About this Journal Submit a Manuscript Table of Contents
Advances in Multimedia
Volume 2012 (2012), Article ID 427961, 10 pages
http://dx.doi.org/10.1155/2012/427961
Research Article

A Novel Anonymous Proxy Signature Scheme

Department of Information Management, Nanhua University, Chiayi 622, Taiwan

Received 30 April 2012; Accepted 18 July 2012

Academic Editor: Joonki Paik

Copyright © 2012 Jue-Sam Chou. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Recently, several studies about proxy signature schemes have been conducted. In 2009, Yu et al. proposed an anonymous proxy signature scheme attempting to protect the proxy signer's privacy from outsiders. They claimed that their scheme can make the proxy signer anonymous. However, based on our research, we determined that this was not the case and the proxy signer's privacy was not anonymous. Hence, in this paper, we propose a new anonymous proxy signature scheme that truly makes the proxy signer anonymous while making it more secure and efficient when compared with Yu et al.'s scheme. Our proxy signature scheme consists of two contributions. First, we mainly use random numbers and bilinear pairings to attain the anonymous property. Secondly, we increase the security and efficiency of our proxy in the design.

1. Introduction

Proxy signature schemes can be used in many business applications such as signing important documents when the original signer is not present. For example, an important document needs to be signed by the CEO, but the CEO is out of the office or not immediately available. At this time, the CEO can use the proxy signature scheme to designate the general manager or business executive to sign the document on his or her behalf. The signed document will be valid and can be verified by everyone without the CEO actually signing it. Any proxy signature scheme has to meet the identifiability, undeniability, verifiability, and unforgeability security requirements. It may be necessary to protect the proxy signer’s privacy from outsiders or third parties. In 1996, Mambo et al. [1] first proposed the concept of proxy signature. In their proposal, there are three parties: a user also called original signer, a proxy signer whom is delegated to sign a message on behalf of the original signer, and a verifier who verifies whether a signed message is legal or not.

Since Mambo et al.’s 1996 scheme, many proxy signature schemes have been proposed [127] (some other schemes though are signature schemes whereas not proxy signatures such as [2833]). Generally speaking, there are two main categories of proxy signature schemes, the first category is one-to-one and the other is one-to-many. In the former, there is one original signer and one proxy signer, but in the latter, except for the original signer, there are a group of proxy signers. The one-to-one schemes are [4, 7, 10, 12, 13, 1517, 2527] and the proxy blind signature [2], which is based on a special digital signature scheme first introduced by Chaum [34] in 1983. In the one-to-many, there are two subsets, one is the proxy multisignature and the other is the (𝑡,𝑛) threshold proxy signature. In the proxy multisignature [5, 6, 9, 1922], the original signer has an authorized proxy signer group, each proxy signer has to generate a partial proxy signature. If all partials of signatures are correct, the proxy signature will be generated by summation or multiplication operations of the partial proxy signatures. In the (𝑡,𝑛) threshold proxy signature [3, 11, 18, 23, 24], the original signer can choose the threshold and a proxy signing key is shared by 𝑛  proxy signers. Any 𝑡 of proxy signers can cooperatively derive the proxy signing key to sign the message.

In any proxy signature, the following four security properties are required.

(i) Unforgeability
Only a designated proxy signer can create a valid proxy signature for the original signer. In other words, nobody can forge a valid proxy signature without the delegation of the original signer.

(ii) Verifiability
After checking and verifying the proxy signature, a verifier can be convinced that the received message is signed by the proxy signer authorized by the original signer.

(iii) Undeniability
The proxy signer cannot repudiate the signature he produced.

(iv) Identifiability
Anyone including the original signer can determine the corresponding proxy signer’s identity from the proxy signature. That is, from the proxy signature any verifier can determine the proxy signer’s identity.

Although proxy signatures incorporate the above-mentioned security functions, they still face many threats such as man-in-the-middle, replay, frame, and public-key substitute attacks. In frame attacks [23], the malicious original signer can forge a signature after intercepting sent information and the forged signature can be accepted by the verifier. In public-key substitute attacks [24], the attacker can be either the original signer or any proxy signer. By changing their public keys, he can forge a valid proxy signature [11]. This indicates that when designing a proxy signature scheme, care should be taken to avoid these kinds of attacks.

Researchers, Shum and Wei’s [26] and Yang, and Peng [10], presented two one-to-one anonymous proxy signature (APS) schemes. They point that an APS scheme should possess not only the security features of unforgeability, verifiability, and undeniability, but also the properties of anonymity and anonymity revocation. The anonymity means that only one of the proxy signers can sign the message in the proxy signer group, other proxy signers cannot know who the signer is. And the anonymity revocation indicates that once required, the proxy signer can assure the others that he is the real signer. However, N. Y. Lee and M. F. Lee [27] indicate that Shum and Wei’s scheme [26] violates the property of the unforgeability. Yang and Peng [10] therefore proposed a modified one-to-one APS scheme. In 2009, Yu et al. [8] first proposed a one-to-many APS scheme. In their scheme, there is a group of proxy signers, but only one proxy signer can anonymously signs the message. By using a group of signers, Yu et al. want to provide privacy and anonymous protection for the real proxy signer. They claim that their scheme is provably secure. However, based on our research by just using some of the transmitted data along with public information, we were able to isolate and identify the proxy signer. More details of the analysis are described in Section 3.2.

The rest of the paper is organized as follows. In Section 2, we present the basic concepts of bilinear pairings and some related mathematical problems. In Section 3, we review and show the weakness of Yu et al.’s scheme. Section 4 shows the proposed scheme, and Section 5 makes comparison of computation efficiency between Yu et al.’s scheme and ours. Finally, a conclusion is given in Section 6.

2. Background

In this section, we describe the concept of bilinear pairings which is used as the mathematical basis for this design.

