A New Identity-based Proxy Signature Scheme from Bilinear Pairings

Conference Paper · January 2006with42 Reads
DOI: 10.1109/ICTTA.2006.1684946 · Source: IEEE Xplore
Conference: Information and Communication Technologies, 2006. ICTTA '06. 2nd, Volume: 2
Abstract
Proxy signature schemes allow a proxy signer to generate a proxy signature on behalf of an original signer. In this paper we propose an identity-based proxy signature scheme from bilinear pairings. In comparison with the Xu et al.'s scheme, our scheme is more efficient in computation and requires fewer pairing operations especially in verification phase
A
New
Identity-based
Proxy
Signature
Scheme
from
Bilinear
Pairings
Hamid
Mala
Department
of
Electrical
&
Computer
Engineering,
Isfahan
University
of
Technology
(IUT),
Isfahan,
Iran
mala@ec.
iut.
ac.
ir
Mohammad
Dakhil-alian
Department
of
Electrical
&
Computer
Engineering,
Isfahan
University
of
Technology
(IUT),
Isfahan,
Iran
mdalian@cc.
iut.
ac.
ir
Mehdi
Brenjkoub
Department
of
Electrical
&
Computer
Engineering,
Isfahan
University
of
Technology
(IUT),
Isfahan,
Iran
brnjkb@cc.
iut.
ac.
ir
Abstract
Proxy
signature
schemes
allow
a
proxy
signer
to
generate
a
proxy
signature
on
behalf
of
an
original
signer.
In
this
paper
we
propose
an
Identity-based
proxy
signature
scheme
from
bilinear
pairings.
In
comparison
with
the
Xu
et
al's
scheme,
our
scheme
is
more
efficient
in
computation
and
requires
fewer
pairing
operations
especially
in
verification
phase.
1.
Introduction
In
a
certificate-based
public
key
system,
before
using
the
public
key
of
a
user,
the
participants
must
verify
the
certificate
of
the
user
at
first.
As
a
consequence,
this
system
requires
a
large
storage
and
computing
time
to
store
and
verify
each
user's
public
key
and
the
corresponding
certificate.
In
1984,
Shamir
introduced
the
idea
of
identity(ID)-based
public
key
cryptosystem
[1],
which
enables
any
pair
of
users
to
communicate
securely
without
exchanging
public
key
certificates,
without
keeping
a
public
key
directory,
and
without
using
online
service
of
a
third
party,
as
long
as
a
trusted
key
generation
center
issues
a
private
key
to
each
user
when
he
first
joins
the
network.
An
identity-based
scheme
resembles
an
ideal
mail
system.
If
you
know
somebody's
name
and
address,
you
can
send
him
a
message
that
only
he
can
read,
and
you
can
verify
the
signatures
that
only
he
could
have
produced.
Shamir
proposed
an
identity-based
signature
scheme
in
1984
but
invention
of
an
Identity-based
encryption
scheme
last
till
2001
which
Boneh
and
Franklin
proposed
an
"Identity-
Based
Encryption
from
the
Weil
Pairing"
[2].
Since
then,
many
ID-based
crypto
primitives
have
been
proposed
using
bilinear
pairings.
One
of
them
is
proxy
signature.
In
1996,
Mambo,
Usuda,
and
Okamoto
introduced
the
concept
of
"proxy
signature"
[3].
In
such
a
scheme
an
original
signer
delegates
his
signing
authority
to
proxy
signer
in
such
a
way
that
the
proxy
signer
can
sign
any
messages
on
behalf
of
the
original
signer.
There
are
three
types
of
delegation:
full
delegation;
partial
delegation
and
delegation
by
warrant.
In
the
full
delegation,
the
original
signer
just
gives
his
signing
(private)
key
to
the
proxy
signer
as
the
proxy
signing
key.
Therefore,
the
signature
generated
between
the
original
signer
and
the
proxy
signer
is
indistinguishable.
In
the
case
of
partial
delegation,
the
proxy
singing
key
is
derived
from
the
original
signer's
private
key
by
the
original
signer.
