You are on page 1of 5

70 (IJCNS) International Journal of Computer and Network Security,

Vol. 2, No. 5, May 2010

An Improved Proxy Ring Signature Scheme with


Revocable Anonymity
Binayak Kar1, Pritam Prava Sahoo2 and Ashok Kumar Das3
1
Department of Computer Science and Engineering
International Institute of Information Technology, Bhubaneswar 751 013, India
binayakdilu@rediffmail.com
2
Department of Computer Science and Engineering
International Institute of Information Technology, Bhubaneswar 751 013, India
sahoo_pritam@rediffmail.com
3
Department of Computer Science and Engineering
International Institute of Information Technology, Bhubaneswar 751 013, India
iitkgp_akdas2006@yahoo.co.in

examples, [2, 7, 10]). Since it is proposed, the proxy


Abstract: In this paper, we review Hu et al.'s proxy ring
signature with revocable anonymity. We then briefly review signature schemes have been suggested for use in many
Zhang and Yang's attacks on Hu et al.'s proxy ring signature applications [6, 8] particularly in distributed computing
scheme. In order to eliminate those security flaws in Hu et al.'s where delegation of right is quite common. Examples
proxy ring signature scheme, we propose an improvement of Hu discussed in in the literature include distributed systems,
et al.'s proxy ring signature with revocable anonymity. We show grid computing, mobile agent applications, distributed
that our proposed scheme provides better security as compared shared object systems, global distribution networks and
to that for Hu et al.'s scheme. mobile communications. To adapt to different requirements,
Keywords: Proxy signature, ring signature, revocable many variants of ring signature [5] were put forward, such
anonymity, security. as ring blind signature, proxy ring signature, etc.

1. Introduction In this paper, we propose an improvement of Hu et al.’s


proxy ring signature scheme [1] in order to eliminate Zhang
In Mobile Ad hoc Networks in order to ensure the service and Yang’s attacks [9] on Hu et al.’s proxy ring signature
available to the customers distributed in the whole networks, scheme. The remainder of this paper is organized as follows.
the server needs to delegate his/her rights to some other In Section 2, we give a brief overview of Hu et al.’s proxy
parties in the systems, for example to mobile agents. The ring signature scheme with revocable anonymity and then
way of realizing this delegation is based on the notion of we discuss Zhang and Yang’s attacks on Hu et al.’s proxy
proxy signature. ring signature scheme. In Section 3, we propose an
improved version of Hu et al.’s proxy ring signature scheme
Digital signature is a cryptographic means through in order to withstand Zhang and Yang’s attacks in their
which the authority, data integrity and signer’s non- scheme. In Section 4, we discuss the security aspects of our
repudiation can be verified. The proxy signature is a kind of proposed improved scheme and then in Section 5, we
digital signature scheme. In the proxy signature scheme, one compare the performances of our scheme with those for Hu
user called the original signer, can delegate his/her signing et al.’s proxy ring signature scheme. Finally, we conclude
capability to another user called the proxy signer. This is the paper in Section 6.
similar to a person delegating his/her seal to another person
in the real world.

The notion of proxy signature was first introduced by 2. Overview and Attacks on Hu et al’s Proxy
Mambo, Usuda and Okamoto in 1996 [3]. After that the
Ring Signature Scheme
concept of ring signature was formalized in 2001 by Rivest,
Shamir and Tauman [4]. In the ring signature an In this section, we first discuss in brief Hu et al.’s proxy
anonymous signature allows an user to anonymously sign on ring signature scheme. We then describe Zhang and Yang’s
behalf of a group, where no one can know which the actual attacks on Hu et al.’s proxy ring signature scheme.
signer is. When verifying the verifier only knows that the
signature has been produced by some member of this ring, 2.1 Overview of Hu et al.'s Proxy Ring
but he/she has no information about who is the actual of the Signature Scheme
signature. Hu et.al introduced a new type of signature scheme called
the proxy ring signature scheme with revocable anonymity
Proxy signature can be combined with other special which combines ring signature with proxy signature.
signatures to obtain some new types of proxy signatures (for
(IJCNS) International Journal of Computer and Network Security, 71
Vol. 2, No. 5, May 2010

In the following, we briefly review their scheme.


