70 (IJCNS) International Journal of Computer and Network Security,

Vol. 2, No. 5, May 2010

An Improved Proxy Ring Signature Scheme with

Revocable Anonymity
Binayak Kar1, Pritam Prava Sahoo2 and Ashok Kumar Das3
1
Department of Computer Science and Engineering
International Institute of Information Technology, Bhubaneswar 751 013, India
binayakdilu@rediffmail.com
2
Department of Computer Science and Engineering
International Institute of Information Technology, Bhubaneswar 751 013, India
sahoo_pritam@rediffmail.com
3
Department of Computer Science and Engineering
International Institute of Information Technology, Bhubaneswar 751 013, India
iitkgp_akdas2006@yahoo.co.in

examples, [2, 7, 10]). Since it is proposed, the proxy

Abstract: In this paper, we review Hu et al.'s proxy ring
signature with revocable anonymity. We then briefly review
Zhang and Yang's attacks on Hu et al.'s proxy ring signature
scheme. In order to eliminate those security flaws in Hu et al.'s
proxy ring signature scheme, we propose an improvement of Hu
et al.'s proxy ring signature with revocable anonymity. We show
that our proposed scheme provides better security as compared
to that for Hu et al.'s scheme.
Keywords: Proxy signature, ring signature, revocable
anonymity, security.
signature schemes have been suggested for use in many
applications [6, 8] particularly in distributed computing
where delegation of right is quite common. Examples
discussed in in the literature include distributed systems,
grid computing, mobile agent applications, distributed
shared object systems, global distribution networks and
mobile communications. To adapt to different requirements,
many variants of ring signature [5] were put forward, such
as ring blind signature, proxy ring signature, etc.

1. Introduction In this paper, we propose an improvement of Hu et al.’s

In Mobile Ad hoc Networks in order to ensure the service
available to the customers distributed in the whole networks,
the server needs to delegate his/her rights to some other
parties in the systems, for example to mobile agents. The
way of realizing this delegation is based on the notion of
proxy signature.
Digital signature is a cryptographic means through
which the authority, data integrity and signer’s non-
repudiation can be verified. The proxy signature is a kind of
digital signature scheme. In the proxy signature scheme, one
user called the original signer, can delegate his/her signing
capability to another user called the proxy signer. This is
similar to a person delegating his/her seal to another person
in the real world.
proxy ring signature scheme [1] in order to eliminate Zhang
and Yang’s attacks [9] on Hu et al.’s proxy ring signature
scheme. The remainder of this paper is organized as follows.
In Section 2, we give a brief overview of Hu et al.’s proxy
ring signature scheme with revocable anonymity and then
we discuss Zhang and Yang’s attacks on Hu et al.’s proxy
ring signature scheme. In Section 3, we propose an
improved version of Hu et al.’s proxy ring signature scheme
in order to withstand Zhang and Yang’s attacks in their
scheme. In Section 4, we discuss the security aspects of our
proposed improved scheme and then in Section 5, we
compare the performances of our scheme with those for Hu
et al.’s proxy ring signature scheme. Finally, we conclude
the paper in Section 6.

The notion of proxy signature was first introduced by
Mambo, Usuda and Okamoto in 1996 [3]. After that the
concept of ring signature was formalized in 2001 by Rivest,
Shamir and Tauman [4]. In the ring signature an
anonymous signature allows an user to anonymously sign on
behalf of a group, where no one can know which the actual
signer is. When verifying the verifier only knows that the
signature has been produced by some member of this ring,
but he/she has no information about who is the actual of the
signature.
Proxy signature can be combined with other special
signatures to obtain some new types of proxy signatures (for
2. Overview and Attacks on Hu et al’s Proxy
Ring Signature Scheme
In this section, we first discuss in brief Hu et al.’s proxy
ring signature scheme. We then describe Zhang and Yang’s
attacks on Hu et al.’s proxy ring signature scheme.
2.1 Overview of Hu et al.'s Proxy Ring
Signature Scheme
Hu et.al introduced a new type of signature scheme called
the proxy ring signature scheme with revocable anonymity
which combines ring signature with proxy signature.
 (IJCNS) International Journal of Computer and Network Security, 71
Vol. 2, No. 5, May 2010

In the following, we briefly review their scheme.

