1 / 24

A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem

A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem. Source: IEEE TRANSACTIONS KNOWLEDGE AND DATA ENGINEERING, VOL 15,NO 5, SEPTEMBER/OCTOBER, 2003 Author: Min-Shiang Hwang, Eric Jui-Lin, Iuon-Chang Lin Speaker : 林育正 Team member: 童毅峰 林峻鋒 Date: Dec. 8, 2003.

jcatalina
Download Presentation

A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem Source: IEEE TRANSACTIONS KNOWLEDGE AND DATA ENGINEERING, VOL 15,NO 5, SEPTEMBER/OCTOBER, 2003 Author: Min-Shiang Hwang, Eric Jui-Lin, Iuon-Chang Lin Speaker :林育正 Team member: 童毅峰 林峻鋒 Date: Dec. 8, 2003

  2. Outline • Introduction • Proposed Scheme • Discussion • Property Analysis • Comparisons • Application • Conclusion

  3. Introduction 1 • Proxy signature: • The proxy signature allows proxy signers to sign messages on behalf of the original signer without exposing the original signer’s private key

  4. Introduction 2 • (1,n) threshold proxy signature: • A legal proxy signature can be generated by a designated proxy signer by using a proxy signing key. • (t,n) threshold proxy signature: • (t,n) threshold proxy signature schemes allow any t or more proxy signers from a designated group of n members to cooperatively sign messages while (t-1) or less members cannot generate the legal proxy signature.

  5. Introduction 3 • Proxy requirements • Secrecy: • The original signer’s private key must be kept secret. • Proxy protected: • Only a delegated proxy signer can generate his partial proxy signature. • Unforgeability: • (t-1) or less proxy signers have no capability of forging a valid proxy signature.

  6. Introduction 4 • Proxy requirement (cont.) • Non-repudiation: • The original signer cannot deny having delegated the power of signing messages to the proxy signers. The proxy signers cannot deny that they having signed the message. • Time constraint: • The proxy signing keys can be used only during a stipulated period. • Known signers: • For internal auditing purposes, the system is able to identify the actual signers in the proxy group.

  7. Introduction 5 • This paper propose a new (t,n) threshold proxy signature scheme based on the RSA cryptosystem. • This new scheme only requires the Lagrange formula to share the proxy signing key.

  8. Proposed Scheme • Three phases • The proxy sharing phase • The proxy signature issuing phase • The verification phase

  9. Threshold proxy signature based on the RSA cryptosystem • P0 ︰ Original signer • P1, P2, ..., Pn ︰Proxy signers • Ni = pi ×qi where pi and qiare two secret large primes. • di is a private key for Pi and its corresponding public key be ei, such that di * ei = 1 mod Φ(Ni). • Φ(Ni) = (pi - 1)(qi - 1)

  10. Threshold proxy signature based on the RSA cryptosystem • The parameters ei and Ni can be published. • The parameter di and Φ(Ni) are kept secret by the holder. • [M]di mod Ni : M encrypted with Pi’s private key di • [M]ei mod Ni : M encrypted with Pi’s public key ei using the ordinary RSA cryptosystem. • mw : contains period of proxy key, the identities of the proxy signers and the original signer, etc

  11. Threshold proxy signature based on the RSA cryptosystem • D : group proxy signature key generated by P0 • E : verification key of D

  12. The Proxy Sharing Phase • Step 1. Proxy generation • D = d0mw mod Φ(N0) • E = e0mw mod Φ(N0) • P0 publishes {mw, E, [mw || E] d0mod N0}

  13. The Proxy Sharing Phase • Step 2 (proxy sharing) • Ki = f(x) = D + a1X + a2X2 + … +at-1Xt-1 mod Φ(N0) where a1, a2, … at-1 are random numbers. • The original signer P0 computes Pi’s partial proxy signing key, ki = f(i) and sends [[Ki]do mod N0 || ki ]ei mod Ni to the proxy signer Pi, where iis user’s identity and for all Li Z

  14. The Proxy Sharing Phase • Step 3. (proxy share generation) • After receiving [[Ki]do mod N0 || ki ]eimod Ni each proxy signer can decrypt the ciphertext to obtain {[ki]d0 mod n0, ki} • Then each proxy signer Pi can confirm the validity of ki and keep it secret.

  15. The Proxy Signature Issuing Phase • Step 1. • Each member of T signs the message M with his partial proxy signing key ki, where i  T. • The partial proxy signature si for each actual proxy signer pi. • si = M (Li × Ki) mod N0 • Li = Π–j / i-j • Each actual proxy signer sends {[si]dimod Ni,si}to the combiner. i, jεT, j ≠ i

  16. The Proxy Signature Issuing Phase • Step 2. • The combiner verifies the si using the public key of the proxy signer Pi, and collects [si]dimod Ni. • S: the proxy signature on message M • S = Π si mod N0 = Π(M Li × Ki) mod N0 = MΣi εT (Li × f(i)) mod N0 = M f(0) mod N0 = MD mod N0 iεT iεT

  17. The Verification Phase • Ni, ei, mw, and E are publicly known • Step 1. • Any receiver computes mw and E with the original signer’s public key. • The receiver checks the validity of the stipulated period. • If the period has expired, the proxy verification key is invalid.

  18. The Verification Phase • Step 2. • SE mod N0 = (MD)E mod N0 = M (d0 × e0)mw mod N0 = M

  19. The Verification Phase • Step 3. • For internal auditing purposes, the original signer can differentiate the actual signers from the signatures [si]di mod Ni on message si, where i  t.

  20. Discussion – Property analysis • Secrecy • Proxy protected • Unforgability • Non-repudiation • Time constraint • Known signer

  21. Discussion – Comparison COMPUTATIONAL OVERHEADS

  22. Discussion – Comparison (cont.) COMMUNICATIONAL OVERHEADS

  23. Application • Mobile Agent • Electronic Contract

  24. Conclusion • Flexibly choose the threshold • Repeatedly use of the participant’s RSA key pairs which can also be used in other work • Put time constraints on the threshold delegation • Identify the actual signers

More Related