A Fully Distributed Proactively Secure

Threshold-Multisignature Scheme
Johann van der Merwe, Dawoud S. Dawoud, Member, IEEE, and Stephen McDonald, Member, IEEE
Abstract—Threshold-multisignature schemes combine the properties of threshold group-oriented signature schemes and
multisignature schemes to yield a signature scheme that allows a threshold ðtÞ or more group members to collaboratively sign an
arbitrary message. In contrast to threshold group signatures, the individual signers do not remain anonymous, but are publicly
identifiable from the information contained in the valid threshold-multisignature. The main objective of this paper is to propose such a
secure and efficient threshold-multisignature scheme. The paper uniquely defines the fundamental properties of threshold-
multisignature schemes and shows that the proposed scheme satisfies these properties and eliminates the latest attacks to which
other similar schemes are subject. The efficiency of the proposed scheme is analyzed and shown to be superior to its counterparts.
The paper also proposes a discrete logarithm based distributed-key management infrastructure (DKMI), which consists of a round
optimal, publicly verifiable, distributed-key generation (DKG) protocol and a one round, publicly verifiable, distributed-key redistribution/
updating (DKRU) protocol. The round optimal DKRU protocol solves a major problem with existing secret redistribution/updating
schemes by giving group members a mechanism to identify malicious or faulty share holders in the first round, thus avoiding multiple
protocol executions.
Index Terms—Security and protection, distributed systems, group-oriented cryptography, threshold-multisignature, secret sharing,
distributed-key management infrastructure, publicly verifiable distributed-key generation, publicly verifiable distributed-key update,
publicly verifiable distributed-key redistribution.
Ç
1 INTRODUCTION
I
N distributed systems it is sometimes necessary for users
to share the power to use a cryptosystem [1], [2]. The
system secret is divided up into shares and securely stored
by the entities forming the distributed cryptosystem. The
main advantage of a distributed cryptosystem is that the
secret is never computed, reconstructed, or stored in a
single location, making the secret more difficult to
compromise [3].
In many applications, a threshold ðtÞ or more share-
holders are required to cooperatively generate a digital
signature, in contrast to the conventional single signer. This
may also be seen as a distribution of trust since the
shareholders must collaborate and contribute equally to
produce a valid multiparty signature.
Threshold-multisignature schemes [4] combine the proper-
ties of threshold group-oriented signature schemes [2] and
multisignature schemes [5]. In the literature, threshold-
multisignature schemes are also referred to as threshold
signature schemes with traceability [6], [7], [8]. The
combined properties guarantee the signature verifier that
at least t members participated in the generation of the
group-oriented signature and that the identities of the
signers can be easily established. The majority of the
existing threshold-multisignature schemes belong to var-
iants of the single signatory, generalized ElGamal signatures
[9], [10], extended to a group/multiparty setting.
In [11], Wang defines the properties of threshold group
signature schemes [12] in order to guarantee the security of
the system. To the best of the authors’ knowledge, a
complete set of definitions does not exist for threshold-
multisignature schemes. The authors’ studies have shown
that secure threshold-multisignature schemes must satisfy
the following five main properties:
Correctness: All threshold-multisignatures on an arbi-
trary message i, generated by an honest authorized subset u
of group members, forming subgroup 1
u
, can be verified by
any outsider \ (with respect to the group). This implies that
the group-oriented signature is publicly verifiable.
Threshold property: Only a threshold of t or more
authorized group members are able to collaboratively
generate a valid threshold-multisignature. This property
thus incorporates unforgeability.
Traceability: Any outsider \ can learn the identities of
the individual signers belonging to 1
u
from the threshold-
multisignature on i without interaction with any of the
group members and/or a group manager. This implies that
the signers are publicly traceable with public information.
Traceability implies accountability; the individual signers
participating in the threshold-multisignature scheme can be
held accountable for their contribution to the group-
oriented signature.
Coalition-resistance: No colluding subset of group
members can generate a valid threshold-multisignature not
satisfying the traceability property. Coalition-resistance
subsumes framing-resistance, i.e., no subset of groupmembers
can sign on behalf of any other subset of group members.
562 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007
. The authors are with the School of Electrical, Electronic, and Computer
Engineering, University of KwaZulu-Natal, King George V Avenue,
Room 4-05, Glenwood, Durban, South Africa, 4041.
E-mail: {vdmerwe, dawoudd, mcdonalds}@ukzn.ac.za.
Manuscript received 16 Dec. 2004; revised 5 Apr. 2006; accepted 18 Apr.
2006; published online 9 Jan. 2007.
Recommended for acceptance by M. Singhal.
For information on obtaining reprints of this article, please send e-mail to:
tpds@computer.org, and reference IEEECS Log Number TPDS-0307-1204.
Digital Object Identifier no. 10.1109/TPDS.2007.1005.
1045-9219/07/$25.00 ß 2007 IEEE Published by the IEEE Computer Society
Break-resistance: An adversary in possession or control
of the group secret key and/or the individual secret shares
of any number of group members cannot generate a valid
threshold-multisignature and/or partial/individual signa-
tures; thus, although the underlying threshold cryptosystem
has been broken, the threshold-multisignature signature
scheme should not be breakable.
Threshold-multisignature schemes can be differentiated
from threshold group signatures [12] by the fact that by
definition, in the latter, the individual signers remain
anonymous since it is computationally hard to derive the
identities from the group signature, with the exception of
the group managers. In contrast, by the above-defined
traceability property of threshold-multisignature schemes, the
individual signers are publicly traceable and do not enjoy
anonymity. Consequently, the traceability property of
threshold-multisignature schemes allows the individual
signers to be held accountable in the public domain and
renders the unlinkability property of threshold group
signature schemes, as defined in [11], inapplicable.
An important component of any threshold digital
signature scheme is the sharing of the group key [2]. If
the group key sharing does not involve a trusted third party
(TTP), the key sharing is performed by a distributed
collaborative protocol. A threshold-multisignature scheme
that is suitable for distributed systems (for example, ad hoc
networks [13]) may require a distributed-key generation
(DKG) protocol that effectively eliminates the TTP. The
first DKG protocol, for discrete logarithm-based threshold
cryptosystems, was introduced in [14] and a number of
promising proposals for DKG have been published since
[15], [3], [16], [17]. In these schemes, the distributed-key is
generated in a distributed fashion as a function of the
random input of all protocol participants while preserving
the symmetric relationship between them.
In threshold cryptosystems, it is impractical to assume
that an adversary cannot compromise more than t share-
holders during the entire lifetime of the distributed secret
[18]. The secret shares therefore have to be periodically
updated using a distributed-key updating (DKU) protocol.
The DKU scheme allows for only an impractical period T in
which an active/mobile adversary has time to compromise
a sufficient percentage of the group secret shares [18].
The access structure À
ði.tÞ
1
of the initial share distribution
will not necessarily remain constant [19]. Assuming the
same shareholders to be present at all times is unrealistic
and the availability/security trade-off (set by the total
number of group members ðiÞ and threshold ðtÞ) may need
to be changed as a function of system vulnerability,
networking environment, and current functionality of the
cryptosystem. The shares must then be redistributed to a
new access structure À
ði
0
.t
0
Þ
1
0 using a distributed-key redistribu-
tion (DKR) protocol [19], [20].
The main objective of this paper is to propose a new
threshold-multisignature scheme without a trusted third
party (TTP), based on a round optimal, publicly verifiable
DKG protocol. The proposed scheme can be easily adapted
to incorporate a TTP; a version of the proposed scheme with
the assistance of a TTP will therefore not be presented. The
proposed discrete logarithm-based threshold-multisigna-
ture scheme is also proactively secure, allowing for DKR to a
new access structure À
ði
0
.t
0
Þ
1
0 and periodic DKU to mitigate
attacks from an active/mobile adversary. The proposed
discrete logarithm-based threshold-multisignature scheme
is made proactively secure by periodically updating secret
shares and facilitating changes in group membership by
allowing an authorized subset u of existing group members
to redistribute secret shares to a new access structure À
ði
0
.t
0
Þ
1
0 .
The paper is organized as follows: In Section 2, the new
threshold-multisignature scheme is proposed. Section 3
introduces a new distributed-key redistribution/updating
(DKRU) scheme. The security and features of the proposed
threshold-multisignature scheme are discussed in Section 4.
Some conclusions are provided in Section 5.
2 PROPOSED THRESHOLD-MULTISIGNATURE
SCHEME
In this section, a novel threshold-multisignature scheme,
without assistance from a trusted key distribution center
(KDC), is proposed. The scheme consists of the following
six parts (Section 2.1 through Section 2.6):
2.1 System Parameter Setup
The group members 1
i
, for i ¼ 1 : i, agree on and publish
the following system parameters:
. j. ¡ two large primes such that ¡ j ðj À 1Þ,
. q generator of the cyclic subgroup of order ¡ in ð7Þ
Ã
j
,
. HðÁÞ collision-free one-way hash function,
. ði. tÞ threshold parameter t and total number of
group members i, and
. T threshold cryptosystem secret update period.
Protocol participants 1
i
, for i ¼ 1 : i, are assumed to have a
long-term public/private key pair 11
i
,o1
i
and an
authentic certificate, verifiable with the public key of a
common trusted third party. The certificate of 1
i
binds the
public key 11
i
¼ q
o1
i
to user 1
i
’s identity 11
i
. The
certificates are distributed to (or can be traced by) all
communication entities 1
,
, for , ¼ 1 : i, , 6¼ i.
2.2 Initial Publicly Verifiable Distributed-Key
Generation
In this section, a publicly verifiable distributed-key generation
(DKG) protocol is presented. The round optimal DKG
protocol is developed from the scheme of Zhang and Imai
[17]. The purpose of the protocol is to realize secure, initial
secret sharing to an access structure À
i.t
1
, without a trusted
dealer or KDC.
The protocol executes in four steps:
1. For 1 i i, 1
i
chooses a random number
d
i
2 ½1. ¡ À 1Š. 1
i
then shares the random value d
i
with all of the other protocol participants, using
Shamir’s secret sharing scheme [21] as follows:
a. Sets o
i.0
¼ :
i.0
¼ d
i
and chooses at random
o
i./
2 ½1. ¡ À 1Š, for 1 / t À 1, such that the
numbers o
i.0
. . . . . o
i.tÀ1
define a polynomial
)
i
ðAÞ ¼

tÀ1
/¼0
o
i./
A
/
over ZZ
¡
.
b. For , ¼ 0. . . . . t À 1, 1
i
computes, ¹
i.,
¼ q
o
i.,
iod j. For , ¼ 1. . . . . i, 1
i
computes :
i.,
¼ )
i
ð11
,
Þ iod ¡, y
i.,
¼ q
:
i.,
iod j and an encryption
VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 563
1
11,
ð:
i.,
Þ of each secret shadow. 1
i
then binds
itself to the public values by generating the digital
signature ði
1
i
:
1
i
Þ on message ð½y
i.1
. 1
11
1
ð:
i.1
ފ k
Á Á Á k ½y
i.i
. 1
11
i
ð:
i.i
Þ Š k ¹
i.0
k Á Á Á k¹
i.ðtÀ1Þ
Þ using
the ElGamal type signature variant: G1o ¼
ð`.1GII.3.oð1Þ. i. :. /ði. iÞ. 1Þ, developed from
the generalized ElGamal scheme presentedin [9].
The signature is generated with 1
i
’s long-term
private key o1
i
. 1
i
broadcasts the message and
the signature to all protocol participants. The
encryption 1
11,
ð:
i.,
Þ of the secret shadow for
protocol participant 1
,
is performed using an
appropriate publicly verifiable encryption scheme
[15], [22]. 1
i
keeps the share when , ¼ i.
2. Protocol participants 1
1
. . . . . 1
i
each verify the
following:
a. ði
1i
. :
1i
Þ is a valid signature on the public values
ð½y
i.1
. 1
111
ð:
i.1
ފ k Á Á Á k ½y
i.i
. 1
11i
ð:
i.i
ފ k ¹
i.0
k
Á Á Á k ¹
i.ðtÀ1Þ
Þ
receivedfrom1
i
. This serves as aproof of integrity
and binds participant 1
i
to these public values.
b. 1
11
,
ð:
i.,
Þ is the correct encryptionof :
i.,
under the
public key 11
,
. This implies that anybody can
verify that y
i.,
and :
i.,
satisfy the following
relationship: y
i.,
¼ q
:
i.,
iod j and that protocol
participant 1
,
can correctly retrieve the subshare
:
i.,
(note that only 1
,
can decrypt 1
11,
ð:
i.,
Þ with
its corresponding private key o1
,
to recover :
i.,
).
c. 1
,
knows that the subshare distribution from
member 1
i
is correct if (1) holds.

tÀ1
/¼0
¹
ð11
,
Þ
/
i./
¼

tÀ1
/¼0
ðq
oi./
Þ
ð11,Þ
/
¼ q

tÀ1
/¼0
ðoi./Þð11,Þ
/
¼ q
)i ð11,Þ
ðiod jÞ ¼ y
i.,
.
ð1Þ
3. Participants are disqualified if they do not follow the
protocol correctly. The remaining set of participants
form the set Q. The protocol aborts if Q contains less
than t members. 1
,
uses the correct shares received
from i 2 Q to compute the following:
r
,
¼

i2Q
ð:
i.,
1
i
Þ iod ¡. ð2Þ
where the Lagrangian coefficient is given as:
1
i
¼

/2Q./6¼i
11
/
11
/
À11
i
iod ¡. ð3Þ
The secret key r
,
is 1
,
’s new share in the distributed
group secret key r
Q
. The group public key can be
computed (verified) by any group member or
outsider as:
y
Q
¼

i2Q
¹
1
i
i.0
¼ q

i2Q
)i ð0Þ1i
¼ q
r
Q
iod j. ð4Þ
Each 1
,
, , 2 Q calculates its public key as y
,
¼
q
r
,
iod j. Using the ElGamal type signature variant
G1o, 1
,
binds itself tothepublic keyy
,
bygeneratinga
signature ði
1
,
. :
1
,
Þ on y
,
using its long-term private
key o1
,
. 1
,
broadcasts ðy
,
. i
1,
. :
1,
Þ to all protocol
participants. 1
,
also verifies the authenticity of the
receivedpublic keys after calculating the public key y
i
of all 1
i
, i 2 Q as:
y
i
¼ q
r
i
¼ q

,2Q
ð:
,.i
1
,
Þ
¼

,2Q
y
1,
,.i
iod j. ð5Þ
4. Each 1
,
, , 2 Q completely erases all traces of its
initial randomly chosen value d
,
and all generated
subshares :
,.i
¼ )
,
ð11
i
Þ iod ¡ ði ¼ 1. . . . . i) and re-
ceived subshares :
i.,
ði 2 QÞ.
The secret can be constructed if t or more honest players,
from the set Q, collect:
r
Q
¼

,2Q
r
,

/2Q./6¼,
11
/
11
/
À11
,
_ _
iod ¡. ð6Þ
Taking the Lagrange polynomial of the original random
values d
,
, for , 2 Q, also yields the group secret r
Q
, which
highlights the importance of erasing these values securely.
In Section 3, a publicly verifiable distributed-key redis-
tribution/update (DKRU) protocol is proposed that is
compatible with the initial DKG protocol given above.
The differences and the significance of the similarity are
discussed in Section 4.6 and Section 5.
2.3 Individual Signature Generation
Any subset u of t or more members can represent the group
and sign an arbitrary message i. Each member 1
i
, i 2 u,
selects a random integer /
i
2 ½1. ¡ À 1Š and computes
i
i
¼ q
/
i
iod j. Each member verifiably encrypts /
i
with its
own long-term public key 11
i
using a verifiable encryption
scheme [15], [22] to generate 1
11i
ð/
i
Þ. Using the ElGamal
type signature variant G1o, 1
i
generates a signature
ði
0
1i
. :
0
1i
Þ on ½i
i
. 1
11
i
ð/
i
ފ using its long-term private key
o1
i
. 1
i
broadcasts ði
i
. 1
11i
ð/
i
Þ. i
0
1
i
. :
0
1
i
Þ to all protocol
participants. This implies that each member commits to its
public value i
i
and provides a proof of knowledge of its
corresponding discrete logarithm, /
i
.
After all committed i
i
s are available and members with
invalid i
i
s are excluded from the set u, the value 1 is
calculated as follows:
1 ¼

i2u
i
i
iod j. ð7Þ
Each 1
i
uses public values 11
,
authentically bound to 11
,
,
for , 2 u, to form the set 1.
1
i
uses its (secret share)/(private key) set ðr
i
. o1
i
Þ and
random number /
i
to compute its individual signature :
i
on
message i as follows:
:
i
¼ ½Hði. 1. 1ފ½ðr
i
Þ Á 1
ui
þo1
i
Š þ/
i
iod ¡. ð8Þ
where the Lagrange interpolating coefficient 1
ui
is given by:
1
ui
¼

