
Applied Mathematics and Computation 164 (2005) 83–98

www.elsevier.com/locate/amc

Provably secure proxy-protected signature schemes based on factoring

Yuan Zhou *, Zhenfu Cao, Rongxing Lu

Department of Computer Science, Shanghai Jiaotong University, 1954 Huashang road, Shanghai 200030, People's Republic of China

Abstract

Proxy signature is an active cryptographic research topic, and a wide range of literature can be found nowadays which suggests improvements and generalizations of existing protocols in various directions. However, most of the previously proposed schemes in this literature are based on the discrete logarithm problem. To the best of our knowledge, there still does not exist an actual proxy signature scheme based on the integer factorization problem. In this paper, we propose two efficient provably secure proxy-protected signature schemes in the Random Oracle Model. The first scheme is based on the RSA problem and the second one is based on the integer factorization problem. Compared to earlier proxy signature schemes, our schemes are more efficient and easy to implement. We believe they are particularly suitable for low-computation devices, such as smart cards, cell phones, pagers etc.

© 2004 Elsevier Inc. All rights reserved.

Keywords: RSA; Factoring; Proxy signature; Proxy-protected signature; Random Oracle Model

0096-3003/$ - see front matter © 2004 Elsevier Inc. All rights reserved.

doi:10.1016/j.amc.2004.04.032

* Corresponding author.

E-mail address: [email protected] (Y. Zhou).


84 Y. Zhou et al. / Appl. Math. Comput. 164 (2005) 83–98

1. Introduction

1.1. Proxy signature

The notion of proxy signature was introduced by Mambo et al. (1996) [10,11]. A proxy signature scheme is a cryptographic primitive involving three entities: an original signer, a proxy signer and a verifier. It allows the original signer to delegate her signing capability to a designated proxy signer. Then the proxy signer can sign some specific kinds of messages on behalf of the original one. After receiving the proxy signature, the verifier, which knows the public keys of the original and proxy signers, verifies the validity of the proxy signature.

Informally, a proxy signature consists of three algorithms, described as follows.

Key generation. For a given security parameter, it outputs a pair of private and public keys for the original signer and a private key for the proxy signer. The key generation usually involves a two-party protocol run between the original and proxy signers.

Signing. For an input that consists of a message to be signed and a proxy private key kept by the proxy signer, it outputs a valid signature.

Verifying. For an input that includes a pair (a message and a signature) and the public keys of the original and proxy signers, it outputs either accept or reject.

The proxy-protected signature scheme satisfies the following three basic security properties.

Verifiability. From a proxy signature, any verifier can be convinced of the original signer's agreement on the signed message.

Unforgeability. Only a designated proxy signer can create a valid proxy signature for the original signer (even the original signer cannot do it).

Non-repudiation. Neither the original signer nor the proxy signer must be able to sign in place of the other party. In other words, they cannot deny their signatures against anyone.

1.2. Related work

After Mambo et al.'s initial work on proxy signature, many scholars have done a lot of work in this field, and several kinds of proxy signature schemes have been put forth [3–6,8,9,13–15,17]. The proxy signature schemes have been proposed in [8,9]. The multi-proxy signature schemes have been proposed in [5,15,17]. And the threshold proxy signature schemes also have been proposed in [3,6,13,14]. However, most of these proposed schemes are based on the discrete logarithm problem. Moreover, none of the above schemes has a proof of security.


Recently, mobile computation environments have received great attention. Many low-powered and resource-constrained small devices have arisen, such as smart cards, cell phones and pagers. To adapt to these devices, Kim et al. [7] proposed a one-time proxy signature scheme based on the discrete logarithm problem. In Asiacrypt 2003, Huaxiong Wang and Josef Pieprzyk also presented an efficient one-time proxy signature scheme based on one-way functions without trapdoors [16]. As one-time proxy signature is very efficient and can be easily implemented, it is particularly fit for mobile computation environments. However, just as its name suggests, a one-time proxy signature scheme cannot be applied to sign an unlimited number of messages.

1.3. Our contributions

In this paper, we present two provably secure proxy-protected signature schemes, which are based on the RSA problem and the integer factorization problem respectively. The second scheme is a modification of the first, moving from the RSA problem to the integer factorization problem. The second scheme is more efficient than the first one. Furthermore, the reduction in the proof of security of the second scheme is tighter than the one of the first scheme. At the same time, since the second scheme is based on the Rabin signature scheme, its computational cost is much lower than that of other proposed schemes (including the first scheme).

The rest of the paper is organized as follows. In Sections 2 and 3, we will present two proxy-protected signature schemes, their proofs of security and their efficiency analysis. The final section is our conclusion.

2. The first proposed signature scheme

In this section, we will present the first scheme, which is based on the RSA problem, and prove that its security is related to the RSA problem.

2.1. Related definitions

Definition 2.1 (RSA problem)

[INPUT] $N = pq$ with $p, q$ prime numbers;

$e$: an integer such that $\gcd(e, (p-1)(q-1)) = 1$;

$c \in \mathbb{Z}_N^*$.

[OUTPUT] the unique integer $m \in \mathbb{Z}_N^*$ satisfying $m^e \equiv c \pmod{N}$.

Definition 2.2 (RSA assumption). An RSA problem solver is a probabilistic algorithm $A$ such that with an advantage $\epsilon > 0$:

$$\epsilon = \Pr[m \leftarrow A(N, e, m^e \pmod{N})],$$

where the input to $A$ is defined in Definition 2.1. Let $G_{RSA}$ be an RSA instance generator that on input $1^k$, runs in time polynomial in $k$, and outputs (i) a $2k$-bit modulus $N = pq$ where $p$ and $q$ are two distinct uniformly random primes, each $k$ bits long; (ii) $e \in \mathbb{Z}^*_{(p-1)(q-1)}$. We say that $G_{RSA}$ satisfies the RSA assumption if there exists no RSA problem solver for $G_{RSA}(1^k)$ with advantage $\epsilon > 0$ non-negligible in $k$ for all sufficiently large $k$.

2.2. The proposed scheme

In public-key cryptosystems based on the RSA problem, each user chooses his own RSA private key. The signer chooses two large primes $p$ and $q$ at random, and computes a public modulus $N = pq$. Then the signer chooses a pair of integers $e$ and $d$ such that $ed \equiv 1 \pmod{\phi(N)}$ and $d$ is large enough, where $\phi(N)$ is the Euler function of $N$. The signer chooses a public one-way hash function $h(\cdot)$. The private key $\{p, q, d\}$ is kept secret by the signer, while the public key of the signer is $\{N, e\}$, which is certified by a CA.

For clarity, we divide our scheme into four phases: system initialization phase, proxy private key generation phase, signing phase and verifying phase.

2.2.1. System initialization phase

The original signer $U_o$ chooses his private key $\{p_o, q_o, d_o\}$ and public key $\{N_o, e_o\}$, and the proxy signer $U_p$ chooses his private key $\{p_p, q_p, d_p\}$ and public key $\{N_p, e_p\}$. Furthermore, let $H_o$ be a universal secure hash function which accepts a variable-length input string of bits and produces a fixed-length output string of size $n_r$, and let $H_p$ be a universal secure hash function which accepts two variable-length input strings of bits and produces a fixed-length output string of size $n_r$.

2.2.2. Proxy private key generation phase

When the original signer $U_o$ delegates his signing capability to the proxy signer $U_p$, they run the following steps:

(1) The original signer $U_o$ first makes a warrant $m_w$, which records the delegation policy including limits of authority, valid period of delegation etc. Then he publishes $m_w$.

(2) $U_o$ computes a proxy private key $s_o$:

$$s_o = (H_o(m_w))^{d_o} \pmod{N_o}. \tag{2.1}$$

Then he sends $\{s_o, m_w\}$ to the proxy signer $U_p$ via a secure channel.

(3) After receiving $\{s_o, m_w\}$, the proxy signer $U_p$ verifies the proxy private key by checking the following equation:

$$s_o^{e_o} \equiv H_o(m_w) \pmod{N_o}. \tag{2.2}$$

2.2.3. Signing phase

Assume that, according to the limits of authority, the proxy signer $U_p$ has the right to proxy sign a message $m$ on behalf of the original signer $U_o$. He performs the following steps:

(1) $U_p$ randomly chooses an integer $r \in \{0,1\}^{n_r}$, and computes $R$, $\sigma_1$ and $\sigma_2$, respectively:

$$R = (r^{e_o} \bmod N_o), \tag{2.3}$$

$$\sigma_1 = (s_o \cdot r) \pmod{N_o}, \tag{2.4}$$

$$\sigma_2 = (H_p(m, R))^{d_p} \pmod{N_p}. \tag{2.5}$$

(2) He sends $\{m, \sigma_1, \sigma_2\}$ to the verifier.

2.2.4. Verifying phase

When the verifier has received the proxy signature $\{m, \sigma_1, \sigma_2\}$, he can verify the proxy signature as follows:

(1) The verifier computes

$$R' = (\sigma_1^{e_o} (H_o(m_w))^{-1} \pmod{N_o}). \tag{2.6}$$

(2) The verifier checks the equation

$$\sigma_2^{e_p} = H_p(m, R') \pmod{N_p}. \tag{2.7}$$
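The four phases of the first scheme, run end to end as an added example (not code from the paper): it checks Eq. (2.2) on delegation, signs with Eqs. (2.3)–(2.5) and verifies with Eqs. (2.6)–(2.7). Assumptions of this example: $H_o$ and $H_p$ are instantiated as SHA-256 truncated to $n_r = 128$ bits, $e_o = e_p = 65537$, and the moduli are products of small Mersenne primes, a toy parameter choice that is not secure.

```python
import hashlib
import secrets

N_R = 128  # hash output length n_r in bits (value assumed for this example)

def keygen(p, q, e=65537):
    """RSA key pair from two primes: returns (public {N, e}, private d)."""
    d = pow(e, -1, (p - 1) * (q - 1))  # ValueError if gcd(e, phi(N)) != 1
    return (p * q, e), d

def _hash(tag, *parts):
    """Assumed instantiation of H_o / H_p: SHA-256 truncated to n_r bits."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix inputs
    return int.from_bytes(h.digest()[: N_R // 8], "big")

def H_o(m_w):
    return _hash(b"Ho", m_w)

def H_p(m, R):
    return _hash(b"Hp", m, R.to_bytes((R.bit_length() + 7) // 8 or 1, "big"))

def delegate(m_w, pub_o, d_o):
    """Eq. (2.1): the original signer derives the proxy private key s_o."""
    return pow(H_o(m_w), d_o, pub_o[0])

def check_delegation(s_o, m_w, pub_o):
    """Eq. (2.2): the proxy signer checks s_o against the warrant."""
    N_o, e_o = pub_o
    return pow(s_o, e_o, N_o) == H_o(m_w) % N_o

def proxy_sign(m, s_o, pub_o, pub_p, d_p):
    """Eqs. (2.3)-(2.5): returns the pair (sigma1, sigma2)."""
    N_o, e_o = pub_o
    r = secrets.randbits(N_R)
    R = pow(r, e_o, N_o)                      # (2.3)
    sigma1 = (s_o * r) % N_o                  # (2.4)
    sigma2 = pow(H_p(m, R), d_p, pub_p[0])    # (2.5)
    return sigma1, sigma2

def verify(m, m_w, sig, pub_o, pub_p):
    """Eqs. (2.6)-(2.7); the verifier needs the published warrant m_w."""
    (N_o, e_o), (N_p, e_p) = pub_o, pub_p
    sigma1, sigma2 = sig
    if not (0 <= sigma1 < N_o and 0 <= sigma2 < N_p):
        return False
    try:
        h_inv = pow(H_o(m_w), -1, N_o)
    except ValueError:                        # H_o(m_w) not invertible mod N_o
        return False
    R_prime = (pow(sigma1, e_o, N_o) * h_inv) % N_o   # (2.6)
    return pow(sigma2, e_p, N_p) == H_p(m, R_prime) % N_p  # (2.7)

def demo():
    # Constructed toy keys: Mersenne primes, far too small for real use.
    pub_o, d_o = keygen(2**89 - 1, 2**107 - 1)
    pub_p, d_p = keygen(2**61 - 1, 2**127 - 1)
    m_w = b"proxy may sign purchase orders until 2005-12-31"  # constructed
    m = b"PO-17: 40 smart cards"                              # constructed
    s_o = delegate(m_w, pub_o, d_o)
    sig = proxy_sign(m, s_o, pub_o, pub_p, d_p)
    # The original signer knows s_o but not d_p; signing with d_o instead
    # must not verify (the proxy-protected property).
    no_dp = proxy_sign(m, s_o, pub_o, pub_p, d_o)
    return {
        "delegation_ok": check_delegation(s_o, m_w, pub_o),
        "valid": verify(m, m_w, sig, pub_o, pub_p),
        "tampered_message": verify(b"PO-17: 4000 smart cards", m_w, sig, pub_o, pub_p),
        "wrong_warrant": verify(m, b"another warrant", sig, pub_o, pub_p),
        "signed_without_d_p": verify(m, m_w, no_dp, pub_o, pub_p),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Verification succeeds only when the message, the published warrant and the proxy signer's key all match, because $R'$ is recovered from $\sigma_1$ and $H_o(m_w)$ before $\sigma_2$ is checked.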

2.3. Security analysis

In this part, we shall prove that the proposed scheme can work correctly and

satisfy the basic security requirements.

Theorem 2.1. The proposed proxy signature scheme is verifiable, if the original

signer, the proxy signer and the verifier all follow the issuing protocol.

Proof. From Eqs. (2.1)–(2.7), it is obvious that the proposed scheme satisfies verifiability. □

We will prove that the proposed scheme satisfies the unforgeability and the non-repudiation. Our proof idea comes from Bellare and Rogaway's paper [1] and Goh and Jarecki's paper [2]. The following theorem proves a security reduction from the hardness of the RSA problem to the adaptive chosen message attack (CMA) security of the proposed scheme in the Random Oracle model. We denote $t_{cost}$ as the main cost of the reduction.

Theorem 2.2. If the RSA problem is $(\tau', \epsilon')$-hard, then for any $q_{H_p}$, $q_{sig}$ the proposed scheme is $(\tau, q_{H_p}, q_{sig}, \epsilon)$-secure against existential forgery on adaptive chosen message attack in the Random Oracle model, where

$$\epsilon = q_{H_p}(\epsilon' + q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}), \tag{2.8}$$

$$\tau = \tau' - (q_{H_p} + q_{sig} + 1) \cdot t_{cost}. \tag{2.9}$$

Proof. Let $A$ be an original signer, which has his RSA key tuple $\{N_o, e_o, d_o\}$ and can $(\tau, q_{H_p}, q_{sig}, \epsilon)$-break the proposed scheme and forge a valid signature. We construct a simulator algorithm $M$, which can solve the RSA problem. In other words, when $G_{RSA}$ (defined in Definition 2.2) generates an RSA instance $\{N, p, q, e, d\}$ and the algorithm $M$ takes $(e, N)$ and $u \in \mathbb{Z}_N^*$ as inputs, $M$ can use the algorithm $A$ to compute $v$ (here $v \equiv u^d \pmod{N}$) in $\tau'$ steps and with probability $\epsilon'$, where

$$\epsilon' = \frac{1}{q_{H_p}} \cdot \epsilon - q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}, \tag{2.10}$$

$$\tau' \approx \tau + (q_{H_p} + q_{sig} + 1) \cdot t_{cost} \tag{2.11}$$

and the probabilities are mainly taken over the randomness used by $M$ and $A$.

Algorithm $M$ simulates a run of a signature scheme to the original signer $A$. Algorithm $M$ answers $A$'s hash function queries and signature oracle queries, and it tries to translate $A$'s possible forgery $\{m, \sigma\}$ into an answer to the RSA problem (the answer to $u^d \pmod{N}$). Algorithm $M$ starts the simulation. Here, algorithm $A$ takes $(N, N_o, e, e_o, d_o)$ as input. Then algorithm $M$ answers $A$'s queries as follows.

Answering $H_o$-oracle query. Algorithm $M$ picks a random string $s_o \in_R \mathbb{Z}_{N_o}$ and computes $h \equiv s_o^{e_o} \pmod{N_o}$. Then $M$ outputs $h$ as the answer to the query $H_o(m_w)$. The $H_o$-oracle query is done only once.

Answering $H_p$-oracle queries. If the original signer $A$ provides a new query $(m, R)$ as input to the $H_p$-oracle, algorithm $M$ works as follows: if $H_p(m, R) \equiv u \pmod{N}$, he outputs $u$ as the answer to the query $H_p(m, R)$. Otherwise he picks $w \in_R \mathbb{Z}_N$ at random and computes $y \equiv w^e \pmod{N}$, then maintains a hash oracle query table, takes $(m, R, w, y)$ as one entry, and outputs $y$ as the answer to the query $H_p(m, R)$.

Answering signature queries. Suppose the original signer $A$ asks for a signature on message $m$. Algorithm $M$ has to create a valid signature tuple without knowing the private key $d$. In the process, algorithm $M$ defines some values of the hash function $H_p$. The algorithm $M$ proceeds as follows:

(1) Pick a random string $r \in \{0,1\}^{n_r}$ and compute $R = (r^e \bmod N)$. Then check the hash oracle. If $H_p$ has been queried on input $(m, R)$, it aborts.

(2) Pick $w \in_R \mathbb{Z}_N$ at random, compute $y \equiv w^e \pmod{N}$, and define $H_p(m, R) \triangleq y$.

(3) Compute $\sigma_1 = s_o \cdot r \pmod{N_o}$ and $\sigma_2 = w \pmod{N}$.

(4) Return the tuple $\{m, \sigma_1, \sigma_2\}$.

Solving the RSA problem. If the original signer $A$ returns a valid message and signature pair $(m, \sigma)$ (where $\sigma = \{\sigma_1, \sigma_2\}$) for some previously unsigned $m$, then algorithm $M$ tries to translate this forgery into computing $v \equiv u^d \pmod{N}$ as follows: if $\sigma_2 \not\equiv v \pmod{N}$, then $M$ aborts. Otherwise algorithm $M$ outputs $v$.

Let $\epsilon_{sigabort}$ be the probability that $M$ aborts the simulation for the failure of signature queries and let $\epsilon_{RSA}$ be the probability that $A$ produces a valid forgery but $\sigma_2 \not\equiv v \pmod{N}$. Observe that the computational view shown to algorithm $A$ by algorithm $M$ has the same distribution as $A$'s conversation with an actual signature scheme and a random hash function except for the probability $\epsilon_{sigabort}$. Hence the probability that $M$ outputs a correct solution to the RSA problem $u^d \pmod{N}$ is at least $\epsilon - (\epsilon_{sigabort} + \epsilon_{RSA})$.

(1) Algorithm $M$ might abort at Step 1 of the signature oracle simulation. This event occurs if $M$ chooses an $r$ that was previously given as input to the $H_p$-oracle. Since there are at most $q_{H_p}$ such $r$'s, the probability of aborting is at most $q_{H_p} \cdot 2^{-n_r}$. Therefore, the probability $\epsilon_{sigabort}$ that algorithm $M$ aborts at Step 1 for any of the $q_{sig}$ signature queries is less than $q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}$.

(2) Let $NH_p$ be the event that algorithm $A$ does not query the $H_p$-oracle on the tuple $(m, R)$ which can be got by its forgery. It is apparent that the probability $\Pr[NH_p]$ is at most $2^{-n_N}$. So we have

$$\epsilon_{RSA} = \left(1 - \frac{1}{q_{H_p}}\right) \cdot (\epsilon - 2^{-n_N}) \approx \left(1 - \frac{1}{q_{H_p}}\right) \cdot \epsilon.$$

So we can see that algorithm $M$ solves the RSA inverse permutation problem with probability at least

$$\frac{1}{q_{H_p}} \cdot \epsilon - q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}.$$

Running time of $M$. The running time of algorithm $M$ is that of running the algorithm $A$, the $H_o$-oracle queries, the $H_p$-oracle queries and the signature oracle queries. Thus by adding these values, we can give the running time in Eq. (2.9).

We have proved in the above theorem that even the original signer cannot forge a valid proxy signature. In the paper [1], Bellare and Rogaway have proved that a signature based on a trapdoor permutation cannot be forged. In our proposed scheme, the generation of the proxy private key adopts the RSA signature scheme. So we have the following theorem. □

Theorem 2.3. In the proposed proxy signature scheme, the proxy private key

generated by the original signer cannot be forged.

From Definitions 2.2 and 3.3, we get the following corollary.

Corollary 2.1. The proposed proxy signature scheme satisfies the unforgeability

and the non-repudiation.

2.4. Efficiency

The proposed scheme is efficient. Compared with other schemes based on the discrete logarithm problem, the scheme reduces the amount of time-consuming computation.

• In the proxy private key generation phase, the original signer performs $\lceil \log(d_o) \rceil$ multiplication computations and a hash computation.

• In the signing phase, the proxy signer performs $\lceil \log(d_p) \rceil + \lceil \log(e_o) \rceil + 1$ modular multiplication computations and a hash computation.

• In the signature verification phase, the verifier requires $\lceil \log(e_o) \rceil + \lceil \log(e_p) \rceil + 1$ modular multiplication computations, two hash computations and an inverse computation.

3. The second proposed signature scheme

In this section, we will present the second scheme, which is based on integer

factorization problem and prove that its security is tightly related to the integer

factorization problem.

3.1. Related definitions

Definition 3.1 (Integer factorization problem)

[INPUT] $N$: odd composite integer with at least two distinct prime factors.

[OUTPUT] prime $p$ such that $p \mid N$.

Definition 3.2 (Integer factorization assumption). An integer factorizer is a probabilistic algorithm $A$ such that with an advantage $\epsilon > 0$:

$$\epsilon = \Pr[A(N) \text{ divides } N \text{ and } 1 < A(N) < N],$$

where the input to $A$ is defined in Definition 3.1. Let $G_{IF}$ be an integer instance generator that on input $1^k$, runs in time polynomial in $k$, and outputs a $2k$-bit modulus $N = pq$ where $p$ and $q$ are each a $k$-bit uniformly random odd prime. We say that $G_{IF}$ satisfies the integer factorization assumption if there exists no integer factorizer for $G_{IF}(1^k)$ with advantage $\epsilon > 0$ non-negligible in $k$ for all sufficiently large $k$.

3.2. The proposed scheme

In the public signature system based on the integer factorization problem, which was first proposed in [12] by Rabin, each user chooses his own private key. The signer randomly chooses two large secure primes $p$ and $q$ satisfying $p \equiv q \equiv 3 \pmod{4}$, and computes a public modulus $N = pq$. Then the signer chooses an integer $a$ whose Jacobi symbol satisfies $\left(\frac{a}{N}\right) = -1$. The signer chooses a public one-way hash function $h(\cdot)$. The private key $\{p, q\}$ is kept secret by the signer, while the public key of the signer is $\{N, a\}$, which is certified by a CA.

As in the first proposed scheme, we also divide our scheme into four phases: system initialization phase, proxy private key generation phase, signing phase and verifying phase.

3.2.1. System initialization

The original signer $U_o$ chooses his private key $\{p_o, q_o\}$ and public key $\{N_o, a_o\}$, and the proxy signer $U_p$ chooses his private key $\{p_p, q_p\}$ and public key $\{N_p, a_p\}$. Furthermore, let $H_o$ be a universal secure hash function which accepts a variable-length input string of bits and produces a fixed-length output string of size $n_r$, and let $H_p$ be a universal secure hash function which accepts two variable-length input strings of bits and produces a fixed-length output string of size $n_r$.

3.2.2. Proxy private key generation phase

When the original signer $U_o$ delegates his signing capability to the proxy signer $U_p$, they run the following steps:

(1) The original signer $U_o$ first makes a warrant $m_w$, which records the delegation policy including limits of authority, valid period of delegation etc. Then he publishes $m_w$.

(2) $U_o$ computes a proxy private key as follows:

• $U_o$ first applies $H_o$ to produce $H_o(m_w)$, then he computes $c_1^o$:

$$c_1^o = \begin{cases} 0, & \text{if } \left(\frac{H_o(m_w)}{N_o}\right) = 1, \\ 1, & \text{if } \left(\frac{H_o(m_w)}{N_o}\right) = -1. \end{cases} \tag{3.1}$$

• $U_o$ computes $l_o$:

$$l_o = a_o^{c_1^o} \cdot H_o(m_w). \tag{3.2}$$

Then he computes $c_2^o$:

$$c_2^o = \begin{cases} 0, & \text{if } \left(\frac{l_o}{p_o}\right) = 1, \\ 1, & \text{if } \left(\frac{l_o}{q_o}\right) = -1. \end{cases} \tag{3.3}$$

• Finally $U_o$ computes $s_o$ from the equation

$$s_o^2 = (-1)^{c_2^o} \cdot a_o^{c_1^o} H_o(m_w) \pmod{N_o}. \tag{3.4}$$

Then he sends $\{s_o, c_1^o, c_2^o, m_w\}$ to the proxy signer $U_p$ via a secure channel.

(3) After receiving $\{s_o, c_1^o, c_2^o, m_w\}$, the proxy signer $U_p$ verifies the proxy private key by checking the following equation:

$$s_o^2 \equiv (-1)^{c_2^o} \cdot a_o^{c_1^o} H_o(m_w) \pmod{N_o}. \tag{3.5}$$
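The proxy private key generation of Eqs. (3.1)–(3.5), as an added example that is not code from the paper: it shows why the factors $a_o^{c_1^o}$ and $(-1)^{c_2^o}$ always turn $H_o(m_w)$ into a quadratic residue when $p_o \equiv q_o \equiv 3 \pmod 4$, and how the holder of $\{p_o, q_o\}$ then extracts $s_o$. Assumptions of this example: $H_o$ is SHA-256 truncated to 128 bits, $a_o$ is the smallest integer with Jacobi symbol $-1$, and the modulus is a product of two small Mersenne primes, a toy choice that is not secure.

```python
import hashlib

N_R = 128  # hash output length n_r in bits (value assumed for this example)

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 1, -1 or 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:           # pull out factors of two
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                 # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def H_o(m_w):
    """Assumed instantiation of H_o: SHA-256 truncated to n_r bits."""
    return int.from_bytes(hashlib.sha256(b"Ho" + m_w).digest()[: N_R // 8], "big")

def keygen(p, q):
    """Public key {N, a} with (a/N) = -1, private key {p, q}."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("both primes must be congruent to 3 mod 4")
    N = p * q
    a = next(x for x in range(2, 1000) if jacobi(x, N) == -1)
    return (N, a), (p, q)

def sqrt_mod_blum(x, p, q):
    """A square root of a quadratic residue x modulo N = p*q (needs p, q)."""
    s_p = pow(x, (p + 1) // 4, p)   # root mod p, valid because p = 3 (mod 4)
    s_q = pow(x, (q + 1) // 4, q)
    # Chinese remainder theorem: combine the two roots into one mod N.
    return (s_p * q * pow(q, -1, p) + s_q * p * pow(p, -1, q)) % (p * q)

def delegate(m_w, pub, priv):
    """Eqs. (3.1)-(3.4): returns (s_o, c1, c2) for the warrant m_w."""
    (N, a), (p, q) = pub, priv
    h = H_o(m_w)
    j = jacobi(h, N)
    if j == 0:
        raise ValueError("hash shares a factor with N")
    c1 = 0 if j == 1 else 1                  # (3.1)
    l = (pow(a, c1, N) * h) % N              # (3.2): now (l/N) = 1
    c2 = 0 if jacobi(l, p) == 1 else 1       # (3.3): (l/p) = (l/q)
    target = (-l) % N if c2 else l           # -1 is a non-residue mod p and q
    return sqrt_mod_blum(target, p, q), c1, c2   # (3.4)

def check_delegation(s_o, c1, c2, m_w, pub):
    """Eq. (3.5): the proxy signer's check, using public values only."""
    N, a = pub
    if c1 not in (0, 1) or c2 not in (0, 1):
        return False
    rhs = ((-1) ** c2 * pow(a, c1, N) * H_o(m_w)) % N
    return pow(s_o, 2, N) == rhs

def demo(count=200):
    # Constructed toy key: Mersenne primes, both congruent to 3 mod 4.
    pub, priv = keygen(2**89 - 1, 2**107 - 1)
    seen = set()
    for i in range(count):
        m_w = b"warrant #%d" % i             # constructed sample warrants
        s_o, c1, c2 = delegate(m_w, pub, priv)
        if not check_delegation(s_o, c1, c2, m_w, pub):
            return None
        seen.add((c1, c2))
    return seen

if __name__ == "__main__":
    print(sorted(demo()))
```

Over many warrants all four $(c_1^o, c_2^o)$ combinations occur, and Eq. (3.5) holds in each case.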

3.2.3. Signing phase

Assume that, according to the limits of authority, the proxy signer $U_p$ has the right to proxy sign a message $m$ on behalf of the original signer $U_o$. He performs the following steps:

(1) $U_p$ randomly chooses an integer $r \in \{0,1\}^{n_r}$ (here $n_r < N_o$), and computes $R$:

$$R = (r^2 \bmod N_o). \tag{3.6}$$

(2) $U_p$ applies $H_p$ to produce $H_p(m, R)$, then he computes $c_1^p$:

$$c_1^p = \begin{cases} 0, & \text{if } \left(\frac{H_p(m, R)}{N_p}\right) = 1, \\ 1, & \text{if } \left(\frac{H_p(m, R)}{N_p}\right) = -1. \end{cases} \tag{3.7}$$

(3) $U_p$ computes $l_p$:

$$l_p = a_p^{c_1^p} \cdot H_p(m, R). \tag{3.8}$$

Then he computes $c_2^p$:

$$c_2^p = \begin{cases} 0, & \text{if } \left(\frac{l_p}{p_p}\right) = 1, \\ 1, & \text{if } \left(\frac{l_p}{q_p}\right) = -1. \end{cases} \tag{3.9}$$

(4) $U_p$ computes $\sigma_1$:

$$\sigma_1 = (s_o \cdot r) \pmod{N_o}. \tag{3.10}$$

(5) $U_p$ computes $\sigma_2$ from the equation

$$\sigma_2^2 = (-1)^{c_2^p} \cdot a_p^{c_1^p} \cdot H_p(m, R) \pmod{N_p}. \tag{3.11}$$

(6) Finally, he sends $\{m, c_1^o, c_2^o, c_1^p, c_2^p, \sigma_1, \sigma_2\}$ to the verifier. Here $c_1^o$ and $c_1^p$ can also be computed by the verifier himself.

3.2.4. Verifying phase

When the verifier has received the proxy signature $\{m, c_1^o, c_2^o, c_1^p, c_2^p, \sigma_1, \sigma_2\}$, he can verify the proxy signature as follows:

(1) The verifier computes $R_1$ and $R_2$:

$$R_1 \equiv \sigma_1^2 \pmod{N_o}, \tag{3.12}$$

$$R_2 \equiv \sigma_2^2 \pmod{N_p}. \tag{3.13}$$

(2) The verifier computes $W$ and $R'$:

$$W = (-1)^{c_2^o} \cdot a_o^{c_1^o} \cdot H_o(m_w) \pmod{N_o}, \tag{3.14}$$

$$R' = (W \cdot R_1^{-1} \pmod{n}). \tag{3.15}$$

(3) The verifier checks the equation

$$R_2 = (-1)^{c_2^p} \cdot a_p^{c_1^p} \cdot H_p(m, R') \pmod{N_p}. \tag{3.16}$$

3.3. Security analysis

In this part, we shall prove that the proposed scheme can work correctly and

satisfy the basic security requirements.

Theorem 3.1. The proposed proxy signature scheme is verifiable, if the original

signer, the proxy signer and the verifier all follow the issuing protocol.

Proof. From Eqs. (3.1)–(3.16), it is obvious that the proposed scheme satisfies verifiability. □

We will prove that the second proposed scheme satisfies the unforgeability and the non-repudiation. Our proof idea also comes from Bellare and Rogaway's paper [1] and Goh and Jarecki's paper [2]. The following theorem will also prove a tight security reduction from the hardness of the integer factorization problem to the adaptive chosen message security of the proposed scheme in the Random Oracle model. Here, we denote $t_{cost}$ as the main cost of the reduction. To prove the theorem simply and clearly, we assume $c_1 = c_2 = 0$.

Theorem 3.2. If the integer factorization problem is $(\tau', \epsilon')$-hard, then for any $q_{H_p}$, $q_{sig}$ the proposed scheme is $(\tau, q_{H_p}, q_{sig}, \epsilon)$-secure against existential forgery on adaptive chosen message attack in the Random Oracle model, where

$$\epsilon = 2 \cdot \epsilon' + q_{sig} \cdot q_{H_p} \cdot 2^{-n_r} + 2^{-|N|}, \tag{3.17}$$

$$\tau = \tau' - (q_{H_p} + q_{sig} + 1) \cdot t_{cost}. \tag{3.18}$$

Proof. Let $A$ be an original signer, which has his key tuple $\{N_o, p_o, q_o\}$ and can $(\tau, q_{H_p}, q_{sig}, \epsilon)$-break the proposed scheme and forge a valid signature. We construct a simulator algorithm $M$, which can solve the integer factorization problem. In other words, when $G_{IF}$ (defined in Definition 3.2) generates an integer instance $\{N, p, q\}$ and the algorithm $M$ takes $N$ as input, $M$ can use the algorithm $A$ to compute $p$, $q$ in $\tau'$ steps and with probability $\epsilon'$, where

$$\epsilon' = \frac{1}{2}(\epsilon - q_{sig} \cdot q_{H_p} \cdot 2^{-n_r} - 2^{-n_N}), \tag{3.19}$$

$$\tau' = \tau + (q_{H_p} + q_{sig} + 1) \cdot t_{cost} \tag{3.20}$$

and the probabilities are mainly taken over the randomness used by $M$ and $A$.

Algorithm $M$ simulates a run of a signature scheme to the original signer $A$. Algorithm $M$ answers $A$'s hash function queries and signature oracle queries, and it tries to translate $A$'s possible forgery $\{m, \sigma\}$ into a condition to compute $p$, $q$. Algorithm $M$ starts the simulation. Here, algorithm $A$ takes $(N, N_o, p_o, q_o)$ as input. Then algorithm $M$ answers $A$'s queries as follows.

Answering $H_o$-oracle query. Algorithm $M$ picks a random string $s_o \in_R \mathbb{Z}_{N_o}$ and computes $h \equiv s_o^2 \pmod{N_o}$. Then $M$ outputs $h$ as the answer to the query $H_o(m_w)$. The $H_o$-oracle query is done only once.

Answering $H_p$-oracle queries. If the original signer $A$ provides a new query $(m, R)$ as input to the $H_p$-oracle, algorithm $M$ works as follows: pick $w \in_R \mathbb{Z}_N$ at random and compute $y \equiv w^2 \pmod{N}$, then maintain a hash oracle query table, take $(m, R, w, y)$ as one entry, and output $y$ as the answer to the query $H_p(m, R)$.

Answering signature queries. Suppose the original signer $A$ asks for a signature on message $m$. Algorithm $M$ has to create a valid signature tuple without knowing the factorization of $N$. In the process, algorithm $M$ defines some values of the hash function $H_p$. The algorithm $M$ proceeds as follows:

(1) Pick a random string $r \in \{0,1\}^{n_r}$ and compute $R \equiv (r^2 \bmod N)$. Then check the hash oracle. If $H_p$ has been queried on input $(m, R)$, it aborts.

(2) Pick $w \in_R \mathbb{Z}_N$ at random, compute $y \equiv w^2 \pmod{N}$, and take $y$ as the answer to the query $H_p(m, R)$.

(3) Compute $\sigma_1 = s_o \cdot r \pmod{N_o}$ and $\sigma_2 = w \pmod{N}$.

(4) Return the tuple $\{m, \sigma_1, \sigma_2\}$.

Solving the integer factorization problem. If the original signer $A$ returns a valid message and signature pair $(m, \sigma)$ (where $\sigma = \{\sigma_1, \sigma_2\}$) for some previously unsigned $m$, then algorithm $M$ tries to translate this forgery into computing $p$, $q$ as follows:

(1) $M$ computes $R_1 \equiv \sigma_1^2 \pmod{N_o}$ and $R = (h^{-1} \cdot R_1 \pmod{N_o})$.

(2) If $A$ has not queried the $H_p$-oracle on $(m, R)$, $M$ aborts.

(3) Otherwise, there is a probability $1/2$ that $\sigma_2$ differs from $w$ in the entry. So $M$ can get a factor of $N$ by $\gcd(\sigma_2 - w, N)$.

(4) Finally, algorithm $M$ outputs $p$ and $q$.

Let $\epsilon_{sigabort}$ be the probability that $M$ aborts the simulation for the failure of signature queries and let $\epsilon_{NH}$ be the probability that $A$ produces a valid forgery but does not query the $H_p$-oracle. Observe that the computational view shown to algorithm $A$ by algorithm $M$ has the same distribution as $A$'s conversation with an actual signature scheme and a random hash function except for the probability $\epsilon_{NH}$. Hence the probability that $M$ outputs $p$ and $q$ is at least $\epsilon - (\epsilon_{sigabort} + \epsilon_{NH})$.

(1) Algorithm $M$ might abort at Step 1 of the signature oracle simulation. This event occurs if $M$ chooses an $r$ such that $(m, R)$ was previously given as input to the $H_p$-oracle. Since there are at most $q_{H_p}$ such $r$'s, the probability of aborting is at most $q_{H_p} \cdot 2^{-n_r}$. Therefore, the probability $\epsilon_{sigabort}$ that algorithm $M$ aborts at Step 1 for any of the $q_{sig}$ signature queries is less than $q_{sig} \cdot q_{H_p} \cdot 2^{-n_r}$.

(2) Let $NH_p$ be the event that algorithm $A$ does not query the $H_p$-oracle on the tuple $(m, R)$ which can be got by its forgery. It is apparent that the probability $\Pr[NH_p]$ is at most $2^{-n_N}$, that is $\epsilon_{NH} = 2^{-n_N}$.

So we can see that algorithm $M$ solves the integer factorization problem with probability at least $\epsilon' = \frac{1}{2}(\epsilon - q_{sig} \cdot q_{H_p} \cdot 2^{-n_r} - 2^{-n_N})$.

Running time of $M$. The running time of algorithm $M$ is that of running the algorithm $A$, the $H_o$-oracle queries, the $H_p$-oracle queries and the signature oracle queries. Thus by adding these values, we can give the running time in Eq. (3.19).

Similar to Theorem 2.3, we have the following theorem. □

Theorem 3.3. In the proposed proxy signature scheme, the proxy private key

generated by the original signer cannot be forged.

From Theorems 3.2 and 3.3, we get the following corollary.

Corollary 3.1. The proposed proxy signature scheme satisfies the unforgeability

and the non-repudiation.

3.4. Efficiency

• In the proxy private key generation phase, the original signer performs a multiplication computation and a hash computation.

• In the signing phase, the proxy signer performs three modular multiplication computations, a square root computation and a hash computation.

• In the signature verification phase, the verifier requires three modular multiplication computations, two hash computations and an inverse computation.

3.5. Remark

The second scheme is a modified version of the first one, moving from the RSA problem to the integer factorization problem. Apparently, the second scheme is more efficient than the first one. Furthermore, the reduction in the proof of security of the second scheme is tighter than the one of the first scheme.

4. Conclusions

In this paper, we have presented two provably secure proxy-protected signature schemes, which are based on the RSA problem and the integer factorization problem respectively. The second scheme is a modification of the first, moving from the RSA problem to the integer factorization problem. Compared to the other schemes, our schemes reduce the amount of time-consuming computation. Therefore, in mobile computation environments, our schemes can be applied in many low-computation devices, such as cell phones, pagers, smart cards etc.

Acknowledgements

This research is partially supported by the National Science Foundation of China under Grant No. 60072018, the National Natural Science Foundation of China for Distinguished Young Scholars under Grant No. 60225007 and the National Research Fund for the Doctoral Program of Higher Education of China under Grant No. 20020248024.

References

[1] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993, pp. 62–73.

[2] E.J. Goh, S. Jarecki, A signature scheme as secure as the Diffie–Hellman problem, in: Proceedings of Eurocrypt'2003, LNCS 2656, 2003, pp. 401–415.

[3] C.-L. Hsu, T.-S. Wu, T.-C. Wu, New nonrepudiable threshold proxy signature scheme with known signers, The Journal of System and Software 58 (2001) 119–124.

[4] S.J. Hwang, C.-H. Shi, A simple multi-proxy signature scheme, in: Proceedings of the Tenth National Conference on Information Security, Hualien, Taiwan, ROC, 2000, pp. 134–138.

[5] S.J. Hwang, C.-C. Chen, A new proxy multi-signature scheme, in: International Workshop on Cryptology and Network Security, Taipei, Taiwan, ROC, December 2000, pp. 134–138.

[6] M.-S. Hwang, L.-C. Lin, J.-L.L.U. Eric, A secure nonrepudiable threshold proxy signature scheme with known signers, Information 11 (2) (2000) 137–144.

[7] H. Kim, J. Baek, B. Lee, K. Kim, Secret Computation with secrets for mobile agent using one-time proxy signature, in: The 2001 Symposium on Cryptography and Information Security, Oiso, Japan.

[8] S. Kim, S. Park, D. Won, Proxy signature, revisited, in: Proceedings of ICICS'97, International Conference on Information and Communication Security, 1997, pp. 223–232.

[9] B. Lee, H. Kim, K. Kim, Strong proxy signature and its applications, in: Proceedings of SCIS 2001, 2001, pp. 603–608.

[10] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures: delegation of the power to sign message, IEICE Transaction Functional E79-A (9) (1996) 1338–1354.

[11] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures for delegation signing operation, in: Proceedings of the Third ACM Conference on Computer and Communication Security, New Delhi, India, January 1996, pp. 48–57.

[12] M.O. Rabin, Digitalized signatures, Foundations of Secure Communication, Academic Press, 1978, pp. 155–168.

[13] H.-M. Sun, An efficient nonrepudiable threshold proxy signature scheme with known signers, Computer Communications 22 (1999) 717–722.

[14] H.-M. Sun, N.-Y. Lee, T. Hwang, Threshold proxy signatures, IEE Proceedings Computers and Digital Techniques 146 (5) (1999) 259–263.

[15] H.-M. Sun, On proxy (multi-) signature schemes, in: 2000 International Computer Symposium, Chiayi, Taiwan, ROC, December 6–8, 2000, pp. 65–72.

[16] H.X. Wang, J. Pieprzyk, Efficient one-time proxy signatures, in: Proceedings of Asiacrypt'2003, LNCS 2894, 2003, pp. 507–522.

[17] L. Yi, G. Bai, G. Xiao, Proxy multi-signature scheme: a new type of proxy signature scheme, Electronics Letter 36 (6) (2000) 527–528.

