International Journal of Network Security, Vol.18, No.1, PP.90-98, Jan. 2016
Secure and Efficient Identity-based Proxy
Multi-signature Using Cubic Residues
Feng Wang1,2 , Chin-Chen Chang2,3 , Changlu Lin4 , and Shih-Chang Chang5
(Corresponding author: Chin-Chen Chang)
College of Mathematics and Physics, Fujian University of Technology1
Fuzhou, Fujian,350108, China
Department of Information Engineering and Computer Science, Feng Chia University2
100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan
(Email: alan3c@gmail.com)
Department of Computer Science and Information Engineering, Asia University3
Taichung 41354, Taiwan
School of Mathematics and Computer Science, Fujian Normal University4
Fuzhou, Fujian, 350117, China
Department of Computer Science and Information Engineering, National Chung Cheng University5
160 San-Hsing, Ming-Hsiung, Chiayi 621, Taiwan
(Received July 14, 2014; revised and accepted Jan. 16 & June 4, 2015)
Abstract
The term "proxy multi-signature" refers to the situation in which a proxy signer is authorized to sign a message on behalf of a group of original signers. Combining this notion with identity-based cryptography, we propose an efficient identity-based proxy multi-signature scheme using cubic residues without bilinear pairing. Our scheme is secure against existential forgery on adaptive chosen-message and identity attacks under the hardness of the integer factorization assumption. Compared with elliptic curves or bilinear pairing, the integer factorization assumption is more reliable and easier to use because it has been studied for 2500 years. Furthermore, our scheme is more efficient than previous schemes based on bilinear pairing.
Keywords: Cubic residues, identity-based signature, integer factorization, proxy multi-signature, random oracle model
1 Introduction
Shamir [15] introduced identity-based cryptography in 1984 in order to simplify the key-management procedure of traditional, certificate-based public-key infrastructures. Shamir's approach allows an entity's public key to be derived directly from her or his identity, such as an email address, and the entity's private key is generated by a trusted third party called the private key generator (PKG).

The notion of proxy signatures was proposed by Mambo et al. [10] in 1996. They divided the signers into two entities, i.e., the original signer and the proxy signer. The latter can sign a message on behalf of the former with a warrant the former delegated. Proxy signatures have many practical applications, such as distributed systems, grid computing, mobile agent applications, distributed shared object systems, global distribution networks, and mobile communications [2]. Since 1996, the proxy signature has received significant attention [7], and various extensions of the proxy signature have been proposed [1, 9, 11, 19, 22], one of which is the proxy multi-signature [9, 19, 22].

In 2000, Yi et al. proposed the proxy multi-signature [22], in which a designated proxy signer can generate a valid signature on behalf of a group of original signers. Proxy multi-signature can be used in the following scenario: a university wants to release a document in which several departments may be involved, for example, the Dean's Office, the Student Affairs Office, and the Human Resources Department. The document must be signed by all of the above entities or by a proxy signer delegated by those entities. Combined with identity-based cryptography, Li and Chen [9] proposed the notion of identity-based proxy multi-signature (IBPMS) and constructed a scheme using bilinear pairings in 2005. However, most existing IBPMS schemes are based on bilinear pairing [4, 9, 14, 20], which requires more computational cost than normal operations, such as modular exponentiations in finite fields. Therefore, there was a strong interest in determining how to construct a secure scheme without pairing. In 2011, Tiwari and Padhye [18] proposed a secure IBPMS scheme based on the elliptic curve discrete logarithm problem. Although they claimed that their scheme was more efficient and had a smaller key size than pairing-based schemes, the security of their method rests on the elliptic curve discrete logarithm problem assumption, which is only a few decades old [6].

In this paper, we propose a new identity-based proxy multi-signature (IBPMS) scheme using cubic residues without bilinear pairing. The security of our method is based on the integer factorization assumption, which is 2500 years old. We briefly introduce our contributions. First, our scheme is the first identity-based proxy multi-signature scheme using the cubic residues problem. Second, our scheme has been proven secure in the random oracle model under the hardness of the integer factorization problem assumption. Third, our scheme is more efficient than Cao and Cao's IBPMS scheme [4] based on bilinear pairing.

The rest of the paper is organized as follows. In Section 2, we introduce the cubic residues problem and the integer factorization problem assumption. In Section 3, we give the formal definition and security model of identity-based proxy multi-signature. In Section 4, we propose a new identity-based proxy multi-signature scheme using cubic residues. In Section 5, we give the formal security proof for the proposed scheme in the random oracle model. In Section 6, we compare the efficiency and performance of our scheme with Cao and Cao's IBPMS scheme. Finally, we present our conclusions in Section 7.
2 Preliminaries

In this section, we review cubic residues and the method of their construction given in [21], and the integer factorization problem assumption.

2.1 Cubic Residues

Definition 1. For a positive integer $n$, if there is some $x$ that satisfies $x^3 \equiv C \pmod n$, we say that $C$ is a cubic residue modulo $n$, and $x$ is called a cubic root of $C$ modulo $n$.

From [21], we have Lemma 1, Theorem 1, and Theorem 2.

Lemma 1. Let $p$ be a prime number, $3_p = \gcd(3, p-1)$, and $C \in Z_p^*$. Then $C$ is a cubic residue modulo $p$ if and only if $C^{(p-1)/3_p} \equiv 1 \pmod p$.

Obviously, if $p$ is a prime number and $p \equiv 2 \pmod 3$, then every $C \in Z_p^*$ is a cubic residue modulo $p$.

If $q$ is a prime number with $q \equiv 4$ or $7 \pmod 9$, then for every $h \in Z_q^*$ we can construct a cubic residue modulo $q$ as follows. Let $a$ be a non-cubic residue modulo $q$; we compute
$$\eta = [(q-1) \bmod 9]/3, \quad \lambda = (\eta \bmod 2) + 1, \quad \beta = (q-1)/3, \quad \xi \equiv a^{\eta\cdot\beta} \pmod q, \quad \tau \equiv h^{\lambda\cdot\beta} \pmod q,$$
and
$$b = \begin{cases} 0, & \text{if } \tau = 1, \\ 1, & \text{if } \tau = \xi, \\ 2, & \text{if } \tau = \xi^2; \end{cases}$$
then $C = a^b \cdot h$ is a cubic residue modulo $q$.

Theorem 1. Let $p, q$ be as mentioned above and $n = p \cdot q$. Then $C = a^b \cdot h$ is a cubic residue modulo $n$, and $s \equiv C^{[2^{\eta-1}(p-1)(q-1)-3]/9} \pmod n$ is a cubic root of $C^{-1}$.

Theorem 2. Let $n = p \cdot q$. If $s_1^3 \equiv s_2^3 \equiv C \pmod n$ and $s_1 \not\equiv s_2 \pmod n$, then $\gcd(s_1 - s_2, n)$ is a non-trivial divisor of $n$.

2.2 Integer Factorization Problem Assumption

The integer factorization problem assumption is one of the fundamental hardness assumptions; it has been studied extensively and used to construct cryptographic schemes. We analyze the security of our proposed scheme under this assumption. From [23], we have Definition 2 and Definition 3.

Definition 2. Given $n = p \cdot q$, where $p$ and $q$ are prime numbers that are not publicly known, the integer factorization problem is to output a prime number $p$ ($1 < p < n$) such that $p$ divides $n$.

Definition 3 (Integer factorization problem assumption). The integer factorization problem (IFP) is a $(t', \epsilon')$-hard assumption if there is no polynomial time algorithm running in time at most $t'$ that can solve the integer factorization problem with probability at least $\epsilon'$.

3 Formal Definition and Security Model

We give a formal definition and security model of the identity-based proxy multi-signature scheme based on the works of Cao and Cao [4], Singh and Verma [16], and Sun et al. [17].

3.1 Formal Definition of the Identity-based Proxy Multi-signature Scheme

In an identity-based proxy multi-signature scheme, there are two kinds of entities: a group of original signers and the proxy signer. We use $ID_i$, for $i = 1, 2, \cdots, n$, to denote the identity of original signer $i$, and $ID_{ps}$ to denote the identity of the proxy signer. From [4], we have Definition 4.

Definition 4. An identity-based proxy multi-signature scheme (IBPMS) is a tuple of seven algorithms IBPMS = (Setup, Extract, DelGen, DelVeri, PMKGen, PMSign, PMVeri).
Setup. PKG takes a security parameter as input, and outputs the public parameter $PP$ and its master key $MK$.

Extract. PKG takes its master key $MK$ and a user's identity $ID_i$ as inputs, and outputs the user's public key and secret key pair $(H_{ID_i}, s_{ID_i})$.

DelGen. For $i = 1, 2, \cdots, n$, the original signer $i$ takes her or his secret key $s_{ID_i}$ and a warrant $w$ as inputs, and outputs her or his delegation $D_{i \to ps}$ to the proxy signer.

DelVeri. For $i = 1, 2, \cdots, n$, the proxy signer takes the delegation $D_{i \to ps}$ from the original signer $i$ and her or his identity $ID_i$ as inputs, and verifies whether or not the delegation is valid.

PMKGen. The proxy signer takes her or his secret key $s_{ID_{ps}}$ and the delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$, as inputs, and generates her or his private signing key $sk_{ps}$.

PMSign. The proxy signer takes her or his signing key $sk_{ps}$, a message $m$, and the delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$, as inputs, and generates the proxy multi-signature $\sigma$ of the message $m$.

PMVeri. The verifier takes the proxy multi-signature $\sigma$, the original signers' identities $ID_i$, $i = 1, 2, \cdots, n$, and the proxy signer's identity $ID_{ps}$ as inputs, and verifies whether or not the proxy multi-signature is valid.

3.2 Security Model

Compared with Cao and Cao's method [4] and Sun et al.'s method [17], we use the security model of the proxy multi-signature described in [17], and we extend Sun et al.'s model to the identity-based proxy multi-signature in order to prove the security of our scheme. The adversaries in their model can be classified into three types as follows:

Type 1. The adversary $A_1$ knows nothing except the identities of the original signers and the proxy signer.

Type 2. The adversary $A_2$ knows the secret keys of $n-1$ original signers and of the proxy signer, in addition to what $A_1$ knows in Type 1.

Type 3. The adversary $A_3$ knows the secret keys of all of the original signers in addition to what $A_1$ knows in Type 1, but does not know the secret key of the proxy signer.

Obviously, if a Type 1 adversary can forge a valid signature of the scheme, then a Type 2 or Type 3 adversary can also forge a valid signature. So, we only consider the Type 2 and Type 3 adversaries in this paper.

With regard to the Type 2 adversary $A_2$, we can assume that she or he has all of the secret keys of the $n-1$ original signers, except for signer $n$. If she or he has a valid delegation $D_{n \to ps}$, she or he can output a valid proxy multi-signature herself or himself with the secret keys of the other original signers and the proxy signer. So, the objective of the Type 2 adversary is to output a valid delegation $D_{n \to ps}$.

With regard to the Type 3 adversary $A_3$, since she or he has all of the secret keys of the original signers, she or he can output valid delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$, herself or himself. So, the objective of the Type 3 adversary is to output a valid proxy multi-signature under the delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$.

Let an adversary $A_t$ ($t = 2$ or $3$) be a probabilistic Turing machine; $A_t$ takes the public parameter $PP$ and a random tape as inputs and performs an experiment with the algorithm $B$. Inspired by [17], we define the following two definitions.

Definition 5. For an identity-based proxy multi-signature scheme, we define an experiment of the adversary $A_t$ ($t = 2$ or $3$) with the security parameter $\lambda$ as follows:

Step 1. Algorithm $B$ runs the Setup algorithm and returns the public parameter $PP$ to the adversary $A_t$.

Step 2. $B$ maintains several lists, e.g., $E_{list}$, $D_{list}$, $S_{list}$, and initializes them as null.

Step 3. When the adversary $A_t$ makes adaptive queries to the algorithm $B$, $B$ maintains several oracles and answers as follows:

• Extract oracle: The oracle takes a user's identity $ID_i$ as input, returns her or his private key $s_{ID_i}$, and puts the tuple $(ID_i, s_{ID_i})$ into $E_{list}$.

• DelGen oracle: The oracle takes the original signer's identity $ID_i$ and the warrant $w$ as inputs, returns the delegation $D_{i \to ps}$, and puts the tuple $(ID_i, w, D_{i \to ps})$ into $D_{list}$.

• PMSign oracle: The oracle takes the message $m$ and the delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$, as inputs, returns a proxy multi-signature $\sigma$ signed by the proxy signer, and puts the tuple $(m, w, \sigma)$ into $S_{list}$.

Step 4. Eventually, $A_t$ outputs a forgery.

• If $t = 2$, then it is the Type 2 adversary $A_2$. The forgery is a tuple $(ID_n, w, D_{n \to ps})$ such that $(ID_n, w, D_{n \to ps})$ is a valid delegation of $ID_n$ with warrant $w$, $ID_n \notin E_{list}$, and $(ID_n, w) \notin D_{list}$.

• If $t = 3$, then it is the Type 3 adversary $A_3$. The forgery is a tuple $(m, w, \sigma)$ such that $(m, w, \sigma)$ is a valid proxy multi-signature, $ID_{ps} \notin E_{list}$, and $(w, m) \notin S_{list}$.

If the output satisfies one of the above two items, $A_t$'s attack was successful.

Definition 6. For any polynomial adversary $A_t$ ($t = 2$ or $3$), if the probability of $A_t$'s success in the above experiment is negligible, then the identity-based proxy multi-signature scheme is said to be secure against existential forgery on adaptive chosen-message and identity attacks.

4 Our Proposed IBPMS Scheme

In this section, we describe a new identity-based proxy multi-signature scheme. Our scheme extends the identity-based signature scheme [21] based on cubic residues. The proposed scheme includes the following seven algorithms:
Setup. Given the security parameters $k$ and $l$, PKG carries out the algorithm and returns the public parameter $PP$ and master key $MK$ as follows:

1) Randomly generates two $k$-bit prime numbers $p$ and $q$ satisfying $p \equiv 2 \pmod 3$ and $q \equiv 4$ or $7 \pmod 9$, respectively; then computes $n = p \cdot q$.

2) Computes $d = [2^{\eta-1}(p-1)(q-1) - 3]/9$, $\eta = [(q-1) \bmod 9]/3$, $\lambda = (\eta \bmod 2) + 1$, $\beta = (q-1)/3$.

3) Randomly selects a non-cubic residue $a$ modulo $q$ and computes $\xi \equiv a^{\eta \cdot \beta} \pmod q$.

4) Selects four hash functions $H_1: \{0,1\}^* \to Z_n^*$ and $H_2, H_3, H_4: \{0,1\}^* \to \{0,1\}^l$.

PKG publishes $(n, a, \eta, \lambda, H_1, H_2, H_3, H_4)$ as the public parameter $PP$ and keeps $(p, q, d, \beta)$ secret as the master key $MK$.

Extract. Given the public parameter $PP$, the master key $MK$, and the identity $ID_i$ of user $i$, for $i = 1, 2, \cdots, n$, PKG computes the corresponding secret key as follows:

1) Computes $\tau_i \equiv H_1(ID_i)^{\lambda \cdot \beta} \pmod q$.

2) Computes
$$b_i = \begin{cases} 0, & \text{if } \tau_i = 1, \\ 1, & \text{if } \tau_i = \xi, \\ 2, & \text{if } \tau_i = \xi^2, \end{cases}$$
and $C_i \equiv a^{b_i} \cdot H_1(ID_i) \pmod n$, $s_{ID_i} \equiv (C_i)^d \pmod n$.

PKG transmits the secret key $(s_{ID_i}, b_i)$, for $i = 1, 2, \cdots, n$, to user $i$ via a secure channel.

DelGen. Let $ID_i$, for $i = 1, 2, \cdots, n$, be the identity of the original signer $i$, and $ID_{ps}$ be the identity of the proxy signer. The original signer $i$, for $i = 1, 2, \cdots, n$, wants to delegate to the proxy signer under a warrant $w$ for message $m$, so she or he takes her or his secret key $(s_{ID_i}, b_i)$ and the warrant $w$ as inputs and outputs the delegation $D_{i \to ps}$. Then, the original signer $i$, for $i = 1, 2, \cdots, n$, continues as follows:

1) Randomly selects $r_i \in Z_n^*$, computes $R_i \equiv r_i^3 \pmod n$, and broadcasts $R_i$ to the other original signers.

2) Computes $R \equiv \prod_{i=1}^{n} R_i \pmod n$, $h_w = H_2(w, R)$, and $V_i \equiv r_i \cdot s_{ID_i}^{h_w} \pmod n$.

Each original signer $i$ sends her or his delegation $D_{i \to ps} = (ID_i, b_i, w, R_i, V_i)$ to the proxy signer.

DelVeri. To verify each delegation $D_{i \to ps}$ with warrant $w$, the proxy signer computes $R \equiv \prod_{i=1}^{n} R_i \pmod n$, $h_w = H_2(w, R)$, $C_i \equiv a^{b_i} \cdot H_1(ID_i) \pmod n$, and checks
$$V_i^3 \cdot C_i^{h_w} \equiv R_i \pmod n$$
for $i = 1, 2, \cdots, n$. If the equation holds, she or he accepts $D_{i \to ps}$ as a valid delegation; otherwise, it is rejected.

PMKGen. If the proxy signer accepts all delegations $D_{i \to ps}$, for $i = 1, 2, \cdots, n$, she or he computes $h_{ps} = H_3(ID_{ps}, w, R)$, $V \equiv \prod_{i=1}^{n} V_i \pmod n$, $sk_{ps} \equiv s_{ID_{ps}}^{h_{ps}} \cdot V \pmod n$, and takes $sk_{ps}$ as her or his private signing key.

PMSign. The proxy signer takes $sk_{ps}$ as input and randomly selects $r_{ps} \in Z_n^*$, computes $R_{ps} \equiv r_{ps}^3 \pmod n$, $h_m = H_4(ID_{ps}, w, m, R_{ps})$, $V_{ps} \equiv r_{ps} \cdot sk_{ps}^{h_m} \pmod n$. The tuple $(ID_1, ID_2, \cdots, ID_n, ID_{ps}, b_1, b_2, \cdots, b_n, b_{ps}, m, w, R, R_{ps}, V_{ps})$ is the proxy signature of message $m$ on behalf of all original signers $i$, for $i = 1, 2, \cdots, n$.

PMVeri. In order to verify the proxy multi-signature $(ID_1, ID_2, \cdots, ID_n, ID_{ps}, b_1, b_2, \cdots, b_n, b_{ps}, m, w, R, R_{ps}, V_{ps})$ of message $m$ under warrant $w$, the verifier computes $h_{ps} = H_3(ID_{ps}, w, R)$, $h_w = H_2(w, R)$, $h_m = H_4(ID_{ps}, w, m, R_{ps})$, $C \equiv \prod_{i=1}^{n} (a^{b_i} \cdot H_1(ID_i)) \pmod n$, $C_{ps} \equiv a^{b_{ps}} \cdot H_1(ID_{ps}) \pmod n$, and then checks
$$V_{ps}^3 \cdot C_{ps}^{h_{ps} \cdot h_m} \cdot C^{h_w \cdot h_m} \equiv R_{ps} \cdot R^{h_m} \pmod n;$$
if the equation holds, then she or he accepts it; otherwise, it is rejected.

Our scheme is correct because the following equation holds:
$$\begin{aligned}
& V_{ps}^3 \cdot C_{ps}^{h_{ps} \cdot h_m} \cdot C^{h_w \cdot h_m} \\
&\equiv (r_{ps} \cdot sk_{ps}^{h_m})^3 \cdot C_{ps}^{h_{ps} \cdot h_m} \cdot C^{h_w \cdot h_m} \\
&\equiv \big(r_{ps} \cdot (s_{ID_{ps}}^{h_{ps}} \cdot V)^{h_m}\big)^3 \cdot C_{ps}^{h_{ps} \cdot h_m} \cdot C^{h_w \cdot h_m} \\
&\equiv \Big(r_{ps} \cdot \big(s_{ID_{ps}}^{h_{ps}} \cdot \prod_{i=1}^{n} r_i \cdot s_{ID_i}^{h_w}\big)^{h_m}\Big)^3 \cdot C_{ps}^{h_{ps} \cdot h_m} \cdot C^{h_w \cdot h_m} \\
&\equiv r_{ps}^3 \cdot \Big((s_{ID_{ps}}^3)^{h_{ps}} \cdot \prod_{i=1}^{n} r_i^3 \cdot \prod_{i=1}^{n} (s_{ID_i}^3)^{h_w}\Big)^{h_m} \cdot C_{ps}^{h_{ps} \cdot h_m} \cdot C^{h_w \cdot h_m} \\
&\equiv R_{ps} \cdot \Big(C_{ps}^{-h_{ps}} \cdot R \cdot \prod_{i=1}^{n} C_i^{-h_w}\Big)^{h_m} \cdot C_{ps}^{h_{ps} \cdot h_m} \cdot C^{h_w \cdot h_m} \\
&\equiv R_{ps} \cdot R^{h_m} \pmod n.
\end{aligned}$$
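The cubic-residue construction of Section 2 (Lemma 1, Theorems 1 and 2) and the seven algorithms of this section, as an added Python example that is not part of the paper: it implements Setup, Extract, DelGen, DelVeri, PMKGen, PMSign and PMVeri over a constructed toy modulus (p = 65537, q = 1000003, far too small for real use) with SHA-256-based stand-ins for H1 to H4, and ends with a Theorem 2 check in which the PKG, knowing p and q, manufactures a second cube root. The identities, warrant, message, the fixed values used for r_i and r_ps, and all function names are assumptions made for the example.

```python
import hashlib
from functools import reduce
from math import gcd

# Toy parameters, constructed for this example only (far too small for real use).
# Setup requires p ≡ 2 (mod 3) and q ≡ 4 or 7 (mod 9).
P, Q = 65537, 1000003            # 65537 ≡ 2 (mod 3); 1000003 ≡ 4 (mod 9)
N = P * Q
ETA = ((Q - 1) % 9) // 3         # η = [(q-1) mod 9]/3
LAM = ETA % 2 + 1                # λ = (η mod 2) + 1
BETA = (Q - 1) // 3              # β = (q-1)/3
D = (2 ** (ETA - 1) * (P - 1) * (Q - 1) - 3) // 9   # d, the master-key exponent of Theorem 1
A = next(a for a in range(2, Q) if pow(a, BETA, Q) != 1)   # a non-cubic residue mod q (Lemma 1)
XI = pow(A, ETA * BETA, Q)       # ξ ≡ a^{η·β} (mod q)
L = 16                           # output length l (bits) of H2, H3, H4

def h1(*parts):
    """H1: {0,1}* -> Z_n^*: SHA-256 reduced mod n, re-hashed with a counter until coprime to n."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(f"{parts}#{ctr}".encode()).digest(), "big") % N
        if x and gcd(x, N) == 1:
            return x
    raise RuntimeError("no unit found")

def hl(*parts):
    """H2, H3, H4: {0,1}* -> {0,1}^l, returned as an l-bit integer."""
    return int.from_bytes(hashlib.sha256(str(parts).encode()).digest(), "big") % (1 << L)

def prod(xs):
    return reduce(lambda x, y: x * y % N, xs, 1)

def extract(identity):
    """Extract: b makes C = a^b * H1(ID) a cubic residue; s_ID = C^d is then a cube root of C^-1."""
    h = h1(identity)
    tau = pow(h, LAM * BETA, Q)                        # τ ≡ H1(ID)^{λ·β} (mod q)
    b = {1: 0, XI: 1, pow(XI, 2, Q): 2}[tau]
    return pow(pow(A, b, N) * h % N, D, N), b          # (s_ID, b)

def delgen(signers, keys, w, rs):
    """DelGen for all original signers at once; rs[i] is signer i's random r_i in Z_n^*."""
    Rs = [pow(r, 3, N) for r in rs]                    # R_i ≡ r_i^3, broadcast to the other signers
    hw = hl(w, prod(Rs))                               # h_w = H2(w, R) with R ≡ ∏ R_i
    return [(ID, keys[ID][1], w, Ri, r * pow(keys[ID][0], hw, N) % N)   # (ID_i, b_i, w, R_i, V_i)
            for ID, Ri, r in zip(signers, Rs, rs)]

def delveri(delegs):
    """DelVeri: V_i^3 * C_i^{h_w} ≡ R_i (mod n) for every delegation, C_i = a^{b_i} * H1(ID_i)."""
    hw = hl(delegs[0][2], prod(d[3] for d in delegs))
    return all(pow(Vi, 3, N) * pow(pow(A, bi, N) * h1(ID) % N, hw, N) % N == Ri
               for ID, bi, w, Ri, Vi in delegs)

def pmkgen(ps_id, ps_key, delegs):
    """PMKGen: sk_ps ≡ s_ps^{h_ps} * ∏ V_i (mod n), h_ps = H3(ID_ps, w, R)."""
    hps = hl(ps_id, delegs[0][2], prod(d[3] for d in delegs))
    return pow(ps_key[0], hps, N) * prod(d[4] for d in delegs) % N

def pmsign(ps_id, ps_key, sk, delegs, m, rps):
    """PMSign: V_ps ≡ r_ps * sk_ps^{h_m}, h_m = H4(ID_ps, w, m, R_ps); returns the signature tuple."""
    w, R, Rps = delegs[0][2], prod(d[3] for d in delegs), pow(rps, 3, N)
    Vps = rps * pow(sk, hl(ps_id, w, m, Rps), N) % N
    return ([d[0] for d in delegs], ps_id, [d[1] for d in delegs], ps_key[1], m, w, R, Rps, Vps)

def pmveri(sig):
    """PMVeri: V_ps^3 * C_ps^{h_ps*h_m} * C^{h_w*h_m} ≡ R_ps * R^{h_m} (mod n)."""
    ids, ps_id, bs, bps, m, w, R, Rps, Vps = sig
    hps, hw, hm = hl(ps_id, w, R), hl(w, R), hl(ps_id, w, m, Rps)
    C = prod(pow(A, b, N) * h1(ID) % N for ID, b in zip(ids, bs))
    Cps = pow(A, bps, N) * h1(ps_id) % N
    lhs = pow(Vps, 3, N) * pow(Cps, hps * hm, N) * pow(C, hw * hm, N) % N
    return lhs == Rps * pow(R, hm, N) % N

def second_cube_root(s):
    """Theorem 2 setup: s*ω is another cube root of s^3, with ω ≡ 1 (mod p), ω ≡ ξ (mod q) built by CRT.
    This needs p and q, so only the PKG could do it; the reduction in Section 5 gets its second root from a forger."""
    omega = (1 + P * (((XI - 1) * pow(P, -1, Q)) % Q)) % N
    return s * omega % N

def factor_from_roots(s1, s2):
    """Theorem 2: gcd(s1 - s2, n) is a non-trivial divisor of n when s1^3 ≡ s2^3 and s1 ≠ s2."""
    return gcd((s1 - s2) % N, N)

def demo(m="release budget memo", w="warrant: sign memos on behalf of the departments"):
    """Three original signers delegate, the proxy signs, the verifier checks; a tampered message must fail."""
    signers = ["dean@univ.example", "students@univ.example", "hr@univ.example"]
    keys = {ID: extract(ID) for ID in signers}
    ps_id = "proxy@univ.example"
    ps_key = extract(ps_id)
    delegs = delgen(signers, keys, w, [12345, 67890, 424242])   # fixed r_i so the run is reproducible
    ok_deleg = delveri(delegs)
    sig = pmsign(ps_id, ps_key, pmkgen(ps_id, ps_key, delegs), delegs, m, 987654)
    tampered = sig[:4] + ("altered memo",) + sig[5:]
    return ok_deleg, pmveri(sig), pmveri(tampered)
```

The toy modulus keeps the run instantaneous; with real parameters the only changes are the two primes, a proper hash-to-$Z_n^*$ for $H_1$, and fresh random $r_i$, $r_{ps}$ per delegation and signature, since reusing them would leak the secret keys through the same algebra that the security proof exploits.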
5 Security Proof of Our Proposed Scheme

In this section, we give the security proof of our proposed scheme. We show that our scheme is secure against existential forgery under adaptive chosen-message and identity attacks in the random oracle model. We prove our scheme secure against Type 2 adversaries and Type 3 adversaries, respectively.

If a Type 2 adversary $A_2$ has the ability to break our scheme, we can construct a polynomial time algorithm $B$ that, by interacting with $A_2$, solves the integer factorization problem.

Theorem 3. Given a pair of security parameters $(k, l)$, if the integer factorization problem is $(t', \epsilon')$-hard, then our identity-based proxy multi-signature scheme is $(t, q_{H_2}, q_D, \epsilon_2)$-secure against existential forgery under adaptive chosen-message and identity attacks for the Type 2 adversary $A_2$, which satisfies:
$$\epsilon' \ge \frac{4}{9} \cdot \left( \frac{(\epsilon_2 - \delta_2)^2}{q_{H_2} + 1} - \frac{\epsilon_2 - \delta_2}{2^l} \right), \qquad t' = 2t + O(k^2 \cdot l + k^3),$$
where $q_{H_2}$ and $q_D$ denote the number of queries that $A_2$ can ask to the random oracle $H_2$ and the DelGen oracle, respectively, and $\delta_2 = \frac{q_D \cdot (q_{H_2} + q_D)}{3 \cdot 2^k}$.

Proof. Assuming that adversary $A_2$ breaks the proposed scheme, we construct an algorithm $B$ to solve the integer factorization problem. Given an integer $n = p \cdot q$ (for some unknown $p$ and $q$) and a non-cubic residue $a \pmod n$, we design an algorithm $B$ that outputs $p$ and $q$ with non-negligible probability.

Step 1. Algorithm $B$ sends $(n, a)$ to adversary $A_2$ as the public parameters.

Step 2. $B$ maintains several lists, i.e., $H_{1,list}$, $H_{2,list}$, $E_{list}$, and $D_{list}$, and initializes them as null.

Step 3. $B$ responds to $A_2$'s queries as follows:

• $H_1$-oracle: $A_2$ requests $H_1$ on $ID_i$, and $B$ checks whether $ID_i$ exists in $H_{1,list}$. If not, $B$ picks a random $s_i \in Z_n^*$ and $b_i \in \{0, 1, 2\}$, computes $h_{1,i} = H_1(ID_i) \equiv s_i^3 / a^{b_i} \pmod n$, and adds the tuple $(ID_i, h_{1,i}, s_i, b_i)$ into $H_{1,list}$; then, $B$ returns $h_{1,i}$ to $A_2$.

• $H_2$-oracle: $A_2$ requests $H_2$ on $(w, R)$, and $B$ checks whether $(w, R)$ exists in $H_{2,list}$. If not, $B$ picks a random $e \in \{0, 1\}^l$, adds the tuple $(w, R, e)$ into $H_{2,list}$, and then returns $e$ to $A_2$.

• Extract oracle: $A_2$ requests the Extract algorithm on $ID_i$, and $B$ checks whether $ID_i$ exists in $E_{list}$. If not, $B$ returns to the $H_1$-oracle and gets $(ID_i, h_{1,i}, s_i, b_i)$ from $H_{1,list}$; then, $B$ returns $(s_i, b_i)$ to $A_2$ and adds the tuple $(ID_i, s_i, b_i)$ into $E_{list}$.

• DelGen oracle: $A_2$ requests a delegation on $(ID_n, w)$. According to the assumption, $A_2$ has the secret keys of the original signers $i$, $i = 1, 2, \cdots, n-1$, by requesting the Extract oracle. For $i = 1, 2, \cdots, n-1$, $A_2$ randomly selects $r_i \in Z_n^*$, computes $R_i \equiv r_i^3 \pmod n$, and sends $R_i$, $i = 1, 2, \cdots, n-1$, to $B$. $B$ randomly selects $V_n, \tau \in \{0, 1\}^l$, computes $R_n \equiv V_n^3 \cdot (a^{b_n} \cdot H_1(ID_n))^{\tau} \pmod n$ and $R \equiv \prod_{i=1}^{n} R_i \pmod n$; if $R$ already exists in $H_{2,list}$, failure is returned; else $(ID_n, b_n, w, R_n, V_n)$ is returned as the original signer $n$'s delegation to $A_2$, and $\tau$ is also returned to help $A_2$ complete the delegations on $(ID_i, w)$ for $i = 1, 2, \cdots, n-1$. $B$ adds the tuple $(ID_n, b_n, w, R_n, V_n)$ into $D_{list}$ and adds $(w, R, \tau)$ into $H_{2,list}$.

Step 4. $A_2$ outputs a delegation forgery of warrant $w^*$ and $ID_n^*$ with $D^*_{n \to ps} = (ID_n^*, b_n^*, w^*, R_n^*, V_n^*)$, where $(ID_n^*, w^*)$ has not been requested on the DelGen oracle and $ID_n^*$ has not been requested on the Extract oracle.

Step 5. Finally, we show how $B$ solves the integer factorization problem with $A_2$'s delegation forgery.

We apply the oracle replay technique described in the Forking Lemma [12, 13] to factor $n$, i.e., $B$ resets $A_2$ two times. For the first time, $B$ records all the transcripts of the interaction with $A_2$. For the second time, $B$ starts with the first-time random tape and returns the same answers to $A_2$, except for the $H_2$-oracle. Each time $A_2$ asks the $H_2$-oracle, $B$ chooses a different random number, $e^*$ and $e^{**}$ respectively, as the answer.

After the two rounds of interaction with $B$, $A_2$ forges two delegations $(ID_n^*, b_n^*, w^*, R_n^*, V_n^*)$ and $(ID_n^*, b_n^*, w^*, R_n^*, V_n^{**})$ and, together with the delegations of the original signers $1, 2, \cdots, n-1$, sends them to $B$. Then, $B$ executes as follows:

• $B$ computes $R^* \equiv \prod_{i=1}^{n} R_i^* \pmod n$, returns to the previous records of the $H_{2,list}$ lists for $(w^*, R^*)$, obtains $e^*, e^{**}$, and checks whether or not $(e^* - e^{**}) \equiv 0 \pmod 3$; if so, then $B$ aborts.

• Else $B$ obtains $(V_n^*)^3 \cdot (C_n^*)^{e^*} \equiv R_n^*$ and $(V_n^{**})^3 \cdot (C_n^*)^{e^{**}} \equiv R_n^* \pmod n$, where $C_n^* \equiv a^{b_n^*} \cdot H_1(ID_n^*) \pmod n$.

• $B$ obtains $(V_n^* / V_n^{**})^3 \equiv (C_n^*)^{e^{**} - e^*} \pmod n$.

• If $(e^{**} - e^*) \equiv 1 \pmod 3$, there is some integer $x$ satisfying $(e^{**} - e^*) = 3x + 1$. So we obtain $(V_n^* / V_n^{**})^3 \equiv (C_n^*)^{3x+1} \pmod n$, and therefore
$$C_n^* \equiv \left( \frac{V_n^*}{V_n^{**} \cdot (C_n^*)^x} \right)^3 \pmod n.$$

• If $(e^{**} - e^*) \equiv 2 \pmod 3$, there is some integer $x$ satisfying $(e^{**} - e^*) = 3x - 1$. So we obtain $(V_n^* / V_n^{**})^3 \equiv (C_n^*)^{3x-1} \pmod n$, and therefore
$$C_n^* \equiv \left( \frac{V_n^{**} \cdot (C_n^*)^x}{V_n^*} \right)^3 \pmod n.$$

Then, if $(e^{**} - e^*) \not\equiv 0 \pmod 3$, $B$ obtains a cubic root of $C_n^*$. And $B$ can look up the list $H_{1,list}$ and obtain another cubic root of $C_n^*$. Then $B$ obtains two cubic roots of $C_n^*$. If the two cubic roots are not equal, $B$ can factor $n$ according to Theorem 2.

Since $e^*, e^{**}$ are picked randomly, the probability of $(e^{**} - e^*) \not\equiv 0 \pmod 3$ is $2/3$, and the probability that the two cubic roots of $C_n^*$ are unequal is $2/3$.

Next, we analyze the probability of $A_2$ successfully forging two valid delegations, similarly to [3].

Let $\epsilon_2^*$ denote the probability of $A_2$ forging a delegation in a single run, and $\epsilon_2$ denote the probability of $A_2$ forging a delegation in the real attack.

In $H_{2,list}$, all the records $(w, R, e)$ are filled by $H_2$-oracle queries and DelGen oracle queries. So there are, at most, $q_{H_2} + q_D$ different $R$'s. For every DelGen oracle query, $B$ randomly selects $V_n, \tau \in \{0, 1\}^l$ and computes $R_n = V_n^3 \cdot (a^{b_n} \cdot H_1(ID_n))^{\tau}$ and $R = \prod_{i=1}^{n} R_i$; therefore, $R$ can be considered as a random cubic residue modulo $n$. Obviously, the number of cubic residues modulo $n$ is $3 \cdot 2^k$. So the probability that $R$ is already in $H_{2,list}$ is, at most, $\frac{q_{H_2} + q_D}{3 \cdot 2^k}$. So the probability of $A_2$ forging a delegation in a single run is
$$\epsilon_2^* \ge \epsilon_2 - \frac{q_D \cdot (q_{H_2} + q_D)}{3 \cdot 2^k}.$$

Let $p_i$ denote the probability of forgery based on the $i$-th $H_2$-oracle query in a single run; then
$$\epsilon_2^* = \sum_{i=1}^{q_{H_2}+1} p_i.$$

Let $p_{i,s}$ denote the probability of forgery based on the $i$-th $H_2$-oracle query together with input $s$, where $s$ is a specific random tape input of length $m$. Then
$$2^m \cdot p_i = \sum_{s \in \{0,1\}^m} p_{i,s}.$$

For a specific random tape $s$, since two valid forgeries need different outputs of the $H_2$-oracle query, the probability of a twofold forgery based on the same $i$-th $H_2$-oracle query is $p_{i,s} \cdot (p_{i,s} - 2^{-l})$. Let $P_i$ denote the probability of a twofold forgery based on the same $i$-th $H_2$-oracle query in two runs; then
$$P_i = \sum_{s \in \{0,1\}^m} 2^{-m} \cdot p_{i,s} \cdot (p_{i,s} - 2^{-l}) \ge p_i^2 - 2^{-l} \cdot p_i.$$

So, the probability of a twofold forgery based on the same $H_2$-oracle query in two runs is $\sum_{i=1}^{q_{H_2}+1} P_i$. We have
$$\sum_{i=1}^{q_{H_2}+1} P_i \ge \sum_{i=1}^{q_{H_2}+1} p_i^2 - \sum_{i=1}^{q_{H_2}+1} 2^{-l} \cdot p_i \ge \frac{(\epsilon_2^*)^2}{q_{H_2} + 1} - \frac{\epsilon_2^*}{2^l} \ge \frac{\left( \epsilon_2 - \frac{q_D \cdot (q_{H_2} + q_D)}{3 \cdot 2^k} \right)^2}{q_{H_2} + 1} - \frac{\epsilon_2 - \frac{q_D \cdot (q_{H_2} + q_D)}{3 \cdot 2^k}}{2^l}.$$

Taking $(e^{**} - e^*) \not\equiv 0 \pmod 3$ and the difference of the two cubic roots of $C_n^*$ into account, the probability of factoring $n$ is
$$\epsilon' \ge \frac{4}{9} \sum_{i=1}^{q_{H_2}+1} P_i \ge \frac{4}{9} \cdot \left( \frac{(\epsilon_2 - \delta_2)^2}{q_{H_2} + 1} - \frac{\epsilon_2 - \delta_2}{2^l} \right),$$
where $\delta_2 = \frac{q_D \cdot (q_{H_2} + q_D)}{3 \cdot 2^k}$. So, the theorem is proved.

As to the running time, according to [3], $B$ has to run $A_2$ twice and perform some other operations to factor $n$. So $B$ should spend time $t' = 2t + O(k^2 \cdot l + k^3)$ to factor $n$.

Theorem 4. Given a security parameter $(k, l)$, if the integer factorization problem is $(t', \epsilon')$-hard, then our identity-based proxy multi-signature scheme is $(t, q_{H_4}, q_S, \epsilon_3)$-secure against existential forgery under adaptive chosen-message and identity attacks for the Type 3 adversary $A_3$, which satisfies:
$$\epsilon' \ge \frac{4}{9} \cdot \left( \frac{(\epsilon_3 - \delta_3)^2}{q_{H_4} + 1} - 2^{-l} \cdot (\epsilon_3 - \delta_3) \right), \qquad t' = 2t + O(k^2 \cdot l + k^3),$$
where $q_{H_4}$ and $q_S$ denote the number of queries that $A_3$ can ask to the random oracle $H_4$ and the PMSign oracle, respectively, and $\delta_3 = \frac{q_S \cdot (q_{H_4} + q_S)}{3 \cdot 2^k}$.

Proof. This proof is similar to that of Theorem 3. So, we just describe the main differences from Theorem 3 as follows:

Step 1. Algorithm $B$ does the same as Step 1 of Theorem 3.

Step 2. $B$ deletes the $D_{list}$ list and adds the $H_{3,list}$, $H_{4,list}$, $S_{list}$ lists, and initializes them as null.

Step 3. $B$ deletes the DelGen oracle and adds the $H_3$, $H_4$ and PMSign oracles accordingly.

• $H_3$-oracle: $A_3$ requests $H_3$ on $(ID_{ps}, w, R)$, and $B$ checks whether $(ID_{ps}, w, R)$ exists in $H_{3,list}$. If not, $B$ picks a random $\mu \in \{0, 1\}^l$ and adds the tuple $(ID_{ps}, w, R, \mu)$ into $H_{3,list}$; then $B$ returns $H_3(ID_{ps}, w, R) = \mu$ to $A_3$.

• $H_4$-oracle: $A_3$ requests $H_4$ on $(ID_{ps}, w, m, R_{ps})$, and $B$ checks whether $(ID_{ps}, w, m, R_{ps})$ exists in $H_{4,list}$. If not, $B$ picks a random $\eta \in \{0, 1\}^l$ and adds the tuple $(ID_{ps}, w, m, R_{ps}, \eta)$ into $H_{4,list}$; then, $B$ returns $H_4(ID_{ps}, w, m, R_{ps}) = \eta$ to $A_3$.

• PMSign oracle: $A_3$ requests the PMSign algorithm on $(w, m)$. $A_3$ randomly selects $r_i \in Z_n^*$, computes $R_i \equiv r_i^3 \pmod n$ and $R \equiv \prod_{i=1}^{n} R_i \pmod n$, requests the $H_2$-oracle, and obtains $H_2(w, R) = e$. Since $A_3$ knows all the secret keys of the original signers, $A_3$ can compute $V_i \equiv r_i \cdot s_{ID_i}^{e} \pmod n$ and obtain all the delegations $D_{i \to ps} = (ID_i, b_i, w, R_i, V_i)$, $i = 1, 2, \cdots, n$. $A_3$ sends $D_{i \to ps}$, $i = 1, 2, \cdots, n$, to $B$ to request the PMSign algorithm on $(w, m)$. $B$ computes $R \equiv \prod_{i=1}^{n} R_i \pmod n$ and obtains $H_3(ID_{ps}, w, R) = \mu$ by looking up the list $H_{3,list}$ of the $H_3$-oracle. $B$ picks random $V_{ps}, \varsigma \in \{0, 1\}^l$, and computes $C \equiv \prod_{i=1}^{n} (a^{b_i} \cdot h_{1,i}) \pmod n$, $C_{ps} \equiv a^{b_{ps}} \cdot h_{1,ps} \pmod n$, $V = \prod_{i=1}^{n} V_i$, and $R_{ps} \equiv V_{ps}^3 \cdot \big( (C_{ps})^{\mu} \cdot C^{e} / R \big)^{\varsigma} \pmod n$. If $R_{ps}$ already exists in $H_{4,list}$, $B$ returns failure; else $B$ returns $(ID_1, ID_2, \cdots, ID_n, ID_{ps}, b_1, b_2, \cdots, b_n, b_{ps}, m, w, R, R_{ps}, V_{ps})$ as the proxy multi-signature of $(w, m)$ to $A_3$. $B$ adds the tuple $(ID_1, ID_2, \cdots, ID_n, ID_{ps}, b_1, b_2, \cdots, b_n, b_{ps}, m, w, R, R_{ps}, V_{ps})$ into $S_{list}$, and adds $(ID_{ps}, w, m, R_{ps}, \varsigma)$ into $H_{4,list}$.

Step 4. $A_3$ outputs a proxy multi-signature forgery of $(w, m)$ with $\sigma^* = (ID_1^*, ID_2^*, \cdots, ID_n^*, ID_{ps}^*, b_1^*, b_2^*, \cdots, b_n^*, b_{ps}^*, m^*, w^*, R^*, R_{ps}^*, V_{ps}^*)$, where $ID_{ps}^*$ has not been requested on the Extract oracle and $(m^*, w^*)$ has not been requested on the PMSign oracle.

Step 5. Similarly to Theorem 3, $B$ resets $A_3$ twice with the same random tape and gives different random numbers once $A_3$ asks the $H_4$-oracle. Then $A_3$ can forge two proxy multi-signatures with the same value $R_{ps}$, and $B$ can solve the integer factorization problem with $A_3$'s proxy multi-signature forgeries.

As to the probability and running time, both of them are similar to Theorem 3.

Furthermore, by Theorems 3 and 4, we can conclude Theorem 5 easily.

Theorem 5. Given a security parameter $(k, l)$, if the factoring problem is $(t', \epsilon')$-hard, then our identity-based proxy multi-signature scheme is $(t, q_{H_2}, q_{H_4}, q_D, q_S, \epsilon)$-secure against existential forgery under adaptive chosen-message and identity attacks, which satisfies:
$$\epsilon' \ge \frac{4}{9} \cdot \left( \frac{(\epsilon - \delta)^2}{2 \cdot \max\{q_{H_2} + 1, q_{H_4} + 1\}} - 2^{-l} \cdot (\epsilon - \delta) \right), \qquad t' = 2t + O(k^2 \cdot l + k^3),$$
where $\epsilon = \epsilon_2 + \epsilon_3$ and $\delta = \delta_2 + \delta_3$.

We conclude that our scheme is secure against existential forgery under adaptive chosen-message and identity attacks under the integer factorization problem assumption.

6 Comparison and Performance

In this section, we compare our scheme with Cao and Cao's IBPMS scheme [4]. The two schemes are provably secure under different hardness assumptions in the random oracle model. We describe them in detail in Table 1.

Table 1: Comparison of security
Scheme          | Security Proof Method | Mathematics Tool  | Assumption*
Cao and Cao [4] | Random oracle         | Bilinear pairings | CDH
Our scheme      | Random oracle         | Cubic residues    | IFP
*CDH stands for the computational Diffie-Hellman assumption, and IFP stands for the integer factorization problem.

In order to simplify the complexity, we used the method of [5], which considers only a single original signer. Let $M_p$, $H_M$, $O_P$, $E_n$ denote one pairing-based scalar multiplication, map-to-point hash function, pairing operation, and modular exponentiation, respectively.

Table 2: Comparison with other schemes
Scheme          | Extract  | DelGen   | DelVeri  | PMKGen | PMSign   | PMVeri       | Total        | Total Time (ms)
Cao and Cao [4] | 1Mp+1HM  | 2Mp+1HM  | 2HM+3OP  | 1Mp    | 2Mp+1HM  | 1Mp+3HM+4OP  | 7Mp+8HM+7OP  | 209.26
Our scheme      | 1En      | 1En      | 1En      | 1En    | 1En      | 3En          | 8En          | 42.48

Table 3: Cryptographic running time (ms)
Modular Exponentiation              | 5.31
Pairing                             | 20.04
Pairing-based Scalar Multiplication | 6.38
Map-to-point Hash                   | 3.04
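The root-extraction step (Step 5) of the proof of Theorem 3 in Section 5, as an added Python example that is not part of the paper: it plays both $B$ and the forger over a constructed toy modulus (p = 65537, q = 1000003, far too small for real use), covers both residue cases of $(e^{**} - e^*)$ modulo 3 as well as the abort case, and then applies Theorem 2 to factor $n$. The values s_B, r, e1, e2 and the function names are assumptions made for the example; the forger's second cube root is manufactured here from the factorization (a non-trivial cube root of unity), which stands in for the forging power the adversary $A_2$ is assumed to have.

```python
from math import gcd

# Toy modulus, constructed for this example only (far too small for real use): p ≡ 2 (mod 3), q ≡ 4 (mod 9).
P, Q = 65537, 1000003
N = P * Q
BETA = (Q - 1) // 3

def cube_root_of_unity():
    """A non-trivial ω with ω^3 ≡ 1 (mod n): ω ≡ 1 (mod p), ω ≡ a^β (mod q) for a non-cubic a, glued by CRT.
    This needs p and q, so only our simulation of the forger uses it; B itself never has it."""
    xi = next(pow(a, BETA, Q) for a in range(2, Q) if pow(a, BETA, Q) != 1)
    return (1 + P * (((xi - 1) * pow(P, -1, Q)) % Q)) % N

def forge(s_A, r, e):
    """A delegation (R_n, V_n) with V_n^3 * C^e ≡ R_n (mod n), produced by a party holding a cube root
    s_A of C = s_A^3 (so s_A^{-1} plays the role of s_ID from Section 4)."""
    return pow(r, 3, N), r * pow(s_A, -e, N) % N

def extract_root(C, V1, e1, V2, e2):
    """B's Step 5: two forgeries with the same R_n and H2 answers e1, e2 give (V1/V2)^3 ≡ C^{e2-e1};
    unless e2 - e1 ≡ 0 (mod 3), that yields a cube root of C."""
    diff = e2 - e1
    if diff % 3 == 0:
        return None                                  # B aborts; probability 1/3 for random answers
    ratio = V1 * pow(V2, -1, N) % N
    if diff % 3 == 1:                                # e2 - e1 = 3x + 1
        x = (diff - 1) // 3
        return ratio * pow(C, -x, N) % N             # C ≡ (V1 / (V2 * C^x))^3
    x = (diff + 1) // 3                              # e2 - e1 = 3x - 1
    return pow(ratio, -1, N) * pow(C, x, N) % N      # C ≡ (V2 * C^x / V1)^3

def reduction_demo(s_B=1234567, r=98765, e1=51, e2=97):
    """B programmed H1 so that it knows one cube root s_B of C = C_n^*; the forger happens to hold another,
    s_B*ω. Replaying the forger with a second H2 answer recovers its root, and Theorem 2 gives a factor of n.
    Returns (extracted root cubes to C, root differs from B's root, gcd(root - s_B, n)), or None on abort."""
    C = pow(s_B, 3, N)
    s_A = s_B * cube_root_of_unity() % N
    R1, V1 = forge(s_A, r, e1)                       # first run: H2(w*, R*) answered with e1
    R2, V2 = forge(s_A, r, e2)                       # replay on the same random tape, answered with e2
    assert R1 == R2                                  # same r, hence the same R_n^* in both runs
    root = extract_root(C, V1, e1, V2, e2)
    if root is None:
        return None
    return pow(root, 3, N) == C, root != s_B, gcd((root - s_B) % N, N)
```

The forger's root is forced to differ from $B$'s here; in the proof that happens with probability $2/3$ because $B$'s choice of $s_i$ is hidden among the three cube roots, which together with the $2/3$ chance that $e^{**} - e^* \not\equiv 0 \pmod 3$ gives the factor $4/9$ in Theorem 3.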
In order to make our analysis clearer, we converted the total computation cost into running time in the last column of Table 2 according to Table 3, which is taken from reference [8].

According to Tables 1 and 2, our scheme's total running time decreased drastically compared with Cao and Cao's scheme [4]. The security of our scheme is based on the integer factorization problem assumption without bilinear pairing. We note that the integer factorization problem assumption is 2500 years old.

7 Conclusions

Identity-based proxy multi-signature has been studied for years, and several schemes have been proposed. However, most of the existing schemes are based on bilinear pairing or elliptic curves. In this paper, we propose an efficient identity-based proxy multi-signature scheme using cubic residues. The security of our scheme is based on the integer factorization problem assumption, which is more reliable and easier to use because it has been studied for 2500 years. Our scheme is proven secure against existential forgery under adaptive chosen-message and identity attacks. Furthermore, the efficiency of our scheme is higher than that of the existing schemes based on bilinear pairing, such as Cao and Cao's scheme.
Acknowledgments
The authors gratefully acknowledge the anonymous reviewers for their valuable comments.
References
[1] M. R. Asaar, M. Salmasizadeh, and W. Susilo, “An identity-based multi-proxy multi-signature scheme without bilinear pairings and its variant,” The Computer Journal, vol. 58, no. 4, pp. 1021–1039, 2015.
[2] A. Boldyreva, A. Palacio, and B. Warinschi, “Secure proxy signature schemes for delegation of signing rights,” Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.
[3] Z. C. Cai, X. L. Dong, and Z. F. Cao, “Identity based signature scheme based on quadratic residues,” Science in China Series F: Information Sciences, vol. 39, no. 2, pp. 199–204, 2009.
[4] F. Cao and Z. F. Cao, “A secure identity-based proxy multi-signature scheme,” Information Sciences, vol. 179, no. 3, pp. 292–302, 2009.
[5] X. F. Cao and W. D. Kou, “A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges,” Information Sciences, vol. 180, no. 15, pp. 2895–2903, 2010.
[6] Cryptography Stack Exchange, Why Is Elliptic Curve Cryptography Not Widely Used, Compared to RSA?, Nov. 15, 2011. (http://crypto.stackexchange.com/questions/1190/why-is-elliptic-curve-cryptography-not-widely-used-compared-to-rsa).
[7] M. L. Das, A. Saxena, and D. B. Phatak, “Algorithms and approaches of proxy signature: A survey,” International Journal of Network Security, vol. 9, no. 3, pp. 264–284, 2009.
[8] D. B. He, J. H. Chen, and R. Zhang, “Efficient and provably-secure certificateless signature scheme without bilinear pairings,” International Journal of Communication Systems, vol. 25, no. 11, pp. 1432–1442, 2012.
[9] X. X. Li and K. F. Chen, “ID-based multi-proxy signature, proxy multi-signature and multi-proxy multi-signature schemes from bilinear pairings,” Applied Mathematics and Computation, vol. 169, no. 1, pp. 437–450, 2005.
[10] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: delegation of the power to sign messages,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E79-A, no. 9, pp. 1338–1354, 1996.
[11] C. H. Pan, S. P. Li, Q. H. Zhu, C. Z. Wang, and M. W. Zhang, “Notes on proxy signcryption and multi-proxy signature schemes,” International Journal of Network Security, vol. 17, no. 1, pp. 29–33, 2015.
[12] D. Pointcheval and J. Stern, “Security proofs for signature schemes,” in Advances in Cryptology (Eurocrypt’96), LNCS 1070, pp. 387–398, Springer, May 1996.
[13] D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” Journal of Cryptology, vol. 13, no. 3, pp. 361–396, 2000.
[14] R. A. Sahu and S. Padhye, “Provable secure identity-based multi-proxy signature scheme,” International Journal of Communication Systems, vol. 28, no. 3, pp. 497–512, 2015.
[15] A. Shamir, “Identity based cryptosystems and signature schemes,” in Proceedings of Advances in Cryptology (CRYPTO’84), LNCS 196, pp. 47–53, Springer, 1984.
[16] H. Singh and G. K. Verma, “ID-based proxy signature scheme with message recovery,” Journal of Systems and Software, vol. 85, no. 1, pp. 209–214, 2012.
[17] Y. Sun, C. X. Xu, Y. Yu, and B. Yang, “Improvement of a proxy multi-signature scheme without random oracles,” Computer Communications, vol. 34, no. 3, pp. 257–263, 2011.
[18] N. Tiwari and S. Padhye, “An ID-based proxy multi-signature scheme without bilinear pairings,” in Proceedings of First International Conference on Security Aspects in Information Technology, LNCS 7011, pp. 83–92, Springer, 2011.
[19] N. Tiwari, S. Padhye, and D. He, “Provably secure proxy multi-signature scheme based on ECC,” Information Technology and Control, vol. 43, no. 2, pp. 198–203, 2014.
[20] Q. Wang and Z. F. Cao, “Identity based proxy multi-signature,” Journal of Systems and Software, vol. 80, no. 7, pp. 1023–1029, 2007.
[21] Z. W. Wang, L. C. Wang, S. H. Zheng, Y. X. Yang, and Z. M. Hu, “Provably secure and efficient identity-based signature scheme based on cubic residues,” International Journal of Network Security, vol. 14, no. 1, pp. 104–109, 2012.
[22] L. J. Yi, G. Q. Bai, and G. Z. Xiao, “Proxy multi-signature scheme: A new type of proxy signature scheme,” Electronics Letters, vol. 36, no. 6, pp. 527–528, 2000.
[23] Y. Yu, Y. Mu, W. Susilo, Y. Sun, and Y. F. Ji, “Provably secure proxy signature scheme from factorization,” Mathematical and Computer Modelling, vol. 55, no. 3-4, pp. 1160–1168, 2012.
Feng Wang was born in Shandong province, China, in 1978. He received his B.S. degree in Mathematics from Yantai Normal University (now named Ludong University), Yantai, in 2000 and the M.S. degree in Applied Mathematics from Guangzhou University, Guangzhou, in 2006. Currently, he is a Lecturer in the College of Mathematics and Physics at Fujian University of Technology and a visiting scholar in the Department of Information Engineering and Computer Science at Feng Chia University. His research interests include computer cryptography and information security.
Changlu Lin received the B.S. degree and M.S. degree in mathematics from Fujian Normal University, P.R. China, in 2002 and 2005, respectively, and received the Ph.D. degree in information security from the State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, P.R. China, in 2010. He currently works for the School of Mathematics and Computer Science, and the Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University. He is interested in cryptography and network security, and has conducted research in diverse areas, including secret sharing, public key cryptography and their applications.
Shih-Chang Chang received his B.S. degree in 2005 and his M.S. degree in 2007, both from the Department of Information Engineering and Computer Science, Feng Chia University, Taichung, Taiwan. He is currently pursuing his Ph.D. degree in Computer Science and Information Engineering at National Chung Cheng University, Chiayi, Taiwan. His current research interests include electronic commerce, information security, computer cryptography, and mobile communications.
Chin-Chen Chang received his Ph.D. degree in computer engineering from National Chiao Tung University. His first degree is a Bachelor of Science in Applied Mathematics and his master's degree is a Master of Science in Computer and Decision Sciences, both awarded by National Tsing Hua University. Dr. Chang served at National Chung Cheng University from 1989 to 2005. His current title is Chair Professor in the Department of Information Engineering and Computer Science, Feng Chia University, from Feb. 2005. Prior to joining Feng Chia University, Professor Chang was an associate professor at Chiao Tung University, professor at National Chung Hsing University, and chair professor at National Chung Cheng University. He has also been Visiting Researcher and Visiting Scientist at Tokyo University and Kyoto University, Japan. During his service at Chung Cheng, Professor Chang served as Chairman of the Institute of Computer Science and Information Engineering, Dean of the College of Engineering, Provost and then Acting President of Chung Cheng University, and Director of the Advisory Office in the Ministry of Education, Taiwan. Professor Chang has won many research awards and honorary positions by and in prestigious organizations both nationally and internationally. He is currently a Fellow of IEEE and a Fellow of IEE, UK. On numerous occasions, he has been invited to serve as Visiting Professor, Chair Professor, Honorary Professor, Honorary Director, Honorary Chairman, Distinguished Alumnus, Distinguished Researcher, and Research Fellow by universities and research institutes. His current research interests include database design, computer cryptography, image compression and data structures.