identity-based threshold signature and mediated proxy signature schemes
TRANSCRIPT
THE JOURNAL OF CHINA UNIVERSITIES OF POSTS AND TELECOMMUNICATIONS Volume 14, Issue 2, June 2007
YU Yong, YANG Bo, SUN Ying
Identity-based threshold signature and mediated proxy
signature schemes CLC number TN 918.1 Document A
Abstract Proxy signature schemes allow an original signer to delegate his signing rights to a proxy signer. However, many proxy signahire schemes have the defect which is the inability to solve the proxy revocation problem. In this article, we firstly propose an identity-based threshold signature scheme and show that it has the properties of unforgeability and robustness. In our threshold signature scheme, we adopt such a method that the private key associated with an identity rather than the master key is shared. Then, based on the threshold signature scheme, an identity-based mediated proxy signature scheme is proposed where a security mediator (SEM) is introduced to help a proxy signer to generate valid proxy signatures, examine whether a proxy signer signs according to the warrant, and check the revocation of a proxy signer. It is shown that the proposed scheme satisfies all the security requirements of a secure proxy signature. Moreover, a proxy signer must cooperate with the SEM to generate a valid proxy signature, which makes the new scheme have an effective and fast proxy revocation .
Keywords identity-based, threshold signature, mediated proxy signature, bilinear pairings
1 lntroductlon
Identity based (ID-based) cryptosystems [ 13 were introduced by Shamir in 1984. The main idea of such systems is that each user uses his identity information such as name, telephone number or email address as his public key. In other words, a user’s public key can be calculated directly from his identity rather than being extracted from a certificate issued by a certificate authority. ID-based systems enable any pair of users to communicate securely without exchanging public key certificates, without keeping a public key directory, and without using online service of a third party, as long as a trusted private key generator (PKG) issues a private key
Received date: 2006-09-1 8 YU Yong (CZ). YANG Bo State Key laboratory of ISN, Xidian University, Xi’an 710071, China E-mail: yuyorlg (@mail.xidian.edu.cn
YANG 00, SUN Ying College of information, South China Agricultural University, Guangztiou 5 10642, China
Article ID 1005-8885 (2007) 02-0069-06
corresponding to each user’s identity when he f i s t joins the network. Therefore, ID-based systems may be a good alternative for certificate-based systems from the viewpoint of efficiency and convenience. Since Boneh and Franklin gave a practical ID-based encryption scheme [2] from Weil pairing in 2001, several ID-based signature schemes such as Refs. [3,4] have been proposed.
The idea of threshold cryptography is to distribute the secret information (i.e., a secret key) and computation (i.e., decryption or signature operation) among multiparties in order to prevent a single point of failure or abuse. For example, let Alice be the president of a committee, she shares her power of signing (or decrypting) among a number of servers in such a way that only more than a certain number of secret shares can be used to sign a message or decrypt a ciphertext on behalf of her. There are plenty of researches on threshold cryptographic schemes under certificate-based public key setting [5-81.
In 1996, Mambo et al. [9] first introduced the concept of proxy signature. In a proxy signature scheme, an original signer is allowed to delegate his signing power to a designated person, called the proxy signer and the proxy signer is able to sign messages on behalf of the original signer. The revocation of delegated rights is an essential issue of a proxy signature scheme. For instance, the employee of a company assigns his secretary to sign contracts on behalf of him. The secretary, however, may change her position in the company. Therefore, the proxy revocation, i.e. the revocation of delegated rights is needed and it is important for the situation where the delegated rights are abused. It may also happen that the original signer wants to terminate the delegated rights before the expiration of the delegation period. However, most existing schemes have the following two weaknesses. First, the declaration of a valid delegation period in the warrant is useless because the proxy signer can still create a proxy signature and claim that his signing was done during the delegation period even if the delegation period has expired. Second, even an original signer wants to revoke the delegation earlier than his plan, the original signer can do nothing. Therefore, most existing proxy signature schemes cannot provide the proxy revocation properly. Seo et al. [ 101 recently
70 The Journal of CHUPT 2007
proposed a proxy signature scheme with fast revocation, but the scheme is based on Schnorr signature [ 1 I], not ID-based.
