More From This User
Related Docuements
2
From Mohan Kumar
Lec8
From Vijay Rodge
A new signature scheme with sharedverification
Jia Xiaoyun
1
,
3
Luo Shoushan
2
,
3
Liu Zhiqing
2
1.School of Continuing Education, Beijing University of Posts and Telecommunications, Beijing100876, China;2. School of Software Engineering, Beijing University of Posts and Telecommunications, Beijing100876, China;3. National Key Lab. of Integrated Service Networks, Xidian University, Xi’an710071,China
Abstract:
With the differences of user’s demands, digital signature techniques are being expandedgreatly, from the single signature, single verification mode to the multi-user’s one. This paper presents a new signature scheme with shared verification based on Fiat-Shamir signatures scheme,which is not only suitable for one public key for signature, but can be applied to many public keyssituation. In addition, the scheme could resist all kinds of collusion which make it more practicable and safer, and it is more efficient than other scheme.
Key word:
digital signature; shared verification; verifiable secret sharing
1 Introduction
With the development of computer and network communication technology, and with the differenceof user’s demands, digital signature techniques are being expanded greatly, from the single signature,single verification mode to the multi-user’s one. For example, a document synchronously needs multiplesignatures in some cases, thus it is called multiple digital signatures, existing some schemes have [1,2,3].Sometimes a digital signature needs multiple verifier to verify its correctness, such as [4]. In singleverifiable signature scheme, the verifier is apt to cause the security performance bottleneck of the wholesystem. Once he isn’t reliable, this will jeopardize the use of the whole secure system. So we can adoptmulti-verifiable signature service which have many witnesses, thus it can disperse responsibility andstrengthen the system security.Thus we propose the definition of digital signature with shared verification. A digital signature withshared verification only can verify the validity of the signature when all verifiers are honest andcooperative in an access structure. A digital signature with (t, n) shared verification is a special digitalsignature with shared verification, which enabled any t of the n verifiers to verify the validity of thesignature. A digital signature with (t, n) shared verification [4,5] has the following properties:(1)any t of the n verifiers can verify the validity of the signature(2)any t-1 or fewer verifiers cannot verify the validity of the signatureThe first digital signature with (t, n) shared verification was proposed by Soete al. [4] in 1989. In the paper, the construction of the digital signature with (t, n) shared verification was based on a special classof geometric incidence structures, so called generalized quadrangles. The author applies specialgeneralized quadrangles, and its ovoid and special point and liner to structure a digital signature with (t, n)shared verification. The disadvantage of the scheme is inefficient and only can apply the case of one publickey for signature.Harn L. proposes a digital signature with (t, n) shared verification [6] based on discrete logarithms.In the scheme, the secret-key of signer is fixed, but the public-key of verification signature is changed with
the message. The signer gives a secret share to every verifier respective through a (t, n) threshold secretsharing scheme. Any t of the n verifiers can recover the secret-key of verification signature when they
receive the signature of a message, so they can verify the validity of the signature. Afterwards, [7,8,9] haverevised in security question of [6] , thus make it become more and more perfect gradually. [10] proposes anew digital signature with shared verification based on a verifiable secret sharing scheme, but the schemeonly applies in one public-key situation for signature, it is nothing in many public-keys situation. There isa proposed digital signature with shared verification in this paper which can solve this question.In the paper, a new digital signature with shared verification is proposed, which was not onlysuitable for one public key for signature, but can be applied to many public keys situation. In addition,its security and efficiency are not lower than other signature schemes. In the paper, first, we propose anew digital signature with shared verification based on a publicly verification secret sharing scheme andanalyze its security, then we analyze the efficiency of the scheme, finally, we generalize its advantageand disadvantage.
2 a new digital signature with shared verification
2.1
preliminaries (systematic parameter)
Suppose p and q are two large primes, N=pq, where for the security of the RSA system it is assumed that p and q are sufficiently large (e.g., 512 digit numbers) [11].
],[
2/1
N N g
∈
and
q g p g
≠≠
,
. The secretkey of signer A is
*
N i
Z s
∈
, public key is
)(mod
2
N sv
ii
=
, where i=1,2,……k. The verifiers
},{
21
n
P P P P
……=
is a set of persons who participate in verification. The singer A can choose random aintegers
l
ID
from [n+2-t,N] for verifier
l
P
that only can be identity and is a public-known message,where l=1,2,
……n.
