(IJCNS) International Journal of Computer and Network Security, 93

Vol. 2, No. 6, June 2010

Proxy Blind Signature based on ECDLP

Asis Kumar Tripathy1, Ipsita Patra2 and Debasish Jena3
1,2
Department of Computer Science and Engineering
International Institute of Information Technology, Bhubaneswar 751 013, India
1
asistripathy@gmail.com , 2ipsi.lucky@gmail.com
3
Center For IT Education
Biju Pattanaik University of Technology,Bhubaneswar, India
debasishjena@hotmail.com

1.4 Proxy Blind Signature

Abstract: Proxy blind signature is the combination of
properties and behavior of two most common digital signature
schemes i.e. proxy signature and blind signature. In this scheme
proxy signer generates the blind signature on behalf of the
original signer without knowing the content of the message.
Proxy blind signature can be used in various applications such
as e-voting, e-payment, mobile agent communication. In this
paper cryptanalysis of DLP based proxy blind signature scheme
with low computation by Aung et al. has been done. An efficient
proxy blind signature scheme based on ECDLP has been
proposed.
Keywords: Proxy Signature ,Blind signature,Proxy blind
signature,ECDLP.
A proxy blind signature scheme is a digital signature
scheme which combines the properties of proxy signature
and blind signature schemes. A proxy blind signature
scheme is a protocol played by two parties in which a user
obtains a proxy signer’s signature for a desired message and
the proxy signer learns nothing about the message. With
such properties, the proxy blind signature scheme is useful
in several applications
such as e-voting, e-payment and mobile agent environments.
In a proxy blind signature scheme, the proxy signer is
allowed to generate a blind signature on behalf of the
original signer.

1. Introduction 1.5 Properties of the Proxy Blind Signature

1.1 Digital Signature
A digital code that can be attached to an electronically
transmitted that uniquely identifies the sender. Digital
signatures are especially important for electronic commerce
and are a key component of most authentication schemes.
To be effective, digital signatures must be unforgeable.
There are a number of different encryption techniques to
guarantee this level of security.
1.2 Proxy signature
The proxy signature scheme is a kind of digital signature
scheme . In the proxy signature scheme , one user called the
original signer ,can delegate his/her signing capability to
another user called the proxy signer. This is similar to a
person delegating his/her seal to another person in the real
world.
1.3 Blind Signature
The signer cannot determine which transformed message
received for signing corresponds with which digital
signature, even though the signer knows that such a
correspondence must exist.
Scheme
In addition to the properties of Digital signature and proxy
blind signature should satisfy the following properties.
1.Distinguish-ability: The proxy signature must be
distinguishable from the normal signature.
2. Non-repudiation: Neither the original signer nor the
proxy signer can sign message instead of the other party.
Both the original signer and the proxy signer can not deny
their signatures against anyone.
3. Unforgeability: Only a designated proxy signer can
generate a valid proxy signature for the original signer (even
the original signer cannot do it).
4. Verifiability: The receiver of the signature should be able
to verify the proxy signature in a similar way to the
verification of the original signature.
5. Identifiability: Anyone can determine the identity of the
corresponding proxy signer from a proxy signature.
6. Prevention of misuse: It should be confident that proxy
key pair should be used only for creating proxy signature,
which conforms to delegation information. In case of any
misuse of proxy key pair, the responsibility of proxy signer
should be determined explicitly.
7. Unlinkability: When the signature is revealed, the proxy
signer can not identify the association between the message
and the blind signature he generated. When the signature is
verified, the signer knows neither the message nor the
signature associated with the signature scheme.
In this paper, cryptanalysis of Aung et al[12] has been done
and an efficient proxy digital signature based on ECDLP has
94 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 6, June 2010

