About this Journal Submit a Manuscript Table of Contents 
Advances in Multimedia
Volume 2012 (2012), Article ID 427961, 10 pages
doi:10.1155/2012/427961
Research Article

A Novel Anonymous Proxy Signature Scheme

Jue-Sam Chou

Department of Information Management, Nanhua University, Chiayi 622, Taiwan

Received 30 April 2012; Accepted 18 July 2012

Academic Editor: Joonki Paik

Copyright © 2012 Jue-Sam Chou. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Recently, several studies about proxy signature schemes have been conducted. In 2009, Yu et al. proposed an anonymous proxy signature scheme attempting to protect the proxy signer's privacy from outsiders. They claimed that their scheme can make the proxy signer anonymous. However, based on our research, we determined that this was not the case and the proxy signer's privacy was not anonymous. Hence, in this paper, we propose a new anonymous proxy signature scheme that truly makes the proxy signer anonymous while making it more secure and efficient when compared with Yu et al.'s scheme. Our proxy signature scheme consists of two contributions. First, we mainly use random numbers and bilinear pairings to attain the anonymous property. Secondly, we increase the security and efficiency of our proxy in the design.

1. Introduction

Proxy signature schemes can be used in many business applications such as signing important documents when the original signer is not present. For example, an important document needs to be signed by the CEO, but the CEO is out of the office or not immediately available. At this time, the CEO can use the proxy signature scheme to designate the general manager or business executive to sign the document on his or her behalf. The signed document will be valid and can be verified by everyone without the CEO actually signing it. Any proxy signature scheme has to meet the identifiability, undeniability, verifiability, and unforgeability security requirements. It may be necessary to protect the proxy signer’s privacy from outsiders or third parties. In 1996, Mambo et al. [1] first proposed the concept of proxy signature. In their proposal, there are three parties: a user also called original signer, a proxy signer whom is delegated to sign a message on behalf of the original signer, and a verifier who verifies whether a signed message is legal or not.

Since Mambo et al.’s 1996 scheme, many proxy signature schemes have been proposed [127] (some other schemes though are signature schemes whereas not proxy signatures such as [2833]). Generally speaking, there are two main categories of proxy signature schemes, the first category is one-to-one and the other is one-to-many. In the former, there is one original signer and one proxy signer, but in the latter, except for the original signer, there are a group of proxy signers. The one-to-one schemes are [4, 7, 10, 12, 13, 1517, 2527] and the proxy blind signature [2], which is based on a special digital signature scheme first introduced by Chaum [34] in 1983. In the one-to-many, there are two subsets, one is the proxy multisignature and the other is the ( 𝑡 , 𝑛 ) threshold proxy signature. In the proxy multisignature [5, 6, 9, 1922], the original signer has an authorized proxy signer group, each proxy signer has to generate a partial proxy signature. If all partials of signatures are correct, the proxy signature will be generated by summation or multiplication operations of the partial proxy signatures. In the ( 𝑡 , 𝑛 ) threshold proxy signature [3, 11, 18, 23, 24], the original signer can choose the threshold and a proxy signing key is shared by 𝑛   proxy signers. Any 𝑡 of proxy signers can cooperatively derive the proxy signing key to sign the message.

In any proxy signature, the following four security properties are required.

(i) Unforgeability
Only a designated proxy signer can create a valid proxy signature for the original signer. In other words, nobody can forge a valid proxy signature without the delegation of the original signer.

(ii) Verifiability
After checking and verifying the proxy signature, a verifier can be convinced that the received message is signed by the proxy signer authorized by the original signer.

(iii) Undeniability
The proxy signer cannot repudiate the signature he produced.

(iv) Identifiability
Anyone including the original signer can determine the corresponding proxy signer’s identity from the proxy signature. That is, from the proxy signature any verifier can determine the proxy signer’s identity.

Although proxy signatures incorporate the above-mentioned security functions, they still face many threats such as man-in-the-middle, replay, frame, and public-key substitute attacks. In frame attacks [23], the malicious original signer can forge a signature after intercepting sent information and the forged signature can be accepted by the verifier. In public-key substitute attacks [24], the attacker can be either the original signer or any proxy signer. By changing their public keys, he can forge a valid proxy signature [11]. This indicates that when designing a proxy signature scheme, care should be taken to avoid these kinds of attacks.

Researchers, Shum and Wei’s [26] and Yang, and Peng [10], presented two one-to-one anonymous proxy signature (APS) schemes. They point that an APS scheme should possess not only the security features of unforgeability, verifiability, and undeniability, but also the properties of anonymity and anonymity revocation. The anonymity means that only one of the proxy signers can sign the message in the proxy signer group, other proxy signers cannot know who the signer is. And the anonymity revocation indicates that once required, the proxy signer can assure the others that he is the real signer. However, N. Y. Lee and M. F. Lee [27] indicate that Shum and Wei’s scheme [26] violates the property of the unforgeability. Yang and Peng [10] therefore proposed a modified one-to-one APS scheme. In 2009, Yu et al. [8] first proposed a one-to-many APS scheme. In their scheme, there is a group of proxy signers, but only one proxy signer can anonymously signs the message. By using a group of signers, Yu et al. want to provide privacy and anonymous protection for the real proxy signer. They claim that their scheme is provably secure. However, based on our research by just using some of the transmitted data along with public information, we were able to isolate and identify the proxy signer. More details of the analysis are described in Section 3.2.

The rest of the paper is organized as follows. In Section 2, we present the basic concepts of bilinear pairings and some related mathematical problems. In Section 3, we review and show the weakness of Yu et al.’s scheme. Section 4 shows the proposed scheme, and Section 5 makes comparison of computation efficiency between Yu et al.’s scheme and ours. Finally, a conclusion is given in Section 6.

2. Background

In this section, we describe the concept of bilinear pairings which is used as the mathematical basis for this design.

