Cryptanalytic Performance Appraisal of Improved CCH 2 Proxy Multisignature Scheme

Many of the signature schemes are proposed in which the t out of n threshold schemes are deployed, but they still lack the property of security. In this paper, we have discussed implementation of improvedCCH1 and improvedCCH2 proxymultisignature scheme based on elliptic curve cryptosystem.We have represented time complexity, space complexity, and computational overhead of improved CCH1 and CCH2 proxy multisignature schemes. We have presented cryptanalysis of improved CCH2 proxy multisignature scheme and showed that improved CCH2 scheme suffered from various attacks, that is, forgery attack and framing attack.


Introduction
During the last decade there has been an exponential growth in the number of handheld devices being used all over the world.Devices with limited processing capability such as PDA and smart cards also exchange information over the networks.To provide the confidentiality and authenticity of information is a challenging task in a network environment which consists of constrained devices.The security of public key systems is based on the relative complexity of the underlying mathematical problem.For example, the security of RSA depends on integer factorizing systems and that of DSA depends on discrete logarithm systems [1].Proxy signatures are very useful tools when one needs to delegate his/her signing capability to another party.Relatively longer key lengths are required to maintain the security of a cryptosystem, because the computational power for cryptanalysis increases.This increases the need for higher computational power in devices to achieve reasonable security.But handheld devices like PDAs, smart cards, and so forth have limited processing capability and therefore the overheads associated with communication must be minimal.

Various Terms
(i) Proxy signature: proxy signature, as a variant of ordinary digital signature, allows one party (original signer) to delegate his/her signing capability to another party (proxy signer) such that the proxy signer can sign messages on behalf of the original signer [2].
(ii) Proxy multisignature: in proxy multisignature, one proxy signer can create signature on behalf of group of original signers.
(iii) Multiproxy signature: in multiproxy signature, multiple proxy signers can create signature on behalf of one original signer.
(iv) Multiproxy multisignature: in multiproxy multisignature, multiple proxy signers can create signature on behalf of multiple original signers.
(v) Proxy unprotected proxy signature: in proxy unprotected, the proxy signer generates proxy signatures only with the proxy signing key given by the original signer.So the original signer can also generate the same proxy signatures.(vi) Proxy protected proxy signature: in proxy protected, the proxy signer generates proxy signature not only with the proxy signing key given by the original signer but also with his own private key.Therefore, anyone else, including the original signer, cannot generate the same proxy signatures.
According to authenticated degree, Mambo et al. [4] give a classification, that is, full delegation, partial delegation, and delegation by warrant.
In full delegation, the original signer gives the same secret key(s) to proxy signer that he has, so that proxy signer can create the same signature as original signer creates.In partial delegation, a proxy signer has proxy private key, which is different from original signer's private key.Proxy signer can sign range of messages.In delegation by warrant, warrant is added that specifies what kinds of messages are delegated, the delegation period, IDs of original signers and proxy signer, and so forth.

Elliptic Curve over Finite Field GF (𝑝).
In 1985, elliptic curve cryptography was introduced by Miller [5] and Koblitz [6].ECC is an attractive public key cryptosystem due to small key size and low computational overhead.
Equation of the elliptic curve on a prime field GF () is where 43 + 272 mod  ̸ = 0.Here the elements of the finite field are integers between 0 and −1, where  is a large prime number and greater than 3.The operations are performed using modular arithmetic.Modular arithmetic works like ordinary arithmetic except that the answers of the calculation are reduced to its remainder on division by .The variables and coefficients all take values in set of integers from 0 through  − 1.The prime number  is chosen such that there is finitely large number of points on the elliptic curve to make the cryptosystem secure.Point multiplication is calculated by two elliptic curve operations, that is, point addition and point doubling (Figure 2).The rules for point addition and point doubling over GF () are explained below and see Figure 1.

Point Addition.
The elliptic curve addition is different from simple addition. and  are two distinct points on the elliptic curve; that is,  = (1, 1) and  = (2, 2) [3].
where  = ((3 × 12 + )/(21)) mod  is the tangent at point  and  is one of the parameters chosen with the elliptic curve.