been proposed. The proposed scheme satisfies all the 3. Overview Of Aung et al.’s DLP Based Proxy
properties of a proxy blind signature scheme. Blind Signature scheme With Low
The rest of this paper is organized as follows. In Section
2,some related work are discussed. Overview Of Aung et
Computation
al.’s DLP Based Proxy Blind Signature scheme with Low
Computation has been done in section 3 . In Section 4, In this section,DLP Based Proxy Blind Signature scheme
Cryptanalysis of Aung et al.’s scheme has been done. An With Low Computation has been discussed.
introduction to ECC is being described in section 5. In
Section 6, Proposed scheme is being described. Security
analysis of the proposed scheme has been done in section 7. 3.1 Proxy Delegation Phase
In Section 8, Efficiency of the proposed scheme is being
compared with the previous schemes and concluding
Original signer selects random number and
remarks are being described in Section 9.
computes:
(1)
(2)
2. Related Work
sends along with the warrant to the proxy
D. Chaum [4]introduced the concept of a blind signature signer. And then proxy signer checks:
scheme in 1982. In 1996 Mambo et al [2] introduced the
concept of proxy signature. The two types of scheme: proxy (3)
unprotected (proxy and original signer both can generate a
valid proxy signature) and proxy protected (only proxy can If it is correct, P accepts it and computes proxy signature
generate a valid proxy signature) ensures among other secret key as follow:
things, non-repudiation and unforgeability . (4)
The first proxy blind signature was proposed by Lin and Jan
[1] in 2000. Recently Tan et al. [7] introduced a proxy blind
Note: responding proxy public key
signature scheme, which ensures security properties of the
schemes, viz., the blind signature schemes and the proxy
signature schemes. The scheme is based on Schnorr blind
signature scheme Lee et al.[3] showed that a strong proxy
signature scheme should have properties of strong 3.2 Blind Signing Phase
unforgeability, verifiability, strong identifiability, strong
nonrepudiation and prevention of misuse. Proxy signer selects random number and
Hung-Min Sun and Bin Tsan Hsieh [8] show that Tan et
computes:
al.[6] schemes do not satisfy the unforgeability and
unlinkability properties. In addition, they also point out that
(5)
Lal and Awasthi [7] scheme does not possess the
unlinkability property either. In 2004, Xue and Cao [9]
and then sends to signature asker . To obtain the
showed there exists one
blind signature of message m, original signer randomly
weakness in Tan et al. scheme [5] and Lal et al. scheme [7]
choose two random numbers and computes:
since the proxy signer can get the link between the blind
message and the signature or plaintext with great (6)
probability. Xue and Cao introduced concept of strong (7)
unlinkability and they also proposed a proxy blind signature (8)
scheme.
In 2007 Li et al.[10] proposed a proxy blind signature If =0 then has to select new tuple Otherwise
scheme using verifiable self-certified public key, and their sends to . After receiving proxy signer computes :
scheme is more efficient than schemes published earlier.
Recently, Xuang Yang and Zhaoping Yu[11] proposed new (9)
scheme and showed their scheme is more efficient than Li et
al.[10]. and sends the sign message to .
In 2009 Aung et al.[12] proposed a new proxy blind
signature scheme which satisfied all the security
requirements of both the blind signature scheme and the 3.3 Extraction Phase
proxy signature scheme.
While receiving , computes:

(10)

Finally the signature of message is .

 (IJCNS) International Journal of Computer and Network Security, 95
Vol. 2, No. 6, June 2010

3.4 Verification Phase 5.1.2 Point Addition

Consider two distinct points J and K such that

The recipient of the signature can verify the proxy blind
signature by checking whether and Let where,
then,
(11)
Where
If it is true, the verifier accepts it as a valid proxy blind
signature, otherwise rejects. (12)

Verifiability where, s is the slope of the line through J and K. If ,

then where, O is the point at infinity. If
The verifier can verify the proxy blind signature by checking
then, ; point doubling equations are used. Also,

holds.

5.1.3 Point Doubling

4. Cryptanalysis Of the Aung et al.’s Scheme
The scheme doesn’t satisfy the property of verifiability as Consider a point such that where, . Let
mentioned in Aung et al.[12]’s scheme. The verification where, . Then,
steps are not correct.

(13)

5. Elliptic Curve Cryptography

where, s is the tangent at point and is one of the
parameters chosen with the elliptic curve. If = 0
5.1 Elliptic Curve over Finite Field then, where, O is the point at infinity.

The elliptic curve operations defined on real numbers are

slow and inaccurate due to round-off error. Cryptographic
operations need to be faster and accurate. To make
operations on elliptic curve accurate and more efficient,
ECC is defined over two finite fields— prime field and
binary field . The field is chosen with finitely large
number of points suited for cryptographic operations.
5.1.1 EC over Prime Field
6. Proposed Scheme
In this section, we propose an efficient proxy blind
signature scheme based on ECC.The proposed scheme is
divided into five phases: system parameters, proxy
delegation, blind signing, signature extraction and
signature verification.
6.1 System Parameters