2.1.4 Verification Phase
2.1.1 System Parameters
For verification of the signature δ = (m, A, z N , c N , r N , V )
The following system parameters are used in describing the on message m , the verifier executes the followings:
scheme. 1. Computes h = H (m) .
• p, q : two large prime numbers, q | p − 1 . 2. For i = 1,2,⋅ ⋅ ⋅, n , computes δ i = A ,
i
*
• g : an element of Z p whose order is q . bi = h zi δ ici ,
• x0 , x1 ,⋅ ⋅ ⋅, xn : the original signer A0 's secret key and a i = g z ( y i y 0 ri )
i c i

proxy signers U i 's secret key, where i = 1,⋅ ⋅ ⋅, n . −1


3. If ri = y0 , rejects the signature.
• y0 = g
H (m, a N , bN ,V) = ∑ci
x0
mod p : A0 's public key.
4. Otherwise, checks whether
• yi = g mod p : U i 's public key.
xi
i∈B
• H : a hash function, H : {0,1} → Z q .
* is satisfied or not.
If the verification is valid, then the verifier accepts δ as
2.1.2 Proxy Phase a valid proxy ring signature of message m .

1. Commission Generation: For the user U i , the original 2.1.5 Open Phase
Signer A0 randomly chooses ki ∈ Z q and then To open a signature and reveal the actual identity of the
signer, the original signer checks the following.
computes sˆ i = x 0 g k i + k i mod q and rˆi = g i mod q . k
y ri −1rˆ
Then A0 sends (sˆi , rˆi ) secretly to U i and keeps ki secret.
ˆ
For i = 1 to n , verifies whether g i = V 0 i .
r

2. Proxy Verification: Each U i checksuser If for some i , the verification phase , it indicates that U i is
the actual signer.
whether g = y rˆ mod q . If it holds, then U i
sˆi rˆi
o i
computes s i = xi + sˆi mod q . s i is his/her proxy signing
key. 2.2 Attacks on Hu et al.'s Proxy Ring Signature
Scheme
2.1.3 Signing Phase In the following, we briefly review the attacks due to Zhang
and Yang on Hu et al.’s scheme.
Let the user U i be the real signer and the ring be
B = (U 1 ,⋅ ⋅ ⋅,U n ) . On input a group size n ∈ Z , a 2.2.1Attack on Unforgeability
message m and a public key set yN = ( y1 ,⋅ ⋅ ⋅, yn ) , the This attack consists of the following steps.
signer U i does the followings: 1. Assume that the message m is a forged message.
We then compute h = H (m) .
1. Selects d ∈R Z q and randomly computes the followings:
2. Randomly choose a number a ∈R Z q to compute
h = H (m) and δ i = h si − d .Then set A = δ i1 / i .
a i = g a , and bi = h a .
2. Randomly chooses wi ∈ Z q and computes a i = g i
w
3. Randomly choose a number l ∈R Z q to compute
and bi = h i .
w
A = hl .
3. For all j ≠ i , picks up at random z j , c j , r j ∈ Z q and 4. For all j ≠ i , randomly select z j , c j , r j ∈ Z q and
−1
if r j ≠ y0 , then computes: aj = g
zj
(y y r )
j 0 j
cj
, −1
if r j ≠ y0 then compute the followings:
δ j = A , and b j = h δ
j zj cj
j aj = g
zj
(y j y0 r j ) j ,
c

4. Let a N = (a 1 ,⋅ ⋅ ⋅, a n ) , bN = (b1 ,⋅ ⋅ ⋅, bn ) . U i then δ j = A j , and b j = h j δ j j .


z c

and c = H (m, a N , bN , V ) . 5. Set a N = (a 1 ,⋅ ⋅ ⋅, a n ) and bN = (b1 ,⋅ ⋅ ⋅, bn ) .


g −d
computes V = g
n 6. Randomly choose V ∈ Z p to compute
5. Computes the following ci = c − ∑c
j =1, j ≠ i
j and
H (m, a N , bN ,V ) = c .
zi = wi − ci s i + ci d . n
rˆ −1 −d
6. Finally computes ri = y0i rˆi g .
7. Set ci = c − ∑c
j =1, j ≠ i
j , and then set

zi = a − i ⋅ l ⋅ ci mod q .
Let z N = ( z1 ,⋅ ⋅ ⋅, zn ) , c N = (c1 ,⋅ ⋅ ⋅, c n ) , and i ⋅l −1 −1
8. After this, compute ri = g yi y0 , and then set
rN = (r1 ,⋅ ⋅ ⋅, rn ) .
The resultant proxy ring signature on message m is rN = (r1 ,⋅ ⋅ ⋅, rn ) .
δ = (m, A, z N , c N , rN , V ) . 9. Finally, the resultant proxy ring signature on
message m becomes δ = (m, A, z N , c N , r N , V ) .
72 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 5, May 2010

