JOURNAL OF NETWORKS, VOL. 6, NO. 10, OCTOBER 2011
Proxy Re-signature Scheme Based on Quadratic Residues

Deng Yuqiao
Guangdong University of Business Studies, Mathematics and Computer Science College, Guangzhou 510640

Song Ge
Harbin Institute of Technology Shenzhen Graduate School, Shenzhen 150001

Abstract—In 1998, Blaze, Bleumer, and Strauss (BBS) proposed proxy re-signatures, in which a semi-trusted proxy acts as a translator between Alice and Bob. Proxy re-signature schemes can be applied in many applications. However, the existing proxy re-signature schemes were all based on the Diffie-Hellman assumption. In this paper, we present a proxy re-signature scheme based on quadratic residues, which is bidirectional. The scheme is secure in the random oracle model. We also give the definition of forward-secure proxy re-signature and present a corresponding scheme, which keeps earlier signatures secure even if the current period's signing key has been leaked.

Index Terms—quadratic residues, proxy re-signature, forward-secure, random oracle model
Manuscript received December 1, 2010; revised February 1, 2011; accepted March 1, 2011. Supported by University Foundation of Guangdong University of Business Studies, No. 10BS41302.
© 2011 ACADEMY PUBLISHER doi:10.4304/jnw.6.10.1459-1465

I. INTRODUCTION

Proxy re-signature schemes were introduced by Blaze, Bleumer, and Strauss [1] and later formalized by Ateniese and Hohenberger [2]. Digital signature schemes allow a signer to transform any message into a signed message, such that anyone can verify the validity of the signed message using the signer's public key, but only the signer can generate signed messages. In a proxy re-signature scheme, a semi-trusted proxy is given some information which allows it to transform Alice's signature on a message $m$ into Bob's signature on $m$, but the proxy cannot, on its own, generate signatures for either Alice or Bob.

A proxy re-signature scheme has eight desirable properties [2], listed below, though none of the existing schemes satisfies all of them at the same time; see Table I.

1. Unidirectional: In a unidirectional scheme, a re-signature key allows the proxy to transform A's signature to B's but not vice versa. In a bidirectional scheme, on the other hand, the re-signature key allows the proxy to transform A's signature to B's as well as B's signature to A's.
2. Multi-use: A transformed signature can be re-transformed again by the proxy.
3. Private Proxy: The re-signature key can be kept secret by the proxy.
4. Transparent: A signature on the same message signed by the delegator is computationally indistinguishable from a signature transformed by a proxy.
5. Key-Optimal: In a key-optimal scheme, a user is required to protect and store only a small constant amount of secrets no matter how many signature delegations the user gives or accepts.
6. Non-interactive: The delegatee is not required to participate in a delegation process.
7. Non-transitive: A re-signing right cannot be re-delegated by the proxy alone.
8. Temporary: A re-signing right is temporary.

Proxy re-signature schemes can be applied in many applications. For instance, they can be used to simplify key management [1], provide proofs for a path that has been taken, manage group signatures, simplify certificate management [2], and construct a Digital Rights Management (DRM) interoperable system [3].

Up to now, the security proofs of existing proxy re-signature schemes have all been given under the Diffie-Hellman assumption [1,2,6,7,8,9]. In this paper, we first propose a proxy re-signature scheme based on quadratic residues; it satisfies the bidirectional, multi-use, private proxy, and transparent properties. We prove that it can resist adaptive chosen message attack.

TABLE I. THE PROPERTIES THAT SOME PROXY RE-SIGNATURE SCHEMES AND OURS SATISFY.

Property        1    2    3    4    5    6    7    8
BBS [2]         No   No   No   Yes  Yes  No   No   No
Sbi [1]         Yes  No   No   Yes  Yes  No   No   No
Suni [1]        No   Yes  Yes  No   Yes  Yes  Yes  Yes
Our Scheme 1    Yes  No   No   Yes  Yes  No   No   No
Our Scheme 2    Yes  No   No   Yes  Yes  No   No   No

Exposure of secret keys can be a devastating attack on a digital signature scheme since such an attack typically implies that all security guarantees are lost. The notion of forward security was recently proposed by Anderson [4] and later formalized by Bellare and Miner [5]. Based on the framework of the first scheme, we propose a forward secure proxy re-signature scheme, which can be considered as a forward secure extension of the first scheme.
[Figure 1. Forward Secure Signature. The secret key evolves from SK0 through SK1, SK2, …, SKT over time periods 1, 2, …, T.]
II. BACKGROUND
A. Quadratic Residue

In number theory, an integer $q$ is called a quadratic residue modulo $n$ if it is congruent to a perfect square (mod $n$); i.e., if there exists an integer $x$ such that

$$x^2 \equiv q \pmod{n}.$$

Otherwise, $q$ is called a quadratic nonresidue (mod $n$). Originally an abstract mathematical concept from the branch of number theory known as modular arithmetic, quadratic residues are now used in applications ranging from acoustical engineering to cryptography and the factoring of large numbers.

B. Remarks on the BBS Scheme

The authors of the BBS paper proposed some potential applications of proxy re-signatures. By taking a careful look at how one can use these proxy re-signatures in practice, we can see that the BBS construction has its own limitations. In brief, their scheme is actually "proxyless" since it is possible to recover the information that would be stored at the proxy by looking at the original signature and its transformation. This precludes the possibility of having a proxy in the first place since anyone would be able to impersonate the proxy itself once a single re-signature is released.

C. Forward Secure Signatures

The goal of forward security is to protect against the risk of key exposure, but in a simple way, in particular without requiring distribution or protected storage devices, and without increasing key management costs. A user begins, as usual, by registering a public key $pk$ and keeping private the corresponding secret key, which we denote $sk_0$. The time during which the public key $pk$ is desired to be valid is divided into periods, say $T$ of them. While the public key stays fixed, the user "evolves" the secret key with time. Thus in each period, the user produces signatures using a different signing key: $sk_1$ in period 1, $sk_2$ in period 2, and so on. The secret key in period $i$ is derived as a function of the one in the previous period. The key evolution paradigm is illustrated in Figure 1.
III. DEFINITIONS

A. Bidirectional Proxy Re-Signature

Definition 1: A proxy re-signature scheme is a tuple of polynomial time algorithms (KeyGen, ReKey, Sign, ReSign, Verify), where:
• (KeyGen, Sign, Verify) form the standard key generation, signing, and verification algorithms.
• On input $(sk_A, sk_B)$, the re-signature key generation algorithm, ReKey, outputs a key $rk_{A \to B}$ for the proxy.
• On input $rk_{A \to B}$, a public key $pk_A$, a message $m$ and a signature $\sigma_A(m)$, the re-signature function, ReSign, outputs B's signature $\sigma_B(m)$ if $\mathrm{Verify}(pk_A, m, \sigma_A(m)) = 1$ and $\perp$ otherwise.
• Correctness. For any message $m$ in the message space and any key pairs $(pk, sk), (pk', sk') \leftarrow \mathrm{KeyGen}(1^k)$, let $\sigma = \mathrm{Sign}(sk, m)$ and $rk = \mathrm{ReKey}(sk, sk')$. Then the following two conditions must hold:

$$\mathrm{Verify}(pk, m, \sigma) = 1$$
$$\mathrm{Verify}(pk', m, \mathrm{ReSign}(rk, pk, m, \sigma)) = 1$$

We define security for bidirectional proxy re-signature schemes by the following game between a challenger and an adversary. (Note that we adopt the method in [6] to define the security notion of bidirectional proxy re-encryption schemes: static corruption, i.e., in this security notion, the adversary has to determine the corrupted parties before the computation starts, and it does not allow adaptive corruption of proxies between corrupted and uncorrupted parties.)
• Queries. The adversary adaptively makes a number of different queries to the challenger. Each query can be one of the following.
  • Uncorrupted Key Generation $O_{UKeyGen}$: Obtain a new key pair as $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$. The adversary is given $pk$.
  • Corrupted Key Generation $O_{CKeyGen}$: Obtain a new key pair as $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$. The adversary is given $pk$ and $sk$.
  • Hash queries $O_H$: On input a message $m$ and an $R \in Z$, return $h = H(m, R)$.
  • Re-Signature Key Generation $O_{ReKey}$: On input $(pk, pk')$ by the adversary, where $pk, pk'$ were generated before by KeyGen, return the re-signature key $rk_{pk \to pk'} = \mathrm{ReKey}(sk, sk')$, where $sk, sk'$ are the secret keys that correspond to $pk, pk'$. Here, we also require that both $pk, pk'$ are corrupted, or both are uncorrupted.
  • Re-signature $O_{ReSign}$: On input $(pk, pk', m, \sigma)$, where $pk, pk'$ were generated before by KeyGen. The adversary is given the re-signed signature $\sigma' = \mathrm{ReSign}(\mathrm{ReKey}(sk, sk'), pk, m, \sigma)$, where $sk, sk'$ are the secret keys that correspond to $pk, pk'$.
  • Signature $O_{Sign}$: On input a public key $pk$ and a message $m$, where $pk$ was generated before by KeyGen. The adversary is given the corresponding signature $\sigma = \mathrm{Sign}(sk, m)$, where $sk$ is the secret key that corresponds to $pk$.
• Forgery. The adversary outputs a message $m^*$, a public key $pk^*$, and a string $\sigma^*$. The adversary succeeds if the following hold true:
  1. $\mathrm{Verify}(pk^*, m^*, \sigma^*) = 1$.
  2. $pk^*$ is not from $O_{CKeyGen}$.
  3. $(pk^*, m^*)$ is not a query to $O_{Sign}$.
  4. $(\Diamond, pk^*, m^*, \Delta)$ is not a query to $O_{ReSign}$, where $\Diamond$ denotes any public key, and $\Delta$ denotes any signature.

The advantage of an adversary A in the above game is defined to be

$$Adv_A = \Pr[A \text{ succeeds}],$$

where the probability is taken over all coin tosses made by the challenger and the adversary.

B. Bidirectional Forward-Secure Proxy Re-Signature

Definition 2: A forward-secure proxy re-signature scheme is a tuple of polynomial time algorithms (KeyGen, ReKey, Update, Sign, ReSign, Verify), where:
• The key generation algorithm, KeyGen, takes as input a security parameter $1^k$ and the total number of time periods $N$. It returns a public key $pk$ and an initial secret key $sk_0$.
• The key update algorithm, Update, takes as input a secret key $sk_{i-1}$ as well as the index $i$ of the current time period. It returns a secret key $sk_i$ for period $i$. (Note that the proxy also uses the Update algorithm to update its proxy key.)
• On input a key pair $(sk_A, sk_B)$, the re-signature key generation algorithm, ReKey, outputs a key $rk_{A \to B}$ for the proxy.
• On input the $i$th secret key $sk_i$ of the current time period and a message $m$, the sign algorithm, Sign, outputs a signature $\sigma(m)$.
• On input the $i$th re-sign key $rk_i$ of the current time period, a public key pair $pk_A, pk_B$, a message $m$ and a signature $\sigma_A(m)$, the re-signature function, ReSign, outputs B's signature $\sigma_B(m)$ if $\mathrm{Verify}(pk_A, m, i, \sigma_A(m)) = 1$ and $\perp$ otherwise.
• On input a public key $pk$, a message $m$, an index $i$ of the current time period, and a signature $\sigma$, the verify algorithm, Verify, outputs 1 if $\sigma(m) = \mathrm{Sign}(sk_i, m)$ and 0 otherwise.
• Correctness. For any message $m$ in the message space and any $i$th key pairs of the current period $(pk, sk_i), (pk', sk_i')$, let $\sigma = \mathrm{Sign}(sk_i, m)$ and $rk_i = \mathrm{ReKey}(sk_i, sk_i')$. Then the following two conditions must hold:

$$\mathrm{Verify}(pk, m, i, \sigma) = 1$$
$$\mathrm{Verify}(pk', m, i, \mathrm{ReSign}(rk_i, pk, pk', m, \sigma)) = 1$$

We also define the security notion of bidirectional forward-secure proxy re-signature with static corruption by a game between a challenger and an adversary.
• Queries. The adversary adaptively makes a number of different queries to the challenger. Each query can be one of the following.
  • Uncorrupted Key Generation $O_{UKeyGen}$: Obtain a new initial key pair as $(pk, sk_0) \leftarrow \mathrm{KeyGen}(1^k)$. The adversary is given $pk$.
  • Corrupted Key Generation $O_{CKeyGen}$: Obtain a new key pair as $(pk, sk_0) \leftarrow \mathrm{KeyGen}(1^k)$. The adversary is given $pk$ and $sk_0$.
  • Hash queries $O_H$: On input a message $m$ and an $R \in Z$, return $h = H(m, R)$.
  • Re-Signature Key Generation $O_{ReKey}$: On input initial public keys $(pk, pk')$ by the adversary and an index $i$ of the current time period, where $(pk, pk')$ were generated before by KeyGen, return the $i$th re-signature key $rk_{pk \to pk'} = \mathrm{ReKey}(sk_i, sk_i')$. Here, we also require that both $pk, pk'$ are corrupted, or both are uncorrupted.
  • Re-signature $O_{ReSign}$: On input $(i, pk, pk', m, \sigma)$, where $pk, pk'$ were generated before by KeyGen and $i$ is the index of the current time period. The adversary is given the re-signed signature $\sigma' = \mathrm{ReSign}(\mathrm{ReKey}(sk_i, sk_i'), pk, pk', m, \sigma)$, where $sk_i, sk_i'$ are the $i$th keys that correspond to $pk, pk'$ in the current time period.
  • Signature $O_{Sign}$: On input a public key $pk$, a message $m$ and a time period $i$, where $pk$ was generated before by KeyGen. The adversary is given the corresponding signature $\sigma = \mathrm{Sign}(sk_i, m)$, where $sk_i$ is the secret key that corresponds to $pk$ in the $i$th time period.
• Forgery. The adversary outputs a message $m^*$, a public key $pk^*$, an index $i^*$ of the current time period, and a string $\sigma^*$. The adversary succeeds if the following hold true:
  1. $\mathrm{Verify}(pk^*, m^*, i^*, \sigma^*) = 1$.
  2. $pk^*$ is not from $O_{CKeyGen}$.
  3. $(pk^*, m^*, i^*)$ is not a query to $O_{Sign}$.
  4. $(i^*, \Diamond, pk^*, m^*, \Delta)$ is not a query to $O_{ReSign}$, where $\Diamond$ denotes any public key, and $\Delta$ denotes any signature.

The advantage of an adversary A in the above game is defined to be $Adv_A = \Pr[A \text{ succeeds}]$, where the probability is taken over all coin tosses made by the challenger and the adversary.

IV. BIDIRECTIONAL PROXY RE-SIGNATURE SCHEMES

A. Bidirectional Proxy Re-signature Schemes Based on Quadratic Residues

KeyGen: On input the security parameter $k$, it chooses two safe primes $p = 2p_1 + 1$, $q = 2q_1 + 1$, where $p_1, q_1$ are also prime numbers. Let $n = p \times q$ and $\log_2 n > k$. It chooses a secure hash function $H: \{0,1\}^* \to \{0,1\}^k$. It selects a random $s \in_R Z_n^*$, and outputs the key pair ($sk = s$, $pk = s^2 \bmod n$) and the public parameters $(k, n, p, q, H, pk)$.

ReKey: On input two secret keys $sk_A = s$, $sk_B = t$, output the re-signature key $rk_{A \to B} = t / s$. (Note that we make use of the same method as in [2] to get the re-signature key.)

Sign: On input a secret key $sk = s$ and a message $m$, compute $R = r^2 \bmod n$, $h = H(m, R)$, and output $\sigma = (R, S) = (r^2 \bmod n,\ r \times sk_A^{h} \bmod n)$.

ReSign: On input a re-signature key $rk_{A \to B}$, a public key $pk_A$, a message $m$ and a signature $\sigma_A$, check that $\mathrm{Verify}(pk_A, m, \sigma) = 1$. If $\sigma_A$ does not verify, output $\perp$; otherwise, output $\sigma' = (R', S') = (R,\ rk_{A \to B}^{H(m,R)} \times S)$.

Verify: On input a public key $pk$, a message $m$, and a purported signature $\sigma = (R, S)$, output 1 if $S^2 = R \times pk^{H(m,R)}$ and 0 otherwise.

B. Security Analysis

Lemma 1 [10]. Let $G$ be a group, $e_1, e_2 \in Z$, $\gcd(e_1, e_2) = 1$. Given $a, b \in G$ with $a^{e_1} = b^{e_2}$, we can compute $c \in G$ where $c^{e_2} = a$ (or $c^{e_1} = b$).

Theorem 1 (Security). In the random oracle model, the bidirectional proxy re-signature scheme we presented is correct and existentially unforgeable under Lemma 1.

Proof. The correctness property is easily observable. We show security using the forking lemma [11]. If there exists an adversary A that can break the above proxy re-signature scheme with non-negligible probability $\varepsilon$ after making at most $q_S$ sign queries, $q_R$ re-sign queries, $q_K$ (un)corrupted key queries and $q_H$ hash queries, then there also exists an adversary B that can solve the quadratic residues problem in $G$ with probability

$$\varepsilon' \ge \frac{1}{2 q_H}\left(1 - \frac{q_H}{2^k}\right)^{q_S} \varepsilon.$$

On input $x^2 = y \in QR_n$, it is difficult to calculate the quadratic residues of $y$, that is, $x$. The quadratic residues adversary B simulates a bidirectional proxy re-signature security game for A as follows.

Queries: B builds the following oracles:
• $O_{UKeyGen}$: B chooses a random $x_i \in_R Z_n^*$, and outputs $pk_i = (x x_i)^2 = y x_i^2$.
• $O_{CKeyGen}$: B chooses a random $x_i \in_R Z_n^*$, and outputs $(pk_i, sk_i) = (x_i^2, x_i)$.
• $O_H$: B maintains a hash table $\{(m_i, r_{m_i}, R_{m_i}, h_{m_i})\}$, denoted $T_H$. For each query to $O_H$ on input $m_i$, check if there is an entry in $T_H$. If so, output the corresponding value; otherwise B chooses a random $r_{m_i} \in_R Z_n^*$, lets $R_{m_i} = r_{m_i}^2 \bmod n$, then chooses a random $h_{m_i} \in \{0,1\}^k$ and outputs $h_{m_i}$ as the corresponding value. Record the tuple $(m_i, r_{m_i}, R_{m_i}, h_{m_i})$ in table $T_H$.
• $O_{Sign}$: On input $(pk_i, m)$, if $pk_i$ is corrupted, B returns the signature $\sigma = (R, S) = (r^2 \bmod n,\ r \times sk_i^{h} \bmod n)$, where $h = H(m, R)$. Otherwise, B performs as follows. B maintains a signature table $\{(m_i, r_{m_i}, R_{m_i}, S_{m_i})\}$, where $i = 1, 2, \ldots, q_S$, denoted $T_S$. If $(m_i, \bullet, \bullet, \bullet) \in T_S$, B returns $S_{m_i}$; otherwise, B chooses $a_i, b_i \in Z_n^*$ and lets $r_{m_i} = y^{a_i} \bmod n$, $h_{m_i} = 2 b_i$, $R_{m_i} = y^{2 a_i} \bmod n$. If $(m_i, \bullet, R_{m_i}, \bullet) \in T_H$, B outputs $\perp$; the probability of this event is $q_H / 2^k$. Otherwise, B computes $S_{m_i} = y^{a_i + b_i}$ and outputs $\sigma = (R_{m_i}, S_{m_i})$. Record the tuple $(m_i, r_{m_i}, R_{m_i}, S_{m_i})$ in table $T_S$.
• $O_{ReKey}$: On input $(pk_i, pk_j)$, if $pk_i$ and $pk_j$ are both corrupted or both uncorrupted, B returns $rk_{i \to j} = (x_i / x_j) \bmod p$; else, this input is illegal.
• $O_{ReSign}$: On input $(rk_{i \to j}, pk_i, m, \sigma)$. If $\mathrm{Verify}(pk_i, m, \sigma) \ne 1$, B outputs $\perp$. Otherwise, B does the following: if $pk_i$ and $pk_j$ are both corrupted or both uncorrupted, output $\mathrm{ReSign}(O_{ReKey}(pk_i, pk_j), pk_i, m, \sigma)$; else, B outputs $O_{Sign}(pk_j, m)$.

B runs the algorithm $1/\varepsilon$ times; according to the assumption, we can get a signature $\sigma = (R_{m^*}, S_{m^*})$. Run the above algorithm twice. In each run, B queries the random oracle for a sequence of new inputs; then B will get two signatures, $\sigma = (R_{m^*}, S_{m^*})$ and $\sigma' = (R_{m^*}', S_{m^*}')$. According to the forking lemma, if $m^* = m^{*\prime}$, then we can get $r_{m^*}, r_{m^*}', R_{m^*}, R_{m^*}'$ from the H table, where:

$$R_{m^*} = r_{m^*}^{2} \bmod n \tag{4}$$
$$R_{m^*}' = r_{m^*}'^{\,2} \bmod n \tag{5}$$
$$S_{m^*}^{2} = R_{m^*} \times y^{h_{m^*}} \tag{6}$$
$$S_{m^*}'^{\,2} = R_{m^*}' \times y^{h_{m^*}'} \tag{7}$$

(6) ÷ (7):

$$\frac{S_{m^*}^{2}}{S_{m^*}'^{\,2}} = \frac{r_{m^*}^{2}}{r_{m^*}'^{\,2}}\, y^{(h_{m^*} - h_{m^*}')} \tag{8}$$
$$y^{(h_{m^*} - h_{m^*}')} = \left(\frac{S_{m^*}\, r_{m^*}'}{S_{m^*}'\, r_{m^*}}\right)^{2} \tag{9}$$

If $\gcd(h_{m^*} - h_{m^*}', 2) = 1$, according to Lemma 1, we can find the quadratic residues of $y$. The probability that the signature pair $(m_i, \bullet, R_{m_i}, \bullet)$ is not in the H table is $1 - \frac{q_H}{2^k}$, and the probability that $\gcd(h_{m^*} - h_{m^*}', 2) = 1$ holds is $1/2$. In the forking lemma, the probability that $m^* = m^{*\prime}$ holds is $\frac{1}{q_H}$, so B can solve the Quadratic Residues problem with probability

$$\varepsilon' \ge \frac{1}{2 q_H}\left(1 - \frac{q_H}{2^k}\right)^{q_S} \varepsilon.$$

IV. A FORWARD SECURE PROXY RE-SIGNATURE SCHEME

Based on the above proxy re-signature scheme, we present a forward secure proxy re-signature scheme as follows. The scheme's security is based on the Strong RSA Assumption [9].

A. Forward Secure Proxy Re-signature Scheme

KeyGen: On input the security parameter $k$, it chooses two safe primes $p = 2p_1 + 1$, $q = 2q_1 + 1$, where $p_1, q_1$ are also prime numbers. Let $n = p \times q$ and $\log_2 n > k$. It chooses a secure hash function $H: \{0,1\}^* \to \{0,1\}^k$. It selects a random $s \in_R Z_n^*$ and a total time interval number $T$, and outputs the key pair with $pk = s^{2^{T+1}} \bmod n$ and the public parameters $(k, n, p, q, H, T, pk)$.

ReKey: On input two secret keys $sk_A = s^{2^i}$, $sk_B = t^{2^i}$ for period $i$, output the re-signature key $rk_{A \to B} = (t / s)^{2^i}$.

Update: On input the secret key $sk_{i-1}$ for period $i - 1$, output $sk_i = sk_{i-1}^{2}$ for period $i$.

Sign: On input a secret key $sk = s^{2^i}$ for period $i$ and a message $m$, compute $R = r^{2^{T+1-i}} \bmod n$, $h = H(m, R)$, and output $\sigma = (R, S) = (r^{2^{T+1-i}} \bmod n,\ r \times sk_{A(i)}^{h} \bmod n)$.

ReSign: On input a re-signature key $rk_{A \to B}$ for period $i$, a public key $pk_A$, a message $m$ and a signature $\sigma_A$, check that $\mathrm{Verify}(pk_A, m, \sigma) = 1$. If $\sigma_A$ does not verify, output $\perp$; otherwise, output $\sigma' = (R', S') = (R,\ rk_{A \to B}^{H(m,R)} \times S)$.

Verify: On input a public key $pk$, a message $m$, and a purported signature $\sigma = (R, S)$, output 1 if $S^{2^{T+1-i}} = R \times pk^{H(m,R)}$ and 0 otherwise.

B. Forward Security

The correctness property is easily observable. If an adversary gets a secret key $sk_i$ for period $i$, he cannot compute a secret key $sk_j$ ($j < i$); otherwise, he can compute a number $c \in Z_n^*$ where $c^{2^{i-j}} \bmod n = sk_i$, that is, he can solve the Strong RSA Assumption. Thus, the scheme is forward secure. The scheme is also existentially unforgeable.

B. Security Analysis

Theorem 2 (Security). In the random oracle model, the forward secure proxy re-signature scheme we presented is correct and existentially unforgeable under Lemma 1.

Proof. The correctness property is easily observable. We show security using the forking lemma [11]. If there exists an adversary A that can break the above proxy re-signature scheme with non-negligible probability $\varepsilon$ after making at most $q_S$ sign queries, $q_R$ re-sign queries, $q_K$ (un)corrupted key queries and $q_H$ hash queries, then there also exists an adversary B that can solve the quadratic residues problem in $G$ with probability

$$\varepsilon' \ge \frac{1}{2 q_H}\left(1 - \frac{q_H}{2^k}\right)^{q_S} \varepsilon.$$
On input $c^{2^{T+1-i}} = \alpha \bmod n$, it is difficult to calculate $c \in Z_n^*$. Adversary B simulates a bidirectional proxy re-signature security game for A as follows.

Queries: B builds the following oracles:
• $O_{UKeyGen}$: B chooses a random $x_i \in_R Z_n^*$, and outputs $pk_i = (x x_i)^2 = y x_i^2$.
• $O_{CKeyGen}$: B chooses a random $x_i \in_R Z_n^*$, and outputs $(pk_i, sk_i) = (x_i^2, x_i)$.
• $O_H$: B maintains a hash table $\{(m_i, r_{m_i}, R_{m_i}, h_{m_i})\}$, denoted $T_H$. For each query to $O_H$ on input $m_i$, check if there is an entry in $T_H$. If so, output the corresponding value; otherwise B chooses a random $r_{m_i} \in_R Z_n^*$, lets $R_{m_i} = r_{m_i}^{2^{T+1-i}} \bmod n$, then chooses a random $h_{m_i} \in \{0,1\}^k$ and outputs $h_{m_i}$ as the corresponding value. Record the tuple $(m_i, r_{m_i}, R_{m_i}, h_{m_i})$ in table $T_H$.
• $O_{Sign}$: On input $(pk_i, m)$, if $pk_i$ is corrupted, B returns the signature $\sigma = (R, S) = (r^2 \bmod n,\ r \times sk_i^{h} \bmod n)$, where $h = H(m, R)$. Otherwise, B performs as follows. B maintains a signature table $\{(m_i, r_{m_i}, R_{m_i}, S_{m_i})\}$, where $i = 1, 2, \ldots, q_S$, denoted $T_S$. If $(m_i, \bullet, \bullet, \bullet) \in T_S$, B returns $S_{m_i}$; otherwise, B chooses $a_i, b_i \in Z_n^*$ and lets $r_{m_i} = y^{a_i} \bmod n$, $h_{m_i} = 2^{T+1-i} b_i$, $R_{m_i} = y^{2^{T+1-i} a_i} \bmod n$. If $(m_i, \bullet, R_{m_i}, \bullet) \in T_H$, B outputs $\perp$; the probability of this event is $q_H / 2^k$. Otherwise, B computes $S_{m_i} = y^{a_i + b_i}$ and outputs $\sigma = (R_{m_i}, S_{m_i})$. Record the tuple $(m_i, r_{m_i}, R_{m_i}, S_{m_i})$ in table $T_S$.
• $O_{ReKey}$: On input $(pk_i, pk_j)$, if $pk_i$ and $pk_j$ are both corrupted or both uncorrupted, B returns $rk_{i \to j} = (x_i / x_j) \bmod p$; else, this input is illegal.
• $O_{ReSign}$: On input $(rk_{i \to j}, pk_i, m, \sigma)$. If $\mathrm{Verify}(pk_i, m, \sigma) \ne 1$, B outputs $\perp$. Otherwise, B does the following: if $pk_i$ and $pk_j$ are both corrupted or both uncorrupted, output $\mathrm{ReSign}(O_{ReKey}(pk_i, pk_j), pk_i, m, \sigma)$; else, B outputs $O_{Sign}(pk_j, m)$.

B runs the algorithm $1/\varepsilon$ times; according to the assumption, we can get a signature $\sigma = (R_{m^*}, S_{m^*})$. Run the above algorithm twice. In each run, B queries the random oracle for a sequence of new inputs; then B will get two signatures, $\sigma = (R_{m^*}, S_{m^*})$ and $\sigma' = (R_{m^*}', S_{m^*}')$. According to the forking lemma, if $m^* = m^{*\prime}$, then we can get $r_{m^*}, r_{m^*}', R_{m^*}, R_{m^*}'$ from the H table, where:

$$R_{m^*} = r_{m^*}^{2^{T+1-i}} \bmod n \tag{10}$$
$$R_{m^*}' = r_{m^*}'^{\,2^{T+1-i}} \bmod n \tag{11}$$
$$S_{m^*}^{2^{T+1-i}} = R_{m^*} \times y^{h_{m^*}} \tag{12}$$
$$S_{m^*}'^{\,2^{T+1-i}} = R_{m^*}' \times y^{h_{m^*}'} \tag{13}$$

(12) ÷ (13):

$$\frac{S_{m^*}^{2^{T+1-i}}}{S_{m^*}'^{\,2^{T+1-i}}} = \frac{r_{m^*}^{2^{T+1-i}}}{r_{m^*}'^{\,2^{T+1-i}}}\, y^{(h_{m^*} - h_{m^*}')} \tag{14}$$
$$y^{(h_{m^*} - h_{m^*}')} = \left(\frac{S_{m^*}\, r_{m^*}'}{S_{m^*}'\, r_{m^*}}\right)^{2^{T+1-i}}$$

If $\gcd(h_{m^*} - h_{m^*}', 2) = 1$, according to Lemma 1, we can find the quadratic residues of $y$. The probability that the signature pair $(m_i, \bullet, R_{m_i}, \bullet)$ is not in the H table is $1 - \frac{q_H}{2^k}$, and the probability that $\gcd(h_{m^*} - h_{m^*}', 2) = 1$ holds is $1/2$. In the forking lemma, the probability that $m^* = m^{*\prime}$ holds is $\frac{1}{q_H}$, so B can solve the Quadratic Residues problem with probability

$$\varepsilon' \ge \frac{1}{2 q_H}\left(1 - \frac{q_H}{2^k}\right)^{q_S} \varepsilon.$$

V. CONCLUSION

We have presented two proxy re-signature schemes based on the quadratic residues problem, which are proven secure in the random oracle model. In particular, the second one is a forward secure proxy re-signature scheme, which can greatly reduce the impact of a secret key leak.
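The algorithms of Section IV, written out as an added example that is not part of the original paper: it implements the forward secure scheme, and with the defaults T = 0, i = 0 the same formulas reduce to the basic bidirectional scheme ($pk = s^2$, $R = r^2$, $S^2 = R \times pk^h$). The function names, the toy safe primes 1019 and 1187, SHA-256 truncated to 16 bits as $H$, and drawing $r$ at random from $Z_n^*$ are assumptions of this example.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy safe primes p = 2*509 + 1 and q = 2*593 + 1: far too small
# for real use, chosen only so the example runs instantly.
P, Q = 1019, 1187
N = P * Q
K = 16  # hash length in bits (assumption); KeyGen requires log2(n) > k


def H(m: bytes, R: int) -> int:
    """H(m, R) -> {0,1}^K, here SHA-256 truncated to K bits (assumption)."""
    digest = hashlib.sha256(m + b"|" + str(R).encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - K)


def rand_unit() -> int:
    """Random element of Z_n^*."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if gcd(x, N) == 1:
            return x


def keygen(T: int = 0):
    """KeyGen: sk_0 = s, pk = s^(2^(T+1)) mod n. T = 0 is the basic scheme."""
    s = rand_unit()
    return s, pow(s, 1 << (T + 1), N)


def update(key: int) -> int:
    """Update: sk_i = sk_{i-1}^2 mod n; the proxy squares rk the same way."""
    return pow(key, 2, N)


def rekey(sk_a: int, sk_b: int) -> int:
    """ReKey: rk_{A->B} = sk_B / sk_A mod n, both keys from the same period."""
    return sk_b * pow(sk_a, -1, N) % N


def sign(sk_i: int, m: bytes, i: int = 0, T: int = 0):
    """Sign in period i: R = r^(2^(T+1-i)), S = r * sk_i^H(m,R) mod n."""
    r = rand_unit()  # assumption: r is drawn at random from Z_n^*
    R = pow(r, 1 << (T + 1 - i), N)
    return R, r * pow(sk_i, H(m, R), N) % N


def verify(pk: int, m: bytes, sig, i: int = 0, T: int = 0) -> bool:
    """Verify: accept iff S^(2^(T+1-i)) == R * pk^H(m,R) mod n."""
    R, S = sig
    return pow(S, 1 << (T + 1 - i), N) == R * pow(pk, H(m, R), N) % N


def resign(rk: int, pk_a: int, m: bytes, sig, i: int = 0, T: int = 0):
    """ReSign: check A's signature, then output (R, rk^H(m,R) * S mod n)."""
    if not verify(pk_a, m, sig, i, T):
        return None  # stands for the paper's reject output
    R, S = sig
    return R, pow(rk, H(m, R), N) * S % N


def demo(T: int = 3):
    """Translate A's signature to B's in every period 1..T; list the results."""
    m = b"constructed sample message"
    (sk_a, pk_a), (sk_b, pk_b) = keygen(T), keygen(T)
    rk = rekey(sk_a, sk_b)
    results = []
    for i in range(1, T + 1):
        sk_a, sk_b, rk = update(sk_a), update(sk_b), update(rk)
        sig_b = resign(rk, pk_a, m, sign(sk_a, m, i, T), i, T)
        results.append(sig_b is not None and verify(pk_b, m, sig_b, i, T))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the proxy key is $sk_B / sk_A$ for the current period, squaring it once per period keeps it in step with both signers without either of them taking part again.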
REFERENCES

[1] M. Blaze, G. Bleumer, and M. Strauss. "Divertible protocols and atomic proxy cryptography", In: EUROCRYPT 1998, LNCS 1403, pp. 127-144, 1998.
[2] Ateniese, G., Hohenberger, S. Proxy Re-signatures: New Definitions, Algorithms and Applications. In: ACM Conference on Computer and Communications Security, pp. 310–319 (2005).
[3] G. Taban, A.A. Cardenas and V.D. Gligor. Towards a Secure and Interoperable DRM Architecture. In: ACM DRM 2006, pp. 69-78, 2006.
[4] R. Anderson. Two Remarks on Public-Key Cryptology. Invited lecture, CCCS '97. Available at http://www.cl.cam.ac.uk/users/rja14/.
[5] M. Bellare and S. Miner. A Forward-Secure Digital Signature Scheme. Crypto '99.
[6] Jun S, Zhenfu C, Licheng W, Xiaohui L. Proxy re-signature schemes without random oracles. Progress in Cryptology - INDOCRYPT 2007, Chennai, India, 2007, 4859:197-209.
[7] Sherman C, Raphael P. Proxy Re-signatures in the Standard Model. ISC 2008, LNCS 5222, pp. 260–276, 2008.
[8] Kitae K, Ikkwon Y and Seongan L. Remark on Shao et al's Bidirectional Proxy Re-Signature Scheme in Indocrypt'07. International Journal of Network Security, Vol. 9, No. 1, pp. 8-11, July 2009.
[9] Benoit L, Damien V. Multi-Use Unidirectional Proxy Re-Signatures. http://eprint.iacr.org/2007/371.pdf, 2007.
[10] Mao W. Modern Cryptography: Theory and Practice. Beijing: Publishing House of Electronics Industry, 2004: 55-362.
[11] Pointcheval D, Stern J. Security proofs for signature schemes. In: Proceedings of the Eurocrypt'96. Zaragoza, Spain, 1996: 387-398.
[12] Kozlov A., Reyzin L. Forward-secure signature with fast key update. In: Proceedings of Security in Communication Networks, Amalf, Italy, 2002, 241-256.
Yuqiao Deng was born in China in 1980. He received the PhD degree from South China University of Technology, Guangdong, China, in 2010. He became a lecturer at Guangdong University of Business Studies, China, in 2010. His research interests include encryption, digital signatures, cryptographic protocols and digital rights management.

Ge Song was born in China in 1984. She is a doctoral student in Harbin Institute of Technology, Harbin, China, in 2010. Her research interests include data mining, short text analysis, and digital signatures.