A proxy partially blind signature scheme with proxy revocation

Abstract

The constant privilege misuse of the signers is one of the most common problems of the schemes of proxy blind signatures. In 2008, Liu et al. proposed a proxy signature scheme capable of revoking proxy privileges. In this method, the original signer can terminate the proxy privilege at any time without needing to go through a commonly trusted third party. However, this scheme is unable to provide untraceability, and is vulnerable to counterfeit signature attacks. This study reviews Liu et al.’s scheme and its security loopholes, and proposes a proxy partially blind signature scheme. The proposed scheme not only retains the revocation functions in Liu et al.’s approach, but also meets the security requirements of proxy blind signatures.

Appendices

Appendix A: Review of Liu et al.’s scheme

Liu et al. suggested a new proxy blind signature scheme capable of revoking the privileges of proxy signers. The participants in their scheme include an original signer, a proxy signer, a signature receiver, and an authenticator. The scheme contains five phases: proxy key generation, proxy blind signature generation, signature extraction, signature authentication, and proxy privilege revocation. The appendix first introduces the scheme’s parameter settings and then describes the details of every phase.

1.1 System parameter settings

• p, q : two large prime numbers generated by the system that satisfy q | p − 1. In addition, p is the common modulus used in future calculations.

• g : g is an element of Z _p * whose order is q

• x _A , y _A : private and public keys that belong to the original signer, and \( y_{A} = g^{{x_{A} }} \bmod\, p \)

• x _B , y _B : private and public keys that belong to the proxy signer, \( y_{B} = g^{{x_{B} }} \bmod\, p \)

• x _P , y _P : private and public keys of the proxy signature, and \( y_{P} = g^{{x_{P} }} \bmod\, p \)

• m _w : warrant message (certificate) of the proxy signature, including identification information of the original signer and proxy signer, proxy privileges, and the proxy period

• H(·): secure one-way, collision-free hash function

1.2 Proxy key generation phase

The original signer executes the following steps when delegating the signing power to the proxy signer.

(a) The original signer selects a random number k _A  ∈ Z _q *, and generates an authorization signature S_A on messages (m_w, y_A, y_B). The calculations are as follows:

$$ r_{A} = g^{{k_{A} }} \bmod\, p $$

$$ h = H\left( {m_{w} ,r_{A} ,y_{A} ,y_{B} } \right) $$

$$ S_{A} = x_{A} + k_{A} \cdot h\bmod\, q $$

The original signer then sends the triplet (m _w , r _A , S _A ) to the proxy singer.

(b) After receiving the authorization message (r _A , S _A ) and authorization letter m _w , the proxy signer calculates the hash value and verifies whether the authorization signature S _A is legal.

$$ h = H\left( {m_{w} ,r_{A} ,y_{A} ,y_{B} } \right) $$

$$ g^{{S_{A} }} \mathop ?\limits_{ = } y_{A} \cdot r_{A}^{h} \bmod\, p $$

If the equation holds, the proxy signer accepts the proxy request. Through an effective authorization message, the proxy signer generates a private proxy signing key x _P and its associated public key y _P using the following equations:

$$ x_{P} = x_{B} \cdot y_{B} + S_{A} \bmod\, q $$

$$ y_{P} = g^{{x_{P} }} = y_{B}^{{y_{B} }} \cdot y_{A} \cdot r_{A}^{h} \bmod\,p $$

The proxy signer broadcasts the public key y _P after calculations. Figure 4 shows the pictorial description of the proxy key generation phase.

Fig. 4

The proxy key generation phase

Proxy blind signature generation phase

Assume that a signature receiver requests the proxy signer to sign a signature blindly. The proxy signer and signature receiver must cooperatively execute the following steps.

(a) The proxy signer chooses three random numbers u, s, d ∈ Z _q * and calculates parameters a and b using the following equations:

$$ a = g^{u} \bmod\,p $$

$$ b = g^{s} \cdot T^{d} \bmod\,p $$

The symbol T is the timestamp taken during the computations of a, b. Subsequently, the proxy signer sends (a, b, m _w , r _A , T) to the signature receiver.

