Security Analysis of a Paillier-Based Threshold Proxy Signature Scheme

Abstract

A (t, n)-threshold proxy signature scheme allows an original signer to delegate the signing capability to a group of n proxy members in such a way that any t or more than t proxy signers can generate a valid signature on behalf of the original signer. Recently, Ting et al. [1] proposed the first threshold proxy signature scheme from Paillier cryptosystem, and claimed that their construction is existentially unforgeable against chosen-message attacks and chosen-warrant attacks in the random oracle model. In this paper, however, we show that their scheme is insecure against a type II adversary who can access the secret key of the original signer, i.e., not only the proxy signers but also the original signer can generate a valid proxy signature. In addition, we analyze the causes of the attack and further discuss the possibility of avoiding the attack by improving the Ting et al.'s scheme.