Algorithms and Approaches of Proxy Signature: A...

International Journal of Network Security, Vol.9, No.3, PP.264–284, Nov. 2009 264

Algorithms and Approaches of Proxy Signature:

A Survey

Manik Lal Das1, Ashutosh Saxena2, and Deepak B Phatak3

(Corresponding author: Manik Lal Das)

Dhirubhai Ambani Institute of Information and Communication Technology Gandhinagar - 382007, India1

Infosys Technologies Ltd, SET Labs, Hyderabad-500019, India2

Computer Science & Engineering, Indian Institute of Technology, Bombay, Mumbai-400076, India3

(Email: maniklal [email protected], Ashutosh [email protected], [email protected])

(Received Aug. 22, 2007; revised and accepted April 23, 2008)

Abstract

This paper reviews the recent advances on proxy signa-tures, discusses few notable proposals, analyzes schemes’security and efficiency, and provides an overall remark ofthese proposals.

Keywords: Bilinear pairings, discrete logarithm, integerfactorization, proxy signature

1 Introduction

Digital signature is a cryptographic means throughwhich the authenticity, data integrity and signer’s non-repudiation can be verified. Typically, digital signatureof a document is a piece of information encrypted by thesigner’s private key. Numerous researches have shownsignificant contributions to this field using various cryp-tographic primitives [55]. Nevertheless, there are manypractical environments where digital signatures do notpossess specific requirements, and thereby digital signa-tures appear in several other forms, namely proxy signa-tures, multi signatures, blind signatures, ring signaturesetc. This paper aims to present a state-of-the-art discus-sion on recent advances of proxy signatures.

Proxy signature is a digital signature where an originalsigner delegates her signing capability to a proxy signer,and then the proxy signer performs message signing onbehalf of the original signer. For example, a manager ofa company wants to go for a long trip. She would needa proxy agent, to whom she would delegate her signingcapability, and thereafter the proxy agent would sign thedocuments on behalf of the manager. The notion of proxysignature has been evolved over a long time, 18 years now[20]. However, the cryptographic treatment on proxy sig-nature was introduced by Mambo et al. [53] in 1996. Theyfirst classified the proxy signature on the basis of delega-tion, namely full delegation, partial delegation and dele-gation by warrant, and presented a well-devised scheme.

In full delegation, an original signer gives her private keyto a proxy signer and the proxy signer signs document us-ing original signer’s private key. The drawback of proxysignature with full delegation is that the absence of a dis-tinguishability between original signer and proxy signer.In partial delegation, the original signer derives a proxykey from her private key and hands it over to the proxysigner as a delegation capability. In this case, the proxysigner can misuse the delegation capability, because par-tial delegation cannot restrict the proxy signer’s signingcapability. The weaknesses of full delegation and partialdelegation are eliminated by partial delegation with war-rant. A warrant explicitly states the signers’ identity, del-egation period and the qualification of messages on whichthe proxy signer can sign, etc. Another important re-quirement of a proxy signature is that the revocation ofdelegation capability, in other words, proxy revocation.The proxy revocation is essential for the situation whereoriginal signer key is compromised or any misuse of thedelegation capability is noticed. It may so happen thatthe original signer wants to terminate her delegation ca-pability before its expiry. Though Mambo et al.’s [53]scheme presented an informative notion on proxy signa-tures and its various features; however, the scheme allowsunlimited delegation, i.e., the proxy signer can sign anymessages. The unlimited signing capability allows proxysigner to misuse the delegation capability.

In 1997, Kim et al. [38] proposed a scheme by re-stricting proxy signer signing capability using the conceptof partial delegation with warrant. Subsequently, Zhang[85, 84] proposed threshold and non-repudiable proxy sig-nature schemes, respectively. Ghodosi and Pieprzyk [22]analyzed the shortcomings of [85] and the same is alsonoticed by Lee et al. [41]. Petersen and Horster [60]proposed another notion, called self-certified keys underdifferent trust levels and used them for creation of delega-tion capability, delegated signatures and proxy signatures.However, the work in [44] and [40] shows that Pertersenand Horster scheme is insecure.


In 1999, Okamoto et al. [57], for the first time, pro-posed proxy signature based on RSA signature scheme[63], but they considered the proxy unprotected notion(the notion is explained in Section 3). In the same year,Sun proposed two schemes [69, 73] on threshold proxysignatures. Then Lee and Kim [43] proposed a strongproxy signature scheme. Later, Viswanathan et al. [77]proposed a scheme for controlled environments.

In 2000, Sun [70, 71] proposed a multi-proxy signaturescheme and a time-stamped proxy signature, respectively.Hwang et al. [34] presented a non-repudiable thresh-old proxy signature scheme with known signers. Subse-quently, Yi et al. [83] proposed a proxy multi-signaturescheme.

In 2001, Romao and da Silva [64] proposed secure mo-bile agent with proxy certificates. Lee et al. [44, 45]proposed two proxy signature schemes and highlighted afew applications. But, Wang et al. [80] observed securityflaws of Lee et al.’s scheme [45]. Subsequently, Park andLee [58] proposed another scheme for mobile communica-tions.

In 2002, Shum and Wei [67] proposed a proxy signa-ture scheme with proxy signer privacy protection, but thescheme’s insecurity was found in [72].

Year 2003 saw a very impressive list of publicationsdemonstrating a vigourous interest in the proxy signa-ture study. In this year, a number of new schemes andimprovements have been proposed [3, 9, 11, 13, 14, 28, 29,31, 33, 35, 36, 37, 39, 40, 46, 47, 51, 65, 76, 80, 86, 87].However, most of the schemes observed the insecurity ofpreviously proposed schemes and proposed an improvedone, which was subsequently broken by others.

In 2004, a few interesting schemes [10, 15, 30, 32, 52,66, 74, 75, 78, 81, 82, 88] have been proposed.

In 2005, Lee and Lee [42] further addressed the secu-rity weaknesses of [67]. Wang [79] proposed a designated-verifier proxy signature scheme. Okamoto et al. [56] pro-posed a notion for short proxy signature using pairing.Awasthi and Lal [1] presented a multi-proxy signaturescheme. Afterwards, couple of schemes [61, 89, 90] havebeen proposed in the same year.

In 2006, a number of schemes [2, 7, 25, 48, 50] havecome into light. Lu and Huang [49] proposed a time-stamping proxy signature scheme.

In 2007 Das et al. [16] proposed a pairing-based proxysignature scheme, which does not require secure channelin key issuance stage.

In this survey, we review several notable proxy signa-ture schemes categorizing them into different construc-tions based on their security assumptions. The organiza-tion of this survey is as follows. In the next Section, wegive a mathematical background for general readership.Section 3 discusses the security properties of proxy signa-ture. Section 4 details the constructions of various proxysignatures. Section 5 reviews some of the notable proxysignature schemes. Section 6 gives concluding remarks ofour observations.

2 Preliminaries

2.1 Discrete Logarithm Problem and Its

Applications

The discrete logarithm is the inverse of discrete exponen-tiation in a finite cyclic group. Suppose G be a finite mul-tiplicative cyclic group of order a large prime q. Let g bea generator of G. Then every element y of G can be writ-ten in the form y = gk for some integer k. The discretelogarithm of y is k and is written as logg y = k mod q.

In 1976, Diffie and Hellman [17] revolutionized thecryptography and proposed a key exchange protocolwithout using secure channel, where the security of theprotocol relies on discrete logarithm problem (DLP).Since then, several key exchange protocols [6], public keyencryption [8, 55], and signature schemes [18, 23, 68]have been proposed in which the security assumptionstrust on the hardness of solving the DLP. Below wepresent a signature scheme, named Schnorr’s signature,which is being taking into account while constructingseveral proxy signature schmes discussed in Section 5.1.

The Schnorr signature scheme: The scheme S sch isbased on DLP and works as follows:

• Setup (SPdlp): Inputs 1k; and outputs params-dlp.The params-dlp consists of primes q and l such that2k−1 ≤ q < 2k, an element g ∈ Z

∗q of order l that

divides q − 1, and a hash function h : {0, 1}∗ → Zl.

• KeyGen (KGdlp): The users agree on a group G (mul-tiplicative group of integers modulo q) for some primeq with generator g of prime order l in which the DLPis hard. The user chooses a private key x ∈ Zl. Thepublic key is generated as y = gx mod q.

In other words, user public key ←KGdlp(params-dlp, user private key), i.e.

y ← KGdlp(params-dlp, x).

• Sign (Sdlp): To sign a message m, the signer has tochoose a random t ∈ Zl and compute r = gt mod q.Then compute c = h(m, r) and σ = (t − xc) mod l.The signature on messagem is (σ, c). In other words,σ← Sdlp(params-dlp, (t, r), x, m).

• Verify (Vdlp): The verifier computes r′ = gσyc (modq) and c′ = h(m, r′). If c′ = c then the signature isvalid, else the signature is invalid. In other words,

Result← Vdlp(params-dlp, y, σ,m),

where Result ∈ {V alid, Invalid}.

The Schnorr’s signature scheme is proven secure [68]under the assumption that DLP is hard.


2.2 Bilinear Pairings

Bilinear pairings were first introduced to elliptic curvecryptography for destructive methods like the MOV re-duction [54]. With the help of Weil pairing, the authors of[54] showed a way to reduce the DLP on supersingular el-liptic curves to the DLP of an extension of the underlyingfinite field. Later, Frey and Ruck [19] extended the attackto general elliptic curves with the Tate pairing. However,the Weil pairing and the Tate pairing can also be used asa constructive tool for cryptography [4, 5, 12, 27].

Suppose G1 is an additive cyclic group generated by Pof prime order q, and G2 is a multiplicative cyclic groupof the same order. A map e : G1 × G1 → G2 is called abilinear mapping if it satisfies the following properties:

• Bilinear: e(aP, bQ) = e(P,Q)ab for all P,Q ∈ G1 anda, b ∈ Z

∗q ;

• Non-degenerate: There exist P,Q ∈ G1 such thate(P,Q) 6= 1;

• Computable: There exist efficient algorithm to com-pute e(P,Q) for all P,Q ∈ G1. In general, G1 isa group of points on an elliptic curve and G2 is amultiplicative subgroup of a finite field.

Definition 1. Discrete Logarithm Problem (DLP): GivenQ,R ∈ G1, find an integer x ∈ Z

∗q such that R = xQ.

Definition 2. Decisional Diffie-Hellman Problem(DDHP): Given (P, aP, bP, cP ) for a, b, c ∈ Z

∗q , deter-

mine whether c ≡ ab mod q.

The advantage of any probabilistic polynomial time(PPT) algorithm A in solving DDHP in G1 is definedas

AdvDDHA,G1

= [Prob[A(P, aP, bP, cP ) = 1]

−Prob[A(P, aP, bP, abP ) = 1] : a, b ∈ Z∗q ].

