Institutional Knowledge at Singapore Management University

Strong identity-based proxy signature schemes, revisited

Proxy signature is a useful cryptographic primitive that has been widely used in many applications. It has attracted a lot of attention since it was introduced, and there has been much work on constructing efficient and secure proxy signature schemes. In this paper, we identify a new attack that has been neglected by many existing provably secure proxy signature schemes. We demonstrate this attack by launching it against an identity-based proxy signature scheme that is proven secure. We then propose a method that effectively prevents this attack. The weakness in some other proxy signature schemes can also be fixed by applying the same method.


Introduction
Proxy signature is a special type of digital signature which allows one user (the original signer) to delegate his/her signing right to another signer (the proxy signer). The latter can then issue signatures on behalf of the former. Anyone can verify that the resulting proxy signature was indeed generated by the proxy signer with proper delegation from the original signer [1,2]. Proxy signature has been found useful in many applications, such as distributed computing [3], electronic commerce [4], mobile agents [5], and grid computing [6]. It is worth noting that proxy signature can also serve as a useful tool in the Internet of Things (IoT), since most RFID tags in IoT have only limited storage and computing ability. For operations involving a large amount of computation, such tags can authorize tag readers with strong computing ability to perform those operations on their behalf with the help of a proxy signature scheme [7,8].
The concept of proxy signature was introduced by Mambo, Usuda, and Okamoto in 1996 [9]. In their seminal work they presented three different types of proxy signature, namely full delegation, partial delegation, and delegation by warrant. Shortly after Mambo et al.'s work, Kim et al. [10] proposed a new type of proxy signature combining partial delegation and warrant. They demonstrated that schemes combining partial delegation and warrant can provide a higher level of security than schemes based on partial delegation or warrant alone. Since then, proxy signature has been extensively researched in different settings, such as blind proxy signature [11], anonymous proxy signature [12], and identity-based proxy signature [13].
Delegation-by-warrant proxy signature schemes can be further classified into two categories according to whether or not the proxy signature is generated by the proxy signer using his own private key. In the first type, the proxy signer derives a new proxy signing key from the delegation information and his own private key, and proxy signatures are generated under that proxy signing key. The proxy signature schemes in [5,14-17] fall into the first type. In the second type, the proxy signer issues a proxy signature directly with his own private key; the proxy signature is essentially a combination of the original signer's signature on the warrant and the proxy signer's signature on the message. Such proxy signature schemes can be found in [13,18-21].
On the security modelling of proxy signature, Boldyreva et al. [22] proposed a comprehensive security model for delegation-by-warrant proxy signature, in which an original signer can also perform self-delegation. Malkin et al. [23] extended the security model to allow fully hierarchical proxy signatures and also proved that proxy signatures are essentially equivalent to key-insulated signatures. The security models proposed in [22,23] are in the registered key model, which means the adversary has to submit every public and private key pair in the security game except the challenge one. Later, Schuldt et al. [24] proposed an enhanced security model for proxy signature by allowing the adversary to query arbitrary proxy signing keys. Roughly speaking, a secure proxy signature scheme should satisfy the following requirements.
(i) Verifiability: given a proxy signature, a verifier can be convinced that it is indeed a valid signature generated by the proxy signer, with proper delegation from an original signer, on the signed message.
(ii) Identifiability: given a proxy signature, a verifier is able to determine the identities of the corresponding original signer and proxy signer.
(iii) Unforgeability: no one except the designated proxy signer can create a valid proxy signature.
(iv) Undeniability: a proxy signer cannot later deny a proxy signature that he has created.
(v) Prevention of misuse: in the first type of proxy signature schemes, the proxy signing key must not be usable for purposes other than creating proxy signatures. Once misused, the identity of the misbehaving proxy signer can be determined explicitly.
1.1. Our Contribution. We revisit proxy signature and show an attack that has been neglected by the second type of proxy signature schemes [13,18-21], although these schemes have been proven secure. In these schemes, a proxy signature is essentially the combination of the original signer's standard signature on a warrant and the proxy signer's standard signature on a message. In the security analysis, it is assumed that an adversary has access to the standard signature oracles of the original signer and the proxy signer. We show that, under such a circumstance, some proxy signature schemes [13,18-21] that have previously been proved secure are in fact not secure. We demonstrate the new attack by launching it against an identity-based proxy signature scheme [13] that has been proven secure. We show that a malicious adversary can create a proxy signature on a message if he has access to the standard signatures of the original signer and the proxy signer, which is exactly what the security models in [13,18] allow. Thus, these proxy signature schemes [13,18-21], which we believe is not a complete list, are in fact not secure. We propose an efficient solution by revising the identity-based proxy signature scheme [13] to thwart this attack. It is worth noting that the same method can also be applied to [18-21] to resist this attack.
We note that several works [5,22] aim to transform normal proxy signature schemes into strong ones. The authors of [22] suggested prepending two different tags, "00" and "11", to distinguish the signatures generated by the original signer from those generated by the proxy signer. However, this simple solution cannot prevent the attack proposed in this paper under the original security model in [13], since the adversary is able to query any message of its choice. To stop the proxy signer from misusing the proxy signing key, the authors of [5] classified existing proxy signature schemes into strong and weak ones and proposed a method to transform weak proxy signature schemes into strong ones. However, as mentioned above, their method is only applicable when a proxy signature is generated from a proxy signing key which the proxy signer creates from the delegation information and his own private key. Therefore, the method proposed in [5] is not suitable for the scenarios discussed in this paper.
Paper Organization. The rest of the paper is organized as follows. We introduce some preliminaries in Section 2. In Section 3 we present a new attack on some proxy signature schemes by attacking an identity-based proxy signature scheme. The security model for proxy signature that captures the attack is presented in Section 4. We then revise the identity-based proxy signature scheme in Section 5. The security proof and efficiency analysis are presented in Section 6, and the paper is concluded in Section 7.

Preliminaries
In this section, we introduce some preliminaries used throughout this paper.

Bilinear Map.
Let G 1 , G 2 be two cyclic groups of prime order  and  a generator of G 1 .The  : G 1 ×G 1 → G 2 is said to be an admissible bilinear map if the following conditions hold: (ii) Nondegeneracy: there exists (iii) Computability: there is an efficient algorithm to compute ( 1 ,  2 ) for all  1 ,  2 ∈ G 1 .

Complexity Assumption
Definition 1 (computational Diffie-Hellman (CDH) problem).Given , ,  ∈ G 1 for some random ,  ∈ Z  , compute  ∈ G 1 .Define the success probability of a polynomial algorithm A in solving the CDH problem as where  = log() is the security parameter.The CDH assumption states that, for any polynomial algorithm adversary A,   A,G 1 () is negligible in .

A New Attack in Some Proxy Signature Schemes
In this section, we present an attack that has been neglected by many existing proxy signature schemes [13,18-21]. To better explain how the attacker works, we demonstrate the attack via a concrete example. Before introducing the attack, we first review the identity-based proxy signature scheme proposed in [13].
(5) DelegationGen: let  be a warrant that includes the delegation information such as the identities of the original signer and the designated proxy signer, the delegation period, the types of messages that a proxy signer can sign, and so on.Then the original signer with identity   generates the delegation information (7) ProVer: on input the identities   ,   of the original signer and proxy signer, a warrant  ∈ {0, 1} * and a message  ∈ {0, 1} * and the proxy signature Otherwise, output "0".

An Attack against the ID-Based Proxy Signature Scheme.
Wu et al.'s identity-based proxy signature scheme [13] is proven secure. However, we show below that if the original signer and proxy signer also use their private keys to generate standard signatures, exactly as allowed in their security model, then the scheme can be broken by a malicious outsider attacker. Assume the identities of the original signer and proxy signer are   and   , respectively. In the security model in [13], three types of adversaries are defined, namely, (i) A  , an outsider adversary that has knowledge of (  ,   ); (ii) A  , a malicious proxy signer that has knowledge of (  ,   ,    ); (iii) A  , a malicious original signer that has knowledge of (  ,    ,   ).
The original signer and proxy signer could use the same key pairs to generate normal signatures using the standard signature scheme introduced in [13]. It can be verified that  = (  1 ,   2 ,   3 ) is a valid proxy signature. Thus, the identity-based proxy signature scheme of [13] is insecure, since a proxy signature  = (  1 ,   2 ,   3 ) might come from a malicious adversary. The attack is practical, since a malicious adversary can launch it without the knowledge of either the original signer or the proxy signer. Besides the scheme discussed in this paper, we have found that the proxy signature schemes in [18-21] are also subject to this attack.
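The structural point of the attack (a proxy signature that is merely the original signer's standard signature on the warrant beside the proxy signer's standard signature on the message, both obtainable from the standard signing oracles the security model grants the adversary) as a runnable toy, added here and not part of the paper. Schnorr-style signatures over a toy group stand in for the pairing-based scheme of [13]; the domain tags and the functions `pro_ver_combined`, `pro_sign_bound` and `pro_ver_bound` are constructed, and the revised signing only mirrors the structure the page's fragments show for the revised ProSign (one fresh randomness covering both the warrant hash and the message hash), not its exact equations.

```python
"""Toy model of the outsider attack on 'combination' proxy signatures.
Constructed for this note: Schnorr-style signatures over a toy group stand in
for the paper's identity-based pairing signatures. Not a vetted group."""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime; exponents reduced mod P-1 (toy group, assumption)
N = P - 1
G = 3

def _h(tag, *parts):
    """Hash to Z_N under a domain tag; tags play the role of the paper's H0/H1/H2."""
    data = tag.encode() + b"".join(str(p).encode() + b"|" for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def std_sign(x, msg):
    """Standard signature, which the security model lets the adversary obtain
    from either signer's signing oracle on any message of its choice."""
    k = secrets.randbelow(N - 1) + 1
    r = pow(G, k, P)
    return r, (k + _h("std", r, msg) * x) % N

def std_verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(y, _h("std", r, msg), P) % P

# Second-type scheme as attacked in the paper: the proxy signature is just the
# original signer's standard signature on w next to the proxy signer's on m||w.
def pro_ver_combined(y_a, y_b, w, m, psig):
    delta, sig_b = psig
    return std_verify(y_a, w, delta) and std_verify(y_b, m + "||" + w, sig_b)

def outsider_forgery(oracle_a, oracle_b, w, m):
    """Outsider A_I: knows only the public keys, queries both standard signing
    oracles, and assembles a proxy signature without either signer noticing."""
    return oracle_a(w), oracle_b(m + "||" + w)

# Revised proxy signing, mirroring the structure visible in the paper's revised
# ProSign: one fresh randomness r covers both the warrant hash and the message
# hash, so no output of the standard signing oracle satisfies the proxy equation.
def _proxy_challenge(r, w, m):
    return (_h("pw", r, w) + _h("pm", r, m, w)) % N

def pro_sign_bound(x_b, delta, w, m):
    k = secrets.randbelow(N - 1) + 1
    r = pow(G, k, P)
    return delta, (r, (k + _proxy_challenge(r, w, m) * x_b) % N)

def pro_ver_bound(y_a, y_b, w, m, psig):
    """A standard signature from B's oracle carries challenge _h("std", r, m');
    matching _proxy_challenge(r, w, m) instead would need a hash preimage."""
    delta, (r, s) = psig
    c = _proxy_challenge(r, w, m)
    return std_verify(y_a, w, delta) and pow(G, s, P) == r * pow(y_b, c, P) % P
```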

Security Model for Proxy Signature
4.1. Malicious Attackers. In this section we revise the security model for identity-based proxy signature defined in [13] to capture the new attack. In the security model for proxy signature, the capability of an adversary is modelled by its ability to query different oracles. Before we formally define each adversarial game, we first introduce four types of oracle queries that will appear in the models:
According to the information held by an attacker, three different types of adversaries are defined: (1) A  : an outsider attacker who only has the identities of the original signer and the proxy signer, and aims to forge a valid proxy signature.
(2) A  : a malicious proxy signer who possesses the private key    of the proxy signer and the identity of the original signer, and tries to forge a valid proxy signature  without knowledge of the private key    of the original signer.
(3) A  : a malicious original signer that possesses the private key    of the original signer and the identity   of the proxy signer, and tries to forge a valid proxy signature  without knowing the private key    of the proxy signer.

Adversarial Game with a Malicious Outsider Adversary
A  .We first define the adversarial game between a malicious outsider adversary A  and a simulator S as follows: ( Define the advantage of a malicious adversary A  in winning the game as Definition 2. We say an identity-based proxy signature scheme is secure against an outsider adversary A  if for any probabilistic polynomial time A  , V A  () is negligible in .Define the advantage of a malicious adversary A  in winning the game as

Adversarial Game with a Malicious
Definition 4. We say an identity-based proxy signature scheme is secure against the A  under chosen identity and message attacks if for any probabilistic polynomial time A  , V A  () is negligible in .

The Revised Identity-Based Proxy Signature Scheme
We present the revised ID-based proxy signature scheme that efficiently thwarts the proposed attack in this section.
(5) DelegationGen: let  be a warrant that includes the delegation information such as the identities of the original signer and the designated proxy signer, the delegation period, the types of messages that a proxy signer can sign, and so on.

Security Analysis
In this section, we analyse the security of the revised ID-based proxy signature scheme against A  , A  , and A  adversaries.
Theorem. The revised ID-based proxy signature scheme is secure against an outsider adversary A  if the CDH assumption holds.
Proof. The proof is by contradiction in the random oracle model. Suppose there exists an outsider adversary A  that has a nonnegligible advantage  in attacking the proposed scheme; then we can build another algorithm B that uses A  to solve the CDH problem. Let G 1 be a bilinear pairing group of prime order ; B is given , ,  ∈ G 1 , a random instance of the CDH problem. Its goal is to compute . Algorithm B simulates the challenger and interacts with the forger A  as described below.
(1) Setup: B selects a bilinear map  : where G 1 and G 2 are of prime order . B chooses a generator  of G 1 . Let (, , ) be the inputs of the CDH problem. B sets the master public key   = , where  ∈ Z *  . B selects three collision-resistant hash functions (2) Hash queries: in the security proof, the hash functions  0 ,  1 ,  2 are modelled as random oracles. We regard the identity, warrant, and message queries as  0 ,  1 , and  2 queries, respectively. Assume B keeps hash tables  0 ,  1 , and  2 for these queries. ( B will not abort when  * =   and  * =   . Thus, if there exists an outsider adversary A  that has a nonnegligible probability  in breaking the proposed identity-based proxy signature scheme, then there exists another probabilistic polynomial time algorithm B that has a probability which is nonnegligible. Thus, we reach a contradiction.
Theorem. The revised ID-based proxy signature scheme is secure against A  under chosen identity and chosen warrant attacks if the CDH assumption holds.
Proof. Let us recall the definition of A  ; A  is a malicious proxy signer possessing the private key of the proxy signer. With this in mind, the simulation is as follows: (1) Setup: B selects a bilinear map  : where ), and let  denote the calculation of a pairing. We can see that our revised proxy signature scheme involves only one addition, two multiplications, and one hash operation in the proxy signing algorithm. As for the expensive pairing operations needed in proxy verification, the numbers are exactly the same.

Conclusion
In this paper, we introduced a practical attack which has not been considered by some existing proxy signature schemes.
In particular, we used an identity-based proxy signature scheme to describe how this attack works. We also presented an enhanced security model that captures this attack. Our model considers different types of potential adversaries against an identity-based proxy signature scheme and allows the adversary to query the individual signatures of both the original signer and the proxy signer. The proposed new scheme inherits the good features of the original scheme and at the same time effectively prevents the attack. The proposed method can also be applied to other proxy signature schemes [18-21] to improve their security.
and generates the standard signature (  1 ,   2 ) such that   1 =    +    2 (, ) and   2 =   . (iv) Upon receiving the standard signature (  1 ,   2 ) on  from the proxy signer, A  aborts if (  1 , ) ̸ = ( 0 (  ),   )( 2 (, ),   2 ). (v) If both (  1 ,   2 ) and (  1 ,   2 ) are valid, A  outputs a proxy signature  = (  1 ,   2 ,   3 ) on message  with warrant  such that   1 ]. Suppose A  aims to generate a proxy signature  = (  1 ,   2 ,   3 ) on a message  with a warrant ; it is worth noting that A  might obtain such a genuine warrant  when verifying a valid proxy signature. Then A  acts as follows: (i) A  requests a standard signature (  1 ,   2 ) on warrant  from the original signer with identity   , where  is a warrant containing the delegation information. The original signer chooses a random   ∈ Z  and generates the standard signature (  1 ,   2 ) such that   1 =    +    1 () and   2 =   . (ii) Upon receiving the standard signature (  1 ,   2 ) on  from the original signer, A  aborts if (  1 , ) ̸ = ( 0 (  ),   )( 1 (),   2 ). (iii) A  requests a standard signature (  1 ,   2 ) on message  ‖  from the proxy signer with identity   , where  is a message. The proxy signer chooses a random   ∈ Z Key extract query: A can query an identity  ∈ ID, where ID represents the identity space, to the key extract oracle O  (⋅). The corresponding key   is then generated and returned to A. A can query the original signer's signing oracle O    (⋅) with any warrant  ∈ W under the original signer's identity  ∈ ID, where W represents the warrant space. The private key   on identity  is generated using the key extraction algorithm. The corresponding original signer's signature   on warrant  is generated and returned to A.
(ii) Original signer's standard signing query:(iii)Proxy signing query: A can query the proxy signing oracle O  (⋅) with any message  ∈ M with warrant  ∈ W of his choice under the original signer's identity   and the proxy signer's identity   such that   ,   ∈ ID, where M represents the message space.The private keys    and    on identities   ,   are generated using the key extraction algorithm.A valid proxy signature on  is then generated and returned to A. (iv) Proxy signer's signing query: A can query the standard signature with any message  ∈ M of his choice to the proxy signer's standard signing oracle O    (⋅).A valid standard signature of the proxy signer   on  under the proxy signer's identity is then generated and returned to A.
i) Setup: the simulator S runs Setup algorithm to generate the  and  and sends  to A  as well as keeping  secret. can choose any warrant  ∈ W with the original signer's identity   and queries the original signer's standard signing oracle O    .S generates the private key    using the key extract algorithm    ← KeyExtract(,   , ); then S generates the delegation information   ← StandardSign(   , , ) and sends   to A  . queries the proxy signer's standard signing oracle O    with a message  ∈ M of his choice under the proxy signer's identity   ∈ ID. S generates the private key    using the key extract algorithm    ← KeyExtract(,   , ); then S generates the standard signature  ← StandardSign(   , , ) and sends  to A  .
(ii) Original signer's standard signing queries: A (iii) Proxy Signer's Standard Signature Queries: A (iv) Forgery Phase: finally, A  outputs a proxy signature  * on message  * for a warrant  * with the original signer's identity   and the proxy signer's identity   .We say A  wins the game if (i) ProVer( * ,   ,   ,  * ,  * ) = 1; (ii) ( * ,   ) has been queried to the original signer's standard signing oracle O    ; (iii) ( * ,  * ,   ) has been queried to the proxy signer's standard signing oracle O    .
Proxy Signer A  .We first define the adversarial game between a malicious proxy signer A  and a simulator S as follows: (i) Setup: the simulator S runs Setup algorithm to generate the  and  and sends  to A  as well as keeping  secret. selects an identity  such that  ∈ ID, the simulator S runs   ← KeyExtract(, , ) and returns   to A  . ← StandardSign(  , , ) and sends   to A  .(iv) Proxy signing queries: A  chooses a warrant  ∈ W and a message  ∈ M and queries the proxy signing oracle O  with the original signer's identity  1 and the proxy signer's identity  2 .S generates   1 ,   2 ← KeyExtract (,  1 ,  2 , )   ← DelegationGen (  1 , , ) ,  ← ProSign (  ,   2 , , )  outputs a proxy signature  * on message  * for a warrant  * with the original signer's identity   and the proxy signer's identity   .  has not been queried to the key extraction oracle O  ; (iii) ( * ,  * ,   ) has not been queried to the proxy signer's standard signing oracle O    ; (iv) ( * ,  * ,   ,   ) has not been queried to the proxy signing oracle O  .
(ii) Key extract queries: A (iii) Original signer's standard signing queries: A  can choose any warrant  ∈ W with an identity  ∈ ID and queries original signer's standard signing oracle O    .S generates the private key   using the key extract algorithm   ← KeyExtract(, , ); then S generates the original signer's standard signature  (v) Forgery Phase: finally, A outputs a proxy signature  * on message  * for a warrant  * with the original signer's identity   and the proxy signer's identity   .We say A  wins the game if (i) ProVer( * ,   ,   ,  * ,  * ) = 1; (ii)   has not been queried to the key extraction oracle O  (⋅); (iii) ( * ,   ) has not been queried to the delegation oracle O  ; (iv) ( * ,  * ,   ,   ) has not been queried to the proxy signing oracle O  .Define the advantage of a malicious adversary A  in winning the game as V A  () = Pr [A  Wins the game] .(5)Definition 3. We say an identity-based proxy signature scheme is secure against the A  under chosen identity and warrant attacks if for any probabilistic polynomial time A  , V A  () is negligible in .with a message  ∈ M of his choice under an identity  ∈ ID. S generates the private key   using the key extract algorithm   ← KeyExtract(, , ); then S generates the standard signature   ← StandardSign(  , , ) and sends   to A  .(iii) Forgery Phase: finally, A * ,   ,   ,  * ,  * ) = 1;(ii) ProSign: upon receiving the delegation information   = (  1 ,   2 ) and  from the original signer, the proxy signer with identity   generates a proxy signature  = (  1 ,   2 ,   3 on a message  such that   1 =   1 +    +    2 (, ) +    1 (),   2 =   2 +   ,   3 =   .(7) ProVer: on input the identities   ,   of the original signer and proxy signer, a warrant  and a message  and the proxy signature  = (  1 ,   2 ,   3 ), outputs "1" if (  1 , ) = ( 0 (  ),   )( 1 ()),   2 ) ⋅ ( 0 (  ),   )( 2 (, ),   3 ).Otherwise, output "0".

Table 1: Comparison regarding the computational costs.

Schemes                  ProSign                                             ProVer
Wu et al.'s scheme [13]  2 multiplications + 2 additions in G 1 + 1 hash     5 pairings + 4 hashes
Our scheme               3 multiplications + 4 additions in G 1 + 2 hashes   5 pairings + 4 hashes

6.1. Efficiency Analysis. We analyze the efficiency of the revised proxy signature scheme and compare it with the original scheme. The detailed computation costs are presented in Table 1. As noted, some algorithms in the revised scheme remain unchanged; thus, we only consider those algorithms that differ between our scheme and the original scheme. Let  G 1 ,  G 1 denote the multiplication and addition calculations in G 1 ,   denote the calculation of the hash function (either  0 ,  1 , or  2