A New Identitybased Proxy Signature Scheme from Bilinear Pairings
ABSTRACT Proxy signature schemes allow a proxy signer to generate a proxy signature on behalf of an original signer. In this paper we propose an identitybased proxy signature scheme from bilinear pairings. In comparison with the Xu et al.'s scheme, our scheme is more efficient in computation and requires fewer pairing operations especially in verification phase
 [Show abstract] [Hide abstract]
ABSTRACT: Braids groups provide an alternative to number theoretic public cryptography and can be implemented quite efficiently. The paper proposes five signature schemes: Proxy Signature, Designated Verifier, BiDesignated Verifier, Designated Verifier Proxy Signature And BiDesignated Verifier Proxy Signature scheme based on braid groups. We also discuss the security aspects of each of the proposed schemes. Comment: 15 pages04/2009;
Page 1
A New Identitybased Proxy Signature Scheme from Bilinear Pairings
Hamid Mala
Department ofElectrical &
Computer Engineering, Isfahan
University ofTechnology (IUT),
Isfahan, Iran
mala@ec. iut.ac. ir
Mohammad Dakhilalian
Department ofElectrical &
Computer Engineering, Isfahan
University ofTechnology (IUT),
Isfahan, Iran
mdalian@cc. iut.ac. ir
Mehdi Brenjkoub
Department ofElectrical &
Computer Engineering, Isfahan
University ofTechnology (IUT),
Isfahan, Iran
brnjkb@cc. iut.ac. ir
Abstract
Proxy signature schemes allow a proxy signer to
generate a proxy signature on behalf of an original
signer. In thispaper wepropose an Identitybasedproxy
signature schemefrom bilinear pairings. In comparison
with the Xu et al's scheme, our scheme is more efficient
in computation and requires fewer pairing operations
especially in verificationphase.
1. Introduction
In a certificatebased public key system, before using
the public key of a user, the participants must verify the
certificate of the user at first. As a consequence, this
system requires a large storage and computing time to
store
and
verify
each
corresponding certificate. In 1984, Shamir introduced
the idea of identity(ID)based public key cryptosystem
[1], which enables any pair of users to communicate
securely without exchanging public key certificates,
without keeping a public key directory, and without
using online service of a third party, as long as a trusted
key generation center issues a private key to each user
when he
scheme resembles an ideal mail system. If you know
somebody's name and address, you can send him a
message that only he can read, and you can verify the
signatures that only he could have produced. Shamir
proposed an identitybased signature scheme in 1984 but
invention of an Identitybased encryption scheme last till
2001 which Boneh and Franklin proposed an "Identity
Based Encryption from the Weil Pairing" [2]. Since
then, many IDbased
crypto
proposed using bilinear pairings. One of them is proxy
signature.
In 1996, Mambo, Usuda, and Okamoto introduced the
concept of "proxy signature" [3]. In such a scheme an
original signer delegates his signing authority to proxy
signer in such a way that the proxy signer can sign any
messages on behalf of the original signer. There are
three
types
of delegation:
delegation and delegation by warrant.
delegation, the original signer just gives his signing
(private) key to the proxy signer as the proxy signing
key. Therefore, the signature generated between the
original signer and the proxy signer is indistinguishable.
user's
public key
andthe
first joins the network. An identitybased
primitives have been
full
delegation;partial
full
In the
In the case ofpartial delegation, the proxy singing key is
derived from the original signer's private key by the
original signer. On the other side, it is computational
hard for the proxy signer to derive the private key ofthe
original signer. However, the original signer can still
forge a proxy signature of the proxy signer. In the
delegation by warrant, the original signer signs a warrant
that certifies the legitimacy of the proxy signer. Proxy
signatures have found numerous practical applications,
particularly in distributed computing where delegation of
rights is quite common.
Bilinear pairings have attractive properties; consist of
"bilinearity", "Nondegeneracy" and "Computability"
thathavemadethem
applications. The Weil and Tate pairings have recently
been used to construct cryptosystems, such as signature
schemes of Sakai, Ohgishi and Kasahara
tripartite DiffieHellman protocol of Joux
identitybased encryption scheme ofBoneh and Franklin
[2], the short signature scheme of Boneh et al [6], the
IDbased key exchange system of Smart [7] and the ID
based signature scheme ofHess [8].
In this paper we propose an Identitybased proxy
signature scheme from bilinear pairings. In our scheme
delegation is done by warrant. As compared with the
XuZhangFeng
scheme
efficient in computation and requires fewer pairing
operations especially in verification phase.
