Advertisement
Browse Subject Areas
?

Click through the PLOS taxonomy to find articles in your field.

For more information about PLOS Subject Areas, click here.

  • Loading metrics

Revocable identity-based proxy re-signature against signing key exposure

  • Xiaodong Yang ,

    Contributed equally to this work with: Xiaodong Yang, Chunlin Chen

    Roles Writing – original draft, Writing – review & editing

    y200888@163.com

    Current address: College of Computer Science and Engineering, Northwest Normal University, Lanzhou, Gansu, China

    Affiliations College of Computer Science and Engineering, Northwest Normal University, Lanzhou, Gansu, China, State Key Laboratory of Cryptology, Beijing, China

  • Chunlin Chen ,

    Contributed equally to this work with: Xiaodong Yang, Chunlin Chen

    Roles Data curation

    Affiliation College of Computer Science and Engineering, Northwest Normal University, Lanzhou, Gansu, China

  • Tingchun Ma,

    Roles Validation

    Affiliation College of Computer Science and Engineering, Northwest Normal University, Lanzhou, Gansu, China

  • Jinli Wang,

    Roles Data curation

    Affiliation College of Computer Science and Engineering, Northwest Normal University, Lanzhou, Gansu, China

  • Caifen Wang

    Roles Formal analysis

    Affiliation College of Computer Science and Engineering, Northwest Normal University, Lanzhou, Gansu, China

Revocable identity-based proxy re-signature against signing key exposure

  • Xiaodong Yang, 
  • Chunlin Chen, 
  • Tingchun Ma, 
  • Jinli Wang, 
  • Caifen Wang
PLOS
x

Abstract

Identity-based proxy re-signature (IDPRS) is a novel cryptographic primitive that allows a semi-trusted proxy to convert a signature under one identity into another signature under another identity on the same message by using a re-signature key. Due to this transformation function, IDPRS is very useful in constructing privacy-preserving schemes for various information systems. Key revocation functionality is important in practical IDPRS for managing users dynamically; however, the existing IDPRS schemes do not provide revocation mechanisms that allow the removal of misbehaving or compromised users from the system. In this paper, we first introduce a notion called revocable identity-based proxy re-signature (RIDPRS) to achieve the revocation functionality. We provide a formal definition of RIDPRS as well as its security model. Then, we present a concrete RIDPRS scheme that can resist signing key exposure and prove that the proposed scheme is existentially unforgeable against adaptive chosen identity and message attacks in the standard model. To further improve the performance of signature verification in RIDPRS, we introduce a notion called server-aided revocable identity-based proxy re-signature (SA-RIDPRS). Moreover, we extend the proposed RIDPRS scheme to the SA-RIDPRS scheme and prove that this extended scheme is secure against adaptive chosen message and collusion attacks. The analysis results show that our two schemes remain efficient in terms of computational complexity when implementing user revocation procedures. In particular, in the SA-RIDPRS scheme, the verifier needs to perform only a bilinear pairing and four exponentiation operations to verify the validity of the signature. Compared with other IDPRS schemes in the standard model, our SA-RIDPRS scheme greatly reduces the computation overhead of verification.

Introduction

A digital signature provides security services such as data integrity, authentication and non-repudiation; therefore, it is one a key technology to ensure information security. In particular, digital signatures can be combined with passwords [1, 2], smart cards [3], biometrics [4], chaotic parallel keyed hash functions [5] and other technologies to achieve identity authentication of parties in communication. Consequently, they have practical applications in systems such as smart cities [6], body area networks [7], the Internet of Things [8] and ubiquitous networks [9]. To meet the security needs of different practical scenarios, researchers have proposed a series of digital signature variants. For instance, a blind signature can effectively protect the content of signed messages; therefore, it is applied to e-commerce, e-voting, e-currency and other systems to protect participants’ interests [10, 11]. A group signature allows any member of a group to sign messages on behalf of the entire group anonymously; therefore, group signatures have been used to protect the privacy and authenticate the identity of vehicles in vehicular ad-hoc networks [12]. A ring signature is a type of group signature with no administrator that can be used in cloud computing and block-chains to achieve unconditional anonymity to protect a user’s privacy [13, 14]. In many scenarios, we need, for example, to verify Alice’s signature, but we do not know her public key or her public key has expired. We want to transform Alice’s signature into Bob’s signature, because Bob’s public key is available. To achieve this transformation, Blaze et al. [15] introduced the concept of a proxy re-signature (PRS). In a PRS scheme, a semi-trusted proxy is allowed to transform Alice’s signature on a message into Bob’s signature on that same message. However, the proxy cannot independently generate a valid signature on any message on behalf of Alice or Bob. Instead, the proxy re-signature functions as a signature conversion method; consequently, it has been widely used in areas such as cross-domain authentication, digital rights management, privacy preservation and auditing in cloud computing environments.

Ateniese and Hohenberger [16] provided a security model for PRS and presented two concrete schemes in 2005: one is multi-use and the other is single-use. Generally speaking, in a multi-use PRS scheme, a proxy can transform a signature from Alice to Bob into a signature from Bob to Carol, but a proxy cannot further convert a transformed signature in a single-use PRS scheme. In the proxy re-signature field, a multi-use PRS is more useful than is a single-use PRS. After Ateniese and Hohenberger’s seminal work [16], other PRS schemes with special properties were proposed, including the universally composable secure PRS [17], the certificateless PRS [18] and the threshold PRS [19]. In particular, Shao et al. [20] proposed an identity-based proxy re-signature (IDPRS) scheme to address the problem of certificate management in traditional PRS schemes. In IDPRS, the user’s email address or other unique identifying information is used as the public key, and the user’s private key is generated by a trusted private key generator (PKG). IDPRS allows a semi-trusted proxy to convert a signature under one identity to another signature under another identity on the same message, but the proxy is unable to produce any signature on behalf of any of these two identities. As a result, IDPRS eliminates the requirement for certificates and simplifies key management, but challenges still remain to be addressed in practical applications.

