A novel proxy key generation protocol and its application

1. A novel proxy key generation protocol and its application Author: Xiaoming Hu, Shangteng Huang Periodical: Computer Standards & Interfaces 29 (2007) 191–195 Data: Received 20 November 2005; accepted 16 March 2006

2. Outline • Introduction • Related work • Proxy Key Generation Protocol • Proxy Signature Scheme • Conclusion

3. Introduction Proxy signer Delegated Original signer Verifier

4. Related Work • Tree types of delegation • Full delegation • Partial delegation • Delegation by warrant • Proxy key pair (Warrant, Secret key) • ID-based key pair (ID, Secret key)

5. Properties of Proxy Signature Scheme • Strong unforgeability • A designated signer, called proxy signer, can create a valid proxy signature for the original signer. But the original signer and third parties who are not authorized cannot create a valid proxy signature. • Verifiability • From proxy signature a verifier can be convinced of the original signer's agreement on the signed message either by a self-authenticating form or by an interactive form. • Strong identity • any one can determine the identity of the corresponding proxy signer from a proxy signature. • Strong undeniability • Once a proxy signer creates a valid proxy signature for an original signer, the proxy signer cannot repudiate his signature creation. • Prevention of misuse • it should be confident that proxy key pair cannot be used for other purposes. Because the responsibility of proxy signer should be determined with warrant explicitly.

6. Bilinear Pairings • G1 a cyclic additive group generated by P • G2 be cyclic multiplicative group of the same order q • H1 and H2 are two hash functions. • A bilinear pairing is map e: G1×G1→G2

7. IDo IDp Qo=H1(IDo) Qp=H1(IDp) So=tQo Sp=tQp Proxy Key Generation Protocol KGC Original Signer Proxy Signer Chooses q,e and P  G1,G2 Define H1,H2 t as master key, tPpub {G1,G2,e,q,P,Ppub,H1,H2} Create a warrant W Compute S1=H2(W,So) (W,S1) Verify S1=H2(W,S0) Compute Qw=H1(W) Sk=tQw (W,S2) S2=Sk+Sp Compute Sw=S2-Sp • (W,Sw) is an ID-based key pair • Sw = S2-Sp = (Sk+Sp)-Sp = Sk = tQw = tH1(W) Verify e(Sw,P)=e(H1(W),Ppub)

8. Theorem 1 • Theorem 1 • A can impersonate the original signer and forge a valid (W, S1) to KGC with a probability 1/q. • Proof • Suppose A tries to impersonate the original signer and forge a valid (W, S1) to KGC. S1=H2(W,So)

9. Theorem 2 • Theorem 2. • A can impersonate the KGC and forge a valid (W,S2) to the proxy signer with a probability 1/q. • Proof. • Suppose A tries to impersonate the KGC and forge a valid (W, S2) to the proxy signer. Sw = tH1(W) S2 = Sw + Sp

10. IDo IDp Qo=H1(IDo) Qp=H1(IDp) So=tQo Sp=tQp Proxy Signature Scheme KGC Original Signer Proxy Signer Chooses q,e and P  G1,G2 Define H1,H2 t as master key, tPpub {G1,G2,e,q,P,Ppub,H1,H2} Qw=H1(W) Sw=S2-Sp Qw as proxy public key proxy key (Qw, Sw) e(V,P) = e(U+H1(m,U)Qw,Ppub) U=rQw h=H2(m,U) V=(r+h)Sw Then (U, V) is the proxy signature of the message m.

11. Conclusions • Propose a proxy signature key generation protocol in which proxy public key. • The protocol consists of three entities: original signer, proxy signer and KGC. • The scheme has two virtues • The proxy signature is shorter because it does not include any parameters for rebuilding the proxy public key • The verification of the proxy signature is faster because the public proxy key does not have to be computed.