## Nonrepudiable Proxy Signature Schemes (1997)

Citations: | 2 - 0 self |

### BibTeX

@TECHREPORT{Zhang97nonrepudiableproxy,

author = {Kan Zhang},

title = {Nonrepudiable Proxy Signature Schemes},

institution = {},

year = {1997}

}

### OpenURL

### Abstract

. Delegation of rights is a common practice in the real world. Proxy signature schemes have been invented to delegate signing capability efficiently and transparently. Existing proxy signature schemes don't support nonrepudiation. Nonrepudiation means signature signer, both the original and proxy signers, cannot falsely deny later that he generated a signature. In practice, it is important and, sometimes, necessary to have the capability to decide who is the actual signer of a proxy signature for internal auditing purpose or when there is abuse of signing capability. In this paper, we show how to add nonrepudiation to existing proxy signature schemes. Nonrepudiation is achieved through a partially blind signature key generation protocol adapted from a fully blind signature scheme. The new nonrepudiable proxy signature scheme fits in the same general framework as existing ones. Therefore, the desirable properties of existing schemes can also be said about our new scheme. In...

### Citations

1113 |
A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
(Show Context)
Citation Context ...essage substitution attack is not feasible in our scheme since we require a constant message m = 1. For more detailed discussion on the security of ordinary ElGamal-like signature schemes, please see =-=[9, 21,17, 2, 16]-=-. It is apparent that our scheme and the MUO scheme belong to the same general framework. The properties that the MUO scheme has, for example, the properties listed in Section 3, are also true with ou... |

493 |
Undeniable signature
- Chaum, Antwerpen
- 1990
(Show Context)
Citation Context ...creator, they are often used as a method to certify intended delegations [20, 14]. There are other special digital signature schemes for delegating verification capability, e.g. undeniable signatures =-=[8, 5]-=-, designated confirmer signatures [6, 18]. In this paper, we are interested in delegating signing capability. While delegation of signing capability as a tool may have broad applications in various ar... |

424 |
Blind signatures for untraceable payments
- Chaum
- 1983
(Show Context)
Citation Context ...s view of an execution of the protocol, which means the original signer cannot get any information about the signature pair he blindly signed. This is the blindness property in Chaum's original sense =-=[3, 4]-=-, which we refer to as full blindness in this paper. While fully blind signature schemes may find useful applications in digital cash, they are not ideal for generating proxy signature keys. In proxy ... |

417 | Security Without Identification: Transaction Systems to make Big Brother Obsolete
- Chaum
- 1985
(Show Context)
Citation Context ...s view of an execution of the protocol, which means the original signer cannot get any information about the signature pair he blindly signed. This is the blindness property in Chaum's original sense =-=[3, 4]-=-, which we refer to as full blindness in this paper. While fully blind signature schemes may find useful applications in digital cash, they are not ideal for generating proxy signature keys. In proxy ... |

354 | Tamper Resistance — a Cautionary Note
- J, Kuhn
- 1996
(Show Context)
Citation Context ...the company signature key in a temperproof hardware, e.g. a smartcard, and delegate it to a proxy signer. The underlying assumption is that the hardware is temper-proof, which is not necessarily true =-=[1]-=-. Another drawback is that you cannot tell the differences between signatures signed by a proxy and those signed by the original signer since they are all signed by the same smartcard (same key). Ther... |

302 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance - Pohlig, Hellman |

117 | Proxy-Based Authorization and Accounting for Distributed Systems
- Neuman
- 1993
(Show Context)
Citation Context ...ture schemes related to our work are briefly described. 2 2 Delegation of signing capability Delegation of rights has been studied for various applications before, e.g. proxybased user authentication =-=[20, 14]-=-. Since digital signature schemes ensure both message authentication and identity of its creator, they are often used as a method to certify intended delegations [20, 14]. There are other special digi... |

92 |
Proxy Signatures for Delegating Signing Operation
- Mambo, Usuda, et al.
- 1996
(Show Context)
Citation Context ...ability. While delegation of signing capability as a tool may have broad applications in various areas, we confine ourselves to the problem of how to delegate signing capability to a proxy signer. In =-=[13]-=-, delegations of signing rights are classified into three types, i.e., full delegation, delegation by warrant and partial delegation. In full delegation, a proxy signer is given the same secret key x ... |

84 |
Message recovery for signature schemes based on the discrete logarithm problem
- Nyberg
- 1994
(Show Context)
Citation Context ... The following equation can be used as an alternative to equation (1). g s = y r r(modp) (2) Equation (1) and (2) correspond to a special case (message m equals 1) of Yen-Laih [21] and Nyberg-Rueppel =-=[17]-=- signature schemes, respectively. The authors of MUO scheme stated the following properties. -- Unforgeability Only the original signer and the designated proxy signer can create a valid proxy signatu... |

81 |
Designated Confirmer Signatures
- Chaum
- 1994
(Show Context)
Citation Context ... to certify intended delegations [20, 14]. There are other special digital signature schemes for delegating verification capability, e.g. undeniable signatures [8, 5], designated confirmer signatures =-=[6, 18]-=-. In this paper, we are interested in delegating signing capability. While delegation of signing capability as a tool may have broad applications in various areas, we confine ourselves to the problem ... |

