Download Report

Information Sciences 177 (2007) 4095–4108
www.elsevier.com/locate/ins
How to construct secure proxy cryptosystem
Yuan Zhou
a,b,*
q
, Binxing Fang a,b, Zhenfu Cao c, Xiaochun Yun
Xiaoming Cheng b
a,b
,
a
Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100080, PR China
National Computer Network Emergency Response Technical Team/Coordination Center of China, PR China
Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, PR China
b
c
Received 2 June 2006; received in revised form 17 January 2007; accepted 26 January 2007
Abstract
Proxy cryptosystem, ﬁrst proposed by Mambo and Okamoto [M.Mambo, E. Okamoto, Proxy cryptosystem: delegation
of a power to decrypt ciphertexts, IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E80-A/1 (1997) 54–63], allows
the original decryptor to delegate his decrypting capability to the proxies. However, until now, no practical proxy cryptosystem modes are proposed. Therefore, in this paper, we present a novel proxy cryptosystem model: proxy cryptosystem
based on time segmentation. Under this mode, a security analysis model will be proposed. Furthermore, a proxy cryptosystem scheme is presented as an example. We will show that the proposed scheme is proven security in the proposed security analysis model. Finally, we will give the ID-based version of this construction.
2007 Elsevier Inc. All rights reserved.
Keywords: Proxy cryptosystem; Bilinear Diﬃe–Hellman; ID-based
1. Introduction
1.1. Background and related work
Recently, modern cryptography techniques such as encryption have attracted a lot of attentions due to the
booms of e-commerce. However, in some cases, a original decryptor such as the CEO of a corporate may be
put on too much decrypting load. Therefore, it is desirable to delegate the decrypting capability to some proxies such as the assistants of CEO, who can decrypt the encrypted messages on behalf of him. At the same time,
it is required that the delegation can be withdrew eﬃciently.
q
An extended abstract of this paper appears in CISC2005, volume 3820 of Lecture Notes in Computer Science, pp. 150–161, SpringerVerlag, 2005.
*
Corresponding author.
E-mail addresses: [email protected] (Y. Zhou), [email protected] (B. Fang), [email protected] (Z. Cao), [email protected] (X.
Yun).
0020-0255/$ - see front matter 2007 Elsevier Inc. All rights reserved.
doi:10.1016/j.ins.2007.01.024
4096
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
The nature method of delegating decryption is to ‘‘decrypt and re-encrypt’’. In this method, there are two
parties: one is an original decryptor, and the other is a delegated decryptor. When some ciphertext is sent to
the original delegator, he ﬁrst uses his secret key to implement a decryption operation and get the corresponding plaintext M, then encrypt it with the delegated decryptor’s public key. However, it may be low eﬃcient in
some situation. The original decryptor must implement two complete public key cryptographic operations.
Moreover, When the original decryptor is oﬀ-line, the delegated decryptor cannot implement any decryption
operation.
In 1996, Mambo and Okamoto [17] introduced proxy cryptosystem to delegate the capacity of decryption. In their original proposal, it allows an original decryptor to transform the ciphertext into another
ciphertext for a delegated decryptor. Once the ciphertext transformation is executed successfully, the delegated decryptor can compute a plaintext in place of the original decryptor. After Mambo and Okamoto’s
initial work, many scholars have done a lot of works in this ﬁeld. In 1998, Blaze, Bleumer, and Strauss [5]
proposed the notion of atomic proxy cryptography. In this method, the original decryptor and delegated
decryptor together publish a transformation key by which a semi-trusted intermediary transforms ciphertext
encrypted for the original decryptor directly into ciphertext that can be decrypted by the delegated decryptor. Follow on [5], Jakobsson [16] developed a quorum-based protocol where the semi-trusted intermediary
is divided into sub-components and each of them controls a share of the transformation key. Although
these schemes are more eﬃcient than ‘‘decrypt and re-encrypt’’, they still have the common shortcoming:
When original decryptor or a semi-trusted intermediary is oﬀ-line and does not execute transformation,
the delegated decryptor cannot decrypt some ciphertext encrypted for the original decryptor. So, it is desirable that a delegated decryptor can decrypt the ciphertext without any ciphertext transformation by other
entity.
In 2004, a transformation-free proxy (TFP) cryptosystem [21] was presented. The TFP scheme allows delegated decryptor to do decryption without any ciphertext transformation. However, in the scheme, the encryption key must be aiming at the speciﬁc delegated decryptor (i.e. the delegated decryptor only can decrypt the
ciphertext encrypted by the encryption key according to his identity). Moveover, no formal security notion are
given.
In comparison to delegation of signature, only few research eﬀorts have been put on delegation of decryption progresses [18,19,22,14,15]. It is fair to say that until the results in [23], constructing a secure proxy
cryptosystem was an open problem.
1.2. Our contribution
1.2.1. Proxy cryptosystem based on time segmentation
In this paper, we apply a time segmentation mode to proxy cryptosystem. Our idea is from the forwardsecure schemes [2,4]. In a proxy cryptosystem based on time segmentation (PCBTS), a original decryptor registers a public key PK and keeping private the corresponding secret key SK. The expected lifetime of PK is
divided into segmentations, say n of them, numbered t1 ; t2 ; . . . ; tn . The public key stays ﬁxed throughout the
lifetime of the scheme, this is curial for making such a scheme viable. When the original decryptor wants
to delegate his decryption capacity of time segmentation ti, he deviates the proxy secret key SK its at ti from
his secret key SK for a proxy decryptor. Then the proxy decryptor obtains the decryption capacity during time
segmentation ti. At the same time, a PCBTS scheme should guarantee that even if adversary knows proxy
secret key at time segmentation ti, messages encrypted during all time segmentations except ti remain secret.
Moveover, We deﬁne a rigorous notion of security for PCBTS and ID-based PCBTS.
1.2.2. PCBTS schemes
We propose a PCBTS scheme, which makes use of ideas from the Hierarchical identity-based encryption
(HIBE) scheme of Gentry and Silverberg [12], the hierarchical identity-based encryption with constant size
(HIBE-CSC) scheme of Boneh and Boyen [7], the Foward-secure public-key encryption (FSPE) scheme of
Canetti et al. [10] and the scheme of Fujisaki and Okamoto [11]. Its security is based on computational
BDH assumption [8,9]. Under this scheme, we construct an ID-based PCBTS scheme.
