Considering the security of both the customers’ hosts and the eShops’ servers, we introduce the idea of a key-insulated undetachable digital signature, enabling mobile agents to generate undetachable digital signatures on remote hosts with the key-insulated property of the original signer’s signing key. From the theoretical perspective, we provide the formal definition and security notion of a key-insulated undetachable digital signature. From the practical perspective, we propose a concrete scheme to secure mobile agents in electronic commerce. The scheme is mainly focused on protecting the signing key from leakage and preventing the misuse of the signature algorithm on malicious servers. Agents do not carry the signing key when they generate digital signatures on behalf of the original signer, so the key is protected on remote servers. Furthermore, if a hacker gains the signing key of the original signer, the hacker is still unable to forge a signature for any time period other than the key being accessed. In addition, the encrypted function is combined with the original signer’s requirement to prevent the misuse of signing algorithm. The scheme is constructed on gap Diffie–Hellman groups with provable security, and the performance testing indicates that the scheme is efficient.

1. Introduction

Agents are a type of computer program that acts autonomously on behalf of a person or an organization. Mobile agents can easily transport themselves from one system in a network to another. They can also automatically suspend execution on one platform and migrate to another to resume their computations. Compared with traditional computing models (e.g., client/server), mobile agent technology has several significant advantages in electronic commerce applications, including autonomy and fault tolerance [1, 2].

However, these benefits cannot be achieved without suitable security and trust technologies, which are critical for ensuring that all business data has been appropriately protected and business partners can collaborate with integrity and confidence. One significant threat is that malicious hosts might endanger passing agents because the attacks from owners of hosts are too strong to defeat with traditional security countermeasures. As a typical example, a mobile agent needs to sign a contract on behalf of the original signer (the customer) when an appropriate product has been found, while an attacker controlling the host can extract the secret signing key from the agent’s code or even generate a signature on the contract by simply forcefully calling the signing function that is “carried” on the agent. Furthermore, the risk of leakage of the signing key on the customer’s PC may stem from a variety of threats such as the “SSL Heartbleed.”

Therefore, in the research field of mobile agent security, it is a challenge to protect the digital signature functionality against attacks from remote malicious hosts and meanwhile control the security risk of signing key leakage on the original signer’s host. Motivated by this security challenge, we propose a category of digital signature schemes for mobile agents, namely, the key-insulated undetachable digital signature (KIUDS). Major contributions of this work are previewed as follows:(i)We contributed the novel idea of key-insulated undetachable digital signature, which enables mobile agents to generate undetachable digital signatures on remote hosts with the key-insulated property of the original signer’s signing key.(ii)Theoretically, we provided the formal definition and security notion of the KIUDS schemes.(iii)Practically, we proposed a concrete KIUDS scheme for securing mobile agents in electronic commerce.(iv)We provided the security proof and efficiency analysis of the proposed scheme and conducted the performance testing which has indicated the good efficiency of the scheme.

The rest of this paper is organized as follows. Section 2 presents backgrounds and preliminaries of this work, including the mobile agent systems and applications in electronic commerce, the undetachable digital signature schemes and the key-insulated signature schemes, and the security analysis of threats on mobile agents from malicious hosts. The formal definition and security notion of KIUDS schemes are provided in Section 3. A concrete KIUDS scheme is described in Section 4, along with the theoretical analysis in terms of security, correctness, and computational costs, as well as a set of experimental results. Comparisons with related works are presented in Section 5. Finally, the paper concludes with a discussion on the findings.

2. Backgrounds and Preliminaries

2.1. Mobile Agent Systems and Applications in Electronic Commerce

An agent is a software entity that acts autonomously on behalf of a person or organization. Each agent has its own thread of execution, so tasks can be performed on its own initiative. A mobile agent is not bound to the system where it begins execution. It has the capability of transporting itself from one host to another in a network. We briefly introduce the backgrounds of mobile agents and the related system architecture [11] as follows.

