A New Multi-Proxy Signature Scheme for Partial Delegation with Warrant Sunder Lal1 and Amit K Awasthi Department of Mathematics, IBS, Khandari, Agra – 282002(UP) – INDIA Department of Applied Science, Hindustan College of Science & Technology, Farah, Mathura – 281122 (UP) - INDIA, E-mail:
[email protected]
Abstract
In some cases, the original signer may delegate its signing power to a specified proxy group while ensuring individual accountability of each participant signer. The proxy signature scheme that achieves such purpose is called the multi-proxy signature scheme and the signature generated by the specified proxy group is called multiproxy signature for the original signer. Recently such scheme has been discussed by Lin et al. Lin’s scheme is based on partial delegation by Mambo et al. In present paper we introduce a new multi-proxy signature scheme, which requires less computational overhead in comparison to Lin et al, and also fulfill the requirement of partial delegation with warrant simultaneously.
1. Introduction Mambo et al introduced a proxy signature scheme in which an original signer delegates his signing power to another signer called the proxy signer. They also proposed three proxy signature schemes for partial delegation based on ElGamal’s, Okamoto’s and Schnorr’s scheme. Since then several proxy-signature schemes have been developed [6, 7, 9, 10, 12-19]. One well-known variation of the proxy signature scheme by Kim et al includes a warrant in the proxy signature. The warrant is a message, which includes information of the messages types that are delegated and proxy signer’s identity that prevent the transfer of proxy power to another party. Another variation, viz, threshold proxy signature scheme was proposed in [7] in which original signer delegates its signing power to a set of n proxy signers in such a way that any t out of these n proxy signers may produce a valid proxy signature. In some cases, the original signer may delegate its signing power to the specified proxy group while ensuring individual accountability of each participant signer. The proxy signature scheme that achieves such purpose is called the multi-proxy signature scheme and the signature generated by the specified proxy group is called multi-proxy signature for the original signer. Recently such scheme has discussed by Lin et al. In the present paper we introduce a new multi-proxy signature scheme, which requires less computational overhead in comparison to Lin et al, and also fulfills the requirement of partial delegation with warrant simultaneously. Our scheme is based on Kim et al’s scheme. For ordinary signing operation we use Schnorr’s scheme. The rest of the paper is summarized thus: In section 2, we give review of literature. In section 3 Kim’s scheme is discussed. Section 4 contains the proposed scheme. Section 5 contains proofs for correct ness of the scheme and in section 6 we discuss performance. Finally, Section 7 concludes the discussion. 2. Review of Literature Mambo et al. [13-14] developed a systematic approach to proxy or delegated signatures. Neuman [15] introduced the scheme for delegation by warrant, which was further extended by Kim et al [7] to partial delegation by warrant. Till now we have the following types of delegations in literature Full delegation − This happens when the original signer Alice gives its private key ‘xAlice’ to the proxy signer Bob. In this case a proxy signature by Bob is indistinguishable from the original signature of Alice. 1
Research partially supported by UGC grant No. 8–9/98(SR-I)
Partial delegation − This happens when the original signer ‘Alice’ computes a proxy key ‘σ ’ from her private key ‘xAlice’ and gives it to the proxy signer in a secure way. In this case the proxy signature by Bob is distinguishable from the original signature created by Alice. Delegation by warrant − Warrant is a certificate composed of a message part that the proxy signer is authorized to sign and a public key which ensures the involvement of original signer. Partial delegation with warrant − This delegation of proxy key is computed by original signer Alice’s private key ‘xAlice’ and warrant message issued to her. The proxy signature scheme of Kim et al.[7] included a warrant in their proxy signature key. Yi et al, in 2000, proposed proxy multisignature scheme which allows a group of original signers to delegate it’s signing power to a single proxy signer. Proxy signer can sign any message on behalf of whole group. Further, Hwang et al, in 2001, introduced a new proxy multi-signature scheme. On the other hand Lee et al’s scheme states a multi proxy signature scheme which fulfills similar criteria discussed as before. This scheme also allows a group of original signers to delegate its signing capability to a single proxy signer. We feel the nomenclature used by Lee et al is not proper. To remove this ambiguity we define these terms: multi proxy signature and proxy multi signature as follows: Definition 1: An original signer delegates its signing power to the specified proxy group while ensuring individual accountability of each participant signer. The proxy signature that is generated by such a specified proxy group, we call, multi proxy signature. Definition 2: A specified original signers group delegate the group’s signing power to a single proxy signer. The proxy signature that is generated by such a proxy signer, we call, proxy multi- signature.
