id-based proxy signature scheme with message recovery

The Journal of Systems and Software 85 (2012) 209–214
Contents lists available at SciVerse ScienceDirect. Journal homepage: www.elsevier.com/locate/jss

Harendra Singh, Girraj Kumar Verma (corresponding author, e-mail: [email protected])
Department of Mathematics, Hindustan College of Science and Technology, Farah, Mathura, India

Article history: received 8 February 2011; received in revised form 28 July 2011; accepted 16 August 2011; available online 26 August 2011.

Keywords: ID-based signature; Proxy signature; Mobile agent; Bilinear pairing; Signature with message recovery

Abstract

A proxy signature scheme, introduced by Mambo, Usuda and Okamoto, allows an entity to delegate its signing rights to another entity. Identity based public key cryptosystems are a good alternative to a certificate based public key setting, especially when efficient key management and moderate security are required. Since their inception several ID-based proxy signature schemes have been discussed, but little attention has been given to proxy signatures with message recovery. In this paper we propose a provably secure ID-based proxy signature scheme with message recovery and prove that it is secure against existential forgery under adaptively chosen message and ID attack. As the proposed scheme is efficient in terms of communication overhead and security, it can be a good alternative to certificate based proxy signatures, used in various applications such as wireless e-commerce, mobile agents, mobile communication and distributed shared object systems.

© 2011 Elsevier Inc. All rights reserved.

1. Introduction

A digital signature scheme with message recovery is a signature scheme in which the original message is not required to be transmitted together with the signature, since it is embedded in the signature and can be recovered during the verification/message recovery process. It differs from an authenticated encryption scheme or a signcryption scheme, since here the embedded message can be recovered by anyone without any secret information. The purpose of this kind of signature is to minimize the total length of the original message and the appended signature. Such schemes are therefore useful in any organization where bandwidth is a main concern, or in applications in which short messages must be signed.

1.1. Related work

In 1984, Shamir (1985) introduced the idea of identity based public key cryptography to simplify the key management procedures of a traditional certificate based public key infrastructure. In ID-based public key cryptography, an entity's public key is derived directly from some aspect of its identity, such as an e-mail address, a phone number, an IP address belonging to a network, or a social security number. Private keys are generated by a trusted third party called the Private Key Generator (PKG). The direct derivation of public keys in these infrastructures eliminates the need for certificates and some of the problems associated with them. Since the PKG computes every private key, it can itself sign as any user (key escrow), which is why ID-based systems are deployed only where the PKG can be fully trusted.

Mambo et al. (1996) proposed the concept of proxy signature in 1996, which allows a designated person, called the proxy signer, to sign on behalf of an original signer. Proxy signatures play an important role in many applications (Boldyreva et al., 2003; Hong and Chen, 2007; Hwang and Chen, 2000; Shao, 2003; Zhang and Kim, 2003) and have received great attention since their inception. In 2003, Zhang and Kim (2003) proposed an ID-based proxy signature scheme using bilinear pairing. The scheme is similar to Kim et al.'s (1993) scheme, which is based on a certificate based public key infrastructure. Later, in 2004, Zhou et al. (2008) proposed a new provably secure ID-based proxy signature scheme using pairing and, in the same year, Malkin et al. (2004) proposed a generic construction of proxy signatures using self delegation. In 2005, Gu and Zhu (2005) proposed a new security model for provably secure ID-based proxy signature schemes; in the same year Zhang et al. (2005) proposed an ID-based digital signature scheme with message recovery for shortening the signature length, and Li et al. (2005) proposed a new proxy signature scheme with message recovery. In 2006, Gu and Zhu (2008) proposed an efficient version of the Zhang and Kim (2003) scheme using the security model described in Gu and Zhu (2005). In the same year, Galindo et al. (2006) proposed a generic construction of identity based signatures with special properties and showed how to construct identity based proxy signatures, and Tso et al. (2007) proposed an efficient version of the scheme of Zhang et al. (2005) using pairing. In 2007, Wu et al. (2007) proposed a new proxy signature scheme which improves the security aspects of an ID-based proxy signature scheme. Recently, in 2008, Schuldt et al. (2008) has given a

0164-1212/$ – see front matter © 2011 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2011.08.018


stronger model and gave a new generic construction from (sequential) aggregate signatures. In the same year, Wang (2008) gave a new identity based proxy signature scheme in the random oracle model that is secure against proxy key exposure. Recently, Wu et al. (2009) gave a proxy signature scheme with message recovery using self-certified public keys. Many ID-based proxy signature schemes have been given since 2003, but little attention has been paid to an ID-based proxy signature scheme with message recovery. In this paper we introduce an ID-based proxy signature scheme with message recovery and prove the security of the proposal. Our scheme is based on the work of Zhang et al. (2005) and Tso et al. (2007).

The mobile agent (Hong and Chen, 2007) is an autonomous software entity which can migrate across different execution environments through a network. The characteristics of the mobile agent, mobility and autonomy, make it ideal for electronic commerce applications. One of the tasks of a mobile agent is to produce a digital signature on behalf of its owner. For example, consider a scenario in which a mobile agent is ordered to search for the price of a flight ticket and book it on behalf of a customer. To make this possible, the mobile agent must act as a proxy signer of the customer; hence proxy signatures can be used for such a booking. Our proposed scheme provides an efficient proxy signature and hence can be used by mobile agents.

Our real contribution is to design a provably secure signature scheme and to provide its security proof.

