Secure Delegation of Signing Power from Factorization

University of Wollongong Research Online

Faculty of Engineering and Information Faculty of Engineering and Information Sciences - Papers: Part A Sciences

1-1-2015

Secure delegation of signing power from factorization

Yong Yu University of Wollongong, [email protected]

Man Ho Au University of Wollongong, [email protected]

Yi Mu University of Wollongong, [email protected]

Willy Susilo University of Wollongong, [email protected]

Huai Wu University of Electronic Science and Technology of China, [email protected]

Follow this and additional works at: https://ro.uow.edu.au/eispapers

Part of the Engineering Commons, and the Science and Technology Studies Commons

Recommended Citation Yu, Yong; Au, Man Ho; Mu, Yi; Susilo, Willy; and Wu, Huai, "Secure delegation of signing power from factorization" (2015). Faculty of Engineering and Information Sciences - Papers: Part A. 5030. https://ro.uow.edu.au/eispapers/5030

Research Online is the open access institutional repository for the University of Wollongong. For further information contact the UOW Library: [email protected] Secure delegation of signing power from factorization

Abstract Delegation of signing is a working way common in oce automation work, and is also an important approach to establish trust. Proxy signature is an important cryptographic primitive for delegating the signing powers and it has found many real world applications. The existing proxy signature schemes from factorization assumption are either insecure or inecient. In this paper, we propose a novel, ecient and provably secure proxy signature scheme from factorization. Our construction makes use of a factorization based key-exposure free chameleon hash function in the delegation phase and the proxy signer needs only to nd a collision to a chameleon hash value to generate a valid proxy signature. As a result, our scheme is highly ecient in terms of the computation of a proxy signature. We also provide a formal security proof by classifying the adversaries into three categories. Comparisons demonstrate that the new scheme outperforms the known ones in terms of security, computational eciency and the length of the public key.

Disciplines Engineering | Science and Technology Studies

Publication Details Yu, Y., Au, M. Ho., Mu, Y., Susilo, W. & Wu, H. (2015). Secure delegation of signing power from factorization. The Computer Journal, 58 (4), 867-877.

This journal article is available at Research Online: https://ro.uow.edu.au/eispapers/5030 Secure Delegation of Signing Power from Factorization

Yong Yu1,2, Man Ho Au2,∗, Yi Mu2, Willy Susilo2, Huai Wu1

1. School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, 610054, PR China 2. Centre for Information and Computer Security Research, School of Computer Science and Software Engineering, University of Wollongong, Wollongong, NSW 2522, Australia Email: [email protected]

Delegation of signing is a working way common in office automation work, and is also an important approach to establish trust. Proxy signature is an important cryptographic primitive for delegating the signing powers and it has found many real world applications. The existing proxy signature schemes from factorization assumption are either insecure or inefficient. In this paper, we propose a novel, efficient and provably secure proxy signature scheme from factorization. Our construction makes use of a factorization based key-exposure free chameleon hash function in the delegation phase and the proxy signer needs only to find a collision to a chameleon hash value to generate a valid proxy signature. As a result, our scheme is highly efficient in terms of the computation of a proxy signature. We also provide a formal security proof by classifying the adversaries into three categories. Comparisons demonstrate that the new scheme outperforms the known ones in terms of security, computational efficiency and the length of the public key.

Keywords: Digital signature, Proxy signature, Factorization, Provable security Received 00 January 2013; revised 00 Month 2013

1. INTRODUCTION to proxy-protected proxy signature authorized by using delegation with warrant in this paper. The notion of proxy signature [1] was put forth by The security of the majority existing proxy signature Mambo et al., which enables a proxy signer to sign schemes depends on the discrete logarithm assumption on behalf of an original signer in the case where the and some intractable assumptions on elliptic curves. original signer is unavailable (eg. temporal absence, To avoid putting all eggs in one basket, Shao [19] lack of computational power etc.). Subsequently, many proposed two proxy signature schemes based on the proxy signature schemes with their variants, analysis, factorization assumption. However, no formal security improvements and applications have been proposed in analysis was provided. Subsequently, Shao [20] designed the literature [2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, a new proxy signature scheme from factorization and 16, 17, 18, 19]. Proxy signatures have been suggested proved the security in the random oracle model. for extensive usage in numerous practical applications Zhou et al.[21] described two efficient proxy-protected such as in distributed computing, e-commerce, e-cash, signature schemes based on RSA assumption and the and grid computing where delegation of rights is quite factoring assumption respectively. Unfortunately, Park common [5, 6, 7]. Mambo et al. [1] classified proxy et al. [22] showed that both schemes are vulnerable to signatures into two categories: proxy-unprotected and outsider attacks. In 2007, Liu et al. [23] proposed an proxy-protected. A proxy-protected scheme, where improvement of Zhou et al.’s scheme and claimed that only the proxy signer is able to generate valid proxy the new construction satisfies all the desirable security signatures, is more practical since it accommodates requirements of a secure proxy signature. However, Hu some highly desirable properties such as fairness and et al. [24] discovered that Liu et al.’s scheme [23] is not signature ownership. In an orthogonal dimension, secure against a malicious original signer’s attack. In proxy signatures can also be classified according to 2012, Yu et al. [33] proposed a provably secure proxy their delegation types, including full delegation, partial signature scheme from factorization. The construction delegation, delegation with warrant and threshold in [33] is conceptually simple and elegant: the original delegation. At present, delegation with warrant is the signer issues a standard digital signature on the public most popular choice because of its high security and key of the proxy signer together with the delegation flexible delegation policy. Thus, we limit our attention policy under which the proxy signer is authorized to sign

