Towards Provably Secure Proxy Signature Scheme Based on Isomorphisms of Polynomials

Shaohua Tang, Lingling Xu
School of Computer Science and Engineering, South China University of Technology, Guangzhou 510640, China

Abstract. Proxy signatures are important cryptosystems that are widely adopted in different applications. Most proxy signature schemes proposed so far rely on the hardness of integer factoring, discrete logarithm, and/or elliptic curve problems. However, Peter Shor proved that quantum computers can solve prime factorization and discrete logarithm in polynomial time, which threatens the security of RSA, ElGamal, ECC, and the proxy signature schemes based on these problems. We propose a proxy signature scheme based on the problem of Isomorphism of Polynomials (IP), which belongs to a major category of Multivariate Public Key Cryptography (MPKC). The most attractive advantage of our scheme is its potential to resist future quantum computing attacks. A formal security proof is also given, which shows that our scheme achieves Existential Unforgeability under an Adaptive Chosen Message Attack with Proxy Key Exposure, assuming that the underlying IP signature is existentially unforgeable under an adaptive chosen message attack. It is a valuable attempt to explore provable security in the area of MPKCs. The scheme is implemented in C/C++, and the performance shows that it is efficient. With the parameters we choose, the security level of our implementation reaches 2^{86.59}.

Keywords: Post-Quantum Cryptography, Multivariate Public Key Cryptography, Isomorphism of Polynomials, Proxy Signature, Provable Security

1. Introduction

A proxy signature protocol allows an entity, called the original signer or delegator, to delegate to another entity, called a proxy signer, the right to sign messages on behalf of the original signer. The first efficient proxy signature was introduced in [15, 14]. The types of delegation can be classified into full delegation, delegation by warrant, partial delegation, and partial delegation with warrant [12]. A considerable number of proxy signature schemes have been constructed for each of these delegation types, as surveyed in [3]. Proxy signatures have found numerous practical applications, particularly in distributed computing where delegation of rights is common, for example grid computing, mobile agent applications, and mobile communications. The basic proxy signature has been extended with various features, for example threshold proxy signatures [25], blind proxy signatures [1], anonymous proxy signatures [8], etc.

Almost all proxy signature schemes so far are based on the hardness of integer factoring, discrete logarithm, and/or elliptic curve problems. However, Peter Shor [21] proved that quantum computers can solve prime factorization and discrete logarithm in polynomial time, which threatens the security of RSA, ElGamal, DSA, ECC, and the proxy signature schemes based on these problems. In order to resist quantum computing attacks, Post-Quantum Cryptography has attracted intensive attention from cryptographers. Hash-based cryptography, code-based cryptography, lattice-based cryptography, and Multivariate Public Key Cryptography (MPKC) belong to the area of Post-Quantum Cryptography [2]. The security of MPKC is based on the hardness of solving a system of multivariate polynomial equations over a finite field, which is proven to be NP-hard [9], and quantum computers do not appear to have any advantage against this NP-hard problem. A great deal of research has already focused on MPKCs; for example, a group signature based on MPKC was proposed in [24], and a fast hardware implementation of MPKC was presented in [22].

Email addresses: [email protected], [email protected] (Shaohua Tang), [email protected] (Lingling Xu). The material in this paper was presented in part at the 6th International Conference on Network and System Security (NSS 2012) [23], Nov 2012.

Preprint submitted to Future Generation Computer Systems, May 2, 2013
Cryptosystems based on the problem of Isomorphism of Polynomials (IP) form a major category of MPKC. Therefore, our proposed proxy signature scheme based on the IP problem has the potential advantage of resisting attacks by future quantum computers.

1.1. Our Contribution

After introducing the problem of Isomorphism of Polynomials, we simplify Patarin's signature algorithm [17] based on the IP problem into a compact and workable digital signature scheme that we call the IP signature. We then propose a proxy signature scheme based on the IP signature, which consists of the stages of initialization, delegation and proxy key generation, generation of proxy signatures, and verification of proxy signatures. After that, we present a strict security proof for our proxy signature scheme under the assumption that the underlying IP signature is secure. More concretely, if the underlying IP signature is existentially unforgeable under an adaptive chosen message attack (euf-cma), then our proxy signature scheme is existentially unforgeable under an adaptive chosen message attack with proxy key exposure (ps-uf-pke).


Finally, we implement the scheme in C/C++. The performance shows that our scheme runs efficiently, and our chosen parameters bring the security level of the implementation up to 2^{86.59}.

1.2. Organization

The rest of the paper is organized as follows. In Section 2, we introduce the problem of Isomorphism of Polynomials and the IP signature scheme. In Section 3, we present the security model in which we prove our proxy signature scheme. The proposed proxy signature scheme based on the IP signature is described in Section 4. We present the security proof of our scheme in Section 5. The implementation and performance of our scheme are described in Section 6. Finally, the conclusion is summarized in Section 7.

2. Preliminaries

Some basic building blocks adopted by our scheme are introduced in this section: the problem of Isomorphism of Polynomials (IP), the signature algorithm based on IP, and the procedure to verify an IP signature.

2.1. Problem of Isomorphism of Polynomials

The problem of Isomorphism of Polynomials was introduced in [17]. It is a fundamental problem of multivariate public key cryptography, since it is related to the hardness of key recovery for such cryptosystems. The concept of IP is briefly described as follows; for more details, we refer the reader to [17].

Let K be a finite field; all arithmetic operations hereafter are over this field. Let n and u be positive integers. Let A be a set of u quadratic equations in n variables x_1, ..., x_n that give y values from x values:

$$y_k = \sum_{i}\sum_{j} \gamma_{ijk}\, x_i x_j + \sum_{i} \mu_{ik}\, x_i + \delta_k, \qquad k = 1, \dots, u. \tag{1}$$

Let B be a set of u quadratic equations in n variables x'_1, ..., x'_n that give y' values from x' values:

$$y'_k = \sum_{i}\sum_{j} \gamma'_{ijk}\, x'_i x'_j + \sum_{i} \mu'_{ik}\, x'_i + \delta'_k, \qquad k = 1, \dots, u. \tag{2}$$

Let S be a bijective affine transformation of the variables y_1, ..., y_u, defined by

$$S(y_1, \dots, y_u) = (y'_1, \dots, y'_u); \tag{3}$$

and let T be a bijective affine transformation of the variables x'_1, ..., x'_n, defined by

$$T(x'_1, \dots, x'_n) = (x_1, \dots, x_n). \tag{4}$$

If there exists a transformation pair (S, T) satisfying B = S ∘ A ∘ T, then we say that A and B are "isomorphic", and the bijective affine transformation pair (S, T) is an "isomorphism" from A to B.

Definition 1. (IP Problem) The Problem of Isomorphism of Polynomials (abbreviated IP Problem) is the problem of finding an isomorphism (S, T) from A to B, where A and B are two public sets of u quadratic equations that are isomorphic.

2.2. Security of IP Problem and MPKCs

2.2.1. Provable Security of MPKCs

Many researchers have paid intensive attention to the provable security of MPKCs, that is, to proving that a given MPKC is indeed secure under reasonable theoretical assumptions. Security models such as the random oracle model and the standard model can be adopted to formally prove the security of traditional cryptosystems based on integer factoring, discrete logarithm, and/or elliptic curves. However, these security models cannot be directly applied to MPKCs. Even though there have been some works in this area, for example [6, 7, 5, 19], there is still little essential progress on this topic. Therefore, the most common way to analyze the security of an MPKC is to launch the existing effective attacks against the targeted MPKC and test its ability to resist them.

2.2.2. Security of IP Problem

Cryptosystems based on the IP problem form a major category of Multivariate Public Key Cryptosystems (MPKCs). Many researchers have devoted their efforts to solving the IP problem efficiently. The "To and Fro" technique proposed in [16] is a significant approach to solving the IP problem; it assumes the ability to invert the polynomial systems and has exponential complexity. Moreover, its authors gave an upper bound on the theoretical complexity of the IP problem. However, [7] pointed out that the proof in [16] is not complete. They gave an upper bound on the theoretical complexity of "IP-like" problems, and presented a new algorithm to solve the IP problem when S and T are linear mappings. An improved algorithm proposed in [4] integrates some new techniques and claims the best result in the state of the art.
An important special case of IP is the IP problem with one secret (IP1S for short). Although most algorithms for IP can be applied to IP1S almost directly, several more efficient algorithms have been proposed for IP1S. The algorithm of [10] conducts an exhaustive search to find the solutions of an algebraic system of equations. Later, Levy-dit-Vehel and Perret improved it by using Gröbner basis computation [13]. Perret presented a new approach for solving IP1S using the Jacobian matrix [18], whose computational complexity is polynomial when the number of polynomials u equals the number of variables n, but which is inefficient when u is much smaller than n. We summarize, as far as we know, the best algorithms for the IP and IP1S problems in Table 1. We can observe that solving the IP problem is computationally hard if the parameters are chosen properly, since the best algorithm for some categories of the IP problem is still exponential. For example, if the transformations S and T in Eqs. (3) and (4) are affine, the polynomials in A and B

Table 1: Best Algorithms to Solve IP and IP1S Problems

Problem   Subcase                                    Complexity
IP1S      degree = 2                                 O(n^6)
IP1S      degree = 3, u ≪ n, inhomogeneous           O(n^6)
IP1S      degree = 3, u ≪ n, homogeneous             O(n^6 · m^{n/2})
IP        degree = 2, u = n, inhomogeneous           Heuristic: O(n^3); Rigorous: O(n^6)
IP        degree = 2, u ≤ n, homogeneous             O(n^{3.5} · m^{n/2})

Notation in Table 1: u is the number of polynomials in A described in Eq. (1), n is the number of variables in the polynomials, and m = ||K|| is the cardinality of the finite field K.

in Eqs. (1) and (2) are homogeneous, and the number of polynomials u is not greater than the number of variables n, then the computational complexity of solving the IP problem is O(n^{3.5} · m^{n/2}), which is exponential.

2.3. IP Signature

Zero-knowledge proofs of knowledge allow a prover to demonstrate knowledge of a secret without leaking any useful information about it. A non-interactive zero-knowledge proof of knowledge based on the problem of Isomorphism of Polynomials was presented in [17]. We now simplify Patarin's algorithm into a compact and workable digital signature scheme that we call the IP signature, described as follows.

2.3.1. Generation of IP Signature.

Let K be a finite field, and let n, u and q be positive integers. Let H : {0,1}* → {0,1}^q be a collision-resistant hash function which maps a binary string of arbitrary length to a q-bit hash value. With a slight abuse of notation we also write H = H(·) for a hash value, denote its i-th bit by H[i] ∈ {0, 1} for i = 1, ..., q, and write the binary format of H as H[q] ... H[2]H[1] ∈ {0,1}^q. Let A and B be two sets of u quadratic equations in n variables as defined in (1) and (2), let S and T be two bijective affine transformations as defined in (3) and (4), and let (S, T) be an isomorphism from A to B. Suppose that Alice is a signer whose private key is (S, T) and whose corresponding public key is (A, B). Let m be the message to sign. Alice signs m by invoking IPSign, described in Algorithm 1.

Algorithm 1. IPSign(m, (S, T), (A, B))
/* generate a digital signature on a message based on the IP problem */
Input
  m: the message to sign;
  (S, T): the private key used to sign the message;
  (A, B): the public key corresponding to (S, T);
Output
  V: the signature on message m;
Begin
  Step 1. The signer selects q random bijective affine transformation pairs (S'_1, T'_1), (S'_2, T'_2), ..., (S'_q, T'_q);
  Step 2. The signer computes
    C_1 = S'_1 ∘ A ∘ T'_1,  C_2 = S'_2 ∘ A ∘ T'_2,  ...,  C_q = S'_q ∘ A ∘ T'_q;
  Step 3. The signer computes the hash value H = H(m || C_1 || C_2 || ... || C_q), where || denotes concatenation, and then, for i = 1, ..., q,
    (S_i, T_i) = (S'_i, T'_i)                        if H[i] == 0,
    (S_i, T_i) = (S'_i ∘ S^{-1}, T^{-1} ∘ T'_i)      if H[i] == 1,
    where H[i] is the i-th bit of H;
  Step 4. Let V = (H, (S_1, T_1), (S_2, T_2), ..., (S_q, T_q)), and return V;
End

The pairs (S'_i, T'_i) must be fresh for every signature and drawn from a cryptographic random source: if the same pair were reused in two signatures whose i-th challenge bits differ, the two responses (S'_i, T'_i) and (S'_i ∘ S^{-1}, T^{-1} ∘ T'_i) would together reveal the private key (S, T).

Definition 2. (IP Signature) The (q + 1)-tuple

$$V = (H, (S_1, T_1), (S_2, T_2), \dots, (S_q, T_q)) \tag{5}$$

is called an IP signature on message m by a signer corresponding to public key (A, B).

2.3.2. Verification of IP Signature.

After receiving the public key (A, B), the message m, and the IP signature V, any verifier can invoke IPVerify to check the validity of the signature, as described in Algorithm 2.

Algorithm 2. IPVerify(m, V, (A, B))
/* verify the validity of an IP signature on a message */
Input
  m: the signed message;
  V: the IP signature on m, V = (H, (S_1, T_1), ..., (S_q, T_q));
  (A, B): the public key of the signer;
Output
  true/false: whether the IP signature V is valid or not;
Begin
  Step 1. The verifier computes q sets of u quadratic equations via
    C'_i = S_i ∘ A ∘ T_i   if H[i] == 0,
    C'_i = S_i ∘ B ∘ T_i   if H[i] == 1,      for i = 1, ..., q;
  Step 2. The verifier computes the hash value H' = H(m || C'_1 || C'_2 || ... || C'_q);
  Step 3. if (H' == H), return true; otherwise, return false;
End

Correctness follows from B = S ∘ A ∘ T: when H[i] = 1, S_i ∘ B ∘ T_i = S'_i ∘ S^{-1} ∘ (S ∘ A ∘ T) ∘ T^{-1} ∘ T'_i = S'_i ∘ A ∘ T'_i = C_i, so the verifier recomputes exactly the C_i that the signer hashed. An implementation should also reject a V that does not carry exactly q transformation pairs, since H is only meaningful over q challenge bits.

3. Security Model for Proxy Signature

The security notion Existential Unforgeability under an Adaptive Chosen Message Attack with Proxy Key Exposure (ps-uf-pke) for multi-level proxy signature schemes was presented in [20]. In this paper, we adapt this notion to our single-level proxy signature scheme.

Assume that an ordinary signature scheme consists of four algorithms Setup, KeyGen, Sign, Verify. A proxy signature scheme is then an extension of an ordinary signature scheme with the following additional algorithms: (Delegate, ProxyKeyGen), ProxySign, ProxyVerify. The proxy scheme involves a delegator and a proxy; (pk_A, sk_A) and (pk_B, sk_B) are the key pairs of the delegator and the proxy for the ordinary signature scheme, respectively. (Delegate, ProxyKeyGen) is a pair of randomized interactive algorithms for delegating signing rights. Delegate is run by the delegator with input (w, sk_A), where the warrant w is a tuple (pk_A, pk_B, t) and t is the time period during which w is valid. The output of (Delegate, ProxyKeyGen) is a proxy key psk which can be used to create proxy signatures on behalf of the delegator. ProxySign is run by the proxy, takes as input (w, psk, m), and outputs a proxy signature σ_m. ProxyVerify takes as input (m, (w, σ_m)), where m is a message and (w, σ_m) is a proxy signature as generated by ProxySign, and outputs either 'true' or 'false'.

The security notion for our proxy signature scheme is based on a security game played between a challenger C and an adversary A. In the game, the challenger first generates a public/private key pair (pk*, sk*) for a user u*. A controls all users except u*; that is, the key pairs of all other users are generated by A, and A is not required to register the generated keys or to prove knowledge of the private keys corresponding to the public keys used in the game.

The goal of the adversary is to produce a forgery. Here, a forgery is one of the following: (i) an ordinary signature which verifies under u*'s public key, (ii) a proxy signature that appears to be constructed by u* on behalf of one of the users controlled by the adversary, or (iii) a proxy signature on behalf of u* computed by one of the users controlled by the adversary which has not been delegated the signing rights of u*. In our notion, it is required for a type (i) or type (ii) forgery that the signature was not obtained in a query to the challenger. However, when considering a message/proxy signature pair (m, (w, σ_m)) produced by the adversary as a type (ii) forgery, we treat any query on a different m or with a different w as unrelated. In the game, the challenger maintains, for each warrant w, a list pskList(w) which is initially empty. The security game is formally defined as follows.

• Setup. The challenger C runs Setup with input 1^κ and generates a public/private key pair for u* by running (pk*, sk*) ← KeyGen. C then passes pk* to the adversary A and stores sk*.

• Queries. While A is running, it can adaptively make any of the following queries, which are answered by C:
  1. Ordinary signature. On input m from A, C runs σ ← Sign(sk*, m) and returns σ to A.
  2. Delegation to u*. On input w from A, C interacts with A through the Delegate and ProxyKeyGen protocol with the key pair (pk*, sk*). Upon completion, C obtains the proxy signing key psk and adds psk to pskList(w).
  3. Delegation from u*. (1) Delegation of sk*. On input w from A, C interacts with A through the Delegate and ProxyKeyGen protocol. (2) Self-delegation. C interacts with itself through the Delegate and ProxyKeyGen protocol on input w = (pk*, pk*, t), generates the proxy key psk, adds psk to pskList(w), and sends the transcript of the delegation to A.
  4. Proxy signature. On input (w, m), C looks up the proxy key psk in pskList(w) and returns '⊥' to A if no such key exists. Otherwise, C computes σ ← ProxySign(w, psk, m) and sends σ to A.
  5. Proxy key exposure. On input w, C returns the proxy key in pskList(w) if such a key exists. Otherwise, C returns '⊥' to A.

• Forgery. The forgery can take one of the following forms:
  (1) Ordinary signature of u*. The adversary outputs (m, σ). This forgery is valid if Verify(pk*, m, σ) = accept and m has not been submitted in an ordinary signature query.
  (2) Proxy signature of u*. The adversary outputs a message/signature tuple (w, m, σ), where pk_d is the public key of the (adversary-controlled) delegator named in w. This forgery is valid if it verifies under the Verification of Proxy Signature protocol, (w, m) has not been submitted in a proxy signature query, and w has not been submitted in a proxy key exposure query.
  (3) Proxy signature on behalf of u*. The adversary outputs a message/signature tuple (m, w, σ) as a forgery, where w = (pk*, pk_d, t). The forgery is valid if it verifies under the Verification of Proxy Signature protocol, the proxy key was not generated by the challenger, and w has not been submitted in a proxy key exposure query.

If the forgery output by the adversary is valid, the game returns 1; otherwise it returns 0. Let Game^{ps-uf-pke}_{PS,A}(κ) be the outcome of running the above security game with proxy signature scheme PS, adversary A and security parameter κ. We define the advantage of the adversary in the security game as

$$\mathrm{Adv}^{\text{ps-uf-pke}}_{PS,A}(\kappa) = \Pr\left[\mathrm{Game}^{\text{ps-uf-pke}}_{PS,A}(\kappa) = 1\right],$$

where the probability is taken over all random coin tosses made by the adversary and the challenger.

Definition 3. An adversary A is said to be an (ε, t, q_d, q_s)-forger of a proxy signature scheme if A has advantage at least ε in the above game, runs in time at most t, and makes at most q_d delegation queries and q_s signing queries to the challenger. A proxy signature scheme is said to be (ε, t, q_d, q_s)-secure if no (ε, t, q_d, q_s)-forger exists.

4. The Proposed IP-based Proxy Signature

4.1. Initialization

As in the scheme of [20], we assume that users can be uniquely identified by their public keys, so a delegator and a proxy are uniquely identified by their public keys. This requirement can be met in practice by requiring the certification authority not to issue certificates to two different users for the same public key.

The following procedure, denoted KeyGen, is run by each user to generate an individual long-term private key for ordinary signing and the corresponding public key for verifying signatures. Suppose that Alice and Bob are users, where Alice is the delegator and Bob is the proxy signer. Alice's private key sk_A consists of (S_A, T_A), a pair of randomly chosen bijective affine transformations of the forms (3) and (4), and the corresponding public key pk_A is (F_A, F̄_A) satisfying

$$\bar{F}_A = S_A \circ F_A \circ T_A, \tag{6}$$

where F_A and F̄_A are two sets of u quadratic polynomials of the forms (1) and (2). Similarly, Bob's private key consists of (S_B, T_B), a pair of randomly chosen bijective affine transformations of the forms (3) and (4), and the corresponding public key pk_B is (F_B, F̄_B) satisfying

$$\bar{F}_B = S_B \circ F_B \circ T_B, \tag{7}$$

where F_B and F̄_B are two sets of u quadratic polynomials of the forms (1) and (2). The public keys of Alice and Bob, i.e., pk_A = (F_A, F̄_A) and pk_B = (F_B, F̄_B), are published on the public bulletin board.

4.2. Delegation and Proxy Key Generation

At this stage, a delegation token representing the proxy signing power authorized to Bob by Alice is computed by Alice and delivered to Bob. Bob then generates the proxy signing key from his own private key and the delegation token. The detailed procedures, denoted Delegate and ProxyKeyGen, are as follows.

Step 1. [Delegate] Alice randomly chooses two bijective affine transformations S and T of the forms (3) and (4) respectively, then computes

$$S'_A = S \circ S_A^{-1}, \tag{8}$$

$$T'_A = T_A^{-1} \circ T, \tag{9}$$

and

$$\bar{F}'_A = S'_A \circ \bar{F}_A \circ T'_A. \tag{10}$$

The affine transformations S and T are kept secret by Alice. Alice sends (S'_A, T'_A, F̄'_A) and the warrant (w, cert) to Bob via an authenticated channel, where w = (pk_A, pk_B, t) and cert is an ordinary signature on w generated by Alice, namely cert = IPSign(w, sk_A, pk_A).

Step 2. [ProxyKeyGen] After receiving (S'_A, T'_A, F̄'_A, w, cert), Bob first checks that IPVerify(w, cert, pk_A) = true and that F̄'_A = S'_A ∘ F̄_A ∘ T'_A holds (the same two checks the challenger performs in the proof of Theorem 1), and rejects the delegation otherwise. Bob then selects two random bijective affine transformations S' and T' of the forms (3) and (4) respectively, and computes

$$S_p = S'_A \circ S_B^{-1} \circ S'^{-1}, \tag{11}$$

$$T_p = T'^{-1} \circ T_B^{-1} \circ T'_A, \tag{12}$$

and

$$\bar{F}_{AB} = S' \circ S_B \circ \bar{F}_A \circ T_B \circ T'. \tag{13}$$

Let sk_p = (S_p, T_p) and pk_p = (F̄_AB, F̄'_A). Note that sk_p is a private key for the IP signature and pk_p is the corresponding public key, as proved in Lemma 1. Bob then computes a signature σ_prx by running σ_prx = IPSign((w, cert, pk_p), sk_B, pk_B). sk_p is set as the proxy signing key that Bob uses to generate proxy signatures on behalf of Alice, and pk_p together with (w, cert, pk_p, σ_prx) is set as the proxy verifying key.


Remark 1. The proxy signer Bob cannot derive the original signer Alice's private key (S_A, T_A) from the message (S'_A, T'_A, F̄'_A) received in Delegate, since the affine transformations S and T are kept secret by Alice. Likewise, anyone who obtains (S'_A, T'_A, F̄'_A) by eavesdropping or other means, for example through Bob disclosing it intentionally or unintentionally, cannot compute Alice's private key either.

Lemma 1. (S_p, T_p) is an isomorphism from F̄_AB to F̄'_A, and (S_p, T_p) is the private key for the IP signature corresponding to the public key (F̄_AB, F̄'_A).

Proof. Eq. (10) can be expanded as

$$\bar{F}'_A = S'_A \circ \bar{F}_A \circ T'_A = S'_A \circ S_B^{-1} \circ S'^{-1} \circ S' \circ S_B \circ \bar{F}_A \circ T_B \circ T' \circ T'^{-1} \circ T_B^{-1} \circ T'_A. \tag{14}$$

By applying (11), (12) and (13) to (14), we get

$$\bar{F}'_A = S_p \circ \bar{F}_{AB} \circ T_p, \tag{15}$$

which means that (S_p, T_p) is an isomorphism from F̄_AB to F̄'_A. Therefore (S_p, T_p) is the private key for the IP signature corresponding to the public key (F̄_AB, F̄'_A). □

4.3. Generation of Proxy Signature

The following procedure, denoted ProxySign, lets the proxy signer Bob generate a proxy signature on behalf of the delegator Alice. For any given message m, Bob invokes IPSign to generate an IP signature using sk_p = (S_p, T_p) as the private key and pk_p = (F̄_AB, F̄'_A) as the public key:

$$\sigma = \mathrm{IPSign}(m, sk_p, pk_p). \tag{16}$$

As a result, (σ, (w, cert, pk_p, σ_prx)) is the proxy signature on m by Bob on behalf of Alice.

4.4. Verification of Proxy Signature

The following procedure, denoted ProxyVerify, lets anyone verify the validity of a proxy signature. After receiving the message m and the proxy signature (σ, (w, cert, pk_p, σ_prx)), the verifier executes the following steps:

Step 1. Get Alice's public key pk_A = (F_A, F̄_A) and Bob's public key pk_B = (F_B, F̄_B) from the public bulletin board; these must be the keys named in the warrant, i.e. w = (pk_A, pk_B, t).

Step 2. Check the validity of σ by verifying the following conditions:
1) Check the validity of the signature cert on w by running IPVerify(w, cert, pk_A) == true?
2) Invoke IPVerify to check the validity of the signature σ_prx on (w, cert, pk_p): IPVerify((w, cert, pk_p), σ_prx, pk_B) == true?

3) Check whether the time period t described in w is still valid.
If all the above conditions hold, proceed to the next step; otherwise, terminate the protocol.

Step 3. Verify the proxy signature by invoking IPVerify(m, σ, pk_p) == true? If this condition holds, the proxy signature is valid and the algorithm returns true; otherwise it is invalid and the algorithm returns false.

Remark 2. If the time period t in the warrant w has expired, the delegated signing privilege is revoked automatically. Besides, the original signer can also broadcast a signed message announcing the invalidation of the warrant w. Proxy signatures generated by Bob thereafter then become invalid.

5. Security Analysis

With the knowledge of the most efficient attacks on IP problems, and in order to strengthen the security of our scheme, we suggest that the parameters of our scheme satisfy the following conditions: 1) the transformations S and T in Eqs. (3) and (4) should be affine; 2) the polynomials in A and B in Eqs. (1) and (2) should be homogeneous; 3) u < n, i.e., the number of polynomials should be less than the number of variables. Taking our implementation in Section 6 as an example, with the finite field K = GF(2^8), n = 18, u = 10, and m = ||K|| = 2^8, the attack complexity should be greater than

$$n^{3.5} \cdot m^{n/2} = 18^{3.5} \cdot (2^8)^{18/2} = 2^{86.59}.$$

An MPKC scheme is usually considered computationally secure if the attack complexity exceeds 2^80. Therefore our implementation with the chosen parameters should be a secure IP-based proxy signature scheme.

The standard notion of security for signature schemes is Existential Unforgeability under a Chosen Message Attack (euf-cma) [11]. Although the IP signature scheme has not been proven secure in a standard security model, based on the analysis above we assume here that the IP signature scheme is (ε, t, q_s)-secure.
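The following Python example is added here as an illustration and is not the authors' C/C++ implementation. It instantiates Algorithms 1 and 2 (IPSign, IPVerify) and the Delegate / ProxyKeyGen / ProxySign / ProxyVerify procedures of Sections 4.2 to 4.4 end to end, checks Lemma 1 numerically (F̄'_A = S_p ∘ F̄_AB ∘ T_p), and shows a genuine proxy signature verifying while a tampered message and an expired warrant are rejected. Everything outside the paper's equations is an assumption of the example: the prime field GF(251) replaces GF(2^8), SHA-256 truncated to q bits plays the role of H, tuples are encoded with Python's repr() before hashing, the warrant carries an integer expiry t, the random quadratic systems are inhomogeneous, and the toy sizes (n = 4, u = 3, q = 32, versus the paper's n = 18, u = 10, q = 64) give no security at all; Python's random module is likewise a stand-in for a cryptographic RNG.

```python
"""Added example, not the authors' code: the IP signature of Algorithms 1-2 and the
Delegate/ProxyKeyGen/ProxySign/ProxyVerify chain of Section 4 at toy sizes. Assumptions:
GF(251) instead of GF(2^8), SHA-256 as H, repr()-based encoding of tuples before hashing."""
import hashlib, random
P = 251  # prime field modulus; stands in for the paper's GF(2^8)

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % P
def mat_vec(M, v):
    return [dot(row, v) for row in M]
def mat_mul(A, B):
    return [[dot(row, col) for col in zip(*B)] for row in A]
def mat_inv(M):  # Gauss-Jordan over GF(P); None if M is singular
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        A[c] = [x * pow(A[c][c], P - 2, P) % P for x in A[c]]
        for r in [r for r in range(n) if r != c and A[r][c]]:
            A[r] = [(x - A[r][c] * y) % P for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

# An affine map is a pair (M, c) meaning x -> M x + c; bijective iff M is invertible (Eqs. (3), (4)).
def rand_affine(rng, dim):
    while True:
        M = [[rng.randrange(P) for _ in range(dim)] for _ in range(dim)]
        if mat_inv(M) is not None:
            return M, [rng.randrange(P) for _ in range(dim)]
def comp(f, g):  # f o g, i.e. x -> f(g(x))
    return mat_mul(f[0], g[0]), [(x + y) % P for x, y in zip(mat_vec(f[0], g[1]), f[1])]
def inv(f):
    Mi = mat_inv(f[0])
    return Mi, [(-x) % P for x in mat_vec(Mi, f[1])]

# A system is a list of u polynomials (Q, L, d) meaning x^T Q x + L.x + d, as in Eq. (1).
def conj(S, A, T):  # coefficients of S o A o T: substitute x = M x' + c (T), then y' = N y + e (S)
    (N, e), (M, c) = S, T
    Mt, n, inner = list(zip(*M)), len(M), []
    for Q, L, d in A:  # A o T, one polynomial at a time
        qc = [(x + y) % P for x, y in zip(mat_vec(Q, c), mat_vec(list(zip(*Q)), c))]  # (Q + Q^T) c
        inner.append((mat_mul(mat_mul(Mt, Q), M), mat_vec(Mt, [(x + y) % P for x, y in zip(qc, L)]),
                      (dot(c, mat_vec(Q, c)) + dot(L, c) + d) % P))
    return [([[dot(row, [p[0][a][b] for p in inner]) for b in range(n)] for a in range(n)],
             [dot(row, [p[1][a] for p in inner]) for a in range(n)],
             (dot(row, [p[2] for p in inner]) + e[j]) % P) for j, row in enumerate(N)]

def enc(*parts):  # canonical bytes for hashing and signing (assumption: repr of nested lists)
    return b"|".join(repr(p).encode() for p in parts)
def hash_bits(msg, systems, q):  # H(m || C_1 || ... || C_q), truncated to q bits
    h = hashlib.sha256(enc(msg, systems)).digest()
    return [(h[i >> 3] >> (i & 7)) & 1 for i in range(q)]
def ip_keygen(rng, n, u):  # sk = (S, T); pk = (A, B) with B = S o A o T
    A = [([[rng.randrange(P) for _ in range(n)] for _ in range(n)],
          [rng.randrange(P) for _ in range(n)], rng.randrange(P)) for _ in range(u)]
    S, T = rand_affine(rng, u), rand_affine(rng, n)
    return (S, T), (A, conj(S, A, T))
def ip_sign(msg, sk, pk, q, rng):  # Algorithm 1
    (S, T), A = sk, pk[0]
    rnd = [(rand_affine(rng, len(A)), rand_affine(rng, len(A[0][1]))) for _ in range(q)]
    H = hash_bits(msg, [conj(Si, A, Ti) for Si, Ti in rnd], q)
    Sinv, Tinv = inv(S), inv(T)
    return H, [(Si, Ti) if b == 0 else (comp(Si, Sinv), comp(Tinv, Ti)) for (Si, Ti), b in zip(rnd, H)]
def ip_verify(msg, sig, pk, q):  # Algorithm 2; also rejects a wrong number of challenge bits
    (H, resp), (A, B) = sig, pk
    if len(H) != q or len(resp) != q:
        return False
    return hash_bits(msg, [conj(Si, A if b == 0 else B, Ti) for (Si, Ti), b in zip(resp, H)], q) == H
def delegate(skA, pkA, pkB, t, q, rng):  # Section 4.2, Step 1 (Alice); warrant w = (pkA, pkB, t)
    (SA, TA), FbA, w = skA, pkA[1], (pkA, pkB, t)
    S, T = rand_affine(rng, len(SA[0])), rand_affine(rng, len(TA[0]))  # Alice keeps S, T secret
    SA1, TA1 = comp(S, inv(SA)), comp(inv(TA), T)                      # Eqs. (8), (9)
    return SA1, TA1, conj(SA1, FbA, TA1), w, ip_sign(enc(w), skA, pkA, q, rng)  # Eq. (10), cert
def proxy_keygen(token, skB, pkB, pkA, q, rng):  # Section 4.2, Step 2 (Bob)
    SA1, TA1, FbA1, w, cert = token
    (SB, TB), FbA = skB, pkA[1]
    if w[:2] != (pkA, pkB) or not ip_verify(enc(w), cert, pkA, q) or conj(SA1, FbA, TA1) != FbA1:
        raise ValueError("token is not a valid delegation from Alice to Bob")
    S1, T1 = rand_affine(rng, len(SB[0])), rand_affine(rng, len(TB[0]))
    skp = (comp(comp(SA1, inv(SB)), inv(S1)), comp(comp(inv(T1), inv(TB)), TA1))  # Eqs. (11), (12)
    pkp = (conj(comp(S1, SB), FbA, comp(TB, T1)), FbA1)                            # Eq. (13)
    return skp, (w, cert, pkp, ip_sign(enc(w, cert, pkp), skB, pkB, q, rng))       # sigma_prx
def proxy_verify(msg, psig, pkA, pkB, q, now):  # Section 4.4
    sigma, (w, cert, pkp, sprx) = psig
    return (w[:2] == (pkA, pkB) and now < w[2]             # warrant names Alice and Bob, not expired
            and ip_verify(enc(w), cert, pkA, q)            # 1) cert by Alice on w
            and ip_verify(enc(w, cert, pkp), sprx, pkB, q) # 2) sigma_prx by Bob on (w, cert, pkp)
            and ip_verify(msg, sigma, pkp, q))             # 3) sigma under the proxy key pkp

def demo(seed=1, n=4, u=3, q=32):
    rng = random.Random(seed)  # toy sizes; a real deployment needs a cryptographic RNG
    skA, pkA = ip_keygen(rng, n, u)
    skB, pkB = ip_keygen(rng, n, u)
    skp, pvk = proxy_keygen(delegate(skA, pkA, pkB, 1000, q, rng), skB, pkB, pkA, q, rng)
    lemma1 = conj(skp[0], pvk[2][0], skp[1]) == pvk[2][1]  # Lemma 1: F'_A == Sp o F_AB o Tp
    psig = (ip_sign(b"pay 10", skp, pvk[2], q, rng), pvk)  # ProxySign, Eq. (16)
    return (lemma1, proxy_verify(b"pay 10", psig, pkA, pkB, q, now=500),   # genuine
            proxy_verify(b"pay 99", psig, pkA, pkB, q, now=500),           # tampered message
            proxy_verify(b"pay 10", psig, pkA, pkB, q, now=1000))          # warrant expired (Remark 2)
```

`demo()` returns `(True, True, False, False)`. `conj` is the only non-obvious routine: substituting x = Mx' + c into x^T Q x + L·x + d gives quadratic part M^T Q M, linear part M^T((Q + Q^T)c + L) and constant c^T Q c + L·c + d, written without a division by 2 so the same code would work in characteristic 2. Because every step is exact ring arithmetic, the verifier's S_i ∘ B ∘ T_i for H[i] = 1 reproduces the signer's C_i coefficient by coefficient, which is what makes hashing the coefficient lists sound.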
In the following, we will present the concrete security proof for our proxy signature scheme in the security model shown in Section 3. Theorem 1. If the underlying IP signature scheme is (, t, qs )-secure, then our proxy signature scheme is (0 , t0 , qd0 , qs0 )-secure. proof. We will show that if there exists an adversary A who can (0 , t0 , qd0 , qs0 )break the proxy signature scheme, then we can construct an algorithm β who

12

can (, t, qs )-break the underlying IP signature scheme. That is, the security of our proxy scheme depends on that of IP signature scheme. The challenger is given a challenge public key pk 0 = (F 0 , F¯ 0 ) of IP signature scheme and access to an IP signing oracle Osig (m, σ) for the secret key sk 0 corresponding to pk 0 . Before interacting with the adversary A in the security game, β flips a fair coin c. If c = 0, β sets pk ∗ = pk 0 , and sk ∗ = φ. Otherwise, β generates a fresh key pair (pk ∗ , sk ∗ ) ← KeyGen where pk ∗ = (F ∗ , F¯ ∗ ), and chooses i∗ ∈ {1, 2, . . . , qd0 }. β runs A with input pk ∗ . As the challenger in the security game, β will maintain a set of lists pskList(w) where each list pskList(w) will hold all proxy keys generated by β with the warrant w. While running, A is allowed to make qs0 ordinary signature queries and qd0 delegation queries which β will answer as follows: • Ordinary signature. On input m from A, if c = 0, β simply makes query to his own IP signing oracle and obtains an answer σ; if c = 1, β generates a signature σ by running IPSign(m, sk ∗ , pk ∗ ) and returns σ to A. • Delegation to u∗ . A submits the delegation message (w, cert, Sd0 , Td0 , F¯d0 ) where w = (pkd , pk ∗ , t) and pkd = (Fd , F¯d ). β verifies whether both cert = IPSign(w, skd , pkd ) and F¯d0 = Sd0 ◦ F¯d ◦ Td0 are correct. If c = 0, β chooses randomly two bijective affine transformations S and T , and computes Sp = Sd0 ◦ S −1 , Tp = T −1 ◦ Td0 , and F¯du = S ◦ F¯d ◦ T . Let pkp = (F¯du , F¯d0 ) and skp = (Sp , Tp ). β makes a query to his own IP signing oracle for (w, cert, pkp ) and obtains a signature σprx . If c = 1 and this is not the i∗ -th query, β similarly chooses randomly two bijective affine transformations and computes Sp = Sd0 ◦ S −1 , Tp = T −1 ◦ Td0 , and F¯du = S ◦ F¯d ◦ T where pkp = (F¯du , F¯d0 ) and skp = (Sp , Tp ). Then β runs σprx = IPSign((w, cert, pkp ), sk ∗ , pk ∗ ). 
If c = 1 and this is the i∗ -th query, β directly lets pkp = pk 0 , skp = φ and runs σprx = IPSign((w, cert, pkp ), sk ∗ , pk ∗ ). Finally, β stores ((w, cert, pkp , σprx ), skp ) in pskList(w). • Delegation from u∗ . (1) Delegation of sk ∗ . On input (w) from A where w = (pk ∗ , pkd , t), β chooses randomly two bijective affine transformations (S, T ) and com∗ putes F¯0 = S ◦ F¯ ∗ ◦ T . If c = 0, than β makes query to his signing oracle for w and obtains a signature cert. If c = 1, then β generates cert by running cert ← IPSign(w, sk ∗ , pk ∗ ) and sends the delegation message ∗ (w, cert, S, T, F¯0 ) to A. (2) Self-delegation. Depending on the input w = (pk ∗ , pk ∗ , t) submitted by A, β will do as follows. If c = 0 or c = 1 and this is not the i∗ -th query, β chooses randomly two bijective affine transformations (S, T ), computes ∗ F¯0 = S ◦ F¯ ∗ ◦ T , makes query to his signing oracle for w and obtains a ∗ signature cert, and also queries for (w, cert, (F¯ ∗ , F¯0 )) and obtains σprx . If c = 1 and this is the i∗ -th query, β directly lets pkp = pk 0 , computes σprx = IPSign((w, cert, pkp ), sk ∗ , pk ∗ ) and stores ((w, cert, pkp , σprx ), skp ). 13

• Proxy signature. On input (w, m) from A, β looks up the proxy key in pskList(w) and parses it as (sk_p, (w, cert, pk_p, σ_prx)). Then, if c = 0, β makes a query to his signing oracle for m and obtains a signature σ_m; if c = 1, β computes σ_m ← IPSign(m, sk_p, pk_p). Then β returns (m, (w, cert, pk_p, σ_prx), σ_m) to A.

• Proxy key exposure. On input w, β looks up the proxy key in pskList(w) and parses it as (sk_p, (w, cert, pk_p, σ_prx)). If sk_p = φ, β aborts. Otherwise, β returns (sk_p, (w, cert, pk_p, σ_prx)) to A.

Note that β's choice of c is completely hidden from A unless an abort occurs. If β is not forced to abort, A will eventually output a forgery. The forgeries are classified into two categories:

• Category A forgeries are either a valid type (i) forgery (m, σ), a valid type (ii) forgery (m, σ_m, (w, cert, pk_p, σ_prx)) where pk_p was not generated by β, or a valid type (iii) forgery (m, σ_m, (w, cert, pk_p, σ_prx)) where w was not submitted as an ordinary signature query.

• Category B forgeries are all valid forgeries that are not in category A, i.e. a type (ii) or type (iii) forgery where β has generated the public proxy key pk_p.

Let us first consider the case c = 0. In this case, β sets pk* = pk_0. If A constructs a valid category B forgery, β aborts. Otherwise, if A constructs a valid category A forgery, then:

• If the forgery is of type (i), i.e. (m, σ), then A has not requested a signature on m, and β has therefore not submitted m to his own signing oracle. Hence σ is a valid forgery of an IP signature under the public key pk_0.

• If the forgery is of type (ii), i.e. (m, σ_m, (w, cert, pk_p, σ_prx)), then σ_prx is a valid signature on (w, cert, pk_p) under the public key pk_0, and β has not submitted (w, cert, pk_p) to his own signing oracle. Hence σ_prx is a valid IP signature forgery under the public key pk_0.

• If the forgery is of type (iii), i.e. (m, σ_m, (w, cert, pk_p, σ_prx)), then cert is a valid forgery for w, and β has therefore not submitted w to his signing oracle. Hence cert is a valid forgery of an IP signature under the public key pk_0.

Let us now consider the case c = 1, where β inserts pk_0 as a proxy public key. In this case, if the forgery is a category A forgery, β aborts. On the other hand, if the forgery is a category B forgery (m, σ_m, (w, cert, pk_p, σ_prx)) where pk_p = pk_0, then β outputs (m, σ_m) as a valid forgery for the underlying IP signature scheme. Otherwise, β aborts. Note that if A constructs such a forgery, then A has not queried the proxy key (w, cert, pk_p, σ_prx).
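The delegation step in the simulation above hinges on one computation, $\bar{F}_0^* = S \circ \bar{F}^* \circ T$: two random bijective affine maps are applied to a system of quadratic polynomials and only the resulting coefficients are published, so that recovering (S, T) from the pair of systems is an instance of the IP problem. The following is an added example written for this page, not the authors' C/C++ implementation. It carries that composition out over GF(2^8) with the implementation's sizes n = 18 and u = 10, and checks that the composed system agrees with evaluating S(F*(T(z))) step by step. Everything beyond the formula is an assumption: the reduction polynomial 0x11B, a random quadratic system standing in for the actual central map $\bar{F}^*$ (the page does not spell out its structure), the (Q, l, c) coefficient representation, the LU construction of invertible matrices, and all function names (`delegate`, `check_composition`, and so on).

```python
"""Delegation computation F0* = S o F* o T over GF(2^8); added example, not the paper's code."""
import random

# GF(2^8) arithmetic. The paper's implementation uses K = GF(2^8); the reduction
# polynomial x^8 + x^4 + x^3 + x + 1 (0x11B) is our assumption, the page names none.
MOD = 0x11B

def gf_mul(a, b):
    """Carry-less multiply with reduction modulo MOD; addition in GF(2^8) is XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r

def dot(v, w):
    r = 0
    for a, b in zip(v, w):
        r ^= gf_mul(a, b)
    return r

def transpose(A):
    return [list(col) for col in zip(*A)]

def mat_vec(A, v):
    return [dot(row, v) for row in A]

def mat_mul(A, B):
    Bt = transpose(B)
    return [[dot(row, col) for col in Bt] for row in A]

def vec_add(v, w):
    return [a ^ b for a, b in zip(v, w)]

def random_affine(dim, rng):
    """Bijective affine map x -> M x + v with M = L*U, L unit lower triangular and
    U upper triangular with a non-zero diagonal, so M is invertible by construction."""
    L = [[1 if i == j else (rng.randrange(256) if i > j else 0) for j in range(dim)]
         for i in range(dim)]
    U = [[rng.randrange(1, 256) if i == j else (rng.randrange(256) if i < j else 0)
          for j in range(dim)] for i in range(dim)]
    return mat_mul(L, U), [rng.randrange(256) for _ in range(dim)]

def random_quadratic_system(u, n, rng):
    """u random quadratic polynomials in n variables, standing in for F*. Each is
    (Q, l, c) meaning x^T Q x + l.x + c; the x_i x_j coefficient is Q[i][j] + Q[j][i]."""
    return [([[rng.randrange(256) for _ in range(n)] for _ in range(n)],
             [rng.randrange(256) for _ in range(n)],
             rng.randrange(256)) for _ in range(u)]

def eval_poly(poly, x):
    Q, l, c = poly
    return dot(x, mat_vec(Q, x)) ^ dot(l, x) ^ c

def compose_inside(poly, A, b):
    """Substitute x = A y + b into x^T Q x + l.x + c and return the polynomial in y:
    Q' = A^T Q A,  l' = A^T (Q + Q^T) b + A^T l,  c' = b^T Q b + l.b + c."""
    Q, l, c = poly
    At = transpose(A)
    Q2 = mat_mul(mat_mul(At, Q), A)
    Qb = mat_vec(Q, b)
    l2 = vec_add(vec_add(mat_vec(At, Qb), mat_vec(At, mat_vec(transpose(Q), b))),
                 mat_vec(At, l))
    c2 = dot(b, Qb) ^ dot(l, b) ^ c
    return Q2, l2, c2

def compose_outside(polys, C, d):
    """Apply y -> C y + d to the polynomial vector: G_j = sum_k C[j][k] F_k + d_j."""
    n = len(polys[0][1])
    out = []
    for j, row in enumerate(C):
        Q = [[0] * n for _ in range(n)]
        l = [0] * n
        c = d[j]
        for coef, (Qk, lk, ck) in zip(row, polys):
            for i in range(n):
                for m in range(n):
                    Q[i][m] ^= gf_mul(coef, Qk[i][m])
                l[i] ^= gf_mul(coef, lk[i])
            c ^= gf_mul(coef, ck)
        out.append((Q, l, c))
    return out

def delegate(F, S, T):
    """The delegation computation F0 = S o F o T with S = (C, d) and T = (A, b).
    In the page's delegation step (S, T) travel with F0 to the proxy signer, and the
    pair (F, F0) plays the role of the proxy public key."""
    A, b = T
    C, d = S
    return compose_outside([compose_inside(f, A, b) for f in F], C, d)

def check_composition(n=18, u=10, trials=3, seed=1):
    """True iff evaluating the composed F0 at random z equals S(F(T(z)))."""
    rng = random.Random(seed)
    F = random_quadratic_system(u, n, rng)
    S, T = random_affine(u, rng), random_affine(n, rng)
    F0 = delegate(F, S, T)
    for _ in range(trials):
        z = [rng.randrange(256) for _ in range(n)]
        y = vec_add(mat_vec(T[0], z), T[1])
        pipeline = vec_add(mat_vec(S[0], [eval_poly(f, y) for f in F]), S[1])
        if pipeline != [eval_poly(g, z) for g in F0]:
            return False
    return True

if __name__ == "__main__":
    print("F0* = S o F* o T consistent with direct evaluation:", check_composition())
```

The check in `check_composition` is the property a verifier of the published system relies on: the coefficients of $\bar{F}_0^*$ alone determine its value at every point, so anyone holding $(\bar{F}^*, \bar{F}_0^*)$ can evaluate both systems, while the affine pair (S, T) that links them is never derivable from the coefficients without solving the IP instance. The per-procedure costs in Table 2 (cubic in n, multiplied by u) correspond to exactly the matrix products in `compose_inside` and `compose_outside`.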

Table 2: Time Complexity and Running Time of each Procedure

Procedure                          Complexity                           Time (ms)
Delegation computation by Alice    O(3u^3 + 3n^3 + 2un^3 + qun^3)       110
Delegation computation by Bob      O(2u^3 + 2n^3 + 3un^3 + 2qun^3)      203
Generation of proxy signature      O(qun^3)                             93
Verification of proxy signature    O(3qun^3)                            266

Notation in Table 2: u is the number of polynomials in A described in Eq. (1), n is the number of variables in the polynomials, and q is the length in bits of the output of the hash function H.

Let E_1 be the event that A constructs a category A forgery, E_2 the event that A constructs a category B forgery, and E_3 the event that β guesses the correct value of i* in a category B forgery. The success probability of A is ε′ = Pr[E_1] + Pr[E_2]. Since c is hidden from A, Pr[c = 1 | E_2] = 1/2, and since i* is a uniformly random guess among the q_d delegation queries, Pr[E_3 | c = 1 ∧ E_2] = 1/q_d. The success probability of β is then

$$
\begin{aligned}
\varepsilon &= \Pr[c = 0 \wedge E_1] + \Pr[c = 1 \wedge E_2 \wedge E_3] \\
&= \tfrac{1}{2}\cdot\Pr[E_1] + \Pr[E_3 \mid c = 1 \wedge E_2]\cdot\Pr[c = 1 \mid E_2]\cdot\Pr[E_2] \\
&= \tfrac{1}{2}\cdot\Pr[E_1] + \tfrac{1}{q_d}\cdot\tfrac{1}{2}\cdot\Pr[E_2] \\
&\ge \frac{\Pr[E_1] + \Pr[E_2]}{2 q_d} = \frac{\varepsilon'}{2 q_d},
\end{aligned}
$$

where the last inequality uses q_d ≥ 1, so that 1/2 ≥ 1/(2q_d).

Since we assume that the underlying IP signature scheme is (ε, t, q_s)-secure, it follows that the proxy signature scheme is (ε′, t′, q′_d, q′_s)-secure.

6. Implementation and Performance

Our proposed scheme is implemented in the C/C++ programming language. The hardware and software of the machine used to run our program are as follows: the CPU is an Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33 GHz, the memory is 1 GB, the operating system is Windows XP, and the programming environment is Microsoft Visual Studio 2008. The parameters described in Section 2 are assigned the following values: the finite field K = GF(2^8), n = 18, u = 10, and q = 64. As mentioned in Section 5, the security level of our scheme with these parameters can be up to 2^86.59, which meets practical security requirements. The complexity and running time of each procedure are shown in Table 2. We observe that our implementation generates a proxy signature in about 93 ms, and verification of a proxy signature takes about 266 ms.

7. Conclusion

A proxy signature scheme based on the problem of Isomorphism of Polynomials (IP) is proposed, which is possibly the first proxy signature scheme based on Multivariate Public Key Cryptography (MPKC) towards provable security. The main advantage of our scheme over other proxy signature schemes should be its post-quantum feature, since MPKC and cryptosystems based on IP problems can potentially resist future quantum computing attacks. Through formal security analysis, our scheme is proved to reach Existential Unforgeability under an Adaptive Chosen Message Attack with Proxy Key Exposure, assuming that the underlying IP signature scheme is existentially unforgeable under an adaptive chosen message attack. The proposed scheme is implemented in the C/C++ programming language. The measured performance shows that our implementation runs efficiently, and the parameters we choose let the security level of our implementation reach 2^86.59, which is considered computationally secure. The method used to formally prove the security of our scheme is a valuable exploration in the area of MPKC provable security; traditionally, it has been very difficult to achieve provable security for MPKC cryptosystems.

Acknowledgment

This work is supported by the National Natural Science Foundation of China under Grant No. U1135004, 61170080 and 61202466, the Guangdong Province Universities and Colleges Pearl River Scholar Funded Scheme (2011), the Guangzhou Metropolitan Science and Technology Planning Project under Grant No. 2011J4300028, the High-level Talents Project of Guangdong Institutions of Higher Education (2012), and the Guangdong Provincial Natural Science Foundation of China under Grant No. 9351064101000003. The authors thank Ms. Li Yang and Mr. Guangdong Yang, former students of the first author, for doing the implementation to verify the applicability of our scheme.

Shaohua Tang received the B.Sc. and M.Sc. degrees in applied mathematics from South China University of Technology, China, in 1991 and 1994, respectively, and the Ph.D. degree in communication and information system from South China University of Technology in 1998. He was a visiting scholar with North Carolina State University, USA, and a visiting professor with the University of Cincinnati, USA. He has been a full professor with the School of Computer Science and Engineering, South China University of Technology, since 2004. His current research interests include multivariate public key cryptography, crypto chip design, and distributed system security. He has authored or co-authored over 90 technical papers in journals and conference proceedings. He is a member of the IEEE and the IEEE Computer Society.


Lingling Xu received the B.Sc. and M.Sc. degrees in mathematics from Shandong University, China, in 2005 and 2008, respectively, and the Ph.D. degree in communication and information system from Sun Yat-sen University, in 2011. She is currently an assistant professor with the School of Computer Science and Engineering, South China University of Technology. Her current research interests include cryptography and cloud computing.