/2u./6¼i
11
/
11
/
À11
i
iod ¡.
564 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007
The set ð:
i
. i
i
. 1
ui
. 1Þ is the individual signature of 1
i
on
message i, which is broadcast to all other group members.
2.4 Individual Signature Verification
On receiving all of the signatures ð:
i
. i
i
. 1
ui
. 1Þ, 1
,
, , 2 u,
performs the functionality of a clerk and uses the public key
set ðy
i
. 11
i
Þ to authenticate the individual signature of 1
i
by verifying if 1
ui
is correct and whether the following
equation holds for i 2 u, i 6¼ ,:
q
:i
¼ y
1ui
i
11
i
_ _
½Hði.1.1ފ
i
i
iod j. ð9Þ
If (9) fails to hold, the individual signature of 1
i
onmessage i
is invalid. Participants are disqualified if their individual
signatures are found to be invalid. The remaining honest
participants form the set c and repeat the individual signature
generation part from (7), with u ¼ c. The protocol aborts if c
contains less than t members.
2.5 Threshold-Multisignature Generation
After 1
,
, , 2 c, has received and verified t or more
individual signatures, the second signature parameter o of
the threshold-multisignature ð1. oÞ on message i can be
computed as:
o ¼

i2c
:
i
iod ¡. ð10Þ
The set of identities 1 is appended to ð1. oÞ and provides
an explicit link between the threshold signature and the
subset of individual signers who collaborated to generate
the threshold signature ð1. o. 1Þ on message i.
2.6 Threshold-Multisignature Verification and
Individual Signer Identification
Any outsider can use the group public key y
Q
and public
keys 11
i
bounded to the identities 11
i
, for i 2 c, to verify
the validity of the threshold-multisignature ð1. o. 1Þ on an
arbitrary message i. The signature verifier calculates the
subgroup public key 11
c
as follows:
11
c
¼ q

i2c
o1
i
¼

i2c
11
i
iod j. ð11Þ
The signature verifier now has all the information to check
if the following congruency holds:
q
o
ðy
Q
11
c
Þ
½Hði.1.1ފ
1 iod j. ð12Þ
If (12) holds, the threshold-multisignature ð1. o. 1Þ on
message i is valid and the subgroup 1 of individual
signers is positively identified. (See Section 4.1 for proof of
correctness.)
3 PROPOSED PUBLICLY VERIFIABLE
DISTRIBUTED-KEY REDISTRIBUTION/UPDATE
PROTOCOL
The proposed publicly verifiable distributed-key redistribu-
tion/update (DKRU) protocol is as follows:
A distributed group secret r
Q
is redistributed from À
i.t
1
to
a new access structure À
i
0
.t
0
1
0 , using the shares of the
authorized subset u 2 À
i.t
1
. The system parameter setup
given in Section 2.1 is applicable.
The initial secret distribution to the access structure À
i.t
1
is
performed using the publicly verifiable distributed-key gen-
eration (DKG) scheme given in Section 2.2. Note that the
proposed DKRU protocol is compatible with the initial DKG
protocol. The minor differences and the significance of the
similarity are discussed in Section 4.6 and Section 5. The
proposed DKRUprotocol can be used as a publicly verifiable
distributed-key updating (DKU) protocol bysimplykeepingthe
access structure constant, À
i
0
.t
0
1
0 ¼ À
i.t
1
. For the sake of
proactive security, the threshold cryptosystemshares should
be periodically updated within a limited time period T.
The publicly verifiable property by definition means that
any outsider can obtain all of the required information from
the broadcast channel to validate the operation of both the
initial DKG and DKRU protocols.
Assume that a subset c of new members join or existing
members leave the threshold cryptosystem.
The protocol executes in four steps:
1. 1
i
, i 2 u share their secret share r
i
of group secret
key r
Q
with 1
,
2 À
i
0
.t
0
1
0 , using Shamir’s secret sharing
scheme [21]:
For i 2 u:
a. 1
i
sets o
0
i.0
¼ :
0
i.0
¼ r
i
and chooses at random
o
0
i./
2 ½1. ¡ À 1Š, for 1 / t
0
À 1, such that the
numbers o
0
i.0
. . . . . o
0
i.t
0
À1
define a polynomial
)
0
i
ðAÞ ¼

t
0
À1
/¼0
o
0
i./
A
/
over ZZ
Q
.
b. For ,¼0. . . . . t
0
À1, 1
i
computes ¹
0
i.,
¼ q
o
0
i.,
iod j.
For , ¼ 1. . . . . i
0
, 1
i
computes :
0
i.,
¼ )
0
i
ð11
,
Þ
iod ¡, y
0
i.,
¼ q
:
0
i.,
iod j and an encryption 1
11,
ð:
0
i.,
Þ of each secret shadow. 1
i
then binds itself to
the public values bygeneratinga digital signature
ði
0
1i
. :
0
1i
Þ on message ð½y
0
i.1
. 1
11
1
ð:
0
i.1
ފk Á Á Á k
½y
0
i.i
0 . 1
11
i
0
ð:
0
i.i
0 ފ k ¹
0
i.0
k Á Á Á k ¹
0
i.ðt
0
À1Þ
k y
u
Þ using
the ElGamal type signature variant: G1o ¼
ð`.1GII.3.oð1Þ. i. :. /ði. iÞ. 1Þ, developed from
the generalized ElGamal scheme presented in [9].
The signature is generated with 1
i
’s long-term
private key o1
i
. 1
i
broadcasts the message and
signature toall protocol participants. Notethat 1
,
,
, 2 u, knows the authentic public values y
i
of
1
i
2 À
i.t
1
, from a previous DKG or DKRU opera-
tion (see (5) and (16)). The set y
u
is formed by y
i
,
i 2 u, andonly includedinthe broadcast message
if new members join the group. The encryption
1
11
,
ð:
0
i.,
Þ of the secret shadow for protocol
participant 1
,
is performed using an appropriate
publicly verifiable encryption scheme [15], [22]. 1
i
keeps the share when , ¼ i.
2. Protocol participants 1
1
. . . . . 1
i
0 each verify the
following:
a. ði
0
1i
. :
0
1i
Þ is a valid signature on the public values
ð½y
0
i.1
. 1
11
1
ð:
0
i.1
Š k Á Á Á k ½y
0
i.i
0 . 1
11
i
0
ð:
0
i.i
0 ފ k ¹
0
i.0
k
Á Á Á k ¹
0
i.ðt
0
À1Þ
k y
u
Þ.
VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 565
b.
¹
0
i.0
¼ y
i
8 i 2 u. ð13Þ
If 1
,
, , 2 c are new members joining the group,
then they must only use y
i
s found to be
consistant in the broadcast messages received
from t or more members of subset u. If the
conditions do not hold for more than t members
from the authorized subset u, abort the protocol;
otherwise, evaluate the following equation:

t
0
À1
/¼0
¹
0ð11
,
Þ
/
i./
¼

t
0
À1
/¼0
ðq
o
0
i./
Þ
ð11
,
Þ
/
¼ q

t
0
À1
/¼0
ðo
0
i./
Þð11
,
Þ
/
¼ q
)
0
i
ð11,Þ
ðiod jÞ ¼ y
0
i.,
.
ð14Þ
1
,
knows that the subshare distribution received
from 1
i
is correct if (14) holds.
3. Participants are disqualified if they do not follow the
protocol correctly. The remaining set of participants
forms the set Q
0
. The protocol aborts if Q
0
contains
less than t members of the authorized subset u. 1
,
uses the correct shares received from i 2 Q
0
to
compute the following: r
0
,
¼

i2Q
0 :
0
i.,
1
0
i
, where the
Lagrangian coefficient is given as:
1
0
i
¼

/2Q
0
./6¼i
11
/
11
/
À11
i
iod ¡. ð15Þ
The secret key r
0
,
is 1
,
’s new share in the distributed
group secret key r
Q
0 .
1
If the conditions presented in
Step-2 hold, then 1
0
,
knows that its new secret key r
0
,
is a valid share of r
0
Q
. Each 1
,
, , 2 Q
0
calculates its
public key as y
0
,
¼ q
r
0
,
iod j. Using the ElGamal type
signature variant G1o and its long-term private key
o1
,
, 1
,
generates a signature ði
0
1
,
. :
0
1
,
Þ on y
0
,
, binding
itself to the public value. 1
,
broadcasts ðy
0
,
. i
0
1,
. :
0
1,
Þ to
all network participants. 1
,
also calculates the public
key of all 1
i
, i 2 Q
0
, as:
y
0
i
¼ q
r
0
i
¼ q

,2Q
0
ð:
0
,.i
1
,
Þ
¼

,2Q
0
y
01,
,.i
iod j. ð16Þ
4. Each 1
,
, , 2 Q
0
completely erases all traces of its old
share r
,
and all generated subshares :
0
,.i
¼
)
0
,
ð11
i
Þ iod ¡ ði ¼ 1. . . . . i
0
Þ and received subshares
:
0
i.,
(i 2 Q
0
).
The secret can be constructed if t
0
or more honest players,
from the set Q
0
, collect:
r
Q
0 ¼

,2Q
0
r
0
,

/2Q
0
/6¼,
11
/
11
/
À11
,
_ _
iod ¡. ð17Þ
Any network participant can calculate (verify) the group
public key when needed, using the available public
information, as follows:
y
Q
0 ¼

i2Q
0
¹
01
0
i
i.0
¼ q

i2Q
0
)
0
i
ð0Þ1
0
i
¼ q
r
Q
0
iod j. ð18Þ
4 DISCUSSION ON THE SECURITY AND
FEATURES OF THE PROPOSED
THRESHOLD-MULTISIGNATURE SCHEME
The proposed threshold-multisignature scheme is based on
a multiparty extension of the ElGamal type signature
variant: G1o ¼ ð`.1GII.3.oð1Þ. i. :. /ði. iÞ. 1Þ [9]. The pro-
posed threshold-multisignature scheme can equally use any
other secure and efficient signature variant of the ElGamal
type signature scheme. References [9], [10] help in selecting
such a variant. The main reason for using the defined G1o
is to minimize the computational cost of generating and
verifying the individual signatures and group-oriented
signature in a multiparty setting without compromising
security.
The security analysis considers a straightforward general
adversary model. An adversary is a malicious party that uses
every means available to break the proposed threshold-
multisignature scheme. Any active adversary can eavesdrop
on all of the communication between group members,
modify the content of messages, and inject them back into
the channel. When an honest party is compromised, all of
its public and private information is exposed to the
adversary.
To argue the security and validity of the proposed
threshold-multisignature scheme, it is enough to show that
the scheme fulfills all of the fundamental properties of
generic threshold-multisignature schemes given in Section 1
and resists attacks to which other similar schemes are
subject.
4.1 Correctness and Threshold Property
Any t or more honest group members of the authorized
subset c can collaborate and use the threshold-multi-
signature scheme to produce a valid threshold-multisigna-
ture ð1. o. 1Þ on an arbitrary message i. In the context of
the statement, /oic:t implies that the group members
follow the protocol as specified in Section 2.
Proof.
:
i
¼ ½Hði. 1. 1ފ½ðr
i
Þ Á 1
ci
þo1
i
Š þ/
i
iod ¡ ði 2 cÞ.
o ¼

i2c
ð:
i
Þ ¼ ½Hði. 1. 1ފ

i2c
½ðr
i
Þ Á 1
ci
Šþ
½Hði. 1. 1ފ

i2c
ðo1
i
Þ þ

i2c
ð/
i
Þ iod ¡.
q
o
¼ q
½Hði.1.1ފ½

i2c
½ðri ÞÁ1ciŠŠ
q
½Hði.1.1ފ

i2c
ðo1iÞ
q

i2c
ð/iÞ
iod j
¼ q
½Hði.1.1ފr
Q

i2c
ð11
i
Þ
_ _
½Hði.1.1ފ
i2c
ði
i
Þ iod j
¼ ðy
Q
11
c
Þ
½Hði.1.1ފ
1 iod j.
tu
566 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007
1. The group secret remains constant, irrespective of distributed-key
redistribution or distributed-key updates, ;y
Q
0 ¼ q
r
Q
0
¼ y
Q
¼ q
rQ
. Group
members 1
,
, for , 2 Q
0
belonging to the new access structure À
i
0
.t
0
1
0
thus
share the same group secret and public key as the old access structure À
i.t
1
.
4.2 Traceability of Signers
The reason for the intractability of [6] and [8], as presented
by [23] and [24], [25], respectively, is due to the non-
existence of a relationship between the threshold signature
ð1. oÞ and the Lagrange polynomial /ðyÞ used by the
signature verifier to identify the individual signers. The
polynomial /ðyÞ is constructed by the designated combiner
with t pairs of public values belonging to members of the
subgroup u that submitted valid partial signatures. The
Lagrange interpolation polynomial, /ðyÞ is given as [6]:
/ðyÞ ¼