Our contributions: recently, Cheng et al. [12] proposed an D-based threshold signature scheme where the master key is shared in the private key distribution protocol. This method is inefficient. We propose a new identity-based threshold signature scheme, where we adopt such a method that the private key associated with an identity rather than the master key is shared. Then, based on the ID-based threshold signature scheme an ID-based mediated proxy signature scheme is proposed, in which the proxy signature generation can be viewed as the (2,2) threshold version of our ID-based (t,n)
threshold signature.
2 Blllnear palrlngs
Let GI be a cyclic additive group generated by P , whose order is a prime q, and G2 be a cyclic multiplicative group of
the same order q. Let a, b be elements of Zi and
C; = GI \ { 0} where 0 is the identity element of the group GI . We assume that the discrete logarithm problem in both Gl and G, is hard. A bilinear pairing is a map e : G, X G, + G2
with the following properties: I ) Bilinear: e(aP,bQ) =e(P,Q)uh for all P , QE GI.
2) Non-degenerate: there exists P , Q G GI such that
3) Computable: for all P, Q E GI , there is an efficient e ( P , Q ) f 1.
algorithm to compute e (P , Q ) .
8 ID4tawd threshold rlgnature scheme and security analyds
In this section, we propose an ID-based threshold signature scheme and give the security analysis of the scheme. The underlying signature scheme is a variant of Hess's ID-based signature 141, and the security proof of the variant scheme has been given in Ref. [121.
3.1 ID-based threshold signature scheme
The JD-based (t,n) threshold signature scheme is described
as follows: 1 ) Setup: given a security parameter k , the PKG chooses
groups GI and G, of prime order q, a generator P of G, , a
bilinear map e : GI x G, + G, , and hash functions H , : (0, 1)'
-+ GI and H, : {O, 1)' + Z,' . It chooses a master key s E Zd
and computes P,,,, = s P . The PKG publishes system's
parameters {GI, G,, e, P , P,,,,, HI, H,, H, l .
2) Private key extraction and distribution: given an identity ID, the PKG computes Q,=H, ( ID) and the private key S, = sQ, . Then the PKG plays the role of the trusted dealer. The PKG generates n shares (Si}i=l, 2, ,,,, of S , and
sends the share Si to the signer < via a secure channel for i = l , 2, ..., n . The PKG performs the following distribution protocol.
a) The PKG chooses 4 , F,,...,&-, uniformly at random
from Gl* , constructs a polynomial F(x ) = S, + xF, +... + X'-'F,-~ , and computes S, = F ( i ) for i = I, 2 ,.... n . Note that
S,=S,.
b) The PKG sends Si to the player r: for i = 1, 2, ..., n secretly, and broadcasts a. = e( P , S,) and aJ = e( P , F I ) for j=1, 2 ,..., t-1.
The values aj for j = O , 1, ..., t-1 as verification keys
can be used to check the validity of each share S, for i = 1, 2 ,..., n . Each party I: can verify whether its share S,
is valid or not by checking if e (P ,S i ) = nd( holds. If the
equation holds, the share Si is valid. Otherwise, broadcasts that an error has been found, publishes S, and
then requests a valid one. 3) Threshold signature generation: from the definition of
threshold scheme, any t (1dtdn) or more players can jointly
generate a signature. Without loss of generality, we assume that 4, 4, ...,C are the t players to join the signing on message m , In addition, a player will be randomly selected from {q}lGiG, as a designated clerk, who is responsible for collecting and verifying the partial signature, and then computing the final signature. The steps are as follows.
a) Each player 4 chooses xi E Zl , computes U, = x,P
1-1
j = O
and sends Ui to the clerk.
b) The clerk computes U = k U i and h= H,(rn, U ) , i = l
broadcasts h to { 4 I l Q L g r . c) Each player r: computes his partial signature
V , =xicub +ha@, and sends it to the clerk, where
q = fi 2- . . denotes the Lagrange coefficient. ]=I, j t i 2 - J
After the clerk receives V, , he can verifies its validity by
checking if e (P , q)=e(U/ , , <ub)(nay)h4 holds. If all the
individual signatures are valid, the clerk computes V = .
