A novel proxy key generation protocol and its application

1
A novel proxy key generation protocol and its
application
Author Xiaoming Hu, Shangteng
Huang Periodical Computer Standards Interfaces
29 (2007) 191195 Data Received 20
November 2005 accepted 16 March 2006
2
Outline

• Introduction
• Related work
• Proxy Key Generation Protocol
• Proxy Signature Scheme
• Conclusion

3
Introduction
Proxy signer
Delegated
Original signer
Verifier
4
Related Work

• Tree types of delegation
• Full delegation
• Partial delegation
• Delegation by warrant
• Proxy key pair (Warrant, Secret key)
• ID-based key pair (ID, Secret key)

5
Properties of Proxy Signature Scheme

• Strong unforgeability
• A designated signer, called proxy signer, can
  create a valid proxy signature for the original
  signer. But the original signer and third parties
  who are not authorized cannot create a valid
  proxy signature.
• Verifiability
• From proxy signature a verifier can be convinced
  of the original signer's agreement on the signed
  message either by a self-authenticating form or
  by an interactive form.
• Strong identity
• any one can determine the identity of the
  corresponding proxy signer from a proxy
  signature.
• Strong undeniability
• Once a proxy signer creates a valid proxy
  signature for an original signer, the proxy
  signer cannot repudiate his signature creation.
• Prevention of misuse
• it should be confident that proxy key pair cannot
  be used for other purposes. Because the
  responsibility of proxy signer should be
  determined with warrant explicitly.

6
Bilinear Pairings

• G1 a cyclic additive group generated by P
• G2 be cyclic multiplicative group of the same
  order q
• H1 and H2 are two hash functions.
• A bilinear pairing is map e G1G1?G2

7
Proxy Key Generation Protocol
KGC
Original Signer
Proxy Signer
Chooses q,e and P ? G1,G2
Define H1,H2
t as master key, t?Ppub
G1,G2,e,q,P,Ppub,H1,H2
Create a warrant W
Compute
S1H2(W,So)
(W,S1)
Verify
S1H2(W,S0)
Compute
QwH1(W)
SktQw
S2SkSp
(W,S2)
Compute
SwS2-Sp
(W,Sw) is an ID-based key pair Sw S2-Sp
(SkSp)-Sp Sk tQw tH1(W)
Verify
e(Sw,P)e(H1(W),Ppub)
8
Theorem 1

• Theorem 1
• A can impersonate the original signer and forge a
  valid (W, S1) to KGC with a probability 1/q.
• Proof
• Suppose A tries to impersonate the original
  signer and forge a valid (W, S1) to KGC.

S1H2(W,So)
9
Theorem 2

• Theorem 2.
• A can impersonate the KGC and forge a valid
  (W,S2) to the proxy signer with a probability
  1/q.
• Proof.
• Suppose A tries to impersonate the KGC and forge
  a valid (W, S2) to the proxy signer.

Sw tH1(W) S2 Sw Sp
10
Proxy Signature Scheme
KGC
Original Signer
Proxy Signer
Chooses q,e and P ? G1,G2
Define H1,H2
t as master key, t?Ppub
G1,G2,e,q,P,Ppub,H1,H2
QwH1(W)
SwS2-Sp
Qw as proxy public key
proxy key (Qw, Sw)
e(V,P) e(UH1(m,U)Qw,Ppub)
UrQw
hH2(m,U)
V(rh)Sw
Then (U, V) is the proxy signature of the message
m.
11
Conclusions

• Propose a proxy signature key generation protocol
  in which proxy public key.
• The protocol consists of three entities original
  signer, proxy signer and KGC.
• The scheme has two virtues
• The proxy signature is shorter because it does
  not include any parameters for rebuilding the
  proxy public key
• The verification of the proxy signature is faster
  because the public proxy key does not have to be
  computed.