ID-based Directed Threshold Multisignature Scheme from Bilinear Pairings

Transcription

1 P asudeva Reddy et al / Internatonal Journal on Computer Scence and Engneerng ol(), 9, based Drected Threshold Multsgnature Scheme from Blnear Parngs P asudeva Reddy, B Umaprasada Rao, T Gowr ( vasucrypto@yahoocom) ( buprasad@yahoocon ) (gowr3478@yahoocom) Department of Engneerng Mathematcs, Andhra Unversty, sakhapatnam, AP, Inda Department of Electroncs and communcaton Engneerng, ASCET, Gudur, AP, Inda Abstract - Mult sgnature s a sgnature scheme n whch sgners ontly generate a sgnature on a message Threshold multsgnature combnes the trats of threshold sgnature and multsgnature In threshold multsgnature, a group of users ontly generate a vald multsgnature on a message and any one can verfy the valdty of the multsgnature However, n some applcatons the sgned message s senstve to the sgnature recever Drected sgnature scheme allows only a desgnated verfer to check the valdty of the sgnature ssued to hm; and at the tme of trouble or f necessary, any thrd party can verfy the sgnature wth the help of the sgner or the desgnated verfer as well Due to ts merts, drected sgnature scheme s wdely used n stuatons where the recever s prvacy should be protected By combnng all these deas, n ths paper, we propose an -based Drected Threshold Multsgnature Scheme from blnear parngs To the best of our knowledge ths s the frst drected threshold multsgnature scheme n the -based settng from blnear parngs The securty of the proposed scheme s based on the Computatonal Dfe-Hellman Problem Also we have dscussed the securty propertes of the proposed scheme namely, robustness and unforgeablty I INTRODUCTION Dgtal sgnature s a cryptographc tool to authentcate electronc communcatons Dgtal sgnature scheme allows a user wth a lc key and a correspondng prvate key to sgn a document n such a way that anyone can verfy the sgnature on the document (usng her/hs lc key), but no one can forge the sgnature on any other document Ths self-authentcaton s requred for some applcatons of dgtal sgnatures such as certfcaton by some authorty In most stuatons, the sgner s generally a sngle person However, n some cases the message s sent by one organzaton and requres the approval or consent of several people In these cases, the sgnature generaton s done by more than one consentng person A common example of ths polcy s a large bank transacton, by one organzaton, whch requres the sgnature of more than one partner Such a polcy could be mplemented by havng a separate dgtal sgnature for every requred sgner, but ths soluton ncreases the effort to verfy the message lnearly wth the number of sgner To solve these problems, Multsgnature schemes [, 9,, 8] and threshold sgnature schemes [7, 8, 9, ] are used where more than one sgners share the responsblty of sgnng messages Threshold sgnature was ntroduced by Desmedt and Frankle [8] In ths paradgm, f t or more users collude, they can mpersonate any other set of users to generate sgnatures Ths case mples that a malcous subgroup of users can generate sgnatures wthout takng any responsblty To solve ths problem, the method of threshold multsgnatue s presented [5], whch combnes dea of threshold sgnature wth the dea of multsgnature It can prevent a group of malcous users from mpersonatng other users through the generaton of sgnatures In 984, Shamr ntroduced the concept of dentty based (-based) systems to smplfy key management procedures of CA-based Publc Key Infrastructure (PKI) [] Snce then, several based sgnature schemes have been proposed [,, 3, 5, 3, ] -based systems can be a good alternatve for CA-based systems from the vewpont of effcency and convenence -based systems have a property that a user's lc key can be easly calculated from hs dentty by a lcly avalable functon, whle hs prvate key can be calculated by a trusted Key Generaton Center (KGC) They enable any par of users to communcate securely wthout exchangng lc key certfcates, wthout keepng a lc key drectory, and wthout usng onlne servce of a thrd party, as long as a trusted KGC ssues a prvate key to each user when he frst ons the network 74