The equation of the elliptic curve on a prime field is

where, . Here, the elements of the
finite field are integers between 0 and . All the
operations such as addition, subtraction, division, and
multiplication involves integers between 0 and . The
prime number p is chosen such that there is finitely large
number of points on the elliptic curve to make the
cryptosystem secure. Standards for Efficient Cryptography
(SEC) specifies curves with p ranging between 112-521 bits
. The algebraic rules for point addition and point doubling
can be adapted for elliptic curves over .
The entities involved are three parties.We denote the x-
coordinate of a point on the elliptic curve by . The
scheme is constructed as follows. We make conventions
that lowercases denote the elements in and capital
letters denote the points in the curve .
O: the original signer
P: the proxy signer
A: the signature asker
: the original signer O's secret key
: the original signer O's public key,
: the proxy signer P's secret key
: the proxy signer P's public key,

: the designated proxy warrant which contains the

identities information of the original signer and the proxy
96 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 6, June 2010

signer, message type to be signed by the proxy signer, the The recipient of the signature can verify the proxy blind
delegation limits of authority, valid periods of delegation, signature by checking whether
etc.
h(.) a secure one-way hash function. (24)
|| the concatenation of strings. where

6.2 Proxy Delegation Phase If it is true, the verifier accepts it as a valid proxy blind
signature, otherwise rejects.
Original Signer randomly chooses ,1< < n ; and
computes:
7. Security Analysis of the proposed scheme
(14)

The Scheme has stronger security property because

(15)
ECDLP is more difficult than DLP. While maintaining the
security, the scheme requires less data size and less
sends along with the warrant to the proxy
computations, so it is efficient. In this subsection , we
signer. And then proxy signer checks:
show that our scheme satisfies all the security
requirements of a strong proxy blind signature.
(16)
Distinguish-ability: On the one hand, the proxy blind
If the equation holds, P computes proxy signature secret
signature contains the warrant . On
as follow:
the other hand, anyone can verify the validity of the proxy
blind signature, so he can easily distinguish the proxy
(17) blind signature from the normal signature.

and corresponding proxy public key Nonrepudiation: The original signer does not obtain the
proxy signer’s secret key and proxy signer does not
obtain original signer’s secret key . Thus, neither the
original signer nor the proxy signer can sign in place of
6.3 Blind Signing Phase the other party. At the same time, through the valid proxy
blind signature, the verifier can confirm that the
Proxy Signer randomly choose , where 1 < < n and signature of the message has been entitled by the original
computes: signer, because the verifier must use the original signer’s
public key during the verification. Likewise, the proxy
signer cannot repudiate the signature. The scheme offers
(18) nonrepudiation property.

and then sends to signature asker A. To obtain the Unforgeability: An adversary (including the original
blind signature of message m, original signer O randomly signer and the receiver) wants to impersonate the proxy
choose two random numbers u,v and computes: signer to sign the message m. He can intercept the
delegation information but he cannot obtain
(19) the proxy signature secret key . From Equation (15),
(20) we know that only the proxy signer holds the proxy
(21) signature secret key . Because of 1 < < n , the
adversary can obtain the proper proxy signature secret
If then A has to select new tuple (u,v),Otherwise key by guessing it with at most a probability .That is,
O sends e to P. After receiving e proxy signer P computes : anyone else (even the original signer and the receiver)
can forge the proxy blind signature successfully with a
(22) probability .

Verifiability: The proposed scheme satisfies the property

6.4 Extraction Phase of verifiability. The verifier can verify the proxy blind
signature by checking
holds. This is
While receiving , computes:
(23) because:
Finally the signature of message is

6.5 Verification Phase

 (IJCNS) International Journal of Computer and Network Security, 97
Vol. 2, No. 6, June 2010

= Verifiability, unforgeability, Identifiability, Prevention of

misuse and Unlinkability. The proposed scheme is
compared with the known proxy blind signature scheme
which are given below.
=
Table 1: Comparative statement among proxy blind
signature schemes
Scheme Basis 80-Bit
Security
Strength
interger IFP 1024-bit
fractorizatio modulus
n problem
discrete DLP |p| = 1024,
logarithm |q| = 160
problem
Proposed ECDLP m= 163 bits
schemes

9. Conclusion
We analyzed that Aung et al.’s DLP based proxy blind
Identifiability: The proxy blind signature signature scheme with low computation does not satisfy
contains the warrant . Moreover, in the verifiability property of proxy blind signature scheme
the verification equation .Compared with Aung et al’s scheme , we present a more
which includes the original signer O’s public key and efficient and secure proxy blind signature scheme to
the proxy signer P’s public key . Hence, anyone can overcome the pointed out drawback of the Aung et al’s
determine the identity of the corresponding proxy signer scheme.We proved that our scheme is more efficient and
from a proxy signature. secure than the previous schemes.

