Published in IET Information Security
Received on 17th March 2009
Revised on 24th September 2009
doi: 10.1049/iet-ifs.2009.0033
ISSN 1751-8709
On the security of an identity-based proxy multi-signature scheme
B. Wang
Information Engineering College of Yangzhou University, No. 36 Middle JiangYang Road, Yangzhou City, Jiangsu Province, People’s Republic of China
E-mail: [email protected]
Abstract: In 2000, Yi et al. proposed two proxy multi-signature schemes which enable two or more original signers
to delegate their signing power to a proxy signer. Combining proxy multi-signature with identity-based
cryptography, Wang et al. proposed an identity-based proxy multi-signature scheme in 2007. Their scheme is
claimed to be secure in the random oracle model. However, in this study, the author shows that Wang et al.’s
scheme is vulnerable to a forgery attack described in this study.
1 Introduction
The notion of proxy signature was first introduced by Mambo et al. [1] in 1996. A proxy signature scheme enables an original signer to delegate his signing capability to a designated proxy signer. Then the proxy signer can generate proxy signatures on behalf of the original signer. There are four types of delegation: full delegation; partial delegation; delegation by warrant; and partial delegation by warrant. In general, the basic security properties of proxy signature are unforgeability and verifiability. Unforgeability means that only the designated proxy signer can sign messages on behalf of the original signer. Verifiability means that any verifier can be convinced of the original signer’s agreement on the signed message by verifying the corresponding proxy signature. Since Mambo et al. introduced the concept of proxy signature, several kinds of proxy signature schemes have been proposed [2, 3]. Furthermore, there are various extensions of the proxy signature primitive, such as threshold proxy signature [4] and proxy multi-signature [5].
Proxy multi-signature means that a proxy signer can sign messages on behalf of several original signers. In 2000, Yi et al. [5] proposed two proxy multi-signature schemes. However, no formal analysis is provided to prove the security of the schemes in [5]. Recently, Wang et al. [6] proposed an identity-based proxy multi-signature scheme and claimed their scheme to be secure in the random oracle model under the computational Diffie-Hellman assumption over pairing-friendly groups. Nevertheless, we show that the original signers can collude to forge a proxy multi-signature on a message that was not signed by the proxy signer in Wang et al.’s scheme. Then we explain why Wang et al.’s scheme is insecure.
2 Review of Wang et al.’s scheme
We briefly review Wang et al.’s identity-based proxy multi-signature scheme in this section. Their scheme is based on an identity-based aggregate signature scheme proposed by Gentry and Ramzan (GR scheme) [7]. The details of Wang et al.’s scheme can be described as follows:
KeyGen: The Private Key Generator (PKG) generates parameters and keys as follows:
1. Generates groups $G_1$ and $G_2$, where $G_1$ is a cyclic additive group generated by $P$, whose order is a large prime $q$, and $G_2$ is a cyclic multiplicative group of the same order. Then let $e : G_1 \times G_1 \to G_2$ be a bilinear pairing that satisfies the following conditions:
• Bilinear: for any $Q, R, T \in G_1$, we have $e(Q + R, T) = e(Q, T)\,e(R, T)$ and $e(Q, R + T) = e(Q, R)\,e(Q, T)$.
• Non-degenerate: there exist $R, T \in G_1$ such that $e(R, T) \neq 1$.
• Computable: there exists an efficient algorithm to compute $e(R, T)$ for any $R, T \in G_1$.
IET Inf. Secur., 2010, Vol. 4, Iss. 2, pp. 45 – 48 45
doi: 10.1049/iet-ifs.2009.0033 © The Institution of Engineering and Technology 2010
www.ietdl.org
2. Picks a random $s \in \mathbb{Z}_q^*$ and sets $Q = sP$.
3. Chooses three cryptographically secure hash functions $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to G_1$ and $H_3 : \{0,1\}^* \to \mathbb{Z}_q$.
The system parameters are params $= \langle G_1, G_2, e, P, Q, H_1, H_2, H_3 \rangle$. The PKG’s secret key is $s \in \mathbb{Z}_q^*$.
KeyExt: The client with identity $ID_i$ receives $sP_{i,j}$, for $j \in \{0, 1\}$, from the PKG as secret keys, where $P_{i,j} = H_1(ID_i, j) \in G_1$.
Sign: First, the signer with identity $ID_i$ chooses a random string $\mu$ to sign a message $m$. Then the signer proceeds as follows:
1. computes $P_\mu = H_2(\mu) \in G_1$;
2. computes $c = H_3(m, ID_i, \mu) \in \mathbb{Z}_q$;
3. generates a random $r \in \mathbb{Z}_q$;
4. computes his signature $(\mu, S, T)$, where $S = rP_\mu + sP_{i,0} + c(sP_{i,1})$ and $T = rP$.
Verify: The verifier checks that $e(S, P) = e(T, P_\mu)\, e(Q, P_{i,0} + cP_{i,1})$, where $P_\mu$, $c$ and $P_{i,j}$, for $j \in \{0, 1\}$, are defined as above.
ProxyKeyGen:
1. Make warrant: To delegate their signing capability to the proxy signer identified by identity $ID_P$, the original signers $ID_1, \dots, ID_n$ jointly generate a warrant $m_w$, which includes the restrictions on the class of messages to be delegated, the identities of the original signers and the proxy signer, the period of delegation, and so on. The original signers also choose a string $\mu$ that has never been used before.
2. Subproxy generation: Every original signer $ID_i$, $1 \le i \le n$, computes $P_\mu = H_2(\mu)$, $c_i = H_3(m_w, ID_i, \mu)$, $S_i = r_iP_\mu + sP_{i,0} + c_i(sP_{i,1})$ and $T_i = r_iP$, where $r_i \in \mathbb{Z}_q$. Then $ID_i$ sends $(m_w, \mu, S_i, T_i)$ to the proxy signer $ID_P$.
3. Subproxy verification: For all $1 \le i \le n$, the proxy signer $ID_P$ verifies the validity of $(m_w, \mu, S_i, T_i)$ by checking $e(S_i, P) = e(T_i, P_\mu)\, e(Q, P_{i,0} + c_iP_{i,1})$. If the verification fails, $ID_P$ requests $ID_i$ to provide a valid signature for the warrant $m_w$.
4. Proxy generation: If $ID_P$ confirms the validity of all $(m_w, \mu, S_i, T_i)$, $1 \le i \le n$, he computes $S_O = \sum_{i=1}^{n} S_i$ and $T_O = \sum_{i=1}^{n} T_i$. The corresponding proxy secret key of $ID_P$ is $PSk = (S_O, T_O, sP_{P,j},\ j \in \{0, 1\})$.
ProxyMultiSign:
1. ProxySign: When $ID_P$ signs a message $m$ on behalf of $ID_1, \dots, ID_n$, he computes $P_\mu = H_2(\mu)$, $c_P = H_3(m_w \| m, ID_P, \mu)$, $S_P = rP_\mu + sP_{P,0} + c_P(sP_{P,1})$ and $T_P = rP$, where $r \in \mathbb{Z}_q$.
2. Aggregate: $ID_P$ computes $S = S_O + S_P$ and $T = T_O + T_P$. Then $(m_w, m, \mu, S, T)$ is a proxy multi-signature from $ID_P$ on behalf of $ID_1, \dots, ID_n$.
ProxyMultiVerify: To verify a proxy multi-signature $(m_w, m, \mu, S, T)$ of a message $m$ under the warrant $m_w$, a verifier checks that
$$e(S, P) = e(T, P_\mu)\; e\Big(Q,\ \sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big)$$
where $P_\mu$, $c_i$ and $c_P$ are defined as above.
3 Cryptanalysis of Wang et al.’s scheme
In this section, we will show that the original signers can collude to forge a proxy multi-signature from the proxy signer $ID_P$ by intercepting valid proxy multi-signatures issued by $ID_P$. The attack can be described as follows.
Given a protocol Proto, the view of an adversary $\mathcal{A}$, denoted by $\mathrm{View}_{\mathrm{Proto}}(\mathcal{A})$, is defined as the probability distribution on the knowledge of the adversary, namely the computational and memory history of the corrupted parties and the public communication and output of the protocol. Assume the adversary $\mathcal{A}$ corrupts all the original signers $ID_1, \dots, ID_n$ in Wang et al.’s scheme. Then $\mathcal{A}$ is able to compute $S_O$ and $T_O$, which are also computed by the proxy signer $ID_P$ at the Proxy generation stage. In the following, let us assume $\mathcal{A}$ intercepts the following valid proxy multi-signatures on distinct messages issued by $ID_P$:
$$(m_w, m_1, \mu, S_1, T_1),\quad (m_w, m_2, \mu, S_2, T_2),\quad (m_w, m_3, \mu, S_3, T_3)$$
where the warrant $m_w$ and the string $\mu$ are fixed by the original signers at the Make warrant stage and the Subproxy generation stage, respectively. These values define the view of $\mathcal{A}$. Then $\mathcal{A}$ proceeds as follows:
1. Computes
$$S_P^1 = S_1 - S_O,\quad S_P^2 = S_2 - S_O,\quad S_P^3 = S_3 - S_O$$
$$T_P^1 = T_1 - T_O,\quad T_P^2 = T_2 - T_O,\quad T_P^3 = T_3 - T_O$$
where, for $k = 1, 2, 3$,
$$S_P^k = r_P^kP_\mu + sP_{P,0} + c_P^k(sP_{P,1}),\quad T_P^k = r_P^kP,\quad c_P^k = H_3(m_w \| m_k, ID_P, \mu)$$
2. Computes $c_P = H_3(m_w \| m, ID_P, \mu)$, where $m$ is a message chosen by the adversary.
3. Computes $x = (c_P^1 - c_P^2)^{-1}(c_P - c_P^3) \bmod q$, where $(c_P^1 - c_P^2)^{-1}$ is the multiplicative inverse of $(c_P^1 - c_P^2)$ in $\mathbb{Z}_q^*$. Note that since the chosen hash functions are collision resistant, the probability that $c_P^1 = c_P^2$ is negligible.
4. Computes, using $x(c_P^1 - c_P^2) = c_P - c_P^3$,
$$\begin{aligned}
S_P &= x(S_P^1 - S_P^2) + S_P^3 \\
&= x(r_P^1 - r_P^2)P_\mu + (c_P - c_P^3)(sP_{P,1}) + r_P^3P_\mu + sP_{P,0} + c_P^3(sP_{P,1}) \\
&= (x(r_P^1 - r_P^2) + r_P^3)P_\mu + sP_{P,0} + c_P(sP_{P,1})
\end{aligned}$$
$$T_P = x(T_P^1 - T_P^2) + T_P^3,\qquad S = S_P + S_O,\qquad T = T_P + T_O$$
5. The forged proxy multi-signature is $(m_w, m, \mu, S, T)$.
6. For simplicity, write $r = (x(r_P^1 - r_P^2) + r_P^3) \bmod q$. Since $S_P = rP_\mu + sP_{P,0} + c_P(sP_{P,1})$ and $T_P = rP$, and since $S_O = \sum_{i=1}^{n} (r_iP_\mu + sP_{i,0} + c_i(sP_{i,1}))$ and $T_O = \sum_{i=1}^{n} r_iP$, it is easy to check the following equations:
$$\begin{aligned}
e(S, P) &= e(S_P + S_O, P) \\
&= e(rP_\mu + sP_{P,0} + c_P(sP_{P,1}) + S_O, P) \\
&= e\Big(\Big(\sum_{i=1}^{n} r_i + r\Big)P_\mu,\ P\Big)\; e\Big(P,\ s\Big(\sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big)\Big) \\
&= e(T_P + T_O, P_\mu)\; e\Big(Q,\ \sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big) \\
&= e(T, P_\mu)\; e\Big(Q,\ \sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big)
\end{aligned}$$
where $c_P = H_3(m_w \| m, ID_P, \mu)$ and each $c_i$ is fixed at the Subproxy generation stage by the corresponding original signer. Hence the forged proxy multi-signature verifies successfully.
Remark: It is obvious that the original signers can collude to forge a proxy multi-signature on a message that was not signed by the proxy signer by our attack. However, the standard signature scheme used in Wang et al.’s scheme is the same as that of [7]. Does our attack imply that the identity-based aggregate signature scheme (GR scheme) [7] is insecure? Certainly not. At this point, please note that the security of the GR scheme relies on the freshness of the string $\mu$: a signer must not reuse the same $\mu$ for two signatures. Let us then review Wang et al.’s scheme carefully. We discover that the proxy signer always uses the same string $\mu$ as fixed by the original signers at the Subproxy generation stage to produce proxy multi-signatures. Obviously, this fact violates the security requirement of the GR scheme. Hence it is not surprising that Wang et al.’s scheme is not unforgeable. To foil our attack, the proxy signer is required to pick a fresh string $\mu$ when producing a proxy multi-signature. But this modification hurts the efficiency of their scheme. On the other hand, Li et al. [8] also presented a different attack on the scheme in [6]. They demonstrated that an adversary that corrupts all users who delegate their signing capability to a proxy is able to forge a proxy multi-signature on a particular message, but only if he obtains a conventional signature issued by the proxy on the same message. Hence the proxy can avoid their attack by choosing distinct key pairs to issue conventional signatures. In contrast with their attack [8], our adversary is more powerful, since it can forge proxy multi-signatures on messages of its choice by intercepting valid proxy multi-signatures issued by the proxy.
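The program below is an added worked example; it is not code from this paper, from Wang et al. [6] or from Gentry and Ramzan [7]. It implements the scheme reviewed in Section 2, runs the collusion forgery of Section 3 against it, and then applies the same linear combination to signatures that use a fresh $\mu$ each time, which is the point of the Remark above. The pairing groups are replaced by a toy model (an assumption made for illustration only): a point $aP$ is stored as the integer $a \bmod q$, and a pairing value $e(aP, bP) = g^{ab}$ is stored as its exponent $ab \bmod q$, so products in $G_2$ become sums of exponents. Every bilinearity identity used in the verification equations holds exactly in this model, but discrete logarithms are free, so it demonstrates the algebra of the attack and is not a secure instantiation. The prime $q$, the SHA-256-based hash functions, the identities, the warrant and message strings, and all function names are my own choices.

```python
import hashlib
import secrets

# Toy model (assumption): the point aP is stored as the integer a mod q, and the
# pairing value e(aP, bP) = g^{ab} is stored as the exponent ab mod q, so that
# multiplying in G2 is adding exponents.  Bilinearity holds exactly; discrete
# logs are free, so nothing here is a secure instantiation.
q = 2**127 - 1              # toy prime group order (assumption)
P = 1                       # generator of G1, i.e. the scalar 1

def _hash_to_zq(*parts):
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def H1(identity, j):        return _hash_to_zq("H1", identity, j)         # P_{i,j} in G1
def H2(mu):                 return _hash_to_zq("H2", mu)                  # P_mu in G1
def H3(text, identity, mu): return _hash_to_zq("H3", text, identity, mu)  # c in Z_q

def e(A, B):
    """Pairing in exponent form."""
    return (A * B) % q

s = secrets.randbelow(q - 1) + 1     # PKG master secret s in Z_q^*
Q = (s * P) % q                      # public parameter Q = sP

def key_ext(identity):
    """KeyExt: the user with this identity receives sP_{ID,0} and sP_{ID,1}."""
    return (s * H1(identity, 0) % q, s * H1(identity, 1) % q)

def gr_sign(identity, sk, mu, text):
    """Sign: S = r P_mu + sP_{ID,0} + c(sP_{ID,1}), T = rP, c = H3(text, ID, mu)."""
    r = secrets.randbelow(q)
    c = H3(text, identity, mu)
    return (r * H2(mu) + sk[0] + c * sk[1]) % q, (r * P) % q

def gr_verify(identity, mu, text, S, T):
    """Verify: e(S, P) == e(T, P_mu) e(Q, P_{ID,0} + c P_{ID,1})."""
    c = H3(text, identity, mu)
    rhs = (e(T, H2(mu)) + e(Q, H1(identity, 0) + c * H1(identity, 1))) % q
    return e(S, P) == rhs

def proxy_keygen(originals, mw, mu):
    """Subproxy generation, verification and Proxy generation: (S_O, T_O)."""
    sigs = [gr_sign(i, key_ext(i), mu, mw) for i in originals]
    assert all(gr_verify(i, mu, mw, S, T) for i, (S, T) in zip(originals, sigs))
    return sum(S for S, _ in sigs) % q, sum(T for _, T in sigs) % q

def proxy_multi_sign(proxy_id, proxy_sk, S_O, T_O, mw, mu, m):
    """ProxySign + Aggregate; note the proxy reuses the originals' fixed mu."""
    S_P, T_P = gr_sign(proxy_id, proxy_sk, mu, f"{mw}||{m}")
    return (S_O + S_P) % q, (T_O + T_P) % q

def proxy_multi_verify(originals, proxy_id, mw, m, mu, S, T):
    """ProxyMultiVerify from Section 2."""
    X = sum(H1(i, 0) + H3(mw, i, mu) * H1(i, 1) for i in originals)
    X += H1(proxy_id, 0) + H3(f"{mw}||{m}", proxy_id, mu) * H1(proxy_id, 1)
    return e(S, P) == (e(T, H2(mu)) + e(Q, X % q)) % q

def gr_forge(identity, sigs, target_text, target_mu):
    """Steps 2-4 of Section 3 on three GR signatures (mu_k, text_k, S_k, T_k) of one
    signer: x = (c1 - c2)^{-1}(c* - c3) mod q, S = x(S1 - S2) + S3, T likewise."""
    (mu1, t1, S1, T1), (mu2, t2, S2, T2), (mu3, t3, S3, T3) = sigs
    c1, c2, c3 = H3(t1, identity, mu1), H3(t2, identity, mu2), H3(t3, identity, mu3)
    c_star = H3(target_text, identity, target_mu)
    x = pow((c1 - c2) % q, -1, q) * (c_star - c3) % q   # c1 == c2 only with negligible probability
    return (x * (S1 - S2) + S3) % q, (x * (T1 - T2) + T3) % q

def collusion_forgery():
    """Colluding originals forge a proxy multi-signature on a message IDP never signed."""
    originals, proxy_id = ["ID1", "ID2", "ID3"], "IDP"
    mw, mu = "warrant: purchase orders, 2010", "mu-fixed-by-originals"
    S_O, T_O = proxy_keygen(originals, mw, mu)      # the adversary knows these
    proxy_sk = key_ext(proxy_id)                    # never leaves IDP
    seen = []                                       # intercepted, stripped of S_O, T_O
    for m in ("order-1", "order-2", "order-3"):
        S, T = proxy_multi_sign(proxy_id, proxy_sk, S_O, T_O, mw, mu, m)
        assert proxy_multi_verify(originals, proxy_id, mw, m, mu, S, T)
        seen.append((mu, f"{mw}||{m}", (S - S_O) % q, (T - T_O) % q))  # step 1
    m_star = "order-9999"                           # chosen by the adversary
    S_P, T_P = gr_forge(proxy_id, seen, f"{mw}||{m_star}", mu)
    S, T = (S_P + S_O) % q, (T_P + T_O) % q        # step 4, then step 5
    return proxy_multi_verify(originals, proxy_id, mw, m_star, mu, S, T)

def fresh_mu_blocks_forgery():
    """The Remark: with a fresh mu per signature the P_mu terms no longer cancel."""
    sk = key_ext("IDP")
    sigs = [(f"mu-{k}", f"text-{k}", *gr_sign("IDP", sk, f"mu-{k}", f"text-{k}"))
            for k in range(3)]
    S, T = gr_forge("IDP", sigs, "target", "mu-0")
    return gr_verify("IDP", "mu-0", "target", S, T)

if __name__ == "__main__":
    print("forgery verifies with fixed mu:", collusion_forgery())        # True
    print("forgery verifies with fresh mu:", fresh_mu_blocks_forgery())  # False
```

Run stand-alone, collusion_forgery() returns True: three intercepted signatures under one fixed $\mu$ are enough to produce a verifying proxy multi-signature on a message the proxy never saw, exactly as in steps 1 to 6 above. fresh_mu_blocks_forgery() returns False: once each signature carries its own $\mu$, the $P_\mu$ terms of the three signatures are different group elements, the combination $x(S_1 - S_2) + S_3$ no longer has the form $rP_\mu + sP_{P,0} + c(sP_{P,1})$ for any single $\mu$, and the verification equation fails. The model makes the dependency on $\mu$-freshness visible without a pairing library, but it also means the code must not be mistaken for a secure implementation of either scheme.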
4 Conclusion
In this paper, we present a cryptanalysis of an identity-based proxy multi-signature scheme [6]. In the first place, we show that the original signers can collude to forge a valid proxy multi-signature from the proxy signer in Wang et al.’s scheme. That is, their scheme does not satisfy the unforgeability property required by a secure proxy multi-signature scheme. Then we explain why Wang et al.’s scheme is insecure. The reason is that the proxy signer in Wang et al.’s scheme always uses the same string $\mu$ as fixed by the original signers at the Subproxy generation stage to produce proxy multi-signatures. Obviously, this fact violates the security requirement of the GR scheme. To foil our attack, the proxy signer is required to pick a fresh string $\mu$ when producing a proxy multi-signature. But this modification hurts the efficiency of their scheme.
5 Acknowledgment
We thank the anonymous referees for their helpful comments on earlier drafts of this paper.
6 References
[1] MAMBO M., USUDA K., OKAMOTO E.: ‘Proxy signatures for delegating signing operation’. Proc. Third ACM Conf. on Computer and Communications Security, 1996, pp. 48–57
[2] LEE B., KIM H., KIM K.: ‘Strong proxy signature and its applications’. Proc. SCIS 2001, 2001, pp. 603–608
[3] KIM S., PARK S., WON D.: ‘Proxy signature, revisited’. Proc. ICICS’97, Int. Conf. on Information and Communication Security, 1997, pp. 223–232
[4] HSU C.L., WU T.S., WU T.C.: ‘New nonrepudiable threshold proxy signature scheme with known signers’, J. Syst. Software, 2001, 58, pp. 119–124
[5] YI L., BAI G., XIAO G.: ‘Proxy multi-signature scheme: a new type of proxy signature scheme’, Electron. Lett., 2000, 36, (6), pp. 527–528
[6] WANG Q., CAO Z.F.: ‘Identity based proxy multi-signature’, J. Syst. Softw., 2007, 80, pp. 1023–1029
[7] GENTRY C., RAMZAN Z.: ‘Identity based aggregate signatures’. PKC 2006, (LNCS, 3958), pp. 257–273
[8] LI F., ZHOU S., SUN R.: ‘Cryptanalysis of an identity based proxy multi-signature scheme’, IEICE Trans. Fundam. Electron. Commun. Comput. Sci., 2008, E91-A, (7), pp. 1820–1823