During an agent’s travel process, the agent state (including the execution state and the attributes) and code are being transported. The agent’s authority identifies the person or organization for which the agent acts. The names of the agents are usually required for identification, management, and locating. Commonly, agents are named by their authority, identity, and agent system type, whose combination can be mapped into a unique value for identifying a particular agent instance within the scope of the authority.

By definition, an agent system is an integrated platform that can create, interpret, execute, transfer, and terminate agents. An agent system is usually associated with an authority that identifies the person or organization for which the agent system acts. An agent system is uniquely identified by its name and address, and a host can contain one or more agent systems. An instance of the architecture of mobile agent system is illustrated in Figure 1.

Agents transfer themselves between places over the network, where a place hereby is a context in which an agent executes. An agent is associated with a location, which consists of the place name and the address of the agent system where the place resides. An agent system may contain one or multiple places while a place can also host a number of agents. If an agent system does not support places, then it acts as a default place. When a client requests for the location of an agent, it retrieves the address of the place where the agent is executing.

The agent technology seems an attractive paradigm to support e-commerce applications [12, 13], because agents are capable of acting on behalf of customers to reduce the effort required for performing transactions. Agents are autonomous by nature and therefore can be easily personalized to embody customers’ preferences. In addition, they are adaptive in terms of the capabilities of learning from both past actions and their environment, coping with changing network conditions and evolving user requirements. The above features permit the agent technology to add value to three primary e-commerce dimensions: information filtering, information gathering and retrieval, and dynamic and flexible execution of transactions. As typical applications, agent-based electronic commerce, product recommendation, and decision making have been demonstrated in the recent years [1416].

Furthermore, mobile agents not only can autonomously act and negotiate on behalf of their creators in one host, but also can autonomously decide to move itself from one host to another as necessary [13]. Such mobility achieves better network utilization and allows mobile users to disconnect with their agents roaming in the network, thus reducing connection costs. In the context of electronic marketplaces, for example, the mobility permits the agent to perform all required operations locally in the involved marketplace without reliable connection or bandwidth engagement.

Some eShop and e-marketplace applications based on mobile agent technology have been recently proposed. A typical application of mobile agents in electronic commerce is shown in Figure 2. The figure illustrates an intelligent trade agent (ITA) that roams the Internet buying goods or services from the servers of three eShops in the network. Other applications include a silicon intellectual property automatic trading platform [17], an agent-based English auction protocol using an elliptic curve cryptosystem for mobile commerce [18], a novel multiagent system architecture to cope with the flexibility requirements of virtual enterprises [19], and an approach aiming to deploy the mobile agent paradigm for mobile business applications [20].

2.2. Digital Signature Schemes and Attack Models

Digital signature schemes allow a signer who has established a public key to sign a message such that any other party can verify that the message originated from the signer and was not modified in any way. A digital signature scheme typically consists of three algorithms: the key generation algorithm, the signing algorithm, and the verification algorithm.

There are three main attack models according to the capabilities of an adversary to attack cryptosystems [21], for example, a digital signature scheme. The first is the black-box model. It is a traditional attack model where an adversary only has access to the functionality of a cryptosystem. This limited access increases the effort and is time required to start attacks. The second is the grey-box model, which refers to a model where a leakage function is present. In such an attack context, the adversary can deploy side-channel cryptanalysis techniques. Owing to the large variety of leakage functions, the grey-box model can further be classified into several subgroups. The third is the white-box model, where the adversary has total visibility of the software implementation of the cryptosystem and full control over its execution platform.

As shown in Figure 3, the white-box model is the worst-case model. The white-box model is used to analyze algorithms that are running in a nontrustable environment, that is, an environment in which applications are subject to attacks from the execution platform.

Secure computing in a white-box model is a challenge because the model assumes that [22] (1) fully privileged attack software shares a host with the cryptographic software, having complete access to the implementation of the algorithms, (2) dynamic execution (with instantiated cryptographic keys) can be observed, and (3) internal details of cryptographic algorithms are both completely visible and alterable.

