The notion of proxy signature was first introduced by Mambo, Usuda and Okamoto in 1996 [3]. After that, the concept of ring signature was formalized in 2001 by Rivest, Shamir and Tauman [4]. A ring signature is an anonymous signature that allows a user to sign anonymously on behalf of a group, where no one can know who the actual signer is. When verifying, the verifier only knows that the signature has been produced by some member of this ring, but he/she has no information about who the actual signer of the signature is.

Proxy signature can be combined with other special signatures to obtain some new types of proxy signatures (for

2. Overview and Attacks on Hu et al.'s Proxy Ring Signature Scheme

In this section, we first discuss in brief Hu et al.'s proxy ring signature scheme. We then describe Zhang and Yang's attacks on Hu et al.'s proxy ring signature scheme.

2.1 Overview of Hu et al.'s Proxy Ring Signature Scheme

Hu et al. introduced a new type of signature scheme called the proxy ring signature scheme with revocable anonymity, which combines ring signature with proxy signature.
(IJCNS) International Journal of Computer and Network Security, 71
Vol. 2, No. 5, May 2010
1. Commission Generation: For the user $U_i$, the original signer $A_0$ randomly chooses $k_i \in Z_q$ and then computes $\hat{s}_i = x_0 g^{k_i} + k_i \bmod q$ and $\hat{r}_i = g^{k_i} \bmod q$. Then $A_0$ sends $(\hat{s}_i, \hat{r}_i)$ secretly to $U_i$ and keeps $k_i$ secret.

2. Proxy Verification: Each user $U_i$ checks whether $g^{\hat{s}_i} = y_0^{\hat{r}_i} \hat{r}_i \bmod q$. If it holds, then $U_i$ computes $s_i = x_i + \hat{s}_i \bmod q$; $s_i$ is his/her proxy signing key.

2.1.3 Signing Phase

Let the user $U_i$ be the real signer and the ring be $B = (U_1, \cdots, U_n)$. On input a group size $n \in Z$, a message $m$ and a public key set $y_N = (y_1, \cdots, y_n)$, the signer $U_i$ does the following:

1. Selects $d \in_R Z_q$ at random and computes the following: $h = H(m)$ and $\delta_i = h^{s_i - d}$. Then sets $A = \delta_i^{1/i}$.

2. Randomly chooses $w_i \in Z_q$ and computes $a_i = g^{w_i}$ and $b_i = h^{w_i}$.

3. For all $j \neq i$, picks at random $z_j, c_j, r_j \in Z_q$ and, if $r_j \neq y_0^{-1}$, computes $a_j = g^{z_j} (y_j y_0 r_j)^{c_j}$, $\delta_j = A^j$, and $b_j = h^{z_j} \delta_j^{c_j}$.

Let $z_N = (z_1, \cdots, z_n)$, $c_N = (c_1, \cdots, c_n)$, and $r_N = (r_1, \cdots, r_n)$.

The resultant proxy ring signature on message $m$ is $\delta = (m, A, z_N, c_N, r_N, V)$.

2.1.5 Open Phase

To open a signature and reveal the actual identity of the signer, the original signer checks the following. For $i = 1$ to $n$, verifies whether $g^{r_i} = V^{y_0^{\hat{r}_i - 1} \hat{r}_i}$. If, for some $i$, the verification holds, it indicates that $U_i$ is the actual signer.

2.2 Attacks on Hu et al.'s Proxy Ring Signature Scheme

In the following, we briefly review the attacks due to Zhang and Yang on Hu et al.'s scheme.

2.2.1 Attack on Unforgeability

This attack consists of the following steps.

1. Assume that the message $m$ is a forged message. We then compute $h = H(m)$.

2. Randomly choose a number $a \in_R Z_q$ to compute $a_i = g^a$ and $b_i = h^a$.

3. Randomly choose a number $l \in_R Z_q$ to compute $A = h^l$.

4. For all $j \neq i$, randomly select $z_j, c_j, r_j \in Z_q$ and, if $r_j \neq y_0^{-1}$, compute the following: $a_j = g^{z_j} (y_j y_0 r_j)^{c_j}$,

$z_i = a - i \cdot l \cdot c_i \bmod q$.

8. After this, compute $r_i = g^{i \cdot l} y_i^{-1} y_0^{-1}$, and then set $r_N = (r_1, \cdots, r_n)$.

9. Finally, the resultant proxy ring signature on message $m$ becomes $\delta = (m, A, z_N, c_N, r_N, V)$.
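For reference, the honest flow of Section 2.1 (commission generation, proxy verification, and the signer's own ring slot) in runnable form. This is an added example, not code from the paper or from Hu et al. It assumes a toy group with $p = 2q + 1$, keeps group elements modulo $p$ and exponents modulo $q$, uses the $z_i$ and $r_i$ formulas as they appear further down this page, and takes the challenge share $c_i$ as an input; all function names are hypothetical.

```python
import hashlib

# Toy Schnorr group, constructed for illustration only: p = 2q + 1.
P, Q, G = 2039, 1019, 4      # G = 2^2 generates the subgroup of order Q

def hash_to_group(m: bytes) -> int:
    """Stand-in for H(m): map a message into the order-Q subgroup."""
    e = int.from_bytes(hashlib.sha256(m).digest(), "big") % (Q - 1) + 1
    return pow(G, e, P)

def commission(x0: int, k: int):
    """Original signer A0: r_hat = g^k, s_hat = x0*r_hat + k mod q."""
    r_hat = pow(G, k, P)
    return (x0 * r_hat + k) % Q, r_hat

def proxy_verify(y0: int, s_hat: int, r_hat: int) -> bool:
    """Proxy U_i accepts the commission iff g^s_hat == y0^r_hat * r_hat."""
    return pow(G, s_hat, P) == pow(y0, r_hat, P) * r_hat % P

def sign_own_slot(i, x_i, s_hat, r_hat, y0, h, d, w, c):
    """Signer's own ring slot for a challenge share c. How c_i is derived
    from H(m, a_N, b_N, V) is not on the page and is not modelled."""
    s = (x_i + s_hat) % Q                      # proxy signing key s_i
    delta = pow(h, (s - d) % Q, P)             # delta_i = h^(s_i - d)
    A = pow(delta, pow(i, -1, Q), P)           # A = delta_i^(1/i)
    a, b = pow(G, w, P), pow(h, w, P)          # a_i = g^w_i, b_i = h^w_i
    z = (w - c * s + c * d) % Q                # z_i = w_i - c_i s_i + c_i d
    r = pow(y0, (r_hat - 1) % Q, P) * r_hat * pow(G, (-d) % Q, P) % P
    return A, a, b, z, r

def recompute_slot(i, y_i, y0, h, A, z, r, c):
    """Verifier side: rebuild a_i and b_i from public values only."""
    a = pow(G, z, P) * pow(y_i * y0 * r % P, c, P) % P
    b = pow(h, z, P) * pow(pow(A, i, P), c, P) % P
    return a, b

def demo(c=321):
    x0, x_i, k, i, d, w = 123, 456, 77, 3, 55, 99   # constructed secrets
    y0, y_i = pow(G, x0, P), pow(G, x_i, P)
    h = hash_to_group(b"sample message")
    s_hat, r_hat = commission(x0, k)
    ok = proxy_verify(y0, s_hat, r_hat)
    bad = proxy_verify(y0, (s_hat + 1) % Q, r_hat)   # tampered commission
    A, a, b, z, r = sign_own_slot(i, x_i, s_hat, r_hat, y0, h, d, w, c)
    return ok, bad, (a, b) == recompute_slot(i, y_i, y0, h, A, z, r, c)

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The recomputation succeeds because $y_i y_0 r_i = g^{s_i - d}$ and $A^i = h^{s_i - d}$, so the $c_i$ terms cancel against $z_i$ for any value of $c_i$.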
$a_j = g^{z_j} (y_j y_0 r_j)^{c_j}$,

Zhang and Yang showed that the forged proxy ring signature is a valid signature.

2.2.2 Attack on Revocable Anonymity

In the following, Zhang and Yang showed how to produce a proxy ring signature in which the anonymity of the dishonest proxy signer's identity is not revoked.

Let the user $U_i$ be the real signer and the ring be $B = (U_1, \cdots, U_n)$. On inputs a group size $n \in Z$, a message $m$ and the public key set $y_N = (y_1, \cdots, y_n)$, the

$z_i = w_i - c_i s_i + c_i d$.

4. Then computes $r_i = y_0^{\hat{r}_i - 1} \hat{r}_i g^{-d}$.

$r_N = (r_1, \cdots, r_n)$.

1. Commission Generation: For the user $U_i$, the original signer $A_0$ randomly chooses $k_i \in Z_q$ and then computes $\hat{s}_i = x_0 g^{k_i} \bmod q$ and $\hat{r}_i = g^{k_i} \bmod q$, where $x_0$ is the original signer $A_0$'s secret (private) key. After that, $A_0$ sends $(\hat{s}_i, \hat{r}_i)$ secretly to $U_i$ and keeps $k_i$ secret.

2. Proxy Verification: Each user $U_i$ checks whether $g^{\hat{s}_i} = g^{x_0 \cdot g^{k_i}} \bmod q$. Here $y_0$ is the original

$h = H(m)$ and $\delta_i = h^{s_i - d}$. After computing these, $U_i$ sets $A = \delta_i^{1/i}$.

$r_N = (r_1, \cdots, r_n)$.

Step-1. Computes $h = H(m)$.

Step-2. For $i = 1, \cdots, n$, computes $a_i = y_i^{z_i + x_i c_i} y_0^{c_i} r_i^{c_i}$, $\delta_i = A^i$, and $b_i = h^{z_i} \delta_i^{c_i}$.

Step-3. If $r_i = y_0^{-1}$, then the verifier immediately rejects the signature.

Step-4. Otherwise, if $r_i \neq y_0^{-1}$, the verifier checks the

$H(m, a_N, b_N, V) = \sum c_i$

$$a_i = y_i^{z_i} y_i^{x_i c_i} y_0^{c_i} r_i^{c_i} = y_i^{w_i - c_i s_i + c_i d} \, y_i^{x_i c_i} \, y_0^{c_i} \left[ y_0^{x_i \hat{r}_i - 1} y_i^{-d} \right]^{c_i}$$

Thus if the proxy ring signature is generated by a valid member in the ring, the verification of the equation $H(m, a_N, b_N, V) = \sum_{i \in B} c_i$ passes.

4.2 Correctness of Open Phase

We prove the correctness of the open algorithm as follows:

$$g^{r_i} = g^{y_0^{x_i \hat{r}_i - 1} y_i^{-d}} = g^{y_0^{x_i \hat{r}_i} y_0^{-1} y_i^{-d}} = \left( g^{y_0^{-1} y_i^{-d}} \right)^{y_0^{x_i \hat{r}_i}} = V^{y_0^{x_i \hat{r}_i}} = V^{g^{x_0 x_i \hat{r}_i}}$$
6. Conclusion

In this paper, we have proposed an improved proxy ring signature with revocable anonymity to eliminate the security flaws in Hu et al.'s scheme. The proposed scheme allows the original signer to know exactly who the signer is. We have given correctness proofs of our scheme and analyzed the security aspects of our scheme. The security of the proposed scheme is based on the security of the DLP problem. We have also shown that our scheme preserves the properties of unforgeability as well as revocable anonymity.