Sage Journals: Discover world-class research

Abstract

The existing proxy signature schemes with the proxy revocation function are proven to be malleable and do not possess strong unforgeability. Motivated by these concerns, a new proxy signature scheme with fast revocation is proposed, and it can be proved that the proposed scheme can achieve strong unforgeability in the standard model. By using this scheme, the original signer can generate the delegation warrant for the proxy signer, and at the same time, he/she can perform the immediate revocation to completely terminate the delegation when needed. Analyses show that the proposed scheme satisfies all of the security requirements of proxy signature and has shorter public parameters than the existing ones.

1. Introduction

As a variation of digital signature [1], proxy signature [2] allows the original signer to delegate his/her signature rights to a proxy signer. In this case, the designated proxy signer can generate valid signatures like the original signer. Proxy signature has many important applications in our daily life. For example, in the sensor networks aiming at collecting temperature data, sensor nodes are responsible for collecting data and sending them to the sink node. With data from sensor nodes, the sink node processes them and issues the analysis result publicly through Internet. Generally, it is necessary for people to judge where this result comes from, and in this case the analysis result should be signed by the sink node before releasing it. Normally, the sink node is able to carry out the signature process by itself. However, it maybe has to choose a trustworthy and capable equipment to replace itself to implement signature for some reason, and the selected equipment is called a proxy signer. This is a typical case for sensor-based application systems. In fact, proxy signature has found even wider applications, including electronic commerce, e-cash, and mobile agents, where delegation of rights is quite common [3]. Thus, proxy signature becomes one of the hot topics in the field of information security, and many schemes [4–9] have been proposed recently.

In proxy signature, it is important to securely process the proxy revocation problem when a valid delegation expires or the original signer wants to revoke a valid delegation ahead of schedule for some reason. For instance, in the above example, the signature rights can be assigned to other equipment by the sink node. However, during the period of delegation, the sink node maybe wants to repeal the rights before the end of the delegation. In this case, the delegation revocation function is needed. Although fast revocation has already been taken into account in several proxy signature schemes [10–13], none of them have achieved the security notion of the secure existential unforgeablility, since an adversary can still generate a valid signature on the same message without the private key. That is to say, the adversary is still able to forge a signature after the proxy signer is revoked. The basic reason is that these proxy signature schemes are designed by using 2-level hierarchical Waters' schemes, but Waters et al.'s scheme is malleable [5, 14].

Motivated by the above concerns, we proposed a new proxy signature scheme with fast revocation in the standard model under the computational Diffie-Hellman assumption and proved that it can achieve strong unforgeability in the standard model. Compared with the existing proxy signature schemes, the proposed scheme has the following merits: shorter size of public parameters and tighter security reduction. At the same time, the proposed scheme has the property of fast revocation. In a word, our scheme achieves strong unforgeability of the proxy signature scheme with revocation.

The rest of this paper is organized as follows: in Section 2, we shall briefly review related works in the field of proxy signature. Hard problems and security notions are given in Section 3. In Section 4, we introduce the new proxy signature scheme. In Section 5, we analyze the correctness and security of our scheme and compare our scheme with existing schemes in terms of computational efficiency, the number of public parameters, and security. Finally, we conclude this paper in Section 6.

2. Related Works

The concept of proxy signature was first introduced by Mambo et al. [2], and it has been considered the most promising technique to solve the delegation problem of signature rights [15]. Since then, proxy signature has attracted a considerable amount of interest from researchers. According to the delegation types [2], proxy signature can be classified into three types: full delegation, partial delegation, and delegation by warrant. For the full delegation [15], the original signer directly sends his/her private key to the proxy signer. It is easy to implement the full delegation, but the signature produced by the proxy signer is completely indistinguishable from the one produced by the original signer. In fact, such schemes are obviously impractical and insecure, because the proxy signer has the same right as the original signer, and the original signer cannot achieve revocation of delegated rights. For the partial delegation [15], the original signer generates a proxy key from his/her private key and securely transfers it to the proxy signer, and the proxy signer uses this proxy key to sign messages on behalf of the original signer. Moreover, partial delegation is classified as proxy-unprotected and proxy-protected based on the protection of the proxy signer [15]. However, the signed messages by the proxy signer are not limited, so the proxy signer may sign some messages that the original signer is not willing to sign. To eliminate this drawback, Kim et al. [16] presented the partial delegation scheme with warrant, which combines the merits of the partial delegation and the delegation by warrant. In the delegation by warrant, the original signer specifies what kind of message is delegated in the warrant and produces a signature on the warrant. Then, the proxy signer uses this signature and his private key to create a valid proxy signature on behalf of the original signer. But this scheme was proven insecure later.

Recently, several proxy signature schemes have been put forward. In 2008, Liu et al. [6] presented a proxy multisignature scheme in the standard model, which allows a proxy signer to generate proxy signatures on behalf of two or more original signers. In 2012, Hwang et al. [17] proposed a variation of proxy signature scheme called threshold multiproxy multisignature scheme with shared verification based on the RSA problem. Sahu and Saraswat [18], in 2015, proposed an efficient and provably secure identity-based multi-proxy signature scheme, which allows a user to transfer its signature rights to a group of proxy signers.

However, most of the existing proxy signature schemes have the following essential shortcomings [19]. First, the declaration of a valid delegation in the warrant is useless. The proxy signer can still produce a signature even if the delegation period has expired. Second, when the original signer wants to revoke the delegation earlier than his/her schedule, he/she can do nothing. Thus, the revocation of delegated rights is an essential problem of proxy signature. To solve these problems, some schemes with revocation have been proposed. For example, Sun and Chen [20] proposed a time-stamped proxy signature scheme and claimed that the revocation problem can be solved by using a time-stamp. However, their scheme suffers from security weakness and cannot solve the second problem [21]. Seo et al. [19] proposed a mediated proxy signature scheme to solve the proxy revocation problem by using a special entity, called SEM, which is an online partially trusted server. But the shortcoming of the above schemes [19–21] is that they cannot be proven secure in the random oracle model or in the standard model. In order to eliminate this shortcoming, in 2009, Liu et al. [10] first proposed a provable secure proxy signature with revocation in the standard model.

For the lack of formal security definitions, many early schemes were proven insecure later. Therefore, security notion and security concept are important for designing the proxy signature schemes. In 2003, Boldyreva et al. [22] first defined the security model of proxy signature schemes. Although their model is efficient, it has received many criticisms, since the security of their model is unable to describe the security in the standard model. Consequently, their scheme is proved secure in the random oracle model, but it is vulnerable to the proxy key exposure attack. So, it is an interesting problem to design a proxy signature scheme, which can be proven secure in the standard model and avoid the proxy key exposure attack. In 2006, Huang et al. [4] divided the attackers into three types to make the security model much clearer and proposed a secure proxy signature in the standard model. Based on Huang et al.'s scheme and Waters' technique, Liu et al. [10] proposed a formal security model for proxy signature with fast revocation in the standard model. After that, many proxy signature schemes with revocation in the standard model have been proposed [10–13], and they are demonstrated by using a 2-level hierarchical Waters signature. However, there are two drawbacks in these schemes [10–12]. One is that they have a large number of public parameters, and the other is that they are not strongly unforgeable since an adversary is still able to forge a valid signature on the same message without the private key after the proxy signer is revoked.

Later, many new schemes were proposed. In 2013, Kim et al. [23] and Swapna et al. [24] constructed the provably secure ID-based proxy signature schemes based on the lattice problems, respectively and independently, but these schemes increased the length of the proxy private key significantly. In 2014, Hu et al. [25] presented a novel ID-based proxy signature scheme, and the proposed scheme is provably secure in the standard model. In the same year, Cao et al. [26] also presented a weak blind signature scheme by combing the requirements for proxy signature and weak blind signature. Unfortunately, Zhang and Jia [27] found that there exists a security problem in Cao et al.'s scheme. That is to say, the receiver of the signature can forge a valid signature on any message without being perceived, and at the same time, Zhang and Jia provided the detailed attack strategy and the possible improved schemes.