The DDHP is easy in G1, since it is easy to computee(aP, bP ) = e(P, P )ab and decide whether e(P, P )ab =e(P, P )c.

Definition 3. Computational Diffie-Hellman Problem(CDHP): Given (P, aP, bP ) for a, b ∈ Z

∗q, compute abP .

The advantage of any probabilistic polynomial-time(PPT) algorithm A in solving CDHP in G1, is defined asAdvCDH

A,G1= Prob[A(P, aP, bP ) = abP : a, b ∈ Z

∗q ]≥ ε. For

every PPT algorithm A, AdvCDHA,G1

is negligible ε. Thereis no known efficient algorithm which can solve CDHP inG1.

Definition 4. Gap Diffie-Hellman (GDH) group: Aprime order group G1 is a GDH group if there exists an ef-ficient polynomial-time algorithm which solves the DDHPin G1 and there is no PPT algorithm which solves theCDHP with non-negligible probability of success.

The domains of bilinear pairings provide examples ofGDH groups. The MOV reduction [54] provides a methodto solve DDHP in G1, but there is no known efficientalgorithm for CDHP in G1.

Definition 5. Bilinear Diffie-Hellman Problem (BDHP):Given (P, aP, bP, cP ) for a, b, c ∈ Z

∗q, compute e(P, P )abc.

Definition 6. Weak Diffie-Hellman Problem (WDHP):Given (P,Q, aP ) for a ∈ Z

∗q , compute aQ.

Since most of our discussions on pairing-based proxysignatures are surrounded by Hess’s signature scheme[27], we briefly discuss the scheme as follows.

The Hess signature scheme: The scheme Shess isbased on CDHP and works as follows:

• Setup(SPcdhp): It takes 1k and master-key s asinput; and outputs params-cdhp. The params-cdhp includes groups G1, G2 of order prime q; agenerator P ∈ G1; a bilinear map e : G1 × G1 →G2; map-to-point H : {0, 1}∗ → G1, hash func-tion h : {0, 1}∗ × {0, 1}∗ → Z

∗q and public key of

a trusted party, say Key Generation Center (KGC)(PubKGC = sP ). The KGC keeps s secret.

• KeyGen (KGcdhp): It takes params-cdhp, user (withidentity ID) public key PubID = H(ID) as input;outputs user private key SID = sPubID, i.e., SID

←KGcdhp(params-cdhp, PubID).

• Sign (Scdhp): To sign a message m, the signerchooses an arbitrary P1 ∈ G1, picks a random t ∈ Z

∗q

and computes

r = e(P1, P )t,

c = h(m, r),

σ = cSID + tP1.

The signature on message m is the tuple (c, σ). Inother words, σ←Scdhp(params-cdhp, (t, r, c), SID,m).

• Verify (Vcdhp): The signature (c, σ) is verified bythe following checking: Compute r′ = e(σ, P ) ·e(H(ID),−PubKGC)c. Accept the signature if c =h(m, r′). Else reject the signature. In other words,Result← Vcdhp(params-cdhp, PubID, PubKGC,σ, (c,m)), where Result ∈ {V alid, Invalid}.

The Hess’s signature scheme is proven secure against ex-istential forgery on adaptive chosen-message attack underthe assumption that CDHP is hard.

2.3 Integer Factorization Problem

The integer factorization (also known as prime decompo-sition) problem (IFP) is: Input a large positive integer;output it as a product of prime numbers. The problem


holds a strong security assumption in cryptography, com-plexity theory, and quantum computers. Based on IFP,the most widely used scheme for public key encryptionand signature is RSA [63]. There are several algorithms,protocols, and products where security relies on IFP.

The RSA signature scheme: The signature schemeSrsa works as follows:

• Setup(SPrsa): Inputs 1k, secret large primes p, q;and outputs params-rsa. The params-rsa is publicand consists of a modulus N = pq and hash functionh : {0, 1}∗ → ZN .

• KeyGen (KGrsa): Choose public key e such that 1 <e < φ(N) which is co-prime to φ(N), where φ(N) =(p−1)(q−1). Compute private key d such that de ≡1 mod φ(N). Procedurally, d←KGrsa(params-rsa,e).

• Sign (Srsa): To sign a message m, compute σ =h(m)d mod N . The signature of a message m is thetuple (m,σ). In other words, σ← Srsa(params-rsa,d, m).

• Verify (Vrsa): Compute m′ = σe mod N . The sig-nature is valid if m′ = h(m).

In other words, Result← Vrsa(params-rsa, e, σ, m),Result ∈ {V alid, Invalid}.

3 Security Properties of Proxy

Signature

Desirable security properties of proxy signatures havebeen evolved from the introduction of proxy signature.A widely accepted list of required security properties isgiven below:

• Strong unforgeability: A designated proxy signer cancreate a valid proxy signature on behalf of the orig-inal signer. But the original signer and other thirdparties cannot create a valid proxy signature.

• Strong identifiability: Anyone can determine theidentity of corresponding proxy signer from the proxysignature.

• Strong undeniability: Once a proxy signer creates avalid proxy signature on behalf of the original signer,he cannot deny the signature creation.

• Verifiability: The verifier can be convinced of thesigners’ agreement from the proxy signature.

• Distinguishability: Proxy signatures are distinguish-able from the normal signatures by everyone.

• Secrecy: The original signer’s private key cannot bederived from any information, such as the shares ofthe proxy key, proxy signatures, etc.

• Prevention of misuse: The proxy signer cannot usethe proxy key for other purposes than it is made for.That is, he cannot sign message with the proxy keythat have not been defined in the warrant. If he doesso, he will be identified explicitly from the warrant.

3.1 Classification of Proxy Signature

According to the nature of delegation capability, proxysignature can be classified as proxy-unprotected, proxy-protected and threshold notions. This differentiation isimportant in practical applications, since it enables proxysignature schemes to avoid potential disputes between theoriginal signer and the proxy signer.

3.1.1 Proxy-Unprotected Notion

The scenario exists when an original signer gives hersigning rights (full delegation with warrant) to a proxysigner. The original signer sends a signed warrant to theproxy signer, who then uses this information to gener-ate proxy signatures by executing a standard signaturescheme. When a proxy signature is sent, the recipientchecks its validity according to the corresponding stan-dard signature verification process. As the proxy signerdoes not append his private key on top of the receiveddelegation, a dishonest original signer can sign the mes-sage and later claim that the signature was created bythe proxy signer. This type of proxy signature primarilylacks strong unforgeability property.

3.1.2 Threshold Notion

In a threshold proxy signature, the proxy key is sharedby a group of n proxy signers. In order to produce a validproxy signature on a given message m, individual proxysigner produces his partial signature on that message, andthen combines them into a full proxy signature on messagem.

In a (t, n) threshold proxy signature scheme, the orig-inal signer delegates her signing capability to a proxygroup of n members. Any t or more proxy signers of thegroup can cooperatively issue a proxy signature on behalfof the original signer, but (t − 1) or less proxy signerscannot forge a signature.

4 Models of Proxy Signature

Based on the security assumptions on various proxy sig-nature schemes, we categorize the existing schemes intofour different constructions: DLP-based proxy signature,RSA-based proxy signature, ECDSA-based proxy signa-ture, and Pairing-based proxy signature. The schemesconsist of delegation capability generation, delegation ca-pability verification, proxy key generation, proxy signa-ture generation and proxy signature verification.


4.1 DLP-based Proxy Signature

The participants involved in the model are:

• An original signer, who delegates her signing capa-bility to a proxy signer.

• A proxy signer, who signs the message on behalf ofthe original signer.

• A verifier, who verifies the proxy signature and de-cides to accept or reject.

• A trusted party, who certifies the public key.

DLP-based Proxy Signature Model: An originalsigner selects a private key xo and computes her publickey yo as

yo ← KGdlp(params-dlp, xo).

A proxy signer selects a private key xp and computeshis public key yp as

yp ← KGdlp(params-dlp, xp).

• Delegation capability generation: It takes params-dlp, original signer chosen parameters (ko, ro), orig-inal signer private key xo, a warrant ω as input; andoutputs signature σo on ω. Procedurally,

σo ← Sdlp(params-dlp, (ko, ro), xo, ω).

• Delegation capability verification: It takes params-dlp, yo, ω, σo as input; and outputs Result,where Result∈ {V alid, Invalid}, i.e., Result←Vdlp(params-dlp, yo, σo, ω).

• Proxy key generation(PKeyGendlp): It takes params-dlp, σo, xp and random number as input; and out-puts proxy key ρp. Typically, the proxy signeruses simple arithmetic operation to form a proxykey ρp = yoσo + xpyp mod q. Procedurally, ρp ←PKeyGendlp(params-dlp, σo, xp, pub-params

1).

• Proxy signature generation: It takes params-dlp,proxy key ρp and message m as input; outputs signa-ture σp on m, i.e, σp ← Sdlp(params-dlp, ρp, m).

• Proxy signature verification: It takes params-dlp,yo, yp, m and σp as input; outputs Result, i.e.,Result← Vdlp(params-dlp, (yo, yp), σp, m).

4.2 RSA-based Proxy Signature



1pub-params include signers’ public keys, random numbers, war-rant, etc.



• A trusted party, who certifies the public key.

RSA-based Proxy Signature Model: An originalsigner selects a public key yo and computes her privatekey xo as

xo ← KGrsa(params-rsa, yo).

A proxy signer selects a public key yp and computeshis private key xp as

xp ← KGrsa(params-rsa, yp).

• Delegation capability generation: It takes params-rsa, xo, a warrant ω as input; and outputs signatureσo on ω, Procedurally, σo ← Srsa(params-rsa, xo,ω).

• Delegation capability verification: It takes params-rsa, yo, ω, σo as input; and outputs Result. Thatis, Result← Vrsa(params-rsa, yo, σo, ω), whereResult ∈ {V alid, Invalid}.

• Proxy signature generation: It takes params-rsa,σo, xp and message m as input; outputs signatureσp on m, i.e, σp ← Srsa(params-rsa, xp, (σo,m))Proxy signature verification: It takes params-rsa,yo, yp, m and σp as input; and outputs Result, i.e.,Result← Vrsa(params-rsa, (yo, yp), σp,m).

4.3 Pairing-based Proxy Signature





• A trusted party, who issues user private key.

Pairing-based Proxy Signature Model: The originalsigner generates her public key yo = H(IDo), and com-putes private key xo ←KGcdhp(params-cdhp, yo), whereIDo is original signer’s identity.

The proxy signer generates his public key yp =H(IDp), and computes private key

xp ← KGcdhp(params-cdhp, yp),

where IDp is proxy signer’s identity.


• Delegation capability generation: Takes params-cdhp, xo and a warrant ω as input; outputs signatureσo on ω, i.e., σo ← Scdhp(params-cdhp, (ko, ro, co),xo, ω).

