Table of Contents Author Guidelines Submit a Manuscript
Journal of Applied Mathematics
Volume 2012, Article ID 508981, 6 pages
http://dx.doi.org/10.1155/2012/508981
Research Article

Attacks on One Designated Verifier Proxy Signature Scheme

Computer Science and Software Institution, Tianjin Polytechnic University, 399 Binshuixi road, Tianjin 300387, China

Received 5 April 2012; Accepted 5 June 2012

Academic Editor: Debasish Roy

Copyright © 2012 Baoyuan Kang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

In a designated verifier proxy signature scheme, there are three participants, namely, the original signer, the proxy signer, and the designated verifier. The original signer delegates his or her signing right to the proxy signer, then the proxy signer can generate valid signature on behalf of the original signer. But only the designated verifier can verify the proxy signature. Several designated verifier proxy signature schemes have been proposed. However, most of them were proven secure in the random oracle model, which has received a lot of criticism since the security proofs in the random oracle model are not sound with respect to the standard model. Recently, by employing Water's hashing technique, Yu et al. proposed a new construction of designated verifier proxy signature. They claimed that the new construction is the first designated verifier proxy signature, whose security does not rely on the random oracles. But, in this paper, we will show some attacks on Yu et al.'s scheme. So, their scheme is not secure.

1. Introduction

The concept of proxy signature was first introduced by Mambo et al. [1] in 1996. Proxy signature is very useful when a user, called an original signer, wants to delegate his or her signing rights to the other user, called a proxy signer. In a proxy signature scheme, the proxy signer can generate a valid signature on behalf of the original signer. Anyone can verify the authenticity of the purported signature by using the public keys of the original signer and proxy signer. But, when a verifier receives a proxy signature, he should not only verify the correctness by a given verification procedure, but also be convinced of the original signer’ agreement on the signed message. Proxy signature schemes have been suggested for use in a number of applications, including electronic commerce, e-cash, and distributed shared object systems.

Unlike standard signature, In order to protect signature privacy, Jakobsson et al. [2] introduced a new primitive named designated verifier proofs in 1996. Such a proof enables a prover convince a designated verifier that a statement is true, while the designated verifier cannot use the proof to convince others of this fact, since the designated verifier himself can simulate such a proof. Furthermore, Jakobsson et al. proposed a designated verifier signature scheme in the sense that only the designated verifier can be convinced that a signature is produced by the claimed signer. Jakobsson et al. also discussed a stronger concept called strong designated verifier signature in the same paper.

In 2003, based on the concepts of proxy signatures and designated verifier signatures, Dai et al. [3] consider a scenario where the proxy signer wishes to protect his signing privilege from knowing by other parties. In other words, the proxy signer only wants to convince the designated receiver that he has signed the specific message. They proposed such a scheme called designated verifier proxy signature, which provides authentication of a message without providing a nonrepudiation property of traditional digital signature. A designated verifier proxy signature scheme can be used to convince the designated verifier and only the designated verifier whether a signature is valid or not. This is due to the fact that the designated verifier can always generate a valid signature intended for himself that is indistinguishable from an original signature. This kind of signature is useful in electronic commerce applications. Unfortunately, Wang [4] pointed out there exists a forgery attack in Dai et al.’s scheme. Huang et al. [5] proposed a short designated verifier proxy signature from pairings to improve the communication efficiency. Lu and cao [6] proposed a designated verifier proxy signature with message recovery in 2005. Zhang and Mao [7] proposed a novel ID-based designated verifier proxy signature scheme. Although several designated verifier proxy signature schemes have been proposed. However, most of them were proven secure in the random oracle model, which has received a lot of criticism since the security proofs in the random oracle model are not sound with respect to the standard model. Recently, by employing Water’s hashing technique [8], Yu et al. [9] proposed a new construction of designated verifier proxy signature scheme. They claimed that the new construction is the first designated verifier proxy signature scheme, whose security does not rely on the random oracles. But in this paper, we will show some attacks on their scheme. So, their scheme is not secure.

The paper is organized as follows. In the next section, we will review Yu et al.’s designated verifier proxy signature scheme. The attacks on Yu et al.'s scheme are presented in Section 3. Finally, Section 4 concludes the paper.

