Abstract. In this paper, we propose two group-oriented (t; n) blind threshold signature schemes based on the discrete logarithm problem. By these schemes, any ...
Blind Threshold Signatures Based on Discrete Logarithm Wen-Shenq Juang and Chin-Laung Lei National Taiwan University, Taipei, Taiwan, R.O.C.
Abstract. In this paper, we propose two group-oriented ( ) blind threshold signature schemes based on the discrete logarithm problem. By these schemes, any out of signers in a group can represent the group to sign blind threshold signatures. In our schemes, the size of a threshold signature is the same as the size of an individual signature and the signature veri cation process is simpli ed by means of a group public key. Our proposed schemes do not require the assistance of a mutually trusted authority. In addition each signer can select his own private key and the group public key is determined by all the members. The security of our schemes rely on the di�culty of computing discrete logarithm. t; n
t
n
1 Introduction The concept of blind signature was introduced by Chaum [2]. It allows the realization of secure voting schemes [8, 9, 15] preserving voters' privacy, and secure electronic payment systems [3, 5] protecting customers' anonymity. Such systems have a party called the signer who is responsible for producing digital signatures. The other parties called the requesters would like to obtain blind signatures on the messages they provide to the signer. In a distributed environment, the signed blind messages can be thought as tickets in applications such as secret voting schemes, or as xed amount of electronic money in secure electronic payment systems. A distinguishing property required by a typical blind signature scheme [1, 2] is so-called the "unlinkability", which ensures that requesters can prevent the signer from deriving the exact correspondence between the actual signing process performed by the signer and the signature which later made public. Instead of a single signer, several multisignature schemes [6, 12] have been proposed in a distributed environment, where several signers work together to sign a document. In [16], Shamir proposed the concept of threshold schemes. Since then, many threshold cryptosystems [4, 10, 14] have been proposed. The scheme proposed in [14] allows n participants in a group cooperating to generate a group public key and to distribute a shared secret without the assistance of a mutually trusted authority. Anyone can send a message secretly to the group by encrypting the message using the public key of the group. The group secret key can only be reconstructed by at least t out of the n group members. Although the group secret key can only be used once when the messages are decrypted in threshold cryptosystems, di�erent messages can be signed using a threshold signature scheme without disclosing the group secret key and the corresponding threshold signatures can be veri ed by the group public key.
In many single administrator election schemes [8, 9, 15], every voter requests a blind signature on his intention from the administrator in the registration phase, extracts the real vote from the blind signature and sends the real vote to the administrator through an untraceable email in the voting phase. One of the underlying assumptions of these schemes is that all the registered voters must cast their votes and no voter can abstain from voting. In real life, registered voters may abstain from voting after the registration phase. Since voters only need to communicate with the administrator in these protocols, there is no global computation among voters. But the administrator can impersonate the voters who abstain from voting after the registration phase and add extra votes as he wishes. To cope with this dilemma, instead of a unique administrator, every voter needs to request a blind threshold signature from t administrators. The underlying assumption can be relaxed as follows: at least (n ? t + 1) of the n administrators do not conspire with the others. By the blind threshold signatures, the power of a single administrator is distributed among the n administrators and the registered voters may abstain from voting after the registration phase. In this paper, we propose two e�cient blind threshold signature schemes based on the discrete logarithm problem. The rst scheme, based on the NybergRueppel type blind signature schemes [1], provides the message recovery capability [11], while the second scheme, based on the DSA type blind signature schemes [1], produces signatures with shorter length [7]. The security of our schemes relies on the di�culty of computing discrete logarithm and it is computationally infeasible for signers to derive the exact correspondence between the message they actually sign and all signers' complete views of the execution of the signing process. In our schemes, the size of a threshold signature is the same as the size of an individual signature and the veri cation process of the threshold signature is equivalent to that of each individual signature. Therefore, our proposed schemes are optimal with respect to the threshold signature size and the veri cation process. The paper is organized as follows. In Section 2, we present an e�cient blind threshold signature scheme based on the Nyberg-Rueppel scheme with message recovery and discuss its security and performance. Then we describe an e�cient blind threshold signature scheme based on the DSA type blind signature schemes and examine the security issues and the performance of this scheme in Section 3. Finally, a concluding remark is given in Section 4.