• Delegation capability verification: It takes params-cdhp, yo, ω and σo as input; and outputs Result,i.e., Result← Vcdhp(params-cdhp, (yo, PubKGC),σo, (co, ω)), where Result ∈ {V alid, Invalid}.

• Proxy key generation: It takes params-cdhp, σo,xp and random number as input; and outputs proxykey ρp← PKeyGencdhp(params-cdhp, σo, (user-params2), xp).

• Proxy signature generation: Takes params-cdhp,proxy key ρp and message m as input; outputs sig-nature σp on m, i.e., σp ← Scdhp(params-cdhp,(kp, rp), ρp, m).

• Proxy signature verification: It takes params-cdhp, yo, yp, m and σp as input; outputsResult← Vcdhp(params-cdhp, (yo, yp, PubKGC),σp, (cp,m, ω)).

5 Review of Some Notable Proxy

Signature Schemes

5.1 DLP-based Proxy Signature Schemes

5.1.1 Mambo, Usuda and Okamoto (1996)

First classified the proxy signature on the basis ofthe degree of delegation, and proposed a well-devisedscheme. In their scheme both proxy unprotected andproxy protected notions are envisaged. As we are morefocused on proxy-protected scheme, here we discuss theproxy-protected notion.

Assumption: DLP is hard.

• Alice picks a private key xo and generates public keyyo ←KGdlp(params-dlp, xo).

• Bob picks a private key xp and generates public keyyp ←KGdlp(params-dlp, xp).

• Delegation capability generation: Alice chooses arandom number ko ∈ Z

∗q−1 and computes ro =

gko mod q. Alice computes σo ← Sdlp(params-dlp,(ko, ro), xo).

• Delegation capability verification: Bob accepts σo ifand only if

V alid← Vdlp(params-dlp, yo, σo).

• Proxy key generation: Bob computes proxy key ρp

← PKeyGendlp(params-dlp, σo, xp, pub-params).

2The user-params includes signers’ public keys, random num-bers, warrant, etc.

• Proxy signature generation: The proxy signature onmessage m is computed as

σp ← Sdlp(params-dlp, (kp, rp), ρp,m).

• Proxy signature verification: The verifier accepts theproxy signature if and only if

V alid← Vdlp(params-dlp, (yo, yp), σp,m).

• Security: The underlying security of the scheme isbased on the hardness of DLP. But, the scheme hastwo weaknesses. Firstly, unlimited delegation, i.e.,Bob can sign any messages on behalf of Alice, be-cause Alice has delegated unlimited signing rights toBob. Secondly, proxy transfer, i.e., Bob transfers Al-ice’s delegation power to any other party who cansign any message on behalf of Alice. In other words,the scheme does not satisfy the prevention of misusesecurity property.

5.1.2 Kim, Park and Won (1997)

Proposed a proxy signature scheme using partial delega-tion with warrant and a proxy signature scheme usingthreshold delegation.


Scheme for Partial Delegation with Warrant(PDW):





gko mod q.

Then, Alice computes σo ← Sdlp(params-dlp,(ko, ro), xo, ω).


V alid← Vdlp(params-dlp, yo, σo, ω).






V alid← Vdlp(params-dlp, (yo, yp), σp, (ω,m)).


Table 1: Conventions and notation for DLP-based proxy signature schemesAlice Original signerBob Proxy signerq A large primeZq Set of integers modulo qZ

∗

q Multiplicative group of Zq

g Generator of large order in Z∗

q

xo, xp Private key of Alice and Bob, respectivelyyo Public key of Alice, yo = gxo mod qyp Public key of Bob, yp = gxp mod qω A warranth(.) A collision-resistant one-way hash function

Scheme for Threshold Delegation: In the thresholddelegation, Alice sends her delegation to a proxy group sothat the proxy signer’s power is shared to sign a message.

• Alice picks private key xo and generates public keyyo ←KGdlp(params-dlp, xo).

• Each proxy signer acts as a dealer with a randomsecret u, chooses a random polynomial such thatf(x) = u + a1x + · · · + at−1x

t−1 mod (q − 1). Theproxy group keys are generated as follows:

– Public keys: gu mod q, ga1 mod q, · · · ,gat−1 mod q.

– Private keys: xp,i = u + a1i + · · · + at−1it−1;

i = 1, 2, · · · , t.

• Delegation capability generation: Alice choosesa random number ko ∈ Z

∗q−1 and computes

ro = gko mod q. Then Alice computes σo ←Sdlp(params-dlp, (ko, ro), xo, ω).

• Proxy sharing: To share σo in a threshold man-ner with threshold t, Alice chooses random bj ∈Zq−1; j = 1, 2, · · · , t − 1, and publishes the valuesBj = gbj , j = 1, 2, · · · , t−1. Then, she computes theproxy share σi as

σi = f ′(i) = σo + b1i+ · · ·+ bt−1it−1.

• Delegation capability verification: Each proxy signeraccepts σi if and only if

gσi = yh(ω,ro)o ro ·

t−1∏

j=1

B(ij)j mod q.

• Proxy key generation: Each proxy signer computesproxy key as

ρp,i ← PKeyGendlp(params-dlp, σi, xp,i, pub− params).

• Proxy signature generation: To sign a message m,each proxy signer computes v = h(l,m), where l =gr mod q (r is secret to the proxy signer). Then, theproxy signer computes λi = si +σiv mod (q− 1) andreveals λi, where si = f(i) = r+a1i+ · · ·+at−1i

i−1.

On validating λi, each proxy signer computes σ sat-isfying σ = r + σov = f(0) + f ′(0)v mod (q − 1) byapplying Lagrange formula to λi. The proxy signa-ture on m is the tuple (ω, ro,m, σ, v).

• Proxy signature verification: The verifier checkswhether v′ = gσ ·(yo ·yp)

h(ω,ro)ro)−v mod q, and then

whether v = h(v′,m).

• Security: To the best of our knowledge the proposedPDW scheme is still unbroken. However, the intu-ition in this scheme that using warrant does not re-quire proxy revocation is not correct. There are manysituations where proxy revocation is a must thoughwarrant explicitly states the validity and restricts themessage signing. Sun et al. [73] showed that theabove threshold delegation approach is insecure.

5.1.3 Zhang (1997a)

Proposed a threshold and non-repudiable proxy signa-ture, where both the original signer and proxy signercannot falsely deny their signature.



• Assume that there is a group of n proxy signers pi,i = 1, · · · , n.

• Proxy key generation: Alice picks ko ∈ Zq−1, com-putes R = gko mod q, and broadcasts R. Theproxy signer randomly selects αi ∈ Zq−1, computesypi

= gαiR mod q, checks whether ypi∈ Z

∗q−1 and if

it holds then broadcasts ypi.

• Alice computes R =∏n

i=1 ypi, and s = n−1Rxo +

k mod (q − 1) and broadcasts s. Then, each proxysigner computes R =

∏n

i=1 ypi, σpi

= s + αi mod(q − 1), and checks if the equality holds: gs =

yn−1RR mod q. If it holds, the proxy signer acceptsσpi

as a valid proxy share.

• The threshold proxy signature and verification aredone in similar approaches as in the schemes [21, 26].


• Security: The articles [41, 73] pointed out some weak-nesses in Zhang’s threshold proxy signatures [85].Later, some additional attacks are commented in [22].

5.1.4 Petersen and Horster (1997)

Proposed a scheme for self-certified keys issuance underdifferent trust level and used them for delegation ofsigning rights and delegated signatures, proxy signatures.




• Delegation capability generation: Alice picks a ran-dom number ko ∈ Z

∗q−1, computes ro = gko mod

q. Then, Alice computes σo ← Sdlp(params-dlp,(ko, ro), xo, ProxyID).


V alid← Vdlp(params-dlp, yo, σo, P roxyID).




σp ← Sdlp(params-dlp, ρp, (m,ProxyID)).

• Proxy signature verification: The verifier accepts theproxy signature if

V alid← Vdlp(params-dlp, (yo, yp), σp,

(m,ProxyID)).

• Security: The scheme has three weaknesses. Firstly,the proxy signer can deny his signature creation laterbecause a proxy signature does not contain any au-thentic information of proxy signer. Secondly, theproxy signer gets a proxy key pair (xp, yp) from theoriginal signer. He can deny his signature by show-ing that the proxy signature is created by the origi-nal signer with the name of him. Thirdly, the originalsigner sends the signing rights to a proxy signer with-out any agreement or warrant. The original signercan argue that the proxy signature is not valid forthe concerned message. Moreover, the schemes in[40, 44] further pointed out some more weaknesses ofthis scheme.

5.1.5 Sun, Lee and Hwang (1999)

Proposed a (t, n) threshold proxy signature based onZhang’s threshold scheme [85].



• Assume that there is a group of n proxy signers pi,i = 1, · · · , n. Each proxy signer pi has a private keyxpi∈ Zq−1 and a public key ypi

←KGdlp(params-dlp, xpi

).

• Proxy generation: Alice picks ko ∈ Zq−1, computesR = gko mod q, and broadcasts R. Then each proxysigner randomly selects αi ∈ Zq−1, computes rpi

=gαiR mod q.

Alice computes R =∏n

i=1 rpimod q, and s =

n−1xoh(R, PGID) + ko mod (q − 1) and broadcastss, where PGID is the proxy group identity thatrecords the proxy status, the event mark of the proxyshare generation, the expiration time of the delega-tion, the identities of original signer and proxy sign-ers. After validating s, each proxy signer performsa (t, n) verifiable threshold secret sharing scheme[59], and acts as a dealer to distribute proxy sub-shares to other n − 1 proxy signers for generat-ing their valid proxy shares. Each proxy signer pi

selects a (t − 1)-degree polynomial fi(x) = si +ai,1x + ai,2x

2 + · · · + ai,t−1xt−1 mod (q − 1), where

si = s + αi + xpih(R, PGID) mod (q − 1). Then pi

sends the proxy sub-share fi(j) to proxy signer pj(for1 ≤ j ≤ n and j 6= i) vis a secure channel. In addi-tion, pi also broadcasts gai,1 , · · · , gai,t−1 .

After validating all fj(i), pi computes x′i =n∑

j=1

fj(i) mod (q − 1) as his proxy share. Let f(x) =

n∑

j=1

fj(x) mod (q − 1). This proxy share can be

written as x′i = f(i) and will be used for generat-ing proxy signatures. The shared secret key is re-

garded as f(0) = ns+n∑

i=1

αi +n∑

i=1

xpih(R, PGID) =

n∑

i=1

(αi + ko) +

n∑

i=0

xpih(R, PGID) mod (q − 1).

