INTERNATIONAL JOURNAL OF COMMUNICATION SYSTEMS Int. J. Commun. Syst. 2015; 28:497–512 Published online 9 October 2013 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/dac.2683
Provable secure identity-based multi-proxy signature scheme
Rajeev Anand Sahu and Sahadeo Padhye*,†
Department of Mathematics, Motilal Nehru National Institute of Technology, Allahabad-211004, India
SUMMARY
Multi-proxy signature is one of the useful primitives of the proxy signature. Till now, only a few identity-based multi-proxy signature (IBMPS) schemes have been proposed using bilinear pairings, but most of them are insecure or lack a formal security proof. Because of the important applications of IBMPS schemes in distributed systems, grid computing, and so on, the construction of an efficient and provably secure IBMPS scheme is desired. In 2005, Li & Chen proposed an IBMPS scheme from bilinear pairings, but their paper lacks a formal model and proof of security. Further, in 2009, Cao & Cao presented an IBMPS scheme with the first formal security model for it. Unfortunately, their scheme is not secure against the attack of Xiong et al. In this paper, we first present an IBMPS scheme, then formalize a security model for IBMPS schemes and prove that the presented scheme is existentially unforgeable against adaptive chosen message and identity attack in the random oracle model under the computational Diffie–Hellman assumption. Also, our scheme is not vulnerable to the attack of Xiong et al. The presented scheme is more efficient in terms of computation and operation time than the existing IBMPS schemes. Copyright © 2013 John Wiley & Sons, Ltd.
Received 8 May 2013; Revised 30 July 2013; Accepted 13 September 2013
KEY WORDS: ID-based signature scheme; bilinear pairings; CDHP; multi-proxy signature; provable security; random oracle model
1. INTRODUCTION

The idea of identity-based cryptography (IBC) [1] replaced the certificate-based setting and has remained a great area of research for the last three decades. Motivated by the idea of IBC, many encryption schemes, key agreement protocols, signcryption schemes, and signature schemes [2–9] have been proposed in the identity (ID)-based setting. Combining various signature schemes with the ID-based setting provides many new extensions: ID-based blind signature schemes, ID-based ring signature schemes, ID-based proxy signature schemes, ID-based group signature schemes, and so on [10–12]. The property of linearity in both components makes bilinear pairing effective in terms of both efficiency and functionality. After the work of Boneh and Franklin [2], the application of bilinear pairings has been widely suggested in the construction of ID-based digital signatures [13–16]. In a proxy signature scheme, an original signer can delegate its signing rights to a proxy signer to sign any document on its behalf. The notion of proxy signature was introduced by Mambo et al. [17] in 1996. Further, in 2003, Zhang and Kim [12] proposed the first proxy signature scheme in the ID-based setting, with relatively easier key distribution. As per the requirements of different situations, the proxy signature can be used in various extensions: proxy blind signature [18], anonymous proxy signature [19], short proxy signature [20], threshold proxy signature [21], and so on. Also, according to the number of users in the original and proxy groups, proxy signature schemes can be categorized into multi-proxy signature schemes (MPS), proxy multi-signature schemes, and multi-proxy multi-signature schemes. In many real-world scenarios, a user may need to transfer its signing rights to more than one agent designated by him. For instance, if the president of an organization wants to delegate its signing rights to the heads of different departments to manage related issues, MPS is a solution for such a situation. The MPS was first introduced by Hwang and Shi [22] in 2000. In an MPS, an original signer can authorize a group of proxy signers to sign any document on its behalf. In 2005, Li & Chen [23] proposed an IBMPS scheme from bilinear pairings. Their scheme seems motivated by the work of Hwang & Chen [24]. Moreover, their IBMPS scheme simply follows the properties of a general proxy signature scheme given by Lee et al. [25] and lacks a formal security model and proof. Xu et al. [26] have also proposed an IBMPS scheme with a sequential combination of partial proxy signatures, but their scheme also lacks a formal security proof, as does [23]. In 2009, Cao & Cao [27] proposed the first formal definition and security model for the IBMPS scheme and proposed an IBMPS scheme from bilinear pairings. The security model of their scheme is based on the work of Boldyreva [28], Wang & Cao [29], Wang et al. [30], and Xu et al. [31]. But recently, Xiong et al. [32] pointed out a weakness in their scheme. The weakness is due to the direct employment of the ID-based signature of Sakai et al. [33]. For more details of the weakness of [27] and its improvement, one can refer to [32]. In 2011, Mishra et al. [34] proposed an IBMPS scheme from pairings by the k-plus problem, based on the inverse computational Diffie–Hellman assumption. In view of computation cost and operation time, their scheme is very efficient, but it simply follows the security properties of a proxy signature scheme and requires a formal model and proof of security.

*Correspondence to: Sahadeo Padhye, Department of Mathematics, Motilal Nehru National Institute of Technology, Allahabad-211004, India.
† E-mail: [email protected]
Now, because the IBMPS scheme enjoys crucial applications in distributed systems, grid computing, global distribution networks, mobile agent environments, and so on, the efficiency and security of the IBMPS scheme are important. In this paper, we first propose an IBMPS scheme based on the work of Li & Chen, which can be considered a revised version of their IBMPS scheme; we then formalize a security model for IBMPS schemes and prove that the presented scheme is existentially unforgeable against adaptive chosen-message and adaptive chosen-ID attack in the random oracle model under the computational Diffie–Hellman (CDH) assumption in the gap Diffie–Hellman group $G_1$ [13]. Moreover, the scheme is more efficient in terms of computation and operation time [35] than the IBMPS schemes of Li & Chen [23] and Cao & Cao [27]. Also, because the presented IBMPS scheme does not use the ID-based signature of Sakai et al. [33] as a building block, the scheme is not vulnerable to the attack given in [32].

The rest of this paper is organized as follows. We introduce the definition of bilinear pairing and some related mathematical problems in Section 2. In Section 3, we first present a formal definition of the IBMPS scheme and then describe a security model for such a scheme. We present the revised IBMPS scheme and a flow chart diagram for it in Section 4. In Section 5, we analyze the correctness, prove the security, and investigate the efficiency of our scheme. Finally, Section 6 gives a brief conclusion.

2. PRELIMINARIES

In this section, we briefly describe the concept of bilinear pairing over an elliptic curve and some related mathematical problems.

2.1. Bilinear pairing

Let $G_1$ be an additive cyclic group with generator $P$, and $G_2$ be a cyclic multiplicative group, both of the same large prime order $q$. A map $e : G_1 \times G_1 \to G_2$ satisfying the following properties is called a bilinear pairing or bilinear map:

(1) Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$, $\forall a, b \in \mathbb{Z}_q^*$ and $P, Q \in G_1$. Equivalently, $e(P + Q, R) = e(P, R)\,e(Q, R)$ and $e(P, Q + R) = e(P, Q)\,e(P, R)$, $\forall P, Q, R \in G_1$.

(2) Non-degeneracy: There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$; in other words, $P \neq 0 \Rightarrow e(P, P) \neq 1$.
Alternatively, if $P$ is a generator of $G_1$, then $e(P, P)$ is a generator of $G_2$.

(3) Computability: There exists an efficient algorithm to compute $e(P, Q) \in G_2$, $\forall P, Q \in G_1$.

More precisely, the above bilinear pairing is a symmetric pairing (Type 1 pairing [36]). The Weil pairing and the Tate pairing are examples of cryptographic bilinear maps.

Remark
From the computational point of view, pairing has been considered an expensive tool [37–39], but recent research [40, 41] shows that pairings can be computed and implemented so much faster that the cost of a scheme can be significantly reduced. Hence, in view of recent developments on pairings, cryptographic schemes from bilinear pairings and their security remain of interest for research.

2.2. Computational Diffie–Hellman problem in $G_1$

Given $P, aP, bP \in G_1$, compute $abP \in G_1$, where $a, b \in \mathbb{Z}_q^*$. In our scheme, we assume that such computation in $G_1$ is hard.

2.3. Computational Diffie–Hellman assumption in $G_1$

If $G_1$ is a group of prime order $q$ with generator $P$, then the $(t, \epsilon)$-CDH assumption holds in $G_1$ if there is no polynomial-time algorithm that runs in time at most $t$ and solves the CDHP with probability at least $\epsilon$. Alternatively, the CDH assumption holds in $G_1$ if for every probabilistic polynomial-time, 0/1-valued algorithm (adversary) $\mathcal{A}$, the probability of success in solving the CDHP in $G_1$ is negligible, where a function $f(n) : \mathbb{N} \to \mathbb{R}$ is said to be negligible if its reciprocal $\frac{1}{f(n)}$ is a non-polynomially-bounded function in $n$.

2.4. Decisional Diffie–Hellman problem in $G_1$

If $G_1$ is a group of prime order $q$ with generator $P$, then given $P, aP, bP, cP \in G_1$, decide whether $c = ab \bmod q$, where $a, b, c \in \mathbb{Z}_q^*$.

2.5. Gap Diffie–Hellman group

A prime order group $G_1$ is a GDH group if there exists an efficient (polynomial-time) algorithm that solves the decisional Diffie–Hellman problem in $G_1$, but there is no probabilistic polynomial-time algorithm that solves the CDHP in $G_1$ with a non-negligible probability of success.

Remark 1
(1) The domains of bilinear pairings provide examples of GDH groups. The Menezes–Okamoto–Vanstone reduction [42] gives a method to solve the decisional Diffie–Hellman problem in $G_1$, whereas there is no known efficient algorithm to solve the CDHP in $G_1$.
(2) In our scheme, the elliptic curve group $G_1$ is a GDH group; it is simply written as group $G_1$ everywhere.

3. IDENTITY-BASED MULTI-PROXY SIGNATURE SCHEME AND A SECURITY MODEL FOR IT

In this section, we formalize a definition of an IBMPS scheme and propose a security model for it. The formal definition of the IBMPS scheme is motivated by [27, 29, 30].

3.1. Definition: Identity-based multi-proxy signature scheme

Let $A$ be the original signer with identity $ID_A$, and $B_i$ be the proxy signers with corresponding identities $ID_{B_i}$, for $1 \le i \le n$. Private keys of all the signers are generated by a private key
generator (PKG), using their corresponding identities. Precisely, an IBMPS scheme consists of the following phases:

Setup: For a security parameter $k$, the PKG runs this algorithm and generates the public parameters $Params$ of the system and a master secret key $mk$. The PKG publishes $Params$ and keeps the master secret confidential.

Extraction: This is the private key generation algorithm. Given an identity $ID$, the public parameters $Params$, and the master secret key, the PKG outputs the private key $S_{ID}$. Finally, the PKG provides all the private keys to the users through a secure channel.

Signature: This is a probabilistic polynomial-time signature issuing algorithm. On input the public parameters $Params$, a message $m$, the identity $ID$ of the signer, and its private key $S_{ID}$, this algorithm outputs a signature $\sigma$ on message $m$.

Verification: This is a deterministic verification algorithm, which takes as input the public parameters $Params$, the signer's identity $ID$, the message $m$, and the signature $\sigma$ for message $m$, and outputs 1 if $\sigma$ is a valid signature on $m$ for identity $ID$, and 0 otherwise.

Proxy key generation: This is a protocol between the original signer and all the proxy signers. All participants input their identities $ID_A$, $ID_{B_i}$, private keys $S_{ID_A}$, $S_{ID_{B_i}}$ (for $1 \le i \le n$) and the message warrant (or simply, warrant) $w$, which includes some specific information regarding the message, such as restrictions on the message, time of delegation, identities of the original and proxy signers, period of validity, and so on. After a successful interaction, each proxy signer $B_i$ for $1 \le i \le n$ outputs its partial proxy signing key, say $S_{pk_i}$.

Multi-proxy signature: This is a randomized algorithm, which takes the partial proxy signing key of each proxy signer, the message $m$, and the warrant $w$, and outputs an IBMPS, say $\sigma_p$.

Multi-proxy verification: This is a deterministic algorithm. It takes as input the identities $ID_A$, $ID_{B_i}$ (for $1 \le i \le n$) of all the users, the message $m$, the warrant $w$, and the IBMPS $\sigma_p$.
The algorithm outputs 1 if the signature $\sigma_p$ is a valid IBMPS on message $m$ by the proxy group on behalf of the original signer, and outputs 0 otherwise.

3.2. Security model for identity-based multi-proxy signature scheme

Here, we propose a security model for IBMPS schemes, motivated by the works of Cao & Cao [27] and Shao [43]. In our model, an adversary $\mathcal{A}$ tries to forge the IBMPS, working against a single user (say user 1), who is either the original signer or one of the proxy signers. The adversary is given oracle access to Hash queries, Extraction queries, Delegation queries, and Multi-proxy signature queries. The goal of adversary $\mathcal{A}$ is to produce one of the following forgeries:

(1) A standard signature by user 1 for a message that was not submitted to the standard signature oracle.
(2) An IBMPS for a message $m$ on behalf of the original signer, where user 1 is one of the proxy signers, such that either the original signer never designated user 1, or $m$ was not submitted in the multi-proxy signature queries.
(3) An IBMPS for a message $m$ by the proxy signers on behalf of user 1, such that user 1 is the original signer and the proxy signers were never designated by user 1.

Consider the following game between the adversary $\mathcal{A}$ and a challenger $\mathcal{C}$:

(1) Setup: $\mathcal{C}$ runs the Setup algorithm and provides the public parameters $Params$ to $\mathcal{A}$.
(2) Extraction queries: When $\mathcal{A}$ asks for the private key of any user (except user 1) with identity $ID_i \in \{0,1\}^*$, $\mathcal{C}$ runs the Extraction algorithm and responds with the private key $S_{ID_i}$ associated with the identity $ID_i$.
(3) Signature queries: To query a standard signature from user 1 with identity $ID_1$, $\mathcal{A}$ selects a message $m' \in \{0,1\}^*$ of its choice and sends it to user 1. User 1 uses its private key $S_{ID_1}$ to output a signature $\sigma = \mathrm{Sign}(S_{ID_1}, m')$ on it, and sends it to $\mathcal{A}$. The message $m'$ is finally added to a list $L_s$. Here, $\mathcal{A}$ accesses this oracle adaptively, on an arbitrary number of messages of its choice.
(4) Delegation queries: At any time, $\mathcal{A}$ can request to interact with anyone from either the original signer or the proxy signers.
  (1) To interact with user 1, where user 1 plays the role of a proxy signer, $\mathcal{A}$ sends the original signer's delegation on a warrant $w'$ to $\mathcal{C}$. Challenger $\mathcal{C}$ responds by running the Proxy key generation algorithm, taking the warrant $w'$ as input. Eventually, $\mathcal{C}$ outputs a corresponding partial proxy signing key $S'_{pk}$, then adds the tuple $\langle w', S'_{pk} \rangle$ to a list $L_{Dp}$. Note that $\mathcal{A}$ does not have access to the elements of $L_{Dp}$.
  (2) To interact with user 1, where user 1 plays the role of the original signer, $\mathcal{A}$ creates a message warrant $w'$. $\mathcal{C}$ then responds by running the Proxy key generation algorithm for the message warrant $w'$ selected by $\mathcal{A}$. After a successful run, $\mathcal{C}$ adds the input message warrant $w'$ to a list $L_{Do}$.
(5) Multi-proxy signature queries: Proceeding adaptively, $\mathcal{A}$ requests an IBMPS on a message $m' \in \{0,1\}^*$ of its choice satisfying a warrant $w'$ for which an $S'_{pk}$ exists such that $\langle w', S'_{pk} \rangle \in L_{Dp}$ and $w'$ is satisfied by $m'$. $\mathcal{C}$ responds by running the multi-proxy signature algorithm with the corresponding partial proxy signing key $S'_{pk}$ from the list $L_{Dp}$ as input. Eventually, $\mathcal{C}$ outputs a partial proxy signature $\sigma_1$ on message $m'$; $\sigma_1$ is sent to the clerk in the proxy group, who combines all the partial proxy signatures. The query $(m', w')$ is added to a list $L_{mps}$.

The advantage of adversary $\mathcal{A}$, $\mathrm{Adv}^{uf}_{IBMPS}(k)$, is defined to be its probability of success in the above game.
Definition 1
An IBMPS forger (adversary) $\mathcal{A}$ $(t, q_H, q_E, q_s, q_D, q_{mps}, n+1, \epsilon)$-breaks the $(n+1)$-user IBMPS scheme by the adaptive chosen-message and adaptive chosen-ID attack if $\mathcal{A}$ runs in time at most $t$; makes at most $q_H$ hash queries, at most $q_E$ extraction queries, at most $q_s$ standard signature queries, at most $q_D$ delegation queries, and at most $q_{mps}$ multi-proxy signature queries; and the success probability of $\mathcal{A}$ is at least $\epsilon$.

Definition 2
An IBMPS scheme is $(t, q_H, q_E, q_s, q_D, q_{mps}, n+1, \epsilon)$-secure against adaptive chosen-message and adaptive chosen-ID attack if no adversary $(t, q_H, q_E, q_s, q_D, q_{mps}, n+1, \epsilon)$-breaks it.

4. IDENTITY-BASED MULTI-PROXY SIGNATURE SCHEME

In this section, we present an IBMPS scheme based on the IBMPS scheme of [23]. The scheme is described in the following phases: system setup, key extraction, signature, verification, proxy key generation, multi-proxy signature, and multi-proxy verification.

Setup: For a security parameter $k$, the PKG randomly selects $s \in \mathbb{Z}_q^*$ and computes the system's public value $P_{pub} = sP \in G_1$. The PKG then publishes the system's public parameters $Params = (k, G_1, G_2, q, e, H_1, H_2, H_3, P, P_{pub})$ and keeps the master secret $s$ confidential. In $Params$, $G_1$ is an additive cyclic group of large prime order $q$ with generator $P$, and $G_2$ is a multiplicative cyclic group of the same prime order $q$; $e : G_1 \times G_1 \to G_2$ is a bilinear pairing as defined previously; $H_1$, $H_2$, and $H_3$ are hash functions for security purposes, defined as $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to \mathbb{Z}_q^*$, and $H_3 : \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_q^*$.

Extraction: For a user with identity $ID$, the PKG computes its public key as $Q_{ID} = H_1(ID) \in G_1$ and private key as $S_{ID} = sQ_{ID} \in G_1$. Thus the original signer, say $A$, has public key $Q_{ID_A}$ and corresponding private key $S_{ID_A}$. Similarly, for the $n$ proxy signers, the public keys are $Q_{ID_{B_i}}$ and the corresponding private keys are $S_{ID_{B_i}}$ (for $1 \le i \le n$).
Signature: To sign a message $m \in \{0,1\}^*$ with a private key $S_{ID}$, randomly select $x \in \mathbb{Z}_q^*$, compute $V_s = xP$, $H = H_2(m)$, and $W_s = HS_{ID} + xP_{pub}$. The signature on message $m$ is $\sigma = (W_s, V_s)$.
Verification: To verify a signature $\sigma = (W_s, V_s)$ on message $m$ for an identity $ID$, the verifier computes $Q_{ID} = H_1(ID)$ and $H = H_2(m)$, accepts the signature if $e(W_s, P) = e(HQ_{ID} + V_s, P_{pub})$, and rejects it otherwise.

Proxy key generation: In this phase, the original signer interacts with all the proxy signers to delegate its signing rights. For this, the original signer makes a message warrant $w$ jointly with the $n$ proxy signers. The warrant $w$ includes some specific information about the message: restrictions on the message, time of delegation, identities of the original and proxy signers, period of validity, and so on.

Delegation: To delegate the signing rights to the $n$ proxy signers, the original signer $A$ randomly chooses $t \in \mathbb{Z}_q^*$, computes $V = tP \in G_1$, $h = H_2(w) \in \mathbb{Z}_q^*$, $W = hS_{ID_A} + tP_{pub} \in G_1$, and broadcasts $(W, V, w)$ to the group of proxy signers through a secure channel.

Delegation verification: Each proxy signer $B_i$ (for $1 \le i \le n$) computes $h = H_2(w)$ and accepts the delegation value $(W, V, w)$ on warrant $w$ if the equality $e(W, P) = e(hQ_{ID_A} + V, P_{pub})$ holds. Otherwise, it asks for a new one or terminates the protocol.

Proxy key generation: After receiving the valid delegation value $(W, V, w)$, each proxy signer $B_i$ (for $1 \le i \le n$) generates its proxy signing key as $S_{pk_i} = W + hS_{ID_{B_i}}$.

Multi-proxy signature: In this phase, one of the proxy signers in the proxy group acts as a clerk. The task of the clerk is to generate the final IBMPS by combining all the partial proxy signatures of the proxy signers. Each proxy signer $B_i$ (for $1 \le i \le n$) randomly chooses $x_i \in \mathbb{Z}_q^*$, computes $h' = H_3(m, w) \in \mathbb{Z}_q^*$ and $U_{p_i} = x_iP$, and broadcasts $U_{p_i}$ to the other $(n-1)$ proxy signers. Each $B_i$ then computes $U_p = \sum_{i=1}^{n} U_{p_i}$ and $\sigma_{p_i} = h'S_{pk_i} + x_iP_{pub}$; thus the partial proxy signature by proxy signer $B_i$ on the intended message $m$ is $\sigma_{p_i}$. Each proxy signer $B_i$ sends its partial proxy signature $\sigma_{p_i}$ to the clerk in the proxy group to generate the final IBMPS.
Receiving all the partial proxy signatures $\sigma_{p_i}$, for $1 \le i \le n$, the clerk computes a public value $Q_{pk_i} = h(Q_{ID_A} +Q_{ID_{B_i}}) + V$ and verifies each partial proxy signature by checking the equality $e(P, \sigma_{p_i}) = e(P_{pub}, h'Q_{pk_i} + U_{p_i})$. If the clerk finds all the partial proxy signatures valid, he finally generates the IBMPS on message $m$ as $(\sigma_p, V, w, U_p)$, where $\sigma_p = \sum_{i=1}^{n} \sigma_{p_i}$.

Multi-proxy verification: Receiving an IBMPS $(\sigma_p, V, w, U_p)$ and message $m$, the verifier proceeds as follows:
(1) Checks the message $m$ and the warrant $w$. Continues if the message and warrant are valid with respect to each other, rejects otherwise.
(2) Checks whether or not the $n$ proxy signers are authorized by the original signer on warrant $w$. Stops if not, continues otherwise.
(3) Computes $h = H_2(w)$, $h' = H_3(m, w)$ and $Q_{pk} = h\left[nQ_{ID_A} + \sum_{i=1}^{n} Q_{ID_{B_i}}\right] + nV$, then accepts the IBMPS on message $m$ if and only if the following equality holds: $e(P, \sigma_p) = e(P_{pub}, h'Q_{pk} + U_p)$.

4.1. Flow chart of our identity-based multi-proxy signature scheme

The presented IBMPS scheme can also be described by a simple flow chart, as shown in Figure 1.
Figure 1. Our ID-based multi-proxy signature scheme.
5. ANALYSIS OF THE PRESENTED SCHEME

In this section, we first analyze the correctness of verification and then prove the security of the scheme. Finally, we analyze the computational efficiency of our scheme with respect to other IBMPS schemes [23, 27].

5.1. Correctness

The property of correctness in the multi-proxy verification phase is satisfied as follows:
$$
\begin{aligned}
e(P, \sigma_p) &= e\Big(P, \sum_{i=1}^{n} \sigma_{p_i}\Big) \\
&= e\Big(P, \sum_{i=1}^{n} \big(h'S_{pk_i} + x_iP_{pub}\big)\Big) \\
&= e\Big(P_{pub}, \sum_{i=1}^{n} \big(h'Q_{pk_i} + x_iP\big)\Big) \\
&= e\Big(P_{pub}, \sum_{i=1}^{n} h'Q_{pk_i}\Big)\, e\Big(P_{pub}, \sum_{i=1}^{n} x_iP\Big) \\
&= e\big(P_{pub}, h'Q_{pk}\big)\, e\Big(P_{pub}, \sum_{i=1}^{n} U_{p_i}\Big) \\
&= e(P_{pub}, Q_{pk})^{h'}\, e(P_{pub}, U_p) \\
&= e\big(P_{pub}, h'Q_{pk} + U_p\big).
\end{aligned}
$$
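The scheme of Section 4 and the correctness chain of Section 5.1 can be exercised end to end with the following added example; it is not code from the paper. It instantiates the scheme over a toy symmetric pairing ($G_1 = (\mathbb{Z}_Q, +)$ with $P = 1$, $e(aP, bP) = g^{ab}$ in an order-$Q$ subgroup of $\mathbb{Z}_p^*$), which satisfies bilinearity, non-degeneracy and computability but makes the CDHP trivial, so it checks only the algebra of the verification equations, never security. The warrant format, the identities and the message are constructed for the example, and $H_1$, $H_2$, $H_3$ are SHA-256 reduced modulo $Q$ (assumptions, not the paper's choices).

```python
# Added example, not the paper's code: the IBMPS scheme of Section 4 run over a toy symmetric
# pairing so that every verification equation (and the Section 5.1 correctness chain) executes.
# G1 = (Z_Q, +) with P = 1, G2 = the order-Q subgroup of Z_P_MOD^*, e(aP, bP) = g^(ab) mod P_MOD.
# Bilinear, non-degenerate, computable, but CDH in this G1 is trivial: algebra check only.
import hashlib
import secrets

def is_prime(n):  # deterministic Miller-Rabin for odd n with 41 < n < 3.3e24 (fixed witnesses)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
Q = 2**61 - 1                                                    # Mersenne prime: |G1| = |G2| = Q
K = next(k for k in range(2, 10**6, 2) if is_prime(k * Q + 1))
P_MOD = K * Q + 1                                                # prime with Q | P_MOD - 1
G2_GEN = next(pow(b, K, P_MOD) for b in range(2, 100) if pow(b, K, P_MOD) != 1)  # order Q
P = 1                                                            # generator of G1; "aP" is a mod Q

def e(x, y):                                                     # toy pairing e(aP, bP) = g^(ab)
    return pow(G2_GEN, x * y % Q, P_MOD)
def _hash_to_zq(*parts):
    digest = hashlib.sha256(b"\x00".join(p.encode() for p in parts)).digest()
    return int.from_bytes(digest, "big") % Q
def H1(identity): return _hash_to_zq("H1", identity)             # H1: {0,1}* -> G1
def H2(data): return _hash_to_zq("H2", data)                     # H2: {0,1}* -> Z_q
def H3(m, w): return _hash_to_zq("H3", m, w)                     # H3: {0,1}* x {0,1}* -> Z_q
def rand_zq(): return secrets.randbelow(Q - 1) + 1

def setup():                                                     # PKG: master secret s, P_pub = sP
    s = rand_zq()
    return s, s * P % Q
def extract(s, identity):                                        # S_ID = s Q_ID, Q_ID = H1(ID)
    return s * H1(identity) % Q

def sign(ppub, s_id, m):                                         # (W_s, V_s) = (H S_ID + x P_pub, xP)
    x = rand_zq()
    return (H2(m) * s_id + x * ppub) % Q, x * P % Q
def verify(ppub, identity, m, sig):                              # e(W_s, P) = e(H Q_ID + V_s, P_pub)
    w_s, v_s = sig
    return e(w_s, P) == e((H2(m) * H1(identity) + v_s) % Q, ppub)

def delegate(ppub, s_a, w):                                      # (W, V, w) = (h S_A + t P_pub, tP, w)
    t = rand_zq()
    return (H2(w) * s_a + t * ppub) % Q, t * P % Q, w
def delegation_valid(ppub, id_a, deleg):                         # e(W, P) = e(h Q_A + V, P_pub)
    W, V, w = deleg
    return e(W, P) == e((H2(w) * H1(id_a) + V) % Q, ppub)
def proxy_key(deleg, s_b):                                       # S_pk_i = W + h S_B_i
    W, _, w = deleg
    return (W + H2(w) * s_b) % Q

def partial_sign(ppub, s_pk, m, w):                              # (sigma_p_i, U_p_i) = (h' S_pk_i + x_i P_pub, x_i P)
    x_i = rand_zq()
    return (H3(m, w) * s_pk + x_i * ppub) % Q, x_i * P % Q
def clerk_combine(ppub, id_a, proxy_ids, deleg, m, partials):
    """Clerk: check each partial against Q_pk_i = h(Q_A + Q_B_i) + V, then emit (sigma_p, V, w, U_p)."""
    _, V, w = deleg
    h, h_prime = H2(w), H3(m, w)
    for id_b, (sig_i, u_i) in zip(proxy_ids, partials):
        q_pk_i = (h * (H1(id_a) + H1(id_b)) + V) % Q
        if e(P, sig_i) != e(ppub, (h_prime * q_pk_i + u_i) % Q):
            raise ValueError(f"invalid partial proxy signature from {id_b}")
    return sum(s for s, _ in partials) % Q, V, w, sum(u for _, u in partials) % Q

def warrant_covers(w, id_a, proxy_ids, m):
    """Steps (1)-(2); constructed warrant format 'original=ID_A;proxies=ID_B1,...;prefix=<msg prefix>'."""
    fields = dict(f.split("=", 1) for f in w.split(";"))
    return (fields.get("original") == id_a and fields.get("proxies", "").split(",") == list(proxy_ids)
            and m.startswith(fields.get("prefix", "")))
def mp_verify(ppub, id_a, proxy_ids, m, mps):
    sigma_p, V, w, u_p = mps
    if not warrant_covers(w, id_a, proxy_ids, m):
        return False
    n, h, h_prime = len(proxy_ids), H2(w), H3(m, w)
    q_pk = (h * (n * H1(id_a) + sum(H1(b) for b in proxy_ids)) + n * V) % Q   # step (3)
    return e(P, sigma_p) == e(ppub, (h_prime * q_pk + u_p) % Q)

def run_demo(n=3):
    """One full protocol run with constructed identities; returns the verification outcomes."""
    s, ppub = setup()
    id_a, proxy_ids = "alice@example.test", [f"proxy{i}@example.test" for i in range(1, n + 1)]
    s_a, s_bs = extract(s, id_a), [extract(s, b) for b in proxy_ids]
    w = f"original={id_a};proxies={','.join(proxy_ids)};prefix=PO-2013"
    m = "PO-2013-0042: purchase order"
    deleg = delegate(ppub, s_a, w)
    partials = [partial_sign(ppub, proxy_key(deleg, s_b), m, w) for s_b in s_bs]
    mps = clerk_combine(ppub, id_a, proxy_ids, deleg, m, partials)
    return {"delegation_ok": delegation_valid(ppub, id_a, deleg),
            "standard_ok": verify(ppub, id_a, m, sign(ppub, s_a, m)),
            "mps_ok": mp_verify(ppub, id_a, proxy_ids, m, mps),
            "tampered": mp_verify(ppub, id_a, proxy_ids, m + " (amended)", mps),
            "outside_warrant": mp_verify(ppub, id_a, proxy_ids, "INV-2013-0001", mps)}
```

`run_demo()` returns the outcomes of the delegation check, the standard verification, the multi-proxy verification, a verification of the same IBMPS against an altered message (fails because $h' = H_3(m, w)$ changes) and against a message outside the warrant (rejected at steps (1)-(2) before any pairing is computed); the clerk's check of each $\sigma_{p_i}$ raises on a partial signature made with a wrong key.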
5.2. Security proof

Following the model described in Section 3, we prove here the existential unforgeability of the presented IBMPS scheme under adaptive chosen-message and adaptive chosen-ID attack in the random oracle model, under the CDH assumption. As discussed in Section 3, the adversary $\mathcal{A}$ is given oracle access to obtain the private keys associated with all identities but that of user 1. $\mathcal{A}$ can also access the standard signature oracle on its selected messages, the delegation oracle on its selected warrants $w'$, and the multi-proxy signature oracle on an arbitrary number of (message, warrant) pairs $(m', w')$ of its choice. Precisely, in this game, the challenger interacts with the adversary $\mathcal{A}$. With all responses of this interaction, $\mathcal{A}$ (whose goal is an existential forgery of a new IBMPS for any warrant $w$ and message $m$) is used to construct a new adversary $\mathcal{B}$, to show that an instance of the CDHP can be solved by $\mathcal{B}$ if the scheme is forged by $\mathcal{A}$.

Definition 3
An IBMPS scheme is said to be existentially unforgeable against adaptive chosen-message and adaptive chosen-ID attack if no probabilistic polynomial-time adversary (algorithm) $\mathcal{A}$ has a non-negligible advantage against the challenger in the game of Section 3.

Theorem
In the random oracle model for the hash functions, if there exists an adversary $\mathcal{A}$ that $(t, q_{H_1}, q_{H_2}, q_{H_3}, q_E, q_s, q_D, q_{mps}, \epsilon)$-breaks the presented IBMPS scheme, then there exists an adversary $\mathcal{B}$ that $(t', q'_{H_1}, q'_{H_2}, q'_{H_3}, q'_E, q'_s, q'_D, q'_{mps}, \epsilon')$-solves the CDHP in time at most
$$t' \le t + (q_{H_1} + 2q_E + 3q_s + 4q_D + 5q_{mps} + 1)\,C_{G_1}$$
with success probability at least
$$\epsilon' \ge \frac{1 - \frac{1}{q}}{M\,(q_E + q_s + q_D + q_{mps} + n + 1)},$$
where $C_{G_1}$ denotes the cost of a scalar multiplication in $G_1$ and $1/M$ is the maximum value of $(1-\alpha)^{q_E + q_s + q_D + q_{mps} + n}$, as defined in the proof.
Proof
The challenger runs an algorithm to obtain $\langle q, G_1, G_2, e, P, sP, dP \rangle$ for $\mathcal{B}$. Here, $\mathcal{A}$ is a forger algorithm (adversary) whose goal is to break the presented IBMPS scheme. The adversary $\mathcal{B}$ simulates the challenger and interacts with $\mathcal{A}$. The goal of $\mathcal{B}$ is to solve the CDHP by computing $sdP \in G_1$, given $\langle q, G_1, G_2, e, P, sP, dP \rangle$ and using the algorithm $\mathcal{A}$.

Key generation: For a security parameter $k$, $\mathcal{B}$ generates the system's public parameters $Params = \langle q, G_1, G_2, e, P, P_{pub}, H_1, H_2, H_3 \rangle$ and provides $P_{pub} = sP$ to $\mathcal{A}$ as the public value.

$H_1$-queries: When an identity $ID_i \in \{0,1\}^*$ is submitted to the hash oracle, algorithm $\mathcal{B}$ responds as follows:
(1) If the query $ID_i$ already appears on the list $L_{H_1}$ in some tuple $\langle ID_i, h_1, b, H_1coin \rangle$, then algorithm $\mathcal{B}$ responds with $h_1 = H_1(ID_i)$.
(2) Otherwise, $\mathcal{B}$ generates a random $H_1coin \in \{0,1\}$ with probability $\Pr[H_1coin = 0] = \alpha$, for some $\alpha$ that will be determined later.
(3) Now if $H_1coin = 0$, then $\mathcal{B}$ picks a random integer $b \in \mathbb{Z}_q^*$ and computes $h_1 = b(dP)$. If $H_1coin = 1$, $\mathcal{B}$ computes $h_1 = bP$ and responds to $\mathcal{A}$.
(4) Algorithm $\mathcal{B}$ adds the tuple $\langle ID_i, h_1, b, H_1coin \rangle$ to the list $L_{H_1}$.

$H_2$-queries: When any warrant $w' \in \{0,1\}^*$ is submitted to this hash oracle, algorithm $\mathcal{B}$ picks a random integer $f \in \mathbb{Z}_q^*$, responds to $\mathcal{A}$ with $h_2 = H_2(w') = f$, and adds the tuple $\langle w', h_2, f \rangle$ to the list $L_{H_2}$.

$H_3$-queries: When $\mathcal{A}$ submits a message $m' \in \{0,1\}^*$ and its corresponding warrant $w' \in \{0,1\}^*$ to the hash oracle, algorithm $\mathcal{B}$ picks a random integer $r \in \mathbb{Z}_q^*$, responds to $\mathcal{A}$ with $h_3 = H_3(m', w') = r$, and adds the tuple $\langle (m', w'), h_3, r \rangle$ to the list $L_{H_3}$.

Extraction queries: When $\mathcal{A}$ requests a private key on identity $ID_i \neq ID_1$ (where $ID_1$ is the identity of user 1), $\mathcal{B}$ responds to this query as follows:
(1) Runs the above algorithm for responding to an $H_1$-query on $ID_i \neq ID_1$. Suppose $\langle ID_i, h_1, b, H_1coin \rangle$ is the corresponding tuple on the list $L_{H_1}$. If $H_1coin = 0$, then $\mathcal{B}$ outputs 'failure' and terminates.
(2) For $H_1coin = 1$, $h_1 = bP$. $\mathcal{B}$ computes $S_{ID_i} = bP_{pub} \in G_1$ as the private key corresponding to the identity $ID_i$. One can check that $e(S_{ID_i}, P) = e(bP_{pub}, P) = e(bP, P_{pub}) = e(H_1(ID_i), P_{pub}) = e(Q_{ID_i}, P_{pub})$. So $S_{ID_i}$ is a valid private key of the user with identity $ID_i$. Finally, $\mathcal{B}$ provides the private key $S_{ID_i}$ to $\mathcal{A}$ as the response to the extraction query. The probability of success is $(1 - \alpha)$ (as the private key is calculated in the case $H_1coin = 1$).

Signature queries: When $\mathcal{A}$ requests a standard signature by user 1 with identity $ID_1$ on its selected message $m'$, $\mathcal{B}$ responds as follows:
(1) $\mathcal{B}$ runs the above algorithm for responding to $H_1$-queries to obtain $Q_{ID_1} = H_1(ID_1)$. If $H_1coin = 0$, then $\mathcal{B}$ outputs 'failure' and terminates. For $H_1coin = 1$, $H_1(ID_1) = h_1 = b_1P$.
(2) Further, algorithm $\mathcal{B}$ computes $H' = H_2(m') \in \mathbb{Z}_q^*$, selects $x' \in \mathbb{Z}_q^*$ randomly, and computes $V'_s = x'P - H'b_1P$ and $W'_s = x'P_{pub}$. It can be verified that $\sigma = (W'_s, V'_s)$ is a valid signature on message $m'$ under identity $ID_1$. Algorithm $\mathcal{B}$ provides $\sigma$ to $\mathcal{A}$. Finally, message $m'$ is added to a list $L_s$. The probability of success is $(1 - \alpha)$ (as the valid signature has been generated in the case $H_1coin = 1$).

Delegation queries: Now, at any time, $\mathcal{A}$ can request to interact with either the original signer or anyone from the group of proxy signers. $\mathcal{B}$ responds to the query as follows:
(1) Suppose $\mathcal{A}$ requests to interact with user 1, where user 1 plays the role of a proxy signer. For this, $\mathcal{A}$ outputs a message warrant $w'$ and computes the delegation $W'$ for $w'$, using the private key of the original signer obtained from the extraction queries. $\mathcal{A}$ then sends $(W', w')$ to $\mathcal{B}$. After checking the validity of $W'$, $\mathcal{B}$ adds the message warrant $w'$ to a list $L_{Dp}$.
(2) Alternatively, suppose $\mathcal{A}$ requests to interact with user 1, where user 1 plays the role of the original signer. For this, $\mathcal{A}$ creates a warrant $w'$ and requests user 1 to sign the warrant $w'$. $\mathcal{B}$ queries $w'$ to its signature oracle. Upon receiving an answer $(\sigma')$, it forwards $(\sigma')$ to $\mathcal{A}$ and adds the warrant $w'$ to a list $L_{Do}$.

In either of the above cases, $\mathcal{B}$ runs the above algorithm to reply to $H_2$-queries for $w'$, obtaining the corresponding tuple $\langle w', h_2, f \rangle$ on the list $L_{H_2}$. Now $h_2 = f$; if $H_1coin = 0$, then $\mathcal{B}$ reports 'failure' and terminates. If $H_1coin = 1$, then we know that $H_1(ID) = bP$. For this, $\mathcal{B}$ computes $W' = fb_AP_{pub} + t'P_{pub}$, for an integer $b_A \in \mathbb{Z}_q^*$ randomly selected by $\mathcal{B}$ on $H_1$-queries. One can check that:
$$
\begin{aligned}
e\big(h_2H_1(ID_A) + V', P_{pub}\big) &= e\big(fH_1(ID_A) + t'P, P_{pub}\big) \\
&= e\big(fb_AP + t'P, P_{pub}\big) \\
&= e\big(fb_AP_{pub} + t'P_{pub}, P\big) \\
&= e(W', P).
\end{aligned}
$$
Hence, the partial proxy signing key provided above, which involves $W'$, is valid. We have emphasized previously that $\mathcal{A}$ cannot access the elements of $L_{Dp}$. The success probability is $(1 - \alpha)$ (as the above validity holds in the case $H_1coin = 1$).

Multi-proxy signature queries: Now the adversary $\mathcal{A}$ proceeds adaptively and requests a multi-proxy signature on a message $m'$ of its choice, satisfying the warrant $w'$. $\mathcal{B}$ does the following to respond to this query:
(1) Runs the above algorithm for responding to $H_1$-queries on the tuple $\langle ID_i, h_1, b, H_1coin \rangle$ to obtain $h_1$. If $H_1coin = 0$, then $\mathcal{B}$ reports 'failure' and terminates. If $H_1coin = 1$, then we know that $h_1 = bP$.
(2) Runs the above algorithm for responding to $H_2$-queries on $w'$, obtaining the tuple $\langle w', h_2, f \rangle$ on the list $L_{H_2}$.
(3) Runs the above algorithm for responding to $H_3$-queries on $(m', w')$, obtaining the tuple $\langle (m', w'), h_3, r \rangle$ on the list $L_{H_3}$.
(4) Now $\mathcal{B}$ randomly selects $x' \in \mathbb{Z}_q^*$, computes $U'_p = x'P$ and $Q'_{pk} = f\left[nQ_{ID_A} + \sum_{i=1}^{n} Q_{ID_{B_i}}\right] + nV'$. Finally, it computes the multi-proxy signature $\sigma'_p = r\{f(nb_A + b_{B_1} + b_{B_2} + \dots + b_{B_n})P_{pub} + nt'P_{pub}\} + x'P_{pub}$. The signature can be verified as follows:
$$
\begin{aligned}
e\big(P_{pub}, h_3Q'_{pk} + U'_p\big) &= e\big(P_{pub}, Q'_{pk}\big)^{h_3}\, e\big(P_{pub}, U'_p\big) \\
&= e\Big(P_{pub}, f\Big[nQ_{ID_A} + \sum_{i=1}^{n} Q_{ID_{B_i}}\Big] + nV'\Big)^{r}\, e(P_{pub}, x'P) \\
&= e\big(P_{pub}, f[nH_1(ID_A) + H_1(ID_{B_1}) + H_1(ID_{B_2}) + \dots + H_1(ID_{B_n})] + nV'\big)^{r}\, e(P_{pub}, x'P) \\
&= e\big(P_{pub}, f[nb_AP + b_{B_1}P + b_{B_2}P + \dots + b_{B_n}P] + nV'\big)^{r}\, e(P_{pub}, x'P) \\
&= e\big(P_{pub}, r\{f(nb_A + b_{B_1} + b_{B_2} + \dots + b_{B_n})P + nt'P\} + x'P\big) \\
&= e\big(P, r\{f(nb_A + b_{B_1} + b_{B_2} + \dots + b_{B_n})P_{pub} + nt'P_{pub}\} + x'P_{pub}\big) \\
&= e(P, \sigma'_p).
\end{aligned}
$$
Hence, the produced multi-proxy signature $(\sigma'_p, V', w', U'_p)$ on message $m'$ is valid. The success probability is $(1 - \alpha)$ (as the above equality holds in the case $H_1coin = 1$).

Now, $\Pr[\mathcal{B} \text{ does not abort during the simulation}] = (1 - \alpha)^{q_E + q_s + q_D + q_{mps}}$.

Output: If $\mathcal{B}$ never reports 'failure' in the above game, then $\mathcal{A}$ outputs a valid IBMPS $(\sigma_p, V, w, U_p)$ on a message $m$ under a warrant $w$ for the identities $\langle ID_A, ID_{B_1}, ID_{B_2}, \dots, ID_{B_n} \rangle$, which satisfies $e(P, \sigma_p) = e(P_{pub}, Q_{pk})^{h'}\, e(P_{pub}, U_p)$. If the responses to all the hash functions are picked randomly, then the probability that the above verification equality holds by chance is less than $1/q$. Hence, $\mathcal{A}$ outputs a new valid IBMPS $(\sigma_p, V, w, U_p)$ on message $m$ with success probability $(1 - \alpha)^{q_E + q_s + q_D + q_{mps}}(1 - 1/q)$.

Now, for both cases, when the adversary $\mathcal{A}$ plays the role of either an original signer or a proxy signer, we show that the algorithm $\mathcal{B}$ can solve an instance of the CDHP when $\mathcal{A}$ successfully forges the presented IBMPS scheme.

Case 1
When $\mathcal{A}$ simulates $\mathcal{B}$ and requests to interact with user 1 with identity, say, $ID_{B_1}$, where the user 1 with identity $ID_{B_1}$ plays the role of one of the proxy signers. For $ID_{B_1}$, $\mathcal{A}$ did not request the private key, did not request a delegation query including $\langle w, ID_{B_1} \rangle$, and did not request a multi-proxy signature query including $\langle ID_{B_1}, w, m \rangle$. If $H_1coin = 1$, then $H_1(ID_{B_i}) = b_{B_i}P$ for $2 \le i \le n$, and $H_1(ID_A) = b_AP$. $\mathcal{B}$ computes
$$\sigma_p = \sigma'_p - \big[r\{f(nb_A + b_{B_2} + \dots + b_{B_n})P_{pub} + nt'P_{pub}\} + x'P_{pub}\big].$$
Finally, $\mathcal{B}$ uses $\mathcal{A}$'s forgery to solve the CDHP as follows. By the equality:
Int. J. Commun. Syst. 2015; 28:497–512 DOI: 10.1002/dac
PROVABLE SECURE ID-BASED MULTI-PROXY SIGNATURE SCHEME
507
e P , p0 r D e Ppub , f nH1 .IDA /CH1 IDB1 CH1 IDB2 C .. C H1 .IDBn / CnV 0 e Ppub , x 0 P r D e Ppub , f nbA P C H1 IDB1 C bB2 P C .. C bBn P C nV 0 e Ppub , x 0 P D e Ppub , r f nbA P C bB2 P C .. C bBn P C nt 0 P C x 0 P e Ppub , rf H1 IDB1 ° ± 0 D e P , r f nbA C bB2 C .. C bBn Ppub C ntpub C x 0 Ppub e Ppub , rf H1 IDB1 or e P , p D e Ppub , rf H1 IDB1 D e Ppub , rf bB1 .dP / .for H1 coi n D 0, h1 D b.dP // D e P , rf bB1 .sdP / or say e P , p D e.P , K.sdP // for K D rf bB1 2 Zq . Hence, B can compute K 1 p D sdP , which is equivalent to solving an instance of CDHP in G1 . The success probability is ˛.1 ˛/n . Case 2 When A simulates B and requests to interact with user 1 with identity say IDA , where the user 1 with identity IDA is playing role of the original signer. For IDA , A did not request the private key, A did not request a delegation query including < w, IDA > and A did not request a multi-proxy signature query including < IDA , w, m >. Then similarly as case 1, we can show that B can compute sdP with the success probability ˛.1 ˛/n . Hence, the success probability that B solves an instance of CDHP in the previous attack game is at least ˛.1 ˛/qE Cqs CqD Cqmps Cn 1 q1 . Now the maximum possible value of the previous probability occurs for ˛ D
1 1 q
least
M.qE Cqs CqD Cqmps CnC1/
˛D
1 ). qE Cqs CqD Cqmps CnC1
1 . qE Cqs CqD Cqmps CnC1
(where
1 M
Hence, the optimal success probability is at
is the maximum value of .1 ˛/qE Cqs CqD Cqmps Cn , for
0
Therefore, >
1 1 q
M.qE Cqs CqD Cqmps CnC1/
.
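As an added worked derivation (not part of the original paper), the stated optimal choice of $\alpha$ and the constant $M$ follow from elementary calculus. Write $k = q_E + q_s + q_D + q_{mps} + n$ for brevity ($k$ is an abbreviation introduced here, not a symbol of the paper):
$$f(\alpha) = \alpha(1-\alpha)^k, \qquad f'(\alpha) = (1-\alpha)^{k-1}\bigl(1 - (k+1)\alpha\bigr),$$
so on $(0,1)$ the unique stationary point is $\alpha^* = 1/(k+1)$, and it is a maximum because $f'$ changes sign from positive to negative there. At $\alpha^*$,
$$f(\alpha^*) = \frac{1}{k+1}\Bigl(\frac{k}{k+1}\Bigr)^{k} = \frac{1}{M(k+1)}, \qquad M = \Bigl(1 + \frac{1}{k}\Bigr)^{k} < e,$$
since $(1 + 1/k)^k$ increases monotonically towards $e$. Hence
$$\alpha^*(1-\alpha^*)^k\Bigl(1 - \frac{1}{q}\Bigr) = \frac{1 - \frac{1}{q}}{M(k+1)} > \frac{1 - \frac{1}{q}}{e\,(q_E + q_s + q_D + q_{mps} + n + 1)},$$
which is the usual factor-$1/e$ loss of the coin-flipping simulation technique: the reduction's advantage degrades linearly in the total number of queries (plus the $n$ identities in the forgery), not exponentially.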
This way, the previous description shows that $A$'s forgery on the scheme implies a solution to the CDHP. But, by assumption, the CDHP is intractable in $G_1$, so no existential forgery under adaptive chosen-message and adaptive chosen-ID attack is possible against the presented scheme in the random oracle model; hence, the scheme is proved existentially unforgeable.

5.3. Security analysis

Additionally, the scheme also satisfies the other security properties of a general proxy signature scheme, as follows:

(1) Strong unforgeability: As shown above, our IBMPS scheme is existentially unforgeable under adaptive chosen-message and adaptive chosen-ID attack. Hence, no adversary can forge a valid IBMPS; thus, the scheme has the property of strong unforgeability.

(2) Proxy protection: Because the final IBMPS is constituted by combining all the partial proxy signatures, which are generated using the partial proxy (private) keys of each proxy signer, where each partial proxy (private) key is constructed by an individual proxy signer using its own private key, no one other than the authorized proxy signers can generate a valid IBMPS. Thus, the proxy signers are protected in our scheme.

(3) Verifiability: As the correctness of verification is described previously, any verifier can easily verify the proposed IBMPS and can check whether the signed message conforms to the delegation warrant or not.

(4) Strong identifiability: Because the identities of all the proxy signers are included in the warrant $w$ and their public keys are required for verification of the signature as $e(P, \sigma_p) = e(P_{pub}, h'Q_{pk} + U_p)$, where $Q_{pk} = h\bigl(nQ_{ID_A} + \sum_{i=1}^{n} Q_{ID_{B_i}}\bigr) + nV$, anyone can determine the identities of the proxy signers.

(5) Strong non-repudiability: Because the clerk in the proxy group validates each partial proxy signature by checking the equation $e(P, \sigma_{p_i}) = e(P_{pub}, h'Q_{pk_i} + U_{p_i})$, where $Q_{pk_i} = h(Q_{ID_A} + Q_{ID_{B_i}}) + V$, no proxy signer can repudiate its signature of an earlier session and thus its participation in the signature protocol.

(6) Distinguishability: Because the final IBMPS is generated by combining all the partial proxy signatures, which use private keys derived from the identities of the proxy signers, the final IBMPS is clearly distinguishable from normal signatures by everyone.

(7) Prevention of misuse: Because the message warrant is attached, specifying the period of delegation, the nature of the message, the identity of the original signer, and so on, the group of proxy signers cannot sign any message which does not conform to the warrant and has not been authorized by the original signer.
Remark. In view of the fact that the existing IBMPS schemes [23, 27] either do not discuss any additional security property, as we do, or analyze only a few properties heuristically, our scheme proves more competent and secure, satisfying all the security requirements with a formal proof of security. Further, the running time of algorithm $B$ is the running time of $A$ plus the time taken to respond to the hash queries, extraction queries, standard signature queries, delegation queries, and multi-proxy signature queries, that is, $q_{H_1} + q_{H_2} + q_{H_3} + q_E + q_s + q_D + q_{mps}$ queries in total. Hence, the maximum running time is given by $t + (q_{H_1} + 2q_E + 3q_s + 4q_D + 5q_{mps} + 1)\,C_{G_1}$, where $C_{G_1}$ denotes the time of one scalar multiplication in $G_1$: each $H_1$ hash query requires one scalar multiplication in $G_1$, each extraction query requires two, each standard signature query requires three, each delegation query requires four, each multi-proxy signature query requires five, and to output a solution of the CDHP from $A$'s forgery, $B$ requires at most one scalar multiplication in $G_1$ (the $H_2$ and $H_3$ queries need no $G_1$ operation). Hence,
$$t' \le t + (q_{H_1} + 2q_E + 3q_s + 4q_D + 5q_{mps} + 1)\,C_{G_1}.$$

5.4. Efficiency comparison

We compare here the efficiency of the presented scheme with the existing IBMPS schemes of Li & Chen [23] and Cao & Cao [27], and show that the presented scheme is more efficient in terms of computation and, hence, total operation time than [23, 27]. We compare the total number of bilinear pairings (P), map-to-point hash functions (H), modular exponentiations (E), and pairing-based scalar multiplications (PSM), and consequently the total operation time (OT), in the proxy key generation phase, the multi-proxy signature phase, and the multi-proxy verification phase.
We also note that the operation time for one pairing computation is 20.04 ms, that for one pairing-based scalar multiplication is 6.38 ms, that for one modular exponentiation is 5.31 ms, and that for one map-to-point hash function is 3.04 ms (we have omitted the OT of a general hash function, as it takes < 0.001 ms) [35]. For the computation of operation time, we refer to [35], where the operation times for various cryptographic operations have been obtained using MIRACL [44], a standard cryptographic library, on a Pentium-4 3 GHz processor with 512 MB of memory running the Windows XP operating system. For the pairing-based scheme, to achieve 1024-bit RSA level security, the Tate pairing over the supersingular elliptic curve $E/\mathbb{F}_p: y^2 = x^3 + x$ with embedding degree 2 has been used, where $q$ is the 160-bit Solinas prime $q = 2^{159} + 2^{17} + 1$ and $p$ is a 512-bit prime satisfying $p + 1 = 12qr$. For the ECC-based schemes, to achieve the same security level, the parameter set secp160r1 [45], recommended by the Certicom Corporation, has been employed, where $p = 2^{160} - 2^{31} - 1$. The absolute millisecond figures are specific to that platform and to this 80-bit security level (1024-bit RSA equivalent); what carries over to other platforms and larger parameters is the operation counts, not the timings.

Remark. Because the scheme of Mishra et al. [34] is based on the INV-CDH assumption, whereas the proposed scheme depends on the CDH assumption, we do not consider the scheme [34] for the efficiency comparison here.

Proxy key generation:

  Scheme           P   H   E   PSM   OT
  Li & Chen [23]   3   0   1   6     103.71 ms
  Cao & Cao [27]   3   2   0   3      85.34 ms
  Our scheme       2   0   0   5      71.98 ms

Multi-proxy signature:

  Scheme           P   H   E   PSM   OT
  Li & Chen [23]   3   0   1   3      84.57 ms
  Cao & Cao [27]   5   1   1   2     121.31 ms
  Our scheme       2   0   0   6      78.36 ms

Multi-proxy verification:

  Scheme           P   H   E   PSM   OT
  Li & Chen [23]   3   0   1   2      78.19 ms
  Cao & Cao [27]   4   2   0   2      99.00 ms
  Our scheme       2   0   0   4      65.60 ms

To evaluate the computational cost and operation time of the above schemes, we have used the simple method from [46, 47]. For example, in [27], the proxy key generation algorithm carries out three bilinear pairings, two map-to-point hash functions, and three pairing-based scalar multiplications; thus, the resulting running time is $20.04 \times 3 + 3.04 \times 2 + 6.38 \times 3 = 85.34$ ms. Similarly, we have computed the total OT in the other phases for all the schemes. From the above comparison tables, it is clear that our scheme is overall more efficient in terms of computation and operation time than the IBMPS schemes of [23, 27].
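The per-phase operation times above are count-weighted sums of the unit costs quoted from [35], and the total savings claimed in the next paragraph follow from the per-phase totals. The following Python script is an added example, not code from the paper or its authors: it recomputes the three tables from the operation counts and unit costs given above and derives the relative saving of the presented scheme over [23] and [27]. The scheme labels, the rounding to two decimals, and the `saving_percent` definition (reduction relative to the other scheme's total) are this example's own choices; it generalises to any scheme whose operation counts are known by adding a row to `OP_COUNTS`.

```python
"""Recompute the Section 5.4 operation-time tables from unit costs and op counts.

Added example; the unit costs and operation counts are those quoted in the paper
(from [35] and its comparison tables), the scheme labels are this example's own.
"""

# Cost of one operation in milliseconds, as quoted in the paper from [35]
# (Pentium-4 3 GHz, MIRACL, Tate pairing over a 512-bit supersingular curve).
UNIT_COST_MS = {
    "P": 20.04,   # bilinear pairing
    "H": 3.04,    # map-to-point hash
    "E": 5.31,    # modular exponentiation
    "PSM": 6.38,  # pairing-based scalar multiplication in G1
}

PHASES = ("proxy key generation", "multi-proxy signature", "multi-proxy verification")

# Operation counts per scheme and phase, copied from the paper's three tables.
OP_COUNTS = {
    "Li & Chen [23]": {
        "proxy key generation":     {"P": 3, "H": 0, "E": 1, "PSM": 6},
        "multi-proxy signature":    {"P": 3, "H": 0, "E": 1, "PSM": 3},
        "multi-proxy verification": {"P": 3, "H": 0, "E": 1, "PSM": 2},
    },
    "Cao & Cao [27]": {
        "proxy key generation":     {"P": 3, "H": 2, "E": 0, "PSM": 3},
        "multi-proxy signature":    {"P": 5, "H": 1, "E": 1, "PSM": 2},
        "multi-proxy verification": {"P": 4, "H": 2, "E": 0, "PSM": 2},
    },
    "Sahu & Padhye (this paper)": {
        "proxy key generation":     {"P": 2, "H": 0, "E": 0, "PSM": 5},
        "multi-proxy signature":    {"P": 2, "H": 0, "E": 0, "PSM": 6},
        "multi-proxy verification": {"P": 2, "H": 0, "E": 0, "PSM": 4},
    },
}


def phase_time_ms(counts, unit_cost=UNIT_COST_MS):
    """Operation time of one phase: sum over operation types of count * unit cost."""
    return round(sum(counts[op] * unit_cost[op] for op in counts), 2)


def total_time_ms(scheme, op_counts=OP_COUNTS):
    """Total operation time of a scheme over the three phases."""
    return round(sum(phase_time_ms(op_counts[scheme][ph]) for ph in PHASES), 2)


def saving_percent(ours, other):
    """Relative reduction in total operation time of `ours` versus `other`, in percent."""
    t_other = total_time_ms(other)
    return 100.0 * (t_other - total_time_ms(ours)) / t_other


def comparison_table():
    """All (phase, scheme, operation time) rows, in the paper's table order."""
    return [(ph, scheme, phase_time_ms(OP_COUNTS[scheme][ph]))
            for ph in PHASES for scheme in OP_COUNTS]


if __name__ == "__main__":
    for ph, scheme, ms in comparison_table():
        print(f"{ph:26s} {scheme:28s} {ms:7.2f} ms")
    ours = "Sahu & Padhye (this paper)"
    for other in ("Li & Chen [23]", "Cao & Cao [27]"):
        print(f"saving vs {other}: {saving_percent(ours, other):.1f}%")
```

Running the script reproduces every entry of the three tables and gives savings of about 19% over [23] and 29% over [27], the figures stated below; swapping in a different unit-cost table (for another platform or security level) changes the millisecond values but leaves the operation counts, and usually the ranking, unchanged.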
In particular, we have reduced the total computational complexity and, hence, the total operation time by approximately 19% compared with [23] and approximately 29% compared with [27].

5.5. Application

The presented IBMPS scheme can be applied in many electronic communication systems, such as distributed systems, grid computing, global distribution networks, and so on. In distributed systems, where delegation of rights is quite common, this scheme can be employed to delegate the execution of rights to users available at some target PCs in the same network. Also, in commercial transactions, this scheme can be employed in grid computing by an agent (or owner) who wishes to transfer its rights to other users (its agents) on a common network for the purchase or sale of certain shares, policies, goods, and so on. Also, because the presented IBMPS scheme is designed for low communication overhead with a provable-security feature like [48], it can be employed for
online purchase or booking of goods or tickets through various agent programs. For instance, if Alice wants to purchase different items online at the same time, she consults her agent programs and provides them with all her priorities and conditions, like the total money to be spent, the number of items she wants, and so on. The agent programs suggest to her all the feasible options for every item and, on Alice's confirmation, purchase the items or book the tickets for her. During the purchase or booking, the various agent programs act as proxy agents for Alice (the original signer). Moreover, this scheme also finds application in distributed shared object systems, distributed networks, mobile agent environments, and so on. Furthermore, for the implementation of the presented and similar schemes, the authors favor the PBC library (http://crypto.stanford.edu/pbc/), SAGE, the Globus toolkit, and the RELIC toolkit (http://code.google.com/p/relic-toolkit/).

6. CONCLUSION

Because of the lack of formal security proofs, most of the existing IBMPS schemes cannot be considered suitable for various electronic communication setups, distributed systems, grid computing, mobile agent environments, and so on. In 2005, Li & Chen proposed an IBMPS scheme from bilinear pairings, but the scheme is not proved secure. In this paper, we have first presented an IBMPS scheme based on the work of Li & Chen; further, we have formalized a security model for IBMPS schemes and have proved the existential unforgeability of the presented scheme against adaptive chosen-message and adaptive chosen-ID attack in the random oracle model under the CDH assumption. Moreover, the presented scheme is more efficient in terms of computation and operation time than the existing IBMPS schemes. Lastly, some applications of the proposed scheme are also suggested.

REFERENCES

1. Shamir A. Identity-based cryptosystems and signature schemes. Advances in Cryptology, Proceedings of CRYPTO'84, Santa Barbara, California, USA, August 19-22, 1984, Lecture Notes in Computer Science, Vol. 196, Springer, New York, USA, 1984; 47–53.
2. Boneh D, Franklin M. Identity based encryption from the Weil pairing. Advances in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, Lecture Notes in Computer Science, Vol. 2139, Springer, New York, USA, 2001; 213–229.
3. Tseng Y-M, Huang Y-H, Chang Y-J. Privacy-preserving multireceiver ID-based encryption with provable security. International Journal of Communication Systems 2012. DOI: 10.1002/dac.2395.
4. Han W, Zhu Z. An ID-based mutual authentication with key agreement protocol for multiserver environment on elliptic curve cryptosystem. International Journal of Communication Systems 2012. DOI: 10.1002/dac.2405.
5. Barreto PSLM, Libert B, McCullagh N. Efficient and provably-secure identity-based signature and signcryption from bilinear maps. Advances in Cryptology - ASIACRYPT'05, Lecture Notes in Computer Science, Vol. 3788, Springer, New York, USA, 2005; 515–532.
6. Chuang YH, Tseng YM. Towards generalized ID-based user authentication for mobile multi-server environment. International Journal of Communication Systems 2012; 25(4):447–460.
7. Delos O, Quisquater JJ. An identity-based signature scheme with bounded life-span. Advances in Cryptology - CRYPTO'94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1994, Proceedings, Lecture Notes in Computer Science, Vol. 839, Springer, New York, USA, 1994; 83–94.
8. Han K, Chan YY, Shon T, Park J, Kim K. A scalable and efficient key escrow model for lawful interception of IDBC-based secure communication. International Journal of Communication Systems 2011; 24(4):461–472.
9. Smart NP. An identity based authenticated key agreement protocol based on the Weil pairing. Electronics Letters 2002; 38(13):630–632.
10. Popescu C. An efficient ID-based group signature scheme. Studia Univ. Babes-Bolyai, Informatica 2002; 47(2):29–36.
11. Zhang F, Kim K. ID-based blind signature and ring signature from pairings. Advances in Cryptology - ASIACRYPT 2002, 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1-5, 2002, Proceedings, Lecture Notes in Computer Science, Vol. 2501, Springer, New York, USA, 2002; 533–547.
12. Zhang F, Kim K. Efficient ID-based blind signature and proxy signature from bilinear pairings. ACISP'03, Proceedings of the 8th Australasian Conference on Information Security and Privacy, Lecture Notes in Computer Science, Vol. 2727, Springer-Verlag, Berlin, Heidelberg, 2003; 312–323.
13. Cha JC, Cheon JH. An identity-based signature from gap Diffie-Hellman groups. PKC'03, Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography, Lecture Notes in Computer Science, Vol. 2567, Springer-Verlag, London, UK, 2003; 18–30.
14. Hess F. Efficient identity-based signature schemes based on pairings. SAC'02, Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography, Lecture Notes in Computer Science, Vol. 2595, Springer-Verlag, London, UK, 2002; 310–324.
15. Paterson KG. ID-based signatures from pairings on elliptic curves. Cryptology ePrint Archive, Report 2002/004, 2002. Available at http://eprint.iacr.org/2002/004 [Accessed on 28 July 2013].
16. Yi X. An identity-based signature scheme from the Weil pairing. IEEE Communications Letters 2003; 7(2):76–78.
17. Mambo M, Usuda K, Okamoto E. Proxy signatures: delegation of the power to sign messages. IEICE Transactions on Fundamentals 1996; E79-A(9):1338–1353.
18. Yang X, Yu Z. Efficient proxy blind signature scheme based on DLP. ICESS'08, Proceedings of the 2008 International Conference on Embedded Software and Systems, IEEE Computer Society, Washington, DC, USA, 2008; 163–166.
19. Yu Y, Xu C, Huang X, Mu Y. An efficient anonymous proxy signature scheme with provable security. Computer Standards and Interfaces 2009; 31(2):348–353.
20. Zhang J, Yu Y. Short computational Diffie-Hellman-based proxy signature scheme in the standard model. International Journal of Communication Systems 2012. DOI: 10.1002/dac.2441.
21. Liu D, Wang X, Huang M. Strongly unforgeable threshold multi-proxy multi-signature scheme with different proxy groups. International Journal of Communication Systems 2013. DOI: 10.1002/dac.2567.
22. Hwang S, Shi C. A simple multi-proxy signature scheme. Proceedings of the 10th National Conference on Information Security, Hualien, Taiwan, 2000; 134–138.
23. Li X, Chen K. ID-based multi-proxy signature, proxy multi-signature and multi-proxy multi-signature schemes from bilinear pairings. Applied Mathematics and Computation 2005; 169:437–450.
24. Hwang SJ, Chen CC. New multi-proxy multi-signature schemes. Applied Mathematics and Computation 2004; 147:57–67.
25. Lee B, Kim H, Kim K. Strong proxy signature and its applications. The 2001 Symposium on Cryptography and Information Security, Oiso, Japan, January 23-26, 2001, The Institute of Electronics, Information and Communication Engineers, 2001; 603–608.
26. Xu GS, Yang YX, Gu LZ, Niu XX. ID-based multi-proxy sequential signature system from bilinear pairing. WI-IATW'07, Proceedings of the 2007 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology - Workshops, IEEE Computer Society, Washington, DC, USA, 2007; 315–318.
27. Cao F, Cao Z. A secure identity-based multi-proxy signature scheme. Computers & Electrical Engineering 2009; 35:86–95.
28. Boldyreva A, Palacio A, Warinschi B. Secure proxy signature schemes for delegation of signing rights. Cryptology ePrint Archive, Report 2003/096, 2003. Available at http://eprint.iacr.org/2003/096 [Accessed on 28 July 2013].
29. Wang Q, Cao Z. Security arguments for partial delegation with warrant proxy signature schemes. Cryptology ePrint Archive, Report 2004/315, 2004. Available at http://eprint.iacr.org/2004/315 [Accessed on 28 July 2013].
30. Wang Q, Cao Z, Wang S. Formalized security model of multi-proxy signature schemes. CIT'05, Proceedings of the Fifth International Conference on Computer and Information Technology, IEEE Computer Society, Washington, DC, USA, 2005; 668–672.
31. Xu J, Zhang Z, Feng D. ID-based proxy signature using bilinear pairings. Cryptology ePrint Archive, Report 2004/206, 2004. Available at http://eprint.iacr.org/2004/206.pdf [Accessed on 28 July 2013].
32. Xiong H, Hu J, Chen Z, Li F. Computers & Electrical Engineering 2011; 37:129–135.
33. Sakai R, Ohgishi K, Kasahara M. Cryptosystems based on pairing. SCIS 2000, Symposium on Cryptography and Information Security, 2000; 26–28.
34. Mishra S, Sahu RA, Padhye S, Yadav RS. Efficient ID-based multi-proxy signature scheme from bilinear pairing based on k-plus problem. First International Conference, INTECH 2011, Sao Carlos, Brazil, May 31–June 2, 2011, Proceedings, Vol. 165, Springer-Verlag, Berlin, Heidelberg, 2011; 113–122.
35. He D, Chen J, Hu J. An ID-based proxy signature scheme without bilinear pairings. Annals of Telecommunications 2011; 66:657–662.
36. Galbraith S, Paterson K, Smart N. Pairings for cryptographers. Discrete Applied Mathematics 2008; 156:3113–3121.
37. He D, Chen J, Hu J. A pairing-free certificateless authenticated key agreement protocol. International Journal of Communication Systems 2012; 25(2):221–223.
38. He D, Chen J, Zhang R. An efficient and provably-secure certificateless signature scheme without bilinear pairings. International Journal of Communication Systems 2012; 25:1432–1442.
39. Tiwari N, Padhye S. Provable secure proxy signature scheme without bilinear pairings. International Journal of Communication Systems 2013; 26:644–650.
40. Beuchat JL, Gonzalez-Diaz JE, Mitsunari S, Okamoto E, Rodriguez-Henriquez F, Teruya T. High-speed software implementation of the optimal ate pairing over Barreto-Naehrig curves. Pairing'10, Proceedings of the 4th International Conference on Pairing-Based Cryptography, Lecture Notes in Computer Science, Vol. 6487, Springer-Verlag, Berlin, Heidelberg, 2010; 21–39.
41. Chen J, Lim HW, Ling S, Wang H, Wee H. Shorter IBE and signatures via asymmetric pairings. Pairing'12, Proceedings of the 5th International Conference on Pairing-Based Cryptography, Lecture Notes in Computer Science, Vol. 7708, Springer-Verlag, Berlin, Heidelberg, 2012; 122–140.
42. Menezes A, Okamoto T, Vanstone S. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory 1993; 39:1639–1646.
43. Shao Z. Improvement of identity-based proxy multi-signature scheme. The Journal of Systems and Software 2009; 82:794–800.
44. Shamus Software Ltd. MIRACL Library. Available at http://certivox.org/display/EXT/MIRACL [Accessed on 28 July 2013].
45. The Certicom Corporation. SEC 2: Recommended Elliptic Curve Domain Parameters. Available at http://www.secg.org/collateral/sec2_final.pdf [Accessed on 28 July 2013].
46. Cao X, Kou W, Du X. A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges. Information Sciences 2010; 180:2895–2903.
47. He D, Chen J, Hu J. An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security. Information Fusion 2012; 13:223–230.
48. Singh H, Verma GK. ID-based proxy signature scheme with message recovery. The Journal of Systems and Software 2012; 85:209–214.