On
the
other
side,
it
is
computational
hard
for
the
proxy
signer
to
derive
the
private
key
of
the
original
signer.
However,
the
original
signer
can
still
forge
a
proxy
signature
of
the
proxy
signer.
In
the
delegation
by
warrant,
the
original
signer
signs
a
warrant
that
certifies
the
legitimacy
of
the
proxy
signer.
Proxy
signatures
have
found
numerous
practical
applications,
particularly
in
distributed
computing
where
delegation
of
rights
is
quite
common.
Bilinear
pairings
have
attractive
properties;
consist
of
"bilinearity",
"Non-degeneracy"
and
"Computability"
that
have
made
them
suitable
for
cryptographic
applications.
The
Weil
and
Tate
pairings
have
recently
been
used
to
construct
cryptosystems,
such
as
signature
schemes
of
Sakai,
Ohgishi
and
Kasahara
[4],
the
tripartite
Diffie-Hellman
protocol
of
Joux
[5],
the
identity-based
encryption
scheme
of
Boneh
and
Franklin
[2],
the
short
signature
scheme
of
Boneh
et
al
[6],
the
ID-based
key
exchange
system
of
Smart
[7]
and
the
ID-
based
signature
scheme
of
Hess
[8].
In
this
paper
we
propose
an
Identity-based
proxy
signature
scheme
from
bilinear
pairings.
In
our
scheme
delegation
is
done
by
warrant.
As
compared
with
the
Xu-Zhang-Feng
scheme
[9],
our
scheme
is
more
efficient
in
computation
and
requires
fewer
pairing
operations
especially
in
verification
phase.
From
security
aspects
our
scheme
provides
properties
that
a
strong
proxy
signature
scheme
should
have,
defined
by
Lee
et
al.
[10].
1.
Distinguishability:
Proxy
signatures
are
distinguishable
from
normal
signatures
by
everyone.
2.
Verifiability:
From
the
proxy
signature,
the
verifier
can
be
convinced
of
the
original
signer's
agreement
on
the
signed
message.
3.
Strong
non-forgeability:
A
designated
proxy
signer
can
create
a
valid
proxy
signature
for
the
original
signer.
But
the
original
signer
and
other
third
parties
who
are
not
designated
as
a
proxy
signer
cannot
create
a
valid
proxy
signature.
4.
Strong
identifiability:
Anyone
can
determine
the
identity
of
the
corresponding
proxy
signer
from
the
proxy
signature.
5.
Strong
non-deniability:
Once
a
proxy
signer
creates
a
valid
proxy
signature
of
an
original
signer,
he/she
cannot
repudiate
the
signature
creation.
0-7803-9521-2/06/$20.00
§2006
IEEE.
3304
6.
Prevention
of
misuse:
The
proxy
signer
cannot
use
the
proxy
key
for
other
purposes
than
generating
a
valid
proxy
signature.
That
is,
he/she
cannot
sign
messages
that
have
not
been
authorized
by
the
original
signer.
This
paper
is
organized
as
follows:
the
bilinear
pairing
is
introduced
in
section
2,
Xu-Zhang-Feng's
identity-based
proxy
signature
scheme
is
reviewed
in
section
3,
our
new
scheme
is
proposed
in
section
4
and
the
efficiency
and
security
analysis
is
given
in
section
5
;finally
we
draw
the
conclusion.
2.
Preliminaries
In
this
section,
we
briefly
review
some
preliminaries
that
will
be used
throughout
this
paper.
2.1.
Bilinear
Pairings
Let
G1
be
an
additive
cyclic
group
of
prime
order
q,
generated
by
P;
and
G2
be
a
multiplicative
cyclic
group
of
the
same
order.
As
mentioned
in
[2]
G1
can
be
considered
as
a
subgroup
of
points
on
an
elliptic
curve
or
hyper
elliptic
curve
over
a
finite
field.
A
bilinear
pairing
is
a
map
e:
G1
x
G1
-*
G2
with
the
following
properties:
1)
Bilinear:
for
all
P,Q
C
G1
and
a,b
C
Zq
e(aP,
bQ)
=
e(bP,
aQ)
=
e(P,
Q)ab
2)
Non-degenerate:
there
exist
a
Q
E
G1
such
that
e(Q,
Q)
1.
