Proc. of Int. Conf. on Recent Trends in Information, Telecommunication and Computing, ITC
Digital Signature based Proxy Multi-Signature Scheme Sivashankari.R1 , Hariharan.R2 and Piyush Singhai3 Assistant Professor1, SITE, VIT University, Vellore,Tamilnadu - 632014, India Email: sivashankari.r@vit.ac.in Assistant Professor2, AMCET, Vellore Tamilnadu - 632517, India Email: rhariharan88@yahoo.com Knowlarity Communications3 Private Limited Email: singhai.piyush@gmail.com
Abstract— A Proxy signature scheme enables a proxy signer to sign a message on behalf of the original signer. In this paper, we propose ECDLP based solution for chen et. al [1] scheme. We describe efficient and secure Proxy multi signature scheme that satisfy all the proxy requirements and require only elliptic curve multiplication and elliptic curve addition which needs less computation overhead compared to modular exponentiations also our scheme is withstand against original signer forgery and public key substitution attack. Index Terms— ECC, ECDLP, Proxy signature, digital signature, Proxy multi-signature and cryptography.
I. INTRODUCTION A signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. A digital signature allows an entity, called the designator or original signer, to generate a signature on any message using his private key such that the receiver can verify the validity of the signature and authentication of the signer using signer’s certified public key. But in the case of absence of original signer, digital signature schemes are not applicable. Proxy signature schemes[15] were proposed to address the problem in traditional signature schemes. Proxy signature allows the original signer to delegate his signing power to a person called proxy signer who can replace the original signer, in case of say, temporal absence, lack of time or computational power, etc. Then the verifier can check the validity of signature, identity of the proxy signer and the original signer’s agreement using original signers, proxy signer’s certified public keys. Proxy signatures have been used in numerous practical applications, like e-commerce, electronic agreement, mobile agents, mobile communications, distributed computing, electronic voting, etc.The concept of proxy signature [Figure 1] was first proposed in 1996 by Mambo et. al [2]. Based on the delegations types, they classified proxy signature into full delegation, partial delegation and, delegation by warrant schemes. In a full delegation, As name implies, the complete delegation (the private key of original signer) is transferred to proxy signer. So a signature by proxy signer is indistinguishable from that created by an original signer. In a Partial delegation. A new secret key (proxy signature key) is computed by the original signer using his private key. Using this secret key, the proxy signer can generate a proxy signature on any message. For security requirements, it is computationally infeasible for the proxy signer to derive the original signer’s private key from the proxy signature key. However, in such schemes the range of messages a proxy signer DOI: 02.ITC.2014.5.57 © Association of Computer Electronics and Electrical Engineers, 2014
can sign is not limited. This weakness eliminated by warrant schemes so using delegation by warrant specifies the types of messages, delegation period and identity of signer (proxy or original), etc. In paper [3] they mention two kinds of proxy signature schemes[13] depending on whether the original signer can generate the same proxy signature as the proxy signers do. The one is proxy-unprotected and other is proxy protected in which anyone else, including the original signer, cannot generate the same proxy signatures. This difference is important in practical applications and this thing also avoids potential disputes between the original signer and proxy signer. After the Mambo’s scheme [2] that is one to one i.e. one original signer and one proxy signer there are so many proxy signature scheme have been proposed [4]. To meet the requirements of various rapidly growing applications, different types of proxy signature schemes[11] have been evolved. Those are threshold proxy signatures, nominative proxy signatures, onetime proxy signatures, multi-proxy signatures, proxy multisignatures, proxy blind signatures, etc. Unlike one to one scheme the proxy multi-signature scheme proposed by Yi et al’s [5] allows two or more original signers to delegate his signing power to single proxy signer to sign the messages for all original signers. Yi et al’s [5] proposed two types of proxy multi-signature scheme one is Mambo like proxy multi-signature scheme and another is Kim like proxy multisignature scheme. Sun et. al [6] showed that both scheme are insecure. The Mambo-like proxy multi-signature scheme in [5] suffers from the public key substitution attack easily. The Kimlike proxy multi-signature scheme in [5] suffers from a kind of direct forgery. After that Sun et. al [6] proposed two proxy multi-signature schemes one is Proxy protected proxy multisignature scheme (Mambo like) and another is Proxy unprotected proxy multi-signature scheme (Kim like). Between these two schemes, one scheme provides the protection for proxy signers while another scheme does not. In these schemes, the secure channel is not necessary. However, Sun et. al [6] and Yi et al [5] schemes have the common disadvantage that is size of the proxy signature depend on the number of original signers and both schemes involve exponential operation to verify proxy signature. To overcome this problem chen et. Al [1] proposed a new scheme. In [1] another solution for preventing Public key substitution attack and for original signer forgery is proposed. [1] Describes the DLP based solution for proxy multisignature scheme. This solution has several advantages. One is that it provides the fair protection for both original signer and proxy signer. In [1] scheme, the proxy signer must obtain the authorization of the original signers during the generation of common certificate and original signer also need to help the proxy signer to generate the common certificate. The proxy signature is generated by the proxy signer’s private key so the the original signer cannot forge the proxy signature alone. Therefore the original signer and the proxy signer have the fair protection. One more advantage is that proxy signer participates the generation of the common certificate. In this scheme, verifier checks the validity of the common certificate before the verification of proxy multisignature and the verifier consequently identifies the mistake caused by the common certificate or the proxy signature.
Fig 1. Proxy signature scheme
On the basis of [1] we are going to propose new type of proxy multisignature scheme and that will be based on ECDLP. Our proposed scheme don’t require any modular exponentiations, requires elliptic curve multiplications and additions. Compared to the DLP based cryptosystems[14], ECC provides same security with minimal key lengths and requires less storage requirements. According to [7] EC multiplication and EC additions requires less computational time overhead compared to modular exponentiation. Hence, our proposed scheme requires minimal execution times compared to [1] scheme and having same advantages. In this paper we propose an efficient and secure proxy multisignature scheme and analyze the security of the scheme. We show that our schemes are secure against the original signers forgery and public key substitution attack. The rest of the paper is organized as follows. Section 2 we show the proxy requirements and security assumptions. Section 3 introduce the chen et. al [1] proxy multi signature scheme [Figure 1]. In section 4 we show our proxy multi signature [Figure 2] propose scheme and analyze its security and efficiency. Finally, section 5 discusses some application. 307
II. PRELIMINARIES A. Proxy Requirements In 1996, Mambo, Usuda and Okamoto [2] first addressed the basic properties that a proxy signature scheme for partial delegation should satisfy and defined them as follows: • Verifiability • Identifiably • Unforgeability • Undeniability • Prevention of misuse B. Security assumption The proxy multi signature scheme [Figure 2] in this paper is based on some security assumption. • Elliptic curve Discrete logarithm Problem (ECDLP): Consider the equation Q = kP where Q, P, Ep(a; b) and k < p. It is relatively easy to calculate Q given k and P, but it is relatively hard to determine k given Q and P. This is called the discrete logarithm problem for elliptic curves. III. CHEN ET. AL SCHEME In this scheme, p and q are two prime numbers such that q is a large prime factor of p-1. The generator g with order q in Z*p. This scheme also involves three parties: original signers Ui 1 ≤ i ≤ n , proxy signer U0 and verifier v. The original signer Ui has his private key xi and public key yi = gxi mod p. On the other hand proxy signer U0 also selects his private key x0 and public key y0= gx0 modp. The function h is a cryptographic hash function and we are using mw as a message warrant that contain the id’s of all original signers and proxy signer, and the public keys of the signers etc. This scheme also contains three phases, the common certificate generation phase, the proxy multisignature phase and the proxy multisignature verification phase. A. The common certificate generation phase In this phase all the original signers and the proxy signer cooperatively generate the proxy certificate. Steps for generation of proxy certificate as follows: Each signer Ui first selects a random number ki∈Z*p. • Then each signer calculate Ki= gki mod p and broadcast Ki to all signers including proxy signer. • Each signer calculates K = ∏ i mod p for i = 0,1, 2, 3,........, n. • Now each signer Ui calculates vi = h(mw)xiyi +ki k mod q and broadcast vi to all signers including proxy signer. • Each signer Ui verifies the correctness of vi by the equation gvi ≡ yih(mw)yi Kik mod p. Now the proxy signer computes V = ∑ i mod q. Finally, n original signer have authorized the proxy signer U0. The proxy certificate is (K, V ).
