Improvements of generalization of threshold signature and authenticated encryption for group communications


Information Processing Letters 81 (2002) 41–45

Chien-Lung Hsu (a), Tzong-Sun Wu (b, *), Tzong-Chen Wu (a)

(a) Department of Information Management, National Taiwan University of Science and Technology, Taipei, Taiwan 106, Republic of China
(b) Department of Information Management, Huafan University, Taipei, Taiwan 223, Republic of China

Received 10 October 2000; received in revised form 8 January 2001
Communicated by F.Y.L. Chin

Abstract

Recently, Wang et al. proposed a (t, n) threshold signature scheme with (k, l) threshold shared verification and a group-oriented authenticated encryption scheme with (k, l) threshold shared verification. This article shows that both schemes violate the requirement of (k, l) threshold shared verification. Further, two improvements are proposed to eliminate the security leaks pointed out in the original schemes. © 2002 Elsevier Science B.V. All rights reserved.

Keywords: Threshold signature; Threshold shared verification; Authenticated encryption

1. Introduction

In 1987, Desmedt [1] first presented the concept of group-oriented cryptography. Elaborating on this concept, Desmedt and Frankel [2] proposed a (t, n) threshold signature scheme based on the RSA system [9]. In such a (t, n) threshold signature scheme, any t out of the n signers in the group can collaboratively sign messages on behalf of the group, so that the signing capability is shared. Since then, threshold signatures have been widely discussed [4,7,8,11]. In those threshold signature schemes, anyone can play the role of a verifier and validate the group signatures with the signing group's public key. From the opposite point of view, it may also happen that a signature is to be verified by k or more verifiers on behalf of a group of l members [3,5]. To integrate both ideas, Wang et al. recently proposed a (t, n) threshold signature scheme with (k, l) threshold shared verification [10]. For simplicity, we call this scheme the TS scheme in this article. It requires that a group signature be generated for a specific group of verifiers according to the threshold policy. The generation of signatures in the TS scheme is the same as in a conventional group signature, i.e., any t or more signers can sign the message on behalf of the group of n members. In addition, the signature should be verified by any k or more verifiers on behalf of the specific group of l members. Applying the concept of authenticated encryption [6], Wang et al. further modified the TS scheme and proposed a (t, n) threshold authenticated encryption scheme with (k, l) threshold shared verification [10], which is called the TAE scheme in the rest of the paper. In the TAE scheme, it is unnecessary for the signers to transmit the message to the specific group, since it can be correctly recovered from the group signature by any k out of the l verifiers in the group.

* Corresponding author. E-mail address: [email protected] (T.-S. Wu).


In this article, however, we show that both Wang et al.'s schemes violate the requirement of (k, l) threshold shared verification [3,5]. An attacker can validate the group signature, or recover the message from the group signature, alone, without the assistance of the other verifiers in the verifying group. That is, (k, l) threshold shared verification does not hold in Wang et al.'s schemes. Finally, two improvements are given to eliminate the security leaks pointed out.

2. Review of Wang et al.'s schemes

In this section, we briefly describe the two schemes proposed by Wang et al. Both schemes require a system center (SC) who is responsible for generating system parameters, individual/group private keys, and individual/group public keys. We denote $G_s = \{u_{s1}, u_{s2}, \dots, u_{sn}\}$ as the group of $n$ signers and $G_v = \{u_{v1}, u_{v2}, \dots, u_{vl}\}$ as the group of $l$ verifiers. Also, in the following we define $S = \{u_{s1}, u_{s2}, \dots, u_{st}\}$ as the group of signers signing the message on behalf of $G_s$ and $V = \{u_{v1}, u_{v2}, \dots, u_{vk}\}$ as the group of verifiers verifying the signature on behalf of $G_v$. Further, the signers in $S$ should elect one of them as the clerk (CLK) to validate the individual signatures and to combine the $t$ valid individual signatures into a group signature.

2.1. TS scheme: (t, n) threshold signature with (k, l) threshold shared verification

In this scheme, any $t$ or more signers can sign a message on behalf of $G_s$ and any $k$ or more verifiers can verify the group signature on behalf of $G_v$. This scheme can be divided into three phases: the parameters generating phase, the individual signature generating and verifying phase, and the group signature generating and verifying phase.

2.1.1. Parameters generating phase

SC selects and computes the parameters and keys as follows:
• two large primes, $p$ and $q$, where $q \mid p - 1$, and a generator $g$ of order $q$ in $\mathrm{GF}(p)$;
• a one-way hash function $h$;

• two secret polynomials $f_s(x) = a_{t-1} x^{t-1} + a_{t-2} x^{t-2} + \cdots + a_1 x + a_0 \bmod q$ and $f_v(x) = c_{k-1} x^{k-1} + c_{k-2} x^{k-2} + \cdots + c_1 x + c_0 \bmod q$, where $a_i, c_j \in Z_q^*$ for $i = 0, 1, 2, \dots, t-1$ and $j = 0, 1, 2, \dots, k-1$;
• a secret polynomial $f_b(x) = b_{t-1} x^{t-1} + b_{t-2} x^{t-2} + \cdots + b_1 x + b_0 \bmod q$ for generating a group signature, where $b_i \in Z_q^*$ for $i = 0, 1, 2, \dots, t-1$;
• a group private key $f_s(0) = a_0$ and a secret value $f_b(0) = b_0$ for $G_s$, and a group private key $f_v(0) = c_0$ for $G_v$;
• a group public key $Y_s = g^{f_s(0)} \bmod p$ and a public value $Y_b = g^{f_b(0)} \bmod p$ for $G_s$, and a group public key $Y_v = g^{f_v(0)} \bmod p$ for $G_v$;
• two individual private keys $f_s(x_{si})$ and $f_b(x_{si})$ for each signer $u_{si}$ in $G_s$ (for $i = 1, 2, \dots, n$), and a private key $f_v(x_{vj})$ for each verifier $u_{vj}$ in $G_v$ (for $j = 1, 2, \dots, l$), where $x_{si}$ and $x_{vj}$ are the public values associated with each signer $u_{si}$ and each verifier $u_{vj}$, respectively;
• the public key $y_{si} = g^{f_s(x_{si})} \bmod p$ and the public value $y_{bi} = g^{f_b(x_{si})} \bmod p$ for each signer $u_{si}$ in $G_s$ (for $i = 1, 2, \dots, n$), and the public key $y_{vj} = g^{f_v(x_{vj})} \bmod p$ for each verifier $u_{vj}$ in $G_v$ (for $j = 1, 2, \dots, l$).

Finally, SC publishes the system parameters $(p, q, g)$, $h$, $(y_{si}, y_{bi})$ (for $i = 1, 2, \dots, n$), $y_{vj}$ (for $j = 1, 2, \dots, l$), $Y_s$, $Y_b$, and $Y_v$.

2.1.2. Individual signature generating and verifying phase

Each signer $u_{si} \in S$ uses his private key $f_s(x_{si})$ and $G_v$'s group public key $Y_v$ to compute the commitment value

$$ r_{si} = Y_v^{f_s(x_{si}) L_{si}} \bmod p \qquad (1) $$

and then sends $r_{si}$ to the other signers in $S$ via a secure channel, where

$$ L_{si} = \prod_{j=1,\, j \neq i}^{t} (-x_{sj})(x_{si} - x_{sj})^{-1} \bmod q. $$

On receiving all $r_{sj}$'s ($j = 1, 2, \dots, t$ and $j \neq i$), $u_{si} \in S$ computes $r$ and $s_i$ as

$$ r = \prod_{i=1}^{t} r_{si} \bmod p, \qquad (2) $$

$$ s_i = h(m) f_s(x_{si}) L_{si} - r f_b(x_{si}) L_{si} \bmod q. \qquad (3) $$


Note that $r$ can be considered as the common session key between the groups $G_s$ and $G_v$, i.e., $r = Y_v^{f_s(0)} = g^{f_s(0) f_v(0)} = Y_s^{f_v(0)} \pmod p$. After that, $u_{si}$ sends $s_i$, which is regarded as the individual signature for $m$, to CLK, who then verifies its validity by the equality

$$ y_{si}^{h(m) L_{si}} = g^{s_i} y_{bi}^{r L_{si}} \pmod p. \qquad (4) $$

2.1.3. Group signature generating and verifying phase

If all the $t$ individual signatures are valid, CLK computes the group signature for $m$ as

$$ s = \sum_{i=1}^{t} s_i = h(m) f_s(0) - r f_b(0) \pmod q, \qquad (5) $$

which is then sent to the group $G_v$. For verifying the signature $s$, each verifier $u_{vi} \in V$ first computes

$$ r_{vi} = Y_s^{f_v(x_{vi}) L_{vi}} \bmod p \qquad (6) $$

and then sends it to the other verifiers in $V$ via a secure channel, where

$$ L_{vi} = \prod_{j=1,\, j \neq i}^{k} (-x_{vj})(x_{vi} - x_{vj})^{-1} \bmod q. $$

Upon receiving all $r_{vj}$'s ($j = 1, 2, \dots, k$ and $j \neq i$), $u_{vi} \in V$ computes $r = \prod_{i=1}^{k} r_{vi} \bmod p$. Afterwards, the validity of the group signature $s$ for $m$ can be verified by checking that

$$ Y_s^{h(m)} = g^{s} Y_b^{r} \pmod p. \qquad (7) $$

If it holds, the group signature is valid.

2.2. TAE scheme: (t, n) threshold authenticated encryption with (k, l) threshold shared verification

In this scheme, any $t$ or more signers can generate the signature with authenticated encryption on behalf of $G_s$ and any $k$ or more verifiers can recover the message and verify the group signature on behalf of $G_v$. Note that redundancy must be embedded in the message $m$ for verification. This scheme can also be divided into three phases: the parameters generating, signature generating, and message recovering phases. In the first phase, the parameters $y_{bi}$'s (for $i = 1, 2, \dots, n$), $Y_b$, and $h$ are not required in this scheme, while all the other ones are generated in the same way as in the TS scheme. The other two phases are stated below.

2.2.1. Signature generating phase

Each signer $u_{si} \in S$ uses his private keys $f_s(x_{si})$ and $f_b(x_{si})$, and $G_v$'s group public key $Y_v$, to compute $z_{si}$ and $r_i$ as

$$ z_{si} = Y_v^{f_s(x_{si}) L_{si}} \bmod p, \qquad (8) $$

$$ r_i = g^{f_b(x_{si}) L_{si}} \bmod p, \qquad (9) $$

where

$$ L_{si} = \prod_{j=1,\, j \neq i}^{t} (-x_{sj})(x_{si} - x_{sj})^{-1} \bmod q. $$

Then, $u_{si}$ sends $(z_{si}, r_i)$ to the other signers in $S$ via a secure channel. Upon receiving all $(z_{sj}, r_j)$'s ($j = 1, 2, \dots, t$ and $j \neq i$), $u_{si} \in S$ computes the following values:

$$ z = \Big( \prod_{i=1}^{t} z_{si} \bmod p \Big) \bmod q, \qquad (10) $$

$$ r = m \Big( \prod_{i=1}^{t} r_i^{z} \Big) g^{z} \bmod p, \qquad (11) $$

$$ s_i = z f_b(x_{si}) L_{si} - r f_s(x_{si}) L_{si} \bmod q. \qquad (12) $$

Note that $z$ can be considered as the common session key between the groups $G_s$ and $G_v$, i.e., $z = \big( g^{f_s(0) f_v(0)} \bmod p \big) \bmod q$. Then, $u_{si}$ sends $s_i$ to CLK, who then verifies its validity by checking that $r_i^{z} = g^{s_i} y_{si}^{r L_{si}} \pmod p$. If all $t$ individual signatures are valid, CLK computes

$$ s = \sum_{i=1}^{t} s_i = z f_b(0) - r f_s(0) \pmod q. \qquad (13) $$

The group signature for $m$ is $(r, s)$, which is then transmitted to the group $G_v$.

2.2.2. Message recovering phase

For recovering the message from $(r, s)$, each verifier $u_{vi} \in V$ first computes $A = g^{s} Y_s^{r} = g^{z f_b(0)} \pmod p$ and

$$ z_{vi} = Y_s^{f_v(x_{vi}) L_{vi}} \bmod p, \qquad (14) $$

where $L_{vi} = \prod_{j=1,\, j \neq i}^{k} (-x_{vj})(x_{vi} - x_{vj})^{-1} \bmod q$. He then sends $z_{vi}$ to the other verifiers in $V$ via a secure channel. Upon receiving all $z_{vj}$'s ($j = 1, 2, \dots, k$ and $j \neq i$), $u_{vi} \in V$ computes $z = \big( \prod_{i=1}^{k} z_{vi} \bmod p \big) \bmod q$ and recovers the message as $m = r A^{-1} g^{-z} \bmod p$. The validity of the group signature can be verified by checking the redundancy embedded in $m$.

3. Attacks on Wang et al.'s schemes

In the following, we show that both Wang et al.'s schemes violate the requirement of (k, l) threshold shared verification.

3.1. Attack on the TS scheme

Let $s^{(1)}$ be the group signature for the message $m^{(1)}$ that has already been verified by the verifiers in $V$. For verifying a subsequent signature $s^{(2)}$ for the message $m^{(2)}$, any verifier in $V$ can perform the verification task alone, by simply checking whether

$$ Y_s^{h(m^{(2)})} = g^{s^{(2)}} Y_b^{r} \pmod p, $$

since the common session key $r$ in Eq. (2) was already obtained when verifying $s^{(1)}$. This violates the requirement of (k, l) threshold shared verification.

3.2. Attack on the TAE scheme

Let $(r^{(1)}, s^{(1)})$ be the group signature for the message $m^{(1)}$ that has already been verified by the verifiers in $V$. We demonstrate two attacks on the TAE scheme in which the recovery of the message $m^{(2)}$ from the subsequent signature $(r^{(2)}, s^{(2)})$ can be done by one verifier or by an outsider.

(1) Attack 1. Similar to the attack on the TS scheme, any verifier obtains the common session key $z$ in Eq. (10) when recovering $m^{(1)}$. Thus, he can recover the message from the group signature $(r^{(2)}, s^{(2)})$ alone as $m^{(2)} = r^{(2)} \big( g^{s^{(2)}} Y_s^{r^{(2)}} \big)^{-1} g^{-z} \bmod p$.

(2) Attack 2. This attack can be performed by any outsider. Once the message $m^{(1)}$ along with its signature $(r^{(1)}, s^{(1)})$ is released, e.g., because the sensitivity of the message has expired after some period of time, the attacker can use $(r^{(1)}, s^{(1)}, m^{(1)})$ to recover the message $m^{(2)}$ from the subsequent signature $(r^{(2)}, s^{(2)})$ as follows.
(i) Compute $A = g^{s^{(1)}} Y_s^{r^{(1)}} \bmod p = g^{z f_b(0)}$.
(ii) Compute $B = r^{(1)} A^{-1} (m^{(1)})^{-1} \bmod p = g^{z}$.
(iii) Recover the message as $m^{(2)} = r^{(2)} \big( g^{s^{(2)}} Y_s^{r^{(2)}} \big)^{-1} B^{-1} \bmod p$.

From the above discussion, we conclude that the TAE scheme violates the requirement of (k, l) threshold shared verification.

4. Our improvements

First of all, we should note that the secret polynomial $f_b(x)$ used in Wang et al.'s schemes must be distinct for each signature. Otherwise, with two signatures, the individual private key $f_s(x_{si})$ can easily be recovered from Eq. (3) in the TS scheme and from Eq. (12) in the TAE scheme, respectively. One can see that the security flaws of both the TS and the TAE schemes are caused by the fact that the common session key is always the same for different signatures. In the following, we utilize the randomized $Y_b$ to strengthen Wang et al.'s schemes.

4.1. Improved TS scheme

To eliminate the security flaw of the TS scheme, we replace Eqs. (1) and (6) with Eqs. (1*) and (6*), respectively:

$$ r_{si} = Y_v^{(f_b(x_{si}) + f_s(x_{si})) L_{si}} \bmod p, \qquad (1^*) $$

$$ r_{vi} = (Y_s Y_b)^{f_v(x_{vi}) L_{vi}} \bmod p. \qquad (6^*) $$

From Eqs. (1*) and (2), we can see that the common session key in the group signature generation is $r = Y_{vb} Y_{vs} \pmod p$, where $Y_{vb} = g^{f_v(0) f_b(0)} \pmod p$ and $Y_{vs} = g^{f_v(0) f_s(0)} \pmod p$. Since $f_b(0)$ is a secret random value for generating group signatures, the common session key $r$ will be distinct for all group signatures. Hence, the improved TS scheme can withstand the attack stated above.

4.2. Improved TAE scheme

For strengthening the TAE scheme, we replace Eqs. (8) and (14) with Eqs. (8*) and (14*), respectively:

$$ z_{si} = Y_v^{(f_s(x_{si}) + f_b(x_{si})) L_{si}} \bmod p, \qquad (8^*) $$

$$ z_{vi} = (Y_s Y_b)^{f_v(x_{vi}) L_{vi}} \bmod p. \qquad (14^*) $$

From Eqs. (8*) and (10), it can be seen that the common session key in the group signature generation is $z = (Y_{vb} Y_{vs} \bmod p) \bmod q$, where $Y_{vb} = g^{f_v(0) f_b(0)} \pmod p$ and $Y_{vs} = g^{f_v(0) f_s(0)} \pmod p$. Similar to the improved TS scheme, with the secret random value $f_b(0)$ for generating group signatures, the common session key $z$ will be distinct for all group signatures. Hence, the improved TAE scheme can withstand the attacks discussed.
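As an added example (not code from this paper or from Wang et al.), the following Python models the TS scheme of Section 2.1 and its improved form of Section 4.1 with toy parameters: the system center's polynomials are evaluated inline to obtain each participant's share, and `session_key_reused` signs two messages with a fresh $f_b$ each time and reports whether the session key $r$ of Eq. (2) repeats, which is exactly what the attack of Section 3.1 relies on. The primes, public values, polynomial coefficients and messages are constructed; the same root cause applies to $z$ in Eq. (10) of the TAE scheme.

```python
import hashlib, math

# Toy parameters, constructed for illustration only; real deployments need large primes.
# p = 2q + 1 with q prime, so g = 4 (a quadratic residue) has order q in GF(p).
p, q, g = 2039, 1019, 4

def h(m):
    """The scheme's one-way hash h, mapping the message into Z_q."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q

def poly(coeffs, x):
    """Evaluate a secret polynomial [a0, a1, ...] at x mod q (how SC derives a share)."""
    return sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q

def lagrange(xs, i):
    """L_i = prod_{j != i} (-x_j)(x_i - x_j)^-1 mod q over the participants' public values."""
    return math.prod(-xj * pow((xs[i] - xj) % q, -1, q) for j, xj in enumerate(xs) if j != i) % q

def threshold_sign(m, fs, fb, fv0, xs, improved):
    """t signers (public values xs) produce the session key r and the group signature s.
    Shares f_s(x), f_b(x) are evaluated inline from the SC's polynomials fs, fb; fv0 is f_v(0)."""
    Yv, Ls = pow(g, fv0, p), [lagrange(xs, i) for i in range(len(xs))]
    # Eq. (1) exponentiates with f_s(x) alone; Eq. (1*) adds the per-signature f_b(x).
    r = math.prod(pow(Yv, (poly(fs, x) + (poly(fb, x) if improved else 0)) * L, p)
                  for x, L in zip(xs, Ls)) % p                                  # Eq. (2)
    # Eq. (3) for each signer, summed by the clerk into s as in Eq. (5).
    s = sum((h(m) * poly(fs, x) - r * poly(fb, x)) * L for x, L in zip(xs, Ls)) % q
    return r, s

def verifiers_session_key(fv, xv, fs0, fb0, improved):
    """Eq. (6) / (6*): k verifiers (public values xv) rebuild r from their shares f_v(x_vi)."""
    Ys, Yb = pow(g, fs0, p), pow(g, fb0, p)
    base = Ys * Yb % p if improved else Ys
    return math.prod(pow(base, poly(fv, x) * lagrange(xv, i), p) for i, x in enumerate(xv)) % p

def verify_group(m, r, s, fs0, fb0):
    """Eq. (7): Y_s^h(m) == g^s * Y_b^r (mod p), using the reconstructed r."""
    return pow(pow(g, fs0, p), h(m), p) == pow(g, s, p) * pow(pow(g, fb0, p), r, p) % p

def session_key_reused(improved):
    """Sign two messages with distinct f_b(0) (as Section 4 requires); report whether r repeats."""
    fs, fv, xs, xv = [123, 45], [314, 27], [1, 2], [3, 5]  # t = k = 2; xs, xv are public values
    fb1, fb2 = [77, 9], [501, 9]                           # a fresh f_b for each signature
    keys = []
    for m, fb in ((b"order 1", fb1), (b"order 2", fb2)):
        r, s = threshold_sign(m, fs, fb, fv[0], xs, improved)
        assert r == verifiers_session_key(fv, xv, fs[0], fb[0], improved)  # both sides agree on r
        assert verify_group(m, r, s, fs[0], fb[0])                          # Eq. (7) holds
        keys.append(r)
    return keys[0] == keys[1]  # True for Wang et al.'s TS scheme, False for the improved one
```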

5. Conclusions

We have shown that both Wang et al.'s schemes violate the requirement of (k, l) threshold shared verification. Once some signature has been verified, any verifier can verify the subsequent signature alone in both schemes. For the TAE scheme, if some message along with its signature is released, any outsider can recover the message from the subsequent signature. Finally, we proposed improvements to eliminate the security leaks pointed out in Wang et al.'s schemes.

Acknowledgements

The authors would like to thank the referees for their valuable comments.


References

[1] Y. Desmedt, Society and group oriented cryptography: A new concept, in: Advances in Cryptology — CRYPTO'87, 1987, pp. 120–127.
[2] Y. Desmedt, Y. Frankel, Shared generation of authenticators and signatures, in: Advances in Cryptology — CRYPTO'91, 1991, pp. 457–469.
[3] L. Harn, Digital signature with (t, n) shared verification based on discrete logarithms, Electron. Lett. 29 (24) (1993) 2094–2095.
[4] L. Harn, Group-oriented (t, n) threshold signature and digital multisignature, IEE Proc. Comput. Digital Techniques 141 (5) (1994) 307–313.
[5] P. Horster, M. Michels, H. Petersen, Comment: Digital signature with (t, n) shared verification based on discrete logarithms, Electron. Lett. 31 (14) (1995) 1137.
[6] W.B. Lee, C.C. Chang, Authenticated encryption scheme without using one-way function, Electron. Lett. 31 (19) (1995) 1656–1657.
[7] W.B. Lee, C.C. Chang, (t, n) Threshold digital signature with traceability property, J. Inform. Sci. Engrg. 15 (1999) 669–678.
[8] C.M. Li, T. Hwang, N.Y. Lee, Threshold-multisignature schemes where suspected forgery implies traceability of adversarial shareholders, in: Advances in Cryptology — EUROCRYPT'94, 1994, pp. 194–204.
[9] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (2) (1978) 120–126.
[10] C.T. Wang, C.C. Chang, C.H. Lin, Generalization of threshold signature and authenticated encryption for group communications, IEICE Trans. Fundamentals Electron. Comm. Comput. Sci. E83-A (6) (2000) 1228–1237.
[11] C.T. Wang, C.H. Lin, C.C. Chang, Threshold signature schemes with traceable signers in group communications, Comput. Comm. 21 (8) (1998) 771–776.