Research Article

Secure Mobile Agent from Leakage-Resilient Proxy Signatures

Fei Tang,1,2 Hongda Li,1,2 Qihua Niu,1,2 and Bei Liang1,2

1 The Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, No. 89 Minzhuang Road, Haidian District, Beijing 100093, China
2 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, No. 89 Minzhuang Road, Haidian District, Beijing 100093, China

Correspondence should be addressed to Fei Tang; [email protected]

Received 27 February 2014; Accepted 3 March 2014

Academic Editor: David Taniar

Copyright © 2015 Fei Tang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Hindawi Publishing Corporation, Mobile Information Systems, Volume 2015, Article ID 901418, 12 pages, http://dx.doi.org/10.1155/2015/901418

A mobile agent can sign a message on a remote server on behalf of a customer without exposing the customer's secret key; it can be used not only to search for special products or services but also to make a contract with a remote server. Hence mobile agent systems are a key technology for electronic commerce. In order to realize such a system, Lee et al. showed that a secure mobile agent can be constructed using proxy signatures. Intuitively, a proxy signature permits an entity (the delegator) to delegate its signing right to another entity (the proxy), which then signs specified messages on behalf of the delegator. However, proxy signatures are often used in scenarios where signing is done in an insecure environment, for example, on the remote server of a mobile agent system. In such a setting an adversary can launch side-channel attacks to obtain leakage about the proxy key or even other secret state. Proxy signatures that are secure in the traditional security models obviously cannot provide security against such leakage. Based on this consideration, in this paper we design a leakage-resilient proxy signature scheme for secure mobile agent systems.

1. Introduction

Mobile agents [1–3] are autonomous software entities that can sign messages on a remote server on behalf of a customer without exposing the customer's secret key. Therefore, a mobile agent system can be used for electronic commerce in many ways, such as negotiating with other entities, searching for and buying special products or services on behalf of a customer, and selling products on behalf of a shopping server. As shown by previous works, a mobile agent system can be constructed from proxy signature schemes; for example, Lee et al. [4] used a strong nondesignated proxy signature scheme and gave RSA-based and Schnorr-based constructions of secure mobile agents.

Proxy Signatures. This notion was first introduced by Mambo et al. [5] in 1996. In a proxy signature scheme, an entity called the delegator may delegate its signing right to another entity called the proxy, who can then sign specified messages on behalf of the delegator; such signatures are called proxy signatures. From a proxy signature, the verifier can be convinced of the original signer's agreement on the signed message and that the proxy signature was computed by the proxy rather than the delegator. Proxy signatures are useful in many application scenarios, for example, mobile agents [3, 6–9] and mobile communications [10, 11]. Among existing proxy signature schemes, the model of delegation by warrant [5] (a signed warrant, e.g., $W = \mathrm{ID}_{\mathrm{proxy}} \,\|\, M \,\|\, \mathrm{indate} \,\|\, \cdots$, describing the validity of the delegation) has received the most attention. Kim et al. [12] suggested that the proxy key should be generated from such a warrant. After Mambo et al.'s seminal work, many variants and improved schemes have been proposed (e.g., see [4, 11, 13–17]).

BPW Transformation. Boldyreva et al. [13] (henceforth called BPW) gave a secure generic construction of proxy signature schemes in the delegation-by-warrant model from any secure ordinary signature scheme. Informally, to generate a proxy key, the original signer first signs a concatenation of

the proxy's public key and a warrant in a specific way to obtain a delegation certificate. Then the proxy can set up the proxy key by itself using this delegation certificate. Finally, the proxy can sign messages that are described in the warrant on behalf of the original signer (cf. Section 4 of [13] for a detailed description).

Multilevel Proxy Model. Malkin et al. [14] extended general proxy signatures to the multilevel proxy scenario, where a proxy can also delegate its proxy signing right to another proxy (in such a setting the former proxy is also a delegator); similarly, the second proxy can delegate its proxy signing right to another, and so on. We say that the identities of the original signer and all proxies form a delegation chain, that is, (original signer)-(1st proxy)-(2nd proxy)-$\cdots$-($j$th proxy)-$\cdots$.

Security Models for Proxy Signatures. Due to the additional properties of proxy signatures, defining their security is more complicated than for standard signatures [18]. In [19], Mambo et al. introduced several security notions (later enhanced by Lee et al. [4]) for proxy signatures (we omit them here; please refer to [4, 19] for a detailed description). These notions give intuitive security requirements for proxy signatures, but the corresponding security definitions are unclear (i.e., they lack formal definitions), so many constructions were shown to be insecure, then fixed, and finally shown to be insecure again (e.g., [4, 19, 20]). Subsequently, Boldyreva et al. [13] presented the first well-defined security model for proxy signatures. In their model the adversary is allowed to corrupt an arbitrary number of users and learn their secret keys. Moreover, the adversary can register public keys on behalf of new users. The adversary then interacts with honest users, playing the role of a delegator or a proxy, and can see the transcripts of all executions of the delegation protocol between honest users. It is a rather strong security model. Malkin et al. [14] later extended this model to allow multilevel proxy signatures; they also showed that proxy signatures are equivalent to key-insulated signatures [21]. The models of [13, 14] are both registered-key models, which means that the adversary is required to submit the secret and public keys of all users in the model except a single challenge user. Schuldt et al. [15] removed this requirement and gave a new security model, existential unforgeability under adaptive chosen message attack with proxy key exposure (EU-CMA-PKE). In this model the adversary directly controls the secret keys of all users in the delegation chain except the challenge user; furthermore, the adversary can corrupt users to obtain their proxy keys (see Section 4 of [15] for a more detailed description).

Black-Box Assumption versus Reality. In the security models of cryptographic schemes it is traditionally assumed that the secret internal state (secret key, randomness, etc.) of the scheme is completely hidden from the adversary; hence the adversary in the traditional black-box model can only access an oracle and learn the input/output behavior of the scheme. Unfortunately, many cryptographic engineers have shown that this assumption does not hold in real-world applications. They have designed a large class of realistic attacks, called side-channel attacks, that extract leakage about the secret state, for example, timing attacks [22], power consumption [23], and fault attacks [24, 25]. Therefore, if we implement a mobile agent system from a proxy signature that is secure only in the traditional security model, it may still be insecure if the device running the mobile agent is subjected to side-channel attacks.

Leakage-Resilient Cryptography. To resist such side-channel attacks, cryptographers have proposed many countermeasures in the past few years. Leakage-resilient cryptography is one of them: a cryptosystem remains secure even if the adversary obtains some bounded (or even arbitrary) leakage about the secret internal state.

To model the security of cryptographic schemes in the leakage-resilient setting formally, consider an adversary attacking a scheme: besides the ordinary queries (as in the black-box model), it can also adaptively choose arbitrary polynomial-time computable functions (called leakage functions) $f_i : \{0,1\}^* \to \{0,1\}^{\lambda}$ to obtain information about the secret internal state. The restrictions on the input and output of such leakage functions depend on the leakage model. Here we briefly present some of them.

(i) Only computation leaks model, introduced by Micali and Reyzin [26]: in this model leakage is assumed to occur only on values that are currently accessed during the computation. Therefore, the input of the leakage function $f_i$ is confined to the active part of the internal secret state, while the passive part of the secret state is not taken as input to the leakage function.

(ii) Bounded leakage model: the overall amount of leakage is bounded by a prespecified value $\lambda$.

(iii) Continual-leakage model, introduced by Brakerski et al. [27] and Dodis et al. [28] independently: in this model the secret key may be refreshed while the corresponding public key remains fixed. Then the amount of leakage is bounded only between any two successive key refreshes, and the overall amount can be unbounded.

Many cryptographic schemes have been proposed in the leakage-resilient setting under different leakage models, for example, leakage-resilient stream ciphers [29], leakage-resilient zero knowledge [30], leakage-resilient PKE [31, 32], leakage-resilient IBE [33, 34], and leakage-resilient signatures [35–40].

Leakage-Resilient Signatures. In this paper we focus on the construction of leakage-resilient signature schemes. Alwen et al. [35] gave a construction of a leakage-resilient signature scheme in the random oracle model that tolerates leakage of up to half of the secret key. Then Katz and Vaikuntanathan [38] constructed a bounded leakage-resilient signature scheme in the standard model that tolerates leakage of up to $\ell - \ell^{\epsilon}$ bits of information about the secret key ($\ell$ denotes the bit length of the secret key). In the same paper they also introduced the notion of fully leakage-resilient signatures, meaning that the scheme is EU-CMA secure even if the adversary obtains leakage on all internal state values used throughout the lifetime of the scheme. Boyle et al. [36] then improved their scheme to a fully leakage-resilient one that is resilient to any leakage of length $(1 - o(1))\ell$ bits. Faust et al. [37] constructed a tree-based leakage-resilient signature scheme (in the "only computation leaks" model) that can be instantiated with any 3-time bounded leakage-resilient signature scheme. Their scheme is resilient to $\lambda = \lambda'/3$ bits of leakage per signing process, where $\lambda'$ is the amount the underlying 3-time signature scheme can leak in total.

Our Contribution. Proxy signatures are often proposed for use in applications where signing is done in a potentially hostile environment; for example, if we use a proxy signature to realize a mobile agent system, then the proxy key is stored on a laptop or even an IC card, which might become infected by malware. In such a setting an adversary who launches side-channel attacks can obtain leakage about the proxy key or even other internal state. Based on this consideration, we construct, for the first time, a proxy signature scheme in the leakage-resilient setting, the leakage-resilient proxy signature (LRPS). The proposed LRPS scheme keeps the properties of both primitives, leakage-resilient cryptography and proxy signatures.

To define the security notion of the LRPS scheme, we combine the existing security models of proxy signatures and leakage-resilient cryptography to put forward the security model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA). (We also introduce the notion of EU-CMLA-PKE, which extends the EU-CMA-PKE model of [15], for the full construction of the LRPS in the Appendices.) Furthermore, we construct a concrete LRPS scheme under the delegation-by-warrant and multilevel proxy models; it can be regarded as a concrete implementation of the BPW transformation in the leakage-resilient setting. We use a tree-based signature scheme to construct the proxy signature scheme, which differs from the method adopted in [13, 15], both of which use an aggregate signature [41]. Hence our construction provides an alternative method for constructing proxy signatures. The concrete construction of the LRPS scheme is based on the leakage-resilient signature scheme of Faust et al. [37] (henceforth called FKPR, from TCC 2010).

2. Definitions

In this section we present the basic definitions used in this paper: the notion of stateful signatures and its security in the black-box model and in the presence of leakage, respectively.

2.1. Notations. $1^k$ denotes the string of $k$ ones for $k \in \mathbb{N}$. $|x|$ denotes the length of the bit string $x$, if $x$ is a bit string; $|S|$ denotes the number of entries in the set $S$. $s \xleftarrow{\$} S$ means randomly choosing an element $s$ from the set $S$. We write $y \leftarrow \mathcal{A}(x)$ to indicate running the algorithm $\mathcal{A}$ on input $x$ and obtaining output $y$, and $y \xleftarrow{\$} \mathcal{A}(x)$ has the same meaning except that $\mathcal{A}$ is a probabilistic algorithm. We use the notation $s_1 \| s_2$ to denote the concatenation of the bit strings $s_1$ and $s_2$; if they are not strings, we assume that they are encoded as strings before the concatenation takes place. Lastly, we write PPT for probabilistic polynomial time.

2.2. Stateful Signatures. A signature scheme SIG consists of three algorithms, key generation, signing, and verification, denoted by Kg, Sign, and Vfy, respectively. We say that a signature scheme is stateful if the Sign algorithm is stateful, which means that the secret key is refreshed after (or before) each signing process while its corresponding public key remains fixed. That is to say, $\mathrm{SIG} = (\mathrm{Kg}, \mathrm{Sign}, \mathrm{Vfy})$ is a stateful signature scheme if it satisfies the following.

(i) Kg is a PPT algorithm that takes as input a security parameter $k$ and outputs the signer's initial secret key $\mathrm{SK}_0$ and public key $\mathrm{PK}$. We write it $(\mathrm{SK}_0, \mathrm{PK}) \xleftarrow{\$} \mathrm{Kg}(1^k)$.

(ii) Sign is a PPT algorithm run by the signer that takes as input its stateful secret key $\mathrm{SK}_{i-1}$ and a message $m_i$ and outputs a signature $\Sigma_i$ and the next stateful secret key $\mathrm{SK}_i$. We write it $(\Sigma_i, \mathrm{SK}_i) \xleftarrow{\$} \mathrm{Sign}(\mathrm{SK}_{i-1}, m_i)$.

(iii) Vfy is a deterministic algorithm run by the verifier that takes as input the signer's public key $\mathrm{PK}$, the signed message $m_i$, and the corresponding signature $\Sigma_i$ and outputs 1 if the signature is valid and 0 otherwise. We write it $1/0 \leftarrow \mathrm{Vfy}(\mathrm{PK}, m_i, \Sigma_i)$.

2.3. Security of Stateful Signatures in the Black-Box Model. Existential unforgeability against adaptive chosen message attack (EU-CMA) for stateful signatures is defined by the following experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cma}}_{\mathrm{SIG},\mathcal{A}}$, played by an EU-CMA adversary $\mathcal{A}$ and a challenger $\mathcal{B}$.

(i) $\mathcal{B}$ runs $(\mathrm{SK}^*_0, \mathrm{PK}^*) \xleftarrow{\$} \mathrm{Kg}(1^k)$ and gives $\mathrm{PK}^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ the following query.

Signing query $\mathrm{SQ}(m_i)$: $\mathcal{B}$ runs $(\Sigma_i, \mathrm{SK}^*_i) \xleftarrow{\$} \mathrm{Sign}(\mathrm{SK}^*_{i-1}, m_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs $(m^*, \Sigma^*)$.

We say that $\mathcal{A}$ wins the above experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cma}}_{\mathrm{SIG},\mathcal{A}}$ if $1 \leftarrow \mathrm{Vfy}(\mathrm{PK}^*, m^*, \Sigma^*)$ and $m^*$ was not submitted to the signing query. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\mathrm{eu\text{-}cma}}_{\mathrm{SIG},\mathcal{A}}$. We say SIG is EU-CMA secure if $\mathrm{Adv}^{\mathrm{eu\text{-}cma}}_{\mathrm{SIG},\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

2.4. Security of Stateful Signatures in the Presence of Leakage. In the leakage-resilient setting the adversary $\mathcal{A}$ can obtain $\lambda$ bits of leakage with every signing query. With the $i$th signing query, the adversary $\mathcal{A}$ adaptively chooses any computable leakage function $f_i : \{0,1\}^* \to \{0,1\}^{\lambda}$ for the leakage query and obtains the output $\Lambda_i$ of $f_i$, which takes as input the active part $\mathrm{SK}^{*+}_{i-1}$ of the stateful secret key and the randomness $r_i$ used in the signing phase.

Formally, existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA) is defined by the following experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cmla}}_{\mathrm{SIG},\mathcal{A}}$, played by an EU-CMLA adversary $\mathcal{A}$ and a challenger $\mathcal{B}$.

(i) $\mathcal{B}$ runs $(\mathrm{SK}^*_0, \mathrm{PK}^*) \xleftarrow{\$} \mathrm{Kg}(1^k)$ and gives $\mathrm{PK}^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ the following queries.

(a) Signing query $\mathrm{SQ}(m_i)$: $\mathcal{B}$ runs $(\Sigma_i, \mathrm{SK}^*_i) \xleftarrow{\$} \mathrm{Sign}(\mathrm{SK}^*_{i-1}, m_i, r_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(b) Leakage query $\mathrm{LQ}(f_i)$: $\mathcal{B}$ runs $\Lambda_i \leftarrow f_i(\mathrm{SK}^{*+}_{i-1}, r_i)$; if $|\Lambda_i| \neq \lambda$ it returns $\bot$, else it returns $\Lambda_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs $(m^*, \Sigma^*)$.

We say that $\mathcal{A}$ wins the above experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cmla}}_{\mathrm{SIG},\mathcal{A}}$ if $1 \leftarrow \mathrm{Vfy}(\mathrm{PK}^*, m^*, \Sigma^*)$ and $m^*$ was not submitted to the signing query. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\mathrm{eu\text{-}cmla}}_{\mathrm{SIG},\mathcal{A}}$. We say SIG is EU-CMLA secure if $\mathrm{Adv}^{\mathrm{eu\text{-}cmla}}_{\mathrm{SIG},\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

3. Leakage-Resilient Proxy Signatures

As outlined in the Introduction, there are three kinds of entities in a proxy signature scheme: an original signer, one (or more) proxy signers, and a verifier. A delegator, whether it is the original signer or a proxy signer, wants to delegate its signing right, whether the original signing right (i.e., the delegator is the original signer) or a proxy signing right (i.e., the delegator is a proxy signer), to a proxy. Finally, from the proxy signatures the verifier can be convinced of the original signer's agreement on the signed message and of the identities of the proxy signers.

In the multilevel proxy model, a delegation chain (original signer)-(1st proxy)-(2nd proxy)-$\cdots$-($j$th proxy)-$\cdots$ consists of an original signer and $j$ (or more) proxy signers. To identify them, we require a list $\mathbf{PK}$ of their public keys in the proxy signatures.

In the BPW transformation the delegator signs its proxy's public key and the corresponding warrant to obtain a certificate, from which the proxy key is generated. Therefore, to verify the validity of the delegation, it is also required that proxy signatures contain a list $\mathbf{W}$ of the warrants and a list $\mathbf{C}$ of the certificates of the delegations.

3.1. Syntax. Formally, we define stateful proxy signatures (under the BPW transformation) as follows. That is to say, $\mathrm{SIG}^* = (\mathrm{Kg}^*, \mathrm{Sign}^*, \mathrm{Vfy}^*, \langle \mathrm{Del}^*, \mathrm{PKg}^* \rangle, \mathrm{PSign}^*, \mathrm{PVfy}^*)$ is a stateful proxy signature scheme if the first three algorithms are defined as Kg, Sign, and Vfy of the scheme SIG, respectively, and the latter three algorithms satisfy the following.

(i) $\langle \mathrm{Del}^*, \mathrm{PKg}^* \rangle$ is a pair of interactive PPT algorithms forming the delegation protocol, by which the delegator $D$, whose stateful key pair is $(\mathrm{SK}_{D(i-1)}, \mathrm{PK}_D)$, delegates its signing right to a proxy $P$, whose stateful key pair is $(\mathrm{SK}_{P(i'-1)}, \mathrm{PK}_P)$.

(a) $\mathrm{Del}^*$ is run by the delegator with input $(\mathrm{SK}_{D(i-1)}, \mathrm{PK}_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$, where $\mathbf{PK}$, $\mathbf{W}$, and $\mathbf{C}$ are the lists of public keys, warrants, and delegation certificates of the previous delegators, respectively; $j$ describes that the current proxy is the $j$th proxy in the delegation chain ($j = 0$ means that the delegator is the original signer); and $W_j$ is the warrant for the current delegation.

(b) $\mathrm{PKg}^*$ is run by the proxy with input $(\mathrm{SK}_{P(i'-1)}, \mathrm{PK}_P, \mathrm{PK}_D)$ to generate its proxy key.

As a result of this interactive protocol, $\mathrm{Del}^*$ has no local output except the delegator's next stateful key $\mathrm{SK}_{Di}$. The local output of $\mathrm{PKg}^*$ is the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, \mathrm{SK}_{P(i'-1)})$, where $\mathbf{PK}'$, $\mathbf{W}'$, and $\mathbf{C}'$ are the lists of public keys, warrants, and certificates in the delegation chain, extended with the public key of the proxy and the warrant and certificate of the current delegation, respectively. We write it $(\mathrm{SK}_{Di}; \mathbf{PK}', \mathbf{W}', \mathbf{C}', j, \mathrm{SK}_{P(i'-1)}) \xleftarrow{\$} \langle \mathrm{Del}^*(\mathrm{SK}_{D(i-1)}, \mathrm{PK}_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j), \mathrm{PKg}^*(\mathrm{SK}_{P(i'-1)}, \mathrm{PK}_P, \mathrm{PK}_D) \rangle$.

(ii) $\mathrm{PSign}^*$ is a PPT algorithm run by a proxy that takes as input its delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, \mathrm{SK}_{P(i'-1)})$ and a message $m_i$ and outputs a proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i)$ on behalf of the delegator and its next stateful key $\mathrm{SK}_{Pi'}$. We write it $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i, \mathrm{SK}_{Pi'}) \xleftarrow{\$} \mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, \mathrm{SK}_{P(i'-1)}, m_i)$.

(iii) $\mathrm{PVfy}^*$ is a deterministic algorithm run by the verifier that takes as input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i, P\Sigma_i)$ and outputs 1 if the proxy signature is valid and 0 otherwise. We write it $1/0 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i, P\Sigma_i)$.

In real-world applications a user's long-term secret key should be stored securely, and thus, to guarantee that no information about the long-term key is leaked when the proxy key is exposed, it is better to generate a proxy key independent of the long-term key. We call such a construction a full construction. There is a simple method to obtain a full construction from any BPW-transformed proxy signature (cf. Section 5 of [15]).

(i) After obtaining the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, \mathrm{SK}_{P(i'-1)})$, the proxy first generates a fresh proxy key pair $(\mathrm{SK}'_{P0}, \mathrm{PK}'_P) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$.

(ii) Compute $(\mathrm{cert}', \mathrm{SK}_{Pi'}) \xleftarrow{\$} \mathrm{Sign}^*(\mathrm{SK}_{P(i'-1)}, 00 \,\|\, \mathrm{PK}'_P \,\|\, \mathrm{cert})$, where $\mathrm{cert} \in \mathbf{C}$ is the delegation certificate from the delegator.

(iii) The new delegation information is $(\mathbf{PK}', \mathbf{W}, \mathbf{C}', j', \mathrm{SK}'_{P0})$, where $\mathrm{PK}'_P \in \mathbf{PK}'$ and $\mathrm{cert}' \in \mathbf{C}'$.

The concrete full construction of such a proxy signature scheme and the corresponding security analysis are presented in the Appendices.

3.2. Implementing a Secure Mobile Agent from a Proxy Signature Scheme. When we realize a mobile agent system using a secure proxy signature scheme, let the clients be the delegators and let the mobile agent be the proxy. The clients and the agent together run the interactive delegation protocol to delegate a client's signing right to the agent. Finally, the agent can sign specified messages on behalf of the client. A secure proxy signature scheme implies a secure mobile agent system; similarly, a leakage-resilient proxy signature scheme means that the corresponding mobile agent system is resilient to some bounded information leakage.
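The BPW delegation step, the delegation chain of Section 3.1, the full-construction re-keying of steps (i) to (iii), and the client/agent roles of Section 3.2, carried through as an added example in Python. This is illustrative code written for this page, not the authors' scheme or code. It assumes a toy stateful signature, a Merkle tree of SHA-256 Lamport one-time keys (so the public key is fixed and the secret state advances after every signature, as in Section 2.2), and it fixes details the page leaves open: the byte tags 0x01/0x00/0x02 used for domain separation, a warrant encoded as a required message prefix, and a digest over the chain's public keys and warrants as the context the proxy signs. None of these are the paper's choices, and the toy scheme offers no leakage resilience.

```python
# Added example for this page (not the authors' scheme): a BPW-style delegation
# chain over a toy stateful signature.  Assumptions not fixed by the paper:
#   * stateful scheme = Merkle tree of SHA-256 Lamport one-time keys,
#   * tag 0x01 prefixes a delegation certificate (PK_P || W, signed by delegator),
#   * tag 0x00 prefixes a full-construction re-certification (PK'_P || cert),
#   * tag 0x02 prefixes a proxy signature over the chain digest and message,
#   * a warrant is a byte prefix that every proxy-signed message must carry.
import hashlib
import os

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def _bit(d: bytes, i: int) -> int:
    return (d[i // 8] >> (7 - i % 8)) & 1

# Lamport one-time signature over the SHA-256 digest of the message.
def ots_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def ots_sign(sk, msg: bytes):
    d = H(msg)
    return [sk[i][_bit(d, i)] for i in range(256)]

def ots_verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(256))

def ots_pk_digest(pk) -> bytes:
    return H(*[a + b for a, b in pk])

class StatefulSigner:
    """Fixed public key (Merkle root); secret state advances after each signature."""
    def __init__(self, n_leaves: int = 4):            # n_leaves: a power of two
        self.keys = [ots_keygen() for _ in range(n_leaves)]
        layer = [ots_pk_digest(pk) for _, pk in self.keys]
        self.layers = [layer]
        while len(layer) > 1:
            layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            self.layers.append(layer)
        self.pk = layer[0]
        self.state = 0                                 # SK_i: next unused OTS key

    def sign(self, msg: bytes):
        if self.state >= len(self.keys):
            raise RuntimeError("key state exhausted")
        sk, pk = self.keys[self.state]
        auth, idx = [], self.state
        for layer in self.layers[:-1]:                 # authentication path to the root
            auth.append(layer[idx ^ 1])
            idx //= 2
        sig = (self.state, pk, ots_sign(sk, msg), auth)
        self.state += 1                                # refresh: never reuse this OTS key
        return sig

def verify(pk_root: bytes, msg: bytes, sig) -> bool:
    idx, pk, s, auth = sig
    if not ots_verify(pk, msg, s):
        return False
    node = ots_pk_digest(pk)
    for sib in auth:
        node = H(node, sib) if idx % 2 == 0 else H(sib, node)
        idx //= 2
    return node == pk_root

def sig_bytes(sig) -> bytes:
    idx, pk, s, auth = sig
    return idx.to_bytes(4, "big") + ots_pk_digest(pk) + b"".join(s) + b"".join(auth)

# A chain is a list of links (pk, warrant, cert); link 0 is the original signer,
# and a link with warrant None is a full-construction re-certification.
def delegate(delegator: StatefulSigner, chain, proxy_pk: bytes, warrant: bytes):
    cert = delegator.sign(b"\x01" + proxy_pk + warrant)
    return chain + [(proxy_pk, warrant, cert)]

def full_rekey(proxy: StatefulSigner, chain):
    """Certify a fresh key with the proxy's long-term key (full construction)."""
    prev_cert = chain[-1][2]
    if prev_cert is None:
        raise ValueError("full construction needs a delegation certificate")
    fresh = StatefulSigner()
    cert2 = proxy.sign(b"\x00" + fresh.pk + sig_bytes(prev_cert))
    return fresh, chain + [(fresh.pk, None, cert2)]

def chain_digest(chain) -> bytes:
    return H(*[pk + (w or b"") for pk, w, _ in chain])

def proxy_sign(proxy: StatefulSigner, chain, msg: bytes):
    return proxy.sign(b"\x02" + chain_digest(chain) + msg)

def proxy_verify(chain, msg: bytes, psig) -> bool:
    for k in range(1, len(chain)):
        prev_pk, prev_cert = chain[k - 1][0], chain[k - 1][2]
        pk, w, cert = chain[k]
        if w is None:        # fresh key certified by the previous (long-term) key
            ok = prev_cert is not None and verify(prev_pk, b"\x00" + pk + sig_bytes(prev_cert), cert)
        else:                # PK_P || W certified by the delegator; warrant must allow msg
            ok = verify(prev_pk, b"\x01" + pk + w, cert) and msg.startswith(w)
        if not ok:
            return False
    return verify(chain[-1][0], b"\x02" + chain_digest(chain) + msg, psig)

def demo():
    client, agent = StatefulSigner(), StatefulSigner()    # delegator, mobile agent
    chain = delegate(client, [(client.pk, None, None)], agent.pk, b"buy:")
    agent_key, chain = full_rekey(agent, chain)           # long-term agent key stays offline
    msg = b"buy:contract-42"
    psig = proxy_sign(agent_key, chain, msg)
    return (proxy_verify(chain, msg, psig),                       # valid
            proxy_verify(chain, b"sell:contract-42", psig),       # outside the warrant
            proxy_verify(chain[:2], msg, psig))                   # truncated chain
```

The third value returned by demo() is why the chain is part of the signed context: presenting the same proxy signature with the chain cut back to the agent's long-term key fails, so a verifier cannot be shown a shortened delegation. Only the fresh key produced by full_rekey ever signs on the remote server; the agent's long-term key is used once, to certify it, which is the separation the full construction is after.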

3.3. Security of the Leakage-Resilient Proxy Signatures. We put forward the security model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA) for proxy signatures in the presence of leakage. It is defined by the following experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$, played by a challenger $\mathcal{B}$ and an EU-CMLA adversary $\mathcal{A}$ who controls the secret keys of all users except the challenge user.

(i) $\mathcal{B}$ runs $(\mathrm{SK}^*_0, \mathrm{PK}^*) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$ and gives $\mathrm{PK}^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ the following queries.

(a) Delegation to $\mathrm{SK}^*_{i-1}$, on input $\mathrm{PK}_D$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running algorithm $\mathrm{PKg}^*(\mathrm{SK}^*_{i-1}, \mathrm{PK}^*, \mathrm{PK}_D)$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, \mathrm{SK}^*_{i-1})$.

(b) Delegation of $\mathrm{SK}^*_{i-1}$, on input $(\mathrm{PK}_P, W_j)$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $\mathrm{PK}_P$; $\mathcal{B}$ runs $\mathrm{Del}^*(\mathrm{SK}^*_{i-1}, \mathrm{PK}_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$. When it is finished, $\mathcal{B}$ returns the transcript of the delegation to $\mathcal{A}$.

(c) Self-delegation of $\mathrm{SK}^*_{i-1}$, on input $W$: $\mathcal{B}$ first runs $(\mathrm{SK}'_0, \mathrm{PK}') \xleftarrow{\$} \mathrm{Kg}^*$ and then runs the delegation protocol to generate a proxy key for the challenge user itself, $(\mathrm{SK}^*_i; \mathbf{PK}', \mathbf{W}', \mathbf{C}', j', \mathrm{SK}'_0) \xleftarrow{\$} \langle \mathrm{Del}^*(\mathrm{SK}^*_{i-1}, \mathrm{PK}', \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W), \mathrm{PKg}^*(\mathrm{SK}'_0, \mathrm{PK}', \mathrm{PK}^*) \rangle$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j', \mathrm{SK}'_0)$ and sends the transcript of the delegation to $\mathcal{A}$.

(d) Ordinary signing query of $\mathrm{SK}^*_{i-1}$, on input $m_i$: $\mathcal{B}$ runs $(\Sigma_i, \mathrm{SK}^*_i) \xleftarrow{\$} \mathrm{Sign}^*(\mathrm{SK}^*_{i-1}, m_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(e) Proxy signing query of $\mathrm{SK}^*_{i-1}$, on input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$: $\mathcal{B}$ runs $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i, \mathrm{SK}^*_i) \xleftarrow{\$} \mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, \mathrm{SK}^*_{i-1}, m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i)$ to $\mathcal{A}$.

(f) Leakage query $f_i$: $\mathcal{A}$ may adaptively launch a leakage query after each query to the delegation protocol, ordinary signing, or proxy signing oracle, that is, after these algorithms have taken the secret key $\mathrm{SK}^*_{i-1}$ as input. $\mathcal{B}$ runs $\Lambda_i \leftarrow f_i(\mathrm{SK}^{*+}_{i-1}, r_i)$; if $|\Lambda_i| \neq \lambda$ it returns $\bot$, else it returns $\Lambda_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs a forgery, which must be one of the following cases.

(1) Ordinary signature of $\mathrm{PK}^*$: $(m^*, \Sigma^*)$. If $1 \leftarrow \mathrm{Vfy}^*(\mathrm{PK}^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing queries, then output 1; else output 0.

(2) Proxy signature of $\mathrm{PK}^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $\mathrm{PK}^*$ is the last entry in $\mathbf{PK}$. If $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing queries, then output 1; else output 0.

(3) Proxy signature on behalf of $\mathrm{PK}^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $\mathrm{PK}^*$ is the $n$th entry in $\mathbf{PK}$. If $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ has not queried the delegation of $\mathrm{SK}^*_{i-1}$ oracle on input $(\mathrm{PK}_{n+1}, W_{n+1})$ (that is, the $(n+1)$th entry in $\mathbf{PK}$), then output 1; else output 0.

We say that $\mathcal{A}$ wins the above experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$ if it outputs a valid forgery. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\mathrm{eu\text{-}cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$. We say $\mathrm{SIG}^*$ is EU-CMLA secure if $\mathrm{Adv}^{\mathrm{eu\text{-}cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

Remark. In the EU-CMA-PKE model, $\mathcal{A}$ is allowed to query the redelegation of a user's proxy key. However, we define the LRPS under the BPW transformation model (i.e., a user's proxy key is exactly its secret key), so in the EU-CMLA model $\mathcal{A}$ can run any redelegation by itself, except the redelegation of $\mathrm{SK}^*_{i-1}$, which in this setting can be obtained from the "delegation of $\mathrm{SK}^*_{i-1}$" query. Similarly, $\mathcal{A}$ has no need for proxy key exposure queries.

4. Construction of Leakage-Resilient Proxy Signatures

In this section we present a concrete construction of the LRPS scheme $\mathsf{SIG}^*$ based on the FKPR signature scheme, which can be instantiated with any EU-CMTLA (existential unforgeability against chosen message and total leakage attacks) 3-time signature scheme $\mathsf{sig} = (\mathrm{kg}, \mathrm{sign}, \mathrm{vfy})$.

Before giving the detailed description of $\mathsf{SIG}^*$, we first introduce some notation for the tree-based signature (with depth $d \in \mathbb{N}$). We denote the set of all bit strings of length at most $d$ (including the empty string $\varepsilon$) by $\{0,1\}^{\le d} = \bigcup_{i=1}^{d} \{0,1\}^i \cup \{\varepsilon\}$ (of size $2^{d+1} - 1$). The left and right child of an internal node (or the root) $w \in \{0,1\}^{\le d-1}$ are denoted by $w\|0$ and $w\|1$, respectively, and $\mathrm{par}(w)$ denotes node $w$'s parent node. The depth-first traversal algorithm can be used to traverse and label the tree. For a node $w \in \{0,1\}^{\le d} \setminus \{1^d\}$ we define the algorithm $\mathrm{DF}(w)$ as the node traversed after $w$ in the depth-first traversal, that is,

$$\mathrm{DF}(w) = \begin{cases} w\|0 & \text{if } |w| < d \quad (w \text{ is the root or an internal node}),\\ w'\|1 & \text{if } |w| = d, \text{ where } w = w'\|0\|1^j \quad (w \text{ is a leaf}). \end{cases} \qquad (1)$$

When the depth-first algorithm traverses the binary tree, each node $w$ is associated with a secret-public key pair $(sk_w, pk_w)$ obtained by invoking the $\mathrm{kg}$ algorithm of the underlying signature scheme $\mathsf{sig}$. The following notation will be used in the rest of this paper. Let $w = w_1 w_2 \cdots w_t$ be a bit string of length $t$.

(i) $\Gamma_w = \{(pk_w, \phi_w), \ldots, (pk_{w_1 w_2}, \phi_{w_1 w_2}), (pk_{w_1}, \phi_{w_1})\}$ is a "signature path" from $w$ to the root; $\phi_{w'}$ is a signature on $010\|pk_{w'}$ under its parent's key $sk_{\mathrm{par}(w')}$, that is, $\phi_{w'} \xleftarrow{\$} \mathrm{sign}(sk_{\mathrm{par}(w')}, 010\|pk_{w'})$.

(ii) $S_w = \{sk_{w_1 w_2 \cdots w_i} \mid w_{i+1} = 0\}$ is a subset of the secret keys on the path from the root $\varepsilon$ to node $w$: $sk_{w'} \in S_w$ if and only if the path goes to the left child $w'\|0$ at node $w'$. (The reason is that in this case node $w'$'s right child $w'\|1$ will be traversed after node $w$ under the depth-first traversal. Consequently, we need the secret key $sk_{w'}$ of node $w'$ to sign its right child $w'\|1$'s public key $pk_{w'\|1}$.)

The stateful secret key of the scheme $\mathsf{SIG}^*$ will have the form $(w, S_w, \Gamma_w)$ (i.e., the stacks $S_w$ and $\Gamma_w$ keep track of the state at node $w$). For a stack $S$ we define the following three algorithms:

(1) $\mathrm{push}(S, a)$: put element $a$ on the stack $S$;

(2) $a \leftarrow \mathrm{pop}(S)$: remove the topmost element from the stack $S$ and assign it to $a$;

(3) $\mathrm{trash}(S)$: remove the topmost element from the stack $S$.

4.1. Construction. To avoid trivial attacks against this scheme, we use the idea of Boldyreva et al. [13] and attach a 3-bit string as the prefix of the text that will be signed, namely 111 (text used to compute ordinary signatures), 010 (text used to compute signature paths), 100 (text used to compute delegation certificates), and 101 (text used to compute proxy signatures), respectively. The LRPS scheme $\mathsf{SIG}^*$ is constructed as follows.

(i) $\mathsf{Kg}^*(1^k)$: $(sk_\varepsilon, pk_\varepsilon) \xleftarrow{\$} \mathrm{kg}(1^k)$; $S_\varepsilon = \{sk_\varepsilon\}$; $\Gamma_\varepsilon = \emptyset$; $SK_\varepsilon = (\varepsilon, S_\varepsilon, \Gamma_\varepsilon)$; $PK = pk_\varepsilon$; return $(SK_\varepsilon, PK)$.

(ii) $\mathsf{Sign}^*(SK_w, m)$ (to ease exposition, the signing process of the root $\varepsilon$, i.e., $\sigma \xleftarrow{\$} \mathrm{sign}(sk_\varepsilon, 111\|m)$, is not contained in this formal description):

    parse $SK_w = (w, S_w, \Gamma_w)$; if $w = 1^d$ return $\bot$;
    $w \leftarrow \mathrm{DF}(w)$; $(sk_w, pk_w) \xleftarrow{\$} \mathrm{kg}(1^k)$;
    $\sigma \xleftarrow{\$} \mathrm{sign}(sk_w, 111\|m)$;
    $sk_{\mathrm{par}(w)} \leftarrow \mathrm{pop}(S_w)$; $\phi_w \xleftarrow{\$} \mathrm{sign}(sk_{\mathrm{par}(w)}, 010\|pk_w)$;
    if $w_{|w|} = 0$: $S_w \leftarrow \mathrm{push}(S_w, sk_{\mathrm{par}(w)})$;
    if $|w| < d$: $S_w \leftarrow \mathrm{push}(S_w, sk_w)$;
    if $|w| = d$, with $w = w'\|0\|1^j$: for $i = 1, \ldots, j+1$ do $\mathrm{trash}(\Gamma_w)$;
    $\Gamma_w \leftarrow \mathrm{push}(\Gamma_w, (pk_w, \phi_w))$; $\Sigma = (\sigma, \Gamma_w)$;
    $SK_w = (w, S_w, \Gamma_w)$; return $(\Sigma, SK_w)$.                                    (2)

(iii) $\mathsf{Vfy}^*(PK, m, \Sigma)$: parse $\Sigma = (\sigma, \Gamma_{w_1 w_2 \cdots w_{|w|}})$; set $pk_\varepsilon = PK$; for $i = 1, \ldots, |w|$ do: if $0 \leftarrow \mathrm{vfy}(pk_{w_1 \cdots w_{i-1}}, 010\|pk_{w_1 \cdots w_i}, \phi_{w_1 \cdots w_i})$ return 0; otherwise return $\mathrm{vfy}(pk_{w_1 w_2 \cdots w_{|w|}}, 111\|m, \sigma)$.

(iv) $\mathsf{Del}^*(SK_{D,(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$: $D$ runs $(\mathrm{cert}_j, SK_{D,i}) \xleftarrow{\$} \mathsf{Sign}^*(SK_{D,(i-1)}, 100\|PK_P\|j\|W_j)$ and then sends $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j, \mathrm{cert}_j)$ to $P$.

(v) $\mathsf{PKg}^*(SK_{P,(i'-1)}, PK_P, PK_D)$: $P$ first checks the validity of the delegation certificates: for $k = 1, \ldots, j$ do: if $0 \leftarrow \mathsf{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$, it returns $\bot$ and rejects this delegation; otherwise it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W_j)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}_j)$ and finally sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)})$.

If someone whose key pair is $(SK_{SD,(i-1)}, PK_{SD})$ wants to designate itself as a proxy, it runs $(SK'_{P,0}, PK'_P) \xleftarrow{\$} \mathsf{Kg}^*(1^k)$ to generate a fresh key pair as the proxy key, creates a certificate $(\mathrm{cert}', SK_{SD,i}) \xleftarrow{\$} \mathsf{Sign}^*(SK_{SD,(i-1)}, 100\|PK'_P\|0\|W')$, and then does

    $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK'_P)$, $\quad \mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W')$, $\quad \mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}')$;                    (3)

finally it sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK'_{P,0})$.

(vi) $\mathsf{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i-1)}, m)$: $(\Sigma, SK_{P,i}) \xleftarrow{\$} \mathsf{Sign}^*(SK_{P,(i-1)}, 101\|m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$.

(vii) $\mathsf{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates: for $k = 1, \ldots, j$ do: if $0 \leftarrow \mathsf{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$ return 0; otherwise it returns $\mathsf{Vfy}^*(PK_j, 101\|m, P\Sigma)$.

Upper Bound on the Number of Messages That Can Be Signed. For a fixed signing key, in both the FKPR scheme and $\mathsf{SIG}^*$ the upper bound on the number of messages that can be signed is $q = 2^{d+1} - 2$. We can see from the above construction that each internal node is used only once by the signing algorithm. However, the key (with respect to the scheme $\mathsf{sig}$) of any leaf can sign three times. Hence the upper bound on the number of messages that can be signed could be increased to $2^{d+2} - 4$, that is, double the previous upper bound, for the FKPR scheme as well.
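The tree-based stateful signature underlying $\mathsf{SIG}^*$ (the DF traversal, the $S_w$ and $\Gamma_w$ stacks, the 3-bit domain-separation prefixes, and the $2^{d+1}-2$ bound on signable messages) is shown below in running form. This is an added example written for this page, not the authors' implementation: the EU-CMTLA 3-time scheme $\mathsf{sig} = (\mathrm{kg}, \mathrm{sign}, \mathrm{vfy})$ is replaced by a constructed stand-in (three SHA-256 Lamport one-time keys per node, consumed in order), which supplies the syntax the tree needs but none of the leakage resilience the paper assumes. Node labels are bit strings with the root as the empty string, the root's own message signature is omitted as in the formal description above, and the prefix is passed to `Sign_star`/`Vfy_star` explicitly so that the same routine serves ordinary signatures (111) and what $\mathsf{PSign}^*$ would produce (101). All function and variable names (`DF`, `Kg_star`, `Sign_star`, `Vfy_star`, `count_signable`, `enc`, the prefix constants) are this example's own choices.

```python
import hashlib
import os

# Constructed stand-in for the EU-CMTLA 3-time scheme sig = (kg, sign, vfy): three
# independent SHA-256 Lamport one-time keys per node, consumed in order. It gives the
# tree the syntax it needs, not the leakage resilience the paper assumes.
N = 256  # digest bits covered by one Lamport key

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def kg():
    sks, pks = [], []                       # sk carries three Lamport keys and a use counter
    for _ in range(3):
        sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
        sks.append(sk)
        pks.append([(H(a), H(b)) for a, b in sk])
    return {"used": 0, "keys": sks}, pks

def _bits(text: bytes):
    h = int.from_bytes(H(text), "big")
    return [(h >> (N - 1 - i)) & 1 for i in range(N)]

def sign(sk, text: bytes):
    """Consume the next unused one-time key; a fourth use is refused."""
    i = sk["used"]
    if i >= 3:
        raise ValueError("3-time key exhausted")
    sk["used"] = i + 1
    return (i, [sk["keys"][i][pos][b] for pos, b in enumerate(_bits(text))])

def vfy(pk, text: bytes, sig) -> bool:
    i, reveal = sig
    if not 0 <= i < 3 or len(reveal) != N:
        return False
    return all(H(reveal[pos]) == pk[i][pos][b] for pos, b in enumerate(_bits(text)))

def enc(pk) -> bytes:
    return b"".join(a + b for ots in pk for a, b in ots)   # pk_w as bytes, to sign 010||pk_w

# --- the tree-based scheme of Section 4: nodes are bit strings, the root is "" ---
ORDINARY, PATH, CERT, PROXY = b"111", b"010", b"100", b"101"  # the paper's prefixes

def DF(w: str, d: int):
    """Node visited after w in depth-first order; None once w = 1^d (tree exhausted)."""
    if len(w) < d:
        return w + "0"               # root or internal node: descend to w||0
    if w == "1" * d:
        return None
    w_prime = w.rstrip("1")[:-1]     # leaf w = w'||0||1^j
    return w_prime + "1"             # next node is w'||1

def Kg_star(d: int):
    sk_eps, pk_eps = kg()
    SK = {"w": "", "S": [sk_eps], "Gamma": [], "d": d}  # state (w, S_w, Gamma_w) plus depth d
    return SK, pk_eps

def Sign_star(SK, prefix: bytes, m: bytes):
    """Stateful Sign*: returns Sigma = (sigma, Gamma_w) and advances SK, or None when exhausted."""
    d, w_old = SK["d"], SK["w"]
    w = DF(w_old, d)
    if w is None:
        return None
    sk_w, pk_w = kg()
    sigma = sign(sk_w, prefix + m)
    sk_par = SK["S"].pop()                             # sk_par(w) <- pop(S_w)
    phi_w = sign(sk_par, PATH + enc(pk_w))             # parent certifies the fresh pk_w
    if w[-1] == "0":
        SK["S"].append(sk_par)                         # parent must later sign its right child
    if len(w) < d:
        SK["S"].append(sk_w)                           # internal node keeps its key for its children
    if len(w_old) == d:                                # we left a leaf w_old = w'||0||1^j ...
        j = len(w_old) - len(w_old.rstrip("1"))
        del SK["Gamma"][len(SK["Gamma"]) - (j + 1):]  # ... so trash the j+1 path entries below w'
    SK["Gamma"].append((pk_w, phi_w))
    SK["w"] = w
    return (sigma, list(SK["Gamma"]))

def Vfy_star(PK, prefix: bytes, m: bytes, Sigma) -> bool:
    """Check the signature path from the root, then the prefixed message under the node key."""
    sigma, Gamma = Sigma
    pk = PK
    for pk_child, phi in Gamma:
        if not vfy(pk, PATH + enc(pk_child), phi):
            return False
        pk = pk_child
    return vfy(pk, prefix + m, sigma)

def count_signable(d: int) -> int:
    SK, _ = Kg_star(d)                                 # sign until Sign* refuses: q = 2^(d+1) - 2
    n = 0
    while Sign_star(SK, ORDINARY, b"constructed message") is not None:
        n += 1
    return n

if __name__ == "__main__":
    SK, PK = Kg_star(2)
    sig0 = Sign_star(SK, ORDINARY, b"m0")
    print(Vfy_star(PK, ORDINARY, b"m0", sig0), Vfy_star(PK, PROXY, b"m0", sig0), count_signable(2))
```

The stack bookkeeping follows equation (2): the parent key is popped to certify the new node, pushed back only when the new node is a left child (its sibling still needs signing), and the new node's own key is pushed only if it is internal. The trash count is derived from the node that was current before the DF step, since that is the leaf $w'\|0\|1^j$ whose $j+1$ path entries below $w'$ are no longer on the path. Verifying `sig0` under the 101 prefix fails, which is the effect the prefix separation of Section 4.1 is meant to have: a proxy signature cannot be replayed as an ordinary one on the same message.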

We should stress here that our scheme, being built on a tree-based signature, has a disadvantage compared to those built on aggregate signatures [13, 15]: in those schemes the verification of the delegation certificates can be executed all at once, owing to the aggregability of aggregate signatures [41].

4.2. Security. We now analyze the security of the proposed LRPS scheme.

Theorem 1. If the FKPR scheme (denoted by $\mathsf{SIG}$) is EU-CMLA secure, then the proxy signature scheme $\mathsf{SIG}^*$ is also EU-CMLA secure.

Our proof follows the line of Boldyreva et al. [13]. If there exists an EU-CMLA adversary $\mathcal{A}$ that can break the security of the scheme $\mathsf{SIG}^*$, then we can construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme $\mathsf{SIG}$.

(i) Initially $\mathcal{B}$ is given a challenge public key $PK'$ and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG},\mathcal{B}}$. $\mathcal{B}$ first sets $PK^* = PK'$ as the challenge public key of the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG}^*,\mathcal{A}}$ and sends it to $\mathcal{A}$. Then it plays the experiment with $\mathcal{A}$.

(ii) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following.

(a) Delegation to $SK^*_{i-1}$: $PK_D$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running $\mathsf{PKg}^*(*, PK^*, PK_D)$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$. $\mathcal{B}$ can run the $\mathsf{PKg}^*$ algorithm even though it knows nothing about $SK^*_{i-1}$, because $SK^*_{i-1}$ is set as the proxy key of the challenge user, so upon completion $\mathcal{B}$ does not know the corresponding proxy key.

(b) Delegation from $SK^*_{i-1}$: $(PK_P, W_j)$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $PK_P$. $\mathcal{B}$ makes the signing query SQ with input $00\|PK_P\|j\|W_j$ and is returned $\Sigma$. After the delegation protocol is finished, $\mathcal{A}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$, where $PK_P \in \mathbf{PK}'$, $W_j \in \mathbf{W}'$, and $\mathrm{cert}_j = \Sigma \in \mathbf{C}'$.

(c) Self-delegation of $SK^*_{i-1}$: $W$. $\mathcal{B}$ runs the delegation protocol to generate a proxy key of $PK^*$ for itself. $\mathcal{B}$ first runs $(SK'_0, PK') \xleftarrow{\$} \mathsf{Kg}^*$ and then makes the signing query SQ with input $00\|PK'\|0\|W$ and is returned $\Sigma$. Finally $\mathcal{B}$ returns the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', 0, SK'_0)$ and sends the delegation transcripts to $\mathcal{A}$, where $PK' \in \mathbf{PK}'$, $W \in \mathbf{W}'$, and $\mathrm{cert}' = \Sigma \in \mathbf{C}'$.

(d) Ordinary signing queries of $SK^*_{i-1}$: $m_i$. $\mathcal{B}$ makes the signing query SQ with input $11\|m_i$ and is returned the signature $\Sigma$. Finally $\mathcal{B}$ returns $\Sigma$ to $\mathcal{A}$.

(e) Proxy signing queries of $SK^*_{i-1}$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ makes the signing query SQ with input $01\|m_i$ and is returned the signature $\Sigma$. Finally $\mathcal{B}$ returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$ to $\mathcal{A}$.

(f) Leakage queries $f_i$. $\mathcal{A}$ may make a query $f_i$ for leakage information after each delegation protocol, ordinary signing, or proxy signing query. To answer it, $\mathcal{B}$ makes the same query to LQ and is returned valid leakage information $\Lambda_i$, or $\bot$ if $f_i$ is illegal. Finally $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. In the construction of the scheme $\mathsf{SIG}^*$, besides the $\mathsf{Sign}^*$ algorithm there are two further algorithms that use the signing or proxy signing key: $\mathsf{Del}^*$ and $\mathsf{PSign}^*$. They are, however, also signing algorithms, just with different input text, so the leakage information answered by $\mathcal{B}$ (from LQ) is indistinguishable from what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG}^*,\mathcal{A}}$.

(iii) Finally, by assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $PK^*$ with respect to the scheme $\mathsf{SIG}^*$. It must be one of the following cases. We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme $\mathsf{SIG}$.

(1) Ordinary signature of $PK^*$: $(m^*, \Sigma^*)$. If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$ of $PK^*$, then $\mathcal{B}$ outputs $(11\|m^*, \Sigma^*)$.

(2) Proxy signature of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the last entry in $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ of $PK^*$, $\mathcal{B}$ outputs $(01\|m^*, \Sigma^*)$.

(3) Proxy signature on behalf of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$-th entry in the list $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ on behalf of $PK^*$, then $\mathcal{B}$ outputs $(00\|PK_{n+1}\|n+1\|W_n, \mathrm{cert}_{n+1})$.

Analysis of $\mathcal{B}$. It is clear that the view of $\mathcal{A}$ as answered by $\mathcal{B}$ in the above experiment is identical to what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG}^*,\mathcal{A}}$. We now show that any valid output of the adversary $\mathcal{A}$ can be translated into a valid forgery with respect to the FKPR scheme $\mathsf{SIG}$.

(1) If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$, then $1 \leftarrow \mathsf{Vfy}^*(PK^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing queries, so $\mathcal{B}$ has not made the signing query SQ with input $11\|m^*$. Therefore $(11\|m^*, \Sigma^*)$ is a valid forgery with respect to the scheme $\mathsf{SIG}$.

(2) If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, then $1 \leftarrow \mathsf{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing queries, so $\mathcal{B}$ has not made the signing query SQ with input $01\|m^*$. Therefore $(01\|m^*, P\Sigma^*)$ is a valid forgery with respect to the scheme $\mathsf{SIG}$.

(3) If $\mathcal{A}$ outputs a proxy signature on behalf of $PK^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$-th entry in $\mathbf{PK}$, then $1 \leftarrow \mathsf{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ has not made the delegation-from-$SK^*_{i-1}$ query with input $(PK_{n+1}, W_{n+1})$ (the $(n+1)$-th entry in $\mathbf{PK}$), so $\mathcal{B}$ has not made the signing query SQ with input $00\|PK_{n+1}\|n+1\|W_n$. Therefore $(00\|PK_{n+1}\|n+1\|W_n, \mathrm{cert}_{n+1})$ is a valid forgery with respect to the scheme $\mathsf{SIG}$.

From the above analysis we can see that the forgery output by the challenger $\mathcal{B}$ contradicts the security of the FKPR scheme $\mathsf{SIG}$ (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme $\mathsf{SIG}^*$.

5. Conclusion

In this paper we design a leakage-resilient proxy signature scheme, the LRPS. To model the security of such schemes, we adapt the existing models for proxy signature schemes proposed by Schuldt et al. (PKC 2008) [15] and Boldyreva et al. (Journal of Cryptology 2012) [13] to the leakage-resilient cryptography setting and give an extended model, EU-CMLA, for LRPS schemes. Furthermore, we present a concrete construction based on the LR signature scheme of Faust et al. (TCC 2010) [37]. This construction is provably secure under the given security model.

Appendices

We now show that the proposed proxy signature scheme $\mathsf{SIG}^*$ of Section 4, which is based on the BPW transformation, can be used to produce a secure full construction (denoted by $\mathsf{SIG}^{**}$) of a proxy signature scheme.

A. Construction

As said before, to guarantee that no information about the user's long-term secret key is leaked if its proxy keys are exposed, it is preferable to let a proxy generate fresh and independent keys $(PK, SK)$ in a delegation, create a certificate for $PK$, and keep $SK$ as the proxy secret key; to record the proxy public keys of the proxies, a separate list $\mathbf{FK}$ is maintained to store them. The construction of the scheme $\mathsf{SIG}^{**} = (\mathsf{Kg}^{**}, \mathsf{Sign}^{**}, \mathsf{Vfy}^{**}, \langle \mathsf{Del}^{**}, \mathsf{PKg}^{**} \rangle, \mathsf{PSign}^{**}, \mathsf{PVfy}^{**})$ is as follows, where the algorithms $\mathsf{Kg}^{**}$, $\mathsf{Sign}^{**}$, $\mathsf{Vfy}^{**}$ are the same as the algorithms $\mathsf{Kg}^*$, $\mathsf{Sign}^*$, $\mathsf{Vfy}^*$ of the scheme $\mathsf{SIG}^*$, respectively. We stress that the following construction is based on the idea of Schuldt et al. [15]; their scheme is based on a sequential aggregate signature, whereas ours is based on a tree-based signature, and we focus on the realization of a leakage-resilient proxy signature.

In the scheme $\mathsf{SIG}^*$ the proxy's proxy key is in fact exactly its long-term secret key, and hence when it delegates its own signing right or a proxy signing right to the next proxy, it takes its secret key as input to the delegation algorithm $\mathsf{Del}^*$. In the full construction of the proxy signature scheme, however, the proxy's secret key and proxy key are different and independent; thus, when it delegates its own signing right to a proxy, it takes as input its secret key, and when it delegates its proxy signing right to the next proxy, it takes as input the proxy key. To describe these two cases uniformly, we use $sk$ to denote the input to the $\mathsf{Del}^{**}$ algorithm run by the delegator in the scheme $\mathsf{SIG}^{**}$. For ease of description, we describe the stateful signing algorithm $\mathsf{Sign}^{**}$ here in a nonstateful formalization.

(i) $\mathsf{Del}^{**}(sk, PK_P, \mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, W)$: it is divided into the following two cases depending on $(\mathbf{PK}, \mathbf{W})$.

(a) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., $sk$ is a long-term secret key), the delegator constructs the lists $\mathbf{PK} = \{PK_D, PK_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(sk, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathrm{cert})$ to the proxy.

(b) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., $sk$ is a proxy key), the delegator updates the lists $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(sk, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, \mathrm{cert})$ to the proxy.

(ii) $\mathsf{PKg}^{**}(SK_P, PK_P, PK_D)$: the proxy first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$ do: if $0 \leftarrow \mathsf{Vfy}^{**}(PK_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$, it returns $\bot$ and rejects this delegation, where $\mathrm{cert}_k$ denotes the $k$-th entry in the list $\mathbf{C}$. Otherwise it first generates a fresh proxy key pair $(PK'_P, SK'_P) \leftarrow \mathsf{Kg}^{**}(1^k)$ and runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK'_P)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(SK_P, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. Finally it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, sets $PSK = (\mathbf{FK}, \mathrm{cert}, SK'_P)$, and outputs the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK)$.

(iii) $\mathsf{PSign}^{**}(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK, m)$: $\Sigma \xleftarrow{\$} \mathsf{Sign}^{**}(SK'_P, 101\|m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, P\Sigma = \Sigma)$.

(iv) $\mathsf{PVfy}^{**}(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$ it runs $\mathsf{Vfy}^{**}(PK_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$ or $\mathsf{Vfy}^{**}(PK'_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$, depending on whether the current certificate was generated by $\mathsf{Del}^{**}$ or by $\mathsf{PKg}^{**}$, respectively. If all the verifications pass, then it returns $\mathsf{Vfy}^{**}(PK'_P, 101\|m, P\Sigma)$.

B. Security

We now analyze the security of the scheme $\mathsf{SIG}^{**}$. This proof is roughly analogous to the proof for the scheme $\mathsf{SIG}^*$. However, because the proxy key is independent of the long-term secret key, we have to permit more queries to the adversary, such as a redelegation of a user's proxy key. Here we adapt the security model EU-CMA-PKE of Schuldt et al. [15], which is the strongest notion for proxy signature schemes (cf. Section 4 of [15] for a detailed description), to the leakage-resilient cryptography setting, obtaining EU-CMLA-PKE. In the presence of leakage we should care about which secret can be taken as input to the leakage function: the long-term secret key, the proxy key, or both. Our answer is both.

The detailed analysis is as follows.

Theorem B.1. The proxy signature scheme $\mathsf{SIG}^{**}$ is EU-CMLA-PKE secure based on the security of the leakage-resilient FKPR signature scheme $\mathsf{SIG}$.

We show that if there exists an EU-CMLA-PKE adversary $\mathcal{A}$ that can break the security of the scheme $\mathsf{SIG}^{**}$, then it can be used to construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme $\mathsf{SIG}$.

(I) Initially $\mathcal{B}$ is given a challenge public key $PK'$ and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG},\mathcal{B}}$. $\mathcal{B}$ first chooses a random $c \leftarrow \{0,1\}$. If $c = 0$, $\mathcal{B}$ sets $PK^* = PK'$ and $SK^* = \emptyset$. Otherwise $\mathcal{B}$ generates a fresh key pair $(PK^*, SK^*) \leftarrow \mathsf{Kg}^{**}$ and chooses a random $i^* \leftarrow \{1, \ldots, q_d\}$ (where $q_d$ is the number of queries $\mathcal{A}$ makes to the delegation oracle; $\mathcal{B}$ will use $PK'$ instead of a fresh key in the $i^*$-th delegation query by $\mathcal{A}$). In both cases $\mathcal{B}$ sends $PK^*$ to $\mathcal{A}$ as the challenge public key of the experiment $\mathrm{Exp}^{\text{eu-cmla-pke}}_{\mathsf{SIG}^{**},\mathcal{A}}$. Then it plays the experiment with $\mathcal{A}$.

(II) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following. Whenever a query by $\mathcal{A}$ requires a signing invocation of the key $SK'$ corresponding to $PK'$, $\mathcal{B}$ queries its own signing oracle SQ; we omit this implicit step in the rest of the proof. In addition, $\mathcal{B}$ maintains a set of lists $\mathrm{PskList}(*, *)$ containing all proxy keys generated by $\mathcal{B}$ for the delegation chain with public keys $\mathbf{PK}$ and warrants $\mathbf{W}$.

(i) Delegation to $SK^*$: $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$. If $c = 0$, or $c = 1$ and this is not the $i^*$-th delegation query, then $\mathcal{B}$ first runs $(PK, SK) \leftarrow \mathsf{Kg}^{**}(1^k)$, $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$, and sets $SK_{\mathrm{prx}} = SK$. If $c = 1$ and this is the $i^*$-th delegation query, $\mathcal{B}$ runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK^*)$ and sets $SK_{\mathrm{prx}} = \emptyset$. Then $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK_{\mathrm{prx}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. Finally it stores $PSK = (\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$.

(ii) Delegation from $SK^*$: this query is divided into the following three cases.

(a) Delegation of $SK^*$: $(PK_P, W)$. $\mathcal{B}$ sets $\mathbf{PK} = \{PK^*, PK_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK^*, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sets $\mathbf{C} = \{\mathrm{cert}\}$. Finally it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(b) Redelegation of $PSK$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, PK_P, W)$. $\mathcal{B}$ retrieves the $j$-th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK_{\mathrm{prx}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$, and sets $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$. Finally it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(c) Self-delegation of $SK^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W)$.

(1) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., self-delegation of $SK^*$), $\mathcal{B}$ constructs $\mathbf{PK} = \{PK^*, PK^*\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$, and sets $SK_{\mathrm{sel}} = SK^*$ and $\mathrm{cert}_{\mathrm{sel}} = \emptyset$.

(2) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., delegation of $PSK$), $\mathcal{B}$ retrieves the $j$-th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it computes $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK^*)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, and sets $SK_{\mathrm{sel}} = SK_{\mathrm{prx}}$ and $\mathrm{cert}_{\mathrm{sel}} = \mathrm{cert}$.

$\mathcal{B}$ then computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK_{\mathrm{sel}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. If $c = 0$, or $c = 1$ and this is not the $i^*$-th delegation query, $\mathcal{B}$ first runs $(PK, SK) \leftarrow \mathsf{Kg}^{**}(1^k)$ and constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$. Otherwise $\mathcal{B}$ constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK^*)$ and sets $SK = \emptyset$. Finally $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK_{\mathrm{sel}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, stores the proxy key $PSK = (\mathbf{FK}, \mathrm{cert}, SK)$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$, and sends the transcript $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(iii) Ordinary signing queries of $SK^*$: $m_i$. $\mathcal{B}$ returns $\mathsf{Sign}^{**}(SK^*, 111\|m_i)$.

(iv) Proxy signing queries of $SK^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ retrieves the $j$-th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it computes $P\Sigma \leftarrow \mathsf{PSign}^{**}(SK_{\mathrm{prx}}, 101\|m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma))$ to $\mathcal{A}$.

(v) Proxy key exposure queries: $(\mathbf{PK}, \mathbf{W}, j)$. $\mathcal{B}$ retrieves the $j$-th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. If $SK_{\mathrm{prx}} = \emptyset$, $\mathcal{B}$ aborts. Otherwise $\mathcal{B}$ returns $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ to $\mathcal{A}$.

(vi) Leakage queries $f_i$. $\mathcal{A}$ makes a query $f_i$ for leakage information about the secret key $sk$ (the randomness is also included here) after each delegation protocol, ordinary signing, or proxy signing query. If the secret key that was used was chosen by $\mathcal{B}$, then $\mathcal{B}$ returns $\Lambda_i = f_i(sk)$. Otherwise $\mathcal{B}$ makes the same query to its own leakage oracle LQ and is returned valid leakage information $\Lambda_i$, or $\bot$ if $f_i$ is illegal. Finally $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. The secret state seen by $\mathcal{A}$ is of two kinds: the first is chosen by $\mathcal{B}$ in the experiment, and the second is unknown to $\mathcal{B}$, namely $SK'$ and the randomness used by the signing oracle SQ. For the first kind $\mathcal{B}$ can answer $\mathcal{A}$ directly by itself. For the second kind, as in the proof of Theorem 1, $\mathcal{B}$ can make the same query to its leakage oracle LQ.

(III) Finally, by assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $PK^*$ (with respect to the scheme $\mathsf{SIG}^{**}$). It must be one of the following cases:

(1) an ordinary signature $(m^*, \Sigma^*)$;

(2) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;

(3) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$-th key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;

(4) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was generated by $\mathcal{B}$;

(5) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$-th key in $\mathbf{FK}$ was generated by $\mathcal{B}$.

We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme $\mathsf{SIG}$. If $\mathcal{B}$ has flipped $c = 0$, which means that $PK^* = PK'$, then the first three cases correspond to forgeries where $\mathcal{A}$ has forged a signature under the secret key $SK'$, and hence $\mathcal{B}$ can translate them into a forged signature for the scheme $\mathsf{SIG}$ analogously to the proof of Theorem 1. If instead $\mathcal{A}$ outputs a forgery belonging to the last two cases, $\mathcal{B}$ aborts.

If $c = 1$, which means that $\mathcal{B}$ has placed $PK'$ as the $i^*$-th fresh proxy public key, then if $\mathcal{A}$ outputs a forgery belonging to the first three cases, $\mathcal{B}$ aborts. Otherwise, the last two cases indicate that $\mathcal{A}$ has forged a signature under one of the keys generated by $\mathcal{B}$ in a delegation for which $\mathcal{A}$ has not received the corresponding secret key. In those two cases $P\Sigma^*$ is a valid signature under a key $PK$ generated by $\mathcal{B}$ in some delegation query; that is, $PK$ is the last key in the list $\mathbf{FK}$ of a proxy key $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ from some proxy key list $\mathrm{PskList}(*, *)$. Therefore, with probability $1/q_d$, $\mathcal{B}$ has chosen the right $i^*$ such that $PK = PK'$. In this case $\mathcal{B}$ outputs $P\Sigma^*$ as a valid forgery under the key $PK'$ for the underlying signature scheme $\mathsf{SIG}$.

From the above analysis we can see that the challenger $\mathcal{B}$ produces, with nonnegligible probability, a forgery that contradicts the security of the FKPR scheme $\mathsf{SIG}$ (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme $\mathsf{SIG}^{**}$.

Disclosure

An abstract of this paper was presented in the Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, pp. 495–502, 2013 [42].

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 60970139), the Strategic Priority Program of the Chinese Academy of Sciences (Grant no. XDA06010702), and the IIE's Cryptography Research Project. The authors would like to thank the anonymous reviewers for their helpful comments and suggestions.

References

[1] W. Farmer, J. Guttman, and V. Swarup, "Security for mobile agents: authentication and state appraisal," in Computer Security—ESORICS 96: 4th European Symposium on Research in Computer Security, Rome, Italy, September 25–27, 1996, Proceedings, vol. 1146 of Lecture Notes in Computer Science, pp. 118–130, Springer, Berlin, Germany, 1996.

[2] P. Kotzanikolaou, G. Katsirelos, and V. Chrissikopoulos, "Mobile agents for secure electronic transactions," in Recent Advances in Signal Processing and Communications, pp. 363–368, World Scientific and Engineering Society Press, 1999.

[3] B. Lee, H. Kim, and K. Kim, "Secure mobile agent using strong non-designated proxy signature," in Information Security and Privacy: Proceedings of the 6th Australasian Conference (ACISP '01), Sydney, Australia, July 11–13, 2001, vol. 2119 of Lecture Notes in Computer Science, pp. 474–486, Springer, Berlin, Germany, 2001.

[4] B. Lee, H. Kim, and K. Kim, "Strong proxy signature and its applications," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '01), pp. 603–608, 2001.

[5] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, vol. 79, pp. 1338–1353, 1996.

[6] G. Allee, S. Pierre, R. H. Glitho, and A. El Rhazi, "An improved itinerary recording protocol for securing distributed architectures based on mobile agents," Mobile Information Systems, vol. 1, no. 2, pp. 129–147, 2005.

[7] R. Aversa, B. Di Martino, N. Mazzocca, and S. Venticinque, "A skeleton based programming paradigm for mobile multi-agents on distributed systems and its realization within the MAGDA mobile agents platform," Mobile Information Systems, vol. 4, no. 2, pp. 131–146, 2008.

[8] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[9] Y. Wang, D. S. Wong, and H. Wang, "Employ a mobile agent for making a payment," in Mobile Information Systems, vol. 4, pp. 51–68, IOS Press, 2008.

[10] S. Parvin, F. K. Hussain, and S. Ali, "A methodology to counter DoS attacks in mobile IP communication," Mobile Information Systems, vol. 8, no. 2, pp. 127–152, 2012.

[11] H. U. Park and I. Y. Lee, "A digital nominative proxy signature scheme for mobile communication," in Information and Communications Security: Third International Conference, ICICS 2001, Xian, China, November 13–16, 2001, Proceedings, vol. 2229 of Lecture Notes in Computer Science, pp. 451–455, Springer, Berlin, Germany, 2001.

[12] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," in Proceedings of the 1st International Conference on Information and Communication Security (ICICS '97), vol. 1334 of Lecture Notes in Computer Science, pp. 223–232, Springer, 1997.

[13] A. Boldyreva, A. Palacio, and B. Warinschi, "Secure proxy signature schemes for delegation of signing rights," Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.

[14] T. Malkin, S. Obana, and M. Yung, "The hierarchy of key evolving signatures and a characterization of proxy signatures," in Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 306–322, Springer, Berlin, Germany, 2004.

[15] J. C. N. Schuldt, K. Matsuura, and K. G. Paterson, "Proxy signatures secure against key exposure," in Public Key Cryptography—PKC 2008: 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008, Proceedings, vol. 4939 of Lecture Notes in Computer Science, pp. 141–161, Springer, Berlin, Germany, 2008.

[16] H. Wang and J. Pieprzyk, "Efficient one-time proxy signatures," in Advances in Cryptology—ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 507–522, Springer, Berlin, Germany, 2003.

[17] F. Zhang, R. Safavi-Naini, and C. Y. Lin, "New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairings," Tech. Rep. 2003/104, Cryptology ePrint Archive, 2003, http://eprint.iacr.org/.

[18] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[19] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures for delegating signing operation," in Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), pp. 48–56, ACM, March 1996.

[20] J. Y. Lee, J. H. Cheon, and S. Kim, "An analysis of proxy signatures: is a secure channel necessary?" in Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco, Calif, USA, April 2003, Lecture Notes in Computer Science, pp. 68–79, Springer, 2003.

[21] Y. Dodis, J. Katz, S. Xu, and M. Yung, "Strong key-insulated signature schemes," in Public Key Cryptography—PKC 2003, vol. 2567 of Lecture Notes in Computer Science, pp. 130–144, Springer, Berlin, Germany, 2002.

[22] D. Brumley and D. Boneh, "Remote timing attacks are practical," Computer Networks, vol. 48, no. 5, pp. 701–716, 2005.

[23] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology—CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer, Berlin, Germany, 1999.

[24] E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Advances in Cryptology—CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 221–240, Springer, Berlin, Germany, 2008.

[25] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology—EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pp. 37–51, Springer, Berlin, Germany, 1997.

[26] S. Micali and L. Reyzin, "Physically observable cryptography," in Theory of Cryptography: Proceedings of the 1st Theory of Cryptography Conference (TCC '04), Cambridge, MA, USA, February 19–21, 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 278–296, Springer, Berlin, Germany, 2004.

[27] Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, "Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage," in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS '10), pp. 501–510, October 2010.

[28] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, "Cryptography against continuous memory attacks," in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 511–520, 2010.

[29] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology—EUROCRYPT '09, vol. 5479 of Lecture Notes in Computer Science, pp. 462–482, Springer, Berlin, Germany, 2009.

[30] S. Garg, A. Jain, and A. Sahai, "Leakage-resilient zero knowledge," in Advances in Cryptology—CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 297–315, Springer, Berlin, Germany, 2011.

[31] E. Kiltz and K. Pietrzak, "Leakage resilient ElGamal encryption," in Advances in Cryptology—ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 595–612, Springer, Berlin, Germany, 2010.

[32] M Naor and G Segev ldquoPublic-key cryptosystems resilient tokey leakagerdquo in Advances in CryptologymdashCRYPTO 2009 vol5677 of Lecture Notes in Computer Science pp 18ndash35 SpringerBerlin Germany 2009

[33] S S M Chow Y Dodis Y Rouselakis and B Waters ldquoPrac-tical leakage-resilient identity-based encryption from simpleassumptionsrdquo in Proceedings of the 17th ACM Conference onComputer and Communications Security (CCS rsquo10) pp 152ndash161ACM October 2010

[34] T H Yuen S S M Chow Y Zhang and S M Yiu ldquoIdentity-based encryption resilient to continual auxiliary leakagerdquo in

12 Mobile Information Systems

Advances in CryptologymdashEUROCRYPT 2012 vol 7237 of Lec-ture Notes in Computer Science pp 117ndash134 Springer BerlinGermany 2012

[35] J Alwen Y Dodis and D Wichs ldquoLeakage-resilient public-key cryptography in the bounded-retrieval modelrdquo in Advancesin CryptologymdashCRYPTO 2009 vol 5677 of Lecture Notes inComputer Science pp 36ndash54 Springer 2009

[36] E Boyle G Segev and D Wichs ldquoFully leakage-resilientsignaturesrdquo inAdvances in CryptologymdashEUROCRYPT 2011 vol6632 of Lecture Notes in Computer Science pp 89ndash108 SpringerBerlin Germany 2011

[37] S Faust E Kiltz K Pietrzak and G N Rothblum ldquoLeakage-resilient signaturesrdquo in Theory of Cryptography 7th Theoryof Cryptography Conference TCC 2010 Zurich SwitzerlandFebruary 9-11 2010 Proceedings vol 5978 of Lecture Notesin Computer Science pp 343ndash360 Springer Berlin Germany2010

[38] J Katz and V Vaikuntanathan ldquoSignature schemes withbounded leakage resiliencerdquo in Advances in CryptologymdashASIACRYPT 2009 vol 5912 of Lecture Notes in ComputerScience pp 703ndash720 Springer Berlin Germany 2009

[39] T Malkin I Teranishi Y Vahlis and M Yung ldquoSignaturesresilient to continual leakage on memory and computationrdquo inProceedings of the 8th Theory of Cryptography Conference (TCCrsquo11) vol 6597 of Lecture Notes in Computer Science pp 89ndash106Springer Providence RI USA 2011

[40] F Tang H Li Q Niu and B Liang ldquoEfficient leakage-resilientsignature schemes in the generic bilinear group modelrdquo Cryp-tology ePrint Archive 2013785 2013 httpeprintiacrorg

[41] D Boneh C Gentry B Lynn and H Shacham ldquoAggregate andverifiably encrypted signatures frombilinearmapsrdquo inAdvancesin CryptologymdashEUROCRYPT 2003 vol 2656 of Lecture Notesin Computer Science pp 416ndash432 Springer Berlin Germany2003

[42] F Tang H Li Q Niu and B Liang ldquoLeakage-resilient proxysignaturesrdquo in Proceedings of the 5th IEEE International Confer-ence on Intelligent Networking and Collaborative Systems (INCoSrsquo13) pp 495ndash502 Xirsquoan China September 2013


Research Article: Secure Mobile Agent from Leakage-Resilient Proxy Signatures (downloads.hindawi.com/journals/misy/2015/901418.pdf)

2 Mobile Information Systems

the proxy's public key and a warrant in a specific way to obtain a delegation certificate. Then the proxy can set up the proxy key by itself using this delegation certificate. Finally, the proxy can sign messages that are described in the warrant on behalf of the original signer (cf. Section 4 of [13] for a detailed description).

Multilevel Proxy Model. Malkin et al. [14] extended general proxy signatures to the multilevel proxy setting, where a proxy can also delegate its proxy signing right to another proxy (in such a setting the former proxy is also a delegator); similarly, the second proxy can delegate its proxy signing right to another, and so on. We call the identities of the original signer and all proxies a delegation chain, that is, (original signer)-(1st proxy)-(2nd proxy)-$\cdots$-($j$th proxy)-$\cdots$.

Security Models for Proxy Signatures. Because of the additional delegation property of proxy signatures, defining their security is more complicated than for standard signatures [18]. In [19], Mambo et al. introduced several security notions for proxy signatures (later enhanced by Lee et al. [4]); we omit them here and refer to [4, 19] for details. These notions give intuitive security requirements, but the corresponding security definitions are unclear (i.e., they lack formal definitions), so many constructions were shown to be insecure, then fixed, and finally shown to be insecure again (e.g., [4, 19, 20]). Subsequently, Boldyreva et al. [13] presented the first well-defined security model for proxy signatures. In their model the adversary is allowed to corrupt an arbitrary number of users and learn their secret keys; moreover, the adversary can register public keys on behalf of new users. The adversary then interacts with honest users, playing the role of a delegator or a proxy, and it can see the transcripts of all executions of the delegation protocol between honest users. This is a rather strong security model. Malkin et al. [14] later extended this model to allow multilevel proxy signatures; they also showed that proxy signatures are equivalent to key-insulated signatures [21]. The models of [13, 14] are both registered-key models, meaning that the adversary is required to submit the secret and public keys of all users in the model except a single challenge user. Schuldt et al. [15] removed this requirement and gave a new security model, existential unforgeability under adaptive chosen message attack with proxy key exposure (EU-CMA-PKE). In this model the adversary directly controls the secret keys of all users in the delegation chain except the challenge user; furthermore, the adversary can corrupt users to obtain their proxy keys (see Section 4 of [15] for a more detailed description).

Black-Box Assumption versus Reality. In the security models of cryptographic schemes it is traditionally assumed that the secret internal state (secret key, randomness, etc.) of the scheme is completely hidden from the adversary; hence the adversary in the traditional black-box model can only access an oracle to learn the input/output behaviour of the scheme. Unfortunately, cryptographic engineers have shown that this assumption does not hold in real-world applications. They have designed a large class of realistic attacks, called side-channel attacks, that extract leakage information about the secret state, for example, timing attacks [22], power analysis [23], and fault attacks [24, 25]. Therefore, a mobile agent system implemented from a proxy signature that is secure only in the traditional security model may still be insecure if the device running the mobile agent is subject to side-channel attacks.

Leakage-Resilient Cryptography. To resist such side-channel attacks, cryptographers have proposed many countermeasures in the past few years. Leakage-resilient cryptography is one of them: a cryptosystem is leakage-resilient if it remains secure even when the adversary obtains some bounded (or even arbitrary) leakage information about the secret internal state.

To model the security of cryptographic schemes in the leakage-resilient setting formally, consider an adversary attacking a scheme: besides the ordinary queries (as in the black-box model), it can also adaptively choose arbitrary polynomial-time computable functions (called leakage functions) $f_i : \{0,1\}^* \to \{0,1\}^{\lambda}$ to obtain some information about the secret internal state. The restrictions on the input and output of such leakage functions depend on the leakage model. Here we briefly present some of them.

(i) Only computation leaks model, introduced by Micali and Reyzin [26]: in this model leakage is assumed to occur only on values that are currently accessed during a computation. Therefore the input of the leakage function $f_i$ is confined to the active part of the internal secret state, while the passive part of the secret state is not given as input to the leakage function.

(ii) Bounded leakage model: the overall amount of leakage is bounded by a prespecified value $\lambda$.

(iii) Continual-leakage model, introduced independently by Brakerski et al. [27] and Dodis et al. [28]: in this model the secret key may be refreshed while the corresponding public key remains fixed. The amount of leakage is then bounded only between any two successive key refreshes, and the overall amount can be unbounded.

Many cryptographic schemes have been proposed in the leakage-resilient setting under different leakage models, for example, leakage-resilient stream ciphers [29], leakage-resilient zero knowledge [30], leakage-resilient PKE [31, 32], leakage-resilient IBE [33, 34], and leakage-resilient signatures [35–40].

Leakage-Resilient Signatures. In this paper we focus on the construction of leakage-resilient signature schemes. Alwen et al. [35] gave a construction of a leakage-resilient signature scheme in the random oracle model that tolerates leakage of up to half of the secret key. Then Katz and Vaikuntanathan [38] constructed a bounded leakage-resilient signature scheme in the standard model that tolerates leakage of up to $\ell - \ell^{\epsilon}$ bits of information about the secret key, where $\ell$ denotes the bit-length of the secret key. In the same paper they also introduced the notion of fully leakage-resilient signatures, meaning that the scheme is EU-CMA secure even if the adversary may obtain leakage on all internal state values used throughout the lifetime of the scheme. Boyle et al. [36] then improved their scheme to a fully leakage-resilient one that is resilient to any leakage of length $(1 - o(1))\ell$ bits. Faust et al. [37] constructed a tree-based leakage-resilient signature scheme (in the "only computation leaks" model) that can be instantiated with any 3-time bounded leakage-resilient signature scheme. Their scheme is resilient to $\lambda = \lambda'/3$ bits of leakage per signing process, where $\lambda'$ is the total amount of leakage the underlying 3-time signature scheme can tolerate.

Our Contribution. Proxy signatures are often proposed for use in applications where signing is done in a potentially hostile environment; for example, if we use a proxy signature to realize a mobile agent system, then the proxy key is stored on a laptop or even an IC card, which might become infected by malware. In such a setting, an adversary who launches side-channel attacks can extract leakage information about the proxy key or even other internal states. Based on this consideration, we construct, for the first time, a proxy signature scheme in the setting of leakage-resilient cryptography: the leakage-resilient proxy signature (LRPS). The proposed LRPS scheme maintains the properties of both primitives, leakage-resilient cryptography and proxy signatures.

To define the security notion for the LRPS scheme, we combine the existing security models of proxy signatures and leakage-resilient cryptography to put forward the security model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA). (We also introduce the notion of EU-CMLA-PKE, extended from EU-CMA-PKE in [15], for the full construction of the LRPS in the Appendices.) Furthermore, we construct a concrete LRPS scheme under the delegation-by-warrant and multilevel proxy models; it can be regarded as a concrete implementation of the BPW transformation in the setting of leakage-resilient cryptography. We use a tree-based signature scheme to construct the proxy signature scheme, which differs from the method adopted in [13, 15], both of which use an aggregate signature [41]. Hence our construction provides an alternative method for constructing proxy signatures. The concrete construction of the LRPS scheme is based on the leakage-resilient signature scheme of Faust et al. [37] (henceforth called FKPR, from TCC 2010).

2. Definitions

In this section we present the basic definitions used in this paper: the notion of stateful signatures and its security in the black-box model and in the presence of leakage, respectively.

2.1. Notation. $1^k$ denotes the string of $k$ ones for $k \in \mathbb{N}$. $|x|$ denotes the length of the bit string $x$; if $S$ is a set, $|S|$ denotes the number of entries in $S$. $s \xleftarrow{\$} S$ means choosing an element $s$ uniformly at random from the set $S$. We write $y \leftarrow \mathsf{A}(x)$ to indicate running the algorithm $\mathsf{A}$ on input $x$ and obtaining output $y$; $y \xleftarrow{\$} \mathsf{A}(x)$ has the same meaning except that $\mathsf{A}$ is a probabilistic algorithm. We use $s_1 \| s_2$ to denote the concatenation of the bit strings $s_1$ and $s_2$; if they are not strings, we assume that they are encoded as strings before the concatenation takes place. Lastly, we write PPT for probabilistic polynomial time.

2.2. Stateful Signatures. A signature scheme SIG consists of three algorithms, key generation, signing, and verification, denoted by Kg, Sign, and Vfy, respectively. We say that a signature scheme is stateful if the Sign algorithm is stateful, meaning that the secret key is refreshed after (or before) each signing process while the corresponding public key remains fixed. That is, $\mathrm{SIG} = (\mathrm{Kg}, \mathrm{Sign}, \mathrm{Vfy})$ is a stateful signature scheme if it satisfies the following.

(i) Kg is a PPT algorithm that takes as input a security parameter $k$ and outputs the signer's initial secret key $SK_0$ and public key $PK$. We write $(SK_0, PK) \xleftarrow{\$} \mathrm{Kg}(1^k)$.

(ii) Sign is a PPT algorithm run by the signer that takes as input its current stateful secret key $SK_{i-1}$ and a message $m_i$ and outputs a signature $\Sigma_i$ and the next stateful secret key $SK_i$. We write $(\Sigma_i, SK_i) \xleftarrow{\$} \mathrm{Sign}(SK_{i-1}, m_i)$.

(iii) Vfy is a deterministic algorithm run by the verifier that takes as input the signer's public key $PK$, a signed message $m_i$, and the corresponding signature $\Sigma_i$ and outputs 1 if the signature is valid and 0 otherwise. We write $\{0,1\} \leftarrow \mathrm{Vfy}(PK, m_i, \Sigma_i)$.

2.3. Security of Stateful Signatures in the Black-Box Model. Existential unforgeability against adaptive chosen message attack (EU-CMA) for stateful signatures is defined by the following experiment $\mathrm{Exp}^{\text{eu-cma}}_{\mathrm{SIG},\mathcal{A}}$, played by an EU-CMA adversary $\mathcal{A}$ and a challenger $\mathcal{B}$.

(i) $\mathcal{B}$ runs $(SK^*_0, PK^*) \xleftarrow{\$} \mathrm{Kg}(1^k)$ and gives $PK^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ the following: signing query $\mathrm{SQ}(m_i)$: $\mathcal{B}$ runs $(\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{Sign}(SK^*_{i-1}, m_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs $(m^*, \Sigma^*)$.

We say that $\mathcal{A}$ wins the experiment $\mathrm{Exp}^{\text{eu-cma}}_{\mathrm{SIG},\mathcal{A}}$ if $1 \leftarrow \mathrm{Vfy}(PK^*, m^*, \Sigma^*)$ and $m^*$ was never submitted to the signing oracle. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\text{eu-cma}}_{\mathrm{SIG},\mathcal{A}}$. We say SIG is EU-CMA secure if $\mathrm{Adv}^{\text{eu-cma}}_{\mathrm{SIG},\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

2.4. Security of Stateful Signatures in the Presence of Leakage. In the setting of leakage-resilient cryptography, the adversary $\mathcal{A}$ can obtain $\lambda$ bits of leakage information with every signing query. With the $i$th signing query, $\mathcal{A}$ adaptively chooses any computable leakage function $f_i : \{0,1\}^* \to \{0,1\}^{\lambda}$ as its leakage query and obtains the output $\Lambda_i$ of $f_i$, which takes as input the active part $SK^{*+}_{i-1}$ of the stateful secret key and the randomness $r_i$ used in the signing phase.

Formally, existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA) is defined by the following experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{A}}$, played by an EU-CMLA adversary $\mathcal{A}$ and a challenger $\mathcal{B}$.

(i) $\mathcal{B}$ runs $(SK^*_0, PK^*) \xleftarrow{\$} \mathrm{Kg}(1^k)$ and gives $PK^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ the following:

(a) signing query $\mathrm{SQ}(m_i)$: $\mathcal{B}$ runs $(\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{Sign}(SK^*_{i-1}, m_i; r_i)$ and returns $\Sigma_i$ to $\mathcal{A}$;

(b) leakage query $\mathrm{LQ}(f_i)$: $\mathcal{B}$ runs $\Lambda_i \leftarrow f_i(SK^{*+}_{i-1}, r_i)$; if $|\Lambda_i| \neq \lambda$ it returns $\perp$, else it returns $\Lambda_i$ to $\mathcal{A}$. (The leakage function sees only the active part of the key and the signing randomness, as in the only-computation-leaks model, and its output is limited to $\lambda$ bits per signing query.)

(iii) At some point $\mathcal{A}$ outputs $(m^*, \Sigma^*)$.

We say that $\mathcal{A}$ wins the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{A}}$ if $1 \leftarrow \mathrm{Vfy}(PK^*, m^*, \Sigma^*)$ and $m^*$ was never submitted to the signing oracle. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{A}}$. We say SIG is EU-CMLA secure if $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

3. Leakage-Resilient Proxy Signatures

As outlined in the Introduction, there are three kinds of entities in a proxy signature scheme: an original signer, one (or more) proxy signers, and a verifier. A delegator, whether it is the original signer or a proxy signer, wants to delegate its signing right, whether the original signing right (i.e., the delegator is the original signer) or a proxy signing right (i.e., the delegator is a proxy signer), to a proxy. Finally, the verifier can be convinced, from the proxy signature, of the original signer's agreement on the signed message and of the identities of the proxy signers.

In the multilevel proxy model, a delegation chain (original signer)-(1st proxy)-(2nd proxy)-$\cdots$-($j$th proxy)-$\cdots$ consists of an original signer and $j$ (or more) proxy signers. To identify them, we require a list $\mathbf{PK}$ of their public keys in the proxy signatures.

In the BPW transformation, the delegator signs its proxy's public key and the corresponding warrant to obtain a certificate, which is used to generate the proxy key. Therefore, to verify the validity of the delegation, it is also required that the proxy signature contains a list $\mathbf{W}$ of the warrants and a list $\mathbf{C}$ of the certificates of the delegations.

3.1. Syntax. Formally, we define stateful proxy signatures (under the BPW transformation) as follows. $\mathrm{SIG}^* = (\mathrm{Kg}^*, \mathrm{Sign}^*, \mathrm{Vfy}^*, \langle \mathrm{Del}^*, \mathrm{PKg}^* \rangle, \mathrm{PSign}^*, \mathrm{PVfy}^*)$ is a stateful proxy signature scheme if the first three algorithms are defined as Kg, Sign, and Vfy of the scheme SIG, respectively, and the latter three algorithms satisfy the following.

(i) $\langle \mathrm{Del}^*, \mathrm{PKg}^* \rangle$ is a pair of interactive PPT algorithms forming the delegation protocol, by which a delegator $D$ with stateful key $(SK_{D,(i-1)}, PK_D)$ delegates its signing right to a proxy $P$ with stateful key pair $(SK_{P,(i'-1)}, PK_P)$.

(a) $\mathrm{Del}^*$ is run by the delegator with input $(SK_{D,(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$, where $\mathbf{PK}$, $\mathbf{W}$, and $\mathbf{C}$ are the lists of public keys, warrants, and delegation certificates of the previous delegators, respectively; $j$ indicates that the current proxy is the $j$th proxy in the delegation chain ($j = 0$ means that the delegator is the original signer); and $W_j$ is the warrant for the current delegation.

(b) $\mathrm{PKg}^*$ is run by the proxy with input $(SK_{P,(i'-1)}, PK_P, PK_D)$ to generate its proxy key.

As a result of this interactive protocol, $\mathrm{Del}^*$ has no local output other than the delegator's next stateful key $SK_{D,i}$. The local output of $\mathrm{PKg}^*$ is the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK_{P,(i'-1)})$, where $\mathbf{PK}'$, $\mathbf{W}'$, and $\mathbf{C}'$ are the lists of public keys, warrants, and certificates of the delegation chain, extended with the public key of the proxy and with the warrant and certificate of the current delegation, respectively. We write
\[
(SK_{D,i};\ \mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK_{P,(i'-1)}) \xleftarrow{\$} \big\langle \mathrm{Del}^*(SK_{D,(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j),\ \mathrm{PKg}^*(SK_{P,(i'-1)}, PK_P, PK_D) \big\rangle .
\]

(ii) $\mathrm{PSign}^*$ is a PPT algorithm run by a proxy that takes as input its delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)})$ and a message $m_i$ and outputs a proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i)$ on behalf of the delegator, together with its next stateful key $SK_{P,i'}$. We write $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i, SK_{P,i'}) \xleftarrow{\$} \mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)}, m_i)$.

(iii) $\mathrm{PVfy}^*$ is a deterministic algorithm run by the verifier that takes as input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i, P\Sigma_i)$ and outputs 1 if the proxy signature is valid and 0 otherwise. We write $\{0,1\} \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i, P\Sigma_i)$.

In real-world applications a user's long-term secret key should be stored securely; thus, to guarantee that no information about the long-term key leaks when the proxy key is exposed, it is better to generate a proxy key that is independent of the long-term key. We call such a construction a full construction. There is a simple method to obtain a full construction from any BPW-transformed proxy signature (cf. Section 5 of [15]):

(i) After obtaining the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)})$, the proxy first generates a fresh proxy key pair $(SK'_{P,0}, PK'_P) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$.

(ii) It computes $(\mathrm{cert}', SK_{P,i'}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{P,(i'-1)}, 00 \| PK'_P \| 0 \| \mathrm{cert})$, where $\mathrm{cert} \in \mathbf{C}$ is the delegation certificate from the delegator.

(iii) The new delegation information is $(\mathbf{PK}', \mathbf{W}, \mathbf{C}', j', SK'_{P,0})$, where $PK'_P \in \mathbf{PK}'$ and $\mathrm{cert}' \in \mathbf{C}'$.

The concrete full construction of such a proxy signature scheme and the corresponding security analysis are presented in the Appendices.

3.2. Implementing a Secure Mobile Agent from a Proxy Signature Scheme. When we realize a mobile agent system using a secure proxy signature scheme, let the client be the delegator and let the mobile agent be the proxy. The client and the agent together run the interactive delegation protocol to delegate the client's signing right to the agent. Finally, the agent can sign the specified messages on behalf of the client. A secure proxy signature scheme thus implies a secure mobile agent system; similarly, a leakage-resilient proxy signature scheme means that the corresponding mobile agent system is resilient to bounded information leakage about the proxy key held on the remote server.

3.3. Security of Leakage-Resilient Proxy Signatures. We put forward the security model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA) for proxy signatures in the presence of leakage. It is defined by the following experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$, played by a challenger $\mathcal{B}$ and an EU-CMLA adversary $\mathcal{A}$ who controls the secret keys of all users except the challenge user.

(i) $\mathcal{B}$ runs $(SK^*_0, PK^*) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$ and gives $PK^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ the following:

(a) delegation to $SK^*_{i-1}$ (input $PK_D$): $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running $\mathrm{PKg}^*(SK^*_{i-1}, PK^*, PK_D)$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK^*_{i-1})$.

(b) delegation of $SK^*_{i-1}$ (input $(PK_P, W_j)$): $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $PK_P$; $\mathcal{B}$ runs $\mathrm{Del}^*(SK^*_{i-1}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$. When it is finished, $\mathcal{B}$ returns the transcript of the delegation to $\mathcal{A}$.

(c) self-delegation of $SK^*_{i-1}$ (input $W$): $\mathcal{B}$ first runs $(SK'_0, PK') \xleftarrow{\$} \mathrm{Kg}^*$ and then runs the delegation protocol to generate a proxy key for the challenge user itself:
\[
(SK^*_i;\ \mathbf{PK}', \mathbf{W}', \mathbf{C}', j', SK'_0) \xleftarrow{\$} \big\langle \mathrm{Del}^*(SK^*_{i-1}, PK', \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W),\ \mathrm{PKg}^*(SK'_0, PK', PK^*) \big\rangle .
\]
When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j', SK'_0)$ and sends the transcript of the delegation to $\mathcal{A}$.

(d) ordinary signing query of $SK^*_{i-1}$ (input $m_i$): $\mathcal{B}$ runs $(\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{Sign}^*(SK^*_{i-1}, m_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(e) proxy signing query of $SK^*_{i-1}$ (input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$): $\mathcal{B}$ runs $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK^*_{i-1}, m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i)$ to $\mathcal{A}$.

(f) leakage query (input $f_i$): $\mathcal{A}$ may adaptively issue a leakage query after each query to the delegation protocol, ordinary signing, or proxy signing oracle, that is, after an algorithm has taken the secret key $SK^*_{i-1}$ as input. $\mathcal{B}$ runs $\Lambda_i \leftarrow f_i(SK^{*+}_{i-1}, r_i)$; if $|\Lambda_i| \neq \lambda$ it returns $\perp$, else it returns $\Lambda_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs a forgery, which must be one of the following.

(1) Ordinary signature of $PK^*$: $(m^*, \Sigma^*)$. If $1 \leftarrow \mathrm{Vfy}^*(PK^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing oracle, then output 1, else output 0.

(2) Proxy signature of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the last entry in $\mathbf{PK}$. If $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing oracle, then output 1, else output 0.

(3) Proxy signature on behalf of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in $\mathbf{PK}$. If $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ has not queried the delegation-of-$SK^*_{i-1}$ oracle on input $(PK_{n+1}, W_{n+1})$ (i.e., the $(n+1)$th entry of $\mathbf{PK}$ and the corresponding warrant), then output 1, else output 0.

We say that $\mathcal{A}$ wins the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$ if it outputs a valid forgery. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$. We say $\mathrm{SIG}^*$ is EU-CMLA secure if $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

Remark. In the EU-CMA-PKE model, $\mathcal{A}$ is allowed to query a redelegation of a user's proxy key. However, we define the LRPS under the BPW transformation model (i.e., a user's proxy key is exactly its secret key), so in the EU-CMLA model $\mathcal{A}$ can run redelegations by itself, except for the redelegation of $SK^*_{i-1}$, which in this setting can be obtained from the delegation-of-$SK^*_{i-1}$ query. Similarly, $\mathcal{A}$ has no need to issue proxy key exposure queries.

4. Construction of Leakage-Resilient Proxy Signatures

In this section we present a concrete construction of the LRPS scheme $\mathrm{SIG}^*$ based on the FKPR signature scheme, which can be instantiated with any EU-CMTLA (existential unforgeability against chosen message and total leakage attacks) 3-time signature scheme $\mathrm{sig} = (\mathrm{kg}, \mathrm{sign}, \mathrm{vfy})$.

Before giving the detailed description of $\mathrm{SIG}^*$, we first introduce some notation for the tree-based signature (with depth $d \in \mathbb{N}$). We denote the set of all bit strings of length at most $d$ (including the empty string $\varepsilon$) by $\{0,1\}^{\le d} = \bigcup_{i=1}^{d} \{0,1\}^i \cup \{\varepsilon\}$ (of size $2^{d+1} - 1$). The left and right children of an internal node (or the root) $w \in \{0,1\}^{\le d-1}$ are denoted by $w\|0$ and $w\|1$, respectively, and $\mathrm{par}(w)$ denotes the parent of node $w$. A depth-first traversal is used to traverse and label the tree. For a node $w \in \{0,1\}^{\le d} \setminus \{1^d\}$, we define $\mathrm{DF}(w)$ as the node traversed after $w$ in the depth-first traversal, that is,
\[
\mathrm{DF}(w) =
\begin{cases}
w\|0 & \text{if } |w| < d \ (w \text{ is the root or an internal node}), \\
w'\|1 & \text{if } |w| = d, \text{ where } w = w'\|0\|1^{j} \ (w \text{ is a leaf}).
\end{cases}
\tag{1}
\]
As the depth-first algorithm traverses the binary tree, each node $w$ is associated with a secret/public key pair $(\mathrm{sk}_w, \mathrm{pk}_w)$ obtained by invoking the kg algorithm of the underlying signature scheme sig. The following notation will be used in the remainder of this paper. Let $w = w_1 w_2 \cdots w_t$ be a bit string of length $t$.

(i) $\Gamma_w = \big((\mathrm{pk}_w, \phi_w), \ldots, (\mathrm{pk}_{w_1 w_2}, \phi_{w_1 w_2}), (\mathrm{pk}_{w_1}, \phi_{w_1})\big)$ is a "signature path" from $w$ to the root, where $\phi_{w'}$ is a signature on $010 \| \mathrm{pk}_{w'}$ under its parent's key $\mathrm{sk}_{\mathrm{par}(w')}$, that is, $\phi_{w'} \xleftarrow{\$} \mathrm{sign}(\mathrm{sk}_{\mathrm{par}(w')}, 010 \| \mathrm{pk}_{w'})$.

(ii) $S_w = \{\mathrm{sk}_{w_1 w_2 \cdots w_i} \mid w_{i+1} = 0\}$ is a subset of the secret keys on the path from the root $\varepsilon$ to node $w$: $\mathrm{sk}_{w'} \in S_w$ if and only if the path goes to the left child $w'\|0$ at node $w'$. (The reason is that in this case the right child $w'\|1$ of node $w'$ will be traversed after node $w$ in the depth-first traversal; consequently, we still need the secret key $\mathrm{sk}_{w'}$ of node $w'$ to sign the public key $\mathrm{pk}_{w'\|1}$ of its right child.)

The stateful secret key of the scheme $\mathrm{SIG}^*$ will have the form $(w, S_w, \Gamma_w)$ (i.e., the stacks $S_w$ and $\Gamma_w$ are used to keep track of the state at node $w$). For a stack $S$ we define the following three operations:

(1) $\mathrm{push}(S, a)$: put element $a$ on the stack $S$;

(2) $a \leftarrow \mathrm{pop}(S)$: remove the topmost element from the stack $S$ and assign it to $a$;

(3) $\mathrm{trash}(S)$: remove the topmost element from the stack $S$.

4.1. Construction. To avoid trivial attacks against this scheme, we use the idea of Boldyreva et al. [13]: attach a 3-bit string as a prefix to the text that will be signed, namely 111 (text used to compute ordinary signatures), 010 (text used to compute signature paths), 100 (text used to compute delegation certificates), and 101 (text used to compute proxy signatures), respectively. The LRPS scheme SIG* is constructed as follows.

(i) $\mathrm{Kg}^*(1^k)$: $(sk_\varepsilon, pk_\varepsilon) \xleftarrow{\$} \mathrm{Kg}(1^k)$; $S_\varepsilon = \{sk_\varepsilon\}$; $\Gamma_\varepsilon = \emptyset$; $SK_\varepsilon = (w_\varepsilon, S_\varepsilon, \Gamma_\varepsilon)$; $PK = pk_\varepsilon$; return $(SK_\varepsilon, PK)$.

(ii) $\mathrm{Sign}^*(SK_w, m)$ (to ease exposition, the signing process of the root $\varepsilon$, i.e., $\sigma \xleftarrow{\$} \mathrm{sign}(sk_\varepsilon, 111\|m)$, is not contained in this formal description):

    parse $SK_w = (w, S_w, \Gamma_w)$; if $w = 1^d$ return $\bot$;
    $w \leftarrow \mathrm{DF}(w)$; $(sk_w, pk_w) \xleftarrow{\$} \mathrm{Kg}(1^k)$;
    $\sigma \xleftarrow{\$} \mathrm{sign}(sk_w, 111\|m)$;
    $sk_{\mathrm{par}(w)} \leftarrow \mathrm{pop}(S_w)$; $\phi_w \xleftarrow{\$} \mathrm{sign}(sk_{\mathrm{par}(w)}, 010\|pk_w)$;
    if $w_{|w|} = 0$: $S_w \leftarrow \mathrm{push}(S_w, sk_{\mathrm{par}(w)})$;
    if $|w| < d$: $S_w \leftarrow \mathrm{push}(S_w, sk_w)$;
    if $|w| = d$, $w = w'\|0\|1^{j}$: for $i = 1, \ldots, j+1$ do $\mathrm{trash}(\Gamma_w)$;
    $\Gamma_w \leftarrow \mathrm{push}(\Gamma_w, (pk_w, \phi_w))$;
    $\Sigma = (\sigma, \Gamma_w)$; $SK_w = (w, S_w, \Gamma_w)$; return $(\Sigma, SK_w)$.     (2)

(iii) $\mathrm{Vfy}^*(PK, m, \Sigma)$: parse $\Sigma = (\sigma, \Gamma_{w_1 w_2 \cdots w_{|w|}})$; $pk_\varepsilon = PK$; for $i = 1, \ldots, |w|$ do: if $0 \leftarrow \mathrm{vfy}(pk_{w_1 \cdots w_{i-1}}, 010\|pk_{w_1 \cdots w_i}, \phi_{w_1 \cdots w_i})$ return 0; else return $\mathrm{vfy}(pk_{w_1 w_2 \cdots w_{|w|}}, 111\|m, \sigma)$.

(iv) $\mathrm{Del}^*(SK_{D(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$: D runs $(\mathrm{cert}_j, SK_{Di}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{D(i-1)}, 100\|PK_P\|j\|W_j)$ and then sends $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j, \mathrm{cert}_j)$ to P.

(v) $\mathrm{PKg}^*(SK_{P(i'-1)}, PK_P, PK_D)$: P first checks the validity of the delegation certificates; for $k = 1, \ldots, j$ do: if $0 \leftarrow \mathrm{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$, it returns $\bot$ and rejects this delegation; otherwise it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W_j)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}_j)$; finally it sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P(i'-1)})$.

If someone whose key pair is $(SK_{SD(i-1)}, PK_{SD})$ wants to designate itself as a proxy, it runs $(SK'_{P0}, PK'_P) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$ to generate a fresh key pair as the proxy key and creates a certificate $(\mathrm{cert}', SK_{SDi}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{SD(i-1)}, 100\|PK'_P\|0\|W')$; then it does

$$\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK'_P), \qquad \mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W'), \qquad \mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}'), \qquad (3)$$

and finally it sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK'_{P0})$.

(vi) $\mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P(i-1)}, m)$: $(\Sigma, SK_{Pi}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{P(i-1)}, 101\|m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$.

(vii) $\mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m, P\Sigma)$: V first checks the validity of the delegation certificates; for $k = 1, \ldots, j$ do: if $0 \leftarrow \mathrm{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$ return 0; else it returns $\mathrm{Vfy}^*(PK_j, 101\|m, P\Sigma)$.
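The tree-based scheme SIG* and the proxy layer above, as an added example that is not the paper's code: a toy Python instantiation in which the underlying 3-time scheme sig = (kg, sign, vfy) is stood in for by three Lamport one-time keys per node (a constructed stand-in; FKPR permits any EU-CMTLA 3-time scheme), the Section 4.1 prefixes are applied once at the outer Sign* level, and the trash count on $\Gamma_w$ is taken from the leaf being left. The chain representation (PK list, W list, C list), the warrant strings, and the function names are this example's own conventions; demo runs a two-hop delegation from D to P1 to P2 and shows a proxy signature by P2 verifying for the signed order and failing for a different one.

```python
# Added example, not the paper's code: a toy Python instantiation of the tree-based LRPS
# scheme SIG* (Section 4) plus its BPW proxy layer; sig is three Lamport keys per node.
import hashlib, os

TAG_SIGN, TAG_PATH, TAG_CERT, TAG_PROXY = b"111", b"010", b"100", b"101"  # Section 4.1 prefixes
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(msg: bytes):                          # 256 digest bits of msg, MSB first
    return [(byte >> (7 - i)) & 1 for byte in H(msg) for i in range(8)]

def kg():                                      # 3-time key: three independent Lamport keys
    sk = [[(os.urandom(32), os.urandom(32)) for _ in range(256)] for _ in range(3)]
    return {"keys": sk, "used": 0}, [[(H(a), H(b)) for a, b in key] for key in sk]

def pk_bytes(pk) -> bytes:                     # deterministic encoding, so a parent can sign it
    return b"".join(h for key in pk for pair in key for h in pair)

def sign(sk, msg: bytes):
    idx = sk["used"]
    if idx >= 3:
        raise ValueError("3-time key exhausted")
    sk["used"] = idx + 1
    return idx, [sk["keys"][idx][i][b] for i, b in enumerate(bits(msg))]

def vfy(pk, msg: bytes, sig) -> bool:
    idx, reveal = sig
    return (0 <= idx < 3 and len(reveal) == 256 and
            all(H(r) == pk[idx][i][b] for i, (r, b) in enumerate(zip(reveal, bits(msg)))))

def DF(w: str, d: int) -> str:                 # equation (1); w must not be 1^d
    if len(w) < d:
        return w + "0"
    return w.rstrip("1")[:-1] + "1"            # w = w'||0||1^j  ->  w'||1

def Kg_star(d: int):                           # state SK = (w, S_w, Gamma_w); PK = pk_epsilon
    sk_eps, pk_eps = kg()
    return {"w": "", "S": [sk_eps], "Gamma": [], "d": d}, pk_eps

def Sign_star(SK, tag: bytes, m: bytes):       # returns (None, SK) once 2^(d+1)-2 messages are used
    w, S, Gamma, d = SK["w"], SK["S"], SK["Gamma"], SK["d"]
    if w == "1" * d:
        return None, SK
    if len(w) == d:                            # leaving leaf w'01^j: trash j+1 path entries
        del Gamma[len(Gamma) - (len(w) - len(w.rstrip("1")) + 1):]
    w = SK["w"] = DF(w, d)
    sk_w, pk_w = kg()
    sigma = sign(sk_w, tag + m)
    sk_par = S.pop()                           # sk_par(w) is on top of the stack S_w
    phi_w = sign(sk_par, TAG_PATH + pk_bytes(pk_w))
    if w[-1] == "0":                           # parent still has to certify its right child
        S.append(sk_par)
    if len(w) < d:                             # internal node: keep sk_w to certify its children
        S.append(sk_w)
    Gamma.append((pk_w, phi_w))
    return (sigma, list(Gamma)), SK

def Vfy_star(PK, tag: bytes, m: bytes, Sigma) -> bool:
    if Sigma is None:
        return False
    sigma, Gamma = Sigma
    pk_parent = PK                             # pk_epsilon
    for pk_w, phi_w in Gamma:                  # walk the signature path down from the root
        if not vfy(pk_parent, TAG_PATH + pk_bytes(pk_w), phi_w):
            return False
        pk_parent = pk_w
    return vfy(pk_parent, tag + m, sigma)

def cert_text(pk_k, k: int, W_k: bytes) -> bytes:
    return pk_bytes(pk_k) + k.to_bytes(4, "big") + W_k   # PK_k || k || W_k
def Del_star(SK_D, chain, pk_P, W_j: bytes):   # chain = (PK list, W list, C list); j = len(PK)
    PK_list, W_list, C_list = chain
    cert, SK_D = Sign_star(SK_D, TAG_CERT, cert_text(pk_P, len(PK_list), W_j))
    return (PK_list + [pk_P], W_list + [W_j], C_list + [cert]), SK_D

def check_chain(chain) -> bool:                # cert_k must verify under PK_{k-1}, k = 1..j
    PK_list, W_list, C_list = chain
    return len(PK_list) == len(W_list) + 1 == len(C_list) + 1 and all(
        Vfy_star(PK_list[k - 1], TAG_CERT, cert_text(PK_list[k], k, W_list[k - 1]), C_list[k - 1])
        for k in range(1, len(PK_list)))

def PKg_star(chain, pk_P) -> bool:             # proxy accepts a valid chain ending at its own key
    return check_chain(chain) and chain[0][-1] == pk_P
def PSign_star(SK_P, chain, m: bytes):         # BPW model: the proxy key is the proxy's own key
    PSigma, SK_P = Sign_star(SK_P, TAG_PROXY, m)
    return (chain, PSigma), SK_P

def PVfy_star(proxy_sig, m: bytes) -> bool:
    chain, PSigma = proxy_sig
    return check_chain(chain) and Vfy_star(chain[0][-1], TAG_PROXY, m, PSigma)

def demo(d: int = 2):                          # D -> P1 -> P2 under constructed warrants
    (SK_D, PK_D), (SK_1, PK_1), (SK_2, PK_2) = (Kg_star(d) for _ in range(3))
    chain, SK_D = Del_star(SK_D, ([PK_D], [], []), PK_1, b"P1 may order up to 100 units")
    assert PKg_star(chain, PK_1)
    chain, SK_1 = Del_star(SK_1, chain, PK_2, b"P2 may order up to 10 units")
    assert PKg_star(chain, PK_2)
    psig, SK_2 = PSign_star(SK_2, chain, b"order: 5 units")
    return PVfy_star(psig, b"order: 5 units"), PVfy_star(psig, b"order: 50 units")
```

Calling demo() returns (True, False); with d = 1 a key yields exactly two signatures before Sign_star returns None, matching the bound $2^{d+1} - 2$.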

Upper Bound on the Number of Messages That Can Be Signed. For a fixed signing key, in both the FKPR scheme and SIG* the upper bound on the number of messages that can be signed is $q = 2^{d+1} - 2$. We can see from the above construction that each internal node is used only once by the signing algorithm. However, the key (with respect to the scheme sig) of any leaf can sign three times. Hence the upper bound on the number of messages that can be signed could be increased to $2^{d+2} - 4$, that is, double the previous upper bound, and the same holds for the FKPR scheme.

We should stress here that our scheme, which is built on a tree-based signature, has a disadvantage compared to those constructed from aggregate signatures [13, 15]: in those schemes the verification of all delegation certificates can be executed at once, due to the aggregability property of aggregate signatures [41].

4.2. Security. We now analyze the security of the proposed LRPS scheme.

Theorem 1. If the FKPR scheme (denoted by SIG) is EU-CMLA secure, then the proxy signature scheme SIG* is also EU-CMLA secure.

Our proof line is similar to that of Boldyreva et al. [13]. If there exists an EU-CMLA adversary $\mathcal{A}$ that can break the security of the scheme SIG*, then we can construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme SIG.

(i) Initially, $\mathcal{B}$ is given a challenge public key $PK'$ and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{B}}$. $\mathcal{B}$ first sets $PK^* = PK'$ as the challenge public key of the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$ and sends it to $\mathcal{A}$. Then it plays the experiment with $\mathcal{A}$.

(ii) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following.

(a) Delegation to $SK^*_{i-1}$: $PK_D$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running $\mathrm{PKg}^*(*, PK^*, PK_D)$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$. $\mathcal{B}$ can run the PKg* algorithm even though it has no idea about $SK^*_{i-1}$, because $SK^*_{i-1}$ will be set as the proxy key of the challenge user, so upon completion $\mathcal{B}$ does not know the corresponding proxy key.

(b) Delegation from $SK^*_{i-1}$: $(PK_P, W_j)$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $PK_P$. $\mathcal{B}$ makes the signing query SQ with input $00\|PK_P\|j\|W_j$, and is returned $\Sigma$. After the delegation protocol is finished, $\mathcal{A}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$, where $PK_P \in \mathbf{PK}'$, $W_j \in \mathbf{W}'$, and $\mathrm{cert}_j = \Sigma \in \mathbf{C}'$.

(c) Self-delegation of $SK^*_{i-1}$: $W$. $\mathcal{B}$ runs the delegation protocol to generate a proxy key of $PK^*$ for itself. $\mathcal{B}$ first runs $(SK'_0, PK') \xleftarrow{\$} \mathrm{Kg}^*$ and then makes the signing query SQ with input $00\|PK'\|0\|W$, and is returned $\Sigma$. Finally, $\mathcal{B}$ returns the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', 0, SK'_0)$ and sends the delegation transcripts to $\mathcal{A}$, where $PK' \in \mathbf{PK}'$, $W \in \mathbf{W}'$, and $\mathrm{cert}' = \Sigma \in \mathbf{C}'$.

(d) Ordinary signing queries of $SK^*_{i-1}$: $m_i$. $\mathcal{B}$ makes the signing query SQ with input $11\|m_i$, and is returned the signature $\Sigma$. Finally, $\mathcal{B}$ returns $\Sigma$ to $\mathcal{A}$.

(e) Proxy signing queries of $SK^*_{i-1}$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ makes the signing query SQ with input $01\|m_i$, and is returned the signature $\Sigma$. Finally, $\mathcal{B}$ returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$ to $\mathcal{A}$.

(f) Leakage queries $f_i$. $\mathcal{A}$ may make a query $f_i$ for leakage information after each delegation protocol, ordinary signing, or proxy signing query. To answer it, $\mathcal{B}$ makes the same query to LQ and is returned valid leakage information $\Lambda_i$, or $\bot$ if $f_i$ is illegal. Finally, $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. In the construction of the scheme SIG*, apart from the Sign* algorithm there are two further algorithms that use the signing or proxy signing key: Del* and PSign*. However, they are in fact also signing algorithms, just with different input text, so the leakage information answered by $\mathcal{B}$ (from LQ) is indistinguishable from what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$.

(iii) Finally, according to the assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $PK^*$ with respect to the scheme SIG*. It must be one of the following cases. We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme SIG.

(1) Ordinary signature of $PK^*$: $(m^*, \Sigma^*)$. If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$ of $PK^*$, then $\mathcal{B}$ outputs $(11\|m^*, \Sigma^*)$.

(2) Proxy signature of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the last entry in $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ of $PK^*$, then $\mathcal{B}$ outputs $(01\|m^*, \Sigma^*)$.

(3) Proxy signature on behalf of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in the list $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ on behalf of $PK^*$, then $\mathcal{B}$ outputs $(00\|PK_{n+1}\|n+1\|W_n, \mathrm{cert}_{n+1})$.

Analysis of $\mathcal{B}$. It is clear that the view of $\mathcal{A}$ as answered by $\mathcal{B}$ in the above experiment is identical to what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$. We now show that any valid output of the adversary $\mathcal{A}$ can be translated into a valid forgery with respect to the FKPR scheme SIG.

(1) If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$, then $1 \leftarrow \mathrm{Vfy}^*(PK^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing queries, so $\mathcal{B}$ did not make the signing query SQ with input $11\|m^*$. Therefore $(11\|m^*, \Sigma^*)$ is a valid forgery with respect to the scheme SIG.

(2) If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, then $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing queries, so $\mathcal{B}$ did not make the signing query SQ with input $01\|m^*$. Therefore $(01\|m^*, P\Sigma^*)$ is a valid forgery with respect to the scheme SIG.

(3) If $\mathcal{A}$ outputs a proxy signature on behalf of $PK^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in $\mathbf{PK}$, then $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ did not make the query of delegation from $SK^*_{i-1}$ with input $(PK_{n+1}, W_{n+1})$ (the $(n+1)$th entry in $\mathbf{PK}$), so $\mathcal{B}$ did not make the signing query SQ with input $00\|PK_{n+1}\|n+1\|W_n$. Therefore $(00\|PK_{n+1}\|n+1\|W_n, \mathrm{cert}_{n+1})$ is a valid forgery with respect to the scheme SIG.

From the above analysis we can see that the forgery output by the challenger $\mathcal{B}$ contradicts the security of the FKPR scheme SIG (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme SIG*.

5. Conclusion

In this paper we design a leakage-resilient proxy signature scheme, the LRPS. To model the security of such schemes, we adapt the existing models for proxy signature schemes proposed by Schuldt et al. (PKC 2008) [15] and Boldyreva et al. (Journal of Cryptology 2012) [13] to the leakage-resilient cryptography setting and give an extended model, EU-CMLA, for LRPS schemes. Furthermore, we present a concrete construction based on Faust et al.'s (TCC 2010) [37] LR signature scheme. This construction is provably secure under the given security model.

Appendices

Now we show that the proposed proxy signature scheme SIG* of Section 4, which is based on the BPW transformation, can be used to produce a secure full construction (denoted by SIG**) of the proxy signature scheme.

A. Construction

As said before, to guarantee that no information about the user's long-term secret key is leaked if its proxy keys are exposed, we had better let a proxy generate fresh and independent keys $(PK, SK)$ in a delegation, create a certificate for $PK$, and keep $SK$ as the proxy secret key; to record the proxy public keys of the proxies, a separate list $\mathbf{FK}$ is maintained to store them. The construction of the scheme SIG** = (Kg**, Sign**, Vfy**, ⟨Del**, PKg**⟩, PSign**, PVfy**) is as follows, where the algorithms Kg**, Sign**, Vfy** are the same as the algorithms Kg*, Sign*, Vfy* of the scheme SIG*, respectively. Here we should stress that the following construction is based on Schuldt et al.'s [15] idea; their scheme is built on sequential aggregate signatures, whereas ours is built on tree-based signatures, and we focus on the realization of leakage-resilient proxy signatures.

In the scheme SIG*, the proxy's proxy key is in fact exactly its long-term secret key, and hence whether it delegates its own signing right or its proxy signing right to the next proxy, it takes as input its secret key to run the delegation algorithm Del*. However, when we consider the full construction of the proxy signature scheme, the proxy's secret key and its proxy key are different and independent; thus when it delegates its own signing right to a proxy it takes as input its secret key, whereas when it delegates its proxy signing right to the next proxy it takes as input the proxy key. To describe these two cases uniformly, we use $sk$ to denote the input to the Del** algorithm run by the delegator in the scheme SIG**. For ease of description, here we describe the stateful signing algorithm Sign** in a nonstateful formalization.

(i) $\mathrm{Del}^{**}(sk, PK_P, \mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, W)$: it is divided into the following two cases depending on $(\mathbf{PK}, \mathbf{W})$.

(a) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., $sk$ is a long-term secret key), the delegator constructs the lists $\mathbf{PK} = \{PK_D, PK_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathrm{Sign}^{**}(sk, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathrm{cert})$ to the proxy.

(b) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., $sk$ is a proxy key), the delegator constructs the lists $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathrm{Sign}^{**}(sk, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, \mathrm{cert})$ to the proxy.


(ii) $\mathrm{PKg}^{**}(SK_P, PK_P, PK_D)$: the proxy first checks the validity of the delegation certificates; for $k = 1, \ldots, |\mathbf{C}|$ do: if $0 \leftarrow \mathrm{Vfy}^{**}(PK_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$, it returns $\bot$ and rejects this delegation, where $\mathrm{cert}_k$ denotes the $k$th entry in the list $\mathbf{C}$. Otherwise, it first generates a fresh proxy key pair $(PK'_P, SK'_P) \leftarrow \mathrm{Kg}^{**}(1^k)$ and runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK'_P)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathrm{Sign}^{**}(SK_P, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. Finally it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, sets $PSK = (\mathbf{FK}, \mathrm{cert}, SK'_P)$, and outputs the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK)$.

(iii) $\mathrm{PSign}^{**}(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK, m)$: $\Sigma \xleftarrow{\$} \mathrm{Sign}^{**}(SK'_P, 101\|m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, P\Sigma = \Sigma)$.

(iv) $\mathrm{PVfy}^{**}(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, m, P\Sigma)$: V first checks the validity of the delegation certificates; for $k = 1, \ldots, |\mathbf{C}|$ it runs $\mathrm{Vfy}^{**}(PK_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$ or $\mathrm{Vfy}^{**}(PK'_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$, depending on whether the current certificate was generated by Del** or by PKg**, respectively. If all the verifications pass, then it returns $\mathrm{Vfy}^{**}(PK'_P, 101\|m, P\Sigma)$.

B. Security

We now analyze the security of the scheme SIG**. This proof is roughly analogous to the proof for the scheme SIG*. However, because the proxy key is independent of the long-term secret key, we have to permit more queries to the adversary, such as a redelegation of a user's proxy key. Here we adapt Schuldt et al.'s [15] security model EU-CMA-PKE, which is the strongest notion for proxy signature schemes (cf. Section 4 of [15] for a detailed description), to the leakage-resilient cryptography setting, giving EU-CMLA-PKE. In the presence of leakage we should care about which secret can be taken as input to the leakage function: the long-term secret key, the proxy key, or both. Our answer is both.

The detailed analysis is as follows.

Theorem B.1. The proxy signature scheme SIG** is EU-CMLA-PKE secure based on the security of the leakage-resilient FKPR signature scheme SIG.

We show that if there exists an EU-CMLA-PKE adversary $\mathcal{A}$ which can break the security of the scheme SIG**, then it can be used to construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme SIG.

(I) Initially, $\mathcal{B}$ is given a challenge public key $PK'$ and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{B}}$. $\mathcal{B}$ first chooses a random $c \leftarrow \{0,1\}$. If $c = 0$, $\mathcal{B}$ sets $PK^* = PK'$ and $SK^* = \emptyset$. Otherwise $\mathcal{B}$ generates a fresh key pair $(PK^*, SK^*) \leftarrow \mathrm{Kg}^{**}$ and chooses a random $i^* \leftarrow \{1, \ldots, q_d\}$ (where $q_d$ is the number of queries that $\mathcal{A}$ makes to the delegation oracle; $\mathcal{B}$ will use $PK'$ instead of a fresh key in the $i^*$th delegation query by $\mathcal{A}$). In both cases $\mathcal{B}$ sends $PK^*$ to $\mathcal{A}$ as the challenge public key of the experiment $\mathrm{Exp}^{\text{eu-cmla-pke}}_{\mathrm{SIG}^*,\mathcal{A}}$. Then it plays the experiment with $\mathcal{A}$.

(II) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following. When a query by $\mathcal{A}$ needs a signing invocation of $SK'$ corresponding to $PK'$, $\mathcal{B}$ queries its own signing oracle SQ; we omit this implicit step in the following proof. In addition, $\mathcal{B}$ maintains a set of lists $\mathrm{PskList}(*, *)$ which contains all proxy keys generated by $\mathcal{B}$ for the delegation chain with the public keys $\mathbf{PK}$ and warrants $\mathbf{W}$.

(i) Delegation to $SK^*$: $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$. If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, then $\mathcal{B}$ first runs $(PK, SK) \leftarrow \mathrm{Kg}^{**}(1^k)$, $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$, and sets $SK_{prx} = SK$. If $c = 1$ and this is the $i^*$th delegation query, $\mathcal{B}$ runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK^*)$ and sets $SK_{prx} = \emptyset$. Then $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{prx}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. Finally, it stores $PSK = (\mathbf{FK}, \mathrm{cert}, SK_{prx})$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$.

(ii) Delegation from $SK^*$: this query can be divided into the following three cases.

(a) Delegation of $SK^*$: $(PK_P, W)$. $\mathcal{B}$ sets $\mathbf{PK} = \{PK^*, PK_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK^*, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sets $\mathbf{C} = \{\mathrm{cert}\}$. Finally, it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(b) Redelegation of $PSK$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, PK_P, W)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{prx})$. Then it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{prx}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$, and sets $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$. Finally, it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(c) Self-delegation of $SK^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W)$.

(1) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., self-delegation of $SK^*$), $\mathcal{B}$ constructs $\mathbf{PK} = \{PK^*, PK^*\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$, and sets $SK_{sel} = SK^*$ and $\mathrm{cert}_{sel} = \emptyset$.

(2) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., delegation of $PSK$), $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{prx})$. Then it computes $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK^*)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, and sets $SK_{sel} = SK_{prx}$ and $\mathrm{cert}_{sel} = \mathrm{cert}$.

$\mathcal{B}$ then computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{sel}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, $\mathcal{B}$ first runs $(PK, SK) \leftarrow \mathrm{Kg}^{**}(1^k)$ and constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$. Otherwise $\mathcal{B}$ constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK^*)$ and sets $SK = \emptyset$. Finally, $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{sel}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, then stores the proxy key $PSK = (\mathbf{FK}, \mathrm{cert}, SK)$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and sends the transcript $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(iii) Ordinary signing queries of $SK^*$: $m_i$. $\mathcal{B}$ returns $\mathrm{Sign}^{**}(SK^*, 111\|m)$.

(iv) Proxy signing queries of $SK^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{prx})$. Then it computes $P\Sigma \leftarrow \mathrm{PSign}^{**}(SK_{prx}, 101\|m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma))$ to $\mathcal{A}$.

(v) Proxy key exposure queries: $(\mathbf{PK}, \mathbf{W}, j)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{prx})$. If $SK_{prx} = \emptyset$, $\mathcal{B}$ aborts. Otherwise $\mathcal{B}$ returns $(\mathbf{FK}, \mathrm{cert}, SK_{prx})$ to $\mathcal{A}$.

(vi) Leakage queries $f_i$. $\mathcal{A}$ makes a query $f_i$ for leakage information about the secret key $sk$ (randomness is also included here) after each delegation protocol, ordinary signing, or proxy signing query. If the secret key used was chosen by $\mathcal{B}$, then $\mathcal{B}$ returns $\Lambda_i = f_i(sk)$. Otherwise $\mathcal{B}$ makes the same query to its own leakage oracle LQ and is returned valid leakage information $\Lambda_i$, or $\bot$ if $f_i$ is illegal. Finally, $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. The secret state for $\mathcal{A}$ can be divided into two kinds: the first is that chosen by $\mathcal{B}$ in the experiment, and the second is that unknown to $\mathcal{B}$, that is, $SK'$ and the randomness used in the signing oracle SQ. For the first kind, $\mathcal{B}$ can directly answer $\mathcal{A}$ by itself. For the second kind, similarly to the proof of Theorem 1, $\mathcal{B}$ can make the same query to its leakage oracle LQ.

(III) Finally, according to the assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $PK^*$ (with respect to the scheme SIG**). It must be one of the following cases:

(1) ordinary signature $(m^*, \Sigma^*)$;
(2) proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;
(3) proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;
(4) proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was generated by $\mathcal{B}$;
(5) proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was generated by $\mathcal{B}$.

We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme SIG. If $\mathcal{B}$ has flipped $c = 0$, which means that $PK^* = PK'$, then the first three cases correspond to forgeries where $\mathcal{A}$ has forged a signature under the secret key $SK'$, and hence $\mathcal{B}$ can translate them into a forged signature for the scheme SIG, analogously to the proof of Theorem 1. Otherwise, if $\mathcal{A}$ outputs a forgery that belongs to the last two cases, $\mathcal{B}$ aborts.

If $c = 1$, which means that $\mathcal{B}$ set $PK'$ as the $i^*$th fresh proxy public key, then if $\mathcal{A}$ outputs a forgery that belongs to the first three cases, $\mathcal{B}$ aborts. Otherwise, the last two cases indicate that $\mathcal{A}$ has forged a signature under one of the keys generated by $\mathcal{B}$ in a delegation for which $\mathcal{A}$ has not received the corresponding secret key. In those two cases $P\Sigma^*$ is a valid signature under a key $PK$ generated by $\mathcal{B}$ in some delegation query; that is, $PK$ is the last key in the list $\mathbf{FK}$ of a proxy key $(\mathbf{FK}, \mathrm{cert}, SK_{prx})$ from some proxy key list $\mathrm{PskList}(*, *)$. Therefore, with probability $1/q_d$, $\mathcal{B}$ has chosen the right $i^*$ such that $PK = PK'$. In this case $\mathcal{B}$ outputs $P\Sigma^*$ as a valid forgery under the key $PK'$ for the underlying signature scheme SIG.

From the above analysis we can see that the challenger $\mathcal{B}$'s forgery, produced with nonnegligible probability, contradicts the security of the FKPR scheme SIG (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme SIG**.

Disclosure

An abstract of this paper has been presented in the proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, pp. 495–502, 2013 [42].

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 60970139), the Strategic Priority Program of the Chinese Academy of Sciences (Grant no. XDA06010702), and the IIE's Cryptography Research Project. The authors would like to thank the anonymous reviewers for their helpful comments and suggestions.

References

[1] W Farmer J Gutmann and V Swarup ldquoSecurity for mobileagents authentication and state appraisalrdquo in ComputerSecuritymdashESORICS 96 4th European Symposium on Researchin Computer Security Rome Italy September 25-27 1996Proceedings vol 1146 of Lecture Notes in Computer Science pp118ndash130 Springer Berlin Germany 1996

[2] P Kotzanikolaous G Katsirelos and V ChrissikopoulosldquoMobile agents for secure electronic transactionsrdquo in RecentAdvances in Signal Processing and Communications pp 363ndash368 World Scientific and Engineering Society Press 1999

[3] B Lee H Kim and K Kim ldquoSecure mobile agent using strongnon-designated proxy signaturerdquo in Information Security andPrivacy Proceedings of the 6th Australasian Conference (ACISPrsquo01) Sydney Australia July 11ndash13 2001 vol 2119 of Lecture Notesin Computer Science pp 474ndash486 Springer Berlin Germany2001

Mobile Information Systems 11

[4] B Lee H Kim and K Kim ldquoStrong proxy signature and itsapplicationsrdquo in Proceedings of the Symposium on Cryptographyand Information Security (SCIS 01) pp 603ndash608 2001

[5] M Mambo K Usuda and E Okamoto ldquoProxy signaturesdelegation of the power to sign messagesrdquo IEICE Transactionson Fundamentals of Electronics vol 79 pp 1338ndash1353 1996

[6] G Allee S Pierre R H Glitho and A El Rhazi ldquoAn improveditinerary recording protocol for securing distributed architec-tures based on mobile agentsrdquoMobile Information Systems vol1 no 2 pp 129ndash147 2005

[7] R Aversa B Di Martino N Mazzocca and S Venticinque ldquoAskeleton based programming paradigm formobilemulti-agentson distributed systems and its realization within the MAGDAmobile agents platformrdquoMobile Information Systems vol 4 no2 pp 131ndash146 2008

[8] K Goto Y Sasaki T Hara and S Nishio ldquoData gatheringusingmobile agents for reducing traffic in densemobile wirelesssensor networksrdquo Mobile Information Systems vol 9 no 4 pp295ndash314 2013

[9] YWang D S Wong and HWang ldquoEmploy a mobile agent formaking a paymentrdquo in Mobile Information Systems vol 4 pp51ndash68 IOS Press 2008

[10] S Parvin F K Hussain and S Ali ldquoA methodology to counterDoS attacks in mobile IP communicationrdquo Mobile InformationSystems vol 8 no 2 pp 127ndash152 2012

[11] H U Park and I Y Lee ldquoA digital nominative proxy signaturescheme for mobile communicationrdquo in Information and Com-munications Security Third International Conference ICICS2001Xian ChinaNovember 13ndash16 2001 Proceedings vol 2229 ofLectureNotes in Computer Science pp 451ndash455 Springer BerlinGermany 2001

[12] S Kim S Park and D Won ldquoProxy signatures revisitedrdquo inProceedings of the 1st International Conference on Informationand Communication Security (ICICS rsquo97) vol 1334 of LectureNotes in Computer Science pp 223ndash232 Springer 1997

[13] A Boldyreva A Palacio and B Warinschi ldquoSecure proxysignature schemes for delegation of signing rightsrdquo Journal ofCryptology vol 25 no 1 pp 57ndash115 2012

[14] T Malkin S Obana andM Yung ldquoThe hierarchy of key evolv-ing signatures and a characterization of proxy signaturesrdquo inAdvances in CryptologymdashEUROCRYPT 2004 vol 3027 of Lec-ture Notes in Computer Science pp 306ndash322 Springer BerlinGermany 2004

[15] J C N Schuldt K Matsuura and K G Paterson ldquoProxy signa-ture secure against key exposurerdquo in Public Key CryptographymdashPKC 2008 11th International Workshop on Practice and Theoryin Public-Key Cryptography Barcelona Spain March 9-12 2008Proceedings vol 4939 of Lecture Notes in Computer Science pp141ndash161 Springer Berlin Germany 2008

[16] H Wang and J Pieprzyk ldquoEfficient one-time proxy signaturesrdquoin Advances in CryptologymdashASIACRYPT 2003 vol 2894 ofLecture Notes in Computer Science pp 507ndash522 SpringerBerlin Germany 2003

[17] F Zhang R Safavi-Naini and C Y Lin ldquoNew proxy signa-ture proxy blind signature and proxy ring signature schemesfrom bilinear pairingsrdquo Tech Rep 2003104 Cryptology ePrintArchive 2003 httpeprintiacrorg

[18] S Goldwasser and S Micali ldquoProbabilistic encryptionrdquo Journalof Computer and System Sciences vol 28 no 2 pp 270ndash2991984

[19] M Mambo K Usuda and E Okamoto ldquoProxy signatures fordelegating signing operationrdquo in Proceedings of the 3rd ACM

Conference on Computer and Communications Security (CCSrsquo96) pp 48ndash56 ACM March 1996

[20] J Y Lee J H Cheon and S Kim ldquoAn analysis of proxysignatures is a secure channel necessaryrdquo in Proceedings ofthe Cryptographersrsquo Track at the RSA Conference San FranciscoCalif USA April 2003 Lecture Notes in Computer Science pp68ndash79 Springer 2003

[21] Y Dodis J Katz S Xu and M Yung ldquoStrong key-insulatedsignature schemesrdquo in Public Key CryptographymdashPKC 2003vol 2567 of Lecture Notes in Computer Science pp 130ndash144Springer Berlin Germany 2002

[22] D Brumley and D Boneh ldquoRemote timing attacks are practi-calrdquo Computer Networks vol 48 no 5 pp 701ndash716 2005

[23] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology – CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer, Berlin, Germany, 1999.

[24] E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Advances in Cryptology – CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 221–240, Springer, Berlin, Germany, 2008.

[25] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology – EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pp. 37–51, Springer, Berlin, Germany, 1997.

[26] S. Micali and L. Reyzin, "Physically observable cryptography," in Theory of Cryptography: Proceedings of the 1st Theory of Cryptography Conference (TCC '04), Cambridge, MA, USA, February 19–21, 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 278–296, Springer, Berlin, Germany, 2004.

[27] Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, "Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage," in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS '10), pp. 501–510, October 2010.

[28] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, "Cryptography against continuous memory attacks," in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 511–520, 2010.

[29] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology – EUROCRYPT '09, vol. 5479 of Lecture Notes in Computer Science, pp. 462–482, Springer, Berlin, Germany, 2009.

[30] S. Garg, A. Jain, and A. Sahai, "Leakage-resilient zero knowledge," in Advances in Cryptology – CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 297–315, Springer, Berlin, Germany, 2011.

[31] E. Kiltz and K. Pietrzak, "Leakage resilient ElGamal encryption," in Advances in Cryptology – ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 595–612, Springer, Berlin, Germany, 2010.

[32] M. Naor and G. Segev, "Public-key cryptosystems resilient to key leakage," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 18–35, Springer, Berlin, Germany, 2009.

[33] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, "Practical leakage-resilient identity-based encryption from simple assumptions," in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 152–161, ACM, October 2010.

[34] T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, "Identity-based encryption resilient to continual auxiliary leakage," in Advances in Cryptology – EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 117–134, Springer, Berlin, Germany, 2012.

12 Mobile Information Systems

[35] J. Alwen, Y. Dodis, and D. Wichs, "Leakage-resilient public-key cryptography in the bounded-retrieval model," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 36–54, Springer, 2009.

[36] E. Boyle, G. Segev, and D. Wichs, "Fully leakage-resilient signatures," in Advances in Cryptology – EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 89–108, Springer, Berlin, Germany, 2011.

[37] S. Faust, E. Kiltz, K. Pietrzak, and G. N. Rothblum, "Leakage-resilient signatures," in Theory of Cryptography: 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010, Proceedings, vol. 5978 of Lecture Notes in Computer Science, pp. 343–360, Springer, Berlin, Germany, 2010.

[38] J. Katz and V. Vaikuntanathan, "Signature schemes with bounded leakage resilience," in Advances in Cryptology – ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 703–720, Springer, Berlin, Germany, 2009.

[39] T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung, "Signatures resilient to continual leakage on memory and computation," in Proceedings of the 8th Theory of Cryptography Conference (TCC '11), vol. 6597 of Lecture Notes in Computer Science, pp. 89–106, Springer, Providence, RI, USA, 2011.

[40] F. Tang, H. Li, Q. Niu, and B. Liang, "Efficient leakage-resilient signature schemes in the generic bilinear group model," Cryptology ePrint Archive, Report 2013/785, 2013, http://eprint.iacr.org/.

[41] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 416–432, Springer, Berlin, Germany, 2003.

[42] F. Tang, H. Li, Q. Niu, and B. Liang, "Leakage-resilient proxy signatures," in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 495–502, Xi'an, China, September 2013.


of up to $\ell - \ell^{\epsilon}$ ($\ell$ denotes the bit-length of the secret key) bits of information about the secret key. In the same paper they also introduced the notion of fully leakage-resilient signatures, which means that the scheme is EU-CMA secure even if the adversary may obtain leakage information on all internal state values that are used throughout the lifetime of the scheme. Boyle et al. [36] then improved their scheme to a full one which can be resilient to any leakage of length $(1 - o(1))\ell$ bits. Faust et al. [37] constructed a tree-based leakage-resilient signature scheme (in the model of "only computation leaks") which can be instantiated with any 3-time bounded leakage-resilient signature. Their scheme is resilient to $\lambda = \lambda'/3$ bits of leakage per signing process, where $\lambda'$ is the total amount of leakage the underlying 3-time signature scheme can tolerate.

Our Contribution. Proxy signatures are often proposed for use in applications where signing is done in a potentially hostile environment; for example, if we use a proxy signature to realize a mobile agent system, then the proxy key is stored on a laptop or even an IC card which might become infected by malware. In such a setting, an adversary who launches side-channel attacks can obtain some leakage information about the proxy key or even other internal states. Based on this consideration, we construct, for the first time, a proxy signature scheme in the setting of leakage-resilient cryptography: the leakage-resilient proxy signature (LRPS). The proposed LRPS scheme maintains the properties of both primitives, leakage-resilient cryptography and proxy signatures.

To define the security notion for the LRPS scheme, we combine the existing security models of proxy signatures and leakage-resilient cryptography to put forward the security model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA). (We also introduce the notion of EU-CMLA-PKE, which extends EU-CMA-PKE from [15], for the full construction of the LRPS in the Appendices.) Furthermore, we construct a concrete LRPS scheme under the delegation-by-warrant and multilevel proxy models; it can be regarded as a concrete implementation of the BPW transformation in the setting of leakage-resilient cryptography. We use a tree-based signature scheme to construct the proxy signature scheme, which differs from the method that [13, 15] adopted: they both used an aggregate signature [41]. Hence our construction provides an alternative method for constructing proxy signatures. The concrete construction of the LRPS scheme is based on the leakage-resilient signature scheme of Faust et al. [37] (henceforth called FKPR, from TCC 2010).

2. Definitions

In this section we present some basic definitions for this paper: the notion of stateful signatures and its security in the black-box model and in the presence of leakage, respectively.

2.1. Notations. $1^k$ denotes the string of $k$ ones for $k \in \mathbb{N}$. $|x|$ denotes the length of $x$ if $x$ is a bit string; $|S|$ denotes the number of entries in the set $S$. $s \xleftarrow{\$} S$ means randomly choosing an element $s$ from the set $S$. We write $y \leftarrow \mathcal{A}(x)$ to indicate that the algorithm $\mathcal{A}$ is run with input $x$ and then outputs $y$, and $y \xleftarrow{\$} \mathcal{A}(x)$ has the same meaning except that $\mathcal{A}$ is a probabilistic algorithm. We use the notation $s_1 \| s_2$ to denote the concatenation of the bit strings $s_1$ and $s_2$; if they are not strings, we assume that they will be encoded as strings before the concatenation takes place. Lastly, we write PPT for probabilistic polynomial time.

2.2. Stateful Signatures. A signature scheme SIG consists of three algorithms, key generation, signing, and verification, denoted by Kg, Sign, and Vfy, respectively. We say that a signature scheme is stateful if the Sign algorithm is stateful, which means that the secret key is refreshed after (or before) each signing process while its corresponding public key remains fixed. That is to say, $\mathrm{SIG} = (\mathrm{Kg}, \mathrm{Sign}, \mathrm{Vfy})$ is a stateful signature scheme if it satisfies the following.

(i) Kg is a PPT algorithm that takes as input a security parameter $k$ and then outputs the signer's initial secret key $SK_0$ and public key $PK$. We write it $(SK_0, PK) \xleftarrow{\$} \mathrm{Kg}(1^k)$.

(ii) Sign is a PPT algorithm run by the signer; it takes as input the signer's stateful secret key $SK_{i-1}$ and a message $m_i$ and then outputs a signature $\Sigma_i$ and the next stateful secret key $SK_i$. We write it $(\Sigma_i, SK_i) \xleftarrow{\$} \mathrm{Sign}(SK_{i-1}, m_i)$.

(iii) Vfy is a deterministic algorithm run by the verifier; it takes as input the signer's public key $PK$, the signed message $m_i$, and the corresponding signature $\Sigma_i$ and then outputs 1 if the signature is valid, else it outputs 0. We write it $1/0 \leftarrow \mathrm{Vfy}(PK, m_i, \Sigma_i)$.

2.3. Security of Stateful Signatures in the Black-Box Model. Existential unforgeability against adaptive chosen message attack (EU-CMA) for stateful signatures is defined by the following experiment $\mathrm{Exp}^{\text{eu-cma}}_{\mathrm{SIG},\mathcal{A}}$, which is played by an EU-CMA adversary $\mathcal{A}$ and a challenger $\mathcal{B}$.

(i) $\mathcal{B}$ runs $(SK^*_0, PK^*) \xleftarrow{\$} \mathrm{Kg}(1^k)$ and gives $PK^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ for the following. Signing query $\mathrm{SQ}(m_i)$: $\mathcal{B}$ runs $(\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{Sign}(SK^*_{i-1}, m_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs $(m^*, \Sigma^*)$.

We say that $\mathcal{A}$ wins the above experiment $\mathrm{Exp}^{\text{eu-cma}}_{\mathrm{SIG},\mathcal{A}}$ if $1 \leftarrow \mathrm{Vfy}(PK^*, m^*, \Sigma^*)$ and $m^*$ was not submitted to the signing query. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\text{eu-cma}}_{\mathrm{SIG},\mathcal{A}}$. We say SIG is EU-CMA secure if $\mathrm{Adv}^{\text{eu-cma}}_{\mathrm{SIG},\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

2.4. Security of Stateful Signatures in the Presence of Leakage. In the setting of leakage-resilient cryptography, the adversary $\mathcal{A}$ can obtain $\lambda$ bits of leakage information with every signing query. With the $i$th signing query, the adversary $\mathcal{A}$ adaptively chooses any computable leakage function $f_i : \{0,1\}^* \to \{0,1\}^{\lambda}$ for the leakage query and then obtains the output $\Lambda_i$ of $f_i$, which takes as input the active part $SK^{*+}_{i-1}$ of the stateful secret key and the randomness $r_i$ used in the signing phase.

Formally, the model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA) is defined by the following experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{A}}$, which is played by an EU-CMLA adversary $\mathcal{A}$ and a challenger $\mathcal{B}$.

(i) $\mathcal{B}$ runs $(SK^*_0, PK^*) \xleftarrow{\$} \mathrm{Kg}(1^k)$ and gives $PK^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ for the following.

(a) Signing query $\mathrm{SQ}(m_i)$: $\mathcal{B}$ runs $(\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{Sign}(SK^*_{i-1}, m_i; r_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(b) Leakage query $\mathrm{LQ}(f_i)$: $\mathcal{B}$ runs $\Lambda_i \leftarrow f_i(SK^{*+}_{i-1}, r_i)$; if $|\Lambda_i| \neq \lambda$ it returns $\bot$, else it returns $\Lambda_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs $(m^*, \Sigma^*)$.

We say that $\mathcal{A}$ wins the above experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{A}}$ if $1 \leftarrow \mathrm{Vfy}(PK^*, m^*, \Sigma^*)$ and $m^*$ was not submitted to the signing query. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{A}}$. We say SIG is EU-CMLA secure if $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

3. Leakage-Resilient Proxy Signatures

As outlined in the Introduction, there exist three kinds of entities in a proxy signature scheme: an original signer, one (or more) proxy signers, and a verifier. A delegator, whether it is the original signer or a proxy signer, wants to delegate its signing right, either the original signing right (i.e., the delegator is the original signer) or a proxy signing right (i.e., the delegator is a proxy signer), to a proxy. Finally, the verifier can be convinced from the proxy signatures of the original signer's agreement on the signed message and of the identities of the proxy signers.

In the multilevel proxy model, a delegation chain (original signer)-(1st proxy)-(2nd proxy)-$\cdots$-($j$th proxy)-$\cdots$ consists of an original signer and $j$ (or more) proxy signers. To identify them, we require a list $\mathbf{PK}$ of their public keys in the proxy signatures.

In the BPW transformation, the delegator signs its proxy's public key and the corresponding warrant to obtain a certificate, from which the proxy key is generated. Therefore, to verify the validity of the delegation, it is also required that the proxy signatures contain a list $\mathbf{W}$ of the warrants and a list $\mathbf{C}$ of the certificates of the delegations.

3.1. Syntax. Formally, we define the stateful proxy signatures (under the BPW transformation) as follows. That is to say, $\mathrm{SIG}^* = (\mathrm{Kg}^*, \mathrm{Sign}^*, \mathrm{Vfy}^*, \langle \mathrm{Del}^*, \mathrm{PKg}^* \rangle, \mathrm{PSign}^*, \mathrm{PVfy}^*)$ is a stateful proxy signature scheme if the first three algorithms are defined as Kg, Sign, and Vfy of the scheme SIG, respectively, and the latter three algorithms satisfy the following.

(i) $\langle \mathrm{Del}^*, \mathrm{PKg}^* \rangle$ is a pair of interactive PPT algorithms forming the delegation protocol, by which the delegator $D$, whose stateful key pair is $(SK_{D,(i-1)}, PK_D)$, delegates its signing right to a proxy $P$, who has a stateful key pair $(SK_{P,(i'-1)}, PK_P)$.

(a) $\mathrm{Del}^*$ is run by the delegator with input $(SK_{D,(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$, where $\mathbf{PK}$, $\mathbf{W}$, and $\mathbf{C}$ are the lists of public keys, warrants, and delegation certificates of the previous delegators, respectively; $j$ indicates that the current proxy is the $j$th proxy in the delegation chain ($j = 0$ means that the delegator is the original signer); and $W_j$ is the warrant for the current delegation.

(b) $\mathrm{PKg}^*$ is run by the proxy with input $(SK_{P,(i'-1)}, PK_P, PK_D)$ to generate its proxy key.

As a result of this interactive algorithm, $\mathrm{Del}^*$ has no local output except the delegator's next stateful key $SK_{D,i}$. The local output of $\mathrm{PKg}^*$ is the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK_{P,(i'-1)})$, where $\mathbf{PK}'$, $\mathbf{W}'$, and $\mathbf{C}'$ are the lists of public keys, warrants, and certificates in the delegation chain extended with the public key of the proxy and the warrant and certificate of the current delegation, respectively. We write it $(SK_{D,i};\ \mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK_{P,(i'-1)}) \xleftarrow{\$} \langle \mathrm{Del}^*(SK_{D,(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j),\ \mathrm{PKg}^*(SK_{P,(i'-1)}, PK_P, PK_D) \rangle$.

(ii) $\mathrm{PSign}^*$ is a PPT algorithm run by a proxy; it takes as input the proxy's delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)})$ and a message $m_i$ and then outputs a proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i)$ on behalf of the delegator and the proxy's next stateful key $SK_{P,i'}$. We write it $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i, SK_{P,i'}) \xleftarrow{\$} \mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)}, m_i)$.

(iii) $\mathrm{PVfy}^*$ is a deterministic algorithm run by the verifier; it takes as input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i, P\Sigma_i)$ and then outputs 1 if the proxy signature is valid, else it outputs 0. We write it $1/0 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i, P\Sigma_i)$.

In real-world applications, a user's long-term secret key should be stored in a secure way, and thus, to guarantee that no information about the long-term key is leaked while the proxy key is exposed, it is better to generate a proxy key independent of the long-term key. We call such a construction a full construction. There exists a simple method to obtain the full construction from any BPW-transformed proxy signature (cf. Section 5 of [15]).

(i) After obtaining the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)})$, the proxy first generates a fresh proxy key pair $(SK'_{P,0}, PK'_P) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$.

(ii) Compute $(\mathrm{cert}', SK_{P,i'}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{P,(i'-1)}, 00 \| PK'_P \| 0 \| \mathrm{cert})$, where $\mathrm{cert} \in \mathbf{C}$ is the delegation certificate from the delegator.

(iii) The new delegation information is $(\mathbf{PK}', \mathbf{W}, \mathbf{C}', j', SK'_{P,0})$, where $PK'_P \in \mathbf{PK}'$ and $\mathrm{cert}' \in \mathbf{C}'$.

The concrete full construction of such a proxy signature scheme and the corresponding security analysis are presented in the Appendices.

3.2. Implementing a Secure Mobile Agent from a Proxy Signature Scheme. When we realize a mobile agent system by using a secure proxy signature scheme, let the clients be the delegators and let the mobile agent be the proxy. Then a client and the agent together run the interactive delegation protocol to delegate the client's signing right to the agent. Finally, the agent can sign some specified messages on behalf of the client. A secure proxy signature scheme implies a secure mobile agent system; similarly, a leakage-resilient proxy signature scheme means that the corresponding mobile agent system can be resilient to some bounded information leakage.

3.3. Security of the Leakage-Resilient Proxy Signatures. We put forward the security model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA) for proxy signatures in the presence of leakage. It is defined by the following experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$, which is played by a challenger $\mathcal{B}$ and an EU-CMLA adversary $\mathcal{A}$ who controls the secret keys of all users except the challenged user.

(i) $\mathcal{B}$ runs $(SK^*_0, PK^*) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$ and gives $PK^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ for the following.

(a) Delegation to $SK^*_{i-1}$, $(PK_D)$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running the algorithm $\mathrm{PKg}^*(SK^*_{i-1}, PK^*, PK_D)$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK^*_{i-1})$.

(b) Delegation of $SK^*_{i-1}$, $(PK_P, W_j)$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $PK_P$; $\mathcal{B}$ runs $\mathrm{Del}^*(SK^*_{i-1}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$. When it is finished, $\mathcal{B}$ returns the transcript of the delegation to $\mathcal{A}$.

(c) Self-delegation of $SK^*_{i-1}$, $(W)$: $\mathcal{B}$ first runs $(SK'_0, PK') \xleftarrow{\$} \mathrm{Kg}^*$ and then runs the delegation protocol to generate a proxy key for the challenged user itself: $(SK^*_i;\ \mathbf{PK}', \mathbf{W}', \mathbf{C}', j', SK'_0) \xleftarrow{\$} \langle \mathrm{Del}^*(SK^*_{i-1}, PK', \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W),\ \mathrm{PKg}^*(SK'_0, PK', PK^*) \rangle$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j', SK'_0)$ and sends the transcript of the delegation to $\mathcal{A}$.

(d) Ordinary signing queries of $SK^*_{i-1}$, $(m_i)$: $\mathcal{B}$ runs $(\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{Sign}^*(SK^*_{i-1}, m_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(e) Proxy signing queries of $SK^*_{i-1}$, $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$: $\mathcal{B}$ runs $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK^*_{i-1}, m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i)$ to $\mathcal{A}$.

(f) Leakage queries $(f_i)$: $\mathcal{A}$ may adaptively launch a leakage query after each query to the delegation protocol, ordinary signing, or proxy signing oracle, that is, after one of these algorithms has taken the secret key $SK^*_{i-1}$ as input. $\mathcal{B}$ runs $\Lambda_i \leftarrow f_i(SK^{*+}_{i-1}, r_i)$; if $|\Lambda_i| \neq \lambda$ it returns $\bot$, else it returns $\Lambda_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs a forgery, which must be one of the following cases.

(1) Ordinary signature of $PK^*$: $(m^*, \Sigma^*)$. If $1 \leftarrow \mathrm{Vfy}^*(PK^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing queries, then output 1; else output 0.

(2) Proxy signature of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the last entry in $\mathbf{PK}$. If $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing queries, then output 1; else output 0.

(3) Proxy signature on behalf of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in $\mathbf{PK}$. If $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ has not queried the delegation-of-$SK^*_{i-1}$ oracle on input $(PK_{n+1}, W_{n+1})$ (that is, the $(n+1)$th entry in the list $\mathbf{PK}$), then output 1; else output 0.

We say that $\mathcal{A}$ wins the above experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$ if it outputs a valid forgery. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$. We say $\mathrm{SIG}^*$ is EU-CMLA secure if $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

Remark. In the model of EU-CMA-PKE, $\mathcal{A}$ is allowed to query a redelegation of a user's proxy key. However, we define the LRPS under the BPW transformation model (i.e., the user's proxy key is exactly its secret key), so in the model of EU-CMLA $\mathcal{A}$ can run the redelegation by itself, except for the redelegation of $SK^*_{i-1}$, which in this setting can be obtained from the delegation-of-$SK^*_{i-1}$ query. Similarly, $\mathcal{A}$ has no need for proxy key exposure queries.

4. Construction of Leakage-Resilient Proxy Signatures

In this section we present a concrete construction of the LRPS scheme $\mathrm{SIG}^*$ based on the FKPR signature scheme, which can be instantiated with any EU-CMTLA (existential unforgeability against chosen message and total leakage attacks) 3-time signature scheme $\mathrm{sig} = (\mathrm{kg}, \mathrm{sign}, \mathrm{vfy})$.

Before giving the detailed description of $\mathrm{SIG}^*$, we first introduce some notations for the tree-based (with depth $d \in \mathbb{N}$) signature. We denote the set of all bit strings of length at most $d$ (including the empty string $\varepsilon$) by $\{0,1\}^{\le d} = \bigcup_{i=1}^{d} \{0,1\}^i \cup \{\varepsilon\}$ (size $2^{d+1} - 1$). The left and right child of an internal node (or the root) $w \in \{0,1\}^{\le d-1}$ are denoted by $w\|0$ and $w\|1$, respectively, and $\mathrm{par}(w)$ denotes the parent node of $w$. The depth-first traversal algorithm can be used to traverse and label the tree. For a node $w \in \{0,1\}^{\le d} \setminus \{1^d\}$, we define the algorithm $\mathrm{DF}(w)$ as the node traversed after $w$ in the depth-first traversal, that is,

$$\mathrm{DF}(w) = \begin{cases} w\|0 & \text{if } |w| < d\ (w \text{ is the root or an internal node}),\\ w'\|1 & \text{if } |w| = d, \text{ where } w = w'\|0\|1^j\ (w \text{ is a leaf}). \end{cases} \tag{1}$$

When the depth-first algorithm traverses the binary tree, each node $w$ is associated with a secret-public key pair $(\mathrm{sk}_w, \mathrm{pk}_w)$ by invoking the kg algorithm of the underlying signature scheme sig. The following notations will be used in the latter part of this paper. Let $w = w_1 w_2 \cdots w_t$ be a bit string of length $t$.

(i) $\Gamma_w = ((\mathrm{pk}_w, \phi_w), \ldots, (\mathrm{pk}_{w_1 w_2}, \phi_{w_1 w_2}), (\mathrm{pk}_{w_1}, \phi_{w_1}))$ is a "signature path" from $w$ to the root; $\phi_{w'}$ is a signature of $010\|\mathrm{pk}_{w'}$ under its parent's key $\mathrm{sk}_{\mathrm{par}(w')}$, that is, $\phi_{w'} \xleftarrow{\$} \mathrm{sign}(\mathrm{sk}_{\mathrm{par}(w')}, 010\|\mathrm{pk}_{w'})$.

(ii) $S_w = \{\mathrm{sk}_{w_1 w_2 \cdots w_i} \mid w_{i+1} = 0\}$ is a subset of the secret keys on the path from the root $\varepsilon$ to the node $w$: $\mathrm{sk}_{w'} \in S_w$ if and only if the path goes to the left child $w'\|0$ at the node $w'$. (The reason is that in this case the right child $w'\|1$ of the node $w'$ will be traversed after the node $w$ under the depth-first traversal. Consequently, we need the secret key $\mathrm{sk}_{w'}$ of the node $w'$ to sign the public key $\mathrm{pk}_{w'1}$ of its right child $w'\|1$.)

The stateful secret key of the scheme $\mathrm{SIG}^*$ will have the form $(w, S_w, \Gamma_w)$ (i.e., the stacks $S_w$ and $\Gamma_w$ keep track of the state, that is, the node $w$). For a stack $S$, define the following three algorithms:

(1) $\mathrm{push}(S, a)$: put the element $a$ on the stack $S$;

(2) $a \leftarrow \mathrm{pop}(S)$: remove the topmost element from the stack $S$ and assign it to $a$;

(3) $\mathrm{trash}(S)$: remove the topmost element from the stack $S$.

4.1. Construction. To avoid trivial attacks against this scheme, we use the idea of Boldyreva et al. [13]: attach a 3-bit string as the prefix of the text that will be signed, namely 111 (text used to compute ordinary signatures), 010 (text used to compute signature paths), 100 (text used to compute delegation certificates), and 101 (text used to compute proxy signatures), respectively. The LRPS scheme $\mathrm{SIG}^*$ is constructed as follows.

(i) $\mathrm{Kg}^*(1^k)$: $(\mathrm{sk}_\varepsilon, \mathrm{pk}_\varepsilon) \xleftarrow{\$} \mathrm{kg}(1^k)$; $S_\varepsilon = \{\mathrm{sk}_\varepsilon\}$; $\Gamma_\varepsilon = \emptyset$; $SK_\varepsilon = (\varepsilon, S_\varepsilon, \Gamma_\varepsilon)$; $PK = \mathrm{pk}_\varepsilon$; return $(SK_\varepsilon, PK)$.

(ii) $\mathrm{Sign}^*(SK_w, m)$ (to ease exposition, the signing process of the root $\varepsilon$, i.e., $\sigma \xleftarrow{\$} \mathrm{sign}(\mathrm{sk}_\varepsilon, 111\|m)$, is not contained in this formal description):

$$\begin{array}{l}
\text{parse } SK_w = (w, S_w, \Gamma_w);\ \text{if } w = 1^d \text{ return } \bot;\\
w \leftarrow \mathrm{DF}(w);\ (\mathrm{sk}_w, \mathrm{pk}_w) \xleftarrow{\$} \mathrm{kg}(1^k);\\
\sigma \xleftarrow{\$} \mathrm{sign}(\mathrm{sk}_w, 111\|m);\ \mathrm{sk}_{\mathrm{par}(w)} \leftarrow \mathrm{pop}(S_w);\ \phi_w \xleftarrow{\$} \mathrm{sign}(\mathrm{sk}_{\mathrm{par}(w)}, 010\|\mathrm{pk}_w);\\
\text{if } w_{|w|} = 0:\ S_w \leftarrow \mathrm{push}(S_w, \mathrm{sk}_{\mathrm{par}(w)});\\
\text{if } |w| < d:\ S_w \leftarrow \mathrm{push}(S_w, \mathrm{sk}_w);\\
\text{if the node left in the DF step was a leaf } w'\|0\|1^j \text{ (i.e., had length } d\text{)}:\ \text{for } i = 1, \ldots, j+1 \text{ do } \mathrm{trash}(\Gamma_w);\\
\Gamma_w \leftarrow \mathrm{push}(\Gamma_w, (\mathrm{pk}_w, \phi_w));\ \Sigma = (\sigma, \Gamma_w);\ SK_w = (w, S_w, \Gamma_w);\ \text{return } (\Sigma, SK_w).
\end{array} \tag{2}$$

(iii) $\mathrm{Vfy}^*(PK, m, \Sigma)$: parse $\Sigma = (\sigma, \Gamma_{w_1 w_2 \cdots w_{|w|}})$; $\mathrm{pk}_\varepsilon = PK$; for $i = 1, \ldots, |w|$ do: if $0 \leftarrow \mathrm{vfy}(\mathrm{pk}_{w_1 \cdots w_{i-1}}, 010\|\mathrm{pk}_{w_1 \cdots w_i}, \phi_{w_1 \cdots w_i})$ return 0; else return $\mathrm{vfy}(\mathrm{pk}_{w_1 w_2 \cdots w_{|w|}}, 111\|m, \sigma)$.

(iv) $\mathrm{Del}^*(SK_{D,(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$: $D$ runs $(\mathrm{cert}_j, SK_{D,i}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{D,(i-1)}, 100\|PK_P\|j\|W_j)$ and then sends $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j, \mathrm{cert}_j)$ to $P$.

(v) $\mathrm{PKg}^*(SK_{P,(i'-1)}, PK_P, PK_D)$: $P$ first checks the validity of the delegation certificates: for $k = 1, \ldots, j$ do: if $0 \leftarrow \mathrm{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$, it returns $\bot$ and rejects this delegation; otherwise it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W_j)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}_j)$ and finally sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)})$.

If someone whose key pair is $(SK_{SD,(i-1)}, PK_{SD})$ wants to designate itself as a proxy, it runs $(SK'_{P,0}, PK'_P) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$ to generate a fresh key pair as the proxy key, creates a certificate $(\mathrm{cert}', SK_{SD,i}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{SD,(i-1)}, 100\|PK'_P\|0\|W')$, and then does

$$\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK'_P),\quad \mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W'),\quad \mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}'); \tag{3}$$

finally it sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK'_{P,0})$.

(vi) $\mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i-1)}, m)$: $(\Sigma, SK_{P,i}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{P,(i-1)}, 101\|m)$, and output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$.

(vii) $\mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates: for $k = 1, \ldots, j$ do: if $0 \leftarrow \mathrm{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$ return 0; else return $\mathrm{Vfy}^*(PK_j, 101\|m, P\Sigma)$.

Upper Bound on the Number of Messages That Can Be Signed. For a fixed signing key, in both schemes, FKPR and $\mathrm{SIG}^*$, the upper bound on the number of messages that can be signed is $q = 2^{d+1} - 2$. We can see from the above construction that each node is used only once by the signing algorithm to sign a message. However, the key (with respect to the scheme sig) of any leaf can sign three times. Hence the upper bound on the number of messages that can be signed could be increased to $2^{d+2} - 4$, that is, double the previous upper bound, for the FKPR scheme as well.
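The construction of Section 4.1 run end to end, as an added example that is not the paper's code: the DF traversal of equation (1), the stack-based Sign*/Vfy* with the 111 and 010 prefixes, and the Del*/PKg*/PSign*/PVfy* proxy layer with the 100 and 101 prefixes, exercised for a client that delegates to a mobile agent. The underlying 3-time scheme sig = (kg, sign, vfy) is an assumed stand-in (three hash-based Lamport one-time keys per node, so only SHA-256 is needed); having PKg* also check the certificate it has just received is a choice of this example, and the warrant text is constructed. `demo(d)` returns the verification results of a genuine and of a tampered proxy signature together with the number of ordinary signatures one depth-$d$ key yields before Sign* returns $\bot$, which is the bound $q = 2^{d+1} - 2$ stated above.

```python
# Added example, not the paper's code: Kg*/Sign*/Vfy* of Section 4.1 with the proxy layer
# Del*/PKg*/PSign*/PVfy* on top. The 3-time scheme sig=(kg,sign,vfy) is an assumed stand-in
# built from three hash-based Lamport one-time keys per node.
import hashlib, os

TIMES = 3  # a node signs one message and the public keys of its two children

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def _bits(text):  # 256 digest bits choosing which Lamport preimage to reveal
    d = H(text)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def kg():  # stand-in: TIMES Lamport keys, pk commits to all of them
    ots = []
    for _ in range(TIMES):
        sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
        ots.append((sk, H(*[H(a) + H(b) for a, b in sk])))
    return {"ots": ots, "used": 0}, H(*[pk for _, pk in ots])

def sign(sk, text):
    idx, sk["used"] = sk["used"], sk["used"] + 1
    if idx >= TIMES:
        raise ValueError("3-time key exhausted")
    reveal = [(x, H(y)) if b == 0 else (y, H(x))  # revealed preimage + other hash
              for b, (x, y) in zip(_bits(text), sk["ots"][idx][0])]
    return idx, reveal, [pk for _, pk in sk["ots"]]

def vfy(pk, text, sig):
    idx, reveal, pks = sig
    if H(*pks) != pk or not 0 <= idx < len(pks) or len(reveal) != 256:
        return 0
    rebuilt = [H(s) + o if b == 0 else o + H(s) for b, (s, o) in zip(_bits(text), reveal)]
    return int(H(*rebuilt) == pks[idx])

def DF(w, d):  # equation (1): w||0 below a non-leaf, w'||1 after the leaf w'||0||1^j
    return w + "0" if len(w) < d else w.rstrip("1")[:-1] + "1"

def Kg(d):  # state (w, S_w, Gamma_w): current node, key stack, signature path
    sk_root, pk_root = kg()
    return {"w": "", "S": [sk_root], "G": [], "d": d}, pk_root

def Sign(SK, m):  # equation (2); the root's own signing step is left out as in the paper
    w, S, G, d = SK["w"], SK["S"], SK["G"], SK["d"]
    if w == "1" * d: return None, SK             # tree exhausted: bottom
    if len(w) == d:                              # leaving leaf w'||0||1^j:
        del G[-(len(w) - len(w.rstrip("1")) + 1):]  # trash its j+1 path entries
    w = DF(w, d)
    sk_w, pk_w = kg()
    sigma = sign(sk_w, b"111" + m)               # prefix 111: ordinary signature
    sk_par = S.pop()
    phi_w = sign(sk_par, b"010" + pk_w)          # prefix 010: signature path
    if w[-1] == "0": S.append(sk_par)            # parent still has to certify w'||1
    if len(w) < d: S.append(sk_w)                # internal node certifies its children
    G.append((pk_w, phi_w))
    SK["w"] = w
    return (sigma, list(G)), SK

def Vfy(PK, m, Sigma):
    sigma, G = Sigma
    pk_par = PK
    for pk_w, phi_w in G:                        # walk the path root -> w
        if not vfy(pk_par, b"010" + pk_w, phi_w): return 0
        pk_par = pk_w
    return vfy(pk_par, b"111" + m, sigma)

def _chain_ok(PKs, Ws, Cs):  # cert_k certifies 100||PK_k||k||W_k under PK_(k-1)
    return all(Vfy(PKs[k - 1], b"100" + PKs[k] + bytes([k]) + Ws[k - 1], Cs[k - 1])
               for k in range(1, len(PKs)))

def Del(SK_D, PK_P, PKs, Ws, Cs, W_j):
    j = len(PKs)                                 # the new proxy becomes the j-th proxy
    cert_j, SK_D = Sign(SK_D, b"100" + PK_P + bytes([j]) + W_j)
    return (PKs, Ws, Cs, j, W_j, cert_j), SK_D

def PKg(SK_P, PK_P, PK_D, msg):
    PKs, Ws, Cs, j, W_j, cert_j = msg
    PKs, Ws, Cs = PKs + [PK_P], Ws + [W_j], Cs + [cert_j]
    if PKs[j - 1] != PK_D or not _chain_ok(PKs, Ws, Cs): return None  # reject
    return (PKs, Ws, Cs, j, SK_P)  # delegation information (fresh cert checked too: my choice)

def PSign(info, m):
    PKs, Ws, Cs, j, SK_P = info
    PSig, SK_P = Sign(SK_P, b"101" + m)          # prefix 101: proxy signature
    return (PKs, Ws, Cs, j, PSig), (PKs, Ws, Cs, j, SK_P)

def PVfy(PKs, Ws, Cs, j, m, PSig):
    if len(PKs) != j + 1 or not _chain_ok(PKs, Ws, Cs): return 0
    return Vfy(PKs[j], b"101" + m, PSig)

def demo(d):  # client delegates to its agent, the agent signs; then count one key's limit
    (SK0, PK0), (SK1, PK1) = Kg(d), Kg(d)
    msg, _ = Del(SK0, PK1, [PK0], [], [], b"warrant: one order")   # constructed warrant
    (PKs, Ws, Cs, j, PSig), _ = PSign(PKg(SK1, PK1, PK0, msg), b"order 42")
    SK, PK, n = *Kg(d), 0
    while (Sig := Sign(SK, b"m")[0]) is not None and Vfy(PK, b"m", Sig):
        n += 1
    return PVfy(PKs, Ws, Cs, j, b"order 42", PSig), PVfy(PKs, Ws, Cs, j, b"order 43", PSig), n
```

`demo(2)` returns `(1, 0, 6)`: the genuine proxy signature verifies, the tampered message does not, and a depth-2 key signs exactly $2^{3} - 2 = 6$ messages before the state reaches $1^d$. Note how `Sign` re-pushes the parent key only after a left child, which is exactly the $S_w$ invariant of Section 4, and how every secret key is used at most three times, which is why a 3-time underlying scheme suffices.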

We should stress here that there is a disadvantage of our scheme, which is based on a tree-based signature, compared to those constructed from an aggregate signature [13, 15]: in those schemes the verification of the delegation certificates can be executed in one step owing to the aggregability property of aggregate signatures [41].

42 Security We now analyze the security of the proposedLRPS scheme

Theorem 1 If the FKPR scheme (denoted by SIG) is EU-CMLA secure then the proxy signature scheme SIGlowast also isEU-CMLA secure

Our proof follows the line of Boldyreva et al. [13]. If there exists an EU-CMLA adversary A that breaks the security of the scheme SIG*, then we can construct a challenger B that breaks the security of the FKPR scheme SIG.

(i) Initially, B is given a challenge public key PK′ and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment Exp^{eu-cmla}_{SIG,B}. B sets PK* = PK′ as the challenge public key of the experiment Exp^{eu-cmla}_{SIG*,A}, sends it to A, and then plays the experiment with A.

(ii) A may adaptively ask B for the following.

(a) Delegation to SK*_{i-1}: (PK_D). B interacts with A through the delegation protocol by running PKg*(*, PK*, PK_D). When it is finished, B obtains the delegation information (PK′, W′, C′, j, *). B can run the PKg* algorithm even though it has no idea about SK*_{i-1}, because SK*_{i-1} is set as the proxy key of the challenge user; so upon completion B does not know the corresponding proxy key.

(b) Delegation from SK*_{i-1}: (PK_P, W_j). B interacts with A through the delegation protocol to generate a proxy key for PK_P. B makes the signing query SQ with input 00‖PK_P‖j‖W_j and is returned Σ. After the delegation protocol is finished, A obtains the delegation information (PK′, W′, C′, j, *), where PK_P ∈ PK′, W_j ∈ W′, and cert_j = Σ ∈ C′.

(c) Self-delegation of SK*_{i-1}: (W). B runs the delegation protocol to generate a proxy key of PK* for itself. B first runs (SK′_0, PK′) $← Kg* and then makes the signing query SQ with input 00‖PK′‖0‖W, which returns Σ. Finally B returns the delegation information (PK′, W′, C′, 0, SK′_0) and sends the delegation transcript to A, where PK′ ∈ PK′, W ∈ W′, and cert′ = Σ ∈ C′.

(d) Ordinary signing queries of SK*_{i-1}: (m_i). B makes the signing query SQ with input 11‖m_i and is returned the signature Σ. Finally B returns Σ to A.

(e) Proxy signing queries of SK*_{i-1}: (PK, W, C, j, m_i). B makes the signing query SQ with input 01‖m_i and is returned the signature Σ. Finally B returns (PK, W, C, j, PΣ = Σ) to A.

(f) Leakage queries: f_i. A may make a query f_i for leakage information after each delegation protocol, ordinary signing, or proxy signing query. To answer it, B makes the same query to LQ, which returns valid leakage information Λ_i, or ⊥ if f_i is illegal. Finally B returns it to A.

Remark. In the construction of the scheme SIG*, besides the Sign* algorithm there are two further algorithms that use the signing or proxy signing key, namely Del* and PSign*. However, they are in fact also signing algorithms, just run on differently tagged input text, so the leakage information answered by B (from LQ) is indistinguishable from what A obtains in the real interaction in the experiment Exp^{eu-cmla}_{SIG*,A}.

(iii) Finally, according to the assumption, A outputs a forgery for the challenge public key PK* with respect to the scheme SIG*. It must be one of the following cases. We now show how the challenger B translates A's forgery into a forgery with respect to the FKPR scheme SIG.

(1) Ordinary signature of PK*: (m*, Σ*).

8 Mobile Information Systems

If A outputs an ordinary signature (m*, Σ*) of PK*, then B outputs (11‖m*, Σ*).

(2) Proxy signature of PK*: (m*, (PK, W, C, j, PΣ*)), where PK* is the last entry in PK. If A outputs a proxy signature (m*, (PK, W, C, j, PΣ*)) of PK*, then B outputs (01‖m*, Σ*).

(3) Proxy signature on behalf of PK*: (m*, (PK, W, C, j, PΣ*)), where PK* is the n-th entry in the list PK. If A outputs a proxy signature (m*, (PK, W, C, j, PΣ*)) on behalf of PK*, then B outputs (00‖PK_{n+1}‖n+1‖W_n, cert_{n+1}).

Analysis of B. It is clear that the view of A answered by B in the above experiment is identical to what A obtains in the real interaction in the experiment Exp^{eu-cmla}_{SIG*,A}. We now show that any valid output of the adversary A can be translated into a valid forgery with respect to the FKPR scheme SIG.

(1) If A outputs an ordinary signature (m*, Σ*), then 1 ← Vfy*(PK*, m*, Σ*) and m* has not been submitted to the ordinary signing queries, so B has not made the signing query SQ with input 11‖m*. Therefore (11‖m*, Σ*) is a valid forgery with respect to the scheme SIG.

(2) If A outputs a proxy signature (m*, (PK, W, C, j, PΣ*)), then 1 ← PVfy*(PK, W, C, j, m*, PΣ*) and (PK, W, C, j, m*) has not been submitted to the proxy signing queries, so B has not made the signing query SQ with input 01‖m*. Therefore (01‖m*, PΣ*) is a valid forgery with respect to the scheme SIG.

(3) If A outputs a proxy signature on behalf of PK*, (m*, (PK, W, C, j, PΣ*)), where PK* is the n-th entry in PK, then 1 ← PVfy*(PK, W, C, j, m*, PΣ*) and A has not made the delegation-from-SK*_{i-1} query with input (PK_{n+1}, W_{n+1}) (the (n+1)-th entry in PK), so B has not made the signing query SQ with input 00‖PK_{n+1}‖n+1‖W_n. Therefore (00‖PK_{n+1}‖n+1‖W_n, cert_{n+1}) is a valid forgery with respect to the scheme SIG.

From the above analysis we see that the forgery output by the challenger B contradicts the security of the FKPR scheme SIG (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme SIG*.

5. Conclusion

In this paper, we design a leakage-resilient proxy signature scheme, the LRPS. To model the security of such schemes, we adapt the existing models for proxy signature schemes proposed by Schuldt et al. (PKC 2008) [15] and Boldyreva et al. (J. Cryptology 2012) [13] to the leakage-resilient setting and give an extended model, EU-CMLA, for LRPS schemes. Furthermore, we present a concrete construction based on the leakage-resilient signature scheme of Faust et al. (TCC 2010) [37]. This construction is provably secure under the given security model.

Appendices

We now show that the proxy signature scheme SIG* proposed in Section 4, which is based on the BPW transformation, can be used to produce a secure full construction (denoted by SIG**) of a proxy signature scheme.

A. Construction

As said before, to guarantee that no information about the user's long-term secret key is leaked if its proxy keys are exposed, it is better to let a proxy generate fresh and independent keys (PK, SK) in a delegation, create a certificate for PK, and keep SK as the proxy secret key; to record the proxy public keys of the proxies, a separate list FK is maintained to store them. The construction of the scheme SIG** = (Kg**, Sign**, Vfy**, ⟨Del**, PKg**⟩, PSign**, PVfy**) is as follows, where the algorithms Kg**, Sign**, and Vfy** are the same as the algorithms Kg*, Sign*, and Vfy* of the scheme SIG*, respectively. We stress that the following construction is based on the idea of Schuldt et al. [15]; their scheme is built on sequential aggregate signatures, whereas ours is built on a tree-based signature, and we focus on the realization of the leakage-resilient proxy signature.

In the scheme SIG*, the proxy's proxy key is in fact exactly its long-term secret key, and hence whether it delegates its own signing right or its proxy signing right to the next proxy, it takes as input its secret key to run the delegation algorithm Del*. In the full construction, however, the proxy's secret key and its proxy key are different and independent; thus when it delegates its own signing right to a proxy it takes as input its secret key, and when it delegates its proxy signing right to the next proxy it takes as input the proxy key. To describe these two cases uniformly, we use sk to denote the input to the Del** algorithm run by the delegator in the scheme SIG**. For ease of description we describe the stateful signing algorithm Sign** in a nonstateful formalization, and we write the single warrant of the current delegation as w to distinguish it from the list W.

(i) Del**(sk, PK_P, PK, FK, W, C, w): it is divided into the following two cases depending on (PK, W).

(a) If PK and W are empty (i.e., sk is a long-term secret key), the delegator constructs the lists PK = {PK_D, PK_P}, FK = ∅, and W = {w}. Then it computes cert $← Sign**(sk, 100‖PK‖FK‖W) and sends the delegation information (PK, FK, W, cert) to the proxy.

(b) If PK and W are not empty (i.e., sk is a proxy key), the delegator constructs the lists PK ← push(PK, PK_P) and W ← push(W, w). Then it computes cert $← Sign**(sk, 100‖PK‖FK‖W) and sends the delegation information (PK, FK, W, C, cert) to the proxy.

(ii) PKg**(SK_P, PK_P, PK_D): the proxy first checks the validity of the delegation certificates: for k = 1, ..., |C|, if 0 ← Vfy**(PK_{k-1}, 100‖PK‖FK‖W, cert_k), it returns ⊥ and rejects this delegation, where cert_k denotes the k-th entry in the list C. Otherwise it first generates a fresh proxy key pair (PK′_P, SK′_P) ← Kg**(1^k) and runs FK ← push(FK, PK′_P). Then it computes cert $← Sign**(SK_P, 100‖PK‖FK‖W). Finally it runs PK ← push(PK, PK_P), W ← push(W, w), C ← push(C, cert), sets PSK = (FK, cert, SK′_P), and outputs the delegation information (PK, W, C, PSK).

(iii) PSign**(PK, W, C, PSK, m): compute Σ $← Sign**(SK′_P, 101‖m) and output the proxy signature (PK, W, C, PΣ = Σ).

(iv) PVfy**(PK, FK, W, C, m, PΣ): the verifier first checks the validity of the delegation certificates: for k = 1, ..., |C|, it runs Vfy**(PK_{k-1}, 100‖PK‖FK‖W, cert_k) or Vfy**(PK′_{k-1}, 100‖PK‖FK‖W, cert_k), depending on whether the current certificate was generated by Del** or by PKg**, respectively. If all verifications pass, it returns Vfy**(PK′_P, 101‖m, PΣ).
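The full construction above, as an added example that is not part of the paper: a Python sketch of SIG** layered over a plain Schnorr signature on secp256k1. The underlying scheme is our assumption (the paper instantiates SIG with the FKPR tree-based scheme, and nothing here models leakage), so the sketch shows only the delegation layer: the lists PK, FK, W, C, the 100/101/111 tags, and the certificate chain. One reading choice of ours is that the verifier re-checks the k-th certificate against the prefixes of the lists as they stood when it was issued, which the notation of PVfy** leaves implicit. Key names, warrant strings, and the message are constructed for the example.

```python
"""Added example (not the paper's code): SIG**-shaped proxy signatures over Schnorr.
Assumptions: Schnorr on secp256k1 stands in for the FKPR scheme (no leakage model);
certificates are re-verified over the list prefixes they were issued over; the
point and warrant encodings below are ours."""
import hashlib
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:      lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    r = None                                   # double-and-add
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def enc(pt): return b"%064x%064x" % pt        # fixed-width hex encoding of a point
def H(*parts): return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N

# Underlying SIG = (Kg, Sign, Vfy): Schnorr, standing in for the FKPR scheme.
def kg():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)
def sign(sk, msg):
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    return (R, (r + H(enc(R), enc(ec_mul(sk, G)), msg) * sk) % N)
def verify(pk, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(H(enc(R), enc(pk), msg), pk))

# BPW layer: every signed string is tagged (100 delegation, 101 proxy, 111 ordinary).
def tagged(tag, *lists):
    return tag + b"#" + b"#".join(
        b",".join(enc(x) if isinstance(x, tuple) else x for x in lst) for lst in lists)
def ordinary_sign(sk, m): return sign(sk, b"111#" + m)
def ordinary_verify(pk, m, sig): return verify(pk, b"111#" + m, sig)
def start_chain(pk_D): return {"PK": [pk_D], "FK": [], "W": [], "C": []}

def delegate(sk_D, chain, pk_P, warrant):
    """Del**: sk_D is the long-term key at level 1, the delegator's fresh proxy key below."""
    c = {k: list(v) for k, v in chain.items()}
    c["PK"].append(pk_P); c["W"].append(warrant)
    c["C"].append(sign(sk_D, tagged(b"100", c["PK"], c["FK"], c["W"])))
    return c

def verify_chain(chain):
    """Check each certificate against the prefixes of PK/FK/W it was issued over."""
    PK, FK, W, C = chain["PK"], chain["FK"], chain["W"], chain["C"]
    if len(PK) != len(W) + 1 or not len(W) - 1 <= len(FK) <= len(W) or len(C) != len(W) + len(FK):
        return False
    ci = 0
    for k in range(1, len(W) + 1):
        signer = PK[0] if k == 1 else FK[k - 2]  # the level-k delegator's signing key
        if not verify(signer, tagged(b"100", PK[:k + 1], FK[:k - 1], W[:k]), C[ci]): return False
        ci += 1
        if k <= len(FK):                          # proxy's own binding certificate (PKg**)
            if not verify(PK[k], tagged(b"100", PK[:k + 1], FK[:k], W[:k]), C[ci]): return False
            ci += 1
    return True

def proxy_keygen(sk_P, pk_P, chain):
    """PKg**: verify the chain, then bind a fresh key pair to it with the proxy's long-term key."""
    if chain["PK"][-1] != pk_P or len(chain["FK"]) != len(chain["W"]) - 1 or not verify_chain(chain):
        return None
    sk_fresh, pk_fresh = kg()
    c = {k: list(v) for k, v in chain.items()}
    c["FK"].append(pk_fresh)
    c["C"].append(sign(sk_P, tagged(b"100", c["PK"], c["FK"], c["W"])))
    return c, sk_fresh                            # PSK = (FK, cert, SK'_P)

def proxy_sign(sk_fresh, m): return sign(sk_fresh, b"101#" + m)
def proxy_verify(chain, m, sig):
    return (len(chain["FK"]) == len(chain["W"]) and verify_chain(chain)
            and verify(chain["FK"][-1], b"101#" + m, sig))

def demo():
    """Constructed run: original signer -> proxy 1 -> proxy 2, then the checks a verifier makes."""
    sk0, pk0 = kg(); sk1, pk1 = kg(); sk2, pk2 = kg()
    c = delegate(sk0, start_chain(pk0), pk1, b"buy<=100EUR")
    c, psk1 = proxy_keygen(sk1, pk1, c)
    c = delegate(psk1, c, pk2, b"buy<=50EUR")      # redelegation signed with proxy 1's fresh key
    c, psk2 = proxy_keygen(sk2, pk2, c)
    m = b"order#17"; sig = proxy_sign(psk2, m)
    tampered = dict(c, W=c["W"][:1] + [b"buy<=5000EUR"])  # altered second warrant
    return {"valid": proxy_verify(c, m, sig),
            "warrant_tampered": proxy_verify(tampered, m, sig),
            "reused_as_ordinary": ordinary_verify(c["FK"][-1], m, sig),
            "under_long_term_key": ordinary_verify(pk2, m, sig),
            "ordinary_ok": ordinary_verify(pk0, m, ordinary_sign(sk0, m))}
```

demo() builds a two-level chain and returns what the tags and lists buy: a proxy signature verifies only under the fresh key bound into FK by the chain, it does not verify as an ordinary (111-tagged) signature under that key or under the proxy's long-term key, and it fails as soon as a warrant in W is altered, because the certificate that covered that warrant no longer verifies.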

B. Security

We now analyze the security of the scheme SIG**. The proof is roughly analogous to the proof for the scheme SIG*. However, because the proxy key is independent of the long-term secret key, we have to permit more queries to the adversary, such as redelegation of a user's proxy key. Here we adapt the security model EU-CMA-PKE of Schuldt et al. [15], which is the strongest notion for proxy signature schemes (cf. Section 4 of [15] for a detailed description), to the leakage-resilient setting and call the result EU-CMLA-PKE. In the presence of leakage we must decide which secret can be taken as input to the leakage function: the long-term secret key, the proxy key, or both. Our answer is both.

The detailed analysis is as follows.

Theorem B.1. The proxy signature scheme SIG** is EU-CMLA-PKE secure based on the security of the leakage-resilient FKPR signature scheme SIG.

We show that if there exists an EU-CMLA-PKE adversary A which can break the security of the scheme SIG**, then it can be used to construct a challenger B that breaks the security of the FKPR scheme SIG.

(I) Initially, B is given a challenge public key PK′ and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment Exp^{eu-cmla}_{SIG,B}. B first chooses a random bit c ← {0, 1}. If c = 0, B sets PK* = PK′ and SK* = ⊥ (B does not know the corresponding secret key). Otherwise, B generates a fresh key pair (PK*, SK*) ← Kg** and chooses a random i* ← {1, ..., q_d}, where q_d is the number of queries A makes to the delegation oracle; B will use PK′ instead of a fresh key in the i*-th delegation query by A. In both cases B sends PK* to A as the challenge public key of the experiment Exp^{eu-cmla-pke}_{SIG**,A}. Then it plays the experiment with A.

(II) A may adaptively ask B for the following. When a query by A needs a signing invocation with SK′ corresponding to PK′, B queries its own signing oracle SQ; we omit this implicit step in the rest of the proof. In addition, B maintains a set of lists PskList(·,·) which contains all proxy keys generated by B for the delegation chain with public keys PK and warrants W.

(i) Delegation to SK*: (PK, FK, W, C). If c = 0, or c = 1 and this is not the i*-th delegation query, then B first runs (PK, SK) ← Kg**(1^k), FK ← push(FK, PK), and sets SK_prx = SK. If c = 1 and this is the i*-th delegation query, B runs FK ← push(FK, PK′) and sets SK_prx = ⊥. Then B computes cert ← Sign**(SK_prx, 100‖PK‖FK‖W). Finally it stores PSK = (FK, cert, SK_prx) in PskList(PK, W).

(ii) Delegation from SK*: this query can be divided into the following three cases.

(a) Delegation of SK*: (PK_P, w). B sets PK = {PK*, PK_P}, FK = ∅, and W = {w}. Then it computes cert ← Sign**(SK*, 100‖PK‖FK‖W) and sets C = {cert}. Finally it returns the delegation information (PK, FK, W, C) to A.

(b) Redelegation of PSK: (PK, W, C, j, PK_P, w). B retrieves the j-th proxy key in PskList(PK, W) and parses it as (FK, cert, SK_prx). Then it runs PK ← push(PK, PK_P), W ← push(W, w), computes cert ← Sign**(SK_prx, 100‖PK‖FK‖W), and sets C ← push(C, cert). Finally it returns the delegation information (PK, FK, W, C) to A.

(c) Self-delegation of SK*: (PK, W, C, j, w).
(1) If PK and W are empty (i.e., self-delegation of SK*), B constructs PK = {PK*, PK*}, FK = ∅, and W = {w}, and sets SK_sel = SK* and cert_sel = ⊥.
(2) If PK and W are not empty (i.e., delegation of PSK), B retrieves the j-th proxy key in PskList(PK, W) and parses it as (FK, cert, SK_prx). Then it computes PK ← push(PK, PK*), W ← push(W, w), and sets SK_sel = SK_prx and cert_sel = cert.
B then computes cert ← Sign**(SK_sel, 100‖PK‖FK‖W). If c = 0, or c = 1 and this is not the i*-th delegation query, B first runs (PK, SK) ← Kg**(1^k) and constructs FK ← push(FK, PK). Otherwise B constructs FK ← push(FK, PK′) and sets SK = ⊥. Finally B computes cert ← Sign**(SK_sel, 100‖PK‖FK‖W) and C ← push(C, cert), stores the proxy key PSK = (FK, cert, SK) in PskList(PK, W), and sends the transcript (PK, FK, W, C) to A.

(iii) Ordinary signing queries of SK*: (m_i). B returns Sign**(SK*, 111‖m_i).

(iv) Proxy signing queries of SK*: (PK, W, C, j, m_i). B retrieves the j-th proxy key in PskList(PK, W) and parses it as (FK, cert, SK_prx). Then it computes PΣ ← PSign**(SK_prx, 101‖m_i) and returns (PK, W, C, (FK, PΣ)) to A.

(v) Proxy key exposure queries: (PK, W, j). B retrieves the j-th proxy key in PskList(PK, W) and parses it as (FK, cert, SK_prx). If SK_prx = ⊥, B aborts. Otherwise B returns (FK, cert, SK_prx) to A.

(vi) Leakage queries: f_i. A makes a query f_i for leakage information about the secret key sk (the randomness is also included here) after each delegation protocol, ordinary signing, or proxy signing query. If the secret key used was chosen by B, then B returns Λ_i = f_i(sk). Otherwise B makes the same query to its own leakage oracle LQ, which returns valid leakage information Λ_i, or ⊥ if f_i is illegal. Finally B returns it to A.

Remark. The secret state of A can be divided into two kinds: the first is chosen by B in the experiment, and the second is unknown to B, namely SK′ and the randomness used in the signing oracle SQ. For the first kind B can directly answer A by itself. For the second kind, as in the proof of Theorem 1, B can make the same query to its leakage oracle LQ.

(III) Finally, according to the assumption, A outputs a forgery for the challenge public key PK* (with respect to the scheme SIG**). It must be one of the following cases:

(1) an ordinary signature (m*, Σ*);
(2) a proxy signature (m*, (PK, W, C, (FK, PΣ*))) where the last key in FK was not generated by B;
(3) a proxy signature (m*, (PK, W, C, (FK, PΣ*))) where the (i* − 1)-th key in FK was not generated by B;
(4) a proxy signature (m*, (PK, W, C, (FK, PΣ*))) where the last key in FK was generated by B;
(5) a proxy signature (m*, (PK, W, C, (FK, PΣ*))) where the (i* − 1)-th key in FK was generated by B.

We now show how the challenger B translates A's forgery into a forgery with respect to the FKPR scheme SIG. If B has flipped c = 0, which means that PK* = PK′, then the first three cases correspond to forgeries in which A has forged a signature under the secret key SK′, and hence B can translate them into a forged signature for the scheme SIG, analogously to the proof of Theorem 1. If instead A outputs a forgery that belongs to the last two cases, B aborts.

If c = 1, which means that B set PK′ as the i*-th fresh proxy public key, then if A outputs a forgery that belongs to the first three cases, B aborts. Otherwise, the last two cases indicate that A has forged a signature under one of the keys generated by B in a delegation for which A has not received the corresponding secret key. In those two cases PΣ* is a valid signature under a key PK generated by B in some delegation query, that is, PK is the last key in the list FK of a proxy key (FK, cert, SK_prx) from some proxy key list PskList(·,·). Therefore, with probability 1/q_d, B has chosen the right i* such that PK = PK′. In this case B outputs PΣ* as a valid forgery under the key PK′ for the underlying signature scheme SIG.

From the above analysis we see that the challenger B outputs a forgery with nonnegligible probability, contradicting the security of the FKPR scheme SIG (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme SIG**.

Disclosure

An abstract of this paper has been presented in the proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, pp. 495–502, 2013 [42].

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 60970139), the Strategic Priority Program of Chinese Academy of Sciences (Grant no. XDA06010702), and the IIE's Cryptography Research Project. The authors would like to thank the anonymous reviewers for their helpful comments and suggestions.

References

[1] W. Farmer, J. Gutmann, and V. Swarup, "Security for mobile agents: authentication and state appraisal," in Computer Security – ESORICS 96, 4th European Symposium on Research in Computer Security, Rome, Italy, September 25–27, 1996, Proceedings, vol. 1146 of Lecture Notes in Computer Science, pp. 118–130, Springer, Berlin, Germany, 1996.

[2] P. Kotzanikolaous, G. Katsirelos, and V. Chrissikopoulos, "Mobile agents for secure electronic transactions," in Recent Advances in Signal Processing and Communications, pp. 363–368, World Scientific and Engineering Society Press, 1999.

[3] B. Lee, H. Kim, and K. Kim, "Secure mobile agent using strong non-designated proxy signature," in Information Security and Privacy, Proceedings of the 6th Australasian Conference (ACISP '01), Sydney, Australia, July 11–13, 2001, vol. 2119 of Lecture Notes in Computer Science, pp. 474–486, Springer, Berlin, Germany, 2001.

[4] B. Lee, H. Kim, and K. Kim, "Strong proxy signature and its applications," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '01), pp. 603–608, 2001.

[5] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, vol. 79, pp. 1338–1353, 1996.

[6] G. Allee, S. Pierre, R. H. Glitho, and A. El Rhazi, "An improved itinerary recording protocol for securing distributed architectures based on mobile agents," Mobile Information Systems, vol. 1, no. 2, pp. 129–147, 2005.

[7] R. Aversa, B. Di Martino, N. Mazzocca, and S. Venticinque, "A skeleton based programming paradigm for mobile multi-agents on distributed systems and its realization within the MAGDA mobile agents platform," Mobile Information Systems, vol. 4, no. 2, pp. 131–146, 2008.

[8] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[9] Y. Wang, D. S. Wong, and H. Wang, "Employ a mobile agent for making a payment," in Mobile Information Systems, vol. 4, pp. 51–68, IOS Press, 2008.

[10] S. Parvin, F. K. Hussain, and S. Ali, "A methodology to counter DoS attacks in mobile IP communication," Mobile Information Systems, vol. 8, no. 2, pp. 127–152, 2012.

[11] H. U. Park and I. Y. Lee, "A digital nominative proxy signature scheme for mobile communication," in Information and Communications Security, Third International Conference, ICICS 2001, Xi'an, China, November 13–16, 2001, Proceedings, vol. 2229 of Lecture Notes in Computer Science, pp. 451–455, Springer, Berlin, Germany, 2001.

[12] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," in Proceedings of the 1st International Conference on Information and Communication Security (ICICS '97), vol. 1334 of Lecture Notes in Computer Science, pp. 223–232, Springer, 1997.

[13] A. Boldyreva, A. Palacio, and B. Warinschi, "Secure proxy signature schemes for delegation of signing rights," Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.

[14] T. Malkin, S. Obana, and M. Yung, "The hierarchy of key evolving signatures and a characterization of proxy signatures," in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 306–322, Springer, Berlin, Germany, 2004.

[15] J. C. N. Schuldt, K. Matsuura, and K. G. Paterson, "Proxy signatures secure against key exposure," in Public Key Cryptography – PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008, Proceedings, vol. 4939 of Lecture Notes in Computer Science, pp. 141–161, Springer, Berlin, Germany, 2008.

[16] H. Wang and J. Pieprzyk, "Efficient one-time proxy signatures," in Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 507–522, Springer, Berlin, Germany, 2003.

[17] F. Zhang, R. Safavi-Naini, and C. Y. Lin, "New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairings," Report 2003/104, Cryptology ePrint Archive, 2003, http://eprint.iacr.org.

[18] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[19] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures for delegating signing operation," in Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), pp. 48–56, ACM, March 1996.

[20] J. Y. Lee, J. H. Cheon, and S. Kim, "An analysis of proxy signatures: is a secure channel necessary?," in Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco, Calif, USA, April 2003, Lecture Notes in Computer Science, pp. 68–79, Springer, 2003.

[21] Y. Dodis, J. Katz, S. Xu, and M. Yung, "Strong key-insulated signature schemes," in Public Key Cryptography – PKC 2003, vol. 2567 of Lecture Notes in Computer Science, pp. 130–144, Springer, Berlin, Germany, 2002.

[22] D. Brumley and D. Boneh, "Remote timing attacks are practical," Computer Networks, vol. 48, no. 5, pp. 701–716, 2005.

[23] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology – CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer, Berlin, Germany, 1999.

[24] E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Advances in Cryptology – CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 221–240, Springer, Berlin, Germany, 2008.

[25] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology – EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pp. 37–51, Springer, Berlin, Germany, 1997.

[26] S. Micali and L. Reyzin, "Physically observable cryptography," in Theory of Cryptography, Proceedings of the 1st Theory of Cryptography Conference (TCC '04), Cambridge, MA, USA, February 19–21, 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 278–296, Springer, Berlin, Germany, 2004.

[27] Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, "Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage," in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS '10), pp. 501–510, October 2010.

[28] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, "Cryptography against continuous memory attacks," in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 511–520, 2010.

[29] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology – EUROCRYPT '09, vol. 5479 of Lecture Notes in Computer Science, pp. 462–482, Springer, Berlin, Germany, 2009.

[30] S. Garg, A. Jain, and A. Sahai, "Leakage-resilient zero knowledge," in Advances in Cryptology – CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 297–315, Springer, Berlin, Germany, 2011.

[31] E. Kiltz and K. Pietrzak, "Leakage resilient ElGamal encryption," in Advances in Cryptology – ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 595–612, Springer, Berlin, Germany, 2010.

[32] M. Naor and G. Segev, "Public-key cryptosystems resilient to key leakage," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 18–35, Springer, Berlin, Germany, 2009.

[33] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, "Practical leakage-resilient identity-based encryption from simple assumptions," in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 152–161, ACM, October 2010.

[34] T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, "Identity-based encryption resilient to continual auxiliary leakage," in Advances in Cryptology – EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 117–134, Springer, Berlin, Germany, 2012.

[35] J. Alwen, Y. Dodis, and D. Wichs, "Leakage-resilient public-key cryptography in the bounded-retrieval model," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 36–54, Springer, 2009.

[36] E. Boyle, G. Segev, and D. Wichs, "Fully leakage-resilient signatures," in Advances in Cryptology – EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 89–108, Springer, Berlin, Germany, 2011.

[37] S. Faust, E. Kiltz, K. Pietrzak, and G. N. Rothblum, "Leakage-resilient signatures," in Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010, Proceedings, vol. 5978 of Lecture Notes in Computer Science, pp. 343–360, Springer, Berlin, Germany, 2010.

[38] J. Katz and V. Vaikuntanathan, "Signature schemes with bounded leakage resilience," in Advances in Cryptology – ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 703–720, Springer, Berlin, Germany, 2009.

[39] T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung, "Signatures resilient to continual leakage on memory and computation," in Proceedings of the 8th Theory of Cryptography Conference (TCC '11), vol. 6597 of Lecture Notes in Computer Science, pp. 89–106, Springer, Providence, RI, USA, 2011.

[40] F. Tang, H. Li, Q. Niu, and B. Liang, "Efficient leakage-resilient signature schemes in the generic bilinear group model," Report 2013/785, Cryptology ePrint Archive, 2013, http://eprint.iacr.org.

[41] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 416–432, Springer, Berlin, Germany, 2003.

[42] F. Tang, H. Li, Q. Niu, and B. Liang, "Leakage-resilient proxy signatures," in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 495–502, Xi'an, China, September 2013.


Page 4: Research Article Secure Mobile Agent from Leakage-Resilient Proxy Signatures (downloads.hindawi.com/journals/misy/2015/901418.pdf)

query. With the i-th signing query, the adversary A adaptively chooses any computable leakage function f_i : {0,1}* → {0,1}^λ for the leakage query and then obtains the output Λ_i of f_i, which takes as input the active part SK*+_{i-1} of the stateful secret key and the randomness r_i used in the signing phase.

Formally, the model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA) is defined by the following experiment Exp^{eu-cmla}_{SIG,A}, which is played by an EU-CMLA adversary A and a challenger B.

(i) B runs (SK*_0, PK*) $← Kg(1^k) and gives PK* to A.

(ii) A can adaptively ask B for the following:

(a) signing query SQ: m_i. B runs (Σ_i, SK*_i) $← Sign(SK*_{i-1}, m_i, r_i) and returns Σ_i to A;

(b) leakage query LQ: f_i. B runs Λ_i ← f_i(SK*+_{i-1}, r_i); if |Λ_i| ≠ λ then it returns ⊥, else it returns Λ_i to A.

(iii) At some point A outputs (m*, Σ*).

We say that A wins the above experiment Exp^{eu-cmla}_{SIG,A} if 1 ← Vfy(PK*, m*, Σ*) and m* was not submitted to the signing query. We denote the probability that A succeeds by Adv^{eu-cmla}_{SIG,A}. We say SIG is EU-CMLA secure if Adv^{eu-cmla}_{SIG,A} is negligible for every PPT adversary A.

3 Leakage-Resilient Proxy Signatures

As outlined in the Introduction there exists three entities in aproxy signature scheme an original signer a (or multi) proxysigner and a verifier A delegator whether it is the originalsigner or a proxy signer wants to delegate its signing rightwhether original signing is right (ie the delegator is theoriginal signer) or proxy signing is right (ie the delegatoris a proxy signer) to a proxy Finally the verifier can beconvinced with the original signerrsquos agreement on the signedmessage and the identities of the proxy signers from the proxysignatures

In the multilevel proxy model a delegation chain (original signer)-(1th proxy)-(2th proxy)-sdot sdot sdot -(119895th proxy)-sdot sdot sdot consists of an original signer and 119895 (or more) proxysigners To identify them we require a list PK of theirpublic keys in the proxy signatures

In the BPW transformation the delegator will sign itsproxyrsquos public key and corresponding warrant to obtain acertificate to generate the proxy key Therefore to verify thevalidity of the delegation it is also required that the proxysignatures contain a list W of the warrants and C of thecertificates of the delegations

3.1. Syntax. Formally, we define stateful proxy signatures (under the BPW transformation) as follows. $\mathrm{SIG}^* = (\mathrm{Kg}^*, \mathrm{Sign}^*, \mathrm{Vfy}^*, \langle \mathrm{Del}^*, \mathrm{PKg}^* \rangle, \mathrm{PSign}^*, \mathrm{PVfy}^*)$ is a stateful proxy signature scheme if the first three algorithms are the algorithms $\mathrm{Kg}$, $\mathrm{Sign}$ and $\mathrm{Vfy}$ of the scheme $\mathrm{SIG}$, respectively, and the latter three satisfy the following.

(i) $\langle \mathrm{Del}^*, \mathrm{PKg}^* \rangle$ is a pair of interactive PPT algorithms (the delegation protocol) by which a delegator $D$ with stateful key $(SK_{D,(i-1)}, PK_D)$ delegates its signing right to a proxy $P$ with stateful key pair $(SK_{P,(i'-1)}, PK_P)$.

(a) $\mathrm{Del}^*$ is run by the delegator with input $(SK_{D,(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$, where $\mathbf{PK}$, $\mathbf{W}$ and $\mathbf{C}$ are the lists of public keys, warrants and delegation certificates of the previous delegators, respectively; $j$ indicates that the current proxy is the $j$th proxy in the delegation chain ($j = 0$ means that the delegator is the original signer); and $W_j$ is the warrant for the current delegation.

(b) $\mathrm{PKg}^*$ is run by the proxy with input $(SK_{P,(i'-1)}, PK_P, PK_D)$ to generate its proxy key.

As a result of this interactive protocol, $\mathrm{Del}^*$ has no local output except the delegator's next stateful key $SK_{D,i}$. The local output of $\mathrm{PKg}^*$ is the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK_{P,(i'-1)})$, where $\mathbf{PK}'$, $\mathbf{W}'$ and $\mathbf{C}'$ are the lists of public keys, warrants and certificates of the delegation chain extended with the public key of the proxy and with the warrant and certificate of the current delegation, respectively. We write
$$(SK_{D,i},\ \mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK_{P,(i'-1)}) \xleftarrow{\$} \langle \mathrm{Del}^*(SK_{D,(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j),\ \mathrm{PKg}^*(SK_{P,(i'-1)}, PK_P, PK_D) \rangle .$$

(ii) $\mathrm{PSign}^*$ is a PPT algorithm run by a proxy that takes as input its delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)})$ and a message $m_i$, and outputs a proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i)$ on behalf of the delegator together with its next stateful key $SK_{P,i'}$. We write
$$(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i, SK_{P,i'}) \xleftarrow{\$} \mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)}, m_i) .$$

(iii) $\mathrm{PVfy}^*$ is a deterministic algorithm run by the verifier that takes as input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i, P\Sigma_i)$ and outputs 1 if the proxy signature is valid and 0 otherwise. We write
$$\{1, 0\} \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i, P\Sigma_i) .$$

In real-world applications a user's long-term secret key should be stored securely, so to guarantee that no information about the long-term key leaks when the proxy key is exposed, it is better to generate the proxy key independently of the long-term key. We call such a construction a full construction. There is a simple method to obtain a full construction from any BPW-transformed proxy signature scheme (cf. Section 5 of [15]):

(i) After obtaining the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)})$, the proxy first generates a fresh proxy key pair $(SK'_{P,0}, PK'_P) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$.

(ii) It computes $(\mathrm{cert}', SK_{P,i'}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{P,(i'-1)}, 00\,\|\,PK'_P\,\|\,0\,\|\,\mathrm{cert})$, where $\mathrm{cert} \in \mathbf{C}$ is the delegation certificate received from the delegator.

(iii) The new delegation information is $(\mathbf{PK}', \mathbf{W}, \mathbf{C}', j', SK'_{P,0})$, where $PK'_P \in \mathbf{PK}'$ and $\mathrm{cert}' \in \mathbf{C}'$; that is, the proxy signing key is now the fresh key $SK'_{P,0}$, and $\mathrm{cert}'$ binds it to the long-term key that received the delegation.


The concrete full construction of such a proxy signature scheme and the corresponding security analysis are presented in the Appendices.

3.2. Implementing a Secure Mobile Agent from a Proxy Signature Scheme. When we realize a mobile agent system from a secure proxy signature scheme, the clients are the delegators and the mobile agent is the proxy. A client and the agent together run the interactive delegation protocol to delegate the client's signing right to the agent; afterwards the agent can sign the specified messages on behalf of the client. A secure proxy signature scheme thus implies a secure mobile agent system, and a leakage-resilient proxy signature scheme implies a mobile agent system that is resilient to bounded information leakage in the (possibly hostile) remote server where the agent executes.

3.3. Security of Leakage-Resilient Proxy Signatures. We put forward the security model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA) for proxy signatures in the presence of leakage. It is defined by the following experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$, played by a challenger $\mathcal{B}$ and an EU-CMLA adversary $\mathcal{A}$ who controls the secret keys of all users except the challenge user.

(i) $\mathcal{B}$ runs $(SK^*_0, PK^*) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$ and gives $PK^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ for the following.

(a) Delegation to $SK^*_{i-1}$, on input $PK_D$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running $\mathrm{PKg}^*(SK^*_{i-1}, PK^*, PK_D)$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK^*_{i-1})$.

(b) Delegation of $SK^*_{i-1}$, on input $(PK_P, W_j)$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $PK_P$; $\mathcal{B}$ runs $\mathrm{Del}^*(SK^*_{i-1}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$. When it is finished, $\mathcal{B}$ returns the transcript of the delegation to $\mathcal{A}$.

(c) Self-delegation of $SK^*_{i-1}$, on input $W$: $\mathcal{B}$ first runs $(SK'_0, PK') \xleftarrow{\$} \mathrm{Kg}^*(1^k)$ and then runs the delegation protocol to generate a proxy key for the challenge user itself,
$$(SK^*_i, \mathbf{PK}', \mathbf{W}', \mathbf{C}', j', SK'_0) \xleftarrow{\$} \langle \mathrm{Del}^*(SK^*_{i-1}, PK', \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W),\ \mathrm{PKg}^*(SK'_0, PK', PK^*) \rangle .$$
When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j', SK'_0)$ and sends the transcript of the delegation to $\mathcal{A}$.

(d) Ordinary signing queries of $SK^*_{i-1}$, on input $m_i$: $\mathcal{B}$ runs $(\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{Sign}^*(SK^*_{i-1}, m_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(e) Proxy signing queries of $SK^*_{i-1}$, on input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$: $\mathcal{B}$ runs $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i, SK^*_i) \xleftarrow{\$} \mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK^*_{i-1}, m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i)$ to $\mathcal{A}$.

(f) Leakage queries $f_i$: $\mathcal{A}$ may adaptively issue a leakage query after each query to the delegation protocol, the ordinary signing oracle or the proxy signing oracle, that is, after each algorithm that has taken the secret key $SK^*_{i-1}$ as input. $\mathcal{B}$ computes $\Lambda_i \leftarrow f_i(SK^*_{i-1}, r_i)$, where $r_i$ is the randomness used in that invocation; if $|\Lambda_i| > \lambda$ it returns $\perp$, else it returns $\Lambda_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs a forgery, which must be one of the following cases.

(1) An ordinary signature of $PK^*$, $(m^*, \Sigma^*)$: if $1 \leftarrow \mathrm{Vfy}^*(PK^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing oracle, then output 1, else output 0.

(2) A proxy signature of $PK^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the last entry in $\mathbf{PK}$: if $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing oracle, then output 1, else output 0.

(3) A proxy signature on behalf of $PK^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in $\mathbf{PK}$: if $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ has not queried the delegation-of-$SK^*_{i-1}$ oracle on input $(PK_{n+1}, W_{n+1})$, i.e. the $(n+1)$th entry in $\mathbf{PK}$ with its warrant, then output 1, else output 0.

We say that $\mathcal{A}$ wins the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$ if it outputs a valid forgery. We denote the probability that $\mathcal{A}$ succeeds by $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$, and we say $\mathrm{SIG}^*$ is EU-CMLA secure if $\mathrm{Adv}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

Remark. In the model EU-CMA-PKE, $\mathcal{A}$ is allowed to query a redelegation of a user's proxy key. However, we define the LRPS under the BPW transformation (i.e. a user's proxy key is exactly its secret key), so in the EU-CMLA model $\mathcal{A}$ can run any redelegation by itself, except a redelegation of $SK^*_{i-1}$, which it can obtain from the delegation-of-$SK^*_{i-1}$ query. Similarly, $\mathcal{A}$ has no need for proxy key exposure queries in this setting.

4. Construction of Leakage-Resilient Proxy Signatures

In this section we present a concrete construction of the LRPS scheme $\mathrm{SIG}^*$ based on the FKPR signature scheme, which can be instantiated with any EU-CMTLA (existentially unforgeable against chosen message and total leakage attacks) 3-time signature scheme $\mathrm{sig} = (\mathrm{kg}, \mathrm{sign}, \mathrm{vfy})$.

Before giving the detailed description of $\mathrm{SIG}^*$, we first introduce some notation for the tree-based signature (with depth $d \in \mathbb{N}$). We denote the set of all bit strings of length at most $d$ (including the empty string $\varepsilon$) by $\{0,1\}^{\le d} = \bigcup_{i=1}^{d} \{0,1\}^i \cup \{\varepsilon\}$ (of size $2^{d+1} - 1$). The left and right children of an internal node (or of the root) $w \in \{0,1\}^{\le d-1}$ are denoted by $w\|0$ and $w\|1$, respectively, and $\mathrm{par}(w)$ denotes the parent of node $w$. A depth-first traversal is used to traverse and label the tree. For a node $w \in \{0,1\}^{\le d} \setminus \{1^d\}$ we define $\mathrm{DF}(w)$ as the node visited after $w$ in the depth-first traversal, that is,
$$\mathrm{DF}(w) = \begin{cases} w\|0 & \text{if } |w| < d \ (w \text{ is the root or an internal node}),\\ w'\|1 & \text{if } |w| = d \text{ and } w = w'\|0\|1^j \ (w \text{ is a leaf}). \end{cases} \qquad (1)$$

When the depth-first algorithm traverses the binary tree, each node $w$ is associated with a secret/public key pair $(\mathrm{sk}_w, \mathrm{pk}_w)$ generated by the $\mathrm{kg}$ algorithm of the underlying signature scheme $\mathrm{sig}$. The following notation will be used in the rest of the paper. Let $w = w_1 w_2 \cdots w_t$ be a bit string of length $t$.

(i) $\Gamma_w = \big((\mathrm{pk}_w, \phi_w), \ldots, (\mathrm{pk}_{w_1 w_2}, \phi_{w_1 w_2}), (\mathrm{pk}_{w_1}, \phi_{w_1})\big)$ is the "signature path" from $w$ to the root, where $\phi_{w'}$ is a signature on $010\|\mathrm{pk}_{w'}$ under the parent's key $\mathrm{sk}_{\mathrm{par}(w')}$, that is, $\phi_{w'} \xleftarrow{\$} \mathrm{sign}(\mathrm{sk}_{\mathrm{par}(w')}, 010\|\mathrm{pk}_{w'})$.

(ii) $S_w = \{\mathrm{sk}_{w_1 w_2 \cdots w_i} \mid w_{i+1} = 0\}$ is the subset of the secret keys on the path from the root $\varepsilon$ to node $w$ such that $\mathrm{sk}_{w'} \in S_w$ if and only if the path goes to the left child $w'\|0$ at node $w'$. (The reason is that in this case node $w'$'s right child $w'\|1$ will be visited after node $w$ in the depth-first traversal, so the secret key $\mathrm{sk}_{w'}$ is still needed to sign the public key $\mathrm{pk}_{w'\|1}$ of that right child.)

The stateful secret key of the scheme $\mathrm{SIG}^*$ has the form $(w, S_w, \Gamma_w)$; that is, the stacks $S_w$ and $\Gamma_w$ keep track of the state at node $w$. For a stack $S$ we define the following three operations:

(1) $\mathrm{push}(S, a)$: put element $a$ on top of stack $S$;
(2) $a \leftarrow \mathrm{pop}(S)$: remove the topmost element from stack $S$ and assign it to $a$;
(3) $\mathrm{trash}(S)$: remove the topmost element from stack $S$ and discard it.

4.1. Construction. To avoid trivial attacks against this scheme we use the idea of Boldyreva et al. [13] and attach a 3-bit domain-separation prefix to every string that is signed: $111$ for text signed as an ordinary signature, $010$ for text signed to extend a signature path, $100$ for text signed as a delegation certificate, and $101$ for text signed as a proxy signature. The LRPS scheme $\mathrm{SIG}^*$ is constructed as follows.

(i) $\mathrm{Kg}^*(1^k)$: $(\mathrm{sk}_\varepsilon, \mathrm{pk}_\varepsilon) \xleftarrow{\$} \mathrm{kg}(1^k)$; $S_\varepsilon = \{\mathrm{sk}_\varepsilon\}$; $\Gamma_\varepsilon = \emptyset$; $SK_\varepsilon = (w = \varepsilon, S_\varepsilon, \Gamma_\varepsilon)$; $PK = \mathrm{pk}_\varepsilon$; return $(SK_\varepsilon, PK)$.

(ii) $\mathrm{Sign}^*(SK_w, m)$ (to ease exposition, signing at the root $\varepsilon$ itself, i.e. $\sigma \xleftarrow{\$} \mathrm{sign}(\mathrm{sk}_\varepsilon, 111\|m)$, is not included in this description):

parse $SK_w = (w, S_w, \Gamma_w)$; if $w = 1^d$ return $\perp$ (the key is exhausted);
if $|w| = d$, write the current leaf as $w = w'\|0\|1^j$ and run $\mathrm{trash}(\Gamma_w)$ for $i = 1, \ldots, j+1$ (these are the path entries of the subtree rooted at $w'\|0$, which is now left for good);
$w \leftarrow \mathrm{DF}(w)$;
$(\mathrm{sk}_w, \mathrm{pk}_w) \xleftarrow{\$} \mathrm{kg}(1^k)$;
$\sigma \xleftarrow{\$} \mathrm{sign}(\mathrm{sk}_w, 111\|m)$;
$\mathrm{sk}_{\mathrm{par}(w)} \leftarrow \mathrm{pop}(S_w)$; $\phi_w \xleftarrow{\$} \mathrm{sign}(\mathrm{sk}_{\mathrm{par}(w)}, 010\|\mathrm{pk}_w)$;
if $w_{|w|} = 0$ then $\mathrm{push}(S_w, \mathrm{sk}_{\mathrm{par}(w)})$ (the parent still has to sign its right child);
if $|w| < d$ then $\mathrm{push}(S_w, \mathrm{sk}_w)$ (an internal node still has to sign its children);
$\mathrm{push}(\Gamma_w, (\mathrm{pk}_w, \phi_w))$;
$\Sigma = (\sigma, \Gamma_w)$; $SK_w = (w, S_w, \Gamma_w)$; return $(\Sigma, SK_w)$. $\qquad (2)$

(iii) $\mathrm{Vfy}^*(PK, m, \Sigma)$: parse $\Sigma = (\sigma, \Gamma_{w_1 w_2 \cdots w_{|w|}})$; set $\mathrm{pk}_\varepsilon = PK$; for $i = 1, \ldots, |w|$ do: if $0 \leftarrow \mathrm{vfy}(\mathrm{pk}_{w_1 \cdots w_{i-1}}, 010\|\mathrm{pk}_{w_1 \cdots w_i}, \phi_{w_1 \cdots w_i})$ return 0; finally return $\mathrm{vfy}(\mathrm{pk}_{w_1 w_2 \cdots w_{|w|}}, 111\|m, \sigma)$.

(iv) $\mathrm{Del}^*(SK_{D,(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$: $D$ runs $(\mathrm{cert}_j, SK_{D,i}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{D,(i-1)}, 100\|PK_P\|j\|W_j)$ and then sends $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j, \mathrm{cert}_j)$ to $P$.

(v) $\mathrm{PKg}^*(SK_{P,(i'-1)}, PK_P, PK_D)$: $P$ first checks the validity of the delegation certificates; for $k = 1, \ldots, j$ (where $PK_j = PK_P$, $W_j$ and $\mathrm{cert}_j$ belong to the current delegation) it does: if $0 \leftarrow \mathrm{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$, return $\perp$ and reject the delegation. Otherwise it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W_j)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}_j)$ and finally sets its delegation information to $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i'-1)})$.

If someone whose key pair is $(SK_{SD,(i-1)}, PK_{SD})$ wants to designate itself as a proxy (self-delegation), it runs $(SK'_{P,0}, PK'_P) \xleftarrow{\$} \mathrm{Kg}^*(1^k)$ to generate a fresh key pair as the proxy key, creates a certificate $(\mathrm{cert}', SK_{SD,i}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{SD,(i-1)}, 100\|PK'_P\|0\|W')$, and then does
$$\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK'_P), \quad \mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W'), \quad \mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}') . \qquad (3)$$
Finally it sets its delegation information to $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK'_{P,0})$.

(vi) $\mathrm{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P,(i-1)}, m)$: $(\Sigma, SK_{P,i}) \xleftarrow{\$} \mathrm{Sign}^*(SK_{P,(i-1)}, 101\|m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$.

(vii) $\mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates; for $k = 1, \ldots, j$ it does: if $0 \leftarrow \mathrm{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$ return 0. Otherwise it returns $\mathrm{Vfy}^*(PK_j, 101\|m, P\Sigma)$.

Upper Bound on the Number of Messages That Can Be Signed. For a fixed signing key, in both FKPR and $\mathrm{SIG}^*$ the upper bound on the number of messages that can be signed is $q = 2^{d+1} - 2$. From the above construction, each internal node's key is used for exactly one message by the signing algorithm (its other two uses certify its children), whereas the key of a leaf (a key of the scheme $\mathrm{sig}$) also signs only one message although it could sign three. Hence the upper bound could be raised to $2^{d+2} - 4$, that is, double the previous bound, for the FKPR scheme as well.
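As an added illustration (this is not code from the paper), the following Python sketch instantiates the stateful tree-based signature $\mathrm{SIG}^*$ of Section 4.1 (the traversal $\mathrm{DF}$, the stacks $S_w$ and $\Gamma_w$, and $\mathrm{Sign}^*$/$\mathrm{Vfy}^*$), the BPW delegation chain $\mathrm{Del}^*$, $\mathrm{PKg}^*$, $\mathrm{PSign}^*$, $\mathrm{PVfy}^*$ with the four 3-bit prefixes, and the mobile agent setting of Section 3.2 (client = delegator, agent = proxy). Everything below the prefixes is an assumption made for illustration: the underlying 3-time scheme $\mathrm{sig}$ is three Lamport one-time keys with a use counter (not FKPR's EU-CMTLA scheme, and with no leakage resilience of its own), the depth is $d = 2$, and the warrant, order message and keys are constructed sample data.

```python
import hashlib
import os

H = lambda b: hashlib.sha256(b).digest()
D = 2  # tree depth d; assumed small so the demo runs in well under a second
PRE_SIG, PRE_PATH, PRE_CERT, PRE_PSIG = b"111", b"010", b"100", b"101"  # Section 4.1 prefixes

# Stand-in 3-time scheme sig = (kg, sign, vfy): three Lamport one-time keys plus a use counter
# (an assumption for illustration, not the EU-CMTLA scheme that FKPR is instantiated with).
def kg():
    sk = [[(os.urandom(32), os.urandom(32)) for _ in range(256)] for _ in range(3)]
    return {"keys": sk, "used": 0}, tuple(tuple((H(a), H(b)) for a, b in key) for key in sk)
def sign(sk, msg):
    assert sk["used"] < 3, "3-time key exhausted"
    t, sk["used"] = sk["used"], sk["used"] + 1  # t selects which one-time key is consumed
    bits = int.from_bytes(H(msg), "big")
    return t, [sk["keys"][t][i][(bits >> (255 - i)) & 1] for i in range(256)]
def vfy(pk, msg, sig):
    t, pre = sig
    bits = int.from_bytes(H(msg), "big")
    return 0 <= t < 3 and all(H(pre[i]) == pk[t][i][(bits >> (255 - i)) & 1] for i in range(256))
def enc(pk):  # serialise a public key so it can be signed inside a path entry or a certificate
    return b"".join(h for key in pk for pair in key for h in pair)

# Tree-based stateful signature SIG* = (Kg*, Sign*, Vfy*); nodes are bit strings, the root is "".
def DF(w):  # next node in depth-first order: w||0 for root/internal w, w'||1 for a leaf w = w'||0||1^j
    return w + "0" if len(w) < D else w.rstrip("1")[:-1] + "1"
def Kg_star():
    sk_e, pk_e = kg()
    return {"w": "", "S": [sk_e], "Gamma": []}, pk_e  # state (w, S_w, Gamma_w) at the root

def Sign_star(SK, msg):
    w, S, Gamma = SK["w"], SK["S"], SK["Gamma"]
    if w == "1" * D:
        return None, SK  # the last leaf has been used: the key is exhausted
    if len(w) == D:  # leaving leaf w = w'||0||1^j: trash the j+1 path entries of that subtree
        j = len(w) - len(w.rstrip("1"))
        del Gamma[len(Gamma) - (j + 1):]
    w = DF(w)
    sk_w, pk_w = kg()
    sigma = sign(sk_w, PRE_SIG + msg)  # the fresh node signs the message
    sk_par = S.pop()
    phi_w = sign(sk_par, PRE_PATH + enc(pk_w))  # its parent certifies the fresh public key
    if w[-1] == "0": S.append(sk_par)  # the parent must later certify its right child as well
    if len(w) < D: S.append(sk_w)  # an internal node must later certify its own children
    Gamma.append((pk_w, phi_w))
    return (sigma, list(Gamma)), {"w": w, "S": S, "Gamma": Gamma}

def Vfy_star(PK, msg, Sigma):
    sigma, Gamma = Sigma
    pk_par = PK
    for pk_w, phi_w in Gamma:  # walk the signature path root -> w, link by link
        if not vfy(pk_par, PRE_PATH + enc(pk_w), phi_w):
            return False
        pk_par = pk_w
    return vfy(pk_par, PRE_SIG + msg, sigma)

# BPW delegation chain: PKs[0] is the original signer and PKs[k] the k-th proxy, certified by
# PKs[k-1] on the text 100 || PK_k || k || W_k (the certificate is an ordinary Sign* signature).
def cert_text(PKs, k, W):
    return PRE_CERT + enc(PKs[k]) + bytes([k]) + W
def check_chain(PKs, Ws, Cs):
    return all(Vfy_star(PKs[k - 1], cert_text(PKs, k, Ws[k - 1]), Cs[k - 1]) for k in range(1, len(PKs)))
def Del_star(SK_D, PK_P, PKs, Ws, Cs, W):
    PKs2 = PKs + [PK_P]
    cert, SK_D = Sign_star(SK_D, cert_text(PKs2, len(PKs), W))  # consumes one signing state of D
    return (PKs2, Ws + [W], Cs + [cert]), SK_D
def PKg_star(SK_P, PK_P, deleg):  # the proxy accepts only a fully valid chain that ends at itself
    PKs, Ws, Cs = deleg
    return (PKs, Ws, Cs, SK_P) if PKs[-1] == PK_P and check_chain(PKs, Ws, Cs) else None
def PSign_star(info, msg):
    PKs, Ws, Cs, SK_P = info
    PSig, SK_P = Sign_star(SK_P, PRE_PSIG + msg)
    return (PKs, Ws, Cs, PSig), (PKs, Ws, Cs, SK_P)
def PVfy_star(PKs, Ws, Cs, msg, PSig):
    return check_chain(PKs, Ws, Cs) and Vfy_star(PKs[-1], PRE_PSIG + msg, PSig)

def count_signatures():  # messages one stateful key signs before exhaustion; expected 2^(d+1) - 2
    SK, n = Kg_star()[0], 0
    while True:
        Sigma, SK = Sign_star(SK, b"x")
        if Sigma is None:
            return n
        n += 1

def demo():  # client (delegator) -> mobile agent (proxy); keys, warrant and order are constructed data
    SK_c, PK_c = Kg_star()
    SK_a, PK_a = Kg_star()
    order = b"order #1: 3 units"
    deleg, SK_c = Del_star(SK_c, PK_a, [PK_c], [], [], b"agent may sign purchase orders up to 100 EUR")
    info = PKg_star(SK_a, PK_a, deleg)
    (PKs, Ws, Cs, PSig), info = PSign_star(info, order)
    ordinary, _ = Sign_star(info[3], order)  # same agent key, but an ordinary (prefix 111) signature
    return {"proxy_ok": PVfy_star(PKs, Ws, Cs, order, PSig),
            "cross_prefix": PVfy_star(PKs, Ws, Cs, order, ordinary),  # a 111-signature is not a proxy one
            "bad_warrant": PVfy_star(PKs, [b"unlimited"], Cs, order, PSig)}
```

`demo()` returns three checks: the agent's proxy signature verifies against the chain; an ordinary signature produced by the very same agent key on the very same order is rejected as a proxy signature, which is exactly the domain separation the prefixes $111$ and $101$ are there for; and replacing the warrant invalidates the certificate chain. `count_signatures()` drives one stateful key to exhaustion and returns $2^{d+1} - 2$ signatures, matching the bound stated above, and each node's 3-time key is used at most three times (one message plus two child certificates), which is why the leaves, which sign only once, are the slack the text mentions.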

We should stress a disadvantage of our scheme, which is based on a tree-based signature, compared to the schemes built on aggregate signatures [13, 15]: in those schemes the delegation certificates of a chain can be verified in a single operation thanks to the aggregability of aggregate signatures [41], whereas here each certificate in the chain must be verified separately.

4.2. Security. We now analyze the security of the proposed LRPS scheme.

Theorem 1. If the FKPR scheme (denoted by $\mathrm{SIG}$) is EU-CMLA secure, then the proxy signature scheme $\mathrm{SIG}^*$ is also EU-CMLA secure.

Our proof follows the line of Boldyreva et al. [13]. If there exists an EU-CMLA adversary $\mathcal{A}$ that can break the security of the scheme $\mathrm{SIG}^*$, then we can construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme $\mathrm{SIG}$.

(i) Initially $\mathcal{B}$ is given a challenge public key and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{B}}$. $\mathcal{B}$ uses the challenge key directly as the challenge public key $PK^*$ of the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$, sends it to $\mathcal{A}$, and then plays the experiment with $\mathcal{A}$.

(ii) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following.

(a) Delegation to $SK^*_{i-1}$, on input $PK_D$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running $\mathrm{PKg}^*(*, PK^*, PK_D)$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$. $\mathcal{B}$ can run $\mathrm{PKg}^*$ without knowing $SK^*_{i-1}$, because $\mathrm{PKg}^*$ only verifies the certificates and extends the lists, and under the BPW transformation $SK^*_{i-1}$ itself becomes the proxy key of the challenge user; so upon completion $\mathcal{B}$ does not know the corresponding proxy key, and it does not need to.

(b) Delegation of $SK^*_{i-1}$, on input $(PK_P, W_j)$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $PK_P$. $\mathcal{B}$ makes the signing query SQ on input $100\|PK_P\|j\|W_j$ and receives $\Sigma$. After the delegation protocol is finished, $\mathcal{A}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$, where $PK_P \in \mathbf{PK}'$, $W_j \in \mathbf{W}'$ and $\mathrm{cert}_j = \Sigma \in \mathbf{C}'$.

(c) Self-delegation of $SK^*_{i-1}$, on input $W$: $\mathcal{B}$ runs the delegation protocol to generate a proxy key of $PK^*$ for itself. $\mathcal{B}$ first runs $(SK'_0, PK') \xleftarrow{\$} \mathrm{Kg}^*(1^k)$ and then makes the signing query SQ on input $100\|PK'\|0\|W$, receiving $\Sigma$. Finally $\mathcal{B}$ stores the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', 0, SK'_0)$ and sends the delegation transcript to $\mathcal{A}$, where $PK' \in \mathbf{PK}'$, $W \in \mathbf{W}'$ and $\mathrm{cert}' = \Sigma \in \mathbf{C}'$.

(d) Ordinary signing queries of $SK^*_{i-1}$, on input $m_i$: $\mathcal{B}$ makes the signing query SQ on input $111\|m_i$, receives the signature $\Sigma$, and returns $\Sigma$ to $\mathcal{A}$.

(e) Proxy signing queries of $SK^*_{i-1}$, on input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$: $\mathcal{B}$ makes the signing query SQ on input $101\|m_i$, receives the signature $\Sigma$, and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$ to $\mathcal{A}$.

(f) Leakage queries $f_i$: $\mathcal{A}$ may make a leakage query $f_i$ after each delegation protocol run, ordinary signing query or proxy signing query. To answer it, $\mathcal{B}$ makes the same query to LQ, receives either valid leakage $\Lambda_i$ or $\perp$ if $f_i$ is illegal, and forwards the answer to $\mathcal{A}$.

Remark. In the construction of $\mathrm{SIG}^*$, besides $\mathrm{Sign}^*$ there are two further algorithms that use the signing (or proxy signing) key, namely $\mathrm{Del}^*$ and $\mathrm{PSign}^*$. Both are just invocations of the signing algorithm on differently prefixed text, so the leakage $\mathcal{B}$ obtains from LQ is distributed exactly as what $\mathcal{A}$ would obtain in the real experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$.

(iii) Finally, by assumption $\mathcal{A}$ outputs a forgery for the challenge public key $PK^*$ with respect to the scheme $\mathrm{SIG}^*$, which must be one of the following cases. We show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme $\mathrm{SIG}$.

(1) An ordinary signature of $PK^*$, $(m^*, \Sigma^*)$: $\mathcal{B}$ outputs $(111\|m^*, \Sigma^*)$.

(2) A proxy signature of $PK^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the last entry in $\mathbf{PK}$: $\mathcal{B}$ outputs $(101\|m^*, P\Sigma^*)$.

(3) A proxy signature on behalf of $PK^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in the list $\mathbf{PK}$: $\mathcal{B}$ outputs $(100\|PK_{n+1}\|(n+1)\|W_{n+1}, \mathrm{cert}_{n+1})$.

Analysis of $\mathcal{B}$. It is clear that the view of $\mathcal{A}$ as answered by $\mathcal{B}$ in the above simulation is identical to what $\mathcal{A}$ obtains in the real experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*,\mathcal{A}}$. We now show that any valid output of the adversary $\mathcal{A}$ is translated into a valid forgery with respect to the FKPR scheme $\mathrm{SIG}$.

(1) If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$, then $1 \leftarrow \mathrm{Vfy}^*(PK^*, m^*, \Sigma^*)$ and $m^*$ was never submitted to the ordinary signing oracle, so $\mathcal{B}$ never made the signing query SQ on input $111\|m^*$. Therefore $(111\|m^*, \Sigma^*)$ is a valid forgery with respect to the scheme $\mathrm{SIG}$.

(2) If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, then $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ was never submitted to the proxy signing oracle, so $\mathcal{B}$ never made the signing query SQ on input $101\|m^*$. Therefore $(101\|m^*, P\Sigma^*)$ is a valid forgery with respect to the scheme $\mathrm{SIG}$.

(3) If $\mathcal{A}$ outputs a proxy signature on behalf of $PK^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in $\mathbf{PK}$, then $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ never queried the delegation-of-$SK^*_{i-1}$ oracle on input $(PK_{n+1}, W_{n+1})$ (the $(n+1)$th entry in $\mathbf{PK}$), so $\mathcal{B}$ never made the signing query SQ on input $100\|PK_{n+1}\|(n+1)\|W_{n+1}$. Since $\mathrm{PVfy}^*$ has verified $\mathrm{cert}_{n+1}$ under $PK_n = PK^*$, $(100\|PK_{n+1}\|(n+1)\|W_{n+1}, \mathrm{cert}_{n+1})$ is a valid forgery with respect to the scheme $\mathrm{SIG}$.

From the above analysis, whenever $\mathcal{A}$ wins, the challenger $\mathcal{B}$ outputs a valid forgery, which contradicts the security of the FKPR scheme $\mathrm{SIG}$ (cf. Theorem 1 of [37]) and thus proves the security of the LRPS scheme $\mathrm{SIG}^*$.

5. Conclusion

In this paper we designed a leakage-resilient proxy signature scheme, the LRPS. To model the security of such schemes, we adapted the existing models for proxy signature schemes proposed by Schuldt et al. (PKC 2008) [15] and Boldyreva et al. (J. Cryptology 2012) [13] to the leakage-resilient setting and gave the extended model EU-CMLA for LRPS schemes. Furthermore, we presented a concrete construction based on the leakage-resilient signature scheme of Faust et al. (TCC 2010) [37], which is provably secure in the given security model.

Appendices

We now show that the proxy signature scheme $\mathrm{SIG}^*$ of Section 4, which is based on the BPW transformation, can be used to produce a secure full construction (denoted by $\mathrm{SIG}^{**}$) of a proxy signature scheme.

A. Construction

As said before, to guarantee that no information about a user's long-term secret key leaks when its proxy keys are exposed, a proxy should generate a fresh and independent key pair $(PK, SK)$ in each delegation, create a certificate for $PK$, and keep $SK$ as its proxy secret key; to record the proxy public keys of the proxies, a separate list $\mathbf{FK}$ is maintained. The construction of the scheme $\mathrm{SIG}^{**} = (\mathrm{Kg}^{**}, \mathrm{Sign}^{**}, \mathrm{Vfy}^{**}, \langle \mathrm{Del}^{**}, \mathrm{PKg}^{**} \rangle, \mathrm{PSign}^{**}, \mathrm{PVfy}^{**})$ is as follows, where $\mathrm{Kg}^{**}$, $\mathrm{Sign}^{**}$ and $\mathrm{Vfy}^{**}$ are the same as $\mathrm{Kg}^*$, $\mathrm{Sign}^*$ and $\mathrm{Vfy}^*$ of the scheme $\mathrm{SIG}^*$, respectively. We stress that the following construction is based on the idea of Schuldt et al. [15]; their scheme is built on sequential aggregate signatures, whereas ours is built on a tree-based signature, and our focus is the realization of leakage resilience.

In the scheme $\mathrm{SIG}^*$ a proxy's proxy key is exactly its long-term secret key, so whether it delegates its own signing right or its proxy signing right to the next proxy, it runs the delegation algorithm $\mathrm{Del}^*$ with its secret key as input. In the full construction, however, a proxy's secret key and its proxy key are different and independent: when it delegates its own signing right it uses its secret key, and when it delegates its proxy signing right it uses the proxy key. To describe both cases uniformly, we use $\mathrm{sk}$ to denote the key given as input to the $\mathrm{Del}^{**}$ algorithm run by the delegator in $\mathrm{SIG}^{**}$. For ease of description, we write the stateful signing algorithm $\mathrm{Sign}^{**}$ in a non-stateful form below, omitting the updated key from its output.

(i) $\mathrm{Del}^{**}(\mathrm{sk}, PK_P, \mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, W)$: it is divided into the following two cases depending on $(\mathbf{PK}, \mathbf{W})$.

(a) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e. $\mathrm{sk}$ is a long-term secret key), the delegator constructs the lists $\mathbf{PK} = (PK_D, PK_P)$, $\mathbf{FK} = \emptyset$ and $\mathbf{W} = (W)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathrm{Sign}^{**}(\mathrm{sk}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathrm{cert})$ to the proxy.

(b) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e. $\mathrm{sk}$ is a proxy key), the delegator constructs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathrm{Sign}^{**}(\mathrm{sk}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, \mathrm{cert})$ to the proxy.

(ii) $\mathrm{PKg}^{**}(SK_P, PK_P, PK_D)$: the proxy first checks the validity of the delegation certificates; for $k = 1, \ldots, |\mathbf{C}|$ it does: if $0 \leftarrow \mathrm{Vfy}^{**}(PK_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$, return $\perp$ and reject the delegation, where $\mathrm{cert}_k$ denotes the $k$th entry in the list $\mathbf{C}$. Otherwise it first generates a fresh proxy key pair $(PK'_P, SK'_P) \leftarrow \mathrm{Kg}^{**}(1^k)$ and runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK'_P)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathrm{Sign}^{**}(SK_P, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. Finally it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, sets $PSK = (\mathbf{FK}, \mathrm{cert}, SK'_P)$ and outputs the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK)$.

(iii) $\mathrm{PSign}^{**}(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK, m)$: $\Sigma \xleftarrow{\$} \mathrm{Sign}^{**}(SK'_P, 101\|m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, P\Sigma = \Sigma)$.

(iv) $\mathrm{PVfy}^{**}(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates; for $k = 1, \ldots, |\mathbf{C}|$ it runs $\mathrm{Vfy}^{**}(PK_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$ or $\mathrm{Vfy}^{**}(PK'_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$, depending on whether the current certificate was generated by $\mathrm{Del}^{**}$ or by $\mathrm{PKg}^{**}$, respectively. If all verifications pass, it returns $\mathrm{Vfy}^{**}(PK'_P, 101\|m, P\Sigma)$, where $PK'_P$ is the last entry in $\mathbf{FK}$.

B. Security

We now analyze the security of the scheme $\mathrm{SIG}^{**}$. The proof is roughly analogous to that for the scheme $\mathrm{SIG}^*$; however, because the proxy key is independent of the long-term secret key, we have to permit more queries to the adversary, such as redelegation of a user's proxy key. Here we adapt Schuldt et al.'s [15] security model EU-CMA-PKE, the strongest notion for proxy signature schemes (cf. Section 4 of [15] for a detailed description), to the leakage-resilient setting, obtaining EU-CMLA-PKE. In the presence of leakage one must decide which secret may be taken as input to the leakage function: the long-term secret key, the proxy key, or both. Our answer is both.

The detailed analysis is as follows.

Theorem B.1. The proxy signature scheme $\mathrm{SIG}^{**}$ is EU-CMLA-PKE secure if the leakage-resilient FKPR signature scheme $\mathrm{SIG}$ is EU-CMLA secure.

We show that if there exists an EU-CMLA-PKE adversary $\mathcal{A}$ that can break the security of the scheme $\mathrm{SIG}^{**}$, then it can be used to construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme $\mathrm{SIG}$.

(I) Initially $\mathcal{B}$ is given a challenge public key $PK'$ and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG},\mathcal{B}}$. $\mathcal{B}$ first chooses a random bit $c \leftarrow \{0,1\}$. If $c = 0$, $\mathcal{B}$ sets $PK^* = PK'$ and $SK^* = \emptyset$ (unknown to $\mathcal{B}$). Otherwise $\mathcal{B}$ generates a fresh key pair $(PK^*, SK^*) \leftarrow \mathrm{Kg}^{**}(1^k)$ and chooses a random index $i^* \leftarrow \{1, \ldots, q_d\}$, where $q_d$ is the number of queries $\mathcal{A}$ makes to the delegation oracle; $\mathcal{B}$ will use $PK'$ instead of a fresh key in the $i^*$th delegation query of $\mathcal{A}$. In both cases $\mathcal{B}$ sends $PK^*$ to $\mathcal{A}$ as the challenge public key of the experiment $\mathrm{Exp}^{\text{eu-cmla-pke}}_{\mathrm{SIG}^{**},\mathcal{A}}$ and then plays the experiment with $\mathcal{A}$.

(II) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following. Whenever a query by $\mathcal{A}$ requires a signature under the secret key $SK'$ corresponding to $PK'$, $\mathcal{B}$ queries its own signing oracle SQ; we omit this implicit step in the rest of the proof. In addition, $\mathcal{B}$ maintains a family of lists $\mathrm{PskList}(\cdot, \cdot)$ containing all proxy keys generated by $\mathcal{B}$ for the delegation chain with public keys $\mathbf{PK}$ and warrants $\mathbf{W}$.

(i) Delegation to $SK^*$, on input $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$: if $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, then $\mathcal{B}$ first runs $(PK, SK) \leftarrow \mathrm{Kg}^{**}(1^k)$, $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$ and sets $SK_{\mathrm{prx}} = SK$. If $c = 1$ and this is the $i^*$th delegation query, $\mathcal{B}$ runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK')$ and sets $SK_{\mathrm{prx}} = \emptyset$. Then $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{\mathrm{prx}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and finally stores $PSK = (\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$.

(ii) Delegation from $SK^*$: this query is divided into the following three cases.

(a) Delegation of $SK^*$, on input $(PK_P, W)$: $\mathcal{B}$ sets $\mathbf{PK} = (PK^*, PK_P)$, $\mathbf{FK} = \emptyset$ and $\mathbf{W} = (W)$. Then it computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK^*, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sets $\mathbf{C} = (\mathrm{cert})$. Finally it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(b) Redelegation of $PSK$, on input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, PK_P, W)$: $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{\mathrm{prx}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sets $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$. Finally it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(c) Self-delegation of $SK^*$, on input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W)$:

(1) if $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e. self-delegation of $SK^*$ itself), $\mathcal{B}$ constructs $\mathbf{PK} = (PK^*, PK^*)$, $\mathbf{FK} = \emptyset$ and $\mathbf{W} = (W)$, and sets $SK_{\mathrm{sel}} = SK^*$ and $\mathrm{cert}_{\mathrm{sel}} = \emptyset$;

(2) if $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e. self-delegation of a proxy key $PSK$), $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$; then it computes $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK^*)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, and sets $SK_{\mathrm{sel}} = SK_{\mathrm{prx}}$ and $\mathrm{cert}_{\mathrm{sel}} = \mathrm{cert}$.

$\mathcal{B}$ then computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{\mathrm{sel}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, $\mathcal{B}$ first runs $(PK, SK) \leftarrow \mathrm{Kg}^{**}(1^k)$ and constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$; otherwise $\mathcal{B}$ constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK')$ and sets $SK = \emptyset$. Finally $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{\mathrm{sel}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, stores the proxy key $PSK = (\mathbf{FK}, \mathrm{cert}, SK)$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$, and sends the transcript $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(iii) Ordinary signing queries of $SK^*$, on input $m_i$: $\mathcal{B}$ returns $\mathrm{Sign}^{**}(SK^*, 111\|m_i)$.

(iv) Proxy signing queries of $SK^*$, on input $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$: $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$, parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$, computes $P\Sigma \leftarrow \mathrm{Sign}^{**}(SK_{\mathrm{prx}}, 101\|m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma))$ to $\mathcal{A}$.

(v) Proxy key exposure queries, on input $(\mathbf{PK}, \mathbf{W}, j)$: $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. If $SK_{\mathrm{prx}} = \emptyset$, $\mathcal{B}$ aborts; otherwise $\mathcal{B}$ returns $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ to $\mathcal{A}$.

(vi) Leakage queries $f_i$: $\mathcal{A}$ may query $f_i$ for leakage about the secret key $\mathrm{sk}$ that was used (the randomness is included as well) after each delegation protocol run, ordinary signing query or proxy signing query. If the secret key used was chosen by $\mathcal{B}$, then $\mathcal{B}$ returns $\Lambda_i = f_i(\mathrm{sk})$ itself. Otherwise $\mathcal{B}$ makes the same query to its own leakage oracle LQ, receives either valid leakage $\Lambda_i$ or $\perp$ if $f_i$ is illegal, and forwards the answer to $\mathcal{A}$.

Remark. The secret state that $\mathcal{A}$ may leak on is of two kinds: state chosen by $\mathcal{B}$ in the experiment, and state unknown to $\mathcal{B}$, namely $SK'$ and the randomness used by the signing oracle SQ. For the first kind $\mathcal{B}$ answers $\mathcal{A}$ directly by itself; for the second kind, as in the proof of Theorem 1, $\mathcal{B}$ makes the same query to its leakage oracle LQ.

(III) Finally, according to the assumption, $\mathcal{A}$ outputs a forgery for the challenging public key $PK^*$ (with respect to the scheme $SIG^{**}$). It must be one of the following cases:

(1) ordinary signature $(m^*, \Sigma^*)$;

(2) proxy signature $(m^*, (PK, W, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;

(3) proxy signature $(m^*, (PK, W, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;

(4) proxy signature $(m^*, (PK, W, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was generated by $\mathcal{B}$;

(5) proxy signature $(m^*, (PK, W, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was generated by $\mathcal{B}$.

We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme $SIG$. If $\mathcal{B}$ has flipped $c = 0$, which means that $PK^* = PK'$, then the first three cases correspond to forgeries in which $\mathcal{A}$ has forged a signature under the secret key $SK'$, and hence $\mathcal{B}$ can translate them into a forged signature for the scheme $SIG$, analogously to the proof of Theorem 1. Otherwise, if $\mathcal{A}$ outputs a forgery that belongs to the last two cases, $\mathcal{B}$ aborts.

If $c = 1$, which means that $\mathcal{B}$ has set $PK'$ as the $i^*$th fresh proxy public key, then if $\mathcal{A}$ outputs a forgery that belongs to the first three cases, $\mathcal{B}$ aborts. Otherwise, the last two cases indicate that $\mathcal{A}$ has forged a signature under one of the keys generated by $\mathcal{B}$ in a delegation but for which $\mathcal{A}$ has not received the corresponding secret key. In those two cases $P\Sigma^*$ is a valid signature under a key $PK$ generated by $\mathcal{B}$ in some delegation query, that is, $PK$ is the last key in the list $\mathbf{FK}$ of a proxy key $(\mathbf{FK}, cert, SK_{prx})$ from some proxy key list $\mathsf{PskList}(*, *)$. Therefore, with probability $1/q_d$, $\mathcal{B}$ has chosen the right $i^*$ such that $PK = PK'$. In this case $\mathcal{B}$ outputs $P\Sigma^*$ as a valid forgery under the key $PK'$ for the underlying signature scheme $SIG$.

From the above analysis we can see that the challenger $\mathcal{B}$ produces a forgery with nonnegligible probability, which contradicts the security of the FKPR scheme $SIG$ (cf. Theorem 1 of [37]), and this proves the security of the LRPS scheme $SIG^{**}$.

Disclosure

An abstract of this paper has been presented in the proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, pp. 495–502, 2013 [42].

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 60970139), the Strategic Priority Program of Chinese Academy of Sciences (Grant no. XDA06010702), and the IIE's Cryptography Research Project. The authors would like to thank the anonymous reviewers for their helpful comments and suggestions.

References

[1] W. Farmer, J. Gutmann, and V. Swarup, "Security for mobile agents: authentication and state appraisal," in Computer Security – ESORICS 96: 4th European Symposium on Research in Computer Security, Rome, Italy, September 25–27, 1996, Proceedings, vol. 1146 of Lecture Notes in Computer Science, pp. 118–130, Springer, Berlin, Germany, 1996.

[2] P. Kotzanikolaous, G. Katsirelos, and V. Chrissikopoulos, "Mobile agents for secure electronic transactions," in Recent Advances in Signal Processing and Communications, pp. 363–368, World Scientific and Engineering Society Press, 1999.

[3] B. Lee, H. Kim, and K. Kim, "Secure mobile agent using strong non-designated proxy signature," in Information Security and Privacy: Proceedings of the 6th Australasian Conference (ACISP '01), Sydney, Australia, July 11–13, 2001, vol. 2119 of Lecture Notes in Computer Science, pp. 474–486, Springer, Berlin, Germany, 2001.

[4] B. Lee, H. Kim, and K. Kim, "Strong proxy signature and its applications," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '01), pp. 603–608, 2001.

[5] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, vol. 79, pp. 1338–1353, 1996.

[6] G. Allee, S. Pierre, R. H. Glitho, and A. El Rhazi, "An improved itinerary recording protocol for securing distributed architectures based on mobile agents," Mobile Information Systems, vol. 1, no. 2, pp. 129–147, 2005.

[7] R. Aversa, B. Di Martino, N. Mazzocca, and S. Venticinque, "A skeleton based programming paradigm for mobile multi-agents on distributed systems and its realization within the MAGDA mobile agents platform," Mobile Information Systems, vol. 4, no. 2, pp. 131–146, 2008.

[8] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[9] Y. Wang, D. S. Wong, and H. Wang, "Employ a mobile agent for making a payment," in Mobile Information Systems, vol. 4, pp. 51–68, IOS Press, 2008.

[10] S. Parvin, F. K. Hussain, and S. Ali, "A methodology to counter DoS attacks in mobile IP communication," Mobile Information Systems, vol. 8, no. 2, pp. 127–152, 2012.

[11] H. U. Park and I. Y. Lee, "A digital nominative proxy signature scheme for mobile communication," in Information and Communications Security: Third International Conference, ICICS 2001, Xian, China, November 13–16, 2001, Proceedings, vol. 2229 of Lecture Notes in Computer Science, pp. 451–455, Springer, Berlin, Germany, 2001.

[12] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," in Proceedings of the 1st International Conference on Information and Communication Security (ICICS '97), vol. 1334 of Lecture Notes in Computer Science, pp. 223–232, Springer, 1997.

[13] A. Boldyreva, A. Palacio, and B. Warinschi, "Secure proxy signature schemes for delegation of signing rights," Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.

[14] T. Malkin, S. Obana, and M. Yung, "The hierarchy of key evolving signatures and a characterization of proxy signatures," in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 306–322, Springer, Berlin, Germany, 2004.

[15] J. C. N. Schuldt, K. Matsuura, and K. G. Paterson, "Proxy signature secure against key exposure," in Public Key Cryptography – PKC 2008: 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008, Proceedings, vol. 4939 of Lecture Notes in Computer Science, pp. 141–161, Springer, Berlin, Germany, 2008.

[16] H. Wang and J. Pieprzyk, "Efficient one-time proxy signatures," in Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 507–522, Springer, Berlin, Germany, 2003.

[17] F. Zhang, R. Safavi-Naini, and C. Y. Lin, "New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairings," Tech. Rep. 2003/104, Cryptology ePrint Archive, 2003, http://eprint.iacr.org/.

[18] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[19] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures for delegating signing operation," in Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), pp. 48–56, ACM, March 1996.

[20] J. Y. Lee, J. H. Cheon, and S. Kim, "An analysis of proxy signatures: is a secure channel necessary?" in Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco, Calif, USA, April 2003, Lecture Notes in Computer Science, pp. 68–79, Springer, 2003.

[21] Y. Dodis, J. Katz, S. Xu, and M. Yung, "Strong key-insulated signature schemes," in Public Key Cryptography – PKC 2003, vol. 2567 of Lecture Notes in Computer Science, pp. 130–144, Springer, Berlin, Germany, 2002.

[22] D. Brumley and D. Boneh, "Remote timing attacks are practical," Computer Networks, vol. 48, no. 5, pp. 701–716, 2005.

[23] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology – CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer, Berlin, Germany, 1999.

[24] E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Advances in Cryptology – CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 221–240, Springer, Berlin, Germany, 2008.

[25] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology – EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pp. 37–51, Springer, Berlin, Germany, 1997.

[26] S. Micali and L. Reyzin, "Physically observable cryptography," in Theory of Cryptography: Proceedings of the 1st Theory of Cryptography Conference (TCC '04), Cambridge, MA, USA, February 19–21, 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 278–296, Springer, Berlin, Germany, 2004.

[27] Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, "Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage," in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS '10), pp. 501–510, October 2010.

[28] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, "Cryptography against continuous memory attacks," in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 511–520, 2010.

[29] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology – EUROCRYPT '09, vol. 5479 of Lecture Notes in Computer Science, pp. 462–482, Springer, Berlin, Germany, 2009.

[30] S. Garg, A. Jain, and A. Sahai, "Leakage-resilient zero knowledge," in Advances in Cryptology – CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 297–315, Springer, Berlin, Germany, 2011.

[31] E. Kiltz and K. Pietrzak, "Leakage resilient ElGamal encryption," in Advances in Cryptology – ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 595–612, Springer, Berlin, Germany, 2010.

[32] M. Naor and G. Segev, "Public-key cryptosystems resilient to key leakage," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 18–35, Springer, Berlin, Germany, 2009.

[33] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, "Practical leakage-resilient identity-based encryption from simple assumptions," in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 152–161, ACM, October 2010.

[34] T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, "Identity-based encryption resilient to continual auxiliary leakage," in Advances in Cryptology – EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 117–134, Springer, Berlin, Germany, 2012.

[35] J. Alwen, Y. Dodis, and D. Wichs, "Leakage-resilient public-key cryptography in the bounded-retrieval model," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 36–54, Springer, 2009.

[36] E. Boyle, G. Segev, and D. Wichs, "Fully leakage-resilient signatures," in Advances in Cryptology – EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 89–108, Springer, Berlin, Germany, 2011.

[37] S. Faust, E. Kiltz, K. Pietrzak, and G. N. Rothblum, "Leakage-resilient signatures," in Theory of Cryptography: 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010, Proceedings, vol. 5978 of Lecture Notes in Computer Science, pp. 343–360, Springer, Berlin, Germany, 2010.

[38] J. Katz and V. Vaikuntanathan, "Signature schemes with bounded leakage resilience," in Advances in Cryptology – ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 703–720, Springer, Berlin, Germany, 2009.

[39] T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung, "Signatures resilient to continual leakage on memory and computation," in Proceedings of the 8th Theory of Cryptography Conference (TCC '11), vol. 6597 of Lecture Notes in Computer Science, pp. 89–106, Springer, Providence, RI, USA, 2011.

[40] F. Tang, H. Li, Q. Niu, and B. Liang, "Efficient leakage-resilient signature schemes in the generic bilinear group model," Cryptology ePrint Archive 2013/785, 2013, http://eprint.iacr.org/.

[41] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 416–432, Springer, Berlin, Germany, 2003.

[42] F. Tang, H. Li, Q. Niu, and B. Liang, "Leakage-resilient proxy signatures," in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 495–502, Xi'an, China, September 2013.


The concrete full construction of such a proxy signature scheme and the corresponding security analysis are presented in the Appendices.

3.2. Implement Secure Mobile Agent from Proxy Signature Scheme. When we realize a mobile agent system by using a secure proxy signature scheme, we let the clients be the delegators and let the mobile agent be the proxy. The clients and the agent then run the interactive delegation protocol together to delegate the client's signing right to the agent. Finally, the agent can sign some specified messages on behalf of the client. A secure proxy signature scheme implies a secure mobile agent system; similarly, a leakage-resilient proxy signature scheme means that the corresponding mobile agent system is resilient to some bounded information leakage.

3.3. Security of the Leakage-Resilient Proxy Signatures. We put forward the security model of existential unforgeability against adaptive chosen message and leakage attacks (EU-CMLA) for proxy signatures in the presence of leakage. It is defined by the following experiment $\mathsf{Exp}^{\text{eu-cmla}}_{SIG^*, \mathcal{A}}$, which is played by a challenger $\mathcal{B}$ and an EU-CMLA adversary $\mathcal{A}$ who controls all users' secret keys except that of the challenging user.

(i) $\mathcal{B}$ runs $(SK^*_0, PK^*) \xleftarrow{\$} \mathsf{Kg}^*(1^k)$ and gives $PK^*$ to $\mathcal{A}$.

(ii) $\mathcal{A}$ can adaptively ask $\mathcal{B}$ for the following:

(a) Delegation to $SK^*_{i-1}$: $PK_D$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running algorithm $\mathsf{PKg}^*(SK^*_{i-1}, PK^*, PK_D)$. When it is finished, $\mathcal{B}$ will obtain the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, SK^*_{i-1})$.

(b) Delegation of $SK^*_{i-1}$: $(PK_P, W_j)$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $PK_P$: $\mathcal{B}$ runs $\mathsf{Del}^*(SK^*_{i-1}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$. When it is finished, $\mathcal{B}$ returns the transcript of the delegation to $\mathcal{A}$.

(c) Self-delegation of $SK^*_{i-1}$: $W$. $\mathcal{B}$ first runs $(SK'_0, PK') \xleftarrow{\$} \mathsf{Kg}^*$ and then runs the delegation protocol to generate a proxy key to the challenging user itself:
\[
(SK^*_i, \mathbf{PK}', \mathbf{W}', \mathbf{C}', j', SK'_0) \xleftarrow{\$} \big\langle \mathsf{Del}^*(SK^*_{i-1}, PK', \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W),\ \mathsf{PKg}^*(SK'_0, PK', PK^*) \big\rangle .
\]
When it is finished, $\mathcal{B}$ will obtain the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j', SK'_0)$ and send the transcript of the delegation to $\mathcal{A}$.

(d) Ordinary signing queries of $SK^*_{i-1}$: $m_i$. $\mathcal{B}$ runs $(\Sigma_i, SK^*_i) \xleftarrow{\$} \mathsf{Sign}^*(SK^*_{i-1}, m_i)$ and returns $\Sigma_i$ to $\mathcal{A}$.

(e) Proxy signing queries of $SK^*_{i-1}$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ runs $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i, SK^*_i) \xleftarrow{\$} \mathsf{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK^*_{i-1}, m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma_i)$ to $\mathcal{A}$.

(f) Leakage queries: $f_i$. $\mathcal{A}$ may adaptively launch a leakage query after each query to the delegation protocol, ordinary signing, or proxy signing oracle, that is, after these algorithms have taken the secret key $SK^*_{i-1}$ as input. $\mathcal{B}$ runs $\Lambda_i \leftarrow f_i(SK^{*+}_{i-1}, r_i)$; if $|\Lambda_i| = \lambda$ then it returns $\perp$, else it returns $\Lambda_i$ to $\mathcal{A}$.

(iii) At some point $\mathcal{A}$ outputs a forgery, which must be one of the following cases:

(1) Ordinary signature of $PK^*$: $(m^*, \Sigma^*)$. If $1 \leftarrow \mathsf{Vrf}^*(PK^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing queries, then output 1; else output 0.

(2) Proxy signature of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the last entry in $\mathbf{PK}$. If $1 \leftarrow \mathsf{PVrf}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing queries, then output 1; else output 0.

(3) Proxy signature on behalf of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in $\mathbf{PK}$. If $1 \leftarrow \mathsf{PVrf}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ has not queried the delegation-of-$SK^*_{i-1}$ oracle on inputs $(PK_{n+1}, W_{n+1})$ (that is, the $(n+1)$th entry in the set $\mathbf{PK}$), then output 1; else output 0.

We say that $\mathcal{A}$ wins the above experiment $\mathsf{Exp}^{\text{eu-cmla}}_{SIG^*, \mathcal{A}}$ if it outputs a valid forgery. We denote the probability that $\mathcal{A}$ succeeds by $\mathsf{Adv}^{\text{eu-cmla}}_{SIG^*, \mathcal{A}}$. We say $SIG^*$ is EU-CMLA secure if $\mathsf{Adv}^{\text{eu-cmla}}_{SIG^*, \mathcal{A}}$ is negligible for every PPT adversary $\mathcal{A}$.

Remark. In the model of EU-CMA-PKE, $\mathcal{A}$ is allowed to query a redelegation of a user's proxy key. However, we define the LRPS under the BPW transformation model (i.e., the user's proxy key is exactly its secret key), so in the model of EU-CMLA $\mathcal{A}$ can run the redelegation by itself, except for the redelegation of $SK^*_{i-1}$, which in this setting can be obtained from the delegation-of-$SK^*_{i-1}$ query. Similarly, $\mathcal{A}$ has no need to make proxy key exposure queries.

4. Construction of Leakage-Resilient Proxy Signatures

In this section, we present a concrete construction of the LRPS scheme $SIG^*$ based on the FKPR signature scheme, which can be instantiated with any EU-CMTLA (existential unforgeability against chosen message and total leakage attacks) 3-time signature scheme $\mathsf{sig} = (\mathsf{kg}, \mathsf{sign}, \mathsf{vfy})$.

Before giving the detailed description of $SIG^*$, we first introduce some notation for the tree-based signature (with depth $d \in \mathbb{N}$). We denote the set of all bit strings of length at most $d$ (including the empty string $\varepsilon$) by $\{0,1\}^{\le d} = \bigcup_{i=1}^{d} \{0,1\}^i \cup \{\varepsilon\}$ (of size $2^{d+1} - 1$). The left and right children of an internal node (or the root) $w \in \{0,1\}^{\le d-1}$ are denoted by $w\,\|\,0$ and $w\,\|\,1$, respectively, and $\mathsf{par}(w)$ denotes the node $w$'s


parent node. A depth-first traversal algorithm can be used to traverse and label the tree. For a node $w \in \{0,1\}^{\le d} \setminus \{1^d\}$, we define the algorithm $\mathsf{DF}(w)$ as the node traversed after $w$ in the depth-first traversal, that is,

\[
\mathsf{DF}(w) =
\begin{cases}
w\,\|\,0 & \text{if } |w| < d \quad (w \text{ is the root or an internal node}), \\[2pt]
w'\,\|\,1 & \text{if } |w| = d, \text{ where } w = w'\,\|\,0\,\|\,1^j \quad (w \text{ is a leaf}).
\end{cases}
\tag{1}
\]

When the depth-first algorithm traverses the binary tree, each node $w$ is associated with a secret-public key pair $(sk_w, pk_w)$ obtained by invoking the $\mathsf{kg}$ algorithm of the underlying signature scheme $\mathsf{sig}$. The following notation will be used in the latter part of this paper. Let $w = w_1 w_2 \cdots w_t$ be a bit string of length $t$.

(i) $\Gamma_w = (pk_w, \phi_w), \ldots, (pk_{w_1 w_2}, \phi_{w_1 w_2}), (pk_{w_1}, \phi_{w_1})$ is a "signature path" from $w$ to the root; $\phi_{w'}$ is a signature on $010\,\|\,pk_{w'}$ under its parent's key $sk_{\mathsf{par}(w')}$, that is, $\phi_{w'} \xleftarrow{\$} \mathsf{sign}(sk_{\mathsf{par}(w')}, 010\,\|\,pk_{w'})$.

(ii) $S_w = \{ sk_{w_1 w_2 \cdots w_i} \mid w_{i+1} = 0 \}$ is a subset of the secret keys on the path from the root $\varepsilon$ to the node $w$: $sk_{w'} \in S_w$ if and only if the path goes to the left child $w'\,\|\,0$ at the node $w'$. (The reason is that in this case the node $w'$'s right child $w'\,\|\,1$ will be traversed after node $w$ under the depth-first traversal. Consequently, we need the secret key $sk_{w'}$ of node $w'$ to sign its right child $w'\,\|\,1$'s public key $pk_{w'\|1}$.)

The stateful secret key of the scheme $SIG^*$ will have the form $(w, S_w, \Gamma_w)$ (i.e., the stacks $S_w$ and $\Gamma_w$ are used to keep track of the state, or node, $w$). For a stack $S$ we define the following three algorithms:

(1) $\mathsf{push}(S, a)$: put the element $a$ on the stack $S$;

(2) $a \leftarrow \mathsf{pop}(S)$: remove the topmost element from the stack $S$ and assign it to $a$;

(3) $\mathsf{trash}(S)$: remove the topmost element from the stack $S$.

4.1. Construction. To avoid trivial attacks against this scheme, we use the idea of Boldyreva et al. [13] and attach a 3-bit string as the prefix of the text that will be signed, namely, 111 (text used to compute ordinary signatures), 010 (text used to compute signature paths), 100 (text used to compute delegation certificates), and 101 (text used to compute proxy signatures), respectively. The LRPS scheme $SIG^*$ is constructed as follows.

(i) $\mathsf{Kg}^*(1^k)$: $(sk_\varepsilon, pk_\varepsilon) \xleftarrow{\$} \mathsf{Kg}(1^k)$; $S_\varepsilon = \{sk_\varepsilon\}$; $\Gamma_\varepsilon = \emptyset$; $SK_\varepsilon = (w_\varepsilon, S_\varepsilon, \Gamma_\varepsilon)$; $PK = pk_\varepsilon$; return $(SK_\varepsilon, PK)$.

(ii) $\mathsf{Sign}^*(SK_w, m)$ (to ease exposition, the signing process of the root $\varepsilon$, i.e., $\sigma \xleftarrow{\$} \mathsf{sign}(sk_\varepsilon, 111\,\|\,m)$, is not contained in this formal description):

\[
\begin{array}{l}
\text{parse } SK_w = (w, S_w, \Gamma_w);\ \text{if } w = 1^d \text{ return } \perp;\ w \leftarrow \mathsf{DF}(w);\ (sk_w, pk_w) \xleftarrow{\$} \mathsf{Kg}(1^k); \\[2pt]
\sigma \xleftarrow{\$} \mathsf{sign}(sk_w, 111\,\|\,m);\ sk_{\mathsf{par}(w)} \leftarrow \mathsf{pop}(S_w);\ \phi_w \xleftarrow{\$} \mathsf{sign}(sk_{\mathsf{par}(w)}, 010\,\|\,pk_w); \\[2pt]
\text{if } w_{|w|} = 0:\ S_w \leftarrow \mathsf{push}(S_w, sk_{\mathsf{par}(w)}); \\[2pt]
\text{if } |w| < d:\ S_w \leftarrow \mathsf{push}(S_w, sk_w); \\[2pt]
\text{if } |w| = d,\ w = w'\,\|\,0\,\|\,1^j:\ \text{for } i = 1, \ldots, j+1 \text{ do } \mathsf{trash}(\Gamma_w); \\[2pt]
\Gamma_w \leftarrow \mathsf{push}(\Gamma_w, (pk_w, \phi_w));\ \Sigma = (\sigma, \Gamma_w);\ SK_w = (w, S_w, \Gamma_w);\ \text{return } (\Sigma, SK_w).
\end{array}
\tag{2}
\]

(iii) $\mathsf{Vfy}^*(PK, m, \Sigma)$: parse $\Sigma = (\sigma, \Gamma_{w_1 w_2 \cdots w_{|w|}})$; $pk_\varepsilon = PK$; for $i = 1, \ldots, |w|$ do: if $0 \leftarrow \mathsf{vfy}(pk_{w_1 \cdots w_{i-1}}, 010\,\|\,pk_{w_1 \cdots w_i}, \phi_{w_1 \cdots w_i})$ return 0; else return $\mathsf{vfy}(pk_{w_1 w_2 \cdots w_{|w|}}, 111\,\|\,m, \sigma)$.

(iv) $\mathsf{Del}^*(SK_{D(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$: $D$ runs $(cert_j, SK_{Di}) \xleftarrow{\$} \mathsf{Sign}^*(SK_{D(i-1)}, 100\,\|\,PK_P\,\|\,j\,\|\,W_j)$ and then sends $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j, cert_j)$ to $P$.

(v) $\mathsf{PKg}^*(SK_{P(i'-1)}, PK_P, PK_D)$: $P$ first checks the validity of the delegation certificates; for $k = 1, \ldots, j$ it does: if $0 \leftarrow \mathsf{Vfy}^*(PK_{k-1}, 100\,\|\,PK_k\,\|\,k\,\|\,W_k, cert_k)$, it returns $\perp$ and rejects this delegation; otherwise it runs $\mathbf{PK} \leftarrow \mathsf{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathsf{push}(\mathbf{W}, W_j)$, $\mathbf{C} \leftarrow \mathsf{push}(\mathbf{C}, cert_j)$, and finally sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P(i'-1)})$.

If someone whose key pair is $(SK_{SD(i-1)}, PK_{SD})$ wants to designate itself as a proxy, it runs $(SK'_{P0}, PK'_P) \xleftarrow{\$} \mathsf{Kg}^*(1^k)$ to generate a fresh key pair as the proxy key, creates a certificate $(cert', SK_{SDi}) \xleftarrow{\$} \mathsf{Sign}^*(SK_{SD(i-1)}, 100\,\|\,PK'_P\,\|\,0\,\|\,W')$, and then does

\[
\mathbf{PK} \leftarrow \mathsf{push}(\mathbf{PK}, PK'_P), \qquad
\mathbf{W} \leftarrow \mathsf{push}(\mathbf{W}, W'), \qquad
\mathbf{C} \leftarrow \mathsf{push}(\mathbf{C}, cert');
\tag{3}
\]


finally, it sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK'_{P0})$.

(vi) $\mathsf{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P(i-1)}, m)$: $(\Sigma, SK_{Pi}) \xleftarrow{\$} \mathsf{Sign}^*(SK_{P(i-1)}, 101\,\|\,m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$.

(vii) $\mathsf{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates; for $k = 1, \ldots, j$ it does: if $0 \leftarrow \mathsf{Vfy}^*(PK_{k-1}, 100\,\|\,PK_k\,\|\,k\,\|\,W_k, cert_k)$, return 0; else it returns $\mathsf{Vfy}^*(PK_j, 101\,\|\,m, P\Sigma)$.

Upper Bound on the Number of Messages That Can Be Signed. For a fixed signing key, in both the FKPR scheme and $SIG^*$ the upper bound on the number of messages that can be signed is $q = 2^{d+1} - 2$. We can see from the above construction that each internal node is used only once by the signing algorithm. However, the key (with respect to the scheme $\mathsf{sig}$) of any leaf can sign three times. Hence the upper bound on the number of messages that can be signed could be increased to $2^{d+2} - 4$, that is, double the previous upper bound, for the FKPR scheme as well.

We should stress here that our scheme, which is based on a tree-based signature, has a disadvantage compared to those constructed from aggregate signatures [13, 15]: in those schemes the verification of the delegation certificates can be executed all at once, thanks to the aggregability of aggregate signatures [41].

4.2. Security. We now analyze the security of the proposed LRPS scheme.

Theorem 1. If the FKPR scheme (denoted by $SIG$) is EU-CMLA secure, then the proxy signature scheme $SIG^*$ is also EU-CMLA secure.

Our proof line is similar to that of Boldyreva et al. [13]. If there exists an EU-CMLA adversary $\mathcal{A}$ that can break the security of the scheme $SIG^*$, then we can construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme $SIG$.

(i) Initially, $\mathcal{B}$ is given a challenging public key $PK'$ and can adaptively make signing queries ($\mathsf{SQ}$) and leakage queries ($\mathsf{LQ}$) in the experiment $\mathsf{Exp}^{\text{eu-cmla}}_{SIG, \mathcal{B}}$. $\mathcal{B}$ first sets $PK^* = PK'$ as the challenging public key of the experiment $\mathsf{Exp}^{\text{eu-cmla}}_{SIG^*, \mathcal{A}}$ and sends it to $\mathcal{A}$. Then it plays the experiment with $\mathcal{A}$.

(ii) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following:

(a) Delegation to $SK^*_{i-1}$: $PK_D$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running $\mathsf{PKg}^*(*, PK^*, PK_D)$. When it is finished, $\mathcal{B}$ will obtain the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$. $\mathcal{B}$ can run the $\mathsf{PKg}^*$ algorithm even though it knows nothing about $SK^*_{i-1}$, because $SK^*_{i-1}$ will be set as the proxy key of the challenging user, so upon completion $\mathcal{B}$ does not know the corresponding proxy key.

(b) Delegation from $SK^*_{i-1}$: $(PK_P, W_j)$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $PK_P$. $\mathcal{B}$ makes the signing query $\mathsf{SQ}$ with input $00\,\|\,PK_P\,\|\,j\,\|\,W_j$ and receives $\Sigma$ in return. After the delegation protocol is finished, $\mathcal{A}$ will obtain the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$, where $PK_P \in \mathbf{PK}'$, $W_j \in \mathbf{W}'$, and $cert_j = \Sigma \in \mathbf{C}'$.

(c) Self-delegation of $SK^*_{i-1}$: $W$. $\mathcal{B}$ runs the delegation protocol to generate a proxy key of $PK^*$ for itself. $\mathcal{B}$ first runs $(SK'_0, PK') \xleftarrow{\$} \mathsf{Kg}^*$ and then makes the signing query $\mathsf{SQ}$ with input $00\,\|\,PK'\,\|\,0\,\|\,W$, receiving $\Sigma$ in return. Finally, $\mathcal{B}$ will hold the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', 0, SK'_0)$ and sends the delegation transcripts to $\mathcal{A}$, where $PK' \in \mathbf{PK}'$, $W \in \mathbf{W}'$, and $cert' = \Sigma \in \mathbf{C}'$.

(d) Ordinary signing queries of $SK^*_{i-1}$: $m_i$. $\mathcal{B}$ makes the signing query $\mathsf{SQ}$ with input $11\,\|\,m_i$ and receives the signature $\Sigma$ in return. Finally, $\mathcal{B}$ returns $\Sigma$ to $\mathcal{A}$.

(e) Proxy signing queries of $SK^*_{i-1}$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ makes the signing query $\mathsf{SQ}$ with input $01\,\|\,m_i$ and receives the signature $\Sigma$ in return. Finally, $\mathcal{B}$ returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$ to $\mathcal{A}$.

(f) Leakage queries: $f_i$. $\mathcal{A}$ may make a query $f_i$ for leakage information after each delegation protocol, ordinary signing, or proxy signing query. To answer it, $\mathcal{B}$ makes the same query to $\mathsf{LQ}$, which returns either valid leakage information $\Lambda_i$ or $\perp$ if $f_i$ is illegal. Finally, $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. In the construction of the scheme $SIG^*$, besides the $\mathsf{Sign}^*$ algorithm there are two further algorithms that use the signing or proxy signing key, namely $\mathsf{Del}^*$ and $\mathsf{PSign}^*$. However, they are in fact also signing algorithms, just with different input text, so the leakage information answered by $\mathcal{B}$ (obtained from $\mathsf{LQ}$) is indistinguishable from what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathsf{Exp}^{\text{eu-cmla}}_{SIG^*, \mathcal{A}}$.

(iii) Finally, according to the assumption, $\mathcal{A}$ outputs a forgery for the challenging public key $PK^*$ with respect to the scheme $SIG^*$. It must be one of the following cases. We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme $SIG$.

(1) Ordinary signature of $PK^*$: $(m^*, \Sigma^*)$. If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$ of $PK^*$, then $\mathcal{B}$ outputs $(11\,\|\,m^*, \Sigma^*)$.

(2) Proxy signature of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the last entry in $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ of $PK^*$, then $\mathcal{B}$ outputs $(01\,\|\,m^*, \Sigma^*)$.

(3) Proxy signature on behalf of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in the list $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ on behalf of $PK^*$, then $\mathcal{B}$ outputs $(00\,\|\,PK_{n+1}\,\|\,n+1\,\|\,W_n, cert_{n+1})$.

Analysis of $\mathcal{B}$. It is clear that the view of $\mathcal{A}$ as answered by $\mathcal{B}$ in the above experiment is identical to what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathsf{Exp}^{\text{eu-cmla}}_{SIG^*, \mathcal{A}}$. We now show that any valid output of the adversary $\mathcal{A}$ can be translated into a valid forgery with respect to the FKPR scheme $SIG$.

(1) If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$ with $1 \leftarrow \mathsf{Vrf}^*(PK^*, m^*, \Sigma^*)$, then $m^*$ has not been submitted to the ordinary signing queries, so $\mathcal{B}$ has not made the signing query $\mathsf{SQ}$ with input $11\,\|\,m^*$. Therefore $(11\,\|\,m^*, \Sigma^*)$ is a valid forgery with respect to the scheme $SIG$.

(2) If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ with $1 \leftarrow \mathsf{PVrf}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$, then $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing queries, so $\mathcal{B}$ has not made the signing query $\mathsf{SQ}$ with input $01\,\|\,m^*$. Therefore $(01\,\|\,m^*, P\Sigma^*)$ is a valid forgery with respect to the scheme $SIG$.

(3) If $\mathcal{A}$ outputs a proxy signature on behalf of $PK^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in $\mathbf{PK}$ and $1 \leftarrow \mathsf{PVrf}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$, then $\mathcal{A}$ has not made the delegation-from-$SK^*_{i-1}$ query with input $(PK_{n+1}, W_{n+1})$ (the $(n+1)$th entry in $\mathbf{PK}$), so $\mathcal{B}$ has not made the signing query $\mathsf{SQ}$ with input $00\,\|\,PK_{n+1}\,\|\,n+1\,\|\,W_n$. Therefore $(00\,\|\,PK_{n+1}\,\|\,n+1\,\|\,W_n, cert_{n+1})$ is a valid forgery with respect to the scheme $SIG$.

From the above analysis we can see that the challengerBrsquos output of forgery is contradictory to the security of theFKPR scheme SIG (cf Theorem 1 of [37]) and thus provesthe security of the LRPS scheme SIGlowast

5. Conclusion

In this paper we design a leakage-resilient proxy signature scheme, the LRPS. To model the security of such schemes we adapt the existing models for proxy signature schemes proposed by Schuldt et al. (PKC 2008) [15] and Boldyreva et al. (J. Cryptology 2012) [13] to the leakage-resilient setting and give an extended model, EU-CMLA, for LRPS schemes. Furthermore, we present a concrete construction based on the leakage-resilient signature scheme of Faust et al. (TCC 2010) [37]. This construction is provably secure under the given security model.

Appendices

We now show that the proposed proxy signature scheme $\mathsf{SIG}^*$ of Section 4, which is based on the BPW transformation, can be used to produce a secure full construction (denoted by $\mathsf{SIG}^{**}$) of a proxy signature scheme.

A. Construction

As said before, to guarantee that no information about the user's long-term secret key is leaked if its proxy keys are exposed, a proxy should generate a fresh and independent key pair $(PK, SK)$ in each delegation, create a certificate for $PK$, and keep $SK$ as the proxy secret key; to record the proxy public keys of the proxies, a separate list $\mathbf{FK}$ is maintained to store them. The construction of the scheme $\mathsf{SIG}^{**} = (\mathsf{Kg}^{**}, \mathsf{Sign}^{**}, \mathsf{Vfy}^{**}, \langle \mathsf{Del}^{**}, \mathsf{PKg}^{**} \rangle, \mathsf{PSign}^{**}, \mathsf{PVfy}^{**})$ is as follows, where the algorithms $\mathsf{Kg}^{**}$, $\mathsf{Sign}^{**}$, and $\mathsf{Vfy}^{**}$ are the same as the algorithms $\mathsf{Kg}^*$, $\mathsf{Sign}^*$, and $\mathsf{Vfy}^*$ of the scheme $\mathsf{SIG}^*$, respectively. We should stress that the following construction follows the idea of Schuldt et al. [15]; their scheme is based on a sequential aggregate signature, whereas ours is based on a tree-based signature and focuses on realizing a leakage-resilient proxy signature.

In the scheme $\mathsf{SIG}^*$ the proxy's proxy key is in fact exactly its long-term secret key, and hence, whether it delegates its own signing right or a proxy signing right to the next proxy, it takes its secret key as the input to the delegation algorithm $\mathsf{Del}^*$. In the full construction, however, a proxy's secret key and its proxy key are different and independent: when it delegates its own signing right to a proxy it takes its secret key as input, and when it delegates a proxy signing right to the next proxy it takes the proxy key as input. To describe these two cases uniformly we use $sk$ to denote the input to the $\mathsf{Del}^{**}$ algorithm run by the delegator in the scheme $\mathsf{SIG}^{**}$. For ease of description, the stateful signing algorithm $\mathsf{Sign}^{**}$ is written below in a nonstateful formalization.

(i) $\mathsf{Del}^{**}(sk, PK_P, \mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, W)$: divided into the following two cases depending on $(\mathbf{PK}, \mathbf{W})$.

(a) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., $sk$ is a long-term secret key), the delegator constructs the lists $\mathbf{PK} = \{PK_D, PK_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(sk, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathrm{cert})$ to the proxy.

(b) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., $sk$ is a proxy key), the delegator constructs the lists $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(sk, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, \mathrm{cert})$ to the proxy.

(ii) $\mathsf{PKg}^{**}(SK_P, PK_P, PK_D)$: the proxy first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$, if $0 \leftarrow \mathsf{Vfy}^{**}(PK_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$ it returns $\perp$ and rejects the delegation, where $\mathrm{cert}_k$ denotes the $k$th entry of the list $\mathbf{C}$. Otherwise, it first generates a fresh proxy key pair $(PK'_P, SK'_P) \leftarrow \mathsf{Kg}^{**}(1^k)$ and runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK'_P)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(SK_P, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. Finally it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, and $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, sets $PSK = (\mathbf{FK}, \mathrm{cert}, SK'_P)$, and outputs the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK)$.

(iii) $\mathsf{PSign}^{**}(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK, m)$: $\Sigma \xleftarrow{\$} \mathsf{Sign}^{**}(SK'_P, 101\|m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, P\Sigma = \Sigma)$.

(iv) $\mathsf{PVfy}^{**}(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, m, P\Sigma)$: the verifier $V$ first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$ it runs $\mathsf{Vfy}^{**}(PK_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$ or $\mathsf{Vfy}^{**}(PK'_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathrm{cert}_k)$, depending on whether the current certificate was generated by $\mathsf{Del}^{**}$ or by $\mathsf{PKg}^{**}$, respectively. If all verifications pass, it returns $\mathsf{Vfy}^{**}(PK'_P, 101\|m, P\Sigma)$.

B. Security

We now analyze the security of the scheme $\mathsf{SIG}^{**}$. The proof is roughly analogous to the proof for the scheme $\mathsf{SIG}^*$. However, because the proxy key is independent of the long-term secret key, we have to permit more queries to the adversary, such as redelegation of a user's proxy key. Here we adapt Schuldt et al.'s [15] security model EU-CMA-PKE, which is the strongest notion for proxy signature schemes (cf. Section 4 of [15] for a detailed description), to the leakage-resilient setting, giving EU-CMLA-PKE. In the presence of leakage we must decide which secret may be taken as input to the leakage function: the long-term secret key, the proxy key, or both. Our answer is both.

The detailed analysis is as follows.

Theorem B.1. The proxy signature scheme $\mathsf{SIG}^{**}$ is EU-CMLA-PKE secure based on the security of the leakage-resilient FKPR signature scheme $\mathsf{SIG}$.

We show that if there exists an EU-CMLA-PKE adversary $\mathcal{A}$ which can break the security of the scheme $\mathsf{SIG}^{**}$, then it can be used to construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme $\mathsf{SIG}$.

(I) Initially, $\mathcal{B}$ is given a challenge public key $PK'$ and can adaptively make signing queries ($\mathrm{SQ}$) and leakage queries ($\mathrm{LQ}$) in the experiment $\mathbf{Exp}^{\mathrm{eu\text{-}cmla}}_{\mathsf{SIG},\mathcal{B}}$. $\mathcal{B}$ first chooses a random bit $c \leftarrow \{0,1\}$. If $c = 0$, $\mathcal{B}$ sets $PK^* = PK'$ and $SK^* = \emptyset$. Otherwise, $\mathcal{B}$ generates a fresh key pair $(PK^*, SK^*) \leftarrow \mathsf{Kg}^{**}$ and chooses a random index $i^* \leftarrow \{1, \ldots, q_d\}$, where $q_d$ is the number of queries $\mathcal{A}$ makes to the delegation oracle; $\mathcal{B}$ will use $PK'$ instead of a fresh key in the $i^*$th delegation query by $\mathcal{A}$. In both cases $\mathcal{B}$ sends $PK^*$ to $\mathcal{A}$ as the challenge public key of the experiment $\mathbf{Exp}^{\mathrm{eu\text{-}cmla\text{-}pke}}_{\mathsf{SIG}^{**},\mathcal{A}}$ and then plays the experiment with $\mathcal{A}$.

(II) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ the following queries. Whenever a query by $\mathcal{A}$ requires a signing invocation of the secret key $SK'$ corresponding to $PK'$, $\mathcal{B}$ queries its own signing oracle $\mathrm{SQ}$; we omit this implicit step in the rest of the proof. In addition, $\mathcal{B}$ maintains a set of lists $\mathrm{PskList}(\cdot, \cdot)$ containing all proxy keys generated by $\mathcal{B}$ for the delegation chain with public keys $\mathbf{PK}$ and warrants $\mathbf{W}$.

(i) Delegation to $SK^*$: $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$. If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, then $\mathcal{B}$ first runs $(PK, SK) \leftarrow \mathsf{Kg}^{**}(1^k)$ and $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$, and sets $SK_{\mathrm{prx}} = SK$. If $c = 1$ and this is the $i^*$th delegation query, $\mathcal{B}$ runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK')$ (the challenge key takes the place of the fresh proxy key, as fixed in step (I)) and sets $SK_{\mathrm{prx}} = \emptyset$. Then $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK_{\mathrm{prx}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. Finally it stores $PSK = (\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$.

(ii) Delegation from $SK^*$. This query is divided into the following three cases.

(a) Delegation of $SK^*$: $(PK_P, W)$. $\mathcal{B}$ sets $\mathbf{PK} = \{PK^*, PK_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK^*, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sets $\mathbf{C} = \{\mathrm{cert}\}$. Finally it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(b) Redelegation of $PSK$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, PK_P, W)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK_{\mathrm{prx}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$, and sets $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$. Finally it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(c) Self-delegation of $SK^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W)$.

(1) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., self-delegation of $SK^*$ itself), $\mathcal{B}$ constructs $\mathbf{PK} = \{PK^*, PK^*\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$, and sets $SK_{\mathrm{sel}} = SK^*$ and $\mathrm{cert}_{\mathrm{sel}} = \emptyset$.

(2) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., delegation of a proxy key $PSK$), $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it computes $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK^*)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, and sets $SK_{\mathrm{sel}} = SK_{\mathrm{prx}}$ and $\mathrm{cert}_{\mathrm{sel}} = \mathrm{cert}$.

$\mathcal{B}$ then computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK_{\mathrm{sel}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ (the $\mathsf{Del}^{**}$ side of the self-delegation). If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, $\mathcal{B}$ runs $(PK, SK) \leftarrow \mathsf{Kg}^{**}(1^k)$ and constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$. Otherwise $\mathcal{B}$ constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK')$ and sets $SK = \emptyset$. Finally $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(SK_{\mathrm{sel}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ over the updated $\mathbf{FK}$ (the $\mathsf{PKg}^{**}$ side) and $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, stores the proxy key $PSK = (\mathbf{FK}, \mathrm{cert}, SK)$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$, and sends the transcript $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(iii) Ordinary signing queries of $SK^*$: $m_i$. $\mathcal{B}$ returns $\mathsf{Sign}^{**}(SK^*, 111\|m_i)$.

(iv) Proxy signing queries of $SK^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it computes $P\Sigma \leftarrow \mathsf{PSign}^{**}(SK_{\mathrm{prx}}, 101\|m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma))$ to $\mathcal{A}$.

(v) Proxy key exposure queries: $(\mathbf{PK}, \mathbf{W}, j)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. If $SK_{\mathrm{prx}} = \emptyset$ (the exposed key would be the challenge key $SK'$, which $\mathcal{B}$ does not hold), $\mathcal{B}$ aborts. Otherwise $\mathcal{B}$ returns $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ to $\mathcal{A}$.

(vi) Leakage queries $f_i$. $\mathcal{A}$ makes a query $f_i$ for leakage information about the secret key $sk$ (the randomness is also included here) after each delegation protocol, ordinary signing, or proxy signing query. If the secret key used was chosen by $\mathcal{B}$, then $\mathcal{B}$ returns $\Lambda_i = f_i(sk)$. Otherwise $\mathcal{B}$ makes the same query to its own leakage oracle $\mathrm{LQ}$, which returns valid leakage information $\Lambda_i$, or $\perp$ if $f_i$ is illegal. Finally $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. The secret state visible to $\mathcal{A}$ can be divided into two kinds: the first is the state chosen by $\mathcal{B}$ in the experiment, and the second is the state unknown to $\mathcal{B}$, that is, $SK'$ and the randomness used in the signing oracle $\mathrm{SQ}$. For the first kind $\mathcal{B}$ can answer $\mathcal{A}$ directly by itself. For the second kind, as in the proof of Theorem 1, $\mathcal{B}$ can make the same query to its leakage oracle $\mathrm{LQ}$.

(III) Finally, by assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $PK^*$ (with respect to the scheme $\mathsf{SIG}^{**}$). It must be one of the following cases:

(1) an ordinary signature $(m^*, \Sigma^*)$;
(2) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;
(3) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;
(4) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was generated by $\mathcal{B}$;
(5) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was generated by $\mathcal{B}$.

We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme $\mathsf{SIG}$. If $\mathcal{B}$ flipped $c = 0$, which means that $PK^* = PK'$, then the first three cases correspond to forgeries where $\mathcal{A}$ has forged a signature under the secret key $SK'$, and hence $\mathcal{B}$ can translate them into a forged signature for the scheme $\mathsf{SIG}$ exactly as in the proof of Theorem 1. Otherwise, if $\mathcal{A}$ outputs a forgery belonging to the last two cases, $\mathcal{B}$ aborts.

If $c = 1$, which means that $\mathcal{B}$ has placed $PK'$ as the $i^*$th fresh proxy public key, then if $\mathcal{A}$ outputs a forgery belonging to the first three cases $\mathcal{B}$ aborts. Otherwise, the last two cases indicate that $\mathcal{A}$ has forged a signature under one of the keys generated by $\mathcal{B}$ in a delegation for which $\mathcal{A}$ has not received the corresponding secret key. In those two cases $P\Sigma^*$ is a valid signature under a key $PK$ generated by $\mathcal{B}$ in some delegation query, that is, $PK$ is the last key in the list $\mathbf{FK}$ of a proxy key $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ from some list $\mathrm{PskList}(\cdot, \cdot)$. Therefore, with probability $1/q_d$, $\mathcal{B}$ has chosen the right $i^*$ such that $PK = PK'$. In this case $\mathcal{B}$ outputs $P\Sigma^*$ as a valid forgery under the key $PK'$ for the underlying signature scheme $\mathsf{SIG}$.

From the above analysis, the challenger $\mathcal{B}$ produces a forgery with non-negligible probability, which contradicts the security of the FKPR scheme $\mathsf{SIG}$ (cf. Theorem 1 of [37]) and thus proves the security of the LRPS scheme $\mathsf{SIG}^{**}$.

Disclosure

An abstract of this paper has been presented in the proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, pp. 495–502, 2013 [42].

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 60970139), the Strategic Priority Program of Chinese Academy of Sciences (Grant no. XDA06010702), and the IIE's Cryptography Research Project. The authors would like to thank the anonymous reviewers for their helpful comments and suggestions.

References

[1] W. Farmer, J. Gutmann, and V. Swarup, "Security for mobile agents: authentication and state appraisal," in Computer Security – ESORICS 96, 4th European Symposium on Research in Computer Security, Rome, Italy, September 25–27, 1996, Proceedings, vol. 1146 of Lecture Notes in Computer Science, pp. 118–130, Springer, Berlin, Germany, 1996.

[2] P. Kotzanikolaous, G. Katsirelos, and V. Chrissikopoulos, "Mobile agents for secure electronic transactions," in Recent Advances in Signal Processing and Communications, pp. 363–368, World Scientific and Engineering Society Press, 1999.

[3] B. Lee, H. Kim, and K. Kim, "Secure mobile agent using strong non-designated proxy signature," in Information Security and Privacy: Proceedings of the 6th Australasian Conference (ACISP '01), Sydney, Australia, July 11–13, 2001, vol. 2119 of Lecture Notes in Computer Science, pp. 474–486, Springer, Berlin, Germany, 2001.

[4] B. Lee, H. Kim, and K. Kim, "Strong proxy signature and its applications," in Proceedings of the Symposium on Cryptography and Information Security (SCIS 01), pp. 603–608, 2001.

[5] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, vol. 79, pp. 1338–1353, 1996.

[6] G. Allee, S. Pierre, R. H. Glitho, and A. El Rhazi, "An improved itinerary recording protocol for securing distributed architectures based on mobile agents," Mobile Information Systems, vol. 1, no. 2, pp. 129–147, 2005.

[7] R. Aversa, B. Di Martino, N. Mazzocca, and S. Venticinque, "A skeleton based programming paradigm for mobile multi-agents on distributed systems and its realization within the MAGDA mobile agents platform," Mobile Information Systems, vol. 4, no. 2, pp. 131–146, 2008.

[8] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[9] Y. Wang, D. S. Wong, and H. Wang, "Employ a mobile agent for making a payment," Mobile Information Systems, vol. 4, pp. 51–68, IOS Press, 2008.

[10] S. Parvin, F. K. Hussain, and S. Ali, "A methodology to counter DoS attacks in mobile IP communication," Mobile Information Systems, vol. 8, no. 2, pp. 127–152, 2012.

[11] H. U. Park and I. Y. Lee, "A digital nominative proxy signature scheme for mobile communication," in Information and Communications Security: Third International Conference, ICICS 2001, Xian, China, November 13–16, 2001, Proceedings, vol. 2229 of Lecture Notes in Computer Science, pp. 451–455, Springer, Berlin, Germany, 2001.

[12] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," in Proceedings of the 1st International Conference on Information and Communication Security (ICICS '97), vol. 1334 of Lecture Notes in Computer Science, pp. 223–232, Springer, 1997.

[13] A. Boldyreva, A. Palacio, and B. Warinschi, "Secure proxy signature schemes for delegation of signing rights," Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.

[14] T. Malkin, S. Obana, and M. Yung, "The hierarchy of key evolving signatures and a characterization of proxy signatures," in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 306–322, Springer, Berlin, Germany, 2004.

[15] J. C. N. Schuldt, K. Matsuura, and K. G. Paterson, "Proxy signatures secure against key exposure," in Public Key Cryptography – PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008, Proceedings, vol. 4939 of Lecture Notes in Computer Science, pp. 141–161, Springer, Berlin, Germany, 2008.

[16] H. Wang and J. Pieprzyk, "Efficient one-time proxy signatures," in Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 507–522, Springer, Berlin, Germany, 2003.

[17] F. Zhang, R. Safavi-Naini, and C. Y. Lin, "New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairings," Tech. Rep. 2003/104, Cryptology ePrint Archive, 2003, http://eprint.iacr.org.

[18] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[19] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures for delegating signing operation," in Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), pp. 48–56, ACM, March 1996.

[20] J. Y. Lee, J. H. Cheon, and S. Kim, "An analysis of proxy signatures: is a secure channel necessary?" in Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco, Calif, USA, April 2003, Lecture Notes in Computer Science, pp. 68–79, Springer, 2003.

[21] Y. Dodis, J. Katz, S. Xu, and M. Yung, "Strong key-insulated signature schemes," in Public Key Cryptography – PKC 2003, vol. 2567 of Lecture Notes in Computer Science, pp. 130–144, Springer, Berlin, Germany, 2002.

[22] D. Brumley and D. Boneh, "Remote timing attacks are practical," Computer Networks, vol. 48, no. 5, pp. 701–716, 2005.

[23] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology – CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer, Berlin, Germany, 1999.

[24] E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Advances in Cryptology – CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 221–240, Springer, Berlin, Germany, 2008.

[25] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology – EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pp. 37–51, Springer, Berlin, Germany, 1997.

[26] S. Micali and L. Reyzin, "Physically observable cryptography," in Theory of Cryptography: Proceedings of the 1st Theory of Cryptography Conference (TCC '04), Cambridge, MA, USA, February 19–21, 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 278–296, Springer, Berlin, Germany, 2004.

[27] Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, "Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage," in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS '10), pp. 501–510, October 2010.

[28] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, "Cryptography against continuous memory attacks," in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 511–520, 2010.

[29] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology – EUROCRYPT '09, vol. 5479 of Lecture Notes in Computer Science, pp. 462–482, Springer, Berlin, Germany, 2009.

[30] S. Garg, A. Jain, and A. Sahai, "Leakage-resilient zero knowledge," in Advances in Cryptology – CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 297–315, Springer, Berlin, Germany, 2011.

[31] E. Kiltz and K. Pietrzak, "Leakage resilient ElGamal encryption," in Advances in Cryptology – ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 595–612, Springer, Berlin, Germany, 2010.

[32] M. Naor and G. Segev, "Public-key cryptosystems resilient to key leakage," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 18–35, Springer, Berlin, Germany, 2009.

[33] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, "Practical leakage-resilient identity-based encryption from simple assumptions," in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 152–161, ACM, October 2010.

[34] T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, "Identity-based encryption resilient to continual auxiliary leakage," in Advances in Cryptology – EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 117–134, Springer, Berlin, Germany, 2012.

[35] J. Alwen, Y. Dodis, and D. Wichs, "Leakage-resilient public-key cryptography in the bounded-retrieval model," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 36–54, Springer, 2009.

[36] E. Boyle, G. Segev, and D. Wichs, "Fully leakage-resilient signatures," in Advances in Cryptology – EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 89–108, Springer, Berlin, Germany, 2011.

[37] S. Faust, E. Kiltz, K. Pietrzak, and G. N. Rothblum, "Leakage-resilient signatures," in Theory of Cryptography: 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010, Proceedings, vol. 5978 of Lecture Notes in Computer Science, pp. 343–360, Springer, Berlin, Germany, 2010.

[38] J. Katz and V. Vaikuntanathan, "Signature schemes with bounded leakage resilience," in Advances in Cryptology – ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 703–720, Springer, Berlin, Germany, 2009.

[39] T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung, "Signatures resilient to continual leakage on memory and computation," in Proceedings of the 8th Theory of Cryptography Conference (TCC '11), vol. 6597 of Lecture Notes in Computer Science, pp. 89–106, Springer, Providence, RI, USA, 2011.

[40] F. Tang, H. Li, Q. Niu, and B. Liang, "Efficient leakage-resilient signature schemes in the generic bilinear group model," Cryptology ePrint Archive, Report 2013/785, 2013, http://eprint.iacr.org.

[41] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 416–432, Springer, Berlin, Germany, 2003.

[42] F. Tang, H. Li, Q. Niu, and B. Liang, "Leakage-resilient proxy signatures," in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 495–502, Xi'an, China, September 2013.



parent node. A depth-first traversal can be used to traverse and label the tree. For a node $w \in \{0,1\}^{\le d} \setminus \{1^d\}$ we define the algorithm $\mathrm{DF}(w)$ as the node traversed after $w$ in the depth-first traversal, that is,

$$\mathrm{DF}(w) = \begin{cases} w\|0, & \text{if } |w| < d \ (w \text{ is the root or an internal node}),\\ w'\|1, & \text{if } |w| = d, \text{ where } w = w'\|0\|1^j \ (w \text{ is a leaf}). \end{cases} \qquad (1)$$

When the depth-first algorithm traverses the binary tree, each node $w$ is associated with a secret-public key pair $(sk_w, pk_w)$ obtained by invoking the $\mathsf{kg}$ algorithm of the underlying signature scheme $\mathsf{sig}$. The following notation will be used in the rest of this paper. Let $w = w_1 w_2 \cdots w_t$ be a bit string of length $t$.

(i) $\Gamma_w = \{(pk_w, \phi_w), \ldots, (pk_{w_1 w_2}, \phi_{w_1 w_2}), (pk_{w_1}, \phi_{w_1})\}$ is a "signature path" from $w$ to the root; $\phi_{w'}$ is a signature of $010\|pk_{w'}$ under its parent's key $sk_{\mathrm{par}(w')}$, that is, $\phi_{w'} \xleftarrow{\$} \mathsf{sign}(sk_{\mathrm{par}(w')}, 010\|pk_{w'})$.

(ii) $S_w = \{sk_{w_1 w_2 \cdots w_i} \mid w_{i+1} = 0\}$ is the subset of the secret keys on the path from the root $\varepsilon$ to the node $w$: $sk_{w'} \in S_w$ if and only if the path turns to the left child $w'\|0$ at the node $w'$. (The reason is that in this case the right child $w'\|1$ of node $w'$ will be traversed after node $w$ in the depth-first traversal; consequently the secret key $sk_{w'}$ of node $w'$ is still needed to sign the public key $pk_{w'\|1}$ of its right child $w'\|1$.)

The stateful secret key of the scheme $\mathsf{SIG}^*$ has the form $(w, S_w, \Gamma_w)$; that is, the stacks $S_w$ and $\Gamma_w$ keep track of the state of the node $w$. For a stack $S$ we define the following three algorithms:

(1) $\mathrm{push}(S, a)$: put the element $a$ on the stack $S$;
(2) $a \leftarrow \mathrm{pop}(S)$: remove the topmost element from the stack $S$ and assign it to $a$;
(3) $\mathrm{trash}(S)$: remove the topmost element from the stack $S$.

4.1. Construction. To avoid trivial attacks against this scheme we use the idea of Boldyreva et al. [13]: a 3-bit string is attached as a prefix to the text that will be signed, namely $111$ for text signed to compute ordinary signatures, $010$ for text signed to compute signature paths, $100$ for text signed to compute delegation certificates, and $101$ for text signed to compute proxy signatures. The LRPS scheme $\mathsf{SIG}^*$ is constructed as follows.

(i) $\mathsf{Kg}^*(1^k)$: $(sk_\varepsilon, pk_\varepsilon) \xleftarrow{\$} \mathsf{kg}(1^k)$; $S_\varepsilon = \{sk_\varepsilon\}$; $\Gamma_\varepsilon = \emptyset$; $SK_\varepsilon = (w_\varepsilon, S_\varepsilon, \Gamma_\varepsilon)$; $PK = pk_\varepsilon$; return $(SK_\varepsilon, PK)$.

(ii) $\mathsf{Sign}^*(SK_w, m)$ (to ease exposition, the signing process of the root $\varepsilon$, i.e., $\sigma \xleftarrow{\$} \mathsf{sign}(sk_\varepsilon, 111\|m)$, is not contained in this formal description):
parse $SK_w = (w, S_w, \Gamma_w)$; if $w = 1^d$ return $\perp$;
if $|w| = d$, i.e., the current node is a leaf $w = w'\|0\|1^j$ that is now being left, for $i = 1, \ldots, j+1$ do $\mathrm{trash}(\Gamma_w)$;
$w \leftarrow \mathrm{DF}(w)$; $(sk_w, pk_w) \xleftarrow{\$} \mathsf{kg}(1^k)$;
$\sigma \xleftarrow{\$} \mathsf{sign}(sk_w, 111\|m)$; $sk_{\mathrm{par}(w)} \leftarrow \mathrm{pop}(S_w)$; $\phi_w \xleftarrow{\$} \mathsf{sign}(sk_{\mathrm{par}(w)}, 010\|pk_w)$;
if $w_{|w|} = 0$: $S_w \leftarrow \mathrm{push}(S_w, sk_{\mathrm{par}(w)})$;
if $|w| < d$: $S_w \leftarrow \mathrm{push}(S_w, sk_w)$;
$\Gamma_w \leftarrow \mathrm{push}(\Gamma_w, (pk_w, \phi_w))$; $\Sigma = (\sigma, \Gamma_w)$; $SK_w = (w, S_w, \Gamma_w)$; return $(\Sigma, SK_w)$. $\qquad (2)$
(The $j+1$ entries trashed from $\Gamma_w$ belong to the nodes $w'\|0, w'\|0\|1, \ldots, w'\|0\|1^j$, none of which lies on the path from the root to the next node $w'\|1$; when a leaf is reached from its parent, nothing is trashed, since the path merely grows by one node.)

(iii) $\mathsf{Vfy}^*(PK, m, \Sigma)$: parse $\Sigma = (\sigma, \Gamma_{w_1 w_2 \cdots w_{|w|}})$; $pk_\varepsilon = PK$; for $i = 1, \ldots, |w|$ do: if $0 \leftarrow \mathsf{vfy}(pk_{w_1 \cdots w_{i-1}}, 010\|pk_{w_1 \cdots w_i}, \phi_{w_1 \cdots w_i})$ return $0$; else return $\mathsf{vfy}(pk_{w_1 w_2 \cdots w_{|w|}}, 111\|m, \sigma)$.

(iv) $\mathsf{Del}^*(SK_{D(i-1)}, PK_P, \mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j)$: $D$ runs $(\mathrm{cert}_j, SK_{Di}) \xleftarrow{\$} \mathsf{Sign}^*(SK_{D(i-1)}, 100\|PK_P\|j\|W_j)$ and then sends $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W_j, \mathrm{cert}_j)$ to $P$.

(v) $\mathsf{PKg}^*(SK_{P(i'-1)}, PK_P, PK_D)$: $P$ first checks the validity of the delegation certificates: for $k = 1, \ldots, j$ do: if $0 \leftarrow \mathsf{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$, it returns $\perp$ and rejects the delegation; otherwise it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W_j)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}_j)$, and finally sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P(i'-1)})$.
If someone whose key pair is $(SK_{SD(i-1)}, PK_{SD})$ wants to designate itself as a proxy, it runs $(SK'_{P0}, PK'_P) \xleftarrow{\$} \mathsf{Kg}^*(1^k)$ to generate a fresh key pair as the proxy key and creates a certificate $(\mathrm{cert}', SK_{SDi}) \xleftarrow{\$} \mathsf{Sign}^*(SK_{SD(i-1)}, 100\|PK'_P\|0\|W')$; then it does
$\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK'_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W')$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert}')$, $\qquad (3)$
and finally sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK'_{P0})$.

(vi) $\mathsf{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, SK_{P(i-1)}, m)$: $(\Sigma, SK_{Pi}) \xleftarrow{\$} \mathsf{Sign}^*(SK_{P(i-1)}, 101\|m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$.

(vii) $\mathsf{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates: for $k = 1, \ldots, j$ do: if $0 \leftarrow \mathsf{Vfy}^*(PK_{k-1}, 100\|PK_k\|k\|W_k, \mathrm{cert}_k)$ return $0$; else return $\mathsf{Vfy}^*(PK_j, 101\|m, P\Sigma)$.

Upper Bound of the Number of Messages That Can Be Signed. For a fixed signing key in both of the schemes FKPR and SIG*, the upper bound on the number of messages that can be signed is $q = 2^{d+1} - 2$. We can see from the above construction that each internal node is used only once in the signing algorithm. However, the key (with respect to the scheme sig) of any leaf can be used to sign three times. Hence the upper bound on the number of messages that can be signed could be increased to $2^{d+2} - 4$, that is, double the previous upper bound as well as that of the FKPR scheme.

We should stress here that there is a disadvantage of our scheme, which is based on a tree-based signature, compared to those constructed from aggregate signatures [13, 15]: in those schemes the verification of the delegation certificates can be executed all at once, due to the aggregability property of aggregate signatures [41].

4.2. Security. We now analyze the security of the proposed LRPS scheme.

Theorem 1. If the FKPR scheme (denoted by SIG) is EU-CMLA secure, then the proxy signature scheme SIG* is also EU-CMLA secure.

Our proof line is similar to that of Boldyreva et al.'s [13]. If there exists an EU-CMLA adversary $\mathcal{A}$ that can break the security of the scheme SIG*, then we can construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme SIG.

(i) Initially, $\mathcal{B}$ is given a challenge public key $PK'$ and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}, \mathcal{B}}$. $\mathcal{B}$ first sets $PK^* = PK'$ as the challenge public key of the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*, \mathcal{A}}$ and sends it to $\mathcal{A}$. Then it plays the experiment with $\mathcal{A}$.

(ii) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following.

(a) Delegation to $SK^*_{i-1}$: $(PK_D)$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running $\mathrm{PKg}^*(*, PK^*, PK_D)$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$. $\mathcal{B}$ can run the $\mathrm{PKg}^*$ algorithm even though it has no idea about $SK^*_{i-1}$, because $SK^*_{i-1}$ will be set as the proxy key of the challenge user; so upon completion $\mathcal{B}$ does not know the corresponding proxy key.

(b) Delegation from $SK^*_{i-1}$: $(PK_P, W_j)$. $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $PK_P$. $\mathcal{B}$ makes the signing query SQ with input $00 \| PK_P \| j \| W_j$ and is returned $\Sigma$. After the delegation protocol is finished, $\mathcal{A}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$, where $PK_P \in \mathbf{PK}'$, $W_j \in \mathbf{W}'$, and $\mathrm{cert}_j = \Sigma \in \mathbf{C}'$.

(c) Self-delegation of $SK^*_{i-1}$: $(W)$. $\mathcal{B}$ runs the delegation protocol to generate a proxy key of $PK^*$ for itself. $\mathcal{B}$ first runs $(SK'_0, PK') \xleftarrow{\$} \mathrm{Kg}^*$ and then makes the signing query SQ with input $00 \| PK' \| 0 \| W$, and is returned $\Sigma$. Finally $\mathcal{B}$ returns the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', 0, SK'_0)$ and sends the delegation transcripts to $\mathcal{A}$, where $PK' \in \mathbf{PK}'$, $W \in \mathbf{W}'$, and $\mathrm{cert}' = \Sigma \in \mathbf{C}'$.

(d) Ordinary signing queries of $SK^*_{i-1}$: $(m_i)$. $\mathcal{B}$ makes the signing query SQ with input $11 \| m_i$ and is returned the signature $\Sigma$. Finally $\mathcal{B}$ returns $\Sigma$ to $\mathcal{A}$.

(e) Proxy signing queries of $SK^*_{i-1}$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ makes the signing query SQ with input $01 \| m_i$ and is returned the signature $\Sigma$. Finally $\mathcal{B}$ returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$ to $\mathcal{A}$.

(f) Leakage queries: $(f_i)$. $\mathcal{A}$ may make a query $f_i$ for the leakage information after each delegation protocol, ordinary signing, or proxy signing query. To answer it, $\mathcal{B}$ makes the same query to LQ and is returned either valid leakage information $\Lambda_i$ or $\bot$ if $f_i$ is illegal. Finally $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. In the construction of the scheme SIG*, besides the Sign* algorithm there are two further algorithms that use the signing or proxy signing key: Del* and PSign*. However, they are in fact also signing algorithms, just with different input text, so the leakage information answered by $\mathcal{B}$ (from LQ) is indistinguishable from what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*, \mathcal{A}}$.

(iii) Finally, according to the assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $PK^*$ with respect to the scheme SIG*. It must be one of the following cases. We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme SIG.

(1) Ordinary signature of $PK^*$: $(m^*, \Sigma^*)$. If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$ of $PK^*$, then $\mathcal{B}$ outputs $(11 \| m^*, \Sigma^*)$.

(2) Proxy signature of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the last entry in $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ of $PK^*$, $\mathcal{B}$ outputs $(01 \| m^*, \Sigma^*)$.

(3) Proxy signature on behalf of $PK^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in the list $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ on behalf of $PK^*$, then $\mathcal{B}$ outputs $(00 \| PK_{n+1} \| n+1 \| W_n, \mathrm{cert}_{n+1})$.

Analysis of $\mathcal{B}$. It is clear that the view of $\mathcal{A}$ answered by $\mathcal{B}$ in the above experiment is identical to what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}^*, \mathcal{A}}$. We now show that any valid output of the adversary $\mathcal{A}$ can be translated into a valid forgery with respect to the FKPR scheme SIG.

(1) If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$, then $1 \leftarrow \mathrm{Vfy}^*(PK^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing queries, so $\mathcal{B}$ has not made the signing query SQ with input $11 \| m^*$. Therefore $(11 \| m^*, \Sigma^*)$ is a valid forgery with respect to the scheme SIG.

(2) If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, then $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing queries, so $\mathcal{B}$ has not made the signing query SQ with input $01 \| m^*$. Therefore $(01 \| m^*, P\Sigma^*)$ is a valid forgery with respect to the scheme SIG.

(3) If $\mathcal{A}$ outputs a proxy signature on behalf of $PK^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $PK^*$ is the $n$th entry in $\mathbf{PK}$, then $1 \leftarrow \mathrm{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ has not made the query of delegation from $SK^*_{i-1}$ with input $(PK_{n+1}, W_{n+1})$ (the $(n+1)$th entry in $\mathbf{PK}$), so $\mathcal{B}$ has not made the signing query SQ with input $00 \| PK_{n+1} \| n+1 \| W_n$. Therefore $(00 \| PK_{n+1} \| n+1 \| W_n, \mathrm{cert}_{n+1})$ is a valid forgery with respect to the scheme SIG.

From the above analysis we can see that the forgery output by the challenger $\mathcal{B}$ contradicts the security of the FKPR scheme SIG (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme SIG*.

5. Conclusion

In this paper we design a leakage-resilient proxy signature scheme, the LRPS. To model the security of such schemes, we adapt the existing models for proxy signature schemes proposed by Schuldt et al. (PKC 2008) [15] and Boldyreva et al. (Journal of Cryptology 2012) [13] to the leakage-resilient cryptography setting, and give an extended model, EU-CMLA, for LRPS schemes. Furthermore, we present a concrete construction based on Faust et al.'s (TCC 2010) [37] LR signature scheme. This construction is provably secure under the given security model.

Appendices

Now we show that the proposed proxy signature scheme SIG* in Section 4, which is based on the BPW transformation, can be used to produce a secure full construction (denoted by SIG**) of the proxy signature scheme.

A. Construction

As said before, to guarantee that no information about the user's long-term secret key is leaked if its proxy keys are exposed, we had better let a proxy generate fresh and independent keys (PK, SK) in a delegation, create a certificate for PK, and keep SK as the proxy secret key. To record the proxy public keys of the proxies, we maintain a separate list $\mathbf{FK}$ to store them. The construction of the scheme SIG** = (Kg**, Sign**, Vfy**, ⟨Del**, PKg**⟩, PSign**, PVfy**) is as follows, where the algorithms Kg**, Sign**, Vfy** are the same as the algorithms Kg*, Sign*, Vfy* of the scheme SIG*, respectively. Here we should stress that the following construction is based on Schuldt et al.'s [15] idea; their scheme is based on sequential aggregate signatures, while ours is based on tree-based signatures, and we focus on the realization of leakage-resilient proxy signatures.

In the scheme SIG*, the proxy's proxy key is in fact exactly its long-term secret key, and hence whether it delegates its own signing right or its proxy signing right to the next proxy, it takes as input its secret key to run the delegation algorithm Del*. However, when we consider the full construction of the proxy signature scheme, the proxy's secret key and the proxy's proxy key are different and independent; thus when it delegates its own signing right to a proxy, it takes as input its secret key, and when it delegates its proxy signing right to the next proxy, it takes as input the proxy key. To describe these two cases uniformly, we use sk to denote the input to the Del** algorithm run by the delegator in the scheme SIG**. For ease of description, here we describe the stateful signing algorithm Sign** in a nonstateful formalization.

(i) $\mathrm{Del}^{**}(sk, PK_P, \mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, W)$: it is divided into the following two cases, depending on $(\mathbf{PK}, \mathbf{W})$.

(a) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., sk is a long-term secret key), the delegator constructs the lists $\mathbf{PK} = \{PK_D, PK_P\}$, $\mathbf{FK} = 0$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathrm{Sign}^{**}(sk, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathrm{cert})$ to the proxy.

(b) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., sk is a proxy key), the delegator constructs the lists $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathrm{Sign}^{**}(sk, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, \mathrm{cert})$ to the proxy.

(ii) $\mathrm{PKg}^{**}(SK_P, PK_P, PK_D)$: the proxy first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$ do: if $0 \leftarrow \mathrm{Vfy}^{**}(PK_{k-1}, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W}, \mathrm{cert}_k)$, it returns $\bot$ and rejects this delegation, where $\mathrm{cert}_k$ means the $k$th entry in the list $\mathbf{C}$. Otherwise, it first generates a fresh proxy key pair $(PK'_P, SK'_P) \leftarrow \mathrm{Kg}^{**}(1^k)$ and runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK'_P)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathrm{Sign}^{**}(SK_P, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W})$. Finally it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, sets $PSK = (\mathbf{FK}, \mathrm{cert}, SK'_P)$, and outputs the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK)$.

(iii) $\mathrm{PSign}^{**}(\mathbf{PK}, \mathbf{W}, \mathbf{C}, PSK, m)$: $\Sigma \xleftarrow{\$} \mathrm{Sign}^{**}(SK'_P, 101 \| m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, P\Sigma = \Sigma)$.

(iv) $\mathrm{PVfy}^{**}(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$ it runs $\mathrm{Vfy}^{**}(PK_{k-1}, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W}, \mathrm{cert}_k)$ or $\mathrm{Vfy}^{**}(PK'_{k-1}, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W}, \mathrm{cert}_k)$, depending on whether the current certificate was generated by Del** or by PKg**, respectively. If all the verifications pass, then it returns $\mathrm{Vfy}^{**}(PK'_P, 101 \| m, P\Sigma)$.
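The SIG* algorithms of Section 4 and the SIG** construction above share one verification pattern: a chain of delegation certificates, each signed by the previous key over a tagged payload, followed by the proxy signature under the last key, with the tags 100/101/111 keeping certificates, proxy signatures and ordinary signatures in separate contexts. The Python below is an added illustration of that pattern and is not the paper's code. It swaps a toy Schnorr signature over a small safe-prime group for the FKPR tree-based scheme (the group is far too small to be secure and the tree state update is omitted), and adds the appendix's idea of a fresh proxy key certified by the proxy's long-term key. The function names (delegate, verify_chain, fresh_proxy_key, proxy_verify), the payload encoding, and the warrants and message are constructed for the example.

```python
"""Added example (not the paper's code): SIG*-style delegation chains with
the paper's domain tags, plus the appendix's fresh proxy key. A toy Schnorr
signature over a small safe-prime group stands in for the FKPR tree-based
scheme; it is far too small to be secure and only lets the logic run offline."""
import hashlib
import secrets

def _is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def _safe_prime_params(start=1_000_003):
    """Smallest odd q >= start with q and p = 2q + 1 prime; g = 4 has order q."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = _safe_prime_params()
TAG_CERT, TAG_PROXY, TAG_ORD = b"100", b"101", b"111"   # tags as in the paper

def _h(*parts):                       # length-prefixed hash into Z_q
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x            # (pk, sk)

def sign(sk, tag, msg):
    k = secrets.randbelow(Q - 1) + 1  # fresh nonce per signature
    r = pow(G, k, P)
    e = _h(str(r).encode(), tag, msg) # the tag binds the signing context
    return e, (k - sk * e) % Q

def verify(pk, tag, msg, sig):
    e, s = sig
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    r = pow(G, s, P) * pow(pk, e, P) % P   # g^s * y^e == g^k
    return _h(str(r).encode(), tag, msg) == e

def _hop(pk, k, warrant):
    """Certified payload of hop k: PK_k || k || W_k (tag 100 added by sign)."""
    return str(pk).encode() + b"|" + str(k).encode() + b"|" + warrant

def delegate(sk_delegator, pk_list, warrants, certs, pk_proxy, warrant):
    """Del*: append hop j = |W| + 1 and certify it with the delegator's key."""
    pk_list, warrants = pk_list + [pk_proxy], warrants + [warrant]
    cert = sign(sk_delegator, TAG_CERT, _hop(pk_proxy, len(warrants), warrant))
    return pk_list, warrants, certs + [cert]

def verify_chain(pk_list, warrants, certs):
    """Loop shared by PKg* and PVfy*: hop k must carry a cert by PK_{k-1}."""
    if not len(pk_list) == len(warrants) + 1 == len(certs) + 1:
        return False
    return all(verify(pk_list[k - 1], TAG_CERT, _hop(pk_list[k], k, warrants[k - 1]),
                      certs[k - 1]) for k in range(1, len(pk_list)))

def fresh_proxy_key(sk_longterm, warrants):
    """Appendix A idea: a fresh key pair certified by the proxy's long-term
    key, so exposing the proxy signing key reveals nothing about that key."""
    if not warrants:
        raise ValueError("a fresh proxy key needs a delegation to attach to")
    fpk, fsk = keygen()
    fcert = sign(sk_longterm, TAG_CERT, _hop(fpk, len(warrants), warrants[-1]))
    return fpk, fcert, fsk

def proxy_sign(sk_proxy, msg):
    """PSign*: sign under tag 101 with the proxy key (long-term or fresh)."""
    return sign(sk_proxy, TAG_PROXY, msg)

def proxy_verify(pk_list, warrants, certs, msg, psig, fresh=None):
    """PVfy*: chain first, then psig under PK_j. With fresh=(fpk, fcert),
    PK_j must certify fpk and psig is checked under fpk (PVfy** behaviour)."""
    if not verify_chain(pk_list, warrants, certs):
        return False
    signer = pk_list[-1]
    if fresh is not None:
        fpk, fcert = fresh
        if not verify(signer, TAG_CERT, _hop(fpk, len(warrants), warrants[-1]), fcert):
            return False
        signer = fpk
    return verify(signer, TAG_PROXY, msg, psig)

def demo():
    """Constructed scenario: D delegates to P1, who redelegates to P2."""
    (pk_d, sk_d), (pk_1, sk_1), (pk_2, sk_2) = keygen(), keygen(), keygen()
    PK, W, C = [pk_d], [], []
    PK, W, C = delegate(sk_d, PK, W, C, pk_1, b"constructed warrant W1")
    PK, W, C = delegate(sk_1, PK, W, C, pk_2, b"constructed warrant W2")
    msg = b"constructed message m"
    psig = proxy_sign(sk_2, msg)                  # SIG*: proxy's long-term key
    fpk, fcert, fsk = fresh_proxy_key(sk_2, W)    # appendix: fresh proxy key
    fsig = proxy_sign(fsk, msg)
    return {
        "proxy_ok": proxy_verify(PK, W, C, msg, psig),
        "fresh_ok": proxy_verify(PK, W, C, msg, fsig, fresh=(fpk, fcert)),
        "warrant_tamper_rejected": not proxy_verify(PK, W[:-1] + [b"other"], C, msg, psig),
        "cross_context_rejected": not verify(pk_2, TAG_ORD, msg, psig),
        "uncertified_fresh_rejected": not proxy_verify(PK, W, C, msg, fsig),
    }
```

`demo()` returns a dictionary in which every check is true: a well-formed chain and proxy signature verify; altering one warrant breaks the certificate that covers it; a proxy signature does not verify as an ordinary signature of the same key, because the tag is hashed into the challenge, which is the separation the proofs rely on when they map a forgery back to a tagged FKPR query; and a signature under a fresh key that the proxy's long-term key never certified is rejected. Whether $m$ actually falls within the scope described by $W_j$ is a policy check the verifier must still perform outside PVfy*, since the signature only binds the warrant, it does not interpret it.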

B. Security

We now analyze the security of the scheme SIG**. This proof is roughly analogous to the proof for the scheme SIG*. However, because the proxy key is independent of the long-term secret key, we have to permit more queries to the adversary, such as a redelegation of a user's proxy key. Here we adapt Schuldt et al.'s [15] security model EU-CMA-PKE, which is the strongest notion for proxy signature schemes (cf. Section 4 of [15] for a detailed description), to the leakage-resilient cryptography setting: EU-CMLA-PKE. In the presence of leakage we should care about which secret can be taken as input to the leakage function: the long-term secret key, the proxy key, or both. Our answer is both.

The detailed analysis is as follows.

Theorem B.1. The proxy signature scheme SIG** is EU-CMLA-PKE secure based on the security of the leakage-resilient FKPR signature scheme SIG.

We show that if there exists an EU-CMLA-PKE adversary $\mathcal{A}$ which can break the security of the scheme SIG**, then it can be used to construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme SIG.

(I) Initially, $\mathcal{B}$ is given a challenge public key $PK'$ and can adaptively make signing queries (SQ) and leakage queries (LQ) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathrm{SIG}, \mathcal{B}}$. $\mathcal{B}$ first chooses a random $c \leftarrow \{0, 1\}$. If $c = 0$, $\mathcal{B}$ sets $PK^* = PK'$ and $SK^* = 0$. Otherwise, $\mathcal{B}$ generates a fresh key pair $(PK^*, SK^*) \leftarrow \mathrm{Kg}^{**}$ and chooses a random $i^* \leftarrow \{1, \ldots, q_d\}$ (where $q_d$ is the number of queries $\mathcal{A}$ makes to the delegation oracle; $\mathcal{B}$ will use $PK'$ instead of a fresh key in the $i^*$th delegation query by $\mathcal{A}$). In both cases $\mathcal{B}$ sends $PK^*$ to $\mathcal{A}$ as the challenge public key of the experiment $\mathrm{Exp}^{\text{eu-cmla-pke}}_{\mathrm{SIG}^{**}, \mathcal{A}}$. Then it plays the experiment with $\mathcal{A}$.

(II) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following. When a query by $\mathcal{A}$ needs a signing invocation of $SK'$ corresponding to $PK'$, $\mathcal{B}$ queries its own signing oracle SQ; we omit this implicit step in the following proof. In addition, $\mathcal{B}$ maintains a set of lists $\mathrm{PskList}(*, *)$ which contains all proxy keys generated by $\mathcal{B}$ for the delegation chain with the public keys $\mathbf{PK}$ and warrants $\mathbf{W}$.

(i) Delegation to $SK^*$: $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$. If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, then $\mathcal{B}$ first runs $(PK, SK) \leftarrow \mathrm{Kg}^{**}(1^k)$, $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$ and sets $SK_{\mathrm{prx}} = SK$. If $c = 1$ and this is the $i^*$th delegation query, $\mathcal{B}$ runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK^*)$ and sets $SK_{\mathrm{prx}} = 0$. Then $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{\mathrm{prx}}, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W})$. Finally it stores $PSK = (\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$.

(ii) Delegation from $SK^*$: this query can be divided into the following three cases.

(a) Delegation of $SK^*$: $(PK_P, W)$. $\mathcal{B}$ sets $\mathbf{PK} = \{PK^*, PK_P\}$, $\mathbf{FK} = 0$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK^*, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W})$ and sets $\mathbf{C} = \{\mathrm{cert}\}$. Finally it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(b) Redelegation of $PSK$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, PK_P, W)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{\mathrm{prx}}, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W})$, and sets $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$. Finally it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(c) Self-delegation of $SK^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W)$.

(1) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., self-delegation of $SK^*$), $\mathcal{B}$ constructs $\mathbf{PK} = \{PK^*, PK^*\}$, $\mathbf{FK} = 0$, and $\mathbf{W} = \{W\}$, and sets $SK_{\mathrm{sel}} = SK^*$ and $\mathrm{cert}_{\mathrm{sel}} = 0$.

(2) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., delegation of $PSK$), $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it computes $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, PK^*)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, and sets $SK_{\mathrm{sel}} = SK_{\mathrm{prx}}$ and $\mathrm{cert}_{\mathrm{sel}} = \mathrm{cert}$.

$\mathcal{B}$ then computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{\mathrm{sel}}, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W})$. If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, $\mathcal{B}$ first runs $(PK, SK) \leftarrow \mathrm{Kg}^{**}(1^k)$ and constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK)$. Otherwise $\mathcal{B}$ constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, PK^*)$ and sets $SK = 0$. Finally $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathrm{Sign}^{**}(SK_{\mathrm{sel}}, 100 \| \mathbf{PK} \| \mathbf{FK} \| \mathbf{W})$ and $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, then stores the proxy key $PSK = (\mathbf{FK}, \mathrm{cert}, SK)$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and sends the transcript $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(iii) Ordinary signing queries of $SK^*$: $(m_i)$. $\mathcal{B}$ returns $\mathrm{Sign}^{**}(SK^*, 111 \| m)$.

(iv) Proxy signing queries of $SK^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. Then it computes $P\Sigma \leftarrow \mathrm{PSign}^{**}(SK_{\mathrm{prx}}, 101 \| m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma))$ to $\mathcal{A}$.

(v) Proxy key exposure queries: $(\mathbf{PK}, \mathbf{W}, j)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$. If $SK_{\mathrm{prx}} = 0$, $\mathcal{B}$ aborts. Otherwise $\mathcal{B}$ returns $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ to $\mathcal{A}$.

(vi) Leakage queries: $(f_i)$. $\mathcal{A}$ makes a query $f_i$ for the leakage information about the secret key sk (randomness is also included here) after each delegation protocol, ordinary signing, or proxy signing query. If the secret key used was chosen by $\mathcal{B}$, then $\mathcal{B}$ returns $\Lambda_i = f_i(sk)$. Otherwise $\mathcal{B}$ makes the same query to its own leakage oracle LQ and is returned either valid leakage information $\Lambda_i$ or $\bot$ if $f_i$ is illegal. Finally $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. The secret state for $\mathcal{A}$ can be divided into two kinds: the first is that chosen by $\mathcal{B}$ in the experiment, and the second is that unknown to $\mathcal{B}$, that is, $SK'$ and the randomness used in the signing oracle SQ. For the first kind, $\mathcal{B}$ can directly answer $\mathcal{A}$ by itself. For the second kind, as in the proof of Theorem 1, $\mathcal{B}$ can make the same query to its leakage oracle LQ.

(III) Finally, according to the assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $PK^*$ (with respect to the scheme SIG**). It must be one of the following cases:

(1) an ordinary signature $(m^*, \Sigma^*)$;
(2) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;
(3) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;
(4) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was generated by $\mathcal{B}$;
(5) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was generated by $\mathcal{B}$.

We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme SIG. If $\mathcal{B}$ has flipped $c = 0$, which means that $PK^* = PK'$, then the first three cases correspond to forgeries where $\mathcal{A}$ has forged a signature under the secret key $SK'$, and hence $\mathcal{B}$ can translate them into a forged signature for the scheme SIG, analogously to the proof of Theorem 1. Otherwise, if $\mathcal{A}$ outputs a forgery that belongs to the last two cases, $\mathcal{B}$ aborts.

If $c = 1$, which means that $\mathcal{B}$ has set $PK'$ as the $i^*$th fresh proxy public key, then if $\mathcal{A}$ outputs a forgery that belongs to the first three cases, $\mathcal{B}$ aborts. Otherwise, the last two cases indicate that $\mathcal{A}$ has forged a signature under one of the keys generated by $\mathcal{B}$ in a delegation but for which $\mathcal{A}$ has not received the corresponding secret key. In those two cases $P\Sigma^*$ is a valid signature under a key $PK$ generated by $\mathcal{B}$ in some delegation query; that is, $PK$ is the last key in the list $\mathbf{FK}$ of a proxy key $(\mathbf{FK}, \mathrm{cert}, SK_{\mathrm{prx}})$ from some proxy key list $\mathrm{PskList}(*, *)$. Therefore, with probability $1/q_d$, $\mathcal{B}$ has chosen the right $i^*$ such that $PK = PK'$. In this case $\mathcal{B}$ outputs $P\Sigma^*$ as a valid forgery for the key $PK'$ of the underlying signature scheme SIG.

From the above analysis we can see that the challenger $\mathcal{B}$'s forgery, output with nonnegligible probability, contradicts the security of the FKPR scheme SIG (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme SIG**.

Disclosure

An abstract of this paper has been presented in the proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, pp. 495–502, 2013 [42].

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 60970139), the Strategic Priority Program of Chinese Academy of Sciences (Grant no. XDA06010702), and the IIE's Cryptography Research Project. The authors would like to thank the anonymous reviewers for their helpful comments and suggestions.

References

[1] W. Farmer, J. Gutmann, and V. Swarup, "Security for mobile agents: authentication and state appraisal," in Computer Security—ESORICS 96, 4th European Symposium on Research in Computer Security, Rome, Italy, September 25–27, 1996, Proceedings, vol. 1146 of Lecture Notes in Computer Science, pp. 118–130, Springer, Berlin, Germany, 1996.

[2] P. Kotzanikolaous, G. Katsirelos, and V. Chrissikopoulos, "Mobile agents for secure electronic transactions," in Recent Advances in Signal Processing and Communications, pp. 363–368, World Scientific and Engineering Society Press, 1999.

[3] B. Lee, H. Kim, and K. Kim, "Secure mobile agent using strong non-designated proxy signature," in Information Security and Privacy: Proceedings of the 6th Australasian Conference (ACISP '01), Sydney, Australia, July 11–13, 2001, vol. 2119 of Lecture Notes in Computer Science, pp. 474–486, Springer, Berlin, Germany, 2001.

[4] B. Lee, H. Kim, and K. Kim, "Strong proxy signature and its applications," in Proceedings of the Symposium on Cryptography and Information Security (SCIS 01), pp. 603–608, 2001.

[5] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, vol. 79, pp. 1338–1353, 1996.

[6] G. Allee, S. Pierre, R. H. Glitho, and A. El Rhazi, "An improved itinerary recording protocol for securing distributed architectures based on mobile agents," Mobile Information Systems, vol. 1, no. 2, pp. 129–147, 2005.

[7] R. Aversa, B. Di Martino, N. Mazzocca, and S. Venticinque, "A skeleton based programming paradigm for mobile multi-agents on distributed systems and its realization within the MAGDA mobile agents platform," Mobile Information Systems, vol. 4, no. 2, pp. 131–146, 2008.

[8] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[9] Y. Wang, D. S. Wong, and H. Wang, "Employ a mobile agent for making a payment," in Mobile Information Systems, vol. 4, pp. 51–68, IOS Press, 2008.

[10] S. Parvin, F. K. Hussain, and S. Ali, "A methodology to counter DoS attacks in mobile IP communication," Mobile Information Systems, vol. 8, no. 2, pp. 127–152, 2012.

[11] H. U. Park and I. Y. Lee, "A digital nominative proxy signature scheme for mobile communication," in Information and Communications Security: Third International Conference, ICICS 2001, Xian, China, November 13–16, 2001, Proceedings, vol. 2229 of Lecture Notes in Computer Science, pp. 451–455, Springer, Berlin, Germany, 2001.

[12] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," in Proceedings of the 1st International Conference on Information and Communication Security (ICICS '97), vol. 1334 of Lecture Notes in Computer Science, pp. 223–232, Springer, 1997.

[13] A. Boldyreva, A. Palacio, and B. Warinschi, "Secure proxy signature schemes for delegation of signing rights," Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.

[14] T. Malkin, S. Obana, and M. Yung, "The hierarchy of key evolving signatures and a characterization of proxy signatures," in Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 306–322, Springer, Berlin, Germany, 2004.

[15] J. C. N. Schuldt, K. Matsuura, and K. G. Paterson, "Proxy signatures secure against key exposure," in Public Key Cryptography—PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008, Proceedings, vol. 4939 of Lecture Notes in Computer Science, pp. 141–161, Springer, Berlin, Germany, 2008.

[16] H. Wang and J. Pieprzyk, "Efficient one-time proxy signatures," in Advances in Cryptology—ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 507–522, Springer, Berlin, Germany, 2003.

[17] F. Zhang, R. Safavi-Naini, and C. Y. Lin, "New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairings," Tech. Rep. 2003/104, Cryptology ePrint Archive, 2003, http://eprint.iacr.org/.

[18] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[19] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures for delegating signing operation," in Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), pp. 48–56, ACM, March 1996.

[20] J. Y. Lee, J. H. Cheon, and S. Kim, "An analysis of proxy signatures: is a secure channel necessary?" in Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco, Calif, USA, April 2003, Lecture Notes in Computer Science, pp. 68–79, Springer, 2003.

[21] Y. Dodis, J. Katz, S. Xu, and M. Yung, "Strong key-insulated signature schemes," in Public Key Cryptography—PKC 2003, vol. 2567 of Lecture Notes in Computer Science, pp. 130–144, Springer, Berlin, Germany, 2002.

[22] D. Brumley and D. Boneh, "Remote timing attacks are practical," Computer Networks, vol. 48, no. 5, pp. 701–716, 2005.

[23] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology—CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer, Berlin, Germany, 1999.

[24] E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Advances in Cryptology—CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 221–240, Springer, Berlin, Germany, 2008.

[25] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology—EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pp. 37–51, Springer, Berlin, Germany, 1997.

[26] S. Micali and L. Reyzin, "Physically observable cryptography," in Theory of Cryptography: Proceedings of the 1st Theory of Cryptography Conference (TCC '04), Cambridge, MA, USA, February 19–21, 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 278–296, Springer, Berlin, Germany, 2004.

[27] Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, "Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage," in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS '10), pp. 501–510, October 2010.

[28] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, "Cryptography against continuous memory attacks," in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 511–520, 2010.

[29] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology—EUROCRYPT '09, vol. 5479 of Lecture Notes in Computer Science, pp. 462–482, Springer, Berlin, Germany, 2009.

[30] S. Garg, A. Jain, and A. Sahai, "Leakage-resilient zero knowledge," in Advances in Cryptology—CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 297–315, Springer, Berlin, Germany, 2011.

[31] E. Kiltz and K. Pietrzak, "Leakage resilient ElGamal encryption," in Advances in Cryptology—ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 595–612, Springer, Berlin, Germany, 2010.

[32] M. Naor and G. Segev, "Public-key cryptosystems resilient to key leakage," in Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 18–35, Springer, Berlin, Germany, 2009.

[33] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, "Practical leakage-resilient identity-based encryption from simple assumptions," in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 152–161, ACM, October 2010.

[34] T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, "Identity-based encryption resilient to continual auxiliary leakage," in Advances in Cryptology—EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 117–134, Springer, Berlin, Germany, 2012.

[35] J. Alwen, Y. Dodis, and D. Wichs, "Leakage-resilient public-key cryptography in the bounded-retrieval model," in Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 36–54, Springer, 2009.

[36] E. Boyle, G. Segev, and D. Wichs, "Fully leakage-resilient signatures," in Advances in Cryptology—EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 89–108, Springer, Berlin, Germany, 2011.

[37] S. Faust, E. Kiltz, K. Pietrzak, and G. N. Rothblum, "Leakage-resilient signatures," in Theory of Cryptography: 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010, Proceedings, vol. 5978 of Lecture Notes in Computer Science, pp. 343–360, Springer, Berlin, Germany, 2010.

[38] J. Katz and V. Vaikuntanathan, "Signature schemes with bounded leakage resilience," in Advances in Cryptology—ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 703–720, Springer, Berlin, Germany, 2009.

[39] T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung, "Signatures resilient to continual leakage on memory and computation," in Proceedings of the 8th Theory of Cryptography Conference (TCC '11), vol. 6597 of Lecture Notes in Computer Science, pp. 89–106, Springer, Providence, RI, USA, 2011.

[40] F. Tang, H. Li, Q. Niu, and B. Liang, "Efficient leakage-resilient signature schemes in the generic bilinear group model," Cryptology ePrint Archive, Report 2013/785, 2013, http://eprint.iacr.org/.

[41] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Advances in Cryptology—EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 416–432, Springer, Berlin, Germany, 2003.

[42] F. Tang, H. Li, Q. Niu, and B. Liang, "Leakage-resilient proxy signatures," in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 495–502, Xi'an, China, September 2013.


Page 7: Research Article Secure Mobile Agent from Leakage ...downloads.hindawi.com/journals/misy/2015/901418.pdf · Research Article Secure Mobile Agent from Leakage-Resilient Proxy Signatures

Mobile Information Systems 7

finally, it sets the delegation information as $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, \mathit{SK}'_{P,0})$.

(vi) $\mathsf{PSign}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, \mathit{SK}_{P,(i-1)}, m)$: $(\Sigma, \mathit{SK}_{P,i}) \xleftarrow{\$} \mathsf{Sign}^*(\mathit{SK}_{P,(i-1)}, 101 \,\|\, m)$, and output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$.

(vii) $\mathsf{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates: for $k = 1, \ldots, j$, if $0 \leftarrow \mathsf{Vfy}^*(\mathit{PK}_{k-1}, 100 \,\|\, \mathit{PK}_k \,\|\, k \,\|\, W_k, \mathrm{cert}_k)$, it returns 0; otherwise it returns $\mathsf{Vfy}^*(\mathit{PK}_j, 101 \,\|\, m, P\Sigma)$.

Upper Bound of the Number of Messages That Can Be Signed. For a fixed signing key in both of the schemes FKPR and $\mathsf{SIG}^*$, the upper bound of the number of messages that can be signed is $q = 2^{d+1} - 2$. We can see from the above construction that each internal node is used only once by the signing algorithm; however, the key (with respect to the scheme $\mathsf{sig}$) of any leaf can sign three times. Hence the upper bound of the number of messages that can be signed could be increased to $2^{d+2} - 4$, that is, double the previous upper bound, as well as that of the FKPR scheme.

We should stress here that there is a disadvantage of our scheme, which is based on a tree-based signature, compared to those constructed from aggregate signatures [13, 15]: in those schemes the verification of the delegation certificates can be executed at one time, due to the aggregability property of aggregate signatures [41].

4.2. Security. We now analyze the security of the proposed LRPS scheme.

Theorem 1. If the FKPR scheme (denoted by $\mathsf{SIG}$) is EU-CMLA secure, then the proxy signature scheme $\mathsf{SIG}^*$ is also EU-CMLA secure.

Our proof line is similar to that of Boldyreva et al.'s [13]. If there exists an EU-CMLA adversary $\mathcal{A}$ that can break the security of the scheme $\mathsf{SIG}^*$, then we can construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme $\mathsf{SIG}$.

(i) Initially, $\mathcal{B}$ is given a challenge public key $\mathit{PK}'$ and can adaptively make signing queries ($\mathcal{SQ}$) and leakage queries ($\mathcal{LQ}$) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG},\mathcal{B}}$. $\mathcal{B}$ first sets $\mathit{PK}^* = \mathit{PK}'$ as the challenge public key of the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG}^*,\mathcal{A}}$ and sends it to $\mathcal{A}$. Then it plays the experiment with $\mathcal{A}$.

(ii) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following.

(a) Delegation to $\mathit{SK}^*_{i-1}$, $\mathit{PK}_D$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol by running $\mathsf{PKg}^*(*, \mathit{PK}^*, \mathit{PK}_D)$. When it is finished, $\mathcal{B}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$. $\mathcal{B}$ can run the $\mathsf{PKg}^*$ algorithm even though it knows nothing about $\mathit{SK}^*_{i-1}$, because $\mathit{SK}^*_{i-1}$ is set as the proxy key of the challenge user; so upon completion $\mathcal{B}$ does not know the corresponding proxy key.

(b) Delegation from $\mathit{SK}^*_{i-1}$, $(\mathit{PK}_P, W_j)$: $\mathcal{B}$ interacts with $\mathcal{A}$ through the delegation protocol to generate a proxy key for $\mathit{PK}_P$. $\mathcal{B}$ makes the signing query $\mathcal{SQ}$ with input $00 \,\|\, \mathit{PK}_P \,\|\, j \,\|\, W_j$ and is returned $\Sigma$. After the delegation protocol is finished, $\mathcal{A}$ obtains the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', j, *)$, where $\mathit{PK}_P \in \mathbf{PK}'$, $W_j \in \mathbf{W}'$, and $\mathrm{cert}_j = \Sigma \in \mathbf{C}'$.

(c) Self-delegation of $\mathit{SK}^*_{i-1}$, $W$: $\mathcal{B}$ runs the delegation protocol to generate a proxy key of $\mathit{PK}^*$ for itself. $\mathcal{B}$ first runs $(\mathit{SK}'_0, \mathit{PK}') \xleftarrow{\$} \mathsf{Kg}^*$ and then makes the signing query $\mathcal{SQ}$ with input $00 \,\|\, \mathit{PK}' \,\|\, 0 \,\|\, W$, and is returned $\Sigma$. Finally, $\mathcal{B}$ returns the delegation information $(\mathbf{PK}', \mathbf{W}', \mathbf{C}', 0, \mathit{SK}'_0)$ and sends the delegation transcripts to $\mathcal{A}$, where $\mathit{PK}' \in \mathbf{PK}'$, $W \in \mathbf{W}'$, and $\mathrm{cert}' = \Sigma \in \mathbf{C}'$.

(d) Ordinary signing queries of $\mathit{SK}^*_{i-1}$, $m_i$: $\mathcal{B}$ makes the signing query $\mathcal{SQ}$ with input $11 \,\|\, m_i$ and is returned the signature $\Sigma$. Finally $\mathcal{B}$ returns $\Sigma$ to $\mathcal{A}$.

(e) Proxy signing queries of $\mathit{SK}^*_{i-1}$, $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$: $\mathcal{B}$ makes the signing query $\mathcal{SQ}$ with input $01 \,\|\, m_i$ and is returned the signature $\Sigma$. Finally $\mathcal{B}$ returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma = \Sigma)$ to $\mathcal{A}$.

(f) Leakage queries, $f_i$: $\mathcal{A}$ may make a query $f_i$ for leakage information after each delegation protocol, ordinary signing, or proxy signing query. To answer it, $\mathcal{B}$ makes the same query to $\mathcal{LQ}$ and is returned valid leakage information $\Lambda_i$, or $\perp$ if $f_i$ is illegal. Finally $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. In the construction of the scheme $\mathsf{SIG}^*$, besides the $\mathsf{Sign}^*$ algorithm there are two further algorithms that use the signing or proxy signing key: $\mathsf{Del}^*$ and $\mathsf{PSign}^*$. However, they are in fact also the signing algorithm, just with a differently tagged input, so the leakage information answered by $\mathcal{B}$ (from $\mathcal{LQ}$) is indistinguishable from what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG}^*,\mathcal{A}}$.

(iii) Finally, according to the assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $\mathit{PK}^*$ with respect to the scheme $\mathsf{SIG}^*$. It must be one of the following cases. We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme $\mathsf{SIG}$.

(1) Ordinary signature of $\mathit{PK}^*$, $(m^*, \Sigma^*)$: if $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$ of $\mathit{PK}^*$, then $\mathcal{B}$ outputs $(11 \,\|\, m^*, \Sigma^*)$.

(2) Proxy signature of $\mathit{PK}^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $\mathit{PK}^*$ is the last entry in $\mathbf{PK}$: if $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ of $\mathit{PK}^*$, $\mathcal{B}$ outputs $(01 \,\|\, m^*, \Sigma^*)$.

(3) Proxy signature on behalf of $\mathit{PK}^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $\mathit{PK}^*$ is the $n$th entry in the list $\mathbf{PK}$: if $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ on behalf of $\mathit{PK}^*$, then $\mathcal{B}$ outputs $(00 \,\|\, \mathit{PK}_{n+1} \,\|\, n+1 \,\|\, W_n, \mathrm{cert}_{n+1})$.

Analysis of $\mathcal{B}$. It is clear that the view of $\mathcal{A}$ answered by $\mathcal{B}$ in the above experiment is identical to what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG}^*,\mathcal{A}}$. We now show that any valid output of the adversary $\mathcal{A}$ can be translated into a valid forgery with respect to the FKPR scheme $\mathsf{SIG}$.

(1) If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$, then $1 \leftarrow \mathsf{Vfy}^*(\mathit{PK}^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing queries, so $\mathcal{B}$ has not made the signing query $\mathcal{SQ}$ with input $11 \,\|\, m^*$. Therefore $(11 \,\|\, m^*, \Sigma^*)$ is a valid forgery with respect to the scheme $\mathsf{SIG}$.

(2) If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, then $1 \leftarrow \mathsf{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing queries, so $\mathcal{B}$ has not made the signing query $\mathcal{SQ}$ with input $01 \,\|\, m^*$. Therefore $(01 \,\|\, m^*, P\Sigma^*)$ is a valid forgery with respect to the scheme $\mathsf{SIG}$.

(3) If $\mathcal{A}$ outputs a proxy signature on behalf of $\mathit{PK}^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $\mathit{PK}^*$ is the $n$th entry in $\mathbf{PK}$, then $1 \leftarrow \mathsf{PVfy}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ has not made the delegation-from-$\mathit{SK}^*_{i-1}$ query with input $(\mathit{PK}_{n+1}, W_{n+1})$ (the $(n+1)$th entry in $\mathbf{PK}$), so $\mathcal{B}$ has not made the signing query $\mathcal{SQ}$ with input $00 \,\|\, \mathit{PK}_{n+1} \,\|\, n+1 \,\|\, W_n$. Therefore $(00 \,\|\, \mathit{PK}_{n+1} \,\|\, n+1 \,\|\, W_n, \mathrm{cert}_{n+1})$ is a valid forgery with respect to the scheme $\mathsf{SIG}$.

From the above analysis we can see that the challenger $\mathcal{B}$'s forgery contradicts the security of the FKPR scheme $\mathsf{SIG}$ (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme $\mathsf{SIG}^*$.

5. Conclusion

In this paper we design a leakage-resilient proxy signature scheme, the LRPS. To model the security of such schemes, we adapt the existing models for proxy signature schemes proposed by Schuldt et al. (in PKC 2008) [15] and Boldyreva et al. (in J. Cryptology 2012) [13] to the leakage-resilient cryptography setting and give an extended model, EU-CMLA, for LRPS schemes. Furthermore, we present a concrete construction based on Faust et al.'s (in TCC 2010) [37] LR signature scheme. This construction is provably secure under the given security model.

Appendices

We now show that the proposed proxy signature scheme $\mathsf{SIG}^*$ of Section 4, which is based on the BPW transformation, can be used to produce a secure full construction (denoted by $\mathsf{SIG}^{**}$) of a proxy signature scheme.

A. Construction

As said before, to guarantee that no information about the user's long-term secret key is leaked if its proxy keys are exposed, it is better to let a proxy generate fresh and independent keys $(\mathit{PK}, \mathit{SK})$ in a delegation, create a certificate for $\mathit{PK}$, and keep $\mathit{SK}$ as the proxy secret key. To record the proxy public keys of the proxies, a separate list $\mathbf{FK}$ is maintained to store them. The construction of the scheme $\mathsf{SIG}^{**} = (\mathsf{Kg}^{**}, \mathsf{Sign}^{**}, \mathsf{Vfy}^{**}, \langle \mathsf{Del}^{**}, \mathsf{PKg}^{**} \rangle, \mathsf{PSign}^{**}, \mathsf{PVfy}^{**})$ is as follows, where the algorithms $\mathsf{Kg}^{**}$, $\mathsf{Sign}^{**}$, $\mathsf{Vfy}^{**}$ are the same as the algorithms $\mathsf{Kg}^*$, $\mathsf{Sign}^*$, $\mathsf{Vfy}^*$ of the scheme $\mathsf{SIG}^*$, respectively. We should stress that the following construction is based on Schuldt et al.'s [15] idea; their scheme is based on a sequential aggregate signature, whereas ours is based on a tree-based signature, and we focus on the realization of a leakage-resilient proxy signature.

In the scheme $\mathsf{SIG}^*$, the proxy's proxy key is in fact exactly its long-term secret key, and hence when it delegates its own signing right or its proxy signing right to the next proxy, it takes its secret key as input to run the delegation algorithm $\mathsf{Del}^*$. However, when we consider the full construction of the proxy signature scheme, the proxy's secret key and the proxy's proxy key are different and independent: when it delegates its own signing right to a proxy, it takes its secret key as input, and when it delegates its proxy signing right to the next proxy, it takes the proxy key as input. To describe these two cases uniformly, we use $\mathit{sk}$ to denote the input of the $\mathsf{Del}^{**}$ algorithm run by the delegator in the scheme $\mathsf{SIG}^{**}$. For ease of description, we describe the stateful signing algorithm $\mathsf{Sign}^{**}$ here as a nonstateful formalization.

(i) $\mathsf{Del}^{**}(\mathit{sk}, \mathit{PK}_P, \mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, W)$: it is divided into the following two cases, depending on $(\mathbf{PK}, \mathbf{W})$.

(a) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., $\mathit{sk}$ is a long-term secret key), the delegator constructs the lists $\mathbf{PK} = \{\mathit{PK}_D, \mathit{PK}_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(\mathit{sk}, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathrm{cert})$ to the proxy.

(b) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., $\mathit{sk}$ is a proxy key), the delegator constructs the lists $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, \mathit{PK}_P)$ and $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(\mathit{sk}, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, \mathrm{cert})$ to the proxy.


(ii) $\mathsf{PKg}^{**}(\mathit{SK}_P, \mathit{PK}_P, \mathit{PK}_D)$: the proxy first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$, if $0 \leftarrow \mathsf{Vfy}^{**}(\mathit{PK}_{k-1}, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W}, \mathrm{cert}_k)$, it returns $\perp$ and rejects this delegation, where $\mathrm{cert}_k$ denotes the $k$th entry in the list $\mathbf{C}$. Otherwise, it first generates a fresh proxy key pair $(\mathit{PK}'_P, \mathit{SK}'_P) \leftarrow \mathsf{Kg}^{**}(1^k)$ and runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, \mathit{PK}'_P)$. Then it computes $\mathrm{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(\mathit{SK}_P, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W})$. Finally, it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, \mathit{PK}_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, sets $\mathit{PSK} = (\mathbf{FK}, \mathrm{cert}, \mathit{SK}'_P)$, and outputs the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, \mathit{PSK})$.

(iii) $\mathsf{PSign}^{**}(\mathbf{PK}, \mathbf{W}, \mathbf{C}, \mathit{PSK}, m)$: $\Sigma \xleftarrow{\$} \mathsf{Sign}^{**}(\mathit{SK}'_P, 101 \,\|\, m)$; output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, P\Sigma = \Sigma)$.

(iv) $\mathsf{PVfy}^{**}(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, m, P\Sigma)$: $V$ first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$, it runs $\mathsf{Vfy}^{**}(\mathit{PK}_{k-1}, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W}, \mathrm{cert}_k)$ or $\mathsf{Vfy}^{**}(\mathit{PK}'_{k-1}, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W}, \mathrm{cert}_k)$, depending on whether the current certificate was generated by $\mathsf{Del}^{**}$ or $\mathsf{PKg}^{**}$, respectively. If all the verifications pass, then it returns $\mathsf{Vfy}^{**}(\mathit{PK}'_P, 101 \,\|\, m, P\Sigma)$.
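The full construction of Appendix A, as an added example that is not code from the paper or its authors: a Go implementation of the delegation chain (Del**, PKg**, PSign**, PVfy**) with the tag-separated inputs 100‖PK‖FK‖W and 101‖m that the reductions in Section 4.2 and Appendix B rely on, showing per hop which key each certificate must verify under, that a tampered warrant is rejected, and that the proxy's long-term key never yields an acceptable proxy signature. Assumptions: ed25519 stands in for the FKPR-based Sign** (it reproduces the structure only, not the leakage resilience), fmt's %q quoting stands in for the paper's ‖ concatenation, the two-certificates-per-hop layout of C, and all keys, warrants and the message are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Tags "100"/"101" follow Appendix A; ed25519 as Sign** and the %q encoding are assumptions.
var tagCert, tagProxy = []byte("100"), []byte("101")
// Chain is the public transcript (PK, FK, W, C): long-term keys PK_D, PK_P1, ...; fresh proxy
// keys, one per completed hop; warrants; and two certificates per hop (Del**, then PKg**).
type Chain struct{ PK, FK, W, C [][]byte }
// encode is tag‖lists. %q prints Go-quoted strings, so the encoding is
// unambiguous and one (PK, FK, W) cannot be re-split into another.
func encode(tag []byte, lists ...[][]byte) []byte {
	return []byte(fmt.Sprintf("%s%q", tag, lists))
}
// push is the paper's push(list, x); it copies so chains never alias.
func push(l [][]byte, x []byte) [][]byte {
	return append(append(make([][]byte, 0, len(l)+1), l...), x)
}

// del is Del**: sk is the long-term key on the first hop (prev == nil) and
// the delegator's own fresh proxy key when it redelegates.
func del(sk ed25519.PrivateKey, pkD, pkP, warrant []byte, prev *Chain) Chain {
	c := Chain{PK: [][]byte{pkD}}
	if prev != nil {
		c = *prev
	}
	c.PK, c.W = push(c.PK, pkP), push(c.W, warrant)
	c.C = push(c.C, ed25519.Sign(sk, encode(tagCert, c.PK, c.FK, c.W)))
	return c
}

// pkg is PKg**: check all certificates so far, generate a fresh key pair,
// certify its public key with the long-term key skP, and return SK'_P.
func pkg(skP ed25519.PrivateKey, c Chain) (Chain, ed25519.PrivateKey, error) {
	if err := verifyChain(c); err != nil {
		return Chain{}, nil, err
	}
	pkF, skF, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Chain{}, nil, err
	}
	c.FK = push(c.FK, pkF)
	c.C = push(c.C, ed25519.Sign(skP, encode(tagCert, c.PK, c.FK, c.W)))
	return c, skF, nil
}

// verifyChain re-derives what certificate idx (hop k = idx/2) signed and checks
// it under the key PVfy** prescribes: a Del** certificate under PK_D (k = 0) or
// the previous hop's fresh key FK[k-1]; a PKg** certificate under PK[k+1].
func verifyChain(c Chain) error {
	for idx, cert := range c.C {
		k, nFK := idx/2, idx/2+idx%2 // nFK: fresh keys present at signing time
		if len(c.PK) < k+2 || len(c.W) < k+1 || len(c.FK) < nFK {
			return fmt.Errorf("certificate %d has no matching chain entries", idx)
		}
		signer := c.PK[k+1]
		if idx%2 == 0 {
			signer = append([][]byte{c.PK[0]}, c.FK...)[k]
		}
		msg := encode(tagCert, c.PK[:k+2], c.FK[:nFK], c.W[:k+1])
		if len(signer) != ed25519.PublicKeySize || !ed25519.Verify(signer, msg, cert) {
			return fmt.Errorf("certificate %d does not verify", idx)
		}
	}
	return nil
}

// pvfy is PVfy**: every hop complete, then the signature under the last fresh
// key. Whether m lies within the warrants' scope is policy outside this code.
func pvfy(c Chain, m, sig []byte) bool {
	if len(c.C) == 0 || len(c.C) != 2*len(c.FK) || verifyChain(c) != nil {
		return false
	}
	return ed25519.Verify(c.FK[len(c.FK)-1], encode(tagProxy, [][]byte{m}), sig)
}

// demo runs D -> P1 -> P2 on constructed keys: honest proxy signature accepted,
// tampered warrant rejected, signature under P2's long-term key rejected.
func demo() (honest, tampered, wrongKey bool) {
	pkD, skD, _ := ed25519.GenerateKey(rand.Reader)
	pkP1, skP1, _ := ed25519.GenerateKey(rand.Reader)
	pkP2, skP2, _ := ed25519.GenerateKey(rand.Reader)
	c1, skF1, err := pkg(skP1, del(skD, pkD, pkP1, []byte("W1: purchase orders"), nil))
	if err != nil {
		panic(err)
	}
	c2, skF2, err := pkg(skP2, del(skF1, nil, pkP2, []byte("W2: orders below 100 EUR"), &c1))
	if err != nil {
		panic(err)
	}
	m := []byte("order #42 (constructed sample)")
	sig := ed25519.Sign(skF2, encode(tagProxy, [][]byte{m})) // PSign**
	bad := Chain{c2.PK, c2.FK, push(c2.W[:1], []byte("W2: unlimited")), c2.C}
	return pvfy(c2, m, sig), !pvfy(bad, m, sig), !pvfy(c2, m, ed25519.Sign(skP2, encode(tagProxy, [][]byte{m})))
}
```

Exposing skF2 reveals nothing about skP2 or skD here because the fresh key is generated independently, which is exactly the separation the full construction adds over SIG*.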

B. Security

We now analyze the security of the scheme $\mathsf{SIG}^{**}$. This proof is roughly analogous to the proof for the scheme $\mathsf{SIG}^*$. However, because the proxy key is independent of the long-term secret key, we have to permit more queries to the adversary, such as the redelegation of a user's proxy key. Here we adapt Schuldt et al.'s [15] security model EU-CMA-PKE, which is the strongest notion for proxy signature schemes (cf. Section 4 of [15] for a detailed description), to the leakage-resilient cryptography setting: EU-CMLA-PKE. In the presence of leakage, we should consider which secret can be taken as input to the leakage function: the long-term secret key, the proxy key, or both. Our answer is both.

The detailed analysis is as follows.

Theorem B.1. The proxy signature scheme $\mathsf{SIG}^{**}$ is EU-CMLA-PKE secure based on the security of the leakage-resilient FKPR signature scheme $\mathsf{SIG}$.

We show that if there exists an EU-CMLA-PKE adversary $\mathcal{A}$ that can break the security of the scheme $\mathsf{SIG}^{**}$, then it can be used to construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme $\mathsf{SIG}$.

(I) Initially, $\mathcal{B}$ is given a challenge public key $\mathit{PK}'$ and can adaptively make signing queries ($\mathcal{SQ}$) and leakage queries ($\mathcal{LQ}$) in the experiment $\mathrm{Exp}^{\text{eu-cmla}}_{\mathsf{SIG},\mathcal{B}}$. $\mathcal{B}$ first chooses a random bit $c \leftarrow \{0, 1\}$. If $c = 0$, $\mathcal{B}$ sets $\mathit{PK}^* = \mathit{PK}'$ and $\mathit{SK}^* = 0$. Otherwise, $\mathcal{B}$ generates a fresh key pair $(\mathit{PK}^*, \mathit{SK}^*) \leftarrow \mathsf{Kg}^{**}$ and chooses a random $i^* \leftarrow \{1, \ldots, q_d\}$ (where $q_d$ is the number of queries $\mathcal{A}$ makes to the delegation oracle; $\mathcal{B}$ will use $\mathit{PK}'$ instead of a fresh key in the $i^*$th delegation query by $\mathcal{A}$). In both cases $\mathcal{B}$ sends $\mathit{PK}^*$ to $\mathcal{A}$ as the challenge public key of the experiment $\mathrm{Exp}^{\text{eu-cmla-pke}}_{\mathsf{SIG}^{**},\mathcal{A}}$. Then it plays the experiment with $\mathcal{A}$.

(II) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ for the following. When a query by $\mathcal{A}$ needs a signing invocation of $\mathit{SK}'$ corresponding to $\mathit{PK}'$, $\mathcal{B}$ queries its own signing oracle $\mathcal{SQ}$; we omit this implicit step in the following proof. In addition, $\mathcal{B}$ maintains a set of lists $\mathrm{PskList}(*, *)$ which contains all proxy keys generated by $\mathcal{B}$ for the delegation chain with public keys $\mathbf{PK}$ and warrants $\mathbf{W}$.

(i) Delegation to $\mathit{SK}^*$, $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$: if $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, then $\mathcal{B}$ first runs $(\mathit{PK}, \mathit{SK}) \leftarrow \mathsf{Kg}^{**}(1^k)$, $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, \mathit{PK})$, and sets $\mathit{SK}_{\mathrm{prx}} = \mathit{SK}$. If $c = 1$ and this is the $i^*$th delegation query, $\mathcal{B}$ runs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, \mathit{PK}^*)$ and sets $\mathit{SK}_{\mathrm{prx}} = 0$. Then $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(\mathit{SK}_{\mathrm{prx}}, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W})$. Finally, it stores $\mathit{PSK} = (\mathbf{FK}, \mathrm{cert}, \mathit{SK}_{\mathrm{prx}})$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$.

(ii) Delegation from $\mathit{SK}^*$: this query can be divided into the following three cases.

(a) Delegation of $\mathit{SK}^*$, $(\mathit{PK}_P, W)$: $\mathcal{B}$ sets $\mathbf{PK} = \{\mathit{PK}^*, \mathit{PK}_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(\mathit{SK}^*, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W})$ and sets $\mathbf{C} = \{\mathrm{cert}\}$. Finally, it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(b) Redelegation of $\mathit{PSK}$, $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, \mathit{PK}_P, W)$: $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, \mathit{SK}_{\mathrm{prx}})$. Then it runs $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, \mathit{PK}_P)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(\mathit{SK}_{\mathrm{prx}}, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W})$, and sets $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$. Finally, it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(c) Self-delegation of $\mathit{SK}^*$, $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W)$:

(1) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., self-delegation of $\mathit{SK}^*$), $\mathcal{B}$ constructs $\mathbf{PK} = \{\mathit{PK}^*, \mathit{PK}^*\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$, and sets $\mathit{SK}_{\mathrm{sel}} = \mathit{SK}^*$ and $\mathrm{cert}_{\mathrm{sel}} = 0$.

(2) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., delegation of $\mathit{PSK}$), $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, \mathit{SK}_{\mathrm{prx}})$. Then it computes $\mathbf{PK} \leftarrow \mathrm{push}(\mathbf{PK}, \mathit{PK}^*)$, $\mathbf{W} \leftarrow \mathrm{push}(\mathbf{W}, W)$, and sets $\mathit{SK}_{\mathrm{sel}} = \mathit{SK}_{\mathrm{prx}}$ and $\mathrm{cert}_{\mathrm{sel}} = \mathrm{cert}$.

$\mathcal{B}$ then computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(\mathit{SK}_{\mathrm{sel}}, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W})$. If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, $\mathcal{B}$ first runs $(\mathit{PK}, \mathit{SK}) \leftarrow \mathsf{Kg}^{**}(1^k)$ and constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, \mathit{PK})$. Otherwise, $\mathcal{B}$ constructs $\mathbf{FK} \leftarrow \mathrm{push}(\mathbf{FK}, \mathit{PK}^*)$ and sets $\mathit{SK} = 0$. Finally, $\mathcal{B}$ computes $\mathrm{cert} \leftarrow \mathsf{Sign}^{**}(\mathit{SK}_{\mathrm{sel}}, 100 \,\|\, \mathbf{PK} \,\|\, \mathbf{FK} \,\|\, \mathbf{W})$ and $\mathbf{C} \leftarrow \mathrm{push}(\mathbf{C}, \mathrm{cert})$, then stores the proxy key $\mathit{PSK} = (\mathbf{FK}, \mathrm{cert}, \mathit{SK})$ in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and sends the transcript $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(iii) Ordinary signing queries of $\mathit{SK}^*$, $m_i$: $\mathcal{B}$ returns $\mathsf{Sign}^{**}(\mathit{SK}^*, 111 \,\|\, m)$.

(iv) Proxy signing queries of $\mathit{SK}^*$, $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$: $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, \mathit{SK}_{\mathrm{prx}})$. Then it computes $P\Sigma \leftarrow \mathsf{PSign}^{**}(\mathit{SK}_{\mathrm{prx}}, 101 \,\|\, m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma))$ to $\mathcal{A}$.

(v) Proxy key exposure queries, $(\mathbf{PK}, \mathbf{W}, j)$: $\mathcal{B}$ retrieves the $j$th proxy key in $\mathrm{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathrm{cert}, \mathit{SK}_{\mathrm{prx}})$. If $\mathit{SK}_{\mathrm{prx}} = 0$, $\mathcal{B}$ aborts. Otherwise $\mathcal{B}$ returns $(\mathbf{FK}, \mathrm{cert}, \mathit{SK}_{\mathrm{prx}})$ to $\mathcal{A}$.

(vi) Leakage queries, $f_i$: $\mathcal{A}$ makes a query $f_i$ for leakage information about the secret key $\mathit{sk}$ (the randomness is also included here) after each delegation protocol, ordinary signing, or proxy signing query. If the secret key used was chosen by $\mathcal{B}$, then $\mathcal{B}$ returns $\Lambda_i = f_i(\mathit{sk})$. Otherwise $\mathcal{B}$ makes the same query to its own leakage oracle $\mathcal{LQ}$ and is returned valid leakage information $\Lambda_i$, or $\perp$ if $f_i$ is illegal. Finally $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. The secret state for $\mathcal{A}$ can be divided into two kinds: the first is that chosen by $\mathcal{B}$ in the experiment, and the second is that unknown to $\mathcal{B}$, that is, $\mathit{SK}'$ and the randomness used in the signing oracle $\mathcal{SQ}$. For the first kind, $\mathcal{B}$ can directly answer $\mathcal{A}$ by itself. For the second kind, as in the proof of Theorem 1, $\mathcal{B}$ can make the same query to its leakage oracle $\mathcal{LQ}$.

(III) Finally, according to the assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $\mathit{PK}^*$ (with respect to the scheme $\mathsf{SIG}^{**}$). It must be one of the following cases:

(1) an ordinary signature $(m^*, \Sigma^*)$;

(2) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;

(3) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;

(4) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was generated by $\mathcal{B}$;

(5) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was generated by $\mathcal{B}$.

We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme $\mathsf{SIG}$. If $\mathcal{B}$ has flipped $c = 0$, which means that $\mathit{PK}^* = \mathit{PK}'$, then the first three cases correspond to forgeries where $\mathcal{A}$ has forged a signature under the secret key $\mathit{SK}'$, and hence $\mathcal{B}$ can translate them into a forged signature for the scheme $\mathsf{SIG}$, analogously to the proof of Theorem 1. Otherwise, if $\mathcal{A}$ outputs a forgery that belongs to the last two cases, $\mathcal{B}$ aborts.

If $c = 1$, which means that $\mathcal{B}$ has set $\mathit{PK}'$ as the $i^*$th fresh proxy public key, then if $\mathcal{A}$ outputs a forgery that belongs to the first three cases, $\mathcal{B}$ aborts. Otherwise, the last two cases indicate that $\mathcal{A}$ has forged a signature under one of the keys generated by $\mathcal{B}$ in a delegation, but for which $\mathcal{A}$ has not received the corresponding secret key. In those two cases $P\Sigma^*$ is a valid signature under a key $\mathit{PK}$ generated by $\mathcal{B}$ in some delegation query; that is, $\mathit{PK}$ is the last key in the list $\mathbf{FK}$ of a proxy key $(\mathbf{FK}, \mathrm{cert}, \mathit{SK}_{\mathrm{prx}})$ in some proxy key list $\mathrm{PskList}(*, *)$. Therefore, with probability $1/q_d$, $\mathcal{B}$ has chosen the right $i^*$ such that $\mathit{PK} = \mathit{PK}'$. In this case $\mathcal{B}$ outputs $P\Sigma^*$ as a valid forgery under the key $\mathit{PK}'$ for the underlying signature scheme $\mathsf{SIG}$.

From the above analysis we can see that the challenger $\mathcal{B}$'s forgery, produced with nonnegligible probability, contradicts the security of the FKPR scheme $\mathsf{SIG}$ (cf. Theorem 1 of [37]), which proves the security of the LRPS scheme $\mathsf{SIG}^{**}$.

Disclosure

An abstract of this paper has been presented in the proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, pp. 495–502, 2013 [42].

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 60970139), the Strategic Priority Program of Chinese Academy of Sciences (Grant no. XDA06010702), and the IIE's Cryptography Research Project. The authors would like to thank the anonymous reviewers for their helpful comments and suggestions.

References

[1] W. Farmer, J. Gutmann, and V. Swarup, "Security for mobile agents: authentication and state appraisal," in Computer Security—ESORICS 96: 4th European Symposium on Research in Computer Security, Rome, Italy, September 25–27, 1996, Proceedings, vol. 1146 of Lecture Notes in Computer Science, pp. 118–130, Springer, Berlin, Germany, 1996.

[2] P. Kotzanikolaous, G. Katsirelos, and V. Chrissikopoulos, "Mobile agents for secure electronic transactions," in Recent Advances in Signal Processing and Communications, pp. 363–368, World Scientific and Engineering Society Press, 1999.

[3] B. Lee, H. Kim, and K. Kim, "Secure mobile agent using strong non-designated proxy signature," in Information Security and Privacy: Proceedings of the 6th Australasian Conference (ACISP '01), Sydney, Australia, July 11–13, 2001, vol. 2119 of Lecture Notes in Computer Science, pp. 474–486, Springer, Berlin, Germany, 2001.

[4] B. Lee, H. Kim, and K. Kim, "Strong proxy signature and its applications," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '01), pp. 603–608, 2001.

[5] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, vol. 79, pp. 1338–1353, 1996.

[6] G. Allee, S. Pierre, R. H. Glitho, and A. El Rhazi, "An improved itinerary recording protocol for securing distributed architectures based on mobile agents," Mobile Information Systems, vol. 1, no. 2, pp. 129–147, 2005.

[7] R. Aversa, B. Di Martino, N. Mazzocca, and S. Venticinque, "A skeleton based programming paradigm for mobile multi-agents on distributed systems and its realization within the MAGDA mobile agents platform," Mobile Information Systems, vol. 4, no. 2, pp. 131–146, 2008.

[8] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[9] Y. Wang, D. S. Wong, and H. Wang, "Employ a mobile agent for making a payment," in Mobile Information Systems, vol. 4, pp. 51–68, IOS Press, 2008.

[10] S. Parvin, F. K. Hussain, and S. Ali, "A methodology to counter DoS attacks in mobile IP communication," Mobile Information Systems, vol. 8, no. 2, pp. 127–152, 2012.

[11] H. U. Park and I. Y. Lee, "A digital nominative proxy signature scheme for mobile communication," in Information and Communications Security: Third International Conference, ICICS 2001, Xian, China, November 13–16, 2001, Proceedings, vol. 2229 of Lecture Notes in Computer Science, pp. 451–455, Springer, Berlin, Germany, 2001.

[12] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," in Proceedings of the 1st International Conference on Information and Communication Security (ICICS '97), vol. 1334 of Lecture Notes in Computer Science, pp. 223–232, Springer, 1997.

[13] A. Boldyreva, A. Palacio, and B. Warinschi, "Secure proxy signature schemes for delegation of signing rights," Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.

[14] T. Malkin, S. Obana, and M. Yung, "The hierarchy of key evolving signatures and a characterization of proxy signatures," in Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 306–322, Springer, Berlin, Germany, 2004.

[15] J. C. N. Schuldt, K. Matsuura, and K. G. Paterson, "Proxy signatures secure against key exposure," in Public Key Cryptography—PKC 2008: 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008, Proceedings, vol. 4939 of Lecture Notes in Computer Science, pp. 141–161, Springer, Berlin, Germany, 2008.

[16] H. Wang and J. Pieprzyk, "Efficient one-time proxy signatures," in Advances in Cryptology—ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 507–522, Springer, Berlin, Germany, 2003.

[17] F. Zhang, R. Safavi-Naini, and C. Y. Lin, "New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairings," Tech. Rep. 2003/104, Cryptology ePrint Archive, 2003, http://eprint.iacr.org.

[18] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[19] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures for delegating signing operation," in Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), pp. 48–56, ACM, March 1996.

[20] J. Y. Lee, J. H. Cheon, and S. Kim, "An analysis of proxy signatures: is a secure channel necessary?" in Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco, Calif, USA, April 2003, Lecture Notes in Computer Science, pp. 68–79, Springer, 2003.

[21] Y. Dodis, J. Katz, S. Xu, and M. Yung, "Strong key-insulated signature schemes," in Public Key Cryptography—PKC 2003, vol. 2567 of Lecture Notes in Computer Science, pp. 130–144, Springer, Berlin, Germany, 2002.

[22] D. Brumley and D. Boneh, "Remote timing attacks are practical," Computer Networks, vol. 48, no. 5, pp. 701–716, 2005.

[23] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology—CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer, Berlin, Germany, 1999.

[24] E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Advances in Cryptology—CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 221–240, Springer, Berlin, Germany, 2008.

[25] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology—EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pp. 37–51, Springer, Berlin, Germany, 1997.

[26] S. Micali and L. Reyzin, "Physically observable cryptography," in Theory of Cryptography: Proceedings of the 1st Theory of Cryptography Conference (TCC '04), Cambridge, MA, USA, February 19–21, 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 278–296, Springer, Berlin, Germany, 2004.

[27] Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, "Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage," in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS '10), pp. 501–510, October 2010.

[28] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, "Cryptography against continuous memory attacks," in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 511–520, 2010.

[29] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology—EUROCRYPT '09, vol. 5479 of Lecture Notes in Computer Science, pp. 462–482, Springer, Berlin, Germany, 2009.

[30] S. Garg, A. Jain, and A. Sahai, "Leakage-resilient zero knowledge," in Advances in Cryptology—CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 297–315, Springer, Berlin, Germany, 2011.

[31] E. Kiltz and K. Pietrzak, "Leakage resilient ElGamal encryption," in Advances in Cryptology—ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 595–612, Springer, Berlin, Germany, 2010.

[32] M. Naor and G. Segev, "Public-key cryptosystems resilient to key leakage," in Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 18–35, Springer, Berlin, Germany, 2009.

[33] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, "Practical leakage-resilient identity-based encryption from simple assumptions," in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 152–161, ACM, October 2010.

[34] T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, "Identity-based encryption resilient to continual auxiliary leakage," in Advances in Cryptology—EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 117–134, Springer, Berlin, Germany, 2012.

[35] J. Alwen, Y. Dodis, and D. Wichs, "Leakage-resilient public-key cryptography in the bounded-retrieval model," in Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 36–54, Springer, 2009.

[36] E. Boyle, G. Segev, and D. Wichs, "Fully leakage-resilient signatures," in Advances in Cryptology—EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 89–108, Springer, Berlin, Germany, 2011.

[37] S. Faust, E. Kiltz, K. Pietrzak, and G. N. Rothblum, "Leakage-resilient signatures," in Theory of Cryptography: 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010, Proceedings, vol. 5978 of Lecture Notes in Computer Science, pp. 343–360, Springer, Berlin, Germany, 2010.

[38] J. Katz and V. Vaikuntanathan, "Signature schemes with bounded leakage resilience," in Advances in Cryptology—ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 703–720, Springer, Berlin, Germany, 2009.

[39] T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung, "Signatures resilient to continual leakage on memory and computation," in Proceedings of the 8th Theory of Cryptography Conference (TCC '11), vol. 6597 of Lecture Notes in Computer Science, pp. 89–106, Springer, Providence, RI, USA, 2011.

[40] F. Tang, H. Li, Q. Niu, and B. Liang, "Efficient leakage-resilient signature schemes in the generic bilinear group model," Cryptology ePrint Archive, Report 2013/785, 2013, http://eprint.iacr.org.

[41] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Advances in Cryptology—EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 416–432, Springer, Berlin, Germany, 2003.

[42] F. Tang, H. Li, Q. Niu, and B. Liang, "Leakage-resilient proxy signatures," in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 495–502, Xi'an, China, September 2013.


8 Mobile Information Systems

If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$ of $\mathsf{PK}^*$, then $\mathcal{B}$ outputs $(11\|m^*, \Sigma^*)$.

(2) Proxy signature of $\mathsf{PK}^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $\mathsf{PK}^*$ is the last entry in $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ of $\mathsf{PK}^*$, $\mathcal{B}$ outputs $(01\|m^*, \Sigma^*)$.

(3) Proxy signature on behalf of $\mathsf{PK}^*$: $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $\mathsf{PK}^*$ is the $n$th entry in the list $\mathbf{PK}$. If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$ on behalf of $\mathsf{PK}^*$, then $\mathcal{B}$ outputs $(00\|\mathsf{PK}_{n+1}\|n+1\|W_n, \mathsf{cert}_{n+1})$.

Analysis of $\mathcal{B}$. It is clear that the view of $\mathcal{A}$, which is answered by $\mathcal{B}$ in the above experiment, is identical to what $\mathcal{A}$ obtains in the real interaction in the experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cmla}}_{\mathsf{SIG}^*,\mathcal{A}}$. We now show that any valid output of the adversary $\mathcal{A}$ can be translated into a valid forgery with respect to the FKPR scheme $\mathsf{SIG}$.

(1) If $\mathcal{A}$ outputs an ordinary signature $(m^*, \Sigma^*)$: $1 \leftarrow \mathsf{Vrf}^*(\mathsf{PK}^*, m^*, \Sigma^*)$ and $m^*$ has not been submitted to the ordinary signing queries, so $\mathcal{B}$ does not make the signing query $\mathsf{SQ}$ with input $11\|m^*$. Therefore $(11\|m^*, \Sigma^*)$ is a valid forgery with respect to the scheme $\mathsf{SIG}$.

(2) If $\mathcal{A}$ outputs a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$: $1 \leftarrow \mathsf{PVrf}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*)$ has not been submitted to the proxy signing queries, so $\mathcal{B}$ does not make the signing query $\mathsf{SQ}$ with input $01\|m^*$. Therefore $(01\|m^*, P\Sigma^*)$ is a valid forgery with respect to the scheme $\mathsf{SIG}$.

(3) If $\mathcal{A}$ outputs a proxy signature on behalf of $\mathsf{PK}^*$, $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, P\Sigma^*))$, where $\mathsf{PK}^*$ is the $n$th entry in $\mathbf{PK}$: $1 \leftarrow \mathsf{PVrf}^*(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m^*, P\Sigma^*)$ and $\mathcal{A}$ does not make the query of delegation from $\mathsf{SK}^*_{i-1}$ with input $(\mathsf{PK}_{n+1}, W_{n+1})$ (the $(n+1)$th entry in $\mathbf{PK}$), so $\mathcal{B}$ does not make the signing query $\mathsf{SQ}$ with input $00\|\mathsf{PK}_{n+1}\|n+1\|W_n$. Therefore $(00\|\mathsf{PK}_{n+1}\|n+1\|W_n, \mathsf{cert}_{n+1})$ is a valid forgery with respect to the scheme $\mathsf{SIG}$.

From the above analysis we can see that the forgery output by the challenger $\mathcal{B}$ contradicts the security of the FKPR scheme $\mathsf{SIG}$ (cf. Theorem 1 of [37]), which thus proves the security of the LRPS scheme $\mathsf{SIG}^*$.

5. Conclusion

In this paper we design a leakage-resilient proxy signature scheme, the LRPS. To model the security of such schemes, we adapt the existing models of proxy signature schemes proposed by Schuldt et al. (in PKC 2008) [15] and Boldyreva et al. (in Jour. Crypto. 2012) [13] to the leakage-resilient cryptography setting and give an extended model, EU-CMLA, for the LRPS schemes. Furthermore, we present a concrete construction based on Faust et al.'s (in TCC 2010) [37] LR signature scheme. This construction is provably secure under the given security model.

Appendices

Now we show that the proxy signature scheme $\mathsf{SIG}^*$ proposed in Section 4, which is based on the BPW transformation, can be used to produce a secure full construction (denoted by $\mathsf{SIG}^{**}$) of the proxy signature scheme.

A. Construction

As said before, to guarantee that no information about the user's long-term secret key is leaked if its proxy keys are exposed, we had better let a proxy generate fresh and independent keys $(\mathsf{PK}, \mathsf{SK})$ in a delegation, create a certificate for $\mathsf{PK}$, and keep $\mathsf{SK}$ as the proxy secret key. To record the proxy public keys of the proxies, a separate list $\mathbf{FK}$ is maintained to store them. The construction of the scheme $\mathsf{SIG}^{**} = (\mathsf{Kg}^{**}, \mathsf{Sign}^{**}, \mathsf{Vfy}^{**}, \langle \mathsf{Del}^{**}, \mathsf{PKg}^{**} \rangle, \mathsf{PSign}^{**}, \mathsf{PVfy}^{**})$ is as follows, where the algorithms $\mathsf{Kg}^{**}, \mathsf{Sign}^{**}, \mathsf{Vfy}^{**}$ are the same as the algorithms $\mathsf{Kg}^*, \mathsf{Sign}^*, \mathsf{Vfy}^*$ of the scheme $\mathsf{SIG}^*$, respectively. Here we should stress that the following construction is based on Schuldt et al.'s [15] idea; their scheme is based on a sequential aggregate signature, whereas ours is based on a tree-based signature, and we focus on the realization of the leakage-resilient proxy signature.

In the scheme $\mathsf{SIG}^*$, the proxy's proxy key is in fact exactly its long-term secret key, and hence when it delegates its own signing right or its proxy signing right to the next proxy, it takes as input its secret key to run the delegation algorithm $\mathsf{Del}^*$. However, when we consider the full construction of the proxy signature scheme, the proxy's secret key and the proxy's proxy key are different and independent, and thus when it delegates its own signing right to a proxy, it takes as input its secret key, whereas when it delegates its proxy signing right to the next proxy, it takes as input the proxy key. To describe these two cases uniformly, we use $sk$ to denote the input to the $\mathsf{Del}^{**}$ algorithm run by the delegator in the scheme $\mathsf{SIG}^{**}$. For ease of description, here we describe the stateful signing algorithm $\mathsf{Sign}^{**}$ as a nonstateful formalization.

(i) $\mathsf{Del}^{**}(sk, \mathsf{PK}_P, \mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, W)$: it is divided into the following two cases depending on $(\mathbf{PK}, \mathbf{W})$.

(a) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., $sk$ is a long-term secret key), the delegator constructs the lists $\mathbf{PK} = \{\mathsf{PK}_D, \mathsf{PK}_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathsf{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(sk, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathsf{cert})$ to the proxy.

(b) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., $sk$ is a proxy key), the delegator constructs the lists $\mathbf{PK} \leftarrow \mathsf{push}(\mathbf{PK}, \mathsf{PK}_P)$ and $\mathbf{W} \leftarrow \mathsf{push}(\mathbf{W}, W)$. Then it computes $\mathsf{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(sk, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sends the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, \mathsf{cert})$ to the proxy.

(ii) $\mathsf{PKg}^{**}(\mathsf{SK}_P, \mathsf{PK}_P, \mathsf{PK}_D)$: the proxy first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$, if $0 \leftarrow \mathsf{Vfy}^{**}(\mathsf{PK}_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathsf{cert}_k)$, it returns $\bot$ and rejects this delegation, where $\mathsf{cert}_k$ denotes the $k$th entry in the list $\mathbf{C}$. Otherwise, it first generates a fresh proxy key pair $(\mathsf{PK}'_P, \mathsf{SK}'_P) \leftarrow \mathsf{Kg}^{**}(1^k)$ and runs $\mathbf{FK} \leftarrow \mathsf{push}(\mathbf{FK}, \mathsf{PK}'_P)$. Then it computes $\mathsf{cert} \xleftarrow{\$} \mathsf{Sign}^{**}(\mathsf{SK}_P, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. Finally, it runs $\mathbf{PK} \leftarrow \mathsf{push}(\mathbf{PK}, \mathsf{PK}_P)$, $\mathbf{W} \leftarrow \mathsf{push}(\mathbf{W}, W)$, $\mathbf{C} \leftarrow \mathsf{push}(\mathbf{C}, \mathsf{cert})$, sets $\mathsf{PSK} = (\mathbf{FK}, \mathsf{cert}, \mathsf{SK}'_P)$, and outputs the delegation information $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, \mathsf{PSK})$.

(iii) $\mathsf{PSign}^{**}(\mathbf{PK}, \mathbf{W}, \mathbf{C}, \mathsf{PSK}, m)$: compute $\Sigma \xleftarrow{\$} \mathsf{Sign}^{**}(\mathsf{SK}'_P, 101\|m)$ and output the proxy signature $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, P\Sigma = \Sigma)$.

(iv) $\mathsf{PVfy}^{**}(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C}, m, P\Sigma)$: the verifier $\mathcal{V}$ first checks the validity of the delegation certificates: for $k = 1, \ldots, |\mathbf{C}|$, it runs $\mathsf{Vfy}^{**}(\mathsf{PK}_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathsf{cert}_k)$ or $\mathsf{Vfy}^{**}(\mathsf{PK}'_{k-1}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W}, \mathsf{cert}_k)$, depending on whether the current certificate was generated by $\mathsf{Del}^{**}$ or $\mathsf{PKg}^{**}$, respectively. If all the verifications pass, then it returns $\mathsf{Vfy}^{**}(\mathsf{PK}'_P, 101\|m, P\Sigma)$.
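The full construction above, as an added example that is not the paper's code: ed25519 stands in for the leakage-resilient FKPR scheme (so the example exercises the delegation structure and the tag-based domain separation of the messages, not leakage resilience), a length-prefixed encoding stands in for the concatenation $\|$, and each hop appends its $\mathsf{Del}^{**}$ certificate and then its $\mathsf{PKg}^{**}$ certificate to $\mathbf{C}$ exactly once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Tags of the appendix construction: delegation certificate, proxy signature, ordinary signature.
const tagCert, tagProxy, tagSign = "100", "101", "111"

// Chain carries the lists PK (long-term keys), FK (fresh proxy keys), W (warrants) and C (certificates).
type Chain struct{ PK, FK, W, C [][]byte }

// encode realises tag||list||... as an unambiguous length-prefixed byte string (this example's choice; the paper writes only ||).
func encode(tag string, lists ...[][]byte) []byte {
	b := []byte(tag)
	for _, l := range lists {
		b = binary.BigEndian.AppendUint32(b, uint32(len(l)))
		for _, x := range l {
			b = append(binary.BigEndian.AppendUint32(b, uint32(len(x))), x...)
		}
	}
	return b
}

// Del implements Del**: sk is the delegator's long-term key on the first hop (case (a)) or its proxy key on later hops (case (b)).
func Del(sk ed25519.PrivateKey, pkD, pkP ed25519.PublicKey, ch *Chain, w []byte) {
	if len(ch.PK) == 0 {
		ch.PK, ch.W = [][]byte{pkD, pkP}, [][]byte{w}
	} else {
		ch.PK, ch.W = append(ch.PK, pkP), append(ch.W, w)
	}
	ch.C = append(ch.C, ed25519.Sign(sk, encode(tagCert, ch.PK, ch.FK, ch.W)))
}

// verifyChain checks each certificate against the lists as they stood when it was signed: hop h contributes C[2h] from
// Del** (verified under PK_1 for h = 0, else under the delegator's fresh key FK_h) and C[2h+1] from PKg** (under PK_{h+2}).
func verifyChain(ch *Chain) bool {
	for k, cert := range ch.C {
		h, nfk := k/2, k/2+k%2 // hop index; number of fresh keys present when C[k] was signed
		if h+2 > len(ch.PK) || h+1 > len(ch.W) || nfk > len(ch.FK) {
			return false
		}
		signer := ch.PK[0]
		if k%2 == 1 {
			signer = ch.PK[h+1]
		} else if h > 0 {
			signer = ch.FK[h-1]
		}
		if !ed25519.Verify(signer, encode(tagCert, ch.PK[:h+2], ch.FK[:nfk], ch.W[:h+1]), cert) {
			return false
		}
	}
	return len(ch.C) > 0
}

// PKg implements PKg**: verify the chain so far, generate a fresh key pair, push PK'_P onto FK and certify the lists
// under the long-term key SK_P. Only SK'_P is kept as the proxy secret key; ok is false if the delegation is rejected.
func PKg(skP ed25519.PrivateKey, ch *Chain) (skFresh ed25519.PrivateKey, ok bool) {
	if !verifyChain(ch) || len(ch.C) != 2*len(ch.FK)+1 {
		return nil, false
	}
	pkFresh, skFresh, _ := ed25519.GenerateKey(rand.Reader)
	ch.FK = append(ch.FK, pkFresh)
	ch.C = append(ch.C, ed25519.Sign(skP, encode(tagCert, ch.PK, ch.FK, ch.W)))
	return skFresh, true
}

// PSign/PVfy implement PSign**/PVfy** (tag 101); Vfy implements Vfy** for ordinary signatures (tag 111).
func PSign(sk ed25519.PrivateKey, m []byte) []byte { return ed25519.Sign(sk, encode(tagProxy, [][]byte{m})) }
func Vfy(pk ed25519.PublicKey, m, s []byte) bool  { return ed25519.Verify(pk, encode(tagSign, [][]byte{m}), s) }
func PVfy(ch *Chain, m, psig []byte) bool {
	return verifyChain(ch) && len(ch.C) == 2*len(ch.FK) &&
		ed25519.Verify(ch.FK[len(ch.FK)-1], encode(tagProxy, [][]byte{m}), psig)
}

// Demo runs D -> P1 -> P2 with constructed warrants and reports whether the proxy signature verifies, whether the tag
// keeps it from passing as an ordinary signature under the same key, and whether a warrant altered afterwards is detected.
func Demo() (proxyOK, tagSeparated, tamperDetected bool) {
	pkD, skD, _ := ed25519.GenerateKey(rand.Reader)
	pk1, sk1, _ := ed25519.GenerateKey(rand.Reader)
	pk2, sk2, _ := ed25519.GenerateKey(rand.Reader)
	ch := &Chain{}
	Del(skD, pkD, pk1, ch, []byte("W1: P1 may order up to 100 units")) // constructed warrant
	psk1, ok := PKg(sk1, ch)
	if !ok {
		return
	}
	Del(psk1, pk1, pk2, ch, []byte("W2: P2 may place the order for P1")) // constructed warrant
	psk2, ok := PKg(sk2, ch)
	if !ok {
		return
	}
	m := []byte("order #42: 60 units")
	psig := PSign(psk2, m)
	proxyOK = PVfy(ch, m, psig)
	tagSeparated = !Vfy(ch.FK[1], m, psig)
	ch.W[1] = []byte("W2: P2 may order anything") // alter a warrant after the certificates were issued
	tamperDetected = !PVfy(ch, m, psig)
	return
}

func main() { fmt.Println(Demo()) }
```

The verifier here fixes which key checks each certificate by its position in $\mathbf{C}$, which is what the "depending on whether the current certificate was generated by $\mathsf{Del}^{**}$ or $\mathsf{PKg}^{**}$" clause of $\mathsf{PVfy}^{**}$ leaves to the implementation.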

B. Security

We now analyze the security of the scheme $\mathsf{SIG}^{**}$. This proof is roughly analogous to the proof for the scheme $\mathsf{SIG}^*$. However, because the proxy key is independent of the long-term secret key, we have to permit more queries to the adversary, such as redelegation of a user's proxy key. Here we adapt Schuldt et al.'s [15] security model EU-CMA-PKE, which is the strongest notion for proxy signature schemes (cf. Section 4 of [15] for a detailed description), to the leakage-resilient cryptography setting, giving EU-CMLA-PKE. In the presence of leakage, we should care about which secret can be taken as input to the leakage function: the long-term secret key, the proxy key, or both. Our answer is both.

The detailed analysis is as follows.

Theorem B.1. The proxy signature scheme $\mathsf{SIG}^{**}$ is EU-CMLA-PKE secure based on the security of the leakage-resilient FKPR signature scheme $\mathsf{SIG}$.

Proof. We show that if there exists an EU-CMLA-PKE adversary $\mathcal{A}$ which can break the security of the scheme $\mathsf{SIG}^{**}$, then it can be used to construct a challenger $\mathcal{B}$ that breaks the security of the FKPR scheme $\mathsf{SIG}$.

(I) Initially, $\mathcal{B}$ is given a challenge public key $\mathsf{PK}'$ and can adaptively make signing queries ($\mathsf{SQ}$) and leakage queries ($\mathsf{LQ}$) in the experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cmla}}_{\mathsf{SIG}^*,\mathcal{B}}$. $\mathcal{B}$ first chooses a random $c \leftarrow \{0, 1\}$. If $c = 0$, $\mathcal{B}$ sets $\mathsf{PK}^* = \mathsf{PK}'$ and $\mathsf{SK}^* = \emptyset$. Otherwise, $\mathcal{B}$ generates a fresh key pair $(\mathsf{PK}^*, \mathsf{SK}^*) \leftarrow \mathsf{Kg}^{**}$ and chooses a random $i^* \leftarrow \{1, \ldots, q_d\}$ (where $q_d$ is the number of queries that $\mathcal{A}$ makes to the delegation oracle; $\mathcal{B}$ will use $\mathsf{PK}'$ instead of a fresh key in the $i^*$th delegation query by $\mathcal{A}$). In both cases, $\mathcal{B}$ sends $\mathsf{PK}^*$ to $\mathcal{A}$ as the challenge public key of the experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cmla\text{-}pke}}_{\mathsf{SIG}^*,\mathcal{A}}$. Then it plays the experiment with $\mathcal{A}$.

(II) $\mathcal{A}$ may adaptively ask $\mathcal{B}$ the following queries. When a query by $\mathcal{A}$ needs a signing invocation of $\mathsf{SK}'$ corresponding to $\mathsf{PK}'$, $\mathcal{B}$ queries its own signing oracle $\mathsf{SQ}$; we omit this implicit step in the following proof. In addition, $\mathcal{B}$ maintains a set of lists $\mathsf{PskList}(\cdot, \cdot)$ which contains all proxy keys generated by $\mathcal{B}$ for the delegation chain with the public keys $\mathbf{PK}$ and warrants $\mathbf{W}$.

(i) Delegation to $\mathsf{SK}^*$: $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$. If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, then $\mathcal{B}$ first runs $(\mathsf{PK}, \mathsf{SK}) \leftarrow \mathsf{Kg}^{**}(1^k)$ and $\mathbf{FK} \leftarrow \mathsf{push}(\mathbf{FK}, \mathsf{PK})$ and sets $\mathsf{SK}_{\mathrm{prx}} = \mathsf{SK}$. If $c = 1$ and this is the $i^*$th delegation query, $\mathcal{B}$ runs $\mathbf{FK} \leftarrow \mathsf{push}(\mathbf{FK}, \mathsf{PK}^*)$ and sets $\mathsf{SK}_{\mathrm{prx}} = \emptyset$. Then $\mathcal{B}$ computes $\mathsf{cert} \leftarrow \mathsf{Sign}^{**}(\mathsf{SK}_{\mathrm{prx}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. Finally, it stores $\mathsf{PSK} = (\mathbf{FK}, \mathsf{cert}, \mathsf{SK}_{\mathrm{prx}})$ in $\mathsf{PskList}(\mathbf{PK}, \mathbf{W})$.

(ii) Delegation from $\mathsf{SK}^*$: this query can be divided into the following three cases.

(a) Delegation of $\mathsf{SK}^*$: $(\mathsf{PK}_P, W)$. $\mathcal{B}$ sets $\mathbf{PK} = \{\mathsf{PK}^*, \mathsf{PK}_P\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$. Then it computes $\mathsf{cert} \leftarrow \mathsf{Sign}^{**}(\mathsf{SK}^*, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and sets $\mathbf{C} = \{\mathsf{cert}\}$. Finally, it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(b) Redelegation of $\mathsf{PSK}$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, \mathsf{PK}_P, W)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathsf{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathsf{cert}, \mathsf{SK}_{\mathrm{prx}})$. Then it runs $\mathbf{PK} \leftarrow \mathsf{push}(\mathbf{PK}, \mathsf{PK}_P)$ and $\mathbf{W} \leftarrow \mathsf{push}(\mathbf{W}, W)$, computes $\mathsf{cert} \leftarrow \mathsf{Sign}^{**}(\mathsf{SK}_{\mathrm{prx}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$, and sets $\mathbf{C} \leftarrow \mathsf{push}(\mathbf{C}, \mathsf{cert})$. Finally, it returns the delegation information $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(c) Self-delegation of $\mathsf{SK}^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, W)$.

(1) If $\mathbf{PK}$ and $\mathbf{W}$ are empty (i.e., self-delegation of $\mathsf{SK}^*$), $\mathcal{B}$ constructs $\mathbf{PK} = \{\mathsf{PK}^*, \mathsf{PK}^*\}$, $\mathbf{FK} = \emptyset$, and $\mathbf{W} = \{W\}$ and sets $\mathsf{SK}_{\mathrm{sel}} = \mathsf{SK}^*$ and $\mathsf{cert}_{\mathrm{sel}} = \emptyset$.

(2) If $\mathbf{PK}$ and $\mathbf{W}$ are not empty (i.e., delegation of $\mathsf{PSK}$), $\mathcal{B}$ retrieves the $j$th proxy key in $\mathsf{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathsf{cert}, \mathsf{SK}_{\mathrm{prx}})$. Then it computes $\mathbf{PK} \leftarrow \mathsf{push}(\mathbf{PK}, \mathsf{PK}^*)$ and $\mathbf{W} \leftarrow \mathsf{push}(\mathbf{W}, W)$ and sets $\mathsf{SK}_{\mathrm{sel}} = \mathsf{SK}_{\mathrm{prx}}$ and $\mathsf{cert}_{\mathrm{sel}} = \mathsf{cert}$.

$\mathcal{B}$ then computes $\mathsf{cert} \leftarrow \mathsf{Sign}^{**}(\mathsf{SK}_{\mathrm{sel}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$. If $c = 0$, or $c = 1$ and this is not the $i^*$th delegation query, $\mathcal{B}$ first runs $(\mathsf{PK}, \mathsf{SK}) \leftarrow \mathsf{Kg}^{**}(1^k)$ and constructs $\mathbf{FK} \leftarrow \mathsf{push}(\mathbf{FK}, \mathsf{PK})$. Otherwise, $\mathcal{B}$ constructs $\mathbf{FK} \leftarrow \mathsf{push}(\mathbf{FK}, \mathsf{PK}^*)$ and sets $\mathsf{SK} = \emptyset$. Finally, $\mathcal{B}$ computes $\mathsf{cert} \leftarrow \mathsf{Sign}^{**}(\mathsf{SK}_{\mathrm{sel}}, 100\|\mathbf{PK}\|\mathbf{FK}\|\mathbf{W})$ and $\mathbf{C} \leftarrow \mathsf{push}(\mathbf{C}, \mathsf{cert})$, then stores the proxy key $\mathsf{PSK} = (\mathbf{FK}, \mathsf{cert}, \mathsf{SK})$ in $\mathsf{PskList}(\mathbf{PK}, \mathbf{W})$ and sends the transcript $(\mathbf{PK}, \mathbf{FK}, \mathbf{W}, \mathbf{C})$ to $\mathcal{A}$.

(iii) Ordinary signing queries of $\mathsf{SK}^*$: $m_i$. $\mathcal{B}$ returns $\mathsf{Sign}^{**}(\mathsf{SK}^*, 111\|m)$.

(iv) Proxy signing queries of $\mathsf{SK}^*$: $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, j, m_i)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathsf{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathsf{cert}, \mathsf{SK}_{\mathrm{prx}})$. Then it computes $P\Sigma \leftarrow \mathsf{PSign}^{**}(\mathsf{SK}_{\mathrm{prx}}, 101\|m_i)$ and returns $(\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma))$ to $\mathcal{A}$.

(v) Proxy key exposure queries: $(\mathbf{PK}, \mathbf{W}, j)$. $\mathcal{B}$ retrieves the $j$th proxy key in $\mathsf{PskList}(\mathbf{PK}, \mathbf{W})$ and parses it as $(\mathbf{FK}, \mathsf{cert}, \mathsf{SK}_{\mathrm{prx}})$. If $\mathsf{SK}_{\mathrm{prx}} = \emptyset$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ returns $(\mathbf{FK}, \mathsf{cert}, \mathsf{SK}_{\mathrm{prx}})$ to $\mathcal{A}$.

(vi) Leakage queries: $f_i$. $\mathcal{A}$ makes the query $f_i$ for leakage information about the secret key $sk$ (the randomness is also included here) after each delegation protocol, ordinary signing, or proxy signing query. If the secret key used was chosen by $\mathcal{B}$, then $\mathcal{B}$ returns $\Lambda_i = f_i(sk)$. Otherwise, $\mathcal{B}$ makes the same query to its own leakage oracle $\mathsf{LQ}$, which returns either valid leakage information $\Lambda_i$ or $\bot$ if $f_i$ is illegal. Finally, $\mathcal{B}$ returns it to $\mathcal{A}$.

Remark. The secret state for $\mathcal{A}$ can be divided into two kinds: the first is that chosen by $\mathcal{B}$ in the experiment, and the second is that unknown to $\mathcal{B}$, namely $\mathsf{SK}'$ and the randomness used in the signing oracle $\mathsf{SQ}$. For the first kind, $\mathcal{B}$ can directly answer $\mathcal{A}$ by itself. For the second kind, similar to the proof of Theorem 1, $\mathcal{B}$ can make the same query to its leakage oracle $\mathsf{LQ}$.

(III) Finally, according to the assumption, $\mathcal{A}$ outputs a forgery for the challenge public key $\mathsf{PK}^*$ (with respect to the scheme $\mathsf{SIG}^{**}$). It must be one of the following cases:

(1) an ordinary signature $(m^*, \Sigma^*)$;

(2) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;

(3) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was not generated by $\mathcal{B}$;

(4) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the last key in $\mathbf{FK}$ was generated by $\mathcal{B}$;

(5) a proxy signature $(m^*, (\mathbf{PK}, \mathbf{W}, \mathbf{C}, (\mathbf{FK}, P\Sigma^*)))$ where the $(i^* - 1)$th key in $\mathbf{FK}$ was generated by $\mathcal{B}$.

We now show how the challenger $\mathcal{B}$ translates $\mathcal{A}$'s forgery into a forgery with respect to the FKPR scheme $\mathsf{SIG}$. If $\mathcal{B}$ has flipped $c = 0$, which means that $\mathsf{PK}^* = \mathsf{PK}'$, then the first three cases correspond to forgeries where $\mathcal{A}$ has forged a signature under the secret key $\mathsf{SK}'$, and hence $\mathcal{B}$ can translate them into a forged signature for the scheme $\mathsf{SIG}$, analogously to the proof of Theorem 1. Otherwise, if $\mathcal{A}$ outputs a forgery that belongs to the last two cases, $\mathcal{B}$ aborts.

If $c = 0$, which means that $\mathcal{B}$ sets $\mathsf{PK}'$ as the $i^*$th fresh proxy public key, then if $\mathcal{A}$ outputs a forgery that belongs to the first three cases, $\mathcal{B}$ aborts. Otherwise, the last two cases indicate that $\mathcal{A}$ has forged a signature under one of the keys generated by $\mathcal{B}$ in a delegation but for which $\mathcal{A}$ has not received the corresponding secret key. In those two cases, $P\Sigma^*$ is a valid signature under a key $\mathsf{PK}$ generated by $\mathcal{B}$ in some delegation query; that is, $\mathsf{PK}$ is the last key in the list $\mathbf{FK}$ for a proxy key $(\mathbf{FK}, \mathsf{cert}, \mathsf{SK}_{\mathrm{prx}})$ from some proxy key list $\mathsf{PskList}(\cdot, \cdot)$. Therefore, with probability $1/q_d$, $\mathcal{B}$ has chosen the right $i^*$ such that $\mathsf{PK} = \mathsf{PK}'$. In this case, $\mathcal{B}$ outputs $P\Sigma^*$ as a valid forgery for the key $\mathsf{PK}'$ of the underlying signature scheme $\mathsf{SIG}$.

From the above analysis we can see that the challenger $\mathcal{B}$'s forgery, produced with nonnegligible probability, contradicts the security of the FKPR scheme $\mathsf{SIG}$ (cf. Theorem 1 of [37]), which thus proves the security of the LRPS scheme $\mathsf{SIG}^{**}$.

Disclosure

An abstract of this paper has been presented in the proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, pp. 495–502, 2013 [42].

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 60970139), the Strategic Priority Program of Chinese Academy of Sciences (Grant no. XDA06010702), and the IIE's Cryptography Research Project. The authors would like to thank the anonymous reviewers for their helpful comments and suggestions.

References

[1] W. Farmer, J. Gutmann, and V. Swarup, "Security for mobile agents: authentication and state appraisal," in Computer Security—ESORICS 96, 4th European Symposium on Research in Computer Security, Rome, Italy, September 25–27, 1996, Proceedings, vol. 1146 of Lecture Notes in Computer Science, pp. 118–130, Springer, Berlin, Germany, 1996.

[2] P. Kotzanikolaous, G. Katsirelos, and V. Chrissikopoulos, "Mobile agents for secure electronic transactions," in Recent Advances in Signal Processing and Communications, pp. 363–368, World Scientific and Engineering Society Press, 1999.

[3] B. Lee, H. Kim, and K. Kim, "Secure mobile agent using strong non-designated proxy signature," in Information Security and Privacy, Proceedings of the 6th Australasian Conference (ACISP '01), Sydney, Australia, July 11–13, 2001, vol. 2119 of Lecture Notes in Computer Science, pp. 474–486, Springer, Berlin, Germany, 2001.

[4] B. Lee, H. Kim, and K. Kim, "Strong proxy signature and its applications," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '01), pp. 603–608, 2001.

[5] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, vol. 79, pp. 1338–1353, 1996.

[6] G. Allee, S. Pierre, R. H. Glitho, and A. El Rhazi, "An improved itinerary recording protocol for securing distributed architectures based on mobile agents," Mobile Information Systems, vol. 1, no. 2, pp. 129–147, 2005.

[7] R. Aversa, B. Di Martino, N. Mazzocca, and S. Venticinque, "A skeleton based programming paradigm for mobile multi-agents on distributed systems and its realization within the MAGDA mobile agents platform," Mobile Information Systems, vol. 4, no. 2, pp. 131–146, 2008.

[8] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[9] Y. Wang, D. S. Wong, and H. Wang, "Employ a mobile agent for making a payment," in Mobile Information Systems, vol. 4, pp. 51–68, IOS Press, 2008.

[10] S. Parvin, F. K. Hussain, and S. Ali, "A methodology to counter DoS attacks in mobile IP communication," Mobile Information Systems, vol. 8, no. 2, pp. 127–152, 2012.

[11] H. U. Park and I. Y. Lee, "A digital nominative proxy signature scheme for mobile communication," in Information and Communications Security, Third International Conference, ICICS 2001, Xian, China, November 13–16, 2001, Proceedings, vol. 2229 of Lecture Notes in Computer Science, pp. 451–455, Springer, Berlin, Germany, 2001.

[12] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," in Proceedings of the 1st International Conference on Information and Communication Security (ICICS '97), vol. 1334 of Lecture Notes in Computer Science, pp. 223–232, Springer, 1997.

[13] A. Boldyreva, A. Palacio, and B. Warinschi, "Secure proxy signature schemes for delegation of signing rights," Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.

[14] T. Malkin, S. Obana, and M. Yung, "The hierarchy of key evolving signatures and a characterization of proxy signatures," in Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 306–322, Springer, Berlin, Germany, 2004.

[15] J. C. N. Schuldt, K. Matsuura, and K. G. Paterson, "Proxy signatures secure against key exposure," in Public Key Cryptography—PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008, Proceedings, vol. 4939 of Lecture Notes in Computer Science, pp. 141–161, Springer, Berlin, Germany, 2008.

[16] H. Wang and J. Pieprzyk, "Efficient one-time proxy signatures," in Advances in Cryptology—ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 507–522, Springer, Berlin, Germany, 2003.

[17] F. Zhang, R. Safavi-Naini, and C. Y. Lin, "New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairings," Tech. Rep. 2003/104, Cryptology ePrint Archive, 2003, http://eprint.iacr.org/.

[18] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[19] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures for delegating signing operation," in Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), pp. 48–56, ACM, March 1996.

[20] J. Y. Lee, J. H. Cheon, and S. Kim, "An analysis of proxy signatures: is a secure channel necessary?" in Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco, Calif, USA, April 2003, Lecture Notes in Computer Science, pp. 68–79, Springer, 2003.

[21] Y. Dodis, J. Katz, S. Xu, and M. Yung, "Strong key-insulated signature schemes," in Public Key Cryptography—PKC 2003, vol. 2567 of Lecture Notes in Computer Science, pp. 130–144, Springer, Berlin, Germany, 2002.

[22] D. Brumley and D. Boneh, "Remote timing attacks are practical," Computer Networks, vol. 48, no. 5, pp. 701–716, 2005.

[23] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology—CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer, Berlin, Germany, 1999.

[24] E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Advances in Cryptology—CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 221–240, Springer, Berlin, Germany, 2008.

[25] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology—EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pp. 37–51, Springer, Berlin, Germany, 1997.

[26] S. Micali and L. Reyzin, "Physically observable cryptography," in Theory of Cryptography, Proceedings of the 1st Theory of Cryptography Conference (TCC '04), Cambridge, MA, USA, February 19–21, 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 278–296, Springer, Berlin, Germany, 2004.

[27] Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, "Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage," in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS '10), pp. 501–510, October 2010.

[28] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, "Cryptography against continuous memory attacks," in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 511–520, 2010.

[29] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology—EUROCRYPT '09, vol. 5479 of Lecture Notes in Computer Science, pp. 462–482, Springer, Berlin, Germany, 2009.

[30] S. Garg, A. Jain, and A. Sahai, "Leakage-resilient zero knowledge," in Advances in Cryptology—CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 297–315, Springer, Berlin, Germany, 2011.

[31] E. Kiltz and K. Pietrzak, "Leakage resilient ElGamal encryption," in Advances in Cryptology—ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 595–612, Springer, Berlin, Germany, 2010.

[32] M. Naor and G. Segev, "Public-key cryptosystems resilient to key leakage," in Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 18–35, Springer, Berlin, Germany, 2009.

[33] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, "Practical leakage-resilient identity-based encryption from simple assumptions," in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 152–161, ACM, October 2010.

[34] T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, "Identity-based encryption resilient to continual auxiliary leakage," in Advances in Cryptology—EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 117–134, Springer, Berlin, Germany, 2012.

[35] J. Alwen, Y. Dodis, and D. Wichs, "Leakage-resilient public-key cryptography in the bounded-retrieval model," in Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 36–54, Springer, 2009.

[36] E. Boyle, G. Segev, and D. Wichs, "Fully leakage-resilient signatures," in Advances in Cryptology—EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 89–108, Springer, Berlin, Germany, 2011.

[37] S. Faust, E. Kiltz, K. Pietrzak, and G. N. Rothblum, "Leakage-resilient signatures," in Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010, Proceedings, vol. 5978 of Lecture Notes in Computer Science, pp. 343–360, Springer, Berlin, Germany, 2010.

[38] J. Katz and V. Vaikuntanathan, "Signature schemes with bounded leakage resilience," in Advances in Cryptology—ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 703–720, Springer, Berlin, Germany, 2009.

[39] T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung, "Signatures resilient to continual leakage on memory and computation," in Proceedings of the 8th Theory of Cryptography Conference (TCC '11), vol. 6597 of Lecture Notes in Computer Science, pp. 89–106, Springer, Providence, RI, USA, 2011.

[40] F. Tang, H. Li, Q. Niu, and B. Liang, "Efficient leakage-resilient signature schemes in the generic bilinear group model," Cryptology ePrint Archive, 2013/785, 2013, http://eprint.iacr.org/.

[41] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Advances in Cryptology—EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 416–432, Springer, Berlin, Germany, 2003.

[42] F. Tang, H. Li, Q. Niu, and B. Liang, "Leakage-resilient proxy signatures," in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 495–502, Xi'an, China, September 2013.

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Page 9: Research Article Secure Mobile Agent from Leakage ...downloads.hindawi.com/journals/misy/2015/901418.pdf · Research Article Secure Mobile Agent from Leakage-Resilient Proxy Signatures

Mobile Information Systems 9

(ii) PKglowastlowast(SKPPKPPKD)the proxy first checks the validity of the delega-tion certificates for 119896 = 1 |C| does if 0 larr

Vfylowastlowast(PK119896minus1

100 PK FK W cert119896)

it returns perp and rejects this delegation where cert119896

means the 119896th entry in the listC Otherwise first gen-erate a fresh proxy key pair (PK1015840P SK

1015840

P) larr Kglowastlowast(1119896)

and run FK larr push(FKPK1015840P) Then computecert

$larr997888 Signlowastlowast(SKP 100 PK FK

W) Finally run PK larr push(PKPKP)W larr

push(W119882)C larr push(C cert) set PSK = (FK

cert SK1015840P) and output the delegation information(PKWCPSK)

(iii) PSignlowastlowast(PKWCPSK 119898)

Σ$larr997888 Signlowastlowast(SK1015840P 101 119898) output the proxy

signature (PKWC 119875Σ = Σ)(iv) PVfylowastlowast(PKFKWC 119898 119875Σ)

V first checks the validity of the delegation cer-tificates for 119896 = 1 |C| does Vfylowastlowast(PK

119896minus1

100 PK FK W cert119896) or Vfylowastlowast(PK1015840

119896minus1

100 PK FK W cert119896) dependent

on the current certificate generated by Dellowastlowast orPKglowastlowast respectively If all the verifications pass thenreturnVfylowastlowast(PK1015840P 101 119898 119875Σ)

B Security

We now analyze the security of the scheme SIGlowastlowast This proofis roughly analogous to the proof of scheme SIGlowast Howeverbecause the proxy key is independent of the long-term secretkey we have to permit more queries to the adversary such asa redelegation of a userrsquos proxy key Here we adapt Schuldtet alrsquos [15] security model EU-CMA-PKE which is thestrongest notion for the proxy signature schemes (cf Section4 of [15] for detailed description) to the leakage-resilientcryptography setting EU-CMLA-PKE In the presence ofleakage we should care about what secret can be taken asinput to the leakage function long-term secret key proxy keyor both Our answer is both

The detailed analysis is as follows

Theorem B1 The proxy signature scheme SIGlowastlowast is EU-CMLA-PKE secure based on the security of the leakage-resilientFKPR signature scheme SIG

We show that if there exists a EU-CMLA-PKE adversaryA which can break the security of the scheme SIGlowastlowast then itcan be used to construct a challengerB to break the securityof the FKPR scheme SIG

(I) InitiallyB will be given a challenging public key PK1015840and can adaptively make signing query (SQ) and leakagequery (LQ) in the experiment Expeu-cmla

SIGlowast B B first chooses arandom 119888 larr 0 1 If 119888 = 0 B sets PKlowast = PK1015840 and SKlowast =0 Otherwise B generates a fresh key pair (PKlowast SKlowast) larr

Kglowastlowast and chooses random 119894lowastlarr 1 119902

119889 (where 119902

119889is the

number that A queries to the delegation oracle B will use

PK1015840 instead of a fresh key in the 119894lowastth delegation query by

A) For both cases B sends PKlowast to A as the challengingpublic key of the experiment Expeu-cmla-pke

SIGlowast A Then it plays the

experiment withA(II)Amay adaptively askB for the following When the

queries by A need signing invocation of SK1015840 correspondingto PK1015840 B queries its own singing oracle SQ and we omitthis implicit description in the following proof In additionB will maintain a set of lists PskList(lowast lowast) which contains allproxy keys generated byB for the delegation chain with thepublic keysPK and warrantsW

(i) Delegation to SK*: (PK, FK, W, C).
If c = 0, or c = 1 and this is not the i*-th delegation query, then B first runs (PK, SK) ← Kg**(1^k), sets FK ← push(FK, PK), and sets SK_prx = SK. If c = 1 and this is the i*-th delegation query, B sets FK ← push(FK, PK′) and SK_prx = ⊥. Then B computes cert ← Sign**(SK_prx, 100 ‖ PK ‖ FK ‖ W). Finally, B stores PSK = (FK, cert, SK_prx) in PskList(PK, W).

(ii) Delegation from SK*: this query can be divided into the following three cases.

(a) Delegation of SK*: (PK_P, w).
B sets PK = (PK*, PK_P), FK = ∅, and W = (w). Then it computes cert ← Sign**(SK*, 100 ‖ PK ‖ FK ‖ W) and sets C = (cert). Finally, it returns the delegation information (PK, FK, W, C) to A.

(b) Redelegation of PSK: (PK, W, C, j, PK_P, w).
B retrieves the j-th proxy key in PskList(PK, W) and parses it as (FK, cert, SK_prx). Then it runs PK ← push(PK, PK_P) and W ← push(W, w), computes cert ← Sign**(SK_prx, 100 ‖ PK ‖ FK ‖ W), and sets C ← push(C, cert). Finally, it returns the delegation information (PK, FK, W, C) to A.

(c) Self-delegation of SK*: (PK, W, C, j, w).
(1) If PK and W are empty (i.e., self-delegation of SK* itself), B constructs PK = (PK*, PK*), FK = ∅, and W = (w), and sets SK_sel = SK* and cert_sel = ∅.
(2) If PK and W are nonempty (i.e., delegation of a PSK), B retrieves the j-th proxy key in PskList(PK, W) and parses it as (FK, cert, SK_prx). Then it computes PK ← push(PK, PK*) and W ← push(W, w), and sets SK_sel = SK_prx and cert_sel = cert.
B then computes cert ← Sign**(SK_sel, 100 ‖ PK ‖ FK ‖ W). If c = 0, or c = 1 and this is not the i*-th delegation query, B runs (PK, SK) ← Kg**(1^k) and constructs FK ← push(FK, PK). Otherwise, B constructs FK ← push(FK, PK′) and sets SK = ⊥. Finally, B computes cert ← Sign**(SK_sel, 100 ‖ PK ‖ FK ‖ W) and C ← push(C, cert), stores the proxy key PSK = (FK, cert, SK) in PskList(PK, W), and sends the transcript (PK, FK, W, C) to A.

(iii) Ordinary signing queries of SK*: (m_i).
B returns Sign**(SK*, 111 ‖ m_i).

(iv) Proxy signing queries of SK*: (PK, W, C, j, m_i).
B retrieves the j-th proxy key in PskList(PK, W) and parses it as (FK, cert, SK_prx). Then it computes PΣ ← PSign**(SK_prx, 101 ‖ m_i) and returns (PK, W, C, (FK, PΣ)) to A.

(v) Proxy key exposure queries: (PK, W, j).
B retrieves the j-th proxy key in PskList(PK, W) and parses it as (FK, cert, SK_prx). If SK_prx = ⊥, B aborts. Otherwise, B returns (FK, cert, SK_prx) to A.

(vi) Leakage queries: (f_i).
A makes a query f_i for leakage about the secret key sk that was used (the randomness is also included here) after each delegation protocol, ordinary signing, or proxy signing query. If the secret key used was chosen by B, then B returns Λ_i = f_i(sk). Otherwise, B makes the same query to its own leakage oracle LQ, which returns either valid leakage information Λ_i or ⊥ if f_i is illegal; B then forwards the answer to A.

Remark. The secret state available to A can be divided into two kinds: the first is the state chosen by B in the experiment, and the second is the state unknown to B, that is, SK′ and the randomness used by the signing oracle SQ. For the first kind, B can answer A directly by itself. For the second kind, as in the proof of Theorem 1, B can make the same query to its leakage oracle LQ.

(III) Finally, by assumption, A outputs a forgery for the challenge public key PK* (with respect to the scheme SIG**). It must be one of the following cases:

(1) an ordinary signature (m*, Σ*);
(2) a proxy signature (m*, (PK, W, C, (FK, PΣ*))) where the last key in FK was not generated by B;
(3) a proxy signature (m*, (PK, W, C, (FK, PΣ*))) where the (i* − 1)-th key in FK was not generated by B;
(4) a proxy signature (m*, (PK, W, C, (FK, PΣ*))) where the last key in FK was generated by B;
(5) a proxy signature (m*, (PK, W, C, (FK, PΣ*))) where the (i* − 1)-th key in FK was generated by B.

We now show how the challenger B translates A's forgery into a forgery with respect to the FKPR scheme SIG. If B has flipped c = 0, which means that PK* = PK′, then the first three cases correspond to forgeries where A has forged a signature under the secret key SK′, and hence B can translate them into a forged signature for the scheme SIG, analogously to the proof of Theorem 1. Otherwise, if A outputs a forgery that belongs to the last two cases, B aborts.

If c = 1, which means that B has embedded PK′ as the i*-th fresh proxy public key, then if A outputs a forgery that belongs to the first three cases, B aborts. Otherwise, the last two cases indicate that A has forged a signature under one of the keys generated by B in a delegation, but for which A has not received the corresponding secret key (a proxy key exposure query on it would have made B abort). In those two cases PΣ* is a valid signature under a key PK generated by B in some delegation query; that is, PK is the last key in the list FK of a proxy key (FK, cert, SK_prx) from some list PskList(·, ·). Therefore, with probability 1/q_d, B has chosen the right i* such that PK = PK′. In this case B outputs PΣ* as a valid forgery under the key PK′ for the underlying signature scheme SIG.

From the above analysis, B produces a forgery with nonnegligible probability, which contradicts the security of the FKPR scheme SIG (cf. Theorem 1 of [37]); this proves the security of the LRPS scheme SIG**.
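The simulator's bookkeeping above (the lists PK, FK, W and C, the push operations, PskList, and the tags 100/101/111) mirrors the data structure that a verifier of SIG** has to walk. The following Python program is an added example written for this edition, not code from the paper or its authors: it models that delegation-chain structure over a toy Schnorr signature so that a one-hop delegation, a redelegation signed by the proxy's fresh key (the reason a redelegation never touches the long-term key), a warrant violation, an outsider who saw only the delegator's public transcript, and the tag separation between proxy and ordinary signatures can all be checked. Everything not visible in the proof is an assumption of the example: the 128-bit safe-prime Schnorr group (insecure toy parameters), SHA-256, the length-prefixed message encoding, the prefix warrant policy, and the certificate layout in which the delegatee certifies its fresh public key with its long-term key (the idea behind the key-exposure-resistant construction of Schuldt et al. [15]); the page's exact Sign**/PSign** encodings are not reproduced.

```python
# Added example (not the paper's code): the delegation-chain structure the proof
# above simulates, over a toy Schnorr signature. The 128-bit safe prime, SHA-256,
# the length-prefixed encoding, the certificate layout (the delegatee certifies its
# fresh key with its long-term key) and the prefix warrant policy are assumptions.
# Toy parameters only; do not deploy.
import hashlib
import secrets

def _is_probable_prime(n, rounds=16):  # Miller-Rabin, adequate for toy sizes
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits):
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = _safe_prime(128)
G = 4  # a quadratic residue mod the safe prime P, hence of prime order Q

def _enc(*parts):  # length-prefixed so (tag, PK, FK, W) boundaries are unambiguous
    return b"".join(len(b).to_bytes(4, "big") + b
                    for b in (p if isinstance(p, bytes) else repr(p).encode() for p in parts))

def _hash(R, msg):
    return int.from_bytes(hashlib.sha256(_enc(R, msg)).digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def sign(sk, msg):  # Schnorr: (e, s) with s = r - e*sk, so G^s * pk^e = G^r
    r = secrets.randbelow(Q - 1) + 1
    e = _hash(pow(G, r, P), msg)
    return e, (r - e * sk) % Q

def verify(pk, msg, sig):
    e, s = sig
    return e == _hash(pow(G, s, P) * pow(pk, e, P) % P, msg)

# Tags as in the proof's queries: 100 certificate, 101 proxy signature, 111 ordinary.
def delegate(signer_sk, pk_p, w, psk=None):
    """Delegator side; psk is a proxy key when a proxy redelegates with its fresh key."""
    if psk is None:
        PK, FK, W, C = [pow(G, signer_sk, P), pk_p], [], [w], []
    else:
        PK, FK, W, C = psk[0] + [pk_p], list(psk[1]), psk[2] + [w], list(psk[3])
    C.append(sign(signer_sk, _enc("100", PK, FK, W)))
    return PK, FK, W, C  # public delegation transcript

def accept(sk_p, transcript):
    """Proxy side: push a fresh key onto FK and certify it with the long-term key.
    The resulting proxy key holds only the fresh secret key, never the long-term one."""
    PK, FK, W, C = transcript
    fpk, fsk = keygen()
    FK = FK + [fpk]
    return PK, FK, W, C + [sign(sk_p, _enc("100", PK, FK, W))], fsk

def proxy_sign(psk, m):
    PK, FK, W, C, fsk = psk
    return PK, W, C, FK, sign(fsk, _enc("101", m))

def proxy_verify(m, psig):
    PK, W, C, FK, sigma = psig
    n = len(W)
    if len(PK) != n + 1 or len(FK) != n or len(C) != 2 * n:
        return False
    if not all(m.startswith(w) for w in W):  # toy warrant policy: required prefix
        return False
    for i in range(1, n + 1):
        delegator = PK[0] if i == 1 else FK[i - 2]  # a redelegation is signed by the fresh key
        if not verify(delegator, _enc("100", PK[:i + 1], FK[:i - 1], W[:i]), C[2 * i - 2]):
            return False
        if not verify(PK[i], _enc("100", PK[:i + 1], FK[:i], W[:i]), C[2 * i - 1]):
            return False
    return verify(FK[-1], _enc("101", m), sigma)

def ordinary_sign(sk, m):
    return sign(sk, _enc("111", m))

def ordinary_verify(pk, m, sig):
    return verify(pk, _enc("111", m), sig)

def demo():
    """Constructed scenario: customer A delegates to agent host B, B redelegates to
    host C; outsider E tries to stand in for B using only A's public transcript."""
    pk_a, sk_a = keygen(); pk_b, sk_b = keygen(); pk_c, sk_c = keygen(); _, sk_e = keygen()
    m = b"purchase:widget x2"
    psk_b = accept(sk_b, delegate(sk_a, pk_b, b"purchase:"))
    psk_c = accept(sk_c, delegate(psk_b[4], pk_c, b"purchase:widget", psk_b))
    sig_c = proxy_sign(psk_c, m)
    return (proxy_verify(m, proxy_sign(psk_b, m)),                 # one hop: True
            proxy_verify(m, sig_c),                                  # two hops: True
            proxy_verify(b"purchase:yacht", sig_c),                  # outside C's warrant: False
            proxy_verify(m, proxy_sign(accept(sk_e, delegate(sk_a, pk_b, b"purchase:")), m)),  # E: False
            ordinary_verify(psk_c[1][-1], m, sig_c[4]))              # tag 101 is not tag 111: False

if __name__ == "__main__":
    print(demo())
```

The outsider case is the one that motivates certifying the fresh key with the delegatee's long-term key: the delegator's transcript (PK, FK, W, C) is public, so without that certificate anyone could attach their own fresh key to the chain. Exposing a proxy key (PK, FK, W, C, fsk) reveals only the fresh secret key, which is exactly the state the proof hands to A in a proxy key exposure query.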

Disclosure

An abstract of this paper has been presented in the proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, pp. 495–502, 2013 [42].

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research is supported by the National Natural Science Foundation of China (Grant no. 60970139), the Strategic Priority Program of the Chinese Academy of Sciences (Grant no. XDA06010702), and the IIE's Cryptography Research Project. The authors would like to thank the anonymous reviewers for their helpful comments and suggestions.

References

[1] W. Farmer, J. Guttman, and V. Swarup, "Security for mobile agents: authentication and state appraisal," in Computer Security – ESORICS 96, 4th European Symposium on Research in Computer Security, Rome, Italy, September 25–27, 1996, Proceedings, vol. 1146 of Lecture Notes in Computer Science, pp. 118–130, Springer, Berlin, Germany, 1996.

[2] P. Kotzanikolaou, G. Katsirelos, and V. Chrissikopoulos, "Mobile agents for secure electronic transactions," in Recent Advances in Signal Processing and Communications, pp. 363–368, World Scientific and Engineering Society Press, 1999.

[3] B. Lee, H. Kim, and K. Kim, "Secure mobile agent using strong non-designated proxy signature," in Information Security and Privacy, Proceedings of the 6th Australasian Conference (ACISP '01), Sydney, Australia, July 11–13, 2001, vol. 2119 of Lecture Notes in Computer Science, pp. 474–486, Springer, Berlin, Germany, 2001.

[4] B. Lee, H. Kim, and K. Kim, "Strong proxy signature and its applications," in Proceedings of the Symposium on Cryptography and Information Security (SCIS 01), pp. 603–608, 2001.

[5] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, vol. 79, pp. 1338–1353, 1996.

[6] G. Allee, S. Pierre, R. H. Glitho, and A. El Rhazi, "An improved itinerary recording protocol for securing distributed architectures based on mobile agents," Mobile Information Systems, vol. 1, no. 2, pp. 129–147, 2005.

[7] R. Aversa, B. Di Martino, N. Mazzocca, and S. Venticinque, "A skeleton based programming paradigm for mobile multi-agents on distributed systems and its realization within the MAGDA mobile agents platform," Mobile Information Systems, vol. 4, no. 2, pp. 131–146, 2008.

[8] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[9] Y. Wang, D. S. Wong, and H. Wang, "Employ a mobile agent for making a payment," in Mobile Information Systems, vol. 4, pp. 51–68, IOS Press, 2008.

[10] S. Parvin, F. K. Hussain, and S. Ali, "A methodology to counter DoS attacks in mobile IP communication," Mobile Information Systems, vol. 8, no. 2, pp. 127–152, 2012.

[11] H. U. Park and I. Y. Lee, "A digital nominative proxy signature scheme for mobile communication," in Information and Communications Security, Third International Conference, ICICS 2001, Xi'an, China, November 13–16, 2001, Proceedings, vol. 2229 of Lecture Notes in Computer Science, pp. 451–455, Springer, Berlin, Germany, 2001.

[12] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," in Proceedings of the 1st International Conference on Information and Communication Security (ICICS '97), vol. 1334 of Lecture Notes in Computer Science, pp. 223–232, Springer, 1997.

[13] A. Boldyreva, A. Palacio, and B. Warinschi, "Secure proxy signature schemes for delegation of signing rights," Journal of Cryptology, vol. 25, no. 1, pp. 57–115, 2012.

[14] T. Malkin, S. Obana, and M. Yung, "The hierarchy of key evolving signatures and a characterization of proxy signatures," in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 306–322, Springer, Berlin, Germany, 2004.

[15] J. C. N. Schuldt, K. Matsuura, and K. G. Paterson, "Proxy signatures secure against key exposure," in Public Key Cryptography – PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008, Proceedings, vol. 4939 of Lecture Notes in Computer Science, pp. 141–161, Springer, Berlin, Germany, 2008.

[16] H. Wang and J. Pieprzyk, "Efficient one-time proxy signatures," in Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 507–522, Springer, Berlin, Germany, 2003.

[17] F. Zhang, R. Safavi-Naini, and C. Y. Lin, "New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairings," Cryptology ePrint Archive, Report 2003/104, 2003, http://eprint.iacr.org/.

[18] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[19] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures for delegating signing operation," in Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), pp. 48–56, ACM, March 1996.

[20] J. Y. Lee, J. H. Cheon, and S. Kim, "An analysis of proxy signatures: is a secure channel necessary?" in Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco, Calif, USA, April 2003, Lecture Notes in Computer Science, pp. 68–79, Springer, 2003.

[21] Y. Dodis, J. Katz, S. Xu, and M. Yung, "Strong key-insulated signature schemes," in Public Key Cryptography – PKC 2003, vol. 2567 of Lecture Notes in Computer Science, pp. 130–144, Springer, Berlin, Germany, 2002.

[22] D. Brumley and D. Boneh, "Remote timing attacks are practical," Computer Networks, vol. 48, no. 5, pp. 701–716, 2005.

[23] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology – CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer, Berlin, Germany, 1999.

[24] E. Biham, Y. Carmeli, and A. Shamir, "Bug attacks," in Advances in Cryptology – CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 221–240, Springer, Berlin, Germany, 2008.

[25] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology – EUROCRYPT '97, vol. 1233 of Lecture Notes in Computer Science, pp. 37–51, Springer, Berlin, Germany, 1997.

[26] S. Micali and L. Reyzin, "Physically observable cryptography," in Theory of Cryptography, Proceedings of the 1st Theory of Cryptography Conference (TCC '04), Cambridge, MA, USA, February 19–21, 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 278–296, Springer, Berlin, Germany, 2004.

[27] Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, "Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage," in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS '10), pp. 501–510, October 2010.

[28] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, "Cryptography against continuous memory attacks," in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 511–520, 2010.

[29] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology – EUROCRYPT '09, vol. 5479 of Lecture Notes in Computer Science, pp. 462–482, Springer, Berlin, Germany, 2009.

[30] S. Garg, A. Jain, and A. Sahai, "Leakage-resilient zero knowledge," in Advances in Cryptology – CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 297–315, Springer, Berlin, Germany, 2011.

[31] E. Kiltz and K. Pietrzak, "Leakage resilient ElGamal encryption," in Advances in Cryptology – ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 595–612, Springer, Berlin, Germany, 2010.

[32] M. Naor and G. Segev, "Public-key cryptosystems resilient to key leakage," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 18–35, Springer, Berlin, Germany, 2009.

[33] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, "Practical leakage-resilient identity-based encryption from simple assumptions," in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 152–161, ACM, October 2010.

[34] T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, "Identity-based encryption resilient to continual auxiliary leakage," in Advances in Cryptology – EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 117–134, Springer, Berlin, Germany, 2012.

[35] J. Alwen, Y. Dodis, and D. Wichs, "Leakage-resilient public-key cryptography in the bounded-retrieval model," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 36–54, Springer, 2009.

[36] E. Boyle, G. Segev, and D. Wichs, "Fully leakage-resilient signatures," in Advances in Cryptology – EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 89–108, Springer, Berlin, Germany, 2011.

[37] S. Faust, E. Kiltz, K. Pietrzak, and G. N. Rothblum, "Leakage-resilient signatures," in Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010, Proceedings, vol. 5978 of Lecture Notes in Computer Science, pp. 343–360, Springer, Berlin, Germany, 2010.

[38] J. Katz and V. Vaikuntanathan, "Signature schemes with bounded leakage resilience," in Advances in Cryptology – ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 703–720, Springer, Berlin, Germany, 2009.

[39] T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung, "Signatures resilient to continual leakage on memory and computation," in Proceedings of the 8th Theory of Cryptography Conference (TCC '11), vol. 6597 of Lecture Notes in Computer Science, pp. 89–106, Springer, Providence, RI, USA, 2011.

[40] F. Tang, H. Li, Q. Niu, and B. Liang, "Efficient leakage-resilient signature schemes in the generic bilinear group model," Cryptology ePrint Archive, Report 2013/785, 2013, http://eprint.iacr.org/.

[41] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 416–432, Springer, Berlin, Germany, 2003.

[42] F. Tang, H. Li, Q. Niu, and B. Liang, "Leakage-resilient proxy signatures," in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 495–502, Xi'an, China, September 2013.

Research Article: Secure Mobile Agent from Leakage-Resilient Proxy Signatures, downloads.hindawi.com/journals/misy/2015/901418.pdf

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Page 11: Research Article Secure Mobile Agent from Leakage ...downloads.hindawi.com/journals/misy/2015/901418.pdf · Research Article Secure Mobile Agent from Leakage-Resilient Proxy Signatures

Mobile Information Systems 11

