Sage Journals: Discover world-class research

Abstract

Proxy signature is a very useful technique which allows the original signer to delegate the signing capability to a proxy signer to perform the signing operation. It finds wide applications especially in the distributed environment where the entities such as the wireless sensors are short of computational power and needed to be convinced to the authenticity of the server. Due to less proxy signature schemes in the post-quantum cryptography aspect, in this article, we investigate the proxy signature in the post-quantum setting so that it can resist against the potential attacks from the quantum adversaries. A general multivariate public key cryptographic proxy scheme based on a multivariate public key cryptographic signature scheme is proposed, and a heuristic security proof is given for our general construction. We show that the construction can reach Existential Unforgeability under an Adaptive Chosen Message Attack with Proxy Key Exposure assuming that the underlying signature is Existential Unforgeability under an Adaptive Chosen Message Attack. We then use our general scheme to construct practical proxy signature schemes for three well-known and promising multivariate public key cryptographic signature schemes. We implement our schemes and compare with several previous constructions to show our efficiency advantage, which further indicates the potential application prospect in the distributed network environment.

Keywords

Post-quantum cryptography multivariate public key cryptography general construction proxy signature provable security

Introduction

The characteristic that some specified agents have the capability to proceed with the signing operations on behalf of the original signer turns out to be very attractive in case of the original signers temporal absence, short of computational power, and so on. It has already been shown in many previous researches that the proxy signature can be very helpful especially for application in the environments such as the wireless sensor networks,¹ Internet of things,² distributed shared object systems,³ grid computing,⁴ global distribution networks,⁵ and so on. However, most of the previous constructions are based on the hardness of number theory such as the integer factorization and discrete logarithm. According to Shor’s algorithm,⁶ Rivest–Shamir–Adleman (RSA) and some other algorithms based on the number theory will be broken in polynomial time after the emergence of quantum computers. And as a result, it will eventually lead to the break of most of the traditional cryptosystem.

To deal with the upcoming quantum computers, cryptographic researchers from different countries are beginning to devote themselves to explore the cryptosystems that can resist quantum computer attacks, that is, researching on the post-quantum cryptography.⁷ Post-quantum cryptography can be divided into five categories: code-based cryptography, lattice-based cryptography, hash-based cryptography, multivariate public key cryptography (MPKC), and isogeny-based cryptography. The National Institute for Standards and Technology (NIST) has announced a formal call for proposals for post-quantum cryptography in fall 2016.⁸ Thereafter, it formally provided the first round (round 1) submissions of post-quantum cryptographic standard protocols in December 2017.

The security of MPKC is based on solving a set of random quadratic multivariate equations on a finite field. So far, evidence does not reveal that quantum computers could solve this kind of questions effectively. Plus, MPKC schemes are in general much more effective than RSA in computing. But there are two drawbacks that become obstacles to use MPKCs. The first one is the large key sizes. The second drawback is that the security of MPKCs relies both on the multivariate quadratic (MQ) problem and on the Isomorphism of Polynomials (IP) problem, so the schemes in MPKCs are subjected to not only direct attacks but also structural attacks. This makes many MPKCs insecure, such as Matsumoto–Imai scheme,⁹ balanced Oil, and Vinegar.¹⁰ Under this situation, a number of attempts have been undertaken in order to tackle these two problems. For example, Courtois¹¹ studied provable security against key-only attack on Quartz, but the security against the chosen-message attack is unclear. Beyond these techniques, the Unbalanced Oil and Vinegar (UOV) scheme¹² is a well-known and deeply studied scheme in MPKC, Bulygin et al.¹³ then presented an idea to reduce the public key size of the UOV signature scheme and provided provable security against direct attacks. Then, Sakumoto et al.¹⁴ gave provable security of UOV against chosen-message attack, using the idea given in the study by Bellare and Rogaway,¹⁵ which concatenates a random seed $r$ with the signing message $M$ so as to make the basic trapdoor one-way function of UOV become full domain hash (FDH). In Crypto2011, Sakumoto et al.¹⁶ proposed provably secure identification/signature schemes based on the MQ problem, which is a great improvement for the security of MPKCs.

According to NIST Computer Security Resource Center (CSRC): Cryptographic Technology Group,⁸ MPKC is popular for its efficient signature scheme in the post-quantum cryptography (PQC) aspect and signature schemes are promising. As shown in the submission, there are nine signature schemes, named double exponentiation with matrix exponent (DME),⁸ DualModeMS,¹⁷ GeMSS,¹⁸ Gui,¹⁹ Hi-MQ, lifted unbalanced oil and vinegar scheme (LUOV)²⁰ (a variant of UOV), multivariate quadratic digital signature scheme (MQDSS),²¹ Rainbow,²² TPSig.²³ Among them, only Rainbow is the old scheme, and others are all published in the recent 5 years and the best scheme is LUOV, which has a combined not more than 20 kB size. However, it is the newest one which need time to confirm its security. Another promising scheme is MQDSS, which is provable secure one and the key size is relatively small. However, its resultant signature is too large compared with the original small message. Also, the running time of two schemes is not fast which in fact is the most advantage of MPKC schemes compared with other PQC schemes. Other schemes such as Rainbow is good at the running time and the security consideration but suffers from large key size.

Also, multivariate signature schemes with special properties, such as proxy signature, ring signature, are proposed. For example, Tang and Xu²⁴ proposed the first MPKC proxy signature scheme based on the problem of IP. Petzoldt et al.²⁵ proposed the first provable MPKC threshold ring signature scheme based on the result of Sakumoto et al.¹⁴ Chen et al.²⁶ proposed the first online/offline signature based on UOV by utilizing the linear construction of the central map of UOV, so that the proposed scheme can be distributed in the wireless sensor networks. In addition, multivariate sequential aggregate signature scheme by Petzoldt et al.²⁷ and multivariate blind signature scheme by El Bansarkhani et al.²⁸ are proposed to enrich this area.

Since proxy signature scheme is widely used as a communication solution in distributed sensor networks, that is, the solution in healthcare wireless sensor networks in Verma et al.²⁹ In this article, we focus on developing multivariate signature schemes with special properties and investigate how to build an MPKC proxy scheme and then we will use this idea to build a series of MPKC proxy schemes based on current promising MPKCs (UOV, Rainbow, MQDSS). A highlight of our work is the general proxy scheme is formally provable security under the assumption that the basing scheme is secure, so based on the promising MPKC signature shcemes, our practical resultant proxy schemes from the general construction are considered promising proxy MPKC schemes.

This article is structured as follows: First, we introduce how to build a general MPKC proxy scheme, specifically we give a formal proof for the general scheme assuming the underlying MPKC scheme is secure. Then we propose three practical proxy signature schemes: Proxy-UOV, Proxy-Rainbow, and Proxy-MQ. Next, we run some experiments to verify the security and efficiencies of our schemes. Finally, we draw a conclusion.

Preliminaries

In this section, we give the preliminaries of this article.

Proxy signature scheme

A proxy signature protocol allows an entity, called the original signer, to delegate another entity, called a proxy signer, to sign messages on behalf of itself, in case of temporal absence, lack of time or computational power, and so on. The first efficient proxy signature was introduced by Mambo et al.³⁰ A proxy signature scheme consists of the following algorithms: Setup, KeyGen, Delegate, ProxyKeyGen, ProxySign, ProxyVerify, where the Setup and KeyGen correspond with an ordinary signature scheme $\underset{=}{Π} (Setup, KeyGen, Sign, Verify)$ . Assume $(p k_{A}, s k_{A})$ and $(p k_{B}, s k_{B})$ generated by KeyGen are the public/private key pairs of the original signer and the proxy signer, respectively. Delegate is a randomized algorithm for the delegation of signing right, that is, $θ \leftarrow Delegate (w, s k_{A}, p k_{A})$ is run by the original signer. The input $w$ can be regarded as a warrant. In general, $w$ includes the original signer’s public key $p k_{A}$ , the proxy signer’s public key $p k_{B}$ , a delegated time period $t$ , and other information. ProxyKeyGen algorithm generates the proxy key $psk$ for the proxy signer. For a message $m$ , the proxy signer can generate a proxy signature by ProxySign, that is, $σ \leftarrow ProxySign (m, (w, θ), psk)$ . Anyone who receives the proxy signature can verify the validity of the signature by ProxyVerify. ProxyVerify outputs 1 if the signature is valid; otherwise, it outputs 0.

MPKC signature scheme

Usually, an MPKC scheme over a finite field $k$ is defined as

$P = L_{1} ° F ° L_{2}$

in which $F$ is a set of $m$ quadratic multivariate polynomials in $n$ variables, $L_{1}$ is an affine transformation from $F_{q}^{m}$ to $F_{q}^{m}$ , and $L_{2}$ is an affine transformation from $F_{q}^{n}$ to $F_{q}^{n}$ .

For an MPKC digital signature scheme, the setup algorithm Setup ( $1^{λ}$ ) takes $1^{λ}$ as input and then outputs the system parameter $param$ which mainly contains $(q, n, m)$ , and all the arithmetic operations hereafter are over this finite field.

The key generation algorithm KeyGen( $param$ ) takes $param$ as input and then outputs $pk = P$ and $sk = (L_{1}, F, L_{2})$ .

The signing algorithm Sign( $M, sk$ ) is described in Algorithm 1.

Algorithm 1. Sign( $M, sk$ ).
Input
$M$ : the message;
$sk$ : $sk = (L_{1}, F, L_{2})$ , the private key;
Output
$σ$ : the signature on message $m$ ;
Begin
Step 1. The signer computes $M_{1} = L_{1}^{- 1} (M)$ ;
Step 2. The signer computes $M_{2} = F^{- 1} (M_{1})$ ;
Step 3. The signer computes $σ = L_{2}^{- 1} (M_{2})$ ;
Step 4. Return $σ$ ;
End

Finally, the verification algorithm Verify( $σ$ , $M$ , $P$ ) returns 1 if $P (σ) = M$ , otherwise returns 0.