The rest of the paper is organized as follows. In Section 2 we recall some preliminary work. In Section 3 we present an ID-based proxy signature scheme with message recovery. In Section 4 we analyze our scheme from the efficiency and security points of view and give Table 1 for an efficiency comparison with related existing schemes. In Section 5 we consider an example showing the need for a proxy signature scheme. In Section 6 we conclude our discussion.

2. Preliminaries

2.1. Bilinear pairing

Let $G_1$ be a cyclic additive group and $G_2$ a cyclic multiplicative group of the same prime order $q$. We assume that the discrete logarithm problem in both $G_1$ and $G_2$ is hard. A bilinear pairing $e$ is a map $e: G_1 \times G_1 \to G_2$ which satisfies the following properties:

1. Bilinear: for any $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$, $e(aP, bQ) = e(P, Q)^{ab}$.
2. Non-degeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
3. Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

Typically $G_1$ is a group of points on an elliptic curve and $e$ is the Weil or Tate pairing.

We now describe two mathematically hard problems, namely the Decisional Diffie-Hellman Problem (DDHP) and the Computational Diffie-Hellman Problem (CDHP), and the notion of a GDH group.

1. Definition (DDHP). For $a, b, c \in \mathbb{Z}_q^*$, given $P, aP, bP, cP \in G_1$, decide whether $c = ab \bmod q$. The DDHP is easy in $G_1$, since it is easy to compute $e(aP, bP) = e(P, P)^{ab}$ and to decide whether $e(P, P)^{ab} = e(P, P)^c$, i.e. whether $e(aP, bP) = e(P, cP)$.
2. Definition (CDHP). For $a, b \in \mathbb{Z}_q^*$, given $P, aP, bP \in G_1$, compute $abP \in G_1$. A $(t, \epsilon)$-CDH adversary in $G_1$ is a probabilistic machine $\mathcal{A}$ running in time $t$ such that $\mathrm{Adv}^{CDH}_{G_1}(\mathcal{A}) = \Pr[\mathcal{A}(P, aP, bP) = abP] \ge \epsilon$, where the probability is taken over the random values $a$ and $b$. The CDH problem is $(t, \epsilon)$-intractable if there is no $(t, \epsilon)$-adversary in $G_1$.
3. Definition (GDH group). If in a group $G_1$ the DDHP can be solved in polynomial time while no polynomial time algorithm can solve the CDHP with non-negligible advantage, we refer to $G_1$ as a Gap Diffie-Hellman group.

2.2. Framework of an ID-based proxy signature scheme with message recovery

In this section we provide a formal framework for an ID-based proxy signature scheme with message recovery (IDPSWM); our model is inspired by Gu and Zhu (2005). There are three main entities in this protocol: the original signer, the proxy signer and the verifier.

Definition (IDPSWM). An IDPSWM consists of the following eight polynomial time algorithms, Setup, Extract, DelGen, DelVerify, PKGen, PSign, SignVerify/Message Recovery and ID, together with a correctness requirement:

1. Setup: takes as input a security parameter $\lambda$ and outputs the key generation center KGC's master key, the global public key and the system parameters params.
2. Extract: takes as input an identity $ID_A \in \{0,1\}^*$ of a user A and the master key of the KGC, and outputs the public key and private key pair $(q_A, d_A)$.
3. DelGen: the original signer A computes the delegation $W_{A \to B}$ from his secret key $d_A$ and a warrant $m_w$, and sends it to the proxy signer in a secure way.
4. DelVerify: the delegation verification algorithm takes as input $ID_A$ and $W_{A \to B}$ and verifies whether $W_{A \to B}$ is a valid delegation from A.
5. PKGen: the proxy key generation algorithm takes as input $W_{A \to B}$ and some secret information (for example the secret key of the executor) and outputs a signing key $d_p$ for the proxy signer.
6. PSign: in this probabilistic algorithm the proxy signer computes the proxy signature $\delta$ on a message $m \in \{0,1\}^l$ using the proxy signing key.
7. SignVerify/Message Recovery: in this deterministic algorithm the verifier receives the signature, takes the identity of the original signer and the identity of the proxy signer as input, recovers the message and outputs accept or reject.
8. ID: the proxy identification algorithm takes as input a valid proxy signature and outputs the identity of the proxy signer.
9. Correctness: the proof that SignVerify/Message Recovery accepts every honestly generated proxy signature and recovers the signed message.

2.3. Security model

We consider the security model described in Gu and Zhu (2005), in which an adversary $\mathcal{A}$, assumed to be a probabilistic Turing machine, takes as input the global scheme parameters and a random tape and performs the experiment described below.

Definition. For an ID-based proxy signature scheme with message recovery (IDPSWM), we define the experiment $\mathrm{Exp}^{IDPSWM}_{\mathcal{A}}(\lambda)$ of adversary $\mathcal{A}$ with security parameter $\lambda$ as follows:

1. A challenger $\mathcal{C}$ runs Setup and gives the system parameters params to $\mathcal{A}$.
2. Set $C_{list} \leftarrow \emptyset$, $D_{list} \leftarrow \emptyset$, $G_{list} \leftarrow \emptyset$, $S_{list} \leftarrow \emptyset$.
3. Adversary $\mathcal{A}$ can make the following requests or queries adaptively:
• Extract(.): this oracle takes as input a user's $ID_i$ and returns the corresponding private key $d_i$. If $\mathcal{A}$ gets $d_i \leftarrow \mathrm{Extract}(ID_i)$, let $C_{list} \leftarrow C_{list} \cup \{(ID_i, d_i)\}$.
• Delegate(.): this oracle takes as input the designator's identity $ID$ and a warrant $m_w$ and outputs a delegation $W$. If $\mathcal{A}$ gets $W \leftarrow \mathrm{Delegate}(ID, m_w)$, let $D_{list} \leftarrow D_{list} \cup \{(ID, m_w, W)\}$.


