed.

number (1) (2)

sends , along with the warrant to the proxy signer. And then proxy signer checks: ! ||

.

3.3 Extraction Phase While receiving s , A computes: F;

s gE

>?GHI ||-J

R%

Finally the signature m, mK , s, e , R% .

3.1 Proxy Delegation Phase Original signer selects random and computes:

. ||

and sends the sign message s to A.

(3)

If it is correct, P accepts it and computes proxy signature secret key "# as follow: "# s% x' (4) Note: responding proxy public key || "# . ( . ! )*

(10) of

message

m

is

3.4 Verification Phase The recipient of the signature can verify the proxy blind signature by checking whether >L mod p ||mmod q e hs. y'D (11) GH ||- Where y'D y% . y= . R% I J If it is true, the verifier accepts it as a valid proxy blind signature, otherwise rejects.

Verifiability The verifier can verify the proxy blind signature by checking >L e hs. y'D mod p ||mmod q holds.

3.2 Blind Signing Phase Proxy signer P selects random number k - Z/ and computes: r g 2 mod p

(5)

and then sends R % , r to signature asker A. To obtain the blind signature of message m, original signer A randomly choose two random numbers u, v - Z/ and computes: r rg ; y% y= >? mod p (6) e hr ||mmod q (7) e e C v mod q (8) If r =0 then A has to select new tuple u, v. Otherwise A sends e to P. After receiving e proxy signer P computes :

s k es'D

(9)

4 Cryptanalysis Of the Aung et al.’s Scheme The scheme doesn’t satisfy the property of verifiability as mentioned in Aung et al.[12]’s scheme. The verification steps are not correct.

5 Elliptic Curve Cryptography

5.1 Elliptic Curve over Finite Field The elliptic curve operations defined on real numbers are slow and inaccurate due to roundoff error. Cryptographic operations need to be

3


faster and accurate. To make operations on elliptic curve accurate and more efficient, ECC is defined over two finite fields— prime field F' and binary field FNH . The field is chosen with finitely large number of points suited for cryptographic operations. 5.1.1 EC over Prime Field OP The equation of the elliptic curve on a prime field F' is y N mod p x Q ax bmod p where,4aQ 27bN mod p W 0. Here, the elements of the finite field are integers between 0 and p C 1. All the operations such as addition, subtraction, division, and multiplication involves integers between 0 and p C 1. The prime number p is chosen such that there is finitely large number of points on the elliptic curve to make the cryptosystem secure. Standards for Efficient Cryptography (SEC) specifies curves with p ranging between 112-521 bits . The algebraic rules for point addition and point doubling can be adapted for elliptic curves over F' . 5.1.2 Point Addition Consider two distinct points J and K such that J [x\ , y\ ] and K x_ , y_ . Let L J K where, L xa , ya then, xa [s N C x\ C x_ ]mod p

ya bCy\ s[x\ C xa ]c mod p s y\ , y_/[x\ C x_ ]mod p

(12)

where, s is the slope of the line through J and K. If K CJ, then J K O where, O is the point at infinity. If K J then, J K 2J; point doubling equations are used. Also, J K K J.

where, s is the tangent at point J and a is one of the parameters chosen with the elliptic curve. If y\ = 0 then, 2J = O where, O is the point at infinity.

6 Proposed Scheme In this section, we propose an efficient proxy blind signature scheme based on ECC.The proposed scheme is divided into five phases: system parameters, proxy delegation, blind signing, signature extraction and signature verification.

6.1 System Parameters The entities involved are three parties.We denote the x-coordinate of a point Q on the elliptic curve E by xv . The scheme is constructed as follows. We make conventions that lowercases denote the elements in F/ and capital letters denote the points in the curve E. O: the original signer P: the proxy signer A: the signature asker d% : the original signer O's secret key Q % : the original signer O's public key, Q % = d% G d= : the proxy signer P's secret key Q = : the proxy signer P's public key, Q = = d= G mK : the designated proxy warrant which contains the identities information of the original signer and the proxy signer, message type to be signed by the proxy signer, the delegation limits of authority, valid periods of delegation, etc. h(.) a secure one-way hash function. || the concatenation of strings.

5.1.3 Point Doubling Consider a point J such that J x\ , y\ where, y\ W 0. Let L 2J where, L xa , ya . Then, xa [s N C 2x\ ]mod p ya Cy\ s[x\ C xa ]mod p s 3x\N a/[2y\ ]mod p

(13)

6.2 Proxy Delegation Phase

Original Signer O randomly chooses k % , 1