Let 𝐺1 be a cyclic additive group of order 𝑞 generated by a base point 𝑃 on Elliptic curve and 𝐺2 a cyclic multiplicative group with the same order. It is assumed that solving the Elliptic curve discrete logarithm problem (ECDLP) in 𝐺1 and discrete logarithm problem (DLP) problem in 𝐺2 is difficult. A bilinear map 𝑒 is defined as 𝑒𝐺1×𝐺1𝐺2, which has the following properties:(1)bilinearity: 𝑒(𝑎𝑃,𝑏𝑄)=𝑒(𝑃,𝑄)𝑎𝑏, where 𝑃,𝑄𝐺1 and all 𝑎,𝑏𝑍𝑞;(2)nondegeneracy: there exists 𝑃,𝑄𝐺1 such that 𝑒(𝑃,𝑄)1; in other words, the map does not send all pairs in 𝐺1×𝐺1 to the identity in 𝐺2;(3)computability: there is an efficient algorithm to compute 𝑒(𝑃,𝑄) for all 𝑃,𝑄𝐺1.

3. Review of Yu et al.’s Scheme

In this section, we review Yu et al.’s APS scheme [8] and demonstrate that the original APS cannot satisfy the anonymous property in Section 3.2.

3.1. Yu et al.’s APS Scheme

There are six phases in Yu et al.’s APS scheme: (1) the parameter generation phase, (2) the key generation phase, (3) the delegation signing phase, (4) the delegation verification phase, (5) the APS generation phase, and (6) the APS verification phase. We describe them as follows.(1)In the parameter generation phase, on input of security parameter 𝑘, a system parameter generation algorithm outputs a cyclic additive group 𝐺1 of order 𝑞, a multiplicative group 𝐺2 of the same order, a bilinear map 𝑒𝐺1×𝐺1𝐺2, and a generator 𝑃 of 𝐺1. This algorithm also outputs two cryptographic hash functions: 𝐻0{0,1}×𝐺1𝑍𝑞 and 𝐻1{0,1}𝐺1. (2)In the key generation phase as shown in Figure 1, the original signer  𝐴𝑙𝑖𝑐𝑒 selects 𝑥𝑜𝑍𝑞 as her private key and computes her public key as 𝑌𝑜=𝑥𝑜𝑃. Each proxy signer  𝑢𝑖𝒰 randomly selects 𝑥𝑖𝑍𝑞 as his/her private key and sets the corresponding public key as 𝑌𝑖=𝑥𝑖𝑃. (3)In the delegation signing phase, 𝐴𝑙𝑖𝑐𝑒 firstly generates a warrant 𝑚𝑤 which contains some explicit descriptions about the delegation relation such as the identities of both 𝐴𝑙𝑖𝑐𝑒 and the proxy signers, the expiration time of the delegation, and the signing power in the warrant. Then, 𝐴𝑙𝑖𝑐𝑒 randomly picks a number 𝑟𝑍𝑞 and computes 𝑅=𝑟𝑃 and 𝑠=𝑟+𝑥𝑜𝐻0(𝑚𝑤,𝑅)mod𝑞. Finally, 𝐴𝑙𝑖𝑐𝑒 sends (𝑚𝑤,𝑅,𝑠) to the proxy signers in set 𝒰={𝑢1,,𝑢𝑛}.(4)Upon receiving (𝑚𝑤,𝑅,𝑠), each proxy signer  𝑢𝑖 checks if the equation 𝑠𝑃=𝑅+𝐻0(𝑚𝑤,𝑅)𝑌𝑜 holds. If it does not, the delegation will be rejected. Otherwise, it will be accepted and each proxy signer  𝑢𝑖 computes his/her proxy secret key as psk𝑖=𝑠+𝑥𝑖𝐻0(𝑚𝑤,𝑅)mod𝑞. (5)In the APS generation phase as shown in Figure 2, proxy signer  𝑢𝑠𝒰 signs on a message 𝑚 with his proxy secret key  psk𝑠 on behalf of the original signer, 𝐴𝑙𝑖𝑐𝑒, in an anonymous way. 𝑢𝑠 first chooses random numbers 𝑟𝑖𝑍𝑞, where 𝑖{1,2,,𝑛} and 𝑖𝑠, computes both 𝜎𝑖=𝑟𝑖𝑃 and 𝜎𝑠=(1/psk𝑠)(𝐻1(𝑚𝑚𝑤)𝑖𝑠𝑟𝑖(𝑅+𝐻0(𝑚𝑤,𝑅)(𝑌𝑜+𝑌𝑖))), and sends 𝜎=(𝜎1,𝜎2,,𝜎𝑛,𝑚,𝑚𝑤,𝑅) to the verifier.(6)In the APS verification phase, given public keys 𝑌𝑜,𝑌1,,𝑌𝑛 and a received anonymous proxy signature 𝜎, the verifier can examine the validity of the signature 𝜎 by checking whether the following expression holds: 𝑛𝑖=1𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝜎𝑖=𝑛𝑖=1,𝑖𝑠𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝜎𝑖𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑠,𝜎𝑠=𝑛𝑖=1,𝑖𝑠𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑠,1psk𝑠×𝐻1𝑚𝑚𝑤𝑖𝑠𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖=𝑛𝑖=1,𝑖𝑠𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃𝑒𝑃,𝐻1𝑚𝑚𝑤𝑖𝑠𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖=𝑒𝑃,𝐻1𝑚𝑚𝑤.(1)

427961.fig.001
Figure 1: Key generation, delegation signing, and delegation verification phases of Yu et al.’s scheme.
427961.fig.002
Figure 2: APS generation phase and the APS verification phase of Yu et al.’s scheme.
3.2. Weakness of Yu et al.’s Scheme

After reviewing Yu et al.’s scheme above, we now explain the violation of the scheme’s anonymous property which they emphasized as follows.

