Upload
euphemia-cathy
View
33
Download
2
Embed Size (px)
DESCRIPTION
On the efficiency of nonrepudiable threshold proxy signature scheme with known signers. Source: The Journal of Systems and Software, Vol. 73, 2004, pp.507 – 514 Author: Cheng-Ying Yang ; Shiang-Feng Tzeng ; Min-Shiang Hwang Advisor:Dr. Chang, Chin-Chen - PowerPoint PPT Presentation
Citation preview
2004/11/23 1
On the efficiency of nonrepudiable threshold proxy signaturescheme with known signers
Source: The Journal of Systems and Software, Vol. 73, 2004, pp.507–514Author: Cheng-Ying Yang ; Shiang-Feng Tzeng ; Min-Shiang HwangAdvisor:Dr. Chang, Chin-ChenReporter:Wang, Shing-ShoungDate :2004/11/23
2004/11/23 2
Outline Review of Hsu et al.’s scheme Improvement of Hsu et al.’s scheme Security Analysis Conclusions
2004/11/23 3
Review of Hsu et al.’s scheme
system authourity,SA(1)
(t,n) proxy group(3)
original signer(2)
clerk(3)
verifier(4)
(2)
(1)
(3) (3)
(1)Secret share generation phase
(2)Proxy share generation phase
(3)Proxy signature generation phase
(4)Proxy signature verification phase
Divides the sheme into 4 phases as followung:
t:# of original signer
n:# of proxy signer
2004/11/23 4
Review of Hsu et al.’s scheme(Cont.)
System initialing: System Authority(SA) selects and publishes the follow paramete
rs: p a large prime q a large prime factor of p - 1 g a generator in GF(p) of order q h(.) a One-way hash function mw a warrant which records the identities of the original signer and the proxy signers of the proxy group, the parameters t and n, and the valid delegation time, etc. ASID (Actual Signers’ ID) the identities of the actual signers.
2004/11/23 5
Review of Hsu et al.’s scheme(Cont.) Notation: Pi each user
P0 original signer G={P1,P2,P3...,Pn} the proxy group of n proxy sig
ners.
pgy
x
v
xii
Zi
Zqi
q
mod
*
the public identifier
user i’s private key
user i’s public key
2004/11/23 6
Review of Hsu et al.’s scheme(Cont.) 1.Secret share generation phase: (1)chooses the group private key XG.
(2)computes the public key YG=gXG mod p (3)randomly generates a (t-1) polynomial f(v)= XG +a1v+a2v2+...+at-1vt-1 mod q where ai Zq(i=1,2,...,t-1) (4)for each Pi G,computes the secret share γi=f(vi) τi=gγi mod p vi:public identifier for Pi
(5)separately sends γi to Pi via a secure channel (6)publishes all τi’s
2004/11/23 7
Review of Hsu et al.’s scheme(Cont.) 2.Proxy share generation phase : (1)chooses a random integer k Z*q. and computes K=gkmod p (2)computes the proxy signature key as σ=k+x0h(mw||K)mod q (3)chooses a polynomial f(v)=σ+b1v+b2v2+...+bt-1vt-1 mod q where the random integers bj Zq(i=1,2,...,t-1) (4)publishes Bj=gbj mod p for j=1,2,...,t-1 (5)sends σi=f0(vi) to Pi via a secure channel (6)broadcasts (mw,K) to G How to verify?
Receives σi,each Pi can check the following equation:
if true,
Pi computes σi’= σi +γih(mw||K)mod q
pBKygt
j
vj
Kmh jiwi mod
1
1
)||(0
2004/11/23 8
Review of Hsu et al.’s scheme(Cont.) 3.Proxy signature generation phase : given a message m,D ={P1,P2,P3...,Pt} (1)each Pi D chooses a random integer ki Z*q and broadcasts ri=gki mod p (2)obtains all ri , si=kiR+(Liσi’+xi)h(R||ASID||m)mod q where (3)Upon receiving si, clerk checks
if it holds(ri,si) is the valid individual signature of m the proxy signature is (R,S,K,mw,ASID)
t
ji prR
1
mod
t
ijj jiji qvvvL,1
1mod))((
pyKByrg
mASIDRh
i
Lt
j
vj
Kmhi
Ri
s
i
jiwi mod)(
)||||(1
1
)||(0
t
jj qsS
1
mod
2004/11/23 9
Review of Hsu et al.’s scheme(Cont.) 4.Proxy signature verification phase:
if the proxy signature (R,S,K,mw,ASID) from m is valid.
pyYyKRgmASIDRht
ii
KmhG
Rs w mod)()||||(
1
)||(0
2004/11/23 10
Improvement of Hsu et al.’s scheme
(t,n) proxy group(2)
original signer(1)
clerk(2)
verifier(3)
(1) (2) (2)
(1)Proxy share generation phase
(2)Proxy signature generation phase
(3)Proxy signature verification phase
Divides the sheme into 3 phase as followung:
2004/11/23 11
Improvement of Hsu et al.’s scheme(Cont.) 1.Proxy share generation phase: (1)chooses a random integer k Z*q. and computes K=gkmod p (2)computes the proxy signature key as σ=k+x0h(mw||K)mod q (3)broadcasts (σ,mw,K) to G How to verify?
Check
pKyg Kmh w mod)||(0
2004/11/23 12
Improvement of Hsu et al.’s scheme(Cont.) 2.Proxy signature generation phase given a message m,D ={P1,P2,P3...,Pt} (1)each Pi D chooses a random integer ki Z*q and broadcasts ri=gki mod p (2)obtains all ri , si=kiR+(t-1σi’+xi)h(R||ASID||m)mod q where t:# of actual proxy signers. (3)Upon receiving si, clerk checks
if it holds(ri,si) is the valid individual signature of m the proxy signature is (R,S,K,mw,ASID)
t
ji prR
1
mod
pyKyrgmASIDRh
itR
is
Kwmhi mod)(
)||||(1
0
)||(
t
jj qsS
1
mod
2004/11/23 13
Improvement of Hsu et al.’s scheme(Cont.) 3.Proxy signature verfication phase (1)according to mw and ASID, we get the proxy and original signer’s public key. and know who is the original signer. (2)verify t. (3)verify the following equation:
if true the proxy signature is (R,S,K,mw,ASID) of m is valid.
pyYyKRgmASIDRht
ii
KmhG
Rs w mod)()||||(
1
)||(0
2004/11/23 14
Security Analysis Security analysis: 1.Plaintext attack 2.Conspiracy attack 3.Forgery attack given m’,ASID’,V0’
pyVRg
mASIDRht
ji
Rs mod
)||||(
10
2004/11/23 15
Conclusions The improved scheme has the same property
that any t or more proxy signers may work together to generate a valid proxy signature on behalf of the original signer.
The improved scheme also provides the ability to identity the actual proxy signers for avoiding the abuse of the signing capability.
the improved scheme satisfies the nonrepudiation property.