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
4097
1.3. Organization
In Section 2, we ﬁrst deﬁne PCBTS and formally deﬁne its security notion, then a PCBTS scheme is provided under the computational BDH assumption. In Section 3, we deﬁne ID-based PCBTS and formally
deﬁne security notion for ID-based PCBTS. In this section, we also provide a ID-based PCBTS scheme. Section 4 gives some results and conclusions.
2. Proxy cryptosystem based on time segmentation and its security
In this section, we discuss proxy cryptosystem based on time segmentation (PCBTS). We ﬁrst discuss the
form of algorithms, and then discuss its security. After that, we present a secure PCBTS scheme.
2.1. Proxy cryptosystem based on time segmentation
Deﬁnition 2.1. A Proxy cryptosystem based on time segmentation (PCBTS) scheme is a 5-tuple of
probabilistic, polynomial time (PPT) algorithms ðG; PKD; E; D; PDÞ such that:
• The key generation algorithm G takes as input a security parameter 1k, and possibly other parameters, to
return a public key PK, and corresponding secret key SK. The algorithm is probabilistic.
• The proxy key derivation algorithm PKD takes as input the public key PK, the secret key SK, and the time
segmentation t, to return the proxy secret key SK ts of the corresponding time segmentation.
• The encryption algorithm E takes as input PK, a time segmentation t, and a message M, to return a ciphertext C. Here, the way of determining the time segmentation t can be described by a example: Suppose a day
is selected as the unit for the time segmentation. If the start time of the encryption operation is 11:45
November 13rd, 2006, then the time segmentation t determined by the software which is used for executing
the encryption operation is November 13rd,2006.
• The decryption algorithm D takes as input PK, the secret key SK, and a ciphertext C to return a message M.
• The proxy decryption algorithm PD takes as input PK, the secret proxy secret key SK ts of the corresponding
time segmentation t, and a ciphertext C, to return a message M.
These algorithms must satisfy the standard correctness requirements as follows:
(1) for any ðPK; SKÞ output by Gð1k Þ, and any message M, we have M ¼ DðPK; SK; EðPK; t; MÞÞ.
(2) for any ðPK; SK ts Þ output by PKDðPK; SK; tÞ, and any message M, we have M ¼ PDðPK; SK ts ;
EðPK; t; MÞÞ.
2.2. Security notion for PCBTS
We wish to assess the security of a PCBTS scheme. To do this eﬃciently we must ﬁrst pin down an appropriate model, in which all potential actions of the adversary must be considered. We extend the notion of indistinguishability of chosen plaintext attack (IND-CPA) [13] and the notion of indistinguishability of adaptive
chosen ciphertext attack (IND-CCA2) [20], and take into account the attack scenario in which the adversary
can obtains proxy secret keys of some time segmentations. We call this attack scenario selective time segmentation attack.
The adversary knows the total time segmentations, the current time segmentation, and the user’s public key
PK. The goal is that even exposure of some proxy secret keys corresponding to some time segmentations it
should be computationally infeasible for an adversary to obtain even a bit plaintext information of a given
ciphertext of time segmentation t* (the proxy secret key of t* has not been obtained by the adversary) with
respect to the already obtained proxy secret keys.
4098
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
Deﬁnition 2.2. A PCBTS scheme is secure against selective time segmentation, chosen plaintext attacks (STSCPA) if no polynomially bound adversary A has a non-negligible advantage against the Challenger in the
following game:
(1) The challenger takes a security parameter 1k and runs the G algorithm. It gives the adversary the public
key PK, and keeps the secret key SK to itself.
(2) The adversary issues queries q1 ; q2 ; . . . ; qm where query qi is
• Proxy secret key query ðti Þ. The challenger responds by running algorithm PKD to generate the
proxy secret key SK its corresponding to the time segmentation ti. It sends SK its to the adversary.
(3) The adversary generates a request challenge ðt ; M 0 ; M 1 Þ. Here, M0 and M1 are equal length plaintext
and t* is a time segmentation and did not appear in any proxy secret key query in the second step.
The challenger picks a random bit b 2 f0; 1g and sets C ¼ EðPK; t ; M b Þ. It sends C* as the challenge
to the adversary.
(4) The adversary issues more queries qmþ1 ; qmþ2 ; . . . ; qn where query is
• Proxy secret key query ðti Þ where ti 6¼ t . Challenger responds as the second step.
At the end of the game the adversary outputs b0 2 f0; 1g and wins the game if b0 ¼ b. The adversary’s advantage is the absolute value of the diﬀerence between its success probability and 1/2.
Deﬁnition 2.3. A PCBTS scheme is secure against selective time segmentation, chosen ciphertext attacks (STSCCA) if no polynomially bound adversary A has a non-negligible advantage against the Challenger in the
following game:
(1) The challenger takes a security parameter 1k and runs the G algorithm. It gives the adversary the public
key PK, and keeps the secret key SK to itself.
(2) The adversary issues queries q1 ; q2 ; . . . ; qm where query qi is one of
• Proxy secret key query ðti Þ. The challenger responds by running algorithm PKD to generate
the proxy secret key SK its corresponding to the time segmentation ti. It sends SK its to the adversary.
• Decryption query ðC i ; ti Þ. The challenger runs algorithm D to decrypt the ciphertext Ci using the
secret key SK. It sends the resulting plaintext to the adversary.
(3) The adversary generates a request challenge ðt ; M 0 ; M 1 Þ. Here, M0 and M1 are equal length plaintext
and t* is a time segmentation and did not appear in any proxy secret key query in the second step.
The challenger picks a random bit b 2 f0; 1g and sets C ¼ EðPK; t ; M b Þ. It sends C* as the challenge
to the adversary.
(4) The adversary issues more queries qmþ1 ; qmþ2 ; . . . ; qn where query is one of
• Proxy secret key query ðti Þ where ti 6¼ t . Challenger responds as the second step.
• Decryption query ðC i ; ti Þ where ðC i ; ti Þ 6¼ ðC ; t Þ. Challenger responds as the second step.
At the end of the game the adversary outputs b0 2 f0; 1g and wins the game if b0 ¼ b. The adversary’s advantage is the absolute value of the diﬀerence between its success probability and 1/2.
To prove the security of a PCBTS scheme, we also adopt a concept called plaintext awareness (PA) [1,3].
Plaintext awareness means that the adversary can decrypt any ciphertext it creates. In essence, if the adversary
already knows the answer that it will receive from a decryption oracle, then the oracle gives him no additional
power.
