PROXY BLIND SIGNATURE BASED ON
ECDLP
SATARUPA PRADHAN1
Information Technology Department, ITER, SOA University, Bhubaneswar, Orissa, PIN-751030, India
RAMESH KUMAR MOHAPATRA2
Asst. Professor, Computer Science and Engineering Department, ITER, SOA University, Bhubaneswar, Orissa, PIN-751030, India
Abstract:
Proxy blind signature combines the properties of both proxy signature and blind signature. In a proxy signature scheme, a signer delegates his signing power to a proxy, who signs a message on behalf of the original signer. In a blind signature scheme, the signer cannot link the relationship between the blind message and the signature of the chosen message. Therefore, it is very suitable for electronic commerce application. In this paper, a proxy blind signature scheme based on ECDLP (Elliptic Curve Discrete Logarithm Problem) has been proposed, which satisfy the security properties of both the blind signature and the proxy signature. Analysis shows that our scheme is secure and efficient.
Keywords: Cryptography; Blind Signature; Proxy Signature; ECDLP; Proxy Blind Signature.
1. Introduction
David Chaum [Chaum, (1983)] proposed the concept of bind signature in 1983, which allows the sender to have a given message signed by the signers without revealing any information about the message or its signature. Blind signature scheme was widely adopted in electronic business in later years due to its unforgeability, unlinkability property. In 1996, Mambo et al. [Mambo et al., (2003)] firstly introduced the concept of proxy signature, which allows an original signer delegates a proxy signer to sign message on its behalf. The proxy signature plays an important role in many applications too. On the combination of the proxy signature and blind signature, Lin and Jan proposed the first proxy blind signature in 2000. Proxy blind signatures are combination of the proxy signature and the blind signature. The proxy blind signature should satisfy the following properties:
i. Distinguishability: The proxy signature must be distinguishable from the original signature. ii. Unforgeability: Only the designated proxy signer can generate a valid proxy signature. iii. Non-repudiation: The original and proxy signer can’t deny their signatures against any one. iv. Verifiability: The receiver should be able to verify the proxy signature.
v. Identifiability: Anyone can determine the identity of the corresponding proxy signer and original signer from the signature.
vi. Prevention of misuse: The proxy key pair should be used only for creating proxy signature.
vii. Unlinkability: When the signature is revealed the proxy signer cannot identify the association between the message and the blind signature he generated.
2. Elliptic Curve
requires 160 bits where as RSA requires 1024 bits [Preneel, (2007)]. The security of ECC depends on the elliptic curve logarithm problem, a solution which is infeasible if the modulus is large.
A non singular Elliptic curve E can be written as:
E : y2 = x3 + ax + b (mod q) (1)
Where 4a3 + 27b ≠ 0 (mod q) (2)
The point P in the Elliptic curve is described by the coordinates (x1, y1).
The negative of the point P = (x1, y1) is the point –P = (x1, -y1).
2.1 Addition of Two Distinct Points P and Q
If P (xp, yp) and Q (xq, yq) are two distinct points such that P is not –Q, then
P + Q = R (3)
Where R = (xr, yr)
λ = (yq - yp) / (xq - xp) mod q (4)
where, λ is the slope of the line passing through P and Q xr = (λ
2
– xp – xq) mod q (5)
yr = ( λ * (xp - xr) – yp) mod q (6)
2.2 Doubling the Point P
2P = R(xr, yr) (Provided that yp is not 0) (7)
λ = ((3xp2 + a) / (2yp)) mod q (8)
xr = (λ 2
– 2xp) mod q (9)
yr = ((λ * (xp – xr)) – yp) mod q (10)
The elliptic curve discrete logarithm problem is defined as follows:
Definition: Let E be an elliptic curve over a finite field Fq and let P E (Fq) be a point of order n. Given Q E
(Fq), the elliptic curve discrete logarithm problem is to find the integer d [0, n-1], such that Q = d*P.
3. Proposed Scheme
In this section, we propose an efficient proxy blind signature scheme based on ECC. The proposed scheme is divided into five phases: system parameters, proxy delegation, blind signing, signature extraction and signature verification.
