Literature DB >> 29579125

Revocable identity-based proxy re-signature against signing key exposure.

Xiaodong Yang^1,2, Chunlin Chen¹, Tingchun Ma¹, Jinli Wang¹, Caifen Wang¹.

Abstract

Identity-based proxy re-signature (IDPRS) is a novel cryptographic primitive that allows a semi-trusted proxy to convert a signature under one identity into another signature under another identity on the same message by using a re-signature key. Due to this transformation function, IDPRS is very useful in constructing privacy-preserving schemes for various information systems. Key revocation functionality is important in practical IDPRS for managing users dynamically; however, the existing IDPRS schemes do not provide revocation mechanisms that allow the removal of misbehaving or compromised users from the system. In this paper, we first introduce a notion called revocable identity-based proxy re-signature (RIDPRS) to achieve the revocation functionality. We provide a formal definition of RIDPRS as well as its security model. Then, we present a concrete RIDPRS scheme that can resist signing key exposure and prove that the proposed scheme is existentially unforgeable against adaptive chosen identity and message attacks in the standard model. To further improve the performance of signature verification in RIDPRS, we introduce a notion called server-aided revocable identity-based proxy re-signature (SA-RIDPRS). Moreover, we extend the proposed RIDPRS scheme to the SA-RIDPRS scheme and prove that this extended scheme is secure against adaptive chosen message and collusion attacks. The analysis results show that our two schemes remain efficient in terms of computational complexity when implementing user revocation procedures. In particular, in the SA-RIDPRS scheme, the verifier needs to perform only a bilinear pairing and four exponentiation operations to verify the validity of the signature. Compared with other IDPRS schemes in the standard model, our SA-RIDPRS scheme greatly reduces the computation overhead of verification.