3. Kim’s scheme for Partial Delegation [7] Before introducing our proposed scheme it is necessary to introduce Kim et al’s scheme [7]. Here p denotes a large prime with 2511 < p < 2512 and g denotes a generator for Zp*. Each user x
selects a secret key xu ∈ Zq and computes a public key yu = g u mod p. Basic protocol consists of the following: (Proxy key generation phase) 1. (Proxy generation) – Original signer Alice chooses a random number k ∈ Zq, k ≠ 1 and computes K = gk mod p , e = h(mw , K) and σ = e xAlice + k mod q Here mw is warrant message having the information about delegation and h is publicly known hash function. 2. (Proxy delivery) – Alice gives (mw,σ , K) to a proxy signer, Bob, in a secure way. 3. (Proxy verification) − Bob checks, that e = h(mw, K), and gσ = y eAlice K mod p He accepts σ as proxy secret key if above congruence holds. (Signing by the proxy signer) To sign a message M, Bob uses ‘σ’ as proxy key and executes the ordinary signing operation. Then the proxy signature on M is (m, mw , Signσ (M), K). where Signσ (M) refers to signing a message M with private key σ . (Verification of the proxy signatures) The verification is similar to verification in the original signature scheme except for extra computation and y′ = yeAlice .K mod p. e = h(mw, K) The value y′ is dealt with as new public key, which shows the involvement of Alice.
4. Proposed Scheme 4.1.1. System setup- Choose two large primes p and q such that q| p – 1, a generator g∈ Z*p with order q. All parameters are made public. h(.) is a one way hash function. The original signer O has its private key as xo ∈ Zq and public key yo where yo = gxo mod p. If {P1, P2, …, Pn} is the set of delegated signers. Then each Pi has its private key xi and public key yi where yi = gxi mod p. 4.1.2. Proxy generation phase- Original signer selects n random numbers ki ∈ Zq (for i = 1, 2, …, n) and computes a commitment ri = g ki mod p for each i. Now he computes r = ∏ ri (mod p) and e = h (mw, r), where the information on delegation is included in i
4.1.3. 4.1.4. 4.1.5.
4.1.6.
4.1.7.
a warrant mw. After that the original signer computes σi = xo e + ki mod q and makes Y = g σi mod p [= yone r mod p] public, which is dealt with as the new proxy public key of the original signer. Proxy delivery- Original signer gives (mw,σi, ri, r) to a proxy signer Pi , in a secure way. Proxy verification- Each proxy Pi confirms e = h (mw, r) and gσi = yoe ri mod p. Multi-signature by the proxy group- Let m be the message to be signed. Each signer uses σi as secret signing key and executes signing operation. Each proxy randomly chooses αi ∈ Zq and computes Ri = gαi mod p and publishes Ri. Then each of them computes R = Π Ri and e′ = h (m, R). After that each proxy signer computes si = σi + αi e′ mod q and sends it as his partial signature (si, Ri, m) to the combiner. Multi-signature generation- The combiner computes R = Π Ri and checks that e′ = h (m, R) gsi = yi Ri e′ mod p where yi′ = yoe ri mod p. The value yi′ is dealt with as the new public value explicitly showing involvement of original signer. After confirming all equations the confirmer combines all si, S = si and produces a multi-signature (m, mw, S, R) Verification of the multi-signature- The verifier computes e′ = h(m, R) and checks gS = Y Re′ mod p where Y is dealt with as a new public value representing involvement of original signer and is [yone r].
5. Correctness of the scheme Theorem 1: Proxy key σi and commitment ri is verified if gσi = yoe ri (mod p) holds, where e = h(mw, r). gσi = gxo e+ki = yoe ri (mod p) Theorem 2:
The individual proxy signature (Si, Ri, m, R) on message m, is verified if gSi = yi′ Ri e′ (mod p) holds. gSi
= gσi + αie′ = gσi gαie′ = (yoe ri ) Rie′ = yi′ Rie′ (mod p)
Theorem 3:
The proxy multisignature (m, mw, S, R) is verified if gS = Y Re′ (mod p) holds. = g Si = g σi + αie′ gS = Π (gσi) Π (gαi)e′ = Π (yoe ri ) Π(Ri)e′
= (yone r ) Re′ = Y Re′ 6. Performance Let E, M and I respectively denote the computational load for exponentiation, multiplication and inversion. Then following table 1 shows the computational load of Lin et al’s while table 2 is about our scheme. Computational Load
Phases Proxy generation with verification Multi proxy signature generation (including proxy verification) Multi-signature verification
(n+4)E+(2n+4)M+2I (5n+2)E + (4n +4)M + 2H 3E + 3M + H
Table 1: Lin et al’s scheme
Computational Load
Phases Proxy generation with verification Multi proxy signature generation (including proxy verification) Multi-signature verification
(n+3)E+(2n)M+H (2n+2)E + (n2 +2n)M + (n+1)H 2E + M + H
Table 2: Our proposed scheme
Each phase in our scheme has less computational load than Lin et al’s scheme. In our scheme computational load in verification phase is 2E + M + H, whereas in Lin et al’s scheme it is 3E + 3M +H. In some applications digital information is signed once but verified more than once. In such situation the efficiency of our scheme increases with the number of times verification is done. Security of scheme is inherited from original scheme used. Further the total computation cost in our scheme is less than other existing schemes (Comparison is based on [12]). Thus, our scheme has computational advantage over other schemes. 7. Conclusion In present paper we introduced a new multi-proxy signature scheme, which requires less computational overhead in comparison to Lin et al, and also fulfill the requirement of partial delegation with warrant simultaneously. Our scheme is based on Kim et al’s scheme. We also remarked about the ambiguity in nomenclature of multi proxy signature and proxy multi signature. We redefine these both signatures on the basis of existing literature.
