IMPROVEMENT OF NONREPUDIABLE THRESHOLD MULTI-PROXY THRESHOLD MULTI-SIGNATURE SCHEME WITH SHARED

  • 格式:pdf
  • 大小:211.76 KB
  • 文档页数:6

、b1.24 No.6 JOURNAL OF ELECTRONICS(CHINA November 2007 IMPROVEMENT OF NONREPUDIABLE TⅡRESHOLD MUI』TI.PROXY THRESHOLD MUI』TI—SIGNATURE SCHEME WITH SHARED VERIFICATION 

Xie Qi Wang Jilin Yu Xiuyuan (College of Science,Hangzhou Normal University,Hangzhou 310036,Chin01 (School of Information,Zhejiang University Finance&Economics,Hangzhou 310036,Chi几0] …(Department of Mathematics and Physics,Quzhou College,Quzhou 324000,Chi几01 

Abstract In 2005,Bao,et a1.[App1.Math.and Comput.,vo1.169,No.2,2005]showed that Tzeng,e a1.’s nonrepudiable threshold multi—proxy multi—signature scheme with shared verificationⅥ豫s insecur.e. and proposed an improved scheme with no Share Distribution Center(SDC).This paper shows that 

Bao,et a1.s scheme suffers from the proxy relationship inversion attack and forgery attack,and pro— 

poses an improvement of Bao,et a1.’s sdheme. 

Key words Digital signature;Proxy signature;Threshold proxy signature;Threshold multi—proxy threshold multi.signature;Threshold verification 

CLC index TP309 DOI 10.1007/s11767—006—0047一z 

I.Introduction The concept of proxy signature was first pro— posed by Mambo,et a1.in 1996[ 1.A proxy signature scheme allows a signer to delegate the signing ca— pability to a designated person(called a proxy signer);the proxy signer can generate a proxy signature for a message on behMf of the or!gihal signer. Following the development of the proxy signa— ture scheme,some threshold proxy signature schemes were discussed[2 a1.A(1,t/n1 threshold proxy signature scheme is a scheme where the proxy signature key is shared among a group of n proxy signers delegated by the original signer.Any t or more proxy signers can cooperatively sign messages on behalf of the original signer,while t-1 or fewer proxy signers cannot.In 2003,Li,et a1._g1 proposed a( /n1, /n2)threshold multi—proxy threshold multi-signature scheme.Their scheme allows tl or more signers of n1 original signers to delegate the Manuscript received date:March 20,2006;revised date: October 25.2o06. Supported by the National Natural Science Foundation of China fNo.10671051)and the Natural Science Foundation of Zhejiang Province fNo.Yl 05067). Communication author:Xie Qi.born in 1968.male.Ph.D. professor.College of Science,Hangzhou Normal University Hangzhou 310036,China. Email:qixie68@yahoo.com.an. signing capability to the designated proxy group, and or more proxy signers of n2 proxy signers can cooperatively sign messages on behalf of the 

original group,any verifier can verify the proxy signature with the knowledge of the identities of the actual original signers and the actual proxy signers. Li.e≠a1.’s scheme can be applied to the situation of 

(1,1)proxy signature,(1, /n2)proxy signature, and(tl/n1,1)proxy signature,where tl or more signers of n1 original signers to delegate the sign— mg capability to one proxy signer,and the proxy signer can generate the proxy signature.However, in all the existing threshold proxy signature 

schemes,any outsider can verify the proxy signa- ture.In some applications,there is a need to have some specified verifiers verify the proxy signature and authenticate themessage.In 2004,Tzeng,et 

a1. proposed a nonrepudiable threshold multi— proxy multi-signature scheme with shared verifi- cation.Their scheme allows the group of original signers to delegate the signing capability to a designated group of proxy signers,and a set of verifiers in the designated verifier group to all_ thenticate the proxy signature.Recently,Bao,et 

a1.【¨1 showed that Tzeng.et a1.’s scheme was inse- 

cure due to the fact that an adversary can forge valid proxy signatures,which can be authenticated as if they were generated by the subset of the proxy 

维普资讯 http://www.cqvip.com XIE et a1.Improvement of Nonrepudiable Threshold Multi—proxy Threshold Multi—signature Scheme 807 group on behalf of the adversary.To overcome this weakness,they proposed an improved scheme with no Share Distribution Center fSDC1. In this paper,we propose a new attack called the proxy relationship inversion attack,where the proxy group can generate a valid proxy signature that is likely generated by the original group on behalf of the proxy group.Suppose some managers (called group A)in a company need to go on a business trip,they will delegate the signing capa- bility to the rest of the managers(called group B), and vice versa.Therefore,the aim of the proxy relationship inversion attack is that group B can generate a valid proxy signature that is likely generated by group A on behalf of group B, showing that the damage that can be caused by the relationship inversion attack is the same as that by the forgery attack.Ⅵ will show that Bao.et a1.’s scheme suffers from the proxy relationship inver— sion attack and forgery attack.In Section II,we present a brief review of Bao,et a1.’s scheme,then a security analysis of their scheme is given in Section III,our improved scheme and security analysis are presented in Sections IV.The final Section provides the conc】usions. II.Brief Review of Bao.et al’s Scheme Let P be a large prime,q a prime divisor of p-1; g a generator of a multiplicative subgroup of Z。 with order g; (・)a one—way collusion resistant cryptographic hash function;m a warrant the records the identity of the original signers in the original group,the proxy signers in the proxy group and the verifiers in the verifier group,the valid delegation time,and the parameters(t , )(i= 1,2,3)where are the threshold values of佗】 original signers,佗2 proxy signers and verifiers, respectively,etc.;AOSID and APSID denote the identities of the actual original signers and the actual proxy signers,respectively ̄ Let Go={ , 。,…, ),G ={ , ,…, )and ={Uvl,Uv2,…, 。)be the group of佗1 original signers, proxy signers and佗3 verifiers.Each original signer owns a private key ∈ and a public key Y0 =g mod P, each proxy signer U or verifier Uvt also owns a private key z ∈Z or z ∈z and a public key Y =gxp,rood P or Y =g “modP,which are all certified by the Certificate Authority(CA).Bao,et a1.’s scheme can be divided into three phases:the proxy share generation phase,the proxy signature generation phase and the proxy signature verifica- tion phase. The verifier group performs the following steps to generate their secret shadows and group public key: (1)Each ∈Gv randomly chooses a ta一1 degree polynomial: ( )= + .1 +…+b<t _。 , f= (a-=1 1