Printer Friendly

Design and Implementation of a Mobile Voting System Using a Novel Oblivious and Proxy Signature.

1. Introduction

In recent years, network transactions for applications such as Internet auctions and banking have increased greatly. Network and mobile security technologies [1-6] play important roles in protecting users' privacy. In this regard, digital signatures have attracted considerable attention. By using public-key cryptography, a signer can sign a message using his or her private key, which is owned only by the signer, to create a digital signature for the message. Then, any verifier can validate the correctness of this signature by using the signer's public key.

However, it is necessary to protect the privacy of signature receivers in some situations, such as the contents of signed message in a digital cash system or the choices from candidates in an e-voting situation. In 1983, Chaum [7] introduced a blind signature scheme to offer blindness which protects the signee's privacy. In 2013, Nayak et al. [8] proposed a blind signature scheme based on an elliptic curve discrete logarithm problem. In 2005, Rabin [9] introduced the concept of oblivious transfer. In 1994, Chen [10] proposed the concept of oblivious signatures and considered two types of oblivious signature schemes. In 2008, Tso et al. [11] provided formal definitions and security requirements for an oblivious signature scheme. In 2012, Chou [12] proposed a more efficient and secure fc-out-of-n oblivious transfer scheme.

In 1996, Mambo et al. [13] proposed the concept of proxy signature. Various proxy signature schemes have been proposed [14, 15]. In 2000, Lin and Jan [16] proposed the first proxy blind signature scheme that combines the functionalities of both proxy signatures and blind signatures. In 2002, Tan et al. [17] proposed a proxy blind signature scheme; however, in 2003, Lal and Awasthi [18] showed this scheme to be insecure and further proposed a new scheme that is secure and more efficient than Tan et al.'s scheme. In 2013, Yang and Liang [19] proposed a new proxy blind signature scheme that allows revocation.

For electronic voting systems, in 2001, Ray and Narasimhamurthi [20] introduced an online anonymous electronic voting protocol that allows a voter to cast his or her ballot anonymously by exchanging untraceable authentic messages. In 2013, Pan et al. [21] proposed an electronic voting scheme that is based on the ring signature and is resistant to a clash attack. Several schemes with delegated voting functionality have been proposed. In 2013, Zwattendorfer et al. [22] proposed a proxy voting scheme that allows a voter to delegate his or her voting power to a proxy who actually casts the ballots for all represented voters. Norway has used an Internet-based voting protocol for some years, and the vote privacy and correctness of this scheme have been demonstrated [23]. In 2016, Kulyk et al. [24] proposed a new coercion-resistant proxy voting scheme by extending the coercion-resistant JCJ/Civitas theme, aiming to prevent direct voter coercion, delegation coercion, and proxy coercion. They also proposed a new proxy voting scheme [25] to extend the Helios voting system [26] with delegated voting functionality. In 2017, Cohensius et al. [27] considered a social choice problem and demonstrated that the mechanism using proxy voting better approximates the optimal outcome.

1.1. Motivation. Compared with a blind signature scheme, a oblivious signature scheme used in e-voting provides one more property: ambiguity in selected messages. A signer cannot find out which message a voter has selected while signing the messages, but the signer can be certain that the message the voter chooses is one of the predetermined messages; otherwise, the signature would not be accepted by a verifier. Therefore, in oblivious signature systems, which differ from blind signature schemes, the limited signed contents can prevent potential malicious users from obtaining valid signatures of some candidates for unauthorized purposes.

In addition, because each unit of a group (such as each state of a country, each county of a state, each campus of a school, or each approved bank of a group) may use different methods to authorize their members (using different keys), polling booths with proxy ability are required. Additional benefits include reducing the load at voting centers and avoiding network jams. Moreover, the mobility of the voting functionality allows people to vote from anywhere using their mobile devices, thereby making the electronic voting system more convenient.

The goal in this research is a design of novel schemes which combine oblivious and proxy signatures and extend the designed schemes to an electronic voting system which provides the following properties: mobility, instant voting, proxy signer, completeness, unforgeability, unlinkability, undeniability, accuracy, distinguishability, ambiguity, nonduplication, eligibility, verifiability, fairness, and privacy, where fairness means that no one can know the current total number of votes received by every candidate before the end of the voting period.

1.2. Our Contribution. In this paper, based on the Schnorr signature [28], we propose two novel 1-out-of-n blind (oblivious) and proxy signature schemes that combine the advantages of oblivious signatures and proxy signatures and satisfy the security properties of these two signature schemes. One of the proposed proxy oblivious schemes is of the proxy-unprotected type and the other is of the proxy-protected type. Based on our schemes, we also propose an anonymous electronic voting system with proxy signer. By using the concept proposed in [29], we conduct security analyses and performance comparisons. The results showed that our scheme has good performance and is efficient. Finally, we implement the voting system on Android mobile phones to prove that our scheme is workable. This paper extends the research [30], which presents the concept of 1-out-of-n oblivious and proxy signature schemes of proxy-unprotected type without the voting system application, security analyses and formal proofs, and mobile phone implementation.

2. Related Works

In this section, we present two representative protocols that are relevant to our scheme: oblivious signature and proxy signature.

2.1. Oblivious Signature. In 1983, Chaum [7] introduced a blind signature scheme. Compared with a normal signature, a blind signature offers an additional property, blindness, that provides it with the ability to protect the signee's privacy. In a blind signature scheme, a signee could get a message's digital signature signed by a signer without revealing any information about the message. This is vital in some applications such as electronic payment systems and secure voting systems [3135],because the requester's messages maybe sensitive. Nayak et al. [8] also proposed a blind signature scheme based on an elliptic curve discrete logarithm problem.

In 2005, Rabin [9] introduced the concept of oblivious transfer. In this protocol, a sender sends some subsets of some messages but does not know what the receiver has received. Thus, the receiver can get the particular message he or she wants without revealing any information about the message to the sender. In 2012, Chou [12] proposed a more efficient and secure k-out-of-n oblivious transfer scheme.

In 1994, Chen [10] proposed the concept of oblivious signatures. He considered two types of oblivious signature schemes. The first one comprises n keys and one message; the receiver can get a message signed with one of n keys that are chosen by him or her while the signers cannot know which key has been used for the signature by the receiver. The second one comprises n messages and one key; a signee can choose one predetermined message to get signed while not revealing any information about the selected message to the signer. In contrast to blind signatures, oblivious signatures can guarantee that the signed message is actually one of the predetermined messages; therefore, if the receiver were to submit some additional messages, the signature would not be accepted by the scheme.

In 2008, Tso et al. [11] noted that Chen's proposal does not crisply formalize the notion and security properties of the scheme. Consequently, they provided formal definitions and security requirements for an oblivious signature scheme, including completeness, unforgeability, and ambiguity, and proposed a 1-out-of-n oblivious signature agreement based on Schnorr's blind signature [28]. They also improved the scheme's performance. The preceding properties render oblivious signatures very suitable for electronic voting applications.