Let 𝐺 1 be a cyclic additive group of order 𝑞 generated by a base point 𝑃 on Elliptic curve and 𝐺 2 a cyclic multiplicative group with the same order. It is assumed that solving the Elliptic curve discrete logarithm problem (ECDLP) in 𝐺 1 and discrete logarithm problem (DLP) problem in 𝐺 2 is difficult. A bilinear map 𝑒 is defined as 𝑒 𝐺 1 × 𝐺 1 𝐺 2 , which has the following properties:(1)bilinearity: 𝑒 ( 𝑎 𝑃 , 𝑏 𝑄 ) = 𝑒 ( 𝑃 , 𝑄 ) 𝑎 𝑏 , where 𝑃 , 𝑄 𝐺 1 and all 𝑎 , 𝑏 𝑍 𝑞 ;(2)nondegeneracy: there exists 𝑃 , 𝑄 𝐺 1 such that 𝑒 ( 𝑃 , 𝑄 ) 1 ; in other words, the map does not send all pairs in 𝐺 1 × 𝐺 1 to the identity in 𝐺 2 ;(3)computability: there is an efficient algorithm to compute 𝑒 ( 𝑃 , 𝑄 ) for all 𝑃 , 𝑄 𝐺 1 .

3. Review of Yu et al.’s Scheme

In this section, we review Yu et al.’s APS scheme [8] and demonstrate that the original APS cannot satisfy the anonymous property in Section 3.2.

3.1. Yu et al.’s APS Scheme

There are six phases in Yu et al.’s APS scheme: ( 1 ) the parameter generation phase, ( 2 ) the key generation phase, ( 3 ) the delegation signing phase, ( 4 ) the delegation verification phase, ( 5 ) the APS generation phase, and ( 6 ) the APS verification phase. We describe them as follows.(1)In the parameter generation phase, on input of security parameter 𝑘 , a system parameter generation algorithm outputs a cyclic additive group 𝐺 1 of order 𝑞 , a multiplicative group 𝐺 2 of the same order, a bilinear map 𝑒 𝐺 1 × 𝐺 1 𝐺 2 , and a generator 𝑃 of 𝐺 1 . This algorithm also outputs two cryptographic hash functions: 𝐻 0 { 0 , 1 } × 𝐺 1 𝑍 𝑞 and 𝐻 1 { 0 , 1 } 𝐺 1 . (2)In the key generation phase as shown in Figure 1, the original signer   𝐴 𝑙 𝑖 𝑐 𝑒 selects 𝑥 𝑜 𝑍 𝑞 as her private key and computes her public key as 𝑌 𝑜 = 𝑥 𝑜 𝑃 . Each proxy signer   𝑢 𝑖 𝒰 randomly selects 𝑥 𝑖 𝑍 𝑞 as his/her private key and sets the corresponding public key as 𝑌 𝑖 = 𝑥 𝑖 𝑃 . (3)In the delegation signing phase, 𝐴 𝑙 𝑖 𝑐 𝑒 firstly generates a warrant 𝑚 𝑤 which contains some explicit descriptions about the delegation relation such as the identities of both 𝐴 𝑙 𝑖 𝑐 𝑒 and the proxy signers, the expiration time of the delegation, and the signing power in the warrant. Then, 𝐴 𝑙 𝑖 𝑐 𝑒 randomly picks a number 𝑟 𝑍 𝑞 and computes 𝑅 = 𝑟 𝑃 and 𝑠 = 𝑟 + 𝑥 𝑜 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) m o d 𝑞 . Finally, 𝐴 𝑙 𝑖 𝑐 𝑒 sends ( 𝑚 𝑤 , 𝑅 , 𝑠 ) to the proxy signers in set 𝒰 = { 𝑢 1 , , 𝑢 𝑛 } .(4)Upon receiving ( 𝑚 𝑤 , 𝑅 , 𝑠 ) , each proxy signer   𝑢 𝑖 checks if the equation 𝑠 𝑃 = 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) 𝑌 𝑜 holds. If it does not, the delegation will be rejected. Otherwise, it will be accepted and each proxy signer   𝑢 𝑖 computes his/her proxy secret key as p s k 𝑖 = 𝑠 + 𝑥 𝑖 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) m o d 𝑞 . (5)In the APS generation phase as shown in Figure 2, proxy signer   𝑢 𝑠 𝒰 signs on a message 𝑚 with his proxy secret key   p s k 𝑠 on behalf of the original signer, 𝐴 𝑙 𝑖 𝑐 𝑒 , in an anonymous way. 𝑢 𝑠 first chooses random numbers 𝑟 𝑖 𝑍 𝑞 , where 𝑖 { 1 , 2 , , 𝑛 } and 𝑖 𝑠 , computes both 𝜎 𝑖 = 𝑟 𝑖 𝑃 and 𝜎 𝑠 = ( 1 / p s k 𝑠 ) ( 𝐻 1 ( 𝑚 𝑚 𝑤 ) 𝑖 𝑠 𝑟 𝑖 ( 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) ( 𝑌 𝑜 + 𝑌 𝑖 ) ) ) , and sends 𝜎 = ( 𝜎 1 , 𝜎 2 , , 𝜎 𝑛 , 𝑚 , 𝑚 𝑤 , 𝑅 ) to the verifier.(6)In the APS verification phase, given public keys 𝑌 𝑜 , 𝑌 1 , , 𝑌 𝑛 and a received anonymous proxy signature 𝜎 , the verifier can examine the validity of the signature 𝜎 by checking whether the following expression holds: 𝑛 𝑖 = 1 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝜎 𝑖 = 𝑛 𝑖 = 1 , 𝑖 𝑠 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝜎 𝑖 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑠 , 𝜎 𝑠 = 𝑛 𝑖 = 1 , 𝑖 𝑠 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑠 , 1 p s k 𝑠 × 𝐻 1 𝑚 𝑚 𝑤 𝑖 𝑠 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 = 𝑛 𝑖 = 1 , 𝑖 𝑠 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 𝑖 𝑠 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 = 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 . ( 1 )

427961.fig.001
Figure 1: Key generation, delegation signing, and delegation verification phases of Yu et al.’s scheme.
427961.fig.002
Figure 2: APS generation phase and the APS verification phase of Yu et al.’s scheme.
3.2. Weakness of Yu et al.’s Scheme

After reviewing Yu et al.’s scheme above, we now explain the violation of the scheme’s anonymous property which they emphasized as follows.

