
Threshold forward-secure signature scheme

From the document 金鑰演化密碼學之研究 (pp. 68-75)

Our threshold forward-secure signature scheme, denoted TFSS, is a key-evolving $(t, s, n)$-threshold signature scheme consisting of four procedures: TFSS.key, TFSS.update, TFSS.sign and TFSS.verify, where $t$ is the maximum number of corrupted dealers, $s$ is the minimum number of alive dealers needed to compute a signature, and $n$ is the total number of dealers. In our scheme we set $s = t + 1$ and $n \ge 2t + 1$. A manager presides over the scheme.

TFSS.key. It takes as input a security parameter $l$ and outputs the public key together with each dealer $D_i$'s initial secret-key share $SK_{i,0}$ and public-key share $PK_{i,0}$.

1. Select $N$ as in the system setting.

2. The manager randomly selects $S_{i,0} \in \mathbb{Z}_N$ (invertible modulo $N$, since its inverse is taken), $1 \le i \le n$, and computes $U_{i,0} = 1/S_{i,0}^{2^{l(T+1)}} \bmod N$, $S_0 = \prod_{i=1}^{n} S_{i,0} \bmod N$, and $U = 1/S_0^{2^{l(T+1)}} \bmod N$. Note that $U = \prod_{i=1}^{n} U_{i,0} \bmod N$.

3. The system's initial secret key is $SK_0 = (N, T, 0, S_0)$ and the public key is $PK = (N, U, T)$.

4. Each dealer $D_i$'s initial secret-key share is $SK_{i,0} = (N, T, 0, S_{i,0})$ and its public-key share is $PK_{i,0} = (N, U_{i,0}, T)$.

5. Each dealer $D_i$ shares its $S_{i,0}$ with the other dealers by the $(t, n)$-VSS procedure.

TFSS.update. At the end of time period $j$, all dealers take part in the procedure to update their shares. Each dealer updates its secret-key and public-key shares from $S_{i,j}$ and $PK_{i,j}$ to $S_{i,j+1}$ and $PK_{i,j+1}$.

1. Each dealer $D_i$ randomly selects $n-1$ numbers $s_{i,1}, s_{i,2}, \ldots, s_{i,n-1}$ over $\mathbb{Z}_N$ and computes $s_{i,n} = S_{i,j} / \prod_{k=1}^{n-1} s_{i,k} \bmod N$, so that $\prod_{k=1}^{n} s_{i,k} = S_{i,j} \bmod N$.

2. Each dealer $D_i$ sends $s_{i,k}$ to $D_k$ privately and publishes $\hat{s}_{i,k} = 1/s_{i,k}^{2^{l(T+1-j)}} \bmod N$, $1 \le k \le n$.

3. Each dealer $D_k$ checks the validity of the published values by $U_{i,j} = \prod_{r=1}^{n} \hat{s}_{i,r} \bmod N$ for $1 \le i \le n$, $i \ne k$. Dealer $D_k$ also checks the validity of the secret $s_{i,k}$ it received by $1/s_{i,k}^{2^{l(T+1-j)}} \bmod N = \hat{s}_{i,k}$. If one of the checks fails, all other dealers recover the secret $S_{i,j}$ by the Recovery procedure.

4. Dealer $D_i$'s new secret-key share is $S_{i,j+1} = \left(\prod_{k=1}^{n} s_{k,i}\right)^{2^l} \bmod N$ and the corresponding public-key share is $U_{i,j+1} = \prod_{k=1}^{n} \hat{s}_{k,i} \bmod N$. Multiplying over $i$ gives $\prod_{i=1}^{n} S_{i,j+1} = S_j^{2^l} = S_{j+1}$ and $\prod_{i=1}^{n} U_{i,j+1} = U$, so the system key evolves by the $2^l$-th power while the public key is unchanged.

5. Dealer $D_i$ shares $S_{i,j+1}$ with the other dealers by the $(t, n)$-VSS procedure.

We use NIProof-SS$(g, t, g^{S_{i,j+1}}, S_{i,j+1}^{t})$ to verify whether $D_i$'s action is correct, where the exponent argument is $t = -2^{l(T-j)}$ (this $t$ is an exponent, not the corruption threshold) so that $S_{i,j+1}^{t} = U_{i,j+1}$. If the proof is correct and the $(t, n)$-VSS procedure succeeds, all dealers delete their old secret-key shares; otherwise, the secret of $D_i$ is reconstructed.

TFSS.sign. At time period $j$, all dealers sign a message $M$ in a distributed way with the following steps.

1. Each dealer $D_i$ selects $R_i \in \mathbb{Z}_N$ randomly and publishes $Y_i = R_i^{2^{l(T+1-j)}} \bmod N$ together with NIProof-SS$(g, 2^{l(T+1-j)}, g^{R_i}, Y_i)$. Then it shares $R_i$ with the other dealers via the $(t, n)$-VSS procedure with polynomial $f_i(x)$. If NIProof-SS or the $(t, n)$-VSS procedure fails, set $R_i = 1$ and run the Recovery procedure to recover the secret-key share $S_{i,j}$ of $D_i$.

2. Each dealer $D_i$ computes $Y = \prod_{i=1}^{n} Y_i \bmod N$ and $\sigma = H(j, Y, M)$, and publishes its partial signature $Z_i = R_i S_{i,j}^{\sigma} \bmod N$.

3. Each dealer $D_i$ verifies the validity of another dealer $D_k$'s partial signature by computing $Y'_k = Z_k^{2^{l(T+1-j)}} U_{k,j}^{\sigma} \bmod N$ and checking whether $Y'_k = Y_k$. If the verification fails, all other alive dealers run the Recovery procedure to recover the secret-key share $S_{k,j}$ and $R_k$ of $D_k$ and compute the partial signature $Z_k$ themselves.

4. Combine all partial signatures into $Z = \prod_{i=1}^{n} Z_i \bmod N$; the signature of $M$ at time period $j$ is $(j, Z, \sigma)$. A verifier holding $PK$ recomputes $Z^{2^{l(T+1-j)}} U^{\sigma} \bmod N$, which equals $Y$ whenever every check of step 3 passes (multiply the $n$ checks and use $\prod_k U_{k,j} = U$), and accepts if this value hashes with $j$ and $M$ to $\sigma$.
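The three procedures above, run end to end on a toy instance. This is an added example, not code from the thesis: the modulus is a constructed product of two tiny Blum primes, $l = 16$, $T = 3$ and $n = 2t + 1 = 3$ are my choices, $H$ is assumed to be SHA-256 truncated to $l$ bits, and NIProof-SS, the $(t, n)$-VSS sharing and the Recovery procedure are not modelled, only the public consistency checks of update step 3 and sign step 3. The verification at the end is the single-user check a holder of $PK$ performs.

```python
import hashlib
import random
from math import gcd

# Constructed toy parameters: p, q are Blum primes (3 mod 4), far too small
# for real use.  l = 16 so that 2^l = 65536, T = 3 periods, n = 2t + 1 = 3.
P, Q = 167, 179
N = P * Q
L, T = 16, 3
N_DEALERS, T_CORRUPT = 3, 1


def exp_for(j):
    """2^{l(T+1-j)}: the exponent that maps a period-j secret to the public key."""
    return 2 ** (L * (T + 1 - j))


def rand_unit(rng):
    while True:                       # secrets must be invertible mod N
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:
            return x


def inv(x):
    return pow(x, -1, N)


def prod(xs):
    r = 1
    for x in xs:
        r = r * x % N
    return r


def H(j, Y, M):
    """sigma = H(j, Y, M), truncated to l bits (assumption: l-bit hash output)."""
    h = hashlib.sha256(f"{j}|{Y}|{M}".encode()).digest()
    return int.from_bytes(h[: L // 8], "big")


def tfss_key(rng):
    """TFSS.key: S_{i,0}, U_{i,0} = 1/S_{i,0}^{2^{l(T+1)}}, and U = prod_i U_{i,0}."""
    S = [rand_unit(rng) for _ in range(N_DEALERS)]
    U_i = [inv(pow(s, exp_for(0), N)) for s in S]
    return S, U_i, prod(U_i)


def tfss_update(S, U_i, j, rng):
    """TFSS.update at the end of period j; returns (S_{i,j+1}, U_{i,j+1})."""
    n, e = len(S), exp_for(j)
    s = [[0] * n for _ in range(n)]        # s[i][k]: D_i's private piece for D_k
    s_hat = [[0] * n for _ in range(n)]    # s_hat[i][k] = 1/s[i][k]^{2^{l(T+1-j)}}
    for i in range(n):                     # steps 1 and 2
        parts = [rand_unit(rng) for _ in range(n - 1)]
        parts.append(S[i] * inv(prod(parts)) % N)   # so prod_k s_{i,k} = S_{i,j}
        for k in range(n):
            s[i][k] = parts[k]
            s_hat[i][k] = inv(pow(parts[k], e, N))
    for i in range(n):                     # step 3: public and private checks
        if prod(s_hat[i]) != U_i[i]:
            raise ValueError(f"D{i + 1}: published pieces do not multiply to U_i,j")
        for k in range(n):
            if inv(pow(s[i][k], e, N)) != s_hat[i][k]:
                raise ValueError(f"D{k + 1}: piece received from D{i + 1} mismatches")
    S_new = [pow(prod(s[k][i] for k in range(n)), 2 ** L, N) for i in range(n)]
    U_new = [prod(s_hat[k][i] for k in range(n)) for i in range(n)]
    return S_new, U_new                    # step 4 (VSS of S_new not modelled)


def partial_ok(Z_k, U_k, Y_k, j, sigma):
    """Sign step 3: Y'_k = Z_k^{2^{l(T+1-j)}} U_{k,j}^sigma must equal Y_k."""
    return pow(Z_k, exp_for(j), N) * pow(U_k, sigma, N) % N == Y_k


def tfss_sign(S, U_i, j, M, rng):
    """TFSS.sign at period j; returns (j, Z, sigma) with Z = prod_i Z_i."""
    n, e = len(S), exp_for(j)
    R = [rand_unit(rng) for _ in range(n)]
    Y_i = [pow(r, e, N) for r in R]
    sigma = H(j, prod(Y_i), M)
    Z_i = [R[i] * pow(S[i], sigma, N) % N for i in range(n)]
    for k in range(n):
        if not partial_ok(Z_i[k], U_i[k], Y_i[k], j, sigma):
            raise ValueError(f"D{k + 1}: bad partial signature, Recovery needed")
    return (j, prod(Z_i), sigma)


def tfss_verify(U, M, sig):
    """Single-user check: Y = Z^{2^{l(T+1-j)}} U^sigma, accept iff H(j, Y, M) = sigma."""
    j, Z, sigma = sig
    Y = pow(Z, exp_for(j), N) * pow(U, sigma, N) % N
    return H(j, Y, M) == sigma


def demo(seed=1, M="release v2.3.1 manifest"):
    rng = random.Random(seed)
    S0, U0, U = tfss_key(rng)
    S1, U1 = tfss_update(S0, U0, 0, rng)     # end of period 0 -> period 1
    sig = tfss_sign(S1, U1, 1, M, rng)
    return {
        "U": U, "sig": sig,
        "valid": tfss_verify(U, M, sig),
        "other_msg": tfss_verify(U, M + "!", sig),
        "key_evolves": prod(S1) == pow(prod(S0), 2 ** L, N),   # S_1 = S_0^{2^l}
        "pk_unchanged": prod(U1) == U,                          # prod_i U_{i,1} = U
    }
```

`demo()` runs one key generation, one update and one signing round; the two boolean entries confirm the identities noted under update step 4, namely that the product of the new shares is $S_0^{2^l}$ and that the product of the new public-key shares is still $U$. Replace a dealer's piece or partial signature in the lists and the corresponding `ValueError` shows which check of step 3 would trigger Recovery.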

In this section, we show the correctness and security of our proposed scheme.

Theorem 16 (Correctness) Assume that $SK_j = (N, T, j, S_j)$ and $PK = (N, U, T)$ are the key pair of the system at time period $j$. Each dealer $D_i$ holds the secret-key share $SK_{i,j} = (N, T, j, S_{i,j})$ and public-key share $PK_{i,j} = (N, U_{i,j}, T)$.

Theorem 17 Assume that the $2^l$-th root problem is hard. The TFSS.update procedure is secure against malicious adversaries, even when the malicious adversaries know $t$ shares $S_{b_i}$, $1 \le i \le t$.

Proof. Suppose a malicious adversary $A$ holding $t$ shares can compute some useful information from the transcripts exchanged among the dealers. We construct a simulator $S$ for the procedure so that $A$, run on the simulator's outputs, would compute the same information. Since the output distribution of the simulator and that of a real run are polynomially indistinguishable, if $A$ can extract information from a real run, it can extract it from the simulator's outputs as well. Because the simulator's output carries no information about the honest dealers' secrets, neither does the real run. We therefore construct a simulator $S$ for the TFSS.update procedure in the presence of malicious adversaries. Let $B = \{D_{b_1}, \ldots, D_{b_t}\}$ be the set of corrupted dealers at the current time period $j$. For simplicity, the secrets of the corrupted dealers are treated as inputs. $S$ simulates each dealer $D_i$'s behaviour as follows.

4. Simulate the $(t, n)$-VSS procedure. For $D_i \notin B$, only $g^{S'_{i,j}}$ is available and $S'_{i,j}$ itself is unknown, so we randomly select $S'_{i,k} \in_R \mathbb{Z}_N$ for $k \in \{b_1, \ldots, b_t\}$. The points $(j, S'_{i,j}), (b_1, S'_{i,b_1}), \ldots, (b_t, S'_{i,b_t})$ then determine a polynomial of degree $t$ even though $S'_{i,j}$ is unknown; this is done by Lagrange interpolation in the exponent. We send each $S'_{i,b_k}$ to the corrupted dealer $D_{b_k}$.

If $D_j$ forces $D_i$ to disclose $\hat{s}_{i,j}$, then since $D_j$ already holds it, we can simulate $\hat{s}_{i,j}$.

We now consider the distribution of the simulator's outputs. In step one, each $\hat{s}_{i,j}$, $1 \le i \le n$, $1 \le j \le n$, is randomly selected from $\mathbb{Z}_N$, so its distribution is identical to that in the real run. In step two, if $D_i \in B$, the distribution of $D_i$'s transcripts is the same as in the real run; if $D_i \notin B$, then apart from the failure output $\bot$, the distribution of $D_i$'s transcripts is identical to that in the real run. In step three, the $(t, n)$-VSS procedure outputs the transcripts of the $n$ polynomials, and their distribution is identical to that of the real run since each coefficient of the polynomials is randomly selected over $\mathbb{Z}_N$. Therefore, the output distribution of the simulator is polynomially indistinguishable from that of the real run. Since the simulator's outputs give no information, neither does the real run, and the adversary obtains no useful information. This completes the proof. $\square$

Theorem 18 The TFSS scheme is a key-evolving $(t, s, n)$-threshold signature scheme for $s = t + 1$ and $n = 2t + 1$.

Proof. Since there are at most $t$ corrupted servers, their secret-key shares are not sufficient to recover the secret-key shares of the honest dealers. The remaining dealers follow the scheme. $\square$

Theorem 19 (Forward security) Let FS-DS denote the single-user signature scheme in [4]. TFSS is a threshold forward-secure signature scheme as long as FS-DS is a forward-secure signature scheme in the single-user sense.

Proof. Let $F$ be an adversary that attacks TFSS successfully by forging a signature $(c', Z, \alpha)$. We construct an algorithm $A$ that uses $F$ to forge a signature for the single-user scheme FS-DS. As stated, the attack consists of three phases: cma, breakin and forge. Algorithm $A$ has access to the signing oracle $S$ and the hashing oracle $H$, which may be queried and which provide the signing key when necessary. In the cma phase, $F$ may query signatures and hash values from $S$ and $H$; given a signature, we can simulate the transcripts as they would appear in the real view. In the breakin phase, the signing oracle provides $F$ with the secret key $SK_j$, so that in the forge phase $F$ can forge a signature $\sigma$ for a time period strictly before $j$. Algorithm $A$ outputs $F$'s output $\sigma$ as its forgery for the single-user scheme. The simulation proceeds as follows.

In the cma phase, $F$ guesses a particular time period $c$ during which $F$ breaks more than $t$ dealers and gets the secret $S_c$. Let $U = 1/v^{2^{l(T+1-c)}}$ and $PK = (N, U, T)$, where $v = S_c$. We randomly select $U_{1,0}, \ldots, U_{n-1,0} \in_R \mathbb{Z}_N$ and compute the public-key share $U_{n,0} = U / \prod_{i=1}^{n-1} U_{i,0} \bmod N$, so that $\prod_{i=1}^{n} U_{i,0} = U$. The public-key shares are $PK_{i,0} = (N, U_{i,0}, T)$, $1 \le i \le n$. We simulate $F$ by choosing a random tape for $F$, feeding all public keys to $F$, and running $F$ in the cma phase. Since $F$ can corrupt at most $t$ dealers at any time period other than $c$, we simply give all necessary secret-key shares and exchanged shares to $F$ as input.

$F$ decides either to stay in the cma phase or to switch to the breakin phase, and then enters the forge phase.

We now simulate the views of the corrupted dealers during the key update phase. Let $B = \{D_{b_1}, \ldots, D_{b_t}\}$ be the set of corrupted dealers at time period $j$. The simulation is the same as in the proof of Theorem 17, which simulates the key update procedure. Note that the set of corrupted servers is decided in advance (static corruption).

We can simulate the hash and signing oracles of $F$. For each query $(j, Y, M)$ made by $F$, we query $H$ on the same input and return the answer to $F$. We simulate the signing oracle of $F$ by using $S$: let $M$ be the message queried to $S$; we give the answer $(j, Z, \sigma)$ of $S$ directly to $F$.

Now we simulate $F$'s view of the signing procedure. The input consists of all secrets of the corrupted dealers and the public information. For the input $M$ and its signature $(j, Z, \sigma)$ seen by $F$, we construct the same probability distribution as $F$'s real view as follows.

1. For $D_i \in B$, we directly choose $R_i \in \mathbb{Z}_N$ and publish $Y_i = R_i^{2^{l(T+1-j)}} \bmod N$ and NIProof-SS$(g, 2^{l(T+1-j)}, g^{R_i}, Y_i)$. Then we simulate the $(t, n)$-VSS procedure to share $R_i$ with the other dealers. Furthermore, we compute the partial signature $Z_i = R_i S_{i,j}^{\sigma} \bmod N$.

2. For $D_i \notin B$, we compute its partial signature as follows. Let $Z' = Z \big/ \prod^{t}$

The simulated view above is identically distributed to the real view. If the real view disclosed any information, the adversary could obtain that information by simulating the real run. Since the simulator's view gives no useful information, the real view provides none either.
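The signing-view simulation of this proof, carried out on a toy instance. This is an added example, not code from the thesis, and the page's step 2 is cut off after $Z' = Z / \prod^{t}$: completing it as $Z' = Z / \prod_{b \in B} Z_b$, choosing random $Z_i$ for all honest dealers but one, fixing the last so the honest partials multiply to $Z'$, and setting $Y_i = Z_i^{2^{l(T+1-j)}} U_{i,j}^{\sigma}$ so that every partial passes the check of sign step 3, is my reconstruction. The modulus, $l = 16$, $T = 3$, $n = 3$ with $t = 1$, the corrupted dealer's secrets and the truncated-SHA-256 hash are constructed assumptions; the single-user FS-DS signer stands in for the signing oracle $S$.

```python
import hashlib
import random
from math import gcd

# Constructed toy parameters, as small as they are insecure: Blum primes p, q,
# l = 16, T = 3 periods, n = 3 dealers of which t = 1 is corrupted.
P, Q = 167, 179
N = P * Q
L, T = 16, 3
N_DEALERS = 3


def exp_for(j):
    """2^{l(T+1-j)}, the exponent tying a period-j secret to the public key."""
    return 2 ** (L * (T + 1 - j))


def rand_unit(rng):
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:
            return x


def inv(x):
    return pow(x, -1, N)


def prod(xs):
    r = 1
    for x in xs:
        r = r * x % N
    return r


def H(j, Y, M):
    """sigma = H(j, Y, M) truncated to l bits (assumed hash length)."""
    h = hashlib.sha256(f"{j}|{Y}|{M}".encode()).digest()
    return int.from_bytes(h[: L // 8], "big")


def fsds_keygen(rng):
    """Single-user FS-DS key: S_0 and U = 1/S_0^{2^{l(T+1)}}."""
    S0 = rand_unit(rng)
    return S0, inv(pow(S0, exp_for(0), N))


def fsds_sign(S0, j, M, rng):
    """The signing oracle S: a period-j FS-DS signature with S_j = S_0^{2^{lj}}."""
    Sj = pow(S0, 2 ** (L * j), N)
    R = rand_unit(rng)
    sigma = H(j, pow(R, exp_for(j), N), M)
    return (j, R * pow(Sj, sigma, N) % N, sigma)


def share_public_key(U, j, corrupted, rng):
    """U_{i,j} for every dealer: fixed by S_{i,j} for corrupted dealers, random for
    honest ones except the last, which is set so that prod_i U_{i,j} = U."""
    U_sh = [0] * N_DEALERS
    for b, (_, S_b) in corrupted.items():
        U_sh[b] = inv(pow(S_b, exp_for(j), N))
    honest = [i for i in range(N_DEALERS) if i not in corrupted]
    for i in honest[:-1]:
        U_sh[i] = rand_unit(rng)
    last = honest[-1]
    U_sh[last] = U * inv(prod(U_sh[i] for i in range(N_DEALERS) if i != last)) % N
    return U_sh


def simulate_signing_view(U_sh, sig, corrupted, rng):
    """Step 1 for D_i in B (computed honestly from their own R_i, S_{i,j}) and the
    reconstructed step 2 for D_i not in B: Z' = Z / prod_{b in B} Z_b, random Z_i
    for all honest dealers but one, the last fixed so the honest product is Z',
    and Y_i = Z_i^{2^{l(T+1-j)}} U_{i,j}^sigma so each partial check passes."""
    j, Z, sigma = sig
    e = exp_for(j)
    Y, Zp = [0] * N_DEALERS, [0] * N_DEALERS
    for b, (R_b, S_b) in corrupted.items():
        Y[b] = pow(R_b, e, N)
        Zp[b] = R_b * pow(S_b, sigma, N) % N
    honest = [i for i in range(N_DEALERS) if i not in corrupted]
    Z_prime = Z * inv(prod(Zp[b] for b in corrupted)) % N
    for i in honest[:-1]:
        Zp[i] = rand_unit(rng)
    Zp[honest[-1]] = Z_prime * inv(prod(Zp[i] for i in honest[:-1])) % N
    for i in honest:
        Y[i] = pow(Zp[i], e, N) * pow(U_sh[i], sigma, N) % N
    return Y, Zp


def view_is_consistent(U_sh, sig, Y, Zp, M):
    """Everything an observer of a real run could check: all partials pass sign
    step 3, prod_i Z_i = Z, and sigma = H(j, prod_i Y_i, M)."""
    j, Z, sigma = sig
    e = exp_for(j)
    partials = all(pow(Zp[i], e, N) * pow(U_sh[i], sigma, N) % N == Y[i]
                   for i in range(N_DEALERS))
    return partials and prod(Zp) == Z and H(j, prod(Y), M) == sigma


def demo(seed=7, j=2, M="rotate deploy key"):
    rng = random.Random(seed)
    S0, U = fsds_keygen(rng)
    sig = fsds_sign(S0, j, M, rng)                 # the oracle's answer
    B = {0: (rand_unit(rng), rand_unit(rng))}      # D_1 corrupted: (R_1, S_{1,j}) are inputs
    U_sh = share_public_key(U, j, B, rng)
    Y, Zp = simulate_signing_view(U_sh, sig, B, rng)
    return {"sig": sig, "consistent": view_is_consistent(U_sh, sig, Y, Zp, M),
            "pk_preserved": prod(U_sh) == U}
```

The simulator never touches an honest dealer's $S_{i,j}$ or $R_i$, yet the transcript it emits satisfies every check a real participant could run; that is the content of the claim that the view is identically distributed and leaks nothing beyond the signature itself.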

Obtaining a forgery. Let $c$ be the time period at which $F$ switches to the breakin phase. We provide the secret key $S_c$ to $F$ and run $F$ to output a forged signature $(c', Z, \alpha)$ for $M'$, where $c' < c$. Then $(c', Z, \alpha)$ is a forged signature for the single-user scheme FS-DS. Since FS-DS is secure, our distributed scheme TFSS is secure. This completes the proof. $\square$