Deﬁnition 2.4. Let P ¼ ðG; PKD; E; D; PDÞ be a STS-CPA PCBTS scheme in random oracle, we say it is
secure against PA if for any adversary B, there exists a polynomial time algorithm kðkÞ-knowledge extractor
K for P in the following game such that 1 kðkÞ is negligible in k:
(1) The challenger takes a security parameter 1k and runs the G algorithm. It gives the adversary the public
key PK and random oracle H, and keeps the secret key SK to itself.
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
4099
(2) The adversary B issues queries q1 ; q2 ; . . . ; qm where query qi is one of:
• Encryption Oracle queries Mi. The challenger runs algorithm E to encrypt the plaintext Mi using the
public key PK and random oracle H. It discards the Mi and sends the result ciphertext Ci to the adversary B.
• Random oracle queries hi. The challenger responds by a random value Hi as the answer of H ð:Þ.
(3) The adversary B creates a C*. We say C 6¼ C i . It sends C* to the challenger. When the challenger
receives C*, it run the kðkÞ-knowledge extractor K, which takes as input results Ci of queries Mi, results
ðhi ; H i Þ of queries hi and C*. It try to extract the corresponding plaintext M*.
When C* is valid ciphertext, the success probability of K to extract the corresponding is kðkÞ.
2.3. The computational bilinear Diﬃe–Hellman assumption
Bilinear Diﬃe–Hellman problem was formalized by Boneh and Franklin [8]. We brieﬂy review the relevant
facts as they appear in [8,9,6]. Let G1 and G2 be two (multiplicative) cycle groups of prime order q. A bilinear
pairing is a map e : G1 G1 ! G2 with the following properties:
(1) Bilinear: eðP a ; Qb Þ ¼ eðP ; QÞab , where P ; Q 2 G1 , and a; b 2 Z q .
(2) Non-degeneracy: There exists P 2 G1 and Q 2 G1 such that eðP ; QÞ 6¼ 1.
(3) Computability: There exists an eﬃcient algorithm to computer eðP ; QÞ for P ; Q 2 G1 .
Deﬁnition 2.5. Given group G1 and G2 of the same prime order q, a bilinear map e : G1 G1 ! G2 and a
generator P of G1, then the computational Bilinear Diﬃe–Hellman (BDH) Problem is deﬁned as follows:
Given ðP ; P a ; P b ; P c Þ for some a; b; c 2 Z q as input, compute eðP ; P Þabc 2 G2 . The advantage of an algorithm A
solving Computational BDH problem is
abc
AdvðAÞ ¼ Pr½AðP ; P a ; P b ; P c Þ ¼ eðP ; P Þ where the probability is over the random choice of a, b, c in Z q , the random choice of P 2 G1 and the random
bits of A.
Deﬁnition 2.6. Let IG is a BDH parameter generator that takes a security parameter 1k as input. We say that
IG satisﬁes the computational BDH assumption if AdvðAÞ is negligible (in k) for all PPT algorithms A.
2.4. A PCBTS scheme based on the computational BDH assumption
Now, we present a PCBTS scheme. the basic idea of our proposed scheme comes from [12,7,10,11]. The
scheme is described as follows.
The algorithm Gð1k Þ does the following:
(1) Run IGð1k Þ to generate groups G1, G2 of prime order q and bilinear map e.
(2) Select a random generator P 2 G1 ; Q 2 G1 and a random s 2 Z q . Set P pub ¼ P s ; Qsec ¼ Qs .
(3) Choose a cryptographic hash function H 1 : f0; 1g ! G1 . Choose a cryptographic hash function
n
n
H 2 : f0; 1g ! Z q . Choose a cryptographic hash function H 3 : G2 ! f0; 1g .
(4) The public key is PK ¼ ðG1 ; G2 ; e; P ; P pub ; Q; H 1 ; H 2 ; H 3 Þ. The secret key is Qsec .
The message space is M ¼ f0; 1gnk . Here 0 < k < n. The ciphertext space is C ¼ G1 G1 f0; 1gn .
The algorithm PKDðPK; Qsec ; tÞ does the following:
d
Choose a random d 2 Z q , Set S t ¼ Qsec H 1 ðtÞ , and T t ¼ P d . The proxy secret key PSK ¼ ðS t ; T t Þ.
The algorithm EðPK; t; MÞ does the following:
k
(1) Choose a random r1 2 f0; 1g , set C 1 ¼ P r2 , where r2 ¼ H 2 ðmkr1 Þ.
r
(2) Set C 2 ¼ H 1 ðtÞ 2 .
4100
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
r
(3) Set C 3 ¼ ðmkr1 Þ H 3 ðgÞ, where g ¼ eðP pub ; QÞ 2 .
(4) Output C ¼ ðt; C 1 ; C 2 ; C 3 Þ.
The algorithm DðPK; Qsec ; CÞ does the following:
(1)
(2)
(3)
(4)
Compute g0 ¼ eðC 1 ; Qsec Þ.
Compute M 0 ¼ C 3 H 3 ðg0 Þ.
Set r2 ¼ H 2 ðM 0 Þ. Test whether the equation C 1 ¼ P r2 holds. If not, reject the ciphertext.
Output M, where M is the ﬁrst n k bits of M 0 .
We verify consistency. During encryption ðmkr1 Þ is bitwise exclusive-ored with the hash of g. During decryption C3 is bitwise exclusive-ored with the hash of g 0 . These masks used during encryption and decryption are
the same since:
g0 ¼ eðC 1 ; Qsec Þ ¼ eðP r2 ; Qs Þ ¼ eðP ; QÞr2 s ¼ eðP pub ; QÞr2 ¼ g
Thus, decryption recovers M.
The algorithm PDðPK; PSK; CÞ does the following:
(1)
(2)
(3)
(4)
1
Compute g0 ¼ eðC 1 ; S t Þ eðT t ; C 2 Þ .
Compute M 0 ¼ C 3 H 3 ðg0 Þ.
Set r2 ¼ H 2 ðM 0 Þ. Test whether the equation C 1 ¼ P r2 holds. If not, reject the ciphertext.
Output M, where M is the ﬁrst n k bits of M 0 .