Security model for MPKC signature scheme

We quantify the security of MPKC signature scheme from the idea in Bellare and Rogaway.¹⁵ A signature scheme is said to be $(ϵ, t, q_{s}) - secure$ if an attacker, given the public key, allowed to run in time $t$ , and allowed a chosen-message attack in which he or she can get $q_{s}$ legitimate message–signature pairs, can be successful in forging the signature of a new message with probability at most $ϵ$ .

Definition 1

We say that the MPKC signature scheme is $(ϵ, t, q_{s}) - secure$ if there is no forger $A$ who takes a public key generated through $(pk, \cdot) \leftarrow KeyGen (1^{λ})$ , after at most $q_{s}$ signature queries, and $t$ processing time, then outputs a valid signature with probability at least $ϵ$ .

UOV and Rainbow

The UOV scheme is one of the earliest MPKC signature scheme. Even though its construction is very simple, it turns out to be one of the most secure MPKC scheme so far. However, Rainbow is one of the most popular schemes in MPKC schemes and rapid development in recent years. It could be regarded as an extension of UOV and has obvious advantages over efficiency and key size.

The central map $F$ of UOV is composed of a set of so-called Oil–Vinegar polynomials which have the following form

$\sum_{i = 1}^{o} \sum_{j = 1}^{v} a_{ij} x_{i} x'_{j} + \sum_{i = 1}^{v} \sum_{j = 1}^{v} b_{ij} x'_{i} x'_{j} + \sum_{i = 1}^{o} c_{i} x_{i} + \sum_{j = 1}^{v} d_{j} x'_{j} + e$ (1)

In this polynomial, there are two kinds of variables: Oil variables ( $x_{i}$ ) and Vinegar variables ( $x'_{j}$ ). Once we assign a set of random values for Vinegar variables, the central map becomes a set of linear polynomials and can be easily inverted. When $v > o$ , this scheme is called UOV scheme, the construction of a UOV scheme is as follows

$P = F ° T$ (2)

where $T$ is an affine translation from $F_{q}^{n}$ to $F_{q}^{n}$ . The construction does not have to compose an invertible affine transformation on the left.

In the case of Rainbow, Rainbow is an extension of UOV scheme. It could be viewed as a multi-layer UOV scheme. Each layer is an independent UOV and each layer’s variables (including Oil variables and Vinegar variables) are Vinegar variables of the next layer. Specifically, let us assume a Rainbow has $l$ layers. We use $v_{i}$ to represent the number of Vinegar variables of the ith layer and $o_{i}$ to represent the number of Oil variables of the ith layer. Then we have $v_{i + 1} = o_{i} + v_{i}$ and $v_{l + 1} = n$ . Each layer’s Vinegar variables set and Oil variables set are represented as ${x_{1}, . . ., x_{v_{i}}}, {{x_{v_{i}}}_{+ 1}, . . ., {x_{v_{i}}}_{+ o_{i}}}$ and the ith layer’s polynomials have the form of

$\sum_{i = 1}^{v_{i}} \sum_{j = v_{i} + 1}^{v_{i} + o_{i}} a_{ij} x_{i} x_{j} + \sum_{i = 1}^{v_{i}} \sum_{j = 1}^{v_{i}} b_{ij} x_{i} x_{j} + \sum_{i = 1}^{v_{i} + o_{i}} c_{i} x_{i} + d$ (3)

We can see that the above polynomial has the basic Oil–Vinegar polynomial form. Finally, the construction of a Rainbow scheme is given as follows

$P = L_{1} ° F ° L_{2}$ (4)

The MQ-based signature scheme

At CRYPTO 2011 Sakumoto et al.¹⁶ presented a new identification scheme whose security is solely based on the MQ problem. In the scheme, every user chooses a vector $s \in F_{q}^{n}$ as his secret key and computes his public key as $v = F (s) \in F_{q}^{m}$ . To identify himself to a verifier, he or she has to show that he or she indeed knows $s$ (without revealing any information about $s$ ). Thus, to create a zero-knowledge proof of the vector $s$ , we need the polar form of the multivariate system $F$ , which is defined as

$G (x, y) = F (x + y) - F (x) - F (y)$

Note that $G (x, y)$ is bilinear in $x$ and $y$ , the knowledge of $s$ is equivalent to knowing a tuple $(r_{0}, r_{1}, t_{0}, t_{1}, e_{0}, e_{1})$ satisfying

$G (t_{0}, r_{1}) + e_{0} = v - F (r_{1}) - G (t_{1}, r_{1}) - e_{1}$

and $(t_{0}, e_{1}) = (r_{0} - t_{1}, F (r_{0}) - e_{1})$ . The five-pass identification scheme between a prover and a verifier is as follows

The prover chooses randomly $t_{0}, r_{0} \in_{R} F_{q}^{n}, e_{0} \in_{R} F_{q}^{m}$ , set $r_{1} = s - r_{0}$ and computes commitments $c_{0} = Com (r_{0}, t_{0}, e_{0}), c_{1} = Com (r_{1}, G (t_{0}, r_{1}) + e_{0})$ and then sends $(c_{0}, c_{1})$ to the verifier.

The verifier chooses randomly a choice $α \in_{R} F_{q}$ and sends $α$ to the prover.

After receive $α$ , the prover computes $t_{1} = α r_{0} - t_{0}, e_{1} = α F (r_{0})$ and then sends $(t_{1}, e_{1})$ to the verifier.

The verifier chooses randomly the challenge $Ch \in_{R} {0, 1}$ and sends $Ch$ to the prover.

If $Ch = 0$ , the prover sends $Rsp = r_{0}$ back; if $Ch = 1$ , the prover sends $Rsp = r_{1}$ back.

If the verifier chooses 0 as the challenge $Ch$ , he or she checks whether $c_{0} = Com (r_{0}, α r_{0} - t_{0}, α F (r_{0}) - e_{1})$ hold. If the verifier chooses 1 as the challenge $Ch$ , he or she checks whether $c_{1} = Com (r_{1}, α v - F (r_{1}) - G (t_{1}, r_{1}) - e_{1})$ holds.

This scheme has a cheating probability per round of 3/4 when $q = 2$ . Therefore, one needs at least 133 rounds to reduce the impersonation probability to less than $2^{- 80}$ . Sakumoto et al.¹⁶ propose for their five-pass schemes that $q = 2, n = 80, m = 80$ to achieve a security level of 80 bits.

Using the Fiat–Shamir paradigm,³¹ anyone can transform the MQ identification scheme into a signature scheme, and a good example is the MQDSS²¹ which is transformed from five-pass MQ identification scheme. Below we give a short description of the MQ signature scheme. For the full description of the MQ scheme, we recommend to read.²¹ The setup and key generation process for the signature scheme work just the same as the identification scheme.

To generate a signature for a message $m$ , the signer gathers the commitments for all rounds, creates the commitments $c_{0}^{(1)}, c_{1}^{(1)}, . . . c_{0}^{(round)}, c_{1}^{(round)}$ , and then uses a hash function $H$ to produce the challenge vector $Ch$ and compute the according responses $Rs p^{(1)}, . . ., Rs p^{(round)}$ . Finally, the signature is $σ = (c_{0}^{(1)} | | c_{1}^{(1)} | | . . . c_{0}^{(round)} | | c_{1}^{(round)}) | | Rs p^{(1)} | | . . . | | Rs p^{(round)}$ .

To verify the authenticity of a signature, the verifier parses $σ$ , computes the challenge vector $Ch$ , and tests for each $i \in 1, . . ., round$ if $Rs p^{i}$ is a correct response to $C h_{i}$ according to $c_{0}^{(i)}, c_{1}^{(i)}$ .

Security model for proxy signature

Schuldt et al.³² presented the security notion Existential Unforgeability under an Adaptive Chosen Message Attack with Proxy Key Exposure (ps-uf-pke) for multilevel proxy signature scheme. Later, Tang and Xu²⁴ modified this notion to single-level proxy signature scheme and adopted as the security model for a proxy signature. In the analysis of our proxy scheme, we also use this model, and we recommend to read more information about this model in Tang and Xu.²⁴ We summarize the security model for a proxy signature in the following.

In our security model for proxy signature, the definition is the same as that in Tang and Xu.²⁴ In the security model in Tang and Xu,²⁴ it uses only one list $psklist$ to store the proxy key which generated by $C$ , but it does not use lists to store the original signature query and the proxy query, this is ambiguous for someone to calculate the number and kinds of query oracle. So, in our security model, we use three initialized empty lists: $OSList$ , $delList (w)$ , $pskList (w)$ which are maintained by a challenger $C$ . The $OSList$ stores all the signatures which are queried by the original signature query, and the $delList (w)$ stores the submitted warrants and the corresponding delegation. The $pskList (w)$ stores all the proxy key which is generated by $C$ from the warrants in the $delList (w)$ . Using these three lists, we can follow the security proof more clearly. More precisely, by calculating the list $OSList$ , we can know how many times of ordinary signature oracle have been queried, and from $delList (w)$ , we can know the number of query of proxy signature oracle. The security model is based on the following game which is played between a challenger $C$ and an adversary $A$ :

Setup. The challenger $C$ runs Setup with input $1^{k}$ and generates $(p k^{*}, s k^{*})$ for $u^{*}$ by running the KeyGen ( $1^{k}$ ) of an ordinary signature scheme. After that, $C$ sends $p k^{*}$ to the adversary $A$ and stores $s k^{*}$ .

Queries. The adversary $A$ can adaptively access to any of the following queries which are answered by $C$ :

Ordinary signature. $A$ submits a message $m$ to $C$ , $C$ generates a signature on $m$ by $σ \leftarrow Sign (m, s k^{*})$ . $C$ returns $σ$ to $A$ and adds $(m, σ)$ to the $OSList$ list.

Delegation to $u^{*}$ . $A$ transmits $w$ to $C$ , $C$ interacts with $A$ through the Delegate and the ProxyKeyGen with $(p k^{*}, s k^{*})$ . After the process finished, $C$ will obtain a delegation of signing right with $θ \leftarrow Delegate (w, s k^{*}, p k^{*})$ and a proxy key $s k_{p}$ . Then, $C$ adds $(w, θ)$ and $(w, s k_{p})$ to the $delList (w)$ list and the $pskList (w)$ list, respectively.

