Xiao et al. / J Zhejiang Univ SCI 2005 6A(1):56-62
Applying two channels to vector space secret sharing based
multi-signature scheme
XIAO Qing-hua (肖清华)†, PING Ling-di (平玲娣), CHEN Xiao-ping (陈小平), PAN Xue-zeng (潘雪增)
(School of Computer Science, Zhejiang University, Hangzhou 310027, China)
†E-mail: foxqinghua@etang.com
Received Jan. 20, 2004; revision accepted Oct. 29, 2004
Abstract: Secret sharing and digital signatures form an important research area in information security, with wide applications in fields such as safeguarding and legal use of confidential information, secure multiparty computation and electronic commerce. Up to now, however, signature schemes based on general vector space secret sharing have received little study. Aiming at this drawback, the authors studied vector space secret sharing against cheaters and propose an efficient but secure vector space secret sharing based multi-signature scheme, which is implemented in two channels. In this scheme, the group signature can be easily produced if an authorized subset of participants pool their secret shadows, and it is impossible to generate a group signature if an unauthorized subset of participants pool their secret shadows. The validity of the group signature can be verified by means of verification equations. A group signature of an authorized subset of participants cannot be impersonated by any other set of participants. Moreover, a suspected forgery can be traced and the malicious participants detected. None of the several possible attacks considered succeeds against this scheme.
Key words: Vector space secret sharing, Multi-signature, Discrete logarithm, Chinese remainder theorem
doi:10.1631/jzus.2005.A0056 Document code: A CLC number: TP309
INTRODUCTION
Digital signatures play an important role in our modern electronic society because they provide integrity and authentication. The integrity property ensures that the received message has not been modified, and the authentication property ensures that the sender is not impersonated. In well-known conventional digital signatures, such as RSA and DSA, a single signer is sufficient to produce a valid signature, and anyone can verify the validity of a given signature. On many occasions, however, we need to share the responsibility for signing a message among a set of signers. Issuing checks for a company is an example of this: for the sake of security, it may be company policy that checks must be signed by a group of individuals rather than by one person. Secret sharing signature schemes (Gennaro et al., 1996; Safavi et al., 1999) and multi-signature schemes (Harn and Kiesler, 1989; Okamoto, 1988; Harn, 1994b) are designed to solve such problems. There are two major differences between secret sharing signature and multi-signature schemes. Firstly, a multi-signature scheme does not restrict the number of signers needed to generate a valid signature, whereas in a secret sharing signature scheme a so-called threshold value must be predetermined to guarantee the security of the system. Secondly, a secret sharing signature represents a signature by the group as a whole, while a multi-signature represents the set of individuals who signed the message. Consequently, a secret sharing signature is suitable for the case where the members of a group are allowed to sign on behalf of the group.
But when cheaters appear among the signers, and we want to detect and trace them, we may need to combine these two kinds of signature into a new one. We call it a secret sharing based multi-signature scheme (Desmedt and Frankel, 1992b).
Journal of Zhejiang University SCIENCE
ISSN 1009-3095
http://www.zju.edu.cn/jzus
E-mail: jzus@zju.edu.cn
RELATED WORKS
Since a secret sharing based multi-signature scheme can solve problems that cannot be solved by secret sharing signature and multi-signature schemes individually, much research has focused on the topic. Desmedt and Frankel (1992b) applied a trusted key authentication center to determine the group's secret key and the secret keys of all group members. However, Li et al.(1994) pointed out that Desmedt and Frankel's scheme may suffer from conspiracy attacks, and that the secret keys can be revealed if t or more participants act in collusion. To avoid conspiracy attacks, the newly proposed schemes (Li et al., 1995) attach a random number to the secret key held by each member, so that the security of their schemes is guaranteed. Similarly, Harn (1994a) used Shamir's perfect secret sharing, which is based on the Lagrange interpolating polynomial, together with the digital signature algorithm to construct a (t, n) threshold signature scheme designed to partition the group's secret key into n different shadows. By collecting any t of the shadows, the group signature can be easily generated. Michels and Horster (1996) showed that the solutions mentioned above are all vulnerable to forgery attack by an inside attacker and cannot withstand conspiracy attacks. Desmedt and Frankel (1992a) presented another threshold signature scheme based on RSA. But similar to their previous solution (Desmedt and Frankel, 1992b), the secret keys can still be revealed by conspiracy attacks.
Most of the research above considers only threshold structures: the system tolerates the presence of fewer than t corrupted players, and the subsets of players who can sign a message are those with t or more players. To overcome this limitation, Brickell (1989) introduced the vector space construction, which is more general than the threshold structure. In order to improve the security of vector space secret sharing, Padró and Sáez (1999) proposed a solution that can efficiently find out whether some cheaters exist. However, this solution cannot reveal the cheaters' identities. Xu et al.(2002) improved Padró's scheme and presented another secure vector space secret sharing scheme.
Recently, in order to make signature schemes more practical and general, Herranz et al.(2003) extended the vector space structure to a so-called general access structure and proposed a framework allowing a general access structure of players to sign and a general family of dishonest players that the scheme can tolerate. Using general access structures, Ventzislav et al.(2001) also built some unconditionally secure proactive secret sharing schemes. But up to now, signatures based on vector space and general access structures have received little study.
Almost all of the signature schemes mentioned above are implemented in one channel. The main contribution of this paper is to design a two-channel secure vector space traceable multi-signature scheme. The security of the signature scheme in each channel is equal to that of an independent one, so malicious users can forge the signature only if the signatures in both channels can be forged. In our scheme, when a faulty signature is presented, cheaters can be detected and traced easily. In terms of performance, this scheme should not be less efficient than most of the solutions available (e.g., Li et al., 1995; Harn, 1994a; Desmedt and Frankel, 1992a). We organize the rest of the paper as follows. First, the secure vector space secret sharing scheme is reviewed and analyzed. Then we present our new scheme and analyze its security and efficiency, respectively. Finally, we draw our conclusions.
SECURE VECTOR SPACE SECRET SHARING
This section contains some background and formal definitions of vector space secret sharing schemes (Brickell, 1989; Stinson, 1995), which will be referred to in the rest of this paper.
Let $T$ be an access structure on a set of participants $P=\{p_1, p_2, \dots, p_n\}$ and $D \notin P$ a special participant called the dealer. $T$ is said to be a vector space access structure if, for some vector space $E=K^r$ over a finite field $K$, there exists a function
$\psi : P \cup \{D\} \to E$ (1)
such that $A \in T$ if and only if the vector $\psi(D)$ can be expressed as a linear combination of the vectors in the set $\psi(A)=\{\psi(p_i) \mid p_i \in A\}$. If $T$ is a vector space access structure, we can construct an ideal secret sharing scheme for $T$ with set of secrets $K$: given a secret value $k \in K$, the dealer takes a random $v \in E$ such that
$k = v \cdot \psi(D)$ (2)
and sends to the participant $p_i \in P$ his share
$s_{p_i} = v \cdot \psi(p_i) \in K$ (3)
A scheme constructed in this way is called a vector space secret sharing scheme. Let $A=\{p_1, p_2, \dots, p_l\} \in T$ be an authorized subset; then we have
$\psi(D) = \lambda_1 \psi(p_1) + \lambda_2 \psi(p_2) + \dots + \lambda_l \psi(p_l)$
for some $\lambda_i \in K$. In order to recover the secret, the players of $A$ compute
$\lambda_1 s_{p_1} + \lambda_2 s_{p_2} + \dots + \lambda_l s_{p_l} = v \cdot \big(\lambda_1 \psi(p_1) + \dots + \lambda_l \psi(p_l)\big) = v \cdot \psi(D) = k.$
Unfortunately, such a scheme is open to the Tompa-Woll attack (Tompa and Woll, 1988), in which a participant who presents a false share during recovery makes the honest participants reconstruct a wrong secret while he himself learns the true one. To ensure the security of vector space secret sharing, Padró and Sáez (1999) proposed an improved scheme. The dealer $D$ selects a vector pair $(v_1, v_2)$, $v_1 = (v_{11}, v_{12}, \dots, v_{1r}) \in E$ and $v_2 = (v_{21}, v_{22}, \dots, v_{2r}) \in E$, such that
$k_1 = v_1 \cdot \psi(D), \qquad k_2 = v_2 \cdot \psi(D) = k_1^2,$
computes
$s^1_{p_i} = v_1 \cdot \psi(p_i), \qquad s^2_{p_i} = v_2 \cdot \psi(p_i) \qquad (1 \le i \le n),$
and delivers the shadow pair $(s^1_{p_i}, s^2_{p_i})$ to each $p_i$, $i = 1, 2, \dots, n$. When it is necessary to recover $k_1$, all the members in $A$ show their shadow pairs $(s^1_{p_i}, s^2_{p_i})$ and compute
$k_1 = \lambda_1 s^1_{p_1} + \lambda_2 s^1_{p_2} + \dots + \lambda_l s^1_{p_l}, \qquad k_2 = \lambda_1 s^2_{p_1} + \lambda_2 s^2_{p_2} + \dots + \lambda_l s^2_{p_l}.$
If the equation $k_2 = k_1^2$ holds, the recovered secret $k_1$ is valid. Otherwise, some participants in $A$ may not be honest.
PROPOSED SCHEME
We assume that there is an honest dealer $D$ who determines the secret and delivers the secret shadows to all the participants. The word "honest" implies that the dealer must ensure that the secret information is not disclosed or revealed to unauthorized people, and must prevent unauthorized modification or destruction of data. It is expected that if the dealer is compromised, the security of the whole system is lost.
Let us divide our scheme into three phases: the system initialization phase, the partial signature generation and verification phase, and the group signature generation and verification phase.
System initialization phase
The honest dealer $D$ selects the following parameters: (1) a huge prime $N$, $2^{511} < N < 2^{512}$, and a generator $g$ of order $N'$ in $GF(N)$, where $N' = pq$, $N' \mid (N-1)$, and $p$ and $q$ are two large primes with $2^{160} < p, q < 2^{161}$; (2) a one-way hash function $h(\cdot)$; (3) parameters $\sigma_p, \sigma_q \in \mathbb{Z}_{N'}$ with
$\sigma_p \equiv 1 \pmod p,\ \sigma_p \equiv 0 \pmod q; \qquad \sigma_q \equiv 0 \pmod p,\ \sigma_q \equiv 1 \pmod q$ (4)
These are the idempotents of the Chinese remainder theorem: a value $x$ with $x \equiv a \pmod p$ and $x \equiv b \pmod q$ is $x = a\sigma_p + b\sigma_q \bmod N'$, so the $p$ channel and the $q$ channel can be combined into one element of $\mathbb{Z}_{N'}$.
Additionally, suppose $A = \{p_1, p_2, \dots, p_l\}$ is the subset authorized to sign a message. We refer to the other parameters introduced above, among which the $\lambda_i \in K$ can be computed by any participant. $D$ computes the group public key
$Y = g^{k_1} \bmod N,$
delivers the shadow pair $(s^1_{p_i}, s^2_{p_i})$ to each $p_i$, $i = 1, 2, \dots, n$, publishes $N, N', \sigma_p, \sigma_q, g, h, Y, \psi$, and keeps $k_1, v_1, v_2$ secret.
Distribution of secret shadows and verification phase
Each participant $p_i$ in $A$ generates a partial signature for message $m$ as follows. $p_i$ picks two random numbers $b_{ip} \in [1, p-1]$, $b_{iq} \in [1, q-1]$ and computes his public key pair $(y_{i1}, y_{i2})$ as
$y_{i1} = g^{s^1_{p_i}} \bmod N, \qquad y_{i2} = g^{s^2_{p_i}} \bmod N,$
$b_i$ as
$b_i = b_{ip}\sigma_p + b_{iq}\sigma_q \bmod N'$ (5)
and $r_i$ as
$r_i = g^{b_i} \bmod N$ (6)
It is worth noting here that the public keys of each participant are also regarded as his identity information. Each $p_i$ makes $r_i$ publicly available through a broadcast channel. Once all $r_i$ are available, each $p_i$ can compute
$R = \prod_{p_i \in A} r_i \bmod N$ (7)
$HASH = h(m, R, A)$ (8)
Then $p_i$ uses his secret shadows and the random numbers $b_{ip}, b_{iq}$ to compute $s_i$ in the two channels:
$s_i \equiv \lambda_i s^1_{p_i} + b_{ip}\,HASH \pmod p, \qquad s_i \equiv \lambda_i s^2_{p_i} + b_{iq}\,HASH \pmod q$ (9)
$p_i$ sends the partial signature $\{m, r_i, s_i\}$ to a designated clerk responsible for collecting the partial signatures and producing the group signature. Since no secret information is kept, the clerk can be anyone in the system. The clerk checks whether the equation
$g^{s_i} = \big(y_{i1}^{\sigma_p}\, y_{i2}^{\sigma_q}\big)^{\lambda_i}\, r_i^{HASH} \bmod N$
holds. If so, the partial signature from $p_i$ is valid. The correctness of this equation can be seen as follows. Since
$s_i \equiv \lambda_i s^1_{p_i} + b_{ip}\,HASH \pmod p, \qquad s_i \equiv \lambda_i s^2_{p_i} + b_{iq}\,HASH \pmod q,$
we have, by the Chinese remainder theorem with $\sigma_p, \sigma_q$ of Eq.(4),
$s_i = (\lambda_i s^1_{p_i} + b_{ip}\,HASH)\sigma_p + (\lambda_i s^2_{p_i} + b_{iq}\,HASH)\sigma_q \bmod N'$ (10)
$\phantom{s_i} = \lambda_i (s^1_{p_i}\sigma_p + s^2_{p_i}\sigma_q) + (b_{ip}\sigma_p + b_{iq}\sigma_q)\,HASH \bmod N',$
and therefore, since $g$ has order $N'$ and $b_i = b_{ip}\sigma_p + b_{iq}\sigma_q \bmod N'$,
$g^{s_i} = g^{\lambda_i (s^1_{p_i}\sigma_p + s^2_{p_i}\sigma_q)}\, g^{b_i\,HASH} = \big(y_{i1}^{\sigma_p}\, y_{i2}^{\sigma_q}\big)^{\lambda_i}\, r_i^{HASH} \bmod N.$
To achieve traceability, our newly proposed signature scheme must not be forgeable, which is confirmed in the security analysis later in this paper. Furthermore, incorrect partial signatures must be detected and identified if the signature is suspected of forgery.
Theorem 1 If the congruence relation
$g^{s_i} \equiv \big(y_{i1}^{\sigma_p}\, y_{i2}^{\sigma_q}\big)^{\lambda_i}\, r_i^{HASH} \pmod N$
does not hold, then the false partial signature is detected.
Proof This is due to the fact that $(y_{i1}, y_{i2})$ is regarded as $p_i$'s public identity. If the participant does not present a bogus secret shadow or tamper with his secret shadow, the congruence must hold, and forging an $s_i$ that satisfies it for the published $(y_{i1}, y_{i2})$ and $r_i$ amounts to solving the discrete logarithm problem.
Group signature generation and verification phase
When all partial signatures from participants in $A = \{p_1, p_2, \dots, p_l\}$ are valid, the clerk computes the group signature
$S = \sum_{p_i \in A} s_i \bmod N'.$
Thus $\{m, A, R, S\}$ is the group signature for the message $m$. Any verifier can compute
$Z = Y^{\sigma_p} \prod_{p_i \in A} y_{i2}^{\lambda_i \sigma_q} \bmod N$ (11)
and then use the group public key $Y = g^{k_1} \bmod N$ to authenticate the validity of $\{m, A, R, S\}$ by checking whether the equation
$g^{S} = Z\, R^{HASH} \bmod N$ (12)
holds. If so, the group signature $\{m, A, R, S\}$ is valid. The correctness of this equation can be seen as follows. Since $S = \sum_{p_i \in A} s_i \bmod N'$, we have $S \equiv \sum_{p_i \in A} s_i \pmod p$ and $S \equiv \sum_{p_i \in A} s_i \pmod q$. According to Eq.(9),
$S \equiv \sum_{p_i \in A} (\lambda_i s^1_{p_i} + b_{ip}\,HASH) = \sum_{p_i \in A} \lambda_i s^1_{p_i} + HASH \sum_{p_i \in A} b_{ip} \pmod p,$
$S \equiv \sum_{p_i \in A} (\lambda_i s^2_{p_i} + b_{iq}\,HASH) = \sum_{p_i \in A} \lambda_i s^2_{p_i} + HASH \sum_{p_i \in A} b_{iq} \pmod q.$
With the help of $\sigma_p, \sigma_q$, we also have
$S = \Big(\sum_{p_i \in A} \lambda_i s^1_{p_i} + HASH \sum_{p_i \in A} b_{ip}\Big)\sigma_p + \Big(\sum_{p_i \in A} \lambda_i s^2_{p_i} + HASH \sum_{p_i \in A} b_{iq}\Big)\sigma_q \bmod N'$
$\phantom{S} = k_1 \sigma_p + \sigma_q \sum_{p_i \in A} \lambda_i s^2_{p_i} + HASH \sum_{p_i \in A} (b_{ip}\sigma_p + b_{iq}\sigma_q) \bmod N',$
because $\sum_{p_i \in A} \lambda_i s^1_{p_i} = v_1 \cdot \psi(D) = k_1$ for the authorized subset $A$. Obviously,
$g^{S} = g^{k_1 \sigma_p}\, g^{\sigma_q \sum_{p_i \in A} \lambda_i s^2_{p_i}}\, g^{HASH \sum_{p_i \in A} b_i} = Y^{\sigma_p} \prod_{p_i \in A} y_{i2}^{\lambda_i \sigma_q} \prod_{p_i \in A} r_i^{HASH} = Z\, R^{HASH} \bmod N.$
The signers are anonymous to the verifier because it is not possible to find out the identities of the signers in A from the group signature.
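As an added worked example (not code from the paper), the following Python toy implements the phases described above end to end: dealing with the Padró-Sáez pair $(v_1, v_2)$, recovery with the $k_2 = k_1^2$ cheater check that Attack 1 of Theorem 2 analyses in the security analysis, the two-channel partial signatures with the clerk's test from Theorem 1, and the group signature of Eqs.(11)-(12). Everything not in the paper is an assumption of the example: the tiny parameters $p = 11$, $q = 13$, $N' = 143$, $N = 859$; the access structure $\psi(D) = (1, 0)$, $\psi(p_i) = (1, i)$ (any two of three participants are authorized); SHA-256 reduced modulo $N'$ standing in for $h(\cdot)$ together with a fixed byte encoding of $(m, R, A)$; and seeded randomness in place of fresh $b_{ip}, b_{iq}$ so that runs are reproducible.

```python
# Toy implementation of the scheme above (added example, not the paper's code).
# Assumed tiny, insecure parameters: p = 11, q = 13, N' = pq = 143, N = 6N' + 1
# = 859 (prime), g of order N' in GF(N).  Shares, lambdas and exponents live in
# Z_{N'}, which by the CRT is GF(p) x GF(q): the paper's p channel and q channel.
import hashlib
import random

P, Q = 11, 13
NP = P * Q                          # N' = pq, the order of g
N = 6 * NP + 1                      # 859, prime, with N' | N - 1
SIGMA_P = Q * pow(Q, -1, P) % NP    # 1 mod p, 0 mod q  (Eq. 4)
SIGMA_Q = P * pow(P, -1, Q) % NP    # 0 mod p, 1 mod q

def find_generator():
    """Smallest h whose (N-1)/N' power has exact order N' = pq in GF(N)."""
    for h in range(2, N):
        g = pow(h, (N - 1) // NP, N)
        if g != 1 and pow(g, P, N) != 1 and pow(g, Q, N) != 1:
            return g
    raise ValueError("no element of order N'")

G = find_generator()

# Assumed access structure: E = K^2, psi(D) = (1, 0), psi(p_i) = (1, i), so any
# two of the three participants form an authorized subset.
PSI_D = (1, 0)
PSI = {i: (1, i) for i in (1, 2, 3)}

def lambdas(a, b):
    """lambda_a, lambda_b with lambda_a psi(a) + lambda_b psi(b) = psi(D), by Cramer mod N'."""
    (a1, a2), (b1, b2) = PSI[a], PSI[b]
    t1, t2 = PSI_D
    inv = pow((a1 * b2 - a2 * b1) % NP, -1, NP)   # det = b - a is a unit mod 143
    return (t1 * b2 - t2 * b1) * inv % NP, (a1 * t2 - a2 * t1) * inv % NP

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % NP

def deal(k1, seed=0):
    """Dealer: v1 with k1 = v1.psi(D), v2 with v2.psi(D) = k1^2 (Padro-Saez check).
    Returns Y = g^k1 mod N and the shadow pairs (s1_i, s2_i)."""
    rng = random.Random(seed)                 # assumed: seeded for reproducibility
    v1 = (k1, rng.randrange(NP))              # psi(D) = (1, 0) makes v1.psi(D) = k1
    v2 = (k1 * k1 % NP, rng.randrange(NP))
    shares = {i: (dot(v1, PSI[i]), dot(v2, PSI[i])) for i in PSI}
    return pow(G, k1, N), shares

def recover(a, b, shares):
    """Pool two shadow pairs; k1 is accepted only if k2 == k1^2 (mod N')."""
    la, lb = lambdas(a, b)
    k1 = (la * shares[a][0] + lb * shares[b][0]) % NP
    k2 = (la * shares[a][1] + lb * shares[b][1]) % NP
    return k1, k2 == k1 * k1 % NP

def public_keys(shares):
    """(y_i1, y_i2) = (g^s1_i, g^s2_i) mod N; these double as identities."""
    return {i: (pow(G, s1, N), pow(G, s2, N)) for i, (s1, s2) in shares.items()}

def hash_to_exp(m, R, A):
    """HASH = h(m, R, A), reduced mod N' because it is used as an exponent."""
    data = m.encode() + R.to_bytes(2, "big") + bytes(sorted(A))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % NP

def sign(m, A, shares, seed=1):
    """Partial signatures of authorized pair A, summed by the clerk into S.
    Returns (R, S, {i: (r_i, s_i)}, HASH)."""
    rng = random.Random(seed)
    lam = dict(zip(A, lambdas(*A)))
    b_p = {i: rng.randrange(1, P) for i in A}
    b_q = {i: rng.randrange(1, Q) for i in A}
    b_i = {i: (b_p[i] * SIGMA_P + b_q[i] * SIGMA_Q) % NP for i in A}   # Eq. 5
    r = {i: pow(G, b_i[i], N) for i in A}                               # Eq. 6
    R = 1
    for i in A:
        R = R * r[i] % N                                                # Eq. 7
    H = hash_to_exp(m, R, A)                                            # Eq. 8
    s = {}
    for i in A:                              # Eq. 9, assembled by the CRT (Eq. 10)
        s1, s2 = shares[i]
        s[i] = ((lam[i] * s1 + b_p[i] * H) * SIGMA_P
                + (lam[i] * s2 + b_q[i] * H) * SIGMA_Q) % NP
    S = sum(s.values()) % NP
    return R, S, {i: (r[i], s[i]) for i in A}, H

def check_partial(i, r_i, s_i, lam_i, H, y):
    """Clerk's test: g^s_i == (y_i1^sigma_p y_i2^sigma_q)^lambda_i r_i^HASH (Theorem 1)."""
    y1, y2 = y[i]
    rhs = pow(pow(y1, SIGMA_P, N) * pow(y2, SIGMA_Q, N), lam_i, N) * pow(r_i, H, N) % N
    return pow(G, s_i, N) == rhs

def verify_group(m, A, R, S, Y, y):
    """Z = Y^sigma_p prod y_i2^(lambda_i sigma_q) (Eq. 11); accept iff g^S == Z R^HASH (Eq. 12)."""
    lam = dict(zip(A, lambdas(*A)))
    H = hash_to_exp(m, R, A)
    Z = pow(Y, SIGMA_P, N)
    for i in A:
        Z = Z * pow(y[i][1], lam[i] * SIGMA_Q % NP, N) % N
    return pow(G, S, N) == Z * pow(R, H, N) % N
```

Calling `deal(42, seed=7)`, then `sign("pay 100 units", (1, 2), shares, seed=11)`, and finally `check_partial` for each partial and `verify_group` on `{m, A, R, S}` returns True throughout for an honest run. Adding 1 to one first shadow before `recover` makes $k_2 \ne k_1^2$ and the pool is rejected; adding 1 to some $s_i$ fails the clerk's congruence, and adding 1 to $S$ fails Eq.(12), which is the traceability the text claims. With $N' = 143$ the cheater-success probability discussed in the security analysis is of course far from negligible: the block demonstrates the arithmetic of the two channels, not the security level.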
SECURITY ANALYSIS
The security of the proposed scheme rests on well-known cryptographic assumptions: the intractability of inverting the one-way hash function (OWHF) and of solving the discrete logarithm problem (DLP). The conspiracy and forgery attacks that Michels and Horster (1996) mounted against the schemes of Desmedt and Frankel (1992b), Li et al.(1995), and Harn (1994a) cannot break our scheme.
Theorem 2 The secret is secure, and this new scheme is invulnerable to conspiracy attacks.
Proof Attackers who try to pirate the secret $k_1$ may include outside adversaries and inside participants in $A$.
Attack 1 Some participants in $A$ may cooperate to reveal $k_1$. Only when all the participants in the authorized subset $A$ cooperate with each other can they recover $k_1$ through the equation
$k_1 = \lambda_1 s^1_{p_1} + \lambda_2 s^1_{p_2} + \dots + \lambda_l s^1_{p_l}.$
Any other subset $A' = \{p_1, p_2, \dots, p_{l'}\} \notin T$ whose members try to pirate $k_1$ must resolve $k_1 = v_1 \cdot \psi(D)$ from
$s^1_{p_1} = v_1 \cdot \psi(p_1),\ s^2_{p_1} = v_2 \cdot \psi(p_1);\ \dots;\ s^1_{p_{l'}} = v_1 \cdot \psi(p_{l'}),\ s^2_{p_{l'}} = v_2 \cdot \psi(p_{l'});\ k_1 = v_1 \cdot \psi(D),\ k_2 = v_2 \cdot \psi(D) = (v_1 \cdot \psi(D))^2,$
where $\psi(D) \notin \langle \psi(p_1), \dots, \psi(p_{l'}) \rangle$. Since $v_1, v_2$ are kept secret from them in our scheme, no member of $A'$ gets any useful information about $k_1$.
Similarly, when $A' = \{p_1, p_2, \dots, p_{l-1}\} \subset A$ is a set of cheaters who do not know $k_1$, each $p_i$ in $A'$ may show a faulty shadow pair
$(s'^1_{p_i}, s'^2_{p_i}) = (s^1_{p_i} + \varepsilon_i,\ s^2_{p_i} + \delta_i) \qquad (i = 1, 2, \dots, l-1),$
where $\varepsilon_i, \delta_i \in K$, $\varepsilon_i \ne 0$, if he wishes to resolve $k_1'$ through the following equations:
$k_1' = \sum_{i=1}^{l} \lambda_i s'^1_{p_i} = k_1 + \sum_{i=1}^{l-1} \lambda_i \varepsilon_i = k_1 + \varepsilon,$
$k_2' = \sum_{i=1}^{l} \lambda_i s'^2_{p_i} = k_2 + \sum_{i=1}^{l-1} \lambda_i \delta_i = k_2 + \delta.$
Evidently, these cheaters escape detection only if $k_2 + \delta = (k_1 + \varepsilon)^2$, that is, $\delta = 2k_1\varepsilon + \varepsilon^2$; choosing such a $\delta$ requires $k_1$, which the cheaters do not have. As a result, the probability that the cheaters succeed with a faulty $(\varepsilon, \delta)$ is only $1/q^2$.
Attack 2 An outside adversary tries to reveal $k_1$. He has to resolve $k_1$ from the public key $Y = g^{k_1} \bmod N$. Obviously, that equals solving the DLP.
Theorem 3 The secret keys of each participant are secure.
Proof As we know, in the distribution of secret shadows and verification phase, only each $p_i$'s public keys $y_{i1} = g^{s^1_{p_i}} \bmod N$ and $y_{i2} = g^{s^2_{p_i}} \bmod N$ are made public. Attackers cannot pirate the shadows $s^1_{p_i}, s^2_{p_i}$ through other ways. It implies that revealing $s^1_{p_i}, s^2_{p_i}$ from the public keys equals solving the DLP.
Theorem 4 Forgery attackers will not succeed.
Proof Firstly, we implement two types of signature in two channels (one type in each channel). Malicious users can forge the signature only if the signatures in both the $p$ channel and the $q$ channel can be forged. Instead of attaching a random number to the secret key held by each member (Li et al., 1995), this new scheme withstands conspiracy attacks by this two-channel construction. The attack described in Michels and Horster (1996) may succeed in forging the $p$ channel signatures. However, the $q$ channel signature avoids this attack since we apply a hash function to the signed message $m$ and $R$. This countermeasure avoids the attack mentioned by Michels and Horster (1996). In fact, we directly adopt the signature scheme proposed in Michels and Horster (1996) (refer to its heuristic countermeasures) as our $q$ channel signature; thus our scheme can withstand the attack presented there.
Furthermore, we can check the security of our scheme by resolving the questions raised by Li et al.(1995). We omit the detailed analysis here because it is very similar to the latter; the reader may refer to that solution for more detailed information.
Let us consider the case where two members $p_i$ and $p_j$ conspire with each other to change the group signature $\{m, A, R, S\}$ into $\{m, A', R', S'\}$, where $p_i \in A$, $p_j \notin A$, $A' = A - p_i + p_j$, $R' = R$ and $S' = S - s^2_{p_i}\sigma_q + s^2_{p_j}\sigma_q$. In this case, the clerk will reject the legality of $A'$ without verifying each participant's partial signature. The reason is that $HASH = h(m, R, A)$