Entities: Chemical Disease Species

Mesh：

Year: 2018 PMID： 29579125 PMCID： PMC5868864 DOI： 10.1371/journal.pone.0194783

Source DB: PubMed Journal: PLoS One ISSN： 1932-6203 Impact factor: 3.240

Introduction

A digital signature provides security services such as data integrity, authentication and non-repudiation; therefore, it is one a key technology to ensure information security. In particular, digital signatures can be combined with passwords [1, 2], smart cards [3], biometrics [4], chaotic parallel keyed hash functions [5] and other technologies to achieve identity authentication of parties in communication. Consequently, they have practical applications in systems such as smart cities [6], body area networks [7], the Internet of Things [8] and ubiquitous networks [9]. To meet the security needs of different practical scenarios, researchers have proposed a series of digital signature variants. For instance, a blind signature can effectively protect the content of signed messages; therefore, it is applied to e-commerce, e-voting, e-currency and other systems to protect participants’ interests [10, 11]. A group signature allows any member of a group to sign messages on behalf of the entire group anonymously; therefore, group signatures have been used to protect the privacy and authenticate the identity of vehicles in vehicular ad-hoc networks [12]. A ring signature is a type of group signature with no administrator that can be used in cloud computing and block-chains to achieve unconditional anonymity to protect a user’s privacy [13, 14]. In many scenarios, we need, for example, to verify Alice’s signature, but we do not know her public key or her public key has expired. We want to transform Alice’s signature into Bob’s signature, because Bob’s public key is available. To achieve this transformation, Blaze et al. [15] introduced the concept of a proxy re-signature (PRS). In a PRS scheme, a semi-trusted proxy is allowed to transform Alice’s signature on a message into Bob’s signature on that same message. However, the proxy cannot independently generate a valid signature on any message on behalf of Alice or Bob. Instead, the proxy re-signature functions as a signature conversion method; consequently, it has been widely used in areas such as cross-domain authentication, digital rights management, privacy preservation and auditing in cloud computing environments. Ateniese and Hohenberger [16] provided a security model for PRS and presented two concrete schemes in 2005: one is multi-use and the other is single-use. Generally speaking, in a multi-use PRS scheme, a proxy can transform a signature from Alice to Bob into a signature from Bob to Carol, but a proxy cannot further convert a transformed signature in a single-use PRS scheme. In the proxy re-signature field, a multi-use PRS is more useful than is a single-use PRS. After Ateniese and Hohenberger’s seminal work [16], other PRS schemes with special properties were proposed, including the universally composable secure PRS [17], the certificateless PRS [18] and the threshold PRS [19]. In particular, Shao et al. [20] proposed an identity-based proxy re-signature (IDPRS) scheme to address the problem of certificate management in traditional PRS schemes. In IDPRS, the user’s email address or other unique identifying information is used as the public key, and the user’s private key is generated by a trusted private key generator (PKG). IDPRS allows a semi-trusted proxy to convert a signature under one identity to another signature under another identity on the same message, but the proxy is unable to produce any signature on behalf of any of these two identities. As a result, IDPRS eliminates the requirement for certificates and simplifies key management, but challenges still remain to be addressed in practical applications. Shao et al. [20] proposed the first IDPRS scheme in the standard model. Later, Feng et al. [21] proposed a secure IDPRS scheme, but it was not multi-use. Hu et al. also [22] presented an IDPRS scheme without random oracles, but its security relies on a strong difficult problem assumption. Tian [23] proposed an IDPRS scheme from lattices in the random oracle model, but the size of the signature was relatively large and its practicality was poor. In addition, Wang et al. [24] constructed two server-aided proxy re-signature schemes that were provably secure in the random oracle model, but the second scheme cannot resist a collusion attack from the server and a malicious proxy. Moreover, Canetti et al. [25] found that the provably secure scheme in the random oracle model might be insecure in reality when the random oracle is instantiated by a specific hash function. Therefore, it is of practical significance to construct secure RIDPRS schemes in the standard model. The existing IDPRS schemes do not consider the problem of user revocation [20-23]. A revocation mechanism is essential for practical identity-based cryptosystem [26]. If a user’s key is compromised or a user’s authorization expires, that user needs to be revoked from the system. When users have been revoked, they should no longer be able to use their previous private keys to gain access to sensitive data or to generate valid digital signatures. Researchers have designed a series of revocable cryptographic schemes to achieve user revocation in identity-based settings [27-29]. The main idea behind these schemes is that the PKG periodically updates the private keys of non-revoked users. Tsai et al. [30] proposed a revocable identity-based signature scheme in the standard model, in which a user’s signing key consists of a long-term secret key and a periodically changed update key. However, Tsai et al.’s scheme [30] is insecure against a signing key exposure attack: an adversary can obtain a fixed secret key from a compromised signature key and then combine it with subsequent update keys to forge the signature of any message. Lian et al. [31] proposed a revocable attribute-based signature scheme, but Wei et al. [32] revealed that Lian et al.’s scheme is vulnerable to signing key exposure. If a signature scheme can resist the signing key exposure attack, then the users store their secret keys on physical devices with relatively high security levels, while the update keys can be stored on devices with relatively low security levels (such as mobile phones, smart cards, etc.). However, to the best of our knowledge, no identity-based proxy re-signature scheme with a user revocation mechanism is available. Therefore, how to design a revocable identity-based proxy re-signature (RIDPRS) scheme is an open and interesting question. In this paper, we formally define the syntax of RIDPRS and present a security model for RIDPRS against signing key exposure. Based on Shao et al.’s IDPRS scheme [20], we design a bidirectional and multi-use RIDPRS scheme. In the proposed scheme, the PKG’s master secret key is divided into two parts: one part is used to construct the user’s fixed secret key, and the other part is used to generate periodically changed update keys for the user. Only a non-revoked user can re-randomize their secret key and update key to generate a corresponding signing key. Consequently, our scheme can not only effectively revoke a user from the system, but also resist signing key exposure attacks. Furthermore, we introduce a new cryptographic primitive called server-aided revocable identity-based proxy re-signature (SA-RIDPRS), which is particularly suitable for verifiers with limited computing power. SA-RIDPRS allows the verifier to delegate most of the computational work involved in signature verification to a server with powerful computing capabilities; the verifier needs to perform only a small number of computational operations to verify the legitimacy of the signature. In addition, we formalize the security model for SA-RIDPRS. Based on our RIDPRS scheme, we also construct an SA-RIDPRS scheme and prove that the proposed scheme is secure against adaptive chosen message and collusion attacks. The results of our analysis show that our two schemes are bidirectional and multi-use, and they achieve user revocation functionality while maintaining efficiency in terms of computational complexity and storage overhead. In our SA-RIDPRS scheme, the verifier verifies the validity of the signature with minimal computational cost by executing the server-aided verification algorithm in conjunction with a server, which efficiently reduces the computational cost of the verifier. The rest of this paper is organized as follows. Section 2 reviews some preliminaries used in our schemes. Section 3 presents security notions for RIDPRS and SA-RIDPRS. Section 4 constructs an IDPRS scheme and an SA-RIDPRS scheme and gives their security proof and performance analysis. Finally, Section 5 concludes the paper.

Preliminaries

In this section, we briefly review bilinear parings and the computational Diffie-Hellman (CDH) assumption.

Bilinear parings

Let p be a prime, G1 and G2 be two multiplicative cyclic groups of order p, and g be a generator of G1. An efficiently computable bilinear paring e: G1 × G1 → G2 is a map with the following properties [16]: Bilinear: e(g, g) = e(g, g) = e(g, g) for any a, b ∈ Z. Non-degenerate: e(g, g) ≠ 1.

Complexity assumption

The security of our scheme depends on the hardness of the CDH problem. Let G1 be a cyclic group of prime order p, and g be a generator of G1. Given , where a, b ∈ Z, the CDH problem is to compute g ∈ G1. Definition 1. We say that the CDH assumption holds if no probabilistic polynomial-time (PPT) algorithm can solve the CDH problem in G1 with a non-negligible probability [20].

