Analysis of Warrant Attacks on Some Threshold Proxy Signature Schemes

Article information

Journal of Information Processing Systems. 2016;12(2):249-262

Publication date (electronic) : 2016 June 30

doi : https://doi.org/10.3745/JIPS.03.0050

Samaneh Mashhadi

^*Dept. of Mathematics, Iran University of Science & Technology, Tehran, Iran (smashhadi@iust.ac.ir)

Corresponding Author: Samaneh Mashhadi (smashhadi@iust.ac.ir)

Received 2015 January 28; Revised 2015 June 29; Accepted 2015 August 28.

Abstract

In 2004, Yang et al. proposed a threshold proxy signature scheme that efficiently reduced the computational complexity of previous schemes. In 2009, Hu and Zhang presented some security leakages of Yang’s scheme and proposed an improvement to eliminate the security leakages that had been pointed out. In this paper, we will point out that both Yang and Hu’s schemes still have some security weaknesses, which cannot resist warrant attacks where an adversary can forge valid proxy signatures by changing the warrant m_W. We also propose two secure improvements for these schemes.

Keywords: Non-repudiation; Proxy Signature Scheme; Signature Scheme; Threshold Proxy Signature; Unforgeability

1. Introduction

The concept of a proxy signature was first introduced in [1]. A proxy signature scheme can be considered as a variation of the ordinary digital signature scheme [2], which enables a proxy signer to generate signatures on behalf of an original signer. So far, many proxy signature schemes have been discussed [1–15].

In a (t, n) threshold proxy signature scheme, the original signer conditionally delegates his/her authority of singing a message to a group of n members, the so-called proxy signers. The delegation condition is that any t or more proxy signers can corporately sign a message on behalf of the original signer, while any group of signers with less than t members cannot do so [1–15]. In general, a secure (t, n) threshold proxy signature scheme has the following inevitable properties: unforgeability, non-repudiation, secrecy, proxy protection, time constraint, and known signers. The unforgeability property is to ensure that any group of proxy signers with less than t members can never sign any message on behalf of the original signer. “Non-repudiation property” means that the proxy group cannot repudiate any proxy signature created by them, and the original signer cannot deny that he/she has delegated his/her authority of signing a message to the proxy group.

In 2004, Yang et al. [14] proposed a new threshold proxy signature scheme, which was more efficient than the previous one. In 2009, Hu and Zhang [5] presented frame and public-key substitute attacks on Yang’s scheme. This security leakage was treated in that paper. In this paper, we found the weakness of warrant in Yang and Hu’s schemes. A warrant attack is when a malicious original signer or any proxy signer can forge valid proxy signatures by changing the warrant m_W. So far, various kinds of warrant attacks on proxy signature schemes have been discussed [3,7,11,13]. In this paper, we point out that both Yang and Hu’s schemes still have some security weaknesses, which cannot resist warrant attacks. To remedy these weaknesses, we propose two new improvements for these schemes with higher safety. The rest of this paper is laid out as follows: In Section 2, we review Yang’s scheme. In Section 3, we point out the security leak inherent in Yang’s scheme. In Sections 4 and 5 we review Hu’s scheme and show that it cannot resist a warrant attack, and we propose a method to eliminate this weakness. A novel improvement for Yang’s scheme is proposed in Section 6. In Section 7, we analyze the security of our scheme. The performance of the proposed scheme is discussed in Section 8. Finally, we give our conclusions in Section 9.

2. Brief Review of Yang’s Scheme

In this section, we briefly review Yang’s scheme [14]. The scheme consists of 4 phases: initialization, proxy share generation, proxy signature generation, and proxy signature verification.

2.1 Initialization Phase

Let p be a large prime, q be a prime divisor of p – 1, g be a generator of order q in ℤp*, and h(.) be a secure one-way hash function. The parameters (p,q,g) are public. Suppose that P₀ stands for the original signer, and let G = {P_1, P₂, …, P_n} be the proxy group of n proxy signers. The original signer P₀ determines its private key by choosing an arbitrary x0∈ℤq* and the public key as y₀ = g^x^₀modp. By the same way, each proxy signer P_i ∈ G owns its private key xi∈ℤq* and public key y_i = g^x_imodp, which are certified by the certificate authority (CA). Let m_W stand for a warrant that records the parameters t, n, the valid delegation time, and the identities of the original and proxy signers of the proxy group, etc. Also, ASID denotes the identities of the actual proxy signers.