References 1. 2.
3.
Boyd, C.: “ Digital Multi-signatures”, in H. Baker & F. Piper, editors, Cryptography and Coding, pages 241-246, Clare don Press, 1986. Desmedt Y. and Frankel Y.: “Threshold Cryptosystems”, in G. Brassard, editor, Proc., CRYPTO’89, LNCS 435, Springer – Verlag, 1990.ardjono, T. and Zheng, Y. [1992]: “ A Practical Digital Multisignature scheme based on discrete logarithms”. Advances in Cryptology. Auscrypto92 Newyork: Springer- Verlag 16-21. Desmedt Y.[1988] : “Society and Group oriented Cryptography : A New Concept”, in Carl Pomerance, editor, proc. CRYPTO’87, LNCS 293, Springer Verlag.
4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14.
Harn, L. and Kiesler, T. [1989]: “ New Scheme for digital Multisignature” Electronic Letters, Vol 25, No.15, 1989, pp 1002-1003. Harn, L.: “Group oriented (t, n) Digital Signature Scheme and Digital Multisignature”. IEE proceeding Comp. Digit. Tech. 141(5), Sept 1994. Hwang S J, Chen C C, “A new proxy multisignature scheme”, International workshop on cryptology and network security, Tamkang University Taipei, Taiwan, 2001, pp 26 – 28 Kim S, Park S, Won D, [1997] “Proxy Signatures, Revisited,” ICICS’97, LNCS – 1334, Springer– Verlag, pp 223 – 232 Langford S.[1996] : “Threshold DSS Signature without a Trusted Party”, Proc. CRYPTO’95, LNCS 963, Springer – verlag. Lee B, Kim H, Kim K, “ Strong proxy signatures and its applications”, Proc of SCIS 2001, pp 603 – 608 Lee W B, Chang C Y, [2000]“Efficient Proxy – Protected Proxy Signature Scheme based on Discrete Logarithm,” Proceedings of 10th Conference on Information Security, Hualien, Taiwan, ROC, pp 4 – 7 Lin C Y, Wu T C, Hwang J J, “Multi proxy signature scheme for partial delegation with cheater identification”, Institute of Information Management, NCTU. Li C., Hwang T. and Lee N [1995]: “ (t, n) threshold signature scheme based on discrete logarithms “ Proc. EUROCRYPT’94 Springer verlag. Mambo M, Usuda K, Okamoto E, [1996] “Proxy Signature: Delegation of the Power to Sign Messages,” IEICE Trans. Fundamentals, E79 – A: 9 1338 – 1353 Mambo M, Usuda K, Okamoto E, [1996] “Proxy Signatures for Delegating Signing Operation,” 3rd ACM Conference on Computer and Communication Security, pp 48 – 57.
15. Neuman B C, [1993] “Proxy-based authorization and accounting for distributed systems,”
Proc. 13th International conference on Distributed Computing systems, pp 283 – 291.
16. Shum K, Wei V K, [2002] “ A Strong Proxy Signature Scheme with Proxy Signer Privacy Protection.” Proceedings of the eleventh IEEE International Workshops on Enabling Tech 17. Sun H M, “On proxy (multi) signature schemes”, International Computer Symposium, Chiayi, Taiwan, ROC, 2000, pp 65 – 72 18. Sun H M, Hsieh B T, “On the security of proxy signature schemes”, www.eprint.iacr.org, 2003. 19. Yi L, Bai G, Xiao G, “Proxy multisignature scheme: A new type of proxy signature scheme”, Electronic letters, Vol. 36, No. 6, 2000, pp 527 – 528