(b) After receiving the message, the signature receiver calculates the hash value and verifies whether the authorization message is legal using the following equations:

$$ h = H\left( {m_{w} ,r_{A} ,y_{A} ,y_{B} } \right) $$

$$ y_{P} \mathop ?\limits_{ = } y_{B}^{{y_{B} }} \cdot y_{A} \cdot r_{A}^{h} \bmod\,p $$

If the authorization message is valid, the signature receiver believes that the original signer has authorized the proxy signer. Next, the signature receiver verifies T to see if it is within effective time frame and within the proxy signature period authorized by the warrant m _w . The signature receiver must also determine whether r _A appears on the revocation list. If it is on the current list of revocation, the receiver terminates the communication with the proxy signer. Otherwise, the signature receiver produces four blind factors t ₁, t ₂, t ₃, t ₄ ∈ Z _q *. Blinding the original message M yields a blind hash value e as follows.

$$ \alpha = a \cdot g^{t1} \cdot y_{p}^{t2} \bmod\,p $$

$$ \beta = b \cdot g^{t3} \cdot T^{t4} \bmod\, p $$

$$ \varepsilon = H\left( {\alpha ,\beta ,T,M} \right) $$

$$ e = \varepsilon - t_{2} - t_{4} \bmod\, q $$

The signature receiver then sends the blind hash value e to the proxy signer.

(c) When receiving the blind hash value e, the proxy signer signs on this blind hash value using the proxy signature private key x _P authorized by both the original signer and proxy signer, and obtains a blind message r after signature. The following is the details of computations.

$$ c = e - d\bmod\, q $$

$$ r = u - c \cdot x_{P} \bmod\, q $$

The proxy signer then returns the blind signature message (r, c, s, d) to the signature receiver. Figure 5 shows the phases of the partially blind signature generation and extraction.

Fig. 5

The proxy partially blind signature generation and extraction phase

Signature extraction phase

When receiving the blind message (r, c, s, d), the signature receiver un-blinds the message and calculates ρ, ϖ, σ, δ as follows:

$$ \rho = r + t_{1} \bmod\, q $$

$$ \varpi = c + t_{2} \bmod\, q $$

$$ \sigma = s + t_{3} \bmod\, q $$

$$ \delta = d + t_{4} \bmod\, q $$

Finally, the signature receiver obtains the complete proxy blind signature, i.e. (M, ρ, ϖ, σ, δ, r _A , m _w , T). The details of the extraction phase are shown in the Fig. 5.

Signature authentication phase

After receiving the public signature document (M, ρ, ϖ, σ, δ, r _A , m _w , T) sent by the signature receiver, the authenticator verifies whether the signature is legal using the following equations:

$$ \varpi + \delta \mathop ?\limits_{ = } H\left( {g^{\rho } \cdot y_{P}^{\varpi } ,g^{\sigma } \cdot T^{\delta } ,T,M} \right) $$

If the signature is legal, the signature receiver knows that the legal original signer has delegated signing power to the proxy signer and the proxy signer has signed and sent the signature document. Figure 6 shows the detail of the authentication phase.

Fig. 6

The signature authentication phase

Proxy revocation phase

In traditional proxy blind signatures, the letter of authorization m _w indicates the proxy privileges expiration time: the original signer revokes proxy privileges at this time. In Liu et al.’s scheme, if proxy signers abuse their authorization privileges, original signers have the ability to prematurely revoke proxy privileges by adding r _A to the public revocation list. Anyone can determine whether the proxy privilege is still effective by reviewing this list. Because any signatures made by the proxy signer before revocation are still effective, signed documents must always include the time of signing. Consequently, this time determines whether the signature is still effective. To reduce the system overhead, at the time of proxy privilege expiration, the system automatically removes r _A from the revocation list to prevent unlimited growing of the database.