Key-Insulated Undetachable Digital Signature Scheme and Solution for Secure Mobile Agents in Electronic Commerce

Considering the security of both the customers' hosts and the eShops' servers, we introduce the idea of a key-insulated undetachable digital signature, enabling mobile agents to generate undetachable digital signatures on remote hosts while the original signer's signing key retains the key-insulated property. From the theoretical perspective, we provide the formal definition and security notion of a key-insulated undetachable digital signature. From the practical perspective, we propose a concrete scheme to secure mobile agents in electronic commerce. The scheme focuses on protecting the signing key from leakage and on preventing misuse of the signature algorithm on malicious servers. Agents do not carry the signing key when they generate digital signatures on behalf of the original signer, so the key is never exposed on remote servers. Furthermore, if an attacker obtains the original signer's signing key for some time period, the attacker is still unable to forge a signature for any time period other than the one whose key was accessed. In addition, the encrypted signing function is combined with the original signer's requirement to prevent misuse of the signing algorithm. The scheme is constructed on gap Diffie-Hellman groups with provable security, and performance testing indicates that the scheme is efficient.


Introduction
Agents are a type of computer program that acts autonomously on behalf of a person or an organization. Mobile agents can easily transport themselves from one system in a network to another. They can also automatically suspend execution on one platform and migrate to another to resume their computations. Compared with traditional computing models (e.g., client/server), mobile agent technology has several significant advantages in electronic commerce applications, including autonomy and fault tolerance [1,2].
However, these benefits cannot be achieved without suitable security and trust technologies, which are critical for ensuring that all business data is appropriately protected and that business partners can collaborate with integrity and confidence. One significant threat is that malicious hosts may endanger passing agents, because attacks from the owner of a host are too strong to defeat with traditional security countermeasures. As a typical example, a mobile agent needs to sign a contract on behalf of the original signer (the customer) once a suitable product has been found, while an attacker controlling the host can extract the secret signing key from the agent's code, or simply generate a signature on an arbitrary contract by forcibly calling the signing function "carried" by the agent. Furthermore, the signing key may also leak from the customer's own PC through vulnerabilities such as "SSL Heartbleed." Therefore, in the field of mobile agent security, it is a challenge to protect the digital signature functionality against attacks from remote malicious hosts while also controlling the risk of signing key leakage on the original signer's host. Motivated by this security challenge, we propose a category of digital signature schemes for

The rest of this paper is organized as follows. Section 2 presents the background and preliminaries of this work, including mobile agent systems and their applications in electronic commerce, undetachable digital signature schemes and key-insulated signature schemes, and an analysis of the threats to mobile agents from malicious hosts. The formal definition and security notion of KIUDS schemes are provided in Section 3. A concrete KIUDS scheme is described in Section 4, along with a theoretical analysis of its security, correctness, and computational costs, as well as a set of experimental results. Comparisons with related work are presented in Section 5.
Finally, the paper concludes with a discussion of the findings.

Mobile Agent Systems and Applications in Electronic Commerce.

An agent is a software entity that acts autonomously on behalf of a person or organization. Each agent has its own thread of execution, so tasks can be performed on its own initiative. A mobile agent is not bound to the system where it begins execution; it can transport itself from one host to another in a network. We briefly introduce the background of mobile agents and the related system architecture [11] as follows.
During an agent's travel, the agent state (including the execution state and the attributes) and code are transported. The agent's authority identifies the person or organization for which the agent acts. Agent names are required for identification, management, and locating agents. Commonly, agents are named by their authority, identity, and agent system type, whose combination can be mapped to a unique value identifying a particular agent instance within the scope of the authority.
By definition, an agent system is an integrated platform that can create, interpret, execute, transfer, and terminate agents. An agent system is usually associated with an authority that identifies the person or organization for which the agent system acts. An agent system is uniquely identified by its name and address, and a host can contain one or more agent systems. An instance of the architecture of a mobile agent system is illustrated in Figure 1.
Agents transfer themselves between places over the network, where a place is a context in which an agent executes. An agent is associated with a location, which consists of the place name and the address of the agent system where the place resides. An agent system may contain one or multiple places, while a place can host a number of agents. If an agent system does not support places, it acts as a default place. When a client requests the location of an agent, it retrieves the address of the place where the agent is executing.
Agent technology is an attractive paradigm for supporting e-commerce applications [12,13], because agents are capable of acting on behalf of customers and so reduce the effort required to perform transactions. Agents are autonomous by nature and can therefore easily be personalized to embody customers' preferences. In addition, they are adaptive, in that they can learn from both past actions and their environment, coping with changing network conditions and evolving user requirements. These features allow agent technology to add value to three primary e-commerce dimensions: information filtering, information gathering and retrieval, and dynamic and flexible execution of transactions. As typical applications, agent-based electronic commerce, product recommendation, and decision making have been demonstrated in recent years [14][15][16].
Furthermore, mobile agents can not only act and negotiate autonomously on behalf of their creators within one host, but can also autonomously decide to move from one host to another as necessary [13]. Such mobility achieves better network utilization and allows mobile users to disconnect while their agents roam the network, thus reducing connection costs. In the context of electronic marketplaces, for example, mobility permits the agent to perform all required operations locally in the marketplace involved, without requiring a reliable connection or sustained bandwidth.
Some eShop and e-marketplace applications based on mobile agent technology have recently been proposed. A typical application of mobile agents in electronic commerce is shown in Figure 2. The figure illustrates an intelligent trade agent (ITA) that roams the Internet buying goods or services from the servers of three eShops in the network. Other applications include a silicon intellectual property automatic trading platform [17], an agent-based English auction protocol using an elliptic curve cryptosystem for mobile commerce [18], a multiagent system architecture to cope with the flexibility requirements of virtual enterprises [19], and an approach to deploying the mobile agent paradigm for mobile business applications [20].

Digital Signature Schemes and Attack Models.
Digital signature schemes allow a signer who has established a public key to sign a message such that any other party can verify that the message originated from the signer and was not modified in any way. A digital signature scheme typically consists of three algorithms: key generation, signing, and verification. There are three main attack models according to the capabilities an adversary has against a cryptosystem [21], for example a digital signature scheme. The first is the black-box model. It is the traditional attack model, in which an adversary only has access to the functionality of the cryptosystem. This limited access increases the effort and time required to mount attacks. The second is the grey-box model, which refers to a setting where a leakage function is present. In such an attack context, the adversary can deploy side-channel cryptanalysis techniques. Owing to the large variety of leakage functions, the grey-box model can be further classified into several subgroups. The third is the white-box model, where the adversary has total visibility of the software implementation of the cryptosystem and full control over its execution platform.
As shown in Figure 3, the white-box model is the worst-case model. It is used to analyze algorithms that run in an untrusted environment, that is, an environment in which applications are subject to attacks from the execution platform itself.
Secure computing in the white-box model is a challenge because the model assumes that [22] (1) fully privileged attack software shares a host with the cryptographic software and has complete access to the implementation of the algorithms, (2) dynamic execution (with instantiated cryptographic keys) can be observed, and (3) internal details of the cryptographic algorithms are both completely visible and alterable.

Attacks and Threats against Mobile Agents and Their Signing Routines.
While mobile agent-based technologies are already in use, mobile agents are still exposed to serious security threats. Mobile agent-based applications cannot be successfully deployed without suitable security technologies ensuring that sensitive business data is appropriately protected and that business partners can work together with integrity and confidence. One of the most challenging threats to mobile agent security is attacks from platforms (malicious hosts). In general, there are two main kinds of attacks from malicious hosts [23]: eavesdropping attacks and manipulation attacks. A substantial number of attacks are identified in detail in [24], including spying out code, spying out data, spying out control flow, manipulation of code, manipulation of data, manipulation of control flow, incorrect execution of code, masquerading of the host, denial of execution, spying out interaction with other agents, manipulation of interaction with other agents, and returning wrong results for system calls issued by the agent.
Clearly, a mobile agent executing on a malicious host is in a white-box attack context. In traditional digital signature schemes, a mobile agent must carry the private key in order to generate digital signatures on behalf of the original user. Attacks from a malicious remote host therefore endanger the digital signature functionality provided by the agent: the signing algorithm may be misused and the signing key may be compromised. Furthermore, many mobile agent systems are implemented in Java because of its portability across platforms. Unfortunately, a key embedded in a class file (Java bytecode) can be recovered directly from the file, as illustrated in Figure 4, since bytecode is trivially disassembled and its constant pool is stored in the clear. Hence, traditional digital signature schemes are not suitable for mobile agents, and new signature techniques are required.
Meanwhile, digital signature functionality also faces a significant key leakage problem on the original signer's local host. If the original signer's local host comes under the control of an attacker, the private signing key itself may be compromised.
The severity of these threats increases with the rapid development of advanced persistent threats (APTs) such as "Operation Aurora" against Gmail accounts, the "Stuxnet" worm against industrial control systems of Iran's nuclear program, "Operation Shady RAT" against more than 70 organizations (including several defense contractors), and the more recently discovered "Havex" against industrial control systems. An APT is a set of stealthy and continuous hacking processes, often orchestrated by a group targeting a specific entity. Additionally, security vulnerabilities such as "SSL Heartbleed" (CVE-2014-0160), disclosed in April 2014 in the OpenSSL cryptography library, allow attackers to read process memory from remote hosts, which can include private key material.
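As an added illustration of why a key embedded in bytecode is recoverable (this is the editor's example, not code from the paper or from any agent platform it cites): the JVM class-file format stores every string, integer and long literal in a constant pool that any reader can walk without executing the class, so a key that was "hidden" in a field initializer is one table scan away. The parser below follows the constant-pool layout of the JVM specification; the class bytes it scans are a constructed, truncated sample (header plus constant pool only, with a made-up key string), not a real compiled agent.

```python
import struct

# Byte size of each constant-pool entry payload after its 1-byte tag (JVM spec, section 4.4).
# CONSTANT_Utf8 (tag 1) is variable length and handled separately.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data: bytes):
    """Walk the constant pool of a class file. Returns ({index: (tag, payload)}, end_offset)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    entries, off, i = {}, 10, 1          # pool indices are 1-based; count is (#entries + 1)
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                     # CONSTANT_Utf8: u2 length followed by the bytes
            (length,) = struct.unpack_from(">H", data, off)
            entries[i] = (tag, data[off + 2:off + 2 + length].decode("utf-8", "replace"))
            off += 2 + length
        elif tag in _FIXED_SIZE:
            raw = data[off:off + _FIXED_SIZE[tag]]
            if tag == 3:                 # CONSTANT_Integer
                payload = struct.unpack(">i", raw)[0]
            elif tag == 5:               # CONSTANT_Long (occupies two pool slots)
                payload = struct.unpack(">q", raw)[0]
            elif tag in (7, 8):          # CONSTANT_Class / CONSTANT_String: u2 index of a Utf8
                payload = struct.unpack(">H", raw)[0]
            else:
                payload = raw
            entries[i] = (tag, payload)
            off += _FIXED_SIZE[tag]
            if tag in (5, 6):
                i += 1
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {off - 1}")
        i += 1
    return entries, off


def extract_literals(data: bytes):
    """Every string literal and long literal the class carries: exactly what a key-hunting attacker scans."""
    entries, _ = parse_constant_pool(data)
    strings = [entries[ref][1] for tag, ref in entries.values() if tag == 8]
    longs = [val for tag, val in entries.values() if tag == 5]
    return strings, longs


def build_sample_class() -> bytes:
    """Constructed sample: a class-file prefix (header + constant pool only) for an 'Agent' class
    whose author hardcoded a hex key string and a 64-bit secret. The key value is made up."""
    def utf8(s: str) -> bytes:
        b = s.encode()
        return b"\x01" + struct.pack(">H", len(b)) + b
    pool = [
        utf8("Agent"),                                      # 1
        b"\x07" + struct.pack(">H", 1),                     # 2  Class -> #1
        utf8("SIGNING_KEY"),                                # 3  field name
        utf8("Ljava/lang/String;"),                         # 4  field descriptor
        utf8("a3f1c2d4e5b607182938475665748392"),           # 5  the embedded key (fake)
        b"\x08" + struct.pack(">H", 5),                     # 6  String -> #5
        b"\x05" + struct.pack(">q", 0x0123456789ABCDEF),    # 7,8 Long (two slots)
        utf8("signContract"),                               # 9  method name
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 10)   # Java 8 major version, cp_count = 10
    return header + b"".join(pool)
```

Running `extract_literals(build_sample_class())` returns the key string and the long without touching the method bodies; on a real class file the parser stops at the end of the constant pool and ignores the rest, which is all an attacker needs. Obfuscating identifiers does not help here, since the literal values themselves are what the pool stores.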

Undetachable Digital Signatures for Mobile Agents.
The idea of the undetachable digital signature was proposed by Sander and Tschudin in [25], based on the observation that mobile agents do not have to be executed in clear text form. The undetachable digital signature technique allows a mobile agent to produce a digital signature inside a remote and possibly malicious host without allowing the host to deduce the agent's secret or to reuse the signature routine for arbitrary documents. A brief introduction to this idea follows.
Let Sig be a rational function used by a customer to produce the digital signature of an arbitrary message. Furthermore, suppose the message is the result of a rational function applied to some input data. Finally, the customer publishes a verification function Ver that allows others to check the validity of a digital signature; a value is regarded as a valid signature of a message if and only if Ver accepts the pair. To allow the customer's mobile agent to create "undetachable" signatures, the customer composes the signing function with an auxiliary binding function that binds a constraint (e.g., a restriction or a limitation) onto the signing function, so that what the agent carries is the composed "signed" function rather than Sig itself. For example, in the case of electronic commerce, a typical constraint could be "an iPhone 6 costing no more than 916 Dollars." The signed function and the binding function are then migrated to the eShop with the mobile agent, and the eShop evaluates them on its own input. However, Sander and Tschudin did not provide a concrete implementation of the undetachable digital signature scheme. The first undetachable digital signature scheme was proposed by Kotzanikolaou et al. in the form of an RSA implementation [3]. This was improved by Lee et al. [4] with bilateral security; their scheme provides non-repudiation for the server because it contains the server's signature as well. Han et al. proposed a security scheme for e-transactions using mobile agents with an agent broker [5]; they gave an undetachable signature function pair but without presenting a signing function Sig subject to (2). Another undetachable signature scheme based on pairings was proposed in prior work [8], building on the short signature scheme of [26]. To solve the problem in which a host may force an agent to commit to a suboptimal transaction, Borselius et al. [6] introduced the notion of undetachable threshold signatures and proposed an RSA-based implementation. In prior work [9], an implementation of undetachable threshold digital signatures based on conic curves was proposed, and computational studies indicated that the implementation in [9] was superior to the RSA-based implementation in [6]. The latest published undetachable signature scheme was presented in prior work [10], which provides forward security by following the BLS short signature [26]. However, except for the scheme in [10], none of the proposed undetachable digital signature schemes can simultaneously protect the digital signature functionality against attacks from remote malicious hosts and mitigate the security risk of signing key leakage on the original signer's host. Moreover, even with the scheme in [10], an adversary who has obtained the signing key (e.g., by compromising the host of the original signer) can forge signatures for every subsequent period. Therefore, stronger undetachable digital signature schemes are needed, which motivates us to develop undetachable signature schemes with the key-insulated property.

Key-Insulated Digital Signatures.
The exposure of secret keys is perhaps the most devastating attack on a cryptosystem because it typically leads to a complete loss of security. This problem is probably the greatest threat to cryptography in the real world: in practice, it is typically easier for an adversary to obtain a secret key from a naive user than to break the computational assumption on which the system is based. The threat keeps growing as new APTs are developed.
Complete prevention of key exposure, even for the original signer on his local host, usually requires some degree of physical security, which can be expensive and inconvenient. Thus, some security countermeasures assume that key exposure will inevitably occur and therefore focus on minimizing the damage that results when keys are obtained by an attacker.
One category of such damage-minimization countermeasures is key-insulated cryptography [27,28]. In the security model of key-insulated cryptography, physical security (and hence the secrecy of stored data) is guaranteed only for a single device that holds a "master" secret key corresponding to a fixed public key. Day-to-day cryptographic operations such as signing a message, however, are performed by an insecure device (e.g., the customer's PC) which "refreshes" its private key periodically by interacting with the physically secure device. In a (t, N)-key-insulated cryptosystem with N time periods, an attacker who compromises the insecure device and obtains the secret keys for up to t time periods is unable to violate the security of the cryptosystem for any of the remaining N − t periods. The principle of key-insulated signature schemes is illustrated in Figure 5.

Key-Insulated Undetachable Digital Signature
In this section, we propose a novel category of digital signature schemes for mobile agents, the KIUDS scheme. This scheme simultaneously protects the digital signature functionality against attacks from remote malicious hosts and mitigates the security risk of signing key leakage on the original signer's host. We begin by defining the KIUDS scheme and then provide its security model and security notion.

Definition

A KIUDS scheme consists of the following six algorithms.
(1) The key generation algorithm is a probabilistic algorithm taking as input a security parameter (in unary) and the total number of time periods N. It returns a public key, a master secret signing key, and an initial key for period 0.
(2) The device key update algorithm is a probabilistic algorithm taking as input two period indices (throughout, we assume indices lie between 1 and N) and the master key. It returns a partial secret key for the target period.
(3) The user key update algorithm is a deterministic algorithm taking as input the two period indices, the secret key of the source period, and the partial secret key. It returns the secret key for the target period.
(4) The undetachable signing function generation algorithm is a probabilistic polynomial time algorithm which takes as input the customer's requirement, the customer's identity, and the index of the current time period. It outputs a signed function bound to that requirement and period.
(5) The undetachable signing algorithm is a polynomial time algorithm which takes the contract (or its hash value) as input and outputs an undetachable signature.
(6) The undetachable signature verification algorithm is a polynomial time algorithm which takes the contract (or its hash value) and an undetachable signature as input and outputs either "Accept" or "Reject," i.e., 1 or 0.
To aid in further discussions, the frequently used symbols are listed as follows:

Workflow of Using a KIUDS Scheme.
First, a trusted authority, for example a certification authority or a key distribution center, publishes all public parameters of the cryptosystem to all participants. The trusted authority then generates cryptographic keys for all participants by running the key generation algorithm, and the private key (i.e., the master key and the initial key) of each participant is sent over a suitably secure channel. The customer stores the master signing key in a physically secure device. Day-to-day cryptographic operations are performed by an insecure device (e.g., the customer's PC), which periodically refreshes its key by interacting with the secure device through the device and user key update algorithms.
When a customer wants a mobile agent to do the shopping, the customer runs the undetachable signing function generation algorithm to prepare the mobile agent before it starts migrating. The mobile agent then migrates to search for shops willing to satisfy the customer's requirement, and a willing shop runs the undetachable signing algorithm to sign the contract. Finally, anyone can check the validity of a contract using the verification algorithm.
Figure 6 illustrates the workflow of using the algorithms in the proposed scheme.
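The workflow above, and the undetachable-signature idea from Section 2, carried through as an added toy example (the editor's code, not the paper's scheme): the undetachable part follows the RSA construction of Kotzanikolaou et al. [3], in which the agent carries f(x) = h^x mod n and f_signed(x) = k^x mod n with k = h^d, where h hashes the customer's identity and requirement, so the host can only ever sign messages of the form h^x and never learns d; the key-insulated part uses the generic certificate approach, in which a physically secure device holds a master key and hands the PC a fresh key certified for one time period, so a key stolen in one period is useless in any other. The names SecureDevice, prepare_agent, shop_sign and verify_contract are the editor's, 64-bit primes and hash-then-sign RSA are toy choices that are not secure at this size, and the paper's own pairing-based algorithms are not reproduced here.

```python
import hashlib
import random

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin for n < 3.3e24

def is_prime(n: int) -> bool:
    if n < 2:
        return False
    if n in _MR_BASES:
        return True
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

def rsa_keygen(rng: random.Random, bits: int = 64):  # toy RSA: returns ((n, e), (n, d))
    e = 65537
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def rsa_sign(sk, msg: bytes) -> int:  # hash-then-sign with the hash reduced mod n (toy padding)
    n, d = sk
    return pow(H(msg) % n, d, n)

def rsa_verify(pk, msg: bytes, sig: int) -> bool:
    n, e = pk
    return pow(sig, e, n) == H(msg) % n

def period_label(t: int, pk) -> bytes:
    return b"period=%d n=%d e=%d" % (t, pk[0], pk[1])

class SecureDevice:
    """Physically secure device: holds the master key and only emits certified per-period keys."""
    def __init__(self, rng: random.Random):
        self.master_pk, self._master_sk = rsa_keygen(rng)
        self._rng = rng

    def refresh(self, t: int):  # device-side key update: a fresh key, certified for period t only
        pk_t, sk_t = rsa_keygen(self._rng)
        return pk_t, sk_t, rsa_sign(self._master_sk, period_label(t, pk_t))

def prepare_agent(sk_t, pk_t, cert: int, t: int, customer_id: bytes, requirement: bytes) -> dict:
    """Customer side: the agent carries f(x) = h^x and f_signed(x) = k^x with k = h^d, never d."""
    n, d = sk_t
    h = H(customer_id, requirement, b"%d" % t) % n
    return {"t": t, "pk": pk_t, "cert": cert, "id": customer_id, "req": requirement,
            "h": h, "k": pow(h, d, n)}

def shop_sign(agent: dict, bid: bytes) -> dict:
    """eShop side: evaluates the carried functions on its bid; the host never sees d."""
    n, _ = agent["pk"]
    x = H(bid) % n
    return dict(agent, bid=bid, m=pow(agent["h"], x, n), z=pow(agent["k"], x, n))

def verify_contract(master_pk, c: dict, expected_period: int) -> bool:
    """Anyone: the certificate binds pk to its period; h binds the signature to the requirement."""
    n, e = c["pk"]
    if c["t"] != expected_period or not rsa_verify(master_pk, period_label(c["t"], c["pk"]), c["cert"]):
        return False
    h = H(c["id"], c["req"], b"%d" % c["t"]) % n
    x = H(c["bid"]) % n
    return c["m"] == pow(h, x, n) and pow(c["z"], e, n) == c["m"]

def demo(seed: int = 7):
    rng = random.Random(seed)
    device = SecureDevice(rng)
    pk2, sk2, cert2 = device.refresh(2)  # the PC now holds only the period-2 key
    agent = prepare_agent(sk2, pk2, cert2, 2, b"alice", b"iPhone 6 costing no more than 916 USD")
    contract = shop_sign(agent, b"shop-A: iPhone 6 for 899 USD")
    honest_ok = verify_contract(device.master_pk, contract, 2)
    tampered = dict(contract, req=b"iPhone 6 costing no more than 9160 USD")  # host rewrites the constraint
    tampered_ok = verify_contract(device.master_pk, tampered, 2)
    replayed_ok = verify_contract(device.master_pk, dict(contract, t=5), 5)  # period-2 key cannot vouch for period 5
    return honest_ok, tampered_ok, replayed_ok
```

`demo()` returns (True, False, False): the honest contract verifies, a host that edits the requirement breaks the binding because h is recomputed from the requirement at verification time, and a contract signed with the period-2 key is rejected for period 5 because only the secure device can issue a certificate naming that period. Verification works because z^e = (h^d)^{xe} = h^x = m mod n; the exponent d itself is never carried by the agent, which is what "undetachable" buys over shipping the signing key.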

Security Model and Security Notion.
A KIUDS scheme differs from conventional digital signature schemes, and so do its security model and security notion. However, the starting point for the security model of KIUDS schemes is still the classical security model of conventional digital signature schemes.
There are four subclasses of known-message attacks against digital signature schemes [29]: the plain known-message attack, the generic chosen-message attack, the oriented chosen-message attack, and the adaptively chosen-message attack (ACMA). ACMA is the most dangerous scenario because the adversary is granted the privilege of asking the signer to sign any message he wants and then adapting his queries according to the previous message-signature pairs.
The expected results of an attack are classified as follows [30]: (1) disclosing the secret key of the signer (a total break); (2) constructing an efficient algorithm able to sign any message (universal forgery); and (3) producing a new message-signature pair (existential forgery). In many cases an existential forgery is not dangerous in itself because the forged message is likely to be meaningless. Nevertheless, a signature scheme that is not existentially unforgeable (and thus admits existential forgeries) cannot be used to certify random-looking elements such as keys.
Besides the ACMA attack model, the following three security threats must be included in the attack model of KIUDS schemes.
(1) Implementation Exposures. A shop owner is capable of obtaining the implementation of the signed function. This corresponds to an attack from a malicious host. Note that an implementation exposure implies ACMA, because the shop owner can run the implementation of the signing algorithm on messages of his choice.
(2) Key Exposures. In some time periods, an attacker may break into a customer's computer and extract the corresponding period signing key from disk or memory.
(3) Adaptively Chosen-Restriction Attack. This attack is an extension of the first threat. Consider the case where a friend of the customer asks the customer to purchase an item. The restriction of the undetachable signature is then probably set up by the friend instead of the customer. If the friend colludes with a shop owner, the friend is also capable of obtaining the implementation of the signed function, for a restriction the friend chose.
The first threat is easy to model by giving the adversary the description of the implementation of the signed function.
To model the second threat, we give the adversary access to a key exposure oracle that performs the following operations on an input period index. The oracle first checks whether the period has been "activated"; if so, it returns the value already stored for that period's secret key. Otherwise, it runs the device key update algorithm from period 0 to the requested period, followed by the user key update algorithm, returns and stores the resulting secret key, and labels the period as "activated." To model the third threat, we give the adversary access to a chosen-restriction oracle that takes a period index and a restriction as input. The oracle first checks whether the period has been "activated"; if so, it returns the output of the undetachable signing function generation algorithm on that period's secret key and the identity concatenated with the chosen restriction. Otherwise, the chosen-restriction oracle derives the period's secret key exactly as the key exposure oracle does, stores it, labels the period as "activated," and returns the output of the signing function generation algorithm. Moreover, the first threat is also covered by the chosen-restriction oracle, which models a stronger adversary than a simple malicious eShop owner.
Note that storing the secret signing keys of activated time periods is only necessary when the device key update algorithm is probabilistic; when it is deterministic, both oracles may simply run it "from scratch" whenever needed to answer a query.
Definition 1 ((t, N)-KIUDS scheme). Let the scheme consist of the six algorithms defined above. For any adversary A, the success probability of A is defined as the probability that A outputs a valid undetachable signature that it did not obtain through the oracles above. We say that the scheme is a (t, N)-KIUDS scheme if this success probability is negligible for any probabilistic polynomial time (PPT) adversary A who submits at most t queries to the key exposure oracle. Moreover, following the convention of key-insulated cryptography, we say the scheme is perfectly key-insulated if t equals N − 1.

A Concrete Scheme
In this section, we propose a construction of a KIUDS scheme and provide proofs of correctness and security. In addition, we present the results of the complexity analysis and performance testing. Note that the proposed scheme uses the signature scheme in [31] as a building block.

The Algorithms.
Let the first group be a cyclic group generated by a fixed generator, whose order is a prime number, and let the second group be a cyclic multiplicative group of the same order. Suppose that the discrete logarithm problem is hard in both groups. Let the pairing be a map from pairs of elements of the first group into the second group that satisfies the following three conditions.
We note that the Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified to create such bilinear maps.
Suppose that the first group is written additively. Four well-known mathematical problems are defined as follows.
We assume throughout this paper that CDHP and DLP are intractable, meaning that there is no polynomial time algorithm that solves CDHP or DLP with non-negligible probability. When DDHP is easy but CDHP is hard in a group, that group is called a gap Diffie-Hellman (GDH) group. Our scheme can be built on any GDH group. Further mathematical background can be found in [32,33].
We now define some system parameters. Fix a generator of the first group. Suppose that the total number of time periods N is a shared public value. Two cryptographic hash functions are used: one mapping arbitrary strings to exponents modulo the group order, and one mapping arbitrary strings into the first group. Implementations of such hash functions can be found in works such as [34][35][36].
The public parameters (the two groups, the pairing, the generator, the group order, and the two hash functions) should be published to all participants by the trusted authority. Moreover, a public function ValidTuple that outputs 1 when its input is a valid Diffie-Hellman tuple and 0 otherwise is shared among all parties.
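The three pairing conditions and the four problems referred to above, restated in standard notation as an added note (the editor's wording, not the paper's text; the symbols $G_1$, $G_2$, $q$, $P$, $e$ and the exponents $a, b, c$ are the conventional names and are assumed here, and identifying the fourth problem as the gap Diffie-Hellman problem is the editor's assumption):

$$
\begin{aligned}
&\text{Bilinearity:} && e(aP,\, bQ) = e(P,Q)^{ab} \quad \text{for all } P, Q \in G_1,\ a, b \in \mathbb{Z}_q,\\
&\text{Non-degeneracy:} && e(P,P) \neq 1_{G_2} \quad \text{for a generator } P \text{ of } G_1,\\
&\text{Computability:} && e(P,Q) \text{ is computable in polynomial time.}
\end{aligned}
$$

$$
\begin{aligned}
&\text{DLP:} && \text{given } P,\ aP, \text{ find } a;\\
&\text{CDHP:} && \text{given } P,\ aP,\ bP, \text{ compute } abP;\\
&\text{DDHP:} && \text{given } P,\ aP,\ bP,\ cP, \text{ decide whether } c \equiv ab \pmod q;\\
&\text{GDHP:} && \text{solve CDHP given an oracle for DDHP.}
\end{aligned}
$$

With a pairing available, DDHP is easy, which is exactly what makes $G_1$ a GDH group and gives the ValidTuple function its implementation:

$$
\mathrm{ValidTuple}(P, aP, bP, cP) = 1 \iff e(aP, bP) = e(P, cP),
$$

since $e(aP, bP) = e(P,P)^{ab}$ and $e(P, cP) = e(P,P)^{c}$, and $e(P,P)$ has order $q$.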
(i) The Key Generation Algorithm. It takes a security parameter (in unary) as input and returns the public key and the master secret key, as shown in Algorithm 1.
Because the total number of time periods N is already a system-wide public value and the initial key is not needed in the proposed scheme, we omit them from the input and output, respectively.
(ii) The Device Key Update Algorithm. In the proposed scheme, the device key update algorithm updates the signing key directly, as shown in Algorithm 2.
(iii) The User Key Update Algorithm. The user key update algorithm can be defined as the identity transformation to fulfill the definition, as shown in Algorithm 3.
(iv) The Undetachable Signing Function Generation Algorithm. First, the customer generates a description of his/her requirement. Next, the customer runs the generation algorithm to prepare the mobile agent before it starts migrating. The process is illustrated in Figure 7 and the algorithm is presented in Algorithm 4.
(v) The Undetachable Signing Algorithm. If a shop owner is going to make a deal with the customer, he/she generates bid information satisfying the customer's requirement and runs the signing algorithm on the contract formed by concatenating the customer's identity and requirement with the bid information (see Algorithm 5).
(vi) The Undetachable Signature Verification Algorithm. Anyone can verify a contract by running the verification algorithm, which works as shown in Algorithm 6.
The correctness of the scheme is proved as follows.
Proof. Since the fixed generator generates the first group, the hash of the message into that group is some scalar multiple of the generator. Although it is infeasible to compute that scalar, the following equations hold:
Hence, the verification algorithm outputs 1. This completes the proof.
The next proposition indicates that the proposed scheme satisfies (2) in Section 2.

Security of the Scheme
Theorem 4. The proposed scheme is a perfectly KIUDS scheme.
Proof. First, we construct a security game which consists of two subgames (Game 1 and Game 2), as shown in Figure 8. In this security game, there are three players: A, F, and a simulator of the signature scheme in [31]. The game proceeds in the random oracle model (ROM). A is a PPT adversary against the proposed key-insulated undetachable signature scheme. The message is a pair of components. The forger F plays between A and the simulator. A is capable of making key exposure queries, chosen-restriction queries, and queries to the two hash oracles. F is responsible for answering these queries with the help of the simulator, which in turn answers F's Extract, Sign, and hash queries. Note that the input parameter of the simulator's key generation is the unary form of the group order.
Algorithms 7 and 8 are used by the forger F to answer queries from the adversary A in the security game.
At the end of the security game, F uses its forging algorithm to forge a signature of the simulated scheme from the output of A. This algorithm proceeds as shown in Algorithm 9.
Clearly, in the security game illustrated in Figure 8, the following relation holds. Suppose that the adversary A can win Game 1 while making bounded numbers of key exposure, chosen-restriction, H1 and H2 queries, with a given running time and advantage. Then F can win Game 2 with the same numbers of Extract and Sign queries, numbers of H1 and H2 queries exceeding A's by at most the numbers of oracle queries plus small constants, a running time equal to A's plus the simulation overhead, and the same advantage. Recall that the simulator simulates the signature scheme in [31], and therefore Game 2 depicts attacks against the signature scheme in Section 3.1 of [31] in an equivalent form. Based on Lemma 4 in [30] (the Forking Lemma), Theorem 3 in [31] states that if there is an algorithm for an adaptively chosen message and ID attack on that scheme which queries H1, H2, Sign and Extract a bounded number of times, with running time and advantage satisfying the bound in (20), then the CDHP can be solved with probability at least 1/9 and within the running time given in (21). Substituting the query counts, running time and advantage of F into (20) and (21), we obtain that if A's advantage were non-negligible, the CDHP could be solved with probability no less than 1/9 within polynomial running time. Since the CDHP is assumed to be hard, A's advantage is negligible in the security parameter. This completes the proof.

Computational Costs

The basic operations in the scheme are scalar multiplication (SM; a scalar times an element of the first group), point addition (PA; adding two elements of the first group), the bilinear map (BM; mapping a pair of elements of the first group into the second group), and the two hash functions. All of these operations are polynomially bounded and can be computed efficiently.
Let the size of an exponent modulo the group order and the size of an element of the first group be the two unit sizes. Let |res| be the length of the identity together with the requirement, |msg| the length of the message, and |impl| the size of the implementation of the signed function excluding its carried parameters. In Table 1, we show the numbers of operations needed for the algorithms proposed in Section 4.1.

Theoretical Comparison with Related Work
Since the first implementation of undetachable digital signatures was proposed by Kotzanikolaou et al. [3], several concrete constructions of undetachable digital signature schemes have been proposed between 2001 and 2015 [4,5,7–10]. Compared with these prior undetachable digital signature schemes, the most significant feature of our proposed scheme is its key-insulation property. Unlike most prior studies, we have formally proved the security of the scheme. Moreover, the security of the related schemes rests on a variety of assumptions about the computational infeasibility of different mathematical problems. Comprehensive comparisons in terms of these three factors are summarized in Table 2.
The forward-secure undetachable digital signature (FSUDS) scheme in prior work [10] is currently the latest published study on undetachable signatures. In terms of security, the "perfectly key-insulated" property implies the "forward-secure" property, but the converse does not hold: exposure of one period's key in a forward-secure scheme still endangers all later periods, whereas in a perfectly key-insulated scheme it endangers only that period. Therefore, the proposed KIUDS scheme is stronger than the FSUDS scheme.
Compared with other key-insulated signature schemes, the proposed scheme is undetachable. The private key of the original signer (i.e., the customer) cannot easily be compromised, even in a white-box attack context (e.g., a malicious host), because the agent never carries it. For attackers, misuse of the signing function carried by a mobile agent is also infeasible in white-box attack contexts, because the customer's restriction is combined with the "encrypted" signing function.
We further present a comparison with the field of software obfuscation. Obfuscation is a process that transforms a program into an unintelligible one without changing its original functionality. If the signing algorithm has been obfuscated, the attacker cannot extract the signing key from the obfuscated implementation. However, it remains an open research problem whether an obfuscator exists for the signing algorithm of a digital signature scheme. Some obfuscators for specialized encrypted signatures have been developed since Hada's work was reported at Eurocrypt 2010 [37]. For example, an obfuscator for encrypted verifiably encrypted signatures [38] and an obfuscator for encrypted group signatures [39] were presented in recent years. However, an obfuscated implementation of the generation algorithm of encrypted signatures cannot prevent misuse attacks (i.e., an attacker can still call the algorithm to generate a signature). Therefore, compared with obfuscation approaches for encrypted signatures, the proposed scheme provides additional protection against misuse of the signing algorithm.

Experimental Results and Comparison
6.1. Performance Testing. We have implemented the algorithms in Java. Java was used instead of C/C++ because many mobile agent platforms are developed in Java, although C/C++ is known to be more efficient. We used the open source Java Pairing-Based Cryptography Library (JPBC) [40] in our implementation. The configurations of the testing platforms are listed in Table 3, and the experimental results are shown in Figures 9 and 10.
When the computing platform is a PC, we focus on the speed of the algorithms. In Figure 9, we show the speed of the algorithms on two different portable computers in single-thread mode. When the computing platform is a server, the most important performance index is the number of transactions that can be processed in a short time span (e.g., one second). Hence, Figure 10 shows the number of operations of each algorithm on a PC server in multithread mode. The experimental results indicate that the algorithms in the proposed scheme are quite efficient.

Experimental Comparison with Related Work.
With regard to the standard undetachable digital signature scheme based on bilinear pairings [8] and the FSUDS scheme [10], a group of experimental comparisons of computational costs has been performed on the server described in Table 3. The scheme in [8] was selected for comparison because it is based on the same mathematical structure as the proposed scheme. As the standard scheme does not include a key update algorithm, the corresponding entries are filled with "0". In Figure 11,

Figure 4: Segment of the Java byte code of an agent.

Figure 5: Principle of the key-insulated signature.

: a security parameter, ( ∈ N),  pub : the public key, : the master secret signing key, , : indices of the time period,  0 : the initial key,   : the secret key for time period ,   , : a partial secret key,   ‖   : shop 's bid information and identity,   ‖   : customer 's requirement and identity,  Signed, : an implementation of the undetachable signing function for time period , : the auxiliary function of  Signed, , : message (usually a contract), : an undetachable signature, : a prime number,  1 ,  2 : two cyclic groups whose orders are both , : a generator of  1 , (⋅, ⋅): a bilinear pairing from  1 ×  1 to  2 .

Figure 7: Preparation of a mobile agent for migration.

Figure 9: Running time (ms) on PC1 and PC2 for each algorithm in the proposed scheme.