Cryptanalysis and Performance Evaluation of Enhanced Threshold Proxy Signature Scheme Based on RSA for Known Signers

Kumar, Raman; Verma, Harsh Kumar; Dhir, Renu

doi:https://doi.org/10.1155/2013/790257

Mathematical Problems in Engineering

On this page

Abstract Introduction Implementation Conclusion References Copyright Related Articles

Research Article | Open Access

Volume 2013 | Article ID 790257 | https://doi.org/10.1155/2013/790257

Cryptanalysis and Performance Evaluation of Enhanced Threshold Proxy Signature Scheme Based on RSA for Known Signers

Raman Kumar,¹Harsh Kumar Verma,¹and Renu Dhir¹

Academic Editor: Hung Nguyen-Xuan

Received24 Jul 2012

Accepted16 Nov 2012

Published28 Mar 2013

Abstract

In these days there are plenty of signature schemes such as the threshold proxy signature scheme (Kumar and Verma 2010). The network is a shared medium so that the weakness security attacks such as eavesdropping, replay attack, and modification attack. Thus, we have to establish a common key for encrypting/decrypting our communications over an insecure network. In this scheme, a threshold proxy signature scheme based on RSA, any or more proxy signers can cooperatively generate a proxy signature while or fewer of them cannot do it. The threshold proxy signature scheme uses the RSA cryptosystem to generate the private and the public key of the signers (Rivest et al., 1978). Comparison is done on the basis of time complexity, space complexity, and communication overhead. We compare the performance of four schemes (Hwang et al. (2003), Kuo and Chen (2005), Yong-Jun et al. (2007), and Li et al. (2007), with the performance of a scheme that has been proposed earlier by the authors of this paper. In the proposed scheme, both the combiner and the secret share holder can verify the correctness of the information that they are receiving from each other. Therefore, the enhanced threshold proxy signature scheme is secure and efficient against notorious conspiracy attacks.

1. Introduction

Today Internet is an inseparable part of our life and millions of people will be using the Internet. Reading the news, chatting with friends, purchasing a new product, and researching for a paper, the number of uses of the Internet is endless. One of the attractions of the Internet is that one can do almost anything from the comfort of his/her own home and with a relative sense of anonymity.

Unfortunately, the data going across the Internet may not be as secure as we would like to think. It is not especially difficult for a person with the right technical skills to intercept the data going from one computer to another. Usually this is not a problem; people do not really care if someone knows that they went to http://www.google.com/ and started researching Number Theory. However, if the intercepted data contains a credit card number, password, social security number, or some other private information, it becomes a whole different story.

Online banking and a host of other services rely heavily upon the security of credit card numbers, PINs, and other private information as it goes across the network. But if it is easy to intercept these numbers, how do these services work? The answer is cryptography.

In today’s commercial environment, establishing a framework for the authentication of computer-based information requires a familiarity with concepts and professional skills from both the legal and computer security fields. Combining these two disciplines is not an easy task because concepts from the information security field often correspond only loosely to concepts from the legal fields, even in situations where the terminology is similar. For example, from the information security point of view, “digital signature” means the result of applying to specific technical processes. The historical legal concept of “signature” is broader. It recognizes any mark made with the intention of authenticating the marked document [1].

In this research paper, we discuss threshold proxy signature scheme. In a threshold proxy signature schemes, an original signer delegates a group of n proxy signers to sign message on behalf of him or her. When the proxy signature is created, or more proxy signers cooperate to generate valid proxy signatures and less than proxy signers cannot cooperatively produce valid proxy signatures. In essence, we have tested our enhanced threshold proxy signature scheme by undergoing some fruitful attacks.

2. Review of Threshold Proxy Signature Schemes

2.1. History of Threshold Proxy Signature Schemes

In the history of proxy signature technological development, the threshold proxy signature technique was the first to come. In proxy signature schemes, a legal proxy signature can be generated by a designated proxy signer by using a proxy signing key. The proxy signing key is computed from the original signer’s private key, but the private key should not be computed from the proxy signing key in any way. In the eye of a modern user, such schemes are simple but not flexible. In order to extend proxy signature schemes to fit various practical situations, many threshold proxy signature schemes have been proposed. For example, we have threshold proxy signature schemes that allow any or more proxy signers from a designated group of n members to cooperatively sign messages, while or fewer members cannot generate the legal proxy signature. In practice, the original signer can flexibly choose the threshold . The approach agrees with , , and threshold delegations.

Rivest et al. [1] and Blakley firstly proposed the threshold secret sharing scheme based upon Lagrange interpolating polynomial and linear projective geometry, respectively, in 1979. In a threshold secret sharing scheme, secret holder delivers the distinct secret values (called shares or shadows) to n participants. At least or more participants can combine their shares and reconstruct the secret, but only or fewer members cannot. Based on these properties, secret sharing is an important part of modern cryptography and has been used in many fields of modern cryptography. In 1996, Mambo et al. [12] proposed the concept of proxy signature. In their schemes, the original signer can delegate his/her right to the proxy signers who can sign the message instead of the original signer.

Recently, many threshold proxy signature schemes were proposed. The history of threshold proxy signature schemes is made up in Table 1.

The concept of threshold cryptosystems was also brought up by Denmedt and Frankel in 1991. They adapted the ElGamal public key cryptosystem and used the Lagrange interpolation or geometry to produce shadows.

To make proxy signature applicable to group-oriented situations, Sun [13] and Kim et al. [5] proposed a threshold proxy signature in 1997, which is a variant of proxy signature by using the ideas of secret sharing and threshold cryptosystems. The basic strategy used in Kim et al.’s scheme is a random number generation.

