Javier Herranz and Germán Sáez
Dept. Matemàtica Aplicada IV, Universitat Politècnica de Catalunya
C. Jordi Girona, 1-3, Mòdul C3, Campus Nord, 08034 Barcelona, Spain
e-mail: {jherranz, [email protected]}
Abstract

In a proxy signature scheme, a potential signer delegates his signing capability to a proxy entity, who signs a message on behalf of the original signer. All the proposals of proxy signature schemes made until now have been based on Schnorr's signature scheme. Threshold versions of these schemes have also been proposed, in which the power of the proxy signer is distributed among a group of players, in such a way that any subset with a minimum number (threshold) of players can sign a message on behalf of the original signer.

We consider a model that is fully distributed, because we want to distribute not only the power of the proxy signer, but also the original signer's ability to delegate his signing capability. Furthermore, we consider general structures, instead of only the threshold ones, both for the tolerated subsets of dishonest players and for the subsets of honest players authorized to execute a valid instance of the protocol, and in both the original and the proxy signer entities. We find sufficient combinatorial conditions that these structures must satisfy in order to design a fully distributed, secure and robust proxy signature scheme for this general scenario.

We propose such a scheme for this setting. It is based on the results of [8] and [15], and inherits the security of these two works.

Keywords. Proxy signature schemes, distributed cryptographic protocols, secret
1 Introduction

Sometimes a person or a company that has the capability and the necessity of signing a document does not have enough time to do so. Or perhaps this person, A, is keen to delegate his signing capability to another person, B, so that B would sign documents on behalf of A if A had some (technical, logistical) problem.

In a more concrete (or practical) situation, we can imagine a company with many departments. One of them, A (finances, business connections, loans in a bank, for example), must sign documents regularly, but A has a lot of things to do in addition to signing, and besides A wants its documents to be signed even if it is not able to do so because of some problem. A solution for this company could be to have a department B, the proxy department, whose only job would be to sign documents on behalf of the other departments of the company.

This is the scenario for a proxy signature scheme: a potential signer A delegates his signing capability to a proxy signer, B (in some way, A tells B what kind of messages B can sign), and B signs a message on behalf of the original signer, A. The receiver of the message verifies the signature of B and the delegation of A together.

Proxy signature schemes must have some security properties; we list them in Section 2. According to these properties, the most complete proxy signature schemes proposed until now are that of Lee, Kim and Kim [8] and that of Kim, Park and Won [7]. These schemes, as well as the previous proposals [9, 16] of proxy signature schemes, are based on Schnorr's signature scheme [12], which is also revisited in Section 2.

In [15], Stinson and Strobl propose a distributed version of Schnorr's signature scheme, which is as secure as the non-distributed one; that is, existentially unforgeable under adaptively chosen message attacks (as Pointcheval and Stern proved in [11]). This distributed scheme is based on the joint generation of a random secret value. Distributed protocols provide more security and reliability than individual ones, because they tolerate some coalitions of participants being corrupted or non-working at the moment of the execution of the protocol. In Section 3 we propose a general framework for distributed protocols; that is, we consider general structures (families of subsets of players) that determine both which subsets of players can perform some specific actions and which subsets of dishonest players the system will be able to tolerate. The threshold case, in which these subsets are defined according to their cardinality, is a particular case. We adapt to this general framework the verifiable secret sharing scheme of Pedersen [10], the joint generation of a random secret value of Gennaro et al. [5] and the threshold Schnorr's signature scheme of Stinson and Strobl [15].

In Section 4, we construct a fully distributed and secure proxy signature scheme, in the sense that we distribute not only the proxy signer (that is, B), but also the original signer, A, who delegates his signing capability. This scheme runs in the general framework introduced in Section 3. If the structures satisfy some combinatorial conditions that we state, the scheme is robust and unforgeable in the random oracle model under chosen message attacks, because it inherits its security from the security of the distributed Schnorr's signature scheme of [15] and the proxy signature scheme of [8]. The distribution of the original signer, the level of security of the scheme, and the fact that we consider a scenario which is more general than the threshold one, make our proposal more complete than the previous threshold proxy signature schemes ([7, 16, 6]).

Finally, in Section 5 we conclude by summing up our contribution and discussing some
The concept of proxy signature was introduced by Mambo, Usuda and Okamoto in [9]. They classified these signatures according to the delegation type and the protection of the proxy signer. Kim et al. [7] included warrant information in these schemes; that is, the signer A sends to the proxy B a signed message in which A explicitly delegates its signing capability to B, allowing B to sign some kind of messages (specified in the warrant information) on behalf of A.

The idea of these proxy signature schemes is the following: A sends a message and its signature to a proxy signer, B, who uses this information to construct a proxy key, which B will use to sign messages on behalf of A. This proxy key must contain some authentic information about the proxy signer, if we want these schemes to satisfy the security requirements of proxy signatures listed in the work of Mambo et al. [9]:

(i) Strong unforgeability: only a designated proxy signer can create a valid proxy signature for the original signer (even the original signer cannot do it).
(ii) Verifiability: a verifier of a proxy signature will be convinced in any way of the original signer's agreement on the signed message.
(iii) Strong identifiability: a proxy signature determines the identity of the corresponding proxy signer.
(iv) Strong undeniability: after creating a valid proxy signature for an original signer, the proxy signer cannot repudiate this signature against anyone.

In [8] Lee, Kim and Kim slightly modify the proposal of [7]: now the proxy signer B and the original signer A play asymmetric roles in the generation of a proxy signature, and so the warrant information need not contain an explicit delegation of A's signing capability. Besides, A does not need to designate a specific proxy signer. In [8], the authors add a new security requirement to proxy signature schemes (which their scheme, as well as that proposed in [7], satisfies):

(v) Prevention of misuse: the proxy signer cannot use the proxy key for other purposes than generating a valid proxy signature. That is, he cannot sign, with the proxy key, messages that have not been authorized by the original signer.

All the proposals of proxy signature schemes, like [8] and [7], are based on Schnorr's signature scheme ([12]).
2.1 Schnorr's Signature Scheme

In [12], Schnorr introduced the following signature scheme.

Let $p$ and $q$ be large primes with $q \mid p-1$. Let $g$ be a generator of a multiplicative subgroup of $\mathbb{Z}_p^*$ with order $q$. $H(\cdot)$ denotes a collision-resistant hash function. (This will be the mathematical scenario in the rest of the paper.)

A signer $A$ has a private key $x_A \in \mathbb{Z}_q$ and the corresponding public key $y_A = g^{x_A}$. To sign a message $M$, $A$ acts as follows:

1. choose a random $k \in \mathbb{Z}_q$
2. compute $r = g^k \bmod p$ and $s = k + x_A H(M, r) \bmod q$
3. define the signature on $M$ to be the pair $(r, s)$

The validity of the signature is verified by the recipient by checking that
$$g^s = r \, y_A^{H(M, r)}$$

In [11], Pointcheval and Stern proved that, in the random oracle model, existential forgery under adaptively chosen message attack of Schnorr's scheme is equivalent to the
The following proxy signature scheme has been introduced in [8]. It is based on the proposal of Kim et al. [7], with the difference that the warrant information signed by the original signer need not explicitly include either his identity or the identity of the proxy signer. This is possible because the original signer and the proxy signer do not play the same role in the generation of a proxy signature, and so the verifier can identify both of them.

Original signer $A$ has the key pair $(x_A, y_A)$, with $y_A = g^{x_A}$, whereas the (future) proxy signer $B$ also has his user key pair $(x_B, y_B)$, with $y_B = g^{x_B}$.

Generation of the proxy key: the original signer $A$ uses Schnorr's scheme to sign warrant information $M_\omega$, which should specify which messages $A$ will allow the proxy to sign on his behalf.

That is, $A$ chooses at random $k_A \in \mathbb{Z}_q$, and computes $r_A = g^{k_A}$ and $s_A = k_A + x_A H(M_\omega, r_A) \bmod q$. Signer $A$ sends $(M_\omega, r_A, s_A)$ to a proxy signer $B$ secretly (in fact, only the value $s_A$ must remain secret; the values $M_\omega$ and $r_A$ should be broadcast). Then $B$ verifies the validity of the Schnorr signature:
$$g^{s_A} = r_A \, y_A^{H(M_\omega, r_A)}$$
If the verification is correct, $B$ computes his proxy key pair $(x_P, y_P)$ as
$$x_P = x_B + s_A, \qquad y_P = g^{x_P} \;\bigl(= y_B \, r_A \, y_A^{H(M_\omega, r_A)}\bigr)$$

Proxy signature generation: in order to create a proxy signature on a message $M$ conforming to the warrant information $M_\omega$, proxy signer $B$ uses Schnorr's signature scheme with keys $(x_P, y_P)$ and obtains a signature $(r_P, s_P)$ for the message $M$. The valid proxy signature will be the tuple
$$(M, r_P, s_P, M_\omega, r_A)$$

Verification: a recipient can verify the validity of the proxy signature by checking that $M$ conforms to $M_\omega$ and the verification equality of Schnorr's signature scheme with public key $y_A^{H(M_\omega, r_A)} \, r_A \, y_B \;(= y_P)$; that is
$$g^{s_P} = r_P \, \bigl(y_B \, r_A \, y_A^{H(M_\omega, r_A)}\bigr)^{H(M, r_P)}$$
Note that the conformance check is part of verification: a verifier who only checks the equation and ignores $M_\omega$ would accept any message signed with $x_P$, which is exactly the misuse that requirement (v) rules out.

This proxy signature scheme satisfies the security requirements (i), ..., (v) listed above (see [8] for the details). Note also that other signature schemes can be used in the proxy signature generation, with keys $(x_P, y_P)$, provided that these schemes use keys of the form $(x, y)$, with $y = g^x$; for example, the ElGamal signature scheme or DSS.
3 Some Distributed Protocols in a General Framework

In [15], Stinson and Strobl propose a distributed version of Schnorr's signature scheme, which is proved to be as secure as the original signature scheme. This proposal is based on verifiable secret sharing schemes and on the joint generation of a random secret value.

We will consider a framework which is more general than the threshold one. That is, those subsets of players authorized to perform some specific actions, such as the recovery of a secret or the signature of a message, as well as those subsets of dishonest players that the system is able to tolerate, will not necessarily be defined according to their cardinality. So we will adapt to this general framework the previous (threshold) proposals for verifiable secret sharing [10], the joint generation of a random secret [5] and threshold Schnorr's
In a secret sharing scheme, a dealer distributes shares of a secret value among a set of players $\mathcal{P} = \{1, \dots, n\}$ in such a way that only authorized subsets of players (those in the so-called access structure, denoted by $\Gamma \subseteq 2^{\mathcal{P}}$) can recover the secret value from their shares, whereas non-authorized subsets do not obtain any information about the secret (unconditional security). The structure $\Gamma$ must be monotone increasing, that is, if $A_1 \in \Gamma$ and $A_1 \subseteq A_2$, then $A_2 \in \Gamma$.

Secret sharing schemes were introduced independently by Shamir [13] and Blakley [1] in 1979. Shamir proposed a well-known threshold scheme, in which the authorized subsets are those with at least $t$ members ($t$ is the threshold). Other works propose schemes realizing more general access structures; for example, vector space secret sharing schemes [2] are often used. An access structure $\Gamma$ can be realized by such a scheme if, for some positive integer $t$ and some vector space $E = K^t$ over a finite field $K$ (in our context, it will be $K = \mathbb{Z}_q$), there exists a function
$$\psi : \mathcal{P} \cup \{D\} \longrightarrow E$$
such that $A \in \Gamma$ if and only if the vector $\psi(D)$ can be expressed as a linear combination of the vectors in the set $\psi(A) = \{\psi(i) \mid i \in A\}$. If $\Gamma$ can be defined in this way, we say that $\Gamma$ is a vector space access structure; then we can construct a secret sharing scheme for $\Gamma$ with set of secrets $\mathbb{Z}_q$: given a secret value $k \in \mathbb{Z}_q$, the dealer takes a random element $v \in E = (\mathbb{Z}_q)^t$ such that $v \cdot \psi(D) = k$. The share of a participant $i \in \mathcal{P}$ is $s_i = v \cdot \psi(i) \in \mathbb{Z}_q$. Let $A$ be an authorized subset, $A \in \Gamma$; then $\psi(D) = \sum_{i \in A} c_i^A \psi(i)$, for some $c_i^A \in \mathbb{Z}_q$. In order to recover the secret, the players of $A$ compute
$$\sum_{i \in A} c_i^A s_i = \sum_{i \in A} c_i^A \, v \cdot \psi(i) = v \cdot \sum_{i \in A} c_i^A \psi(i) = v \cdot \psi(D) = k \bmod q$$
Shamir's threshold secret sharing scheme with threshold $t$ is a particular case of vector space schemes, taking $\psi(D) = (1, 0, \dots, 0)$ and $\psi(i) = (1, i, i^2, \dots, i^{t-1})$.

Linear secret sharing schemes can be seen as vector space secret sharing schemes in which each player can have associated more than one vector. They were introduced by Simmons, Jackson and Martin [14], who proved that any access structure can be realized by a linear secret sharing scheme, although in general the construction they proposed results in an inefficient secret sharing scheme. These schemes have been considered under other names such as geometric secret sharing schemes or monotone span programs. In our work, we will consider any possible access structure, so we will know that there exists a linear secret sharing scheme realizing this structure. However, we will suppose for simplicity that this scheme is a vector space one.
A variation of these schemes are verifiable secret sharing schemes, which prevent the dealer and the players from cheating; each participant can check if his share is consistent with the shared secret. The two most used verifiable secret sharing schemes are the proposals of Pedersen [10] and Feldman [3]. Here we present a modification of the (threshold) verifiable secret sharing scheme proposed in [10]. We consider any access structure $\Gamma$. Furthermore, we must take into account which subsets of dishonest players can be tolerated by the system. Those subsets form the adversary structure $\mathcal{A} \subseteq 2^{\mathcal{P}}$, which must be monotone decreasing: if $B_1 \in \mathcal{A}$ is tolerated and $B_2 \subseteq B_1$, then $B_2 \in \mathcal{A}$ is also tolerated.

The situation is modeled by an active adversary who can corrupt, at the beginning of the protocol, all players of some subset $R \in \mathcal{A}$. During the execution of the protocol, the adversary controls the behavior of these players, deciding at each moment which players of $R$ follow the protocol correctly and which ones lie, but the adversary cannot change the subset $R \in \mathcal{A}$ that he has chosen at the beginning (we say that it is a static adversary). An obvious requirement is that the adversary cannot obtain the secret from the shares of the participants that he has corrupted, so the condition $\Gamma \cap \mathcal{A} = \emptyset$ must be satisfied.

In the threshold case, the structures are $\Gamma = \{A \in 2^{\mathcal{P}} : |A| \geq t\}$ and $\mathcal{A} = \{B \in 2^{\mathcal{P}} : |B| <$

vector space ones) instead of threshold secret sharing schemes.
As before, $q$ and $p$ are large primes such that $q \mid p-1$. Let $g$ and $h$ be generators of a multiplicative subgroup of $\mathbb{Z}_p^*$ with order $q$. (As in any Pedersen-style scheme, the binding of the commitments below relies on nobody knowing $\log_g h$, so $h$ must be chosen in a way that rules this out, for instance by hashing to the group.) The set of players is $\mathcal{P} = \{1, \dots, n\}$, and the access structure $\Gamma \subseteq 2^{\mathcal{P}}$ is defined by the function $\psi : \mathcal{P} \cup \{D\} \to (\mathbb{Z}_q)^t$. If the dealer wants to share the secret $k \in \mathbb{Z}_q$ in a verifiable way, he does the following:

1. Choose two random vectors in $(\mathbb{Z}_q)^t$:
$$v = (v^{(1)}, \dots, v^{(t)}), \qquad w = (w^{(1)}, \dots, w^{(t)})$$
such that $v \cdot \psi(D) = k$.
2. Compute $(s_i, s_i') = (v \cdot \psi(i), w \cdot \psi(i)) \in (\mathbb{Z}_q)^2$ and send the pair $(s_i, s_i')$ to player $i$, for $1 \leq i \leq n$.
3. Broadcast the public commitments $C_m = g^{v^{(m)}} h^{w^{(m)}} \in \mathbb{Z}_p$, for $1 \leq m \leq t$.

Each player $i$ verifies that
$$g^{s_i} h^{s_i'} = \prod_{m=1}^{t} (C_m)^{\psi(i)^{(m)}} \qquad (1)$$
where $\psi(i)^{(m)}$ denotes the $m$-th component of vector $\psi(i)$. If this equality does not hold, player $i$ broadcasts a complaint against the dealer.

For each complaint from a player $i$, the dealer broadcasts the values $(s_i, s_i') = (v \cdot \psi(i), w \cdot \psi(i))$ satisfying equation (1). The dealer is rejected if he receives complaints from players of a subset that is not in the adversary structure $\mathcal{A}$, or if he answers a complaint with values that do not satisfy equation (1). Otherwise, the dealer is accepted.

This verifiable secret sharing scheme is computationally secure, assuming that the discrete logarithm problem in the group generated by $g$ is hard (the proof is almost the same as that in [10] for the threshold case).
3.2 Robust Joint Generation of a Random Secret Value

In this work, and roughly speaking, a distributed protocol is said to be robust if it always produces a correct output, even in the presence of some tolerated subset of dishonest players.

In [5] Gennaro, Jarecki, Krawczyk and Rabin use Pedersen's verifiable secret sharing scheme to design a protocol in which players in a set $\mathcal{P} = \{1, \dots, n\}$ jointly generate a public key $y = g^x$ and shares of the corresponding secret key $x$, in such a way that $t$ or more players can recover this secret key (threshold access structure). The idea is the following: each player $i$ plays the role of a dealer and shares a random value $k_i$ among the players. The secret key $x$ will be the sum of some of these values.

We explain here the more general version considering any access structure $\Gamma \subseteq 2^{\mathcal{P}}$ (realizable, for simplicity, by a vector space scheme defined by a function $\psi$) and any adversary structure $\mathcal{A}$ satisfying some security and robustness conditions. If we want this protocol to be robust, we must make sure that, when we detect a dishonest subset of players in $\mathcal{A}$ and reject them from the protocol, an authorized subset in $\Gamma$ still remains among the non-rejected players; this authorized subset of honest players can go on executing the protocol. That is, for any subset $R \in \mathcal{A}$, it must be $\mathcal{P} - R \in \Gamma$, or equivalently, $\mathcal{A}^c \subseteq \Gamma$, where $\mathcal{A}^c = \{\mathcal{P} - R : R \in \mathcal{A}\}$.

Combining this condition with the unforgeability condition $\Gamma \cap \mathcal{A} = \emptyset$, we have in particular that the structures $\mathcal{A}$ and $\Gamma$ must satisfy the following condition: for all subsets $R \in \mathcal{A}$ it is necessary that $\mathcal{P} - R \notin \mathcal{A}$. We say that such a monotone decreasing structure $\mathcal{A}$ is $Q^2$ in $\mathcal{P}$. Note that in the threshold case, this $Q^2$ condition is equivalent to $n \geq 2t+1$.
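The vector space secret sharing of Section 3.1 over a genuinely non-threshold access structure, together with the two combinatorial conditions just stated ($\Gamma \cap \mathcal{A} = \emptyset$ and $\mathcal{A}^c \subseteq \Gamma$), as an added Python example that is not part of the paper. The field $q = 1019$, the four-player function $\psi$ (chosen so that the minimal authorized sets are $\{1, 2\}$ and $\{2, 3, 4\}$, which no threshold can express) and the seeded random generator are assumptions of the example; the recombination coefficients $c_i^A$ are found by Gaussian elimination rather than by a closed formula, which is what a general $\psi$ requires.

```python
# Vector space secret sharing for a general access structure, in the paper's notation
# (psi, Gamma, adversary structure A), plus the Q^2-style checks of Section 3.2.
import random
from itertools import combinations

Q = 1019                      # toy prime field Z_q
rng = random.Random(1)        # deterministic toy randomness; real code uses a CSPRNG

# psi for the players {1,2,3,4}; the minimal authorized sets are {1,2} and {2,3,4}
PSI = {"D": (1, 0, 0), 1: (1, 1, 0), 2: (0, 1, 0), 3: (0, 0, 1), 4: (1, 1, 1)}
PLAYERS = [1, 2, 3, 4]


def solve_mod_q(vectors, target):
    # Coefficients c with sum_i c_i * vectors[i] == target over Z_q, or None when target is
    # not in the span (Gaussian elimination on the augmented system, free variables set to 0)
    n, dim = len(vectors), len(target)
    rows = [[vectors[i][d] % Q for i in range(n)] + [target[d] % Q] for d in range(dim)]
    pivots, r = [], 0
    for col in range(n):
        piv = next((k for k in range(r, dim) if rows[k][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][col], -1, Q)
        rows[r] = [x * inv % Q for x in rows[r]]
        for k in range(dim):
            if k != r and rows[k][col]:
                f = rows[k][col]
                rows[k] = [(a - f * b) % Q for a, b in zip(rows[k], rows[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in rows[r:]):      # inconsistent system: target not in the span
        return None
    coeffs = [0] * n
    for k, col in enumerate(pivots):
        coeffs[col] = rows[k][-1]
    return coeffs


def recomb_coeffs(subset):
    # the c_i^A of Section 3.1: sum_i c_i^A psi(i) = psi(D); None exactly when subset not in Gamma
    return solve_mod_q([PSI[i] for i in subset], PSI["D"])


def is_authorized(subset):
    return recomb_coeffs(subset) is not None


def share(secret):
    # dealer: random v in (Z_q)^t with v . psi(D) = secret (psi(D) = (1,0,0), so v^(1) = secret)
    v = (secret % Q,) + tuple(rng.randrange(Q) for _ in PSI["D"][1:])
    return {i: sum(a * b for a, b in zip(v, PSI[i])) % Q for i in PLAYERS}


def reconstruct(shares, subset):
    c = recomb_coeffs(subset)
    if c is None:
        raise ValueError("subset %r is not in the access structure" % (subset,))
    return sum(ci * shares[i] for ci, i in zip(c, subset)) % Q


def access_structure():
    # Gamma as the set of all authorized subsets (monotone increasing by construction)
    return {frozenset(s) for k in range(1, len(PLAYERS) + 1)
            for s in combinations(PLAYERS, k) if is_authorized(s)}


def structures_ok(maximal_adversary_sets):
    # Section 3.2 conditions: Gamma ∩ A = ∅ (secrecy) and A^c ⊆ Gamma (robustness);
    # A is given by its maximal sets and closed downwards here
    adv = {frozenset(t) for m in maximal_adversary_sets
           for k in range(len(m) + 1) for t in combinations(m, k)}
    gamma = access_structure()
    secrecy = not (gamma & adv)
    robust = all(frozenset(set(PLAYERS) - R) in gamma for R in adv)
    return secrecy and robust
```

With this $\psi$, player 2 sits in every authorized set, so `structures_ok([(2,)])` is false: tolerating a corrupt player 2 would leave no authorized subset among the honest players, which is exactly the robustness failure the condition $\mathcal{A}^c \subseteq \Gamma$ guards against.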
1. Each player $i \in \mathcal{P}$ plays the role of a dealer. That is, he chooses two random vectors $v_i = (v_i^{(1)}, \dots, v_i^{(t)})$ and $w_i = (w_i^{(1)}, \dots, w_i^{(t)})$ in $(\mathbb{Z}_q)^t$, where $v_i \cdot \psi(D) = k_i$ is the random secret distributed by player $i$, and sends to player $j$ the pair $(s_{ij}, s_{ij}') = (v_i \cdot \psi(j), w_i \cdot \psi(j))$, for $1 \leq j \leq n$. The public commitments are $C_{im} = g^{v_i^{(m)}} h^{w_i^{(m)}}$, for $1 \leq m \leq t$.
2. At step 1, players who cheat are detected and rejected. We define $F_0 = \{i \mid \text{player } i \text{ is not rejected at step 1}\}$. Since $\mathcal{A}^c \subseteq \Gamma$, we have that $F_0 \in \Gamma$. Furthermore, for all players $i \in F_0$ that pass this phase, there are valid shares $s_{ij}$ corresponding to players $j$ that form an authorized subset. Each player $j \in \mathcal{P}$ computes his share of the total secret as $x_j = \sum_{i \in F_0} s_{ij}$ (the total secret will be $x = \sum_{i \in F_0} k_i \in \mathbb{Z}_q$).
3. Now they want to compute the value $y = g^x = \prod_{i \in F_0} g^{k_i} \in \mathbb{Z}_p$. They use Feldman's verifiable secret sharing scheme (see [3] for the original threshold version):
3.1. Each player $i \in F_0$ broadcasts $A_{im} = g^{v_i^{(m)}}$, for $1 \leq m \leq t$.
3.2. Each player $j$ verifies the values broadcast by all the other players in $F_0$. That is, for each $i \in F_0$, player $j$ checks that
$$g^{s_{ij}} = \prod_{m=1}^{t} (A_{im})^{\psi(j)^{(m)}} \qquad (2)$$
If this verification is false, player $j$ complains against $i$ broadcasting the pair $(s_{ij}, s_{ij}')$ that satisfies verification at step 1 (Pedersen's scheme, equation (1) in Section 3.1), but does not satisfy equation (2).
3.3. For players $i$ who received some valid complaint at step 3.2, the other players $j$ run the reconstruction phase of Pedersen's scheme to recover a vector $\tilde{v}_i = (\tilde{v}_i^{(1)}, \dots, \tilde{v}_i^{(t)})$ such that $\tilde{v}_i \cdot \psi(j) = s_{ij}$ for all these players $j$ (depending on the case, they will recover exactly $\tilde{v}_i = v_i$, but this is not necessary). They can also recover the value $k_i$; this can be done because there are valid shares $s_{ij}$ satisfying equation (1) at step 1 (Pedersen's scheme), corresponding to players $j$ that form an authorized subset. All players in $F_0$ can compute, therefore, the correct value $g^{k_i}$. From the vector $\tilde{v}_i$, the correct commitment values $A_{im} = g^{\tilde{v}_i^{(m)}}$ can also be computed.

Then the public key $y = g^x$ can be obtained by any participant in the following way:
$$y = \prod_{i \in F_0} g^{k_i} = \prod_{i \in F_0} g^{v_i \cdot \psi(D)} = \prod_{i \in F_0} \prod_{m=1}^{t} g^{v_i^{(m)} \psi(D)^{(m)}} = \prod_{i \in F_0} \prod_{m=1}^{t} (A_{im})^{\psi(D)^{(m)}}$$

After the execution of this protocol, we have the public key $y = g^x$, where $x = \sum_{i \in F_0} k_i$ is the corresponding secret key, and $x_j = \sum_{i \in F_0} s_{ij} = \bigl(\sum_{i \in F_0} v_i\bigr) \cdot \psi(j) = v \cdot \psi(j)$ is the share of player $j$ corresponding to the secret $x$, where $v = (v^{(1)}, \dots, v^{(t)})$, with $v^{(m)} = \sum_{i \in F_0} v_i^{(m)}$. Besides, the final commitment values $A_m = g^{v^{(m)}}$ can be easily computed as $A_m = \prod_{i \in F_0} A_{im}$, for $1 \leq m \leq t$.

We denote all these facts (parameters and outputs of the protocol) with the following expression:
$$(x_1, \dots, x_n) \xrightarrow{(\mathcal{P}, \Gamma, \mathcal{A})} \bigl((x, y), \{A_m\}_{1 \leq m \leq t}, F_0\bigr)$$

The security and robustness of this protocol can be proved analogously to the proof in [5].
Now we will explain the proposal of Stinson and Strobl [15] for distributing Schnorr's signature scheme. They consider threshold structures; that is, the system can tolerate the presence of less than $t$ dishonest players, whereas any subset of at least $t$ honest players can compute a valid signature. But they remark that the protocol can be adapted to run with other structures, using a general linear (verifiable) secret sharing scheme instead of the threshold secret sharing scheme (and its verifiable variants) of Shamir.

We now explain the scheme in [15] adapted to the case of any access structure $\Gamma$ and adversary structure $\mathcal{A}$, such that $\Gamma \cap \mathcal{A} = \emptyset$ and $\mathcal{A}^c \subseteq \Gamma$ (the justification for these combinatorial requirements is the same as in Section 3.2). We assume again that $\Gamma$ is a vector space access structure defined by a function $\psi$. The protocol has three parts.

Key generation: players in $\mathcal{P} = \{1, \dots, n\}$ use the protocol explained in Section 3.2 to jointly generate shares of a secret key and the corresponding public key. The output will be:
$$(x_1, \dots, x_n) \xrightarrow{(\mathcal{P}, \Gamma, \mathcal{A})} \bigl((x, y), \{A_m\}_{1 \leq m \leq t}, F_0\bigr)$$

Signature generation: let $H$ be a collision-free hash function, and $M$ the message to be signed. If an authorized subset $F_1 \in \Gamma$, $F_1 \subseteq F_0$, wants to sign $M$, they do the following:

1. Players in $F_1$ run again the joint generation protocol of Section 3.2, with output
$$(k_1, \dots, k_n) \xrightarrow{(\mathcal{P}, \Gamma, \mathcal{A})} \bigl((k, r), \{C_m\}_{1 \leq m \leq t}, F_2\bigr)$$
where $k$ is a random secret shared value in $\mathbb{Z}_q$ and $r = g^k$ is public, and $F_2 \subseteq F_1$.
2. Each player $i \in F_2$ broadcasts
$$\gamma_i = k_i + H(M, r) \, x_i$$
3. Each player $j \in F_2$ verifies, for all $i \in F_2$, that
$$g^{\gamma_i} = \prod_{m=1}^{t} (C_m)^{\psi(i)^{(m)}} \bigl[(A_m)^{\psi(i)^{(m)}}\bigr]^{H(M, r)}$$
Define $F_3 = \{i \mid \text{player } i \text{ is not detected to be cheating at step 3}\}$.
4. Each player $i \in F_3$ computes $s = k + H(M, r) \, x \bmod q$ in the following way: since $\mathcal{A}^c \subseteq \Gamma$, we have that $F_3 \in \Gamma$, so there exist public coefficients $\{\lambda_j^{F_3}\}_{j \in F_3}$ in $\mathbb{Z}_q$ such that $\sum_{j \in F_3} \lambda_j^{F_3} \psi(j) = \psi(D)$. Then, each player $i \in F_3$ computes
$$s = \sum_{j \in F_3} \lambda_j^{F_3} \gamma_j$$

The signature for the message $M$ is the pair $(r, s)$.

Verification: the verification phase is the same as in Schnorr's signature scheme; that is, the recipient cannot distinguish whether the signature has been generated in a distributed way or not. The recipient checks that
$$g^s = r \, y^{H(M, r)}$$

Notation: we will use the expression
$$\mathrm{DistSchnSig}\bigl(\mathcal{P}, \Gamma, \mathcal{A}, M, y, \{x_i\}_{i \in \mathcal{P}}, \{A_m\}_{1 \leq m \leq t}\bigr) = (r, s)$$
to refer to an execution of the signature generation phase, in which players of a set $\mathcal{P}$, with the public key $y$, shares $(x_1, \dots, x_n)$ of the secret key $x$, and commitment values $A_m = g^{v^{(m)}}$ for the components $v^{(m)}$ of the vector that in fact distributes the shares of $x$.

Security of the protocol. In [15], this distributed signature scheme is proved to be as secure as Schnorr's signature scheme. The idea of the proof is the following: they prove that the protocol is simulatable; that is, given an adversary against the scheme, there exists an algorithm which outputs values that are computationally indistinguishable from the values that the adversary views during a real execution of the protocol. Then, assuming that this adversary against the distributed scheme is successful in forging a signature under a chosen message attack, both this fact and the simulatability of the distributed protocol can be used to construct an adversary against the original Schnorr's scheme, which is also successful in forging a signature under a chosen message attack. But in the random oracle model, this is equivalent to solving the discrete logarithm problem [11], so they can conclude that the distributed version of Schnorr's signature scheme has this same level of security, in the random oracle model (see [15] for the complete proof).

The protocol is also robust, if $\mathcal{A}^c \subseteq \Gamma$. This is due to the fact that there is always a subset in $\Gamma$ that passes all the verification tests, and so players of this subset can finish the protocol correctly.
4 Fully Distributed Proxy Signatures

In this section, we propose a distributed proxy signature scheme based on the proxy signature scheme of Lee et al. [8] and on the idea of the distributed Schnorr's signature scheme of Stinson and Strobl [15], explained above.

Distributed protocols have two main advantages with respect to individual ones: an increase of the security, because now more than one party must be corrupted in order to obtain a secret key, for example; and an increase of the reliability, because the protocol can be executed even if some parties are non-working at that moment for some reason.

There are various proposals of distributed (threshold) proxy signature schemes. Zhang's proposal [16] is not strongly unforgeable, because the original signer can impersonate the proxy signer. Kim et al. [7] also proposed a threshold version of their proxy signature scheme. Hwang, Lin and Lu [6] adapt the threshold scheme of Kim et al. to the case in which the verifier of the proxy signature must be able to identify which concrete players in the proxy entity have signed the message. All these schemes distribute only the power of the proxy signer that signs messages on behalf of the original signer. Why not also distribute the original signer, and in this way increase the security and reliability of the full scheme?

Our proxy signature scheme is the first that is fully distributed, in the sense that we distribute both the original and the proxy signer. We consider general structures for the authorized subsets and for the tolerated subsets of dishonest players. Finally, our scheme is based on the proxy signature scheme of Lee et al. [8], and so the original signer entity does not need to include explicitly his identity, nor the identity of the proxy signer, in the warrant information that it signs.
4.1 The Scenario

We must think of entities $A$ and $B$ as sets of players $A = \{P_1, \dots, P_{n_A}\}$ and $B = \{Q_1, \dots, Q_{n_B}\}$. We consider general monotone increasing access structures $\Gamma_A \subseteq 2^{A}$ and $\Gamma_B \subseteq 2^{B}$ in these sets. Furthermore, the system will tolerate the presence of some coalitions of dishonest players, those in the adversary structures $\mathcal{A}_A \subseteq 2^{A}$ and $\mathcal{A}_B \subseteq 2^{B}$, which must be monotone decreasing; that is, the scheme will be unforgeable even if some players in $A$ and some players in $B$ are corrupted and exchange their secret information, provided $\Gamma_A \cap \mathcal{A}_A = \emptyset$ and $\Gamma_B \cap \mathcal{A}_B = \emptyset$, of course. Finally, we require $\mathcal{A}_A^c \subseteq \Gamma_A$ and $\mathcal{A}_B^c \subseteq \Gamma_B$, in order to give

We assume, for simplicity, that there exists a function $\psi_A : \{D\} \cup A \to (\mathbb{Z}_q)^{t_A}$, for some positive integer $t_A$, such that a subset $J_A \subseteq A$ is in $\Gamma_A$ if and only if $\psi_A(D) \in \langle \psi_A(P_j) \rangle_{P_j \in J_A}$, and the same for the structure $\Gamma_B$ with a certain positive integer $t_B$ and a certain function $\psi_B$.

Any subset of $A$ whose honest players form a subset in $\Gamma_A$ can delegate $A$'s signing capability, and any subset of $B$ whose honest players form a subset in $\Gamma_B$ can sign a message on behalf of entity $A$.
4.2 Our proposal

The protocol that we present has four parts:

Generation of the entities' keys

Players in $A$ jointly generate a public key and shares of the corresponding secret key, using the protocol in Section 3.2. Players in $B$ do the same. The result is:
$$(x_{A,1}, \dots, x_{A,n_A}) \xrightarrow{(A, \Gamma_A, \mathcal{A}_A)} \bigl((x_A, y_A), \{A_m\}_{1 \leq m \leq t_A}, F_{0,A}\bigr)$$
$$(x_{B,1}, \dots, x_{B,n_B}) \xrightarrow{(B, \Gamma_B, \mathcal{A}_B)} \bigl((x_B, y_B), \{B_\ell\}_{1 \leq \ell \leq t_B}, F_{0,B}\bigr)$$

Distributed generation of the proxy key

In this phase, players in entity $A$ sign warrant information $M_{\omega_A}$, using the first part of the distributed Schnorr's signature scheme explained in Section 3.3. However, they do not obtain the explicit signature, but shares of it (thus preventing the possibility of one dishonest participant in $A$ sending this secret signature to a dishonest participant in entity $B$). Then they send some information to players in entity $B$. Each player in $B$ then computes, from this information, his share of the proxy key, which will later be used to generate a proxy signature in a distributed way. This subprotocol is as follows.

1. Players in $A$ execute the first step in the signature generation phase of the distributed Schnorr's signature scheme explained in Section 3.3. That is, they run the joint generation protocol of Section 3.2, with output
$$(k_{A,1}, \dots, k_{A,n_A}) \xrightarrow{(A, \Gamma_A, \mathcal{A}_A)} \bigl((k_A, r_A), \{C_m\}_{1 \leq m \leq t_A}, F_{1,A}\bigr)$$
The values $r_A = g^{k_A}$ and $M_{\omega_A}$ are made public.
2. Each player $P_i \in F_{1,A}$ computes his share of the value $s_A = k_A + x_A H(M_{\omega_A}, r_A) \bmod q$ as
$$\sigma_i = k_{A,i} + H(M_{\omega_A}, r_A) \, x_{A,i} \bmod q$$
3. Each player $P_i \in F_{1,A}$ distributes the value $\sigma_i$, verifiably, among the players in entity $B$, in such a way that any subset in $\Gamma_B$ can recover this value. He uses Feldman's scheme [3]; that is, $P_i$ chooses a random vector $v_i = (v_i^{(1)}, \dots, v_i^{(t_B)})$ in $\mathbb{Z}_q^{t_B}$ such that $v_i \cdot \psi_B(D) = \sigma_i$, he makes public the commitment values $D_{i\ell} = g^{v_i^{(\ell)}}$, for $1 \leq \ell \leq t_B$, and sends to each player $Q_j \in B$ the share $s_{ij} = v_i \cdot \psi_B(Q_j)$.
4. In some way (we do not explain the details here), the correct commitments $\{A_m\}_{1 \leq m \leq t_A}$ and $\{C_m\}_{1 \leq m \leq t_A}$ corresponding to the sharing of the secret values $x_A$ and $k_A$, respectively, must be publicly revealed to all players in entity $B$. Then each player $Q_j \in B$ checks, for any received share $s_{ij}$, that
$$g^{s_{ij}} = \prod_{\ell=1}^{t_B} (D_{i\ell})^{\psi_B(Q_j)^{(\ell)}}$$
and that the value $\sigma_i$ committed by $P_i$ is the correct one, using the verification equation of step 3 in Section 3.3: the value $g^{\sigma_i}$, which is publicly computable as $\prod_{\ell=1}^{t_B} (D_{i\ell})^{\psi_B(D)^{(\ell)}}$, must equal $\prod_{m=1}^{t_A} (C_m)^{\psi_A(P_i)^{(m)}} \bigl[(A_m)^{\psi_A(P_i)^{(m)}}\bigr]^{H(M_{\omega_A}, r_A)}$. If either of these two checks fails, $Q_j$ broadcasts a complaint against $P_i$. If $P_i$ receives complaints from players that form a subset of $B$ that is not in $\mathcal{A}_B$, then he is rejected. Let $F_{2,A}$ be the subset of players in $A$ that pass this verification phase. Since $\mathcal{A}_A^c \subseteq \Gamma_A$, we have that $F_{2,A} \in \Gamma_A$.
5. Players of $B$ publicly fix coefficients $\{\lambda_i^{F_{2,A}}\}_{P_i \in F_{2,A}}$ in $\mathbb{Z}_q$ such that $\psi_A(D) = \sum_{P_i \in F_{2,A}} \lambda_i^{F_{2,A}} \psi_A(P_i)$. Then the equality $\sum_{P_i \in F_{2,A}} \lambda_i^{F_{2,A}} \sigma_i = s_A$ holds, and each player $Q_j \in B$ uses these fixed coefficients to compute his share of the value $s_A$ as
$$s_{A,j} = \sum_{P_i \in F_{2,A}} \lambda_i^{F_{2,A}} s_{ij} \bmod q$$
In effect, if $J_B \in \Gamma_B$, there exist coefficients $\{\lambda_j^{J_B}\}_{Q_j \in J_B}$ in $\mathbb{Z}_q$ such that $\psi_B(D) = \sum_{Q_j \in J_B} \lambda_j^{J_B} \psi_B(Q_j) \bmod q$. Then it is not difficult to see that $\sum_{Q_j \in J_B} \lambda_j^{J_B} s_{A,j} = s_A \bmod q$, and that $\{s_{A,j}\}_{Q_j \in B}$ is a perfect sharing of the secret $s_A$, according to the access structure $\Gamma_B$.
6. Each player $Q_j \in B$ computes $x_{P,j} = x_{B,j} + s_{A,j} \bmod q$ as his share of the secret proxy key $x_P = x_B + s_A \bmod q$. The public proxy key is computed as $y_P = g^{x_P} = y_B \, r_A \, y_A^{H(M_{\omega_A}, r_A)} \bmod p$.

Note that the vector that in fact shares the secret value $s_A$ among the participants of $B$ is
$$v = \sum_{P_i \in F_{2,A}} \lambda_i^{F_{2,A}} v_i = (v^{(1)}, \dots, v^{(t_B)}), \qquad \text{where } v^{(\ell)} = \sum_{P_i \in F_{2,A}} \lambda_i^{F_{2,A}} v_i^{(\ell)}, \text{ for } 1 \leq \ell \leq t_B.$$
Therefore, the commitment values $V_\ell$ corresponding to the components $v^{(\ell)}$ of this vector $v$ can be publicly computed from the commitments $D_{i\ell}$ of the components $v_i^{(\ell)}$ of the vectors $v_i$, for $P_i \in F_{2,A}$, as follows:
$$V_\ell = g^{v^{(\ell)}} = g^{\sum_{P_i \in F_{2,A}} \lambda_i^{F_{2,A}} v_i^{(\ell)}} = \prod_{P_i \in F_{2,A}} \bigl(g^{v_i^{(\ell)}}\bigr)^{\lambda_i^{F_{2,A}}} = \prod_{P_i \in F_{2,A}} (D_{i\ell})^{\lambda_i^{F_{2,A}}}$$
Finally, the commitments corresponding to the components of the vector that shares the secret proxy key $x_P = x_B + s_A \bmod q$ will be $U_\ell = B_\ell V_\ell$, for $1 \leq \ell \leq t_B$.

Note also that another possible strategy is to have an authority that receives the shares $\sigma_i$ from players in $A$, computes the secret value $s_A$ from these shares, and redistributes shares of $s_A$ among players in $B$. This solution reduces the total number of communications of the scheme, but it has some drawbacks: the authority must be fully trusted and reliable (opposite to the philosophy of this work), and a bottleneck in the system is possible.
Distributed generation of a proxy signature

If the players of entity $B$ want to sign a message $M$ conforming to $M_{\omega_A}$ on behalf of entity $A$, they execute
$$\mathrm{DistSchnSig}\bigl(B, \Gamma_B, \mathcal{A}_B, M, y_P, \{x_{P,j}\}_{j \in B}, \{U_\ell\}_{1 \leq \ell \leq t_B}\bigr) = (r_P, s_P)$$
The proxy signature is the tuple $(M, r_P, s_P, M_{\omega_A}, r_A)$.

Verification

The recipient of a proxy signature can verify its validity exactly as in the non-distributed scheme of Section 2, by checking that $M$ conforms to $M_{\omega_A}$ and that
$$g^{s_P} = r_P \, \bigl(y_B \, r_A \, y_A^{H(M_{\omega_A}, r_A)}\bigr)^{H(M, r_P)}$$
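The three protocols of Sections 3.2, 3.3 and 4.2 run together (joint key generation, DistSchnSig with the step-3 check on partial signatures, and the distributed proxy key generation with both step-4 checks), as an added Python example that is not part of the paper. Assumptions of the example: the toy group $p = 2039$, $q = 1019$, $g = 4$; Shamir's $\psi$ as the vector space instance, with player $0$ standing for $D$ and Lagrange coefficients as the public $\lambda$'s; Feldman commitments alone in the joint generation (the paper's step 1 uses Pedersen's $g^{v} h^{w}$ commitments first, which this example omits); complaints collapsed into a direct rejection of any dealer whose shares fail the check; and a seeded random generator.

```python
# Joint secret generation, distributed Schnorr signing and distributed proxy key generation.
import hashlib
import math
import random

P, Q, G = 2039, 1019, 4   # toy group: P = 2Q + 1 prime, G = 4 generates the order-Q subgroup
rng = random.Random(7)    # deterministic toy randomness; real code uses a CSPRNG

def H(message, r):
    data = str(message).encode() + b"|" + str(r).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def psi(i, t):
    # Shamir as a vector-space scheme: psi(i) = (1, i, ..., i^{t-1}); i = 0 stands for D
    return [pow(i, m, Q) for m in range(t)]

def recomb(idxs):
    # public coefficients lambda_j with sum_j lambda_j psi(j) = psi(D) (Lagrange at 0)
    return {j: math.prod(-m for m in idxs if m != j)
            * pow(math.prod(j - m for m in idxs if m != j), -1, Q) % Q for j in idxs}

def feldman_share(secret, t, players):
    # dealer: v with v.psi(D) = secret, share s_j = v.psi(j), commitments A_m = g^{v^(m)}
    v = [secret] + [rng.randrange(Q) for _ in range(t - 1)]
    shares = {j: sum(a * b for a, b in zip(v, psi(j, t))) % Q for j in players}
    return shares, [pow(G, vm, P) for vm in v]

def commit_eval(comm, i, t):
    # prod_m (A_m)^{psi(i)^(m)} = g^{v.psi(i)}; with i = 0 this gives g^{v.psi(D)}
    out = 1
    for Am, pim in zip(comm, psi(i, t)):
        out = out * pow(Am, pim, P) % P
    return out

def joint_gen(players, t, liars=()):
    # Section 3.2: every player deals a random k_i; a dealer whose shares fail equation (2) is
    # rejected (complaints collapsed into a direct check). Returns shares of x, A_m, y, F0
    xs, comm, F0 = {j: 0 for j in players}, [1] * t, []
    for i in players:
        sh, c = feldman_share(rng.randrange(Q), t, players)
        if i in liars:
            sh[players[0]] = (sh[players[0]] + 1) % Q    # inconsistent share for one player
        if all(pow(G, sh[j], P) == commit_eval(c, j, t) for j in players):
            F0.append(i)
            xs = {j: (xs[j] + sh[j]) % Q for j in players}
            comm = [a * b % P for a, b in zip(comm, c)]
    return xs, comm, comm[0], F0

def partial_rhs(i, e, k_comm, x_comm, t):
    # right-hand side of the check in step 3 of Section 3.3, which must equal g^{gamma_i}
    return commit_eval(k_comm, i, t) * pow(commit_eval(x_comm, i, t), e, P) % P

def dist_schnorr_sign(players, t, x_shares, x_comm, M, liars=()):
    # DistSchnSig: joint nonce, partial signatures checked against the commitments, then
    # combination over F3 with the public coefficients lambda_j^{F3}
    ks, k_comm, r, _ = joint_gen(players, t)
    e, gammas = H(M, r), {}
    for i in players:
        gamma = (ks[i] + e * x_shares[i] + (1 if i in liars else 0)) % Q
        if pow(G, gamma, P) == partial_rhs(i, e, k_comm, x_comm, t):
            gammas[i] = gamma
    F3 = sorted(gammas)[:t]
    lam = recomb(F3)
    return r, sum(lam[j] * gammas[j] for j in F3) % Q

def schnorr_verify(y, M, r, s):
    return pow(G, s, P) == r * pow(y, H(M, r), P) % P

def dist_proxy_keygen(A, tA, xA, xA_comm, yA, B, tB, xB, xB_comm, yB, warrant):
    # Section 4.2, steps 1-6: A jointly signs the warrant but never assembles s_A; each P_i
    # re-shares its partial sigma_i among B, B runs both step-4 checks, then combines
    kA, kA_comm, rA, F1 = joint_gen(A, tA)
    e = H(warrant, rA)
    sig_sh, sig_comm, F2 = {}, {}, []
    for i in F1:
        sigma_i = (kA[i] + e * xA[i]) % Q
        sig_sh[i], sig_comm[i] = feldman_share(sigma_i, tB, B)     # commitments D_{i,l}
        shares_ok = all(pow(G, sig_sh[i][j], P) == commit_eval(sig_comm[i], j, tB) for j in B)
        sigma_ok = commit_eval(sig_comm[i], 0, tB) == partial_rhs(i, e, kA_comm, xA_comm, tA)
        if shares_ok and sigma_ok:
            F2.append(i)
    F2 = F2[:tA]
    lam = recomb(F2)                                              # lambda_i^{F_{2,A}}
    xP = {j: (xB[j] + sum(lam[i] * sig_sh[i][j] for i in F2)) % Q for j in B}
    V = [1] * tB
    for i in F2:                                                  # V_l = prod_i D_{i,l}^{lambda_i}
        V = [v * pow(d, lam[i], P) % P for v, d in zip(V, sig_comm[i])]
    U = [b * v % P for b, v in zip(xB_comm, V)]                   # U_l = B_l V_l
    yP = yB * rA * pow(yA, e, P) % P                              # y_P = y_B r_A y_A^{H(M_w, r_A)}
    return xP, U, yP, rA

def demo():
    A, B = [1, 2, 3, 4], [1, 2, 3]
    xA, xA_comm, yA, _ = joint_gen(A, 2)
    xB, xB_comm, yB, _ = joint_gen(B, 2)
    warrant = "B may sign purchase orders below 10k EUR"
    xP, U, yP, rA = dist_proxy_keygen(A, 2, xA, xA_comm, yA, B, 2, xB, xB_comm, yB, warrant)
    rP, sP = dist_schnorr_sign(B, 2, xP, U, "purchase order 4200 EUR", liars=(2,))
    return schnorr_verify(yP, "purchase order 4200 EUR", rP, sP) and yP == U[0]
```

In `demo`, no player of $A$ ever holds $s_A$ and no player of $B$ ever holds $x_P$; $B$ still signs a message that verifies under $y_P$ recomputed from public data, and $U_1 = g^{x_P}$ (the first commitment of the proxy key vector) agrees with $y_P = y_B r_A y_A^{H(M_{\omega_A}, r_A)}$. Player $Q_2$ sends a wrong partial signature and is excluded by the step-3 check; the other two players form an authorized subset and finish, which is the robustness argument of Section 3.3 in miniature.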
The security of our distributed proxy signature scheme stems from the security requirements that are satisfied by the proxy signature scheme of Lee et al. [8], and from the existential unforgeability of the distributed Schnorr's signature scheme under chosen message attacks, in the random oracle model [15]. Roughly speaking, if an algorithm could forge a new distributed proxy signature after some executions of our scheme (in which the forger algorithm views all the public information and the secret information of a tolerated subset of dishonest players), then we could construct from it another algorithm that would forge a distributed Schnorr's signature; and this is computationally infeasible, in the random oracle model.

Thus, if the conditions $\Gamma_A \cap \mathcal{A}_A = \emptyset$ and $\Gamma_B \cap \mathcal{A}_B = \emptyset$ hold, we can state that any subset of $\mathcal{A}_A$ does not obtain any information that allows it to delegate $A$'s signing capability to a proxy entity; and any subset of $\mathcal{A}_B$ does not obtain any information that allows it to sign a message on behalf of an original signer entity $A$ (strong distributed unforgeability). Moreover, the distributed proxy signature scheme satisfies the requirements of verifiability, strong identifiability, strong undeniability and prevention of misuse (see Section 2).

Steps 3 and 4 in the distributed proxy key generation phase are a variation of Feldman's verifiable secret sharing scheme (which is computationally secure, see [3]). In these steps, players in $B$ detect dishonest players $P_i \in F_{1,A}$ who want to share an incorrect $\tilde{\sigma}_i$ among players in $B$, or who want to give them shares $\tilde{s}_{ij}$ which are inconsistent with the correct $\sigma_i$.

Since we impose $\mathcal{A}_A^c \subseteq \Gamma_A$ and $\mathcal{A}_B^c \subseteq \Gamma_B$, the scheme is robust: an authorized subset always remains in the set of non-rejected players and can execute each step of the protocol. Note that, even in the case where the players of a subset $R_A \in \mathcal{A}_A$ and the players of a subset $R_B \in \mathcal{A}_B$ are corrupted at the same time by the same adversary, the scheme is unforgeable and robust.
5 Conclusion and Open Problems
In this paper we propose a secure and fully distributed proxy signature scheme. We consider a framework which is more general than the threshold one, in the sense that the authorized subsets and the tolerated subsets of dishonest players are not necessarily defined according to their cardinality. We state the combinatorial conditions that these structures must satisfy if we want our scheme to be unforgeable and robust. The scheme is based on the results of [8] and [15], and inherits its security from the security of these two previous works. All these properties, especially the fact that we distribute not only the power of the proxy signer, but also the original signer's ability to delegate his signing capability, make our scheme more complete than the previous proposals of threshold proxy signature schemes ([16, 7, 6]).
Distributing protocols is a way of achieving security and reliability, so our scheme can be used in a framework in which entities wish to prevent external attacks or dishonest actions by their own members. For example, we might imagine a company in which a department wants to delegate its signing capability to a proxy department of the same company. These departments are formed by many members, and it is dangerous to give all the power of a department to a single member. Our work allows this company to be secure, so that there is no possibility of irregularity in the functioning of the company, even in the presence of some dishonest members in each department. Besides, we consider general access structures (not only threshold ones) in the departments; that is, the members do not all have the same power or influence within the department. We also consider general adversary structures; that is, members do not all have the same susceptibility to being corrupted.
Some problems remain open in the area of proxy signatures. Up to now, all the proposed schemes are based on Schnorr's signature scheme; therefore the keys of all the users lie in the same group and the security parameters must be the same for each user. This may sometimes be undesirable, so it would be very interesting to find proxy signature schemes based on other signature schemes in which this situation does not arise (for example, RSA). The discrete logarithm problem can also be used, as in DSS [4]; but that scheme makes use of the so-called multiplication problem, which has an efficient solution only in the threshold case if an active adversary is considered. So it will be very interesting to find a way of solving the multiplication problem in the case of more general structures.
Finally, the number of communications between the participants in our fully distributed scheme is quite large, but this is in part inherited from the cost of the joint generation of a random secret value. Furthermore, communications between entities A and B must be performed only once. However, perhaps other fully distributed proxy signature schemes can be designed to overcome this drawback.
References
[1] G. R. Blakley. Safeguarding cryptographic keys. Proc. of the National Computer Conf., American Fed. of Information Processing Societies Proceedings 48, p. 313-317 (1979).
[2] E. F. Brickell. Some ideal secret sharing schemes. J. Combin. Math. and Combin. Comput. 9, p. 105-113 (1989).
[3] P. Feldman. A practical scheme for non-interactive verifiable secret sharing. Proc. of the 28th IEEE Symp. on the Found. of Computer Science. IEEE Press, p. 427-437 (1987).
[4] R. Gennaro, S. Jarecki, H. Krawczyk and T. Rabin. Robust Threshold DSS Signatures. Advances in Cryptology - Eurocrypt'96, LNCS 1070, Springer-Verlag, p. 354-371 (1996).
[5] R. Gennaro, S. Jarecki, H. Krawczyk and T. Rabin. Secure distributed key generation for discrete-log based cryptosystems. Advances in Cryptology - Eurocrypt'99, LNCS 1592, Springer-Verlag, p. 295-310 (1999).
[6] M. Hwang, I. Lin and E. J. Lu. A secure nonrepudiable threshold proxy signature scheme with known signers. International Journal of Informatica, vol. 11, no. 2, p. 1-8 (2000).
[7] S. Kim, S. Park and D. Won. Proxy signatures, revisited. Proc. of International Conference on Information and Communications Security (ICICS'97), p. 223-232 (1997).
[8] B. Lee, H. Kim and K. Kim. Strong proxy signature and its applications. The 2001 Symposium on Cryptography and Information Security (SCIS 2001) (2001).
[9] M. Mambo, K. Usuda and E. Okamoto. Proxy signatures: Delegation of the power to sign messages. IEICE Trans. Fundamentals Vol. E79-A, No. 9, p. 1338-1353 (1996).
[10] T. P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. Advances in Cryptology - CRYPTO'91, LNCS 576, Springer-Verlag, p. 129-140 (1991).
[11] D. Pointcheval and J. Stern. Security proofs for signature schemes. Advances in Cryptology - Eurocrypt'96, LNCS 1070, Springer-Verlag, p. 387-398 (1996).
[12] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology Vol. 4, p. 161-174 (1991).
[13] A. Shamir. How to share a secret. Com. of the ACM No. 22, p. 612-613 (1979).
[14] G. J. Simmons, W. Jackson and K. Martin. The geometry of secret sharing schemes. Bulletin of the ICA 1, p. 71-88 (1991).
[15] D. R. Stinson and R. Strobl. Provably secure distributed Schnorr signatures and a (t, n) threshold scheme for implicit certificates. Sixth Australasian Conference on Information Security and Privacy (ACISP 2001), LNCS 2119, Springer-Verlag, p. 417-434 (2001).
[16] K. Zhang. Threshold proxy signature scheme. 1997 Information Security Workshop,