• PKGen(.): this oracle takes as input the proxy signer's identity $ID$ and a delegation $W$ and outputs a proxy signing key $d_p$. If $\mathcal{A}$ gets $d_p \leftarrow \mathrm{PKGen}(ID, W)$, let $G_{list} \leftarrow G_{list} \cup \{(ID, W, d_p)\}$.
• PSign(.): this oracle takes as input the delegation $W$ and a message $m \in \{0,1\}^l$ and outputs a proxy signature created by the proxy signer. If $\mathcal{A}$ gets $(m, \delta) \leftarrow \mathrm{PSign}(W, m)$, let $S_{list} \leftarrow S_{list} \cup \{(W, m, \delta)\}$.
4. $\mathcal{A}$ outputs $(ID, m_w, W)$ or $(W, m, \delta)$.
5. If $\mathcal{A}$'s output satisfies one of the following conditions, $\mathcal{A}$'s attack is successful:
• The output is $(ID, m_w, W)$ and satisfies $\mathrm{DelVerify}(W, ID) = 1$, $(ID, .) \notin C_{list}$, $(ID, ., .) \notin G_{list}$ and $(ID, m_w, .) \notin D_{list}$. Then $\mathrm{Exp}^{IDPSWM}_{\mathcal{A}}(\lambda)$ returns 1.
• The output is $(W, m, \delta)$ and satisfies $\mathrm{SignVerify/Message\ Recovery}((m, \delta), ID_i) = 1$, $(W, m, .) \notin S_{list}$, $(ID_j, .) \notin C_{list}$ and $(ID_j, W, .) \notin G_{list}$, where $ID_i$ and $ID_j$ are the identities of the designator and the proxy signer defined by $W$, respectively. Then $\mathrm{Exp}^{IDPSWM}_{\mathcal{A}}(\lambda)$ returns 2.
Otherwise the experiment returns 0.

Definition. An ID-based proxy signature scheme with message recovery IDPSWM is said to be existentially delegation and signature unforgeable under adaptively chosen message and ID attack (DS-EUF-ACMIA) if, for any polynomial time adversary $\mathcal{A}$, any polynomial $p(.)$ and large enough $\lambda$,
$$\Pr[\mathrm{Exp}^{IDPSWM}_{\mathcal{A}} = 1] < \frac{1}{p(\lambda)} \quad \text{and} \quad \Pr[\mathrm{Exp}^{IDPSWM}_{\mathcal{A}} = 2] < \frac{1}{p(\lambda)}.$$

2.4. Notations

The following notations are used throughout the paper.

$a \| b$: the concatenation of two strings $a$ and $b$.
$\oplus$: bitwise exclusive-or.
$[x]_{10}$: the decimal (integer) representation of $x \in \{0,1\}^*$.
$[y]_2$: the binary representation of $y \in \mathbb{Z}$.
${}^{l}|\beta|$: the first $l$ bits of $\beta$ from the left.
$|\beta|_{l}$: the first $l$ bits of $\beta$ from the right.

3. Proposed ID-based proxy signature scheme with message recovery

In this section we describe our proposed proxy signature scheme with message recovery. Our scheme is based on the work done in Tso et al. (2007), Zhang and Kim (2003) and Zhang et al. (2005).

1. Setup. Takes as input a security parameter $\lambda$ and returns a master key $s$ and the system parameters $\mathrm{param} = (G_1, G_2, H_0, H_1, H_2, F_1, F_2, e, P, P_{pub}, q, \lambda, l_1, l_2)$, where $G_1$ is an additive cyclic group of prime order $q$, $G_2$ is a multiplicative cyclic group of the same order $q$, $H_0: \{0,1\}^* \to G_1^*$, $H_1: \{0,1\}^* \times G_2 \to \mathbb{Z}_q$, $H_2: G_2 \to \mathbb{Z}_q^*$, $F_1: \{0,1\}^{l_2} \to \{0,1\}^{l_1}$ and $F_2: \{0,1\}^{l_1} \to \{0,1\}^{l_2}$ are hash functions, $e: G_1 \times G_1 \to G_2$ is a bilinear pairing, $l_1, l_2$ are positive integers such that $l_1 + l_2 = |q|$, $P \in G_1$ is a generator, and $P_{pub} = sP$ is the global public key of the PKG.

2. Extract. Takes as input the identity $ID_U \in \{0,1\}^*$ of user $U$ and computes the secret key $d_U = sH_0(ID_U)$ and the corresponding public key $q_U = H_0(ID_U)$.

3. Delegate. Takes as input the secret key $d_A$ of the original signer and a warrant $m_w$, selects $k_A \in_R \mathbb{Z}_q^*$, computes $r_A = e(P, P)^{k_A}$, $h_A = H_1(m_w, r_A)$ and $S = h_A d_A + k_A P$, and outputs the delegation $W_{A \to B} = (m_w, r_A, S)$.

4. DelVerify. Once B receives $W_{A \to B} = (m_w, r_A, S)$, he computes $h_A = H_1(m_w, r_A)$ and $q_A = H_0(ID_A)$ and accepts the delegation if and only if $e(S, P) = e(q_A, P_{pub})^{h_A} \cdot r_A$.

5. PKGen. If B accepts the delegation $W_{A \to B} = (m_w, r_A, S)$, he computes the proxy signing key $d_p = h_A d_B + S$, where $h_A = H_1(m_w, r_A)$.