2.2. Review of Kim et al.’s Scheme

2.2.1. The Random Number Generation Phase

This scheme requires a protocol to generate a random number among the group without the dealer. Let be the original signer, and let be the n proxy signers of the proxy group.(1)Each proxy signer selects secret polynomial of degree such that where , , , and are random numbers.(2)Then, each computes mod and sends it to for all and . Furthermore, computes and broadcasts them.(3)After receiving (for and ), confirms that the validity of by checking whether or not satisfies the following equation: (4)If the verifications in Step 3 hold, each computes the secret share and computes public outputs

2.2.2. The Proxy Sharing Phase

(1)Group Key Generation. First, the proxy group must execute the above protocol to obtain the share and the public outputs mod , mod , where (2)Proxy Generation. The original signer computes mod and , where is a random number, is a warrant, and is one way hash function. After this, computes where is a private key of the original signer. (3)Proxy Sharing. randomly chooses a polynomial such that where , , are random numbers. Then, computes and sends it to each in a secret manner; also computes and publishes .(4)Proxy Share Generation. After receiving , each has to validate using where is the original signer’s public key. If it holds, each proxy signer, , computes the proxy sharing

2.2.3. The Proxy Issuing and Verification Phase

(1)The or more actual signers have to execute the random number generation phase to obtain the secret output and public outputs where (2)Then each actual signer uses his proxy signature key to issue a partial proxy signature such that and , where is message. Then, each actual signer reveals .(3)Everyone can verify the validity of by the following equation: (4)If the previous verification holds, the signature, on is , where can be computed by applying the Lagrange formula. (5)To verify the validity of the signature, anyone can examine the following equation:

2.3. Security Analysis of Kim et al. and Related Schemes

The Kim et al.’s [13] scheme has been shown insecure by Sun et al. [6] using the public key updating attack. Kim et al. proposed two types of threshold proxy signature schemes, which were the proxy-protected scheme and the proxy-unprotected scheme. In the proxy-protected scheme, the original cannot impersonate a proxy signer to issue a valid proxy signature. The proxy signing key combines the original signer’s secret sharing key and a secret value among the proxy signers. Therefore, the original signer cannot obtain the proxy signing keys. This property is called proxy-protected. One major drawback in Kim et al.’s scheme is that the actual signers cannot be identified. This can be very inconvenient for internal auditing. Kim et al.’s scheme does not satisfy the known signer’s requirement, proxy protection requirement, and the time constrain requirement. It does not satisfy the known signer’s requirement as the actual signer cannot be identified. Also, it is necessary for a verifier to use the public information to check the validity of proxy signature. If the pubic information is not authenticated, the original signer is able to execute the threshold proxy signature scheme to generate a valid proxy signature key by himself; that is, he plays the roles of the original signer and the proxy signers simultaneously. This is because a verifier is unable to distinguish whether the public information is created by the legal proxy group or by others (a dishonest original signer or unauthorized group). Hence, it does not satisfy the proxy protection requirement. This scheme does not have the ability to put time constraints on the threshold delegation.

In order to remedy the problem of unknown signers, Sun et al. [6] revised Kim et al.’s [13] proxy-protected type threshold proxy signature scheme and made the actual signers able to be identified. Sun et al.’s scheme is also insecure since any proxy signers in the group can conspire to obtain secret key needed by the remainder of the group. Also, the computational as well as communicational overhead of Sun’s scheme is high. With or more proxy signers, it issues a proxy signature which has to generate and share a random number among them. In essence, it requires several expansion modular exponential computations and communications.

Unfortunately, Zhang’s scheme [13] has also shown to be insecure by Lee, Hwang, and Wang. They have shown a dishonest proxy signer can cheat to get a signature which is generated by the original signer on any message with the condition that a conventional digital signature scheme is a variation of ElGamal type signature.

In 1991, Desmedt and Frankel proposed a threshold RSA signature scheme. This technique allows out of individuals to generate a signature for a message. The signature is on the behalf of group of n members; hence, we also call it group signature. Rivest et al. [1] extended the concepts and principles from Desmedt and Frankel’s threshold RSA signature to develop a threshold RSA proxy signature scheme.

In 1999, Okamoto et al. [14] also suggested an enhanced proxy signature scheme based on both the Mambo-Usuda-Okamoto and Kim-Park-Won schemes. Later on, Sun, Lee, and Hwang examined the security of the Sun-Hsieh scheme based on the Kim-Park-Won scheme and proved that the scheme is not nonrepudiable. And also, a slightly modified version was suggested by them.

Hwang et al. [7] have shown that Sun’s scheme has a security weakness. An adversary can impersonate a legal proxy signer to generate a proxy signature and the real proxy signer cannot deny having signed the proxy signature.

Lee et al. [15] have proposed the generalization of the proxy signature scheme based on factorization of the square root modulo of a composite number. They proposed three kinds of proxy signature schemes: the , the , and the proxy signature schemes. In this, the actual original signer cannot deny delegating the warrant or proxy signature either.

Tzeng et al. [16] have proposed a batch verification scheme for multiple proxy signature to reduce proxy verification time. The proposed scheme is not efficient because it does not verify each proxy signature separately, but somehow it is secure because it can detect forged multiple proxy signatures without failure.

Hwang et al. [17] have proposed a multiproxy multisignature scheme which allows any or more proxy signers from a designated group of proxy signers to sign messages on behalf of any or more original signers from a group of original signers in total. In this, they only make proxy signers to sign on behalf of them.

Lu et al. [18] have proposed a proxy signature scheme which allows the original signer to revoke delegations whenever necessary. In this, the authentication server will not issue the time-stamp unless the delegation has not been revoked or the delegation period specified in the warrant has not expired.

Yang et al. [19] have proposed an improvement of Hsu et al.’s scheme that is somewhat efficient in terms of computational complexity and communication cost. Different from Hsu et al.’s, the original signer only computes a common proxy share and broadcasts it to the proxy group. As compared with Hsu et al.’s scheme, the secret shares calculations is not required.