The Computer Journal, Vol. ??, No. ??, ???? 2 Y. Yu, M.H. AU, Y. Mu, W. Susilo on behalf of the original signer. This standard signature proposed such as in [38, 37, 39, 40]. is viewed as a warrant. A proxy signature from this The use of Chameleon Hash in Proxy proxy signer is a standard signature on the message Signatures Mehta and Harn [41] firstly introduced under the proxy’s public key together with the warrant. the idea of using chameleon hash to construct novel To verify a proxy signature, anyone can check if the proxy signature schemes where verifiers need not be warrant is a valid signature from the original signer on aware of the existence of a proxy. However, in the public key of the proxy signer and the delegation their scheme, the proxy signer can only sign one policy, followed by the validation of the signature under time since two valid proxy signatures will lead to the the proxy’s public key. Yu et al. [33] instantiated the exposure of his trapdoor. Recently, Chandrasekhar et above idea based on an improved Rabin-type signature al. [42] presented a technique of using trapdoor hash [25]. The scheme was shown secure against both functions to build proxy signature that does not restrict outsider attackers and insider attackers. the number of signatures a proxy can generate per It is relatively straightforward to construct proxy delegation. We first review their generic construction signature schemes following the two signature approach and highlight some of the subtle issues when we describe discussed above, and the security of the resulting their concrete instantiation from the discrete logarithm scheme depends on the unforgeability of the underlying assumption. In their generic approach, the trapdoor digital signature scheme. While this approach is hash function is used as the public key of a proxy while clever, it imposes a lower bound on the time and the trapdoor is the secret key. When the delegator space complexities of the resulting proxy signature wishes to delegate his signing right to this proxy, he since it can be viewed as a consecutive execution of creates a signature σ on a value h concatenated with the two digital signature instances. In this paper, our warrant w, where h is the output of the trapdoor hash goal is to construct an efficient secure proxy signature function of the proxy on input w and randomness r. scheme that is secure under hardness of factorization, When the proxy wishes to create a proxy signature on a a fundamental and well-studied intractable problem in message m, it uses his trapdoor to compute randomness number theory. By efficient we require that the time c such that (m, c) also ‘hashes” to h. A proxy signature and space complexity should be less than the cost then consists of the signature σ from the original signer of running two standard signature instances and thus on the chameleon hash value h concatenated with the another approach is adopted. warrant w, the warrant w, as well as the randomness r and c. The verification of the proxy signature 1.1. Related Work involves computing h which is the chameleon hash of w with randomness r, validating σ on h||w and that Chameleon Hash Our approach in the construction the message m together with randomness c “hashes” to of proxy signatures involves the use of another crypto- h. Note that this approach is novel in that it does not graphic primitive called Chameleon hash function intro- involve operations on two signatures. duced by Krawczyk and Rabin [34]. Roughly speaking, Obviously, the approach requires key exposure-free chameleon hash, also known as trapdoor hash, is a trap- chameleon hash function since a proxy signatures door one-way function, which prevents anyone except consist of a collision. Chandrasekhar et al. proposed the holder of the trapdoor from finding the collisions of a discrete-logarithm based chameleon hash function for a random input. Specifically, to evaluate the hash of an the purpose. A detailed analysis of their concrete input m, a random number r is chosen and the function construction reviewed that their DL-based construction takes m, r as input for evaluation. Given the trapdoor of is not a straightforward instantiation of the above the chameleon hash function, the original input m and conceptual idea. Firstly, h is not just the trapdoor r, together with another input m0, the trapdoor hold- hash of the warrant w. Instead, it is the trapdoor hash er could output another randonness r0 such that (m, r) of another value which is the hash of the public key and (m0, r0) evaluates to the same hash value. This is a of the proxy concatenated with the warrant. Secondly, useful primitive for constructing chameleon signatures σ is not a signature on h||w. Rather, it is a Schnorr [34], online/offline signatures [35, 36] etc. Ateniese and signature on the string h||w||r and that the randomness Mederious [37] discussed the key exposure problem in r is also part of the Schnorr signature. In other words, r the original formulation of chameleon hash function due is part of the signature from the original signer as well as to Krawczyk et al.[34]. Specifically, while the trapdoor the randomness used in the evaluation of the chameleon holder can generate collisions (two distinct input that hash. On one hand, this modification from the above “hashes” to the same output), the trapdoor can be com- conceptual idea allows the compression of the proxy puted based on any pair of collisions. They mentioned signature via safe re-use of randomness. On the other that this phenomena is undesirable in applications in hand, these deviations from the generic construction which the pair of collisions will be released eventually appeared to be necessary to prevent a malicious proxy and introduced identity-based chameleon hash [37] to from creating another chameleon hash function and solve the problem. Subsequently, many novel chameleon randomness r0 such that (w, r0) also “hashes” to the hash schemes without the key-exposure problem were same value h for this new chameleon hash function. The

The Computer Journal, Vol. ??, No. ??, ???? Secure Delegation of Signing Power from Factorization 3 use of the same randomness r in the signature and the Definition 2. Let p be an odd prime and a an chameleon hash function evaluation tied the signature a integer. The Legendre symbol p is defined by from the original signer to the specific hash value being signed. This technique is especially suitable for Schnorr-  1, if a ∈ Q ,  p type signatures [26], where the randomness used can be a ¯ p = −1, if a ∈ Qp, generated before the message to be signed is known.  0, if p | a. Thus, it is non-trivial to construct factorization-based When the modulo n is a composite number, Jacobi proxy signatures following this conceptual approach. It symbol ( a ), a generalization of the Legendre symbol, involves subtle modifications in addition to choosing n will be involved. appropriate building blocks that are secure under the Definition 3. Let n ≥ 3 be odd with prime factorization assumption. factorization n = pe1 pe2 ··· pet , the Jacobi symbol a Our contributions. To our best knowledge, 1 2 t n is defined by the formula there has not been such a factorization-based proxy signature scheme that achieves provable security, a a e1 a e2 a et ( ) = ( ) ( ) ··· ( ) . efficiency and novelty simultaneously. Therefore, n p1 p2 pt our main contribution of this paper is to fill Definition 4. A Blum integer is a composite integer this gap by providing a provably secure and non- of the form n = pq, where p and q are distinct primes consecutive proxy signature scheme from factorization. each congruent to 3 modulo 4. Specifically, we propose a new proxy signature scheme Fact 2. If n = pq is a Blum integer, the function by incorporating factorization-based chameleon hash f : Q → Q defined by f(x) ≡ x2 (mod n) is a function and improved Rabin-type digital signatures n n permutation. The inverse function of f is [27] where n = pq is a Williams integer. We show that our scheme achieves all the desirable −1 (p−1)(q−1)+4 f (x) ≡ x 8 (mod n). properties a secure proxy signature should possess and provide formal security proofs as well under 2.2. Complexity assumptions the factorization assumption in the random oracle model. The theoretical analysis and the experimental Integer Factorization Problem. Given n, an odd results demonstrate that the new scheme offers stronger composite integer with at least two distinct large prime security, higher computational efficiency and shorter factors, output a prime number p such that p|n. The public key simultaneously. probability that a polynomially bounded algorithm A Organization: Section 2 reviews some preliminaries can solve the integer factorization problem is defined as IF used in this paper. Section 3 describes the formal model SuccA = Pr[p ← A(n)]. of proxy signature schemes. Section 4 presents our Integer Factorization Assumption. Given an proxy signature scheme and the comparisons with other odd composite integer n with distinct large prime IF schemes. Section 5 provides security analysis of the new factors, SuccA is negligible. scheme. Section 6 concludes the paper. 3. FORMAL MODELS OF PROXY SIGNA- 2. PRELIMINARIES TURE SCHEMES In this section, we review some basic knowledge In this section, we briefly review the components and used in this paper, including quadratic residue, security model of proxy signature schemes [14, 6]. Legendre symbol, Jacobi symbol and the factorization assumption [28, 29]. 3.1. The compents of proxy signature schemes Two participants, namely an original signer Alice and 2.1. Related definitions and facts a proxy signer Bob, are involved in a proxy signature Definition 1. Let a ∈ Z∗, the multiplicative group scheme. The scheme consists of the following five n algorithms: Setup, KeyGen, DelGen, ProxySign and of Zn. a is said to be a quadratic residue modulo n, ∗ 2 Verification. if there exists an x ∈ Zn such that x ≡ a (mod n). If no such x exists, a is called a quadratic nonresidue Setup: On input the system security parameter, this modulo n. The set of all quadratic residues modulo n is algorithm generates system’s parameters. denoted by Qn and the set of all quadratic nonresidues KeyGen: On input the system’s parameters, this is denoted by Q¯n. Fact 1. Let n = pq, a product of two distinct algorithm outputs secret-public key pairs for Alice ∗ and Bob. odd primes p and q. Then a ∈ Zn is a quadratic residue modulo n if and only if a ∈ Qp and a ∈ Qq. DelGen: On input the system’s parameters, Alice’s (p−1)(q−1) It follows that |Qn| = |Qp| · |Qq| = 4 and secret key ska and the warrant w, this algorithm ¯ 3(p−1)(q−1) |Qn| = 4 . generates a delegation σw of w.

