PDF Links PDF Links PubReader PubReaderePub Link ePub Link

Mashhadi: Analysis of Warrant Attacks on Some Threshold Proxy Signature Schemes

Abstract

In 2004, Yang et al. proposed a threshold proxy signature scheme that efficiently reduced the computational complexity of previous schemes. In 2009, Hu and Zhang presented some security leakages of Yang’s scheme and proposed an improvement to eliminate the security leakages that had been pointed out. In this paper, we will point out that both Yang and Hu’s schemes still have some security weaknesses, which cannot resist warrant attacks where an adversary can forge valid proxy signatures by changing the warrant mW. We also propose two secure improvements for these schemes.

1. Introduction

The concept of a proxy signature was first introduced in [1]. A proxy signature scheme can be considered as a variation of the ordinary digital signature scheme [2], which enables a proxy signer to generate signatures on behalf of an original signer. So far, many proxy signature schemes have been discussed [115].
In a (t, n) threshold proxy signature scheme, the original signer conditionally delegates his/her authority of singing a message to a group of n members, the so-called proxy signers. The delegation condition is that any t or more proxy signers can corporately sign a message on behalf of the original signer, while any group of signers with less than t members cannot do so [115]. In general, a secure (t, n) threshold proxy signature scheme has the following inevitable properties: unforgeability, non-repudiation, secrecy, proxy protection, time constraint, and known signers. The unforgeability property is to ensure that any group of proxy signers with less than t members can never sign any message on behalf of the original signer. “Non-repudiation property” means that the proxy group cannot repudiate any proxy signature created by them, and the original signer cannot deny that he/she has delegated his/her authority of signing a message to the proxy group.
In 2004, Yang et al. [14] proposed a new threshold proxy signature scheme, which was more efficient than the previous one. In 2009, Hu and Zhang [5] presented frame and public-key substitute attacks on Yang’s scheme. This security leakage was treated in that paper. In this paper, we found the weakness of warrant in Yang and Hu’s schemes. A warrant attack is when a malicious original signer or any proxy signer can forge valid proxy signatures by changing the warrant mW. So far, various kinds of warrant attacks on proxy signature schemes have been discussed [3,7,11,13]. In this paper, we point out that both Yang and Hu’s schemes still have some security weaknesses, which cannot resist warrant attacks. To remedy these weaknesses, we propose two new improvements for these schemes with higher safety. The rest of this paper is laid out as follows: In Section 2, we review Yang’s scheme. In Section 3, we point out the security leak inherent in Yang’s scheme. In Sections 4 and 5 we review Hu’s scheme and show that it cannot resist a warrant attack, and we propose a method to eliminate this weakness. A novel improvement for Yang’s scheme is proposed in Section 6. In Section 7, we analyze the security of our scheme. The performance of the proposed scheme is discussed in Section 8. Finally, we give our conclusions in Section 9.

2. Brief Review of Yang’s Scheme

In this section, we briefly review Yang’s scheme [14]. The scheme consists of 4 phases: initialization, proxy share generation, proxy signature generation, and proxy signature verification.

2.1 Initialization Phase

Let p be a large prime, q be a prime divisor of p – 1, g be a generator of order q in p*, and h(.) be a secure one-way hash function. The parameters (p,q,g) are public. Suppose that P0 stands for the original signer, and let G = {P1, P2, …, Pn} be the proxy group of n proxy signers. The original signer P0 determines its private key by choosing an arbitrary x0q* and the public key as y0 = gx0modp. By the same way, each proxy signer PiG owns its private key xiq* and public key yi = gximodp, which are certified by the certificate authority (CA). Let mW stand for a warrant that records the parameters t, n, the valid delegation time, and the identities of the original and proxy signers of the proxy group, etc. Also, ASID denotes the identities of the actual proxy signers.

2.2 Proxy Share Generation Phase

The original signer P0 chooses a random integer kq* and then computes K = gkmodp. Then, P0 computes σ = x0h(mW,K) + kmodq as the proxy group’s key and reports (σ,mW,K) to the proxy signers of G. After receiving (σ,mW,K), each proxy signer PiG checks whether the equation gσ=y0h(mW,K)Kmodp holds or not. If it holds, each Pi regards σ as its proxy key.

