Abstract
Recently, several studies about proxy signature schemes have been conducted. In 2009, Yu et al. proposed an anonymous proxy signature scheme attempting to protect the proxy signer's privacy from outsiders. They claimed that their scheme can make the proxy signer anonymous. However, based on our research, we determined that this was not the case and the proxy signer's privacy was not anonymous. Hence, in this paper, we propose a new anonymous proxy signature scheme that truly makes the proxy signer anonymous while making it more secure and efficient when compared with Yu et al.'s scheme. Our proxy signature scheme consists of two contributions. First, we mainly use random numbers and bilinear pairings to attain the anonymous property. Secondly, we increase the security and efficiency of our proxy in the design.
1. Introduction
Proxy signature schemes can be used in many business applications such as signing important documents when the original signer is not present. For example, an important document needs to be signed by the CEO, but the CEO is out of the office or not immediately available. At this time, the CEO can use the proxy signature scheme to designate the general manager or business executive to sign the document on his or her behalf. The signed document will be valid and can be verified by everyone without the CEO actually signing it. Any proxy signature scheme has to meet the identifiability, undeniability, verifiability, and unforgeability security requirements. It may be necessary to protect the proxy signer’s privacy from outsiders or third parties. In 1996, Mambo et al. [1] first proposed the concept of proxy signature. In their proposal, there are three parties: a user, also called the original signer; a proxy signer, who is delegated to sign a message on behalf of the original signer; and a verifier, who verifies whether a signed message is legal or not.
Since Mambo et al.’s 1996 scheme, many proxy signature schemes have been proposed [1–27] (some other schemes, such as [28–33], are signature schemes but not proxy signatures). Generally speaking, there are two main categories of proxy signature schemes: the first category is one-to-one and the other is one-to-many. In the former, there is one original signer and one proxy signer, but in the latter, besides the original signer, there is a group of proxy signers. The one-to-one schemes are [4, 7, 10, 12, 13, 15–17, 25–27] and the proxy blind signature [2], which is based on a special digital signature scheme first introduced by Chaum [34] in 1983. The one-to-many category has two subsets: the proxy multisignature and the threshold proxy signature. In the proxy multisignature [5, 6, 9, 19–22], the original signer has an authorized proxy signer group, and each proxy signer has to generate a partial proxy signature. If all partial signatures are correct, the proxy signature will be generated by summation or multiplication operations of the partial proxy signatures. In the threshold proxy signature [3, 11, 18, 23, 24], the original signer can choose the threshold and a proxy signing key is shared by proxy signers. Any of the proxy signers can cooperatively derive the proxy signing key to sign the message.
In any proxy signature, the following four security properties are required.
(i) Unforgeability
Only a designated proxy signer can create a valid proxy signature for the original signer. In other words, nobody can forge a valid proxy signature without the delegation of the original signer.
(ii) Verifiability
After checking and verifying the proxy signature, a verifier can be convinced that the received message is signed by the proxy signer authorized by the original signer.
(iii) Undeniability
The proxy signer cannot repudiate the signature he produced.
(iv) Identifiability
Anyone including the original signer can determine the corresponding proxy signer’s identity from the proxy signature. That is, from the proxy signature any verifier can determine the proxy signer’s identity.
Although proxy signatures incorporate the above-mentioned security functions, they still face many threats such as man-in-the-middle, replay, frame, and public-key substitute attacks. In frame attacks [23], the malicious original signer can forge a signature after intercepting sent information and the forged signature can be accepted by the verifier. In public-key substitute attacks [24], the attacker can be either the original signer or any proxy signer. By changing their public keys, he can forge a valid proxy signature [11]. This indicates that when designing a proxy signature scheme, care should be taken to avoid these kinds of attacks.
Shum and Wei [26] and Yang and Peng [10] presented two one-to-one anonymous proxy signature (APS) schemes. They point out that an APS scheme should possess not only the security features of unforgeability, verifiability, and undeniability, but also the properties of anonymity and anonymity revocation. Anonymity means that only one of the proxy signers in the proxy signer group can sign the message, and the other proxy signers cannot know who the signer is. Anonymity revocation indicates that, once required, the proxy signer can assure the others that he is the real signer. However, N. Y. Lee and M. F. Lee [27] indicate that Shum and Wei’s scheme [26] violates the property of unforgeability. Yang and Peng [10] therefore proposed a modified one-to-one APS scheme. In 2009, Yu et al. [8] first proposed a one-to-many APS scheme. In their scheme, there is a group of proxy signers, but only one proxy signer can anonymously sign the message. By using a group of signers, Yu et al. want to provide privacy and anonymous protection for the real proxy signer. They claim that their scheme is provably secure. However, based on our research, by just using some of the transmitted data along with public information, we were able to isolate and identify the proxy signer. More details of the analysis are described in Section 3.2.
The rest of the paper is organized as follows. In Section 2, we present the basic concepts of bilinear pairings and some related mathematical problems. In Section 3, we review and show the weakness of Yu et al.’s scheme. Section 4 shows the proposed scheme, and Section 5 makes comparison of computation efficiency between Yu et al.’s scheme and ours. Finally, a conclusion is given in Section 6.
2. Background
In this section, we describe the concept of bilinear pairings which is used as the mathematical basis for this design.
Let be a cyclic additive group of order generated by a base point on an elliptic curve and a cyclic multiplicative group with the same order. It is assumed that solving the elliptic curve discrete logarithm problem (ECDLP) in and the discrete logarithm problem (DLP) in is difficult. A bilinear map is defined as , which has the following properties:
(1) bilinearity: , where and all ;
(2) nondegeneracy: there exists such that ; in other words, the map does not send all pairs in to the identity in ;
(3) computability: there is an efficient algorithm to compute for all .
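The properties above can be checked concretely. The following Python sketch is an added example, not code or equations from the paper: it builds a toy bilinear map over integers and shows how bilinearity yields a publicly checkable equation tied to a signer's public key, using a generic BLS-style check on a warrant rather than the paper's own delegation equation. The parameters, helper names and sample warrant are assumptions, and the toy group offers no security because discrete logarithms in it are trivial.

```python
import hashlib

# Toy parameters (constructed for illustration, NOT secure):
# P_MOD = 2*Q + 1, and G = 4 generates the order-Q subgroup of Z_p^*.
P_MOD = 1_000_000_007
Q = (P_MOD - 1) // 2
G = 4
P = 1  # generator of the toy additive group G1 = (Z_Q, +)

def smul(k, point):
    """Scalar multiplication k*point in the toy G1 (here the point leaks k)."""
    return (k * point) % Q

def pair(a, b):
    """Toy symmetric bilinear map e: G1 x G1 -> G2 with e(a, b) = G^(a*b)."""
    return pow(G, (a * b) % Q, P_MOD)

def hash_to_g1(msg: bytes):
    """Hash a byte string to a nonzero element of the toy G1."""
    return 1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (Q - 1)

def keygen(secret):
    """Return (private key x, public key x*P)."""
    return secret % Q, smul(secret, P)

def sign(sk, msg):
    """BLS-style signature: sigma = x * H(msg)."""
    return smul(sk, hash_to_g1(msg))

def verify(pk, msg, sig):
    # e(sigma, P) = e(x*H(m), P) = e(H(m), P)^x = e(H(m), x*P) = e(H(m), pk)
    return pair(sig, P) == pair(hash_to_g1(msg), pk)

def demo():
    a, b = 123456, 654321
    # Bilinearity: e(aP, bP) == e(P, P)^(ab)
    bilinear = pair(smul(a, P), smul(b, P)) == pow(pair(P, P), a * b, P_MOD)
    # Nondegeneracy: e(P, P) is not the identity of G2
    nondegenerate = pair(P, P) != 1
    sk, pk = keygen(0xC0FFEE)
    # Constructed sample warrant, not taken from the paper
    warrant = b"constructed warrant: signer=O; proxies=P1,P2,P3; expires=2030-01-01"
    sig = sign(sk, warrant)
    ok = verify(pk, warrant, sig)
    tampered = verify(pk, warrant.replace(b"P3", b"P9"), sig)  # modified in transit
    wrong_key = verify(keygen(0xBEEF)[1], warrant, sig)        # other public key
    return bilinear, nondegenerate, ok, tampered, wrong_key

if __name__ == "__main__":
    print(demo())
```
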
3. Review of Yu et al.’s Scheme
In this section, we review Yu et al.’s APS scheme [8] and demonstrate that the original APS cannot satisfy the anonymous property in Section 3.2.
3.1. Yu et al.’s APS Scheme
There are six phases in Yu et al.’s APS scheme: the parameter generation phase, the key generation phase, the delegation signing phase, the delegation verification phase, the APS generation phase, and the APS verification phase. We describe them as follows.
(1) In the parameter generation phase, on input of security parameter , a system parameter generation algorithm outputs a cyclic additive group of order , a multiplicative group of the same order, a bilinear map , and a generator of . This algorithm also outputs two cryptographic hash functions: and .
(2) In the key generation phase as shown in Figure 1, the original signer selects as her private key and computes her public key as . Each proxy signer randomly selects as his/her private key and sets the corresponding public key as .
(3) In the delegation signing phase, firstly generates a warrant which contains some explicit descriptions about the delegation relation such as the identities of both and the proxy signers, the expiration time of the delegation, and the signing power in the warrant. Then, randomly picks a number and computes and . Finally, sends to the proxy signers in set .
(4) Upon receiving , each proxy signer checks if the equation holds. If it does not, the delegation will be rejected. Otherwise, it will be accepted and each proxy signer computes his/her proxy secret key as .
(5) In the APS generation phase as shown in Figure 2, proxy signer signs on a message with his proxy secret key on behalf of the original signer, , in an anonymous way. first chooses random numbers , where and , computes both and , and sends to the verifier.
(6) In the APS verification phase, given public keys and a received anonymous proxy signature , the verifier can examine the validity of the signature by checking whether the following expression holds:
3.2. Weakness of Yu et al.’s Scheme
After reviewing Yu et al.’s scheme above, we now explain how the scheme violates the anonymous property that they emphasized, as follows.
Since , , and are public, we can obtain by deducing because
Next, we define an inspector to be , where is ’s secret proxy key, is a specific subsignature in , and . In addition, we define to be . Then, if there exist some and satisfying , we can determine that should be equal to , and is then the right proxy signer. This is because if is the right proxy signer, then the corresponding subsignature must have the factor , and therefore only applying the right , that is, , can cancel the factor result in the holding of the end. Otherwise, we continue to examine the next possible or . Proceeding in this way, we can deduce the right proxy signer at most times.
For more clarity, we take three proxy signers, , , , as an example. Suppose is the real proxy signer, then , and .
If we first try with different , then we have three tries as in the following.
(1.1) When and thus , the value should be
(1.2) When and thus , the value should be
(1.3) When and thus , the value should be
Secondly, if we try with different , then we have three tries as in the following.
(2.1) When and thus , the value should be
(2.2) When and thus , the value should be
(2.3) When and thus , the value should be
From the above demonstration, for inspector , only when the subscript , the result of is . Therefore, we determined that is the right proxy signer and the anonymous property that they emphasized is broken.
4. Proposed Scheme
In this section, we propose a new one-to-many APS scheme to correct the anonymous flaw as discovered in Section 3. Our scheme is the same as theirs in the first two phases. The differences are in the last four phases, the delegation signing, delegation verification, APS generation, and APS verification phase. More details of our APS are shown in Section 4.1. Its correctness is demonstrated in Section 4.2 and the APS requirements are analyzed in Section 4.3. Before describing our protocol, we define some basic notations listed in Table 1.
4.1. The New Proposed APS Scheme
In our APS scheme, there also exist an original signer and a proxy signer group , and only one proxy signer in the proxy signer group can sign the message. For more clarity, we show our scheme in detail as follows. The proposed scheme consists of six phases: (1) the parameter generation phase, (2) key generation phase, (3) delegation signing phase, (4) delegation verification phase, (5) APS generation phase, and (6) APS verification phase. Phases (1) and (2) are the same as in Yu et al.’s scheme, which has been delineated in Section 3.1. We omit these phases in the following but show phases (3) and (4) in Figure 3 and phases (5) and (6) in Figure 4.
(3) In the delegation signing phase, as shown in Figure 3, the original signer randomly selects a number and uses to compute and . Then, the original signer sends to each proxy signer with warrant , where warrant contains the records of the original signer’s and proxy signer’s identities, delegation, authorization period, valid period, and so forth.
(4) In the delegation verification phase, after receiving the proxy signer first checks whether the equation holds. If it does not, the protocol stops; otherwise, he stores . Second, when signing message chooses random numbers , to , and computes , , and the proxy secret key, .
(5) In the APS generation phase, as shown in Figure 4, let be the real proxy signer. He computes , where and and computes , then sets , and , as , , , , , and , respectively. Finally, outputs as the anonymous proxy signature and sends to the verifier.
(6) In the APS verification phase, upon receiving the proxy signature the verifier computes and checks whether the equation holds. If it holds, the verifier accepts the signature; otherwise, the verifier rejects it.
4.2. Correctness
In the delegation verification phase, each proxy signer can check whether the equation holds as follows.
Proof (first proof).
If it holds, the proxy signer knows that the message was sent by the original signer, because the verification equation is examined with the original signer’s public key. If any adversary intercepts the message and modifies it, it cannot pass the verification equation.
In the proxy signature verification phase, the following equation gives the correctness of the verification.
Proof (second proof).
4.3. Security Analyses
In this section, we demonstrate that our APS scheme can satisfy the security properties as discussed in Section 1 for (1) verifiability, (2) unforgeability, (3) undeniability, (4) anonymity, and (5) anonymity revocation. Now, we demonstrate why our scheme can satisfy these five security properties as follows.
(1) Verifiability
In the APS verification phase, after checking and verifying the proxy signature , where , the verifier can calculate to check whether the verification equation holds. If it does, the verifier can be convinced that the received message is signed by one of the proxy signer members authorized by the original signer because and are used in the verification equation.
(2) Unforgeability
Unforgeability means that no entity (other than the real proxy signer ), including the original signer, can generate a valid proxy signature. Only an authorized proxy signer can create a valid proxy signature . If any attacker wants to forge a proxy signature, he must be authorized by the original signer signing on a warrant and use the proxy signer’s proxy secret key to compute . However, this is impossible since the identity of the attacker was not in signed by the original signer. Not to mention, he does not know . Under this situation, even if he wants to (1) fake the proxy signer key as , (2) change value to , or (3) randomly select , trying to counterfeit the proxy signature, we demonstrate that his attempt is doomed to fail. We demonstrate the reasons for the failures of these three cases in the following.
Case 1. If an attacker does not know the proxy secret key , he cannot generate valid , , , , and . Even if he uses a random to sign the message, since , he cannot evaluate the right value for computing to be successfully verified in the verification equation.
Case 2. Because is changed to , at least one of the random numbers must also be modified. Without loss of generality, we let . Accordingly, all the parameters , , , , , , , , and are changed as well. That is ). Apparently, the verification equation cannot hold. Below, we only show the inequality of the portion of the verification equation :
Case 3. In this case, an attacker randomly selects , trying to generate the valid proxy signature . Accordingly, the parameters , , , , , , , , and are all changed. Therefore, the signature now becomes , . As in Case 1, the verifier checks whether holds or not. Apparently, it cannot pass the verification.
(3) Undeniability
As in Section 4.2 proof (second proof), the verifier uses the verification equation: to check whether the proxy signature comes from one of the members in the proxy signer group. Since the equation includes the original signer’s public key and , it means the original signer and the proxy signer group cannot repudiate their participation in the signature generation.
(4) Anonymity
In the APS generation phase, all the parameters A, B, C, D, and have to be multiplied by to make the proxy signature anonymous. If any attacker wants to know who the real proxy signer is, he must know the value to use for unrandomizing all parameters to get , , , , and . But now , even if the attacker knows , without the knowledge of and , he cannot know who the real signer is, not to mention that he cannot know the value of . This means that no one can know who signed the signature. Hence, the anonymity holds.
(5) Anonymity Revocation
In our scheme, only the proxy signer knows and the secret . He can convince the others that he is the real proxy signer by just showing them and the validity of the equation without revealing in polynomial time.
5. Comparisons
In this section, we compare the computational cost between Yu et al.’s APS scheme and ours and summarize the result in Table 2. We denote by the pairing operation, Pm and Pa the point multiplication and point addition on respectively, and by the number of proxy signers. In Yu et al.’s APS scheme, the generation and verification of should be instead of operations. Because in Yu et al.’s scheme, the generation and verification of are and , the should be computed by proxy signers. The APS verification should be rather than the original as listed in the table of [8]. From Table 2, we can see that our scheme is more efficient than Yu et al.’s protocol.
6. Conclusions
In 2009, Yu et al. first proposed a one-to-many APS scheme attempting to protect the proxy signer’s privacy while maintaining secrecy to outsiders. However, after analyses, we determined that Yu et al.’s original protocol could not satisfy the anonymous property. Accordingly, we proposed a novel one-to-many APS scheme to reach the goal. Our construction makes use of a random number , one-way hash function and bilinear pairings to make the proxy signature anonymous. After comparisons, we conclude that our new protocol is a significant improvement against attackers trying to reveal the identity of the real signer and is more efficient in computational cost as demonstrated in Table 2.