Information Technology Reference
In-Depth Information
which the original query was sent. In both scenarios, the security requirement is
anycast server authenticity.
In this paper, we consider the problem of authentication in anycast commu-
nication, and we propose an authentication solution which is closely related to
the concept of
proxy signatures
. In the next section, we review related work in
the area of proxy signatures, and then we describe the anycast model. Next, we
describe the proposed scheme and discuss the security and complexity of the
scheme.
2 Related Work
Delegation of rights is a common practice in the real world. A manager of an
institution may delegate to one of his deputies the capability to sign on behalf
of the institution while he is on holiday. For electronic transactions, a similar
approach is needed to delegate the manager's digital signature to the deputy.
Proxy signature is a signature scheme where an original signer delegates
his/her signing capability to a proxy signer, and then the proxy signer creates
a signature on behalf of the original signer. When a receiver verifies a proxy
signature, he verifies both the signature itself and the original signer's delegation.
Mambo, Usuda and Okamoto (MUO) [6] were the first to introduce the concept
of proxy signature. They gave various constructions of proxy signature schemes
and their security analysis. Interested readers may refer to [6] for details.
Lee
et al.
[5] noticed that MUO does not satisfy the strong undeniability
property, i.e. a proxy signer can repudiate the fact that he has created the signa-
ture. Based on this weakness, they classified proxy signature schemes into strong
and weak ones according to undeniability property. In our solution, described
in the next section, we will apply a strong scheme from [9]. It is a variant of
the ElGamal-type digital signature (as described in [7]), which was obtained by
improving the scheme from [6].
The signature scenario may be described as follows. Let
p, q
be large primes
such that
q
divides (
p−
1) and let
g ∈
Z
p
=
GF
(
p
). Let
M
be the set of messages
(not necessary of uniform length) and
H
:
M
→
Z
p
be a hash function.
Initialization
(
signer
)
1. Chooses the secret key
x ∈
Z
p
2. Computes the key
y
=
g
x
(mod
p
) and makes it public.
(Thus
p, q, g, H
and
y
are public.)
To sign a message
M
Signer
Verifier
1. Computes
m
=
H
(
M
).
1. Computes
m
=
H
(
M
).
2. Computes
l
=
g
s
y
r
r
(mod
p
).
2. Chooses a random
k
.
3. Computes
r
=
mg
−k
(mod
p
)
3. Accepts (
M, s, r
)if
m
=
l.
4. Computes
s
=
k − rx
(mod
q
)
.
5. Sends (
M, s, r
) to the verifier.