2 P asudeva Reddy et al / Internatonal Journal on Computer Scence and Engneerng ol(), 9, Recently, several threshold sgnature schemes from blnear parngs have been proposed Boldyreva proposed a robust proactve threshold sgnature scheme whch works any Gap Dffe-Hellman(GDH) group [3] Baek and Zheng formalzed the concept of dentty based threshold sgnature and gave the frst provably secure scheme [] Cheng et al proposed an -based sgnature from m-torson groups of super sngular ellptc curves [6] In these schemes, f t or more users collude, they can mpersonate any other set of users to generate sgnatures, whch s smlar to regular threshold schemes However, there are so many stuatons, when the sgned message s senstve to the sgnature recever Sgnatures on medcal records, tax nformaton and most personal/busness transactons are such stuatons Sgnatures used n such stuatons are called drected sgnatures [4, 3, 4, 6,7] In drected sgnature scheme, the sgnature recever has full control over the sgnature verfcaton process and can prove the valdty of the sgnature to any thrd party, whenever necessary Nobody can check the valdty of sgnature wthout hs cooperaton In ths paper, by combnng all these deas, we propose a dgtal sgnature scheme named as An based Drected Threshold Multsgnature from Blnear Parngs To the best of our knowledge there s no exstng dentty based drected threshold multsgnature scheme usng parngs We use Hess s -based sgnature scheme [3] as the base for our scheme The proposed scheme s secure aganst exstence forgery under adaptve chosen message attack n the random oracle model assumng Computatonal Dffe-Hellman Problem (CDHP) s hard The rest of the paper s organzed as follows In Secton, we descrbe background concepts on blnear parngs and some related mathematcal problems In Secton 3, we present our proposed based Drected Threshold Multsgnature Scheme (- DTMS) Secton 4, gves securty analyss of the proposed scheme Fnally, we conclude our work n secton 5 II PRELIMINARIES In ths secton, we wll brefly revew the basc concepts of blnear parngs and some related mathematcal problems, and then we ntroduce based lc key settng from blnear parngs Fnally, we wll ntroduce Baek and Zheng s computatonally verfable secret sharng scheme based on blnear parng (CSSBP) [] Blnear Parngs Let G be an addtve cyclc group generated by P whose order s a prme q, and G be a multplcatve cyclc group of the same order q A blnear parng s a map e: G G G wth the followng propertes: Blnear ab e( ap, bq) = e( P, Q), for all P, Q G and ab, Z q Non degenerate: There exsts that e( P, Q) ; PQ, G such 3 Computable: There s an effcent algorthm to compute e( P, Q) for all PQ, G Now we descrbe some mathematcal problems ng Dscrete Logarthm Problem (DLP): Gven two group elements Pand Qfnd an nteger n, such that Q = npwhenever such an nteger exsts Decsonal Dffe-Hellman Problem (DDHP): For a, b, c R Z q, gven P, ap, bp, cp, decde whether c abmod q Computatonal Dffe-Hellman Problem (CDHP): For abc,, R Z q, gven PaPbP,, compute abp We assume CDHP and DLP are ntractable When the DDHP s easy but the CDHP s hard on the group G we call G as a Gap-Dffe-Hellman (GDH) group based Publc-Key settng usng parngs -based lc key settng nvolves a Key Generaton Centre KGC and a group of users The basc operatons consst of Setup and Prvate Key Extracton (smply Extract) When we use blnear parngs to construct -based Publc Key Cryptography (PKC), Setup and Extract can be mplemented as follows: Let P be a generator of G Remember that G s an addtve group of prme order q and the blnear parng s gven by e: G G G Defne two cryptographc hash functons { } { } H :, G and H :, Z q Setup: KGC chooses a random number s Z q and sets P = sp KGC lshes system parameters params { G G e q P P, H H } =,,,,,,, and 75