3)
Computable
given
P,
Q
c
G1
there
is
an
efficient
algorithm
to
compute
e(P,
Q)
in
polynomial
time.
Such
bilinear
pairing
has
been
successfully
realized
on
certain
elliptic
curves,
such
as
the
modified
Weil
pairing
and
Tate
pairing
[2].
2.2.
Complexity
assumptions
Let
G1
be
an
additive
cyclic
group
generated
by
P
with
the
prime
order
q.
Assume
that
the
inversion
and
multiplication
in
G1
can
be
computed
efficiently.
Following
problems
are
introduced
in
G1.
We
mean
a
ER
G,
to
choose
an
element
in
group
G
at
random.
1)
Discrete
Logarithm
Problem
(DLP):
given
two
elements
P,
Q
GC1,
find
an
integer
n
c
Zq
such
that
Q
=
nP
whenever
such
an
integer
exists.
2)
Computational
Diffie-Hellman
Problem
(CDHP):
given
P,
aP,
bP
for
some
a,
b
CR
Zq
,
compute
abP.
3)
Decisional
Diffie-Hellman
Problem
(DDHP):
given
P,
aP,
bP,
cP
for
a,
b,
c
EZq
decide
whether
4)
Bilinear
Pairing
Inversion
Problem
(BPIP):
given
P
E
G1
and
e(P,
Q)
E
G2,
find
Q
E
G1.
As
specified
in
[2],
the
decisional
diffie-hellman
problem
in
G1
should
be
easy.
The
DDHP
in
G2,
the
CDHP
and
DLP
in
both
G1
and
G2
should
be
hard.
Also
the
BPIP
should
be
hard.
The
group
G1
with
these
conditions
is
called
a
Gap
Diffie-Hellman
(GDH)
group.
3.
Review
of
Xu-Zhang-Feng's
proxy
signature
scheme
The
scheme
uses
SOK-IBSI
as
its
identity-based
plain
signature
[4].
The
scheme
consists
of
following
algorithms:
Setup:
Assume
k
is
the
security
parameter
of
the
system.
Let
G1
be
a
GDH
group
of
prime
order
q
>
2k
generated
by
P,
G2
be
a
multiplicative
cyclic
group
of
the
same
order,
and
e:
G1
x
G1
->
G2
be
a
bilinear
map.
Private
Key
Generator
(PKG)
picks
a
random
master
key
S
CR
Zq
and
sets
P,,b
=
sP.
Then
he
chooses
hash
functions
H1,H2,H3:{O,1}
*
-G1,
and
hash
function
H4:
{O,
1}
X
Zq
Then
he
publishes
parameters
of
the
system:
params
{q,
G1,
G2,
e,
P,
H1,
H2,
H3,
H4,
POub
}
Key
Extract:
given
a
user's
identity
ID,
PKG
computes
QID
H1
(ID)
E
G1
and
the
associated
private
key
SID
=
SQID
C
G1.
Sign
:
given
the
private
key
Sd
of
original
designator
(signer)
IDd,
in
order
to
sign
the
message
m,
:
1.
Randomly
pick
rd
CR
Zq
and
compute
Ud
rdP
C
G1
and
then
put
Hd
H2
(IDd,
mw,
Ud)
C
G
2.
Compute
Vd
=
SIDd
+
rdHd
C
G1.
The
signature
on
mw
is
the
warrant
w
=<
Ud,
Vd
>.
Verify
:
to
verify
a
signature
W
=<
Ud,
Vd
>
on
a
message
mw
for
the
identity
IDd,
the
verifier
computes
QIDd
=
H1
(IDd)
and
Hd
=
H2
(IDd,
mw,
Ud)
firstly.
He
then
accepts
the
signature
if
and
only
if
e(P,
Vd
)
=
e(PoUb'
QIDd
)e(Ud,
Hd)
-
Proxy
designation
:
in
order
to
designate
user
IDP
as
a
proxy
signer,
the
original
signer
sends
user
IDP
a
message
mw
and
corresponding
warrant
w.