Since 𝑅, 𝐻0(𝑚𝑤,𝑅), and (𝑌𝑜+𝑌𝑠) are public, we can obtain psk𝑠𝑃 by deducing psk𝑠𝑃=𝑅+𝐻0(𝑚𝑤,𝑅)(𝑌𝑜+𝑌𝑠) because psk𝑠𝑃=𝑠+𝑥𝑖𝐻0𝑚𝑤𝑃=,𝑅𝑟+𝑥𝑜𝐻0𝑚𝑤,𝑅+𝑥𝑖𝐻0𝑚𝑤𝑃=𝑥,𝑅𝑟+𝑜+𝑥𝑖𝐻0𝑚𝑤𝑃=𝑥,𝑅𝑟𝑃+𝑜+𝑥𝑖𝐻0𝑚𝑤𝑃,𝑅=𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑠.(2)

Next, we define an inspector 𝐗 to be 𝑒(psk𝑥𝑃,𝜎𝑗), where psk𝑥 is 𝑢𝑥’s secret proxy key, 𝜎𝑗 is a specific subsignature in 𝜎, and 𝑥,𝑗{1,𝑛}. In addition, we define 𝐘 to be 𝑛𝑖=1,𝑖𝑥𝑒((𝑅+𝐻0(𝑚𝑤,𝑅)(𝑌𝑜+𝑌𝑖)),𝜎𝑖). Then, if there exist some 𝑥 and 𝑗 satisfying 𝐗𝐘=𝑒(𝑃,𝐻1(𝑚𝑚𝑤)), we can determine that 𝑥 should be equal to 𝑗, and 𝑢𝑗 is then the right proxy signer. This is because if 𝑢𝑗 is the right proxy signer, then the corresponding subsignature 𝜎𝑗 must have the factor 1/psk𝑗, and therefore only applying the right psk𝑥𝑃, that is, 𝑥=𝑗, can cancel the factor result in the holing of the end. Otherwise, we continue to examine next possible 𝑥 or 𝑗. By doing this way, we can deduce the right proxy signer at most 𝑛2 times.

For more clarity, we take three proxy signers, 𝑢1, 𝑢2, 𝑢3, as an example. Suppose 𝑢2 is the real proxy signer, then 𝜎1=𝑟1𝑃, 𝜎2=(psk2)1(𝐻1(𝑚𝑚𝑤)3𝑖=1,𝑖1𝑟𝑖(𝑅+𝐻0(𝑚𝑤,𝑅)(𝑌𝑜+𝑌𝑖))) and 𝜎3=𝑟3𝑃.

If we first try 𝜎1 with different 𝑥=1,2,3, then we have three tries as in the following. (1.1) When 𝑥=1 and thus 𝐗=𝑒(psk1𝑃,𝜎1), the value 𝐗𝐘 should be 𝑒psk1𝑃,𝜎13𝑖=1,𝑖2𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃=𝑒𝑃,psk1𝜎13𝑖=1,𝑖2𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑟𝑖𝑃=𝑒𝑃,psk1𝑟1𝑃𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌1,𝜎2𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌3,𝜎3𝑒𝑃,𝐻1𝑚𝑚𝑤.(3)(1.2) When 𝑥=2 and thus 𝐗=𝑒(psk2𝑃,𝜎1), the value 𝐗𝐘 should be 𝑒psk2𝑃,𝜎13𝑖=1,𝑖2𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃=𝑒𝑃,psk2𝜎13𝑖=1,𝑖2𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑟𝑖𝑃=𝑒𝑃,psk2𝑟1𝑃𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌1,𝜎2𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌3,𝜎3𝑒𝑃,𝐻1𝑚𝑚𝑤.(4)(1.3) When 𝑥=3 and thus 𝐗=𝑒(psk3𝑃,𝜎1), the value 𝐗𝐘 should be 𝑒psk3𝑃,𝜎13𝑖=1,𝑖2𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃=𝑒𝑃,psk3𝜎13𝑖=1,𝑖2𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑟𝑖𝑃=𝑒𝑃,psk3𝑟1𝑃𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌2,𝜎2𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌1,𝜎3𝑒𝑃,𝐻1𝑚𝑚𝑤.(5)

Secondly, if we try 𝜎2 with different 𝑥=1,2,3, then we have three tries as in the following. (2.1) When 𝑥=1 and thus 𝐗=𝑒(psk1𝑃,𝜎2), the value 𝐗𝐘 should be 𝑒psk1𝑃,𝜎23𝑖=1,𝑖2𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃=𝑒𝑃,psk1𝜎23𝑖=1,𝑖2𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑟𝑖𝑃=𝑒𝑃,psk1𝑟2𝑃𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌1,𝜎1𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌3,𝜎3𝑒𝑃,𝐻1𝑚𝑚𝑤.(6)(2.2)When 𝑥=2 and thus 𝐗=𝑒(psk2𝑃,𝜎2), the value 𝐗𝐘 should be𝑒psk2𝑃,𝜎23𝑖=1,𝑖1𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃=𝑒𝑃,psk2𝜎23𝑖=1,𝑖1𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃=𝑒𝑃,psk21psk2𝐻1𝑚𝑚𝑤𝑖𝑠𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖3𝑖=1,𝑖1𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃=𝑒𝑃,𝐻1𝑚𝑚𝑤𝑖1𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖3𝑖=1,𝑖1𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖=𝑒,𝑃𝑃,𝐻1𝑚𝑚𝑤𝑒𝑃,𝑟1𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌1𝑒𝑃,𝑟3𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌3𝑒P,𝑟1𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌1𝑒𝑃,𝑟3𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌3=𝑒𝑃,𝐻1𝑚𝑚𝑤𝑒𝜎1,𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌1𝜎𝑒3,𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌3𝜎𝑒1,𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌1𝑒𝜎3,𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌3=𝑒𝑃,𝐻1𝑚𝑚𝑤.(7)(2.3) When 𝑥=3 and thus 𝐗=𝑒(psk3𝑃,𝜎2), the value 𝐗𝐘 should be 𝑒psk3𝑃,𝜎23𝑖=1,𝑖2𝑒𝑟𝑖𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑃=𝑒𝑃,psk3𝜎23𝑖=1,𝑖2𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌𝑖,𝑟𝑖𝑃=𝑒𝑃,psk3𝑟2𝑃𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌1,𝜎1𝑒𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜+𝑌3,𝜎3𝑒𝑃,𝐻1𝑚𝑚𝑤.(8)