Domain Parameters for Elliptic
Curve over GF () Are (, , , , ). is the prime number defined for finite field GF ().,  ∈ GF () are the two coefficients defining the curve 2 mod  = (3 +  + ) mod . is the generator point (, ) and  is the order of .

Various Security Parameters.
A proxy signature should have security properties [4] and they are as follows.
(1) Strong unforgeability: proxy signatures can be created only by designated proxy signer.Original signer or any other party cannot generate proxy signatures.
(2) Verifiability: a verifier can be convinced of the original signer's agreement on the signed message from the proxy signature.
(3) Strong identifiability: from the proxy signature, anyone can determine the identity of corresponding proxy signer.
(4) Strong undeniability: once valid proxy signature is created by proxy signer, he/she cannot repudiate signature creation.
(5) Distinguishability: proxy signatures are distinguishable from ordinary signature created by original signer.

Various Attacks
(i) Public key substitution attack: in this attack, original signer can generate proxy multisignature by updating his own public key [7].
(ii) Original signer's forgery attack: in this attack, original signers can generate valid proxy multisignature without agreement of proxy signer and verifier will be convinced that any proxy multisignature generated by using forged signing key is generated by agreement of all, original signer and proxy signer [8].

Review of Existing Schemes
Mambo et al. [4] define the different types of delegations like full delegation, partial delegation, and delegation by warrant.They have proposed a proxy signature scheme that is based on discrete logarithm problem.They have compared different proxy signature schemes like Schnorr scheme, Elgamal scheme, and Okamoto scheme on the basis of message length and amount of computational work.In all the above schemes, the amount of computational work in partial delegation is smaller than that with delegation by warrant.In partial delegation, a proxy signer can create proxy signature forever because valid period is not specified.In this case the original signer can revoke the signing capability of the proxy signer by two ways, that is, (1) to make revocation list publicly seen and ( 2) to change the public key of original signer and all proxies of honest proxy signers are updated accordingly.
Mambo et al. [10] proposed a new type of proxy signature scheme based on discrete logarithm problem.Scheme that is proposed by Mambo et al. 's [4] holds sufficient properties if original signer is trustworthy and never cheats.If the original signer is not trustworthy then proxy protected proxy signature scheme is important and they have introduced proxy protected proxy signature scheme based on discrete logarithm problem.
Kim et al. [11] have introduced two new types of proxy signature schemes based on discrete logarithm problem, that is, partial delegation with warrant and threshold delegation.Partial delegation with warrant combines the benefits of partial delegation and delegation with warrant.Valid period can be specified in proxy signature for partial delegation with warrant, so their new scheme does not require an additional proxy revocation protocol.In threshold delegation, the original signer delegates the power to sign message in such a way that from the designated group of n proxy signers,  or more proxy signers can create signature and  − 1 or less proxy signers cannot create signature on behalf of original signer.
Yi et al. [12] proposed a new type of proxy signature scheme, that is, proxy multisignature scheme in which a proxy signer can create signature on behalf of two or more original signers.They give the overview of proxy monosignature schemes, that is, Mambo et al. 's [4] and Kim et al. 's [11].They have introduced Mambo-like proxy multisignature scheme and Kim-like proxy multisignature scheme.Their schemes are proxy unprotected schemes; that is, original signer can also create proxy signature.
Sun [7] analyzes the proxy signature and proxy multisignature schemes and their analysis indicates that these schemes suffer from the public key substitution attack and direct forgery attack.They analyzes Yi et al. 's [12] proxy multisignature schemes and shows that these schemes suffer from public key substitution attack (an original signer can forge proxy multisignature by updating his own public key) and direct forgery attack (one original signer can generate forged proxy multisignature on arbitrary message for multiple original signers).They proposed a new proxy protected and proxy unprotected proxy multisignature schemes which do not suffer from these attacks.
Lee et al. [13] provide new classifications of proxy signature scheme, that is, strong and weak proxy signature, designated and nondesignated proxy signature, and selfproxy signature.They proposed a strong nondesignated proxy signature scheme.The proposed scheme does not specify proxy signer so it can be applied to multiproxy signature in which multiple original signers can delegate their signing capabilities to proxy signers.