2.3 Proxy Signature Generation Phase

For convenience, let D = {P1, P2, …, Pt} be the t actual proxy signers, ASID be the identities of them, C be the receiver, and m be the message to be signed. Then, D as a proxy group performs the following steps: 1) each PiD chooses a random integer kiq*, and then computes and reports ri; = gkimodp; 2) after receiving rj (j = 1,2, …, t, ji), each PiD computes R=j=1trjmodp and then St = kiR + (t−1σ + xi)h(R,m,ASID)modq; 3) they send Si to the designated receiver C via a secret channel; and 4) after receiving Si, the receiver C checks whether the following equation holds:
(1)
gSi=riR[(Ky0h(mW,K))t-1yi]h(R,m,ASID)modp.
If it holds, (riSi) is a valid partial proxy signature; then he computes S=i=1tSimodq. Therefore, (R, S, K, mW, ASID) is the threshold proxy signature of the message m.

2.4 Proxy Signature Verification Phase

From mW, the verifier can get the threshold value t, and from ASID, he can know the number of actual proxy signers. The verifier checks the validity of the proxy signature (R, S, K, mW, ASID) for the message m by checking the validity of the following equation
(2)
gS=RR(Kyoh(mW,K)i=1tyi)h(R,m,ASID)modp.

3. Our Attacks on Yang’s Scheme

In this section, we show that Yang’s scheme cannot resist warrant attacks (i.e., the warrant mw in the proxy signature can be replaced by any other warrant the adversary wants). Therefore, the adversary can forge a valid proxy signature.

3.1 Case 1

In this case, we describe that after intercepting a valid proxy signature (R,S,K,mW,ASID), an adversary (each malicious original or proxy signer) can change mW, yi and forge a proxy signature S (without knowing or changing secret partial signature Sj).
Without loss of generality, assume that P1 is a malicious proxy signer who decides to forge a threshold proxy signature of a message m. Although, P1 cannot generate a valid warrant mW of the original signer, he can generate a valid warrant mW. As a result, he can change the content of the warrant such as the threshold value t, the time constraint, etc.
Assume that P1 decides to forge a threshold proxy signature of m and claim that it is generated by t′ proxy signers D′ = {P1,P2, …, Pt}, while the proxy group D′ knows nothing about the decision. Let ASID′ be the identities of the group D′. First, P1 generates the warrant mW as he wants, chooses two random integers α, βq*, and computes:
(3)
R=gβmodp,K=gαmodp.
Then, he computes
(4)
y1=y0-h(mW,K)(i=2tyi)-1modp,
and requests CA to replace his public key by y1. Next he computes:
(5)
S=βR+αh(R,m,ASID)modp.
Since:
(6)
gS=gβRgαh(R,m,ASID)modp=RRgαh(R,m,ASID)=RR(Kyoh(mW,K)i=1tyi)(R,m,ASID)
(R′,S′, K′, mW, ASID′) is a valid threshold proxy signature of the message m. This kind of attack can be prevented using a policy such as restricting the proxy to update their keys or if CA asks P1 for the Zero-Knowledge Proof of his private key x′1 associated to new public key y1.

3.2 Case 2

In 2007, Shao et al. [11], proposed another warrant attack on Yang’s scheme. In this case, we review this attack. Shao described how after intercepting a valid proxy signature (R,S,K,mW,ASID) an adversary (each malicious original or proxy signer) can change mW, σ and forge a proxy signature S (without knowing or changing secret partial signature Sj) in Yang’s scheme.
Suppose that a malicious original signer P0 decides to forge a proxy signature generated by the proxy group D = {P1,P2, …, Pt}. Let ASID be the identities of D. Let (R,S,K,mW,ASID) be a legal proxy signature of a message m generated by D on behalf of P0. The malicious original signer P0 can change the content of the warrant, such as the time constraint. P0 forges a new warrant mW as he wants, chooses an integer kq* and computes K′ = gk′modp. Then, P0 computes σ=x0h(mW,K)+kmodq and:
(7)
S=S+(σ-σ)h(R,m,ASID)modq.
Then, (R,S′,K′, mW,ASID′) can pass the verification equation, since:
(8)
gS=gSg(σ-σ)h(R,m,ASID)=gi=1tSig(σ-σ)h(R,m,ASID)=gi=1t(kiR+xih(R,m,ASID))gσh(R,m,ASID)=RR(Kyoh(mW,K)i=1tyi)h(R,m,ASID)modp.