In their scheme [11], it first creates a normalized definition for the oblivious signature agreement and proposes the following properties to ensure security:

(1) Completeness: as long as the recipient and the signer can implement the agreement honestly, once the agreement is completed the recipient can obtain the signed message.

(2) Unforgeability: despite the algorithm being publicly published, attackers still have difficulty creating a forged signature within an acceptable time frame.

(3) Ambiguity in selected messages: the signer is unable to determine the recipient's selection.

This system provides for three roles, namely, the signer, the recipient, and the verifier. The operation proceeds through three phases, namely, initiation, signing, and verification. Figure 1 shows their scheme and the steps in this scheme are as follows.

(1) System Initiation Phase. In this phase, the signer generates public parameters and a pair of asymmetric keys for use in the following process.

The signer first establishes security parameter [1.sup.k] to input into the system to establish the algorithm G, which can be used to obtain the public parameters for the agreement.

(A) p, q are two large prime numbers, and q | (p - 1).

(B) g, h [[member of].sub.R] [Z.sup.*.sub.p] are two parameters with order q.

(C) H() is a hash function.

The signer also selects a random number x [[member of].sub.R] [Z.sup.*.sub.p] as a private key to calculate the public key y = [g.sup.x] mod p.

(2) Signing Phase. This phase explains how the recipient obtains the signature value from the signer's signature (see Figure 1).

Step 1. Assume the recipient wants to obtain the signature value for message [member of] {[m.sub.2], [[m.sub.m], ..., [m.sub.n]}. First, the recipient selects r [[member of].sub.R] [Z.sup.*.sub.p], then calculates c = [g.sup.r][h.sup.l] mod p, and then transmits c and {[m.sub.1], [[m.sub.2], ..., [m.sub.n]} to the signer.

Step 2. After the signer receives these, he selects random numbers [k.sub.i] [[member of].sub.R] [Z.sup.*.sub.p], i = 1, 2, ..., n, using [k.sub.i] to calculate [mathematical expression not reproducible] mod p followed by [[??].sub.i] = H([m.sub.i], [K.sub.i]c/[(gh).sup.i] mod p) and uses private key x to obtain [mathematical expression not reproducible] mod q for the signed message. Finally, [mathematical expression not reproducible], is transmitted to the recipient.

Step 3. Once the recipient has received [mathematical expression not reproducible] he/she then calculates [[delta].sub.i] = [g.sup.(r-i)], [h.sup.(l-i)] mod p, i = 1, 2, ..., n, and verifies [mathematical expression not reproducible] to determine whether it satisfies [mathematical expression not reproducible], where only the lth message initially selected by the recipient will be successfully verified.

Step 4. The successful verification [mathematical expression not reproducible] is then used to calculate [mathematical expression not reproducible]. Finally, we obtain the m{s signature value [sigma]([m.sub.l]) = (e, s).

(3) Verification Phase. This phase explains how the verifier verifies the correctness of the signature obtained by the recipient (see Figure 3).

Step 1. The recipient sends the obtained signature value [sigma]([m.sub.l]) and the selection to the verifier.

Step 2. After the verifier obtains ([m.sub.l], [sigma]([m.sub.l])), he/she deter? mines whether ([m.sub.l], [sigma]([m.sub.l])) satisfies e [??] H([m.sub.l], [g.sup.s][y.sup.e] mod p). If it does, this represents that the signature obtained by the recipient is genuine.

Note that, in Step 2 of signing phase, the signer cannot learn which message is selected by the recipient; this is called the ambiguity of the protocol. Moreover, in Step 2 of verification phase, unless the selected message [m.sub.l] is one of the elements of [m.sub.i], the signature will not be accepted by a verifier. This protocol ensures that a signee's message is one of the predetermined messages, which is one of the features of an oblivious signature scheme.

2.2. Proxy Signature. Although the aforementioned signature schemes seem practical, they are unsuitable for applications in which the signers are not always available. To overcome this problem, in 1996, Mambo et al. [13] proposed the concept of proxy signature. Various proxy signature schemes have been proposed [14,15]. Such schemes consist of three entities: an original signer, a proxy signer, and a signee. The original signer can delegate his or her signing power to one or more proxy signers to enable them to sign messages submitted on his or her behalf. Mambo et al. discussed two types of proxy signature schemes: proxy unprotected and proxy protected.

Proxy-unprotected proxy signatures include two cases: full delegation and partial delegation. In full delegation, the original signer gives his or her private key to the proxy signer to sign messages; therefore, the original signer takes full responsibility for the signatures produced by the proxy signer. In partial delegation, the original signer creates a proxy signature key using his or her private key and securely forwards it to the proxy signer; then, the proxy signer uses this proxy signature key to sign messages on the original signer's behalf.

Proxy-protected proxy signature schemes allow the original signer to use his or her private key to create a proxy signature key and securely forward it to the proxy signer. The proxy signer computes a new proxy signature signing key--which contains both the original signer's original proxy signature signing key and the private key of the proxy signer--and then signs messages using the new proxy signature key. Therefore, the original signer and proxy signer share the responsibility for the valid proxy signatures generated by the proxy signer. Both of these schemes afford security properties such as verifiability, unforgeability, and undeniability.

For example, the president of a company could ask his or her reliable secretary (using the proxy-unprotected signature scheme) or employee (using the proxy-protected signature scheme) to sign some important documents on his or her behalf. Then, if some illegal situation arises in relation to the proxy signature, the employee's privacy can be uncovered while the secretary's privacy cannot.

Moreover, delegation can be categorized as full delegation, partial delegation, and delegation by warrant, as follows:

(1) Full delegation: the proxy signer obtains a copy of the original signer's signature key to produce a proxy signature value identical to the signature of the original signer.

(2) Partial delegation: the proxy signer's signature key is obtained through a calculation based on the original signer's private key. However, the proxy signature key cannot be used to obtain information related to the original signer's private key. Partial delegation can be categorized as one of two types: proxy-unprotected or proxy-protected. In the former, the original signer and proxy signer can both provide valid proxy signatures. In the latter, only the proxy signer can provide a valid proxy signature.

(3) Delegation by warrant: a warrant based on the original signer's signature is used to validate the proxy signer's signing authority. The proxy signer's authorization message and proxy signature content is included in the proxy signature and the verifier is-used to determine the legitimacy of the authorization.

The original signer first delegates his/her signing rights to one or more proxy signers, so that the proxy signers can sign a message in the name of the original signer. Each type of the scheme, proxy unprotected or proxy protected, has to satisfy three security requirements.

(1) Verifiability: the proxy signature created by the proxy signer can convince anyone of the permission from the original signer.

(2) Unforgeability: only the authorized proxy signers can sign a valid signature; this cannot be done even by the original signer.

(3) Undeniability: neither the proxy signer nor the original signer can deny the signature they created after the signature creation.

The earliest proxy signature scheme (Figure 2) (proposed by Mambo et al. [13]) is a proxy signature of the proxy-unprotected type for the ElGamal scheme [36]. The steps in this scheme are as follows.

