New multisignature scheme for specified group of verifiers

Oct 1, 2004
Applied Mathematics and Computation 157 (2004) 425–431 www.elsevier.com/locate/amc

Zhang Zhang *, Guozhen Xiao
National Key Laboratory of ISN, Xidian University, Xi'an, Shaanxi 710071, People's Republic of China

Abstract

While in an ordinary digital signature scheme one signer is sufficient to sign a message and one verifier is sufficient to check the validity of a given signature, there are situations in which a group of signers cooperatively sign a message and a group of verifiers cooperatively check the validity of a given signature. So far, only two multisignature schemes for a specified group of verifiers have been suggested. Recently, He pointed out that the two schemes do not satisfy their security requirements. In this paper, the authors present a new multisignature scheme for a specified group of verifiers. Forging signatures in the proposed scheme is equivalent to forging Harn's signatures. The proposed scheme can withstand He's attack. © 2003 Elsevier Inc. All rights reserved.

Keywords: Digital signature; Multisignature; Discrete logarithm

1. Introduction

Digital signature is one of the major research topics in modern cryptography and computer security. In ordinary signature schemes, one signer is sufficient to sign a message and one verifier is sufficient to check the validity of a given signature. However, there are situations in which a group of signers cooperatively sign a message and a group of verifiers cooperatively check the validity of a given signature.

This work is supported in part by the National 973 Project under contract no. G1999035804. * Corresponding author. E-mail address: [email protected] (Z. Zhang).

0096-3003/$ - see front matter © 2003 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2003.08.043


Z. Zhang, G. Xiao / Appl. Math. Comput. 157 (2004) 425–431

In 1983, Itakura and Nakamura [9] proposed the first multisignature scheme, in which multiple signers can cooperate to sign the same message and any verifier can verify the validity of the multisignature. In general, multisignature schemes require that the size of the multisignature be independent of the number of signers. Since then, several multisignature schemes have been proposed in the literature [1,2,4,5,12,13,15]. In 1996, Laih and Yen (LY) [10] proposed a new concept, the multisignature scheme for a specified group of verifiers. The main differences between the LY scheme and the previous schemes are that a group of signers cooperates to sign a message for a specified group of verifiers, and that only all verifiers in that specified group together are able to verify the validity of the multisignature. The group of signers must use not only each signer's private key but also the group public key of the verifiers to sign a message. In both the multisignature generation phase and the multisignature verification phase, the group of signers and the group of verifiers each need a clerk to help them sign messages and verify multisignatures, respectively. Later, Hwang et al. (HCC) [8] proposed another multisignature scheme for a specified group of verifiers that provides authenticity as well as confidentiality. It also differs from the previous schemes and from the LY scheme: in the HCC scheme, only all verifiers in the specified group together are able to recover the message from the multisignature and check whether the message was signed by the group of signers. The group of signers and the group of verifiers again each need a clerk. Recently, He [7] pointed out that both the LY scheme and the HCC scheme have a weakness: in the LY scheme the clerk may be able to verify the multisignature by himself without the help of the group of verifiers, while in the HCC scheme the clerk may be able to recover the message from the multisignature and verify it by himself without the help of the group of verifiers. Hence, neither scheme satisfies its security requirements.

In this paper, the authors present a new multisignature scheme for a specified group of verifiers. Forging signatures in the proposed scheme is equivalent to forging Harn's signatures [6]. The proposed scheme can withstand He's attack. The rest of this paper is organized as follows. In Section 2, we give a brief review of Harn's signature scheme. In Section 3, we introduce our new scheme. In Section 4, we discuss the security of our new scheme. Finally, conclusions are given in Section 5.

2. Brief review of Harn's scheme

Harn's scheme is based on the original ElGamal signature scheme [3]. Let $p$, $q$, and $g$ be the public parameters: $p$ a large prime, $q$ a large prime divisor of $p - 1$, and $g$ an element of $Z_p$ of order $q$. Let $H$ denote the secure hash algorithm. The signer has secret key $x \in Z_q$ and public key $y = g^{x} \bmod p$. To generate a Harn signature for message $m$, the signer randomly picks $k \in Z_q$ and computes $(r, s)$ as

    $r = g^{k} \bmod p$,    $s = x(H(m) + r) - k \bmod q$.

The verification equation for Harn's signature is

    $y^{H(m)+r} = r g^{s} \bmod p$.    (1)

The advantages of Harn's scheme over the ElGamal signature scheme are that it simplifies the signature generation phase; it speeds up the signature verification process; it has a broad subliminal channel that allows any secret information to be concealed in the signature, recoverable only by insiders holding the secret key; and it can provide an efficient multisignature.

3. The proposed scheme

The procedure of the scheme contains three phases: the key generation phase, the multisignature generation phase and the multisignature verification phase.

Key generation phase. Let $G_S = (U_{S_1}, U_{S_2}, \ldots, U_{S_n})$ be the group of $n$ signers and $G_V = (U_{V_1}, U_{V_2}, \ldots, U_{V_m})$ be the group of $m$ verifiers. In each group there is a specified user, called the clerk. The clerk $U_{S_c}$ of the signers' group is responsible for verifying all partial signatures produced by signers in $G_S$ and combining them into a multisignature. The clerk $U_{V_c}$ of the verifiers' group is responsible for assisting all verifiers in $G_V$ to verify the multisignature. The trusted center selects two large primes $p$ and $q$ such that $q$ is a large prime divisor of $p - 1$. The trusted center also selects an element $g \in Z_p$ of order $q$. Each $U_{S_i} \in G_S$ selects his private key $s_i \in Z_q$ and computes his public key $Y_{S_i} = g^{s_i} \bmod p$. Each $U_{V_j} \in G_V$ selects his private key $v_j \in Z_q$ and computes his public key $Y_{V_j} = g^{v_j} \bmod p$. Then $G_S$ and $G_V$ respectively publish their group public keys $Y_S$ and $Y_V$, where

    $Y_S = \prod_{i=1}^{n} g^{s_i} \bmod p$    and    $Y_V = \prod_{j=1}^{m} g^{v_j} \bmod p$.

Multisignature generation phase. All signers in $G_S$ perform the following steps to generate the multisignature of a message $m$ for the specified group $G_V$ of verifiers:

(1) Each $U_{S_i} \in G_S$ selects a random element $k_i \in Z_q$ and computes

    $r_i = g^{k_i} \bmod p$,    (2)

    $r_i' = Y_V^{k_i} \bmod p$,    (3)

then sends $r_i$, $r_i'$ to $U_{S_c}$.


(2) $U_{S_c}$ computes

    $r = \prod_{i=1}^{n} r_i \bmod p$,    (4)

    $r' = \prod_{i=1}^{n} r_i' \bmod p$    (5)

and broadcasts $r'$ to all signers in $G_S$.

(3) Each $U_{S_i}$ computes

    $w_i = s_i (H(m) + r') - k_i \bmod q$    (6)

then sends $w_i$ to $U_{S_c}$.

(4) Upon receiving all $w_i$ ($i = 1, \ldots, n$), $U_{S_c}$ verifies each $U_{S_i}$'s partial signature by checking

    $Y_{S_i}^{H(m)+r'} = r_i g^{w_i} \bmod p$    (7)

and computes

    $w = \sum_{i=1}^{n} w_i \bmod q$    (8)

and sends $m$ and its multisignature $(r, w)$ to $G_V$.

Multisignature verification phase. All verifiers in $G_V$ perform the following steps to verify the multisignature of message $m$:

(1) Each $U_{V_j} \in G_V$ computes

    $X_j = r^{v_j} \bmod p$    (9)

and sends $X_j$ to $U_{V_c}$.

(2) $U_{V_c}$ computes

    $X = \prod_{j=1}^{m} X_j \bmod p$    (10)

and broadcasts $X$ to all verifiers in $G_V$.

(3) Each $U_{V_j}$ verifies the validity of the multisignature by checking

    $Y_S^{H(m)+X} = r g^{w} \bmod p$.    (11)


Correctness of the proposed scheme can be confirmed through the following result.

Theorem 1. If the multisignature $(r, w)$ is generated as in Section 3, then Eq. (11) holds, i.e. the multisignature is authentic.

Proof. From Eqs. (2)–(5) we have

    $r' = r^{v} \bmod p$,    (12)

where $v = \sum_{j=1}^{m} v_j \bmod q$. From Eqs. (9) and (10), we have $X = r^{v} = r' \bmod p$. From Eqs. (6) and (8) we have $w = \sum_{i=1}^{n} s_i (H(m) + r') - \sum_{i=1}^{n} k_i \bmod q$, hence

    $r g^{w} = Y_S^{H(m)+r'} = Y_S^{H(m)+X} \bmod p$. □
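The following Python program is an illustration added here; it is not the paper's code. It runs Harn's scheme of Section 2 and the three phases of Section 3 end to end: the clerk's partial-signature check of Eq. (7), the verifiers' combination of Eqs. (9)–(11), the identity $r' = X$ from Theorem 1, and the conversion of $(r, w)$ into the Harn signature $(r^{v}, w)$ under base $Y_V$ that Theorem 2 in Section 4 relies on. Everything it uses is constructed for the demo: a 128-bit Schnorr-type group ($p = 2q + 1$) produced by a small Miller-Rabin routine, SHA-256 reduced modulo $q$ standing in for the hash $H$ the paper leaves abstract, seeded random keys, and a sample message. The function names (`harn_sign`, `multisign`, `combine_X`, `multiverify`, `demo`) are this example's own.

```python
import hashlib
import math
import random

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with fixed witnesses."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % sp == 0 for sp in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(qbits=128, seed=1):
    """Public parameters p, q, g: q prime, p = 2q + 1 prime, g of order q in Z_p.
    A 128-bit q is a constructed toy size chosen so the demo runs quickly."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = pow(rng.randrange(2, p - 1), 2, p)  # a square lies in the order-q subgroup
        if g != 1:
            return p, q, g

def H(m, q):
    """SHA-256 reduced into Z_q, standing in for the hash the paper leaves abstract."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q

def harn_sign(p, q, g, x, m, rng):
    """Harn signature (Sec. 2): r = g^k mod p, s = x(H(m) + r) - k mod q."""
    k = rng.randrange(1, q)
    r = pow(g, k, p)
    return r, (x * (H(m, q) + r) - k) % q

def harn_verify(p, q, g, y, m, sig):
    """Eq. (1): y^(H(m) + r) == r g^s mod p."""
    r, s = sig
    return pow(y, H(m, q) + r, p) == r * pow(g, s, p) % p

def multisign(p, q, g, S, Y_V, m, rng):
    """Generation phase for signers with private keys S.  Returns (r, w) plus the
    broadcast value r', kept only so the demo can check Theorem 1's r' = X."""
    K = [rng.randrange(1, q) for _ in S]
    R = [pow(g, k, p) for k in K]                       # Eq. (2): r_i = g^k_i
    r = math.prod(R) % p                                # Eq. (4): clerk U_Sc combines r_i
    rp = math.prod(pow(Y_V, k, p) for k in K) % p       # Eqs. (3), (5): r' = prod Y_V^k_i
    e = H(m, q) + rp                                    # r' is broadcast to all signers
    W = [(s * e - k) % q for s, k in zip(S, K)]         # Eq. (6): w_i = s_i(H(m)+r') - k_i
    for s, ri, wi in zip(S, R, W):                      # Eq. (7): clerk checks each w_i
        if pow(pow(g, s, p), e, p) != ri * pow(g, wi, p) % p:   # Y_Si = g^s_i
            raise ValueError("partial signature rejected by clerk")
    return (r, sum(W) % q), rp                          # Eq. (8): w = sum w_i mod q

def combine_X(p, V, r):
    """Eqs. (9), (10): verifiers send X_j = r^v_j; clerk U_Vc forms X = prod X_j."""
    return math.prod(pow(r, v, p) for v in V) % p

def multiverify(p, q, g, V, Y_S, m, sig):
    """Eq. (11): Y_S^(H(m) + X) == r g^w mod p, checked by every verifier."""
    r, w = sig
    return pow(Y_S, H(m, q) + combine_X(p, V, r), p) == r * pow(g, w, p) % p

def demo(n=3, m=2, seed=7):
    """Constructed run with n signers, m verifiers and one lone Harn signer."""
    p, q, g = gen_params()
    rng = random.Random(seed)
    S = [rng.randrange(1, q) for _ in range(n)]         # signers' private keys s_i
    V = [rng.randrange(1, q) for _ in range(m)]         # verifiers' private keys v_j
    Y_S = math.prod(pow(g, s, p) for s in S) % p        # group public keys Y_S, Y_V
    Y_V = math.prod(pow(g, v, p) for v in V) % p
    msg = b"constructed sample message"
    x = rng.randrange(1, q)
    harn_ok = harn_verify(p, q, g, pow(g, x, p), msg, harn_sign(p, q, g, x, msg, rng))
    (r, w), rp = multisign(p, q, g, S, Y_V, msg, rng)
    v = sum(V) % q   # Theorem 2: knowing v, (r^v, w) is a Harn signature under base Y_V
    theorem2_ok = harn_verify(p, q, Y_V, pow(Y_S, v, p), msg, (pow(r, v, p), w))
    return {
        "harn_ok": harn_ok,
        "multisig_ok": multiverify(p, q, g, V, Y_S, msg, (r, w)),
        "wrong_msg_rejected": not multiverify(p, q, g, V, Y_S, b"other", (r, w)),
        "r_prime_equals_X": rp == combine_X(p, V, r),
        "theorem2_ok": theorem2_ok,
    }
```

Calling `demo()` returns a dictionary whose five entries are all `True` for an honest run; `multisign` raises if any signer's $w_i$ fails Eq. (7), which is the clerk's only defence against a bad partial signature. Note that $H(m) + r'$ is used unreduced as an exponent, exactly as the paper writes it; since $g$, $Y_V$ and $Y_S$ all have order $q$, reducing it modulo $q$ would give identical results.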

4. Security analysis

In this section we discuss several possible attacks. None of these attacks can successfully break our new scheme.

(1) Can the attacker reveal the secret keys of the signers or the verifiers? The attacker wants to reveal the users' secret keys $s_i$, $v_j$, $s = \sum_{i=1}^{n} s_i \bmod q$ and $v = \sum_{j=1}^{m} v_j \bmod q$ from $Y_{S_i}$, $Y_{V_j}$, $Y_S$ and $Y_V$, respectively. The difficulty is equivalent to solving discrete logarithms. He also cannot derive the signer's secret key $s_i$ from Eq. (6), because the equation contains two unknown variables ($s_i$ and $k_i$).

(2) Can the attacker forge a valid multisignature? We assume the attacker knows the value of $v = \sum_{j=1}^{m} v_j \bmod q$, since this only makes his task easier. For the unforgeability of the proposed scheme, we have the following result.

Theorem 2. Forging multisignatures in the proposed scheme is equivalent to forging Harn's signatures with the secret key and public key pair $s = \sum_{i=1}^{n} s_i \bmod q$ and $g'^{s} \bmod p$, where $g' = Y_V$.

Proof. With the knowledge of the value of $v$, the multisignature of the proposed scheme can be verified by checking

    $r g^{w} = Y_S^{H(m)+r'} \bmod p$,    (13)

where $r' = r^{v} \bmod p$. Raising both sides of Eq. (13) to the power $v$, we can rewrite it as

    $r' Y_V^{w} = Y_S^{v(H(m)+r')} = Y_V^{s(H(m)+r')} \bmod p$,    (14)


so that

    $r' g'^{w} = (g'^{s})^{H(m)+r'} \bmod p$.

Notice that $g' \in Z_p$ is also an element of order $q$; therefore $(r', w)$ is a Harn signature with the secret key and public key pair $s = \sum_{i=1}^{n} s_i \bmod q$ and $g'^{s} \bmod p$ (from Eq. (1)). Since the signatures of the two schemes can be converted into each other, forging signatures in the two schemes is equivalent. □

(3) Can the attacker impersonate $U_{S_j}$ to sign the message? The attacker may try to impersonate $U_{S_j}$ by randomly selecting $k_j^{*} \in Z_q$ and broadcasting $r_j^{*} = g^{k_j^{*}} \bmod p$ and $r_j'^{*} = Y_V^{k_j^{*}} \bmod p$. Since the product value $r' = r_j'^{*} \prod_{i=1, i \neq j}^{n} r_i' \bmod p$ is determined by all $n$ members, without the value of $s_j$ he cannot compute a $w_j$ satisfying Eq. (7).

(4) Can $U_{V_c}$ (or any verifier) verify the multisignature without the cooperation of the verifying group? In the LY scheme and the HCC scheme, $U_{V_c}$ can compute the Diffie–Hellman key $Y_S^{v}$ while assisting all verifiers in $G_V$ to verify a multisignature. With the knowledge of this Diffie–Hellman key, $U_{V_c}$ can compute $X$ and verify new multisignatures without the cooperation of the verifying group. In our scheme, $U_{V_c}$ can also compute the Diffie–Hellman key $Y_S^{v}$ from Eq. (14). However, this Diffie–Hellman key is useless for computing $X = r' \bmod p$. In fact, without the knowledge of $k = \sum_{i=1}^{n} k_i \bmod q$ and $v$, computing $r' = g^{kv} \bmod p$ from $r = g^{k}$ and $Y_V = g^{v}$ is as hard as the computational Diffie–Hellman problem [11]. Therefore, He's attack does not work in our scheme. Moreover, an attacker may try to verify a multisignature without computing $r'$. He must then decide whether the double discrete logarithm of $r g^{w} Y_S^{-H(m)}$ to the bases $Y_S$ and $r$ is equal to the discrete logarithm of $Y_V$ to the base $g$ (from Eq. (14)). However, this is also a hard problem [14].

5. Conclusions

In this paper, the authors present a new multisignature scheme for a specified group of verifiers based on Harn's signature scheme. Forging signatures in the proposed scheme is equivalent to forging Harn's signatures. Our scheme is more secure than the LY scheme and the HCC scheme.

References

[1] C. Boyd, Digital multisignature, in: Proceedings of Conference on Coding and Cryptography, 1986, pp. 15–17.
[2] C. Boyd, Multisignatures based on zero knowledge schemes, IEE Electron. Lett. 27 (22) (1991) 2002–2004.


[3] T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory 31 (4) (1985) 469–472.
[4] L. Harn, T. Kiesler, New scheme for digital multisignature, IEE Electron. Lett. 25 (15) (1989) 1002–1003.
[5] L. Harn, Group-oriented (t, n) threshold digital signature scheme and digital multisignature, IEE Proc. Comput. Digital Tech. 141 (5) (1994) 307–313.
[6] L. Harn, New digital signature scheme based on discrete logarithm, IEE Electron. Lett. 30 (5) (1994) 396–398.
[7] W.H. He, Weaknesses in some multisignature schemes for specified group of verifiers, Inform. Process. Lett. 83 (2002) 95–99.
[8] S.J. Hwang, C.Y. Chen, C.C. Chang, An encryption/multisignature scheme with specified receiving groups, Comput. Systems Sci. Engrg. 13 (2) (1998) 109–112.
[9] K. Itakura, K. Nakamura, A public-key cryptosystem suitable for digital multisignatures, NEC Res. Dev. 71 (1983) 1–8.
[10] C.S. Laih, S.M. Yen, Multisignature for specified group of verifiers, J. Inform. Sci. Engrg. 12 (1) (1996) 143–152.
[11] A. Menezes, P. Van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, 1996, pp. 113–114.
[12] K. Ohta, T. Okamoto, A digital multisignature scheme based on the Fiat–Shamir scheme, in: Proceedings ASIACRYPT'91, 1991, pp. 139–148.
[13] S. Park, S. Park, K. Kim, D. Won, Two efficient RSA multisignature schemes, in: Information and Communications Security First International Conference, 1997, pp. 217–222.
[14] M. Stadler, Publicly verifiable secret sharing scheme, in: Proceedings EUROCRYPT'96, Springer-Verlag, New York, 1996, pp. 190–199.
[15] T. Wu, S. Chou, Two ID-based multisignature protocols for sequential and broadcasting architecture, Comput. Commun. 19 (10) (1996) 851–856.