2.3. Attacks and Threats against Mobile Agents and Their Signing Routines

While mobile agent-based technologies are already in use, mobile agents are still exposed to serious security threats. Mobile agent-based applications cannot be successfully implemented without suitable security technologies to ensure that the sensitive business data are appropriately protected and business partners can work together with integrity and confidence. One of the most challenging threats to mobile agent security is attacks from platforms (malicious hosts). In general, there are two main kinds of attacks from malicious hosts [23], eavesdropping attacks and manipulation attacks. A substantial number of attacks are identified in detail in [24], including spying out code, spying out data, spying out control flow, manipulation of code, manipulation of data, manipulation of control flow, incorrect execution of code, masquerading of the host, denial of execution, spying out interaction with other agents, manipulation of interaction with other agents, and returning wrong system call results issued by the agent.

Clearly, mobile agents executed on a malicious host are in a white-box attack context. In traditional digital signature schemes, mobile agents must carry the private key when they generate digital signatures on behalf of the original user. Possible attacks from malicious remote hosts endanger the digital signature functionality provided by a mobile agent because the signing algorithm may be misused and the signing key may be compromised. Furthermore, many mobile agent systems are implemented in Java because of the language’s suitable performance across various platforms. Unfortunately, the key in a class file (the Java byte code) is extremely vulnerable, as illustrated in Figure 4. Hence, traditional digital signature schemes are not suitable for mobile agents, while new signature techniques are required.

Meanwhile, digital signature functionalities also face a significant key leakage problem on the local host of the original signer. A serious security issue is presented in the event that the original signer’s local host is under the control of a hacker because the original private signing key may be compromised.

The severity of the potential threats increases with the rapid development of advanced persistent threats (APTs) such as “Operation Aurora” against Gmail accounts, the “Stuxnet Worm” against the control system of nuclear devices in Iran, “Operation Shady RAT” against more than 70 organizations (including several defense contractors), and the recently discovered “Havex” against industrial control systems. An APT is a set of stealthy and continuous hacking processes often orchestrated by people targeting a specific entity. Additionally, security vulnerabilities such as the “SSL Heartbleed,” which was disclosed in April 2014 in the OpenSSL cryptography library, could also enable hackers to extract information from remote hosts.

2.4. Undetachable Digital Signatures for Mobile Agents

The idea of the undetachable digital signature was proposed by Sander and Tschudin in [25] based on the reasoning that mobile agents do not have to be executed in clear text form. The undetachable digital signature technique allows a mobile agent to effectively produce a digital signature inside a remote and possibly malicious host without allowing the host to deduce the agent’s secret or to reuse the signature routine for arbitrary documents. A brief introduction to this idea is presented as follows.

Let be a rational function used by (a customer) to produce the digital signature of an arbitrary message . Furthermore, suppose the message is the result of a rational function applied to some input data . Finally, the verification function that publishes to allow others to check the validity of the digital signature is regarded to be a valid signature of if and only if

To allow the customer’s mobile agent to create “undetachable” signatures, the following is computed:where is an auxiliary binding function that binds a constraint (e.g., a restriction or a limitation) on the signing function. For example, in the case of electronic commerce, a typical constraint could be “an iPhone 6 costing no more than 916 Dollars.” and are then migrated to (the eShop) with the mobile agent. evaluates

However, Sander and Tschudin did not provide a concrete implementation of the undetachable digital signature scheme. The first undetachable digital signature scheme was proposed by Kotzanikolaou et al. in the form of an RSA implementation [3]. This was improved by Lee et al. [4] with bilateral security, whose scheme provides server’s nonrepudiation because it contains server’s signature at the same time. Han et al. proposed a security scheme for e-transactions using mobile agents with an agent broker [5], while they gave an undetachable signature function pair but without presenting the signing function subject to (2). Another undetachable signature scheme based on pairings was proposed in prior work [8], which is based on the short signature scheme proposed in prior work [26]. To solve the problem in which a host may force an agent to commit to a suboptimal transaction, Borselius et al. [6] introduced the notion of undetachable threshold signatures and proposed an RSA-based implementation. In prior work [9], an implementation of undetachable threshold digital signature based on conic curves was proposed, and computational studies indicated that the implementation in [9] was superior to the RSA-based implementation in [6]. The latest published undetachable signature scheme was presented in prior work [10], which provides forward security by following the BLS short signature [26]. However, except for the scheme in [10], none of the proposed undetachable digital signature schemes can simultaneously protect digital signature functionalities against attacks from remote malicious hosts and mitigate the security risk of signing key leakage on the original signer’s host. Moreover, even with the scheme in [10], an adversary can forge any signature during any period after he/she has got the signing key (e.g., via cracking the host of the original signer). Therefore, stronger undetachable digital signature schemes are demanded, which motivate us to develop undetachable signature schemes with the key-insulated property.