The Computer Journal, Vol. ??, No. ??, ???? 4 Y. Yu, M.H. AU, Y. Mu, W. Susilo

ProxySign: On input the system’s parameters, the Type 2: As a malicious proxy signer, A2 additionally warrant w, the delegation σw, the secret key skb of holds the secret key of the proxy signer Bob. the proxy signer and the message m to be signed, this algorithm generates a proxy signature σ on m Type 3: A3 simulates a malicious original signer and under the warrant w. has the secret key of the original signer Alice.

Verification: On input the system’s parameters, Obviously, if a proxy signature scheme is unforgeable against Type 2 and Type 3 adversaries, it is unforgeable original signer’s public key pka, proxy signer’s against Type 1 adversary as well. public key pkb, the warrant w, the signed message m and the alleged signature σm, this algorithm outputs True if σ is a valid proxy signature on the 3.3. Security models message m and outputs ⊥ otherwise. Existential unforgeability against adaptive A2 adversary: This notion captures that it is hard for an 3.2. Security requirements for proxy signature adversary to forge a valid proxy signature on message schemes m under a warrant w, if he does not have the delegation Since the invention of proxy signature, several security of w.This property is defined using the following game requirements of this cryptographic primitive have been between a challenger C and a Type 2 adversary A2. specified to satisfy the different situations. It has been Setup: The challenger C runs the Setup algorithm widely accepted that a secure proxy signature scheme to obtain system’s parameters, and runs KeyGen should provide the following requirements [6, 5]. algorithm to obtain key pairs (ska, pka) and Verifiability: From a valid proxy signature, a verifier (skb, pkb) of the original signer and the proxy can be convinced of the original signer’s agreement signer. C then forwards (pka, pkb, skb) to A2. on the signed message. Delegation queries: A2 requests the delegations on Strong undeniability: Once a proxy signer generates warrants wi adaptively. C runs the DelGen a valid proxy signature on behalf of the original algorithm to obtain σwi and returns it to A2. signer, the proxy signer cannot deny his signature generation against anyone else. ProxySign queries: A2 requests a proxy signature on Strong identifiability: For a valid proxy signature, a message mi under a warrant wi adaptively. In anyone can determine the identity of the corre- response, C firstly runs DelGen algorithm to obtain sponding proxy signer. the delegation on w and then, runs the ProxySign algorithm to get a proxy signature σ and returns Strong unforgeability: Only the designated proxy it to A2. signer can generate valid proxy signatures on ∗ ∗ ∗ behalf of the original singer. Namely, any other Output: Finally, A2 outputs a triple (m , w , σ ), such third party, including the original signer, can not that generate a valid proxy signature in the name of the proxy signer. 1. σ∗ is a valid proxy signature on message m∗ ∗ Prevention of misuse: The proxy signing key cannot under warrant w . ∗ be used for purposes other than generating valid 2. w has not been queried during the Delegation proxy signatures. In the case of misuse, the queries. ∗ ∗ responsibility of proxy signer should be determined 3. (m , w ) has not been queried during the explicitly. ProxySign queries phase.

Among all the essential security requirements, the The success probability of an adversary A2 winning above game is defined as Succ . A can (t, q , q , ) property of strong unforgeability is the most A2 2 w ps desirable, which essentially indicates the undeniability break a proxy signature scheme if it makes at most qw and prevention of misuse. To capture the nature of Delegation queries, qps ProxySign queries, and runs in time at most t and Succ is at least . strong unforgeability well, we adopt the security model A2 of proxy signatures due to Huang et al. [14] to prove the security of our scheme. Besides outside adversaries, Existential unforgeability against adaptive A3 two types of inside adversaries are also considered in adversary: This notion says that it is difficult for the model. a malicious original signer to generate a valid proxy signature on a message m∗ which was not singed by Type 1: As an outside adversary, A1 only has the the proxy signer. It is defined using the following game public keys of Alice and Bob. between an adversary A3 and a challenger C.

The Computer Journal, Vol. ??, No. ??, ???? Secure Delegation of Signing Power from Factorization 5

Setup: The challenger C runs the Setup algorithm partial-domain hash signature schemes are provably to obtain system’s parameters, and runs KeyGen secure in the random oracle model, assuming that algorithm to obtain key pairs (ska, pka), (skb, pkb) factoring is hard, if the size of the hash function of the original signer and the proxy signer. C then is larger than 2/3 of the modulus size. In Crypto sends (pka, pkb, ska) to A3. 2004, Gentry [25] improved Coron’s results for Rabin- PDH and proposed a speciﬁc variant of the improved Rabin-PDH. We also developed a new factorization- ProxySign queries: A3 requests a proxy signature on based chameleon hash function by introducing double the pair (mi, wi) with the original signer Alice and the proxy signer Bob. In response, C outputs a trapdoor to Shamir’s scheme [35] as a building block of our construction. valid proxy signature σi and returns it to A3.

∗ ∗ ∗ 4.2. Description of the new scheme Output: Finally, A3 outputs a new triple (m , w , σ ), such that As mentioned our construction is inspired by Gentry’s signature scheme [25], together with our new Harn- 1. σ∗ is a valid proxy signature on message m∗ like chameleon hash function [36], and is described as under warrant w∗. follows. 2. (m∗, w∗) has not been queried during the Setup: The original signer Alice randomly picks two ProxySign queries phase. large primes p0 and q0 satisfying p0 ≡ 3 mod 8, q ≡ 7 mod 8 as her private key and computes The success probability of an adversary A3 winning 0 n = p q as her public key. The proxy signer picks above game is deﬁned as SuccA . We say that A3 can 0 0 0 3 two safe primes p , q and computes n = p q . (t, qps, ) break a proxy signature scheme if A3 makes 1 1 1 1 1 Compute p0 = p1−1 , q0 = q1−1 and λ(n ) = at most qps proxy signature queries in time at most t 1 2 1 2 1 lcm(p − 1, q − 1) = 2p0q0. Choose an element and SuccA is at least . 1 1 3 g ∈ Z∗ of order λ(n ). Let H , H and H be three n1 1 1 2 3 ∗ 0 secure hash functions where H1 : {0, 1} → [h, h ) 4. OUR CONSTRUCTION 2 00 0 3 ∗ with h = h − h (mod n0) ≥ 8n0 , H2 : {0, 1} → In this section, we ﬁrst describe our design philosophy ∗ Zn and H3 : {0, 1} → Zn . The public chameleon and the choice of our building blocks, followed by a 1 1 hash key of the proxy signer is (n1, g) and the detailed description of our chameleon hash-based proxy private trapdoor key is (p1, q1). signature scheme based on factorization. Then, we will compare the performance of the new scheme with the Delegation: The original signer delegates her signing existing ones in the same style. power to a proxy signer, say Bob, as follows.