Prevention of misuse: The proposed scheme can prevent References

proxy key pair misuse because the warrant mw includes
original signer and proxy signer identities information,
message type to be signed by the proxy signer, delegation
period, etc. With the proxy key, the proxy signer cannot
sign messages that have not been authorized by the
original signer.
Unlinkability: During generation of the signature
, the proxy signer has the view of
transcripts .Since are specified
by the original signer for all the signatures under the
same delegation condition. The proxy unlinkability holds
if and only if there is no conjunction between and
. This is obvious from Equations (16)-
(21). The value is only included in Equation (17) and
connected to through Equation (18). For this, one must
be able to compute R which is masked with two random
numbers. Similarly, and may be associated with the
signature through Equation (19) and (20) respectively.
They fail again due to the random numbers. Even they are
combined, the number of unknowns is still more than
that of the equations. So, the proposed scheme provides
indeed the proxy blindness property.
8. Efficiency of the proposed scheme
The proposed scheme has been proved to be correct. It
also satisfies the properties of proxy blind signature
scheme, i.e, Distinguish-ability, Nonrepudiation,
[1] W. D. Lin, and J. K. Jan, "A security
personal learning tools using a proxy blind
signature scheme", Proc. Of International
Conference on Chinese Language Computing, 2000,
pp.273- 277.
[2] M. Mambo, K. Usuda, and E. Okamoto, "Proxy
signatures: Delegation of the power to sign
messages", IEICE Transaction on Fundamentals,
E79-A (1996), pp.1338-1353.
[3] B. Lee, H. Kim, and K. Kim,"Strong proxy signature
and its application", Australasian Conference on
Information Security and Privacy(ACISP 2001),
LNCS2119, Springer- Verlag, Sydney, 2001, pp.603-
608.
[4] D Chaum," Blind signature for untraceable
payments, Advances in C ryptology", proceeding of
CRYPTO 82, Springer- Verlag, New York, 1983,
pp.199-203.
[5] Z. W. Tan, Z. J. Liu, and C. M. Tang, "A proxy blind
signature scheme based on DLP", Journal of
Software, Vol14, No11, 2003, pp.1931-1935.
[6] Tan Z. Liu Z. Tang C. "Digital proxy blind signature
schemes based on DLP and ECDLP". In MM
Research Preprints, No. 21, MMRC,
AMSS,Academia, Beijing, 2002, 212- 217.
[7] Lal S. Awasthi A K. Proxy" Blind Signature Scheme".
Journal of Information Science and Engineering.
Cryptology ePrint Archive, Report 2003/072.
Available at http://eprint.iacr.org/.
98 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 6, June 2010

[8] Hung-Min Sun, Bin-Tsan Hsieh "On the Security of

Some Proxy Blind Signature Schemes".
Australasian InformationvSecurityWorkshop(AIS
W2 004),Dunedin: Australian Computer Society
press, 2004,75-78.
[9] Q. S. Xue, and Z. F. Cao, "A new proxy blind signature
scheme with warrant", IEEE Conference on
Cybernetics and Intelligent Systems (CIS and RAM
2004), Singapore, 2004, pp.1385-1390.
[10] J.G. Li, and S. H.Wang, "New Efficient Proxy Blind
Signature Scheme Using Verifiable Self-certified
Public Key", International Journal of Network
Security, Vol.4, No.2, 2007, pp.193-200.
[11] Xuan Yang, Zhaoping Yu , "Efficient Proxy Blind
Signature Scheme based on DLP", International
Conference on Embedded Software and Systems (
ICESS2008).
[12] Aung Nway Oo and Nilar "The DLP based proxy
blind signature scheme with low computation",
2009 Fifth International Joint Conference on INC,
IMS and IDC.

Authors Profile
Asis Kumar Tripathy received the B.E.
degree in Information Technology from
bialasore College of Engineering and
Technology in 2006. He has joned the
same college as Lecturer since
26.12.2006. Now, he is persuing his
M.Tech degree at International Institute
of Information Technology-Bhubaneswar,
Orissa, India. His research area of interest is Information Security

Ipsita Patra received the MCA degree

from National Institute of Technology
,Rourkela . Now, she is persuing her
M.Tech degree at International Institute of
Information Technology-Bhubaneswar,
Orissa, India. Her research area of interest
are Information Security and Network
security.

Debasish Jena was born in 18th

December, 1968. He received his B
Tech degree in Computer Science and
Engineering, his Management Degree and
his MTech Degree in 1991,1997 and
2002 respectively. He has joined Centre
for IT Education as Assistant Professor
since 01.02.2006. He has submitted his
thesis for Ph.D. at NIT, Rourkela on 5th April 2010. .His research
areas of interest are Information Security , Web Engineering, Bio-
Informatics and Database Engineering.