Delegation from $u^{*}$ .

Delegation of $sk'$ : $A$ submits $w$ to $A$ and want $u^{*}$ to give a delegation of signing right to $u'$ . $C$ generates a delegation $θ$ for $u'$ by Delegate and adds $(w, θ)$ to the $delList (w)$ list.

Self-delegation: $C$ interacts with itself through Delegate and ProxyKeyGen on input $w$ . $C$ generates a delegation of signing right $θ$ and a proxy key $s k_{p}$ , adds $(w, θ)$ and $(w, s k_{p})$ to the $delList (w)$ list and the $pskList (w) list$ , respectively. Then $C$ sends $θ$ to $A$ .

Proxy signature. $A$ transmits $(m, (w, θ))$ to $C$ and wants to obtain a proxy signature of $m$ . $C$ finds the proxy key $s k_{p}$ which correspond with $w$ in $pskList (w)$ . If $s k_{p}$ exists, $C$ returns $σ \leftarrow ProxySign (m, (w, θ), s k_{p})$ to $A$ . Otherwise, returns ⊥ to $A$ .

Proxy key exposure. $A$ transmits w to $C$ , $C$ returns the proxy key $s k_{p}$ to $A$ if such a key exists in $pskList (w)$ . Otherwise, returns ⊥ to $A$ .

Forgery. The successful forgery of $A$ can be one of the following forms:

Forge an ordinary signature of $u^{*}$ . $A$ outputs $(m, σ)$ which can be verified by Verify and $m$ has not been submitted in an ordinary signature query.

Forge a proxy signature of $u^{*}$ . $A$ outputs $(m, (w, θ), σ)$ where the $σ$ corresponds to the public key $p k^{*}$ . This forgery is said to be valid if it can be verified by ProxyVerify with $(m, (w, θ))$ has not been queried and $w$ has not been queried.

Self-proxy signature on behalf of $u^{*}$ . $A$ outputs $(m, (w, θ), σ)$ where $σ$ corresponds to the public key $p k_{p}$ . This forgery is said to be valid if it can be verified by ProxyVerify with $w$ has not been queried.

If one of the above cases happens, the game returns 1. Otherwise, it returns 0.

Definition 2

An adversary $A$ is said to be a $(ϵ^{'}, t^{'}, {q^{'}}_{d}, {q^{'}}_{s})$ -forger of a proxy signature scheme if $A$ has advantage at least $ϵ'$ in the above game, runs in time at most $t$ , and makes at most $q'_{d}$ and $q'_{s}$ delegation and signing queries to the challenger. A proxy signature scheme is said to be $(ϵ', t', q'_{d}, q'_{s})$ -secure if no $(ϵ', t', q'_{d}, q'_{s})$ -forger exists.

The general construction of MPKC proxy signature scheme

General proxy signature scheme

Assume we have an above MPKC signature scheme, we now describe our general proxy signature scheme as follows.

Setup: Let $n$ and $m$ be two positive integers, $F_{q}$ is a finite field and all the arithmetic operations hereafter are over this finite field. $H : {0, 1}^{*} \to F_{q}^{n}$ is a cryptographic hash function.

KeyGen: This algorithm generates the public key and the private key of a user. The detail process is the same as that of the key generation of an MPKC signature scheme. After this algorithm, we set the private key of user $A$ is $s k_{A} = (L_{1 A}, L_{2 A}, F_{A})$ , and the public key $p k_{A} = P_{A}$ , where $P_{A} = L_{1 A} ° F_{A} ° L_{2 A}$ . Similarly, the private key and public key of user $B$ are $s k_{B} = (L_{1 B}, L_{2 B}, F_{B})$ and $p k_{B} = P_{B}$ , respectively.

Delegate: On input a warrant $w$ where $w = (p k_{A}, p k_{B}, t)$ , this algorithm is performed by user $A$ and generates a delegation of signing right to user $B$ .

Randomly choose two invertible affine transformations $L'_{1}$ and $L'_{2}$ , which in the forms of $L_{1 A}$ and $L_{2 A}$ , respectively. Then, compute $L_{1} = L'_{1} ° L_{1 A}^{- 1}$ , $L_{2} = L_{2 A}^{- 1} ° L'_{2}$ , and

$P_{A}' = L_{1} ° P_{A} ° L_{2}$ (5)

Compute $θ = Sign (H (w | | P_{A}'), s k_{A})$ .

Send $(L_{1}, L_{2}, P_{A}')$ and the warrant $(w, θ)$ to user $B$ through an authenticated channel.

ProxyKeyGen: This algorithm generates a proxy key for the proxy signer with input $(L_{1}, L_{2}, P_{A}', w, θ)$ . It is performed by user $B$ as follows:

Verify the validity of $P_{A}'$ and $θ$ . If they are true, goto the next step. Otherwise, output 0.

Select two random invertible affine transformations ${L ″}_{1}$ and ${L ″}_{2}$ , respectively, compute

$L_{1 p} = L_{1} ° L_{1 B}^{- 1} ° {L ″}_{1}^{- 1}$ (6)

$L_{2 p} = {L ″}_{2}^{- 1} ° L_{2 B}^{- 1} ° L_{2}$ (7)

and

$F_{p} = {L ″}_{1} ° L_{1 B} ° P_{A} ° L_{2 B} ° {L ″}_{2}$ (8)

3. Compute a signature on $(w, θ, F_{p})$ through running Sign with $s k_{B}$ , that is, $σ_{prx} = Sign (H (w | | θ | | P'_{A}), s k_{B})$ .

4. Output $s k_{p} = (L_{1 p}, L_{2 p}, F_{p})$ as a proxy key of user $B$ which uses to generate proxy signatures on behalf of user $A$ , and the corresponding public key is $p k_{p} = P'_{A}$ .

Remark 1

Note that since $F_{p} = {L ″}_{1} ° L_{1 B} ° P_{A} ° L_{2 B} ° {L ″}_{2}$ , to invert $F_{p}$ , we do not need the secret key $F_{A}$ of user A, but the public key $P_{A}$ of user $A$ , what we need to choose is the linear transformations such that the map $F_{p}$ can still be easily inverted. This is the key point in the construction; otherwise, the construction cannot work. In some cases of MPKCs, the linear transformations are totally random, such as our proxy signature for MQ-based signature shown in section “Proxy-MQ: our MQ-based proxy signature scheme,” and the proxy signature in Tang and Xu.²⁴ In some cases of MPKCs, we need to choose some special linear transformations, for example, in section “Practical implementations for these two schemes,” we will show how to choose the linear transformations in the practical implementation of our proposed proxy schemes for UOV and Rainbow.

ProxySign: Suppose $M$ is the message to be signed. This algorithm generates a proxy signature on the message $M$ by user $B$ .

User $B$ applies $L_{1 p}$ , $L_{2 p}$ , and the central map $F_{p}$ to the basic MPKC signature algorithm described in Algorithm 1 to generate the signature $σ$ on $M$

$σ = Sign (H (M), s k_{p})$ (9)

Then the proxy signature on message $M$ by user $B$ is $(σ, (w, θ, P_{A}', σ_{prx}))$ .

ProxyVerify: On input $(M, σ, (w, θ, P'_{A}, σ_{prx}))$ , anyone can verify the validity of the proxy signature by executing this algorithm. This algorithm includes the following steps:

Check the validity of $θ$ on $w$ by running Verify with $p k_{A}$ : $Verify ((w, P'_{A}), θ, p k_{A}) =^{?} true$ . If it is ture, goto the next step. Otherwise, output 0.

Check the validity of $σ_{prx}$ on $(w, θ, P'_{A})$ by running Verify with $p k_{B}$ : $Verify ((w, θ, P'_{A}), σ_{prx}, p k_{B}) =^{?} true$ . If it is true, goto the next step. Otherwise, output 0.

Check the validity of $σ$ on message $M$ by running Verify with $P'_{A}$ : $Verify (M, σ, P'_{A}) =^{?} true$ . If it is true, output 1. Otherwise, output 0.

The verifier accepts the proxy signature if and only if the three conditions of ProxySign are all true. Otherwise, the verifier rejects the proxy signature.

Security analysis of the general proxy signature scheme

Theorem 1

If the basic MPKC signature scheme is $(ϵ, t, q_{s})$ secure, then the general proxy signature scheme is $(ϵ', t', q'_{d}, q'_{s})$ secure, where $ϵ \geq ε' / 2 q'_{d}$ , $t = t'$ and $q_{s} = q'_{s} + q'_{d}$ .

Proof

Let $A$ be an adversary who can $(ϵ', t', q'_{d}, q'_{s})$ break our proxy signature scheme, then there exists an attacker $C$ who can $(ϵ, t, q_{s})$ break the corresponding MPKC signature scheme using $A$ . Assume that $C$ receives a random public key $pk' = P'$ of MPKC signature scheme and has the right to access to an MPKC signing oracle $Oracl e_{sig} (m, sk)$ . Before beginning the security game, the attacker $C$ flips a uniform coin $c$ . The result of $c$ is hidden from $A$ , unless the security game aborts. If $c = 0$ , $C$ sets $p k^{*} = pk'$ , and $s k^{*} = Ø$ , where Ø means empty set. Otherwise, $C$ generates a fresh key pair $(p k^{*}, s k^{*}) \leftarrow KeyGen$ where $p k^{*} = (P^{*})$ , and chooses $i^{*} \in {1, 2, \dots, q'_{d}}$ .

As the challenger in the security game, $C$ will maintain three lists $OSList$ , $delList (w)$ , $pskList (w)$ . Here, the $delList$ list stores the intermediate result which will be considered in the following. Furthermore, $A$ is allowed to make $q'_{s}$ ordinary signature queries and $q'_{d}$ delegation queries which $C$ will answer in the security game as follows:

Ordinary signature. On input $m$ from $A$ , if $c = 0$ , $C$ simply makes query to the MPKC signing oracle and obtains an answer $σ$ ; if $c = 1$ , $β$ generates a signature $σ$ by running $Sign (m, s k^{*})$ . $C$ adds $(m, σ)$ to the $OSList$ list and sends $σ$ to $A$ .