4.1. Design Philosophy 1. Alice makes a warrant w specifying her Our approach is similar to the approach due to public key, the public chameleon hash key Chandrasekhar et al. [42] with some minor of the proxy signer, a period of validity, and modifications. Specifically, we require that the public restrictions on the messages the proxy signer key of the proxy signer is included in the warrant. A is allowed to sign. delegation is made possible when the original signer 2. Bob picks a random integer k1, computes k1 creates a signature on the chameleon hash of the r1 ≡ g (mod n1) and forwards r1 to Alice. warrant based on the chameleon hash function of 3. Alice chooses a random integer t0, computes H2(w,r1)||t0 the proxy. With this minor modification, it is not hw = H1(r1g (mod n1), w) and necessary for the signature from the original signer a0, b0 as follows. to include the randomness of the chameleon hash nor ( 0, if ( hw ) = 1, the signature itself (as in the DL-based instantiation a = n0 0 1, if ( hw ) = −1. of Chandrasekhar et al.) and allows us to use the n0 efficient Rabin-PDH signature due to Gentry [25], a deterministic signature scheme with signature size of ( −a0 −a0 0, if ( 2 hw ) = ( 2 hw ) = 1, one single group element described below. p0 q0 b0 = −a0 −a0 1, if ( 2 hw ) = ( 2 hw ) = −1. In STOC 1989, Vallée [30] provided an elegant p0 q0 analysis of the distribution, in Zn, of integers in 2 0 0 4. Alice computes s0 using her private key p0, q0, Bn,h,h0 = {x ∈ [1, n): h ≤ x (mod n) ≤ h } for h −h ≥ 2 n0−p0−q0+5 8n 3 , i.e., integers with modular squares in a narrow −a0 s0 ≡ (2 hw) 8 (mod n0) interval. In Crypto 2002, based on Vallée’s conclusion, Coron[31] investigated the security of partial-domain and sends (w, t0, s0, a0, b0) to Bob via a secure hash signature schemes and showed that for e = 2, channel.

The Computer Journal, Vol. ??, No. ??, ???? 6 Y. Yu, M.H. AU, Y. Mu, W. Susilo

5. Receiving (w, t0, s0, a0, b0), Bob computes Regarding the correctness of the proxy signature, 0 H2(w,r1)||t0 hw = H1(r1g (mod n1), w) and since Delegation and ProxySign share the same 2 veriﬁes the delegation by checking if s0 ≡ signature algorithm, we just show the chameleon hash −a0 0 b0 2 · hw · (−1) (mod n0) holds. of the message m is identical to that of the warrant w.

ProxySign: Bob signs a message m ∈ {0, 1}∗ on H3(m,r2)||t1 behalf of Alice according to the warrant with his r2g λ(n1) chameleon hash trapdoor as follows. ≡ gk2 gH3(m,r2)||t0+(k1−k2)+2 (H2(w,r1)−H3(m,r2))

λ(n1) λ(n1) ≡ gk2+2 H3(m,r2)+t0+k1−k2+2 (H2(w,r1)−H3(m,r2))

1. Check whether m conforms to the warrant w. λ(n1) k1+t0+2 H2(w,r1) If the check fails, output “invalid” and abort. ≡ g H2(w,r1)||t0 Otherwise, go to the next step. ≡ r1g (mod n1) 2. Pick a random k2 ∈ Zλ(n ) and compute 1 0 0 k2 We can conclude that h = h , and as a consequence, r2 ≡ g (mod n1). w m s2 ≡ 2−a0 · h0 · (−1)b0 (mod n ) also holds. 3. Compute t1 ≡ t0 + (k1 − k2) + 0 m 0 λ(n1) 2 (H2(w, r1) − H3(m, r2)) mod λ(n1). 4. The final proxy signature on m under the 4.4. Performance comparisons and experimen- warrant w is σ = (a0, b0, s0, t0, r1, r2, t1). tal results We compare the security and efficiency of the new Verification: To check whether σ = scheme with those of existing ones in the same style[21, (a0, b0, s0, t0, r1, r2, t1) is a valid proxy signa- 20, 23, 33], i.e., whose security is related to the integer ture on m under the warrant w, a verifier performs factorization problem or the RSA problem. Several the following operations. expensive cryptographic operations are considered. We denote by mul, exp, and inv the multiplication, the 1. Check whether m conforms to w. If the check modular exponentiation and the inversion computation fails, output “invalid” and abort. Otherwise, respectively. root is denoted as the operation to find go to the next step. the solutions of x2 ≡ a (mod n) when the factor of ? H2(w,r1)||t0 2. Check whether r1g ≡ n is given. The comparisons of six known schemes H3(m,r2)||t1 r2g (mod n1). are summarized in Table 1. The Delegation column, 0 H3(m,r2)||t1 3. Compute hm = H1(r2g mod n1, w) Proxysign column and Verify column demonstrate ? 2 −a0 0 b0 the computation costs of each scheme. Security and verify whether s0 ≡ 2 · hm · (−1) column denotes the intractable assumptions that the (mod n0). If it holds, the proxy signature is valid; Otherwise, invalid. schemes rely on. Against A2 and Against A3 columns show whether the scheme is secure against the attacks mounted by malicious proxy signers and malicious 4.3. Correctness original signers respectively. The symbol N means that The correctness of the scheme is not self-evident and the scheme is vulnerable to this kind of attack while we interpret it in detail. The integer n0 = p0q0 where Y indicates that it is secure against the attack. The p0 ≡ 3 mod 8, q0 ≡ 7 mod 8 is called Williams integer. schemes in [21] are insecure because they can resist Obviously, a Williams integer is also a Blum integer. neither a malicious proxy signer’s attack nor a malicious Assume p0 = 8t1 + 3 and q0 = 8t2 + 7 where t1, t2 ∈ Z, original signer’s attack. Although the scheme in [23] we can observe that is secure against a malicious proxy signer’s attack, it suffers a malicious original signer’s attack. Thus, this p2−1 64t2+48t +8 2 0 1 1 ( ) = (−1) 8 = (−1) 8 = −1, scheme is also insecure. The constructions in [20, 33] p0 and our new proposal are secure against all kinds of