2.2 Proxy Share Generation Phase

The original signer P₀ chooses a random integer k∈ℤq* and then computes K = g^kmodp. Then, P₀ computes σ = x₀h(m_W,K) + kmodq as the proxy group’s key and reports (σ,m_W,K) to the proxy signers of G. After receiving (σ,m_W,K), each proxy signer P_i ∈ G checks whether the equation gσ=y0h(mW,K)Kmodp holds or not. If it holds, each P_i regards σ as its proxy key.

2.3 Proxy Signature Generation Phase

For convenience, let D = {P₁, P₂, …, P_t} be the t actual proxy signers, ASID be the identities of them, C be the receiver, and m be the message to be signed. Then, D as a proxy group performs the following steps: 1) each P_i ∈ D chooses a random integer ki∈ℤq*, and then computes and reports r_i_; = g^k_imodp; 2) after receiving r_j (j = 1,2, …, t, j ≠ i), each P_i ∈ D computes R=∏j=1trj modp and then S_t = k_iR + (t⁻¹σ + x_i)h(R,m,ASID)modq; 3) they send S_i to the designated receiver C via a secret channel; and 4) after receiving S_i, the receiver C checks whether the following equation holds:

(1) gSi=riR [(Ky0h(mW,K))t-1yi]h(R,m,ASID) modp.

If it holds, (r_iS_i) is a valid partial proxy signature; then he computes S=∑i=1tSimodq. Therefore, (R, S, K, m_W, ASID) is the threshold proxy signature of the message m.

2.4 Proxy Signature Verification Phase

From m_W, the verifier can get the threshold value t, and from ASID, he can know the number of actual proxy signers. The verifier checks the validity of the proxy signature (R, S, K, m_W, ASID) for the message m by checking the validity of the following equation

(2) gS=RR (Kyoh(mW,K)∏i=1tyi)h(R,m,ASID) modp.

3. Our Attacks on Yang’s Scheme

In this section, we show that Yang’s scheme cannot resist warrant attacks (i.e., the warrant m_w in the proxy signature can be replaced by any other warrant the adversary wants). Therefore, the adversary can forge a valid proxy signature.

3.1 Case 1

In this case, we describe that after intercepting a valid proxy signature (R,S,K,m_W,ASID), an adversary (each malicious original or proxy signer) can change m_W, y_i and forge a proxy signature S (without knowing or changing secret partial signature S_j).

Without loss of generality, assume that P₁ is a malicious proxy signer who decides to forge a threshold proxy signature of a message m. Although, P₁ cannot generate a valid warrant m_W of the original signer, he can generate a valid warrant mW′. As a result, he can change the content of the warrant such as the threshold value t, the time constraint, etc.

Assume that P₁ decides to forge a threshold proxy signature of m and claim that it is generated by t′ proxy signers D′ = {P₁,P₂, …, P_t}, while the proxy group D′ knows nothing about the decision. Let ASID′ be the identities of the group D′. First, P₁ generates the warrant mW′ as he wants, chooses two random integers α, β∈ℤq*, and computes:

(3) R′=gβmodp, K′=gαmodp.

Then, he computes

(4) y1=y0-h(mW′,K′)(∏i=2t′yi)-1modp,

and requests CA to replace his public key by y₁. Next he computes:

(5) S′=βR′+αh(R′,m,ASID′)modp.

Since:

(6) gS′=gβR′ gαh(R′,m,ASID′)modp=R′R′ gαh(R′,m,ASID′)=R′R′ (K′yoh(mW′,K′)∏i=1t′yi)(R′,m,ASID′)

(R′,S′, K′, mW′, ASID′) is a valid threshold proxy signature of the message m. This kind of attack can be prevented using a policy such as restricting the proxy to update their keys or if CA asks P₁ for the Zero-Knowledge Proof of his private key x′₁ associated to new public key y₁.

3.2 Case 2

In 2007, Shao et al. [11], proposed another warrant attack on Yang’s scheme. In this case, we review this attack. Shao described how after intercepting a valid proxy signature (R,S,K,m_W,ASID) an adversary (each malicious original or proxy signer) can change m_W, σ and forge a proxy signature S (without knowing or changing secret partial signature S_j) in Yang’s scheme.