2 Blind threshold signature scheme with message recovery In this section, we propose a blind threshold signature scheme, based on the Nyberg-Rueppel type schemes, with message recovery. One of the main advantages of this scheme is that it can be combined with ElGamal encryption in a natural manner [11]. The reason is that the signed messages which are embedded in the signatures are elements of GF (p): In a typical signing process of a blind threshold signature scheme, there are two kinds of participants, the signers and
a requester. Before a requester can obtain a signature from the signers, all the signers have to cooperate to distribute their secret shadows to other signers in advance. Then the requester can request a blind threshold signature from the signers. The proposed scheme consists of three phases: the shadow distribution phase, the signature generation phase and the signature veri cation phase. The shadow distribution phase is performed only once among the signers and then they can use their secret shadows to sign messages. In the signature generation phase, a requester requests a blind signature from the signers and the signers cooperate to issue a blind threshold signature to the requester. In the signature veri cation phase, anyone can use the group public key to verify if a threshold signature is valid. Let Ui be the identi cation of signer i, n be the number of signers, t be the threshold value of the blind threshold signature scheme, m be the blind message to be signed, p; q be two large strong prime numbers such that q divides (p ? 1); and s be a generator of Zp� (i:e:; gcd(s; p) = 1; s 6= 1). Let g �p s(p?1)=q . In a distributed environment, Ui can choose his secret key di and publish the corresponding public key ei . Anyone can get ei via some authentication service (e.g. the X.509 directory authentication service [17]). Using a secure public key signature scheme, Ui can produce signatures (certi cates) of messages by di : Anyone can verify these signatures by the corresponding ei .
2.1 The shadow distribution phase Before a requester can request a threshold signature from the signers, all signers must cooperate to distribute their shadows to other signers. In the shadow distribution phase, each Ui ; 1 � i � n, carries out the following steps:
P
1. Ui chooses a secret key zi 2 Zq and a secret polynomial fi (x) = tk?=01 ai;k x such that ai;0 = zi , computes Gi;k �p ga and the signatures Cert Gi;k on Gi;k for 0 � k � t ? 1 and sends ((Gi;k ; Cert Gi;k ); 0 � k � t ? 1) to Uj ; 1 � j � n; j 6= i. 2. Upon receiving ((Gj;k ; Cert Gj;k ); 1 � j � n; j 6= i; 0 � k � t ? 1) from all other signers, Ui veri es if all Cert Gj;k are valid. If yes, he sends �i;j �q fi (xj ); where xj is a unique public number for Uj ; and a signature Cert �i;j on �i;j secretly to every Uj ; 1 � j � n; j 6= i. Otherwise, he publishes the invalid signatures and stops. 3. When Ui receives all �j;i ; Cert �j;i , 1 � j � n; j 6= i; from other signers, he veri es if the share �j;i received from Uj is consistent with the certi ed Q t ? 1 � values Gj;l , 0 � l � t ? 1; by checking whether g �p l=0 (Gj;l )x . If it fails, Ui broadcasts that an error has been found, publishes �j;i , Cert �j;i and the identi cation of Uj ; and then stops. Otherwise, Q Ui Qcomputes the signature Cert Yi on the group public key y �p nl=1 yl �p nl=1 Gl;0 and the signature Cert Fj;i on Fj;i �p g� ; 1 � j � n. He then sends (Cert Yi ; (Fj;i ; Cert Fj;i ; 1 � j � n)) to all other signers. 4. Upon receiving all ((Cert Yj ; 1 � j � n; j 6= i); (Fl;j ; Cert Fl;j ; 1 � l � n; 1 � j � n; j 6= i)), Ui veri es if all ((Cert Yj ; 1 � j � n; j 6= i); (Cert Fl;j ; i;k
j;i
j;i
i
l
1 � l � n; 1 � j � n; j 6= i)) are P valid. If yes, the shadow keys corresponding to the group secret key z �q nj=1 zj have been securely P =1 z and correctly Q n and all public distributed. The group public key y �p j=1 yj �p g shadows Fl;j �p g� ; 1 � l; j � n; can then be published by each signer. Otherwise, Ui publishes the invalid signatures and stops. n j
j
l;j
2.2 The signature generation phase Without loss of generality, we assume that the t out of n signers are Ui ; 1 � i � t: When a requester requests a blind threshold signature, he and the t signers perform the following steps during the signature generation phase.
