Professional Documents
Culture Documents
L. Harn
where m' = f ( m ) . If the equation holds true, the group Since yy' # $asi mod p. this forged partial signature
signature { r , s} has been verified. ( r ; , SI) cannot satisfy the signature verification equation.
It is therefore concluded that, although one of the partial
Theorem: If y"' = f a " mod p, the group signature { r , s } signatures ri from each member is not authenticated by
has been verified. other members and the attacker can easily change this
value, to place a successful attack is infeasible. On the
Proof: With the knowledge of secret key z i , user ui is able other hand, if it is necessary, each member can still sign
to generate its partial signature { r i , si} for message m to this partial signature and then make the signature of ri
satisfy and ri itself available on the broadcast channel.
(iv) If the clerk is allowed to collect all ri from the
yy' = <asi mod p members and to broadcast the productive result r for all
I E E Proc.-Compuf.Digit. Tech., Vol. 141, No. 5, September 1994 309
members to sign accordingly, there will be a possible authentication center (KAC) is responsible for selecting
active attack associated with the clerk. This is because, all parameters, the group secret key and all secret
instead of broadcasting r, the clerk broadcasts r' = rf shadows for group members. The KAC selects:
mod p for all members to use to sign their signatures. (i) p , a large prime modulus, where z5l1< p < 2512,
With the knowledge of the signature pair ( r , s) for (ii) q, a prime divisor of p - 1, where 2159< q < 2 I 6 O ,
the message m', the clerk can successfully forge a signa- (iii) { a i , for i = 0, ..., t - I}, and f ( x ) = a , a , x +
ture pair (r', st) for the message m", where + . . + a , - l x z - l mod q, each ai is a random integer
m" = m't mod p - 1. Since t is a random integer, this with 0 < ai < q,
attack can be applied to forge any message. Thus, it is (iv) a, where a = h ( p - - l ) / q mod p , h is a random integer
recommended that all group members to compute their with 1 < h < p - 1 such that h'P-l)'q mod p > 1. a is a
own r to avoid this attack. generator with order q in G F ( p ) . { p , q, U} are the public
values, { a i ,i = 0, . _ . ,t - 1) are the secret values.
3.5 Other features
(i) In this scheme, a signature signed only by partial It should be pointed out that according to Lemma 1 in
Reference 20, if c( is a generator with order q in G F ( p ) ,
members cannot be verified correctly by an outsider. In
then a' mod p = a'mod mod p , for any nonnegative
other words, a valid group signature must be mutually
integer r.
generated by all members.
(ii) The group signature in this scheme consists of a
pair of { r , s } . The n individual signatures produced by all 4.1 Group secret key and secret shadows generation
members consist of n pairs of { r i , si}. Thus, the scheme phase
combines n individual signatures into a single signature. The group secret key is determined by KAC asf(0). The
(iii) The group signature verification process requires secret shadow for each group member is also determined
two modular exponentiations. However, the varification by KAC as
process for n individual signatures requires 2n modular
f ( x i )mod q for i = 1, 2, . . ., n
exponentiations. Thus, this scheme speeds up the verifica-
tion process by a factor of n. where xi is the public value associated with each group
(iv) The same scheme can be easily applied to solve the member. The KAC also needs to compute one group
digital multisignature problem. Instead of combining n public key y as
individual signatures in a group-oriented signature, the y = a/'" mod p
digital multisignature scheme should be able to combine
any number of individual signatures into a multi- for group signature verification purpose and public keys
signature. Also, instead of using a fixed group public key Yi as
to verify the signature in the group-oriented signature y- = a/"" mod p , for i = 1, 2, _..,n
scheme, the verifier in the digital multisignature scheme
should use all signer's public keys to verify the multi- for all group members.
signature. There are two properties that need to be
achieved in the design of an optimal digital multi- 4.2 ( t , n ) Threshold signature generation phase
signature scheme: (a) the size of the multisignature This scheme allows any t group members to represent the
should be equivalent to the size of an individual's signa- group to sign a message m. Without losing generality,
ture; and (b) the verification process of multisignature assume that the t group members involved can be
should be almost equivalent to the verification process of denoted as u l , u 2 , ..., u t . This phase can be further
an individual's signatures. References 13, 15 and 16 divided into two parts.
provide for more information on this topic. All existing
digital multisignature schemes are based on the factoring Part 1: Individual signature generation and verification.