Suppose that a malicious original signer P₀ decides to forge a proxy signature generated by the proxy group D = {P₁,P₂, …, P_t}. Let ASID be the identities of D. Let (R,S,K,m_W,ASID) be a legal proxy signature of a message m generated by D on behalf of P₀. The malicious original signer P₀ can change the content of the warrant, such as the time constraint. P₀ forges a new warrant mW′ as he wants, chooses an integer k′∈ℤq* and computes K′ = g^k′modp. Then, P₀ computes σ′=x0h(mW′,K′)+k′modq and:

(7) S′=S+(σ′-σ)h(R,m,ASID)modq.

Then, (R,S′,K′, mW′,ASID′) can pass the verification equation, since:

(8) gS′=gSg(σ′-σ)h(R,m,ASID)=g∑i=1tSig(σ′-σ)h(R,m,ASID)=g∑i=1t(kiR+xih(R,m,ASID))gσ′h(R,m,ASID)=RR (K′yoh(mW′,K′)∏i=1tyi)h(R,m,ASID) modp.

4. Brief Review of Hu’s Scheme

In this section, we review Hu’s scheme [5]. The scheme consists of 4 phases: initialization, proxy share generation, proxy signature generation, and proxy signature verification.

4.1 Initialization Phase

The system parameters are the same as those in Section 2.1. However, the only difference is that in Hu’s scheme, CA requires that the original signer P₀ and each proxy signer P_i(1≤ i ≤n) offer the Zero-Knowledge Proof of its private key associated with its public key as follows: 1) CA randomly chooses e∈ℤq*, computes E = g^emodp, and sends E to P₀ to each P_i; 2) then, P_i, for i = 0, 1, ..., n, computes L_i=E^x_imodp, and sends L_i to CA; and 3) for each i = 0,1, ..., n, the certificate authority (CA) checks the equation yie=Li; if it holds, CA accepts their certification, otherwise he refuses it.

4.2 Proxy Share Generation Phase

The original signer P₀ chooses a random integer k∈ℤq* and then computes K = g^kmodp. Then, P₀ computes σ = x₀h(m_w,K) + kKmodq as the proxy group’s key. Accordingly, its public key is Q = g^σmodp. Then, P₀ chooses a t − 1 degree polynomial f(x) = σ + a₁x + ··· + a_i₋₁x^t−¹modp and computes R_i = f(y_i)modp as each proxy signer secret key. He computes Q_i = g^R_imodp, A_j = g^σ_j modp and sends (y_i,R_i,m_w,K) to each proxy signer P_i via a secret channel and broadcasts Q_i,A_j. After receiving (y_i,R_i,m_w,K), each proxy signer P_i ∈ G checks whether the equation gRi=KKyoh(mW,K)∏l=1t-1Alyilmodp holds or not.

4.3 Proxy Signature Generation Phase

For convenience, let D = {P₁, P₂,...,P_t} be the t actual proxy signers, ASID be the identities of them, C be the receiver, and m be the message to be signed. Then, D as a proxy group performs the following steps: 1) each P_i ∈ D chooses a random integer ki∈ℤq* and then computes and reports r_i = g^k_imodp; 2) after receiving r_j (j = 1,2,... ,t, j ≠ i), each P_i ∈ D computes R=∏j=1trjmodp and the S_i = k_iR + (R_iW_i+ x_i)h(R, m, ASID) modq, where Wi=∏j=1,j≠ityjyj-yi

; 3) each P_i sends S_i to the designated receiver C via a secret channel; and 4) after receiving S_i, the receiver C checks whether the following equation holds:

(9) gSi=riR[QiWiyi]h(R,m,ASID) modp

If it holds, C computes S=∑i=1tSimodq. Therefore, (R, S, K, m_w, ASID) is the threshold proxy signature of the message m.

4.4 Proxy Signature Verification Phase

The verifier checks the validity of the proxy signature (R, S, K, m_w, ASID) for the message m by checking the validity of the following equation:

(10) gS=RR (KKyoh(mW,K)∏i=1tyi)h(R,m,ASID) modp.

5. Warrant Attack on Hu’s Scheme

5.1 Warrant Attack

In the following section, we show that Hu’s scheme cannot resist warrant attacks, similarly to how we did so in Subsection 3.2. After intercepting a valid proxy signature generated by a subset of a proxy group, a malicious original signer can change the warrant and forge new proxy signatures.

