Identity Base Threshold Proxy Signature Jing Xu, Zhenfeng Zhang, and Dengguo Feng Form eprint Presented by 魏魏魏
Identity Base Threshold Proxy Signature
Jing Xu, Zhenfeng Zhang, and Dengguo Feng
Form eprint
Presented by 魏聲尊
Outline
• Introduction
• Definition
• (t,n) threshold proxy Signature Scheme
• Conclusion
Introduction
• Proxy signature allow original signature to delegate his singing capability to another user
• ID Base :public key can derive via a public algorithm
Introduction
• (t,n) threshold proxy signature scheme:
• Applications: e-cash, mobile agent, mobile communication etc.
Original user
Proxy group of n member
>=t
Definition
• Security Requirement of ID-Base Threshold Proxy Signature– Distinguishability– Secrecy– Proxy Protected– Unforgeability– Nonrepudiation
• The bilinear pairing: G be a cyclic additive group generated by P, order = q
(prime), V be a multiplicative group of same order.Let be a pairing which satisfies the following condition:
1.Bilinearity: ,That is , . 2.Non-degeneracy: ,such that 3.Computability: ,there is an efficient algorith
m to compute
Definition
RQeRPeRQPe ,ˆ,ˆ,ˆ GRQP ,,
RQeQPeRQPe ,ˆ,ˆ,ˆ
GQP , 1,ˆ QPe
GQP ,
VGGe :ˆ
QPe ,ˆ
• Param-generation
• Key-generation
• Secret-share-generation
• Proxy-share-generation
• Proxy-signature-generation
• Proxy-signature-verification
Proposed (t,n) threshold proxy Signature Scheme
Proposed (t,n) threshold proxy Signature Scheme
• Param-generation– Pick a random master key and set – Choose hash functions– original signer be the proxy group of n proxy signer
• Key-generation:– Compute and associated private key
for original signer and proxy signers
sPPsub GHH *
21 1,0:,
0P nPPPPS ,,, 21
GIDHQ iIDi 1
GsQdii IDID
*qZs
Proposed (t,n) threshold proxy Signature Scheme
• Secret-share-generation– Each randomly chooses a (t-1)-degree
polynomial
with random coefficients and publish – sends to , can validate it by checking
the equality
– compute his secret share and publish
PSPi
0
1
1i
t
t
lili axaxf
*qil Za PaA ilil
iP jfi jP jP
ik
t
k
ki AjPjf
1
0
iP
n
k ki ifr1
PrU ii
Proposed (t,n) threshold proxy Signature Scheme
• Proxy-share-generation: Let be the warrant.
in PS gets their own proxy singing key share as follow:
– 1. first randomly choose and computes
Let .Then he compute
The signature on is . Finally, sends and
to each – 2. verify the signature by
if is accept , compute as his own proxy secret
m
iP
0P*qZr PrU
UmIDHH ,,02 HrdV 0
m VU ,0P m
PSPi VU ,
iP HUeQPeVPe pub ,ˆ),(ˆ,ˆ 0 iP Vn
ds ii
1
Proposed (t,n) threshold proxy Signature Scheme
• Proxy-share-generation:– 3. randomly chooses a (t-1)-degree polynomial
with random coefficients and publishes can be got by each proxy signer as
Furthermore, sends to
– 4. can validate it by . compute his proxy
singing key share and publish
iP
i
t
t
lili sxbxg
1
1
Gbil ilil bPeB ,ˆ0iB
H
nUeQ
nPeIDHPesPe subisubi
1,ˆ
1,ˆ,ˆ,ˆ 0
iP jgi jP
iP
1
0
,ˆt
k
ijkj
k
BigPeiP
n
k ki igskp1
iskpPe ,ˆ
Proposed (t,n) threshold proxy Signature Scheme
• Proxy-signature-generation: Let be the actual proxy signature 1. Lagrange interpolation formula to compute ,Let
2. Each compute his own proxy signature share by compute and 3.designated clerk validate by
if it accept, computes The proxy signature of m is Proxy-signature-verification verify proxy signature by
tPPPD ,, 21i
t
i iUU
1
iPHrskpV iii iii VU ,
i HUeskpPeVPe iii ,ˆ,ˆ,ˆ i
t
i iVV
1
tj
iji ij
j,,2,1 UmHH ,2
VUmUm ,,,,
VUmUm ,,,,
HUeHUeQPeVPen
iisub ,ˆ,ˆ,ˆ,ˆ
0
Proposed (t,n) threshold proxy Signature Scheme
VU , VUmUm ,,,,
>=t
HUeHUeQPeVPen
iisub ,ˆ,ˆ,ˆ,ˆ
0
Original signer
n proxy signer
Designer clerk
Conclusion
• Security– Distinguishability: warrant and the public keys of the origina
l signer and the proxy signer must in occur in the verification equation of threshold proxy scheme
– Secrecy: because of the ID-Base signature scheme, any party private key
must be kept secret. – Proxy Protected: the original signer does know private key– Unforgeability: without the private key , no one can forge th
e proxy– singer to create and pass the verificatio
n – Nonrepudiation: the valid proxy signature contain the warrant
The first ID-Base threshold proxy signature scheme
m
idiP
idiP i
m
id