6. PSign. Proxy signer B chooses $k_B \in_R \mathbb{Z}_q^*$ and a message $m \in \{0,1\}^{l_2}$ and computes the proxy signature $\delta = (r_A, V_B, m_w, U)$, where
• $r_B = e(P, P)^{k_B}$
• $v = r_A \cdot r_B$
• $\beta = F_1(m) \| (F_2(F_1(m)) \oplus m)$
• $\alpha = [\beta]_{10}$
• $V_B = H_2(v) + \alpha$
• $U = k_B P + d_p$

7. SignVerify/Message Recovery. For a proxy signature $\delta = (r_A, V_B, m_w, U)$, a recipient first checks that the proxy signer conforms to the warrant $m_w$: the identity $ID_B$ used below is the one named in $m_w$, and the signing must fall within whatever scope and validity period the warrant states. Then, with $q_A = H_0(ID_A)$ and $q_B = H_0(ID_B)$, he computes the following:
• $h_A = H_1(m_w, r_A)$
• $\alpha = V_B - H_2\big(e(U, P) \cdot e(q_A + q_B, P_{pub})^{-h_A}\big)$
• $\beta = [\alpha]_2$, left-padded with zeros to exactly $l_1 + l_2$ bits (otherwise leading zero bits of $F_1(m)$ are lost and the split below is wrong)
• $m' = F_2({}^{l_1}|\beta|) \oplus |\beta|_{l_2}$
He then accepts the signature and the message $m'$ as valid if and only if ${}^{l_1}|\beta| = F_1(m')$.

8. ID. The proxy signer's identity $ID_B$ is read from the warrant $m_w$.

9. Correctness. The delegation check of step 4 holds because, with $d_A = s q_A$,
$$e(S, P) = e(h_A d_A + k_A P, P) = e(q_A, sP)^{h_A} \cdot e(P, P)^{k_A} = e(q_A, P_{pub})^{h_A} \cdot r_A.$$
The correctness of the verification/message recovery is as follows:
$$\begin{aligned}
e(U, P) \cdot e(q_A + q_B, P_{pub})^{-h_A} &= e(k_B P + d_p, P) \cdot e(q_A + q_B, sP)^{-h_A} \\
&= e(k_A P + k_B P + h_A d_B + h_A d_A, P) \cdot e(q_A + q_B, sP)^{-h_A} \\
&= e(k_A P + k_B P, P) \cdot e(h_A d_B + h_A d_A, P) \cdot e(q_A + q_B, sP)^{-h_A} \\
&= e(k_A P + k_B P, P) \cdot e(d_A + d_B, P)^{h_A} \cdot e(q_A + q_B, sP)^{-h_A} \\
&= e(P, P)^{k_A + k_B} \cdot e(q_A + q_B, sP)^{h_A} \cdot e(q_A + q_B, sP)^{-h_A} \\
&= v \cdot e(q_A + q_B, sP)^{h_A} \cdot e(q_A + q_B, sP)^{-h_A} = v.
\end{aligned}$$
Hence $\alpha = V_B - H_2(v)$, so $\beta = [\alpha]_2 = F_1(m) \| (F_2(F_1(m)) \oplus m)$. Now ${}^{l_1}|\beta| = F_1(m)$ and $|\beta|_{l_2} = F_2(F_1(m)) \oplus m$, so
$$F_2({}^{l_1}|\beta|) \oplus |\beta|_{l_2} = F_2(F_1(m)) \oplus F_2(F_1(m)) \oplus m = m,$$
and the integrity of the message is checked by ${}^{l_1}|\beta| = F_1(m')$.

4. Security and efficiency analysis

4.1. Security analysis

In this section we give a concrete security proof of our proposed scheme. Our security proof is motivated by Gu and Zhu (2005), Tso et al. (2007), Zhang and Kim (2003), Zhang et al. (2005) and Zhu et al. (2005). We show that the proposed scheme is secure against existential forgery under adaptively chosen message and ID attack in the random oracle model, assuming the hardness of the CDH problem. The following lemma is the core of the proof.

Definition (Forking Lemma, Pointcheval and Stern (2000)). Let $(\mathcal{G}, \Sigma, V)$ be a generic digital signature scheme with security parameter $k$. Let $\mathcal{A}$ be a probabilistic polynomial time Turing machine whose input consists only of the public data. Assume that, within a time bound $T$, $\mathcal{A}$ can produce a valid signature $(m, \sigma_1, h, \sigma_2)$ with probability $\epsilon \ge 10 (q_s + 1)(q_s + q_h)/2^k$ by making $q_s$ signing queries and $q_h$ random oracle queries. If the triple $(\sigma_1, h, \sigma_2)$ can be simulated without knowing the private key, with an indistinguishable probability distribution, then there exists another Turing machine $\mathcal{A}'$ that uses $\mathcal{A}$ to produce two valid signatures $(m, \sigma_1, h, \sigma_2)$ and $(m, \sigma_1', h', \sigma_2')$ such that $h \neq h'$ in expected time $T' \le 120686 \, q_h T/\epsilon$.

Theorem. Denote our scheme by IDPSWM in the random oracle model, and let $\mathcal{A}$ be a polynomial time adversary who runs the experiment $\mathrm{Exp}^{IDPSWM}_{\mathcal{A}}(\lambda)$ within a time bound $T$ and obtains return value 2 with non-negligible probability $\epsilon$. Denote by $n_{h_0}$, $n_{h_1}$, $n_{h_2}$ and $n_s$ respectively the number of queries that $\mathcal{A}$ can ask to the random oracles $H_0(.)$, $H_1(.)$, $H_2(.)$ and to the proxy signing oracle PSign(.). Assume that $\epsilon \ge 10 (n_s + 1)(n_s + n_{h_2})(n_{h_0} + n_{h_1})/q$. Then there is an adversary $\mathcal{A}'$ who can solve the CDHP within expected time less than $120686 \, n_s n_{h_0} n_{h_1} n_{h_2} T/\epsilon$.