The
user
ID,
verifies
this
signature
w
and
if
it
is
valid
he
computes
a
proxy
signing
key
as
skp
=
H4
(IDd,
IDP,
mW,
UW)SIDP
+
Vd
c=
abmodq.
1
Sakai-Ogishi-Kasahara
Identity
Based
Signature
0-7803-9521-2/06/$20.00
§2006
IEEE.
3305
Proxy
signing:
given
proxy
signing
key
skp,
proxy
signer
signs
a
message
m
on
behalf
of
user
IDd
as
follows:
1.
Randomly
picks
r.
E
Zq
and
computes
Up
=
rpP
E
G1
and
then
puts
Hp
=
H2(IDP,
m,
Up)
2.
Computes
VP
=
skp
+
reHP
E
GI
.
The
proxy
signature
on
message
m
on
behalf
of
user
IDd
produced
by
user
IDP
is
psig
=
(mw,
IDP,
Ud,
Up,
V
Proxy
verifi'cation
:
QIDd
=HI
(IDd)
E
G1
The
verifier
first
takes
QIDP
=HI(IDP)
C1
,
Hd
=
H2(IDd,mw,Ud)
and
H,
=
H2(IDp,m,Up)
He
then
accepts
the
signature
if
e(P,
V
)
e(P
Q
)H4
(IDd
,IDP
,m,
Ud)
x
e(P,,b,
QID)
xe(Up,
Hp
)
x
e(Ud,
Hd)
4.
Review
of
Hess's
signature
scheme
This
scheme
consists
of
four
algorithms,
setup,
key
extract,
sign
and
verify.
Setup
and
key
extract
algorithms
are
the
same
as
Xu
et
al's
except
that
instead
of
hash
functions
H2,H3
and
H4
we
define
H:{O,1}*
X
Zq*.
The
two
latter
algorithms
are
defined
as
follows.
Sign:
a
user
with
identity
ID
and
public/private
key
pair
QID
I
SID
signs
a
message
m
in
the
following
steps:
1.
Randomly
pick
k
eR
Zq*
and
compute
r
=
e(P,
p)k
c
=
H(m,
r).
2.
Computes
U
=
CSID
+
kP
.
The
signature
on
m
will
be
<
c,
U
>
.
Verify:
to
verify
a
signature
<
c,U
>
on
a
message
m
for
the
identity
ID,
the
verifier
1.
Firstly
computes
QID
=
H1
(ID)
and
r'
=
e(U,
P)e(QID,
Ppub)
which
if
the
signature
is
valid,
should
be
equal
to
r
.
2.
He
then
accepts
the
signature
if
and
only
if
c
=
H(m,
r').
The
signature
and
verification
algorithms
are
consistent,
because
from
bilinearity
of
the
pairing
map
e
we
have:
r'
e(U,
P)e(QID,
PUb)
c
=
e(cSID
+
kP,
P)e(-CSQID,
P)
=
e(cSID
+
kP-
cSID,
P)
e(kP,
P)
=
e(P,
p)k
=r
5.
Our
proposed
scheme
Although
Xu
et
al's
identity-based
proxy
signature
provides
all
the
security
requirements
defined
in
section
1,
but
from
efficiency
viewpoint
it
doesn't
have
any
basic
difference
with
the
most
natural
proxy
signature
scheme
which
follows:
"the
designator
arranges
a
warrant
consist
of
proxy's
name
and
conditions
of
the
proxy
and
signs
this
warrant.
Whenever
the
proxy
signer
wants
to
sign
a
message
on
behalf
of
the
designator,
attach
the
signed
warrant
to
his
signed
message
and
sends
them
to
the
verifier.
The
verifier
first
verifies
the
signature
of
the
designator
on
the
warrant
and
then
if
it
is
valid,
verifies
the
signature
on
message
m
with
the
proxy's
public
key
whose
identity
is
mentioned
in
the
warrant."
In
this
scenario
and
using
SOK-IBS
whose
verification
needs
one
hash
evaluation
and
three
pairing
evaluation,
we
will
need
2
hash
and
6
pairing
evaluation.