2. Review of Yu et al.’s Designated Verifier Proxy Signature Scheme

In this section, we review the designated verifier proxy signature scheme proposed by Yu et al.. There are three participants in Yu et al.’s scheme, namely, Alice, Bob, and Cindy, who act as the original signer, the proxy signer, and the designated verifier, respectively. Yu et al.’s scheme consists of the following algorithms.

2.1. Setup

The system parameters are as follows. Let (𝐺,𝐺𝑇) be bilinear groups, where |𝐺|=|𝐺𝑇|=𝑝 for some prime, 𝑔 is a generator of 𝐺. 𝑒 denotes an admissible pairing 𝐺×𝐺𝐺𝑇. Pick 𝑢,𝑚𝐺 and vectors 𝑢=(𝑢𝑖),𝑚=(𝑚𝑖) of length 𝑛, whose entries are random elements from 𝐺. The public parameters are (𝐺,𝐺𝑇,𝑒,𝑢,𝑚,𝑢,𝑚).

2.2. Keygen

Alice picks randomly 𝑥𝑎,𝑦𝑎𝑍𝑝 and sets her secret key 𝑘𝑎=(𝑥𝑎,𝑦𝑎). Then she computes her public key: 𝑝𝑘𝑎=𝑝𝑘𝑎𝑥,𝑝𝑘𝑎𝑦=(𝑔𝑥𝑎,𝑔𝑦𝑎).(2.1) Similarly, Bob’s secret key is 𝑠𝑘𝑏=(𝑥𝑏,𝑦𝑏), and the public key is 𝑝𝑘𝑏=𝑝𝑘𝑏𝑥,𝑝𝑘𝑏𝑦=(𝑔𝑥𝑏,𝑔𝑦𝑏).(2.2) Cindy’s secret key is 𝑠𝑘𝑐=(𝑥𝑐,𝑦𝑐), and the public key is 𝑝𝑘𝑐=𝑝𝑘𝑐𝑥,𝑝𝑘𝑐𝑦=(𝑔𝑥𝑐,𝑔𝑦𝑐).(2.3)

2.3. DelegationGen

Let 𝑊 be an n-bit message called warrant to be signed by the original signer and 𝑊𝑖 denotes the 𝑖-bit of, and let 𝑤{1,2,,𝑛} be the set of all 𝑖 for which 𝑊𝑖=1. The original signer picks a random 𝑟𝑎𝑍𝑝 and computes the delegation 𝜎𝜔=(𝜎𝜔1,𝜎𝜔2) and sends it to the proxy signer Bob, where 𝜎𝜔1=𝑔𝑥𝑎𝑦𝑎𝑢𝑖𝑤𝑢𝑖𝑟𝑎,𝜎𝜔2=𝑔𝑟𝑎.(2.4)

2.4. ProxySign

Let 𝑀 be an n-bit message to be signed by the proxy signer Bob and 𝑀𝑖 denotes the 𝑖-bit of, and let 𝑚{1,2,,𝑛} be the set of all 𝑖 for which 𝑀𝑖=1. The proxy signature is generated as follows. First, the proxy signer Bob picks two random values 𝑟𝑎,𝑟𝑏𝑍𝑝. Then the proxy signature 𝜎=(𝜎1,𝜎2,𝜎3) on 𝑀 is constructed as 𝜎1𝜎=𝑒𝜔1𝑢𝑖𝑤𝑢𝑖𝑟𝑎𝑔𝑥𝑏𝑦𝑎𝑚𝑖𝑚𝑚𝑖𝑟𝑏,𝑝𝑘𝑐𝑥,𝜎2=𝜎𝜔2𝑔𝑟𝑎,𝜎3=𝑔𝑟𝑏.(2.5)

2.5. Verification

To check whether 𝜎=(𝜎1,𝜎2,𝜎3) is a valid proxy signature on the message 𝑀 under the warrant, Cindy uses her secret key to verify whether the following equation holds:𝜎1=𝑒𝑝𝑘𝑎𝑥,𝑝𝑘𝑎𝑦𝑥𝑐𝑒𝑝𝑘𝑏𝑥,𝑝𝑘𝑏𝑦𝑥𝑐𝑢𝑒𝑖𝑤𝑢𝑖,𝜎2𝑥𝑐𝑒𝑚𝑖𝑚𝑚𝑖,𝜎3𝑥𝑐.(2.6)