q2−1 64t2+112t +48 adversaries. Our scheme outperforms the one in [20] in 2 0 2 2 ( ) = (−1) 8 = (−1) 8 = 1, terms of security, computational efficiency and length of q 0 the public key. Specifically, the unforgeability of Shao’s thus, ( 2 ) = ( 2 ) · ( 2 ) = −1. Therefore, if proxy signature [20] depends on RSA problem while n0 p0 q0 0 H2(w,r1)||t0 the unforgeability of our scheme relies on factorization. hw = H1(r1g mod n1, w) equals hw and (w, t0, s0, a0, b0) is a valid delegation, then Consequently, our scheme is at least as secure as Shao’s scheme, but possibly more secure [27]. Furthermore, 2 n0−p0−q0+5 −a0 −a0 our scheme is a bit more efficient than the scheme in [20] −a0 8 2 hw, if 2 hw ∈ Qn, ((2 hw) ) = −a0 −a0 −2 hw, if 2 hw ∈ Q¯n. because 1 exponentiation, the most expensive operation in the schemes, is less required. The employment of 2 −a0 Therefore, the verification of delegation s0 ≡ 2 · Williams integer helps to avoid searching an integer a 0 b0 a hw · (−1) (mod n0) always holds. satisfying Jacobi symbol ( n ) = −1 and including it in

The Computer Journal, Vol. ??, No. ??, ???? Secure Delegation of Signing Power from Factorization 7

TABLE 1. Comparisons of six proxy signature schemes from factorization. Schemes Delegation Proxysign Verify Security Against A2 Against A3 ZCL1[21] 1 exp 2 exp+1 mul 2 exp+1 inv+1 mul RSA N N ZCL2[21] 1 root 1 exp+2 mul+1 root 5 mul+1 inv Factorization N N LWLH[23] 2 mul+1 root 2 exp+2 mul+1 root 2 exp+5 mul+2 inv Factorization Y N Shao[20] 2 exp+1 inv 3 exp+1 mul 3 exp+1 mul RSA Y Y Yu[33] 1 exp+1 mul 3 exp+1 mul 1 exp+4 mul+1 inv Factorization Y Y Ours 4 exp+1 mul 1 exp+1 mul 2 exp+2 mul Factorization Y Y

TABLE 2. Experimental results of the new proxy signature 5. SECURITY PROOFS scheme The new proxy signature is warrant-based, and a Setup Delegation ProxySign Verification delegation is the original signer’s signature on the 512.658 ms 90.297 ms 25.633 ms 28.462 ms warrant which contains information regarding proxy signer’s identity, a period of validity, and restrictions on the messages for which the warrant is valid, etc. Therefore, the properties of identifiability, undeniability, verifiability and prevention of misuse can the public key because 2 is just such an integer. As a follow naturally due to the security of improved Rabin result, the length of the public key of the new scheme signature scheme. In this section, we will focus on the is shorter than the existing constructions. Although unforgeability of the new construction and demonstrate three more exponentiations are needed in delegation the security against adaptive chosen message attacks of generation than that of the scheme in [33], the new Type 2 and Type 3 adversaries in the random oracle scheme achieves higher efficiency in proxy signature and model. proxy signature verification, which is highly essential for Existential unforgeability against type 2 two reasons. Firstly, in many applications, delegation is adversary a one-time process while proxy signing and verification Theorem 5.1. If there exists a Type 2 adversary A will be executed frequently. Secondly, in some real- 2 that can (t, q , q , ) breaks the unforgeability of the world scenarios, proxy signatures are often deployed w ps new proxy signature scheme, then there exists another in the environments such as agent-based computing algorithm B that can use A to solve an instance of the systems [5], smart card applications [7], where the proxy 2 factoring problem with probability has limited processing capability. 2 Experimental results: We also evaluate the 2 · (1 − 1/8n 3 )2 performance of our new construction by conducting an SuccIF ≥ 0 . B 8 · q2 experiment to assess the running time of our scheme w on personal computers. An implementation of the Proof.The security proof is by contradiction. algorithms was realized on a computer with CPU T8100 Assume there exists a polynomial-time adversary A2 @ 2.10 GHz and 2.0 GB memory, and the operating that is able to produce a forgery with non-negligible system is Windows 7.0. All the public key operations success probability, we then use A2 to build an were built with Miracle Library [44] which implements algorithm B to factorize a Williams integer. Assume multiprecision integer and rational data-types, and B receives a random instance of factorizing a Williams provides the routines to perform basic arithmetic on integer: given a large Williams number N with |N| ≥ them. According to the security requirements of 1024 bits, output a factor of N. factoring, we employed 1024-bit modulus n0 and n1, Setup: B sets N, the input of the factorization and the corresponding large prime factors p0, q0, p1, q1 are 512 bits. We preformed the experiment 1000 times problem, as n0, the public key of the original and the average running time of each sub-algorithm is signer. Then, B picks two large safe primes p1, q1, shown in Table 2. We can observe that it takes 512.658 computes n1 = p1q1, λ(n1) = lcm(p1 − 1, q1 − 1) and choose an element g ∈ Z∗ of order λ(n ). ms to setup the system, which is the most expensive n1 1 ∗ 0 The hash functions H1 : {0, 1} → [h, h ) with operation but runs only one time. The delegation phase 2 0 3 ∗ costs 90.297 ms, while the proxysign and verification h − h (mod n0) ≥ 8n0 , H2 : {0, 1} → Zn1 and ∗ cost 25.633 ms and 28.462 ms respectively. The H3 : {0, 1} → Zn1 are treated as random oracles. implementing results demonstrate that the new scheme The public chameleon hash key of the proxy signer is highly efficient. is (n1, g) and the private trapdoor key is (p1, q1). B returns (N, p1, q1) to A2.

H2 queries: A2 can make at most qH2 queries on the hash function H2 for the input (wi, ri) adaptively.

The Computer Journal, Vol. ??, No. ??, ???? 8 Y. Yu, M.H. AU, Y. Mu, W. Susilo

B maintains a hash list called L2 to store the Solving IF problem: It’s easy to check that in the answers for the consistency of a hash function. If B random oracle model, the outputs of the simulated has received an identical query before, it responds proof are indistinguishable from those in the real as it did before. Otherwise, B picks a random attacks. Finally, A2 produces a proxy signature ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ value hi ∈ Zn1 , returns hi to A2 and logs the tuple forgery σ = (a0, b0, s0, t0, r1, r2, t1) on a ∗ ∗ (wi, ri, hi) into L2. message m under warrant w with probability . A2 outputs a valid proxy signature after querying H queries: A can make at most q queries on the 2 3 2 H3 H oracle with probability 0 = · (1 − 1/8n 3 ) hash function H for the input (m , r ) adaptively. 1 0 3 j j because s is randomly picked from [h, h0). We can B maintains a hash list called L to store the i 3 solve the factorization problem instance by using answers for the consistency of a hash function. If B the oracle replay technique[32]. We ﬁrstly guess a has received an identical query before, it responds ﬁxed index 1 ≤ j ≤ q and expect that w∗ happens as it did before. Otherwise, B picks a random w to be the warrant of which A forges a valid proxy h0 ∈ Z , returns h0 to A and adds the tuple 2 j n1 j 2 signature on m∗. The probability that we make a (m , r , h0 ) into L . j j j 3 correct guess is denoted by Pr[luck]= 1 . qw

