150 likes | 274 Views
On the efficiency of nonrepudiable threshold proxy signature scheme with known signers. Source: The Journal of Systems and Software, Vol. 73, 2004, pp.507 – 514 Author: Cheng-Ying Yang ; Shiang-Feng Tzeng ; Min-Shiang Hwang Advisor:Dr. Chang, Chin-Chen
E N D
On the efficiency of nonrepudiable threshold proxy signaturescheme with known signers Source: The Journal of Systems and Software, Vol. 73, 2004, pp.507–514 Author: Cheng-Ying Yang ; Shiang-Feng Tzeng ; Min-Shiang Hwang Advisor:Dr. Chang, Chin-Chen Reporter:Wang, Shing-Shoung Date :2004/11/23
Outline • Review of Hsu et al.’s scheme • Improvement of Hsu et al.’s scheme • Security Analysis • Conclusions
Review of Hsu et al.’s scheme • Divides the sheme into 4 phases as followung: system authourity, SA (1) (1) (3) (3) original signer (2) (t,n) proxy group (3) clerk (3) verifier (4) (2) (1)Secret share generation phase (2)Proxy share generation phase (3)Proxy signature generation phase (4)Proxy signature verification phase t:# of original signer n:# of proxy signer
Review of Hsu et al.’s scheme(Cont.) • System initialing: • System Authority(SA) selects and publishes the follow parameters: • p a large prime • q a large prime factor of p-1 • g a generator in GF(p) of order q • h(.) a One-way hash function • mw a warrant which records the identities of the original signer and the proxy signers of the proxy group, the parameters t and n, and the valid delegation time, etc. • ASID(Actual Signers’ ID) the identities of the actual signers.
Review of Hsu et al.’s scheme(Cont.) • Notation: Pi each user P0original signer G={P1,P2,P3...,Pn} the proxy group of n proxy signers. the public identifier user i’s private key user i’s public key
Review of Hsu et al.’s scheme(Cont.) • 1.Secret share generation phase: • (1)chooses the group private key XG. • (2)computes the public key YG=gXG mod p • (3)randomly generates a (t-1) polynomial f(v)= XG +a1v+a2v2+...+at-1vt-1 mod q where ai Zq(i=1,2,...,t-1) • (4)for each Pi G,computes the secret share γi=f(vi) τi=gγi mod p vi:public identifier for Pi • (5)separately sends γi to Pi via a secure channel • (6)publishes all τi’s
Receives σi,each Pi can check the following equation: if true, Pi computes σi’= σi +γih(mw||K)mod q Review of Hsu et al.’s scheme(Cont.) • 2.Proxy share generation phase : • (1)chooses a random integer k Z*q. and computes K=gkmod p • (2)computes the proxy signature key as σ=k+x0h(mw||K)mod q • (3)chooses a polynomial f(v)=σ+b1v+b2v2+...+bt-1vt-1 mod q where the random integers bjZq(i=1,2,...,t-1) • (4)publishes Bj=gbj mod p for j=1,2,...,t-1 • (5)sends σi=f0(vi) to Pi via a secure channel • (6)broadcasts (mw,K) to G • How to verify?
Review of Hsu et al.’s scheme(Cont.) • 3.Proxy signature generation phase : • given a message m,D ={P1,P2,P3...,Pt} • (1)each Pi D chooses a random integer kiZ*q and broadcasts ri=gki mod p • (2)obtains all ri , si=kiR+(Liσi’+xi)h(R||ASID||m)mod q where • (3)Upon receiving si, clerk checks if it holds(ri,si) is the valid individual signature of m • the proxy signature is (R,S,K,mw,ASID)
Review of Hsu et al.’s scheme(Cont.) • 4.Proxy signature verification phase: if the proxy signature (R,S,K,mw,ASID) from m is valid.
Improvement of Hsu et al.’s scheme • Divides the sheme into 3 phase as followung: (2) (2) original signer (1) (t,n) proxy group (2) clerk (2) verifier (3) (1) (1)Proxy share generation phase (2)Proxy signature generation phase (3)Proxy signature verification phase
Check Improvement of Hsu et al.’s scheme(Cont.) • 1.Proxy share generation phase: • (1)chooses a random integer k Z*q. and computes K=gkmod p • (2)computes the proxy signature key as σ=k+x0h(mw||K)mod q • (3)broadcasts (σ,mw,K) to G • How to verify?
Improvement of Hsu et al.’s scheme(Cont.) • 2.Proxy signature generation phase • given a message m,D ={P1,P2,P3...,Pt} • (1)each Pi D chooses a random integer kiZ*q and broadcasts ri=gki mod p • (2)obtains all ri , si=kiR+(t-1σi’+xi)h(R||ASID||m)mod q where t:# of actual proxy signers. • (3)Upon receiving si, clerk checks if it holds(ri,si) is the valid individual signature of m • the proxy signature is (R,S,K,mw,ASID)
Improvement of Hsu et al.’s scheme(Cont.) • 3.Proxy signature verfication phase • (1)according to mw and ASID, we get the proxy and original signer’s public key. and know who is the original signer. • (2)verify t. • (3)verify the following equation: if true the proxy signature is (R,S,K,mw,ASID) of m is valid.
Security Analysis • Security analysis: • 1.Plaintext attack • 2.Conspiracy attack • 3.Forgery attack • given m’,ASID’,V0’
Conclusions • The improved scheme has the same property that any t or more proxy signers may work together to generate a valid proxy signature on behalf of the original signer. • The improved scheme also provides the ability to identity the actual proxy signers for avoiding the abuse of the signing capability. • the improved scheme satisfies the nonrepudiation property.