#### Abstract

Proxy signature is a useful cryptographic primitive that has been widely used in many applications. It has attracted a lot of attention since it was introduced. There have been lots of works in constructing efficient and secure proxy signature schemes. In this paper, we identify a new attack that has been neglected by many existing proven secure proxy signature schemes. We demonstrate this attack by launching it against an identity-based proxy signature scheme which is proven secure. We then propose one method that can effectively prevent this attack. The weakness in some other proxy signature schemes can also be fixed by applying the same method.

#### 1. Introduction

Proxy signature is a special type of digital signature which allows one user (original signer) to delegate his/her signing right to another signer (proxy signer). The latter can then issue signatures on behalf of the former. The corresponding proxy signature can be verified by the public that it is indeed generated by the proxy signer with proper delegation from the original signer [1, 2]. Proxy signature has been found useful in many applications, such as distributed computing [3], electronic commerce [4], mobile agents [5], and grid computing [6]. It is worth noticing that proxy signature can also serve as a useful tool in Internet of things (IoT), since most of the RFID tags in IoT only have limited storage and computing ability. For those operations involving a large amount of computation, those tags can authorize the tag readers with strong computing ability to perform those operations with the help of a proxy signature scheme [7, 8].

The concept of proxy signature was introduced by Mambo, Usuda, and Okamoto in 1996 [9]. In their seminal work they presented three different types of proxy signature, namely, full delegation, partial delegation, and delegation by warrant. Shortly after Mambo et al.’s work, Kim et al. [10] proposed a new type of proxy signature combining partial delegation and warrant. They demonstrated that schemes combining partial delegation and warrant can provide a higher level of security than schemes based on partial delegation or warrant separately. Since then, proxy signature has been extensively researched in different settings, such as blind proxy signature [11], anonymous proxy signature [12], and identity-based proxy signature [13].

These delegation-by-warrant proxy signature schemes can be further classified into two categories according to whether the proxy signature is generated by the proxy signer using his own private key or not. In the first type, the proxy signer generates a new proxy signing key using the delegation information and his own private key. The proxy signatures are generated under the new proxy signing key. The proxy signature schemes in [5, 14–17] fall into the first type. In the second type, the proxy signer issues a proxy signature using his own private key. The proxy signatures are essentially combinations of the original signer’s signature on the warrant and the proxy signer’s signature on the message. Such proxy signature schemes could be found in [13, 18–21].

On the security modelling of proxy signature, Boldyreva et al. [22] proposed a comprehensive security model for the delegation-by-warrant proxy signature, where an original signer can also perform self-delegation. Malkin et al. [23] extended the security model to allow fully hierarchical proxy signatures. They also proved that proxy signatures are essentially equivalent to key-insulated signatures. The security model proposed in [22, 23] is in the registered key model, which means the adversary has to submit every public and private key pair in the security game except the challenge one. Later, Schuldt et al. [24] proposed an enhanced security model for proxy signature by allowing the adversary to query arbitrary proxy signing keys. Roughly speaking, a secure proxy signature scheme should satisfy the following requirements.

- (i) **Verifiability**: given a proxy signature, a verifier can be convinced that the proxy signature is indeed a valid signature generated by the proxy signer, with proper delegation from an original signer, on the signed message.
- (ii) **Identifiability**: given a proxy signature, a verifier is able to determine the identities of the corresponding original signer and proxy signer.
- (iii) **Unforgeability**: no one, except the designated proxy signer, can create a valid proxy signature.
- (iv) **Untenability**: a proxy signer cannot, at a later time, deny a proxy signature that he created before.
- (v) **Prevention of misuse**: in the first type of proxy signature schemes, it is required that the proxy signing key cannot be used for purposes other than creating proxy signatures. Once misused, the identity of the misbehaving proxy signer can be determined explicitly.

##### 1.1. Our Contribution

We revisit proxy signature and show an attack that has been neglected by the second type of proxy signature schemes [13, 18–21] that have been proven secure. In these schemes, a proxy signature is essentially the combination of the original signer’s standard signature on a warrant and the proxy signer’s standard signature on a message. In the security analysis, it is assumed that an adversary has access to the original signer and proxy signer’s standard signature oracles. We show that, under such a circumstance, some proxy signature schemes [13, 18–21] that have been previously proved secure are in fact not secure.

We demonstrate a new attack by launching it against an identity-based proxy signature scheme [13] that has been proven secure. We show that a malicious adversary can create a proxy signature on a message, if he has access to the standard signature of the original signer and proxy signer, which is as defined in the security models in [13, 18]. Thus, these proxy signature schemes [13, 18–21], which we believe is not a complete list, are in fact not secure. We propose an efficient solution by revising the identity-based proxy signature scheme [13] to thwart this attack. It is worth noticing that the same method can also be applied to [18–21] to resist this attack.

We have noticed that there have been several works [5, 22] aiming to transform normal proxy signature schemes into strong ones. The authors in [22] suggested adding two different prepositive tags, “00” and “11”, to distinguish the signatures generated by the original signer and the proxy signer. However, this simple solution cannot prevent the attack proposed in this paper under the original security model in [13], where the adversaries are able to query any message of their choice. To stop the proxy signer from misusing the proxy signing key, the authors in [5] classified existing proxy signature schemes into strong and weak ones and proposed one method to transform weak proxy signature schemes into strong ones. However, as has been mentioned above, their method is only applicable when a proxy signature is generated from a proxy signing key which is created by the proxy signer using the delegation information and his own private key. Therefore, the method proposed in [5] is not suitable for the scenarios discussed in this paper.

*Paper Organization*. The rest of the paper is organized as follows. We introduce some preliminaries in Section 2. Then we present a new attack in some proxy signature schemes in Section 3 by attacking an identity-based proxy signature scheme. The security model for proxy signature that captures the attack is presented in Section 4. We then revise the identity-based proxy signature scheme in Section 5. The security proof and efficiency analysis are presented in Section 6 and the paper is concluded in Section 7.

#### 2. Preliminaries

In this section, we introduce some preliminaries used throughout this paper.

##### 2.1. Bilinear Map

Let , be two cyclic groups of prime order and a generator of . The map is said to be an admissible bilinear map if the following conditions hold:

- (i) Bilinearity: for all and .
- (ii) Nondegeneracy: there exists such that .
- (iii) Computability: there is an efficient algorithm to compute for all .

##### 2.2. Complexity Assumption

*Definition 1 (computational Diffie-Hellman (CDH) problem).* Given for some random , compute . Define the success probability of a polynomial-time algorithm in solving the CDH problem as , where is the security parameter. The CDH assumption states that, for any polynomial-time adversary , is negligible in .

#### 3. A New Attack in Some Proxy Signature Schemes

In this section, we present an attack that has been neglected by many existing proxy signature schemes [13, 18–21]. To better explain how an attacker works, we demonstrate this attack via a concrete example. Before we start to introduce the attack, we first review an identity-based proxy signature scheme proposed in [13].

##### 3.1. An Identity-Based Proxy Signature Scheme

1. **Setup**: let be a bilinear pairing map, where and are of prime order . Let be a generator of . Choose a random number and set . Select three collision-resistant hash functions such that . The system parameters are , and the master secret key is .
2. **KeyExtract**: on input a user’s identity , output the secret key for this identity .
3. **StandardSign**: on input a message , the standard signature on under identity is such that and , where .
4. **StandardVer**: on input a standard signature of message under identity , output “1” if ; otherwise, output “0”.
5. **DelegationGen**: let be a warrant that includes the delegation information, such as the identities of the original signer and the designated proxy signer, the delegation period, the types of messages that the proxy signer may sign, and so on. The original signer with identity then generates the delegation information such that and , where . The original signer sends the delegation signing key to the proxy signer.
6. **ProSign**: upon receiving the delegation information and from the original signer, the proxy signer with identity generates a proxy signature on a message such that , , .
7. **ProVer**: on input the identities of the original signer and proxy signer, a warrant , a message , and the proxy signature , output “1” if . Otherwise, output “0”.

##### 3.2. An Attack against the ID-Based Proxy Signature Scheme

Wu et al.’s identity-based proxy signature scheme [13] is proven secure. However, we show below that if the original signer and proxy signer also use their private keys to generate standard signatures, which is just as defined in their security models, then their scheme can be broken by a malicious outsider attacker. Assume the identities of the original signer and proxy signer are , respectively. In the security model in [13], three types of adversaries are defined, namely:

- (i) , an outsider adversary that has knowledge of ;
- (ii) , a malicious proxy signer that has knowledge of ;
- (iii) , a malicious original signer that has knowledge of .

The original signer and proxy signer could use the same key pairs to generate normal signatures using the standard signature scheme introduced in [13]. Suppose aims to generate a proxy signature on a message with a warrant ; it is worth noticing that might obtain such a genuine warrant when verifying a valid proxy signature. Then acts as follows:

- (i) requests a standard signature on warrant from the original signer with identity , where is a warrant containing the delegation information. The original signer chooses a random and generates the standard signature such that and .
- (ii) Upon receiving the standard signature on from the original signer, aborts if .
- (iii) requests a standard signature on message from the proxy signer with identity , where is a message. The proxy signer chooses a random and generates the standard signature such that and .
- (iv) Upon receiving the standard signature on from the proxy signer, aborts if .
- (v) If both and are valid, outputs a proxy signature on message with warrant such that , and .

It can be verified that is a valid proxy signature. Thus, the proposed identity-based proxy signature scheme is insecure, since a given proxy signature might come from a malicious adversary. The proposed attack is practical, since a malicious adversary could launch it without either the original signer or the proxy signer noticing. Besides the scheme discussed in this paper, we have found that the proxy signature schemes in [18–21] are also subject to this attack.

#### 4. Security Model for Proxy Signature

##### 4.1. Malicious Attackers

We revise the security model for identity-based proxy signature defined in [13] to capture the new attack in this section. In the security model for proxy signature, the capability of an adversary is modelled by its ability to query different oracles. Before we formally define each adversarial game, we first introduce four types of oracle queries that will appear in the models:

- (i) **Key extract query**: can query an identity , where represents the identity space, to the key extract oracle . The corresponding key is then generated and returned to .
- (ii) **Original signer’s standard signing query**: can query the original signer’s signing oracle with any warrant under the original signer’s identity , where represents the warrant space. The private key on identity is generated using the key extraction algorithm. The corresponding original signer’s signature on warrant is generated and returned to .
- (iii) **Proxy signing query**: can query the proxy signing oracle with any message and warrant of his choice under the original signer’s identity and the proxy signer’s identity such that , where represents the message space. The private keys and on identities , are generated using the key extraction algorithm. A valid proxy signature on is then generated and returned to .
- (iv) **Proxy signer’s signing query**: can query the proxy signer’s standard signing oracle with any message of his choice. A valid standard signature of the proxy signer on under the proxy signer’s identity is then generated and returned to .

According to the information held by an attacker, three different types of adversaries are defined:

1. : an outsider attacker who only has the identities of the original signer and the proxy signer, and aims to forge a valid proxy signature.
2. : a malicious proxy signer who possesses the private key of the proxy signer and the identity of the original signer, and tries to forge a valid proxy signature without knowledge of the private key of the original signer.
3. : a malicious original signer who possesses the private key of the original signer and the identity of the proxy signer, and tries to forge a valid proxy signature without knowing the private key of the proxy signer.

##### 4.2. Adversarial Game with a Malicious Outsider Adversary

We first define the adversarial game between a malicious outsider adversary and a simulator as follows:

- (i) **Setup**: the simulator runs algorithm to generate and , sends to , and keeps secret.
- (ii) **Original signer’s standard signing queries**: can choose any warrant with the original signer’s identity and query the original signer’s standard signing oracle . generates the private key using the key extract algorithm ; then generates the delegation information and sends to .
- (iii) **Proxy signer’s standard signature queries**: queries the proxy signer’s standard signing oracle with a message of his choice under the proxy signer’s identity . generates the private key using the key extract algorithm ; then generates the standard signature and sends to .
- (iv) **Forgery phase**: finally, outputs a proxy signature on message for a warrant with the original signer’s identity and the proxy signer’s identity .

We say wins the game if

- (i) **ProVer**;
- (ii) has been queried to the original signer’s standard signing oracle ;
- (iii) has been queried to the proxy signer’s standard signing oracle .

Define the advantage of a malicious adversary in winning the game as

*Definition 2.* We say an identity-based proxy signature scheme is secure against an outsider adversary if, for any probabilistic polynomial time , is negligible in .

##### 4.3. Adversarial Game with a Malicious Proxy Signer

We first define the adversarial game between a malicious proxy signer and a simulator as follows:

- (i) **Setup**: the simulator runs algorithm to generate and , sends to , and keeps secret.
- (ii) **Key extract queries**: selects an identity such that ; the simulator runs and returns to .
- (iii) **Original signer’s standard signing queries**: can choose any warrant with an identity and query the original signer’s standard signing oracle . generates the private key using the key extract algorithm ; then generates the original signer’s standard signature and sends to .
- (iv) **Proxy signing queries**: chooses a warrant and a message and queries the proxy signing oracle with the original signer’s identity and the proxy signer’s identity . generates and returns to .
- (v) **Forgery phase**: finally, outputs a proxy signature on message for a warrant with the original signer’s identity and the proxy signer’s identity .

We say wins the game if

- (i) **ProVer**;
- (ii) has not been queried to the key extraction oracle ;
- (iii) has not been queried to the delegation oracle ;
- (iv) has not been queried to the proxy signing oracle .

Define the advantage of a malicious adversary in winning the game as

*Definition 3.* We say an identity-based proxy signature scheme is secure against the under chosen identity and warrant attacks if, for any probabilistic polynomial time , is negligible in .

##### 4.4. Adversarial Game with Malicious Original Signer

The adversarial game between a malicious original signer and a simulator is defined as follows:

- (i) **Setup**, **Key extract queries**, and **Proxy signing queries** are the same as those in the adversarial game against a malicious proxy signer.
- (ii) **Proxy signer’s standard signature queries**: queries the proxy signer’s standard signing oracle with a message of his choice under an identity . generates the private key using the key extract algorithm ; then generates the standard signature and sends to .
- (iii) **Forgery phase**: finally, outputs a proxy signature on message for a warrant with the original signer’s identity and the proxy signer’s identity .

We say wins the game if

- (i) **ProVer**;
- (ii) has not been queried to the key extraction oracle ;
- (iii) has not been queried to the proxy signer’s standard signing oracle ;
- (iv) has not been queried to the proxy signing oracle .

Define the advantage of a malicious adversary in winning the game as

*Definition 4.* We say an identity-based proxy signature scheme is secure against the under chosen identity and message attacks if, for any probabilistic polynomial time , is negligible in .

#### 5. The Revised Identity-Based Proxy Signature Scheme

We present the revised ID-based proxy signature scheme that efficiently thwarts the proposed attack in this section.

1. **Setup**: let be a bilinear pairing map, where and are of prime order . Let be a generator of . Choose a random number and set . Select three collision-resistant hash functions such that . The system parameters are , and the master secret key is .
2. **KeyExtract**: on input a user’s identity , output the secret key for this identity .
3. **StandardSign**: on input a message , the standard signature on under identity is such that and , where .
4. **StandardVer**: on input a standard signature of message under identity , output “1” if ; otherwise, output “0”.
5. **DelegationGen**: let be a warrant that includes the delegation information, such as the identities of the original signer and the designated proxy signer, the delegation period, the types of messages that the proxy signer may sign, and so on. The original signer with identity then generates the delegation information such that and , where . The original signer sends the delegation information to the proxy signer.
6. **ProSign**: upon receiving the delegation information and from the original signer, the proxy signer with identity generates a proxy signature on a message such that , , .
7. **ProVer**: on input the identities of the original signer and proxy signer, a warrant , a message , and the proxy signature , output “1” if . Otherwise, output “0”.
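To make the structural point of Sections 3.2 and 5 concrete, here is an added Python model (not code from the paper) in which a standard signature is a toy Schnorr signature over a tiny group, standing in for the pairing-based scheme whose formulas did not survive extraction. The "naive" verifier accepts any pair consisting of a standard signature on the warrant and a standard signature on the message, which is exactly the situation of Section 3.2; the "revised" verifier reflects the assumed fix, in which the delegation and proxy components hash under their own domain tags and the proxy component binds the warrant to the message, so it rejects such a pair. The group parameters, domain tags, and the warrant and message strings are constructed for illustration only.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, not secure): p = 2q + 1 with p = 1019, q = 509;
# g = 4 is a quadratic residue, so it generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def keygen():
    """Return (private x, public y = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def hash_to_zq(*parts: bytes) -> int:
    """Length-prefixed hash of the parts, reduced into Z_q (stands in for H2 / H3)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def sign(x: int, tag: bytes, payload: bytes):
    """Schnorr signature (R, s) on payload, with the hash bound to domain `tag`."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    c = hash_to_zq(tag, r.to_bytes(2, "big"), payload)
    return r, (k + c * x) % Q


def verify(y: int, tag: bytes, payload: bytes, sig) -> bool:
    r, s = sig
    c = hash_to_zq(tag, r.to_bytes(2, "big"), payload)
    return pow(G, s, P) == (r * pow(y, c, P)) % P


STD = b"standard"  # the single domain used by StandardSign / StandardVer


def standard_sign(x, msg):
    return sign(x, STD, msg)


# Scheme as structured in Section 3.1: the proxy signature is the original signer's
# standard signature on w placed next to the proxy signer's standard signature on m.
def naive_prosign(x_o, x_p, w, m):
    return standard_sign(x_o, w), standard_sign(x_p, m)


def naive_prover(y_o, y_p, w, m, psig):
    d, s = psig
    return verify(y_o, STD, w, d) and verify(y_p, STD, m, s)


# Assumed fix in the spirit of Section 5: delegation and proxy components hash under
# their own tags, and the proxy component binds the warrant to the message, so no
# output of a StandardSign oracle can ever fill either slot.
DELEG, PROXY = b"delegation", b"proxy"


def revised_delegate(x_o, w):
    return sign(x_o, DELEG, w)


def revised_prosign(x_p, w, deleg, m):
    return deleg, sign(x_p, PROXY, w + b"|" + m)


def revised_prover(y_o, y_p, w, m, psig):
    d, s = psig
    return verify(y_o, DELEG, w, d) and verify(y_p, PROXY, w + b"|" + m, s)


def assemble_from_standard_sigs(orig_oracle, proxy_oracle, w, m):
    """What the outsider of Section 3.2 holds: one output of each standard-signing oracle."""
    return orig_oracle(w), proxy_oracle(m)


def run_demo():
    x_o, y_o = keygen()
    x_p, y_p = keygen()
    w = b"constructed warrant: ID_o delegates to ID_p, messages of type T, until 2030"
    m = b"constructed message of type T"
    assembled = assemble_from_standard_sigs(
        lambda msg: standard_sign(x_o, msg), lambda msg: standard_sign(x_p, msg), w, m)
    honest_revised = revised_prosign(x_p, w, revised_delegate(x_o, w), m)
    return {
        "naive_accepts_honest": naive_prover(y_o, y_p, w, m, naive_prosign(x_o, x_p, w, m)),
        "naive_accepts_assembled": naive_prover(y_o, y_p, w, m, assembled),
        "revised_accepts_honest": revised_prover(y_o, y_p, w, m, honest_revised),
        "revised_rejects_assembled": not revised_prover(y_o, y_p, w, m, assembled),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```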

#### 6. Security Analysis

In this section, we analyse the security of the revised ID-based proxy signature scheme against , , and adversaries.

Theorem 5. *The revised ID-based proxy signature scheme is secure against an outsider adversary if the CDH assumption holds.*

*Proof.* The proof is by contradiction in the random oracle model. Suppose there exists an outsider adversary that has a nonnegligible advantage in attacking the proposed scheme; then we can build another algorithm that uses to solve the CDH problem. Let be a bilinear pairing group of prime order ; is given , which is a random instance of the CDH problem. Its goal is to compute . Algorithm simulates the challenger and interacts with the forger as described below.

1. **Setup**: selects a bilinear map where and are of prime order . chooses a generator of . Let be the inputs of the CDH problem. sets the master public key , where . selects three collision-resistant hash functions . sends to .
2. **Hash queries**: in the security proof, the hash functions are modelled as random oracles. We regard the identity, warrant, and message queries as , , and queries, respectively. Assume keeps hash tables , , and for these queries.
   - (a) **Query**: for each query on identity , if already exists in , the same value is returned to . Otherwise, chooses a random and sets . sends to and stores in .
   - (b) **Query**: assume makes warrant queries; selects a random number . For each query on warrant such that , if already exists in , the same value is returned to . Otherwise:
     - (i) if , chooses a random and sets . sends to and stores in ;
     - (ii) if , sets . sends to .
   - (c) **Query**: for each query on message accompanied by a warrant , if already exists in , the same value is returned to . Otherwise, chooses a random and sets . sends to and stores in .
3. **Original signer’s standard signing queries**: can query the original signer’s standard signature on a warrant . Assume makes queries with the original signer’s identity . For each query on , assume and already exist in and ; if not, performs the above algorithms to assign values for and . Assume ; simulates as follows:
   - (i) If , assume ; then chooses randomly and sets such that and .
   - (ii) If , then chooses randomly and sets such that and .
4. **Proxy signer’s standard signing queries**: assume makes standard signature queries under the proxy signer’s identity . For each query on , assume and already exist in and ; if not, performs the above algorithms to assign values for and . Assume ; chooses a number and simulates as follows:
   - (i) If , assume ; then chooses randomly and sets such that and .
   - (ii) If , assume ; then sets such that and .
5. **Forgery**: assume outputs a valid proxy signature on message under a warrant with the original signer’s identity and the proxy signer’s identity . Besides,
   - (i) has been queried in the original signer’s standard signing queries;
   - (ii) has been queried in the proxy signer’s standard signing queries.

   If or , aborts. Otherwise, given the forged proxy signature , can solve the CDH problem. does not abort when and . Thus, if there exists an outsider adversary that has a nonnegligible probability of breaking the proposed identity-based proxy signature scheme, then there exists another probabilistic polynomial time algorithm that has a probability which is nonnegligible. Thus, we reach a contradiction.

Theorem 6. *The revised ID-based proxy signature scheme is secure against the chosen identity and chosen warrant attacks if the CDH assumption holds.*

*Proof.* Let us recall the definition of ; is a malicious proxy signer possessing the private key of the proxy signer. With this in mind, the simulation is as follows:

1. **Setup**: selects a bilinear map , where and are of prime order . chooses a generator of . Let be the inputs of the CDH problem. sets the master public key . selects three collision-resistant hash functions . sends to .
2. **Hash queries**: regard the identity, warrant, and message queries as , , and queries, respectively. keeps hash tables , , and for these queries.
   - (a) **Query**: assume makes identity queries and choose . For each query on identity such that , if already exists in , the same value is returned to . Otherwise:
     - (i) if , chooses a random and sets . sends to and stores in ;
     - (ii) if , sets , where , and returns to . adds to .
   - (b) **Query**: assume makes warrant queries; selects a random number . For each query on warrant such that , if already exists in , the same value is returned to . Otherwise:
     - (i) if , which means is included in and the user with identity plays the role of original signer in the system, chooses a random and sets . sends to and stores in ;
     - (ii) if , which means is included in and the user with identity plays the role of proxy signer in the system, chooses a random and sets . sends to and stores in ;
     - (iii) if , chooses a random and sets . sends to and stores in .
   - (c) **Query**: assume makes message queries; selects a random number . For each query on message accompanied by a warrant such that , if already exists in , the same value is returned to . Otherwise:
     - (i) if , chooses a random and sets . sends to and stores in ;
     - (ii) if , the same as the case when ;
     - (iii) if , the same as the case when ;
     - (iv) if , chooses a random and sets . sends to and stores in .
3. **Key extraction queries**: can make key extraction queries on any identity such that . If makes a key extraction query on identity , just terminates the simulation and reports a failure. Assume makes key extraction queries; for each query on identity for :
   - (i) if already exists in table , assume ; then returns to ;
   - (ii) otherwise, chooses a random and sets . returns to and adds to .
4. **Original signer’s standard signing queries**: can query the original signer’s standard signature on a warrant under an identity . Assume makes original signer’s standard signing queries. For each query, assume and have been submitted to the and queries, respectively. If not, performs the above algorithms to set values for and ; then simulates as follows:
   - (i) If and , assume and , respectively; then chooses a random and returns the original signer’s standard signature such that and and to .
   - (ii) If and , assume and , respectively; then chooses a random and returns the original signer’s standard signature such that and to .
   - (iii) If and , assume and , respectively; then simulates the original signer’s standard signature by setting , where and . It can be verified that is a correct simulation since
   - (iv) If and , since we do not consider self-delegation in our scheme, just terminates the simulation and reports failure.
   - (v) If and , terminates the simulation and reports failure.
5. **Proxy signing queries**: can query a proxy signature on a message under a warrant with the proxy signer’s identity and the original signer’s identity such that . Assume have been submitted to the query and and have been submitted to the and queries, respectively. If not, the above algorithms are performed to assign new values , , , and . Assume makes proxy signing queries. For each query on a message with warrant such that , simulates the corresponding proxy signature as follows:
   - (a) If , assume , ; then chooses two random numbers and returns the proxy signature such that , and to . It is a correct simulation since
   - (b) If , , assume , ; then
     - (i) if or , terminates the simulation and reports failure;
     - (ii) if and , assume and ; simulates the proxy signature by setting , and , where . It can be verified that it is a correct simulation since
     - (iii) if or , performs the same as in case (ii);
     - (iv) if and , terminates the simulation and reports failure.
   - (c) If , , assume , ; then
     - (i) if and , assume and . chooses and simulates the proxy signature by setting , and . It is a correct simulation since