1. Each Ui randomly chooses a number ki 2 Zq , computes rbi �p gk and sends rbi to the requester. 2. After receiving all rbi ; 1 � i � t; the requester does the following. Q (a) Choose two random numbers � 2 Zq and 2 Zq� ; compute rb �p ni=1 rbi ; Q ri �p g� rbi ; r �p m ti=1 ri and mb �q ?1 r: (b) Check if m b 2 Zq�. If yes, send mb to all Ui; 1 � i � t: Otherwise, go back to step (a). Q P 3. Upon receiving m b , each Ui computes sbi �q m b (zi + nj=t+1 fj (xi )( tk=1;k6=i ( x??xx ))) +ki and sends sbi back to the requester. 4. After receiving all sbi ; the requester si �q sbi + �; and checks if Q =1 6= (computes ? ))(?r) Q ( n r ? s ? g yi ri �p ( j=t+1 (Fj;i )) ; 1 � i � t: If any of the sbi is not valid, he has toPask the corresponding signer to send it again. Otherwise, he computes s �q ti=1 si : The threshold signature of m is (r; s): i
k
i
k
t
i
k
;k
i
xi
xk xk
2.3 The signature veri cation phase
To verify the threshold signature (r; s); one simply computes m �p g?s yr r and checks if m has some redundancy information.
2.4 Analysis We discuss the correctness, security and performance of our scheme in this subsection. Given the secret information of a group of l < t members, Lemma 1 ensures that the threshold cryptosystem constructed in the shadow distribution will not discloses any extra information about the group secret key Pni=1phase zi .
Lemma1. Given a group of � < t members G = fpijpi 2 [1; n]; 1 � i � �g and the set of shares f�j;i j1 � j � n; i 2 Gg. For any xed j; 1 � j � n; it takes polynomial time on jpj to generate a random set fgac j1 � k � t ? 1g satisfying Q g� �p tk? (gac )x for i 2 G. j;k
j;i
1 =0
j;k
i
k
Proof. In step 3 of the shadow distribution phase, after Ui has received all �j;i , he veri es if the share �j;i received from UjQis consistent with the certi ed values ?1 (G )x . Therefore Gj;l ; 1 � l � t ? 1; by checking if g� �p tl=0 j;l j;i
Y(ga
t?1
g� �p j;i
j;l
l=0
)x �p g i
l
P =0?1 a t
i
j;l
l
l
�x : i
l
(1)
Since g �p s(p?1)=q and s is a generator of Zp� , g generates a cyclic subgroup Sg of Zp� with jSg j = q. From (1), we have t? X a 1
�j;i �q
l=0
j;l � xi l
(2)
From (2), we know that given a xed index j , the shares �j;i ; i 2 G; will use the same variables ad j;k ; 0 � k � t ? 1; as follows: t? X ad � x k : 1
�j;i �q
j;k
k=0
(3)
i
Given a xed index j , we can get at most � linear equations with t variables as follows: t?1 X �j;i �q ad (4) j;k � xi k (i 2 G): k=0
Since the linear equations have at least one solution ad j;k = aj;k ; 0 � k � t ? 1, we can solve the linear equations (4) and get a random solution ad j;k , 1 � k � t ? 1; by assigning random values to all free variables. From (4), it is clear that P ?=01 ac �x Qt?1 ac x � 2 g �p g �p k=0 (g ) . To prevent a signer from sending an invalid partial signature to the requester, a partial signature must be checked in step 4 of the signature generation phase. The following lemma ensures the correctness of partial signatures. t