• Proxy signature generation: Each participant proxysigner pi (1 ≤ i ≤ t) performs a (t, t) verifiable se-cret sharing scheme by randomly choosing a (t− 1)-

degree polynomial f ′i(x) =

t−1∑

j=0

a′i,jxj mod (q−1) and

broadcasts c′i,j = ga′

i,j mod q for j = 0, 1 · · · , t − 1.Then pi computes f ′

i(j) and sends it to pj via asecure channel for 1 ≤ j ≤ n and j 6= i. After


validating each f ′i(j), each participant proxy signer

pi computes x′′i = f(i) =

t∑

j=1

f ′j(i) mod (q − 1),

where f ′(x) =

t∑

j=1

f ′j(x) mod (q − 1) and Y =

t∏

k=1

c′k,0 mod q. Finally, each pi computes and broad-

casts Ti = x′ih(m) + x′′i Y mod (q − 1).

On validating Ti, each pi computes T = f(0)h(m) +f ′(0)Y mod (q − 1) from Tj by applying Lagrange’sinterpolating polynomial, where m is the message.The proxy signature on message m is the tuple(R, PGID, Y, T ).


gT =

(

yo

n∏

i=1

yi

)h(R,PGID)

R

h(m)

Y Y mod q.

• Security: Hsu et al. [31] and Shao [66] noticed thatSun et al.’s scheme is not secure, it lacks coalitionattack.

5.1.6 Lee, Kim and Kim (2001b)

Proposed a scheme in which a mobile agent is con-structed using non-designated proxy signature whichrepresents both the original signer’s (customer) and theproxy signer’s (remote server) signatures. The workprovides Schnorr-based and RSA-based constructions forsecure mobile agent. Here, we give the Schnorr-basedconstruction, and the RSA-based construction is given inthe next section.






gko mod q. Then she computes σo ← Sdlp(params-dlp, (ko, ro), xo, ω).


V alid← Vdlp(params-dlp, yo, σo, ω).

• Proxy key generation: Bob computes proxy keyρp ← PKeyGendlp(params-dlp, σo, xp, public-parameters).




V alid← Vdlp(params-dlp, (yo, yp), σp, (m,ω)).

• Security: Wang et al. [80] showed that the scheme isinsecure against transferring and forgery attacks.

5.1.7 Boldyreva, Palacio and Warinschi (2003)

Proposed a formal security notion for proxy signature. Atthe same time, they proposed a provable secure scheme,called triple Schnorr proxy signature scheme, which is anenhanced version of the PDW scheme [38].






gko mod q. Then computes σo ← Sdlp(params-dlp,(ko, ro), xo, (ω, yo, yp)).


V alid← Vdlp(params-dlp, yo, σo, (ω, yo, yp)).




σp ← Sdlp(params-dlp, (kp, rp, yo, yp), ρp,m)).


V alid← Vdlp(params-dlp, (yo, yp), σp,m)).

• Security: The scheme is based on Kim et al.’s PDWscheme [38]. The scheme did not consider warrant inthe proxy signing phase which leads unlimited del-egation, that is, the scheme suffers from delegationmisuse.


5.1.8 Li, Tzeng and Hwang (2003)

Proposed a generalized version (t1/n1 − t2/n2) proxysignature scheme. The (t1/n1 − t2/n2) proxy signaturescheme allows t1 out of n1 original signers to delegatetheir signing capability to a designated proxy group oft2 out of n2 proxy signers. The proxy group of proxysigners can cooperatively generate the proxy signatureon behalf of the original group. Any verifier can verifythe proxy signature on the message with the knowledgeof the identities of the actual original signers and theactual proxy signers.


• Let the scheme consists of n1 original signers and n2

proxy signers.

• For i = 1, 2, · · · , n1, the original signer choosesa private key xoi

and generates public key yoi

←KGdlp(params-dlp, xoi).

• For j = 1, 2, · · · , n2, the proxy signer choosesa private key xpj

and generates public key ypj

←KGdlp(params-dlp, xpj).

• Delegation capability generation: For i = 1, 2, · · · , t1(< n1), the original signer chooses a random numberkoi∈ Z

∗q−1 and computes roi

= gkoi mod q. Thenthe original signer computes σoi

← Sdlp(params-dlp, (koi

, roi), xoi

, ω). A designated clerk (any oneof the original signers) verifies the individual proxyshares as whether

V alid← Vdlp(params-dlp, yoi, σoi

, ω).

If it holds, the clerk combines the individual proxy

shares as σo =

t1∑

i=1

σoimod q − 1. The final proxy

share is the tuple (ω,K, σo), where K =

t1∏

i=1

roi.

Delegation capability verification: Bob accepts σo ifand only if

V alid← Vdlp(params-dlp, (K, yo), σo, ω).

• Proxy signature generation: Each proxy signer se-lects a random integer kpj

∈ Z∗q−1, computes rpj

=

gkpj mod q, and broadcast rpj. Then, each proxy

signer computes R =∏t2

j=1 rpjmod q and σpj

=

kpjR + (σot

−12 + xoi

yoi)h(m,R,ProxyID) mod (q − 1),

where t2 is the threshold value of the proxy sign-ers group. A designated clerk verifies the individualproxy signature as whether

gσpj = rRpj

((KK

t1∏

i=1

yyoi

h(ω,K)oi )t

−12 y

ypj

pj )h(m,R,ProxyID)

modq.

If it does, the clerk combines the individual proxysignature of m as σ =

∑t2j=1 σpj

mod (q − 1). Theproxy signature of m is (ω,K,m,R, σ).

• Proxy signature verification: A verifier checks thevalidity of the proxy signature on m whether

gσ = RR(KK

t1∏

i=1

yyoi

h(ω,K)oi

t2∏

j=1

yypjpj

)h(m,R,ProxyID) mod q.

• Security: The security analysis of the scheme is weak.With some heuristic arguments the authors provedthe security strength of the scheme.

5.1.9 Herranz and Saez (2004)

Proposed a distributed proxy signature scheme. Thescheme extended the work in [3] to the scenario of fullydistributed proxy signature schemes.


• Generation of keys: Let E = {P (1), P ((2), · · · , P (n)}be a distributed entity formed by n participants.There is an access structure Γ ⊂ 2E, which is formedby those subsets of participants which are authorizedto perform the secret task. The access structure mustbe monotone increasing; that is, if A1 ∈ Γ is autho-rized and A1 ⊂ A2 ⊂ E, then A2 must be authorized.The joint generation of discrete logarithm keys is asfollows:

– Each participant P (l) ∈ E obtains a secret valuex(l) ∈ Zq−1. The values {x(l)}P (l)∈E form asharing of the secret key x ∈ Zq−1, according tosome linear secret sharing scheme realizing theaccess structure Γ. The corresponding publickey y = gx mod q is made public, along withother values (commitments) which ensure therobustness of the protocol.

– The fully distributed triple Schnorr proxy sig-nature scheme is generated in a similar way ofthe Boldyreva et al.’s scheme [3].

• Security: The scheme is as secure as Kim et al.’sPDW scheme [38].

5.1.10 Malkin, Obana and Yung (2004)

Presented a formal model for fully hierarchical proxysignatures with warrant that supports chains of severallevels of delegation.


• The signers’ selects private key xi and computes pub-lic key yi ←KGdlp(params-dlp, xi).

• Delegation capability generation: This is an interac-tive process between the designator and proxy signer.It takes public keys of a designator yiL−1 and a proxy


signer yiL, the signing key of which the designator

delegates its signing right (i.e., the signing key is ei-ther a signing key xiL−1 or a proxy key σio···→iL−1 de-pending on whether iL−1 is original signer or proxysigner), a warrant up to previous delegation WL−1

and a warrant ωL set in current delegation as inputs;outputs delegation rights.

• Proxy key generation: It takes public keys of a desig-nator yiL−1 and a proxy signer yil

, the private key ofthe proxy signer xiL

as inputs and outputs a proxykey σio···→iL

and a warrant ω.


σp ← Sdlp(params-dlp, σio···→iL, (m,ω)).

• Proxy signature verification: The verifier accepts theproxy signature if

V alid← Vdlp(params-dlp, yio, σp, (m,ω)).

• Security: The scheme formalizes a model of fully hi-erarchical proxy signature, which is a probably securemodel to the best of our knowledge.

5.1.11 Lu and Huang (2006)

Proposed a proxy signature scheme using time-stampingservice for validating delegation service at the verifier.






gko mod q. Then she computes σo ← Sdlp(params-dlp, (ko, ro), xo, ω).


V alid← Vdlp(params-dlp, yo, ro, σo, ω).

• Proxy key generation: Bob computes proxy keyρp ← PKeyGendlp(params-dlp, σo, xp, public-parameters), and y′p ← gρp .

• Proxy signature generation: Firstly, Alice sends ω toa time-stamping service (TSS) for a time-stamp. TheTSS generates tB ← h(n, ω, tB−1, tf(B)) and sendsit back to Alice, where n is the group size. ThenAlice makes the (ω, tB) to the public. Secondly,Bob sends a message m to the TSS and requests atime-stamp. The TSS generates a time-stamp tn ←

Table 2: Conventions and notation for RSA-based proxysignature schemes

Alice Original signerBob Proxy signerNo, Np RSA Modulus for Alice and Bob, respectivelyyo Public key of Alice, where 1 < yo < φ(No)yp Public key of Bob, where 1 < yp < φ(Np)xo Private key of Alice, where xoyo ≡ 1 mod φ(No)xp Private key of Bob, where xpyp ≡ 1 mod φ(Np)ω A warranth(.) A collision-resistant one-way hash function

h(n,m, tn−1, tf(n)) and sends it back to Bob. Finally,the proxy signature on message m is computed as

σp ← Sdlp(params-dlp, (kp, rp), ρp,m, tn).


V alid← Vdlp(params-dlp, (yo, yp), σp, (m, tn, ω)).

• Security: The scheme’s security relies on DLP. Theuse of time-stamp provides a mechanism for the del-egation expiry or revoking by Alice, if she desires todo so.

5.2 RSA-based Proxy Signature

5.2.1 Okamoto, Tada and Okamoto (1999)

Proposed a scheme that reduces the computation andstorage cost during the protocol execution, and theprotocol is suitable for implementation on smart cards.

Assumption: IFP is hard and smart card is a tamperresistant device.

• Alice picks a public key yo and generates private keyxo ←KGrsa(params-rsa, yo).

• Delegation capability generation: Alice computes σo

← Srsa(params-rsa, xo, (ω, Ip)) where Ip denotethe limit of money which she can spend.


V alid← Vrsa(params-rsa, yo, σo, (ω, Ip)).

• Proxy signature generation: To sign a message m,Bob generates a random number kp ∈ Z

∗N , and com-

putes

r = gkph(m)σo mod No

s = g−yokp mod No.


• The proxy signature of message m is the tuple(m, (r, s), Ip).