From the above demonstration, for inspector 𝐗=𝑒(psk𝑥𝑃,𝜎𝑗), only when the subscript 𝑥=𝑗=2, the result of 𝐗𝐘 is 𝑒(𝑃,𝐻1(𝑚𝑚𝑤). Therefore, we determined that 𝑢2 is the right proxy signer and the anonymous property that they emphasized is broken.

4. Proposed Scheme

In this section, we propose a new one-to-many APS scheme to correct the anonymous flaw as discovered in Section 3. Our scheme is the same as theirs in the first two phases. The differences are in the last four phases, the delegation signing, delegation verification, APS generation, and APS verification phase. More details of our APS are shown in Section 4.1. Its correctness is demonstrated in Section 4.2 and the APS requirements are analyzed in Section 4.3. Before describing our protocol, we define some basic notations listed in Table 1.

tab1
Table 1: The definitions of used notations

4.1. The New Proposed APS Scheme

In our APS scheme, there also exist an original signer  𝐴𝑙𝑖𝑐𝑒 and a proxy signer group  {𝒫1,𝒫2,,𝒫𝑛}, and only one proxy signer in the proxy signers group can sign the message. For more clarity, we show our scheme in detail as follows. The proposed scheme consists of six phases: (1) the parameter generation phase, (2) key generation phase, (3) delegation signing phase, (4) delegation verification phase, (5) APS generation phase, and (6) APS verification phase. Phases (1) and (2) are the same as in Yu et al.’s scheme, which has been delineated in Section 3.1. We omit these phases in the following but show phases (3) and (4) in Figure 3 and phases (5) and (6) in Figure 4.(3) In the delegation signing phase, as shown in Figure 3, the original signer randomly selects a number 𝑟𝑍𝑞 and uses 𝑟 to compute 𝑅=𝑟𝑃 and 𝑣=𝑟+𝑥0𝐻0(𝑚𝑤,𝑅). Then, the original signer sends (𝑚𝑤,𝑅,𝑣) to each proxy signer  𝒫𝑖{𝒫1,𝒫2,,𝒫𝑛} with warrant 𝑚𝑤, where warrant contains the records of the original signer’s and proxy signer’s identities, delegation, authorization period, valid period, and so forth.(4) In the delegation verification phase, after receiving (𝑚𝑤,𝑅,𝑣) the proxy signer  𝒫𝑖 first checks whether the equation 𝑣𝑃?=𝑅+𝐻0(𝑚𝑤,𝑅)𝑌𝑜 holds. If it does not, stop the protocol, otherwise, he stores (𝑚𝑤,𝑅). Second, when signing message 𝑚,𝒫𝑖 chooses random numbers 𝑟𝑖𝑍𝑞, 𝑖=1 to 𝑛, and 𝑉=𝑣𝑃 computes 𝑐=𝐻1(𝑟1𝑟𝑛), 𝑈=𝑐𝑃, and the proxy secret key, psk𝑖=𝑟𝑖1𝑥𝑖1𝐻2(𝑚𝑤𝑚,𝑉,𝑈).(5) In the APS generation phase, as shown in Figure 4, let 𝒫𝑠 be the real proxy signer. He computes 𝜎𝑖=𝑟𝑖𝑉, where 𝑖{1,2,,𝑛} and 𝑖𝑠 and computes 𝐿=𝑐𝑥𝑠1𝑉, then sets 𝑌,𝜎𝑠,𝑝𝜎sum=𝑛𝑖=1𝜎𝑖,𝐴,𝐵,𝐶, and 𝐷, as 𝑌=𝑛𝑖=1𝑌𝑖, 𝜎𝑠=psk𝑠𝑌=𝑟𝑠1𝑥𝑠1𝐻2(𝑚𝑤𝑚,𝑉,𝑈)𝑌, 𝐴=𝑟𝑠𝑐psk𝑠𝑃, 𝐵=𝑟𝑠𝜎𝑠, 𝐶=𝑟𝑠𝑝𝜎sum, and 𝐷=𝑟𝑠𝑐𝑉, respectively. Finally, 𝒫𝑠 outputs 𝜎=(𝜎1,𝜎2,,𝜎𝑛,𝑚,𝑚𝑤,𝑐,𝐴,𝐵,𝐶,𝐷,𝐿,𝑈,𝑉) as the anonymous proxy signature and sends 𝜎 to the verifier. (6) In APS verification phase, upon receiving the proxy signature the verifier computes 𝑛𝑖=1𝑌𝑖=𝑌 and checks whether the equation 𝑒(𝐷,𝑛𝑖=1𝜎𝑖)𝑒(𝐴,𝑌)?=𝑒(𝑐𝑉,𝐶𝐵)𝑒(𝐿,𝐻2(𝑚𝑤𝑚,𝑉,𝑈)𝑌)𝑒(𝑈,𝐵) holds. If it holds, the verifier accepts the signature, otherwise rejects it.

427961.fig.003
Figure 3: The delegation signing and delegation verification phases of our scheme.
427961.fig.004
Figure 4: Anonymous proxy signature generation phase and the verification phase of our scheme.
4.2. Correctness

In the delegation verification phase, each proxy signer can check whether the equation 𝑣𝑃?=𝑅+𝐻0(𝑚𝑤,𝑅)𝑌𝑜 holds as follows.

