Applied Mathematics and Computation 164 (2005) 83–98
www.elsevier.com/locate/amc
Provably secure proxy-protected signature schemes based on factoring
Yuan Zhou *, Zhenfu Cao, Rongxing Lu
Department of Computer Science, Shanghai Jiaotong University, 1954 Huashang road,
Shanghai 200030, People's Republic of China
Abstract
Proxy signature is an active cryptographic research topic, and a wide range of literature
can be found nowadays suggesting improvements and generalizations of existing protocols
in various directions. However, most previously proposed schemes in this literature are
based on the discrete logarithm problem. To the best of our knowledge, there still does not
exist a proxy signature scheme based on the integer factorization problem. In this paper,
we propose two efficient, provably secure proxy-protected signature schemes in the Random
Oracle Model. The first scheme is based on the RSA problem and the second one is based on
the integer factorization problem. Compared to earlier proxy signature schemes, our schemes
are more efficient and easier to implement. We believe they are particularly suitable for
low-computation devices, such as smart cards, cell phones, pagers etc.
© 2004 Elsevier Inc. All rights reserved.
Keywords: RSA; Factoring; Proxy signature; Proxy-protected signature; Random Oracle Model
0096-3003/$ - see front matter © 2004 Elsevier Inc. All rights reserved.
doi:10.1016/j.amc.2004.04.032
* Corresponding author.
E-mail address: zhouyuan@sjtu.edu.cn (Y. Zhou).
1. Introduction
1.1. Proxy signature
The notion of proxy signature was introduced by Mambo et al. (1996)
[10,11]. A proxy signature scheme is a cryptographic primitive involving three
entities: an original signer, a proxy signer and a verifier. It allows the original
signer to delegate her signing capability to a designated proxy signer. Then the
proxy signer can sign some specific kinds of messages on behalf of the original
one. After receiving the proxy signature, the verifier, who knows the public
keys of the original and proxy signers, verifies the validity of the proxy
signature.
Informally, a proxy signature scheme consists of three algorithms, described as
follows.
Key generation. For a given security parameter, it outputs a pair of private
and public keys for the original signer and a private key for the proxy signer.
The key generation usually involves a two-party protocol run between the
original and proxy signers.
Signing. For an input that consists of a message to be signed and a proxy
private key kept by the proxy signer, it outputs a valid signature.
Verifying. For an input that includes a pair (a message and a signature) and
the public keys of the original and proxy signers, it outputs either accept or
reject.
The proxy-protected signature scheme satisfies the following three basic
security properties.
Verifiability. From a proxy signature, any verifier can be convinced of the
original signer's agreement on the signed message.
Unforgeability. Only a designated proxy signer can create a valid proxy
signature for the original signer (even the original signer cannot do it).
Non-repudiation. Neither the original signer nor the proxy signer must be able
to sign in place of the other party. In other words, they cannot deny their
signatures against anyone.
1.2. Related work
After Mambo et al.'s initial work on proxy signatures, many scholars have
done a lot of work in this field, and several kinds of proxy signature schemes
have been put forth [3–6,8,9,13–15,17]. The proxy signature schemes have been
proposed in [8,9]. The multi-proxy signature schemes have been proposed in
[5,15,17]. And the threshold proxy signature schemes also have been proposed
in [3,6,13,14]. However, most of these proposed schemes are based on the
discrete logarithm problem. Moreover, none of the above schemes has a proof of
security.
Recently, mobile computation environments have received great attention.
Many low-powered and resource-constrained small devices have arisen,
such as smart cards, cell phones and pagers. To adapt to these devices, Kim
et al. [7] proposed a one-time proxy signature scheme based on the discrete
logarithm problem. At Asiacrypt 2003, Huaxiong Wang and Josef Pieprzyk also
presented an efficient one-time proxy signature scheme based on one-way
functions without trapdoors [16]. As a one-time proxy signature is very efficient and
can be easily implemented, it is particularly fit for mobile computation
environments. However, just as its name suggests, a one-time proxy signature scheme
cannot be applied to sign an unlimited number of messages.
1.3. Our contributions
In this paper, we present two provably secure proxy-protected signature
schemes, which are based on the RSA problem and the integer factorization problem
respectively. The second scheme is a modified version of the first, moved from the RSA
problem to the integer factorization problem. The second scheme is more efficient than
the first one. Furthermore, the reduction in the proof of security of the second scheme
is tighter than the one for the first scheme. At the same time, since the second
scheme is based on the Rabin signature scheme, its computation cost is much
lower than that of other proposed schemes (including the first scheme).
The rest of the paper is organized as follows. In Sections 2 and 3, we will
present two proxy-protected signature schemes, their proofs of security and
their efficiency analysis. The final section is our conclusion.
2. The first proposed signature scheme
In this section, we will present the first scheme, which is based on the RSA
problem, and prove that its security is related to the RSA problem.
2.1. Related definitions
Definition 2.1 (RSA problem)
[INPUT] $N = pq$ with $p, q$ prime numbers;
$e$: an integer such that $\gcd(e, (p-1)(q-1)) = 1$;
$c \in \mathbb{Z}_N^*$.
[OUTPUT] the unique integer $m \in \mathbb{Z}_N^*$ satisfying $m^e \equiv c \pmod{N}$.
Definition 2.2 (RSA assumption). An RSA problem solver is a probabilistic
algorithm $A$ such that with an advantage $\epsilon > 0$:
$$\epsilon = \Pr[m \leftarrow A(N, e, m^e \bmod N)],$$
where the input to $A$ is defined in Definition 2.1. Let $G_{RSA}$ be an RSA instance
generator that on input $1^k$, runs in time polynomial in $k$, and outputs (i) a $2k$-bit
modulus $N = pq$ where $p$ and $q$ are two distinct uniformly random primes,
each $k$ bits long; (ii) $e \in \mathbb{Z}^*_{(p-1)(q-1)}$. We say that $G_{RSA}$ satisfies the RSA
assumption if there exists no RSA problem solver for $G_{RSA}(1^k)$ with advantage
$\epsilon > 0$ non-negligible in $k$ for all sufficiently large $k$.
2.2. The proposed scheme
In public-key cryptosystems based on the RSA problem, each user chooses
his own RSA private key. The signer chooses two large primes $p$ and $q$ at
random, and computes a public modulus $N = pq$. Then the signer chooses a
pair of integers $e$ and $d$ satisfying $ed \equiv 1 \pmod{\phi(N)}$ with $d$
large enough, where $\phi(N)$ is the Euler function of $N$. The signer chooses a
public one-way hash function $h(\cdot)$. The private key $\{p, q, d\}$ is kept secret by the
signer, while the public key of the signer is $\{N, e\}$, which is certified by a CA.
To illustrate clearly, we divide our scheme into four phases: system
initialization phase, proxy private key generation phase, signing phase and verifying
phase.
2.2.1. System initialization phase
The original signer $U_o$ chooses his private key $\{p_o, q_o, d_o\}$ and public key
$\{N_o, e_o\}$, and the proxy signer $U_p$ chooses his private key $\{p_p, q_p, d_p\}$ and public
key $\{N_p, e_p\}$. Furthermore, let $H_o$ be a universal secure hash function which
accepts a variable-length input string of bits and produces a fixed-length output
string of size $n_r$, and let $H_p$ be a universal secure hash function which accepts
two variable-length input strings of bits and produces a fixed-length output
string of size $n_r$.
2.2.2. Proxy private key generation phase
When the original signer $U_o$ delegates his signing capability to the proxy
signer $U_p$, they will run the following steps:
(1) The original signer $U_o$ first makes a warrant $m_w$, which records the
delegation policy including limits of authority, valid period of delegation etc.;
then he publishes $m_w$.
(2) $U_o$ computes a proxy private key $s_o$:
$$s_o = (H_o(m_w))^{d_o} \pmod{N_o}. \tag{2.1}$$
Then he sends $\{s_o, m_w\}$ to the proxy signer $U_p$ via a secure channel.
(3) After receiving $\{s_o, m_w\}$, the proxy signer $U_p$ verifies the proxy private key
by checking the following equation:
$$s_o^{e_o} \equiv H_o(m_w) \pmod{N_o}. \tag{2.2}$$
2.2.3. Signing phase
Assume that, according to the limits of authority, the proxy signer $U_p$ has the right
to proxy sign a message $m$ on behalf of the original signer $U_o$. He does the
following steps:
(1) $U_p$ randomly chooses an integer $r \in \{0,1\}^{n_r}$, and computes $R$, $r_1$ and $r_2$,
respectively:
$$R = (r^{e_o} \bmod N_o), \tag{2.3}$$
$$r_1 = (s_o \cdot r) \pmod{N_o}, \tag{2.4}$$
$$r_2 = (H_p(m, R))^{d_p} \pmod{N_p}. \tag{2.5}$$
(2) He sends $\{m, r_1, r_2\}$ to the verifier.
2.2.4. Verifying phase
When the verifier has received the proxy signature $\{m, r_1, r_2\}$, he can verify
the proxy signature as follows:
(1) The verifier computes
$$R' = \left(r_1^{e_o} (H_o(m_w))^{-1} \pmod{N_o}\right). \tag{2.6}$$
(2) The verifier checks the equation
$$r_2^{e_p} = H_p(m, R') \pmod{N_p}. \tag{2.7}$$
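The four phases of Section 2.2, Eqs. (2.1)–(2.7), as an added Python example that is not the authors' code. The SHA-256 stand-in for Ho and Hp, the 128-bit size of r and the toy keys built from Mersenne primes are assumptions made for the demonstration.

```python
import hashlib
import secrets
from math import gcd

N_R = 128  # n_r: bit length of the one-time value r (assumed size)

def make_key(p, q, e=65537):
    # RSA key as in Section 2.2: N = pq and e*d = 1 (mod phi(N)).
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return {"N": p * q, "e": e, "d": pow(e, -1, phi)}

def H(N, *parts):
    # Stand-in for Ho / Hp (assumption): SHA-256 over the tagged inputs,
    # reduced into Z_N.
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return int.from_bytes(digest, "big") % N

def delegate(orig, m_w):
    # Eq. (2.1): s_o = Ho(m_w)^d_o mod N_o, computed by the original signer.
    return pow(H(orig["N"], "Ho", m_w), orig["d"], orig["N"])

def check_delegation(orig_pub, s_o, m_w):
    # Eq. (2.2): the proxy signer checks s_o^e_o = Ho(m_w) (mod N_o).
    N_o, e_o = orig_pub
    return pow(s_o, e_o, N_o) == H(N_o, "Ho", m_w)

def proxy_sign(orig_pub, proxy, s_o, m):
    N_o, e_o = orig_pub
    r = secrets.randbits(N_R)            # fresh r for every signature
    R = pow(r, e_o, N_o)                 # Eq. (2.3)
    r1 = (s_o * r) % N_o                 # Eq. (2.4)
    r2 = pow(H(proxy["N"], "Hp", m, R), proxy["d"], proxy["N"])  # Eq. (2.5)
    return m, r1, r2

def verify(orig_pub, proxy_pub, m_w, sig):
    N_o, e_o = orig_pub
    N_p, e_p = proxy_pub
    m, r1, r2 = sig
    h_o = H(N_o, "Ho", m_w)
    if gcd(h_o, N_o) != 1:               # Eq. (2.6) needs Ho(m_w)^-1 mod N_o
        return False
    R_prime = pow(r1, e_o, N_o) * pow(h_o, -1, N_o) % N_o   # Eq. (2.6)
    return pow(r2, e_p, N_p) == H(N_p, "Hp", m, R_prime)    # Eq. (2.7)

# Constructed toy keys from Mersenne primes: fine for a demonstration,
# far too small and too structured for real use.
ORIG = make_key(2**61 - 1, 2**89 - 1)
PROXY = make_key(2**107 - 1, 2**127 - 1)
ORIG_PUB = (ORIG["N"], ORIG["e"])
PROXY_PUB = (PROXY["N"], PROXY["e"])

def demo():
    m_w = "warrant: proxy may sign purchase orders until 2005-12-31"
    s_o = delegate(ORIG, m_w)
    sig = proxy_sign(ORIG_PUB, PROXY, s_o, "order #17")
    m, r1, r2 = sig
    return {
        "delegation_ok": check_delegation(ORIG_PUB, s_o, m_w),
        "bad_key_rejected": not check_delegation(ORIG_PUB, s_o + 1, m_w),
        "valid": verify(ORIG_PUB, PROXY_PUB, m_w, sig),
        "other_message": verify(ORIG_PUB, PROXY_PUB, m_w, ("order #18", r1, r2)),
        "other_warrant": verify(ORIG_PUB, PROXY_PUB, m_w + " (edited)", sig),
        # r2 computed with the original signer's own key instead of d_p
        "signed_by_original": verify(ORIG_PUB, PROXY_PUB, m_w,
                                     proxy_sign(ORIG_PUB, ORIG, s_o, "order #17")),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The verifier needs the warrant $m_w$ as well as both public keys, because $H_o(m_w)$ enters Eq. (2.6); a signature checked against a different warrant yields a different $R'$ and fails Eq. (2.7).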
2.3. Security analysis
In this part, we shall prove that the proposed scheme can work correctly and
satisfy the basic security requirements.
Theorem 2.1. The proposed proxy signature scheme is verifiable, if the original
signer, the proxy signer and the verifier all follow the issuing protocol.
Proof. From Eqs. (2.1)–(2.7), it is obvious that the proposed scheme satisfies
verifiability. □
We will prove that the proposed scheme satisfies unforgeability and
non-repudiation. Our proof idea comes from Bellare and Rogaway's paper [1]
and Goh and Jarecki's paper [2]. The following theorem proves a security
reduction from the hardness of the RSA problem to the adaptive chosen message
attack (CMA) security of the proposed scheme in the Random Oracle model.
We denote by $t_{cost}$ the main cost of the reduction.
Theorem 2.2. If the RSA problem is $(s', \epsilon')$-hard, then for any $q_{H_p}$, $q_{sig}$ the
proposed scheme is $(s, q_{H_p}, q_{sig}, \epsilon)$-secure against existential forgery on adaptive
chosen message attack in the Random Oracle model, where
$$\epsilon = q_{H_p} \left(\epsilon' + q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}\right), \tag{2.8}$$
$$s = s' - (q_{H_p} + q_{sig} + 1) \cdot t_{cost}. \tag{2.9}$$
Proof. Let $A$ be an original signer, which has his RSA key tuple $\{N_o, e_o, d_o\}$
and can $(s, q_{H_p}, q_{sig}, \epsilon)$-break the proposed scheme and forge a valid signature.
We construct a simulator algorithm $M$, which can solve the RSA problem. In
other words, when $G_{RSA}$ (defined in Definition 2.2) generates an RSA instance
$\{N, p, q, e, d\}$ and the algorithm $M$ takes $(e, N)$ and $u \in \mathbb{Z}_N^*$ as inputs, $M$ can use
the algorithm $A$ to compute $v$ (here $v \equiv u^d \pmod{N}$) in $s'$ steps and with probability
$\epsilon'$, where
$$\epsilon' = \frac{1}{q_{H_p}} \cdot \epsilon - q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}, \tag{2.10}$$
$$s' = s + (q_{H_p} + q_{sig} + 1) \cdot t_{cost} \tag{2.11}$$
and the probabilities are mainly taken over the randomness used by $M$ and $A$.
Algorithm $M$ simulates a run of a signature scheme to the original signer $A$.
Algorithm $M$ answers $A$'s hash function queries and signature oracle queries, and
it tries to translate $A$'s possible forgery $\{m, r\}$ into an answer to the RSA
problem (the answer to $u^d \pmod{N}$). Algorithm $M$ starts the simulation. Here,
algorithm $A$ takes $(N, N_o, e, e_o, d_o)$ as input. Then algorithm $M$ answers $A$'s
queries as follows.
Answering $H_o$-oracle query. Algorithm $M$ picks a random string $s_o \in_R \mathbb{Z}_{N_o}$ at
random and computes $h \equiv s_o^{e_o} \pmod{N_o}$. Then $M$ outputs $h$ as the answer to the query
$H_o(m_w)$. The $H_o$-oracle query is done only once.
Answering $H_p$-oracle queries. If the original signer $A$ provides a new query
$(m, R)$ as input to the $H_p$-oracle, algorithm $M$ works as follows:
If $H_p(m, R) \equiv u \pmod{N}$, he outputs $u$ as the answer to the query $H_p(m, R)$. Otherwise he picks
$w \in_R \mathbb{Z}_N$ at random and computes $y \equiv w^e \pmod{N}$, then maintains a hash oracle
query table, takes $(m, R, w, y)$ as one entry, and outputs $y$ as the answer to the query $H_p(m, R)$.
Answering signature queries. Suppose the original signer $A$ asks for a
signature on message $m$. Algorithm $M$ has to create a valid signature tuple
without knowing the private key $d$. In the process, algorithm $M$ defines some
values of the hash function $H_p$. The algorithm $M$ proceeds as follows:
(1) Pick a random string $r \in \{0,1\}^{n_r}$, compute $R = (r^e \bmod N)$. Then check
the hash oracle. If $H_p$ has been queried on input $(m, R)$, it aborts.
(2) Pick $w \in_R \mathbb{Z}_N$ at random, compute $y \equiv w^e \pmod{N}$, and define
$H_p(m, R) \triangleq y$.
(3) Compute $r_1 = s_o \cdot r \pmod{N_o}$ and $r_2 = w \pmod{N}$.
(4) Return the tuple $\{m, r_1, r_2\}$.
Solving the RSA problem. If the original signer $A$ returns a valid message and
signature pair $(m, r)$ (where $r = \{r_1, r_2\}$) for some previously unsigned $m$, then
algorithm $M$ tries to translate this forgery into computing $v \equiv u^d \pmod{N}$ as
follows: If $r_2 \not\equiv v \pmod{N}$, then $M$ aborts. Otherwise algorithm $M$ outputs $v$.
Let $\epsilon_{sigabort}$ be the probability that $M$ aborts the simulation for the failure of
signature queries and let $\epsilon_{RSA}$ be the probability that $A$ produces a valid
forgery but $r_2 \not\equiv v \pmod{N}$. Observe that the computational view shown to
algorithm $A$ by algorithm $M$ has the same distribution as $A$'s conversation with
an actual signature scheme and a random hash function except for the
probability $\epsilon_{sigabort}$. Hence the probability that $M$ outputs a correct solution to
the RSA problem $u^d \pmod{N}$ is at least $\epsilon - (\epsilon_{sigabort} + \epsilon_{RSA})$.
(1) Algorithm $M$ might abort at Step 1 of the signature oracle simulation. This
event occurs if $M$ chooses an $r$ that was previously given as input to the
$H_p$-oracle. Since there are at most $q_{H_p}$ such $r$'s, the probability of aborting is at
most $q_{H_p} \cdot 2^{-n_r}$. Therefore, the probability $\epsilon_{sigabort}$ that algorithm $M$ aborts at
Step 1 for any of the $q_{sig}$ signature queries is less than $q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}$.
(2) Let $NH_p$ be the event that algorithm $A$ does not query the $H_p$-oracle on
the tuple $(m, R)$ which can be got by its forgery. It is apparent that the
probability $\Pr[NH_p]$ is at most $2^{-n_N}$. So we have
$$\epsilon_{RSA} = \left(1 - \frac{1}{q_{H_p}}\right) \cdot \left(\epsilon - 2^{-n_N}\right) \le \left(1 - \frac{1}{q_{H_p}}\right) \cdot \epsilon.$$
So we can see that algorithm $M$ solves the RSA inverse permutation
problem with probability at least $\frac{1}{q_{H_p}} \cdot \epsilon - q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}$.
Running time of $M$. The running time of algorithm $M$ is that of running the
algorithm $A$, $H_o$-oracle queries, $H_p$-oracle queries and signature oracle queries.
Thus by adding these values, we can give the running time in Eq. (2.9). □
We have proved in the theorem above that even the original signer cannot forge a
valid proxy signature. In the literature [1], Bellare and Rogaway have proved that
a signature based on a trapdoor permutation cannot be forged. In our
proposed scheme, the generation of the proxy private key adopts the RSA
signature scheme. So we have the following theorem.
Theorem 2.3. In the proposed proxy signature scheme, the proxy private key
generated by the original signer cannot be forged.
From Definitions 2.2 and 3.3, we get the following corollary.
Corollary 2.1. The proposed proxy signature scheme satisfies the unforgeability
and the non-repudiation.
2.4. Efficiency
The proposed scheme is efficient. Compared with other schemes based on the
discrete logarithm problem, the scheme reduces the amount of time-consuming
computation.
• In the proxy private key generation phase, the original signer performs
$\lceil \log(d_o) \rceil$ multiplication computations and a hash computation.
• In the signing phase, the proxy signer performs $\lceil \log(d_p) \rceil + \lceil \log(e_o) \rceil + 1$
modular multiplication computations and a hash computation.
• In the signature verification phase, the verifier requires
$\lceil \log(e_o) \rceil + \lceil \log(e_p) \rceil + 1$ modular multiplication computations, two hash computations
and an inverse computation.
3. The second proposed signature scheme
In this section, we will present the second scheme, which is based on integer
factorization problem and prove that its security is tightly related to the integer
factorization problem.
3.1. Related definitions
Definition 3.1 (Integer factorization problem)
[INPUT] $N$: odd composite integer with at least two distinct prime factors.
[OUTPUT] prime $p$ such that $p \mid N$.
Definition 3.2 (Integer factorization assumption). An integer factorizer is a
probabilistic algorithm $A$ such that with an advantage $\epsilon > 0$:
$$\epsilon = \Pr[A(N) \text{ divides } N \text{ and } 1 < A(N) < N],$$
where the input to $A$ is defined in Definition 3.1. Let $G_{IF}$ be an integer instance
generator that on input $1^k$, runs in time polynomial in $k$, and outputs a $2k$-bit
modulus $N = pq$ where $p$ and $q$ are each a $k$-bit uniformly random odd prime.
We say that $G_{IF}$ satisfies the integer factorization assumption if there exists no
integer factorizer for $G_{IF}(1^k)$ with advantage $\epsilon > 0$ non-negligible in $k$ for all
sufficiently large $k$.
3.2. The proposed scheme
In the public signature system based on the integer factorization problem, which
was first proposed in [12] by Rabin, each user chooses his own private key.
The signer randomly chooses two large secure primes $p$ and $q$, satisfying
$p \equiv q \equiv 3 \pmod{4}$, and computes a public modulus $N = pq$. Then the signer
chooses an integer $a$ satisfying Jacobi symbol $\left(\frac{a}{N}\right) = -1$. The signer chooses a
public one-way hash function $h(\cdot)$. The private key $\{p, q\}$ is kept secret by the
signer, while the public key of the signer is $\{N, a\}$, which is certified by a CA.
As in the first proposed scheme, we also divide our scheme into four phases:
System initialization phase, Proxy private key generation phase, Signing phase
and Verifying phase.
3.2.1. System initialization
The original signer $U_o$ chooses his private key $\{p_o, q_o\}$ and public key
$\{N_o, a_o\}$, and the proxy signer $U_p$ chooses his private key $\{p_p, q_p\}$ and public
key $\{N_p, a_p\}$. Furthermore, let $H_o$ be a universal secure hash function which
accepts a variable-length input string of bits and produces a fixed-length output
string of size $n_r$, and let $H_p$ be a universal secure hash function which accepts
two variable-length input strings of bits and produces a fixed-length output
string of size $n_r$.
3.2.2. Proxy private key generation phase
When the original signer $U_o$ delegates his signing capability to the proxy
signer $U_p$, they will run the following steps:
(1) The original signer $U_o$ first makes a warrant $m_w$, which records the
delegation policy including limits of authority, valid period of delegation etc.;
then he publishes $m_w$.
(2) $U_o$ computes a proxy private key as follows:
• $U_o$ first applies $H_o$ to produce $H_o(m_w)$, then he computes $c_1^o$:
$$c_1^o = \begin{cases} 0, & \text{if } \left(\frac{H_o(m_w)}{N_o}\right) = 1, \\ 1, & \text{if } \left(\frac{H_o(m_w)}{N_o}\right) = -1. \end{cases} \tag{3.1}$$
• $U_o$ computes $l_o$:
$$l_o = a_o^{c_1^o} \cdot H_o(m_w). \tag{3.2}$$
Then he computes $c_2^o$:
$$c_2^o = \begin{cases} 0, & \text{if } \left(\frac{l_o}{p_o}\right) = 1, \\ 1, & \text{if } \left(\frac{l_o}{q_o}\right) = -1. \end{cases} \tag{3.3}$$
• Finally $U_o$ computes $s_o$ from the equation
$$s_o^2 = (-1)^{c_2^o} \cdot a_o^{c_1^o} H_o(m_w) \pmod{N_o}. \tag{3.4}$$
Then he sends $\{s_o, c_1^o, c_2^o, m_w\}$ to the proxy signer $U_p$ via a secure channel.
(3) After receiving $\{s_o, c_1^o, c_2^o, m_w\}$, the proxy signer $U_p$ verifies the proxy
private key by checking the following equation:
$$s_o^2 \equiv (-1)^{c_2^o} \cdot a_o^{c_1^o} H_o(m_w) \pmod{N_o}. \tag{3.5}$$
3.2.3. Signing phase
Assume that, according to the limits of authority, the proxy signer $U_p$ has the right
to proxy sign a message $m$ on behalf of the original signer $U_o$. He does the
following steps:
(1) $U_p$ randomly chooses an integer $r \in \{0,1\}^{n_r}$ (here $n_r < N_o$), and computes $R$:
$$R = (r^2 \bmod N_o). \tag{3.6}$$
(2) $U_p$ applies $H_p$ to produce $H_p(m, R)$, then he computes $c_1^p$:
$$c_1^p = \begin{cases} 0, & \text{if } \left(\frac{H_p(m, R)}{N_p}\right) = 1, \\ 1, & \text{if } \left(\frac{H_p(m, R)}{N_p}\right) = -1. \end{cases} \tag{3.7}$$
(3) $U_p$ computes $l_p$:
$$l_p = a_p^{c_1^p} \cdot H_p(m, R). \tag{3.8}$$
Then he computes $c_2^p$:
$$c_2^p = \begin{cases} 0, & \text{if } \left(\frac{l_p}{p_p}\right) = 1, \\ 1, & \text{if } \left(\frac{l_p}{q_p}\right) = -1. \end{cases} \tag{3.9}$$
(4) $U_p$ computes $r_1$:
$$r_1 = (s_o \cdot r) \pmod{N_o}. \tag{3.10}$$
(5) $U_p$ computes $r_2$ from the equation
$$r_2^2 = (-1)^{c_2^p} \cdot a_p^{c_1^p} \cdot H_p(m, R) \pmod{N_p}. \tag{3.11}$$
(6) Finally, he sends $\{m, c_1^o, c_2^o, c_1^p, c_2^p, r_1, r_2\}$ to the verifier. Here $c_1^o$ and $c_1^p$
can also be computed by the verifier himself.
3.2.4. Verifying phase
When the verifier has received the proxy signature $\{m, c_1^o, c_2^o, c_1^p, c_2^p, r_1, r_2\}$, he
can verify the proxy signature as follows:
(1) The verifier computes $R_1$ and $R_2$:
$$R_1 \equiv r_1^2 \pmod{N_o}, \tag{3.12}$$
$$R_2 \equiv r_2^2 \pmod{N_p}. \tag{3.13}$$
(2) The verifier computes $W$ and $R'$:
$$W = (-1)^{c_2^o} \cdot a_o^{c_1^o} \cdot H_o(m_w) \pmod{N_o}, \tag{3.14}$$
$$R' = \left(W \cdot R_1^{-1} \pmod{n}\right). \tag{3.15}$$
(3) The verifier checks the equation
$$R_2 = (-1)^{c_2^p} \cdot a_p^{c_1^p} \cdot H_p(m, R') \pmod{N_p}. \tag{3.16}$$
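The four phases of Section 3.2, Eqs. (3.1)–(3.16), as an added Python example that is not the authors' code. It computes $R'$ as $R_1 \cdot W^{-1} \bmod N_o$, the form the proof of Theorem 3.2 uses for $R$, because $r_1^2 = W \cdot r^2 \pmod{N_o}$ follows from (3.4), (3.6) and (3.10). The SHA-256 stand-in for Ho and Hp, the 128-bit size of r and the toy keys built from Mersenne primes are assumptions.

```python
import hashlib
import secrets
from math import gcd

def jacobi(a, n):
    # Jacobi symbol (a/n) for odd n > 0.
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def make_key(p, q):
    # Section 3.2 key: p = q = 3 (mod 4), public a with (a/N) = -1.
    assert p % 4 == 3 and q % 4 == 3
    N = p * q
    a = next(x for x in range(2, 1000) if jacobi(x, N) == -1)
    return {"p": p, "q": q, "N": N, "a": a}

def H(N, *parts):
    # Stand-in for Ho / Hp (assumption): SHA-256 reduced into Z_N, retried
    # with a counter until coprime to N so its Jacobi symbol is never 0.
    ctr = 0
    while True:
        digest = hashlib.sha256(repr((ctr,) + parts).encode()).digest()
        v = int.from_bytes(digest, "big") % N
        if gcd(v, N) == 1:
            return v
        ctr += 1

def target(pub, c1, c2, h):
    # (-1)^c2 * a^c1 * h mod N: right-hand side of (3.4), (3.11), (3.14), (3.16).
    N, a = pub
    t = pow(a, c1, N) * h % N
    return t if c2 == 0 else N - t

def rabin_sign(key, h):
    # (3.1)-(3.4): choose c1, c2 so the target is a square, then take its root
    # modulo each prime (exponent (p+1)/4) and combine the roots with the CRT.
    p, q, N, a = key["p"], key["q"], key["N"], key["a"]
    c1 = 0 if jacobi(h, N) == 1 else 1
    c2 = 0 if jacobi(pow(a, c1, N) * h, p) == 1 else 1
    x = target((N, a), c1, c2, h)
    sp, sq = pow(x, (p + 1) // 4, p), pow(x, (q + 1) // 4, q)
    return c1, c2, (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % N

def delegate(orig, m_w):
    return rabin_sign(orig, H(orig["N"], "Ho", m_w))   # (c1o, c2o, s_o)

def check_delegation(orig_pub, deleg, m_w):
    c1o, c2o, s_o = deleg                              # Eq. (3.5)
    N_o = orig_pub[0]
    return pow(s_o, 2, N_o) == target(orig_pub, c1o, c2o, H(N_o, "Ho", m_w))

def proxy_sign(orig_pub, proxy, deleg, m):
    N_o = orig_pub[0]
    c1o, c2o, s_o = deleg
    r = secrets.randbits(128)                          # n_r = 128 (assumed)
    R = pow(r, 2, N_o)                                 # Eq. (3.6)
    c1p, c2p, r2 = rabin_sign(proxy, H(proxy["N"], "Hp", m, R))  # (3.7)-(3.11)
    return m, c1o, c2o, c1p, c2p, s_o * r % N_o, r2    # r1 from Eq. (3.10)

def verify(orig_pub, proxy_pub, m_w, sig):
    m, c1o, c2o, c1p, c2p, r1, r2 = sig
    N_o, N_p = orig_pub[0], proxy_pub[0]
    R1, R2 = pow(r1, 2, N_o), pow(r2, 2, N_p)          # (3.12), (3.13)
    W = target(orig_pub, c1o, c2o, H(N_o, "Ho", m_w))  # (3.14)
    R_prime = R1 * pow(W, -1, N_o) % N_o               # R1 = W * R, so R = R1 / W
    return R2 == target(proxy_pub, c1p, c2p, H(N_p, "Hp", m, R_prime))  # (3.16)

# Constructed toy keys (Mersenne primes, each = 3 mod 4); not a usable key size.
ORIG = make_key(2**61 - 1, 2**89 - 1)
PROXY = make_key(2**107 - 1, 2**127 - 1)
ORIG_PUB, PROXY_PUB = (ORIG["N"], ORIG["a"]), (PROXY["N"], PROXY["a"])

def demo():
    m_w = "warrant: proxy may sign purchase orders until 2005-12-31"
    deleg = delegate(ORIG, m_w)
    sig = proxy_sign(ORIG_PUB, PROXY, deleg, "order #17")
    return (check_delegation(ORIG_PUB, deleg, m_w),
            verify(ORIG_PUB, PROXY_PUB, m_w, sig),
            verify(ORIG_PUB, PROXY_PUB, m_w, ("order #18",) + sig[1:]),
            verify(ORIG_PUB, PROXY_PUB, m_w + " (edited)", sig))
```

`demo()` returns the delegation check, a valid verification, and two rejected cases (changed message, changed warrant), in that order.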
3.3. Security analysis
In this part, we shall prove that the proposed scheme can work correctly and
satisfy the basic security requirements.
Theorem 3.1. The proposed proxy signature scheme is verifiable, if the original
signer, the proxy signer and the verifier all follow the issuing protocol.
Proof. From Eqs. (3.1)–(3.16), it is obvious that the proposed scheme satisfies
verifiability. □
We will prove that the second proposed scheme satisfies unforgeability
and non-repudiation. Our proof idea also comes from Bellare
and Rogaway's paper [1] and Goh and Jarecki's paper [2]. The following
theorem will also prove a tight security reduction from the hardness of the
integer factorization problem to the adaptive chosen message security of
the proposed scheme in the Random Oracle model. Here, we denote by $t_{cost}$
the main cost of the reduction. To prove the theorem simply and clearly, we assume
$c_1 = c_2 = 0$.
Theorem 3.2. If the integer factorization problem is $(s', \epsilon')$-hard, then for any
$q_{H_p}$, $q_{sig}$ the proposed scheme is $(s, q_{H_p}, q_{sig}, \epsilon)$-secure against existential forgery
on adaptive chosen message attack in the Random Oracle model, where
$$\epsilon = 2 \cdot \epsilon' + q_{sig} \cdot q_{H_p} \cdot 2^{-n_r} + 2^{-|N|}, \tag{3.17}$$
$$s = s' - (q_{H_p} + q_{sig} + 1) \cdot t_{cost}. \tag{3.18}$$
Proof. Let $A$ be an original signer, which has his key tuple $\{N_o, p_o, q_o\}$ and can
$(s, q_{H_p}, q_{sig}, \epsilon)$-break the proposed scheme and forge a valid signature. We
construct a simulator algorithm $M$, which can solve the integer factorization
problem. In other words, when $G_{IF}$ (defined in Definition 3.2) generates an integer
instance $\{N, p, q\}$ and the algorithm $M$ takes $N$ as input, $M$ can use the algorithm
$A$ to compute $p$, $q$ in $s'$ steps and with probability $\epsilon'$, where
$$\epsilon' = \frac{1}{2}\left(\epsilon - q_{sig} \cdot q_{H_p} \cdot 2^{-n_r} - 2^{-n_N}\right), \tag{3.19}$$
$$s' = s + (q_{H_p} + q_{sig} + 1) \cdot t_{cost} \tag{3.20}$$
and the probabilities are mainly taken over the randomness used by $M$ and $A$.
Algorithm $M$ simulates a run of a signature scheme to the original signer $A$.
Algorithm $M$ answers $A$'s hash function queries and signature oracle queries, and
it tries to translate $A$'s possible forgery $\{m, r\}$ into a condition to compute $p$, $q$.
Algorithm $M$ starts the simulation. Here, algorithm $A$ takes $(N, N_o, p_o, q_o)$ as
input. Then algorithm $M$ answers $A$'s queries as follows.
Answering $H_o$-oracle query. Algorithm $M$ picks a random string $s_o \in_R \mathbb{Z}_{N_o}$ at
random and computes $h \equiv s_o^2 \pmod{N_o}$. Then $M$ outputs $h$ as the answer to the query
$H_o(m_w)$. The $H_o$-oracle query is done only once.
Answering $H_p$-oracle queries. If the original signer $A$ provides a new query
$(m, R)$ as input to the $H_p$-oracle, algorithm $M$ works as follows:
Pick $w \in_R \mathbb{Z}_N$ at random and compute $y \equiv w^2 \pmod{N}$, then maintain a hash
oracle query table, take $(m, R, w, y)$ as one entry, and output $y$ as the answer to the query
$H_p(m, R)$.
Answering signature queries. Suppose the original signer $A$ asks for a
signature on message $m$. Algorithm $M$ has to create a valid signature tuple
without knowing the factorization of $N$. In the process, algorithm $M$ defines
some values of the hash function $H_p$. The algorithm $M$ proceeds as follows:
(1) Pick a random string $r \in \{0,1\}^{n_r}$, compute $R \equiv (r^2 \bmod N)$. Then check the
hash oracle. If $H_p$ has been queried on input $(m, R)$, it aborts.
(2) Pick $w \in_R \mathbb{Z}_N$ at random and compute $y \equiv w^2 \pmod{N}$, and take $y$ as the
answer to the query $H_p(m, R)$.
(3) Compute $r_1 = s_o \cdot r \pmod{N_o}$ and $r_2 = w \pmod{N}$.
(4) Return the tuple $\{m, r_1, r_2\}$.
Solving the integer factorization problem. If the original signer $A$ returns a
valid message and signature pair $(m, r)$ (where $r = \{r_1, r_2\}$) for some previously
unsigned $m$, then algorithm $M$ tries to translate this forgery into computing $p$, $q$
as follows:
(1) $M$ computes $R_1 \equiv r_1^2 \pmod{N_o}$ and $R = (h^{-1} \cdot R_1 \pmod{N_o})$.
(2) If $A$ has not queried the $H_p$-oracle on $(m, R)$, $M$ aborts.
(3) Otherwise, there is a probability 1/2 that $r_2$ differs from $w$ in the entry. So
$M$ can get a factor of $N$ by $\gcd(r_2 - w, N)$.
(4) Finally, algorithm $M$ outputs $p$ and $q$.
Let $\epsilon_{sigabort}$ be the probability that $M$ aborts the simulation for the failure of
signature queries and let $\epsilon_{NH}$ be the probability that $A$ produces a valid forgery
but does not query the $H_p$-oracle. Observe that the computational view shown
to algorithm $A$ by algorithm $M$ has the same distribution as $A$'s conversation
with an actual signature scheme and a random hash function except for the
probability $\epsilon_{NH}$. Hence the probability that $M$ outputs $p$ and $q$ is at least
$\epsilon - (\epsilon_{sigabort} + \epsilon_{NH})$.
(1) Algorithm $M$ might abort at Step 1 of the signature oracle simulation. This
event occurs if $M$ chooses an $r$ such that $(m, R)$ was previously given as input
to the $H_p$-oracle. Since there are at most $q_{H_p}$ such $r$'s, the probability of
aborting is at most $q_{H_p} \cdot 2^{-n_r}$. Therefore, the probability $\epsilon_{sigabort}$ that
algorithm $M$ aborts at Step 1 for any of the $q_{sig}$ signature queries is less than
$q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}$.
(2) Let $NH_p$ be the event that algorithm $A$ does not query the $H_p$-oracle on the
tuple $(m, R)$ which can be got by its forgery. It is apparent that the
probability $\Pr[NH_p]$ is at most $2^{-n_N}$, that is $\epsilon_{NH} = 2^{-n_N}$.
So we can see that algorithm $M$ solves the integer factorization problem
with probability at least $\epsilon' = \epsilon - q_{sig} \cdot q_{H_p} \cdot 2^{-n_r} - 2^{-n_N}$.
Running time of $M$. The running time of algorithm $M$ is that of running the
algorithm $A$, $H_o$-oracle queries, $H_p$-oracle queries and signature oracle queries.
Thus by adding these values, we can give the running time in Eq. (3.19). □
Similar to Theorem 2.3, we have the following theorem.
Theorem 3.3. In the proposed proxy signature scheme, the proxy private key
generated by the original signer cannot be forged.
From Theorems 3.2 and 3.3, we get the following corollary.
Corollary 3.1. The proposed proxy signature scheme satisfies the unforgeability
and the non-repudiation.
3.4. Efficient
• In the proxy private key generation phase, the original signer performs a
multiplication computation and a hash computation.
• In the signing phase, the proxy signer performs three modular multiplication
computations, a square root computation and a hash computation.
• In the signature verification phase, the verifier requires three modular
multiplication computations, two hash computations and an inverse
computation.
3.5. Remark
The second scheme is modified version of the first one from RSA problem to
integer factorization problem. Apparently, the second scheme is more efficient
than the first one. Furthermore, the reduction in the proof of security in the
second scheme is tighter than the one in first scheme.
4. Conclusions
In this paper, we have presented two provably secure proxy-protected signature
schemes, which are based on the RSA problem and the integer factorization problem
respectively. The second scheme is a modified version of the first, moved from the RSA
problem to the integer factorization problem. Compared to the other schemes, our schemes
reduce the amount of time-consuming computations. Therefore, in mobile
computation environments, our schemes can be applied in many low-computation
devices, such as cell phones, pagers, smart cards etc.
Acknowledgements
This research is partially supported by the National Science Foundation of
China under Grant No. 60072018, the National Natural Science Foundation
of China for Distinguished Young Scholars under Grant No. 60225007 and
the National Research Fund for the Doctoral Program of Higher Education
of China under Grant No. 20020248024.
References
[1] M. Bellare, P. Rogaway, Random Oracle are practical: a paradigm for designing efficient
protocols, in: Proceedings of the 1st ACM conference on Computer and Communications
Security, 1993, pp. 62–73.
[2] E.J. Goh, S. Jarecki, A signature scheme as secure as the Diffie–Hellman problem, in:
Proceedings of Eurocrypt'2003, LNCS 2656, 2003, pp. 401–415.
[3] C.-L. Hsu, T.-S. Wu, T.-C. Wu, New nonrepudiable threshold proxy signature scheme with
known signers, The Journal of System and Software 58 (2001) 119–124.
[4] S.J. Hwang, C.-H. Shi, A simple multi-proxy signature scheme, in: Proceedings of the Tenth
National Conference on Information Security, Hualien, Taiwan, ROC, 2000, pp. 134–138.
[5] S.J. Hwang, C.-C. Chen, A new proxy multi-signature scheme, in: International Workshop on
Cryptology and Network Security, Taipei, Taiwan, ROC, December 2000, pp. 134–138.
[6] M.-S. Hwang, L.-C. Lin, J.-L.L.U. Eric, A secure nonrepudiable threshold proxy signature
scheme with known signers, Information 11 (2) (2000) 137–144.
[7] H. Kim, J. Baek, B. Lee and K. Kim, Secret Computation with secrets for mobile agent using
one-time proxy signature, in: The 2001 Symposium on Cryptography and Information
Security, Oiso, Japan.
[8] S. Kim, S. Park, D. Won, Proxy signature, revisited, in: Proceedings of ICICS'97,
International Conference on Information and Communication Security, 1997, pp. 223–232.
[9] B. Lee, H. Kim, K. Kim, Strong proxy signature and its applications, in: Proceedings of SCIS
2001, 2001, pp. 603–608.
[10] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures: delegation of the power to sign
message, IEICE Transaction Functional E79-A (9) (1996) 1338–1354.
[11] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures for delegation signing operation, in:
Proceedings of the Third ACM Conference on Computer and Communication Security, New
Delhi, India, January 1996, pp. 48–57.
[12] M.O. Rabin, Digitalized signatures Foundations of Secure communication, Academic Press,
1978, pp. 155–168.
[13] H.-M. Sun, an efficient nonrepudiable threshold proxy signature scheme with known signers,
Computer Communications 22 (1999) 717–722.
[14] H.-M. Sun, N.-Y. Lee, T. Hwang, Threshold proxy signatures, IEE Proceedings Computers
and Digital Techniques 146 (5) (1999) 259–263.
[15] H.-M. Sun, On proxy (multi-) signature schemes, in: 2000 International Computer Sympo-
sium, Chiayi, Taiwan, ROC, December 6–8, 2000, pp. 65–72.
[16] H.X. Wang, J. Pieprzyk, Efficient one-time proxy signatures, in: Proceedings of
Asiacrypt'2003, LNCS 2894, 2003, pp. 507–522.
[17] L. Yi, G. Bai, G. Xiao, Proxy multi-signature scheme: a new type of proxy signature scheme,
Electronics Letter 36 (6) (2000) 527–528.