1 An Ordered Multi-Proxy Multi-Signature Scheme Authors: Min-Shiang Hwang, Shiang-Feng Tzeng, Shu-Fen Chiou Speaker: Shu-Fen Chiou

2 Outline Introduction Hwang-Chen Scheme Our proposed scheme Secure analysis Performance evaluation Conclusions

3 Introduction Multi-proxy multi-signature scheme A proxy group can generate a proxy signature on behalf of the original signer group.

4 Introduction In Hwang-Chen scheme, the original group and proxy group can cooperate to generate a proxy certificate. Only all the proxy signers can cooperate to sign a message on behalf of the original group. Our improved scheme to be proposed is better than their scheme in terms of computational complexity and communication cost.

5 Hwang-Chen Scheme Three phases: Proxy Certificate Generate Phase. Multi-Proxy Multi-Signature Generation Phase. Multi-Proxy Multi-Signature Verification phase.

6 Hwang-Chen Scheme p: a large prime. q: a large prime factor of p − 1. g: a generator in Z p with order q. h( · ): a one-way hash function. m w : a warrant. U i : original singer, for i=1, 2, …, n 1. x U i : original singer’s private key. y U i : original singer’s public key, y U i = g x U i mod p. P j : proxy singer, for j=1, 2, …, n 2. x P j : proxy singer’s private key. y P j : proxy singer’s public key, y P j = g x P j mod p. G O : original group of n 1 original signers, G O = {U 1, U 2, …, U n 1 } G P : proxy group of n 2 proxy signers, G P = {P 1, P 2, …, P n 2 }

7 Proxy Certificate Generate Phase Step 1: Step 2: Each U i and P j calculates K as Step 3: Each U i selects a random number Calculates Each P j selects a random number Calculates Broadcasts to n 1 -1 original signers and n 2 proxy signers Broadcasts to n 1 original signers and n 2 -1 proxy signers Each U i computes Each P j computes Broadcasts to n 1 +n 2 -1 signers Broadcasts to n 1 +n 2 -1 signers

8 Proxy Certificate Generate Phase Step 4: Upon receiving the and, each singer verifies by checking Step 5: If all equations hold, each P j computes The proxy certificate is (K, V ).

9 Multi-Proxy Multi-Signature Generation Phase Given a message M, G P wants to sign M on behalf of G O. Step 1: Step 2: Upon obtaining all ’ s, Each P j calculates Step 3: Each P j sends (m w, (K, V), M, (r j, s j )) to the clerk C. Each P j selects a random number Calculates Broadcasts to n 2 -1 proxy signers

10 Multi-Proxy Multi-Signature Generation Phase Step 4: Upon obtaining (m w, (K, V), M, (r j, s j )), C verifies the proxy certificate by checking Step 5: C computes If all of individual proxy signatures for M are valid, C calculates The multi-proxy multi-signature is (m w, (K, V), M, (R, S)). and verifies (r j, s j ) by checking

11 Multi-Proxy Multi-Signature Verification phase Any verifier can verify the validity of the multi-proxy multi-signature (m w, (K, V), M, (R, S)) by If it holds, the multi-proxy multi-signature (m w, (K, V), M, (R, S)) is valid. Step 1: From m w and (K, V), the verifier checks Step 2: Then, the verifier checks

12 Our proposed scheme p, q: two large primes. h( · ): a one-way hash function. m w : a warrant. U i : original singer, for i=1, 2, …, n 1. x U i : original singer’s private key. y U i : original singer’s public key, y U i = x U i -1 mod (p-1)(q-1). P j : proxy singer, for j=1, 2, …, n 2. x P j : proxy singer’s private key. y P j : proxy singer’s public key, y P j = y P j -1 mod (p-1)(q-1). G O : original group of n 1 original signers, G O = {U 1, U 2, …, U n 1 } G P : proxy group of n 2 proxy signers, G P = {P 1, P 2, …, P n 2 }

13 Proxy Certificate Generate Phase Step 1: Each U i or P j calculates v i or v n 1 +j following the signing order and sends it to U i+1 or P j+1, where v 0 =h(m w ) Before calculating these, U i or P j should check v i-1 or v n 1 +j-1. EachU i checks whether the following equation holds Each P i checks whether the following equation holds

14 Proxy Certificate Generate Phase Step 2: P n 2 broadcasts V=v n 2 to the n 1 original signers and other n 2 -1 proxy signers. Step 3: After receiving V, each U i checks each P j checks If all the above equations hold, the proxy certificate is V.

15 Multi-Proxy Multi-Signature Generation Phase Allows n 2 proxy signers to sing M on behalf of the original group. Step 1: Each P j calculates s j to follow the signing order where s 0 =h(M, V). Before calculating s j, P j should first check the validity of s j-1. EachP j checks whether the following equation holds

16 Multi-Proxy Multi-Signature Generation Phase Step 2: P n 2 sends m w,V, M and S=s n 2 to the clerk C. Step 3: Upon receiving (m w,V, M,S ), C checks the following equation holds The multi-proxy multi-signature is (m w,V, M,S ).

17 Multi-Proxy Multi-Signature Verification phase Any verifier can verify the validity of the multi-proxy multi-signature (m w, V, M, S)) by If it holds, the M is authenticated and the proxy signature (m w, V, M, S) is valid. Step 1: According m w, the verifier can get the public keys of original singer and proxy singer from CA. Step 2: From m w and V, the verifier can checks Step 3: The verifier checks the validity of the proxy signature of M by

18 Secure analysis Based on one-way hash function. Cryptographic assumption of factorization. Under the forgery attack, we can prevent by verification equation.

19 Performance evaluation T exp : The time for a modular exponentiation computation. T mul: The time for a modular multiplication computation. T inv : The time for a modular inverse computation. T h : The time for computing a one-way hash function h( · ). | x |: The bit-length of an integer x.

20 Performance evaluation

21 Conclusions We have proposed an improved version of the Hwang-Chen scheme. We show that the proposed scheme is more efficient than the Hwang-Chen scheme in terms of both computation complexity and communication cost.

22 Thank You