An Identity Based Strong Bi-Designated Verifier (t, n) Threshold Proxy Signature Scheme

1 An Identity Based Strong Bi-Designa ted Verifier (t, n) Threshold P roxy Signature Sche me Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra-282002 (UP), India E-mail- sunder_lal2 @rediffmail.co m , vandaniver ma@rediffmail.com Abstract: Proxy signature schemes have been invented to delegate signing rights. The paper proposes a new concep t of Identify Based Strong Bi-Designated Verifier threshold proxy signature (ID-SBDVT PS) schemes. Such scheme enables an original signer to delegate the signature authorit y to a group of ‘n’ prox y signers with the condition that ‘t’ or more proxy signers can coope ratively sign messages on behalf of the original signer and the signatures can only be verified by any t wo designated verifiers and that they cannot convince an yone else of this fact. Keywords: ID Based Cryptography, Prox y Signatures, Threshold Proxy Signatures, Bilinear Pairing, Designated Ver ifiers . 1. Introduction Certificate based cryptography allows a user to use an arbitrary string, unrelated to his identity, as his public key. When another user wants to use this public key, she has to obtain an authorized certificate that contains this public key. This creates the certificate management problem . To address this problem , Shamir [13] introduced the concept of ID based cryptography in 1984. In ID- based public key cryptography (ID-PKC) user’s publi c key is derived from certain aspects of his identity (em ail address, phone no. etc.) and a trusted th ird party called key generating center (KGC) generates secret key for the users. Mambo et al [11] introduced the concept of proxy signatures in 1996. In a proxy signature scheme, an original signer delegates his signing capability to another user called proxy signer. Proxy signer signs message on behalf of the original signer, howeve r proxy signatures are different from the original signatures. In the same year, Jakobsson et al [2] proposed the concept of designated verifier signatures (DVS). In DVS schemes, only the designated verifier can check the validity of the signatures but cannot convince any third party about the validity of the signatures. Saeednia et al [12] introduced the feature of strongness in DVS in 2003. Strong Designated Verifier Signature (SDVS) s cheme forces the designated verifier to use his secret key at t he time of verification. Since then sev eral SDVS [5, 6, 10, 14] schemes have been proposed. In 2003, Desmedt [1] raised the problem of generating multi-designated verifier schem e. However, the first bi-designated verifier signature scheme using bilinear maps was proposed by Laguillaum ie et at [ 9] in 2004. In 2006, the authors [7] pr oposed the ID-based strong bi -designated verifier signature scheme. They also proposed the first ID based st rong bi-designated verifier proxy signature schemes in which the designated proxy signature can only be verified by the two designated verifiers using their secret keys. Zhang [15] and Kim et al [4] independently constructed a threshold proxy sig nature scheme. I n a (t, n) threshold proxy signature schem e, the original signer delegates parts of his signing power t o a group of n proxy signers such that t or more proxy signers pooling their shares of delegation can generate proxy signatures but any (t-1) or fewer proxy signers cannot create a valid proxy signature. The first ID based threshold proxy signature scheme was proposed by Xu et al [16] in 2004 and the first ID-based designated verifier threshold proxy signature scheme was proposed by Juan et al [3] in 2007. In such schemes, the designated verifie r 2 can only verify the threshold proxy signatures. The paper presen ts the extension of Juan et al [3] scheme to bi-designated verifier. In our proposed scheme, any of the two designated verifiers can check the validity of the threshold proxy si gnatures but they cannot convince any third party about the validity of the signature. Anyone of them can check the validity of the signatures even if he is not aware of other’s identity. Our scheme is useful in the situations where the signature verifier does not want to rely on a single sou rce for the true ness of the signatu res. The rest of the paper is organized as follows – section 2 contains some preliminaries about bilinear pairings and Gap Diffie Hellman g roup. In section 3 we present our I D-SBDVTPS schem e. In section 4 we ana lyze its security and concluding re mark s in section 5. 