The signature scheme [12]: (Fiat-Shamir Signatures) In Fiat-Shamir signature scheme, there aretwo security parameters k and m, and a hash function H that outputs a m*k bit-matrix
ji
c
. The signer Aselects
* Ni
Zs
∈
at random, and computes
)modN(
2
ii
sv
=
, where
k i1
≤≤
,. The public key consists of N and
k
vvv
……
,,
21
, and the secret key consists of
k
s s s
……
21
,
. To sign a message M, for
m j1
≤≤
,the signer A chooses
* N
Z r
j
∈
at random and computes
2
j j
r w
=
, and then computes
),,,(
21
m
wwwM H c
……=
. Finally, for
m j1
≤≤
, the signer A computes
1
/(modN)
ji
i k c j j i
z r s
…
. The signature is
),,(
21
m
z z z c
……
. To verify a signature, one checks that
cM H
m
=……
)u,u,u,(
21
, where
12
u(modN)
ji
i k c j j i
z v
…
.
2.2
The sharing scheme of the signer’s public key among the verifiers
We can share the public keys that we need as following, we share
2
i
h
here, where i=1,2,……k. If thefollowing is no special explanation we can always have i=1,2,……k
,
j=1,2,……m, l=1,2,……n.(1)A chooses
*
N i
Z h
and random
i
T
for every secret
2
i
h
, where
],2[
N T
i
and is relatively prime to p-1 and q-1, then computes
)(mod
N g R
i
T i
.(2)Find out
i
K
that make
))((mod1
N K T
ii
φ
=×
, where
)(
N
φ
is Euler function.(3)Publish the public-known
i
R
and
i
K
for secret
2
i
h
. Every verifier
l
P
chooses a integer
l
S
from
1
Foundation Item:
The National Natural Science Foundation of China(60772110)
[2, N] at random, and computes
)(mod
N g Q
l
S l
=
. Then the verifier keeps the secret
l
S
andsends
l
Q
to the signer A.(4)Use n+1 points
),),,(),,0(
112
ii
T nnT i
Q IDQ IDh
(
……
and Lagrange polynomial interpolationmethod [13] to construct n degree polynomial
)(
x f
i
:
N ID ID ID x ID x N Q
ID ID xh x f
ul nl uuul nl T l l nl l ii
i
mod)]/()()/()mod[(
)/()()(
,1112
−−××
+−−×=
∏∑∏
≠===
We can see easily there are k polynomials.(5)Compute and publish
)1(),2(),1(
t n f f f
iii
−+……
.The above method can regard as a publicly verifiable secret sharing scheme, it can efficiently preventthat the dealer sends a wrong share to the participant and identify the participant who offer wrong sharewhen resume secrets.
2.3
Signature generation
When the signer A signs for message M, A firstly chooses the generator g in
*
N
Z
which satisfy
)(mod
2
12
N g v
i
hi
=
, then chooses
*
N j
Z r
∈
at random and computes
)(mod
2
N r w
j j
=
and
),,,(
21
m
wwwM H c
……=
. Finally, A computes
1
/(mod)
ji
i k c j j i
z r s N
…
.So the signature is
),,(
21
m
z z z c
, verifiable formula is
cM H
m
)u,u,u,(
21
, where
12
u (mod )
ji
i k c j j i
z v N
…
.
2.4
Signature verification
Theory: When receive the signature of the signer A and shares from A, any t of the n verifiers can verifythat the signature is validity or not. We can assume that
t
P P P
21
,
is the t verifiers here. The detailed process is as following:We assume all i=1,2,……k, v=1,2,……t if there is no special explanation. Every verifier
v
P
can use hissecret
v
S
to compute his share
)(mod
'
N RS
v
S ivi
=
,
any entity can verify that the verifier
v
P
offer realshare or not. If
)(mod)(
'
N QS
v K vi
v
=
is true,
v
P
honestly offer share, in other words
'
vi
S
is right. Whenall
'
vi
S
are verified, we can use k*(n+1) points
' ' '1 1 2 2
1, (1)),(2, (2)), ( 1 , ( 1 )),( , ),( , ) ( , )
i i i i i t ti
f f n t f n t ID S ID S ID S
…… + − + − ……
(
and Lagrange polynomial interpolation method to resume n degree polynomials
)(
x f
i
.
For simpleness, we use
),(
uiui
Y X
to denote the k*(n+1) points, where u=1,2,……n,n+1, i=1,2,……k. Then we can resume ndegree Lagrange polynomial
)(
x f
i
:
of 00
English
579 Reads
Info and Rating
| Category: | Uncategorized. |
| Rating: | |
| Upload Date: | 01/21/2009 |
| Copyright: | Attribution Non-commercial |
| Tags: |
Leave a Comment