[ieee 2012 ieee 14th international conference on communication technology (icct) - chengdu, china...


Page 1: [IEEE 2012 IEEE 14th International Conference on Communication Technology (ICCT) - Chengdu, China (2012.11.9-2012.11.11)] 2012 IEEE 14th International Conference on Communication Technology

A Proxy Multi-Signature Scheme with Forward-Secure

Xiang-Qian Liang, Yun Zhang, Yong-Hua Zhang College of Information and Computer Science

Shandong University of Science and Technology Shandong Qingdao, P. R. China

[email protected], [email protected] [email protected]

Abstract—The proxy multi-signature scheme allows a proxy signer to sign a document on behalf of a group of users. Like most digital signature schemes, its security depends wholly on the security of the secret keys. Once secret keys are exposed, all previously assigned signatures must be reissued. Forward-secure signatures are used to address this problem: all previously generated signatures are still considered valid even after the secret keys are compromised. In this paper, by borrowing the idea of hierarchical ID-based signature (HIBS), we integrated forward security into the proxy multi-signature scheme and proposed a forward-secure proxy multi-signature scheme which supports the efficient batch verification of several signatures of the same message under different public keys. The security of our scheme relies on the hardness of the computational Diffie-Hellman problem (CDHP) and on the hash function.

Keywords- forward security; proxy multi-signature; bilinear mapping; computational Diffie-Hellman problem(CDHP); hierarchical ID-based signature(HIBS)

I. INTRODUCTION

The concept of proxy signature was first introduced by M. Mambo et al. [1] in 1996. Sun and Hsieh [2] pointed out that Mambo et al.’s scheme [1] is unfair to the original signer because the proxy signer can transfer the signing rights to others. Since then, many papers have discussed the proxy signature and its security requirements. In a proxy signature scheme, a designated proxy signer generally acts for one original signer, but sometimes one proxy signer is needed to sign a document on behalf of a group of original signers simultaneously. For example, a company may issue a document that concerns the administrative department, the development department, the sales department and so on; for security reasons the document must be signed by these departments together, or by a proxy signer who is trusted by all of these departments, on their behalf. The proxy multi-signature primitive and the first efficient solution were introduced by L.J. Yi et al. [3] to address this problem; since then, many schemes in this field have been proposed.

Most digital signature schemes share the same problem, the key exposure problem. In a conventional system, the system security depends wholly on the security of the secret keys. Once the keys are exposed, the system security is completely compromised. With cryptographic computations performed more frequently on poorly protected devices (smart-cards, mobile phones, even PCs), the threat of key exposure is becoming more acute, and new techniques are needed to deal with this concern. Recently, several different approaches have been suggested. One of these, the forward-secure signature system, which was first proposed by R. Anderson [4] and first formalized by M. Bellare and S. Miner in the context of a forward-secure signature scheme [5], is used to mitigate the damage of key exposure.

The basic idea of the forward-secure signature system is the use of a key-evolving signature scheme. In this scheme, the whole lifetime is divided into $T$ time periods, numbered from $0$ to $T-1$; in period $j$ a new private key $SK_j$ is used, which is derived from the private key $SK_{j-1}$ of the previous period. The old secret keys are securely erased, so that even when an adversary breaks into the system, he cannot obtain the previous keys. In this way, a user's secret key changes from time to time while the public key stays fixed during the whole lifetime. Following the initial work in [5], a large number of forward-secure signature schemes were suggested. M. Abdalla and L. Reyzin proposed an improved forward-secure signature scheme with much shorter keys than those outlined in [6]; G. Itkis and L. Reyzin proposed a scheme with optimal signing and verifying but slower key updates in [7]; H. Krawczyk [8] suggested a method for constructing a forward-secure scheme from any signature scheme, and thus made forward security possible for standard signature schemes (RSA, DSS). In 2003, the first forward-secure signature scheme based on bilinear maps was proposed by F. Hu et al. in [9]; this scheme is efficiently constructed with a complexity of no more than $O(\log T)$, with flexibility based on the underlying bilinear map. In 2005, S.S.M. Chow et al. [10] proposed a forward-secure multi-signature scheme using bilinear pairings, which integrated forward security with multi-signature techniques. In 2011, J. Yu et al. [11] integrated forward security into identity-based signatures and proposed a forward-secure identity-based signature scheme.

Inspired by the works in [10], [11] and [12], we integrated the forward-secure signature with multi-proxy techniques, borrowed the idea of hierarchical ID-based signature (HIBS), and proposed a proxy multi-signature scheme with forward security. Its security relies on the hardness of the computational Diffie-Hellman problem and on the hash function.

This research is supported by Qingdao science and technology development project (11-2-4-6-1-jch).

978-1-4673-2101-3/12/$31.00 ©2012 IEEE

This paper is organized as follows: In section 2, some fundamental background used in this paper is introduced. In section 3, a proxy multi-signature scheme with forward secure is presented. In section 4, the security analysis of our scheme is provided.

II. PRELIMINARIES

In this section, we will review some fundamental backgrounds used in this paper, including bilinear pairings, complexity assumptions, the frameworks of a proxy signature scheme and a forward-secure signature scheme.

A. Bilinear pairings

A Bilinear Diffie-Hellman (BDH) parameter generator is defined as a probabilistic polynomial time algorithm that takes as input a security parameter $k$ and outputs a uniformly random tuple $(q, G_1, G_2, e, P)$ of bilinear parameters, where $q$ is a prime number of size $k$, $G_1$ is a cyclic additive group of order $q$, $G_2$ is a cyclic multiplicative group with the same order $q$ as $G_1$, $P$ is a generator of $G_1$, and $e: G_1 \times G_1 \to G_2$ is a bilinear mapping with the following properties:

Bilinearity: $e(aP, bQ) = e(abP, Q) = e(P, Q)^{ab}$ and $e(P + R, Q) = e(P, Q)\, e(R, Q)$ for all $P, Q, R \in G_1$ and $a, b \in Z_q$.

Non-degeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

Notice that $e$ is also symmetric (i.e. $e(P, Q) = e(Q, P)$ for all $P, Q \in G_1$), since $e$ is bilinear and $G_1$ is a cyclic group.

B. Complexity assumptions

Definition 2.1 (Computational Diffie-Hellman problem (CDHP)). Given a group $G_1$ of prime order $q$ with generator $P$ and elements $aP, bP \in G_1$, where $a, b \in Z_q^*$ are selected randomly, compute $abP$.

Definition 2.2 (Decisional Diffie-Hellman problem (DDHP)). Given a group $G_1$ of prime order $q$ with generator $P$ and elements $aP, bP, cP \in G_1$, where $a, b, c \in Z_q^*$ are selected randomly, decide whether $c \equiv ab \pmod{q}$.

We call $G_1$ a gap Diffie-Hellman group if DDHP can be solved in polynomial time but there is no polynomial time algorithm to solve CDHP with non-negligible probability.

Definition 2.3. We say that the ( , )t -CDH assumption holds in a group 1G if no algorithm running in polynomial time at most t can solve the CDH problem in 1G with probability at least .

C. Framework of a proxy multi-signature scheme

A proxy signature scheme is specified as the following four algorithms:

1) KeyGen: Takes a security parameter $1^k$ as input, a random algorithm returns system parameters, including some cryptographic hash functions. Each original signer $A_i$ ($i = 1, \ldots, N$) chooses its key pair $(SK_i, PK_i)$ and the original signer $B$ chooses its key pair $(SK_p, PK_p)$ respectively.

2) Proxy generation: For the proxy user B with the public key pPK , each original signer iA composes a warrant � ,which records the delegation policy, including limits of authority, valid periods of delegation and public keys of original signers. Each of the original signers creates a signature i� for the warrant � with his private key, then sends the signature i� to the proxy signer. The proxy signer receives the signature i� and verifies it.

a) Proxy sign: For any message M �� , the proxy signer B generates the proxy signature ( , )M � using his secret key.

b) Proxy signature verify: Anyone can validate the proxy signature ( , )M � with the public key of the proxy signer.

D. Forward-secure signature scheme by bilinear pairings[10]

The idea of hierarchical ID-based signature (HIBS) was proposed in [9] and can be used to construct the forward-signature scheme in [10]. In HIBS, there is a tree structure of private key generators (PKGs), each PKG verifies the PKGs at one level lower in the hierarchy and generates privates for them. Finally, the end-users at the leaf node of the hierarchy receive certification and its own private key from the chain of PKGs. In this setting, PKGs at high level of hierarchy can generate the private key of its children (this process is also known as “key extraction”), but the converse is not true. If we name the root PKG as (the empty string), and use binary representation of its position in j bits, where j is the depth of the node, to name the “intermediate” PKGs(e.g. the children of node are0 and 1, respectively ), then a PKG hierarchy of height l can be used to implement a forward-secure signature scheme, where each leave node of the tree will be used to represent one of the 2 1l � time period of a forward-secure scheme.

The construction is as follows. For each “key extract” operation, a node will use its private key to generate private keys for its children node. In the first time period, the master secret key of the node is randomly chosen, then the node


and the node 10,00,000, ,0l�� subsequently execute the extract operation to generate the “local keys” of the nodes 0,00,000, ,0l� , noticing that the keys for the nodes

21,01,001, ,0 1l�� have been generated in these operations too. In the next time period, the key updated is done by using the local key of the node 10l� to generate the local key for the node

10 1l� . At the same time, the local key of the node 0l is deleted. Since this new key is randomly generated and the old local key is deleted, the knowledge of evolved private key cannot help in getting the old private key. In the third time period, we no longer use the local key for the node 10l� to generate the new key but use the local key of the node 20 1l� to generate the local key for the node 20 10l� . Again, the old local key is deleted to ensure the forward security. A similar process continues until the local key of the node 1l has been generated, which means the forward-secure scheme has come to the end of its service time.
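The binary-tree key evolution described above, as an added example (not code from the paper): it replaces the pairing-based key extraction with an HMAC-SHA256 parent-to-child step, an assumption made so that the tree bookkeeping runs with the standard library alone. The names `TreeKeyEvolver`, `child`, `leaf_from_root` and `reachable_periods` are hypothetical, and the root secret is constructed.

```python
import hashlib
import hmac


def child(secret: bytes, bit: str) -> bytes:
    """One-way step from a node secret to its child '0' or '1'.

    Assumption: HMAC-SHA256 stands in for the scheme's key extraction.
    """
    return hmac.new(secret, b"child|" + bit.encode(), hashlib.sha256).digest()


class TreeKeyEvolver:
    """Holds the current leaf key plus the right-sibling secrets still needed."""

    def __init__(self, root_secret: bytes, height: int):
        if height < 1:
            raise ValueError("height must be at least 1")
        self.height = height
        self.stack = [("", root_secret)]   # (node label, secret); top = last item
        self._descend()

    def _descend(self) -> None:
        # Walk down the left edge from the top node. Each parent is popped
        # (dropped) and replaced by its two children, right child underneath.
        while len(self.stack[-1][0]) < self.height:
            label, secret = self.stack.pop()
            self.stack.append((label + "1", child(secret, "1")))
            self.stack.append((label + "0", child(secret, "0")))

    @property
    def period(self):
        """Current time period, or None once the key has reached end of life."""
        return int(self.stack[-1][0], 2) if self.stack else None

    def leaf_key(self) -> bytes:
        return self.stack[-1][1]

    def held_labels(self):
        return [label for label, _ in self.stack]

    def update(self) -> bool:
        """Drop the current leaf and move to the next period; False at end of life."""
        if not self.stack:
            return False
        self.stack.pop()
        if not self.stack:
            return False
        self._descend()
        return True


def leaf_from_root(root_secret: bytes, period: int, height: int) -> bytes:
    """Reference derivation of a leaf key straight down from the root."""
    secret = root_secret
    for bit in format(period, f"0{height}b"):
        secret = child(secret, bit)
    return secret


def reachable_periods(ev: TreeKeyEvolver):
    """Periods whose leaf lies under some node the current state still holds."""
    labels = ev.held_labels()
    return [j for j in range(2 ** ev.height)
            if any(format(j, f"0{ev.height}b").startswith(l) for l in labels)]


if __name__ == "__main__":
    ev = TreeKeyEvolver(b"\x01" * 32, height=4)   # constructed root secret
    for _ in range(5):
        ev.update()
    print(ev.period, ev.held_labels(), reachable_periods(ev))
```

Python `bytes` objects are immutable, so "deleted" here means dropped from the state rather than wiped from memory; a deployment needs real secure erasure for the forward-security argument to hold.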

III. OUR PROXY MULTI-SIGNATURE SCHEME WITH FORWARD-SECURE

Based on [10], [11], and [12], and employing the binary tree structure, we combined a proxy multi-signature scheme with forward security and proposed a proxy multi-signature scheme with forward security, which updates the secret keys of the original signers $A_i$ ($i = 1, \ldots, N$) to limit the key exposure problem. It is constructed as follows:

A. Definitions and notations

Define $G_1$, $G_2$, $P$ and the bilinear pairing $e(\cdot, \cdot)$ as above. Let $A_i$, $B$ denote original signers and the proxy signer respectively. Let $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to Z_q^*$, and $H_3: \{0,1\}^* \to G_1$ be cryptographic hash functions.

We define the total number of time-periods T to be a power of 2( 2lT � ). Therefore, each time-period j ( 0 2 1ii� � � )can be represented using a binary representation in l bits, that is 1,..., lj j j� �� . We construct a full a full binary tree of height l to cover all time-periods. Let S � � (the additive identity) and �� � � � (the null set), where is defined as the root of the binary tree. The root contains the “root secret” s and a “root verification point” Q . Each of the

nodes contains a “node secret” s� , a “local secret” 1S G� � ,and a “verification point” Q� . The “Local secret key” for node � is ( , )SK S Q� � �� , where

1 1 2 1 2 1( , , , )

rQ Q Q Q� � � � � � � �� �� ,

where r is the depth of the node � . Generally, ( )ijSK

indicates the secret key held by the signer i in period j . BIDis the identification of the proxy signer and pubP is his public key. We use � to represent the auxiliary secret for key updates, Q and � to represent the verification point and the set of verification point respectively.

B. The key of the original signers generation and evolution 1) Generation

a) For l-1= { , 0, 00, . . . , 0 )},� do

� Randomly chooses ( ) *s iR q� � � and computes

(i) ( )Q =s i P� � .

� Computes (i) ( ) ( )( ||0) 1S ( || 0)i iS s H� � � �� � and

(i) ( ) ( )( ||1) 1S ( ||1)i iS s H� � � �� � .

� Stores ( ) ( ) (i)( ||1)0 0

Sl li i

�� � � � , while ( )is� and ( )iS� aredeleted.

� Sets ( ) ( ) ( ) ( )||0 ||1 { }i i i iQ� � � �� � � � � � .

b) Randomly chooses ( ) *0

s li

R q� � and keeps it secret,

computes ( ) ( )0l

i iQ s P� .

c) Chooses ( ) ( ) ( ) ( ) ( ) ( )0 0 0 0 0 0

{ , , , { }}l l l l li i i i i iSK s S Q� � � � as the

private key of the original signer iA , and makes ( ) ( )0 0

{ }l li iQ� �

public.

d) Chooses � �( )PK = , iP Q as the public key of the ithsigner.

2) Key evolution a) If -1j T� , delete (i)

<j>SK and (i)<j>SK = � , the

algorithm stops;

b) If 0lj � , get (i)<j+1>S from ( )i

j� and set ( ) ( ) ( )

1 1{ }i i ij j jS� � � � � � � �� � � � .

c) Else, assume that r (1 )r l� � is the maximum possible value that satisfies 0rj � .

� Let 0 1 -1 , , . . . , 1rn j j j� , where 0j denotes for convenience (i.e. 1 0l rj n �� � �� ).

� Get ( )inS from ( )i

j� �� and set ( ) ( ) ( )

1 { }i i ij j nS� � � � �� � � � .

� For 1{ , 0,... 0 }l rn n n� � �� , do � Randomly chooses ( ) *s i

R q� � � and computes ( ) ( )i iQ s P� �� .

� Computes (i) ( ) ( )( ||0) 1S ( || 0)i iS s H� � � �� � and

(i) ( ) ( )( ||1) 1S ( ||1)i iS s H� � � �� � .

� Stores ( ) ( ) (i)( ||1)0 0

Sl li i

�� � � � while ( )is� and ( )iS� aredeleted.

� Sets ( ) ( ) ( ) ( )||0 ||1 { }i i i iQ� � � �� � � � � � .

d) Randomly chooses ( ) *1s i

j R q� � � � � and computes ( ) ( )

1 1i ij jQ s P� � � � � �� .

e) If 0lj � , sets ( ) ( ) ( )1

i i ij j jQ� � � � � � �� � � � .


f) Sets ( ) ( ) ( ) ( ) ( ) ( )1 1 1 1 1 1{ , , , { }}i i i i i i

j j j j j jSK s S Q� � � � � � � � � � � � � � � � � �� � � � .

g) Deletes (i)<j>SK .

C. Framework of a proxy multi-signature scheme s In order to delegate the signing capability to B , original

signers should do something to make the signed warrant � which specifies the necessary proxy details, such as the identity information of original signers and the proxy signer, the type of the information delegated, and the period of delegation. Suppose � is the group of the original signers, at the j period, each signer of � computes the signature on� (i) ( ){j,V , }i

j� �� , where (i) ( ) ( )1 1V ( ,... || )i i

j j NS s H i i �� � � �� � and

1

( ) ( ),...,

1

{ }m

li ij j j

m

Q� ��

� �� .

Then anyone of the signers or another third part does the

following steps to compute the final signature: 1) In the event that the robustness is desired, the proxy

signer verifies the validity of each signature (i) ( ){j,V , }ij� �� on

� that he has received. a) Computes

1,

1( ) ( )

,... 1 1,2

( , ) ( , ( ,... ))m

li i

j j mm

X e P V e Q H j j�

� �� � �

� � .

b) Computes ( ) ( )1 1 1( , ( )) ( , ( ,..., || )i i

j lY e Q H j e Q H j j �� �� .

If X Y� , then return 1 else return 0.

2) If the robustness is not desired, we can use the batch

verifications. For {1, 2, , }r l� � , computes

1 ,...1

( ),... r j jr

ij j i

Q Q��

�! .

Construct the signature as ( ){ , , }ijj V � �� , where ( )i

iV V

��

� !and � �1

( ) ( ),...,

1m

li ij j j

m

Q� ��

� �� .

Verification: At the time period j , the proxy signer can verify the validity of the signature ( ){j,V, }i

j� �� as follows:

a) Computes1, 1

1( )

,... 1 1,2

( , ) ( , ( ,... ))m

li

j j mm

X e P V e Q H j j�

� �� � �

� � .

b) Computes ( ) ( )

1 1 1 1( , ( )) ( , ( ,... || )i ij l

i iY e Q H j e Q H j j �� �

�� ��

� ! ! ,

where ( )iQ represents the public key of the ith signer.

If X Y� , then return 1 and he accepts it as a valid delegation and continues; otherwise, he requests a valid one from iA ,

D. Proxy secret key generation If B accepts all delegations ( ){ , , }i

jj V � �� ( = 1, 2, . . . , N)i ,he computes the proxy key as 2 ( || || )

BB B j IDsk V H ID d� � �� � �

where 1( )B IDBID Bd sQ sH ID� � , ( )

1

Ni

j ji

� � � ��

� � �� and s is the

master-key chosen by the PKG randomly.

E. The generation of the proxy multiple signature with forward-secure Using Bsk , B can sign the message M under � on behalf

of the original signers 1, , NA A� as follows:

Randomly picks $r \in Z_q^*$, computes $U = rP$,

3 ( || || || )B BH H ID M U�� and B B BV sk rH� � . The proxy signature for message M on behalf of the original signers 1, , NA A� is ( , , , )B jU V� � � �� � .

F. The verification of the proxy multiple signature with forward-secure The verifier can verify the proxy multi-signature ( , , , )B jU V� � � �� � for message M under a warrant ,� in

period j as follows:

1) Checks whether the message M conforms to the warrant � . If not, then stops. Otherwise, continues.

2) Checks whether the proxy signer B is authorized by original signers 1, , NA A� in the warrant� . If not, then stops. Otherwise, continues to compute

1( )IDB BQ H ID� , 3 ( || || || )B BH H ID M U�� .

Then the verifier checks:

2( , ) ( , ) ( , ( || || ) ) ( , ).BB pub B j ID Be P V e P V e P H ID Q e U H� � �� �

If this holds, then accepts it. Otherwise, rejects it.

IV. SECURITY ANALYSIS

A. Correctness We can verify the correctness of the proxy multi-signature

with forward secure as following:

$e(P, V_B) = e(P, sk_B + rH_B) = e(P, sk_B)\, e(P, rH_B)$

2( , ( || || ) ) ( , )BB j ID Be P V H ID d e rP H� � �� � �

2( , ) ( , ( || || ) ) ( , )BB j ID Be P V e P H ID d e U H� � �� �

2( , ) ( , ( || || ) ) ( , )BB j ID Be P V e sP H ID Q e U H� � �� �

2( , ) ( , ( || || ) ) ( , )Bpub B j ID Be P V e P H ID Q e U H� � �� �
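A numeric check of the verification equation and the correctness chain above, as an added example (not the authors' code). It swaps the pairing for a toy symmetric bilinear map $e(X, Y) = g^{XY}$ over $G_1 = (Z_q, +)$, which is insecure (discrete logs in $G_1$ are trivial) and only exercises the algebra; the function names, the field order inside $H_2$ and $H_3$, the identity and warrant strings, and the aggregated delegation value $V$ are all assumptions or constructed values.

```python
import hashlib
import secrets

Q = 2**127 - 1          # prime order q of G1 and G2 (toy size, assumed)


def _probable_prime(n):
    """Miller-Rabin with fixed small bases; enough for this demo."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


# G2 = order-q subgroup of Z_p^*, with p = 2kq + 1 the first such prime.
P_MOD = next(p for p in (2 * k * Q + 1 for k in range(1, 10**6)) if _probable_prime(p))
G = next(g for g in (pow(h, (P_MOD - 1) // Q, P_MOD) for h in range(2, 50)) if g != 1)
P = 1                   # generator of G1 = (Z_q, +); scalar mult is a*X mod q


def e(X, Y):
    """Toy symmetric bilinear map G1 x G1 -> G2: e(X, Y) = g^(X*Y)."""
    return pow(G, X * Y % Q, P_MOD)


def _h(tag, *parts):
    data = b"|".join([tag] + [p if isinstance(p, bytes) else str(p).encode() for p in parts])
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def H1(id_): return _h(b"H1", id_) % Q                    # {0,1}* -> G1
def H2(*parts): return 1 + _h(b"H2", *parts) % (Q - 1)     # {0,1}* -> Z_q^*
def H3(*parts): return _h(b"H3", *parts) % Q               # {0,1}* -> G1


def proxy_key(V, id_b, warrant, points, d_id):
    """sk_B = V + H2(ID_B || warrant || verification points) * d_IDB."""
    return (V + H2(id_b, warrant, points) * d_id) % Q


def proxy_sign(sk_b, id_b, msg, warrant):
    r = 1 + secrets.randbelow(Q - 1)
    U = r * P % Q                           # in the toy group U exposes r
    H_B = H3(id_b, msg, U, warrant)
    return U, (sk_b + r * H_B) % Q          # (U, V_B)


def proxy_verify(P_pub, V, id_b, msg, warrant, points, U, V_B):
    """e(P, V_B) == e(P, V) * e(P_pub, H2(...) * Q_IDB) * e(U, H_B)."""
    Q_id = H1(id_b)
    H_B = H3(id_b, msg, U, warrant)
    rhs = e(P, V) * e(P_pub, H2(id_b, warrant, points) * Q_id % Q) * e(U, H_B) % P_MOD
    return e(P, V_B) == rhs


def run_demo():
    s = 1 + secrets.randbelow(Q - 1)        # PKG master key
    P_pub = s * P % Q
    id_b = b"proxy-B"                       # constructed identity
    warrant = b"signers=A1,A2,A3;proxy=proxy-B;scope=quarterly-report"
    points = b"constructed-verification-point-set-for-period-j"
    d_id = s * H1(id_b) % Q                 # d_IDB = s * H1(ID_B)
    # Stand-in for the sum of the delegation values V^(i); how the verifier
    # obtains V is not modeled here.
    V = sum(secrets.randbelow(Q) for _ in range(3)) % Q
    sk_b = proxy_key(V, id_b, warrant, points, d_id)
    U, V_B = proxy_sign(sk_b, id_b, b"report v1", warrant)
    good = proxy_verify(P_pub, V, id_b, b"report v1", warrant, points, U, V_B)
    bad_msg = proxy_verify(P_pub, V, id_b, b"report v2", warrant, points, U, V_B)
    bad_warrant = proxy_verify(P_pub, V, id_b, b"report v1", warrant + b";scope=all",
                               points, U, V_B)
    return good, bad_msg, bad_warrant
```

`run_demo()` returns `(True, False, False)`: the honest signature satisfies the equation, while a changed message or a changed warrant breaks it.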

Next, we will discuss that the proposed scheme conforms to the security requirements of signature.


B. Forward-secure property In the original key evolution phase, the new secret key

of iA

( ) ( ) ( ) ( ) ( ) ( )1 1 1 1 1 1{ , , , { }}i i i i i i

j j j j j jSK s S Q� � � � � � � � � � � � � � � � � �� � � �

including five parts, is computed based on CDH problem and by hash function, so it is hard to get ( )

1ijSK� � � from ( )i

jSK� � .Therefore, even though an adversary breaks into and gets the present key, he cannot generate the past keys and the signatures signed before are also valid. The property of forward-secure is provided in [8].

C. Proxy secure property

Strong unforgeability: Except for the proxy signer $B$, no one can generate a valid proxy key pair on behalf of $A_i$ ($i = 1, \ldots, N$), because the proxy key $sk_B$ and $V_B$ can be generated only by $B$.

Verifiability: The warrant information� which includes the original signers’ assignment material and so on, is implied in the hash value 1( , , || )NH i i �� , and the hash value is used in the verifying process. Therefore, if the proxy signature passes the checking successfully, the original signers’ agreement on the message M is also verified explicitly.

Strong identifiability: Identity information of the proxy signer $B$ is included in the public key $Q_{ID_B} = H_1(ID_B)$, so anyone can determine the identity of the corresponding proxy signer, because $Q_{ID_B}$ is required in order to check a proxy signature in the proxy signature verification phase.

Strong undeniability: Once a proxy signer created a legal proxy signature at the time j before the key is compromised, B cannot repudiate it in the future because he is the only person who can compute the proxy key pairs.

Prevention of misuse: If B uses the proxy key for other applications that the warrant � does not state, he must be responsible for it, because no one, except him, can generate the proxy signature under the name of B . Accordingly, illegal proxy transfer is prevented and signing capability of proxy signer is limited.

V. CONCLUSION

Key exposure threatens the security of digital signatures seriously, and many different approaches have been suggested to address this problem. In this paper, we applied the forward-secure technique to proxy multi-signature scheme, and proposed a proxy multi-signature scheme with forward-secure. Key insulated cryptography and intrusion resilient cryptography were recently introduced to achieve a higher level of security. However, these two approaches require time synchronization and interaction between the device and server for each time-period. Therefore, they may not be applicable in some scenarios.

ACKNOWLEDGMENT

Authors would like to thank Prof. Dezhi Gao and anonymous reviewers for their helpful suggestions and valuable comments to improve this paper. This research is supported by Qingdao science and technology development project (11-2-4-6-1-jch)

REFERENCES

[1] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures for delegating signing operation. Proceedings of the 3rd ACM Conference on Computer and Communications Security, New York:ACM Press, 1996, pp: 48-57.

[2] H.M. Sun and B.T. Hsieh, Remarks on two nonrepudiable proxy signature schemes, Proc. Of 9th National Conference on Information Security, 1999, pp:241-246.

[3] L.J. Yi, G.Q. Bai and G.Z. Xiao, Proxy multi-signature scheme: a new type of proxy signature, Electronics Letter, 2000, 36(6), pp: 527-528.

[4] R. Anderson, Two remarks on public key cryptology. In: Proc. of the Invited Lecture, ACM-CCS'97. 1997. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-549.pdf

[5] M. Bellare, S. Miner, A forward-secure digital signature scheme. Advances in Cryptology-Crypto’99: Proc. of the 19th Ann. International Crypto. Conference (Santa Barbara, CA,USA,15-19 August, 1999) (Lectures Notes in Computer Science vol 1666), Berlin:Springer-Verlag, 1999, pp:431-448.

[6] M. Abdalla, L. Reyzin, A new forward-secure digital signature scheme. Advance in Cryptology-ASIACRYPT 2000(Lecture Notes in Computer Science vol 1976) , Berlin:Springer-Verlag, 2000, pp:116-129.

[7] G. Itkis, L . Reyzin, Forward-Secure signatures with optimal signing and verifying. Advances in Cryptology-Crypto’01, (Santa Barbara, CA,USA, 19-23 August, 2001) (Lectures Notes in Computer Science vol 2139), Berlin:Springer-Verlag, 2001, pp:499-514.

[8] H. Krawczyk, Simple forward-secure signatures for any signature scheme, Proc. of the 7th ACM Conference on Computer and Communications Security, ACM press, 2000, pp: 108-115.

[9] C. Gentry, A. Silverberg, Hierarchical ID-Based Cryptography, Advances in Cryptology-ASIACRYPT 2002, Proc. of the 8th International Conference on the Theory and Application of Cryptology and Information Security, 2002, Queenstown, New Zealand, Lecture Notes in Computer Science, vol. 2501, Springer, New York, 2002.

[10] F. Hu, C.H. Wu, J.D. Irwin, A new forward secure signature scheme using bilinear maps. Cryptology ePrint Archive, 2003. http://eprint.iacr.org/2003/188.pdf.

[11] S.S. M. Chow, L.C.K. Hui, S.M. Yiu and K.P.Chow, Forward-secure multisignature and blind signature schemes, Applied Mathematics and Computation, 2005, 168(2), pp:895-908.

[12] J. Yu, R. Hao, X. Cheng, J. Fan and Y. Chen, Forward-secure identity-based signature: Security notions and construction, Information Sciences, 2010, 181(3), pp:648-659.