3 P asudeva Reddy et al / Internatonal Journal on Computer Scence and Engneerng ol(), 9, keeps s as the master key, whch s known only by t self Extract: A user submts hs dentty nformaton to KGC KGC computes the user s lc key as Q = H ( ), and returns d = sq to the user as hs prvate key 3 CSSBP Scheme Baek and Zheng proposed a computatonally secure verfable secret sharng scheme based on blnear parng (CSSBP)[] Ths scheme wll be used to dstrbute a prvate key assocated wth an dentty nto a number of sgnature generaton servers { } Let G, G, e, q, P, P be a set of parameters, as defned n secton Suppose that a threshold t and the number of servers n satsfes t n To share a secret S G among n partes, a dealer performs the followng steps Chooses F, F, F t unformly at random from G and construct a polynomal-lke functon t (PLF) F ( x) = S xf x F t for x Z q and computes S = F() and verfcaton key Y = e( S, P) for =, n Note that S = S Sends S to user A secretly whle makng Y lc for =, n Broadcasts ( ) ( ) α = esp, and α = ef J, Pfor =, t 3 Each user A then checks whether ts share S t e S, P = Π= α s vald by computng ( ) III PROPOSED SCHEME (-DTMS) (-based Drected Threshold Mult sgnature Scheme) Suppose a system nvolves a trusted KGC, a desgnated combner DC and a group of users A, A, A n KGC s ncharge of settng system parameters { } parms = G, G, e, q, P, P, and computng all user s prvate keys Let be the dentty of the user A Let B be any user subset of sze t( B = t) For any B, we can defne Lagrange s nterpolaton B coeffcents λ, = Π Our -based B, scheme s descrbed as follows: Phase-I: Intalzaton KGC selects a random nteger s Z q and sets P = sp KGC computes lc key of A as ( ) ( ) ( ) Q = H ( ) and returns d = sq to the user as hs prvate key Wthout loss of generalty, let o s a trusted dealer TD, whch dstrbutes hs prvate key d o to n users TD ( ) e runs CSSBP to dstrbute d to n users Each user o A gets prvate share d (, ) from TD, smultaneously A gets hs prvate key d from (, ) (, ) KGC d and Y = e d, P G are prvate share and lc/verfable nformaton, we λb, have : Π Y = e( H ( ), P ) B Phase: Partal Sgnature Generaton Let M be the message to be sgned To generate the partal sgnature on M, each sgner A performs the followng steps: Step: Chooses a random nteger k, r Z q and computes K ( ) ( ) U (, = e P P), R = rq and L = e d, rq v and broadcast U, L, R and DC ( ) to the remanng ( t ) sgners Step: Computes U, L and R after recevng all U, L, R from A B as U = U, L = L B B and R = R B Step3: Also computes = h ( HU, ), = h ( HU, ),where H = H ( ML, ) And then B (, ) W = λ, d d K P computes as ( ) 76

4 P asudeva Reddy et al / Internatonal Journal on Computer Scence and Engneerng ol(), 9, The partal sgnature on message M s ( W, ) σ = Step4: Sends ( W, ) sgnature on message M σ = to DC as hs partal Phase3: Partal Sgnature erfcaton DC verfes that each ndvdual sgnature by checkng the equalty B, ( ( )) ( ), ),where U, λ, = h H U = e W P e Q P Y Phase4: Threshold Multsgnature Generaton If all the partal sgnatures are vald, DC combnes them to W, W = W Thus σ = ( W,, R) s a threshold multsgnature of message M Phase 5: Drect erfcaton On recevng the threshold multsgnature σ = ( W,, R) on message M, the desgnated verfer computes U = e( W, P) e( Q H ( )), P ) and ( ( )),, H = H M e d R v Accepts the threshold multsgnature f and only f = h H, U ( ) Phase6: Publc erfcaton Gven a threshold multsgnature σ = ( W,, R) on sgners denttes,, n, verfer v and message M, to enable a thrd party T to verfy t, ether DC (on behalf of sgners) or v computes Ad (, ) = e d R = L and sends t to T Then T v computes H = H ( M, Ad) and U = e( W, P) e( ( Q H ( )), P ) Accepts the