From security aspects our scheme provides properties
that a strong proxy signature scheme should have,
defined by Lee et al. [10].
1.
distinguishable from normal signatures by everyone.
2. Verifiability: From the proxy signature, the verifier
can be convinced of the original signer's agreement on
the signed message.
3. Strong nonforgeability: A designated proxy signer
can create a valid proxy signature for the original signer.
But the original signer and other third parties who are
not designated as a proxy signer cannot create a valid
proxy signature.
4. Strong identifiability: Anyone can determine the
identity of the corresponding proxy signer from the
proxy signature.
5. Strong nondeniability: Once a proxy signer creates a
valid proxy signature of an original signer, he/she cannot
repudiate the signature creation.
suitablefor
cryptographic
[4], the
[5],
the
[9],
our schemeis more
Distinguishability:
Proxy
signatures
are
0780395212/06/$20.00 §2006 IEEE.
3304
Page 2
6. Prevention ofmisuse: The proxy signer cannot use the
proxy key for other purposes than generating a valid
proxy signature. That is, he/she cannot sign messages
that have not been authorized by the original signer.
This paper is organized as follows: the bilinear
pairing is introduced in section 2, XuZhangFeng's
identitybased proxy signature scheme is reviewed in
section 3, our new scheme is proposed in section 4 and
the efficiency and security analysis is given in section 5
;finally we draw the conclusion.
2. Preliminaries
In this section, we briefly review some preliminaries
that will be used throughout this paper.
2.1. Bilinear Pairings
Let G1 be an additive cyclic group of prime order q,
generated by P; and G2 be a multiplicative cyclic group
of the same order. As mentioned in [2]
considered as a subgroup of points on an elliptic curve
or hyper elliptic curve over a finite field. A bilinear
pairing is a map
properties:
1)
P,QC G1
e(aP, bQ) = e(bP, aQ) = e(P,Q)ab
2) Nondegenerate: there exist a Q E G1
e(Q, Q)
3) Computable given P,Q cG1 there is an efficient
algorithm to compute e(P, Q) in polynomial time.
Such bilinear pairing has been successfully realized
on certain elliptic curves, such as the modified Weil
pairing and Tate pairing [2].
G1
can be
e:G1 xG1 *G2 with the following
Bilinear:foralland
a,b CZq
such that
1.
2.2. Complexity assumptions
Let G1 be an additive cyclic group generated by P
with the prime order q. Assume that the inversion and
multiplication
G1
can be computed
Followingproblems
mean aER G, to choose an element in group G
random.
1)
elements P,Q
Q= nP whenever such an integer exists.
2) Computational DiffieHellman Problem (CDHP):
given P, aP, bP for some a, b CR Zq
3) Decisional DiffieHellman Problem (DDHP): given
P, aP, bP,cP
c= abmodq.
in
efficiently.
in G1.
are
introduced
We
at
Discrete Logarithm Problem (DLP):
GC1, find an integer n c Zq
given two
such that
, compute abP.
for a, b, c EZq
decide
whether
4) Bilinear Pairing Inversion Problem (BPIP): given
PE G1 and e(P, Q) E G2, find QE G1.
As specified in
problem in G1 should be easy. The DDHP in G2, the
CDHP and DLP in both G1 and G2 should be hard.
Also the BPIP should be hard. The group G1 with these
conditions is called a Gap DiffieHellman (GDH) group.
[2], the decisional diffiehellman
3.
signature scheme
Reviewof
XuZhangFeng's
proxy
The scheme uses SOKIBSI as its identitybased plain
signature
Thescheme
algorithms:
Setup: Assume
k
system. Let G1 be a GDH group of prime order q > 2k
generated by P, G2 be a multiplicative cyclic group of
the same order, and e: G1 x G1 >G2 be a bilinear map.
Private Key Generator (PKG) picks a random master key
S CR Zq
and setsP,,b= sP. Then he chooses hash
functions H1,H2,H3:{O,1}* G1, and hash function
H4: {O,1} X Zq
Then he publishes parameters of the
system: params
Key Extract:
given a user's identity
computes QID
H1 (ID) E G1 and the associated private
key SID = SQID C G1.
Sign
(signer) IDd, in order to sign the messagem,
1.
Randomly
pick
UdrdP C G1
and
HdH2 (IDd,mw,Ud) CG
2. Compute Vd = SIDd + rdHd C G1.
The signature on mw is the warrant w =< Ud, Vd >.