Suppose that a malicious original signer P₀ wants to forge proxy signatures generated by the proxy group D = {P₁, P₂, ..., P_t}. Let ASID be the identities of D. Let (R,S,K,m_w,ASID) be a legal proxy signature of a message m generated by D on behalf of P₀. The malicious original signer P₀ can change the content of the warrant, such as the time constraint, etc. P₀ forges a new warrant mW′ as he wants, chooses an integer k′∈ℤq*, and computes K′ = g^k′ modp. Then, P₀ computes σ′=x0h(mW′,K′)+k′K′modq and replaces Q = g^σ modp with Q′ = g^σ′modp,Q_i = g^R_imodp for 1≤ i ≤ n, and A_j for an arbitrary 1 ≤ j ≤ t,j ≠ i with arbitrary numbers Qi′ for 1 ≤ i ≤ n and Aj′, respectively. Then, P₀ computes:

(11) S′=S+(σ′-σ)h(R,m,ASID)modq.

Similarly, (R,S′,K′, mW′, ASID) can pass the verification equation, since:

(12) gS′=gSg(σ′-σ)h(R,m,ASID)=g∑i=1tSig(σ′-σ)h(R,m,ASID)=g∑i=1tkiR+(RiWi+xi)h(R,m,ASID)g(σ′-σ)h(R,m,ASID)=RR(gσ∏i=1tyi)h(R,m,ASID)g(σ′-σ)h(R,m,ASID)=RR(gσ′∏i=1tyi)h(R,m,ASID)=RR (K′K′yoh(mW′,K′)∏i=1tyi)h(R,m,ASID) modp.

5.2 Our Improvement

In order to protect Hu’s scheme against the above attack, we recommend that the partial signature S_i be replaced by:

(13) Si=kiR+(RiWi+xi)h(R,m,mW,ASID),

the partial signature verification equation is replaced by:

(14) gSi=riR[QiWiyi]h(R,m,mW,ASID) modp,

and the threshold proxy signature verification equation is replaced by:

(15) gS=RR (KKyoh(mW,K)∏i=1tyi)h(R,m,mW,ASID)

Since m_w is a part of S_i_, it is impossible for anyone to change m_w and forge a proxy signature after intercepting a valid proxy signature (R, S, K, m_w, ASID). Thus, a malicious original signer cannot forge a valid threshold proxy signature by a warrant attack.

6. A Novel Proxy Signature Scheme

In this section, we propose an improvement to the Yang scheme. Our scheme can be divided into 4 phases: initialization, proxy share generation, proxy signature generation, and proxy signature verification.

6.1 Initialization Phase

This phase is similar to Hu’s scheme, CA requires that the original signer P₀ and each proxy signer P_i(1≤ i ≤ n) offer the Zero-Knowledge Proof of its private key associated with its public key as follows: CA randomly chooses a∈ℤq*, computes A = g^amodp, and sends A to P₀ to each P_i. Then, P_i for i = 0,1,..., n computes A_i = A^X_imodp and sends A_i to CA. For each i = 0,1,..., n, the CA checks the equation yia=Ai. If it holds, CA accepts their certification, otherwise he refuses it.

6.2 Proxy Share Generation Phase

This phase is the same as that in Subsection 2.2.

6.3 Proxy Signature Generation Phase

For convenience, let D = {P₁, P₂,...,P_t} be t actual proxy signers, ASID the identities of these t proxy signers, C the receiver of partial signatures, and m a message to be signed. Then D, as a proxy group, performs the following steps: 1) each P_i ∈ D chooses a random ki∈ℤq* and then computes and broadcasts r_i = g^k_imodp; 2) after receiving r_j (j = 1,2,..., t,j ≠ i), each P_i ∈ D computes:

(16) R=∏j=1trj modp,

(17) Si=ki+(t-1σ+xiK)h(R,m,mW,ASID)modq.

3) then, he sends S_i to the designated receiver C via a secret channel; and 4) after receiving S_i_, the receiver C checks whether the following equation holds:

(18) gSi=ri [(Ky0h(mW,K))t-1 yiK]h(R,m,mW,ASID) modp.

If it holds, (r_i,S_i) is a valid partial proxy signature, and then he computes S=∑i=1tSi. Therefore, (R, S, K, m_W, ASID ) is the threshold proxy signature of the message m.

6.4 Proxy Signature Verification Phase

The verifier checks the validity of the proxy signature (R,S, K, m_W, ASID) for the message m by the following equation:

(19) gS=R [Kyoh(mW,K)(∏i=1tyi)K]h(R,m,mW,ASID) modp.

