2009 Fourth International Conference on Systems and Networks Communications

FSS-Id: A Fast Safe Identity-based Multi Signature Scheme

Sami Harari, Laboratoire Systèmes Navals Complexes, ISITV, Université du Sud Toulon-Var, BP 56, 83162 La Valette du Var, France. harari@univ-tln.fr

Abstract—In this paper, an identity-based multi signature scheme (IBMS) is presented. Many applications require the public keys of the signers to be sent along with the signature. Identity strings are likely to be much shorter than randomly generated public keys and are easily verifiable through other applications such as mail or web pages. This property makes the identity based paradigm appealing in such a situation. The new scheme is based on the difficulty of factoring a Rivest Shamir Adleman (RSA) integer and in particular does not rely on the untested assumptions on bilinear maps. A proof of security for this IBMS is obtained under the assumption of the one wayness of RSA in the random oracle model. It is analogous but not equivalent to the Bellare scheme. An extension to an aggregated identity based signature scheme is also presented.

I. INTRODUCTION

The need to elaborate new signature schemes, fast and safe, is motivated by many applications and by constraints linked to the conditions of use. The most evident ones are smart cards, and contact-less or mobile applications using radio frequency identification devices (RFID). Electronic commerce protocols tend to use signature schemes as proof of evidence of commercial binds. In many countries electronic signatures have the same status as paper signatures, and the number of such countries is increasing steadily.

From a practical point of view a smart card is a computer which is intrinsically slow and which cannot perform a modular exponentiation in a reasonable delay. The situation has changed and many of the more expensive cards have a dedicated arithmetic co-processor that computes such a quantity in a short time, as long as electric power is available. The computing power problem is transposed to radio frequency identification devices when they are used for authentication. These devices do not have a co-processor, and the availability of electric power is limited in time. The protocol must be executed in a very short delay, corresponding to the physical distance over which the exchange of data is possible. A base time of 20 seconds is considered normal. This delay tends to diminish if the protocol is run in a mobile situation: pedestrian or moving vehicle. These constraints eliminate all possibility of computing a modular exponentiation in real time, all the more so if the communication delay between a mobile and its base is taken into account.

The Rivest Shamir Adleman cryptosystem (RSA) [16] helped define a one way function. Its strength has been studied many times, and the algorithms that generate primes suitable for RSA implementations have been under constant scrutiny. Therefore having a scheme with strength equivalent to that of factoring the RSA integer N gives a good measure of the probability of success in achieving an undetected fraud.

OUR CONTRIBUTION: In this paper, an identity-based multi signature scheme is presented. It relies, for its implementation, on an RSA integer N and its keys (e, d), one of which can be made public. Though similar to the Guillou Quisquater scheme, it differs from it by requiring fewer multiplications. The scheme is interactive, requiring n rounds with intermediate computation if there are n participants.
1) Its strength is equivalent to the one wayness of the primitive RSA signature scheme. The probability of success in creating false signatures is linked to that of a random oracle factoring N, as well as to that of another oracle that gives preimages of a hash function H().
2) The use of a hash function has as consequence that the knowledge of any number of signatures does not give any advantage to an adversary for creating a legitimate "false" signature, if the signature keys are sufficiently structured.
3) The signature is in two parts, one obtained by an exponentiation, the other by two modular multiplications. The first one is not message dependent and can therefore be precomputed and the result stored. This aspect makes it different from, and faster than, schemes derived from the Guillou Quisquater scheme [4].
4) The public key used for checking can be freely chosen. It is independent of the RSA keys. It can be taken as a proven quantity, like an e mail address for example. This system can therefore use trust without having to rely on a trusted third party (TTP), which has been introduced to ensure the identity of the two participants in signature schemes.
5) The multi signature is obtained in rounds, n if there are n participants.
All these items will be detailed.

978-0-7695-3775-7/09 $26.00 © 2009 IEEE. DOI 10.1109/ICSNC.2009.107
As in the Digital Signature Standard (DSS), the system can be easily modified in order to obtain an authentication system, though this will not be detailed. A modification for aggregated signatures will be given.

II. IDENTITY BASED MULTI SIGNATURES

We adapt the definitions from [9] to the identity based setting. Consider n different signers with identities Id_1, ..., Id_n who collectively want to sign a message m. We assume that the signers interact in rounds, where at the beginning of each round each signer receives an incoming message from each of the other signers, performs some computation and sends an outgoing message to all of the signers. The incoming message of the first round consists of the message m and the list of the cosigners. The outgoing message of the last round is the final signature σ, or E to indicate failure. We assume that the connections between the cosigners do not have to be private or authenticated. When describing the protocol we let each signer refer to himself by the index which was assigned to him. These indices have no meaning outside the protocol instance and are only here to distinguish the different signers and the different connections a given signer establishes. We consider that all the signers are simultaneously on line and interact to produce a signature σ.

III. THE FSS IBMS SCHEME

The scheme requires the description of the set up procedure, the key derivation procedure, the signing procedure and finally the verification procedure. Throughout, we suppose that there are n persons that will sign the message m.

A. The Set up Procedure

The key distribution centre runs a generator procedure for RSA parameters (N, e, d), with e a prime integer. It publishes mpk = (N, e), the master public key, and keeps secret d, the master secret key.

B. Key Derivation

The identity of a signer, denoted by Id, is an integer characteristic of the signer. It can be obtained from a string of characters to which is associated an integer less than N. As an identifier one can take, depending on the application, an e mail address, a concatenation of an e mail address with the number of an Id card or passport, or even a hash of a "scan" of an Id card or of the first page of a passport, all these documents belonging to the signer. In order to eliminate the possibility that a weak key is associated to a certain identity, a hash of the identity will be used instead of the identity itself. We suppose that there exists a hash function H() with output strings of length at least 160 bits and less than log_2 N, with length strictly greater than (log_2 N)/4. The characteristic quantity (secret key) of the signer number i with identification string Id_i is the following:

x_i = H(Id_i)^{e^{-1} mod φ(N)} = H(Id_i)^d mod N,

where φ() is the Euler function, so that x_i^e = H(Id_i) mod N. The secret key x_i of user i will be sent to him through a secure and authenticated channel. Although RSA on a ring is used to describe the scheme, the system can be generalised to use RSA on elliptic curves with natural ease.

C. Signing a Message

On input the secret key x_1 for Id_1, a message m and the cosigners with identities Id_2, ..., Id_n, the signer (here signer 1; every other signer proceeds symmetrically) proceeds as follows.

Round 1
• Local input: x_1, m.
• Computation: choose a random r_1 in Z_N^*, compute R_1 = r_1^e mod N and t_1 = H(m || R_1).
• Send to each signer i: t_1.

Round 2
• Receive from each signer i: t_i.
• Send R_1 to each signer i.

Round 3
• Receive from each signer i: R_i.
• Computation: check that t_i = H(m || R_i) for all i, and check that no R_i has been used in a previous signature. Halt the computation and transmit a failure signal if one of the equations is not satisfied. Compute R = ∏_i R_i mod N and θ_1 = r_1 · m · x_1 mod N.
• Send to each signer i: θ_1.

Round 4
• Receive from each signer i: θ_i.
• Computation: θ = ∏_i θ_i mod N.
• Local output: σ = (R, θ).

Remark. If the multi signature has a speed constraint, one can take the alternate value t_i = H(R_i) for the commitments. Rounds 1 to 3 then do not depend on the message, so the commitments, their check and the computation of R can be precomputed and stored in some particular applications (RFID for instance), and only the computation of the full signature has to be done in the presence of the data.

D. Verification

On input the master public key (N, e), a signature σ = (R, θ), a set of signers L = (Id_1, ..., Id_n) and a message m, the verifier computes
1) t = θ^e mod N,
2) u = R · m^{e·n} · ∏_i H(Id_i) mod N,
3) and checks that t = u. If the quantities are equal, accept the signature as valid; otherwise reject it.

Correctness follows from x_i^e = H(Id_i) mod N: θ^e = ∏_i r_i^e · m^{e·n} · ∏_i x_i^e = R · m^{e·n} · ∏_i H(Id_i) mod N.
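The following Python program is an added worked example and is not code from the paper. It implements the set up, the key derivation, the four signing rounds (including the commitment check and the check that no R_i is reused, on which the coalition analysis of Section V relies) and the verification of Section III with toy parameters. Assumptions not in the paper: a 1024-bit modulus built from two Miller-Rabin primes (demonstration size only), SHA-512 in the role of H() (512 bits: at least 160, below log_2 N and above (log_2 N)/4), messages given as short byte strings so that their integer encoding lies below N, and a shared in-memory set standing in for the database of already used R values. Passing one m_i per signer exercises the product check θ^e = R · ∏ m_i^e · ∏ H(Id_i) that Section IV-E uses for aggregate signatures, although the aggregate protocol of Section IV runs as two sequential chains rather than these broadcast rounds.

```python
# Toy FSS-Id identity-based multi-signature over RSA (Section III); added example, not the paper's code.
import hashlib
import secrets
from math import gcd, prod

def is_probable_prime(n, rounds=32):  # Miller-Rabin; probabilistic, ample for a demonstration
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=1024, e=65537):
    """Key distribution centre: RSA (N, e, d) with e prime; returns mpk = (N, e), msk = d."""
    def prime(k):
        while True:
            p = secrets.randbits(k) | 1 << (k - 1) | 1
            if is_probable_prime(p):
                return p
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def H(data):
    """Stand-in for the paper's H(): 512-bit output, shorter than log2 N (assumption: SHA-512)."""
    return int.from_bytes(hashlib.sha512(data).digest(), "big")

def derive_key(mpk, msk, identity):
    """x_i = H(Id_i)^d mod N, hence x_i^e = H(Id_i) mod N; sent to user i over a secure channel."""
    return pow(H(identity), msk, mpk[0])

def commit(m, R):
    """t_i = H(m || R_i): commitment to R_i, broadcast in round 1, opened in round 2."""
    return H(b"%d|%d" % (m, R))

class Signer:
    seen_R = set()  # shared stand-in for the database of already used R values (Section V-C)
    def __init__(self, mpk, x):
        (self.N, self.e), self.x, self.fixed_r = mpk, x, None  # fixed_r: demo hook for the reuse check
    def round1(self, m):  # choose r_i, compute R_i = r_i^e mod N, broadcast the commitment t_i
        self.m, self.r = m, self.fixed_r or secrets.randbelow(self.N - 2) + 2
        self.R = pow(self.r, self.e, self.N)
        return commit(m, self.R)
    def round3(self, commitments, openings, messages):  # round 2 only broadcasts self.R
        for t, R, m in zip(commitments, openings, messages):
            if t != commit(m, R):
                raise ValueError("commitment mismatch: abort with E")
            if R in Signer.seen_R:
                raise ValueError("R_i reused from an earlier signature: abort with E")
        self.R_total = prod(openings) % self.N  # R = prod_i R_i
        return self.r * self.m * self.x % self.N  # theta_i = r_i * m_i * x_i
    def round4(self, thetas, openings):
        Signer.seen_R.update(openings)
        return self.R_total, prod(thetas) % self.N  # sigma = (R, theta)

def multisign(signers, messages):
    """Drive the four broadcast rounds; every signer ends with the same sigma."""
    ts = [s.round1(m) for s, m in zip(signers, messages)]
    Rs = [s.R for s in signers]  # round 2: the commitments are opened
    thetas = [s.round3(ts, Rs, messages) for s in signers]
    sigmas = {s.round4(thetas, Rs) for s in signers}
    assert len(sigmas) == 1, "all signers must end with the same sigma"
    return sigmas.pop()

def verify(mpk, sigma, identities, messages):
    """theta^e == R * prod(m_i^e) * prod(H(Id_i)) mod N; equal m_i gives R * m^(en) * prod H(Id_i)."""
    (N, e), (R, theta) = mpk, sigma
    u = R * prod(pow(m, e, N) for m in messages) * prod(map(H, identities)) % N
    return pow(theta, e, N) == u

def demo():
    """(valid multi-sig, wrong message rejected, per-signer messages valid, reused R rejected)."""
    mpk, msk = setup()
    ids = [b"alice@example.org", b"bob@example.org", b"carol@example.org"]  # constructed identities
    signers = [Signer(mpk, derive_key(mpk, msk, i)) for i in ids]
    m = int.from_bytes(b"pay 100 EUR to account 42", "big")  # short, so 1 < m < N
    sigma = multisign(signers, [m] * 3)
    msgs = [int.from_bytes(b"document %d" % i, "big") for i in range(3)]  # one m_i per signer
    agg_ok = verify(mpk, multisign(signers, msgs), ids, msgs)
    signers[0].fixed_r = 7  # the first session using R = 7^e is accepted and recorded ...
    multisign(signers, [m] * 3)
    try:  # ... a second session reusing it must abort in round 3
        multisign(signers, [m] * 3)
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    return verify(mpk, sigma, ids, [m] * 3), verify(mpk, sigma, ids, [m + 1] * 3), agg_ok, reuse_rejected
```

Calling demo() returns four booleans: a correct multi signature verifies, the same signature presented with a different message is rejected, the variant with one message per signer verifies against ∏ m_i^e, and a signer that re-uses an earlier R_i makes every participant abort in round 3, which is the check Section V-C requires to defeat replay by a coalition.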

IV. THE FSS IBAS SCHEME

We now describe the identity-based aggregate signature scheme (IBAS). In an IBAS the documents of the participants are all distinct. However there is a requirement that the document of each signer be aggregated with the documents of the other signers, to yield a signature that is unique and can be computed by each participant. The scheme requires a set up procedure, a key derivation procedure, a signing procedure and finally a verification procedure.

A. The Set up Procedure

As in Section III, the key distribution centre runs a generator procedure for RSA parameters (N, e, d), with e a prime integer. It publishes mpk = (N, e), the master public key, and keeps secret d, the master secret key.

B. Key Derivation

As in Section III, the identity of a signer, denoted by Id, is an integer characteristic of the signer, obtained from a string of characters to which is associated an integer less than N. In order to eliminate the possibility of a weak key associated to a certain identity, a hash of the identity is used instead of the identity itself: H() has output strings of length at least 160 bits, less than log_2 N and strictly greater than (log_2 N)/4. The secret key of the signer number i with identification string Id_i is x_i = H(Id_i)^d mod N, where d = e^{-1} mod φ(N) and φ() is the Euler function; it is sent to user i through a secure and authenticated channel.

C. Signing a Set of n Messages

On input the secret key x_i for Id_i and a message m_i, for i = 1, ..., n, the aggregate signature procedure is as follows. The procedure is sequential in n steps, each step involving the computation of a signature by two participants. This can be materialised by two loops executed simultaneously, one beginning at index 1 and the other at index n.

Round 1
User 1
• Local input: x_1, m_1.
• Computation: choose a random r_1 in Z_N^*, compute R_1 = r_1^e mod N and t_1 = H(m_1 || R_1). Compute θ_1 = r_1 · m_1 · x_1 mod N.
• Send to signer 2: t_1, R_1, θ_1.
User n
• Local input: x_n, m_n.
• Computation: choose a random r_n in Z_N^*, compute R_n = r_n^e mod N and t_n = H(m_n || R_n). Compute θ_n = r_n · m_n · x_n mod N.
• Send to signer n−1: t_n, R_n, θ_n.

Round 2
User 2
• Receives from signer 1: t_1, R_1, θ_1.
• Applies the verification procedure to the received signatures. Halts the computation and transmits a failure signal if the verification equation is not satisfied.
• Local input: x_2, m_2.
• Computation: choose a random r_2 in Z_N^*, compute R_2 = r_2^e · R_1 mod N and t_2 = H(m_2 || R_2). Compute θ_2 = r_2 · m_2 · x_2 mod N.
• Send to signer 3: everything received from user 1, and t_2, R_2, θ_2.
User n−1
• Receives from signer n: t_n, R_n, θ_n.
• Applies the verification procedure to the received signatures. Halts the computation and transmits a failure signal if the verification equation is not satisfied.
• Local input: x_{n−1}, m_{n−1}.
• Computation: choose a random r_{n−1} in Z_N^*, compute R_{n−1} = r_{n−1}^e · R_n mod N and t_{n−1} = H(m_{n−1} || R_{n−1}). Compute θ_{n−1} = r_{n−1} · m_{n−1} · x_{n−1} mod N.
• Send to signer n−2: everything received from user n, and t_{n−1}, R_{n−1}, θ_{n−1}.

Round 3 to Round n
Apply the same procedure as at round 2, modifying the indices: increasing them by one unit in the loop started at index 1 and decreasing them by one unit in the loop started at index n.

D. The Aggregate Signature

The aggregate signature of (m_1, ..., m_n) by (Id_1, ..., Id_n) is the signature computed with the data received at round n:

σ = (R, θ), with R = ∏_i R_i mod N and θ = ∏_i θ_i mod N.

One outstanding property of the new scheme is that at the end of the n rounds all participants have all the data needed to compute the aggregate signature. Each of the users, and only these users, can compute σ. Any eavesdropper will only get partial information.

E. Verification

On input the master public key (N, e), a signature σ = (R, θ), the set of signers L = (Id_1, ..., Id_n) or a partial set of signers L_p = (Id_1, ..., Id_k), and the corresponding messages m_1, ..., m_k, the verifier computes
1) t = θ^e mod N,
2) u = R · ∏_i m_i^e · ∏_i H(Id_i) mod N,
3) and checks that t = u. If the quantities are equal, accept the signature as valid; otherwise reject it.

V. SECURITY OF THE SCHEME

The security study has three parts. Two concern the single user case; the third concerns a coalition of false signers against an honest signer.

A. The Single User Case

Let M be a message, and suppose that a dishonest user U wants to sign in place of an honest signer having public data (N, e, Id). He must compute a pair (R, θ) with R = r^e mod N and θ = r · M · x mod N, where x = H(Id)^d mod N is the secret key of the honest signer, so that θ^e = R · M^e · H(Id) mod N. U can choose a random r and compute a legitimate R. However this does not yield a valid θ part of the signature: for this he must know the secret key x, that is, extract an e-th root of H(Id) modulo N, which, given only N, is the RSA problem and is taken here to be as hard as factoring N. Thus forging a signature from the public data alone is a hard problem.

Suppose now that U has access to (M_i, R_i, θ_i), i = 1, ..., m, a set of legitimately signed messages. To recover the r_i from the R_i = r_i^e he has to solve m distinct RSA problems. The other set of m equations, θ_i = r_i · M_i · x mod N, is a set of m equations in the m+1 unknowns r_1, ..., r_m and x, which does not have a unique solution. In this setting U would have to obtain the values r_i from the R_i, and in a short delay, even if there were no algorithmic obstacle to solving the system.

B. Collision in Hash Functions

The security of the scheme relies on the non existence of computable collisions for the hash function H(). The existence of such collisions would introduce mathematical structure, at least for some input values. In this case the scheme would have to be reinforced by using a specific function to this end.

C. The Coalition Attack

If the same set of m users multi sign a message M many times, then a coalition (even reduced to one member) of users could try to obtain a new "legitimate" multi signature through the knowledge of its own secret keys and of the data exchanged by the participants. This corresponds to the scenario where an attacker tries to sign in place of a single user and participates in the multi signature. U might be tempted to use partial information of some of the signers to fake another signature of that same message M. This is not possible if the R part of all signatures by all users is stored in a database and, when computing a multi signature, this database is checked for re use of a previously used random value: each of the users checks that the R parts of the signature have not been used before. Moreover the hash function has no algebraic properties that could be used to this end. The resulting multi signature scheme is somewhat slower because of this check.

One last remark is that taking the product of existing signatures of a set of messages M_i yields a valid R part of a signature for ∏_i M_i. It does not, however, yield a valid θ part, which can only be produced by the owner of the secret key.

VI. CONCLUSION

A new efficient signature scheme has been presented. As a single user signature scheme it is analogous to, though somewhat faster than, other RSA based schemes. It has been shown that it is also suitable for multi signatures, which can be Id based, and for aggregated signatures, which can also be Id based. It can be Id based while having very good algorithmic performance; schemes having simultaneously these two features are not common, which makes these two quite remarkable.

REFERENCES

[1] A. Fiat and A. Shamir, "How to prove yourself: practical solutions to identification and signature problems", Advances in Cryptology, CRYPTO 1986, LNCS 263, pp. 186-194, Springer-Verlag, 1987.
[2] S. Micali and R. Rivest, "Transitive signature schemes", Proceedings of RSA 2002, LNCS 2271, pp. 236-243, Springer-Verlag, 2002.
[3] H. Ong, C. P. Schnorr and A. Shamir, "Efficient signature schemes based on polynomial equations", Advances in Cryptology, CRYPTO 1984, LNCS 196, pp. 37-46, Springer-Verlag, 1985.
[4] A. Menezes, P. van Oorschot and S. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1996.
[5] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing", SIAM J. Computing 32(3):586-615, 2003. Extended abstract in Proceedings of CRYPTO 2001.
[6] T. Okamoto, "A digital multisignature scheme using bijective public-key cryptosystems", ACM Trans. Computer Systems 6(4):432-441, 1988.
[7] R. Gennaro, S. Jarecki, H. Krawczyk and T. Rabin, "Robust and efficient sharing of RSA functions", J. Cryptology 13(2):273-300, 2000.
[8] F. Zhang and K. Kim, "ID-based blind signature and ring signature from pairings", Proceedings of Asiacrypt 2002, LNCS 2501, pp. 533-547, Springer-Verlag, 2002.
[9] M. Bellare and G. Neven, "Multi-signatures in the plain public-key model and a general forking lemma", ACM CCS 06, ACM Press, 2006.
[10] A. Boldyreva, "Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme", in Y. Desmedt, editor, PKC 2003, LNCS 2567, pp. 31-46, Springer-Verlag, 2003.
[11] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols", ACM CCS 93, pp. 62-73, ACM Press, 1993.
[12] D. Boneh, C. Gentry, B. Lynn and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps", in E. Biham, editor, EUROCRYPT 2003, LNCS 2656, pp. 416-432, Springer-Verlag, 2003.
[13] C. Castelluccia, S. Jarecki, J. Kim and G. Tsudik, "A robust multisignatures scheme with applications to acknowledgment aggregation", in C. Blundo and S. Cimato, editors, SCN 2004, LNCS 3352, pp. 193-207, Springer-Verlag, 2005.
[14] C. Castelluccia, S. Jarecki, J. Kim and G. Tsudik, "Secure acknowledgment aggregation and multisignatures with limited robustness", Computer Networks 50(10):1639-1652, 2006.
[15] J. Cha and J. Cheon, "An identity-based signature from gap Diffie-Hellman groups", in Y. Desmedt, editor, PKC 2003, LNCS 2567, pp. 18-30, Springer-Verlag, 2003.
[16] R. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems", Communications of the ACM 21(2), pp. 120-126, 1978.