By verifying the following three equations:

a j = g j ( y j y0 r j ) j ,
z c

δ j = A j , and 3.1 Proxy Phase


bj = h δ
zj cj
j This phase consist of the followings.

Zhang and Yang showed that the forged proxy ring 1. Commission Generation: For the user U i , the
signature is valid signature.
2.2.2 Attack on Revocable Anonymity original signer A0 randomly chooses ki ∈ Z q and

In the following, Zhang and Yang showed how to produce a then computes sˆ i = x 0 g k i mod q and
proxy ring signature in which the anonymity of the
rˆi = g ki mod q , where x0 is the original signer
dishonest proxy signer’s identity is not revoked.
A0 ’s secret (private) key. After that A0 sends
Let the user U i be the real signer and the ring be (sˆi , rˆi ) secretly to U i and keeps ki as secret.
B = (U 1 ,⋅ ⋅ ⋅,U n ) . On inputs, a group size n ∈ Z , a 2. Proxy Verification: Each user U i checks whether
message m and the public key set yN = ( y1 ,⋅ ⋅ ⋅, yn ) , the
g sˆi = g x0 ⋅ g mod q . Here y0 is the original
ki

signer U i performs the following:


signer A0 ’s public key. Then U i computes
1. Here, for j = 1 to n , the generations of
s i = xi + sˆi mod q as his/her proxy signing key.
a j ,δ j , b j and A remain same as those for Hu et
al.’s scheme.
2. Sets a N = (a 1 ,⋅ ⋅ ⋅, a n ) , bN = (b1 ,⋅ ⋅ ⋅, bn ) and
3.2 Singing Phase
Assume that the user U i be the real signer. Let the ring be
randomly chooses V ∈ Z p to compute
B = (U 1 ,⋅ ⋅ ⋅, U n ) . Inputs in this phases are (i ) a group size
H (m, a N , bN , V ) = c . Here we note that
generation of V is different from that of Hu et al.’s
n ∈ Z , (ii ) a message m and (iii ) a public set
scheme and V is a random number. yN = ( y1 ,⋅ ⋅ ⋅, yn ) . The signer U i then executes the
n following steps:
3. Computes ci = c − ∑c
j =1, j ≠ i
j and
Step-1. Selects d ∈R Z q randomly and then computes

zi = wi − ci s i + ci d . h = H (m) and δ i = h si − d .
rˆ −1 −d
4. Then computes ri = y0i rˆi g . After computing these, U i sets A = δ i .
1/ i

Let z N = ( z1 ,⋅ ⋅ ⋅, zn ) , c N = (c1 ,⋅ ⋅ ⋅, c n ) , and Step-2. Randomly choose wi ∈ Z q and then compute


rN = (r1 ,⋅ ⋅ ⋅, rn ) .
a i = yi and bi = h
wi wi
.
Finally, the resultant proxy ring signature on message m Step-3. For all j ≠i, selects at random
is δ = (m, A, z N , c N , r N , V ) . From the above generation −1
z j , c j , r j ∈ Zq such that r j ≠ y 0 . Then computes
process of proxy ring signature, the original signer cannot
z j +xjc j
a j = yj
c c
revoke the identity of proxy signer, because of the fact that y0 j r j j ,
V in the signature δ = (m, A, z N , c N , rN , V ) is a random
δ j = A j , and b j = h j δ j j .
z c
number and the value of i can not be retrieved by using the
above open algorithm. As a result, the original signer can Step-4. Let a N = (a 1 ,⋅ ⋅ ⋅, a n ) , and bN = (b1 ,⋅ ⋅ ⋅, bn ) .
not revoke the anonymity of the proxy signer’s identity. −d
y0−1
U i then computes V = g yi and
c = H (m, a N , bN , V ) .
3. Improved Proxy Ring Signature Scheme
n
In this section, we describe our improved signature scheme
in order to eliminate the security flaws discussed in Section
Step-5. Computes ci = c − ∑c
j =1, j ≠ i
j and

