A post-quantum proxy signature scheme based on rainbow digital signature


Shaohua Tang, Lingling Xu

ICM 2012, March, Al Ain

Abstract

Quantum computers have recently emerged as a threat to the traditional public key cryptosystems based on the difficult problems of integer factoring, discrete logarithm, and elliptic curve, such as RSA, DSA, ElGamal, and ECC. The proxy signature schemes based on these cryptosystems are threatened at the same time. So it is important to propose efficient and secure proxy signature schemes that can still be used in the quantum computer era. In this paper, we propose a proxy signature scheme based on the Rainbow digital signature, which is a potential post-quantum cryptographic algorithm. The most important feature of our scheme is that it is hopefully resistant to potential attacks by quantum computers, and some properties of the proxy signature, such as unforgeability, distinguishability, and undeniability, are also satisfied by our scheme. Through security discussion, our scheme can reach the same security level as the underlying Rainbow signature.

Keywords: Post-Quantum Cryptography; Multivariate Public Key Cryptography; Proxy Signature; Digital Signature; Rainbow Signature

1 Introduction

In 1996, Mambo, Usuda and Okamoto introduced the first efficient proxy signature [11, 12]. The proxy signature allows a designated person, called a proxy signer, to sign on behalf of an original signer. Proxy signatures can be classified into categories on the basis of delegation, namely, full delegation, partial delegation, and partial delegation by warrant.

In full delegation, an original signer directly shares its secret key with a proxy signer, and the proxy signer can then sign documents on behalf of the original signer using the original signer's private key. The main drawback of this class of delegation is the absence of distinguishability between the original signer and the proxy signer.

In partial delegation, an original signer derives a proxy key from its secret key and hands it over to a proxy signer. In this case, the proxy signer can misuse the original signer's delegated signing right if there is no mechanism to restrict the proxy signer's proxy privilege in this class of delegation.

Supported by the National Natural Science Foundation of China under Grant No. U and , and Guangdong Province Universities and Colleges Pearl River Scholar Funded Scheme (2011), and Guangzhou Metropolitan Science and Technology Planning Project under grant No. 2011J , and the Fundamental Research Funds for the Central Universities under Grant No. 2009ZZ0035 and 2011ZG0015, and Guangdong Provincial Natural Science Foundation of under grant No

In partial delegation with warrant, an explicit warrant is added to the delegated right, so the weaknesses of full delegation and partial delegation are overcome. A warrant consists of the signers' identities, the delegation period and the qualification of the messages which the proxy signer can sign.

1.1 Related Work

A considerable number of proxy signature schemes have been constructed for each of these delegation types, as shown in [2]. In recent years, some directions have appeared on the provable security of proxy signatures [2], proxy blind signatures [18], and anonymous proxy signatures [8], etc.

Almost all the proxy signature schemes so far are based on the difficulty of integer factoring, discrete logarithm, and/or elliptic curve. However, an algorithm that can factor an integer and solve the problems of discrete logarithms on a quantum computer in polynomial time was discovered by Peter Shor [17]. With the rapid development of quantum computing techniques, quantum computers have recently emerged as a threat to cryptosystems like RSA, DSA, and ECC, and so to the proxy signature schemes based on these cryptosystems.

There are many important classes of cryptographic systems beyond RSA, DSA, and ECC, which are called Post Quantum Cryptography [1] and include Hash-based cryptography [6], Code-based cryptography [13], Lattice-based cryptography [10], and Multivariate Public Key Cryptography (MPKC) [5].

The security of MPKC is based on the knowledge that solving a set of multivariate polynomial equations over a finite field is, in general, proven to be an NP-hard problem [9], and it is well known that quantum computers do not appear to have an advantage when dealing with such NP-hard problems. Therefore, our proposed proxy signature scheme based on the Rainbow signature, which falls into the category of MPKC, is valuable not only nowadays but also in the era of quantum computers.

1.2 Our Contribution

After the introduction of multivariate public key cryptography and the Rainbow digital signature scheme, we propose a proxy signature scheme based on the Rainbow signature, which includes the stages of initialization, delegation and proxy key generation, generation of proxy signature, and verification of proxy signature. Then we analyze the security of the proposed scheme and show that our proxy signature scheme shares the same security level with the underlying Rainbow signature scheme.

We also show that our proposed scheme meets the following three basic conditions: the verifier can verify the proxy signature just like checking the validity of an ordinary signature; the proxy signature is different from the ordinary signature; and both the proxy signer and the original signer cannot deny the signatures they created. Some important properties of proxy signature schemes, such as strong unforgeability, strong undeniability, secret-key's dependence, distinguishability, etc., are also satisfied by our scheme.

1.3 Organization

The rest of the paper is organized as follows. In Section 2, we introduce the multivariate public key cryptosystems and the Rainbow signature scheme. Then our proposed proxy signature scheme based on the Rainbow signature is described in Section 3. We analyze the security of our scheme in Section 4. Finally, the conclusion is summarized in Section 5.

Acknowledgements

The authors thank Ms. Li Yang, a former student of the first author, for doing the implementation to verify the applicability of our scheme; discussions with her also helped improve some details of this paper.

2 Preliminaries

2.1 Multivariate Public Key Cryptosystems

The building blocks of a multivariate public key cryptosystem (MPKC) are multivariate polynomials over a finite field. Usually these polynomials are of total degree two, i.e., quadratic polynomials.

Let $k$ be a finite field. In a general multivariate public key cryptosystem, the cipher is given as a map $\bar{F}$ from $k^n$ to $k^m$:

$$\bar{F}(x_1, x_2, \ldots, x_n) = (\bar{f}_1, \bar{f}_2, \ldots, \bar{f}_m),$$

where each $\bar{f}_i$ is a polynomial in $k[x_1, x_2, \ldots, x_n]$.

A typical construction of this type of system begins with first building a map $F$ from $k^n$ to $k^m$ such that:

1) $F(x_1, x_2, \ldots, x_n) = (f_1, f_2, \ldots, f_m)$, where $f_i \in k[x_1, x_2, \ldots, x_n]$;

2) Any equation $F(x_1, x_2, \ldots, x_n) = (y_1, y_2, \ldots, y_m)$ can be easily solved. Equivalently, we can efficiently find a pre-image of $(y_1, y_2, \ldots, y_m)$, which will be unique for the case of encryption, and is denoted by $F^{-1}(y_1, y_2, \ldots, y_m)$.

Once such a map is found, the cipher $\bar{F}$ is constructed as a composition of three maps:

$$\bar{F} = L_1 \circ F \circ L_2,$$

where $L_1 : k^m \to k^m$ and $L_2 : k^n \to k^n$ are two randomly chosen invertible affines. In this case, the public key consists of the $m$ polynomial components of $\bar{F}$ and the field structure of $k$, while the private key consists of $L_1$ and $L_2$. The map $F$ may or may not be part of the private key depending on its precise nature. Figure 1 illustrates the composition of maps in MPKC.

To encrypt the message $X = (x_1, \ldots, x_n)$, we calculate $\bar{F}(X)$. To decrypt a ciphertext $Y = (y_1, \ldots, y_m)$, we solve the system of equations defined by

$$\bar{F}(x_1, \ldots, x_n) = Y. \qquad (1)$$

This is accomplished by first finding $Y_1 = L_1^{-1}(Y)$, then $Y_2 = F^{-1}(Y_1)$, followed by $L_2^{-1}(Y_2)$.

Suppose $Y$ equals the hash value of a message $M$, i.e., $Y = H(M)$, where $H$ is a cryptographic hash function. To sign the message $M$, one has to find any solution to (1), which we denote by $X = (x_1, \ldots, x_n)$. Anyone can verify that it is indeed a legitimate signature by checking whether or not $\bar{F}(x_1, \ldots, x_n) = Y$.

[Figure 1: Composition of maps in MPKC]

2.2 Rainbow Digital Signature Scheme

The Rainbow scheme belongs to the class of Oil-Vinegar signature constructions. The scheme consists of a quadratic system of equations involving Oil and Vinegar variables that are solved iteratively. The Oil-Vinegar polynomial can be represented by the form

$$\sum_{i \in O_l,\, j \in S_l} \alpha_{ij} x_i x_j + \sum_{i,j \in S_l} \beta_{ij} x_i x_j + \sum_{i \in S_{l+1}} \gamma_i x_i + \eta, \qquad (2)$$

where $O_l$ is the set of Oil variables in the $l$-th layer, and $S_l$ is the set of Vinegar variables in the $l$-th layer.

The Rainbow scheme consists of four components: private key, public key, signature generation and signature verification.

Private Key

The private key consists of two affine transformations $L_1^{-1}$, $L_2^{-1}$ and the center mapping $F$, and is held by the signer. $L_1 : k^{n-v_1} \to k^{n-v_1}$ and $L_2 : k^n \to k^n$ are two randomly chosen invertible affine linear transformations. $F$ is a map consisting of $n - v_1$ Oil-Vinegar polynomials. $F$ has $u - 1$ layers of Oil-Vinegar construction. The first layer consists of $o_1$ polynomials where $\{x_i \mid i \in O_1\}$ are the Oil variables, and $\{x_j \mid j \in S_1\}$ are the Vinegar variables. The $l$-th layer consists of $o_l$ polynomials where $\{x_i \mid i \in O_l\}$ are the Oil variables, and $\{x_j \mid j \in S_l\}$ are the Vinegar variables.

Public Key

The public key consists of the field $k$ and the $n - v_1$ polynomial components of $\bar{F}$, where $\bar{F} = L_1 \circ F \circ L_2$.

Signature Generation

Suppose $M$ is the message to sign, $H$ is a cryptographic hash function, and $Y = H(M)$, which can be expressed by $Y = (y_1, \ldots, y_{n-v_1}) \in k^{n-v_1}$. The signature is derived by computing $L_2^{-1} \circ F^{-1} \circ L_1^{-1}(Y)$. Therefore, first we should compute $Y' = L_1^{-1}(Y)$, which is a computation of an affine transformation.

Next, to solve the equation $Y' = F$, at each layer, the $v_i$ Vinegar variables in the Oil-Vinegar polynomials are randomly chosen and the variables of the upper layer are chosen as part of the Vinegar variables. After that, the Vinegar variables are substituted into the multivariate polynomials to derive a set of linear equations with only the Oil variables of that layer. If these equations have a solution, we move to the next layer. Otherwise, a new set of Vinegar variables should be chosen. This procedure is repeated for each successive layer until the last layer. In this step, we obtain a vector $X = (x_1, \ldots, x_n)$.

Finally, we compute $X' = L_2^{-1}(X) = (x'_1, \ldots, x'_n)$. Then $X'$ is the signature for the message $Y$.

Signature Verification

To verify the authenticity of a signature $X'$, $\bar{F}(X') = Y''$ is computed. If $Y'' = Y$ holds, the signature is accepted, otherwise it is rejected.

Parameters for Practical Applications

We adopt the parameters of the Rainbow signature suggested in [4] for practical applications to design our proxy signature scheme. The parameters are shown in Table 1, which is a two-layer scheme with 17 randomly chosen Vinegar variables and 12 Oil variables in the first layer, and 1 randomly chosen Vinegar variable and 12 Oil variables in the second layer.

Table 1: Parameters of Rainbow for Practical Applications

| Parameter | Value |
|---|---|
| Ground field | $GF(2^8)$ |
| Size of message hash | 24 bytes |
| Size of signature | 42 bytes |
| Number of layers | 2 |
| Set of variables in each layer | (17, 12), (1, 12) |

Security of Rainbow

According to the analysis in [4], the security level of the Rainbow signature adopting the parameters in Table 1 can be greater than $2^{80}$, which meets the security requirement of practical application.

3 Proposed Proxy Signature Scheme

We propose a proxy signature scheme based on the Rainbow digital signature, which falls into the category of partial delegation. In the proposed scheme, the proxy private keys are derived from the private key of the proxy signer and the private key of the original signer, so the proxy signature is different from the original one. Furthermore, the proxy signer's signing capability can be restricted accordingly.

The proposed scheme is divided into the stages of initialization, delegation and proxy key generation, generation of proxy signature, and verification of proxy signature.

3.1 Initialization

Suppose that $H$ is a cryptographic hash function, $n$ and $m$ are two positive integers, $k$ is a finite field and all the arithmetic operations hereafter are over this field.

The underlying signature algorithm we use is of the form

$$\bar{F}(x_1, \ldots, x_n) = S \circ F \circ T = (\bar{f}_1, \ldots, \bar{f}_m), \qquad (3)$$

where $T$ and $S$ are two randomly chosen invertible affine transformations, each $\bar{f}_i \in k[x_1, \ldots, x_n]$, and thus $\bar{F}$ is a map from $k^n$ to $k^m$. The private key consists of the affine pair $(S, T)$ and the central map $F$, while the public key consists of the finite field $k$ and the components of $\bar{F}$, i.e. $\bar{f}_1, \ldots, \bar{f}_m$.

When we choose the Rainbow digital signature as the underlying signature algorithm for the proposed scheme, the central map $F$ consists of multiple layers of Oil-Vinegar polynomials of the form in (2), and the parameters we adopt are described in Table 1.

Suppose that Alice and Bob are users in our system, in which Alice is the original signer, and Bob is the proxy signer. We assume that the center map $F$ is shared among Alice and all the proxy signers in our scheme. Alice's private key consists of $S_A$ and $T_A$, and the corresponding public key is

$$\bar{F}_A = S_A \circ F \circ T_A, \qquad (4)$$

where $S_A$ and $T_A$ are two randomly chosen invertible affines. Similarly, Bob's private key consists of two randomly chosen invertible affines $S_B$ and $T_B$, and the corresponding public key is $\bar{F}_B = S_B \circ F \circ T_B$.

3.2 Delegation and Proxy Key Generation

At this stage, a delegation token, which is called the proxy and represents the proxy signing power authorized to Bob by Alice, is computed by Alice and delivered to Bob. Then Bob can generate the proxy signing key by invoking its own private key and the proxy. The detailed steps are as follows.

Step 1. [Proxy generation] Alice randomly chooses two affines $S_C$ and $T_C$, then computes $S_\sigma = S_A + S_C$, $T_\sigma = T_A + T_C$, and $P_A = S_\sigma \circ F \circ T_\sigma + \bar{F}_A$. Then Alice generates a signature on $P_A$ using the Rainbow signature algorithm as follows: $V_A = T_A^{-1} \circ F^{-1} \circ S_A^{-1}(H(P_A))$.

Step 2. [Proxy delivery] Alice sends the proxy $(S_\sigma, T_\sigma, P_A, V_A)$ to Bob. Alice also publishes $(P_A, V_A, ID_B)$ to the public bulletin board, where $ID_B$ is Bob's universal unique identifier.

Step 3. [Proxy verification] After receiving the proxy $(S_\sigma, T_\sigma, P_A, V_A)$, Bob verifies the validity of the proxy by checking whether or not the following equations hold true:

1) $P_A = S_\sigma \circ F \circ T_\sigma + \bar{F}_A$;

2) $H(P_A) = \bar{F}_A(V_A)$.

If both of the above equations hold true, then proceed to the next step; otherwise, go to Step 1 or terminate the protocol.

Step 4. [Generation of the proxy signing key] Bob computes $S'_\sigma = S_\sigma + S_B$ and $T'_\sigma = T_\sigma + T_B$, and checks whether or not $S'_\sigma$ and $T'_\sigma$ are invertible. If both $S'_\sigma$ and $T'_\sigma$ are invertible, then $(S'_\sigma, T'_\sigma)$ is Bob's signing key for the proxy signature; otherwise, repeat Steps 1 to 4 until $S'_\sigma$ and $T'_\sigma$ are invertible.

3.3 Generation of Proxy Signature

Suppose $M$ is the message to sign. The proxy signature on the message $M$ by Bob is calculated via the following steps.

Step 1. Bob applies the proxy signing key $(S'_\sigma, T'_\sigma)$ and the central map $F$ to the Rainbow signature algorithm described in Section 2.2 to generate the signature s on $M$:

$$w = {T'_\sigma}^{-1} \circ F^{-1} \circ {S'_\sigma}^{-1}(H(M)). \qquad (5)$$

Step 2. Bob computes

$$P_B = S'_\sigma \circ F \circ T'_\sigma - (\bar{F}_A + \bar{F}_B + P_A), \qquad (6)$$

and

$$r = P_B(w). \qquad (7)$$

Then the proxy signature on message $M$ by Bob is the two-tuple $(w, r)$.

3.4 Verification of Proxy Signature

Any verifier can verify the validity of the proxy signature by executing the following steps.

Step 1. By querying the public bulletin board according to $ID_B$, the verifier can get $(P_A, V_A)$ and Bob's public key $\bar{F}_B$. Alice's public key $\bar{F}_A$ can also be queried from the bulletin board.

Step 2. The verifier checks the validity of $(P_A, V_A)$ by verifying whether or not the equation $H(P_A) = \bar{F}_A(V_A)$ holds true. If true, proceed to the next step; otherwise, terminate the protocol.

Step 3. The verifier checks the validity of $(w, r)$ by verifying whether or not the following equation holds true:

$$H(M) = (\bar{F}_A + \bar{F}_B + P_A)(w) + r. \qquad (8)$$

If true, the two-tuple $(w, r)$ is a valid proxy signature by Bob; otherwise, it is invalid.

Why can we judge whether the received $(w, r)$ is valid or not by verifying (8)? The reason is given by the following theorem.

Theorem 1. The received two-tuple $(w, r)$ is a valid proxy signature by Bob on message $M$, if and only if (8) holds true.

Proof. On the one hand, we can derive (8) from (5); that is, if $(w, r)$ is a valid proxy signature on $M$ by Bob, we can derive from (5) that

$$H(M) = (S'_\sigma \circ F \circ T'_\sigma)(w). \qquad (9)$$

The above equation can be converted to its identical form:

$$H(M) = \big((\bar{F}_A + \bar{F}_B + P_A) + (S'_\sigma \circ F \circ T'_\sigma) - (\bar{F}_A + \bar{F}_B + P_A)\big)(w). \qquad (10)$$

By integrating (6) and (7), the above equation is identical to

$$H(M) = (\bar{F}_A + \bar{F}_B + P_A)(w) + P_B(w) = (\bar{F}_A + \bar{F}_B + P_A)(w) + r. \qquad (11)$$

Then (11) is the same as (8). Therefore, if $(w, r)$ is a valid proxy signature, Eq. (8) holds true.

On the other hand, we can also derive (5) from (8), which means that if (8) holds true, the two-tuple $(w, r)$ is a valid proxy signature.
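The layer-by-layer inversion of Section 2.2 and the delegation, proxy-key, signing and verification steps of Sections 3.2 to 3.4, as an added example that is not code from the paper or its authors. It is a toy two-layer instance: the prime field GF(251), the layer sizes, the fixed seed, the sample-point encoding used to hash $P_A$, and every function name are assumptions made for illustration. It exercises only the direction of Theorem 1 derived in (9) to (11), namely that a pair $(w, r)$ produced by (5) to (7) satisfies (8).

```python
import hashlib
import random

P = 251                    # toy prime field (assumption; the paper uses GF(2^8))
LAYERS = [(3, 2), (5, 2)]  # toy (vinegar, oil) counts per layer, so n = 7 and m = 4
N, M = 7, 4
rng = random.Random(2012)  # fixed seed keeps the demo reproducible; not for real keys

def vadd(a, b, s=1): return [(x + s * y) % P for x, y in zip(a, b)]
def rand_vec(k): return [rng.randrange(P) for _ in range(k)]
def plus(f, g): return lambda x: vadd(f(x), g(x))            # pointwise sum of two maps
def rand_affine(n): return [rand_vec(n) for _ in range(n)], rand_vec(n)  # (matrix, offset)
def add(L1, L2): return [vadd(p, q) for p, q in zip(L1[0], L2[0])], vadd(L1[1], L2[1])
def apply(L, x): return [(sum(a * v for a, v in zip(row, x)) + b) % P for row, b in zip(*L)]
def invert(L, y): return solve(L[0], vadd(y, L[1], -1))       # L^-1(y)
def invertible(L): return solve(L[0], L[1]) is not None

def solve(A, y):
    """Solve A x = y over GF(P) by Gauss-Jordan elimination; None if A is singular."""
    n = len(A)
    a = [row[:] + [yi] for row, yi in zip(A, y)]
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c]), None)
        if piv is None:
            return None
        a[c], a[piv] = a[piv], a[c]
        inv = pow(a[c][c], -1, P)
        a[c] = [u * inv % P for u in a[c]]
        a = [row if r == c else [(u - row[c] * w) % P for u, w in zip(row, a[c])]
             for r, row in enumerate(a)]
    return [row[n] for row in a]

# Shared central map F: per layer, o polynomials of form (2) as (alpha, beta, gamma, eta).
CENTRAL = [[([rand_vec(v) for _ in range(o)], [rand_vec(v) for _ in range(v)],
             rand_vec(v + o), rng.randrange(P)) for _ in range(o)] for v, o in LAYERS]

def linearise(poly, xv):
    """Substitute vinegar values xv; return (oil-variable coefficients, constant term)."""
    alpha, beta, gamma, eta = poly
    coef = [(sum(a * x for a, x in zip(row, xv)) + gamma[len(xv) + i]) % P for i, row in enumerate(alpha)]
    quad = sum(beta[j][k] * p * q for j, p in enumerate(xv) for k, q in enumerate(xv))
    return coef, (quad + sum(g * x for g, x in zip(gamma, xv)) + eta) % P

def F(x):
    return [(k + sum(c * xi for c, xi in zip(coef, x[v:v + o]))) % P
            for (v, o), polys in zip(LAYERS, CENTRAL)
            for coef, k in (linearise(p, x[:v]) for p in polys)]

def F_inv(y):
    """Section 2.2: random vinegar, then one linear solve per layer; retry if singular."""
    while True:
        x, pos = rand_vec(LAYERS[0][0]), 0
        for (v, o), polys in zip(LAYERS, CENTRAL):
            rows = [linearise(p, x[:v]) for p in polys]
            oil = solve([c for c, _ in rows], [(y[pos + t] - k) % P for t, (_, k) in enumerate(rows)])
            if oil is None:
                break
            x, pos = x + oil, pos + o
        else:
            return x

# Values on PTS determine a quadratic map, so hashing them stands in for H(P_A).
PTS = [[0] * N] + [[c * (k == i) + (k == j) for k in range(N)]
                   for i in range(N) for j in range(i + 1) for c in (0, 1)]
def H(data): return [b % P for b in hashlib.sha256(data).digest()[:M]]
def H_map(Q): return H(repr([Q(p) for p in PTS]).encode())
def compose(S, T): return lambda x: apply(S, F(apply(T, x)))        # S o F o T
def sign(key, h): return invert(key[1], F_inv(invert(key[0], h)))   # T^-1 o F^-1 o S^-1

def keygen():
    key = rand_affine(M), rand_affine(N)
    return (key, compose(*key)) if invertible(key[0]) and invertible(key[1]) else keygen()

def delegate(skA, pkA):                      # 3.2 Steps 1-2, run by Alice
    S_sig, T_sig = add(skA[0], rand_affine(M)), add(skA[1], rand_affine(N))
    P_A = plus(compose(S_sig, T_sig), pkA)
    return S_sig, T_sig, P_A, sign(skA, H_map(P_A))

def proxy_key(proxy, pkA, skB):              # 3.2 Steps 3-4, run by Bob
    S_sig, T_sig, P_A, V_A = proxy
    if H_map(P_A) != H_map(plus(compose(S_sig, T_sig), pkA)) or pkA(V_A) != H_map(P_A):
        return None                          # proxy rejected
    key = add(S_sig, skB[0]), add(T_sig, skB[1])
    return key if invertible(key[0]) and invertible(key[1]) else None

def proxy_sign(key, pkA, pkB, P_A, msg):
    w = sign(key, H(msg))                                                # eq. (5)
    return w, vadd(compose(*key)(w), plus(plus(pkA, pkB), P_A)(w), -1)  # r = P_B(w), (6)-(7)

def proxy_verify(pkA, pkB, P_A, V_A, msg, w, r):                         # 3.4 Steps 2-3
    return pkA(V_A) == H_map(P_A) and vadd(plus(plus(pkA, pkB), P_A)(w), r) == H(msg)

def demo(msg=b"constructed sample message"):
    (skA, pkA), (skB, pkB), key = keygen(), keygen(), None
    while key is None:                       # repeat Steps 1-4 until the key is invertible
        proxy = delegate(skA, pkA)
        key = proxy_key(proxy, pkA, skB)
    return pkA, pkB, proxy[2], proxy[3], msg, proxy_sign(key, pkA, pkB, proxy[2], msg)
```

Here the public maps are passed around as Python callables; in the scheme itself they are published as the coefficient lists of the quadratic polynomials.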

4 Security Discussion

4.1 Collusion Attack to Derive the Original Signer's Private Key

Usually there are a lot of proxy signers in the system; suppose without loss of generality that both Bob and Peggy are proxy signers. Since the center map $F$ is shared among Alice and all the proxy signers in our scheme, both $F$ and Alice's public key $\bar{F}_A$ in (4) are known to the proxy signers Bob and Peggy. Can Bob and Peggy conspire to derive Alice's private key $S_A$ and $T_A$ via $\bar{F}_A = S_A \circ F \circ T_A$ with knowledge of $F$ and $\bar{F}_A$?

The above potential attack can be reduced to the problem of Isomorphisms of Polynomials (IP) [15]. There has been a lot of research exploring efficient ways to solve the IP problem, for example, [14], [16], [7], and [3], etc. Recently, [3] reports the two best ways to solve the IP problem: if the central map is homogeneous and the polynomials are quadratic, then the complexities of solving are $O(n^{3.5} q^{n/2})$ and $O(n^6 q^{2n/3})$ respectively, where $q$ is the cardinality of the finite field $k$, and $n$ is the number of variables. These complexities imply that no polynomial algorithms to solve the IP problem are currently known. As a result, this potential attack is very hard to launch.

4.2 Security of Our Scheme

We know from (5) that the proxy signature is generated by invoking the ordinary Rainbow signature with the proxy signing key. Therefore, as long as the procedure of proxy delegation is secure, our proxy signature scheme should share the same security level with the underlying Rainbow signature scheme.

According to the analysis in [4], the security level of the Rainbow signature adopting the parameters in Table 1 can be greater than $2^{80}$, which meets the security requirement of practical application. Usually, it is considered to be a computationally secure MPKC scheme if the attacking complexity is greater than Therefore, combining the above security analysis, adopting Rainbow as the underlying signature algorithm with the parameters we choose in Table 1 lets our proposed scheme be a secure proxy signature scheme.

4.3 Properties of the Proxy Signature

We are going to show that the proposed scheme has some security properties of proxy signatures, namely, unforgeability of original signature, unforgeability of proxy signature, strong distinguishability, strong undeniability, identification, proxy key dependence and revocability.

Unforgeability of original signature

On the one hand, the proxy signer can't recover the original signer's private keys in our scheme. On the other hand, the security of the Rainbow signature would be very strong [4] if we choose its parameters appropriately. In other words, no one can forge the original signer's ordinary signature. So the security feature of basic unforgeability is satisfied.

Secret-key's dependence

The private keys of proxy signatures depend on the private keys of the proxy signers and the original signer. So the secret-key's dependence is satisfied.

Unforgeability of proxy signature

According to the properties of basic unforgeability and secret-key's dependence, we can conclude that no one can forge the proxy signature.

Verifiability

From proxy signatures, a verifier can be convinced of the original signer's agreement on the signed message.

Distinguishability

Valid proxy signatures are distinguishable from valid original underlying signatures in polynomial time.

Identifiability

The original signer can determine from a proxy signature $(w, r)$, along with the public information $(P_A, V_A, ID_B)$, the identity of the corresponding proxy signer.

Revocability

The original signer can also broadcast a signed message to announce the invalidation of $(P_A, V_A, ID_B)$. Then the proxy signatures generated by Bob hereafter will become invalid.

Strong distinguishability

This property is analyzed in the following two aspects. On the one hand, an ordinary signature is constructed as $\bar{F}_A^{-1}(H(M))$, but our proxy signature is constructed as the tuple $(w, r)$. So there is a difference between the proxy signature and the ordinary signer's ordinary signature. On the other hand, in our scheme, as the proxy signature contains $r$, the proxy signatures generated by different proxy signers are different.

Strong undeniability

According to the above properties, we can conclude that no one can deny the proxy signature he/she created.

5 Conclusion

We propose a proxy signature scheme based on the Rainbow digital signature, which belongs to multivariate public key cryptography (MPKC). The most important feature of our scheme is that it is hopefully resistant to potential attacks by quantum computers, since MPKC and the Rainbow signature can potentially resist future quantum computing attacks. Through security discussion, our scheme can reach the same security level as the Rainbow signature. Some major properties of the proxy signature, such as unforgeability, distinguishability, secret-key's dependence, and undeniability, are also satisfied by our scheme.

References

[1] Bernstein, D.J., Buchmann, J., Dahmen, E.: Post Quantum Cryptography. Springer, Department of Computer Science, University of Illinois, Chicago (2009)

[2] Boldyreva, A., Palacio, A., Warinschi, B.: Secure Proxy Signature Schemes for Delegation of Signing Rights. Journal of Cryptology. pp (2003)

[3] Bouillaguet, C., Faugère, J., Fouque, P., Perret, L.: Differential Algorithms for the Isomorphism of Polynomials Problem. manuscript (2009), pdf

[4] Ding, J., Yang, B., Chen, C., Chen, M., Cheng, C.: New Differential-Algebraic Attacks and Reparametrization of Rainbow. In: Proceedings of the 6th International Conference on Applied Cryptography and Network Security. pp Springer (2008)

[5] Ding, J., Gower, J.E., Schmidt, D.S.: Multivariate Public Key Cryptosystems. Springer, University of Cincinnati, USA (2006)

[6] Dods, C., Smart, N.P., Stam, M.: Hash Based Digital Signature Schemes. In: IMA Int. Conf. pp (2005)

[7] Faugère, J., Perret, L.: Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects. In: Advances in Cryptology-EUROCRYPT pp Springer (2006)

[8] Fuchsbauer, G., Pointcheval, D.: Anonymous Proxy Signatures. In: Security and Cryptography for Networks. pp Springer (2008)

[9] Garey, M.R., Johnson, D.S.: Computers and Intractability, A Guide to the Theory of NP-Completeness. W.H. Freeman (1979)

[10] Hoffstein, J., Pipher, J., Silverman, J.H.: NSS: An NTRU Lattice-Based Signature Scheme. In: Advances in Cryptology EUROCRYPT pp Springer (2001)

[11] Mambo, M., Usuda, K., Okamoto, E.: Proxy Signatures: Delegation of The Power to Sign Messages. IEICE Transactions on Fundamentals. E79-A(9), (1996)

[12] Mambo, M., Usuda, K., Okamoto, E.: Proxy Signatures for Delegating Signing Operation. In: Proceedings of the 3rd ACM Conference on Computer and Communications Security. pp ACM (1996)

[13] McEliece, R.J.: A Public-Key Cryptosystem Based on Algebraic Coding Theory. DSN Progress Report. 42(44), (1978)

[14] Patarin, J., Goubin, L., Courtois, N.: Improved Algorithms for Isomorphisms of Polynomials. In: Advances in Cryptology EUROCRYPT pp Springer (1998)

[15] Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Advances in Cryptology EUROCRYPT pp Springer (1996)

[16] Perret, L.: A Fast Cryptanalysis of the Isomorphism of Polynomials with One Secret Problem. In: Advances in Cryptology EUROCRYPT pp Springer (2005)

[17] Shor, P.W.: Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput. 26(5), (1997)

[18] Verma, G.K.: A Proxy Blind Signature Scheme over Braid Groups. International Journal of Network Security 9(3), (2009)

Shaohua Tang
School of Computer Science & Engineering
South China University of Technology
Guangzhou , China
csshtang@scut.edu.cn, shtang@ieee.org

Lingling Xu
School of Computer Science & Engineering
South China University of Technology
Guangzhou , China
csllxu@scut.edu.cn, xu.lingling@139.com


More information

ID-Based Multi-Proxy Signature and Blind Multisignature from Bilinear Pairings

ID-Based Multi-Proxy Signature and Blind Multisignature from Bilinear Pairings ID-Based Multi-Proxy Signature and Blind Multisignature from Bilinear Pairings Xiaofeng Chen 1, Fangguo Zhang 2 and Kwangjo Kim 1 1 International Research center for Information Security (IRIS) Information

More information

Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network

Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network 1 Ms.Anisha Viswan, 2 Ms.T.Poongodi, 3 Ms.Ranjima P, 4 Ms.Minimol Mathew 1,3,4 PG Scholar, 2 Assistant Professor,

More information

ZERO KNOWLEDGE UNDENIABLE SIGNATURE SCHEME OVER SEMIGROUP ACTION PROBLEM

ZERO KNOWLEDGE UNDENIABLE SIGNATURE SCHEME OVER SEMIGROUP ACTION PROBLEM ITALIAN JOURNAL OF PURE AND APPLIED MATHEMATICS N. 38 2017 (45 53) 45 ZERO KNOWLEDGE UNDENIABLE SIGNATURE SCHEME OVER SEMIGROUP ACTION PROBLEM Neha Goel Department of Mathematics University of Delhi Delhi

More information

A Novel Identity-based Group Signature Scheme from Bilinear Maps

A Novel Identity-based Group Signature Scheme from Bilinear Maps MM Research Preprints, 250 255 MMRC, AMSS, Academia, Sinica, Beijing No. 22, December 2003 A Novel Identity-based Group Signature Scheme from Bilinear Maps Zuo-Wen Tan, Zhuo-Jun Liu 1) Abstract. We propose

More information

Public Key Cryptography. Toni Bluher Women and Mathematics Program Lecture 2 May 22, 2018

Public Key Cryptography. Toni Bluher Women and Mathematics Program Lecture 2 May 22, 2018 Public Key Cryptography Toni Bluher Women and Mathematics Program Lecture 2 May 22, 2018 Disclaimer: The opinions expressed are those of the writer and not necessarily those of NSA/CSS, the Department

More information

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems

More information

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7 Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:

More information

C - Cryptography

C - Cryptography Coordinating unit: 270 - FIB - Barcelona School of Informatics Teaching unit: 749 - MAT - Department of Mathematics Academic year: Degree: 2017 BACHELOR'S DEGREE IN INFORMATICS ENGINEERING (Syllabus 2010).

More information

Delegatability of an Identity Based Strong Designated Verifier Signature Scheme

Delegatability of an Identity Based Strong Designated Verifier Signature Scheme INFORMATICA, 2010, Vol. 21, No. 1, 117 122 117 2010 Institute of Mathematics and Informatics, Vilnius Delegatability of an Identity Based Strong Designated Verifier Signature Scheme Xun SUN 1,2, Jianhua

More information

Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode

Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode Int. J. Nonlinear Anal. Appl. 5 (2014) No. 2, 60-66 ISSN: 2008-6822 (electronic) http://www.ijnaa.semnan.ac.ir Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode

More information

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

Digital Proxy Blind Signature Schemes Based on DLP and ECDLP

Digital Proxy Blind Signature Schemes Based on DLP and ECDLP MM Research Preprints, 212 217 MMRC, AMSS, Academia, Sinica, Beijing No. 21, December 2002 Digital Proxy Blind Signature Schemes Based on DLP and ECDLP Zuowen Tan, Zhuojun Liu and Chunming Tang 1) Abstract.

More information

On the Security of Group-based Proxy Re-encryption Scheme

On the Security of Group-based Proxy Re-encryption Scheme On the Security of Group-based Proxy Re-encryption Scheme Purushothama B R 1, B B Amberker Department of Computer Science and Engineering National Institute of Technology Warangal Warangal, Andhra Pradesh-506004,

More information

the validity of the signature can be checked by anyone who has knowledge of the sender's public key. In the signcryption scheme of [4], the unsigncryp

the validity of the signature can be checked by anyone who has knowledge of the sender's public key. In the signcryption scheme of [4], the unsigncryp A Signcryption Scheme with Signature Directly Veriable by Public Key Feng Bao and Robert H. Deng Institute of Systems Science National University of Singapore Kent Ridge, Singapore 119597 Email: fbaofeng,

More information

Provable Partial Key Escrow

Provable Partial Key Escrow Provable Partial Key Escrow Kooshiar Azimian Electronic Research Center, Sharif University of Technology, and Computer Engineering Department, Sharif University of Technology Tehran, Iran Email: Azimian@ce.sharif.edu

More information

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

CSC 474/574 Information Systems Security

CSC 474/574 Information Systems Security CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature

More information

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures Cryptography V: Digital Signatures Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 19th February 2009 Outline Basics Constructing signature schemes Security of

More information

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures Cryptography V: Digital Signatures Computer Security Lecture 10 David Aspinall School of Informatics University of Edinburgh 10th February 2011 Outline Basics Constructing signature schemes Security of

More information

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem [Part 2] Asymmetric-Key Encipherment Asymmetric-Key Cryptography To distinguish between two cryptosystems: symmetric-key and asymmetric-key; To discuss the RSA cryptosystem; To introduce the usage of asymmetric-key

More information

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Digital Signatures. Luke Anderson. 7 th April University Of Sydney. Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1

More information

C - Cryptography

C - Cryptography Coordinating unit: 270 - FIB - Barcelona School of Informatics Teaching unit: 749 - MAT - Department of Mathematics Academic year: Degree: 2018 BACHELOR'S DEGREE IN INFORMATICS ENGINEERING (Syllabus 2010).

More information

CSC/ECE 774 Advanced Network Security

CSC/ECE 774 Advanced Network Security Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;

More information

Computer Security 3/23/18

Computer Security 3/23/18 s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks

More information

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d) Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key

More information

Other Topics in Cryptography. Truong Tuan Anh

Other Topics in Cryptography. Truong Tuan Anh Other Topics in Cryptography Truong Tuan Anh 2 Outline Public-key cryptosystem Cryptographic hash functions Signature schemes Public-Key Cryptography Truong Tuan Anh CSE-HCMUT 4 Outline Public-key cryptosystem

More information

Key Management and Distribution

Key Management and Distribution CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 10 Key Management; Other Public Key Cryptosystems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan

More information

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2 Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................

More information

Study on data encryption technology in network information security. Jianliang Meng, Tao Wu a

Study on data encryption technology in network information security. Jianliang Meng, Tao Wu a nd International Workshop on Materials Engineering and Computer Sciences (IWMECS 05) Study on data encryption technology in network information security Jianliang Meng, Tao Wu a School of North China Electric

More information

Elliptic Curve Cryptosystem

Elliptic Curve Cryptosystem UDC 681.8 Elliptic Curve Cryptosystem VNaoya Torii VKazuhiro Yokoyama (Manuscript received June 6, 2000) This paper describes elliptic curve cryptosystems (ECCs), which are expected to become the next-generation

More information

ECC Elliptic Curve Cryptography. Foundations of Cryptography - ECC pp. 1 / 31

ECC Elliptic Curve Cryptography. Foundations of Cryptography - ECC pp. 1 / 31 ECC Elliptic Curve Cryptography Foundations of Cryptography - ECC pp. 1 / 31 Elliptic Curve an elliptic curve E is a smooth, projective, algebraic curve defined by the following equation: y 2 3 2 a xy

More information

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography

More information

CSC 774 Network Security

CSC 774 Network Security CSC 774 Network Security Topic 2. Review of Cryptographic Techniques CSC 774 Dr. Peng Ning 1 Outline Encryption/Decryption Digital signatures Hash functions Pseudo random functions Key exchange/agreement/distribution

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes

More information

Post-Quantum Cryptography A Collective Challenge

Post-Quantum Cryptography A Collective Challenge Post-Quantum Cryptography A Collective Challenge Christophe Petit University of Oxford Mathematical Institute Christophe Petit -Oxford Crypto Day 1 Cryptography is very useful Cryptography is the science

More information

Cryptanalysis of Blind Signature Schemes

Cryptanalysis of Blind Signature Schemes IJCSNS International Journal of Computer Science and Network Security, VOL.14 No.5, May 2014 73 Cryptanalysis of Blind Signature Schemes Nitu Singh M.Tech Scholar Dept. of Cmputer Science & Engineering

More information

Research Issues and Challenges for Multiple Digital Signatures

Research Issues and Challenges for Multiple Digital Signatures INTERNATION JOURNAL OF NETWORK SECURITY, VOL.1, NO.1,PP. 1-6, 2005 1 Research Issues and Challenges for Multiple Digital Signatures Min-Shiang Hwang, and Cheng-Chi Lee, Abstract In this paper, we survey

More information

Lecture 10, Zero Knowledge Proofs, Secure Computation

Lecture 10, Zero Knowledge Proofs, Secure Computation CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last

More information

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK 2018 02.02.2018 DR. DANIEL SLAMANIG WHAT IS POST-QUANTUM CRYPTOGRAPHY? Also called quantum safe/resistant cryptography NOT quantum cryptography (= quantum

More information

Attribute Based Encryption with Privacy Protection in Clouds

Attribute Based Encryption with Privacy Protection in Clouds Attribute Based Encryption with Privacy Protection in Clouds Geetanjali. M 1, Saravanan. N 2 PG Student, Department of Information Technology, K.S.R College of Engineering, Tiruchengode, Tamilnadu, India

More information

The Beta Cryptosystem

The Beta Cryptosystem Bulletin of Electrical Engineering and Informatics Vol. 4, No. 2, June 2015, pp. 155~159 ISSN: 2089-3191 155 The Beta Cryptosystem Chandrashekhar Meshram Department of Mathematics, RTM Nagpur University,

More information

The Application of Elliptic Curves Cryptography in Embedded Systems

The Application of Elliptic Curves Cryptography in Embedded Systems The Application of Elliptic Curves Cryptography in Embedded Systems Wang Qingxian School of Computer Science and Engineering University of Electronic Science and Technology China Introduction to Cryptography

More information

Distributed ID-based Signature Using Tamper-Resistant Module

Distributed ID-based Signature Using Tamper-Resistant Module , pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,

More information

Public-Key Cryptography

Public-Key Cryptography Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.

More information

Direct Anonymous Attestation

Direct Anonymous Attestation Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch

More information

CS669 Network Security

CS669 Network Security UNIT II PUBLIC KEY ENCRYPTION Uniqueness Number Theory concepts Primality Modular Arithmetic Fermet & Euler Theorem Euclid Algorithm RSA Elliptic Curve Cryptography Diffie Hellman Key Exchange Uniqueness

More information

Introduction to Public-Key Cryptography

Introduction to Public-Key Cryptography Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography

More information

A NEW CONVERTIBLE AUTHENTICATED ENCRYPTION SCHEME BASED ON THE ELGAMAL CRYPTOSYSTEM

A NEW CONVERTIBLE AUTHENTICATED ENCRYPTION SCHEME BASED ON THE ELGAMAL CRYPTOSYSTEM International Journal of Foundations of Computer Science Vol. 20, No. 2 (2009) 351 359 c World Scientific Publishing Company NEW CONVERTIBLE UTHENTICTED ENCRYPTION SCHEME BSED ON THE ELGML CRYPTOSYSTEM

More information

Key Escrow free Identity-based Cryptosystem

Key Escrow free Identity-based Cryptosystem Key Escrow free Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university, located in capital of Gujarat state in India. DA-IICT offers undergraduate and postgraduate

More information

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing wwwijcsiorg 10 Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing Yinghui Zhang 12 1 National Engineering Laboratory for Wireless Security Xi'an University of Posts and Telecommunications

More information

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis

More information

The Elliptic Curve Discrete Logarithm and Functional Graphs

The Elliptic Curve Discrete Logarithm and Functional Graphs Rose-Hulman Institute of Technology Rose-Hulman Scholar Mathematical Sciences Technical Reports (MSTR) Mathematics 7-9-0 The Elliptic Curve Discrete Logarithm and Functional Graphs Christopher J. Evans

More information

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption

More information

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings International Journal of Network Security, Vol.5, No.3, PP.283 287, Nov. 2007 283 Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings Rongxing Lu and Zhenfu Cao (Corresponding

More information

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that

More information

Chapter 9 Public Key Cryptography. WANG YANG

Chapter 9 Public Key Cryptography. WANG YANG Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext

More information

Technological foundation

Technological foundation Technological foundation Carte à puce et Java Card 2010-2011 Jean-Louis Lanet Jean-louis.lanet@unilim.fr Cryptology Authentication Secure upload Agenda Cryptology Cryptography / Cryptanalysis, Smart Cards

More information

A Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity

A Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity A Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity Shin-Jia Hwang Department of Computer Science and Information Engineering,Tamkang University, Tamsui, Taipei Hsien,

More information

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM Zhaohui Cheng, Richard Comley Luminita Vasiu School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, United Kingdom

More information

Digital Signature. Raj Jain

Digital Signature. Raj Jain Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 10 Digital Signatures Israel Koren ECE597/697 Koren Part.10.1 Content of this part

More information

Cryptanalysis of the Lee-Hwang Group-Oriented Undeniable Signature Schemes

Cryptanalysis of the Lee-Hwang Group-Oriented Undeniable Signature Schemes Cryptanalysis of the Lee-Hwang Group-Oriented Undeniable Signature Schemes Guilin Wang, Jianying Zhou, and Robert H. Deng Laboratories for Information Technology 21 Heng Mui Keng Terrace, Singapore 119613

More information

Cryptographic Systems

Cryptographic Systems CPSC 426/526 Cryptographic Systems Ennan Zhai Computer Science Department Yale University Recall: Lec-10 In lec-10, we learned: - Consistency models - Two-phase commit - Consensus - Paxos Lecture Roadmap

More information

SCALABLE MESSAGE AUTHENTICATION SCHEME BASED ON ECC IN WIRELESS SENSOR NETWORKS

SCALABLE MESSAGE AUTHENTICATION SCHEME BASED ON ECC IN WIRELESS SENSOR NETWORKS INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS ISSN 2320-7345 SCALABLE MESSAGE AUTHENTICATION SCHEME BASED ON ECC IN WIRELESS SENSOR NETWORKS Ms. S.Banumathi #1,Ms., Ms.M. Mr.

More information

A Thesis for the Degree of Master of Science. Provably Secure Threshold Blind Signature Scheme Using Pairings

A Thesis for the Degree of Master of Science. Provably Secure Threshold Blind Signature Scheme Using Pairings A Thesis for the Degree of Master of Science Provably Secure Threshold Blind Signature Scheme Using Pairings Vo Duc Liem School of Engineering Information and Communications University 2003 Provably Secure

More information

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 ISSN 0976 6464(Print)

More information

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7 Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7 David Cash University of Chicago Plan 1. Security of RSA 2. Key Exchange, Diffie-Hellman 3. Begin digital

More information

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass

More information

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building Cryptographic Techniques Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building Outline Data security Cryptography basics Cryptographic systems DES RSA C. H. HUANG IN CML 2 Cryptography

More information

Remote User Authentication Scheme in Multi-server Environment using Smart Card

Remote User Authentication Scheme in Multi-server Environment using Smart Card Remote User Authentication Scheme in Multi-server Environment using Smart Card Jitendra Kumar Tyagi A.K. Srivastava Pratap Singh Patwal ABSTRACT In a single server environment, one server is responsible

More information

Public Key Algorithms

Public Key Algorithms CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and

More information

International Journal of Scientific & Engineering Research Volume 9, Issue 5, May ISSN

International Journal of Scientific & Engineering Research Volume 9, Issue 5, May ISSN International Journal of Scientific & Engineering Research Volume 9, Issue 5, May2018 2014 ISSN 22295518 McEliece in RADG using Diffie Hellman Security System Zahraa Naseer 1,* 1,**, and Salah Albermany0F

More information

Cryptographic proof of custody for incentivized file-sharing

Cryptographic proof of custody for incentivized file-sharing Cryptographic proof of custody for incentivized file-sharing Pavel Kravchenko 1, Vlad Zamfir 2 1 Distributed Lab, pavel@distributedlab.com 2 Coinculture, vlad@coinculture.info Abstract. A cryptographic

More information

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 6 Introduction to Public-Key Cryptography ver. November 18, 2010 These

More information

ISSN: (Online) Volume 3, Issue 5, May 2015 International Journal of Advance Research in Computer Science and Management Studies

ISSN: (Online) Volume 3, Issue 5, May 2015 International Journal of Advance Research in Computer Science and Management Studies ISSN: 2321-7782 (Online) Volume 3, Issue 5, May 2015 International Journal of Advance Research in Computer Science and Management Studies Research Article / Survey Paper / Case Study Available online at:

More information

Public Key Cryptography and RSA

Public Key Cryptography and RSA Public Key Cryptography and RSA Major topics Principles of public key cryptosystems The RSA algorithm The Security of RSA Motivations A public key system is asymmetric, there does not have to be an exchange

More information

RSA. Public Key CryptoSystem

RSA. Public Key CryptoSystem RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting

More information