Delegation to $u^{*}$ . $A$ transmits a delegation message $(w, θ, L_{1 d}^{'}, L_{2 d}^{'}, P'_{d})$ where $w = (p k_{d}, p k^{*}, t)$ . $C$ verifies whether both $P'_{d} = L_{1 d}^{'} ° P_{d} ° L_{2 d}^{'}$ and $θ = Sign (H (w | | P'_{d}), s k_{d})$ are correct. If $c = 0$ , $C$ chooses randomly two invertible affine transformations $L'_{1}$ and $L'_{2}$ , and computes $L_{1 p} = L'_{1 d} ° L_{1}'^{- 1}$ , $L_{2 p} = L {'_{2}}^{- 1} ° L'_{2 d}$ , and $F_{p u^{*}} = L'_{1} P_{d} ° L'_{2}$ . Let $p k_{p} = P'_{d}$ and $s k_{p} = (L_{1 p}, L_{2 p}, F_{p u^{*}})$ . makes a query to the MPKC signing oracle for $(w, θ, P'_{d}, p k_{p})$ and obtains a signature $σ_{prx}$ . In this case, $σ_{prx}$ would be added to the $OSList$ list. If $c = 1$ and this is not the $i^{*} th$ query, $C$ similarly chooses randomly two invertible affine transformations $L_{1}$ and $L_{2}$ , and computes $L_{1 p} = L'_{1 d} ° L_{1}^{- 1}$ , $L_{2 p} = L_{2}^{- 1} ° L'_{2 d}$ , and $F_{p u^{*}} = L_{1} ° P_{d} ° L_{2}$ . Let $p k_{p} = P'_{d}$ and $s k_{p} = (L_{1 p}, L_{2 p}, F_{p u^{*}})$ . Then $C$ runs $σ_{prx} = Sign (H (w | | θ | | p k_{p}), s k^{*})$ . If $c = 1$ and this is the $i^{*} th$ query, $C$ directly lets $p k_{p} = pk'$ , $s k_{p} = ϕ$ and runs $σ_{prx} = Sign (H (w | | θ | | p k_{p}), s k^{*})$ . Finally, $C$ stores $(w, θ, P'_{d})$ and $(w, s k_{p})$ to the $delList (w)$ and $pskList (w)$ , respectively.

Delegation from $u^{*}$ .

Delegation of $s k^{*}$ . $A$ submits $w$ to $C$ , where $w = (p k^{*}, p k_{d}, t)$ . $C$ chooses randomly two invertible affine transformations $(L_{1 d'}, L_{2 d'})$ and computes $P^{*'} = L_{1 d'} ° P^{*} ° L_{2 d'}$ . If $c = 0$ , then $C$ makes a query to the MPKC signing oracle and obtains a signature $θ$ on $w | | P^{*'}$ . The $θ$ later is added to the $OSList$ list by $C$ . If $c = 1$ , then $C$ generates $θ$ by running $θ \leftarrow Sign (H (w | | P^{*'}), s k^{*})$ and sends the delegation message $(w, θ, L_{1 d'}, L_{2 d'}, P^{*'})$ to $A$ . Of course, $C$ adds $(w, θ, P^{*'})$ to the $delList (w)$ list.

Self-delegation. $C$ interacts with itself with $w = (p k^{*}, p k^{*}, t)$ which submitted by $A$ . If $c = 0$ or $c = 1$ and this is not the $i^{*} th$ query, $C$ chooses randomly two invertible affine transformations $(L_{1 p}, L_{2 p})$ , computes $P^{*'} = L_{1 p} ° P^{*} ° L_{2 p}$ , makes a query to the MPKC signing oracle, and obtains a signature $θ$ on $w | | P^{*'}$ with $P^{*}$ . Then, $C$ also makes a query to the MPKC signing oracle for $(w, θ, P^{*'})$ and obtains a signature $σ_{prx}$ . If $c = 1$ and this is the $i^{*} th$ query, $C$ directly lets $p k_{p} = pk'$ and computes $σ_{prx} = Sign (H (w | | θ | | p k_{p}), s k^{*})$ . Finally, $C$ adds $(w, θ, p k_{p})$ to the $delList (w)$ and $(w, s k_{p})$ to the $pskList (w)$ . If the $θ$ is obtained by the MPKC signing oracle, $C$ also adds it to the $OSList$ list.

Proxy signature. Once receiving $(m, (w, θ))$ submitted by $A$ , $C$ finds the relevant information with $w$ from $delList (w)$ and $pskList (w)$ . $C$ parses $p k_{p}$ and the proxy key as $s k_{p}$ . Then, $C$ makes a query to the MPKC signing oracle for $m$ and obtains a signature $σ$ if $c = 0$ . Otherwise, $C$ computes $σ \leftarrow Sign (H (m), s k_{p})$ . Then $C$ sends $(m, σ, (w, θ, p k_{p}, σ_{prx}))$ to $A$ .

Proxy key exposure. On input $w$ from $A$ , $C$ finds relevant information from $delList (w)$ and $pskList (w)$ and parses it as $(s k_{p}, (w, θ, p k_{p}, σ_{prx})$ . If $s k_{p} = ϕ$ , $C$ aborts the game. Otherwise, $C$ returns $(s k_{p}, (w, θ, p k_{p}, σ_{prx}))$ to $A$ .

If the above game is not forced to abort by $C$ , $A$ will eventually output a forgery. The forgeries are classified into two different cases:

Case 1: $A$ forges (1) a valid MPKC signature $(m, σ)$ or (2) a valid proxy signature $(m, (w, θ, p k_{p}, σ_{prx}), σ)$ which the corresponding public key $p k_{p}$ was not generated by $C$ , or (3) a valid proxy signature $(m, (w, θ, p k_{p}, σ_{prx}), σ)$ where $w$ was not submitted to the ordinary signature query.

Case 2: $A$ forges a valid signature which is not in case 1.

In the case $c = 0$ , $C$ sets $p k^{*} = pk'$ . If $A$ constructs a valid forgery in case 2, $C$ will abort the game. Otherwise, if $A$ constructs a valid forgery in case 1, then

If the forgery is of type 1, that is, $(m, σ)$ , it shows that $A$ has not requested a signature on $m$ . Then, $C$ will not have submitted $m$ to an MPKC signature oracle. That is, $σ$ is a valid forgery of an MPKC signature under the public key $pk'$ .

If the forgery is of type 2, that is, $(m, (w, θ, p k_{p}, σ_{prx}), σ)$ is a valid signature for $(w, θ, p k_{p})$ under the public key $p k_{p} = p k^{'}$ , then $C$ will not have submitted $(w, θ, p k_{p})$ to MPKC signing oracle. Therefore, $σ_{prx}$ will be a valid MPKC signature forgery under the public key $pk'$ .

If the forgery is of type 3, that is, $(m, (w, θ, p k_{p}, σ_{prx}), σ)$ derives that $θ$ is a valid forgery for $w$ , and $C$ will therefore not have submitted $w$ to the signing oracle. Hence $θ$ is a valid forgery of an MPKC signature under the public key $pk'$ .

Now, let us consider the case $c = 1$ where $C$ inserts $pk'$ as a proxy public key. In this case, if the forgery is in case 1, then $C$ will abort the game. However, if the forgery is in case 2 which forgery $(m, (w, θ, p k_{p}, σ_{prx}), σ)$ where $p k_{p} = pk'$ , then $C$ outputs $(m, σ)$ as a valid forgery for signature scheme. Otherwise, $C$ aborts. Note that if $A$ constructs such a forgery, then $A$ will not have queried the proxy key $(w, θ, p k_{p}, σ_{prx})$ with $p k_{p}$ .

We define the following events associated with the above security game: $E_{1}$ be the event that $A$ constructs a forgery in case 1, $E_{2}$ be the event that $A$ . constructs a forgery in case 2, and $E_{3}$ denotes that $A$ guesses the correct value of $i^{*}$ in a forgery for case 2. The success probability of $A$ is $\Pr [E_{1}] + \Pr [E_{2}]$ . Then the success probability of $C$ can be

$\begin{matrix} ϵ = \Pr [c = 0 \land E_{1}] + \Pr [c = 1 \land E_{2} \land E_{3}] \\ = 1 / 2 \cdot \Pr [E_{1}] + \Pr [E_{3} | c = 1 \land E_{2}] \cdot \\ \Pr [c = 1 | E_{2}] \cdot \Pr [E_{2}] \\ = 1 / 2 \cdot \Pr [E_{1}] + 1 / q'_{d} \cdot 1 / 2 \cdot \Pr [E_{2}] \\ \geq \frac{ε'}{2 {q_{d}}^{'}} . \end{matrix}$

Remark 2

Note that the above proof is only a heuristic security proof, since the underlying signature schemes in the area of MPKC are mostly not provable secure, more discussion will be done next, and we propose the additional analysis in section “Practical implementations for these two schemes” for our practical implementation.

Furthermore, we can obtain that anyone can determine the proxy signer by the verification of the warrant $w$ and the signature $σ_{prx}$ . Then, the proxy signer is required to sign $θ$ and the public key of the proxy signature. Under the assumption that the underlying signature scheme is secure, we can conclude that any proxy signer cannot deny the proxy signature he or she created due to the existence of $σ_{prx}$ . At the same time, the private key of the original signer is only directly used to sign the warrant $w$ . And no one can obtain the private key of the original signer from the proxy key because of the selected random transformations in Delegate. The above discussions show that our scheme meets all the security properties of a proxy signature scheme.

The proposed MPKC proxy signature schemes

In this section, we will propose three proxy schemes based on three well-known MPKC schemes: UOV,¹² Rainbow²² and MQ-based scheme.¹⁶

Proxy-UOV: proxy scheme based on UOV

Now we describe the process of our proxy scheme based on UOV using our general construction.

Setup: Let $n$ and $m$ be two positive integers, $k$ is a finite field and all the arithmetic operations hereafter are over this finite field. $H : {0, 1}^{*} \to k^{n}$ is a cryptographic hash function.