Chen et al. [14] proposed a new proxy protected proxy signature scheme which is based on elliptic curve discrete logarithm problem.They analyze the performance of Sun [7] and the proposed scheme on the basis of time complexity.
Chen et al. [1] proposed an improved scheme in which the exponential operations are changed into elliptic curve multiplicative ones.Sun [7] improvement increases security but requires complex operations to derive the proxy public key that is required to verify the proxy multisignature.ECC has lower computational overhead and a smaller key size than that of RSA or DSA and ECC can achieve a level of security equal to that of the RSA or DSA.This proposed scheme is called CCH1 scheme.They compared the Sun [7] and proposed proxy multisignature schemes.The time complexity of proposed scheme is reduced and performance is enhanced without loss of security.
Chen et al. [15] introduced a traceable proxy multisignature scheme.This scheme makes size of proxy signature independent of number of original signers, so computation overhead means none of operations required for verification is greatly reduced.This proposed scheme is called CCH2 scheme.They compare the Sun [7] and proposed proxy multisignature schemes on the basis of time complexity.
Hwang et al. [16] proposed a generalized version of the (1/1−2/2) proxy signature scheme based on elliptic curve discrete logarithm problem.In a generalized proxy signature scheme with known signers, any 1 or more original signers out of 1 original signers (1 ≤ 1 ≤ 1) can represent the original group to delegate the signing capability, and 2 or more proxy signers out of 2 proxy signers (1 ≤ 2 ≤ 2) can represent the proxy group to sign message on behalf of the group of original signers.They have discussed special cases, namely, the (1/1−1) proxy signature (proxy multisignature) scheme, (1 − 2/2) proxy signature scheme (multiproxy signature), and (1 − 1) proxy signature scheme.
Wang et al. [17] present security analysis of some proxy signature schemes, that is, Mambo et al. 's [10] and Lee et al. 's [13].By identifying several attacks, they show that all these schemes are insecure.
Wang et al. [2] review Chen et al. 's [14] proxy protected proxy signature scheme based on elliptic curve cryptosystem and they show that it is vulnerable to an original signer forgery attack.They present an improved scheme which is secure against the proposed attack.
Park et al. [8] show that proxy multisignature schemes proposed by Chen et al. [1,15] are insecure against the malicious original signer(s).They review the CCH1 and CCH2 schemes and analyze their security.These schemes are vulnerable to proxy signing forgery attack by one or all original signers.
Chang et al. [18] proposed a proxy protected signature scheme based on ECDSA which satisfies security properties.They show that the time complexity of proxy signature is similar in both proxy signature based on ECDSA and ECDSA.
Li and Xue [19] have reviewed CCH1 and CCH2 proxy multisignature schemes based on elliptic curve cryptography.Park et al. [8] show that these schemes suffer from forgery attack by one or all original signers.They have proposed improved CCH1 and improved CCH2 schemes that do not suffer from forgery attack.
Tutanescu et al. [3] examine that ECC is more attractive cryptosystem than conventional cryptosystem (RSA/DSA) for mobile devices, which are limited in terms of their CPU, power, and network connectivity.ECC is fast and can be implemented with less hardware, because of shorter key length.They have presented the application of ECC, that is, internet, smart cards, PDAs, and PCs.Their opinion is that ECC could become the next generation of PKC.
Wang and Yu [20] have discussed two fatal flaws of the cryptosystem which are based on the logistic map and proposed by Wang and Xiang are pointed out.According to this, cryptanalysts could recover the plaintext by the chosen plaintext attacked in a short time.Authors proposed a remedial improvement which can avoid the flaws and enhance the security of the cryptosystem.
In this paper [21], have analyzed the security of a parallel keyed hash function based on chaotic neural network proposed by Wang and Zhao recently.Weak keys and forgery attacks against Wang and Zhao's scheme are demonstrated.Both theoretical analysis and experimental results show that the parallel keyed hash function is not security.Besides, some improvement measures are presented to enhance the security of the parallel keyed hash function.
Wang and He [22] have introduced a novel image encryption method based on a skew tent map that is proposed recently.In this paper, some flaws of this algorithm are pointed out and then a chosen plaintext attack against it is presented.Both theoretical analysis and experimental simulation indicate that the plain image can be recovered exactly from the cipher image without the secret key.So it can be seen that this algorithm is not secure enough to be applied in network communication.
Wang and Liu [23] have cryptanalysis of a parallel subimage encryption method with high-dimensional chaos.

