Multi-Use Unidirectional Proxy Re-Signatures

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the Original ArXiv Source.

In 1998, Blaze, Bleumer, and Strauss suggested a cryptographic primitive named proxy re-signatures where a proxy turns a signature computed under Alice’s secret key into one from Bob on the same message. The semi-trusted proxy does not learn either party’s signing key and cannot sign arbitrary messages on behalf of Alice or Bob. At CCS 2005, Ateniese and Hohenberger revisited the primitive by providing appropriate security definitions and efficient constructions in the random oracle model. Nonetheless, they left open the problem of designing a multi-use unidirectional scheme where the proxy is able to translate in only one direction and signatures can be re-translated several times. This paper solves this problem, suggested for the first time 10 years ago, and shows the first multi-hop unidirectional proxy re-signature schemes. We describe a random-oracle-using system that is secure in the Ateniese-Hohenberger model. The same technique also yields a similar construction in the standard model (i.e. without relying on random oracles). Both schemes are efficient and require newly defined – but falsifiable – Diffie-Hellman-like assumptions in bilinear groups.


💡 Research Summary

The paper revisits the primitive of proxy re‑signatures (PRS) originally introduced by Blaze, Bleumer and Strauss in 1998 and later formalized by Ateniese and Hohenberger in 2005. While earlier constructions were either bidirectional or single‑use, the authors address the long‑standing open problem of building a PRS scheme that is both unidirectional—allowing a proxy to translate signatures only from a delegator to a delegatee—and multi‑use, permitting a message to be re‑signed repeatedly along a chain of proxies. Their solution builds on short Boneh‑Lynn‑Shacham (BLS) signatures and introduces a leveled signature format: a level‑ℓ signature contains 2ℓ group elements, and each re‑signing step adds a new pair of elements derived from a re‑signing key R_{i→j}^{(ℓ)}. The re‑signing key is generated non‑interactively from the delegator’s public key and the delegatee’s secret key, and it can be stored privately by the proxy without revealing any signing keys.

Security is proved in two models. In the random‑oracle model the scheme’s unforgeability follows from two newly defined Diffie‑Hellman‑type assumptions: ℓ‑Flexible Diffie‑Hellman (ℓ‑FlexDH), which captures the difficulty of producing a chain of related Diffie‑Hellman values across ℓ levels, and the modified Computational Diffie‑Hellman (mCDH) problem, which remains hard even when g^{a²} is known. Both assumptions are falsifiable in Naor’s classification and inherit generic hardness results for bilinear groups. The authors also extend the construction to the standard model by applying Waters’ technique, thereby eliminating random oracles while preserving security under the same assumptions.

The paper formalizes external security (against outsiders) and three internal security notions—limited proxy security, delegatee security, and delegator security—mirroring the framework of Ateniese and Hohenberger. It demonstrates that a malicious proxy cannot forge signatures on behalf of the delegatee, that a colluding delegatee and proxy cannot learn the delegator’s secret key, and that a coalition of a proxy and a delegatee cannot frame an honest delegator.

Beyond theory, the authors discuss practical applications such as tracking a traveler’s checkpoint sequence across borders and converting certificates between untrusted and trusted certification authorities. In these scenarios, each hop adds a new signature layer, preserving the original signer’s anonymity while allowing verifiers to check only the latest public key.

Overall, the work delivers the first efficient, unidirectional, multi‑hop proxy re‑signature schemes, provides concrete security proofs in both the random‑oracle and standard models, and introduces novel, falsifiable hardness assumptions that may find broader use in pairing‑based cryptography.