4. Brief Review of Hu’s Scheme

In this section, we review Hu’s scheme [5]. The scheme consists of 4 phases: initialization, proxy share generation, proxy signature generation, and proxy signature verification.

4.1 Initialization Phase

The system parameters are the same as those in Section 2.1. However, the only difference is that in Hu’s scheme, CA requires that the original signer P0 and each proxy signer Pi(1≤ in) offer the Zero-Knowledge Proof of its private key associated with its public key as follows: 1) CA randomly chooses eq*, computes E = gemodp, and sends E to P0 to each Pi; 2) then, Pi, for i = 0, 1, ..., n, computes Li=Eximodp, and sends Li to CA; and 3) for each i = 0,1, ..., n, the certificate authority (CA) checks the equation yie=Li; if it holds, CA accepts their certification, otherwise he refuses it.

4.2 Proxy Share Generation Phase

The original signer P0 chooses a random integer kq* and then computes K = gkmodp. Then, P0 computes σ = x0h(mw,K) + kKmodq as the proxy group’s key. Accordingly, its public key is Q = gσmodp. Then, P0 chooses a t − 1 degree polynomial f(x) = σ + a1x + ··· + ai−1xt−1modp and computes Ri = f(yi)modp as each proxy signer secret key. He computes Qi = gRimodp, Aj = gσj modp and sends (yi,Ri,mw,K) to each proxy signer Pi via a secret channel and broadcasts Qi,Aj. After receiving (yi,Ri,mw,K), each proxy signer PiG checks whether the equation gRi=KKyoh(mW,K)l=1t-1Alyilmodp holds or not.

4.3 Proxy Signature Generation Phase

For convenience, let D = {P1, P2,...,Pt} be the t actual proxy signers, ASID be the identities of them, C be the receiver, and m be the message to be signed. Then, D as a proxy group performs the following steps: 1) each PiD chooses a random integer kiq* and then computes and reports ri = gkimodp; 2) after receiving rj (j = 1,2,... ,t, ji), each PiD computes R=j=1trjmodp and the Si = kiR + (RiWi+ xi)h(R, m, ASID) modq, where Wi=j=1,jityjyj-yi
; 3) each Pi sends Si to the designated receiver C via a secret channel; and 4) after receiving Si, the receiver C checks whether the following equation holds:
(9)
gSi=riR[QiWiyi]h(R,m,ASID)modp
If it holds, C computes S=i=1tSimodq. Therefore, (R, S, K, mw, ASID) is the threshold proxy signature of the message m.

4.4 Proxy Signature Verification Phase

The verifier checks the validity of the proxy signature (R, S, K, mw, ASID) for the message m by checking the validity of the following equation:
(10)
gS=RR(KKyoh(mW,K)i=1tyi)h(R,m,ASID)modp.

5. Warrant Attack on Hu’s Scheme

5.1 Warrant Attack

In the following section, we show that Hu’s scheme cannot resist warrant attacks, similarly to how we did so in Subsection 3.2. After intercepting a valid proxy signature generated by a subset of a proxy group, a malicious original signer can change the warrant and forge new proxy signatures.
Suppose that a malicious original signer P0 wants to forge proxy signatures generated by the proxy group D = {P1, P2, ..., Pt}. Let ASID be the identities of D. Let (R,S,K,mw,ASID) be a legal proxy signature of a message m generated by D on behalf of P0. The malicious original signer P0 can change the content of the warrant, such as the time constraint, etc. P0 forges a new warrant mW as he wants, chooses an integer kq*, and computes K′ = gk′ modp. Then, P0 computes σ=x0h(mW,K)+kKmodq and replaces Q = gσ modp with Q′ = gσ′modp,Qi = gRimodp for 1≤ i ≤ n, and Aj for an arbitrary 1 ≤ j ≤ t,j ≠ i with arbitrary numbers Qi for 1 ≤ i ≤ n and Aj, respectively. Then, P0 computes:
(11)
S=S+(σ-σ)h(R,m,ASID)modq.
Similarly, (R,S′,K′, mW, ASID) can pass the verification equation, since:
(12)
gS=gSg(σ-σ)h(R,m,ASID)=gi=1tSig(σ-σ)h(R,m,ASID)=gi=1tkiR+(RiWi+xi)h(R,m,ASID)g(σ-σ)h(R,m,ASID)=RR(gσi=1tyi)h(R,m,ASID)g(σ-σ)h(R,m,ASID)=RR(gσi=1tyi)h(R,m,ASID)=RR(KKyoh(mW,K)i=1tyi)h(R,m,ASID)modp.