7. Security Analysis

In the following section, we first proof some lemma and theorems and then examine the security of the proposed scheme (subsections 7.1–7.6).

Lemma 1. If ∏i=1tyi=gc mod p, and gr=K′=(∏i=1tyi)-K′gα mod p, then K′ = (α − r)c⁻¹ mod q.

Proof

Indeed, we have:

(20) gr=K′=(∏i=1tyi)-K′gα mod p=g-cK′gα mod p=g-cK′+α mod p.

Thus, K′ = (α − r)c⁻¹ mod q.

Theorem 2. (R′,S′,K′,m_W, ASID) given by:

(21) R=gβ mod p,K′=(∏i=1tyi)-K′gα mod p, andS′=β+[α+x0h(mw,K′)]h(R′,m,mW,ASID).

is a valid proxy signature.

Proof

It is a valid proxy signature of the message m because:

(22) gS′=gβ(gα+x0h(mw,K′))h(R′,m,mW,ASID)=R′(K′y0h(mW,K′)(∏i=1tyi)K′)h(R′,m,mW,ASID).

Theorem 3. If y1=(y0h(mWK′)(∏i=2tyi)K′)-K′-1 mod p, then (R′,S′,K′ ,m_w, ASID) given by:

(23) R′=gβ mod p, K′=gα mod p, andS′=β+αh(R′,m′,mW,ASID) mod q,

is a valid proxy signature.

proof

It is a valid proxy signature of the message m because:

(24) gS′=gβgαh(R′,m′,mW,ASID)=gβ(gαy0h(mW,K′)y0-h(mW,K′)(∏i=2tyi)K′(∏i=2tyi)-K′)h(R′,m′,mW,ASID)=R′(K′y0h(mW,K′)(∏i=1tyi)K′)h(R′,m′,mW,ASID).

Next, we examine the security of the proposed scheme.

7.1 Secrecy

In the proposed scheme, both signing and verification are based on discrete logarithm problems. Hence, no one can compute the original signer’s private key x₀ from his/her public key y₀ = g^x^₀ mod p. Similarly, no one can compute the original signer’s private key x₀ from A₀ = A^x^₀ mod p. On the other hand, no one can compute x₀ from the group proxy signature key σ = x₀h(m_w,K) + k mod q, because the parameter σ is computed by the Schnorr signature scheme, which is a provable secure random oracle model. Therefore, the original signature’s private key can be kept secretly and be reused during the span of the system.

Based on discrete logarithms, it is virtually impossible to obtain any proxy signer’s secret key x_i from the corresponding public key y_i = g^X_i mod p or from A_i = A^X_i mod p. Again, according to the Schnorr signature scheme, no one can compute x_i from the partial proxy signature S_i = k_i + (t⁻¹ σ + x_iK)h(R,m,m_w, ASID). Hence, our scheme preserves the security.

7.2 Proxy Protection

Although the proxy signing key σ is created by the original signer, the original signer cannot compute the partial proxy signature,

(25) Si=ki+(t-1σ+xiK)h(R,m,mW,ASID).

The original signer does not know P_t’s private key x_i, so according to the Schnorr signature scheme, it is very difficult for anyone to generate the partial proxy signature S_i of m. For the security of the Schnorr signature scheme, the random number k_i should not be reused with a different plain text. Therefore, the original signer cannot masquerade as a proxy signer to create a partial proxy signature. This protects the authority of the proxy signer.

7.3 Unforgeability

An intruder may try to derive a forged proxy signature by various ways. In the subsections below we will show that our scheme is secure against various attacks.

Attack 1

An attacker may try to derive P_i’s private key x_i from S_i.

Analysis: Once P_i broadcasts S_i, the intruder cannot derive x_i from S_i because the random number k_i is unknown.

Attack 2

An attacker may try to forge P_i’s partial signature S_i.

Analysis: Without the proxy signing key σ and P_i’s private key x_i, no one can forge the proxy signer P_i to construct S_i = k_i + (t⁻¹ σ + x_iK)h(R,m,m_w,ASID) modq.

Frame attack

A malicious original signer P₀, without any knowledge about P_i’s private key x_i, may try to forge a valid general proxy signature (R′,S′,K′,m_w,ASID) for his/her arbitrary chosen message m’ and dishonestly claim that it is generated by other t proxy signers D = {P₁, P₂,..., P_t}.