Verify
message mwfor the identity IDd, the verifier computes
QIDd = H1 (IDd) and Hd=H2 (IDd,mw,Ud) firstly. He
then
accepts
e(P, Vd ) =e(PoUb' QIDd)e(Ud, Hd)
Proxy designation : in order to designate userIDPas a
proxy signer, the original signer sends user IDP
message mw and corresponding warrant w. The user
ID,verifies this signature w
computes
a
proxy
skp =H4 (IDd,IDP,mW,UW)SIDP+ Vd
[4].
consistsof following
is the security parameter of the
{q, G1, G2, e, P, H1,H2,H3,H4,POub}
ID, PKG
: given the private key Sd of original designator
:
rd CR Zq
and
compute
then
put
: to verify a signature W=<Ud, Vd >
on a
the
signature
if
and
only
if

a
and if it is valid he
signingkey
as
1 SakaiOgishiKasahara Identity Based Signature
0780395212/06/$20.00 §2006 IEEE.
3305
Page 3
Proxy signing: given proxy signing key skp, proxy
signer signs a message m on behalf of user IDd
follows:
1.
Randomlypicks
r.E Zq
Up=rpPE G1 and then putsHp=H2(IDP,m,Up)
2. ComputesVP= skp +reHPEGI
The proxy signature on message m on behalf of user
IDd
produced
by
psig =(mw, IDP,Ud, Up, V
Proxy
QIDd =HI(IDd) E G1
Hd=H2(IDd,mw,Ud)
He then accepts the signature if
e(P,V)
xe(Up,Hp) xe(Ud,Hd)
as
and
computes
.
user
IDP
is
verifi'cation
:
The
verifier
firsttakes
QIDP =HI(IDP) C1
andH,=H2(IDp,m,Up)
,
e(PQ)H4(IDd,IDP,m,Ud)x e(P,,b,QID)
4. Review of Hess's signature scheme
This scheme consists of four algorithms, setup, key
extract, sign and verify. Setup and key extract algorithms
are the same as Xu et al's except that instead of hash
functions H2,H3 and H4 we define H:{O,1}* X Zq*.
The two latter algorithms are defined as follows.
Sign: a user with identity ID and public/private key
pair QID I SID signs a message m in the following steps:
1. Randomly pick k eR Zq* and compute r = e(P, p)k
c =H(m, r).
2. ComputesU = CSID + kP .
The signature on m will be < c,U > .
Verify: to verify a signature < c,U > on a message m
for the identity ID, the verifier
1.
computes
r'=e(U, P)e(QID, Ppub) which if the signature is valid,
should be equal to r .
2. He then
accepts
c =H(m, r').
The
signature
and
consistent, because from bilinearity ofthe pairing map e
we have:
r'
e(U, P)e(QID, PUb)
= e(cSID + kP, P)e(CSQID, P)
= e(cSID + kP cSID,P)
e(kP,P) =e(P, p)k =r
Firstly
QID = H1 (ID)
and
the
signature
if and only
if
verification
algorithms
are
c
5. Our proposed scheme
Although Xu et al's identitybased proxy signature
provides all the security requirements defined in section
1, but from efficiency viewpoint it doesn't have any
basic difference with the most natural proxy signature
scheme whichfollows:
"the designator arranges
warrant consist of proxy's name and conditions of the
proxy and signs this warrant. Whenever the proxy signer
wants to sign a message on behalf of the designator,
attach the signed warrant to his signed message and
sends them to the verifier. The verifier first verifies the
signature of the designator on the warrant and then if it
is valid, verifies the signature on message m with the
proxy's public key whose identity is mentioned in the
warrant." In this scenario and using SOKIBS whose
verification needs one hash evaluation and three pairing
evaluation, we will need 2 hash and 6 pairing evaluation.
While verification in Xu et al's proxy signature scheme
preserves only one pairing evaluation and still needs 2
hash and 5 pairing evaluations. The only difference
between this scenario and Xu et al's proxy signature is
that in the latter, proxy signing key is different from
proxy's private key. We propose a more efficient proxy
signature scheme based on Hess's signature scheme.