5.2 Our Improvement

In order to protect Hu’s scheme against the above attack, we recommend that the partial signature Si be replaced by:
(13)
Si=kiR+(RiWi+xi)h(R,m,mW,ASID),
the partial signature verification equation is replaced by:
(14)
gSi=riR[QiWiyi]h(R,m,mW,ASID)modp,
and the threshold proxy signature verification equation is replaced by:
(15)
gS=RR(KKyoh(mW,K)i=1tyi)h(R,m,mW,ASID)
Since mw is a part of Si, it is impossible for anyone to change mw and forge a proxy signature after intercepting a valid proxy signature (R, S, K, mw, ASID). Thus, a malicious original signer cannot forge a valid threshold proxy signature by a warrant attack.

6. A Novel Proxy Signature Scheme

In this section, we propose an improvement to the Yang scheme. Our scheme can be divided into 4 phases: initialization, proxy share generation, proxy signature generation, and proxy signature verification.

6.1 Initialization Phase

This phase is similar to Hu’s scheme, CA requires that the original signer P0 and each proxy signer Pi(1≤ i ≤ n) offer the Zero-Knowledge Proof of its private key associated with its public key as follows: CA randomly chooses aq*, computes A = gamodp, and sends A to P0 to each Pi. Then, Pi for i = 0,1,..., n computes Ai = AXimodp and sends Ai to CA. For each i = 0,1,..., n, the CA checks the equation yia=Ai. If it holds, CA accepts their certification, otherwise he refuses it.

6.2 Proxy Share Generation Phase

This phase is the same as that in Subsection 2.2.

6.3 Proxy Signature Generation Phase

For convenience, let D = {P1, P2,...,Pt} be t actual proxy signers, ASID the identities of these t proxy signers, C the receiver of partial signatures, and m a message to be signed. Then D, as a proxy group, performs the following steps: 1) each PiD chooses a random kiq* and then computes and broadcasts ri = gkimodp; 2) after receiving rj (j = 1,2,..., t,j ≠ i), each Pi ∈ D computes:
(16)
R=j=1trjmodp,
(17)
Si=ki+(t-1σ+xiK)h(R,m,mW,ASID)modq.
3) then, he sends Si to the designated receiver C via a secret channel; and 4) after receiving Si, the receiver C checks whether the following equation holds:
(18)
gSi=ri[(Ky0h(mW,K))t-1yiK]h(R,m,mW,ASID)modp.
If it holds, (ri,Si) is a valid partial proxy signature, and then he computes S=i=1tSi. Therefore, (R, S, K, mW, ASID ) is the threshold proxy signature of the message m.

6.4 Proxy Signature Verification Phase

The verifier checks the validity of the proxy signature (R,S, K, mW, ASID) for the message m by the following equation:
(19)
gS=R[Kyoh(mW,K)(i=1tyi)K]h(R,m,mW,ASID)modp.

7. Security Analysis

In the following section, we first proof some lemma and theorems and then examine the security of the proposed scheme (subsections 7.1–7.6).
Lemma 1. If i=1tyi=gcmod p, and gr=K=(i=1tyi)-Kgαmod p, then K′ = (α − r)c−1 mod q.

