ID-Based Robust Threshold Signature Scheme from Bilinear Pairings*
Rongxing Lu, Zhenfu Cao † and Yuan Zhou
Department of Computer Science and Engineering,
Shanghai Jiao Tong University,
No. 1954, Huashan Road, Shanghai, PRC 200030
{rxlu, cao-zf, yzhou}@
Abstract
In recent years, bilinear pairings, namely the Weil pairing on algebraic curves, have opened new fields in cryptography, and many excellent ID-based signature schemes from pairings have been proposed. However, ID-based threshold signature schemes are still far rarer than basic ID-based signature schemes. To fill this void, this paper presents a new ID-based robust $(k,n)$ threshold signature scheme from bilinear pairings. Any $k$ or more members can cooperate to generate a valid ID-based signature, while $k-1$ or fewer cannot. In addition, the scheme enjoys robustness.

Keywords: Threshold Signature; ID-based Threshold Signature; Bilinear Pairings.
1 Introduction
In 1991, Desmedt and Frankel [1] first proposed the concept of threshold signature by combining digital signatures with Shamir's secret sharing scheme [2]. In a $(k,n)$ threshold signature scheme, a group secret key is shared among $n$ members; any $k$ or more of the $n$ members can cooperate to issue a valid signature, while any $k-1$ or fewer cannot forge one. Although a threshold signature scheme inherits the advantages of secret sharing, there is still an apparent difference between them: in a secret sharing scheme the group secret key can be used only once, because reconstructing it reveals it, whereas in a threshold signature scheme it can be used repeatedly. Since threshold signature schemes enjoy many merits, such as decentralizing the signing authority and preserving signer anonymity, many excellent threshold signature schemes have been proposed over the past years [3, 4, 5].

* This work was supported in part by the National Research Fund for the Doctoral Program of Higher Education of China under Grant No. 20020248024.
† Correspondence to: Zhenfu Cao, E-mail: cao-zf@
In order to bypass the trust problems of traditional Public Key Infrastructure (PKI), Shamir [6] introduced the concept of ID-based systems in 1984. In an ID-based system, the public key of a user is his unique identity information, such as a name or an e-mail address, while the corresponding private key is extracted by a trusted private key generation center (PKGC). Since ID-based systems significantly simplify key management and avoid the need for certificates linking users to their public keys, ID-based schemes have attracted great attention [7, 8, 9]. In particular, after Boneh and Franklin [10] put forward their ID-based encryption scheme from bilinear pairings in 2001, many ID-based signature schemes using pairings emerged one after another [11, 12]. Cha and Cheon [11] presented an ID-based signature scheme using gap Diffie-Hellman groups. Paterson [12] presented an efficient ID-based signature scheme from bilinear pairings over elliptic curves. However, since the ID-based secret key is an elliptic-curve point and is hard to distribute with Shamir's secret sharing scheme [2], ID-based threshold signature schemes are still far rarer than basic ID-based signature schemes.
Motivated by the problem mentioned above, in this paper we present a new ID-based robust $(k,n)$ threshold signature scheme from bilinear pairings. We do not share the group secret key, an elliptic-curve point, directly; instead we distribute its shadow, an element of $\mathbb{Z}_q^*$, among the $n$ group members. In this way, any $k$ or more members of the group can cooperate to generate a valid ID-based signature, while fewer than $k$ members cannot. In addition, our scheme enjoys robustness: even if $k$ or more members conspire, the group secret key and the system master-key remain secure.
The rest of this paper is organized as follows. In Section 2 we recall the basic concepts of bilinear pairings. In Section 3 we present our ID-based robust threshold signature scheme from pairings. The security of the scheme is discussed in Section 4. Finally, concluding remarks are made in Section 5.
2 Basic Concepts on Bilinear Pairings
Let $G_1$ be a cyclic additive group and $G_2$ a cyclic multiplicative group of the same prime order $q$. We assume that the discrete logarithm problem is hard in both $G_1$ and $G_2$. A bilinear pairing is a map $e: G_1 \times G_1 \to G_2$ which satisfies the following properties:

Bilinear: for any $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$, we have $e(aP, bQ) = e(P, Q)^{ab}$.

Non-degenerate: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

Computable: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

From the literature [10], such a bilinear pairing may be realized by the modified Weil pairing on a supersingular elliptic curve. For instance, let $p$ be a prime such that $p \equiv 2 \pmod 3$ and $p = 6q - 1$ for some prime $q > 3$. Let $E$ be the supersingular curve defined by $y^2 = x^3 + 1$ over $\mathbb{F}_p$. The group of rational points $E(\mathbb{F}_p) = \{(x, y) \in \mathbb{F}_p \times \mathbb{F}_p : (x, y) \in E\}$ forms a cyclic group of order $p + 1$. Because $p + 1 = 6q$, the points of order $q$ in $E(\mathbb{F}_p)$ form a cyclic subgroup, denoted $G_1$. Let $P$ be a generator of $G_1$, and let $G_2$ be the subgroup of $\mathbb{F}_{p^2}^*$ containing all elements of order $q$. Then the modified Weil pairing $e$ is a computable bilinear map between $G_1$ and $G_2$.

Now we describe some related mathematical problems, namely the Computational Diffie-Hellman (CDH) Problem, the Decisional Diffie-Hellman (DDH) Problem and the Bilinear Diffie-Hellman (BDH) Problem.
CDH Problem: For $a, b \in \mathbb{Z}_q^*$, given a tuple $\langle P, aP, bP \rangle \in G_1$, compute $abP \in G_1$. An algorithm $\mathcal{A}$ is said to solve the CDH problem with advantage $\varepsilon$ if
$$\mathrm{Adv}^{CDH}_{\mathcal{A}} = \Pr[\mathcal{A}(P, aP, bP) = abP] \ge \varepsilon,$$
where the probability is taken over the random values $a$ and $b$.

DDH Problem: For $a, b, c \in \mathbb{Z}_q^*$, given a tuple $\langle P, aP, bP, cP \rangle \in G_1$, decide whether $c = ab \bmod q$ or not. By bilinearity, $e(aP, bP) = e(P, P)^{ab}$ and $e(P, cP) = e(P, P)^{c}$, so $c = ab \bmod q$ exactly when $e(aP, bP) = e(P, cP)$; the DDH problem in $G_1$ is therefore easy.

BDH Problem: For $a, b, c \in \mathbb{Z}_q^*$, given a tuple $\langle P, aP, bP, cP \rangle \in G_1$, compute $e(P, P)^{abc} \in G_2$. An algorithm $\mathcal{A}$ is said to solve the BDH problem with advantage $\varepsilon$ if
$$\mathrm{Adv}^{BDH}_{\mathcal{A}} = \Pr[\mathcal{A}(P, aP, bP, cP) = e(P, P)^{abc}] \ge \varepsilon,$$
where the probability is taken over the random values $a$, $b$ and $c$.

Throughout this paper we assume that both the CDH problem and the BDH problem are hard, i.e. there is no polynomial-time algorithm that solves the CDH or BDH problem with non-negligible probability.
3 Our Proposed Scheme
We now give a full description of our ID-based robust $(k,n)$ threshold signature scheme. The scheme can be seen as a threshold version of Paterson's ID-based signature [12] and is composed of four algorithms: Setup, Extract, Signing and Verification. We describe each of them in turn.
Setup
Let $G_1$ be a cyclic additive group and $G_2$ a cyclic multiplicative group of the same prime order $q$. Let $P$ be a generator of $G_1$, and let $e: G_1 \times G_1 \to G_2$ be a bilinear pairing. Define two secure hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \times G_1 \to \mathbb{Z}_q^*$. The PKGC first chooses a random number $s \in \mathbb{Z}_q^*$ and sets $P_{pub} = sP$, keeps $s$ secret as the master-key, and publishes the system parameters $params = \{G_1, G_2, q, e, P, P_{pub}, H_1, H_2\}$.
Extract
Assume that there are $n$ members $B_i$ ($i = 1, \dots, n$) in a group $B$. To implement an ID-based threshold signature, the PKGC distributes shadows of $B$'s secret key to the members. When $B$ submits its identity information $ID_B \in \{0,1\}^*$ to the PKGC, the PKGC computes $B$'s public key $Q_{ID_B} = H_1(ID_B)$ and then carries out the following steps.

First, the PKGC picks a random number $r \in \mathbb{Z}_q^*$ and computes $sr \in \mathbb{Z}_q^*$ and $r^{-1}P \in G_1$, where $r^{-1}$ is the inverse of $r$ in $\mathbb{Z}_q^*$. Then it randomly chooses a secret polynomial $F(x)$ over $\mathbb{Z}_q^*$ of degree $k-1$ such that $F(0) = sr$, namely
$$F(x) = a_{k-1}x^{k-1} + a_{k-2}x^{k-2} + \cdots + a_1 x + sr,$$
where the coefficients $a_i$ ($i = 1, \dots, k-1$) are randomly chosen from $\mathbb{Z}_q^*$. Next, it computes $X_i = F(i)$ ($i = 1, \dots, n$) and sends $X_i$ to the corresponding member $B_i$ over a secure channel.

Finally, it computes and broadcasts $Y_i = F(i)Q_{ID_B}$ ($i = 1, \dots, n$) in group $B$. In this way each member $B_i$ ($i = 1, \dots, n$) can verify its individual secret key by checking $X_i Q_{ID_B} = Y_i$. In addition, the parameter $r^{-1}P$ is published in group $B$.
Signing
To sign a message $M \in \{0,1\}^*$, a clerk in group $B$ is first appointed to process the signature. The clerk hashes $M$ with $H_1$ to obtain $H_1(M) \in G_1$, picks a random number $t \in \mathbb{Z}_q^*$, and computes $t^{-1}$, the inverse of $t$ in $\mathbb{Z}_q^*$. The clerk then computes $V = tr^{-1}P \in G_1$ and $H_2(M, V) = H_2(M, tr^{-1}P) \in \mathbb{Z}_q^*$, and sends $H_1(M)$ and $H_2(M, V)Q_{ID_B}$ to each member of group $B$.

On receiving $H_1(M)$ and $H_2(M, V)Q_{ID_B}$, each member $B_i$ ($i = 1, \dots, n$) uses its individual secret key $X_i = F(i)$ to make the sub-signature
$$\delta_i = F(i)\bigl(H_1(M) + H_2(M, V)Q_{ID_B}\bigr),$$
and returns $\delta_i$ to the clerk.
Because the DDH problem is easy here, the clerk can verify each sub-signature with the equality
$$e(\delta_i, Q_{ID_B}) = e\bigl(Y_i,\; H_1(M) + H_2(M, V)Q_{ID_B}\bigr).$$
If the equality holds, the sub-signature is accepted; otherwise it is rejected, so a corrupted or maliciously formed $\delta_i$ is detected before it is combined. The check is sound since
$$e(\delta_i, Q_{ID_B}) = e\bigl(F(i)(H_1(M) + H_2(M, V)Q_{ID_B}),\; Q_{ID_B}\bigr) = e\bigl(F(i)Q_{ID_B},\; H_1(M) + H_2(M, V)Q_{ID_B}\bigr) = e\bigl(Y_i,\; H_1(M) + H_2(M, V)Q_{ID_B}\bigr).$$

Once the clerk has received and verified $k$ valid sub-signatures, he can compute the whole signature. Without loss of generality, assume these sub-signatures are $\delta_1, \delta_2, \dots, \delta_k$. Then
$$\delta = \sum_{i=1}^{k} \lambda_i \delta_i = \sum_{i=1}^{k} \lambda_i F(i)\bigl(H_1(M) + H_2(M, V)Q_{ID_B}\bigr) = F(0)\bigl(H_1(M) + H_2(M, V)Q_{ID_B}\bigr) = sr\bigl(H_1(M) + H_2(M, V)Q_{ID_B}\bigr),$$
where the Lagrange coefficients are
$$\lambda_i = \prod_{j=1,\, j \ne i}^{k} \frac{0 - j}{i - j} \bmod q.$$

The clerk finally computes
$$S = t^{-1}\delta = t^{-1}sr\bigl(H_1(M) + H_2(M, V)Q_{ID_B}\bigr).$$
The signature on message $M$ is $(V, S)$.
Verification

To verify the signature $(V, S)$ on message $M$, anyone can use group $B$'s public key $Q_{ID_B} = H_1(ID_B)$ to check the equality
$$e(V, S) = e(P_{pub}, H_1(M)) \cdot e(P_{pub}, Q_{ID_B})^{H_2(M, V)}.$$
If the equality holds, the signature is accepted; otherwise it is rejected. The verification is correct since
$$e(V, S) = e\bigl(tr^{-1}P,\; t^{-1}sr(H_1(M) + H_2(M, V)Q_{ID_B})\bigr) = e\bigl(r^{-1}P,\; sr(H_1(M) + H_2(M, V)Q_{ID_B})\bigr) = e\bigl(P,\; s(H_1(M) + H_2(M, V)Q_{ID_B})\bigr)$$
$$= e(P, sH_1(M)) \cdot e(P, sH_2(M, V)Q_{ID_B}) = e(P_{pub}, H_1(M)) \cdot e(P_{pub}, H_2(M, V)Q_{ID_B}) = e(P_{pub}, H_1(M)) \cdot e(P_{pub}, Q_{ID_B})^{H_2(M, V)}.$$
4 Security Analysis
In this section we examine the security of the proposed ID-based threshold signature scheme by establishing the following statements, focusing on unforgeability and robustness.
Statement 1 The proposed scheme is unforgeable under the assumptions of a one-way hash function and the discrete logarithm problem.

Proof Looking at the whole signature $(V, S)$ produced by group $B$, where $V = tr^{-1}P$ and $S = t^{-1}sr\bigl(H_1(M) + H_2(M, V)Q_{ID_B}\bigr)$, we find it almost identical to Paterson's ID-based signature scheme [12]. The main difference is that the hash value $H_1(M)$ of the message lies in $G_1$, which is required here to resist the forgery attack. Suppose an outside adversary tries to forge a valid signature on an arbitrarily chosen message so as to pass verification. He can easily compute $H_1(M') + H_2(M', V)Q_{ID_B}$ for a new message $M'$. However, under the discrete logarithm assumption it is infeasible for him to determine $sr$, even though he has obtained several signatures from group $B$ on messages of his own choice. Therefore the proposed scheme resists an outside adversary's forgery attack. (The argument is informal; no reduction to the CDH or BDH problem is given.) □
Statement 2 The proposed scheme is a valid $(k,n)$ threshold digital signature scheme.

Proof In our threshold signature scheme we have applied Shamir's $(k,n)$ secret sharing technique [2] to distribute the shadows of $B$'s secret among the $n$ members, and used the property of bilinear pairings to verify each sub-signature. Therefore, if all members of $B$ follow the signing protocol, $k$ or more members can produce a valid digital signature, while $k-1$ or fewer cannot, since fewer than $k$ points of the degree-$(k-1)$ polynomial $F$ do not determine $F(0) = sr$. Hence the proposed scheme is a valid $(k,n)$ threshold digital signature scheme. □
Statement 3 The proposed scheme is a robust threshold digital signature scheme.

Proof The proposed scheme enjoys robustness: even if all $n$ members collude and deviate from the signing protocol, they still cannot find the group secret key $sQ_{ID_B}$ or the PKGC's master-key $s$. Trivially, disclosing any other member's individual secret key requires the conspiracy of $k$ or more members. Without loss of generality, assume they are $B_1, B_2, \dots, B_k$. Then the individual secret key of any member $B_l$ ($k+1 \le l \le n$) is
$$X_l = F(l) = \sum_{i=1}^{k} \lambda_i F(i), \qquad \lambda_i = \prod_{j=1,\, j \ne i}^{k} \frac{l - j}{i - j} \bmod q.$$
Moreover, $sr$ can also be derived by the equality
$$sr = F(0) = \sum_{i=1}^{k} \lambda_i F(i), \qquad \lambda_i = \prod_{j=1,\, j \ne i}^{k} \frac{0 - j}{i - j} \bmod q.$$
However, computing the group secret key $sQ_{ID_B}$ from $sr$, $r^{-1}P$ and $Q_{ID_B}$ remains difficult under the CDH assumption: from $sr$ and $r^{-1}P$ the colluders obtain only $sr \cdot r^{-1}P = sP = P_{pub}$, which is public anyway, so recovering $sQ_{ID_B}$ amounts to solving the CDH problem on $\langle P, P_{pub}, Q_{ID_B} \rangle$. Therefore the secret key $sQ_{ID_B}$ is kept secret even under collusion. We believe this robustness is rather useful in practice, especially when $sQ_{ID_B}$ has other purposes in the whole system.

On the other hand, it is also difficult to obtain the system master-key $s$ from $sr$, $r^{-1}P$ and $P_{pub}$, since $r$ is chosen uniformly at random in $\mathbb{Z}_q^*$: $sr$ alone reveals nothing about $s$, and $r$ is available only through $r^{-1}P$, i.e. through a discrete logarithm in $G_1$. Therefore our threshold signature scheme also ensures the security of the PKGC. □
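The following Python program is an added example, not the authors' code. It runs the Extract, Signing and Verification algorithms of Section 3 (including the clerk's sub-signature check and the Lagrange combination) and the share-recovery computation of Statement 3 in a toy algebraic model: $G_1$ is represented by scalars (the point $xP$ is stored as $x \bmod q$, so $P = 1$), a $G_2$ element is stored by its discrete logarithm to the base $e(P,P)$ (so $e(aP, bP)$ becomes $ab \bmod q$, and products and exponentiations in $G_2$ become additions and multiplications of logarithms). Bilinearity holds exactly, so every equation of the paper can be checked, but the model has no security whatsoever, since discrete logarithms in this $G_1$ are trivial. The order $q = 2^{61}-1$, SHA-256 as $H_1$/$H_2$, and all function names are assumptions of this example.

```python
"""Toy model of the (k, n) ID-based robust threshold signature of Section 3.

Added example, not the authors' code.  G1 is modelled as Z_q (the point xP is
stored as the scalar x, so P = 1).  A G2 element is stored by its discrete log
to the base e(P, P), so e(aP, bP) = ab mod q, and the G2 product/exponentiation
become addition/multiplication of logs.  Bilinearity is exact but the model
has NO security.  q = 2^61 - 1 and SHA-256 as H1/H2 are assumptions of the toy.
"""
import hashlib
import secrets

Q = (1 << 61) - 1          # prime order of G1 and G2 (Mersenne prime M61)
P = 1                      # generator of G1 in the scalar model


def g1_add(a, b): return (a + b) % Q
def g1_mul(x, a): return (x * a) % Q          # scalar x times point a
def pairing(a, b): return (a * b) % Q         # log of e(aP, bP) = e(P, P)^(ab)
def g2_mul(u, v): return (u + v) % Q          # product in G2 (logs add)
def g2_pow(u, x): return (u * x) % Q          # exponentiation in G2
def inv(x): return pow(x, -1, Q)              # inverse in Z_q^*
def rand_zq(): return 1 + secrets.randbelow(Q - 1)


def H1(msg: bytes) -> int:
    """H1: {0,1}* -> G1 minus the identity, as a nonzero scalar (toy)."""
    return 1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (Q - 1)


def H2(msg: bytes, V: int) -> int:
    """H2: {0,1}* x G1 -> Z_q^* (toy)."""
    h = hashlib.sha256(msg + V.to_bytes(8, "big")).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)


def lagrange(indices, i, x):
    """lambda_i such that F(x) = sum_i lambda_i F(i) over the points `indices`."""
    num = den = 1
    for j in indices:
        if j != i:
            num = num * (x - j) % Q
            den = den * (i - j) % Q
    return num * inv(den) % Q


def setup(s=None):
    """PKGC: master-key s and P_pub = sP."""
    s = s or rand_zq()
    return s, g1_mul(s, P)


def extract(s, id_bytes, k, n, r=None):
    """PKGC shares sr = F(0) with a degree k-1 polynomial; publishes Y_i and r^{-1}P."""
    Q_id = H1(id_bytes)
    r = r or rand_zq()
    coeffs = [s * r % Q] + [rand_zq() for _ in range(k - 1)]   # a_0 = sr, a_j != 0

    def F(x):
        return sum(c * pow(x, d, Q) for d, c in enumerate(coeffs)) % Q

    X = {i: F(i) for i in range(1, n + 1)}                # secret share X_i of B_i
    Y = {i: g1_mul(X[i], Q_id) for i in range(1, n + 1)}  # public Y_i = F(i) Q_ID
    assert all(g1_mul(X[i], Q_id) == Y[i] for i in X)     # each member's own check
    return Q_id, X, Y, g1_mul(inv(r), P)


def sub_sign(X_i, h1, h2Q):
    """Member i: delta_i = F(i) (H1(M) + H2(M, V) Q_ID)."""
    return g1_mul(X_i, g1_add(h1, h2Q))


def verify_sub(delta_i, Y_i, Q_id, h1, h2Q):
    """Clerk: e(delta_i, Q_ID) == e(Y_i, H1(M) + H2(M, V) Q_ID)."""
    return pairing(delta_i, Q_id) == pairing(Y_i, g1_add(h1, h2Q))


def sign(msg, Q_id, shares, Y, r_inv_P, t=None):
    """Clerk protocol; `shares` holds the X_i of the participating members only.

    The threshold is deliberately not enforced: with fewer than k shares the
    Lagrange sum is not F(0) = sr, and the result fails verify()."""
    t = t or rand_zq()
    V = g1_mul(t, r_inv_P)                       # V = t r^{-1} P
    h1, h2Q = H1(msg), g1_mul(H2(msg, V), Q_id)
    idx = sorted(shares)
    delta = 0
    for i in idx:
        d_i = sub_sign(shares[i], h1, h2Q)
        if not verify_sub(d_i, Y[i], Q_id, h1, h2Q):
            raise ValueError(f"invalid sub-signature from member {i}")
        delta = g1_add(delta, g1_mul(lagrange(idx, i, 0), d_i))
    return V, g1_mul(inv(t), delta)              # S = t^{-1} delta


def verify(msg, V, S, P_pub, Q_id):
    """e(V, S) == e(P_pub, H1(M)) * e(P_pub, Q_ID)^H2(M, V)."""
    rhs = g2_mul(pairing(P_pub, H1(msg)), g2_pow(pairing(P_pub, Q_id), H2(msg, V)))
    return pairing(V, S) == rhs


def collude(shares, target):
    """Statement 3: k colluders interpolate F(target); target 0 yields sr."""
    idx = sorted(shares)
    return sum(lagrange(idx, i, target) * shares[i] for i in idx) % Q
```

With `k, n = 3, 5`, any three shares passed to `sign` produce a pair `(V, S)` that `verify` accepts, two shares produce one it rejects, a tampered `delta_i` is caught by `verify_sub` before combination, and `collude` with three shares returns both `sr` and any other member's `X_l`, exactly the computations of Statement 3. Note that in a real deployment `sign` must enforce the threshold and `extract` must deliver each `X_i` over an authenticated, confidential channel; the model omits both because they are not part of the algebra being checked.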
From what has been analyzed above, we may conclude that our proposed ID-based threshold signature scheme is secure and works correctly.

5 Conclusions
ID-based signature schemes have been widely studied recently. However, designing an ID-based threshold signature scheme is still not easy because the secret key to be shared lies in $G_1$. In this paper, to solve the problem of sharing a secret in $G_1$, we have proposed a new ID-based robust $(k,n)$ threshold signature scheme from bilinear pairings. By our analysis, the proposed scheme is not only secure but also robust: even if $k$ or more members conspire, the group's secret key $sQ_{ID_B}$ and the system master-key $s$ remain secure. Therefore it is suitable for practical applications. As future work, we shall consider the trust problems involving the PKGC.
References

[1] Y. Desmedt and Y. Frankel, Shared generation of authenticators and signatures, in: Advances in Cryptology - Crypto 91, LNCS 576, pp. 457-469, Springer-Verlag, 1991.
[2] A. Shamir, How to share a secret, Communications of the ACM, Vol. 22, No. 11, pp. 612-613, 1979.
[3] L. Harn, Group-oriented (t, n) threshold digital signature scheme and digital multisignature, IEE Proc. - Comput. Digit. Tech., 141(5), pp. 307-313, 1994.
[4] C. Park and K. Kurosawa, New ElGamal type threshold digital signature scheme, IEICE Trans. Fundamentals, E79-A(1), pp. 86-93, 1996.
[5] C. Wang, C. Lin and C. Chang, Threshold signature schemes with traceable signers in group communications, Computer Communications 21(8), pp. 771-776, 1998.
[6] A. Shamir, Identity-based cryptosystems and signature schemes, in: Advances in Cryptology - Crypto 84, LNCS 196, pp. 47-53, Springer-Verlag, 1984.
[7] H. Tanaka, A realization scheme for the identity-based cryptosystem, in: Advances in Cryptology - Crypto 87, LNCS 293, pp. 341-349, Springer-Verlag, 1987.
[8] S. Tsujii and T. Itoh, An ID-based cryptosystem based on the discrete logarithm problem, IEEE Journal on Selected Areas in Communications, Vol. 7, No. 4, pp. 467-473, 1989.
[9] C. Cocks, An identity based encryption scheme based on quadratic residues, in: Cryptography and Coding, LNCS 2260, pp. 360-363, Springer-Verlag, 2001.
[10] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, in: Advances in Cryptology - Crypto 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.
[11] J.C. Cha and J.H. Cheon, An identity-based signature from gap Diffie-Hellman groups, Cryptology ePrint Archive, Report 2002/018, /.
[12] K.G. Paterson, ID-based signatures from pairings on elliptic curves, Cryptology ePrint Archive, Report 2002/004, /.
About Authors
Rongxing Lu received his B.S. and M.S. degrees in computer science from Tongji University in 2000 and 2003, respectively. He is currently a doctoral candidate in the Department of Computer Science and Engineering, Shanghai Jiao Tong University. His research interests lie in cryptography and network security.
Zhenfu Cao is a professor and doctoral supervisor of Computer Software and Theory in the Department of Computer Science and Engineering, Shanghai Jiao Tong University. His main research areas are number theory, modern cryptography, and the theory and technology of information security. He is the recipient of the Ying-Tung Fok Young Teacher Award (1989), the First Ten Outstanding Youth in Harbin award (1996), the Best Ph.D. Thesis Award of Harbin Institute of Technology (2001) and the National Outstanding Youth Fund (2002).
Yuan Zhou received a B.S. degree in control science and engineering from Shanghai University of Electric Power, China, in 1996 and a master's degree in control science and engineering from Harbin Institute of Technology, China, in 2001. He is now a doctoral candidate in the Department of Computer Science and Engineering, Shanghai Jiao Tong University. His research interests include network security and cryptography.