problem. Since each user selects a different modulus n for Members can sign the message simultaneously. Here, just
their public key, there are two problems associated with the procedures associated with member ui are described.
this approach: (a) the signing order has certain Member ui randomly selects an integer, k i E [l, q - 11,
restrictions (i.e. the moduli associated with signers should and computes a public value, ri , as
be arranged in an ascending order); and (b) the multi-
signature verification process requires all different moduli ri = a'' mod p
n (i.e. the required operation is linear in the number of and makes ri publicly available through a broadcast
signers). Thus, they are not the optimal digital multi- channel. Once all ri are available, each member computes
signature schemes. The proposed multisignature scheme the product, r, as
is the first scheme based on the discrete logarithm
t
problem. Since all users use the same modulus p in this r = n r i mod p
scheme, it allows users to sign the same message i= 1
simultaneously. In addition, it can compress n partial sig-
natures into a multisignature without any data expansion Member ui uses his secret keys,f(xi) and k i , to sign the
and it also simplifies the verification process significantly. message m based on the modified signature scheme.
Thus, the proposed scheme is optimal. Member ui then solves the equation
r= (6.1) mod P
fake shadow, fi(xj), and publishes the corresponding
public key as yi. = mod p . Since it is known that if
the member is honest and picks up all the real shadows,
Member ui uses his secret keys, z i and k i , and secret then with the knowledge of any t shadows from the rest
+ +
shadows, h{xi),for j = t 1, t 2, ..., n, to sign the of n - 1 shadows, the same polynomial,@) can be recon-
structed. There are C7-l ways to reconstruct fi(x). In
message m based on the modified signature scheme and
solves the equation other words, all these reconstructed polynomials will pass
through A(0) = zi. However, if there are fake shadows,
n
some reconstructed polynomials will be different from
A(x) and will not pass through A(0) = zi and, without
knowing these shadows, this condition can still be exam-
x m' - ki x r mod q ined by just knowing the public keys of these shadows.
for integer s i , where 0 < si < q - 1 and m' = f ( m ) , and Using the theorem in the previous section, for any t
transmits {m,si} to a designated clerk. Note here that the public keys of secret shadows, y i ,j k , for k = 1, 2, . .. , t, we
individual signature, {rir s i } , is a partial signature of have
message m.
Once the clerk receives the individual signature { r i , si}
n a i-".-
y, =y, XI1 - 5 ,
, L i l . l * l XI2 -
.-l.,*l X,l
from U;, he needs to verify the validity of this partial sig- L '.J1 Yi. j z
nature. The clerk uses uI)s public keys, xi, y i ,and y j , ( , for n".
j =t + +
1, t 2, ..., n, and partial signature { r i , si} to . . . Yi.jt x*-x*
l-l.L*,
mod p
compute
Since any t out of n combination of the public values
satisfies the above relation, members can verify their
secret shadows individually.
where m' = f ( m ) . If the equation holds true, the partial The security analysis of this scheme is almost the same
signatwe {ri,si} of message m received from ui has been as the previous one. However, this scheme does not need
verified. the assistance of a mutually trusted party.
Part 2: ( t , n) Signature generation. Once t partial signa- 6 Conclusion
tures are received and verified by the clerk, the group
signature of message m can be generated as { r , s}, where Three threshold digital signature schemes based on the
s = s1 + s2 + ... + S, mod q. difficulty of solving the discrete logarithm problem are
proposed. The group signature can be generated when
5.3 (t, n ) Threshold signature verification phase the number of participating members is larger than or
The verification procedure is given as equal to the threshold value. The size of the group signa-
ture and the verification time of the signature are the
y'"' = Jusmod p same as that of an individual signature. The first scheme
where m' = f ( m ) . If the equation holds, the group signa- is a special case which requires all group members to sign
ture { r , s} is valid. the message together. This scheme can be easily applied
to generate digital multisignature. The second scheme
Theorem: If y'"' = Jus mod p , the group signature { r , s} provides a general solution and it requires the assistance
has been verified. of a mutually trusted party; however, the third scheme
does not require the mutually trusted party.
