New identity-based society oriented signature schemes from pairings on elliptic curves


Chih-Yin Lin (a), Tzong-Chen Wu (b,*), Fangguo Zhang (c), Jing-Jang Hwang (d)

(a) Institute of Information Management, National Chiao Tung University, Hsinchu 300, Taiwan, ROC

(b) Department of Information Management, National Taiwan University of Science and Technology, 43, Section 4, Keelung Road, Taipei 106, Taiwan, ROC

(c) International Research Center for Information Security (IRIS), Information and Communications University, 58-4 Hwaam-dong Yusong-ku, Taejon 305-732, South Korea

(d) Department of Information Management, Chang Gung University, Kwei-Shan Tao-Yuan 333, Taiwan, ROC

Abstract

In this paper, we will propose two identity-based society oriented signature schemes that allow a group of co-signers to collaboratively generate a single signature for a message. The first proposed scheme is designated with known signers and the second scheme is with anonymous signers. Both schemes make use of pairings on elliptic curves in their construction and thus have the merits of simplicity in design and efficiency in performance. In the proposed scheme with anonymous signers, a signer may participate in several different signing groups and may join or leave a signing group dynamically in a secure and efficient manner.

© 2003 Elsevier Inc. All rights reserved.

Keywords: Cryptography; Digital signature; Identity-based; Society oriented; Multisignature; Pairing; Elliptic curve

* Corresponding author. E-mail address: [email protected] (T.-C. Wu).

0096-3003/$ - see front matter © 2003 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2003.07.016

1. Introduction

The concept of society oriented signature was first addressed by Desmedt [1], in which multiple signers collaboratively generate a single signature. There are two types of society oriented signature schemes: one with known signers and the other with anonymous signers [1,2]. Schemes with known signers are mostly referred to as multisignature schemes, e.g. the schemes in [3–6]. Within such schemes, the verifier makes use of the public keys of all co-signers for signature verification. In a scheme with anonymous signers, a group public key is established for the group of co-signers. Then, the verifier requires only this group public key to verify the society oriented signature. That is, the verifier does not necessarily know the identities of any co-signers, or how many co-signers have participated in signing.

Recently, Saeednia [2] proposed an identity-based society oriented signature scheme with anonymous signers, in which the signatures are verified with respect to only the group public identity. His scheme is converted from a well-known multisignature scheme proposed by Guillou and Quisquater [7]. Like the RSA cryptosystem, the security and arithmetic operations of their schemes are based on the factorization of a large composite. Saeednia's scheme also deals with situations in which a signer may join or leave the signing group, or participate in different signing groups. As he claimed, the group public identity and all co-signers' private keys remain unaltered in such dynamic situations. However, his scheme fails to satisfy some more important security features when dynamic situations are considered. As specified by Wang and Zhu [8], a co-signer's private key may be disclosed and signatures may be forged after dealing with a dynamic situation in Saeednia's scheme. In addition, when all co-signers in the group leave, they can continue together to maliciously generate valid signatures while remaining anonymous. To withstand such a coalition, Saeednia assumes that at least one co-signer should be honest. Nevertheless, this assumption does not help Saeednia's scheme against Wang and Zhu's attacks.

In this paper, we will propose two identity-based society oriented signature schemes from pairings on elliptic curves. Our schemes make use of a recently proposed pairing-based identity-based signature scheme, i.e. Cha and Cheon's scheme [9], as the basic scheme. The Cha–Cheon scheme is provably secure against existential forgery on adaptively chosen message and identity attack in the random oracle model. Extended from their scheme, the first proposed scheme is named the SSK scheme, which is designated to realize multisignatures with known signers. The second proposed scheme is named the SSA scheme, which is a multisignature scheme that achieves signer anonymity. In the SSA scheme, we will incorporate the concept of time, or valid period, into the group public key. Specifically, the society oriented signatures will be verified with respect to the group public identity along with a notion of valid time period. For example, the group public key can be the hashed digest of the group public identity concatenated with the current date, i.e. hash(groupA||20030322). In this way, the verifier still makes use of the group public identity to verify society oriented signatures, despite the necessity to reference in which time period the signature was generated. As specified in [10,11], such a time-variant or time-control approach fits effectively and efficiently into pairing-based identity-based public keys. With this approach, our SSA scheme can effectively deal with dynamic situations while being immune to Wang and Zhu's attacks [8]. Moreover, the techniques we use herein can be applied to fix the flaws in Saeednia's scheme [2]. Details of secure dynamic situations will be discussed in Section 5.

Besides the merits of efficiency in computation and communication inherited from the underlying elliptic curve realization of pairings [10], the proposed schemes have the following characteristics:

(i) The size of the society oriented signature is fixed regardless of the number of co-signers.

(ii) The signature verification algorithms for the society oriented signature and for the individual signature generated by a co-signer are the same as that in the Cha–Cheon scheme.

(iii) Dynamic situations in which a signer joins or leaves the signing group can be effectively and efficiently resolved, while the signatures are verified with respect to the same group identity.

(iv) An individual signer's private key remains unaltered under dynamic considerations.

(v) Any signer within the system can participate in several different signing groups with a single private key.

(vi) If all co-signers in the group leave, they can no longer generate valid signatures, even if all of them collude.

The rest of this paper is organized as follows. In Section 2, we will address the properties of the pairing. In Section 3, we will review the Cha–Cheon scheme. After that, details of the SSK and SSA schemes are specified in Section 4. In Section 5, we will discuss the security and the dynamic situations. Performance is also analyzed in Section 5, where we will show the exact computational costs for the SSK and SSA schemes. Finally, conclusions are given in Section 6.

2. The pairing

In the world of elliptic curve cryptography, the pairing was initially considered a negative property. This is because it reduces the discrete logarithm problem on some elliptic curves (e.g., supersingular curves) to the discrete logarithm problem in a finite field [12], thus diminishing the strength and practicability of supersingular curves in cryptography. Not until the tripartite key agreement protocol proposed by Joux in ANTS 2000 [13] did the pairing for the first time become beneficial and favorable to cryptographic research and applications. Later, Boneh and Franklin [10] proposed an identity-based encryption scheme based on the modified Weil pairing and gave thorough analyses of its properties, security and performance. Since then, several pairing-based cryptographic schemes have been proposed, including a signature scheme [14], threshold signature, multisignature and blind signature schemes [3], etc., for general certificate-based public keys; and signature schemes [9,15], blind signature and ring signature schemes [16], etc., for identity-based public keys.

In this paper, we will follow most of the notations and parameters defined in [10]. Assume $G_1$ is an additive cyclic group of prime order $q$, and $G_2$ is a multiplicative cyclic group of prime order $q$. The discrete logarithm problems in both $G_1$ and $G_2$ are hard. Usually, $G_1$ can be considered as a subgroup of the points on an elliptic curve over a finite field, and $G_2$ as a subgroup of the multiplicative group of a related finite field. It is assumed herein that the decisional Diffie–Hellman problem is easy and the computational Diffie–Hellman problem is hard, which are defined as follows.

Decision Diffie–Hellman: For $a, b, c \in \mathbb{Z}_q^*$, given $P, aP, bP, cP \in G_1$, decide whether $c = ab$.

Computational Diffie–Hellman: For $a, b \in \mathbb{Z}_q^*$, given $P, aP, bP \in G_1$, compute $abP \in G_1$.

We define the pairing $e : G_1 \times G_1 \to G_2$ as a bilinear map with the following properties:

(i) Bilinear: For all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q$, we have $e(aP, bQ) = e(abP, Q) = e(P, abQ) = e(P, Q)^{ab}$.

(ii) Non-degenerate: There exists a $P \in G_1$ such that $e(P, P) \neq 1$.

(iii) Computable: Given $P, Q \in G_1$, there is an efficient algorithm to compute $e(P, Q)$.

Notice that property (iii) is supported by a polynomial time algorithm invented by Miller [17]. Much of the detail of parameter selection, efficiency and security analysis of pairings can be found in [10].

3. Review of Cha–Cheon’s scheme

Assume there is a system administrator SA responsible for setting up the identity-based cryptosystem [18]. Let $G_1$ and $G_2$ be two cyclic groups of prime order $q$, as defined in Section 2. $P \in G_1$ is a public element satisfying $e(P, P) \neq 1$, i.e. $P$ is a generator of $G_1$. SA's private key is $s \in \mathbb{Z}_q$, and its public key is $P_{pub} = sP$. Let $H_1 : \{0,1\}^* \to G_1$ and $H_c : \{0,1\}^* \times G_1 \to \mathbb{Z}_q$ be two cryptographic hash functions. Each signer $u_i$ has an identity bit-string $ID_i$, which is uniquely determined from his name, address, etc. We define $H_1(ID_i)$ as $u_i$'s public identity, which serves as his public key. There are three algorithms in this scheme, i.e. KeyGen, Sign and Verify, respectively for key generation, signature generation and verification.

KeyGen. Given SA's private key $s$ and signer $u$'s public identity $H_1(ID)$, compute $u$'s private key $K$ as

$$K = sH_1(ID). \quad (1)$$

Sign. Given $u$'s private key $K$ and a message $m$, compute $R = rH_1(ID)$, $h = H_c(m, R)$ and $S = (r + h)K$, where $r \in \mathbb{Z}_q$ is randomly chosen. The signature is $(S, R)$.

Verify. Given $u$'s public identity $H_1(ID)$, the message $m$ and the signature $(S, R)$, compute $h = H_c(m, R)$ and verify whether the following equation holds:

$$e(P, S) = e(P_{pub}, R + hH_1(ID)). \quad (2)$$

4. Proposed schemes

Using the same identity-based setting as the Cha–Cheon scheme, we will propose two society oriented signature schemes, SSK and SSA. As previously specified, the SSK scheme realizes multisignatures with known signers, which require the public identities of all co-signers for signature verification. The SSA scheme realizes multisignatures with anonymous signers, in which the signatures are verified with respect to the group identity and the group's current status. Both schemes employ the same system parameters and notations as the Cha–Cheon scheme.

4.1. The SSK scheme

There are five algorithms in this scheme: SSKKeyGen, SSKIndSign, SSKIndVerify, SSKSigGen and SSKVerify. SSKKeyGen is the same as that in the basic scheme. SSKIndSign and SSKIndVerify are used for individual signature generation and verification. SSKSigGen and SSKVerify are used for society oriented signature generation and verification. Meanwhile, a clerk CLK is employed to collect the individual signatures generated by the co-signers and to construct the society oriented signature by the algorithm SSKSigGen. Note that CLK does not possess any secret information.

Without loss of generality, suppose $n$ signers in the system will collaboratively generate a signature $(S_Q, R_Q)$ for message $m$. We denote these signers as $u_i$, for $i = 1, 2, \ldots, n$, who form a signing group $Q$. Each $u_i$ initially computes his individual signature $(S_i, R_i, R_Q)$ by SSKIndSign, and then sends it to CLK. Then, CLK verifies the received $(S_i, R_i, R_Q)$ by SSKIndVerify. After CLK collects and verifies all individual signatures from $u_i$, for $i = 1, 2, \ldots, n$, he constructs the society oriented signature $(S_Q, R_Q)$ by SSKSigGen. The society oriented signature $(S_Q, R_Q)$ can be publicly verified by SSKVerify, using the public identities $H_1(ID_i)$ of $u_i$, for $i = 1, 2, \ldots, n$. Details of these algorithms are stated as follows:

SSKKeyGen. The same as KeyGen in the Cha–Cheon scheme.

SSKIndSign. Given a message $m$, $u_i$ computes the signature $(S_i, R_i, R_Q)$ together with the other co-signers as follows.

Step 1. Select $r_i \in \mathbb{Z}_q$ at random.

Step 2. Compute $R_i$ and send it to the other co-signers, where

$$R_i = r_iH_1(ID_i). \quad (3)$$

Step 3. Compute $R_Q$ and $h$ as

$$R_Q = \sum_{i=1}^{n} R_i, \quad (4)$$

$$h = H_c(m, R_Q). \quad (5)$$

Step 4. Compute $S_i$ as

$$S_i = (r_i + h)K_i. \quad (6)$$

SSKIndVerify. Given $u_i$'s public identity $H_1(ID_i)$ and $u_i$'s individual signature $(S_i, R_i, R_Q)$ on message $m$, compute $h = H_c(m, R_Q)$ and check whether the following equation holds:

$$e(P, S_i) = e(P_{pub}, R_i + hH_1(ID_i)). \quad (7)$$

SSKSigGen. Given $n$ co-signers' individual signatures $(S_i, R_i, R_Q)$, for $i = 1, 2, \ldots, n$, on message $m$, ensure that all of them are valid and compute $S_Q$ as below. The society oriented signature is $(S_Q, R_Q)$.

$$S_Q = \sum_{i=1}^{n} S_i. \quad (8)$$

SSKVerify. Given $u_i$'s public identities $H_1(ID_i)$, for $i = 1, 2, \ldots, n$, the message $m$ and the society oriented signature $(S_Q, R_Q)$ collaboratively generated by all

$$e(P, S_Q) = e\Big(P_{pub},\ R_Q + h\sum_{i=1}^{n} H_1(ID_i)\Big). \quad (9)$$

Next, we will show the correctness of the SSK scheme with regard to the individual signature and the society oriented signature as follows:

Theorem 1. In cooperation with all other co-signers, an honest co-signer $u_i$, who follows SSKIndSign, will generate an individual signature $(S_i, R_i, R_Q)$ for message $m$ that can be successfully verified by Eq. (7) in SSKIndVerify.

Proof. By Eq. (5), we have $h = H_c(m, R_Q)$. Eq. (7) can be obtained by the following derivation:

$$e(P, S_i) = e(P, (r_i + h)K_i) \quad \text{(by Eq. (6))}$$

$$= e(P, (r_i + h)sH_1(ID_i)) \quad \text{(by Eq. (1))}$$

$$= e(sP, (r_i + h)H_1(ID_i)) \quad \text{(bilinear property of } e)$$

$$= e(P_{pub}, r_iH_1(ID_i) + hH_1(ID_i)) \quad \text{(bilinear property of } e)$$

$$= e(P_{pub}, R_i + hH_1(ID_i)). \quad \text{(by Eq. (3))} \qquad \square$$

Theorem 2. If all co-signers honestly follow SSKIndSign and the trusted CLK honestly follows SSKSigGen, the multisignature $(S_Q, R_Q)$ can be successfully verified by Eq. (9) in SSKVerify.

Proof. By Eq. (5), we have $h = H_c(m, R_Q)$. Eq. (9) can be obtained by the following derivation:

$$e(P, S_Q) = e\Big(P, \sum_{i=1}^{n} S_i\Big) \quad \text{(by Eq. (8))}$$

$$= \prod_{i=1}^{n} e(P, S_i) \quad \text{(bilinear property of } e)$$

$$= \prod_{i=1}^{n} e(P_{pub}, R_i + hH_1(ID_i)) \quad \text{(by Theorem 1)}$$

$$= e\Big(P_{pub}, \sum_{i=1}^{n} R_i + h\sum_{i=1}^{n} H_1(ID_i)\Big) \quad \text{(bilinear property of } e)$$

$$= e\Big(P_{pub}, R_Q + h\sum_{i=1}^{n} H_1(ID_i)\Big). \quad \text{(by Eq. (4))} \qquad \square$$


4.2. The SSA scheme

Without loss of generality, assume a group of $n$ signers $Q = \{u_1, u_2, \ldots, u_n\}$ who will cooperatively generate signatures. Let $ID_Q$ be the unique group public identity of $Q$. We define the group public key for verifying $Q$'s signatures to be $H_1(ID_Q \| t)$, where $t$ is a notion that indicates the time period. The time period should be defined according to the frequency of the dynamic situations. For example, a group with daily updates may employ $H_1(ID_Q \| 20030213)$ as the group public key. For a group with more stable membership, the group public key may use a longer period, e.g. $H_1(ID_Q \| 200304\text{–}06)$. In this way, the verifier still verifies the society oriented signature with respect to the group public identity, although he has to reference when the signature was generated. In practice, the time period $t$ should be predefined and publicly acknowledged. However, a more feasible way is to append the information of the current $t$ to $m$ as the target to be signed. That is, $m$ is time-stamped before being signed, according to when the signature is generated. Consequently, the verifier can always use the correct $H_1(ID_Q \| t)$ to verify the signature, since $t$, or the information that reveals $t$, is available from the message to be verified.

Besides the use of time-variant group public keys, we let all co-signers sign $m \| ID_Q$ instead of $m$, in order to withstand Wang and Zhu's attacks [8]. Because only a concatenation is used, this simple approach incurs no extra cost and no security hazards.

There are six algorithms in the SSA scheme: SSAKeyGen, SSAToken, SSAIndSign, SSAIndVerify, SSASigGen and SSAVerify. SSAKeyGen is the same as that in the Cha–Cheon scheme. SSAIndSign and SSAIndVerify are respectively the same as SSKIndSign and SSKIndVerify in the SSK scheme. To achieve the anonymity of each individual $u_i$ in $Q$, SA computes a public group token $T_Q$ with the SSAToken algorithm. A clerk CLK, defined as in the SSK scheme, constructs the society oriented signature with the group token $T_Q$. SSASigGen and SSAVerify are used respectively for society oriented signature generation and verification.

When generating the society oriented signature, each $u_i$ first computes his individual signature $(S_i, R_i, R_Q)$ by SSAIndSign, and sends it to CLK. Then, CLK verifies the received $(S_i, R_i, R_Q)$ by SSAIndVerify. After CLK collects and verifies the individual signatures from all $u_i \in Q$, he constructs the society oriented signature $(S_Q, R_Q)$ by SSASigGen. The society oriented signature $(S_Q, R_Q)$ can afterwards be publicly verified by SSAVerify, with respect to the group public identity $ID_Q$ and its current status. Details of these algorithms are stated as follows:

SSAKeyGen. The same as KeyGen in the Cha–Cheon scheme.

SSAToken. Given SA's private key $s$, group $Q$'s public identity $ID_Q$, the current time period $t$, and the public identities $ID_i$ of all co-signers $u_i \in Q$, compute $T_Q$ as

$$T_Q = s\Big(H_1(ID_Q \| t) - \sum_{i=1}^{n} H_1(ID_i)\Big). \quad (10)$$

SSAIndSign. The same as SSKIndSign in the SSK scheme, except that $h = H_c(m \| ID_Q, R_Q)$.

SSAIndVerify. The same as SSKIndVerify in the SSK scheme, except that $h = H_c(m \| ID_Q, R_Q)$.

SSASigGen. Given message $m$ and the $n$ co-signers' individual signatures $(S_i, R_i, R_Q)$, for $i = 1, 2, \ldots, n$, ensure that all $(S_i, R_i, R_Q)$ are valid, then compute $h = H_c(m \| ID_Q, R_Q)$ and $S_Q$ as below. The society oriented signature is $(S_Q, R_Q)$.

$$S_Q = \sum_{i=1}^{n} S_i + hT_Q. \quad (11)$$

SSAVerify. Given group $Q$'s group public key $H_1(ID_Q \| t)$, message $m$ and the society oriented signature $(S_Q, R_Q)$, compute $h = H_c(m \| ID_Q, R_Q)$ and check whether the following equation holds:

$$e(P, S_Q) = e(P_{pub}, R_Q + hH_1(ID_Q \| t)). \quad (12)$$

In the SSA scheme, each co-signer follows SSAIndSign to generate the individual signature, which is the same as SSKIndSign. Therefore, the correctness of the individual signature follows directly from Theorem 1. In the following, we will show the correctness of the society oriented signature in the SSA scheme:

Theorem 3. If all co-signers honestly follow SSAIndSign and the trusted CLK honestly follows SSASigGen, the multisignature $(S_Q, R_Q)$ can be successfully verified by Eq. (12) in SSAVerify.

Proof. By Eq. (5), we have $h = H_c(m \| ID_Q, R_Q)$. Eq. (12) can be obtained by the following derivation:

$$e(P, S_Q) = e\Big(P, \sum_{i=1}^{n} S_i + hT_Q\Big) \quad \text{(by Eq. (11))}$$

$$= e\Big(P, \sum_{i=1}^{n}(r_i + h)K_i + hs\Big(H_1(ID_Q \| t) - \sum_{i=1}^{n} H_1(ID_i)\Big)\Big) \quad \text{(by Eqs. (6) and (10))}$$

$$= e\Big(P, \sum_{i=1}^{n}(r_i + h)sH_1(ID_i) + hs\Big(H_1(ID_Q \| t) - \sum_{i=1}^{n} H_1(ID_i)\Big)\Big) \quad \text{(by Eq. (1))}$$

$$= e\Big(P, s\Big(\sum_{i=1}^{n} r_iH_1(ID_i) + \sum_{i=1}^{n} hH_1(ID_i) + h\Big(H_1(ID_Q \| t) - \sum_{i=1}^{n} H_1(ID_i)\Big)\Big)\Big)$$

$$= e\Big(sP, \sum_{i=1}^{n} r_iH_1(ID_i) + h\Big(\sum_{i=1}^{n} H_1(ID_i) + H_1(ID_Q \| t) - \sum_{i=1}^{n} H_1(ID_i)\Big)\Big) \quad \text{(bilinear property of } e)$$

$$= e\Big(P_{pub}, \sum_{i=1}^{n} R_i + hH_1(ID_Q \| t)\Big) \quad \text{(by Eq. (3))}$$

$$= e(P_{pub}, R_Q + hH_1(ID_Q \| t)). \quad \text{(by Eq. (4))} \qquad \square$$

5. Discussions

In Section 5.1, we discuss the security of the proposed schemes without considering the dynamic situations. How to deal with dynamic situation and the possible security concerns will be given in Section 5.2. Then, we will analyze the performance of the proposed SSK and SSA schemes in Section 5.3.

5.1. Security

We consider two types of attacks on both proposed schemes: the outsider forgery attack [19] and the insider forgery attack [3,9,19]. Specifically for the SSA scheme, we further consider that the adversary may try to disclose the identity of any participating signer to violate the signer anonymity property, i.e. the anti-anonymity attack. The definitions of these attacks are given as follows:

Outsider forgery attack: An adversary $A$, who is not in the signing group $Q$ as a co-signer, i.e. $A \notin Q$, may attempt to forge a society oriented signature for a chosen message. In this attack, we assume that all public information is available to $A$.

Insider forgery attack: A co-signer in the signing group, or a collusion of some co-signers, may attempt to forge the multisignature for the signing group, under the assumption that all public information is available to the colluding co-signers. In this attack, we follow the same scenario as in the analysis of the insider attack against most multisignature schemes [3,19], by assuming that the number of malicious co-signers in $Q$ can be as many as $n - 1$.

Anti-anonymity attack: An adversary $A$, who is not in the signing group $Q$ as a co-signer, i.e. $A \notin Q$, attempts to disclose the identities of the participating co-signers from a society oriented signature, under the assumption that all public information is available to $A$. Note that in the SSA scheme, we assume all individual signatures are private to the co-signers and the CLK, and none of them will deliberately reveal any co-signer's identity information to outsiders.

Due to its employment as the basic scheme, the security of the proposed schemes is based on the robustness of the Cha–Cheon scheme. Besides, we assume that all one-way hash functions used herein are secure for cryptographic usage, as defined in [20]. Below, we will prove the security of the individual signature, and then show that the proposed SSK and SSA schemes are secure against the above attacks.

Theorem 4. The security of the individual signature is equivalent to that of the signature in the Cha–Cheon scheme under the assumption that the one-way hash function $H_c$ is secure.

Proof. In the Cha–Cheon scheme, a valid signature for message $m$ is $(S, R)$, and its verification equation (2) can be represented as

$$e(P, S) = e(P_{pub}, R + H_c(m, R)H_1(ID)).$$

In the proposed SSK scheme, a valid individual signature for message $m$ is $(S_i, R_i, R_Q)$, where $R_Q = \sum_{i=1}^{n} R_i$. The verification equation (7) can be represented as

$$e(P, S_i) = e(P_{pub}, R_i + H_c(m, R_i + R_R)H_1(ID_i)), \quad (13)$$

where $R_R = R_Q - R_i = \sum_{j=1, j \neq i}^{n} R_j$.

In Eq. (13), if $R_R$ is fixed in advance, then the construction of Eq. (13) is related to Eq. (2), which implies that finding a valid signature $(S_i, R_i)$ for Eq. (13) requires the same knowledge as for Eq. (2). On the other hand, if $S_i$ is fixed prior to computing $(R_i, R_R)$ to satisfy Eq. (13), the adversary would have to invert $H_c$ to attempt this. Under the assumption that $H_c$ is a secure one-way hash function, the security of the individual signature in the proposed schemes is equivalent to that of the signature in the Cha–Cheon scheme, which is secure against adaptively chosen message and identity attack in the random oracle model [9]. The same result holds in the SSA scheme, since the only difference is that $m$ is replaced by $m \| ID_Q$ in the one-way hash function. $\square$

Theorem 5. The SSK scheme is secure against the outsider forgery attack and the insider forgery attack.

Proof. For the outsider forgery attack, consider an adversary $A \notin Q$ who wants to forge the multisignature of some message $m$ for all $u_i \in Q$. That is, $A$ knows all public information, including the public identities $H_1(ID_i)$ of all $u_i \in Q$, and wants to find $(S_Q, R_Q)$ satisfying the verification equation (9) in SSKVerify. By taking the public verification key for $Q$ to be $\sum_{i=1}^{n} H_1(ID_i)$, the construction of the multisignature and the multisignature verification of the SSK scheme can be related to the signature and the Verify algorithm in the Cha–Cheon scheme. This implies that such an attack is equivalent to signature forgery in their scheme. Since the Cha–Cheon scheme is secure against existential forgery on adaptively chosen message and identity attack in the random oracle model [9], the outsider forgery attack is infeasible in the proposed SSK scheme.

For the insider forgery attack, we assume there is at least one honest co-signer $u_a$ in $Q$. Consider some malicious signers $u_j$, for $u_j \in Q \setminus \{u_a\}$, who want to generate the multisignature of the message $m$ for the signing group $Q$. From SSKSigGen, it is easy to see that all malicious co-signers have to obtain $u_a$'s individual signature to attempt this. With all public information and the individual signatures generated by $u_a$ on messages different from $m$, all $u_j \in Q \setminus \{u_a\}$ may try to deduce $u_a$'s private key or forge $u_a$'s individual signature for $m$. However, deducing $u_a$'s private key $K_a = sH_1(ID_a)$ from his public key $H_1(ID_a)$ requires knowledge of SA's private key $s$, and finding $s$ from SA's public key $P_{pub} = sP$ is a discrete logarithm problem in $G_1$, which is widely believed to be computationally infeasible if $G_1$ is well chosen [12,21]. On the other hand, the individual signature $(R_Q, R_a, S_a)$ has the same security strength as the signature in the Cha–Cheon scheme, as proved in Theorem 4. Hence the insider forgery attack is infeasible. $\square$

Theorem 6. The SSA scheme is secure against the outsider attack, the insider attack and the anti-anonymity attack.

Proof. The security of the SSA scheme regarding the outsider forgery attack and the insider forgery attack follows directly from Theorem 5.

For the anti-anonymity attack, an adversary may obtain message $m$ with its society oriented signature $(R_Q, S_Q)$, and use the group public key $H_1(ID_Q \| t)$ to verify its validity, as in Eq. (12). If $ID_Q$ reveals no personal information of any co-signer in $Q$, the only public information that could possibly relate the group public key to the co-signers' individual public keys is the group token $T_Q$.

oriented signature $(R_Q, S_Q)$ regarding the same message, he can relate them by Eq. (11). Moreover, he can compare $R_Q$ in $(R_Q, R_i, S_i)$ to $R_Q$ in $(R_Q, S_Q)$ to identify individual co-signers in $Q$. However, under the assumption that all individual signatures are private to the co-signers and CLK, and none of them will deliberately reveal any signer's identity information to outsiders, this attack is infeasible. $\square$

5.2. Dynamic situations

In the proposed SSA scheme, a signer may dynamically join or leave the signing group. To resolve this, SA simply computes a new group token $T_{Q'}$ for group $Q'$, where $Q'$ is the updated group after any signer joins or leaves the original group $Q$. Note that the group public identity information remains the same, i.e. $ID_{Q'} = ID_Q$. While computing the new group token, the group public key is also updated. For example, the group token is updated from $T_Q = s\big(H_1(ID_Q \| 200303) - \sum_{u_i \in Q} H_1(ID_i)\big)$ to $T_{Q'} = s\big(H_1(ID_{Q'} \| 200304) - \sum_{u_i \in Q'} H_1(ID_i)\big)$. As a result, the SSA scheme can effectively and efficiently deal with dynamic situations, since only the group public token is modified.
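As an added illustration (this is not code from the paper or its authors), the following Python models the Cha–Cheon scheme of Section 3, the SSK and SSA schemes of Section 4, and the per-period token update of Section 5.2 over a deliberately insecure toy bilinear map: $G_1$ is $\mathbb{Z}_q$ with $P = 1$, and pairing values are kept as exponents, so $e(aP, bP)$ is stored as $ab \bmod q$. The identities, message, time periods, the choice $q = 2^{127} - 1$ and the SHA-256-based $H_1$ and $H_c$ are constructed assumptions. The code exercises the correctness equations behind Theorems 1–3, the role of $ID_Q$ inside $H_c$, and the fact that a signature made under period $t$ does not verify against $H_1(ID_Q \| t')$; it says nothing about security, since the discrete logarithm in this $G_1$ is trivial.

```python
import hashlib
import secrets

# Constructed toy parameters (INSECURE; for checking the algebra only). G1 is
# the additive group Z_q with generator P = 1, and an element g^x of G2 is
# stored as its exponent x, so the pairing value e(aP, bP) = g^(ab) is a*b mod q.
# The discrete logarithm in this G1 is trivial, so no hardness assumption holds.
q = 2**127 - 1   # prime group order
P = 1            # generator of G1

def e(A, B):
    """Toy pairing: exponent of e(A, B) = g^(A*B) in G2."""
    return (A * B) % q

def H1(data):
    """H1: {0,1}* -> G1 (an integer mod q here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def Hc(m, R):
    """Hc: {0,1}* x G1 -> Z_q."""
    return int.from_bytes(hashlib.sha256(m + R.to_bytes(16, "big")).digest(), "big") % q

def setup():
    """SA's private key s and public key Ppub = sP."""
    s = secrets.randbelow(q - 1) + 1
    return s, (s * P) % q

def keygen(s, ID):
    """Eq. (1): K = s H1(ID); KeyGen, SSKKeyGen and SSAKeyGen are identical."""
    return (s * H1(ID)) % q

def ind_commit(ID):
    """SSKIndSign steps 1-2: choose r_i and publish R_i = r_i H1(ID_i) (Eq. (3))."""
    r = secrets.randbelow(q - 1) + 1
    return r, (r * H1(ID)) % q

def ind_sign(K, r, Rs, m, tag=b""):
    """Steps 3-4: R_Q = sum R_i (4), h = Hc(m||tag, R_Q) (5), S_i = (r_i + h) K_i (6).
    One signer with tag=b"" is exactly Cha-Cheon Sign; tag=ID_Q gives SSAIndSign."""
    RQ = sum(Rs) % q
    h = Hc(m + tag, RQ)
    return ((r + h) * K) % q

def ind_verify(Ppub, ID, m, Si, Ri, RQ, tag=b""):
    """Eqs. (2)/(7): e(P, S_i) == e(Ppub, R_i + h H1(ID_i))."""
    h = Hc(m + tag, RQ)
    return e(P, Si) == e(Ppub, (Ri + h * H1(ID)) % q)

def ssk_verify(Ppub, IDs, m, SQ, RQ):
    """Eq. (9): verify against the sum of the known signers' public identities."""
    h = Hc(m, RQ)
    agg = sum(H1(ID) for ID in IDs) % q
    return e(P, SQ) == e(Ppub, (RQ + h * agg) % q)

def ssa_token(s, IDQ, t, IDs):
    """Eq. (10): T_Q = s (H1(ID_Q||t) - sum H1(ID_i)), issued by SA for period t."""
    agg = sum(H1(ID) for ID in IDs) % q
    return (s * (H1(IDQ + t) - agg)) % q

def ssa_verify(Ppub, IDQ, t, m, SQ, RQ):
    """Eq. (12): verify against the time-variant group key H1(ID_Q||t) alone."""
    h = Hc(m + IDQ, RQ)
    return e(P, SQ) == e(Ppub, (RQ + h * H1(IDQ + t)) % q)

def sign_group(s, Ppub, IDs, m, IDQ=None, TQ=None):
    """Plays the co-signers and the clerk CLK. Returns (S_Q, R_Q), or None if CLK
    rejects an individual signature. With IDQ and TQ this is SSA, otherwise SSK."""
    tag = IDQ if IDQ is not None else b""
    Ks = [keygen(s, ID) for ID in IDs]              # each u_i holds its own K_i
    commits = [ind_commit(ID) for ID in IDs]        # round 1: broadcast R_i
    Rs = [R for _, R in commits]
    RQ = sum(Rs) % q
    Ss = [ind_sign(K, r, Rs, m, tag) for K, (r, _) in zip(Ks, commits)]
    if not all(ind_verify(Ppub, ID, m, Si, Ri, RQ, tag) for ID, Si, Ri in zip(IDs, Ss, Rs)):
        return None                                 # SSKIndVerify / SSAIndVerify failed
    SQ = sum(Ss) % q                                # Eq. (8)
    if IDQ is not None:
        SQ = (SQ + Hc(m + IDQ, RQ) * TQ) % q        # Eq. (11): add h T_Q
    return SQ, RQ

def demo():
    """Constructed walk-through; returns the verification outcomes by name."""
    s, Ppub = setup()
    IDs = [b"alice@example.org", b"bob@example.org", b"carol@example.org"]
    m, IDQ, t1, t2 = b"approve purchase order 42", b"groupA", b"20030322", b"20030323"
    out = {}
    SQ, RQ = sign_group(s, Ppub, IDs, m)
    out["ssk"] = ssk_verify(Ppub, IDs, m, SQ, RQ)
    out["ssk_wrong_msg"] = ssk_verify(Ppub, IDs, b"other message", SQ, RQ)
    TQ = ssa_token(s, IDQ, t1, IDs)
    SQ, RQ = sign_group(s, Ppub, IDs, m, IDQ, TQ)
    out["ssa"] = ssa_verify(Ppub, IDQ, t1, m, SQ, RQ)
    # Section 5.2: under a new period t2 the old signature fails against
    # H1(ID_Q||t2); after carol leaves, SA issues T_Q' for Q' with the same ID_Q.
    out["ssa_old_period"] = ssa_verify(Ppub, IDQ, t2, m, SQ, RQ)
    TQ2 = ssa_token(s, IDQ, t2, IDs[:-1])
    SQ, RQ = sign_group(s, Ppub, IDs[:-1], m, IDQ, TQ2)
    out["ssa_after_leave"] = ssa_verify(Ppub, IDQ, t2, m, SQ, RQ)
    return out
```

`sign_group` collapses the two rounds of the co-signers and CLK's checks into one function; in a deployment each `ind_commit` and `ind_sign` call runs on a different signer's host, and only $R_i$ and $(S_i, R_i, R_Q)$ cross the wire. Note that `ssa_verify` needs only $ID_Q$ and $t$, never the signers' identities, which is the anonymity property the SSA scheme is after, and that the group token $T_Q$ has to be recomputed by SA whenever $t$ or the membership changes.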

Regarding the flaws in Saeednia's scheme [2], Wang and Zhu [8] specified five scenarios that may expose security problems. These scenarios are: (i) a signer leaves the signing group, (ii) a signer joins the signing group, (iii) different groups represent the same organization, (iv) the same group represents different organizations, and (v) all signers leave the signing group and collude. In Saeednia's scheme, the difference of a new group token and an old one directly reveals some crucial information $s$. In (i) and (ii), $s$ is the private key of the co-signer who joins or leaves. In (iii), $s$ may imply the ratio of the private keys of two co-signers $u_a$ and $u_b$, thus forging an individual signature $(S_a, R_a, R_Q)$ from another valid signature $(S_a, R_a, R_Q)$ is possible. In (iv), $s$ may indicate the ratio of the private keys corresponding to two group public keys $H_1(ID_{Q_1})$ and $H_1(ID_{Q_2})$, thus forging a society oriented signature $(S_{Q_1}, R_{Q_1})$ from another valid signature $(S_{Q_2}, R_{Q_2})$ is possible. In (v), without the assumption of an honest signer, if all signers leave they can collude to sign maliciously and anonymously. As analyzed by Wang and Zhu [8], Saeednia's scheme can be enhanced to withstand the attacks in scenarios (i), (ii), (iii) and (iv) if a trusted CLK exists who secretly possesses the group token.

In the SSA scheme, although both the new group token $T_{Q'}$ and the old one $T_Q$ are derived from the same group public identity information, they are computed based on different time periods. Therefore, the difference of group tokens reveals no useful information to malicious outsiders in scenarios (i), (ii) and (iii). In (iv), although the difference of two group tokens may imply the difference of the private keys corresponding to two different group public keys, a valid society oriented signature embeds the group public identity together with the message in $H_c$, i.e. $h = H_c(m \| ID_Q, R_Q)$. Therefore, a successful forgery requires the ability to invert the one-way hash function $H_c$. In (v), when all signers leave, the time period also changes; therefore their coalition cannot generate valid society oriented signatures for a period other than their own. Due to the time-variant group public key and the concatenation of the message with the group public identity when signing, the proposed SSA scheme is secure against Wang and Zhu's attacks in all scenarios without employing a trusted CLK.

5.3. Performance

The performance in terms of computational efficiency is analyzed herein. We omit the cost of computing the hashed digest from $ID_i$ to $H_1(ID_i)$. The cost is measured in terms of the following arithmetic operations. The computational costs for the SSK and SSA schemes are given in Table 1, where $n$ is the number of co-signers.

$T_H$: the time for computing the one-way hash function $H_c$.

$T_{Aq}$: the time for computing a modular addition in $\mathbb{Z}_q$.

$T_{AG_1}$: the time for computing an addition in $G_1$.

$T_{RG_1}$: the time for computing a subtraction in $G_1$.

$T_{MG_1}$: the time for computing a scalar multiplication in $G_1$.

$T_P$: the time for computing a pairing $e$.

Table 1
Computational costs of the proposed SSK and SSA schemes ($n$ signers)

Algorithm | SSK | SSA
IndSign | $T_H + T_{Aq} + (n-1)T_{AG_1} + 2T_{MG_1}$ | $T_H + T_{Aq} + (n-1)T_{AG_1} + 2T_{MG_1}$
IndVerify | $T_H + T_{AG_1} + T_{MG_1} + 2T_P$ | $T_H + T_{AG_1} + T_{MG_1} + 2T_P$
SSAToken | – | $(n-1)T_{AG_1} + T_{RG_1} + T_{MG_1}$
SSKSigGen / SSASigGen | $T_H + (n-1)T_{AG_1}$ | $T_H + nT_{AG_1} + T_{MG_1}$
SSKVerify / SSAVerify | $T_H + nT_{AG_1} + T_{MG_1} + 2T_P$ | $T_H + T_{AG_1} + T_{MG_1} + 2T_P$

6. Conclusions

In this paper, we have proposed two identity-based society oriented signature schemes, i.e. SSK and SSA, to respectively realize multisignature schemes with known signers and with anonymous signers. We have shown that the proposed schemes work correctly and are secure under possible outsider and insider forgery attacks. As discussed, an attempt to break the signer anonymity in the SSA scheme is also infeasible. Due to the underlying pairing structure, the proposed schemes have the merits of simplicity in construction and efficiency in performance.

In the SSA scheme, we have provided an efficient and effective method to deal with dynamic situations, allowing any signer to dynamically join or leave different signing groups with a single private key. By using the time-variant group public key and signing the hash of the message concatenated with the group public identity, the proposed SSA scheme is secure against Wang and Zhu's attacks in all scenarios without requiring a trusted CLK.

References

[1] Y. Desmedt, Society and group oriented cryptography: a new concept, in: Advances in Cryptology––CRYPTO 87, Spring-Verlag, 1988, pp. 120–127.

[2] S. Saeednia, An identity-based society oriented signature scheme with anonymous signers, Inform. Process. Lett. 83 (2002) 295–299.

[3] A. Boldyreva, Efficient threshold signature, multisignature and blind signature schemes based on the gap-Diffie–Hellman-group signature scheme, in: Proceedings of International Workshop on Practice and Theory in Public Key Cryptography––PKC 2003, Springer-Verlag, 2003, pp. 31–46.

[4] C. Boyd, Digital multisignatures, in: Proceedings of IMA Conference on Cryptography and Coding, Oxford University Press, 1989, pp. 241–246.

[5] T. Hardjono, Y. Zheng, A practical digital multisignature scheme based on discrete logarithms, in: Advances in Cryptology––AUSCRYPT 92, Springer-Verlag, 1992, pp. 122–132.

[6] S. Micali, K. Ohta, L. Reyzin, Accountable subgroup multisignatures, in: Proceedings of 8th ACM Conference on Computer and Communications Security, ACM Press, 2001, pp. 245–254.

[7] L. Guillou, J.J. Quisquater, A paradoxical identity-based signature scheme resulting from zero-knowledge, in: Advances in Cryptology––CRYPTO 88, Springer-Verlag, 1989, pp. 216–231.

[8] G. Wang, B. Zhu, Remarks on Saeednia's identity-based society oriented signature scheme with anonymous signers, Cryptology ePrint Archive, Report 2003/046, 10 March 2003. Available from http://eprint.iacr.org/2003/046.

[9] J.C. Cha, J.H. Cheon, An identity-based signature from gap Diffie–Hellman groups, in: Proceedings of International Workshop on Practice and Theory in Public Key Cryptography––PKC 2003, Springer-Verlag, 2003, pp. 18–30.

[10] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Advances in Cryptology––CRYPTO 2001, Springer-Verlag, 2001, pp. 213–229.

[11] K.G. Paterson, Cryptography from pairings: a snapshot of current research, Information Security Technical Report 7 (3) (2002) 41–54. Available from http://www.isg.rhul.ac.uk/~kp/.

[12] A.J. Menezes, T. Okamoto, S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Trans. Inform. Theory 39 (1993) 1639–1646.

[13] A. Joux, A one round protocol for tripartite Diffie–Hellman, in: Algorithmic Number Theory Symposium, ANTS-IV, Springer-Verlag, 2000, pp. 385–394.

[14] D. Boneh, H. Shacham, B. Lynn, Short signatures from the Weil pairing, in: Advances in Cryptology––ASIACRYPT 2001, Springer-Verlag, 2001, pp. 514–532.

[15] K.G. Paterson, ID-based signatures from pairings on elliptic curves, Electron. Lett. 38 (18) (2002) 1025–1026.

[16] F. Zhang, K. Kim, ID-based blind signature and ring signature from pairings, in: Advances in Cryptology––ASIACRYPT 2002, Springer-Verlag, 2002, pp. 533–547.


[17] V. Miller, Short programs for functions on curves, unpublished manuscript, 1986.

[18] A. Shamir, Identity-based cryptosystems and signature schemes, in: Advances in Cryptology–– CRYPTO 84, Springer-Verlag, 1984, pp. 47–53.

[19] M. Michels, P. Horster, On the risk of disruption in several multiparty signature schemes, in: Advances in Cryptology––ASIACRYPT 96, Springer-Verlag, 1996, pp. 334–345.

[20] NIST, Federal Information Processing Standard Publication 180-2, Secure Hash Standard (SHS), 2002. Available from http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf.

[21] IEEE, IEEE P1363 Draft Standard, Annex A: Number Theoretic Algorithms, 1998.
