Multi-Use Unidirectional Proxy Re-Signatures

In 1998, Blaze, Bleumer, and Strauss suggested a cryptographic primitive named proxy re-signatures where a proxy turns a signature computed under Alice's secret key into one from Bob on the same message. The semi-trusted proxy does not learn either p…

Authors: Benoît Libert, Damien Vergnaud

Benoît Libert (Université Catholique de Louvain, Crypto Group, Place du Levant 3, 1348 Louvain-la-Neuve, Belgium) and Damien Vergnaud (Ecole Normale Supérieure, C.N.R.S., I.N.R.I.A., 45 rue d'Ulm, 75230 Paris CEDEX 05, France)

Abstract. In 1998, Blaze, Bleumer, and Strauss suggested a cryptographic primitive named proxy re-signatures where a proxy turns a signature computed under Alice's secret key into one from Bob on the same message. The semi-trusted proxy does not learn either party's signing key and cannot sign arbitrary messages on behalf of Alice or Bob. At CCS 2005, Ateniese and Hohenberger revisited the primitive by providing appropriate security definitions and efficient constructions in the random oracle model. Nonetheless, they left open the problem of designing a multi-use unidirectional scheme where the proxy is able to translate in only one direction and signatures can be re-translated several times. This paper solves this problem, suggested for the first time 10 years ago, and shows the first multi-hop unidirectional proxy re-signature schemes. We describe a random-oracle-using system that is secure in the Ateniese-Hohenberger model. The same technique also yields a similar construction in the standard model (i.e. without relying on random oracles). Both schemes are efficient and require newly defined – but falsifiable – Diffie-Hellman-like assumptions in bilinear groups.

Keywords. Multi-use proxy re-signatures, unidirectionality, pairings.

1 Introduction

In 1998, Blaze, Bleumer and Strauss [8] proposed a cryptographic primitive where a semi-trusted proxy is given some information that allows turning Alice's signature on a message into Bob's signature on the same message.
These proxy re-signatures (PRS) – not to be confused with proxy signatures [23] – require that the proxy be unable to sign on behalf of Alice or Bob on its own. The last few years saw a renewed interest in proxy re-cryptography [3–5, 17–19, 12]. This paper presents the first constructions of multi-use unidirectional proxy re-signatures wherein the proxy can only translate signatures in one direction and messages can be re-signed a polynomial number of times. Our constructions are efficient and demand new (but falsifiable) Diffie-Hellman-related intractability assumptions in bilinear map groups. One of our contributions is a secure scheme in the standard model (i.e. without resorting to the random oracle model).

Related work. Alice – the delegator – can easily designate a proxy translating signatures computed using Bob's secret key – the delegatee – into ones that are valid w.r.t. her public key by storing her secret key at the proxy. Upon receiving Bob's signatures, the proxy can check them and re-sign the message using Alice's private key. The problem with this approach is that the proxy can sign arbitrary messages on behalf of Alice. Proxy re-signatures aim at securely enabling the delegation of signatures without fully trusting the proxy. They are related to proxy signatures, introduced in [23] and revisited in [16, 9, 22], in that any PRS can be used to implement a proxy signature mechanism but the converse is not necessarily true. In 1998, Blaze et al. [8] gave the first example of PRS where signing keys remain hidden from the proxy. The primitive was formalized in 2005 by Ateniese and Hohenberger [5] who pinned down useful properties that can be expected from proxy re-signature schemes. Blaze et al.'s construction is bidirectional (i.e. the proxy information allows "translating" signatures in either direction) and multi-use (i.e.
the translation of signatures can be performed in sequence and multiple times by distinct proxies without requiring the intervention of signing entities). Unfortunately, Ateniese and Hohenberger [5] pinpointed a flaw in the latter scheme: given a signature/re-signature pair, anyone can deduce the re-signature key that has been used in the delegation (i.e. the private proxy property is not satisfied). Another issue in [8] is that the proxy and the delegatee can collude to expose the delegator's secret. To overcome these limitations, Ateniese and Hohenberger proposed two constructions based on bilinear maps. The first one is a quite simple multi-use, bidirectional protocol built on Boneh-Lynn-Shacham (BLS) signatures [11]. Their second scheme is unidirectional (the design of such a scheme was an open problem raised in [8]) but single-use. It involves two different signature algorithms: first-level signatures can be translated by the proxy whilst second-level signatures cannot. A slightly less efficient variant was also suggested to ensure the privacy of re-signature keys kept at the proxy. The security of all schemes was analyzed in the random oracle model [7].

Properties of proxy re-signature schemes (as listed in [5]):
1. Unidirectional: re-signature keys can only be used for delegation in one direction;
2. Multi-use: a message can be re-signed a polynomial number of times;
3. Private Proxy: re-signature keys can be kept secret by an honest proxy;
4. Transparent: a user may not even know that a proxy exists;
5. Unlinkable: a re-signature cannot be linked to the one from which it was generated;
6. Key optimal: a user is only required to store a constant amount of secret data;
7. Non-interactive: the delegatee does not act in the delegation process;
8. Non-transitive: the proxy cannot re-delegate signing rights.

Our contributions.
Ateniese and Hohenberger left as open challenges the design of multi-use unidirectional systems and that of secure schemes in the standard security model. The present paper solves both problems:
– we present a simple and efficient system (built on the short signature put forth by Boneh et al. [11]) which is secure in the random oracle model under a reasonable extension of the Diffie-Hellman assumption;
– using an elegant technique due to Waters [27], the scheme is easily modified so as to achieve security in the standard model. To the best of our knowledge, this actually provides the first unidirectional PRS that dispenses with random oracles and thereby improves a recent bidirectional construction [25].

Both proposals additionally preserve the privacy of proxy keys (with an improved efficiency w.r.t. [5] in the case of the first one). They combine almost all of the above properties. As in prior unidirectional schemes, proxies are not completely transparent since signatures have different shapes and lengths across successive levels. The size of our signatures actually grows linearly with the number of past translations: signatures at level $\ell$ (i.e. that have been translated $\ell - i$ times if the original version was signed at level $i$) consist of about $2\ell$ group elements. In spite of this blow-up, we retain important benefits:
– signers may want to tolerate a limited number (say $t$) of signature translations for specific messages. Then, if at most $L$ translations are permitted in the global system, users can directly generate a signature at level $L - t$.
– the conversion of an $\ell$-th level signature is indistinguishable from one generated at level $\ell + 1$ by the second signer. The original signer's identity is moreover perfectly hidden and the verifier only needs the new signer's public key.
The simplicity of our schemes makes them attractive for applications that motivated the search for multi-use unidirectional systems in [5]. One of them was to provide a proof that a certain path was taken in a directed graph: for instance, U.S. customs only need one public key (the one of the immigration agent who previously validated a signature on an e-passport) to make sure that a foreign visitor legally entered the country and went through the required checkpoints. Another application was the conversion of certificates where valid signatures for untrusted public keys can be turned into signatures that verify under trusted keys. As exemplified in [5], unidirectional schemes are quite appealing for converting certificates between ad-hoc networks: using the public key of network B's certification authority (CA), the CA of network A can non-interactively compute a translation key and set up a proxy converting certificates from network B within its own domain without having to rely on untrusted nodes of B.

Roadmap. In the forthcoming sections, we recall the syntax of unidirectional PRS schemes and the security model in section 2. Section 3 explains which algorithmic assumptions we need. Section 4 describes our random-oracle-using scheme. Section 5 details how to get rid of the random oracle idealization.

2 Model and Security Notions

We first recall the syntactic definition of unidirectional PRS schemes from [5].

Definition 1 (Proxy Re-Signatures).
A (unidirectional) proxy re-signature (PRS) scheme for $N$ signers and $L$ levels (where $N$ and $L$ are both polynomial in the security parameter $\lambda$) consists of a tuple of (possibly randomized) algorithms (Global-Setup, Keygen, ReKeygen, Sign, Re-Sign, Verify) where:

Global-Setup($\lambda$): is a randomized algorithm (possibly run by a trusted party) that takes as input a security parameter $\lambda$ and produces a set of system-wide public parameters $cp$.

Keygen($cp$): is a probabilistic algorithm that, on input of public parameters $cp$, outputs a signer's private/public key pair $(sk, pk)$.

ReKeygen($cp, pk_i, sk_j$): on input of public parameters $cp$, signer $i$'s public key $pk_i$ and signer $j$'s private key $sk_j$, this (ideally non-interactive) algorithm outputs a re-signature key $R_{ij}$ that allows translating $i$'s signatures into signatures in the name of $j$.

Sign($cp, \ell, sk_i, m$): on input of public parameters $cp$, a message $m$, a private key $sk_i$ and an integer $\ell \in \{1, \ldots, L\}$, this (possibly probabilistic) algorithm outputs a signature $\sigma$ on behalf of signer $i$ at level $\ell$.

Re-Sign($cp, \ell, m, \sigma, R_{ij}, pk_i, pk_j$): given common parameters $cp$, a level $\ell < L$ signature $\sigma$ from signer $i \in \{1, \ldots, N\}$ and a re-signature key $R_{ij}$, this (possibly randomized) algorithm first checks that $\sigma$ is valid w.r.t. $pk_i$. If yes, it outputs a signature $\sigma'$ which verifies at level $\ell + 1$ under public key $pk_j$.

Verify($cp, \ell, m, \sigma, pk_i$): given public parameters $cp$, an integer $\ell \in \{1, \ldots, L\}$, a message $m$, an alleged signature $\sigma$ and a public key $pk_i$, this deterministic algorithm outputs 0 or 1.

For all security parameters $\lambda \in \mathbb{N}$ and system-wide parameters $cp$ output by Global-Setup($\lambda$), for all couples of private/public key pairs $(sk_i, pk_i)$, $(sk_j, pk_j)$ produced by Keygen($cp$), for any $\ell \in \{1, \ldots, L\}$ and message $m$, we should have
$\mathrm{Verify}(cp, \ell, m, \mathrm{Sign}(cp, \ell, sk_i, m), pk_i) = 1;$
$\mathrm{Verify}(cp, \ell, m, \mathrm{ReSign}(cp, \ell, m, \mathrm{Sign}(cp, \ell, sk_i, m), \mathrm{ReKeygen}(cp, pk_i, sk_j)), pk_j) = 1.$

To lighten notations, we sometimes omit to explicitly include public parameters $cp$ that are part of the input of all but one algorithms.

The security model of [5] considers the following two orthogonal notions termed external and insider security.

External security: is the security against adversaries outside the system (that differ from the proxy and delegation partners). This notion demands that the next probability be a negligible function of the security parameter $\lambda$:
$\Pr\big[\{(pk_i, sk_i) \leftarrow \mathrm{Keygen}(\lambda)\}_{i \in [1,N]},\ (i^\star, L, m^\star, \sigma^\star) \leftarrow \mathcal{A}^{\mathcal{O}_{Sign}(\cdot), \mathcal{O}_{Resign}(\cdot)}(\{pk_i\}_{i \in [1,N]}) : \mathrm{Verify}(L, pk_{i^\star}, m^\star, \sigma^\star) \wedge (i^\star, m^\star) \notin Q\big]$
where $\mathcal{O}_{Sign}(\cdot)$ is an oracle taking as input a message and an index $i \in \{1, \ldots, N\}$ to return a first level signature $\sigma \leftarrow \mathrm{Sign}(1, sk_i, m)$; the oracle $\mathcal{O}_{Resign}(\cdot)$ takes as input indices $i, j \in \{1, \ldots, N\}$ and a level $\ell$ signature $\sigma$ and returns the output of $\sigma' \leftarrow \mathrm{Re\text{-}Sign}(\ell, m, \sigma, \mathrm{ReKeygen}(pk_i, sk_j))$; and $Q$ denotes the set of (signer, message) pairs $(i, m)$ queried to $\mathcal{O}_{Sign}(\cdot)$ or such that a tuple $(?, j, i, m)$, with $j \in \{1, \ldots, N\}$, was queried to $\mathcal{O}_{Resign}(\cdot)$. This notion only makes sense if re-signing keys are kept private by the proxy.

Internal security: The second security notion considered in [5] strives to protect users, as much as possible, against dishonest proxies and colluding delegation partners. Three security guarantees should be ensured.

1. Limited Proxy security: this notion captures the proxy's inability to sign messages on behalf of the delegatee or to create signatures for the delegator unless messages were first signed by one of the latter's delegatees.
Formally, we consider a game where adversaries have all re-signing keys but are denied access to signers' private keys. The following probability should be negligible:
$\Pr\big[\{(pk_i, sk_i) \leftarrow \mathrm{Keygen}(\lambda)\}_{i \in [1,N]},\ \{R_{ij} \leftarrow \mathrm{ReKeygen}(pk_i, sk_j)\}_{i,j \in [1,N]},\ (i^\star, L, m^\star, \sigma^\star) \leftarrow \mathcal{A}^{\mathcal{O}_{Sign}(\cdot,\cdot)}(\{pk_i\}_{i \in [1,N]}, \{R_{ij}\}_{i,j \in [1,N]}) : \mathrm{Verify}(L, pk_{i^\star}, m^\star, \sigma^\star) \wedge m^\star \notin Q\big]$
where $\mathcal{O}_{Sign}(\cdot,\cdot)$ is an oracle taking as input a message and an index $i \in \{1, \ldots, N\}$ to return a first level signature $\sigma \leftarrow \mathrm{Sign}(1, sk_i, m)$ and $Q$ stands for the set of messages $m$ queried to the signing oracle.

2. Delegatee Security: informally, this notion protects the delegatee from a colluding delegator and proxy. Namely, the delegatee is assigned the index 0. The adversary is provided with an oracle returning first level signatures on behalf of 0 and is also granted access to re-signature keys $R_{0i}$ for all $i \neq 0$ (but not $R_{i0}$ for any $i$) (see footnote 1). Her probability of success
$\Pr\big[\{(pk_i, sk_i) \leftarrow \mathrm{Keygen}(\lambda)\}_{i \in [0,N]},\ \{R_{ij} \leftarrow \mathrm{ReKeygen}(pk_i, sk_j)\}_{i \in \{0,\ldots,N\},\, j \in \{1,\ldots,N\}},\ (L, m^\star, \sigma^\star) \leftarrow \mathcal{A}^{\mathcal{O}_{Sign}(0,\cdot)}(pk_0, \{(pk_i, sk_i)\}_{i \in [1,N]}, \{R_{ij}\}_{i \in \{0,\ldots,N\},\, j \in \{1,\ldots,N\}}) : \mathrm{Verify}(L, pk_0, m^\star, \sigma^\star) \wedge m^\star \notin Q\big],$
where $Q$ is the set of messages queried to $\mathcal{O}_{Sign}(0, \cdot)$, should be negligible.

3. Delegator Security: this notion captures that a collusion between the delegatee and the proxy should be harmless for the honest delegator. Namely, we consider a target delegator with index 0. The adversary is given private keys of all other signers $i \in \{1, \ldots, N\}$ as well as all re-signature keys including $R_{i0}$ and $R_{0i}$ for $i \in \{1, \ldots, N\}$. A signing oracle $\mathcal{O}_{Sign}(0, \cdot)$ also provides her with first level signatures for 0.
Yet, the following probability should be negligible,
$\Pr\big[\{(pk_i, sk_i) \leftarrow \mathrm{Keygen}(\lambda)\}_{i \in [0,N]},\ \{R_{ij} \leftarrow \mathrm{ReKeygen}(pk_i, sk_j)\}_{i,j \in [0,N]},\ (1, m^\star, \sigma^\star) \leftarrow \mathcal{A}^{\mathcal{O}_{Sign}(0,\cdot)}(pk_0, \{(pk_i, sk_i)\}_{i \in [1,N]}, \{R_{ij}\}_{i,j \in [0,N]}) : \mathrm{Verify}(1, pk_0, m^\star, \sigma^\star) \wedge m^\star \notin Q\big],$
meaning she has little chance of framing user 0 at the first level.

An important difference between external and limited proxy security should be underlined. In the former, the attacker is allowed to obtain signatures on the target message $m^\star$ for signers other than $i^\star$. In the latter, the target message cannot be queried for signature at all (knowing all proxy keys, the attacker would trivially win the game otherwise).

Footnote 1: In non-interactive schemes, the adversary can compute those keys herself from $pk_0$ and $sk_i$, with $i \neq 0$, and the definition can be simplified. In the general case, they remain part of the adversary's input.

3 Bilinear Maps and Complexity Assumptions

Bilinear groups. Groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p$ are called bilinear map groups if there is a mapping $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ with the following properties:
1. bilinearity: $e(g^a, h^b) = e(g, h)^{ab}$ for any $(g, h) \in \mathbb{G} \times \mathbb{G}$ and $a, b \in \mathbb{Z}$;
2. efficient computability for any input pair;
3. non-degeneracy: $e(g, h) \neq 1_{\mathbb{G}_T}$ whenever $g, h \neq 1_{\mathbb{G}}$.

In these groups, we assume the hardness of the well-known Computational Diffie-Hellman (CDH) problem which is to compute $g^{xy}$ given $g^x$ and $g^y$.

Flexible Diffie-Hellman problems. Our signatures rely on new generalizations of the Diffie-Hellman problem. To motivate them, let us first recall the definition of the 2-out-of-3 Diffie-Hellman problem [20].

Definition 2. In a prime order group $\mathbb{G}$, the 2-out-of-3 Diffie-Hellman problem (2-3-CDH) is, given $(g, g^a, g^b)$, to find a pair $(C, C^{ab}) \in \mathbb{G} \times \mathbb{G}$ with $C \neq 1_{\mathbb{G}}$.
We introduce a potentially harder version of this problem that we call the 1-Flexible Diffie-Hellman problem:

Definition 3. The 1-Flexible Diffie-Hellman problem (1-FlexDH) is, given $(g, A = g^a, B = g^b) \in \mathbb{G}^3$, to find a triple $(C, C^a, C^{ab}) \in (\mathbb{G} \setminus \{1_{\mathbb{G}}\})^3$.

The unforgeability of our multi-use unidirectional proxy re-signatures is proved assuming the intractability of a relaxed variant of this problem where more flexibility is permitted in the choice of the base $C$ for the Diffie-Hellman computation.

Definition 4. The $\ell$-Flexible Diffie-Hellman problem ($\ell$-FlexDH) is, given $(g, A = g^a, B = g^b) \in \mathbb{G}^3$, to find a $(2\ell+1)$-uple $(C_1, \ldots, C_\ell, D_1^a, \ldots, D_\ell^a, D_\ell^{ab}) \in \mathbb{G}^{2\ell+1}$ where $\log_g(D_j) = \prod_{i=1}^{j} \log_g(C_i) \neq 0$ for $j \in \{1, \ldots, \ell\}$.

A given instance has many publicly verifiable solutions: a candidate $(2\ell+1)$-tuple $(C_1, \ldots, C_\ell, D'_1, \ldots, D'_\ell, T)$ is acceptable if $e(C_1, A) = e(D'_1, g)$, $e(D'_j, g) = e(D'_{j-1}, C_j)$ for $j = 2, \ldots, \ell$ and $e(D'_\ell, B) = e(T, g)$. The $\ell$-FlexDH assumption is thus falsifiable according to Naor's classification [24]. In generic groups, the general intractability result given by theorem 1 of [20] by Kunz-Jacques and Pointcheval implies the generic hardness of $\ell$-FlexDH. For completeness, appendix A gives an adaptation of this result in generic bilinear groups.

Remark 1. The knowledge-of-exponent assumption (KEA1) [6] was introduced in 1991 by Damgård [14]. Roughly speaking, KEA1 captures the intuition that any algorithm which, given elements $(g, g^x) \in \mathbb{G}^2$, computes a pair $(h, h^x) \in \mathbb{G}^2$ must "know" $\log_g(h)$. Under KEA1, the intractability of the $\ell$-Flexible Diffie-Hellman problem is easily seen to boil down to the Diffie-Hellman assumption.
Given $(g, g^a)$, an adversary outputting $(C_1, D_1^a) = (C_1, C_1^a)$ necessarily "knows" $t_1 = \log_g C_1$ and thus also $(C_2, C_2^a) = (C_2, (D_2^a)^{1/t_1})$ as well as $t_2 = \log_g C_2$, which in turn successively yields logarithms of $C_3, \ldots, C_\ell$. Although the KEA1 assumption is inherently non-falsifiable, it holds in generic groups [15, 1] and our results can be seen as resting on the combination CDH+KEA1.

Modified Diffie-Hellman problem. The second assumption that we need is that the CDH problem $(g^a, g^b)$ remains hard even when $g^{(a^2)}$ is available.

Definition 5. The modified Computational Diffie-Hellman problem (mCDH) is, given $(g, g^a, g^{(a^2)}, g^b) \in \mathbb{G}^4$, to compute $g^{ab} \in \mathbb{G}$.

In fact, we use an equivalent formulation of the problem which is to find $h^{xy}$ given $(h, h^x, h^{1/x}, h^y)$ (the equivalence is readily observed by defining $g = h^{1/x}$, $x = a$, $y = b/a$).

4 A Multi-Hop Scheme in the Random Oracle Model

To provide a better intuition of the underlying idea of our scheme, we first describe its single-hop version before extending it into a multi-hop system. Our approach slightly differs from the one in [5] where signers have a "strong" secret and a "weak" secret that are respectively used to produce first and second level signatures. In our scheme, users have a single secret but first and second level signatures retain different shapes. Another difference is that our re-signature algorithm is probabilistic.

We exploit the idea that, given $g^b \in \mathbb{G} = \langle g \rangle$ for some $b \in \mathbb{Z}$, one can hardly generate a Diffie-Hellman triple $(g^a, g^b, g^{ab})$ without knowing the corresponding exponent $a$ [14]. A valid BLS signature [11] $(\sigma = H(m)^x, X = g^x)$ can be blinded into $(\sigma'_1, \sigma'_2) = (\sigma^t, X^t)$ using a random exponent $t$. An extra element $g^t$ then serves as evidence that $(\sigma'_1, \sigma'_2)$ actually hides a valid pair.
This technique can be iterated several times by adding two group elements at each step. To translate signatures from signer $i$ to signer $j$, the key idea is to have the proxy perform an appropriate change of variable involving the translation key during the blinding. The scheme is obviously not strongly unforgeable in the sense of [2] (since all but first level signatures can be publicly re-randomized) but this "malleability" of signatures is not a weakness whatsoever. It even turns out to be a desirable feature allowing for the unlinkability of translated signatures w.r.t. original ones.

4.1 The Single Hop Version

In this scheme, signers' public keys consist of a single group element $X = g^x \in \mathbb{G}$. Their well-formedness is thus efficiently verifiable by the certification authority that just has to check their membership in $\mathbb{G}$. This already improves [5] where public keys $(X_1, X_2) = (g^x, h^{1/x}) \in \mathbb{G}^2$ ($g$ and $h$ being common parameters) must be validated by testing whether $e(X_1, X_2) = e(g, h)$.

Global-setup($\lambda$): this algorithm chooses bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p > 2^\lambda$. A generator $g \in \mathbb{G}$ and a hash function $H : \{0,1\}^* \to \mathbb{G}$ (modeled as a random oracle in the security proof) are also chosen. Public parameters only consist of $cp := \{\mathbb{G}, \mathbb{G}_T, g, H\}$.

Keygen($\lambda$): user $i$'s public key is set as $X_i = g^{x_i}$ for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$.

ReKeygen($x_j, X_i$): this algorithm outputs the proxy key $R_{ij} = X_i^{1/x_j} = g^{x_i/x_j}$ which allows turning signatures from $i$ into signatures from $j$.

Sign(1, $x_i$, $m$): to sign $m \in \{0,1\}^*$ at level 1, compute $\sigma^{(1)} = H(m)^{x_i} \in \mathbb{G}$.

Sign(2, $x_i$, $m$): to sign $m \in \{0,1\}^*$ at level 2, choose $t \xleftarrow{R} \mathbb{Z}_p^*$ and compute
$\sigma^{(2)} = (\sigma_0, \sigma_1, \sigma_2) = (H(m)^{x_i t}, X_i^t, g^t).$ (1)

Re-Sign(1, $m$, $\sigma^{(1)}$, $R_{ij}$, $X_i$, $X_j$): on input of $m \in \{0,1\}^*$, the re-signature key $R_{ij} = g^{x_i/x_j}$, a signature $\sigma^{(1)} \in \mathbb{G}$ and public keys $X_i, X_j$, check the validity of $\sigma^{(1)}$ w.r.t. signer $i$ by testing $e(\sigma^{(1)}, g) = e(H(m), X_i)$. If valid, $\sigma^{(1)}$ is turned into a signature on behalf of $j$ by choosing $t \xleftarrow{R} \mathbb{Z}_p^*$ and computing
$\sigma^{(2)} = (\sigma'_0, \sigma'_1, \sigma'_2) = ((\sigma^{(1)})^t, X_i^t, R_{ij}^t) = (H(m)^{x_i t}, X_i^t, g^{t x_i/x_j}).$
If we set $\tilde{t} = t x_i/x_j$, we have
$\sigma^{(2)} = (\sigma'_0, \sigma'_1, \sigma'_2) = (H(m)^{x_j \tilde{t}}, X_j^{\tilde{t}}, g^{\tilde{t}}).$ (2)

Verify(1, $m$, $\sigma^{(1)}$, $X_i$): this algorithm accepts if $e(\sigma^{(1)}, g) = e(H(m), X_i)$.

Verify(2, $m$, $\sigma^{(2)}$, $X_i$): a second level signature $\sigma^{(2)} = (\sigma_0, \sigma_1, \sigma_2)$ is accepted for the public key $X_i$ if the following conditions are true:
$e(\sigma_0, g) = e(\sigma_1, H(m))$, $e(\sigma_1, g) = e(X_i, \sigma_2)$.

Relations (1) and (2) show that translated signatures have exactly the same distribution as signatures directly produced by signers at level 2. In comparison with the only known unidirectional PRS with private re-signing keys (suggested in section 3.4.2 of [5]), this one features shorter second level signatures: those of [5] must include a Schnorr-like [26] proof of knowledge in addition to 3 group elements. On the other hand, signatures of [5] are strongly unforgeable unlike ours. It is also worth mentioning that the above scheme only requires the 1-Flexible Diffie-Hellman assumption which is more classical than the general $\ell$-FlexDH.

4.2 How to Obtain Multiple Hops

The above construction can be scaled up into a multi-hop PRS scheme if we iteratively apply the same idea several times. To prevent the linkability of signatures between successive levels $\ell + 1$ and $\ell + 2$, the re-signature algorithm performs a re-randomization using random exponents $r_1, \ldots, r_\ell$.
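Added example (not the paper's code): an exponent-level simulation of Sign, Re-Sign and Verify that covers the single-hop algorithms of section 4.1 and generalizes them to the multi-hop algorithms described next in section 4.2, with the level-1 signature as the special case $\ell = 0$. Every group element $g^a$ is stored as its exponent $a$ mod $p$ and the pairing is the product of exponents, so the code checks only the algebra (the verification equations, and relation (2) with the $\tilde{t}$ change of variable) and is not a secure implementation; the prime $p$, the SHA-256 stand-in for $H$, and the sample message are constructed assumptions.

```python
"""Exponent-level simulation of the proxy re-signature scheme of sections
4.1 and 4.2.  Added example, not the paper's code.

A group element g^a is represented by its exponent a in Z_p, so raising to a
power is multiplication mod p and the pairing e(g^a, g^b) = e(g,g)^{ab} is the
product ab mod p.  This checks the algebra only: it is NOT secure, since the
discrete log of every element is the representation itself.
"""
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime used as the group order (constructed choice)


def H(m: bytes) -> int:
    """Stand-in for the random oracle H: {0,1}* -> G, as a nonzero exponent."""
    return 1 + int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1)


def e(a: int, b: int) -> int:
    """Pairing in exponent space: e(g^a, g^b) = e(g,g)^{ab}; g itself is 1."""
    return a * b % P


def rand_exp() -> int:
    """Uniform element of Z_p^*."""
    return 1 + secrets.randbelow(P - 1)


def keygen():
    """Returns (x_i, X_i) with X_i = g^{x_i}; in exponent space both are x_i."""
    x = rand_exp()
    return x, x


def rekeygen(x_j: int, X_i: int) -> int:
    """R_ij = X_i^{1/x_j} = g^{x_i/x_j}."""
    return X_i * pow(x_j, -1, P) % P


def sign(level: int, x_i: int, m: bytes, ts=None) -> tuple:
    """Sign(l+1, x_i, m) with l = level-1 blinding exponents t_1..t_l;
    level 1 (l = 0) is the plain BLS signature H(m)^{x_i}."""
    l = level - 1
    if ts is None:
        ts = [rand_exp() for _ in range(l)]
    prod = 1
    for t in ts:
        prod = prod * t % P
    sigma = [H(m) * x_i % P * prod % P]         # sigma_0 = H(m)^{x_i t_1...t_l}
    for k in range(1, l + 1):                   # sigma_k = g^{x_i t_1...t_{l+1-k}}
        pk = x_i
        for t in ts[: l + 1 - k]:
            pk = pk * t % P
        sigma.append(pk)
    sigma.extend(ts)                             # sigma_{l+k} = g^{t_k}
    return tuple(sigma)


def verify(level: int, m: bytes, sigma: tuple, X_i: int) -> bool:
    """Verify(l+1, m, sigma, X_i): the pairing equalities of section 4.2."""
    l = level - 1
    if len(sigma) != 2 * l + 1:
        return False
    h = H(m)
    if l == 0:                                   # e(sigma, g) = e(H(m), X_i)
        return e(sigma[0], 1) == e(h, X_i)
    if e(sigma[0], 1) != e(h, sigma[1]):
        return False
    if e(sigma[l], 1) != e(X_i, sigma[l + 1]):
        return False
    return all(e(sigma[k], 1) == e(sigma[k + 1], sigma[2 * l - k + 1])
               for k in range(1, l))


def resign(level, m, sigma, R_ij, X_i, X_j, rs=None) -> tuple:
    """Re-Sign(l+1, ...): re-randomize with r_0..r_l and swap X_i for X_j."""
    l = level - 1
    if not verify(level, m, sigma, X_i):
        raise ValueError("input signature is not valid under X_i")
    if rs is None:
        rs = [rand_exp() for _ in range(l + 1)]

    def rprod(upto):                             # r_0 * ... * r_upto
        out = 1
        for r in rs[: upto + 1]:
            out = out * r % P
        return out

    new = [sigma[0] * rprod(l) % P]              # sigma'_0 = sigma_0^{r_0...r_l}
    for k in range(1, l + 1):                    # sigma'_k = sigma_k^{r_0...r_{l+1-k}}
        new.append(sigma[k] * rprod(l + 1 - k) % P)
    new.append(X_i * rs[0] % P)                  # sigma'_{l+1} = X_i^{r_0}
    new.append(R_ij * rs[0] % P)                 # sigma'_{l+2} = R_ij^{r_0}
    for k in range(l + 3, 2 * l + 3):            # sigma'_k = sigma_{k-2}^{r_{k-l-2}}
        new.append(sigma[k - 2] * rs[k - l - 2] % P)
    return tuple(new)


def translation_matches_direct(level, m, x_i, x_j, ts, rs) -> bool:
    """Relation (2), generalized: Re-Sign output with randomness r_0..r_l equals
    a direct level+1 signature by j with t~_0 = r_0 x_i/x_j and t~_k = r_k t_k."""
    sigma = sign(level, x_i, m, ts)
    translated = resign(level, m, sigma, rekeygen(x_j, x_i), x_i, x_j, rs)
    t_tilde = [rs[0] * x_i % P * pow(x_j, -1, P) % P]
    t_tilde += [r * t % P for r, t in zip(rs[1:], ts)]
    return translated == sign(level + 1, x_j, m, t_tilde)


if __name__ == "__main__":
    (x_a, X_a), (x_b, X_b), (x_c, X_c) = keygen(), keygen(), keygen()
    msg = b"constructed e-passport entry stamp"   # constructed sample message
    s1 = sign(1, x_a, msg)                                    # Alice, level 1
    s2 = resign(1, msg, s1, rekeygen(x_b, X_a), X_a, X_b)     # proxy: Alice -> Bob
    s3 = resign(2, msg, s2, rekeygen(x_c, X_b), X_b, X_c)     # proxy: Bob -> Carol
    print(verify(3, msg, s3, X_c), verify(3, msg, s3, X_b))   # True False
```

Note that the two-hop chain above verifies with Carol's public key alone, which is the "only one public key is needed" property discussed in the introduction.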
Sign($\ell+1$, $x_i$, $m$): to sign $m \in \{0,1\}^*$ at the $(\ell+1)$-th level, user $i$ chooses $(t_1, \ldots, t_\ell) \xleftarrow{R} (\mathbb{Z}_p^*)^\ell$ and outputs $\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell}) \in \mathbb{G}^{2\ell+1}$ where $\sigma_0 = H(m)^{x_i t_1 \cdots t_\ell}$,
$\sigma_k = g^{x_i t_1 \cdots t_{\ell+1-k}}$ for $k \in \{1, \ldots, \ell\}$,
$\sigma_k = g^{t_{k-\ell}}$ for $k \in \{\ell+1, \ldots, 2\ell\}$.

Re-Sign($\ell+1$, $m$, $\sigma^{(\ell+1)}$, $R_{ij}$, $X_i$, $X_j$): on input of a message $m \in \{0,1\}^*$, the re-signature key $R_{ij} = g^{x_i/x_j}$, a valid $(\ell+1)$-th level signature
$\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell}) = (H(m)^{x_i t_1 \cdots t_\ell}, g^{x_i t_1 \cdots t_\ell}, g^{x_i t_1 \cdots t_{\ell-1}}, \ldots, g^{x_i t_1}, g^{t_1}, \ldots, g^{t_\ell}) \in \mathbb{G}^{2\ell+1}$
and public keys $X_i, X_j$, check the validity of $\sigma$ under $X_i$. If valid, $\sigma$ is turned into a $(\ell+2)$-th level signature on behalf of $j$ by drawing $(r_0, r_1, \ldots, r_\ell) \xleftarrow{R} (\mathbb{Z}_p^*)^{\ell+1}$ and computing $\sigma^{(\ell+2)} = (\sigma'_0, \ldots, \sigma'_{2\ell+2}) \in \mathbb{G}^{2\ell+3}$ where $\sigma'_0 = \sigma_0^{r_0 \cdots r_\ell}$ and
$\sigma'_k = \sigma_k^{r_0 \cdots r_{\ell+1-k}}$ for $k \in \{1, \ldots, \ell\}$,
$\sigma'_{\ell+1} = X_i^{r_0}$,
$\sigma'_{\ell+2} = R_{ij}^{r_0}$,
$\sigma'_k = \sigma_{k-2}^{r_{k-\ell-2}}$ for $k \in \{\ell+3, \ldots, 2\ell+2\}$.
If we define $\tilde{t}_0 = r_0 x_i/x_j$ and $\tilde{t}_k = r_k t_k$ for $k = 1, \ldots, \ell$, we observe that
$\sigma^{(\ell+2)} = (H(m)^{x_j \tilde{t}_0 \tilde{t}_1 \cdots \tilde{t}_\ell}, g^{x_j \tilde{t}_0 \tilde{t}_1 \cdots \tilde{t}_\ell}, g^{x_j \tilde{t}_0 \tilde{t}_1 \cdots \tilde{t}_{\ell-1}}, \ldots, g^{x_j \tilde{t}_0}, g^{\tilde{t}_0}, \ldots, g^{\tilde{t}_\ell}) \in \mathbb{G}^{2\ell+3}.$

Verify($\ell+1$, $m$, $\sigma^{(\ell+1)}$, $X_i$): the validity of $\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell}) \in \mathbb{G}^{2\ell+1}$ at level $(\ell+1)$ is checked by testing if these equalities simultaneously hold:
$e(\sigma_0, g) = e(H(m), \sigma_1)$, $e(\sigma_\ell, g) = e(X_i, \sigma_{\ell+1})$,
$e(\sigma_k, g) = e(\sigma_{k+1}, \sigma_{2\ell-k+1})$ for $k \in \{1, \ldots, \ell-1\}$.

4.3 Security

Theorem 1. The $L$-level scheme is a secure unidirectional proxy re-signature under the $(L-1)$-FlexDH and mCDH assumptions in the random oracle model.

Proof. Limited proxy security.
We show that an adversary $\mathcal{A}_1$ with advantage $\varepsilon$ implies an algorithm $\mathcal{B}_1$ solving an $(L-1)$-FlexDH instance $(g, A = g^a, B = g^b)$ with probability $O(\varepsilon/q_s)$, where $q_s$ is the number of signing queries made by $\mathcal{A}_1$.

System parameters: $\mathcal{A}_1$ is challenged on parameters $\{\mathbb{G}, \mathbb{G}_T, g, \mathcal{O}_H\}$ where $\mathcal{O}_H$ is the random oracle controlled by the simulator $\mathcal{B}_1$.

Public key generation: when $\mathcal{A}_1$ asks for the creation of user $i \in \{1, \ldots, N\}$, $\mathcal{B}_1$ responds with a newly generated public key $X_i = A^{x_i} = g^{a x_i}$, for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$, which virtually defines user $i$'s private key as $a x_i$. For all pairs $(i, j)$, re-signature keys $R_{ij}$ are calculated as $R_{ij} = g^{x_i/x_j} = g^{a x_i / a x_j}$.

Oracle queries: $\mathcal{A}_1$'s queries are handled as follows. Following a well-known technique due to Coron [13], a binary coin $c \in \{0, 1\}$ with expected value $1 - \zeta \in [0, 1]$ decides whether $\mathcal{B}_1$ introduces the challenge in the output of the random oracle or an element of known signature. For the optimal value of $\zeta$, this introduces the loss factor $O(q_s)$ in the success probability.

• Random oracle queries: To respond to these queries, $\mathcal{B}_1$ maintains a list (referred to as the $H$-List) of tuples $(m, h, \mu, c)$ as follows:
1. If the query $m$ already appears in the $H$-List, then $\mathcal{B}_1$ returns $h$;
2. Otherwise, $\mathcal{B}_1$ generates a random bit $c$ such that $\Pr[c = 0] = \zeta$;
3. It picks uniformly at random $\mu \in \mathbb{Z}_p^*$ and computes $h = g^\mu$ if $c = 0$ and $h = B^\mu$ otherwise;
4. It adds the 4-uple $(m, h, \mu, c)$ to the $H$-List and returns $h$ as the answer to the random oracle query.

• Signing queries: when a signature of signer $i$ is queried for a message $m$, $\mathcal{B}_1$ runs the random oracle to obtain the 4-uple $(m, h, \mu, c)$ contained in the $H$-List. If $c = 1$ then $\mathcal{B}_1$ reports failure and aborts. Otherwise, the algorithm $\mathcal{B}_1$ returns $h^{x_i a} = A^{x_i \mu}$ as a valid signature on $m$.
After a number of queries, $\mathcal{A}_1$ comes up with a message $m^\star$, that was never queried for signature for any signer, an index $i^\star \in \{1, \ldots, N\}$ and an $L$-th level forgery $\sigma^{\star(L)} = (\sigma_0^\star, \ldots, \sigma_{2L-2}^\star) \in \mathbb{G}^{2L-1}$. At this stage, $\mathcal{B}_1$ runs the random oracle to obtain the 4-uple $(m^\star, h^\star, \mu^\star, c^\star)$ contained in the $H$-List and fails if $c^\star = 0$. Otherwise, if $\sigma^{\star(L)}$ is valid, it may be written
$(\sigma_0^\star, \ldots, \sigma_{2L-2}^\star) = \big(B^{\mu^\star x_{i^\star} a t_1 \cdots t_{L-1}}, A^{t_1 \cdots t_{L-1}}, \ldots, A^{t_1}, g^{t_1}, \ldots, g^{t_{L-1}}\big)$
which provides $\mathcal{B}_1$ with a valid tuple $(C_1, \ldots, C_{L-1}, D_1^a, \ldots, D_{L-1}^a, D_{L-1}^{ab})$, where $D_{L-1}^{ab} = (\sigma_0^\star)^{1/(\mu^\star x_{i^\star})}$, so that $\log_g(D_j) = \prod_{i=1}^{j} \log_g(C_i)$ for $j \in \{1, \ldots, L-1\}$. A similar analysis to [13, 11] gives the announced bound on $\mathcal{B}_1$'s advantage if the optimal probability $\zeta = q_s/(q_s + 1)$ is used when answering hash queries.

Delegatee security. We also show how to break the $(L-1)$-FlexDH assumption out of a delegatee security adversary $\mathcal{A}_2$. Given an input pair $(A = g^a, B = g^b)$, the simulator $\mathcal{B}_2$ proceeds as $\mathcal{B}_1$ did in the proof of limited proxy security.

System parameters and public keys: the target delegatee's public key is set $X_0 = A = g^a$. For $i = 1, \ldots, n$, other public keys are defined as $X_i = g^{x_i}$ for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$. To generate re-signature keys $R_{ij}$, $\mathcal{B}_2$ sets $R_{ij} = g^{x_i/x_j}$ when $i, j \neq 0$ and $R_{0j} = A^{1/x_j} = g^{a/x_j}$ for $j = 1, \ldots, n$.

Queries: $\mathcal{A}_2$'s hash and signing queries are handled exactly as in the proof of limited proxy security. Namely, $\mathcal{B}_2$ fails if $\mathcal{A}_2$ asks for a signature on a message $m$ for which $H(m) = B^\mu$ and responds consistently otherwise. When $\mathcal{A}_2$ outputs her forgery $\sigma^{\star(L)} = (\sigma_0^\star, \ldots, \sigma_{2L-2}^\star)$ at level $L$, $\mathcal{B}_2$ is successful if $H(m^\star) = B^{\mu^\star}$, for some $\mu^\star \in \mathbb{Z}_p^*$, and extracts an admissible $(2L-1)$-uple as done in the proof of limited proxy security.

Delegator security. This security property is proven under the mCDH assumption. Given an adversary $\mathcal{A}_3$ with advantage $\varepsilon$, we outline an algorithm $\mathcal{B}_3$ that has probability $O(\varepsilon/q_s)$ of finding $g^{ab}$ given $(g, A = g^a, A' = g^{1/a}, B = g^b)$.

Public key generation: as previously, the target public key is defined as $X_0 = A = g^a$. Remaining public keys are set as $X_i = g^{x_i}$ for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$ for $i = 1, \ldots, n$. This time, $\mathcal{A}_3$ aims at producing a first level forgery and is granted all re-signature keys, including $R_{0j}$ and $R_{j0}$. For indexes $(i, j)$ s.t. $i, j \neq 0$, $\mathcal{B}_3$ sets $R_{ij} = g^{x_i/x_j}$. If $i = 0$, it calculates $R_{0j} = A^{1/x_j} = g^{a/x_j}$. If $j = 0$ (and thus $i \neq 0$), $\mathcal{B}_3$ computes $R_{i0} = A'^{x_i} = g^{x_i/a}$ and hands it to $\mathcal{A}_3$.

Hash and signing queries are dealt with exactly as for previous adversaries. Eventually, $\mathcal{A}_3$ produces a first level forgery $\sigma^{\star(1)}$ for a new message $m^\star$. Then, $\mathcal{B}_3$ can extract $g^{ab}$ if $H(m^\star) = (g^b)^{\mu^\star}$ for some $\mu^\star \in \mathbb{Z}_p^*$, which occurs with probability $O(1/q_s)$ using Coron's technique [13]. Otherwise, $\mathcal{B}_3$ fails.

External security. We finally show that an external security adversary $\mathcal{A}_4$ also allows breaking the $(L-1)$-FlexDH assumption almost exactly as in the proof of limited proxy security. The simulator $\mathcal{B}_4$ is given an instance $(g, A = g^a, B = g^b)$. As previously, $\mathcal{B}_4$ must "program" the random oracle $H$ hoping that its output will be $H(m^\star) = B^{\mu^\star}$ (where $\mu^\star \in \mathbb{Z}_p^*$ is known) for the message $m^\star$ that the forgery $\sigma^{\star(L)}$ pertains to. The difficulty is that $\mathcal{B}_4$ must also be able to answer signing queries made on $m^\star$ for all but one signers. Therefore, $\mathcal{B}_4$ must guess which signer $i^\star$ will be $\mathcal{A}_4$'s prey beforehand.
At the outset of the ga me, it thus chooses an index i ⋆ R ← { 1 , . . . , N } . Signer i ⋆ ’s public key is set as X i ⋆ = A = g a . All other signers i 6 = i ⋆ are assig ned public keys X i = g x i for which B 4 knows the matc hing se cret x i and can thus alwa ys answer signing quer ies. Hash queries and s igning queries inv olving i ⋆ are handled as in the pro of of limited proxy security . When faced with a re-sig ning quer y from i to j for a v alid signature σ ( ℓ ) at level ℓ ∈ { 1 , . . . , L } , B 4 ignores σ ( ℓ ) and simulates a first level signatur e for signer j . The resulting signatur e σ ′ (1) is then turned into a ( ℓ + 1) th level signature and g iven back to A 4 . A re-sig ning query thus trigger s a signing query that only causes failure if H ( m ) differs fro m g µ for a kno wn µ ∈ Z ∗ p . When A 4 forges a signature at lev el L , B 4 successfully extract a (2 L − 1)-Flexible Diffie-Hellman tuple (as B 1 and B 2 did) if H ( m ⋆ ) = ( g b ) µ ⋆ and if it corr ectly guessed the iden tity i ⋆ of the target signer. If A 4 ’s adv a nt ag e is ε , w e find O ( ε / ( N ( q s + q r s + 1))) as a low er bo und on B 4 ’s probability of success, q s and q r s being the num b er of signature a nd re-sig nature queries re sp ectively . ⊓ ⊔ 5 Eliminating t he Random Oracle Several extensions of BLS s ignatures hav e a s ta ndard mo del counterpart when W aters’ technique sup ersedes random oracle manipulations (e.g. [21]). Likewise, we ca n very simply twist our metho d and achieve the first unidirectional PRS scheme (even including s ingle hop ones) that avoids the rando m oracle mo del. Mutatis mutandis , the sc heme is tota lly simila r to our first c o nstruction and r elies on the same assumptions. 5.1 The Single Hop V ariant As in [27], n denotes the length of messag es to b e signed. 
Arbitrarily long messages can be signed if we first apply a collision-resistant hash function with $n$-bit outputs, in which case $n$ is part of the security parameter. The scheme requires a trusted party to generate common public parameters. However, this party can remain off-line after the setup phase.

Global-setup$(\lambda, n)$: given security parameters $\lambda, n$, this algorithm chooses bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of order $p > 2^\lambda$, generators $g, h \xleftarrow{R} \mathbb{G}$ and a random $(n+1)$-vector $\mathbf{u} = (u', u_1, \ldots, u_n) \xleftarrow{R} \mathbb{G}^{n+1}$. The latter defines a function $F : \{0,1\}^n \to \mathbb{G}$ mapping $n$-bit strings $m = m_1 \ldots m_n$ (where $m_i \in \{0,1\}$ for all $i \in \{1, \ldots, n\}$) onto $F(m) = u' \cdot \prod_{i=1}^n u_i^{m_i}$. The public parameters are $\mathsf{cp} := \{\mathbb{G}, \mathbb{G}_T, g, h, \mathbf{u}\}$.

Keygen$(\lambda)$: user $i$ sets his public key as $X_i = g^{x_i}$ for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$.

ReKeygen$(x_j, X_i)$: given user $j$'s private key $x_j$ and user $i$'s public key $X_i$, generate the re-signature key $R_{ij} = X_i^{1/x_j} = g^{x_i/x_j}$ that will be used to translate signatures from $i$ into signatures from $j$.

Sign$(1, m, x_i)$: to sign a message $m = m_1 \ldots m_n \in \{0,1\}^n$ at the first level, the signer picks $r \xleftarrow{R} \mathbb{Z}_p^*$ at random and computes

$$\sigma^{(1)} = (\sigma_0, \sigma_1) = \big( h^{x_i} \cdot F(m)^r,\ g^r \big).$$

Sign$(2, m, x_i)$: to generate a second level signature on $m = m_1 \ldots m_n \in \{0,1\}^n$, the signer chooses $r, t \xleftarrow{R} \mathbb{Z}_p^*$ and computes

$$\sigma^{(2)} = (\sigma_0, \sigma_1, \sigma_2, \sigma_3) = \big( h^{t x_i} \cdot F(m)^r,\ g^r,\ X_i^t,\ g^t \big). \qquad (3)$$

Re-Sign$(1, m, \sigma^{(1)}, R_{ij}, X_i, X_j)$: on input of a message $m \in \{0,1\}^n$, the re-signature key $R_{ij} = g^{x_i/x_j}$, a signature $\sigma^{(1)} = (\sigma_0, \sigma_1)$ and public keys $X_i, X_j$, check the validity of $\sigma^{(1)}$ w.r.t. signer $i$ by testing if

$$e(\sigma_0, g) = e(X_i, h) \cdot e(F(m), \sigma_1). \qquad (4)$$

If $\sigma^{(1)}$ is valid, it can be turned into a signature on behalf of $j$ by choosing $r', t \xleftarrow{R} \mathbb{Z}_p^*$ and computing

$$\sigma^{(2)} = (\sigma'_0, \sigma'_1, \sigma'_2, \sigma'_3) = \big( \sigma_0^t \cdot F(m)^{r'},\ \sigma_1^t \cdot g^{r'},\ X_i^t,\ R_{ij}^t \big) = \big( h^{t x_i} \cdot F(m)^{r''},\ g^{r''},\ X_i^t,\ g^{t x_i/x_j} \big)$$

where $r'' = tr + r'$. If we set $\tilde t = t x_i / x_j$, we observe that

$$\sigma^{(2)} = (\sigma'_0, \sigma'_1, \sigma'_2, \sigma'_3) = \big( h^{\tilde t x_j} \cdot F(m)^{r''},\ g^{r''},\ X_j^{\tilde t},\ g^{\tilde t} \big). \qquad (5)$$

Verify$(1, m, \sigma^{(1)}, X_i)$: the validity of a first level signature $\sigma^{(1)} = (\sigma_0, \sigma_1)$ is checked by testing if relation (4) holds.

Verify$(2, m, \sigma^{(2)}, X_i)$: a second level signature $\sigma^{(2)} = (\sigma_0, \sigma_1, \sigma_2, \sigma_3)$ is accepted for the public key $X_i$ if the following conditions are true.

$$e(\sigma_0, g) = e(\sigma_2, h) \cdot e(F(m), \sigma_1) \qquad (6)$$

$$e(\sigma_2, g) = e(X_i, \sigma_3) \qquad (7)$$

To the best of our knowledge, the above scheme is the first unidirectional PRS in the standard model and solves another problem left open in [5], where all constructions require the random oracle model. Like the scheme of section 4, this extension of Waters' signature [27] is scalable into a multi-hop PRS.

5.2 The Multi-Hop Extension

At levels $\ell \geq 2$, algorithms Sign, Re-Sign and Verify are generalized as follows.

Sign$(\ell+1, m, x_i)$: to sign $m \in \{0,1\}^n$ at level $\ell+1$, user $i$ picks $r \xleftarrow{R} \mathbb{Z}_p^*$, $(t_1, \ldots, t_\ell) \xleftarrow{R} (\mathbb{Z}_p^*)^\ell$ and outputs $\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell+1}) \in \mathbb{G}^{2\ell+2}$ where

$$\begin{cases} \sigma_0 = h^{x_i t_1 \cdots t_\ell} \cdot F(m)^r \\ \sigma_1 = g^r \\ \sigma_k = g^{x_i t_1 \cdots t_{\ell+2-k}} & \text{for } k \in \{2, \ldots, \ell+1\} \\ \sigma_k = g^{t_{k-\ell-1}} & \text{for } k \in \{\ell+2, \ldots, 2\ell+1\}. \end{cases}$$

Re-Sign$(\ell+1, m, \sigma^{(\ell+1)}, R_{ij}, X_i, X_j)$: on input of a message $m \in \{0,1\}^n$, the re-signature key $R_{ij} = g^{x_i/x_j}$, a purported $(\ell+1)$-th level signature

$$\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell+1}) = \big( h^{x_i t_1 \cdots t_\ell} \cdot F(m)^r,\ g^r,\ g^{x_i t_1 \cdots t_\ell},\ g^{x_i t_1 \cdots t_{\ell-1}}, \ldots, g^{x_i t_1},\ g^{t_1}, \ldots, g^{t_\ell} \big) \in \mathbb{G}^{2\ell+2}$$

and public keys $X_i, X_j$, check the correctness of $\sigma^{(\ell+1)}$ under $X_i$. If valid, $\sigma^{(\ell+1)}$ is translated for $X_j$ by sampling $r' \xleftarrow{R} \mathbb{Z}_p^*$, $(r_0, r_1, \ldots, r_\ell) \xleftarrow{R} (\mathbb{Z}_p^*)^{\ell+1}$ and setting $\sigma^{(\ell+2)} = (\sigma'_0, \ldots, \sigma'_{2\ell+3}) \in \mathbb{G}^{2\ell+4}$ where

$$\begin{cases} \sigma'_0 = \sigma_0^{r_0 \cdots r_\ell} \cdot F(m)^{r'} \\ \sigma'_1 = \sigma_1^{r_0 \cdots r_\ell} \cdot g^{r'} \\ \sigma'_k = \sigma_k^{r_0 \cdots r_{\ell+2-k}} & \text{for } k \in \{2, \ldots, \ell+1\} \\ \sigma'_{\ell+2} = X_i^{r_0} \\ \sigma'_{\ell+3} = R_{ij}^{r_0} \\ \sigma'_k = \sigma_{k-2}^{r_{k-\ell-3}} & \text{for } k \in \{\ell+4, \ldots, 2\ell+3\}. \end{cases}$$

If we define $\tilde t_0 = r_0 x_i / x_j$, $r'' = r\, r_0 \cdots r_\ell + r'$ and $\tilde t_k = r_k t_k$ for $k = 1, \ldots, \ell$, we observe that

$$\sigma^{(\ell+2)} = \big( h^{x_j \tilde t_0 \tilde t_1 \cdots \tilde t_\ell} \cdot F(m)^{r''},\ g^{r''},\ g^{x_j \tilde t_0 \tilde t_1 \cdots \tilde t_\ell},\ g^{x_j \tilde t_0 \tilde t_1 \cdots \tilde t_{\ell-1}}, \ldots, g^{x_j \tilde t_0},\ g^{\tilde t_0}, \ldots, g^{\tilde t_\ell} \big).$$

Verify$(\ell+1, m, \sigma^{(\ell+1)}, X_i)$: a candidate signature $\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell+1})$ is verified by testing if the following equalities hold:

$$e(\sigma_0, g) = e(h, \sigma_2) \cdot e(F(m), \sigma_1)$$

$$e(\sigma_k, g) = e(\sigma_{k+1}, \sigma_{2\ell+3-k}) \quad \text{for } k \in \{2, \ldots, \ell\}$$

$$e(\sigma_{\ell+1}, g) = e(X_i, \sigma_{\ell+2})$$

5.3 Security

Theorem 2. The scheme with $L$ levels (and thus at most $L-1$ hops) is a secure unidirectional PRS under the $(L-1)$-FlexDH and mCDH assumptions.

Proof.
The proof is very similar to the one of theorem 1 and replaces random oracle manipulations by the tricks of [10, 27]. We prove the limited proxy and delegatee security properties under the $(L-1)$-FlexDH assumption. The delegator security is demonstrated under the mCDH assumption.

Limited proxy security. We consider an adversary $\mathcal{A}_1$ with advantage $\varepsilon$. We describe an algorithm $\mathcal{B}_1$ solving a $(L-1)$-FlexDH instance $(A = g^a, B = g^b)$ with probability $\varepsilon / 4q_s(n+1)$, where $q_s$ is the number of signing queries made by $\mathcal{A}_1$, within a comparable time.

System parameters: the simulator $\mathcal{B}_1$ prepares common public parameters as follows. It first sets $h = B = g^b$. The $(n+1)$-vector $\mathbf{u} = (u', u_1, \ldots, u_n)$ is defined by choosing $u' = h^{w' - \kappa\tau} \cdot g^{z'}$ and $u_i = h^{w_i} \cdot g^{z_i}$ for $i \in \{1, \ldots, n\}$ using random vectors $(w', w_1, \ldots, w_n) \xleftarrow{R} \mathbb{Z}_\tau^{n+1}$, $(z', z_1, \ldots, z_n) \xleftarrow{R} \mathbb{Z}_p^{n+1}$, where $\kappa \xleftarrow{R} \{0, \ldots, n\}$ is randomly chosen and $\tau = 2q_s$. For any message $m = m_1 \ldots m_n \in \{0,1\}^n$, we have

$$F(m) = u' \cdot \prod_{i=1}^n u_i^{m_i} = h^{J(m)} g^{K(m)}$$

for functions $J : \{0,1\}^n \to \mathbb{Z}$, $K : \{0,1\}^n \to \mathbb{Z}_p$ respectively defined as $J(m) = w' + \sum_{i=1}^n w_i m_i - \kappa\tau$ and $K(m) = z' + \sum_{i=1}^n z_i m_i$. As in [27], $\mathcal{B}_1$ will be successful if $J(m^\star) = 0$ for the message $m^\star$ of the forgery stage whereas $J(m) \neq 0$ for all messages $m \neq m^\star$ queried for signature. Since $|J(\cdot)| \leq \tau(n+1) \ll p$, we have $J(m^\star) = 0$ with non-negligible probability $O(1/\tau(n+1))$. The adversary $\mathcal{A}_1$ is challenged on parameters $(g, h, \mathbf{u})$.

Key generation: for user $i \in \{1, \ldots, N\}$, $\mathcal{B}_1$ defines a public key as $X_i = A^{x_i} = g^{a x_i}$, for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$, which virtually defines user $i$'s private key as $a x_i$. For pairs $(i, j)$, re-signature keys are chosen as $R_{ij} = g^{x_i/x_j} = g^{a x_i / a x_j}$.

Signing queries: when a signature of signer $i$ is queried for a message $m$, $\mathcal{B}_1$ fails if $J(m) = 0 \bmod p$. Otherwise, following the technique of [10, 27], it can construct a signature by picking $r \xleftarrow{R} \mathbb{Z}_p$ and computing

$$\sigma = (\sigma_1, \sigma_2) = \Big( X_i^{-\frac{K(m)}{J(m)}} \cdot F(m)^r,\ X_i^{-\frac{1}{J(m)}} \cdot g^r \Big),$$

which is returned to $\mathcal{A}_1$. If we define $\tilde r = r - (a x_i)/J(m)$, $\sigma$ has the correct distribution as

$$\sigma_1 = X_i^{-\frac{K(m)}{J(m)}} \cdot F(m)^r = X_i^{-\frac{K(m)}{J(m)}} \cdot F(m)^{\tilde r} \cdot \big( h^{J(m)} \cdot g^{K(m)} \big)^{\frac{a x_i}{J(m)}} = h^{a x_i} \cdot F(m)^{\tilde r}$$

and $\sigma_2 = g^{r - (a x_i)/J(m)} = g^{\tilde r}$.

After polynomially many queries, $\mathcal{A}_1$ comes up with a message $m^\star$, that was never queried for signature for any signer, an index $i^\star \in \{1, \ldots, N\}$ and a forgery

$$\sigma^{(L)\star} = (\sigma^\star_0, \ldots, \sigma^\star_{2L-1}) = \big( h^{a x_{i^\star} t^\star_1 \cdots t^\star_{L-1}} \cdot F(m^\star)^{r^\star},\ g^{r^\star},\ g^{a x_{i^\star} t^\star_1 \cdots t^\star_{L-1}},\ g^{a x_{i^\star} t^\star_1 \cdots t^\star_{L-2}}, \ldots, g^{a x_{i^\star} t^\star_1},\ g^{t^\star_1}, \ldots, g^{t^\star_{L-1}} \big) \in \mathbb{G}^{2L}$$

at level $L$. At this stage, $\mathcal{B}_1$ fails if $J(m^\star) \neq 0 \bmod p$. Otherwise, if $\sigma^{(L)\star}$ is valid, $\sigma^\star_0 = h^{a x_{i^\star} t^\star_1 \cdots t^\star_{L-1}} \cdot g^{r^\star K(m^\star)}$, which provides $\mathcal{B}_1$ with a valid $(2L-1)$-uple

$$(C_1, \ldots, C_{L-1}, D_1^a, \ldots, D_{L-1}^a, D_{L-1}^{ab}) = \Big( \sigma^\star_{L+1}, \ldots, \sigma^\star_{2L-1},\ (\sigma^\star_L)^{1/x_{i^\star}}, \ldots, (\sigma^\star_2)^{1/x_{i^\star}},\ \Big( \frac{\sigma^\star_0}{(\sigma^\star_1)^{K(m^\star)}} \Big)^{1/x_{i^\star}} \Big) = \big( g^{t^\star_1}, \ldots, g^{t^\star_{L-1}},\ g^{a t^\star_1}, \ldots, g^{a t^\star_1 \cdots t^\star_{L-1}},\ g^{t^\star_1 \cdots t^\star_{L-1} ab} \big).$$

A completely similar analysis to [27] shows that $J(m^\star) = 0$ with probability $1/4q_s(n+1)$, which yields the bound on $\mathcal{B}_1$'s advantage.

Delegatee security. A delegatee security adversary $\mathcal{A}_2$ also implies a breach in the $(L-1)$-FlexDH assumption. The simulator $\mathcal{B}_2$ is given $(A = g^a, B = g^b)$ and uses a strategy that is completely analogous to the one of simulator $\mathcal{B}_1$ in the proof of limited proxy security.
System parameters and public keys: $\mathcal{B}_2$ prepares public parameters exactly as in the proof of limited proxy security. The public key of the target user is defined as $X_0 = A = g^a$. The attacker $\mathcal{A}_2$ must be provided with private keys for all the delegators of that user. For $i = 1, \ldots, n$, other public keys are therefore chosen as $X_i = g^{x_i}$ for randomly picked $x_i \xleftarrow{R} \mathbb{Z}_p^*$. The adversary $\mathcal{A}_2$ then receives $\{g, h = B, \mathbf{u}, X_0 = g^a, x_1, \ldots, x_n\}$ as well as re-signature keys $R_{ij}$ for $i \in \{0, \ldots, N\}$ and $j \in \{1, \ldots, N\}$. These are set as $R_{0j} = A^{1/x_j} = g^{a/x_j}$ and $R_{ij} = g^{x_i/x_j}$ if $i \neq 0$.

Signing queries: for all signers $i \neq 0$, $\mathcal{A}_2$ can generate signatures on her own. When a signature of the target signer is requested for a message $m$, $\mathcal{B}_2$ proceeds as $\mathcal{B}_1$ did when facing the limited proxy adversary $\mathcal{A}_1$. It fails if $J(m) = 0 \bmod p$ and can answer the query otherwise. When $\mathcal{A}_2$ eventually outputs a forgery $(\sigma^\star_0, \ldots, \sigma^\star_{2L-1})$ at level $L$, $\mathcal{B}_2$ is successful if $J(m^\star) = 0$ and extracts an admissible $(2L-1)$-uple as $\mathcal{B}_1$ did.

Delegator security. A delegator security adversary $\mathcal{A}_3$ having advantage $\varepsilon$ after $q_s$ signing queries is finally shown to imply an algorithm $\mathcal{B}_3$ solving a problem which is equivalent (under linear time reduction) to the mCDH problem, with probability $\varepsilon / 4q_s(n+1)$. Given $(g, A = g^a, A' = g^{1/a}, B = g^b)$, this problem is to find out $g^{ab}$.

Public parameters and public key generation: again, system parameters are prepared as in the proof of limited proxy security. Namely, $\mathcal{B}_3$ defines $h = B = g^b$ and chooses $u', u_1, \ldots, u_n$ so as to have $F(m) = h^{J(m)} \cdot g^{K(m)}$ for some functions $J, K : \{0,1\}^n \to \mathbb{Z}_p$ where $J$ cancels with non-negligible probability. The public key of the target delegator is set as $X_0 = A = g^a$. For $i = 1, \ldots, n$, remaining public keys are set as $X_i = g^{x_i}$ for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$. The adversary $\mathcal{A}_3$ receives $\{g, h = B, \mathbf{u}, X_0 = g^a, x_1, \ldots, x_n\}$. This time, she is provided with all re-signature keys (including $R_{0j}$ and $R_{j0}$) and attempts to produce a first level forgery. For pairs $(i, j)$ such that $i, j \neq 0$, $\mathcal{B}_3$ sets $R_{ij} = g^{x_i/x_j}$. If $i = 0$, it defines $R_{0j} = A^{1/x_j} = g^{a/x_j}$. If $j = 0$ (and thus $i \neq 0$), $\mathcal{B}_3$ calculates $R_{i0} = A'^{x_i} = g^{x_i/a}$ and hands $\{R_{ij}\}_{i,j}$ to $\mathcal{A}_3$.

Signing queries: when $\mathcal{A}_3$ asks for a signature from the target delegator for a message $m$, $\mathcal{B}_3$ fails if $J(m) = 0 \bmod p$ and can answer the query exactly as in the proof of limited proxy security otherwise. Eventually, $\mathcal{A}_3$ produces a first level forgery $\sigma^{(1)\star} = (\sigma^\star_1, \sigma^\star_2)$ for a message $m^\star$ that was never queried for signature. If $J(m^\star) \neq 0$, $\mathcal{B}_3$ fails. Otherwise, given that $(\sigma^\star_1, \sigma^\star_2) = (h^a \cdot g^{r K(m^\star)}, g^r)$, $\mathcal{B}_3$ finds out $g^{ab} = \sigma^\star_1 / (\sigma^\star_2)^{K(m^\star)}$.

External security. We consider an adversary $\mathcal{A}_4$ with advantage $\varepsilon$. We describe an algorithm $\mathcal{B}_4$ solving a $(L-1)$-FlexDH instance $(A = g^a, B = g^b)$ with probability $\varepsilon / (4N(q_s + q_{rs})(n+1))$ within comparable time, where $q_s$ and $q_{rs}$ are the number of signing and re-signing queries.

System parameters: the simulator $\mathcal{B}_4$ prepares common public parameters as in the limited proxy security proof. In addition, it picks at random an integer $i^* \in \{1, \ldots, N\}$.

Public key generation: when $\mathcal{A}_4$ asks for the creation of user $i \in \{1, \ldots, N\}$, $\mathcal{B}_4$ responds
– with a newly generated public key $X_i = g^{x_i}$, for a random $x_i \xleftarrow{R} \mathbb{Z}_p^*$, if $i \neq i^*$ (so that $x_i$, user $i$'s private key, is known to the simulator);
– with $X_{i^*} = A$ if $i = i^*$ (which virtually defines user $i$'s private key as $a$).

Oracle queries: $\mathcal{A}_4$'s queries are dealt with as follows.
• Signing queries: when a signature of signer $i$ is queried for a message $m$,
  - $\mathcal{B}_4$ uses its knowledge of $x_i$ to produce the signature if $i \neq i^*$;
  - $\mathcal{B}_4$ uses the simulation from the limited proxy security proof if $i = i^*$ (and therefore fails if $J(m) = 0 \bmod p$).
• Re-signing queries: for such a query on input $(m, \sigma^{(\ell)}, i, j)$, $\mathcal{B}_4$ checks if $\sigma^{(\ell)}$ is a valid $\ell$-th level signature on $m$ for some $\ell \in \{1, \ldots, L-1\}$ with respect to the public key $i$. If yes, $\mathcal{B}_4$ produces a first level signature on $m$ for user $j$ (using the previous simulation strategy), increases its level up to $\ell+1$ (for the same public key) using the re-signing algorithm (with re-signature key simply equal to $g$) and outputs the resulting $(\ell+1)$-th level signature. The simulation only fails if $J(m) = 0 \bmod p$ and $j = i^*$.

After polynomially many queries, $\mathcal{A}_4$ comes up with a message $m^\star$, an index $j^\star \in \{1, \ldots, N\}$ and a forgery $\sigma^{(L)\star} \in \mathbb{G}^{2L}$ at level $L$. Recall that $m^\star$ cannot have been queried to signer $j^\star$. Again, $\mathcal{B}_4$ fails if $J(m^\star) \neq 0 \bmod p$ or $j^\star \neq i^*$. Otherwise, if $\sigma^{(L)\star}$ is valid, $\mathcal{B}_4$ produces a valid $(L-1)$-FlexDH tuple as in the limited proxy security proof. A completely similar analysis to this proof ends up with the announced bound on $\mathcal{B}_4$'s advantage. ⊓⊔

6 Conclusions and Open Problems

We described the first multi-use unidirectional proxy re-signatures, which solves a problem left open in 2005. The random-oracle-based proposal also offers efficiency improvements over existing solutions at the first level. The other scheme additionally happens to be the first unidirectional PRS in the standard model. Two major open problems remain. First, it would be interesting to see if multi-level unidirectional PRS have efficient realizations under more classical intractability assumptions.
A perhaps more challenging task would be to find out implementations of such primitives where the size of signatures and the verification cost grow sub-linearly with the number of translations.

References

1. M. Abe, S. Fehr. Perfect NIZK with Adaptive Soundness. In TCC'07, LNCS 4392, pages 118–136. Springer, 2007.
2. J.-H. An, Y. Dodis, T. Rabin. On the security of joint signature and encryption. In Eurocrypt'02, LNCS 2332, pages 83–107. Springer, 2002.
3. G. Ateniese, K. Fu, M. Green, S. Hohenberger. Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage. In NDSS, 2005.
4. G. Ateniese, K. Fu, M. Green, S. Hohenberger. Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage. In ACM TISSEC, 9(1), pages 1–30, 2006.
5. G. Ateniese, S. Hohenberger. Proxy re-signatures: new definitions, algorithms, and applications. In ACM CCS'05, pages 310–319. ACM Press, 2005.
6. M. Bellare, A. Palacio. The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In Crypto'04, LNCS 3152, pages 273–289. Springer, 2004.
7. M. Bellare, P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM CCS'93, pages 62–73. ACM Press, 1993.
8. M. Blaze, G. Bleumer, M. Strauss. Divertible Protocols and Atomic Proxy Cryptography. In Eurocrypt'98, LNCS 1403, pages 127–144, 1998.
9. A. Boldyreva, A. Palacio, B. Warinschi. Secure Proxy Signature Schemes for Delegation of Signing Rights. Cryptology ePrint Archive: Report 2003/096, 2003.
10. D. Boneh, X. Boyen. Efficient selective-ID secure identity based encryption without random oracles. In Eurocrypt'04, LNCS 3027, pages 223–238. Springer, 2004.
11. D. Boneh, B. Lynn, H. Shacham. Short signatures from the Weil pairing. In Asiacrypt'01, LNCS 2248, pages 514–532. Springer, 2002.
12. R. Canetti, S. Hohenberger. Chosen-Ciphertext Secure Proxy Re-Encryption. In ACM CCS'07, pages 185–194. ACM Press, 2007.
13. J.-S. Coron. On the exact security of Full Domain Hash. In Crypto'00, LNCS 1880, pages 229–235. Springer, 2000.
14. I. Damgård. Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks. In Crypto'91, LNCS 576, pages 445–456. Springer, 1991.
15. A. Dent. The Hardness of the DHK Problem in the Generic Group Model. Cryptology ePrint Archive: Report 2006/156, 2006.
16. Y. Dodis, A.-A. Ivan. Proxy Cryptography Revisited. In NDSS'03, 2003.
17. M. Green, G. Ateniese. Identity-Based Proxy Re-encryption. In ACNS'07, LNCS 4521, pages 288–306. Springer, 2007.
18. S. Hohenberger. Advances in Signatures, Encryption, and E-Cash from Bilinear Groups. Ph.D. Thesis, MIT, May 2006.
19. S. Hohenberger, G. N. Rothblum, a. shelat, V. Vaikuntanathan. Securely Obfuscating Re-encryption. In TCC'07, LNCS 4392, pages 233–252. Springer, 2007.
20. S. Kunz-Jacques, D. Pointcheval. About the Security of MTI/C0 and MQV. In SCN'06, LNCS 4116, pages 156–172. Springer, 2006.
21. S. Lu, R. Ostrovsky, A. Sahai, H. Shacham, B. Waters. Sequential Aggregate Signatures and Multisignatures Without Random Oracles. In Eurocrypt'06, LNCS 4004, pages 465–485. Springer, 2006.
22. T. Malkin, S. Obana, M. Yung. The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures. In Eurocrypt'04, LNCS 3027, pages 306–322. Springer, 2004.
23. M. Mambo, K. Usuda, E. Okamoto. Proxy Signatures for Delegating Signing Operation. In ACM CCS'96, pages 48–57. ACM Press, 1996.
24. M. Naor. On Cryptographic Assumptions and Challenges. In Crypto'03, LNCS 2729, pages 96–109. Springer-Verlag, 2003.
25. J. Shao, Z. Cao, L. Wang, X. Liang. Proxy Re-Signature Schemes without Random Oracles. In Indocrypt'07, LNCS 4859, pages 197–209. Springer, 2007.
26. C. P. Schnorr. Efficient identification and signatures for smart cards. In Crypto'89, LNCS 435, pages 239–252. Springer, 1989.
27. B. Waters. Efficient Identity-Based Encryption Without Random Oracles. In Eurocrypt'05, LNCS 3494, pages 114–127. Springer, 2005.

A Generic hardness of $\ell$-FlexDH in bilinear groups

To provide more confidence in the $\ell$-FlexDH assumption, we prove a lower bound on the computational complexity of the $\ell$-FlexDH problem for generic groups equipped with bilinear maps. In [20], Kunz-Jacques and Pointcheval define a family of computational problems that enables the study of variants of the CDH problem in the generic group model. Let $\mathcal{A}$ be an adversary in this model and $\varphi(X_1, \ldots, X_k, Y_1, \ldots, Y_\ell)$ be a multivariate polynomial whose coefficients might depend on $\mathcal{A}$'s behaviour. For values of $x_1, \ldots, x_k$ chosen by the simulator, and knowing their encodings, the goal of $\mathcal{A}$ is to compute the encodings of $y_1, \ldots, y_\ell$ such that $\varphi(x_1, \ldots, x_k, y_1, \ldots, y_\ell) = 0$. All elements manipulated by $\mathcal{A}$ are linear polynomials in $x_1, \ldots, x_k$ and some new random elements introduced through the group oracle. Let us denote by $P_i$ the polynomial corresponding to $y_i$ (it is a random variable); Kunz-Jacques and Pointcheval proved the following result.

Theorem 3 ([20]). Let $d = \deg(\varphi)$ and $P_m$ be an upper bound for the probability

$$\Pr\big[ \varphi(X_1, \ldots, X_k, P_1(X_1, \ldots, X_k), \ldots, P_\ell(X_1, \ldots, X_k)) = 0 \big].$$

Then the probability that $\mathcal{A}$ wins after $q_G$ queries satisfies

$$\mathrm{Succ}(q_G) \leq P_m + \frac{(3q_G + k + 2)^2}{p} + \frac{d}{p}.$$

The choice $\varphi(X_1, X_2, Y_1, \ldots, Y_{\ell+1}) = Y_{\ell+1} - X_1 X_2 Y_1 \cdots Y_\ell$ implies the generic hardness of the problem $\ell$-FlexDH in groups.
The purpose of this section is to prove that Kunz-Jacques and Pointcheval's result also holds in generic bilinear groups and therefore that the problem $\ell$-FlexDH is intractable in these groups.

Theorem 4. Let $d = \deg(\varphi)$ and $P_m$ be an upper bound for the probability

$$\Pr\big[ \varphi(X_1, \ldots, X_k, P_1(X_1, \ldots, X_k), \ldots, P_\ell(X_1, \ldots, X_k)) = 0 \big].$$

Then the probability that $\mathcal{A}$ wins after $q_G$ oracle queries to the group operations in $\mathbb{G}$, $\mathbb{G}_T$ and to the bilinear map $e$ satisfies

$$\mathrm{Succ}(q_G) \leq P_m + \frac{(3q_G + k + 2)^2}{p} + \frac{d}{p}.$$

Proof. In the following, $I$ and $I_T$ denote the set $\{0, \ldots, p-1\}$ and are used to represent elements of $\mathbb{G}$ and $\mathbb{G}_T$ respectively. Following [20], in the generic bilinear group model, an adversary $\mathcal{A}$ has access to
– an oracle $G$ that, on input $(a, b, r, r') \in \mathbb{Z}^2 \times I^2$, answers with the representation of $ax + bx'$ in $I$, where $r$ is the representation of $x$ and $r'$ the representation of $x'$;
– an oracle $G_T$ that, on input $(a, b, r, r') \in \mathbb{Z}^2 \times I_T^2$, answers with the representation of $ax + bx'$ in $I_T$, where $r$ is the representation of $x$ and $r'$ the representation of $x'$;
– an oracle $E$ that, on input $(a, b, r, r') \in \mathbb{Z}^2 \times I^2$, answers with the representation of $ax + bx'$ in $I_T$, where $r$ is the representation of $x$ and $r'$ the representation of $x'$.

The connection between representations and elements of $\mathbb{Z}_p$ is managed by the simulator through two lists $L$ and $L_T$ of pairs $(x, r)$ associating an element with its representation. A representation $r$ in an oracle query input does not need to correspond to an element of $\mathbb{Z}_p$ in $L$ or $L_T$; if it does, the corresponding element is used, otherwise a random element $x$ is drawn by the simulator in $\mathbb{Z}_p$ and bound to $r$, that is, $(x, r)$ is added to $L$ or $L_T$. The same rule applies for the answer to the query: if $ax + bx' = x''$ with $(x'', r'')$ in $L$ or $L_T$, $r''$ is answered. Otherwise, a random representation $r''$ is chosen, $(x'', r'')$ is added to $L$ or $L_T$, and the answer to the oracle query is $r''$. Overall, each oracle query adds at most 3 pairs to $L$ or $L_T$.

For our problem, initially we have

$$L = \{(0, r_z), (1, r_e), (x_1, r_1), \ldots, (x_k, r_k)\} \quad \text{and} \quad L_T = \emptyset$$

and $\mathcal{A}$ is given $r_z, r_e, r_1, \ldots, r_k$. $\mathcal{A}$'s goal is to output $r'_1, \ldots, r'_\ell$ corresponding to $y_1, \ldots, y_\ell$ in $\mathbb{Z}_p$ that, together with the $x_i$'s, cancel $\varphi$. The last queries of $\mathcal{A}$ are assumed to be of the form $G(1, 0, r'_i, r_e)$. $\mathcal{A}$ has won if $\varphi(x_1, \ldots, x_k, y_1, \ldots, y_\ell) = 0$ where $(y_i, r'_i) \in L$.

To prove the generic hardness of the problem, we consider a simulator $\mathcal{S}'$ where random values in $\mathbb{Z}_p$ are replaced by formal unknowns $X_i$. Representations of elements of $\mathbb{G}$ (resp. $\mathbb{G}_T$) correspond to linear combinations (resp. quadratic polynomials) of these unknowns with coefficients in $\mathbb{Z}_p$. The simulation is similar to the one given in [20] and $\mathcal{A}$'s goal is to output $r'_1, \ldots, r'_\ell$ corresponding to linear polynomials $P_1, \ldots, P_\ell$ in $\mathbb{Z}_p[X_1, \ldots, X_k, \ldots]$ that, together with the unknowns $X_i$, cancel $\varphi$. The difference between $\mathcal{A}$'s success probability in the two simulations occurs only if, in $\mathcal{S}'$'s simulation, the representations of different polynomials (linear or quadratic) $P_1$ and $P_2$ collide in $\mathcal{S}$'s simulation. The number of polynomials in $L$ and $L_T$ is upper-bounded by $3q_G + k + 2$ and their degrees are at most two. Therefore, the difference appears with probability at most $(3q_G + k + 2)^2 / p$. As in [20], the success criterion in $\mathcal{S}'$'s simulation is stricter than in $\mathcal{S}$'s simulation and, as above, the probability that $\mathcal{A}$ succeeds in $\mathcal{S}$'s simulation but not in $\mathcal{S}'$'s simulation is upper-bounded by $d/p$ (since $\varphi$ is of degree $d$ and the $P_i$'s are linear polynomials). ⊓⊔
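As an added illustration (our own code, not the authors'), the following script runs the Sign, Re-Sign and Verify algorithms of Sections 5.1 and 5.2 end to end: a first level signature is translated through several proxies and checked at every level against relations (4)-(7) and their multi-hop generalisation, and a verifier is shown rejecting the translated signature under the previous signer's key or under another message. It assumes a toy additive model of the bilinear groups, $\mathbb{G} = \mathbb{G}_T = (\mathbb{Z}_p, +)$ with $g = 1$ and $e(u, v) = uv \bmod p$, in which discrete logarithms are trivial, so it exercises only the algebra of the scheme and says nothing about its security; the prime, the message length and the messages are constructed values.

```python
"""Toy end-to-end run of the standard-model multi-hop PRS of Sections 5.1-5.2 (added example,
not the paper's code). The bilinear groups are modelled additively: G = G_T = (Z_p, +) with
g = 1, so g^x is the integer x and e(u, v) = u*v mod p is bilinear. Discrete logs are trivial
here,so only the algebra of Sign / Re-Sign / Verify is exercised, never the scheme's security."""
import secrets
from functools import reduce

P = (1 << 61) - 1   # toy group order (constructed); real deployments use pairing-friendly curves
N_BITS = 8          # message length n (constructed, small)

def gmul(u, v): return (u + v) % P              # group law (written multiplicatively in the paper)
def gexp(u, x): return (u * x) % P              # u^x
def pair(u, v): return (u * v) % P              # e(u, v), landing in G_T = (Z_p, +)
def inv(x): return pow(x, P - 2, P)             # inverse in Z_p^*
def rnd(): return secrets.randbelow(P - 1) + 1  # x <- Z_p^*
def prod_mod(xs): return reduce(lambda a, b: a * b % P, xs, 1)

def global_setup():
    """Global-setup: generator g, a second generator h and the vector u = (u', u_1, ..., u_n)."""
    return {"g": 1, "h": rnd(), "u": [rnd() for _ in range(N_BITS + 1)]}

def F(cp, m):
    """Waters hash F(m) = u' * prod_i u_i^{m_i}; m is the n-bit string given as an integer."""
    bits = [(m >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]
    return reduce(gmul, [u for u, b in zip(cp["u"][1:], bits) if b], cp["u"][0])

def keygen(cp):
    x = rnd()
    return x, gexp(cp["g"], x)                  # (x_i, X_i = g^{x_i})

def rekeygen(x_j, X_i):
    return gexp(X_i, inv(x_j))                  # R_ij = X_i^{1/x_j} = g^{x_i/x_j}

def sign(cp, level, m, x_i):
    """Sign(level, m, x_i) of Section 5.2 with level = l+1; level 1 is the case l = 0 (no t's)."""
    g, h, ell = cp["g"], cp["h"], level - 1
    r, t = rnd(), [rnd() for _ in range(ell)]                      # t_1 .. t_l
    xt = lambda k: x_i * prod_mod(t[:k]) % P                       # exponent x_i t_1 ... t_k
    sig = [gmul(gexp(h, xt(ell)), gexp(F(cp, m), r)), gexp(g, r)]  # sigma_0, sigma_1
    sig += [gexp(g, xt(ell + 2 - k)) for k in range(2, ell + 2)]   # sigma_k = g^{x_i t_1..t_{l+2-k}}
    sig += [gexp(g, t[k - ell - 2]) for k in range(ell + 2, 2 * ell + 2)]  # sigma_k = g^{t_{k-l-1}}
    return sig

def verify(cp, level, m, sig, X_i):
    """Verify(level, m, sig, X_i): relation (4) at level 1, the pairing chain of Section 5.2 above."""
    g, h, Fm, ell = cp["g"], cp["h"], F(cp, m), level - 1
    if sig is None or len(sig) != 2 * level: return False
    if level == 1: return pair(sig[0], g) == gmul(pair(X_i, h), pair(Fm, sig[1]))
    if pair(sig[0], g) != gmul(pair(h, sig[2]), pair(Fm, sig[1])): return False
    for k in range(2, ell + 1):                                    # e(s_k, g) = e(s_{k+1}, s_{2l+3-k})
        if pair(sig[k], g) != pair(sig[k + 1], sig[2 * ell + 3 - k]): return False
    return pair(sig[ell + 1], g) == pair(X_i, sig[ell + 2])        # e(s_{l+1}, g) = e(X_i, s_{l+2})

def resign(cp, level, m, sig, R_ij, X_i, X_j):
    """Re-Sign: a valid level-`level` signature of i becomes a level+1 signature for j.
    Level 1 -> 2 is relation (5) with t = r_0; higher levels follow Section 5.2."""
    if not verify(cp, level, m, sig, X_i): return None
    g, Fm, ell = cp["g"], F(cp, m), level - 1
    r2, r = rnd(), [rnd() for _ in range(ell + 1)]                 # r' and (r_0, ..., r_l)
    new = [gmul(gexp(sig[0], prod_mod(r)), gexp(Fm, r2)),          # sigma'_0
           gmul(gexp(sig[1], prod_mod(r)), gexp(g, r2))]           # sigma'_1
    new += [gexp(sig[k], prod_mod(r[:ell + 3 - k])) for k in range(2, ell + 2)]  # r_0..r_{l+2-k}
    new += [gexp(X_i, r[0]), gexp(R_ij, r[0])]                     # sigma'_{l+2}, sigma'_{l+3}
    new += [gexp(sig[k - 2], r[k - ell - 3]) for k in range(ell + 4, 2 * ell + 4)]
    return new

def demo(hops=3):
    """Sign once at level 1, translate through `hops` proxies and report what verifiers see."""
    cp = global_setup()
    keys = [keygen(cp) for _ in range(hops + 1)]                   # users 0 .. hops
    m, m_other = 0b10110010, 0b01001101                            # constructed 8-bit messages
    sig = sign(cp, 1, m, keys[0][0])
    chain_ok = verify(cp, 1, m, sig, keys[0][1])
    for lvl in range(1, hops + 1):
        (x_j, X_j), X_i = keys[lvl], keys[lvl - 1][1]
        sig = resign(cp, lvl, m, sig, rekeygen(x_j, X_i), X_i, X_j)   # proxy: user lvl-1 -> lvl
        chain_ok = chain_ok and verify(cp, lvl + 1, m, sig, X_j)
    X_last, X_prev = keys[hops][1], keys[hops - 1][1]
    return {"chain_valid": chain_ok,
            "wrong_key_rejected": not verify(cp, hops + 1, m, sig, X_prev),
            "wrong_message_rejected": not verify(cp, hops + 1, m_other, sig, X_last),
            "direct_sign_valid": verify(cp, hops + 1, m, sign(cp, hops + 1, m, keys[hops][0]), X_last)}
```

Calling demo(3) returns all four flags set to True: the signature survives three translations, is rejected under the wrong key or message, and a signature produced directly at level 4 verifies the same way.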