j;i
i
j;k
k
k
i
j;k
k
Lemma 2. The partial signature (ri ; si) is valid if signer Ui is honest. Proof. By our scheme, we have
g?s yir ri �p g?(sb +�)Pgz r g� rbi Q ? �p g?(mb (z +P = +1 f (x )(Q =1 6= ( ? ? )))+k ) gz r gk �p g?mb (z + P= +1 f (x )( Q=1 6= ( ? ? ))) gz r �p g?Pmb z ?mb =Q+1 f (x )( ? =1 6= ( ? )) gz r �p g = +1 f (x )( Q=1 6= ( ?? ))(?mb ) �p (Qnj=t+1 (Fj;i ))( =1 6= ( ? ))(?r) i
i
i
n
i
j
n
i
j
j
t
j
t
j
j
i
t
i
k
k
j
t
;k
i
;k
k
;k
i
xi
;k
xk xk
xk xi x k i
xk xi x k
i
i
i
i
i
xk xi xk
t
k
i
t
i
t
k
;k
t
i
n
i
n
j
t
i
xi
xk xk
2
After the signature generation phase, the threshold signature can be veri ed by the group public key in the signature veri cation phase. Let � denote the
signers' complete views of an execution in the signature generation phase and let
s(m) denote the signature on message m generated in that execution. Theorem
4 ensures the correctness of the scheme. We rst give a formal de nition of the blindness for a threshold signature scheme as follows. De nition 3. A threshold signature scheme is said to be blind if it is computational infeasible for anyone except the requester to derive the link between the signers' views � and the signature s(m) submitted by the requester for veri cation later. Theorem 4. The blind message m can be extracted by the corresponding threshold signature (r; s) produced in the proposed scheme and there exists a unique pair of blind factors � and for the link between the signers' views � and the signature (r; s). Proof. The validity of the signature (r; s) can easily be established as follows.
g?s yr rP P �p g?( =1P(sb +�)) gP =1Pz r m(Qti=1 riQ) P ? ?(m b ( =1 z + =1 ( = +1 f (x )( =1 6= ( ? ))))+ =1 k ) ?t� �p mg P r Qt � g =1 z P ( i=1 gPrbi ) P P Q ? ? (m b ( =1 z + = +1 ( =1 f (x )( =1 6= ( ? ))))+ =1 k ) �p mg P r Qt k g =1 z P ( i=1 gP ) P zr ? (m b ( �p mg P =1 z +P = +1 z )) g =1 P P �p mg?mb =1 z g =1 z r �p mg?r =1 z g =1 z r �p m: t
n
i
i
i
i
n i
n
i
j
n
i
i
i
t
t
j
i
j
i
t
k
i
xi
xk xk
t
;k
i
xi
xk xk
t
;k
i
i
i
t
n
i
i
t
i
j
t
t
i
t
k
i
i
i
t
i
i
n i
i
n i
n i
n
i
t
i
i
n
i
i
n
i
i
i
Then we show that given views of all the signers in the signing process and the corresponding valid signature pair (r; s), there exists a unique pair of blind factors � and : Without loss of generality, assume that the signature (r; s) has been generated by t signers Ui ; 1 �Qi � t; with the view consisting of ki ; rbi �p gk ; sbi �q P n mb (zi + j=t+1 fj (i)( tk=1;k6=i ( x??xx )))+ki ; 1 � i � t; and mb ; then the following equations must hold for � and : i
k
i
r �p m
k
Yt r i=1
mb �q r ?1 s �q
Xs t
i=1
i
i
�p m
�q
Yt g�rb i
i=1
X(sb + �) t
i=1
i
(5) (6) (7)
Note that if t < q, then gcd(t; q) = 1: Since m b 2 Zq�; by equations (6) and (7), the unique solution for � and is: �q mb ?1 r (8)
� �q (s ?