(1) Key Generation Phase. In this phase, the system generates two primes and a pair of keys, public and private keys, for use in the following process.

Step 1. Choose two large prime numbers p, q such that q | (P - 1).

Step 2. Select random numbers g [member of] [Z.sup.*.sub.p] such that [Ord.sub.p] g = q.

Step 3. Each of the original signer and the proxy signer choose a random number x [[member of].sub.R] [Z.sup.*.sub.p] as their private keys.

Step 4. Each of the original signer and the proxy signer compute y = [g.sup.x] mod p as their public keys.

(2) Proxy Phase

Step 1. The original signer chooses a random number k [[member of].sub.R] [Z.sup.*.sub.p-1].

Step 2. The original signer computes K = [g.sup.k] mod p.

Step 3. The original signer calculates [sigma] = x + kK mod(p - 1) and sends [sigma] to the proxy signer via a secure channel.

Step 4. After receiving a, the proxy signer checks whether

[g.sup.[sigma]] [??] [yK.sup.K] mod p is correct. If it is, the proxy signer accepts delegation.

(3) Signing Phase. After receiving a message m from a requestor, the proxy signer processes the follow steps.

Step 1. Choose a random number r [[member of].sub.R] [Z.sup.*.sub.p-1].

Step 2. Compute R = [g.sup.r] mod p.

Step 3. Evaluate s = [r.sup.1] (m - R[sigma])mod(p - 1) and send signature (R, s, K) to the requestor.

(4) Verification Phase. After receiving a message (m, (R, s, K)) from the requestor, a verifier checks the validation of the signature via the following verification equation: [g.sup.m] [??] [([yK.sup.K]).sup.R][R.sup.s] mod p.

Note that [mathematical expression not reproducible]

3. System Goal and Security Requirements

In this section, we define the attacker model, propose two new signature schemes, and present one electronic voting system based on the proposed signature schemes.

3.1. Attacker Model for Signature Scheme. The proposed signature schemes consist of four entities: an original signer A, a proxy signer B, a receiver R, and a verifier V. In our scheme, we assume the channels between A and B are secure. Any identity (i.e., R or V) communicates with B via an insecure public channel, offering adversaries opportunities to intercept. In the following, we present the assumptions of the attacker model [37, 38].

(1) An adversary may eavesdrop on all communications between protocol actors over the public channel.

(2) An attacker can modify, delete, resend, and reroute the eavesdropped message.

(3) An attacker cannot intercept a message over a secure channel.

(4) An attacker cannot be a legitimate original signer or proxy signer.

(5) The attacker knows the protocol description, which means the protocol is public.

3.2. Signature Scheme. We define the security properties of a proxy oblivious signature scheme as follows.

Definition 1 (security requirements of our signature scheme). Our signature scheme is secure if it achieves (1) completeness, (2) unforgeability, (3) unlinkability, (4) undeniability, (5) verifiability, (6) distinguishability, and (7) ambiguity.

The security requirements of our proposed scheme are listed as follows:

(1) Completeness: if all entities follow the protocol honestly, then, at the end of the protocol, R will obtain the valid signature a of the selected message.

(2) Unforgeability: in a proxy-unprotected type scheme, B can sign messages on behalf of A without taking responsibility for the signature. V can merely know that the signature is signed by some proxy delegated by A, and no one except B (or A) can produce a valid signature. In a proxy-protected type scheme, A and B share the responsibility for the signature, and only B can create a valid signature for R. Consequently, the proxy signing key is practically unbreakable, making it almost impossible for an attacker to create a valid signature.

(3) Unlinkability: B can identify neither the message nor the proxy signature he or she generates associated with the scheme after the signature is revealed when necessary.

(4) Undeniability: neither A nor B can deny the signature they have created after signature generation.

(5) Verifiability: the signature that R receives should be able to convince V of the agreement from A and B.

(6) Distinguishability: the proxy signature is distinguishable from a normal one.

(7) Ambiguity: B cannot find out which message R has selected while signing the messages, but B can be certain that the message he or she signs is one of the predetermined messages; otherwise, the signature would not be accepted by a verifier.

3.3. Attacker Model for Voting Scheme. The proposed electronic voting system consists of five entities: a creator A, a proxy creator B, a voter R, a voting center V, and a bulletin board BB. In our scheme, we assume the channels between A and B are secure. Any identity (i.e., R, V, or BB) communicates with B via an insecure public channel, offering adversaries opportunities to intercept. In the following, we present the assumptions of the attacker model [37,38].

(1) An adversary may eavesdrop on all communications between protocol actors over the public channel.

(2) An attacker can modify, delete, resend, and reroute the eavesdropped message.

(3) An attacker cannot intercept a message over a secure channel.

(4) An attacker cannot be a legitimate creator or proxy creator.

(5) The attacker knows the protocol description, which means the protocol is public.

3.4. Voting System. The proposed electronic voting system consists of five entities, A, B, R, V, and BB, which, in a practical situation, would correspond to a central government, a local government, a voter, a voting center computer, and a bulletin website, respectively. Anane et al. [39] present the core properties of the voting system and indicated that a viable e-voting system should possess (1) accuracy, (2) privacy (untraceability), (3) individual and universal verifiability,

(4) eligibility, and (5) fairness. Based on [39], we define the system requirements of the proposed electronic voting system as follows.

Definition 2 (system requirements of our electronic voting system). Our electronic voting system is secure if it achieves

(1) proxy completeness, (2) eligibility, (3) nonduplication, (4) fairness, (5) accuracy, (6) verifiability, and (7) privacy.

This system requirements of our electronic voting system are listed as follows:

(1) Proxy completeness: the proxy creator should not deny the fact that he or she has accepted the delegation from the creator.

(2) Eligibility: only voters who have the right to vote can participate in the voting event.

(3) Nonduplication: every legal voter is allowed to cast only one ballot.

(4) Fairness: before the end of the voting period, no one can know the current total number of votes received by every candidate.

(5) Accuracy: the validity of all ballots can be verified by using the proper public key.

(6) Verifiability: every voter should be able to confirm his or her voting condition and verify all other voters' ballots.

(7) Privacy: no one except for the voter can find out which candidate has been chosen, even at the end of voting.

4. Proposed Signature Scheme

Two types of proxy oblivious signature schemes are proposed: proxy-unprotected type and proxy-protected type. Each scheme includes four phases: (1) system setup phase,

(2) proxy phase (Figure 3), (3) signing phase (Figure 4), and (4) verification phase (Figure 5). Notation illustrates the notations used in the protocol.

4.1. Proxy-Unprotected Type. For a proxy-unprotected type scheme, our protocol is as follows.

(1) System Setup Phase

Step 1. Two large primes p, q [contains as member] q | (p - 1) are chosen.

Step 2. Two generators g, h [member of] [Z.sup.*.sub.p], where [Ord.sub.p] g = q and [Ord.sub.p] h = q, are chosen.

Step 3. The original signer A chooses [mathematical expression not reproducible].

Step 4. The proxy signer B chooses [mathematical expression not reproducible].