Since 𝑅 , 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) , and ( 𝑌 𝑜 + 𝑌 𝑠 ) are public, we can obtain p s k 𝑠 𝑃 by deducing p s k 𝑠 𝑃 = 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) ( 𝑌 𝑜 + 𝑌 𝑠 ) because p s k 𝑠 𝑃 = 𝑠 + 𝑥 𝑖 𝐻 0 𝑚 𝑤 𝑃 = , 𝑅 𝑟 + 𝑥 𝑜 𝐻 0 𝑚 𝑤 , 𝑅 + 𝑥 𝑖 𝐻 0 𝑚 𝑤 𝑃 = 𝑥 , 𝑅 𝑟 + 𝑜 + 𝑥 𝑖 𝐻 0 𝑚 𝑤 𝑃 = 𝑥 , 𝑅 𝑟 𝑃 + 𝑜 + 𝑥 𝑖 𝐻 0 𝑚 𝑤 𝑃 , 𝑅 = 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑠 . ( 2 )

Next, we define an inspector 𝐗 to be 𝑒 ( p s k 𝑥 𝑃 , 𝜎 𝑗 ) , where p s k 𝑥 is 𝑢 𝑥 ’s secret proxy key, 𝜎 𝑗 is a specific subsignature in 𝜎 , and 𝑥 , 𝑗 { 1 , 𝑛 } . In addition, we define 𝐘 to be 𝑛 𝑖 = 1 , 𝑖 𝑥 𝑒 ( ( 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) ( 𝑌 𝑜 + 𝑌 𝑖 ) ) , 𝜎 𝑖 ) . Then, if there exist some 𝑥 and 𝑗 satisfying 𝐗 𝐘 = 𝑒 ( 𝑃 , 𝐻 1 ( 𝑚 𝑚 𝑤 ) ) , we can determine that 𝑥 should be equal to 𝑗 , and 𝑢 𝑗 is then the right proxy signer. This is because if 𝑢 𝑗 is the right proxy signer, then the corresponding subsignature 𝜎 𝑗 must have the factor 1 / p s k 𝑗 , and therefore only applying the right p s k 𝑥 𝑃 , that is, 𝑥 = 𝑗 , can cancel the factor result in the holing of the end. Otherwise, we continue to examine next possible 𝑥 or 𝑗 . By doing this way, we can deduce the right proxy signer at most 𝑛 2 times.

For more clarity, we take three proxy signers, 𝑢 1 , 𝑢 2 , 𝑢 3 , as an example. Suppose 𝑢 2 is the real proxy signer, then 𝜎 1 = 𝑟 1 𝑃 , 𝜎 2 = ( p s k 2 ) 1 ( 𝐻 1 ( 𝑚 𝑚 𝑤 ) 3 𝑖 = 1 , 𝑖 1 𝑟 𝑖 ( 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) ( 𝑌 𝑜 + 𝑌 𝑖 ) ) ) and 𝜎 3 = 𝑟 3 𝑃 .

If we first try 𝜎 1 with different 𝑥 = 1 , 2 , 3 , then we have three tries as in the following. (1.1) When 𝑥 = 1 and thus 𝐗 = 𝑒 ( p s k 1 𝑃 , 𝜎 1 ) , the value 𝐗 𝐘 should be 𝑒 p s k 1 𝑃 , 𝜎 1 3 𝑖 = 1 , 𝑖 2 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 = 𝑒 𝑃 , p s k 1 𝜎 1 3 𝑖 = 1 , 𝑖 2 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑟 𝑖 𝑃 = 𝑒 𝑃 , p s k 1 𝑟 1 𝑃 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 1 , 𝜎 2 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 3 , 𝜎 3 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 . ( 3 ) (1.2) When 𝑥 = 2 and thus 𝐗 = 𝑒 ( p s k 2 𝑃 , 𝜎 1 ) , the value 𝐗 𝐘 should be 𝑒 p s k 2 𝑃 , 𝜎 1 3 𝑖 = 1 , 𝑖 2 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 = 𝑒 𝑃 , p s k 2 𝜎 1 3 𝑖 = 1 , 𝑖 2 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑟 𝑖 𝑃 = 𝑒 𝑃 , p s k 2 𝑟 1 𝑃 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 1 , 𝜎 2 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 3 , 𝜎 3 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 . ( 4 ) (1.3) When 𝑥 = 3 and thus 𝐗 = 𝑒 ( p s k 3 𝑃 , 𝜎 1 ) , the value 𝐗 𝐘 should be 𝑒 p s k 3 𝑃 , 𝜎 1 3 𝑖 = 1 , 𝑖 2 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 = 𝑒 𝑃 , p s k 3 𝜎 1 3 𝑖 = 1 , 𝑖 2 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑟 𝑖 𝑃 = 𝑒 𝑃 , p s k 3 𝑟 1 𝑃 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 2 , 𝜎 2 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 1 , 𝜎 3 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 . ( 5 )

Secondly, if we try 𝜎 2 with different 𝑥 = 1 , 2 , 3 , then we have three tries as in the following. (2.1) When 𝑥 = 1 and thus 𝐗 = 𝑒 ( p s k 1 𝑃 , 𝜎 2 ) , the value 𝐗 𝐘 should be 𝑒 p s k 1 𝑃 , 𝜎 2 3 𝑖 = 1 , 𝑖 2 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 = 𝑒 𝑃 , p s k 1 𝜎 2 3 𝑖 = 1 , 𝑖 2 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑟 𝑖 𝑃 = 𝑒 𝑃 , p s k 1 𝑟 2 𝑃 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 1 , 𝜎 1 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 3 , 𝜎 3 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 . ( 6 ) (2.2)When 𝑥 = 2 and thus 𝐗 = 𝑒 ( p s k 2 𝑃 , 𝜎 2 ) , the value 𝐗 𝐘 should be 𝑒 p s k 2 𝑃 , 𝜎 2 3 𝑖 = 1 , 𝑖 1 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 = 𝑒 𝑃 , p s k 2 𝜎 2 3 𝑖 = 1 , 𝑖 1 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 = 𝑒 𝑃 , p s k 2 1 p s k 2 𝐻 1 𝑚 𝑚 𝑤 𝑖 𝑠 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 3 𝑖 = 1 , 𝑖 1 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 = 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 𝑖 1 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 3 𝑖 = 1 , 𝑖 1 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 = 𝑒 , 𝑃 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 𝑒 𝑃 , 𝑟 1 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 1 𝑒 𝑃 , 𝑟 3 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 3 𝑒 P , 𝑟 1 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 1 𝑒 𝑃 , 𝑟 3 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 3 = 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 𝑒 𝜎 1 , 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 1 𝜎 𝑒 3 , 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 3 𝜎 𝑒 1 , 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 1 𝑒 𝜎 3 , 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 3 = 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 . ( 7 ) (2.3) When 𝑥 = 3 and thus 𝐗 = 𝑒 ( p s k 3 𝑃 , 𝜎 2 ) , the value 𝐗 𝐘 should be 𝑒 p s k 3 𝑃 , 𝜎 2 3 𝑖 = 1 , 𝑖 2 𝑒 𝑟 𝑖 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑃 = 𝑒 𝑃 , p s k 3 𝜎 2 3 𝑖 = 1 , 𝑖 2 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 𝑖 , 𝑟 𝑖 𝑃 = 𝑒 𝑃 , p s k 3 𝑟 2 𝑃 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 1 , 𝜎 1 𝑒 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 + 𝑌 3 , 𝜎 3 𝑒 𝑃 , 𝐻 1 𝑚 𝑚 𝑤 . ( 8 )

