Published in IET Information Security. Received on 17th March 2009. Revised on 24th September 2009. doi: 10.1049/iet-ifs.2009.0033
IET Inf. Secur., 2010, Vol. 4, Iss. 2, pp. 45–48
ISSN 1751-8709
© The Institution of Engineering and Technology 2010

On the security of an identity-based proxy multi-signature scheme


B. Wang
Information Engineering College of Yangzhou University, No. 36 Middle JiangYang Road, Yangzhou City, Jiangsu Province, People's Republic of China. E-mail: jxbin76@yahoo.cn

Abstract: In 2000, Yi et al. proposed two proxy multi-signature schemes, which enable two or more original signers to delegate their signing power to a proxy signer. Combining proxy multi-signature with identity-based cryptography, Wang et al. proposed an identity-based proxy multi-signature scheme in 2007. Their scheme is claimed to be secure in the random oracle model. However, in this study, the author shows that Wang et al.'s scheme is vulnerable to a forgery attack, which is described in this study.

1 Introduction

The notion of proxy signature was first introduced by Mambo et al. [1] in 1996. A proxy signature scheme enables an original signer to delegate his signing capability to a designated proxy signer. Then the proxy signer can generate proxy signatures on behalf of the original signer. There are four types of delegation: full delegation, partial delegation, delegation by warrant, and partial delegation by warrant. In general, the basic security properties of proxy signature are unforgeability and verifiability. Unforgeability means that only the designated proxy signer can sign messages on behalf of the original signer. Verifiability means that any verifier can be convinced of the original signer's agreement on the signed message by verifying the corresponding proxy signature. Since Mambo et al. introduced the concept of proxy signature, several kinds of proxy signature schemes have been proposed [2, 3]. Furthermore, there are various extensions of the proxy signature primitive, such as threshold proxy signature [4] and proxy multi-signature [5]. Proxy multi-signature means that a proxy signer can sign messages on behalf of several original signers. In 2000, Yi et al. [5] proposed two proxy multi-signature schemes. However, no formal analysis was provided to prove the security of the schemes in [5]. Recently, Wang et al. [6] proposed an identity-based proxy multi-signature scheme and claimed their scheme to be secure in the random oracle model under the computational Diffie-Hellman assumption over pairing-friendly groups. Nevertheless, we show that the original signers can collude to forge a proxy multi-signature on a message that was not signed by the proxy signer in Wang et al.'s scheme. Then we explain why Wang et al.'s scheme is insecure.

2 Review of Wang et al.'s scheme

We briefly review Wang et al.'s identity-based proxy multi-signature scheme in this section. Their scheme is based on the identity-based aggregate signature scheme proposed by Gentry and Ramzan (the GR scheme) [7]. The details of Wang et al.'s scheme are as follows.

KeyGen: The Private Key Generator (PKG) generates parameters and keys as follows:

1. Generates groups $G_1$ and $G_2$, where $G_1$ is a cyclic additive group generated by $P$, whose order is a large prime $q$, and $G_2$ is a cyclic multiplicative group of the same order. Then let $e : G_1 \times G_1 \to G_2$ be a bilinear pairing that satisfies the following conditions:
Bilinear: For any $Q, R, T \in G_1$, we have $e(Q + R, T) = e(Q, T)\,e(R, T)$ and $e(Q, R + T) = e(Q, R)\,e(Q, T)$.
Non-degenerate: There exist $R, T \in G_1$ such that $e(R, T) \neq 1$.
Computable: There exists an efficient algorithm to compute $e(R, T)$ for any $R, T \in G_1$.
2. Picks a random $s \in Z_q^*$ and sets $Q = sP$.
3. Chooses three cryptographically secure hash functions $H_1, H_2, H_3$, defined as follows: $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to G_1$ and $H_3 : \{0,1\}^* \to Z_q$.
The system parameters are $params = \langle G_1, G_2, e, P, Q, H_1, H_2, H_3 \rangle$. The PKG's secret key is $s \in Z_q^*$.

KeyExt: The client with identity $ID_i$ receives $sP_{i,j}$, for $j \in \{0, 1\}$, from the PKG as secret keys, where $P_{i,j} = H_1(ID_i, j) \in G_1$.

Sign: First, the signer with identity $ID_i$ chooses a random string $w$ to sign a message $m$. Then the signer proceeds as follows:
1. computes $P_w = H_2(w) \in G_1$;
2. computes $c = H_3(m, ID_i, w) \in Z_q$;
3. generates a random $r \in Z_q$;
4. computes his signature $(w, S, T)$, where $S = rP_w + sP_{i,0} + c(sP_{i,1})$ and $T = rP$.

Verify: The verifier checks that $e(S, P) = e(T, P_w)\,e(Q, P_{i,0} + cP_{i,1})$, where $P_w$, $c$ and $P_{i,j}$, for $j \in \{0, 1\}$, are defined as above.

ProxyKeyGen:
1. Make warrant: To delegate their signing capability to the proxy signer identified by identity $ID_P$, the original signers $ID_1, \ldots, ID_n$ jointly generate a warrant $m_w$, which includes the restrictions on the class of messages to be delegated, the identities of the original signers and the proxy signer, the period of delegation, and so on. The original signers also choose a string $w$ that has never been used before.
2. Subproxy generation: Every original signer $ID_i$, $1 \le i \le n$, computes $P_w = H_2(w)$, $c_i = H_3(m_w, ID_i, w)$, $S_i = r_iP_w + sP_{i,0} + c_i(sP_{i,1})$ and $T_i = r_iP$, where $r_i \in Z_q$. Then $ID_i$ sends $(m_w, w, S_i, T_i)$ to the proxy signer $ID_P$.
3. Subproxy verification: For all $1 \le i \le n$, the proxy signer $ID_P$ verifies the validity of $(m_w, w, S_i, T_i)$ by checking $e(S_i, P) = e(T_i, P_w)\,e(Q, P_{i,0} + c_iP_{i,1})$. If the verification fails, $ID_P$ requests $ID_i$ to provide a valid signature for the warrant $m_w$.
4. Proxy generation: If $ID_P$ confirms the validity of all $(m_w, w, S_i, T_i)$, $1 \le i \le n$, he computes $S_O = \sum_{i=1}^{n} S_i$ and $T_O = \sum_{i=1}^{n} T_i$. The corresponding proxy secret key of $ID_P$ is $PSk = (S_O, T_O, sP_{P,j}, j \in \{0, 1\})$.

ProxyMultiSign:
1. ProxySign: When $ID_P$ signs a message $m$ on behalf of $ID_1, \ldots, ID_n$, he computes $P_w = H_2(w)$, $c_P = H_3(m_w \| m, ID_P, w)$, $S_P = rP_w + sP_{P,0} + c_P(sP_{P,1})$ and $T_P = rP$, where $r \in Z_q$.
2. Aggregate: $ID_P$ computes $S = S_O + S_P$ and $T = T_O + T_P$. Then $(m_w, m, w, S, T)$ is a proxy multi-signature from $ID_P$ on behalf of $ID_1, \ldots, ID_n$.

ProxyMultiVerify: To verify a proxy multi-signature $(m_w, m, w, S, T)$ of a message $m$ under the warrant $m_w$, a verifier checks that
$$e(S, P) = e(T, P_w)\, e\Big(Q,\ \sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big).$$

3 Cryptanalysis of Wang et al.'s scheme


In this section, we show that the original signers can collude to forge a proxy multi-signature from the proxy signer $ID_P$ by intercepting valid proxy multi-signatures issued by $ID_P$. The attack can be described as follows.

Given a protocol Proto, the view of an adversary $\mathcal{A}$, denoted by $View_{Proto}(\mathcal{A})$, is defined as the probability distribution on the knowledge of the adversary, namely the computational and memory history of the corrupted parties and the public communication and output of the protocol. Assume the adversary $\mathcal{A}$ corrupts all the original signers $ID_1, \ldots, ID_n$ in Wang et al.'s scheme. Then $\mathcal{A}$ is able to compute $S_O$ and $T_O$, which are also computed by the proxy signer $ID_P$ at the Proxy generation stage. In the following, let us assume $\mathcal{A}$ intercepts the following valid proxy multi-signatures on distinct messages issued by $ID_P$:
$$(m_w, m_1, w, S_1, T_1),\quad (m_w, m_2, w, S_2, T_2),\quad (m_w, m_3, w, S_3, T_3),$$
where the warrant $m_w$ and the string $w$ are fixed by the original signers at the Make warrant stage and the Subproxy generation stage, respectively. These values define the view of $\mathcal{A}$. Then $\mathcal{A}$ proceeds as follows:

1. Computes
$$S_P^1 = S_1 - S_O,\quad T_P^1 = T_1 - T_O,\quad S_P^2 = S_2 - S_O,\quad T_P^2 = T_2 - T_O,\quad S_P^3 = S_3 - S_O,\quad T_P^3 = T_3 - T_O,$$
where
$$S_P^1 = r_{P_1}P_w + sP_{P,0} + c_P^1(sP_{P,1}),\quad T_P^1 = r_{P_1}P,\quad c_P^1 = H_3(m_w \| m_1, ID_P, w),$$
$$S_P^2 = r_{P_2}P_w + sP_{P,0} + c_P^2(sP_{P,1}),\quad T_P^2 = r_{P_2}P,\quad c_P^2 = H_3(m_w \| m_2, ID_P, w),$$
$$S_P^3 = r_{P_3}P_w + sP_{P,0} + c_P^3(sP_{P,1}),\quad T_P^3 = r_{P_3}P,\quad c_P^3 = H_3(m_w \| m_3, ID_P, w).$$

2. Computes $c_P = H_3(m_w \| m, ID_P, w)$, where $m$ is a message chosen by the adversary.

3. Computes $x = (c_P^1 - c_P^2)^{-1}(c_P - c_P^3) \bmod q$, where $(c_P^1 - c_P^2)^{-1}$ is the multiplicative inverse of $(c_P^1 - c_P^2)$ over $Z_q$. Note that since the chosen hash functions are collision resistant, the probability of $c_P^1 = c_P^2$ is negligible.

4. Computes
$$\begin{aligned}
S_P &= x(S_P^1 - S_P^2) + S_P^3 \\
    &= x(r_{P_1} - r_{P_2})P_w + x(c_P^1 - c_P^2)(sP_{P,1}) + r_{P_3}P_w + sP_{P,0} + c_P^3(sP_{P,1}) \\
    &= (x(r_{P_1} - r_{P_2}) + r_{P_3})P_w + sP_{P,0} + c_P(sP_{P,1}),
\end{aligned}$$
$$T_P = x(T_P^1 - T_P^2) + T_P^3,\qquad S = S_P + S_O,\qquad T = T_P + T_O.$$

5. The forged proxy multi-signature is $(m_w, m, w, S, T)$.

6. For the sake of simplicity, we use $r$ to denote $(x(r_{P_1} - r_{P_2}) + r_{P_3}) \bmod q$. Since we have $S_P = rP_w + sP_{P,0} + c_P(sP_{P,1})$ and $T_P = rP$, it is easy to check the following equations:
$$\begin{aligned}
e(S, P) &= e(S_P + S_O, P) \\
        &= e(rP_w + sP_{P,0} + c_P(sP_{P,1}) + S_O, P) \\
        &= e\Big(\big(\sum_{i=1}^{n} r_i + r\big)P_w,\ P\Big)\, e\Big(P,\ s\big(\sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\big)\Big) \\
        &= e(T_P + T_O, P_w)\, e\Big(Q,\ \sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big) \\
        &= e(T, P_w)\, e\Big(Q,\ \sum_{i=1}^{n} P_{i,0} + P_{P,0} + \sum_{i=1}^{n} c_iP_{i,1} + c_PP_{P,1}\Big),
\end{aligned}$$
where $c_P = H_3(m_w \| m, ID_P, w)$ and each $c_i$ is fixed at the Subproxy generation stage by the corresponding original signer. Hence the forged proxy multi-signature can be verified successfully.

Remark: It is obvious that the original signers can collude to forge a proxy multi-signature on a message that was not signed by the proxy signer by our attack. However, the standard signature scheme used in Wang et al.'s scheme is the same as that of [7]. Does our attack imply that the identity-based aggregate signature scheme (GR scheme) [7] is insecure? Certainly not. At this point, please note that the security of the GR scheme relies on the freshness of the string $w$. Then let us review Wang et al.'s scheme carefully. We discover that the proxy signer always uses the same string $w$, as fixed by the original signers at the Subproxy generation stage, to produce proxy multi-signatures. Obviously, this fact violates the security requirement of the GR scheme. Hence it is not surprising that Wang et al.'s scheme is not unforgeable. To foil our attack, the proxy signer is required to pick a fresh string $w$ when producing a proxy multi-signature. But this modification hurts the efficiency of their scheme. On the other hand, Li et al. [8] also presented a different attack on the scheme in [6]. They demonstrated that an adversary that corrupts all users who delegate their signing capability to a proxy is able to forge a proxy multi-signature on a particular message, but only if he obtains a conventional signature issued by the proxy on the same message. Hence the proxy can avoid their attack by choosing distinct key pairs to issue conventional signatures. In contrast with their attack [8], our adversary is more powerful, since it can forge signatures on messages of its choice by intercepting valid proxy multi-signatures issued by the proxy.

4 Conclusion

In this paper, we present a cryptanalysis of an identity-based proxy multi-signature scheme [6]. In the first place, we show that the original signers can collude to forge a valid proxy multi-signature from the proxy signer in Wang et al.'s scheme. That is, their scheme does not satisfy the unforgeability property required of a secure proxy multi-signature scheme. Then we explain why Wang et al.'s scheme is insecure. The reason is that the proxy signer in Wang et al.'s scheme always uses the same string $w$, as fixed by the original signers at the Subproxy generation stage, to produce proxy multi-signatures. Obviously, this fact violates the security requirement of the GR scheme. To foil our attack, the proxy signer is required to pick a fresh string $w$ when producing a proxy multi-signature. But this modification hurts the efficiency of their scheme.

Acknowledgment

We thank the anonymous referees for their helpful comments on earlier drafts of this paper.
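The forgery of Section 3 and its verification, reproduced as an added example that is not from the paper: a Python toy model in which $G_1$ is $Z_q$ under addition with generator $P = 1$, $G_2$ is the order-$q$ subgroup of $Z_p^*$ with $p = 2q + 1$, and $e(a, b) = g^{ab} \bmod p$, so the pairing is bilinear and the scheme's verification equation holds exactly. Discrete logarithms in this $G_1$ are trivial, so the instantiation is insecure by construction and stands only for the linear algebra; the parameters, identities, warrant and messages are constructed, and `forge` generalizes step 3 slightly by falling back to another pair of intercepted signatures if $c_P^1 = c_P^2$. `run_attack` returns whether the three intercepted signatures verify and whether the forgery on a message the proxy never signed also verifies, which it does because $P_w = H_2(w)$ is the same in every proxy signature.

```python
import hashlib, secrets

# Toy bilinear setting, constructed for illustration only: G1 = (Z_q, +) with P = 1,
# G2 = order-q subgroup of Z_p^* (p = 2q + 1 prime), e(a, b) = g^(a*b) mod p.  Discrete
# logs in this G1 are trivial (Q = s), so it only models the scheme's linear algebra.
q, p, g, P = 5003, 10007, 4, 1          # g = 4 is a quadratic residue mod p, so of order q

def H(tag, *parts):                     # H1/H2/H3: tagged SHA-256 reduced into Z_q
    data = tag.encode() + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q
def e(a, b):                            # the pairing G1 x G1 -> G2
    return pow(g, a * b % q, p)

s = secrets.randbelow(q - 1) + 1        # PKG master secret key
Q = s * P % q
def key_ext(ident):                     # (sP_{i,0}, sP_{i,1}) with P_{i,j} = H1(ID_i, j)
    return [s * H("H1", ident, j) % q for j in (0, 1)]

def sign_part(ident, sk, tag, w):       # S = rP_w + sP_{i,0} + c(sP_{i,1}), T = rP
    r, c = secrets.randbelow(q), H("H3", tag, ident, w)
    return (r * H("H2", w) + sk[0] + c * sk[1]) % q, r * P % q
def public_part(ident, tag, w):         # P_{i,0} + c_i P_{i,1}, computed by the verifier
    return (H("H1", ident, 0) + H("H3", tag, ident, w) * H("H1", ident, 1)) % q

def proxy_multi_sign(sk_P, S_O, T_O, m_w, m, w):   # ProxySign + Aggregate, reusing w
    S_P, T_P = sign_part("IDP", sk_P, m_w + m, w)
    return (S_O + S_P) % q, (T_O + T_P) % q

def proxy_multi_verify(ids, m_w, m, w, S, T):       # ProxyMultiVerify
    X = sum(public_part(i, m_w, w) for i in ids) + public_part("IDP", m_w + m, w)
    return e(S, P) == e(T, H("H2", w)) * e(Q, X % q) % p

def forge(sigs, msgs, S_O, T_O, m_w, w, m):        # steps 1-5 of the attack
    c = [H("H3", m_w + mk, "IDP", w) for mk in msgs]
    a, b, k = (0, 1, 2) if c[0] != c[1] else (0, 2, 1)     # need c_P^a != c_P^b
    SP = [(S - S_O) % q for S, _ in sigs]                 # step 1: strip S_O, T_O
    TP = [(T - T_O) % q for _, T in sigs]
    x = pow(c[a] - c[b], -1, q) * (H("H3", m_w + m, "IDP", w) - c[k]) % q   # steps 2-3
    S_P = (x * (SP[a] - SP[b]) + SP[k]) % q                # step 4
    T_P = (x * (TP[a] - TP[b]) + TP[k]) % q
    return (S_P + S_O) % q, (T_P + T_O) % q                # step 5: (m_w, m, w, S, T)

def run_attack(ids=("ID1", "ID2"), m_w="warrant", w="w-fixed", target="m-forged"):
    subs = [sign_part(i, key_ext(i), m_w, w) for i in ids]          # Subproxy generation
    S_O, T_O = sum(S for S, _ in subs) % q, sum(T for _, T in subs) % q
    sk_P, msgs = key_ext("IDP"), ["m1", "m2", "m3"]
    sigs = [proxy_multi_sign(sk_P, S_O, T_O, m_w, mk, w) for mk in msgs]  # intercepted
    S, T = forge(sigs, msgs, S_O, T_O, m_w, w, target)             # colluding originals
    genuine = all(proxy_multi_verify(ids, m_w, mk, w, *sg) for mk, sg in zip(msgs, sigs))
    return genuine, proxy_multi_verify(ids, m_w, target, w, S, T)
```

With a fresh string per proxy signature, $P_w$ differs between the intercepted signatures, so the combination of step 4 is no longer of the form $rP_w + sP_{P,0} + c_P(sP_{P,1})$ for a single $P_w$; that is the freshness requirement of the GR scheme the remark refers to.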

References

[1] MAMBO M., USUDA K., OKAMOTO E.: 'Proxy signatures for delegating signing operation', Proc. Third ACM Conf. on Computer and Communications Security, 1996, pp. 48–57
[2] LEE B., KIM H., KIM K.: 'Strong proxy signature and its applications', Proc. ICICS'97, Int. Conf. on Information and Communication Security, 2001, pp. 603–608
[3] KIM S., PARK S., WON D.: 'Proxy signature, revisited', Proc. SCIS2001, Int. Conf. on Information and Communication Security, 1997, pp. 223–232
[4] HSU C.L., WU T.S., WU T.C.: 'New nonrepudiable threshold proxy signature scheme with known signers', J. Syst. Software, 2001, 58, pp. 119–124
[5] YI L., BAI G., XIAO G.: 'Proxy multi-signature scheme: a new type of proxy signature scheme', Electron. Lett., 2000, 36, (6), pp. 527–528
[6] WANG Q., CAO Z.F.: 'Identity based proxy multi-signature', J. Syst. Softw., 2007, 80, pp. 1023–1029
[7] GENTRY C., RAMZAN Z.: 'Identity based aggregate signatures', PKC 2006, 2006, (LNCS, 3958), pp. 257–273
[8] FAGEN L., SHIJIE Z., RONG S.: 'Cryptanalysis of an identity based proxy multi-signature scheme', IEICE Trans. Fundam. Electron. Commun. Comput. Sci., 2008, E91-A, (7), pp. 1820–1823