2.5. Key-Insulated Digital Signatures

The exposure of secret keys is perhaps the most devastating attack on a cryptosystem because it typically leads to a full loss of security. This problem is probably the greatest threat to cryptography in the real world: in practice, it is typically easier for an adversary to obtain a secret key from a naive user than to break the computational assumption on which the system is based. This threat is currently increasing as new APTs are quickly developed.

Complete prevention of key exposure—even for the original signer on his local host—usually requires some degree of physical security, which can be expensive and inconvenient. Thus, some security countermeasures assume that key exposure will inevitably occur and therefore focus on minimizing the damage which results when keys are obtained by an attacker.

A category of such damage-minimization security countermeasures is key-insulated cryptography [27, 28]. In the security model of key-insulated cryptography, physical security (and hence the secrecy of stored data) is guaranteed for a single device that holds a “master” secret key corresponding to a fixed public key. Day-to-day cryptographic operations such as signing a message, however, are performed by an insecure device (e.g., the customer’s PC) which “refreshes” its private key periodically by interacting with the physically secure device. In a -key-insulated cryptosystem, an attacker who compromises the insecure device and obtains secret keys for up to time periods is unable to violate the security of the cryptosystem for any of the remaining periods. The principle of key-insulated signature schemes is illustrated in Figure 5.

3. Key-Insulated Undetachable Digital Signature

In this section, we propose a novel category of digital signature schemes for mobile agents, the KIUDS scheme. This scheme simultaneously protects the digital signature functionality against attacks from remote malicious hosts and mitigates the security risk of signing key leakage on the original signer’s host. We begin by defining the KIUDS scheme and then provide its security model and security notion.

3.1. Definition

A KIUDS scheme consists of six algorithms as follows:(1), the key generation algorithm, is a probabilistic algorithm taking as input a security parameter and the total number of time periods . It returns a public key , a master secret signing key , and an initial key .(2), the device key update algorithm, is a probabilistic algorithm taking as input indices for time periods (throughout, we assume ) and the master key . It returns a partial secret key .(3), the user key update algorithm, is a deterministic algorithm taking as input indices , a secret key , and a partial secret key . It returns the secret key for time period .(4), the undetachable signing function generation algorithm, is a probabilistic polynomial time algorithm which takes the requirement of a customer , the customer’s identity , and the index of the current time period as inputs. The algorithm outputs a function .(5), the undetachable signing algorithm, is a polynomial time algorithm which takes the contract (or its hash value) as input. The algorithm outputs an undetachable signature .(6), the undetachable signature verification algorithm, is a polynomial time algorithm which takes the contract (or its hash value) and an undetachable signature as input. The algorithm outputs either “Accept” or “Reject,” simply 1 or 0.

To aid in further discussions, the frequently used symbols are listed as follows:: a security parameter, (),: the public key,: the master secret signing key,: indices of the time period,: the initial key,: the secret key for time period ,: a partial secret key,: shop ’s bid information and identity,: customer ’s requirement and identity,: an implementation of the undetachable signing function for time period ,: the auxiliary function of ,: message (usually a contract),: an undetachable signature,: a prime number,, : two cyclic groups whose orders are both ,: a generator of ,: a bilinear pairing from to .

