Improvement of an Eliptic Curve Based Threshold Proxy Signature Scheme

. In 2006, Pomykala et al. proposed an elliptic curve based threshold proxy signature scheme as well as a proxy-protected version. They claimed their scheme had the properties of secrecy, unforgeability, non-repudiation and signer ’ s identification. In this study, we showed inter conspiracy attack on the basic scheme and gave another attack on the proxy-protected version. We pointed out that even if the central authority is engaged, the basic model is not a proxy-protected one. We also proposed an improved scheme that can resist the known attacks to achieve higher security, and gave the security analysis of the improved scheme in detail.


INTRODUCTION
The concept of proxy signature was first introduced by Mambo et al. in 1996 [1]. Proxy signature schemes have been suggested to be used in many applications. The concept of threshold proxy signature was proposed in 1997 [2,3] , from then on it has been widely studied [4][5][6][7]. The threshold proxy signature scheme is a variant of the proxy signature scheme that the signing power is delegated to a proxy group. In a (t,n) threshold proxy signature scheme, the proxy signature key is shared among a group of n proxy signers delegated by the original signer. Any t or more proxy signers can opperatively sign a message on behalf of the original proxy signer, but t-1 or fewer proxy signers can not.
In 2006, Pomykala et al. proposed an elliptic curve based threshold proxy signature scheme as well as a proxy-protected version [6]. They claimed their scheme had the properties of secrecy, unforgeability, non-repudiation and signer's identification. They ponited out that the proxy-protected version could assure the proxy-protection property.
In this paper, we give attacks on Pomykala et al.'s scheme in detail and we also point out that even if the central authority is engaged, the basic model is not proxy-protected, and gave an improved scheme that can resist the known attacks.

Brief Review of Pomykala et al.'s Scheme
The scheme is based on the elliptic curve cryptosystem whose security is based on the elliptic curve discrete logarithm problem(ECDLP) in the finite Abel group

Group Secret Key Generation Phase
The original proxy signer 0

Group Secret Key Share Phase
The original proxy signer 0 is a random integer.
Next the original proxy signer 0

Proxy Signature Generation Phase
Without loss of generality, let be the subset of t proxy signers from the group , and sends ji y to j P by a secret channels, for j=1,…,t-1, j i z .
(4) Each proxy signer j P verifies the t-1 values from other proxy signers by checking the equtions If all of the above equations hold, each proxy signer In fact, Then each proxy signer j P sends his partial proxy signature j V to other proxy signers via secret channels. The shares can be verified by checking the equations (6) If all of the above equations hold, the threshold proxy signature on M is

Inter Conspiracy Attack on Pomykala et al.'s Scheme
Firstly, we ponit out that the Pomykala et al.'s scheme is vulnerable to the inter conspiracy attack as following. Let be an arbitrary subset of t proxy signers from ^ǹ P P P , , 1 " , and Then the proxy signers in T can reconstruct the proxy signature key using Lagrange interpolation formula The forged threshold proxy signature is Then we show that the forged signature

The improved threshold proxy signature scheme
The group secret key generation phase and group secret key share key share phase are the same as those in Pomykala et al.'s Scheme.
The proxy signature generation phase is as following.
Let C be an appointed clerk, who is one of the proxy signers in P, and^t P P B , , 1 " be the subset of proxy signers from ^ǹ P P P , , 1 " , who actually make the threshold proxy signature on behalf of 0 P .
(1) The t proxy signers of B cooperate to reconstruct the proxy signature key using the Lagrange Interpolation Formula: (2) Each proxy signer B P i chooses a random integer ordQ k i as his secret information.
Then i P computes and broadcast Then j P sends j G to the clerk C.
(5) The clerk verifies these partial signatures by checking the equations

Security analysis of the improved scheme
(1) The secrecy of the improved scheme refers to the elliptic curve discrete logarithm problem in the finite Abel group ) ( p F E . If an attacker attempts to obtain the secret information of the signers, he must solve the elliptic curve discrete logarithm problem, which is more difficult than solving the discrete logarithm problem. Hence all the secret information is secure. And even if t out of n proxy signers conspire to obtain the group secret key d using the Lagrange Interpolation Formula, they cannot get the secret value k from the public value K, then cannot obtain the secret key 0