Strongly Unforgeable and Efficient Proxy Signature Scheme with Fast ...

Hindawi Publishing Corporation International Journal of Distributed Sensor Networks Volume 2016, Article ID 3205206, 12 pages http://dx.doi.org/10.1155/2016/3205206

Research Article Strongly Unforgeable and Efficient Proxy Signature Scheme with Fast Revocation Secure in the Standard Model Liaojun Pang,1,2 Huiyang Zhao,1 Xia Zhou,1 and Huixian Li2,3 1

State Key Lab of Integrated Services Networks, School of Life Science and Technology, Xidian University, Xi’an 710071, China Department of Computer Science, Wayne State University, Detroit, MI 48202, USA 3 School of Computer Science and Engineering, Northwestern Polytechnical University, Xi’an 710072, China 2

Correspondence should be addressed to Liaojun Pang; [email protected] Received 1 August 2015; Revised 2 November 2015; Accepted 10 November 2015 Academic Editor: Amiya Nayak Copyright © 2016 Liaojun Pang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. The existing proxy signature schemes with the proxy revocation function are proven to be malleable and do not possess strong unforgeability. Motivated by these concerns, a new proxy signature scheme with fast revocation is proposed, and it can be proved that the proposed scheme can achieve strong unforgeability in the standard model. By using this scheme, the original signer can generate the delegation warrant for the proxy signer, and at the same time, he/she can perform the immediate revocation to completely terminate the delegation when needed. Analyses show that the proposed scheme satisfies all of the security requirements of proxy signature and has shorter public parameters than the existing ones.

1. Introduction As a variation of digital signature [1], proxy signature [2] allows the original signer to delegate his/her signature rights to a proxy signer. In this case, the designated proxy signer can generate valid signatures like the original signer. Proxy signature has many important applications in our daily life. For example, in the sensor networks aiming at collecting temperature data, sensor nodes are responsible for collecting data and sending them to the sink node. With data from sensor nodes, the sink node processes them and issues the analysis result publicly through Internet. Generally, it is necessary for people to judge where this result comes from, and in this case the analysis result should be signed by the sink node before releasing it. Normally, the sink node is able to carry out the signature process by itself. However, it maybe has to choose a trustworthy and capable equipment to replace itself to implement signature for some reason, and the selected equipment is called a proxy signer. This is a typical case for sensor-based application systems. In fact, proxy signature has found even wider applications, including electronic commerce, e-cash, and mobile agents, where delegation of rights is quite common [3]. Thus, proxy

signature becomes one of the hot topics in the field of information security, and many schemes [4–9] have been proposed recently. In proxy signature, it is important to securely process the proxy revocation problem when a valid delegation expires or the original signer wants to revoke a valid delegation ahead of schedule for some reason. For instance, in the above example, the signature rights can be assigned to other equipment by the sink node. However, during the period of delegation, the sink node maybe wants to repeal the rights before the end of the delegation. In this case, the delegation revocation function is needed. Although fast revocation has already been taken into account in several proxy signature schemes [10– 13], none of them have achieved the security notion of the secure existential unforgeablility, since an adversary can still generate a valid signature on the same message without the private key. That is to say, the adversary is still able to forge a signature after the proxy signer is revoked. The basic reason is that these proxy signature schemes are designed by using 2level hierarchical Waters’ schemes, but Waters et al.’s scheme is malleable [5, 14]. Motivated by the above concerns, we proposed a new proxy signature scheme with fast revocation in the standard

2 model under the computational Diffie-Hellman assumption and proved that it can achieve strong unforgeability in the standard model. Compared with the existing proxy signature schemes, the proposed scheme has the following merits: shorter size of public parameters and tighter security reduction. At the same time, the proposed scheme has the property of fast revocation. In a word, our scheme achieves strong unforgeability of the proxy signature scheme with revocation. The rest of this paper is organized as follows: in Section 2, we shall briefly review related works in the field of proxy signature. Hard problems and security notions are given in Section 3. In Section 4, we introduce the new proxy signature scheme. In Section 5, we analyze the correctness and security of our scheme and compare our scheme with existing schemes in terms of computational efficiency, the number of public parameters, and security. Finally, we conclude this paper in Section 6.

2. Related Works The concept of proxy signature was first introduced by Mambo et al. [2], and it has been considered the most promising technique to solve the delegation problem of signature rights [15]. Since then, proxy signature has attracted a considerable amount of interest from researchers. According to the delegation types [2], proxy signature can be classified into three types: full delegation, partial delegation, and delegation by warrant. For the full delegation [15], the original signer directly sends his/her private key to the proxy signer. It is easy to implement the full delegation, but the signature produced by the proxy signer is completely indistinguishable from the one produced by the original signer. In fact, such schemes are obviously impractical and insecure, because the proxy signer has the same right as the original signer, and the original signer cannot achieve revocation of delegated rights. For the partial delegation [15], the original signer generates a proxy key from his/her private key and securely transfers it to the proxy signer, and the proxy signer uses this proxy key to sign messages on behalf of the original signer. Moreover, partial delegation is classified as proxyunprotected and proxy-protected based on the protection of the proxy signer [15]. However, the signed messages by the proxy signer are not limited, so the proxy signer may sign some messages that the original signer is not willing to sign. To eliminate this drawback, Kim et al. [16] presented the partial delegation scheme with warrant, which combines the merits of the partial delegation and the delegation by warrant. In the delegation by warrant, the original signer specifies what kind of message is delegated in the warrant and produces a signature on the warrant. Then, the proxy signer uses this signature and his private key to create a valid proxy signature on behalf of the original signer. But this scheme was proven insecure later. Recently, several proxy signature schemes have been put forward. In 2008, Liu et al. [6] presented a proxy multisignature scheme in the standard model, which allows a proxy signer to generate proxy signatures on behalf of two or more

International Journal of Distributed Sensor Networks original signers. In 2012, Hwang et al. [17] proposed a variation of proxy signature scheme called threshold multiproxy multisignature scheme with shared verification based on the RSA problem. Sahu and Saraswat [18], in 2015, proposed an efficient and provably secure identity-based multi-proxy signature scheme, which allows a user to transfer its signature rights to a group of proxy signers. However, most of the existing proxy signature schemes have the following essential shortcomings [19]. First, the declaration of a valid delegation in the warrant is useless. The proxy signer can still produce a signature even if the delegation period has expired. Second, when the original signer wants to revoke the delegation earlier than his/her schedule, he/she can do nothing. Thus, the revocation of delegated rights is an essential problem of proxy signature. To solve these problems, some schemes with revocation have been proposed. For example, Sun and Chen [20] proposed a time-stamped proxy signature scheme and claimed that the revocation problem can be solved by using a timestamp. However, their scheme suffers from security weakness and cannot solve the second problem [21]. Seo et al. [19] proposed a mediated proxy signature scheme to solve the proxy revocation problem by using a special entity, called SEM, which is an online partially trusted server. But the shortcoming of the above schemes [19–21] is that they cannot be proven secure in the random oracle model or in the standard model. In order to eliminate this shortcoming, in 2009, Liu et al. [10] first proposed a provable secure proxy signature with revocation in the standard model. For the lack of formal security definitions, many early schemes were proven insecure later. Therefore, security notion and security concept are important for designing the proxy signature schemes. In 2003, Boldyreva et al. [22] first defined the security model of proxy signature schemes. Although their model is efficient, it has received many criticisms, since the security of their model is unable to describe the security in the standard model. Consequently, their scheme is proved secure in the random oracle model, but it is vulnerable to the proxy key exposure attack. So, it is an interesting problem to design a proxy signature scheme, which can be proven secure in the standard model and avoid the proxy key exposure attack. In 2006, Huang et al. [4] divided the attackers into three types to make the security model much clearer and proposed a secure proxy signature in the standard model. Based on Huang et al.’s scheme and Waters’ technique, Liu et al. [10] proposed a formal security model for proxy signature with fast revocation in the standard model. After that, many proxy signature schemes with revocation in the standard model have been proposed [10– 13], and they are demonstrated by using a 2-level hierarchical Waters signature. However, there are two drawbacks in these schemes [10–12]. One is that they have a large number of public parameters, and the other is that they are not strongly unforgeable since an adversary is still able to forge a valid signature on the same message without the private key after the proxy signer is revoked. Later, many new schemes were proposed. In 2013, Kim et al. [23] and Swapna et al. [24] constructed the provably secure ID-based proxy signature schemes based on the lattice

International Journal of Distributed Sensor Networks problems, respectively and independently, but these schemes increased the length of the proxy private key significantly. In 2014, Hu et al. [25] presented a novel ID-based proxy signature scheme, and the proposed scheme is provably secure in the standard model. In the same year, Cao et al. [26] also presented a weak blind signature scheme by combing the requirements for proxy signature and weak blind signature. Unfortunately, Zhang and Jia [27] found that there exists a security problem in Cao et al.’s scheme. That is to say, the receiver of the signature can forge a valid signature on any message without being perceived, and at the same time, Zhang and Jia provided the detailed attack strategy and the possible improved schemes. The existing proxy signature schemes are existentially unforgeable under adaptive chosen-message attacks and adaptive chosen-warrant attacks, which means that an adversary should not be able to produce a valid signature for a new message. However, most existing signature schemes are randomized and may produce some valid signatures for the same message, because they do not have the property of strong unforgeability, which is desirable in some applications [28]. A scheme is said to be strongly unforgeable if it is existentially unforgeable under adaptive chosen message attacks and an adversary cannot generate a different valid signature on the same message. Although strong unforgeability is an important property of proxy signature schemes, there are few proxy signatures that possess the property of strong unforgeability in the standard model because of the malleability of Waters’ signature. In 2011, Sun et al. [7] proposed the first strongly unforgeable proxy signature in the standard model with the Waters’ scheme and Boneh et al. [29]. This scheme shows the formal security of a strongly unforgeable proxy signature. However, Sun et al. could not solve the revocation problem of delegated rights described above. Overall, although fast revocation has been taken into account in several proxy signature schemes, these schemes do not possess strong unforgeability. Therefore, a strongly unforgeable proxy signature with fast revocation in the standard model is an interesting topic. We need to construct a strongly unforgeable proxy signature with revocation under the computational Diffie-Hellman assumption. Our scheme is based on Sun et al.’s work [7] and the SEM revocation mechanism [19–21].