(2) Proxy Phase

Step 1 (commission generation). A randomly chooses [mathematical expression not reproducible].

Step 2 (proxy delivery). A securely forwards the pair (r, [s.sub.p]) to the proxy signer B and publishes [y.sub.p].

Step 3 (proxy verification). B checks whether [mathematical expression not reproducible] mod p holds. If it does, B accepts the proxy and uses [s.sub.p] as his or her secret proxy signature key.

(3) Signing Phase

Step 1. R decides n messages {[m.sub.1], [[m.sub.2], ..., [m.sub.n]} and then selects a message [m.sub.b] [member of] {[m.sub.1], [[m.sub.2], ..., [m.sub.n]}, randomly chooses v [[member of].sub.R] [Z.sup.*.sub.p], computes c = [g.sup.v][h.sup.-b] mod p, and finally sends the determined messages and c to B.

Step 2. For i = 1, 2, ..., n, B chooses n random numbers [mathematical expression not reproducible].

Step 3. For i = 1, 2, ..., n, R computes [[delta].sub.i] = c[(gh).sup.i] mod p and accepts the oblivious signature if and only if [mathematical expression not reproducible].

Step 4. To convert the oblivious signature into a generic signature, R lets [mathematical expression not reproducible] and computes [mathematical expression not reproducible]. The signature for [m.sub.b] is [sigma] = (e, s).

(4) Verification Phase. As shown in Figure 5, the verifier V accepts the signature a as a valid signature if and only if e = H([m.sub.b], [g.sup.s][y.sup.e.sub.p] mod p).

4.2. Proxy-Protected Type. For a proxy-protected type scheme, the signing phase and verification phase are the same as those in the case of a proxy-unprotected type scheme except for one more computation [y.sub.p] = [y'.sub.p] [y.sub.B] mod p (as shown in Figure 6). The proxy phase is modified as described subsequently.

(1) Proxy Phase

Step 1 (commission generation). A randomly chooses [mathematical expression not reproducible].

Step 2 (proxy delivery). A securely forwards the pair (r, [s.sub.A]) to the proxy signer B and publishes [y'.sub.p].

Step 3 (proxy verification). B checks whether [mathematical expression not reproducible] mod p holds. If it does, B accepts the proxy and computes [s.sub.p] = [s.sub.A] + [x.sub.B] mod q as his or her secret proxy signature key.

5. Proposed Voting System

5.1. System Overview. Based on the proposed signature scheme, our electronic voting system allows a creator (central government) to delegate one or more proxy creators (local government), and a voter can get a legal ballot from a proxy creator and send his or her vote to a verifier (center voting computer).

This system includes six phases: (1) system setup phase,

(2) proxy phase (Figure 8), (3) register phase (Figure 9), (4) circling phase (Figure 10), (5) voting phase (Figure 11), and (6) counting phase (Figure 12), as shown in Figure 7.

Step 1. The system first generates the required parameters.

Step 2a. The creator delegates his or her authority to a proxy creator.

Step 2b. The creator publishes the public key of the proxy creator to the bulletin.

Step 3a. The proxy creator examines whether the registrant is a legal voter; if so, he or she distributes a certificate to the voter.

Step 3b. The proxy creator publishes the certificate to the bulletin.

Step 3c. The voter checks whether he or she has registered successfully via the bulletin.

Step 4. The voter chooses a candidate and receives the signature on it from the proxy creator.

Step 5a. The voter casts his or her ballot and sends it to the voting center.

Step 5b. The voting center publishes a message about the ballot from the voter to the bulletin.

Step 5c. Every voter can confirm whether his or her ballot has been received by the voting center; if not, he or she can resend the ballot.

Step 6a. At the end of the voting period, the proxy creator forwards the decrypting key to the voting canter, and the voting center starts to verify and count the ballots.

Step 6b. The voting center publishes the voting result to the bulletin, where everyone can verify and count all ballots.

5.2. System Process. We assume that the system database already contains an identification list of legal voters and that the bulletin is read-only to all entities except for the authorities.

(1) System Setup Phase

Step 1. Two large primes p, q [contains as member] q | (p - 1) are chosen.

Step 2. Two generators g, h [member of] [Z.sup.*.sub.p], where [Ord.sub.p] = q and [Ord.sub.p] h = q, are chosen.

Step 3. The creator A chooses [mathematical expression not reproducible].

Step 4. The proxy creator B chooses [mathematical expression not reproducible].

Step 5. B chooses two large primes [p.sub.B], [q.sub.B].

Step 6. B computes [N.sub.B] = [p.sub.B] x [q.sub.B].

Step 7. B computes [phi]([N.sub.B]) = ([p.sub.B] - 1)([q.sub.B] - 1).

Step 8. B chooses [e.sub.B] [contains as member] GCD([e.sub.B], [phi]([N.sub.B])) = 1.

Step 9. B computes [d.sub.B] = [e.sup.-1.sub.B] mod [phi]([N.sub.B]).

(2) Proxy Phase

Step 1. A randomly chooses [mathematical expression not reproducible].

Step 2. A encrypts the pair ([r.sub.A], [s.sub.A]) using ([e.sub.B], [N.sub.B]), forwards it to B, and publishes [y'.sub.p].

Step 3. B decrypts ([r.sub.A], [s.sub.A]) using ([d.sub.B], [N.sub.B]) and checks whether [mathematical expression not reproducible] mod p holds. If it does, B accepts the proxy and computes [s.sub.p] = [s.sub.A] + [x.sub.B] mod q as his or her secret proxy signature key.

Step 4. B generates a signature [mathematical expression not reproducible] and forwards it to A.

Step 5. A checks whether [mathematical expression not reproducible] holds. If it does, he or she publishes [y'.sub.p], [y.sub.B] to the bulletin.

(3) Register Phase

Step 1. A voter R picks a pseudoname pn and a password pw, computes [H.sub.R] = H(pw), encrypts (id, pn, H(pw)) using ([e.sub.B], [N.sub.B]), and sends it to a proxy creator.

Step 2. B decrypts (id, pn, [H.sub.R]) using ([d.sub.B], [N.sub.B]) and checks whether R is a legal voter. If so, B stores (pn, [H.sub.R]) in the system database, sets flag(pn) = 0, calculates [mathematical expression not reproducible], returns Cert(R) to R, and publishes Cert(R) to the bulletin, where Cert(R) = (pn [e.sub.B], [s.sub.B]).

Step 3. R verifies whether [mathematical expression not reproducible] is correct. If so, he or she has the right to vote.

(4) Circling Phase

Step 1. B sends a random number r [[member of].sub.R] [Z.sup.*.sub.p] to R after receiving a login request from R.

Step 2. R computes [H'.sub.R] = H(H(pw),r), picks a random number v [[member of].sub.R] [Z.sup.*.sub.p], calculates c = [g.sup.v] [h.sup.-b] mod p ([m.sub.b] [member of] [[m.sub.1], [[m.sub.2], ..., [m.sub.n]}), and forwards (pn, [H'.sub.R], c) to B.