Otherwise, the clerk rejects it and requests a new one. The
1-1
j - 0
1
i=l
No. 2 YU Yong, et al.: Identity-based threshold signature and mediated proxy signature schemes 71
final threshold signature on message rn is o = ( U , V ) . 4) Threshold signature verification: after receiving O=
( U , V ) , the verifier computes h = H,(rn, U ) and accepts the
signature if e ( P , V) = e ( U , P,,)e(P,,, Q,)h ; otherwise,
rejects it.
3.2 Security analysis
The correctness of the scheme is obvious. To analyze the security, the properties of robustness and unforgeability of the scheme should be considered.
Definition 1 An adversary chooses the players he wants to corrupt in advance. Here, corruption means that the adversary can manage to know the private keys of the corrupted players. Unforgeability means that an adversary, even if having corrupted t-1 players, cannot produce a valid signature ( m , o ) , where m is a message having never been signed
signer by the signers. Definition 2 Robustness means that even t - 1 corrupted
cooperated malicious players cannot prevent it from generating a valid signature, where nB2t -1.
Definition 3 A threshold signature scheme is called secure if it has the properties of robustness and unforgeability.
Theorem 1 The proposed threshold signature scheme has the property of robustness.
Proof The final threshold signature is reconstructed from at least t partial signatures. The clerk first verifies all the partial signatures and then chooses the valid ones to reconstruct a threshold signature. Even if having corrupted t - 1 players, since there is no way to get the tth valid partial signature, the adversary still cannot produce a valid threshold signature. Only the clerk can get t partial signatures, thus can produce a valid threshold signature.
In order to prove the unforgeability of the scheme, we use the method given by Gennaro et al. [13] which indicates that a threshold signature is unforgeable if the underlying signature is secure and the threshold signature is simulatable.
Definition 4 A threshold signature scheme is simulatable if the private key generation and distribution protocol and threshold signature generation protocol are both simulatable.
Theorem 2 The proposed threshold signature scheme is simulatable.
Proof The private key generation and distribution protocol in our scheme is Baek and Zheng’s pairing-based verifiable secret sharing scheme, whose security proof can be found in Ref. [14]. In the following, we will show that the threshold signature generation protocol is simulatable. Let Th-Sig-Gen denote the threshold signature generation protocol. We assume that an adversary F has corrupted up to 2 - 1 players 4, P *,..., t-, . The only uncorrupted honest signer is 4. The
view of the adversary F consists of the system parameters, a message rn, the private keys of the corrupted signers S,, S, ,..., S,-, , and the signature o = (U,V) . To prove that the
threshold signature generation protocol is simulatable, we should construct a simulator SIM to simulate Th-Sig-Gen. SIM’s inputs are the system parameters, the private keys S,, S, ,..., SL-l of the corrupted signers, the message rn , and
the signature o = (U,V) . SIM chooses randomly X:E Z,*
( l< i<t - l ) , computes Ut’=x:P, h = H , ( m , U ) and y‘= x&, + h q S , . 4’s partial signature on rn is 4 = (Ut’,V,’) ( 1 6 i d t - 1 ) . The information produced by SIM is
computationally indistinguishable from that of the view of the adversary F, because x, and x: are both chosen randomly
from Z i and obviously, they have the same distribution.
Therefore, U,, V,, U,’ and V,‘ are all random elements of G I . As a result, O, and 4 have the same probability
distribution and we can conclude that SIM simulates Th-Sig-Gen perfectly.
3.3 Efficiency
We compare our signature scheme with Cheng et al. [12] scheme from computation overhead view point. We only consider two expensive cryptology operations and denote PA as the pairing operation and PM the point scalar multiplication on G, . We summarize the result in Table 1.
Table 1 Comparison of our scheme and Cheng et al. scheme Schemes Private key extraction Threshold Threshold
signature signature generation verification
Proposed (n(f-l)+l) PM+(n+r) PA 31 PM+2rPA 2 PA+1 PM Cheng et al. [12] n(t+l) PM+h PA 31 PM+31 PA 3 PA
Note that the computation of the pairing is the most time-consuming, e.g. it requires a 1 GHz Pentium 111 processor 581 ms to compute a Tate pairing defined on elliptic curve y = x - x + 1 over F,,,, . From the table we can see that our
scheme requires less pairing computations than Cheng et al. scheme and therefore, our scheme is much more efficient.
