Front. Comput. Sci. DOI 10.1007/s11704-012-2851-y

Efficient ID-based proxy multi-signature scheme secure in random oracle

Rajeev Anand SAHU, Sahadeo PADHYE

Department of Mathematics, Motilal Nehru National Institute of Technology, Allahabad-211004, India

© Higher Education Press and Springer-Verlag 2012

Abstract Proxy signature schemes enable an entity to delegate its signing rights to any other party, called the proxy signer. As a variant of the proxy signature primitive, proxy multi-signature allows a group of original signers to delegate their signing capabilities to a single proxy signer in such a way that the proxy signer can sign a message on behalf of the group of original signers. We propose a concrete ID-based proxy multi-signature scheme from bilinear pairings. The proposed scheme is existentially unforgeable against adaptively chosen message and given ID attack in the random oracle model under the computational Diffie-Hellman (CDH) assumption. The fascinating property of the new scheme is that the size of a proxy multi-signature is independent of the number of original signers. Furthermore, the proposed scheme is simple and computationally more efficient than other ID-based proxy multi-signature schemes.

Keywords ID-based signature scheme, bilinear pairings, proxy multi-signature, computational Diffie-Hellman problem (CDHP), random oracle.

Received May 19, 2011; accepted November 14, 2011

1 Introduction

The proposal of ID-based cryptosystem and signature by Shamir [1] in 1984 simplified the key management procedure and added moderate security in comparison to the certificate-based settings. Later, this result directed a new way to construct efficient ID-based cryptosystems and signature schemes [2–5]. The idea of bilinear pairing eases computation and keeps the system simple. Its characteristic property of linearity in both components makes it effective in terms of both efficiency and functionality. After the work of Boneh and Franklin [6], bilinear pairings have been highly recommended for constructing efficient ID-based key agreement protocols and signature schemes [7–9].

The notion of proxy signature was introduced by Mambo, Usuda and Okamoto [10] in 1996. In a proxy signature scheme, an original signer is authorized to delegate its signing capability to a proxy signer to sign a document on its behalf. Depending on the number of signers in the original and proxy groups, the proxy signature primitive can be categorized into multi-proxy signature, proxy multi-signature and multi-proxy multi-signature. The concept of proxy multi-signature was proposed by Yi et al. [11] in 2000, where a group of original signers can authorize a proxy signer to sign any message on their behalf. Previously, Li et al. [12] proposed a proxy multi-signature scheme from bilinear pairings and Li and Chen [13] proposed an ID-based proxy multi-signature scheme from bilinear pairings; but both schemes simply follow the security properties of a general proxy signature scheme proposed by Li et al. [14] and lack a formal security model, and hence a full security proof. In 2006, Gu et al. [15] proposed an ID-based proxy multi-signature scheme from bilinear pairings which is proved secure against existential delegation forgery and existential proxy multi-signature forgery under the hardness assumption of the computational Diffie-Hellman problem (CDHP), but the scheme lacks a strong security proof against adaptively chosen message and ID attack. In 2007, Wang and Cao [16] proposed an ID-based proxy multi-signature based on the work of Gentry and Ramzan [17] and proved its security in the random oracle model, but Zuhua Shao [18] pointed out a weakness and cheat attack in their scheme and proposed an improvement over the scheme. In [18], Shao also formalized a new security model for his ID-based proxy multi-signature scheme, which is based on the CDH assumption. Cao and Cao [19] proposed the first formal definition and security model for ID-based proxy multi-signature schemes based on the work of Boldyreva [20], Wang and Cao [21], Wang et al. [22] and Xu et al. [23].

In this paper we construct an ID-based proxy multi-signature scheme from bilinear pairings to improve the efficiency of existing ID-based proxy multi-signature schemes. The building blocks for the security model of our scheme are the formal security models of Cao and Cao [19] and Shao [18]. The scheme is proved existentially unforgeable against adaptively chosen message and given ID attack in the random oracle model under the CDH assumption.

The rest of this paper is organized as follows: In Section 2, we introduce some related mathematical definitions and problems. We formalize a security model for ID-based proxy multi-signature schemes in Section 3. The proposed scheme is described in Section 4. In Section 5, we prove the security of the proposed scheme in the random oracle model. We compare the computational efficiency of our scheme with others in Section 6. Finally, the conclusion is given in Section 7.

2 Preliminaries

In this section, we briefly introduce some related mathematical problems.

Bilinear pairing Given two groups $G_1$ and $G_2$ of prime order $q$, a map $e : G_1 \times G_1 \to G_2$ satisfying the following properties is called a bilinear pairing:

(a) Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$, $\forall a, b \in Z_q^*$ and $P, Q \in G_1$. This can be stated in another way as: for $P, Q, R \in G_1$, $e(P + Q, R) = e(P, R)e(Q, R)$ and $e(P, Q + R) = e(P, Q)e(P, R)$.
(b) Non-degeneracy: There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$. Alternatively, if $P$ is a generator of $G_1$, then $e(P, P)$ is a generator of $G_2$, in other words $e(P, P) \neq 1$.
(c) Computability: There exists an efficient algorithm to compute $e(P, Q) \in G_2$, $\forall P, Q \in G_1$.

CDHP For given $P, aP, bP \in G_1$, to compute $abP \in G_1$, where $a, b \in Z_q^*$.

CDH assumption If $G_1$ is a group of prime order $q$ with a generator $P$, then a $(t, \epsilon)$-CDH assumption holds in $G_1$ if there is no algorithm which takes at most $t$ running time and can solve CDHP with at least $\epsilon$ probability.

3 ID-based proxy multi-signature schemes and their security

Here we formally define ID-based proxy multi-signature schemes and propose a security model for them.

3.1 ID-based proxy multi-signature schemes

We give here a formal definition of ID-based proxy multi-signature schemes based on the work of Wang and Cao [21], Wang et al. [22] and Cao and Cao [19]. In such a scheme, a group of original signers is authorized to transfer their signing rights to a single proxy signer to sign any document on their behalf. Public and private keys of the original and proxy signers are generated by a private key generator (PKG), using their corresponding identities. Let $A_i$, for $1 \le i \le n$, be the $n$ original signers with identities $ID_{A_i}$, and let $B$ be the proxy signer with corresponding identity $ID_B$. An ID-based proxy multi-signature scheme consists of the following algorithms:

Setup: For a security parameter $k$, the PKG runs this algorithm and generates the public parameters params and a master secret of the system. The PKG publishes params and keeps the master secret confidential.

Extract: This is the private key generation algorithm. For a given identity $ID$, public parameters params and master secret, the PKG runs this algorithm to generate the private key $S_{ID}$ of the user with identity $ID$, and provides the private keys to all the users through a secure channel.

Proxy-key generation: In this phase, the group of original signers interacts with the proxy signer to delegate their signing rights. This algorithm takes the identities of all the users, $ID_{A_i}$ for $1 \le i \le n$ and $ID_B$, the private keys of all the users, $S_{ID_{A_i}}$ and $S_{ID_B}$, and the message warrant $m_w$ as input. After a successful interaction, the proxy signer $B$ outputs its partial proxy signing key $S_p$.

Proxy multi-signature generation: The proxy signer runs this algorithm to generate a proxy multi-signature on an intended message $m$. This algorithm takes the partial proxy signing key of the proxy signer, the message warrant $m_w$ and the message $m$, and outputs the proxy multi-signature $\sigma_P$.

Verification: On receiving a proxy multi-signature $\sigma_P$ on any message $m$, this algorithm is run by any third party, with inputs the public identities $ID_{A_i}$, $ID_B$ of all the users, the message warrant $m_w$, the message $m$ and the proxy multi-signature $\sigma_P$. The algorithm outputs 1 if the signature $\sigma_P$ is a valid proxy multi-signature on $m$ by the proxy signer on behalf of the group of original signers, and outputs 0 otherwise.

3.2 Security model for ID-based proxy multi-signature schemes

Here we give a formal security model for an ID-based proxy multi-signature scheme based on the work of Cao and Cao [19] and Zuhua Shao [18]. In this model we consider a case where an adversary A tries to forge the proxy multi-signature working against a single user, once against an original signer, say $A_i$, and once against the proxy signer, say $B$. We consider that $ID_{A_i}$ ($1 \le i \le n$) denotes the identities of the original signers and $ID_p$ denotes the identity of the proxy signer. The adversary A is given the power to access hash queries, extraction queries, proxy key generation queries and proxy multi-signature queries. The response to each query is provided to A using the random oracle. The goal of adversary A is to produce one of the following forgeries:

(1) A proxy multi-signature for a message $m$ by user 1 on behalf of the original signers, such that either the original signers never designated user 1, or the message $m$ was not submitted in the proxy multi-signature queries.
(2) A proxy multi-signature for a message $m$ by some user $B \neq 1$ on behalf of the original signers, such that user $B$ was never designated by the original signers, and user 1 is one of the original signers.

Consider the following game between the adversary A and the challenger C:

(1) Setup: Challenger C runs the Setup algorithm and provides the public parameters params to the adversary A. The adversary is also given a challenge identity, say $ID_1$, of user 1.
(2) Hash query: On a hash query of adversary A, challenger C responds through the random oracle and maintains lists, say $L_{H_1}$ and $L_{H_2}$, for the hash queries.
(3) Extract query: When the adversary A asks for the private key of any user with identity $ID_i$ ($ID_i \neq ID_1$), the challenger runs the Extract algorithm and returns the private key to the adversary.
(4) Proxy key generation query: When the adversary A requests to interact with user 1 for the proxy secret key by a proxy key generation query on the warrant $m_w$ and identities $ID_i$ ($ID_i \neq ID_1$) of its choice, where user 1 may be either one of the original signers or the proxy signer, the challenger C runs the proxy key generation algorithm to return the proxy secret key to the adversary and maintains a query list, say $L_{ps}$.
(5) Proxy multi-signature query: Proceeding adaptively, when the adversary A requests a proxy multi-signature on message $m$ and warrant $m_w$ of its choice, C responds by running the proxy multi-signature algorithm and maintains a list, say $L_{pms}$, for it.

Definition 1 An ID-based proxy multi-signature forger A $(t, q_H, q_E, q_{ps}, q_{pms}, n + 1, \epsilon)$-breaks the $n + 1$ users ID-based proxy multi-signature scheme by the adaptive chosen message and given ID attack, if A runs in at most $t$ time; makes at most $q_H$ hash queries, at most $q_E$ extraction queries, at most $q_{ps}$ proxy key generation queries and at most $q_{pms}$ proxy multi-signature queries; and the success probability of A is at least $\epsilon$.

Definition 2 An ID-based proxy multi-signature scheme is $(t, q_H, q_E, q_{ps}, q_{pms}, n + 1, \epsilon)$-secure against adaptive chosen message and given ID attack, if no adversary $(t, q_H, q_E, q_{ps}, q_{pms}, n + 1, \epsilon)$-breaks it.

4 Proposed scheme

In this section, we propose an ID-based proxy multi-signature scheme using bilinear pairings. Our scheme is divided into five phases: System setup, Extraction, Proxy key generation, Proxy multi-signature generation and Verification.

Setup For a given security parameter $k$, let $G_1$ be a cyclic additive group of prime order $q$ with generator $P$ and $G_2$ be a cyclic multiplicative group of the same prime order $q$. Let $e : G_1 \times G_1 \to G_2$ be a bilinear map as defined above. $H_1$ and $H_2$ are two hash functions defined as $H_1 : \{0, 1\}^* \to G_1$ and $H_2 : \{0, 1\}^* \to Z_q^*$. The PKG selects $s \in_R Z_q^*$ and sets $P_{pub} = sP$, publishes $P_{pub}$ as a public key and keeps the master secret $s$ confidential.

Extract For $1 \le i \le n$, let $A_i$ be the $n$ original signers with identities $ID_{A_i}$. Let $B$ be the proxy signer with identity $ID_p$. For $1 \le i \le n$, the PKG computes the public and private keys of $A_i$ as $Q_{ID_{A_i}} = H_1(ID_{A_i})$ and $S_{ID_{A_i}} = sQ_{ID_{A_i}}$ respectively, and similarly the public and private keys of $B$ as $Q_{ID_p} = H_1(ID_p)$ and $S_{ID_p} = sQ_{ID_p}$ respectively.

Proxy key generation To delegate the signing capability to the proxy signer $B$, the $n$ original signers do the following to make a signed warrant $m_w$. The warrant includes the nature of the message to be delegated, the period of delegation, identity information of the original signers and the proxy signer, etc. On successful completion of the process, the proxy signer gets a proxy signing key $S_p$.

• For $1 \le i \le n$, each $A_i$ selects $x_i \in_R Z_q^*$, computes $U_i = x_i P$ and broadcasts $U_i$ to the other $n - 1$ original signers.
• For $1 \le i \le n$, each $A_i$ computes $U = \sum_{i=1}^{n} U_i$ and $V_{a_i} = H_2(m_w \| U) S_{ID_{A_i}} + x_i P_{pub}$, and sends $(m_w, U_i, V_{a_i})$ to the proxy signer $B$.
• For $1 \le i \le n$, $B$ confirms $(m_w, U_i, V_{a_i})$ by checking $e(P, V_{a_i}) = e(P_{pub}, Q_{ID_{A_i}})^{H_2(m_w \| U)} e(U_i, P_{pub})$. If the equality holds for $1 \le i \le n$, $B$ accepts $(m_w, U_i, V_{a_i})$; otherwise, $B$ requests a valid one from $A_i$, or terminates the protocol.
• Having confirmed $(m_w, U_i, V_{a_i})$ for $1 \le i \le n$, $B$ computes its proxy signing key $S_p$ as

$$S_p = \sum_{i=1}^{n} V_{a_i} + H_2(m_w \| U) S_{ID_p}, \quad \text{where } U = \sum_{i=1}^{n} U_i.$$

Proxy multi-signature generation To sign a message $m$ on behalf of the group of $n$ original signers, the proxy signer $B$ selects $x \in_R Z_q^*$ and computes $U_p = xP$ and $\sigma_p = H_2(m \| U_p) S_p + x P_{pub}$. The proxy multi-signature on message $m$, with warrant $m_w$, is $(U_p, \sigma_p, U, m_w)$.

Verification On receiving a proxy multi-signature $(U_p, \sigma_p, U, m_w)$ and message $m$, the verifier does the following:

(1) Checks whether or not the message $m$ conforms to the warrant $m_w$. If not, stop; continue otherwise.
(2) Checks whether or not the proxy signer is authorized by the group of $n$ original signers in the warrant $m_w$. If not, stop; continue otherwise.
(3) Recovers the proxy public key $Q_p = H_2(m_w \| U)\left(\sum_{i=1}^{n} Q_{ID_{A_i}} + Q_{ID_p}\right) + U$.
(4) Accepts the proxy multi-signature if and only if the following equality holds: $e(P, \sigma_p) = e(P_{pub}, Q_p)^{H_2(m \| U_p)} e(P_{pub}, U_p)$.
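The five phases above and the verifier's equation, run end to end as an added example (not the authors' code). It assumes a toy stand-in for the pairing in which every group element is stored as its discrete logarithm, so it exercises the algebra of the scheme and nothing else; the function names, identities, sample messages and the length-prefixed encoding of $\|$ are this example's own choices.

```python
import hashlib
import secrets

# TOY MODEL (constructed for this example): a G1 point kP is stored as the
# scalar k, and a G2 element e(P,P)^z as the exponent z.  The map is bilinear,
# so the scheme's equations can be executed, but it offers no security at all.
q = 2**127 - 1                       # prime group order
P = 1                                # generator of G1

def pairing(a, b):                   # e(aP, bP) = e(P, P)^(ab)
    return a * b % q

def gt_mul(x, y):                    # multiplication in G2
    return (x + y) % q

def gt_pow(x, k):                    # exponentiation in G2
    return x * k % q

def _hash(tag, *parts):
    h = hashlib.sha256(tag)
    for part in parts:               # "||" as length-prefixed fields (example's choice)
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % (q - 1) + 1

def H1(identity):                    # {0,1}* -> G1
    return _hash(b"H1", identity)

def H2(msg, point):                  # {0,1}* -> Zq*
    return _hash(b"H2", msg, point)

def rand_scalar():
    return secrets.randbelow(q - 1) + 1

def setup():                         # PKG: master secret s, P_pub = sP
    s = rand_scalar()
    return s, s * P % q

def extract(s, identity):            # S_ID = s * H1(ID)
    return s * H1(identity) % q

def commit():                        # original signer A_i: x_i, U_i = x_i P
    x_i = rand_scalar()
    return x_i, x_i * P % q

def delegate(S_id, x_i, U, P_pub, mw):       # V_ai = H2(mw||U) S_IDAi + x_i P_pub
    return (H2(mw, U) * S_id + x_i * P_pub) % q

def check_share(P_pub, identity, mw, U, U_i, V):
    # B's check: e(P, V_ai) == e(P_pub, Q_IDAi)^H2(mw||U) * e(U_i, P_pub)
    rhs = gt_mul(gt_pow(pairing(P_pub, H1(identity)), H2(mw, U)),
                 pairing(U_i, P_pub))
    return pairing(P, V) == rhs

def proxy_key(S_idp, shares, mw, U):         # S_p = sum V_ai + H2(mw||U) S_IDp
    return (sum(shares) + H2(mw, U) * S_idp) % q

def sign(S_p, P_pub, m, mw, U):
    x = rand_scalar()
    U_p = x * P % q
    sigma = (H2(m, U_p) * S_p + x * P_pub) % q
    return (U_p, sigma, U, mw)               # four fields, whatever n is

def verify(P_pub, signer_ids, proxy_id, m, sig):
    # Steps (1)-(2), the warrant policy checks, are outside this sketch.
    U_p, sigma, U, mw = sig
    Q_p = (H2(mw, U) * (sum(map(H1, signer_ids)) + H1(proxy_id)) + U) % q
    rhs = gt_mul(gt_pow(pairing(P_pub, Q_p), H2(m, U_p)), pairing(P_pub, U_p))
    return pairing(P, sigma) == rhs

def demo(n, m=b"release build 7", mw=b"A_1..A_n delegate release signing to B"):
    s, P_pub = setup()
    ids = [f"signer{i}@example.org" for i in range(1, n + 1)]
    proxy = "proxy@example.org"
    commits = [commit() for _ in ids]
    U = sum(U_i for _, U_i in commits) % q
    shares = [delegate(extract(s, i), x, U, P_pub, mw)
              for i, (x, _) in zip(ids, commits)]
    S_B = extract(s, proxy)
    sig = sign(proxy_key(S_B, shares, mw, U), P_pub, m, mw, U)
    short = sign(proxy_key(S_B, shares[:-1], mw, U), P_pub, m, mw, U)
    U_p, sigma, _, _ = sig
    return {
        "shares_ok": all(check_share(P_pub, i, mw, U, U_i, V)
                         for i, (_, U_i), V in zip(ids, commits, shares)),
        "bad_share": check_share(P_pub, ids[0], mw, U, commits[0][1],
                                 (shares[0] + 1) % q),
        "valid": verify(P_pub, ids, proxy, m, sig),
        "other_message": verify(P_pub, ids, proxy, b"release build 8", sig),
        "other_warrant": verify(P_pub, ids, proxy, m,
                                (U_p, sigma, U, b"B may sign anything")),
        "missing_delegation": verify(P_pub, ids, proxy, m, short),
        "fields": len(sig),
    }

if __name__ == "__main__":
    print(demo(3))
```

The `missing_delegation` entry signs with a proxy key built without the last original signer's $V_{a_i}$; it fails verification against the full signer list because $Q_p$ is recomputed from every listed identity.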

5 Analysis of proposed scheme

In this section, we first give the correctness of verification and then prove the security of our scheme in the random oracle model, under the model described above. The security analysis follows the notion of security against existential forgery on adaptively chosen message and given ID attack, given by Cha and Cheon in [7]. Finally, we compare the computational efficiency of our scheme with other similar schemes [13,16,18,19].

5.1 Correctness

The property of correctness is satisfied as follows:

$$\begin{aligned}
e(P, \sigma_p) &= e(P, H_2(m \| U_p) S_p + x P_{pub}) \\
&= e(P, H_2(m \| U_p) S_p)\, e(P, x P_{pub}) \\
&= e(P, H_2(m \| U_p) s Q_p)\, e(P, x s P) \\
&= e(P_{pub}, Q_p)^{H_2(m \| U_p)}\, e(P_{pub}, U_p).
\end{aligned}$$

5.2 Security proof

We claim that the proposed scheme is secure against existential forgery under adaptive chosen message and given ID attack, like the ID-based proxy multi-signature schemes of Cao [19] and Shao [18]. In our model, we allow the adversary to select the identities on which it wants to forge the signature. The adversary is also given the power to obtain the private keys associated with those identities except one, say $ID_1$. The identity $ID_1$ may be the identity of one of the original signers or that of the proxy signer. The adversary can also access the proxy key generation oracles on warrants $m_w$ of its choice, and proxy multi-signature oracles on warrant and message pairs $(m_w, m')$ of its choice, as many times as it wants.

Definition 3 An ID-based proxy multi-signature scheme is said to be existentially unforgeable against adaptive chosen message and given ID attack if no probabilistic polynomial time adversary A has a non-negligible advantage against the challenger C in the following game:

(1) The challenger C runs the setup algorithm to generate the system's public parameters params and sends them to the adversary A.
(2) The adversary A performs a series of queries adaptively:
• Key extraction queries: A produces an identity $ID_i$ ($ID_i \neq ID_1$), and receives its corresponding private key $S_{ID_i}$.
• Proxy key generation queries: A produces a valid warrant $m_w$ with respect to selected identities $ID_i$ and receives its corresponding proxy secret key.
• Proxy multi-signature queries: A produces a message $m'$, a valid warrant $m_w$ with respect to the message $m'$ and identities $ID_i$, and receives a proxy multi-signature on its selected message.
(3) After the series of queries, A outputs a new proxy multi-signature $(U_p, \sigma_p, U, m_w)$ on message $m$ under a warrant $m_w$ for identities $ID_{A_i}$ and $ID_p$, where A has not requested private keys for $ID_{A_i}$ and $ID_p$ in extraction queries, A did not request a proxy key generation query including warrant $m_w$ and identities $ID_{A_i}$, and A never requested a proxy multi-signature query on message $m$ with warrant $m_w$ and identity $ID_p$.

The adversary A wins the above game if it is able to provide a validity proof of the proxy multi-signature $(U_p, \sigma_p, U, m_w)$ on message $m$.

Theorem We consider the random oracle for reply to hash queries. If there exists an adversary A $(t, q_{H_1}, q_{H_2}, q_E, q_{ps}, q_{pms}, \epsilon)$ which breaks the proposed ID-based proxy multi-signature scheme, then there exists an adversary B $(t', q_{H_1}, q_{H_2}, q_E, q_{ps}, q_{pms}, \epsilon')$ which solves CDHP in time at most $t' \le t + (q_{H_1} + 2q_E + 2q_{ps} + 4q_{pms} + 1)C_{G_1}$ with success probability at least $\epsilon' \ge \epsilon\left(1 - \frac{1}{q}\right)/(M(q_E + q_{ps} + q_{pms} + n + 1))$.

Proof First of all the challenger runs an algorithm and provides public values params $= \langle q, G_1, G_2, e, P, sP, bP \rangle$ to B. Here, A is a forger algorithm whose goal is to break the proposed ID-based proxy multi-signature scheme. The adversary B simulates the challenger and interacts with A. The goal of B is to solve CDHP by computing $sbP \in G_1$.

Key Generation For security parameter $1^k$, B generates the system's public parameters params $= \langle q, G_1, G_2, e, P, P_{pub}, H_1, H_2 \rangle$ and provides $P_{pub} = sP$ to A as a public value.

Hash queries When A makes $H_1$ and $H_2$ queries, B responds to the queries, maintaining lists $L_{H_1}$ and $L_{H_2}$ respectively.

$H_1$-queries When an identity $ID_i \in \{0, 1\}^*$ is submitted to the hash oracle, algorithm B responds as follows:

(1) If the query $ID_i$ already appears on the list $L_{H_1}$ in some tuple $\langle ID_i, h_1, a, c \rangle$, then algorithm B responds with $h_1 = H_1(ID_i)$.
(2) Otherwise B generates a random coin $c \in \{0, 1\}$ with probability $\Pr[c = 0] = \lambda$, for some $\lambda$.
(3) Now if $c = 0$, B picks a random integer $a \in Z_q^*$ and computes $h_1 = a(bP)$. If $c = 1$, B computes $h_1 = aP$ and responds to A.
(4) Algorithm B adds the tuple $\langle ID_i, h_1, a, c \rangle$ to the list $L_{H_1}$.

$H_2$-queries When a warrant $m_w \in \{0, 1\}^*$ and $U' = x'P \in G_1$ are submitted to the hash oracle (where $x' \in Z_q^*$ is selected randomly by A), algorithm B picks a random integer $f \in Z_q^*$, responds to A with $h_2 = H_2(m_w \| U') = f$ and adds the tuple $\langle m_w, U', h_2 \rangle$ to the list $L_{H_2}$.

Extraction queries If A requests a private key on identity $ID_i \neq ID_1$, B responds to this query as follows:

(1) Runs the above algorithm for responding to $H_1$ queries on $ID_i \neq ID_1$. Suppose $\langle ID_i, h_1, a, c \rangle$ is the corresponding tuple on the list $L_{H_1}$. If $c = 0$, then B outputs 'failure' and terminates.
(2) For $c = 1$ we know that $h_1 = aP$. Let $S = aP_{pub} \in G_1$. One can check that $e(S, P) = e(aP_{pub}, P) = e(P_{pub}, aP) = e(P_{pub}, H_1(ID_i))$. So $S$ is a valid private key of the user with identity $ID_i$. Finally B provides the private key $S$ to A as the response to the extraction query. The probability of success is $(1 - \lambda)$.
Proxy key generation queries When A requests to interact with either the proxy signer or anyone from the group of original signers, B responds as follows.

(1) Suppose A requests to interact with user $ID_1$, where $ID_1$ is playing the role of proxy signer. For this, A creates a warrant $m_w$ and computes the signatures $V'_{a_i} = H_2(m_w \| U') S_{ID_{A_i}} + x_i P_{pub}$, where $S_{ID_{A_i}}$ is the private key of the original signer $A_i$, which can be collected by A in an extraction query, $U' = x'P$ for a random $x' \in Z_q^*$, and $x_i \in Z_q^*$ is also selected randomly by A. Then A sends $(m_w, V'_{a_i})$ to B. B provides a corresponding partial proxy signing key $S_p$ to A which involves all $V'_{a_i}$ ($1 \le i \le n$). Finally B adds the tuple $\langle m_w, S_p \rangle$ to the proxy key generation list $L_{ps_p}$.
(2) Suppose A requests to interact with user $ID_1$, who is playing the role of one of the original signers. For this, A creates a warrant $m_w$, requests the user with identity $ID_1$ to sign the warrant $m_w$ and receives a response $V'_{a_1}$. B responds with a partial proxy signing key $S_p$ which involves $V'_{a_1}$ and adds the tuple $\langle m_w, S_p \rangle$ to the proxy key generation list $L_{ps_o}$.

In either of the above cases, B runs the above algorithm for responding to $H_2$ queries on $m_w$, having the corresponding tuple $\langle m_w, U', h_2 \rangle$ on the $L_{H_2}$ list. Now $h_2 = f$, so if $c = 0$, then B reports 'failure' and terminates. If $c = 1$, then we know that $H_1(ID_{A_i}) = a_i P$. Considering these events, let $V'_{a_i} = a_{A_i} f P + x_i P_{pub}$; then one can check that:

$$\begin{aligned}
e(P_{pub}, Q_{ID_{A_i}})^{H_2(m_w \| U')}\, e(U_i, P_{pub}) &= e(P_{pub}, H_1(ID_{A_i}))^{f}\, e(U_i, P_{pub}) \\
&= e(P_{pub}, a_{A_i} f P)\, e(P_{pub}, x_i P) \\
&= e(P_{pub}, a_{A_i} f P + x_i P) \\
&= e(P_{pub}, V'_{a_i}).
\end{aligned}$$

Hence the above provided proxy secret key which involves $V'_{a_i}$ is valid. The success probability is $(1 - \lambda)$.

Proxy multi-signature queries Proceeding adaptively, when the adversary A requests a proxy multi-signature on a message $m'$ of its choice, satisfying the warrant $m_w$, B does the following:

(1) B runs the above algorithm for responding to $H_2$ queries on $m_w$, obtaining the tuple $\langle m_w, h_2, f \rangle$ on the $L_{H_2}$ list.
(2) If $c = 0$ then B reports 'failure' and terminates. If $c = 1$, then we know that $h_1 = aP$. Now B randomly selects $x', t \in Z_q^*$ and computes $U'_p = x'P$ and $U' = tP$; then, having $f$ from the $H_2$ query for $H_2(m_w \| U')$, B again computes $Q_p = f\left(\sum_{i=1}^{n} Q_{ID_{A_i}} + Q_{ID_p}\right) + U'$. Finally B computes the proxy multi-signature $\sigma'_p = [\{f(a_{A_1} + a_{A_2} + \cdots + a_{A_n} + a_p) + t\}H_2(m' \| U'_p) + x']P_{pub}$ on message $m'$. One can check that:

$$\begin{aligned}
e(P_{pub}, Q_p)^{H_2(m' \| U'_p)}\, e(P_{pub}, U'_p)
&= e(P_{pub}, f(H_1(ID_{A_1}) + H_1(ID_{A_2}) + \cdots + H_1(ID_{A_n}) + H_1(ID_p)) + tP)^{H_2(m' \| U'_p)}\, e(P_{pub}, U'_p) \\
&= e(P_{pub}, f(a_{A_1}P + a_{A_2}P + \cdots + a_{A_n}P + a_pP) + tP)^{H_2(m' \| U'_p)}\, e(P_{pub}, U'_p) \quad \text{(for the case when } c = 1\text{)} \\
&= e(P, f(a_{A_1} + a_{A_2} + \cdots + a_{A_n} + a_p)P_{pub} + tP_{pub})^{H_2(m' \| U'_p)}\, e(P_{pub}, U'_p) \\
&= e(P, \{f(a_{A_1} + a_{A_2} + \cdots + a_{A_n} + a_p) + t\}H_2(m' \| U'_p)P_{pub})\, e(P, x'P_{pub}) \\
&= e(P, [\{f(a_{A_1} + a_{A_2} + \cdots + a_{A_n} + a_p) + t\}H_2(m' \| U'_p) + x']P_{pub}) \\
&= e(P, \sigma'_p).
\end{aligned}$$

Hence, the produced proxy multi-signature $(U'_p, \sigma'_p, U', m_w)$ on message $m'$ is valid, which satisfies $e(P_{pub}, Q_p)^{H_2(m' \| U'_p)} e(P_{pub}, U'_p) = e(P, \sigma'_p)$. The success probability is $(1 - \lambda)$.

Hence, $\Pr[\text{B does not abort during the simulation}] = (1 - \lambda)^{q_E + q_{ps} + q_{pms}}$.

Output If B never reports 'failure' in the above game, A outputs a valid ID-based proxy multi-signature $(U_p, \sigma_p, U, m_w)$ on message $m$ which satisfies $e(P_{pub}, Q_p)^{H_2(m \| U_p)} e(P_{pub}, U_p) = e(P, \sigma_p)$. If A has not queried any hash function, i.e., the responses to all the hash functions are picked randomly, then the probability that the verification equality holds is less than $1/q$. Hence, A outputs a new valid ID-based proxy multi-signature $(U_p, \sigma_p, U, m_w)$ on message $m$ with probability $(1 - \lambda)^{q_E + q_{ps} + q_{pms}}(1 - 1/q)$.

Case 1 When A simulates B and requests to interact with a user $ID_{A_1}$, where the user $ID_{A_1}$ is playing the role of an original signer. For $ID_{A_1}$, A did not request the private key in Extraction queries, A did not request a Proxy key generation query including $\langle m_w, ID_{A_1} \rangle$ and A did not request a Proxy multi-signature query including $\langle ID_{A_1}, m_w, m \rangle$. If $c = 1$, then $H_1(ID_{A_i}) = a_{A_i}P$ for $1 \le i \le n$, $i \neq 1$, and $H_1(ID_p) = a_pP$. B computes $U'_p = x'P$ and $\sigma_p = \sigma'_p - ([\{f(a_{A_2} + a_{A_3} + \cdots + a_{A_n} + a_p) + t\}H_2(m' \| U'_p) + x']P_{pub})$, then proceeds to solve CDHP using the equality:

$$\begin{aligned}
e(P, \sigma'_p) &= e(P_{pub}, f(H_1(ID_{A_1}) + H_1(ID_{A_2}) + \cdots + H_1(ID_{A_n}) + H_1(ID_p)) + tP)^{H_2(m' \| U'_p)}\, e(P_{pub}, U'_p) \\
&= e(P, [\{f(a_{A_2} + a_{A_3} + \cdots + a_{A_n} + a_p) + t\}H_2(m' \| U'_p) + x']P_{pub})\, e(P_{pub}, fH_2(m' \| U'_p)H_1(ID_{A_1})),
\end{aligned}$$

or, by the above, we can write

$$\begin{aligned}
e(P, \sigma_p) &= e(P_{pub}, fH_2(m' \| U'_p)H_1(ID_{A_1})) \\
&= e(P_{pub}, fH_2(m' \| U'_p)a_{A_1}(bP)) \\
&= e(P, a_{A_1}fH_2(m' \| U'_p)(bsP)) \\
&= e(P, k(bsP)),
\end{aligned}$$

where $k = a_{A_1}fH_2(m' \| U'_p)$. Comparing the components on both sides, $\sigma_p = k(bsP)$, which implies that $k^{-1}\sigma_p = bsP$. Hence B can solve an instance of CDHP. The probability of success is $\lambda(1 - \lambda)^n$.

Case 2 When A simulates B and requests to interact with a user $ID_p$, where user $ID_p$ is the proxy signer. For $ID_p$, A did not request the private key, A did not request a Proxy key generation query including $\langle m_w, ID_p \rangle$ and A did not request a Proxy multi-signature query including $\langle ID_p, m_w, m \rangle$. As in the above case, we can show that B can derive $sbP$ with the same success probability $\lambda(1 - \lambda)^n$.

Hence the success probability that B solves the CDHP in the above attack game is $\lambda(1 - \lambda)^{q_E + q_{ps} + q_{pms} + n}\left(1 - \frac{1}{q}\right)$. Now the maximum possible value of the above probability occurs for $\lambda = \frac{1}{q_E + q_{ps} + q_{pms} + n + 1}$. Hence the optimal success probability is $\left(1 - \frac{1}{q}\right)/(M(q_E + q_{ps} + q_{pms} + n + 1))$. Therefore $\epsilon \le \epsilon'(M(q_E + q_{ps} + q_{pms} + n + 1))/\left(1 - \frac{1}{q}\right)$, where $\frac{1}{M}$ is the maximum value of $(1 - \lambda)^{q_E + q_{ps} + q_{pms} + n}$ for $\lambda = \frac{1}{q_E + q_{ps} + q_{pms} + n + 1}$.

Now taking care of running time, one can observe that the running time of algorithm B is the same as A's running time plus the time taken to respond to the Hash, Extraction, Proxy key generation and Proxy multi-signature queries, i.e., $q_{H_1} + q_{H_2} + q_E + q_{ps} + q_{pms}$. Hence, the maximum running time is given by $t + (q_{H_1} + 2q_E + 2q_{ps} + 4q_{pms} + 1)C_{G_1}$, as each $H_1$ hash query requires one scalar multiplication in $G_1$, each Extraction query requires two scalar multiplications in $G_1$, each Proxy key generation query requires two scalar multiplications in $G_1$, each Proxy multi-signature query requires four scalar multiplications in $G_1$, and to output the CDH solution from A's forgery, B requires at most one scalar multiplication in $G_1$. Hence $t' \le t + (q_{H_1} + 2q_E + 2q_{ps} + 4q_{pms} + 1)C_{G_1}$, where $C_{G_1}$ denotes number of scalar multiplications in $G_1$.

6 Efficiency comparison

In this section, we compare the computational efficiency of our scheme with other ID-based proxy multi-signature schemes [13,16,18,19]. We consider the computational complexity due to pairing, exponentiation and hashing operations during the following phases.

Table 1 Proxy key generation phase

Scheme         Pairing   Exponentiation   Hashing
Scheme [13]    3         1                1
Scheme [16]    3         0                4
Scheme [18]    3         0                2
Scheme [19]    3         0                3
Our scheme     3         1                1

Table 2 Proxy multi-signature generation phase

Scheme         Pairing   Exponentiation   Hashing
Scheme [13]    1         1                1
Scheme [16]    0         0                1
Scheme [18]    0         0                1
Scheme [19]    0         0                1
Our scheme     0         0                1

Table 3 Verification phase

Scheme         Pairing   Exponentiation   Hashing
Scheme [13]    3         2                2
Scheme [16]    3         0                3
Scheme [18]    3         0                2
Scheme [19]    4         0                3
Our scheme     3         1                1

From the above tables it is clear that the proposed scheme is computationally more efficient than previously proposed ID-based proxy multi-signature schemes [13,16,18,19].

7 Conclusion

In this paper, we have proposed an ID-based proxy multi-signature scheme which is proved existentially unforgeable against adaptively chosen message and given ID attack in the random oracle model under the CDH assumption. Furthermore, the proposed scheme is very simple and computationally more efficient than other ID-based proxy multi-signature schemes [13,16,18,19].

Acknowledgements Authors are thankful to the Editor and anonymous reviewers for their valuable suggestions.

References

1. Shamir A. Identity-based cryptosystem and signature scheme. In: Proceedings of Crypto'84 on Advances in cryptology. 1984, 47–53
2. Hess F. Efficient identity based signature schemes based on pairings. In: Proceedings of the 9th Annual International Workshop on Selected Areas in Cryptography. 2003, 310–324
3. Paterson K G. ID-based signatures from pairings on elliptic curves. IEEE Electronic Letters, 2002, 38(18): 1025–1026
4. Tanaka H. A realization scheme for the identity-based cryptosystem. In: Proceedings of CRYPTO '87 Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology. 1987, 340–349
5. Tsuji S, Itoh T. An ID-based cryptosystem based on the discrete logarithm problem. IEEE Journal of Selected Areas in Communications, 1989, 7(4): 467–473
6. Boneh D, Franklin M K. Identity-based encryption from the Weil pairing. In: Proceedings of 21st Annual International Cryptology Conference. 2001, 213–229
7. Cha J C, Cheon J H. An identity-based signature from gap Diffie-Hellman groups. In: Proceedings of 6th International Workshop on Theory and Practice in Public Key Cryptography. 2003, 18–30
8. Smart N P. An identity based authenticated key agreement protocol based on the Weil pairing. IEEE Electronic Letters, 2002, 38(13): 630–632
9. Yi X. An identity-based signature scheme from the Weil pairing. IEEE Communications Letters, 2003, 7(2): 76–78
10. Mambo M, Usuda K, Okamoto E. Proxy signatures: delegation of the power to sign messages. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 1996, E79-A(9): 1338–1354
11. Yi L, Bai G, Xiao G. Proxy multi-signature scheme: a new type of proxy signature scheme. IEEE Electronics Letters, 2000, 36(6): 527–528
12. Li X, Chen K, Li S. Multi-proxy signature and proxy multi-signature schemes from bilinear pairings. In: Proceedings of the 5th International Conference on Parallel and Distributed Computing: Applications and Technologies. 2004, 591–595
13. Li X, Chen K. ID-based multi-proxy signature, proxy multi-signature and multi-proxy multi-signature schemes from bilinear pairings. Applied Mathematics and Computation, 2005, 169(1): 437–450
14. Lee B, Kim H, Kim K. Strong proxy signature and its applications. In: Proceedings of 2001 Symposium on Cryptography and Information Security. 2001, 603–608
15. Gu C X, Pan H, Zhu Y F. A new ID-based proxy multi-signature scheme from bilinear pairings. Wuhan University Journal of Natural Sciences, 2006, 11(1): 193–197
16. Wang Q, Cao Z. Identity based proxy multi-signature. Journal of Systems and Software, 2007, 80(7): 1023–1029
17. Gentry C, Ramzan Z. Identity-based aggregate signatures. In: Proceedings of 9th International Conference on Theory and Practice of Public-Key Cryptography. 2006, 257–273
18. Shao Z. Improvement of identity-based proxy multi-signature scheme. Journal of Systems and Software, 2009, 82(5): 794–800
19. Cao F, Cao Z. A secure identity-based proxy multi-signature scheme. Information Sciences, 2009, 179(3): 292–302
20. Boldyreva A, Palacio A, Warinschi B. Secure proxy signature schemes for delegation of signing rights. 2003, http://eprint.iacr.org/2003/096
21. Wang Q, Cao Z. Security arguments for partial delegation with warrant proxy signature schemes. 2004, http://eprint.iacr.org/2004/315
22. Wang Q, Cao Z, Wang S. Formalized security model of multi-proxy signature schemes. In: Proceedings of the 5th International Conference on Computer and Information Technology. 2005, 668–672
23. Xu J, Zhang Z, Feng D. ID-based proxy signature using bilinear pairings. In: Proceedings of International Workshop on Information Assurance in Distributed Systems. 2005, 359–367

Rajeev Anand Sahu received his BSc and MSc degrees from Guru Ghasidas University, Bilaspur, India in 2003 and 2005 respectively. He is a life member of the Cryptology Research Society of India (CRSI). His area of interest is ID-based digital signature. Presently he is pursuing his PhD degree at Motilal Nehru National Institute of Technology, Allahabad, India.

Sahadeo Padhye received his BSc and MSc degrees in Mathematics from Pt. Ravishankar Shukla University, Raipur, Chhattisgarh, India in 1999 and 2001. The Council of Scientific and Industrial Research (CSIR), India granted him a Junior Research Fellowship (2002–2004). He received his PhD degree from Pt. Ravishankar Shukla University, Raipur, India in 2006. He is a life member of the Cryptology Research Society of India (CRSI) and a member of the International Association of Cryptologic Research (IACR). His areas of interest are Public Key Cryptography (RSA) and Digital signature. Presently he is working as Assistant Professor at Motilal Nehru National Institute of Technology, Allahabad, India.