Xt sb )t? i=1
i
1
(9)
In the following, we show that the solutions of � and in equations (8) and (9) also Q satis es equation (5).
m ti=1 g�rbi Q �p g?s yPr rgt� ti=1 gk P P �p rg? =1P(sb +�)P gr =1Pz gt� g =1Qk ? ))))+P k ) +t�) ? ((m b ( z + ( f (x )( ( ? =1 =1 = +1 =1 = 6 =1 �p rgP P gr =1Pz gt� g P =1 k P P P �p rg?(mb ( P =1 z + P = +1 z )+ P=1 k ) gr P =1 z g =1 k �p rg?((Pmb =1 z + P=1 k ) ) gr =1 z g =1 k 2 �p rg? =1 mb z gr =1 z �p r: Since � and are kept secret by the requester and all signatures are equally i
t
n
i
i
t
i
i
n
i
i
n
i
i
i
n
i
j
n i
j
t
t
i
t
t
t
i
k
;k
i
n i
n
i
i
xi
t
xk xk
i
i
i
i
t
i
i
n
i
i
i
i
i
i
i
t
n
t
t
i
i
t
i
i
t
i
i
i
i
i
likely from the signer's point of view, it is computationally infeasible for the signer toPderive the link between the view consisting of ki ; rbi �p gk ; sbi �q Q n t mb (zi + j=t+1 fj (xi )( k=1;k6=i ( x??xx ))) + ki ; 1 � i � t; mb and the signature (r; s) submitted by a requester for veri cation later. In our blind threshold signature scheme, the partial signature Q =1(si;6=r(i)??must)) Q ( n z r r ? s ? s satisfy the equation g yi ri �p g g ri �p ( j=t+1 (Fj;i )) (?r ) : Since r; Fi;j ; xk ; ri ; yi and si are all public, an attacker needs to solve the discrete logarithm problem in order to get the secret values. The security of the partial signatures is the same as the Nyberg-Rueppel type blind signature schemes. With the information of all partial signatures and the corresponding threshold signature, an attacker is not capable of deriving P the secret Q Q keys since it needs to solve the equation rg?s yr �p m( ni=1 ri )g?( =1 s ) ( ni=1 gz )r : To solve this equation is equivalent to solve the discrete logarithm problem. In our scheme, the size of the threshold signature is the same as the size of an individual signature and the veri cation process of a threshold signature is equivalent to that of an individual signature. Thus, our proposed scheme is optimal with respect to the threshold signature size and the veri cation process. i
k
i
k
t
i
i
i
k
n i
i
;k
i
xi
xk xk
i
3 Blind threshold signature scheme with shorter signature length To provide the message recovery capability, the signed messages must be embedded to the signatures. The length of a signature must be more than or equal to the length of the corresponding signed message. In some situations, it is impractical when the length of a signed document is large. In this section, we propose a blind threshold signature scheme, based on the DSA type blind signature schemes, produces signatures with shorter length. In the DSA type blind signature scheme, if its q is 160 bits, p is 512 bits and the blind message m is less than 512 bits, the ratio of its signature size and that of a Nyberg-Rueppel
160�2 = 320 = 0:48. If the type signature scheme with message recovery is 160+512 672 blind message m is more than 512 bits, instead of signing the whole message, one can make a signature on the digest of the message which is the hashed value of a secure one-way hash function with the message as input. The length of the signature (r; s) in this scheme is also 320 bits, but in the Nyberg-Rueppel type signature scheme with message recovery, the length of the signature on message jmj e � 672 bits; where jmj is the length of m: Our scheme consists of three m is d 512 phases: the shadow distribution phase, the signature generation phase and the signature veri cation phase. The system parameters and the shadow distribution phase are the same as the scheme proposed in Section 2. We only present the signature generation phase and the signature veri cation phase in the following.