The existing proxy signature schemes are existentially unforgeable under adaptive chosen-message attacks and adaptive chosen-warrant attacks, which means that an adversary should not be able to produce a valid signature for a new message. However, most existing signature schemes are randomized and may produce some valid signatures for the same message, because they do not have the property of strong unforgeability, which is desirable in some applications [28]. A scheme is said to be strongly unforgeable if it is existentially unforgeable under adaptive chosen message attacks and an adversary cannot generate a different valid signature on the same message. Although strong unforgeability is an important property of proxy signature schemes, there are few proxy signatures that possess the property of strong unforgeability in the standard model because of the malleability of Waters' signature. In 2011, Sun et al. [7] proposed the first strongly unforgeable proxy signature in the standard model with the Waters' scheme and Boneh et al. [29]. This scheme shows the formal security of a strongly unforgeable proxy signature. However, Sun et al. could not solve the revocation problem of delegated rights described above.

Overall, although fast revocation has been taken into account in several proxy signature schemes, these schemes do not possess strong unforgeability. Therefore, a strongly unforgeable proxy signature with fast revocation in the standard model is an interesting topic. We need to construct a strongly unforgeable proxy signature with revocation under the computational Diffie-Hellman assumption. Our scheme is based on Sun et al.'s work [7] and the SEM revocation mechanism [19–21].

3. Preliminaries

Before introducing our scheme, we shall briefly introduce the difficult problems and security models related to our scheme. Notations used throughout the paper are summarized in Table 1.

Table 1

Notations.

Name	Meaning
P	Large prime integer
G	Additive group of order p
$G_{T}$	Multiplicative group of order p
$Z_{p}$	The set of positive integers which are less than p
g	Generator of G
e	Bilinear mapping, that is, e: $G \times G \to G_{T}$
$h_{i}$	Cryptographic hash function: ${\{0,1\}}^{*} \times G \times G_{T} \to Z_{p}$ ( $i = 1,2$ )
$H_{0}$	Hash function: ${\{0,1\}}^{*} \to {\{0,1\}}^{n}$
$s k_{i}$	Private key of i, where $i \in \{A, B\}$
$p k_{i}$	Public key of i, where $i \in \{A, B\}$
w	Warrant including the period of delegation, and so forth
M	Message to sign
CDH	Computational Diffie-Hellman problem
ε	Probability of polynomial algorithm
pr	The probability of an event

3.1. Hard Problems

The security of the proposed scheme is based on the hardness of the well-known hard mathematical problem, the computational Diffie-Hellman problem.

Definition 1 (computational Diffie-Hellman (CDH) problem in G).

Given $g, g^{a}, g^{b} \in G$ for unknown values a and $b \in Z_{p}$ , to compute $g^{a b} \in G$ , the probability that a polynomial algorithm A can solve the CDH problem is defined as

\begin{matrix} {Succ}_{A}^{CDH} = pr [g^{a b} ⟵ A (G, g, g^{a}, g^{b})] . \end{matrix}

(1)

Definition 2 (computational Diffie-Hellman (CDH) assumption in G).

Given $g, g^{a}, g^{b} \in G$ for two unknown values a and $b \in Z_{p}$ , $S u c c_{A}^{C D H}$ is negligible.

3.2. Algorithm Model

In this section, we will give the outline of a strongly unforgeable proxy signature with fast revocation. There exist three parties: an original signer Alice shorted by A, a proxy signer Bob shorted by B, and a security mediator SEM shorted by S, which is an online partial third server, introduced to check whether the proxy signer signs a message according to the warrant or he/she exists on the revocation list. B is picked by A. For other entities, S is supposed to be a partially trusted third party, who has to perform this protocol strictly. A proxy signature scheme with fast revocation consists of the following algorithms.

(1) Setup. Given the system security parameter, this algorithm outputs the system parameter π, which is publicly known.

(2) Key-Gen. Given π, this algorithm generates a private-public key pair ( $s k_{i}, p k_{i}$ ) for $i \in \{A, B\}$ . The private keys of signers must be kept secret.

(3) Delegation-Gen. Given π, the private key of A $s k_{A}$ , and a warrant ω to be delegated, this algorithm outputs a revocation identifier $R_{A}$ , and two partial delegation keys $σ_{B}$ and $σ_{S}$ . A sends ( $ω, σ_{B}, R_{A}$ ) to B and ( $ω, σ_{S}, R_{A}$ ) to S.

(4) Delegation-Verify. After receiving ( $ω, σ_{B}, R_{A}$ ) and ( $ω, σ_{S}, R_{A}$ ), both S and B prove the validity of the delegation.

(5) Proxy-Valid. B wants to sign a message M. S must guarantee that the period of proxy delegation specified in the warrant ω is valid, and B is not on the public revocation list.

(6) ProxySign-Gen. Given π, a warrant ω, a message M, two delegation keys $σ_{B}$ and $σ_{S}$ , and the secret key $s k_{B}$ of B, this algorithm outputs a proxy signature σ.

(7) ProxySign-Verify. Given π, a warrant ω, a message M, the signature σ, and the public keys $p k_{A}$ and $p k_{B}$ , this algorithm outputs 1 if σ is valid and 0 otherwise.

(8) Proxy-Revocation. If A wants to revoke the delegation of B before the specific delegation period expires, he/she asks S to put ( $ω, R_{A}$ ) on the public revocation list. Therefore, if the delegation period has expired or ( $ω, R_{A}$ ) exists in the revocation list, S will not issue any token for the proxy signer.

3.3. Security Models

For proxy signature schemes, the first security model was proposed by Mambo et al. [15]. However, this model was vulnerable to proxy key exposure attacks. In order to avoid proxy key exposure attacks, Huang et al. [4] provided a new security model of proxy signatures, where adversaries are divided into three types to make the security model much clearer. We modified this model a little to make it adapt to our scheme and strengthen its strong unforgeability of proxy signature. Three types of adversaries are shown as follows.

Type I. Adversary $A_{I}$ only has the public keys of A and B. It is an outside attacker in this case.

Type II. Adversary $A_{I I}$ has the public keys of A and B, and at the same time, he/she has corrupted the secret key of the proxy signer. It is an inside attacker in this case.

Type III. Adversary $A_{I I I}$ has the public keys of A and B. In addition, he/she has corrupted the secret key of the original signer. It is also an inside attacker in this case.

Clearly, if a proxy signature scheme is strongly unforgeable against type II and type III adversaries, it is also strongly unforgeable against type I. Therefore, if we show that our scheme is strongly unforgeable against type II and type III adversaries, it means that our scheme is strongly unforgeable against all three types of adversaries. In the following security model, we only consider the type II adversary $A_{I I}$ and type III adversary $A_{I I I}$ .

3.3.1. Strong Existential Unforgeability against the Adaptive $A_{II}$ Adversary

The strong unforgeability of the proxy signature scheme with fast revocation under $A_{I I}$ adversary requests that it is difficult for an attacker to forge a valid signature on M under a warrant if he/she does not obtain the delegation of the warrant ω. It is defined as the following game between a challenger C and an adversary $A_{I I}$ . (1)

$C$ runs the Setup algorithm to obtain the system parameter π and runs the Key-Gen algorithm to obtain A's private/public key pair ( $s k_{A}, p k_{A}$ ) and B's private/public key pair ( $s k_{B}, p k_{B}$ ). Then, C sends $p k_{A}$ , $s k_{B}$ , and $p k_{B}$ to an adversary $A_{I I}$ .

(2)

$A_{I I}$ makes a series of queries.

(a)

SEM-Delegation queries: $A_{I I}$ requests S's delegation key on a warrant ω. C runs the Delegation-Gen algorithm to obtain the partial delegation key $σ_{S}$ , and a revocation identifier $R_{A}$ , and then returns ( $ω, σ_{S}, R_{A}$ ) to an adversary $A_{I I}$ .

