Applied Mathematics and Computation 167 (2005) 362–371 www.elsevier.com/locate/amc
An efficient threshold group signature scheme

Yuan-Lung Yu a,*, Tzer-Shyong Chen b

a Department of Computer Science and Information Management, Hung-Kung University, 3u Chung-Chie Rd., Sha Lu, Taichung u33, Taiwan
b Department of Information Management, Tung-Hai University, 181 Taichung-kang Rd., Sec. 3, Taichung 40744, Taiwan
Abstract

Globalization of the Internet has boosted electronic information exchange at both the personal and the business level. As a result, information communication and secure Internet transactions, which require the verification of digital signatures and identities, have become a hot issue. Most existing digital signature schemes are based on the RSA and ElGamal public key systems, whose security rests on the hardness of integer factorization and of the discrete logarithm problem. However, RSA keys are large and ElGamal signature verification is slow, which makes these schemes unsuitable for certain systems. The security and efficiency of the elliptic curve cryptosystem (ECC) [11–13], on the other hand, give it promising application prospects. This study integrates the short secret key characteristic of the elliptic curve cryptosystem with the (t, n) threshold method to create a signature scheme with simultaneous signing. The distinguishing feature of the proposed scheme is that the threshold value t denotes the minimum number of members required to produce a valid group signature, which any message recipient can then verify.
© 2004 Elsevier Inc. All rights reserved.

Keywords: Threshold signature; Digital signature; Public key; Elliptic curve cryptosystem
* Corresponding author. E-mail address: [email protected] (Y.-L. Yu).
0096-3003/$ - see front matter © 2004 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2004.06.089
1. Foreword

Globalization of the Internet has accelerated the exchange of electronic information at both the personal and the business level. E-government, online tax filing and electronic banking are important areas of development. Information communication and secure Internet transactions that involve the verification of digital signatures and identities are therefore central issues of electronic and networked environments. A digital signature provides message integrity, authentication of the signer and non-repudiation (confidentiality, where required, comes from encryption). Secure network communication can thus be ensured by identifying the two parties involved in the communication.

Most digital signature schemes are based on the RSA and ElGamal public key systems, whose security rests on the hardness of integer factorization and of the discrete logarithm problem. However, RSA keys are large, and ElGamal signature verification is slow, which makes these schemes unsuitable for operating certain systems. Recently, the elliptic curve cryptosystem has attracted considerable attention owing to its potential for application in information security and cryptography. Owing to its security and efficiency, the elliptic curve cryptosystem has promising application prospects and may [1,2] soon replace RSA, DSS and other current cryptosystems in certain applications; the ECC has already become a core research area. An elliptic curve cryptosystem offers a level of security similar to that of other cryptosystems with a much smaller secret key, which makes it very appealing: an ECC over a 160-bit field is generally regarded as being as secure as RSA with a 1024-bit modulus. Shorter keys imply lower bandwidth and less memory, which is crucial in Internet applications.
This study integrates the short secret key characteristic of the ECC [6–10] with the (t, n) threshold method to create a signature scheme in which the members sign simultaneously [14–16]. The distinguishing feature of the proposed scheme is that the threshold value t is the minimum number of members required to produce a valid group signature, and any recipient must be able to verify that signature.

2. Introduction to the elliptic curve cryptosystem

The general equation of the elliptic curve used in the cryptosystem is $y^2 = x^3 + ax + b \pmod p$, where p is a prime and the coefficients a, b satisfy the discriminant condition $\Delta = 4a^3 + 27b^2 \not\equiv 0 \pmod p$; only then is the curve non-singular and usable for encryption and decryption. Before introducing the addition operation of the elliptic curve [3–5], a special point must be defined, namely the point at infinity O, which satisfies the following properties:
1. If P is a point on the elliptic curve and O is the point at infinity, then $P + O = O + P = P$.
2. $-O = O$.
3. If $Q = -P$, the reflection of P in the x-axis, then $P + Q = O$.
4. If $P \neq O$, $Q \neq O$ and $Q \neq -P$, then $P + Q = R$ is again a point on the curve.

According to the addition operation of the elliptic curve, if $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ are two points on the curve with $Q \neq -P$, then $P + Q = (x_3, y_3)$ with
$$x_3 = \lambda^2 - x_1 - x_2 \pmod p, \qquad y_3 = \lambda (x_1 - x_3) - y_1 \pmod p,$$
where
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} \pmod p, & \text{if } P \neq Q, \\[8pt] \dfrac{3x_1^2 + a}{2y_1} \pmod p, & \text{if } P = Q. \end{cases} \tag{1}$$

If G is a point on the curve chosen as the generator (base point) and n is its order, the multiples of G have the following properties: $1G = G$, $2G = G + G$, $3G = G + G + G = 2G + G$, ..., $(n-1)G = G + G + \cdots + G$ (a sum of $n - 1$ copies of G), $nG = O$, $(n+1)G = G$. Thus nG is the n-fold sum of G: the addition operation of the elliptic curve is applied repeatedly to n copies of G, rather than an ordinary multiplication being performed.

For example, suppose two parties use the elliptic curve $y^2 = x^3 + x + 6$ over GF(11) for communication, i.e. $a = 1$, $b = 6$, $p = 11$. Then $\Delta = 4 \cdot 1^3 + 27 \cdot 6^2 = 976 \equiv 8 \not\equiv 0 \pmod{11}$, and the affine points on the curve are (2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9), (7, 2), (7, 9), (8, 3), (8, 8), (10, 2), (10, 9); together with O the curve has 13 points. If both parties select the point (2, 7) as G and perform the addition operation repeatedly, then G = (2, 7), 2G = G + G = (5, 2), 3G = 2G + G = (8, 3), 4G = (10, 2), 5G = (3, 6), 6G = (7, 9), 7G = (7, 2), 8G = (3, 5), 9G = (10, 9), 10G = (8, 8), 11G = (5, 9), 12G = (2, 4), 13G = O, 14G = (2, 7); G therefore has order 13.
3. The proposed scheme

The security of the digital group signature presented here rests on the elliptic curve discrete logarithm problem, which is believed to be intractable for suitably chosen curves. When a group wishes to publish a message, t or more group members can sign the message on behalf of the group. The signing process is divided into three stages: key generation, generation of the threshold digital signature, and verification of the threshold digital group signature. The CA (Center Authority) is responsible for generating the system parameters, and a secretary verifies the signature of each member and publishes the group signature.
3.1. Key generation

The CA generates and publishes the system parameters, the group public key and the individual public keys, and retains the threshold polynomial. The process consists of the following four steps.

Step 1: The CA generates and publishes the following system parameters:
E: $y^2 = x^3 + ax + b \pmod p$, the elliptic curve, with $a, b \in Z_p$ and $4a^3 + 27b^2 \not\equiv 0 \pmod p$.
p: a large prime, with $GF(p) = \{0, \ldots, p - 1\}$.
#E(GF(p)): the order of the curve, which by Hasse's theorem lies between $p + 1 - 2\sqrt{p}$ and $p + 1 + 2\sqrt{p}$.
G: a base point $G \in E(GF(p))$ of large prime order n (n divides #E(GF(p))).
h(·): a one-way hash function.
$x_i$: the public identity of group member $U_i$; the $x_i$ are non-zero and pairwise distinct modulo n.

Step 2: The CA generates and retains the (t, n) threshold polynomial (here the n of "(t, n)" is the number of group members, not the order of G):
$$f(x) = a_{t-1} x^{t-1} + \cdots + a_1 x + a_0 \pmod n,$$
where each $a_i$, $i = 0, \ldots, t - 1$, is a random integer between 1 and $n - 1$. $f(0) = a_0$ is the group secret key, and $f(x_i)$ is the secret key of member $U_i$, which the CA delivers to $U_i$ in secret.

Step 3: The CA computes and publishes the group public key $N = Y = f(0)G$.

Step 4: The CA computes and publishes the individual public keys $N_i = Y_i = f(x_i)G$.

3.2. Threshold digital signature generation

Suppose the group needs to sign a message m and the members $U_1, U_2, \ldots, U_t$ sign on its behalf. Write
$$\lambda_i = \prod_{j=1,\, j \neq i}^{t} \frac{x_j}{x_j - x_i} \pmod n$$
for the Lagrange coefficient of $U_i$ at zero, so that $\sum_{i=1}^{t} f(x_i)\lambda_i \equiv f(0) \pmod n$. This stage consists of generating the individual digital signatures, verifying them, and combining them into the (t, n) threshold signature.

Step 1: Each member $U_i$ uses the secret key $f(x_i)$ and a fresh random integer $k_i$, $1 \le k_i \le n - 1$, to compute the individual signature $(r_i, s_i)$ on m:
$$R_i = (x_{R_i}, y_{R_i}) = k_i G, \qquad r_i = x_{R_i} \bmod n, \qquad \text{publish } R_i,$$
$$r_i s_i = k_i + f(x_i)\, \lambda_i\, h(m) \pmod n,$$
i.e. $s_i = r_i^{-1}\bigl(k_i + f(x_i)\lambda_i h(m)\bigr) \bmod n$. Here h(m) is the one-way hash of the message, which fixes the size of the signed quantity and protects the message. The nonce $k_i$ must never be reused: two signatures made with the same $k_i$ on different messages reveal $f(x_i)$ by subtraction. Member $U_i$ sends the individual signature $(r_i, s_i)$ to the secretary.

Step 2: On receiving the signature $(r_i, s_i)$ of each member $U_i$, the secretary checks it with
$$D_i = (x_{D_i}, y_{D_i}) = r_i s_i G - h(m)\, \lambda_i\, N_i, \qquad d_i = x_{D_i} \bmod n,$$
and accepts $(r_i, s_i)$ as a valid signature of $U_i$ on m if $d_i = r_i$; otherwise the signature is rejected.

Proof 1. Multiplying both sides of $r_i s_i = k_i + f(x_i)\lambda_i h(m)$ by G gives $r_i s_i G = k_i G + f(x_i)G\, \lambda_i h(m)$. Since $Y_i = N_i = f(x_i)G$ and $R_i = k_i G$,
$$r_i s_i G = R_i + \lambda_i h(m) N_i \;\Rightarrow\; R_i = r_i s_i G - h(m)\lambda_i N_i = D_i.$$
Hence $R_i = (x_{R_i}, y_{R_i}) = D_i = (x_{D_i}, y_{D_i})$, and $d_i = x_{D_i} \bmod n = x_{R_i} \bmod n = r_i$. □

Step 3: Having verified the signatures $(r_i, s_i)$ of all t members, the secretary computes and publishes the group signature (r, s) on m. From the published points $R_i = (x_{R_i}, y_{R_i})$ the secretary first forms
$$R = \sum_{i=1}^{t} R_i = (x_R, y_R),$$
and then sets
$$r = x_R \bmod n, \qquad s = \sum_{i=1}^{t} r_i s_i \bmod n.$$

3.3. Threshold digital group signature verification

Any recipient of (r, s) can verify the authenticity of the group signature on message m.

Step 1: Given the individual signatures $(r_i, s_i)$, the recipient computes
$$S = \sum_{i=1}^{t} r_i s_i \bmod n$$
and checks whether $S = s$. If so, Step 2 is performed; otherwise the signature is invalid. (This step presupposes that the recipient also holds the t individual signatures; what the two checks actually bind is discussed in Section 4.1.)

Step 2: The recipient computes
$$Q = (x_Q, y_Q) = sG - h(m)N, \qquad q = x_Q \bmod n,$$
and checks whether $q = r$. If so, (r, s) is accepted as the group signature on m; otherwise the signature is invalid.

Proof 2. Summing the secretary's verification equation $D_i = r_i s_i G - h(m)\lambda_i N_i$ over the t signers gives
$$\sum_{i=1}^{t} D_i = \Bigl(\sum_{i=1}^{t} r_i s_i\Bigr) G - h(m) \sum_{i=1}^{t} \lambda_i N_i.$$
Since $N_i = Y_i = f(x_i)G$ and $s = \sum_{i=1}^{t} r_i s_i \bmod n$,
$$\sum_{i=1}^{t} D_i = sG - h(m) \Bigl(\sum_{i=1}^{t} f(x_i)\lambda_i\Bigr) G.$$
By Lagrange interpolation, $\sum_{i=1}^{t} f(x_i)\lambda_i \equiv f(0) \pmod n$, so
$$\sum_{i=1}^{t} D_i = sG - h(m)\, f(0) G = sG - h(m) N,$$
using $N = Y = f(0)G$. From Proof 1, $D_i = R_i$, hence
$$\sum_{i=1}^{t} D_i = \sum_{i=1}^{t} R_i = R \;\Rightarrow\; R = sG - h(m)N = Q.$$
Therefore $Q = (x_Q, y_Q) = R = (x_R, y_R)$ and $q = x_Q \bmod n = x_R \bmod n = r$. □
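The group law of Section 2 and the key generation, signing, secretary check, combination and recipient check of Section 3, as one added example in Python (not the authors' code). It runs on the paper's toy curve $y^2 = x^3 + x + 6$ over GF(11) with $G = (2, 7)$ of order 13, so the multiples $2G = (5, 2), \ldots, 13G = O$ tabulated in Section 2 can be reproduced with `ec_mul`. Everything not fixed by the paper is an assumption: h(·) is SHA-256 reduced mod n, and the member identities, polynomial coefficients, nonces and message in the demo are constructed sample values. The `forge` function shows that the two verification equations depend on $(r_i, s_i)$ only through $r_i s_i$ and on (r, s) only through s, so they can be satisfied without any secret.

```python
import hashlib
import secrets

# Added example, not the paper's code: the Section 3 scheme run on the Section 2 toy
# curve y^2 = x^3 + x + 6 over GF(11), base point G = (2, 7) of prime order n = 13.
# h(m) is SHA-256 reduced mod n (an assumption; the paper only requires a one-way hash).
P, A = 11, 1                  # b = 6 is not needed by the group law
G, ORD, O = (2, 7), 13, None  # O stands for the point at infinity

def ec_add(P1, P2):
    """Chord-and-tangent addition on E(GF(p)), eq. (1) of the paper."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P == 0:   # P2 = -P1, hence P1 + P2 = O
        return O
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, Pt):
    """kPt by double-and-add: curve additions only, no exponentiation."""
    acc, addend = O, Pt
    while k > 0:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def x_mod_n(Pt):
    return None if Pt is O else Pt[0] % ORD   # O has no x-coordinate: never verifies

def h(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % ORD

def lagrange_at_zero(i, xs):
    """lambda_i = prod_{j != i} x_j / (x_j - x_i) mod n, so sum_i f(x_i) lambda_i = f(0)."""
    num = den = 1
    for j, xj in enumerate(xs):
        if j != i:
            num, den = num * xj % ORD, den * (xj - xs[i]) % ORD
    return num * pow(den, -1, ORD) % ORD

def keygen(t, ids, coeffs=None):
    """CA: f(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} mod n. Returns the group public
    key N = f(0)G, the member secrets f(x_i) and the member public keys N_i = f(x_i)G."""
    coeffs = coeffs or [secrets.randbelow(ORD - 1) + 1 for _ in range(t)]
    f = lambda x: sum(a * pow(x, e, ORD) for e, a in enumerate(coeffs)) % ORD
    return ec_mul(f(0), G), {x: f(x) for x in ids}, {x: ec_mul(f(x), G) for x in ids}

def sign_individual(m, i, xs, f_xi, k=None):
    """Member U_i: R_i = k_i G, r_i = x_{R_i} mod n, s_i = r_i^{-1}(k_i + f(x_i) lambda_i h(m)).
    A reused k_i leaks f(x_i), exactly as a reused nonce does in ECDSA."""
    k = k or secrets.randbelow(ORD - 1) + 1
    R = ec_mul(k, G)
    r = x_mod_n(R)
    return R, r, pow(r, -1, ORD) * (k + f_xi * lagrange_at_zero(i, xs) * h(m)) % ORD

def verify_individual(m, i, xs, sig, N_i):
    """Secretary: D_i = r_i s_i G - h(m) lambda_i N_i must have x_{D_i} mod n = r_i."""
    _, r, s = sig
    D = ec_add(ec_mul(r * s % ORD, G), ec_mul(-h(m) * lagrange_at_zero(i, xs) % ORD, N_i))
    return x_mod_n(D) == r

def combine(sigs):
    """Secretary: R = sum R_i over the published points, r = x_R mod n, s = sum r_i s_i mod n."""
    R, s = O, 0
    for R_i, r_i, s_i in sigs:
        R, s = ec_add(R, R_i), (s + r_i * s_i) % ORD
    return x_mod_n(R), s

def verify_group(m, sig, N_pub):
    """Recipient, step 2: Q = sG - h(m)N must satisfy x_Q mod n = r."""
    r, s = sig
    return x_mod_n(ec_add(ec_mul(s, G), ec_mul(-h(m) % ORD, N_pub))) == r

def forge(m, pubkey, coef=1, group=False):
    """No secret needed: the check point depends on r only through w = r s (secretary)
    or not at all (recipient), so fix w, compute the point, then read r off it."""
    for w in range(1, ORD):
        Q = ec_add(ec_mul(w, G), ec_mul(-h(m) * coef % ORD, pubkey))
        if Q is not O:
            r = x_mod_n(Q)
            return (Q, r, w) if group else (Q, r, w * pow(r, -1, ORD) % ORD)

if __name__ == "__main__":
    xs, m = [1, 2], b"constructed sample message"       # identities of U_1, U_2 (t = 2); sample input
    N_pub, secret, pub = keygen(2, xs, coeffs=[4, 7])   # f(x) = 4 + 7x mod 13, fixed for the demo
    sigs = [sign_individual(m, i, xs, secret[x], k) for i, (x, k) in enumerate(zip(xs, [3, 5]))]
    r, s = combine(sigs)
    print("honest:", (r, s), verify_group(m, (r, s), N_pub), "forged:", forge(m, N_pub, group=True)[1:],
          verify_group(m, forge(m, N_pub, group=True)[1:], N_pub))
```

With the fixed demo values, $f(1) = 11$ and $f(2) = 5$, the nonces 3 and 5 give $R_1 = 3G = (8, 3)$ and $R_2 = 5G = (3, 6)$, so $R = 8G = (3, 5)$ and the group signature has $r = 3$ whatever the hash value is; both `verify_individual` and `verify_group` accept the honest signatures and reject a signature whose s has been changed by one. The two `forge` calls in the demo produce pairs that the same checks accept without ever touching `secret`. `pow(x, -1, p)` needs Python 3.8 or later.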
4. Analyses of security and performance

This section analyses the scheme from two angles. Security is examined by considering the attacks an adversary could attempt, which is also a search for weaknesses of the system. Performance is examined by comparing the proposed scheme with current schemes in terms of secret key length, signature length, signing time and so on.

4.1. Analyses of security

The scheme uses the (t, n) threshold method for multi-signing: at least t members must take part to produce a valid group signature, and any $t - 1$ shares $f(x_i)$ are consistent with every possible value of the group secret key f(0), so collusion below the threshold yields nothing.

An attacker who tries to obtain the group secret key f(0) from the group public key $N = f(0)G$, or a member key $f(x_i)$ from $N_i = f(x_i)G$, must first solve the elliptic curve discrete logarithm problem (ECDLP), which is harder than the discrete logarithm problem in a finite field of comparable size because no sub-exponential algorithm is known for it. This attack is infeasible.

The forgery resistance of the verification equations themselves, however, needs more than the ECDLP argument. In the secretary's check
$$D_i = (x_{D_i}, y_{D_i}) = r_i s_i G - h(m)\, \lambda_i\, N_i$$
the pair $(r_i, s_i)$ enters only through the product $w = r_i s_i$, and everything else on the right-hand side (G, h(m), $\lambda_i$, $N_i$) is public. An attacker can therefore pick any w, compute $D = wG - h(m)\lambda_i N_i$, set $r_i = x_D \bmod n$ and $s_i = w r_i^{-1} \bmod n$, and the check $d_i = r_i$ passes without knowledge of $f(x_i)$. Likewise, the recipient's check
$$Q = (x_Q, y_Q) = sG - h(m)N$$
does not involve r at all: for any s the attacker sets $r = x_Q \bmod n$, and the pair (r, s) is accepted in Step 2 of Section 3.3. The ECDLP is thus not what stands between an attacker who has G, h(m), N and the equations and a forged $(r', s')$; the equations as written do not bind r to the signer's secret. Before the ECDLP argument applies, the verification equations would have to be changed so that r and s enter separately (as they do in ECDSA, where the check point is $s^{-1}h(m)G + s^{-1}rY$).

Hashing m with the one-way function h before signing fixes the size of the signed quantity and prevents an attacker from substituting a different message for m without finding a hash collision.

4.2. Analyses of performance

The scheme requires no modular exponentiation during signing or verification. The only modular inverses are $r_i^{-1}$ in each individual signature and the $t - 1$ inverses in each Lagrange coefficient $\lambda_i$ (the $2(t - 1)T_{INV}$ term in Table 1). Accordingly, both signing and verification are faster than in the ElGamal signature scheme and in DSA. Basing the individual and the group signature verification on equations of the same form reduces the cost of system design. The scheme allows the members to sign simultaneously, and the (t, n) threshold method lets the number of required signers be adjusted by choosing a different threshold when the polynomial is generated.

Most current digital signature schemes are based on RSA or ElGamal. The present scheme is based on the elliptic curve discrete logarithm problem and is a (t, n) threshold multi-signature. The translation from a discrete logarithm scheme is mechanical: the exponentiation is replaced by elliptic curve scalar multiplication (the individual public key changes from $y = g^x$ to $Y_i = f(x_i)G$), multiplication of group elements is replaced by repeated point addition, and the group public key changes from $Y = \prod_{i=1}^{n} Y_i$ to $Y = \sum_{i=1}^{n} Y_i$.

The scheme requires only 160-bit parameters to achieve the same level of security as RSA with 1024 bits. The similar security level with a smaller secret key reduces the required memory, and transmission is faster as well: with a 160-bit n, the group signature (r, s) occupies only 320 bits.

The performance of the scheme is estimated in terms of time complexity. The symbols are defined as follows:
$T_{MUL}$: time cost of a modular multiplication.
$T_{INV}$: time cost of a modular inverse.
$T_{ADD}$: time cost of a modular addition.
$T_H$: time cost of a hash evaluation.
$T_{EC\_MUL}$: time cost of an elliptic curve scalar multiplication.
$T_{EC\_ADD}$: time cost of an elliptic curve point addition.
According to Ref. [14], for the scalar multiplication kB with $B \in E(Z_p)$, E an elliptic curve over $Z_p$, $p \approx 2^{160}$ and k a random 160-bit integer, the costs relate as
$$T_{EC\_MUL} \approx 29\, T_{MUL}, \qquad T_{EC\_ADD} \approx 0.12\, T_{MUL}.$$
The cost of modular additions and subtractions is low and is omitted. The resulting estimates are listed in Table 1.

Table 1. Estimated time complexity

Threshold digital signature generation
  Time complexity: $4T_{EC\_MUL} + T_{EC\_ADD} + (3t + 1)T_{MUL} + 2(t - 1)T_{INV} + 2T_H$
  Rough estimate: $(3t + 117.12)T_{MUL} + 2(t - 1)T_{INV} + 2T_H$

Threshold digital signature verification
  Time complexity: $2T_{EC\_MUL} + T_{EC\_ADD} + tT_{MUL} + 2T_H$
  Rough estimate: $(t + 58.12)T_{MUL} + 2T_H$
5. Conclusion

A public key system based on the elliptic curve cryptosystem uses a smaller key and is nonetheless highly secure. Its performance and bandwidth advantages make it likely to become the mainstream public key system in the future. Business transactions, both internal and external, can use the threshold signature scheme presented here for signing and sending messages, and recipients can verify the group signature. The study also arrives at a general observation about traditional digital signatures: any scheme based on the discrete logarithm problem can be transposed to the elliptic curve setting by replacing exponentiation with scalar multiplication and multiplication with repeated point addition, which turns it into a cryptosystem whose security rests on the elliptic curve discrete logarithm problem. Many cryptosystems can be designed in this way. In future work, the analyses presented here should be applied to the (t, n) threshold digital group signature based on the elliptic curve cryptosystem to shorten signatures further and to reduce the time needed to produce and verify them. This lowers the transmission load, and group identification will be of considerable significance for e-government and e-commerce in a secure Internet environment.
References

[1] M. Robshaw, Y. Yin, Elliptic curve cryptosystems, RSA Laboratories Technical Note, 1997, revised June 27.
[2] G.J. Lay, H.G. Zimmer, Constructing elliptic curves with given group order over large finite fields, in: Algorithmic Number Theory, LNCS 877, Springer-Verlag, Berlin, 1994, pp. 250–263.
[3] H. Sakazaki, E. Okamoto, M. Mambo, Constructing identity-based key distribution systems over elliptic curves, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E81-A (10) (1998) 2138–2143.
[4] R. Scheidler, A public-key cryptosystem using purely cubic fields, Journal of Cryptology 11 (2) (1998) 554–559.
[5] K.R. Coombes, Elliptic curves and logarithmic derivatives, Journal of Pure and Applied Algebra 138 (1999) 21–38.
[6] S.A. Vanstone, Elliptic curve cryptosystem—the answer to strong, fast public-key cryptography for securing constrained environments, Information Security Technical Report 2 (2) (1997) 78–87.
[7] W.J. Caelli, E.P. Dawson, S.A. Rea, PKI, elliptic curve cryptography, and digital signatures, Computers and Security 18 (1) (1999) 47–66.
[8] S.A. Vanstone, R.J. Zuccherato, Elliptic curve cryptosystems using curves of smooth order over the ring Zn, IEEE Transactions on Information Theory 43 (4) (1997) 1231–1237.
[9] T. Okamoto, A. Fujioka, E. Fujisaki, An efficient digital signature scheme based on elliptic curve over the ring Zm, in: Advances in Cryptology—CRYPTO'92, 1992, pp. 54–65.
[10] Certicom, White Paper: Elliptic Curve Cryptosystems—Question & Answers, 1996.
[11] J. Guajardo, C. Paar, Efficient algorithms for elliptic curve cryptosystems, in: Advances in Cryptology—CRYPTO'97, Springer-Verlag, 1997, pp. 342–356.
[12] G. Seroussi, Elliptic curve cryptography, in: Information Theory and Networking Workshop, 1999, pp. 41–45.
[13] W.J. Caelli, E.P. Dawson, S.A. Rea, PKI, elliptic curve cryptography, digital signatures, Computers and Security 18 (1) (1999) 47–66.
[14] A. Jurisic, A.J. Menezes, Elliptic curves and cryptography. Available from:
[15] S.C. Kothari, Generalized linear threshold scheme, in: Proceedings of CRYPTO'84, Springer-Verlag, Berlin, 1984, pp. 231–241.
[16] C. Blundo, A. De Santis, D. Stinson, Graph decompositions and secret sharing schemes, in: Proceedings of EUROCRYPT'92, Springer-Verlag, Berlin, 1992, pp. 1–20.