2 3
4 ID-Based medlated proxy signature scheme and secum analysls
4.1 IDBased mediated proxy signature scheme
In this section, we propose an ID-based mediated proxy signature scheme. There are a verifier and three main participants: an original signer, a proxy signer, and a SEM [15]. Anyone can be a verifier of the proxy signature. The SEM is an online partially trusted server who has
72 The Journal of CHUPT 2007
responsibilities for verifying a proxy warrant and issuing a partial proxy token. Through the verification phase of the proxy warrant, the SEM confims whether the period of delegation is valid and the identity of the proxy signer exists on the revocation list or not. And then, the SEM issues the partial proxy token only if above conditions are satisfied. Without this token, the proxy signer cannot generate a proxy signature on messages. So, he cannot claim that his signing was done during the delegation period if the delegation period has expired. Moreover, our ID-based proxy signature scheme can perform the immediate revocation. If the original signer wants to revoke the delegation before an expiration date, he only instructs the SEM to stop issuing the token for the proxy signer. Therefore, we can solve the two weaknesses of proxy signature schemes described in Sect. 1. The proposed scheme is constructed as follows:
1) Setup: sharing the same parameters with the proposed ID-based threshold signature scheme.
2) Extract: given an identity ID , the PKG computes Q, = H,(ID) and the private key S, = sQ, . Suppose the original signer Alice's public key and private key are QA and
S, , proxy signer Bob's public key and private key are QB and S, , and SEM's public key and private key are Q, and
ss ' 3) Mediated proxy key generation: to delegate the signing
power to the proxy signer Bob, the original signer Alice follows the steps below to generate the signed warrant w and then, Bob and the SEM compute their proxy signing keys respectively. The warrant w specifies the delegation period, the kind of messages to be delegated, and the identity information of the original signer and the proxy signer, etc.
a) Alice chooses x,, xz from Z i randomly and computes
x = x , + x , , U = x P and h,=H,(w, U ) . Then Alice
chooses a random S, E G,* , computes S, = h,Sr + x& and
S, = h,(S, - s,) + x2Ppub . b) Alice sends (w, U , Sop) and (w, U , S,) to Bob and
the SEM, respectively. The SEM stores (w, U ) to his
storage list. c) Bob and the SEM first verify the correctness of their
receipts. Bob computes RB = e ( P , Sop) and sends (0, R,)
to the SEM. The SEM computes 4 =e(P, S,) and sends it to Bob. They compute h, = H,(w, U ) , respectively and verify if R,& =e(Cub, h,Q, + U ) holds. If this fails, Bob
and the SEM request a valid one; otherwise, Bob and the SEM compute their proxy private key S, =S,+h,S, and
S,, = S, + hass , respectively.
4) Mediated proxy signature generation: to generate a proxy
signature on a message m , Bob must cooperate with the SEM. Bob sends (m, U , RB, m) to the SEM. The SEM
confirms (0, U , RE) is the same as that was received in
proxy key generation phase. And then, the SEM must ascertain the following conditions, before he generates a partial proxy signature on the message m.
a) The period of proxy delegation specified in w should be valid.
b) The(@, U ) should not be in the public revocation list
maintained by the SEM. If the validation step is finished correctly, then the SEM
performs the proxy signature generation steps. a) Bob chooses randomly 5 E Z: , computes U, = r,P ,
and sends it to the SEM. b) After receiving U, , the SEM chooses randomly
r , E Z i , computes U , = r , P , U , , = U , + U , , h,=H,(m, U , , ) ,
and V, =r2%uh+hmSAs . The SEM sends (U,, U , , , V,)
back to Bob. c) After receiving (4, U,, V,) , Bob computes h, = H,(m, U,, )
and verifies whether e(P, V,) =e(U,, <,,>($e(p,,,, h,Q,))h,
holds. If the verification of the token is successful, Bob computes V, = C P , ~ + h,S, and V = V, + V, . The final
mediated proxy signature on the message m is
5) Mediated proxy signature verification: a verifier accepts the mediated proxy signature a = ( w , U , U, , , V) on m if
e(P, V ) = e(P,,, h,U + U,, + h,h,<Q, + Q, + Qs>> holds.
