A Proxy signature scheme enables a proxy signer to sign a message on behalf of
the original signer. In this paper, we propose ECDLP based solution for chen et. al [1]
scheme. We describe efficient and secure Proxy multi signature scheme that satisfy all the
proxy requirements and require only elliptic curve multiplication and elliptic curve addition
which needs less computation overhead compared to modular exponentiations also our
scheme is withstand against original signer forgery and public key substitution attack.
2. 307
can sign is not limited. This weakness eliminated by warrant schemes so using delegation by warrant
specifies the types of messages, delegation period and identity of signer (proxy or original), etc. In paper [3]
they mention two kinds of proxy signature schemes[13] depending on whether the original signer can
generate the same proxy signature as the proxy signers do. The one is proxy-unprotected and other is proxy
protected in which anyone else, including the original signer, cannot generate the same proxy signatures. This
difference is important in practical applications and this thing also avoids potential disputes between the
original signer and proxy signer. After the Mambo’s scheme [2] that is one to one i.e. one original signer and
one proxy signer there are so many proxy signature scheme have been proposed [4]. To meet the
requirements of various rapidly growing applications, different types of proxy signature schemes[11] have
been evolved. Those are threshold proxy signatures, nominative proxy signatures, onetime proxy signatures,
multi-proxy signatures, proxy multisignatures, proxy blind signatures, etc. Unlike one to one scheme the
proxy multi-signature scheme proposed by Yi et al’s [5] allows two or more original signers to delegate his
signing power to single proxy signer to sign the messages for all original signers. Yi et al’s [5] proposed two
types of proxy multi-signature scheme one is Mambo like proxy multi-signature scheme and another is Kim
like proxy multisignature scheme. Sun et. al [6] showed that both scheme are insecure. The Mambo-like
proxy multi-signature scheme in [5] suffers from the public key substitution attack easily. The Kimlike proxy
multi-signature scheme in [5] suffers from a kind of direct forgery. After that Sun et. al [6] proposed two
proxy multi-signature schemes one is Proxy protected proxy multisignature scheme (Mambo like) and
another is Proxy unprotected proxy multi-signature scheme (Kim like). Between these two schemes, one
scheme provides the protection for proxy signers while another scheme does not. In these schemes, the secure
channel is not necessary. However, Sun et. al [6] and Yi et al [5] schemes have the common disadvantage
that is size of the proxy signature depend on the number of original signers and both schemes involve
exponential operation to verify proxy signature. To overcome this problem chen et. Al [1] proposed a new
scheme. In [1] another solution for preventing Public key substitution attack and for original signer forgery is
proposed. [1] Describes the DLP based solution for proxy multisignature scheme. This solution has several
advantages. One is that it provides the fair protection for both original signer and proxy signer. In [1] scheme,
the proxy signer must obtain the authorization of the original signers during the generation of common
certificate and original signer also need to help the proxy signer to generate the common certificate. The
proxy signature is generated by the proxy signer’s private key so the the original signer cannot forge the
proxy signature alone. Therefore the original signer and the proxy signer have the fair protection. One more
advantage is that proxy signer participates the generation of the common certificate. In this scheme, verifier
checks the validity of the common certificate before the verification of proxy multisignature and the verifier
consequently identifies the mistake caused by the common certificate or the proxy signature.
Fig 1. Proxy signature scheme
On the basis of [1] we are going to propose new type of proxy multisignature scheme and that will be based
on ECDLP. Our proposed scheme don’t require any modular exponentiations, requires elliptic curve
multiplications and additions. Compared to the DLP based cryptosystems[14], ECC provides same security
with minimal key lengths and requires less storage requirements. According to [7] EC multiplication and
EC additions requires less computational time overhead compared to modular exponentiation. Hence, our
proposed scheme requires minimal execution times compared to [1] scheme and having same advantages. In
this paper we propose an efficient and secure proxy multisignature scheme and analyze the security of the
scheme. We show that our schemes are secure against the original signers forgery and public key substitution
attack. The rest of the paper is organized as follows. Section 2 we show the proxy requirements and security
assumptions. Section 3 introduce the chen et. al [1] proxy multi signature scheme [Figure 1]. In section 4 we
show our proxy multi signature [Figure 2] propose scheme and analyze its security and efficiency. Finally,
section 5 discusses some application.
3. 308
II. PRELIMINARIES
A. Proxy Requirements
In 1996, Mambo, Usuda and Okamoto [2] first addressed the basic properties that a proxy signature scheme
for partial delegation should satisfy and defined them as follows:
• Verifiability
• Identifiably
• Unforgeability
• Undeniability
• Prevention of misuse
B. Security assumption
The proxy multi signature scheme [Figure 2] in this paper is based on some security assumption.
• Elliptic curve Discrete logarithm Problem
(ECDLP): Consider the equation Q = kP where Q, P, Ep(a; b) and k < p. It is relatively easy to calculate Q
given k and P, but it is relatively hard to determine k given Q and P. This is called the discrete logarithm
problem for elliptic curves.
III. CHEN ET. AL SCHEME
In this scheme, p and q are two prime numbers such that q is a large prime factor of p-1. The generator g with
order q in Z*p. This scheme also involves three parties: original signers Ui 1 ≤ i ≤ n , proxy signer U0 and
verifier v. The original signer Ui has his private key xi and public key yi= gx
i mod p. On the other hand proxy
signer U0 also selects his private key x0 and public key y0= gx
0 modp. The function h is a cryptographic hash
function and we are using mw as a message warrant that contain the id’s of all original signers and proxy
signer, and the public keys of the signers etc. This scheme also contains three phases, the common certificate
generation phase, the proxy multisignature phase and the proxy multisignature verification phase.
A. The common certificate generation phase
In this phase all the original signers and the proxy signer cooperatively generate the proxy certificate. Steps
for generation of proxy certificate as follows:
Each signer Ui
first selects a random number ki∈Z*p.
• Then each signer calculate Ki= gk
i mod p and broadcast Ki to all signers including proxy signer.
• Each signer calculates K = ∏ܭi mod p for i = 0,1, 2, 3,........, n.
• Now each signer Ui calculates vi = h(mw)xiyi+kik mod q and broadcast vi to all signers including
proxy signer.
• Each signer Ui verifies the correctness of vi by the equation gv
i ≡ yi
h(m
w
)y
iKi
k
mod p.
Now the proxy signer computes V = ∑ ݒ
ୀ i mod q.
Finally, n original signer have authorized the proxy signer U0. The proxy certificate is (K, V ).
Fig 2. Multi Signature
4. 309
B. The Proxy multisignature generation phase
Suppose proxy signer U0 wants to generate the proxy signature on a message m on behalf of the n original
signers[12]. The proxy signer selects an random number t ∈ Z*p. Then proxy signer computes r = gt
mod p.
Now proxy signer calculates s satisfying
s = Vt + x0h(m)r mod q.
Finally the proxy signature of the message m is (r,ss).
• The proxy signer sends the (m, (r, s), m, (K, V )).
C. The Proxy multisignature verification phase
After re-ceiving (m, (r, s), mw, (K, V )) the verifier verifies the proxy multisignature in two stage.
Step 1: Verifier first checks the mw, then verify the proxy certificate (K, V ) using following equation g
V
≡ (∏ ݕ
ୀ i
yi
)h(m
w
)
KK
mod p.
Step 2 : The verifier v checks the signature (r, s) using following equation gs
≡ rV
y0
hmr
mod p
IV. OUR DIGITAL SIGNATURE BASED PROXY MULTI-SIGNATURE SCHEME
The proposed scheme is independent to the number of original signer and we are also using the merits of
ECC so the overhead of computation and communication cost due to modular exponential operation also
reduced. Our scheme also secure against original signer forgery attack and public key substitution attack.
This scheme also involves three parties: original signers Ui , 1 ≤ i ≤ n , proxy signer U0 and verifier v. All
original signers and the designated proxy signer are authorized to select their own individual secret keys. All
original signer and proxy signer randomly selects a number di ∈ [1, t─1] this number is his private key and
then using this they calculate public key that is Qi = di × B = (xQi,yQi). If xQi ≠ 0, di is the secret key and Qi is
the public one. The function h is a cryptographic hash function and we are using mw as a message warrant
that contain the id’s of all original signers and proxy signer, and the public keys of the signers etc. This
scheme also contains four phases, System initialization phase, the common certificate generation phase, the
proxy multisignature phase and the proxy multisignature verification phase.
A. System initialization phase
The following parameters over the elliptic curve domain must be known
Fp : A field size p(a large prime number of 512 bits).
E : An elliptic curve of the form (y2
≡ x3
+ax+b mod p) over Fp, where a, b ∈ Fp such that 4a3
+ 27b2
≠ 0(mod
p) represents a set of points (x, y) ∈ Fp × Fp which satisfy E and with an additional point called point at
infinity O. The cardinality of E should be divisible by a large Prime number because of the issue of security
raised by Pohlig and Hellman [8]. B : (B ≠ O) A finite point on E with an order t (a large prime number).
Table I is an example of calculating elliptic curve .
TABLE I. E(1,1):Y2
=X3
+X+1 MOD 23
(0,1) (6,4) (12,19)
(0,22) (6,19) (13,7)
(1,7) (7,11) (13,16)
(1,16) (7,12) (17,3)
(3,10) (9,7) (17,20)
(3,13) (9,16) (18,3)
(4,0) (11,3) (18,20)
(5,4) (11,20) (19,5)
(5,19) (12,4) (19,18)
B. The common certificate generation phase
In this phase all the original signers and the proxy signer cooperatively generate the proxy certificate. Steps
for generation of proxy certificate as follows:
• Each signer Ui first selects a random number ki ∈ {1, 2, 3, . . . ,t ─ 1}, where t is the order of elliptic
curve.
• Then each signer calculate Ki = ki × B and broadcast Ki to all signers including proxy signer.
5. 310
• Each signer calculates K i = ∑ ݇i mod p = (XK,YK) for i = 0, 1, 2, 3, . . . , n.
• Now each signer Ui calculates vi = h(mw)diXQi + kiXK and broadcast vi to all signers including proxy
signer.
• Each signer Ui verifies the correctness of v by the equation vi × B = h(mw)QiKQi + KiXK.
• Now the proxy signer computes V
Finally, n original signer have authorized the proxy signer U0. The proxy certificate is (K, V ).
C. The Proxy multisignature generation phase
Suppose proxy signer U0 wants to generate the proxy signature on a message m on behalf of the n original
signers.
• The proxy signer selects an random number l ∈ {1, 2, 3, . . . , t ─ 1}.
• Then proxy signer computes r = l × B mod p =(Xr,Yr).
• Now proxy signer calculates s satisfying = Vh(mw) + tXQ0 + d0h(m,mw)Xr. Finally the proxy signature of
the message is (r,s).
• The proxy signer sends the (m, (r, s), mw, (K, V )).
D. The Proxy multisignature verification phase
After re-ceiving (m, (r, s), mw, (K, V )) the verifier verifies the proxy multisignature in two stage.
Step 1: Verifier first checks the mw, then verify the proxy certificate (K, V ) using following equation V × B =
h(mw)∑ ܳ݅ܺ
ୀ Qi + KXK.
Step 2: The verifier v checks the signature (r, s) using following equation s × B = (h(mw)∑ ܳ݅ܺ
ୀ Qi + KXK )
h(mw) + rXQ0 + Q0h(m, mw)Xr.
V. SECURITY ANALYSIS AND DISCUSSIONS
Let us first consider the security of Proxy certificate (K, V ). The proxy certificate (K, V) is actually a digital
multisignature so it is very hard to forge without knowing the private key of original signers and proxy
signer. Now let us talk about public key substitution attack, suppose any signer Un wants to generate the
proxy certificate alone. Because he does not know the private key of any signer so the possible attack is to
construct a public key Q’n such that
α × B = ∑ ܳିଵ
iXQi + Q’nXQ’n mod p
where α is a random number. Then by using α and Q’n as his private key and public key respectively he is
able to generate the proxy certificate without agreement of the other signers. However it is hard to find Q’n
and α that satisfy the equation Q’nXQʹn = α × B - ∑ ܳିଵ
iXQi mod p. If the value of Qn is determine first then
finding α is Elliptic curve Discrete logarithm problem that is extremely hard problem. So public key
substitution attack is not possible in our case. Now we are going to discuss the security of proxy signature (r,
s). The proxy signature is actually a digital signature so it is hard to forge (r, s) without knowing the private
key of proxy signer. The attacker has to first overcome the difficulty to forge the proxy certificate. According
to the above discussion related to security of (K, V), no one can forge (K, V) without the agreement of the
proxy signer. Now security of (r, s) that is dependent on the equation s × B = (h(mw)∑ ܳ݅ܺ
ୀ Qi + KXK )
h(mw) + rXQ0 + Q0h(m,mw)Xr. So the proxy multisignature can be generated by the signer who owns the
private key d0. So the original signer can not forge the prosy signature that means our scheme is protected
from original signer forgery. Hence both proxy signers and original signers obtain the protection in our
scheme. There are many advantages in our scheme. First it provides fair protection for both original signer
and proxy signer and size of the proxy signature is not dependent to the number of original sign er. Since the
size of the proxy certificate is fixed ,the storage and communication cost are reduced. In [1] scheme they have
given solution for public key substitution attack and original signer forgery attack. On the basis of [1] we
have given the solution based on Elliptic curve and our solution is more efficient then his solution because
our proposed scheme dont require any modular exponentiations, requires elliptic curve multiplications and
additions. Compared to the DLP based cryptosystems[14], ECC provides same security with minimal key
lengths and requires less storage requirements. One more advantage is that our scheme does not need any
secure channel. The proxy certificate (K, V) can directly transmitted to the proxy signer. Due to the security
analysis of the proxy signature, nobody has the ability to create the proxy signature by only using the
common certificate.
6. 311
VI. CONCLUSION
We have proposed a proxy multi signature scheme based on elliptic curve cryptosystem[14] (ECC). The
proposed scheme is secure then Tzer-Shyong Chen [9], Kuo-Hsuan et. als [10] and Sun’s scheme [6] and
computation cost is independent of the number of original signers. Our scheme uses Diffie-Hellman for
sending the sub delegation parameter and we are not using any encryption and decryption method for sending
parameter. So we also reduce the cost of encryption and decryption. Besides this our scheme is able to
withstand the public key substitution attack and original signer forgery attack.
REFERENCES
[1] Chiu-Chin Chen, “The group-oriented design on proxy signature schemes”, 2002.
[2] Masahiro Mambo, Keisuke Usuda, and Eiji Okamoto, “Proxy signatures for delegating signing operation”, in
Proceedings of the 3rd ACM Conference on Computer and Communications Security, Clifford Neuman, Ed., New
Delhi, India, Mar. 1996, pp. 48–57, ACM Press.
[3] Byoungcheon Lee Nonmember and Kwangjo Kim Member, “Strong proxy signatures”, Dec. 13 1999.
[4] S. Kim, S. Park, and D. Won, “Proxy signatures, revisited”, in Proc. 1st International Information and
Communications Security Conference, 1997, pp. 223–232.
[5] G. Xiao L. Yi, G. Bai, “Proxy multi-signature scheme: a new type of proxy signature scheme”, in Electronics Letters
36, 2000.
[6] H.M. Sun, “On proxy multi-signature schemes”, in Proceedings of the International Computer Symposium,, 2000,
pp. ‘65–72.
[7] Koblitz, Menezes, and Vanstone, “The state of elliptic curve cryptography”, IJDCC: Designs, Codes and
Cryptography, vol. 19, 2000.
[8] Pohlig and Hellman, “An improved algorithm for computing logarithms over GF(p) and its cryptographic
significance”, IEEETIT: IEEE Transactions on Information Theory, vol. 24, 1978.
[9] Tzer-Shyong Chen, Yu-Fang Chung, and Kuo-Hsuan Huang, “A traceable proxy multisignature scheme based on
the elliptic curve cryptosystem”, Applied Mathematics and Computation, vol. 159, no. 1, pp. 137–145, Nov. 2004.
[10] Chien-Lung Hsu, Tzong-Sun Wu, and Wei-Hua He, “New proxy multisignature scheme”, Applied Mathematics and
Computation, vol. 162,no. 3, pp. 1201–1206, Mar. 2005.
[11] Je Hong Park, Bo Gyeong Kang, and Sangwoo Park, “Cryptanalysis of some group-oriented proxy signature
schemes”, in WISA, JooSeok Song, Taekyoung Kwon, and Moti Yung, Eds. 2005, vol. 3786 of Lecture Notes in
Computer Science, pp. 10–24, Springer.
[12] Jianying Guilin Wang, Feng Bao and Robert H. Deng, “Proxy signature scheme with multiple original signers for
wireless e-commerce applications”, Infocomm Security Department, Institute for Infocomm Research (I2R) 21
Heng Mui keng terrace, Singapore 119613, 2004, IEEE.
[13] Feng Cao and Zhenfu Cao, “Cryptanalysis on a proxy multi-signature scheme”, in IMSCCS (2), Jun Ni and Jack
Dongarra, Eds. 2006, pp. 117–120, IEEE Computer Society.
[14] Tzer-Shyong Chen, Yu-Fang Chung, and Gwo-Shiuan Huang, “Efficient proxy multisignature schemes based on the
elliptic curve cryptosystem”, Computers & Security, vol. 22, no. 6, pp. 527–534, 2003.
[15] Yumin Yuan, “Improvement of hsu-wu-he’s proxy multi-signature schemes”, in Secure Data Management, Willem
Jonker and Milan Petkovic, Eds. 2005, vol. 3674 of Lecture Notes in computer Science, pp. 234–240, Springer.