2004/11/23 1

On the efficiency of nonrepudiable threshold proxy signaturescheme with known signers

Source: The Journal of Systems and Software, Vol. 73, 2004, pp.507–514Author: Cheng-Ying Yang ; Shiang-Feng Tzeng ; Min-Shiang HwangAdvisor:Dr. Chang, Chin-ChenReporter:Wang, Shing-ShoungDate :2004/11/23

2004/11/23 2

Outline Review of Hsu et al.’s scheme Improvement of Hsu et al.’s scheme Security Analysis Conclusions

2004/11/23 3

Review of Hsu et al.’s scheme

system authourity,SA(1)

(t,n) proxy group(3)

original signer(2)

clerk(3)

verifier(4)

(2)

(1)

(3) (3)

(1)Secret share generation phase

(2)Proxy share generation phase

(3)Proxy signature generation phase

(4)Proxy signature verification phase

Divides the sheme into 4 phases as followung:

t:# of original signer

n:# of proxy signer

2004/11/23 4

Review of Hsu et al.’s scheme(Cont.)

System initialing: System Authority(SA) selects and publishes the follow paramete

rs: p a large prime q a large prime factor of p － 1 g a generator in GF(p) of order q h(.) a One-way hash function mw a warrant which records the identities of the original signer and the proxy signers of the proxy group, the parameters t and n, and the valid delegation time, etc. ASID (Actual Signers’ ID) the identities of the actual signers.

2004/11/23 5

Review of Hsu et al.’s scheme(Cont.) Notation: Pi each user

P0 original signer G={P1,P2,P3...,Pn} the proxy group of n proxy sig

ners.

pgy

x

v

xii

Zi

Zqi

q

mod

*

the public identifier

user i’s private key

user i’s public key

2004/11/23 6

Review of Hsu et al.’s scheme(Cont.) 1.Secret share generation phase: (1)chooses the group private key XG.

(2)computes the public key YG=gXG mod p (3)randomly generates a (t-1) polynomial f(v)= XG +a1v+a2v2+...+at-1vt-1 mod q where ai Zq(i=1,2,...,t-1) (4)for each Pi G,computes the secret share γi=f(vi) τi=gγi mod p vi:public identifier for Pi

(5)separately sends γi to Pi via a secure channel (6)publishes all τi’s

2004/11/23 7

Review of Hsu et al.’s scheme(Cont.) 2.Proxy share generation phase : (1)chooses a random integer k Z*q. and computes K=gkmod p (2)computes the proxy signature key as σ=k+x0h(mw||K)mod q (3)chooses a polynomial f(v)=σ+b1v+b2v2+...+bt-1vt-1 mod q where the random integers bj Zq(i=1,2,...,t-1) (4)publishes Bj=gbj mod p for j=1,2,...,t-1 (5)sends σi=f0(vi) to Pi via a secure channel (6)broadcasts (mw,K) to G How to verify?

Receives σi,each Pi can check the following equation:

if true,

Pi computes σi’= σi +γih(mw||K)mod q

pBKygt

j

vj

Kmh jiwi mod

1

1

)||(0

2004/11/23 8

Review of Hsu et al.’s scheme(Cont.) 3.Proxy signature generation phase : given a message m,D ={P1,P2,P3...,Pt} (1)each Pi D chooses a random integer ki Z*q and broadcasts ri=gki mod p (2)obtains all ri , si=kiR+(Liσi’+xi)h(R||ASID||m)mod q where (3)Upon receiving si, clerk checks

if it holds(ri,si) is the valid individual signature of m the proxy signature is (R,S,K,mw,ASID)

t

ji prR

1

mod

t

ijj jiji qvvvL,1

1mod))((

pyKByrg

mASIDRh

i

Lt

j

vj

Kmhi

Ri

s

i

jiwi mod)(

)||||(1

1

)||(0

t

jj qsS

1

mod

2004/11/23 9

Review of Hsu et al.’s scheme(Cont.) 4.Proxy signature verification phase:

if the proxy signature (R,S,K,mw,ASID) from m is valid.

pyYyKRgmASIDRht

ii

KmhG

Rs w mod)()||||(

1

)||(0

2004/11/23 10

Improvement of Hsu et al.’s scheme

(t,n) proxy group(2)

original signer(1)

clerk(2)

verifier(3)

(1) (2) (2)

(1)Proxy share generation phase

(2)Proxy signature generation phase

(3)Proxy signature verification phase

Divides the sheme into 3 phase as followung:

2004/11/23 11

Improvement of Hsu et al.’s scheme(Cont.) 1.Proxy share generation phase: (1)chooses a random integer k Z*q. and computes K=gkmod p (2)computes the proxy signature key as σ=k+x0h(mw||K)mod q (3)broadcasts (σ,mw,K) to G How to verify?

Check

pKyg Kmh w mod)||(0

2004/11/23 12

Improvement of Hsu et al.’s scheme(Cont.) 2.Proxy signature generation phase given a message m,D ={P1,P2,P3...,Pt} (1)each Pi D chooses a random integer ki Z*q and broadcasts ri=gki mod p (2)obtains all ri , si=kiR+(t-1σi’+xi)h(R||ASID||m)mod q where t:# of actual proxy signers. (3)Upon receiving si, clerk checks

if it holds(ri,si) is the valid individual signature of m the proxy signature is (R,S,K,mw,ASID)

t

ji prR

1

mod

pyKyrgmASIDRh

itR

is

Kwmhi mod)(

)||||(1

0

)||(

t

jj qsS

1

mod

2004/11/23 13

Improvement of Hsu et al.’s scheme(Cont.) 3.Proxy signature verfication phase (1)according to mw and ASID, we get the proxy and original signer’s public key. and know who is the original signer. (2)verify t. (3)verify the following equation:

if true the proxy signature is (R,S,K,mw,ASID) of m is valid.

pyYyKRgmASIDRht

ii

KmhG

Rs w mod)()||||(

1

)||(0

2004/11/23 14

Security Analysis Security analysis: 1.Plaintext attack 2.Conspiracy attack 3.Forgery attack given m’,ASID’,V0’

pyVRg

mASIDRht

ji

Rs mod

)||||(

10

2004/11/23 15

Conclusions The improved scheme has the same property

that any t or more proxy signers may work together to generate a valid proxy signature on behalf of the original signer.

The improved scheme also provides the ability to identity the actual proxy signers for avoiding the abuse of the signing capability.

the improved scheme satisfies the nonrepudiation property.