From the above demonstration, for inspector 𝐗 = 𝑒 ( p s k 𝑥 𝑃 , 𝜎 𝑗 ) , only when the subscript 𝑥 = 𝑗 = 2 , the result of 𝐗 𝐘 is 𝑒 ( 𝑃 , 𝐻 1 ( 𝑚 𝑚 𝑤 ) . Therefore, we determined that 𝑢 2 is the right proxy signer and the anonymous property that they emphasized is broken.

4. Proposed Scheme

In this section, we propose a new one-to-many APS scheme to correct the anonymous flaw as discovered in Section 3. Our scheme is the same as theirs in the first two phases. The differences are in the last four phases, the delegation signing, delegation verification, APS generation, and APS verification phase. More details of our APS are shown in Section 4.1. Its correctness is demonstrated in Section 4.2 and the APS requirements are analyzed in Section 4.3. Before describing our protocol, we define some basic notations listed in Table 1.

tab1
Table 1: The definitions of used notations

4.1. The New Proposed APS Scheme

In our APS scheme, there also exist an original signer   𝐴 𝑙 𝑖 𝑐 𝑒 and a proxy signer group   { 𝒫 1 , 𝒫 2 , , 𝒫 𝑛 } , and only one proxy signer in the proxy signers group can sign the message. For more clarity, we show our scheme in detail as follows. The proposed scheme consists of six phases: (1) the parameter generation phase, (2) key generation phase, (3) delegation signing phase, (4) delegation verification phase, (5) APS generation phase, and (6) APS verification phase. Phases (1) and (2) are the same as in Yu et al.’s scheme, which has been delineated in Section 3.1. We omit these phases in the following but show phases (3) and (4) in Figure 3 and phases (5) and (6) in Figure 4.(3) In the delegation signing phase, as shown in Figure 3, the original signer randomly selects a number 𝑟 𝑍 𝑞 and uses 𝑟 to compute 𝑅 = 𝑟 𝑃 and 𝑣 = 𝑟 + 𝑥 0 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) . Then, the original signer sends ( 𝑚 𝑤 , 𝑅 , 𝑣 ) to each proxy signer   𝒫 𝑖 { 𝒫 1 , 𝒫 2 , , 𝒫 𝑛 } with warrant 𝑚 𝑤 , where warrant contains the records of the original signer’s and proxy signer’s identities, delegation, authorization period, valid period, and so forth.(4) In the delegation verification phase, after receiving ( 𝑚 𝑤 , 𝑅 , 𝑣 ) the proxy signer   𝒫 𝑖 first checks whether the equation 𝑣 𝑃 ? = 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) 𝑌 𝑜 holds. If it does not, stop the protocol, otherwise, he stores ( 𝑚 𝑤 , 𝑅 ) . Second, when signing message 𝑚 , 𝒫 𝑖 chooses random numbers 𝑟 𝑖 𝑍 𝑞 , 𝑖 = 1 to 𝑛 , and 𝑉 = 𝑣 𝑃 computes 𝑐 = 𝐻 1 ( 𝑟 1 𝑟 𝑛 ) , 𝑈 = 𝑐 𝑃 , and the proxy secret key, p s k 𝑖 = 𝑟 𝑖 1 𝑥 𝑖 1 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) .(5) In the APS generation phase, as shown in Figure 4, let 𝒫 𝑠 be the real proxy signer. He computes 𝜎 𝑖 = 𝑟 𝑖 𝑉 , where 𝑖 { 1 , 2 , , 𝑛 } and 𝑖 𝑠 and computes 𝐿 = 𝑐 𝑥 𝑠 1 𝑉 , then sets 𝑌 , 𝜎 𝑠 , 𝑝 𝜎 s u m = 𝑛 𝑖 = 1 𝜎 𝑖 , 𝐴 , 𝐵 , 𝐶 , and 𝐷 , as 𝑌 = 𝑛 𝑖 = 1 𝑌 𝑖 , 𝜎 𝑠 = p s k 𝑠 𝑌 = 𝑟 𝑠 1 𝑥 𝑠 1 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) 𝑌 , 𝐴 = 𝑟 𝑠 𝑐 p s k 𝑠 𝑃 , 𝐵 = 𝑟 𝑠 𝜎 𝑠 , 𝐶 = 𝑟 𝑠 𝑝 𝜎 s u m , and 𝐷 = 𝑟 𝑠 𝑐 𝑉 , respectively. Finally, 𝒫 𝑠 outputs 𝜎 = ( 𝜎 1 , 𝜎 2 , , 𝜎 𝑛 , 𝑚 , 𝑚 𝑤 , 𝑐 , 𝐴 , 𝐵 , 𝐶 , 𝐷 , 𝐿 , 𝑈 , 𝑉 ) as the anonymous proxy signature and sends 𝜎 to the verifier. (6) In APS verification phase, upon receiving the proxy signature the verifier computes 𝑛 𝑖 = 1 𝑌 𝑖 = 𝑌 and checks whether the equation 𝑒 ( 𝐷 , 𝑛 𝑖 = 1 𝜎 𝑖 ) 𝑒 ( 𝐴 , 𝑌 ) ? = 𝑒 ( 𝑐 𝑉 , 𝐶 𝐵 ) 𝑒 ( 𝐿 , 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) 𝑌 ) 𝑒 ( 𝑈 , 𝐵 ) holds. If it holds, the verifier accepts the signature, otherwise rejects it.