We verify consistency. During encryption ðmkr1 Þ is bitwise exclusive-ored with the hash of g. During decryption C3 is bitwise exclusive-ored with the hash of g 0 . These masks used during encryption and decryption are
the same since:
g0 ¼ eðC 1 ; S t Þ eðT t ; C 2 Þ1 ¼ eðP r2 ; Qsec H 1 ðtÞd Þ eðP d ; H 1 ðtÞr2 Þ1
d
r
¼ eðP r2 ; Qs Þ eðP r2 ; H 1 ðtÞ Þ eðP d ; H 1 ðtÞ 2 Þ
r s
1
d
d 1
¼ eðP r2 ; Qs Þ eðP r2 ; H 1 ðtÞ Þ eðP r2 ; H 1 ðtÞ Þ
r
¼ eðP r2 ; Qs Þ ¼ eðP ; QÞ 2 ¼ eðP pub ; QÞ 2 ¼ g
ð1Þ
Thus, decryption recovers M.
Our main result of this section is the following.
Theorem 2.1. Under the computational BDH assumption, the above PCBTS scheme is secure in the sense of STSCCA.
For proving the main theorem, we will ﬁrst prove Lemmas 2.2 and 2.3.
Lemma 2.2. Under the computational BDH assumption, the above PCBTS scheme is secure in the sense of STSCPA.
Proof of Lemma 2.2. Assume a PPT algorithm A can be used to attack the above scheme with the advantage in the STS-CPA attack scenario. We construct a algorithm B which attempt to solve the computational BDH
problem. Algorithm B is given as input the BDH parameters (q, G1, G2, e) produced by IG and a random
instance (P, Pa, Pb, Pc)=(P, P1, P2, P3) of computational BDH problem. The goal of B is to compute
abc
U ¼ eðP ; P Þ 2 G2 . Algorithm B ﬁnds U by interacting with A as follows:
Key generation: Algorithm B creates public key PK ¼ ðG1 ; G2 ; e; P ; P pub ; Q; H 1 ; H 2 ; H 3 Þ by setting
P pub ¼ P 1 ¼ P a ; Q ¼ P 2 ¼ P b . Algorithm B give A the public key PK. Observe that the (unknown) secret
key associated to PK is SK ¼ Qsec ¼ Qa ¼ P ab .
H1-queries: At any time algorithm A may issue queries to H1. To respond to these queries B maintains a list
of tuples called H list
1 . Each entity in the list is the form of (ti, mi, ni, Ti). The list is initially empty. To respond to
query ti algorithm B does the following:
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
4101
(1) If the query ti already appears on the H list
in a entity (ti, mi, ni, Ti), then algorithm B responds with
1
H i ðti Þ ¼ T i .
ðn Þ1 1
(2) Otherwise, B randomly selects mi 2 Z q , ni 2 Z q , set T i ¼ P mi ððP pub Þ i Þ , and adds the entity (ti, mi,
ni, Ti) to the H list
1 . It responds to A with H i ðt i Þ ¼ T i .
H2-queries: At any time algorithm A may issue queries to H2. To respond to these queries B maintains a list
of tuples called H list
2 . Each entity in the list is the form of ðli ; Li Þ. The list is initially empty. To respond to query
li 2 f0; 1gn algorithm B does the following:
(1) If the query li already on the H list
2 in a entity (li, Li), then algorithm B responds with H 2 ðli Þ ¼ Li .
(2) Otherwise, B randomly selects Li 2 Z q , and adds the entity (li, Li) to the H list
2 . It responds to A with
H 2 ðli Þ ¼ Li .
H3-queries: At any time algorithm A may issue queries to H3. To respond to these queries B maintains a list
of tuples called H list
3 . Each entity in the list is the form of ðvi ; V i Þ. The list is initially empty. To respond to
query vi 2 G2 algorithm B does the following:
(1) If the query vi already on the H list
2 in a entity (vi, Vi) then algorithm B responds with H 3 ðvi Þ ¼ V i .
n
(2) Otherwise, B randomly selects V i 2 f0; 1g , and adds the entity (vi, Vi) to the H list
3 . It responds to A with
H 3 ðvi Þ ¼ V i .
Proxy secret key queries before challenge: Let ti be a proxy secret key query issued by algorithm A. To
respond to the query algorithm B does the following:
(1) B runs the above algorithm H1 oracle to compute H i ðti Þ.
n :b
(2) Then B sets S ti ¼ P m2 i :ni , and T ti ¼ P n2i . In fact, S ti ¼ P m2 i :ni ¼ P ab P ab þ P m2 i :ni ¼ Qsec þ H ðti Þ i , and T ti ¼
P n2i ¼ P ni :b .
(3) B responds to A with (Si, Ti).
Challenge: The algorithm A generates a request challenge (t*, M0, M1). Here, M 0 and M 1 are equal length
plaintext and t* is a time segmentation and did not appear in any proxy secret key query in the second step.
The algorithm B picks a random bit b 2 f0; 1g, takes P3 as C 1 , picks a random u 2 Z q and takes P u3 as C 2 ,
k
picks a random N 2 f0; 1g , s 2 f0; 1g and takes ðM b ksÞ N as C 3 , and outputs C ¼ ðt ; C 1 ; C 2 ; C 3 Þ.
Proxy secret key queries after challenge: Let ti be a proxy secret key query issued by algorithm A and ti 6¼ t .
Algorithm B responds to proxy secret key queries in the same way it did in secret key queries before challenge.
Guess: Algorithm A outputs its guess b0 2 f0; 1g. The algorithm B tests if there exists an entity (vi, Vi) in the
list
H 3 such that V i ¼ N . If it is, B outputs vi as the solution to the given instance of BDH.
Let H2 be the event algorithm issues a query for H 2 ðM b ksÞ before challenge, and let H3 be the event
algorithm issues a query for H 3 ðvi Þ such that N ¼ H 3 ðvi Þ.
Then the successful probability of algorithm A to win the game is
Pr½b ¼ b0 ¼ Pr½b ¼ b0 ^ H2 þ Pr½b ¼ b0 ^ + H2 ^ H3 qH
1
þ Pr½b ¼ b0 ^ + H2 ^ + H3 6 k2 þ Pr½H3 þ
2
2
We know that in real attack jPr½b ¼ b0 1=2j P , so we have
Pr½H3 P qH 2
2k
Hence, at the end of the game, N appears in some tuple on H list
3 with the probability at least probability of B to successfully produce the correct answer. h
Now we show that the scheme is PA secure.
qH
2
2k
, that is the
4102
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
Lemma 2.3. The PCBTS scheme is PA secure.