3 Table 1: Notations. Name

Meaning

𝑃 𝐺 𝐺𝑇 𝑍𝑝 𝑔 𝑒

Large prime integer Additive group of order 𝑝 Multiplicative group of order 𝑝 The set of positive integers which are less than 𝑝 Generator of 𝐺 Bilinear mapping, that is, 𝑒: 𝐺 × 𝐺 → 𝐺𝑇 Cryptographic hash function: {0, 1}∗ × 𝐺 × 𝐺𝑇 → 𝑍𝑝 (𝑖 = 1, 2) Hash function: {0, 1}∗ → {0, 1}𝑛 Private key of 𝑖, where 𝑖 ∈ {𝐴, 𝐵} Public key of 𝑖, where 𝑖 ∈ {𝐴, 𝐵} Warrant including the period of delegation, and so forth Message to sign Computational Diffie-Hellman problem Probability of polynomial algorithm The probability of an event

ℎ𝑖 𝐻0 sk𝑖 pk𝑖 𝑤 𝑀 CDH 𝜀 pr

𝑍𝑝 , to compute 𝑔𝑎𝑏 ∈ 𝐺, the probability that a polynomial algorithm 𝐴 can solve the CDH problem is defined as = pr [𝑔𝑎𝑏 ←󳨀 𝐴 (𝐺, 𝑔, 𝑔𝑎 , 𝑔𝑏 )] . SuccCDH 𝐴

(1)

Definition 2 (computational Diffie-Hellman (CDH) assumption in 𝐺). Given 𝑔, 𝑔𝑎 , 𝑔𝑏 ∈ 𝐺 for two unknown values 𝑎 and 𝑏 ∈ 𝑍𝑝 , SuccCDH is negligible. 𝐴 3.2. Algorithm Model. In this section, we will give the outline of a strongly unforgeable proxy signature with fast revocation. There exist three parties: an original signer Alice shorted by 𝐴, a proxy signer Bob shorted by 𝐵, and a security mediator SEM shorted by 𝑆, which is an online partial third server, introduced to check whether the proxy signer signs a message according to the warrant or he/she exists on the revocation list. 𝐵 is picked by 𝐴. For other entities, 𝑆 is supposed to be a partially trusted third party, who has to perform this protocol strictly. A proxy signature scheme with fast revocation consists of the following algorithms.

3. Preliminaries

(1) Setup. Given the system security parameter, this algorithm outputs the system parameter 𝜋, which is publicly known.

Before introducing our scheme, we shall briefly introduce the difficult problems and security models related to our scheme. Notations used throughout the paper are summarized in Table 1.

(2) Key-Gen. Given 𝜋, this algorithm generates a privatepublic key pair (sk𝑖 , pk𝑖 ) for 𝑖 ∈ {𝐴, 𝐵}. The private keys of signers must be kept secret.

3.1. Hard Problems. The security of the proposed scheme is based on the hardness of the well-known hard mathematical problem, the computational Diffie-Hellman problem.

(3) Delegation-Gen. Given 𝜋, the private key of 𝐴 sk𝐴, and a warrant 𝜔 to be delegated, this algorithm outputs a revocation identifier 𝑅𝐴 , and two partial delegation keys 𝜎𝐵 and 𝜎𝑆 . 𝐴 sends (𝜔, 𝜎𝐵 , 𝑅𝐴 ) to 𝐵 and (𝜔, 𝜎𝑆 , 𝑅𝐴 ) to 𝑆.

Definition 1 (computational Diffie-Hellman (CDH) problem in 𝐺). Given 𝑔, 𝑔𝑎 , 𝑔𝑏 ∈ 𝐺 for unknown values 𝑎 and 𝑏 ∈

(4) Delegation-Verify. After receiving (𝜔, 𝜎𝐵 , 𝑅𝐴 ) and (𝜔, 𝜎𝑆 , 𝑅𝐴 ), both 𝑆 and 𝐵 prove the validity of the delegation.

4

International Journal of Distributed Sensor Networks

(5) Proxy-Valid. 𝐵 wants to sign a message 𝑀. 𝑆 must guarantee that the period of proxy delegation specified in the warrant 𝜔 is valid, and 𝐵 is not on the public revocation list.

private/public key pair (sk𝐵 , pk𝐵 ). Then, 𝐶 sends pk𝐴 , sk𝐵 , and pk𝐵 to an adversary 𝐴 II .

(6) ProxySign-Gen. Given 𝜋, a warrant 𝜔, a message 𝑀, two delegation keys 𝜎𝐵 and 𝜎𝑆 , and the secret key sk𝐵 of 𝐵, this algorithm outputs a proxy signature 𝜎. (7) ProxySign-Verify. Given 𝜋, a warrant 𝜔, a message 𝑀, the signature 𝜎, and the public keys pk𝐴 and pk𝐵 , this algorithm outputs 1 if 𝜎 is valid and 0 otherwise. (8) Proxy-Revocation. If 𝐴 wants to revoke the delegation of 𝐵 before the specific delegation period expires, he/she asks 𝑆 to put (𝜔, 𝑅𝐴) on the public revocation list. Therefore, if the delegation period has expired or (𝜔, 𝑅𝐴 ) exists in the revocation list, 𝑆 will not issue any token for the proxy signer. 3.3. Security Models. For proxy signature schemes, the first security model was proposed by Mambo et al. [15]. However, this model was vulnerable to proxy key exposure attacks. In order to avoid proxy key exposure attacks, Huang et al. [4] provided a new security model of proxy signatures, where adversaries are divided into three types to make the security model much clearer. We modified this model a little to make it adapt to our scheme and strengthen its strong unforgeability of proxy signature. Three types of adversaries are shown as follows. Type I. Adversary 𝐴 I only has the public keys of 𝐴 and 𝐵. It is an outside attacker in this case. Type II. Adversary 𝐴 II has the public keys of 𝐴 and 𝐵, and at the same time, he/she has corrupted the secret key of the proxy signer. It is an inside attacker in this case. Type III. Adversary 𝐴 III has the public keys of 𝐴 and 𝐵. In addition, he/she has corrupted the secret key of the original signer. It is also an inside attacker in this case. Clearly, if a proxy signature scheme is strongly unforgeable against type II and type III adversaries, it is also strongly unforgeable against type I. Therefore, if we show that our scheme is strongly unforgeable against type II and type III adversaries, it means that our scheme is strongly unforgeable against all three types of adversaries. In the following security model, we only consider the type II adversary 𝐴 II and type III adversary 𝐴 III . 3.3.1. Strong Existential Unforgeability against the Adaptive 𝐴 II Adversary. The strong unforgeability of the proxy signature scheme with fast revocation under 𝐴 II adversary requests that it is difficult for an attacker to forge a valid signature on 𝑀 under a warrant if he/she does not obtain the delegation of the warrant 𝜔. It is defined as the following game between a challenger 𝐶 and an adversary 𝐴 II . (1) 𝐶 runs the Setup algorithm to obtain the system parameter 𝜋 and runs the Key-Gen algorithm to obtain 𝐴’s private/public key pair (sk𝐴, pk𝐴) and 𝐵’s

(2) 𝐴 II makes a series of queries. (a) SEM-Delegation queries: 𝐴 II requests 𝑆’s delegation key on a warrant 𝜔. 𝐶 runs the Delegation-Gen algorithm to obtain the partial delegation key 𝜎𝑆 , and a revocation identifier 𝑅𝐴 , and then returns (𝜔, 𝜎𝑆 , 𝑅𝐴 ) to an adversary 𝐴 II . (b) User-Delegation queries: 𝐴 II requests 𝑆’s delegation key on a warrant 𝜔. 𝐶 runs the DelegationGen algorithm to obtain the partial delegation key 𝜎𝐵 , and a revocation identifier 𝑅𝐴 , and then returns (𝜔, 𝜎𝐵 , 𝑅𝐴 ) to an adversary 𝐴 II . (c) SEM-Sign queries: 𝐴 II requests 𝑆’s partial proxy signature on a message 𝑀, which satisfies the warrant 𝜔. 𝐶 runs the ProxySign-Gen algorithm and obtains the partial proxy signature 𝜎ps . (d) User-Sign queries: 𝐴 II requests 𝐵’s complete signature on a message 𝑀. 𝐶 runs the ProxySignGen algorithm and obtains a proxy signature 𝜎. (3) Finally, 𝐴 II outputs a pair (𝑀∗ , 𝜔∗ , 𝜎∗ ), such that (a) 𝜔∗ has not been queried in the SEM-Delegation or User-Delegation query, (b) 𝜎∗ is a valid signature of the message 𝑀∗ under the warrant 𝜔∗ , (c) (𝑀∗ , 𝜔∗ , 𝜎∗ ) is not among the triplets (𝑀𝑖 , 𝜔𝑖 , 𝜎𝑖 ) during the User-Sign query. The advantage of an adversary 𝐴 II in the above game is defined to be Succ𝐴 II = pr [𝐴 II succeeds] .

