Ji-Seon Lee, Jik Hyun Chang Dept. Computer Science, Sogang University,
1 Sinsu-dong, Mapo-gu, Seoul, Korea
Abstract- In this paper, we propose a revocable proxy signature scheme which allows the original signer to revoke proxy delegations whenever necessary. In the proposed scheme, once the original signer revokes the proxy delegations, he can also generate a proxy signature which is indistinguishable from the proxy signatures generated by the proxy signer. This confirms to the verifier that the proxy signer does not have any authority to sign a message on behalf of the original signer anymore. In addition to this, in the proposed scheme, after the original signer revokes the delegations, he can delegate the signing capability more efficiently than other schemes if the original signer wants to delegate the signing capability to the same proxy signer again.
Ⅰ. INTRODUCTION
Digital signature schemes are used to provide security services such as user authentication, data integrity and non-repudiations. Traditionally, the signer uses his secret key to sign messages by using some signature schemes. However, the signer may not be able to sign messages himself. For example, there are times when the signer could be away from the workplace. Therefore, the signer needs a proxy signer to sign messages in his behalf. In 1996, Mambo, Usuda, and Okamoto [7,8] first introduced the concept of proxy signature. Since then a number of proxy signature schemes have been proposed.
There are four types of proxy delegation: full delegation, partial delegation, delegation by warrant, and partial delegation with warrant. In full delegation schemes, the proxy signer is given the private key of the original signer. The main weakness of this scheme is that the proxy signature is indistinguishable from the original signer's signature. In partial delegation schemes [4,7,8], the original signer generates a proxy delegation key and delivers it to the proxy signer. The proxy signer can then generate a proxy signature key with this proxy delegation key and his secret key. However, since the partial delegation does not restrict the proxy signer's signing capability, the proxy signer can abuse his delegated rights. For the delegation by warrant scheme [3,10], a proxy warrant is given to the proxy signer to generate proxy signatures. The proxy warrant usually contains the identity of the proxy signer, the period of delegation, and other possible restrictions on the signing capability delegated to the proxy signer. The partial delegation with warrant scheme combines the benefit of the delegation by warrant and partial delegation schemes. Most work on proxy signature schemes has focused on partial delegation with warrant.
If the original signer is available to generate a signature or the proxy signer abuses his delegated rights, the original signer needs to revoke the proxy signer's signing capability. Sun [10]
proposed a timestamped proxy signature scheme and claimed that the revocation problem can be solved by using a timestamp. However, Lu and Huang [5] showed that Sun's scheme is insecure and they have proposed a timestamping proxy signature scheme. Recently, several proxy signature schemes with revocation mechanism were proposed [1,6,9]. In all of these schemes, it can be verified whether a proxy signature was generated during the valid delegation period or not. These schemes also allow early termination of delegations if the original signer wants to revoke the proxy delegation before the delegation period expires. The downside is that in all of these schemes, if the original signer needs to delegate the signing capability to the same proxy signer again, the whole procedure should be processed again.
Our Contribution: In this paper, we present a new revocable proxy signature scheme which allows the original signer to revoke proxy delegations whenever necessary. To accomplish this purpose, we solve the revocation problem using designated verifier signature scheme. In our scheme, if the original signer Alice wants to revoke her proxy delegation, she gets trapdoor information from a trusted server called RS to make her possible to simulate a proxy signature indistinguishable from the signatures generated by the proxy signer. Therefore, after the revocation, the signatures generated by the proxy signer are meaningless. In our scheme, we split the message warrant into two parts. In this way, we make our scheme efficient when the original signer needs to delegate the signing capability to the same proxy signer again after the revocation. We believe that it is usual situation that the original signer delegates signing capability on similar kinds of messages to the same proxy signer multiple times in the workplace.
The rest of this paper is organized as follows. In section 2, we outlines the notations used throughout this paper, the basic idea of our scheme, designated verifier signature scheme used to construct our scheme, and the security requirements of the proposed scheme. In section 3, we propose a revocable proxy signature scheme and discuss its security properties in section 4. Finally, we make a conclusion in section 5.
Ⅱ. PRELIMINARIES
A. Notations
T. Sobh et al. (eds.), Innovative Algorithms and Techniques in Automation, Industrial Electronics and Telecommunications, 193–197.
© 2007 Springer.