Fig 2. Multi Signature
308
B. The Proxy multisignature generation phase Suppose proxy signer U0 wants to generate the proxy signature on a message m on behalf of the n original signers[12]. The proxy signer selects an random number t ∈ Z*p. Then proxy signer computes r = gt mod p. Now proxy signer calculates s satisfying s = Vt + x0h(m)r mod q. Finally the proxy signature of the message m is (r,ss). • The proxy signer sends the (m, (r, s), m, (K, V )). C. The Proxy multisignature verification phase After re-ceiving (m, (r, s), mw, (K, V )) the verifier verifies the proxy multisignature in two stage. Step 1: Verifier first checks the mw, then verify the proxy certificate (K, V ) using following equation g V yi h(m ) K ≡ (∏ i ) w K mod p. Step 2 : The verifier v checks the signature (r, s) using following equation gs ≡ rVy0hmrmod p IV. OUR DIGITAL SIGNATURE BASED PROXY MULTI-SIGNATURE SCHEME The proposed scheme is independent to the number of original signer and we are also using the merits of ECC so the overhead of computation and communication cost due to modular exponential operation also reduced. Our scheme also secure against original signer forgery attack and public key substitution attack. This scheme also involves three parties: original signers Ui , 1 ≤ i ≤ n , proxy signer U0 and verifier v. All original signers and the designated proxy signer are authorized to select their own individual secret keys. All original signer and proxy signer randomly selects a number di ∈ [1, t─1] this number is his private key and then using this they calculate public key that is Qi = di × B = (xQi,yQi). If xQi ≠ 0, di is the secret key and Qi is the public one. The function h is a cryptographic hash function and we are using m w as a message warrant that contain the id’s of all original signers and proxy signer, and the public keys of the signers etc. This scheme also contains four phases, System initialization phase, the common certificate generation phase, the proxy multisignature phase and the proxy multisignature verification phase. A. System initialization phase The following parameters over the elliptic curve domain must be known Fp : A field size p(a large prime number of 512 bits). E : An elliptic curve of the form (y2 ≡ x3 +ax+b mod p) over Fp, where a, b ∈ Fp such that 4a3 + 27b2 ≠ 0(mod p) represents a set of points (x, y) ∈ Fp × Fp which satisfy E and with an additional point called point at infinity O. The cardinality of E should be divisible by a large Prime number because of the issue of security raised by Pohlig and Hellman [8]. B : (B ≠ O) A finite point on E with an order t (a large prime number). Table I is an example of calculating elliptic curve . TABLE I. E(1,1):Y2 =X3 +X+1 MOD 23 (0,1)
(6,4)
(0,22)
(6,19)
(12,19) (13,7)
(1,7)
(7,11)
(13,16)
(1,16)
(7,12)
(17,3)
(3,10)
(9,7)
(17,20)
(3,13)
(9,16)
(18,3)
(4,0)
(11,3)
(18,20)
(5,4)
(11,20)
(19,5)
(5,19)
(12,4)
(19,18)
B. The common certificate generation phase In this phase all the original signers and the proxy signer cooperatively generate the proxy certificate. Steps for generation of proxy certificate as follows: • Each signer Ui first selects a random number ki ∈ {1, 2, 3, . . . ,t ─ 1}, where t is the order of elliptic curve. • Then each signer calculate Ki = ki × B and broadcast Ki to all signers including proxy signer. 309
Each signer calculates K i = â&#x2C6;&#x2018; i mod p = (XK,YK) for i = 0, 1, 2, 3, . . . , n. Now each signer Ui calculates vi = h(mw)diXQi + ki XK and broadcast vi to all signers including proxy signer. â&#x20AC;˘ Each signer Ui veriďŹ es the correctness of v by the equation vi Ă&#x2014; B = h(mw)QiKQi + KiXK. â&#x20AC;˘ Now the proxy signer computes V Finally, n original signer have authorized the proxy signer U0. The proxy certiďŹ cate is (K, V ).