2.2. We use the same set of system parameters as used in Hu zi = wi − ci s i + ci d .


et al.’s proxy ring signature scheme given in Section 2.1.1.
x rˆ −1 −d
Step-6. Computes ri = y0 i i yi .
The different phases of our improved scheme are given
in the following subsections.
Let z N = ( z1 ,⋅ ⋅ ⋅, zn ) , c N = (c1 ,⋅ ⋅ ⋅, c n ) , and
(IJCNS) International Journal of Computer and Network Security, 73
Vol. 2, No. 5, May 2010

rN = (r1 ,⋅ ⋅ ⋅, rn ) . a i = yizi yixici y0ci ri ci = yiwi − ci si + ci d yixi ci y0ci y0xi rˆi −1 yi− d [ ]ci

Finally, the resultant proxy ring signature on message m is


δ = (m, A, z N , c N , rN , V ) . = yiwi yi−ci si yi
ci d
yixi ci y0ci y0xi ⋅rˆi ⋅ci y0−ci yi−ci d
= yiwi yi−ci [ xi + sˆi ] yixici y0xi ⋅rˆi ⋅ci

3.3 Verification Phase


= yiwi yi−ci xi yi−ci sˆi yixici y0xi ⋅rˆi ⋅ci
To verify the signature δ = (m, A, z N , c N , r N , V ) on = yiwi yi−ci [ x0 rˆi ] y0xi ⋅rˆi ⋅ci
message m , the verifier needs to execute the following = yiwi yi−ci x0 rˆi yici x0 rˆi = yiwi
steps.

Step-1. Computes h = H (m) . Thus if the proxy ring signature is generated by a valid
Step-2. For i = 1,⋅ ⋅ ⋅, n , computes member in the ring, the verification of the equation

a i = yi
zi + xi ci
y0ci rici , H (m, a N , bN ,V) = ∑ci passes.
i∈B
δ i = Ai , and
bi = h zi δ ici . 4.2 Correctness of Open Phase
−1
Step-3. If ri = y0 , then the verifier immediately rejects We prove the correctness of open algorithm as follows:
x rˆi − 1
yi − d y 0− 1 y i− d
x rˆi
the signature. g ri
= g y0 i
= g y0 i
−1
Step-4. Otherwise, if ri ≠ yo , the verifier checks the
( )
x rˆi
y0 i
y 0− 1 y i− d
ˆ
y 0x i r i x 0 x i rˆi
= g =V = V
H (m, a N , bN ,V) = ∑ci
g

validity of the equation: x 0 rˆi sˆ i


i∈B = V yi
= V yi

If the above equation is valid , then the verifier accepts δ


as a valid proxy ring signature on message m .
4.3 Security Analysis
3.4 Open Phase
In this section, we show that our scheme preserves the
In order to open a signature and reveal the actual identity of unforgeability as well as revocable anonymity properties
the signer, the original signer can verify the following
equation: • Unforgeability: The improved scheme satisfies the
ˆ
yisi unforgeability property as follows.
For i = 1 to n , checks whether g
ri
=V .
Assume that B denotes the ring. We prove that
If the verification passes for some i , then the user U i is the any adversary A∉ B can not forge the valid ring
actual signer. signature. Suppose A can repeat the proxy phase
and also query the original signer for ŝ k and rˆk ,
4. Analysis of Our Improved Scheme
where k ∈ B in order to receive some proxy
In this section, we give correctness proofs for our signature key which does not belong the ring
verification phase as well as open phase. We then describe B . To forge a ring signature, A needs to execute
the security analysis of our scheme. the signing phase. Let A select randomly
zi , ci , ri ∈ Z q , for all i ∈ B and compute
4.1 Correctness of Verification Phase
c = H (m, a N , bN , V ) . However, this becomes
We prove the correctness of verification process as follows: impossible because in order to compute
For the signer i , δ i = A = δ i
i
( ),
1/ i i
a i = yi
zi + xi ci ci ci
y r , A needs the private key xi
0 i

of the proxy signer U i . Computation of the


bi = h zi δ ici = h wi −ci si +ci d δ ici = h wi h ci d − ci si δ ici
private key xi from the public key yi is
= h wi h −ci ( si − d )δ ici = h wi δ i−ci δ ici = h wi computationally infeasible, since it is based on the
discrete logarithm problem (DLP) for a large
prime q. As a result, except U i no one can
calculate a i and hence, our scheme satisfies the
unforgeability property.
74 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 5, May 2010