While
verification
in
Xu
et
al's
proxy
signature
scheme
preserves
only
one
pairing
evaluation
and
still
needs
2
hash
and
5
pairing
evaluations.
The
only
difference
between
this
scenario
and
Xu
et
al's
proxy
signature
is
that
in
the
latter,
proxy
signing
key
is
different
from
proxy's
private
key.
We
propose
a
more
efficient
proxy
signature
scheme
based
on
Hess's
signature
scheme.
In
Our
ID-based
proxy
signature
original
signer
uses
Hess's
signature
scheme
to
sign
the
warrant
for
the
proxy.
Having
verified
the
signed
warrant,
proxy
signer
uses
one
of
its
part
and
his
private
key
to
form
the
proxy
key.
Then
he
uses
proxy
key
in
a
mathematically
attractive
way
to
sign
a
message
on
behalf
of
the
original
signer.
Verifier
can
verify
the
signature
just
by
two
pairing
evaluation,
two
elliptic
curve
point
multiplication,
one
hash
computing
and
two
point
addition.
The
complete
description
of
the
scheme
is
given
as
a
set
of
sequential
algorithms:
Setup:
Let
G1
be
a
GDH
group
of
prime
order
q
generated
by
P,
G2
be
a
multiplicative
cyclic
group
of
the
same
order,
and
e:
G1
x
G1
-
G2
be
a
bilinear
map.
PKG
picks
a
random
master
key
s
eR
Zq*
and
sets
Ppub
=sP.
Then
he
chooses
hash
functions
HI:{0,1}
-*G1,
and
hash
function
H:{O,1}*
1
Zq
.
Then
he
publishes
parameters
of
the
system:
params
=
{q,GI,G2,e,P,HI,H2,H3,H4,
pub}
Key
Extract:
given
a
user's
identity
ID,
PKG
computes
QID=
H1
(ID)
E
G1
and
the
associated
private
key
SID=
SQID
E
G1.
Sign
:
given
the
private
key
Sd
of
original
signer
IDd,
in
order
to
sign
the
message
mw
He
uses
Hess's
signature:
1.
Randomly
picks
kd
eR
Zq
and
computes
rd
=
e(P,P)kd
and
Cd
=
H(mw,rd)
.
2.
Computes
Ud
=
CdSd
+
kdP
E
G.
The
signature
on
mw
is
the
warrant
w
=<
Cd,
Ud
>
.
0-7803-9521-2/06/$20.00
§2006
IEEE.
3306
Verify:
to
verify
a
signature
<
Cd,
Ud
>
on
a
message
mw
for
the
identity
IDd,
the
verifier
1.
Firstly
computes
QIDd
=
HI
(IDd)
and
r
=
e(U,
P)e(QID,
PPUb)
2.
He
then
accepts
the
signature
if
and
only
if
Cd
=
H(mw,r').
Proxy
designation
:
in
order
to
designate
user
IDP
as
a
proxy
signer,
the
original
signer
sends
user
IDP
a
message
mw
and
corresponding
warrant
w.
The
user
IDP
verifies
this
signature
w
and
if
it
is
valid
he
computes
a
proxy
signing
key
using
his
private
key
SP
and
the
first
element
of
the
warrant:
skp
=CdSp
(1)
Proxy
signing:
given
proxy
signing
key
skp,
proxy
signer
signs
a
message
m
on
behalf
of
user
IDd
as
follows:
1.
Randomly
picks
kp
E
Zq
and
computes
r.
e(P,
P)
kPand
then
puts
cp
H(m,
rrd)
2.
Computes
Up
=
cP.skp
+
kpP.
The
proxy
signature
on
message
m
on
behalf
of
user
IDd
produced
by
user
IDP
is
announced
as:
psig
=
(mw,
IDP,
IDd,
Ud,
Up,
cp,
Cd)
(2)
Proxy
verifi'cation:
The
verifier
first
takes
QIDd
=
H1
(IDd
)
E
GI
,
QIDP
=
H1
(IDP)
E
G1
,
and
then
by
calculating
two
pairing
operation
can
obtain:
r
=
e(Up
+Ud,P)e(Qd
+cpQp,Ppub)
Cd
(3)
He
then
accepts
the
signature
as
a
valid
proxy
signature
from
user
IDP
on
behalf
of
user
IDd
if
and
only
if
equation
(4)
is
hold.
cp
=
H
(m,
r')
(4)
5.1.
