An Improved Nominative Proxy Signature Scheme for Mobile Communication

Jianhong Zhang, Qianhong Wu, Jilin Wang, Yumin Wang
(Key Laboratory of the Ministry Education, Xidian University, Xi'an 710071, P.R. China)
E-mail: [email protected], [email protected]

Abstract
Recently, Seung-Hyun et al. proposed a nominative proxy signature scheme for mobile communication. However, we show that the scheme does not provide non-repudiation: a malicious original signer can forge the proxy signer's signature on any message. Finally, we present a modification of the scheme that repairs the security flaw.

1. Introduction
With the rapid expansion of mobile communication, interest in wireless networks that support user mobility has grown explosively. These networks serve as mobile and ubiquitous personal communication systems. Wireless networks have many features that distinguish them from wired networks, such as the mobility of users, the transmission of signals through open air, and the requirement of low power consumption by a mobile user. In particular, because wireless networks transmit signals through open air, mobile communication is more vulnerable than wired network communication to security attacks such as interception and unauthorized access. Hence services for securing mobile communication are vital in guaranteeing authentication, non-repudiation and privacy of legitimate users [1, 5, 8].

Recently, Park and Lee [6] proposed a nominative proxy signature scheme for mobile communication. A nominative proxy signature scheme is a method in which the designated proxy signer, instead of the original signer, generates a nominative signature and transmits it to a verifier. It is a useful method in the mobile communication environment, because it provides mobile users' anonymity through the nominative signature [3] and decreases the mobile users' computational cost through the proxy signature [6]. However, their scheme does not provide non-repudiation, even though they claimed that it does. So the original signer or the proxy signer can later falsely deny having generated the signature, and a dispute between the original signer and the proxy signer may arise. In 2003, Seung-Hyun Seo and Sang-Ho Lee gave a new nominative proxy signature scheme for mobile communication. Unfortunately, in this paper we first point out a problem with the Seung-Hyun et al. scheme: contrary to their claim, the scheme does not satisfy non-repudiation. Next we propose an improved nominative proxy signature scheme that provides non-repudiation and does not require a secure channel between the original signer and the proxy signer.

The rest of the paper is organized as follows. In section 2, we briefly review some properties of the nominative proxy signature scheme and give a brief description of the Seung-Hyun et al. scheme. Next, we explain why their scheme does not satisfy non-repudiation. We present the improved nominative proxy signature scheme in section 4, and analyze the security of our scheme in section 5. Finally, we draw our conclusions in section 6.

2. Nominative Proxy Signature Requirements
A nominative proxy signature scheme is a method in which the designated proxy signer generates the nominative signature and transmits it to a verifier on behalf of an original signer. To construct a nominative proxy signature scheme, the following four conditions must be satisfied [3, 4]:
1. The original signer can delegate his signing capability to the proxy signer.
2. Only the delegated proxy signer can nominate the verifier and create the nominative proxy signature.
3. Only the nominee (verifier) can verify the nominator (proxy signer)'s signature.
4. If necessary, only the nominee can prove to a third party that the signature was issued to him by the nominator and that it is valid.
According to the above properties, only the nominated verifier can verify the signature, and given a nominative proxy signature a third party cannot learn who the actual signer is without the verifier's help. Therefore, the nominative proxy signature scheme can provide the signer's anonymity. If we use the nominative proxy signature scheme in mobile communication, we obtain two benefits. First, the anonymity of the mobile user and the proxy agent can be guaranteed. Second, since a mobile user can designate a proxy agent as the proxy signer, the mobile user's computational cost for signing can be decreased by the proxy agent. Hence, the nominative proxy signature scheme is a useful method in the mobile communication environment.

Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04) 0-7695-2051-0/04 $ 20.00 © 2004 IEEE

3. Review of the Seung-Hyun et al. Scheme
The system parameters consist of a large prime $p$, a prime factor $q$ of $p-1$, and an element $g \in Z_p$ of order $q$. The original signer A's private key is a random element $x_A \in Z_q$, and the corresponding public key is $y_A = g^{x_A} \pmod p$. The proxy agent G's private key is a random element $x_G \in Z_q$, and the corresponding public key is $y_G = g^{x_G} \pmod p$. The verifier B's private key is also a random element $x_B \in Z_q$, and the corresponding public key is $y_B = g^{x_B} \pmod p$. $H(\cdot)$ is a secure one-way hash function. The Seung-Hyun et al. scheme is constructed as follows:

[Proxy signature key generation phase]
1. (Proxy generation) The original signer A chooses a random number $k \in_R Z_q^*$, and then computes
   $K = g^k \pmod p$, $e = h(M_w \| K \| T)$ and $\delta = x_A \cdot e + k \cdot K \pmod q$,
   where $M_w$ is a warrant message and $T$ is a timestamp.
2. (Proxy delivery) The original signer A sends $(\delta, M_w, T, K)$ to a proxy agent G in a secure manner. Because $M_w$ contains the information on the proxy agent, no one obtaining $\delta$ can falsely pretend to be the proxy agent.
3. (Proxy verification) The proxy agent G checks the validity of $(\delta, M_w, T, K)$ by the following equation:
   $g^{\delta} = y_A^{h(M_w \| K \| T)} K^K \pmod p$.
   If it holds, then the proxy agent G computes the proxy signature key
   $\delta_p = \delta + x_G K \pmod q$.

[Nominative Proxy Signature Generation Phase]
1. (Nominative proxy signing by the proxy signer) The proxy signer G randomly chooses $r, R \in Z_p$ and computes $\alpha = g^{R-r} \bmod p$, and then the proxy agent G computes
   $D = y_B^R \bmod p$
   $E = H(y_B \| \alpha \| D \| M \| M_w)$
   $S_P = r - \delta_p E \pmod q$
   The nominative proxy signature on a message $M$ is $(M, D, \alpha, S_P, K, T, M_w)$.
2. (Nominative proxy signature verification) After the verifier B obtains the signature $(D, \alpha, S_P, K, T, M_w)$, he computes $E = H(y_B \| \alpha \| D \| M \| M_w)$ and $b = y_A^{h(M_w \| K \| T)} (y_G K)^K \bmod p$, and then verifies the nominative proxy signature by checking the congruence
   $(g^{S_P} \cdot b^E \cdot \alpha)^{x_B} \stackrel{?}{=} D \pmod p$.

4. Security Analysis of the Seung-Hyun et al. Scheme
Seung-Hyun [1] argued that their scheme satisfies non-repudiation. Non-repudiation means that the original signer and the proxy signer cannot falsely deny a signature that they themselves produced. Unfortunately, in this subsection we show that the Seung-Hyun scheme does not provide non-repudiation. The original signer can forge the signature of the proxy signer, and the forging procedure is as follows:

Step 1: The original signer randomly chooses three numbers $k', R', r' \in Z_q$ and computes
   $K' = y_G^{-1} y_A^{k'} \pmod p$
   $\alpha' = g^{R'-r'} \pmod p$
   $D' = y_B^{R'} \bmod p$
   $E' = h(y_B \| \alpha' \| D' \| M \| M_w)$
   $S_P' = r' - x_A E' (h(M_w \| K' \| T) + k'K') \pmod q$

Then the forged nominative proxy signature is $(M, y_B, D', \alpha', S_P', K', T, M_w)$. When the verifier B verifies the nominative proxy signature, he computes the following equations:
   $E' = h(y_B \| \alpha' \| D' \| M \| M_w)$
   $b' = y_A^{h(M_w \| K' \| T)} (y_G K')^{K'} \bmod p$
   $(g^{S_P'} b'^{E'} \alpha')^{x_B} = D' \bmod p$    (1)

We can prove that the forged nominative signature passes the checking equation (1). Because
   $b' = y_A^{h(M_w \| K' \| T)} (y_G K')^{K'} \bmod p = y_A^{h(M_w \| K' \| T) + k'K'} \pmod p$,
we have
   $(g^{S_P'} b'^{E'} \alpha')^{x_B} = (g^{S_P'} y_A^{(h(M_w \| K' \| T) + k'K')E'} \alpha')^{x_B} = g^{R' x_B} = y_B^{R'}$    (2)
   $D' = y_B^{R'} \bmod p$    (3)
Then equation (1) holds according to equations (2) and (3). Hence, we claim that the signature is a valid proxy signature.
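The argument above can be checked numerically. The following is an added example, not part of the paper: it assumes a constructed toy group (p = 2039, q = 1019, g = 4), SHA-256 reduced mod q standing in for both h and H, and hypothetical function names. `forge` receives the original signer's key x_A and public keys only, yet its output passes the same check as an honest proxy signature, which is why a passing verification does not establish that G signed.

```python
import hashlib, secrets

# Toy group, constructed for this demo (far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 has order q in Z_p^*.
p, q, g = 2039, 1019, 4

def h(*parts):  # hash to Z_q; stands in for both h(.) and H(.)
    data = "||".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def keygen():
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def delegate(xA, Mw, T):  # original signer A: proxy (delta, K)
    k = secrets.randbelow(q - 1) + 1
    K = pow(g, k, p)
    return (xA * h(Mw, K, T) + k * K) % q, K

def proxy_sign(xG, delta, K, yB, M, Mw, T):  # honest proxy signer G
    dp = (delta + xG * K) % q
    r, R = secrets.randbelow(q), secrets.randbelow(q)
    alpha, D = pow(g, (R - r) % q, p), pow(yB, R, p)
    E = h(yB, alpha, D, M, Mw)
    return D, alpha, (r - dp * E) % q, K, T, Mw

def forge(xA, yA, yG, yB, M, Mw, T):  # Section 4: needs x_A, never x_G
    k1, R1, r1 = (secrets.randbelow(q) for _ in range(3))
    K1 = pow(yG, -1, p) * pow(yA, k1, p) % p
    alpha, D = pow(g, (R1 - r1) % q, p), pow(yB, R1, p)
    E = h(yB, alpha, D, M, Mw)
    S = (r1 - xA * E * (h(Mw, K1, T) + k1 * K1)) % q
    return D, alpha, S, K1, T, Mw

def verify(xB, yA, yG, yB, M, sig):  # nominee B, check equation (1)
    D, alpha, S, K, T, Mw = sig
    E = h(yB, alpha, D, M, Mw)
    b = pow(yA, h(Mw, K, T), p) * pow(yG * K % p, K, p) % p
    return pow(pow(g, S, p) * pow(b, E, p) * alpha % p, xB, p) == D

def demo():
    (xA, yA), (xG, yG), (xB, yB) = keygen(), keygen(), keygen()
    Mw, T = "warrant: G signs for A", "2004-01-01"  # constructed values
    delta, K = delegate(xA, Mw, T)
    honest = proxy_sign(xG, delta, K, yB, "signed by G", Mw, T)
    forged = forge(xA, yA, yG, yB, "never seen by G", Mw, T)
    return (verify(xB, yA, yG, yB, "signed by G", honest),
            verify(xB, yA, yG, yB, "never seen by G", forged))
```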

5. An Improved Nominative Proxy Signature Scheme
In this subsection, we present an improved version of the Seung-Hyun et al. scheme, devised to prevent the above forgery attack. The setup of the system parameters is the same as in the Seung-Hyun et al. scheme. $T$ denotes a timestamp. SPK denotes a signature based on a proof of knowledge.

5.1 Proxy Generation and Nominative Proxy Signature Generation Phase
In the proxy signature key generation phase, besides $(\delta, M_w, T, K)$ (note that $\delta$, $M_w$, $T$, $K$ are produced in the same way as in the Seung-Hyun et al. scheme), the original signer needs to send a signature based on a proof of knowledge of $K$ to the base $g$, $(c, s) = SPK[\gamma : K = g^{\gamma} \pmod p]$. After the proxy signer receives $(\delta, M_w, T, K)$ and $(c, s)$, he checks whether the equation $g^{\delta} = y_A^{h(M_w \| K \| T)} K^K \bmod p$ and the signature based on a proof of knowledge $(c, s)$ hold. If both hold, he produces the signature of message $M$ as follows:

Step 1: The proxy signer G randomly chooses $r, R \in Z_p$ and computes $\alpha = g^{R-r} \bmod p$.
Step 2: Then the proxy signer G computes
   $D = y_B^R \bmod p$
   $E = H(y_B \| \alpha \| D \| M \| M_w)$
   $S_P = r - \delta_p E \pmod q$

Finally, $(M, D, \alpha, S_P, K, T, M_w, (c, s))$ is the resulting nominative proxy signature on a message $M$.

5.2 Nominative Proxy Signature Verification
Step 1: The verifier B first verifies whether the signature $(c, s)$ based on a proof of knowledge of $K$ to the base $g$ holds.
Step 2: He then computes $E = H(y_B \| \alpha \| D \| M \| M_w)$ and $b = y_A^{h(M_w \| K \| T)} (y_G K)^K \bmod p$.
Step 3: He checks
   $(g^{S_P} \cdot b^E \cdot \alpha)^{x_B} \stackrel{?}{=} D \bmod p$
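Step 1 of the verification, as an added example that is not part of the paper: the paper does not spell out how the SPK is computed, so a Schnorr-style signature of knowledge is assumed here, over a constructed toy group with hypothetical function names. It contrasts a K chosen as g^k with the K' = y_G^{-1} y_A^{k'} of Section 4, whose discrete logarithm k'·x_A − x_G involves the proxy signer's private key.

```python
import hashlib, secrets

# Toy group, constructed for this demo: p = 2q + 1, g = 4 has order q.
p, q, g = 2039, 1019, 4

def h(*parts):  # hash to Z_q
    data = "||".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def spk_prove(gamma, K):
    # Assumed Schnorr-style instantiation of (c, s) = SPK[gamma : K = g^gamma]
    t = secrets.randbelow(q)
    c = h(g, K, pow(g, t, p))
    return c, (t - c * gamma) % q

def spk_check(K, c, s):
    # Step 1 of verification: recompute the commitment as g^s * K^c
    return c == h(g, K, pow(g, s, p) * pow(K, c, p) % p)

def honest_delegation():
    # A chose k itself, so it knows log_g K and the proof verifies.
    k = secrets.randbelow(q - 1) + 1
    K = pow(g, k, p)
    return spk_check(K, *spk_prove(k, K))

def forged_delegation():
    # K' = y_G^-1 * y_A^k' from Section 4 has log_g K' = k'*x_A - x_G.
    # A does not hold x_G, so it proves with a wrong value in its place.
    xA, xG = (secrets.randbelow(q - 1) + 1 for _ in range(2))
    yA, yG = pow(g, xA, p), pow(g, xG, p)
    k1 = secrets.randbelow(q)
    K1 = pow(yG, -1, p) * pow(yA, k1, p) % p
    wrong_xG = (xG + 1 + secrets.randbelow(q - 1)) % q  # any value != x_G
    return spk_check(K1, *spk_prove((k1 * xA - wrong_xG) % q, K1))
```

With this toy q a proof built on a wrong exponent is still accepted with probability of roughly 2/q; at real parameter sizes that chance is negligible.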

5.3 Discussion
(1) In order to prevent the malicious original signer attack, a signature based on a proof of knowledge of $K$ to the base $g$ is introduced. It ensures that the original signer cannot change the form of $K$; hence the method prevents our attack.
(2) The security of the improved scheme is also based on the difficulty of the discrete logarithm problem and the difficulty of inverting a one-way function.
(3) The modified scheme is as efficient as the Seung-Hyun et al. scheme in terms of the size of the secret keys and the computation of the digital signature.

6. Conclusion
In this paper, we have shown that the Seung-Hyun et al. scheme suffers from the original signer attack. By introducing a signature based on a proof of knowledge, we devised a solution that successfully repairs the security flaw.

References
[1] Seung-Hyun Seo, Sang-Ho Lee: New Nominative Proxy Signature Scheme for Mobile Communication, in Proceedings of SPI (Security and Protection of Information) 2003, ISBN: 80-85960-50-8, pp.149-154, April 2003.
[2] Hee-Un Park, Im-Yeong Lee: A Digital Nominative Proxy Signature Scheme for Mobile Communication, in Information and Communications Security: Third International Conference, ICICS 2001,
[3] Mavridis, I., and Pangalos, G.: Security Issues in a Mobile Computing Paradigm, in Proc. of CMS'97, Communications and Multimedia Security, Vol.3, pp.60-76, 1997.
[4] Kim, S., Park, S., and Won, D.: Proxy Signatures, Revisited, in Proc. of ICICS 1997, LNCS 1334, pp.223-232, 1997.
[5] Kim, S., Park, S., and Won, D.: Zero-Knowledge Nominative Signatures, in Proc. of Pragocrypt'96, International Conference on the Theory and Applications of Cryptology, pp.380-392, 1996.
[6] Mambo, M., Usuda, K., and Okamoto, E.: Proxy Signatures: Delegation of the Power to Sign Messages, in IEICE Trans. Fundamentals, vol.E79-A, no.9, pp.1338-1354, 1996.
[7] Mu, Y., and Varadharajan, V.: On the Design of Security Protocols for Mobile Communications, in Proc. of ACISP'96, Australasian Conference on Information Security and Privacy, pp.134-145, 1996.
[8] Zhang Kan: Threshold Proxy Signature Schemes, in Proc. of ISW'97, Information Security Workshop, pp.191-197, 1997.
[9] Zheng, Y.: An Authentication and Security Protocol for Mobile Computing, in Proc. of IFIP World Conference on Mobile Communications, pp.249-257, 1996.