A Group-Oriented Undeniable Signature Scheme for Unlikely Signers ...

Tamkang Journal of Science and Engineering, Vol. 9, No 1, pp. 45-54 (2006)


A Group-Oriented Undeniable Signature Scheme for Unlikely Signers and Verifiers Shin-Jia Hwang* and Hao-Chih Liao Department of Computer Science and Information Engineering, Tamkang University, Tamsui, Taiwan 251, R.O.C.

Abstract Lee and Hwang proposed group-oriented undeniable signature schemes with a trusted center to guard against Langford’s attack. Unfortunately, there are some security weaknesses in Lee-Hwang’s schemes. Their schemes assume that the signers and the verifier perform every step honestly; otherwise their schemes fail. To remove this impractical assumption and the corresponding problems, our improvement is proposed. Key words: Undeniable Signatures, Group-Oriented Signatures, Threshold Signatures, Digital Signatures

1. Introduction A digital signature is the digital analogue of a handwritten signature and provides the authentication and non-repudiation services. Moreover, digital signatures also provide the integrity service. To provide the authentication service, digital signatures must be generated by using some secret information (the private key) known only to the signer. To guarantee message integrity, a digital signature is generated so that it depends on the content of the message. When a dispute arises, an unbiased third party can judge fairly by using the digital signature, without requiring the signer’s private key [1]. However, digital signatures are easily copied exactly, so a digital signature may be maliciously transmitted to someone without the authorization of the signer. To solve this problem, Chaum and van Antwerpen [2] proposed the undeniable signature scheme. Besides providing the authentication, integrity, and non-repudiation services, undeniable signatures can only be verified with the original signer’s cooperation, which removes the malicious transmission problem of digital signatures. Later, Chaum also proposed a zero-knowledge undeniable signature scheme [3] for more useful applications. *Corresponding author. E-mail: [email protected]

For group-oriented applications, some threshold undeniable signature schemes have been proposed. To integrate group-oriented signatures with undeniable signatures, Harn and Yang [4] proposed their (1, n) and (n, n) undeniable signature schemes. In their schemes, the responsibility for signing is shared by an authorized group, and the verification of an undeniable signature needs the help of one member/all members of the original authorized group. However, among Harn and Yang’s schemes, only the (2, n) threshold undeniable signature scheme is secure due to Langford’s cryptanalysis [5]. To guard against Langford’s attack, Lee and Hwang [6] proposed their group-oriented undeniable signature schemes with trusted centers. However, there are some security problems in Lee-Hwang’s schemes. In their schemes, every signer and the verifier must be honest, i.e. must perform the steps exactly. This honesty assumption is so strong that Lee-Hwang’s schemes are not suitable for practical application in the real world, for the simple reason that no one is always honest. Based on this observation, Wang et al. [8] proposed their attacks on Lee-Hwang’s scheme. To remove this strong and impractical assumption, our improvement is proposed. The rest of this article is organized as follows. In Section 2, Lee-Hwang’s schemes are briefly reviewed. In Section 3, our common secret exponent verification protocol is proposed. Based on this common secret exponent verification protocol, an improved group-oriented undeniable signature scheme is proposed in Section 4. The security analysis and discussion of our new scheme are also given in Section 4. Finally, Section 5 is our conclusion.

2. Review of Lee-Hwang’s Group-Oriented Undeniable Signature Schemes Lee-Hwang’s (t, n) threshold undeniable signature scheme is reviewed first. Then their generalized group-oriented undeniable signature schemes are described.

2.1. Lee-Hwang’s Threshold Undeniable Signature Schemes Lee-Hwang’s (t, n) threshold undeniable signature scheme contains four phases: the system setup phase, the signing protocol phase, the confirmation protocol phase, and the denial protocol phase.

(1) System Setup Phase A trusted center (TC for short) determines the system-wide parameters. TC selects two large primes $p$ and $q$ with $p = 2q + 1$. Then TC finds a public element $g$ of order $q$ in $Z_p^*$. TC also publishes a cryptographic hash function $H(\cdot)$, and determines a security parameter $l$ (e.g. $l = 1023$) for the denial protocol. For some group $A = \{U_1, U_2, U_3, \ldots, U_n\}$, TC randomly selects a secret polynomial $f(x) \in Z_q[x]$ of degree $t-1$ such that $S = f(0) \in Z_q^*$ is the group private key of the group $A$. TC publishes the group public key $Y = g^S \bmod p$ for the group $A$. TC also chooses a public value $x_i$ for each user $U_i$ in the group $A$ such that $x_i \neq x_j$ if $i \neq j$. Each user $U_i$ securely obtains his/her own private key $s_i = f(x_i) \bmod q$ from TC.

(2) Signing Protocol Phase A subgroup $B$ with $t$ members in $A$ can generate a threshold undeniable signature on a message $m$. Step 1. Each member $U_i$ in $B$ calculates the hash value $H(m) \bmod p$. If the order of $H(m) \bmod p$ is $p-1$, then he/she adjusts the digest by $H(m) = H(m)^2 \bmod p$. To simplify the description, $H(m)$ denotes the adjusted digest hereafter. Each member $U_i$ in $B$ calculates his/her own partial signature $z_i = H(m)^{s_i L_{B_i}} \bmod p$, where
$$L_{B_i} = \prod_{j \in B,\, j \neq i} \frac{x_j}{x_j - x_i} \bmod q \quad \Big(= \prod_{j \in B,\, j \neq i} \frac{-x_j}{x_i - x_j} \bmod q\Big)$$
is the Lagrange coefficient. Step 2. Each member $U_i$ sends $z_i$ to the designated combiner (DC for short). Step 3. DC computes the signature $Z = \prod_{i \in B} z_i \bmod p$ on the message $m$. So $Z \equiv H(m)^{\sum_{i \in B} s_i L_{B_i} \bmod q} \equiv H(m)^S \pmod p$.

(3) Confirmation Protocol Phase A verifier $V$ and any subgroup $B'$ with $t$ members in the group $A$ cooperatively confirm the signature $Z$ on the message $m$. Step 1. $V$ chooses two random integers $a, b \in Z_q^*$, computes $W = H(m)^a g^b \bmod p$, and sends $W$ to each member in $B'$. Step 2. Each member $U_i$ in $B'$ selects a random integer $k_i \in Z_q^*$, computes $K_i = g^{k_i} \bmod p$, and then broadcasts $K_i$ to DC and the other members in $B'$. Each $U_i$ also computes $R_1 = W \prod_{i \in B'} K_i \bmod p$ $(= W g^{\sum_{i \in B'} k_i} \bmod p)$ and $R_{2,i} = R_1^{s_i L_{B_i}} \bmod p$, and sends $R_{2,i}$ to DC. Step 3. DC computes $R_1 = W \prod_{i \in B'} K_i \bmod p$ $(= W g^{\sum_{i \in B'} k_i} \bmod p)$ and $R_2 = \prod_{i \in B'} R_{2,i} \bmod p$ $(= R_1^S \bmod p)$, and sends $(R_1, R_2)$ to $V$. Step 4. $V$ sends $a$ and $b$ to all members in $B'$. Then each $U_i$ in $B'$ checks $W \equiv H(m)^a g^b \pmod p$. If the equation holds, then they reveal all $k_i$’s to $V$, who computes $k = \sum_{i \in B'} k_i \bmod q$. Step 5. $V$ validates $(m, Z)$ by the equations $R_1 \equiv W g^k \pmod p$ and $R_2 \equiv Z^a Y^{b+k} \pmod p$.

(4) Denial Protocol Phase Any subgroup $B'$ with $t$ members in the group $A$ can convince the verifier $V$ that an alleged signature $Z$ was not generated on the message $m$ by the group $A$. Step 1. $V$ selects two random integers $Q \in [0, l]$ and $c \in Z_q^*$. Then he computes and sends $E_1 = H(m)^Q g^c \bmod p$ and $E_2 = Z^Q Y^c \bmod p$ to each member in $B'$. Step 2. All members in $B'$ cooperatively find the value of $Q$ by trial and error. Because all members in $B'$ know $H(m)$, they cooperatively compute $E_1^{S'}/E_2 \bmod p = (H(m)^{S'}/Z)^Q \bmod p$, where $S' = \sum_{i \in B'} s'_i L_{B_i} \bmod p$ is the group private key and $s'_i$ is the individual private key of a member of $B'$. If $Z = H(m)^{S'} \bmod p$, then $E_1^{S'}/E_2 \bmod p = 1$ cannot be used to find the value of $Q$. Otherwise, they obtain the value of $Q$. Then each member $U_i$ in $B'$ chooses a random integer $d_i$ and sends blob($d_i$, $Q'$) to $V$. The blob function is proposed in [9]. Step 3. $V$ sends $c$ to each member in $B'$. Step 4. Each $U_i$ checks $(E_1, E_2)$ by the two equations $E_1 = H(m)^{Q'} g^c \bmod p$ and $E_2 = Z^{Q'} Y^c \bmod p$. If these equations hold, each $U_i$ reveals $d_i$ to $V$. Step 5. $V$ opens all blob($d_i$, $Q'$) and checks whether $Q = Q'$. If $Q = Q'$, then $V$ is convinced that $(m, Z)$ was not generated by $A$.

It is easy to see that the verifier $V$ and every member of the signer group must honestly execute every step of each protocol. In the signing protocol, if any member in $B$ provides an incorrect partial signature $z_i$, the undeniable signature $Z$ is incorrect. However, no one notices this incorrect signature $Z$, because there is no verification of $Z$ or of the $z_i$ in the signing protocol. In the confirmation protocol, if any member does not reveal his/her correct $k_i$ to the verifier on Step 4, the equations $R_1 \equiv W g^k \pmod p$ and $R_2 \equiv Z^a Y^{b+k} \pmod p$ do not hold even though $Z$ is the correct signature. Therefore, the confirmation protocol does not succeed because of the trouble made by malicious members. In the denial protocol, if one member does not honestly use his/her private key to compute $E_1^{S'}$, then there is a large probability that the secret value $Q$ cannot be found. In other words, the subgroup $B'$ cannot convince the verifier that $Z$ was not generated by the group $A$ even though the signature $Z$ is not their signature.

2.2. Lee-Hwang’s Generalized Group-Oriented Undeniable Signature Scheme Lee-Hwang’s generalized group-oriented undeniable signature scheme is given below. In their generalized scheme, the signature can be generated by any authorized subset $B$ of $A$ consisting of arbitrarily specified members. Their generalized scheme is similar to their threshold scheme, so only the modified parts of the generalized scheme are given in the following. Their generalized scheme also has four phases. In the system setup phase, the system-wide parameters $p$, $q$, and $g$ are generated in the same way. For the group $A$, TC first chooses the group private key $S$ and computes the group public key $Y = g^S \bmod p$. For an authorized subset $B_r$ of the group $A$, TC constructs the secret polynomial $f_r(x)$ of degree $t_r$ by interpolating $(t_r + 1)$ points as follows:
$$f_r(x) = \Big( S \prod_{j \in B_r} \frac{x - x_j}{0 - x_j} + \sum_{i \in B_r} \Big[ s_i \frac{x - 0}{x_i - 0} \prod_{j \in B_r,\, j \neq i} \frac{x - x_j}{x_i - x_j} \Big] \Big) \bmod q,$$
where $t_r = |B_r|$. Obviously, each $f_r(x)$ has the properties $f_r(0) = S$ and $f_r(x_i) \bmod q = s_i$. Then, for each polynomial $f_r(x)$, TC chooses a distinct public value $x_c$ and computes a public shadow $f_r(x_c) \bmod p$ for $B_r$. On Step 1 of the signing protocol, the individual signature of each signer $U_i$ in $B_r$ is generated by the new equation
$$z_i = H(m)^{\big( s_i \cdot \frac{-x_c}{x_i - x_c} \prod_{j \in B_r,\, j \neq i} \frac{-x_j}{x_i - x_j} \big) \bmod q} \bmod p.$$
On Step 3, after receiving all $z_i$’s, DC computes the group undeniable signature in the new way
$$Z = H(m)^{\big( f_r(x_c) \prod_{j \in B_r} \frac{-x_j}{x_c - x_j} \big) \bmod q} \prod_{i \in B_r} z_i \bmod p = H(m)^S \bmod p.$$
In the confirmation protocol, on Step 2, only $R_{2,i}$ is generated by the new equation
$$R_{2,i} = R_1^{\big( s_i \cdot \frac{-x_c}{x_i - x_c} \prod_{j \in B'_r,\, j \neq i} \frac{-x_j}{x_i - x_j} \big) \bmod q} \bmod p.$$
Consequently, on Step 3, all members in $B'_r$ compute $R_2$ by the following new equation:
$$R_2 = R_1^{\big( f_r(x_c) \prod_{j \in B'_r} \frac{-x_j}{x_c - x_j} \big) \bmod q} \prod_{i \in B'_r} R_{2,i} \bmod p = R_1^S \bmod p.$$
In the denial protocol, only the trial-and-error process for finding $Q$ on Step 2 is modified: all members in $B'$ cooperatively find the value of $Q$ from the item $E_1^{S'}/E_2 \bmod p$, where
$$S' = \Big( f_{r'}(x_c) \prod_{j \in B'_r} \frac{-x_j}{x_c - x_j} + \sum_{i \in B'_r} s'_i \cdot \frac{-x_c}{x_i - x_c} \prod_{j \in B'_r,\, j \neq i} \frac{-x_j}{x_i - x_j} \Big) \bmod q$$
is the group private key of the group $A$, $s'_i$ is the individual private key of a member of $B'$, and $f_{r'}(x_c) \bmod p$ is the public shadow for $B'_r$.


3. Our Common Secret Exponent Verification Protocol Our common secret exponent verification protocol (CSEVP for short) is described first. Based on this protocol, our improved (t, n) threshold undeniable signature scheme is proposed to overcome the weakness of Lee-Hwang’s scheme.

3.1. Our Protocol The system parameters of our protocol are defined below. There are two public primes $p$ and $q$ such that $p = 2q + 1$. The parameter $g$ is a public element $g \in Z_p^*$ of order $q$. Let $\langle g \rangle$ denote the subgroup of all elements generated by $g$. In CSEVP, one participant, Alice, plays the role of the prover while another participant, Bob, plays the role of the verifier. Suppose that Bob knows two bases $E$ and $Y$ in advance. After finishing CSEVP, Bob obtains $E^k \bmod p$ and $Y^k \bmod p$, which share the same secret exponent $k$ known only to Alice. Moreover, with the help of Alice’s proof, Bob is convinced that $\log_E(E^k \bmod p) \equiv \log_Y(Y^k \bmod p) \pmod q$. CSEVP(Alice, Bob, $E$, $Y$, $k$, $p$, $E^k \bmod p$, $Y^k \bmod p$) Input: the prover Alice, the verifier Bob, two bases $E$ and $Y$ in $\langle g \rangle$, a secret exponent $k$ ($1 \le k < q$) of Alice, and the prime modulus $p$. Output: Bob obtains $E^k \bmod p$, $Y^k \bmod p$, and a Boolean value telling Bob whether or not $E^k \bmod p$ and $Y^k \bmod p$ share the same secret exponent $k$. Step 1. Alice computes and sends $E^k \bmod p$ and $Y^k \bmod p$ in $\langle g \rangle$ to Bob. Step 2. Bob validates whether $E^k \bmod p$ and $Y^k \bmod p$ belong to $\langle g \rangle$ by checking the equations $1 \equiv (E^k)^q \pmod p$ and $1 \equiv (Y^k)^q \pmod p$. Then Bob randomly selects two secret integers $e_1$ and $e_2$ ($1 \le e_1, e_2 < q$), computes $C = (E^k)^{e_1} (Y^k)^{e_2} \bmod p$, and sends $C$ to Alice. Step 3. Alice computes and sends $D = C^{k^{-1}} \bmod p$ to Bob, where $k^{-1}$ is the inverse of $k$ modulo $q$. Step 4. Bob checks the equation $D \equiv E^{e_1} Y^{e_2} \pmod p$ to decide whether or not $E^k \bmod p$ and $Y^k \bmod p$ share the same secret exponent $k$.
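As an added example (not code from the paper), the following Python program implements CSEVP with both parties’ messages over constructed toy parameters p = 2039, q = 1019, g = 4; it includes the Step 2 membership test for $\langle g \rangle$ and a prover that uses two different exponents, which Bob’s Step 4 check rejects.

```python
import secrets

# Constructed toy parameters (hypothetical, far too small for real use):
# p = 2q + 1 with p and q prime, and g of order q in Z_p^*.
P = 2039
Q = 1019
G = 4          # 2^2 mod p is a quadratic residue, hence of order q


def in_subgroup(w, p=P, q=Q):
    """Step 2 membership test: w lies in <g> iff w^q == 1 (mod p)."""
    return 0 < w < p and pow(w, q, p) == 1


class Prover:
    """Alice: holds the secret exponent k (1 <= k < q)."""

    def __init__(self, k, p=P, q=Q):
        if not 1 <= k < q:
            raise ValueError("k must satisfy 1 <= k < q")
        self.k, self.p, self.q = k, p, q

    def commit(self, E, Y):
        # Step 1: E^k and Y^k, both raised to the same k
        return pow(E, self.k, self.p), pow(Y, self.k, self.p)

    def respond(self, C):
        # Step 3: D = C^(k^-1 mod q)
        return pow(C, pow(self.k, -1, self.q), self.p)


class CheatingProver(Prover):
    """Alice using k for E but a different k2 for Y (the situation of Theorem 3)."""

    def __init__(self, k, k2):
        super().__init__(k)
        self.k2 = k2

    def commit(self, E, Y):
        return pow(E, self.k, self.p), pow(Y, self.k2, self.p)


class Verifier:
    """Bob: knows the bases E and Y, challenges with secret (e1, e2), checks D."""

    def __init__(self, E, Y, p=P, q=Q):
        self.E, self.Y, self.p, self.q = E, Y, p, q
        self.e1 = self.e2 = None

    def challenge(self, Ek, Yk, e1=None, e2=None):
        # Step 2: reject commitments outside <g> (Corollary 1 is why this matters),
        # then C = (E^k)^e1 (Y^k)^e2; e1, e2 may be fixed for reproducible runs.
        if not (in_subgroup(Ek, self.p, self.q) and in_subgroup(Yk, self.p, self.q)):
            raise ValueError("E^k or Y^k is not in <g>")
        self.e1 = e1 if e1 is not None else 1 + secrets.randbelow(self.q - 1)
        self.e2 = e2 if e2 is not None else 1 + secrets.randbelow(self.q - 1)
        return pow(Ek, self.e1, self.p) * pow(Yk, self.e2, self.p) % self.p

    def check(self, D):
        # Step 4: accept iff D == E^e1 Y^e2 (mod p)
        expected = pow(self.E, self.e1, self.p) * pow(self.Y, self.e2, self.p) % self.p
        return D == expected


def run_csevp(prover, E, Y, e1=None, e2=None):
    """Drive one protocol run; returns (accepted, E^k, Y^k) as seen by Bob."""
    bob = Verifier(E, Y)
    Ek, Yk = prover.commit(E, Y)           # Alice -> Bob
    C = bob.challenge(Ek, Yk, e1, e2)      # Bob -> Alice
    D = prover.respond(C)                  # Alice -> Bob
    return bob.check(D), Ek, Yk


if __name__ == "__main__":
    E, Y = pow(G, 7, P), pow(G, 123, P)    # two public bases in <g>
    print(run_csevp(Prover(42), E, Y)[0])                # same exponent: accepted
    print(run_csevp(CheatingProver(42, 43), E, Y)[0])    # different exponents: rejected
```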

3.2. Security and Performance Analysis The goal of our analysis is to show that Bob can confidently obtain $E^k \bmod p$ and $Y^k \bmod p$ sharing the secret exponent $k$ from Alice in our CSEVP. To safeguard our CSEVP, some theorems and corollaries are given first. Then these theorems and corollaries are used in the security analysis of CSEVP.

Theorem 1. The order of an element $w \in \langle g \rangle$ is $q$ if $w \neq 1$.

Proof. First of all, the order of $w$ is at most $q$ since $w \in \langle g \rangle$ and $g^q \bmod p = 1$. The order of $w$ cannot be 1 since $w \neq 1$. Since $w \in \langle g \rangle$, there is an integer $i$ between 1 and $q$ such that $w = g^i \bmod p$. Then $w^q \bmod p = g^{iq} \bmod p = 1^i \bmod p = 1$ because $g^q \bmod p = 1$. By Fact 2.129 in [1], the order of $w$ divides $q$. Since $q$ is prime, the order of $w$ is 1 or $q$. The order of $w$ cannot be 1 since $w \neq 1$. Therefore, the order of $w$ is $q$.

Theorem 2. For any element $w \in \langle g \rangle$, there exists a unique integer $i$ in the range $[1, q]$ such that $w = g^i \bmod p$.

Proof. Suppose that there are two distinct integers $i$ and $j$ in the range $[1, q]$ such that $w = g^i \bmod p = g^j \bmod p$. Without loss of generality, suppose that $i > j$. Because $g^{i-j} \bmod p = 1$ and the order of $g$ is $q$, $i - j \equiv 0 \pmod q$. But $0 < i - j < q$, since $i$ and $j$ are two distinct integers in the range $[1, q]$. This contradiction shows that $i = j$. Therefore, there exists a unique integer $i$ in the range $[1, q]$ such that $w = g^i \bmod p$.

Corollary 1. $Z_p^* - \langle g \rangle$ contains no element of order $q$.

Proof. By Fact 2.173 in [1] and since $q$ is prime, $Z_p^*$ contains $\phi(q) = q - 1$ elements of order $q$. By Theorems 1 and 2, $\langle g \rangle - \{1\}$ also contains $q - 1$ elements of order $q$. Then there is no element of order $q$ in $Z_p^* - \langle g \rangle$.

Corollary 2. If $g^i \bmod p = g^j \bmod p$, then $i \equiv j \pmod q$.

Proof. By Theorem 2 and $g^{i-j} \bmod p = 1$, $q \mid (i - j)$. Therefore, $i \equiv j \pmod q$.

Theorem 3. In CSEVP, given two distinct integers $k_1$ and $k_2$ between 1 and $q - 1$, Alice is able to cheat Bob into accepting that $E^{k_1} \bmod p$ and $Y^{k_2} \bmod p$ share the same secret exponent with probability $1/q$.

Proof. On Step 2, Bob uses the equations $(E^k)^q \bmod p$ and $(Y^k)^q \bmod p$ to find the order of $E^k \bmod p$ and $Y^k \bmod p$, so the order of $E^k \bmod p$ and $Y^k \bmod p$ should be $q$ by Theorem 1. On Step 3, the order of $D$ should be $q$; otherwise $D \not\equiv E^{e_1} Y^{e_2} \pmod p$ by Corollary 1. Let $Y = g^y \bmod p$, $E = g^e \bmod p$, $C = g^c \bmod p$, and $D = g^d \bmod p$, where $y, e, c, d \in Z_q^*$. Consider the following two congruences: $C = E^{k_1 e_1} Y^{k_2 e_2} \bmod p$ and $D = E^{e_1} Y^{e_2} \bmod p$. From these equations, the following congruences should be satisfied: $c = e k_1 e_1 + y k_2 e_2 \bmod q$ and $d = e e_1 + y e_2 \bmod q$. Since $k_1$ and $k_2$ are distinct integers between 1 and $q$, $k_1 \not\equiv k_2 \pmod q$. Suppose that Alice knows $\lambda$ with $y = \lambda e \bmod q$. The congruences can be rewritten as $e^{-1} c = k_1 e_1 + \lambda k_2 e_2 \bmod q$ and $e^{-1} d = e_1 + \lambda e_2 \bmod q$. By multiplying both sides of the first equation by the inverse of $k_1$ modulo $q$, the following equations are obtained: $k_1^{-1} e^{-1} c = e_1 + \lambda k_1^{-1} k_2 e_2 \bmod q$ and $e^{-1} d = e_1 + \lambda e_2 \bmod q$. If $k_1^{-1} k_2 \bmod q = 1$ and $k_1^{-1} c \equiv d \pmod q$, there are infinitely many solutions for $(e_1, e_2)$. So $k_2$ would be the inverse of $k_1^{-1}$ modulo $q$. However, $k_1$ is also the inverse of $k_1^{-1}$ modulo $q$. Since $Z_q^*$ is a multiplicative group, by Theorem 4.10 in [10] the multiplicative inverse is unique, so $k_2 \equiv k_1 \pmod q$, contradicting the distinctness of $k_1$ and $k_2$. Then there is only one solution for the equations $k_1^{-1} e^{-1} c = e_1 + \lambda k_1^{-1} k_2 e_2 \bmod q$ and $e^{-1} d = e_1 + \lambda e_2 \bmod q$. The only chance for Alice is to guess the value of $D$ or of $(e_1, e_2)$. There are $q$ possible distinct values of $D$ by Theorem 2, so the probability of a successful guess is $1/q$.

Consider the computation cost of our CSEVP. Hereafter, ME denotes one modular exponentiation and MM denotes one modular multiplication. In our CSEVP, the computation cost of the prover is 1 ME while the computation cost of the verifier is 4 MEs; the computation of $E^k \bmod p$ and $Y^k \bmod p$ is not counted, for these items can be precomputed. Michels and Stadler [7] proposed a protocol to prove the equality or inequality of two discrete logarithms at the same time. Compared with Michels and Stadler’s protocol, our CSEVP is only used to prove the equality of two discrete logarithms. Fortunately, in our improved scheme only the equality proof of two discrete logarithms is necessary, so our CSEVP is more suitable for our improvement. Moreover, our CSEVP is more efficient than Michels and Stadler’s protocol. In Michels and Stadler’s protocol, the computation cost of the prover is 6 MEs while the computation cost of the verifier is 8 MEs. So our CSEVP provides the equality proof of two discrete logarithms in an efficient way.

4. Improved Threshold Undeniable Signature Scheme 4.1. Our Scheme The improved $(t, n)$ threshold undeniable signature scheme contains four phases: the system setup phase, the signing protocol phase, the confirmation protocol phase, and the denial protocol phase.

(1) System Setup Phase The system-wide parameters determined by TC are the same as the ones in Lee-Hwang’s scheme. For some group $A = \{U_1, U_2, U_3, \ldots, U_n\}$, TC randomly selects a secret polynomial $f(x) \in Z_q[x]$ of degree $t-1$ and takes $S = f(0) \bmod q$ as the group secret key of $A$. TC also chooses a distinct public value $x_i$ for each user $U_i$ in the group $A$ such that $x_i \neq x_j$ if $i \neq j$. Each user $U_i$ securely obtains his/her own private key $s_i = f(x_i) \bmod q$. TC publishes the group public key $Y = g^S \bmod p$ for $A$ and the certified public key $y_i = g^{s_i} \bmod p$ for each member $U_i$, $i = 1, 2, 3, \ldots, n$.

(2) Signing Protocol Phase Any subgroup $B$ with $t$ members in $A$ can generate a threshold undeniable signature on a message $m$. Without loss of generality, assume $B = \{U_1, U_2, U_3, \ldots, U_t\}$. In our scheme, $H(m)$ denotes the adjusted digest of the message $m$. Step 1. Each member $U_i$ in $B$ computes his/her partial signature $z_i = H(m)^{s_i L_{B_i}} \bmod p$. Each member $U_i$ executes CSEVP($U_i$, $U_j$, $H(m)^{L_{B_i}}$, $g$, $s_i$, $p$, $z_i \bmod p$, $y_i \bmod p$) with the user $U_j$ in $B$, for $j = 1, 2, 3, \ldots, t$ and $j \neq i$. Note that both members $U_i$ and $U_j$ compute $H(m)^{L_{B_i}}$ by themselves before executing CSEVP($U_i$, $U_j$, $H(m)^{L_{B_i}}$, $g$, $s_i$, $p$, $z_i \bmod p$, $y_i \bmod p$). Step 2. After checking that $z_i$ and $y_i$ share the same secret exponent $s_i$ for all $i \in B$, each member $U_j$ in $B$ computes the threshold undeniable signature $Z$ on the message $m$ by $Z = \prod_{i \in B} z_i \bmod p$ $(= H(m)^{\sum_{i \in B} s_i L_{B_i} \bmod q} \bmod p = H(m)^S \bmod p)$.

(3) Confirmation Protocol Phase The verifier $V$ needs the help of any subgroup $B'$ with $t$ members in the group $A$ to confirm whether or not the signature $Z$ was generated by the group $A$ on the message $m$. Step 1. $V$ chooses two random integers $a, b \in Z_q^*$, computes $W = H(m)^a g^b \bmod p$, and then broadcasts $W$ to all members in $B'$. Step 2. Each member $U_i$ in $B'$ selects a random integer $k_i \in Z_q^*$, computes $K_i = g^{k_i} \bmod p$ and $y_i^{k_i} \bmod p$, and executes CSEVP($U_i$, $U_j$, $g$, $y_i$, $k_i$, $p$, $K_i \bmod p$, $y_i^{k_i} \bmod p$) with each of the other $t-1$ members in $B'$. Step 3. Each member $U_i$ in $B'$ computes $R_1 = W \prod_{j \in B'} K_j \bmod p$ $(= W g^{\sum_{j \in B'} k_j} \bmod p)$ and $R_{2,i} = R_1^{s_i L_{B_i}} \bmod p$ if all pairs $(K_j, y_j^{k_j} \bmod p)$ pass the validation of CSEVP. Step 4. Each member $U_i$ executes CSEVP($U_i$, $U_j$, $R_1^{L_{B_i}}$, $y_i$, $s_i$, $p$, $R_1^{s_i L_{B_i}} \bmod p$, $y_i^{s_i} \bmod p$) with the other $t-1$ members in $B'$. If all pairs $(R_1^{s_i L_{B_i}} \bmod p, y_i^{s_i} \bmod p)$ pass the validation of CSEVP, then each $U_i$ broadcasts $R_{2,i}$ to the other members in $B'$. Step 5. Each $U_i$ computes $R_2 = W \prod_{i \in B'} R_{2,i} \bmod p$ $(= R_1^S \bmod p)$. Only the first member in $B'$ sends $(R_1, R_2)$ to $V$, to reduce the communication cost. Step 6. $V$ sends $a$ and $b$ to all members in $B'$. Step 7. Each member $U_i$ in $B'$ checks $a$ and $b$ by $W \equiv H(m)^a g^b \pmod p$. If the equation holds, then $U_i$ reveals $k_i$ to $V$, who computes $k = \sum_{i \in B'} k_i \bmod q$. Step 8. $V$ validates $(m, Z)$ by the equations $R_1 \equiv W g^k \pmod p$ and $R_2 \equiv Z^a Y^{b+k} \pmod p$.

(4) Denial Protocol Phase Any subgroup $B'$ with $t$ members in the group $A$ can convince the verifier $V$ that an alleged pair $(m, Z)$ was not generated by the group $B'$. Step 1. $V$ selects two random integers $Q \in [0, l]$ and $c \in Z_q^*$. Then $V$ computes and sends $E_1 = H(m)^Q g^c \bmod p$ and $E_2 = Z^Q Y^c \bmod p$ to each member in $B'$. Step 2. Each $U_i$ in $B'$ selects a random integer $k'_i \in Z_q^*$ and computes $E_1^{k'_i} \bmod p$ and $E_2^{k'_i} \bmod p$. To show that $E_1^{k'_i} \bmod p$ and $E_2^{k'_i} \bmod p$ share the same secret exponent $k'_i$, the member $U_i$ executes CSEVP($U_i$, $U_j$, $E_1$, $y_i$, $k'_i$, $p$, $E_1^{k'_i} \bmod p$, $y_i^{k'_i} \bmod p$) and CSEVP($U_i$, $U_j$, $E_2$, $y_i$, $k'_i$, $p$, $E_2^{k'_i} \bmod p$, $y_i^{k'_i} \bmod p$) with each of the other $t-1$ members $U_j$ in $B'$. Then each member $U_j$ in $B'$ obtains the two pairs $(E_1^{k'_i} \bmod p, y_i^{k'_i} \bmod p)$ and $(E_2^{k'_i} \bmod p, y_i^{k'_i} \bmod p)$ after executing CSEVP twice. With the help of the common item $y_i^{k'_i} \bmod p$, each member $U_j$ in $B'$ is sure that $E_1^{k'_i} \bmod p$ and $E_2^{k'_i} \bmod p$ share the same secret exponent. Step 3. All members in $B'$ cooperatively find the value of $Q$ by trial and error. They first compute $E_1^{\sum_{i \in B'} k'_i} \bmod p$ and $E_2^{\sum_{i \in B'} k'_i} \bmod p$. Following the signing protocol, each member $U_i$ in $B'$ computes the partial value $(E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}} \bmod p$ and executes CSEVP($U_i$, $U_j$, $(E_1^{\sum_{i \in B'} k'_i})^{L_{B_i}}$, $y_i$, $s_i$, $p$, $(E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}} \bmod p$, $y_i^{s_i} \bmod p$). If all pairs $((E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}} \bmod p, y_i^{s_i} \bmod p)$ pass the validation of CSEVP, then, following the signing protocol, they obtain $(E_1^{\sum_{i \in B'} k'_i})^S \bmod p$. By adopting the equation
$$\frac{(E_1^{\sum_{i \in B'} k'_i})^S}{E_2^{\sum_{i \in B'} k'_i}} \equiv \Big( \big( \frac{H(m)^S}{Z} \big)^{\sum_{i \in B'} k'_i} \Big)^{Q'} \pmod p,$$
they can find $Q'$ as $Q$ by trial and error if $Z \neq H(m)^S \bmod p$. Then each $U_i$ chooses a random integer $d_i$ and sends blob($d_i$, $Q'$) to $V$. Step 4. $V$ sends $c$ to each member in $B'$. Step 5. Each $U_i$ checks $E_1 = H(m)^{Q'} g^c \bmod p$. If the equality holds, each $U_i$ reveals $d_i$ to $V$. Step 6. $V$ opens all blob($d_i$, $Q'$) and checks whether $Q = Q'$. If $Q = Q'$, then $V$ believes that $(m, Z)$ was not generated by the group.

4.2. Security Analysis and Discussions Some possible security issues are considered for our improved scheme.

Security of the private keys The security of all private keys in our scheme is based on the discrete logarithm problem (DLP for short) [11]. The release of any private key can damage the security of our scheme. Let us first consider the security of the partial private key $s_i$. Since $y_i = g^{s_i} \bmod p$, it is hard to find $s_i$ directly from $y_i$. In the signing protocol, the partial signature $z_i = H(m)^{s_i L_{B_i}} \bmod p$ contains information about the partial private key $s_i$. In the confirmation protocol, the item $R_{2,i} = R_1^{s_i L_{B_i}} \bmod p$ contains information about the partial private key $s_i$. In the denial protocol, $(E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}} \bmod p$ may release the partial private key $s_i$. Fortunately, deriving $s_i$ from these items is hard because of the following DLPs: $\log_{H(m)^{L_{B_i}}} z_i \equiv s_i \pmod q$, $\log_{R_1^{L_{B_i}}} R_{2,i} \equiv s_i \pmod q$, and $\log_{(E_1^{\sum_{i \in B'} k'_i})^{L_{B_i}}} (E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}} \equiv s_i \pmod q$. Besides these, the partial private key $s_i$ is also used in the CSEVP of the signing protocol. Fortunately, in CSEVP the private key $s_i$ appears only as the secret exponent of $z_i = H(m)^{s_i L_{B_i}} \bmod p$ and $y_i$, so the private key $s_i$ is protected by the DLP there too. Therefore, the partial private key $s_i$ is secure. Let us consider the security of the group private key $S$. An adversary may want to find the group private key $S$ from the group public key $Y$. Since $Y = g^S \bmod p$, it is hard to find $S$ directly from $Y$. In the signing protocol, the group signature $Z = H(m)^S \bmod p$ contains information about the group private key $S$. In the confirmation protocol, the item $R_2 = R_1^S \bmod p$ contains information about the group private key $S$. In the denial protocol, $(E_1^{\sum_{i \in B'} k'_i})^S / E_2^{\sum_{i \in B'} k'_i}$ may release the group private key $S$. Fortunately, deriving $S$ from these items is hard because of the following DLPs: $\log_{H(m)} Z \equiv \log_{R_1} R_2 \equiv \log_{E_1^{\sum_{i \in B'} k'_i}} (E_1^{\sum_{i \in B'} k'_i})^S \equiv S \pmod q$.
Security of the secret random numbers The release of the secret random numbers also influences the security of our scheme. The security of these random numbers is based on the DLP. In the confirmation protocol, each member $U_i$ in $B'$ selects a random integer $k_i \in Z_q^*$ and computes $K_i = g^{k_i} \bmod p$ for the computation of $R_1 = W \prod_{i \in B'} K_i \bmod p$ $(= W g^{\sum_{i \in B'} k_i} \bmod p)$ and $R_2 = R_1^S \bmod p$. The computation of $k_i = \log_g K_i \bmod q$ is almost equivalent to the DLP. In the denial protocol, each $U_i$ in $B'$ selects a random integer $k'_i \in Z_q^*$ and computes $E_1^{k'_i} \bmod p$ and $E_2^{k'_i} \bmod p$ to guard against any forgery attack on the group signature occurring in the denial protocol. Finding the secret random number $k'_i$ from $E_1^{k'_i} \bmod p$ or $E_2^{k'_i} \bmod p$ is equivalent to the DLP. Although both $k_i$ and $k'_i$ are used in CSEVP, the secret random numbers $k_i$ and $k'_i$ are still secure since they only occur in the exponent.

Security and correctness of the signature $Z = H(m)^S \bmod p$ and the partial signature $H(m)^{s_i L_{B_i}}$ on the message $m$ Based on the security and correctness of CSEVP, the partial signature $H(m)^{s_i L_{B_i}}$ is correct and the secret exponent $s_i$ is secure. After executing CSEVP($U_i$, $U_j$, $H(m)^{L_{B_i}}$, $g$, $s_i$, $p$, $z_i \bmod p$, $y_i \bmod p$) between the members $U_i$ and $U_j$, any member $U_j$ confirms that $\log_{H(m)^{L_{B_i}}} z_i = s_i = \log_g y_i$. Because of the certified partial public key $y_i$ and Theorem 3, the partial signature $H(m)^{s_i L_{B_i}}$ can only be correctly generated by the member $U_i$. In other words, the adversary has only probability $1/q$ of forging the partial signature $H(m)^{s_i L_{B_i}}$. Because $q$ is a very large prime, this chance is negligible. All of the partial signatures $H(m)^{s_i L_{B_i}}$ are correct and verified, so the signature $Z = H(m)^S \bmod p$ has to be correct.

Correctness of the confirmation protocol The correctness of the confirmation protocol is based on the correctness of $W = H(m)^a g^b \bmod p$ and of $(R_1, R_2)$. That the correctness of $W$ is guaranteed by the DLP is proved below.

Theorem 4. If, for any incorrect $W'$, a pair $(a, b)$ can be provided on Step 6 that fools the signers in the confirmation protocol, then the discrete logarithm $\log_{H(m)} g$ can be computed efficiently.

Proof. For any incorrect $W'$ provided on Step 1, the pair $(a, b)$ provided on Step 6 should satisfy the requirement $W' = H(m)^a g^b \bmod p$ to fool the signers. Suppose that $W' = H(m)^{a'} g^{b'} \bmod p$ and $(a', b') \neq (a, b)$ over $Z_q^* \times Z_q^*$. Then the congruence $H(m)^a g^b \equiv H(m)^{a'} g^{b'} \pmod p$ is obtained, and hence also $H(m)^{a - a'} \equiv g^{b' - b} \pmod p$. Let $d = \gcd(b' - b, q)$. It must be the case that $d \in \{1, q\}$.

Hence, there are two possible cases for $d$, which are considered in turn. First, suppose that $d = 1$. Then let $y = (b' - b)^{-1} \bmod q$. We have $g \equiv g^{(b' - b) y} \equiv H(m)^{(a - a') y} \pmod p$, so the discrete logarithm $\log_{H(m)} g$ can be computed as $\log_{H(m)} g = (a - a')(b' - b)^{-1} \bmod q$. Next, suppose that $d = q$. This happens only if $b \equiv b' \pmod q$. But then we have $H(m)^a g^b \equiv H(m)^{a'} g^{b'} \pmod p$, so $H(m)^a \equiv H(m)^{a'} \pmod p$, and $a \equiv a' \pmod q$. Thus the contradiction $(a, b) = (a', b')$ over $Z_q^* \times Z_q^*$ occurs, so this case is impossible. After considering all possible values of $d$, the following conclusion is obtained: if the verifier can efficiently provide an incorrect $W$ on Step 1 and $(a, b)$ on Step 6, then it is feasible to compute the discrete logarithm $\log_{H(m)} g$ in $Z_p$. Before obtaining the secret random integers $k_i$, the verifier $V$ must show the $t$ members the exponents $a$ and $b$. By Theorem 4, the verifier is forced to generate $W$ correctly; otherwise, he/she has to solve the DLP. The correctness of $(R_1, R_2)$ is based on the correctness of CSEVP. Based on the security and correctness of CSEVP, the commitment value $R_1$ and the partial commitment values $R_{2,i}$ are secure and correct. After executing CSEVP($U_i$, $U_j$, $g$, $y_i$, $k_i$, $p$, $K_i \bmod p$, $y_i^{k_i} \bmod p$) between $U_i$ and $U_j$, any member $U_j$ confirms that $\log_g K_i = k_i = \log_{y_i} y_i^{k_i}$. Because of the certified partial public key $y_i$ and Theorem 3, the member $U_i$ shows that he/she actually knows the secret exponent $k_i$ of $K_i$. The adversary has only the negligible chance $1/q$ of cheating $U_j$ by generating $K_i$ in any illegal way. Since all of the $K_i$ are correct and verified, the relationship $R_1 = W \prod_{i \in B'} K_i \bmod p$ $(= W g^{\sum_{j \in B'} k_j} \bmod p)$ has to be correct. Similarly, after executing CSEVP($U_i$, $U_j$, $R_1^{L_{B_i}}$, $y_i$, $s_i$, $p$, $R_{2,i} \bmod p$, $y_i^{s_i} \bmod p$) between the members $U_i$ and $U_j$, any member $U_j$ confirms that $\log_{R_1^{L_{B_i}}} R_{2,i} = s_i = \log_g y_i$. According to the certified partial public key $y_i$ and Theorem 3, $R_1^{s_i L_{B_i}}$ can only be correctly generated by the member $U_i$. In other words, the adversary has only the negligible chance $1/q$ of forging $R_{2,i}$. Since all of the $R_{2,i}$ are verified to be correct, the commitment value $R_2 = W \prod_{i \in B'} R_{2,i} \bmod p$ $(= R_1^S \bmod p)$ is also correct. Therefore, the verifier obtains the correct pair $(R_1, R_2)$ to validate $(m, Z)$.

Correctness of the denial protocol In the denial protocol, the verifier $V$ has to generate $E_1$ and $E_2$ correctly; otherwise he/she has to solve the DLP to provide the value of $c$ on Step 4. $E_1$ and $E_2$ should be correctly generated: for any incorrect $E'_1 = H(m)^{Q'} g^{c'} \bmod p$, the probability that $Q' \in [0, l]$ is $l/q$ by Theorem 2. Since $q \gg l$, this probability is negligible. By a similar argument, for any incorrect $E'_2 = Z^{Q'} Y^{c'} \bmod p$, the probability that $Q' \in [0, l]$ is negligible. Based on the security and correctness of CSEVP, the commitment values $E_1^{k'_i}$ and $E_2^{k'_i}$ are secure and correct. Similarly, the partial value $(E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}}$ is secure and correct. After executing CSEVP($U_i$, $U_j$, $E_1$, $y_i$, $k'_i$, $p$, $E_1^{k'_i} \bmod p$, $y_i^{k'_i} \bmod p$) and CSEVP($U_i$, $U_j$, $E_2$, $y_i$, $k'_i$, $p$, $E_2^{k'_i} \bmod p$, $y_i^{k'_i} \bmod p$) between the members $U_i$ and $U_j$, any member $U_j$ confirms that $\log_{E_1} E_1^{k'_i} = \log_{E_2} E_2^{k'_i} = k'_i = \log_{y_i} y_i^{k'_i}$. Because of the certified partial public key $y_i$ and Theorem 3, the member $U_i$ shows that he/she knows the common secret exponent $k'_i$ used to generate $E_1^{k'_i}$ and $E_2^{k'_i}$. All of the $E_1^{k'_i}$ and $E_2^{k'_i}$ are correct, so $E_1^{\sum_{i \in B'} k'_i}$ and $E_2^{\sum_{i \in B'} k'_i}$ are correct consequently. After executing CSEVP($U_i$, $U_j$, $(E_1^{\sum_{i \in B'} k'_i})^{L_{B_i}}$, $y_i$, $s_i$, $p$, $(E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}}$, $y_i^{s_i} \bmod p$) between $U_i$ and $U_j$, any member $U_j$ confirms that $\log_{(E_1^{\sum_{i \in B'} k'_i})^{L_{B_i}}} (E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}} = s_i = \log_g y_i$. Because of the correctness of CSEVP and the certified partial public key $y_i$, $(E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}}$ is correctly generated by the member $U_i$. Since all $(E_1^{\sum_{i \in B'} k'_i})^{s_i L_{B_i}}$ are validated, the commitment value $(E_1^{\sum_{i \in B'} k'_i})^S \bmod p$ is correct. By using the correct items $(E_1^{\sum_{i \in B'} k'_i})^S \bmod p$ and $E_2^{\sum_{i \in B'} k'_i} \bmod p$, the $t$ members in $B'$ are able to find the correct value of $Q$ on Step 3. Because the blobs are secure [9], the verifier has to provide the correct value $c$ to open the blobs on Step 6. After opening all blobs, the verifier confirms whether or not the signature $Z$ was generated by the group $A$.

Forgery problem of the signature Z on the message m

The group private key $S$ is used to generate $Z = H(m)^S \bmod p$, $R_2 = R_1^S \bmod p$, and $(E_1^{\sum_{i \in B'} k'_i})^S$ in the signing protocol, the confirmation protocol, and the denial protocol, respectively. So in these protocols the adversary may have a chance to generate some group signature $Z'$ on a disallowed message $m'$. First, in the signing protocol, by the above analysis the partial signature $z_i$ is correct after the CSEVP. The adversary cannot change any partial signature $z_i$ to obtain $Z'$. Moreover, the adversary cannot mislead the generation of the correct group signature $Z$ on the message $m$ to compute the disallowed group signature $Z'$. According to Theorem 4, in the confirmation protocol the adversary cannot replace $W$ with any incorrect $W'$ in order to obtain the group signature $Z'$ on the disallowed message $m'$. On Step 6, the adversary has to tell all the $t$ signers $a$ and $b$. Without the correct $a$ and $b$, the signers do not tell the adversary the secret random numbers $k_i$'s. Since $R_2 = (W' g^k)^S \bmod p$ is randomized by the secret random number $k$, where $k = \sum_{i \in B'} k_i \bmod q$, the adversary cannot retrieve anything from $R_2 = (W' g^k)^S \bmod p$. In the denial protocol, the adversary may replace $E_1$ with $E'_1$ in order to obtain the group signature $Z'$ on the disallowed message $m'$. The random numbers $k'_i$'s are secure and unknown. Due to the randomized item $(E_1^{\sum_{i \in B'} k'_i})^S$, the adversary cannot mine anything from $(E_1^{\sum_{i \in B'} k'_i})^S$ for $Z'$ even if the adversary provides an incorrect $E_1$.

Suppose that a malicious member of the signing group wants to forge, by himself/herself, a signature $Z$ on some disallowed message $m$. There are some possible forgery attacks for him/her: to obtain $Z$ in the signing protocol without the agreement of the other $t-1$ members in $B$; to obtain $Z$ during the computation of $R_2 = R_1^S \bmod p$ in the confirmation protocol; or to obtain $Z$ when all members in $B'$ cooperate to find the value of $Q$ by trial and error.

To obtain $Z$ in the signing protocol, assume that the malicious member $U_1$ in the signing group $B$ computes the invalid individual signature $z_1 = H(m)^{s L_{B_1}}$ without his/her valid secret key $s_1$. Then $U_1$ cheats the other $t-1$ members in $B$ and tries to compute $Z = \prod_{i \in B} z_i \bmod p$ by using his/her valid individual signature. However, our CSEVP detects whether a member in $B$ does not use his/her own private key to compute the individual signature. So the malicious member $U_1$ cannot successfully compute $Z$.
In the confirmation protocol, suppose the malicious member $U_2$ in the signing group $B'$ does not honestly compute the value $K_2$, and instead computes $K_2 = H(m) g^{k_2} \bmod p$. Each member $U_i$ in $B'$ computes $R_1 = W K_2 K_3 \cdots K_t \bmod p = W g^{\sum_{i \in B'} k_i} H(m) \bmod p$ and $R_2 = R_1^S \bmod p = Z^a Y^{(b + \sum_{i \in B'} k_i)} H(m)^S \bmod p$. The malicious member $U_2$ obtains $Z = R_2 / (Z^a Y^{(b+k)}) \bmod p$ during the computation of $R_2 = R_1^S \bmod p$. However, our CSEVP can find out that $H(m) g^{e_1} y_1^{e_2} \bmod p \neq g^{e_1} y_1^{e_2} \bmod p$ if the malicious member $U_2$ in $B'$ does not honestly compute the value $K_2$, and the attack fails.

In the denial protocol, the malicious member $U_2$ in the signing group $B'$ tries to obtain a valid signature $Z$ from
$$\frac{(E_1^{\sum_{i \in B'} k'_i})^{S}}{E_2^{\sum_{i \in B'} k'_i}} \equiv \left( \frac{H(m)^{S \sum_{i \in B'} k'_i}}{Z^{\sum_{i \in B'} k'_i}} \right)^{Q} .$$

However, to obtain $Z$ in $E_2^{\sum_{i \in B'} k'_i} \bmod p$, $U_2$ has to compute $(E_1^{\sum_{i \in B'} k'_i})^{S'} \bmod p$ with $S' = \log_{E_1^{\sum_{i \in B'} k'_i}} E_2^{\sum_{i \in B'} k'_i} \bmod q$. This is equivalent to the DLP. The attack by the malicious member $U_2$ fails.

Let us consider the efficiency of our improvement. Our improved scheme is more complicated than Lee-Hwang's schemes in order to remove the honesty assumption in Lee-Hwang's schemes. Because no one is always honest, every participant must validate whether or not the received data was generated honestly, without releasing the secret exponents. Otherwise, some dishonestly generated data may be utilized by attackers to forge undeniable signatures or to fool verifiers in the confirmation or denial protocols. Therefore, the extra computation and communication cost is necessary to guard against Wang et al.'s and other possible attacks. After removing possible attacks on undeniable signatures, the proposed scheme is more practical than Lee-Hwang's schemes. Reducing the computation and communication cost without degrading the security level is our future research.
5. Conclusions

Lee-Hwang's group-oriented undeniable signature schemes suffer from Wang et al.'s attacks [8] because of their honesty assumption. To remove this impractical assumption, a common secret exponent verification protocol is proposed first. With the help of this protocol, the prover can convince a verifier that two values share the same secret exponent with respect to two distinct random bases of the same cyclic group. So this protocol is our first contribution. Based on this protocol, a new group-oriented undeniable signature scheme without the impractical assumption is proposed. In our new scheme, every participant is forced to perform every step honestly; otherwise his/her malicious behavior will be detected. Therefore, our scheme is more suitable for real applications than Lee-Hwang's scheme. Our group-oriented scheme can be generalized in the same way as the generalization proposed for Lee-Hwang's scheme.


Acknowledgement

This work was supported in part by the National Science Council of the Republic of China under contract NSC922213-E-032-019.

References

[1] Menezes, A. J., van Oorschot, P. C. and Vanstone, S. A., Handbook of Applied Cryptography, NY: CRC (1996).
[2] Chaum, D. and van Antwerpen, H., "Undeniable Signatures," Advances in Cryptology - Crypto '89, LNCS 435, New York: Springer-Verlag, pp. 212-216 (1990).
[3] Chaum, D., "Zero-knowledge Undeniable Signatures," Advances in Cryptology - Eurocrypt '90, LNCS 473, New York: Springer-Verlag, pp. 458-464 (1991).
[4] Harn, L. and Yang, S., "Group-oriented Undeniable Signature Schemes without the Assistance of a Mutually Trusted Party," Pre-proceedings of Auscrypt '92, LNCS 718, New York: Springer-Verlag, pp. 133-142 (1993).
[5] Langford, S. K., "Weakness in Some Threshold Cryptosystems," Advances in Cryptology - Crypto '96, LNCS 1109, New York: Springer-Verlag, pp. 74-82 (1996).
[6] Lee, N. Y. and Hwang, T., "Group Oriented Undeniable Signature Schemes with Trust Center," Computer Communications, Vol. 22, pp. 730-734 (1999).
[7] Michels, M. and Stadler, M., "Efficient Convertible Undeniable Signature Schemes," Proc. 4th Workshop on Selected Areas in Cryptography (SAC '97), Ottawa, Canada, pp. 231-244 (1997).
[8] Wang, G., Zhou, J. and Deng, R. H., "Cryptanalysis of the Lee-Hwang Group-Oriented Undeniable Signature Schemes," Cryptology ePrint Archive (Sep. 2002). [Online]. Available: http://eprint.iacr.org/2002/150/.
[9] Brassard, G., Chaum, D. and Crépeau, C., "Minimum Disclosure Proofs of Knowledge," Journal of Computer and System Sciences, Vol. 37, pp. 156-189 (1988).
[10] Rosen, K. H., Elementary Number Theory and Its Applications, 4th Ed., New York: Addison Wesley Longman (1999).

Manuscript Received: Mar. 28, 2005 Accepted: Jun. 6, 2005