Proof of Lemma 2.3. Assume A is a PA attacker. We construct a kðkÞ-knowledge extractor K, which runs as
follows:
Set up: We run Gð1k Þ, get public key PK ¼ ðG1 ; G2 ; e; P ; P pub ; Q; H 1 ; H 2 ; H 3 Þ, get secret key Qsec .
H1-queries: At any time algorithm A may issue queries to H1. To respond to these queries we maintain a list
of tuples called H list
1 . Each entity in the list is the form of (ti, Ti). The list is initially empty. To respond to query
ti we do the following:
(1) If the query ti already appears on the H list
B responds with H i ðti Þ ¼ T i .
1 in a entity (ti, Ti), then algorithm
ðn Þ1 1
(2) Otherwise, we randomly select mi 2 Z q ; ni 2 Z q , set T i ¼ P mi ððP pub Þ i Þ , and adds the entity (ti, Ti) to
the H list
1 . It responds to A with H i ðt i Þ ¼ T i .
H2-queries: At any time algorithm A may issue queries to H2. To respond to these queries we maintains a
list of tuples called H list
2 . Each entity in the list is the form of (li, Li). The list is initially empty. To respond to
query li 2 f0; 1gn we do the following:
(1) If the query li already on the H list
2 in a entity (li, Li), then algorithm B responds with H 2 ðli Þ ¼ Li .
(2) Otherwise, we randomly select Li 2 Z q , and adds the entity (li, Li) to the H list
2 . It responds to A with
H 2 ðli Þ ¼ Li .
H3-queries: At any time algorithm A may issue queries to H3. To respond to these queries we maintain a list
of tuples called H list
3 . Each entity in the list is the form of (vi, Vi). The list is initially empty. To respond to query
vi 2 G2 we do the following:
(1) If the query vi already on the H list
2 in a entity (vi, Vi), then algorithm B responds with H 3 ðvi Þ ¼ V i .
n
(2) Otherwise, we randomly select V i 2 f0; 1g , and adds the entity (vi, Vi) to the H list
3 . It responds to A with
H 3 ðvi Þ ¼ V i .
Encryption-queries: At any time algorithm A may issue queries to E. To respond to these queries we
maintain a list of tuples called C list . Each entity in the list is the form of Ci. We use the above algorithm H
oracle and the public key PK to encrypt Mi, then we discard the Mi and add Ci to the C list . After that, we send
the result ciphertext Ci to the adversary A.
Challenge ciphertext: The adversary A creates a C ¼ ðt ; C 1 ; C 2 ; C 3 Þ, where say C 62 C list . It sends C* to us.
list
list
list
When we receive C*, we run the kðkÞ-knowledge extractor K, which takes as input H list
and C*.
1 ; H2 ; H3 ; C
The knowledge extractor K try to extract the plaintext. It works as follows:
list
list
(1) Check if (t*, m*, n*, T*), (l*, L*), (v*, V*) are
in H list
1 ; H 2 , and H 3 respectively. If not, then K fails.
L
L
(2) Otherwise, check if C 1 ¼ P , C 2 ¼ ðT Þ . If not, then K fails.
(3) Otherwise, compute M 0 ¼ V C 3 , output M*, where M* is the ﬁrst n k bits of M 0 .
Thinking of the success probability of K. Let F be an event that K fails but C* is a valid ciphertext, let H1
list
*
*
be an event that (t*, m*, n*, T*) is in H list
1 , let F be an event that K fails, let H2 be an event that (l , L ) is in H 2 ,
list
*
*
and let H3 be an event that (v , V ) is in H 3 . Then we have
Pr½F 6 Pr½F^ + H1 þ Pr½F^ + H2 þ Pr½F^ + H3 1 1 1
2 1
6 Pr½Fj + H1 þ Pr½Fj + H2 þ Pr½Fj + H3 6 þ þ n ¼ þ n
q q 2
q 2
so we have
2 1
k ¼ 1 Pr½F ¼ 1 n
q 2
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
4103
Proof of theorem 2.1. Due to the work of [1], If a encryption is CPA secure, at the same time it also PA, then it
is CCA. So the theorem follows directly from Lemmas 2.2 and 2.3. h
3. ID-based version of proxy cryptosystem based on time segmentation
In this section, we will discuss the ID-based version of PCBTS. Like the discussion order of the PCBTS, this
section is arranged as follows: Firstly we discuss the form of algorithms to specify such schemes followed by
the security analysis model. After that, we convert the PCBTS scheme described in Section 2.4 into a secure
ID-based PCBTS one.
3.1. ID-based PCBTS
Deﬁnition 3.1. A ID-based PCBTS scheme is a 6-tuple of PPT algorithms ðS; EXT; PKD; E; D; PDÞ such
that:
• The Setup algorithm S takes as input a security parameter 1k, and possibly other parameters, to return system parameters PM, and master-key MK. The algorithm is probabilistic.
• The Extract algorithm EXT takes as input the system parameters PM, the master key MK, and an arbi
trary ID 2 f0; 1g , to return a secret key SK.
• The proxy key derivation algorithm PKD takes as input PM, ID, and a secret key SK, and the time segmentation t, to return the secret proxy secret key SK ts of the corresponding time segmentation.
• The encryption algorithm E takes as input PM, ID, a time segmentation t, and a message M, to return a
ciphertext C. Here, the way of determining the time segmentation is the same as the one in Deﬁnition 2.1.
• The decryption algorithm D takes as input PM, ID, the secret key SK, and a ciphertext C to return a message M.
• The proxy decryption algorithm PD takes as input PM, ID, the secret proxy secret key SK ts of the corresponding time segmentation t, and a ciphertext C, to return a message M.
These algorithms must satisfy the standard correctness requirements as follows:
(1) for any (ID, SK) output by EXTðPM; MK; IDÞ, and any message M, we have M ¼ DðPM; ID; SK;
EðPM; ID; t; MÞÞ.
(2) for any ðID; SK ts Þ output by PKDðPM; ID; SK; tÞ, and any message M, we have M ¼ PDðPM; ID; SK ts ;
EðPM; ID; t; MÞÞ.
3.2. Security notion for ID-based PCBTS
When we access the security of an ID-based PCBTS scheme, selective time segmentation attack and chosen
ciphertext attack should also be considered. Moveover, as the general ID-based cryptosystem, the attacker
may implement secret key extraction attack, which ﬁrst appears in [9].