2.1.4 Verification Phase
2.1.1 System Parameters
For verification of the signature δ = (m, A, z N , c N , r N , V )
The following system parameters are used in describing the on message m , the verifier executes the followings:
scheme. 1. Computes h = H (m) .
• p, q : two large prime numbers, q | p − 1 . 2. For i = 1,2,⋅ ⋅ ⋅, n , computes δ i = A ,
i
*
• g : an element of Z p whose order is q . bi = h zi δ ici ,
• x0 , x1 ,⋅ ⋅ ⋅, xn : the original signer A0 's secret key and a i = g z ( y i y 0 ri )
i c i

proxy signers U i 's secret key, where i = 1,⋅ ⋅ ⋅, n . −1

3. If ri = y0 , rejects the signature.
• y0 = g
H (m, a N , bN ,V) = ∑ci
x0
mod p : A0 's public key.
4. Otherwise, checks whether
• yi = g mod p : U i 's public key.
xi
i∈B
• H : a hash function, H : {0,1} → Z q .
* is satisfied or not.
If the verification is valid, then the verifier accepts δ as
2.1.2 Proxy Phase a valid proxy ring signature of message m .

1. Commission Generation: For the user U i , the original 2.1.5 Open Phase
Signer A0 randomly chooses ki ∈ Z q and then To open a signature and reveal the actual identity of the
signer, the original signer checks the following.
computes sˆ i = x 0 g k i + k i mod q and rˆi = g i mod q . k
y ri −1rˆ
Then A0 sends (sˆi , rˆi ) secretly to U i and keeps ki secret.
ˆ
For i = 1 to n , verifies whether g i = V 0 i .
r

2. Proxy Verification: Each U i checksuser If for some i , the verification phase , it indicates that U i is
the actual signer.
whether g = y rˆ mod q . If it holds, then U i
sˆi rˆi
o i
computes s i = xi + sˆi mod q . s i is his/her proxy signing
key. 2.2 Attacks on Hu et al.'s Proxy Ring Signature
Scheme
2.1.3 Signing Phase In the following, we briefly review the attacks due to Zhang
and Yang on Hu et al.’s scheme.
Let the user U i be the real signer and the ring be
B = (U 1 ,⋅ ⋅ ⋅,U n ) . On input a group size n ∈ Z , a 2.2.1Attack on Unforgeability
message m and a public key set yN = ( y1 ,⋅ ⋅ ⋅, yn ) , the This attack consists of the following steps.
signer U i does the followings: 1. Assume that the message m is a forged message.
We then compute h = H (m) .
1. Selects d ∈R Z q and randomly computes the followings:
2. Randomly choose a number a ∈R Z q to compute
h = H (m) and δ i = h si − d .Then set A = δ i1 / i .
a i = g a , and bi = h a .
2. Randomly chooses wi ∈ Z q and computes a i = g i
w
3. Randomly choose a number l ∈R Z q to compute
and bi = h i .
w
A = hl .
3. For all j ≠ i , picks up at random z j , c j , r j ∈ Z q and 4. For all j ≠ i , randomly select z j , c j , r j ∈ Z q and
−1
if r j ≠ y0 , then computes: aj = g
zj
(y y r )
j 0 j
cj
, −1
if r j ≠ y0 then compute the followings:
δ j = A , and b j = h δ
j zj cj
j aj = g
zj
(y j y0 r j ) j ,
c

4. Let a N = (a 1 ,⋅ ⋅ ⋅, a n ) , bN = (b1 ,⋅ ⋅ ⋅, bn ) . U i then δ j = A j , and b j = h j δ j j .

z c

and c = H (m, a N , bN , V ) . 5. Set a N = (a 1 ,⋅ ⋅ ⋅, a n ) and bN = (b1 ,⋅ ⋅ ⋅, bn ) .

g −d
computes V = g
n 6. Randomly choose V ∈ Z p to compute
5. Computes the following ci = c − ∑c
j =1, j ≠ i
j and
H (m, a N , bN ,V ) = c .
zi = wi − ci s i + ci d . n
rˆ −1 −d
6. Finally computes ri = y0i rˆi g .
7. Set ci = c − ∑c
j =1, j ≠ i
j , and then set

zi = a − i ⋅ l ⋅ ci mod q .
Let z N = ( z1 ,⋅ ⋅ ⋅, zn ) , c N = (c1 ,⋅ ⋅ ⋅, c n ) , and i ⋅l −1 −1
8. After this, compute ri = g yi y0 , and then set
rN = (r1 ,⋅ ⋅ ⋅, rn ) .
The resultant proxy ring signature on message m is rN = (r1 ,⋅ ⋅ ⋅, rn ) .
δ = (m, A, z N , c N , rN , V ) . 9. Finally, the resultant proxy ring signature on
message m becomes δ = (m, A, z N , c N , r N , V ) .
72 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 5, May 2010