To prove the theorem, we define a generic digital signature scheme with message recovery, called IDWM, as follows.

KeyGen. Given a security parameter $\lambda \in \mathbb{N}$, generate the key pair as follows:
1. $(s, \mathrm{param}) \leftarrow \mathrm{Setup}(1^\lambda)$, where $\mathrm{params} = (G_1, G_2, q, e, P, P_{pub}, H_0, H_1)$ and $P_{pub} = sP$. Pick random $Q, q_A \in G_1^*$ and set $d_A = s q_A$, $d = sQ$.
2. Pick a random $m_w \in \{0,1\}^*$ and use Hess's signature scheme (Gu and Zhu, 2005) to compute the signature $(m_w, r_A, U_A)$ on $m_w$ with secret key $d_A$.
3. Compute $h_A = H_1(m_w, r_A)$ and $d_p = h_A d + U_A$.
4. The public key is $(G_1, G_2, H_0, H_1, H_2, F_1, F_2, e, q, P, P_{pub}, Q, q_A, m_w, h_A, r_A)$ and the private key is $d_p$.

Sign. To sign a message $m \in \{0,1\}^{l_2}$, choose $k_1 \in_R \mathbb{Z}_q^*$ and compute $r_p = e(P, P)^{k_1}$, $v = r_A \cdot r_p$, $\beta = F_1(m) \| (F_2(F_1(m)) \oplus m)$, $\alpha = [\beta]_{10}$, $V_B = H_2(v) + \alpha$ and $U = k_1 P + d_p$. Let $\delta = (r_A, V_B, m_w, U)$ be the signature of message $m$.

Verify. For a signature with message recovery $(r_A, V_B, m_w, U)$, a recipient computes $\alpha = V_B - H_2\big(e(U, P) \cdot e(q_A + Q, P_{pub})^{-h_A}\big)$, where $h_A = H_1(m_w, r_A)$, and $\beta = [\alpha]_2$, verifies the signature by checking ${}^{l_1}|\beta| = F_1\big(F_2({}^{l_1}|\beta|) \oplus |\beta|_{l_2}\big)$, and accepts $F_2({}^{l_1}|\beta|) \oplus |\beta|_{l_2}$ as the valid message.

Lemma 1. Given $(G_1, G_2, H_0, H_1, H_2, F_1, F_2, e, P, P_{pub}, q, Q, q_A, r_A, m_w, l_1, l_2, h_A)$, let $\rho = e(q_A + Q, P_{pub})^{h_A}$. Then the following two distributions are the same:
$$\delta = \left\{ (r, V, U) \;\middle|\; k \in_R \mathbb{Z}_q^*,\ V \in_R \mathbb{Z},\ |V| \le |q|,\ r = e(P, P)^k,\ U = kP + d_p \right\}$$
$$\delta' = \left\{ (r, V, U) \;\middle|\; U' \in_R G_1,\ V \in_R \mathbb{Z},\ |V| \le |q|,\ U = U',\ r = e(U, P) \cdot (\rho \cdot r_A)^{-1},\ r \neq 1 \right\}$$

Proof. First choose a triple $(\alpha, \beta, \gamma)$ from the set of signatures, with $\alpha \in G_2^*$, $\beta \in \mathbb{Z}_q$ and $\gamma \in G_1$ such that $\alpha = e(\gamma, P) \cdot \big(r_A \cdot e(q_A + Q, P_{pub})^{h_A}\big)^{-1} \neq 1$. We then compute the probability of appearance of this triple under each distribution:
$$\Pr_{\delta}\big[(r, V, U) = (\alpha, \beta, \gamma)\big] = \Pr_{k \neq 0}\big[e(P, P)^k = \alpha,\ V = \beta,\ U = \gamma = d_p + kP\big] = \frac{1}{(q-1) \cdot 2^{|q|}}$$
$$\Pr_{\delta'}\big[(r, V, U) = (\alpha, \beta, \gamma)\big] = \Pr_{r \neq 1}\big[\alpha = e(U, P) \cdot (\rho \cdot r_A)^{-1},\ V = \beta,\ U = \gamma\big] = \frac{1}{(q-1) \cdot 2^{|q|}}$$

Proof of the Theorem. Without loss of generality, we may assume that for any ID, $\mathcal{A}$ queries $H_0(.)$ with ID before ID is used as (part of) an input of any query to Extract(.), Delegate(.), PKGen(.) or PSign(.), using a simple wrapper around $\mathcal{A}$.

From the adversary $\mathcal{A}$ we construct a probabilistic algorithm $\mathcal{B}$ that computes $aQ$ on input $P, aP, Q \in G_1^*$ as follows:

1. A challenger $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda)$ to generate $(G_1, q, P, a, Q)$ and gives $(G_1, q, P, aP, Q)$ to $\mathcal{B}$. $\mathcal{B}$ itself generates $\mathrm{param} = (G_1, G_2, H_0, H_1, H_2, F_1, F_2, e, P, P_{pub}, q, Q, q_A, r_A, m_w, l_1, l_2, h_A)$ from the input received from $\mathcal{C}$.
2. $\mathcal{B}$ sets $P_{pub} \leftarrow aP$ and $i \leftarrow 1$.
3. $C_{list} \leftarrow \emptyset$, $D_{list} \leftarrow \emptyset$, $G_{list} \leftarrow \emptyset$, $S_{list} \leftarrow \emptyset$.
4. $\mathcal{B}$ picks randomly $t$, $1 \le t \le n_{h_0}$, and $x_i \in \mathbb{Z}_q$, $i = 1, 2, \ldots, n_{h_0}$.
5. $\mathcal{B}$ gives $\mathcal{A}$ params and lets $\mathcal{A}$ run $\mathrm{Exp}^{IDPSWM}_{\mathcal{A}}(\lambda)$. During the execution, $\mathcal{B}$ emulates $\mathcal{A}$'s oracles as follows:
• $H_0(.)$: for input ID, $\mathcal{B}$ checks whether $H_0(ID)$ is defined; if not, it defines
$$H_0(ID) = \begin{cases} Q, & i = t \\ x_i P, & i \neq t \end{cases}$$
and sets $ID_i \leftarrow ID$, $i \leftarrow i + 1$. $\mathcal{B}$ returns $H_0(ID)$ to $\mathcal{A}$.
• $H_1(.)$: if $\mathcal{A}$ makes a query $(m, r)$ to the random oracle $H_1(.)$, $\mathcal{B}$ checks whether $H_1(m, r)$ is defined. If not, it picks a random $c \in \mathbb{Z}_q^*$ and sets $H_1(m, r) \leftarrow c$. Then it returns $H_1(m, r)$ to $\mathcal{A}$.
• Extract(.): for input $ID_i$, if $i = t$ then abort; otherwise $\mathcal{B}$ returns $d_i = x_i P_{pub}$ to $\mathcal{A}$ and sets $C_{list} \leftarrow C_{list} \cup \{(ID_i, d_i)\}$.
• Delegate(.): for input $ID_i$ and warrant $m_w$, if $i \neq t$, $\mathcal{B}$ uses $d_i = x_i P_{pub}$ as its private key to sign $m_w$ with Hess's signature scheme (Gu and Zhu, 2005) and gets $(r_0, S_0)$. Otherwise, $\mathcal{B}$ simulates $ID_i$'s proxy designation as follows:
  ◦ pick randomly $S_0 \in G_1$ and $h_0 \in \mathbb{Z}_q$;
  ◦ compute $r_0 = e(S_0, P) \cdot e(Q, P_{pub})^{-h_0}$;
  ◦ if $\mathcal{A}$ has already made the query $(m_w, r_0)$ to $H_1(.)$, abort (a collision appears); otherwise set $H_1(m_w, r_0) = h_0$.
  Let $W = (m_w, r_0, S_0)$ be the reply and set $D_{list} \leftarrow D_{list} \cup \{(ID_i, m_w, W)\}$.
• PKGen(.): for input proxy signer's $ID_j$ and delegation $W = (m_w, r_0, S_0)$, if $j = t$ then abort. Otherwise $\mathcal{B}$ computes $d_p = H_1(m_w, r_0) \cdot x_j \cdot P_{pub} + S_0$ as the reply to $\mathcal{A}$ and sets $G_{list} \leftarrow G_{list} \cup \{(W, ID_j, d_p)\}$.
• PSign(.): let the input be $W = (m_w, r_0, S_0)$ and message $m$, with designator's identity $ID_i$ and proxy signer's identity $ID_j$. If $j \neq t$, $\mathcal{B}$ computes the proxy signature $(r_p, V_p, U_p)$ on $m$ with secret signing key $d_p = H_1(m_w, r_0) x_j P_{pub} + S_0$ and returns $\delta = (r_0, V_p, m_w, U_p)$ as the reply to $\mathcal{A}$. Otherwise $\mathcal{B}$ simulates $ID_j$'s proxy signature on behalf of $ID_i$ as follows:
  ◦ pick randomly $U' \in G_1$ and $V \in \mathbb{Z}$ such that $|V| \le |q|$;
  ◦ check whether $H_1(m_w, r_0)$ is defined; if not, request the oracle $H_1(.)$ with $(m_w, r_0)$. Let $h = H_1(m_w, r_0)$;
  ◦ compute $r_p = e(U', P) \cdot \big(e(x_i P + Q, P_{pub})^h \cdot r_0\big)^{-1}$ and $U_p = U'$;
  ◦ if $\mathcal{A}$ has already made the query $r_0 \cdot r_p$ to $H_2(.)$, abort (a collision appears); otherwise set $V_p = H_2(r_0 \cdot r_p) + [\beta]_{10}$, where $\beta = F_1(m) \| (F_2(F_1(m)) \oplus m)$;
  ◦ let $\delta = (r_0, V_p, m_w, U_p)$ be the reply of PSign(.). By Lemma 1 the simulation is indistinguishable from the real one. Let $S_{list} \leftarrow S_{list} \cup \{(W, m, \delta)\}$.
6. If $\mathcal{A}$'s output is $(W, m, \delta) = ((m_w, r_0, S_0), m, (r_0, V_p, m_w, U_p))$ with designator's identity $ID_i$ and proxy signer's identity $ID_j$,


Table 1. Comparison between related existing proxy signatures and the proposed scheme (M: scalar multiplication in $G_1$; E: exponentiation in $G_2$; e: pairing; H: hashing).