6) Proxy revocation: if the original signer Alice wants to revoke the delegation before the specific delegation period or any misuse of the delegated rights is noticed, then she asks the SEM to put the corresponding (u, U ) in the public revocation list. If the delegation period has expired or (0, V )
exists in the revocation list, the SEM will not issue proxy tokens for Bob. Once the delegation period has expired, the corresponding (a, U)on the public revocation list can be
removed to avoid the infinite growth of the revocation list.
a=(@, u, u,,, V ) .
4.2 Security analysis
In this section, we discuss the security of the proposed mediated proxy signature scheme. We show that our scheme satisfies all the security requirements stated in Ref. [ 161.
1) Distinguishability: this is obvious, because there is a warrant w in a valid mediated proxy signature, at the same time, this warrant and the public keys of the original signer and the proxy signer must occur in the verification equation of the mediated proxy signature.
2) Verifiability: because the warrant w contains the
No. 2 YU Yong, et al.: Identity-based threshold signature and mediated proxy signature schemes 73
identity information and the limit of the delegated signing power, the verifier can verify the mediated proxy signature and check whether the signed message conforms to the delegation warrant or not.
3) Strong unforgeability: in fact, the mediated proxy signature can be viewed as the (2.2) threshold version of our ( 1 , n ) threshold signature scheme. The security of the ( r , n ) threshold signature scheme has been given in Sect. 3. Therefore, a proxy signer must cooperate with the SEM to generate B valid mediated proxy signature. Anyone, even the original signer and the SEM cannot produce a valid mediated proxy signature. 4) Strong identifiability: from the warrant W , a verifier can
determine the identity of the proxy signer. 5) Strong undeniability: anyone cannot know Bob’s private
key due to the difficulty of the discrete logarithm problem in G, . Therefore, once a proxy signer Bob creates a valid
mediated proxy signature, he cannot repudiate it because the signature was created using his private key.
6) Prevention of misuse: due to the use of warrant W , a proxy signer can only sign messages that have been authorized by the original signer. Furthermore, a proxy signer must cooperate with the SEM to generate a valid mediated proxy signature, and only a proxy signer can generate a valid mediated proxy signature. Therefore, he must be responsible for his mediated proxy signature. Once the delegated rights are abused, the original signer instructs the SEM to stop issuing the token for the proxy signer at once. Therefore, our LD-based mediated proxy signature scheme can perform the immediate revocation. Moreover, the original signer or the malicious attacker’s misuse is also prevented, because they cannot generate a valid mediated proxy signature.
5 Concluslonr
In this article, we proposed a new identity-based threshold signature scheme. Our construction method is different from that of Cheng’s scheme 1121. We adopt such a method that the private key associated with an identity rather than the master key is shared. Then based on the threshold signature scheme, we constructed an ID-based mediated proxy signature scheme wherein the advantage over the existing proxy signature schemes is that it can perform the immediate proxy revocation. Finally, we showed that the proposed scheme satisfies all the security requirements of a secure proxy signature scheme. How to prove that the security of Identity-Based mediated proxy signature scheme would be guaranteed using the provable robust security method is the objective of our future work.
Acknowledgements The authors would like to thank anonymous reviewers for their valuable comments. This work is supported by the National Natural Science Foundation of China (60573043,60372046).