Proof

Indeed, we have:
(20)
gr=K=(i=1tyi)-Kgαmod p=g-cKgαmod p=g-cK+αmod p.
Thus, K′ = (α − r)c1 mod q.
Theorem 2. (R′,S′,K′,mW, ASID) given by:
(21)
R=gβmod p,K=(i=1tyi)-Kgαmod p,         andS=β+[α+x0h(mw,K)]h(R,m,mW,ASID).
is a valid proxy signature.

Proof

It is a valid proxy signature of the message m because:
(22)
gS=gβ(gα+x0h(mw,K))h(R,m,mW,ASID)=R(Ky0h(mW,K)(i=1tyi)K)h(R,m,mW,ASID).
Theorem 3. If y1=(y0h(mWK)(i=2tyi)K)-K-1mod p, then (R′,S′,K′ ,mw, ASID) given by:
(23)
R=gβmod p,K=gαmod p,andS=β+αh(R,m,mW,ASID)mod q,
is a valid proxy signature.

proof

It is a valid proxy signature of the message m because:
(24)
gS=gβgαh(R,m,mW,ASID)=gβ(gαy0h(mW,K)y0-h(mW,K)(i=2tyi)K(i=2tyi)-K)h(R,m,mW,ASID)=R(Ky0h(mW,K)(i=1tyi)K)h(R,m,mW,ASID).
Next, we examine the security of the proposed scheme.

7.1 Secrecy

In the proposed scheme, both signing and verification are based on discrete logarithm problems. Hence, no one can compute the original signer’s private key x0 from his/her public key y0 = gx0 mod p. Similarly, no one can compute the original signer’s private key x0 from A0 = Ax0 mod p. On the other hand, no one can compute x0 from the group proxy signature key σ = x0h(mw,K) + k mod q, because the parameter σ is computed by the Schnorr signature scheme, which is a provable secure random oracle model. Therefore, the original signature’s private key can be kept secretly and be reused during the span of the system.
Based on discrete logarithms, it is virtually impossible to obtain any proxy signer’s secret key xi from the corresponding public key yi = gXi mod p or from Ai = AXi mod p. Again, according to the Schnorr signature scheme, no one can compute xi from the partial proxy signature Si = ki + (t1 σ + xiK)h(R,m,mw, ASID). Hence, our scheme preserves the security.

7.2 Proxy Protection

Although the proxy signing key σ is created by the original signer, the original signer cannot compute the partial proxy signature,
(25)
Si=ki+(t-1σ+xiK)h(R,m,mW,ASID).
The original signer does not know Pt’s private key xi, so according to the Schnorr signature scheme, it is very difficult for anyone to generate the partial proxy signature Si of m. For the security of the Schnorr signature scheme, the random number ki should not be reused with a different plain text. Therefore, the original signer cannot masquerade as a proxy signer to create a partial proxy signature. This protects the authority of the proxy signer.

7.3 Unforgeability

An intruder may try to derive a forged proxy signature by various ways. In the subsections below we will show that our scheme is secure against various attacks.

Attack 1

An attacker may try to derive Pi’s private key xi from Si.
  • Analysis: Once Pi broadcasts Si, the intruder cannot derive xi from Si because the random number ki is unknown.

Attack 2

An attacker may try to forge Pi’s partial signature Si.
  • Analysis: Without the proxy signing key σ and Pi’s private key xi, no one can forge the proxy signer Pi to construct Si = ki + (t1 σ + xiK)h(R,m,mw,ASID) modq.

Frame attack

A malicious original signer P0, without any knowledge about Pi’s private key xi, may try to forge a valid general proxy signature (R′,S′,K′,mw,ASID) for his/her arbitrary chosen message m’ and dishonestly claim that it is generated by other t proxy signers D = {P1, P2,..., Pt}.
  • Analysis: Let ASID be the identities of D. For this purpose, P0 can choose random integers α, βq* and compute R′ = gβ mod p. Now, according to Theorem 2, P0 should determine:

    (26)
    K=(i=1tyi)-Kgαmodp,
    and:
    (27)
    S=β+[α+x0h(mW,K)]h(R,m,mW,ASID).
However, according to Lemma 1, P0 should solve the discrete logarithm problem i=1tyi=gc in order to compute K′. Thus, P0 cannot forge a valid general proxy signature of any message m′ that is generated by D.