Estimation of Time, Space, and
Computational Overhead of Improved CCH1 and CCH2 Schemes

Implementation of Improved CCH1 Proxy Multisignature
Scheme.There are four phases-the system initialization phase, the key generation phase, the proxy multisignature generation phase, and the proxy multisignature verification phase [19].
Phase 1. System initialization phase: before the whole scheme can be initialized, the following parameters over the elliptic curve domain must be known: (i) a field size , which is odd prime; (ii) two parameters ,  ∈   to define the equation of elliptic curve  over   (i.e.,  2 =  3 +  +  (mod )), where 4 3 + 27 2 ̸ = 0 (mod); (iii) a finite point  = (  ,   ) whose order is a large prime number in (  ), where  is a point in (  ), where  ̸ = , because  denotes an infinity point; (iv) the order of  = .
Phase 2. Key generation phase: this phase can be further divided into two parts.
Part 1. Personal public key generation phase: all original signers and the designated proxy signer are authorized to select their own individual secret keys.
(i) For each 1 ≤  ≤ , the original signer   secretly selects a random number 1 ≤   ≤  − 1 as his private key and computes the corresponding public key   =   ×  = (   ,    ), where "×" indicates the multiplication of a number by an elliptic curve point.
(ii) The proxy signer is provided with a private key 1 ≤   ≤  − 1 and a corresponding public key   =   ×  = (   ,    ).All public keys   and   must be certified by the CA.
Part 2. Proxy-signature secret key generation phase.
Step 2 (group commitment value generation).They then computes If    = 0, then return to step 1; otherwise   broadcasts   to other original signers.
Step 3 (subdelegation parameter generation).For each 1 ≤  ≤ , the original signer   uses his own secret keys   ,   and the group commitment value   to compute the following: where ℎ( ) is a hash function and the warrant   contains information such as the IDs of all original signers and proxy signer.Then, the subdelegation parameter for   is (  ,   ,   ).
Step 4 (subdelegation parameter verification).After the proxy signer has received the subdelegation parameters, then the proxy signer  computes and checks whether it holds.If it holds then the proxy signer accepts (  ,   ,   ) as a valid subdelegation parameter; otherwise, he can reject it and requests a valid one   or terminate this protocol.
Step 5 (proxy multisignature secret key generation).He then computes the proxy multisignature secret key as follows: Phase 3. Proxy multisignature generation phase: the proxy multisignature affixed to the  is in the form of (,   , , Sig  ()), where Sig  () is the signature generated by a designated signature scheme (EC-Schnorr signature scheme) using the proxy signing key  and  is message.
If  = 0, then go to step 1.

Mathematical Problems in Engineering
Phase 4. Proxy multisignature verification phase: when the verifier verifies the signature, he or she calculates the proxy public value  corresponding to the proxy signature key  as With the value, the verifier can confirm the validity of Sig  () by validating the verification equality of the designated signature scheme.
Step 2. And compute   = ℎ(  , ).Then check that   =  and if this equation satisfies then valid signature generated otherwise not.