Formal definition and security model

Security notions of RIDPRS

An RIDPRS scheme consists of the following eight algorithms (Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign, Verify): Setup(λ) → (pp, msk): Given a security parameter λ, this algorithm outputs public parameters pp and a master secret key msk of the PKG. Extract(pp, msk, ID) → sk: Given pp, msk and a user’s identity ID, this algorithm outputs a secret key sk of the identity ID. KeyUp(pp, msk, ID, t) → vk: Given pp, msk, an identity ID and a time period t, this algorithm outputs an update key vk with respect to identity ID and time period t. SKGen(pp, sk, vk) → dk: Given pp, a secret key sk and an update key vk, this algorithm outputs an error symbol ⊥ if the identity ID has been revoked during the time period t; otherwise, it outputs a signing key dk on (ID, t). ReKey(pp, dk, dk) → rk: Given pp and two signing keys (dk, dk) corresponding to identities (ID, ID) at time period t, this algorithm outputs a re-signing key rk of the proxy. Sign(pp, dk, M) → σ: Given pp, a signing key dk and a message M, this algorithm generates a signature σ on M. ReSign(pp,rk, ID, t, M, σ) → σ: Given pp, a re-signing key rk and a signature σ on a message M with respect to identity ID and time period t, this algorithm outputs ⊥ if Verify(pp, ID, t, M, σ) = 0; otherwise, it outputs a signature σ on M with respect to identity ID and time period t. Verify(pp, ID, t, M, σ) → {0, 1}: Given pp, an identity ID, a time period t, a message M and a signature σ, this algorithm outputs 1 if σ is a valid signature of M on (ID, t); otherwise, it outputs 0. Correctness. Let (pp, msk) be the output of the algorithm Setup(λ). For any message M and any identities (ID, ID), if σ = Sign(pp, t, dk, M) and σ = ReSign(pp,rk, ID, t, M, σ), then the conditions Verify(pp, ID, t, M, σ) = 1 and Verify(pp, ID, t, M, σ) = 1 must both hold. The security of an RIDPRS scheme should be existentially unforgeable under adaptive chosen identity and message attacks. Based on the security model of IDPRS in [20] and the security definition of revocable identity-based signature schemes in [30-32], the existential unforgeability of a bidirectional RIDPRS scheme that captures signing key exposure is formally defined by using the following security game between a challenger and an adversary : Setup: executes the algorithm Setup(λ) to generate public parameters pp and the PKG’s master secret key msk. Then, sends pp to . Queries: The adversary adaptively makes the following queries: Extract-query: When asks for a secret key of an identity ID, executes the algorithm Extract(pp, msk, ID) and returns the corresponding output sk to . KeyUp-query: When inquires about an update key with respect to an identity ID and a time period t, executes the algorithm KeyUp(pp, msk, ID, t) and returns an update key vk to . SKGen-query: When asks for a signing key with respect to an identity ID and a time period t, first makes an Extract-query for ID and a KeyUp-query for the tuple (ID, t) to obtain a secret key sk and an update key vk, respectively. Then, runs the algorithm SKGen(pp, sk, vk) to generate a signing key dk, and sends it to . ReKey-query: When requests a re-signing key of two identities (ID, ID) at time period t, first makes the SKGen-query on tuples (ID, t) and (ID, t) to obtain the corresponding signing keys dk and dk, respectively. Afterwards, runs the algorithm ReKey(pp, dk, dk) to output a re-signing key rk, and then sends it to . Sign-query: When requests a signature on a message M with respect to an identity ID and a time period t, first makes a SKGen-query on tuple (ID, t) to obtain a signing key dk. Then, runs the algorithm Sign(pp, dk, M) and returns a signature σ on M to . Forgery: The adversary finally outputs a forged signature σ* on a message M* with respect to an identity ID* and a time period t*. We say that wins in the above game if the following conditions hold. Verify(pp, ID*, t*, M*, σ*) = 1. (ID*, t*) has never been queried of the SKGen-query. ID* has never been submitted to the Extract-query, and (ID*, t*) has never been submitted to the KeyUp-query. ID* has never been submitted to the ReKey-query. (ID*, t*, M*) has never been queried of the Sign-query. Definition 2. A bidirectional RIDPRS scheme is said to be existentially unforgeable against adaptive chosen identity and message attacks if for any polynomial-time adversary the probability of winning in the above game is negligible.