Public key substitute attack

Without the loss of generality, suppose that a malicious proxy signer P1 decides to forge a general proxy signature scheme of a message m′ by himself or herself, without the assistance of other proxy signers.
  • Analysis: For this purpose, according to Theorem 3, P1 chooses random α, βq* and computes

    (27)
    R=gβmod p,K=gαmod p,S=β+αh(R,m,mW,ASID)mod q,y1=(y0h(mW,K)(i=2tyi)K)-K-1mod p.
Then he wants CA to replace his public key with the above y1. The certificate authority, CA, again asks P1 for the Zero-Knowledge Proof of his private key x′1 associated to new public key y1, but P1 cannot obtain x′1, s.t. y1 = gx′1 mod p because of the difficulty of solving the discrete logarithm problem. Hence, P1 cannot again perform a Zero-Knowledge Proof with CA when he changes his public key.

Warrant attack

After intercepting a valid proxy signature (R, S, K, mw, ASID) the adversary may try to replace (mw, σ) with (m′w, σ′).
  • Analysis: However, mw is protected under the hash function, h(R,m,mw,ASID) in the individual signature Si = ki + (t1σ + xiK)h(R,m,mW, ASID)mod q. So, the probability of obtaining m′w such that h(R,m,mW,ASID) = h(R,m,mW,ASID) is equivalent to performing an exhaustive search on m′w. Thus, after intercepting a valid proxy signature (R,S,K,mw,ASID), it is impossible for anyone to change (mw, σ) Hence, our scheme can resist Shao’s warrant attack.

Warrant attack

An attacker may generate a warrant mw′ and try to forge a threshold proxy signature of a message m′.
  • Analysis: For this purpose, similar to Theorem 2, P1 chooses random α, βq* and computes:

    (29)
    R=gβmod p,K=gαmod p,S=β+αh(R,m,mW,ASID)mod q,y1=(y0h(mW,K)(i=2tyi)K)-K-1mod p.
Then, he wants CA to replace his public key with the above y1. The certificate authority, CA, again asks P1 for the Zero-Knowledge Proof of his private key x′1 associated with the new public key y1. However, P1 cannot obtain x′1, s.t. y1 = gx′1 mod p because of the difficulty of solving the discrete logarithm problem. Hence, P1 cannot again perform the Zero-Knowledge Proof with CA when he changes his public key.
Similarly, no proxy signer Pi can forge a valid threshold proxy signature with this type of attack.

Attack 7

t − 1 or fewer proxy signers may try to sign a message m.
  • Analysis: The attackers may try to derive a forged proxy signature by using the previous attacks. But, we have shown that all attacks fail on our scheme. The proxy signature can be only generated by any t or more delegated proxy signers. Since the threshold value t is defined in the warrant mw, if the number of actual proxy signers does not achieve t, the proxy signature is invalid. Furthermore, as discussed above, we know that our improved scheme can resist warrant attacks. Therefore, our scheme satisfies the property of unforgeability.

7.4 Non-repudiation

The property of non-repudiation is that both the original signer and the actual proxy signers cannot deny the generation of a valid proxy signature. Any valid proxy signature (R,S,K,mw,ASID) of a message m should be generated by t or more proxy signers. This is because only Pi has the private key xi. Thus, Pi cannot deny signing the partial proxy signature. Moreover, the warrant mw and K are created by the original signer. The original signer cannot deny the proxy signers the power of signing messages. Therefore, the valid proxy signature can be signed on behalf of the original signer. Hence, both the original signer and the actual proxy signers cannot deny generating the valid proxy signature.

7.5 Time Constraint

Time constraint means the time during which the signing power of the proxy group is valid. In our scheme, only the original signer creates the warrant mw, which contains the time constraint, and it is impossible for anyone to change mw. In the verification stage, the verifier checks whether or not the warrant has expired. Therefore, our scheme satisfies the property of time constraint.

