1 A Threshold Digital Signature Issuing Scheme without ... - CiteSeerX

A Threshold Digital Signature Issuing Scheme without Secret Communication

Kazuo Takaragi, Kunihiko Miyazaki, Masashi Takahashi
Systems Development Laboratory, Hitachi, Ltd.
e-mail: {takara, kunihiko, takahasi}@sdl.hitachi.co.jp

Abstract

This paper describes an efficient (k, n) threshold digital signature scheme. In the scheme, k out of n signers cooperate to issue a signature without using a trusted center. No secret communication is required among the signers across the network. As the base scheme, Pedersen's verifiable secret sharing (VSS) is applied to generate shared secret keys in such a way that no secret communication is required in the subsequent signature issuing phase. Then a Nyberg-Rueppel or ElGamal type digital signature scheme is employed which uses only a linear combination of two shared secrets when applied to the (k, n) threshold scenario. A (k, n) threshold scheme that does not use encryption is meaningful in an environment where strongly enciphered messages cannot be sent across the network. The proposed (k, n) threshold digital signature scheme is proved to be as secure as the Nyberg-Rueppel or ElGamal type digital signature against chosen message attacks. We also discuss that the proposed VSS is applicable to encryption, and present an application to (k, n) threshold sign-encryption.

1. INTRODUCTION

With the progress in the use of computers and communication, more and more paperwork is being replaced with electronic equivalents in our daily life and business activities, such as e-mail, electronic commerce, electronic money, etc. In many of these areas, digital signatures are essential. This paper proposes secure and reliable digital signature schemes for a fault-prone environment of hardware such as the memory and CPU in a cryptographic device. Because of the comparative fragility of electronic devices, the data on a device is easily broken, lost or altered. For example, it is worth celebrating when the data on a floppy disk persists without error for more than ten years. On the other hand, data on traditional paper usually persists without error for a long time period, e.g. a hundred years. The reliability of data on an electronic device is far worse than that of paper. Furthermore, secret data hidden in a hardware device is not always secure. Examples are unauthorized use of a stolen smart card by a malicious user, exposure of secret data by reverse engineering, and guessing of secret data by fault cryptanalysis [Bon97]. The problem is that we must rely on such undependable electronic devices in real business using digital signatures. In order to deal with that problem, it seems that a kind of single-failure criterion should be adopted. That is, a single failure of hardware shall neither cause the loss of the private key for the authorized user nor cause the exposure of the private key to an unauthorized user.

This paper presents an efficient (k, n) threshold digital signature scheme. An efficient (k, n) threshold ElGamal type public key cryptosystem was shown by Desmedt and Frankel [DF89] such that (1) k out of n members must cooperate to decrypt a ciphertext, and (2) any k−1 dishonest members cannot decrypt any ciphertext. This system requires a trusted center. Hwang [Hwa90] and then Pedersen [Per91-2] showed that the trusted center can be eliminated. In the system of Hwang [Hwa90], however, the size of the group public key is much larger than that of Desmedt and Frankel [DF89] because each member publishes his own public key. In the system of Pedersen [Per91-2], the public key is as small as that of Desmedt and Frankel [DF89]. Pedersen's system makes use of a noninteractive verifiable secret sharing scheme [Fel87]. Desmedt and Frankel [DF91] showed a (k, n) threshold RSA type digital signature scheme such that (1) k out of n members must cooperate to issue a signature, and (2) any k−1 dishonest members cannot forge a signature. This scheme requires a trusted center. Park and Kurosawa [PK96] showed a (k, n) threshold ElGamal type digital signature scheme which requires no trusted center. The ElGamal type digital signatures applicable to this scheme are those composed of only a linear combination of the shared secrets. This scheme, however, requires enciphered communication between the signers when they communicate across a network. In this paper, we show an efficient (k, n) threshold ElGamal type digital signature with no trusted center and no enciphered communication. The applicable ElGamal type digital signatures are those composed of only a linear combination of the shared secrets. The message-recovering Nyberg-Rueppel digital signature is included in our scheme.

2. PREPARATION

Throughout this paper, p and q are large primes, E is an elliptic curve, and the base point P is a point on the elliptic curve E which has order q. It is assumed that p, q, E and P are publicly known. Let Z_q be the finite field with q elements. We use the following basic tools to share the secret in our proposed scheme.

2.1 Shamir Secret Sharing

In this section, we describe the Shamir secret sharing technique [Sha79]. A (k, n) threshold secret sharing scheme is a protocol between n+1 players in which the dealer distributes partial information about a secret to n participants such that (1) any group of fewer than k participants cannot obtain any information about the secret, and (2) any group of at least k participants can compute the secret in polynomial time. Assume the dealer has a secret d ∈ Z_q. This secret can be distributed to P_1, ..., P_n as follows.

Step 1. The dealer chooses a random polynomial f = f_0 + f_1 x + ... + f_{k−1} x^{k−1} over Z_q of degree k−1 satisfying f(0) = d (i.e. let f_0 = d and f_1, ..., f_{k−1} be random numbers in Z_q). Then the dealer computes t_i = f(i).
Step 2. Send t_i secretly to P_i.

Any k persons P_{i_1}, ..., P_{i_k} can find the secret d by the Lagrange formula:
$$f(x) = \sum_{l=1}^{k} \Big(\prod_{h \neq l} \frac{x - i_h}{i_l - i_h}\Big) f(i_l) = \sum_{l=1}^{k} \Big(\prod_{h \neq l} \frac{x - i_h}{i_l - i_h}\Big) t_{i_l}.$$
Thus
$$d = \sum_{j=1}^{k} a_j\, t_{i_j},$$
where a_1, ..., a_k are given by
$$a_j = \prod_{h \neq j} \frac{i_h}{i_h - i_j}.$$
On the other hand, any group of fewer than k persons cannot find the secret d, because for any d' ∈ Z_q there exists a polynomial f'(x) over Z_q of degree k−1 such that f'(i_j) = t_{i_j} (1 ≤ j ≤ k−1) and f'(0) = d'.
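As an added worked example (not code from the paper), the following Python implements the Shamir sharing described above over Z_q: the shares t_i = f(i), the Lagrange formula for f(x), the coefficients a_j at x = 0, and the last observation, that k−1 shares are consistent with any d'. The prime q and the sample secret are constructed values, since the paper fixes neither.

```python
import random

# q is a constructed sample prime (2^127 - 1); the paper leaves q unspecified.
Q = 2**127 - 1


def share(d, k, n, rng=None):
    """Step 1: f = f_0 + f_1 x + ... + f_{k-1} x^{k-1} with f_0 = d; t_i = f(i), i = 1..n."""
    rng = rng or random
    f = [d % Q] + [rng.randrange(Q) for _ in range(k - 1)]
    return {i: sum(c * pow(i, e, Q) for e, c in enumerate(f)) % Q for i in range(1, n + 1)}


def lagrange_eval(points, x):
    """f(x) = sum_l (prod_{h != l} (x - x_h) / (x_l - x_h)) y_l over Z_q (Lagrange formula)."""
    total = 0
    for xl, yl in points.items():
        term = yl
        for xh in points:
            if xh != xl:
                term = term * (x - xh) * pow((xl - xh) % Q, -1, Q) % Q
        total = (total + term) % Q
    return total


def coeff(j, idx):
    """a_j = prod_{h != j} i_h / (i_h - i_j)  (mod q): Lagrange weight of share i_j at x = 0."""
    a = 1
    for ih in idx:
        if ih != j:
            a = a * ih * pow((ih - j) % Q, -1, Q) % Q
    return a


def recover(shares):
    """d = sum_j a_j t_{i_j} from any k shares given as {i_j: t_{i_j}}."""
    idx = list(shares)
    return sum(coeff(j, idx) * shares[j] for j in idx) % Q


def consistent_share(partial, d_prime, target):
    """The share that index `target` would hold if the secret were d' and the k - 1
    shares in `partial` were unchanged: f' is the unique polynomial of degree k - 1
    through (0, d') and those points, so fewer than k shares say nothing about d."""
    pts = dict(partial)
    pts[0] = d_prime % Q
    return lagrange_eval(pts, target)


def demo(k=3, n=5, seed=1):
    """Share a sample secret, recover it from k shares, then show k - 1 shares also fit d' = 42."""
    t = share(123456789, k, n, random.Random(seed))
    recovered = recover({1: t[1], 3: t[3], 5: t[5]})
    fake_t5 = consistent_share({2: t[2], 4: t[4]}, 42, 5)   # P_2 and P_4 pretend d' = 42
    return recovered, recover({2: t[2], 4: t[4], 5: fake_t5})
```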

2.2 Pedersen's Verifiable Secret Sharing (VSS)

Pedersen presented a noninteractive verifiable secret sharing (VSS) scheme [Per91-1]. "Verifiable" means that each participant can verify his own share. Assume the dealer has a secret d ∈ Z_q and is committed to d through a public key Q = dP. This secret can be distributed to P_1, ..., P_n as follows.

PROTOCOL DISTRIBUTE (at the dealer)
Step 1. Compute shares t_i using the Shamir secret sharing scheme described above in the field Z_q, by choosing a polynomial f = f_0 + f_1 x + ... + f_{k−1} x^{k−1} over Z_q of degree k−1 satisfying f(0) = d and then computing t_i = f(i).
Step 2. Send t_i secretly to P_i and broadcast f_i P (i = 1, ..., k−1) to all n participants.
Thus the dealer broadcasts k−1 points on the elliptic curve E and sends n elements of Z_q secretly.

PROTOCOL VERIFY SHARE (at P_i)
Step 1. Verify that
$$t_i P = \sum_{j=0}^{k-1} i^j (f_j P)$$
as a point on the elliptic curve E.
Step 2. If this is false, broadcast t_i and reject the dealer.
Step 3. For each other t_l claimed at Step 2, verify that
$$t_l P = \sum_{j=0}^{k-1} l^j (f_j P)$$
as a point on the elliptic curve E.
Step 4. If the dealer is not rejected, accept t_i.

Fewer than k participants who have followed PROTOCOL VERIFY SHARE and accepted do not get any information about d. This is shown by Proposition 2.1 below.

Proposition 2.1 Any g (1 ≤ g ≤ k−1) participants having shares t_{i_j} (j = 1, ..., g) can find f'_i P (i = 0, ..., k−1) such that f' = f'_0 + f'_1 x + ... + f'_{k−1} x^{k−1} is a random polynomial of degree at most k−1 satisfying f'(0) = d and f'(i_j) = t_{i_j}, j = 1, ..., g.

Proof (See [Per91-1].)

This proposition shows that any such group of participants can simulate the dealer no matter what shares they get. This means that fewer than k participants do not get any information about d.

2.3 Verifiable Secret Sharing (VSS) without a trusted center

Pedersen's verifiable secret sharing (VSS) described above needs a trusted center as the dealer, because the dealer knows the secret. Pedersen also presented a VSS without a trusted center [Per91-2]. In this protocol, each participant plays the role of the dealer in the above VSS.

PROTOCOL RANDOM NUMBER (at P_i)
Step 1. Each P_i chooses d_i at random and broadcasts d_i P to all other participants.
Step 2. Each P_i distributes d_i using PROTOCOL DISTRIBUTE. That is, P_i chooses a random polynomial f_i(x) = f_{i,0} + f_{i,1} x + ... + f_{i,k−1} x^{k−1} over Z_q of degree k−1 such that f_i(0) = d_i, then sends f_i(j) secretly to P_j (for all j ≠ i) and broadcasts f_{i,j} P (j = 1, ..., k−1) to all n participants.
Step 3. Each P_i executes PROTOCOL VERIFY SHARE.
Step 4. If no P_i is rejected at Step 3, go to Step 5. Otherwise, stop.
Step 5. Each P_i computes

$$t_i = \sum_{j=1}^{n} f_j(i)$$
and keeps it secret.
Step 6. Every P_i computes
$$Q = \sum_{i=1}^{n} d_i P, \qquad Q_i = t_i P$$
and broadcasts those values.

Using PROTOCOL RANDOM NUMBER, the secret Σ_{i=1}^{n} d_i can be distributed to P_1, ..., P_n. But the secret Σ_{i=1}^{n} d_i does not appear explicitly in this protocol.

3. DIGITAL SIGNATURE

In this section, we show two digital signature schemes. One is the Nyberg-Rueppel signature scheme and the other is a variant of the ElGamal signature scheme. Our proposed (k, n) threshold technique, shown later, is valid for such signature schemes.

3.1 Nyberg-Rueppel signature

Let h be a one-way hash function whose range is {1, ..., q−1}.
Secret key: d ∈ Z_q
Public key: Q (= dP)
Message: m
Signature: (r, s) such that
$$(x, y) = kP, \qquad r = x - h(m) \pmod q, \qquad s = dr + k \pmod q,$$
where k (≠ 0) ∈ Z_q is a random number.
Verification: (r, s) is a valid signature for m if and only if x' = r + h(m) (mod q), where (x', y') = sP − rQ.

3.2 A variant of ElGamal signature

Let h be a one-way hash function whose range is {1, ..., q−1}.
Secret key: d ∈ Z_q
Public key: Q (= dP)
Message: m
Signature: (r, s) such that
$$(x, y) = kP, \qquad r = x \pmod q, \qquad s = dr + k\,h(m) \pmod q,$$
where k (≠ 0) ∈ Z_q is a random number.
Verification: (r, s) is a valid signature for m if and only if x' = r (mod q), where (x', y') = s h(m)^{−1} P − r h(m)^{−1} Q.

4. PROPOSED THRESHOLD DIGITAL SIGNATURE

In this section, we show our proposed (k, n) threshold digital signature scheme over the Nyberg-Rueppel signature scheme of subsection 3.1.

4.1 Proposed scheme

The proposed scheme consists of two protocols, a key generation protocol and a signature issuing protocol. We use Pedersen's VSS technique of subsection 2.3 only in the key generation protocol and do not use it in the signature issuing protocol. Let P_1, ..., P_n be the set of signers. The public key and the signature obtained from the following scheme are the same as those of subsection 3.1. In our scheme,
(1) The key generation protocol requires all n signers to cooperate to generate a public key Q of the group and the secret information t_i of each P_i.
(2) In the signature issuing protocol, a subset B of signers can issue a signature (r, s) if B contains k honest signers.
(3) Any k−1 dishonest signers cannot forge a signature even after polynomially many signatures have been issued.

KEY GENERATION PROTOCOL
Step 1. Each of P_1, ..., P_n executes PROTOCOL RANDOM NUMBER. Let the secret output of P_i be t_i and the public outputs be Q (= dP) and Q_i (= t_i P) (1 ≤ i ≤ n). t_i is the secret information kept by P_i, and Q is the public key for the group P_1, ..., P_n.

SIGNATURE ISSUING PROTOCOL
Step 1. Choose k signers P_{i_1}, ..., P_{i_k}, let S be {i_1, ..., i_k}, and let B be the set of signers {P_j | j ∈ S}.
Step 2. Each signer P_i (i ∈ S) computes e_{i,S} = a_{i,S} t_i, where
$$a_{i,S} = \prod_{h \in S,\, h \neq i} \frac{h}{h - i}.$$
Step 3. Each signer P_i (i ∈ S) generates a random number k_i (1 ≤ k_i ≤ q−1).
Step 4. Each signer P_i (i ∈ S) computes R_i = k_i P and broadcasts it to all members of B.

Step 5. Each signer P_i (i ∈ S) computes
$$(x, y) = \sum_{j \in S} R_j.$$
Step 6. Each signer P_i (i ∈ S) computes
$$r = x - h(m) \pmod q, \qquad s_i = e_{i,S}\, r + k_i \pmod q$$
and broadcasts s_i to all members of B.
Step 7. Each signer P_i (i ∈ S) verifies R_j = s_j P − r Q_j for all j (≠ i) ∈ S. If this is false, reject P_j and stop.
Step 8. Each signer P_i (i ∈ S) computes
$$s = \sum_{j \in S} s_j,$$
then outputs (r, s) as the digital signature of the group.

Proposition 4.1 The signature (r, s) issued by the above protocol satisfies
$$r = x - h(m) \pmod q, \qquad s = dr + K \pmod q,$$
where x is the x-coordinate of the point KP, d is the secret for the group P_1, ..., P_n (i.e. Q = dP) and K = Σ_{i∈S} k_i.

Proof The equation for r is obvious from Step 6 of SIGNATURE ISSUING PROTOCOL. (Note that all signers P_i (i ∈ S) compute the same value x in Step 5.) On the other hand, s satisfies
$$\begin{aligned}
s &= \sum_{j \in S} s_j && \text{(by Step 8)} \\
  &= \sum_{j \in S} \big(e_{j,S}\, r + k_j\big) && \text{(by Step 6)} \\
  &= \Big(\sum_{j \in S} e_{j,S}\Big) r + K \\
  &= \Big(\sum_{j \in S} \prod_{h \in S,\, h \neq j} \frac{h}{h - j}\, t_j\Big) r + K && \text{(by Step 2)} \\
  &= dr + K && \text{(by the Lagrange formula).}
\end{aligned}$$
And by Step 5, x is the x-coordinate of the point KP.

This proposition shows that verification for our proposed scheme is the same as that of subsection 3.1. It is easy to show that a (k, n) threshold signature scheme over an ElGamal type digital signature can be obtained in a similar way.

4.2 Advantage

Advantage of the (k, n) signature itself
Generally, secret data hidden in a hardware device is not always secure. First, the device may break. Second, a malicious user may misuse it when it is stolen. Furthermore, secret data may be exposed by reverse engineering or guessed by fault cryptanalysis [Bon97]. The basic countermeasure for such accidents would be a kind of multiple-failure criterion applied to the set of devices belonging to a user. That is, when a certain number of the devices are broken, it shall not cause the substantial loss of the private key. Furthermore, when a certain number of the devices are stolen, it shall not cause the substantial exposure of the private key. A (k, n) scheme itself has an advantage for realizing such a countermeasure.

Advantage of the proposed method
In our proposed scheme, a secure communication path is required only at key generation. This means the set of signers uses a secure communication path only once, at key generation. Such a secure communication path can easily be realized by some means. In the Park-Kurosawa scheme, a secure communication path is required every time the set of signers issues a signature. That is, our scheme has an advantage in an environment where strongly enciphered messages cannot be sent across the network at the time a signature is issued.

Efficiency

We estimate the communication complexity of our proposed (k, n) threshold scheme precisely as follows. In the key generation protocol, each signer first broadcasts 2k|p| bits (here the coefficient "2" means "both x- and y-coordinates of the point on the elliptic curve E", so we can reduce it to k|p| + k bits), then sends (n−1)|q| bits secretly and finally broadcasts 4|p| bits (we can reduce it to 2|p| + 2 bits). In the signature issuing protocol, each signer first broadcasts 2|p| bits (we can reduce it to |p| + 1 bits), then broadcasts |q| bits and finally broadcasts 2|q| bits. In this protocol, we do not need secret communication across the network when issuing a signature. Thus, our scheme has an advantage over the Park-Kurosawa scheme (see Table 1).

                 KEY GENERATION                      SIGNATURE ISSUING
                 broadcast        send secretly      broadcast              send secretly
PK scheme        2k|p| + 4|p|     (n−1)|q|           2k|p| + 2|q|           (k−1)|q|
Our scheme       2k|p| + 4|p|     (n−1)|q|           2|p| + |q| + 2|q|      0

Table 1. Comparison of the communication complexity

Note: (1) In the above table, both the PK scheme and our proposed scheme are applied to the elliptic curve logarithm problem. (2) We estimate the communication complexity of our proposed scheme using the Nyberg-Rueppel signature scheme, but if the variant of the ElGamal scheme shown in subsection 3.2 is used, the communication complexity is the same. (3) In the original PK paper [PK96], subsection 4.2, they do not estimate the size of the public output which is broadcast at the end of the key generation protocol. In the above table, we count it in.
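As an added example, not code from the paper, the following Python runs PROTOCOL RANDOM NUMBER (subsection 2.3) as the key generation protocol and then the signature issuing protocol of subsection 4.1 among k signers, and checks the result with the Nyberg-Rueppel verification of subsection 3.1, on a constructed toy curve (y² = x³ + 2x + 2 over F_17, base point (5, 1) of prime order 19). It assumes SHA-256 reduced into {1, ..., q−1} as h, retries when K ≡ 0 (a guard the paper does not state), and writes the Step 7 check with the public value e_{j,S}P = a_{j,S} Q_j, item (b) of the view in Lemma 5.4.

```python
import hashlib
import random
from functools import reduce

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17, base point P = (5, 1) of
# prime order q = 19; a textbook example only, not a secure parameter set.
P_MOD, A, Q, BASE = 17, 2, 19, (5, 1)


def ec_add(P1, P2):
    """Affine point addition on E; None is the point at infinity."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (k taken mod q)."""
    acc = None
    for bit in bin(k % Q)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc


def ec_sum(points):
    return reduce(ec_add, points, None)


def h(m):
    """One-way hash with range {1, ..., q-1}, as required in section 3."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (Q - 1) + 1


def a_coeff(i, S):
    """a_{i,S} = prod_{h in S, h != i} h / (h - i)  (mod q), Step 2 of 4.1."""
    return reduce(lambda acc, hh: acc * hh * pow((hh - i) % Q, -1, Q) % Q,
                  [hh for hh in S if hh != i], 1)


def protocol_random_number(n, k, rng=None):
    """Each P_i deals a random d_i (PROTOCOL DISTRIBUTE), every P_j checks f_i(j)P
    against the broadcast f_{i,*}P (PROTOCOL VERIFY SHARE); returns (Q, {Q_j}, {t_j})."""
    rng = rng or random
    polys = {i: [rng.randrange(1, Q)] + [rng.randrange(Q) for _ in range(k - 1)]
             for i in range(1, n + 1)}                                   # f_i
    commits = {i: [ec_mul(c, BASE) for c in f] for i, f in polys.items()}
    shares = {i: {j: sum(c * pow(j, e, Q) for e, c in enumerate(f)) % Q
                  for j in polys} for i, f in polys.items()}             # f_i(j)
    for i in polys:
        for j in polys:
            expect = ec_sum(ec_mul(pow(j, e, Q), c) for e, c in enumerate(commits[i]))
            if ec_mul(shares[i][j], BASE) != expect:
                raise ValueError(f"P{j} rejects dealer P{i}")
    t = {j: sum(shares[i][j] for i in polys) % Q for j in polys}       # Step 5
    Qpub = ec_sum(commits[i][0] for i in polys)                          # sum d_i P
    return Qpub, {j: ec_mul(t[j], BASE) for j in t}, t


def threshold_sign(S, t, Qi, hm, rng=None):
    """Steps 2-8 of SIGNATURE ISSUING PROTOCOL for the signers in S; only R_i and
    s_i are broadcast, no secret channel is used."""
    rng = rng or random
    e = {i: a_coeff(i, S) * t[i] % Q for i in S}                          # e_{i,S}
    xy = None
    while xy is None:       # constructed guard: retry if K = 0, i.e. no x-coordinate
        kk = {i: rng.randrange(1, Q) for i in S}
        R = {i: ec_mul(kk[i], BASE) for i in S}                           # Step 4
        xy = ec_sum(R.values())                                           # Step 5
    r = (xy[0] - hm) % Q
    si = {i: (e[i] * r + kk[i]) % Q for i in S}                           # Step 6
    for j in S:             # Step 7, using the public value e_{j,S}P = a_{j,S} Q_j
        ejP = ec_mul(a_coeff(j, S), Qi[j])
        if ec_add(ec_mul(si[j], BASE), ec_mul(-r, ejP)) != R[j]:
            raise ValueError(f"P{j} broadcast an inconsistent s_j")
    return r, sum(si.values()) % Q                                        # Step 8


def nr_verify(Qpub, hm, r, s):
    """Subsection 3.1: valid iff x' = r + h(m) (mod q) where (x', y') = sP - rQ."""
    pt = ec_add(ec_mul(s, BASE), ec_mul(-r, Qpub))
    return pt is not None and pt[0] % Q == (r + hm) % Q


def demo(n=5, k=3, S=(1, 3, 5), m=b"constructed sample message", seed=7):
    rng = random.Random(seed)
    Qpub, Qi, t = protocol_random_number(n, k, rng)
    r, s = threshold_sign(list(S), t, Qi, h(m), rng)
    return Qpub, (r, s), nr_verify(Qpub, h(m), r, s)
```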

5. SECURITY

In this section, we discuss the security of the proposed (k, n) threshold digital signature scheme.

5.1 Correctness and Detectability

The correctness of the signature is easily verified by the verification described in subsection 3.1. Cheaters who cheat at Step 1 of KEY GENERATION PROTOCOL are detected by PROTOCOL VERIFY SHARE, which is included in PROTOCOL RANDOM NUMBER. Cheaters who cheat at Step 6 of SIGNATURE ISSUING PROTOCOL are detected by Step 7.

5.2 View

The view of P_i in a protocol is everything that P_i sees in executing the protocol. Suppose that an adversary corrupts P_{i_1}, ..., P_{i_g}. Then the view of the adversary is {the view of P_{i_1}} ∪ ... ∪ {the view of P_{i_g}}.

Definition 5.1 Suppose that a set of players B executes PROTOCOL RANDOM NUMBER on input (E, p, q, P) and the main output is Q. Let Â be an adversary which corrupts up to k−1 players. Denote the view of Â for this protocol by view(Â, E, p, q, P, Q). Let VIEW(Â, E, p, q, P, Q) denote the random variable induced by view(Â, E, p, q, P, Q).

Lemma 5.2 For any probabilistic polynomial time adversary Â, there exists a probabilistic polynomial time Turing machine M such that the probability distribution of M(E, p, q, P, Q) is identical to VIEW(Â, E, p, q, P, Q).

Proof (See [PK96], Lemma 5.1.)

Definition 5.3 Suppose that a set of k players B executes SIGNATURE ISSUING PROTOCOL on input (E, p, q, P, h(m)) and the output of KEY GENERATION PROTOCOL, and that the output is (r, s). Let Â be an adversary which corrupts up to k−1 players. Denote the view of Â for this protocol by view_sig(Â, Q, h(m), r, s). Let VIEW_sig(Â, Q, h(m), r, s) denote the random variable induced by view_sig(Â, Q, h(m), r, s).

Lemma 5.4 For any probabilistic polynomial time adversary Â, there exists a probabilistic polynomial time Turing machine M_sig such that the probability distribution of M_sig(Q, h(m), r, s) is identical to VIEW_sig(Â, Q, h(m), r, s).

Proof For simplicity, suppose that B = {P_1, ..., P_k} and Â corrupts P_1, ..., P_g (1 ≤ g ≤ k−1). Then view_sig(Â, Q, h(m), r, s) is as follows.
(a) e_{i,S} (1 ≤ i ≤ g).
(b) e_{i,S} P (1 ≤ i ≤ k).
(c) k_i (1 ≤ i ≤ g).
(d) R_i (1 ≤ i ≤ k).
(e) (x, y).
(f) s_i (1 ≤ i ≤ k).
(g) The contents of the random tape of Â.
Now we show M_sig.
(1) M_sig computes (a) from the corrupted P_i's secrets t_i by the Lagrange formula.
(2) M_sig computes (c) as Â does.
(3) From (a) and (c), M_sig obtains s_i (1 ≤ i ≤ g). M_sig chooses s_i (g+1 ≤ i ≤ k−1) randomly. Then M_sig computes s_k = s − Σ_{i=1}^{k−1} s_i. M_sig obtains (f).
(4) From (a), M_sig obtains e_{i,S} P (1 ≤ i ≤ g). M_sig chooses e_{i,S} P (g+1 ≤ i ≤ k−1) randomly from the group generated by the base point P on the elliptic curve E. Then M_sig computes e_{k,S} P = dP − Σ_{i=1}^{k−1} e_{i,S} P. M_sig obtains (b).
(5) M_sig computes s_j P − r Q_j from (b) and (f). Then M_sig obtains (d).
(6) From (d), M_sig obtains (e).
(7) M_sig knows the contents of the random tape of Â because in (2) M_sig behaves in the same way as Â does.
Therefore, M_sig can compute view_sig(Â, Q, h(m), r, s) with the same probability as VIEW_sig(Â, Q, h(m), r, s).

5.3 Unforgeability

Let D1 denote the digital signature scheme of subsection 3.1 and D2 denote the proposed (k, n) threshold digital signature scheme of subsection 4.1. In this section, we show that D2 is as secure as D1 against chosen message attack. In a chosen message attack against a digital signature scheme, an adversary A1 is allowed to use a signer as an oracle. He tries to forge a signature after getting signatures from the signer on messages of his own choice. If there is no probabilistic polynomial time algorithm A1 that can forge a signature in this way, we say that the signature scheme is secure against chosen message attack. For a (k, n) threshold digital signature scheme, we assume k−1 or fewer signers deviating from the protocol in an arbitrary way. This is formalized by means of a probabilistic polynomial time adversary A2 which corrupts up to k−1 signers. We define a chosen message attack against our (k, n) threshold digital signature as follows. An adversary A2 is allowed to have the signature issuing protocol executed by any k signers on messages of his own choice. A2 tries to forge a signature from the signatures he obtained in this way and his view, where the view is everything that A2 sees in executing the key generation protocol and the signature issuing protocol.

Definition 5.5 Let A1 be a probabilistic polynomial time Turing machine which can use a signer of D1 as an oracle. We denote by A1(E, p, q, P, Q) the random variable that takes the value (m_1, m_2, ..., (m̂, r̂, ŝ)) with the same probability that A1 on input (E, p, q, P, Q) queries (m_1, m_2, ...) to the signer and finally outputs (m̂, r̂, ŝ), where the probability is taken over the coin tosses of A1 and the signer.

Definition 5.6 Let A2 be a probabilistic polynomial time Turing machine which can corrupt up to k−1 signers of D2. A2 can have the signature issuing protocol executed by any k signers. We denote by A2(E, p, q, P | Q) the random variable that takes the value (m_1, m_2, ..., (m̂, r̂, ŝ)) with the same probability that A2 on input (E, p, q, P) queries (m_1, m_2, ...) to the signature issuing protocol and finally outputs (m̂, r̂, ŝ) under the condition that the key generation protocol output Q, where the probability is taken over the coin tosses of A2 and the signers.

Theorem 5.7 For any adversary A1 against D1, there exists an adversary A2 against D2 such that
$$\Pr[A_2(E, p, q, P \mid Q) = (m_1, m_2, \ldots, (\hat m, \hat r, \hat s))] = \Pr[A_1(E, p, q, P, Q) = (m_1, m_2, \ldots, (\hat m, \hat r, \hat s))]$$
for any public key (E, p, q, P, Q) and any (m_1, m_2, ..., (m̂, r̂, ŝ)).

Proof Suppose that the key generation protocol of D2 outputs Q. A2 provides A1 with (E, p, q, P, Q) and the content of the random tape of A1. Then A2 runs A1. If A1 requests a signature for a message m_i, A2 obtains the signature (r_i, s_i) for m_i from P_1, ..., P_k. Then A2 feeds (r_i, s_i) to A1. Thus A1 can carry out his chosen message attack. A2 outputs (m̂, r̂, ŝ) if and only if A1 outputs (m̂, r̂, ŝ). Now it is clear that the equation holds.

Theorem 5.8 For any adversary A2 against D2, there exists an adversary A1 against D1 such that
$$\Pr[A_1(E, p, q, P, Q) = (m_1, m_2, \ldots, (\hat m, \hat r, \hat s))] = \Pr[A_2(E, p, q, P \mid Q) = (m_1, m_2, \ldots, (\hat m, \hat r, \hat s))]$$
for any public key (E, p, q, P, Q) and any (m_1, m_2, ..., (m̂, r̂, ŝ)).

Proof A1 provides A2 with (E, p, q, P, Q) and the content of the random tape of A2. Using M of Lemma 5.2, A1 generates view(A2, E, p, q, P, Q) of the key generation protocol and feeds it to A2. Next, A1 runs A2. If A2 requests a signature for a message m_i, A1 obtains the signature (r_i, s_i) for m_i from the oracle and feeds (r_i, s_i) to A2. Then, using M_sig of Lemma 5.4, A2 can obtain the whole view and carry out his chosen message attack. A1 outputs (m̂, r̂, ŝ) if and only if A2 outputs (m̂, r̂, ŝ). Now it is clear that the equation holds.

6. APPLICATION

In this section, we show some applications of the proposed scheme: a (k, n) threshold signature scheme with encryption and a (k, n) threshold decryption scheme.

6.1 Sign-encryption

We use the sign-encryption (for an ordinary single signature) below. With this sign-encryption, we can reduce the size of the encrypted message together with the signature. Let d_s and Q_s (= d_s P) be the key pair of the signer, and d_v and Q_v (= d_v P) the key pair of the verifier.

SIGNATURE ISSUING WITH ENCRYPTION
Step 1. Generate a random number k (1 ≤ k ≤ q−1).
Step 2. Compute (x, y) = kP and (x_e, y_e) = kQ_v.
Step 3. Compute
$$r = x - h(m) \pmod q, \qquad s = d_s r + k.$$
Step 4. Encrypt the message m with a common key cipher using x_e as the key.
Step 5. Send (r, s) with the encrypted message m' to the verifier.

SIGNATURE VERIFICATION WITH DECRYPTION
Step 1. Compute (x', y') = sP − rQ_s.
Step 2. Compute (x_d, y_d) = d_v (x', y').
Step 3. Decrypt the encrypted message m' with the common key cipher using x_d as the key.
Step 4. For the recovered message m'', verify x' = r + h(m'') (mod q). If it is false, output "invalid". Otherwise, output "valid".

6.2 (k, n) signature issuing and decryption with sign-encryption

In this subsection, we show the proposed (k, n) signature scheme with the sign-encryption described above, and (k, n) decryption at the verifier.

KEY GENERATION PROTOCOL FOR SIGNER
Step 1. P_1, ..., P_n execute PROTOCOL RANDOM NUMBER. Let the secret output of P_i be s_i and the public outputs be Q (= dP) and Q_i (= s_i P) (1 ≤ i ≤ n). Q is the public key for the group P_1, ..., P_n.

KEY GENERATION PROTOCOL FOR VERIFIER
Step 1. P'_1, ..., P'_n execute PROTOCOL RANDOM NUMBER. Let the secret output of P'_i be s'_i and the public outputs be Q' (= d'P) and Q'_i (= s'_i P) (1 ≤ i ≤ n). Q' is the public key for the group P'_1, ..., P'_n.

SIGNATURE ISSUING WITH ENCRYPTION PROTOCOL
Step 1. Choose k signers P_{i_1}, ..., P_{i_k}, let S be {i_1, ..., i_k} and let the subset B of signers be {P_j | j ∈ S}.
Step 2. Each signer P_i (i ∈ S) computes e_{i,S} = a_{i,S} s_i, where
$$a_{i,S} = \prod_{h \in S,\, h \neq i} \frac{h}{h - i}.$$

Step 3. Each signer P_i (i ∈ S) generates a random number k_i (1 ≤ k_i ≤ q−1).
Step 4. Each signer P_i (i ∈ S) computes R_i = k_i P and T_i = k_i Q' and broadcasts them.
Step 5. Each signer P_i (i ∈ S) computes
$$(x, y) = \sum_{j \in S} R_j.$$
Step 6. Each signer P_i (i ∈ S) computes
$$r = x - h(m) \pmod q, \qquad s_i = e_{i,S}\, r + k_i \pmod q$$
and broadcasts these.
Step 7. Each signer P_i (i ∈ S) verifies R_j = s_j P − r Q_j for all j (≠ i) ∈ S. If this is false, reject P_j and stop.
Step 8. Each signer P_i (i ∈ S) computes
$$s = \sum_{j \in S} s_j, \qquad (x', y') = \sum_{j \in S} T_j,$$
then encrypts the message with a common key cipher using x' as the key and broadcasts the encrypted message m' with (r, s) as the digital signature.

SIGNATURE VERIFICATION WITH DECRYPTION PROTOCOL
Step 1. Choose k verifiers P'_{i_1}, ..., P'_{i_k}, let S' be {i_1, ..., i_k} and let the subset B' of verifiers be {P'_j | j ∈ S'}.
Step 2. Each verifier P'_i (i ∈ S') computes e'_{i,S'} = a_{i,S'} s'_i, where
$$a_{i,S'} = \prod_{h \in S',\, h \neq i} \frac{h}{h - i}.$$
Step 3. Each verifier P'_i (i ∈ S') computes (x', y') = sP − rQ.
Step 4. Each verifier P'_i (i ∈ S') computes and broadcasts R_i = e'_{i,S'} (x', y').
Step 5. Each verifier P'_i (i ∈ S') computes and broadcasts
$$(x_d, y_d) = \sum_{i \in S'} R_i.$$
Step 6. Decrypt the encrypted message m' with the common key cipher using x_d as the key.
Step 7. For the recovered message m'', verify x' = r + h(m'') (mod q). If it is false, output "invalid". Otherwise, output "valid".

7. PATENT INFORMATION

Hitachi has a patent application relating to the proposed scheme.

8. CONCLUSION

We have shown an efficient (k, n) threshold digital signature scheme with no trusted center. It is more efficient than the PK scheme [PK96], i.e. the signature issuing protocol has lower communication complexity and needs no secure communication path. And it is as secure as the Nyberg-Rueppel signature scheme or the variant ElGamal signature scheme against chosen message attack.

REFERENCES

[Bon97] D. Boneh, R. A. DeMillo and R. J. Lipton, "On the Importance of Checking Cryptographic Protocols for Faults", In Proc. of Eurocrypt'97, May 1997.
[DF89] Y. Desmedt and Y. Frankel, "Threshold Cryptosystem", In Proc. of Crypto'89, Lecture Notes in Computer Science, LNCS 435, Springer Verlag, pp. 307-315, 1990.
[DF91] Y. Desmedt and Y. Frankel, "Shared Generation of Authenticators and Signatures", In Proc. of Crypto'91, Lecture Notes in Computer Science, LNCS 576, Springer Verlag, pp. 457-469, 1991.
[Fel87] P. Feldman, "A Practical Scheme for Non-Interactive Verifiable Secret Sharing", In Proc. of the 28th IEEE Symposium on Foundations of Computer Science, pp. 427-437, 1987.
[Hwa90] T. Hwang, "Cryptosystem for group oriented cryptography", In Proc. of Eurocrypt'90, Lecture Notes in Computer Science, LNCS 473, Springer Verlag, pp. 352-360, 1991.
[Per91-1] T. P. Pedersen, "Distributed Provers with Applications to Undeniable Signatures", In Proc. of Eurocrypt'91, Lecture Notes in Computer Science, LNCS 547, Springer Verlag, pp. 221-238, 1991.
[Per91-2] T. P. Pedersen, "A Threshold Cryptosystem without a Trusted Party", In Proc. of Eurocrypt'91, Lecture Notes in Computer Science, LNCS 547, Springer Verlag, pp. 522-526, 1991.
[PK96] C. Park and K. Kurosawa, "New ElGamal Type Threshold Digital Signature Scheme", IEICE Trans. Fundamentals, E79-A(1):86-93, January 1996.
[Sha79] A. Shamir, "How to Share a Secret", Communications of the ACM, vol. 22, no. 11, pp. 612-613, 1979.