Embed Size (px)
Citation preview
computer communicatbns
ELSEVIER Computer Communications 19 (1996) 851-856
Research note
Two ID-based multisignature protocols for sequential and broadcasting architectures
Tzong-Chen Wu *, Shu-Lin Chou, Tzong-Sun Wu
Department of Information Management, National Taiwan Institute of Technology, Taipei, 107 Taiwan, ROC
Received 20 July 1995
Abstract
Based on the difficulty of factorization problem, two ID-based digital multisignature protocols are proposed, one suitable for the sequential architecture and the other for the broadcasting architecture. Both protocols have common characteristics: (1) the size of multisignature is fixed, despite the number of participants increasing; (2) it is easy to implement the multisignature generation and verification procedures; (3) the key management among participants is simplified. As for the sequential multisignature protocol, it additionally has the following characteristics: (4) the signing order (if necessary) can be flexibly defined by the system or the document issuer in advance, without affecting the predefined setup parameters; (5) each signer can easily verify the partial multisignature produced by all preceding signers; also, each signer can check whether all preceding signers have indeed signed the document.
Keywordr: Digital multisignature; ID-based cryptosystem; Factorization; Discrete logarithms; One-way hashing function
1. Introduction
In computer communication systems, for electronic documents it is vital to preserve the properties of security and sensitivity, especially in government, business, diplomacy and military activities. The use of a digital signature achieves the requirements for document iden- tification and verification [l-3]. However, in some prac- tical applications many signatories need to sign a document. For example, an important contract should be approved and signed by the financial, marketing and warehouse managers, and then be verified by the custo- mer. A digital multisignature scheme can be used for this purpose.
For signing a document by many signatories, two approaches can be adopted: the sequential and broad- casting approaches. In the sequential approach, the document creator (issuer) creates the document and transmits it to the first signer. The signing order can be predefined by the issuer, or it can be arbitrarily deter- mined by the participant signers themselves before signing. Each signer sends his partial multisignature (with respect to all preceding signers and himself) to the next successive signer for further signing. When all
* Corresponding author.
0140-3664/96/%15.00 0 1996 Elsevier Science B.V. All rights reserved
PZZ SO140-3664(96)01108-5
participant signers finished the signing process sequen- tially, a multisignature with respect to all participant signers is obtained, and this can be verified by the verifier. Fig. 1 shows the sequential multisignature architecture.
In the broadcasting approach, the issuer broadcasts the document to all participant signers simultaneously. Each participant signer signs the document individually and sends his signature to a collector, whose task it is to produce a multisignature with respect to all participant signers. The multisignature generated by the collector can then be verified by the verifier in the same way as in the sequential approach. Fig. 2 shows the broadcast- ing multisignature architecture. The advantage of the broadcasting approach is that it reduces communication costs; the sequential approach allows each signer to verify the partial multisignature with respect to all pre- ceding signers.
In the past decade, several digital multisignature schemes [4-81 have been developed. Itakura and Nakamura [6] first proposed a multisignature scheme based on an extended RSA scheme [2]. The Itakura- Nakamura scheme has the disadvantage that the signing order is restricted to the system setup stage. Okamoto [8] improved the Itakura-Nakamura scheme by using one-way hashing functions and bijective public key
852 T.-C. Wu et aLlComputer Communications 19 (1996) 851-856
issuer L signers
verifier
Fig. 1. Sequential multisignature architecture.
cryptosystems. In the Okamoto scheme, the signing order can be flexibly defined by the system without interfering with the system parameters. However, the Okamoto scheme needs to use an interactive protocol for verifying the multisignature. Both the Itakura- Nakamura and Okamoto schemes have the disadvantage that the size of the multisignature increases proportion- ally when the number of signers increasing. Based on a modified RSA scheme, Harn and Kiesler [5] proposed a multisignature scheme that produces a constant size of multisignature despite the number of signers increasing. However, in the Harn-Kiesler scheme, the signing order is restricted to the system setup stage, and the processing time of the multisignature generation and verification procedures depends on the number of signers, i.e. the more signers involved, the more computational time is required for multisignature generation and verification. Recently, Boyd [9] and Ohta and Okamoto [7] separately proposed fast digital multisignature schemes based on the zero-knowledge scheme of Fiat and Shamir [l]. In Boyd’s scheme, the verification procedure is identical to the verification of an individual signature for the under- lying scheme. However, the Ohta-Okamoto scheme requires two interactive loops among all participant signers to generate a multisignature. Hardjono and Zheng [4] proposed a digital multisignature scheme based on discrete logarithms. In the Hardjonon-Zheng scheme, the signing order can be flexibly defined by the document issuer or the system. In addition, the verifier can easily verify the multisignature and check out whether all preceding signers have indeed signed the document.