(2)

Definition 3. An adversary 𝐴 II is said to be an (𝜀, 𝑡, 𝑞𝑤 , 𝑞ps ) forger of a proxy signature scheme with revocation if 𝐴 II has the advantage of at least 𝜀 in the above game, runs in time at most 𝑡, and makes at most 𝑞𝑤 SEM-Delegation queries and User-Delegation queries, and 𝑞ps SEM-Sign queries and UserSign queries. If no (𝜀, 𝑡, 𝑞𝑤 , 𝑞ps ) forger 𝐴 II exists, the scheme is said to be (𝜀, 𝑡, 𝑞𝑤 , 𝑞ps ) strongly unforgeable against adaptive chosen warrant/message attacks. 3.3.2. Strong Existential Unforgeability against Adaptive 𝐴 III Adversary. The strong unforgeability of the proxy signature scheme with fast revocation under an 𝐴 III adversary requests that it is difficult for 𝐴 to forge a valid signature on 𝑀∗ which has not been signed by 𝐵. It is defined as the following game between a challenger 𝐶 and an adversary 𝐴 III . (1) 𝐶 runs the Setup algorithm to obtain system’s parameters 𝜋 and runs the Key-Gen algorithm to obtain 𝐴’s private/public key pair (sk𝐴, pk𝐴 ), and 𝐵’s private/public key pair (sk𝐵 , pk𝐵 ). Then, 𝐶 sends pk𝐴 , sk𝐴, and pk𝐵 to the adversary 𝐴 III .


5

(2) 𝐴 III makes a series of queries: User-Sign queries: 𝐴 III requests 𝐵’s the complete proxy signature on a message 𝑀. 𝐶 runs the ProxySign-Gen algorithm and obtains a proxy signature 𝜎. (3) Finally, 𝐴 III outputs a pair (𝑀∗ , 𝜔∗ , 𝜎∗ ), such that (a) 𝜎∗ is a valid signature of the message 𝑀∗ under the warrant 𝜔∗ , (b) (𝑀∗ , 𝜔∗ , 𝜎∗ ) is not among the triplets (𝑀𝑖 , 𝜔𝑖 , 𝜎𝑖 ) during the User-Sign query. The advantage of an adversary 𝐴 III in the above game is defined to be Succ𝐴 III = pr [𝐴 III succeeds] .

(3)

Definition 4. An adversary 𝐴 III is said to be an (𝜀, 𝑡, 0, 𝑞ps ) forger of a proxy signature scheme with revocation if 𝐴 III has the advantage of at least 𝜀 in the above game, runs in time at most 𝑡, and makes at most 𝑞ps SEM-Sign queries and UserSign queries. If no (𝜀, 𝑡, 0, 𝑞ps ) forger 𝐴 III exists, the scheme is said to be (𝜀, 𝑡, 0, 𝑞ps ) strongly unforgeable against adaptive chosen warrant/message attacks.

4. The Proposed Scheme In this section, we shall introduce the strongly unforgeable proxy signature scheme with fast revocation in the standard model in detail, and this scheme is based on the existing works [5, 14]. Waters et al.’s scheme [14] is a basic algorithm prototype of Sun et al.’s scheme [5], and Sun et al. proposed the first proxy signature scheme based on Waters et al.’s model. Unfortunately, their schemes were proved to be insecure later [7]. So we analyzed their schemes and proposed a new proxy signature scheme with fast revocation, and this is our main contribution. Let 𝐴 denote the original signer Alice, 𝐵 denote the proxy signer Bob, and 𝑆 denote the security mediator SEM who is an online partially trusted server. In the following, all the warrants to be signed will be regarded as a bit string of length 𝑛. Note: to construct a more flexible scheme which allows warrants of arbitrary length, a collision resistant hash function 𝐻0 : {0, 1}∗ → {0, 1}𝑛 should be employed. The proposed scheme is illustrated in Figure 1 and elaborated on as follows. (1) Setup. Let (𝐺, 𝐺𝑇 ) be bilinear groups where |𝐺| = |𝐺𝑇 | = 𝑝 for a prime order 𝑝, and 𝑔 is the generator of 𝐺. Let 𝑒 denote a bilinear pairing 𝑒: 𝐺×𝐺 → 𝐺𝑇 . Additionally, choose random parameters 𝑢󸀠 , 𝑢1 , 𝑢2 , . . . , 𝑢𝑛 , V ∈ 𝐺, and a collision resistant hash function 𝐻: {0, 1}∗ × 𝐺 × 𝐺𝑇 → 𝑍𝑝 , and then set 𝑢 = (𝑢1 , 𝑢2 , . . . , 𝑢𝑛 ). The system’s public parameters are denoted as 𝜋 = (𝐺, 𝐺𝑇 , 𝑒, 𝑝, 𝑔, 𝑢󸀠 , V, 𝑢, 𝐻). (2) Key-Gen. 𝐴 randomly picks 𝑥𝐴 and 𝑦𝐴 ∈ 𝑍𝑝 and sets her private key sk𝐴 = (𝑥𝐴, 𝑦𝐴 ). Then, 𝐴 computes her public key pk𝐴 = (pk𝐴𝑥 , pk𝐴𝑦 ) = (𝑔𝑥𝐴 , 𝑔𝑦𝐴 ). Similarly, 𝐵 sets his secret key sk𝐵 = (𝑥𝐵 , 𝑦𝐵 ), and the public key pk𝐵 =

(pk𝐵𝑥 , pk𝐵𝑦 ) = (𝑔𝑥𝐵 , 𝑔𝑦𝐵 ). All public keys are certified by a Certification Authority (AS). (3) Delegation-Gen. The warrant 𝜔 is signed by 𝐴 and contains important information such as valid time of delegation of the signing rights, the identities of the original signer and the proxy signer, and other information of the delegation. Let 𝜔𝑖 denote the 𝑖th bit of 𝜔, and set 𝑊 = {𝑖 | 𝜔𝑖 = 1, 𝑖 = 1, 2, . . . , 𝑛}. The original signer chooses randomly 𝑥𝐴1 , 𝑥𝐴2 , 𝑟𝐵 , 𝑟𝑆 ∈ 𝑍𝑝 , such that 𝑥𝐴1 +𝑥𝐴2 = 𝑥𝐴, and computes 𝑟𝐵 + 𝑟𝑠 = 𝑟𝐴 , 𝑅𝐴 = 𝑔𝑟𝐴 , 𝜎𝐵 = (𝜎𝐵1 , 𝜎𝐵2 ) = (𝑔

𝑥𝐴1 𝑦𝐴

𝑟𝐵

󸀠

(𝑢 ∏ 𝑢𝑖 ) , 𝑔𝑟𝐵 ) ,

(4)

𝑖∈𝑊

𝑟𝑆

𝜎𝑆 = (𝜎𝑆1 , 𝜎𝑆2 ) = (𝑔𝑥𝐴2 𝑦𝐴 (𝑢󸀠 ∏ 𝑢𝑖 ) , 𝑔𝑟𝑆 ) . 𝑖∈𝑊

Then, 𝐴 sends (𝜔, 𝜎𝐵 , 𝑅𝐴 ) to 𝐵 and (𝜔, 𝜎𝑆 , 𝑅𝐴 ) to 𝑆, respectively. (4) Delegation-Verify. To confirm the correctness of (𝜔, 𝜎𝐵 , 𝑅𝐴), 𝐵 computes 𝑅𝐵 = 𝑒(𝜎𝐵1 , 𝑔), and sends (𝜔, 𝜎𝐵 ) to 𝑆. After 𝐵 receives 𝑅𝑆 = 𝑒(𝜎𝑆1 , 𝑔) from 𝑆, he verifies whether the following equation holds: 𝑅𝐵 𝑅𝑠 = 𝑒 (pk𝐴𝑥 , pk𝐴𝑦 ) 𝑒 (𝑢󸀠 ∏ 𝑢𝑖 , 𝑅𝐴 ) .