427961.fig.003
Figure 3: The delegation signing and delegation verification phases of our scheme.
427961.fig.004
Figure 4: Anonymous proxy signature generation phase and the verification phase of our scheme.
4.2. Correctness

In the delegation verification phase, each proxy signer can check whether the equation 𝑣 𝑃 ? = 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) 𝑌 𝑜 holds as follows.

Proof (first proof). 𝑣 𝑃 ? = 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 𝑣 𝑃 = 𝑟 + 𝑥 𝑜 𝐻 0 𝑚 𝑤 𝑃 , 𝑅 = 𝑟 𝑃 + 𝑥 𝑜 𝐻 0 𝑚 𝑤 𝑃 , 𝑅 = 𝑅 + 𝐻 0 𝑚 𝑤 𝑌 , 𝑅 𝑜 . ( 9 )

If it holds, the proxy signer can know that the message is sent from the original signer. Because in the verification equation, he use the original signer’s public key 𝑌 𝑜 to examine it. If any adversary intercepts the message and modify it, it cannot pass the verification equation.

In the proxy signature verification phase, the following equation gives the correctness of the verification.

Proof (second proof). 𝑛 𝑖 = 1 𝑒 𝐷 , 𝜎 𝑖 𝑒 ( 𝐴 , 𝑌 ) ? = 𝑒 ( 𝑐 𝑉 , 𝐶 𝐵 ) 𝑒 𝐿 , 𝐻 2 𝑚 𝑤 𝑌 𝑚 , 𝑉 , 𝑈 𝑒 ( 𝑈 , 𝐵 ) 𝑛 𝑖 = 1 𝑒 𝐷 , 𝜎 𝑖 = 𝑒 ( 𝐴 , 𝑌 ) 𝑛 𝑖 = 1 , 𝑖 𝑠 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝜎 𝑖 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝜎 𝑠 𝑟 𝑒 𝑠 𝑐 p s k 𝑠 = 𝑃 , 𝑌 𝑛 𝑖 = 1 , 𝑖 𝑠 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝜎 𝑖 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝑟 𝑠 1 𝑥 𝑠 1 𝐻 2 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 𝑌 ) 𝑒 𝑐 𝑃 , 𝑟 𝑠 p s k 𝑠 𝑌 = 𝑛 𝑖 = 1 , 𝑖 𝑠 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝜎 𝑖 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝑟 𝑠 1 𝑥 𝑠 1 𝐻 2 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 𝑌 ) 𝑒 𝑐 𝑃 , 𝑟 𝑠 𝜎 𝑠 = 𝑛 𝑖 = 1 , 𝑖 𝑠 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝜎 𝑖 𝑥 𝑒 𝑠 1 𝑐 𝑉 , 𝐻 2 𝑚 𝑤 = 𝑚 , 𝑉 , 𝑈 𝑌 𝑒 ( 𝑈 , 𝐵 ) 𝑛 𝑖 = 1 , 𝑖 𝑠 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝜎 𝑖 𝑒 𝐿 , 𝐻 2 𝑚 𝑤 𝑌 𝑚 , 𝑉 , 𝑈 𝑒 ( 𝑈 , 𝐵 ) = 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝑛 𝑖 = 1 , 𝑖 𝑠 𝜎 𝑖 𝑒 𝐿 , 𝐻 2 𝑚 𝑤 𝑌 𝑚 , 𝑉 , 𝑈 𝑒 ( 𝑈 , 𝐵 ) = 𝑒 𝑐 𝑟 𝑠 𝑉 , 𝑝 𝜎 s u m 𝜎 𝑠 𝑒 𝐿 , 𝐻 2 𝑚 𝑤 𝑌 𝑚 , 𝑉 , 𝑈 𝑒 ( 𝑈 , 𝐵 ) = 𝑒 𝑐 𝑉 , 𝑟 𝑠 𝑝 𝜎 s u m 𝜎 𝑠 𝑒 𝐿 , 𝐻 2 𝑚 𝑤 𝑌 𝑚 , 𝑉 , 𝑈 𝑒 ( 𝑈 , 𝐵 ) = 𝑒 𝑐 𝑉 , 𝑟 𝑠 𝑝 𝜎 s u m 𝜎 𝑠 𝑒 𝐿 , 𝐻 2 𝑚 𝑤 𝑌 𝑚 , 𝑉 , 𝑈 𝑒 ( 𝑈 , 𝐵 ) = 𝑒 ( 𝑐 𝑉 , 𝐶 𝐵 ) 𝑒 𝐿 , 𝐻 2 𝑚 𝑤 𝑌 𝑚 , 𝑉 , 𝑈 𝑒 ( 𝑈 , 𝐵 ) . ( 1 0 )

4.3. Security Analyses

In this section, we demonstrate that our APS scheme can satisfy the security properties as discussed in Section 1 for (1) verifiability, (2) unforgeability, (3) undeniability, (4) anonymity, and (5) anonymity revocation. Now, we demonstrate why our scheme can satisfy these five security properties as follows.

(1) Verifiability
In APS verification phase, after checking and verifying the proxy signature 𝜎 , where 𝜎 = ( 𝜎 1 , 𝜎 2 , , 𝜎 𝑛 , 𝑚 , 𝑚 𝑤 , 𝑐 , 𝐴 , 𝐵 , 𝐶 , 𝐷 , 𝐿 , 𝑈 , 𝑉 ) , the verifier can calculate to check whether the verification equation ( 𝑛 𝑖 = 1 𝑒 ( 𝐷 , 𝜎 𝑖 ) ) 𝑒 ( 𝐴 , 𝑌 ) ? = 𝑒 ( 𝑐 𝑉 , 𝐶 𝐵 ) 𝑒 ( 𝐿 , 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) 𝑌 ) 𝑒 ( 𝑈 , 𝐵 ) holds. If it does, the verifier can be convinced that the received message is signed by one of the proxy signer members authorized by the original signer because 𝑌 ( = 𝑛 𝑖 = 1 𝑌 𝑖 ) and 𝑉 ( = 𝑣 𝑃 = 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) 𝑌 𝑜 ) are used in the verification equation.