â&#x20AC;˘ â&#x20AC;˘
C. The Proxy multisignature generation phase Suppose proxy signer U0 wants to generate the proxy signature on a message m on behalf of the n original signers. â&#x20AC;˘ The proxy signer selects an random number l â&#x2C6;&#x2C6; {1, 2, 3, . . . , t â&#x201D;&#x20AC; 1}. â&#x20AC;˘ Then proxy signer computes r = l Ă&#x2014; B mod p =(Xr,Yr). â&#x20AC;˘ Now proxy signer calculates s satisfying = Vh(mw) + tXQ0 + d0h(m,mw)Xr. Finally the proxy signature of the message is (r,s). â&#x20AC;˘ The proxy signer sends the (m, (r, s), mw, (K, V )). D. The Proxy multisignature veriďŹ cation phase After re-ceiving (m, (r, s), mw, (K, V )) the veriďŹ er veriďŹ es the proxy multisignature in two stage. Step 1: VeriďŹ er ďŹ rst checks the mw, then verify the proxy certiďŹ cate (K, V ) using following equation V Ă&#x2014; B = h(mw)â&#x2C6;&#x2018; Qi + KXK. Step 2: The veriďŹ er v checks the signature (r, s) using following equation s Ă&#x2014; B = (h(mw)â&#x2C6;&#x2018; Qi + KXK ) h(mw) + rXQ0 + Q0h(m, mw)Xr. V. SECURITY ANALYSIS AND D ISCUSSIONS Let us ďŹ rst consider the security of Proxy certiďŹ cate (K, V ). The proxy certiďŹ cate (K, V) is actually a digital multisignature so it is very hard to forge without knowing the private key of original signers and proxy signer. Now let us talk about public key substitution attack, suppose any signer Un wants to generate the proxy certiďŹ cate alone. Because he does not know the private key of any signer so the possible attack is to construct a public key Qâ&#x20AC;&#x2122;n such that Îą Ă&#x2014; B = â&#x2C6;&#x2018; iXQi + Qâ&#x20AC;&#x2122;nXQâ&#x20AC;&#x2122;n mod p
where Îą is a random number. Then by using Îą and Qâ&#x20AC;&#x2122;n as his private key and public key respectively he is able to generate the proxy certiďŹ cate without agreement of the other signers. However it is hard to ďŹ nd Qâ&#x20AC;&#x2122;n iXQi mod p. If the value of Qn is determine ďŹ rst then and Îą that satisfy the equation Qâ&#x20AC;&#x2122;nXQĘšn = Îą Ă&#x2014; B - â&#x2C6;&#x2018;
ďŹ nding Îą is Elliptic curve Discrete logarithm problem that is extremely hard problem. So public key substitution attack is not possible in our case. Now we are going to discuss the security of proxy signature (r, s). The proxy signature is actually a digital signature so it is hard to forge (r, s) without knowing the private key of proxy signer. The attacker has to ďŹ rst overcome the difďŹ culty to forge the proxy certiďŹ cate. According to the above discussion related to security of (K, V), no one can forge (K, V) without the agreement of the proxy signer. Now security of (r, s) that is dependent on the equation s Ă&#x2014; B = (h(mw)â&#x2C6;&#x2018; Qi + KXK ) h(mw) + rXQ0 + Q0h(m,mw)Xr. So the proxy multisignature can be generated by the signer who owns the private key d0 . So the original signer can not forge the prosy signature that means our scheme is protected from original signer forgery. Hence both proxy signers and original signers obtain the protection in our scheme. There are many advantages in our scheme. First it provides fair protection for both original signer and proxy signer and size of the proxy signature is not dependent to the number of original sign er. Since the size of the proxy certiďŹ cate is ďŹ xed ,the storage and communication cost are reduced. In [1] scheme they have given solution for public key substitution attack and original signer forgery attack. On the basis of [1] we have given the solution based on Elliptic curve and our solution is more efďŹ cient then his solution because our proposed scheme dont require any modular exponentiations, requires elliptic curve multiplications and additions. Compared to the DLP based cryptosystems[14], ECC provides same security with minimal key lengths and requires less storage requirements. One more advantage is that our scheme does not need any secure channel. The proxy certiďŹ cate (K, V) can directly transmitted to the proxy signer. Due to the security analysis of the proxy signature, nobody has the ability to create the proxy signature by only using the common certiďŹ cate.