Proof (first proof). 𝑣𝑃?=𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜𝑣𝑃=𝑟+𝑥𝑜𝐻0𝑚𝑤𝑃,𝑅=𝑟𝑃+𝑥𝑜𝐻0𝑚𝑤𝑃,𝑅=𝑅+𝐻0𝑚𝑤𝑌,𝑅𝑜.(9)

If it holds, the proxy signer can know that the message is sent from the original signer. Because in the verification equation, he use the original signer’s public key 𝑌𝑜 to examine it. If any adversary intercepts the message and modify it, it cannot pass the verification equation.

In the proxy signature verification phase, the following equation gives the correctness of the verification.

Proof (second proof). 𝑛𝑖=1𝑒𝐷,𝜎𝑖𝑒(𝐴,𝑌)?=𝑒(𝑐𝑉,𝐶𝐵)𝑒𝐿,𝐻2𝑚𝑤𝑌𝑚,𝑉,𝑈𝑒(𝑈,𝐵)𝑛𝑖=1𝑒𝐷,𝜎𝑖=𝑒(𝐴,𝑌)𝑛𝑖=1,𝑖𝑠𝑒𝑐𝑟𝑠𝑉,𝜎𝑖𝑒𝑐𝑟𝑠𝑉,𝜎𝑠𝑟𝑒𝑠𝑐psk𝑠=𝑃,𝑌𝑛𝑖=1,𝑖𝑠𝑒𝑐𝑟𝑠𝑉,𝜎𝑖𝑒𝑐𝑟𝑠𝑉,𝑟𝑠1𝑥𝑠1𝐻2𝑚𝑤𝑚,𝑉,𝑈𝑌)𝑒𝑐𝑃,𝑟𝑠psk𝑠𝑌=𝑛𝑖=1,𝑖𝑠𝑒𝑐𝑟𝑠𝑉,𝜎𝑖𝑒𝑐𝑟𝑠𝑉,𝑟𝑠1𝑥𝑠1𝐻2𝑚𝑤𝑚,𝑉,𝑈𝑌)𝑒𝑐𝑃,𝑟𝑠𝜎𝑠=𝑛𝑖=1,𝑖𝑠𝑒𝑐𝑟𝑠𝑉,𝜎𝑖𝑥𝑒𝑠1𝑐𝑉,𝐻2𝑚𝑤=𝑚,𝑉,𝑈𝑌𝑒(𝑈,𝐵)𝑛𝑖=1,𝑖𝑠𝑒𝑐𝑟𝑠𝑉,𝜎𝑖𝑒𝐿,𝐻2𝑚𝑤𝑌𝑚,𝑉,𝑈𝑒(𝑈,𝐵)=𝑒𝑐𝑟𝑠𝑉,𝑛𝑖=1,𝑖𝑠𝜎𝑖𝑒𝐿,𝐻2𝑚𝑤𝑌𝑚,𝑉,𝑈𝑒(𝑈,𝐵)=𝑒𝑐𝑟𝑠𝑉,𝑝𝜎sum𝜎𝑠𝑒𝐿,𝐻2𝑚𝑤𝑌𝑚,𝑉,𝑈𝑒(𝑈,𝐵)=𝑒𝑐𝑉,𝑟𝑠𝑝𝜎sum𝜎𝑠𝑒𝐿,𝐻2𝑚𝑤𝑌𝑚,𝑉,𝑈𝑒(𝑈,𝐵)=𝑒𝑐𝑉,𝑟𝑠𝑝𝜎sum𝜎𝑠𝑒𝐿,𝐻2𝑚𝑤𝑌𝑚,𝑉,𝑈𝑒(𝑈,𝐵)=𝑒(𝑐𝑉,𝐶𝐵)𝑒𝐿,𝐻2𝑚𝑤𝑌𝑚,𝑉,𝑈𝑒(𝑈,𝐵).(10)

4.3. Security Analyses

In this section, we demonstrate that our APS scheme can satisfy the security properties as discussed in Section 1 for (1) verifiability, (2) unforgeability, (3) undeniability, (4) anonymity, and (5) anonymity revocation. Now, we demonstrate why our scheme can satisfy these five security properties as follows.

(1) Verifiability
In APS verification phase, after checking and verifying the proxy signature 𝜎, where 𝜎=(𝜎1,𝜎2,,𝜎𝑛,𝑚,𝑚𝑤,𝑐,𝐴,𝐵,𝐶,𝐷,𝐿,𝑈,𝑉), the verifier can calculate to check whether the verification equation (𝑛𝑖=1𝑒(𝐷,𝜎𝑖))𝑒(𝐴,𝑌)?=𝑒(𝑐𝑉,𝐶𝐵)𝑒(𝐿,𝐻2(𝑚𝑤𝑚,𝑉,𝑈)𝑌)𝑒(𝑈,𝐵) holds. If it does, the verifier can be convinced that the received message is signed by one of the proxy signer members authorized by the original signer because 𝑌(=𝑛𝑖=1𝑌𝑖) and 𝑉(=𝑣𝑃=𝑅+𝐻0(𝑚𝑤,𝑅)𝑌𝑜) are used in the verification equation.

(2) Unforgeability
It means that any entity (other than the real proxy signer  𝒫𝑠), including the original signer, cannot generate a valid proxy signature. Only an authorized proxy signer  𝒫𝑠 can create a valid proxy signature 𝜎. If any attacker wants to forge a proxy signature, he must be authorized by the original signer signing on a warrant 𝑚𝑤 and use the proxy signer’s proxy secret key  psk𝑠 to compute 𝜎𝑠. However, this is impossible since the identity of the attacker wasn not in 𝑚𝑤 signed by the original signer. Not to mention, he does not know psk𝑠. Under this situation, even if he want to (1) fake the proxy signer key as psk𝑠, (2) change value 𝑐 to 𝑐, or (3) randomly select 𝑟𝑠𝑍𝑞, trying to counterfeit the proxy signature, we demonstrate that his attempt deems to fail. We demonstrate the reasons for the failures of these three cases in the following.