3.1 System Parameters
Uo : Original Signer
Up : Proxy Signer
Ur : Signature requester
B: Base Point h (): Hash Function
xo : Original Signer’s Secret key
yo : Original Signer’s Public key, yo = xoB
xp : Proxy Signer’s Secret key
yp :Proxy Signer’s Public key, yp = xpB
mw : proxy warrant, which contains the identities information of the original signer and the proxy
signer, validation periods of delegation, limits of authority. 3.2 Proxy Delegation Phase
The proxy signing key pair (Spr, Ypr) is generated as follows:
1) Original Signer randomly chooses ko, where (1 < ko < n) and computes:
Ro = koB (11)
i.e. Ro (xRo ,yRo)
ro = xRo mod n (12)
If it is correct, Up accepts it and computes proxy signers secret key Spr
Spr = xp+ so (15)
The corresponding proxy public key is
Ypr = yo + yp + Roh (mw||ro) = BSpr (16)
3.3Blind Signing Phase
1) Now proxy signer Up choose a random number kp (1<kp<n) and computes:
Rp = kpB (17)
i.e. Rp(xRp, yRp)
rp = xRp (18)
and sends Ro, Rp and mw to signature requester Ur
2) Blinding- (mw, Ro) is published by the original signer. Ur can read it whenever needed. When the signature
requester receives (Ro, Rp, mw) transmitted by proxy signer, he randomly selects three numbers a, b, c and
computes:
r = Rp + bB - Ypr (a+ c) (mod n) (19)
If r = 0, the signature requester should select a, b, c again. Now, signature requester computes
e* = h(r||m) (20)
e = e* - c - a (21)
3) Signing- After receiving e, Up computes
S’ = e Spr + kp (22)
3.4 Signature Extraction Phase After receiving S’, Ur computes
S = S’+ b (23)
Finally the signature of message m is (mw, ro, m, e*, S)
3.5 Verification Phase
The recipient of a proxy blind signature verifies the validity of (mw, ro, m, e*, S) by checking
e* ≟ h((SB - e*Ypr)mod n || m)mod n (24)
Original Signer Uo Proxy Signer Up
Randomly choose ko
Ro=koB soB ≟ Roh(mw||ro) + yo
ro=xRo if false stop; otherwise
so=xo+ koh(mw||ro) mod n Spr= xp+ so
Signature Requester Ur Proxy Signer Up
Randomly choose a, b, c Randomly choose kp
r = Rp + bB – Ypr (a+ c) (mod n) Rp = kpB, rp = xRp
e* = h(r||m)
e = e* - c – a S’ = e Spr + kp
S = S’+ b
Verification
Anyone can verify the validity of the proxy blind signature by using the equation e* ≟ h((SB - e*Ypr)mod n || m)mod n
Figure 1: The message flows of the proposed proxy blind signature scheme
(Ro, So, mw
)
4. Security Properties of the Scheme
In this section, we show that our scheme satisfies all properties of proxy blind signature.
Distinguishability: On the one hand, warrant mw is included in proxy blind signature (mw, ro, m, e*, S). On the
other hand, proxy signature public key Ypr = yo + yp + Roh (mw||ro) includes original signer public key yo and
proxy signer public key yp. So the proxy signature is easy to be distinguishable from the normal signature.
Nonrepudiation: In this scheme the original signer does not know the proxy signer’s secret key xp and proxy
signer does not know original signer’s secret key xo. Thus, neither the original signer nor the proxy signer can
sign in place of the other party.
Verifiability: The proposed scheme satisfies the property of verifiability. The verifier can verify the proxy blind signature by checking
e* ≟ h((SB - e*Ypr)mod n || m)mod n
Because SB - e*Ypr
= (S’ + b)B - e*Ypr
= (e Spr + Kp)B + bB - e*Ypr
= e SprB + KpB + bB - e*Ypr
= Ypr(e* - c - a) + Rp + bB - e*Ypr
= e*Ypr - cYpr - aYpr + Rp + bB - e*Ypr
= Rp + bB - Ypr (a+ c)
= r □
Unforgeability: An adversary (including the original signer and the receiver) wants to impersonate the proxy signer to sign the message m. He can intercept the delegation information (Ro, so, mw) but he cannot obtain the
proxy signature secret key Spr. So for this scheme forgery is hard.
Identifiability: The proxy blind signature (mw, ro, m, e*, S) contains the warrant mw. Moreover, in the
verification equation Ypr = yo + yp + Roh (mw||ro) which includes the original signer Uo’s public key yo and the
proxy signer Up’s public key yp. Hence, anyone can determine the identity of the corresponding proxy signer
from a proxy signature.
Prevention of misuse: The proposed scheme can prevent proxy key pair misuse because the warrant mw
includes original signer and proxy signer identities information, delegation period, etc. With the proxy key, the proxy signer cannot sign messages that have not been authorized by the original signer.
Unlinkability: During signature generation i.e. (mw, ro, m, e*, S) the proxy signer only have knowledge on (so,
ro, mw, S’, m). Again the proxy signer is allowed to give signature on behalf of the original signer when he
receives the delegation message (ro, so, mw) from the original signer. The signature requester use three random
secret keys a, b, c to make the message blind. Hence the requester can only unblind the message. The original signer and the proxy signer has no knowledge about the secret random numbers, therefore this scheme achieves the unlinkability property.
5. Conclusion
The system presents a new proxy blind signature scheme based on ECDLP. The proposed scheme satisfies the security requirements. The future work is to design an efficient proxy blind signature scheme for multiple original signers.
References
[1] Chaum, D. (1983): “Blind signature for untraceable payments”, Advances in Cryptology, proceeding of CRYPTO'82, Springer-Verlag, pp.l99-203.
[2] Koblitz, N. (1987): “Elliptic Curve Cryptosystems”,Mathematics of Computation, 48, pp. 203-209.
[6] Miller, V. (1986): “Uses of Elliptic Curve in Cryptography”, Advances in Cryptography, Proceedings of Crypto’85, Lectures notes on Computer Sciences, Springer-Verlag, pp. 417-426.
[7] Preneel, B. (2007) “A survey of recent developments in cryptographic algorithms for smart cards”, Computer Networks, Elsevier, 51, pp.2223–2233.
[8] Sun, H.; Hsieh, B.; Tseng, S. (2005): “On the security of some proxy blind signature schemes”, Systems and Software, Elsevier, 74, pp.297-302.
[9] Tan, Z.; Liu, Z.; Tang, C. (2002): “Digital proxy blind signature schemes based on DLP and ECDLP”, MM Research Preprints, MMRC, AMSS, Academia, Sinica, Beijing, 21, pp. 212-217.
