An Improved Threshold Proxy Signature Scheme Based on RSA

This paper proposes an improved RSA-based threshold proxy signature scheme. The proposed scheme satisfies the necessary security requirements of proxy signature such as verifiability, unforgeability, threshold property and identifiability. The proposed scheme does not require any secure channel to deliver the proxy keys any more. Introduction A proxy signature scheme involves three entities: an original signer, a proxy signer and a verifier. Once the proxy signer signed the message on behalf of the original signer, the verifier, who knows the public keys of the original and proxy signers, verifies the validity of the proxy signature after receiving it. Mambo et al. [1,2] first introduced the notion of proxy signature in 1996 and gave a systematic discussion of proxy signatures. They mentioned three levels of delegation:full delegation, partial delegation and delegation by warrant. In full delegation, the original signer gives its private key to the proxy signer. In partial delegation,the original signer generates a proxy signature key from its private key and gives it to the proxy signer. The proxy uses the proxy key to sign. The verification equation for proxy signature is modified, so that the proxy signature is distinguishable from the signature created by the original signer. In delegation by warrant, warrant is a certificate composed of a message part and a public signature key. The proxy signer obtains the warrant from the original signer and uses the corresponding private key to sign. The resulting signature consists of the created signature and the warrant. There are many proxy signature schemes in the literature. Kim, et al. [3] proposed a scheme by restricting proxy signer signing right using the concept of partial delegation with warrant in 1997. Okamoto et al. [4] proposed proxy signature based on RSA scheme in 1999. In 2001, Lee et al. [5, 6] proposed a proxy-protected signature scheme based on the RSA assumption. Shao [7] proposed proxy-protected signature scheme based on RSA in 2009. In 2012,Huang [8] proposed a threshold proxy signature scheme based on RSA cryptosystem. Howerer, in Huang’s scheme a secure communication channel is needed among an original signer and her / his proxy signers, which is unpractical. In this paper, we propose an improved threshold proxy signature scheme based on RSA which not only keeps the original properties of the scheme in [8], but also need no any secure communication channel. The rest of the paper is organized as follows. In Section 2, we give an improved threshold proxy signature scheme based on RSA. In Section 3, we give security analysis of the scheme. Finally, a conclusion is drawn in Section 4. Proposed Scheme In this section, we propose an improved threshold proxy signature scheme based on RSA. Throughout this article, we use O U to denote the original signer and   1 2 , , , n G U U U  the set of the proxy signers. The scheme is divided into four phases: Setup Parameters, Proxy Secret Key Sharing, Proxy Signature Generation and Proxy Signature Verification. Setup Parameters: The original signer chooses two strong primes ' 0 0 2 1 p p   and ' 0 0 2 1 q q   , where ' 0 p and ' 0 q are also primes. Both 0 p and 0 q should be so safe that anybody can't factor 0 0 N p q  efficiently. 6th International Conference on Management, Education, Information and Control (MEICI 2016) © 2016. The authors – Published by Atlantis Press 0629 1) The original signer chooses a public key , O e 0 0 1 ( ) ( 1)( 1), O e N p q       such that ( , ( )) 1 O e N   , and then uses extended Euclidean algorithm to compute the secret key , O d 1 ( ), O d N    such that 1(mod ( )). O O e d N   Let ( , ) O N e be public. 2) Let ( ) h  be a secure one-way hash function and m a warrant which consists of the original signer and proxy signers’ information, i.e., the identity of the original signer and proxy signers, the qualification of the message on which proxy signers can sign on behalf of the original signer, the validity period of delegation etc. All proxy signers generate the following public parameters through dialogue and consultation: 1) Choose a large prime p such that N p  and p has a large prime divisor q ; 2) Choose a generator g with order q in the multiplicative unit group of the ring p Z ; 3) Determine the identity number i ID for each proxy signer, where1 i n   . 4) Each proxy signer i U chooses her/his secret key i d to compute proxy public key (mod ) i d i y g p  and then make it public, where1 i n   . Proxy Secret Key Sharing: 1) The original signer chooses a random polynomial ( ) f x with degree 1 t  in [ ] N Z x such that (0) O f m d   and then computes 1 ( ) (mod ) i i i k f ID z N   , where 1 , ( )(mod ) i i j j n j i z ID ID N       ; 2) The original signer uses the ElGamal Cryptosystem to send (mod ) i k N to the proxy signer i U through a public communication channel. The details are as follows. The original signer randomly selects {0} i q q l Z Z     , and computes (mod ) i l i u g p  and mod ) i l i i i v k y p  , where (mod ) i d i y g p  is the proxy public key of and the proxy signer i U , 1 i n   .Then the original signer sends the pair ( , ) i i u v to the proxy signer i U . After receiving the pair ( , ) i i u v , the proxy signer i U computes (mod ) i i d i v u p  to recover the proxy secret key shadow i k , where1 i n   . Proxy Signature Generation: Without loss of generality, assume that 1 2 , , , t U U U are practical proxy signers who creates a signature for a message m on behalf of the original signer. Signature generation is as follows. 1) Each proxy signer i U randomly chooses a {0} i q q t Z Z     , where 1 i t   , then computes (mod ) i t i r g p  and broadcasts it in the proxy group; 2) Each proxy signer i U computes 1 (mod ), ( , , ) (mod ), t i i i i i R r p s d h R m A t R p      (mod ) i d i y g p  , and then sends the triple ( , , ) i i R s y to the designated combiner (DC), where A is the set consisting of identities of practical proxy signers; 3) After receiving ( , , ) i i R s y , DC verifies whether ( , , ) (mod ). i s R h R m A i i g r y p  If the equality holds , DC computes 1 (mod ) t i i S s p   and broadcasts it in the proxy group; 4) Each proxy signer i U uses her/his secret key shadow i k to compute (mod ) i i k i C S N   , and then sends it to DC again, where 1 , , ( )( ( )(mod ) i j i j j t j i t j n j i ID ID ID N             . DC computes