Implementation of Improved CCH2 Proxy Multisignature
Scheme.There are four phases-the system initialization phase, the key generation phase, the proxy multisignature generation phase, and the proxy multisignature verification phase [19].
Phase 1. System initialization phase: before the whole scheme can be initialized, the following parameters over the elliptic curve domain must be known: (i) a field size , which is an odd prime; (ii) two parameters ,  ∈   to define the equation of elliptic curve  over   (i.e.,  2 =  3 +  +  (mod )), where 4 3 + 27 2 ̸ = 0 (mod); (iii) a finite point  = (  ,   ) whose order is a large prime number in (  ), where  is a point in (  ), where  ̸ = , because  denotes an infinity point; (iv) the order of  = .
Phase 2. Key generation phase: this phase can be further divided into two parts.
Part 1. Personal public key generation phase: all original signers and the designated proxy signer are authorized to select their own individual secret keys.
(i) For each 1 ≤  ≤ , the original signer   secretly selects a random number 1 ≤   ≤  − 1 as his private key and computes the corresponding public key   =   ×  = (   ,    ), where "×" indicates the multiplication of a number by an elliptic curve point.
(ii) The proxy signer is provided with a private key 1 ≤   ≤  − 1 and a corresponding public key   =   ×  = (   ,    ).All public keys   and   must be certified by the CA.
Part 2. Proxy-signature secret key generation phase.
Step 1 (secret key generation).For each 1 ≤  ≤ , the original signer   selects a random number   ∈ {1, 2, . . .,  − 1}/  as secret key. Step Step 3 (subdelegation parameter generation).For each 1 ≤  ≤ , the original signer   uses his own secret keys   ,   and the group commitment value   to compute the following: where ℎ( ) is a hash function and the warrant   contains information such as the IDs of all original signers and proxy signer.Then, the subdelegation parameter for   is (  ,   ).
Step 4 (subdelegation parameter verification).After the proxy signer has received the subdelegation parameters then the proxy signer  computes and checks whether it holds.If it holds then the proxy signer accepts (  ,   ) as a valid subdelegation parameter; otherwise, he can reject it and requests a valid one   or terminate this protocol.
Step 5 (proxy multisignature secret key generation).They then computes the proxy multisignature secret key as follows: Phase 3. Proxy multisignature generation phase: the proxy multisignature affixed to the  is in the form of (,   , , Sig  ()), where Sig  () is the signature generated by a designated signature scheme (EC-Schnorr signature scheme) using the proxy signing key  and  is message.
If  = 0, then go to step 1.
Phase 4. Proxy multisignature verification phase.When the verifier verifies the signature, he or she calculates the proxy public value  corresponding to the proxy signature key  as Figure 3: Entropy for the proposed scheme.With the value, the verifier can confirm the validity of Sig  () by validating the verification equality of the designated signature scheme.
Step 2. And compute   = ℎ(  , ).Then check that   =  and if this equation satisfies then valid signature generated otherwise not.

Performance Analysis of the Proposed Scheme
The analysis reports of the proposed scheme are given below.
4.1.Entropy.In this case, the value of entropy is the measure of the tendency of a process, to be entropically favored, or to proceed in a particular direction.Moreover, entropy provides an indication for a specific encryption method.We have analyzed our hypothesis on the basis of entropy generated [24].Figure 3 shows the entropy for the proposed scheme.The Figure 4 shows that compression ratio required in each scheme.Table 1 lists the name and compression ratio required in each scheme.

Floating Frequencies/Intuitive Synthesis.
Floating frequencies/intuitive synthesis in its completed three part entirety which takes full advantage of the time complexity, space complexity, and communication overhead provided by the digital medium.We have calculated floating frequency of threshold proxy signature scheme [24].Figure 5 shows floating frequencies/intuitive synthesis for the proposed scheme.

ASCII Histogram.
The ASCII histogram proved to be very useful since it helped enormously in debugging code involving probability calculations with simple print statements.Probabilistic simulations are extremely hard to test  because the results of a given operation are never strictly the same.However, they should have the same probability distribution, so by looking at the rough shape of the histogram, you tell if your calculations are going in the right direction.In this context, we have calculated ASCII histogram for our threshold proxy signature scheme [24].Figure 6 shows ASCII histogram for the proposed scheme.