(2) Unforgeability
It means that any entity (other than the real proxy signer   𝒫 𝑠 ), including the original signer, cannot generate a valid proxy signature. Only an authorized proxy signer   𝒫 𝑠 can create a valid proxy signature 𝜎 . If any attacker wants to forge a proxy signature, he must be authorized by the original signer signing on a warrant 𝑚 𝑤 and use the proxy signer’s proxy secret key   p s k 𝑠 to compute 𝜎 𝑠 . However, this is impossible since the identity of the attacker wasn not in 𝑚 𝑤 signed by the original signer. Not to mention, he does not know p s k 𝑠 . Under this situation, even if he want to (1) fake the proxy signer key as p s k 𝑠 , (2) change value 𝑐 to 𝑐 , or (3) randomly select 𝑟 𝑠 𝑍 𝑞 , trying to counterfeit the proxy signature, we demonstrate that his attempt deems to fail. We demonstrate the reasons for the failures of these three cases in the following.

Case 1. If an attacker does not know the proxy secret key   p s k 𝑠 , he cannot generate valid 𝜎 𝑠 ( = p s k 𝑠 𝑌 ) , 𝑝 𝜎 s u m ( = 𝑛 𝑖 = 1 𝜎 𝑖 ) , 𝐴 ( = 𝑟 𝑠 𝑐 p s k 𝑠 𝑃 ) , 𝐵 ( = 𝑟 𝑠 𝜎 𝑠 ) , and 𝐶 ( = 𝑟 𝑠 𝑝 𝜎 s u m ) . Even if he uses a random p s k 𝑠 to sign the message, since p s k 𝑠 = 𝑟 𝑠 1 𝑥 𝑠 1 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) , he cannot evaluate the right value 𝑥 𝑠 1 for computing 𝐿 to be successfully verified in the verification equation.

Case 2. Because 𝑐 is changed to 𝑐 , this results in at least one of the random numbers 𝑟 𝑖 should also be modified. Without loss of generality, we let 𝑟 𝑖 = 𝑟 1 𝑟 𝑠 . Accordingly, all the parameters 𝑈 ( = 𝑐 𝑃 ) , p s k 𝑠 ( = 𝑟 𝑠 1 𝑥 𝑠 1 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) ) , 𝜎 𝑠 ( = p s k 𝑠 𝑌 ) , 𝑝 𝜎 s u m ( = 𝑛 𝑖 = 1 𝜎 𝑖 ) , 𝐴 ( = 𝑟 𝑠 𝑐 p s k 𝑠 𝑃 ) , 𝐵 ( = 𝑟 𝑠 𝜎 𝑠 ) , 𝐶 ( = 𝑟 𝑠 𝑝 𝜎 s u m ) , 𝐷 ( = 𝑟 𝑠 𝑐 𝑉 ) , and 𝐿 ( = 𝑐 𝑥 𝑠 1 𝑉 ) are changed as well. That is 𝜎 = ( 𝜎 1 , 𝜎 2 , , 𝜎 𝑠 , 𝜎 𝑠 + 1 , , 𝜎 𝑛 , 𝑚 , 𝑚 𝑤 , 𝑐 , 𝐴 , 𝐵 , 𝐶 , 𝐷 , 𝐿 , 𝑈 , 𝑉 ). Apparently, the verification equation ( 𝑛 𝑖 = 1 𝑒 ( 𝐷 , 𝜎 𝑖 ) ) 𝑒 ( 𝐴 , 𝑌 ) = 𝑒 ( 𝑐 𝑉 , 𝐶 𝐵 ) 𝑒 ( 𝐿 , 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) 𝑌 ) 𝑒 ( 𝑈 , 𝐵 ) cannot hold. Below, we only show the inequality of portion of the verification equation 𝑒 ( 𝐴 , 𝑌 ) = 𝑒 ( 𝑈 , 𝐵 ) : 𝑒 𝐴 𝑟 , 𝑌 = 𝑒 𝑠 𝑐 p s k 𝑠 𝑐 𝑃 , 𝑌 = 𝑒 𝑃 , 𝑟 𝑠 p s k 𝑠 𝑌 𝑐 = 𝑒 𝑃 , 𝑟 𝑠 𝜎 𝑠 𝑒 ( 𝑈 , 𝐵 ) . ( 1 1 )

Case 3. In this case, if any attacker randomly selects 𝑟 𝑠 𝑍 𝑞 , trying to generate the valid proxy signature 𝜎 . Accordingly, the parameters 𝑈 ( = 𝑐 𝑃 ) , p s k 𝑠 ( = 𝑟 𝑠 1 𝑥 𝑠 1 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) ) , 𝜎 𝑠 ( = 𝑟 𝑠 1 𝑥 𝑠 1 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) 𝑌 ) , 𝑝 𝜎 s u m ( = 𝑛 𝑖 = 1 𝜎 𝑖 ) , 𝐴 ( = 𝑟 𝑠 𝑐 p s k 𝑠 𝑃 ) , 𝐵 ( = 𝑟 𝑠 𝜎 𝑠 ) , 𝐶 ( = 𝑟 𝑠 𝑝 𝜎 s u m ) , 𝐷 ( = 𝑟 𝑠 𝑐 𝑉 ) , and 𝐿 ( = 𝑐 𝑥 𝑠 1 𝑉 ) are all changed. Therefore, the signature now becomes 𝜎 = ( 𝜎 1 , 𝜎 2 , , 𝜎 𝑠 , 𝜎 𝑠 + 1 , , 𝜎 𝑛 , 𝑚 , 𝑚 𝑤 , 𝑐 , 𝐴 , 𝐵 , 𝐶 , 𝐷 , 𝐿 , 𝑈 , 𝑉 ) . As in Case 1, the verifier checks whether 𝑒 ( 𝐴 , 𝑌 ) = 𝑒 ( 𝑈 , 𝐵 ) holds or not. Apparently, it cannot pass the verification.

(3) Undeniability
As in Section 4.2 proof (second proof), the verifier uses the verification equation: ( 𝑛 𝑖 = 1 𝑒 ( 𝐷 , 𝜎 𝑖 ) ) 𝑒 ( 𝐴 , 𝑌 ) = 𝑒 ( 𝑐 𝑉 , 𝐶 𝐵 ) 𝑒 ( 𝐿 , 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) 𝑌 ) 𝑒 ( 𝑈 , 𝐵 ) to check whether the proxy signature comes from one of the members in the proxy signer group. Since the equation 𝑉 ( = 𝑣 𝑃 = 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) 𝑌 𝑜 ) includes the original signer’s public key 𝑌 𝑜 and 𝑌 = 𝑛 𝑖 = 1 𝑌 𝑖 , it means the original signer and the proxy signer group cannot repudiate their participations in the signature generation.