3.1 The signature generation phase
Without loss of generality, we assume that the t out of n signers are Ui ; 1 � i � t: When a requester requests a blind threshold signature, he and the t signers perform the following steps during the signature generation phase. 1. Each Ui randomly chooses a number ki 2 Zq , computes rbi �p gk and sends rbi to the requester. 2. After receiving all rbQi ; 1 � i � t; the requester does the following. (a) Compute rb �p ti=1 rbi : Check if rb 2 Zq�: If it fails, send all rbi ; 1 � i � t; and rb back to all Ui ; 1 � i � t; and go back to step 1. (b) Choose two random numbers �Q2 Zq and 2 Zq and compute rei �p g rbi � ; ri �q rei ; 1 � i � t; re �p ti=1 rei ; r �q re and mb �q rbm�re?1 : (c) Check if re 2 Zq� . If yes, send m b to all Ui; 1 � i � t: Otherwise, go back to step (b). P Q 3. Upon receiving m b , each Ui computes sbi �q rb(zi + nj=t+1 fj (xi )( tk=1;k6=i b and sends sbi back to the requester. ( x??xx ))) + ki m 4. After receiving all sbi ; the requester computes si �q ?m + sbi rb?1 re and checks Q ? 1 Q =1 6= ( ? )) ; 1 � i � t: If any if (gs yi?r )m?1 �p (rei )( nj=t+1 Fj;i )(rm of the sbi is not valid, he has toPask the corresponding signer to send it again. Otherwise, he computes s �q ti=1 si : The threshold signature of m is (r; s): i
k
i
k
t
i
k
;k
i
xi
xk xk
3.2 The signature veri cation phase
To verify ?the threshold signature (r; s) on message m; one simply checks if 1 s ? r m ((g y ) mod p) mod q = r:
3.3 Analysis We discuss the correctness, security and performance of our scheme in this subsection. To prevent a signer from sending an invalid partial signature to the requester, the partial signature must be checked in step 4 of the signature generation phase. The following lemma ensures the correctness of partial signatures.
Lemma 5. The partial signature (ri �q rei ; si ) is valid if signer Ui is honest. Proof. The proof is similar to that of Lemma 2 and is omitted due to space consideration. After the signature generation phase, the blind signature can be veri ed by the group public key in the signature veri cation phase. Let � denote the signers' complete views of an execution in the signature generation phase and let (m; (r; s)) denote the message-signature pair generated in that execution. Theorem 6 ensures the correctness of the scheme. Theorem 6. If the threshold signature (r; s) on message m is valid, it can be veri ed and there exists a unique pair of blind factors � and for the link between the signers' views � and the signature (r; s). Proof. The proof is similar to Theorem 4 and is omitted. Since � and are kept secret by the requester and all signatures are equally likely from the signers' point of view, it is computationally infeasible for the signersPto derive the Qlink between the view consisting of ki ; rbi �p gk ; sbi �q rb(zi + nj=t+1 fj (xi )( tk=1;k6=i ( x??xx )))+ ki mb ; 1 � i � t; mb and the signature (r; s) submitted by a requester for veri cation later. In our blind threshold signature scheme, the partial signature (si ; ri )? must Q ? 1 Q ? 1 ( rm n =1 6= ( ? )) : satisfy the equation (gs g?z r )m �p (rei )( j=t+1 Fj;i ) Since all Fj;i ; xk ; rei ; yi , si ; r and m are all public, an attacker needs to solve the discrete logarithm problem in order to get the secret value zi . The security of the partial signatures is the same as the DSA type blind signature schemes. With the information of all partial signatures and the corresponding threshold signature, an attacker is not capable of P deriving the P secret keys since it needs to solve the equation (gs y?r )m?1 �p (g =1 s g?( =1 z er) )m?1 : To solve this equation is equivalent to solve the discrete logarithm problem. In our scheme, the size of a threshold signature is the same as the size of an individual signature and the veri cation process of a threshold signature is equivalent to that of an individual signature. Thus, our proposed scheme is optimal with respect to the threshold signature size and the veri cation process. i
k
i
k
t
i
i
k
t i
i
n i
;k
i
xi
xk xk
i
4 Conclusion We have proposed two e�cient blind threshold signature schemes based on discrete logarithm. In our schemes, the size of a threshold signature is the same as the size of an individual signature and the veri cation process of a threshold signature is equivalent to the veri cation process of an individual signature. The security of our schemes relies on the hardness of computing discrete logarithm and it is computationally infeasible for the signers to derive the exact correspondence between the message they actually sign and all signers' complete views of the execution of the signing process.