Shao et al. [20] proposed the first IDPRS scheme in the standard model. Later, Feng et al. [21] proposed a secure IDPRS scheme, but it was not multi-use. Hu et al. also [22] presented an IDPRS scheme without random oracles, but its security relies on a strong difficult problem assumption. Tian [23] proposed an IDPRS scheme from lattices in the random oracle model, but the size of the signature was relatively large and its practicality was poor. In addition, Wang et al. [24] constructed two server-aided proxy re-signature schemes that were provably secure in the random oracle model, but the second scheme cannot resist a collusion attack from the server and a malicious proxy. Moreover, Canetti et al. [25] found that the provably secure scheme in the random oracle model might be insecure in reality when the random oracle is instantiated by a specific hash function. Therefore, it is of practical significance to construct secure RIDPRS schemes in the standard model.

The existing IDPRS schemes do not consider the problem of user revocation [2023]. A revocation mechanism is essential for practical identity-based cryptosystem [26]. If a user’s key is compromised or a user’s authorization expires, that user needs to be revoked from the system. When users have been revoked, they should no longer be able to use their previous private keys to gain access to sensitive data or to generate valid digital signatures. Researchers have designed a series of revocable cryptographic schemes to achieve user revocation in identity-based settings [2729]. The main idea behind these schemes is that the PKG periodically updates the private keys of non-revoked users. Tsai et al. [30] proposed a revocable identity-based signature scheme in the standard model, in which a user’s signing key consists of a long-term secret key and a periodically changed update key. However, Tsai et al.’s scheme [30] is insecure against a signing key exposure attack: an adversary can obtain a fixed secret key from a compromised signature key and then combine it with subsequent update keys to forge the signature of any message. Lian et al. [31] proposed a revocable attribute-based signature scheme, but Wei et al. [32] revealed that Lian et al.’s scheme is vulnerable to signing key exposure. If a signature scheme can resist the signing key exposure attack, then the users store their secret keys on physical devices with relatively high security levels, while the update keys can be stored on devices with relatively low security levels (such as mobile phones, smart cards, etc.). However, to the best of our knowledge, no identity-based proxy re-signature scheme with a user revocation mechanism is available. Therefore, how to design a revocable identity-based proxy re-signature (RIDPRS) scheme is an open and interesting question.

In this paper, we formally define the syntax of RIDPRS and present a security model for RIDPRS against signing key exposure. Based on Shao et al.’s IDPRS scheme [20], we design a bidirectional and multi-use RIDPRS scheme. In the proposed scheme, the PKG’s master secret key is divided into two parts: one part is used to construct the user’s fixed secret key, and the other part is used to generate periodically changed update keys for the user. Only a non-revoked user can re-randomize their secret key and update key to generate a corresponding signing key. Consequently, our scheme can not only effectively revoke a user from the system, but also resist signing key exposure attacks. Furthermore, we introduce a new cryptographic primitive called server-aided revocable identity-based proxy re-signature (SA-RIDPRS), which is particularly suitable for verifiers with limited computing power. SA-RIDPRS allows the verifier to delegate most of the computational work involved in signature verification to a server with powerful computing capabilities; the verifier needs to perform only a small number of computational operations to verify the legitimacy of the signature. In addition, we formalize the security model for SA-RIDPRS. Based on our RIDPRS scheme, we also construct an SA-RIDPRS scheme and prove that the proposed scheme is secure against adaptive chosen message and collusion attacks. The results of our analysis show that our two schemes are bidirectional and multi-use, and they achieve user revocation functionality while maintaining efficiency in terms of computational complexity and storage overhead. In our SA-RIDPRS scheme, the verifier verifies the validity of the signature with minimal computational cost by executing the server-aided verification algorithm in conjunction with a server, which efficiently reduces the computational cost of the verifier.

The rest of this paper is organized as follows. Section 2 reviews some preliminaries used in our schemes. Section 3 presents security notions for RIDPRS and SA-RIDPRS. Section 4 constructs an IDPRS scheme and an SA-RIDPRS scheme and gives their security proof and performance analysis. Finally, Section 5 concludes the paper.

Preliminaries

In this section, we briefly review bilinear parings and the computational Diffie-Hellman (CDH) assumption.

Bilinear parings

Let p be a prime, G1 and G2 be two multiplicative cyclic groups of order p, and g be a generator of G1. An efficiently computable bilinear paring e: G1 × G1G2 is a map with the following properties [16]:

  • Bilinear: e(ga, gb) = e(g, g)ab = e(gb, ga) for any a, bZp.
  • Non-degenerate: e(g, g) ≠ 1.

Complexity assumption

The security of our scheme depends on the hardness of the CDH problem. Let G1 be a cyclic group of prime order p, and g be a generator of G1. Given , where a, bZp, the CDH problem is to compute gabG1.

Definition 1. We say that the CDH assumption holds if no probabilistic polynomial-time (PPT) algorithm can solve the CDH problem in G1 with a non-negligible probability [20].

Formal definition and security model

Security notions of RIDPRS

An RIDPRS scheme consists of the following eight algorithms (Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign, Verify):

  • Setup(λ) → (pp, msk): Given a security parameter λ, this algorithm outputs public parameters pp and a master secret key msk of the PKG.
  • Extract(pp, msk, ID) → skID: Given pp, msk and a user’s identity ID, this algorithm outputs a secret key skID of the identity ID.
  • KeyUp(pp, msk, ID, t) → vkID,t: Given pp, msk, an identity ID and a time period t, this algorithm outputs an update key vkID,t with respect to identity ID and time period t.
  • SKGen(pp, skID, vkID,t) → dkID,t: Given pp, a secret key skID and an update key vkID,t, this algorithm outputs an error symbol ⊥ if the identity ID has been revoked during the time period t; otherwise, it outputs a signing key dkID,t on (ID, t).
  • ReKey(pp, dkA,t, dkB,t) → rkAB,t: Given pp and two signing keys (dkA,t, dkB,t) corresponding to identities (IDA, IDB) at time period t, this algorithm outputs a re-signing key rkAB,t of the proxy.
  • Sign(pp, dkID,t, M) → σ: Given pp, a signing key dkID,t and a message M, this algorithm generates a signature σ on M.
  • ReSign(pp,rkAB, IDA, t, M, σA) → σB: Given pp, a re-signing key rkAB and a signature σA on a message M with respect to identity IDA and time period t, this algorithm outputs ⊥ if Verify(pp, IDA, t, M, σA) = 0; otherwise, it outputs a signature σB on M with respect to identity IDB and time period t.
  • Verify(pp, ID, t, M, σ) → {0, 1}: Given pp, an identity ID, a time period t, a message M and a signature σ, this algorithm outputs 1 if σ is a valid signature of M on (ID, t); otherwise, it outputs 0.