t
1¼1
r
i

t
,¼1.,6¼i
y Ày
,
y
i
Ày
,
¼ /
tÀ1
y
tÀ1
þ . . . þ/
1
y þ/
0
. ð19Þ
It is noted here that it is possible to create such a
relationship between /ðyÞ and ð1. oÞ and make the schemes
proposed in [6], [8] traceable by including /ðyÞ within the
individual signatures. In the view of the authors, the schemes
presented in [6], [8], with a strong binding between /ðyÞ and
ð1. oÞ, still fail to provide an optimum solution to ensure
traceability. Using the polynomial function /ðyÞ to capture
the signers’ identities results in additional computational
overhead for the threshold signature verifiers (iðt À 1Þ
multiplications and iðt À 2Þ exponentiations) and fails to
reduce the threshold group-oriented signature size. The
polynomial /ðyÞ of degree t À 1, constructed from t data
points, requires at least t coefficients ð/
0
. /
1
. . . . . /
tÀ1
Þ to be
uniquely defined. Rather than including the coefficients in
the individual signatures and appending the coefficients to
the threshold signature, the proposed threshold-multi-
signature scheme uses the subset of identities 1 instead.
This saves the signature verifier the computational over-
head of evaluating /ðyÞ to learn the identities of the
individual signers. The computational cost of generating
/ðyÞ is considered in Section 4.7.4.
The traceability property of the proposed threshold-
multisignature scheme is verified in Section 4.3 by showing
that the signature verifier can only validate the threshold
signature if an authentic subset 1 of individual signers
collaborated to generate the signature. Since the subset 1 of
identities is used to validate the threshold signature (12) the
individual signers are publicly traceable and explicitly
bound to the threshold signature.
If a verifier were to know and use the certified public
keys of the individual signers, why not simply use a list of
individual (RSA) signatures for the group signature?
The threshold property must be guaranteed by crypto-
graphic means during the generation of the threshold
group-oriented signature to effectively share the power of
the cryptosystem between the group members [1], [2]. The
actual value of the threshold t may be (dynamically)
determined by an authorized subset of group members
[19] and thus forms part of the group policy. Expecting that
all (future) threshold group-oriented signature verifiers will
consistently enforce a (dynamic) group policy makes the
system vulnerable to attack.
4.3 Coalition-Resistance and Break-Resistance
The coalition and break-resistance properties can be verified
by showing that the proposed threshold-multisignature
scheme is break-resistant:
Assume a malicious subgroup u of t or more members
conspires to obtain the group secret r
Q
and wants to
frame valid subgroup c for a signature on an arbitrary
message i. This implies u wants to generate a valid
untraceable group-oriented signature. Any malicious party
1
,
chooses a random number / 2 ½1. ¡ À 1Š and generates
1 ¼ q
/
. 1
,
uses the publicly known values ð11
i
Þ, for
i 2 c
0
, to form the subgroup ¹. (The public value 11
c
can
easily be calculated using (11).) The malicious member
can attempt to forge the threshold-multisignature by
computing o ¼ ½Hði. 1. ¹ÞŠðr
Q
þo1
c
Þ þ/, which is im-
practical since 1
,
cannot compute o1
c
from 11
c
based
on the intractability of the discrete logarithm problem. An
alternative method is to solve for o to satisfy the
verification equation q
o
¼ ðy
Q
11
c
Þ
½Hði.1.¹ÞŠ
1 iod j, which
is again impractical based on the intractability of the
discrete logarithm problem. An attacker’s last resort is to
randomly select a value 1 and signature parameter o and
then attempt to determine a value 1
0
that satisfies q
o
¼
ðy
Q
11
c
Þ
1
1 iod j and 1 ¼ ½Hði. 1
0
. ¹ÞŠ simultaneously.
This is known to be impractical based on the properties of
a secure collision-free one-way hash function HðÁÞ.
This shows that using the proposed threshold-multi-
signature scheme to produce a valid untraceable signature
or signing on behalf of any other subset of group members
is not possible, even if the threshold cryptosystem is broken,
i.e., the group secret r
Q
is known or controlled by an
adversary. It also confirms that the individual signers that
collaborate to generate a threshold-multisignature are al-
ways traceable. With little modification to the above
argument, it can be shown that forging individual signatures
is also impractical, even if a coalition of t or more group
members conspire to obtain an individual’s partial share r
i
of the group key r
Q
.
2
It can thus be concluded that the
proposed threshold-multisignature is break-resistant.
4.4 Attacks on Threshold-Multisignature Schemes
4.4.1 Collusion Attack
A collusion attack enables dishonest group members (and/or
a designated clerk or combiner node: see Section 4.5) that
work together to control the group key.
Wang et al. [25] report a collusion attack on the threshold-
multisignature scheme (without a trusted third party)
presented by Li et al. in [8]. Wang et al. [25] propose some
countermeasures against the attack. The first solution
requires each member to publish its public value y
i
simultaneously to mitigate the rushing attack on the group
secret. This solution is impractical since there is no method in
existing networking protocols of accommodating i simulta-
neous broadcasts nor can devices receive i simultaneous
messages without advanced hardware. Any network parti-
cipant will therefore always be able to make a legitimate
excuse for a late arriving public value. The second proposed
solution requires members to commit to their public values
andthen open their commitments to reveal the public values.
This solution, however, makes the protocol interactive and
thus vulnerable to an adaptive adversary [16], [17]. The third
VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 567
2. A formal security proof for the defined ElGamal signature variant
G1o in the Random Oracle and Generic Model ðROM þ GMÞ can be found
in [26]. The security proof of the underlying individual signature scheme
supports the break-resistance property.
solution requires members to provide a noninteractive proof
of knowledge of the discrete logarithmfor the public value y
i
to the base of the primitive element q. This solution is well
known and has been used by both Fouque and Stern [16] and
Zhang and Imai [17] to eliminate the need for a complaint
phase. As pointed out by Zhang and Imai, this approach was
first introduced in [15] by Stadler to realize a publicly verifiable
secret sharing scheme. The complaint phase also makes
distributed-key generation (DKG) schemes such as [14], [3],
[27] impractical considering the complexity of current multi-
party computations [16], [17].
The proposed threshold multisignature scheme prevents
adversaries from controlling the group key by using the
publicly verifiable, one round DKG protocol, given in
Section 2.2, and, thus, inherently eliminates attacks from an
adaptive adversary during the construction of the threshold
cryptosystem. The proposed scheme uses publicly verifiable
encryption [15], [22] that allows protocol participants to
provide a zero knowledge proof of their public values’
discrete logarithm. Publicly verifiable encryption, however,
does not offer a mechanism to bind participants to their
public values. Committing participants to their public
values and ensuring the public values’ integrity are both
essential if members are to be disqualified if their public
values fail to satisfy the verification equations (for example,
(1) or (9)). The existing round optimal DKG protocols [16],
[17] and threshold-multisignature schemes [4], [6], [7], [8]
fail to guarantee a strong binding between participants and
their public values. The weak binding allows an adversary
to manipulate public values that will result in the dis-
qualification of honest participants. The proposed thresh-
old-multisignature scheme and DKG protocol use the
ElGamal type signature variant G1o to generate secure
and efficient digital signatures, which explicitly binds
participants to their public values and simultaneously
provides a mechanism to ensure the values’ integrity.
4.4.2 Universal Forgery Attack
In [23], Tseng and Jan present a universal forgery attack on
the threshold signature schemes with traceability by Wang
et al. [6]. The attack allows any group member or outsider to
generate a valid forged threshold signature ð1
0
. o
0
Þ on an
arbitrary message i
0
from an existing valid threshold
signature ð1. oÞ on message i. Tseng and Jan also show in
[23] that Wang et al.’s schemes [6] are completely insecure
since the trapdoor information c
)ð0Þ
, which is, in fact, the
group secret ðy ¼ q
c
)ð0Þ
Þ, can be calculated as c
)ð0Þ
¼
o1
À1
HðiÞ
Àt
from any valid threshold signature ð1. oÞ in
message i.
The scheme by Wang et al. [6] is an example of an
insecure ElGamal type signature variant extended to a
multiparty setting. The universal forgery attack in [6] is a
direct consequence of the insecurity of the modified ElGamal
signature scheme on which the group signature is based.
Caution should be taken in the modification of the ElGamal
signature or when choosing an appropriate variant. The
modification of the basic ElGamal signature scheme for the
sake of efficiency can easily introduce an insecurity. The
threshold-multisignature scheme proposed in Section 2
takes this fact into consideration. It is developed from a
secure and optimally efficient variant that was selected
using the guidelines given in [9], [10].
4.4.3 Rushing Attack
In the context of group-oriented signature schemes, a
rushing attack is defined as a manipulation of the signature
parameters or keying material by an adversary based on the
public values received from all the other participants. The
adversary thus waits until all other participants have
played before defining its own value [16]. It is noted that
the collusion attack by Wang et al. [25] and universal
forgery attack by Wu and Hsu [24], both rely directly on a
rushing attack. Assuming the threshold signature scheme is
based on a secure and efficient variant [9], [10], it should be
clear that the majority of attacks on group-oriented
signature schemes can thus only come from a vulnerability
introduced by the extension of the ElGamal type signature
variant to accommodate multiple signers. Since group
members must all make a valid contribution to the thresh-
old signature parameters and group secret, it is evident that
manipulation of these values can occur if an adversary can
delay playing its own contribution. The adversary can
collect the contributed values of all other participants and
then compute its own contribution to force the signature
parameters or group secret to a known value when
calculated as a function of all contributed values. Fouque
and Stern [16] and Zhang and Imai [17] construct their
distributed-key generation schemes on a synchronous net-
work to prevent the adversary from delaying its response,
thereby eliminating rushing attacks. Fouque and Stern
propose a solution to mitigate rushing attacks without
using a synchronous network. Fouque and Stern define an
Incorruptible Third Party (ITP) to always play at the end,
therefore eliminating the requirement for synchrony and
preventing a malicious player from manipulating the
signature parameters. The ITP unfortunately becomes a
single point of vulnerability.
It is noted here that synchrony is not always required in a
discrete logarithm-basedthresholdgroup-orientedsignature
scheme based on a variant of the generalized ElGamal type
signature. Forcing players to provide a zero knowledge proof
of the discrete logarithm of all public values is sufficient to
completely eliminate the rushing attack in an asynchronous
network. Take, for example, the signature parameter 1,
which is generally calculated as 1 ¼

i2u
i
i
iod j, where
i
i
¼ q
/
i
is the public value of each player 1
i
with correspond-
ing randomly chosen secret /
i
. The malicious player 1
,
waits
for each 1
i
to play its i
i
. 1
,
chooses a randomvalue / and sets
1 ¼ q
/
. After receiving all i
i
s for i 2 u. i 6¼ ,, 1
,
factors out its
public value as i
,
¼ 1

i2u.i6¼,
i
À1
i
iod j , whichwill force the
other players to compute 1 at a later stage (of which the
discrete logarithm is known by 1
,
). Note that 1
,
does not
knowthe discrete logarithmof its public value i
,
nor can it be
calculatedbasedonthe intractability of discrete logarithms in
finite fields. This will, in particular, be true if the modular
arithmetic is done in an appropriate multiplicative subgroup
ðð7Þ
Ã
j
Þ or a cyclic subgroup of order ¡.
The attack presented by Michels and Horster [28] on the
threshold-multisignature proposed by Li et al. [4] is a good
example of the rushing attack principle. As in the above
example, the malicious player 1
,
in this attack does not
know the discrete logarithm of its own share i
,
; thus, if the
threshold group-oriented signature protocol requires each
568 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007
player to provide a zero knowledge proof of all public
values’ discrete logarithms, the benefit the adversary gains
from a rushing attack in an asynchronous network is
nullified. It will also prevent a malicious participant from
disrupting the protocol since the participant can simply be
disqualified if it does not play a fair game.
The proposed threshold multisignature scheme in this
paper requires players to provide a zero knowledge proof
of the discrete logarithm of their public values by generat-
ing a publicly verifiable encryption [15], [22] on the discrete
logarithm of the public values. With this mechanism, the
proposed scheme eliminates rushing attacks without any
requirement for synchrony.
4.4.4 Conspiracy Attack
It is noted here that the threshold signature scheme
proposed by Li et al. [8] is also vulnerable to a conspiracy
attack by t or more malicious members. Any t or more
members forming the subgroup u
0
can use their subshares
)ð11
i
Þ
,
, ði. , 2 u
0
Þ to construct the group secret key )ð0Þ as
)ð0Þ ¼

t
,¼1
ð)ð11
i
Þ
,

t
/¼1./6¼,
11
,
11
,
À11
i
Þ. Any malicious mem-
ber generates 1 ¼ q
/
i
and solves the following congruence
for integer o: o1 ð1þ/ðiÞÞ/
i
þ)ð0Þ iod ¡. The set
ð1. oÞ will be a universally forged signature on the arbitrary
message i, verifiable with the group-oriented signature
verification equation, q
o1
¼ 1
ð1þ/ðiÞÞ
y iod j.
As shown in Section 4.3, conspiracy attacks in the
proposed threshold-multisignature schemes are avoided by
each member contributing an individual secret (long-term
private key o1
i
) to the group-orientedsignature knownto be
explicitly associated with the member. A mechanism is
provided for verifying the members’ secret contributions
from the threshold-multisignature without revealing any
additional information of the secrets, except the information
that is publicly knowto be associatedwith the secrets, i.e., the
members’ public keys 11
i
, for i 2 c. Li et al. [4] defend
against conspiracy attacks in a similar approach by adding a
random number to the secret key, which effectively conceals
the member’s secret share of the group key. Note that this is,
however, only accurate for Li et al.’s scheme with a trusted
authority. Since the randomnumbers are not explicitly linked
tothe member’s identity, the scheme presentedin[4] does not
have a strong traceability property [6].
Conspiracy attacks in threshold-multisignature schemes
can also be avoided if the secret shares of members are
generated in such a way that construction of the threshold
cryptosystem’s secret polynomial or derivation of the group
secret from the members’ secret shares is computationally
infeasible. Wang et al. [6] propose such a scheme which
prevents conspiracy attacks without attaching a random
secret to secret shares. It is, however, noted that, since a
member’s public value in [6] is not explicitly linked to a
secret known to be associated with a group member, the
scheme by Wang et al. also lacks a strong traceability
property. The same comment can be made on the scheme
proposed by Lee and Chang in [7].
4.5 Symmetric Relationships—Eliminating the
Combiner
Acentralizedcombiner nodeis aspecializedserver whichcan
be seen as a single point of vulnerability and should be
replicated in distributed networks (for example, ad hoc
networks) to ensure a correct combination [13]. The scheme
proposed in this paper eliminates the need for a designated
combiner/clerk as the construction of the threshold-multi-
signature is done by the shareholders themselves. This
eliminates attacks relying on a corrupt clerk and mitigates
the problemof ensuringthe availability of a combiner node in
distributed networks [13]. The scheme also preserves the
symmetric relationship between the shareholders by placing
on each node the same computational, memory, and
communication overhead.
4.6 Proactive Security and Secret Redistribution
The proposed threshold-multisignature scheme defends
against mobile/active adversaries by proactively updating
the group key shares every period T. To allow for dynamic
group membership and modification of the availability/
security trade-off, the shares can be redistributed to a new
access structure À
i
0
.t
0
1
0 . The proposed publicly verifiable
distributed-key redistribution/update (DGRU) protocol pro-
posed in Section 3 was designed to support dynamic group
membership and allow for share updates by merely keeping
the access structure constant, i.e., À
i
0
.t
0
1
0 ¼ À
i.t
1
. Comparing the
DGRU protocol to the initial DKG protocol presented in
Section2.2, the reader will note that these protocols are almost
exactly equivalent. By deliberately keeping the phrasing and
notation as far as possible the same, the following minor
differences are easily identifiable:
. For the initial DKG, each user must choose a random
number d
i
, while the DKRU protocol uses the user’s
share r
i
of the group secret r
Q
.
. Members of the authorized subset u append the
public values y
i
of 1
i
2 u to ð½y
0
i.1
. 1
11
1
ð:
0
i.1
ފ k Á Á Á k
½y
0
i.i
0 . 1
11
i
0
ð:
0
i.i
0 ފ k ¹
0
i.0
k Á Á Á k ¹
0
i.ðt
0
À1Þ
Þ if new mem-
bers join the group.
. In the DKRU protocol, the participants must also
check that the condition presented in (13) holds
before verifying whether the subshare distribution is
correct by using (14). New members should only use
public values that have been found to be consistent
in t or more broadcast messages. If both (13) and (14)
are satisfied for t or more members of u, the users
are guaranteed that their new share in the original
group key r
Q
is valid.
The DKG protocol due to Zhang and Imai [17] was
modified to complement the proposed DKRU protocol
given in Section 3 and to allow for practical key redistribu-
tion/updating. Besides the differences given above, the
initial DKG protocol, DKU protocol, and DGR protocol are
conveniently performed by a single, publicly verifiable,
round optimal protocol. A protocol suite capable of
servicing all aspects of secret sharing is defined here as a
distributed-key management infrastructure (DKMI).
It is noted that the proposed DKMI is independent of the
proposed threshold-multisignature scheme and can be used in
other applications to construct and maintain a threshold
cryptosystem.
VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 569
The proposedDKMI presentedinSection2.2 andSection3
solves a major problem with existing secret redistribution/
update protocols. This problem is identified by Wong et al.
[20]: By definition, a threshold cryptosystemallows t or more
members holding a secret share to reconstruct the group
secret. In a proactively secure threshold cryptosystem, not
more than t À 1 members can be compromised or become
faulty within an update time period T; otherwise, the system
is broken. Referring to the proposed DKRU protocol pre-
sented in Section 3 and the secret redistribution scheme by
Wong et al. [20], the authorized subset u may thus contain, in
the worst-case scenario, t À 1 malicious members out of the
total i groupmembers. The t À 1 malicious members in u can
thus distribute subshares :
i.,
of an incorrect share r
i
to new
members joining the system. Although new members can
detect the discrepancy in the broadcast values, they cannot
identify which members are malicious. It is noted here that
this is not only applicable to the new members in the scheme
proposed by Wong et al., but also existing members cannot
identify the malicious members inu and, therefore, malicious
members cannot be disqualified. Consequently, the redis-
tribution protocol proposed by Wong et al. [20] must be
repeatedeachtime witha different authorizedsubset u
0
, with
ju
0
j ¼ t, until all values are consistent and all the verification
conditions hold. Wonget al. give aworst-caserepetitionof the
protocol bounded by
i
t
_ _
À
iÀtþ1
t
_ _
¼