threshold multsgnature f and only f = h( H, U) Correctness of the threshold multsgnature (, ) (( ( )), ) ) ewp e Q H P I ( ) (( ) ) = e W, P e Q H ( ), P ) (, ) ( λ B, ) (( ) ) =e d d K P, P e Q H ( ), P ) B (, ) λ, (, ) ( ( )),, ( ) ) = e d d P e K P P e Q H P (, ) B ( λ d, P) e( d P) e( KP P) e( ( Q H ) P ) =e,,, ( ), ) ( ) ( ) (( ) ) λb (, ), = ed (, P) e Q, P e KPPe, Q H( ), P ) ( ( ) P ) e( Q P ) e K P P e ( Q H ) =e H,, (, ) ( ), P ) ( ) ( ) (( ) ) K =e Q H ( ), P e ( ), ) (, ) Q H P e P P =U SECURITY ANALYSIS OF THE PROPOSED - DTMS To analyze the securty, the propertes of robustness and unforgeablty of the scheme should be consdered ) Unforgeablty: An adversary chooses the players he wants to corrupt n advance Here corrupton means that the adversary can manage to know the prvate key of the corrupted players Unforgeablty means that an adversary, even f havng corrupted up to t players of the group, cannot produce a vald par ( M, σ ), where M s a message havng never been sgned by the sgners ) Robustness: An adversary havng corrupted up to t players, or t co-operated malcous players of the group cannot prevent t from generatng a vald sgnature, Defnton : A threshold multsgnature scheme s called secure f t has the propertes of unforgeablty and robustness Theorem : The proposed -DTMS has the property of robustness Proof: The threshold multsgnature s reconstructed from at least t partal sgnatures The Desgnated Combner (DC) frst verfes all the partal sgnatures and then chooses the vald ones to reconstruct a threshold sgnature Even f havng corrupted up to ( t ) sgners, snce there s no way to get the t th vald partal sgnature, the adversary stll cannot produce a vald threshold sgnature Whle DC can get t vald partal sgnatures, thus can produce a vald threshold multsgnature 77

5 P asudeva Reddy et al / Internatonal Journal on Computer Scence and Engneerng ol(), 9, Theorem : The proposed -DTMS has the property of unforgeablty To prove the property of unforgeablty of the proposed -DTM scheme, we use the method gven by RGennaro et al [9], whch ndcates that a threshold multsgnature s unforgeable f the underlyng sgnature s secure and the threshold multsgnature s smulatable A threshold sgnature scheme s smulatable f the followng propertes hold: ) The prvate key generaton and dstrbuton protocol s smulatable That s, there s a smulator to smulate the vew of the adversary on the executon ) The threshold multsgnature generaton protocol as smulatable That s, there exsts a smulator to smulate the vew of the adversary on the executon of threshold multsgnature generaton The prvate key generaton and dstrbuton protocol n our scheme s a varant of the well-known Baek and Zheng s computatonally secure verfable secret sharng scheme (CSSBP)[] As dscussed n [5], we can easly prove that our threshold multsgnature generaton protocol s smulatable So, our -DTMS s smulatable Also, the underlng sgnature scheme [ 3 ], for the proposed scheme, s secure aganst exstentally forgery under adaptve chosen message attack and gven attack n the random oracle model by assumng Computatonal Dffe- Hellman Problem (CDHP) s hard Therefore, the proposed -DTMS s unforgeable Theorem 3: The proposed -DTMS s really a drected sgnature Proof: To verfy a threshold multsgnature σ = ( WR,, ), Ad = e( d v, R) = L must be avalable Therefore, only the desgnated verfer can verfy ts authentcty due to hs prvate key d v As far as a thrd party s concerned, to compute Ad s equvalent to solve the CDHP However, when a thrd party holds Ad wth the help of DC (on behalf of the sgners) or a desgnated verfer, he can easly verfy the multsgnature Hence the proposed -DTMS scheme s actually a drected sgnature scheme Conclusons We proposed an -based Drected threshold Multsgnature Scheme (-DTMS)from blnear parngs Ths scheme s applcable when the sgned message s senstve to the sgnature