Step 3. B examines whether [H'.sub.R] = H([H.sub.R], r) is correct. If so, B checks whether flag(pn) = 0. If it holds, B chooses [mathematical expression not reproducible], and sets flag(pn) = 1.

Step 4. R computes [y.sub.p] = [y.sub.p][y'.sub.B] mod p, and, for every i = 1, 2, ..., n, he or she calculates [[delta].sub.i] = c[(gh).sup.i] mod p and checks whether [mathematical expression not reproducible] is correct. If so, R computes [mathematical expression not reproducible]. The final signature is [sigma]([m.sub.b]) = (e, s).

(5) Voting Phase

Step 1. R calculates H(H(pw), [e.sub.B]) and uses it as a symmetric key to encrypt ([m.sub.b], [sigma]([m.sub.b])), produces a cipher CR, and sends (Cert(R), [C.sub.R]) to the voting center.

Step 2. V first examines whether [mathematical expression not reproducible] holds. If so, V publishes (Cert(R), [C.sub.R]) to the bulletin.

Step 3. Every voter can check whether his or her ballot is received by the voting center via the bulletin. If it is not, the voter resends (Cert(R), [C.sub.R]).

(6) Counting Phase

Step 1. B forwards [key.sub.R] = H([H.sub.R], [e.sub.B]) to the voting center.

Step 2. V decrypts [C.sub.R] using the symmetric key [key.sub.R], publishes (Cert(R), [C.sub.R], [m.sub.b], [key.sub.R]) to the bulletin and calculates [y.sub.p] = [y'.sub.p] [y.sub.B] mod p, and verifies whether e = H([m.sub.b], pn, [g.sup.s][y.sup.e.sub.p] mod p) is correct. If so, the signature is valid and the ballot is counted.

Step 3. V publishes the voting result. Everyone can verify and count the ballots via the bulletin.

6. Security Analysis

In this section, we analyze our protocol according to the security requirements defined in Section 3.

6.1. Signature Scheme

(1) The Proposed Scheme Is Complete. Because the completeness of the signature [sigma] = (e, s) depends on the Schnorr signature [28], we only show the completeness of the oblivious signature generated in the signing phase. For any [mathematical expression not reproducible]. Therefore, the completeness of the proxy signature [sigma] = (e, s) is proved.

(2) Proxy Oblivious Signatures Are Unforgeable. Unforgeability can be proved via Definitions 3 and 5 and Theorems 4 and 6.

Definition 3 (DLP). Let [p.sub.1] be a large prime, [g.sub.1] be a primitive root modulo p, and y = [g.sub.1.sup.x] mod [p.sub.1], where [mathematical expression not reproducible]. If x can be evaluated from given y, [p.sub.1], and [g.sub.1], then we say discrete logarithm problem (DLP) can be solved (the probability of solving this problem is denoted as Pr(x | y, [p.sub.1], [g.sub.1]) = [[epsilon].sub.1]).

Theorem 4 (unforgeability). In our protocol, if a recipient can forge the signer's signature; then DLP can be solved.

Proof. In our scheme, assume an adversary tries to evaluate [s.sub.A] by eavesdropping [y'.sub.p]. Let [RO.sub.1] be a random oracle: input [y'.sub.p], p, and g to output [s.sub.A] (i.e., [RO.sub.1]([y'.sub.p], p, g) [??] [s.sub.A]). In Definition 3, let [y'.sub.p] [left arrow] x, p [left arrow] [p.sub.1], and g [left arrow] [g.sub.1] be input parameters of [RO.sub.1] and obtain output [s.sub.A]. Let y [left arrow] [s.sub.A], then y is evaluated. Therefore, Pr([s.sub.A] | [y'.sub.p], p, g) [less than or equal to] Pr(y | x, [p.sub.1], [g.sub.1]) = [[epsilon].sub.1], which means the discrete logarithm problem can be solved if [RO.sub.1] exists.

Definition 5 (DLP under known plaintext attack). Let [p.sub.1] be a large prime, [g.sub.1] be a primitive root modulo [mathematical expression not reproducible] can be evaluated from given [p.sub.1], [g.sub.1], ([x.sub.i], [y.sub.i]) and [y.sub.n+1], i = 1, 2, ..., n, then we say DLP under known plaintext attack can be solved (the probability of solving this problem is denoted as Pr([x.sub.n+1] | ([x.sub.i], [y.sub.i]), [y.sub.n+1], [p.sub.1], [d.sub.1]) = [[epsilon].sub.2]).

Theorem 6 (unforgeability under replay attack). In our protocol, if a recipient can forge the signer's signature from given n pairs ([y'.sup.(i).sub.P], [s.sup.(i).sub.P]), i = 1, 2, ..., n, then DLP under known plaintext attack can be solved.

Proof. In our scheme, assume an adversary tries to evaluate [s.sup.(i+1).sub.A] from eavesdropped ([y'.sup.(i).sub.P], [s'.sup.(i).sub.A]) and [y'.sup.(n+1).sub.P], i = 1, 2, ..., n. Let [RO.sub.2] be a random oracle: input ([mathematical expression not reproducible] be input parameters of [RO.sub.2] and obtain output [s.sup.(i+1).sub.A]. Let [x.sub.n+1] [left arrow] [s.sup.(i+1).sub.A]; then [x.sub.n+1] is evaluated. Therefore, Pr([s.sup.(i+1).sub.A] | ([y'.sup.(i).sub.P] [s.sup.(i).sub.A]), [y'.sup.(n+1).sub.P], p, g) [less than or equal to] Pr([x.sub.n+1] | ([x.sub.i], [y.sub.i]), [y.sub.n+1], [p.sub.1], [g.sub.1]) = [[epsilon].sub.2] which means the DLP under known plaintext attack can be solved if [RO.sub.2] exists.

(3) Proxy Oblivious Signatures Are Unlinkable. In the signing phase, because B receives the disguised selection c of the message [m.sub.b], he or she cannot find out the selection of R. Moreover, because the blinding factor v is required during the conversion of the oblivious signature [mathematical expression not reproducible], where v is known only by R, B cannot make a linkage between the signature and R's selection. Thus, we can conclude that B can discover neither the message nor the proxy signature associated with the protocol after the signature is verified.

(4) Proxy Oblivious Signatures Are Undeniable. Owing to the unforgeability of the proxy oblivious signature, B cannot repudiate any proxy signature produced by him or her.

(5) Proxy Oblivious Signatures Are Verifiable. In the verification phase, V checks whether the equation [mathematical expression not reproducible]. Therefore, the signature can be verified by all verifiers.

(6) Generated Signatures Are Distinguishable. Evidently, by using different congruences to check the validity of the original signatures and the proxy signatures, everyone can easily distinguish the proxy signature from a normal signature.

