Efficient Pairing-Based Threshold Proxy Signature Scheme with Known Signers

Since threshold proxy signatures were first proposed, all threshold proxy signature schemes have been based on the discrete logarithm problem in a modular multiplicative group which has an element g of large prime order. Such schemes have become more and more complex and time-consuming in order to meet security and specific requirements. In this paper, we propose a (bilinear) pairing-based threshold proxy signature scheme with known signers, analyze its security, and check that the proposed scheme has the following properties: non-repudiation, unforgeability, identifiability, distinguishability, verifiability, prevention of misuse of proxy signing right, etc. Moreover, we point out that the proposed scheme is of great efficiency by comparing it with Sun's and Hsu et al.'s schemes.


Introduction
The proxy signature scheme (Mambo et al., 1996a; Mambo et al., 1996b), a variation of ordinary digital signature schemes which enables a proxy signer to sign messages on behalf of the original signer, has many applications in mobile agent environments and electronic transactions. There are, so far, three types of delegation: full delegation, partial delegation, and delegation by warrant. In full delegation, a proxy signer is given the same private key as the original signer has, and computes the same signatures as the original signer does. In partial delegation (Mambo et al., 1996b), the original signer uses his private key to create a proxy signature key and sends it to the proxy signer in a secret way. The proxy signer uses the proxy signature key to compute proxy signatures on behalf of the original signer. For security reasons, it must be computationally infeasible to compute the original signer's private key from the proxy signer's proxy signature key. In delegation by warrant (Neuman, 1993), the original signer gives the proxy signer a warrant, composed of a message part and a public signature key, which certifies that the proxy signer is legal. Then the proxy signer uses the corresponding private key to sign the message on behalf of the original signer.
Following the development of proxy signature schemes (Hsu et al., 2001; Hwang et al., 2000; Hwang and Chen, 2003; Li and Cao, 2002; Li et al., 2002; Li et al., 2003a; Li et al., 2003b; Mambo et al., 1996a; Mambo et al., 1996b; Neuman, 1993; Sun, 1999; Sun et al., 1999; Zhang and Kim, 1997; Zhang and Kim, 2003), the threshold proxy signature was also widely studied in (Hwang and Chen, 2003; Hsu et al., 2001; Hwang et al., 2000; Li and Cao, 2002; Sun, 1999; Zhang and Kim, 1997; Zhang and Kim, 2003). In a $(t, n)$ threshold proxy signature scheme, the original signer authorizes a proxy group with $n$ proxy members. Any $t$ or more proxy signers can cooperatively employ the proxy signature keys to sign messages on behalf of an original signer, but $t - 1$ or fewer proxy signers cannot. The threshold proxy signature with known signers was proposed by Sun (Sun, 1999) in 1999, and has the property that the identities of the $t$ proxy signers who cooperate to generate the proxy signature can be verified in the verification equation. After that, Hwang and Sun et al. (Hwang et al., 2000) pointed out that Sun's scheme was insecure against a collusion attack. By colluding, any $t - 1$ proxy signers among the $t$ proxy signers can cooperatively obtain the secret key of the remaining one. They also proposed an improved scheme which can guard against the collusion attack. However, Sun's scheme is vulnerable to a conspiracy attack because of another weakness. That is, any $t$ malicious proxy signers can collusively derive the secret keys of the other proxy signers in the group and can impersonate some other proxy signers to generate proxy signatures.
Up to the present, all threshold proxy signature schemes are still based on the discrete logarithm problem in the multiplicative group $Z_p^*$ where $p$ is a large prime. Such threshold proxy signature schemes have become more and more complex and time-consuming in order to meet security and specific requirements. Since the GDH signature (short signature scheme) in (Boneh et al., 2001) was proposed by Boneh et al., many cryptosystems based on bilinear, non-degenerate, efficiently computable mappings (called pairings) over certain groups have been widely studied. So in this paper we propose a new kind of threshold proxy signature with known signers based on pairings, which could be built from the Weil pairing or Tate pairing on an elliptic curve or a supersingular elliptic curve.
First we introduce some related work on bilinear pairings, then state the proposed threshold proxy signature scheme based on bilinear pairings. Next we analyze the security of the proposed scheme. After that, we compare the proposed scheme with Sun's and Hsu et al.'s schemes in terms of computational complexity in some cases. Finally, we draw a conclusion on the whole paper.

Background and Related Work
Here we summarize some concepts of bilinear pairings using similar notations as in (Zhang and Kim, 2003).

Bilinear Pairings
Let $G_1$ and $G_2$ be additive and multiplicative groups of the same prime order $q$, respectively. Let $P$ be a generator of $G_1$. Assume that the discrete logarithm problems in both $G_1$ and $G_2$ are hard to solve. Let $\hat{e} : G_1 \times G_1 \to G_2$ be a pairing which satisfies the following properties:
1. Bilinear: $\hat{e}(aP, bP') = \hat{e}(P, P')^{ab}$ for all $P, P' \in G_1$ and all $a, b \in Z$.
2. Non-degenerate: If $\hat{e}(P, P') = 1$ for all $P' \in G_1$, then $P = O$.
3. Computable: There is an efficient algorithm to compute $\hat{e}(P, P')$ for any $P, P' \in G_1$.
To construct the bilinear pairing, we can use the Weil pairing or revised Tate pairing associated with supersingular elliptic curves.
With such a group $G_1$, we can define the following hard cryptographic problems:
• Discrete Logarithm (DL) Problem: Given $P, P' \in G_1$, find an integer $n$ such that $P' = nP$ whenever such an integer exists.
• Computational Diffie-Hellman (CDH) Problem: Given a triple $(P, aP, bP) \in G_1^3$, for $a, b \in Z_q^*$, find the element $abP$.
• Decision Diffie-Hellman (DDH) Problem: Given a quadruple $(P, aP, bP, cP) \in G_1^4$, for $a, b, c \in Z_q^*$, decide whether $c = ab \pmod q$ or not.
• Gap Diffie-Hellman (GDH) Problem: A class of problems where the CDH problem is hard but the DDH problem is easy.
Groups where the CDH problem is hard but the DDH problem is easy are called Gap Diffie-Hellman (GDH) groups. Details about them can be found in (Boldyreva, 2003; Boneh et al., 2001; Boneh and Franklin, 2001; Boneh et al., 2003; Joux and Nguyen, 2001).

A GDH Signature Scheme
A signature scheme S consists of three algorithms. A randomized key generation algorithm K takes global information I and outputs a pair (sk, pk) of a secret and a public key. A randomized signature generation algorithm S takes a message M to sign, global information I and a secret key sk, and outputs M and a signature $\sigma$. A deterministic verification algorithm V takes a public key pk, a message and a signature $\sigma$, and outputs 1 (accepts) if the signature is valid and 0 (rejects) otherwise.
The widely accepted notion of security for signature schemes is unforgeability under chosen-message attacks; the notion adjusted to the random oracle model is given in (Boneh et al., 2001). Now we introduce the GDH signature scheme in (Boneh et al., 2001). Let $G_1$ be a GDH group. Let $[\{0, 1\}^* \to G_1^*]$ be a hash function family, each member of which maps arbitrarily long strings to the group $G_1^*$, and let $H$ be a random member of this family. The global information I contains the generator $P$ of $G_1$, the prime order $q$ and a description of $H$. The algorithms (K, S, V) of the GDH group signature scheme $GS[G_1]$ are defined as follows.
In (Boneh et al., 2001) the authors state and prove the following result.
Theorem 1. Let $G$ be a GDH group. Then $GS[G]$ is a secure signature scheme in the random oracle model.

Proposed Scheme
In this section we propose a partial delegation threshold proxy signature scheme with warrant $m_\omega$, which records the identities of the original signer and the proxy signers of the proxy group, the parameters $t$ and $n$, the valid delegation time, etc. It is also a proxy-protected threshold proxy signature scheme.
The system parameters are the same as those in the GDH signature scheme, assuming that $G_1$ and $G_2$ are additive and multiplicative groups of the same prime order $q$, P is a (Boneh et al., 2003), are two cryptographic hash functions, and the original signer has a secret key $sk = x_o$ randomly chosen from $Z_q^*$ and a public key $pk = Y_o = x_o P$ which is certified by a CA (Certificate Authority). Let $p_1, p_2, p_3, \dots, p_n$ be the $n$ proxy signers. Each proxy signer has a secret key $sk = x_i$ randomly chosen from $Z_q^*$ and a public key $pk = Y_i = x_i P$ which is certified by the CA as well. Let ASID (Actual Signers' ID) denote the identities of the actual signers. Our scheme mainly consists of three protocols: the proxy share generation protocol TPK, generation of the proxy signature without revealing shares TPS, and the proxy signature verification protocol TPV.

Proxy Share Generation Protocol TPK
The proxy share generation protocol makes use of Verifiable Secret Sharing (VSS) proposed by Pedersen (Pedersen, 1991). To delegate the signing capability to proxy signers, the original signer Alice uses the Schnorr signature scheme to sign the warrant $m_\omega$ (since the Schnorr signature scheme is known to be provably secure (Pointcheval and Stern, 1996) in the random-oracle model). There is an explicit description of the delegation relation in the warrant $m_\omega$. If the following process finishes successfully, each proxy signer will get his or her proxy share key.
Step 1. The original signer picks a random number r v), then Alice (the original signer) sends $\sigma$ and $m_\omega$ to each proxy signer.
Step 2. Each proxy signer verifies the validity of the signature on $m_\omega$ by checking whether the following equation holds or not.
and accepts $\sigma$ if and only if the above equation holds. If the signature $\sigma$ is valid, proxy signer $p_i$ picks a random number $k_i$, broadcasts $k_i P$ and computes $s_i \equiv n^{-1}v + x_i + k_i \pmod q$ with his own secret key.
Step 3. Proxy signer $p_i$ randomly picks a polynomial then $p_i$ computes and broadcasts $a_{i,j}P$ for $j = 1, 2, 3, \dots, t - 1$; $p_i$ does not need to broadcast $a_{i,0}P$, since $a_{i,0}P = n^{-1}vP + Y_i + k_i P$; and sends $f_i(j)$ secretly to each proxy signer $p_j$ for j = 1, 2, 3,
Step 4. Proxy signer $p_i$ after receiving (3) If the check fails, $p_i$ broadcasts a complaint against $p_j$. Assume that none of the proxy signers has a complaint. Then the proxy signer $p_i$ computes the secret proxy share , and computes the public proxy share $Y'_i = x'_i P$.
In this protocol, if we let $f(z) = \sum_{i=1}^{n} f_i(z)$, the secret proxy share is in fact $x'_i = f(i)$, and the public proxy share $Y'_i$ must be $f(i)P$.
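The share algebra of the proxy share generation protocol, worked through as an added example (not code from the paper): a toy order-q subgroup of Z_p^* stands in for $G_1$, and the consistency check is the standard Feldman-style commitment check, assumed here because the check equation (3) is not reproduced above. All parameters, function names and sample keys are constructed for illustration.

```python
import secrets

# Constructed toy group standing in for G_1 (no pairing, far too small to be
# secure): the order-q subgroup of Z_p^* with p = 2q + 1. The "point" sP is
# G^s mod p, and point addition is multiplication mod p.
P_MOD, Q, G = 2039, 1019, 4

def point(s):
    """Stand-in for the scalar multiple sP."""
    return pow(G, s % Q, P_MOD)

def f_eval(coeffs, z):
    return sum(c * pow(z, k, Q) for k, c in enumerate(coeffs)) % Q

def deal(s_i, t, n):
    """Step 3 for one signer p_i: a random degree t-1 polynomial f_i with
    f_i(0) = s_i, the broadcast commitments a_{i,k}P for k = 1..t-1, and the
    shares f_i(j) sent privately to each p_j."""
    coeffs = [s_i % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    commits = [point(c) for c in coeffs[1:]]
    return commits, {j: f_eval(coeffs, j) for j in range(1, n + 1)}

def share_ok(share, j, a0P, commits):
    """Assumed Feldman-style check: f_i(j)P == sum_k j^k * (a_{i,k}P)."""
    rhs = a0P
    for k, c in enumerate(commits, start=1):
        rhs = rhs * pow(c, pow(j, k, Q), P_MOD) % P_MOD
    return point(share) == rhs

def run_tpk(t, n, v, x, k, corrupt=None):
    """x, k map i -> x_i, k_i. corrupt=(i, j) makes p_i send p_j a bad share.
    Returns (proxy shares f(j), complaints as (complainer, accused))."""
    ids = range(1, n + 1)
    n_inv = pow(n, -1, Q)
    Y = {i: point(x[i]) for i in ids}        # certified public keys Y_i
    kP = {i: point(k[i]) for i in ids}       # broadcast values k_i P
    dealt = {i: deal(n_inv * v + x[i] + k[i], t, n) for i in ids}
    if corrupt:
        i, j = corrupt
        dealt[i][1][j] = (dealt[i][1][j] + 1) % Q
    complaints = []
    for i in ids:
        # a_{i,0}P is never broadcast: it is rebuilt from public values as
        # n^{-1}vP + Y_i + k_iP, which ties f_i(0) to p_i's certified key.
        a0P = point(n_inv * v) * Y[i] * kP[i] % P_MOD
        complaints += [(j, i) for j in ids
                       if not share_ok(dealt[i][1][j], j, a0P, dealt[i][0])]
    proxy = {j: sum(dealt[i][1][j] for i in ids) % Q for j in ids}
    return proxy, complaints

def reconstruct(shares):
    """Lagrange interpolation at 0 from any t proxy shares {j: f(j)}."""
    total = 0
    for i, s in shares.items():
        w = 1
        for j in shares:
            if j != i:
                w = w * j * pow((j - i) % Q, -1, Q) % Q
        total = (total + w * s) % Q
    return total

if __name__ == "__main__":
    v = 777                                  # constructed sample values
    x = {1: 101, 2: 202, 3: 303, 4: 404, 5: 505}
    k = {1: 9, 2: 8, 3: 7, 4: 6, 5: 5}
    proxy, complaints = run_tpk(3, 5, v, x, k)
    print("complaints:", complaints)
    print("f(0) from shares 1,3,5:", reconstruct({j: proxy[j] for j in (1, 3, 5)}))
    print("v + sum(x_i + k_i):    ", (v + sum(x.values()) + sum(k.values())) % Q)
```

Any $t$ shares interpolate to $f(0) = v + \sum_{i=1}^{n}(x_i + k_i)$, which is why the final signature carries $K$ and why the verifier needs every proxy signer's public key.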

Generation of the Proxy Signature TPS
Let $m$ be a message to be signed. Without loss of generality, we assume that $p_1, p_2, p_3, \dots, p_t$ are the $t$ proxy signers who want to cooperate to sign a message $m$ on behalf of the original signer Alice.
Step 1. Each proxy signer $p_i$ (for $i = 1, 2, \dots, t$) uses his or her secret proxy share $x'_i$ to sign the message $m$. Referring to the signature scheme in (Boneh et al., 2001) each proxy signer
Step 2. The $t$ proxy signers, after gathering $\sigma_i$, verify $\sigma_i$ by checking If the above equation doesn't hold, they will know that $p_i$ did not send the correct partial signature or that $p_i$ is not honest, and may ask another signer or $p_i$ to do Step 1 again. Now assuming the equation holds, they can compute the proxy signature $\sigma' = \sum_{i=1}^{t} \sigma_i$ and $K = \sum_{m=1}^{n} k_m P$, and record the $t$ proxy signers' IDs in ASID. So the complete valid proxy signature will be the tuple $\langle m, U, m_\omega, \sigma', K, ASID \rangle$.
REMARK 1. In Step 2 we may designate one of the $t$ proxy signers, or a clerk who is assumed honest, to check the correctness of the partial signatures and generate the complete signature. If we use $\{i_1, i_2, \dots, i_t\}$, a subset of $\{1, 2, \dots, n\}$, to represent the $t$ proxy signers' IDs, we may use $\sum_{k=1}^{t} 2^{i_k}$ to represent ASID, so ASID is only an $n$-bit-long string.

Proxy Signature Verification Protocol TPV
Receiving the threshold proxy signature $\langle m, U, m_\omega, \sigma', K, ASID \rangle$ of $m$, any verifier can confirm the validity of the proxy signature and identify the actual signers. The steps of the phase are stated as follows:
Step 1. The verifier can identify the original signer and the proxy signers from $m_\omega$ and ASID, and get their public keys from the CA. Besides, he/she can also identify the actual proxy signers.
Step 2. A recipient can verify the validity of the proxy signature by checking if the following equation holds or not. (5) If it holds, the recipient accepts the signature, otherwise rejects.

Correctness
The verification of the signature is justified by the following equations: So the correctness of verification protocol is proved.

Security Analysis of the Proposed Scheme
In the following section, we will prove that the proposed scheme can resist all kinds of known attacks, including the forgery attack, conspiracy attack, public key substitution attack, etc. Like the general proxy signature, our proposed signature scheme also satisfies the requirements stated in the abstract.
Distinguishability: This is obvious, because there is a warrant $m_\omega$ in a valid proxy signature, and at the same time this warrant $m_\omega$ and the public keys of the original signer and proxy signers must occur in the verification equation of the proxy signature.

Verifiability: The valid proxy signature for message $m$ will be the tuple $\langle m, U, m_\omega, \sigma', K, ASID \rangle$. From the construction of $\langle U, \sigma', K \rangle$ and the verification phase, the verifier can be convinced that the proxy signer has the original signer's signature on the warrant $m_\omega$. In general the warrant $m_\omega$ contains the identity information, the limit of the delegated signing capacity, etc., so our scheme satisfies verifiability.
Strong non-forgeability: First, a third-party adversary who wants to forge the proxy signature of message $m$ for the proxy signers and original signer must have the original signer's signature $\sigma$ on the warrant $m_\omega$, but cannot forge this since the Schnorr signature scheme is secure. And even if the third-party adversary knows the signature $\sigma$ sent by the original signer, he cannot forge a signature on any other message $m_\omega$, so he cannot forge a proxy signature on $m$ either.
Second, the original signer cannot create a valid proxy signature, since the proxy signature is obtained by the proxy signers using the GDH signature scheme (a secure signature scheme) and the proxy signers' secret proxy shares $\{x'_i\}$, which contain the private key $\{x_i\}$ of each proxy signer. Also, the original signer doesn't know $\sum_{i=1}^{n}(x_i + k_i)$ and $\sum_{i=1}^{t} x_i$, so the original signer can't forge a valid proxy signature. Thus the proposed scheme is a proxy-protected one.
Third, a proxy signer can't forge valid proxy signatures. From the proxy signature $\langle m, U, m_\omega, \sigma', K, ASID \rangle$, any proxy signer can't obtain the private keys of other proxy signers. He/she can't get $k_1, k_2, \dots, k_n$ randomly chosen by the proxy signers, or $\sum_{i=1}^{t}(x'_i + x_i)$, either, because of the hard Discrete Logarithm problem. Therefore, proxy signatures can't be forged by any proxy signer.
Fourth, the designated proxy signer or clerk in Step 2 of protocol TPS (Generation of the proxy signature) can't forge the proxy signatures either. From the partial signature $\sigma_i$ the clerk can't get knowledge of $x'_i \omega_i + x_i$ because of the hard Discrete Logarithm problem. Of course, the clerk is unable to obtain knowledge of $x'_i$ or $x_i$ either. From the equation $\sigma' = \sum_{i=1}^{t} \sigma_i$, the clerk can't get $\sum_{i=1}^{t}(x'_i \omega_i + x_i)$ either, for the same reason. Therefore, the proxy signature can't be forged by the designated one.

Identifiability: The valid signature contains the warrant $m_\omega$, so anyone can determine the identities of the corresponding proxy signers from the warrant. The verifier also receives ASID from the valid proxy signature $\langle m, U, m_\omega, \sigma', K, ASID \rangle$, which records the identities of the actual $t$ proxy signers who cooperate in generating the proxy signature. So the proposed threshold proxy signature is identifiable.

Strong nonrepudiation: As with identifiability, the valid signature contains the warrant $m_\omega$ and ASID, which must be verified in the process of verification; it cannot be modified by the proxy signers. Thus once a proxy signer creates a valid proxy signature for the original signer, he cannot repudiate the signature creation. In the verification phase the verifier also takes in the public keys of the proxy signers, including the actual signers' identities (ASID), and of the original signer, so the signers cannot repudiate the signature creation either.

Prevention of misuse: In our proposed proxy signature scheme, the limit of the delegated signing capacity is determined in the warrant $m_\omega$. We can conclude that even someone who knows the signature $v$ on $m_\omega$ can't sign any other message on behalf of the original signer, since the Schnorr signature scheme is secure. So our proposed signature has the property of prevention of misuse.
Next we will show that even when $t - 1$ proxy signers (who have the warrant $m_\omega$) are corrupted, the proposed threshold proxy signature will still be secure. So we can conclude our scheme is a threshold proxy signature scheme.
Theorem 2. Even if there exists an adversary who can corrupt $t - 1$ proxy signers among $n$ proxy signers, the TPK and TPS protocols still complete successfully.
Proof. In the TPK protocol we use the technique of VSS; when each proxy signer receives $v$ he must use his private key to generate a polynomial $f_i(z)$
And in Step 4 each proxy signer $p_i$ will check each $f_i(j)$, so the $t - 1$ proxy signers cannot do anything to cheat or forge.
In the TPS protocol every partial signature $\sigma_i$ is verified against the corresponding public proxy share $Y'_i$ in equation (4) of Step 2. Even if at most $t - 1$ signers can be corrupted, the adversary still needs to get one partial signature from the other signers (which the adversary can't forge) to form $t$ valid signature shares. Only with $t$ valid signature shares can the adversary produce a valid signature.
What we want to point out next is that our threshold proxy signature can avoid the conspiracy attack in (Hsu et al., 2001), in which $t$ malicious proxy signers can impersonate some other proxy signers to generate valid proxy signatures and may even learn the secret keys of the other signers for misuse. In our scheme if $t$ malicious proxy signers want to impersonate some other $t$ proxy signers to generate valid proxy signatures, they must use , each proxy signer randomly chooses $k_i$ and publishes $k_i P$, which makes it impossible to learn other proxy signers' secret keys because of the hard Discrete Logarithm problem.
At last, the scheme can resist the public key substitution attack from the original signer or any proxy signer. In the scheme, a CA (Certificate Authority) is needed. If the original signer or any proxy signer wants to substitute a new public key for the original public key, he/she must know the corresponding private key. In the public key substitution attack, generally speaking, the attacker doesn't know the corresponding private key. Thus, the attacker can't change its public key in the system public directory which is managed by the CA. So the public key substitution attack doesn't work, either.
Through the analysis of security, what we want to point out is that our proxy signature scheme does not need a secure channel for delivery of the signed warrant, since the Schnorr signature scheme is secure. More precisely, the original signer can send the signature $v$ on the warrant $m_\omega$ to the proxy signers through a public channel.

Performance Evaluation and Numerical Computation Sample
In this section, we compare our scheme with Sun's scheme and Hsu et al.'s scheme in terms of computation time, then we provide a simple numerical computation example of our proposed scheme.

Performance Evaluation
We use the following notation to facilitate the performance evaluation:
m: The time of performing a modular multiplication computation.
in: The time of performing a modular inverse computation.
exp: The time of performing an exponentiation computation.
h: The time of performing a cryptographic hash function mapping strings to a modular group (such as the hash functions in Sun's scheme and Hsu et al.'s scheme or $H_1$ in our scheme).
Add: The time of performing a point addition computation.
Sca: The time of performing a scalar multiplication computation.
NA: Not available.
P: The time of performing a pairing computation.
H: The time of performing a cryptographic hash function mapping strings to a GDH group (such as $H_2$ in our scheme).
Table 1 shows the time cost in computations of Sun's scheme, Hsu et al.'s scheme and our scheme, which shows our threshold proxy signature is of great efficiency. Table 1 excludes the computation cost of validating $f_i(v_j)$ in Sun's scheme and Hsu et al.'s scheme or the corresponding $f_i(j)$ in our scheme. We also assume that $Y_G = \prod_{i=1}^{n} y_i \pmod p$ in Sun's and Hsu et al.'s schemes and the corresponding $\sum_{i=1}^{n} Y_i$ in our scheme are precomputed before the verification phase.
Since our scheme works on an elliptic curve or a supersingular elliptic curve, small key sizes are an advantage. Moreover the signature size is also small by using $c \in F_{q^k}^*$ such that $a = bc^m$.
Given the point $P$, compute a function $g$ such that the divisor of $g$ is equal to $l((P) - (O))$. Then compute a divisor $D$ which is equivalent to $(Q) - (O)$ such that $D$ is disjoint from the support of $g$. Then the value of the Tate pairing (up to $l$th powers) is $\langle P, Q \rangle = g(D)$ where g(D)
For each pair of points $U, V$ on the elliptic curve $E(F_{q^k})$, let $g_{U,V}$ be the rational function given by the line $g_{U,V} : l_1 y + l_2 x + l_3 = 0$ through $U$ and $V$. Naturally, if $U = V$, then $g_{U,V}$ is given by the equation of the tangent line at $U$, and if either $U$ or $V$ is the point at infinity $O$, then $g_{U,V}$ represents the vertical line through the other point. Furthermore, for brevity, we write $g_U$ instead of $g_{U,-U}$.
We introduce Miller's algorithm for the Tate pairing to compute $\langle P, Q \rangle$:
• Return $f$.
The rest of the implementation of the proposed scheme is easy, since all the other operations have standard algorithms.
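An added example (not from the paper) of Miller's algorithm for the reduced Tate pairing, built from the line functions $g_{U,V}$ described above. The curve $y^2 = x^3 + x$ over $F_{211}$, the distortion map $(x, y) \mapsto (-x, iy)$, the denominator elimination and all function names are assumptions chosen so that it runs in plain Python and lets the bilinearity property from the Bilinear Pairings section be checked numerically.

```python
# Constructed toy parameters: E: y^2 = x^3 + x over F_p with p = 3 (mod 4) is
# supersingular, #E(F_p) = p + 1, embedding degree 2. Far too small to be secure.
p, l = 211, 53                       # p + 1 = 4 * 53, l = prime subgroup order

def fmul(a, b):                      # product in F_{p^2} = F_p[i] / (i^2 + 1)
    return ((a[0]*b[0] - a[1]*b[1]) % p, (a[0]*b[1] + a[1]*b[0]) % p)

def fpow(a, e):
    r = (1, 0)
    while e:
        if e & 1:
            r = fmul(r, a)
        a, e = fmul(a, a), e >> 1
    return r

def slope(T, R):                     # slope of g_{T,R}; None for a vertical line
    (x1, y1), (x2, y2) = T, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if T == R:                       # tangent line at T
        return (3*x1*x1 + 1) * pow(2*y1 % p, -1, p) % p
    return (y2 - y1) * pow((x2 - x1) % p, -1, p) % p

def add(T, R):                       # group law on E(F_p); None is the point O
    if T is None:
        return R
    if R is None:
        return T
    lam = slope(T, R)
    if lam is None:
        return None
    x3 = (lam*lam - T[0] - R[0]) % p
    return (x3, (lam*(T[0] - x3) - T[1]) % p)

def smul(k, T):                      # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1:
            R = add(R, T)
        T, k = add(T, T), k >> 1
    return R

def line(T, R, Q):                   # g_{T,R} evaluated at phi(Q) = (-x_Q, i*y_Q)
    lam = slope(T, R)
    if lam is None:                  # vertical line: its value lies in F_p and
        return (1, 0)                # is wiped out by the final exponentiation
    return ((-T[1] - lam * (-Q[0] - T[0])) % p, Q[1])

def tate(P, Q):
    """Modified reduced Tate pairing e(P, phi(Q)) for P, Q of order l in E(F_p)."""
    f, T = (1, 0), P
    for bit in bin(l)[3:]:           # Miller loop over the bits of l, MSB first
        f = fmul(fmul(f, f), line(T, T, Q))
        T = add(T, T)
        if bit == "1":
            f = fmul(f, line(T, P, Q))
            T = add(T, P)
    return fpow(f, (p*p - 1) // l)   # map "up to l-th powers" to a unique value

def order_l_point():                 # first point of order l found on E(F_p)
    for x in range(1, p):
        rhs = (x**3 + x) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            G = smul((p + 1) // l, (x, y))
            if G is not None:
                return G

if __name__ == "__main__":
    G = order_l_point()
    e = tate(G, G)
    print("G =", G, " e(G, G) =", e)
    print("bilinear:", tate(smul(7, G), smul(11, G)) == fpow(e, 77))
```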

Conclusions
We have used the Schnorr signature scheme on an elliptic curve or a supersingular elliptic curve to create an efficient pairing-based threshold proxy signature scheme with known signers. The threshold proxy signature scheme is based on secure bilinear pairings and may be the first one using bilinear pairings to create a threshold proxy signature with known signers, since bilinear pairings have been found to have many good properties in cryptography. In the security analysis some theorems have been proved to show the scheme's security, the requirements which the proxy signature satisfies have also been checked, and almost all kinds of attacks are shown to be useless against our scheme. Finally we compare the performance of our scheme with other threshold proxy signature schemes, which shows our scheme is also of great efficiency with small keys and signatures.
. Efficient id-based blind signature and proxy signature from bilinear pairings. In Proc. of ACISP'03, July 9-11, Wollongong, Australia, LNCS 2727. Springer-Verlag, Berlin. pp. 312-323.

Qian was awarded a BS degree and a master's degree (on algebraic geometry) in the Mathematics Department from East China Normal University, China, in 2000 and 2003, respectively, and now is a doctoral candidate in the Department of Computer Science and Engineering, Shanghai Jiao Tong University. His main research interests include network security, cryptography and algebraic geometry.

Z.F. Cao received a BS degree in computer science and a PhD degree in mathematics from Harbin Institute of Technology, China, in 1983 and 1999, respectively. He became the youngest associate professor and professor in China, in 1987 and 1991, respectively. Since 2002, he has been a professor and doctoral supervisor at Shanghai Jiao Tong University. Dr. Cao is a member of many academic organizations, such as the Expert Group of the National Information Security Technology, and is director of the National Association for Cryptologic Research (China). He is a reviewer for Mathematical Reviews (USA) and Zentralblatt MATH (Germany). His main research areas are number theory, modern cryptography, and the theory and technology of information security. He is a winner of the first prize of the Award for Science and Technology in Chinese University and the National Outstanding Youth Fund of China, etc.

Q.S. Xue received a BS degree in computer science and technology from Shandong Normal University and a master's degree in computer application from Shandong University, China, in 1995 and 2000, respectively, and is now a doctoral candidate in the Department of Computer Science and Engineering, Shanghai Jiao Tong University. His research interests include network security and cryptography.

H.F.