• Proxy signature verification: The verifier checkswhether (IDp, ω) = h(Ip)r

yosh(m) mod No. If itdoes, the verifier accepts it as a valid proxy signa-ture. Otherwise, rejects it.

• Security: The scheme has weak security as it is de-signed as a proxy-unprotected scheme, where Alicecan frame Bob by signing the message and later claimthat Bob has signed the message.

5.2.2 Lee, Kim and Kim (2001b)

A mobile agent is constructed in the scheme usingnon-designated proxy signature which represents boththe original signer’s (customer) and the proxy signer’s(remote server) signatures.

Assumption: IFP is hard.


• The mobile agent (proxy signer) chooses a public keyyp and generates private key

xp ← KGrsa(params-rsa, yp).

• Delegation capability generation: Alice createsσo←Srsa(params-rsa, xo, (AliceID, req)), wherereq is the customer requirements for purchase suchas price range, date, delivery requirements, etc.

• Delegation capability verification: The mobile agentaccepts σo if and only if

V alid← Vrsa(params-rsa, yo, σo, (AliceID, req)).

• Proxy signature generation: Let BID be the agent’sbid information which conforms to req. The agent(remote server) tries to sell the product to Alice. Theremote server computes

x = h(AliceID, req, AgentID,BID)xp mod Np

y = h(AliceID, req)x mod No, and

z = σxo mod No.

Then sends the tuple (AliceID, req, AgentID, BID,x, y, z) to the mobile agent and the agent will getback to Alice with this tuple as a receipt of the pur-chase.

• Proxy signature verification: Alice receives(AliceID, req, AgentID, BID, x, y, z) fromthe mobile agent, then she can verify the validity ofthe purchase by the following:

– Whether h(AliceID, req, AgentID,BID) =xyp mod Np.

– Whether y = h(AliceID, req)x mod No.

– Whether y = zyo mod No.

– Whether BID ∈ {req}.

• Security: Wang et al. [80] showed that the scheme isinsecure and inefficient.

5.2.3 Shao (2003)

Proposed a proxy signature scheme based on the factor-ing problem, which combines the RSA signature schemeand the Guillou and Quisquater [24] signature scheme.

Assumption: IFP is hard and Guillou-Quisquater signa-ture is secure.


• Bob picks a public key yp and generates private keyxp ←KGrsa(params-rsa, yp).

• Delegation capability generation: Alice computesproxy key v = h(ω, ProxyID)−xo mod No, u =bv/Npc and z = vyp mod Np. The delegation is thetuple (ω, z, u).

• Delegation capability verification: Bob recovers v =u×Np + (zxp mod Np).

• Proxy signature generation: Let m be the messageto be signed by Bob. Bob does the following:

– Randomly chooses an integer t ∈ [1, No] andcomputes r = tyo mod No.

– Compute k = h(m, r) and x = kxp mod Np.

– Compute y = tvk mod No. The proxy signatureon message m is (m,ω, x, y, ProxyID).

• Proxy signature verification: The verifier checks thefollowing:

– Compute k′ = xyp mod Np.

– Compute r′ = yyoh(ω, ProxyID)k′

mod No.

– Check whether k′ = h(m, r′).

• Security: The security of the scheme is based onGuillou-Quisquater signature scheme [24]. However,there is no formal security proof of it.

5.2.4 Das, Saxena and Gulati (2004)

Proposed a proxy signature scheme that provides effectiveproxy revocation mechanism.

Assumption: IFP is hard. In addition to Alice and Bob,a trusted server (TS) is a participant in the scheme fortime stamp issuance.



• Bob picks a public key yp and generates private keyxp ←KGrsa(params-rsa, yp).

• TS chooses a public key ys and generates private keyxs ←KGrsa(params-rsa, ys).

• Delegation capability generation: Alice computes thedelegation capability σo as

σo ← Srsa(params-rsa, xo, (ω, yp, ys)).


V alid← Vrsa(params-rsa, yo, σo, (ω, yp, ys)).

• Proxy signature generation: Let m be the messageto be signed. Bob requests a time stamp to the TSand sends (R,m, yo, yp), where R ← Srsa(params-rsa, xp, (m, ω, yo, yp)). The TS verifies whetherV alid←Vrsa(params-rsa, yp, R, (m,ω, yo, yp)). Ifit holds, the TS ascertain the following conditionsare true before the time stamp is issued:

– Alice’s public key yo is not in the public revo-cation list maintained by the TS.

– ω is not expired.

Now, TS computes Tm ← Srsa(params-rsa, xs,(m,ω, yo, yp, T )), where T denotes a time stamp.Then, TS sends (Tm, T ) to Bob over a public channel.

Bob accepts T if and only if

V alid← Vrsa(params-rsa, ys, Tm, (m,ω, yo, yp, T )).

If it holds, Bob generates proxy signature as σp =(h(m,ω, yo, ys, T )⊕ σo)

xp mod Np, otherwise rejectsthe time stamp and makes another request tothe TS. The proxy signature of message m is(m,ω, T, Tm, σp).

• Proxy signature verification: The verifier checks thefollowing to validate a proxy signature:

– Whether V alid←Vrsa(params-rsa, ys, Tm,(m,ω, yo, yp, T )). If it holds, the verifier is as-sured that the time stamp in the signed messageis correct. Otherwise, he rejects the signed mes-sage.

– Whether h(ω, yp, ys) = (σyp

p mod Np ⊕ h(m,ω, yo, ys, T ))yo mod No. If it holds, he acceptsthe signed message. Otherwise, he rejects it.

• Security: The scheme provides an effective proxyrevocation mechanism. The scheme is secure onthe assumption that IFP is hard. However, thescheme does not work when Np > No, but it is avalid assumption because typically the proxy signerkey strength should not be greater than the originalsigner key strength.

5.2.5 Zhou, Cao and Chai (2005)

Proposed a warrant-based proxy signature scheme, wheresecurity is based on IFP. They used improved Rabin’ssignature scheme [62] for their scheme.

Assumption: IFP is hard.

• Alice picks public key (No, ao) and private key(po, qo), where po and qo are two large primes, No

is the product of these two primes and ao ∈ Z∗No

isJacobi symbol satisfying ( ao

No) = -1.

• Bob picks public key (Np, ap) and private key(pp, qp), where pp and qp are two large primes, Np

is the product of these two primes and ap ∈ Z∗Np

is

Jacobi symbol satisfying (ap

Np) = -1.

• Delegation capability generation: Alice signs on war-rant and computes delegation power σo as σo←Srabin(po, qo, ao, ω, No). We note that the signatureprocess is done by Rabin’s [62] signature generationphase, and we term it as Srabin.

• Delegation capability verification: Bob verifieswhether V alid←Vrabin(σo, ω, ao, No). We note thatthe verification process is done by Rabin’s [62] signa-ture verification phase, and we term it as Vrabin.

• Proxy signature generation: Let m be the messageto be signed by Bob. Bob creates his signature on mas σp← Srabin(pp, qp, ap, σo, Np).

• Proxy signature verification: The verifier accepts theproxy signature σp if and only if V alid←Vrabin(σp,σo, ω, ao, ap, No, Np).

• Security: The scheme is secure on the assumptionthat IFP is hard. The authors also proved the se-curity strength of the scheme under random oraclemodel.

5.3 ECDSA-based Proxy Signature

5.3.1 Chen, Chung and Huang (2003)

Proposed a scheme for proxy multi-signature based onelliptic curve cryptosystem that reduces high computa-tional overheads of Sun’s scheme [71].

Assumption: ECDLP is hard.

• Let B = (xB , yB) be a point in E(Fq) for a largeprime q, the order of B is assumed as t. For each1 ≤ i ≤ n, the original signer secretly selects a ran-dom number 1 ≤ di ≤ t − 1 as her private key andcomputes the corresponding public keyQi = di×B =(xQi

, yQi).

• The proxy signer selects a private key 1 ≤ dp ≤ t− 1and computes corresponding public key Qp = dp× =(xQp

, yQp).


• Delegation capability generation: For each 1 ≤ i ≤n, the original signer Ai selects a random number1 ≤ ki ≤ t− 1, computes ri = ki×B = (xri

, yri) and

si = xi · xQi· h(ω, ri)ki mod t.

• Delegation capability verification and proxy key gen-eration: For each 1 ≤ i ≤ n, the proxy signer com-putes Ui = (xQi

· h(ω, ri) mod t) × Qi − si × B =(xUi

, yUi) using (ω, ri, si). If xUi

= xrimod t, the

proxy signer accepts si as a valid delegation of sign-ing right; otherwise, he rejects it. If the proxy signervalidates all (ω, ri, si) in which 1 ≤ i ≤ n, s/he thencomputes d = dp · xQp

+∑n

i=1 si mod t as a validproxy key.

• Proxy signature generation: When the proxy signersigns a message m for A1, · · · , An, he executes thesigning operation of a designated signature schemeusing the signing key d. The resulting proxy signa-ture is the tuple (m,σsp

(m), r1, r2, · · · , rn, ω).

• Proxy signature verification: The verifier computesthe proxy public key Q corresponding to the proxykey sp for verifying the proxy signature by the des-ignated signature scheme: Q = xQp

× Qp + (xQ1 ·h(ω, r1) mod t × Q1 + · · · + (xQn

· h(ω, rn) mod t ×Qn(r1 + · · · + rn). With the newly generated proxypublic key Q, the verifier confirms the validity ofσsp

(m) by validating the verification equation of thedesignated signature scheme.

• Security: The authors did not consider any securitymodel for their scheme, instead, a heuristic securityanalysis is given to safeguard the scheme.

5.4 Pairing-based Proxy Signature

5.4.1 Zhang, Safavi-Naini and Lin (2003)

Proposed an identity based proxy signature based onHess’s ID-based signature.

Assumption: WDHP is hard.

• Alice computes her public key yo = H(IDo), whereIDo is her identity. Then, Alice obtains her privatekey xo ←KGcdhp(params-cdhp, yo) from KGC.

• Bob computes his public key yp = H(IDp), whereIDp is his identity. Then, Bob obtains his privatekey xp ←KGcdhp(params-cdhp, yp) from KGC.

• Delegation capability generation: Alice computes σo

← Scdhp(params-cdhp, (ko, ro, co), xo, ω).Delegation capability verification: Bob accepts σo ifand only if

V alid← Vcdhp(params-cdhp, yo, σo, (co, ω)).


← PKeyGencdhp(params-cdhp, σo, co, xp).

• Proxy signature generation: Bob picks a randomnumber kp ∈ Z

∗q−1, computes

rp = e(P, P )kp ,

cp = h(m, rp) and

σp ← Scdhp(params-cdhp, (kp, cp), ρp,m).


V alid← Vcdhp(params-cdhp, (yo, yp), σp, (cp,m, ω)).

• Security: Only heuristic security analysis is given tosafeguard the scheme.