2.6. Transcript Simulation

Cindy can use her private key to compute a signature on an arbitrary message 𝑀 with the warrant 𝑊. She picks two random values 𝑟1,𝑟2𝑍𝑝 and computes 𝜎=(𝜎1,𝜎2,𝜎3), where 𝜎2=𝑔𝑟1,𝜎3=𝑔𝑟2,𝜎1=𝑒𝑝𝑘𝑎𝑥,𝑝𝑘𝑎𝑦𝑥𝑐𝑒𝑝𝑘𝑏𝑥,𝑝𝑘𝑏𝑦𝑥𝑐𝑢𝑒𝑖𝑤𝑢𝑖,𝜎2𝑥𝑐𝑒𝑚𝑖𝑚𝑚𝑖,𝜎3𝑥𝑐.(2.7)

3. Attacks on Yu et al.’s Designated Verifier Proxy Signature Scheme

In this section, we will give some attacks on Yu et al.’s designated verifier proxy signature scheme.

3.1. Attack 1

On receiving the delegation 𝜎𝜔=(𝜎𝜔1,𝜎𝜔2) and the warrant, the attacker randomly selects 𝑟𝑎𝑍𝑝 and alters the delegation as 𝜎𝜔=(𝜎𝜔1,𝜎𝜔2), where 𝜎𝜔1=𝜎𝜔1𝑢𝑖𝑤𝑢𝑖𝑟𝑎,𝜎(3.1)𝜔2=𝜎𝜔2𝑔𝑟𝑎.(3.2)

3.2. Attack 2

On receiving the proxy signature 𝜎=(𝜎1,𝜎2,𝜎3) on one message 𝑀, everybody can forge another valid proxy signature 𝜎=(𝜎1,𝜎2,𝜎3) on 𝑀 as follows: 𝜎1=𝜎1𝑚𝑒𝑖𝑚𝑚𝑖𝑟𝑏,𝑝𝑘𝑐𝑥,𝜎2=𝜎2,𝜎3=𝜎3𝑔𝑟𝑏(3.3)𝑟𝑏𝑍𝑝 is  a  random  number.

In fact, because 𝜎=(𝜎1,𝜎2,𝜎3) is valid proxy signature, the following verification equation holds: 𝜎1=𝑒𝑝𝑘𝑎𝑥,𝑝𝑘𝑎𝑦𝑥𝑐𝑒𝑝𝑘𝑏𝑥,𝑝𝑘𝑏𝑦𝑥𝑐𝑢𝑒𝑖𝑤𝑢𝑖,𝜎2𝑥𝑐𝑒𝑚𝑖𝑚𝑚𝑖,𝜎3𝑥𝑐.(3.4) Then, 𝜎1=𝜎1𝑚𝑒𝑖𝑚𝑚𝑖𝑟𝑏,𝑝𝑘𝑐𝑥=𝑒𝑝𝑘𝑎𝑥,𝑝𝑘𝑎𝑦𝑥𝑐𝑒𝑝𝑘𝑏𝑥,𝑝𝑘𝑏𝑦𝑥𝑐𝑢𝑒𝑖𝑤𝑢𝑖,𝜎2𝑥𝑐𝑒𝑚𝑖𝑚𝑚𝑖,𝜎3𝑥𝑐𝑚𝑒𝑖𝑚𝑚𝑖𝑟𝑏,𝑝𝑘𝑐𝑥=𝑒𝑝𝑘𝑎𝑥,𝑝𝑘𝑎𝑦𝑥𝑐𝑒𝑝𝑘𝑏𝑥,𝑝𝑘𝑏𝑦𝑥𝑐𝑢𝑒𝑖𝑤𝑢𝑖,𝜎2𝑥𝑐𝑒𝑚𝑖𝑚𝑚𝑖,𝜎3𝑥𝑐𝑚𝑒𝑖𝑚𝑚𝑖,𝑔𝑟𝑏𝑥𝑐=𝑒𝑝𝑘𝑎𝑥,𝑝𝑘𝑎𝑦𝑥𝑐𝑒𝑝𝑘𝑏𝑥,𝑝𝑘𝑏𝑦𝑥𝑐𝑢𝑒𝑖𝑤𝑢𝑖,𝜎2𝑥𝑐𝑒𝑚𝑖𝑚𝑚𝑖,𝜎3𝑔𝑟𝑏𝑥𝑐=𝑒𝑝𝑘𝑎𝑥,𝑝𝑘𝑎𝑦𝑥𝑐𝑒𝑝𝑘𝑏𝑥,𝑝𝑘𝑏𝑦𝑥𝑐𝑢𝑒𝑖𝑤𝑢𝑖,𝜎2𝑥𝑐𝑒𝑚𝑖𝑚𝑚𝑖,𝜎3𝑥𝑐.(3.5) So,𝜎=(𝜎1,𝜎2,𝜎3)is  a  valid  proxy  signature  on𝑀.