Tzeng et al. [20] have proposed a threshold multiproxy multisignature scheme with shared verification. They have proposed the security on the basis of one-way hash function and discrete logarithm problem. They considered only a few attacks.

Tzeng et al. [21] have presented security analysis of the Hwang-Lin-Lu scheme. The Hwang-Lin-Lu scheme is vulnerable to forge attack.

Hwang et al. [22] have presented a generalized version of proxy signature scheme. A generalization version of the proxy signature scheme is based on the elliptic curve discrete logarithm problem only. In this paper, the actual original signer cannot deny delegating the warrant or the proxy signature.

In 2001, Hsu et al. proposed a nonrepudiable threshold proxy signature scheme. Tsai et al. [23] proposed a scheme to remedy the weakness of the Hsu-Wu-Wu scheme. In this, neither the original signer nor a malicious proxy signer can forge the legal proxy signature.

Li et al. [24] have presented a generalized version of proxy signature scheme. A generalization version of the is based on the discrete logarithm problem only. They discussed three kinds of proxy signature schemes: the , the , and the proxy signature schemes. The actual original signer cannot deny delegating the warrant or the proxy signature.

Hwang et al. [25] have discussed Hwang and Shi’s scheme without using a one-way hash function. In their scheme, an original signer needs not send a proxy certificate to proxy signer through secure channels. This scheme is vulnerable to the public key substitution attacks.

Hwang et al. [26] have presented a cryptanalysis of Sun’s threshold proxy signature scheme. They have shown only that the secret key can be compromised by collusion attack.

Raman Kumar et al. [27] have presented a new scheme which includes the features and benefits of four schemes: Hwang et al., Wen et al., Geng et al. and Feng et al. They have compared these schemes and optimized their own proposed scheme on the basis of different parameters.

2.4. Review of Hwang et al.’s Scheme

In the HLL scheme, Hwang et al. [7] proposed a practical and efficient threshold proxy signature scheme based on the RSA cryptosystem. This scheme uses only an RSA digital signature scheme and a simple Lagrange formula to share the proxy signature key.

There are three types of participants in the scheme: the original signer, the proxy signer, and the combiner. The original signer allows a group of proxy signers to sign a message. The combiner can be the secretary of the original signer. The proposed threshold proxy signature scheme can be divided into three phases:(1)The proxy sharing phase;(2)The proxy issuing phase;(3)The verification phase.

In the proxy generation phase, the original signer computes the partial proxy signing keys from his private key and sends them to each designated proxy signer. In the proxy signature issuing phase, the proxy signers cooperatively create a valid signature on a message . In the verification phase, the verifier can identify not only the original signer, but also the actual signers. stands for the original signer and stand for the proxy signers. is a public RSA modulus for such that is a public RSA modulus for and , where and are two secret large primes, while is the private key for and its corresponding public key is , such that mod , where . The parameters and can be published. The parameters and are kept secret by the holder. represents signed with ’s private key , and represents encrypted with ’s public key using the ordinary RSA cryptosystem. The message stands for a warrant that is minted by the original signer and it contains important information such as the validity period of the proxy key, the identities of the proxy signers, and the original signer. In the proposed scheme, let .

2.4.1. The Proxy Sharing Phase

Assume that an original signer delegates the power to sign messages to members during stipulated period. The steps to generate the proxy key are as follows.

Proxy Generation. produces the group proxy signing key and proxy verification key , where where mod .

is the validity period of proxy signatures, is the sum of identities of , and is a random number.

Then publishes .

Proxy Sharing. selects a degree polynomial, where , are random numbers. Meanwhile, calculates proxy signer ’s partial proxy signing key and sends mod to the proxy signer .

2.4.2. Proxy Share Generation

When proxy signer receives mod , he or she can get by his or her secret key . And then confirms the validity of and keeps it secret.

The Proxy Signature Issuing Phase. Let denote the group members including any or more proxy signers who want to generate a proxy signature on message on behalf of cooperatively. Each proxy signer uses the partial proxy signing key to generate the partial signature Then sends to the combiner.

When the combiner receives all partial signature from , firstly, he or she verifies the validity of the partial proxy signature by checking if or not. If all partial signatures are valid, the combiner computes the value of Here,

So is an integer and the combiner need not compute the inverse of

Finally, the combiner generates the signature as follows:

The result of proxy signature is .

2.4.3. The Proxy Signature Verification Phase

The verifier can verify the signature signed on behalf of the original signer by the following equation:

The original signer can differentiate the actual signer from the signature . Then the original signer can trace the actual signers by .

2.5. Conclusions from the Threshold Proxy Signature Schemes

All analyses indicated that the scheme fails to satisfy all the requirements except one or two. So, an enhanced threshold proxy signature scheme must satisfy all of the following basic requirements which can be called proxy requirements [7, 9–11].

Secrecy. The original signer’s private key is very important. It must be kept secret. If it is discovered, the security of the system is ruined. Therefore, the system must ensure that the private key never gets derived from any information such as the sharing of the proxy signing key or the original signer’s public key. Furthermore, no proxy signers should be able to cooperatively derive the original signer’s private key.

Proxy Protected. Only a delegated proxy signer can generate his partial proxy signature. Even the original signer cannot masquerade as a proxy signer to generate a partial proxy signature. This property protects the authority of the proxy signer.

Unforgeability. A valid proxy signature can only be cooperatively generated by or more proxy signers. Nondelegated signers have no capability to generate a valid proxy signature. Also, or less proxy signers have no capability of forging a valid proxy signature.

Nonrepudiation. Any valid proxy signature must be generated by or more proxy signers. The verifier can make sure that the signed message is a correct one by using the proxy signing keys. The original signer cannot deny having delegated the power of signing messages to the proxy signers. Furthermore, the proxy signers cannot deny that they have signed the message.