tÀ1
i¼1
tÀ1
i
_ _
iÀtþ1
tÀi
_ _
,
which makes the scheme impractical.
This paper presents a solution to the above problem with
existing secret redistribution/update protocols as follows:
In the proposed DKMI, the protocol participant 1
,
in the
initial DKG protocol uses (5) to calculate the authentic public
values y
i
corresponding to the secret share r
i
of each 1
i
, for
i 2 Q. In the DKRU protocol, members of the authorized
subset u construct a polynomial with their secret share set to
o
0
i.0
¼ :
0
i.0
¼ r
i
. In order to ensure that (14) holds and to avoid
identification, the malicious members are forced to compute
and broadcast ¹
0
i.0
¼ q
o
0
i.0
with their computed subshare
witnesses y
i.,
. Assume that a subset c of new members are
joining the threshold cryptosystem. 1
i
, i 2 u, broadcast to all
members a message that includes their calculatedpublic keys
y
i
, for all other 1
i
, i 2 u. All existing members forming part of
the new access structure À
ði
0
.t
0
Þ
1
0 can detect and positively
identify a malicious member that distributes subshares :
i.,
of
an incorrect share r
i
, by checking if (13) holds. The only
feasible optionis to require the authorizedsubset u to include
all the existing members that will formpart of the newaccess
structure À
i
0
.t
0
1
0 . By the fundamental definition of a threshold
cryptosystem, this will always ensure at least t members of u
with consistent public values. This requirement places no
limitation on the practicality of the proposed distributed-key
management infrastructure (DKMI)
3
and keeps the scheme
round optimal.
The new members will detect the discrepancies in the
public values broadcast by the members in u. Since the new
members will receive consistent public values from at least
t participants, the participants with inconsistent values can
therefore be considered malicious or faulty and are there-
fore positively identified.
4
Before joining members have
obtained a valid share of the group secret, they do not have
any authority and, therefore, can only implicitly aid in the
disqualification of malicious members by only using the
subshares of the t or more members with consistent public
values to compute their own new share in the group key.
4.7 Efficiency Analysis
The efficiency of threshold-multisignatures may be based on
the followingfive criteria (Section4.7.1 throughSection4.7.5):
4.7.1 Group Public Key Length
The public key length in similar schemes will be briefly
considered. In order to make a feasible comparison, only
schemes that attempt to eliminate conspiracy attacks are
evaluated:
Li et al. [4]: The group public key of [4] not only consists
of y, but also implicitly includes the following public values
fr
i
. :
i,
g. In the Li et al. scheme, protocol participants attach
a secret random number to their group secret shares in an
attempt to avoid a conspiracy attack. Consequently, the
public key includes the public values fr
i
. :
i,
g since these
values are required by the signature verifier to validate a
threshold signature. It can thus be concluded that the public
key is dependent on the number of group members i.
Wang et al. [6]: The scheme proposed in [6] is an
improvement on the scheme presented in [4] since con-
spiracy attacks are prevented without attaching a random
number to secret shares. The group public key is thus
independent of the group size i. The protocol, however,
requires the participants to order themselves into a ring
topology, which can be limiting in some network scenarios.
Lee and Chang [7]: The threshold-multisignature scheme
in [7] also avoids conspiracy attacks without attaching a
random secret to shares. The group public key is dependent
on the number of group members i as the signature verifier
needs the individual public values y
i
of all group members
and two additional parameters c
Q
and c
n
to compute the
subgroup public key, Y , that is required to verifying the
threshold signature. Difficulty will be experienced with this
scheme when trying to eliminate the need for a trusted
authority to distribute the initial group key shares.
A robust authentication mechanism is essential for
securing a distributed system against active adversaries
and central to ensuring the traceability of individual
signers. As shown in Section 4.3, the proposed threshold-
multisignature scheme uses the long-term private keys of
members o1
i
, provided by a public key infrastructure, to
570 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007
3. It is obvious that existing members that do not participate in the
distributed-key redistribution or distributed-key update procedure will be
excluded from the threshold cryptosystem, therefore, old members wanting
to form part of 1
0
are always available to help with distributing subshares
to new members.
4. The proposed scheme does have another mechanism for all network
participants to identify malicious members. Since both the initial DKG
protocol (Section 2.2) and DKRU protocol (Section 3) are both publicly
verifiable, all network participants have exactly the same information as
existing members of the threshold cryptosystem, except for a valid share in
the group secret. A joining member who has observed a periodic DKRU
procedure can calculate the authentic public values of each group member
using (16) and, therefore, identify malicious members during the next
DKRU procedure.
avoid conspiracy attacks even if colluding members derive
or control the group secret r
Q
. As a result of members
including their private keys in their individual signatures, the
public key of the scheme consists of y
Q
and the public key
11
c
of the subgroup c that collaborated to generate the
threshold signature. The public key 11
c
of the subgroup c
is a function of the long-term public keys 11
i
of the group
members 1
i
, for i 2 c. Although the group public key may
be perceived to be dependent on the group size i, the
scheme does not introduce any additional storage require-
ments since the public keys 11
i
, for i 2 c used to calculate
11
c
is publicly known (traceable) and primarily required
for authentication purposes.
4.7.2 Group-Oriented Signature Size
The main contribution to the communication overhead, post
signature generation, is made by the size of the threshold
group signature. The threshold signature size of threshold-
multisignature schemes is bound to be dependent on the
threshold parameter or, more precisely, t þc, where
0 c ði ÀtÞ. This conclusion is naturally drawn from
the traceability property of threshold-multisignature schemes,
as given in Section 1, which specifies that any outsider must
be able to retrieve the identities of the individual signers
from the threshold signature. The threshold signature must
thus be bound to information explicitly linked to each of the
signers that collaborated to generate the threshold signa-
ture. In the case of the proposed scheme, the information is
the identities of the individual signers contained in 1. The
individual identities of the group members can be carefully
chosen to significantly reduce the size of the threshold-
multisignature.
4.7.3 Communication Cost of Signature Generation
and Verification
In terms of communication cost, the individual and thresh-
old signature generation mechanisms of all the existing
threshold-multisignature schemes and the proposed
scheme are almost equivalent. Multiparty signature
schemes constructed from ElGamal type (discrete loga-
rithm-based) signature variants are bound to be interactive.
In round one, each participant generates a commitment i
i
and, in the second round, generates an individual signature
ð:
i
. i
i
Þ on an arbitrary message i. In the third round,
participants send their contribution to a combiner or
designated clerk which constructs the threshold signature.
Assume the authorized subset u of group members
collaborate to sign i. This yields a three round protocol
for existing schemes, which requires ð2jujÞ broadcast
messages and ðjujÞ unicast messages. The proposed thresh-
old-multisignature scheme, is to the best of the authors’
knowledge, the first threshold group-oriented signature
scheme with traceability that allow malicious members to
be positively identified and disqualified from the group.
The proposed scheme also eliminates the need for a
combiner. Assuming u contains at least one malicious or
faulty participant, the proposed protocol will still require
three rounds and only two rounds if all individual
signatures satisfy (9). Therefore, in the three round scenario,
the proposed protocol requires ð3jujÞ broadcast messages
and, in the latter two round scenario only, ð2jujÞ broadcast
messages.
4.7.4 Computational Cost of Signature Generation
and Verification
To make a feasible comparison between the computational
cost of the proposed threshold-multisignature scheme and
similar schemes [4], [6], [7], it is assumed that the system
parameters are chosen to yield the same time complexity for
exponentiations, multiplications, andsummations. Although
summations and, in some cases, multiplications contribute to
an insignificant fraction of the overall time complexity, these
operations are still included for the sake of completeness.
Values that remain constant between different signature
generations (for example, the inner parts of the Lagrange
coefficients) can be precomputed and are therefore not
included in the analysis. The computational cost of the
schemes will be given in terms of the minimum threshold ðtÞ
members (out of the total ðiÞ group members) required to
collaboratively sign an arbitrary message i.
The threshold-multisignature schemes presented in [4],
[6], [7] were chosen for analysis since they all make an
attempt to eliminate a conspiracy attack by t or more
colluding members.
In Table 1 and Table 2, the schemes, with the assistance
of a trusted key distribution center (KDC), are compared.
Note that, although this paper does not present a threshold-
multisignature scheme with a KDC, it can be trivially
extended to incorporate a KDC without making any changes
to the individual/threshold signature generation and
verification procedures. Table 3 and Table 4 compare the
proposed threshold-multisignature scheme, without a KDC,
with the existing schemes.
In the schemes proposed by Wang et al. [6] and Li et al. [8],
the public values of the individual signers are captured
withintheLagrangeinterpolationpolynomial /ðyÞ as givenin
(19). The coefficients ð/
0
. /
1
. . . . . /
tÀ1
Þ of /ðyÞ are appended to
thethresholdsignature bythe combiner/clerk, whichenables
the threshold signature verifier to evaluate /ðyÞ in order to
identify the individual signers. In Section 4.2, it was shown
that appending the set of identities 1 to the threshold
signature is a better solution, saving the threshold signature
verifier the computational effort of evaluating /ðyÞ. Another
factor to consider is the computational cost of computing the
coefficients ð/
0
. /
1
. . . . . /
tÀ1
Þ. It can be shown that the total
computational cost of computing ð/
0
. /
1
. . . . . /
tÀ1
Þ fromt data
pairs is given as:
Multiplications : t

tÀ2
i¼1
t À 1
i þ 1
_ _
i
_ _
þ ðt À 2Þ þt þ 2
_ _
.
Summations : t

tÀ2
i¼1
t À 1
i þ 1
_ _
À 1
_ _
þ ðt À 1Þ þt
_ _
.
Inversions : t.
It should be clear that using an interpolation polynomial
/ðyÞ to identify the individual signers is impractical for
large values of threshold t.
The computational overhead that causes the most
concern is the number of exponentiations in the individual
signature verification equation ((9)) and threshold signature
VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 571
verification equation ((12)), which are anticipated to
contribute the bulk of the verification time complexity.
The justification for looking critically at the verification
processes is substantiated by the notion that a signature is
normally generated only once, but verified many times. The
optimum number of exponentiations for an ElGamal type
signature variant is 2 [9]. It can thus be concluded that the
proposed threshold-multisignature scheme is superior to
existing schemes since it requires only two exponentiations
for threshold signature verification, while guaranteeing
break-resistance. For individual signature verification, three
exponentiations are required, one more than the optimal
two exponentiations. The additional exponentiation is as a
consequence of satisfying the stronger break-resistance
property. The proposed scheme also provides improved
efficiency for all other operations, with or without the
assistance of a trusted authority, which includes, individual
signature generation (Table 1 and Table 3) and threshold
signature generation (Table 2 and Table 4).
4.7.5 Efficiency of Initial Key Distribution and
Key Redistribution/Update Protocols
The proposedthresholdcryptosystemis constructedwiththe
round optimal DKG protocol presented in Section 2.2, which
572 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007
TABLE 1
Computational Cost Comparison of Individual Signature Generation and Verification
(with the Assistance of a Trusted Share Distribution Center)
Ã
Proposed threshold-multisignature scheme (PTMS), see Section 2.
y
Note that computations of the individual signatures are performed modulo i.
TABLE 2
Computational Cost Comparison of Threshold Signature Generation and Verification
(with the Assistance of a Trusted Share Distribution Center)
Ã
Proposed threshold-multisignature scheme (PTMS), see Section 2.
y
i ¼ tð

tÀ2
i¼1
½
tÀ1
iþ1
_ _
iŠ þ ðt À 2Þ þt þ 2Þ.
z
: ¼ tð

tÀ2
i¼1
½
tÀ1
iþ1
_ _
À 1Š þ ðt À 1Þ þ tÞ.
effectively eliminates the need for a mutually trusted key
distribution center (KDC). Existing threshold-multisignature
schemes that do not need the assistance of a trusted authority
[4], [6], [8], do not use secure and efficient one round DKG
protocols to initialize the threshold cryptosystem. These
schemes also do not consider proactive security because they
do not allowfor the periodic updating of secret shares nor do
they permit dynamic group membership since they cannot
redistribute the secret shares to a newaccess structure. Based
on the above, the existing systems are rigid concerning the
threshold security parameters ði. tÞ, which sets the security/
availability trade-off. Accordingly, such systems cannot
respond to changes in the networking environment. For
these reasons, the efficiency of the proposed threshold-
multisignature scheme’s system setup and maintenance
procedures cannot be compared to the existing schemes.
It is the view of the authors that the security of the
underlying DKMI influences the security of the signature
scheme to such an extent that the threshold group-oriented
signature scheme cannot be considered separately from the
DKMI.
The worst-case computational cost of the initial DKG
protocol and DKRU protocol are briefly considered.
Efficiencyanalysis onthe initial DKGprotocol (Section2.2)
and DKRU protocol (Section 3) shows that these protocols
require OðitÞ and Oði
0
t
0
Þ exponentiations, respectively.
Multiplications yield a similar growth rate to the exponentia-
tions. Each protocol participant is required to generate
random numbers OðtÞ for initial DKG and Oðt
0
Þ for DKRU.
The threshold cryptosystem accommodates a total of
i
2
shares. Each participant broadcasts OðtÞ þOðiÞ mes-
sages for initial DKG and Oðt
0
Þ þOði
0
Þ for DKRU. The
network as a whole has a communication cost of OðitÞ þ
Oði
2
Þ and Oði
0
t
0
Þ þOði
02
Þ for initial DKG and DKRU,
respectively.
VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 573
TABLE 3
Computational Cost Comparison of Individual Signature Generation and Verification
(without the Assistance of a Trusted Share Distribution Center)
Ã
Proposed threshold-multisignature scheme (PTMS), see Section 2.
TABLE 4
Computational Cost Comparison of Threshold Signature Generation and Verification
(without the Assistance of a Trusted Share Distribution Center)
Ã
Proposed threshold-multisignature scheme (PTMS), see Section 2.
y
i ¼ tð

tÀ2
i¼1
½
tÀ1
iþ1
_ _
iŠ þ ðt À 2Þ þt þ 2Þ.
z
: ¼ tð

tÀ2
i¼1
½
tÀ1
iþ1
_ _
À 1Š þ ðt À 1Þ þ tÞ.
5 CONCLUSION
Investigations within the fields of threshold group-oriented
signature schemes, threshold group signature schemes,
multisignature schemes, and threshold-multisignature
schemes resulted in explicitly defining the properties of
threshold-multisignature schemes. The main aim of this
paper is to introduce such a secure threshold-multi-
signature scheme. To reach this objective, the secure and
optimally efficient ElGamal type signature variant,
G1o ¼ ð`.1GII.3.oð1Þ. i. :. /ði. iÞ. 1Þ, was extended to a
multiparty setting to yield a threshold-multisignature
scheme, which from the authors’ point of view is the
first to provide a guaranteed traceability property. The
proposed threshold-multisignature scheme was shown to
satisfy all of the specified security requirements and to
fulfill the stronger break-resistant property. The threshold-
multisignature signature scheme thus remains secure,
even if the threshold cryptosystem has been broken, i.e.,
the group secret or individual secret shares are known or
controlled by an adversary. It was shown that the
proposed threshold-multisignature scheme eliminates the
latest attacks on similar threshold signature schemes with
traceability. The efficiency analysis showed that the
proposed threshold-multisignature scheme outperforms
other existing schemes and is optimal in terms of
exponentiations with respect to threshold signature
verification and near optimal for individual signature
verification, while providing break resistance.
The paper also addressed the issue of initial distributed-
key generation (DKG) to construct a threshold cryptosys-
tem without the assistance of a trusted authority. To realize
initial DKG, improvements were made to the round
optimal DKG scheme of Zhang and Imai. The paper
proposes a novel publicly verifiable, round optimal (one
round) distributed-key redistribution/updating (DKRU)
protocol that eliminates a major problem with existing
schemes; malicious or faulty protocol participants from the
original access structure are positively identifiable by the
existing honest members as well as the new members
joining the threshold cryptosystem, which avoids repeating
the secret redistribution protocol until all the verification
conditions holds.
The paper proposes the first integrated (single protocol)
solution for DKG, distributed-key updating (DKU), and
distributed-key redistribution (DKR). Although the initial
DKG protocol and DKRU protocol are presented separately
for clarity, it was shown that the two protocols are
essentially equivalent. The same initial DKG protocol can
thus be used to realize DKR and DKU by merely keeping
the access structure constant. The paper defines the notion
of a distributed-key management infrastructure (DKMI) as a
protocol suite that considers all aspects of secret distribu-
tion (DKG), secret updating (DKU), and secret redistribu-
tion (DKR). Considering the minor differences between the
initial DKG protocol and DKRU protocol, the proposed
DKMI requires considerably less implementation effort
than implementing three unrelated protocols to realize
distributed-key management.
Use of the DKRU mechanism makes the proposed fully
distributed threshold-multisignature scheme proactively
secure, allows for dynamic group membership, and gives
the group members the capability of adjusting the avail-
ability/security trade-off by redistributing the existing
access structure À
ði.tÞ
1
to a new access structure À
ði
0
.t
0
Þ
1
0 .
ACKNOWLEDGMENTS
This work was supported by ARMSCOR, the Armaments
Corporation of South Africa. The authors thank the
reviewers and editors for their time, effort, and positive
input.
REFERENCES
[1] Y. Desmedt, “Society and Group Oriented Cryptography: A New
Concept,” Proc. Advances in Cryptology—CRYPTO ’87, 1987.
[2] Y. Desmedt, “Threshold Cryptography,” European Trans. Tele-
comm., vol. 5, no. 4, pp. 449-457, 1994.
[3] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Secure
Distributed Key Generation for Discrete-Log Based Cryptosys-
tems,” Proc. Advances in Cryptology—EUROCRYPT ’99, May 1999.
[4] C.-M. Li, T. Hwang, and N.-Y. Lee, “Threshold-Multisignature
Schemes where Suspected Forgery Implies Traceability of
Adversarial Shareholders,” Proc. Advances in Cryptology—EURO-
CRYPT ’94, May 1994.
[5] A. Boldyreva, “Threshold Signatures, Multisignatures and Blind
Signatures Based on the Gap-Diffie-Hellman-Group Signature
Scheme,” Proc. Public Key Cryptography—PKC ’03, 2003.
[6] C.-T. Wang, C.-H. Lin, and C.-C. Chang, “Threshold Signature
Schemes with Traceable Signers in Group Communications,”
Computer Comm., vol. 21, no. 8, pp. 771-776, 1998.
[7] W.-B. Lee and C.-C. Chang, “(t, n) Threshold Digital Signature
with Traceability Property,” J. Information Science and Eng., vol. 15,
no. 5, pp. 669-678, 1999.
[8] Z.-C. Li, J.-M. Zhang, J. Luo, W. Song, and Y.-Q. Dai, “Group-
Oriented (t, n) Threshold Digital Signature Schemes with Trace-
able Signers,” Proc. Second Int’l Symp. Topics in Electronic Commerce
(ISEC ’01), Apr. 2001.
[9] P. Horster, M. Michels, and H. Petersen, “Generalized ElGamal
Signatures for One Message Block,” Proc. Second Int’l Workshop IT-
Security, Sept. 1994.
[10] L. Harn and Y. Xu, “Design of Generalised ElGamal Type Digital
Signature Schemes Based on Discrete Logarithms,” Electronics
Letters, vol. 30, no. 24, pp. 2025-2026, 1994.
[11] G. Wang, “On the Security of the Li-Hwang-Lee-Tsai Threshold
Group Signature Scheme,” Proc. Fifth Int’l Conf. Information
Security and Cryptography (ICISC ’02), Nov. 2002.
[12] H. Pedersen, “How to Convert Any Digital Signature Scheme into
a Group Signature Scheme,” Proc. Fifth Int’l Workshop Security
Protocols, Apr. 1997.
[13] L. Zhou and Z.J. Haas, “Securing Ad Hoc Networks,” IEEE
Network, special issue on network security, vol. 13, no. 6, pp. 24-30,
1999.
[14] T.P. Pedersen, “A Threshold Cryptosystem without a Trusted
Party,” Proc. Advances in Cryptology—EUROCRYPT ’91, 1991.
[15] M. Stadler, “Publicly Verifiable Secret Sharing,” Proc. Advances in
Cryptology—EUROCRYPT ’96, 1996.
[16] P.-A. Fouque and J. Stern, “One Round Threshold Discrete-Log
Key Generation without Private Channels,” Proc. Public Key
Cryptography—PKC ’01, Feb. 2001.
[17] R. Zhang and H. Imai, “Round Optimal Distributed Key
Generation of Threshold Cryptosystem Based on Discrete Loga-
rithm Problem,” Proc. Applied Cryptography and Network Security
(ACNS ’03), Oct. 2003.
[18] A. Herzberg, S. Jaracki, H. Krawczyk, and M. Yung, “Proactive
Secret Sharing or: How to Cope with Perpetual Leakage,” Proc.
Advances in Cryptology—CRYPTO ’95, 1995.
[19] Y. Desmedt and S. Jajodia, “Redistributing Secret Shares to New
Access Structures and Its Applications,” Technical Report ISSE-
TR-97-01, Dept. of Information and Software Eng., School of
Information Technology and Eng., George Mason Univ., July 1997.
[20] T.M. Wong, C. Wang, and J.M. Wing, “Verifiable Secret Redis-
tribution for Archive System,” Proc. First Int’l IEEE Security in
Storage Workshop, Dec. 2002.
574 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007
[21] A. Shamir, “How to Share a Secret,” Comm. ACM, vol. 22, no. 11,
pp. 612-613, 1979.
[22] J. Camenisch and I. Damga˚rd, “Verifiable Encryption, Group
Encryption, and Their Applications to Separable Group Signa-
tures and Signature Sharing Schemes,” Proc. Advances in Crypto-
logy—ASIACRYPT ’00, 2000.
[23] Y.-M. Tseng and J.-K. Jan, “Attacks on Threshold Signature
Schemes with Traceable Signers,” Information Processing Letters,
vol. 71, no. 1, pp. 1-4, 1999.
[24] T.-S. Wu and C.-L. Hsu, “Cryptanalysis of Group-Oriented (t, n)
Threshold Digital Signature Schemes with Traceable Signers,”
Computer Standards and Interfaces, vol. 26, no. 5, pp. 477-481, 2004.
[25] G. Wang, X. Han, and B. Zhu, “On the Security of Two Threshold
Signature Schemes with Traceable Signers,” Proc. First Int’l Conf.
Applied Cryptography and Network Security (ACNS ’03), Oct. 2003.
[26] C.P. Schnorr and M. Jakobsson, “Security of Discrete Log
Cryptosystems in the Random Oracle and Generic Model,” Proc.
Math. of Public-Key Cryptography, June 1999.
[27] R. Canetti, R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin,
“Adaptive Security for Threshold Cryptosystems,” Proc. Advances
in Cryptology—CRYPTO ’99, Aug. 1999.
[28] M. Michels and P. Horster, “On the Risk of Disruption in Several
Multiparty Signature Schemes,” Proc. Advances in Cryptology—
ASIACRYPT ’96, Nov. 1996.
Johann van der Merwe received the BSc
degree in electronic engineering from the Uni-
versity of Natal in 2003 and the MSc degree from
the University of KwaZulu-Natal in 2005. He is
currently pursuing the PhD degree in distributed
communication systems. His research interests
include security issues in ad hoc networks, with
particular focus on key management, threshold
group-oriented cryptography, and digital signa-
ture schemes.
Dawoud S. Dawoud received the BSc (1965)
and MSc (1969) degrees in electronic engineer-
ing from Cairo University and the PhD (1973)
degree in computer engineering from Russia. He
has been a full professor since 1984. He has
taught courses in computer engineering, digital
signal processing, and digital telecommunica-
tions in numerous universities, including Cairo
University, University of Lagos, and University of
Botswana. He has supervised many PhD and
MSc theses and published more than 90 papers and books. He holds
two patents in computer architecture. He is currently a professor of
computer engineering and signal processing at the University of
KwaZulu-Natal, South Africa. He is a member of the IEEE.
Stephen McDonald received the BSc (1987)
and MSc (1989) degrees in electronic engineer-
ing from the University of Natal, South Africa.
After working in the communications industry for
five years, he rejoined the University as a senior
lecturer in 1997. His current research interests
include ad hoc networks and various aspects of
image processing. He is a member of the IEEE.
> For more information on this or any other computing topic,
please visit our Digital Library at www.computer.org/publications/dlib.
VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 575