H1 queries: A2 can make at most qH1 queries on the Equipped with the same system parameters and hash function H1 for the input (vi, wi) adaptively. public key N, n1, the game is played again. For B maintains a hash list L1 to store the answers for the same sequences of random bits to the two the consistency of a hash function. For each request copies of A2, B responds with the same answers on (vi, wi), if B has received the same query before, to the oracle queries until A2 asks the H1 query ∗ it returns the previous answer to A2. Otherwise, B for wj = w . At that point, B answers

picks a random li ∈ Zn1 , returns li to A2 and adds two random answers (ai, bi, ki, ri, ti, vi, wi, si) and 0 0 0 0 0 0 0 0 (⊥, ⊥, ⊥, ⊥, ⊥, vi, wi, li) into L1 list. (ai, bi, ki, ri, ti, vi, wi, si) . Thus, we have

0 0 Delegation queries: A2 can make at most qw 2 ai −bi 02 ai −bi si · 2 · (−1) ≡ si · 2 · (−1) (mod N). delegation queries adaptively. When A2 queries on a warrant wi, B picks a random ki and computes Since ai, bi are randomly chosen from {0, 1}, ai = ki 0 0 ri = g . B then searches the L2 list to check ai and bi = bi with probability 1/4. As a result, 2 02 whether there is an item (wi, ri, hi). If there does si ≡ si (mod N) holds with probability 1/4. Now 0 0 not exist such an item, B picks a random hi ∈ Zn1 GCD(si − si,N) or GCD(si + si,N) is a nontrivial and logs (wi, ri, hi) into L2 list. Then B picks factor of N [29]. hi||ti a random ti, computes rig (mod n1) → vi, The simulator’s probability of success can be assessed picks ai, bi ∈ {0, 1}, si ∈ BN,h,h0 with uniform 2 ai −bi using the technique of splitting lemma[32]. Let X be distribution, sets H(vi, wi) = si · 2 · (−1) (mod N) and logs (a , b , k , r , t , v , w , l ) into L the set of possible sequences of random answers up to i i i i i i i i 1 ∗ ∗ the point that A2 queries the H1 oracle for (v , w ) and list. Finally, B responds (ti, si, ai, bi) to A2. Y be the set of possible sequences of random answers Proxy signature queries: A2 can make at most qps after that point. For any x ∈ X and y ∈ Y , given the proxy signature queries. For each query on sequences of random answers of random oracles (x||y), (wi, mi), B searches the L1 list to check whether the probability that B obtains a valid proxy signature 2 the tuple (ai, bi, ki, ri, ti, vi, wi, si) exists in the list. 3 is · (1 − 1/8n0 )/qw. Following the splitting lemma, If there is no such a tuple, B picks a random ki there exists such a “good” subset Ω ∈ X such that ki and computes ri = g . Then B picks a random ti, the probability that the probability that x ∈ Ω is at hi||ti 2 computes rig (mod n1) → vi, picks ai, bi ∈ 3 least · (1 − 1/8n0 )/2qw, and for any s ∈ Ω, y ∈ Y , {0, 1}, si ∈ BN,h,h0 with uniform distribution, sets 2 a −b the probability that B gets a valid proxy signature is at H(v , w ) = s · 2 i · (−1) i (mod N) and logs 2 i i i 3 least · (1 − 1/8n )/2qw with the sequences of random (ai, bi, ki, ri, ti, vi, wi, si) into L1 list. B searches 0 answers (s||y). Therefore, the probability that B can the L2 list to ﬁnd if there is an item (wi, ri, hi). If there is no such an item, B picks a random value solve the factorization problem is

hi ∈ Zn1 , and logs the tuple (wi, ri, hi) into L2. Then, B chooses a random k ∈ Z ), computes 2 2 pi λ(n1 IF 1 3 3 kpi SuccB ≥ · · (1 − 1/8n0 )/qw · · (1 − 1/8n0 )/2qw rpi ≡ g (mod n1). B searches if there exists 4 an item (m , r , h0 ) in L list. If there is no such 2 i pi i 3 2 · (1 − 1/8n 3 )2 0 = 0 . an item, B selects a random hj ∈ Zn1 , and adds 2 0 8 · qw the tuple (mi, rpi, hi) into L3. Finally, B computes λ(n1) 0 tpi ≡ ti + (ki − kpi) + 2 (hi − hi) mod λ(n1) and response (ai, bi, si, ti, ri, rpi, tpi) as a proxy Existential unforgeability against Type 3 signature of mi under the warrant wi to A2. Adversary

The Computer Journal, Vol. ??, No. ??, ???? Secure Delegation of Signing Power from Factorization 9

0 Theorem 5.2. If there exists a type 3 adversary A3 and logs (wi, ri, hi) into L2 list. Then, B picks that can (t, qps, ) break the proxy signature scheme, a random ri ∈ Zn1 and checks whether there 0 there exists another algorithm B that can use A3 to solve exists an item (mi, ri, hi) in L3 list. If there is 0 an instance of factoring problem with probability no such an item, B picks a random hi ∈ Zn1 , 0 and adds the tuple (mi, ri, hi) into L3. B selects 1 1 0 0 IF 3 3 0 hi||ti SuccB ≥ 2 · · (1 − ) . a random ti, computes vi = rig and sets 4qH n 2 ai −bi 1 H1(vi, wi) → si · 2 · (−1) . Finally, B logs 2 ai −bi (⊥, ⊥, ⊥, vi, wi, si · 2 · (−1) ) into L1 list and Proof. The adversary A3 possesses the public keys 0 0 of the original signer and the proxy signer and the transmits (ai, bi, si, ri, ri, ti, ti) to A3 as the answer to his proxy signature query. private key of the original signer, thus, A3 can generate delegations on any warrant. As a result, delegation queries are not required here. Assume B is given a Solving IF problem: The simulated outputs are large composite number N with |N| ≥ 1024 bits, B’s indistinguishable from those in the real attacks in goal is factoring N. B will simulate the challenger and the random oracle model. Therefore, after a series response A ’s queries in the following way. of queries, A3 will output a new proxy signature 3 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ σ = (a0, b0, s0, t0, r1, r2, t1) on the message m ∗ Setup: B sets N, the input of the factorization under the warrant w with probability . If A3 ∗ ∗ problem, as n1, the public key of the proxy has not queried H3(m , r2), the probability that ∗ 0 0 signer, retaining H1 : {0, 1} → [h, h ) with h − σ is valid is less than 1/n1 since the answers 2 3 ∗ to the H3 hash functions are picked randomly h (mod n0) ≥ 8n0 , H2 : {0, 1} → Zn1 and ∗ H3 : {0, 1} → Zn for use as random oracles. from Zn1 . Thus, A3 will produce a valid forgery 1 0 Then, B picks two large primes p0, q0 as the original after querying the H3 oracle with probability = ∗ ∗ 0 signer’s secret key and the corresponding public 1 − 1/n1 and the answer to H3(m , r2) is h . key is n0 = p0q0. B delivers (N, p0, q0, n0) to A3. Then, based on the well-known oracle replay attack and the forking lemma [32], A3 uses the oracle