(5)

𝑖∈𝑊

Similarly, 𝑆 verifies the above equation by 𝑅𝐵 . If the verification is not valid, 𝐵 and 𝑆 would request valid delegations from 𝐴 again or terminate this protocol. (5) Proxy-Valid. To produce a proxy signature on a message 𝑀, 𝐵 has to cooperate with 𝑆. 𝐵 transmits his identity and (𝜔, 𝑀, 𝑅𝐴 , 𝑅𝐵 ) to 𝑆. 𝑆 confirms that (𝜔, 𝑀, 𝑅𝐴 , 𝑅𝐵 ) was received in the Delegation-Gen and Delegation-Verify phases. Then, 𝑆 must assure the following conditions, before he/she generates the partial proxy signature on the message 𝑀. (a) The period of proxy delegation specified in the warrant 𝜔 should be valid. (b) (𝜔, 𝑅𝐴) should not be in the public revocation list. If (𝜔, 𝑅𝐴) is in the list, it means that the delegation has been revoked. If the two conditions hold, 𝑆 can perform the ProxySignGen stage. (6) ProxySign-Gen. Let 𝑀 be an 𝑛-bit message. The proxy signer has to cooperate with 𝑆 to generate a proxy signature on 𝑀.

6

International Journal of Distributed Sensor Networks Setup:

PKG Params = ⟨G, GT , e, p, g, u󳰀 , , u, H⟩

User i

Key-Gen:

AS

ski = (xi , yi ) (i ∈ {A, B})

pki

pki = (pkix , pkiy ) = (gx𝑖 , gy𝑖 )

Certify it

Delegation-Gen: w: the warrant A

󳰀

r𝐵

r

󳰀

r𝑆

r𝑆

𝜔,

𝜎B = (gx𝐴1 y𝐴 (u ∏ ui ) , g 𝐵 )

𝜎S = (g Delegation-Verify:

(𝜔

RA = gr𝐵

x𝐴2 y𝐴

) ,RA B 𝜎 ,

𝜎S

B

,R

A)

( u ∏ ui ) , g )

S

(𝜔, 𝜎B )

B

S

(𝜔, 𝜎S )

Both judge RB Rs = e(pkAx , pkAy )e(u󳰀 ∏ i∈W ui , RA )? Proxy Valid:

B

S (𝜔, M, RA , RB )

Want to sign M

Valid? Yes!

ProxySign-Gen: x𝐴2 y𝐴

𝜎ps = (g

Compute partial signature r1 + r𝑆 (M)h1 k1 , gr1 , gh1 k1 ) (u ∏ ui ) 󳰀

i∈W

𝜎ps

Compute signature

̃r

̃

r

𝜎 = (gx𝐴 y𝐴 gx𝐵 y𝐵 (u󳰀 ∏ ui ) (M)h , g 1

+r2

̃

, gh )

i∈W

ProxySign-Verify:

Verifier

Judge (𝜎1 , g) = e(pkAx , pkAy )e(pkBx , pkBy )e(u󳰀 ∏ i∈W ui , RA 𝜎2 )e(M, 𝜎3 )?

Proxy-Revocation:

A

S

Want to revocate B

(𝜔, RA )

Put it in the revocation list

Figure 1: The proposed proxy signature scheme with revocation.

(a) 𝑆 randomly chooses 𝑟1 , 𝑘1 ∈ 𝑍𝑝 and computes ℎ1 = 𝐻(𝑀 ‖ 𝜔, 𝜎𝑆2 , 𝑔𝑘1 ). Then, he sends the following partial proxy signature 𝜎ps to 𝐵:

(b) 𝐵 checks whether the following equation holds:

𝑒 (𝜎ps1 , 𝑔) 𝑅𝐵 𝜎ps = (𝑔

𝑥𝐴2 𝑦𝐴

𝑟1 +𝑟𝑆

󸀠

(𝑢 ∏ 𝑢𝑖 ) 𝑖∈𝑊

(𝑀V)ℎ1 𝑘1 , 𝑔𝑟1 , 𝑔ℎ1 𝑘1 ) .

(6)

= 𝑒 (pk𝐴𝑥 , pk𝐴𝑦 ) 𝑒 (𝑢󸀠 ∏ 𝑢𝑖 , 𝑅𝐴𝜎ps2 ) 𝑒 (𝑀V, 𝜎ps3 ) . 𝑖∈𝑊

(7)


7

If yes, 𝐵 chooses two random values 𝑟2 , 𝑘2 ∈ 𝑍𝑝 and computes ℎ2 = 𝐻(𝑀 ‖ 𝜔, 𝜎𝐵2 , 𝑔𝑘2 ). The proxy signature is computed as in the following equation: 𝑟2

𝑒(𝑔𝑥𝐴1 𝑦𝐴 , 𝑔𝑥𝐴2 𝑦𝐴 ) = 𝑒(𝑔𝑥𝐴1 +𝑥𝐴2 , 𝑔𝑦𝐴 ) = 𝑒(pk𝐴𝑥 , pk𝐴𝑦 ). Thus, we have 𝑅𝐵 𝑅𝑠 = 𝑒 (𝜎𝐵1 , 𝑔) 𝑒 (𝜎𝑠1 , 𝑔) = 𝑒 (𝑔

𝜎 = (𝜎ps1 𝜎𝐵1 (𝑢󸀠 ∏ 𝑢𝑖 ) (𝑀V)ℎ2 𝑘2

𝑥𝐴1 𝑦𝐴

(𝑢 ∏ 𝑢𝑖 ) , 𝑔) 𝑖∈𝑊

𝑖∈𝑊

𝑟𝑆

⋅ 𝑒 (𝑔𝑥𝐴2 𝑦𝐴 (𝑢󸀠 ∏ 𝑢𝑖 ) , 𝑔) = 𝑒 (𝑔𝑥𝐴1 𝑦𝐴 𝑔𝑥𝐴2 𝑦𝐴 , 𝑔)

⋅ 𝑔𝑥𝐵 𝑦𝐵 , 𝜎ps2 𝑔𝑟2 , 𝜎ps3 𝑔ℎ2 𝑘2 )

𝑖∈𝑊

𝑟1 +𝑟2 +𝑟𝐵 +𝑟𝑆

(8)

𝑖∈𝑊

⋅ (𝑀V)

,𝑔

𝑟1 +𝑟2

,𝑔

ℎ1 𝑘1 +ℎ2 𝑘2

̃𝑟

= (𝑔

𝑥𝐴 𝑦𝐴 𝑥𝐵 𝑦𝐵

𝑔

)

, 𝑔) = 𝑒 (pk𝐴𝑥 , pk𝐴𝑦 )

𝑖∈𝑊

𝑖∈𝑊

̃

̃

Theorem 6. The proxy signature verification algorithm in our algorithm is correct.

𝑖∈𝑊

where ̃𝑟 = 𝑟1 + 𝑟2 + 𝑟𝐵 + 𝑟𝑆 , and ℎ̃ = ℎ1 𝑘1 + ℎ2 𝑘2 . (7) ProxySign-Verify. The verifier verifies whether the proxy signature 𝜎 on the message 𝑀 is valid by judging whether the following equation holds:

⋅ 𝑒 (𝑢 ∏ 𝑢𝑖 , 𝑅𝐴 𝜎2 ) 𝑒 (𝑀V, 𝜎3 ) .

Proof. In our algorithm, we have the equations 𝜎ps1 𝑔𝑥𝐴2 𝑦𝐴 (𝑢󸀠 ∏𝑖∈𝑊𝑢𝑖 )𝑟1 +𝑟𝑆 (𝑀V)ℎ1 𝑘1 and 𝑅𝐵 = 𝑒(𝜎𝐵1 , 𝑔) 𝑒(𝑔𝑥𝐴1 𝑦𝐴 (𝑢󸀠 ∏𝑖∈𝑊𝑢𝑖 )𝑟𝐵 , 𝑔). Thus, we have

= =

𝑒 (𝜎ps1 , 𝑔) 𝑅𝐵 = 𝑒 (𝑔𝑥𝐴2 𝑦𝐴 (𝑢󸀠 ∏ 𝑢𝑖 )

𝑒 (𝜎1 , 𝑔) = 𝑒 (pk𝐴𝑥 , pk𝐴𝑦 ) 𝑒 (pk𝐵𝑥 , pk𝐵𝑦 ) 󸀠

⋅ 𝑒 ((𝑢 ∏ 𝑢𝑖 ) ⋅ 𝑒 (𝑢󸀠 ∏ 𝑢𝑖 , 𝑅𝐴 ) .

(𝑢 ∏ 𝑢𝑖 ) (𝑀V)ℎ , 𝑔𝑟1 +𝑟2 , 𝑔ℎ ) , 󸀠

(10)

𝑟𝐵 +𝑟𝑆

󸀠

= (𝑔𝑥𝐴 𝑦𝐴 𝑔𝑥𝐵 𝑦𝐵 (𝑢󸀠 ∏ 𝑢𝑖 ) ℎ1 𝑘1 +ℎ2 𝑘2

𝑟𝐵

󸀠

𝑟1 +𝑟𝑆

(𝑀V)ℎ1 𝑘1 , 𝑔)

𝑖∈𝑊

(9)

𝑖∈𝑊

⋅ 𝑒 (𝑔

𝑥𝐴1 𝑦𝐴

𝑟𝐵

󸀠

(11)

(𝑢 ∏ 𝑢𝑖 ) , 𝑔) = 𝑒 (pk𝐴𝑥 , pk𝐴𝑦 ) 𝑖∈𝑊

⋅ 𝑒 (𝑢󸀠 ∏ 𝑢𝑖 , 𝑅𝐴𝜎ps2 ) 𝑒 (𝑀V, 𝜎ps3 ) . (8) Proxy-Revocation. When a valid delegation period expires or 𝐴 wants to revoke a valid delegation ahead of schedule for some reason, she asks 𝑆 to put (𝜔, 𝑅𝐴 ) in a public revocation list. When 𝐵 issues a proxy token for a message 𝑀, 𝑆 will check the valid period of the delegation in the warrant and (𝜔, 𝑅𝐴) in the public revocation list. If the delegation period has expired or (𝜔, 𝑅𝐴 ) exists in the revocation list, 𝑆 does not issue the proxy token for 𝐵. Once the period of delegation has expired, (𝜔, 𝑅𝐴 ) of the public revocation list could be eliminated. So, the size of the public revocation list will not increase.