7.6 Known Signers

Finally, from ASID, the verifier can notice who the actual signers are. In our scheme, any receiver is able to identify the actual signers in the proxy group. Furthermore, the adversary cannot replace ASID by ASID′ satisfying h(R,m,mw,ASID) = h(R,m,mW, ASID′). Since h(·) is a collision resistant hash function, it is computationally infeasible to get such an ASID′. Therefore, our scheme satisfies the property of known signers.
From what has been analyzed above, we are certain that the necessary requirements of the (t, n) threshold proxy signature scheme are fulfilled in our scheme. Moreover, we compared the security of our scheme with the threshold proxy signature schemes proposed in [5,11,14] and summarized the results in Table 1.

8. Performance

In this section, we compare the complexity of the new proxy signature scheme with that of the threshold proxy signature schemes proposed in [4,5,11,12,14]. The results are summarized in Tables 2 and 3. For convenience, the following notations were used to analyze computational complexity.
  • Te the time for one exponentiation computation.

  • Tm the time for one mod ular multiplication computation.

  • TH the time for hash function computation.

  • Ti the time for one inverse computation.

The time complexities for modular exponentiation, multiplication, and inverse computation are 0(log3p), 0(log2p), and 0(log2p), respectively. As shown in Table 2, the computational complexity of our presented scheme for share generation, signature generation, and signature verification are 3Te + 2Tm + TH,(3t + 2)Te + (2t + 3)Tm + 2TH + Ti, and 3Te + (t + 2)Tm + 2TH, respectively, which are less than those of previous schemes. Also, from Table 3, we can see that the overall computation costs of our improved scheme is (3t + Q)Te + (3t + 7)Tm + 5TH + Ti, which is less than that of previous schemes.
Therefore, our scheme can reduce computation costs, and it is the most efficient and the most secure non-repudiable threshold proxy signature scheme with known signers.
Also, a comparison of our attacks with the previous attacks on Yang’s scheme is given in Table 4.

9. Conclusion

In this paper, we have pointed out the both Yang and Hu’s schemes still have some security weaknesses, which cannot resist warrant attacks. Finally, to remedy these weaknesses, we proposed new improvements for these schemes.

Biography

Samaneh Mashhadi
jips-12-2-249i1.gif
She was born in Tafresh, Iran, on March 27, 1982. She received the B.Sc. and M.Sc. degrees with honors in Mathematics from Iran University of Science and Technology (IUST), and Amirkabir University of Technology (AUT) in 2003 and 2005, respectively. She received her Ph.D. with honors in Mathematics (Cryptography) in 2008 from IUST. She is currently an Assistant Professor in Department of Mathematics of IUST. She is a member of IMS as well. Her research is the analysis, design, and application of digital signatures, secret sharing schemes, security protocols, etc.

References

1. M. Mambo, K. Usuda, and E. Okamoto, "Proxy signature: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 79A, no. 9, pp. 1338-1354, 1996.

2. S. Huang, and CH. Shi, "A simple multi-proxy signature scheme," in Proceedings of the 10th National Conference on Information Security, Hualien, Taiwan, 2000, pp. 134-138.

3. H. Bao, Z. Cao, and S. Wang, "Improvement on Tzeng et al.’s nonrepudiable threshold multi-proxy multi-signature scheme with shared verification," Applied Mathematics and Computation, vol. 169, no. 2, pp. 1419-1430, 2005.
crossref
4. C. Hsu, T. Wu, and T. Wu, "New nonrepudiable threshold proxy signature scheme with known signers," Journal of Systems and Software, vol. 58, no. 2, pp. 119-124, 2001.
crossref
5. J. Hu, and J. Zhang, "Cryptanalysis and improvement of a threshold proxy signature scheme," Computer Standards and Interfaces, vol. 31, no. 1, pp. 169-173, 2009.
crossref
6. HF. Huang, and CC. Chang, "A novel efficient (t,n) threshold proxy signature scheme," Information Sciences, vol. 176, no. 10, pp. 1338-1349, 2006.
crossref
7. S. Mashhadi, "Analysis of frame attack on Hsu et al.’s non-repudiable threshold multi-proxy multi-signature scheme with shared verification," Scientia Iranica, vol. 19, no. 3, pp. 674-679, 2012.
crossref
8. S. Mashhadi, "A novel non-repudiable threshold proxy signature scheme with known signers," International Journal of Network Security, vol. 15, no. 4, pp. 231-236, 2013.