KeyGen: This algorithm generates the public key and the private key of a user. The detail process is the same as that of the key generation of an MPKC signature scheme. After this algorithm, we set the private key of user A is $s k_{A} = (F_{A}, T_{A})$ , and the public key $p k_{A} = P_{A}$ , where $P_{A} = F_{A} ° T_{A}$ . Similarly, the private key and public key of user $B$ are: $s k_{B} = (F_{B}, T_{B})$ , $p k_{B} = P_{B}$ , respectively.

Delegate: $A$ randomly chooses a bijective affine transformation $T$ , then computes $T_{A}' = T ° T_{A}$ , $F_{A}' = F_{A} ° T$ and $P_{A}' = F_{A}' ° T_{A}'$ .

The affine $T$ should be kept secret by $A$ . $A$ sends $(T_{A}', F_{A}', P_{A}')$ and the warrant $(w, θ)$ to $B$ through an authenticated channel, where $w = (p k_{A}, p k_{B}, t)$ , $t$ is a time period which denotes that $w$ is valid in time $t$ and $θ$ is a signature on $w$ generated by $A$ using our proposed signing algorithm, that is, $θ = Sign (H (w), s k_{A})$ .

ProxyKeyGen: After receiving $(T_{A}', F_{A}', P_{A}', w, θ)$ , $B$ first checks the validity of $P_{A}', θ$ by checking if $P_{A}' = F_{A}' ° T'_{A}$ and $Verify (w, θ, p k_{A}) = 1$ . Then $B$ selects a random bijective affine transformation $T'$ and computes $T_{p} = T'^{- 1} ° T_{A}'$ , and $F_{p} = F'_{A} ° T'$ . Let $s k_{p} = (F_{p}, T_{p})$ , and $p k_{p} = P_{A}'$ . Then $s k_{p}$ is a private key for ordinary signature, and the corresponding public key is $p k_{p}$ , that is because the following equality holds

$\begin{matrix} F_{p} ° T_{p} = F'_{A} ° T' ° T'^{- 1} ° T ° T_{A} \\ = F'_{A} ° T ° T_{A} = F_{A}' ° T_{A}' = P_{A}' \end{matrix}$ (10)

Then $B$ computes a signature $σ_{prx}$ by running

$σ_{prx} = Sign ((H (w, θ, P'_{A}), s k_{B})$ (11)

and sets $s k_{p}$ as the proxy signing key that $B$ uses to generate proxy signatures on behalf of $A$ and sets $p k_{p}$ and $(w, θ, P'_{A}, σ_{prx})$ as the proxy verifying key.

ProxySign: Suppose $M$ is the message to be signed. This algorithm generates a proxy signature on the message $M$ by user $B$ .

User $B$ applies $T_{p}$ and the central map $F_{p}$ to the basic MPKC signature algorithm described in Algorithm 1 to generate the signature $σ$ on $M$

$σ = Sign (H (M), s k_{p})$ (12)

Then the proxy signature on message $M$ by user $B$ is $(σ, (w, θ, P_{A^{'}}, σ_{p r x}))$ .

ProxyVerify: On input $(M, σ, (w, θ, P'_{A}, σ_{prx}))$ , anyone can verify the validity of the proxy signature by executing this algorithm. This algorithm includes the following steps:

Check the validity of $θ$ on $w$ by running Verify with $p k_{A}$ : $Verify ((w, P'_{A}), θ, p k_{A}) =^{?} true$ . If it is ture, go to the next step. Otherwise, output 0.

Check the validity of $σ$ on message $M$ by running Verify with $P'_{A}$ : $Verify (M, σ, P'_{A}) =^{?} true$ . If it is true, output 1. Otherwise, output 0.

The verifier accepts the proxy signature if and only if the three conditions of ProxySign are all true. Otherwise, the verifier rejects the proxy signature.

Proxy-Rainbow: proxy scheme based on Rainbow

Since the main difference of this proxy signature schemes lies on the Delegate step and ProxyKeyGen process compared to the general construction, we just only describe the processes Delegate step and ProxyKeyGen.

Setup: Let $n$ and $m$ be two positive integers, $k$ is a finite field, and all the arithmetic operations hereafter are over this finite field. $H : {0, 1}^{*} \to k^{n}$ is a cryptographic hash function.

Delegate: $A$ randomly chooses two invertible affine transformations $L'_{1}$ and $L'_{2}$ respectively, then computes $L_{1} = L_{1 A} ° L'_{1}$ , $L_{2} = L'_{2} ° L_{2 A}$ and $F'_{A} = L'_{1} ° F_{A} ° L_{2}'$ . $P_{A}' = L_{1} ° F_{A}' ° L_{2}$ . The affine $L'_{1}$ and $L'_{2}$ should be kept secret by $A$ . $A$ sends $(L_{1}, L_{2}, F'_{A}, P_{A}')$ and the warrant $(w, θ)$ to $B$ through an authenticated channel, where $w = (p k_{A}, p k_{B}, t)$ , $t$ is a time period which denotes that $w$ is valid in time $t$ and θ is a signature on $w$ generated by $A$ using Rainbow signing algorithm, that is, $θ = Sign (w, s k_{A})$ .

ProxyKeyGen: After receiving $(L_{1}, L_{2}, F'_{A}, P_{A}', w, θ)$ , $B$ randomly chooses two invertible affine transformations ${L ″}_{1}$ and ${L ″}_{2}$ , respectively, and computes $L_{1 p} = L_{1} ° L' {'_{1}}^{- 1}$ , $L_{2 p} = {L ″}_{2}^{- 1} ° L_{2}$ , and $F_{p} = {L ″}_{1} ° P_{A} ° {L ″}_{2}$ . Let $s k_{p} = (L_{1 p}, F_{p}, L_{2 p})$ , and $p k_{p} = P_{A}'$ . Then $s k_{p}$ is a private key for ordinary signature, and the corresponding public key is $p k_{p}$ , that is, because the following equality holds

$\begin{matrix} L_{1 p} ° F_{p} ° L_{2 p} = L_{1} ° {L ″}_{1}^{- 1} ° {L ″}_{1} ° P_{A} ° {L ″}_{2} \\ ° {L ″}_{2}^{- 1} ° L_{2} = L_{1} ° F'_{A} ° L_{2} = P_{A}' \end{matrix}$ (13)

Then $B$ computes a signature $σ_{prx}$ by running

$σ_{prx} = Sign ((w, θ, p k_{p}), s k_{B})$ (14)

and sets $s k_{p}$ as the proxy signing key that $B$ uses to generate proxy signatures on behalf of $A$ , and sets $p k_{p}$ and $(w, θ, pkp, σ_{prx})$ as the proxy verifying key.

Practical implementations for these two schemes

In Petzoldt et al.,³³ the result indicates that $q = 2^{8}, m = 26, v = 52$ has security level higher than $2^{80}$ for UOV scheme, where $q$ is the order of the finite field, $m$ is the number of polynomials and is equal to the number of Oil variate, and $v$ is the number of Vinegar variate. We will choose this parameter set.

Next, also the extremely important setting of our construction, we should choose appropriate affine transformations that could preserve the special structure of UOV scheme. Specifically, after composing an affine transformation, the polynomials in the new central map, the public key should still stay in the form of Oil–Vinegar polynomials. If we represent a UOV scheme’s central polynomial by its corresponding matrix, the Vinegar variables are denoted by its first $v = 52$ variables. Then the matrices of the polynomials in central map should be in the form of Figure 1. In Figure 1, the gray areas represent the random entries while blank areas denote zero entries. The rest part of this article follows the same rules. Thereby, our problem is transformed to choose an affine transformation that could keep the shape of the above matrix of central equation. To achieve that goal, we could pick the invertible affine transformations of the form as shown in Figure 2.

Figure 1.

Oil–Vinegar scheme corresponding matrix.

Figure 2.

The affine transformation form for Proxy-UOV.

Once $T$ and $T'$ are choosing in this form, we will get that $F_{p} = F_{A} ° T ° T'$ , which means that the matrices form of central map $F_{p}$ is

$\begin{matrix} F_{p} = [\begin{matrix} *_{v \times v} & *_{v \times o} \\ *_{o \times v} & 0_{o \times o} \end{matrix}] [\begin{matrix} *_{v \times v} & 0_{v \times o} \\ *_{o \times v} & *_{o \times o} \end{matrix}] [\begin{matrix} *_{v \times v} & *_{0 \times o} \\ *_{o \times v} & *_{o \times o} \end{matrix}] \\ = [\begin{matrix} *_{v \times v} & *_{v \times o} \\ *_{o \times v} & 0_{o \times o} \end{matrix}] \end{matrix}$

Thus, this will make sure that the map $F_{p}$ can still be easily inverted.

Currently, the Rainbow prevails now is two-layer based and layer structure (18,12,12) and $GF (2^{8})$ is enough to resist all the attacks mentioned above (security level is greater than $2^{80}$ ).³⁴ Thereby, we plan to use this parameter set of Rainbow for our Proxy-Rainbow scheme. The Rainbow’s corresponding matrices have the following forms in Figure 3.

Figure 3.

Rainbow scheme corresponding matrix.

Moreover, to keep the multi-layer structure of central equation, the structure of the left affine transformation $L_{1}$ and $L'_{1}$ should have the shapes as shown below. By choosing these structures, we can make sure that the map $F_{p}$ of Proxy-Rainbow can still be easily inverted (Figures 4 and 5).

Figure 4.

The left affine transformation form for Proxy-Rainbow.

Figure 5.

The right affine transformation form for Proxy-Rainbow.

Proxy-MQ: our MQ-based proxy signature scheme

Using our general method to propose a proxy signature scheme based on the basic MQ-based signature scheme described in section “The general construction of MPKC proxy signature scheme,” we need to make some changes in the key generation phase KeyGen.

Below is the full description of our proxy signature for the MQ scheme.