By verifying the following three equations:

a j = g j ( y j y0 r j ) j ,
z c

δ j = A j , and 3.1 Proxy Phase

bj = h δ
zj cj
j This phase consist of the followings.

Zhang and Yang showed that the forged proxy ring 1. Commission Generation: For the user U i , the
signature is valid signature.
2.2.2 Attack on Revocable Anonymity original signer A0 randomly chooses ki ∈ Z q and

In the following, Zhang and Yang showed how to produce a
proxy ring signature in which the anonymity of the
dishonest proxy signer’s identity is not revoked.
Let the user U i be the real signer and the ring be
B = (U 1 ,⋅ ⋅ ⋅,U n ) . On inputs, a group size n ∈ Z , a
message m and the public key set yN = ( y1 ,⋅ ⋅ ⋅, yn ) , the
then computes sˆ i = x 0 g k i mod q and
rˆi = g ki mod q , where x0 is the original signer
A0 ’s secret (private) key. After that A0 sends
(sˆi , rˆi ) secretly to U i and keeps ki as secret.
2. Proxy Verification: Each user U i checks whether
g sˆi = g x0 ⋅ g mod q . Here y0 is the original
ki

signer U i performs the following:

signer A0 ’s public key. Then U i computes
1. Here, for j = 1 to n , the generations of
s i = xi + sˆi mod q as his/her proxy signing key.
a j ,δ j , b j and A remain same as those for Hu et
al.’s scheme.
2. Sets a N = (a 1 ,⋅ ⋅ ⋅, a n ) , bN = (b1 ,⋅ ⋅ ⋅, bn ) and
3.2 Singing Phase
Assume that the user U i be the real signer. Let the ring be
randomly chooses V ∈ Z p to compute
B = (U 1 ,⋅ ⋅ ⋅, U n ) . Inputs in this phases are (i ) a group size
H (m, a N , bN , V ) = c . Here we note that
generation of V is different from that of Hu et al.’s
n ∈ Z , (ii ) a message m and (iii ) a public set
scheme and V is a random number. yN = ( y1 ,⋅ ⋅ ⋅, yn ) . The signer U i then executes the
n following steps:
3. Computes ci = c − ∑c
j =1, j ≠ i
j and
Step-1. Selects d ∈R Z q randomly and then computes

zi = wi − ci s i + ci d . h = H (m) and δ i = h si − d .
rˆ −1 −d
4. Then computes ri = y0i rˆi g . After computing these, U i sets A = δ i .
1/ i

Let z N = ( z1 ,⋅ ⋅ ⋅, zn ) , c N = (c1 ,⋅ ⋅ ⋅, c n ) , and Step-2. Randomly choose wi ∈ Z q and then compute

rN = (r1 ,⋅ ⋅ ⋅, rn ) .
a i = yi and bi = h
wi wi
.
Finally, the resultant proxy ring signature on message m Step-3. For all j ≠i, selects at random
is δ = (m, A, z N , c N , r N , V ) . From the above generation −1
z j , c j , r j ∈ Zq such that r j ≠ y 0 . Then computes
process of proxy ring signature, the original signer cannot
z j +xjc j
a j = yj
c c
revoke the identity of proxy signer, because of the fact that y0 j r j j ,
V in the signature δ = (m, A, z N , c N , rN , V ) is a random
δ j = A j , and b j = h j δ j j .
z c
number and the value of i can not be retrieved by using the
above open algorithm. As a result, the original signer can Step-4. Let a N = (a 1 ,⋅ ⋅ ⋅, a n ) , and bN = (b1 ,⋅ ⋅ ⋅, bn ) .
not revoke the anonymity of the proxy signer’s identity. −d
y0−1
U i then computes V = g yi and
c = H (m, a N , bN , V ) .
3. Improved Proxy Ring Signature Scheme
n
In this section, we describe our improved signature scheme
in order to eliminate the security flaws discussed in Section
Step-5. Computes ci = c − ∑c
j =1, j ≠ i
j and