3.2. Workflow of Using a KIUDS Scheme

First, a trusted authority, for example, a certification authority or a key distribution center, should publish all public parameters of the cryptosystem to all participants. The trusted authority then generates cryptographic keys for all participants by running the algorithm ; and the private key (i.e., the master key and the initial key) of each participant is sent via a correspondingly secure communication channel. The customer stores the private signing key in a physically secure device. Day-to-day cryptographic operations are performed by an insecure device (e.g., the customer’s PC) which periodically refreshes its key by interacting with the secure device using key update algorithms ( and ).

When a customer wants a mobile agent to do the shopping, the customer runs the algorithm to prepare the mobile agent before it starts migrating. The mobile agent then begins migrating to search for shops that are willing to satisfy the customer’s requirement.

Finally, anyone can check the validity of a contract by using the algorithm.

Figure 6 illustrates the workflow of using the algorithms in the proposed scheme.

3.3. Security Model and Security Notion

A KIUDS scheme differs from conventional digital signature schemes, as do its security model and security notion. However, the starting point of the discussion of the security model of KIUDS schemes is still the classical security model of conventional digital signature schemes.

There are four subclasses of known-message attacks against digital signature schemes [29]: the plain known-message attack, the generic chosen-message attack, the oriented chosen-message attack, and the adaptively chosen-message attack (ACMA). ACMA is the most dangerous scenario because the adversary is supposed to have such privilege, asking the signer to sign any message that he wants and then adapting his queries according to previous message-signature pairs.

The expected results of an attack are classified as follows [30]: (1) disclosing the secret key of the signer; (2) constructing an efficient algorithm which is able to sign any message; and (3) providing a new message-signature pair. The third category is called existential forgery. In many cases this attack is not dangerous because the output message is likely to be meaningless. Nevertheless, a signature scheme which is not existentially unforgeable (and thus that admits existential forgeries) cannot be used to certify random-looking elements such as keys.

Besides the attack model of ACMA, the following three security threats must be included in the attack model of KIUDS schemes.(1)Implementation Exposures. A shop owner is capable of obtaining the implementation of . This corresponds to an attack from malicious hosts. Note that an implementation exposure indicates ACMA because can run the implementation of the signing algorithm.(2)Key Exposures. In some time periods, an attacker may break the defense system of a customer’s computer and extract the corresponding signing key from the disk or memory.(3)Adaptively Chosen-Restriction Attack. This attack is an extension of the first threat. Consider the case where a friend () of customer asks to purchase an item. The restriction of an undetachable signature is probably set up by instead of . Then, if colludes with a shop owner, is also capable of obtaining the implementation of .

The first threat is easy to model by giving the adversary the description of the implementation of .

To model the second threat, we give the adversary access to a key exposure oracle that performs the following operations on input . The oracle first checks whether period has been “activated”; if so, the oracle returns the value already stored for . Otherwise, the key exposure oracle runs followed by , returns and stores the value , and labels period as “activated.”

To model the third threat, we give the adversary access to a chosen-restriction oracle that performs the following operations on input . The oracle first checks whether period has been “activated”; if so, the oracle returns the output of . Otherwise, the key exposure oracle runs followed by , stores the value , labels period as “activated,” and returns the output of . Moreover, the first threat is also covered by the chosen-restriction oracle because the chosen-restriction oracle models a stronger adversary rather than a simple malicious eShop owner.

Note that storing the values of the secret signing keys for activated time periods is only necessary when the algorithm is probabilistic; when is deterministic, the oracles ( and ) may simply run “from scratch” whenever needed to answer a query.

Definition 1 ((t,N)-KIUDS scheme). Let be a KIUDS scheme. For any adversary , the probability of a successful attack is defined as follows:

We say that is a ()-KIUDS scheme if is negligible for any probabilistic polynomial time (PPT) adversary who submits at most queries to the key exposure oracle . Moreover, following the convention of key-insulated cryptography, we say is perfectly key-insulated if equals .

4. A Concrete Scheme

In this section, we propose a construction of a KIUDS scheme and provide the proofs of correctness and security. In addition, we present the results of the complexity analysis and performance testing. Note that the proposed scheme utilizes the signature scheme in [31] as a building block.

