A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem

A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem Source: IEEE TRANSACTIONS KNOWLEDGE AND DATA ENGINEERING, VOL 15,NO 5, SEPTEMBER/OCTOBER, 2003 Author: Min-Shiang Hwang, Eric Jui-Lin, Iuon-Chang Lin Speaker :林育正 Team member: 童毅峰林峻鋒 Date: Dec. 8, 2003

Outline • Introduction • Proposed Scheme • Discussion • Property Analysis • Comparisons • Application • Conclusion

Introduction 1 • Proxy signature: • The proxy signature allows proxy signers to sign messages on behalf of the original signer without exposing the original signer’s private key

Introduction 2 • (1,n) threshold proxy signature: • A legal proxy signature can be generated by a designated proxy signer by using a proxy signing key. • (t,n) threshold proxy signature: • (t,n) threshold proxy signature schemes allow any t or more proxy signers from a designated group of n members to cooperatively sign messages while (t-1) or less members cannot generate the legal proxy signature.

Introduction 3 • Proxy requirements • Secrecy: • The original signer’s private key must be kept secret. • Proxy protected: • Only a delegated proxy signer can generate his partial proxy signature. • Unforgeability: • (t-1) or less proxy signers have no capability of forging a valid proxy signature.

Introduction 4 • Proxy requirement (cont.) • Non-repudiation: • The original signer cannot deny having delegated the power of signing messages to the proxy signers. The proxy signers cannot deny that they having signed the message. • Time constraint: • The proxy signing keys can be used only during a stipulated period. • Known signers: • For internal auditing purposes, the system is able to identify the actual signers in the proxy group.

Introduction 5 • This paper propose a new (t,n) threshold proxy signature scheme based on the RSA cryptosystem. • This new scheme only requires the Lagrange formula to share the proxy signing key.

Proposed Scheme • Three phases • The proxy sharing phase • The proxy signature issuing phase • The verification phase

Threshold proxy signature based on the RSA cryptosystem • P0 ︰ Original signer • P1, P2, ..., Pn ︰Proxy signers • Ni = pi ×qi where pi and qiare two secret large primes. • di is a private key for Pi and its corresponding public key be ei, such that di * ei = 1 mod Φ(Ni). • Φ(Ni) = (pi - 1)(qi - 1)

Threshold proxy signature based on the RSA cryptosystem • The parameters ei and Ni can be published. • The parameter di and Φ(Ni) are kept secret by the holder. • [M]di mod Ni : M encrypted with Pi’s private key di • [M]ei mod Ni : M encrypted with Pi’s public key ei using the ordinary RSA cryptosystem. • mw : contains period of proxy key, the identities of the proxy signers and the original signer, etc

Threshold proxy signature based on the RSA cryptosystem • D : group proxy signature key generated by P0 • E : verification key of D

The Proxy Sharing Phase • Step 1. Proxy generation • D = d0mw mod Φ(N0) • E = e0mw mod Φ(N0) • P0 publishes {mw, E, [mw || E] d0mod N0}

The Proxy Sharing Phase • Step 2 (proxy sharing) • Ki = f(x) = D + a1X + a2X2 + … +at-1Xt-1 mod Φ(N0) where a1, a2, … at-1 are random numbers. • The original signer P0 computes Pi’s partial proxy signing key, ki = f(i) and sends [[Ki]do mod N0 || ki ]ei mod Ni to the proxy signer Pi, where iis user’s identity and for all Li Z

The Proxy Sharing Phase • Step 3. (proxy share generation) • After receiving [[Ki]do mod N0 || ki ]eimod Ni each proxy signer can decrypt the ciphertext to obtain {[ki]d0 mod n0, ki} • Then each proxy signer Pi can confirm the validity of ki and keep it secret.

The Proxy Signature Issuing Phase • Step 1. • Each member of T signs the message M with his partial proxy signing key ki, where i  T. • The partial proxy signature si for each actual proxy signer pi. • si = M (Li × Ki) mod N0 • Li = Π–j / i-j • Each actual proxy signer sends {[si]dimod Ni,si}to the combiner. i, jεT, j ≠ i

The Proxy Signature Issuing Phase • Step 2. • The combiner verifies the si using the public key of the proxy signer Pi, and collects [si]dimod Ni. • S: the proxy signature on message M • S = Π si mod N0 = Π(M Li × Ki) mod N0 = MΣi εT (Li × f(i)) mod N0 = M f(0) mod N0 = MD mod N0 iεT iεT

The Verification Phase • Ni, ei, mw, and E are publicly known • Step 1. • Any receiver computes mw and E with the original signer’s public key. • The receiver checks the validity of the stipulated period. • If the period has expired, the proxy verification key is invalid.

The Verification Phase • Step 2. • SE mod N0 = (MD)E mod N0 = M (d0 × e0)mw mod N0 = M

The Verification Phase • Step 3. • For internal auditing purposes, the original signer can differentiate the actual signers from the signatures [si]di mod Ni on message si, where i  t.

Discussion – Property analysis • Secrecy • Proxy protected • Unforgability • Non-repudiation • Time constraint • Known signer

Discussion – Comparison COMPUTATIONAL OVERHEADS

Discussion – Comparison (cont.) COMMUNICATIONAL OVERHEADS

Application • Mobile Agent • Electronic Contract

Conclusion • Flexibly choose the threshold • Repeatedly use of the participant’s RSA key pairs which can also be used in other work • Put time constraints on the threshold delegation • Identify the actual signers

A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem

A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem

Presentation Transcript

Practical Issues

NANOROBOTICS CONTROL DESIGN: A PRACTICAL APPROACH TUTORIAL

T A S T I N G N O T E S

1-month Practical Course

N A T I O N A L

1-month Practical Course

1-month Practical Course

S-A-N-T-A

1-month Practical Course Genome Analysis Evolution and Phylogeny methods

1-month Practical Course

T u t a n k h a m u n

Practical English

1-Month Practical Master Course

C O N N O T A T I O N

C O N N I N G A S S E T M A N A G E M E N T Analyzing Reinsurance with DFA Practical Examples