2.2. We use the same set of system parameters as used in Hu zi = wi − ci s i + ci d .

et al.’s proxy ring signature scheme given in Section 2.1.1.
x rˆ −1 −d
Step-6. Computes ri = y0 i i yi .
The different phases of our improved scheme are given
in the following subsections.
Let z N = ( z1 ,⋅ ⋅ ⋅, zn ) , c N = (c1 ,⋅ ⋅ ⋅, c n ) , and
 (IJCNS) International Journal of Computer and Network Security, 73
Vol. 2, No. 5, May 2010

rN = (r1 ,⋅ ⋅ ⋅, rn ) . a i = yizi yixici y0ci ri ci = yiwi − ci si + ci d yixi ci y0ci y0xi rˆi −1 yi− d [ ]ci

Finally, the resultant proxy ring signature on message m is

δ = (m, A, z N , c N , rN , V ) . = yiwi yi−ci si yi
ci d
yixi ci y0ci y0xi ⋅rˆi ⋅ci y0−ci yi−ci d
= yiwi yi−ci [ xi + sˆi ] yixici y0xi ⋅rˆi ⋅ci

3.3 Verification Phase

= yiwi yi−ci xi yi−ci sˆi yixici y0xi ⋅rˆi ⋅ci
To verify the signature δ = (m, A, z N , c N , r N , V ) on = yiwi yi−ci [ x0 rˆi ] y0xi ⋅rˆi ⋅ci
message m , the verifier needs to execute the following = yiwi yi−ci x0 rˆi yici x0 rˆi = yiwi
steps.

Step-1. Computes h = H (m) . Thus if the proxy ring signature is generated by a valid
Step-2. For i = 1,⋅ ⋅ ⋅, n , computes member in the ring, the verification of the equation

a i = yi
zi + xi ci
y0ci rici , H (m, a N , bN ,V) = ∑ci passes.
i∈B
δ i = Ai , and
bi = h zi δ ici . 4.2 Correctness of Open Phase
−1
Step-3. If ri = y0 , then the verifier immediately rejects We prove the correctness of open algorithm as follows:
x rˆi − 1
yi − d y 0− 1 y i− d
x rˆi
the signature. g ri
= g y0 i
= g y0 i
−1
Step-4. Otherwise, if ri ≠ yo , the verifier checks the
( )
x rˆi
y0 i
y 0− 1 y i− d
ˆ
y 0x i r i x 0 x i rˆi
= g =V = V
H (m, a N , bN ,V) = ∑ci
g

validity of the equation: x 0 rˆi sˆ i

i∈B = V yi
= V yi

If the above equation is valid , then the verifier accepts δ

as a valid proxy ring signature on message m .
4.3 Security Analysis
3.4 Open Phase
In this section, we show that our scheme preserves the
In order to open a signature and reveal the actual identity of unforgeability as well as revocable anonymity properties
the signer, the original signer can verify the following
equation: • Unforgeability: The improved scheme satisfies the
ˆ
yisi unforgeability property as follows.
For i = 1 to n , checks whether g
ri
=V .
Assume that B denotes the ring. We prove that
If the verification passes for some i , then the user U i is the any adversary A∉ B can not forge the valid ring
actual signer. signature. Suppose A can repeat the proxy phase
and also query the original signer for ŝ k and rˆk ,
4. Analysis of Our Improved Scheme
where k ∈ B in order to receive some proxy
In this section, we give correctness proofs for our signature key which does not belong the ring
verification phase as well as open phase. We then describe B . To forge a ring signature, A needs to execute
the security analysis of our scheme. the signing phase. Let A select randomly
zi , ci , ri ∈ Z q , for all i ∈ B and compute
4.1 Correctness of Verification Phase
c = H (m, a N , bN , V ) . However, this becomes
We prove the correctness of verification process as follows: impossible because in order to compute
For the signer i , δ i = A = δ i
i
( ),
1/ i i
a i = yi
zi + xi ci ci ci
y r , A needs the private key xi
0 i