Correctness
The
signature
and
verification
algorithms
are
consistent,
because
from
bilinearity
of
the
pairing
map
e
we
have:
r'=
e(UP+Ud,P)e(Qd+cpQp,PpUb)
Cd
=
e(cp
.skp
+
kpP
+
CdSd
+
kdP,
P)e(Sd
+
cpdp,
P)
Cd
=
e(cp
.cd
Sp
+
kpP
+
Cd
Sd
+
kP,
P)e(-Cd
Sd
Cd
CpSp,
P)
=
e(kpP
+
kd
P,
P)e(O,
P)
=
e(P,
P)kd
+kp1
(5)
=
rd
.rp
6.
Security
and
Efficiency
analysis
The
identity
based
proxy
signature
we
proposed
is
more
efficient
than
Xu
et
al's
scheme,
especially
in
proxy
verification
p
phase.
We
can
divide
a
proxy
signature
into
four
phases:
"phase
(1),
signing
the
proxy
and
issuing
the
warrant",
"phase
(2)
warrant
verification
and
proxy
signing
key
generation",
"phase
(3)
proxy
signature
generation"
and
"phase
(4)
final
verification".
Table
(1)
gives
a
complete
comparison
between
our
proxy
signature
scheme
and
Xu
et
al's
one
in
their
four
phases.
Table
(1):
Efficiency
comparison
scheme
Xu
et
al's
Proposed
phase
(1)
2M
+H+Ac
3M
+H
+
AG
+e
phase
(2)
3P
+
2P
+
2MG0
+2H+Ac
+H+e
phase
(3)
2MG0
+
H
+
AG1
3MG1
+
H
+
Ac1
+
e
phase
(4)
5P+MG0
2P
+
2MG1
+
H
+2H+e
+2Ac
+e
In
this
table
MG,
and
AG1
mean
scalar
multiplication
and
Addition
in
group
G1
respectively
,
H
is
a
hash
function
evaluation
whose
output
is
an
elliptic
curve
point,
P
is
a
pairing
operation
which
is
the
most
time-
consuming
operation
and
e
is
exponentiation
in
Zq
Other
computation
costs
are
negligible.
Notice
that
it
is
unnecessary
to
do
a
pairing
operation
to
compute
r.
or
rd
each
time
we
generate
a
signature,
because
e(P,P)
can
be
recomputed
and
then
with
an
exponentiation
in
G2,
r.
or
rd
is
computed.
Xu
et
al
propose
a
security
proof
for
their
scheme.
Their
proof
has
been
done
under
the
random
oracle
model
(The
random
oracle
model
means
that
underlying
hash
functions
used
in
the
scheme
are
assumed
to
be
ideal
random
functions
[
1])
and
we
now
that
security
in
this
model
can
not
be
a
good
support
for
the
whole
security
of
the
scheme
[12].
Security
requirements
mentioned
in
section
1,
distinguish
ability,
verifiability,
strong
identifiably,
strong
non-deniability
and
prevention
of
misuse
are
achieved
in
our
scheme
obviously.
We
show
that
our
scheme
provides
"strong
non-forgeability"
property
too.
6.1.
Achievement
of
strong
non-forgeability
It
is
obvious
that
the
original
signer
has
more
facilities
than
the
other
users
to
forge
a
proxy
signature
from
his
proxy
signer.
We
shoe
that
even
the
original
signer
can
not
forge
a
proxy's
proxy
signature.
Suppose
the
designator
wants
to
forge
a
proxy
signature
on
a
message
m.
The
only
secrets
he
doesn't
know
is
the
private
key
of
the
proxy,
Sp
and
proxy
signing
key
skp
.
He
picks
a
random
k
E
Zq
*
and
computes
r.
and
CP
afterwards.
