
Published in IET Information Security

Received on 17th March 2009

Revised on 24th September 2009

doi: 10.1049/iet-ifs.2009.0033

ISSN 1751-8709

On the security of an identity-based proxy multi-signature scheme

B. Wang

Information Engineering College of Yangzhou University, No. 36 Middle JiangYang Road, Yangzhou City, Jiangsu Province, People’s Republic of China
E-mail: [email protected]

Abstract: In 2000, Yi et al. proposed two proxy multi-signature schemes which enable two or more original signers to delegate their signing power to a proxy signer. Combining proxy multi-signature with identity-based cryptography, Wang et al. proposed an identity-based proxy multi-signature scheme in 2007. Their scheme is claimed to be secure in the random oracle model. However, this study shows that Wang et al.’s scheme is vulnerable to the forgery attack described here.

1 Introduction

The notion of proxy signature was first introduced by Mambo et al. [1] in 1996. A proxy signature scheme enables an original signer to delegate his signing capability to a designated proxy signer. Then the proxy signer can generate proxy signatures on behalf of the original signer. There are four types of delegation: full delegation; partial delegation; delegation by warrant; and partial delegation by warrant. In general, the basic security properties of proxy signature are unforgeability and verifiability. Unforgeability means that only the designated proxy signer can sign messages on behalf of the original signer. Verifiability means that any verifier can be convinced of the original signer’s agreement on the signed message by verifying the corresponding proxy signature. Since Mambo et al. introduced the concept of proxy signature, several kinds of proxy signature schemes have been proposed [2, 3]. Furthermore, there are various extensions of the proxy signature primitive, such as threshold proxy signature [4] and proxy multi-signature [5].

Proxy multi-signature means a proxy signer can sign messages on behalf of several original signers. In 2000, Yi et al. [5] proposed two proxy multi-signature schemes. However, no formal analysis is provided to prove the security of the schemes in [5]. Recently, Wang et al. [6] proposed an identity-based proxy multi-signature scheme and claimed their scheme to be secure in the random oracle model under the computational Diffie-Hellman assumption over pairing-friendly groups. Nevertheless, we show that the original signers can collude to forge a proxy multi-signature on a message that was not signed by the proxy signer in Wang et al.’s scheme. Then we explain why Wang et al.’s scheme is insecure.

2 Review of Wang et al.’s scheme

We briefly review Wang et al.’s identity-based proxy multi-signature scheme in this section. Their scheme is based on an identity-based aggregate signature scheme proposed by Gentry and Ramzan (GR scheme) [7]. The details of Wang et al.’s scheme can be described as follows:

KeyGen: The Private Key Generator (PKG) generates parameters and keys as follows:

1. Generates groups $G_1$ and $G_2$, where $G_1$ is a cyclic additive group generated by $P$, whose order is a large prime $q$, and $G_2$ is a cyclic multiplicative group of the same order. Then let $e : G_1 \times G_1 \to G_2$ be a bilinear pairing that satisfies the following conditions:

• Bilinear: For any $Q, R, T \in G_1$, we have $e(Q + R, T) = e(Q, T)\,e(R, T)$ and $e(Q, R + T) = e(Q, R)\,e(Q, T)$

• Non-degenerate: There exist $R, T \in G_1$ such that $e(R, T) \neq 1$

IET Inf. Secur., 2010, Vol. 4, Iss. 2, pp. 45–48
doi: 10.1049/iet-ifs.2009.0033 © The Institution of Engineering and Technology 2010
www.ietdl.org


• Computable: There exists an efficient algorithm to compute $e(R, T)$ for any $R, T \in G_1$.

2. Picks a random $s \in \mathbb{Z}_q^*$ and sets $Q = sP$.

3. Chooses three cryptographically secure hash functions $H_1$, $H_2$, $H_3$, which are defined as follows: $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to G_1$ and $H_3 : \{0,1\}^* \to \mathbb{Z}_q$.

The system parameters are $\mathit{params} = \langle G_1, G_2, e, P, Q, H_1, H_2, H_3 \rangle$. The PKG’s secret key is $s \in \mathbb{Z}_q^*$.

KeyExt: The client with identity $ID_i$ receives $sP_{i,j}$, for $j \in \{0, 1\}$, from the PKG as secret keys, where $P_{i,j} = H_1(ID_i, j) \in G_1$.

Sign: At first, the signer with identity $ID_i$ chooses a random string $\mu$ to sign a message $m$. Then the signer proceeds as follows:

1. computes $P_\mu = H_2(\mu) \in G_1$;

2. computes $c = H_3(m, ID_i, \mu) \in \mathbb{Z}_q$;

3. generates a random $r \in \mathbb{Z}_q$;

4. computes his signature $(\mu, S, T)$, where $S = rP_\mu + sP_{i,0} + c\,(sP_{i,1})$ and $T = rP$.

Verify: The verifier checks that $e(S, P) = e(T, P_\mu)\,e(Q, P_{i,0} + cP_{i,1})$, where $P_\mu$, $c$ and $P_{i,j}$, for $j \in \{0, 1\}$, are defined as above.

ProxyKeyGen:

1. Make warrant: To delegate their signing capability to the proxy signer identified by identity $ID_P$, the original signers $ID_1, \ldots, ID_n$ jointly generate a warrant $m_w$, which includes the restrictions on the class of messages to be delegated, the identities of the original signers and the proxy signer, the period of delegation, and so on. The original signers also choose a string $\mu$ that has never been used before.

2. Subproxy generation: Every original signer $ID_i$, $1 \le i \le n$, computes $P_\mu = H_2(\mu)$, $c_i = H_3(m_w, ID_i, \mu)$, $S_i = r_iP_\mu + sP_{i,0} + c_i\,(sP_{i,1})$ and $T_i = r_iP$, where $r_i \in \mathbb{Z}_q$. Then $ID_i$ sends $(m_w, \mu, S_i, T_i)$ to the proxy signer $ID_P$.

3. Subproxy verification: For all $1 \le i \le n$, the proxy signer $ID_P$ verifies the validity of $(m_w, \mu, S_i, T_i)$ by checking $e(S_i, P) = e(T_i, P_\mu)\,e(Q, P_{i,0} + c_iP_{i,1})$. If the verification fails, $ID_P$ requests $ID_i$ to provide a valid signature for the warrant $m_w$.

4. Proxy generation: If $ID_P$ confirms the validity of all $(m_w, \mu, S_i, T_i)$, $1 \le i \le n$, he computes $S_O = \sum_{i=1}^{n} S_i$ and $T_O = \sum_{i=1}^{n} T_i$. The corresponding proxy secret key of $ID_P$ is $PSk = (S_O, T_O, sP_{P,j},\ j \in \{0, 1\})$.

ProxyMultiSign:

1. ProxySign: When $ID_P$ signs a message $m$ on behalf of $ID_1, \ldots, ID_n$, he computes $P_\mu = H_2(\mu)$, $c_P = H_3(m_w \| m, ID_P, \mu)$, $S_P = rP_\mu + sP_{P,0} + c_P\,(sP_{P,1})$ and $T_P = rP$, where $r \in \mathbb{Z}_q$.

2. Aggregate: $ID_P$ computes $S = S_O + S_P$ and $T = T_O + T_P$. Then $(m_w, m, \mu, S, T)$ is a proxy multi-signature from $ID_P$ on behalf of $ID_1, \ldots, ID_n$.

ProxyMultiVerify: To verify a proxy multi-signature $(m_w, m, \mu, S, T)$ of a message $m$ under the warrant $m_w$, a verifier checks that

$$e(S, P) = e(T, P_\mu)\; e\Big(Q,\ \sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big)$$

3 Cryptanalysis of Wang et al.’s scheme

In this section, we will show that the original signers can collude to forge a proxy multi-signature from the proxy signer $ID_P$ by intercepting valid proxy multi-signatures issued by $ID_P$. The attack can be described as follows.

Given a protocol Proto, the view of an adversary $\mathcal{A}$, denoted by $View_{Proto}(\mathcal{A})$, is defined as the probability distribution on the knowledge of the adversary, namely, the computational and memory history of the corrupted parties and the public communication and output of the protocol. Assume the adversary $\mathcal{A}$ corrupts all the original signers $ID_1, \ldots, ID_n$ in Wang et al.’s scheme. Then $\mathcal{A}$ is able to compute $S_O$ and $T_O$, which are also computed by the proxy signer $ID_P$ at the Proxy generation stage. In the following, let us assume $\mathcal{A}$ intercepts the following valid proxy multi-signatures on distinct messages issued by $ID_P$:

$$(m_w, m_1, \mu, S_1, T_1),\quad (m_w, m_2, \mu, S_2, T_2),\quad (m_w, m_3, \mu, S_3, T_3)$$

where the warrant $m_w$ and the string $\mu$ are fixed by the original signers at the Make warrant stage and the Subproxy generation stage, respectively. These values define the view of $\mathcal{A}$. Then $\mathcal{A}$ proceeds as follows:

1. Computes

$$S_{1P} = S_1 - S_O,\quad S_{2P} = S_2 - S_O,\quad S_{3P} = S_3 - S_O$$

$$T_{1P} = T_1 - T_O,\quad T_{2P} = T_2 - T_O,\quad T_{3P} = T_3 - T_O$$

where

$$S_{1P} = r_{P1}P_\mu + sP_{P,0} + c_{1P}\,(sP_{P,1}),\quad T_{1P} = r_{P1}P,\quad c_{1P} = H_3(m_w \| m_1, ID_P, \mu)$$

$$S_{2P} = r_{P2}P_\mu + sP_{P,0} + c_{2P}\,(sP_{P,1}),\quad T_{2P} = r_{P2}P,\quad c_{2P} = H_3(m_w \| m_2, ID_P, \mu)$$

$$S_{3P} = r_{P3}P_\mu + sP_{P,0} + c_{3P}\,(sP_{P,1}),\quad T_{3P} = r_{P3}P,\quad c_{3P} = H_3(m_w \| m_3, ID_P, \mu)$$


2. Computes $c_P = H_3(m_w \| m, ID_P, \mu)$, where $m$ is a message chosen by the adversary.

3. Computes $x = (c_{1P} - c_{2P})^{-1}(c_P - c_{3P}) \bmod q$, where $(c_{1P} - c_{2P})^{-1}$ is the multiplicative inverse of $(c_{1P} - c_{2P})$ over $\mathbb{Z}_q^*$. Note that since the chosen hash functions are collision resistant, the probability of $c_{1P} = c_{2P}$ is negligible.

4. Computes

$$\begin{aligned}
S_P &= x(S_{1P} - S_{2P}) + S_{3P} \\
    &= x(r_{P1} - r_{P2})P_\mu + (c_P - c_{3P})(sP_{P,1}) + r_{P3}P_\mu + sP_{P,0} + c_{3P}(sP_{P,1}) \\
    &= \big(x(r_{P1} - r_{P2}) + r_{P3}\big)P_\mu + sP_{P,0} + c_P(sP_{P,1})
\end{aligned}$$

$$T_P = x(T_{1P} - T_{2P}) + T_{3P}$$

$$S = S_P + S_O,\quad T = T_P + T_O$$

5. The forged proxy multi-signature is $(m_w, m, \mu, S, T)$.

6. For the sake of simplicity, we use $r$ to denote $(x(r_{P1} - r_{P2}) + r_{P3}) \bmod q$. Since we have $S_P = rP_\mu + sP_{P,0} + c_P(sP_{P,1})$ and $T_P = rP$, it is easy to check the following equations:

$$\begin{aligned}
e(S, P) &= e(S_P + S_O, P) \\
        &= e\big(rP_\mu + sP_{P,0} + c_P(sP_{P,1}) + S_O,\ P\big) \\
        &= e\Big(\Big(\sum_{i=1}^{n} r_i + r\Big)P_\mu,\ P\Big)\; e\Big(P,\ s\Big(\sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big)\Big) \\
        &= e(T_P + T_O, P_\mu)\; e\Big(Q,\ \sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big) \\
        &= e(T, P_\mu)\; e\Big(Q,\ \sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big)
\end{aligned}$$

where $c_P = H_3(m_w \| m, ID_P, \mu)$ and each $c_i$ is fixed at the Subproxy generation stage by the corresponding original signer. Hence the forged proxy multi-signature can be verified successfully.

Remark: It is obvious that the original signers can collude to forge a proxy multi-signature on a message that was not signed by the proxy signer by our attack. However, the standard signature scheme used in Wang et al.’s scheme is the same as that of [7]. Does our attack imply that the identity-based aggregate signature scheme (GR scheme) [7] is insecure? Certainly not. At this point, please note that the security of the GR scheme relies on the freshness of the string $\mu$. Then let us review Wang et al.’s scheme carefully. We discover that the proxy signer always uses the same string $\mu$ as fixed by the original signers at the Subproxy generation stage to produce proxy multi-signatures. Obviously, this fact violates the security requirement of the GR scheme. Hence it is not surprising to state that Wang et al.’s scheme is not unforgeable. To foil our attack, the proxy signer is required to pick a fresh string $\mu$ when producing a proxy multi-signature. But this modification hurts the efficiency of their scheme. On the other hand, Li et al. [8] also presented a different attack on the scheme in [6]. They demonstrated that an adversary that corrupts all users who delegate their signing capability to a proxy is able to forge a proxy multi-signature on a particular message, but only if he obtains a conventional signature issued by the proxy on the same message. Hence the proxy can avoid their attack by choosing distinct key pairs to issue conventional signatures. In contrast with their attack [8], our adversary is more powerful since it can make a forgery on messages of its choice by intercepting valid proxy multi-signatures issued by the proxy.
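To check the algebra behind the Remark, here is an added Python example (constructed for this edit, not code from the paper or from Wang et al.'s scheme): it models $G_1$ by discrete logs and the pairing by exponents, implements the Sign/Verify of section 2 (the proxy signer's own component $(S_P, T_P)$, once $S_O$, $T_O$ are subtracted, has exactly this shape), and shows that the linear combination of section 3 verifies when three signatures share $\mu$ but fails once each signature uses a fresh $\mu$. All names (`H`, `e`, `sign`, `verify`, `forge`, `demo`) and the sample identities and messages are this example's own.

```python
import hashlib
import secrets

# Constructed toy model (not the paper's code): every element of G1 is stored as its
# discrete log base P, so P = 1, A + B is addition mod q and kA is k*a mod q. The
# pairing value e(A, B) = g^{ab} in G2 is stored as its exponent ab mod q, so a
# product of pairings becomes a sum. This exercises only the scheme's algebra; the
# forger below uses just group add/subtract, hashing and scalar multiplication by
# values it legitimately knows, exactly as the adversary in section 3 does.
q = (1 << 61) - 1  # stands in for the prime order of G1

def H(tag, *parts):  # H1, H2, H3 are all modelled by SHA-256 reduced into Z_q
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def e(a, b):  # toy pairing of A = aP and B = bP, returned as the exponent of g
    return a * b % q

s = secrets.randbelow(q - 1) + 1             # PKG master key; Q = sP
Q = s
pub = lambda ID, j: H("H1", ID, j)           # P_{ID,j} = H1(ID, j), public
sk = lambda ID, j: s * pub(ID, j) % q        # sP_{ID,j}, issued to ID by the PKG

def sign(ID, m, mu):
    """Sign of section 2; the proxy signer's component (S_P, T_P) has this exact shape."""
    r, c = secrets.randbelow(q), H("H3", m, ID, mu)
    S = (r * H("H2", mu) + sk(ID, 0) + c * sk(ID, 1)) % q   # S = r P_mu + sP_0 + c sP_1
    return S, r                                             # T = rP, i.e. the scalar r here

def verify(ID, m, mu, S, T):
    """Verify of section 2: e(S, P) == e(T, P_mu) e(Q, P_{ID,0} + c P_{ID,1})."""
    c = H("H3", m, ID, mu)
    return e(S, 1) == (e(T, H("H2", mu)) + e(Q, (pub(ID, 0) + c * pub(ID, 1)) % q)) % q

def forge(ID, sigs, m_star):
    """Steps 2-4 of section 3 on three (m_i, mu_i, S_i, T_i) tuples; returns (mu, S, T)."""
    (m1, mu1, S1, T1), (m2, mu2, S2, T2), (m3, mu3, S3, T3) = sigs
    c1, c2, c3 = (H("H3", m, ID, mu) for m, mu in ((m1, mu1), (m2, mu2), (m3, mu3)))
    c_star = H("H3", m_star, ID, mu3)                      # c_P for the chosen message
    x = pow((c1 - c2) % q, -1, q) * (c_star - c3) % q      # x = (c1 - c2)^{-1}(c* - c3) mod q
    return mu3, (x * (S1 - S2) + S3) % q, (x * (T1 - T2) + T3) % q  # x(S1 - S2) + S3, same for T

def demo(ID="ID_P", msgs=("m1", "m2", "m3"), target="m*"):
    """Returns (forgery verifies when mu is reused, forgery verifies when mu is fresh)."""
    reused = [(m, "mu", *sign(ID, m, "mu")) for m in msgs]           # Wang et al.: one fixed mu
    fresh = [(m, "mu-" + m, *sign(ID, m, "mu-" + m)) for m in msgs]  # GR rule: fresh mu each time
    assert all(verify(ID, m, mu, S, T) for m, mu, S, T in reused + fresh)
    return (verify(ID, target, *forge(ID, reused, target)),
            verify(ID, target, *forge(ID, fresh, target)))
```

`demo()` returns `(True, False)`: with a reused string the forged pair passes the verification equation, with fresh strings the random terms no longer collapse onto a single $P_\mu$ and the same combination is rejected.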

4 Conclusion

In this paper, we present a cryptanalysis of an identity-based proxy multi-signature scheme [6]. In the first place, we show that the original signers can collude to forge a valid proxy multi-signature from the proxy signer in Wang et al.’s scheme. That is, their scheme does not satisfy the unforgeability property required by a secure proxy multi-signature scheme. Then we explain why Wang et al.’s scheme is insecure. The reason is that the proxy signer in Wang et al.’s scheme always uses the same string $\mu$ as fixed by the original signers at the Subproxy generation stage to produce proxy multi-signatures. Obviously, this fact violates the security requirement of the GR scheme. To foil our attack, the proxy signer is required to pick a fresh string $\mu$ when producing a proxy multi-signature. But this modification hurts the efficiency of their scheme.

5 Acknowledgment

We thank the anonymous referees for their helpful comments on earlier drafts of this paper.

6 References

[1] MAMBO M., USUDA K., OKAMOTO E.: ‘Proxy signatures for delegating signing operation’. Proc. Third ACM Conf. on Computer and Communications Security, 1996, pp. 48–57

[2] LEE B., KIM H., KIM K.: ‘Strong proxy signature and its applications’. Proc. SCIS 2001, Symp. on Cryptography and Information Security, 2001, pp. 603–608


[3] KIM S., PARK S., WON D.: ‘Proxy signatures, revisited’. Proc. ICICS ’97, Int. Conf. on Information and Communications Security, 1997, pp. 223–232

[4] HSU C.L., WU T.S., WU T.C.: ‘New nonrepudiable threshold proxy signature scheme with known signers’, J. Syst. Software, 2001, 58, pp. 119–124

[5] YI L., BAI G., XIAO G.: ‘Proxy multi-signature scheme: a new type of proxy signature scheme’, Electron. Lett., 2000, 36, (6), pp. 527–528

[6] WANG Q., CAO Z.F.: ‘Identity based proxy multi-signature’, J. Syst. Softw., 2007, 80, pp. 1023–1029

[7] GENTRY C., RAMZAN Z.: ‘Identity based aggregate signatures’. PKC 2006, 2006, (LNCS, 3958), pp. 257–273

[8] FAGEN L., SHIJIE Z., RONG S.: ‘Cryptanalysis of an identity based proxy multi-signature scheme’, IEICE Trans. Fundam. Electron. Commun. Comput. Sci., 2008, E91-A, (7), pp. 1820–1823