KeyGen: Let $e$ be a vector from $F_{q}^{n}$ that every element is randomly chosen in $k$ (i.e. $e = {1, . . ., 1}^{T}$ , the superscript T denotes transposition), to get $A s$ private key, A first randomly chooses a bijective affine transformation $T_{A}$ , and its private key $s_{A}$ is calculated by $s_{A} = T_{A} (e)$ , then the corresponding public key $p k_{A}$ is $(F_{A}, v_{A})$ that satisfies $v_{A} = F_{A} (s_{A})$ . Similarly, B’s private key $s k_{B}$ is calculated by $s_{B} = T_{B} (e)$ where $T_{B}$ is a randomly bijective affine transformation, and the corresponding public key $p k_{B}$ is $(F_{B}, v_{B})$ that satisfies $v_{B} = F_{B} (s_{B})$ . Then $e$ , $p k_{A} = (F_{A}, v_{A})$ and $p k_{B} = (F_{B}, v_{B})$ , are published to the public bulletin board.

Delegate: Let $s_{A} = T_{A} (e)$ , $A$ randomly chooses a bijective affine transformation $T$ , then computes

$T_{A}' = T ° T_{A}$

$F_{A}' = F_{A} ° T$

$v_{A}' = F_{A}' ° T_{A}' (e)$

The affine $T$ should be kept secret by $A$ . $A$ sends $(T_{A}', F_{A}', v_{A}')$ and the warrant $(w, θ)$ to $B$ through an authenticated channel, where $w = (p k_{A}, p k_{B}, t)$ and $t$ is a time period which denotes that $w$ is valid in time $t$ , and $θ$ is a signature on $w$ generated by $A$ using our proposed signing algorithm, that is, $θ = Sign (w, s k_{A})$ .

ProxyKeyGen: Let $s_{B} = T_{B} (e)$ , after receiving $(T_{A}', F_{A}', v_{A}', w, θ)$ , $B$ selects a random bijective affine transformation $T'$ and computes

$s_{p} = T'^{- 1} ° T_{A}' (e)$

$F_{p} = F_{A}' ° T'$

$v_{p} = v_{A}'$

Let $p k_{p} = (F_{p}, v_{p}), s k_{p} = s_{p}$ . Then $s k_{p}$ is a private key for ordinary signature, and the corresponding public key is $p k_{p}$ , that is because the following equality holds

$\begin{matrix} F_{p} (s_{p}) = F_{A}' ° T' ° T'^{- 1} ° T_{A}' (e) \\ = F'_{A} ° T ° T_{A} (e) \\ = v_{A}' = v_{p} \end{matrix}$

Then $B$ computes a signature $σ_{prx}$ by running

$σ_{prx} = Sign ((w, θ, p k_{p}), s k_{B})$ (15)

and sets $s k_{p}$ as the proxy signing key that $B$ uses to generate proxy signatures on behalf of $A$ , and sets $p k_{p}$ and $(w, θ, p k_{p}, σ_{prx})$ as the proxy verifying key.

ProxySign: Suppose $M$ is the message to be signed. This algorithm generates a proxy signature on the message $M$ by user $B$ .

User $B$ applies $L_{1 p}$ , $L_{2 p}$ and the central map $F_{p}$ to the basic MPKC signature algorithm described in Algorithm 1 to generate the signature $σ$ on $M$

$σ = Sign (H (M), s k_{p})$ (16)

Then the proxy signature on message $M$ by user $B$ is $(σ, (w, θ, P_{A}', σ_{prx}))$ .

ProxyVerify: On input $(M, σ, (w, θ, P'_{A}, σ_{prx}))$ , anyone can verify the validity of the proxy signature by executing this algorithm. This algorithm includes the following steps:

Check the validity of $θ$ on $w$ by running Verify with $p k_{A}$ : $Verify ((w, P'_{A}), θ, p k_{A}) =^{?} true$ . If it is ture, goto the next step. Otherwise, output 0.

Check the validity of $σ$ on message $M$ by running Verify with $P'_{A}$ : $Verify (M, σ, P'_{A}) =^{?} true$ . If it is true, output 1. Otherwise, output 0.

The verifier accepts the proxy signature if and only if the three conditions of ProxySign are all true. Otherwise, the verifier rejects the proxy signature.

Practical implementation for Proxy-MQ

After the changes, it is easy to see that we modify the randomly selected vector into an invertible transformation and a public known random vector, so the scheme is based not only on MQ problem, but also on IP problem. In contrast to Sakumoto et al.,¹⁶ we suggest to use a determined system for the MQ-based signature scheme (i.e. $m = n$ ). The reason for this is that a greater number of variables does not increase the security of this scheme.³⁵ And we propose for the scheme the parameters $k = GF (2), (m, n) = (84, 84), r = 193$ , where $r$ is the number of the signer gathers the commitments in our modified MQ signature scheme.

A toy example and deployment in real distributed scenario

To illustrate how our proxy signature scheme works, we propose a toy example for Proxy-UOV in this section (others are similar). The following example comes from our running test on Magma.³⁶

In our toy example, we choose the parameter of Proxy-UOV as $q = 2^{2}, m = 2, n = 4, o = 2, v = 2$ .

First, we set the private key of user $A$ is $s k_{A} = (F_{A}, T_{A})$ , the public key $p k_{A} = P_{A}$ , the private key and public key of user $B$ are $s k_{B} = (F_{B}, T_{B})$ and $p k_{B} = P_{B}$ , respectively

$F_{A} = (\begin{matrix} x_{1} x_{3} + a^{2} x_{2} x_{4} + x_{3}^{2} + x_{4}^{2} \\ a^{2} x_{1} x_{4} + x_{3} x_{4} + x_{4}^{2} \end{matrix})$

$T_{A} (x_{1}, x_{2}, x_{3}, x_{4}) = (\begin{matrix} 1 & α & α^{2} & 0 \\ α^{2} & α^{2} & α & 1 \\ α^{2} & 0 & α^{2} & α \\ α & 0 & 1 & 1 \end{matrix}) (\begin{matrix} x_{1} \\ x_{2} \\ x_{3} \\ x_{4} \end{matrix})$

$P_{A} = (\begin{matrix} x_{1}^{2} + α x_{1} x_{2} + x_{1} x_{3} + x_{1} x_{4} + α^{2} x_{2} x_{3} \\ + x_{2} x_{4} + α^{2} x_{3} x_{4} + x_{4}^{2} \\ α^{2} x_{1}^{2} + α x_{1} x_{2} + α x_{1} x_{3} + α^{2} x_{1} x_{4} + x_{2} x_{3} \\ + x_{2} x_{4} + α^{2} x_{3} x_{4} + α^{2} x_{4}^{2} \end{matrix})$

$F_{B} = (\begin{matrix} α x_{1} x_{3} + α x_{2} x_{4} + x_{2} x_{3} + α x_{3}^{2} + x_{3} x_{4} + x_{4}^{2} \\ x_{1} x_{4} + α^{2} x_{2} x_{3} + x_{3} x_{4} \end{matrix})$

$T_{B} (x_{1}, x_{2}, x_{3}, x_{4}) = (\begin{matrix} α & 1 & α & α \\ α^{2} & α & 0 & 1 \\ 0 & α & 0 & α \\ 1 & α^{2} & 0 & 1 \end{matrix}) (\begin{matrix} x_{1} \\ x_{2} \\ x_{3} \\ x_{4} \end{matrix})$

$P_{B} = (\begin{matrix} x_{1}^{2} + α x_{1} x_{2} + α^{2} x_{1} x_{3} + α x_{1} x_{4} + α^{2} x_{2}^{2} \\ + α x_{2} x_{3} + α x_{3} x_{4} + x_{4}^{2} \\ α x_{1}^{2} + x_{1} x_{2} + α x_{1} x_{3} + x_{1} x_{4} + x_{2} x_{3} \\ + α x_{3} x_{4} + x_{4}^{2} \end{matrix})$

where $P_{A} = F_{A} ° T_{A}$ , $P_{B} = F_{B} ° T_{B}$ .

Delegate: $A$ randomly chooses a bijective affine transformation $T$ as follows

$T (x_{1}, x_{2}, x_{3}, x_{4}) = (\begin{matrix} 0 & α & 0 & 0 \\ α & α & 1 & 1 \\ 0 & 0 & α^{2} & α \\ 0 & 0 & α & 0 \end{matrix}) (\begin{matrix} x_{1} \\ x_{2} \\ x_{3} \\ x_{4} \end{matrix})$

Then $A$ computes $T_{A}' = T ° T_{A}$ , $F_{A}' = F_{A} ° T_{A}'$ , and $P_{A}' = F_{A}' ° T_{A}'$ . The results are

$T'_{A} (x_{1}, x_{2}, x_{3}, x_{4}) = (\begin{matrix} 1 & 1 & α^{2} & α \\ α & α & 0 & 1 \\ 1 & 0 & 0 & α^{2} \\ 1 & 0 & 1 & α^{2} \end{matrix}) (\begin{matrix} x_{1} \\ x_{2} \\ x_{3} \\ x_{4} \end{matrix})$

$F'_{A} = (\begin{matrix} α x_{1} x_{3} + α^{2} x_{2} x_{3} + α^{2} x_{2} x_{4} + x_{3} x_{4} + α^{2} x_{4}^{2} \\ α x_{2} x_{3} + α x_{3}^{2} + α^{2} x_{3} x_{4} \end{matrix})$

$P'_{A} = (\begin{matrix} α x_{1} x_{2} + x_{1} x_{3} + α x_{1} x_{4} + x_{2} x_{3} + x_{2} x_{4} \\ + α^{2} x_{3}^{2} + α^{2} x_{3} x_{4} + x_{4}^{2} \\ α x_{1}^{2} + α^{2} x_{1} x_{2} + α^{2} x_{1} x_{3} + α x_{3} x_{4} + α^{2} x_{4}^{2} \end{matrix})$

In addition, $A$ generates a warrant $w = (p k_{A}, p k_{B}, t)$ (assume that $H (w) = (0, α)$ ), signs it using the regular UOV signing algorithm, and gets $θ = Sign (H (w), s k_{A}) = (0, 0, α, 1)$ ,

Finally, $A$ sends $(T_{A}', F_{A}', P_{A}')$ and the warrant $(w, θ)$ to $B$ through an authenticated channel.