Correctness. Let (pp, msk) be the output of the algorithm Setup(λ). For any message M and any identities (IDA, IDB), if σA = Sign(pp, t, dkA,t, M) and σB = ReSign(pp,rkAB, IDA, t, M, σA), then the conditions Verify(pp, IDA, t, M, σA) = 1 and Verify(pp, IDB, t, M, σB) = 1 must both hold.

The security of an RIDPRS scheme should be existentially unforgeable under adaptive chosen identity and message attacks. Based on the security model of IDPRS in [20] and the security definition of revocable identity-based signature schemes in [3032], the existential unforgeability of a bidirectional RIDPRS scheme that captures signing key exposure is formally defined by using the following security game between a challenger and an adversary :

Setup: executes the algorithm Setup(λ) to generate public parameters pp and the PKG’s master secret key msk. Then, sends pp to .

Queries: The adversary adaptively makes the following queries:

  • Extract-query: When asks for a secret key of an identity ID, executes the algorithm Extract(pp, msk, ID) and returns the corresponding output skID to .
  • KeyUp-query: When inquires about an update key with respect to an identity ID and a time period t, executes the algorithm KeyUp(pp, msk, ID, t) and returns an update key vkID,t to .
  • SKGen-query: When asks for a signing key with respect to an identity ID and a time period t, first makes an Extract-query for ID and a KeyUp-query for the tuple (ID, t) to obtain a secret key skID and an update key vkID,t, respectively. Then, runs the algorithm SKGen(pp, skID, vkID,t) to generate a signing key dkID,t, and sends it to .
  • ReKey-query: When requests a re-signing key of two identities (IDA, IDB) at time period t, first makes the SKGen-query on tuples (IDA, t) and (IDB, t) to obtain the corresponding signing keys dkA,t and dkB,t, respectively. Afterwards, runs the algorithm ReKey(pp, dkA,t, dkB,t) to output a re-signing key rkAB,t, and then sends it to .
  • Sign-query: When requests a signature on a message M with respect to an identity ID and a time period t, first makes a SKGen-query on tuple (ID, t) to obtain a signing key dkID,t. Then, runs the algorithm Sign(pp, dkID,t, M) and returns a signature σ on M to .

Forgery: The adversary finally outputs a forged signature σ* on a message M* with respect to an identity ID* and a time period t*. We say that wins in the above game if the following conditions hold.

  1. Verify(pp, ID*, t*, M*, σ*) = 1.
  2. (ID*, t*) has never been queried of the SKGen-query.
  3. ID* has never been submitted to the Extract-query, and (ID*, t*) has never been submitted to the KeyUp-query.
  4. ID* has never been submitted to the ReKey-query.
  5. (ID*, t*, M*) has never been queried of the Sign-query.

Definition 2. A bidirectional RIDPRS scheme is said to be existentially unforgeable against adaptive chosen identity and message attacks if for any polynomial-time adversary the probability of winning in the above game is negligible.

Security notions of SA-RIDPRS

An SA-RIDPRS scheme consists of an RIDPRS scheme and a server-aided verification protocol. Due to the weaker computing power, the verifier is unable to perform complicated cryptographic operations. Therefore, the verifier needs to execute an interactive verification protocol to verify the validity of the signature with the help of a server. Specifically, a bidirectional SA-RIDPRS scheme is a tuple of the following ten algorithms (Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign, Verify, SA-Setup, SA-Verify):

  • The Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign and Verify algorithms are the same as those in the RIDPRS scheme described in Section 3.1.
  • SA-Setup(pp) → V String: On input public parameters pp, this algorithm generates a secret string V String that contains the pre-computed information of the verifier.
  • SA-Verify(pp, V String, ID, t, M, σ) → {0, 1}: On input pp, V String and a signature σ on a message M with respect to an identity ID and a time period t, this algorithm outputs 1 if the server convinces the verifier that σ is valid; otherwise, it outputs 0.

The security of an SA-RIDPRS scheme includes both the existential unforgeability of RIDPRS and the soundness of the algorithm SA-Verify. Existential unforgeability ensures that an attacker cannot generate a valid signature on a new message, whereas soundness ensures that the server cannot convince a verifier that an invalid signature is valid. The unforgeability of a bidirectional SA-RIDPRS scheme is the same as that of the RIDPRS scheme defined in Section 3.1. Based on the soundness of server-aided verification PRS [24], the soundness of the algorithm SA-Verify under adaptive chosen message and collusion attacks is defined by the following security game between a challenger and an adversary . In this game, the challenger acts as a verifier while the adversary acts as the server. is allowed to collude with the signer or the proxy; therefore, can generate or transform the signature of any message. The goal of is to convince that an invalid signature is valid. and interact as follows:

Setup: executes the Setup and SA-Setup algorithms to generate the public parameters pp and the string V String, respectively. Then, sends pp to .

Queries: can adaptively make a number of server-aided verification queries to . For each query on (IDi, ti, Mi, σi), runs the algorithm SA-Verify with and then returns the corresponding output to as a response.