forming subgroup P. of group members.

This implies that the group-oriented signature is publicly verifiable. This property thus incorporates unforgeability. can be verified by any outsider V (with respect to the group). Traceability: Any outsider V can learn the identities of the individual signers belonging to P. Threshold property: Only a threshold of t or more authorized group members are able to collaboratively generate a valid threshold-multisignature. .

10. i. The authors are with the School of Electrical. In the literature.za. 4041. Coalition-resistance subsumes framing-resistance. The majority of the I . from the thresholdmultisignature on m without interaction with any of the group members and/or a group manager. no subset of group members can sign on behalf of any other subset of group members. University of KwaZulu-Natal. [7]. The main advantage of a distributed cryptosystem is that the secret is never computed. Traceability implies accountability. This implies that the signers are publicly traceable with public information. 2006. a threshold ðtÞ or more shareholders are required to cooperatively generate a digital signature. and reference IEEECS Log Number TPDS-0307-1204. For information on obtaining reprints of this article. 2006. Room 4-05. reconstructed. published online 9 Jan. Threshold-multisignature schemes [4] combine the properties of threshold group-oriented signature schemes [2] and multisignature schemes [5]. The system secret is divided up into shares and securely stored by the entities forming the distributed cryptosystem. dawoudd.00 ß 2007 IEEE . Singhal. please send e-mail to: tpds@computer. Recommended for acceptance by M.e.1109/TPDS.1005. thresholdmultisignature schemes are also referred to as threshold signature schemes with traceability [6]. making the secret more difficult to compromise [3]. Manuscript received 16 Dec. Published by the IEEE Computer Society N distributed systems it is sometimes necessary for users to share the power to use a cryptosystem [1].org. This may also be seen as a distribution of trust since the shareholders must collaborate and contribute equally to produce a valid multiparty signature. mcdonalds}@ukzn. accepted 18 Apr. Electronic. or stored in a single location. 2007. In many applications. revised 5 Apr. Glenwood. Digital Object Identifier no. [8]. the individual signers participating in the threshold-multisignature scheme can be held accountable for their contribution to the grouporiented signature. 1045-9219/07/$25. and Computer Engineering.ac.2007. E-mail: {vdmerwe. South Africa. Durban. in contrast to the conventional single signer.. [2]. 2004. King George V Avenue. Coalition-resistance: No colluding subset of group members can generate a valid threshold-multisignature not satisfying the traceability property. The combined properties guarantee the signature verifier that at least t members participated in the generation of the group-oriented signature and that the identities of the signers can be easily established.

the threshold-multisignature signature scheme should not be breakable. In contrast. thus. allowing for DKR to a ðn0 . for discrete logarithm-based threshold cryptosystems. based on a round optimal. the key sharing is performed by a distributed collaborative protocol. ðn. publicly verifiable DKG protocol. The secret shares therefore have to be periodically updated using a distributed-key updating (DKU) protocol. In threshold cryptosystems.tÞ The access structure ÀP of the initial share distribution will not necessarily remain constant [19]. The proposed scheme can be easily adapted to incorporate a TTP. it is impractical to assume that an adversary cannot compromise more than t shareholders during the entire lifetime of the distributed secret [18]. inapplicable. the individual signers remain anonymous since it is computationally hard to derive the identities from the group signature. [16]. Assuming the same shareholders to be present at all times is unrealistic and the availability/security trade-off (set by the total number of group members ðnÞ and threshold ðtÞ) may need to be changed as a function of system vulnerability. the traceability property of threshold-multisignature schemes allows the individual signers to be held accountable in the public domain and renders the unlinkability property of threshold group signature schemes. The proposed discrete logarithm-based threshold-multisignature scheme is made proactively secure by periodically updating secret shares and facilitating changes in group membership by allowing an authorized subset . the distributed-key is generated in a distributed fashion as a function of the random input of all protocol participants while preserving the symmetric relationship between them. was introduced in [14] and a number of promising proposals for DKG have been published since [15]. The DKU scheme allows for only an impractical period T in which an active/mobile adversary has time to compromise a sufficient percentage of the group secret shares [18]. as defined in [11].VAN DER MERWE ET AL. and current functionality of the cryptosystem. An important component of any threshold digital signature scheme is the sharing of the group key [2]. by the above-defined traceability property of threshold-multisignature schemes. [20]. Threshold-multisignature schemes can be differentiated from threshold group signatures [12] by the fact that by definition. The shares0 must then be redistributed to a ðn0 . The main objective of this paper is to propose a new threshold-multisignature scheme without a trusted third party (TTP). ad hoc networks [13]) may require a distributed-key generation (DKG) protocol that effectively eliminates the TTP. In these schemes. the individual signers are publicly traceable and do not enjoy anonymity. A threshold-multisignature scheme that is suitable for distributed systems (for example. The first DKG protocol. If the group key sharing does not involve a trusted third party (TTP). [17]. although the underlying threshold cryptosystem has been broken. Consequently.t Þ new access structure ÀP 0 using a distributed-key redistribution (DKR) protocol [19]. [3]. in the latter. The proposed discrete logarithm-based threshold-multisignature scheme is also proactively secure. with the exception of the group managers. a version of the proposed scheme with the assistance of a TTP will therefore not be presented.t0 Þ and periodic DKU to mitigate new access structure ÀP 0 attacks from an active/mobile adversary.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 563 Break-resistance: An adversary in possession or control of the group secret key and/or the individual secret shares of any number of group members cannot generate a valid threshold-multisignature and/or partial/individual signatures. networking environment.

The round optimal DKG protocol is developed from the scheme of Zhang and Imai [17]. initial secret sharing to an access structure Àn. T threshold cryptosystem secret update period.6): 2. Section 3 introduces a new distributed-key redistribution/updating (DKRU) scheme. Some conclusions are provided in Section 5. 2 PROPOSED THRESHOLD-MULTISIGNATURE SCHEME In this section.0 ¼ si. . . Pi chooses a random number di 2 ½1. tÞ threshold parameter t and total number of group members n.j mod p. . . a publicly verifiable distributed-key generation (DKG) protocol is presented. The scheme consists of the following six parts (Section 2. for i ¼ 1 : n.1 through Section 2. The certificate of Pi binds the public key P Ki ¼ gSKi to user Pi ’s identity IDi . The paper is organized as follows: In Section 2.2 b. for j ¼ 1 : n. Sets ai.0 ¼ di and chooses at random ai. Ai. j 6¼ i. q two large primes such that q j ðp À 1Þ. without a trusted P dealer or KDC. n. the new threshold-multisignature scheme is proposed. such that the numbers ai. is proposed. ai. The security and features of the proposed threshold-multisignature scheme are discussed in Section 4. . p HðÁÞ collision-free one-way hash function. t À 1. for i ¼ 1 : n. and . Pi then shares the random value di with all of the other protocol participants. of existing group members ðn0 .j ¼ fi ðIDj Þ mod q. . For j ¼ 1. without assistance from a trusted key distribution center (KDC). The certificates are distributed to (or can be traced by) all communication entities Pj . Z For j ¼ 0. q À 1Š. .t .1 System Parameter Setup The group members Pi . The purpose of the protocol is to realize secure.j ¼ gai. . .j mod p and an encryption 2. . . Initial Publicly Verifiable Distributed-Key Generation In this section.k 2 ½1. are assumed to have a long-term public/private key pair P Ki =SKi and an authentic certificate. . using Shamir’s secret sharing scheme [21] as follows: a. . . q À 1Š. For 1 i n.0 . g generator of the cyclic subgroup of order q in ðZÞà . Protocol participants Pi . Pi computes si. agree on and publish the following system parameters: p. ðn. The protocol executes in four steps: 1. yi. for 1 k t À 1. a novel threshold-multisignature scheme. Pi computes. verifiable with the public key of a common trusted third party. .k Xk over Z q . .j ¼ gsi.t0 Þ to redistribute secret shares to a new access structure ÀP 0 .tÀ1 define a polynomial PtÀ1 fi ðXÞ ¼ k¼0 ai. .

6 and Section 5.j Li Þ mod q.564 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. sPi Þ is a valid signature on the public values ð½yi.j and si.j under the public key P Kj .n . VOL. . hðm. The secret can be constructed if t or more honest players. sPj Þ to all protocol participants. This serves as a proof of integrity and binds participant Pi to these public values. The differences and the significance of the similarity are discussed in Section 4. b.j ði 2 QÞ.j : Participants are disqualified if they do not follow the protocol correctly.1 . . This implies that anybody can verify that yi. developed from the generalized ElGamal scheme presented in [9]. ðmod pÞ ¼ yi. EP Kn ðsi. Pi broadcasts the message and the signature to all protocol participants. tÀ1 Y k¼0 GES.j ).j Þ with its corresponding private key SKj to recover si. Taking the Lagrange polynomial of the original random values dj .1 ފ k Á Á Á k ½yi. Ai. The protocol aborts if Q contains less than t members. EP Kn ðsi. The remaining set of participants form the set Q.j Þ of each secret shadow.i mod p: ð5Þ j2Q Each Pj .j ¼ gsi. [22]. 4. i 2 Q as: P Y L ðs L Þ j yi ¼ gxi ¼ g j2Q j.j (note that only Pj can decrypt EP Kj ðsi. rÞ. APRIL 2007 2. from the set Q. ð2Þ xj ¼ i2Q where the Lagrangian coefficient is given as: IDk Li ¼ mod q: IDk À IDi k2Q.j satisfy the following relationship: yi.j mod p and that protocol participant Pj can correctly retrieve the subshare si. .j Þ is the correct encryption of si. . Pj uses the correct shares received from i 2 Q to compute the following: X ðsi. ðrPi . Pj broadcasts ðyj .k ÞðIDj Þ ¼ g k¼0 ðai.1 ފ k Á Á Á k ½yi. . Protocol participants P1 . n) and received subshares si. which highlights the importance of erasing these values securely.ðtÀ1Þ Þ received from Pi .ðtÀ1Þ Þ using the ElGamal type signature variant: GES ¼ ðM:EGII:3:ð1Þ. also yields the group secret xQ . . j 2 Q completely erases all traces of its initial randomly chosen value dj and all generated subshares sj.0 k Á Á Á kAi. In Section 3. The signature is generated with Pi ’s long-term private key SKi .n ފ k Ai.k ÞðIDj Þ k¼0 fi ðIDj Þ ð1Þ ¼g 3. r. . Pj also verifies the authenticity of the received public keys after calculating the public key yi of all Pi . a publicly verifiable distributed-key redistribution/update (DKRU) protocol is proposed that is compatible with the initial DKG protocol given above.1 .i ¼ fj ðIDi Þ mod q ði ¼ 1. EP K1 ðsi. EP K1 ðsi.0 k Á Á Á k Ai.k6¼i Y ð3Þ 2. The encryption EP Kj ðsi. c. rPj .j Þ of the secret shadow for protocol participant Pj is performed using an appropriate publicly verifiable encryption scheme [15]. collect: ! Y X IDk mod q: ð6Þ xj xQ ¼ IDk À IDj j2Q k2Q. Pi keeps the share when j ¼ i. Pi then binds itself to the public values by generating the digital signature ðrPi sPi Þ on message ð½yi. for j 2 Q. Pn each verify the following: a.n . Pj binds itself to the public key yj by generating a signature ðrPj .n Þ Š k Ai.k6¼j 4. .k ðIDj Þk ¼ tÀ1 PtÀ1 Y k k ðgai.i j ¼ yj. s. 1Þ. 18. EP Kj ðsi.3 Individual Signature Generation Any subset . NO. sPj Þ on yj using its long-term private key SKj . EP Kj ðsi. Pj knows that the subshare distribution from member Pi is correct if (1) holds.

i 2 . of t or more members can represent the group and sign an arbitrary message m. Each member Pi .

selects a random integer ki 2 ½1. s0Pi Þ on ½ri . q À 1Š and computes ri ¼ gki mod p. This implies that each member commits to its public value ri and provides a proof of knowledge of its corresponding discrete logarithm. After all committed ri s are available and members with invalid ri s are excluded from the set . s0Pi Þ to all protocol participants. Each member verifiably encrypts ki with its own long-term public key P Ki using a verifiable encryption scheme [15]. Pi broadcasts ðri . Using the ElGamal type signature variant GES. [22] to generate EP Ki ðki Þ. r0Pi . ki . Pi generates a signature ðr0Pi . EP Ki ðki Þ. EP Ki ðki ފ using its long-term private key SKi ..

. the value R is calculated as follows: Y ri mod p: ð7Þ R¼ i2.

The group public key can be computed (verified) by any group member or outsider as: P Y L f ð0ÞL i Ai. for j 2 .0 ¼ g i2Q i i ¼ gxQ mod p: ð4Þ yQ ¼ i2Q Each Pi uses public values IDj authentically bound to P Kj . The secret key xj is Pj ’s new share in the distributed group secret key xQ .

Bފ½ðxi Þ Á L. R. Pi uses its (secret share)/(private key) set ðxi . to form the set B.. SKi Þ and random number ki to compute its individual signature si on message m as follows: si ¼ ½Hðm.

ð8Þ where the Lagrange interpolating coefficient L.i þ SKi Š þ ki mod q.

i is given by: L.

i ¼ IDk mod q: IDk À IDi k2.