4.1. The Algorithms

Let be a cyclic group generated by a generator , whose order is a prime number , and let be a cyclic multiplicative group of the same order . Suppose that discrete logarithm problems in both and are hard. Let be a pairing that satisfies the following three conditions.

Bilinear. Equations (5) and (6) together or (7) are as follows:where .

Nondegenerate. There exist and subject to

Computability. There is an efficient algorithm to compute for all .

We note that the Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified to create such bilinear maps.

Suppose that is an additive group. Four well-known mathematical problems are defined as follows.(1) Discrete Logarithm Problem (DLP). Given two group elements and , and an integer , (9) is satisfied whenever such an integer exists:(2) Decision Diffie–Hellman Problem (DDHP). For , given decide whether(3) Computational Diffie–Hellman Problem (CDHP). For , given compute without any knowledge about the value of either or .(4) Gap Diffie–Hellman Problem.

We assume throughout this paper that CDHP and DLP are intractable, meaning that there is no polynomial time algorithm to solve CDHP or DLP with nonnegligible probability. When the DDHP is easy but the CDHP is hard on group , is called a gap Diffie–Hellman (GDH) group. Our scheme can be built on any GDH group. Further mathematical background can be found in [32, 33].

We now define some system parameters. Let be a generator of . Suppose that the total number of time periods is a shared public value. Two secure hash functions are given here: and . The implementations of these hash functions can be found in works such as [3436].

The public parameters should be published to all participants by the trusted authority. Moreover, a public function that outputs 1 when the input is a valid Diffie–Hellman tuple and outputs 0 otherwise is shared among all parties.

(i) The Key Generation Algorithm . It takes a security parameter where as input and returns the public key and the master secret key as shown in Algorithm 1.


Because the total number of time periods is already a system-wide public value and the initial key is not demanded in the proposed scheme, we omit them in the input and output, respectively.

(ii) The Device Key Update Algorithm . In the proposed scheme, the device key update algorithm updates the signing key directly as shown in Algorithm 2.


(iii) The User Key Update Algorithm . The user key update algorithm can be defined as an identical transformation to fulfill the definition as shown in Algorithm 3.


(iv) The Undetachable Signing Function Generation Algorithm . First, the customer generates the description of his/her requirement . Next, the customer should run the algorithm to prepare his/her mobile agent before the agent starts migrating. The process is illustrated in Figure 7 and the algorithm is presented as shown in Algorithm 4.

 return a function as follows.

(v) The Undetachable Signing Algorithm . If a shop owner is going to make a deal with the customer, he/she should generate bid information satisfying and run the algorithm on input to sign a contract (see Algorithm 5).


(vi) The Undetachable Signature Verification Algorithm . Anyone can verify a contract by running the algorithm that works as shown in Algorithm 6.

 If ( does NOT satisfy )
  return 0
  return 0
  return 1
  return 0
4.2. Correctness of the Scheme

First, we prove the correctness of the verification algorithm.

Proposition 2. If is generated by the undetachable signing algorithm on and , and satisfies , then the verification algorithm outputs 1.

Proof. Since is a generator of , .
Although it is difficult to calculate the value of , the following equations hold:whereThus, according to (11), (12), and (13), we haveMoreover, Because of (11) and (16), we haveHence, the verification algorithm outputs 1. This completes the proof.

The next proposition indicates that the proposed scheme satisfies (2) in Section 2.3.

Proposition 3. Let and ; then .

Proof. Consider the following:

4.3. Security of the Scheme

Theorem 4. The proposed scheme is a perfectly KIUDS scheme.

