240 likes | 270 Views
A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem. Source: IEEE TRANSACTIONS KNOWLEDGE AND DATA ENGINEERING, VOL 15,NO 5, SEPTEMBER/OCTOBER, 2003 Author: Min-Shiang Hwang, Eric Jui-Lin, Iuon-Chang Lin Speaker : 林育正 Team member: 童毅峰 林峻鋒 Date: Dec. 8, 2003.
E N D
A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem Source: IEEE TRANSACTIONS KNOWLEDGE AND DATA ENGINEERING, VOL 15,NO 5, SEPTEMBER/OCTOBER, 2003 Author: Min-Shiang Hwang, Eric Jui-Lin, Iuon-Chang Lin Speaker :林育正 Team member: 童毅峰 林峻鋒 Date: Dec. 8, 2003
Outline • Introduction • Proposed Scheme • Discussion • Property Analysis • Comparisons • Application • Conclusion
Introduction 1 • Proxy signature: • The proxy signature allows proxy signers to sign messages on behalf of the original signer without exposing the original signer’s private key
Introduction 2 • (1,n) threshold proxy signature: • A legal proxy signature can be generated by a designated proxy signer by using a proxy signing key. • (t,n) threshold proxy signature: • (t,n) threshold proxy signature schemes allow any t or more proxy signers from a designated group of n members to cooperatively sign messages while (t-1) or less members cannot generate the legal proxy signature.
Introduction 3 • Proxy requirements • Secrecy: • The original signer’s private key must be kept secret. • Proxy protected: • Only a delegated proxy signer can generate his partial proxy signature. • Unforgeability: • (t-1) or less proxy signers have no capability of forging a valid proxy signature.
Introduction 4 • Proxy requirement (cont.) • Non-repudiation: • The original signer cannot deny having delegated the power of signing messages to the proxy signers. The proxy signers cannot deny that they having signed the message. • Time constraint: • The proxy signing keys can be used only during a stipulated period. • Known signers: • For internal auditing purposes, the system is able to identify the actual signers in the proxy group.
Introduction 5 • This paper propose a new (t,n) threshold proxy signature scheme based on the RSA cryptosystem. • This new scheme only requires the Lagrange formula to share the proxy signing key.
Proposed Scheme • Three phases • The proxy sharing phase • The proxy signature issuing phase • The verification phase
Threshold proxy signature based on the RSA cryptosystem • P0 ︰ Original signer • P1, P2, ..., Pn ︰Proxy signers • Ni = pi ×qi where pi and qiare two secret large primes. • di is a private key for Pi and its corresponding public key be ei, such that di * ei = 1 mod Φ(Ni). • Φ(Ni) = (pi - 1)(qi - 1)
Threshold proxy signature based on the RSA cryptosystem • The parameters ei and Ni can be published. • The parameter di and Φ(Ni) are kept secret by the holder. • [M]di mod Ni : M encrypted with Pi’s private key di • [M]ei mod Ni : M encrypted with Pi’s public key ei using the ordinary RSA cryptosystem. • mw : contains period of proxy key, the identities of the proxy signers and the original signer, etc
Threshold proxy signature based on the RSA cryptosystem • D : group proxy signature key generated by P0 • E : verification key of D
The Proxy Sharing Phase • Step 1. Proxy generation • D = d0mw mod Φ(N0) • E = e0mw mod Φ(N0) • P0 publishes {mw, E, [mw || E] d0mod N0}
The Proxy Sharing Phase • Step 2 (proxy sharing) • Ki = f(x) = D + a1X + a2X2 + … +at-1Xt-1 mod Φ(N0) where a1, a2, … at-1 are random numbers. • The original signer P0 computes Pi’s partial proxy signing key, ki = f(i) and sends [[Ki]do mod N0 || ki ]ei mod Ni to the proxy signer Pi, where iis user’s identity and for all Li Z
The Proxy Sharing Phase • Step 3. (proxy share generation) • After receiving [[Ki]do mod N0 || ki ]eimod Ni each proxy signer can decrypt the ciphertext to obtain {[ki]d0 mod n0, ki} • Then each proxy signer Pi can confirm the validity of ki and keep it secret.
The Proxy Signature Issuing Phase • Step 1. • Each member of T signs the message M with his partial proxy signing key ki, where i T. • The partial proxy signature si for each actual proxy signer pi. • si = M (Li × Ki) mod N0 • Li = Π–j / i-j • Each actual proxy signer sends {[si]dimod Ni,si}to the combiner. i, jεT, j ≠ i
The Proxy Signature Issuing Phase • Step 2. • The combiner verifies the si using the public key of the proxy signer Pi, and collects [si]dimod Ni. • S: the proxy signature on message M • S = Π si mod N0 = Π(M Li × Ki) mod N0 = MΣi εT (Li × f(i)) mod N0 = M f(0) mod N0 = MD mod N0 iεT iεT
The Verification Phase • Ni, ei, mw, and E are publicly known • Step 1. • Any receiver computes mw and E with the original signer’s public key. • The receiver checks the validity of the stipulated period. • If the period has expired, the proxy verification key is invalid.
The Verification Phase • Step 2. • SE mod N0 = (MD)E mod N0 = M (d0 × e0)mw mod N0 = M
The Verification Phase • Step 3. • For internal auditing purposes, the original signer can differentiate the actual signers from the signatures [si]di mod Ni on message si, where i t.
Discussion – Property analysis • Secrecy • Proxy protected • Unforgability • Non-repudiation • Time constraint • Known signer
Discussion – Comparison COMPUTATIONAL OVERHEADS
Discussion – Comparison (cont.) COMMUNICATIONAL OVERHEADS
Application • Mobile Agent • Electronic Contract
Conclusion • Flexibly choose the threshold • Repeatedly use of the participant’s RSA key pairs which can also be used in other work • Put time constraints on the threshold delegation • Identify the actual signers