2. Definitions 2.1 Bilinear pairings Let G 1 be a cyclic additive group generated by P, whose order is a large prime number q and G 2 be a cyclic multiplic ative group with the same order q. Let e: G 1  G 1  G 2 be a map with the following properties: Bilinearity : e (aP, bQ) = e (P, Q) ab  P, Q  G 1 and a, b  Z q * . Non-degeneracy :  P, Q  G 1 , such that e (P, Q)  1, the identity of G 2 . Computability : There is an efficient a lgorithm to compute e (P, Q)  P, Q  G 1 . Such pairings may be obtained by suitable modification in the Weil-pairing or the Tate-pairing on an elliptic curve de fined over a finite field. 2.2 Computationa l problems Decisional Diffie-Hel lman Problem (DDHP) : Given P, aP, bP, cP in G 1 , decide whethe r c = ab mod q. Computational Dif fie-Hellman Problem (CDHP ) : Given P, aP, bP in G 1 compute abP Bilinear Diffie- Hellman Problem (BDHP): Given P, aP, bP, cP in G 1 compute e(P, P) abc in G 2 . Gap Diffie-Hellman Problem (GDHP) : A class of problems, where DDHP can be solved in polynom ial time but no probabilistic algorithm exists that can solve CD HP in poly nomial time. 3. Identity Based Strong Bi-Designated Verifier (t, n) Threshold Proxy Signature Scheme. Our scheme is an extension of Juan et al [3] schem e. The single designated verifier is extended to bi-designated verifier to form our ID-SBDVTPS scheme. In our scheme, we have assumed Alice as the original s igner, PS = {P 1 , P 2 ,…P n } as the group of ‘n’ proxy signers and Bob and Cindy as the two designated verifiers and KGC stands for key generating ce ntre. The scheme is divided into six stages: setup, key-generation, secret-share generation, proxy-share generation, proxy-signature generation and prox y signature verification.  Setup: For a given security parameter k, G 1 is a GDH group prime order q>2 k generated by P and e: G 1  G 1  G 2 is a bilinear map. KGC chooses a master key s  Z q * and sets P pub = sP. Chooses two cryptog raphic hash functions H 1 : {0,1} *  Z q * , H 2 : {0,1} *  G 1  Z q * and H 3 :{0,1} *  G 1  G 2  Z q * . The system parameters (q, G 1, G 2 , e, P, P pub, , H 1 , H 2 , H 3 ) are made public and ‘s’ is k ept secret with KGC.  Key generat ion: Giv en a users identity ID, KGC computes his public key Q ID = H 1 (ID) and the associated secret key S ID = s -1 Q ID .P. 3  Secret share generation: The proxy group applies a (t, n) verifiable secret sharing scheme to generate secret shar es for all the proxy signers in PS as follows:  Each P i  PS = {P 1 , P 2 ,…P n } randomly chooses a (t - 1) degree poly nomial io t l l il i a x a x f      1 1 ) ( with random coeffi cients a il  Z q * and publishes A il = a il P, l = 0, 1, 2, …t – 1. P i sends f i (j) to P j via a secure channel for j ≠ i .  On receiving f i (j), P j can validate it by checking the equality     1 0 ) ( t k ik k i A j P j f , If it holds, each P i computes his secret share    n k k i i f r 1 ) ( and publishes U i = r i P.  Proxy share generation: Each proxy signer P i  PS gets his own proxy signing key share as follows:  The original signer Alice first random ly chooses r w  Z q * and computes U w = r w Q IDA. P, h w = H 2 (m w , U w ), V w = (r w + h w ) S IDA The signature on m w is w = (U w , V w ). Finally, Alice sends w and m w to each P i  PS  To verify a signature, the proxy signer P i computes h w = H 2 (m w , U w ) and accepts the signature iff e(P pub , V w ) = e(P, U w + h w Q IDA P) and rejects it otherwise. If the signature w is accepted, P i computes S i = S IDi + V w as his own proxy secret.  P i randomly chooses a (t - 1) degree polynomial i t l l il i S x b x g      1 1 ) ( with random coefficients b il  G 1 and publishes B il = e (P, b il ) for l = 1, 2, …t-1. B io can be computed by each proxy signer as B io = e(P, U w + (Q IDPi + h w Q IDA )P) . Furthermore, P i sends g i (j) to P j via a secure channel for i ≠ j.  On receiving g j (i), P i can validate it by checking the equality     1 0 )) ( , ( t k i jk j pub B k i g P e Finally, P i computes his proxy signing key share     1 0 Pi ) ( SK t k k i g and publishes e(P pub , SK Pi ).  Proxy signature generation: Let D = {P 1 , P 2 ,…P t } be the group of ‘t’ proxy signers who want to sign m essage ‘m’ on behalf of the original signer Alice.  Apply the Lagrange i nterpolation form ula to compute X = Q IDB Q IDC , G V i = e(XP, S ID i ), Y G i Vi r i  ,    t i i i Y Y 0  ,      } ,... 2 , 1 { t j i j i i j j  ,    t i i i U U 1  Let H = H 3 (m, U, Y). Each P i  D computes V i = U i + H SK Pi and σ i = (U i , V i ) be his own proxy signature sha re.  On receiving σ i , the designated clerk validates it by checking e(P, V i ) = e(P, U i ) e(P, SK Pi ) H If it holds, then σ i is the valid individual proxy signature share on ‘m’ . If all the individual 4 proxy signature shares for ‘m’ are valid, then the clerk computes    t i i i V V 1  . The proxy signature on ‘m ’ is σ = (m, V w , m w , U, V)  Proxy signature verification: To verify the proxy signature σ, the designated verifiers Bob (and Cindy) compute Q IDC = Q IDB -1 X, (Bob) Y * = e(S IDB Q IDC , U( ∑Q IDPi )) and accepts the signature iff e(P pub , V) = e(P pub , U + nHV w ) e(P, ( ∑Q IDPi )P) H . 