Scheme                 Total length                        Delegate   DelVerify      PKGen   PSign     SignVerify
Zhang and Kim (2003)   |m| + |mw| + 1 Zq + 1 G1 + 1 G2     2M + 1E    2e + 1E + 1H   1M      2M + 1E   2e + 2E + 2H
Gu and Zhu (2008)      |m| + |mw| + 1 G1 + 2 G2            1M + 2E    1e + 2M + 2E   1M      1M + 1E   1e + 2M + 2E
Zhu et al. (2005)      |m| + |mw| + 3 G1                   2M + 1H    3e + 1H        1H      2M + 1E   2e + 1E + 2H
Proposed scheme        |mw| + 3 G2                         2M + 1E    1e + 1E        1H      1M + 1E   2e + 1E + 2H

satisfying $\mathrm{PVerify}((m, \delta), ID_i) = 1$, $(W, m, .) \notin S_{list}$, $(ID_j, .) \notin C_{list}$, $(ID_j, W, .) \notin G_{list}$ and $j = t$, then $\mathcal{B}$ obtains a forgery $(r_0, V_p, m_w, U_p)$ of IDWM corresponding to the private key $d_p = aQ$, where $h = H_1(m_w, r_0)$.
7. Now, without loss of generality, assume that $\mathcal{B}$ has obtained two delegation and signature pairs $(W, m, \delta) = ((m_w, r_0, S_0), m, (r_0, V_p, m_w, U_p))$ and $(W', m, \delta') = ((m_w', r_0, S_0'), m, (r_0, V_p', m_w', U_p'))$, where $S_0 = H_1(m_w, r_0) \cdot d_p + k_0 P$ and $S_0' = H_1(m_w', r_0) \cdot d_p + k_0 P$ correspond to the private key $d_p = aQ$. Then $\mathcal{B}$ computes and outputs $aQ$ as follows:
  ◦ $\mu_1 \leftarrow \big(H_1(m_w, r_0) - H_1(m_w', r_0)\big)^{-1} \bmod q$;
  ◦ $aQ = d_p \leftarrow \mu_1 \cdot (S_0 - S_0')$.
Otherwise, set $H_1(m_w, r_0) = e$, $i = 1$ and go to step 5.

During $\mathcal{B}$'s execution, if $\mathcal{A}$ runs $\mathrm{Exp}^{IDWM}_{\mathcal{A}}(\lambda)$ and obtains return value 2, a collision appears only with negligible probability, as mentioned in Mambo et al. (1996). So $\mathcal{B}$'s simulations are indistinguishable from $\mathcal{A}$'s oracles. Because $t$ is chosen randomly, $\mathcal{B}$ can output a forgery of the IDWM scheme corresponding to the private key $d_p = h \, aQ + U_0$ within expected time $T$ with probability $\epsilon/n_{h_1}$. Since IDWM is a generic digital signature scheme, by the Forking Lemma (Pointcheval and Stern, 2000) $\mathcal{B}$ can produce two valid signatures $(m_w, r_0, S_0, h_0)$ and $(m_w, r_0, S_0', h_0')$ such that $h_0 \neq h_0'$ within expected time less than $120686 \, n_s n_{h_0} n_{h_1} n_{h_2} T/\epsilon$. So $\mathcal{B}$ can output $aQ$. This proves the theorem.

Theorem. In the random oracle model, our proposed scheme is DS-EUF-ACMIA under the assumption of the hardness of the CDHP.

4.2. Efficiency analysis

In this section we denote by M an ordinary scalar multiplication in $(G_1, +)$, by E an exponentiation in $(G_2, \cdot)$, by e a pairing computation and by H a hashing operation. We compare our proposed scheme with existing related schemes from the point of view of message-signature length and computational cost. Some hash functions in our scheme are so efficient and generic (Tso et al., 2007) that there is no need to consider them in Table 1.

From Table 1 it is clear that the full length of our message-signature pair is less than that of the schemes considered, i.e. it provides the benefit of being a message recovery signature scheme. In the delegation phase our scheme requires approximately the same number of operations as the other schemes. In the delegation verification phase our scheme is more efficient than the existing schemes, as it needs only one pairing and one exponentiation. In proxy key generation the number of operations is approximately the same as in the other schemes. In the proxy signing phase our scheme needs one multiplication less than Zhang and Kim (2003) as well as Zhu et al. (2005). In the signature verification/message recovery phase our scheme needs approximately the same number of operations as the others. Hence, overall, our scheme needs lower bandwidth, as the message-signature length is less than in the other existing schemes, and three operations less than the other schemes.

[Table 1 (computational cost comparison): only a partial row survived extraction, with the operation counts 1e + 1E; 1H; 1M + 1E; 2e + 1E + 2H. Row and column labels were not recovered.]

5. Application

Imagine Bob wants to go on a trip to a new holiday destination. He contacts his travel agent program and describes his preferences and his constraints (such as how much money he is willing to spend, when he wants to travel, etc.). The travel agent program suggests where he can spend his holidays after consulting several information sources such as tourist guides and flight schedules and verifying the availability of airline tickets and hotel rooms. When Bob confirms his destination, the program books the flight tickets and reserves the hotel rooms for him. At the time of ticket booking and hotel room reservation, the agent is working as a proxy signer on behalf of Bob. For this proxy signing our ID-based proxy signature scheme can be used, as it is designed for low communication overhead with a provable security feature.

6. Conclusion

In this paper, we have proposed an ID-based proxy signature scheme with message recovery. This scheme needs smaller bandwidth in contrast to previous ID-based proxy signature schemes. Hence this scheme can be a good alternative for certificate based proxy signatures used for mobile agents. The scheme has been proved DS-EUF-ACMIA under the assumption of hardness of the CDHP in the random oracle model. An efficiency comparison is also given to show the usefulness of the proposal. Although the scheme has been designed for a message of fixed length, nonetheless it provides an innovation in proxy signatures for low bandwidth. This scheme can be extended to a message of arbitrary length using partial message recovery.