Time Constraint. The proxy signing keys can be used only during a stipulated period. Once expired, proxy signing keys become invalid; as a result, the signing capability of the proxy signers disappears. However, the original signer’s private key can be repeatedly used. This is more suitable for use in the real world.

Known Signers. For internal auditing purposes, the system is able to identify the actual signers in the original signer’s private key. The proxy signer has the capability to sign on the behalf of the original signer, but from the proxy signing key, the proxy signer cannot recover the original signer’s private key.

3. Our Scheme

The concept of threshold cryptosystems was first proposed by Katzenbeisser [28]. They adapted the ElGamal [3] public key cryptosystem and used the Lagrange interpolation or geometry to produce the shadows. In the history of proxy signature technological development, the threshold proxy signature technique was the first to come [7]. In proxy signature schemes [12, 14, 29], a legal proxy signature can be generated by a designated proxy signer by using a proxy signing key. However, in a threshold proxy signature scheme, the original signer delegates the power of signing messages to a designated proxy group of members. Any or more proxy signers of the group can cooperatively issue a proxy signature on the behalf of the original signer, but or fewer proxy signers cannot. Previously, all of the proposed threshold proxy signature schemes, for instance, Lee et al. [30], ElGamal [2], Sun [13], and Mambo et al. [12], have been based on the discrete logarithm problem. However, the recently proposed threshold proxy signature schemes are based on the RSA cryptosystem [1] and the Lagrange coefficient. In 2003, Hwang et al. [7] proposed a practical and efficient threshold proxy signature scheme based on the RSA cryptosystem. This scheme uses only an RSA digit signature scheme and a simple Lagrange formula to share the proxy signature key. In 2004, Wang et al. [8] pointed out a problem on the correctness of the HLL scheme. In 2005, Kuo and Chen [9] also indicated two security weaknesses in the HLL scheme and proposed a new scheme to overcome these weaknesses.

We compare the performance of four schemes, Hwang et al. [7], Kuo and Chen [9], Yong-Jun et al. [11], and Li et al. [10], with the performance of a scheme that has been proposed by the authors of this paper earlier and proposed an enhanced secure threshold proxy signature scheme. In the proposed scheme, both the combiner and the secret share holder can verify the correctness of the information that they are receiving from each other. Therefore, the enhanced threshold proxy signature scheme is secure and efficient against notorious conspiracy attacks. Table 2 gives the comparison of threshold proxy signature schemes based on the proxy requirements of each scheme.

4. Security Analysis of the Proposed Scheme

4.1. Factorization of the RSA Module

Factoring : the fastest known factoring algorithm developed by Pollard is the General Number Field Sieve [1], which has running time for factoring a large number of size , of order The method relies upon the observation that if integers and are, such that (mod ) and , then gcd and gcd are nontrivial factors of .

Tables 3(a) and 3(b) give the number of operations needed to factor with the GNFS method and the time required if each operation uses one microsecond, for various lengths of the number (in decimal digits).

Computing without factoring “”:

assume that , ,

since ,

then so ;

guess and then find , so .

Example 1. Suppose .
So, and ; then and , , .

4.2. Lattices and Lattice Reduction of RSA Module

4.2.1. Lattice-Based Attacks on RSA

The following attacks have been tested for RSA modules:(i)Hastad’s attack;(ii)Franklin-Reiter attack;(iii)extension to Wiener’s attack.

4.2.2. Lattices and Lattice Reduction

Given a set of linearly independent vectors, in , the set of all real linear combinations of these vectors is a vector subspace.

Gram-Schmidt process [28] takes one basis and produces a basis which is pairwise orthogonal:

Example 2. Consider Given a set of basis vectors in and , a lattice is a set of all integer linear combinations of the .

Definition 3. A basis is called LLL reduced if the associated Gram-Schmidt basis satisfies
For all nonzero, , we have

4.2.3. Security Levels of the RSA Module on Different Platforms

The following are the creation of key in seconds for different security levels which can be used for encryption and decryption.

The fields in Tables 4(a) and 4(b) have been generated by varying the values of security levels for both the Pentium and AlphaStation, respectively. It shows the various parameters generated for different security levels.

4.2.4. A General Coalition Attack against Threshold Signature Schemes

Though our modification can withstand the forgery attack suffered by the said to be [7, 9–11] threshold group signature scheme, there is a general coalition attack against threshold signature schemes. In the ordinary threshold signature scheme, the group’s secret key is , and each member has the secret share . If or more malicious members pool their secret shares together, they can recover by applying the Lagrange interpolating polynomial. Then each one of them can alone compute valid signatures for new messages on behalf of the group afterwards without the cooperation of other signers and without being detected by verifiers. Obviously, this violates the group’s signing policy. Otherwise, if such coalition is permissive, other signers would follow this kind of dishonesty. Thus, each user can also alone compute valid group signatures after one coalition. It is terrible for threshold signature schemes. This coalition attack is inherent in many threshold signature schemes using threshold secret share scheme, as long as the secret key can be recovered from secret shares.

4.2.5. The Probability of Catching a User

The probability of catching a user in enhanced threshold proxy signature scheme depends on the number of identity pairs used in it. The more the pairs used, the greater the chance of catching the anonymous user. The probability of catching the anonymous user is where is the number of pairs used.

For example, if , then the chance of catching a user is 0.97.

4.2.6. An Algorithm to Check Primality of Any General Number Given

The algorithm is as follows.

Input: integer .(1)If for integers and , output composite.(2)Find the smallest r such that .(3)If for some , output composite.(4)If , output prime. For to do if , output composite.(6)Output prime.

Here is the multiplicative order of modulo , log is the binary logarithm, and is Euler’s totient function of .

If is a prime number, the algorithm will always return prime: since is prime, Steps 1 and 3 will never return composite. Step 5 will also never return composite because Step 2 is true for all prime numbers . Therefore, the algorithm will return prime either in Step 4 or in Step 6.