Analysis: Let ASID be the identities of D. For this purpose, P₀ can choose random integers α, β∈ℤq* and compute R′ = g^β mod p. Now, according to Theorem 2, P₀ should determine:

(26) K′=(∏i=1tyi)-K′gαmodp,

and:

(27) S′=β+[α+x0h(mW,K′)]h(R′,m,mW,ASID).

However, according to Lemma 1, P₀ should solve the discrete logarithm problem ∏i=1tyi=gc in order to compute K′. Thus, P₀ cannot forge a valid general proxy signature of any message m′ that is generated by D.

Public key substitute attack

Without the loss of generality, suppose that a malicious proxy signer P₁ decides to forge a general proxy signature scheme of a message m′ by himself or herself, without the assistance of other proxy signers.

Analysis: For this purpose, according to Theorem 3, P₁ chooses random α, β∈ℤq* and computes

(27) R′=gβ mod p, K′=gα mod p,S′=β+αh(R′,m′,mW,ASID) mod q,y1=(y0h(mW,K′)(∏i=2tyi)K′)-K′-1 mod p.

Then he wants CA to replace his public key with the above y₁. The certificate authority, CA, again asks P₁ for the Zero-Knowledge Proof of his private key x′₁ associated to new public key y₁, but P₁ cannot obtain x′₁, s.t. y₁ = g^x′^₁ mod p because of the difficulty of solving the discrete logarithm problem. Hence, P₁ cannot again perform a Zero-Knowledge Proof with CA when he changes his public key.

Warrant attack

After intercepting a valid proxy signature (R, S, K, m_w, ASID) the adversary may try to replace (m_w, σ) with (m′_w, σ′).

Analysis: However, m_w is protected under the hash function, h(R,m,m_w,ASID) in the individual signature S_i = k_i + (t⁻¹σ + x_iK)h(R,m,m_W, ASID)mod q. So, the probability of obtaining m′_w such that h(R,m,m_W,ASID) = h(R,m,m_W,ASID) is equivalent to performing an exhaustive search on m′_w. Thus, after intercepting a valid proxy signature (R,S,K,m_w,ASID), it is impossible for anyone to change (m_w, σ) Hence, our scheme can resist Shao’s warrant attack.

Warrant attack

An attacker may generate a warrant m_w′ and try to forge a threshold proxy signature of a message m′.

Analysis: For this purpose, similar to Theorem 2, P₁ chooses random α, β∈ℤq* and computes:

(29) R′=gβ mod p, K′=gα mod p,S′=β+αh(R′,m′,mW′,ASID′) mod q,y1=(y0h(mW′,K′)(∏i=2tyi)K′)-K′-1 mod p.

Then, he wants CA to replace his public key with the above y₁. The certificate authority, CA, again asks P₁ for the Zero-Knowledge Proof of his private key x′₁ associated with the new public key y₁. However, P₁ cannot obtain x′₁, s.t. y₁ = g^x′^₁ mod p because of the difficulty of solving the discrete logarithm problem. Hence, P₁ cannot again perform the Zero-Knowledge Proof with CA when he changes his public key.

Similarly, no proxy signer P_i can forge a valid threshold proxy signature with this type of attack.

Attack 7

t − 1 or fewer proxy signers may try to sign a message m.

Analysis: The attackers may try to derive a forged proxy signature by using the previous attacks. But, we have shown that all attacks fail on our scheme. The proxy signature can be only generated by any t or more delegated proxy signers. Since the threshold value t is defined in the warrant m_w, if the number of actual proxy signers does not achieve t, the proxy signature is invalid. Furthermore, as discussed above, we know that our improved scheme can resist warrant attacks. Therefore, our scheme satisfies the property of unforgeability.

7.4 Non-repudiation

The property of non-repudiation is that both the original signer and the actual proxy signers cannot deny the generation of a valid proxy signature. Any valid proxy signature (R,S,K,m_w,ASID) of a message m should be generated by t or more proxy signers. This is because only P_i has the private key x_i. Thus, P_i cannot deny signing the partial proxy signature. Moreover, the warrant m_w and K are created by the original signer. The original signer cannot deny the proxy signers the power of signing messages. Therefore, the valid proxy signature can be signed on behalf of the original signer. Hence, both the original signer and the actual proxy signers cannot deny generating the valid proxy signature.