(b)

User-Delegation queries: $A_{I I}$ requests S's delegation key on a warrant ω. C runs the Delegation-Gen algorithm to obtain the partial delegation key $σ_{B}$ , and a revocation identifier $R_{A}$ , and then returns ( $ω, σ_{B}, R_{A}$ ) to an adversary $A_{I I}$ .

(c)

SEM-Sign queries: $A_{I I}$ requests S's partial proxy signature on a message M, which satisfies the warrant ω. C runs the ProxySign-Gen algorithm and obtains the partial proxy signature $σ_{p s}$ .

(d)

User-Sign queries: $A_{I I}$ requests B's complete signature on a message M. C runs the ProxySign-Gen algorithm and obtains a proxy signature σ.

(3)

Finally, $A_{I I}$ outputs a pair ( $M^{*}, ω^{*}, σ^{*}$ ), such that

(a)

$ω^{*}$ has not been queried in the SEM-Delegation or User-Delegation query,

(b)

$σ^{*}$ is a valid signature of the message $M^{*}$ under the warrant $ω^{*}$ ,

(c)

( $M^{*}, ω^{*}, σ^{*}$ ) is not among the triplets ( $M_{i}, ω_{i}, σ_{i}$ ) during the User-Sign query.

The advantage of an adversary $A_{I I}$ in the above game is defined to be

\begin{matrix} {Succ}_{A_{II}} = pr [A_{II} succeeds] . \end{matrix}

(2)

Definition 3.

An adversary $A_{I I}$ is said to be an ( $ε, t, q_{w}, q_{p s}$ ) forger of a proxy signature scheme with revocation if $A_{I I}$ has the advantage of at least ε in the above game, runs in time at most t, and makes at most $q_{w}$ SEM-Delegation queries and User-Delegation queries, and $q_{p s}$ SEM-Sign queries and User-Sign queries. If no ( $ε, t, q_{w}, q_{p s}$ ) forger $A_{I I}$ exists, the scheme is said to be ( $ε, t, q_{w}, q_{p s}$ ) strongly unforgeable against adaptive chosen warrant/message attacks.

3.3.2. Strong Existential Unforgeability against Adaptive $A_{III}$ Adversary

The strong unforgeability of the proxy signature scheme with fast revocation under an $A_{I I I}$ adversary requests that it is difficult for A to forge a valid signature on $M^{*}$ which has not been signed by B. It is defined as the following game between a challenger C and an adversary $A_{I I I}$ . (1)

C runs the Setup algorithm to obtain system's parameters π and runs the Key-Gen algorithm to obtain A's private/public key pair ( $s k_{A}, p k_{A}$ ), and B's private/public key pair ( $s k_{B}, p k_{B}$ ). Then, C sends $p k_{A}$ , $s k_{A}$ , and $p k_{B}$ to the adversary $A_{I I I}$ .

(2)

$A_{I I I}$ makes a series of queries:

User-Sign queries: $A_{I I I}$ requests B's the complete proxy signature on a message M. C runs the ProxySign-Gen algorithm and obtains a proxy signature σ.

(3)

Finally, $A_{I I I}$ outputs a pair ( $M^{*}, ω^{*}, σ^{*}$ ), such that

(a)

$σ^{*}$ is a valid signature of the message $M^{*}$ under the warrant $ω^{*}$ ,

(b)

( $M^{*}, ω^{*}, σ^{*}$ ) is not among the triplets ( $M_{i}, ω_{i}, σ_{i}$ ) during the User-Sign query.

The advantage of an adversary $A_{I I I}$ in the above game is defined to be

\begin{matrix} {Succ}_{A_{III}} = pr [A_{III} succeeds] . \end{matrix}

(3)

Definition 4.

An adversary $A_{I I I}$ is said to be an ( $ε, t, 0, q_{p s}$ ) forger of a proxy signature scheme with revocation if $A_{I I I}$ has the advantage of at least ε in the above game, runs in time at most t, and makes at most $q_{p s}$ SEM-Sign queries and User-Sign queries. If no ( $ε, t, 0, q_{p s}$ ) forger $A_{I I I}$ exists, the scheme is said to be ( $ε, t, 0, q_{p s}$ ) strongly unforgeable against adaptive chosen warrant/message attacks.

4. The Proposed Scheme

In this section, we shall introduce the strongly unforgeable proxy signature scheme with fast revocation in the standard model in detail, and this scheme is based on the existing works [5, 14]. Waters et al.'s scheme [14] is a basic algorithm prototype of Sun et al.'s scheme [5], and Sun et al. proposed the first proxy signature scheme based on Waters et al.'s model. Unfortunately, their schemes were proved to be insecure later [7]. So we analyzed their schemes and proposed a new proxy signature scheme with fast revocation, and this is our main contribution. Let A denote the original signer Alice, B denote the proxy signer Bob, and S denote the security mediator SEM who is an online partially trusted server. In the following, all the warrants to be signed will be regarded as a bit string of length n. Note: to construct a more flexible scheme which allows warrants of arbitrary length, a collision resistant hash function $H_{0}$ : ${\{0,1\}}^{*} \to {\{0,1\}}^{n}$ should be employed. The proposed scheme is illustrated in Figure 1 and elaborated on as follows.

Figure 1

The proposed proxy signature scheme with revocation.

(1) Setup. Let ( $G, G_{T}$ ) be bilinear groups where $|G| = |G_{T}| = p$ for a prime order p, and g is the generator of G. Let e denote a bilinear pairing e: $G \times G \to G_{T}$ . Additionally, choose random parameters $u^{'}, u_{1}, u_{2}, \dots, u_{n}$ , $v \in G$ , and a collision resistant hash function H: ${\{0,1\}}^{*} \times G \times G_{T} \to Z_{p}$ , and then set $u = (u_{1}, u_{2}, \dots, u_{n})$ . The system's public parameters are denoted as $π = (G, G_{T}, e, p, g, u^{'}, v, u, H)$ .

(2) Key-Gen. A randomly picks $x_{A}$ and $y_{A} \in Z_{p}$ and sets her private key $s k_{A} = (x_{A}, y_{A})$ . Then, A computes her public key $p k_{A} = (p k_{A x}, p k_{A y}) = (g^{x_{A}}, g^{y_{A}})$ . Similarly, B sets his secret key $s k_{B} = (x_{B}, y_{B})$ , and the public key $p k_{B} = (p k_{B x}, p k_{B y}) = (g^{x_{B}}, g^{y_{B}})$ . All public keys are certified by a Certification Authority (AS).

(3) Delegation-Gen. The warrant ω is signed by A and contains important information such as valid time of delegation of the signing rights, the identities of the original signer and the proxy signer, and other information of the delegation. Let $ω_{i}$ denote the ith bit of ω, and set $W = \{i ∣ ω_{i} = 1, i = 1,2, \dots, n\}$ . The original signer chooses randomly $x_{A 1}, x_{A 2}, r_{B}, r_{S} \in Z_{p}$ , such that $x_{A 1} + x_{A 2} = x_{A}$ , and computes

\begin{matrix} r_{B} + r_{s} = r_{A}, \\ R_{A} = g^{r_{A}}, \\ σ_{B} = (σ_{B 1}, σ_{B 2}) = (g^{x_{A 1} y_{A}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{B}}, g^{r_{B}}), \\ σ_{S} = (σ_{S 1}, σ_{S 2}) = (g^{x_{A 2} y_{A}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{S}}, g^{r_{S}}) . \end{matrix}

(4)

Then, A sends (

ω, σ_{B}, R_{A}

) to B and (

ω, σ_{S}, R_{A}

) to S, respectively.

(4) Delegation-Verify. To confirm the correctness of ( $ω, σ_{B}, R_{A}$ ), B computes $R_{B} = e (σ_{B 1}, g)$ , and sends ( $ω, σ_{B}$ ) to S. After B receives $R_{S} = e (σ_{S 1}, g)$ from S, he verifies whether the following equation holds:

\begin{matrix} R_{B} R_{s} = e ({pk}_{A x}, {pk}_{A y}) e (u^{'} \prod_{i \in W} u_{i}, R_{A}) . \end{matrix}

(5)

Similarly, S verifies the above equation by $R_{B}$ . If the verification is not valid, B and S would request valid delegations from A again or terminate this protocol.

(5) Proxy-Valid. To produce a proxy signature on a message M, B has to cooperate with S. B transmits his identity and ( $ω, M, R_{A}, R_{B}$ ) to S. S confirms that ( $ω, M, R_{A}, R_{B}$ ) was received in the Delegation-Gen and Delegation-Verify phases. Then, S must assure the following conditions, before he/she generates the partial proxy signature on the message M. (a)

The period of proxy delegation specified in the warrant ω should be valid.

(b)

( $ω, R_{A}$ ) should not be in the public revocation list. If ( $ω, R_{A}$ ) is in the list, it means that the delegation has been revoked.

If the two conditions hold, S can perform the ProxySign-Gen stage.

(6) ProxySign-Gen. Let M be an n-bit message. The proxy signer has to cooperate with S to generate a proxy signature on M. (a)

S randomly chooses $r_{1}, k_{1} \in Z_{p}$ and computes $h_{1} = H (M ∥ ω, σ_{S 2}, g^{k_{1}})$ . Then, he sends the following partial proxy signature $σ_{p s}$ to B:

\begin{matrix} σ_{ps} = (g^{x_{A 2} y_{A}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{1} + r_{S}} {(M v)}^{h_{1} k_{1}}, g^{r_{1}}, g^{h_{1} k_{1}}) . \end{matrix}

(6)

(b)

B checks whether the following equation holds:

\begin{matrix} e (σ_{ps 1}, g) R_{B} = e ({pk}_{A x}, {pk}_{A y}) e (u^{'} \prod_{i \in W} u_{i}, R_{A} σ_{ps 2}) e (M v, σ_{ps 3}) . \end{matrix}

(7)

If yes, B chooses two random values $r_{2}, k_{2} \in Z_{p}$ and computes $h_{2} = H (M ∥ ω, σ_{B 2}, g^{k_{2}})$ . The proxy signature is computed as in the following equation:

\begin{matrix} σ = (σ_{ps 1} σ_{B 1} {(u^{'} \prod_{i \in W} u_{i})}^{r_{2}} {(M v)}^{h_{2} k_{2}} g^{x_{B} y_{B}}, σ_{ps 2} g^{r_{2}}, σ_{ps 3} g^{h_{2} k_{2}}) = (g^{x_{A} y_{A}} g^{x_{B} y_{B}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{1} + r_{2} + r_{B} + r_{S}} {(M v)}^{h_{1} k_{1} + h_{2} k_{2}}, g^{r_{1} + r_{2}}, g^{h_{1} k_{1} + h_{2} k_{2}}) = (g^{x_{A} y_{A}} g^{x_{B} y_{B}} {(u^{'} \prod_{i \in W} u_{i})}^{\tilde{r}} {(M v)}^{\tilde{h}}, g^{r_{1} + r_{2}}, g^{\tilde{h}}), \end{matrix}

(8)

where

\tilde{r} = r_{1} + r_{2} + r_{B} + r_{S}

, and

\tilde{h} = h_{1} k_{1} + h_{2} k_{2}

(7) ProxySign-Verify. The verifier verifies whether the proxy signature σ on the message M is valid by judging whether the following equation holds:

\begin{matrix} e (σ_{1}, g) = e ({pk}_{A x}, {pk}_{A y}) e ({pk}_{B x}, {pk}_{B y}) e (u^{'} \prod_{i \in W} u_{i}, R_{A} σ_{2}) e (M v, σ_{3}) . \end{matrix}

(9)

(8) Proxy-Revocation. When a valid delegation period expires or A wants to revoke a valid delegation ahead of schedule for some reason, she asks S to put ( $ω, R_{A}$ ) in a public revocation list. When B issues a proxy token for a message M, S will check the valid period of the delegation in the warrant and ( $ω, R_{A}$ ) in the public revocation list. If the delegation period has expired or ( $ω, R_{A}$ ) exists in the revocation list, S does not issue the proxy token for B. Once the period of delegation has expired, ( $ω, R_{A}$ ) of the public revocation list could be eliminated. So, the size of the public revocation list will not increase.

5. Correctness and Security

5.1. Correctness

Theorem 5.

The delegation verification algorithm in our algorithm is correct.

Proof.

In our algorithm, we have $σ_{B 1} = g^{x_{A 1} y_{A}} (u^{'} \prod_{i \in W} u_{i})^{r_{B}}$ and $σ_{s 1} = g^{x_{A 2} y_{A}} (u^{'} \prod_{i \in W} u_{i})^{r_{S}}$ . In addition, we have $e (g^{x_{A 1} y_{A}}, g^{x_{A 2} y_{A}}) = e (g^{x_{A 1} + x_{A 2}}, g^{y_{A}}) = e ({pk}_{A x}, {pk}_{A y})$ . Thus, we have

\begin{matrix} R_{B} R_{s} = e (σ_{B 1}, g) e (σ_{s 1}, g) = e (g^{x_{A 1} y_{A}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{B}}, g) e (g^{x_{A 2} y_{A}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{S}}, g) = e (g^{x_{A 1} y_{A}} g^{x_{A 2} y_{A}}, g) e ({(u^{'} \prod_{i \in W} u_{i})}^{r_{B} + r_{S}}, g) = e ({pk}_{A x}, {pk}_{A y}) e (u^{'} \prod_{i \in W} u_{i}, R_{A}) . \end{matrix}

(10)

Theorem 6.

The proxy signature verification algorithm in our algorithm is correct.

Proof.

In our algorithm, we have the equations $σ_{ps 1} = g^{x_{A 2} y_{A}} (u^{'} \prod_{i \in W} u_{i})^{r_{1} + r_{S}} (M v)^{h_{1} k_{1}}$ and $R_{B} = e (σ_{B 1}, g) = e (g^{x_{A 1} y_{A}} (u^{'} \prod_{i \in W} u_{i})^{r_{B}}, g)$ . Thus, we have

\begin{matrix} e (σ_{ps 1}, g) R_{B} = e (g^{x_{A 2} y_{A}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{1} + r_{S}} {(M v)}^{h_{1} k_{1}}, g) e (g^{x_{A 1} y_{A}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{B}}, g) = e ({pk}_{A x}, {pk}_{A y}) e (u^{'} \prod_{i \in W} u_{i}, R_{A} σ_{ps 2}) e (M v, σ_{ps 3}) . \end{matrix}

(11)

So, we prove the correctness of the proxy signature in the following way:

\begin{matrix} e (σ_{1}, g) = e (σ_{ps 1} σ_{B 1} {(u^{'} \prod_{i \in W} u_{i})}^{r_{2}} {(M v)}^{h_{2} k_{2}} g^{x_{B} y_{B}}, g) = e (g^{x_{A} y_{A}} g^{x_{B} y_{B}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{1} + r_{2} + r_{B} + r_{S}} {(M v)}^{h_{1} k_{1} + h_{2} k_{2}}, g) = e ({pk}_{A x}, {pk}_{A y}) e ({pk}_{B x}, {pk}_{B y}) e (u^{'} \prod_{i \in W} u_{i}, R_{A} σ_{2}) e (M v, σ_{3}) . \end{matrix}

(12)

5.2. Security

The proposed scheme satisfies the security requirements of verifiability, strong identifiability, strong undeniability, and prevention of misuse, which can be briefly explained as follows: $(1)$ verifiability: any verifier can be assured of A's agreement on the signature; $(2)$ strong undeniability: no one can know the private key of B; when B generates a signature, he/she cannot repudiate it because the signature is produced by his/her private key; $(3)$ strong identifiability: the identity information is included in the valid signature and the warrant as a form of public key; $(4)$ prevention of misuse: once the delegated right is misused, A asks S to stop sending the proxy token to B. More importantly, our scheme can achieve strong unforgeability in the standard model, which makes our scheme different from the existing proxy signature schemes proven secure in the standard model. Therefore, in this section, we shall prove the proposed scheme is strongly unforgeable against three types of adversaries mentioned above. If a proxy signature scheme is strongly unforgeable against a Type II or Type III adversary, it is also strongly unforgeable against Type I. Therefore, in this section, we will only prove that our scheme is strongly unforgeable against type II and type III under adaptive chosen message/warrant attacks in the standard model under the computational Diffie-Hellman assumption.

Theorem 7.

If there exists a type $II$ adversary $A_{II}$ who can $(ε, t, q_{w}, q_{ps})$ break our proxy signature scheme, there exists an algorithm C which can use $A_{II}$ to solve an instance of the $CDH$ problem in G with a probability

\begin{matrix} {Succ}_{C}^{CDH} \geq \frac{ξ}{8 (n + 1) q_{w}} \end{matrix}

(13)

within running time

t + ((n + 5) q_{w} + (n + 6) q_{ps} + n + 4) T_{m} + (10 q_{w} + 12 q_{ps} + 2 n + 8) T_{e}

, where

T_{m}

denotes the time for a multiplication in G, and

T_{e}

denotes the time for an exponentiation in G, respectively.

Proof.

Assume that C receives a random CDH problem instance ( $g, g^{a}, g^{b}$ ) in G whose order is a prime number p, and his/her goal is to output $g^{a b}$ . C will run the adversary $A_{I I}$ as a subroutine, act as $A_{I I}$ 's challenger, and respond to $A_{I I}$ 's requests in the following ways.

(i) Setup. Let $l = 4 q_{w}$ . C randomly chooses (1)

an integer k ( $0 \leq k \leq n$ ) (it is assumed that $l (n + 1) < p$ for the given values $q_{w}, q_{p s}, n$ ),

(2)

an integer $x^{'} \in Z_{l}$ and an n-dimensional vector $X = (x_{i})$ ( $x_{i} \in Z_{l}$ ),

(3)

an integer $y^{'} \in Z_{p}$ and an n-dimensional vector $Y = (y_{i})$ ( $y_{i} \in Z_{p}$ ).

For the ease of analysis, the following functions are defined:

\begin{matrix} F (W) = (p - l k) + x^{'} + \sum_{i \in W} x_{i}, \\ J (W) = y^{'} + \sum_{i \in W} y_{i}, \\ K (W) = \{\begin{cases} 0, & if x^{'} + \sum_{i \in W} x_{i} = 0 (\mod l) \\ 1, & otherwise . \end{cases} \end{matrix}

(14)

Then, C assigns a set of public parameters as follows: (1)

C sets the public key of the original signer $({pk}_{A x}, {pk}_{A y}) = (g^{a}, g^{b})$ , where $(g^{a}, g^{b})$ are from the input of the instance of the CDH problem.

(2)

C randomly picks two values ${sk}_{B x}, {sk}_{B y} \in Z_{p}$ and sets the public key of the proxy signer $({pk}_{B x}, {pk}_{B y}) = (g^{s k_{B x}}, g^{s k_{B y}})$ .

(3)

C sets $v = g^{c}$ , where $c \in Z_{p}$ .

(4)

C assigns $u^{'} = {pk}_{A x}^{p - l k + x^{'}} g^{y^{'}}$ and $u_{i} = {pk}_{A x}^{x_{i}} g^{y_{i}}$ , and sets $\vec{u} = (u_{1}, u_{2}, \dots, u_{n})$ .

Note that under the assignment

\begin{matrix} u^{'} \prod_{i \in W} u_{i} = {pk}_{A x}^{F (W)} g^{J (W)} \end{matrix}

(15)

C returns

(G, G_{T}, e, p, g, u^{'}, v, u, H)

and

({pk}_{A x}, {pk}_{A y}, {pk}_{B x}, {pk}_{B y}, {sk}_{B x}, {sk}_{B y})

to the adversary.

(ii) C runs $A_{I I}$ and responds to queries of $A_{I I}$ .

(1) SEM-Delegation Query. C first selects two random integers $x_{1}, r_{1} \in Z_{p}$ and computes

\begin{matrix} σ_{S} = ({pk}_{A y}^{x_{1}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{1}}, g^{r_{1}}) . \end{matrix}

(16)

(2) User-Delegation Query. If $K (W) = 0$ , C terminates the simulation and reports failure and if $K (W) \neq 0$ , which implies $F (W) \neq 0 \mod p$ , C does not know the private key of A, but he/she can construct a delegation key related to A. Choose a random $r_{2} \in Z_{p}$ and compute a delegation key:

\begin{matrix} σ_{B} = ({pk}_{A y}^{- J (W) / F (W)} {(u^{'} \prod_{i \in W} u_{i})}^{r_{2}} {pk}_{A y}^{- x_{1}}, {pk}_{A y}^{- 1 / F (W)} g^{r_{2}}) . \end{matrix}

(17)

Let $x_{2} = a - x_{1}$ and ${\tilde{r}}_{2} = r_{2} - (b / F (W))$ (C does not know these values). Then, the correction of delegation key $σ_{B}$ can be proven as follows:

\begin{matrix} σ_{B 1} = {pk}_{A y}^{- J (W) / F (W)} {(u^{'} \prod_{i \in W} u_{i})}^{r_{2}} {pk}_{A y}^{- x_{1}} = {pk}_{A y}^{- J (W) / F (W)} {({pk}_{A x}^{F (W)} g^{J (W)})}^{r_{2}} {pk}_{A y}^{- x_{1}} = {({pk}_{A x}^{F (W)} g^{J (W)})}^{r_{2} - (b / F (W))} {pk}_{A x}^{b} {pk}_{A y}^{- x_{1}} = {pk}_{A y}^{a - x_{1}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{2} - (b / F (W))} = {pk}_{A y}^{x_{2}} {(u^{'} \prod_{i \in W} u_{i})}^{{\tilde{r}}_{2}} . \end{matrix}

(18)

Additionally, $σ_{B 2} = {pk}_{A y}^{- 1 / F (W)} g^{r_{2}} = g^{r_{2} - (b / F (W))} = g^{{\tilde{r}}_{2}}$ .

C computes $R_{A} = g^{r_{1}} g^{{\tilde{r}}_{2}}$ and gives $A_{I I}$ the SEM-Delegation key $σ_{S}$ and User-Delegation key $σ_{B}$ .

If $F (W) \neq 0 \mod p$ , C first produces delegation keys $σ_{S}$ and $σ_{B}$ by the Delegation-Gen query described above, and then he/she runs the SEM-Sign algorithm and User-Sign algorithm to answer $A_{I I}$ 's query since he/she knows the private key of B. Otherwise, C will construct a proxy signature in the same way as the construction of the delegation keys in the Delegation-Gen query. Then, C constructs the S's partial proxy signature and the user's complete proxy signature of ω on M in the following ways.

(3) SEM-Sign Query. C first chooses four random integers $x_{1}, r_{1}, r_{s}, k_{1} \in Z_{p}$ and computes

\begin{matrix} h_{1} = H (M ∥ ω, {pk}_{A x}^{- 1 / F (W)} \cdot g^{r_{1} + r_{s}}, g^{k_{1}}), \\ σ_{ps} = ({pk}_{A y}^{x_{1}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{1} + r_{s}} {(M v)}^{h_{1} k_{1}}, g^{r_{s} + r_{1}}, g^{h_{1} k_{1}}) . \end{matrix}

(19)

(4) User-Sign Query. C chooses three integers $r_{2}, r_{B}, k_{2} \in Z_{p}$ and computes

\begin{matrix} h_{2} = H (M ∥ ω, {pk}_{A x}^{- 1 / F (W)} \cdot g^{r_{2} + r_{B}}, g^{k_{2}}), \\ σ = ({pk}_{A y}^{- J (W) / F (W)} g^{{sk}_{B x} {sk}_{B y}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{1} + r_{2} + r_{s} + r_{B}} {(M v)}^{h_{1} k_{1} + h_{2} k_{2}}, {pk}_{A y}^{- 1 / F (W)} g^{r_{1} + r_{2} + r_{s} + r_{B}}, g^{h_{1} k_{1} + h_{2} k_{2}}) . \end{matrix}

(20)

We will prove the correctness of the proxy signature as follows:

\begin{matrix} σ_{1} = {pk}_{A y}^{- J (W) / F (W)} g^{{sk}_{B x} {sk}_{B y}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{1} + r_{2} + r_{s} + r_{B}} {(M v)}^{h_{1} k_{1} + h_{2} k_{2}} = {pk}_{A x}^{b} g^{{sk}_{B x} {sk}_{B y}} {(u^{'} \prod_{i \in W} u_{i})}^{r_{1} + r_{2} + r_{s} + r_{B} - (b / F (W))} {(M v)}^{h_{1} k_{1} + h_{2} k_{2}}, \\ σ_{2} = {pk}_{A y}^{- 1 / F (W)} g^{r_{1} + r_{2} + r_{s} + r_{B}} = g^{r_{1} + r_{2} + r_{s} + r_{B} - (b / F (W))} . \end{matrix}

(21)

(iii) If C does not abort during the simulation, the adversary will return a proxy signature $σ^{*} = (σ_{1}^{*}, σ_{2}^{*}, σ_{3}^{*})$ on the message $M^{*}$ under the warrant $ω^{*}$ with the probability of at least ε for B. If $F (W^{*}) = 0 \mod p$ , $u^{'} \prod_{i \in W^{*}} u_{i} = g^{J (W^{*})}$ . Since $σ^{*}$ is a valid proxy signature of the message $M^{*}$ under the warrant $ω^{*}$ , we have

\begin{matrix} e (σ_{1}^{*}, g) = e ({pk}_{A x}, {pk}_{A y}) e ({pk}_{B x}, {pk}_{B y}) e (u^{'} \prod_{i \in W^{*}} u_{i}, σ_{2}^{*}) e (M v, σ_{3}^{*}) = e (g^{a}, g^{b}) e (g^{{sk}_{B x}}, g^{{sk}_{B y}}) e (g^{J (W^{*})}, σ_{2}^{*}) e (M v, σ_{3}^{*}) . \end{matrix}

(22)

Then, we can compute out

\begin{matrix} g^{a b} = \frac{σ_{1}^{*}}{{(σ_{2}^{*})}^{J (W^{*})} {(M v)}^{h_{1} k_{1} + h_{2} k_{2}} g^{{sk}_{B x} {sk}_{B y}}} . \end{matrix}

(23)

This completes the description of the simulation. Now we have to assess C's probability of success. C will not abort if the following conditions hold. (1)

$K (W^{*}) \neq 0 \mod l$ during the Delegation-Gen queries.

(2)

$F (W^{*}) = 0 \mod p$ in the forgery phase.

The success probability is $S u c c_{C}^{C D H} = pr [A \land B]$ . Now we use Waters' technique [14] to compute a lower bound of C's success probability:

\begin{matrix} pr [A \land B] = pr [⋂_{1}^{q_{w}} K (W_{i}) \neq 0 \land F (W^{*}) = 0 \mod p] = pr [⋂_{i = 1}^{q_{w}} K (W_{i}) \neq 0] pr [F (W^{*}) = 0 \mod p ∣ ⋂_{i = 1}^{q_{w}} K (W_{i}) \neq 0] \geq (1 - \frac{q_{w}}{l}) pr [x^{'} + \sum_{i \in W} x_{i} = l k ∣ ⋂_{i = 1}^{q_{w}} K (W_{i}) \neq 0] = (\frac{1}{n + 1}) (1 - \frac{q_{w}}{l}) pr [K (W^{*}) = 0 ∣ ⋂_{i = 1}^{q_{w}} K (W_{i}) \neq 0] \geq (\frac{1}{n + 1}) {(1 - \frac{q_{w}}{l})}^{2} \frac{1}{l} \geq (\frac{1}{n + 1}) (1 - \frac{2 q_{w}}{l}) \frac{1}{l} . \end{matrix}

(24)

Therefore, $S u c c_{C}^{C D H} \geq (1 / (n + 1) l) (1 - (2 q_{w} / l)) ε$ . We can optimize it by setting $l = 4 q_{w}$ ; then

\begin{matrix} {Succ}_{C}^{CDH} \geq \frac{ε}{8 (n + 1) q_{w}} . \end{matrix}

(25)

Algorithm C's running time equals $A_{I I}$ 's running time which adds the time it takes to simulate the security proof. $2 n + 5$ exponentiation operations and $n + 1$ multiplication operations in G are needed in the Setup phase. Ten exponentiation operations and $5 + n$ multiplication operations are required in every Delegation-Gen query. ProxySign-Gen query needs 12 exponentiation operations and $6 + n$ multiplication operations. In the forgery phase, 3 exponentiation operations and 3 multiplication operations are needed. If we assume each exponentiation operation takes time $T_{e}$ , and multiplication operation takes time $T_{m}$ , so the total running time of algorithm C is at most $t + ((n + 5) q_{w} + (n + 6) q_{p s} + n + 4) T_{m} + (10 q_{w} + 12 q_{p s} + 2 n + 8) T_{e}$ .

Theorem 8.

The strongly unforgeable proxy signature with fast revocation is $(ε^{'}, t^{'}, 0, q_{ps})$ secure against a type adversary $A_{III}$ assuming that the $(ε^{'}, t^{'}) CDH$ assumption holds in G, where

\begin{matrix} {Succ}_{C}^{CDH} \geq \frac{ε^{'}}{n l} \end{matrix}

(26)

within running time

t^{'} \leq t + ((n + 6) q_{ps} + n + 4) T_{m} + (12 q_{ps} + 2 n + 8) T_{e}

Proof.

This proof is similar to that of Theorem 7 and thus we omit the detailed proof to save space. Here, we only illustrate the differences between them. First, we recall the capacity of adversary $A_{I I I}$ . This type has the public keys of A and B, and the secret key of the original signer. Therefore, $A_{III}$ does not need Delegation-Gen queries and can generate delegations on arbitrary warrants. Secondly, in the Setup phase, the simulator should set the public key of the proxy signer as $({pk}_{B x}, {pk}_{B y}) = (g^{a}, g^{b})$ , where $g^{a}$ and $g^{b}$ are the inputs of the given CDH problem instance. Other parts of this proof are similar to those of Theorem 7.

From Theorems 7 and 8, it can be seen that the proposed scheme can prevent Type II or Type III attacks; that is to say, our scheme has the strong unforgeability in the standard model. In fact, the reason why the existing proxy signature schemes with revocation cannot achieve the strong unforgeability results from their design method. From the aspect of the algorithm construction mechanism, the existing schemes can be regarded as 2-level hierarchical Waters' signature. However, Waters et al.'s scheme is malleable [5, 14], in which an adversary can generate a different valid signature on the same message even without the private key. In more details, in Waters' signature, we suppose that the signature of a message is denoted by $σ = (σ_{1}, σ_{2})$ . Anyone can create a valid signature in the following way: First, pick up an integer r and make the following equations hold: ${\bar{σ}}_{1} = σ_{1} (u^{'} \prod_{i \in M} u_{i})^{r}$ and ${\bar{σ}}_{2} = σ_{2} g^{r}$ . Then, $\bar{σ} = ({\bar{σ}}_{1}, {\bar{σ}}_{2})$ can be proven to be a valid signature. This weakness makes the existing proxy signature schemes with revocation not strongly unforgeable. However, in our scheme, we adopt different algorithm construction method, and our scheme is not 2-level hierarchical Waters' signature. Therefore, our scheme avoids the above attack and achieves the strong unforgeability.

5.3. Comparison with Existing Schemes

In this section, we will compare our scheme with other existing proxy signature schemes [3–12] in terms of the number of the public parameters, the size of the signature, the computational efficiency of the delegation stage, the proxy sign stage, and proxy sign verification stage. In order to facilitate the description, we define the symbols shown in Table 2.

Table 2

Symbol meaning.

Symbols	Meaning
n	The numbers of the warrant/message
t	The threshold in the threshold proxy signature
m	The number of the original or proxy signers in the multiproxy signature or proxy multisignature scheme
$T_{m}$	Time for multiplication operations in G
$T_{e}$	Time for exponentiation operations in G
E	Time for multiplication operations in $G_{T}$
P	Time for pairing operations

First, we will discuss the proxy signature process. In the proposed scheme, we consider the computational complexity. In order to delegate the proxy signer, the scheme needs 7 exponentiation operations in G, and $n + 2$ multiplication operations in G. In the phase of ProxySign-Gen, our scheme needs 9 exponentiation operations in G, and $2 n + 8$ multiplication operations in G. In order to verify the signature, 5 pairing operations, 3 multiplication operations in $G_{T}$ , and $n + 1$ multiplication operations in G are needed. For public parameters, only $n + 2$ group elements are needed in our scheme. From this point, our scheme is more suitable for low storage requirement of applications such as in an Ad hoc network [30]. The specific comparison results are shown in Table 3, from which we can find that our scheme is much better than most of the existing schemes. Although strong unforgeability and fast revocation are achieved simultaneously, our scheme has almost no increase in computational efficiency as to other proxy signatures with revocation schemes.

Table 3

Proxy signature scheme efficiency comparison.

Schemes	Size	Parameter	Delegation	ProxySign	Verify
Scheme [3]	$3 \|G\|$	2n + 2	3T_e + (n + 1)T_m	5T_e + (2n + 4)T_m + P	4P + 3E + 2nT_m
Scheme [4]	$3 \|G\|$	2n + 2	3T_e + (n + 1)T_m	5T_e + (2n + 4)T_m	5P + 3E + 2nT_m
Scheme [5]	$3 \|G\|$	n + 4	3T_e + (n + 1)T_m	4T_e + 3T_m	5P + 3E + (n + 1)T_m + T_e
Scheme [6]	$3 \|G\|$	2n + 2	(3m + 3)T_e + (n + 3m + 1)T_m	2T_e + (n + 1)T_m	(m + 4)P + (m + 2)E + 2nT_m
Scheme [7]	$3 \|G\|$	n + 4	3mT_e + (n + m)T_m	4T_e + (2m + 1)T_m	(m + 4)P + (m + 2)E + (n + 1)T_m + T_e
Scheme [8]	$3 \|G\|$	2n + 2	nP + (2n + 1)T_e + 2nT_m	4nT_e + 6nT_m + tP + (t − 1)E	4P + 3E + 2nT_m
Scheme [9]	$3 \|G\|$	2n + 2	3T_e + (n + 1)T_m	5T_e + (2n + 4)T_m + P	5P + 3E + 2nT_m
Scheme [10]	$3 \|G\|$	2n + 2	7T_e + (n + 2)T_m	9T_e + (2n + 8)T_m	5P + 3E + (2n + 1)T_m
Scheme [11]	$3 \|G\|$	2n + 2	7T_e + (n + 2)T_m	9T_e + (2n + 8)T_m + P	4P + 3E + 2nT_m
Scheme [12]	$3 \|G\|$	2n + 2	(m + n + 1)T_e + (3m + 4)T_m	8mT_e + (2n + 10m − 1)T_m	3P + E + (2n + m)T_m
Our scheme	$3 \|G\|$	n + 2	7T_e + (n + 2)T_m	9T_e + (2n + 8)T_m	5P + 3E + (n + 1)T_m

Size: length of signature. Parameter: the number of system public parameters.Delegation: the computational efficiency in the Delegation-Gen phase. ProxySign: the computational efficiency in the ProxySign-Gen phase. Verify: the computational efficiency in the ProxySign-Verify phase.

Compared to existing schemes, our scheme has some advantages that other schemes do not have. Moreover, as we all know, if pairing operations are executed by sensor nodes, it would affect the efficiency of the sensor networks. But from Table 3, we can know that just ProxySign-Verify needs 5 pairing operations, and it should be executed by a sink node or one proxy equipment but not sensor nodes, so the pairing operations will not affect the efficiency of sensor-based network systems.

The merit/demerit comparison between the existing schemes and our scheme is summarized in Table 4.

Table 4

Comparison of merits and demerits.

Schemes	F.R	S.M	S.U
Scheme [3]	No	Yes	No
Scheme [4]	No	Yes	No
Scheme [5]	No	Yes	No
Scheme [6]	No	Yes	No
Scheme [7]	No	Yes	No
Scheme [8]	No	Yes	No
Scheme [9]	No	Yes	No
Scheme [10]	Yes	Yes	No
Scheme [11]	Yes	Yes	No
Scheme [12]	Yes	Yes	No
Our scheme	Yes	Yes	Yes

F.R: whether the proxy signature can achieve fast revocation. S.M: whether the scheme has security proof in the standard model. S.U: whether the scheme is strongly unforgeable.

From Table 4, we can see that $(1)$ all existing proxy signatures in the standard model are proved secure and $(2)$ our scheme is the only proxy signature scheme that has strong unforgeability and fast revocation in the standard model.

Overall, compared with other proxy signatures [3–12] in the standard model, our scheme has stronger security because it has strong unforgeability and has low storage requirement because it has a shorter system parameter. At the same time, the scheme can achieve fast revocation.

6. Conclusions

Until now, none of the existing proxy signature schemes with revocation possesses strong unforgeablility. This leads to the fact that the adversary can even produce a new signature for a signed message, which makes the existing schemes insecure. In order to solve this security problem, this paper improves the situation and proposes a strongly unforgeable proxy signature with revocation under the computational Diffie-Hellman assumption in the standard model. The proposed scheme satisfies all of the security requirements for proxy signature schemes. Through a security analysis, we show that the proposed scheme is secure in the standard model and it can resist those attacks mentioned above. Furthermore, compared with several proxy signature schemes in the standard model, it is easy to conclude that the proposed scheme has advantages over other schemes, namely, stronger security and shorter system parameters. As a special kind of digital signature, the proxy signature has been widely applied in electronic commerce. With improvement of the proxy signature with revocation, the proposed scheme can be widely used in more applications, such as mobile agent and electronic transactions.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China under Grant nos. 61473214, 61103178, and 61103199, Natural Science Basic Research Plan in Shaanxi Province of China under Grant nos. 2015JM6294, 2014JQ8360, and 2014JQ8324, the Fundamental Research Funds for the Central Universities under Grant no. 3102015JSJ0003, Basic Science Research Fund in Xidian University, and the 111 Project of China under Grant no. B08038.

References

Goh

E.-J.