of the proxy signer U i . Computation of the

bi = h zi δ ici = h wi −ci si +ci d δ ici = h wi h ci d − ci si δ ici
private key xi from the public key yi is
= h wi h −ci ( si − d )δ ici = h wi δ i−ci δ ici = h wi computationally infeasible, since it is based on the
discrete logarithm problem (DLP) for a large
prime q. As a result, except U i no one can
calculate a i and hence, our scheme satisfies the
unforgeability property.
74
• Revocable anonymity: Let an untrustworthy proxy
signer can produce a proxy ring signature which
can pass the verification phase. But then the
original signer can revoke the anonymity of his
identity. Now, to open the signature and reveal the
actual identity of the signer the verification of the
sˆi
equation g ri = V yi , where i = 1,⋅ ⋅ ⋅, n is
needed. If for some i , the check is valid, then U i
becomes the actual signer. This is impossible again
because V in the signature
δ = (m, A, z N , c N , rN , V ) itself is not a random
number. It depends upon the public key of the
original signer and the proxy key of proxy signer as
−d
y0−1
V = g yi .Thus, our scheme also preserves the
property of revocable anonymity.
5. Performance Comparison of Our Scheme
with Hu et al.’s Proxy Ring Signature Scheme
In this section, we compare the computational costs of
different phases of our scheme with those for Hu et al’s
scheme.
Table 1: Performance comparison between our scheme and
Hu et al.’s proxy ring signature scheme.
Notes: TM: time taken for a modular multiplication, TE:
time taken for an exponential operation, TH: time taken for a
one-way hash function.
We have compared the computational costs of different
phases of our scheme with those for Hu et al’s scheme in
Table 1. From this table, we see that our scheme requires
one modular multiplication less than Hu et al’s scheme.
Thus, the computational costs of our scheme are also
comparable with Hu et al’s signature scheme.
6. Conclusion
In this paper, we have proposed an improved proxy ring
sig-nature with revocable anonymity to eliminate the
security flaws in Hu et al's scheme. The proposed scheme
allows the original signer to know exactly who the signer
is. We have given correctness proofs of our scheme and
analyze the security aspects of our scheme. The security
of the proposed scheme is based on the security of the
DLP problem. We have also shown that our scheme
preserves the properties of unforgeability as well as
revocable anonymity.
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 5, May 2010
References
[1] C. Hu, P. Liu, and D. Li. New Type of Proxy Ring Sig-
nature Scheme with Revocable Anonymity and No Info
Leaked. In Multimedia Content Analysis and Mining
(MCAM 2007), LNCS, volume 4577, pages 262–266,
2007.
[2] W.D. Lin and J.K. Jan. A security personal learning tools
using a proxy blind signature scheme. In Proceedings of
International Conference on Chinese Language
Computing, Illinois,USA, pages 273–277, July 2000.
[3] M. Mambo, K. Usuda, and E. Okamot. Proxy
signatures: delegation of the power to sign message .
IEICE Transaction Functional, E79-A(9):1338–1353,
1996.
[4] R.L. Rivest, A. Shamir, and Y. Tauman. How to leak a
secret. In Advances in Cryptology-Asiacrypt 2001,
LNCS, volume 2248, pages 552–565. Springer-Verlag,
2001.
[5] Kyung-Ah Shim. An Identity-based Proxy Signature
Scheme from Pairings. In ICICS 2006, LNCS, volume
4307, pages 60–71. Springer-Verlag, 2006.
[6] J. Xu, Z. Zhang, and D. Feng. ID-Based Proxy Signature
Using Bilinear Pairings. In ISPA Workshops, LNCS,
volume 3759, pages 359–367. Springer-Verlag, 2005.
[7] L. Yi, G. Bai, and G. Xiao. Proxy multi-signature
scheme: a new type of proxy signature scheme.
Electronics Letters, 36(6):527–528, 2000.
[8] F. Zhang and K. Kim. Efficient ID-based blind
signature and proxy signature from pairings. In
Information Security and Privacy, volume 2727, pages
218– 219. Springer Berlin, 2003.
[9] J. Zhang and Y. Yang. On the Security of a Proxy
Ring Signature with Revocable Anonymity. In 2009
International Conference on Multimedia Information
Networking and Security (MINES), volume 1, pages
205–209, 2009.
[10] K. Zhang. Threshold proxy signature schemes. In 1997
Information Security Workshop, Japan, volume 1396,
pages 282–290. Springer Berlin, September, 1997.