𝑖∈𝑊

So, we prove the correctness of the proxy signature in the following way: 𝑟2

𝑒 (𝜎1 , 𝑔) = 𝑒 (𝜎ps1 𝜎𝐵1 (𝑢󸀠 ∏ 𝑢𝑖 ) (𝑀V)ℎ2 𝑘2 𝑔𝑥𝐵 𝑦𝐵 , 𝑔) 𝑖∈𝑊

= 𝑒 (𝑔

𝑥𝐴 𝑦𝐴 𝑥𝐵 𝑦𝐵

𝑔

𝑟1 +𝑟2 +𝑟𝐵 +𝑟𝑆

󸀠

(𝑢 ∏ 𝑢𝑖 ) 𝑖∈𝑊

(12)

⋅ (𝑀V)ℎ1 𝑘1 +ℎ2 𝑘2 , 𝑔) = 𝑒 (pk𝐴𝑥 , pk𝐴𝑦 ) 𝑒 (pk𝐵𝑥 , pk𝐵𝑦 )

5. Correctness and Security 5.1. Correctness Theorem 5. The delegation verification algorithm in our algorithm is correct. Proof. In our algorithm, we have 𝜎𝐵1 = 𝑔𝑥𝐴1 𝑦𝐴 (𝑢󸀠 ∏𝑖∈𝑊𝑢𝑖 )𝑟𝐵 and 𝜎𝑠1 = 𝑔𝑥𝐴2 𝑦𝐴 (𝑢󸀠 ∏𝑖∈𝑊𝑢𝑖 )𝑟𝑆 . In addition, we have

⋅ 𝑒 (𝑢󸀠 ∏ 𝑢𝑖 , 𝑅𝐴 𝜎2 ) 𝑒 (𝑀V, 𝜎3 ) . 𝑖∈𝑊

5.2. Security. The proposed scheme satisfies the security requirements of verifiability, strong identifiability, strong

8


undeniability, and prevention of misuse, which can be briefly explained as follows: (1) verifiability: any verifier can be assured of 𝐴’s agreement on the signature; (2) strong undeniability: no one can know the private key of 𝐵; when 𝐵 generates a signature, he/she cannot repudiate it because the signature is produced by his/her private key; (3) strong identifiability: the identity information is included in the valid signature and the warrant as a form of public key; (4) prevention of misuse: once the delegated right is misused, 𝐴 asks 𝑆 to stop sending the proxy token to 𝐵. More importantly, our scheme can achieve strong unforgeability in the standard model, which makes our scheme different from the existing proxy signature schemes proven secure in the standard model. Therefore, in this section, we shall prove the proposed scheme is strongly unforgeable against three types of adversaries mentioned above. If a proxy signature scheme is strongly unforgeable against a Type II or Type III adversary, it is also strongly unforgeable against Type I. Therefore, in this section, we will only prove that our scheme is strongly unforgeable against type II and type III under adaptive chosen message/warrant attacks in the standard model under the computational Diffie-Hellman assumption. Theorem 7. If there exists a type II adversary 𝐴 II who can (𝜀, 𝑡, 𝑞𝑤 , 𝑞ps ) break our proxy signature scheme, there exists an algorithm 𝐶 which can use 𝐴 II to solve an instance of the CDH problem in 𝐺 with a probability SuccCDH 𝐶

𝜉 ≥ 8 (𝑛 + 1) 𝑞𝑤

Then, 𝐶 assigns a set of public parameters as follows: (1) 𝐶 sets the public key of the original signer (pk𝐴𝑥 , pk𝐴𝑦 ) = (𝑔𝑎 , 𝑔𝑏 ), where (𝑔𝑎 , 𝑔𝑏 ) are from the input of the instance of the CDH problem. (2) 𝐶 randomly picks two values sk𝐵𝑥 , sk𝐵𝑦 ∈ 𝑍𝑝 and sets the public key of the proxy signer (pk𝐵𝑥 , pk𝐵𝑦 ) = (𝑔sk𝐵𝑥 , 𝑔sk𝐵𝑦 ). (3) 𝐶 sets V = 𝑔𝑐 , where 𝑐 ∈ 𝑍𝑝 . 𝑝−𝑙𝑘+𝑥󸀠 𝑦󸀠

(4) 𝐶 assigns 𝑢󸀠 = pk𝐴𝑥 𝑢⃗ = (𝑢1 , 𝑢2 , . . . , 𝑢𝑛 ).

Note that under the assignment 𝐽(𝑊) 𝑢󸀠 ∏ 𝑢𝑖 = pk𝐹(𝑊) 𝐴𝑥 𝑔

Proof. Assume that 𝐶 receives a random CDH problem instance (𝑔, 𝑔𝑎 , 𝑔𝑏 ) in 𝐺 whose order is a prime number 𝑝, and his/her goal is to output 𝑔𝑎𝑏 . 𝐶 will run the adversary 𝐴 II as a subroutine, act as 𝐴 II ’s challenger, and respond to 𝐴 II ’s requests in the following ways. (i) Setup. Let 𝑙 = 4𝑞𝑤 . 𝐶 randomly chooses (1) an integer 𝑘 (0 ≤ 𝑘 ≤ 𝑛) (it is assumed that 𝑙(𝑛+1) < 𝑝 for the given values 𝑞𝑤 , 𝑞ps , 𝑛), (2) an integer 𝑥󸀠 ∈ 𝑍𝑙 and an 𝑛-dimensional vector X = (𝑥𝑖 ) (𝑥𝑖 ∈ 𝑍𝑙 ), (3) an integer 𝑦󸀠 ∈ 𝑍𝑝 and an 𝑛-dimensional vector Y = (𝑦𝑖 ) (𝑦𝑖 ∈ 𝑍𝑝 ). For the ease of analysis, the following functions are defined: 𝐹 (𝑊) = (𝑝 − 𝑙𝑘) + 𝑥󸀠 + ∑ 𝑥𝑖 ,

𝐶 returns (𝐺, 𝐺𝑇 , 𝑒, 𝑝, 𝑔, 𝑢󸀠 , V, 𝑢, 𝐻) and (pk𝐴𝑥 , pk𝐴𝑦 , pk𝐵𝑥 , pk𝐵𝑦 , sk𝐵𝑥 , sk𝐵𝑦 ) to the adversary. (ii) C runs 𝐴 II and responds to queries of 𝐴 II . (1) SEM-Delegation Query. 𝐶 first selects two random integers 𝑥1 , 𝑟1 ∈ 𝑍𝑝 and computes 𝜎𝑆 =

𝑥 (pk𝐴𝑦1

𝑟1

󸀠

(𝑢 ∏ 𝑢𝑖 ) , 𝑔𝑟1 ) .

{0, 𝐾 (𝑊) = { {1,

(2) User-Delegation Query. If 𝐾(𝑊) = 0, 𝐶 terminates the simulation and reports failure and if 𝐾(𝑊) ≠ 0, which implies 𝐹(𝑊) ≠ 0 mod 𝑝, 𝐶 does not know the private key of 𝐴, but he/she can construct a delegation key related to 𝐴. Choose a random 𝑟2 ∈ 𝑍𝑝 and compute a delegation key: 𝜎𝐵 𝑟2

−𝑥

= (pk−𝐽(𝑊)/𝐹(𝑊) (𝑢󸀠 ∏ 𝑢𝑖 ) pk𝐴𝑦1 , pk−1/𝐹(𝑊) 𝑔𝑟2 ) . 𝐴𝑦 𝐴𝑦

(14)

Let 𝑥2 = 𝑎 − 𝑥1 and ̃𝑟2 = 𝑟2 − (𝑏/𝐹(𝑊)) (𝐶 does not know these values). Then, the correction of delegation key 𝜎𝐵 can be proven as follows: 𝜎𝐵1 =

pk−𝐽(𝑊)/𝐹(𝑊) 𝐴𝑦

𝑟2

󸀠

otherwise.