Using the ElGamal type signature variant .. j 2 Q calculates its public key as yj ¼ gxj mod p.k6¼i Y Each Pj .

VAN DER MERWE ET AL. L. ri .: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 565 The set ðsi .

i . 2. ri . which is broadcast to all other group members.4 Individual Signature Verification On receiving all of the signatures ðsi . BÞ is the individual signature of Pi on message m. L.

j 2 . BÞ. Pj .i .

. P Ki Þ to authenticate the individual signature of Pi by verifying if L. performs the functionality of a clerk and uses the public key set ðyi .

i is correct and whether the following equation holds for i 2 .

. i 6¼ j:  ½Hðm.R.Bފ L ri mod p: ð9Þ gsi ¼ yi .

the individual signature of Pi on message m is invalid. Participants are disqualified if their individual signatures are found to be invalid.i P Ki If (9) fails to hold. The remaining honest participants form the set and repeat the individual signature generation part from (7). with .

SÞ on message m can be computed as: X si mod q: ð10Þ S¼ i2 authorized subset . The protocol aborts if contains less than t members. has received and verified t or more individual signatures. the second signature parameter S of the threshold-multisignature ðR. j 2 . ¼ . 2.5 Threshold-Multisignature Generation After Pj .

The publicly verifiable property by definition means that any outsider can obtain all of the required information from the broadcast channel to validate the operation of both the initial DKG and DKRU protocols. For the sake of P P proactive security. i 2 .2.t is P performed using the publicly verifiable distributed-key generation (DKG) scheme given in Section 2. Note that the proposed DKRU protocol is compatible with the initial DKG protocol. The initial secret distribution to the access structure Àn.6 and Section 5.t . Àn 0. The system parameter setup P given in Section 2. the threshold cryptosystem shares should be periodically updated within a limited time period T . Pi .t ¼ Àn.t . The protocol executes in four steps: 1. 2 Àn.1 is applicable. The proposed DKRU protocol can be used as a publicly verifiable distributed-key updating (DKU) protocol by simply keeping the 0 0 access structure constant. Assume that a subset of new members join or existing members leave the threshold cryptosystem. The minor differences and the significance of the similarity are discussed in Section 4.

share their0 secret share xi of group secret 0 key xQ with Pj 2 Àn 0. using Shamir’s secret sharing P scheme [21]: For i 2 .t .

. . . . EP Kn0 ðs0i.: Pi sets a0i. . Z 0 b.n0 ފ k A0i. n0 .n0 . .0 ¼ xi and chooses at random a0i.t0 À1 define a polynomial Pt0 À1 fi0 ðXÞ ¼ k¼0 a0i. q À 1Š.0 ¼ s0i. For j ¼ 0.1 .j mod p. For j ¼ 1.1 ފk Á Á Á k ½y0i.j ¼ fi0 ðIDj Þ 0 mod q.j mod p and an encryption EP Kj ðs0i. a0i. .0 .j Þ of each secret shadow. Pi computes s0i. . EP K1 ðs0i.j ¼ gsi.j ¼ gai. . .0 k Á Á Á k A0i. s0Pi Þ on message ð½y0i. Pi then binds itself to the public values by generating a digital signature ðr0Pi . for 1 k t0 À 1. . y0i. Pi computes A0i. . t0 À1.ðt0 À1Þ k y.k Xk over Z Q . such that the numbers a0i.k 2 ½1.

Þ using the ElGamal type signature variant: GES ¼ ðM:EGII:3:ð1Þ. The signature is generated with Pi ’s long-term private key SKi . Note that Pj . hðm. developed from the generalized ElGamal scheme presented in [9]. r. rÞ. Pi broadcasts the message and signature to all protocol participants. 1Þ. j 2 . s.

knows the authentic public values yi of Pi 2 Àn. from a previous DKG or DKRU operaP tion (see (5) and (16)). The set y..t .

is formed by yi . i 2 .

. ðr0Pi . EP K1 ðs0i.n0 .1 . The encryption EP Kj ðs0i. a. Pn0 each verify the following: a.ðt0 À1Þ k y. .n0 ފ k A0i. s0Pi Þ is a valid signature on the public values ð½y0i.1 Š k Á Á Á k ½y0i. . Protocol participants P1 . Pi keeps the share when j ¼ i. . [22].0 k Á Á Á k A0i. and only included in the broadcast message if new members join the group.j Þ of the secret shadow for protocol participant Pj is performed using an appropriate publicly verifiable encryption scheme [15].. EP Kn0 ðs0i.

for i 2 . using the shares of the P . BÞ on message m is valid and the subgroup B of individual signers is positively identified. The proposed publicly verifiable distributed-key redistribution/update (DKRU) protocol is as follows: A distributed group secret xQ is redistributed from Àn.1 for proof of correctness. BÞ on message m. (See Section 4. the threshold-multisignature ðR. S. Threshold-Multisignature Verification and Individual Signer Identification Any outsider can use the group public key yQ and public keys P Ki bounded to the identities IDi . SÞ and provides an explicit link between the threshold signature and the subset of individual signers who collaborated to generate the threshold signature ðR.Bފ R mod p: ð12Þ If (12) holds. The signature verifier calculates the subgroup public key P K as follows: P Y P Ki mod p: ð11Þ P K ¼ g i2 SKi ¼ i2 2.t .R. Þ: The set of identities B is appended to ðR. to verify the validity of the threshold-multisignature ðR. S.) 3 PROPOSED PUBLICLY VERIFIABLE DISTRIBUTED-KEY REDISTRIBUTION/UPDATE PROTOCOL 2.6 The signature verifier now has all the information to check if the following congruency holds: gS  ðyQ P K Þ½Hðm. S.t to P 0 0 a new access structure Àn 0. BÞ on an arbitrary message m.

A0i.566 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. NO.0 ¼ yi 8 i 2 . 18. 4. VOL. APRIL 2007 b.

then they must only use yi s found to be consistant in the broadcast messages received from t or more members of subset .: ð13Þ If Pj . j 2 are new members joining the group.

. If the conditions do not hold for more than t members from the authorized subset .

The remaining set of participants forms the set Q0 . abort the protocol. as follows: P Y 0L0 f 0 ð0ÞL0 yQ0 ¼ Ai. using the available public information.. otherwise. Participants are disqualified if they do not follow the protocol correctly.k 0ðIDj Þ k ¼ t0 À1 Y k¼0 ðgai. evaluate the following equation: t0 À1 Y k¼0 Any network participant can calculate (verify) the group public key when needed.j : ð14Þ Pj knows that the subshare distribution received from Pi is correct if (14) holds.k ÞðIDj Þ 0 k Pt0 À1 0 k ¼ g k¼0 ðai. The protocol aborts if Q0 contains less than t members of the authorized subset .0i ¼ g i2Q0 i i ¼ gxQ0 mod p: ð18Þ i2Q0 4 DISCUSSION ON THE SECURITY AND FEATURES OF THE PROPOSED THRESHOLD-MULTISIGNATURE SCHEME Ai.k ÞðIDj Þ ¼ gfi ðIDj Þ ðmod pÞ ¼ y0i.

binding itself to the public value.R. X X ðsi Þ ¼ ½Hðm.t . In the context of the statement. all of its public and private information is exposed to the adversary. it is enough to show that the scheme fulfills all of the fundamental properties of generic threshold-multisignature schemes given in Section 1 and resists attacks to which other similar schemes are subject.Bފ i2 ðSKi Þ g i2 ðki Þ mod p hY i½Hðm. where the Lagrangian coefficient is given as: L0i ¼ Y k2Q0 . from the set Q0 . References [9]. Pj uses the correct shares received from i 2 Q0 to P compute the following: x0j ¼ i2Q0 s0i. Using the ElGamal type signature variant GES and its long-term private key SKj . IDk mod q: IDk À IDi ð15Þ The secret key x0j is Pj ’s new share in the distributed group secret key xQ0 . collect: ! Y X IDk 0 xj xQ0 ¼ mod q: ð17Þ IDk À IDj j2Q0 k2Q0 k6¼j 4.Bފ Y ¼ g½Hðm. . Pj also calculates the public key of all Pi ..Bފ½ i2 ½ðxi ÞÁL i ŠŠ g½Hðm. R. R. modify the content of messages. . [10] help in selecting such a variant. P 4. Each Pj .j (i 2 Q0 ). hðm. j 2 Q0 calculates its 0 public key as y0j ¼ gxj mod p. j 2 Q0 completely erases all traces of its old share xj and all generated subshares s0j.j L0i . Bފ ðSKi Þ þ ðki Þ mod q. r0Pj . Any active adversary can eavesdrop on all of the communication between group members. Bފ½ðxi Þ Á L i þ SKi Š þ ki mod q ði 2 Þ. BÞ on an arbitrary message m. i2 i2 P P P gS ¼ g½Hðm. si ¼ ½Hðm. 1Þ [9]. i 2 Q0 . n0 Þ and received subshares 0 si. s0Pj Þ to all network participants. 0 Group members Pj . The main reason for using the defined GES is to minimize the computational cost of generating and verifying the individual signatures and group-oriented signature in a multiparty setting without compromising security.yQ0 ¼ gxQ0 ¼ yQ ¼ gxQ 0.i ¼ 0 fj ðIDi Þ mod q ði ¼ 1. for j 2 Q0 belonging to the new access structure Àn .R. honest implies that the group members follow the protocol as specified in Section 2. s. The proposed threshold-multisignature scheme can equally use any other secure and efficient signature variant of the ElGamal type signature scheme. The secret can be constructed if t0 or more honest players. An adversary is a malicious party that uses every means available to break the proposed thresholdmultisignature scheme. .R. The security analysis considers a straightforward general adversary model. rÞ.Bފ R mod p: u t . Proof.1 If the conditions presented in Step-2 hold.i j ¼ yj.1 Correctness and Threshold Property Any t or more honest group members of the authorized subset can collaborate and use the threshold-multisignature scheme to produce a valid threshold-multisignature ðR. Each Pj .tP 0 thus share the same group secret and public key as the old access structure Àn.R. . s0Pj Þ on y0j . then Pj0 knows that its new secret key x0j is a valid share of x0Q . 1. To argue the security and validity of the proposed threshold-multisignature scheme. Pj broadcasts ðy0j . Pj generates a signature ðr0Pj . r. R. The group secret remains constant.ij mod p: ð16Þ j2Q0 The proposed threshold-multisignature scheme is based on a multiparty extension of the ElGamal type signature variant: GES ¼ ðM:EGII:3:ð1Þ. and inject them back into the channel. When an honest party is compromised. irrespective of distributed-key redistribution or distributed-key updates.R. as: P Y 0L 0 ðs0 L Þ y0i ¼ gxi ¼ g j2Q0 j.BފxQ ðP Ki Þ ðr Þ mod p i2 i2 i ¼ ðyQ P K Þ½Hðm. S.k6¼i 0 3. . Bފ ½ðxi Þ Á L i Šþ S¼ i2 i2 X X ½Hðm.

[25]. The polynomial hðyÞ is constructed by the designated combiner with t pairs of public values belonging to members of the subgroup . as presented by [23] and [24]. SÞ and the Lagrange polynomial hðyÞ used by the signature verifier to identify the individual signers.VAN DER MERWE ET AL.2 Traceability of Signers The reason for the intractability of [6] and [8]. is due to the nonexistence of a relationship between the threshold signature ðR.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 567 4. respectively.

The actual value of the threshold t may be (dynamically) determined by an authorized subset of group members [19] and thus forms part of the group policy. . hðyÞ is given as [6]: hðyÞ ¼ t X I¼1 xi t Y y À yj ¼ btÀ1 ytÀ1 þ . constructed from t data points. [8] traceable by including hðyÞ within the individual signatures. [8].j6¼i It is noted here that it is possible to create such a relationship between hðyÞ and ðR. Using the polynomial function hðyÞ to capture the signers’ identities results in additional computational overhead for the threshold signature verifiers (nðt À 1Þ multiplications and nðt À 2Þ exponentiations) and fails to reduce the threshold group-oriented signature size. b1 . This saves the signature verifier the computational overhead of evaluating hðyÞ to learn the identities of the individual signers. The traceability property of the proposed thresholdmultisignature scheme is verified in Section 4. requires at least t coefficients ðb0 . why not simply use a list of individual (RSA) signatures for the group signature? The threshold property must be guaranteed by cryptographic means during the generation of the threshold group-oriented signature to effectively share the power of the cryptosystem between the group members [1]. SÞ. the proposed threshold-multisignature scheme uses the subset of identities B instead. . . The computational cost of generating hðyÞ is considered in Section 4. with a strong binding between hðyÞ and ðR.4. Assume a malicious subgroup . still fail to provide an optimum solution to ensure traceability. Since the subset B of identities is used to validate the threshold signature (12) the individual signers are publicly traceable and explicitly bound to the threshold signature. SÞ and make the schemes proposed in [6]. that submitted valid partial signatures. [2]. The Lagrange interpolation polynomial.7. . þ b1 y þ b0 : ð19Þ yi À yj j¼1. . Expecting that all (future) threshold group-oriented signature verifiers will consistently enforce a (dynamic) group policy makes the system vulnerable to attack. In the view of the authors. Rather than including the coefficients in the individual signatures and appending the coefficients to the threshold signature. the schemes presented in [6]. The polynomial hðyÞ of degree t À 1. If a verifier were to know and use the certified public keys of the individual signers. btÀ1 Þ to be uniquely defined.3 by showing that the signature verifier can only validate the threshold signature if an authentic subset B of individual signers collaborated to generate the signature. .

of t or more members conspires to obtain the group secret xQ and wants to frame valid subgroup for a signature on an arbitrary message m. This implies .

R.) The malicious member can attempt to forge the threshold-multisignature by computing S ¼ ½Hðm. Aފ simultaneously. it can be shown that forging individual signatures is also impractical. A formal security proof for the defined ElGamal signature variant GES in the Random Oracle and Generic Model ðROM þ GMÞ can be found in [26]. makes the protocol interactive and thus vulnerable to an adaptive adversary [16]. Any network participant will therefore always be able to make a legitimate excuse for a late arriving public value. 4. q À 1Š and generates R ¼ gk . With little modification to the above argument. which is again impractical based on the intractability of the discrete logarithm problem. An attacker’s last resort is to randomly select a value F and signature parameter S and then attempt to determine a value R0 that satisfies gS ¼ ðyQ P K ÞF R mod p and F ¼ ½Hðm. i. The first solution requires each member to publish its public value yi simultaneously to mitigate the rushing attack on the group secret.Aފ R mod p.. (The public value P K can easily be calculated using (11). . This shows that using the proposed threshold-multisignature scheme to produce a valid untraceable signature or signing on behalf of any other subset of group members is not possible. This solution. Pj uses the publicly known values ðIDi Þ.4 Attacks on Threshold-Multisignature Schemes 4. wants to generate a valid untraceable group-oriented signature. The third 2. An alternative method is to solve for S to satisfy the verification equation gS ¼ ðyQ P K Þ½Hðm. however. It also confirms that the individual signers that collaborate to generate a threshold-multisignature are always traceable. the group secret xQ is known or controlled by an adversary. which is impractical since Pj cannot compute SK from P K based on the intractability of the discrete logarithm problem.2 It can thus be concluded that the proposed threshold-multisignature is break-resistant. This is known to be impractical based on the properties of a secure collision-free one-way hash function HðÁÞ. The second proposed solution requires members to commit to their public values and then open their commitments to reveal the public values. AފðxQ þ SK Þ þk. R0 . [17].5) that work together to control the group key.R.3 Coalition-Resistance and Break-Resistance The coalition and break-resistance properties can be verified by showing that the proposed threshold-multisignature scheme is break-resistant: 4. This solution is impractical since there is no method in existing networking protocols of accommodating n simultaneous broadcasts nor can devices receive n simultaneous messages without advanced hardware.1 Collusion Attack A collusion attack enables dishonest group members (and/or a designated clerk or combiner node: see Section 4. Wang et al. Wang et al.e. [25] propose some countermeasures against the attack. to form the subgroup A. even if the threshold cryptosystem is broken.4. even if a coalition of t or more group members conspire to obtain an individual’s partial share xi of the group key xQ . The security proof of the underlying individual signature scheme supports the break-resistance property. in [8]. for i 2 0 . [25] report a collusion attack on the thresholdmultisignature scheme (without a trusted third party) presented by Li et al. Any malicious party Pj chooses a random number k 2 ½1.

