On the efficiency of nonrepudiable threshold proxy signature scheme with known signers Source: The Journal of Systems and Software, Vol. 73, 2004, pp.507–514 Author: Cheng-Ying Yang ; Shiang-Feng Tzeng ; Min-Shiang Hwang Advisor:Dr. Chang, Chin-Chen Reporter:Wang, Shing-Shoung Date :2004/11/23 2004/11/23

Outline Review of Hsu et al.’s scheme Improvement of Hsu et al.’s scheme Security Analysis Conclusions 2004/11/23

Review of Hsu et al.’s scheme Divides the sheme into 4 phases as followung: system authourity, SA (1) (1) (3) (3) original signer (2) (2) (t,n) proxy group (3) clerk (3) verifier (4) (1)Secret share generation phase (2)Proxy share generation phase (3)Proxy signature generation phase (4)Proxy signature verification phase t:# of original signer n:# of proxy signer 2004/11/23

Review of Hsu et al.’s scheme(Cont.) System initialing: System Authority(SA) selects and publishes the follow parameters: p a large prime q a large prime factor of p－1 g a generator in GF(p) of order q h(.) a One-way hash function mw a warrant which records the identities of the original signer and the proxy signers of the proxy group, the parameters t and n, and the valid delegation time, etc. ASID (Actual Signers’ ID) the identities of the actual signers. 2004/11/23

Review of Hsu et al.’s scheme(Cont.) Notation: Pi each user P0 original signer G={P1,P2,P3...,Pn} the proxy group of n proxy signers. the public identifier user i’s private key user i’s public key 2004/11/23

Review of Hsu et al.’s scheme(Cont.) 1.Secret share generation phase: (1)chooses the group private key XG. (2)computes the public key YG=gXG mod p (3)randomly generates a (t-1) polynomial f(v)= XG +a1v+a2v2+...+at-1vt-1 mod q where ai Zq(i=1,2,...,t-1) (4)for each Pi G,computes the secret share γi=f(vi) τi=gγi mod p vi:public identifier for Pi (5)separately sends γi to Pi via a secure channel (6)publishes all τi’s 2004/11/23

Review of Hsu et al.’s scheme(Cont.) Receives σi,each Pi can check the following equation: if true, Pi computes σi’= σi +γih(mw||K)mod q 2.Proxy share generation phase : (1)chooses a random integer k Z*q. and computes K=gkmod p (2)computes the proxy signature key as σ=k+x0h(mw||K)mod q (3)chooses a polynomial f(v)=σ+b1v+b2v2+...+bt-1vt-1 mod q where the random integers bj Zq(i=1,2,...,t-1) (4)publishes Bj=gbj mod p for j=1,2,...,t-1 (5)sends σi=f0(vi) to Pi via a secure channel (6)broadcasts (mw,K) to G How to verify? 2004/11/23

Review of Hsu et al.’s scheme(Cont.) 3.Proxy signature generation phase : given a message m,D ={P1,P2,P3...,Pt} (1)each Pi D chooses a random integer ki Z*q and broadcasts ri=gki mod p (2)obtains all ri , si=kiR+(Liσi’+xi)h(R||ASID||m)mod q where (3)Upon receiving si, clerk checks if it holds(ri,si) is the valid individual signature of m the proxy signature is (R,S,K,mw,ASID) 2004/11/23

Review of Hsu et al.’s scheme(Cont.) 4.Proxy signature verification phase: if the proxy signature (R,S,K,mw,ASID) from m is valid. 2004/11/23

Improvement of Hsu et al.’s scheme Divides the sheme into 3 phase as followung: (2) (2) original signer (1) (1) (t,n) proxy group (2) clerk (2) verifier (3) (1)Proxy share generation phase (2)Proxy signature generation phase (3)Proxy signature verification phase 2004/11/23

Improvement of Hsu et al.’s scheme(Cont.) 1.Proxy share generation phase: (1)chooses a random integer k Z*q. and computes K=gkmod p (2)computes the proxy signature key as σ=k+x0h(mw||K)mod q (3)broadcasts (σ,mw,K) to G How to verify? Check 2004/11/23

Improvement of Hsu et al.’s scheme(Cont.) 2.Proxy signature generation phase given a message m,D ={P1,P2,P3...,Pt} (1)each Pi D chooses a random integer ki Z*q and broadcasts ri=gki mod p (2)obtains all ri , si=kiR+(t-1σi’+xi)h(R||ASID||m)mod q where t:# of actual proxy signers. (3)Upon receiving si, clerk checks if it holds(ri,si) is the valid individual signature of m the proxy signature is (R,S,K,mw,ASID) 2004/11/23

Improvement of Hsu et al.’s scheme(Cont.) 3.Proxy signature verfication phase (1)according to mw and ASID, we get the proxy and original signer’s public key. and know who is the original signer. (2)verify t. (3)verify the following equation: if true the proxy signature is (R,S,K,mw,ASID) of m is valid. 2004/11/23

Security Analysis Security analysis: 1.Plaintext attack 2.Conspiracy attack 3.Forgery attack given m’,ASID’,V0’ 2004/11/23

Conclusions The improved scheme has the same property that any t or more proxy signers may work together to generate a valid proxy signature on behalf of the original signer. The improved scheme also provides the ability to identity the actual proxy signers for avoiding the abuse of the signing capability. the improved scheme satisfies the nonrepudiation property. 2004/11/23