Proof. First, we construct a security game which consists of two subgames (Game 1 and Game 2), as shown in Figure 8. In this security game, there are three players: , , and a simulator of the signature scheme in [31] called . The game proceeds in the random oracle model (ROM). is a PPT adversary against the proposed key-insulated undetachable signature scheme. The message is in the form of . The forger plays between and . is capable of making queries , , , and . is responsible for answering these queries with the help of . should answer queries , , , and , from . Note that the input parameter of is the unitary form , where is the order of .
Algorithms 7 and 8 are used by the forger to answer queries from the adversary in the security game.
At the end of the security game, the algorithm is used to forge a signature of from the output of . The algorithm proceeds as shown in Algorithm 9.
Clearly, in the security game that is illustrated in Figure 8, we haveSuppose that the adversary can win Game 1 that queries , , , and at most , , , and times, respectively, and has a running time of and an advantage . Then, can win Game 2 with queries , , , and at most , , , and times, respectively, and has a running time of and an advantage . Recall that the simulator simulates the signature scheme in [31], and therefore Game 2 depicts attacks against the signature scheme in Section of [31] in an equivalence form. Based on Lemma   in [30] (the Forking Lemma), Theorem   in [31] stated that “if there is an algorithm for an adaptively chosen message and ID attack to our scheme which queries , and Sign and Extract at most , , , and times, respectively, and has running time and advantagethen the CDHP can be solved with probability and within running timeBy substituting , , , , and into (20) and (21), we have that ifthen the CDHP can be solved with probability no less than 1/9 and within running timeAccording to the assumption that CDHP is hard, is negligible with respect to the value of , and so is . This completes the proof.

 return a function as follows.
 If ( does NOT satisfy )
  retrun ⊥
  return ⊥
4.4. Complexity Analysis

The mathematical operations used in this scheme are mainly scalar addition (SA; ), random selection (RS; ), scalar multiplication (SM; ), point addition (PA; ), bilinear map (BM; , ), and the two hash functions and . All of these operations are polynomial-bounded and can be computed efficiently.

Let be the size of an element in and let be the size of an element in . Let be the length of , the length of the , and the size of the implementation of without , , and . In Table 1, we show the numbers of operations needed for the algorithms proposed in Section 4.1.

Since the first implementation of undetachable digital signatures was proposed by Kotzanikolaou et al. [3], several concrete constructions of undetachable digital signature schemes have been proposed from 2001 to 2015 [4, 5, 710]. Compared with these prior undetachable digital signature schemes, the most significant feature of our proposed scheme lies in its key-insulation property. Different from most of prior studies, we have formally proved the security of the scheme. Moreover, the security of related schemes depends on a variety of diverse assumptions on the computational infeasibility of mathematical problems. Comprehensive comparisons in terms of the above three factors are summarized in Table 2.

The forward-secure undetachable digital signature (FSUDS) scheme in prior work [10] is currently the latest published study on undetachable signatures. In terms of the security, the “perfectly key-insulated” property implies the “forward-secure” property, but the inverse is not valid. Therefore, the proposed KIUDS scheme is stronger than the FSUDS scheme.

Compared with other key-insulated signature schemes, the proposed scheme is undetachable. The private key of the original signer (i.e., the customer) will hardly be compromised, even in a white-box attack context (e.g., a malicious host). For attackers, the misuse of signing functions carried with mobile agents is also infeasible even in white-box attack contexts, because the related restriction is combined with the “encrypted” signing function.

We further present the comparison in the field of software obfuscation. Obfuscation is a process that transforms a program into an unintelligible one without changing the original functionalities. If the signing algorithm has been obfuscated, the attacker cannot extract the signing key from the obfuscated implementation. However, it is still an open research problem that whether there exists an obfuscator for the signing algorithm in a digital signature scheme. Some obfuscators for specialized encrypted signatures have been developed since Hada’s work was reported in EuroCrypt 2010 [37]. For example, an obfuscator for encrypted verifiably encrypted signatures [38] and an obfuscator for encrypted group signatures [39] were presented in recent years. However, obfuscated implementation of the generation algorithm of encrypted signatures cannot prevent misusing attacks, (i.e., an attacker can call the algorithm to generate a signature). Therefore, compared with obfuscation approaches for encrypted signatures, the proposed scheme is capable of providing further protection against misuse of the signing algorithm.

6. Experimental Results and Comparison

6.1. Performance Testing

We have implemented the algorithms in Java. Java has been used instead of C/C++ because many mobile agent platforms are developed in Java, although C/C++ is known to be more efficient. We used an open source Java Pairing-Based Cryptography Library (JPBC) [40] in our implementation. The configurations of the testing platforms are listed in Table 3, and the experimental results are shown in Figures 9 and 10.