(7) The Proposed Scheme Provides Ambiguity of the Message Selected by R; That Is, It Provides Perfect Security for R. If an attacker [A.sub.1] takes the place of B, [A.sub.1] needs to obtain b, where c = [g.sup.v][h.sup.-b] mod p, v [[member of].sub.R] [Z.sup.*.sub.q], because we know that, for every b of any c, there exists [v.sub.i] such that [mathematical expression not reproducible]. Finally, we conclude that the probability of [A.sub.1] getting the correct b is 1/n, which achieves theoretical security.

6.2. Voting System

(1) Delegation from Creator Is Complete. In the proxy phase, B signs the proxy public key [y'.sub.p] using his or her private key [x.sub.B] and passes the signature [s.sub.A,B] to A. Therefore, B cannot deny the fact that he or she has accepted the delegation from A.

(2) Eligibility. In the register phase, B checks whether R is a legal voter by his or her id. Therefore, only legal voters can get the certificate CERT(R) from B and participate in the voting event.

(3) Nonduplication. In the circling phase, B checks whether flag(pn) = 0. If it holds, it means that pn has not voted yet; otherwise, the process will be terminated. Consequently, every legal voter can cast at most one ballot.

(4) Fairness. In the voting phase, R encrypts his or her ballot using the symmetric key H(H(pw), [e.sub.B]) and sends it to the voting center. Therefore, no one can learn the current voting situation before the voting period is over.

(5) Accuracy. The validity of all ballots can be verified using the examining equation e = H([m.sub.b], pn, [g.sup.s][y.sup.e.sub.p] mod p).

(6) Verifiability. In the voting phase, every voter can check his or her own ballot via the bulletin, and the ballot cannot be modified by anyone. Furthermore, in the counting phase, every voter can verify and count all other voters' ballots on the bulletin.

(7) Privacy. In the circling phase, owing to the ambiguity of the proxy oblivious signature, no one can learn a voter's selection from c = [g.sup.v][h.sup.-b] mod p. In the voting phase, R encrypts his or her ballot using the key H(H(pw), [e.sub.B]) before casting it to V, and, therefore, no one can obtain his or her plain ballot. Finally, in the counting phase, because every selected candidate on the bulletin corresponds to a pseudoname pn, no one can discover which person has made the selection.

7. Comparison

This section presents a comparison of our scheme against other related schemes, including blind signature [8], proxy signature [13], oblivious signature [10, 11], and proxy blind signature [19]. Tables 1,2, and 3 present the computation cost, communication cost, and ability comparison, respectively. Because modular exponentiation is the most significant computational operation, we denote its time cost as "[T.sub.ex]" and ignore the other operations in the schemes.

Compared with other related schemes, our scheme provides the most abilities with a low increment in computation cost. Furthermore, the communication cost is no higher than that of other oblivious signature schemes.

In the proxy phase, B processes 2[T.sub.ex] to examine whether [mathematical expression not reproducible] mod p holds (see asterisk in Table 1). In the signing phase, B processes n[T.sub.ex] to calculate [mathematical expression not reproducible] mod p for i = 1, 2, ..., n. For [[delta].sub.i] = c[(gh).sup.i] mod p, B may compute [[delta].sub.i] by letting [[delta].sub.0] = c and generate [[delta].sub.i] = [[delta].sub.t-1] (gh) mod p for i = 1, 2, ..., n. Consequently, the computation cost is n modular multiplication rather than n[T.sub.ex].

8. Implementation

This section demonstrates an application of an anonymous mobile electronic voting with proxy signer implemented on smartphones. Figure 13 shows a flowchart of this system. In this system, it is assumed that any signer who is asked for his or her public key responds with his or her real public key immediately and that the requester would receive this public key at once. Tables 4,5, and 6 present the average computation times of each role in each phase, the average communication times of each communication direction in each phase, and the average computation and communication times in each phase, respectively, where PP, RP, CiP, VP, and CoP stand for proxy phase, register phase, circling phase, voting phase, and counting phase. The steps in this system are as follows.

Step 1. On the main page (Figure 14(a)), users are allowed to select a role and enter a pseudoname (Figure 14(b)). An original signer first runs the procedure and waits for proxy signers (Figure 14(c)).

Step 2. A proxy signer runs Step 1 and selects a detected original signer to request delegation (Figure 14(d)).

Step 3. The original signer selects the proxy signer on the request list to process the delegation (Figure 14(e)).

Step 4. After verifying the correctness of the delegation, the proxy signer sets the voting issue (Figure 14(f)) and starts waiting for verifiers (Figure 14(g)).

Step 5. A verifier runs Step 1 and waits for a proxy signer to send him a voting event (Figure 14(h)).

Step 6. The proxy signer selects a verifier to send the voting event (Figure 14(i)) and starts holding the event (Figure 14(j)).

Step 7. A receiver selects "Voter" on the main page and chooses a detected voting event (Figure 14(k)).

Step 8. The receiver votes for a candidate and presses the "Vote" button (Figure 14(l)) to send his or her vote to the proxy signer. Then, he or she receives a proxy oblivious signature and sends the extracted signature to the verifier by pressing the "Send" button (Figure 14(m)).

Step 9. The verifier keeps collecting votes (Figure 14(n)) until the proxy signer ends the voting event by pressing the "End Event" button shown in Figure 14(j).

Step 10. After the end of the voting event, the verifier starts verifying the collected votes and displays the voting result (Figure 14(o)).

9. Conclusion

We first construct 1-out-of-n proxy oblivious signature schemes of proxy-unprotected and proxy-protected types and discuss their security requirements. The proposed schemes combine the advantages of a proxy signature and an oblivious signature and satisfy the security properties of both signatures, including completeness, unforgeability, unlinkability, undeniability, verifiability, distinguishability, and ambiguity. Compared with related schemes, our schemes provide extra proxy ability and perform well in terms of both complexity and usability. Finally, an anonymous proxy electronic voting application is implemented on smartphones based on the proposed scheme.
Nomenclature

Notation

A:                     The original signer
B:                     The proxy signer
R:                     The recipient
V:                     The verifier
p, q:                  Two large prime numbers such that q | p-1
g, h:                  Two elements of [Z.sup.*.sub.p] of the same
                       order q
[Z.sup.*.sub.p]:       A set of the integers in {1, 2, ..., n - 1}
                       that are coprime to n
[Ord.sub.x]y:          The order of y modulo x
[[member of].sub.R]    A chosen random number x in [Z.sup.*.sub.q]
[Z.sup.*.sub.p]:
[x.sub.A]:             As private key
[y.sub.A]:             As public key
[s.sub.p]:             The signing key
n:                     The number of messages
[m.sub.i]:             The ith message
b:                     The value of the subscript of the selected
                       message [m.sub.b]
[sigma]:               The signature on [m.sub.b]
H(*):                  A public one-way hash function.