ProxyKeyGen: Afterreceiving $(T_{A}', F_{A}', P_{A}', w, θ$ , $B$ first checks the validity of $P_{A}', θ$ by checking $P'_{A} = F'_{A} ° T'_{A}$ and $Verify (w, θ, p k_{A}) = P_{A} (0, 0, α, 1) = (0, α)$ . Then $B$ selects a random bijective affine transformation $T'$ and computes $T_{p} = T'^{- 1} ° T_{A}'$ , and $F_{p} = F_{A}' ° T'$ , where

$T' (x_{1}, x_{2}, x_{3}, x_{4}) = (\begin{matrix} 1 & α & α^{2} & 1 \\ α^{2} & α^{2} & 0 & α^{2} \\ 0 & 0 & 0 & α \\ 0 & 0 & α & α^{2} \end{matrix}) (\begin{matrix} x_{1} \\ x_{2} \\ x_{3} \\ x_{4} \end{matrix})$

$T_{p} (x_{1}, x_{2}, x_{3}, x_{4}) = (\begin{matrix} 1 & 0 & α & 1 \\ 1 & α^{2} & α & 1 \\ α & 0 & α^{2} & 1 \\ α^{2} & 0 & 0 & α \end{matrix}) (\begin{matrix} x_{1} \\ x_{2} \\ x_{3} \\ x_{4} \end{matrix})$

$F_{p} = (\begin{matrix} α x_{1} x_{3} + x_{1} x_{4} + α^{2} x_{2} x_{4} + α x_{3}^{2} + α x_{3} x_{4} + x_{4}^{2} \\ α x_{1} x_{4} + α x_{2} x_{4} + α x_{3} x_{4} \end{matrix})$

Let $s k_{p} = (F_{p}, T_{p})$ , and $p k_{p} = P_{A}'$ . Then $s k_{p}$ is a private key for ordinary signature, and the corresponding public key is $p k_{p}$ .

Assume the hash value of $(w, θ, P'_{A})$ is $(α, α)$ , $B$ computes a signature $σ_{prx}$ by running

$σ_{prx} = Sign (H (w, θ, P'_{A}), s k_{B}) = (1, 1, 1, α)$

and sets $s k_{p}$ as the proxy signing key that $B$ uses to generate proxy signatures on behalf of $A$ , and sets $p k_{p}$ and $(w, θ, P'_{A}, σ_{prx})$ as the proxy verifying key.

ProxySign: Suppose $H (M) = (0, α^{2})$ is the message to be signed.

User $B$ generates the signature $σ$ on $M$ using the proxy key $s k_{p}$

$σ = Sign (H (M), s k_{p}) = (α^{2}, 0, α, α)$

Then the proxy signature on message $M$ by user $B$ is $(σ, (w, θ, P_{A}', σ_{prx}))$ .

ProxyVerify: On input $(M, σ, (w, θ, P'_{A}, σ_{prx}))$ , a verifier $V$ can verify the validity of the proxy signature by executing this algorithm. This algorithm includes the following steps:

1. Compute $P_{A} (θ) = (0, α)$ and check whether it is equal to $H (w)$ . Since it is true, go to the next step.

2. Compute $P_{B} (σ_{prx}) = (α, α)$ and check whether it is equal to $H (w, θ, P'_{A})$ . Since it is true, go to the next step.

3. Compute $P'_{A} (σ) = (0, α^{2})$ and check whether it is equal to $H (M)$ . Since it is also valid, the algorithm outputs 1.

In addition, let us consider a communication scenario in a distributed sensor network and see how we can deploy our proxy scheme into this scenario. To develop a secure communication in a distributed sensor network, sensors digitally sign the data (i.e. the message $M$ ) and communicate to a server. It is expected that the server must be convinced to the authenticity of the sender (i.e. sensor deployed in the distributed network) and the sender (i.e. sensor) must also be convinced to the authenticity of the receiver (i.e. server). To develop such authentication method, a designated receiver delegation method is the most promising. In this method, the deploying authority (DA) (server administrator or network developer) delegates its signing power to sensor and also designates the trained professional as a receiver. Thus, DA is original signer, sensor is a proxy signer and the server is designated receiver. As shown in the above toy example, in this scenario, the DA is acting as $A$ , the sensors are acting as $B$ , and finally, it can generate a proxy signature on message $M$ as $(σ, (w, θ, P_{A}', σ_{prx}))$ . Finally, the server is acting as a verifier $V$ and thus can convince to the authenticity of the sensors.

Performance and comparisons of our proxy signature schemes

The complexity and running time of each procedure of our proxy signature schemes, and comparison with Tang’s scheme²⁴ (the only proxy scheme of MPKC we have known) and Mambo’s scheme³⁰ (the first proxy scheme), Hu–Zhang (HZ) scheme³⁷ (an improved efficient secure proxy scheme) is shown in Table 1. We set the parameters in HZ scheme³⁷ with $(n = 2, t = 1)$ . From Table 1, we can see that the proxy signature generation and the proxy signature verification of our schemes are more efficient than Tang’s schemes in Table 1. According to recent research result, the time of generating a large prime is more than 20 times than that of generating a system of polynomials, and an exponentiation evaluation costs about half times than an evaluation operation, while choosing proper parameters with security level more than 80 bits. So, in this situation, all our schemes and Tang’s scheme²⁴ have better initialization time and verify process time than that of Mambo’s scheme³⁰ and HZ scheme.³⁷

Table 1.

Computing complexity requirements by ours and compared with other schemes.

	Proxy-UOV	Proxy-Rainbow	Proxy-MQ
Initialization	$O (2 n^{2} + 2 m n^{2})$	$\begin{matrix} O (2 m^{2} + 2 n^{2} + \\ 2 m n^{2}) \end{matrix}$	$O (2 n^{2} + 2 m n^{2})$
Proxy share generation	$O (3 n^{3} + 2 m n^{2} + n^{2} + S)$	$\begin{matrix} O (3 m^{3} + 4 n^{3} + \\ 4 m n^{2} + 2 uS) \end{matrix}$	$\begin{matrix} O (2 n^{3} + 3 m n^{2} + \\ 2 round \cdot m n^{3}) \end{matrix}$
Proxy signature generation	$O (n^{3} + n^{2} + S)$	$\begin{matrix} O (m^{3} + n^{3} + n^{2} + \\ uS) \end{matrix}$	$O (round \cdot m n^{3})$
Signature verify	$O (3 n)$	$O (3 n)$	$O (3 round \cdot m n^{3})$
	Tang’s scheme²⁴	Mambo’s scheme³⁰	HZ scheme³⁷
Initialization	$O (2 m^{2} + 2 n^{2} + 2 m n^{2})$	$\begin{matrix} 2 T_{p} + T_{e} + T_{m} \approx \\ O (2 \log (n_{r}) + \\ n_{rsa} \log (n_{r}) + n_{r}^{2}) \end{matrix}$	$\begin{matrix} 2 T_{p} + 5 T_{e} + 2 T_{m} \approx \\ O (2 \log (n_{r}) + \\ 5 n_{rsa} \log (n_{r}) + \\ 2 n_{r}^{2}) \end{matrix}$
Proxy share generation	$\begin{matrix} O (5 m^{3} + 5 n^{3} + \\ 5 m n^{3} + 3 qm n^{3}) \end{matrix}$	$T_{e} + T_{m} \approx O (n_{r} \log (n_{r}) + n_{r}^{2})$	$6 T_{e} + 4 T_{m} + T_{H} \approx O (6 n_{r} \log (n_{r}) + 4 n_{r}^{2} + \log (n_{h}))$
Proxy signature generation	$O (qm n^{3})$	$T_{e} \approx O (n_{r} \log (n_{r}))$	$4 T_{e} + 6 T_{m} + 2 T_{H} \approx O (4 n_{r} \log (n_{r}) + 6 n_{r}^{2} + 2 \log (n_{h}))$
Signature verify	$O (3 qm n^{3})$	$2 T_{e} + T_{m} \approx O (2 n_{r} \log (n_{r}) + n_{r}^{2})$	$5 T_{e} + 3 T_{m} + 2 T_{H} \approx O (5 n_{r} \log (n_{r}) + 3 n_{r}^{2} + 2 \log (n_{h})$

UOV: Unbalanced Oil and Vinegar; MQ: multivariate quadratic; RSA: Rivest–Shamir–Adleman; HZ: Hu–Zhang.

Notation for Table 1: $u, m, n$ : the number of layers, polynomials, and variables in a scheme, respectively; $S$ : average time required by a Gaussian Elimination function to solve linear equations; $q$ : the length of output bits of the hash function for Tang scheme;²⁴ $round$ : the iterative rounds for MQ-based signature; $T_{p}, T_{e}, T_{m}, T_{H}$ : the time for generating a large prime, one exponentiation computation, one modular multiplication computation, and hash function computation, respectively; $n_{r}, n_{h}$ : the size of the public key in a secure RSA scheme and the size of a secure hash function, respectively.The running time of our proposed Proxy-UOV and Proxy-Rainbow schemes (using our suggested parameters) compared with Mambo’s scheme³⁰ and HZ scheme³⁷ (2048 bits) is shown in Table 2. From the experiments’ results, we can see that our schemes’ proxy signature generation time is between RSA and elliptic curve cryptography (ECC), while the initialization and verifying time are much faster than both of them. Consequently, even though our scheme is a bit slower than the proxy share generation time, but it is applicable in real life.

Table 2.

Running time requirements by Proxy-UOV and Proxy-Rainbow and compared with other schemes.

	Proxy-UOV	Proxy-Rainbow	Mambo scheme	HZ scheme
Initialization (ms)	$19, 376$	$11, 912$	$404, 277$	$443, 885$
Proxy share generation (ms)	$52, 301$	$30, 691$	$141$	$10, 245$
Proxy signature generation (ms)	$187$	$61$	$47$	$4502$
Signature verify (ms)	$31$	$16$	$249$	$3646$

UOV: Unbalanced Oil and Vinegar; HZ: Hu–Zhang.

While running in Magma, the memory will be overflowed when using the suggested parameters of Proxy-MQ and Tang’s scheme in Tang and Xu,²⁴ we have to modify the parameter to formulate the running time ( $(n = 42, m = 42, q = 2, round = 2)$ for Proxy-MQ, $(n = 42, m = 42, q = 2, round = 2)$ for Tang’s scheme), and the result is shown in Table 3.