Case 1. If an attacker does not know the proxy secret key  psk𝑠, he cannot generate valid 𝜎𝑠(=psk𝑠𝑌), 𝑝𝜎sum(=𝑛𝑖=1𝜎𝑖), 𝐴(=𝑟𝑠𝑐psk𝑠𝑃), 𝐵(=𝑟𝑠𝜎𝑠), and 𝐶(=𝑟𝑠𝑝𝜎sum). Even if he uses a random psk𝑠 to sign the message, since psk𝑠=𝑟𝑠1𝑥𝑠1𝐻2(𝑚𝑤𝑚,𝑉,𝑈), he cannot evaluate the right value 𝑥𝑠1 for computing 𝐿 to be successfully verified in the verification equation.

Case 2. Because 𝑐 is changed to 𝑐, this results in at least one of the random numbers 𝑟𝑖 should also be modified. Without loss of generality, we let 𝑟𝑖=𝑟1𝑟𝑠. Accordingly, all the parameters 𝑈(=𝑐𝑃), psk𝑠(=𝑟𝑠1𝑥𝑠1𝐻2(𝑚𝑤𝑚,𝑉,𝑈)), 𝜎𝑠(=psk𝑠𝑌), 𝑝𝜎sum(=𝑛𝑖=1𝜎𝑖), 𝐴(=𝑟𝑠𝑐psk𝑠𝑃), 𝐵(=𝑟𝑠𝜎𝑠), 𝐶(=𝑟𝑠𝑝𝜎sum), 𝐷(=𝑟𝑠𝑐𝑉), and 𝐿(=𝑐𝑥𝑠1𝑉) are changed as well. That is 𝜎=(𝜎1,𝜎2,,𝜎𝑠,𝜎𝑠+1,,𝜎𝑛,𝑚,𝑚𝑤,𝑐,𝐴,𝐵,𝐶,𝐷,𝐿,𝑈,𝑉). Apparently, the verification equation (𝑛𝑖=1𝑒(𝐷,𝜎𝑖))𝑒(𝐴,𝑌)=𝑒(𝑐𝑉,𝐶𝐵)𝑒(𝐿,𝐻2(𝑚𝑤𝑚,𝑉,𝑈)𝑌)𝑒(𝑈,𝐵) cannot hold. Below, we only show the inequality of portion of the verification equation 𝑒(𝐴,𝑌)=𝑒(𝑈,𝐵): 𝑒𝐴𝑟,𝑌=𝑒𝑠𝑐psk𝑠𝑐𝑃,𝑌=𝑒𝑃,𝑟𝑠psk𝑠𝑌𝑐=𝑒𝑃,𝑟𝑠𝜎𝑠𝑒(𝑈,𝐵).(11)

Case 3. In this case, if any attacker randomly selects 𝑟𝑠𝑍𝑞, trying to generate the valid proxy signature 𝜎. Accordingly, the parameters 𝑈(=𝑐𝑃), psk𝑠(=𝑟𝑠1𝑥𝑠1𝐻2(𝑚𝑤𝑚,𝑉,𝑈)), 𝜎𝑠(=𝑟𝑠1𝑥𝑠1𝐻2(𝑚𝑤𝑚,𝑉,𝑈)𝑌), 𝑝𝜎sum(=𝑛𝑖=1𝜎𝑖), 𝐴(=𝑟𝑠𝑐psk𝑠𝑃), 𝐵(=𝑟𝑠𝜎𝑠), 𝐶(=𝑟𝑠𝑝𝜎sum), 𝐷(=𝑟𝑠𝑐𝑉), and 𝐿(=𝑐𝑥𝑠1𝑉) are all changed. Therefore, the signature now becomes 𝜎=(𝜎1,𝜎2,,𝜎𝑠,𝜎𝑠+1,,𝜎𝑛, 𝑚,𝑚𝑤,𝑐,𝐴,𝐵,𝐶,𝐷,𝐿,𝑈,𝑉). As in Case 1, the verifier checks whether 𝑒(𝐴,𝑌)=𝑒(𝑈,𝐵) holds or not. Apparently, it cannot pass the verification.

(3) Undeniability
As in Section 4.2 proof (second proof), the verifier uses the verification equation: (𝑛𝑖=1𝑒(𝐷,𝜎𝑖))𝑒(𝐴,𝑌)=𝑒(𝑐𝑉,𝐶𝐵)𝑒(𝐿,𝐻2(𝑚𝑤𝑚,𝑉,𝑈)𝑌)𝑒(𝑈,𝐵) to check whether the proxy signature comes from one of the members in the proxy signer group. Since the equation 𝑉(=𝑣𝑃=𝑅+𝐻0(𝑚𝑤,𝑅)𝑌𝑜) includes the original signer’s public key 𝑌𝑜 and 𝑌=𝑛𝑖=1𝑌𝑖, it means the original signer and the proxy signer group cannot repudiate their participations in the signature generation.

(4) Anonymity
In the APS generation phase, all the parameters A, B, C, D, and 𝐿 have to be multiplied by 𝑟𝑠𝑍𝑞 to make the proxy signature 𝜎 anonymous. If any attacker wants to know who is the real proxy signer, he must know the value 𝑟𝑠 to use 𝑟𝑠1 for unrandomizing all parameters to get 𝐴(=𝑐psk𝑠𝑃), 𝐵(=𝜎𝑠), 𝐶(=𝑝𝜎sum), 𝐷(=𝑐𝑉), and 𝜎𝑠(=𝑥𝑠1𝐻2(𝑚𝑤𝑚,𝑉,𝑈)𝑌). But now 𝜎𝑖=𝑟𝑖𝑉,𝑖𝑠, even the attacker knows 𝑟𝑠, without the knowledge of 𝑟𝑖 and 𝑥𝑠, he cannot know who the real signer is. Not to mention, he cannot know the value of 𝑟𝑠. It means that anyone cannot know who signs the signature. Hence, the anonymity holds.

(5) Anonymity Revocation
In our scheme, only the proxy signer knows 𝑟𝑠1 and the secret 𝑥𝑠1. He can convince the others that he is the real proxy signer by just showing them 𝑟𝑠1and the holdness of the equation𝑟𝑠𝑥𝑠𝜎𝑠=𝐻2(𝑚𝑤𝑚,𝑉,𝑈)𝑌 without revealing 𝑥𝑠 in polynomial time.

5. Comparisons

In this section, we compare the computational cost between Yu et al.’s APS scheme and ours and summarize the result in Table 2. We denote by 𝑒 the pairing operation, Pm and Pa the point multiplication and point addition on 𝐺1 respectively, and by 𝑛 the number of proxy signers. In Yu et al.’s APS scheme, the generation and verification of psk should be (2𝑛+1)Pm+𝑛Pa instead of (𝑛+1)Pm operations. Because in Yu et al.’s scheme, the generation and verification of psk are 𝑅=𝑟𝑃 and 𝑠𝑃=𝑅+𝐻0(𝑚𝑤,𝑅)𝑌0, the 𝑠𝑃 should be computed by 𝑛  proxy signers. The APS verification should be (𝑛+1)𝑒+𝑛Pm+2𝑛Pa rather than the original (𝑛+1)𝑒+𝑛Pm+(𝑛+1)Pa as listed in the table of [8]. From Table 2, we can see that our scheme is more efficient than Yu et al.’s protocol.

tab2
Table 2: Comparison of computational costs of our scheme and Yu et al.'s scheme.

6. Conclusions

In 2009, Yu et al. first proposed a one-to-many APS scheme attempting to protect the proxy signer’s privacy while maintaining secrecy to outsiders. However, after analyses, we determined that Yu et al.’s original protocol could not satisfy the anonymous property. Accordingly, we proposed a novel one-to-many APS scheme to reach the goal. Our construction makes use of a random number 𝑟𝑠, one-way hash function and bilinear pairings to make the proxy signature anonymous. After comparisons, we conclude that our new protocol is a significant improvement against attackers trying to reveal the identity of the real signer and is more efficient in computational cost as demonstrated in Table 2.