In Our IDbased proxy signature original signer uses
Hess's signature scheme to sign the warrant for the
proxy. Having verified the signed warrant, proxy signer
uses one of its part and his private key to form the proxy
key. Then he uses proxy key in a mathematically
attractive way to sign a message on behalfofthe original
signer. Verifier can verify the signature just by two
pairing
two
multiplication,
one hash computing and two point
addition. The complete description of the scheme is
given as a set of sequential algorithms:
a
evaluation,
elliptic
curve
point
Setup: Let G1 be a GDH group of prime order q
generated by P, G2 be a multiplicative cyclic group of
the same order, and e: G1 x G1G2 be a bilinear map.
PKG picks a random master key
Ppub =sP.
HI:{0,1} *G1, and hash function H:{O,1}*
Thenhe
publishes
parameters
params ={q,GI,G2,e,P,HI,H2,H3,H4, pub}
s eR Zq*
hash
and sets
functions
Then
he
chooses
1
Zq.
ofthe
system:
Key
computes QID= H1 (ID) E G1 and the associated private
key SID= SQID E G1.
Extract:
given
a
user's
identity
ID, PKG
Sign : given the private key Sd of original signer IDd,
in order to sign the message mw He uses Hess's
signature:
1.
Randomly
picks
kd eR Zq
and
computes
rd = e(P,P)kd and Cd =H(mw,rd).
2. Computes Ud = CdSd + kdP E G.
The signature on mw is the warrant w =< Cd,Ud > .
0780395212/06/$20.00 §2006 IEEE.
3306
Page 4
Verify: to verify a signature < Cd, Ud > on a message
mw for the identity IDd, the verifier
1.computes
r
2. He then
accepts
the
Cd =H(mw,r').
Proxy designation : in order to designate userIDPas a
proxy signer, the original signer sends user IDP
message mw and corresponding warrant w. The user
IDPverifies this signature w
computes a proxy signing key using his private keySP
and the first element ofthe warrant:
skp=CdSp
Proxy signing: given proxy signing key skp, proxy
signer signs a message m on behalf of user IDd
follows:
1.
Randomlypicks
kp E Zq
Firstly
QIDd =HI(IDd) and
=e(U, P)e(QID, PPUb)
signature
if and only
if
a
and if it is valid he
(1)
as
and
computes
r.
2. ComputesUp=cP.skp+kpP.
The proxy signature on message m on behalf of user
IDd produced by userIDPis announced as:
psig =(mw,IDP,IDd,Ud,Up,cp,Cd)
Proxy
The
QIDd=H1(IDd ) E GI
by calculating two pairing operation can obtain:
r = e(Up +Ud,P)e(Qd+cpQp,Ppub)Cd
He then accepts the signature as a valid proxy signature
from user IDP on behalf of user IDd
equation (4) is hold.
cp= H(m, r')
e(P,P)kPandthenputs cp
H(m,rrd)
(2)
verifi'cation:
verifierfirst
takes
, QIDP=H1(IDP) E G1
, and then
(3)
if and only if
(4)
5.1. Correctness
The
signature
and
verification
algorithms
are
consistent, because from bilinearity ofthe pairing map e
we have:
r'= e(UP+Ud,P)e(Qd+cpQp,PpUb)Cd
=e(cp.skp +kpP+ CdSd + kdP, P)e(Sd +cpdp,P) Cd
=e(cp.cdSp+kpP+ CdSd + kP,P)e(CdSd
=e(kpP+ kdP, P)e(O,P)
= e(P,P)kd+kp1
= rd.rp
6. Security and Efficiency analysis
CdCpSp,P)
(5)
The identity based proxy signature we proposed is
more efficient than Xu et al's scheme, especially in
proxy verification p phase. We can divide a proxy
signature into four phases: "phase (1), signing the proxy
and issuing the warrant", "phase (2) warrant verification
and proxy signing key generation", "phase (3) proxy
signature generation" and "phase (4) final verification".
Table (1) gives a complete comparison between our
proxy signature scheme and Xu et al's one in their four
phases.
Table (1): Efficiency comparison
scheme
Xu et al's
phase (1)
2M +H+Ac
Proposed
3M +H
+AG+e
2P +2MG0
+H+e
3MG1+H
+ Ac1 + e
2P +2MG1 +H
+2Ac +e
phase (2)
3P +
+2H+Ac
2MG0+H +AG1
phase (3)
phase (4)
5P+MG0
+2H+e
In this tableMG,and AG1 mean scalar multiplication
and Addition in group G1 respectively , H
function evaluation whose output is an elliptic curve
point, P is a pairing operation which is the most time
consuming operation and e is exponentiation in Zq
Other computation costs are negligible. Notice that it is
unnecessary to do a pairing operation to computer.or
rd each time we generate a signature, because e(P,P)
can be recomputed and then with an exponentiation in
G2,r.or rd is computed.