Conversely, if is composite, the algorithm will always return composite: if the algorithm returns prime, then this will occur in either Step 4 or Step 6. In the first case, since , has a factor such that , which will return composite. The remaining possibility is that the algorithm returns prime in Step 6. The authors’ paper proves that this will not happen because the multiple equalities tested in Step 5 are sufficient to guarantee that the output is composite [31].

4.2.7. An Algorithm to Determine If a Number Is a Probable Prime

The Fermat primality test is a probabilistic test to determine if a number is a probable prime. The algorithm is as follows. Inputs: : a value to test for primality; : a parameter that determines the number of times to test for primality Output: composite if is composite, otherwise probably prime

repeat times: pick randomly in the range if (mod ), then return composite

Return Probably Prime. Using fast algorithms for modular exponentiation, the running time of this algorithm is , where is the number of times we test a random and is the value we want to test for primality [32].

4.2.8. The Commonly Supported and Used Algorithms in Protocol

Here are some of the more commonly supported and used algorithms in protocol (see Table 5).

5. Performance Analysis of the Proposed Scheme

The analysis reports of the proposed hypothesis for enhanced threshold proxy signature scheme are given as the following.

5.1. Entropy

In this case, the value of entropy is the measure of the tendency of a process, to be entropically favored or to proceed in a particular direction. Moreover, entropy provides an indication for a specific encryption method. We have analyzed our hypothesis on the basis of entropy generated.

Figure 1 shows that entropy for enhanced threshold proxy signature scheme. Figure 2 shows the compression ratio required in each scheme. Table 6 lists the name and compression ratio required in each scheme.

5.2. Floating Frequencies/Intuitive Synthesis

Floating frequencies/intuitive synthesis in its completed three parts entirety takes full advantage of the time complexity, space complexity, and communication overhead provided by the digital medium. We have calculated floating frequency of the threshold proxy signature scheme. Figure 3 shows that floating frequencies/intuitive synthesis for the enhanced threshold proxy signature scheme.

5.3. ASCII Histogram

The ASCII histogram proved to be very useful since it helped enormously in debugging code involving probability calculations with simple print statements. Probabilistic simulations are extremely hard to test because the results of a given operation are never strictly the same. However, they should have the same probability distribution, so by looking at the rough shape of the histogram, it tells you if your calculations are going in the right direction. In this context, we have calculated ASCII histogram for our threshold proxy signature scheme. Figure 4 shows that ASCII Histogram for enhanced threshold proxy signature.

5.4. Autocorrelation

This is mathematical representation of the degree of similarity between a given time series and a lagged version of itself over successive time intervals. It is the same a calculating the correlation between two different time series, except that the same time series is used twice—once in its original form and once lagged one or more time periods. The term can also be referred to as “lagged correlation” or “serial correlation”. In this, we have calculated autocorrelation for threshold proxy signature scheme. Figure 5 shows the Autocorrelation for the enhanced threshold proxy signature scheme.

5.5. Histogram Analysis

A histogram is a graphical representation showing a visual impression of the distribution of data. We have analyzed histogram of for all threshold proxy signature schemes.

Detailed View. The detailed view of the histogram analysis of all schemes can be represented as follows.

Experiment 1. Histogram analysis of . File size 12581 bytes. Descending sorted on frequency.

Figure 6 shows that radar chart showing histogram analysis for HLL threshold proxy signature scheme. Table 7 lists the histogram analysis for the HLL threshold proxy signature scheme.

Experiment 2. Histogram analysis of . File size 11733 bytes. Descending sorted on frequency.

Figure 7 shows that radar chart showing histogram Analysis for KUOCHEN threshold proxy signature scheme. Table 8 lists the histogram analysis for the KUOCHEN threshold proxy signature scheme.

Experiment 3. Histogram Analysis of . File size 11259 bytes. Descending sorted on frequency.

Figure 8 shows that radar chart showing histogram analysis for the GENGVRF threshold proxy signature scheme. Table 9 lists the histogram analysis for the GENGVRF threshold proxy signature scheme.

Experiment 4. Histogram ANALYSIS of . File size 12067 bytes. Descending sorted on frequency.

Figure 9 shows that radar chart showing histogram analysis for the FNGVRF threshold proxy signature scheme. Table 10 lists the histogram analysis for the FNGVRF threshold proxy signature scheme.

Experiment 5. Histogram analysis of . File size 16897 bytes. Descending sorted on frequency.
Figure 10 shows that Radar Chart showing histogram analysis for the enhanced threshold proxy signature scheme. Table 11 lists the histogram analysis for enhanced threshold proxy signature scheme.
Figure 11 shows that radar chart showing overall histogram analysis for all threshold proxy signature schemes. Table 17 lists the histogram analysis for the overall threshold proxy signature schemes.

5.6. Collusion Attack

The collusion attack is an action carried out by a given set of malicious users in possession of a copy of protected content that join together in order to obtain at the end of the attack procedure an unprotected asset. The attack is carried out by properly combining the protected copies of the multimedia documents collected by the colluders, according to the type of content and the kind of adopted protection system.

When the protection is assured by a data hiding algorithm, the collusion usually can take place in one of two different application frameworks: multimedia fingerprinting and ownership verification. In multimedia fingerprinting, a content owner, to protect his/her copyright, embeds a different code into each copy of the content distributed to each customer in order to be able to trace possible illegal usage of data and discover the source of the leakage of information; in this case, then, each colluder possesses a slightly different copy of the same multimedia content, and the attack consists in averaging all documents they have, trying to produce a new document in which the watermark is no longer present. If the number of averaged documents is large enough, the attack is very effective even without the introduction of perceptually significant degradation between the averaged multimedia document and the original one. In ownership verification, a content owner, to demonstrate that he/she is the authorized holder of the distributed content, embeds always the same code, linked to his/her identity, into different watermarked documents before they are distributed to the customers in such a way that the hidden code can be used to prove ownership in court if someone will infringe on his/her copyrights; in this case, then, each colluder possesses different multimedia documents, with the same hidden code, so that the attack is carried out by estimating the watermark by means of an average of all the different contents they have (this approach is suitable only for data-hiding systems in which the hidden watermark does not depend on the host data). Then the estimated watermark can be removed from all the documents hiding in it or even falsely inserted in other ones to generate fake watermarked documents [33].