Deﬁnition 3.2. An ID-based PCBTS is secure against secret key extraction, selective time segmentation, chosen
ciphertext attacks (ID-STS-CCA) if no polynomially bound adversary A has a non-negligible advantage
against the Challenger in the following ID-based STS-CCA game:
(1) The challenger takes a security parameter 1k and runs the S algorithm. It gives the adversary the system
parameter PM, It keeps the master key MK to itself.
(2) The adversary issues queries q1 ; q2 ; . . . ; qm where query qi is one of:
• Extraction query (IDi). The challenger responds by running algorithm EXT to generate the secret key
SKi corresponding to (IDi). It sends SK to the adversary.
4104
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
• Proxy secret key query (IDi, ti). The challenger ﬁrst generates the secret key SKi corresponding to IDi,
then responds by running algorithm PKD to generate the proxy secret key SK its corresponding to the
time segmentation ti. It sends SK its to the adversary.
• Decryption query (IDi, Ci, ti). The challenger runs algorithm D to decrypt the ciphertext Ci using the
secret key SK. It sends the resulting plaintext to the adversary.
(3) The adversary generates a request challenge ðID ; t ; M 0 ; M 1 Þ. Here, M0 and M1 are equal length plaintext, ID is an identity and did not appear in any extraction query in the second step, ðID ; t Þ did not
appear in any proxy secret key of query in the second step. The challenger picks a random bit
b 2 f0; 1g and sets C ¼ EðPM; ID ; t ; M b Þ. It sends C* as the challenge to the adversary.
(4) The adversary issues more queries qmþ1 ; qmþ2 ; . . . ; qn where query is one of
• Extraction query (IDi) where IDi 6¼ ID .
• Proxy secret key query (IDi, ti) where ðIDi ; ti Þ 6¼ ðID ; t Þ. Challenger responds as the second step.
• Decryption query ðIDi ; C i ; ti Þ where ðIDi ; C i ; ti Þ 6¼ ðID ; C ; t Þ. Challenger responds as the second step.
At the end of the game the adversary outputs b0 2 f0; 1g and wins the game if b0 ¼ b. The adversary’s advantage is the absolute value of the diﬀerence between its success probability and 1/2.
3.3. A ID-based PCBTS scheme based on the computational BDH assumption
Now, we convert the PCBTS scheme in Section 2 into ID-based PCBTS scheme. The scheme is described as
follows:
The algorithm Sð1k Þ does the following:
(1) Run IGð1k Þ to generate groups G1, G2 of prime order q and bilinear map e.
(2) Select a random generator P 2 G1 and a random s 2 Z q . Set P pub ¼ P s .
(3) Choose a cryptographic hash function H 0 : f0; 1g ! G1 . Choose a cryptographic hash function
n
H 1 : f0; 1g ! G1 . Choose a cryptographic hash function H 2 : f0; 1g ! Z q . Choose a cryptographic
n
hash function H 3 : G2 ! f0; 1g .
(4) The system parameter is PM ¼ ðG1 ; G2 ; e; P ; P pub ; H 0 ; H 1 ; H 2 ; H 3 Þ. The master key is s.
The message space is M ¼ f0; 1gnk . Here 0 < k < n. The ciphertext space is C ¼ G1 G1 f0; 1gn .
The algorithm EXTðPM; s; IDÞ does the following:
(1) Compute QID ¼ H 0 ðIDÞ 2 G1 .
(2) Set the secret key d ID to be d ID ¼ sQID where s is the master key.
The algorithm PKDðPM; ID; d ID ; tÞ does as follows:
(1) Compute QID ¼ H 0 ðIDÞ.
d
ID
ID
d
ID
(2) Choose a random d 2 Z q , Set S ID
t ¼ d ID H 1 ðtÞ , and T t ¼ P . The proxy secret key PSK ¼ ðS t ; T t Þ.
The algorithm EðPM; ID; t; MÞ does as follows:
(1)
(2)
(3)
(4)
(5)
Compute QID ¼ H 0 ðIDÞ.
Choose a random r1 2 f0; 1gk , set C 1 ¼ P r2 , where r2 ¼ H 2 ðMkr1 Þ.
Set C 2 ¼ H 1 ðtÞr2 .
Set C 3 ¼ ðMkr1 Þ H 3 ðgÞ, where g ¼ eðP pub ; QID Þr2 .
Output C ¼ ðt; C 1 ; C 2 ; C 3 Þ.
The algorithm DðPM; ID; t; d ID ; CÞ does as follows:
(1) Compute g0 ¼ eðC 1 ; d ID Þ.
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
4105
(2) Compute M 0 ¼ C 3 H 3 ðg0 Þ.
(3) Set r2 ¼ H 2 ðM 0 Þ. Test whether the equation C 1 ¼ P r2 holds. If not, reject the ciphertext.
(4) Output M, where M is the ﬁrst n k bits of M 0 .
We verify consistency. During encryption ðMkr1 Þ is bitwise exclusive-ored with the hash of g. During
decryption C3 is bitwise exclusive-ored with the hash of g 0 . These masks used during encryption and decryption are the same since:
s
r s
r
g0 ¼ eðC 1 ; d ID Þ ¼ eðP r2 ; ðQID Þ Þ ¼ eðP ; QID Þ 2 ¼ eðP pub ; QID Þ 2 ¼ g
Thus, decryption recovers M.
The algorithm PDðPM; ID; PSK; t; CÞ does the following:
(1)
(2)
(3)
(4)
1
ID
Compute g0 ¼ eðC 1 ; S ID
t Þ eðT t ; C 2 Þ .
0
0
Compute M ¼ C 3 H 3 ðg Þ.
Set r2 ¼ H 2 ðM 0 Þ. Test whether the equation C 1 ¼ P r2 holds. If not, reject the ciphertext.
Output M, where M is the ﬁrst n k bits of M 0 .
We verify consistency. During encryption ðmkr1 Þ is bitwise exclusive-ored with the hash of g. During
decryption C3 is bitwise exclusive-ored with the hash of g 0 . These masks used during encryption and decryption are the same since:
ID
g0 ¼ eðC 1 ; S ID
t Þ eðT t ; C 2 Þ
1
d
r
¼ eðP r2 ; d ID H 1 ðtÞ Þ eðP d ; H 1 ðtÞ 2 Þ
s
d
s
r s
r
¼ eðP r2 ; ðQID Þ Þ eðP r2 ; H 1 ðtÞ Þ eðP d ; H 1 ðtÞ 2 Þ
1
1
s
d
d 1
¼ eðP r2 ; ðQID Þ Þ eðP r2 ; H 1 ðtÞ Þ eðP r2 ; H 1 ðtÞ Þ
r
¼ eðP r2 ; ðQID Þ Þ ¼ eðP ; QID Þ 2 ¼ eðP pub ; QID Þ 2 ¼ g
ð2Þ
Thus, decryption recovers M.