All the multisignature schemes mentioned above can only be suitably employed by the sequential architecture. As for the broadcasting architecture, these schemes require further modification in their multisignature gen- eration and verification procedures. Recently, Harn [lo]
Ul @e issuer >
\_ collector verifier
n
signers
Fig. 2. Broadcasting multisignature architecture.
proposed a multisignature scheme based on ElGamal’s scheme. Harn’s scheme is suitable for the broadcasting architecture, however, Harn’s scheme requires two inter- active broadcasts for multisignature generation.
In some applications, such as a level-based respon- sibilities organization, each signer should follow the sign- ing order defined by the document issuer (or the system), and the signer may first verify the partial multisignature produced by all preceding signers before signing. For such a case, the multisignature scheme should provide the participant signers with the capability of verifying the partial multisignatures produced by all the preceding signers. However, most of the previously proposed multisignature schemes do not offer such a capability.
An ID-based digital signature scheme has the advan- tage that it enables any pair of signers to verify each other’s signatures without exchanging private or public keys, without keeping key directories, and without using the services of a third party [3,11]. The verifier only needs to know the signer’s identity to verify the signature pro- duced, hence the key management problem is simplified. In this paper, we propose two ID-based multisignature protocols for the sequential and broadcasting architec- tures, respectively. These protocols have in common the following characteristics:
(1) the size of the multisignature is fixed, despite the number of signers increasing;
(2) it is easy to implement the multisignature generation and verification procedures;
(3) the key management among participant signers is simplified.
As for the sequential multisignature protocol, it addi- tionally has the following characteristics:
(4) the signing order (if necessary) can be flexibly defined by the system or the document issuer in advance, without affecting the predefined setup parameters;
(5) each signer can easily verify the partial multisignature produced by all the preceding signers before signing; also, each signer can check whether all the preceding signers have indeed signed the document.
2. Proposed multisignature protocols
In this section, two ID-based multisignature protocols (the sequential multisignature protocol and the broad- casting multisignature protocol) are proposed. For con- venience, we divide each multisignature protocol into three stages: the initial stage; the multisignature genera- tion stage; and the multisignature verification stage. Both protocols use the same initial stage to set up the signing environment. However, the multisignature generation and verification procedures for each protocol are some- what different.
T.-C. Wu et al/Computer Communications 19 (1996) 851-856 853
Three main roles exist in our proposed protocols: the document issuer; the signers; and the verifier. The tasks of the document issuer are to create a document that needs to be signed, and to originate the multisignature process. The document issuer does not participate in signing the document; only the participant signers can sign. Note that the setup of a participant signers’ signing order is only considered in the sequential multisignature protocol, and it should first be published to all the parti- cipant signers before proceeding with the multisignature generation stage. The signing order for the participant signers can be flexibly defined by the document issuer, or the signers themselves, or by the system according to its specific applications, such as in a level-based responsibil- ities organization. The task of the verifier is to verify the multisignature produced by the predefined signers, regardless of the predefined signing order. Further, the verifier can check whether all the participant signers have indeed signed the document. In the sequential multi- signature protocol, each signer can verify the partial multisignature produced by all the preceding signers before he agrees to sign the document. In the broadcast- ing multisignature protocol a collector is needed. The tasks of the collector are to collect the signatures pro- duced by each of the participant signers and then to generate the multisignature with respect to all participant signers as a whole. Naturally, the collector is assumed to be trusted by all the participant signers and the verifier.
Initial stage Let U, be the document issuer, U,, be the signature
verifier and Ut, U,, . . . , U,, be the participant signers. By Chen and Hwang’s ID-based system [12], the system proceeds with the following steps to set up the signing environment:
Step 1. Choose a large number N = Pi . P2. P3. P4, where Pi, 1 5 i 5 4, are primes satisfying the condition that (Pi - 1)/2 are odd and relatively prime.
Step 2. Choose two integers e and d in Z,, such that
e-d = l(modL), (1)
where L = Zcm(PI - 1, P2 - 1, P3 - 1, P4 - 1). Step 3. Choose a primitive element (Y over GF(Pi), for
1 < i 5 4, and compute
T = 8(mod N). (2)
Step 4. Choose a one-way hashing function h, such that 1 2 h(x) < 4(N) for all x, where 4 is the Euler’s totient function.
Step 5. Publish N, W, T and h, and secretly keep P,, P2, P3, P4 and d.