193
- p,q : large primes such that q|p−1
- g : a generator of a multiplicative subgroup of Z*p of order q
- H(⋅) : a collision resistant one-way hash function mapping H:{0,1}*→Zq
- m : message to be signed by the proxy signer
- mw : message warrant composed of IDs of the original signer and the proxy signer, and other information on the proxy delegation except the delegation period
- mwp : the warrant for the proxy delegation period related with mw
- (xA,yA): the key pair of the original signer (Alice) - (xB,yB): the key pair of the proxy signer (Bob) - (xT,yT): the key pair of the timestamp server (TS)
- (xrk,yrk) : the revocation key pair generated by the revocation key generation server (RS)
B. Basic Idea
The proposed scheme consists of a verifier and four participants – the original signer, the proxy signer, the revocation key generation server RS, and the timestamp server TS. The verifier can be anyone. RS generates a revocation key pair (xrk,yrk) for the original signer and maintains a bulletin board where information about the proxy delegation and revocation are posted. This bulletin board is accessible to anyone with a read-only permission. Only RS can write on the bulletin board. TS is responsible for issuing three timestamps -
begin
t , tsign, or tend. The timestamp tbegin is issued to RS to record the time when the proxy delegation begins and tend to record the revocation time of the proxy delegation. The timestamp tsign is issued to the proxy signer to record the exact time of the proxy signature generation. Usually the message warrant is composed of the IDs of the original signer and the proxy signer, proxy delegation period, and some other information related to the message. In our scheme, we split the message warrant into two parts - mw, mwp. In our scheme, mw is called the message warrant and mwp is called the warrant for the proxy delegation period. mw is composed of the IDs of the original signer and the proxy signer, and other information on the proxy delegation except for the proxy delegation period. mwp only contains the valid proxy delegation period.
If Alice wants to delegate the signing capability to Bob, Alice sends (mw,mwp) to RS to request the revocation key pair. RS gets tbegin from TS and generates a revocation key pair (xrk,yrk). RS then posts (mw,mwp,yrk,tbegin)on the bulletin board and sends it to Alice and Bob. Alice creates a partial proxy delegation key (mw,rA,sA) and delivers it to
Bob. Bob gets tsign from TS and generates a proxy signature with the partial proxy delegation key, public revocation key yrk, his own secret key, and tsign. Later, if the proxy delegation period specified in mwp expires or Alice wants to revoke the proxy delegation before mwp expires, RS gets tend, posts it on the bulletin board, and sends the corresponding secret key xrk to Alice. Thereafter, Alice can generate a proxy signature which is indistinguishable from the signatures generated by Bob using xrk . Therefore, the signatures generated by Bob after tend is useless and anyone will know the exact times when the proxy delegation period begins and ends.
After the revocation of the proxy delegation, if Alice wants to delegate the proxy capability to Bob again with the same message warrant mw, she does not have to generate a new partial proxy delegation key (mw,rA,sA). Whenever Alice wants to delegate her signing capability to the same proxy signer again, she sends mw and new mwp to RS. RS then generates a new revocation key pair and posts new yrk and new tbegin on the bulletin board. Bob can use the partial proxy delegation key previously received from Alice. We believe that in the workplace, it happens often that one delegates the signing capability on similar kinds of messages to the same proxy signer several times in the workplace. In such situations, our scheme would be advantageous than previously proposed revocable proxy signature schemes.
C. Designated Verifier Signature Scheme
In our scheme, the way of simulating proxy signatures by Alice is an important concern to success the revocation. To accomplish this, we apply designated verifier signature scheme proposed by Jakobsson, Sako, and Impagliazzo [2]. In their scheme, a designated verifier himself can efficiently simulate signatures indistinguishable from the signer's signatures. Since the public keys of the signer and the designated verifier are both included in the verification step, anyone can verify the signature. However, unlike ordinary digital signature schemes, no one can be convinced that who the real signer is, except the signer and the designated verifier.
In our scheme, if the original signer Alice can get xrk, she can simulate the proxy signature which is indistinguishable from the signatures generated by Bob. Since Alice cannot simulate a signature without xrk, xrk can be viewed as a trapdoor for Alice to simulate a proxy signature for any messages. xrk is generated by RS and kept secret until the revocation. If the revocation occurs, xrk is revealed only to Alice.
D. Security Requirements
The security requirements for proxy signature are first specified in [8,9], and later enhanced by [4]. We discuss the LEE AND CHANG
194
security requirements of the proposed scheme based on [4] , but with some additions on those related to the revocation functionality.
(ⅰ) Verifiability: From the proxy signature, a verifier can be convinced of the original signer's agreement on the signed message.
(ⅱ) Strong identifiability: Anyone can determine the identities of the corresponding proxy signer from a proxy signature.