5.4.2 Chen, Zhang and Kim (2003)

Proposed a multi-proxy signature scheme, where Alicedelegates her signing capability to l proxy signers.

Assumption: CDHP is hard.


• Each proxy signer computes his public key ypi=

H(IDpi), where IDpi

is his identity. Then,Each proxy signer obtains his private key xpi

←KGcdhp(params-cdhp, ypi) from KGC.

• Delegation capability generation: Alice picks arandom number ko ∈ Z

∗q−1, computes ro =

e(P, P )ko , co = h(ω, ro), σo ← Scdhp(params-cdhp,(ko, ro, co), xo, ω).

• Delegation capability verification: Each proxy signeraccepts σo if and only if

(kp, cp),← Vcdhp(params-cdhp, yo, σo, (co, ω)).

• Proxy key generation: Each proxy signer computesproxy key as

ρpi← PKeyGencdhp(params-cdhp, σo, co, xpi

).

• Proxy signature generation: Each proxy signer per-forms the following operations to sign a message m:

– Pick randomly kpi∈ Z

∗q−1, computes rpi

=

e(P, P )kpi and broadcasts rpito the remaining

l− 1 proxy signers.

– Compute rp =∏l

i=1 rpiand cp = h(m, rp),

σpi= cpρpi

+ kpiP . Then, send σpi

to a des-ignated clerk (one of the proxy signers).

– The clerk verifies the individual proxy signature

and computes σp =

l∑

i=1

σpi. The proxy signa-

ture of message m is the tuple (m,ω, ro, cp, σp).


Table 3: Conventions and notation for pairings-based proxy signature schemes

Alice Original signerBob Proxy signerG1 A cyclic additive group, whose order is prime qG2 A cyclic multiplicative group of the same order qP A generator of G1

e A bilinear pairing mapH(·) Map-to-Point functionh(·) Collision-resistant one-way hash functions PKG’s master-keyPubKGC KGC’s public key, PubKGC = sPyo, xo Alice’s public key and private key, respectively, yo = H(IDo)yp, xp Bob’s public key and private key, respectively, yp = H(IDp)

• Proxy signature verification: The verifier accepts theproxy signature of message m if and only if cp =

h(m, e(σp, P )(e(

l∑

i=1

(yo +ypi, PubKGC)h(ω,ro) ·rl

o)−cp .

• Security: No formal security proof is considered tosafeguard the scheme.

5.4.3 Xu, Zhang and Feng (2004)

Formalized a notion of security for ID-based proxy signa-ture schemes and presented a proxy signature scheme.




• Delegation capability generation: Alice picks ko ∈Z∗q , computes ro = koP , Co = Ho(IDo, ω, ro) and

σo = xo + koCo, where

Ho : {0, 1}∗ × {0, 1}∗ ×G1 → G1.


e(σo, P ) = e(PubKGC, yo)e(ro, Co).

• Proxy key generation: Bob computes proxy key ρp =h1(IDo, IDp, ω, ro)xp + σo, where

h1 : {0, 1}∗ × {0, 1}∗ × {0, 1}∗ ×G1 → Z∗q .

• Proxy signature generation: To sign a message m,Bob does the following:

– Picks kp ∈ Z∗q−1, computes rp = kpP and then

puts Cp = Ho(IDp,m, rp).

– Computes σp = ρp +kpCp. The proxy signatureof message m is the tuple ((ro, rp), σp, (ω,m)).

• Proxy signature verification: The verifier acceptsthe proxy signature of message m iff e(σp, P ) =e(PubKGC, yp)

h1(IDo,IDp,ω,ro)e(PubKGC , yo)e(rp, Cp)e(ro, Co).

• Security: Security of the scheme is based on theCDHP in the random oracle model. But, the schemetakes large computational cost.

5.4.4 Zhang, Safavi-Naini and Susilo (2004)

Proposed a proxy signature scheme based on a shortsignature scheme.




• Delegation capability generation: Alice computesσo = (so + h(ω))−1yp.


e(h(ω)P + yo, σo) = e(P, yp).

• Proxy key generation: Bob computes ρp = xpσo.

• Proxy signature generation: To sign a message m,Bob does the following.

– Chooses a random number r ∈ Z∗q−1 and com-

putes U = r · (h(ω)P + yo).

– Computes t = H2(m,U) and σp = (t + r)−1ρp,where H2 : {0, 1}∗ × G1 → Z

∗q . The proxy sig-

nature of message m is (U, σp, ω).


• Proxy signature verification: The verifier verifieswhether

e(U +H2(m,U)(h(ω)P + yo), σp) = e(yp, yp).

• Security: Security of the scheme is based on CDHPin the random oracle model.

5.4.5 Lu, Cao and Dong (2006)

Proposed a designated verifier proxy signature scheme.




• Martin (a designated verifier) computes his pub-lic key ym = H(IDm), where IDm is his iden-tity. Then, Martin obtains his private key xm

←KGcdhp(params-cdhp, ym) from KGC.

• Delegation capability generation: Alice generatesdelegation capability σo as σo = xoH(ω).

• Delegation capability verification: Bob accepts σo ifand only if e(σo, P ) = e(H(ω), yo).

• Proxy key generation: Bob computes ρp = σo +xpH(ω).

• Proxy signature generation: To generate a designatedverifier proxy signature for Martin on message m,Bob does the following:

– Picks kp ∈ Z∗q−1 and computes rp = kpym.

– Computes σp = kp(yo + yp) − H2(m, rp) · ρp,where H2 : {0, 1}∗ ×G1 → Z

∗q .

– The proxy signature of message m is the tuple(rp, σp, (ω,m)).

• Proxy signature verification: The verifier accepts theproxy signature of message m if and only if e(yo +yp, r

′p) = e(σp, P ) · e(H(ω), yo + yp)

H2(m,rp), where

r′p = 1xm· rp.

• Security: Security of the scheme is based on theCDHP in the random oracle model. But, the schemerequires secure channel for proxy delivery.

5.4.6 Das, Saxena and Phatak (2007)

Proposed a proxy signature scheme based on Hesssignature scheme that provides effective proxy revocationmechanism and avoids key escrow problem.


• Alice computes her public key yo = H(IDo), whereIDo is her identity. Then, Alice generates her privatekey xo ←KGcdhp(params-cdhp, yo).

• Bob computes his public key yp = H(IDp), whereIDp is his identity. Then, Bob generates his privatekey xp ←KGcdhp(params-cdhp, yp).

• Delegation capability generation: Alice computesσo = (so + boH

′(ω, yo, yp), and ψo = boP . Here, bo issecret to Alice only and H ′ : {0, 1}∗×G1×G1 → G1.


e(so, P ) = e(ψo, H′(ω, yo, yp)) · e(yo, Rego),

where Rego = sboP , registration token published bythe KGC.

• Proxy key generation: Bob computes ρp = so + sp +bpH

′(ω, yo, yp). Here, bp is secret to the proxy signeronly.

• Proxy signature generation: To sign a message m,Bob does the following.

– Selects a random r ∈ Z∗q and compute R = rP .

– Computes a = h(m,R, yp) and ψp = bpP , whereh : {0, 1}∗ ×G1 ×G1 → {0, 1}

∗.

– Computes σp = (r + a)−1ρp. The proxy signa-ture of message m is (ω,m,R, σp, ψo, ψp, yo, yp).

• Proxy signature verification: The proxy signature isvalid if and only if

e(R+ h(m,R, yp)P, σp)

= e(ψo + ψp,H′(ω, yo, yp)) · e(yo, Rego) · e(yp, Regp).

• Security: The scheme is secure and does not requiresecure channel in key issuance stage.

6 Concluding Remarks

We have reviewed a few seminal works on proxy signatureswith respect to different security assumptions. In orderto give a concise picture of the schemes highlighting theimportant features and security aspects at a glance, wecompare them in the following tables. The Table 4 de-picts the DLP-based schemes, Table 5 depicts the RSA-based schemes, and Table 6 depicts the Pairing-basedschemes. We note that the computational complexity ofthe schemes in a same table more or less similar, as theirunderlying security is based on the same cryptographicprimitive. It is observed that many times, a paper typi-cally breaks a previous scheme and proposes a new one,which someone breaks later and, in turn, proposes a newone, and so on. Most of such work, though quite impor-tant and useful, essentially provides an incremental ad-vance to the same basic theme. Consequently, we believe


Table 4: Comparisons of the DLP-based proxy signatures

Features →

Schemes ↓

Secure Secure

Channel

Proxy Re-

vocation

Remarks

Mambo et al., 1996 No Yes Partial Unlimited delegationand misuse of delegation

Kim et al., 1997 Yes No No SecureZhang, 1997a No Yes No InsecurePetersen andHoster, 1997

No No No Insecure

Sun et al., 1999 No Yes No Suffers from Coalitionattacks

Lee et al., 2001b No No No Suffers from Transfer-ring, Forgery attacks

Boldyreva et al.,2003

Yes No No Based on Kim et al.,1997 and formalizes thesecurity notion, but un-limited delegation

Li et al., 2003 Yes No No No formal security anal-ysis

Herranz and Saez,2004

Yes No No Distributed proxy sig-nature, ideas based onBoldyreva et al., 2003a

Malkin et al., 2004 Yes No No Secure, based on Kimet al., 1997, hierarchicaldelegation

Lu and Huang,2006

No No No Suffers from Transfer-ring, Forgery attacks

Table 5: Comparisons of the RSA-based proxy signatures

Features →

Schemes ↓

Secure Secure

Channel

Proxy Re-

vocation

Remarks

Okamoto et al., 1999 Yes Yes No Does not provide strongunforgeability and pre-vention of misuse

Lee at al., 2001b No Yes No InsecureShao, 2003 No Yes No No formal security proofDas et al., 2004 Yes No Yes Np < No

Zhou et al., 2005 Yes No No Considers random oraclemodel

Table 6: Comparisons of the pairing-based proxy signatures

Features →

Schemes ↓

Key

Escrow

Secure

Channel

Proxy Re-

vocation

Remarks

Zhang et al., 2003 Yes Yes No No formal security proof,suffers from key escrow,needs secure channel

Chen et al., 2003 Yes Yes No No formal security proof,suffers from key escrow,needs secure channel

Xu et al., 2004 Yes Yes No Takes high computationcost, suffers from key es-crow, needs secure chan-nel

Zhang et al., 2004 Yes Yes No Suffers from key escrow,needs secure channel

Lu et al., 2006 Yes Yes No Suffers from key escrow,needs secure channel

Das et al., 2007 No No Yes Secure, no key escrow,no secure channel


it is not worth to measure a mathematical figure if thescheme is already found insecure. Instead, we summarizethe merits and limitations of the schemes. Finally, we ex-tract a few schemes from each category, which are seemedto be computationally efficient and secure.

From these tables, it is clear to select some schemeswhich seem to be secure and efficient. The Kim et al.[38] proposed a seminal work which invites many otherproposal on the same basic theme and few of them laterfound insecure. To the best of authors knowledge, theKim et al.’s scheme is secure and efficient ones. AlthoughMalkin et al. [52] is also secure and efficient; however, itis based on Kim et al.’s scheme. Lu and Huang [49] isalso found secure and provides proxy revocation mecha-nism. The Zhou et al.’s scheme [89] is the only candidatefrom the RSA-based approach, which seems to be efficientand secure. And, from the pairing-based approach, Daset al. [16] has shown potential for the security strengthcompared to other schemes, though because of pairing op-eration it takes more computational cost than the DLPand RSA-based schemes.

We also tried to explore if there are any real implemen-tation of various proposed proxy signatures. For this, wecontacted individual author of some of the papers overemail, to learn whether the scheme is used in any real-world applications? Nonetheless, we have not identifieda scheme which is being used in practical application. Infact, the responses from several authors indicated thatthey were not aware of such applications which use theirscheme.

In conclusion, we believe that the actual deployment ofproxy signatures is yet to start in a big way. However, asand when this happens, the research work being carriedout will certainly provide practically usable implementa-tions.

References

[1] A. K. Awasthi, and S. Lal, “A multi-proxy signaturescheme for partial delegation with warrant,” 2005.(http://arxiv.org/pdf/cs.CR/0504093)

[2] H. Bao, Z. Cao and, S. Wang, “Identity-based thresh-old proxy signature scheme with known signers,”Proceedings of Theory and Applications of Modelsof Computation, LNCS 3959, pp. 538-546, Springer-Verlag, 2006.

[3] A. Boldyreva, A. Palacio, and B. Warinschi, “Securesignature schemes for delegation of signing rights,”2003. (http://eprint.iacr.org/2003/96/)

[4] D. Boneh, and M. Franklin, “Identity-based encryp-tion from the Weil pairing,” Proceedings of Crypto’01, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.

[5] D. Boneh, B. Lynn, and H. Shacham, “Short sig-natures from the weil pairing,” Proceedings of Asi-acrypt’ 01, LNCS 2248, pp. 514-532, Springer-Verlag,2001.

[6] C. Boyd, and A. Mathuria, “Protocols for authen-tication and key establishment,” Springer-Verlag,2003.

[7] F. Cao, and Z. Cao, “A proxy-protected signaturescheme based on finite automaton,” Proceedings ofInternational Multi-Symposiums on Computer andComputational Sciences, pp. 48-55, IEEE ComputerSociety, 2006

[8] R. Canetti, S. Halevi, and J. Katz, “A forward-secure public-key encryption zscheme,” Proceedingsof Eurocrypt’ 03, LNCS 2656, pp. 255-271, Springer-Verlag, 2003.

[9] T. S. Chen, Y. F. Chung, and G. S. Huang, “Efficientproxy multi-signature schemes based on the ellipticcurve cryptosystem,” Computers & Security, vol. 22,no. 6, pp. 527-534, 2003.

[10] T. S. Chen, Y. F. Chung, and K. H. Huang, “A trace-able proxy multi-signature acheme based on the el-liptic surve cryptosystem,” Applied Mathematics andComputation, vol. 159, no. 1, pp. 137-145, 2004.

[11] X. Chen, F. Zhang, and K. Kim, “ID-based multi-proxy signature and blind multi-signature from bi-linear pairings,” Proceedings of KIISC’ 03, pp. 11-19,2003.

[12] C. Cocks, “An identity based encryption schemebased on quadratic residues,” Cryptography and Cod-ing, LNCS 2260, pp. 360-363, Springer-Verlag, 2001.

[13] M. L. Das, A. Saxena, and V. P. Gulati, “Proxysignatures using partial delegation with warrant,”Proceedings of International Conference on Num-ber Theory for Secure Communication, pp. 152-154,2003.

[14] M. L. Das, A. Saxena, and V. P. Gulati, “Secu-rity analysis of Lal and Awasthi’s proxy signatureschemes”, 2003. (http://eprint.iacr.org/2003/263/)

[15] M. L. Das, A. Saxena, and V. P. Gulati, “An efficientproxy signature scheme with revocation,” Informat-ica, vol. 15, no. 4, pp. 455-464, 2004.

[16] M. L. Das, A. Saxena, and D. B. Phatak, “A proxysignature scheme with revocation using bilinear pair-ings,” International Journal of Network Security, vol.4, no. 3, pp. 312-317, 2007.

[17] W. Diffie, and M. E. Hellman, “New directions incryptography.”, IEEE Transactions on InformationTheory, vol. IT-22, pp. 644-654, 1976.

[18] T. ElGamal, “A public key cryptosystem and a sig-nature scheme based on discrete logarithms,” IEEETransactions on Information Theory, vol. IT-31, no.4, pp. 469-472, 1985.

[19] G. Frey, and H. Ruck, “A remark roncerning m-divisibility and the discrete logarithm in the divisorclass group of curves,” Mathematics of Computation,vol. 62, pp. 865-874, 1994.

[20] M. Gasser, A. Goldstein, C. Kaufman, and B. Lamp-son, “The digital distributed system security archi-tecture,” Proceedings of National Computer SecurityConference, pp. 305-319, 1989.


[21] R. Gennaro. S. Jarecki, H. Krawczyk, and T. Rabi,“Robust threshold DSS signatures,” Proceedings ofEurocrypt’ 96, LNCS 1070, pp. 354-371, Springer-Verlag, 1996.

[22] H. Ghodosi, and J. Pieprzyk, “Repudiation of cheat-ing and non-repudiation of Zhang’s proxy signatureschemes,” Proceedings of Australasian Conferenceon Information Security and Privacy (ACISP’ 99),LNCS 1587, pp. 129-134, Springer-Verlag, 1999.

[23] S. Goldwasser, S. Micali, and R. Rivest, “A digitalsignature scheme secure against adaptive chosenmes-sage attacks,” SIAM Journal of Computing, vol. 17,no. 2, pp. 281-308, 1988.

[24] L. G. Guillou, and J. J. Quisquater. “A ‘paradoxical’identity-based signature scheme resulting from zero-knowledge,” Proceedings of Crypto’ 88, LNCS 403,pp. 216-231, Springer-Verlag, 1990.

[25] S. Guo, Z. Cao, and R. Lu, “An efficient ID-basedmulti-proxy multi-signature scheme,” Proceedings ofInternational Multi-Symposiums on Computer andComputational Sciences, pp. 81-88, IEEE ComputerSociety, 2006.

[26] L. Harn, “Goup oriented (t, n) digital signaturescheme and digital multi-signature,” IEE ProceedingsComputers & Digital Techniques, vol. 141, no. 5, pp.307-313, 1994.

[27] F. Hess, “An efficient identity based signatureschemes based on pairings,” Proceedings of SAC2002, LNCS 2595, pp. 310-324, Springer-Verlag,2002.

[28] J. Herranz, and G. Saez, “Fully distributedproxy signature schemes”, 2003. (http://eprint.iacr.org/2003/53/)

[29] J. Herranz, and G. Saez, “Verifiable secret sharingfor general access structures, with applications tofully distributed distributed proxy signatures,” Pro-ceedings of Financial Cryptography (FC’ 03), LNCS2742, pp. 286-302, Springer-Verlag, 2003.

[30] J. Herranz, and G. Saez, “Revisiting fully distributedproxy signature schemes,” Proceedings of Indocrypt’04, LNCS 3348, pp. 356-370, Springer-Verlag, 2004.

[31] C. L. Hsu, T. S. Wu, and T. C. Wu, “Improvementof threshold proxy signature scheme,” Applied Math-ematics & Computation, vol. 136, pp. 315-321, 2003.

[32] Z. Huang, and Y. Wang, “Convertible nominativesignatures,” Proceedings of Australasian Conferenceon Information Security and Privacy (ACISP’04),LNCS 3108, pp. 348-357, Springer-Verlag, 2004.

[33] S. Hwang, and C. Chen, “Cryptanalysis of nonrepu-diable threshold proxy signature schemes with knownsigners,” Informatica, vol. 14, no. 2, pp. 205-212,2003.

[34] M. Hwang, I. Lin, and E. J. Lu, “A secure nonrepu-diable threshold proxy signature scheme with knownsigners,” Informatica, vol. 11, no. 2, pp. 1-8, 2000.

[35] M. S. Hwang, E. J. L. Lu, and I. C. Lin, “A practi-cal (t, n) threshold proxy signature scheme based on

RSA cryptosystem,” IEEE Transactions on Knowl-edge and Data Engineering, vol. 15, no. 6, pp. 1552-1560, 2003.

[36] M. A. Ibrahim, and A. Cerny, “Proxy and thresholdone-time signatures,” Proceedings of InternationalConference Applied Cryptography and Network Secu-rity (ACNS’ 03), LNCS 2846, pp. 123-136, Springer-Verlag, 2003.

[37] A. Ivan, and Y. Dodis, “Proxy cryptography revis-ited,” Proceedings of Network and Distributed SystemSecurity Symposium (NDSS’03), The Internet Soci-ety, 2003.

[38] S. Kim, S. Park, and D. Won, “Proxy signatures re-visited,” Proceedings of Information and Communi-cations Security (ICICS’ 97), LNCS 1334, Springer-Verlag, pp. 223-232, 1997.

[39] S. Lal, and A. K. Awasthi, “A scheme for obtaining aWarrant message from the digital proxy signatures,”2003. (http://eprint.iacr.org/2003/073/)

[40] J. Lee, J. Cheon, and S. Kim, “An analysis of proxysignatures: Is a secure channel necessary?,” Proceed-ings of CT-RSA Conference, LNCS 2612, pp. 68-79,Springer-Verlag, 2003.

[41] N. Y. Lee, T. Hwang, and C. H. Wang, “On Zhang’snonrepudiable proxy signature schemes,” Proceedingsof Australasian Conference on Information Securityand Privacy (ACISP’ 98), LNCS 1438, pp. 415-422,Springer-Verlag, 1998.

[42] N. Y. Lee, and M. F. Lee, “The security of a strongproxy signature scheme with proxy signer privacyprotection,” Applied Mathematics and Computation,vol. 161, pp. 807-812, 2005.

[43] B. Lee, and K. Kim, “Strong proxy signatures,” IE-ICE Transactions Fundamentals, vol. E-82, no. 1, pp.1-11, 1999.

[44] B. Lee, H. Kim, and K. Kim, “Strong proxy signatureand its applications,” Proceedings of Symposium onCryptography and Information Security, pp. 603-608,2001.

[45] B. Lee, H. Kim, and K. Kim, “Secure mobile agentusing strong non-designated proxy signature,” Pro-ceedings of Australasian Conference on InformationSecurity and Privacy (ACISP’ 01), LNCS 2119, pp.474-486, Springer-Verlag, 2001.