recever; and sgnatures are generated by the cooperaton of a number of people from a gven group of senders In ths scheme, any malcous set of sgners cannot mpersonate any other set of sgners to forge the sgnatures The proposed -DTMS scheme s robust and s unforgeable n the random oracle modal by assumng the CDH problem s hard References [] JBaek and YLZheng, Identty-Based Threshold Sgnature Scheme from the Blnear Parngs, TCC 4, IEEE Computer Socety,, 4, pp4-8 [] ABoldyreva, Threshold sgnatures, Multsgnatures, and blnd sgnatures based on GDH group sgnature scheme, In proceedngs of PKC, LNCS 567, 3, pp3-46, Sprnger- erelag, Berln [3] JCCha and JHCheon, An dentty-based sgnature from gap Dffe-Hellman groups, Publc Key Cryptography- PKC3, LNCS 567, Sprnger-erlag, 3, pp8-3 [4] DChaum, Desgnated confrmer sgnatures, Advances n Cryptology EUROCRYPT 94, LNCS 95, Sprnger- erlag, 994, pp 86 9 [5] XFChen, FGZhang and KKm, A New -based Group Sgnature Scheme from Blnear Parngs, In Proceedngs of WISA'3, LNCS 98, Sprnger-erlag, 3, pp [6] XGCheng, JMLu and XMWang, An Identty-Based Sgnature and Its Threshold erson, Advanced Informaton Networkng and Applcatons-AINA'5, IEEE, 5, pp [7] YDesmedt, Threshold cryptography, European Transactons on Telecommuncatons and Related Technologes ol 5, No 4, 994, pp35 43 [8] YDesmedt and YFrankel, Shared Generaton of Authentcators and Sgnatures, Advances n Cryptology- Crypto 9, LNCS 576, Sprnger-erlag, 99, pp [9] RGennaro, SJareckKrawczyk and TRabn, Robust threshold DSS sgnature, Advances n EuroCrypto 96,LNCS 7, Sprnger erlag, 996, pp [] THardono and YZheng, A practcal Dgtal Multsgnature Scheme Based on DLP, Advance n cryptology Auscrypt- 9, 99, pp 6 [] LHarn, (t, n) Threshold sgnature scheme and dgtal multsgnature, Workshop on cryptography and Data securty, Proceedngs, Chung Cheng Insttute of Technology, ROC,June 7-9,993, pp6-73 [] LHarn and TKesler, New Scheme for Dgtal multsgnatures, Electronc Letters 5(5), 989, pp- 3 [3] FHess, Effcent dentty based sgnature schemes based on parngs, Selected Areas n cryptography, SAC, Sprnger-erlag, 3, pp3-34 [4] WBLee and CCChang, (t, n) Threshold Dgtal Sgnature wth Traceablty Property, Journal of Informaton Scence and Engneerng, ol5, No5, 999, pp [5] CL, THwang, and NLee, Threshold-Multsgnature Schemes where Suspected Forgery Imples Traceablty of Adversaral Shareholders, Advances n Cryptology- Eurocrypt'94, LNCS 95, Sprnger-erlag, 995, pp 94-4 [6] RLu, ZCao, A drected sgnature scheme based on RSA assumpton, Internatonal Journal of Network Securty (3), 6, pp8 86 [7] RLu, XLm, ZCao, JShao, XLang, New (t,n) threshold drected sgnatures schemes wth provable securty, Informaton Scences 78, 8, pp56-65 [8] KOhta and TOkamoto, A dgtal multsgnature scheme based on Fat-Shamr scheme, Advance n Cryptology Asacrypt-9, 99, pp

6 P asudeva Reddy et al / Internatonal Journal on Computer Scence and Engneerng ol(), 9, [9] TOkamoto, A dgtal Mult-sgnature scheme usng bectve PKC, ACM transactons on computer systems, ol6, No8, 988, pp [] KGPaterson, -based Sgnatures from Parngs on Ellptc Curves, IEEE Communcatons Letters, ol38, No8,, pp5-6 [] RSaka, KOhgsh and MKasahara, Cryptosystems Based on Parng, The Symposum on Cryptography and Informaton Securty-SCIS', Oknawa, Japan,, pp6-8 [] AShamr, Identty-based cryptosystem and sgnature scahemes, In: BlakleyGR, ChaumD (eds) Advances n cryptology Proceedngs of Crypto 84, Lecture Notes n Computer Scence, vol96, 985, pp47-53, Sprnger, Berln [3] Sun, JL, GChem, Yang, Identty based drected sgnature scheme from blnear parngs, In IACR Crypology eprnt Archve Report 8/35 [4] Sunderlal and Mano Kumar, A drected sgnature scheme and ts applcatons, Proceedngs of Natonal conference on Informaton Securty, Newyork, 8-9 Jan 3, pp 4-3 [5] C Xangguo, LJngme, WXnme, An Identty-based Sgnature and ts Threshold erson, Proceedngs of AINA- 5, IEEE, 5 79