2. S 0 Þ on an arbitrary message m0 from an existing valid threshold signature ðR. [17].2 Universal Forgery Attack In [23]. which is. given in Section 2. Q which is generally calculated as R ¼ i2. for example. 4. thus.568 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. The scheme by Wang et al. SÞ on message m. (1) or (9)). [8] fail to guarantee a strong binding between participants and their public values. 4. 18.3 Rushing Attack In the context of group-oriented signature schemes. Caution should be taken in the modification of the ElGamal signature or when choosing an appropriate variant. Fouque and Stern propose a solution to mitigate rushing attacks without using a synchronous network. Take. The ITP unfortunately becomes a single point of vulnerability. the fð0Þ group secret ðy ¼ g Þ. The universal forgery attack in [6] is a direct consequence of the insecurity of the modified ElGamal signature scheme on which the group signature is based. this approach was first introduced in [15] by Stadler to realize a publicly verifiable secret sharing scheme. [6] is an example of an insecure ElGamal type signature variant extended to a multiparty setting. The complaint phase also makes distributed-key generation (DKG) schemes such as [14]. inherently eliminates attacks from an adaptive adversary during the construction of the threshold cryptosystem. The weak binding allows an adversary to manipulate public values that will result in the disqualification of honest participants. Publicly verifiable encryption. [6]. This solution is well known and has been used by both Fouque and Stern [16] and Zhang and Imai [17] to eliminate the need for a complaint phase. [25] and universal forgery attack by Wu and Hsu [24]. It is noted here that synchrony is not always required in a discrete logarithm-based threshold group-oriented signature scheme based on a variant of the generalized ElGamal type signature. Forcing players to provide a zero knowledge proof of the discrete logarithm of all public values is sufficient to completely eliminate the rushing attack in an asynchronous network. [3]. and. 4. Committing participants to their public values and ensuring the public values’ integrity are both essential if members are to be disqualified if their public values fail to satisfy the verification equations (for example. It is noted that the collusion attack by Wang et al.4. [7]. [10]. it is evident that manipulation of these values can occur if an adversary can delay playing its own contribution. The threshold-multisignature scheme proposed in Section 2 takes this fact into consideration. both rely directly on a rushing attack. The adversary can collect the contributed values of all other participants and then compute its own contribution to force the signature parameters or group secret to a known value when calculated as a function of all contributed values. [10].4. thereby eliminating rushing attacks. The proposed threshold-multisignature scheme and DKG protocol use the ElGamal type signature variant GES to generate secure and efficient digital signatures. does not offer a mechanism to bind participants to their public values. Assuming the threshold signature scheme is based on a secure and efficient variant [9]. [27] impractical considering the complexity of current multiparty computations [16]. The proposed scheme uses publicly verifiable encryption [15]. Tseng and Jan present a universal forgery attack on the threshold signature schemes with traceability by Wang et al. which explicitly binds participants to their public values and simultaneously provides a mechanism to ensure the values’ integrity. can be calculated as fð0Þ ¼ Àt À1 SR HðmÞ from any valid threshold signature ðR. Since group members must all make a valid contribution to the threshold signature parameters and group secret. The existing round optimal DKG protocols [16]. a rushing attack is defined as a manipulation of the signature parameters or keying material by an adversary based on the public values received from all the other participants. The modification of the basic ElGamal signature scheme for the sake of efficiency can easily introduce an insecurity. [17] and threshold-multisignature schemes [4]. the signature parameter R. [6]. [22] that allows protocol participants to provide a zero knowledge proof of their public values’ discrete logarithm. The attack allows any group member or outsider to generate a valid forged threshold signature ðR0 . however. It is developed from a secure and optimally efficient variant that was selected using the guidelines given in [9]. The proposed threshold multisignature scheme prevents adversaries from controlling the group key by using the publicly verifiable. As pointed out by Zhang and Imai. Tseng and Jan also show in [23] that Wang et al. The adversary thus waits until all other participants have played before defining its own value [16]. Fouque and Stern define an Incorruptible Third Party (ITP) to always play at the end. Fouque and Stern [16] and Zhang and Imai [17] construct their distributed-key generation schemes on a synchronous network to prevent the adversary from delaying its response.’s schemes [6] are completely insecure since the trapdoor information fð0Þ . VOL. one round DKG protocol. in fact. it should be clear that the majority of attacks on group-oriented signature schemes can thus only come from a vulnerability introduced by the extension of the ElGamal type signature variant to accommodate multiple signers. therefore eliminating the requirement for synchrony and preventing a malicious player from manipulating the signature parameters. SÞ in message m. APRIL 2007 solution requires members to provide a noninteractive proof of knowledge of the discrete logarithm for the public value yi to the base of the primitive element g. NO.

where ri ¼ gki is the public value of each player Pi with corresponding randomly chosen secret ki . The malicious player Pj waits for each Pi to play its ri . Pj chooses a random value k and sets R ¼ gk . ri mod p. After receiving all ri s for i 2 .

i 6¼ j.. Pj factors out its Q public value as rj ¼ R i2.

be true if the modular arithmetic is done in an appropriate multiplicative subgroup ððZÞÃ Þ or a cyclic subgroup of order q. in particular. p The attack presented by Michels and Horster [28] on the threshold-multisignature proposed by Li et al. which will force the i other players to compute R at a later stage (of which the discrete logarithm is known by Pj ). if the threshold group-oriented signature protocol requires each . As in the above example. This will. [4] is a good example of the rushing attack principle. thus..i6¼j rÀ1 mod p . Note that Pj does not know the discrete logarithm of its public value rj nor can it be calculated based on the intractability of discrete logarithms in finite fields. the malicious player Pj in this attack does not know the discrete logarithm of its own share rj .

i.. Members of the authorized subset . With this mechanism. memory. 4. and communication overhead. This eliminates attacks relying on a corrupt clerk and mitigates the problem of ensuring the availability of a combiner node in distributed networks [13]. the following minor differences are easily identifiable: For the initial DKG. It will also prevent a malicious participant from disrupting the protocol since the participant can simply be disqualified if it does not play a fair game.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 569 player to provide a zero knowledge proof of all public values’ discrete logarithms. . The proposed publicly verifiable P distributed-key redistribution/update (DGRU) protocol proposed in Section 3 was designed to support dynamic group membership and allow for share updates by merely keeping 0 0 the access structure constant. Comparing the P P DGRU protocol to the initial DKG protocol presented in Section 2. the reader will note that these protocols are almost exactly equivalent. To allow for dynamic group membership and modification of the availability/ security trade-off. ad hoc networks) to ensure a correct combination [13]. the benefit the adversary gains from a rushing attack in an asynchronous network is nullified. By deliberately keeping the phrasing and notation as far as possible the same.t ¼ Àn. [22] on the discrete logarithm of the public values. The proposed threshold multisignature scheme in this paper requires players to provide a zero knowledge proof of the discrete logarithm of their public values by generating a publicly verifiable encryption [15]. the proposed scheme eliminates rushing attacks without any requirement for synchrony. The scheme proposed in this paper eliminates the need for a designated combiner/clerk as the construction of the threshold-multisignature is done by the shareholders themselves.t .2. each user must choose a random number di . 4.e.5 Symmetric Relationships—Eliminating the Combiner A centralized combiner node is a specialized server which can be seen as a single point of vulnerability and should be replicated in distributed networks (for example.t .VAN DER MERWE ET AL. The scheme also preserves the symmetric relationship between the shareholders by placing on each node the same computational. Àn 0. the0 shares can be redistributed to a new 0 access structure Àn 0. while the DKRU protocol uses the user’s share xi of the group secret xQ .6 Proactive Security and Secret Redistribution The proposed threshold-multisignature scheme defends against mobile/active adversaries by proactively updating the group key shares every period T .

append the public values yi of Pi 2 .

New members should only use public values that have been found to be consistent in t or more broadcast messages. to ð½y0i.n0 ފ k A0i.ðt0 À1Þ Þ if new members join the group. the participants must also check that the condition presented in (13) holds before verifying whether the subshare distribution is correct by using (14).1 ފ k Á Á Á k ½y0i. . EP Kn0 ðs0i.1 . If both (13) and (14) are satisfied for t or more members of . In the DKRU protocol.0 k Á Á Á k A0i.n0 . EP K1 ðs0i.

DKU protocol. and DGR protocol are conveniently performed by a single. It is noted that the proposed DKMI is independent of the proposed threshold-multisignature scheme and can be used in other applications to construct and maintain a threshold cryptosystem. publicly verifiable. A protocol suite capable of servicing all aspects of secret sharing is defined here as a distributed-key management infrastructure (DKMI). Any t or more members forming the subgroup .. the users are guaranteed that their new share in the original group key xQ is valid. round optimal protocol. Besides the differences given above. the initial DKG protocol. The DKG protocol due to Zhang and Imai [17] was modified to complement the proposed DKRU protocol given in Section 3 and to allow for practical key redistribution/updating. [8] is also vulnerable to a conspiracy attack by t or more malicious members. .4.4 Conspiracy Attack It is noted here that the threshold signature scheme proposed by Li et al. 4.

j 2 . ði.0 can use their subshares fðIDi Þj .

. A mechanism is provided for verifying the members’ secret contributions from the threshold-multisignature without revealing any additional information of the secrets.’s scheme with a trusted authority. only accurate for Li et al. Note that this is. As shown in Section 4. Any malicious member generates R ¼ gki and solves the following congruence for integer S: SR  ðR þ hðmÞÞki þ fð0Þ mod q. for i 2 . SÞ will be a universally forged signature on the arbitrary message m. [4] defend against conspiracy attacks in a similar approach by adding a random number to the secret key. verifiable with the group-oriented signature verification equation. gSR ¼ RðRþhðmÞÞ y mod p. noted that. also lacks a strong traceability property. the scheme by Wang et al. The same comment can be made on the scheme proposed by Lee and Chang in [7]. which effectively conceals the member’s secret share of the group key.3.k6¼j IDj ÀIDi Þ. . The set ðR. [6] propose such a scheme which prevents conspiracy attacks without attaching a random secret to secret shares. conspiracy attacks in the proposed threshold-multisignature schemes are avoided by each member contributing an individual secret (long-term private key SKi ) to the group-oriented signature known to be explicitly associated with the member.e. the members’ public keys P Ki . Wang et al. It is. except the information that is publicly know to be associated with the secrets. however. the scheme presented in [4] does not have a strong traceability property [6]. Since the random numbers are not explicitly linked to the member’s identity. Conspiracy attacks in threshold-multisignature schemes can also be avoided if the secret shares of members are generated in such a way that construction of the threshold cryptosystem’s secret polynomial or derivation of the group secret from the members’ secret shares is computationally infeasible. i. 0 Þ to construct the group secret key fð0Þ as P Q IDj fð0Þ ¼ t ðfðIDi Þj t j¼1 k¼1. however. Li et al. since a member’s public value in [6] is not explicitly linked to a secret known to be associated with a group member.

2 and Section 3 solves a major problem with existing secret redistribution/ update protocols. APRIL 2007 The proposed DKMI presented in Section 2. NO.570 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. a threshold cryptosystem allows t or more members holding a secret share to reconstruct the group secret. not more than t À 1 members can be compromised or become faulty within an update time period T . the system is broken. In a proactively secure threshold cryptosystem. VOL. otherwise. [20]. This problem is identified by Wong et al. 18. the authorized subset . Referring to the proposed DKRU protocol presented in Section 3 and the secret redistribution scheme by Wong et al. 4. [20]: By definition.

may thus contain. The t À 1 malicious members in . t À 1 malicious members out of the total n group members. in the worst-case scenario.

Although new members can detect the discrepancy in the broadcast values. but also existing members cannot identify the malicious members in . they cannot identify which members are malicious. can thus distribute subshares si. It is noted here that this is not only applicable to the new members in the scheme proposed by Wong et al.j of an incorrect share xi to new members joining the system..

and. Consequently. the redistribution protocol proposed by Wong et al. malicious members cannot be disqualified. therefore. [20] must be repeated each time with a different authorized subset .

0 . with j.

until all values are consistent and all the verification conditions hold. members of the authorized subset .0 j ¼ t. t t tÀi i which makes the scheme impractical. the protocol participant Pj in the initial DKG protocol uses (5) to calculate the authentic public values yi corresponding to the secret share xi of each Pi . for i 2 Q. This paper presents a solution to the above problem with existing secret redistribution/update protocols as follows: In the proposed DKMI. Wong et al. In the DKRU protocol.À Á aÀworst-case repetition of the give Á PtÀ1 À ÁÀ Á protocol bounded by n À nÀtþ1 ¼ i¼1 tÀ1 nÀtþ1 .

construct a polynomial with their secret share set to a0i.0 ¼ s0i.j . In order to ensure that (14) holds and to avoid identification. i 2 .0 with their computed subshare witnesses yi. Pi . Assume that a subset of new members are joining the threshold cryptosystem.0 ¼ gai.0 ¼ xi . the malicious members are forced to compute 0 and broadcast A0i.

broadcast to all members a message that includes their calculated public keys yi .. for all other Pi . i 2 .

j of an incorrect share xi .. by checking if (13) holds. All existing members forming part of ðn0 .t0 Þ the new access structure ÀP 0 can detect and positively identify a malicious member that distributes subshares si. The only feasible option is to require the authorized subset .

to include all the existing members that will form part of the new access 0 0 structure Àn 0. By the fundamental definition of a threshold P cryptosystem. this will always ensure at least t members of .t .

It is obvious that existing members that do not participate in the distributed-key redistribution or distributed-key update procedure will be excluded from the threshold cryptosystem. therefore. The new members will detect the discrepancies in the public values broadcast by the members in . old members wanting to form part of P 0 are always available to help with distributing subshares to new members. 3. with consistent public values. This requirement places no limitation on the practicality of the proposed distributed-key management infrastructure (DKMI)3 and keeps the scheme round optimal.

[4]: The group public key of [4] not only consists of y. zij g. can only implicitly aid in the disqualification of malicious members by only using the subshares of the t or more members with consistent public values to compute their own new share in the group key. only schemes that attempt to eliminate conspiracy attacks are evaluated: Li et al. Difficulty will be experienced with this scheme when trying to eliminate the need for a trusted authority to distribute the initial group key shares. The proposed scheme does have another mechanism for all network participants to identify malicious members. provided by a public key infrastructure. Wang et al. The protocol. the proposed thresholdmultisignature scheme uses the long-term private keys of members SKi . [6]: The scheme proposed in [6] is an improvement on the scheme presented in [4] since conspiracy attacks are prevented without attaching a random number to secret shares. therefore. . Y . 4.3. A robust authentication mechanism is essential for securing a distributed system against active adversaries and central to ensuring the traceability of individual signers.4 Before joining members have obtained a valid share of the group secret. Since the new members will receive consistent public values from at least t participants. Consequently. but also implicitly includes the following public values fxi .2) and DKRU protocol (Section 3) are both publicly verifiable. all network participants have exactly the same information as existing members of the threshold cryptosystem. to 4. A joining member who has observed a periodic DKRU procedure can calculate the authentic public values of each group member using (16) and. that is required to verifying the threshold signature. except for a valid share in the group secret.1 Group Public Key Length The public key length in similar schemes will be briefly considered. In the Li et al.7 Efficiency Analysis The efficiency of threshold-multisignatures may be based on the following five criteria (Section 4. requires the participants to order themselves into a ring topology. therefore.7. Since both the initial DKG protocol (Section 2. they do not have any authority and. which can be limiting in some network scenarios. Lee and Chang [7]: The threshold-multisignature scheme in [7] also avoids conspiracy attacks without attaching a random secret to shares.7. In order to make a feasible comparison. It can thus be concluded that the public key is dependent on the number of group members n. The group public key is thus independent of the group size n.1 through Section 4. the participants with inconsistent values can therefore be considered malicious or faulty and are therefore positively identified. As shown in Section 4.7.5): 4. however. identify malicious members during the next DKRU procedure. The group public key is dependent on the number of group members n as the signature verifier needs the individual public values yi of all group members and two additional parameters cQ and cw to compute the subgroup public key. zij g since these values are required by the signature verifier to validate a threshold signature. the public key includes the public values fxi . scheme.. protocol participants attach a secret random number to their group secret shares in an attempt to avoid a conspiracy attack.

Although the group public key may be perceived to be dependent on the group size n. for i 2 used to calculate P K is publicly known (traceable) and primarily required for authentication purposes. the scheme does not introduce any additional storage requirements since the public keys P Ki . for i 2 . and.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 571 avoid conspiracy attacks even if colluding members derive or control the group secret xQ .VAN DER MERWE ET AL. As a result of members including their private keys in their individual signatures. in the latter two round scenario only. ð2j. the public key of the scheme consists of yQ and the public key P K of the subgroup that collaborated to generate the threshold signature. The public key P K of the subgroup is a function of the long-term public keys P Ki of the group members Pi .

which specifies that any outsider must be able to retrieve the identities of the individual signers from the threshold signature. in the second round. In round one. The threshold signature size of thresholdmultisignature schemes is bound to be dependent on the threshold parameter or. each participant generates a commitment ri and. The individual identities of the group members can be carefully chosen to significantly reduce the size of the thresholdmultisignature. This conclusion is naturally drawn from the traceability property of threshold-multisignature schemes. participants send their contribution to a combiner or designated clerk which constructs the threshold signature. is made by the size of the threshold group signature. 4. 4.7. more precisely. where 0 c ðn À tÞ. ri Þ on an arbitrary message m. the information is the identities of the individual signers contained in B. post signature generation. t þ c. Multiparty signature schemes constructed from ElGamal type (discrete logarithm-based) signature variants are bound to be interactive. In the case of the proposed scheme. as given in Section 1.7. The threshold signature must thus be bound to information explicitly linked to each of the signers that collaborated to generate the threshold signature. the individual and threshold signature generation mechanisms of all the existing threshold-multisignature schemes and the proposed scheme are almost equivalent. In the third round.2 Group-Oriented Signature Size The main contribution to the communication overhead.jÞ broadcast messages. generates an individual signature ðsi .3 Communication Cost of Signature Generation and Verification In terms of communication cost. Assume the authorized subset .