9. S. Mashhadi, and M. Abdi, "A Secure non-repudiable general proxy signature," International Journal of Cyber-Security and Digital Forensics, vol. 4, no. 2, pp. 380-389, 2015.
crossref
10. S. Mashhadi, "A novel secure self proxy signature scheme," International Journal of Network Security, vol. 14, no. 1, pp. 22-26, 2012.

11. J. Shao, Z. Cao, and R. Lu, "Improvement of Yang et al.’s threshold proxy signature scheme," Journal of Systems and Software, vol. 80, no. 2, pp. 172-177, 2007.
crossref
12. HM. Sun, "An efficient nonrepudiable threshold proxy signature scheme with known signers," Computer Communications, vol. 22, no. 8, pp. 717-722, 1999.
crossref
13. Z. Tan, Z. Liu, and M. Wang, "On the security of some nonrepudiable threshold proxy signature schemes," in Information Security Practice and Experience, Heidelberg: Springer, 2005, pp. 374-385.
crossref
14. CY. Yang, SF. Tzeng, and MS. Hwang, "On the efficiency of nonrepudiable threshold proxy signature scheme with known signers," Journal of Systems and Software, vol. 73, no. 3, pp. 507-514, 2004.
crossref
15. K. Zhang, "Threshold proxy signature schemes," in Information Security, Heidelberg: Springer, 1997, pp. 191-197.
crossref

Table 1
Security comparison of threshold schemes with proposed scheme
Security features Yang Shao Hu Our scheme
Secrecy Yes Yes Yes Yes
Proxy protection Yes Yes Yes Yes
Unforgeability No No Yes Yes
Non-repudiation No No Yes Yes
Time constraint No Yes Yes Yes
Known signers No No Yes Yes
Secure channel No No No No
Scheme can resist frame attacks No No Yes Yes
Scheme can resist public-key substitute attacks No No Yes Yes
Scheme can resist warrant attacks No Yes Yes Yes
At least t proxy signers can generate valid proxy signature No No Yes Yes
Table 2
Computational complexities
Scheme Share generation Signature generation Signature verification
Sun [12] (5n + 2t)Te + (nt + 2t)Tm + TH (4t2 − t)Te + (10t2 14t)Tm + 2TH+ (t2 − t)Ti 4Te + tTm + 2TH
Hsu et al. [4] (5n + 2t)Te + (nt + 2t)Tm + TH (t2 + 4t)Te + (4t2 + 2t)Tm + 2TH + t2Ti 4Te + tTm + 2TH
Yang et al. [14] 3Te + 2Tm + TH 4tTe + 3tTm + 2TH + Ti 4Te + tTm + 2TH
Shao et al. [11] 3Te + 2Tm + TH 4tTe + 3tTm + 2TH 4Te + tTm + 2TH
Hu and Zhang [5] (4n + t)Te + ntTm + TH 4tTe + 3tTm + 2TH 5Te + tTm + 2TH
Present study 3Te + 2Tm + TH 3tTe + 2tTm + 2TH + Ti 3Te + tTm + 2TH
Table 3
Overall computational complexities
Scheme Overall
Sun [12] 4t2Te + (10t2 + (n−11)t)Tm + 5TH + t2)Ti
Hsu et al. [4] (4t2 + 5n)Te + (4t2 + (n + 5)t)Tm + 5TH + (t2 1)Ti
Yang et al. [14] (4t + 9)Te + (4t + 7)Tm + 5TH + Ti
Shao et al. [11] (4t + 9)Te + (4t + 7)Tm + 5TH
Hu and Zhang [5] (4n + 5t)Te + ((n + 4)t)Tm + 5TH
Present study (3t + 8)Te + (3t + 7)Tm + 5TH +Ti
Table 4
Comparison of attacks
Attack on Attack Method of attack
Yang scheme Frame attack [13] mm′, but yi, mw are constant
Yang scheme Warrant attack [11] mWmW, but yi, m are constant
Yang scheme Public-key attack [5] mm′, yiyi but mw is constant
Yang scheme Warrant attack (present study) mWmW,yiyi, but m is constant
Hu scheme Warrant attack (present study) mWmW, but yi, m are constant