We can ensure the security of the proposed scheme from following Theorem 3.1.
Theorem 3.1. The ID-PCBTS scheme is secure.
Proof of theorem 3.1. The proof of the theorem uses the technique of analyzing the Fullident scheme in [8].
Suppose there exists an adversary A against the ID-PCBTS scheme with advantage . We can construct an
STS-CCA adversary B that uses A to attack the PCBTS scheme. The game between the challenger and adversary B starts with the challenger ﬁrst generating a random public key PK ¼ ðG1 ; G2 ; e; P ; P pub ; Q; H 1 ; H 2 ; H 3 Þ by
running key generation algorithm G of the PCBTS scheme. The challenger gives PK to algorithm B.
Algorithm B works by interacting with A in an ID-STS-CCA game as follows:
Setup Algorithm B gives A the ID-PCBTS scheme’s system parameters PM = (G1, G2, e, P, Ppub, H0, H1,
H2, H3). Here G1, G2, e, P, Ppub, H1, H2, H3 are taken from PK, and H0 is a random oracle controlled by B as
described below:
H0-queries: At any time algorithm A can query the random oracle H0. To responds to these queries
algorithm B maintains a list of tuples ðIDi ; Qi ; bi ; ci Þ as explained below. We refer to this list as the H list
0 . The list
is initially empty. When A queries the oracle H0 at a point IDi algorithm B responds as follows:
(1) If the query IDi already appears on the H list
0 in a tuple ðIDi ; Qi ; bi ; ci Þ then algorithm B responds with
H 0 ðIDi Þ ¼ Qi 2 G1 .
(2) Otherwise, B generates a random coin 2 f0; 1g so that Pr½coin ¼ 0 ¼ d.
(3) Algorithm B picks a random bi 2 Z q . If coin ¼ 0 compute Qi ¼ P b . If coin ¼ 1 compute Qi ¼ Qb .
(4) Algorithm B adds the tuple ðIDi ; Qi ; bi ; ci Þ to the H list
0 and responds to A with H 0 ðIDi Þ ¼ Qi .
Hj-queries (j = 1, 2, 3): When algorithm issues queries to Hj (j = 1, 2, 3), algorithm B relay the queries to
challenger and relay the challenger’s responds back to A.
4106
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
Secret key queries before challenge: Let IDi be a secret key extraction query issued by algorithm A.
Algorithm B responds to this queries as follows:
(1) Run the above algorithm for responding to H0-queries to obtain a Qi 2 G1 such that H 0 ðIDi Þ ¼ Qi . Let
ðIDi ; Qi ; bi ; ci Þ be the corresponding tuple on the H list
0 . If ci ¼1 then B reports fail and terminates.
(2) Otherwise, set Qi ¼ P bi . Deﬁne d i ¼ ðP pub Þbi . Observe that d i ¼ Qi and therefore di is the secret key associated to the IDi. Give di to algorithm A.
Proxy secret key queries before challenge: Let (IDi, ti) be a proxy secret key queries issued by algorithm A.
Algorithm B responds as follows:
(1) Run the above algorithm for responding to H0-queries to obtain a Qi 2 G1 such that H 0 ðIDi Þ ¼ Qi . Let
ðIDi ; Qi ; bi ; ci Þ be the corresponding tuple on the H list
0 . If coin ¼1 then B reports fail and terminates.
(2) Otherwise, B issue proxy secret key query ti to challenger. When B receives the response (Si, Ti) from
challenge, it responds to A with ððS i Þbi ; ðT i Þbi Þ.
Decryption queries before challenge: Let ðIDi ; C i ; ti Þ be a decryption query issued by algorithm A. Let
C ¼ ðti ; C i1 ; C i2 ; C i3 Þ. Algorithm B responding to this queries as follows:
i
(1) Run the above algorithm for responding to H0-queries to obtain a Qi 2 G1 such that H 0 ðIDi Þ ¼ Qi . Let
ðIDi ; Qi ; bi ; ci Þ be the corresponding tuple on the H list
0 .
(2) If ci ¼ 0, run the algorithm for responding to secret key queries to obtain the secret key for the IDi. Then
use the secret key to respond to the decryption query.
(3) If ci ¼ 1; Qi ¼ Qbi is hold, do as follows:
b
b
• Set C iID ¼ ðti ; ðC i1 Þ i ; ðC i2 Þ i ; C i3 Þ.
• Relay the decryption query C iID to the challenger and relay the challenger’s response back to A.
Challenge: The algorithm A generates a request challenge ðID ; t ; M 0 ; M 1 Þ. Here, M0 and M1 are equal
length plaintext, ID is an identity and did not appear in any extraction query before challenge, ðID ; t Þ did
not appear in any proxy secret key of query before challenge. Algorithm B does as follows:
(1) Algorithm B gives the challenger (t*, M0, M1) that it wishes to be challenged on. The challenger responds
with a PCBTS scheme ciphertext C ¼ ðt ; C 1 ; C 2 ; C 3 Þ such that C* is the encryption of Mb for a random
b 2 f0; 1g selected by the challenger.
(2) B run the above algorithm for responding to H0-queries to obtain a Q 2 G1 such that H 0 ðID Þ ¼ Q . Let
ðID ; Q ; b ; Þ be the corresponding tuple on the1 H list
c ¼1 then B reports fail and terminates.
0 . If
1
b
bi
b1
(3) Otherwise, Q ¼ Q is hold. Set C ID ¼ ðt ; ðC 1 Þ ; ðC 2 Þ ; C 3 Þ, where b1
i is the inverse of b mod q. Algorithm B responds to A with the challenge C ID .
Secret key queries after challenge: Let IDi be a secret key extraction query issued by algorithm A and
IDi 6¼ ID . Algorithm B responds to secret key queries in the same way it did in secret key queries before
challenge.
Proxy secret key queries after challenge: Let (IDi, ti) be a proxy secret key query issued by algorithm A and
ðIDi ; ti Þ 6¼ ðID ; t Þ. Algorithm B responds to proxy secret key queries in the same way it did in secret key
queries before challenge.