Symbols Used in Performance Analysis

A:                     The original signer
B:                     The proxy signer
R:                     The recipient
V:                     The verifier
p, q:                  Two large prime numbers such that q | p - 1
g, h:                  Two elements of [Z.sup.*.sub.p] of the same
                       order q
[x.sub.A]:             A's private key
[y.sub.A]:             A's public key
[s.sub.p]:             The signing key
n:                     The number of messages
[m.sub.i]:             The ith message
b:                     The value of the subscript of the selected
                       message [m.sub.b]
n:                     Number of candidate messages in
                       oblivious signature scheme (e.g., 10)
[T.sub.ex]:            Time cost of a modular exponentiation
                       operation
[l.sub.q]:             Length of the parameter q (e.g., 128 bits)
[l.sub.p]:             Length of the parameter p (e.g., 1024 bits)
[l.sub.H]:             Length of the output of hash function
                       (e.g., 128 bits)
[sigma]:               The signature on [m.sub.b]
H(*):                  A public one-way hash function.


https://doi.org/10.1155/2017/3075210

Disclosure

This article does not contain any studies with human participants or animals performed by any of the authors.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work is partially supported and funded by the Ministry of Science and Technology under Grant MOST 104-2221-E182-012 and by the CGMH project under Grant BMRPB46.

References

[1] J. Modic, R. Trapero, A. Taha, J. Luna, M. Stopar, and N. Suri, "Novel efficient techniques for real-time cloud security assessment," Computers & Security, vol. 62, pp. 1-18, 2016.

[2] A. V. Uzunov, "A survey of security solutions for distributed publish/subscribe systems," Computers & Security, vol. 61, pp. 94-129, 2016.

[3] A. V. Uzunov, E. B. Fernandez, and K. Falkner, "Security solution frames and security patterns for authorization in distributed, collaborative systems," Computers & Security, vol. 55, pp. 193-234, 2015.

[4] A. Castiglione, F Palmieri, U. Fiore, A. Castiglione, and A. De Santis, "Modeling energy-efficient secure communications in multi-mode wireless mobile devices," Journal of Computer and System Sciences, vol. 81, no. 8, pp. 1464-1478, 2015.

[5] T. Li, Z. Liu, J. Li, C. Jia, and K.-C. Li, "CDPS: a cryptographic data publishing system," Journal of Computer and System Sciences, vol. 89, pp. 80-91, 2016.

[6] Q. Shi, N. Zhang, and M. Merabti, "Fair signature exchange via delegation on ubiquitous networks," Journal of Computer and System Sciences, vol. 81, no. 4, pp. 615-631, 2015.

[7] D. Chaum, "Blind signatures for untraceable payments," Crypto, vol. 82, 1983.

[8] S. K. Nayak, B. Majhi, and S. Mohanty, "An ECDLP based untraceable blind signature scheme," in Proceedings of the Circuits, Power and Computing Technologies (ICCPCT), International Conference on. IEEE, pp. 829-834, India, March 2013.

[9] M. O. Rabin, "How to exchange secrets by oblivious transfer," IACR Cryptology ePrint Archive, vol. 2005, p. 187, 2005.

[10] L. Chen, "Oblivious signatures," in Computer Security-ESORICS 94, Lecture Notes in Computer Science 875, vol. 875 of Lecture Notes in Computer Science, pp. 161-172, Springer Berlin Heidelberg, Berlin, Heidelberg, 1994.

[11] R. Tso, T. Okamoto, and E. Okamoto, "1-out-of-n oblivious signatures," Information Security Practice and Experience, vol. 4991, pp. 45-55, 2008, Springer Berlin Heidelberg.

[12] J.-S. Chou, "A novel k-out-of-n oblivious transfer protocol from bilinear pairing," Advances in Multimedia, vol. 2012, Article ID 630610, 2012.

[13] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: delegation of the power to sign messages," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E79-A, no. 9, pp. 1338-1353, 1996.

[14] B. T. Lau, "Proxy signature schemes," in Proceedings of the 2006 1st IEEE Conference on Industrial Electronics and Applications, ICIEA 2006, Singapore, May 2006.

[15] H. Wang and R. Yan, "A code-based multiple grade proxy signature scheme," in Proceedings of the 2013 8th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2013, pp. 559-562, France, October 2013.

[16] W. D. Lin and J. K. Jan, "A security personal learning tools using a proxy blind signature scheme," in Proceedings of the Intl Conference on Chinese Language Computing, pp. 273-277, 2000.

[17] A. Z. Tan, Z. Liu, and C. Tang, "Digital proxy blind signature schemes based on DLP and ECDLP," MM Research Preprints, vol. 21, no. 7, pp. 212-217, 2002.

[18] S. Lal and A. K. Awasthi, "Proxy Blind Signature Scheme," Journal of Information Science and Engineering, vol. 72, 2003.

[19] F.-Y. Yang and L.-R. Liang, "A proxy partially blind signature scheme with proxy revocation," Journal of Ambient Intelligence and Humanized Computing, vol. 4, no. 2, pp. 255-263, 2013.

[20] I. Ray and N. Narasimhamurthi, "An anonymous electronic voting protocol for voting over the internet," Advanced Issues of E-Commerce and Web-Based Information Systems, Third International Workshop on IEEE, pp. 188-190, 2001.

[21] H. Pan, E. Hou, and N. Ansari, "RE-NOTE: An E-voting scheme based on ring signature and clash attack protection," in Proceedings of the 2013 IEEE Global Communications Conference, GLOBECOM 2013, pp. 867-871, USA, December 2013.

[22] B. Zwattendorfer, C. Hillebold, and P. Teufl, "Secure and privacy-preserving proxy voting system," in Proceedings of the 2013 IEEE 10th International Conference on e-Business Engineering, ICEBE 2013, pp. 472-477, UK, September 2013.

[23] S. Karda[section], M. S. Kiraz, M. A. Bingol, and F. Birinci, "Norwegian internet voting protocol revisited: ballot box and receipt generator are allowed to collude," Security and Communication Networks, vol. 9, no. 18, pp. 5051-5063, 2016.

[24] O. Kulyk, S. Neumann, K. Marky, J. Budurushi, and M. Volkamer, "Coercion-resistant proxy voting," in Proceedings of the 31st International Conference on ICT Systems Security and Privacy Protection, vol. 471, pp. 3-16, IFIP SEC, 2016.

[25] O. Kulyk, K. Marky, S. Neumann, and M. Volkamer, "Introducing proxy voting to Helios," in Proceedings of the 11th International Conference on Availability, Reliability and Security (ARES), pp. 98-106, Austria, September 2016.

[26] B. Adida, "Helios: Web-based open-audit voting," USENIX Security Symposium, vol. 17, pp. 335-348, 2008.

[27] G. Cohensius, S. Mannor, R. Meir, E. Meirom, and A. Orda, "Voting for better outcomes," in Proceedings of the 16th Conference on Autonomous Agents and MultiAgent Systems, pp. 858866, Sao Paulo, Brazil, 2017.

[28] C. P Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161-174, 1991.

[29] M. Bellare and P Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62-73, November 1993.

[30] C. Shin-Yan, W. Tsung-Ju, and C. Jiun-Ming, "1-out-of-n Proxy Oblivious Signature Schemes and its e-voting application," in Proceedings of the International Conference on Electronics Systems and Information Technology (ICESIT-15), pp. 10-14, 2015.