Proof; The proof is similar to the proof in the previous
section. 7 References
One additional problem needs to be solved because 1 AGNEW, G.B., MULLIN, R.C., and VANSTONE, S.A.:'Improved
these group members are not mutually trusted. The digital signature scheme based on discrete exponentiation', Elec-
problem is how to convince the rest of the members that tronics Letters, 1990, 26, (14),pp. 1024-1025
the secret shadows received from the dealer (one of the 2 BOYD, C.: 'Digital multisignature'. Proceedings of conference on
group users) are derived consistently from the same secret Coding and Cryptography, Cirencester, 15-17 December 1986.
3 CHAUM, D., and VAN HEYST, E.: 'Group signature', in
without revealing the secret to the others. The applica- 'Advances in Cryptology'. Proceedings of Ewocrypt '91, pp. 257-
tion of this problem is very important. For example, a 265,8-11 April 1991
312 IEE Proc.-Comput. Digit. Tech., Vol. 141, No. 5, September 1994
4 DESMEDT, Y.: ‘Society and group oriented cryptography: a new 12 KIESLER, T., and HARN, L.: ‘RSA blocking and multisignature
concept’, in ‘Advances in Cryptology’. Proceedings of Crypto ’87, pp. schemes with no bit expansion’, Electronics Letters, 1990, 26, (18),
120-127,16-20 August, 1988 pp. 1490-1491
5 DESMEDT, Y., and FRANKEL, Y.: ‘Threshold cryptosystem’, in 13 LAIH, C.S., and HARN, L.: ‘Generalized threshold cryptosystems’,
‘Advances in Cryptology’. Proceedings of Crypto ’89, pp. 307-315, in ‘Advances in Cryptology’. Proceedings of Asiucrypt ’91, Nov.
20-24 August 1989 11-14,1991, pp. 159-169
6 DESMEDT, Y., and FRANKEL, Y.: ‘Shared generation of authen- 14 OHTA, K., and OKAMOTO, T.: ‘A digital multisignature scheme
ticators’, in ‘Advances in Cryptology’. Proceedings of Crypto ’91, based on the Fiat-Shamir scheme’, in ‘Advances in Cryptology’.
11-15 August 1991 Proceedings of Asiucrypt ’91,Nov. 11-14,1991, pp. 139-148
7 ELGAMAL, T.: ‘A public key cryptosystem and a signature scheme 15 OKAMOTO, T.: ‘A digital multisignature scheme using bijective
based on discrete logarithms’, IEEE Trans., 1985, IT-31,pp. 469- public-key crmtosystems’, ACM Trans. on Camp. . Systems,
. 1988, 6,
472 {X), pp. 4f2-Gl
8 FRANKEL, Y.: ‘A practical protocol for large group oriented net- 16 PEDERSEN, T.P.: ‘A threshold cryptosystem without a trusted
works’, in ‘Advances in Cryptology’. Proceedings of Eurocrypt ‘89, partv’. in ‘Advances in CrvDtolom’. .. PI,
-. Proceedinas of Eurocrvvt
April 1989, pp. 56-61 Apr:8-11,1991, pp. 522-5;;8
9 HARN, L., and YANG, S.: ‘Group-oriented undeniable signature 17 POHLIG, S., and HELLMAN, M.: ‘An improved algorithm for
schemes without the assistance of a mutually trusted party’, in computing logarithms over GF(p) and its cryptographic signifi-
‘Advances in Cryptology’. Proceedings of Auscrypt ‘92, December cance’, IEEE Truns., 1978, IT-24,106-110
1992 18 RIVEST, R.L., SHAMIR, A., and ADELMAN, L.: ‘A method for
IO HWANG, T.: ‘Cryptosystem for group oriented cryptography’, in obtaining digital signatures and public-key cryptosystem’, Commun.
‘Advances in Cryptology’. Proceedings of Eurocrypt ’90, April 1990, o f A C M , 1978, 21, (2). pp. 120-126
pp. 352-360 19 SHAMIR, A.: ‘How to share a secret’, Comm. A C M , 1979, 22, pp.
1 1 INGEMARSSON, I., and SIMMONS, G.L.: ‘A protocol to set up 6 12-6 13
shared secret schemes without the assistance of a mutually trusted 20 ‘The digital signature standard‘, Comm. A C M , 1992, 35, (7), pp.
party’, in ‘Advances in Cryptology’. Proceedings of Eurocrypt ’90, 36-40
May 21-24, 1990, pp. 266-282
IEE Proc.-Comput. Digit. Tech., Vol. 141, No. 5,September 1994 313