4. Security analysis: In this section we an alyze the se curity of the propo sed ID- SBDVPS schemes. 4.1 Correctness: The following equation gives the correctness of the schem e for Bob nH w pub H Q pub nH w pub H IDP i pub w IDP i pub pub H t i n k k i pub pub t i H i P i pub t i i i pub t i Pi i i pub t i i i pub pub V P e P P e U P e V P e P Q s sP e U P e H nV S P e U P e i g P e U P e SK P e U P e SK H U P e V P e V P e IDPi ) , ( ) , ( ) , ( ) , ( ) , ( ) , ( ) ). ( , ( ) , ( ) ) ( , ( ) , ( ) , ( ) , ( ) ) . ( , ( ) , ( ) , ( ) ( 1 1 1 1 1 1 1                               e(P pub , V) = e( P pub , U + nHV w ) e(P, ( ∑Q IDPi )P) H 4.2 Strongness: In the proposed scheme proxy signatures are generated in such a manner that only the two designa ted verifier Bob and Cindy can check the validity of the signatures using his secret key. Hence, o ur schem e provides the strongness property. 4.3 Proxy protected: Alice cannot generate a valid signa ture share on behalf of P i , since he does not have any information about the secret key S IDPi of each P i. Hence, our scheme is proxy protected. 4.4 Secrecy: In our proposed scheme, the original signer Alice secret key cannot be derived from any information such as the shares of the proxy signing key , proxy si gnature etc. Even if ‘t’ out of ‘n’ proxy signers collaborates to deliver the proxy share, they cannot calculate the Alice secret key. Hence, o ur schem e is secure. 5 5. Conclusion: In this paper, we have presented a new concept of Identity based strong bi-designated verifier (t, n) threshold proxy signature scheme. The proposed schem e can also be viewed as a double threshold signature scheme as it uses threshold in signature generation and signature verification phase. The scheme is applicable in the situations where receiver wants the signatures to be verified by two designated persons and no one other than these two designated persons can check the trueness of the signatures. References: 1. Y.Desmedt . Verifier-De signated Signatures, Rump Session, Crypto’03 (2 003). 2. M.Jakobsson, K.Sako, K.R.Impaliazzo. Designated verifier proo fs and their applicati ons. Eurocr ypt 1996, LNCS #1070, Sp ringer-Verlag, 19 96, 142-154. 3. Xu Li-Juan, Xu Qiu-Liang, Zheng Zhi-hua. Ide ntity based designated verifier threshold signature scheme, Journal of Co mputer Applications 10 58-1061, 2007 27 (05). 4. S.Kim, S.Par k, D.Won. Proxy signatures revisited, Proc. Information and Communic ation Security (ICICS’97), LNCS#1334 , Springer-Verlag, 1 997, 223-232. 5. K.P Kumar, G.Shailaja, Ashutosh Saxena. Identity based strong d esignated verifier signature scheme. Cryptography eprint Archive Report 2 006/134. Available at http://eprint.iacr.o rg/2006/134.pdf 6. Sunder Lal, Vanda ni Verma. Identit y based strong desig nated verifier prox y signature scheme. Cryptography eprint Archive Report 2 006/394. Available at http://eprint.iacr.or g/2006/394.pdf 7. Sunder Lal, Vandani Verma. Some identit y based strong bi-designated verifier signature scheme. Cryptography eprint Archive Report 2 007/193. Available at http://eprint.iacr.or g/2007/193.pdf 8. Sunder Lal, Vandani Verma. Identity based strong bi-designated verifier prox y signature scheme. Cryptography eprint Archive Report 2 008/024. Available at http://eprint.iacr.or g/2008/024.pdf 9. F.Laguillaumie, D.Vergnau d. Multi-designated verifiers signatures. ICIC S 2004 , LNCS #3269 Springer-Verlag, 2004 , 495-507. 10. R.Lu, Z.Cao. Designated verifier proxy scheme with message recovery. Applied Mathe matics and Computation, 169(2), 2005, 1237-12 46. 11. M. Mambo, K. Usuda, and E. Oka moto. Prox y signatures for delegating signing operatio n, revisited, In Proc. Of 3 rd ACM conference on computer and co mmunication sec urity (CCS), 1996, 48-57 . 12. S.Saeednia, S.Kreme, O.M arkotwich. An efficient stro ng designated verifier signature sc heme. ICICS 2003, LNCS #2971, Sp ringer-Verlag, 20 03, 40-54. 13. A. Shamir. ID based cryptosystems and signature scheme. Crypto’84, LNCS #196 , Springer-Verlag, 1984, 47-53. 14. G. Wang. Designated verifier proxy signature for e-commerce. IEEE International Conferences on Multimedia and Expo (ICME 2004) CD-ROM, ISBN- 0-7803-8604 -3, Taipei, T aiw an, 20 04, 27-30 . 15. J.Xu, Z . Zheng, D.Feng. ID based threshold proxy signa ture, Cryptography eprint Archive Report 2004/250. Available at http://eprint.iacr.org/200 4/250.pdf 16. K.Zhang. Threshold proxy signature schemes, Proc . Inf ormation Securit y Worksh op (ISW’97), LNCS#1396, Springer-Verla g, 19 97, 282-290.