References

  1. M. Mambo, K. Usuda, and E. Okamoto, “Proxy signature: delegation of the power to sign messages,” IEICE—Transactions on Fundamentals of Electronics, vol. E79-A, no. 9, pp. 1338–1354, 1996.
  2. R. Lu, Z. Cao, and Y. Zhou, “Proxy blind multi-signature scheme without a secure channel,” Applied Mathematics and Computation, vol. 164, no. 1, pp. 179–187, 2005. View at Publisher · View at Google Scholar · View at Scopus
  3. H. F. Huang and C. C. Chang, “A novel efficient (t, n) threshold proxy signature scheme,” Information Sciences, vol. 176, no. 10, pp. 1338–1349, 2006. View at Publisher · View at Google Scholar · View at Scopus
  4. B. Kang, C. Boyd, and E. Dawson, “Identity-based strong designated verifier signature schemes: attacks and new construction,” Computers and Electrical Engineering, vol. 35, no. 1, pp. 49–53, 2009. View at Publisher · View at Google Scholar · View at Scopus
  5. K. L. Wu, J. Zou, X. H. Wei, and F. Y. Liu, “Proxy group signature: a new anonymous proxy signature scheme,” in Proceedings of the 7th International Conference on Machine Learning and Cybernetics (ICMLC'08), pp. 1369–1373, Kunming, China, July 2008. View at Publisher · View at Google Scholar · View at Scopus
  6. Z. Shao, “Improvement of identity-based proxy multi-signature scheme,” The Journal of Systems and Software, vol. 82, no. 5, pp. 794–800, 2009. View at Publisher · View at Google Scholar · View at Scopus
  7. Z. H. Liu, Y. P. Hu, X. S. Zhang, and H. Ma, “Secure proxy signature scheme with fast revocation in the standard model,” Journal of China Universities of Posts and Telecommunications, vol. 16, no. 4, pp. 116–124, 2009. View at Publisher · View at Google Scholar · View at Scopus
  8. Y. Yu, C. Xu, X. Huang, and Y. Mu, “An efficient anonymous proxy signature scheme with provable security,” Computer Standards and Interfaces, vol. 31, no. 2, pp. 348–353, 2009. View at Publisher · View at Google Scholar · View at Scopus
  9. F. Cao and Z. Cao, “A secure identity-based proxy multi-signature scheme,” Information Sciences, vol. 179, no. 3, pp. 292–302, 2009. View at Publisher · View at Google Scholar · View at Scopus
  10. A. Yang and W. P. Peng, “A modified anonymous proxy signature with a trusted party,” in Proceedings of the 1st International Workshop on Education Technology and Computer Science (ETCS'09), pp. 233–236, Wuhan, China, March 2009. View at Publisher · View at Google Scholar · View at Scopus
  11. J. H. Hu and J. Zhang, “Cryptanalysis and improvement of a threshold proxy signature scheme,” Computer Standards and Interfaces, vol. 31, no. 1, pp. 169–173, 2009. View at Publisher · View at Google Scholar · View at Scopus
  12. Y. Yu, C. X. Xu, X. S. Zhang, and Y. J. Liao, “Designated verifier proxy signature scheme without random oracles,” Computers and Mathematics with Applications, vol. 57, no. 8, pp. 1352–1364, 2009. View at Publisher · View at Google Scholar · View at Scopus
  13. J. H. Zhang, C. L. Liu, and Y. I. Yang, “An efficient secure proxy verifiably encrypted signature scheme,” Journal of Network and Computer Applications, vol. 33, no. 1, pp. 29–34, 2010. View at Publisher · View at Google Scholar · View at Scopus
  14. B. D. Wei, F. G. Zhang, and X. F. Chen, “ID-based ring proxy signatures,” in Proceedings of the IEEE International Symposium on Information Theory (ISIT'07), pp. 1031–1035, Nice, France, June 2007. View at Publisher · View at Google Scholar
  15. T. S. Wu and H. Y. Lin, “Efficient self-certified proxy CAE scheme and its variants,” The Journal of Systems and Software, vol. 82, no. 6, pp. 974–980, 2009. View at Publisher · View at Google Scholar · View at Scopus
  16. S. Lal and V. Verma, “Identity based Bi-designated verifier proxy signature schemes,” Cryptography Eprint Archive Report 394, 2008.
  17. S. Lal and V. Verma, “Identity based strong designated verifier proxy signature schemes,” Cryptography Eprint Archive Report 394, 2006.
  18. C. Y. Yang, S. F. Tzeng, and M. S. Hwang, “On the efficiency of nonrepudiable threshold proxy signature scheme with known signers,” The Journal of Systems and Software, vol. 73, no. 3, pp. 507–514, 2004. View at Publisher · View at Google Scholar · View at Scopus
  19. H. Xiong, J. Hu, Z. Chen, and F. Li, “On the security of an identity based multi-proxy signature scheme,” Computers and Electrical Engineering, vol. 37, no. 2, pp. 129–135, 2011. View at Publisher · View at Google Scholar · View at Scopus
  20. Y. Sun, C. Xu, Y. Yu, and Y. Mu, “Strongly unforgeable proxy signature scheme secure in the standard model,” The Journal of Systems and Software, vol. 84, no. 9, pp. 1471–1479, 2011. View at Publisher · View at Google Scholar · View at Scopus
  21. Y. Sun, C. Xu, Y. Yu, and B. Yang, “Improvement of a proxy multi-signature scheme without random oracles,” Computer Communications, vol. 34, no. 3, pp. 257–263, 2011. View at Publisher · View at Google Scholar · View at Scopus
  22. Z. Liu, Y. Hu, X. Zhang, and H. Ma, “Provably secure multi-proxy signature scheme with revocation in the standard model,” Computer Communications, vol. 34, no. 3, pp. 494–501, 2011. View at Publisher · View at Google Scholar · View at Scopus
  23. H. Bao, Z. Cao, and S. Wang, “Improvement on Tzeng et al.'s nonrepudiable threshold multi-proxy multi-signature scheme with shared verification,” Applied Mathematics and Computation, vol. 169, no. 2, pp. 1419–1430, 2005. View at Publisher · View at Google Scholar · View at Scopus
  24. J. G. Li and Z. F. Cao, “Improvement of a threshold proxy signature scheme,” Computer Research and Development, vol. 39, no. 11, pp. 1513–1518, 2002. View at Scopus
  25. Y. Yu, Y. Mu, W. Susilo, Y. Sun, and Y. Ji, “Provably secure proxy signature scheme from factorization,” Mathematical and Computer Modelling, vol. 55, no. 3-4, pp. 1160–1168, 2012. View at Publisher · View at Google Scholar
  26. K. Shum and V. K. Wei, “A strong proxy signature scheme with proxy signer privacy protection,” in Proceedings of the 11th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE'02), pp. 55–56, Pittsburgh, Pa, USA, 2002. View at Publisher · View at Google Scholar
  27. N. Y. Lee and M. F. Lee, “The security of a strong proxy signature scheme with proxy signer privacy protection,” Applied Mathematics and Computation, vol. 161, no. 3, pp. 807–812, 2005. View at Publisher · View at Google Scholar · View at Scopus
  28. S. Saeednia, “An identity-based society oriented signature scheme with anonymous signers,” Information Processing Letters, vol. 83, no. 6, pp. 295–299, 2002. View at Publisher · View at Google Scholar · View at Scopus
  29. C. L. Hsu, T. S. Wu, and T. C. Wu, “Group-oriented signature scheme with distinguished signing authorities,” Future Generation Computer Systems, vol. 20, no. 5, pp. 865–873, 2004. View at Publisher · View at Google Scholar · View at Scopus
  30. C. Y. Lin, T. C. Wu, F. Zhang, and J. J. Hwang, “New identity-based society oriented signature schemes from pairings on elliptic curves,” Applied Mathematics and Computation, vol. 160, no. 1, pp. 245–260, 2005. View at Publisher · View at Google Scholar · View at Scopus
  31. Z. Shao, “Certificate-based verifiably encrypted signatures from pairings,” Information Sciences, vol. 178, no. 10, pp. 2360–2373, 2008. View at Publisher · View at Google Scholar · View at Scopus
  32. J. Zhang and J. Mao, “A novel ID-based designated verifier signature scheme,” Information Sciences, vol. 178, no. 3, pp. 766–773, 2008. View at Publisher · View at Google Scholar · View at Scopus
  33. Y. F. Chung, Z. Y. Wu, and T. S. Chen, “Ring signature scheme for ECC-based anonymous signcryption,” Computer Standards and Interfaces, vol. 31, no. 4, pp. 669–674, 2009. View at Publisher · View at Google Scholar · View at Scopus
  34. D. Chaum, “Blind signatures for untraceable payments,” in Advances in Cryptology: Proceedings of CRYPTO '82, pp. 199–203, Springer, New York, NY, USA, 1983.