One advantage of enhanced threshold proxy signature schemes is that they can prevent a “collusion attack” in which two key generation servers communicate with each other to get useful information about the user’s private key. In essence, Figure 19 shows the overall communication architecture for the secure threshold proxy signature scheme based on RSA cryptosystem for known signers.

5.7. Security of RSA Signature

Existential forgery using a key-only attack: Choose a random Compute We have , a valid signature of . Existential forgery using a known message attack: Suppose and Can check So . Existential forgery using a chosen message attack: To get a signature for , find Query for signatures of and .

5.8. Forgery Attack

RSA function is a multiplicative homomorphism; for all , , More generally, The property not only is exploited in most forgery attacks on RSA signatures, but also enhances recent security proofs.

5.9. Friedman Test

The Friedman test is a nonparametric statistical test developed by the US economist Milton Friedman. Similar to the parametric repeated measures ANOVA, it is used to detect differences in treatments across multiple test attempts. The procedure involves ranking each row (or block) together, then considering the values of ranks by columns. Applicable to complete block designs, it is thus a special case of the Durbin test. The Friedman test is used for one-way repeated measures analysis of variance by ranks. In its use of ranks, it is similar to the Kruskal-Wallis one-way analysis of variance by ranks. We have tested our hypothesis against the Friedman test [31].

Figure 12 shows the chart showing Friedman test for all threshold proxy signature schemes.

6. Implementation and Comparison of the Proposed Scheme

The implementation of the schemes has been done.

6.1. Time Complexity

When determining the time complexity of an algorithm, we measure how fast the computing requirements grow as the size of the input grows.

6.1.1. Readings

Readings are taken for two scenarios described below. Each reading shown in Table 11 is the average of 30 readings.

Scenario 1: when number of threshold signers, .

Scenario 2: when number of threshold signers, .

Table 12 shows the readings of execution time (in microseconds) when the number of threshold signers is equal to 11 and Table 13 shows the readings of execution time (in microseconds) and when the number of threshold signers is equal to number of proxy signers.

6.1.2. Graphs

We plot the graphs with the following:(1)execution time (in microseconds) on -axis, (2)number of proxy signers () on -axis.

Scenario 1: when number of threshold signers, .

Scenario 2: when number of threshold signers, .

6.1.3. Results

Figures 13(a), 13(b), 14(a), and 14(b) show that for both scenarios, Geng et al. scheme has the maximum time complexity and the proposed scheme has the minimum time complexity; also Fengying et al.’s time complexity falls very near the proposed scheme. We find that the proposed and Fengying et al.’s schemes have minimum time complexities. The time complexity of HLL scheme is more in case of scenario 1 (for ) but less in case of scenario (). This is because it has an extra constant overhead to verify the validity of the stipulated period. As this overhead is constant, hence, for scenario 1, HLL scheme has more time complexity as compared to other schemes. The proposed scheme has less time complexity as compared to other schemes because it need not compute the inverse when we compute the value of Lagrange coefficient (Figure 15), which makes the scheme more efficient [11]. Also, we do not verify message warrant, which saves the extra overhead, that was incurred in case of KC scheme.

(a)

(b)

(a)

(b)

Figures 13(a), 13(b), 14(a), and 14(b) show that for both scenarios, the execution time increases with the increase in the number of proxy signers. This is because as the number of proxy signers increases, the number of computations also increases, due to, which the execution time increases. The number of computations increases because for each proxy signers, following parameters have to be computed.(1)RSA modulus, .(2)Private key, .(3)Public key, .(4) and . (5).(6).

The more the number of proxy signers, the more the computations. The graphs generated also confirm this point. Also, we observe that in the graphs in Figures 14(a) and 14(b) the execution time is more in case of than in case of . It is because the number of computations increases with the number of threshold signers as well. For each threshold signer, the following computations have to done.(1)Partial proxy signatures, .(2)The Lagrange coefficient, .

The more the number of threshold proxy signers, the more the computations as confirmed by the graphs generated.

Scenario 3: when number of threshold signers, and .

Table 14 shows the readings of execution time (in microseconds) when the number of threshold signers is equal to 1 and is equal to number of proxy signers, where number of Signers , days = 80, and threshold number of Signers .

Scenario 3: when number of threshold signers, and .

6.2. Space Complexity

The space complexity of a program is the number of elementary objects that this program needs to store during its execution. We generate graphs to analyze the space complexity of the schemes.

6.2.1. Estimation Based on Number of Variables

Table 14 lists the name and number of variables required in each scheme. Beside the variables shown in Table 14, a character string is required to store the message which has to be signed.

6.2.2. Graphs

We plot the graphs with the following:(1)memory overhead (in terms of number of variables) on -axis,(2)Number of proxy signers () on -axis.

The graphs have been shown in Figures 16 and 17.

6.2.3. Results

Figures 16 and 17 have been generated by varying the values of for both scenarios in Table 15, which shows the memory overhead in terms of memory variables required for each scheme. In Figures 16 and 17, we see that for both scenarios, the proposed scheme has the maximum space complexity and the HLL scheme has the minimum space complexity. The complexity of KC, Geng et al., and Fengying et al. scheme falls between the two schemes’ space complexity with KC and Fengying et al. schemes having the same space complexity. We note that in Table 4, the proposed scheme requires only more variables than the HLL scheme, which has the minimum space complexity. For example, the proposed scheme requires only 4 extra variables than the HLL scheme for , which has the minimum space complexity, and for , the proposed scheme requires only 13 more variables than the HLL scheme. Also, this difference can be easily accommodated with the development of very large storage devices. Hence, we can see that the space complexities of the schemes are almost equal and the performance of the schemes in the case of the space complexity is almost the same.