−𝑥

(𝑢 ∏ 𝑢𝑖 ) pk𝐴𝑦1 𝑖∈𝑊

𝑟2

−𝑥

𝐽(𝑊) = pk−𝐽(𝑊)/𝐹(𝑊) (pk𝐹(𝑊) ) pk𝐴𝑦1 𝐴𝑦 𝐴𝑥 𝑔 𝐽(𝑊) = (pk𝐹(𝑊) ) 𝐴𝑥 𝑔

𝑟2 −(𝑏/𝐹(𝑊))

= pk𝐴𝑦 1 (𝑢󸀠 ∏ 𝑢𝑖 )

=

𝑥 pk𝐴𝑦2

̃𝑟2

󸀠

(𝑢 ∏ 𝑢𝑖 ) . 𝑖∈𝑊

−𝑥

pk𝑏𝐴𝑥 pk𝐴𝑦1

𝑟2 −(𝑏/𝐹(𝑊))

𝑖∈𝑊

󸀠

𝑖∈𝑊

(17)

𝑖∈𝑊

𝑎−𝑥

if 𝑥 + ∑ 𝑥𝑖 = 0 (mod 𝑙)

(16)

𝑖∈𝑊

𝑖∈𝑊

𝑖∈𝑊

(15)

𝑖∈𝑊

(13)

within running time 𝑡+((𝑛+5)𝑞𝑤 +(𝑛+6)𝑞ps +𝑛+4)𝑇𝑚 +(10𝑞𝑤 + 12𝑞ps +2𝑛+8)𝑇𝑒 , where 𝑇𝑚 denotes the time for a multiplication in 𝐺, and 𝑇𝑒 denotes the time for an exponentiation in 𝐺, respectively.

𝐽 (𝑊) = 𝑦󸀠 + ∑ 𝑦𝑖 ,

𝑥

𝑖 𝑔 and 𝑢𝑖 = pk𝐴𝑥 𝑔𝑦𝑖 , and sets

(18)


9

Additionally, 𝜎𝐵2 = pk−1/𝐹(𝑊) 𝑔𝑟2 = 𝑔𝑟2 −(𝑏/𝐹(𝑊)) = 𝑔̃𝑟2 . 𝐴𝑦 𝑟1 ̃𝑟2

𝐶 computes 𝑅𝐴 = 𝑔 𝑔 and gives 𝐴 II the SEMDelegation key 𝜎𝑆 and User-Delegation key 𝜎𝐵 . If 𝐹(𝑊) ≠ 0 mod 𝑝, 𝐶 first produces delegation keys 𝜎𝑆 and 𝜎𝐵 by the Delegation-Gen query described above, and then he/she runs the SEM-Sign algorithm and UserSign algorithm to answer 𝐴 II ’s query since he/she knows the private key of 𝐵. Otherwise, 𝐶 will construct a proxy signature in the same way as the construction of the delegation keys in the Delegation-Gen query. Then, 𝐶 constructs the 𝑆’s partial proxy signature and the user’s complete proxy signature of 𝜔 on 𝑀 in the following ways.

Since 𝜎∗ is a valid proxy signature of the message 𝑀∗ under the warrant 𝜔∗ , we have 𝑒 (𝜎1∗ , 𝑔) = 𝑒 (pk𝐴𝑥 , pk𝐴𝑦 ) 𝑒 (pk𝐵𝑥 , pk𝐵𝑦 ) ⋅ 𝑒 (𝑢󸀠 ∏ 𝑢𝑖 , 𝜎2∗ ) 𝑒 (𝑀V, 𝜎3∗ ) = 𝑒 (𝑔𝑎 , 𝑔𝑏 ) 𝑖∈𝑊∗

∗

⋅ 𝑒 (𝑔sk𝐵𝑥 , 𝑔sk𝐵𝑦 ) 𝑒 (𝑔𝐽(𝑊 ) , 𝜎2∗ ) 𝑒 (𝑀V, 𝜎3∗ ) . Then, we can compute out 𝑔𝑎𝑏 =

(3) SEM-Sign Query. 𝐶 first chooses four random integers 𝑥1 , 𝑟1 , 𝑟𝑠 , 𝑘1 ∈ 𝑍𝑝 and computes ℎ1 = 𝐻 (𝑀 ‖

𝜔, pk−1/𝐹(𝑊) 𝐴𝑥

⋅𝑔

𝑟1 +𝑟𝑠

𝑥

𝜎ps = (pk𝐴𝑦1 (𝑢󸀠 ∏ 𝑢𝑖 )

𝑟1 +𝑟𝑠

,𝑔 ), (19)

(4) User-Sign Query. 𝐶 chooses three integers 𝑟2 , 𝑟𝐵 , 𝑘2 ∈ 𝑍𝑝 and computes ℎ2 = 𝐻 (𝑀 ‖

⋅𝑔

𝑟2 +𝑟𝐵

𝜎1∗ (𝑀V)ℎ1 𝑘1 +ℎ2 𝑘2 𝑔sk𝐵𝑥 sk𝐵𝑦

.

(23)

(1) 𝐾(𝑊∗ ) ≠ 0 mod 𝑙 during the Delegation-Gen queries. (2) 𝐹(𝑊∗ ) = 0 mod 𝑝 in the forgery phase.

𝑖∈𝑊

𝜔, pk−1/𝐹(𝑊) 𝐴𝑥

𝐽(𝑊∗ ) (𝜎2∗ )

This completes the description of the simulation. Now we have to assess 𝐶’s probability of success. 𝐶 will not abort if the following conditions hold.

𝑘1

(𝑀V)ℎ1 𝑘1 , 𝑔𝑟𝑠 +𝑟1 , 𝑔ℎ1 𝑘1 ) .

(22)

The success probability is SuccCDH = pr[𝐴 ∧ 𝐵]. Now we 𝐶 use Waters’ technique [14] to compute a lower bound of 𝐶’s success probability: pr [𝐴 ∧ 𝐵]

𝑘2

,𝑔 ),

𝑞𝑤

= pr [⋂𝐾 (𝑊𝑖 ) ≠ 0 ∧ 𝐹 (𝑊∗ ) = 0 mod 𝑝]

𝑟1 +𝑟2 +𝑟𝑠 +𝑟𝐵

𝜎 = (pk−𝐽(𝑊)/𝐹(𝑊) 𝑔sk𝐵𝑥 sk𝐵𝑦 (𝑢󸀠 ∏ 𝑢𝑖 ) 𝐴𝑦

1

(20)

𝑖∈𝑊

𝑞𝑤

= pr [⋂𝐾 (𝑊𝑖 ) ≠ 0] 𝑖=1

⋅ (𝑀V)ℎ1 𝑘1 +ℎ2 𝑘2 , pk−1/𝐹(𝑊) 𝑔𝑟1 +𝑟2 +𝑟𝑠 +𝑟𝐵 , 𝑔ℎ1 𝑘1 +ℎ2 𝑘2 ) . 𝐴𝑦

𝑞𝑤

⋅ pr [𝐹 (𝑊∗ ) = 0 mod 𝑝 | ⋂𝐾 (𝑊𝑖 ) ≠ 0] We will prove the correctness of the proxy signature as follows: 𝑟1 +𝑟2 +𝑟𝑠 +𝑟𝐵

𝑔sk𝐵𝑥 sk𝐵𝑦 (𝑢󸀠 ∏ 𝑢𝑖 ) 𝜎1 = pk−𝐽(𝑊)/𝐹(𝑊) 𝐴𝑦

𝑖=1

𝑞

𝑤 𝑞 ≥ (1 − 𝑤 ) pr [𝑥󸀠 + ∑ 𝑥𝑖 = 𝑙𝑘 | ⋂𝐾 (𝑊𝑖 ) ≠ 0] 𝑙 𝑖∈𝑊 𝑖=1

=(

𝑖∈𝑊

𝑞 1 ) (1 − 𝑤 ) 𝑛+1 𝑙 𝑞𝑤

ℎ1 𝑘1 +ℎ2 𝑘2

⋅ (𝑀V)

= pk𝑏𝐴𝑥 𝑔sk𝐵𝑥 sk𝐵𝑦 (𝑢󸀠 ∏ 𝑢𝑖 )

𝑟1 +𝑟2 +𝑟𝑠 +𝑟𝐵 −(𝑏/𝐹(𝑊))

⋅ pr [𝐾 (𝑊∗ ) = 0 | ⋂𝐾 (𝑊𝑖 ) ≠ 0] ≥ ( 𝑖=1

(21)

𝑖∈𝑊

⋅ (𝑀V)ℎ1 𝑘1 +ℎ2 𝑘2 , 𝜎2 = pk−1/𝐹(𝑊) 𝑔𝑟1 +𝑟2 +𝑟𝑠 +𝑟𝐵 = 𝑔𝑟1 +𝑟2 +𝑟𝑠 +𝑟𝐵 −(𝑏/𝐹(𝑊)) . 𝐴𝑦 (iii) If 𝐶 does not abort during the simulation, the adversary will return a proxy signature 𝜎∗ = (𝜎1∗ , 𝜎2∗ , 𝜎3∗ ) on the message 𝑀∗ under the warrant 𝜔∗ with the probability of ∗ at least 𝜀 for 𝐵. If 𝐹(𝑊∗ ) = 0 mod 𝑝, 𝑢󸀠 ∏𝑖∈𝑊∗ 𝑢𝑖 = 𝑔𝐽(𝑊 ) .