References
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13
Shamir A. Identity-based cryptosystems and signature schemes. Advances in Cryptology-Crypto,l984. Berlin: Springer-Verlag, 1984 47-53 Boneh D, Franklin M. Identity-based encryption from the Weil pairings. Advances in Cryptology-Crypto, 2001. Berlin: Springer- Verlag, 2001: 2 13-229 Cha J C, Cheon J H. An identity-based signature from gap Diffie-Hellman groups. PKC, 2003. Berlin: Springer-Verlag, 2003: 18-30 Hess F. Efficient identity based signature schemes based on pairings. SAC, 2002. Berlin: Springer-Verlag, 2002: 3 10-324 Li Li-yuan, Xu Qiu-liang. A threshold proxy signature scheme with actual signers. Journal of Beijing University of Posts and Telecommunications, 2006, 29(4): 103-106 (in Chinese) Shamir A. How to share a secret. Communications of the ACM, 1979,22(11): 612-613 Jia Xiao-yun, Luo Shou-shan, Yuan Chao-wei. A new signature scheme with shared verification. The Journal of China Universities of Posts and Telecommunications, 2006,13(2): 66-69 Mi Jun-li, Zhang Jim-zhong. Newdynamic threshold signature scheme. Journal of Chongqing University of Posts and Telecommunications, 2006, 18(3): 390-392 (in Chinese) Mambo M, Usuda K, Okamoto E. Proxy signature for delegating signing operation. Proceedings of the 3rd ACM Conference on Computer and Communications Security, Mar 14-16, 1996, New Delhi, India. New York, NY, USA: ACM, 1996: 48-56 Seo S H, Shim K A, Lee S H. A mediated proxy signature scheme with fast revocation for electronic transactions. Porceedings of 2nd International Conference on Trust, Privacy and Security in Digital Business, Aug 22-26.2005. Copenhagen, Denmark. Berlin: Springer-Verlag, 2005: 2 16-225 Schnorr C. Efficient identification and signature for smart cards. Advances in Cryptology-Eurocrypt, 1989. Berlin: Springer-Verlag, 1989:239-25 1 Cheng Xiang-guo, Liu Jing-mei, Wane Xin-mei. An identity- based signature and its threshold version. Proceedings of 19th International Conference on Advanced Information Networking and Applications: Vol 1, Mar 28-30, 2005, Taipei,, China. Piscataway, NJ, USA: EEE, 2005: 973-977 Gennaro R, Jarecki S, Krawczyk H, et al. Robust threshold DSS signatures. Advances in Cryptology-Eurocrypt, 1996. Berlin: Springer-Verlag. 1996: 354-37 1
14. Baek J, Zheng Y. Identity-based threshold signature from the
74 The Journal of CHUPT 2007
bilinear pairings. Proceedings of the International Conference on Information Technology: Coding and Computing: Vol 1, Apr 5-7, 2004, Las Vegas, NV. Piscataway, NJ, USA: IEEE Computer Society, 2004: 124-128
15. Boneh D, Ding X, Tsudik G , et al. A method for fast revocation of public key certificates and security capabilities. Proceedings of the loth USENIX Security Symposium, Aug 13-17, 2001, Washington DC, USA. 2001: 297-308
16. Lee B, Kim H, Kim K. Strong proxy signature and its applications. proceedings of the 2001 Symposium on Cryptography and Information Security: Vol2, Jan 23-26, 2001, Oiso, Japan. 2001: 603-608
14.
15.
16.
17.
Biographies: W Yong, Ph. D. Candidate of Xidian University, interested in the research on information security.
YANG Bo, professor and doctoral supervisor of Xi’dian University and South China Agricultural University. He is interested in information security and network security.
SUN Ying, lecturer of South China Agricultural University, interested in the research on information security.
-
From p. 68 Meguerdichian S, Koushanfar F, Potkonjak M, et al. Worst and best-case coverage in sensor networks. IEEE Transactions on Mobile Computing. 2005,4(1): 84-92 Veltri G , Qu Gang, Huang Qing-feng, et al. Minimal and maximal exposure path algorithms for wireless emended sensor networks. Proceedings of 15th International Conference on Embedded Networked Sensor Systems, Nov 5-7, 2003, Los Angeles, CA, USA. New York, NY, USA: ACM, 2003: 40-50 Cortes J, Martinez S, Karatas T, et al. Coverage control for mobile sensing networks. IEEE Transactions on Robotics and
Li X Y, Wan P J, Frieder 0. Coverage in wireless Ad-hoc sensor networks. IEEE Transactions on Computers, 2003, 52(6): 753-763
Automation, 2004, 20(2): 243-255
Biographies: QIN Ning-ning, Ph. D. Candidate in the School of Communication and Control Engineering, Southern Yangtze University, interested in coverage control of WSN.
ZHANG Lin, Ph. D. He is now an assistant professor at Tsinghua University. His research interests include wireless networks, distributed data fusion, and information theory.
SHAN Xiu-ming, professor, the Electronic Engineering Department of Tsinghua University. He received B. S . from Tsinghua University in 1970. Now, his research interests include radar signal processing, computer networks, and complex systems.
XU Bao-guo, professor, assistant president of Southern Yangtze University. He got B. S. from Southeast University in 1977. His interests include computer communication, intelligent control.