ElGamal-Based Weighted Threshold Signature Scheme

Academic year: 2021


Cheng Guo*, Chin-Chen Chang**,***

* Department of Computer Science, National Tsing-Hua University, Hsinchu, 30013, Taiwan E-mail: [email protected]

**Department of Information Engineering and Computer Science, Feng Chia University, Taichung, 40724, Taiwan

E-mail: alan3c@gmail.com

*** Department of Biomedical Imaging and Radiological Science, Chinese Medical University, 40402, Taiwan E-mail: [email protected]

Abstract

In this paper, we consider the special situation in which group members do not have equal privilege in the process of generating the group signature. We achieve a weighted threshold access structure by introducing S. Iftene's extended Mignotte sequence, and on top of it we present a weighted threshold signature scheme. In our scheme there is a set of group members, and each member is assigned a positive weight. If a subset of group members wants to generate a group signature, the sum of the weights of its members must reach a certain threshold.

Key Words: Weighted threshold signature, Chinese remainder theorem, Modified ElGamal signature, Extended Mignotte sequence

1. Introduction

The group signature, a concept introduced by D. Chaum and E. van Heyst [1] in 1991, allows group members to produce anonymous signatures on behalf of the group. In 1991, Y. Desmedt and Y. Frankel [2] proposed a (t, n) threshold signature scheme based on the RSA cryptosystem. In their scheme, t cooperating members can produce a valid signature, but t-1 or fewer members cannot create a valid signature.

The prior literature [2-4] in this area has focused primarily on scenarios in which all members play equivalent roles. Consider the following example: a graduate who wants to apply for a postgraduate position must have some letters of recommendation. Assume that the graduate school's policy concerning such recommendations is that the applicant must submit one of the following three options: 1) recommendations from two professors, 2) recommendations from one professor and two associate professors, or 3) recommendations from four associate professors. In this scenario, professors and associate professors are clearly not equal in their privileges or authority. Motivated by this, we want to construct a weighted threshold signature scheme in which one positive weight is associated with each group member and in which the message can be signed if, and only if, the sum of the weights assigned to the group members who sign the message is greater than or equal to a fixed threshold.

The concept of a weighted threshold secret sharing scheme was introduced by Shamir [5] in his seminal work on secret sharing, where the participants are not of the same status. Shamir discussed the case of sharing a secret among the shareholders of a company, each holding a different number of shadows. In 2007, S. Iftene [6] presented a weighted secret sharing scheme based on the CRT. Iftene extended the threshold Mignotte scheme [7] in order to address the weighted access structure in which the set of participants is partitioned into several compartments, a positive weight is associated with each compartment, and the secret can be reconstructed when the sum of the weights of the participants involved reaches a fixed threshold. Recently, K. Kaya and A.A. Selçuk [8] obtained a threshold signature scheme by combining CRT-based secret sharing and RSA. They first construct an incomplete group signature and then correct it into a valid group signature.

To the best of our knowledge, no threshold signature scheme based on the CRT and the ElGamal signature scheme has been proposed in the literature to date. In this paper, we report a new weighted threshold signature scheme based on the extended Mignotte secret sharing scheme [6] and the modified ElGamal signature scheme. The solution of a system of simultaneous linear congruences can be obtained by the CRT together with the multiplication rules allowed in congruences; we use this property to realize the weighted threshold access structure and to assemble the group signature from the individual signatures.

2. Preliminary

S. Iftene [6] introduced an extended Mignotte sequence and gave a weighted threshold secret sharing scheme. In a weighted threshold secret sharing scheme, the set of participants is partitioned into several compartments, and a positive weight is associated with each compartment. In Iftene's scheme, the secret can be reconstructed if, and only if, the sum of the weights of the participants involved reaches a fixed threshold. We now briefly describe Iftene's $(t, \omega, n)$-Mignotte sequence. Let $n \ge 2$, let $\omega = (\omega_1, \omega_2, \ldots, \omega_n)$ be a sequence of positive weights associated with the $n$ participants, and let $t$ be the threshold. Let $\mathcal{S}_t$ denote the family of qualified sets, i.e. the sets $S \subseteq \{1, \ldots, n\}$ with $\sum_{i \in S} \omega_i \ge t$, whose members can recover the shared secret from their shadows, and let $\mathcal{S}_{t-1}$ denote the family of unqualified sets, those with $\sum_{i \in S} \omega_i \le t-1$. A $(t, \omega, n)$-Mignotte sequence is a sequence of positive integers $p_1, p_2, \ldots, p_n$ such that

$$\max_{S \in \mathcal{S}_{t-1}} \operatorname{lcm}(\{p_i \mid i \in S\}) \;<\; \min_{S \in \mathcal{S}_t} \operatorname{lcm}(\{p_i \mid i \in S\}).$$

A $(t, \omega, n)$-Mignotte sequence can be constructed as follows. Let $p_1, p_2, \ldots, p_N$ be a general $(t, N)$-Mignotte sequence (a sequence of $N$ positive integers in which the lcm of any $t-1$ of them is smaller than the lcm of any $t$ of them), where $N = \sum_{i=1}^{n} \omega_i$, and define $p'_i = \operatorname{lcm}(\{p_j \mid j \in P_i\})$ for all $1 \le i \le n$, where $\{P_1, P_2, \ldots, P_n\}$ is an arbitrary partition of the set $\{1, 2, \ldots, N\}$ such that $|P_i| = \omega_i$ for all $1 \le i \le n$. It is easy to prove that the sequence $p'_1, p'_2, \ldots, p'_n$ is indeed a $(t, \omega, n)$-Mignotte sequence [6].
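The construction above, worked through on a small constructed instance (an added example, not code from the paper): a general $(3, 6)$-Mignotte sequence is grouped by a partition with block sizes $\omega = (2, 1, 1, 2)$ into a $(3, \omega, 4)$-Mignotte sequence, the weighted threshold condition is checked by brute force over all subsets, and the resulting moduli are used for CRT secret sharing with the coefficients $P_{S \setminus \{i\}}$ and $P_{S,i}$ that Section 3.1 relies on. The numbers 11, 13, 17, 19, 23, 29, the consecutive-block partition and the secret 1234 are arbitrary choices of mine; the functions themselves work for any weights and threshold.

```python
"""Weighted (t, omega, n)-Mignotte sequence built from a general (t, N)
sequence, as in Section 2, plus CRT sharing over it.
Added example with constructed toy numbers; not code from the paper."""
from itertools import combinations
from math import lcm, prod


def is_general_mignotte(seq, t):
    """General (t, N)-Mignotte property: the lcm of any t-1 members is
    smaller than the lcm of any t members."""
    largest_unqualified = max(lcm(*c) for c in combinations(seq, t - 1))
    smallest_qualified = min(lcm(*c) for c in combinations(seq, t))
    return largest_unqualified < smallest_qualified


def extend_mignotte(seq, weights):
    """p'_i = lcm({p_j : j in P_i}), where the partition P_1..P_n takes
    consecutive blocks of the sequence with |P_i| = omega_i."""
    if sum(weights) != len(seq):
        raise ValueError("weights must sum to N = len(seq)")
    moduli, pos = [], 0
    for w in weights:
        moduli.append(lcm(*seq[pos:pos + w]))
        pos += w
    return moduli


def weighted_bounds(moduli, weights, t):
    """Brute-force check of the (t, omega, n) condition. Returns
    (max lcm over unqualified sets, min lcm over qualified sets);
    the sequence is a (t, omega, n)-Mignotte sequence iff max < min."""
    unqualified, qualified = [], []
    for size in range(1, len(moduli) + 1):
        for subset in combinations(range(len(moduli)), size):
            value = lcm(*(moduli[i] for i in subset))
            if sum(weights[i] for i in subset) >= t:
                qualified.append(value)
            else:
                unqualified.append(value)
    return max(unqualified), min(qualified)


def share(secret, moduli):
    """Shadows y_i = y mod p_i."""
    return [secret % p for p in moduli]


def recover(shares, moduli, coalition):
    """CRT over coalition S: sum of y_i * P_(S minus i) * P_(S,i) mod P_S.
    Equals the secret only when S is qualified (secret < P_S); an
    unqualified S only learns the secret modulo its smaller P_S."""
    p_s = prod(moduli[i] for i in coalition)            # P_S
    total = 0
    for i in coalition:
        p_rest = p_s // moduli[i]                       # P_(S minus i)
        inverse = pow(p_rest, -1, moduli[i])            # P_(S,i)
        total += shares[i] * p_rest * inverse
    return total % p_s


if __name__ == "__main__":
    SEQ = [11, 13, 17, 19, 23, 29]        # constructed (3, 6)-Mignotte sequence
    WEIGHTS, T = (2, 1, 1, 2), 3
    mods = extend_mignotte(SEQ, WEIGHTS)  # [143, 17, 19, 667]
    print("general Mignotte:", is_general_mignotte(SEQ, T))
    print("moduli:", mods, "bounds:", weighted_bounds(mods, WEIGHTS, T))
    shadows = share(1234, mods)
    print("qualified {1,2} ->", recover(shadows, mods, (0, 1)))
    print("unqualified {2,3} ->", recover(shadows, mods, (1, 2)))
```

With these numbers the bounds come out as $(667, 2431)$, so any secret strictly between them is recoverable by every qualified coalition and by no unqualified one; this is the range from which the group secret key of Section 3.1 has to be drawn.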

2. System model and security requirements

We have a set of $n$ group members collaborating to generate the threshold signature, indexed $1, 2, \ldots, n$, and a shared distributed center (SDC) that generates a group public key $Y_A$, the member secret keys $y_1, y_2, \ldots, y_n$, and the group member public keys $Y_1, Y_2, \ldots, Y_n$. An adversary $A$ can obtain the secret keys of the corrupted members, along with the group public key, the corresponding group member public keys, and the signing algorithm. There are also a group signature verification algorithm, an individual signature verification algorithm, and an individual signature combining algorithm. $t$ is the weighted threshold of the proposed scheme.

The following definition captures existential unforgeability against adaptively chosen message attacks.

Definition 1. In the random oracle model (ROM), we say that a $(t, \omega, n)$-weighted threshold signature scheme is unforgeable against adaptive chosen message attacks if no polynomial-time adversary $A$ that corrupts group members of total weight at most $t-1$ can win, with non-negligible probability, the following game:

Game:

Suppose that the sum of the weights of all group members is $\sum_{i=1}^{n} \omega_i = N$, where $\omega_i$ denotes the weight of group member $i$ for $i = 1, 2, \ldots, n$. At the beginning of the game, adversary $A$ selects a subset of group members to corrupt, where the sum of the weights of the corrupted members is at most $t-1$. Adversary $A$ then controls the corrupted group members, has access to their secret keys, and can generate their individual signatures.

(1) Adversary $A$ can ask the uncorrupted group members for signatures on messages of his or her choice. Upon such a request, an uncorrupted group member outputs an individual signature for the given message. Adversary $A$ can produce a challenge message $m_i$ and send a hash query and a signing query on $m_i$ to a hashing oracle $O_H$ and a signing oracle $O_S$, respectively. All random oracles are simulated by the simulator Simon, in the sense of Mao [10]; Simon also simulates the signing procedure and answers the signing queries.

(2) Adversary $A$ further computes a new challenge message $m_j$ according to Simon's previous answers and submits it to $O_H$ and $O_S$.

(3) After this "extended training course", adversary $A$ outputs a new weighted threshold signature $\sigma^*$ on a message $m^*$. Of course, $m^*$ must not have been queried to the random oracle $O_H$ or to the signing oracle $O_S$ before.

(4) If the new weighted threshold signature $\sigma^*$ is valid, adversary $A$ wins the game.

3. $(t, \omega, n)$-weighted threshold signature scheme

Our scheme utilizes the cryptographic techniques of the weighted secret sharing scheme [6] based on the extended $(t, \omega, n)$-Mignotte sequence and the modified ElGamal digital signature scheme. In this phase, the SDC is responsible for initializing the system and generating the parameters as follows:

(1) $p$, a large prime modulus, where $2^{512} < p < 2^{1024}$;

(2) $q$, a prime divisor of $p-1$, where $2^{159} < q < 2^{160}$;

(3) A sequence $\omega_1, \omega_2, \ldots, \omega_n$ of positive integers, the weights of the $n$ group members, and $t$, the global threshold of the scheme. The weights depend entirely on the significance of the members;

(4) An extended $(t, \omega, n)$-Mignotte sequence $p_1, p_2, \ldots, p_n$, constructed as described in Section 2. The $p_i$ serve as pairwise coprime CRT moduli in Section 3.1, so the general $(t, N)$ sequence underlying the construction is taken pairwise coprime;

(5) A positive integer $\alpha = h^{(p-1)/q} \bmod p$, where $h$ is a random integer with $1 \le h \le p-1$ chosen so that $\alpha \ne 1$; $\alpha$ is then a generator of the subgroup of order $q$ in $GF(p)$. $\{p, q, \alpha\}$ are the public values.

3.1 Group secret key and secret shadows generation phase

Suppose $S$ is a qualified coalition of group members. Let $P_{S \setminus \{i\}}$ denote $\prod_{j \in S, j \ne i} p_j$, let $P_S = \prod_{j \in S} p_j$, and let $P_{S,i}$ be the multiplicative inverse of $P_{S \setminus \{i\}}$ in $Z_{p_i}$, i.e., $P_{S \setminus \{i\}} \cdot P_{S,i} \equiv 1 \pmod{p_i}$ (the inverse exists because the $p_i$ are pairwise coprime).

(1) Select a group secret key $y$ with $0 < y < P_S$ for every qualified coalition $S$, i.e. below the minimum in the Mignotte condition of Section 2, so that $y$ is the unique value the CRT recovers from the shadows of any qualified coalition, and compute the group public key $Y_A = \alpha^{y} \bmod p$, which is used to verify the group signature;

(2) Compute each member's secret key $y_i = y \bmod p_i$, for $i = 1, 2, \ldots, n$, where $p_i$ is the public value associated with member $i$;

(3) Compute each member's public key $Y_i = \alpha^{v_i} \bmod p$, for $i = 1, 2, \ldots, n$, where

$$v_i = y_i \cdot P_{S,i} \cdot P_{S \setminus \{i\}} \bmod P_S.$$

By the Chinese remainder theorem, $\sum_{i \in S} v_i \equiv y \pmod{P_S}$.

3.2 $(t, \omega, n)$-threshold signature generation phase

In our scheme, the members are not of the same status. That is, each member is assigned a positive weight, and a set can generate the group signature if, and only if, the sum of the weights assigned to its members reaches a certain threshold. Let $m$ be a document to be signed, where $0 \le m \le p-1$. Without loss of generality, assume that a qualified subset $S$ wants to sign the message $m$. This phase can be further divided into two parts.

(1) Individual signature generation and verification

Each member $u_i$ randomly selects an integer $k_i \in [1, q-1]$, fresh for every signature, and computes a public value $r_i$ as

$$r_i = \alpha^{k_i} \bmod p, \tag{1}$$

and makes $r_i$ publicly available through a broadcast channel. Once all $r_i$ are available, each member computes the product $r$ as

$$r = \prod_{i \in S} r_i \bmod p. \tag{2}$$

Member $u_i$ uses his secret key $y_i$ and $k_i$ to sign the message $m$ based on the modified ElGamal signature scheme. Let $f(x)$ be a hash function and $\bar{m} = f(m)$. Member $u_i$ then computes

$$s_i = v_i \bar{m} + k_i r \bmod q, \tag{3}$$

where $0 \le s_i \le q-1$ and $v_i = y_i P_{S,i} P_{S \setminus \{i\}} \bmod P_S$ as in Section 3.1. The pair $\{r_i, s_i\}$ is the individual signature of $u_i$ on the message $m$. These signatures are transmitted along with the message $m$ to the designated clerk.

The clerk uses $u_i$'s public key $Y_i$ to check the following equation and thereby authenticate the individual signature:

$$Y_i^{\bar{m}} \cdot r_i^{\,r} \equiv \alpha^{s_i} \pmod p. \tag{4}$$

If the equation holds, the individual signature $\{r_i, s_i\}$ of message $m$ received from $u_i$ is valid.

(2) $(t, \omega, n)$-weighted threshold signature generation

After the individual signatures have been received and verified by the designated clerk in the first part, the group signature of the message can be obtained as $\{r, s\}$, where

$$r = \prod_{i \in S} r_i \bmod p, \qquad s = \sum_{i \in S} s_i \bmod q. \tag{5}$$

Since the unique $y \equiv \sum_{i \in S} v_i \pmod{\prod_{i \in S} p_i}$ can only be computed modulo $\prod_{i \in S} p_i$, the $s$ generated in (5) is incomplete: as integers, $\sum_{i \in S} v_i = y + l \cdot P_S$ for some $0 \le l \le |S| - 1$, where $P_S = \prod_{i \in S} p_i$. We utilize K. Kaya and A.A. Selçuk's method [8] to correct the incomplete signature $s$. Expanding (5),

$$s = \sum_{i \in S} \left( v_i \bar{m} + k_i r \right) \bmod q = \Big(\sum_{i \in S} v_i\Big) \bar{m} + \Big(\sum_{i \in S} k_i\Big) r \bmod q.$$

The group manager finds $l$ by trying $l = 0, 1, \ldots, |S|-1$ until the following equation holds:

$$\sum_{i \in S} v_i \bar{m} - P_S \, l \, \bar{m} \equiv y \, \bar{m} \pmod q. \tag{6}$$

Equivalently, using only public values, $\prod_{i \in S} Y_i \equiv Y_A \cdot \alpha^{l P_S} \pmod p$. Then the completed signature is obtained by removing the surplus term:

$$s = \sum_{i \in S} s_i - P_S \, l \, \bar{m} \bmod q. \tag{7}$$

3.3 $(t, \omega, n)$-threshold signature verification phase

After receiving the group signature $\{r, s\}$ on the message $m$, any verifier can use the group public key $Y_A$ to check its validity. The verification equation is

$$Y_A^{\bar{m}} \cdot r^{\,r} \equiv \alpha^{s} \pmod p, \tag{8}$$

where $\bar{m} = f(m)$. If the equation holds, the group signature $\{r, s\}$ is valid. Correctness follows from (3), (5) and (7): $\alpha^{s} = \alpha^{(y + l P_S)\bar{m} + (\sum_{i \in S} k_i) r - l P_S \bar{m}} = Y_A^{\bar{m}} \cdot \big(\prod_{i \in S} r_i\big)^{r} = Y_A^{\bar{m}} \cdot r^{\,r} \pmod p$.
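The whole signing phase of Section 3 run end to end on a constructed toy instance: key generation (3.1), individual signatures and the clerk's check (3.2, part 1), combination and correction of the incomplete $s$ (3.2, part 2) and group verification (3.3). This is an added example, not the paper's code: $p = 2027$, $q = 1013$, $h = 2$, the Mignotte sequence $(143, 17, 19, 667)$ with weights $(2, 1, 1, 2)$ and $t = 3$, the group secret $y = 1234$ and SHA-256 reduced into $[1, q-1]$ as the hash $f$ are all my choices and far below the sizes the scheme requires. The correction term $l$ is found with the public keys only ($\prod Y_i = Y_A \alpha^{l P_S}$), which is equation (6) read in the exponent, so the clerk does not need $y$.

```python
"""Toy run of the (t, omega, n)-weighted threshold ElGamal signature of
Section 3. Added example, not the paper's code; all parameters below are
constructed and far too small for real use."""
import hashlib
import secrets
from math import prod

P = 2027                           # prime p (toy size; the paper wants 2^512 < p)
Q = 1013                           # prime q with q | p - 1   (2026 = 2 * 1013)
ALPHA = pow(2, (P - 1) // Q, P)    # alpha = h^((p-1)/q) mod p with h = 2
if ALPHA == 1:
    raise ValueError("h^((p-1)/q) == 1; pick another h")

WEIGHTS = (2, 1, 1, 2)             # omega_1..omega_4
T = 3                              # global threshold t
MODULI = (143, 17, 19, 667)        # (3, omega, 4)-Mignotte sequence p_1..p_4
                                   # (lcm over blocks of 11,13,17,19,23,29)


def coalition_weight(coalition):
    return sum(WEIGHTS[i] for i in coalition)


def hash_to_q(message: bytes) -> int:
    """f(m): our choice of hash, mapped into [1, q-1]."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return 1 + digest % (Q - 1)


def keygen(y, coalition):
    """SDC phase (3.1) for coalition S. Returns Y_A, the shadows y_i,
    the CRT coefficients v_i (reduced mod P_S), the public keys Y_i
    and P_S."""
    p_s = prod(MODULI[i] for i in coalition)               # P_S
    if not 0 < y < p_s:
        raise ValueError("group secret y must lie below P_S")
    y_a = pow(ALPHA, y, P)                                 # Y_A = alpha^y
    shadows, v, pub = {}, {}, {}
    for i in coalition:
        p_rest = p_s // MODULI[i]                          # P_(S minus i)
        inverse = pow(p_rest, -1, MODULI[i])               # P_(S,i)
        shadows[i] = y % MODULI[i]                         # y_i
        v[i] = (shadows[i] * inverse * p_rest) % p_s       # v_i
        pub[i] = pow(ALPHA, v[i], P)                       # Y_i = alpha^{v_i}
    return y_a, shadows, v, pub, p_s


def sign_individual(v_i, k_i, r, m_bar):
    return (v_i * m_bar + k_i * r) % Q                     # eq. (3)


def verify_individual(y_i_pub, r_i, r, s_i, m_bar):
    lhs = (pow(y_i_pub, m_bar, P) * pow(r_i, r, P)) % P
    return lhs == pow(ALPHA, s_i, P)                       # eq. (4)


def verify_group(y_a, r, s, m_bar):
    lhs = (pow(y_a, m_bar, P) * pow(r, r, P)) % P
    return lhs == pow(ALPHA, s, P)                         # eq. (8)


def threshold_sign(y, coalition, message):
    """Whole signing phase for coalition S. Returns Y_A, (r, s), m_bar,
    the correction l and the incomplete s of eq. (5) for comparison."""
    if coalition_weight(coalition) < T:
        raise ValueError("coalition weight is below the threshold t")
    y_a, _shadows, v, pub, p_s = keygen(y, coalition)
    m_bar = hash_to_q(message)
    # every member draws a fresh k_i and broadcasts r_i = alpha^{k_i}
    k = {i: 1 + secrets.randbelow(Q - 1) for i in coalition}
    r_i = {i: pow(ALPHA, k[i], P) for i in coalition}       # eq. (1)
    r = prod(r_i.values()) % P                              # eq. (2)
    s_i = {i: sign_individual(v[i], k[i], r, m_bar) for i in coalition}
    for i in coalition:                                     # clerk checks (4)
        if not verify_individual(pub[i], r_i[i], r, s_i[i], m_bar):
            raise ValueError(f"invalid individual signature from member {i}")
    s_incomplete = sum(s_i.values()) % Q                    # eq. (5)
    # sum(v_i) = y + l * P_S; find l from public values only:
    # prod(Y_i) == Y_A * alpha^{l P_S}   (eq. (6) in the exponent)
    product_of_pubs = prod(pub.values()) % P
    for l in range(len(coalition)):
        if product_of_pubs == (y_a * pow(ALPHA, l * p_s, P)) % P:
            break
    else:
        raise ValueError("no correction term l found")
    s = (s_incomplete - l * p_s * m_bar) % Q                # eq. (7)
    return y_a, (r, s), m_bar, l, s_incomplete


if __name__ == "__main__":
    y_a, (r, s), m_bar, l, s_inc = threshold_sign(1234, (0, 1), b"constructed message")
    print("correction l =", l)
    print("incomplete s verifies:", verify_group(y_a, r, s_inc, m_bar))
    print("corrected  s verifies:", verify_group(y_a, r, s, m_bar))
```

For the coalition of members 1 and 2 (weights $2 + 1 = t$) with this $y$, the coefficients are $v_1 = 1377$ and $v_2 = 2288$, so $\sum v_i = y + P_S$ and $l = 1$: the incomplete $s$ of (5) fails (8) and the corrected $s$ of (7) passes. Member 2 and member 3 together (weight 2) are rejected before any signing starts.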

4. Security analysis

In 1996, D. Pointcheval and J. Stern [9] gave a security proof for a variant of the ElGamal signature scheme using the random oracle (RO) model and the forking reduction technique. W. B. Mao [10] gave a more intuitive description of the security proof following the same reasoning. In the following, we use their method to prove the security of our scheme.

Theorem 4. In the random oracle model, if there exists an adversary $A$ that $(t(k), \varepsilon)$-wins the above game after issuing $q_H$ hash queries and $q_S$ signing queries, then the discrete logarithm problem in a finite field can be solved with probability $\varepsilon'$ in time $t'(k)$.

Proof. We prove the theorem by reduction to contradiction. Assume that the proposed weighted threshold signature scheme is $(t(k), \varepsilon)$-breakable, where $t(k)$ and $\varepsilon$ are a polynomial and a significant (non-negligible) function in $k$, respectively, and $k$ is the security parameter. We construct a reduction that translates $t(k)$ into $t'(k)$ and $\varepsilon$ into $\varepsilon'$. If the reduction is efficient enough, $t'(k)$ will be small enough and $\varepsilon'$ will be sufficiently close to $\varepsilon$. Therefore $\varepsilon'$ will be significant, and a hard problem will become $(t'(k), \varepsilon')$-breakable. It is well known that the hard problem cannot be $(t'(k), \varepsilon')$-breakable. In this way we reach a contradiction and complete the security proof.

We assume that adversary $A$ controls a subset of group members whose total weight is at most $t-1$. Suppose that $u_l$ is an uncorrupted member such that the weight of $u_l$ plus the weights of all corrupted members is at least $t$.

Hash queries. Since adversary $A$ already controls a subset of group members, according to the above game we only need to consider hash requests concerning the uncorrupted member $u_l$. In the random oracle model, adversary $A$ makes RO queries to Simon. Simon responds by simulating the RO: he simulates the hash function $f(x)$ by maintaining a hash table of pairs $(m_i, f_i)$, for $i = 1, 2, \ldots, n$, where the $m_i$ are queries and the $f_i$ are random answers. Since adversary $A$ is polynomially bounded, he or she can make only $n \le q_H$ queries, where $q_H$ is polynomially bounded in $k$.

When adversary $A$ submits an RO query on message $m_i$ to Simon, Simon responds as follows. If the hash table already contains $m_i$, that is, $(m_i, f_i) \in \text{Hash\_table}$, then Simon outputs $f_i$; otherwise, Simon randomly selects $f_i \in \{0,1\}^k$ as the response and adds $(m_i, f_i)$ to the hash table. Simon's answers are thus uniformly random in the set $\{1, 2, 3, \ldots, 2^k\}$.

Sign queries. Since adversary $A$ controls a subset of group members and has obtained their valid individual signatures, he or she only needs to send signing queries concerning $u_l$. Hence the simulator Simon must answer the RO queries and the signing queries with values that pass the verification steps. To answer $A$'s queries, Simon maintains a table of triples $(m_i, r_i, s_i)$, for $i = 1, 2, \ldots, n$, named Sign-table, where the $m_i$ are queries and the $(r_i, s_i)$ are answers. Since adversary $A$ is polynomially bounded, he or she can make only $n \le q_S$ signing queries, where $q_S$ is polynomially bounded in $k$. Simon runs as follows:

First, Simon checks whether $m_i$ has already been queried, that is, whether the Sign-table contains $m_i$. If it does, Simon responds with the stored $(r_i, s_i)$. Otherwise, for the signing query $m_i$, Simon randomly selects integers $u, v$ less than $p-1$ and sets

$$r_i = \alpha^{u} \, Y_l^{\,v} \pmod p, \qquad s_i = u \, r_i \pmod q, \qquad \bar{m}_i = -v \, r_i \pmod{p-1}.$$

Then Simon returns $\bar{m}_i$ as the RO answer on $m_i$ and returns $(r_i, s_i)$ as the signing answer on $m_i$. Any third party can verify that the returned signature is indeed valid using equation (4) with $r_i$ in the exponent: $Y_l^{\bar{m}_i} \, r_i^{\,r_i} \equiv \alpha^{s_i} \pmod p$, because $Y_l^{\bar{m}_i} \, r_i^{\,r_i} = Y_l^{-v r_i} \, \alpha^{u r_i} \, Y_l^{v r_i} = \alpha^{u r_i}$ and $\alpha$ has order $q$.

In this way Simon simulates $u_l$'s individual signatures. Because Simon's answers are uniformly random, when $A$ outputs a valid forged signature $(r, s)$ on $M$, we can conclude that $A$ must have queried $M$ and obtained the hash answer from Simon. The probability that $M$ has not been queried is $2^{-k}$. Since $2^{-k}$ is negligible, we know that $M$ must be in Simon's hash table.

First runs of adversary $A$. Simon runs $A$ $1/\varepsilon$ times. Since adversary $A$ is a successful forger, after adaptively issuing $q_H$ hash queries to the random oracle $O_H$ and $q_S$ signing queries to the signing oracle $O_S$, he or she outputs a valid individual signature $(\bar{m}_i, r_i, s_i)$ on a message $M$ with probability $\varepsilon$.

Second runs of adversary $A$. Now Simon runs $A$ another $1/\varepsilon$ times on the same queries. This time, however, Simon resets its $n$ RO answers so that they are fresh uniformly random values. $A$ again outputs a valid individual signature $(\bar{m}'_i, r'_i, s'_i)$ on a message $M'$ with probability $\varepsilon$. We can conclude that $M'$ must have been queried in the previous runs, except with a trivial probability of $2^{-k}$.

When the two forged message-signature pairs $(M, (\bar{m}_i, r_i, s_i))$ and $(M', (\bar{m}'_i, r'_i, s'_i))$ satisfy $M = M'$, a successful fork of $A$'s RO queries occurs. According to the birthday paradox, the probability that a successful fork occurs is roughly $1/n$. Since $n$ is polynomially bounded, $1/n$ is significant. That is, Simon obtains two valid forged individual signatures $(\bar{m}_i, r_i, s_i)$ and $(\bar{m}'_i, r_i, s'_i)$ on the same $r_i$ with significant probability $1/n$.

From the two valid forged individual signatures, Simon has

$$Y_i^{\bar{m}_i} \, r_i^{\,r} \equiv \alpha^{s_i} \pmod p \quad\text{and}\quad Y_i^{\bar{m}'_i} \, r_i^{\,r} \equiv \alpha^{s'_i} \pmod p.$$

Since $Y_i = \alpha^{v_i} \bmod p$ and $r_i = \alpha^{k_i} \bmod p$, Simon obtains

$$v_i \bar{m}_i + k_i r \equiv s_i \pmod q \quad\text{and}\quad v_i \bar{m}'_i + k_i r \equiv s'_i \pmod q.$$

Since Simon reset its random answers in the second runs, $\bar{m}_i \not\equiv \bar{m}'_i \pmod q$ with overwhelming probability $1 - 2^{-k}$. Subtracting the two congruences cancels the $k_i r$ term, and Simon can compute

$$v_i \equiv \frac{s_i - s'_i}{\bar{m}_i - \bar{m}'_i} \pmod q,$$

the discrete logarithm of $Y_i$ to the base $\alpha$. Thus Simon solves the discrete logarithm problem in a finite field with probability $\varepsilon'$ in time $t'(k)$. $\square$
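The extraction at the end of the proof carried out numerically (an added example, not from the paper): with a constructed toy group ($p = 2027$, $q = 1013$, $\alpha = 2^{(p-1)/q} \bmod p$) and constructed values $v_i$, $k_i$, $r$, two individual signatures on the same $r_i$ but different hash answers are built and $v_i$ is recovered by the division above. The same arithmetic is what an attacker performs if a member ever reuses $k_i$ for two messages, which is why step (1) of Section 3.2 requires a fresh $k_i$ for every signature.

```python
"""Extraction step at the end of the proof of Theorem 4: two valid
individual signatures that share r_i but carry different hash answers
reveal v_i, the discrete logarithm of Y_i. Added example, not the
paper's code; toy parameters, constructed."""
P, Q = 2027, 1013                  # prime p and prime q | p - 1 (toy size)
ALPHA = pow(2, (P - 1) // Q, P)    # generator of the order-q subgroup


def sign_individual(v_i, k_i, r, m_bar):
    """Eq. (3): s_i = v_i * m_bar + k_i * r mod q."""
    return (v_i * m_bar + k_i * r) % Q


def verify_individual(y_i_pub, r_i, r, s_i, m_bar):
    """Eq. (4): Y_i^m_bar * r_i^r == alpha^s_i mod p."""
    return (pow(y_i_pub, m_bar, P) * pow(r_i, r, P)) % P == pow(ALPHA, s_i, P)


def extract_v(s1, m1, s2, m2):
    """Fork: same r_i (same k_i), hash answers m1 != m2 mod q.
    Subtracting the two eq. (3) instances cancels k_i * r, so
    v_i = (s1 - s2) / (m1 - m2) mod q."""
    delta_m = (m1 - m2) % Q
    if delta_m == 0:
        raise ValueError("hash answers coincide mod q; the fork is useless")
    return ((s1 - s2) * pow(delta_m, -1, Q)) % Q


def forged_pair_recovers_key(v_i=777, k_i=345, r=999, m1=101, m2=202):
    """Build the two signatures the forking argument hands the simulator
    (constructed v_i, k_i, r and hash answers) and check that extract_v
    returns v_i mod q."""
    y_i_pub = pow(ALPHA, v_i, P)            # Y_i = alpha^{v_i}
    r_i = pow(ALPHA, k_i, P)                # same r_i in both runs
    s1 = sign_individual(v_i, k_i, r, m1)   # first run, hash answer m1
    s2 = sign_individual(v_i, k_i, r, m2)   # second run, hash answer m2
    if not (verify_individual(y_i_pub, r_i, r, s1, m1)
            and verify_individual(y_i_pub, r_i, r, s2, m2)):
        raise AssertionError("constructed signatures must verify")
    return extract_v(s1, m1, s2, m2) == v_i % Q
```

The recovered value is $v_i$ modulo $q$, which is all that matters: it is the exponent of $Y_i$, and knowing it lets anyone produce individual signatures for member $i$.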

5. Conclusions

In this paper, we propose a weighted threshold signature scheme based on the CRT and a modified ElGamal signature scheme. In our scheme, each group member is assigned a positive weight, and the group signature can be generated if, and only if, the sum of the weights of the involved members reaches a fixed threshold. The scheme thus lets group members play different roles in generating the group signature according to their significance. The construction can also be carried over to most discrete-logarithm-based signature schemes, including DSA. The correctness and security analyses show that the scheme is secure and practical.


References

[1] Chaum D. and van Heyst E., Group Signatures. Advances in Cryptology, EUROCRYPT '91. Berlin: Springer-Verlag, 1991, pp. 257-265.

[2] Desmedt Y. and Frankel Y., Shared Generation of Authenticators and Signatures. Advances in Cryptology, CRYPTO '91. Berlin: Springer-Verlag, 1991, pp. 457-469.

[3] Shoup V., Practical Threshold Signatures. Advances in Cryptology, EUROCRYPT 2000. Berlin: Springer-Verlag, 2000, pp. 207-220.

[4] Gennaro R., Halevi S., Krawczyk H. and Rabin T., Threshold RSA for Dynamic and Ad-Hoc Groups. Advances in Cryptology, EUROCRYPT 2008. Berlin: Springer-Verlag, 2008, pp. 88-107.

[5] Shamir A., How to Share a Secret. Communications of the ACM, 22 (1979) 612-613.

[6] Iftene S., General Secret Sharing Based on the Chinese Remainder Theorem with Applications in E-Voting. Electronic Notes in Theoretical Computer Science, 186 (2007) 67-84.

[7] Mignotte M., How to Share a Secret. Proc. Workshop on Cryptography, 1983, pp. 371-375.

[8] Kaya K. and Selçuk A.A., Threshold Cryptography Based on Asmuth-Bloom Secret Sharing. Information Sciences, 177 (2007) 4148-4160.

[9] Pointcheval D. and Stern J., Security Proofs for Signature Schemes. Advances in Cryptology, EUROCRYPT '96. Berlin: Springer-Verlag, 1996, pp. 387-398.

[10] Mao W.B., Modern Cryptography: Theory and Practice. Beijing: Publishing House of Electronics Industry, 2006.

Cheng Guo received the B.S. degree in computer science from Xi’an University of Architecture and Technology in 2002. He received the M.S. degree in 2006 and his Ph.D in computer application and technology, in 2009, both from the Dalian University of Technology, Dalian, China.


He is now a postdoctoral researcher at the National Tsing Hua University, Hsinchu, Taiwan. His current research interests include information security and cryptology.

Chin-Chen Chang received his B.S. degree in applied mathematics in 1977 and the M.S. degree in computer and decision sciences in 1979, both from the National Tsing Hua University, Hsinchu, Taiwan. He received his Ph.D in computer engineering in 1982 from the National Chiao Tung University, Hsinchu, Taiwan. Since February 2005, he has been a Chair Professor of Feng Chia University. In addition, he has served as a consultant to several research institutes and government departments. His current research interests include database design, computer cryptography, image compression and data structures. He is a fellow of the IEEE.

**Corresponding author: Professor Chin-Chen Chang

Department of Information Engineering and Computer Science, Feng Chia University, No. 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan, R.O.C.

Email: [email protected] TEL: 886-4-24517250 ext. 3790 FAX: 886-4-27066495
