Post quantum proxy signature scheme based on the multivariate public key cryptographic signature

Proxy signature is a very useful technique which allows the original signer to delegate the signing capability to a proxy signer, who then performs the signing operation. It finds wide application, especially in distributed environments where entities such as wireless sensors are short of computational power and need to be convinced of the authenticity of the server. Because few proxy signature schemes exist in post-quantum cryptography, in this article we investigate the proxy signature in the post-quantum setting so that it can resist potential attacks from quantum adversaries. A general multivariate public key cryptographic proxy scheme based on a multivariate public key cryptographic signature scheme is proposed, and a heuristic security proof is given for our general construction. We show that the construction can reach Existential Unforgeability under an Adaptive Chosen Message Attack with Proxy Key Exposure, assuming that the underlying signature scheme is Existentially Unforgeable under an Adaptive Chosen Message Attack. We then use our general scheme to construct practical proxy signature schemes for three well-known and promising multivariate public key cryptographic signature schemes. We implement our schemes and compare them with several previous constructions to show our efficiency advantage, which further indicates the potential application prospect in the distributed network environment.


Introduction
The ability of specified agents to carry out signing operations on behalf of the original signer is very attractive when the original signer is temporarily absent, short of computational power, and so on. Much previous research has shown that the proxy signature can be very helpful, especially for applications in environments such as wireless sensor networks, 1 Internet of things, 2 distributed shared object systems, 3 grid computing, 4 global distribution networks, 5 and so on. However, most of the previous constructions are based on hard problems of number theory such as integer factorization and discrete logarithm. According to Shor's algorithm, 6 Rivest-Shamir-Adleman (RSA) and some other algorithms based on number theory will be broken in polynomial time after the emergence of quantum computers. As a result, most traditional cryptosystems will eventually be broken.
To deal with the upcoming quantum computers, cryptographic researchers from different countries are beginning to devote themselves to exploring cryptosystems that can resist quantum computer attacks, that is, to researching post-quantum cryptography. 7 Post-quantum cryptography can be divided into five categories: code-based cryptography, lattice-based cryptography, hash-based cryptography, multivariate public key cryptography (MPKC), and isogeny-based cryptography. The National Institute for Standards and Technology (NIST) announced a formal call for proposals for post-quantum cryptography in fall 2016. 8 Thereafter, it formally provided the first round (round 1) submissions of post-quantum cryptographic standard protocols in December 2017.
The security of MPKC is based on solving a set of random quadratic multivariate equations over a finite field. So far, there is no evidence that quantum computers could solve this kind of problem efficiently. In addition, MPKC schemes are in general much more efficient than RSA in computation. But two drawbacks are obstacles to the use of MPKCs. The first one is the large key sizes. The second drawback is that the security of MPKCs relies both on the multivariate quadratic (MQ) problem and on the Isomorphism of Polynomials (IP) problem, so MPKC schemes are subject not only to direct attacks but also to structural attacks. This makes many MPKCs insecure, such as the Matsumoto-Imai scheme 9 and balanced Oil and Vinegar. 10 In this situation, a number of attempts have been made to tackle these two problems. For example, Courtois 11 studied provable security against key-only attack on Quartz, but the security against the chosen-message attack is unclear. Beyond these techniques, the Unbalanced Oil and Vinegar (UOV) scheme 12 is a well-known and deeply studied scheme in MPKC. Bulygin et al. 13 then presented an idea to reduce the public key size of the UOV signature scheme and provided provable security against direct attacks. Then, Sakumoto et al. 14 gave provable security of UOV against chosen-message attack, using the idea given in the study by Bellare and Rogaway, 15 which concatenates a random seed r with the signing message M so as to make the basic trapdoor one-way function of UOV become full domain hash (FDH). At Crypto 2011, Sakumoto et al. 16 proposed provably secure identification/signature schemes based on the MQ problem, which is a great improvement for the security of MPKCs.
According to NIST Computer Security Resource Center (CSRC): Cryptographic Technology Group, 8 MPKC is popular for its efficient signature schemes in the post-quantum cryptography (PQC) area, and its signature schemes are promising. As shown in the submissions, there are nine signature schemes, named double exponentiation with matrix exponent (DME), 8 DualModeMS, 17 GeMSS, 18 Gui, 19 Hi-MQ, lifted unbalanced oil and vinegar scheme (LUOV) 20 (a variant of UOV), multivariate quadratic digital signature scheme (MQDSS), 21 Rainbow, 22 and TPSig. 23 Among them, only Rainbow is an old scheme; the others were all published in the last 5 years. The best scheme is LUOV, which has a combined size of not more than 20 kB. However, it is the newest one and needs time to confirm its security. Another promising scheme is MQDSS, which is provably secure and has a relatively small key size. However, its resultant signature is too large compared with the original small message. Also, the running time of these two schemes is not fast, although speed is in fact the main advantage of MPKC schemes compared with other PQC schemes. Other schemes such as Rainbow are good in running time and security but suffer from large key size.
Also, multivariate signature schemes with special properties, such as proxy signature and ring signature, have been proposed. For example, Tang and Xu 24 proposed the first MPKC proxy signature scheme based on the problem of IP. Petzoldt et al. 25 proposed the first provable MPKC threshold ring signature scheme based on the result of Sakumoto et al. 14 Chen et al. 26 proposed the first online/offline signature based on UOV by utilizing the linear construction of the central map of UOV, so that the proposed scheme can be deployed in wireless sensor networks. In addition, the multivariate sequential aggregate signature scheme by Petzoldt et al. 27 and the multivariate blind signature scheme by El Bansarkhani et al. 28 have been proposed to enrich this area.
Proxy signature schemes are widely used as a communication solution in distributed sensor networks, such as the solution for healthcare wireless sensor networks in Verma et al. 29 In this article, we focus on developing multivariate signature schemes with special properties and investigate how to build an MPKC proxy scheme, and then we use this idea to build a series of MPKC proxy schemes based on current promising MPKCs (UOV, Rainbow, MQDSS). A highlight of our work is that the general proxy scheme is formally provably secure under the assumption that the underlying scheme is secure, so, being based on promising MPKC signature schemes, the practical proxy schemes resulting from the general construction are considered promising proxy MPKC schemes.
This article is structured as follows: First, we introduce how to build a general MPKC proxy scheme, specifically we give a formal proof for the general scheme assuming the underlying MPKC scheme is secure. Then we propose three practical proxy signature schemes: Proxy-UOV, Proxy-Rainbow, and Proxy-MQ. Next, we run some experiments to verify the security and efficiencies of our schemes. Finally, we draw a conclusion.

Preliminaries
In this section, we give the preliminaries of this article.

Proxy signature scheme
A proxy signature protocol allows an entity, called the original signer, to delegate another entity, called a proxy signer, to sign messages on its behalf, in case of temporary absence, lack of time or computational power, and so on. The first efficient proxy signature was introduced by Mambo et al. 30 A proxy signature scheme consists of the following algorithms: Setup, KeyGen, Delegate, ProxyKeyGen, ProxySign, ProxyVerify, where Setup and KeyGen correspond to those of an ordinary signature scheme $Q$ = (Setup, KeyGen, Sign, Verify). Assume $(pk_A, sk_A)$ and $(pk_B, sk_B)$ generated by KeyGen are the public/private key pairs of the original signer and the proxy signer, respectively. Delegate is a randomized algorithm for the delegation of signing right, that is, $u \leftarrow \mathrm{Delegate}(w, sk_A, pk_A)$ is run by the original signer. The input $w$ can be regarded as a warrant. In general, $w$ includes the original signer's public key $pk_A$, the proxy signer's public key $pk_B$, a delegated time period $t$, and other information. The ProxyKeyGen algorithm generates the proxy key $psk$ for the proxy signer. For a message $m$, the proxy signer can generate a proxy signature by ProxySign, that is, $s \leftarrow \mathrm{ProxySign}(m, (w, u), psk)$. Anyone who receives the proxy signature can verify the validity of the signature by ProxyVerify. ProxyVerify outputs 1 if the signature is valid; otherwise, it outputs 0.

MPKC signature scheme
Usually, an MPKC scheme over a finite field $k$ is defined as in which $F$ is a set of $m$ quadratic multivariate polynomials in $n$ variables, $L_1$ is an affine transformation from $\mathbb{F}_q^m$ to $\mathbb{F}_q^m$, and $L_2$ is an affine transformation from $\mathbb{F}_q^n$ to $\mathbb{F}_q^n$.
For an MPKC digital signature scheme, the setup algorithm $\mathrm{Setup}(1^{l})$ takes $1^{l}$ as input and then outputs the system parameter param which mainly contains $(q, n, m)$, and all the arithmetic operations hereafter are over this finite field.
The key generation algorithm KeyGen(param) takes param as input and then outputs $pk = P$ and $sk = (L_1, F, L_2)$.
The signing algorithm Sign(M, sk) is described in Algorithm 1.
Finally, the verification algorithm Verify(s, M, P) returns 1 if P(s) = M, otherwise returns 0.

Security model for MPKC signature scheme
We quantify the security of MPKC signature scheme from the idea in Bellare and Rogaway. 15 A signature scheme is said to be $(\epsilon, t, q_s)$-secure if an attacker, given the public key, allowed to run in time $t$, and allowed a chosen-message attack in which he or she can get $q_s$ legitimate message-signature pairs, can be successful in forging the signature of a new message with probability at most $\epsilon$.
Definition 1. We say that the MPKC signature scheme is $(\epsilon, t, q_s)$-secure if there is no forger $A$ who takes a public key generated through $(pk, \cdot) \leftarrow \mathrm{KeyGen}(1^{l})$, after at most $q_s$ signature queries, and $t$ processing time, then outputs a valid signature with probability at least $\epsilon$.

UOV and Rainbow
The UOV scheme is one of the earliest MPKC signature schemes. Even though its construction is very simple, it turns out to be one of the most secure MPKC schemes so far. Rainbow, however, is one of the most popular MPKC schemes and has seen rapid development in recent years. It could be regarded as an extension of UOV and has obvious advantages in efficiency and key size.
The central map $F$ of UOV is composed of a set of so-called Oil-Vinegar polynomials which have the following form In this polynomial, there are two kinds of variables: Oil variables ($x_i$) and Vinegar variables ($x'_j$). Once we assign a set of random values for Vinegar variables, the central map becomes a set of linear polynomials and can be easily inverted. When $v > o$, this scheme is called UOV scheme, the construction of a UOV scheme is as follows where $T$ is an affine translation from $\mathbb{F}_q^n$ to $\mathbb{F}_q^n$. The construction does not have to compose an invertible affine transformation on the left.
In the case of Rainbow, Rainbow is an extension of UOV scheme. It could be viewed as a multi-layer UOV scheme. Each layer is an independent UOV and each layer's variables (including Oil variables and Vinegar variables) are Vinegar variables of the next layer. Specifically, let us assume a Rainbow has $l$ layers. We use $v_i$ to represent the number of Vinegar variables of the $i$th layer and $o_i$ to represent the number of Oil variables of the $i$th layer. Then we have $v_{i+1} = o_i + v_i$ and $v_{l+1} = n$. Each layer's Vinegar variables set and Oil variables set are represented as $\{x_1, \ldots, x_{v_i}\}$, $\{x_{v_i+1}, \ldots, x_{v_i+o_i}\}$ and the $i$th layer's polynomials have the form of We can see that the above polynomial has the basic Oil-Vinegar polynomial form. Finally, the construction of a Rainbow scheme is given as follows

The MQ-based signature scheme
At CRYPTO 2011 Sakumoto et al. 16 presented a new identification scheme whose security is solely based on the MQ problem. In the scheme, every user chooses a vector $s \in \mathbb{F}_q^n$ as his secret key and computes his public key as $v = F(s) \in \mathbb{F}_q^m$. To identify himself to a verifier, he or she has to show that he or she indeed knows $s$ (without revealing any information about $s$). Thus, to create a zero-knowledge proof of the vector $s$, we need the polar form of the multivariate system $F$, which is defined as Note that $G(x, y)$ is bilinear in $x$ and $y$, the knowledge of $s$ is equivalent to knowing a tuple $(r_0, r_1, t_0, t_1, e_0, e_1)$ satisfying and $(t_0, e_1) = (r_0 - t_1, F(r_0) - e_1)$. The five-pass identification scheme between a prover and a verifier is as follows
1. The prover chooses randomly $t_0, r_0 \in_R \mathbb{F}_q^n$, $e_0 \in_R \mathbb{F}_q^m$, sets $r_1 = s - r_0$ and computes commitments $c_0 = \mathrm{Com}(r_0, t_0, e_0)$, $c_1 = \mathrm{Com}(r_1, G(t_0, r_1) + e_0)$ and then sends $(c_0, c_1)$ to the verifier.
2. The verifier chooses randomly a choice $a \in_R \mathbb{F}_q$ and sends $a$ to the prover.
3. After receiving $a$, the prover computes $t_1 = a r_0 - t_0$, $e_1 = a F(r_0)$ and then sends $(t_1, e_1)$ to the verifier.
4. The verifier chooses randomly the challenge $Ch \in_R \{0, 1\}$ and sends $Ch$ to the prover.
5. If $Ch = 0$, the prover sends $Rsp = r_0$ back; if $Ch = 1$, the prover sends $Rsp = r_1$ back.
6. If the verifier chooses 0 as the challenge $Ch$, he or she checks whether $c_0 = \mathrm{Com}(r_0, a r_0 - t_0, a F(r_0) - e_1)$ holds. If the verifier chooses 1 as the challenge $Ch$, he or she checks whether
This scheme has a cheating probability per round of 3/4 when $q = 2$. Therefore, one needs at least 133 rounds to reduce the impersonation probability to less than $2^{-80}$. Sakumoto et al. 16 propose for their five-pass schemes that $q = 2$, $n = 80$, $m = 80$ to achieve a security level of 80 bits.
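One round of the five-pass exchange above, written out in Python as an added example (not code from this article or from Sakumoto et al.). It assumes a toy field $q = 31$ with $n = m = 6$, SHA-256 as Com, and writes the verifier's choice $a$ as alpha; the pass-3 response $e_1 = a F(r_0) - e_0$ and both verifier checks are taken from the published Sakumoto et al. protocol, and all function and class names are hypothetical.

```python
import hashlib
import secrets

Q = 31        # toy field size (assumption; the parameters quoted above use q = 2)
N = M = 6     # toy dimensions, far below n = m = 80

def rand_vec(k):
    return [secrets.randbelow(Q) for _ in range(k)]

def gen_system():
    """Random F: F_q^n -> F_q^m with quadratic and linear terms, no constant."""
    quad = [[rand_vec(N) for _ in range(N)] for _ in range(M)]
    lin = [rand_vec(N) for _ in range(M)]
    return quad, lin

def F(system, x):
    quad, lin = system
    out = []
    for a, b in zip(quad, lin):
        val = sum(a[i][j] * x[i] * x[j] for i in range(N) for j in range(N))
        out.append((val + sum(bi * xi for bi, xi in zip(b, x))) % Q)
    return out

def add(x, y):
    return [(a + b) % Q for a, b in zip(x, y)]

def sub(x, y):
    return [(a - b) % Q for a, b in zip(x, y)]

def scale(c, x):
    return [(c * a) % Q for a in x]

def G(system, x, y):
    """Polar form G(x, y) = F(x + y) - F(x) - F(y), bilinear in x and y."""
    return sub(sub(F(system, add(x, y)), F(system, x)), F(system, y))

def com(*vecs):
    """Toy commitment: SHA-256 over the vectors (no blinding randomness)."""
    h = hashlib.sha256()
    for v in vecs:
        h.update(bytes(v) + b"\xff")
    return h.digest()

class Prover:
    """Holds a candidate secret s; honest when F(s) equals the public key v."""
    def __init__(self, system, s):
        self.system, self.s = system, s

    def commit(self):                      # pass 1
        self.r0, self.t0, self.e0 = rand_vec(N), rand_vec(N), rand_vec(M)
        self.r1 = sub(self.s, self.r0)
        c0 = com(self.r0, self.t0, self.e0)
        c1 = com(self.r1, add(G(self.system, self.t0, self.r1), self.e0))
        return c0, c1

    def respond_alpha(self, alpha):        # pass 3
        t1 = sub(scale(alpha, self.r0), self.t0)
        e1 = sub(scale(alpha, F(self.system, self.r0)), self.e0)
        return t1, e1

    def respond_ch(self, ch):              # pass 5
        return self.r0 if ch == 0 else self.r1

def verify(system, v, c0, c1, alpha, t1, e1, ch, rsp):
    if ch == 0:
        # rsp = r0: rebuild t0 and e0 from the pass-3 values and reopen c0
        t0 = sub(scale(alpha, rsp), t1)
        e0 = sub(scale(alpha, F(system, rsp)), e1)
        return c0 == com(rsp, t0, e0)
    # rsp = r1: rebuild G(t0, r1) + e0 from the public key v and reopen c1
    inner = scale(alpha, sub(v, F(system, rsp)))
    return c1 == com(rsp, sub(sub(inner, G(system, t1, rsp)), e1))

def run_round(system, v, prover, alpha, ch):
    """One round with the verifier's choices alpha (pass 2) and ch (pass 4) fixed."""
    c0, c1 = prover.commit()
    t1, e1 = prover.respond_alpha(alpha)
    return verify(system, v, c0, c1, alpha, t1, e1, ch, prover.respond_ch(ch))

def demo():
    system = gen_system()
    s = rand_vec(N)
    v = F(system, s)                       # public key v = F(s)
    wrong = rand_vec(N)
    while F(system, wrong) == v:           # constructed wrong secret, F(wrong) != v
        wrong = rand_vec(N)
    honest, impostor = Prover(system, s), Prover(system, wrong)
    return {
        "honest": all(run_round(system, v, honest, a, ch)
                      for a in range(Q) for ch in (0, 1)),
        "impostor_ch0": run_round(system, v, impostor, 5, 0),
        "impostor_ch1": run_round(system, v, impostor, 5, 1),
        "impostor_ch1_alpha0": run_round(system, v, impostor, 0, 1),
    }

if __name__ == "__main__":
    print(demo())
```

The result of demo() shows why a single round is not enough: a prover holding a wrong $s$ still opens $c_0$ correctly for every $Ch = 0$, and is caught on $Ch = 1$ only when $a \neq 0$, so the round has to be repeated to drive the impersonation probability down.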
Using the Fiat-Shamir paradigm, 31 anyone can transform the MQ identification scheme into a signature scheme, and a good example is the MQDSS 21 which is transformed from the five-pass MQ identification scheme. Below we give a short description of the MQ signature scheme. For the full description of the MQ scheme, we refer the reader to reference 21. The setup and key generation process for the signature scheme work just the same as in the identification scheme.
To generate a signature for a message $m$, the signer gathers the commitments for all rounds, creates the commitments , and then uses a hash function $H$ to produce the challenge vector $Ch$ and compute the corresponding responses $Rsp^{(1)}, \ldots, Rsp^{(round)}$. Finally, the signature is $s = (c_0^{(1)} \| c_1^{(1)} \| \ldots \| Rsp^{(round)})$. To verify the authenticity of a signature, the verifier parses $s$, computes the challenge vector $Ch$, and tests for each $i \in 1, \ldots, round$ if $Rsp_i$ is a correct response to

Security model for proxy signature
Schuldt et al. 32 presented the security notion Existential Unforgeability under an Adaptive Chosen Message Attack with Proxy Key Exposure (ps-uf-pke) for multilevel proxy signature schemes. Later, Tang and Xu 24 modified this notion for single-level proxy signature schemes and adopted it as the security model for a proxy signature. In the analysis of our proxy scheme, we also use this model, and we refer the reader to Tang and Xu 24 for more information about it. We summarize the security model for a proxy signature in the following. In our security model for proxy signature, the definition is the same as that in Tang and Xu. 24 The security model in Tang and Xu 24 uses only one list psklist to store the proxy keys generated by $C$, but it does not use lists to store the original signature queries and the proxy queries, which makes it ambiguous to count the number and kinds of oracle queries. So, in our security model, we use three initialized empty lists: OSList, delList($w$), pskList($w$) which are maintained by a challenger $C$. The OSList stores all the signatures which are queried by the original signature query, and the delList($w$) stores the submitted warrants and the corresponding delegations. The pskList($w$) stores all the proxy keys which are generated by $C$ from the warrants in the delList($w$). Using these three lists, we can follow the security proof more clearly. More precisely, by counting the list OSList, we can know how many times the ordinary signature oracle has been queried, and from delList($w$), we can know the number of queries to the proxy signature oracle. The security model is based on the following game which is played between a challenger $C$ and an adversary $A$:
Setup. The challenger $C$ runs Setup with input $1^k$ and generates $(pk^*, sk^*)$ for $u^*$ by running the $\mathrm{KeyGen}(1^k)$ of an ordinary signature scheme. After that, $C$ sends $pk^*$ to the adversary $A$ and stores $sk^*$.
Queries. The adversary $A$ can adaptively access any of the following queries which are answered by $C$:
1. Ordinary signature. $A$ submits a message $m$ to $C$, $C$ generates a signature on $m$ by $s \leftarrow \mathrm{Sign}(m, sk^*)$. $C$ returns $s$ to $A$ and adds $(m, s)$ to the OSList list.
2. Delegation to $u^*$. $A$ transmits $w$ to $C$, $C$ interacts with $A$ through the Delegate and the ProxyKeyGen with $(pk^*, sk^*)$. After the process has finished, $C$ will obtain a delegation of signing right with $u \leftarrow \mathrm{Delegate}(w, sk^*, pk^*)$ and a proxy key $sk_p$. Then, $C$ adds $(w, u)$ and $(w, sk_p)$ to the delList($w$) list and the pskList($w$) list, respectively.
3. Delegation from $u^*$.
   1. Delegation of $sk'$: $A$ submits $w$ to $C$ and wants $u^*$ to give a delegation of signing right to $u'$. $C$ generates a delegation $u$ for $u'$ by Delegate and adds $(w, u)$ to the delList($w$) list.
   2. Self-delegation: $C$ interacts with itself through Delegate and ProxyKeyGen on input $w$. $C$ generates a delegation of signing right $u$ and a proxy key $sk_p$, adds $(w, u)$ and $(w, sk_p)$ to the delList($w$) list and the pskList($w$) list, respectively. Then $C$ sends $u$ to $A$.
4. Proxy signature. $A$ transmits $(m, (w, u))$ to $C$ and wants to obtain a proxy signature of $m$. $C$ finds the proxy key $sk_p$ which corresponds to $w$ in pskList($w$). If $sk_p$ exists, $C$ returns $s \leftarrow \mathrm{ProxySign}(m, (w, u), sk_p)$ to $A$. Otherwise, returns $\perp$ to $A$.
5. Proxy key exposure. $A$ transmits $w$ to $C$, $C$ returns the proxy key $sk_p$ to $A$ if such a key exists in pskList($w$). Otherwise, returns $\perp$ to $A$.
Forgery. The successful forgery of $A$ can be one of the following forms:
1. Forge an ordinary signature of $u^*$. $A$ outputs $(m, s)$ which can be verified by Verify and $m$ has not been submitted in an ordinary signature query.
2. Forge a proxy signature of $u^*$. $A$ outputs $(m, (w, u), s)$ where the $s$ corresponds to the public key $pk^*$. This forgery is said to be valid if it can be verified by ProxyVerify, $(m, (w, u))$ has not been queried and $w$ has not been queried.
3. Self-proxy signature on behalf of $u^*$. $A$ outputs $(m, (w, u), s)$ where $s$ corresponds to the public key $pk_p$. This forgery is said to be valid if it can be verified by ProxyVerify and $w$ has not been queried.
If one of the above cases happens, the game returns 1. Otherwise, it returns 0.

Definition 2. An adversary $A$ is said to be a $(\epsilon', t', q'_d, q'_s)$-forger of a proxy signature scheme if $A$ has advantage at least $\epsilon'$ in the above game, runs in time at most $t$, and makes at most $q'_d$ and $q'_s$ delegation and signing queries to the challenger. A proxy signature scheme is said to

The general construction of MPKC proxy signature scheme

General proxy signature scheme
Assume we have an above MPKC signature scheme, we now describe our general proxy signature scheme as follows.
Setup: Let $n$ and $m$ be two positive integers, $\mathbb{F}_q$ is a finite field and all the arithmetic operations hereafter are over this finite field. $H: \{0, 1\}^* \to \mathbb{F}_q^n$ is a cryptographic hash function.
KeyGen: This algorithm generates the public key and the private key of a user. The detailed process is the same as that of the key generation of an MPKC signature scheme. After this algorithm, we set the private key of user A is $sk_A = (L_{1A}, L_{2A}, F_A)$, and the public key Similarly, the private key and public key of user B are $sk_B = (L_{1B}, L_{2B}, F_B)$ and $pk_B = P_B$, respectively.
Delegate: On input a warrant $w$ where $w = (pk_A, pk_B, t)$, this algorithm is performed by user A and generates a delegation of signing right to user B.
1. Randomly choose two invertible affine transformations $L'_1$ and $L'_2$, which are in the forms of $L_{1A}$ and $L_{2A}$, respectively. Then, compute A ) and the warrant $(w, u)$ to user B through an authenticated channel.
ProxyKeyGen: This algorithm generates a proxy key for the proxy signer with input $(L_1, L_2, P'_A, w, u)$. It is performed by user B as follows:
1. Verify the validity of $P'_A$ and $u$. If they are true, go to the next step. Otherwise, output 0.
2. Select two random invertible affine transformations $L''_1$ and $L''_2$, respectively, compute and $F_p = L''$
3. Compute a signature on $(w, u, F_p)$ through running Sign with $sk_B$, that is,
as a proxy key of user B, which B uses to generate proxy signatures on behalf of user A, and the corresponding public key is $pk_p = P'_A$.
Remark 1. Note that since $F_p = L''_1 \circ L_{1B} \circ P_A \circ L_{2B} \circ L''_2$, to invert $F_p$ we do not need the secret key $F_A$ of user A, but only the public key $P_A$ of user A; what we need is to choose the linear transformations such that the map $F_p$ can still be easily inverted. This is the key point in the construction; otherwise, the construction cannot work. In some cases of MPKCs, the linear transformations are totally random, such as our proxy signature for the MQ-based signature shown in section "Proxy-MQ: our MQ-based proxy signature scheme," and the proxy signature in Tang and Xu. 24 In some cases of MPKCs, we need to choose some special linear transformations; for example, in section "Practical implementations for these two schemes," we will show how to choose the linear transformations in the practical implementation of our proposed proxy schemes for UOV and Rainbow.
ProxySign: Suppose $M$ is the message to be signed. This algorithm generates a proxy signature on the message $M$ by user B.
User B applies $L_{1p}$, $L_{2p}$, and the central map $F_p$ to the basic MPKC signature algorithm described in Algorithm 1 to generate the signature $s$ on $M$ Then the proxy signature on message $M$ by user B is $(s, (w, u, P'_A, s_{prx}))$.
ProxyVerify: On input $(M, s, (w, u, P'_A, s_{prx}))$, anyone can verify the validity of the proxy signature by executing this algorithm. This algorithm includes the following steps:
1. Check the validity of $u$ on $w$ by running Verify with $pk_A$: $\mathrm{Verify}((w, P'_A), u, pk_A) \stackrel{?}{=}$ true. If it is true, go to the next step. Otherwise, output 0.
2. Check the validity of $s_{prx}$ on $(w, u, P'_A)$ by running Verify with $pk_B$: $\mathrm{Verify}((w, u, P'_A), s_{prx}, pk_B) \stackrel{?}{=}$ true. If it is true, go to the next step. Otherwise, output 0.

Security analysis of the general proxy signature scheme
Theorem 1. If the basic MPKC signature scheme is $(\epsilon, t, q_s)$ secure, then the general proxy signature scheme is $(\epsilon', t', q'_d, q'_s)$ secure, where $\epsilon \geq \epsilon'/2q'_d$, $t = t'$ and $q_s = q'_s + q'_d$.
Proof. Let $A$ be an adversary who can $(\epsilon', t', q'_d, q'_s)$ break our proxy signature scheme, then there exists an attacker $C$ who can $(\epsilon, t, q_s)$ break the corresponding MPKC signature scheme using $A$. Assume that $C$ receives a random public key $pk' = P'$ of MPKC signature scheme and has the right to access an MPKC signing oracle $\mathrm{Oracle}_{sig}(m, sk)$. Before beginning the security game, the attacker $C$ flips a uniform coin $c$. The result of $c$ is hidden from $A$, unless the security game aborts. If $c = 0$, $C$ sets $pk^* = pk'$, and $sk^* = \emptyset$, where $\emptyset$ means empty set. Otherwise, $C$ generates a fresh key pair $(pk^*, sk^*) \leftarrow \mathrm{KeyGen}$ where $pk^* = (P^*)$, and chooses $i^* \in \{1, 2, \ldots, q'_d\}$. As the challenger in the security game, $C$ will maintain three lists OSList, delList($w$), pskList($w$). Here, the delList list stores the intermediate result which will be considered in the following. Furthermore, $A$ is allowed to make $q'_s$ ordinary signature queries and $q'_d$ delegation queries which $C$ will answer in the security game as follows: . makes a query to the MPKC signing oracle for $(w, u, P'_d, pk_p)$ and obtains a signature $s_{prx}$. In this case, $s_{prx}$ would be added to the OSList list. If $c = 1$ and this is not the $i^*$th query, $C$ similarly chooses randomly two invertible affine transformations $L_1$ and $L_2$, and computes $L_{1p} = L'_{1d} \circ L_1^{-1}$, $L_{2p} = L_2^{-1} \circ L'_{2d}$, and $F_{pu^*} = L_1 \circ P_d \circ L_2$. Let $pk_p = P'_d$ and $sk_p = (L_{1p}, L_{2p}, F_{pu^*})$. Then $C$ runs $s_{prx} = \mathrm{Sign}(H(w \| u \| pk_p), sk^*)$. If $c = 1$ and this is the $i^*$th query, $C$ directly lets $pk_p = pk'$, $sk_p = \emptyset$ and runs $s_{prx} = \mathrm{Sign}(H(w \| u \| pk_p), sk^*)$. Finally, $C$ stores $(w, u, P'_d)$ and $(w, sk_p)$ to the delList($w$) and pskList($w$), respectively.
Delegation from $u^*$.
1. Delegation of $sk^*$. $A$ submits $w$ to $C$, where $w = (pk^*, pk_d, t)$. $C$ chooses randomly two invertible affine transformations $(L_{1d}', L_{2d}')$ and computes $P^{*\prime} = L_{1d}' \circ P^* \circ L_{2d}'$. If $c = 0$, then $C$ makes a query to the MPKC signing oracle and obtains a signature $u$ on $w \| P^{*\prime}$. The $u$ later is added to the OSList list by $C$. If $c = 1$, then $C$ generates $u$ by running $u \leftarrow \mathrm{Sign}(H(w \| P^{*\prime}), sk^*)$ and sends the delegation message $(w, u, L_{1d}', L_{2d}', P^{*\prime})$ to $A$. Of course, $C$ adds $(w, u, P^{*\prime})$ to the delList($w$) list.
2. Self-delegation. $C$ interacts with itself with $w = (pk^*, pk^*, t)$ which is submitted by $A$. If $c = 0$ or $c = 1$ and this is not the $i^*$th query, $C$ chooses randomly two invertible affine transformations $(L_{1p}, L_{2p})$, computes $P^{*\prime} = L_{1p} \circ P^* \circ L_{2p}$, makes a query to the MPKC signing oracle, and obtains a signature $u$ on $w \| P^{*\prime}$ with $P^*$. Then, $C$ also makes a query to the MPKC signing oracle for $(w, u, P^{*\prime})$ and obtains a signature $s_{prx}$. If $c = 1$ and this is the $i^*$th query, $C$ directly lets $pk_p = pk'$ and computes $s_{prx} = \mathrm{Sign}(H(w \| u \| pk_p), sk^*)$. Finally, $C$ adds $(w, u, pk_p)$ to the delList($w$) and $(w, sk_p)$ to the pskList($w$). If the $u$ is obtained by the MPKC signing oracle, $C$ also adds it to the OSList list.
Proxy signature. Once receiving $(m, (w, u))$ submitted by $A$, $C$ finds the relevant information with $w$ from delList($w$) and pskList($w$). $C$ parses $pk_p$ and the proxy key as $sk_p$. Then, $C$ makes a query to the MPKC signing oracle for $m$ and obtains a signature $s$ if $c = 0$. Otherwise, $C$ computes $s \leftarrow \mathrm{Sign}(H(m), sk_p)$. Then $C$ sends $(m, s, (w, u, pk_p, s_{prx}))$ to $A$.
Proxy key exposure. On input $w$ from $A$, $C$ finds relevant information from delList($w$) and pskList($w$) and parses it as $(sk_p, (w, u, pk_p, s_{prx}))$. If $sk_p = \emptyset$, $C$ aborts the game. Otherwise, $C$ returns $(sk_p, (w, u, pk_p, s_{prx}))$ to $A$.
If the above game is not forced to abort by $C$, $A$ will eventually output a forgery. The forgeries are classified into two different cases:
Case 1: $A$ forges (1) a valid MPKC signature $(m, s)$ or (2) a valid proxy signature $(m, (w, u, pk_p, s_{prx}), s)$ for which the corresponding public key $pk_p$ was not generated by $C$, or (3) a valid proxy signature $(m, (w, u, pk_p, s_{prx}), s)$ where $w$ was not submitted to the ordinary signature query.
Case 2: $A$ forges a valid signature which is not in case 1.
In the case $c = 0$, $C$ sets $pk^* = pk'$. If $A$ constructs a valid forgery in case 2, $C$ will abort the game. Otherwise, if $A$ constructs a valid forgery in case 1, then:
If the forgery is of type 1, that is, $(m, s)$, it shows that $A$ has not requested a signature on $m$. Then, $C$ will not have submitted $m$ to an MPKC signature oracle. That is, $s$ is a valid forgery of an MPKC signature under the public key $pk'$.
If the forgery is of type 2, that is, $(m, (w, u, pk_p, s_{prx}), s)$ is a valid signature for $(w, u, pk_p)$ under the public key $pk_p = pk'$, then $C$ will not have submitted $(w, u, pk_p)$ to MPKC signing oracle. Therefore, $s_{prx}$ will be a valid MPKC signature forgery under the public key $pk'$.
If the forgery is of type 3, that is, $(m, (w, u, pk_p, s_{prx}), s)$ derives that $u$ is a valid forgery for $w$, and $C$ will therefore not have submitted $w$ to the signing oracle. Hence $u$ is a valid forgery of an MPKC signature under the public key $pk'$.
Now, let us consider the case $c = 1$ where $C$ inserts $pk'$ as a proxy public key. In this case, if the forgery is in case 1, then $C$ will abort the game. However, if the forgery is in case 2 with forgery $(m, (w, u, pk_p, s_{prx}), s)$ where $pk_p = pk'$, then $C$ outputs $(m, s)$ as a valid forgery for signature scheme. Otherwise, $C$ aborts. Note that if $A$ constructs such a forgery, then $A$ will not have queried the proxy key $(w, u, pk_p, s_{prx})$ with $pk_p$.
We define the following events associated with the above security game: $E_1$ be the event that $A$ constructs a forgery in case 1, $E_2$ be the event that $A$ constructs a forgery in case 2, and $E_3$ denotes that $A$ guesses the correct value of $i^*$ in a forgery for case 2. The success probability of $A$ is $\Pr[E_1] + \Pr[E_2]$. Then the success probability of $C$ can be
Remark 2. Note that the above proof is only a heuristic security proof, since the underlying signature schemes in the area of MPKC are mostly not provably secure; more discussion follows, and we propose additional analysis in section "Practical implementations for these two schemes" for our practical implementation. Furthermore, anyone can determine the proxy signer by the verification of the warrant $w$ and the signature $s_{prx}$. Then, the proxy signer is required to sign $u$ and the public key of the proxy signature. Under the assumption that the underlying signature scheme is secure, we can conclude that no proxy signer can deny a proxy signature he or she created, due to the existence of $s_{prx}$. At the same time, the private key of the original signer is only directly used to sign the warrant $w$. And no one can obtain the private key of the original signer from the proxy key because of the random transformations selected in Delegate. The above discussions show that our scheme meets all the security properties of a proxy signature scheme.

The proposed MPKC proxy signature schemes
In this section, we will propose three proxy schemes based on three well-known MPKC schemes: UOV, 12 Rainbow 22 and MQ-based scheme. 16 Proxy-UOV: proxy scheme based on UOV Now we describe the process of our proxy scheme based on UOV using our general construction.
Setup: Let n and m be two positive integers, k is a finite field and all the arithmetic operations hereafter are over this finite field. H: f0, 1g Ã ! k n is a cryptographic hash function. KeyGen: This algorithm generates the public key and the private key of a user. The detail process is the same as that of the key generation of an MPKC signature scheme. After this algorithm, we set the private key of user A is sk A = (F A , T A ), and the public key pk A = P A , where P A = F A 8 T A . Similarly, the private key and public key of user B are: sk B = (F B , T B ), pk B = P B , respectively. Delegate: A randomly chooses a bijective affine transformation T , then computes T 0 The affine T should be kept secret by A. A sends (T 0 A , F 0 A , P 0 A ) and the warrant (w, u) to B through an authenticated channel, where w = (pk A , pk B , t), t is a time period which denotes that w is valid in time t and u is a signature on w generated by A using our proposed signing algorithm, that is, u = Sign(H(w), sk A ).
A and $\mathrm{Verify}(w, u, pk_A) = 1$. Then B selects a random bijective affine transformation $T'$ and computes $T_p = T'^{-1} \circ T'_A$ and $F_p = F'_A \circ T'$. Let $sk_p = (F_p, T_p)$ and $pk_p = P'_A$. Then $sk_p$ is a private key for ordinary signature, and the corresponding public key is $pk_p$, because the following equality holds Then B computes a signature $s_{prx}$ by running and sets $sk_p$ as the proxy signing key that B uses to generate proxy signatures on behalf of A and sets $pk_p$ and $(w, u, P'_A, s_{prx})$ as the proxy verifying key.
ProxySign: Suppose M is the message to be signed. This algorithm generates a proxy signature on the message M by user B.
User B applies $T_p$ and the central map $F_p$ to the basic MPKC signature algorithm described in Algorithm 1 to generate the signature $s$ on $M$. Then the proxy signature on message $M$ by user B is $(s, (w, u, P'_A, s_{prx}))$.
ProxyVerify: On input $(M, s, (w, u, P'_A, s_{prx}))$, anyone can verify the validity of the proxy signature by executing this algorithm. This algorithm includes the following steps:
1. Check the validity of $u$ on $w$ by running Verify with $pk_A$: $\mathrm{Verify}((w, P'_A), u, pk_A) \stackrel{?}{=} \text{true}$. If it is true, go to the next step. Otherwise, output 0.
2. Check the validity of $s_{prx}$ on $(w, u, P'_A)$ by running Verify with $pk_B$: $\mathrm{Verify}((w, u, P'_A), s_{prx}, pk_B) \stackrel{?}{=} \text{true}$. If it is true, go to the next step. Otherwise, output 0.
3. Check the validity of $s$ on message $M$ by running Verify with $P'_A$: Verify(M, s, P' If it is true, output 1. Otherwise, output 0.
The verifier accepts the proxy signature if and only if the three conditions of ProxySign are all true. Otherwise, the verifier rejects the proxy signature.

Proxy-Rainbow: proxy scheme based on Rainbow
Since the main difference between this proxy signature scheme and the general construction lies in the Delegate step and the ProxyKeyGen process, we describe only the Delegate step and ProxyKeyGen.
Setup: Let $n$ and $m$ be two positive integers and $k$ a finite field; all the arithmetic operations hereafter are over this finite field. $H: \{0, 1\}^* \to k^n$ is a cryptographic hash function.

KeyGen: This algorithm generates the public key and the private key of a user. The detailed process is the same as that of the key generation of an MPKC signature scheme. After this algorithm, the private key of user A is $sk_A = (L_{1A}, L_{2A}, F_A)$, and the public key Similarly, the private key and public key of user B are $sk_B = (L_{1B}, L_{2B}, F_B)$ and $pk_B = P_B$, respectively.

Delegate: A randomly chooses two invertible affine transformations $L'_1$ and $L'_2$, respectively, then computes and $L'_2$ should be kept secret by A. A sends $(L_1, L_2, F'_A, P'_A)$ and the warrant $(w, u)$ to B through an authenticated channel, where $w = (pk_A, pk_B, t)$, $t$ is a time period which denotes that $w$ is valid in time $t$, and $u$ is a signature on $w$ generated by A using the Rainbow signing algorithm, that is, $u = \mathrm{Sign}(w, sk_A)$.

ProxyKeyGen: After receiving $(L_1, L_2, F'_A, P'_A, w, u)$, B randomly chooses two invertible affine transformations $L''_1$ and $L''_2$, respectively, and computes $L_{1p} = L_1 \circ L''^{-1}_1$, $L_{2p} = L''^{-1}_2 \circ L_2$, and $F_p = L''_2$. Let $sk_p = (L_{1p}, F_p, L_{2p})$ and $pk_p = P'_A$. Then $sk_p$ is a private key for ordinary signature, and the corresponding public key is $pk_p$, because the following equality holds Then B computes a signature $s_{prx}$ by running and sets $sk_p$ as the proxy signing key that B uses to generate proxy signatures on behalf of A, and sets $pk_p$ and $(w, u, pk_p, s_{prx})$ as the proxy verifying key.

Practical implementations for these two schemes
In Petzoldt et al., 33 the result indicates that $q = 2^8$, $m = 26$, $v = 52$ has a security level higher than $2^{80}$ for the UOV scheme, where $q$ is the order of the finite field, $m$ is the number of polynomials and is equal to the number of Oil variables, and $v$ is the number of Vinegar variables. We will choose this parameter set.
Next, and this is the extremely important setting of our construction, we should choose appropriate affine transformations that preserve the special structure of the UOV scheme. Specifically, after composing with an affine transformation, the polynomials in the new central map should still be in the form of Oil-Vinegar polynomials. Represent each central polynomial of a UOV scheme by its corresponding matrix, with the Vinegar variables denoted by its first $v = 52$ variables. Then the matrices of the polynomials in the central map should be in the form of Figure 1. In Figure 1, the gray areas represent the random entries while blank areas denote zero entries. The rest of this article follows the same rules. Thereby, our problem is transformed into choosing an affine transformation that keeps the shape of the above matrix of the central equation. To achieve that goal, we can pick invertible affine transformations of the form shown in Figure 2.
Once $T$ and $T'$ are chosen in this form, we get $F_p = F_A \circ T \circ T'$, which means that the matrix form of the central map $F_p$ is Thus, this will make sure that the map $F_p$ can still be easily inverted.
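The two facts the Proxy-UOV construction relies on can be checked numerically; the following is an added example, not the authors' Magma code. It verifies that composing an Oil-Vinegar central map with a shape-preserving $T'$ keeps the oil-by-oil block zero, and that $F_p \circ T_p = F'_A \circ T'_A$ for the $T_p$ and $F_p$ of ProxyKeyGen. Assumptions: linear instead of affine maps, the toy field GF(31) instead of GF($2^8$), $v = o = 2$, and a block-triangular shape for $T'$ chosen to meet the stated requirement because Figure 2 is not reproduced here; all function names are illustrative.

```python
import random

P = 31             # toy prime field (assumption; the paper uses GF(2^8))
V, O = 2, 2        # vinegar and oil variable counts (toy sizes)
N = V + O

def matmul(a, b):
    return [[sum(x * y for x, y in zip(r, c)) % P for c in zip(*b)] for r in a]

def inverse(m):
    """Gauss-Jordan inverse mod P; returns None when m is singular."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c]), None)
        if piv is None:
            return None
        a[c], a[piv] = a[piv], a[c]
        scale = pow(a[c][c], -1, P)
        a[c] = [x * scale % P for x in a[c]]
        for r in range(n):
            if r != c:
                a[r] = [(x - a[r][c] * y) % P for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def rand_invertible(rng, keep_shape):
    """Random invertible matrix; keep_shape zeroes the vinegar-row/oil-column block."""
    while True:
        m = [[rng.randrange(P) for _ in range(N)] for _ in range(N)]
        if keep_shape:
            for i in range(V):
                m[i][V:] = [0] * O   # old vinegar never depends on new oil
        if inverse(m) is not None:
            return m

def rand_ov_form(rng):
    """One central polynomial as a matrix with a zero oil-by-oil block."""
    return [[0 if i >= V and j >= V else rng.randrange(P)
             for j in range(N)] for i in range(N)]

def compose(forms, t):
    """Matrices of F o T: each Q becomes T^T Q T."""
    return [matmul(matmul(list(zip(*t)), q), t) for q in forms]

def oil_block_is_zero(forms):
    return all(q[i][j] == 0 for q in forms
               for i in range(V, N) for j in range(V, N))

def proxy_keygen(f_a1, t_a1, t1):
    """B's step from the text: F_p = F'_A o T', T_p = T'^{-1} o T'_A."""
    return compose(f_a1, t1), matmul(inverse(t1), t_a1)

def demo(seed=1):
    rng = random.Random(seed)
    f_a1 = [rand_ov_form(rng) for _ in range(O)]   # F'_A as received by B
    t_a1 = rand_invertible(rng, keep_shape=False)  # T'_A as received by B
    t1 = rand_invertible(rng, keep_shape=True)     # B's secret T'
    f_p, t_p = proxy_keygen(f_a1, t_a1, t1)
    return oil_block_is_zero(f_p), compose(f_p, t_p) == compose(f_a1, t_a1)
```

`demo()` returns a pair: whether $F_p$ is still an Oil-Vinegar map, and whether the proxy key pair induces the same public map as $(F'_A, T'_A)$.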
Currently, the prevailing Rainbow is two-layer based, and the layer structure (18, 12, 12) over GF($2^8$) is enough to resist all the attacks mentioned above (security level is greater than $2^{80}$). 34 Thereby, we plan to use this parameter set of Rainbow for our Proxy-Rainbow scheme. The corresponding matrices of Rainbow have the forms shown in Figure 3.
Moreover, to keep the multi-layer structure of the central equation, the left affine transformations $L_1$ and $L'_1$ should have the shapes as shown below. By choosing these structures, we can make sure that the map $F_p$ of Proxy-Rainbow can still be easily inverted (Figures 4 and 5).

Proxy-MQ: our MQ-based proxy signature scheme
Using our general method to propose a proxy signature scheme based on the basic MQ-based signature scheme described in section ''The general construction of MPKC proxy signature scheme,'' we need to make some changes in the key generation phase KeyGen.
Below is the full description of our proxy signature for the MQ scheme.
Setup: Let $n$ and $m$ be two positive integers and $\mathbb{F}_q$ a finite field; all the arithmetic operations hereafter are over this finite field. $H: \{0, 1\}^* \to \mathbb{F}_q^n$ is a cryptographic hash function.

KeyGen: Let $e$ be a vector from $\mathbb{F}_q^n$ that every element is randomly chosen in $k$ (i.e. $e = \{1, \ldots, 1\}^T$, the superscript $T$ denotes transposition), to get As private key, A first randomly chooses a bijective affine transformation $T_A$, and its private key $s_A$ is calculated by $s_A = T_A(e)$, then the corresponding public key $pk_A$ is ( Similarly, B's private key $sk_B$ is calculated by $s_B = T_B(e)$, where $T_B$ is a random bijective affine transformation, and the corresponding public key $pk_B$ is $(F_B, v_B)$ that satisfies $v_B = F_B(s_B)$. Then $e$, $pk_A = (F_A, v_A)$ and $pk_B = (F_B, v_B)$ are published to the public bulletin board.

Delegate: Let $s_A = T_A(e)$. A randomly chooses a bijective affine transformation $T$, then computes The affine $T$ should be kept secret by A. A sends $(T'_A, F'_A, v'_A)$ and the warrant $(w, u)$ to B through an authenticated channel, where $w = (pk_A, pk_B, t)$, $t$ is a time period which denotes that $w$ is valid in time $t$, and $u$ is a signature on $w$ generated by A using our proposed signing algorithm, that is, $u = \mathrm{Sign}(w, sk_A)$.

ProxyKeyGen: Let $s_B = T_B(e)$. After receiving , u), B selects a random bijective affine transformation $T'$ and computes Let $pk_p = (F_p, v_p)$, $sk_p = s_p$. Then $sk_p$ is a private key for ordinary signature, and the corresponding public key is $pk_p$, because the following equality holds Then B computes a signature $s_{prx}$ by running and sets $sk_p$ as the proxy signing key that B uses to generate proxy signatures on behalf of A, and sets $pk_p$ and $(w, u, pk_p, s_{prx})$ as the proxy verifying key.
ProxySign: Suppose M is the message to be signed. This algorithm generates a proxy signature on the message M by user B.
User B applies $L_{1p}$, $L_{2p}$ and the central map $F_p$ to the basic MPKC signature algorithm described in Algorithm 1 to generate the signature $s$ on $M$. Then the proxy signature on message $M$ by user B is $(s, (w, u, P'_A, s_{prx}))$.
ProxyVerify: On input $(M, s, (w, u, P'_A, s_{prx}))$, anyone can verify the validity of the proxy signature by executing this algorithm. This algorithm includes the following steps:
1. Check the validity of $u$ on $w$ by running Verify with $pk_A$: $\mathrm{Verify}((w, P'_A), u, pk_A) \stackrel{?}{=} \text{true}$. If it is true, go to the next step. Otherwise, output 0.
2. Check the validity of $s_{prx}$ on $(w, u, P'_A)$ by running Verify with $pk_B$: $\mathrm{Verify}((w, u, P'_A), s_{prx}, pk_B) \stackrel{?}{=} \text{true}$. If it is true, go to the next step. Otherwise, output 0.
3. Check the validity of $s$ on message $M$ by running Verify with $P'_A$: Verify(M, s, P' If it is true, output 1. Otherwise, output 0.
The verifier accepts the proxy signature if and only if the three conditions of ProxySign are all true. Otherwise, the verifier rejects the proxy signature.

Practical implementation for Proxy-MQ
After the changes, it is easy to see that we replace the randomly selected vector with an invertible transformation and a publicly known random vector, so the scheme is based not only on the MQ problem, but also on the IP problem. In contrast to Sakumoto et al., 16 we suggest using a determined system for the MQ-based signature scheme (i.e. $m = n$). The reason for this is that a greater number of variables does not increase the security of this scheme. 35 We propose for the scheme the parameters $k = \mathrm{GF}(2)$, $(m, n) = (84, 84)$, $r = 193$, where $r$ is the number of the signer gathers the commitments in our modified MQ signature scheme.

A toy example and deployment in real distributed scenario
To illustrate how our proxy signature scheme works, we propose a toy example for Proxy-UOV in this section (others are similar). The following example comes from our running test on Magma. 36 In our toy example, we choose the parameters of Proxy-UOV as $q = 2^2$, $m = 2$, $n = 4$, $o = 2$, $v = 2$.

First, we set the private key of user A to $sk_A = (F_A, T_A)$ and the public key to $pk_A = P_A$; the private key and public key of user B are $sk_B = (F_B, T_B)$ and $pk_B = P_B$, respectively

Delegate: A randomly chooses a bijective affine transformation $T$ as follows In addition, A generates a warrant $w = (pk_A, pk_B, t)$ (assume that $H(w) = (0, a)$), signs it using the regular UOV signing algorithm, and gets $u = \mathrm{Sign}(H(w), sk_A) = (0, 0, a, 1)$. Finally, A sends $(T'_A, F'_A, P'_A)$ and the warrant $(w, u)$ to B through an authenticated channel.

and $\mathrm{Verify}(w, u, pk_A) = P_A(0, 0, a, 1) = (0, a)$. Then B selects a random bijective affine transformation $T'$ and computes Let $sk_p = (F_p, T_p)$ and $pk_p = P'_A$. Then $sk_p$ is a private key for ordinary signature, and the corresponding public key is $pk_p$.

Assume the hash value of $(w, u, P'_A)$ is $(a, a)$. B computes a signature $s_{prx}$ by running 1, 1, a) and sets $sk_p$ as the proxy signing key that B uses to generate proxy signatures on behalf of A, and sets $pk_p$ and $(w, u, P'_A, s_{prx})$ as the proxy verifying key. Then the proxy signature on message $M$ by user B is $(s, (w, u, P'_A, s_{prx}))$.

ProxyVerify: On input $(M, s, (w, u, P'_A, s_{prx}))$, a verifier V can verify the validity of the proxy signature by executing this algorithm. This algorithm includes the following steps:
1. Compute $P_A(u) = (0, a)$ and check whether it is equal to $H(w)$. Since it is true, go to the next step.
2. Compute $P_B(s_{prx}) = (a, a)$ and check whether it is equal to $H(w, u, P'_A)$. Since it is true, go to the next step.
3. Compute $P'_A(s) = (0, a^2)$ and check whether it is equal to $H(M)$. Since it is also valid, the algorithm outputs 1.
In addition, let us consider a communication scenario in a distributed sensor network and see how we can deploy our proxy scheme in this scenario. To develop secure communication in a distributed sensor network, sensors digitally sign the data (i.e. the message $M$) and communicate it to a server. It is expected that the server must be convinced of the authenticity of the sender (i.e. the sensor deployed in the distributed network) and the sender (i.e. the sensor) must also be convinced of the authenticity of the receiver (i.e. the server). To develop such an authentication method, a designated receiver delegation method is the most promising. In this method, the deploying authority (DA) (server administrator or network developer) delegates its signing power to the sensor and also designates the trained professional as a receiver. Thus, the DA is the original signer, the sensor is a proxy signer, and the server is the designated receiver. As shown in the above toy example, in this scenario, the DA is acting as A, the sensors are acting as B, and finally, a sensor can generate a proxy signature on message $M$ as $(s, (w, u, P'_A, s_{prx}))$. Finally, the server is acting as a verifier V and thus can be convinced of the authenticity of the sensors.

Performance and comparisons of our proxy signature schemes
The complexity and running time of each procedure of our proxy signature schemes, and comparison with Tang's scheme 24 (the only proxy scheme of MPKC we have known) and Mambo's scheme 30 (the first proxy scheme), Hu-Zhang (HZ) scheme 37 (an improved efficient secure proxy scheme) is shown in Table 1. We set the parameters in HZ scheme 37 with $(n = 2, t = 1)$. From Table 1, we can see that the proxy signature generation and the proxy signature verification of our schemes are more efficient than Tang's schemes in Table 1. According to recent research result, the time of generating a large prime is more than 20 times than that of generating a system of polynomials, and an exponentiation evaluation costs about half times than an evaluation operation, while choosing proper parameters with security level more than 80 bits. So, in this situation, all our schemes and Tang's scheme 24 have better initialization time and verify process time than that of Mambo's scheme 30 and HZ scheme. 37

Table 1. Columns: Tang's scheme 24, Mambo's scheme 30, HZ scheme 37. Initialization: $O(2m^2 + 2n^2 + 2mn^2)$; $2T_p + T_e + T_m \approx O(2\log(n_r) + n_{rsa}\log(n_r) + n_r^2)$; $2T_p + 5T_e + 2T_m \approx O(2\log(n_r) + 5n_{rsa}\log(n_r) +$

Notation for Table 1: $u$, $m$, $n$: the number of layers, polynomials, and variables in a scheme, respectively; $S$: average time required by a Gaussian Elimination function to solve linear equations; $q$: the length of output bits of the hash function for Tang scheme; 24 round: the iterative rounds for MQ-based signature; $T_p$, $T_e$, $T_m$, $T_H$: the time for generating a large prime, one exponentiation computation, one modular multiplication computation, and hash function computation, respectively; $n_r$, $n_h$: the size of the public key in a secure RSA scheme and the size of a secure hash function, respectively.

The running time of our proposed Proxy-UOV and Proxy-Rainbow schemes (using our suggested parameters) compared with Mambo's scheme 30 and HZ scheme 37 (2048 bits) is shown in Table 2.
From the experimental results, we can see that the proxy signature generation time of our schemes is between RSA and elliptic curve cryptography (ECC), while the initialization and verifying times are much faster than both of them. Consequently, even though our scheme is a bit slower in the proxy share generation time, it is applicable in real life.

While running in Magma, the memory overflows when using the suggested parameters of Proxy-MQ and Tang's scheme in Tang and Xu, 24 so we have to modify the parameters to measure the running time ($(n = 42, m = 42, q = 2, \text{round} = 2)$ for Proxy-MQ, $(n = 42, m = 42, q = 2, \text{round} = 2)$ for Tang's scheme), and the result is shown in Table 3.

As the result shows, the proxy signature scheme based on MQ is slightly more efficient than Tang's scheme 24 and is a promising proxy scheme, taking into account its post-quantum property in multivariate cryptography.

Conclusion
A general proxy signature scheme based on an MPKC signature scheme is proposed, which invokes the underlying signature scheme three times and can satisfy all the security requirements of a proxy scheme. Through formal security analysis, our general scheme is proved to be secure in the sense of Existential Unforgeability under an Adaptive Chosen Message Attack with Proxy Key Exposure, assuming that the underlying MPKC signature is Existentially Unforgeable under an Adaptive Chosen Message Attack. Thereafter, we propose three practical proxy schemes based on three promising MPKC schemes: UOV, Rainbow, and the MQ-based scheme. Although the security of the underlying MPKC is still an open problem, the method to construct our proxy scheme and the method to formally prove the security of our proxy scheme are good explorations in the area of MPKC.
In the future work, we plan to construct other primitives based on multivariate signature scheme, such as identity-based signature, forward secure signature, and so on.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.