Jarecki

Katz

Wang

Efficient signature schemes with tight reductions to the Diffie-Hellman problems

Journal of Cryptology 2007 20 4 493 514

10.1007/s00145-007-0549-3

MR2370042

2-s2.0-36749054167

Mambo

Usuda

Okamoto

Proxy signature: delegation of the power to sign messages

IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences 1996 E79-A 9 1338 1353

C. X.

Zhang

X. S.

Liao

Y. J.

Designated verifier proxy signature scheme without random oracles

Computers & Mathematics with Applications 2009 57 8 1352 1364

10.1016/j.camwa.2009.01.032

MR2512233

2-s2.0-62249130071

Huang

Susilo

Proxy signature without random oracles

Mobile Ad-Hoc and Sensor Networks 2006 4325

Berlin, Germany

Springer

473 484

10.1007/11943952_40

Sun

C. X.

Strongly unforgeable proxy signature scheme secure in the standard model

Journal of Systems and Software 2011 84 9 1471 1479

10.1016/j.jss.2011.02.041

2-s2.0-79960460234

Liu

Z. H.

Y. P.

Secure proxy multi-signature scheme in the standard model

Provable Security: Second International Conference, ProvSec 2008, Shanghai, China, October 30–November 1, 2008. Proceedings 2008 5324

Berlin, Germany

Springer

127 140 Lecture Notes in Computer Science

10.1007/978-3-540-88733-1_9

Sun

Yang

Improvement of a proxy multi-signature scheme without random oracles

Computer Communications 2011 34 3 257 263

10.1016/j.comcom.2010.02.002

2-s2.0-78751645553

Beheshti-Atashgah

Bayat

Gardshi

Aref

M. R.

Designated verifier threshold proxy signature scheme without random oracles

2012, http://eprint.iacr.org/2012/488.pdf

Ming

Wang

Y. M.

Directed proxy signature in the standard model

Journal of Shanghai Jiaotong University (Science) 2011 16 6 663 671

10.1007/s12204-011-1208-2

10.

Liu

Z.-H.

Y.-P.

Zhang

X.-S.

Secure proxy signature scheme with fast revocation in the standard model

The Journal of China Universities of Posts and Telecommunications 2009 16 4 116 124

10.1016/s1005-8885(08)60258-7

2-s2.0-69649096089

11.

Beheshti-Atashgah

Gardeshi

Bayat

A designated verifier proxy signature scheme with fast revocation without random oracles

Digital Information and Communication Technology and Its Applications: International Conference, DICTAP 2011, Dijon, France, June 21–23, 2011. Proceedings, Part I 2011 166

Berlin, Germany

Springer

535 550 Communications in Computer and Information Science

10.1007/978-3-642-21984-9_45

12.

Liu

Z. H.

Y. P.

Zhang

X. S.

Provably secure multi-proxy signature scheme with revocation in the standard model

Computer Communications 2011 34 3 494 501

10.1016/j.comcom.2010.05.015

2-s2.0-78751646839

13.

Beheshti-Atashgah

Gardeshi

Bayat

A new threshold proxy signature scheme with fast revocation

International Journal of Computer and Electrical Engineering 2012 4 5 766 770

10.7763/IJCEE.2012.V4.602

14.

Waters

Efficient identity-based encryption without random oracles

Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques

May 2005

Aarhus, Denmark

114 127

10.1007/11426639_7

15.

Mambo

Usuda

Okamoto

Proxy signatures for delegating signing operation

Proceedings of the 3rd ACM Conference on Computer and Communications Security

March 1996

48 56

2-s2.0-0029717329

16.

Kim

Park

Won

Proxy signatures, revisited

Proceedings of the 1st International Conference on Information and Communication Security (ICICS ‘97)

November 1997

Beijing, China

223 232

17.

Hwang

M.-S.

Lee

C.-C.

Tzeng

S.-F.

A new proxy signature scheme for a specified group of verifiers

Information Sciences 2013 227 102 115

10.1016/j.ins.2012.11.004

MR3015752

2-s2.0-84872317781

18.

Sahu

R. A.

Saraswat

Secure and efficient scheme for delegation of signing rights

Information and Communications Security 2015 8958

Basel, Switzerland

Springer

258 273 Lecture Notes in Computer Science

10.1007/978-3-319-21966-0_19

19.

Seo

S. H.

Shim

K. A.

Lee

S. H.

A mediated proxy signature scheme with fast revocation for electronic transactions

Proceedings of the 2nd International Conference on Trust Privacy and Security in Digital Business

August 2005

Copenhagen, Denmark

216 225

10.1007/11537878_22

20.

Sun

H. M.

Chen

B. J.

Design of time-stamped proxy signatures with traceable receivers

Proceedings of the 9th National Conference on Information Security

May 1999

Taichung, Taiwan

247 253

21.

E. J.

Hwang

M.-S.

Huang

C.-J.

A new proxy signature scheme with revocation

Applied Mathematics and Computation 2005 161 3 799 806

10.1016/j.amc.2003.12.039

MR2113520

ZBL1060.94037

2-s2.0-10644282065

22.

Boldyreva

Palacio

Warinschi

Secure proxy signature scheme for delegation of signing rights

2005, http://eprint.iacr.org/2003/096.pdf

23.

Kim

K. S.

Hong

Jeong

I. R.

Identity-based proxy signature from lattices

Journal of Communications and Networks 2013 15 1 1 7

10.1109/JCN.2013.000003

2-s2.0-84875443029

24.

Swapna

Reddy

P. V.

Gowri

Efficient identity based multi-proxy multi-signcryption scheme using bilinear pairings over elliptic curves

Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI ‘13)

August 2013

Mysore, India

IEEE

418 423

10.1109/ICACCI.2013.6637208

25.

X. M.

Yang

Y. C.

Liu

Wang

Xiong

X. H.

A highly efficient and identity-based proxy signature scheme without random oracle

Proceedings of the 2nd International Conference on Information Technology and Electronic Commerce

December 2014

Dalian, China

204 207

26.

Cao

H.-J.

Zhu

Y.-Y.

P.-F.

A quantum proxy weak blind signature scheme

International Journal of Theoretical Physics 2014 53 2 419 425

10.1007/s10773-013-1826-6

2-s2.0-84892480886

27.

Zhang

K. J.

Jia

H. Y.

Cryptanalysis of a quantum proxy weak blind signature scheme

International Journal of Theoretical Physics 2015 54 2 582 588

10.1007/s10773-014-2250-2

MR3304824

28.

Huang

Wong

D. S.

Zhao

Y.-M.

Generic transformation from weakly to strongly unforgeable signatures

Journal of Computer Science and Technology 2008 23 2 240 252

10.1007/s11390-008-9126-y

MR2404140

2-s2.0-42149190642

29.

Boneh

Shen

Waters

Strongly unforgeable signatures based on computational Diffie-Hellman

Public Key Cryptography—PKC 2006: 9th International Conference on Theory and Practice in Public-Key Cryptography, New York, NY, USA, April 24–26, 2006. Proceedings 2006 3958

Berlin, Germany

Springer

229 240 Lecture Notes in Computer Science

10.1007/11745853_15

30.

Pang

L. J.

H. X.

Pei

Q. Q.

Improved multicast key management of Chinese wireless local area network security standard

IET Communications 2012 6 9 1126 1130

10.1049/iet-com.2010.0954

2-s2.0-84863562712

Strongly Unforgeable and Efficient Proxy Signature Scheme with Fast Revocation Secure in the Standard Model

Abstract

1. Introduction

2. Related Works

3. Preliminaries

3.1. Hard Problems

Definition 1 (computational Diffie-Hellman (CDH) problem in G).

Definition 2 (computational Diffie-Hellman (CDH) assumption in G).

3.2. Algorithm Model

3.3. Security Models

3.3.1. Strong Existential Unforgeability against the Adaptive A II Adversary

Definition 3.

3.3.2. Strong Existential Unforgeability against Adaptive A III Adversary

Definition 4.

4. The Proposed Scheme

5. Correctness and Security

5.1. Correctness

Theorem 5.

Proof.

Theorem 6.

Proof.

5.2. Security

Theorem 7.

Proof.

Theorem 8.

Proof.

5.3. Comparison with Existing Schemes

6. Conclusions

Footnotes

Conflict of Interests

Acknowledgments

References

3.3.1. Strong Existential Unforgeability against the Adaptive $A_{II}$ Adversary

3.3.2. Strong Existential Unforgeability against Adaptive $A_{III}$ Adversary