Step 6. For each signer Ui with the identity ID;, com- pute a secret key S; such that
asi = ZD?(mod N). (3)
Here, the assigned identity IDi should satisfy ZDf # l(mod N).
Step 7. Send the secret key S; to Vi through a secure channel.
Note that in Step 6, the discrete logarithm S; of ZDf modulo N to the base a is the smallest non-negative integer such that os’ = ZD?(modN), and Si can be obtained by computing the discrete logarithm x; satisfy- ing (yxi = ZD?(mod P,), for i = 1, 2, 3,4, and solving the system
s;=xi(modPt - 1)
S; = x2(mod P2 - 1)
S; = xs(mod P3 - 1)
S; = xq(mod P4 - 1)
by the Chinese Remainder Theorem (CRT). As sug- gested by Maurer and Yacobi [6], the length of Pi is chosen to be 60-70 digits such that computing discrete logarithms module each Pi is feasible, but factoring the product of Pi’s is completely infeasible. That is, given ZDi, computing si from Eq. (3) is as difficult as factoring the composite N.
After finishing the initial stage, each signer Ui owns a secret key si and a public identity ZDi. In the following, the multisignature generation and verification stages for the sequential multisignature protocol and the broadcasting multisignature protocol are described, respectively.
2.1. Sequential multisignature protocol
Let D be the document that needs to be signed by the signers U, , U,, . . . , U,,. Before signing, the document issuer U, defines the signing order, say (U,, U2, . . , U,,), and publishes the signing order to all participant signers. The multisignature generation and verification stages for the sequential protocol are stated as follows.
Multisignature generation stage For originating the multisignature generation proce-
dure, the document issuer UI first sets a dummy multi- signature SGo = 1 and then sends {D, SGO} to the first signer U1. For each signer Vi receiving {D, SGi_1 }, he performs the following steps to sign the document D:
Step 1. Compute
M. = TS”h(D)(mod N) I (4)
and
SG; = SG;_t *M;(mod N). (5)
Step 2. Send {D, SGi} to the next signer Ui+l.
Here, M; is the signature for D with respect to Ui, SG; is regarded as the partial multisignature for D with
854 T.-C. Wu et al./Computer Communications 19 (1996) 851-856
respect to signers Ui, U,, . . . , Ui. We may rewrite Eq. (5) as
SGi = ~ Mj(mod N). j=l
(6)
Multisignature verification stage When Ui receives {D, SGi_ I} , he may first verify the partial multisignature SGi_i produced by the preceding signers
WI, u,,..., Ui_l before deciding to sign. Ui can verify SGi_i by checking whether the following equation holds:
(SGi_l)e . WY
= l(modN).
If it holds, then Ui accepts SGi_i as the partial multi- signature with respect to the preceding signers Ui,
f-J,,...> Ui_1. Otherwise, SG,_I is invalid, which may indicate that some of the preceding signers have omitted to sign or produce an invalid signature.
When the last signer U,, have signed, he sends {D, SG,} to the verifier. Here, SG, is the multisignature for D with respect to all participant signers. Afterwards, the verifier U, can verify SG, by checking whether the following equation holds:
(SGJ .
h(D)
= l(modN).
Now, we show how Eqs. (7) and (8) indeed work:
by Eq. (6)
TSj’h(D)‘e(modN) by Eq. (4) j=l
=fJa -d’~‘h(D)~e(modN) by Eq. (2) j=l
(8)
= fI q+h(“)-’ (modN) by Eq. (3) j=l
= fiIDJ2’h(D)(modN) j=l
That is,
by Eq. (1)
( SGi)e *
h(D)
= l(modN).
2.2. Broadcasting multisignature protocol
Let U,, U, and D be defined the same as in the sequential multisignature protocol. Let U, be the
collector. For originating the multisignature signing process, U, first defines the participant signers, say G={U,,U2 ,..., Un}, and then broadcasts {D, G}.
Multisignature generation stage For each Ui in G, he performs the following steps to
sign D:
Step 1. Compute Mi by Eq. (4). Step 2. Send {D, Mi} to U,.
Here, Mi is the signature with respect to Ui. When U, receives the signatures’ Mis for D sent from each of the participant signers, he computes the multisignature SG for D with respect to all participant signers as
SG = fi Mi(mod N). i=l
After that, U, sends {D, SG) to the verifier.
Multisignature verification stage The verifier U, verifies the multisignature SG sent
from U, by checking whether the following equation holds:
h(D) SG”. = l(modN). (IO)
As in the sequential multisignature protocol, it can be seen that Eq. (10) does indeed work.
3. Analysis
The cryptoanalysis and computational complexity of the proposed protocols are analysed below.
