A New Identity-based Proxy Signature Scheme from Bilinear Pairings
ABSTRACT Proxy signature schemes allow a proxy signer to generate a proxy signature on behalf of an original signer. In this paper we propose an identity-based proxy signature scheme from bilinear pairings. In comparison with Xu et al.'s scheme, our scheme is more efficient in computation and requires fewer pairing operations, especially in the verification phase.
Hamid Mala
Department of Electrical & Computer Engineering, Isfahan University of Technology (IUT), Isfahan, Iran
mala@ec.iut.ac.ir
Mohammad Dakhil-alian
Department of Electrical & Computer Engineering, Isfahan University of Technology (IUT), Isfahan, Iran
mdalian@cc.iut.ac.ir
Mehdi Brenjkoub
Department of Electrical & Computer Engineering, Isfahan University of Technology (IUT), Isfahan, Iran
brnjkb@cc.iut.ac.ir
1. Introduction
In a certificate-based public key system, before using the public key of a user, the participants must first verify the certificate of the user. As a consequence, this system requires a large amount of storage and computing time to store and verify each user's public key and the corresponding certificate. In 1984, Shamir introduced the idea of the identity (ID)-based public key cryptosystem [1], which enables any pair of users to communicate securely without exchanging public key certificates, without keeping a public key directory, and without using the online service of a third party, as long as a trusted key generation center issues a private key to each user when he first joins the network. An identity-based scheme resembles an ideal mail system: if you know somebody's name and address, you can send him a message that only he can read, and you can verify the signatures that only he could have produced. Shamir proposed an identity-based signature scheme in 1984, but the invention of an identity-based encryption scheme took until 2001, when Boneh and Franklin proposed "Identity-Based Encryption from the Weil Pairing" [2]. Since then, many ID-based crypto primitives have been proposed using bilinear pairings. One of them is the proxy signature.
In 1996, Mambo, Usuda, and Okamoto introduced the concept of "proxy signature" [3]. In such a scheme an original signer delegates his signing authority to a proxy signer in such a way that the proxy signer can sign any message on behalf of the original signer. There are three types of delegation: full delegation, partial delegation and delegation by warrant. In the full delegation, the original signer just gives his signing (private) key to the proxy signer as the proxy signing key. Therefore, a signature generated by the original signer and one generated by the proxy signer are indistinguishable. In the case of partial delegation, the proxy signing key is derived from the original signer's private key by the original signer. On the other side, it is computationally hard for the proxy signer to derive the private key of the original signer. However, the original signer can still forge a proxy signature of the proxy signer. In the delegation by warrant, the original signer signs a warrant that certifies the legitimacy of the proxy signer. Proxy signatures have found numerous practical applications, particularly in distributed computing where delegation of rights is quite common.
Bilinear pairings have attractive properties, namely "bilinearity", "non-degeneracy" and "computability", that have made them suitable for cryptographic applications. The Weil and Tate pairings have recently been used to construct cryptosystems, such as the signature schemes of Sakai, Ohgishi and Kasahara [4], the tripartite Diffie-Hellman protocol of Joux [5], the identity-based encryption scheme of Boneh and Franklin [2], the short signature scheme of Boneh et al. [6], the ID-based key exchange system of Smart [7] and the ID-based signature scheme of Hess [8].
In this paper we propose an identity-based proxy signature scheme from bilinear pairings. In our scheme delegation is done by warrant. As compared with the Xu-Zhang-Feng scheme [9], our scheme is more efficient in computation and requires fewer pairing operations, especially in the verification phase.
From the security aspect, our scheme provides the properties that a strong proxy signature scheme should have, as defined by Lee et al. [10]:
1. Distinguishability: Proxy signatures are distinguishable from normal signatures by everyone.
2. Verifiability: From the proxy signature, the verifier can be convinced of the original signer's agreement on the signed message.
3. Strong non-forgeability: A designated proxy signer can create a valid proxy signature for the original signer. But the original signer and other third parties who are not designated as a proxy signer cannot create a valid proxy signature.
4. Strong identifiability: Anyone can determine the identity of the corresponding proxy signer from the proxy signature.
5. Strong non-deniability: Once a proxy signer creates a valid proxy signature of an original signer, he/she cannot repudiate the signature creation.
0-7803-9521-2/06/$20.00 ©2006 IEEE.
6. Prevention of misuse: The proxy signer cannot use the proxy key for purposes other than generating a valid proxy signature. That is, he/she cannot sign messages that have not been authorized by the original signer.
This paper is organized as follows: the bilinear pairing is introduced in section 2, Xu-Zhang-Feng's identity-based proxy signature scheme is reviewed in section 3, our new scheme is proposed in section 4 and the efficiency and security analysis is given in section 5; finally we draw the conclusion.
2. Preliminaries
In this section, we briefly review some preliminaries
that will be used throughout this paper.
2.1. Bilinear Pairings
Let $G_1$ be an additive cyclic group of prime order $q$, generated by $P$, and $G_2$ be a multiplicative cyclic group of the same order. As mentioned in [2], $G_1$ can be considered as a subgroup of points on an elliptic curve or hyperelliptic curve over a finite field. A bilinear pairing is a map $e: G_1 \times G_1 \to G_2$ with the following properties:
1) Bilinear: for all $P, Q \in G_1$ and $a, b \in Z_q$,
$e(aP, bQ) = e(bP, aQ) = e(P, Q)^{ab}$
2) Non-degenerate: there exists a $Q \in G_1$ such that $e(Q, Q) \neq 1$.
3) Computable: given $P, Q \in G_1$ there is an efficient algorithm to compute $e(P, Q)$ in polynomial time.
Such a bilinear pairing has been successfully realized on certain elliptic curves, such as the modified Weil pairing and Tate pairing [2].
2.2. Complexity assumptions
Let $G_1$ be an additive cyclic group generated by $P$ with the prime order $q$. Assume that the inversion and multiplication in $G_1$ can be computed efficiently. The following problems are introduced in $G_1$. By $a \in_R G$ we mean choosing an element $a$ in group $G$ at random.
1) Discrete Logarithm Problem (DLP): given two elements $P, Q \in G_1$, find an integer $n \in Z_q$ such that $Q = nP$ whenever such an integer exists.
2) Computational Diffie-Hellman Problem (CDHP): given $P, aP, bP$ for some $a, b \in_R Z_q$, compute $abP$.
3) Decisional Diffie-Hellman Problem (DDHP): given $P, aP, bP, cP$ for $a, b, c \in Z_q$, decide whether $c = ab \bmod q$.
4) Bilinear Pairing Inversion Problem (BPIP): given $P \in G_1$ and $e(P, Q) \in G_2$, find $Q \in G_1$.
As specified in [2], the decisional Diffie-Hellman problem in $G_1$ should be easy. The DDHP in $G_2$, the CDHP and DLP in both $G_1$ and $G_2$ should be hard. Also the BPIP should be hard. The group $G_1$ with these conditions is called a Gap Diffie-Hellman (GDH) group.
3. Review of Xu-Zhang-Feng's proxy signature scheme
The scheme uses SOK-IBS¹ as its identity-based plain signature [4]. The scheme consists of the following algorithms:
Setup: Assume $k$ is the security parameter of the system. Let $G_1$ be a GDH group of prime order $q > 2^k$ generated by $P$, $G_2$ be a multiplicative cyclic group of the same order, and $e: G_1 \times G_1 \to G_2$ be a bilinear map. The Private Key Generator (PKG) picks a random master key $s \in_R Z_q$ and sets $P_{pub} = sP$. Then he chooses hash functions $H_1, H_2, H_3: \{0,1\}^* \to G_1$, and a hash function $H_4: \{0,1\}^* \to Z_q$. Then he publishes the parameters of the system: $params = \{q, G_1, G_2, e, P, H_1, H_2, H_3, H_4, P_{pub}\}$
Key Extract: given a user's identity $ID$, PKG computes $Q_{ID} = H_1(ID) \in G_1$ and the associated private key $S_{ID} = sQ_{ID} \in G_1$.
Sign: given the private key $S_d$ of the original designator (signer) $ID_d$, in order to sign the message $m_w$:
1. Randomly pick $r_d \in_R Z_q$ and compute $U_d = r_d P \in G_1$ and then put $H_d = H_2(ID_d, m_w, U_d) \in G_1$.
2. Compute $V_d = S_{ID_d} + r_d H_d \in G_1$.
The signature on $m_w$ is the warrant $w = \langle U_d, V_d \rangle$.
Verify: to verify a signature $w = \langle U_d, V_d \rangle$ on a message $m_w$ for the identity $ID_d$, the verifier first computes $Q_{ID_d} = H_1(ID_d)$ and $H_d = H_2(ID_d, m_w, U_d)$. He then accepts the signature if and only if
$e(P, V_d) = e(P_{pub}, Q_{ID_d})\, e(U_d, H_d)$
Proxy designation: in order to designate user $ID_p$ as a proxy signer, the original signer sends user $ID_p$ a message $m_w$ and the corresponding warrant $w$. The user $ID_p$ verifies this signature $w$ and if it is valid he computes a proxy signing key as
$sk_p = H_4(ID_d, ID_p, m_w, U_d)\, S_{ID_p} + V_d$
¹ Sakai-Ogishi-Kasahara Identity Based Signature
Proxy signing: given the proxy signing key $sk_p$, the proxy signer signs a message $m$ on behalf of user $ID_d$ as follows:
1. Randomly picks $r_p \in Z_q$ and computes $U_p = r_p P \in G_1$ and then puts $H_p = H_2(ID_p, m, U_p)$.
2. Computes $V_p = sk_p + r_p H_p \in G_1$.
The proxy signature on message $m$ on behalf of user $ID_d$ produced by user $ID_p$ is
$psig = (m_w, ID_p, U_d, U_p, V_p)$
Proxy verification: The verifier first takes $Q_{ID_d} = H_1(ID_d) \in G_1$, $Q_{ID_p} = H_1(ID_p) \in G_1$, $H_d = H_2(ID_d, m_w, U_d)$ and $H_p = H_2(ID_p, m, U_p)$. He then accepts the signature if
$e(P, V_p) = e(P_{pub}, Q_{ID_p})^{H_4(ID_d, ID_p, m_w, U_d)} \times e(P_{pub}, Q_{ID_d}) \times e(U_p, H_p) \times e(U_d, H_d)$
4. Review of Hess's signature scheme
This scheme consists of four algorithms: setup, key extract, sign and verify. The setup and key extract algorithms are the same as Xu et al.'s except that instead of hash functions $H_2$, $H_3$ and $H_4$ we define $H: \{0,1\}^* \to Z_q^*$. The two latter algorithms are defined as follows.
Sign: a user with identity $ID$ and public/private key pair $Q_{ID} / S_{ID}$ signs a message $m$ in the following steps:
1. Randomly pick $k \in_R Z_q^*$ and compute $r = e(P, P)^k$ and $c = H(m, r)$.
2. Compute $U = cS_{ID} + kP$.
The signature on $m$ will be $\langle c, U \rangle$.
Verify: to verify a signature $\langle c, U \rangle$ on a message $m$ for the identity $ID$, the verifier
1. First computes $Q_{ID} = H_1(ID)$ and $r' = e(U, P)\, e(Q_{ID}, P_{pub})^{-c}$, which, if the signature is valid, should be equal to $r$.
2. He then accepts the signature if and only if $c = H(m, r')$.
The signature and verification algorithms are consistent, because from bilinearity of the pairing map $e$ we have:
$r' = e(U, P)\, e(Q_{ID}, P_{pub})^{-c}$
$= e(cS_{ID} + kP, P)\, e(-csQ_{ID}, P)$
$= e(cS_{ID} + kP - cS_{ID}, P)$
$= e(kP, P) = e(P, P)^k = r$
5. Our proposed scheme
Although Xu et al.'s identity-based proxy signature provides all the security requirements defined in section 1, from the efficiency viewpoint it has no basic difference from the most natural proxy signature scheme, which is as follows: "the designator arranges a warrant consisting of the proxy's name and the conditions of the proxy, and signs this warrant. Whenever the proxy signer wants to sign a message on behalf of the designator, he attaches the signed warrant to his signed message and sends them to the verifier. The verifier first verifies the signature of the designator on the warrant and then, if it is valid, verifies the signature on message m with the proxy's public key whose identity is mentioned in the warrant." In this scenario, using SOK-IBS, whose verification needs one hash evaluation and three pairing evaluations, we will need 2 hash and 6 pairing evaluations, while verification in Xu et al.'s proxy signature scheme saves only one pairing evaluation and still needs 2 hash and 5 pairing evaluations. The only difference between this scenario and Xu et al.'s proxy signature is that in the latter, the proxy signing key is different from the proxy's private key. We propose a more efficient proxy signature scheme based on Hess's signature scheme.
In our ID-based proxy signature, the original signer uses Hess's signature scheme to sign the warrant for the proxy. Having verified the signed warrant, the proxy signer uses one of its parts and his private key to form the proxy key. Then he uses the proxy key in a mathematically attractive way to sign a message on behalf of the original signer. The verifier can verify the signature with just two pairing evaluations, two elliptic curve point multiplications, one hash computation and two point additions. The complete description of the scheme is given as a set of sequential algorithms:
Setup: Let $G_1$ be a GDH group of prime order $q$ generated by $P$, $G_2$ be a multiplicative cyclic group of the same order, and $e: G_1 \times G_1 \to G_2$ be a bilinear map. PKG picks a random master key $s \in_R Z_q^*$ and sets $P_{pub} = sP$. Then he chooses a hash function $H_1: \{0,1\}^* \to G_1$ and a hash function $H: \{0,1\}^* \to Z_q$. Then he publishes the parameters of the system:
$params = \{q, G_1, G_2, e, P, H_1, H_2, H_3, H_4, P_{pub}\}$
Key Extract: given a user's identity $ID$, PKG computes $Q_{ID} = H_1(ID) \in G_1$ and the associated private key $S_{ID} = sQ_{ID} \in G_1$.
Sign: given the private key $S_d$ of the original signer $ID_d$, in order to sign the message $m_w$ he uses Hess's signature:
1. Randomly picks $k_d \in_R Z_q$ and computes $r_d = e(P, P)^{k_d}$ and $c_d = H(m_w, r_d)$.
2. Computes $U_d = c_d S_d + k_d P \in G_1$.
The signature on $m_w$ is the warrant $w = \langle c_d, U_d \rangle$.
Verify: to verify a signature $\langle c_d, U_d \rangle$ on a message $m_w$ for the identity $ID_d$, the verifier
1. First computes $Q_{ID_d} = H_1(ID_d)$ and $r' = e(U_d, P)\, e(Q_{ID_d}, P_{pub})^{-c_d}$.
2. He then accepts the signature if and only if $c_d = H(m_w, r')$.
Proxy designation: in order to designate user $ID_p$ as a proxy signer, the original signer sends user $ID_p$ a message $m_w$ and the corresponding warrant $w$. The user $ID_p$ verifies this signature $w$ and if it is valid he computes a proxy signing key using his private key $S_p$ and the first element of the warrant:
$sk_p = c_d S_p$   (1)
Proxy signing: given the proxy signing key $sk_p$, the proxy signer signs a message $m$ on behalf of user $ID_d$ as follows:
1. Randomly picks $k_p \in Z_q$ and computes $r_p = e(P, P)^{k_p}$ and then puts
$c_p = H(m, r_p r_d)$   (2)
2. Computes $U_p = c_p \cdot sk_p + k_p P$.
The proxy signature on message $m$ on behalf of user $ID_d$ produced by user $ID_p$ is announced as:
$psig = (m_w, ID_p, ID_d, U_d, U_p, c_p, c_d)$
Proxy verification: The verifier first takes $Q_{ID_d} = H_1(ID_d) \in G_1$, $Q_{ID_p} = H_1(ID_p) \in G_1$, and then by calculating two pairing operations can obtain:
$r' = e(U_p + U_d, P)\, e(Q_d + c_p Q_p, P_{pub})^{-c_d}$   (3)
He then accepts the signature as a valid proxy signature from user $ID_p$ on behalf of user $ID_d$ if and only if equation (4) holds.
$c_p = H(m, r')$   (4)
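The algorithms of the proposed scheme and equations (1) to (4), written out as an added example (not the authors' code). The pairing is a toy stand-in assumed for the example and is not secure: a $G_1$ element $aP$ is stored as the scalar $a$, and $e(aP, bP) = g^{ab} \bmod p$; all function names and the sample identities are hypothetical.

```python
import hashlib, math, secrets

# Toy pairing (assumption, NOT secure): the G1 element aP is stored as a mod q
# and e(aP, bP) = g^(ab) mod p. Discrete logs in G1 are trivial here; the model
# only exercises the scheme's algebra.
def is_prime(n):
    return n > 2 and n % 2 == 1 and all(n % d for d in range(3, math.isqrt(n) + 1, 2))

q = next(n for n in range(2**31 + 1, 2**32, 2) if is_prime(n) and is_prime(2 * n + 1))
p, g, P = 2 * q + 1, 4, 1        # g = 4 generates G2, the order-q subgroup of Z_p^*
STATS = {"pairings": 0}          # pairing evaluations performed so far

def e(A, B):
    STATS["pairings"] += 1
    return pow(g, A * B % q, p)

def h(*parts):                   # tagged SHA-256 into Z_q^*; plays both H1 and H
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % (q - 1) + 1

def rand():
    return secrets.randbelow(q - 1) + 1

s = rand()                       # PKG master key
Ppub, E_PP = s * P % q, e(P, P)  # e(P, P) is computed once and reused

def extract(ident):              # Key Extract: (Q_ID, S_ID = s * Q_ID)
    Q = h("H1", ident)
    return Q, s * Q % q

def hess_sign(S, m):             # Sign: r = e(P,P)^k, c = H(m, r), U = c*S + k*P
    k = rand()
    c = h("H", m, pow(E_PP, k, p))
    return c, (c * S + k * P) % q

def recover_r(ident, c, U):      # r' = e(U, P) * e(Q_ID, Ppub)^(-c)
    return e(U, P) * pow(e(h("H1", ident), Ppub), -c % q, p) % p

def hess_verify(ident, m, c, U):
    return c == h("H", m, recover_r(ident, c, U))

def proxy_sign(S_p, m, id_d, mw, c_d, U_d):
    r_d = recover_r(id_d, c_d, U_d)
    if c_d != h("H", mw, r_d):
        raise ValueError("warrant signature is invalid")
    sk_p, k_p = c_d * S_p % q, rand()                 # equation (1)
    c_p = h("H", m, pow(E_PP, k_p, p) * r_d % p)      # equation (2)
    return (c_p * sk_p + k_p * P) % q, c_p            # (U_p, c_p)

def proxy_verify(m, id_p, id_d, U_d, U_p, c_p, c_d):
    Q_d, Q_p = h("H1", id_d), h("H1", id_p)
    r = e((U_p + U_d) % q, P) * pow(e((Q_d + c_p * Q_p) % q, Ppub), -c_d % q, p) % p  # (3)
    return c_p == h("H", m, r)                        # equation (4)

if __name__ == "__main__":
    (_, S_d), (_, S_p) = extract("alice@example"), extract("bob@example")
    mw = "bob@example may sign invoices for alice@example"   # constructed warrant text
    c_d, U_d = hess_sign(S_d, mw)
    U_p, c_p = proxy_sign(S_p, "invoice 42", "alice@example", mw, c_d, U_d)
    print(proxy_verify("invoice 42", "bob@example", "alice@example", U_d, U_p, c_p, c_d))
```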
5.1. Correctness
The signature and verification algorithms are consistent, because from bilinearity of the pairing map $e$ we have:
$r' = e(U_p + U_d, P)\, e(Q_d + c_p Q_p, P_{pub})^{-c_d}$
$= e(c_p \cdot sk_p + k_p P + c_d S_d + k_d P, P)\, e(S_d + c_p S_p, P)^{-c_d}$
$= e(c_p c_d S_p + k_p P + c_d S_d + k_d P, P)\, e(-c_d S_d - c_d c_p S_p, P)$
$= e(k_p P + k_d P, P)\, e(O, P)$
$= e(P, P)^{k_d + k_p}$
$= r_d \cdot r_p$   (5)
6. Security and Efficiency analysis
The identity-based proxy signature we proposed is more efficient than Xu et al.'s scheme, especially in the proxy verification phase. We can divide a proxy signature into four phases: "phase (1), signing the proxy and issuing the warrant", "phase (2), warrant verification and proxy signing key generation", "phase (3), proxy signature generation" and "phase (4), final verification". Table (1) gives a complete comparison between our proxy signature scheme and Xu et al.'s in these four phases.
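Table (1): Efficiency comparison
| scheme | phase (1) | phase (2) | phase (3) | phase (4) |
|---|---|---|---|---|
| Xu et al's | $2M_{G_1} + H + A_{G_1}$ | $3P + {} + 2H + A_{G_1}$ | $2M_{G_1} + H + A_{G_1}$ | $5P + M_{G_1} + 2H + e$ |
| Proposed | $3M_{G_1} + H + A_{G_1} + e$ | $2P + 2M_{G_1} + H + e$ | $3M_{G_1} + H + A_{G_1} + e$ | $2P + 2M_{G_1} + H + 2A_{G_1} + e$ |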
In this table $M_{G_1}$ and $A_{G_1}$ mean scalar multiplication and addition in group $G_1$ respectively, $H$ is a hash function evaluation whose output is an elliptic curve point, $P$ is a pairing operation, which is the most time-consuming operation, and $e$ is exponentiation in $Z_q$. Other computation costs are negligible. Notice that it is unnecessary to do a pairing operation to compute $r_p$ or $r_d$ each time we generate a signature, because $e(P, P)$ can be precomputed and then, with an exponentiation in $G_2$, $r_p$ or $r_d$ is computed.
Xu et al. propose a security proof for their scheme. Their proof has been done under the random oracle model (the random oracle model means that the underlying hash functions used in the scheme are assumed to be ideal random functions [11]) and we know that security in this model cannot be a good support for the whole security of the scheme [12]. The security requirements mentioned in section 1, distinguishability, verifiability, strong identifiability, strong non-deniability and prevention of misuse, are obviously achieved in our scheme. We show that our scheme provides the "strong non-forgeability" property too.
6.1. Achievement of strong non-forgeability
It is obvious that the original signer has more facilities than the other users to forge a proxy signature from his proxy signer. We show that even the original signer cannot forge a proxy's proxy signature. Suppose the designator wants to forge a proxy signature on a message $m$. The only secrets he doesn't know are the private key of the proxy, $S_p$, and the proxy signing key $sk_p$. He picks a random $k \in Z_q^*$ and computes $r_p$ and $c_p$ afterwards. Now he must find a $U_p$ such that $r_p \cdot r_d$ is equal to $r'$ from equation (3). To find such a $U_p$ he should solve the equation
$e(U_p, P) = \alpha$
for $U_p$, in which
$\alpha = e(U_d, P)^{-1}\, e(Q_d + c_p Q_p, P_{pub})^{c_d} \cdot r_p r_d$
which is a BPIP. So assuming BPIP is an NP-complete problem, our identity-based proxy signature scheme is strongly non-forgeable even for the designator signer.
7. Conclusion
In this paper, we proposed a new identity-based proxy
signature scheme that is based on Hess's ID-based
signature scheme and has more efficiency than Xu et
al's scheme. Our scheme provides all the six security
requirements of a proxy signature.
8. References
[1] A. Shamir, Identity-based Cryptosystems and Signature Schemes, Proceedings of CRYPTO'84, LNCS 196, pages 47-53, Springer-Verlag, 1984.
[2] D. Boneh and M. Franklin, Identity-Based Encryption from the Weil Pairing, Proceedings of CRYPTO 2001, LNCS 2139, pages 213-229, Springer-Verlag, 2001.
[3] M. Mambo, K. Usuda and E. Okamoto, "Proxy signatures for delegating signing operation," Proc. 3rd ACM Conference on Computer and Communications Security, ACM Press, pp. 48-57, 1996.
[4] R. Sakai, K. Ohgishi, M. Kasahara, Cryptosystems based on pairing, In The 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, January 2000.
[5] A. Joux, One Round Protocol for Tripartite Diffie-Hellman, Algorithmic Number Theory Symposium - Proceedings of ANTS 2002, LNCS 1838, pages 385-394, Springer-Verlag, 2000.
[6] D. Boneh, B. Lynn, and H. Shacham, Short Signatures from the Weil Pairing, Advances in Cryptology - Proceedings of ASIACRYPT 2001, LNCS 2248, pages 566-582, Springer-Verlag, 2001.
[7] N.P. Smart, An Identity based authenticated Key Agreement protocol based on the Weil Pairing, Cryptology ePrint Archive, Report 2001/111, 2001. http://eprint.iacr.org/.
[8] F. Hess, Efficient Identity Based Signature Schemes Based on Pairings, Selected Areas in Cryptography - Proceedings of SAC 2002, LNCS 2595, pages 310-324, Springer-Verlag, 2002.
[9] J. Xu, Z. Zhang, D. Feng, ID-Based Proxy Signature Using Bilinear Pairings, available at http://eprint.iacr.org/2004/206/
[10] B. Lee, H. Kim and K. Kim, Secure mobile agent using strong non-designated proxy signature, Proc. of ACISP 2001, LNCS 2119, pp. 474-486, Springer Verlag, 2001.
[11] M. Bellare and P. Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, Proceedings of the First ACM Conference on Computer and Communications Security 1993, pages 62-73.
[12] R. Canetti, O. Goldreich and S. Halevi, The Random Oracle Methodology, Revisited, Proceedings of 30th Annual ACM Symposium on the Theory of Computing, pages 209-218, May 1998, ACM.