Scenario 1: when number of threshold signers, .

Scenario 2: when number of threshold signers, .

Figures 16 and 17 also show that for both the scenarios, the space complexity increases with the increase in the number of proxy signers. This is because as the number of proxy signers increases, the number of variables also increases due to which the memory requirements increase. Memory overhead increases because for each proxy signers, the following parameters are required.(1)RSA modulus, .(2)Private key, .(3)Public key, .(4) and . (5).(6).

The more the number of proxy signers, the more the memory requirements. The figures generated also confirm this point.

Also, we observe in the graphs that memory overhead is more in the case of than in the case of . It is because the number of variables increases with the number of threshold signers as well. For each threshold signer, the following variables have to be declared.(1)Partial proxy signatures, .(2)The Lagrange coefficient, .

The more the number of threshold proxy signers, the more the memory requirements as confirmed by the graphs generated.

6.3. Communication Overhead

The communication overhead includes two types of communication in the schemes:(1)number of transmissions;(2)number of broadcasts.

6.3.1. Comparison of the Schemes

Table 6 shows the communication overhead for each scheme for various phases. In Figure 6, we find that the communication overhead of all the schemes is the same.

6.3.2. Results

Figure 18 has been generated from Table 15, which can be referred to to find the number of transmissions and broadcasts to compute the communication overhead for all the schemes. Table 16 can be referred to to find the comparison between threshold proxy signature schemes based upon proxy requirements. As evident from Figure 18, the communication overhead of all the schemes is the same.

Figure 19 shows the overall communication architecture for the secure threshold proxy signature scheme based on RSA cryptosystem for known signers. It sends a message after logging in to the system. It also sends a message to the other client using the secure threshold proxy signature scheme based on the RSA cryptosystem for known signers. In this, the delegates can send the message to the n proxy signers with security. After sending the message, it logs out from the system. We have improved the results after improving the performance of four schemes: Hwang et al. [7], Kuo and Chen [9], Yong-Jun et al. [11], and Li et al. [10], with the performance of a scheme that has been proposed by the authors of this paper earlier. In this paper, we compared the various threshold proxy signature schemes based on how they violate proxy signature requirements. Table 16 summarizes the comparison of four threshold proxy signature schemes: Kim et al.’s scheme, Sun’s scheme, HLL scheme, and Wen et al.’s scheme. We also propose a new scheme which includes the features and benefits of the two schemes: Fengying et al. and Geng et al. The main advantages of our proposed scheme are as follows.(i)It achieved the property of nonrepudiation.(ii)Anyone cannot forge the legal proxy signature.(iii)The verifier can identify the actual proxy signer of its group.(iv)It also provides more refined result against its time complexity, space complexity, and communication overhead. (v)The proposed scheme is secure and efficient against notorious conspiracy attacks.

7. Conclusion

As the proxy signature is the solution to the delegation of signing capabilities in any electronic environment, in this paper, various threshold proxy signature schemes have been compared based on whether they fulfill the proxy signature requirements or not and proposed an enhanced secure threshold proxy signature scheme. Some of these schemes are based on an RSA cryptosystem for known signers, as the RSA cryptosystem is a popular security technique. In this, we also propose a new scheme which includes the features and benefits of the two schemes: Fengying et al. and Geng et al. The implementation of the encryption and decryption functions justifies the real-life applicability of the proposed scheme. In this, we have analyzed our enhanced threshold proxy signature scheme for various parameters. In essence, the results show that the enhanced threshold proxy signature scheme is an efficient one and it can provide great capabilities for various applications.

Acknowledgment

The authors wish to thank many anonymous referees for their suggestions to improve this paper.