• Revocable anonymity: Let an untrustworthy proxy References


signer can produce a proxy ring signature which
can pass the verification phase. But then the [1] C. Hu, P. Liu, and D. Li. New Type of Proxy Ring Sig-
original signer can revoke the anonymity of his nature Scheme with Revocable Anonymity and No Info
identity. Now, to open the signature and reveal the Leaked. In Multimedia Content Analysis and Mining
actual identity of the signer the verification of the
sˆi
(MCAM 2007), LNCS, volume 4577, pages 262–266,
equation g ri = V yi , where i = 1,⋅ ⋅ ⋅, n is 2007.
[2] W.D. Lin and J.K. Jan. A security personal learning tools
needed. If for some i , the check is valid, then U i
using a proxy blind signature scheme. In Proceedings of
becomes the actual signer. This is impossible again
International Conference on Chinese Language
because V in the signature Computing, Illinois,USA, pages 273–277, July 2000.
δ = (m, A, z N , c N , rN , V ) itself is not a random [3] M. Mambo, K. Usuda, and E. Okamot. Proxy
number. It depends upon the public key of the signatures: delegation of the power to sign message .
original signer and the proxy key of proxy signer as IEICE Transaction Functional, E79-A(9):1338–1353,
−d
y0−1 1996.
V = g yi .Thus, our scheme also preserves the
[4] R.L. Rivest, A. Shamir, and Y. Tauman. How to leak a
property of revocable anonymity. secret. In Advances in Cryptology-Asiacrypt 2001,
LNCS, volume 2248, pages 552–565. Springer-Verlag,
5. Performance Comparison of Our Scheme 2001.
with Hu et al.’s Proxy Ring Signature Scheme [5] Kyung-Ah Shim. An Identity-based Proxy Signature
In this section, we compare the computational costs of Scheme from Pairings. In ICICS 2006, LNCS, volume
different phases of our scheme with those for Hu et al’s 4307, pages 60–71. Springer-Verlag, 2006.
scheme. [6] J. Xu, Z. Zhang, and D. Feng. ID-Based Proxy Signature
Using Bilinear Pairings. In ISPA Workshops, LNCS,
Table 1: Performance comparison between our scheme and volume 3759, pages 359–367. Springer-Verlag, 2005.
Hu et al.’s proxy ring signature scheme. [7] L. Yi, G. Bai, and G. Xiao. Proxy multi-signature
scheme: a new type of proxy signature scheme.
Electronics Letters, 36(6):527–528, 2000.
[8] F. Zhang and K. Kim. Efficient ID-based blind
signature and proxy signature from pairings. In
Information Security and Privacy, volume 2727, pages
218– 219. Springer Berlin, 2003.
[9] J. Zhang and Y. Yang. On the Security of a Proxy
Ring Signature with Revocable Anonymity. In 2009
International Conference on Multimedia Information
Notes: TM: time taken for a modular multiplication, TE: Networking and Security (MINES), volume 1, pages
time taken for an exponential operation, TH: time taken for a 205–209, 2009.
one-way hash function. [10] K. Zhang. Threshold proxy signature schemes. In 1997
Information Security Workshop, Japan, volume 1396,
We have compared the computational costs of different pages 282–290. Springer Berlin, September, 1997.
phases of our scheme with those for Hu et al’s scheme in
Table 1. From this table, we see that our scheme requires
one modular multiplication less than Hu et al’s scheme.
Thus, the computational costs of our scheme are also
comparable with Hu et al’s signature scheme.

6. Conclusion
In this paper, we have proposed an improved proxy ring
sig-nature with revocable anonymity to eliminate the
security flaws in Hu et al's scheme. The proposed scheme
allows the original signer to know exactly who the signer
is. We have given correctness proofs of our scheme and
analyze the security aspects of our scheme. The security
of the proposed scheme is based on the security of the
DLP problem. We have also shown that our scheme
preserves the properties of unforgeability as well as
revocable anonymity.