This yields a three round protocol for existing schemes. which requires ð2j. of group members collaborate to sign m.

jÞ broadcast messages and ðj.

jÞ unicast messages. is to the best of the authors’ knowledge. Assuming . the first threshold group-oriented signature scheme with traceability that allow malicious members to be positively identified and disqualified from the group. The proposed threshold-multisignature scheme. The proposed scheme also eliminates the need for a combiner.

contains at least one malicious or faulty participant. Therefore. the proposed protocol requires ð3j. the proposed protocol will still require three rounds and only two rounds if all individual signatures satisfy (9). in the three round scenario.

[6]. It can be shown that the total computational cost of computing ðb0 . [6]. Table 3 and Table 4 compare the proposed threshold-multisignature scheme. . with the assistance of a trusted key distribution center (KDC). btÀ1 Þ. In Table 1 and Table 2. multiplications contribute to an insignificant fraction of the overall time complexity. the public values of the individual signers are captured within the Lagrange interpolation polynomial hðyÞ as given in (19). b1 . . . . The threshold-multisignature schemes presented in [4]. which enables the threshold signature verifier to evaluate hðyÞ in order to identify the individual signers. . Multiplications : t iþ1 i¼1 ! ! tÀ2 X t À 1 Summations : t À 1 þ ðt À 1Þ þ t . iþ1 i¼1 Inversions : t: It should be clear that using an interpolation polynomial hðyÞ to identify the individual signers is impractical for large values of threshold t. . multiplications. in some cases. the inner parts of the Lagrange coefficients) can be precomputed and are therefore not included in the analysis. In the schemes proposed by Wang et al. [7] were chosen for analysis since they all make an attempt to eliminate a conspiracy attack by t or more colluding members. b1 . .2. [7]. . and summations. although this paper does not present a thresholdmultisignature scheme with a KDC. Note that. btÀ1 Þ from t data pairs is given as: ! tÀ2 X t À 1 ! i þ ðt À 2Þ þ t þ 2 . . . [6] and Li et al. Another factor to consider is the computational cost of computing the coefficients ðb0 . it was shown that appending the set of identities B to the threshold signature is a better solution. . without a KDC. Values that remain constant between different signature generations (for example. The computational cost of the schemes will be given in terms of the minimum threshold ðtÞ members (out of the total ðnÞ group members) required to collaboratively sign an arbitrary message m. saving the threshold signature verifier the computational effort of evaluating hðyÞ.7. it is assumed that the system parameters are chosen to yield the same time complexity for exponentiations. Although summations and. The computational overhead that causes the most concern is the number of exponentiations in the individual signature verification equation ((9)) and threshold signature . these operations are still included for the sake of completeness. with the existing schemes. it can be trivially extended to incorporate a KDC without making any changes to the individual/threshold signature generation and verification procedures. . the schemes. The coefficients ðb0 . [8]. In Section 4. btÀ1 Þ of hðyÞ are appended to the threshold signature by the combiner/clerk. b1 .4 Computational Cost of Signature Generation and Verification To make a feasible comparison between the computational cost of the proposed threshold-multisignature scheme and similar schemes [4]. are compared.jÞ broadcast messages 4.

The proposed scheme also provides improved efficiency for all other operations. NO. TABLE 2 Computational Cost Comparison of Threshold Signature Generation and Verification (with the Assistance of a Trusted Share Distribution Center) Proposed threshold-multisignature scheme (PTMS). APRIL 2007 TABLE 1 Computational Cost Comparison of Individual Signature Generation and Verification (with the Assistance of a Trusted Share Distribution Center) à Proposed threshold-multisignature scheme (PTMS). The optimum number of exponentiations for an ElGamal type signature variant is 2 [9]. with or without the assistance of a trusted authority. while guaranteeing break-resistance. which are anticipated to contribute the bulk of the verification time complexity. For individual signature verification. see Section 2. i¼1 iþ1   z s ¼ tðPtÀ2 ½ tÀ1 À 1Š þ ðt À 1Þ þ tÞ. individual signature generation (Table 1 and Table 3) and threshold signature generation (Table 2 and Table 4). 18. VOL. The additional exponentiation is as a consequence of satisfying the stronger break-resistance property. 4. The justification for looking critically at the verification processes is substantiated by the notion that a signature is normally generated only once. 4. one more than the optimal two exponentiations. which .572 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. It can thus be concluded that the proposed threshold-multisignature scheme is superior to existing schemes since it requires only two exponentiations for threshold signature verification. but verified many times. y Note that computations of the individual signatures are performed modulo n. three exponentiations are required.5 Efficiency of Initial Key Distribution and Key Redistribution/Update Protocols The proposed threshold cryptosystem is constructed with the round optimal DKG protocol presented in Section 2. see Section 2. which includes.   y m ¼ tðPtÀ2 ½ tÀ1 iŠ þ ðt À 2Þ þ t þ 2Þ.2. i¼1 iþ1 à verification equation ((12)).7.

Efficiency analysis on the initial DKG protocol (Section 2. Each protocol participant is required to generate random numbers OðtÞ for initial DKG and Oðt0 Þ for DKRU. [8]. It is the view of the authors that the security of the underlying DKMI influences the security of the signature scheme to such an extent that the threshold group-oriented signature scheme cannot be considered separately from the DKMI. [6]. do not use secure and efficient one round DKG protocols to initialize the threshold cryptosystem. Accordingly. such systems cannot respond to changes in the networking environment. the existing systems are rigid concerning the threshold security parameters ðn. Multiplications yield a similar growth rate to the exponentiations.2) and DKRU protocol (Section 3) shows that these protocols require OðntÞ and Oðn0 t0 Þ exponentiations.VAN DER MERWE ET AL. Based on the above. . These schemes also do not consider proactive security because they do not allow for the periodic updating of secret shares nor do they permit dynamic group membership since they cannot redistribute the secret shares to a new access structure. respectively. respectively. Existing threshold-multisignature schemes that do not need the assistance of a trusted authority [4]. The worst-case computational cost of the initial DKG protocol and DKRU protocol are briefly considered. tÞ. which sets the security/ availability trade-off. TABLE 4 Computational Cost Comparison of Threshold Signature Generation and Verification (without the Assistance of a Trusted Share Distribution Center) à Proposed threshold-multisignature scheme (PTMS). i¼1 iþ1 effectively eliminates the need for a mutually trusted key distribution center (KDC).: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 573 TABLE 3 Computational Cost Comparison of Individual Signature Generation and Verification (without the Assistance of a Trusted Share Distribution Center) à Proposed threshold-multisignature scheme (PTMS). For these reasons. the efficiency of the proposed thresholdmultisignature scheme’s system setup and maintenance procedures cannot be compared to the existing schemes. see Section 2. see Section 2. Each participant broadcasts OðtÞ þ OðnÞ messages for initial DKG and Oðt0 Þ þ Oðn0 Þ for DKRU. The network as a whole has a communication cost of OðntÞ þ Oðn2 Þ and Oðn0 t0 Þ þ Oðn02 Þ for initial DKG and DKRU. The threshold cryptosystem accommodates a total of n2 shares.   y m ¼ tðPtÀ2 ½ tÀ1 iŠ þ ðt À 2Þ þ t þ 2Þ: i¼1 iþ1   z s ¼ tðPtÀ2 ½ tÀ1 À 1Š þ ðt À 1Þ þ tÞ.

-H. To realize initial DKG. Although the initial DKG protocol and DKRU protocol are presented separately for clarity. Luo. and T. Public Key Cryptography—PKC ’03. The proposed threshold-multisignature scheme was shown to satisfy all of the specified security requirements and to fulfill the stronger break-resistant property. H. Y. Jaracki. 30. 2025-2026. Zhou and Z.. Sept.t0 Þ access structure ÀP to a new access structure ÀP 0 . C.” IEEE Network. Lin.” Proc. “Proactive Secret Sharing or: How to Cope with Perpetual Leakage. 1Þ. C. 1999. T. 2003. which from the authors’ point of view is the first to provide a guaranteed traceability property. vol. The thresholdmultisignature signature scheme thus remains secure. 2002.e.” Proc. The authors thank the reviewers and editors for their time. n) Threshold Digital Signature with Traceability Property. Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme. and J. “Round Optimal Distributed Key Generation of Threshold Cryptosystem Based on Discrete Logarithm Problem. Stadler. M. “On the Security of the Li-Hwang-Lee-Tsai Threshold Group Signature Scheme. 5. Pedersen. r. secret updating (DKU). “Generalized ElGamal Signatures for One Message Block. May 1999. Fouque and J. “A Threshold Cryptosystem without a Trusted Party. Apr. Dec. 24. no. 1994. 2003. Hwang. 1998. 1995. Pedersen. the secure and optimally efficient ElGamal type signature variant. July 1997. May 1994. while providing break resistance. Considering the minor differences between the initial DKG protocol and DKRU protocol. Chang. special issue on network security. P. malicious or faulty protocol participants from the original access structure are positively identifiable by the existing honest members as well as the new members joining the threshold cryptosystem.” European Trans. The same initial DKG protocol can thus be used to realize DKR and DKU by merely keeping the access structure constant. Fifth Int’l Conf. “Securing Ad Hoc Networks. the group secret or individual secret shares are known or controlled by an adversary. “Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. pp. and C. which avoids repeating the secret redistribution protocol until all the verification conditions holds. vol. The paper proposes a novel publicly verifiable.. Oct. The main aim of this paper is to introduce such a secure threshold-multisignature scheme. G. J. Dai. T. Jarecki. and N.. Herzberg. 669-678. Z.-C.-A. 1996. Topics in Electronic Commerce (ISEC ’01). Petersen. Desmedt. and gives the group members the capability of adjusting the availability/security trade-off by redistributing the 0 existing ðn. A. Lee and C. Nov.” Proc. It was shown that the proposed threshold-multisignature scheme eliminates the latest attacks on similar threshold signature schemes with traceability. the Armaments Corporation of South Africa. “Threshold Signatures. 1999. “One Round Threshold Discrete-Log Key Generation without Private Channels. Xu.-M.” Proc. Krawczyk.” Proc. Krawczyk. L. The efficiency analysis showed that the proposed threshold-multisignature scheme outperforms other existing schemes and is optimal in terms of exponentiations with respect to threshold signature verification and near optimal for individual signature verification. and secret redistribution (DKR). “Threshold-Multisignature Schemes where Suspected Forgery Implies Traceability of Adversarial Shareholders. NO. 1994. W. of Information and Software Eng. To reach this objective. REFERENCES [1] [2] [3] [4] Y. C.-B. hðm. “How to Convert Any Digital Signature Scheme into a Group Signature Scheme. s. 771-776. M. Advances in Cryptology—EUROCRYPT ’91. pp. multisignature schemes. Dept. “Verifiable Secret Redistribution for Archive System. Li. Telecomm. George Mason Univ. Advances in Cryptology—CRYPTO ’95.” Proc. “(t. 2001. H. 5. 6. Stern. 1987. 4. and Y. 2001. and M. VOL. Wong. pp. the proposed DKMI requires considerably less implementation effort than implementing three unrelated protocols to realize distributed-key management. rÞ. L. 1997.” Proc. R. GES ¼ ðM:EGII:3:ð1Þ. distributed-key updating (DKU). threshold group signature schemes. Imai. round optimal (one round) distributed-key redistribution/updating (DKRU) protocol that eliminates a major problem with existing schemes. Second Int’l Symp. Feb. H.” Proc. The paper also addressed the issue of initial distributedkey generation (DKG) to construct a threshold cryptosystem without the assistance of a trusted authority. R.-T. no. W. Information Security and Cryptography (ICISC ’02)..-Y.tÞ ðn . improvements were made to the round optimal DKG scheme of Zhang and Imai. 8. 21. 1991. The paper proposes the first integrated (single protocol) solution for DKG. Wing. Information Science and Eng.” Technical Report ISSETR-97-01.” Proc. Advances in Cryptology—EUROCRYPT ’99. 2002. vol. Advances in Cryptology—EUROCRYPT ’96. and distributed-key redistribution (DKR). Wang. vol.” J. S. P. 449-457. Lee. Wang. C. J.574 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS.. “Threshold Signature Schemes with Traceable Signers in Group Communications.P.. i. no. pp. “Design of Generalised ElGamal Type Digital Signature Schemes Based on Discrete Logarithms. Li. APRIL 2007 5 CONCLUSION Investigations within the fields of threshold group-oriented signature schemes. Apr. effort. Haas. The paper defines the notion of a distributed-key management infrastructure (DKMI) as a protocol suite that considers all aspects of secret distribution (DKG).” Proc. “Society and Group Oriented Cryptography: A New Concept. it was shown that the two protocols are essentially equivalent. 15. Fifth Int’l Workshop Security Protocols. even if the threshold cryptosystem has been broken. Chang.” Computer Comm. Public Key Cryptography—PKC ’01. n) Threshold Digital Signature Schemes with Traceable Signers. 24-30. 1994.M. Use of the DKRU mechanism makes the proposed fully distributed threshold-multisignature scheme proactively secure. T. Gennaro. Yung.-Q. 4. Wang. allows for dynamic group membership. “Redistributing Secret Shares to New Access Structures and Its Applications. Second Int’l Workshop ITSecurity. pp. and H. “Publicly Verifiable Secret Sharing.” Proc. Y. Advances in Cryptology—EUROCRYPT ’94. First Int’l IEEE Security in Storage Workshop. Zhang.. was extended to a multiparty setting to yield a threshold-multisignature scheme. vol.J. and threshold-multisignature schemes resulted in explicitly defining the properties of threshold-multisignature schemes. no. Desmedt. ACKNOWLEDGMENTS This work was supported by ARMSCOR.” Proc.” Electronics Letters. “GroupOriented (t. S. Song. 13. no.-C. Jajodia. and positive input. [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] . School of Information Technology and Eng.” Proc. Boldyreva.-C.” Proc.-M. Zhang and H. “Threshold Cryptography. Harn and Y. Michels. 18. Desmedt and S. Rabin. A.M. Applied Cryptography and Network Security (ACNS ’03). Horster. Advances in Cryptology—CRYPTO ’87.

He is currently pursuing the PhD degree in distributed communication systems. and T. South Africa.P.” Proc. Wu and C. Jarecki. Math. Advances in Cryptology—ASIACRYPT ’00. 1996. Michels and P. 612-613. Krawczyk. ACM. Rabin. [23] Y. His current research interests include ad hoc networks and various aspects of image processing. “Cryptanalysis of Group-Oriented (t. 26. “On the Risk of Disruption in Several Multiparty Signature Schemes. n) Threshold Digital Signature Schemes with Traceable Signers.org/publications/dlib. Gennaro. he rejoined the University as a senior lecturer in 1997. no. 1-4. Han. “How to Share a Secret.” Computer Standards and Interfaces. Dawoud S. “Security of Discrete Log Cryptosystems in the Random Oracle and Generic Model. [26] C. threshold group-oriented cryptography. Group Encryption.” Information Processing Letters. Shamir. Tseng and J. and digital signature schemes. vol. South Africa.” Comm. Camenisch and I. 2004. 1999. 1. 477-481. 11. Canetti. please visit our Digital Library at www. including Cairo University. 71. Jakobsson.-L.-M. digital signal processing. vol. 5. . pp. R. vol. Jan. “Adaptive Security for Threshold Cryptosystems. Johann van der Merwe received the BSc degree in electronic engineering from the University of Natal in 2003 and the MSc degree from the University of KwaZulu-Natal in 2005. For more information on this or any other computing topic. 2003.-K. He has been a full professor since 1984. “On the Security of Two Threshold Signature Schemes with Traceable Signers.” Proc.” Proc. Schnorr and M.” Proc. no. Nov. and Their Applications to Separable Group Signatures and Signature Sharing Schemes. His research interests include security issues in ad hoc networks.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 575 [21] A. Damgard. H. Horster.computer. no. “Verifiable Encryption. 1979. and digital telecommunications in numerous universities. pp. 2000. University of Lagos. Advances in Cryptology— ASIACRYPT ’96. He is a member of the IEEE.-S. He holds two patents in computer architecture. He has supervised many PhD and MSc theses and published more than 90 papers and books. [27] R. [25] G. [28] M. Aug. pp. Wang. After working in the communications industry for five years. Stephen McDonald received the BSc (1987) and MSc (1989) degrees in electronic engineering from the University of Natal. Applied Cryptography and Network Security (ACNS ’03). [24] T.VAN DER MERWE ET AL. 22. “Attacks on Threshold Signature Schemes with Traceable Signers. Dawoud received the BSc (1965) and MSc (1969) degrees in electronic engineering from Cairo University and the PhD (1973) degree in computer engineering from Russia. X. ˚ [22] J. Oct. He is currently a professor of computer engineering and signal processing at the University of KwaZulu-Natal.” Proc. June 1999. First Int’l Conf. He is a member of the IEEE. Advances in Cryptology—CRYPTO ’99. . and B. of Public-Key Cryptography. 1999. Zhu. S. with particular focus on key management. He has taught courses in computer engineering. and University of Botswana. Hsu.

Sign up to vote on this title
UsefulNot useful