
A GROUP OF THRESHOLD GROUP-SIGNATURE SCHEMES WITH PRIVILEGE SUBSETS *

In the document IN ENGINEERING AND COMPUTER SCIENCE (Page 98-106)

Chen Weidong

Key Lab. of Inform. Security, Graduate School, Chinese Academy of Science, Beijing 100039 Institute of Electronics, Chinese Academy of Sciences, Beijing 100080, China

Feng Dengguo

Key Lab. of Inform. Security, Inst. of Software, Chinese Academy of Sciences, Beijing, China fdg@ls.iscas.ac.cn

Abstract: Reference [9] proposed a threshold group-signature scheme in order to solve the problem called "threshold group-signature scheme with privilege subsets" suggested by Feng Dengguo. We first show that there are some insufficiencies and potential hazards in the scheme mentioned above. Secondly, using the idea of constructing group-signature schemes from individual signature schemes, we put forward a group of such schemes with four variants of ElGamal type, having many attractive properties such as shorter signature length, message recovery, authentication and so on. Finally, the security of our schemes is proved in the standard model.

Keywords: threshold group-signature scheme; secret sharing scheme; ElGamal cryptosystem; message recovery; provable security

* Supported by the National Grand Fundamental Research 973 Program of China under Grant No. G1999035802 and the National Natural Science Foundation of China under Grant No. 60253027.

1. Introduction

The central task of cryptography is to ensure privacy and authentication, and signature is one of the most important mechanisms providing authentication.

The common signature schemes, such as RSA [1] and ElGamal [2], are realized by one signer using his private key and are called "individual signatures". However, in many applications the responsibility of signing is required to be shared, so it is natural to introduce the concept of threshold group-signature: verifying the validity of a signature needs the group public key, and anonymity is also required. In 1991, Desmedt and Frankel first proposed a threshold group-signature scheme based on RSA [3]; after that many similar schemes were put forward, such as [4, 5, 6, 7].

One potential problem of the schemes mentioned above is that the responsibility of each member is the same, but practical cases are not always like this. In 2000, Feng Dengguo suggested the problem of threshold group-signature with privilege subsets [8]: group G, made up of n members, has m disjoint subsets, each consisting of a number of members. Only when at least a threshold number of members in each subset accept, and the total number of participants from G is at least t, can the group signature be generated. In addition, anonymity, and tracing of the respective signers in authorized cases, are required too.

[8] gives a threshold group-signature scheme satisfying the need above, and so far no other similar schemes have been proposed. Of course, some threshold key management protocols borrow the idea mentioned above, but most are not secure.

We first show that the scheme proposed by [8] has many disadvantages.

Furthermore, it has some potential security hazards. Using the idea of constructing group signature schemes from individual signature schemes [4], we put forward a group of schemes of ElGamal type having many attractive properties, such as shorter signature length, no need for the assistance of a trusted party, simpler realization, authentication (i.e., SC may verify the pieces submitted by the respective members) and so on. Of the four variants, two have the property of message recovery, i.e., the message can be recovered from the respective signature, which benefits applications greatly, for example through economical use of bandwidth. We also give the security proof of our schemes.

2. Analysis on threshold scheme [8]

[8] proposed a threshold group-signature scheme with privilege subsets based on the DLP (Discrete Logarithm Problem), called the –threshold scheme.

The basic frame of the scheme is as follows.

1) Initialization. IDC (trusted identity distribution center) and every member generate identities together, and the former also produces the needed parameters. After 12 mutual steps, user i (i = 1, 2, ..., n) gets and DC (Digital Signature Combination Center) gains the polynomial

2) Signing. Each member and DC carry out a mutual subprotocol of 12 steps. Then DC determines the validity of the identity of each member using the respective polynomial. Satisfying the need of the "privilege threshold", DC broadcasts the group signature parameter, where, i.e., is the discriminant of the identities of the signers. Finally, DC collects all individual signatures and produces the group signature, where

Obviously, suggests the identities of the participants of G.

3) Verifying: omitted.

The analysis is as follows. Firstly, the protocols involved are very complicated, and in particular the signature is long. In fact, the length of the signature is not smaller than, where are both secure primes and is the number of privilege subsets.

Furthermore, the scheme above has a potential security hazard. [8] states that, to meet the need for anonymity, the identities of members are kept secret, i.e., it should be very difficult to factorize the polynomial. But in fact there are efficient algorithms [11], such as Berlekamp's, for factoring polynomials over finite fields, even when the characteristic of the field is large.

3. –threshold group-signature

3.1 Basic idea

For the sake of simplicity, we assume group G has only one privilege subset. Our construction adopts the idea of [4]: based on mature individual signature schemes, for instance schemes of ElGamal type, construct a threshold group-signature scheme using a Secret Sharing Scheme (SSS, such as Shamir's scheme [12]). Compared with [4], we unite the "privilege threshold conditions" with the SSS, i.e., adopting the "double secret sharing (double SSS)" idea, a scheme with four variants based on the DLP is constructed. Similarly, it need not require the assistance of KAC.

3.2 Initiation

The agencies involved are as follows.

KAC: trusted key authentication center, responsible for issuing keys.

SC: signature clerk.

G: the group, consisting of n members.

Privilege subset.

KAC operates as follows.

1) Selects two "secure" primes q, where

2) Selects two polynomials randomly and secretly, whose orders are and respectively.

3) Chooses as a primitive element of the finite field.

The parameter set, including and, is public.

3.3 Generation of group key and secret pieces

We adopt Shamir's secret sharing scheme [11], called SSS. The group secret key is produced by KAC, i.e., mod q, and the group public key is

Distribution of secret pieces: being a common member, i gains his piece; otherwise, i.e., being a privilege member, i obtains pieces, where are the SSS public computable parameters [11] used to recover the group secret key and is the respective one introduced in section 3.2. KAC publishes all of them.

3.4 Generation of threshold group-signature

We may as well assume there are exactly t members taking part, named. Suppose is the message to be signed.

1) Generation and verification of individual signature. For any, firstly selects secretly, and then computes, broadcasting to all members, so each member can compute

A common member continues to compute mod q, and a privilege member computes mod q, where is some hash function. Finally, is sent to SC.

SC can verify the validity of the piece. In fact, for any member i, the verification equation of SC is given as follows. If the equation holds true, the piece has been verified.

2) Combination of signature. If SC accepts all the individual signatures, it computes mod q and outputs as the group signature.

3.5 Verification and Traceability

The verification equation is given as follows. Obviously, if satisfies the privilege threshold condition, we have the following results according to SSS [12].

In view of this, the verification equation mentioned above holds true.

Otherwise, i.e., when those conditions are not satisfied, it is impossible to recover the group secret key on the assumption that the DLP is difficult to solve. Whenever any accredited agency wants to investigate the identities of all members referring to their individual signatures, the tracing procedure with the assistance of SC is obvious.

3.6 Threshold group-signature scheme with several privilege subsets

The generic threshold group-signature problem is given in section 1. We may as well call such schemes -schemes, where is the number of privilege subsets and is not smaller than 1.

-schemes can easily be extended to -schemes. In fact, we may select polynomials, and the group secret key is mod q, where any common member only obtains some piece and any privilege member can gain knowledge of and one respective one, i.e., details omitted.
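Sections 3.1, 3.3 and 3.6 describe the "double SSS" idea in prose only, and the paper's polynomials and parameters are not reproduced on this page. The following Python is an added illustration, not the paper's code: it assumes the group secret key is the sum of the constant terms of one Shamir polynomial shared among all members (threshold t) and one polynomial per privilege subset shared among that subset's members (its own threshold), which is one natural reading of section 3.6, and it handles the general case of several privilege subsets rather than only one. Member identifiers, thresholds and the toy modulus q = 1019 are constructed for the example.

```python
"""
Added illustration of the "double SSS" idea: Shamir secret sharing with a
whole-group threshold t plus one extra sharing per privilege subset.
This is example code, not the paper's construction; the way the group key is
split and all parameters below are assumptions of this example.
"""
import secrets

Q = 1019  # constructed toy prime modulus; a deployment uses a large prime q


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x over GF(Q) (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def _random_poly(secret, degree):
    """Polynomial with constant term `secret` and random higher coefficients."""
    return [secret % Q] + [secrets.randbelow(Q) for _ in range(degree)]


def lagrange_at_zero(points):
    """Recover p(0) from distinct points [(x_i, p(x_i)), ...] over GF(Q)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % Q
                den = den * (xj - xm) % Q
        total = (total + yj * num * pow(den, -1, Q)) % Q
    return total


def dealer_setup(n, t, subsets):
    """KAC-style dealer (assumed role).

    subsets: list of (frozenset of member ids, threshold); one entry per
    privilege subset, so the m-subset case of section 3.6 is covered.
    Returns (group_secret_key, shares) with shares[i] = {"f": f(i), "h": {j: h_j(i)}},
    where h_j(i) is present only for members of privilege subset j.
    The group key is the sum of all constant terms (assumption of this example).
    """
    f = _random_poly(secrets.randbelow(Q), t - 1)
    hs = [_random_poly(secrets.randbelow(Q), t_j - 1) for _, t_j in subsets]
    key = (f[0] + sum(h[0] for h in hs)) % Q
    shares = {}
    for i in range(1, n + 1):
        shares[i] = {"f": _eval_poly(f, i), "h": {}}
        for j, (members, _) in enumerate(subsets):
            if i in members:
                shares[i]["h"][j] = _eval_poly(hs[j], i)
    return key, shares


def recover(participant_shares, t, subsets):
    """Combine the participants' pieces into the group secret key.

    Returns None when the privilege threshold condition is not met: with fewer
    than t_j points of h_j its constant term is information-theoretically
    undetermined, so there is nothing to combine, not merely something hard.
    """
    f_points = [(i, s["f"]) for i, s in participant_shares.items()]
    if len(f_points) < t:
        return None
    key = lagrange_at_zero(f_points[:t])
    for j, (_, t_j) in enumerate(subsets):
        h_points = [(i, s["h"][j]) for i, s in participant_shares.items() if j in s["h"]]
        if len(h_points) < t_j:
            return None
        key = (key + lagrange_at_zero(h_points[:t_j])) % Q
    return key


def demo():
    """7 members, group threshold 4, privilege subset {1,2,3} needing 2 of them."""
    n, t = 7, 4
    subsets = [(frozenset({1, 2, 3}), 2)]
    key, shares = dealer_setup(n, t, subsets)
    enough = recover({i: shares[i] for i in (1, 2, 5, 6)}, t, subsets)   # 2 privileged
    too_few = recover({i: shares[i] for i in (1, 4, 5, 6)}, t, subsets)  # only 1 privileged
    return key, enough, too_few


if __name__ == "__main__":
    k, ok, bad = demo()
    print("group key recovered:", ok == k, "| privilege condition missed ->", bad)
```

The point to take from the two `recover` calls in `demo` is that the group threshold alone is not enough: four members suffice for the whole-group polynomial, but the privilege subset's polynomial needs two of its own members, and with one its constant term is undetermined rather than merely expensive to compute.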

3.7 Instance without the assistance of KAC

Similarly to [4], our schemes can do without the assistance of KAC. As a matter of fact, we can realize the schemes in such a way that each member becomes his own KAC, i.e., selects his public and secret key pair (ElGamal type) by himself. The group public key is the product of the members' public keys. Every member can distribute their own secret key pieces to privilege members in the "double SSS" way and to members without privilege in the common way. Other details are the same as in the former sections.

4. Threshold group-signature schemes with message recovery

In view of efficiency, signature schemes with message recovery are very attractive. In this section, we give two -threshold group-signature schemes with message recovery. For simplicity, they are illustrated with -threshold schemes all the same.

4.1 Generic threshold schemes of ElGamal type

Based on the discussion above, one may ask whether all individual signatures of ElGamal type can be applied to construct threshold group-signatures in this way. The answer is positive.

Firstly, consider the two individual signature schemes determined by

and

Both of them can be used in the way above, where the derivation of the verification equation is omitted and the concrete construction method is similar to the former sections. In fact, (1) is just the individual scheme used in section 3.

Noteworthily, [9, 12] proposed six variants of individual signature schemes with message recovery of ElGamal type. The following two variants can be used to construct our threshold group signature schemes with privilege subsets:

and

where is a redundancy function which is a reversible permutation (when replacing it with a hash function, the two schemes are the same as common schemes, without message recovery), and the respective verification equations are as follows.
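The formulas of the two message-recovery variants are absent from this page, so the following Python is an added example rather than the paper's schemes: it implements a Nyberg-Rueppel-style individual signature with message recovery (cf. [9]), using a small reversible redundancy function R, and beside it the same skeleton with a hash in place of R, which, as the paragraph above says, becomes an ordinary signature without message recovery. The group parameters p = 2039, q = 1019, g = 4, the 5-bit message space and the redundancy encoding are constructed for this example; sign conventions differ between published variants.

```python
"""
Added example of an ElGamal-type signature WITH message recovery
(Nyberg-Rueppel style, cf. [9]) next to the same construction with a hash in
place of the redundancy function, which loses message recovery.
Not the paper's variants; all parameters are constructed for this example.
"""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 = 2^2 generates the
# subgroup of prime order q. Real deployments use >= 2048-bit p (or a curve).
P, Q, G = 2039, 1019, 4

MSG_BITS = 5  # toy message space: integers 1..31 (assumption of this example)


def keygen():
    """ElGamal-type key pair: secret x in [1, q-1], public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def redundancy(m):
    """Reversible redundancy function R: the 5-bit message followed by its
    bitwise complement, so R(m) is a 10-bit value that is never 0."""
    if not 1 <= m < (1 << MSG_BITS):
        raise ValueError("message out of the toy range 1..31")
    return (m << MSG_BITS) | (m ^ ((1 << MSG_BITS) - 1))


def redundancy_inverse(v):
    """Undo R; return None unless v carries the expected redundancy."""
    if not 0 < v < (1 << (2 * MSG_BITS)):
        return None
    m, check = v >> MSG_BITS, v & ((1 << MSG_BITS) - 1)
    if m < 1 or check != (m ^ ((1 << MSG_BITS) - 1)):
        return None
    return m


def sign_mr(x, m):
    """Message-recovery signature: r = R(m) * g^-k mod p, s = k + x*r mod q."""
    k = secrets.randbelow(Q - 1) + 1
    r = redundancy(m) * pow(G, Q - k, P) % P  # g has order q, so g^-k = g^(q-k)
    s = (k + x * r) % Q
    return r, s


def verify_mr(y, sig):
    """Verify and recover: g^s * y^-r = g^k, hence r * g^s * y^-r = R(m).
    Returns the recovered message, or None if the redundancy check fails."""
    r, s = sig
    if not (1 <= r < P and 0 <= s < Q):
        return None
    v = r * pow(G, s, P) * pow(y, (-r) % Q, P) % P
    return redundancy_inverse(v)


def _challenge(message, r):
    """Hash replacing R: e = H(message || r) mod q (assumed encoding)."""
    digest = hashlib.sha256(message + r.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def sign_hashed(x, message):
    """Same skeleton with a hash instead of R: an ordinary signature."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    s = (k + x * _challenge(message, r)) % Q
    return r, s


def verify_hashed(y, message, sig):
    """The verifier now needs `message` itself: nothing can be recovered."""
    r, s = sig
    if not (1 <= r < P and 0 <= s < Q):
        return False
    e = _challenge(message, r)
    return pow(G, s, P) * pow(y, (-e) % Q, P) % P == r


if __name__ == "__main__":
    x, y = keygen()
    print("recovered message:", verify_mr(y, sign_mr(x, 17)))
    msg = b"constructed message"
    print("hashed variant valid:", verify_hashed(y, msg, sign_hashed(x, msg)))
```

The redundancy check is what turns recovery into verification: a modified signature still yields some value v, but only a value of the form R(m) is accepted. With a 5-bit complement roughly one in 32 random values passes, which is why real message-recovery schemes use much longer redundancy than this toy encoding.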

In section 4.2, taking the first variant above as an example, we propose new -threshold schemes.

4.2 Threshold schemes with message recovery

Initialization and distribution of secret key pieces are similar to section 3. We also assume there are exactly t members taking part, named 1, 2, ..., t. Suppose is the message to be signed. The procedure of signing is given as follows.

1) Generation and verification of individual signature. For any, firstly selects secretly, and then computes, broadcasting to all members. Therefore every member can compute the result.

For a common member i, he or she continues to compute mod q. And for a privilege member i, he or she computes mod q, where is some hash function. Finally, is sent to SC.

For any member i, the verification equation of SC is given as follows. If the equation holds true, the piece has been verified.

2) Combination of signature. If SC accepts all the individual signatures, it computes mod q and outputs as the group signature.

Obviously, the verification equation of the group signature is as follows.

As in section 3, we can also construct the -threshold schemes with message recovery, named MR- -threshold schemes, which do not need the assistance of KAC.

5. Analysis

We take the scheme of section 3, called the –threshold scheme, and the one of section 4, called the MR– –threshold scheme, as examples. Because of restricted space, the proofs are omitted.

Theorem 5.1. If each party involved abides by the rules of the protocol, the verification equations of the two schemes mentioned above, i.e., and, hold true.

By all appearances, only SC may identify the members taking part in signing. So our schemes satisfy anonymity and do not need a special identity authentication algorithm, which differs greatly from [8]. In addition, our schemes have another good property: even a coalition of SC and some set of members which does not satisfy the privilege threshold condition cannot construct a valid signature, because SC itself cannot see the group secret key and the first component of the signature is produced by all members taking part.

Finally, we study whether the two schemes are secure against forgery. We adopt the "provable security" methodology. In other words, lengthy research results have convinced the community of the security against forgery of the two individual signature schemes (1) and (3), as may be seen in [9, 12]. Therefore, we may base our analysis on the assumption that the individual signature schemes (1) and (3) are secure. For the sake of simplicity, we prescribe that the adversary is a probabilistic polynomial time (PPT) algorithm which can corrupt any member of the group.

We firstly prove that an adversary which can corrupt at most members of G sees nothing from the interaction between herself and the honest members.

We mark as the random variable dominated by the individual signature scheme (1) and by the individual signature scheme with message recovery (3). Similarly, we may define random variables according to the group signature scheme of section 3 and the one of section 4 respectively, where we assume the respective group secret key is the same as the secret key of the individual scheme.

Theorem 5.2. If the conditions above are satisfied, then and are indistinguishable, and so are MS and GMS.

Secondly, we consider the interaction between adversary A and dishonest members, i.e., A tries to impersonate honest members. For the sake of simplicity, we assume A has corrupted members out of all participants. Take the –threshold scheme as an example and base our analysis on the assumption that the individual signature scheme is secure, where and is any extra public input.

Theorem 5.3. Under the assumption above and the conditions of theorem 3, the -threshold scheme is secure against forgery.

References

[1] Rivest, R.L., Shamir, A. and Adleman, L., A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Comm. ACM, Vol. 21(2), 1978.

[2] ElGamal, L., A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. IT-31, 1985.

[3] Y. Desmedt and Y. Frankel, Shared generation of authenticators and signatures, CRYPTO'91, Springer-Verlag, 1992.

[4] L. Harn, Group-oriented (t,n)-threshold digital signature scheme based on discrete logarithms, IEE Proc. Computers and Digital Techniques, Vol. 141, No. 5, 1994.

[5] Jinn-Ke Jan, et al., A threshold signature scheme withstanding the conspiracy attack, Computer Communications, Vol. 21, No. 8, 1999.

[6] Wang Gui-lin and Qing Si-han, A Threshold Undeniable Signature Scheme Without a Trusted Party, Journal of Software, Vol. 13, No. 9, 2002.

[7] Kazuo Takaragi, et al., A Threshold Digital Signature Issuing Scheme without Secret Communication, {takara,kunihiko,takihasi}@sdl.Hitachi.co.jp, 1997.

[8] Shi Yi and Feng Dengguo, The design and analysis of a new group of –threshold group-signature scheme, ChinaCrypto'2000.

[9] Kaisa Nyberg, Rainer A. Rueppel, Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem, EUROCRYPT'94, Springer-Verlag, 1994.

[10] Lidl, R. and Niederreiter, H., Introduction to Finite Fields and their Applications, London: Cambridge University Press, 1986.

[11] Shamir, A., How to share a secret, Communications of the ACM, 1979, 22(11).

[12] Giuseppe Ateniese and Breno de Medeiros, Efficient Group Signatures without Trapdoors, {ateniese,breno}cs.jhu.edu, 2003.