51 | A new signature scheme based on the DSA giving message recovery - Nyberg |

33 |
Designated Confirmer Signatures and Public Key Encryption Are Equivalent,” CRYPTO
- Okamoto
- 1994
(Show Context)
Citation Context ... to certify intended delegations [20, 14]. There are other special digital signature schemes for delegating verification capability, e.g. undeniable signatures [8, 5], designated confirmer signatures =-=[6, 18]-=-. In this paper, we are interested in delegating signing capability. While delegation of signing capability as a tool may have broad applications in various areas, we confine ourselves to the problem ... |

32 | Meta-Message Recovery and Meta-Blind Signature Schemes Based on the Discrete Logarithm Problem their Applications
- Horster, Michels, et al.
- 1994
(Show Context)
Citation Context ...rtcomings. 4 Nonrepudiable proxy signature scheme To achieve nonrepudiation, we use blind signature schemes to generate proxy signature keys. However, direct applying existing blind signature schemes =-=[7, 12]-=- results in fully blind signatures such that given a proxy signature the original signer has no idea about the identity of its proxy signer. Therefore, we have to adapt fully blind signature schemes t... |

17 |
New digital signature scheme based on discrete logarithm
- Yen, Laih
- 1993
(Show Context)
Citation Context ... with y 0 = yr r (modp). The following equation can be used as an alternative to equation (1). g s = y r r(modp) (2) Equation (1) and (2) correspond to a special case (message m equals 1) of Yen-Laih =-=[21]-=- and Nyberg-Rueppel [17] signature schemes, respectively. The authors of MUO scheme stated the following properties. -- Unforgeability Only the original signer and the designated proxy signer can crea... |

7 |
New digital signature scheme based on discrete logarithm (comment
- Nyberg, Rueppel
- 2004
(Show Context)
Citation Context ...essage substitution attack is not feasible in our scheme since we require a constant message m = 1. For more detailed discussion on the security of ordinary ElGamal-like signature schemes, please see =-=[9, 21,17, 2, 16]-=-. It is apparent that our scheme and the MUO scheme belong to the same general framework. The properties that the MUO scheme has, for example, the properties listed in Section 3, are also true with ou... |

5 | An Analysis of the Proxy
- Varadharajan, Allen, et al.
- 1991
(Show Context)
Citation Context ...ture schemes related to our work are briefly described. 2 2 Delegation of signing capability Delegation of rights has been studied for various applications before, e.g. proxybased user authentication =-=[20, 14]-=-. Since digital signature schemes ensure both message authentication and identity of its creator, they are often used as a method to certify intended delegations [20, 14]. There are other special digi... |

2 |
Comment: New digital signature scheme based on discrete logarithm
- Boyd
- 1994
(Show Context)
Citation Context ...essage substitution attack is not feasible in our scheme since we require a constant message m = 1. For more detailed discussion on the security of ordinary ElGamal-like signature schemes, please see =-=[9, 21,17, 2, 16]-=-. It is apparent that our scheme and the MUO scheme belong to the same general framework. The properties that the MUO scheme has, for example, the properties listed in Section 3, are also true with ou... |

2 |
selects ~ k 2 Zq , computes ~ r = g ~ k (mod p), and sends ~ r to Bob
- Alice
(Show Context)
Citation Context ...the company signature key in a temperproof hardware, e.g. a smartcard, and delegate it to a proxy signer. The underlying assumption is that the hardware is temper-proof, which is not necessarily true =-=[1]-=-. Another drawback is that you cannot tell the differences between signatures signed by a proxy and those signed by the original signer since they are all signed by the same smartcard (same key). Ther... |

2 |
randomly selects ff 2 Zq and fi 2 Z q , computes r = mg ff ~ r fi (mod p) and ~ m = rfi \Gamma1 (mod q): (b) Bob checks whether ~ m 2 Z q . If this is not the case, he goes back to step a). Otherwise, he sends ~ m to Alice
- Bob
(Show Context)
Citation Context |

2 |
computes ~ s = ~ mx+ ~ k(mod q) and forwards ~ s to Bob
- Alice
(Show Context)
Citation Context ...s view of an execution of the protocol, which means the original signer cannot get any information about the signature pair he blindly signed. This is the blindness property in Chaum's original sense =-=[3, 4]-=-, which we refer to as full blindness in this paper. While fully blind signature schemes may find useful applications in digital cash, they are not ideal for generating proxy signature keys. In proxy ... |

2 |
computes s = ~ sfi + ff(mod q): The pair (r; s) is a Nyberg-Rueppel signature of the message m and the above protocol is a blind signature scheme
- Bob
(Show Context)
Citation Context |

1 |
The Blinding of Weak Signatures
- Franklin, Yung
- 1995
(Show Context)
Citation Context ...the underlying Nyberg-Rueppel scheme (see Appendix) to the one used in MUO scheme (Eq 2). And the original blind Nyberg-Rueppel scheme becomes the one we use in our proxy signature key generation. In =-=[10]-=-, Franklin and Yung identified three forms of blinding: -- signature with blind verification prevents the signer from later recognising the signature, without necessarily hiding the message from him. ... |