310
VI. CONCLUSION We have proposed a proxy multi signature scheme based on elliptic curve cryptosystem[14] (ECC). The proposed scheme is secure then Tzer-Shyong Chen [9], Kuo-Hsuan et. als [10] and Sun’s scheme [6] and computation cost is independent of the number of original signers. Our scheme uses Diffie-Hellman for sending the sub delegation parameter and we are not using any encryption and decryption method for sending parameter. So we also reduce the cost of encryption and decryption. Besides this our scheme is able to withstand the public key substitution attack and original signer forgery attack. REFERENCES [1] Chiu-Chin Chen, “The group-oriented design on proxy signature schemes”, 2002. [2] Masahiro Mambo, Keisuke Usuda, and Eiji Okamoto, “Proxy signatures for delegating signing operation”, in Proceedings of the 3rd ACM Conference on Computer and Communications Security, Clifford Neuman, Ed., New Delhi, India, Mar. 1996, pp. 48–57, ACM Press. [3] Byoungcheon Lee Nonmember and Kwangjo Kim Member, “Strong proxy signatures”, Dec. 13 1999. [4] S. Kim, S. Park, and D. Won, “Proxy signatures, revisited”, in Proc. 1st International Information and Communications Security Conference, 1997, pp. 223–232. [5] G. Xiao L. Yi, G. Bai, “Proxy multi-signature scheme: a new type of proxy signature scheme”, in Electronics Letters 36, 2000. [6] H.M. Sun, “On proxy multi-signature schemes”, in Proceedings of the International Computer Symposium,, 2000, pp. ‘65–72. [7] Koblitz, Menezes, and Vanstone, “The state of elliptic curve cryptography”, IJDCC: Designs, Codes and Cryptography, vol. 19, 2000. [8] Pohlig and Hellman, “An improved algorithm for computing logarithms over GF(p) and its cryptographic significance”, IEEETIT: IEEE Transactions on Information Theory, vol. 24, 1978. [9] Tzer-Shyong Chen, Yu-Fang Chung, and Kuo-Hsuan Huang, “A traceable proxy multisignature scheme based on the elliptic curve cryptosystem”, Applied Mathematics and Computation, vol. 159, no. 1, pp. 137–145, Nov. 2004. [10] Chien-Lung Hsu, Tzong-Sun Wu, and Wei-Hua He, “New proxy multisignature scheme”, Applied Mathematics and Computation, vol. 162,no. 3, pp. 1201–1206, Mar. 2005. [11] Je Hong Park, Bo Gyeong Kang, and Sangwoo Park, “Cryptanalysis of some group-oriented proxy signature schemes”, in WISA, JooSeok Song, Taekyoung Kwon, and Moti Yung, Eds. 2005, vol. 3786 of Lecture Notes in Computer Science, pp. 10–24, Springer. [12] Jianying Guilin Wang, Feng Bao and Robert H. Deng, “Proxy signature scheme with multiple original signers for wireless e-commerce applications”, Infocomm Security Department, Institute for Infocomm Research (I2R) 21 Heng Mui keng terrace, Singapore 119613, 2004, IEEE. [13] Feng Cao and Zhenfu Cao, “Cryptanalysis on a proxy multi-signature scheme”, in IMSCCS (2), Jun Ni and Jack Dongarra, Eds. 2006, pp. 117–120, IEEE Computer Society. [14] Tzer-Shyong Chen, Yu-Fang Chung, and Gwo-Shiuan Huang, “Efficient proxy multisignature schemes based on the elliptic curve cryptosystem”, Computers & Security, vol. 22, no. 6, pp. 527–534, 2003. [15] Yumin Yuan, “Improvement of hsu-wu-he’s proxy multi-signature schemes”, in Secure Data Management, Willem Jonker and Milan Petkovic, Eds. 2005, vol. 3674 of Lecture Notes in computer Science, pp. 234–240, Springer.
311