3.1. Cryptoanalysis
The security issues considered for the proposed proto- cols are:
(1) It is hard to deduce the system’s secret parameters from public information.
(2) It is hard to deduce the signer’s secret key from public information.
(3) It is hard to deduce the signer’s secret key from partial multisignature(
(4) It is hard to forge a signature for any signer without knowing his secret key. Also, it is hard to forge a multisignature for any set of signers without knowing their secret keys.
(5) The verifier can detect whether some participant signer(s) have omitted to sign the document.
Both security issues (1) and (2) are covered by the Maurer-Yacobi scheme [13]. We only discuss security issues (3)-(5) in the following.
T.-C. Wu et al./Computer Communications I9 (1996) 851-856 855
Issue (3) Consider the sequential multisignature protocol. An
adversary may obtain the signature Mi for D with respect to Ui by observing the partial multisignatures SGi_l and SGi. Knowing Mi, one possible way for computing the signer’s secret key can be deduced from Eq. (4). Given Mi, D, T, N and h, the adversary should first know the factorization of N for computing Si [13]. However, it is based on the factorization problem, such as the RSA scheme [2]. For the same reason, in the broadcasting multisignature protocol, the difficulty of computing a signer’s secret key from Eq. (4) is based on the factoriza- tion problem.
Issue (4) By Eq. (4), we know
M. = TS”h(D)(modN) 2
= (cy-d)S”h(D)(modN)
= (ID?)Pe~“hiD)(mod N).
Hence, if an adversary wants to compute the signature Mi for D with respect to lJi, he should first know Si or e-‘(mod 4(N)). H ere, d = F1 (mod 4(N)). However, the difficulty of computing Si or d is based on issues (1) and (2). Further, consider the case in which the adversary wants to forge the partial multisignature SGi for D with respect to Ui, U,, . . . , Ui in the sequential multisignature protocol. To pass the check (i.e. Eqs. (7) or (8)) in the multisignature verification procedure, the adversary should compute a forgery partial multisignature SGT satisfying
h(D)
(mod N). (11)
However, without knowing d, the adversary cannot com- pute such an SG; by Eq. (11). For the same reason, an adversary cannot compute the signature Mi for D with respect to Ui or forge a multisignature SG* with respect to u,, u,, . . . , U,, in the broadcasting multisignature pro- tocol. Note that even a conspiracy attack on revealing the system or the signer’s secret information cannot work, since Eq. (4) is linearly independent.
Issue (5) Suppose a signer, say Ui, intentionally or unintention-
ally omitted to sign the document. In the sequential multisignature protocol, two possible ways of producing the signing omission for Ui may be considered. The first (unintentionally omitting to sign the document) is that Ui-1 directly sends {D, SGi_1) to Vi+, for signing, with- out passing through Ui. The second way (intentionally omitting to sign the document) is that Ui sends (0, SGi_1) to U,+l for pretending that he has signed the document, so that Vi+1 will regard the received
SGi_i as the partial multisignature with respect to U,,
u,,..., Ui. Now, we explain that the above two tricks cannot pass the check in the multisignature verification procedure. In order to pass the check each Ui’S signature A4i should satisfy
(Mi)e *IDF’h(D) = l(mod N). (12)
By Eq. (12), if Ui omitted to sign the document, then it implies Mi = 1. To pass the check in Eqs. (7) or (8) we know ID ? ’ h(D’ = l(modN). Since ZDf #
1 I h(D& 4(N),
l(mod N) and we conclude ID T. h(D) # l(modNL
which is a contradiction. Hence, wi;h the omission of the participant signer Vi, the produced partial multi- signature SGi cannot pass the check in the multisignature verification procedure. As for the broadcasting multi- signature protocol, the case of the omission of a certain signer should be notified by the trusted collector before producing the final multisignature.
3.2. Computational analysis
Let Th, TexP and Tmul be the execution time for a one- way hashing function h, exponential and muhiplicative operations over modulo N, respectively. The computa- tional complexities for the multisignature generation and verification procedures are analysed as below.
Consider the sequential multisignature protocol. Each signer requires (Th + TexP + 2T,,,) time for generating the partial multisignature. If each Vi precomputes the value Tq (mod N) in Eq. (4) before originating the multi- signature generation stage, then each signer only requires (Th + TexP + Tmu,) time for generating the partial multi- signature. As to the multisignature verification stage, it requires (Th + 2T,,, + iT,,,) time for verifying the par- tial multisignature SGi. However, if the signer Ui (or the verifier) precomputes the value ni:ii ID; (mod N) (or njn=t ZDj(modN)) h k w en nowing the preceding signers, then the time for verifying the partial multisignature SGi is greatly reduced to (Th + 2T,,, + T,,,).