Forgery: The adversary eventually outputs an identity ID*, a time period t*, a message M* and a string σ*. Let ΩM* be the set of all valid signatures on M*, where σ* ∉ ΩM*. If Verify(pp, ID*, t*, M*, σ*) = 0 and SA-Verify(pp, V String, ID*, t*, M*, σ*) = 1, which means that has convinced that σ* is a valid signature on M* with respect to the tuple (ID*, t*), then the adversary wins the game.

Definition 3. The algorithm SA-Verify is soundness if the probability that any polynomial-time adversary wins in the above game is negligible.

Definition 4. If an RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks, and the algorithm SA-Verify is soundness, then the resulting SA-RIDPRS scheme is said to be secure against adaptive chosen message and collusion attacks.

Our constructions

In this section, we first construct a bidirectional RIDPRS scheme based on the IDPRS scheme of Shao et al. [20]. Then, we extend it to the SA-RIDPRS scheme. Moreover, we provide security proofs and performance analyses for the proposed schemes.

Bidirectional and revocable ID-based proxy re-signature scheme

Description.

In our RIDPRS scheme, we assume that the length of the identity and the length of the message are nu-bit and nm-bit strings, respectively. We can achieve these by two collision-resistant hash functions and . The details of our RIDPRS scheme are described as follows:

  • Setup: Given a security parameter λ, the PKG does the following:
    1. Choose two multiplicative cyclic groups G1 and G2 of prime order p, a generator g of G1 and a bilinear pairing e: G1 × G1G2.
    2. Select a collision-resistant hash function , where nv is the fixed length of the output of H.
    3. Pick four random elements g2, u0, v0, w0G1 and three random vectors , and from G1, where 1 ≤ inu, 1 ≤ jnv and 1 ≤ knm.
    4. Choose two random integers and compute .
    5. Store the master secret key secretly and publish the public parameters .

    To simplify the expression, for any identity ID = (, any string T = (T1, …, and any message M = (M1, …, Mnm) , we define the following three functions
    , and , respectively.
  • Extract: Given a user’s identity ID, the PKG first chooses a random integer rIDZp and computes a secret key , . Then, the PKG sends skID to the user via a secure channel.
  • KeyUp: Given an identity ID and a time period t, the PKG randomly chooses sIDZp, and computes TID = H(ID, t) and vkID,t = (vkID,t,1, vkID,t,2) = . Then, the PKG sends an update key vkID,t to the user via a public channel.
  • SKGen: On input (ID, t), if identity ID has been revoked within time period t, the user is unable to generate a valid signing key because he cannot obtain valid update keys. Otherwise, the user with identity ID uses his secret key skID = (skID,1, skID,2) and update key vkID,t = (vkID,t,1, vkID,t,2) to generate a signing key using the following steps:
    1. Choose two random integers .
    2. Compute TID = H(ID, t), , ,
    3. Output a signing key dkID,t = (dkID,t,1, dkID,t,2, dkID,t,3).
  • ReKey: On input two signing keys dkA,t = (dkA,t,1, dkA,t,2, dkA,t,3) and dkB,t = (dkB,t,1, dkB,t,2, dkB,t,3) corresponding to two identities IDA and IDB, the proxy outputs a re-signing key
  • Sign: Given a message M, a signer randomly chooses rmZp and uses the signing key dkID,t = (dkID,t,1, dkID,t,2, dkID,t,3) to compute , σID,2 = dkID,t,2, σID,3 = dkID,t,3 and . Then, the signer outputs a signature σID = (σID,1, σID,2, σID,3, σID,4) on M.
  • ReSign: Given a re-signing key rkAB,t = (rkAB,t,1, rkAB,t,2, rkAB,t,3) and a signature σA = (σA,1, σA,2, σA,3, σA,4) on a message M with respect to an identity IDA and a time period t, the proxy outputs ⊥ if Verify(pp,IDA, t, M, σA) = 0; otherwise, the proxy randomly chooses , and computes , σB,2 = σA,2rkAB,t,2, σB,3 = σA,3rkAB,t,3 and . Then, the proxy outputs a signature σB = (σB,1, σB,2, σB,3, σB,4) for M with respect to the identity IDB and the time period t.
  • Verify: Given an identity ID, a time period t and a signature σID = (σID,1, σID,2, σID,3, σID,4) on a message M, the verifier first computes TID = H(ID, t). Then, the verifier checks whether the following equation holds: If the above equation holds, the verifier accepts that σID is valid and outputs 1; otherwise, the verifier outputs 0.

Correctness.

For any signature σA = (σA,1, σA,2, σA,3, σA,4) of message M on (IDA, t), any re-signing key rkAB,t = (rkAB,t,1, rkAB,t,2, rkAB,t,3) = (dkB,t,1/dkA,t,1, dkB,t,2/dkA,t,2, dkB,t,3/dkA,t,3) and IDB’s signing key dkB,t = (dkB,t,1, dkB,t,2, dkB,t,3), where , and . Then, we have a re-signature σB = (σB,1, σB,2, σB,3, σB,4) of M with respect to identity IDB and time period t, where

The following equation shows that our RIDPRS scheme satisfies correctness:

From the above equation, we can see that σB satisfies the condition Verify(pp, IDB, t, M, σB) = 1, so our RIDPRS scheme is correct. The distribution of the re-signature σB generated by the algorithm ReSign is the same as that of the signature generated by IDB himself using the algorithm Sign, which demonstrates that our RIDPRS scheme is multi-use. By using the re-signing key rkAB,t between IDA and IDB, it is easy to compute the re-signing key rkBA,t = 1/rkAB,t between IDB and IDA, which implies that our RIDPRS scheme is bidirectional.

Security analysis.

In our RIDPRS scheme, the algorithm SKGen re-randomizes a secret key skID and an update key vkID,t to generate a corresponding signing key for an identity ID and time period t. Even if an adversary obtains the signing key dkID,t, it is difficult to extract ID’s secret key skID from dkID,t. Moreover, the exposure of dkID,t at time period t does not reveal any information concerning other signing keys for identity ID at other time periods. Therefore, our RIDPRS scheme can resist signing key exposure attacks.