H2 queries: A3 can make at most qH2 queries on the replay technique by a polynomial replay of the 0 hash function H2 for the input (wi, ri) adaptively. attack with the same random salts and a diﬀerent B maintains a hash list called L to store the 0 0 2 oracle called H3 to get another forgery σ = answers for the consistency of a hash function. If B 0 0 0 0 0 ∗ 0 ∗ (a0, b0, s0, t0, r1, r2, t1) on the message m under has received an identical query before, it responds ∗ 0 ∗ ∗ the warrant w , and the answer to H3(m , r2) is as it did before. Otherwise, B picks a random h00. Now, we have value h ∈ Z , returns h to A and logs the tuple i n1 i 2 0 ∗ 00 0 0 ∗ h ||t1 ∗ h ||t1 (wi, ri, hi) into L2. r2g ≡ r2g (mod n1).

∗ k 0 0 k 00 H3 queries: A3 can make at most qH3 queries on the Thus, t1 +2 h ≡ t1 +2 h mod (λ(n1)) where k = hash function H3 for the input (mj, rj) adaptively. |λ(n1)| denotes the bit length of λ(n1). Therefore, ∗ 0 k 0 00 B maintains a hash list called L3 to store the λ(n1) divides t1 − t1 + 2 (h − h ), which indicates ∗ 0 k 0 00 answers for the consistency of a hash function. If B that φ(n1) divides 2(t1 −t1 +2 (h −h )). Following has received an identical query before, it responds the conclusion due to Miller [43], knowing such as it did before. Otherwise, B picks a random a multiple of φ(n1) is equivalent to factoring n1, 0 0 hj ∈ Zn1 , returns hj to A3 and adds the tuple which contracts the factoring assumption. The 0 (mj, rj, hj) into L3. probability that B can solve the factorization problem instance is H1 queries: A3 can make at most qH1 queries on the hash function H1 for the input (vi, wi) adaptively. IF 1 3 1 3 SuccB ≥ 2 · · (1 − ) . B maintains a hash list L1 to store the answers for 4q n H1 the consistency of a hash function. For each request on (vi, wi), if B has received the same query before, it returns the previous answer to A2. Otherwise, B

picks a random li ∈ Zn1 , returns hi to A2 and logs 6. CONCLUSION (⊥, ⊥, ⊥, vi, wi, li) into L1 list. In this paper, we put forward a novel construction of Proxy signature queries: A3 can make at most qps proxy signature whose unforgeability can be reduced proxy signature queries. For each proxy signature to the integer factorization problem. The new scheme query on (wi, mi), B ﬁrstly generates a delegation employed improved Rabin-type digital signature and a (ai, bi, si, ti) for wi since he has original signer’s factorization based key-exposure free chameleon hash secret key (p0, q0). B searches the L2 list to check function. We proved that the scheme is secure against 0 if there exists an item (wi, ri, hi). If there is all adversaries, in the random oracle model. Our scheme 0 no such an item, B picks ri, hi ∈ ZN randomly compares favorably with existing schemes based on the

The Computer Journal, Vol. ??, No. ??, ???? 10 Y. Yu, M.H. AU, Y. Mu, W. Susilo

RSA assumption or the factorization assumption. How [11] Wang, G., Bao, F., Zhou, J., Deng, R. H. (2003) to construct a proxy signature scheme with tighter Security analysis of some proxy signatures. In Qing, reductions to factorization without using forking lemma S., Gollmann, D., Zhou J. (eds.), Information is our future work. and Communications Security, 5th International Acknowledgement: The first author is supported by Conference, ICICS 2003, Huhehaote, China, Oct 10- the University of Wollongong Vice Chancellor Fellow- 13, 2003. Lecture Note in Computer Science 2971, pp. 305–319. Springer, Berlin. ship and the fourth author is supported by Australian [12] Shao,Z. (2009) Improvement of identity-based proxy Research Council Future Fellowship FT0991397. This multi-signature scheme. Journal of Systems and work is supported by the NSFC of China under Grants Software. 82(5), 794–800. 61003232, 61103207, U1233108, the National Research [13] Sun, Y. , Xu, C., Yu, Y., Mu, Y. (2011) Strongly Foundation for the Doctoral Program of Higher Educa- unforgeable proxy signature scheme secure in the tion of China under Grant 20100185120012, the NSFC standard model. Journal of Systems and Software. of China for International Young Scientists under Grant 84(9), 1471–1479. 61250110543, and the Fundamental Research Funds for [14] Huang, X., Mu, Y., Susilo, W., Zhang, F. (2005) A the Central Universities under Grants ZYGX2010J066 short proxy signature scheme: efficient authentication and ZYGX2011J067. in the ubiquitous world. In Callaghan, V., Enokido, T., Jin, H. (eds), Proc. of UISW2005, Nagasaki, Japan, Dec 6–7, 2005. Lecture Note in Computer Science 3823, pp. REFERENCES 480–489. Springer, Berlin. [1] Mambo, M., Usuda, K., Okamoto, E. (1996) Proxy [15] Zhang, F., Naini, R., Lin, C. (2004) Some new signature: delegation of the power to sign messages. proxy signature schemes from bilinear pairings. In IEICE Trans. Fundamentals, E79-A (9), 1338–1353. Progress on Cryptography: 25 years of Cryptography [2] Tan, Z. (2011) An off-line electronic cash scheme based in China, Kluwer International Series in Engineering on proxy blind signature. The Computer Journal, 54 and Computer Science, 769, 59–66. (4), 505–512. [16] Lu, R., Cao, Z. (2005) Designated verifier proxy [3] Yu, Y., Mu, Y., Wang, G., Sun, Y. (2011) signature scheme with message recovery. Applied Cryptanalysis of an off-line electronic cash scheme Mathematics and Computation. 169(2), 1237–1246. based on proxy blind signature. The Computer Journal, [17] Yu, Y., Xu, C., Zhang, X., Liao, Y. (2009) Designated 54 (10), 1645–1651. verifier proxy signature scheme without random oracles, [4] Zhang, J., Liu, C., Yang, Y. (2010) An efficient secure Computers and Mathematics with Applications. 57(8), proxy verifiably encrypted signature scheme, Journal of 1352–1364. Network and Computer Applications, 33(1), 29–34. [18] Schdult, J., Matsuura, K., Paterson, K. (2008) Proxy [5] Lee, B., Kim, H., Kim, K. (2011) Secure mobile signatures secure against proxy key exposure. In agent using strong non-designated proxy signature. In Cramer R. (ed.), Proc. of PKC 2008, Barcelona, Spain, Mu, Y., Varadharajan, Vijay.(eds), Proc. of ACISP March 9–12. Lecture Note in Computer Science 4939, 2001, Sydney, Australia, July 11–13, Lecture Note in pp. 344–359. Springer, Berlin. Computer Science 2119, pp. 474–486. Springer, Berlin. [19] Shao, Z. (2003) Proxy siganture schemes based on [6] Lee, B., Kim, H., Kim, K. (2001) Strong proxy factoring. Information Processing Letters, 85, 137–143. signature and its applications, in: The 2001 Symposium [20] Shao, Z. (2009) Provably secure proxy-protected on Cryptography and Information Security Oiso, signature schemes based on RSA. Computers and Japan, January 23-26, 603–08. Electrical Engineering. 35(3), 497–505. [7] Okamoto, T., Tada, M., Okamoto, E. (1999) Extended [21] Zhou, Y., Cao, Z., Lu, R. (2005) Provably secure proxy signatures for smart cards. In: Mambo, proxy-protected signature schemes based on factoring. M., Zheng Y. (eds.), Information Security, Second Applied Mathematics and Computations. 164, 83–98. International Workshop, ISW’99, Kuala Lumpur, [22] Park,J. H. B., Kang, G., Han, J. W. (2005) Malaysia, Nov 1999, Lecture Note in Computer Science Cryptanalysis of Zhou et al.’s proxy-protected signature 1729, pp. 247–258. Springer, Berlin. schemes, Applied Mathematics and Computations. 169, [8] Boldyreva, A., Palacio, A., Warinschi, B. (2012) Secure 192–197. proxy signature scheme for delegation of signing rights. [23] Liu, Y. C., Wen, H. A., Lin,C. L., Hwang, T. Journal of Cryptology. 25(1), 57–115. (2007) Proxy-protected signature secure against the [9] Lee, J. Y., Cheon, J. H., Kim, S. (2003) An analysis undelegated proxy signature attack. Computers and of proxy signatures: is a secure channel necessary? In Electrical Engineering. 33, 177–185. Joye, M. (eds.), Topics in Cryptology - CT-RSA 2003, [24] Hu, X., Xu, H., Si, T. (2010) Analysis and San Francisco, CA, USA, April 13-17, 2003, Lecture improvement of proxy-protected signature secure Note in Computer Science 2612, pp. 68–79. Springer, against the undelegated proxy signature attack. Journal Berlin. of Computational Information System. 6(9), 2997– [10] Kim, S., Park, S., Won, D. (1997) Proxy signatures, 3002. revisited. In Han, Y., Okamoto, T., Qing, S. [25] Gentry, C. (2004) How to compress Rabin ciphertexts (eds.), Information and Communication Security, First and signatures. In. Franklin M. K.(ed.), Advances International Conference, ICICS’97, Beijing, China, in Cryptology - CRYPTO 2004, Santa Barbara, Nov 11–14, 1997. Lecture Note in Computer Science California, USA, August 15–19, 2004, Lecture Note in 1334, pp. 223–232. Springer, Berlin. Computer Science 3152, pp. 179–200. Springer, Berlin.