7.5 Time Constraint

Time constraint means the time during which the signing power of the proxy group is valid. In our scheme, only the original signer creates the warrant m_w, which contains the time constraint, and it is impossible for anyone to change m_w. In the verification stage, the verifier checks whether or not the warrant has expired. Therefore, our scheme satisfies the property of time constraint.

7.6 Known Signers

Finally, from ASID, the verifier can notice who the actual signers are. In our scheme, any receiver is able to identify the actual signers in the proxy group. Furthermore, the adversary cannot replace ASID by ASID′ satisfying h(R,m,m_w,ASID) = h(R,m,m_W, ASID′). Since h(·) is a collision resistant hash function, it is computationally infeasible to get such an ASID′. Therefore, our scheme satisfies the property of known signers.

From what has been analyzed above, we are certain that the necessary requirements of the (t, n) threshold proxy signature scheme are fulfilled in our scheme. Moreover, we compared the security of our scheme with the threshold proxy signature schemes proposed in [5,11,14] and summarized the results in Table 1.

Table 1

Security comparison of threshold schemes with proposed scheme

8. Performance

In this section, we compare the complexity of the new proxy signature scheme with that of the threshold proxy signature schemes proposed in [4,5,11,12,14]. The results are summarized in Tables 2 and 3. For convenience, the following notations were used to analyze computational complexity.

Table 2

Computational complexities

Table 3

Overall computational complexities

T_e the time for one exponentiation computation.
T_m the time for one mod ular multiplication computation.
T_H the time for hash function computation.
T_i the time for one inverse computation.

The time complexities for modular exponentiation, multiplication, and inverse computation are 0(log³p), 0(log²p), and 0(log²p), respectively. As shown in Table 2, the computational complexity of our presented scheme for share generation, signature generation, and signature verification are 3T_e + 2T_m + T_H,(3t + 2)T_e + (2t + 3)T_m + 2T_H + T_i, and 3T_e + (t + 2)T_m + 2T_H, respectively, which are less than those of previous schemes. Also, from Table 3, we can see that the overall computation costs of our improved scheme is (3t + Q)T_e + (3t + 7)T_m + 5T_H + T_i, which is less than that of previous schemes.

Therefore, our scheme can reduce computation costs, and it is the most efficient and the most secure non-repudiable threshold proxy signature scheme with known signers.

Also, a comparison of our attacks with the previous attacks on Yang’s scheme is given in Table 4.

Table 4

Comparison of attacks

9. Conclusion

In this paper, we have pointed out the both Yang and Hu’s schemes still have some security weaknesses, which cannot resist warrant attacks. Finally, to remedy these weaknesses, we proposed new improvements for these schemes.

References

1. Mambo M, Usuda K, Okamoto E. Proxy signature: delegation of the power to sign messages. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 79A(9):1338–1354. 1996;

2. Huang S, Shi CH. A simple multi-proxy signature scheme. In : Proceedings of the 10th National Conference on Information Security. Hualien, Taiwan; 2000. p. 134–138.

3. Bao H, Cao Z, Wang S. Improvement on Tzeng et al.’s nonrepudiable threshold multi-proxy multi-signature scheme with shared verification. Applied Mathematics and Computation 169(2):1419–1430. 2005;

4. Hsu C, Wu T, Wu T. New nonrepudiable threshold proxy signature scheme with known signers. Journal of Systems and Software 58(2):119–124. 2001;

5. Hu J, Zhang J. Cryptanalysis and improvement of a threshold proxy signature scheme. Computer Standards and Interfaces 31(1):169–173. 2009;

6. Huang HF, Chang CC. A novel efficient (t,n) threshold proxy signature scheme. Information Sciences 176(10):1338–1349. 2006;

7. Mashhadi S. Analysis of frame attack on Hsu et al.’s non-repudiable threshold multi-proxy multi-signature scheme with shared verification. Scientia Iranica 19(3):674–679. 2012;

8. Mashhadi S. A novel non-repudiable threshold proxy signature scheme with known signers. International Journal of Network Security 15(4):231–236. 2013;

9. Mashhadi S, Abdi M. A Secure non-repudiable general proxy signature. International Journal of Cyber-Security and Digital Forensics 4(2):380–389. 2015;

10. Mashhadi S. A novel secure self proxy signature scheme. International Journal of Network Security 14(1):22–26. 2012;

11. Shao J, Cao Z, Lu R. Improvement of Yang et al.’s threshold proxy signature scheme. Journal of Systems and Software 80(2):172–177. 2007;

12. Sun HM. An efficient nonrepudiable threshold proxy signature scheme with known signers. Computer Communications 22(8):717–722. 1999;

13. Tan Z, Liu Z, Wang M. On the security of some nonrepudiable threshold proxy signature schemes. Information Security Practice and Experience Heidelberg: Springer; 2005. p. 374–385.