References

R. L. Rivest, A. Shamir, and L. M. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the Association for Computing Machinery, vol. 21, no. 2, pp. 120–126, 1978.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469–472, 1985.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
Y. Desmedt and Y. Frankel, “Threshold cryptosystems,” in Proceedings of the Advances in Cryptology (Crypto'89), pp. 307–315, 1989.
View at: Google Scholar
K. Zhang, “Threshold Proxy Signature Schemes,” in Proceedings of the Information Security Workshop, pp. 191–197, 1997.
View at: Google Scholar
S. Kim, S. Park, and D. Won, “Proxy signatures, revisited,” in Proceedings of the 1st International Conference on Information and Communication Security (ICICS'97 ), vol. 1334 of Lecture Notes in Computer Science, pp. 223–232, 1997.
View at: Google Scholar | Zentralblatt MATH
H. M. Sun, N. Y. Lee, and T. Hwang, “Threshold proxy signatures,” IEE Proceedings: Computers and Digital Techniques, vol. 146, no. 5, pp. 259–263, 1999.
View at: Publisher Site | Google Scholar
M. S. Hwang, E. J. L. Lu, and I. C. Lin, “A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem,” IEEE Transactions on Knowledge and Data Engineering, vol. 15, no. 6, pp. 1552–1560, 2003.
View at: Publisher Site | Google Scholar
G. Wang, F. Bao, J. Zhou, and R. H. Deng, “Comments on ‘A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem’,” IEEE Transactions on Knowledge and Data Engineering, vol. 16, no. 10, pp. 1309–1311, 2004.
View at: Publisher Site | Google Scholar
W. C. Kuo and M. Y. Chen, “A modified (t, n) threshold proxy signature scheme based on the RSA cryptosystem,” in Proceedings of the 3rd International Conference on Information Technology and Applications (ICITA'05), vol. 2, pp. 576–579, July 2005.
View at: Google Scholar
F. Li, Q. Xue, and Z. Cao, “Crypanalysis of Kuo and Chen's threshold proxy signature scheme based on the RSA,” in Proceedings of the 4th International Conference on Information Technology-New Generations (ITNG'07), pp. 815–818, Las Vegas, Nev, USA, April 2007.
View at: Publisher Site | Google Scholar
G. Yong-Jun, T. Hui, and H. Fan, “A modified and practical threshold proxy signature scheme based on RSA,” in Proceedings of the 9th International Conference on Advanced Communication Technology (ICACT'07), pp. 1958–1960, Gangwon-Do, South Korea, February 2007.
View at: Publisher Site | Google Scholar
M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: delegation of the power to sign messages,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 79, no. 9, pp. 1338–1353, 1996.
View at: Google Scholar
H. M. Sun, “Efficient nonrepudiable threshold proxy signature scheme with known signers,” Computer Communications, vol. 22, no. 8, pp. 717–722, 1999.
View at: Publisher Site | Google Scholar
T. Okamoto, T. Mitsuru, and E. Okamoto, Extended Proxy Signature For Smart Cards, Lecture Notes in Computer Science, Springer, New York, NY, USA, 1999.
C. C. Lee, T. C. Lin, S. F. Tzeng, and M. S. Hwang, “Generalization of proxy signature based on factorization,” International Journal of Innovative Computing, Information and Control, vol. 7, no. 3, pp. 1039–1054, 2011.
View at: Google Scholar
S. F. Tzeng, C. C. Lee, and M. S. Hwang, “A batch verification for multiple proxy signature,” Parallel Processing Letters, vol. 21, no. 1, pp. 77–84, 2011.
View at: Publisher Site | Google Scholar
M. S. Hwang, S. F. Tzeng, and S. F. Chiou, “A non-repudiable multi-proxy multi-signature scheme,” Innovative Computing, Information and Control Express Letters, vol. 3, no. 3, pp. 259–264, 2009.
View at: Google Scholar
E. J. L. Lu, M. S. Hwang, and C. J. Huang, “A new proxy signature scheme with revocation,” Applied Mathematics and Computation, vol. 161, no. 3, pp. 799–806, 2005.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
C. Y. Yang, S. F. Tzeng, and M. S. Hwang, “On the efficiency of nonrepudiable threshold proxy signature scheme with known signers,” Journal of Systems and Software, vol. 73, no. 3, pp. 507–514, 2004.
View at: Publisher Site | Google Scholar
S. F. Tzeng, C. Y. Yang, and M. S. Hwang, “A nonrepudiable threshold multi-proxy multi-signature scheme with shared verification,” Future Generation Computer Systems, vol. 20, no. 5, pp. 887–893, 2004.
View at: Publisher Site | Google Scholar
S. F. Tzeng, M. S. Hwang, and C. Y. Yang, “An improvement of nonrepudiable threshold proxy signature scheme with known signers,” Computers and Security, vol. 23, no. 2, pp. 174–178, 2004.
View at: Publisher Site | Google Scholar
M. S. Hwang, S. F. Tzeng, and C. S. Tsai, “Generalization of proxy signature based on elliptic curves,” Computer Standards and Interfaces, vol. 26, no. 2, pp. 73–84, 2004.
View at: Publisher Site | Google Scholar
C. S. Tsai, S. F. Tzeng, and M. S. Hwang, “Improved non-repudiable threshold proxy signature scheme with known signers,” Informatica, vol. 14, no. 3, pp. 393–402, 2003.
View at: Google Scholar | Zentralblatt MATH
L. H. Li, S. F. Tzeng, and M. S. Hwang, “Generalization of proxy signature-based on discrete logarithms,” Computers and Security, vol. 22, no. 3, pp. 245–255, 2003.
View at: Publisher Site | Google Scholar
M. S. Hwang, C. C. Lee, and S. J. Hwang, “Cryptanalysis of the Hwang-Shi proxy signature scheme,” Fundamenta Informaticae, vol. 53, no. 2, pp. 131–134, 2002.
View at: Google Scholar | Zentralblatt MATH
M. S. Hwang, I. C. Lin, and E. J. L. Lu, “A secure nonrepudiable threshold proxy signature scheme with known signers,” Informatica, vol. 11, no. 2, pp. 137–144, 2000.
View at: Google Scholar | Zentralblatt MATH
R. Kumar and H. K. Verma, “Secure threshold proxy signature scheme based on RSA for known signers,” Journal of Information Assurance and Security, vol. 5, no. 4, pp. 319–326, 2010.
View at: Google Scholar
S. Katzenbeisser, Recent Advances in RSA Cryptography, Springer, New York, NY, USA, 2001.
M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures for delegating signing operation,” in Proceedings of the 3rd ACM Conference on Computer and Communications Security, pp. 48–56, March 1996.
View at: Google Scholar
N. Y. Lee, T. Hwang, C. H. Wang, and O. Zhang, “Nonrepudiable proxy signature schemes,” in Proceedings of the Australasian Conference on Information Security and Privacy (ACISP'8), pp. 415–422, 1998.
View at: Google Scholar
M. Agrawal, N. Kayal, and N. Saxena, “PRIMES is in P,” Annals of Mathematics, vol. 160, no. 2, pp. 781–793, 2004.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein, “Section 31.8: primality testing,” in Introduction to Algorithms, pp. 889–890, MIT Press, McGraw-Hill, Cambridge, Mass, USA, 2nd edition, 2001.
View at: Google Scholar
C. T. Li, Multimedia Foresics and Security, IGI Global, 1st edition, 2008.

Copyright

Copyright © 2013 Raman Kumar et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1287

Downloads

2379

Citations