Security notions of SA-RIDPRS

An SA-RIDPRS scheme consists of an RIDPRS scheme and a server-aided verification protocol. Due to the weaker computing power, the verifier is unable to perform complicated cryptographic operations. Therefore, the verifier needs to execute an interactive verification protocol to verify the validity of the signature with the help of a server. Specifically, a bidirectional SA-RIDPRS scheme is a tuple of the following ten algorithms (Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign, Verify, SA-Setup, SA-Verify): The Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign and Verify algorithms are the same as those in the RIDPRS scheme described in Section 3.1. SA-Setup(pp) → V String: On input public parameters pp, this algorithm generates a secret string V String that contains the pre-computed information of the verifier. SA-Verify(pp, V String, ID, t, M, σ) → {0, 1}: On input pp, V String and a signature σ on a message M with respect to an identity ID and a time period t, this algorithm outputs 1 if the server convinces the verifier that σ is valid; otherwise, it outputs 0. The security of an SA-RIDPRS scheme includes both the existential unforgeability of RIDPRS and the soundness of the algorithm SA-Verify. Existential unforgeability ensures that an attacker cannot generate a valid signature on a new message, whereas soundness ensures that the server cannot convince a verifier that an invalid signature is valid. The unforgeability of a bidirectional SA-RIDPRS scheme is the same as that of the RIDPRS scheme defined in Section 3.1. Based on the soundness of server-aided verification PRS [24], the soundness of the algorithm SA-Verify under adaptive chosen message and collusion attacks is defined by the following security game between a challenger and an adversary . In this game, the challenger acts as a verifier while the adversary acts as the server. is allowed to collude with the signer or the proxy; therefore, can generate or transform the signature of any message. The goal of is to convince that an invalid signature is valid. and interact as follows: Setup: executes the Setup and SA-Setup algorithms to generate the public parameters pp and the string V String, respectively. Then, sends pp to . Queries: can adaptively make a number of server-aided verification queries to . For each query on (ID, t, M, σ), runs the algorithm SA-Verify with and then returns the corresponding output to as a response. Forgery: The adversary eventually outputs an identity ID*, a time period t*, a message M* and a string σ*. Let Ω be the set of all valid signatures on M*, where σ* ∉ Ω. If Verify(pp, ID*, t*, M*, σ*) = 0 and SA-Verify(pp, V String, ID*, t*, M*, σ*) = 1, which means that has convinced that σ* is a valid signature on M* with respect to the tuple (ID*, t*), then the adversary wins the game. Definition 3. The algorithm SA-Verify is soundness if the probability that any polynomial-time adversary wins in the above game is negligible. Definition 4. If an RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks, and the algorithm SA-Verify is soundness, then the resulting SA-RIDPRS scheme is said to be secure against adaptive chosen message and collusion attacks.

Our constructions

In this section, we first construct a bidirectional RIDPRS scheme based on the IDPRS scheme of Shao et al. [20]. Then, we extend it to the SA-RIDPRS scheme. Moreover, we provide security proofs and performance analyses for the proposed schemes.

Bidirectional and revocable ID-based proxy re-signature scheme

Description

In our RIDPRS scheme, we assume that the length of the identity and the length of the message are n-bit and n-bit strings, respectively. We can achieve these by two collision-resistant hash functions and . The details of our RIDPRS scheme are described as follows: Setup: Given a security parameter λ, the PKG does the following: Choose two multiplicative cyclic groups G1 and G2 of prime order p, a generator g of G1 and a bilinear pairing e: G1 × G1 → G2. Select a collision-resistant hash function , where n is the fixed length of the output of H. Pick four random elements g2, u0, v0, w0 ∈ G1 and three random vectors , and from G1, where 1 ≤ i ≤ n, 1 ≤ j ≤ n and 1 ≤ k ≤ n. Choose two random integers and compute . Store the master secret key secretly and publish the public parameters . To simplify the expression, for any identity ID = (, any string T = (T1, …, and any message M = (M1, …, M) , we define the following three functions , and , respectively. Extract: Given a user’s identity ID, the PKG first chooses a random integer r ∈ Z and computes a secret key , . Then, the PKG sends sk to the user via a secure channel. KeyUp: Given an identity ID and a time period t, the PKG randomly chooses s ∈ Z, and computes T = H(ID, t) and vk = (vk, vk) = . Then, the PKG sends an update key vk to the user via a public channel. SKGen: On input (ID, t), if identity ID has been revoked within time period t, the user is unable to generate a valid signing key because he cannot obtain valid update keys. Otherwise, the user with identity ID uses his secret key sk = (sk, sk) and update key vk = (vk, vk) to generate a signing key using the following steps: Choose two random integers . Compute T = H(ID, t), , , Output a signing key dk = (dk, dk, dk). ReKey: On input two signing keys dk = (dk, dk, dk) and dk = (dk, dk, dk) corresponding to two identities ID and ID, the proxy outputs a re-signing key Sign: Given a message M, a signer randomly chooses r ∈ Z and uses the signing key dk = (dk, dk, dk) to compute , σ = dk, σ = dk and . Then, the signer outputs a signature σ = (σ, σ, σ, σ) on M. ReSign: Given a re-signing key rk = (rk, rk, rk) and a signature σ = (σ, σ, σ, σ) on a message M with respect to an identity ID and a time period t, the proxy outputs ⊥ if Verify(pp,ID, t, M, σ) = 0; otherwise, the proxy randomly chooses , and computes , σ = σ ⋅ rk, σ = σ ⋅ rk and . Then, the proxy outputs a signature σ = (σ, σ, σ, σ) for M with respect to the identity ID and the time period t. Verify: Given an identity ID, a time period t and a signature σ = (σ, σ, σ, σ) on a message M, the verifier first computes T = H(ID, t). Then, the verifier checks whether the following equation holds: If the above equation holds, the verifier accepts that σ is valid and outputs 1; otherwise, the verifier outputs 0.

Correctness

For any signature σ = (σ, σ, σ, σ) of message M on (ID, t), any re-signing key rk = (rk, rk, rk) = (dk/dk, dk/dk, dk/dk) and ID’s signing key dk = (dk, dk, dk), where , and . Then, we have a re-signature σ = (σ, σ, σ, σ) of M with respect to identity ID and time period t, where The following equation shows that our RIDPRS scheme satisfies correctness: From the above equation, we can see that σ satisfies the condition Verify(pp, ID, t, M, σ) = 1, so our RIDPRS scheme is correct. The distribution of the re-signature σ generated by the algorithm ReSign is the same as that of the signature generated by ID himself using the algorithm Sign, which demonstrates that our RIDPRS scheme is multi-use. By using the re-signing key rk between ID and ID, it is easy to compute the re-signing key rk = 1/rk between ID and ID, which implies that our RIDPRS scheme is bidirectional.

Security analysis

In our RIDPRS scheme, the algorithm SKGen re-randomizes a secret key sk and an update key vk to generate a corresponding signing key for an identity ID and time period t. Even if an adversary obtains the signing key dk, it is difficult to extract ID’s secret key sk from dk. Moreover, the exposure of dk at time period t does not reveal any information concerning other signing keys for identity ID at other time periods. Therefore, our RIDPRS scheme can resist signing key exposure attacks. To simplify the security analysis of our RIDPRS scheme, we classify adversaries into two types: external and internal. The main difference between these two types of attackers is that an external adversary is not allowed to make queries about the secret key of the challenged identity ID* whereas an internal adversary is not allowed to make queries about the update key of the challenged identity ID* or the challenged time period t*. The following two lemmas prove that our RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks. Lemma 1. If a polynomial-time external adversary breaks our RIDPRS scheme with non-negligible probability, then there exists an algorithm that can solve the CDH problem with non-negligible probability. Proof. Assume that an adversary breaks the existential unforgeability of our RIDPRS scheme with the probability ε after making at most q secret key queries, q update key queries, q signing key queries, q re-signing key queries and q signing queries. We will construct an algorithm to solve the CDH problem in G1 with the probability at least ε1 by using ’s forgery. Given a random instance of the CDH problem, the goal of is to compute g. The algorithm interacts with as follows. Setup: randomly chooses two integers k(0 ≤ k ≤ n) and k(0 ≤ k ≤ n), and sets g2 = g, l = 2(q + q + q + q) and l = 2q such that l(n + 1)

Randomly choose x0, x1, …, x ∈ Z and y0, y1, …, y ∈ Z, then compute and a vector , where for 1 ≤ i ≤ n. Randomly choose z0, z1, …, z ∈ Z and then compute and a vector , where for 1 ≤ j ≤ n. Randomly choose c0, c1, …, c ∈ Z and d0, d1, …, y ∈ Z and then compute and a vector , where for 1 ≤ k ≤ n. Select a collision-resistant hash function . Choose a random integer and compute . This calculation implies that the master secret key is but a is unknown to . Send the public parameters (G1, G2, e, p, g, g1, g2, H, u0, v0, to . For any identity , any string and any message , we define the following five functions: , , , , . Thus, we have Queries: The adversary can issue the following types of queries adaptively: Extract-query: When asks for a secret key query on an identity ID, first computes F(ID). We note that implies (and thus implies ). If , aborts; otherwise, randomly chooses r ∈ Z computes and then sends the secret key sk to . KeyUp-query: When issues an update key query on an identity ID and a time period t, randomly chooses s ∈ Z and computes T = H(ID, t). Then, uses the secret value β to compute and returns an update key vk to . SKGen-query: For a signing key query on (ID, t), if identity ID has been revoked at time period t, outputs ⊥. Otherwise, randomly chooses , and performs an Extract-query on ID and a KeyUp-query on (ID, t) to obtain a secret key sk = (sk, sk) and an update key vk = (vk, vk), respectively. Then, computes T = H(ID, t), and returns a signing key dk = (dk, dk, dk) to . ReKey-query: When issues a re-signing key query on two identities (ID, ID) and a time period t, first makes SKGen-query on (ID, t) and (ID, t) to obtain the corresponding signing keys dk and dk, respectively. Then, executes the algorithm ReKey(pp, dk, dk) to produce a re-signing key rk and sends it to . Sign-query: When issues a signature query on a message M with respect to an identity ID and a time period t, considers the following two cases: – Case 1: If , makes a SKGen-query on (ID, t) to obtain a signing key dk. Then, executes the algorithm Sign(pp, dk, M) to produce a signature σ on M and returns it to . – Case 2: If , further considers the following two subcases: * Case 2.1: If , aborts. * Case 2.2: If , randomly chooses , and computes T = H(ID, t), , , and Then, returns a signature σ = (σ1, σ2, σ3, σ4) on M to . Forgery: The adversary finally outputs a signature on a message M* with respect to an identity ID* and a time period t*. If or , aborts. Otherwise, to solve the instance of the CDH problem, computes T = H(ID*, t*) and outputs g as follows: Now, we analyse the probability that does not abort in the above simulation. If completes the simulation without aborting, then the following events must have occurred: In the Extract-query, SKGen-query and ReKey-query phases, the condition must be satisfied for any queried identity ID. In the Sign-query phase, or must be satisfied for any queried identity ID and message M. In the forgery phase, and must be satisfied for the challenged identity ID* and message M*. Similar to the probability analysis described in [20, 33], we define the following events: for i = 1, …, q + q + q + q. . for i = 1, …, q. . Hence, the probability that will not abort in the above simulation is Because l(n + 1) < p, we can find that and Since l(n + 1) < p, we have that As l = 2(q + q + q + q) and l = 2q, we can obtain the resulting probability Therefore, can successfully solve the CDH problem in G1 with a probability of . Lemma 2. If a polynomial-time internal adversary breaks our RIDPRS scheme with a non-negligible probability, then there exists an algorithm that can solve the CDH problem with non-negligible probability. Proof. Assume that an adversary breaks the existential unforgeability of our RIDPRS scheme with the probability ε after making at most q secret key queries, q update key queries, q signing key queries, q re-signing key queries and q signing queries. We can construct an algorithm that solves the CDH problem in G1 with a probability ε2 using the adversary’s forgery . is given a random instance of the CDH problem. To calculate g, interacts with as follows. Setup: randomly chooses two integers k(0 ≤ k ≤ n) and k(0 ≤ k ≤ n), and sets g2 = g, l = 2(q + q + q + q) and l = 2q such that l(n + 1) < p and l(n + 1) < p. Then, generate public parameters pp according to the following steps: Randomly choose x0, x1, …, x ∈ Z and y0, y1, …, y ∈ Z; then, compute and a vector , where for 1 ≤ j ≤ n. Randomly choose z0, z1, …, z ∈ Z; then, compute and a vector , where for 1 ≤ i ≤ n. Set parameter w0 and vector in the same way as is done in Lemma 1. Select a collision-resistant hash function . Choose a random integer and compute , which implies that the master secret key is , but a is unknown to . Send the public parameters (G1, G2, e, p, g, g1, g2, H, u0, v0, to . For an identity , a string and a message , we define five functions: , , , , . Thus, we also have Queries: answers ’s queries as follows. Extract-query: Upon receiving a secret key query for identity ID, randomly chooses r ∈ Z and computes Then, sends a secret key sk to . KeyUp-query: Upon receiving an update key query on an identity ID and a time period t, first computes T = H(ID, t). If , aborts. Otherwise, randomly chooses s ∈ Z and outputs an update key vk = (vk, vk) in response, where SKGen-query: answers a signing key query in the same way as it does the SKGen-query in Lemma 1. ReKey-query: answers a re-signing key query in the same way as it does the ReKey-query in Lemma 1. Sign-query: Upon receiving a signature query on a message M with respect to an identity ID and a time period t, computes T = H(ID, t) and considers the following two cases: – Case 1: If , generates a signature on M in the same manner as in Case 1 in Lemma 1. – Case 2: If , further considers the following two subcases: * Case 2.1: If , aborts. * Case 2.2: If , creates a signature on M in the same manner as in Case 2.2 in Lemma 1, except that Forgery: The adversary finally outputs a signature on a message M* with respect to an identity ID* and a time period t*. first computes T = H(ID*, t*). If or , aborts. Otherwise, computes g as follows: Similar to the probabilistic analysis for Lemma 1, the probability that algorithm successfully solves the CDH problem in G1 is at least . Combining Lemma 1 and Lemma 2, we obtain the following theorem. Theorem 1. Our RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks in the standard model under the CDH assumption.

Server-aided revocable identity-based proxy re-signature scheme

Based on our RIDPRS scheme, we construct a bidirectional SA-RIDPRS scheme in which the verifier can verify the legality of a signature at relatively low computational cost with the help of a server. Our SA-RIDPRS scheme is described as follows: The Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign and Verify algorithms are the same as those in our RIDPRS scheme described in Section 4.1.1. SA-Setup: Given the public parameters pp, the verifier chooses a random integer , computes K0 = e(g2, g1) and sets a string . SA-Verify: Given a signature σ = (σ1, σ2, σ3, σ4) on a message M with respect to an identity ID and a time period t, the verifier interacts with a server through the following protocol: The verifier computes and sends the tuple to the server. The server computes T = H(ID, t), , and . Then, the server sends (K2, K3, K4) to the verifier. The verifier first computes and checks whether the equation K1 = K0 ⋅ K2 ⋅ K3 ⋅ K4 holds. If the equation holds, the verifier accepts that σ is valid and outputs 1; otherwise, the verifier outputs 0. For any signature σ = (σ1, σ2, σ3, σ4) , and a string , we have Thus, the above equation shows that our SA-RIDPRS scheme satisfies the correctness. In Section 4.1.3, we demonstrated that our RIDPRS scheme is existentially unforgeable in the standard model. According to Definition 4, our SA-RIDPRS scheme is secure if we prove that the algorithm SA-Verify has the soundness property. Lemma 3. The algorithm SA-Verify in our SA-RIDPRS scheme has soundness against adaptive chosen message and collusion attacks. Proof. Assume that the adversary is acting as a server with powerful computational capabilities, and the challenger is acting as a verifier. Because is allowed to collude with the signer or the proxy, has access to the signing or re-signing key to generate a valid signature for any message. First, sends an invalid message-signature pair (M*, σ*) to . Then, ’s task is to convince that σ* is a valid signature on a message M* with respect to an identity ID* and a time period t*. Setup: first runs the algorithm Setup to generate public parameters pp, and runs the Extract, KeyUp and SKGen algorithms to generate a signing key with respect to the tuple (ID*, t*). Then, randomly chooses , computes and secretly stores the string . Finally, sends to the adversary . Queries: can adaptively make at most q sever-aided verification queries to . For each query on the tuple (ID, t, M, σ), runs the algorithm SA-Verify with and returns the resulting output to . Forgery: The adversary eventually sends a message-signature pair (M*, σ* = to , where σ* is not a valid signature on message M* with respect to identity ID* and time period t*, which means that Verify(pp, ID*, t*, M*, σ*) = 0. Subsequently, interacts with as follows. uses the secret string to compute Then, sends to . computes T = H(ID*, t*), , , and , and returns to . computes and verifies whether holds. If this equation holds, then SA-Verify(pp, V String, ID*, t*, M*, σ*) = 1. In the following, we analyse the probability that the invalid message-signature pair satisfies the condition . Since (σ*)′ = (σ*) and x* is randomly chosen by from , the probability that can derive x* from (σ*)′ is . As , the probability of finding an integer x* that satisfies the condition is also . Moreover, because p is a large prime, can convince that σ* is a valid signature for message M* on (ID*, t*) with a negligible probability (). Therefore, the algorithm SA-Verify in our SA-RIDPRS scheme satisfies the soundness requirement. By combining Theorem 1, Lemma 3 and Definition 4, the following theorem can be deduced. Theorem 2. In the standard model, our SA-RIDPRS scheme is secure against adaptive chosen message and collusion attacks.

Performance analysis

In this section, we discuss the performance of our schemes and other IDPRS schemes in the standard model in terms of their computational cost and security properties. Because multiplication and hash function operations have relatively low computational costs, we consider only bilinear pairing and exponentiation operations, which have relatively high computational costs. In Table 1, “Size” denotes the size of a signature; “Sign”, “Verify” and “ReSign” denote the computational cost of the Sign, Verify and ReSign algorithms, respectively; and “Revocation” denotes whether the scheme includes a user revocation function. E represents the time to execute an exponentiation operation; P represents the time to execute a bilinear pairing operation; |p| represents the length of an element in Z; and |G1| represents the length of an element in group G1.

Table 1

Performance comparisons with previous schemes.

Scheme	Size	Sign	Verify	ReSign	Revocation
Shao et al.’s scheme [20]	3\|G₁\|	2E	3P	2E + 3P	No
Feng et al.’s scheme [21]	3\|G₁\|	3E	3E + 5P	5E + 4P	No
Hu et al.’s scheme [22]	4\|G₁\| + \|p\|	6E	4E + 3P	6E + 3P	No
Our RIDPRS scheme	4\|G₁\|	2E	4P	2E + 4P	Yes
Our SA-RIDPRS scheme	4\|G₁\|	2E	4E + P	6E + P	Yes

As shown in Table 1, in our SA-RIDPRS scheme, the verifier must perform one pairing operation and 4 exponentiations to verify the validity of a signature. In contrast, the verifier must compute 4 pairings in our RIDPRS scheme. Based on the results reported in [34], the computational overhead of a bilinear pair is, at minimum, more than five exponentiations in G1. Obviously, our SA-RIDPRS scheme is considerably less computationally intensive than is our RIDPRS scheme; therefore, it substantially reduces the verifier’s computational overhead, making it suitable for limited-resource devices. In terms of signature size, the signature in our SA-RIDPRS scheme contains 4 elements in G1. The signatures in Shao et al.’s scheme [20] and Feng et al.’s scheme [21] contain 3 elements in G1, while the signature in Hu et al.’s scheme [22] contains 4 elements in G1 and one element in Z. However, our two schemes are the only ones that provide user revocation functionality and can withstand signing key exposure attacks. In the signing phase, our SA-RIDPRS scheme and Shao et al.’s scheme [20] require 2 exponentiations to generate a signature on a message, whereas the schemes of Feng et al. [21] and Hu et al. [22] require 3 and 6 exponentiations respectively. In the re-signing phase, our SA-RIDPRS scheme performs one pairing operation and 6 exponentiations to create a valid re-signature, while the scheme of Shao et al. [20] requires 3 pairing operations and 2 exponentiations, and that of Feng et al. [21] must perform 4 pairing operations and 5 exponentiations. Hu et al.’s scheme [22] requires 3 pairing operations and 6 exponentiations. During signature verification, the computational cost in our SA-RIDPRS scheme involves one pairing operation and 4 exponentiations. The schemes of Shao et al. [20] requires 3 pairings, and that of Feng et al. [21] requires 5 pairings and 3 exponentiations. Hu et al.’s scheme [22] requires 3 pairings and 4 exponentiations. In summary, our SA-RIDPRS scheme has considerably less computational overhead than do the other schemes. We evaluate the performance of our SA-RIDPRS scheme and the three other IDPRS schemes [20-22]. The experiments are implemented in a hardware environment consisting of an Intel Core i7-6500 CPU 2.5 GHz with 8 GB of RAM. The corresponding simulation algorithms are implemented in the C language using the PBC-0.47-VC library and executed on a Windows 10 operating system. We chose the standard parameter a.param in the PBC library and set the group order p = 160 bits. The performance comparison results for all the schemes are shown in Figs 1, 2, 3 and 4.

Fig 1

Comparison of signature/re-signature size.

Fig 2

Signature generation cost comparison.

Fig 3

Re-signature generation cost comparison.

Fig 4

Verifier’s computational cost comparison.

In Fig 1, we can see that the length of the signature and re-signature in Shao et al.’s scheme [20] are both 532 bits. The length of the signature in Feng et al.’s scheme [21] is 384 bits, but the length of the re-signature is 512 bits. The length of the signature and re-signature in Hu et al.’s scheme [22] are both 532 bits. The length of the signature and re-signature in our SA-RIDPRS scheme are both 512 bits. However, Feng et al.’s scheme [21] is not multi-use because the lengths of signatures and re-signatures are different. While our SA-RIDPRS scheme includes one more element in G1 than the scheme of Shao et al. [20] does, it also effectively solves the user revocation problem. Therefore, compared with the other three schemes, our SA-RIDPRS scheme has comparable efficiency in terms of signature size. This is consistent with the above theoretical analysis. According to Table 1, the cost of generating a signature in our SA-RIDPRS scheme is equivalent to that of Shao et al.’s scheme [20]. The experimental results shown in Fig 2 indicate that our SA-RIDPRS scheme has lower computational overhead for signature generation than do the other two schemes [21, 22]. Fig 3 demonstrates that our SA-RIDPRS scheme improves on the other three schemes [20-22] in terms of the computational overhead for re-signature generation. From Fig 4, we can observe that the computational cost of the verifier is not related to the size of the message in our SA-RIDPRS scheme. Because the verifier in our SA-RIDPRS scheme offloads most of the time-consuming bilinear pairing computations to the server via the server-aided verification algorithm, it can perform signature verification at a relatively low computational cost. Thus, our SA-RIDPRS scheme greatly reduces the cost of the verifier. Moreover, our SA-RIDPRS scheme is more efficient than are the other schemes [20-22] in terms of the verifier’s computational overhead. Clearly, the results of these experiments are consistent with the results of the theoretical analysis in Table 1.

Conclusions

In this paper, we present two IDPRS schemes that include a user revocation mechanism. In our schemes, the PKG constructs an identity-dependent long-term key for all users and periodically generates update keys related to their identities and time periods for non-revoked users. Only non-revoked users can re-randomize the secret key and the update key to generate a corresponding signing key; therefore, our schemes are resistant to signing key exposure attacks. In the standard model, we prove that our schemes are secure under the CDH assumption. In particular, our SA-RIDPRS scheme substantially reduces the verifier’s computational burden. However, the security of our schemes relies on the hardness assumption of the CDH problem, which can be easily solved by quantum algorithms. In the future, we plan to construct a post-quantum secure RIDPRS scheme.

1 in total

1. A short certificateless aggregate signature against coalition attacks.

Authors: Xiaodong Yang; Jinli Wang; Tingchun Ma; Yutong Li; Caifen Wang
Journal: PLoS One Date: 2018-12-12 Impact factor: 3.240

1 in total