Security of A Multisignature Scheme for Specified Group of Verifiers *

Jiqiang Lv (a), Xinmei Wang (a) and Kwangjo Kim (b)

(a) National Key Lab of ISN, Xidian University, Xi’an City, Shaanxi Province, 710071 CHINA. lvjiqiang AT hotmail.com, xmwang AT xidian.edu.cn

(b) International Research center for Information Security, Information and Communications University, 58-4 Hwaam-dong Yusong-ku, Taejon, 305-732 KOREA. kkj AT icu.ac.kr

Abstract

A multisignature scheme for specified group of verifiers needs a group of signers’ cooperation to sign a message to a specified group of verifiers that must cooperate to check the signature’s validity later. Recently, Zhang et al. proposed a new multisignature scheme for specified group of verifiers. However, we find that Zhang et al.’s scheme cannot prevent a dishonest clerk of the signing group from changing the signing message to another message of his choice while he is cooperating with the signers to produce a multisignature. Therefore, their scheme is insecure.

Key words: Public key cryptography; Digital signature; Multisignature scheme

PACS:

1 Introduction

A digital signature provides the functions of integrity, authentication and nonrepudiation for a signing message. In some ordinary situations, one signer is sufficient to generate a signature on a message. In other situations, a group of signers may need to participate to produce a signature on a message. For such situations, Itakura et al. [1] proposed a new concept of digital signature scheme, called a multisignature scheme, in which a group of signers must cooperate to produce a signature on a message and any verifier can check the multisignature’s validity by using the signing group’s public key. Later, Laih et al. [2] proposed a new type of multisignature scheme that is used for a specified group of verifiers. It differs from an ordinary multisignature scheme in that a multisignature can be verified only with the cooperation of the group of verifiers. Unfortunately, He [3] pointed out that Laih et al.’s scheme has the weakness that the clerk of the verifying group can verify a multisignature by himself once he has received a signature from the same signing group. Recently, Zhang et al. [4] proposed a new multisignature scheme for specified group of verifiers, and claimed that forging signatures in the proposed scheme is equivalent to forging Harn’s signatures [5]. In this paper, we show that Zhang et al.’s scheme has the following weakness: a dishonest clerk of the signing group can change the signing message to an arbitrary one while he is cooperating with the signers to produce a multisignature. In the next section, we briefly review Zhang et al.’s multisignature scheme for specified group of verifiers. In Section 3, we show the weakness in Zhang et al.’s scheme. Concluding remarks are made in Section 4.

* This paper was published in Applied Mathematics and Computation, Vol. 166(1), pp. 58–63, Elsevier Science, 2005.

Preprint submitted to Elsevier Science, 9 October 2007

2 Review of Zhang et al.’s Multisignature Scheme for Specified Group of Verifiers [4]

Zhang et al.’s multisignature scheme consists of three phases: key generation, multisignature generation, and multisignature verification.

Key generation phase:

Let $G_S = \{U_{S1}, U_{S2}, \cdots, U_{Sn}\}$ be the group of $n$ signers and $G_V = \{U_{V1}, U_{V2}, \cdots, U_{Vm}\}$ be the group of $m$ verifiers. In each group, there is a specified user, called the clerk. The clerk $U_{Sc}$ of the signers’ group is responsible for verifying all partial signatures signed by signers in $G_S$ and combining them into a multisignature. The clerk $U_{Vc}$ of the verifiers’ group is responsible for assisting all verifiers in $G_V$ to verify the multisignature. The trusted center selects two large primes $p$ and $q$ such that $q \mid p - 1$, a generator $g$ with order $q$ in $Z_p$ and a public one-way hash function $H(\cdot)$. Each $U_{Si} \in G_S$ selects his private key $s_i \in Z_q$ and computes his public key $Y_{Si} = g^{s_i} \bmod p$. Each $U_{Vi} \in G_V$ selects his private key $v_i \in Z_q$ and computes his public key $Y_{Vi} = g^{v_i} \bmod p$. Then $G_S$ and $G_V$ respectively publish their group public keys $Y_S$ and $Y_V$, where

$$Y_S = \prod_{i=1}^{n} Y_{Si} \bmod p \quad \text{and} \quad Y_V = \prod_{i=1}^{m} Y_{Vi} \bmod p.$$

Multisignature generation phase:

All signers in $G_S$ perform the following steps to generate the multisignature of a message $m$ for the specified group $G_V$ of verifiers:

Step 1: Each $U_{Si} \in G_S$ randomly selects an integer $k_i \in Z_q^*$, computes

$$r_i = g^{k_i} \bmod p, \qquad r_i' = Y_V^{k_i} \bmod p,$$

and sends $(r_i, r_i')$ to $U_{Sc}$.

Step 2: After receiving all the $(r_i, r_i')$, $(i = 1, 2, \cdots, n)$, $U_{Sc}$ computes

$$r = \prod_{i=1}^{n} r_i \bmod p, \qquad r' = \prod_{i=1}^{n} r_i' \bmod p,$$

and broadcasts $r'$ to all signers in $G_S$.

Step 3: Each $U_{Si} \in G_S$ computes

$$w_i = s_i \cdot (H(m) + r') - k_i \bmod q, \qquad (1)$$

and sends $w_i$ to $U_{Sc}$.

Step 4: For each received $w_i$, $U_{Sc}$ checks whether the following equation holds:

$$Y_{Si}^{H(m) + r'} = r_i \cdot g^{w_i} \bmod p.$$

If the equation holds for all the $w_i$, $(i = 1, 2, \cdots, n)$, then $U_{Sc}$ computes $w = \sum_{i=1}^{n} w_i \bmod q$. The multisignature of $m$ is $(r, w)$.

Multisignature verification phase:

All verifiers in $G_V$ perform the following steps to verify the multisignature of message $m$:

Step 1: Each $U_{Vj} \in G_V$ computes $X_j = r^{v_j} \bmod p$, and sends $X_j$ to $U_{Vc}$.

Step 2: $U_{Vc}$ computes

$$X = \prod_{j=1}^{m} X_j \bmod p,$$

and broadcasts $X$ to all verifiers in $G_V$.

Step 3: Each $U_{Vj}$ checks the validity of the multisignature of the message $m$ by the following equation:

$$Y_S^{H(m) + X} = r \cdot g^{w} \bmod p.$$

If it holds, the verifier accepts the signature as valid; otherwise, he rejects it.

3 Security of Zhang et al.’s Multisignature Scheme

The dishonest clerk $U_{Sc}$ can produce a valid multisignature on any message $\bar{m}$ while he is cooperating with the signers to produce a multisignature, in the following way:

Step 1: After receiving all the $(r_i, r_i')$ from each $U_{Si} \in G_S$, $(i = 1, 2, \cdots, n)$, $U_{Sc}$ randomly chooses an integer $a \in Z_q^*$, computes

$$\bar{r} = g^{a} \cdot \prod_{i=1}^{n} r_i \bmod p,$$

$$\bar{r}' = Y_V^{a} \cdot \prod_{i=1}^{n} r_i' \bmod p,$$

$$\bar{r}^* = \bar{r}' - H(m) + H(\bar{m}) \bmod p,$$

and broadcasts $\bar{r}^*$ to all signers in $G_S$.

Step 2: Each $U_{Si} \in G_S$ will compute

$$\bar{w}_i = s_i \cdot (H(m) + \bar{r}^*) - k_i \bmod q,$$

and send $\bar{w}_i$ to $U_{Sc}$.

Step 3: For all the $\bar{w}_i$, $(1 \le i \le n)$, $U_{Sc}$ checks whether the following equation holds:

$$Y_{Si}^{H(\bar{m}) + \bar{r}'} = r_i \cdot g^{\bar{w}_i} \bmod p.$$

If all the above equalities hold, then $U_{Sc}$ computes $\bar{w} = \sum_{i=1}^{n} \bar{w}_i - a \bmod q$.

The multisignature of $\bar{m}$ is $(\bar{r}, \bar{w})$, since

$$\bar{X} = \prod_{j=1}^{m} \bar{X}_j \bmod p = \prod_{j=1}^{m} \Big(g^{a} \cdot \prod_{i=1}^{n} r_i\Big)^{v_j} \bmod p = \prod_{j=1}^{m} \Big(g^{a + \sum_{i=1}^{n} k_i}\Big)^{v_j} \bmod p$$

$$= \Big(g^{a + \sum_{i=1}^{n} k_i}\Big)^{\sum_{j=1}^{m} v_j} \bmod p = \Big(g^{\sum_{j=1}^{m} v_j}\Big)^{a + \sum_{i=1}^{n} k_i} \bmod p = \bar{r}'.$$

Therefore, we have

$$\bar{w} = \sum_{i=1}^{n} \bar{w}_i - a \bmod q = \sum_{i=1}^{n} \big(s_i \cdot (H(m) + \bar{r}^*) - k_i\big) - a \bmod q$$

$$= \sum_{i=1}^{n} \big(s_i \cdot (H(\bar{m}) + \bar{r}') - k_i\big) - a \bmod q = \sum_{i=1}^{n} s_i \cdot (H(\bar{m}) + \bar{r}') - \Big(a + \sum_{i=1}^{n} k_i\Big) \bmod q$$

$$= \sum_{i=1}^{n} s_i \cdot (H(\bar{m}) + \bar{X}) - \Big(a + \sum_{i=1}^{n} k_i\Big) \bmod q.$$

Thus, the following multisignature verification equation holds:

$$Y_S^{H(\bar{m}) + \bar{X}} = \bar{r} \cdot g^{\bar{w}} \bmod p.$$

The weakness is mainly caused by the linear relationship between $H(m)$ and $r'$ in Eqn. (1). If Eqn. (1) is replaced with the equation $w_i = s_i \cdot H(m, r') - k_i \bmod q$, then the clerk $U_{Sc}$ cannot produce a multisignature on a message of his choice; however, he can still change the parameter $r'$ to another $\bar{r}'$. Another way to improve Zhang et al.’s scheme is to broadcast $r_i'$ to all the signers in $G_S$ instead of just sending $(r_i, r_i')$ to $U_{Sc}$. Then, each signer computes $r_i'$ and produces an individual signature $w_i$. Furthermore, to prevent Li et al.’s attack [7], the certificate authority should require each user to prove that he knows the secret key corresponding to his public key. The disadvantage is increased computational complexity and communication cost, but higher security will be achieved.
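To check that a proposed repair really closes this weakness, the following added example (not code from the paper) simulates one signing and verification run with a substituting clerk, once with the linear binding of Eqn. (1) and once with $w_i = s_i \cdot H(m, r') - k_i$. The group parameters, the SHA-256-based H and all function names are assumptions of the example; the broadcast value is left unreduced because the signers use it only modulo q.

```python
import hashlib, secrets

# Constructed demo parameters (assumptions of this example, not from the paper).
Q = 2**61 - 1                                   # prime order of the subgroup
P = next(p for p in (2 * k * Q + 1 for k in range(1, 10**5))
         if pow(2, p - 1, p) == 1 and pow(3, p - 1, p) == 1)  # Fermat-tested, q | p-1
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)

def H(*parts):
    """Hash the given values into Z_q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def bind(m, r_prime, hardened):
    """Factor each signer multiplies by s_i: Eqn. (1), or the H(m, r') variant."""
    return H(m, r_prime) if hardened else (H(m) + r_prime) % Q

def verifies_after_swap(m, m_bar, hardened, n=3, n_ver=2):
    """Signers sign m; the clerk claims m_bar. Return the verifiers' verdict on m_bar."""
    rand = lambda: secrets.randbelow(Q - 1) + 1
    s = [rand() for _ in range(n)]              # signers' private keys s_i
    v = [rand() for _ in range(n_ver)]          # verifiers' private keys v_j
    Y_S, Y_V = pow(G, sum(s), P), pow(G, sum(v), P)
    k = [rand() for _ in range(n)]              # signers' nonces k_i
    a = rand()                                  # clerk's extra exponent a
    r_bar = pow(G, a + sum(k), P)               # g^a * prod r_i
    r_bar_p = pow(Y_V, a + sum(k), P)           # Y_V^a * prod r_i'
    # Value broadcast in place of r' (unreduced; equals r_bar_p when m == m_bar).
    r_star = r_bar_p - H(m) + H(m_bar)
    # Honest signers follow the protocol on m with the broadcast value.
    w_bar = (sum(si * bind(m, r_star, hardened) - ki
                 for si, ki in zip(s, k)) - a) % Q
    # Verifiers jointly recover X = r_bar^(sum v_j) and check the claimed message.
    X = pow(r_bar, sum(v), P)
    return pow(Y_S, bind(m_bar, X, hardened), P) == r_bar * pow(G, w_bar, P) % P

if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "linear",
              verifies_after_swap("pay 10", "pay 9000", hardened))
```

With the hashed binding the substituted message is rejected, while a run where the clerk only replaces $r'$ by $\bar{r}'$ for the same message still verifies, as the paragraph above notes.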

4 Concluding Remarks

We show that Zhang et al.’s scheme cannot prevent a dishonest clerk of signing group from changing the signing message to another message of his choice while he is cooperating with the other signers to produce a multisignature.

References

[1] K. Itakura and K. Nakamura, A public-key cryptosystem suitable for digital multisignatures, NEC Res. Dev. 71: 1-8 (1983).

[2] C.S. Laih and S.M. Yen, Multisignature for specified group of verifiers, Journal of Information Science and Engineering, 12 (1): 143-152 (1996).

[3] W.H. He, Weaknesses in some multisignature schemes for specified group of verifiers, Information Processing Letters 83: 95-99 (2002).

[4] Z. Zhang and G. Xiao, New Multisignature Scheme for Specified Group of Verifiers, Journal of Applied Mathematics and Computation, in press (2003).

[5] L. Harn, New digital signature scheme based on discrete logarithm, IEE Electronics Letters, 30 (5): 396-398 (1994).

[6] L. Harn, Digital Multisignature with Distinguished Signing Authorities, IEE Electronics Letters, 35 (4): 294-295 (1999).

[7] Z.C. Li, L.C.K. Hui, K.P. Chow, C.F. Chong, W.W. Tsang and H.W. Chan, Cryptanalysis of Harn Digital Multisignature with Distinguished Signing Authorities, IEE Electronics Letters, 36 (4): 314-315 (2000).