References 1. J. L. Camenisch, J. M. Pivereau and M. A. Stadler, "Blind signatures based on the discret logarithm problem," Advances in Cryptology: Proc. of EuroCrypt'94, LNCS 950, pp. 428-432, Springer-Verlag, 1995. 2. D. Chaum, "Blind signatures systems," Advances in Cryptology: Proc. of Crypt'83, Plenum, pp. 153. 3. D. Chaum, A. Fiat and M. Naor, "Untraceable electronic cash," Advances in Cryptology: Proc. of Crypt'88, LNCS 403, pp. 319-327, Springer-Verlag, 1988. 4. Y. Desmedt and Y. Frankel, "Threshold cryptosystems," Advances in Cryptology: Proc. of Crypt'89, LNCS 435, pp. 307-315, Springer-Verlag, 1990. 5. N. Ferguson, "Single term o�-line coins," Advances in Cryptology: Proc. of EuroCrypt'93, LNCS 765, pp. 318-328, Springer-Verlag, 1993. 6. L. Harn, "Group-oriented (t,n) threshold digital signature scheme and digital multisignature," IEE Proc. Compu. Digit. Tech., Vol. 141, No. 5, pp. 307- 313, September 1994. 7. L. Harn and Y. Xu, "Design of generalised ElGamal type digital signature schemes based on discrete logarithm," Electronic Letters, Vol. 30, No. 24, pp. 205-206, 1994. 8. W. Juang and C. Lei, "A collision free secret ballot protocol for computerized general elections," to appear in Computers & Security (A preliminary version was presented at the 1994 Inter. Computer Symposium, Taiwan, pp. 309-314.) 9. W. Juang and C. Lei, "A secure and practical electronic voting scheme for real world environments," to appear in IEICE Trans. on Fundamentals (A preliminary version was presented at Proc. 6th National Conf. on Informa. Security, Taiwan, pp. 153-160, 1996). 10. C. S. Laih and L. Harn, "Generalized threshold cryptosystems," Advances in Cryptology: Proc. of AsiaCrypt'91, pp. 159-169, 1991. 11. K. Nyberg and R. A. Rueppel, "Message recovery for signature schemes based on the discrete logarithm problem," Advances in Cryptology: Proc. of EuroCrypt'94, LNCS 950, pp. 182-193, Springer-Verlag, 1995. 12. T. Okamoto, "A digital multisignature scheme using bijective public-key cryptosystems," ACM Trans. Computer Systems, Vol. 6, No. 8, pp. 432-441, 1988. 13. T. Okamoto and K. Ohta, "Universal Electronic cash," Advances in Cryptology: Proc. of Crypt'91, LNCS 576, pp. 324-337, Springer-Verlag, 1992. 14. T. P. Pedersen, "A threshold cryptosystem without a trusted party," Advances in Cryptology: Proc. of EuroCrypt'91, LNCS 547, pp. 522-526, Springer-Verlag, 1991. 15. K. Sako, "Electronic voting scheme allowing open objection to the tally," IEICE Trans. fundamentals, Vol. E77-A, No.1, pp. 24-30. 1994. 16. A. Shamir, "How to share a secret," Commun. ACM, Vol. 22, pp. 612-613, 1979. 17. W. Stallings, "Network and internetwork security," Prentice Hall International, pp. 333-340, 1995.