When the computing platform is a PC, we focus on the speed of the algorithms. In Figure 9, we show the speed of the algorithms on two different portable computers in single-thread mode. When the computing platform is a server, the most important index of performance is the number of transactions that can be processed in a short time span (e.g., a second). Hence, Figure 10 shows the number of operations of each algorithm on a PC server in multithread mode. The experimental results indicate that the algorithms in the proposed scheme are quite efficient.

6.2. Experimental Comparison with Related Work

With regard to the standard undetachable digital signature scheme based on bilinear pairings [8] and the FSUDS scheme [10], a group of experimental comparisons on computational costs has been performed on the server described in Table 3. The scheme in [8] has been selected for comparison because it is based on the same mathematical structure as the proposed scheme is. As the standard scheme does not include a key update algorithm, we use “0” to fill the data form. In Figure 11, the result shows that the algorithms of the proposed scheme execute faster than those of the FSUDS scheme, except for the algorithm. In particular, the key generation algorithm of the proposed scheme executes approximately 50 times faster than that of the FSUDS scheme. Furthermore, the performance of the proposed KIUDS scheme is similar to that of the standard scheme (denoted as Std in the figure), but the KIUDS scheme offers higher-level security than the standard scheme does.

The sizes of the input/output of the three algorithms (KI, FS, and Std) have also been compared. The result is obtained by analyzing and testing the software implementations of the schemes. As shown in Figure 12, most of the algorithms of the KIUDS scheme have smaller inputs and outputs than those of the FSUDS scheme. Furthermore, although the sizes of the inputs of and and the output of of the KIUDS scheme are larger than those of the standard scheme, the increased cost is acceptable in consideration of acquiring extra key-insulated security.

6.3. An Example of KIUDS Implementation

To further demonstrate the feasibility of the proposed scheme in practice, we have implemented a KIUDS solution for purchasing/selling books with mobile agents as a concrete example. The implementation is based on the Java Agent DEvelopment Framework (JADE) [41], which is an open source software framework that supports implementation of multiagent systems through a middleware complying with the FIPA specifications [42] and a set of tools supporting debugging and deployment phases. A JADE-based system can be distributed across various hosts while the configuration can be controlled via remote connections. The configuration can even be modified at run-time by moving agents from one host to another as necessary.

As an example, we created three instances of e-bookstores that sell books and a buyer agent that represents a customer who purchases books. Each e-bookstore has a number of books for sale with specified prices. The buyer agent aims to purchase the cheapest copy of the book titled “Thinking in Java” by visiting the three e-bookstores in an autonomous manner and comparing the prices retrieved. When the buyer agent purchases the book, a KIUDS is generated to sign the contract. Figure 13 illustrates the process of the book purchasing example.

The implementation has demonstrated the feasibility of the KIUDS scheme and solution, which serves as a proof-of-concept that complements the theoretical analysis and comparisons in previous sections. We also plan to further apply the KIUDS solution in more domains and identify more research issues that are worth in-depth exploration and study in future work.

7. Conclusion

In this paper, we introduce the definition and provide the security model and security notion of KIUDS schemes. KIUDS schemes are capable of protecting the digital signature functionality against attacks from remote malicious hosts and controlling the security risk of signing key leakage on the original signer’s host at the same time. Practically, a concrete KIUDS scheme with provable security is proposed for secure mobile agents in electronic commerce. The scheme is constructed on bilinear pairings and the security of the scheme is proven to rely on the hardness of the computational Diffie–Hellman problem on gap Diffie–Hellman groups which is infeasible to solve in practice. Our experimental results have demonstrated that the proposed scheme is efficient.

Competing Interests

The authors declare that there are no competing interests regarding the publication of this paper.


This research has been supported by the National Natural Science Foundation of China (no. 61202382), the Fundamental Research Funds for the Central Universities, and the Scientific Research Foundation for the Returned Overseas Chinese Scholars.