[31] E. Aljarrah, H. Elrehail, and B. Aababneh, "E-voting in Jordan: Assessing readiness and developing a system," Computers in Human Behavior, vol. 63, pp. 860-867, 2016.

[32] D. A. Lopez Garcia, "A flexible e-voting scheme for debate tools," Computers & Security, vol. 56, pp. 50-62, 2016.

[33] K. Vassil, M. Solvak, P. Vinkel, A. H. Trechsel, and R. M. Alvarez, "The diffusion of internet voting. Usage patterns of internet voting in Estonia between 2005 and 2015," Government Information Quarterly, vol. 33, no. 3, pp. 453-459, 2016.

[34] J. Dossogne and L. Frederic, "Blinded additively homomorphic encryption schemes for self-tallying voting," Journal of Information Security and Applications, vol. 22, pp. 40-53, 2015.

[35] N. Andras, A. Marta, and S. Peter, "Could on-line voting boost desire to vote?--Technology acceptance perceptions of young Hungarian citizens," Government Information Quarterly, vol. 33, no. 4, pp. 705-714, 2016.

[36] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," in Advances in Cryptology, vol. 196 of Lecture Notes in Computer Science, pp. 10-18, Springer, Berlin, Germany, 1985.

[37] S.-Y. Chiou, Z. Ying, and J. Liu, "Improvement of a privacy authentication scheme based on cloud for medical environment," Journal of Medical Systems, vol. 40, no. 4, article no. 101, pp. 1-15, 2016.

[38] S.-Y. Chiou, "Common friends discovery for multiple parties with friendship ownership and replay-attack resistance in mobile social networks," Wireless Networks, pp. 1-15, 2016.

[39] R. Anane, R. Freeland, and G. Theodoropoulos, "E-voting requirements and implementation," in Proceedings of the 9th IEEE International Conference on E-Commerce Technology; The 4th IEEE International Conference on Enterprise Computing, E-Commerce and E-Services, CEC/EEE 2007, pp. 382-389, Japan, July 2007.

Shin-Yan Chiou, (1,2,3) Tsung-Ju Wang, (1) and Jiun-Ming Chen (1)

(1) Department of Electrical Engineering, College of Engineering, Chang Gung University, 259 Wen-Hwa 1st Road, Kweishan, Taoyuan, Taiwan

(2) Department of Nuclear Medicine, Linkou Chang Gung Memorial Hospital, Taoyuan, Taiwan

(3) Center for Biomedical Engineering, Chang Gung University, Taoyuan, Taiwan

Correspondence should be addressed to Shin-Yan Chiou; ansel@mail.cgu.edu.tw

Received 2 August 2017; Revised 18 October 2017; Accepted 31 October 2017; Published 24 December 2017

Academic Editor: Georgios Kambourakis

Caption: Figure 1: Oblivious signature scheme.

Caption: Figure 2: Proxy signature scheme.

Caption: Figure 3: Proxy phase (proxy-unprotected type).

Caption: Figure 4: Signing phase.

Caption: Figure 5: Verification phase.

Caption: Figure 6: Proxy phase (proxy-protected type).

Caption: Figure 7: System diagram.

Caption: Figure 8: Proxy phase.

Caption: Figure 9: Register phase.

Caption: Figure 10: Circling phase.

Caption: Figure 11: Voting phase.

Caption: Figure 12: Counting phase.

Caption: Figure 13: Flowchart of voting application.

Caption: Figure 14: Data transfer.
Table 1: Computation cost comparison.

Scheme                 Original signer    (Proxy) signer

Yang and Liang [19]      [T.sub.ex]         4[T.sub.ex]
Chen [10]                    --            3n[T.sub.ex]
Tso et al. [11]              --            2n[T.sub.ex]
Proposed                 2[T.sub.ex]          (n + 2)
                                         [T.sub.ex.sup.*]

Scheme                       Receiver            Verifier

Yang and Liang [19]        2[T.sub.ex]          3[T.sub.ex]
Chen [10]              (2n + 10)[T.sub.ex]      8[T.sub.ex]
Tso et al. [11]         (2n + 2)[T.sub.ex]      2[T.sub.ex]
Proposed                (2n + 2)[T.sub.ex]      2[T.sub.ex]

Table 2: Communication cost comparison.

Scheme               A [right arrow] B           B [right arrow] R

Yang and           [l.sub.q] + [1.sub.H]      [l.sub.p] + [l.sub.q] +
  Liang [19]                                         [1.sub.H]
Chen [10]                    --              3n[l.sub.p] + n[l.sub.q]

Tso et al. [11]              --              n([l.sub.q] + [l.sub.H])
Proposed           [l.sub.p] + [l.sub.q]     n([l.sub.q] + [l.sub.H])

Scheme            R [right arrow] B        R [right arrow] V

Yang and              [l.sub.q]         [l.sub.q] + 2[l.sub.H]
  Liang [19]
Chen [10]             [l.sub.q]        7[l.sub.p] + [l.sub.q] +
                                               [1.sub.H]
Tso et al. [11]       [l.sub.p]          [l.sub.q] + [1.sub.H]
Proposed              [l.sub.p]          [l.sub.q] + [1.sub.H]

Table 3: Ability comparison.

Scheme                   Blindness     Ambiguity     Proxy ability

Nayak et al. [8]          [check]
Mambo et al. [13]                                       [check]
Yang and Liang [19]       [check]                       [check]
Chen [10]                 [check]       [check]
Tso et al. [11]           [check]       [check]
Proposed                  [check]       [check]         [check]

Table 4: Computation time (milliseconds).

Phase          PP                RP                CiP

Role       A        B        R        B        R        B
Time      42.4     31.5    22.85    19.55     31.2      31

Phase          VP           CoP

Role       R        V        V
Time      19.8    10.35    20.25

Table 5: Communication time (milliseconds).

Phase                         PP

Direction    A [right arrow] B   B [right arrow] A
Time               61.05               81.65

Phase                         RP

Direction    R [right arrow] B   B [right arrow] R
Time               32.1                42.8

Phase                                   CiP

Direction    B [right arrow] R   R [right arrow] B   B [right arrow] R
Time               44.45               38.75               47.2

Phase               VP                  CoP

Direction    R [right arrow] V   B [right arrow] V
Time               44.7                39.6

Table 6: Implementation time (milliseconds).

Phase                   PP       RP      CiP

Computation time       73.9     42.4     62.2
Communication time    142.7     74.9    130.4

Phase                   VP      CoP     Total

Computation time      30.15    20.25    228.9
Communication time     44.7     39.6    432.3
COPYRIGHT 2018 Hindawi Limited
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2018 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Research Article
Author:Chiou, Shin-Yan; Wang, Tsung-Ju; Chen, Jiun-Ming
Publication:Security and Communication Networks
Geographic Code:9TAIW
Date:Jan 1, 2018
Words:9586
Previous Article:Jammer Localization in Multihop Wireless Networks Based on Gravitational Search.
Next Article:Behaviors of High-Frequency Subscribers in Cellular Data Networks.
Topics:

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters |