Non-interactive Conditional Proxy Re-Signature in the Standard Model

Abstract

Proxy re-signature allows a semi-trusted proxy to transform a delegatee’s signature on a message into a delegator’s signature on the same message. To transform a signature, the proxy uses a re-signature key that is received from the delegator. Once the proxy has received the re-signature key, the proxy can transform all the delegatee’s signatures to the delegator’s signatures; this is undesirable in applications that require fine-grained delegation. To overcome this limitation of proxy re-signature schemes, the concept of conditional proxy re-signature was proposed. It provides fine-grained delegation, by which a re-signature key can be used to transform a signature on a message only under a specific condition. To the best of our knowledge, two conditional proxy re-signature schemes have been proposed, but neither is proved in the standard model. We propose a non-interactive conditional proxy re-signature scheme in the standard model. In the proposed scheme, a delegator can choose a condition and can non-interactively generate a re-signature key even if the delegatee is off-line. Therefore, the delegator fully controls the delegation process. Our scheme is existentially unforgeable against adaptive chosen message attack and adaptive chosen condition attack.

1. INTRODUCTION

Proxy re-signature (PRS) [1] allows a semi-trusted proxy to transform Alice’s signature on a message into Bob’s signature on the same message. To transform a signature, the proxy uses a re-signature key that is received from Bob; in this process, the proxy does not learn the secret keys of Alice or Bob. The transformed signature is verified with Bob’s public key although the signature was originally made by Alice; i.e. Bob delegates his signing right to Alice. Therefore, Bob is called the delegator and Alice is called the delegatee.
Ateniese and Hohenberger [2] formalized security models of PRS and provided useful properties and applications. They initially suggested eight desirable properties:

Unidirectional: re-signature keys allow the proxy to transform Alice’s signature to Bob’s signature, but not vice versa.
Multi-use: a message can be re-signed more than once.
Private proxy: the re-signature keys can be kept secret by an honest proxy.
Transparent: a user may not even know that a proxy exists.
Key optimal: a user is required to protect and store only a small constant number of secrets.
Non-interactive: the delegatee does not take part in the delegation process.
Non-transitive: proxies cannot re-delegate their re-signing rights.
Temporary: a re-signing right is temporary.

The definition of proxy re-signatures given in [1] was informal, so research on the topic was sparse. However, since the formalization in [2], studies on PRS have achieved the multi-use, unidirectional and non-interactive properties in the standard model [3–7]. Blaze et al.’s construction [1] was bidirectional, multi-use and interactive. Ateniese and Hohenberger [2] proposed a bidirectional, multi-use and interactive PRS scheme and a unidirectional, single-use and non-interactive PRS scheme in the random oracle model. Shao et al. [3] proposed a bidirectional, multi-use and interactive PRS scheme in the standard model, but their scheme was attacked and fixed [4, 6]. Chow et al. [4] proposed a unidirectional, single-use and interactive PRS scheme in the standard model. Libert and Vergnaud [5] proposed the first unidirectional, multi-use and non-interactive PRS scheme in the standard model. Recent work has focused on identity-based [3, 8–11], certificateless [12] and lattice-based [13] schemes.

In a PRS scheme, if a delegator sends a re-signature key to a semi-trusted proxy, the proxy can transform all the delegatee’s signatures to the delegator’s signatures. This trait is undesirable in applications that require fine-grained delegation.
The semi-trusted proxy has unnecessarily many permissions for converting signatures. This situation is not what a delegator wants, because all transformed signatures will be verified with the delegator’s public key. Therefore, the delegator should be able to fully control which signatures can be transformed. To meet this goal, the concept of conditional proxy re-signature was proposed [14, 15]. It provides fine-grained delegation, by which a re-signature key can be used to transform a signature on a message only under a specific condition; i.e. the delegator can categorize messages into different subsets according to conditions, and can delegate the signing rights separately for each subset.

1.1. Related work

Vivek and Balasubramanian [15] proposed conditional proxy re-signature (CPRS) and its security model in the random oracle model. They proposed CPRS as a natural application of PRS and provided an applicable scenario in a vehicular ad hoc network (VANET). Their security model is based on the security notion proposed by Shao et al. [7]. However, their scheme is proved in the random oracle model [16], which is heuristic in the sense that it assumes the existence of a truly random function that all parties involved in a protocol can access. Therefore, security proven in the random oracle model does not guarantee security in the real world, because the random oracle does not exist. Vivek and Balasubramanian did not consider the non-interactive property. To generate a re-signature key, the delegator and the delegatee must cooperate interactively: in the re-signature key generation process, the delegator chooses a condition and the delegatee uses the received condition to compute a part of the re-signature key. The non-interactive property simplifies the generation of re-signature keys. In particular, the delegatee is not required to be on-line during the delegation process. To apply CPRS flexibly, the non-interactive property is an important consideration.
Independently, Wang [14] proposed a conceptual proxy re-signature scheme that supports conditional delegation. He proposed a method that uses a fixed randomness. A delegatee maintains (delegatee’s condition, fixed randomness) pairs. If the delegatee wants to sign a message with a condition, he chooses the fixed randomness that corresponds to the condition, then uses it to generate a signature. A delegator can generate a conditional re-signature key by using his public key and a fixed randomness maintained by the delegatee. Re-signing is only possible when the fixed randomness is the same in the signature and in the re-signature key. The main drawback of this scheme is that the delegation process is controlled by the delegatee, rather than by the delegator. All transformed signatures will be verified with the delegator’s public key. Therefore, the most reasonable approach is that the delegator controls which signatures of the delegatee can be transformed. Wang left the formal definition, security model and a natural construction as future work.

Our scheme shares some properties with previous work (Table 1). Compared to Vivek and Balasubramanian’s scheme [15], our scheme additionally satisfies the non-interactive property and it is proved in the standard model. Wang’s scheme can achieve the non-interactive property if we assume that (delegatee’s condition, fixed randomness $g^{1/t}$) pairs are publicly available, but it does not satisfy the key optimal property, because a delegatee must maintain a set of (delegatee’s condition, fixed randomness $t$) pairs whose size grows linearly with the number of conditions. In our scheme, the delegator can fully control which signatures of the delegatee can be transformed.

Table 1. Comparison.
Property              [15]            [14]         Ours
Unidirectional        Yes             Yes          Yes
Multi-use             No              No           No
Private proxy         Yes             Yes          Yes
Transparent           No              No           No
Key optimal           Yes             No           Yes
Non-interactive       No              Yes          Yes
Condition selection   Delegator       Delegatee    Delegator
Security              Random oracle   Not proved   Standard model

1.2. Application

Proxy re-signature schemes can be applied in many applications such as providing a proof that a path has been taken, managing group signatures and simplifying certificate management [2]. PRS has also been used in various applications such as privacy-preserving authentication in a VANET to hide the identity of a vehicle [17], pseudonymous authentication in a VANET for pseudonymous certificate update [18] and public auditing in the cloud to update a revoked user’s data [19]. A simple application of conditional proxy re-signature is temporary delegation. CPRS can support temporary delegation by only allowing the proxy to re-sign a delegatee’s signature into a delegator’s signature for a limited time. One possible solution is to use time period information as the condition.
For example, if we assume that all users sign a message with the time when the message was created, such as August2017, and that a re-signature key is generated using the condition August2017, the proxy’s ability to re-sign can be restricted to that time period. Vivek and Balasubramanian [15] showed an application of conditional proxy re-signature in VANETs. Their scenario consists of a country root certificate authority (CA), regional CAs, road side units (RSUs) in a region and vehicles that each have an on-board unit (OBU). The root CA acts as the delegator, RSUs are the delegatees and the regional CAs act as the proxies. The OBU holds information about the vehicle’s identity, which will be certified by the CA. The regional CA has a conditional re-signature key, which converts the RSU’s signature to the root CA’s signature if the condition holds. When entering a region, a vehicle provides its credentials and conditions to the RSU. The RSU signs the credentials and conditions and sends them to the regional CA, which holds a re-signature key. The regional CA converts the signature of the RSU to a signature of the root CA and sends the signature back to the RSU. The RSU then sends the signature back to the vehicle, which thereby obtains a valid certificate signed by the root CA. This scenario provides several services at different levels according to users’ conditions. Therefore, this application can replace an access control list and can reduce load on the root CA.

1.3. Our contribution

In this paper, we propose a conditional proxy re-signature scheme in the standard model. Our scheme uses a bilinear map that is realized by pairings. The proposed scheme is a non-interactive, unidirectional and single-use CPRS scheme. For conditional proxy re-signature we propose a security model based on the security models in [2, 5]. Our scheme is secure if the 1-Flexible Diffie–Hellman (1-FlexDH) assumption and the modified computational Diffie–Hellman (mCDH) assumption from [5] hold.

1.4. Paper organization

The remainder of this paper is organized as follows. Section 2 explains the complexity assumptions we need. Section 3 recalls the syntax of CPRS schemes and proposes the security model. Section 4 describes our proposed scheme and its security. Finally, Section 5 gives the conclusion.

2. BILINEAR MAP AND COMPLEXITY ASSUMPTION

2.1. Bilinear map

Let $G$ and $G_T$ be two cyclic groups of prime order $p$. The bilinear map $e: G \times G \to G_T$ between these two groups should satisfy the following properties:

Bilinear: $e(g^a, h^b) = e(g, h)^{ab}$ for all $g, h \in G$ and $a, b \in \mathbb{Z}$;
Non-degenerate: if $g$ is a generator of $G$ then $e(g, g) \neq 1_{G_T}$;
Computable: there is an efficient algorithm to compute $e(g, h)$ for any $g, h \in G$.

Such a bilinear map can be instantiated with the Weil pairing or the Tate pairing. In this paper, we write $G$ and $G_T$ multiplicatively.

2.2. Complexity assumptions

The security of our conditional proxy re-signature scheme will be reduced to the hardness of the 1-FlexDH problem and the mCDH problem [5] in the group in which the signature is constructed. We briefly review the definitions of these hard problems.

Definition 2.1 (1-Flexible Diffie–Hellman Problem). Given a group $G$ of prime order $p$ with generator $g$ and elements $g^a, g^b \in G$, where $a, b$ are selected uniformly at random from $\mathbb{Z}_p^*$, the 1-Flexible Diffie–Hellman (1-FlexDH) problem in $G$ is to compute a triple $(C, C^a, C^{ab}) \in (G \setminus \{1_G\})^3$.

Definition 2.2 (modified computational Diffie–Hellman Problem). Given a group $G$ of prime order $p$ with generator $g$ and elements $g^a, g^{a^2}, g^b \in G$, where $a, b$ are selected uniformly at random from $\mathbb{Z}_p^*$, the modified computational Diffie–Hellman (mCDH) problem in $G$ is to compute $g^{ab}$. Note that we will also use an equivalent formulation from [5], which is to find $h^{xy}$ given $(h, h^x, h^{1/x}, h^y)$.

3. SYNTAX AND SECURITY MODEL

In this section, we present the syntax of conditional proxy re-signature and the security model that are used to construct and prove our scheme.

3.1. Syntax

We modify the syntax of conditional proxy re-signature in [15] to fit our non-interactive conditional proxy re-signature scheme. The biggest difference between the syntax of our conditional proxy re-signature scheme and the scheme in [15] is the input to the $\mathsf{Rekeygen}$ algorithm. In [15], the $\mathsf{Rekeygen}$ algorithm takes a delegatee’s secret key and a delegator’s secret key. To generate a re-signature key without revealing each other’s secret key, the delegatee and the delegator must compute the re-signature key interactively. In contrast, in our scheme, the $\mathsf{Rekeygen}$ algorithm takes a delegatee’s public key and a delegator’s secret key. Therefore, the delegator can compute a re-signature key without interacting with the delegatee.

Definition 3.1 A unidirectional single-use non-interactive conditional proxy re-signature scheme consists of seven algorithms ($\mathsf{Setup}$, $\mathsf{Keygen}$, $\mathsf{Rekeygen}$, $\mathsf{ReSigKeyVer}$, $\mathsf{Sign}$, $\mathsf{ReSign}$, $\mathsf{Verify}$) such that:

$\mathsf{Setup}(\lambda)$, the global parameter generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a global parameter $\mathsf{param}$ to be used by all parties; $\mathsf{param} \leftarrow \mathsf{Setup}(\lambda)$. For simplicity we omit the global parameter from the inputs of the other algorithms.

$\mathsf{Keygen}(\lambda)$, the key generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a public key $pk_i$ and a secret key $sk_i$ for user $i$; $(pk_i, sk_i) \leftarrow \mathsf{Keygen}(\lambda)$.

$\mathsf{Rekeygen}(pk_i, sk_j, c)$, the re-signature key generation algorithm, is a possibly probabilistic algorithm that, given user $i$’s public key $pk_i$, user $j$’s secret key $sk_j$ and a condition $c$, outputs the re-signature key $rk^c_{i \to j}$ that transforms user $i$’s signature into user $j$’s signature for the condition $c$; $rk^c_{i \to j} \leftarrow \mathsf{Rekeygen}(pk_i, sk_j, c)$.
$\mathsf{ReSigKeyVer}(pk_i, pk_j, c, rk^c_{i \to j})$, the re-signature key verification algorithm, is a deterministic algorithm that, given user $i$’s public key $pk_i$, user $j$’s public key $pk_j$, a condition $c$ and a re-signature key $rk^c_{i \to j}$, outputs a bit $b \in \{0, 1\}$ (where $b = 1$ signifies ‘acceptance’ and $b = 0$ signifies ‘rejection’); $b \leftarrow \mathsf{ReSigKeyVer}(pk_i, pk_j, c, rk^c_{i \to j})$.

$\mathsf{Sign}(sk_i, c, m)$, the signing algorithm, is a probabilistic algorithm that, given user $i$’s secret key $sk_i$, a condition $c$ and a message $m$, outputs user $i$’s first-level signature $\sigma^{(1)}$, which can be transformed by the proxy; $\sigma^{(1)} \leftarrow \mathsf{Sign}(sk_i, c, m)$.

$\mathsf{ReSign}(c, m, \sigma^{(1)}, rk^c_{i \to j}, pk_i, pk_j)$, the re-signing algorithm, is a probabilistic algorithm that, given a condition $c$, the message $m$, user $i$’s first-level signature $\sigma^{(1)}$, a re-signature key $rk^c_{i \to j}$, user $i$’s public key $pk_i$ and user $j$’s public key $pk_j$, first checks that $\sigma^{(1)}$ and $rk^c_{i \to j}$ are valid. If they are valid, the algorithm re-signs user $i$’s signature $\sigma^{(1)}$ into user $j$’s signature $\sigma^{(2)}$ and outputs the second-level signature $\sigma^{(2)}$, which cannot be transformed any further. Otherwise, the algorithm outputs the special symbol $\bot$, which indicates an error; $\sigma^{(2)} \leftarrow \mathsf{ReSign}(c, m, \sigma^{(1)}, rk^c_{i \to j}, pk_i, pk_j)$.

$\mathsf{Verify}(pk_i, c, m, \sigma^{(L)})$, the verification algorithm, is a deterministic algorithm that, given user $i$’s public key $pk_i$, a condition $c$, a message $m$ and user $i$’s signature $\sigma^{(L)}$, which can be a first-level or a second-level signature for $L \in \{1, 2\}$, outputs a bit $b \in \{0, 1\}$ (where $b = 1$ signifies ‘acceptance’ and $b = 0$ signifies ‘rejection’); $b \leftarrow \mathsf{Verify}(pk_i, c, m, \sigma^{(L)})$.

For any common public parameter $\mathsf{param}$, any condition $c$, any message $m$ and any two private/public key pairs $(sk_i, pk_i), (sk_j, pk_j)$ generated with $\mathsf{Keygen}(\lambda)$, the algorithms should satisfy the following correctness properties:
$$\mathsf{Verify}(pk_i, c, m, \mathsf{Sign}(sk_i, c, m)) = 1;\qquad \mathsf{Verify}(pk_j, c, m, \sigma^{(2)}) = 1;\qquad \mathsf{ReSigKeyVer}(pk_i, pk_j, c, \mathsf{Rekeygen}(pk_i, sk_j, c)) = 1,$$
where $\sigma^{(2)} = \mathsf{ReSign}(c, m, \mathsf{Sign}(sk_i, c, m), \mathsf{Rekeygen}(pk_i, sk_j, c), pk_i, pk_j)$; i.e. all signatures generated by the $\mathsf{Sign}$ or $\mathsf{ReSign}$ algorithms and all re-signature keys generated by the $\mathsf{Rekeygen}$ algorithm should be valid.

3.2. Security model

Vivek and Balasubramanian [15] proposed a security model for CPRS based on [7]. Shao et al.’s security model [7] is an improvement over the security model proposed by Ateniese and Hohenberger (the AH model) [2] when a proxy re-signature scheme has the unidirectional and private proxy properties. Shao et al. presented a scheme that had been proven secure in the AH model but is insecure against a specific attack; they also proposed a new security model that reduces the four security games of [2] to one security game. The security of the schemes in [2, 4, 5] was proved in the AH model, and the security of the schemes in [3, 15, 20] was proved in Shao et al.’s security model. One drawback of the schemes proved in Shao et al.’s security model is that if a delegator is corrupted, the re-signature key generation query fails. To prevent this failure, the schemes impose the restriction that the delegator and the delegatee are either both corrupted or both uncorrupted in a re-signature key generation query; this means that the parties whose security is compromised must be fixed in advance [21]. Therefore, in this paper, we propose a new CPRS security model based on [2] to prove our proposed scheme in the standard model without restrictions on the generation of re-signature keys. The proposed security model captures existential unforgeability, whereas the security model in [2] captures strong unforgeability. We divide our security model according to the primary goal of the adversary (signature forger or re-signature key forger) and the dishonest entities.
The following are the security models for a unidirectional single-use non-interactive CPRS scheme. Our scheme is secure against the attack in [7] because our re-signing algorithm re-randomizes the component of the first-level signature that contains the message $m$.

3.2.1. External security

External security is security against outside adversaries, i.e. everyone except the proxy, the delegators and the delegatees. In this security model, an adversary can obtain signatures on adaptively chosen messages and conditions. The goal of the adversary is to produce a signature of a delegator or delegatee on a new message or a new condition. The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \mathsf{Keygen}(\lambda)\}_{i \in [1,N]},\ (i^*, c^*, m^*, \sigma^{(L)*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{Sign}}(\cdot,\cdot,\cdot),\ \mathcal{O}_{\mathsf{ReSign}}(\cdot,\cdot,\cdot,\cdot,\cdot)}(\{pk_i\}_{i \in [1,N]}) :\ \mathsf{Verify}(pk_{i^*}, c^*, m^*, \sigma^{(L)*}) = 1 \wedge (1 \le i^* \le N) \wedge (i^*, c^*, m^*) \notin Q\Big]$$
where $\mathcal{O}_{\mathsf{Sign}}(\cdot,\cdot,\cdot)$ is an oracle that takes as input an index $i \in \{1, \dots, N\}$, a condition $c$ and a message $m$ and returns a first-level signature $\sigma^{(1)} \leftarrow \mathsf{Sign}(sk_i, c, m)$. $\mathcal{O}_{\mathsf{ReSign}}(\cdot,\cdot,\cdot,\cdot,\cdot)$ takes indices $i, j \in \{1, \dots, N\}$, a condition $c$, a message $m$ and a signature $\sigma^{(1)}$, then outputs a second-level signature $\sigma^{(2)} \leftarrow \mathsf{ReSign}(c, m, \sigma^{(1)}, \mathsf{Rekeygen}(pk_i, sk_j, c), pk_i, pk_j)$. $Q$ denotes the set of (signer, condition, message) tuples $(i, c, m)$ queried to $\mathcal{O}_{\mathsf{Sign}}(\cdot,\cdot,\cdot)$ or such that a tuple $(\cdot, i, c, m, \cdot)$, with $i \in \{1, \dots, N\}$, was queried to $\mathcal{O}_{\mathsf{ReSign}}(\cdot,\cdot,\cdot,\cdot,\cdot)$. In this game, the forgery $\sigma^{(L)*}$, where $L \in \{1, 2\}$, can be a first-level or a second-level signature.

3.2.2. Internal security

Internal security is protection against dishonest proxies and colluding delegators or delegatees.
This security notion is divided into four security games.

Limited proxy: This is security against a dishonest proxy who wants to forge a signature on a new message or a new condition. The proxy cannot sign messages on behalf of an honest delegatee, nor create signatures for an honest delegator unless the messages and conditions were signed by delegatees. The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \mathsf{Keygen}(\lambda)\}_{i \in [1,N]},\ (i^*, c^*, m^*, \sigma^{(L)*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{Sign}}(\cdot,\cdot,\cdot),\ \mathcal{O}_{\mathsf{Rekeygen}}(\cdot,\cdot,\cdot)}(\{pk_i\}_{i \in [1,N]}) :\ \mathsf{Verify}(pk_{i^*}, c^*, m^*, \sigma^{(L)*}) = 1 \wedge (1 \le i^* \le N) \wedge (c^*, m^*) \notin Q\Big]$$
where $\mathcal{O}_{\mathsf{Sign}}(\cdot,\cdot,\cdot)$ is an oracle that takes as input an index $i \in \{1, \dots, N\}$, a condition $c$ and a message $m$, then returns a first-level signature $\sigma^{(1)} \leftarrow \mathsf{Sign}(sk_i, c, m)$. $\mathcal{O}_{\mathsf{Rekeygen}}(\cdot,\cdot,\cdot)$ takes indices $i, j \in \{1, \dots, N\}$ and a condition $c$, then outputs $rk^c_{i \to j} \leftarrow \mathsf{Rekeygen}(pk_i, sk_j, c)$. $Q$ denotes the set of (condition, message) pairs $(c, m)$ queried to the signing oracle. Again, $\sigma^{(L)*}$, where $L \in \{1, 2\}$, can be a first-level or a second-level signature. Compared to external security, the limited proxy adversary does not need $\mathcal{O}_{\mathsf{ReSign}}$, because the adversary can obtain re-signature keys from $\mathcal{O}_{\mathsf{Rekeygen}}$ and can then transform first-level signatures into second-level signatures on its own. Unlike external security, the target condition and message pair cannot be queried for a signature: otherwise the adversary wins the game trivially by computing $\sigma^{(2)*} \leftarrow \mathsf{ReSign}(c^*, m^*, \sigma^{(1)}, rk^c_{i \to j}, pk_i, pk_j)$ from $\sigma^{(1)} \leftarrow \mathcal{O}_{\mathsf{Sign}}(i, c^*, m^*)$.

Delegatee security: This notion protects the delegatee from a colluding delegator and proxy.
In this security game, the delegatee has index 0. An adversary can query the signing oracle to receive first-level signatures of the delegatee, or can obtain second-level signatures from the delegatee’s signatures by using a re-signature key. In our setting, the adversary can compute re-signature keys on its own from $pk_0$ and $sk_j$ with $j \neq 0$ by running $\mathsf{Rekeygen}(pk_0, sk_j, c)$, because of the non-interactive property. Therefore, we omit the $\mathsf{Rekeygen}(pk_i, sk_j, c)$ oracle from this security model. The goal of the adversary is to forge a signature on a new message or a new condition. The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \mathsf{Keygen}(\lambda)\}_{i \in [0,N]},\ (c^*, m^*, \sigma^{(L)*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{Sign}}(0,\cdot,\cdot)}(pk_0, \{pk_i, sk_i\}_{i \in [1,N]}) :\ \mathsf{Verify}(pk_0, c^*, m^*, \sigma^{(L)*}) = 1 \wedge (c^*, m^*) \notin Q\Big]$$
where $Q$ is the set of (condition, message) pairs queried to $\mathcal{O}_{\mathsf{Sign}}(0,\cdot,\cdot)$. $\sigma^{(L)*}$ can be a first-level or a second-level signature, for $L \in \{1, 2\}$.

Delegator security: This security notion protects the delegator from collusion between the delegatee and the proxy. In this game, the delegator has index 0. The adversary is given the private keys of all other signers $i \in \{1, \dots, N\}$. A signing oracle provides first-level signatures of the delegator. The goal of the adversary is to forge a first-level signature on a new message or a new condition.
The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \mathsf{Keygen}(\lambda)\}_{i \in [0,N]},\ (c^*, m^*, \sigma^{(1)*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{Sign}}(0,\cdot,\cdot),\ \mathcal{O}_{\mathsf{Rekeygen}}(\cdot,\cdot,\cdot)}(pk_0, \{pk_i, sk_i\}_{i \in [1,N]}) :\ \mathsf{Verify}(pk_0, c^*, m^*, \sigma^{(1)*}) = 1 \wedge (c^*, m^*) \notin Q\Big]$$
where $\sigma^{(1)*}$ is a first-level signature and $Q$ is the set of (condition, message) pairs queried to $\mathcal{O}_{\mathsf{Sign}}(0,\cdot,\cdot)$. A forgery in delegator security is a first-level signature. In contrast, in external security, limited proxy security and delegatee security, the forgery can be a first-level or a second-level signature.

Re-signature key unforgeability: This notion prevents a dishonest proxy from producing re-signature keys of honest delegators for a new condition. The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \mathsf{Keygen}(\lambda)\}_{i \in [1,N]},\ (i^*, j^*, c^*, rk^{c^*}_{i^* \to j^*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{Sign}}(\cdot,\cdot,\cdot),\ \mathcal{O}_{\mathsf{Rekeygen}}(\cdot,\cdot,\cdot)}(\{pk_i\}_{i \in [1,N]}) :\ \mathsf{ReSigKeyVer}(pk_{i^*}, pk_{j^*}, c^*, rk^{c^*}_{i^* \to j^*}) = 1 \wedge (1 \le i^*, j^* \le N) \wedge c^* \notin Q\Big]$$
where $\mathcal{O}_{\mathsf{Sign}}(\cdot,\cdot,\cdot)$ is an oracle that takes as input an index $i \in \{1, \dots, N\}$, a condition $c$ and a message $m$, then returns a first-level signature $\sigma^{(1)} \leftarrow \mathsf{Sign}(sk_i, c, m)$.
$\mathcal{O}_{\mathsf{Rekeygen}}(\cdot,\cdot,\cdot)$ takes indices $i, j \in \{1, \dots, N\}$ and a condition $c$, then outputs $rk^c_{i \to j} \leftarrow \mathsf{Rekeygen}(pk_i, sk_j, c)$. $Q$ denotes the set of conditions $c$ queried to the re-signature key generation oracle.

4. CONDITIONAL PROXY RE-SIGNATURE IN THE STANDARD MODEL

In this section, we propose a conditional proxy re-signature scheme that is secure in the standard model. Our proposed scheme is based on the single-hop proxy re-signature scheme in [5].

4.1. Proposed scheme

$\mathsf{Setup}(\lambda)$: Given a security parameter $\lambda$, the setup algorithm chooses groups $G$ and $G_T$ of prime order $p$ ($> 2^\lambda$) with a bilinear map $e: G \times G \to G_T$. The algorithm picks random generators $g, h, f \in G$, a random $(l+1)$-vector $\bar d = (d', d_1, \dots, d_l) \leftarrow G^{l+1}$, a random $(l+1)$-vector $\bar u = (u', u_1, \dots, u_l) \leftarrow G^{l+1}$ and a random $(n+1)$-vector $\bar v = (v', v_1, \dots, v_n) \leftarrow G^{n+1}$. The algorithm defines the Waters functions $U(c): \{0,1\}^l \to G$ mapping an $l$-bit string $c = c_1 \dots c_l$ onto $U(c) = d' \cdot \prod_{i=1}^{l} d_i^{c_i}$, $J(c): \{0,1\}^l \to G$ mapping $c = c_1 \dots c_l$ onto $J(c) = u' \cdot \prod_{i=1}^{l} u_i^{c_i}$, and $F(m): \{0,1\}^n \to G$ mapping an $n$-bit string $m = m_1 \dots m_n$ onto $F(m) = v' \cdot \prod_{i=1}^{n} v_i^{m_i}$. The global parameter is $\mathsf{param} = \{G, G_T, e, g, h, f, \bar d, \bar u, \bar v\}$.

$\mathsf{Keygen}(\lambda)$: To generate a public/secret key pair, user $i$ chooses random $x_i \in \mathbb{Z}_p^*$ and sets $X_i = g^{x_i}$. The public key and secret key of user $i$ are $pk_i = X_i$ and $sk_i = x_i$.

$\mathsf{Rekeygen}(pk_i, sk_j, c)$: On input of user $i$’s public key $pk_i$, user $j$’s secret key $sk_j$ and a condition $c$, user $j$ chooses random $\rho \in \mathbb{Z}_p^*$ and sets the re-signature key
$$rk^c_{i \to j} = (rk_0, rk_1, rk_2) = \big(c,\ (pk_i \cdot f \cdot U(c)^{\rho})^{1/sk_j},\ g^{\rho}\big),$$
which re-signs a signature of user $i$ into a signature of user $j$ for the condition $c$. User $j$ sends the re-signature key $rk^c_{i \to j}$ to the proxy.

$\mathsf{ReSigKeyVer}(pk_i, pk_j, c, rk^c_{i \to j})$: On input of user $i$’s public key $pk_i$, user $j$’s public key $pk_j$, a condition $c$ and a re-signature key $rk^c_{i \to j} = (rk_0, rk_1, rk_2)$, this algorithm returns 1 if the following three conditions hold:
$$rk_0 = c,\qquad rk_2 \neq 1,\qquad e(rk_1, pk_j) = e(pk_i, g) \cdot e(f, g) \cdot e(U(c), rk_2).$$
Otherwise, it returns 0.
$\mathsf{Sign}(sk_i, c, m)$: To sign a message $m$ with a condition $c$ under the secret key $sk_i$, the signer picks random $r, s \in \mathbb{Z}_p^*$ and sets
$$\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2) = \big(h^{sk_i} \cdot J(c)^r \cdot F(m)^s,\ g^r,\ g^s\big).$$

$\mathsf{ReSign}(c, m, \sigma^{(1)}, rk^c_{i \to j}, pk_i, pk_j)$: On input of the condition $c$, the message $m$, a signature $\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2)$, the re-signature key $rk^c_{i \to j} = (rk_0, rk_1, rk_2)$, user $i$’s public key $pk_i$ and user $j$’s public key $pk_j$, the proxy tests whether $\mathsf{ReSigKeyVer}(pk_i, pk_j, c, rk^c_{i \to j}) = 1$ and checks the following conditions:
$$\sigma_1 \neq 1, \qquad (1)$$
$$\sigma_2 \neq 1, \qquad (2)$$
$$e(\sigma_0, g) = e(h, pk_i) \cdot e(J(c), \sigma_1) \cdot e(F(m), \sigma_2). \qquad (3)$$
If the re-signature key is invalid or conditions (1)–(3) do not hold, the proxy outputs $\bot$. Otherwise, it picks random $t, r', s' \in \mathbb{Z}_p^*$ and computes
$$\begin{aligned}\sigma^{(2)} = (\hat\sigma_0, \hat\sigma_1, \hat\sigma_2, \hat\sigma_3, \hat\sigma_4, \hat\sigma_5, \hat\sigma_6) &= \big(\sigma_0^t \cdot J(c)^{r'} \cdot F(m)^{s'},\ \sigma_1^t \cdot g^{r'},\ \sigma_2^t \cdot g^{s'},\ pk_i^t,\ rk_1^t,\ rk_2^t,\ g^t\big) \\ &= \big(h^{t \cdot sk_i} \cdot J(c)^{\hat r} \cdot F(m)^{\hat s},\ g^{\hat r},\ g^{\hat s},\ g^{t \cdot sk_i},\ g^{t \cdot sk_i / sk_j} \cdot f^{t / sk_j} \cdot U(c)^{\rho t / sk_j},\ g^{\rho t},\ g^t\big),\end{aligned}$$
where $\hat r = t \cdot r + r'$ and $\hat s = t \cdot s + s'$. If we set $\hat t = t \cdot sk_i / sk_j$ and $\delta = \hat t / sk_i = t / sk_j$ to express $\sigma^{(2)}$ in terms of user $j$’s key, we have
$$\sigma^{(2)} = (\hat\sigma_0, \hat\sigma_1, \hat\sigma_2, \hat\sigma_3, \hat\sigma_4, \hat\sigma_5, \hat\sigma_6) = \big(h^{\hat t \cdot sk_j} \cdot J(c)^{\hat r} \cdot F(m)^{\hat s},\ g^{\hat r},\ g^{\hat s},\ pk_j^{\hat t},\ g^{\hat t} \cdot f^{\delta} \cdot U(c)^{\rho \delta},\ pk_j^{\rho \delta},\ pk_j^{\delta}\big).$$

$\mathsf{Verify}(pk_j, c, m, \sigma^{(L)})$: On input of user $j$’s public key $pk_j$, the condition $c$, the message $m$ and a signature $\sigma^{(L)}$ for $L \in \{1, 2\}$, the verifier checks relations (1)–(3) if the signature has the form $(\sigma_0, \sigma_1, \sigma_2)$. Otherwise, it checks validity through the following relations:
$$\hat\sigma_1 \neq 1,\qquad \hat\sigma_2 \neq 1,\qquad e(\hat\sigma_0, g) = e(h, \hat\sigma_3) \cdot e(J(c), \hat\sigma_1) \cdot e(F(m), \hat\sigma_2),\qquad e(\hat\sigma_4, pk_j) = e(g, \hat\sigma_3) \cdot e(f, \hat\sigma_6) \cdot e(U(c), \hat\sigma_5).$$

Correctness of the first-level signature:
$$e(\sigma_0, g) = e(h^{sk_i} \cdot J(c)^r \cdot F(m)^s, g) = e(h^{sk_i}, g) \cdot e(J(c)^r, g) \cdot e(F(m)^s, g) = e(h, g^{sk_i}) \cdot e(J(c), g^r) \cdot e(F(m), g^s) = e(h, pk_i) \cdot e(J(c), \sigma_1) \cdot e(F(m), \sigma_2).$$

Correctness of the second-level signature:
$$\begin{aligned} e(\hat\sigma_0, g) &= e(h^{\hat t sk_j} \cdot J(c)^{\hat r} \cdot F(m)^{\hat s}, g) = e(h^{\hat t sk_j}, g) \cdot e(J(c)^{\hat r}, g) \cdot e(F(m)^{\hat s}, g) \\ &= e(h, g^{\hat t sk_j}) \cdot e(J(c), g^{\hat r}) \cdot e(F(m), g^{\hat s}) = e(h, \hat\sigma_3) \cdot e(J(c), \hat\sigma_1) \cdot e(F(m), \hat\sigma_2), \\ e(\hat\sigma_4, pk_j) &= e(g^{\hat t} \cdot f^{\delta} \cdot U(c)^{\rho \delta}, pk_j) = e(g^{\hat t}, pk_j) \cdot e(f^{\delta}, pk_j) \cdot e(U(c)^{\rho \delta}, pk_j) \\ &= e(g, pk_j^{\hat t}) \cdot e(f, pk_j^{\delta}) \cdot e(U(c), pk_j^{\rho \delta}) = e(g, \hat\sigma_3) \cdot e(f, \hat\sigma_6) \cdot e(U(c), \hat\sigma_5). \end{aligned}$$
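The seven algorithms of Section 4.1 and the three correctness properties of Definition 3.1, as an added example that is not the paper’s own code. It assumes a toy “exponent model” of the pairing group: every element $g^x$ is stored as $x \bmod P$ for a constructed prime $P$, so group multiplication becomes addition, exponentiation becomes multiplication and $e(g^a, g^b)$ becomes $ab$; conditions and messages are mapped to $l$-bit and $n$-bit strings through SHA-256, a constructed encoding. The function names, the bit lengths and the `enforce_checks` switch are this example’s own choices. Discrete logarithms are trivial in this model, so it checks the scheme’s algebra only, not its security; what it does show is that the condition is bound cryptographically rather than by the label $rk_0$ alone: a proxy that skips $\mathsf{ReSigKeyVer}$ and uses a key for August2017 on a September2017 signature produces a second-level signature that $\mathsf{Verify}$ rejects, because $\hat\sigma_4$ carries $U(c)$ for the wrong condition.

```python
"""Toy exponent-model check of the CPRS algorithms of Section 4.1 (added example)."""
import hashlib
import secrets

P = 2**127 - 1            # prime order of the toy group (constructed value)
L_BITS, N_BITS = 64, 128  # bit lengths l (conditions) and n (messages), constructed


def rand_exp():
    """Uniform non-zero exponent, i.e. an element of Z_p^*."""
    return 1 + secrets.randbelow(P - 1)


def to_bits(text, nbits):
    """Encode a string as an nbits-bit string via SHA-256 (constructed encoding)."""
    digest = int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
    return [(digest >> i) & 1 for i in range(nbits)]


def waters(vec, bits_):
    """Waters function v' * prod v_i^{b_i}, written additively in the exponent."""
    return (vec[0] + sum(v for v, b in zip(vec[1:], bits_) if b)) % P


def e(a, b):
    """Pairing in the exponent model: e(g^a, g^b) = e(g,g)^{ab} -> a*b."""
    return a * b % P


def setup():
    vec = lambda k: [secrets.randbelow(P) for _ in range(k)]
    return {"g": 1, "h": rand_exp(), "f": rand_exp(),
            "d": vec(L_BITS + 1), "u": vec(L_BITS + 1), "v": vec(N_BITS + 1)}


def U(pp, c): return waters(pp["d"], to_bits(c, L_BITS))
def J(pp, c): return waters(pp["u"], to_bits(c, L_BITS))
def F(pp, m): return waters(pp["v"], to_bits(m, N_BITS))


def keygen(pp):
    x = rand_exp()
    return pp["g"] * x % P, x                       # (pk = g^x, sk = x)


def rekeygen(pp, pk_i, sk_j, c):
    rho = rand_exp()
    inv_sk_j = pow(sk_j, P - 2, P)                  # 1/sk_j mod P (P is prime)
    rk1 = (pk_i + pp["f"] + U(pp, c) * rho) * inv_sk_j % P   # (pk_i f U(c)^rho)^{1/sk_j}
    return (c, rk1, pp["g"] * rho % P)              # (rk_0, rk_1, rk_2 = g^rho)


def resigkeyver(pp, pk_i, pk_j, c, rk):
    rk0, rk1, rk2 = rk
    rhs = (e(pk_i, pp["g"]) + e(pp["f"], pp["g"]) + e(U(pp, c), rk2)) % P
    return rk0 == c and rk2 != 0 and e(rk1, pk_j) == rhs


def sign(pp, sk_i, c, m):
    r, s = rand_exp(), rand_exp()
    sigma0 = (pp["h"] * sk_i + J(pp, c) * r + F(pp, m) * s) % P   # h^sk J(c)^r F(m)^s
    return (sigma0, pp["g"] * r % P, pp["g"] * s % P)


def verify(pp, pk, c, m, sig):
    g, h, f = pp["g"], pp["h"], pp["f"]
    if len(sig) == 3:                               # first-level: relations (1)-(3)
        s0, s1, s2 = sig
        return (s1 != 0 and s2 != 0 and
                e(s0, g) == (e(h, pk) + e(J(pp, c), s1) + e(F(pp, m), s2)) % P)
    s0, s1, s2, s3, s4, s5, s6 = sig                # second-level signature
    return (s1 != 0 and s2 != 0 and
            e(s0, g) == (e(h, s3) + e(J(pp, c), s1) + e(F(pp, m), s2)) % P and
            e(s4, pk) == (e(g, s3) + e(f, s6) + e(U(pp, c), s5)) % P)


def resign(pp, c, m, sig, rk, pk_i, pk_j, enforce_checks=True):
    """Proxy transformation; enforce_checks=False models a proxy that skips the checks."""
    if enforce_checks and not (resigkeyver(pp, pk_i, pk_j, c, rk) and verify(pp, pk_i, c, m, sig)):
        return None                                 # bottom: invalid key or signature
    s0, s1, s2 = sig
    _, rk1, rk2 = rk
    t, r_p, s_p = rand_exp(), rand_exp(), rand_exp()   # t, r', s'
    return ((s0 * t + J(pp, c) * r_p + F(pp, m) * s_p) % P,   # sigma_0^t J(c)^{r'} F(m)^{s'}
            (s1 * t + pp["g"] * r_p) % P, (s2 * t + pp["g"] * s_p) % P,
            pk_i * t % P, rk1 * t % P, rk2 * t % P, pp["g"] * t % P)


def demo(condition="August2017", other="September2017", m="renew pseudonym"):
    pp = setup()
    pk_a, sk_a = keygen(pp)                         # Alice, the delegatee
    pk_b, sk_b = keygen(pp)                         # Bob, the delegator
    rk = rekeygen(pp, pk_a, sk_b, condition)        # Bob alone; Alice may be off-line
    sig = sign(pp, sk_a, condition, m)
    sig2 = resign(pp, condition, m, sig, rk, pk_a, pk_b)
    sig_other = sign(pp, sk_a, other, m)
    forced = resign(pp, other, m, sig_other, rk, pk_a, pk_b, enforce_checks=False)
    return {
        "rk_valid": resigkeyver(pp, pk_a, pk_b, condition, rk),
        "first_level_ok": verify(pp, pk_a, condition, m, sig),
        "second_level_ok": verify(pp, pk_b, condition, m, sig2),
        "second_level_not_under_alice": not verify(pp, pk_a, condition, m, sig2),
        "other_condition_rejected": resign(pp, other, m, sig_other, rk, pk_a, pk_b) is None,
        "forced_output_invalid": not verify(pp, pk_b, other, m, forced),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the file prints one line per check; all of them are `True`. The identity element is exponent 0 here, which is why the `rk2 != 0` and `s1 != 0` tests stand in for the scheme’s $rk_2 \neq 1$ and $\sigma_1 \neq 1$ checks.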
Correctness of the re-signature key:
$$e(rk_1, pk_j) = e\big((pk_i \cdot f \cdot U(c)^{\rho})^{1/sk_j}, g^{sk_j}\big) = e(pk_i, g) \cdot e(f, g) \cdot e(U(c)^{\rho}, g) = e(pk_i, g) \cdot e(f, g) \cdot e(U(c), rk_2).$$

4.2. Security analysis

We will prove that our CPRS scheme is existentially unforgeable under adaptive chosen message attack and adaptive chosen condition attack in the standard model, given that the 1-FlexDH and mCDH problems are hard.

Theorem 4.1 The proposed CPRS scheme is a secure CPRS under the 1-FlexDH and mCDH assumptions.

Proof We prove external security and internal security of the proposed scheme using a technique similar to that of [5, 22].

External security: Let $A_1$ be an adversary that breaks external security. We construct an algorithm $B_1$ that solves the 1-FlexDH problem by interacting with $A_1$. $B_1$ takes as input a 1-FlexDH challenge $(g, A = g^a, B = g^b)$ and proceeds as follows.

Setup: $B_1$ sets $f = A = g^a$ and $h = B = g^b$. Let $q_s$ and $q_{rs}$ be the numbers of signing queries and re-signing queries, respectively. $B_1$ sets $\tau_c = 2(q_s + q_{rs})$ and randomly chooses an integer $k_c$ such that $0 \le k_c \le l$ and $\tau_c(l+1) < p$. The $(l+1)$-vector $\bar u = (u', u_1, \dots, u_l)$ is defined by choosing $u' = h^{o' - \tau_c k_c} \cdot g^{w'}$ and $u_i = h^{o_i} \cdot g^{w_i}$ for $i \in \{1, \dots, l\}$, using random vectors $(o', o_1, \dots, o_l) \leftarrow \mathbb{Z}_{\tau_c}^{l+1}$ and $(w', w_1, \dots, w_l) \leftarrow \mathbb{Z}_p^{l+1}$. In a similar way, $B_1$ sets $\tau_m = 2(q_s + q_{rs})$ and randomly chooses an integer $k_m$ such that $0 \le k_m \le n$ and $\tau_m(n+1) < p$. The $(n+1)$-vector $\bar v = (v', v_1, \dots, v_n)$ is defined by choosing $v' = h^{y' - \tau_m k_m} \cdot g^{z'}$ and $v_i = h^{y_i} \cdot g^{z_i}$ for $i \in \{1, \dots, n\}$, using random vectors $(y', y_1, \dots, y_n) \leftarrow \mathbb{Z}_{\tau_m}^{n+1}$ and $(z', z_1, \dots, z_n) \leftarrow \mathbb{Z}_p^{n+1}$. For any condition $c = c_1 \dots c_l \in \{0,1\}^l$ and any message $m = m_1 \dots m_n \in \{0,1\}^n$, if we define the functions
$$K(c) = o' + \sum_{i=1}^{l} o_i c_i - \tau_c k_c,\qquad L(c) = w' + \sum_{i=1}^{l} w_i c_i,\qquad H(m) = y' + \sum_{i=1}^{n} y_i m_i - \tau_m k_m,\qquad R(m) = z' + \sum_{i=1}^{n} z_i m_i,$$
then we have the two equations
$$J(c) = u' \cdot \prod_{i=1}^{l} u_i^{c_i} = h^{K(c)} g^{L(c)} \qquad\text{and}\qquad F(m) = v' \cdot \prod_{i=1}^{n} v_i^{m_i} = h^{H(m)} g^{R(m)}.$$
The $(l+1)$-vector $\bar d = (d', d_1, \dots, d_l)$ is defined by choosing $d' = f^{\alpha'}$ and $d_i = f^{\alpha_i}$ for $i \in \{1, \dots, l\}$, using a random vector $(\alpha', \alpha_1, \dots, \alpha_l) \leftarrow (\mathbb{Z}_p^*)^{l+1}$, so that $U(c) = d' \cdot \prod_{i=1}^{l} d_i^{c_i} = f^{\alpha' + \sum_{i=1}^{l} \alpha_i c_i}$. If we define $G(c) = \alpha' + \sum_{i=1}^{l} \alpha_i c_i$, then $U(c) = f^{G(c)}$.
$\mathcal{B}_1$ sets the public parameters $\mathsf{param} = \{\mathbb{G}, \mathbb{G}_T, e, g, h, f, \bar d, \bar u, \bar v\}$. In addition, $\mathcal{B}_1$ picks a random index $i^* \in \{1, \ldots, N\}$.

Key generation: For user $i \neq i^*$, $\mathcal{B}_1$ defines $X_i = g^{x_i}$ for a random $x_i \in \mathbb{Z}_p^*$. If $i = i^*$, $\mathcal{B}_1$ outputs $X_{i^*} = A^x = g^{ax}$ for a random $x \in \mathbb{Z}_p^*$, which virtually defines the target user's private key as $ax$.

Signing queries: If a signature of user $i \neq i^*$ on a condition $c$ and a message $m$ is queried, $\mathcal{B}_1$ produces the signature using its knowledge of $x_i$. When $i = i^*$, $\mathcal{B}_1$ fails if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. Otherwise, $\mathcal{B}_1$ picks $r, s \in \mathbb{Z}_p$ and, using the technique described in [22], generates a signature according to the following cases:

Case 1 ($K(c) \neq 0$):
$$\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2) = \bigl(X_{i^*}^{-L(c)/K(c)} \cdot J(c)^r \cdot F(m)^s,\; X_{i^*}^{-1/K(c)} \cdot g^r,\; g^s\bigr);$$
Case 2 ($H(m) \neq 0$):
$$\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2) = \bigl(X_{i^*}^{-R(m)/H(m)} \cdot J(c)^r \cdot F(m)^s,\; g^r,\; X_{i^*}^{-1/H(m)} \cdot g^s\bigr).$$
If we define $\tilde r = r - ax/K(c)$ in Case 1, $\sigma$ has the form
$$\sigma_0 = X_{i^*}^{-L(c)/K(c)} \cdot J(c)^r \cdot F(m)^s = X_{i^*}^{-L(c)/K(c)} \cdot J(c)^{\tilde r} \cdot \bigl(h^{K(c)} g^{L(c)}\bigr)^{ax/K(c)} \cdot F(m)^s = h^{ax} \cdot J(c)^{\tilde r} \cdot F(m)^s$$
and $\sigma_1 = X_{i^*}^{-1/K(c)} \cdot g^r = g^{r - ax/K(c)} = g^{\tilde r}$. In the same way, if we define $\tilde s = s - ax/H(m)$ in Case 2, we obtain the correct distribution
$$\sigma_0 = X_{i^*}^{-R(m)/H(m)} \cdot J(c)^r \cdot F(m)^s = X_{i^*}^{-R(m)/H(m)} \cdot J(c)^r \cdot \bigl(h^{H(m)} g^{R(m)}\bigr)^{ax/H(m)} \cdot F(m)^{\tilde s} = h^{ax} \cdot J(c)^r \cdot F(m)^{\tilde s}$$
and $\sigma_2 = X_{i^*}^{-1/H(m)} \cdot g^s = g^{s - ax/H(m)} = g^{\tilde s}$.

Re-signing queries: On a query $(i, j, c, m, \sigma^{(1)})$, $\mathcal{B}_1$ checks whether $\sigma^{(1)}$ is a valid signature on $c$ and $m$ with respect to the public key of user $i$. If so, it computes the second-level signature according to $j$ as follows. If $j \neq i^*$, $\mathcal{B}_1$ produces a first-level signature on $c$ and $m$ under the secret key $x_j$. Then, using the re-signature algorithm with the re-signature key
$$rk^c_{j \to j} = \bigl(c,\; (g^{x_j} \cdot f \cdot U(c)^\rho)^{1/x_j},\; g^\rho\bigr) = \bigl(c,\; g \cdot f^{1/x_j} \cdot U(c)^{\rho/x_j},\; g^\rho\bigr)$$
for a random $\rho$, it generates a second-level signature for $j$. If $j = i^*$, $\mathcal{B}_1$ uses the simulation from the signing queries to generate a first-level signature for user $j$; it fails if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. Otherwise, using the re-signature algorithm with the re-signature key
$$rk^c_{j \to j} = \bigl(c,\; (g^{ax} \cdot f \cdot U(c)^\rho)^{1/ax},\; g^\rho\bigr) = \bigl(c,\; g \cdot g^{1/x} \cdot g^{G(c)\rho/x},\; g^\rho\bigr)$$
for a random $\rho$, $\mathcal{B}_1$ generates a second-level signature for $j = i^*$.
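To see why the Case 1 and Case 2 signatures above verify without any knowledge of the target key $ax$, here is an added toy check (not from the paper) of $\mathcal{B}_1$'s setup and signing-query simulation, in an exponent-representation model: group elements are stored as exponents modulo a prime $P$, so only the algebra of the reduction is checked, not its hardness. The code builds the Waters vectors from the trapdoor scalars $o, w, y, z$, confirms $J(c) = h^{K(c)} g^{L(c)}$ and $F(m) = h^{H(m)} g^{R(m)}$, answers a signing query for the target key $X = A^x$ using only $X$ and the trapdoors, checks the result against relation (3), and shows the abort when $K(c) = H(m) = 0$. The parameter sizes, the query count `q` standing for $q_s + q_{rs}$, the sample bits and all function names are constructed for this demo; `demo()` re-samples the parameters if the rare abort case occurs, which the real $\mathcal{B}_1$ may not do.

```python
"""Toy check of B1's signing-query simulation (Waters' technique [22]) from the
external-security proof.  Group elements g^x are stored as exponents x mod P,
so this checks the algebra of the reduction only, not its hardness.  B1 sees
(g, A = g^a, B = g^b) and the target key X = A^x = g^{ax}; simulate_sign never
touches a, b or x, only the trapdoor scalars chosen at setup."""
import secrets

P = 2**61 - 1   # toy prime group order
G, ONE = 1, 0   # the generator g (= g^1) and the identity g^0

def gmul(a, b): return (a + b) % P   # product in G (and in G_T)
def gexp(a, k): return (a * k) % P   # element of G raised to a scalar
def pair(a, b): return (a * b) % P   # e(g^a, g^b) = e(g,g)^{ab}
def inv(k): return pow(k, P - 2, P)  # k^{-1} mod P
def rnd(): return secrets.randbelow(P - 1) + 1   # uniform in Z_P^*

def waters(vec, bits):
    """vec[0] * prod_i vec[i]^{bits[i-1]}, i.e. J(c) or F(m)."""
    acc = vec[0]
    for i, b in enumerate(bits, start=1):
        if b:
            acc = gmul(acc, vec[i])
    return acc

def trapdoor_params(A, B, l, n, tau_c, k_c, tau_m, k_m):
    """B1's Setup: h = B, f = A, and u, v chosen so that
    J(c) = h^K(c) g^L(c) and F(m) = h^H(m) g^R(m)."""
    h, f = B, A
    o = [secrets.randbelow(tau_c) for _ in range(l + 1)]   # (o', o_1..o_l) in Z_tau_c
    w = [rnd() for _ in range(l + 1)]                      # (w', w_1..w_l) in Z_p
    y = [secrets.randbelow(tau_m) for _ in range(n + 1)]   # (y', y_1..y_n) in Z_tau_m
    z = [rnd() for _ in range(n + 1)]                      # (z', z_1..z_n) in Z_p
    u = [gmul(gexp(h, (o[0] - tau_c * k_c) % P), gexp(G, w[0]))]
    u += [gmul(gexp(h, o[i]), gexp(G, w[i])) for i in range(1, l + 1)]
    v = [gmul(gexp(h, (y[0] - tau_m * k_m) % P), gexp(G, z[0]))]
    v += [gmul(gexp(h, y[i]), gexp(G, z[i])) for i in range(1, n + 1)]
    return {"h": h, "f": f, "u": u, "v": v, "o": o, "w": w, "y": y, "z": z,
            "tau_c": tau_c, "k_c": k_c, "tau_m": tau_m, "k_m": k_m}

def _lin(coeffs, bits, offset=0):
    """coeffs[0] + sum_i coeffs[i] * bits[i-1] - offset, reduced mod P."""
    return (coeffs[0] + sum(k * b for k, b in zip(coeffs[1:], bits)) - offset) % P

def K(pp, c): return _lin(pp["o"], c, pp["tau_c"] * pp["k_c"])
def L(pp, c): return _lin(pp["w"], c)
def H(pp, m): return _lin(pp["y"], m, pp["tau_m"] * pp["k_m"])
def R(pp, m): return _lin(pp["z"], m)

def simulate_sign(pp, X, c, m):
    """B1's answer to a signing query on (c, m) for the target key X.
    Returns None when K(c) = H(m) = 0 mod p, where B1 must abort."""
    Kc, Lc, Hm, Rm = K(pp, c), L(pp, c), H(pp, m), R(pp, m)
    Jc, Fm = waters(pp["u"], c), waters(pp["v"], m)
    r, s = rnd(), rnd()
    if Kc != 0:   # Case 1: (X^{-L/K} J^r F^s, X^{-1/K} g^r, g^s)
        s0 = gmul(gmul(gexp(X, (-Lc * inv(Kc)) % P), gexp(Jc, r)), gexp(Fm, s))
        return (s0, gmul(gexp(X, -inv(Kc) % P), gexp(G, r)), gexp(G, s))
    if Hm != 0:   # Case 2: (X^{-R/H} J^r F^s, g^r, X^{-1/H} g^s)
        s0 = gmul(gmul(gexp(X, (-Rm * inv(Hm)) % P), gexp(Jc, r)), gexp(Fm, s))
        return (s0, gexp(G, r), gmul(gexp(X, -inv(Hm) % P), gexp(G, s)))
    return None

def verify1(pp, pk, c, m, sig):
    """Relations (1)-(3) of the scheme for a first-level signature."""
    s0, s1, s2 = sig
    rhs = gmul(gmul(pair(pp["h"], pk), pair(waters(pp["u"], c), s1)),
               pair(waters(pp["v"], m), s2))
    return s1 != ONE and s2 != ONE and pair(s0, G) == rhs

def demo():
    """Run the simulation once; returns the outcome of each check by name."""
    a, b, x = rnd(), rnd(), rnd()          # challenge and key exponents, hidden from B1
    A, B = gexp(G, a), gexp(G, b)
    X = gexp(A, x)                         # target public key g^{ax}
    l, n, q = 8, 16, 5                     # constructed sizes; q stands for q_s + q_rs
    c = [1, 1, 0, 0, 1, 0, 1, 1]           # constructed condition bits
    m = [int(t) for t in format(0xC0DE, "016b")]   # constructed message bits
    sig = None
    while sig is None:   # the real B1 aborts here; the demo simply re-samples its setup
        pp = trapdoor_params(A, B, l, n, 2 * q, secrets.randbelow(l + 1),
                             2 * q, secrets.randbelow(n + 1))
        sig = simulate_sign(pp, X, c, m)
    # all trapdoor scalars zero forces K(c) = H(m) = 0 for every (c, m): the abort path
    dead = dict(pp, o=[0] * (l + 1), y=[0] * (n + 1), k_c=0, k_m=0)
    return {
        "J_decomposes": waters(pp["u"], c) == gmul(gexp(pp["h"], K(pp, c)), gexp(G, L(pp, c))),
        "F_decomposes": waters(pp["v"], m) == gmul(gexp(pp["h"], H(pp, m)), gexp(G, R(pp, m))),
        "simulated_sig_verifies": verify1(pp, X, c, m, sig),
        "aborts_when_both_zero": simulate_sign(dead, X, c, m) is None,
    }
```

With $\tau_c = 2(q_s + q_{rs})$ and small $l$, the abort case in this toy occurs with non-negligible probability (roughly $1/(\tau_c(l+1))$ for $K$ alone), which is why the bound on $\Pr[\neg\mathrm{abort}]$ later in the proof carries the $(l+1)(n+1)$ factors.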
After polynomially many queries, $\mathcal{A}_1$ outputs a forgery for $(j^*, c^*, m^*)$. If $K(c^*) \neq 0 \bmod p$ or $H(m^*) \neq 0 \bmod p$ or $j^* \neq i^*$, $\mathcal{B}_1$ fails. Otherwise, the forgery is either a first-level signature
$$\sigma^{(1)*} = (\sigma_0^*, \sigma_1^*, \sigma_2^*) = \bigl(h^{ax} (g^{L(c^*)})^r (g^{R(m^*)})^s,\; g^r,\; g^s\bigr)$$
or a second-level signature
$$\sigma^{(2)*} = (\hat\sigma_0^*, \hat\sigma_1^*, \hat\sigma_2^*, \hat\sigma_3^*, \hat\sigma_4^*, \hat\sigma_5^*, \hat\sigma_6^*) = \bigl(h^{tax} (g^{L(c^*)})^r (g^{R(m^*)})^s,\; g^r,\; g^s,\; g^{axt},\; g^t \cdot g^{a\delta} \cdot (g^{aG(c^*)})^{\rho\delta},\; g^{ax\rho\delta},\; g^{ax\delta}\bigr).$$
Then $\mathcal{B}_1$ can produce a valid 1-FlexDH triple. If the forgery is a first-level signature, $\mathcal{B}_1$ computes
$$(C, C^a, C^{ab}) = \Bigl(g^x,\; (g^a)^x,\; \frac{\sigma_0^*}{(\sigma_1^*)^{L(c^*)} (\sigma_2^*)^{R(m^*)}}\Bigr) = \bigl(g^x, (g^x)^a, (g^x)^{ab}\bigr).$$
If the forgery is a second-level signature, $\mathcal{B}_1$ computes
$$(C, C^a, C^{ab}) = \Bigl(\frac{(\hat\sigma_4^*)^x}{(\hat\sigma_5^*)^{G(c^*)} \cdot \hat\sigma_6^*},\; \hat\sigma_3^*,\; \frac{\hat\sigma_0^*}{(\hat\sigma_1^*)^{L(c^*)} (\hat\sigma_2^*)^{R(m^*)}}\Bigr) = \bigl(g^{xt}, (g^{xt})^a, (g^{xt})^{ab}\bigr).$$
Note that the condition $c^*$ is given in the forgery and the random $x$ was chosen in the key generation phase. This completes the description of the simulation.

For the simulation to complete without aborting, we require that all sign queries $(c, m)$ have either $K(c) \neq 0 \bmod p$ or $H(m) \neq 0 \bmod p$, and that $K(c^*) = 0 \bmod p$, $H(m^*) = 0 \bmod p$ and $j^* = i^*$. However, to make the analysis of the simulation easier, we bound the probability of a sub-case of this event: we assume that all sign queries $(c, m)$ satisfy $K(c) \neq 0 \bmod p$ and $H(m) \neq 0 \bmod p$. Therefore, we will provide a lower bound on the probability that $\mathcal{B}_1$ aborts. Let $(c_1, m_1), \ldots, (c_{q_Q}, m_{q_Q})$ be the conditions and messages in the sign and re-sign queries; clearly $q_Q \le q_s + q_{rs}$. We define the events $E_i$ and $E^*$ as
$$E_i : K(c_i) \neq 0 \bmod p \;\wedge\; H(m_i) \neq 0 \bmod p, \qquad E^* : K(c^*) = 0 \bmod p \;\wedge\; H(m^*) = 0 \bmod p.$$
To make the analysis simpler, we follow the approach in [23] and force the simulator to abort whenever $K(c_i) \neq 0 \bmod \tau_c$ and $H(m_i) \neq 0 \bmod \tau_m$. Given the assumption $\tau_c(l+1) < p$, which implies $0 \le \tau_c k_c < p$ and $0 \le o' + \sum_{i=1}^{l} o_i < p$, it is easy to see that $K(c_i) = 0 \bmod p$ implies $K(c_i) = 0 \bmod \tau_c$. Hence, $K(c_i) \neq 0 \bmod \tau_c$ implies $K(c_i) \neq 0 \bmod p$. In the same way, $\mathcal{B}_1$ aborts whenever $H(m_i) \neq 0 \bmod \tau_m$.
Then the event $E_i$ can be replaced by the event $E_i'$:
$$E_i' : K(c_i) \neq 0 \bmod \tau_c \;\wedge\; H(m_i) \neq 0 \bmod \tau_m.$$
Moreover, if we split the event $E_i'$ into $A_i$ and $B_i$, and the event $E^*$ into $A^*$ and $B^*$, as
$$A_i : K(c_i) \neq 0 \bmod \tau_c, \qquad A^* : K(c^*) = 0 \bmod p, \qquad B_i : H(m_i) \neq 0 \bmod \tau_m, \qquad B^* : H(m^*) = 0 \bmod p,$$
then the probability that $\mathcal{B}_1$ does not abort is
$$\Pr[\neg\mathrm{abort}] \ge \Pr\Bigl[\bigwedge_{i=1}^{q_Q} A_i \wedge A^* \wedge \bigwedge_{i=1}^{q_Q} B_i \wedge B^* \wedge (j^* = i^*)\Bigr].$$
The events $(\bigwedge_{i=1}^{q_Q} A_i \wedge A^*)$ and $(\bigwedge_{i=1}^{q_Q} B_i \wedge B^*)$ are independent, because the functions $K$ and $H$ are selected independently. As in [23], computing the probability $\Pr[\bigwedge_{i=1}^{q_Q} A_i \wedge A^*]$ gives
$$\Pr\Bigl[\bigwedge_{i=1}^{q_Q} A_i \wedge A^*\Bigr] \ge \frac{1}{\tau_c(l+1)}\Bigl(1 - \frac{q_s + q_{rs}}{\tau_c}\Bigr),$$
and setting $\tau_c = 2(q_s + q_{rs})$ as in the simulation,
$$\Pr\Bigl[\bigwedge_{i=1}^{q_Q} A_i \wedge A^*\Bigr] \ge \frac{1}{4(q_s + q_{rs})(l+1)}.$$
The same analysis for $\Pr[\bigwedge_{i=1}^{q_Q} B_i \wedge B^*]$ gives
$$\Pr\Bigl[\bigwedge_{i=1}^{q_Q} B_i \wedge B^*\Bigr] \ge \frac{1}{4(q_s + q_{rs})(n+1)},$$
and we obtain
$$\Pr[\neg\mathrm{abort}] \ge \Pr\Bigl[\bigwedge_{i=1}^{q_Q} A_i \wedge A^* \wedge \bigwedge_{i=1}^{q_Q} B_i \wedge B^* \wedge (j^* = i^*)\Bigr] \ge \frac{1}{16(q_s + q_{rs})^2 (l+1)(n+1) N}.$$
If the simulation does not abort, $\mathcal{A}_1$ creates a valid forgery with probability at least $\epsilon$. $\mathcal{B}_1$ can then compute a 1-FlexDH triple from the forgery with probability at least
$$\frac{\epsilon}{16(q_s + q_{rs})^2 (l+1)(n+1) N}.$$

Limited proxy security: Let $\mathcal{A}_2$ be an adversary that breaks limited proxy security. We construct an algorithm $\mathcal{B}_2$ that solves the 1-FlexDH problem by interacting with $\mathcal{A}_2$. $\mathcal{B}_2$ takes as input a 1-FlexDH challenge $(g, A = g^a, B = g^b)$ and proceeds as follows.

Setup: $\mathcal{B}_2$ produces the public parameters exactly as in the proof of external security, except that $\tau_c = 2q_s$ and $\tau_m = 2q_s$. Note that for limited proxy security, $\mathcal{B}_2$ does not need to select $i^*$ in advance.

Key generation: For every user $i \in \{1, \ldots, N\}$, $\mathcal{B}_2$ defines the public key $X_i = A^{x_i} = g^{ax_i}$ for a random $x_i \in \mathbb{Z}_p^*$, which virtually defines user $i$'s private key as $ax_i$.

Rekeygen queries: For a pair $(i, j)$ and a condition $c$, the re-signature key is computed as
$$rk^c_{i \to j} = \bigl(c,\; (pk_i \cdot f \cdot U(c)^\rho)^{1/sk_j},\; g^\rho\bigr) = \bigl(c,\; g^{x_i/x_j} \cdot g^{1/x_j} \cdot g^{G(c)\rho/x_j},\; g^\rho\bigr).$$

Sign queries: $\mathcal{B}_2$ uses the simulation of the target user's signature queries from the external security proof. For limited proxy security, $\mathcal{B}_2$ does not know user $i$'s private key $ax_i$.
Therefore, $\mathcal{B}_2$ uses the technique described in [22] and fails if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. When $\mathcal{A}_2$ outputs a forgery, $\mathcal{B}_2$ succeeds if $K(c^*) = 0 \bmod p$ and $H(m^*) = 0 \bmod p$, and extracts a 1-FlexDH triple by the method used in the proof of external security. An analysis similar to that for external security shows that $\mathcal{B}_2$ computes a 1-FlexDH triple from the forgery with probability at least
$$\frac{\epsilon}{16 q_s^2 (l+1)(n+1)}.$$

Delegatee security: Let $\mathcal{A}_3$ be an adversary that breaks delegatee security. We construct an algorithm $\mathcal{B}_3$ that solves the 1-FlexDH problem by interacting with $\mathcal{A}_3$. $\mathcal{B}_3$ takes as input a 1-FlexDH challenge $(g, A = g^a, B = g^b)$ and proceeds as follows.

Setup: $\mathcal{B}_3$ produces the public parameters exactly as in the proof of limited proxy security.

Key generation: For the target user $0$, $\mathcal{B}_3$ defines the public key $X_0 = A^{x_0} = g^{ax_0}$ for a random $x_0 \in \mathbb{Z}_p^*$. For all other users $i \in \{1, \ldots, N\}$, $\mathcal{B}_3$ picks random $x_i \in \mathbb{Z}_p^*$ and computes $X_i = g^{x_i}$. Note that for delegatee security, $\mathcal{A}_3$ knows the public/private key pairs $\{pk_i, sk_i\}_{i \in [1, N]}$. For pairs $(i, j)$ with $i \in \{0, \ldots, N\}$ and $j \in \{1, \ldots, N\}$, $\mathcal{A}_3$ can compute the re-signature keys itself as $rk^c_{i \to j} = (c, (pk_i \cdot f \cdot U(c)^\rho)^{1/sk_j}, g^\rho)$.

Sign queries: $\mathcal{B}_3$ also uses the simulation of the target user's signature queries from the external security proof, because $\mathcal{B}_3$ does not know user $0$'s private key $ax_0$. $\mathcal{B}_3$ fails if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. When $\mathcal{A}_3$ outputs a forgery, $\mathcal{B}_3$ succeeds if $K(c^*) = 0 \bmod p$ and $H(m^*) = 0 \bmod p$, and extracts a 1-FlexDH triple by the method used in the proof of external security. An analysis similar to that for external security shows that $\mathcal{B}_3$ computes a 1-FlexDH triple from the forgery with probability at least
$$\frac{\epsilon}{16 q_s^2 (l+1)(n+1)}.$$

Delegator security: Let $\mathcal{A}_4$ be an adversary that breaks delegator security. We construct an algorithm $\mathcal{B}_4$ that solves the mCDH problem by interacting with $\mathcal{A}_4$. $\mathcal{B}_4$ takes as input an mCDH challenge $(g, A = g^a, A' = g^{1/a}, B = g^b)$ and proceeds as follows.

Setup: $\mathcal{B}_4$ produces the public parameters exactly as in the proof of limited proxy security.
Key generation: For the target user $0$, $\mathcal{B}_4$ defines the public key $X_0 = A^{x_0} = g^{ax_0}$ for a random $x_0 \in \mathbb{Z}_p^*$. For all other users $i \in \{1, \ldots, N\}$, $\mathcal{B}_4$ picks random $x_i \in \mathbb{Z}_p^*$ and computes $X_i = g^{x_i}$.

Rekeygen queries: For pairs $(i, j)$ with $i, j \neq 0$, re-signature keys are computed as
$$rk^c_{i \to j} = \bigl(c,\; (pk_i \cdot f \cdot U(c)^\rho)^{1/sk_j},\; g^\rho\bigr) = \bigl(c,\; (g^{x_i} \cdot f \cdot U(c)^\rho)^{1/x_j},\; g^\rho\bigr).$$
If $i = 0$, $\mathcal{B}_4$ defines
$$rk^c_{0 \to j} = \bigl(c,\; (pk_0 \cdot f \cdot U(c)^\rho)^{1/sk_j},\; g^\rho\bigr) = \bigl(c,\; (A^{x_0} \cdot f \cdot U(c)^\rho)^{1/x_j},\; g^\rho\bigr).$$
If $j = 0$, it computes
$$rk^c_{i \to 0} = \bigl(c,\; (pk_i \cdot f \cdot U(c)^\rho)^{1/sk_0},\; g^\rho\bigr) = \bigl(c,\; (g^{x_i} \cdot f \cdot U(c)^\rho)^{1/ax_0},\; g^\rho\bigr) = \bigl(c,\; (g^{1/a})^{x_i/x_0} \cdot (g^a)^{1/ax_0} \cdot (g^a)^{G(c)\rho/ax_0},\; g^\rho\bigr) = \bigl(c,\; (A')^{x_i/x_0} \cdot g^{1/x_0} \cdot g^{G(c)\rho/x_0},\; g^\rho\bigr).$$

Sign queries: $\mathcal{B}_4$ also uses the simulation of the target user's signature queries from the external security proof. It fails if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. When $\mathcal{A}_4$ outputs a first-level forgery, $\mathcal{B}_4$ succeeds if $K(c^*) = 0 \bmod p$ and $H(m^*) = 0 \bmod p$. Given the forgery
$$\sigma^{(1)*} = (\sigma_0^*, \sigma_1^*, \sigma_2^*) = \bigl(h^{ax_0} (g^{L(c^*)})^r (g^{R(m^*)})^s,\; g^r,\; g^s\bigr),$$
$\mathcal{B}_4$ extracts
$$g^{ab} = \Bigl(\frac{\sigma_0^*}{(\sigma_1^*)^{L(c^*)} (\sigma_2^*)^{R(m^*)}}\Bigr)^{1/x_0}.$$
An analysis similar to that for external security shows that $\mathcal{B}_4$ computes $g^{ab}$ from the forgery with probability at least
$$\frac{\epsilon}{16 q_s^2 (l+1)(n+1)}.$$

Re-signature key unforgeability: Let $\mathcal{A}_5$ be an adversary that breaks re-signature key unforgeability. We construct an algorithm $\mathcal{B}_5$ that solves the mCDH problem by interacting with $\mathcal{A}_5$. $\mathcal{B}_5$ takes as input an mCDH challenge $(g, A = g^a, A' = g^{1/a}, B = g^b)$ and proceeds as follows.

Setup: $\mathcal{B}_5$ sets $f = B = g^b$, $h = A = g^a$ and $g' = A' = g^{1/a}$. Let $q_{rk}$ be the number of re-signature key queries. $\mathcal{B}_5$ sets $\tau_{rk} = 2q_{rk}$ and randomly chooses an integer $k_{rk}$ with $0 \le k_{rk} \le l$, such that $\tau_{rk}(l+1) < p$. The $(l+1)$-vector $\bar d = (d', d_1, \ldots, d_l)$ is defined by choosing $d' = f^{\alpha' - \tau_{rk} k_{rk}} \cdot g'^{\beta'}$ and $d_i = f^{\alpha_i} \cdot g'^{\beta_i}$ for $i \in \{1, \ldots, l\}$, using random vectors $(\alpha', \alpha_1, \ldots, \alpha_l) \leftarrow \mathbb{Z}_{\tau_{rk}}^{l+1}$ and $(\beta', \beta_1, \ldots, \beta_l) \leftarrow \mathbb{Z}_p^{l+1}$. For any condition $c = c_1 \ldots c_l \in \{0,1\}^l$, if we define the functions
$$G(c) = \alpha' + \sum_{i=1}^{l} \alpha_i c_i - \tau_{rk} k_{rk} \qquad\text{and}\qquad N(c) = \beta' + \sum_{i=1}^{l} \beta_i c_i,$$
then we have the equation
$$U(c) = d' \cdot \prod_{i=1}^{l} d_i^{c_i} = f^{G(c)} g'^{N(c)}.$$
The $(l+1)$-vector $\bar u = (u', u_1, \ldots, u_l)$ is defined by choosing $u' = g^{o'}$ and $u_i = g^{o_i}$ for $i \in \{1, \ldots, l\}$, using a random vector $(o', o_1, \ldots, o_l) \leftarrow (\mathbb{Z}_p^*)^{l+1}$, and setting $J(c) = u' \cdot \prod_{i=1}^{l} u_i^{c_i} = g^{o' + \sum_{i=1}^{l} o_i c_i}$. If we define $K(c) = o' + \sum_{i=1}^{l} o_i c_i$, then $J(c) = g^{K(c)}$. In the same way, the $(n+1)$-vector $\bar v = (v', v_1, \ldots, v_n)$ is defined by choosing $v' = g^{y'}$ and $v_i = g^{y_i}$ for $i \in \{1, \ldots, n\}$, using a random vector $(y', y_1, \ldots, y_n) \leftarrow (\mathbb{Z}_p^*)^{n+1}$, and setting $F(m) = v' \cdot \prod_{i=1}^{n} v_i^{m_i} = g^{y' + \sum_{i=1}^{n} y_i m_i}$. If we define $H(m) = y' + \sum_{i=1}^{n} y_i m_i$, then $F(m) = g^{H(m)}$. $\mathcal{B}_5$ sets the public parameters $\mathsf{param} = \{\mathbb{G}, \mathbb{G}_T, e, g, h, f, \bar d, \bar u, \bar v\}$.

Key generation: For user $i \in \{1, \ldots, N\}$, $\mathcal{B}_5$ defines the public key $X_i = A'^{x_i} = g^{x_i/a}$ for a random $x_i \in \mathbb{Z}_p^*$, which virtually defines user $i$'s private key as $x_i/a$.

Rekeygen queries: For a pair $(i, j)$ and a condition $c$, $\mathcal{B}_5$ fails if $G(c) = 0 \bmod p$. Otherwise, $\mathcal{B}_5$ picks $\rho \in \mathbb{Z}_p$ and, using a technique similar to the simulation of the target user's signature queries in the external security proof, generates the re-signature key
$$rk^c_{i \to j} = (rk_0, rk_1, rk_2) = \Bigl(c,\; g^{x_i/x_j} \cdot (g^{1/x_j})^{-N(c)/G(c)} \cdot U(c)^\rho,\; g^{-1/G(c)} \cdot X_j^\rho\Bigr).$$
If we define $\tilde\rho = x_j \rho/a - 1/G(c)$, $rk_1$ has the form
$$rk_1 = g^{x_i/x_j} \cdot (g^{1/x_j})^{-N(c)/G(c)} \cdot U(c)^\rho = g^{x_i/x_j} \cdot (g^{1/x_j})^{-N(c)/G(c)} \cdot U(c)^{a\tilde\rho/x_j} \cdot \bigl(f^{G(c)} \cdot g'^{N(c)}\bigr)^{a/(x_j G(c))} = g^{x_i/x_j} \cdot f^{a/x_j} \cdot U(c)^{a\tilde\rho/x_j} = \bigl(g^{x_i/a} \cdot f \cdot U(c)^{\tilde\rho}\bigr)^{a/x_j}$$
and $rk_2 = g^{-1/G(c)} \cdot X_j^\rho = g^{-1/G(c) + x_j\rho/a} = g^{\tilde\rho}$.

Sign queries: $\mathcal{B}_5$ picks $r, s \in \mathbb{Z}_p^*$ and computes the first-level signature as
$$\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2) = \bigl(h^{x_i/a} J(c)^r F(m)^s,\; g^r,\; g^s\bigr) = \bigl(g^{x_i} (g^{K(c)})^r (g^{H(m)})^s,\; g^r,\; g^s\bigr).$$
When $\mathcal{A}_5$ outputs a forged re-signature key, $\mathcal{B}_5$ succeeds if $G(c^*) = 0 \bmod p$. Given the forgery
$$rk^{c^*}_{i^* \to j^*} = (rk_0^*, rk_1^*, rk_2^*) = \bigl(c^*,\; g^{x_{i^*}/x_{j^*}} \cdot f^{a/x_{j^*}} \cdot g'^{N(c^*) a \rho / x_{j^*}},\; g^\rho\bigr),$$
$\mathcal{B}_5$ extracts
$$g^{ab} = \frac{(rk_1^*)^{x_{j^*}}}{g^{x_{i^*}} \cdot (rk_2^*)^{N(c^*)}}.$$
An analysis similar to that for external security shows that $\mathcal{B}_5$ computes $g^{ab}$ from the forged re-signature key with probability at least
$$\frac{\epsilon}{4 q_{rk} (l+1)}. \qquad \square$$

5. CONCLUSION

We have proposed a conditional proxy re-signature scheme in the standard model. The proposed scheme is a non-interactive, unidirectional and single-use CPRS scheme. It is existentially unforgeable against adaptive chosen message and adaptive chosen condition attacks.
The security of the proposed scheme is based on the 1-Flexible Diffie–Hellman assumption and the modified Diffie–Hellman assumption. In the proposed scheme, a delegator can independently choose a condition, and can non-interactively generate a re-signature key without the participation of a delegatee. Therefore, a delegator can fully control the delegation process. However, the public parameters of our scheme consist of a description of the groups $\mathbb{G}$, $\mathbb{G}_T$ and the pairing $e$, and $2l + n + 6$ group elements of $\mathbb{G}$. Its public parameter size and computational cost are relatively large when compared to [15]. To construct the first-level signature, a signer must compute on average $l/2 + n/2 + 2$ multiplications in $\mathbb{G}$ and perform five exponentiations in $\mathbb{G}$. Generation of the second-level signature requires on average $l/2 + n/2 + 4$ multiplications in $\mathbb{G}$ and 11 exponentiations in $\mathbb{G}$, excluding the verification of the first-level signature. Verification of the first-level signature requires on average $l/2 + n/2$ multiplications in $\mathbb{G}$ and four pairing computations. Verification of the second-level signature requires on average $l + n/2$ multiplications in $\mathbb{G}$ and eight pairing computations.

REFERENCES

[1] Blaze, M., Bleumer, G. and Strauss, M. (1998) Divertible protocols and atomic proxy cryptography. Advances in Cryptology—EUROCRYPT'98, Espoo, Finland, May, pp. 127–144. Springer, Berlin, Heidelberg.
[2] Ateniese, G. and Hohenberger, S. (2005) Proxy re-signatures: new definitions, algorithms, and applications. Proc. 12th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, November, pp. 310–319. ACM, New York, NY, USA.
[3] Shao, J., Cao, Z., Wang, L. and Liang, X. (2007) Proxy re-signature schemes without random oracles. Progress in Cryptology—INDOCRYPT 2007, Chennai, India, December, pp. 197–209. Springer, Berlin, Heidelberg.
[4] Chow, S.S.M. and Phan, R.C.-W. (2008) Proxy re-signatures in the standard model. Information Security, Taipei, Taiwan, September, pp. 260–276. Springer, Berlin, Heidelberg.
[5] Libert, B. and Vergnaud, D. (2008) Multi-use unidirectional proxy re-signatures. Proc. 15th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, pp. 511–520. ACM, New York, NY, USA.
[6] Kim, K., Yie, I. and Lim, S. (2009) Remark on Shao et al.'s bidirectional proxy re-signature scheme in Indocrypt'07. Int. J. Netw. Secur., 9, 8–11.
[7] Shao, J., Feng, M., Zhu, B., Cao, Z. and Liu, P. (2010) The security model of unidirectional proxy re-signature with private re-signature key. Information Security and Privacy, Sydney, Australia, July, pp. 216–232. Springer, Berlin, Heidelberg.
[8] Shao, J., Wei, G., Ling, Y. and Xie, M. (2011) Unidirectional identity-based proxy re-signature. 2011 IEEE Int. Conf. Communications (ICC), Kyoto, Japan, June, pp. 1–5. IEEE.
[9] Wang, Z.-W. and Xia, A.-D. (2015) ID-based proxy re-signature with aggregate property. J. Inf. Sci. Eng., 31, 1199–1211.
[10] Zhang, Z., Hu, X. and Yang, Y. (2009) Identity based proxy re-signature schemes without random oracle. 2009 Int. Conf. Computational Intelligence and Security (CIS 2009), Beijing, China, December, pp. 256–259. IEEE Computer Society.
[11] Tian, M. (2015) Identity-based proxy re-signatures from lattices. Inf. Process. Lett., 115, 462–467.
[12] Xiao, H. and Zhang, M. (2013) Provably-secure certificateless proxy re-signature scheme. 2013 5th Int. Conf. Intelligent Networking and Collaborative Systems, Xi'an, China, September, pp. 591–594. IEEE.
[13] Xie, J., Hu, Y.-p. and Gao, J.-t. (2016) Multi-use unidirectional lattice-based proxy re-signatures in standard model. Secur. Commun. Netw., 9, 5615–5624.
[14] Wang, X.A. (2015) Proxy re-signature supporting conditional delegation. 2015 10th Int. Conf. P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), Krakow, Poland, November, pp. 844–848. IEEE.
[15] Vivek, S.S. and Balasubramanian, G. (2015) Controlled proxy re-signing - conditional proxy re-signatures. 2015 12th Int. Joint Conf. e-Business and Telecommunications (ICETE), Colmar, France, July, pp. 186–193. IEEE.
[16] Bellare, M. and Rogaway, P. (1993) Random oracles are practical: a paradigm for designing efficient protocols. Proc. 1st ACM Conf. Computer and Communications Security, Fairfax, VA, USA, November, pp. 62–73. ACM, New York, NY, USA.
[17] Xiong, H., Chen, Z. and Li, F. (2012) Efficient privacy-preserving authentication protocol for vehicular communications with trustworthy. Secur. Commun. Netw., 5, 1441–1451.
[18] Sun, Y., Lu, R., Lin, X., Shen, X. and Su, J. (2010) An efficient pseudonymous authentication scheme with strong privacy preservation for vehicular communications. IEEE Trans. Vehicular Technol., 59, 3589–3603.
[19] Wang, B., Li, B. and Li, H. (2015) Panda: public auditing for shared data with efficient user revocation in the cloud. IEEE Trans. Serv. Comput., 8, 92–106.
[20] Hong, X. and Long, Y. (2012) A novel unidirectional proxy re-signature scheme and its application for MANETs. J. Comput., 7, 1796–1800.
[21] Canetti, R. and Hohenberger, S. (2007) Chosen-ciphertext secure proxy re-encryption. Proc. 14th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, October, pp. 185–194. ACM, New York, NY, USA.
[22] Waters, B. (2005) Efficient identity-based encryption without random oracles. Advances in Cryptology—EUROCRYPT 2005, Aarhus, Denmark, May, pp. 114–127. Springer, Berlin, Heidelberg.
[23] Paterson, K.G. and Schuldt, J.C.N. (2006) Efficient identity-based signatures secure in the standard model. Information Security and Privacy, Melbourne, Australia, July, pp. 207–222. Springer, Berlin, Heidelberg.
Author notes: Handling editor: Joseph Liu.
© The British Computer Society 2018. All rights reserved. For permissions, please email: journals.permissions@oup.com. This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices).
The Computer Journal, Oxford University Press. ISSN: 0010-4620. eISSN: 1460-2067. DOI: 10.1093/computer_journal/bxy036.

Ateniese and Hohenberger [2] formalized security models of PRS and provided useful properties and applications.
They initially suggested eight desirable properties:
Unidirectional: re-signature keys allow the proxy to transform Alice's signature to Bob's signature, but not vice versa.
Multi-use: a message can be re-signed.
Private proxy: the re-signature keys can be kept secret by an honest proxy.
Transparent: a user may not even know that a proxy exists.
Key optimal: a user is required to protect and store only a small constant number of secrets.
Non-interactive: a delegatee does not act in the delegation process.
Non-transitive: proxies cannot re-delegate their re-signing rights.
Temporary: a re-signing right is temporary.
The definition of proxy re-signatures given in [1] was informal, so research on the topic was sparse. However, since the formalization in [2], studies on PRS have satisfied the multi-use, unidirectional and non-interactive properties in the standard model [3–7]. Blaze et al.'s construction [1] was bidirectional, multi-use and interactive. Ateniese and Hohenberger [2] proposed a bidirectional, multi-use and interactive PRS scheme and a unidirectional, single-use and non-interactive PRS scheme in the random oracle model. Shao et al. [3] proposed a bidirectional, multi-use and interactive PRS scheme in the standard model, but their scheme was attacked and fixed [4, 6]. Chow et al. [4] proposed a unidirectional, single-use and interactive PRS scheme in the standard model. Libert and Vergnaud [5] proposed the first unidirectional, multi-use and non-interactive PRS scheme in the standard model. Recent work has focused on identity-based [3, 8–11], certificateless [12] and lattice-based [13] schemes. In a PRS scheme, once a delegator sends a re-signature key to a semi-trusted proxy, the proxy can transform all the delegatee's signatures into the delegator's signatures. This trait is undesirable in some applications that require fine-grained delegation: the semi-trusted proxy has unnecessarily many permissions for converting signatures.
This situation is not what a delegator wants, because all transformed signatures will be verified with the delegator's public key. Therefore, the delegator should be able to fully control which signatures can be transformed. To meet this goal, the concept of conditional proxy re-signature was proposed [14, 15]. It provides fine-grained delegation, by which a re-signature key can be used to transform a signature on a message only under a specific condition; i.e. the delegator can categorize messages into different subsets according to conditions, and can delegate the signing rights separately for each subset.

1.1. Related work

Vivek and Balasubramanian [15] proposed conditional proxy re-signature (CPRS) and its security model in the random oracle model. They proposed CPRS as a natural application of PRS and provided an applicable scenario in a vehicular ad hoc network (VANET). Their security model is based on the security notion proposed by Shao et al. [7]. However, their scheme is proved in the random oracle model [16], which is heuristic in the sense that it assumes the existence of a truly random function that all parties involved in a protocol can access. Security proven in the random oracle model therefore does not guarantee security in the real world, because the random oracle does not exist. Vivek and Balasubramanian also did not consider the non-interactive property: to generate a re-signature key, a delegator and a delegatee must cooperate interactively; in the re-signature key generation process, the delegator chooses a condition and the delegatee uses the received condition to compute a part of the re-signature key. The non-interactive property simplifies the generation of re-signature keys; in particular, a delegatee is not required to be on-line during the delegation process. For a flexible application of CPRS, the non-interactive property is an important consideration.
Independently, Wang [14] proposed a conceptual proxy re-signature scheme that supports conditional delegation. He proposed a method that uses a fixed randomness. A delegatee maintains (delegatee's condition, fixed randomness) pairs. If the delegatee wants to sign a message with a condition, he chooses the fixed randomness that corresponds to the condition, then uses it to generate a signature. A delegator can generate a conditional re-signature key by using his public key and a fixed randomness maintained by the delegatee. Re-signing is only possible when the fixed randomness is the same in the signature and in the re-signature key. The main drawback of this scheme is that the delegation process is controlled by the delegatee rather than by the delegator, even though all transformed signatures will be verified with the delegator's public key. Therefore, the most reasonable approach is that the delegator controls which signatures of the delegatee can be transformed. Wang left the formal definition, the security model and a natural construction as future work. Our scheme shares some properties with previous work (Table 1). Compared to Vivek and Balasubramanian's scheme [15], our scheme additionally satisfies the non-interactive property and is proved in the standard model. Wang's scheme can achieve the non-interactive property if we assume that (delegatee's condition, fixed randomness $g^{1/t}$) pairs are publicly available, but it does not satisfy the key optimal property, because a delegatee must maintain a set of (delegatee's condition, fixed randomness $t$) pairs whose size grows linearly with the number of conditions. In our scheme, the delegator can fully control which signatures of the delegatee can be transformed.

Table 1. Comparison.
Property              [15]            [14]          Ours
Unidirectional        Yes             Yes           Yes
Multi-use             No              No            No
Private proxy         Yes             Yes           Yes
Transparent           No              No            No
Key optimal           Yes             No            Yes
Non-interactive       No              Yes           Yes
Condition selection   Delegator       Delegatee     Delegator
Security              Random oracle   Not proved    Standard model

1.2. Application

Proxy re-signature schemes can be applied in many applications such as providing a proof that a path has been taken, managing group signatures and simplifying certificate management [2]. PRS has also been used in various applications such as privacy-preserving authentication in a VANET to hide the identity of a vehicle [17], pseudonymous authentication in a VANET for pseudonymous certificate update [18] and public auditing in the cloud to update a revoked user's data [19]. A simple application of conditional proxy re-signature is temporary delegation. CPRS can support temporary delegation by only allowing the proxy to re-sign a delegatee's signature into a delegator's signature for a limited time. One possible solution is to set the conditions to time period information.
For example, if we assume that all users sign a message with the time when the message was created, such as August2017, and that a re-signature key is generated using the condition August2017, the proxy's ability to re-sign can be restricted to a limited time period. Vivek and Balasubramanian [15] showed an application of conditional proxy re-signature in VANETs. Their scenario consists of a country root certificate authority (CA), regional CAs, road side units (RSUs) in a region and vehicles, each of which has an on-board unit (OBU). The root CA acts as the delegator, the RSUs are the delegatees and the regional CAs act as the proxies. The OBU holds information about the vehicle's identity, which will be certified by the CA. The regional CA has a conditional re-signature key, which converts an RSU's signature into the root CA's signature if the condition holds. When entering a region, a vehicle provides its credentials and conditions to the RSU. The RSU signs the credentials and conditions and sends them to the regional CA, which holds the re-signature key. The regional CA converts the RSU's signature into a signature of the root CA and sends it back to the RSU. The RSU forwards the signature to the vehicle, which thereby obtains a valid certificate signed by the root CA. This scenario provides several services with different levels according to users' conditions. Therefore, this application can replace an access control list and can reduce the load on the root CA.

1.3. Our contribution

In this paper, we propose a conditional proxy re-signature scheme in the standard model. Our scheme uses a bilinear map that is realized by pairings. The proposed scheme is a non-interactive, unidirectional and single-use CPRS scheme. For conditional proxy re-signature we propose a security model based on the security models in [2, 5]. Our scheme is secure if the 1-Flexible Diffie–Hellman (1-FlexDH) assumption and the modified computational Diffie–Hellman (mCDH) assumption of [5] hold.

1.4. Paper organization

The remainder of this paper is organized as follows. Section 2 explains the complexity assumptions we need. Section 3 recalls the syntax of CPRS schemes and proposes the security model. Section 4 describes our proposed scheme and its security. Finally, Section 5 gives the conclusion.

2. BILINEAR MAP AND COMPLEXITY ASSUMPTION

2.1. Bilinear map

Let $\mathbb{G}$ and $\mathbb{G}_T$ be two cyclic groups of prime order $p$. A bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ between these two groups should satisfy the following properties:
Bilinear: $e(g^a, h^b) = e(g, h)^{ab}$ for all $g, h \in \mathbb{G}$ and $a, b \in \mathbb{Z}$;
Non-degenerate: if $g$ is a generator of $\mathbb{G}$ then $e(g, g) \neq 1_{\mathbb{G}_T}$;
Computable: there is an efficient algorithm to compute $e(g, h)$ for any $g, h \in \mathbb{G}$.
Such a bilinear map can be realized using the Weil pairing or the Tate pairing. In this paper, we view $\mathbb{G}$ and $\mathbb{G}_T$ as multiplicative groups.

2.2. Complexity assumptions

The security of our conditional proxy re-signature scheme is reduced to the hardness of the 1-FlexDH and mCDH problems [5] in the group in which the signature is constructed. We briefly review the definitions of these hard problems.

Definition 2.1 (1-Flexible Diffie–Hellman Problem). Given a group $\mathbb{G}$ of prime order $p$ with generator $g$ and elements $g^a, g^b \in \mathbb{G}$, where $a, b$ are selected uniformly at random from $\mathbb{Z}_p^*$, the 1-Flexible Diffie–Hellman (1-FlexDH) problem in $\mathbb{G}$ is to compute a triple $(C, C^a, C^{ab}) \in (\mathbb{G} \setminus \{1_{\mathbb{G}}\})^3$.

Definition 2.2 (modified computational Diffie–Hellman Problem). Given a group $\mathbb{G}$ of prime order $p$ with generator $g$ and elements $g^a, g^{a^2}, g^b \in \mathbb{G}$, where $a, b$ are selected uniformly at random from $\mathbb{Z}_p^*$, the modified computational Diffie–Hellman (mCDH) problem in $\mathbb{G}$ is to compute $g^{ab}$.

Note that we will also use the equivalent formulation from [5], which is to find $h^{xy}$ given $(h, h^x, h^{1/x}, h^y)$.

3. SYNTAX AND SECURITY MODEL

In this section, we present the syntax of conditional proxy re-signature and the security model that are used to construct and prove our scheme.

3.1. Syntax

We modify the syntax of conditional proxy re-signature in [15] to fit our non-interactive conditional proxy re-signature scheme. The biggest difference between the syntax of our conditional proxy re-signature scheme and that of [15] is the input to the Rekeygen algorithm. In [15], the Rekeygen algorithm takes a delegatee's secret key and a delegator's secret key; to generate a re-signature key without revealing each other's secret key, the delegatee and the delegator must compute the re-signature key interactively. In contrast, in our scheme the Rekeygen algorithm takes a delegatee's public key and a delegator's secret key. Therefore, the delegator can compute a re-signature key without interacting with the delegatee.

Definition 3.1. A unidirectional single-use non-interactive conditional proxy re-signature scheme consists of seven algorithms (Setup, Keygen, Rekeygen, ReSigKeyVer, Sign, ReSign, Verify) such that:
Setup($\lambda$), the global parameter generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a global parameter $\mathsf{param}$ to be used by all parties; $\mathsf{param} \leftarrow \mathsf{Setup}(\lambda)$. We omit the global parameter from the other algorithms for simplicity.
Keygen($\lambda$), the key generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a public key $pk_i$ and a secret key $sk_i$ for user $i$; $(pk_i, sk_i) \leftarrow \mathsf{Keygen}(\lambda)$.
Rekeygen($pk_i, sk_j, c$), the re-signature key generation algorithm, is a possibly probabilistic algorithm that, given user $i$'s public key $pk_i$, user $j$'s secret key $sk_j$ and a condition $c$, outputs the re-signature key $rk^c_{i \to j}$ that transforms user $i$'s signature into user $j$'s signature for the condition $c$; $rk^c_{i \to j} \leftarrow \mathsf{Rekeygen}(pk_i, sk_j, c)$.
ReSigKeyVer($pk_i, pk_j, c, rk^c_{i\to j}$), the re-signature key verification algorithm, is a deterministic algorithm that, given user $i$'s public key $pk_i$, user $j$'s public key $pk_j$, a condition $c$ and a re-signature key $rk^c_{i \to j}$, outputs a bit $b \in \{0,1\}$ (where $b=1$ signifies 'acceptance' and $b=0$ signifies 'rejection'); $b \leftarrow$ ReSigKeyVer($pk_i, pk_j, c, rk^c_{i\to j}$).

Sign($sk_i, c, m$), the signing algorithm, is a probabilistic algorithm that, given user $i$'s secret key $sk_i$, a condition $c$ and a message $m$, outputs user $i$'s first-level signature $\sigma^{(1)}$, which can be transformed by the proxy; $\sigma^{(1)} \leftarrow$ Sign($sk_i, c, m$).

ReSign($c, m, \sigma^{(1)}, rk^c_{i\to j}, pk_i, pk_j$), the re-signing algorithm, is a probabilist algorithm that, given a condition $c$, a message $m$, user $i$'s first-level signature $\sigma^{(1)}$, a re-signature key $rk^c_{i\to j}$, user $i$'s public key $pk_i$ and user $j$'s public key $pk_j$, first checks that $\sigma^{(1)}$ and $rk^c_{i\to j}$ are valid. If they are, the algorithm re-signs user $i$'s signature $\sigma^{(1)}$ into user $j$'s signature $\sigma^{(2)}$ and outputs this second-level signature $\sigma^{(2)}$, which cannot be transformed any further. Otherwise, the algorithm outputs the special symbol $\bot$, which indicates an error; $\sigma^{(2)} \leftarrow$ ReSign($c, m, \sigma^{(1)}, rk^c_{i\to j}, pk_i, pk_j$).

Verify($pk_i, c, m, \sigma^{(L)}$), the verification algorithm, is a deterministic algorithm that, given user $i$'s public key $pk_i$, a condition $c$, a message $m$ and a signature $\sigma^{(L)}$ of user $i$, which can be a first-level or a second-level signature ($L \in \{1,2\}$), outputs a bit $b \in \{0,1\}$ (where $b=1$ signifies 'acceptance' and $b=0$ signifies 'rejection'); $b \leftarrow$ Verify($pk_i, c, m, \sigma^{(L)}$).

Correctness. For any global parameter param, any condition $c$, any message $m$ and any two private/public key pairs $(sk_i, pk_i), (sk_j, pk_j)$ generated by Keygen($\lambda$), the algorithms should satisfy
$$\text{Verify}(pk_i, c, m, \text{Sign}(sk_i, c, m)) = 1;$$
$$\text{Verify}(pk_j, c, m, \sigma^{(2)}) = 1;$$
$$\text{ReSigKeyVer}(pk_i, pk_j, c, \text{Rekeygen}(pk_i, sk_j, c)) = 1,$$
where $\sigma^{(2)} = \text{ReSign}(c, m, \text{Sign}(sk_i, c, m), \text{Rekeygen}(pk_i, sk_j, c), pk_i, pk_j)$; i.e. all signatures generated by Sign or ReSign and all re-signature keys generated by Rekeygen should be valid.

3.2. Security model

Vivek and Balasubramanian [15] proposed a security model for CPRS based on [7]. Shao et al.'s security model [7] is an improvement over the security model proposed by Ateniese and Hohenberger (the AH model) [2] for proxy re-signature schemes with the unidirectional and private-proxy properties. Shao et al. exhibited a scheme that is provably secure in the AH model yet falls to a specific attack; they also proposed a new security model that reduces the four security games of [2] to a single game. The security of the schemes in [2, 4, 5] was proved in the AH model, and the security of the schemes in [3, 15, 20] was proved in Shao et al.'s model. One drawback of the schemes proved in Shao et al.'s model is that if a delegator is corrupted, the re-signature key generation query fails. To prevent this failure, these schemes carry the restriction that, in a re-signature key generation query, the delegator and the delegatee are either both corrupted or both uncorrupted; that is, the parties whose security is compromised must be fixed in advance [21]. Therefore, in this paper, we propose a new CPRS security model based on [2] so as to prove our scheme in the standard model without restrictions on the generation of re-signature keys. The proposed security model captures existential unforgeability, whereas the model in [2] captures strong unforgeability. We divide our security model according to the primary goal of the adversary (signature forger or re-signature key forger) and the dishonest entities.
The following are the security models for a unidirectional single-use non-interactive CPRS scheme. Our scheme is secure against the attack in [7] because our ReSign algorithm re-randomizes the component of the first-level signature that depends on the message $m$.

3.2.1. External security

External security is security against outside adversaries, i.e. anyone other than the proxy, the delegators and the delegatees. In this security model, an adversary can obtain signatures on adaptively chosen messages and conditions. The goal of the adversary is to produce a signature of a delegator or a delegatee on a new message or a new condition. The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \text{Keygen}(\lambda)\}_{i \in [1,N]},\ (i^*, c^*, m^*, \sigma^{(L)*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\text{Sign}}(\cdot,\cdot,\cdot),\ \mathcal{O}_{\text{ReSign}}(\cdot,\cdot,\cdot,\cdot,\cdot)}(\{pk_i\}_{i\in[1,N]}) :\ \text{Verify}(pk_{i^*}, c^*, m^*, \sigma^{(L)*}) = 1 \wedge (1 \le i^* \le N) \wedge (i^*, c^*, m^*) \notin Q\Big]$$
where $\mathcal{O}_{\text{Sign}}(\cdot,\cdot,\cdot)$ is an oracle that takes as input an index $i \in \{1,\dots,N\}$, a condition $c$ and a message $m$ and returns a first-level signature $\sigma^{(1)} \leftarrow \text{Sign}(sk_i, c, m)$. $\mathcal{O}_{\text{ReSign}}(\cdot,\cdot,\cdot,\cdot,\cdot)$ takes indices $i, j \in \{1,\dots,N\}$, a condition $c$, a message $m$ and a signature $\sigma^{(1)}$, and outputs a second-level signature $\sigma^{(2)} \leftarrow \text{ReSign}(c, m, \sigma^{(1)}, \text{Rekeygen}(pk_i, sk_j, c), pk_i, pk_j)$. $Q$ denotes the set of (signer, condition, message) tuples $(i, c, m)$ queried to $\mathcal{O}_{\text{Sign}}$, or such that a tuple $(\cdot, i, c, m, \cdot)$ with $i \in \{1,\dots,N\}$ was queried to $\mathcal{O}_{\text{ReSign}}$. In this game the forgery $\sigma^{(L)*}$, $L \in \{1,2\}$, can be a first-level or a second-level signature.

3.2.2. Internal security

Internal security is protection against dishonest proxies and colluding delegators or delegatees.
This notion is divided into four security games.

Limited proxy: This is security against a dishonest proxy who wants to forge a signature on a new message or a new condition. The proxy can neither sign messages on behalf of an honest delegatee nor create signatures for an honest delegator, unless the message and condition were signed by a delegatee. The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \text{Keygen}(\lambda)\}_{i\in[1,N]},\ (i^*, c^*, m^*, \sigma^{(L)*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\text{Sign}}(\cdot,\cdot,\cdot),\ \mathcal{O}_{\text{Rekeygen}}(\cdot,\cdot,\cdot)}(\{pk_i\}_{i\in[1,N]}) :\ \text{Verify}(pk_{i^*}, c^*, m^*, \sigma^{(L)*}) = 1 \wedge (1 \le i^* \le N) \wedge (c^*, m^*) \notin Q\Big]$$
where $\mathcal{O}_{\text{Sign}}(\cdot,\cdot,\cdot)$ is an oracle that takes as input an index $i \in \{1,\dots,N\}$, a condition $c$ and a message $m$ and returns a first-level signature $\sigma^{(1)} \leftarrow \text{Sign}(sk_i, c, m)$. $\mathcal{O}_{\text{Rekeygen}}(\cdot,\cdot,\cdot)$ takes indices $i, j \in \{1,\dots,N\}$ and a condition $c$ and outputs $rk^c_{i\to j} \leftarrow \text{Rekeygen}(pk_i, sk_j, c)$. $Q$ denotes the set of (condition, message) pairs $(c, m)$ queried to the signing oracle. Again, $\sigma^{(L)*}$ with $L \in \{1,2\}$ can be a first-level or a second-level signature. Compared with external security, the limited-proxy adversary does not need $\mathcal{O}_{\text{ReSign}}$, because it can obtain re-signature keys from $\mathcal{O}_{\text{Rekeygen}}$ and then transform first-level signatures into second-level signatures on its own. Unlike external security, the target condition and message pair cannot be queried to the signing oracle under any signer; otherwise the adversary wins trivially by computing $\sigma^{(2)*} \leftarrow \text{ReSign}(c^*, m^*, \sigma^{(1)}, rk^{c^*}_{i\to j}, pk_i, pk_j)$ from $\sigma^{(1)} \leftarrow \mathcal{O}_{\text{Sign}}(i, c^*, m^*)$.

Delegatee security: This notion protects the delegatee from a colluding delegator and proxy.
In this security game, the index of the delegatee is 0. The adversary can query the signing oracle to receive first-level signatures of the delegatee, or can obtain second-level signatures from the delegatee's signatures by using a re-signature key. In our setting, the adversary can compute re-signature keys on its own from $pk_0$ and $sk_j$ with $j \ne 0$ by running Rekeygen($pk_0, sk_j, c$), because of the non-interactive property. Therefore, we omit the Rekeygen oracle from this security game. The goal of the adversary is to forge a signature on a new message or a new condition. The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \text{Keygen}(\lambda)\}_{i \in [0,N]},\ (c^*, m^*, \sigma^{(L)*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\text{Sign}}(0,\cdot,\cdot)}(pk_0, \{pk_i, sk_i\}_{i\in[1,N]}) :\ \text{Verify}(pk_0, c^*, m^*, \sigma^{(L)*}) = 1 \wedge (c^*, m^*) \notin Q\Big]$$
where $Q$ is the set of (condition, message) pairs queried to $\mathcal{O}_{\text{Sign}}(0,\cdot,\cdot)$, and $\sigma^{(L)*}$ can be a first-level or a second-level signature ($L \in \{1,2\}$).

Delegator security: This notion protects the delegator from collusion between the delegatee and the proxy. In this game, the index of the delegator is 0. The adversary is given the private keys of all other signers $i \in \{1,\dots,N\}$. A signing oracle provides first-level signatures of the delegator. The goal of the adversary is to forge a first-level signature on a new message or a new condition.
The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \text{Keygen}(\lambda)\}_{i \in [0,N]},\ (c^*, m^*, \sigma^{(1)*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\text{Sign}}(0,\cdot,\cdot),\ \mathcal{O}_{\text{Rekeygen}}(\cdot,\cdot,\cdot)}(pk_0, \{pk_i, sk_i\}_{i\in[1,N]}) :\ \text{Verify}(pk_0, c^*, m^*, \sigma^{(1)*}) = 1 \wedge (c^*, m^*) \notin Q\Big]$$
where $\sigma^{(1)*}$ is a first-level signature and $Q$ is the set of (condition, message) pairs queried to $\mathcal{O}_{\text{Sign}}(0,\cdot,\cdot)$. A forgery in delegator security is a first-level signature; in contrast, in external security, limited proxy security and delegatee security the forgery can be a first-level or a second-level signature.

Re-signature key unforgeability: This notion prevents a dishonest proxy from producing re-signature keys of honest delegators for a new condition. The following probability should be negligible:
$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \text{Keygen}(\lambda)\}_{i\in[1,N]},\ (i^*, j^*, c^*, rk^{c^*}_{i^*\to j^*}) \leftarrow \mathcal{A}^{\mathcal{O}_{\text{Sign}}(\cdot,\cdot,\cdot),\ \mathcal{O}_{\text{Rekeygen}}(\cdot,\cdot,\cdot)}(\{pk_i\}_{i\in[1,N]}) :\ \text{ReSigKeyVer}(pk_{i^*}, pk_{j^*}, c^*, rk^{c^*}_{i^*\to j^*}) = 1 \wedge (1 \le i^*, j^* \le N) \wedge c^* \notin Q\Big]$$
where $\mathcal{O}_{\text{Sign}}(\cdot,\cdot,\cdot)$ is an oracle that takes as input an index $i \in \{1,\dots,N\}$, a condition $c$ and a message $m$, and returns a first-level signature $\sigma^{(1)} \leftarrow \text{Sign}(sk_i, c, m)$.
$\mathcal{O}_{\text{Rekeygen}}(\cdot,\cdot,\cdot)$ takes indices $i, j \in \{1,\dots,N\}$ and a condition $c$ and outputs $rk^c_{i\to j} \leftarrow \text{Rekeygen}(pk_i, sk_j, c)$. $Q$ denotes the set of conditions $c$ queried to the re-signature key generation oracle.

4. CONDITIONAL PROXY RE-SIGNATURE IN THE STANDARD MODEL

In this section, we propose a conditional proxy re-signature scheme that is secure in the standard model. Our proposed scheme is based on the single-hop proxy re-signature scheme in [5].

4.1. Proposed scheme

Setup($\lambda$): Given a security parameter $\lambda$, the setup algorithm chooses groups $G$ and $G_T$ of prime order $p > 2^\lambda$ with a bilinear map $e: G \times G \to G_T$. The algorithm picks random generators $g, h, f \in G$, a random $(l+1)$-vector $\bar d = (d', d_1, \dots, d_l) \leftarrow G^{l+1}$, a random $(l+1)$-vector $\bar u = (u', u_1, \dots, u_l) \leftarrow G^{l+1}$ and a random $(n+1)$-vector $\bar v = (v', v_1, \dots, v_n) \leftarrow G^{n+1}$. The algorithm defines the Waters functions $U(c): \{0,1\}^l \to G$, mapping an $l$-bit string $c = c_1 \dots c_l$ to $U(c) = d' \cdot \prod_{i=1}^{l} d_i^{c_i}$; $J(c): \{0,1\}^l \to G$, mapping $c = c_1 \dots c_l$ to $J(c) = u' \cdot \prod_{i=1}^{l} u_i^{c_i}$; and $F(m): \{0,1\}^n \to G$, mapping an $n$-bit string $m = m_1 \dots m_n$ to $F(m) = v' \cdot \prod_{i=1}^{n} v_i^{m_i}$. The global parameter is param $= \{G, G_T, e, g, h, f, \bar d, \bar u, \bar v\}$.

Keygen($\lambda$): To generate a public/secret key pair, user $i$ chooses a random $x_i \in \mathbb{Z}_p^*$ and sets $X_i = g^{x_i}$. The public key and secret key of user $i$ are $pk_i = X_i$ and $sk_i = x_i$.

Rekeygen($pk_i, sk_j, c$): On input user $i$'s public key $pk_i$, user $j$'s secret key $sk_j$ and a condition $c$, user $j$ chooses a random $\rho \in \mathbb{Z}_p^*$ and sets the re-signature key
$$rk^c_{i\to j} = (rk_0, rk_1, rk_2) = \big(c,\ (pk_i \cdot f \cdot U(c)^\rho)^{1/sk_j},\ g^\rho\big),$$
which re-signs a signature of user $i$ into a signature of user $j$ for the condition $c$. User $j$ sends $rk^c_{i\to j}$ to the proxy.

ReSigKeyVer($pk_i, pk_j, c, rk^c_{i\to j}$): On input user $i$'s public key $pk_i$, user $j$'s public key $pk_j$, a condition $c$ and a re-signature key $rk^c_{i\to j} = (rk_0, rk_1, rk_2)$, this algorithm returns 1 if the following three conditions hold: $rk_0 = c$, $rk_2 \ne 1$ and $e(rk_1, pk_j) = e(pk_i, g)\cdot e(f, g)\cdot e(U(c), rk_2)$. Otherwise, it returns 0.
Sign($sk_i, c, m$): To sign a message $m$ with a condition $c$ under the secret key $sk_i$, the signer picks random $r, s \in \mathbb{Z}_p^*$ and sets
$$\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2) = \big(h^{sk_i}\cdot J(c)^r \cdot F(m)^s,\ g^r,\ g^s\big).$$

ReSign($c, m, \sigma^{(1)}, rk^c_{i\to j}, pk_i, pk_j$): On input the condition $c$, the message $m$, a signature $\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2)$, the re-signature key $rk^c_{i\to j} = (rk_0, rk_1, rk_2)$, user $i$'s public key $pk_i$ and user $j$'s public key $pk_j$, the proxy tests whether ReSigKeyVer($pk_i, pk_j, c, rk^c_{i\to j}$) $= 1$ and checks the following conditions:
$$\sigma_1 \ne 1, \quad (1)$$
$$\sigma_2 \ne 1, \quad (2)$$
$$e(\sigma_0, g) = e(h, pk_i)\cdot e(J(c), \sigma_1)\cdot e(F(m), \sigma_2). \quad (3)$$
If the re-signature key is invalid or conditions (1)–(3) do not hold, the proxy outputs $\bot$. Otherwise, it picks random $t, r', s' \in \mathbb{Z}_p^*$ and computes
$$\sigma^{(2)} = (\hat\sigma_0, \hat\sigma_1, \hat\sigma_2, \hat\sigma_3, \hat\sigma_4, \hat\sigma_5, \hat\sigma_6) = \big(\sigma_0^t \cdot J(c)^{r'} \cdot F(m)^{s'},\ \sigma_1^t \cdot g^{r'},\ \sigma_2^t \cdot g^{s'},\ pk_i^t,\ rk_1^t,\ rk_2^t,\ g^t\big)$$
$$= \big(h^{t\cdot sk_i}\cdot J(c)^{\hat r}\cdot F(m)^{\hat s},\ g^{\hat r},\ g^{\hat s},\ g^{t\cdot sk_i},\ g^{t\cdot sk_i/sk_j}\cdot f^{t/sk_j}\cdot U(c)^{\rho t/sk_j},\ g^{\rho t},\ g^t\big),$$
where $\hat r = t\cdot r + r'$ and $\hat s = t\cdot s + s'$. Setting $\hat t = t\cdot sk_i/sk_j$ and $\delta = \hat t/sk_i = t/sk_j$ to express $\sigma^{(2)}$ in terms of user $j$'s key, we have
$$\sigma^{(2)} = (\hat\sigma_0, \hat\sigma_1, \hat\sigma_2, \hat\sigma_3, \hat\sigma_4, \hat\sigma_5, \hat\sigma_6) = \big(h^{\hat t\cdot sk_j}\cdot J(c)^{\hat r}\cdot F(m)^{\hat s},\ g^{\hat r},\ g^{\hat s},\ pk_j^{\hat t},\ g^{\hat t}\cdot f^{\delta}\cdot U(c)^{\rho\delta},\ pk_j^{\rho\delta},\ pk_j^{\delta}\big).$$

Verify($pk_j, c, m, \sigma^{(L)}$): On input user $j$'s public key $pk_j$, the condition $c$, the message $m$ and a signature $\sigma^{(L)}$ for $L \in \{1,2\}$, the verifier checks relations (1)–(3) (with $pk_j$ in place of $pk_i$) if the signature has the form $(\sigma_0, \sigma_1, \sigma_2)$. Otherwise, it checks validity by the following relations:
$$\hat\sigma_1 \ne 1,\quad \hat\sigma_2 \ne 1,\quad e(\hat\sigma_0, g) = e(h, \hat\sigma_3)\cdot e(J(c), \hat\sigma_1)\cdot e(F(m), \hat\sigma_2),\quad e(\hat\sigma_4, pk_j) = e(g, \hat\sigma_3)\cdot e(f, \hat\sigma_6)\cdot e(U(c), \hat\sigma_5).$$

Correctness of the first-level signature:
$$e(\sigma_0, g) = e(h^{sk_i} \cdot J(c)^r \cdot F(m)^s, g) = e(h^{sk_i}, g)\cdot e(J(c)^r, g)\cdot e(F(m)^s, g) = e(h, g^{sk_i})\cdot e(J(c), g^r)\cdot e(F(m), g^s) = e(h, pk_i)\cdot e(J(c), \sigma_1)\cdot e(F(m), \sigma_2).$$

Correctness of the second-level signature:
$$e(\hat\sigma_0, g) = e(h^{\hat t sk_j}\cdot J(c)^{\hat r}\cdot F(m)^{\hat s}, g) = e(h^{\hat t sk_j}, g)\cdot e(J(c)^{\hat r}, g)\cdot e(F(m)^{\hat s}, g) = e(h, g^{\hat t sk_j})\cdot e(J(c), g^{\hat r})\cdot e(F(m), g^{\hat s}) = e(h, \hat\sigma_3)\cdot e(J(c), \hat\sigma_1)\cdot e(F(m), \hat\sigma_2),$$
$$e(\hat\sigma_4, pk_j) = e(g^{\hat t}\cdot f^\delta\cdot U(c)^{\rho\delta}, pk_j) = e(g^{\hat t}, pk_j)\cdot e(f^\delta, pk_j)\cdot e(U(c)^{\rho\delta}, pk_j) = e(g, pk_j^{\hat t})\cdot e(f, pk_j^\delta)\cdot e(U(c), pk_j^{\rho\delta}) = e(g, \hat\sigma_3)\cdot e(f, \hat\sigma_6)\cdot e(U(c), \hat\sigma_5).$$
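The scheme of Section 4.1 run end to end, as an added example (this is not code from the paper). To keep it self-contained, the bilinear group is a toy: every element of $G$ is stored as its discrete logarithm to the base $g$, so a product in $G$ becomes an addition of exponents, an exponentiation becomes a multiplication and $e(g^a, g^b) = e(g,g)^{ab}$ becomes the product $ab$ modulo the group order. This reproduces every verification equation of the scheme exactly, but it has no security at all, since each element carries its own discrete logarithm; a real implementation needs a pairing-friendly curve. The group order P, the lengths l = n = 32 and the SHA-256 mapping from strings to $l$-bit conditions and $n$-bit messages are choices made for this example, as are the sample condition and message.

```python
import hashlib
import secrets

# Toy bilinear group in log representation (example assumption, not the paper's setting):
# g^a is stored as the integer a mod P, e(g,g)^z as z. Product in G -> addition,
# exponentiation -> multiplication, e(g^a, g^b) -> a*b. No security: logs are in the clear.
P = 2**61 - 1                 # prime group order (example choice)
G_GEN = 1                     # the generator g is g^1
L_BITS, N_BITS = 32, 32       # condition and message lengths l and n (example choice)


def rand_zp_star():
    return secrets.randbelow(P - 1) + 1        # uniform in Z_p^*


def mul(a, b):   return (a + b) % P            # g^a * g^b
def exp(a, k):   return (a * k) % P            # (g^a)^k
def pair(a, b):  return (a * b) % P            # e(g^a, g^b) = e(g,g)^{ab}
def gt_mul(*z):  return sum(z) % P             # product of elements of G_T
def inv(k):      return pow(k, -1, P)          # 1/k mod p


def to_bits(s, nbits):
    # The paper takes c and m as bit strings; hashing longer strings down is our choice.
    digest = int.from_bytes(hashlib.sha256(s.encode()).digest(), "big")
    return [(digest >> i) & 1 for i in range(nbits)]


def waters(vec, bits):
    """Waters function v' * prod_i v_i^{b_i} for vec = (v', v_1, ..., v_n)."""
    acc = vec[0]
    for b, v in zip(bits, vec[1:]):
        if b:
            acc = mul(acc, v)
    return acc


def setup():
    rnd = rand_zp_star
    return {"h": rnd(), "f": rnd(),
            "d": [rnd() for _ in range(L_BITS + 1)],     # defines U(c)
            "u": [rnd() for _ in range(L_BITS + 1)],     # defines J(c)
            "v": [rnd() for _ in range(N_BITS + 1)]}     # defines F(m)


def U(pp, c): return waters(pp["d"], to_bits(c, L_BITS))
def J(pp, c): return waters(pp["u"], to_bits(c, L_BITS))
def F(pp, m): return waters(pp["v"], to_bits(m, N_BITS))


def keygen():
    x = rand_zp_star()
    return exp(G_GEN, x), x                     # (pk_i = g^{x_i}, sk_i = x_i)


def rekeygen(pp, pk_i, sk_j, c):
    """Delegator j alone: rk_{i->j}^c = (c, (pk_i f U(c)^rho)^{1/sk_j}, g^rho)."""
    rho = rand_zp_star()
    rk1 = exp(mul(mul(pk_i, pp["f"]), exp(U(pp, c), rho)), inv(sk_j))
    return (c, rk1, exp(G_GEN, rho))


def resigkeyver(pp, pk_i, pk_j, c, rk):
    rk0, rk1, rk2 = rk
    eq = pair(rk1, pk_j) == gt_mul(pair(pk_i, G_GEN), pair(pp["f"], G_GEN), pair(U(pp, c), rk2))
    return rk0 == c and rk2 != 0 and eq        # 0 is the identity 1_G in this representation


def sign(pp, sk_i, c, m):
    r, s = rand_zp_star(), rand_zp_star()
    sigma0 = mul(mul(exp(pp["h"], sk_i), exp(J(pp, c), r)), exp(F(pp, m), s))
    return (sigma0, exp(G_GEN, r), exp(G_GEN, s))


def verify(pp, pk, c, m, sig):
    Jc, Fm = J(pp, c), F(pp, m)
    if len(sig) == 3:                           # first-level: relations (1)-(3)
        s0, s1, s2 = sig
        return (s1 != 0 and s2 != 0 and
                pair(s0, G_GEN) == gt_mul(pair(pp["h"], pk), pair(Jc, s1), pair(Fm, s2)))
    s0, s1, s2, s3, s4, s5, s6 = sig            # second-level
    return (s1 != 0 and s2 != 0 and
            pair(s0, G_GEN) == gt_mul(pair(pp["h"], s3), pair(Jc, s1), pair(Fm, s2)) and
            pair(s4, pk) == gt_mul(pair(G_GEN, s3), pair(pp["f"], s6), pair(U(pp, c), s5)))


def resign(pp, c, m, sig, rk, pk_i, pk_j):
    """Proxy: checks key and signature, then re-randomizes with fresh t, r', s'."""
    if not (resigkeyver(pp, pk_i, pk_j, c, rk) and verify(pp, pk_i, c, m, sig)):
        return None                             # the error symbol
    s0, s1, s2 = sig
    _, rk1, rk2 = rk
    t, r_, s_ = rand_zp_star(), rand_zp_star(), rand_zp_star()
    return (mul(mul(exp(s0, t), exp(J(pp, c), r_)), exp(F(pp, m), s_)),
            mul(exp(s1, t), exp(G_GEN, r_)), mul(exp(s2, t), exp(G_GEN, s_)),
            exp(pk_i, t), exp(rk1, t), exp(rk2, t), exp(G_GEN, t))


def demo():
    pp = setup()
    pk_a, sk_a = keygen()                       # Alice, the delegatee
    pk_b, sk_b = keygen()                       # Bob, the delegator
    c, m = "invoice:2024-Q1", "pay 100 to Carol"        # constructed sample inputs
    rk = rekeygen(pp, pk_a, sk_b, c)            # Bob computes the key while Alice is off-line
    sig1 = sign(pp, sk_a, c, m)
    sig2 = resign(pp, c, m, sig1, rk, pk_a, pk_b)
    c2 = "invoice:2024-Q2"
    return {"first_level_ok": verify(pp, pk_a, c, m, sig1),
            "rk_ok": resigkeyver(pp, pk_a, pk_b, c, rk),
            "second_level_ok": sig2 is not None and verify(pp, pk_b, c, m, sig2),
            "other_message_rejected": not verify(pp, pk_a, c, "pay 100 to Mallory", sig1),
            "key_bound_to_condition": resign(pp, c2, m, sign(pp, sk_a, c2, m), rk, pk_a, pk_b) is None,
            "second_level_not_under_pk_a": not verify(pp, pk_a, c, m, sig2)}
```

`demo()` returns a dictionary of checks that should all be true: the first-level signature verifies under Alice's key, Bob's key passes ReSigKeyVer, and the re-signed signature verifies under Bob's key only. The last two entries are the fine-grained delegation at work: ReSign refuses the key for a signature on a different condition because ReSigKeyVer checks $rk_0 = c$, and a signature on a different message fails relation (3).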
Correctness of the re-signature key:
$$e(rk_1, pk_j) = e\big((pk_i\cdot f\cdot U(c)^\rho)^{1/sk_j}, g^{sk_j}\big) = e(pk_i, g)\cdot e(f, g)\cdot e(U(c)^\rho, g) = e(pk_i, g)\cdot e(f, g)\cdot e(U(c), rk_2).$$

4.2. Security analysis

We prove that our CPRS scheme is existentially unforgeable under adaptive chosen message attack and adaptive chosen condition attack in the standard model, provided that the 1-FlexDH and mCDH problems are hard.

Theorem 4.1. The proposed CPRS scheme is a secure CPRS under the 1-FlexDH and mCDH assumptions.

Proof. We prove the external security and the internal security of the proposed scheme using a technique similar to that of [5, 22].

External security: Let $\mathcal{A}_1$ be an adversary that breaks external security. We construct an algorithm $\mathcal{B}_1$ that solves the 1-FlexDH problem by interacting with $\mathcal{A}_1$. $\mathcal{B}_1$ takes as input a 1-FlexDH challenge $(g, A = g^a, B = g^b)$ and proceeds as follows.

Setup: $\mathcal{B}_1$ sets $f = A = g^a$ and $h = B = g^b$. Let $q_s$ and $q_{rs}$ be the numbers of signing queries and re-signing queries, respectively. $\mathcal{B}_1$ sets $\tau_c = 2(q_s + q_{rs})$ and randomly chooses an integer $k_c$ with $0 \le k_c \le l$; we assume $\tau_c(l+1) < p$. The $(l+1)$-vector $\bar u = (u', u_1, \dots, u_l)$ is defined by choosing $u' = h^{o' - \tau_c k_c}\cdot g^{w'}$ and $u_i = h^{o_i}\cdot g^{w_i}$ for $i \in \{1,\dots,l\}$, using random vectors $(o', o_1, \dots, o_l) \leftarrow \mathbb{Z}_{\tau_c}^{l+1}$ and $(w', w_1, \dots, w_l) \leftarrow \mathbb{Z}_p^{l+1}$. In the same way, $\mathcal{B}_1$ sets $\tau_m = 2(q_s + q_{rs})$ and randomly chooses an integer $k_m$ with $0 \le k_m \le n$, assuming $\tau_m(n+1) < p$. The $(n+1)$-vector $\bar v = (v', v_1, \dots, v_n)$ is defined by choosing $v' = h^{y' - \tau_m k_m}\cdot g^{z'}$ and $v_i = h^{y_i}\cdot g^{z_i}$ for $i \in \{1,\dots,n\}$, using random vectors $(y', y_1, \dots, y_n) \leftarrow \mathbb{Z}_{\tau_m}^{n+1}$ and $(z', z_1, \dots, z_n) \leftarrow \mathbb{Z}_p^{n+1}$. For any condition $c = c_1 \dots c_l \in \{0,1\}^l$ and any message $m = m_1 \dots m_n \in \{0,1\}^n$, define
$$K(c) = o' + \sum_{i=1}^{l} o_i c_i - \tau_c k_c,\qquad L(c) = w' + \sum_{i=1}^{l} w_i c_i,$$
$$H(m) = y' + \sum_{i=1}^{n} y_i m_i - \tau_m k_m,\qquad R(m) = z' + \sum_{i=1}^{n} z_i m_i.$$
Then we have
$$J(c) = u'\cdot \prod_{i=1}^{l} u_i^{c_i} = h^{K(c)} g^{L(c)}\qquad\text{and}\qquad F(m) = v'\cdot\prod_{i=1}^{n} v_i^{m_i} = h^{H(m)} g^{R(m)}.$$
The $(l+1)$-vector $\bar d = (d', d_1, \dots, d_l)$ is defined by choosing $d' = f^{\alpha'}$ and $d_i = f^{\alpha_i}$ for $i \in \{1,\dots,l\}$, using a random vector $(\alpha', \alpha_1, \dots, \alpha_l) \leftarrow (\mathbb{Z}_p^*)^{l+1}$, so that $U(c) = d'\cdot\prod_{i=1}^{l} d_i^{c_i} = f^{\alpha' + \sum_{i=1}^{l}\alpha_i c_i}$. If we define $G(c) = \alpha' + \sum_{i=1}^{l}\alpha_i c_i$, then $U(c) = f^{G(c)}$.
$\mathcal{B}_1$ sets the public parameter param $= \{G, G_T, e, g, h, f, \bar d, \bar u, \bar v\}$. In addition, $\mathcal{B}_1$ picks a random index $i^* \in \{1,\dots,N\}$.

Key generation: For user $i \ne i^*$, $\mathcal{B}_1$ defines $X_i = g^{x_i}$ for a random $x_i \in \mathbb{Z}_p^*$. For $i = i^*$, $\mathcal{B}_1$ outputs $X_{i^*} = A^x = g^{ax}$ for a random $x \in \mathbb{Z}_p^*$, which implicitly defines the target user's private key as $ax$.

Signing queries: If a signature of user $i \ne i^*$ on a condition $c$ and a message $m$ is queried, $\mathcal{B}_1$ produces the signature using its knowledge of $x_i$. When $i = i^*$, $\mathcal{B}_1$ fails if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. Otherwise, $\mathcal{B}_1$ picks $r, s \in \mathbb{Z}_p$ and, using the technique of [22], generates the signature according to the following cases.
Case 1, $K(c) \ne 0$:
$$\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2) = \big(X_{i^*}^{-L(c)/K(c)}\cdot J(c)^r\cdot F(m)^s,\ X_{i^*}^{-1/K(c)}\cdot g^r,\ g^s\big);$$
Case 2, $H(m) \ne 0$:
$$\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2) = \big(X_{i^*}^{-R(m)/H(m)}\cdot J(c)^r\cdot F(m)^s,\ g^r,\ X_{i^*}^{-1/H(m)}\cdot g^s\big).$$
If we define $\tilde r = r - ax/K(c)$ in Case 1, $\sigma$ has the correct form:
$$\sigma_0 = X_{i^*}^{-L(c)/K(c)}\cdot J(c)^r\cdot F(m)^s = X_{i^*}^{-L(c)/K(c)}\cdot J(c)^{\tilde r}\cdot\big(h^{K(c)} g^{L(c)}\big)^{ax/K(c)}\cdot F(m)^s = h^{ax}\cdot J(c)^{\tilde r}\cdot F(m)^s$$
and $\sigma_1 = X_{i^*}^{-1/K(c)}\cdot g^r = g^{r - ax/K(c)} = g^{\tilde r}$. In the same way, if we define $\tilde s = s - ax/H(m)$ in Case 2, we obtain the correct distribution:
$$\sigma_0 = X_{i^*}^{-R(m)/H(m)}\cdot J(c)^r\cdot F(m)^s = X_{i^*}^{-R(m)/H(m)}\cdot J(c)^r\cdot\big(h^{H(m)} g^{R(m)}\big)^{ax/H(m)}\cdot F(m)^{\tilde s} = h^{ax}\cdot J(c)^r\cdot F(m)^{\tilde s}$$
and $\sigma_2 = X_{i^*}^{-1/H(m)}\cdot g^s = g^{s - ax/H(m)} = g^{\tilde s}$.

Re-signing queries: On a query $(i, j, c, m, \sigma^{(1)})$, $\mathcal{B}_1$ checks whether $\sigma^{(1)}$ is a valid signature on $c$ and $m$ under the public key of user $i$. If so, it computes the second-level signature according to $j$ as follows. If $j \ne i^*$, $\mathcal{B}_1$ produces a first-level signature on $c$ and $m$ under the secret key $x_j$; then, running the ReSign algorithm with the self re-signature key $rk^c_{j\to j} = (c, (g^{x_j}\cdot f\cdot U(c)^\rho)^{1/x_j}, g^\rho) = (c, g\cdot f^{1/x_j}\cdot U(c)^{\rho/x_j}, g^\rho)$ for a random $\rho$, it generates a second-level signature for $j$. If $j = i^*$, $\mathcal{B}_1$ uses the simulation of the signing queries to generate a first-level signature for user $j$, failing if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. Otherwise, running the ReSign algorithm with $rk^c_{j\to j} = (c, (g^{ax}\cdot f\cdot U(c)^\rho)^{1/(ax)}, g^\rho) = (c, g\cdot g^{1/x}\cdot g^{G(c)\rho/x}, g^\rho)$ for a random $\rho$, $\mathcal{B}_1$ generates a second-level signature for $j = i^*$.
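A numerical sanity check of $\mathcal{B}_1$'s simulation, added here as an example and not taken from the paper. It uses the same toy log-representation group as the scheme example (an element $g^a$ is the integer $a$ modulo P, so group products are additions and the pairing is a product of exponents): it programs the Waters vectors with $h = B$, answers signing queries for the target key $X = A^x$ without the secret key $ax$ by Cases 1 and 2, and, for a forgery on $(c^*, m^*)$ with $K(c^*) = H(m^*) = 0$, extracts the 1-FlexDH triple $(g^x, A^x, g^{abx})$ and checks it with the two pairing equations a challenger would use. The choices $l = n = 16$ and $q_s + q_{rs} = 8$, the bounded random search with which the toy adversary finds $c^*, m^*$ with $K = H = 0$, and the fact that this toy adversary is simply handed $ax$ to produce a valid forgery are all assumptions of the example; re-signing queries are omitted because they reduce to the same signing simulation followed by ReSign.

```python
import secrets

# Toy log representation (example assumption): g^a is the integer a mod P, a product in G
# is an addition, (g^a)^k is a*k and e(g^a, g^b) is a*b.  B1 touches A = g^a and B = g^b
# only through these operations; a and b themselves belong to the challenger.
P = 2**61 - 1
L_BITS = N_BITS = 16          # l = n = 16, kept small so the search for K(c*) = 0 is fast
Q = 8                         # q_s + q_rs = 8 oracle queries (example choice)
TAU = 2 * Q                   # tau_c = tau_m = 2(q_s + q_rs); TAU * (L_BITS + 1) < P holds

def rnd(): return secrets.randbelow(P - 1) + 1
def random_bits(n): v = secrets.randbits(n); return [(v >> i) & 1 for i in range(n)]

def waters(vec, bits):        # v' * prod_i v_i^{b_i}
    return (vec[0] + sum(v for v, b in zip(vec[1:], bits) if b)) % P

def programmed_vector(h, tau, nbits):
    """u' = h^{o' - tau k} g^{w'}, u_i = h^{o_i} g^{w_i}: the Waters hash of `bits` then
    equals h^{K(bits)} g^{L(bits)}.  Returns the public vector and B1's trapdoor maps K, L."""
    k = secrets.randbelow(nbits + 1)
    o = [secrets.randbelow(tau) for _ in range(nbits + 1)]
    w = [secrets.randbelow(P) for _ in range(nbits + 1)]
    vec = [(h * (o[0] - tau * k) + w[0]) % P] + [(h * oi + wi) % P for oi, wi in zip(o[1:], w[1:])]
    K = lambda bits: (o[0] + sum(oi for oi, b in zip(o[1:], bits) if b) - tau * k) % P
    L = lambda bits: (w[0] + sum(wi for wi, b in zip(w[1:], bits) if b)) % P
    return vec, K, L

def verify1(h, pk, Jc, Fm, sig):      # relations (1)-(3) of the scheme
    s0, s1, s2 = sig
    return s1 != 0 and s2 != 0 and s0 == (h * pk + Jc * s1 + Fm * s2) % P

def simulate_sign(X, Jc, Kc, Lc, Fm, Hm, Rm):
    """B1's answer to a signing query for the target key X = g^{ax} without knowing ax.
    Returns None exactly when K(c) = 0 = H(m) mod p, the case in which B1 must abort."""
    r, s = rnd(), rnd()
    if Kc != 0:          # Case 1: sigma0 = X^{-L/K} J^r F^s, sigma1 = X^{-1/K} g^r, sigma2 = g^s
        ik = pow(Kc, -1, P)
        return ((-X * Lc * ik + Jc * r + Fm * s) % P, (-X * ik + r) % P, s)
    if Hm != 0:          # Case 2: the same cancellation through F(m)
        ih = pow(Hm, -1, P)
        return ((-X * Rm * ih + Jc * r + Fm * s) % P, r, (-X * ih + s) % P)
    return None

def extract_flexdh(x, A, forgery, Lc, Rm):
    """Forgery on (c*, m*) with K(c*) = H(m*) = 0, i.e. sigma0 = h^{ax} g^{L r} g^{R s}:
    (C, C^a, C^{ab}) = (g^x, A^x, sigma0 / (sigma1^{L(c*)} sigma2^{R(m*)}))."""
    s0, s1, s2 = forgery
    return x, (A * x) % P, (s0 - Lc * s1 - Rm * s2) % P

def is_flexdh_solution(A, B, triple):   # challenger: e(C^a, g) = e(C, A) and e(C^{ab}, g) = e(C^a, B)
    C, Ca, Cab = triple
    return C != 0 and Ca * 1 % P == C * A % P and Cab * 1 % P == Ca * B % P

def find_zero(K, nbits, tries=3000):    # toy adversary: a bit string with K(.) = 0 mod p, if any
    for _ in range(tries):
        bits = random_bits(nbits)
        if K(bits) == 0:
            return bits
    return None

def demo(max_runs=200):
    a, b = rnd(), rnd()                 # challenger's exponents; B1 only ever sees A and B
    A, B = a, b                         # A = g^a, B = g^b in log representation
    for _ in range(max_runs):           # B1 may abort; rerun the game until it does not
        h = B
        u_vec, K, L = programmed_vector(h, TAU, L_BITS)
        v_vec, H, R = programmed_vector(h, TAU, N_BITS)
        x = rnd(); X = (A * x) % P      # target public key X = A^x, private key ax
        oracle_ok, aborted = True, False
        for _ in range(Q):              # signing queries on random (c, m)
            cb, mb = random_bits(L_BITS), random_bits(N_BITS)
            Jc, Fm = waters(u_vec, cb), waters(v_vec, mb)
            sig = simulate_sign(X, Jc, K(cb), L(cb), Fm, H(mb), R(mb))
            if sig is None:
                aborted = True
                break
            oracle_ok &= verify1(h, X, Jc, Fm, sig)
        cb, mb = find_zero(K, L_BITS), find_zero(H, N_BITS)
        if aborted or cb is None or mb is None:
            continue                    # the abort case of the proof: start a fresh setup
        Jc, Fm = waters(u_vec, cb), waters(v_vec, mb)
        r, s = rnd(), rnd()             # forgery by a toy adversary that is handed ax
        forgery = ((h * (a * x) + Jc * r + Fm * s) % P, r, s)
        triple = extract_flexdh(x, A, forgery, L(cb), R(mb))
        return {"simulated_sigs_verify": oracle_ok,
                "forgery_verifies": verify1(h, X, Jc, Fm, forgery),
                "flexdh_solved": is_flexdh_solution(A, B, triple)}
    raise RuntimeError("simulator aborted in every run")
```

`demo()` returns three checks that should all hold: every simulated signature passes relations (1)–(3) under $X$ even though $\mathcal{B}_1$ never held $ax$, the forgery on the chosen $(c^*, m^*)$ is a valid first-level signature, and the extracted triple satisfies the 1-FlexDH relations. The retry loop is the abort event of the proof made visible: a setup in which the forgery target does not land on $K = H = 0$ is thrown away, which is exactly what the $1/(\tau_c(l+1))$ and $1/(\tau_m(n+1))$ factors in the success bound account for.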
After polynomially many queries, $\mathcal{A}_1$ outputs a forgery for $(j^*, c^*, m^*)$. If $K(c^*) \ne 0 \bmod p$ or $H(m^*) \ne 0 \bmod p$ or $j^* \ne i^*$, $\mathcal{B}_1$ fails. Otherwise, the forgery is either a first-level signature of the form
$$\sigma^{(1)*} = (\sigma_0^*, \sigma_1^*, \sigma_2^*) = \big(h^{ax}\cdot (g^{L(c^*)})^r\cdot (g^{R(m^*)})^s,\ g^r,\ g^s\big)$$
or a second-level signature of the form
$$\sigma^{(2)*} = (\hat\sigma_0^*, \hat\sigma_1^*, \hat\sigma_2^*, \hat\sigma_3^*, \hat\sigma_4^*, \hat\sigma_5^*, \hat\sigma_6^*) = \big(h^{tax}\cdot (g^{L(c^*)})^r\cdot (g^{R(m^*)})^s,\ g^r,\ g^s,\ g^{axt},\ g^t\cdot g^{a\delta}\cdot (g^{aG(c^*)})^{\rho\delta},\ g^{ax\rho\delta},\ g^{ax\delta}\big).$$
In either case $\mathcal{B}_1$ can produce a valid 1-FlexDH triple. For a first-level forgery, $\mathcal{B}_1$ computes
$$(C, C^a, C^{ab}) = \Big(g^x,\ (g^a)^x,\ \frac{\sigma_0^*}{(\sigma_1^*)^{L(c^*)}\,(\sigma_2^*)^{R(m^*)}}\Big) = \big(g^x,\ (g^x)^a,\ (g^x)^{ab}\big).$$
For a second-level forgery, $\mathcal{B}_1$ computes
$$(C, C^a, C^{ab}) = \Big(\frac{(\hat\sigma_4^*)^x}{(\hat\sigma_5^*)^{G(c^*)}\,\hat\sigma_6^*},\ \hat\sigma_3^*,\ \frac{\hat\sigma_0^*}{(\hat\sigma_1^*)^{L(c^*)}\,(\hat\sigma_2^*)^{R(m^*)}}\Big) = \big(g^{xt},\ (g^{xt})^a,\ (g^{xt})^{ab}\big).$$
Note that the condition $c^*$ is part of the forgery and the random $x$ was chosen in the key generation phase. This completes the description of the simulation.

For the simulation to complete without aborting, we require that every signing query $(c, m)$ has $K(c) \ne 0 \bmod p$ or $H(m) \ne 0 \bmod p$, and that $K(c^*) = 0 \bmod p$, $H(m^*) = 0 \bmod p$ and $j^* = i^*$. To make the analysis easier, we bound the probability of a sub-case of this event: we assume that all signing queries $(c, m)$ satisfy both $K(c) \ne 0 \bmod p$ and $H(m) \ne 0 \bmod p$, and derive a lower bound on the probability that $\mathcal{B}_1$ does not abort. Let $(c_1, m_1), \dots, (c_{q_Q}, m_{q_Q})$ be the conditions and messages in the signing and re-signing queries; clearly $q_Q \le q_s + q_{rs}$. We define the events $E_i$ and $E^*$ as
$$E_i: K(c_i) \ne 0 \bmod p \wedge H(m_i) \ne 0 \bmod p,\qquad E^*: K(c^*) = 0 \bmod p \wedge H(m^*) = 0 \bmod p.$$
To simplify the analysis further, we follow [23] and force the simulator to abort whenever $K(c_i) = 0 \bmod \tau_c$ or $H(m_i) = 0 \bmod \tau_m$. Given the assumption $\tau_c(l+1) < p$, which implies $0 \le \tau_c k_c < p$ and $0 \le o' + \sum_{i=1}^{l} o_i < p$, it is easy to see that $K(c_i) = 0 \bmod p$ implies $K(c_i) = 0 \bmod \tau_c$; hence $K(c_i) \ne 0 \bmod \tau_c$ implies $K(c_i) \ne 0 \bmod p$. The same holds for $H(m_i)$ and $\tau_m$, so this forced abort only makes the simulator abort more often than necessary.
Then the event $E_i$ is replaced by the event
$$E'_i: K(c_i) \ne 0 \bmod \tau_c \wedge H(m_i) \ne 0 \bmod \tau_m.$$
Moreover, if we split $E'_i$ into $A_i$ and $B_i$ and $E^*$ into $A^*$ and $B^*$ as
$$A_i: K(c_i) \ne 0 \bmod \tau_c,\quad A^*: K(c^*) = 0 \bmod p,\quad B_i: H(m_i) \ne 0 \bmod \tau_m,\quad B^*: H(m^*) = 0 \bmod p,$$
then the probability that $\mathcal{B}_1$ does not abort satisfies
$$\Pr[\neg\text{abort}] \ge \Pr\Big[\bigwedge_{i=1}^{q_Q} A_i \wedge A^* \wedge \bigwedge_{i=1}^{q_Q} B_i \wedge B^* \wedge (j^* = i^*)\Big].$$
The events $(\bigwedge_{i=1}^{q_Q} A_i \wedge A^*)$ and $(\bigwedge_{i=1}^{q_Q} B_i \wedge B^*)$ are independent, because the functions $K$ and $H$ are selected independently. As in [23],
$$\Pr\Big[\bigwedge_{i=1}^{q_Q} A_i \wedge A^*\Big] \ge \frac{1}{\tau_c(l+1)}\Big(1 - \frac{q_s + q_{rs}}{\tau_c}\Big),$$
and setting $\tau_c = 2(q_s + q_{rs})$ as in the simulation gives
$$\Pr\Big[\bigwedge_{i=1}^{q_Q} A_i \wedge A^*\Big] \ge \frac{1}{4(q_s + q_{rs})(l+1)}.$$
The same analysis for $\Pr[\bigwedge_{i=1}^{q_Q} B_i \wedge B^*]$ gives
$$\Pr\Big[\bigwedge_{i=1}^{q_Q} B_i \wedge B^*\Big] \ge \frac{1}{4(q_s + q_{rs})(n+1)},$$
and, since $i^*$ is chosen uniformly among the $N$ users, we get
$$\Pr[\neg\text{abort}] \ge \Pr\Big[\bigwedge_{i=1}^{q_Q} A_i \wedge A^* \wedge \bigwedge_{i=1}^{q_Q} B_i \wedge B^* \wedge (j^* = i^*)\Big] \ge \frac{1}{16(q_s + q_{rs})^2(l+1)(n+1)N}.$$
If the simulation does not abort, $\mathcal{A}_1$ creates a valid forgery with probability at least $\epsilon$, so $\mathcal{B}_1$ computes a 1-FlexDH triple from the forgery with probability at least
$$\frac{\epsilon}{16(q_s + q_{rs})^2(l+1)(n+1)N}.$$

Limited proxy security: Let $\mathcal{A}_2$ be an adversary that breaks limited proxy security. We construct an algorithm $\mathcal{B}_2$ that solves the 1-FlexDH problem by interacting with $\mathcal{A}_2$. $\mathcal{B}_2$ takes as input a 1-FlexDH challenge $(g, A = g^a, B = g^b)$ and proceeds as follows.

Setup: $\mathcal{B}_2$ produces the public parameters exactly as in the proof of external security, except that $\tau_c = 2q_s$ and $\tau_m = 2q_s$. Note that in limited proxy security $\mathcal{B}_2$ does not need to select $i^*$ in advance.

Key generation: For each user $i \in \{1,\dots,N\}$, $\mathcal{B}_2$ defines the public key $X_i = A^{x_i} = g^{ax_i}$ for a random $x_i \in \mathbb{Z}_p^*$, which implicitly defines user $i$'s private key as $ax_i$.

Rekeygen queries: For a pair $(i, j)$ and a condition $c$, re-signature keys are computed as
$$rk^c_{i\to j} = \big(c,\ (pk_i\cdot f\cdot U(c)^\rho)^{1/sk_j},\ g^\rho\big) = \big(c,\ g^{x_i/x_j}\cdot g^{1/x_j}\cdot g^{G(c)\rho/x_j},\ g^\rho\big).$$

Sign queries: $\mathcal{B}_2$ uses the simulation of the target user's signing queries from the external security proof, since in limited proxy security $\mathcal{B}_2$ does not know any user's private key $ax_i$.
Therefore, $\mathcal{B}_2$ uses the technique of [22] and fails if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. When $\mathcal{A}_2$ outputs a forgery, $\mathcal{B}_2$ succeeds if $K(c^*) = 0 \bmod p$ and $H(m^*) = 0 \bmod p$, and extracts a 1-FlexDH triple by the method of the external security proof. An analysis similar to that of external security shows that $\mathcal{B}_2$ computes a 1-FlexDH triple from the forgery with probability at least
$$\frac{\epsilon}{16 q_s^2 (l+1)(n+1)};$$
no factor $N$ appears because $\mathcal{B}_2$ does not have to guess the target user.

Delegatee security: Let $\mathcal{A}_3$ be an adversary that breaks delegatee security. We construct an algorithm $\mathcal{B}_3$ that solves the 1-FlexDH problem by interacting with $\mathcal{A}_3$. $\mathcal{B}_3$ takes as input a 1-FlexDH challenge $(g, A = g^a, B = g^b)$ and proceeds as follows.

Setup: $\mathcal{B}_3$ produces the public parameters exactly as in the proof of limited proxy security.

Key generation: For the target user 0, $\mathcal{B}_3$ defines the public key $X_0 = A^{x_0} = g^{ax_0}$ for a random $x_0 \in \mathbb{Z}_p^*$. For all other users $i \in \{1,\dots,N\}$, $\mathcal{B}_3$ picks a random $x_i \in \mathbb{Z}_p^*$ and computes $X_i = g^{x_i}$. Note that in delegatee security $\mathcal{A}_3$ knows the key pairs $\{pk_i, sk_i\}_{i \in [1,N]}$, so for pairs $(i, j)$ with $i \in \{0,\dots,N\}$ and $j \in \{1,\dots,N\}$, $\mathcal{A}_3$ can compute re-signature keys itself as $rk^c_{i\to j} = (c, (pk_i\cdot f\cdot U(c)^\rho)^{1/sk_j}, g^\rho)$.

Sign queries: $\mathcal{B}_3$ also uses the simulation of the target user's signing queries from the external security proof, because it does not know user 0's private key $ax_0$; it fails if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. When $\mathcal{A}_3$ outputs a forgery, $\mathcal{B}_3$ succeeds if $K(c^*) = 0 \bmod p$ and $H(m^*) = 0 \bmod p$, and extracts a 1-FlexDH triple by the method of the external security proof. An analysis similar to that of external security shows that $\mathcal{B}_3$ computes a 1-FlexDH triple from the forgery with probability at least
$$\frac{\epsilon}{16 q_s^2 (l+1)(n+1)}.$$

Delegator security: Let $\mathcal{A}_4$ be an adversary that breaks delegator security. We construct an algorithm $\mathcal{B}_4$ that solves the mCDH problem by interacting with $\mathcal{A}_4$. $\mathcal{B}_4$ takes as input an mCDH challenge $(g, A = g^a, A' = g^{1/a}, B = g^b)$ and proceeds as follows.

Setup: $\mathcal{B}_4$ produces the public parameters exactly as in the proof of limited proxy security.
Key generation: For the target user 0, $\mathcal{B}_4$ defines the public key $X_0 = A^{x_0} = g^{ax_0}$ for a random $x_0 \in \mathbb{Z}_p^*$. For all other users $i \in \{1,\dots,N\}$, $\mathcal{B}_4$ picks a random $x_i \in \mathbb{Z}_p^*$ and computes $X_i = g^{x_i}$.

Rekeygen queries: For pairs $(i, j)$ with $i, j \ne 0$, re-signature keys are computed as $rk^c_{i\to j} = (c, (pk_i\cdot f\cdot U(c)^\rho)^{1/sk_j}, g^\rho) = (c, (g^{x_i}\cdot f\cdot U(c)^\rho)^{1/x_j}, g^\rho)$. If $i = 0$, $\mathcal{B}_4$ sets $rk^c_{0\to j} = (c, (pk_0\cdot f\cdot U(c)^\rho)^{1/sk_j}, g^\rho) = (c, (A^{x_0}\cdot f\cdot U(c)^\rho)^{1/x_j}, g^\rho)$. If $j = 0$, it computes
$$rk^c_{i\to 0} = \big(c,\ (pk_i\cdot f\cdot U(c)^\rho)^{1/sk_0},\ g^\rho\big) = \big(c,\ (g^{x_i}\cdot f\cdot U(c)^\rho)^{1/(ax_0)},\ g^\rho\big) = \big(c,\ (g^{1/a})^{x_i/x_0}\cdot (g^a)^{1/(ax_0)}\cdot (g^a)^{G(c)\rho/(ax_0)},\ g^\rho\big) = \big(c,\ (A')^{x_i/x_0}\cdot g^{1/x_0}\cdot g^{G(c)\rho/x_0},\ g^\rho\big).$$

Sign queries: $\mathcal{B}_4$ also uses the simulation of the target user's signing queries from the external security proof, and fails if $K(c) = 0 \bmod p$ and $H(m) = 0 \bmod p$. When $\mathcal{A}_4$ outputs a first-level forgery, $\mathcal{B}_4$ succeeds if $K(c^*) = 0 \bmod p$ and $H(m^*) = 0 \bmod p$. Given the forgery $\sigma^{(1)*} = (\sigma_0^*, \sigma_1^*, \sigma_2^*) = \big(h^{ax_0}\cdot (g^{L(c^*)})^r\cdot (g^{R(m^*)})^s,\ g^r,\ g^s\big)$, $\mathcal{B}_4$ extracts
$$g^{ab} = \Big(\frac{\sigma_0^*}{(\sigma_1^*)^{L(c^*)}\,(\sigma_2^*)^{R(m^*)}}\Big)^{1/x_0}.$$
An analysis similar to that of external security shows that $\mathcal{B}_4$ computes $g^{ab}$ from the forgery with probability at least
$$\frac{\epsilon}{16 q_s^2 (l+1)(n+1)}.$$

Re-signature key unforgeability: Let $\mathcal{A}_5$ be an adversary that breaks re-signature key unforgeability. We construct an algorithm $\mathcal{B}_5$ that solves the mCDH problem by interacting with $\mathcal{A}_5$. $\mathcal{B}_5$ takes as input an mCDH challenge $(g, A = g^a, A' = g^{1/a}, B = g^b)$ and proceeds as follows.

Setup: $\mathcal{B}_5$ sets $f = B = g^b$, $h = A = g^a$ and $g' = A' = g^{1/a}$. Let $q_{rk}$ be the number of re-signature key queries. $\mathcal{B}_5$ sets $\tau_{rk} = 2q_{rk}$ and randomly chooses an integer $k_{rk}$ with $0 \le k_{rk} \le l$; we assume $\tau_{rk}(l+1) < p$. The $(l+1)$-vector $\bar d = (d', d_1, \dots, d_l)$ is defined by choosing $d' = f^{\alpha' - \tau_{rk}k_{rk}}\cdot g'^{\beta'}$ and $d_i = f^{\alpha_i}\cdot g'^{\beta_i}$ for $i \in \{1,\dots,l\}$, using random vectors $(\alpha', \alpha_1, \dots, \alpha_l) \leftarrow \mathbb{Z}_{\tau_{rk}}^{l+1}$ and $(\beta', \beta_1, \dots, \beta_l) \leftarrow \mathbb{Z}_p^{l+1}$. For any condition $c = c_1 \dots c_l \in \{0,1\}^l$, define
$$G(c) = \alpha' + \sum_{i=1}^{l}\alpha_i c_i - \tau_{rk}k_{rk}\qquad\text{and}\qquad N(c) = \beta' + \sum_{i=1}^{l}\beta_i c_i;$$
then $U(c) = d'\cdot\prod_{i=1}^{l} d_i^{c_i} = f^{G(c)}\, g'^{N(c)}$.
The $(l+1)$-vector $\bar u = (u', u_1, \dots, u_l)$ is defined by choosing $u' = g^{o'}$ and $u_i = g^{o_i}$ for $i \in \{1,\dots,l\}$, using a random vector $(o', o_1, \dots, o_l) \leftarrow (\mathbb{Z}_p^*)^{l+1}$, so that $J(c) = u'\cdot\prod_{i=1}^{l} u_i^{c_i} = g^{o' + \sum_{i=1}^{l} o_i c_i}$. If we define $K(c) = o' + \sum_{i=1}^{l} o_i c_i$, then $J(c) = g^{K(c)}$. In the same way, the $(n+1)$-vector $\bar v = (v', v_1, \dots, v_n)$ is defined by choosing $v' = g^{y'}$ and $v_i = g^{y_i}$ for $i \in \{1,\dots,n\}$, using a random vector $(y', y_1, \dots, y_n) \leftarrow (\mathbb{Z}_p^*)^{n+1}$, so that $F(m) = v'\cdot\prod_{i=1}^{n} v_i^{m_i} = g^{y' + \sum_{i=1}^{n} y_i m_i}$. If we define $H(m) = y' + \sum_{i=1}^{n} y_i m_i$, then $F(m) = g^{H(m)}$. $\mathcal{B}_5$ sets the public parameter param $= \{G, G_T, e, g, h, f, \bar d, \bar u, \bar v\}$.

Key generation: For each user $i \in \{1,\dots,N\}$, $\mathcal{B}_5$ defines the public key $X_i = (A')^{x_i} = g^{x_i/a}$ for a random $x_i \in \mathbb{Z}_p^*$, which implicitly defines user $i$'s private key as $x_i/a$.

Rekeygen queries: For a pair $(i, j)$ and a condition $c$, $\mathcal{B}_5$ fails if $G(c) = 0 \bmod p$. Otherwise, $\mathcal{B}_5$ picks $\rho \in \mathbb{Z}_p$ and, using a technique similar to the simulation of the target user's signing queries in the external security proof, generates the re-signature key
$$rk^c_{i\to j} = (rk_0, rk_1, rk_2) = \big(c,\ g^{x_i/x_j}\cdot (g^{1/x_j})^{-N(c)/G(c)}\cdot U(c)^\rho,\ g^{-1/G(c)}\cdot X_j^\rho\big).$$
If we define $\tilde\rho = x_j\rho/a - 1/G(c)$, then $rk_1$ has the correct form:
$$rk_1 = g^{x_i/x_j}\cdot (g^{1/x_j})^{-N(c)/G(c)}\cdot U(c)^\rho = g^{x_i/x_j}\cdot (g^{1/x_j})^{-N(c)/G(c)}\cdot U(c)^{a\tilde\rho/x_j}\cdot\big(f^{G(c)}\cdot g'^{N(c)}\big)^{a/(x_j G(c))} = g^{x_i/x_j}\cdot f^{a/x_j}\cdot U(c)^{a\tilde\rho/x_j} = \big(g^{x_i/a}\cdot f\cdot U(c)^{\tilde\rho}\big)^{a/x_j}$$
and $rk_2 = g^{-1/G(c)}\cdot X_j^\rho = g^{-1/G(c) + x_j\rho/a} = g^{\tilde\rho}$.

Sign queries: $\mathcal{B}_5$ picks $r, s \in \mathbb{Z}_p^*$ and computes the first-level signature directly, since $h^{x_i/a} = g^{x_i}$:
$$\sigma^{(1)} = (\sigma_0, \sigma_1, \sigma_2) = \big(h^{x_i/a}\cdot J(c)^r\cdot F(m)^s,\ g^r,\ g^s\big) = \big(g^{x_i}\cdot (g^{K(c)})^r\cdot (g^{H(m)})^s,\ g^r,\ g^s\big).$$
When $\mathcal{A}_5$ outputs a forged re-signature key, $\mathcal{B}_5$ succeeds if $G(c^*) = 0 \bmod p$. Given the forgery
$$rk^{c^*}_{i^*\to j^*} = (rk_0^*, rk_1^*, rk_2^*) = \big(c^*,\ g^{x_{i^*}/x_{j^*}}\cdot f^{a/x_{j^*}}\cdot g'^{\,N(c^*)a\rho/x_{j^*}},\ g^\rho\big),$$
$\mathcal{B}_5$ extracts
$$g^{ab} = \frac{(rk_1^*)^{x_{j^*}}}{g^{x_{i^*}}\cdot (rk_2^*)^{N(c^*)}}.$$
An analysis similar to that of external security shows that $\mathcal{B}_5$ computes $g^{ab}$ from the forged re-signature key with probability at least
$$\frac{\epsilon}{4 q_{rk}(l+1)}.\ \square$$

5. CONCLUSION

We have proposed a conditional proxy re-signature scheme in the standard model. The proposed scheme is a non-interactive, unidirectional and single-use CPRS scheme. It is existentially unforgeable against adaptive chosen message and adaptive chosen condition attacks.
The security of the proposed scheme is based on the 1-Flexible Diffie–Hellman assumption and the modified computational Diffie–Hellman assumption. In the proposed scheme, a delegator can independently choose a condition and can non-interactively generate a re-signature key without the participation of the delegatee; therefore, the delegator fully controls the delegation process. On the other hand, the public parameters of our scheme consist of a description of the groups $G$, $G_T$ and the pairing $e$, together with $2l + n + 6$ group elements of $G$, so the parameter size and the computational cost are relatively large compared with [15]. To construct a first-level signature, a signer must compute on average $l/2 + n/2 + 2$ multiplications in $G$ and five exponentiations in $G$. Generating a second-level signature requires on average $l/2 + n/2 + 4$ multiplications in $G$ and 11 exponentiations in $G$, excluding the verification of the first-level signature. Verifying a first-level signature requires on average $l/2 + n/2$ multiplications in $G$ and four pairing computations; verifying a second-level signature requires on average $l + n/2$ multiplications in $G$ and eight pairing computations.

REFERENCES

1 Blaze, M., Bleumer, G. and Strauss, M. (1998) Divertible protocols and atomic proxy cryptography. Advances in Cryptology—EUROCRYPT'98, Espoo, Finland, May, pp. 127–144. Springer, Berlin, Heidelberg.
2 Ateniese, G. and Hohenberger, S. (2005) Proxy Re-signatures: New Definitions, Algorithms, and Applications. Proc. 12th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, November, pp. 310–319. ACM, New York, NY, USA.
3 Shao, J., Cao, Z., Wang, L. and Liang, X. (2007) Proxy Re-signature Schemes Without Random Oracles. Progress in Cryptology—INDOCRYPT 2007, Chennai, India, December, pp. 197–209. Springer, Berlin, Heidelberg.
4 Chow, S.S.M. and Phan, R.C.-W. (2008) Proxy Re-signatures in the Standard Model. Information Security, Taipei, Taiwan, September, pp.
260–276. Springer, Berlin, Heidelberg.
5 Libert, B. and Vergnaud, D. (2008) Multi-use Unidirectional Proxy Re-signatures. Proc. 15th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, pp. 511–520. ACM, New York, NY, USA.
6 Kim, K., Yie, I. and Lim, S. (2009) Remark on Shao et al.'s bidirectional proxy re-signature scheme in Indocrypt'07. Int. J. Netw. Secur., 9, 8–11.
7 Shao, J., Feng, M., Zhu, B., Cao, Z. and Liu, P. (2010) The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key. Information Security and Privacy, Sydney, Australia, July, pp. 216–232. Springer, Berlin, Heidelberg.
8 Shao, J., Wei, G., Ling, Y. and Xie, M. (2011) Unidirectional Identity-Based Proxy Re-Signature. 2011 IEEE Int. Conf. Communications (ICC), Kyoto, Japan, June, pp. 1–5. IEEE.
9 Wang, Z.-W. and Xia, A.-D. (2015) ID-based proxy re-signature with aggregate property. J. Inf. Sci. Eng., 31, 1199–1211.
10 Zhang, Z., Hu, X. and Yang, Y. (2009) Identity Based Proxy Re-Signature Schemes without Random Oracle. 2009 Int. Conf. Computational Intelligence and Security (CIS 2009), Beijing, China, December, pp. 256–259. IEEE Computer Society.
11 Tian, M. (2015) Identity-based proxy re-signatures from lattices. Inf. Process. Lett., 115, 462–467.
12 Xiao, H. and Zhang, M. (2013) Provably-Secure Certificateless Proxy Re-signature Scheme. 2013 5th Int. Conf. Intelligent Networking and Collaborative Systems, Xi'an, China, September, pp. 591–594. IEEE.
13 Xie, J., Hu, Y.-p. and Gao, J.-t. (2016) Multi-use unidirectional lattice-based proxy re-signatures in standard model. Secur. Commun. Netw., 9, 5615–5624.
14 Wang, X.A. (2015) Proxy Re-signature Supporting Conditional Delegation. 2015 10th Int. Conf. P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), Krakow, Poland, November, pp. 844–848. IEEE.
15 Vivek, S.S. and Balasubramanian, G. (2015) Controlled proxy re-signing - conditional proxy re-signatures. 2015 12th Int. Joint Conf. e-Business and Telecommunications (ICETE), Colmar, France, July, pp. 186–193. IEEE.
16 Bellare, M. and Rogaway, P. (1993) Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols. Proc. 1st ACM Conf. Computer and Communications Security, Fairfax, VA, USA, November, pp. 62–73. ACM, New York, NY, USA.
17 Xiong, H., Chen, Z. and Li, F. (2012) Efficient privacy-preserving authentication protocol for vehicular communications with trustworthy. Secur. Commun. Netw., 5, 1441–1451.
18 Sun, Y., Lu, R., Lin, X., Shen, X. and Su, J. (2010) An efficient pseudonymous authentication scheme with strong privacy preservation for vehicular communications. IEEE Trans. Vehicular Technol., 59, 3589–3603.
19 Wang, B., Li, B. and Li, H. (2015) Panda: public auditing for shared data with efficient user revocation in the cloud. IEEE Trans. Serv. Comput., 8, 92–106.
20 Hong, X. and Long, Y. (2012) A novel unidirectional proxy re-signature scheme and its application for MANETs. J. Comput., 7, 1796–1800.
21 Canetti, R. and Hohenberger, S. (2007) Chosen-ciphertext Secure Proxy Re-encryption. Proc. 14th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, October, pp. 185–194. ACM, New York, NY, USA.
22 Waters, B. (2005) Efficient Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2005, Aarhus, Denmark, May, pp. 114–127. Springer, Berlin, Heidelberg.
23 Paterson, K.G. and Schuldt, J.C.N. (2006) Efficient Identity-Based Signatures Secure in the Standard Model. Information Security and Privacy, Melbourne, Australia, July, pp. 207–222. Springer, Berlin, Heidelberg.
Author notes
Handling editor: Joseph Liu
© The British Computer Society 2018. All rights reserved. For permissions, please email: journals.permissions@oup.com. This article is published and distributed under the terms of the Oxford University Press Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices).

Journal: The Computer Journal, Oxford University Press
Published: Apr 10, 2018