Autocorrelation.
A mathematical representation of the degree of similarity between a given time series and a lagged version of itself over successive time intervals.It is the same as calculating the correlation between two different time series, except that the same time series is used twice-once in its original form and once lagged one or more time periods.The term can also be referred to as "lagged correlation" or "serial correlation." In this, we have calculated autocorrelation for threshold proxy signature scheme [24].Figure 7 shows autocorrelation for the proposed scheme.     2 lists the histogram analysis for overall threshold proxy signature schemes [24].Figure 8 shows radar chart showing overall analysis for all schemes.complexity, and computational overhead for the CCH1 and CCH2 schemes.
Finally, the malicious original signers  1 , . . .,   can forge a valid proxy signature (,   , , , ).The following shows why the proxy signature (,   , , , ) is valid.Proxy multisignature verification: when the verifier verifies the signature, he or she calculates the proxy public value  corresponding to the proxy signature key  as With the value, the verifier can confirm the validity of Sig  () by validating the verification equality of the designated signature scheme.
Step 2. And compute   = ℎ (  , ).Then check that   =  and if this equation satisfies then valid signature generated otherwise not.The malicious original signers can forge a valid signature (,   , , ,   ) on message  with respect to proxy signer 's private key   .

Time complexity of enhanced technique
The following shows why the signature (,   , , ,   ) is valid.Space complexity of CCH2 the verifier can confirm the validity of Sig  () by validating the verification equality of the designated signature scheme.
Step 2. And compute   = ℎ (  , ).Then check that   =  and if this equation satisfies then valid signature generated otherwise not.Upon receiving the signature (,   , , ,   ), then the malicious original signers  1 , . . .,   can forge a valid proxy signature as follows.
(i) The malicious users  1 ,  2 , . . .,   pretend to produce a forged warrant   , which records the delegation information such as identities of the malicious users  1 ,  2 , . . .,   and user .
With the value, the verifier can confirm the validity of Sig  () by validating the verification equality of the designated signature scheme.
Step 2. And compute   = ℎ (  , ).Then check that   =  and if this equation satisfies then valid signature generated otherwise not.

Conclusion
In this paper, we have discussed implementation of improved CCH1 and improved CCH2 proxy multisignature scheme based on elliptic curve cryptosystem.We have represented time complexity, space complexity, and computational overhead of improved CCH1 and CCH2 proxy multisignature schemes.We have presented cryptanalysis of improved CCH2 proxy multisignature scheme and showed that improved CCH2 scheme suffers from various attacks, that is, forgery attack and framing attack.

Figure 4 :
Figure 4: Radar chart showing compression ratio required in each scheme.

Figure 5 :
Figure 5: Floating frequencies/intuitive synthesis for the proposed scheme.

Figure 6 :
Figure 6: ASCII histogram for the proposed scheme.

Figure 7 :
Figure 7: Autocorrelation for the proposed scheme.

4. 5 .
Histogram Analysis.A histogram is a graphical representation showing a visual impression of the distribution of data.We have analyzed histogram for all schemes.Table

Figure 8 :
Figure 8: Radar chart showing overall analysis for all schemes.

Figure 9 :
Figure 9: Time complexity of improved CCH1 scheme with varying value of field size ().

Figure 11 :Figure 12 :
Figure 11: Space complexity of improved CCH1 scheme with varying value of field size ().

Figure 13 :
Figure 13: Computational overhead of improved CCH1 scheme with varying value of field size ().

Figure 15 :
Figure 15: Time complexity of improved CCH1 scheme with varying value of field size ().

Figure 17 :
Figure 17: Time complexity of enhanced scheme with varying value of field size ().

Figure 19 :
Figure 19: Space complexity of improved CCH2 scheme with varying value of field size ().

Table 1 :
Compression ratio (in %) in each scheme.

Table 2
A C E G I K M O Q S U W Y Value Frequency (%) ASCII histogram of ⟨NewTechPhase4.cs⟩[1836characters]
18)Proxy multisignature verification: when the verifier verifies the signature, he or she uses proxy public value   corresponding to the proxy signature key   .With the value, Figure 18: Space complexity of improved CCH1 scheme with varying value of field size ().