(4) Anonymity
In the APS generation phase, all the parameters A, B, C, D, and 𝐿 have to be multiplied by 𝑟 𝑠 𝑍 𝑞 to make the proxy signature 𝜎 anonymous. If any attacker wants to know who is the real proxy signer, he must know the value 𝑟 𝑠 to use 𝑟 𝑠 1 for unrandomizing all parameters to get 𝐴 ( = 𝑐 p s k 𝑠 𝑃 ) , 𝐵 ( = 𝜎 𝑠 ) , 𝐶 ( = 𝑝 𝜎 s u m ) , 𝐷 ( = 𝑐 𝑉 ) , and 𝜎 𝑠 ( = 𝑥 𝑠 1 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) 𝑌 ) . But now 𝜎 𝑖 = 𝑟 𝑖 𝑉 , 𝑖 𝑠 , even the attacker knows 𝑟 𝑠 , without the knowledge of 𝑟 𝑖 and 𝑥 𝑠 , he cannot know who the real signer is. Not to mention, he cannot know the value of 𝑟 𝑠 . It means that anyone cannot know who signs the signature. Hence, the anonymity holds.

(5) Anonymity Revocation
In our scheme, only the proxy signer knows 𝑟 𝑠 1 and the secret 𝑥 𝑠 1 . He can convince the others that he is the real proxy signer by just showing them 𝑟 𝑠 1 and the holdness of the equation 𝑟 𝑠 𝑥 𝑠 𝜎 𝑠 = 𝐻 2 ( 𝑚 𝑤 𝑚 , 𝑉 , 𝑈 ) 𝑌 without revealing 𝑥 𝑠 in polynomial time.

5. Comparisons

In this section, we compare the computational cost between Yu et al.’s APS scheme and ours and summarize the result in Table 2. We denote by 𝑒 the pairing operation, Pm and Pa the point multiplication and point addition on 𝐺 1 respectively, and by 𝑛 the number of proxy signers. In Yu et al.’s APS scheme, the generation and verification of p s k should be ( 2 𝑛 + 1 ) P m + 𝑛 P a instead of ( 𝑛 + 1 ) P m operations. Because in Yu et al.’s scheme, the generation and verification of p s k are 𝑅 = 𝑟 𝑃 and 𝑠 𝑃 = 𝑅 + 𝐻 0 ( 𝑚 𝑤 , 𝑅 ) 𝑌 0 , the 𝑠 𝑃 should be computed by 𝑛   proxy signers. The APS verification should be ( 𝑛 + 1 ) 𝑒 + 𝑛 P m + 2 𝑛 P a rather than the original ( 𝑛 + 1 ) 𝑒 + 𝑛 P m + ( 𝑛 + 1 ) P a as listed in the table of [8]. From Table 2, we can see that our scheme is more efficient than Yu et al.’s protocol.

tab2
Table 2: Comparison of computational costs of our scheme and Yu et al.'s scheme.

6. Conclusions

In 2009, Yu et al. first proposed a one-to-many APS scheme attempting to protect the proxy signer’s privacy while maintaining secrecy to outsiders. However, after analyses, we determined that Yu et al.’s original protocol could not satisfy the anonymous property. Accordingly, we proposed a novel one-to-many APS scheme to reach the goal. Our construction makes use of a random number 𝑟 𝑠 , one-way hash function and bilinear pairings to make the proxy signature anonymous. After comparisons, we conclude that our new protocol is a significant improvement against attackers trying to reveal the identity of the real signer and is more efficient in computational cost as demonstrated in Table 2.