Table 3.

Running time requirements by Proxy-MQ and compared with Tang scheme.

	Proxy-MQ	Tang’s scheme
Initialization (ms)	$24, 043$	$24, 328$
Proxy share generation (ms)	$92, 008$	$122, 873$
Proxy signature generation (ms)	$30, 521$	$48, 642$
Signature verify (ms)	$74, 215$	$75, 832$

MQ: multivariate quadratic.

From the result shows, the proxy signature scheme based on MQ is slightly more efficient than Tang’s scheme²⁴ and is a promising proxy scheme by taking into account its post-quantum property in multivariate cryptography.

Conclusion

A general proxy signature scheme based on MPKC signature scheme is proposed, which invokes three number of times of the underlying signature scheme, and can satisfy all the security requirement of a proxy scheme. Through formal security analysis, our general scheme is proved to be cured on Existential Unforgeability under an Adaptive Chosen Message Attack with Proxy Key Exposure assuming that the underlying MPKC signature is Existential Unforgeability under an Adaptive Chosen Message Attack. Thereafter, we propose three practical proxy schemes based on three promising MPKC schemes: UOV, Rainbow, and MQ-based scheme. Although the security of the underlying MPKC is still an open problem, the method to construct our proxy scheme and the method to formally prove the security of our proxy scheme are good exploration in the area of MPKC.

In the future work, we plan to construct other primitives based on multivariate signature scheme, such as identity-based signature, forward secure signature, and so on.

Footnotes

Handling Editor: José Camacho

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: This work is supported by the Key Areas Research and Development Program of Guangdong Province under Grant 2019B010139002,National Natural Science Foundation of China under Grant 61972094,National Natural Science Foundation of China under Grant 61902079,and the project of Guangzhou Science and Technology (Grant 201902020006 and 201902020007).

ORCID iD

Jiageng Chen

References

Varadharajan

Allen

Black

. An analysis of the proxy problem in distributed systems. In: Proceedings of the 1991 IEEE computer society symposium on research in security and privacy, Oakland, CA, 20–22 May 1991, pp.255–275. New York: IEEE.

Park

Lee

. A digital nominative proxy signature scheme for mobile communication. In: Proceedings of the international conference on information and communications security, Xi’an, China, 13–16 November 2001, pp.451–455. Berlin; Heidelberg: Springer.

Leiwo

Hnle

Homburg

, et al. Disallowing unauthorized state changes of distributed shared objects. In: Proceedings of the IFIP international information security conference, Beijing, China, 22–24 August 2000, pp.381–390., Boston, MA: Springer.

Foster

Kesselman

Tsudik

, et al. A security architecture for computational grids. In: Proceedings of the 5th ACM conference on computer and communications security, San Francisco, CA, November 1998, pp.83–92. New York: ACM.

Bakker

Van Steen

Tanenbaum

. A law-abiding peer-to-peer network for free-software distribution. In: Proceedings of the 2001 IEEE international symposium on network computing and applications, Cambridge, MA, 8–10 October 2001, pp.60–67. New York: IEEE.

Shor

PW.

Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput 1997; 26: 1484–1509.

Bernstein

DJ.

Introduction to post-quantum cryptography. In: Bernstein

Buchmann

Dahmen

(eds) Post-quantum cryptography. Heidelberg: Springer, 2009, pp.1–14.

NIST CSRC: Cryptographic Technology Group. Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, 2016, https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

Matsumoto

Imai

. Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Proceedings of the 7th international workshop on the theory and application of cryptographic techniques (EUROCRYPT’08), Davos, 25–27 May 1988, pp.419–453. Berlin: Springer

10.

Patarin

. The oil and vinegar signature scheme. In: Dagstuhl workshop on cryptography, Schloss Dagstuhl, 22–26 September 1997. Dagstuhl.

11.

Courtois

. Generic attacks and the security of Quartz. In: Desmedt

(ed.) Proceedings of the 6th international workshop on practice and theory in public key cryptography (PKC 2003), Miami, FL, 6–8 January 2003. Berlin: Springer, 2003, pp.351–364.

12.

Kipnis

Patarin

Goubin

. Unbalanced oil and vinegar signature schemes. In: Proceedings of the 18th annual international conference theory and application of cryptographic techniques (EUROCRYPT’99), Prague, 2–6 May 1999, pp.206–222. Berlin: Springer.

13.

Bulygin

Petzoldt

Buchmann

Towards provable security of the unbalanced oil and vinegar signature scheme under direct attacks. In: Gong

Gupta

(eds) Progress in Cryptology—INDOCRYPT 2010, lecture notes in computer science, 6498. Berlin; Heidelberg: Springer, 2010, pp.17–32.

14.

Sakumoto

Shirai

Hiwatari

. On provable security of UOV and HFE signature schemes against chosen-message attack. In: Proceedings of the 4th international conference on post-quantum cryptography (PQCrypto’2011), Taipei, Taiwan, 29 November—2 December 2011, pp.68–82. Berlin: Springer.

15.

Bellare

Rogaway

. The exact security of digital signatures-how to sign with RSA and Rabin. In: Proceedings of the 15th annual international conference on theory and application of cryptographic techniques (EUROCRYPT’06), Saragossa, 12–16 May 1996, pp.399–416. Berlin: Springer.

16.

Sakumoto

Shirai

Hiwatari

. Public-key identification schemes based on multivariate quadratic polynomials. In: Proceedings of the 31st annual international cryptology conference (CRYPTO’ 2011), Santa Barbara, CA, 14–18 August 2011, pp.706–723. Berlin: Springer.

17.

Faugère

J-C

Perret

Ryckeghem

DualModeMS: a dual mode for multivariate-based signature 20170918 draft (First round submission to the NIST post-quantum cryptography call). November 2017, https://www-polsys.lip6.fr/Links/NIST/DualModeMS_specification.pdf

18.

Casanova

Faugère

J-C

Macario-Rat

, et al. GeMSS: a great multivariate short signature (First round submission to the NIST post-quantum cryptography call), November 2017, https://www-polsys.lip6.fr/Links/NIST/GeMSS_specification.pdf

19.

Petzoldt

Chen

M-S

Yang

B-Y

, et al. Design principles for HFEV-based multivariate signature schemes. In: Proceedings of the 21th international conference on the theory and application of cryptology and information security (ASIACRYPT’2015), Auckland, New Zealand, November 29–December 3 2015, pp.311–334. Berlin: Springer.

20.

Beullens

Preneel

Field lifting for smaller UOV public keys. In: Patra

Smart

(eds) International conference in cryptology in India—INDOCRYPT 2017, LNCS, vol. 10698. Heidelberg: Springer, 2017, pp.227–246.

21.

Chen

M-S

Hülsing

Joost

, et al. From 5-pass MQ-based identification to MQ-based signatures. In: Advances in cryptology—ASIACRYPT 2016, LNCS, vol. 10032. Heidelberg: Springer, 2016, pp.135–165.

22.

Ding

Schmidt

. Rainbow a new multivariable polynomial signature scheme. In: Proceedings of the 3th international conference on applied cryptography and network security (ACNS’2005), New York, 7–10 June 2005, pp.164–175. Berlin: Springer.

23.

Peretz

On multivariable encryption schemes based on simultaneous algebraic Riccati equations over finite fields. Finite Fields Th App 2016; 39: 1–35.

24.

Tang

Towards provably secure proxy signature scheme based on isomorphisms of polynomials. Future Gener Comp Sy 2014; 30: 91–97.

25.

Petzoldt

Bulygin

Buchmann

A multivariate based threshold ring signature scheme: applicable algebra in engineering. Commun Comput 2013; 24: 255–275.

26.

Chen

Tang

, et al. Online/offline signature based on UOV in wireless sensor networks. Wirel Netw 2017; 23: 1719–1730.

27.

Petzoldt

Szepieniec

Mohamed

MSE

. A practical multivariate blind signature scheme (Cryptology ePrint Archive, Report2017/131), 2017, http://eprint.iacr.org/2017/131

28.

El Bansarkhani

Mohamed

MSE

Petzoldt

. MQSAS: a multivariate sequential aggregate signature scheme. In: Proceedings of the 19th international conference on information security (ISC 2016), Honolulu, HI, 3–6 September 2016, pp.426–439. Cham: Springer.

29.

Verma

Singh

Bandwidth efficient designated verifier proxy signature scheme for healthcare wireless sensor networks. Ad Hoc Netw 2018; 81: 100–108.

30.

Mambo

Usuda

Okamoto

Proxy signatures: delegation of the power to sign messages. IEICE T Fund Elec Commun Comp Sci 1996; 79: 1338–1354.

31.

Fiat

Shamir

. How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko

(ed.) Proceedings of the 6th annual international cryptology conference (CRYPTO’06), Santa Barbara, CA. Berlin: Springer, 1987, pp.186–194.

32.

Schuldt

Matsuura

Paterson

. Proxy signatures secure against proxy key exposure. In: Proceedings of the 11th international conference on theory and practice of public key cryptography (PKC 2008), Barcelona, 9–12 March 2008, pp.141–161. Berlin: Springer.

33.

Petzoldt

Bulygin

Buchmann

. Linear recurring sequences for the UOV key generation. In: Proceedings of the 14th international conference on theory and practice of public key cryptography (PKC 2011), Taormina, 6–9 March 2011, pp.335–350. Berlin: Springer.

34.

Petzoldt

Bulygin

Buchmann

A multivariate signature scheme with a partially cyclic public key. In: Gong

Gupta

(eds) Proceedings of SCC. Berlin: Springer, 2010, pp.33–48.

35.

Patarin

Goubin

. Trapdoor one-way permutations and multivariate polynomials. In: Proceedings of the 1st international conference on information security and cryptology (ICISC 1997), Beijing, China, 11–14 November 1997, pp.53–66. Berlin: Springer.

36.

Bosma

Cannon

Playoust

The Magma algebra system I: the user language. J Symb Comput 1997; 24: 235–265.

37.

Zhang

Cryptanalysis and improvement of a threshold proxy signature scheme. Comp Stand Inter 2009; 31: 169–173.