(ⅲ) Strong unforgeability: Only the designated proxy signer can create a valid proxy signature on behalf of the original signer. In other words, the original signer and other third parties who are not designated as proxy signers cannot create a valid proxy signature before revocation.
(ⅳ) Strong undeniability: Once a proxy signer creates a valid proxy signature on behalf of an original signer, he cannot repudiate the signature creation against anyone else.
(ⅴ) Prevention of misuse: The proxy signer cannot use the proxy secret key for purposes other than generating valid proxy signatures. In case of misuse, the responsibility of the proxy signer should be determined explicitly.
(ⅵ) Revocability of the proxy delegation: Once the secret revocation key is disclosed to the original signer, she can generate a signature which is indistinguishable from the signature generated by the proxy signer. This confirms the verifier that the proxy signer does not have any authority to sign a message on behalf of the original signer anymore.
(ⅶ) Efficient multiple proxy delegation: After the revocation, if the original signer wants to delegate the signing capability to the same proxy signer with the same message warrant again, the proxy signer can reuse the proxy signature generation key.
Ⅲ. PROPOSED SCHEME
Our scheme is based on the discrete logarithm problem and uses partial delegation with warrant scheme. Our revocable proxy signature scheme is as follows:
Phase 1. Revocation Key Pair Generation
1. The original signer Alice sends mw and mwp to the proxy time when the revocation key pair is generated. This means that the proxy delegation begins.
4. RS posts (mw,mwp,yrk,tbegin) on the bulletin board accessible by anyone and sends (mw,mwp,yrk,tbegin) to Alice and Bob.
5. Alice and Bob will check that (mw,mwp,yrk,tbegin) from RS is the same as the information on the bulletin board.
Phase 2. Proxy Key Generation
1. Alice chooses a random number kA∈Z*q and computes the following equation holds:
.
3. If this holds, Bob computes the proxy signature generation key xp as:
The corresponding proxy signature verification key is then .
mod )
(y y ( , )r p
yp= A B H mwrA A
Phase 3. Proxy Signature Generation
Bob generates a proxy signature on the message m as follows:
6. The proxy signature consists of the following:
) Phase 4. Proxy Signature Verification
The verifier checks the validity of tsign, computes yp, and
REVOCABLE PROXY SIGNATURE SCHEME 195
Phase 5. Proxy Revocation
There are two cases when the proxy revocation could occur.
One is when mwp expires and the other is when Alice wants to revoke the proxy delegation before mwp expires. In both cases, RS gets tend and posts it on the bulletin board to notify that the revocation occurred. That is, (mw,mwp,yrk,tbegin,tend) is left on the bulletin board. RS also sends the secret revocation key xrk to Alice. Once Alice gets the secret revocation key xrk, she can generate a proxy signature on the message m, mw, and mwp just like Bob does in an indistinguishable way
4. The simulated proxy signature is:
)
We can show that this transcript is valid. Equations (1) and (2) can be checked and computed easily. The validity of (3) is checked as follows:
).
Phase 6. Multiple Proxy Delegation to the Same Proxy Signer
Later, if Alice wants to delegate the signing capability to the same proxy signer Bob again with the same mw and new mwp, Alice sends the mw and new mwp to Bob and RS. That is, phase 1 for the revocation key pair generation is executed.
Alice can skip phase 2 this time. That is, Bob can use the same proxy signature generation key xp. In phase 3, Bob generates a proxy signature with xp and newly generated public revocation key yrk. Phase 4, phase 5, and phase 6 can be processed as before.
Ⅳ. ANALYSIS OF THE PROPOSED SCHEME
In this section, we analyze that the proposed scheme satisfies the security requirements of proxy signatures. The proposed scheme also provides a revocation mechanism.
(ⅰ) Verifiability: The proxy signature consists of ) scheme. From message warrant mw , any verifier can determine the identity of the original signer and the proxy signer. That is, the verifier can be convinced of the original signer's agreement on the proxy signed message.
(ⅱ) Strong identifiability: In our scheme, identity information of a proxy signer is included explicitly in the message warrant mw. Thus, anyone can determine the identity of the proxy signer.
(ⅲ) Strong unforgeability: We consider two attack scenarios as follows. First, the original signer would try to forge a proxy signature before he revokes the proxy delegation. Second, a malicious attacker would try to forge a proxy signature by eavesdropping (mw,rA,sA) in phase 2. In both cases, the proxy secret key xp is needed to generate the proxy signature generation and the secret key xB of the proxy signer Bob is needed to get xp. Since xB is protected under the discrete logarithm assumption, the proposed scheme is unforgeable in both cases.