[46] L. Li, S. Tzeng, and M. Hwang, “Generalization ofproxy signature-based on discrete logarithms,” Com-puters & Security, vol. 22, no. 3, pp. 245-255, 2003.

[47] C. Y. Lin, T. C. Wu, and F. Zhang, “Proxy signa-ture and proxy multi-signature from bilinear pair-ings,” Proceedings of International Conference on In-formatics, Cybernetics and Systems, 2003.

[48] R. Lu, Z. Cao, and X. Dong, “Efficient ID-basedone-time proxy signature and Its application in E-cheque,” Proceedings of Cryptology and Network Se-curity, LNCS 4301, pp. 153-167, Springer-Verlag,2006

[49] E. J. L. Lu, and C. J. Huang, “A time-stampingproxy signature scheme using time-stamping ser-


vice,” International Journal of Network Security, vol.2, no. 1, pp. 43-51, 2006.

[50] R. Lu, Z. Cao, X. Dong, and R. Su, “Designated ver-ifier proxy signature scheme from bilinear pairings,”Proceedings of International Multi-Symposiums onComputer and Computational Sciences, IEEE Com-puter Society, pp. 40-47, 2006.

[51] J. Lv, J. Liu, and X. Wang, “Further crypt-analysis of some proxy signature schemes,” 2003.(http://eprint.iacr.org/2003/111/)

[52] T. Malkin, S. Obana, and M. Yung, “The hierar-chy of key evolving signatures and a characterizationof proxy signatures,” Proceedings of Eurocrypt’ 04,LNCS 3027, Springer-Verlag, pp. 306-322, 2004.

[53] M. Mambo, K. Usuda, and E. Okamoto, “Proxy Sig-natures: Delegation of the Power to Sign Messages,”IEICE Transactions Fundamentals, vol. E79-A, no.9, pp. 1338-1353, 1996.

[54] A. Menezes, T. Okamoto, and S. Vanstone, “Reduc-ing elliptic curve logarithms to logarithms in finitefield,” IEEE Transactions on Information Theory,vol. 39, no. 5, pp. 1639-1646, 1993.

[55] A. Menezes, P. C. V. Oorschot, and S. Vanstone,Handbook of Applied Cryptography, CRC Press, 1996.

[56] T. Okamoto, A. Inomata, and E. Okamoto, “Aproposal of short proxy signature using pairing,”International Conference on Information Technol-ogy: Coding and Computing (ITCC’05), pp. 631-635,IEEE Computer Society, 2005.

[57] T. Okamoto, M. Tada, and E. Okamoto, “Extendedproxy signaures for smart card” Proceedings of Infor-mation Security Workshop’99, LNCS 1729, pp. 247-258, Springer-Verlag, 1999.

[58] H. U. Park, and I. Y. Lee, “A digital nomina-tive proxy signature scheme for mobile communica-tions,” Proceedings of Information and Communica-tions Security (ICICS’ 01), LNCS 2229, pp. 451-455,Springer-Verlag, 2001.

[59] T. Pedersen, “Distributed provers with applicationsto undeniable signatures,” Proceedings of Eurocrypt’91, LNCS 547, Springer-Verlag, pp. 221-238, 1991.

[60] H. Petersen, and P. Horster, “Self-certified keys-concepts and applications,” Proceedings of Confer-ence on Communivations and Multimedia Security,pp. 102-116, 1997.

[61] H. Qian, and Z. Cao, “A novel ID-based partial del-egation with Warrant proxy signature scheme,” Pro-ceedings of ISPA Workshops, LNCS 3759, pp. 323-331, Springer-Verlag, 2005.

[62] M. O. Rabin, “Digitalized signatures,” Foundationsof Secure Communication, pp. 155-168, AcademicPress, 1978.

[63] R. L. Rivest, A. Shamir, and L. Adleman, “A methodfor obtaining digital signatures and public-key cryp-tosystems,” Communications of the ACM, vol. 21,no. 2, pp. 120-126, 1978.

[64] A. Romao, and M. M. da Silva, “Secure mobile sgentdigital signatures with proxy certificates,” Proceed-ings of E-Commerce Agents, LNAI 2033, pp. 206-220,2001.

[65] Z. Shao, “Proxy signature schemes based on fac-toring,” Information Processing Letters, vol. 85, pp.137-143, 2003.

[66] Z. Shao, “Improvement of threshold proxy signaturescheme,” Computer Standards & Interfaces, vol. 27,pp. 53-59, 2004.

[67] K. Shum, and V. K. Wei, “A strong proxy signa-ture scheme with proxy signer privacy protection,”Proceedings of IEEE International Workshop on En-abling Technologies: Infrastucture for CollaborativeEnterprises (WETICE’ 02), 2002.

[68] C. Schnorr, “Efficient signature generation by smartcards,” Journal of Cryptography, vol. 4, no. 3, pp.161-174, 1991.

[69] H. M. Sun, “An efficient nonrepudiable thresholdproxy signature scheme with known signers,” Com-puter Communications, vol. 22, no. 8, pp. 717-722,1999.

[70] H. M. Sun, “On proxy multi-signature scheme,” Pro-ceedings of the International Computer Symposium,pp. 65-72, 2000.

[71] H. M. Sun, “Design of time-stamped proxy signa-tures with traceable receivers,” IEE Proceedings ofComputers & Digital Techniques, vol. 147, no. 6, pp.462-466, 2000.

[72] H. M. Sun, and B. T. Hsieh, “On the se-curity of some proxy signature schemes,” 2003.(http://eprint.iacr.org/2003/068/)

[73] H. M. Sun, N. Y. Lee, and T. Hwang, “Thresholdproxy signatures,” IEE Proceedings of Computers &Digital Techniques, vol. 146, no. 5, pp. 259-263, 1999.

[74] Z. Tan, and Z. Liu, “Provably secure delegation-by-certification proxy signature schemes,” 2004.(http://eprint.iacr.org/2004/148/)

[75] Z. Tan, and Z. Liu, “On the security ofsome nonrepudiable threshold proxy signa-ture schemes with known signers,” 2004.(http://eprint.iacr.org/2004/234/)

[76] C. S. Tsai, S. F. Tzeng, and M. S. Hwang, “Improvednon-repudiable threshold proxy signature schemewith known Signers,” Informatica, vol. 14, no. 3, pp.1-10, 2003.

[77] K. Viswanathan, C. Boyd, and E. Dwason, “Signa-ture scheme for sontrolled environments,” Proceed-ings of Information and Communications Security(ICICS’ 99), LNCS 1726, pp. 119-134, Springer-Verlag, 1999.

[78] G. Wang, “Designated-verifier proxy signatures for e-commerce,”, Proceedings of International Conferenceon Multimedia and Expo (ICME’ 04), pp. 1731-1734,2004.

[79] G. Wang, “Designated-verifier proxy signatureschemes,” Proceedings of Security and Privacy in theAge of Ubiquitous Computing, IFIP series 181, pp.409-423, Springer-Verlag, 2005.


[80] G. Wang, F. Bao, J. Zhou, and R. H. Deng, “Se-curity analysis of some proxy signatures,” 2003.(http://eprint.iacr.org/2003/196/)

[81] G. Wang, F. Bao, J. Zhou, and R. H. Deng, “Com-ments on a practical (t, n) threshold proxy signa-ture scheme based on the RSA cryptosystem,” IEEETransactions on Knowledge and Data Engineering,vol. 16, no. 10, pp. 1309-1311, 2004.

[82] J. Xu, Z. Zhang, and D. Feng, “ID-basedproxy signature using bilinear pairings,” 2004.(http://eprint.iacr.org/2004/206/)

[83] L. Yi, G. Bai, and G. Xiao, “Proxy multi-signaturescheme: A new type of proxy signature scheme,”,Electronics Letters, vol. 36, no. 6, pp. 527-528, 2000.

[84] K. Zhang, “Nonrepudiable proxy signature schemes,”2008. (http://citeseer.nj.nec.com/360090.html/)

[85] K. Zhang, “Threshold proxy signature schemes,”Proceedings of Information Security Workshop,LNCS 1396, pp. 191-197, Springer-Verlag, 1997.

[86] F. Zhang, and K. Kim, “Efficient ID-based blind sig-nature and proxy signature from bilinear pairings,”Proceedings of Australasian Conference on Infor-mation Security and Privacy (ACISP’2003), LNCS2727, pp. 312-323, Springer-Verlag, 2003.

[87] F. Zhang, R. S. Naini, and C. Y. Lin, “Newproxy signature, proxy blind signature and proxyring signature schemes from bilinear pairing,” 2003.(http://eprint.iacr.org/2003/104/)

[88] F. Zhang, R. Safavi-Naini, and W. Susilo, “An ef-ficient signature from bilinear pairings and its ap-plications,” Proceedings of Public Key Crptography(PKC’04), LNCS 2947, pp. 277-290, Springer-Verlag,2004.

[89] Y. Zhou, Z. Cao, and Z. Chai, “An efficient proxy-protected signature scheme based on factoring,” Pro-ceedings of ISPA Workshops, LNCS 3759, pp. 332-341, Springer-Verlag, 2005.

[90] Y. Zhou, Z. Cao, and Z. Chai, “Constructing secureproxy cryptosystem,” Proceedings of CISC, LNCS3822, pp. 150-161, Springer-Verlag, 2005.

Manik Lal Das received his Ph.D. degree from IndianInstitute of Technology, Bombay, India in 2006. He isan Assistant Professor in Dhirubhai Ambani Institute ofInformation and Communication Technology, Gandhina-gar, India. He has published over 40 research articles inrefereed Journals/Conferences. He is a member of theIEEE, Cryptology Research Society of India and IndianSociety for Technical Education. His research interestsinclude Cryptography and Information Security.

Ashutosh Saxena received his M.Sc. (1990), M. Tech.(1992) and Ph.D. in Computer Science (1999). Presently,he is working as Senior Research Associate in the SETLabs at Infosys Technologies Ltd., Hyderabad. He ison the Editorial Committees of various InternationalJournals and Conferences, and is a Life Member of Cryp-tology Research Society of India and Computer Societyof India and Member of IEEE Computer Society. He hasto his credit more than 70 research papers published inNational/ International Journals and Conferences. Hismain research interest is in the areas of AuthenticationTechnologies, Smart Card, Key Management and Secu-rity Issues and Payment Systems in Banking.

Deepak B Phatak received his Ph.D. degree from In-dian Institute of Technology, Bombay, India. He is a Pro-fessor in Computer Science & Engineering, Indian Insti-tute of Technology, Bombay, India. His research inter-ests include Data Bases, System performance evaluation,Smart Cards and Information Systems.

Algorithms and Approaches of Proxy Signature: A...

Documents

Transcript of Algorithms and Approaches of Proxy Signature: A...