International Journal of Network Security, Vol.18, No.1, PP.90-98, Jan. 2016

Secure and Efficient Identity-based Proxy Multi-signature Using Cubic Residues

Feng Wang (1,2), Chin-Chen Chang (2,3), Changlu Lin (4), and Shih-Chang Chang (5)
(Corresponding author: Chin-Chen Chang)

(1) College of Mathematics and Physics, Fujian University of Technology, Fuzhou, Fujian, 350108, China
(2) Department of Information Engineering and Computer Science, Feng Chia University, 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan (Email: alan3c@gmail.com)
(3) Department of Computer Science and Information Engineering, Asia University, Taichung 41354, Taiwan
(4) School of Mathematics and Computer Science, Fujian Normal University, Fuzhou, Fujian, 350117, China
(5) Department of Computer Science and Information Engineering, National Chung Cheng University, 160 San-Hsing, Ming-Hsiung, Chiayi 621, Taiwan

(Received July 14, 2014; revised and accepted Jan. 16 & June 4, 2015)

Abstract

The term "proxy multi-signature" refers to the situation in which a proxy signer is authorized to sign a message on behalf of a group of original signers. Combining this primitive with identity-based cryptography, we propose an efficient identity-based proxy multi-signature scheme built on cubic residues that needs no bilinear pairing. The scheme is secure against existential forgery under adaptive chosen-message and identity attacks, assuming the hardness of integer factorization. Compared with the elliptic-curve and bilinear-pairing assumptions, integer factorization has been studied far longer (the problem itself is about 2500 years old) and is simpler to implement. Furthermore, our scheme is more efficient than previous schemes based on bilinear pairings.

Keywords: Cubic residues, identity-based signature, integer factorization, proxy multi-signature, random oracle model

1 Introduction

Shamir [15] introduced identity-based cryptography in 1984 in order to simplify the key management of traditional, certificate-based public-key infrastructures.
In Shamir's approach an entity's public key is derived directly from her or his identity, such as an e-mail address, while the entity's private key is generated by a trusted third party called the private key generator (PKG). The notion of proxy signatures was proposed by Mambo et al. [10] in 1996. They distinguished two kinds of signers, the original signer and the proxy signer; the latter can sign a message on behalf of the former under a warrant delegated by the former. Proxy signatures have many practical applications, such as distributed systems, grid computing, mobile agent applications, distributed shared object systems, global distribution networks, and mobile communications [2]. Since 1996 the proxy signature has received significant attention [7], and various extensions have been proposed [1, 9, 11, 19, 22], one of which is the proxy multi-signature [9, 19, 22]. In 2000, Yi et al. proposed the proxy multi-signature [22], in which a designated proxy signer can generate a valid signature on behalf of a group of original signers. A proxy multi-signature fits the following scenario: a university wants to release a document in which several departments are involved, for example the Dean's Office, the Student Affairs Office, and the Human Resources Department. The document must be signed by all of these entities or by a proxy signer delegated by all of them. Combining this notion with identity-based cryptography, Li and Chen [9] proposed identity-based proxy multi-signature (IBPMS) and constructed a scheme from bilinear pairings in 2005. However, most existing IBPMS schemes are based on bilinear pairings [4, 9, 14, 20], which cost considerably more than ordinary operations such as modular exponentiation in a finite field. There was therefore strong interest in constructing a secure scheme without pairings.
In 2011, Tiwari and Padhye [18] proposed a secure IBPMS scheme based on the elliptic curve discrete logarithm problem. Although they claimed that their scheme is more efficient and has smaller keys than pairing-based schemes, its security rests on the elliptic curve discrete logarithm assumption, which is only a few decades old [6]. In this paper we propose a new identity-based proxy multi-signature (IBPMS) scheme using cubic residues and no bilinear pairing. Its security rests on the integer factorization assumption, a problem that has been studied for about 2500 years. Our contributions are as follows. First, our scheme is the first identity-based proxy multi-signature scheme built on the cubic residue problem. Second, the scheme is proven secure in the random oracle model under the hardness of the integer factorization problem. Third, the scheme is more efficient than Cao and Cao's pairing-based IBPMS scheme [4].

The rest of the paper is organized as follows. Section 2 introduces cubic residues and the integer factorization problem assumption. Section 3 gives the formal definition and security model of identity-based proxy multi-signature. Section 4 presents the new identity-based proxy multi-signature scheme using cubic residues. Section 5 gives the formal security proof in the random oracle model. Section 6 compares the efficiency of our scheme with Cao and Cao's IBPMS scheme. Section 7 concludes.

2 Preliminaries

In this section we review cubic residues and the construction of [21], and the integer factorization problem assumption.

2.1 Cubic Residues

Definition 1. For a positive integer $n$, if there is some $x$ satisfying $x^3 \equiv C \pmod n$, we say that $C$ is a cubic residue modulo $n$ and that $x$ is a cubic root of $C$ modulo $n$.

From [21] we have Lemma 1, Theorem 1, and Theorem 2.

Lemma 1. Let $p$ be a prime, $3_p = \gcd(3, p-1)$, and $C \in Z_p^*$. Then $C$ is a cubic residue modulo $p$ if and only if $C^{(p-1)/3_p} \equiv 1 \pmod p$.

Obviously, if $p$ is a prime with $p \equiv 2 \pmod 3$, then $3_p = 1$ and every $C \in Z_p^*$ is a cubic residue modulo $p$; in that case cubing is a bijection on $Z_p^*$, so every element has exactly one cubic root.

If $q$ is a prime with $q \equiv 4$ or $7 \pmod 9$, then for every $h \in Z_q^*$ we can construct a cubic residue modulo $q$ as follows. Let $a$ be a non-cubic residue modulo $q$ and compute
$$\eta = [(q-1) \bmod 9]/3,\quad \lambda = (\eta \bmod 2) + 1,\quad \beta = (q-1)/3,\quad \xi \equiv a^{\eta\beta} \pmod q,\quad \tau \equiv h^{\lambda\beta} \pmod q,$$
$$b = \begin{cases} 0, & \text{if } \tau = 1, \\ 1, & \text{if } \tau = \xi, \\ 2, & \text{if } \tau = \xi^2. \end{cases}$$
Then $C = a^b \cdot h$ is a cubic residue modulo $q$. Here $\xi$ is a primitive cube root of unity modulo $q$, $\tau$ always lies in $\{1, \xi, \xi^2\}$, and $b$ is the unique exponent for which $(a^b h)^{\beta} \equiv 1 \pmod q$, i.e. for which Lemma 1 holds.

Theorem 1. Let $p$, $q$ be as above, $n = p \cdot q$, and $d = [2^{\eta-1}(p-1)(q-1) - 3]/9$ (an integer for such $p$ and $q$). Then $C = a^b \cdot h$ is a cubic residue modulo $n$, and $s \equiv C^{d} \pmod n$ is a cubic root of $C^{-1}$, that is, $s^3 \cdot C \equiv 1 \pmod n$.

Theorem 2. Let $n = p \cdot q$ with $p \equiv 2 \pmod 3$. If $s_1^3 \equiv s_2^3 \equiv C \pmod n$ and $s_1 \not\equiv s_2 \pmod n$, then $\gcd(s_1 - s_2, n)$ is a non-trivial divisor of $n$. (Cubic roots modulo $p$ are unique, so $s_1 \equiv s_2 \pmod p$ and the gcd is $p$.)

2.2 Integer Factorization Problem Assumption

The integer factorization problem assumption is one of the fundamental hardness assumptions; it has been studied extensively and used to construct many cryptographic schemes. We analyze the security of the proposed scheme under this assumption. From [23] we have Definitions 2 and 3.

Definition 2. Given $n = p \cdot q$, where $p$ and $q$ are unknown primes, the integer factorization problem is to output a prime $p$ ($1 < p < n$) that divides $n$.

Definition 3 (Integer factorization problem assumption). The integer factorization problem (IFP) is $(t', \epsilon')$-hard if no algorithm running in time at most $t'$ solves it with probability at least $\epsilon'$.
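The construction of Section 2.1 can be checked on toy numbers. The following Python is an added example written for this page, not code from the paper or from [21]: it takes the primes $p = 11$ ($\equiv 2 \pmod 3$) and $q = 13$ ($\equiv 4 \pmod 9$), which are constructed toy values, derives $\eta$, $\lambda$, $\beta$ and $d$, tests Lemma 1, lifts an arbitrary $h$ to a cubic residue $C = a^b h$, extracts the cubic root of $C^{-1}$ by Theorem 1, and splits $n$ from two distinct cubic roots as in Theorem 2. All function names are mine.

```python
# Added example (not from the paper): the cubic-residue machinery of Section 2
# on toy parameters.  p = 11 (p ≡ 2 mod 3) and q = 13 (q ≡ 4 mod 9) are
# constructed values small enough to check by hand; a deployment uses k-bit primes.
from math import gcd


def cubic_params(p, q):
    """Derive eta, lambda, beta and d of [21] from the two primes."""
    assert p % 3 == 2 and q % 9 in (4, 7), "need p ≡ 2 (mod 3), q ≡ 4 or 7 (mod 9)"
    eta = ((q - 1) % 9) // 3            # 1 if q ≡ 4, 2 if q ≡ 7 (mod 9)
    lam = (eta % 2) + 1
    beta = (q - 1) // 3
    # Theorem 1: d = [2^(eta-1)(p-1)(q-1) - 3]/9 is an integer for such p, q
    d, rem = divmod(2 ** (eta - 1) * (p - 1) * (q - 1) - 3, 9)
    assert rem == 0
    return {"p": p, "q": q, "n": p * q, "eta": eta, "lam": lam, "beta": beta, "d": d}


def is_cubic_residue_mod_prime(c, p):
    """Lemma 1: C is a cubic residue mod p iff C^((p-1)/3_p) ≡ 1 (mod p)."""
    three_p = gcd(3, p - 1)
    return pow(c, (p - 1) // three_p, p) == 1


def find_non_cubic_residue(q):
    """Smallest a in Z_q^* that is not a cube (one exists because 3 | q-1)."""
    return next(a for a in range(2, q) if not is_cubic_residue_mod_prime(a, q))


def lift_to_cubic_residue(h, a, prm):
    """Section 2.1 construction: return (b, C) with C = a^b * h a cubic residue mod n."""
    q, n = prm["q"], prm["n"]
    assert gcd(h, n) == 1, "h must be a unit modulo n"
    xi = pow(a, prm["eta"] * prm["beta"], q)      # primitive cube root of unity mod q
    tau = pow(h, prm["lam"] * prm["beta"], q)      # lies in {1, xi, xi^2}
    b = {1: 0, xi: 1, (xi * xi) % q: 2}[tau]
    return b, (pow(a, b, n) * h) % n


def cube_root_of_inverse(c, prm):
    """Theorem 1: C^d is a cube root of C^{-1} modulo n, i.e. (C^d)^3 * C ≡ 1."""
    return pow(c, prm["d"], prm["n"])


def factor_from_two_cube_roots(s1, s2, n):
    """Theorem 2: distinct cube roots of the same C modulo n split n."""
    assert pow(s1, 3, n) == pow(s2, 3, n) and s1 % n != s2 % n
    g = gcd((s1 - s2) % n, n)
    assert 1 < g < n
    return g


if __name__ == "__main__":
    prm = cubic_params(11, 13)
    a = find_non_cubic_residue(13)
    for h in range(2, 10):                      # every h here is a unit mod 143
        b, c = lift_to_cubic_residue(h, a, prm)
        s = cube_root_of_inverse(c, prm)
        assert pow(s, 3, prm["n"]) * c % prm["n"] == 1
    print("Theorem 1 holds for h = 2..9; gcd from roots 2 and 123 of 8:",
          factor_from_two_cube_roots(2, 123, prm["n"]))
```

With $p = 11$, $q = 13$ the parameters are $\eta = 1$, $\lambda = 2$, $\beta = 4$, $d = 13$ and $a = 2$; for $h = 2$ the construction gives $b = 2$ and $C = 8$, and the two cubic roots $2$ and $123$ of $8$ modulo $143$ split $n$ as $\gcd(121, 143) = 11$, which is exactly the situation the security proof in Section 5 exploits.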
3 Formal Definition and Security Model

We give a formal definition and security model of identity-based proxy multi-signature based on the works of Cao and Cao [4], Singh and Verma [16], and Sun et al. [17].

3.1 Formal Definition of the Identity-based Proxy Multi-signature Scheme

In an identity-based proxy multi-signature scheme there are two kinds of entities: a group of original signers and the proxy signer. We use $ID_i$, $i = 1, 2, \cdots, n$, to denote the identity of original signer $i$, and $ID_{ps}$ to denote the identity of the proxy signer. From [4] we have Definition 4.

Definition 4. An identity-based proxy multi-signature scheme (IBPMS) is a tuple of seven algorithms IBPMS = (Setup, Extract, DelGen, DelVeri, PMKGen, PMSign, PMVeri):

Setup. PKG takes a security parameter as input and outputs the public parameters $PP$ and its master key $MK$.

Extract. PKG takes its master key $MK$ and a user's identity $ID_i$ as inputs, and outputs the user's public/secret key pair $(H_{ID_i}, s_{ID_i})$.

DelGen. For $i = 1, 2, \cdots, n$, original signer $i$ takes her or his secret key $s_{ID_i}$ and a warrant $w$ as inputs, and outputs her or his delegation $D_{i \to ps}$ to the proxy signer.

DelVeri. For $i = 1, 2, \cdots, n$, the proxy signer takes the delegation $D_{i \to ps}$ of original signer $i$ and the identity $ID_i$ as inputs, and checks whether the delegation is valid.

PMKGen. The proxy signer takes her or his secret key $s_{ID_{ps}}$ and the delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$, as inputs, and generates her or his proxy signing key $sk_{ps}$.

PMSign. The proxy signer takes the signing key $sk_{ps}$, a message $m$, and the delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$, as inputs, and generates the proxy multi-signature $\sigma$ on $m$.

PMVeri. The verifier takes the proxy multi-signature $\sigma$, the original signers' identities $ID_i$, $i = 1, 2, \cdots, n$, and the proxy signer's identity $ID_{ps}$ as inputs, and checks whether the proxy multi-signature is valid.

3.2 Security Model

Of the models of Cao and Cao [4] and Sun et al. [17], we adopt the proxy multi-signature security model of [17] and extend it to the identity-based setting in order to prove the security of our scheme. The adversaries in that model are of three types:

Type 1. The adversary $A_1$ knows nothing except the identities of the original signers and the proxy signer.

Type 2. The adversary $A_2$ knows, in addition to what $A_1$ knows, the secret keys of $n-1$ original signers and of the proxy signer.

Type 3. The adversary $A_3$ knows, in addition to what $A_1$ knows, the secret keys of all original signers, but not the secret key of the proxy signer.

Obviously, if a Type 1 adversary can forge a valid signature, then so can a Type 2 or Type 3 adversary, so we only consider Type 2 and Type 3 adversaries in this paper.

For the Type 2 adversary $A_2$ we may assume that she or he holds the secret keys of all original signers except signer $n$. Given a valid delegation $D_{n \to ps}$, she or he can produce a valid proxy multi-signature alone, using the secret keys of the other original signers and of the proxy signer. So the objective of the Type 2 adversary is to output a valid delegation $D_{n \to ps}$.

The Type 3 adversary $A_3$ holds the secret keys of all original signers, so she or he can output valid delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$, alone. The objective of the Type 3 adversary is therefore to output a valid proxy multi-signature under delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$.

Let the adversary $A_t$ ($t = 2$ or $3$) be a probabilistic Turing machine that takes the public parameters $PP$ and a random tape as inputs and runs an experiment with an algorithm $B$. Inspired by [17], we give the following two definitions.

Definition 5. For an identity-based proxy multi-signature scheme, the experiment of the adversary $A_t$ ($t = 2$ or $3$) with the given security parameter is as follows:

Step 1. Algorithm $B$ runs Setup and returns the public parameters $PP$ to $A_t$.

Step 2. $B$ maintains several lists, e.g., $E_{list}$, $D_{list}$, and $S_{list}$, initialized as empty.

Step 3. When $A_t$ makes adaptive queries, $B$ runs the following oracles and answers:

• Extract oracle: takes a user's identity $ID_i$ as input, returns her or his private key $s_{ID_i}$, and puts $(ID_i, s_{ID_i})$ into $E_{list}$.

• DelGen oracle: takes an original signer's identity $ID_i$ and the warrant $w$ as inputs, returns the delegation $D_{i \to ps}$, and puts $(ID_i, w, D_{i \to ps})$ into $D_{list}$.

• PMSign oracle: takes the message $m$ and the delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$, as inputs, returns a proxy multi-signature $\sigma$ signed by the proxy signer, and puts $(m, w, \sigma)$ into $S_{list}$.

Step 4. Eventually $A_t$ outputs a forgery.

• If $t = 2$ (Type 2 adversary $A_2$), the forgery is a tuple $(ID_n, w, D_{n \to ps})$ such that $D_{n \to ps}$ is a valid delegation of $ID_n$ under warrant $w$, $ID_n \notin E_{list}$, and $(ID_n, w) \notin D_{list}$.

• If $t = 3$ (Type 3 adversary $A_3$), the forgery is a tuple $(m, w, \sigma)$ such that $\sigma$ is a valid proxy multi-signature, $ID_{ps} \notin E_{list}$, and $(w, m) \notin S_{list}$.

If the output satisfies the corresponding condition, $A_t$'s attack is successful.
Definition 6. For any polynomial-time adversary $A_t$ ($t = 2$ or $3$), if the probability that $A_t$ succeeds in the above experiment is negligible, the identity-based proxy multi-signature scheme is said to be secure against existential forgery under adaptive chosen-message and identity attacks.

4 Our Proposed IBPMS Scheme

In this section we describe a new identity-based proxy multi-signature scheme. It extends the cubic-residue identity-based signature of [21] and consists of the following seven algorithms.

Setup. Given the security parameters $k$ and $l$, PKG produces the public parameters $PP$ and the master key $MK$ as follows:
1) Randomly generate two $k$-bit primes $p$ and $q$ satisfying $p \equiv 2 \pmod 3$ and $q \equiv 4$ or $7 \pmod 9$, respectively, and compute $n = p \cdot q$.
2) Compute $\eta = [(q-1) \bmod 9]/3$, $\lambda = (\eta \bmod 2) + 1$, $\beta = (q-1)/3$, and $d = [2^{\eta-1}(p-1)(q-1) - 3]/9$.
3) Randomly select a non-cubic residue $a$ modulo $q$ and compute $\xi \equiv a^{\eta\beta} \pmod q$.
4) Select four hash functions $H_1: \{0,1\}^* \to Z_n^*$ and $H_2, H_3, H_4: \{0,1\}^* \to \{0,1\}^l$.
PKG publishes $PP = (n, a, \eta, \lambda, H_1, H_2, H_3, H_4)$ and keeps $MK = (p, q, d, \beta)$, together with the derived $\xi$, secret.

Extract. Given $PP$, $MK$, and the identity $ID_i$ of user $i$, PKG computes the secret key as follows:
1) Compute $\tau_i \equiv H_1(ID_i)^{\lambda\beta} \pmod q$.
2) Set $b_i = 0$ if $\tau_i = 1$, $b_i = 1$ if $\tau_i = \xi$, and $b_i = 2$ if $\tau_i = \xi^2$; compute $C_i \equiv a^{b_i} \cdot H_1(ID_i) \pmod n$ and $s_{ID_i} \equiv (C_i)^d \pmod n$.
By Theorem 1, $s_{ID_i}^3 \cdot C_i \equiv 1 \pmod n$. PKG transmits the secret key $(s_{ID_i}, b_i)$ to user $i$ over a secure channel. Only $s_{ID_i}$ is secret; $b_i$ is later published with the user's delegation so that a verifier can recompute $C_i$.

DelGen. Let $ID_i$, $i = 1, 2, \cdots, n$, be the identities of the original signers and $ID_{ps}$ the identity of the proxy signer. Original signer $i$ wants to delegate, under warrant $w$, the signing of message $m$ to the proxy signer, so she or he takes the secret key $(s_{ID_i}, b_i)$ and the warrant $w$ as inputs and produces the delegation $D_{i \to ps}$ as follows:
1) Randomly select $r_i \in Z_n^*$, compute $R_i \equiv r_i^3 \pmod n$, and broadcast $R_i$ to the other original signers.
2) Compute $R \equiv \prod_{i=1}^{n} R_i \pmod n$, $h_w = H_2(w, R)$, and $V_i \equiv r_i \cdot s_{ID_i}^{h_w} \pmod n$.
Each original signer $i$ sends her or his delegation $D_{i \to ps} = (ID_i, b_i, w, R_i, V_i)$ to the proxy signer.

DelVeri. To verify the delegations $D_{i \to ps}$ under warrant $w$, the proxy signer computes $R \equiv \prod_{i=1}^{n} R_i \pmod n$, $h_w = H_2(w, R)$, $C_i \equiv a^{b_i} \cdot H_1(ID_i) \pmod n$, and checks
$$V_i^3 \cdot C_i^{h_w} \equiv R_i \pmod n \quad \text{for } i = 1, 2, \cdots, n.$$
If the equation holds, $D_{i \to ps}$ is accepted as a valid delegation; otherwise it is rejected.

PMKGen. If the proxy signer accepts all delegations $D_{i \to ps}$, $i = 1, 2, \cdots, n$, she or he computes $h_{ps} = H_3(ID_{ps}, w, R)$, $V \equiv \prod_{i=1}^{n} V_i \pmod n$, and $sk_{ps} \equiv s_{ID_{ps}}^{h_{ps}} \cdot V \pmod n$, and takes $sk_{ps}$ as her or his proxy signing key.

PMSign. The proxy signer takes $sk_{ps}$ as input, randomly selects $r_{ps} \in Z_n^*$, and computes $R_{ps} \equiv r_{ps}^3 \pmod n$, $h_m = H_4(ID_{ps}, w, m, R_{ps})$, and $V_{ps} \equiv r_{ps} \cdot sk_{ps}^{h_m} \pmod n$. The tuple
$$(ID_1, ID_2, \cdots, ID_n, ID_{ps}, b_1, b_2, \cdots, b_n, b_{ps}, m, w, R, R_{ps}, V_{ps})$$
is the proxy multi-signature of message $m$ on behalf of all original signers $i$, $i = 1, 2, \cdots, n$.

PMVeri. To verify the proxy multi-signature $(ID_1, \cdots, ID_n, ID_{ps}, b_1, \cdots, b_n, b_{ps}, m, w, R, R_{ps}, V_{ps})$ of message $m$ under warrant $w$, the verifier computes $h_{ps} = H_3(ID_{ps}, w, R)$, $h_w = H_2(w, R)$, $h_m = H_4(ID_{ps}, w, m, R_{ps})$, $C \equiv \prod_{i=1}^{n} (a^{b_i} \cdot H_1(ID_i)) \pmod n$, $C_{ps} \equiv a^{b_{ps}} \cdot H_1(ID_{ps}) \pmod n$, and checks
$$V_{ps}^3 \cdot C_{ps}^{h_{ps} \cdot h_m} \cdot C^{h_w \cdot h_m} \equiv R_{ps} \cdot R^{h_m} \pmod n.$$
If the equation holds the signature is accepted; otherwise it is rejected. As with any proxy signature, the verifier should also check that $m$ and the listed identities conform to the warrant $w$.

Correctness. Our scheme is correct because, using $V_i^3 \equiv R_i \cdot C_i^{-h_w}$ and $s_{ID_{ps}}^3 \equiv C_{ps}^{-1} \pmod n$,
$$\begin{aligned}
V_{ps}^3 \cdot C_{ps}^{h_{ps} h_m} \cdot C^{h_w h_m}
&\equiv (r_{ps} \cdot sk_{ps}^{h_m})^3 \cdot C_{ps}^{h_{ps} h_m} \cdot C^{h_w h_m} \\
&\equiv R_{ps} \cdot \Big( s_{ID_{ps}}^{3 h_{ps}} \cdot \prod_{i=1}^{n} V_i^3 \Big)^{h_m} \cdot C_{ps}^{h_{ps} h_m} \cdot C^{h_w h_m} \\
&\equiv R_{ps} \cdot \Big( C_{ps}^{-h_{ps}} \cdot \prod_{i=1}^{n} R_i \cdot C_i^{-h_w} \Big)^{h_m} \cdot C_{ps}^{h_{ps} h_m} \cdot C^{h_w h_m} \\
&\equiv R_{ps} \cdot C_{ps}^{-h_{ps} h_m} \cdot R^{h_m} \cdot C^{-h_w h_m} \cdot C_{ps}^{h_{ps} h_m} \cdot C^{h_w h_m} \\
&\equiv R_{ps} \cdot R^{h_m} \pmod n.
\end{aligned}$$
5 Security Proof of Our Proposed Scheme

In this section we give the security proof of the proposed scheme: it is secure against existential forgery under adaptive chosen-message and identity attacks in the random oracle model. We treat Type 2 and Type 3 adversaries separately. If a Type 2 adversary $A_2$ can break our scheme, we construct a polynomial-time algorithm $B$ that, by interacting with $A_2$, solves the integer factorization problem.

Theorem 3. Given security parameters $(k, l)$, if the integer factorization problem is $(t', \epsilon')$-hard, then our identity-based proxy multi-signature scheme is $(t, q_{H_2}, q_D, \epsilon_2)$-secure against existential forgery under adaptive chosen-message and identity attacks for the Type 2 adversary $A_2$, where
$$\epsilon' \ge \frac{4}{9} \cdot \left( \frac{(\epsilon_2 - \delta_2)^2}{q_{H_2} + 1} - \frac{\epsilon_2 - \delta_2}{2^l} \right), \qquad t' = 2t + O(k^2 \cdot l + k^3),$$
$q_{H_2}$ and $q_D$ denote the numbers of queries $A_2$ makes to the random oracle $H_2$ and to the DelGen oracle, respectively, and $\delta_2 = \dfrac{q_D \cdot (q_{H_2} + q_D)}{3 \cdot 2^k}$.

Proof. Assume that adversary $A_2$ breaks the proposed scheme. We construct an algorithm $B$ that solves the integer factorization problem: given $n = p \cdot q$ (with $p$, $q$ unknown) and a non-cubic residue $a$ modulo $q$, $B$ outputs $p$ and $q$ with non-negligible probability.

Step 1. $B$ sends $(n, a)$ to $A_2$ as the public parameters.

Step 2. $B$ maintains the lists $H_{1,list}$, $H_{2,list}$, $E_{list}$, and $D_{list}$, initialized as empty.

Step 3. $B$ answers $A_2$'s queries as follows:

• $H_1$-oracle: $A_2$ queries $H_1$ on $ID_i$. If $ID_i$ is not yet in $H_{1,list}$, $B$ picks random $s_i \in Z_n^*$ and $b_i \in \{0, 1, 2\}$, sets
$$h_{1,i} = H_1(ID_i) \equiv (a^{b_i} \cdot s_i^3)^{-1} \pmod n,$$
so that $s_i^3 \cdot C_i \equiv 1 \pmod n$ for $C_i = a^{b_i} \cdot h_{1,i}$, exactly as for a genuine secret key, and adds $(ID_i, h_{1,i}, s_i, b_i)$ to $H_{1,list}$. $B$ returns $h_{1,i}$ to $A_2$. Note that $s_i^{-1}$ is then a cubic root of $C_i$ known to $B$.

• $H_2$-oracle: $A_2$ queries $H_2$ on $(w, R)$. If $(w, R)$ is not yet in $H_{2,list}$, $B$ picks a random $e \in \{0,1\}^l$, adds $(w, R, e)$ to $H_{2,list}$, and returns $e$ to $A_2$.

• Extract oracle: $A_2$ requests the secret key of $ID_i$. If $ID_i$ is not in $E_{list}$, $B$ consults the $H_1$-oracle to obtain $(ID_i, h_{1,i}, s_i, b_i)$ from $H_{1,list}$, returns $(s_i, b_i)$ to $A_2$, and adds $(ID_i, s_i, b_i)$ to $E_{list}$.

• DelGen oracle: $A_2$ requests a delegation on $(ID_n, w)$. By assumption $A_2$ has obtained the secret keys of original signers $i = 1, 2, \cdots, n-1$ from the Extract oracle. For $i = 1, 2, \cdots, n-1$, $A_2$ randomly selects $r_i \in Z_n^*$, computes $R_i \equiv r_i^3 \pmod n$, and sends $R_1, \cdots, R_{n-1}$ to $B$. $B$ randomly selects $V_n \in Z_n^*$ and $\tau \in \{0,1\}^l$, and computes
$$R_n \equiv V_n^3 \cdot (a^{b_n} \cdot H_1(ID_n))^{\tau} \pmod n, \qquad R \equiv \prod_{i=1}^{n} R_i \pmod n.$$
If $(w, R)$ already exists in $H_{2,list}$, $B$ returns failure; otherwise $B$ returns $(ID_n, b_n, w, R_n, V_n)$ as original signer $n$'s delegation to $A_2$, together with $\tau$ so that $A_2$ can complete the delegations on $(ID_i, w)$ for $i = 1, 2, \cdots, n-1$. $B$ adds $(ID_n, b_n, w, R_n, V_n)$ to $D_{list}$ and $(w, R, \tau)$ to $H_{2,list}$. By construction $V_n^3 \cdot C_n^{\tau} \equiv R_n \pmod n$, so the simulated delegation passes DelVeri.

Step 4. $A_2$ outputs a delegation forgery $D^*_{n \to ps} = (ID_n^*, b_n^*, w^*, R_n^*, V_n^*)$ for warrant $w^*$ and identity $ID_n^*$, where $(ID_n^*, w^*)$ was not queried to the DelGen oracle and $ID_n^*$ was not queried to the Extract oracle.

Step 5. We show how $B$ factors $n$ from $A_2$'s delegation forgery. We apply the oracle replay technique of the Forking Lemma [12, 13]: $B$ runs $A_2$ twice. In the first run $B$ records the whole transcript of its interaction with $A_2$. In the second run $B$ starts $A_2$ with the same random tape and returns the same answers, except at the $H_2$-oracle: on the query that the forgery is based on, $B$ answers with different random values $e^*$ and $e^{**}$ in the two runs. After the two runs $A_2$ has produced two forged delegations $(ID_n^*, b_n^*, w^*, R_n^*, V_n^*)$ and $(ID_n^*, b_n^*, w^*, R_n^*, V_n^{**})$, together with the delegations of original signers $1, 2, \cdots, n-1$, and sends them to $B$. Then $B$ proceeds as follows:

• $B$ computes $R^* \equiv \prod_{i=1}^{n} R_i^* \pmod n$, looks up the records of $(w^*, R^*)$ in the $H_{2,list}$ of the two runs to obtain $e^*$ and $e^{**}$, and checks whether $e^* - e^{**} \equiv 0 \pmod 3$; if so, $B$ aborts.

• Otherwise, from the two valid delegations $B$ has $(V_n^*)^3 \cdot (C_n^*)^{e^*} \equiv R_n^*$ and $(V_n^{**})^3 \cdot (C_n^*)^{e^{**}} \equiv R_n^* \pmod n$, where $C_n^* \equiv a^{b_n^*} \cdot H_1(ID_n^*) \pmod n$.

• Dividing, $B$ obtains $(V_n^* / V_n^{**})^3 \equiv (C_n^*)^{e^{**} - e^*} \pmod n$.

• If $e^{**} - e^* \equiv 1 \pmod 3$, there is an integer $x$ with $e^{**} - e^* = 3x + 1$. Then $(V_n^* / V_n^{**})^3 \equiv (C_n^*)^{3x+1} \pmod n$, and therefore
$$C_n^* \equiv \left( \frac{V_n^*}{V_n^{**} \cdot (C_n^*)^x} \right)^3 \pmod n.$$

• If $e^{**} - e^* \equiv 2 \pmod 3$, there is an integer $x$ with $e^{**} - e^* = 3x - 1$. Then $(V_n^* / V_n^{**})^3 \equiv (C_n^*)^{3x-1} \pmod n$, and therefore
$$C_n^* \equiv \left( \frac{V_n^{**} \cdot (C_n^*)^x}{V_n^*} \right)^3 \pmod n.$$

Thus, if $e^{**} - e^* \not\equiv 0 \pmod 3$, $B$ obtains a cubic root of $C_n^*$. From $H_{1,list}$, $B$ already knows another cubic root of $C_n^*$, namely $s_n^{-1}$; since $ID_n^*$ was never queried to the Extract oracle, $A_2$ has no information about which of the cubic roots $B$ holds. If the two cubic roots differ, $B$ factors $n$ by Theorem 2. Since $e^*$ and $e^{**}$ are chosen at random, the probability that $e^{**} - e^* \not\equiv 0 \pmod 3$ is $2/3$, and the probability that the two cubic roots of $C_n^*$ differ is $2/3$.

Next, similarly to [3], we analyze the probability that $A_2$ forges two valid delegations. Let $\epsilon_2^*$ denote the probability that $A_2$ forges a delegation in a single simulated run, and $\epsilon_2$ the probability that $A_2$ forges a delegation in the real attack.

All records $(w, R, e)$ of $H_{2,list}$ are created by $H_2$-oracle queries and DelGen oracle queries, so there are at most $q_{H_2} + q_D$ different values of $R$. For every DelGen query, $B$ randomly selects $V_n$ and $\tau$ and computes $R_n \equiv V_n^3 \cdot (a^{b_n} \cdot H_1(ID_n))^{\tau}$ and $R \equiv \prod_{i=1}^{n} R_i$, so $R$ can be regarded as a random cubic residue modulo $n$. Counting the cubic residues modulo $n$ as $3 \cdot 2^k$, the probability that $R$ already occurs in $H_{2,list}$ is at most $\frac{q_{H_2} + q_D}{3 \cdot 2^k}$, so the probability that $A_2$ forges a delegation in a single run is
$$\epsilon_2^* \ge \epsilon_2 - \frac{q_D \cdot (q_{H_2} + q_D)}{3 \cdot 2^k}.$$

Let $p_i$ denote the probability of a forgery based on the $i$-th $H_2$-oracle query in a single run; then
$$\epsilon_2^* = \sum_{i=1}^{q_{H_2}+1} p_i.$$
Let $p_{i,s}$ denote the probability of a forgery based on the $i$-th $H_2$-oracle query with random tape $s$, where $s$ is a specific random tape of length $m$. Then
$$2^m \cdot p_i = \sum_{s \in \{0,1\}^m} p_{i,s}.$$
For a specific random tape $s$, since two valid forgeries need different outputs of the $H_2$-oracle query, the probability of two forgeries based on the same $i$-th $H_2$-oracle query is $p_{i,s} \cdot (p_{i,s} - 2^{-l})$. Let $P_i$ denote the probability of two forgeries based on the same $i$-th $H_2$-oracle query in the two runs; then
$$P_i = \sum_{s \in \{0,1\}^m} 2^{-m} \cdot p_{i,s} \cdot (p_{i,s} - 2^{-l}) \ge p_i^2 - 2^{-l} \cdot p_i.$$
So the probability of two forgeries based on the same $H_2$-oracle query in the two runs is $\sum_{i=1}^{q_{H_2}+1} P_i$, and by the Cauchy-Schwarz inequality
$$\sum_{i=1}^{q_{H_2}+1} P_i \ge \sum_{i=1}^{q_{H_2}+1} p_i^2 - \sum_{i=1}^{q_{H_2}+1} 2^{-l} \cdot p_i \ge \frac{(\epsilon_2^*)^2}{q_{H_2}+1} - \frac{\epsilon_2^*}{2^l}.$$
Taking into account the event $e^{**} - e^* \not\equiv 0 \pmod 3$ and the event that the two cubic roots of $C_n^*$ differ, the probability of factoring $n$ is
$$\epsilon' \ge \frac{4}{9} \sum_{i=1}^{q_{H_2}+1} P_i \ge \frac{4}{9} \cdot \left( \frac{(\epsilon_2 - \delta_2)^2}{q_{H_2}+1} - \frac{\epsilon_2 - \delta_2}{2^l} \right),$$
where $\delta_2 = \dfrac{q_D \cdot (q_{H_2} + q_D)}{3 \cdot 2^k}$. So the theorem is proved.

As to the running time, according to [3], $B$ runs $A_2$ twice and performs some additional operations to factor $n$, so $B$ spends time $t' = 2t + O(k^2 \cdot l + k^3)$. □
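Step 5 of the proof above, run on toy numbers. This is an added example written for this page, not code from the paper: $n = 143 = 11 \cdot 13$, $a = 2$, and the choices $s_n = 5$, $b_n = 1$, $r = 7$, $e^* = 4$, $e^{**} = 9$ are constructed. In place of a forger, an honest signer holding a genuine but different cubic root plays $A_2$ and is simply run twice with the same $r$, which is exactly what the forking replay produces; $B$ then extracts a cubic root of $C_n^*$ by the $3x \pm 1$ case split and splits $n$ using its own root $s_n^{-1}$. Function names are mine, and the harness uses $p$ and $q$ only to manufacture the signer's alternative root.

```python
# Added example (not from the paper): the extraction step of the proof of
# Theorem 3 on toy numbers.  n = 143 = 11 * 13, a = 2, and s_n, b_n, r, e1, e2
# are constructed values.  The "forger" is an honest signer run twice with the
# same randomness, which is what the forking replay hands to B.
from math import gcd


def inv(x, n):
    return pow(x, -1, n)                              # Python 3.8+


def program_h1(a, b_n, s_n, n):
    """B's H1-oracle answer for ID_n: h1 = (a^b_n * s_n^3)^{-1}, so s_n^3 * C_n ≡ 1 (mod n)."""
    h1 = inv(pow(a, b_n, n) * pow(s_n, 3, n) % n, n)
    C_n = pow(a, b_n, n) * h1 % n
    return h1, C_n


def delegate(t, r, e, n):
    """DelGen of signer n with secret key t (t^3 * C_n ≡ 1) and H2 answer e: V_n = r * t^e."""
    return r * pow(t, e, n) % n


def cube_root_from_fork(V1, V2, e1, e2, C_n, n):
    """Two delegations on the same R_n with H2 answers e1 != e2 satisfy
    (V1/V2)^3 ≡ C_n^(e2-e1); if e2-e1 is not 0 mod 3 this yields a cube root of C_n."""
    delta = e2 - e1
    if delta % 3 == 0:
        return None                                   # B aborts (probability 1/3)
    if delta % 3 == 1:                                # delta = 3x + 1
        x = (delta - 1) // 3
        y = V1 * inv(V2 * pow(C_n, x, n) % n, n) % n
    else:                                             # delta = 3x - 1
        x = (delta + 1) // 3
        y = V2 * pow(C_n, x, n) % n * inv(V1, n) % n
    assert pow(y, 3, n) == C_n % n
    return y


def split_n(y1, y2, n):
    """Theorem 2: two distinct cube roots of the same value give a factor of n."""
    if y1 % n == y2 % n:
        return None                                   # same root as B's (probability 1/3)
    g = gcd((y1 - y2) % n, n)
    return g if 1 < g < n else None


def run_reduction(p, q, a, s_n, b_n, r, e1, e2):
    """Harness: B programs H1, the signer holds a root different from B's, and the
    forking replay gives B two delegations.  Returns (extracted cube root, factor)."""
    n = p * q
    h1, C_n = program_h1(a, b_n, s_n, n)
    # A genuine key for ID_n that differs from B's: t = s_n * omega with omega a
    # non-trivial cube root of unity mod n (omega ≡ 1 mod p, omega^3 ≡ 1 mod q).
    omega_q = next(x for x in range(2, q) if pow(x, 3, q) == 1)
    omega = (1 + p * ((omega_q - 1) * inv(p, q) % q)) % n        # CRT lift
    t = s_n * omega % n
    assert pow(t, 3, n) * C_n % n == 1 and t != s_n
    V1 = delegate(t, r, e1, n)        # first run:  H2(w*, R*) = e1
    V2 = delegate(t, r, e2, n)        # replay:     H2(w*, R*) = e2, same r
    assert pow(V1, 3, n) * pow(C_n, e1, n) % n == pow(r, 3, n)   # DelVeri passes
    y = cube_root_from_fork(V1, V2, e1, e2, C_n, n)
    if y is None:
        return None, None
    return y, split_n(y, inv(s_n, n), n)   # B's own cube root of C_n is s_n^{-1}
```

Both abort cases of the proof are visible: `cube_root_from_fork` returns `None` when $e^{**} - e^* \equiv 0 \pmod 3$, and `split_n` returns `None` when the forger happened to hold the same root as $B$. Because the root is unique modulo $p$, two different roots always agree modulo $p$, so whenever the gcd is non-trivial it is $p$ itself.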
Theorem 4. Given security parameters $(k, l)$, if the integer factorization problem is $(t', \epsilon')$-hard, then our identity-based proxy multi-signature scheme is $(t, q_{H_4}, q_S, \epsilon_3)$-secure against existential forgery under adaptive chosen-message and identity attacks for the Type 3 adversary $A_3$, where
$$\epsilon' \ge \frac{4}{9} \cdot \left( \frac{(\epsilon_3 - \delta_3)^2}{q_{H_4}+1} - 2^{-l} \cdot (\epsilon_3 - \delta_3) \right), \qquad t' = 2t + O(k^2 \cdot l + k^3),$$
$q_{H_4}$ and $q_S$ denote the numbers of queries $A_3$ makes to the random oracle $H_4$ and to the PMSign oracle, respectively, and $\delta_3 = \dfrac{q_S \cdot (q_{H_4} + q_S)}{3 \cdot 2^k}$.

Proof. The proof is similar to that of Theorem 3, so we only describe the differences.

Step 1. $B$ does the same as in Step 1 of Theorem 3.

Step 2. $B$ drops $D_{list}$ and adds the lists $H_{3,list}$, $H_{4,list}$, and $S_{list}$, initialized as empty.

Step 3. $B$ drops the DelGen oracle and adds the $H_3$, $H_4$, and PMSign oracles:

• $H_3$-oracle: $A_3$ queries $H_3$ on $(ID_{ps}, w, R)$. If $(ID_{ps}, w, R)$ is not yet in $H_{3,list}$, $B$ picks a random $\mu \in \{0,1\}^l$, adds $(ID_{ps}, w, R, \mu)$ to $H_{3,list}$, and returns $H_3(ID_{ps}, w, R) = \mu$ to $A_3$.

• $H_4$-oracle: $A_3$ queries $H_4$ on $(ID_{ps}, w, m, R_{ps})$. If $(ID_{ps}, w, m, R_{ps})$ is not yet in $H_{4,list}$, $B$ picks a random $\nu \in \{0,1\}^l$, adds $(ID_{ps}, w, m, R_{ps}, \nu)$ to $H_{4,list}$, and returns $H_4(ID_{ps}, w, m, R_{ps}) = \nu$ to $A_3$.

• PMSign oracle: $A_3$ requests a proxy multi-signature on $(w, m)$. $A_3$ randomly selects $r_i \in Z_n^*$, computes $R_i \equiv r_i^3 \pmod n$ and $R \equiv \prod_{i=1}^{n} R_i \pmod n$, queries the $H_2$-oracle to obtain $H_2(w, R) = e$, and, since $A_3$ knows all the original signers' secret keys, computes $V_i \equiv r_i \cdot s_{ID_i}^{e} \pmod n$ and thereby all the delegations $D_{i \to ps} = (ID_i, b_i, w, R_i, V_i)$, $i = 1, 2, \cdots, n$. $A_3$ sends $D_{i \to ps}$, $i = 1, 2, \cdots, n$, to $B$ to request a proxy multi-signature on $(w, m)$. $B$ computes $R \equiv \prod_{i=1}^{n} R_i \pmod n$ and obtains $H_3(ID_{ps}, w, R) = \mu$ from $H_{3,list}$ through the $H_3$-oracle. $B$ picks random $V_{ps} \in Z_n^*$ and $\varsigma \in \{0,1\}^l$, and computes
$$C \equiv \prod_{i=1}^{n} (a^{b_i} \cdot h_{1,i}) \pmod n, \qquad C_{ps} \equiv a^{b_{ps}} \cdot h_{1,ps} \pmod n, \qquad R_{ps} \equiv V_{ps}^3 \cdot \left( \frac{C_{ps}^{\mu} \cdot C^{e}}{R} \right)^{\varsigma} \pmod n.$$
If $R_{ps}$ already exists in $H_{4,list}$, $B$ returns failure; otherwise $B$ returns $(ID_1, ID_2, \cdots, ID_n, ID_{ps}, b_1, b_2, \cdots, b_n, b_{ps}, m, w, R, R_{ps}, V_{ps})$ as the proxy multi-signature on $(w, m)$ to $A_3$, adds this tuple to $S_{list}$, and adds $(ID_{ps}, w, m, R_{ps}, \varsigma)$ to $H_{4,list}$. By construction the tuple satisfies the PMVeri equation with $h_{ps} = \mu$, $h_w = e$, and $h_m = \varsigma$.

Step 4. $A_3$ outputs a proxy multi-signature forgery on $(w^*, m^*)$, $\sigma^* = (ID_1^*, ID_2^*, \cdots, ID_n^*, ID_{ps}^*, b_1^*, b_2^*, \cdots, b_n^*, b_{ps}^*, m^*, w^*, R^*, R_{ps}^*, V_{ps}^*)$, where $ID_{ps}^*$ was not queried to the Extract oracle and $(m^*, w^*)$ was not queried to the PMSign oracle.

Step 5. As in Theorem 3, $B$ runs $A_3$ twice with the same random tape and gives different random answers on the $H_4$-oracle query that the forgery is based on. $A_3$ then forges two proxy multi-signatures with the same value $R_{ps}^*$ and different $h_m$, and $B$ solves the integer factorization problem from the two forgeries in the same way as in Theorem 3.

The probability and the running time are analyzed as in Theorem 3. □

By Theorems 3 and 4 we obtain Theorem 5 directly.

Theorem 5. Given security parameters $(k, l)$, if the factoring problem is $(t', \epsilon')$-hard, then our identity-based proxy multi-signature scheme is $(t, q_{H_2}, q_{H_4}, q_D, q_S, \epsilon)$-secure against existential forgery under adaptive chosen-message and identity attacks, where
$$\epsilon' \ge \frac{4}{9} \cdot \left( \frac{(\epsilon - \delta)^2}{2 \cdot \max\{q_{H_2}+1,\ q_{H_4}+1\}} - 2^{-l} \cdot (\epsilon - \delta) \right), \qquad t' = 2t + O(k^2 \cdot l + k^3),$$
with $\epsilon = \epsilon_2 + \epsilon_3$ and $\delta = \delta_2 + \delta_3$.

We conclude that our scheme is secure against existential forgery under adaptive chosen-message and identity attacks under the integer factorization problem assumption.

6 Comparison and Performance

In this section we compare our scheme with Cao and Cao's IBPMS scheme [4]. Both schemes are provably secure in the random oracle model under different hardness assumptions, as summarized in Table 1. To simplify the comparison we follow the method of [5] and consider a single original signer. Let $M_p$, $H_M$, $O_P$, and $E_n$ denote one pairing-based scalar multiplication, one map-to-point hash, one pairing operation, and one modular exponentiation, respectively. To make the comparison clearer we converted the total computation cost into a running time in the last column of Table 2, using the operation timings of Table 3, which are taken from [8].

Table 1: Comparison of security

Scheme           Security proof   Mathematical tool   Assumption*
Cao and Cao [4]  Random oracle    Bilinear pairings   CDH
Our scheme       Random oracle    Cubic residues      IFP

* CDH stands for the computational Diffie-Hellman assumption, and IFP for the integer factorization problem.

Table 2: Comparison of computational cost (single original signer)

Scheme           Extract   DelGen    DelVeri   PMKGen   PMSign    PMVeri         Total          Total time (ms)
Cao and Cao [4]  1Mp+1HM   2Mp+1HM   2HM+3OP   1Mp      2Mp+1HM   1Mp+3HM+4OP    7Mp+8HM+7OP    209.26
Our scheme       1En       1En       1En       1En      1En       3En            8En            42.48

Table 3: Running time of cryptographic operations (ms), from [8]

Modular exponentiation (En)                 5.31
Pairing (OP)                               20.04
Pairing-based scalar multiplication (Mp)    6.38
Map-to-point hash (HM)                      3.04
According to Tables 1 and 2, the total running time of our scheme is drastically lower than that of Cao and Cao's scheme [4]. The security of our scheme rests on the integer factorization problem assumption and needs no bilinear pairing; we note that the integer factorization problem is about 2500 years old.

7 Conclusions

Identity-based proxy multi-signature was introduced years ago, and several schemes have been proposed since. However, most existing schemes are based on bilinear pairings or elliptic curves. In this paper we proposed an efficient identity-based proxy multi-signature scheme using cubic residues. Its security is based on the integer factorization problem assumption, which has been studied for about 2500 years and is simpler to deploy. The scheme is proven secure against existential forgery under adaptive chosen-message and identity attacks. Furthermore, it is more efficient than existing pairing-based schemes such as Cao and Cao's.

Acknowledgments

The authors gratefully acknowledge the anonymous reviewers for their valuable comments.

References

[1] M. R. Asaar, M. Salmasizadeh, and W. Susilo, "An identity-based multi-proxy multi-signature scheme without bilinear pairings and its variant," The Computer Journal, vol. 58, no. 4, pp. 1021–1039, 2015.
[2] A. Boldyreva, A. Palacio, and B. Warinschi, "Secure proxy signature schemes for delegation of signing rights," Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.
[3] Z. C. Cai, X. L. Dong, and Z. F. Cao, "Identity based signature scheme based on quadratic residues," Science in China Series F: Information Sciences, vol. 39, no. 2, pp. 199–204, 2009.
[4] F. Cao and Z. F. Cao, "A secure identity-based proxy multi-signature scheme," Information Sciences, vol. 179, no. 3, pp. 292–302, 2009.
[5] X. F. Cao and W. D. Kou, "A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges," Information Sciences, vol. 180, no. 15, pp. 2895–2903, 2010.
[6] Cryptography Stack Exchange, "Why is elliptic curve cryptography not widely used, compared to RSA?", Nov. 15, 2011. (http://crypto.stackexchange.com/questions/1190/why-is-elliptic-curve-cryptography-not-widely-used-compared-to-rsa)
[7] M. L. Das, A. Saxena, and D. B. Phatak, "Algorithms and approaches of proxy signature: A survey," International Journal of Network Security, vol. 9, no. 3, pp. 264–284, 2009.
[8] D. B. He, J. H. Chen, and R. Zhang, "Efficient and provably-secure certificateless signature scheme without bilinear pairings," International Journal of Communication Systems, vol. 25, no. 11, pp. 1432–1442, 2012.
[9] X. X. Li and K. F. Chen, "ID-based multi-proxy signature, proxy multi-signature and multi-proxy multi-signature schemes from bilinear pairings," Applied Mathematics and Computation, vol. 169, no. 1, pp. 437–450, 2005.
[10] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E79-A, no. 9, pp. 1338–1354, 1996.
[11] C. H. Pan, S. P. Li, Q. H. Zhu, C. Z. Wang, and M. W. Zhang, "Notes on proxy signcryption and multi-proxy signature schemes," International Journal of Network Security, vol. 17, no. 1, pp. 29–33, 2015.
[12] D. Pointcheval and J. Stern, "Security proofs for signature schemes," in Advances in Cryptology (Eurocrypt'96), LNCS 1070, pp. 387–398, Springer, May 1996.
[13] D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," Journal of Cryptology, vol. 13, no. 3, pp. 361–396, 2000.
[14] R. A. Sahu and S. Padhye, "Provable secure identity-based multi-proxy signature scheme," International Journal of Communication Systems, vol. 28, no. 3, pp. 497–512, 2015.
[15] A. Shamir, "Identity based cryptosystems and signature schemes," in Advances in Cryptology (CRYPTO'84), LNCS 196, pp. 47–53, Springer, 1984.
[16] H. Singh and G. K. Verma, "ID-based proxy signature scheme with message recovery," Journal of Systems and Software, vol. 85, no. 1, pp. 209–214, 2012.
[17] Y. Sun, C. X. Xu, Y. Yu, and B. Yang, "Improvement of a proxy multi-signature scheme without random oracles," Computer Communications, vol. 34, no. 3, pp. 257–263, 2011.
[18] N. Tiwari and S. Padhye, "An ID-based proxy multi signature scheme without bilinear pairings," in Proceedings of the First International Conference on Security Aspects in Information Technology, LNCS 7011, pp. 83–92, Springer, 2011.
[19] N. Tiwari, S. Padhye, and D. He, "Provably secure proxy multi-signature scheme based on ECC," Information Technology and Control, vol. 43, no. 2, pp. 198–203, 2014.
[20] Q. Wang and Z. F. Cao, "Identity based proxy multi-signature," Journal of Systems and Software, vol. 80, no. 7, pp. 1023–1029, 2007.
[21] Z. W. Wang, L. C. Wang, S. H. Zheng, Y. X. Yang, and Z. M. Hu, "Provably secure and efficient identity-based signature scheme based on cubic residues," International Journal of Network Security, vol. 14, no. 1, pp. 104–109, 2012.
[22] L. J. Yi, G. Q. Bai, and G. Z. Xiao, "Proxy multi-signature scheme: A new type of proxy signature scheme," Electronics Letters, vol. 36, no. 6, pp. 527–528, 2000.
[23] Y. Yu, Y. Mu, W. Susilo, Y. Sun, and Y. F. Ji, "Provably secure proxy signature scheme from factorization," Mathematical and Computer Modelling, vol. 55, no. 3-4, pp. 1160–1168, 2012.

Feng Wang was born in Shandong province, China, in 1978. He received his B.S. degree in Mathematics from Yantai Normal University (now Ludong University), Yantai, in 2000 and the M.S. degree in Applied Mathematics from Guangzhou University, Guangzhou, in 2006.
Currently, he is a Lecturer in the College of Mathematics and Physics at Fujian University of Technology and a visiting scholar in the Department of Information Engineering and Computer Science at Feng Chia University. His research interests include computer cryptography and information security. Changlu Lin received the B.S. degree and M.S. degree in mathematics from Fujian Normal University, P.R. China, in 2002 and 2005, respectively, and received the Ph.D. degree in information security from the State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, P.R. China, in 2010. He currently works for the School of Mathematics and Computer Science and the Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University. He is interested in cryptography and network security, and has conducted research in diverse areas, including secret sharing, public key cryptography and their applications. Shih-Chang Chang received his B.S. degree in 2005 and his M.S. degree in 2007, both in the Department of Information Engineering and Computer Science at Feng Chia University, Taichung, Taiwan. He is currently pursuing his Ph.D. degree in Computer Science and Information Engineering at National Chung Cheng University, Chiayi, Taiwan. His current research interests include electronic commerce, information security, computer cryptography, and mobile communications. Chin-Chen Chang received his Ph.D. degree in computer engineering from National Chiao Tung University. His first degree is a Bachelor of Science in Applied Mathematics and his master's degree is a Master of Science in Computer and Decision Sciences. Both were awarded by National Tsing Hua University. Dr. Chang served at National Chung Cheng University from 1989 to 2005. His current title is Chair Professor in the Department of Information Engineering and Computer Science, Feng Chia University, from Feb. 2005.
Prior to joining Feng Chia University, Professor Chang was an associate professor at Chiao Tung University, professor at National Chung Hsing University, and chair professor at National Chung Cheng University. He had also been Visiting Researcher and Visiting Scientist at Tokyo University and Kyoto University, Japan. During his service at Chung Cheng, Professor Chang served as Chairman of the Institute of Computer Science and Information Engineering, Dean of the College of Engineering, Provost and then Acting President of Chung Cheng University, and Director of the Advisory Office in the Ministry of Education, Taiwan. Professor Chang has won many research awards and honorary positions from prestigious organizations both nationally and internationally. He is currently a Fellow of IEEE and a Fellow of IEE, UK. On numerous occasions, he was invited to serve as Visiting Professor, Chair Professor, Honorary Professor, Honorary Director, Honorary Chairman, Distinguished Alumnus, Distinguished Researcher, and Research Fellow by universities and research institutes. His current research interests include database design, computer cryptography, image compression and data structures.