Now
he
must
find
a
Up
such
that
rP.rd
0-7803-9521-2/06/$20.00
§2006
IEEE.
3307
is
equal
to
r'
from
equation
(3).
To
find
such
a
U.
he
should
solve
the
equation
e(Up,
P)
=
a
for
Up,
in
which
a
=
e(Ud,
P)
'e(Qd
+
cpQp,
Ppub
)Cd
.rPrd
Which
is
a
BPIP.
So
assuming
BPIP
is
a
NP-complete
problem,
our
identity
based
proxy
signature
scheme
is
strongly
nonforgabe
even
for
the
designator
signer.
7.
Conclusion
In
this
paper,
we
proposed
a
new
identity-based
proxy
signature
scheme
that
is
based
on
Hess's
ID-based
signature
scheme
and
has
more
efficiency
than
Xu
et
al's
scheme.
Our
scheme
provides
all
the
six
security
requirements
of
a
proxy
signature.
[10]
B.
Lee,
H.
Kim
and
K.
Kim,
Secure
mobile
agent
using
strong
non-designated
proxy
signature,
Proc.
of
ACISP2001,
LNCS
2119,
pp.474-486,
Springer
Verlag,
2001.
[11]
M.
Bellare
and
P.
Rogaway,
Random
Oracles
are
Practical:
A
Paradigm
for
Designing
E
cient
Protocols,
Proceedings of
the
First
ACM
Conference
on
Computer
and
Communications
Security
1993,
pages
62-73.
[12]
R.
Canetti,
0.
Goldreich
and
S.
Halevi,
The
Random
Oracle
AMethodology,
Revisited,
Proceedings
of
30th
Annual
ACM
Symposium
on
the
Theory
of
Computing,
pages
209-
218,
May
1998,
ACM
8.
References
[1]
A.
Shamir,
Identity-based
Cryptosystems
and
Signature
Schemes,
Proceedings
of
CRYPTO'84,
LNCS
196,
pages
47-
53,
Springer-Verlag,
1984.
[2]
D.
Boneh
and
M.
Franklin,
Identity-Based
Encryption
from
the
Weil
Pairing,
Proceedings
of
CRYPTO
2001,
LNCS
2139,
pages
213
{229,
Springer-Verlag,
2001.
[3]
M.
Mambo,
K.
Usuda
and
E.
Okamoto,
"Proxy
signatures
for
delegating
signing
operation,"
Proc.
3rd
ACM
Conference
on
Computer
and
Communications
Security,
ACM
Press,
pp.48-57,
1996.
[4]
R.
Sakai,
K.
Ohgishi,
M.
Kasahara,
Cryptosystems
based
on
pairing,
In
The
2000
Sympoium
on
Cryptography
and
Information
Security,
Okinawa,
Japan,
January
2000.
[5]
A.
Joux,
One
Round
Protocol
for
Tripartite
Diffie-Hellman,
Algorithmic
Number
Theory
Symposium
{
Proceedings
of
ANTS
2002,
LNCS
1838,
pages
385{394,
Springer-Verlag,
2000.
[6]
D.
Boneh,
B.
Lynn,
and
H.
Shacham,
Short
Signatures
from
the
Weil
Pairing,
Advances
in
Cryptology
-
Proceedings
of
ASIACRYPT
2001,
LNCS
2248,
pages
566-582,
Springer-
Verlag,
2001.
[7].
N.P.
Smart.
An
Identity
based
authenticated
Key
greement
protocol
based
on
the
Weil
Pairing.
Cryptology
ePrint
rchive,
Report
2001/
111,
2001.
http://eprint.iacr.org/.
[8]
F.
Hess,
Efficient
Identity
Based
Signature
Schemes
ased
on
Pairings,
Selected
Areas
in
Cryptography
{
Proceedings
of
SAC
2002,
LNCS
2595,
pages
310-324,
Springer-Verlag,
2002.
[9]
J.
Xu,
Z.
Zhang,
D.
Feng.
ID-Based
Proxy
Signature
Using
Bilinear
Pairings,
available
at
http://eprint.iacr.org/2004/206/
0-7803-9521-2/06/$20.00
§2006
IEEE.
3308