(24)

⋅ (1 −

1 ) 𝑛+1

2

𝑞𝑤 1 2𝑞 1 1 ) ≥( ) (1 − 𝑤 ) . 𝑙 𝑙 𝑛+1 𝑙 𝑙

≥ (1/(𝑛 + 1)𝑙)(1 − (2𝑞𝑤 /𝑙))𝜀. We can Therefore, SuccCDH 𝐶 optimize it by setting 𝑙 = 4𝑞𝑤 ; then ≥ SuccCDH 𝐶

𝜀 . 8 (𝑛 + 1) 𝑞𝑤

(25)

Algorithm 𝐶’s running time equals 𝐴 II ’s running time which adds the time it takes to simulate the security proof. 2𝑛 + 5 exponentiation operations and 𝑛 + 1 multiplication

10


operations in 𝐺 are needed in the Setup phase. Ten exponentiation operations and 5 + 𝑛 multiplication operations are required in every Delegation-Gen query. ProxySign-Gen query needs 12 exponentiation operations and 6 + 𝑛 multiplication operations. In the forgery phase, 3 exponentiation operations and 3 multiplication operations are needed. If we assume each exponentiation operation takes time 𝑇𝑒 , and multiplication operation takes time 𝑇𝑚 , so the total running time of algorithm 𝐶 is at most 𝑡 + ((𝑛 + 5)𝑞𝑤 + (𝑛 + 6)𝑞ps + 𝑛 + 4)𝑇𝑚 + (10𝑞𝑤 + 12𝑞ps + 2𝑛 + 8)𝑇𝑒 . Theorem 8. The strongly unforgeable proxy signature with fast revocation is (𝜀󸀠 , 𝑡󸀠 , 0, 𝑞ps ) secure against a type adversary 𝐴 III assuming that the (𝜀󸀠 , 𝑡󸀠 ) CDH assumption holds in 𝐺, where SuccCDH ≥ 𝐶

𝜀󸀠 𝑛𝑙

(26)

within running time 𝑡󸀠 ≤ 𝑡 + ((𝑛 + 6)𝑞ps + 𝑛 + 4)𝑇𝑚 + (12𝑞ps + 2𝑛 + 8)𝑇𝑒 . Proof. This proof is similar to that of Theorem 7 and thus we omit the detailed proof to save space. Here, we only illustrate the differences between them. First, we recall the capacity of adversary 𝐴 III . This type has the public keys of 𝐴 and 𝐵, and the secret key of the original signer. Therefore, 𝐴 III does not need Delegation-Gen queries and can generate delegations on arbitrary warrants. Secondly, in the Setup phase, the simulator should set the public key of the proxy signer as (pk𝐵𝑥 , pk𝐵𝑦 ) = (𝑔𝑎 , 𝑔𝑏 ), where 𝑔𝑎 and 𝑔𝑏 are the inputs of the given CDH problem instance. Other parts of this proof are similar to those of Theorem 7. From Theorems 7 and 8, it can be seen that the proposed scheme can prevent Type II or Type III attacks; that is to say, our scheme has the strong unforgeability in the standard model. In fact, the reason why the existing proxy signature schemes with revocation cannot achieve the strong unforgeability results from their design method. From the aspect of the algorithm construction mechanism, the existing schemes can be regarded as 2-level hierarchical Waters’ signature. However, Waters et al.’s scheme is malleable [5, 14], in which an adversary can generate a different valid signature on the same message even without the private key. In more details, in Waters’ signature, we suppose that the signature of a message is denoted by 𝜎 = (𝜎1 , 𝜎2 ). Anyone can create a valid signature in the following way: First, pick up an integer 𝑟 and make the following equations hold: 𝜎1 = 𝜎1 (𝑢󸀠 ∏𝑖∈𝑀𝑢𝑖 )𝑟 and 𝜎2 = 𝜎2 𝑔𝑟 . Then, 𝜎 = (𝜎1 , 𝜎2 ) can be proven to be a valid signature. This weakness makes the existing proxy signature schemes with revocation not strongly unforgeable. However, in our scheme, we adopt different algorithm construction method, and our scheme is not 2-level hierarchical Waters’ signature. Therefore, our scheme avoids the above attack and achieves the strong unforgeability. 5.3. Comparison with Existing Schemes. In this section, we will compare our scheme with other existing proxy signature

Table 2: Symbol meaning. Symbols Meaning 𝑛 The numbers of the warrant/message 𝑡 The threshold in the threshold proxy signature The number of the original or proxy signers in the 𝑚 multiproxy signature or proxy multisignature scheme 𝑇𝑚 Time for multiplication operations in 𝐺 𝑇𝑒 Time for exponentiation operations in 𝐺 𝐸 Time for multiplication operations in 𝐺𝑇 𝑃 Time for pairing operations

schemes [3–12] in terms of the number of the public parameters, the size of the signature, the computational efficiency of the delegation stage, the proxy sign stage, and proxy sign verification stage. In order to facilitate the description, we define the symbols shown in Table 2. First, we will discuss the proxy signature process. In the proposed scheme, we consider the computational complexity. In order to delegate the proxy signer, the scheme needs 7 exponentiation operations in 𝐺, and 𝑛+2 multiplication operations in 𝐺. In the phase of ProxySign-Gen, our scheme needs 9 exponentiation operations in 𝐺, and 2𝑛 + 8 multiplication operations in 𝐺. In order to verify the signature, 5 pairing operations, 3 multiplication operations in 𝐺𝑇 , and 𝑛 + 1 multiplication operations in 𝐺 are needed. For public parameters, only 𝑛 + 2 group elements are needed in our scheme. From this point, our scheme is more suitable for low storage requirement of applications such as in an Ad hoc network [30]. The specific comparison results are shown in Table 3, from which we can find that our scheme is much better than most of the existing schemes. Although strong unforgeability and fast revocation are achieved simultaneously, our scheme has almost no increase in computational efficiency as to other proxy signatures with revocation schemes. Compared to existing schemes, our scheme has some advantages that other schemes do not have. Moreover, as we all know, if pairing operations are executed by sensor nodes, it would affect the efficiency of the sensor networks. But from Table 3, we can know that just ProxySign-Verify needs 5 pairing operations, and it should be executed by a sink node or one proxy equipment but not sensor nodes, so the pairing operations will not affect the efficiency of sensorbased network systems. The merit/demerit comparison between the existing schemes and our scheme is summarized in Table 4. From Table 4, we can see that (1) all existing proxy signatures in the standard model are proved secure and (2) our scheme is the only proxy signature scheme that has strong unforgeability and fast revocation in the standard model. Overall, compared with other proxy signatures [3–12] in the standard model, our scheme has stronger security because it has strong unforgeability and has low storage requirement because it has a shorter system parameter. At the same time, the scheme can achieve fast revocation.


11

Table 3: Proxy signature scheme efficiency comparison. Schemes Scheme [3] Scheme [4] Scheme [5] Scheme [6] Scheme [7] Scheme [8] Scheme [9] Scheme [10] Scheme [11] Scheme [12] Our scheme

Size 3|𝐺| 3|𝐺| 3|𝐺| 3|𝐺| 3|𝐺| 3|𝐺| 3|𝐺| 3|𝐺| 3|𝐺| 3|𝐺| 3|𝐺|

Parameter 2n + 2 2n + 2 n+4 2n + 2 n+4 2n + 2 2n + 2 2n + 2 2n + 2 2n + 2 n+2

Delegation 3T e + (n + 1)T m 3T e + (n + 1)T m 3T e + (n + 1)T m (3m + 3)T e + (n + 3m + 1)T m 3mT e + (n + m)T m nP + (2n + 1)T e + 2nT m 3T e + (n + 1)T m 7T e + (n + 2)T m 7T e + (n + 2)T m (m + n + 1)T e + (3m + 4)T m 7T e + (n + 2)T m

ProxySign 5T e + (2n + 4)T m + P 5T e + (2n + 4)T m 4T e + 3T m 2T e + (n + 1)T m 4T e + (2m + 1)T m 4nT e + 6nT m + tP + (t − 1)E 5T e + (2n + 4)T m + P 9T e + (2n + 8)T m 9T e + (2n + 8)T m + P 8mT e + (2n + 10m − 1)T m 9T e + (2n + 8)T m

Verify 4P + 3E + 2nT m 5P + 3E + 2nT m 5P + 3E + (n + 1)T m + T e (m + 4)P + (m + 2)E + 2nT m (m + 4)P + (m + 2)E + (n + 1)T m + T e 4P + 3E + 2nT m 5P + 3E + 2nT m 5P + 3E + (2n + 1)T m 4P + 3E + 2nT m 3P + E + (2n + m)T m 5P + 3E + (n + 1)T m

Size: length of signature. Parameter: the number of system public parameters. Delegation: the computational efficiency in the Delegation-Gen phase. ProxySign: the computational efficiency in the ProxySign-Gen phase. Verify: the computational efficiency in the ProxySign-Verify phase.

Table 4: Comparison of merits and demerits. Schemes Scheme [3] Scheme [4] Scheme [5] Scheme [6] Scheme [7] Scheme [8] Scheme [9] Scheme [10] Scheme [11] Scheme [12] Our scheme

F.R No No No No No No No Yes Yes Yes Yes

S.M Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

S.U No No No No No No No No No No Yes

F.R: whether the proxy signature can achieve fast revocation. S.M: whether the scheme has security proof in the standard model. S.U: whether the scheme is strongly unforgeable.