14. Yang CY, Tzeng SF, Hwang MS. On the efficiency of nonrepudiable threshold proxy signature scheme with known signers. Journal of Systems and Software 73(3):507–514. 2004;

15. Zhang K. Threshold proxy signature schemes. Information Security Heidelberg: Springer; 1997. p. 191–197.

Biography

Samaneh Mashhadi

She was born in Tafresh, Iran, on March 27, 1982. She received the B.Sc. and M.Sc. degrees with honors in Mathematics from Iran University of Science and Technology (IUST), and Amirkabir University of Technology (AUT) in 2003 and 2005, respectively. She received her Ph.D. with honors in Mathematics (Cryptography) in 2008 from IUST. She is currently an Assistant Professor in Department of Mathematics of IUST. She is a member of IMS as well. Her research is the analysis, design, and application of digital signatures, secret sharing schemes, security protocols, etc.

Article information Continued

(open-access) :

This is an Open Access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (http://creativecommons.org/licenses/by-nc/3.0/) which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.

Security features	Yang	Shao	Hu	Our scheme
Secrecy	Yes	Yes	Yes	Yes
Proxy protection	Yes	Yes	Yes	Yes
Unforgeability	No	No	Yes	Yes
Non-repudiation	No	No	Yes	Yes
Time constraint	No	Yes	Yes	Yes
Known signers	No	No	Yes	Yes
Secure channel	No	No	No	No
Scheme can resist frame attacks	No	No	Yes	Yes
Scheme can resist public-key substitute attacks	No	No	Yes	Yes
Scheme can resist warrant attacks	No	Yes	Yes	Yes
At least t proxy signers can generate valid proxy signature	No	No	Yes	Yes

Scheme	Share generation	Signature generation	Signature verification
Sun [12]	(5n + 2t)T_e + (nt + 2t)T_m + T_H	(4t² − t)T_e + (10t² − 14t)T_m + 2T_H+ (t² − t)T_i	4T_e + tT_m + 2T_H
Hsu et al. [4]	(5n + 2t)T_e + (nt + 2t)T_m + T_H	(t² + 4t)T_e + (4t² + 2t)T_m + 2T_H + t²T_i	4T_e + tT_m + 2T_H
Yang et al. [14]	3T_e + 2T_m + T_H	4tT_e + 3tT_m + 2T_H + Ti	4T_e + tT_m + 2T_H
Shao et al. [11]	3T_e + 2T_m + T_H	4tT_e + 3tT_m + 2T_H	4T_e + tT_m + 2T_H
Hu and Zhang [5]	(4n + t)T_e + ntT_m + T_H	4tT_e + 3tT_m + 2T_H	5T_e + tT_m + 2T_H
Present study	3T_e + 2T_m + T_H	3tT_e + 2tT_m + 2T_H + T_i	3T_e + tT_m + 2T_H

Scheme	Overall
Sun [12]	4t²T_e + (10t² + (n−11)t)T_m + 5T_H + t²)T_i
Hsu et al. [4]	(4t² + 5n)T_e + (4t² + (n + 5)t)T_m + 5T_H + (t² − 1)T_i
Yang et al. [14]	(4t + 9)T_e + (4t + 7)T_m + 5T_H + T_i
Shao et al. [11]	(4t + 9)T_e + (4t + 7)T_m + 5T_H
Hu and Zhang [5]	(4n + 5t)T_e + ((n + 4)t)T_m + 5T_H
Present study	(3t + 8)T_e + (3t + 7)T_m + 5T_H +T_i

Attack on	Attack	Method of attack
Yang scheme	Frame attack [13]	m → m′, but y_i, m_w are constant
Yang scheme	Warrant attack [11]	mW→mW′, but y_i, m are constant
Yang scheme	Public-key attack [5]	m → m′, yi→yi′ but m_w is constant
Yang scheme	Warrant attack (present study)	mW→mW′, yi→yi′, but m is constant
Hu scheme	Warrant attack (present study)	mW→mW′, but y_i_, m are constant