To simplify the security analysis of our RIDPRS scheme, we classify adversaries into two types: external and internal. The main difference between these two types of attackers is that an external adversary is not allowed to make queries about the secret key of the challenged identity ID* whereas an internal adversary is not allowed to make queries about the update key of the challenged identity ID* or the challenged time period t*. The following two lemmas prove that our RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks.

Lemma 1. If a polynomial-time external adversary breaks our RIDPRS scheme with non-negligible probability, then there exists an algorithm that can solve the CDH problem with non-negligible probability.

Proof. Assume that an adversary breaks the existential unforgeability of our RIDPRS scheme with the probability ε after making at most qsk secret key queries, qvk update key queries, qdk signing key queries, qrk re-signing key queries and qs signing queries. We will construct an algorithm to solve the CDH problem in G1 with the probability at least ε1 by using ’s forgery. Given a random instance of the CDH problem, the goal of is to compute gab. The algorithm interacts with as follows.

Setup: randomly chooses two integers ku(0 ≤ kunu) and km(0 ≤ kmnm), and sets g2 = gb, lu = 2(qsk + qdk + qrk + qs) and lm = 2qs such that lu(nu + 1)<p and lm(nm + 1)<p. To generate the public parameters pp, executes the following operations:

  1. Randomly choose x0, x1, …, xnuZlu and y0, y1, …, ynuZp, then compute and a vector , where for 1 ≤ inu.
  2. Randomly choose z0, z1, …, znvZp and then compute and a vector , where for 1 ≤ jnv.
  3. Randomly choose c0, c1, …, cnmZlm and d0, d1, …, ynmZp and then compute and a vector , where for 1 ≤ knm.
  4. Select a collision-resistant hash function .
  5. Choose a random integer and compute . This calculation implies that the master secret key is but a is unknown to .
  6. Send the public parameters (G1, G2, e, p, g, g1, g2, H, u0, v0, to .

For any identity , any string and any message , we define the following five functions:

, , , , .

Thus, we have

Queries: The adversary can issue the following types of queries adaptively:

  • Extract-query: When asks for a secret key query on an identity ID, first computes F(ID). We note that implies (and thus implies ). If , aborts; otherwise, randomly chooses rIDZp computes and then sends the secret key skID to .
  • KeyUp-query: When issues an update key query on an identity ID and a time period t, randomly chooses sIDZp and computes TID = H(ID, t). Then, uses the secret value β to compute and returns an update key vkID,t to .
  • SKGen-query: For a signing key query on (ID, t), if identity ID has been revoked at time period t, outputs ⊥. Otherwise, randomly chooses , and performs an Extract-query on ID and a KeyUp-query on (ID, t) to obtain a secret key skID = (skID,1, skID,2) and an update key vkID,t = (vkID,t,1, vkID,t,2), respectively. Then, computes TID = H(ID, t), and returns a signing key dkID,t = (dkID,t,1, dkID,t,2, dkID,t,3) to .
  • ReKey-query: When issues a re-signing key query on two identities (IDA, IDB) and a time period t, first makes SKGen-query on (IDA, t) and (IDB, t) to obtain the corresponding signing keys dkA,t and dkB,t, respectively. Then, executes the algorithm ReKey(pp, dkA,t, dkB,t) to produce a re-signing key rkAB,t and sends it to .
  • Sign-query: When issues a signature query on a message M with respect to an identity ID and a time period t, considers the following two cases:
    1. – Case 1: If , makes a SKGen-query on (ID, t) to obtain a signing key dkID,t. Then, executes the algorithm Sign(pp, dkID,t, M) to produce a signature σ on M and returns it to .
    2. – Case 2: If , further considers the following two subcases:
      1. * Case 2.1: If , aborts.
      2. * Case 2.2: If , randomly chooses , and computes TID = H(ID, t), , , and
        Then, returns a signature σ = (σ1, σ2, σ3, σ4) on M to .

Forgery: The adversary finally outputs a signature on a message M* with respect to an identity ID* and a time period t*. If or , aborts. Otherwise, to solve the instance of the CDH problem, computes TID* = H(ID*, t*) and outputs gab as follows:

Now, we analyse the probability that does not abort in the above simulation. If completes the simulation without aborting, then the following events must have occurred:

  • In the Extract-query, SKGen-query and ReKey-query phases, the condition must be satisfied for any queried identity ID.
  • In the Sign-query phase, or must be satisfied for any queried identity ID and message M.
  • In the forgery phase, and must be satisfied for the challenged identity ID* and message M*.

Similar to the probability analysis described in [20, 33], we define the following events:

  • for i = 1, …, qsk + qdk + qrk + qs.
  • .
  • for i = 1, …, qs.
  • .

Hence, the probability that will not abort in the above simulation is Because lu(nu + 1) < p, we can find that and Since lm(nm + 1) < p, we have that As lu = 2(qsk + qdk + qrk + qs) and lm = 2qs, we can obtain the resulting probability Therefore, can successfully solve the CDH problem in G1 with a probability of .

Lemma 2. If a polynomial-time internal adversary breaks our RIDPRS scheme with a non-negligible probability, then there exists an algorithm that can solve the CDH problem with non-negligible probability.

Proof. Assume that an adversary breaks the existential unforgeability of our RIDPRS scheme with the probability ε after making at most qsk secret key queries, qvk update key queries, qdk signing key queries, qrk re-signing key queries and qs signing queries. We can construct an algorithm that solves the CDH problem in G1 with a probability ε2 using the adversary’s forgery . is given a random instance of the CDH problem. To calculate gab, interacts with as follows.

Setup: randomly chooses two integers kv(0 ≤ kvnv) and km(0 ≤ kmnm), and sets g2 = gb, lv = 2(qvk + qdk + qrk + qs) and lm = 2qs such that lv(nv + 1) < p and lm(nm + 1) < p. Then, generate public parameters pp according to the following steps:

  1. Randomly choose x0, x1, …, xnvZlv and y0, y1, …, ynvZp; then, compute and a vector , where for 1 ≤ jnv.
  2. Randomly choose z0, z1, …, znuZp; then, compute and a vector , where for 1 ≤ inu.
  3. Set parameter w0 and vector in the same way as is done in Lemma 1.
  4. Select a collision-resistant hash function .
  5. Choose a random integer and compute , which implies that the master secret key is , but a is unknown to .
  6. Send the public parameters (G1, G2, e, p, g, g1, g2, H, u0, v0, to .

For an identity , a string and a message , we define five functions:

, , , , .

Thus, we also have

Queries: answers ’s queries as follows.

  • Extract-query: Upon receiving a secret key query for identity ID, randomly chooses rIDZp and computes Then, sends a secret key skID to .
  • KeyUp-query: Upon receiving an update key query on an identity ID and a time period t, first computes TID = H(ID, t). If , aborts. Otherwise, randomly chooses sIDZp and outputs an update key vkID,t = (vkID,t,1, vkID,t,2) in response, where
  • SKGen-query: answers a signing key query in the same way as it does the SKGen-query in Lemma 1.
  • ReKey-query: answers a re-signing key query in the same way as it does the ReKey-query in Lemma 1.
  • Sign-query: Upon receiving a signature query on a message M with respect to an identity ID and a time period t, computes TID = H(ID, t) and considers the following two cases:
    1. – Case 1: If , generates a signature on M in the same manner as in Case 1 in Lemma 1.
    2. – Case 2: If , further considers the following two subcases:
      1. * Case 2.1: If , aborts.
      2. * Case 2.2: If , creates a signature on M in the same manner as in Case 2.2 in Lemma 1, except that

Forgery: The adversary finally outputs a signature on a message M* with respect to an identity ID* and a time period t*. first computes TID* = H(ID*, t*). If or , aborts. Otherwise, computes gab as follows:

Similar to the probabilistic analysis for Lemma 1, the probability that algorithm successfully solves the CDH problem in G1 is at least .

Combining Lemma 1 and Lemma 2, we obtain the following theorem.

Theorem 1. Our RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks in the standard model under the CDH assumption.

Server-aided revocable identity-based proxy re-signature scheme

Description.

Based on our RIDPRS scheme, we construct a bidirectional SA-RIDPRS scheme in which the verifier can verify the legality of a signature at relatively low computational cost with the help of a server. Our SA-RIDPRS scheme is described as follows:

  • The Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign and Verify algorithms are the same as those in our RIDPRS scheme described in Section 4.1.1.
  • SA-Setup: Given the public parameters pp, the verifier chooses a random integer , computes K0 = e(g2, g1)x and sets a string .
  • SA-Verify: Given a signature σ = (σ1, σ2, σ3, σ4) on a message M with respect to an identity ID and a time period t, the verifier interacts with a server through the following protocol:
    1. The verifier computes and sends the tuple to the server.
    2. The server computes TID = H(ID, t), , and . Then, the server sends (K2, K3, K4) to the verifier.
    3. The verifier first computes and checks whether the equation K1 = K0K2K3K4 holds. If the equation holds, the verifier accepts that σ is valid and outputs 1; otherwise, the verifier outputs 0.

Correctness.

For any signature σ = (σ1, σ2, σ3, σ4) , and a string , we have

Thus, the above equation shows that our SA-RIDPRS scheme satisfies the correctness.

Security analysis.

In Section 4.1.3, we demonstrated that our RIDPRS scheme is existentially unforgeable in the standard model. According to Definition 4, our SA-RIDPRS scheme is secure if we prove that the algorithm SA-Verify has the soundness property.

Lemma 3. The algorithm SA-Verify in our SA-RIDPRS scheme has soundness against adaptive chosen message and collusion attacks.

Proof. Assume that the adversary is acting as a server with powerful computational capabilities, and the challenger is acting as a verifier. Because is allowed to collude with the signer or the proxy, has access to the signing or re-signing key to generate a valid signature for any message. First, sends an invalid message-signature pair (M*, σ*) to . Then, ’s task is to convince that σ* is a valid signature on a message M* with respect to an identity ID* and a time period t*.

Setup: first runs the algorithm Setup to generate public parameters pp, and runs the Extract, KeyUp and SKGen algorithms to generate a signing key with respect to the tuple (ID*, t*). Then, randomly chooses , computes and secretly stores the string . Finally, sends to the adversary .

Queries: can adaptively make at most qsv sever-aided verification queries to . For each query on the tuple (IDi, ti, Mi, σi), runs the algorithm SA-Verify with and returns the resulting output to .

Forgery: The adversary eventually sends a message-signature pair (M*, σ* = to , where σ* is not a valid signature on message M* with respect to identity ID* and time period t*, which means that Verify(pp, ID*, t*, M*, σ*) = 0. Subsequently, interacts with as follows.

  1. uses the secret string to compute Then, sends to .
  2. computes TID* = H(ID*, t*), , , and , and returns to .
  3. computes and verifies whether holds. If this equation holds, then SA-Verify(pp, V String, ID*, t*, M*, σ*) = 1.

In the following, we analyse the probability that the invalid message-signature pair satisfies the condition . Since (σ*)′ = (σ*)x* and x* is randomly chosen by from , the probability that can derive x* from (σ*)′ is . As , the probability of finding an integer x* that satisfies the condition is also . Moreover, because p is a large prime, can convince that σ* is a valid signature for message M* on (ID*, t*) with a negligible probability (). Therefore, the algorithm SA-Verify in our SA-RIDPRS scheme satisfies the soundness requirement.

By combining Theorem 1, Lemma 3 and Definition 4, the following theorem can be deduced.

Theorem 2. In the standard model, our SA-RIDPRS scheme is secure against adaptive chosen message and collusion attacks.

Performance analysis

In this section, we discuss the performance of our schemes and other IDPRS schemes in the standard model in terms of their computational cost and security properties. Because multiplication and hash function operations have relatively low computational costs, we consider only bilinear pairing and exponentiation operations, which have relatively high computational costs. In Table 1, “Size” denotes the size of a signature; “Sign”, “Verify” and “ReSign” denote the computational cost of the Sign, Verify and ReSign algorithms, respectively; and “Revocation” denotes whether the scheme includes a user revocation function. E represents the time to execute an exponentiation operation; P represents the time to execute a bilinear pairing operation; |p| represents the length of an element in Zp; and |G1| represents the length of an element in group G1.

As shown in Table 1, in our SA-RIDPRS scheme, the verifier must perform one pairing operation and 4 exponentiations to verify the validity of a signature. In contrast, the verifier must compute 4 pairings in our RIDPRS scheme. Based on the results reported in [34], the computational overhead of a bilinear pair is, at minimum, more than five exponentiations in G1. Obviously, our SA-RIDPRS scheme is considerably less computationally intensive than is our RIDPRS scheme; therefore, it substantially reduces the verifier’s computational overhead, making it suitable for limited-resource devices.

In terms of signature size, the signature in our SA-RIDPRS scheme contains 4 elements in G1. The signatures in Shao et al.’s scheme [20] and Feng et al.’s scheme [21] contain 3 elements in G1, while the signature in Hu et al.’s scheme [22] contains 4 elements in G1 and one element in Zp. However, our two schemes are the only ones that provide user revocation functionality and can withstand signing key exposure attacks.

In the signing phase, our SA-RIDPRS scheme and Shao et al.’s scheme [20] require 2 exponentiations to generate a signature on a message, whereas the schemes of Feng et al. [21] and Hu et al. [22] require 3 and 6 exponentiations respectively.

In the re-signing phase, our SA-RIDPRS scheme performs one pairing operation and 6 exponentiations to create a valid re-signature, while the scheme of Shao et al. [20] requires 3 pairing operations and 2 exponentiations, and that of Feng et al. [21] must perform 4 pairing operations and 5 exponentiations. Hu et al.’s scheme [22] requires 3 pairing operations and 6 exponentiations.

During signature verification, the computational cost in our SA-RIDPRS scheme involves one pairing operation and 4 exponentiations. The schemes of Shao et al. [20] requires 3 pairings, and that of Feng et al. [21] requires 5 pairings and 3 exponentiations. Hu et al.’s scheme [22] requires 3 pairings and 4 exponentiations. In summary, our SA-RIDPRS scheme has considerably less computational overhead than do the other schemes.

We evaluate the performance of our SA-RIDPRS scheme and the three other IDPRS schemes [2022]. The experiments are implemented in a hardware environment consisting of an Intel Core i7-6500 CPU 2.5 GHz with 8 GB of RAM. The corresponding simulation algorithms are implemented in the C language using the PBC-0.47-VC library and executed on a Windows 10 operating system. We chose the standard parameter a.param in the PBC library and set the group order p = 160 bits. The performance comparison results for all the schemes are shown in Figs 1, 2, 3 and 4.

In Fig 1, we can see that the length of the signature and re-signature in Shao et al.’s scheme [20] are both 532 bits. The length of the signature in Feng et al.’s scheme [21] is 384 bits, but the length of the re-signature is 512 bits. The length of the signature and re-signature in Hu et al.’s scheme [22] are both 532 bits. The length of the signature and re-signature in our SA-RIDPRS scheme are both 512 bits. However, Feng et al.’s scheme [21] is not multi-use because the lengths of signatures and re-signatures are different. While our SA-RIDPRS scheme includes one more element in G1 than the scheme of Shao et al. [20] does, it also effectively solves the user revocation problem. Therefore, compared with the other three schemes, our SA-RIDPRS scheme has comparable efficiency in terms of signature size. This is consistent with the above theoretical analysis.

According to Table 1, the cost of generating a signature in our SA-RIDPRS scheme is equivalent to that of Shao et al.’s scheme [20]. The experimental results shown in Fig 2 indicate that our SA-RIDPRS scheme has lower computational overhead for signature generation than do the other two schemes [21, 22]. Fig 3 demonstrates that our SA-RIDPRS scheme improves on the other three schemes [2022] in terms of the computational overhead for re-signature generation. From Fig 4, we can observe that the computational cost of the verifier is not related to the size of the message in our SA-RIDPRS scheme. Because the verifier in our SA-RIDPRS scheme offloads most of the time-consuming bilinear pairing computations to the server via the server-aided verification algorithm, it can perform signature verification at a relatively low computational cost. Thus, our SA-RIDPRS scheme greatly reduces the cost of the verifier. Moreover, our SA-RIDPRS scheme is more efficient than are the other schemes [2022] in terms of the verifier’s computational overhead. Clearly, the results of these experiments are consistent with the results of the theoretical analysis in Table 1.

Conclusions

In this paper, we present two IDPRS schemes that include a user revocation mechanism. In our schemes, the PKG constructs an identity-dependent long-term key for all users and periodically generates update keys related to their identities and time periods for non-revoked users. Only non-revoked users can re-randomize the secret key and the update key to generate a corresponding signing key; therefore, our schemes are resistant to signing key exposure attacks. In the standard model, we prove that our schemes are secure under the CDH assumption. In particular, our SA-RIDPRS scheme substantially reduces the verifier’s computational burden. However, the security of our schemes relies on the hardness assumption of the CDH problem, which can be easily solved by quantum algorithms. In the future, we plan to construct a post-quantum secure RIDPRS scheme.

Acknowledgments

The authors would like to thank anonymous reviewers for their constructive suggestions.

References

  1. 1. Kumari S, Chaudhry SA, Wu F, Li X, Farash MS, Khan M.K (2017) An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Networking and Applications 10(1): 92–105.
  2. 2. Li X, Niu J, Liao J, Liang W (2015) Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. International Journal of Communication Systems 28(2): 374–382.
  3. 3. Kumari S, Khan MK (2014) More secure smart card-based remote user password authentication scheme with user anonymity. Security and Communication Networks 7(11): 2039–2053.
  4. 4. Li F, Khan MK (2012) A biometric identity-based signcryption scheme. Future Generation Computer Systems 28(1): 306–310.
  5. 5. Wang X, Guo W, Zhang W, Khan MK, Alghathbar K (2013) Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network. Telecommunication Systems 52(2): 515–524.
  6. 6. Li X, Niu J, Kumari S, Wu F, Choo KKR (2017) A robust biometrics based three-factor authentication scheme for global mobility networks in smart city. Future Generation Computer Systems. Available from: https://doi.org/10.1016/j.future.2017.04.012.
  7. 7. Li X, Ibrahim MH, Kumari S, Sangaiah AK, Gupta V, Choo KKR (2017) Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. Computer Networks 129: 429–443.
  8. 8. Li X, Niu J, Kumari S, Wu F, Sangaiah AK, Choo KKR (2018) A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments. Journal of Network and Computer Applications 103: 194–204.
  9. 9. Farash MS, Chaudhry SA, Heydari M, Sadough S, Mohammad S, Kumari S, Khan MK (2017) A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security. International Journal of Communication Systems.
  10. 10. Kutubi MAAR, Alam KMR, Tahsin R, Ali GMN, Chong PHJ, Morimoto Y (2017) An off-line electronic payment system based on an untraceable blind signature scheme. KSII Transactions on Internet and Information Systems 11(5): 2628–2645.
  11. 11. Kumar M, Katti CP, Saxena PC (2017) A secure anonymous e-voting system using identity-based blind signature scheme. In: Proc. International Conference on Information Systems Security. pp. 29–49.
  12. 12. Zhang L, Li C, Li Y, Luo Q, Zhu R (2017) Group signature based privacy protection algorithm for mobile ad hoc network. In: Proc. IEEE Information and Automation. pp. 947–952.
  13. 13. Annamalai R, Srikanth J, Prakash M (2015) Integrity and privacy sustenance of shared large scale images in the cloud by ring signature. International Journal of Computer Applications 114(12): 13–18.
  14. 14. Sun SF, Au MH, Liu JK, Yuen TH (2017) RingCT 2.0: a compact accumulator-based (linkable ring signature) protocol for blockchain cryptocurrency monero. In: Proc. European Symposium on Research in Computer Security. pp. 456–474.
  15. 15. Blaze M, Bleumer G, Strauss M (1998) Divertible protocols and atomic proxy cryptography. In: Proc. Advances in Cryptology-Eurocrypt’98. pp. 127–144.
  16. 16. Ateniese G, Hohenberger S (2005) Proxy re-signatures: new definitions, algorithms, and applications. In: Proc. the 12th ACM conference on Computer and Communications Security. pp. 310–319.
  17. 17. Hong X, Gao J, Pan J, Zhang B (2017) Universally composable secure proxy re-signature scheme with effective calculation. Cluster Computing 78(20): 1–10.
  18. 18. Hu X, Liu Y, Xu H, Wang J, Zhang X (2015) Analysis and improvement of certificateless signature and proxy re-signature schemes. In: Proc. Advanced Information Technology, Electronic and Automation Control Conference. pp. 166–170.
  19. 19. Yang X, Gao G, Li Y, Li Y, Wang C (2015) On-line/off-line threshold proxy re-signature scheme through the simulation approach. Applied Mathematics and Information Sciences 9(6): 3251–3261.
  20. 20. Shao J, Cao Z, Wang L, Liang X (2007) Proxy re-signature schemes without random oracles. In: Proc. International Conference on Cryptology in India. pp. 197–209.
  21. 21. Feng J, Lan C, Jia B (2014) ID-based proxy re-signature scheme with strong unforgeability. Journal of Computer Applications 34(11): 3291–3294.
  22. 22. Hu X, Zhang Z, Yang Y (2009) Identity based proxy re-signature schemes without random oracle. In: Proc. International Conference on Computational Intelligence and Security, pp. 256–259.
  23. 23. Tian M (2015) Identity-based proxy re-signatures from lattices. Information Processing Letters 115(4): 462–467.
  24. 24. Wang Z, Lv W (2013) Server-aided verification proxy re-signature. In: Proc. 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. pp. 1704–1707.
  25. 25. Canetti R, Goldreich O, Halevi S (2014) The random oracle methodology, revisited. Journal of the ACM (JACM) 51(4): 557–594.
  26. 26. Jia X, He D, Zeadally S, Li L (2017) Efficient revocable ID-based signature with cloud revocation server. IEEE Access 5: 2945–2954.
  27. 27. Lee K, Lee DH, Park JH (2017) Efficient revocable identity-based encryption via subset difference methods. Designs, Codes and Cryptography 85(1): 39–76.
  28. 28. Ishida Y, Shikata J, Watanabe Y (2017) CCA-secure revocable identity-based encryption schemes with decryption key exposure resistance. International Journal of Applied Cryptography 3: 288–311. https://doi.org/10.1504/IJACT.2017.086229
  29. 29. Shen L, Zhang F, Sun Y, Ma J (2017) An efficient revocable ID-based encryption scheme in the standard model. International Journal of Embedded Systems 9(2): 168–176.
  30. 30. Tsai TT, Tseng YM, Wu TY (2013) Provably secure revocable ID-based signature in the standard model. Security and Communication Networks 6(10): 1250–1260.
  31. 31. Lian Y, Xu L, Huang X (2013) Attribute-based signatures with efficient revocation In: Proc. Intelligent Networking and Collaborative Systems. pp. 573–577.
  32. 32. Wei J, Huang X, Hu X, Liu W (2015) Revocable threshold attribute-based signature against signing key kxposure. In: Proc. Information Security Practice and Experience. pp. 316–330.
  33. 33. Waters B (2005) Efficient identity-based encryption without random oracles. In: Proc. Eurocrypt 2005. pp. 114–127.
  34. 34. Fan CI, Sun WZ, Huang VSM (2010) Provably secure randomized blind signature scheme based on bilinear pairing. Computers and Mathematics with Applications 60(2): 285–293.