The Computer Journal, Vol. ??, No. ??, ???? Secure Delegation of Signing Power from Factorization 11

[26] Schnorr, C. P. (1989) Efficient identification and on trapdoor hash functions. IET Information Security. signatures for smart cards. In Brassard G. (Ed.), Proc. 4(4). 322–332. of CRYPTO 1989, Santa Barbara, California, USA, [43] Miller, G. (1976) Reimann’s hypothesis and tests for August 20-24, 1989, 239-252 primality. Journal of Computer System Science. 13, [27] Rabin, M. O. (1979) Digitalized signatures and 300–317. public key functions as intractable as factorization, [44] Shamus Software Ltd., Miracle library. Available MIT/LCS/TR-212, MIT Laboratory for computer from: http://www.shamus.ie/index.php?page=home. Science, 1979. (accessed April 10, 2010) [28] Hoffstein, J., Pipher, J., Silverman, J. H. (2008) An introduction to mathematical cryptography, Springer Science+Business Media. [29] Shoup, V. (2008) A computational introduction to number theory and algebra, Cambridge University Press. [30] B, Valle’e (1998) Provably fast integer factoring with quasi-uniform small quadratic residues. in: Proc. of STOC 1989, 98–106. [31] Coron,J. S. (2002) Security proof for partial-domain hash signature schemes. In. Yung M. (ed.), Proc. of CRYPTO 2002, Santa Barbara, California, USA, August 18-22, 2002, Lecture Notes in Computer Science 2442, pp. 613–626. Springer, Berlin. [32] Pointcheval, D., Stern, J. (2000) Security arguments for digital signatures and blind signatures. Journal of Cryptology. 13(3), 361–396. [33] Yu, Y., Mu, Y., Susilo, W., Sun, Y., Ji, Y. (2012) Provably secure proxy siganture scheme from factorization, Mathematical and Computer Modelling. 55, 1160–1168. [34] Krawczyk, H., Rabin, T. (2000) Chameleon hashing and signatures. Network and distributed system security symposium, 143–54. [35] Shamir, A., Tauman, Y. (2001) Improved On-line/Off- line Signature Schemes. In Kilian J. (ed.), Proc. of CRYPTO 2001, Santa Barbara, California, USA, August 19–23, 2001, Lecture Notes in Computer Science 2139, pp. 355–367. Springer, Berlin. [36] Harn, L., Hsin, W., Lin, C. (2010) Efficient On- line/Off-line Signature Schemes Based on Multiple- Collision Trapdoor Hash Families. Comput. J., 53(9), 1478–1484. [37] Ateniese, G., Medeiros, B. (2004) Identity-based chameleon hash and applications. In Juels A. (Ed.), Proc. of Financial Cryptography 2004, Key West, FL, USA, February 9–12, 2004 Lecture Notes in Computer Science 3110, pp. 164–180. Springer, Berlin. [38] Ateniese, G., Medeiros, B. (2004) On the key exposure problem in chameleon hashes. In Blundo, C., Cimato S. (eds.), Proc. of SCN 2004, Amalfi, Italy, Sep 8–10, 2004, Lecture Notes in Computer Science 3352, pp. 165–179. Springer, Berlin. [39] Chen, X., Zhang, F., Tian H. et al.(2008), Efficient generic on-line/off-line (threshold) signatures without key exposure, Information Sciences. 178 (21), 4192– 4203. [40] Chen, X., Wu, Q., Zhang, F., Tian H. et al. (2011) New receipt-free voting scheme using double-trapdoor commitment, Information Sciences. 181(8), 1493–1502. [41] Mehta, M., Harn, L.(2005) Efficient one-time proxy signatures, IEE Proc.-Commun. 152 (2), 129–133. [42] Chandrasekhar,S., Chakrabarti, S., Singhal, M., Calvert, K. L. (2010) Efficient proxy signatures based

The Computer Journal, Vol. ??, No. ??, ????