Next, consider the broadcasting multisignature proto- col. Each signer requires (Th + TexP + T,,,) time to gen- erate the signature Mi, and the collector U, needs
(n - ~)T,,I time to compute the multisignature SG with respect to n participant signers. As for the multi- signature verification stage, the verifier needs (Th + 2T,,, + (n + l)T& time for verifying SG. Again, if the verifier precomputes the value ny=, IDj(modN) h k w en nowing the participant sign- ers, then it only requires (Th + 2T,,, + Tmul) time for verifying the multisignature SG.
4. Conclusions
We have presented two ID-based multisignature pro- tocols based on the difficulty of factorization problem.
856 T.-C. Wu et al/Computer Communications 19 (1996) 851-856
One is suitable for the sequential architecture, and the other is suitable for the broadcasting architecture. We have also shown that the proposed protocols have the cnaracteristics listed in Section 1.
As analysed in Section 3, the multisignature genera- tion and verification procedures can be implemented practically. In addition, if proper precomputation is taken by the signers (or the verifier) when knowing the preceding signers (or the participant signers), then the time complexities for the multisignature generation and the multisignature verification stages can be reduced further.
[ill
[121
1131
L. Harn and S. Yang, ID-based cryptographic schemes for user
identification, digital signature, and key distribution, IEEE J.
Selected Areas Commun., 1 l(5) (1993) 757-760.
J.L. Chen and T. Hwang, Identity-based conference key broadcast
schemes with authentication, Computers & Security, 13 (1994) 53-
57.
U.M. Maurer and Y. Yacobi, Non-interactive public key crypto-
graphy, Advances in Cryptology - Eurocrypto ‘91, 1992, pp.
4988507.
References
111
PI
131
141
[51
161
t71
181
191
1101
A. Fiat and A. Shamir, How to prove yourself: practical solutions
to identification and signature problem, Advances in Cryptology
- CRYPT0 ‘86, Springer-Verlag, 1987, pp. 186-194.
R. Rives& A. Shamir and L. Adeleman, A method for obtaining
digital signature and public-key cryptosystem, Commun. ACM,
21(2) (1978) 120-126.
A. Shamir, Identity-based cryptosystems and signature schemes,
Advances in Cryptology - CRYPT0 ‘84, Springer-Verlag, 1985,
pp. 47-53.
T. Hardjono and Y. Zheng, A practical digital multisignature
scheme based on discrete logarithms, Advances in Cryptology
- AUSCRUPTO ‘92, Springer-Verlag, 1993, pp. 16-21.
L. Harn and T. Kielser, New scheme for digital multisignatures,
Electr. Lett., 25(15) (1989) 1002-1003.
K. Itakura and K. Nakamura, A public-key cryptosystem suitable
for digital multisignatures, NEC Res. and Develop., 71 (1983) 1-8.
k. Ohta and T. Okamoto, A digital multisignature scheme based
on Fiat-Shamir scheme, Advances in Cryptology - ASIA-
CRYPT ‘91, Springer-Verlag, 1992, pp. 75-79.
T. Okamoto, A digital multisignature scheme using bijective
public-key cryptosystems, ACM Trans. Computer System, 6(8)
(1988) 432-441.
C. Boyd, Multisignature based on zero knowledge schemes, Electr.
Lett., 27(22) (1991) 2002-2004.
L. Harn, New digital signature scheme based on discrete loga-
rithms, Electr. Lett., 30(5) (1994) 396-398.
Tzong-Chen Wu received a BS in information engineering from the National Taiwan Univer- sity, Taiwan in 1983, an MS in applied mathe- matics from the National Chung Hsing University, Taiwan, in 1989, and a PhD in com- puter science and information engineering from the National Chiao Tung University, Taiwan in 1992. Since 1992 he has been Associate Profes- sor in the Department of Information Manage- ment, National Taiwan Institute of Technology, Taiwan. His current research
interests include cryptography and data security, network manage- ment, pattern recognition and data engineering techniques.
Shu-Lin Chou received a BS in business mathe- matics from Soochow University, Taiwan in 1993, and an MBA in information management from the National Taiwan Institute of Tech- nology, Taiwan in 1995. His research interests include cryptography and security management.
Tzong-Sun Wu received a BS in electrical engi- neering from the National Taiwan University, Taiwan in 1990, and is now a doctoral candi- date in the Department of Information Management, National Taiwan Institute of Technology, Taiwan. His research interests include computer security and network management.