References

  1. M. Mambo, K. Usuda, and E. Okamoto, “Proxy signature: delegation of the power to sign messages,” IEICE—Transactions on Fundamentals of Electronics, vol. E79-A, no. 9, pp. 1338–1354, 1996.
  2. R. Lu, Z. Cao, and Y. Zhou, “Proxy blind multi-signature scheme without a secure channel,” Applied Mathematics and Computation, vol. 164, no. 1, pp. 179–187, 2005. View at Publisher · View at Google Scholar · View at Scopus
  3. H. F. Huang and C. C. Chang, “A novel efficient (t, n) threshold proxy signature scheme,” Information Sciences, vol. 176, no. 10, pp. 1338–1349, 2006. View at Publisher · View at Google Scholar · View at Scopus
  4. B. Kang, C. Boyd, and E. Dawson, “Identity-based strong designated verifier signature schemes: attacks and new construction,” Computers and Electrical Engineering, vol. 35, no. 1, pp. 49–53, 2009. View at Publisher · View at Google Scholar · View at Scopus
  5. K. L. Wu, J. Zou, X. H. Wei, and F. Y. Liu, “Proxy group signature: a new anonymous proxy signature scheme,” in Proceedings of the 7th International Conference on Machine Learning and Cybernetics (ICMLC'08), pp. 1369–1373, Kunming, China, July 2008. View at Publisher · View at Google Scholar · View at Scopus
  6. Z. Shao, “Improvement of identity-based proxy multi-signature scheme,” The Journal of Systems and Software, vol. 82, no. 5, pp. 794–800, 2009. View at Publisher · View at Google Scholar · View at Scopus
  7. Z. H. Liu, Y. P. Hu, X. S. Zhang, and H. Ma, “Secure proxy signature scheme with fast revocation in the standard model,” Journal of China Universities of Posts and Telecommunications, vol. 16, no. 4, pp. 116–124, 2009. View at Publisher · View at Google Scholar · View at Scopus
  8. Y. Yu, C. Xu, X. Huang, and Y. Mu, “An efficient anonymous proxy signature scheme with provable security,” Computer Standards and Interfaces, vol. 31, no. 2, pp. 348–353, 2009. View at Publisher · View at Google Scholar · View at Scopus
  9. F. Cao and Z. Cao, “A secure identity-based proxy multi-signature scheme,” Information Sciences, vol. 179, no. 3, pp. 292–302, 2009. View at Publisher · View at Google Scholar · View at Scopus
  10. A. Yang and W. P. Peng, “A modified anonymous proxy signature with a trusted party,” in Proceedings of the 1st International Workshop on Education Technology and Computer Science (ETCS'09), pp. 233–236, Wuhan, China, March 2009. View at Publisher · View at Google Scholar · View at Scopus
  11. J. H. Hu and J. Zhang, “Cryptanalysis and improvement of a threshold proxy signature scheme,” Computer Standards and Interfaces, vol. 31, no. 1, pp. 169–173, 2009. View at Publisher · View at Google Scholar · View at Scopus
  12. Y. Yu, C. X. Xu, X. S. Zhang, and Y. J. Liao, “Designated verifier proxy signature scheme without random oracles,” Computers and Mathematics with Applications, vol. 57, no. 8, pp. 1352–1364, 2009. View at Publisher · View at Google Scholar · View at Scopus
  13. J. H. Zhang, C. L. Liu, and Y. I. Yang, “An efficient secure proxy verifiably encrypted signature scheme,” Journal of Network and Computer Applications, vol. 33, no. 1, pp. 29–34, 2010. View at Publisher · View at Google Scholar · View at Scopus
  14. B. D. Wei, F. G. Zhang, and X. F. Chen, “ID-based ring proxy signatures,” in Proceedings of the IEEE International Symposium on Information Theory (ISIT'07), pp. 1031–1035, Nice, France, June 2007. View at Publisher · View at Google Scholar
  15. T. S. Wu and H. Y. Lin, “Efficient self-certified proxy CAE scheme and its variants,” The Journal of Systems and Software, vol. 82, no. 6, pp. 974–980, 2009. View at Publisher · View at Google Scholar · View at Scopus
  16. S. Lal and V. Verma, “Identity based Bi-designated verifier proxy signature schemes,” Cryptography Eprint Archive Report 394, 2008.
  17. S. Lal and V. Verma, “Identity based strong designated verifier proxy signature schemes,” Cryptography Eprint Archive Report 394, 2006.
  18. C. Y. Yang, S. F. Tzeng, and M. S. Hwang, “On the efficiency of nonrepudiable threshold proxy signature scheme with known signers,” The Journal of Systems and Software, vol. 73, no. 3, pp. 507–514, 2004. View at Publisher · View at Google Scholar · View at Scopus
  19. H. Xiong, J. Hu, Z. Chen, and F. Li, “On the security of an identity based multi-proxy signature scheme,” Computers and Electrical Engineering, vol. 37, no. 2, pp. 129–135, 2011. View at Publisher · View at Google Scholar · View at Scopus
  20. Y. Sun, C. Xu, Y. Yu, and Y. Mu, “Strongly unforgeable proxy signature scheme secure in the standard model,” The Journal of Systems and Software, vol. 84, no. 9, pp. 1471–1479, 2011. View at Publisher · View at Google Scholar · View at Scopus
  21. Y. Sun, C. Xu, Y. Yu, and B. Yang, “Improvement of a proxy multi-signature scheme without random oracles,” Computer Communications, vol. 34, no. 3, pp. 257–263, 2011. View at Publisher · View at Google Scholar · View at Scopus
  22. Z. Liu, Y. Hu, X. Zhang, and H. Ma, “Provably secure multi-proxy signature scheme with revocation in the standard model,” Computer Communications, vol. 34, no. 3, pp. 494–501, 2011. View at Publisher · View at Google Scholar · View at Scopus
  23. H. Bao, Z. Cao, and S. Wang, “Improvement on Tzeng et al.'s nonrepudiable threshold multi-proxy multi-signature scheme with shared verification,” Applied Mathematics and Computation, vol. 169, no. 2, pp. 1419–1430, 2005. View at Publisher · View at Google Scholar · View at Scopus
  24. J. G. Li and Z. F. Cao, “Improvement of a threshold proxy signature scheme,” Computer Research and Development, vol. 39, no. 11, pp. 1513–1518, 2002. View at Scopus
  25. Y. Yu, Y. Mu, W. Susilo, Y. Sun, and Y. Ji, “Provably secure proxy signature scheme from factorization,” Mathematical and Computer Modelling, vol. 55, no. 3-4, pp. 1160–1168, 2012. View at Publisher · View at Google Scholar
  26. K. Shum and V. K. Wei, “A strong proxy signature scheme with proxy signer privacy protection,” in Proceedings of the 11th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE'02), pp. 55–56, Pittsburgh, Pa, USA, 2002. View at Publisher · View at Google Scholar
  27. N. Y. Lee and M. F. Lee, “The security of a strong proxy signature scheme with proxy signer privacy protection,” Applied Mathematics and Computation, vol. 161, no. 3, pp. 807–812, 2005. View at Publisher · View at Google Scholar · View at Scopus
  28. S. Saeednia, “An identity-based society oriented signature scheme with anonymous signers,” Information Processing Letters, vol. 83, no. 6, pp. 295–299, 2002. View at Publisher · View at Google Scholar · View at Scopus
  29. C. L. Hsu, T. S. Wu, and T. C. Wu, “Group-oriented signature scheme with distinguished signing authorities,” Future Generation Computer Systems, vol. 20, no. 5, pp. 865–873, 2004. View at Publisher · View at Google Scholar · View at Scopus
  30. C. Y. Lin, T. C. Wu, F. Zhang, and J. J. Hwang, “New identity-based society oriented signature schemes from pairings on elliptic curves,” Applied Mathematics and Computation, vol. 160, no. 1, pp. 245–260, 2005. View at Publisher · View at Google Scholar · View at Scopus
  31. Z. Shao, “Certificate-based verifiably encrypted signatures from pairings,” Information Sciences, vol. 178, no. 10, pp. 2360–2373, 2008. View at Publisher · View at Google Scholar · View at Scopus
  32. J. Zhang and J. Mao, “A novel ID-based designated verifier signature scheme,” Information Sciences, vol. 178, no. 3, pp. 766–773, 2008. View at Publisher · View at Google Scholar · View at Scopus
  33. Y. F. Chung, Z. Y. Wu, and T. S. Chen, “Ring signature scheme for ECC-based anonymous signcryption,” Computer Standards and Interfaces, vol. 31, no. 4, pp. 669–674, 2009. View at Publisher · View at Google Scholar · View at Scopus
  34. D. Chaum, “Blind signatures for untraceable payments,” in Advances in Cryptology: Proceedings of CRYPTO '82, pp. 199–203, Springer, New York, NY, USA, 1983.