6. Conclusions Until now, none of the existing proxy signature schemes with revocation possesses strong unforgeablility. This leads to the fact that the adversary can even produce a new signature for a signed message, which makes the existing schemes insecure. In order to solve this security problem, this paper improves the situation and proposes a strongly unforgeable proxy signature with revocation under the computational DiffieHellman assumption in the standard model. The proposed scheme satisfies all of the security requirements for proxy signature schemes. Through a security analysis, we show that the proposed scheme is secure in the standard model and it can resist those attacks mentioned above. Furthermore, compared with several proxy signature schemes in the standard model, it is easy to conclude that the proposed scheme has advantages over other schemes, namely, stronger security and shorter system parameters. As a special kind of digital signature, the proxy signature has been widely applied in electronic commerce. With improvement of the

proxy signature with revocation, the proposed scheme can be widely used in more applications, such as mobile agent and electronic transactions.

Conflict of Interests The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments This work is supported by the National Natural Science Foundation of China under Grant nos. 61473214, 61103178, and 61103199, Natural Science Basic Research Plan in Shaanxi Province of China under Grant nos. 2015JM6294, 2014JQ8360, and 2014JQ8324, the Fundamental Research Funds for the Central Universities under Grant no. 3102015JSJ0003, Basic Science Research Fund in Xidian University, and the 111 Project of China under Grant no. B08038.

References [1] E.-J. Goh, S. Jarecki, J. Katz, and N. Wang, “Efficient signature schemes with tight reductions to the Diffie-Hellman problems,” Journal of Cryptology, vol. 20, no. 4, pp. 493–514, 2007. [2] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signature: delegation of the power to sign messages,” IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, vol. E79-A, no. 9, pp. 1338–1353, 1996. [3] Y. Yu, C. X. Xu, X. S. Zhang, and Y. J. Liao, “Designated verifier proxy signature scheme without random oracles,” Computers & Mathematics with Applications, vol. 57, no. 8, pp. 1352–1364, 2009. [4] X. Huang, W. Susilo, Y. Mu, and W. Wu, “Proxy signature without random oracles,” in Mobile Ad-Hoc and Sensor Networks, vol. 4325, pp. 473–484, Springer, Berlin, Germany, 2006. [5] Y. Sun, C. X. Xu, Y. Yu, and Y. Mu, “Strongly unforgeable proxy signature scheme secure in the standard model,” Journal of Systems and Software, vol. 84, no. 9, pp. 1471–1479, 2011.

12 [6] Z. H. Liu, Y. P. Hu, and H. Ma, “Secure proxy multi-signature scheme in the standard model,” in Provable Security: Second International Conference, ProvSec 2008, Shanghai, China, October 30–November 1, 2008. Proceedings, vol. 5324 of Lecture Notes in Computer Science, pp. 127–140, Springer, Berlin, Germany, 2008. [7] Y. Sun, C. Xu, Y. Yu, and B. Yang, “Improvement of a proxy multi-signature scheme without random oracles,” Computer Communications, vol. 34, no. 3, pp. 257–263, 2011. [8] M. Beheshti-Atashgah, M. Bayat, M. Gardshi, and M. R. Aref, “Designated verifier threshold proxy signature scheme without random oracles,” 2012, http://eprint.iacr.org/2012/488.pdf. [9] Y. Ming and Y. M. Wang, “Directed proxy signature in the standard model,” Journal of Shanghai Jiaotong University (Science), vol. 16, no. 6, pp. 663–671, 2011. [10] Z.-H. Liu, Y.-P. Hu, X.-S. Zhang, and H. Ma, “Secure proxy signature scheme with fast revocation in the standard model,” The Journal of China Universities of Posts and Telecommunications, vol. 16, no. 4, pp. 116–124, 2009. [11] M. Beheshti-Atashgah, M. Gardeshi, and M. Bayat, “A designated verifier proxy signature scheme with fast revocation without random oracles,” in Digital Information and Communication Technology and Its Applications: International Conference, DICTAP 2011, Dijon, France, June 21–23, 2011. Proceedings, Part I, vol. 166 of Communications in Computer and Information Science, pp. 535–550, Springer, Berlin, Germany, 2011. [12] Z. H. Liu, Y. P. Hu, X. S. Zhang, and H. Ma, “Provably secure multi-proxy signature scheme with revocation in the standard model,” Computer Communications, vol. 34, no. 3, pp. 494–501, 2011. [13] M. Beheshti-Atashgah, M. Gardeshi, and M. Bayat, “A new threshold proxy signature scheme with fast revocation,” International Journal of Computer and Electrical Engineering, vol. 4, no. 5, pp. 766–770, 2012. [14] B. Waters, “Efficient identity-based encryption without random oracles,” in Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques, pp. 114–127, Aarhus, Denmark, May 2005. [15] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures for delegating signing operation,” in Proceedings of the 3rd ACM Conference on Computer and Communications Security, pp. 48– 56, March 1996. [16] S. Kim, S. Park, and D. Won, “Proxy signatures, revisited,” in Proceedings of the 1st International Conference on Information and Communication Security (ICICS ’97), pp. 223–232, Beijing, China, November 1997. [17] M.-S. Hwang, C.-C. Lee, and S.-F. Tzeng, “A new proxy signature scheme for a specified group of verifiers,” Information Sciences, vol. 227, pp. 102–115, 2013. [18] R. A. Sahu and V. Saraswat, “Secure and efficient scheme for delegation of signing rights,” in Information and Communications Security, vol. 8958 of Lecture Notes in Computer Science, pp. 258–273, Springer, Basel, Switzerland, 2015. [19] S. H. Seo, K. A. Shim, and S. H. Lee, “A mediated proxy signature scheme with fast revocation for electronic transactions,” in Proceedings of the 2nd International Conference on Trust Privacy and Security in Digital Business, pp. 216–225, Copenhagen, Denmark, August 2005. [20] H. M. Sun and B. J. Chen, “Design of time-stamped proxy signatures with traceable receivers,” in Proceedings of the 9th National Conference on Information Security, pp. 247–253, Taichung, Taiwan, May 1999.

International Journal of Distributed Sensor Networks [21] E. J. Lu, M.-S. Hwang, and C.-J. Huang, “A new proxy signature scheme with revocation,” Applied Mathematics and Computation, vol. 161, no. 3, pp. 799–806, 2005. [22] A. Boldyreva, A. Palacio, and B. Warinschi, “Secure proxy signature scheme for delegation of signing rights,” 2005, http://eprint.iacr.org/2003/096.pdf. [23] K. S. Kim, D. Hong, and I. R. Jeong, “Identity-based proxy signature from lattices,” Journal of Communications and Networks, vol. 15, no. 1, pp. 1–7, 2013. [24] G. Swapna, P. V. Reddy, and T. Gowri, “Efficient identity based multi-proxy multi-signcryption scheme using bilinear pairings over elliptic curves,” in Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI ’13), pp. 418–423, IEEE, Mysore, India, August 2013. [25] X. M. Hu, Y. C. Yang, Y. Liu, J. Wang, and X. H. Xiong, “A highly efficient and identity-based proxy signature scheme without random oracle,” in Proceedings of the 2nd International Conference on Information Technology and Electronic Commerce, pp. 204–207, Dalian, China, December 2014. [26] H.-J. Cao, Y.-Y. Zhu, and P.-F. Li, “A quantum proxy weak blind signature scheme,” International Journal of Theoretical Physics, vol. 53, no. 2, pp. 419–425, 2014. [27] K. J. Zhang and H. Y. Jia, “Cryptanalysis of a quantum proxy weak blind signature scheme,” International Journal of Theoretical Physics, vol. 54, no. 2, pp. 582–588, 2015. [28] Q. Huang, D. S. Wong, J. Li, and Y.-M. Zhao, “Generic transformation from weakly to strongly unforgeable signatures,” Journal of Computer Science and Technology, vol. 23, no. 2, pp. 240–252, 2008. [29] D. Boneh, E. Shen, and B. Waters, “Strongly unforgeable signatures based on computational Diffie-Hellman,” in Public Key Cryptography—PKC 2006: 9th International Conference on Theory and Practice in Public-Key Cryptography, New York, NY, USA, April 24–26, 2006. Proceedings, vol. 3958 of Lecture Notes in Computer Science, pp. 229–240, Springer, Berlin, Germany, 2006. [30] L. J. Pang, H. X. Li, and Q. Q. Pei, “Improved multicast key management of Chinese wireless local area network security standard,” IET Communications, vol. 6, no. 9, pp. 1126–1130, 2012.

International Journal of

Rotating Machinery

Engineering Journal of

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

The Scientific World Journal Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014


Distributed Sensor Networks

Journal of

Sensors Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014


Volume 2014


Volume 2014

Journal of

Control Science and Engineering

Advances in

Civil Engineering Hindawi Publishing Corporation http://www.hindawi.com


Volume 2014

Volume 2014

Submit your manuscripts at http://www.hindawi.com Journal of

Journal of

Electrical and Computer Engineering

Robotics Hindawi Publishing Corporation http://www.hindawi.com


Volume 2014

Volume 2014

VLSI Design Advances in OptoElectronics


Navigation and Observation Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014



Chemical Engineering Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Volume 2014

Active and Passive Electronic Components

Antennas and Propagation Hindawi Publishing Corporation http://www.hindawi.com

Aerospace Engineering


Volume 2014


Volume 2014

Volume 2014




Modelling & Simulation in Engineering

Volume 2014


Volume 2014

Shock and Vibration Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Advances in

Acoustics and Vibration Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014