Decryption queries after challenge: Let ðIDi ; C i ; ti Þ be a decryption query issued by algorithm A and
ðIDi ; C i ; ti Þ 6¼ ðID ; C ID ; t Þ. Algorithm B responds to decryption key queries in the same way it did in secret key
queries before challenge.
Guess: Eventually algorithm A outputs b 0 for b. Algorithm B outputs b 0 as its guess for b.
Let S1 be the event that A issues a secret key query of causing algorithm B to abort. Let S2 be the event that
A issues a proxy secret key query during that causes algorithm B to abort. Let S3 be the event that A choose a
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
4107
public key ID to be challenged, which causes algorithm B to abort. Let S4 be the event that after challenge
Algorithm A issues a decryption query (IDi, Ci) so that the decryption query that B would relay to the
challenger is equal to C*.
Refer to the method of [8], the probability that algorithm B is not abort is
Pr½+ S 1 ^ + S 2 ^ + S 3 ^ + S 4 6 dqE þqP þqD ð1 dÞ
Here, qE þ qP þ qD is the maximum number made by the adversary A. Pr½+ S 1 ^ + S 2 ^ + S 3 ^ + S 4 is maximized at dopt ¼ 1 1=ðqE þ qP þ qD þ 1Þ. Using dopt , the probability that B does not abort is at least
1
. So, algorithm B’s advantage is at least eðq þq þq þ1Þ and is not negligible.
eðqE þqP þqD þ1Þ
E
P
D
So, from Theorem 2.1, we know that the ID-PCBTS scheme is secure. h
4. Conclusion
In this paper, we have proposed a practical mode of proxy cryptosystem: proxy cryptosystem based on time
segmentation (PCBTS). Under this mode, we presented the security model of PCBTS and ID-based PCBTS.
At the same time, the corresponding schemes of PCBTS and ID-based PCBTS are given. Our schemes are
practical in e-commence scenario.
References
[1] M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, Relations among notions of security for public-key encryption schemes, in:
Advances in Cryptology – CRYPTO’98, LNCS, vol. 1462, 1998, pp. 26–45.
[2] M. Bellare, S.K. Miner, A forward-secure digital signature scheme, in: Advances in Cryptology – Crypto’99, LNCS, vol. 1666, 1999,
pp. 431–448.
[3] M. Bellare, A. Palacio, Towards plaintext-aware public-key encryption without random oracles, in: Advances in Cryptology
– Asiacrypt 2004, LNCS, vol. 3329, 2004, pp. 48–62.
[4] M. Bellare, A. Yee, Forward security in private-key cryptography, in: CT-RSA 2003, LNCS, vol. 2612, 2003, pp. 1–18.
[5] M. Blaze, G. Bleumer, M. Strauss, Divertible protocol and atomic proxy cryptography, in: Advances in Cryptology – Eurocrypt ’98,
LNCS, vol. 1403, 1998, pp. 127–144.
[6] D. Boneh, X. Boyen, Eﬃcient selective-ID secure identity-based encryption without random oracle, in: Advances in Cryptology –
Eurcocrypt 2004, LNCS, vol. 3027, 2004, pp. 223–238.
[7] D. Boneh, X. Boyen, Hierarchical identity-based encryption with constant size, in: Advances in Cryptology – Eurcocrypt 2005,
LNCS, vol. 3494, 2005, pp. 440–456.
[8] D. Boneh, M. Franklin, Identity based encryption from the Weil pairing, in: Advances in Cryptology – Crypto 2001, LNCS, vol.
2139, 2001, pp. 213–229.
[9] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in: Advances in Cryptology – Asiacrypt 2002, LNCS, vol.
2248, 2001, pp. 514–532.
[10] R. Canetti, S. Halevi, J. Katz, A forward-secure public-key encryption scheme, in: IEE Proceedings – Computers and Digital
Eurocrypt 2003, LNCS, vol. 2656, 2003, pp. 255–271.
[11] E. Fujisaki, T. Okamoto, How to enhance the security of public-key encryption, IEICE Trans. Fundam. E83-A (1) (2000) 24–32.
[12] C. Gentry, A. Silverberg, Hierarchical identity-based cryptography, in: Advances in Cryptology – Asiacrypt 2002, LNCS, vol. 2501,
2002, pp. 548–566.
[13] S. Goldwasser, S. Micali, Probabilistic encryption, J. Comput. Syst. Sci. 28 (1984) 270–299.
[14] H.F. Hang, C.C. Chang, A novel eﬃcient (t, n) threshold proxy signature scheme, Inform. Sci. 176 (10) (2006) 1338–1349.
[15] C.L. Hsu, K.Y. Tsai, P.L. Tsai, Cryptanalysis and improvement of nonrepudiable threshold multi-proxy multi-signature scheme with
shared veriﬁcation, Inform. Sci. 177 (2) (2006) 543–549.
[16] M. Jakobsson, On quorum controlled asymmetric proxy re-encryption, in: Proceedings of Public Key Cryptography 1999, LNCS, vol.
1560, 1999, pp. 112–121.
[17] M. Mambo, E. Okamoto, Proxy cryptosystem: delegation of a power to decrypt ciphertexts, IEICE Trans. Fundam. Electron.
Commun. Comput. Sci. E80-A/1 (1997) 54–63.
[18] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures for delegating signing operation, in: Proceedings of the 3rd ACM Conference
on Computer and Communications Security (CCS), New Delhi, India, 1996, pp. 48–57.
[19] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures delegation of the power to sign message, IEICE Trans. Functional E79-A (9)
(1996) 1338–1354.
4108
Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108
[20] C. Rackoﬀ, D. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in: Advances in Cryptology
– CRYPTO’91, LNCS, vol. 576, 1992, pp. 433–444.
[21] L. Wang, Z. Cao, E. Okamoto, Y. Miao, T. Okamoto, Transformation-free proxy cryptosystems and their applications to electronic
commerce, in: Proceedings of Infosecu ’04, 2004, pp. 92–98.
[22] Yuan Zhou, Zhenfu Cao, Zhenchuan Chai, An eﬃcient proxy-protected signature scheme based on factoring, in: Proceedings of ISPA
Workshops 2005, LNCS, vol. 3759, 2005, pp. 332–341.
[23] Yuan Zhou, Zhenfu Cao, Zhenchuan Chai, Construct secure proxy cryptosystem, in: Proceedings of CISC2005, LNCS, vol. 3820,
2005, pp. 150–161.