3.3. Attack 3

Anyone who gets 𝑔𝑥𝑎𝑦𝑎 can personate the original signer to delegate signing rights of the original signer. On the other hand, in some scenarios the original signer may reveal 𝑔𝑥𝑎𝑦𝑎 without revealing his private key (𝑥𝑎,𝑦𝑎) to make confusion about the delegation of signing rights on purpose.

3.4. Attack 4

Similarly, anyone who gets 𝑔𝑥𝑏𝑦𝑏 can personate the proxy signer to generate proxy signatures. On the other hand, in some scenarios the proxy signer may reveal 𝑔𝑥𝑏𝑦𝑏 without revealing his private key (𝑥𝑏,𝑦𝑏) to make confusion about the production of proxy signatures on purpose.

4. Conclusion

A designated verifier proxy signature scheme can be used to convince the designated verifier and only the designated verifier whether a signature is valid or not. This is due to the fact that the designated verifier can always generate a valid signature intended for him that is indistinguishable from an original signature. This kind of signature is useful in electronic commerce applications. Recently, Yu et al. proposed a new construction of designated verifier proxy signature scheme. As for the security, they classified the potential adversaries into three kinds according to their attack power and proved that their scheme is unforgeable against all kinds of adversaries in the standard model. But, in this paper, we show some attacks on their scheme. So, their scheme is not secure.

References

  1. M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: delegation of the power to sign messages,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E79-A, no. 9, pp. 1338–1353, 1996. View at Google Scholar · View at Scopus
  2. M. Jakobsson, K. Sako, and R. Impagliazzo, “Designated verifier proofs and their applications,” in Proceedings of the 15th Annual International Conference on Theory and Application of Cryptographic Techniques (EUROCRYPT '96), vol. 1070 of Lecture Notes in Computer Science, pp. 143–154, May 1996.
  3. J. Z. Dai, X. H. Yang, and J. X. Dong, “Designated-receiver proxy signature scheme for electronic commerce,” in Proceedings of IEEE International Conference on Systems, Man and Cybernetics, vol. 1, pp. 384–389, IEEE Press, October 2003. View at Scopus
  4. G. Wang, “Designated-verifier proxy signatures for e-commerce,” in Proceedings of IEEE International Conference on Multimedia and Expo (ICME '04), vol. 3, pp. 1731–1734, IEEE Press, June 2004. View at Scopus
  5. X. Huang, Y. Mu, W. Susilo, and F. Zhang, “Short designated verifier proxy signature from pairings,” in Proceedings of the International Conference on Embedded and Ubiquitous Computing Workshops (EUC '05), vol. 3823 of Lecture Notes in Computer Science, pp. 835–844, December 2005.
  6. R. X. Lu and Z. F. Cao, “Designated verifier proxy signature scheme with message recovery,” Applied Mathematics and Computation, vol. 169, no. 2, pp. 1237–1246, 2005. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at Scopus
  7. J. Zhang and J. Mao, “A novel ID-based designated verifier signature scheme,” Information Sciences, vol. 178, no. 3, pp. 766–773, 2008. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at Scopus
  8. B. Waters, “Efficient identity-based encryption without random oracles,” in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), vol. 3494 of Lecture Notes in Computer Science, pp. 114–127, Springer, Berlin, Germany, May 2005. View at Scopus
  9. Y. Yu, C. Xu, X. Zhang, and Y. Liao, “Designated verifier proxy signature scheme without random oracles,” Computers and Mathematics with Applications, vol. 57, no. 8, pp. 1352–1364, 2009. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at Scopus