Xu et al propose a security proof for their scheme.
Their proof has been done under the random oracle
model (The random oracle model means that underlying
hash functions used in the scheme are assumed to be
ideal random functions [ 1]) and we now that security in
this model can not be a good support for the whole
security of the scheme
mentioned in section 1, distinguish ability, verifiability,
strong
strong
prevention of misuse
obviously. We show that our scheme provides "strong
nonforgeability" property too.
is a hash
[12].
Security requirements
identifiably,
nondeniability
in our scheme
and
are achieved
6.1. Achievement of strong nonforgeability
It
is obvious that the original signer has more
facilities than the other users to forge a proxy signature
from his proxy signer. We shoe that even the original
signer can not forge a proxy's proxy signature. Suppose
the designator wants to forge a proxy signature on a
message m. The only secrets he doesn't know is the
private key of the proxy, Sp and proxy signing key
skp . He picks a random k E Zq*and computesr.and
CPafterwards. Now he must find aUpsuch that rP.rd
0780395212/06/$20.00 §2006 IEEE.
3307
Page 5
is equal to r' from equation (3). To find such aU.he
should solve the equation
e(Up, P) = a
for Up, in which
a = e(Ud, P) 'e(Qd +cpQp,Ppub)Cd .rPrd
Which is a BPIP. So assuming BPIP is a NPcomplete
problem, our identity based proxy signature scheme is
strongly nonforgabe even for the designator signer.
7. Conclusion
In this paper, we proposed a new identitybased proxy
signature scheme that is based on Hess's IDbased
signature scheme and has more efficiency than Xu et
al's scheme. Our scheme provides all the six security
requirements of a proxy signature.
[10] B. Lee, H. Kim and K. Kim, Secure mobile agent using
strong nondesignatedproxy signature, Proc. ofACISP2001,
LNCS 2119, pp.474486, Springer Verlag, 2001.
[11] M.
Practical: A Paradigm for Designing E cient Protocols,
Proceedings of the First ACM Conference on Computer and
Communications Security 1993, pages 6273.
Bellare and P. Rogaway, Random Oracles are
[12] R. Canetti, 0. Goldreich and S. Halevi, The Random
Oracle AMethodology, Revisited, Proceedings of 30th Annual
ACM Symposium on the Theory of Computing, pages 209
218, May 1998, ACM
8. References
[1] A. Shamir, Identitybased Cryptosystems and Signature
Schemes, Proceedings of CRYPTO'84, LNCS 196, pages 47
53, SpringerVerlag, 1984.
[2] D. Boneh and M. Franklin, IdentityBased Encryptionfrom
the Weil Pairing, Proceedings of CRYPTO 2001, LNCS 2139,
pages 213{229, SpringerVerlag, 2001.
[3] M. Mambo, K. Usuda and E. Okamoto, "Proxy signatures
for delegating signing operation," Proc. 3rd ACM Conference
on Computer and Communications Security, ACM Press,
pp.4857, 1996.
[4] R. Sakai, K. Ohgishi, M. Kasahara, Cryptosystems based
on pairing, In The 2000 Sympoium on Cryptography and
Information Security, Okinawa, Japan, January 2000.
[5] A. Joux, One Round Protocol for Tripartite DiffieHellman,
Algorithmic Number Theory Symposium
ANTS 2002, LNCS 1838, pages 385{394, SpringerVerlag,
2000.
{ Proceedings of
[6] D. Boneh, B. Lynn, and H. Shacham, Short Signatures
from the Weil Pairing, Advances in Cryptology Proceedings
of ASIACRYPT 2001, LNCS 2248, pages 566582, Springer
Verlag, 2001.
[7]. N.P. Smart. An Identity based authenticated Key greement
protocol based on the Weil Pairing. Cryptology ePrint rchive,
Report 2001/ 111, 2001. http://eprint.iacr.org/.
[8] F. Hess, Efficient Identity Based Signature Schemes ased
on Pairings, Selected Areas in Cryptography { Proceedings of
SAC 2002, LNCS 2595, pages 310324, SpringerVerlag,
2002.
[9] J. Xu, Z. Zhang, D. Feng. IDBased Proxy Signature Using
Bilinear Pairings, available at http://eprint.iacr.org/2004/206/
0780395212/06/$20.00 §2006 IEEE.
3308