(ⅳ) Strong Undeniability: No one can know the proxy signer's secret key due to the difficulty of the discrete logarithm problem, only the proxy signer knows his secret key.
Therefore, once a proxy signer creates a valid proxy signature, he cannot repudiate it, because the proxy signature is created by using his private key xB.
(ⅴ) Prevention of misuse: If the proxy signer uses the proxy key pair for other purposes, it is his responsibility because only he can generate the proxy signature with his secret key.
Therefore, the scenario of proxy signer's misuse is impossible.
Moreover, the original signer or the malicious attacker's misuse is also prevented, because they cannot compute for a valid proxy key pair.
We show that the proposed proxy signature scheme provides a multiple revocation mechanism.
(ⅵ) Revocability of the proxy delegation: Once the original signer gets the revocation secret key xrk and the timestamp tsign, he can simulate the proxy signature indistinguishable from the signature generated by the proxy signer as many times as he wants.
(ⅶ) Efficient multiple proxy delegation: After the revocation of the proxy delegation of the original signer, if the original signer needs to delegate the signing right to the same proxy signer with the same warrant mw, the original signer would request the revocation key to RS again. Once RS generates a key pair and posts the public key of the pair with tbegin on the bulletin board, the proxy signer can generate a proxy signature without going through the proxy key generation step. That is, the proxy signer can use the same proxy signature generation key and the verification key. Therefore, it is efficient to LEE AND CHANG
196
delegate the signing capability to the same proxy signer with the same message warrant.
Ⅴ. CONCLUSIONS
In this paper, we propose a proxy signature with revocation mechanism using designated verifier signature scheme. In our scheme, it is possible to verify whether or not the proxy signature was generated during the valid delegation period. If the original signer wants to revoke the delegation rights of the proxy signer, the original signer has the ability to generate a proxy signature by himself with the help of the revocation key generation server. Therefore, the proxy signer's signature becomes meaningless. After the revocation, if the original signer wants to delegate the signing rights to the same proxy signer on the same message warrant mw again, only RS needs to generate a new pair. And the same proxy signature generation/verification key can be used. Therefore, it is easy for our scheme to delegate to the same proxy signer with the same message warrant several times.
REFERENCES
[1] M.L.Das, A.Saxena, and V.P.Gulati, “An efficient proxy signature scheme with revocation,” Int. Journal Informatica, vol. 15, no. 4, pp.455-464, 2004.
[2] M. Jakobsson, K. Sako, and R. Impagliazzo, “Designated verifier proofs and their applications,” Advances in Cryptology - EUROCRYPT '96, volume 1070 of LNCS, pp.143-154, 1996.
[3] S. Kim, S. Park, and D. Won, “ Proxy signatures, revisited,” Proceedings of International Conference on Information and Communications Security, volume 1334 of LNCS, pp. 2223-232, 1997.
[4] B. Lee, H. Kim, and K. Kim, “Strong proxy signature and its applications,”
Proceedings of 2001 Symposium on Cryptography and Information Security (SCIS 2001), Japan. pp. 603-608, 2001.
[5] E.J.-L. Lu and C.-J. Huang, “ Cryptanalysis of a time-stamped proxy signature scheme,” Int. Journal of Computational and Numerical Analysis and Applications, Vol.5, No.2, pp. 106-115, 2004.
[6] E.J.-L. Lu,, M.-S. Hwang, and C.-J. Huang, “A new proxy signature scheme with revocation,” Applied mathematics and Computation 161, pp.799-806, 2005.
[7] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures for delegating signing operation,” Proceedings of 3rd ACM conference on Computer and Communications Security, pp. 48-57. 1996.
[8] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: delegation of the power to sign messages,” IEICE Trans. Fundament., Vol. E79-A, No. 9, pp.1338-1353, 1996.
[9] S.-H. Seo, K.-A. Shim, and S.-H. Lee, “A mediated proxy signature scheme with fast revocation for electronic transactions,” TrustBus 2005, volume 3592 of LNCS, pp. 216-225, 2005.
[10] H.-M. Sun, “ Design of Time-stamped proxy signatures with traceable receivers,” IEE Proc. Comp. Digital Techn. 147 (6), pp. 462-466, 2000.
REVOCABLE PROXY SIGNATURE SCHEME 197
Abstract—Registration is a fundamental stage in the 3–D reconstruction process. We consider the problem of Euclidean alignment of two arbitrarily-oriented, partially-overlapped
Abstract—Registration is a fundamental stage in the 3–D reconstruction process. We consider the problem of Euclidean alignment of two arbitrarily-oriented, partially-overlapped