Acknowledgements

The author would like to thank Prof. C. Gu, Information Engineering University, Zhengzhou, PR China, Prof. Sunder Lal, Vice Chancellor, VBS Purvanchal University, Jaunpur, India, and Prof. Jacob C.N. Schuldt, University of Tokyo, Japan, for their valuable co-operation. The author would like to thank Prof. P.S. Kushwaha, HCST, Mathura, India, for his valuable discussion and motivation. The author also would like to thank the international review committee of the journal.

References

Boldyreva, A., Palacio, B., Warinschi, B., 2003. Secure proxy signature schemes for delegation of signing rights. Cryptology ePrint Archive Report. Available at: http://www.eprint.iacr.org/2003/096.

Galindo, D., Herranz, J., Kiltz, E., 2006. On the generic construction of identity based signatures with additional properties. In: Asiacrypt 2006. Springer-Verlag.

Gu, C., Zhu, Y., 2005. Provable security of ID-based proxy signature schemes. In: Proceedings of ICCNM'05. Springer-Verlag, pp. 1277–1286, LNCS-3619.

Gu, C., Zhu, Y., 2008. An efficient ID-based proxy signature scheme from pairing. In: Proc. of Information Security and Cryptology. Springer, Berlin/Heidelberg, pp. 40–50, LNCS-4990.

Hong, X., Chen, K., 2007. Secure key-insulated proxy signature scheme for mobile agent. In: Proc. ICICIC 2007, pp. 513–516.

Hwang, S., Chen, C., 2000. A new multi proxy signature scheme. In: Proc. IWCNS 2000, pp. 134–138.

Kim, S., Park, S., Won, D., 1993. Proxy signatures: revisited. In: Han, Y., Okamoto, T., Quing, S. (Eds.), Proc. of International Conference on Information and Communications Security (ICICS'93). Springer-Verlag, pp. 223–232, LNCS-1334.

Li, J., Zhang, Y., Zhu, Y., 2005. A new proxy signature scheme with message recovery using self certified public keys. WUJNS 10 (1), 219–222.

Malkin, T., Obana, S., Yung, M., 2004. The hierarchy of key evolving signatures and a characterization of proxy signatures. In: Eurocrypt 2004. Springer-Verlag, LNCS.

Mambo, M., Usuda, K., Okamoto, E., 1996. Proxy signatures for delegating signing operation. In: Proceedings of the 3rd ACM Conference on Computer and Communication Security (CCS). ACM Press, New York, pp. 48–57.

Mambo, M., Usuda, K., Okamoto, E., 1996. Proxy signatures: delegation of the power to sign messages. IEICE Trans. Funct. E79-A (9), 1338–1352.

Pointcheval, D., Stern, J., 2000. Security arguments for digital signatures and blind signatures. J. Cryptol. 13 (3), 361–396, Springer-Verlag.

Schuldt, J., Matsuura, K., Paterson, K., 2008. Proxy signatures secure against proxy key exposure. In: PKC 2008. Springer-Verlag, pp. 141–161, LNCS-4939.

Shamir, A., 1985. Identity based cryptosystems and signature. In: Proc. Crypto 84. Springer-Verlag, pp. 47–53, LNCS-196.

Shao, Z., 2003. Proxy signature scheme based on factoring. Inform. Process. Lett. 85 (3), 137–143.

Tso, R., Gu, C., Okamoto, T., Okamoto, E., 2007. An efficient ID-based digital signature scheme with message recovery. In: Cryptology and Network Security. Springer, Berlin/Heidelberg, pp. 47–59, LNCS-4856.

Wang, B., 2008. A new identity based proxy signature scheme. Cryptology ePrint Archive Report. Available at: http://www.eprint.iacr.org/2008/323.

Wu, T., Hsu, C., Lin, H., 2009. Self certified multiproxy signature scheme with message recovery. J. Zhejiang Univ. Sci. A 10 (2), 290–300.

Wu, W., Mu, Y., Susilo, W., Seberry, J., Huang, X., 2007. Identity based proxy signature from pairing. In: Proc. ATC-2007. Springer-Verlag, pp. 22–31, LNCS-4610.

Zhang, F., Kim, K., 2003. Efficient ID-based blind signature and proxy signature from bilinear pairing. In: Proc. ACISP'03. Springer-Verlag, pp. 312–323, LNCS-2727.

Zhang, F., Susilo, W., Mu, Y., 2005. Identity based partial message recovery signature (or how to shorten ID-based signature). In: FC'05, pp. 45–56, LNCS-3570.

Zhou, J., Zhang, Y., Zhu, Y., 2008. Security arguments for a class of ID-based signatures. In: International Conference on Digital Society. IEEE Computer Society, pp. 165–170.

Zhu, J., Zhang, Z., Feng, D., 2005. ID-based proxy signature using bilinear pairing. In: Parallel and Distributed Processing and Applications, ISPA-2005. Springer, Berlin/Heidelberg, pp. 359–367, LNCS-3759.

Dr. Harendra Singh was born in Agra, India (15 June 1968). He completed his Ph.D. in 1997 from Agra University, Agra. Initially he started research in Operations Research, Applied Mechanics and Fracture Mechanics. His current research interests are Operations Research, Fracture Mechanics and Network Security. He has been teaching Mathematics in Hindustan College of Science and Technology, Mathura, India for the last 15 years. Presently, he is Associate Professor of Mathematics.

Mr. Girraj Kumar Verma was born in Agra, India (01 March 1979). He received his M.Sc. (Mathematics & Computer Science) in 2003. Presently, he is working as an Assistant Professor of Mathematics in Hindustan College of Science and Technology, Mathura, India. His research interest is in Network Security and Cryptography.