## Are you sure?

This action might not be possible to undo. Are you sure you want to continue?

**Threshold-Multisignature Scheme
**

Johann van der Merwe, Dawoud S. Dawoud, Member, IEEE, and Stephen McDonald, Member, IEEE

Abstract—Threshold-multisignature schemes combine the properties of threshold group-oriented signature schemes and

multisignature schemes to yield a signature scheme that allows a threshold ðtÞ or more group members to collaboratively sign an

arbitrary message. In contrast to threshold group signatures, the individual signers do not remain anonymous, but are publicly

identifiable from the information contained in the valid threshold-multisignature. The main objective of this paper is to propose such a

secure and efficient threshold-multisignature scheme. The paper uniquely defines the fundamental properties of threshold-

multisignature schemes and shows that the proposed scheme satisfies these properties and eliminates the latest attacks to which

other similar schemes are subject. The efficiency of the proposed scheme is analyzed and shown to be superior to its counterparts.

The paper also proposes a discrete logarithm based distributed-key management infrastructure (DKMI), which consists of a round

optimal, publicly verifiable, distributed-key generation (DKG) protocol and a one round, publicly verifiable, distributed-key redistribution/

updating (DKRU) protocol. The round optimal DKRU protocol solves a major problem with existing secret redistribution/updating

schemes by giving group members a mechanism to identify malicious or faulty share holders in the first round, thus avoiding multiple

protocol executions.

Index Terms—Security and protection, distributed systems, group-oriented cryptography, threshold-multisignature, secret sharing,

distributed-key management infrastructure, publicly verifiable distributed-key generation, publicly verifiable distributed-key update,

publicly verifiable distributed-key redistribution.

Ç

1 INTRODUCTION

I

N distributed systems it is sometimes necessary for users

to share the power to use a cryptosystem [1], [2]. The

system secret is divided up into shares and securely stored

by the entities forming the distributed cryptosystem. The

main advantage of a distributed cryptosystem is that the

secret is never computed, reconstructed, or stored in a

single location, making the secret more difficult to

compromise [3].

In many applications, a threshold ðtÞ or more share-

holders are required to cooperatively generate a digital

signature, in contrast to the conventional single signer. This

may also be seen as a distribution of trust since the

shareholders must collaborate and contribute equally to

produce a valid multiparty signature.

Threshold-multisignature schemes [4] combine the proper-

ties of threshold group-oriented signature schemes [2] and

multisignature schemes [5]. In the literature, threshold-

multisignature schemes are also referred to as threshold

signature schemes with traceability [6], [7], [8]. The

combined properties guarantee the signature verifier that

at least t members participated in the generation of the

group-oriented signature and that the identities of the

signers can be easily established. The majority of the

existing threshold-multisignature schemes belong to var-

iants of the single signatory, generalized ElGamal signatures

[9], [10], extended to a group/multiparty setting.

In [11], Wang defines the properties of threshold group

signature schemes [12] in order to guarantee the security of

the system. To the best of the authors’ knowledge, a

complete set of definitions does not exist for threshold-

multisignature schemes. The authors’ studies have shown

that secure threshold-multisignature schemes must satisfy

the following five main properties:

Correctness: All threshold-multisignatures on an arbi-

trary message i, generated by an honest authorized subset u

of group members, forming subgroup 1

u

, can be verified by

any outsider \ (with respect to the group). This implies that

the group-oriented signature is publicly verifiable.

Threshold property: Only a threshold of t or more

authorized group members are able to collaboratively

generate a valid threshold-multisignature. This property

thus incorporates unforgeability.

Traceability: Any outsider \ can learn the identities of

the individual signers belonging to 1

u

from the threshold-

multisignature on i without interaction with any of the

group members and/or a group manager. This implies that

the signers are publicly traceable with public information.

Traceability implies accountability; the individual signers

participating in the threshold-multisignature scheme can be

held accountable for their contribution to the group-

oriented signature.

Coalition-resistance: No colluding subset of group

members can generate a valid threshold-multisignature not

satisfying the traceability property. Coalition-resistance

subsumes framing-resistance, i.e., no subset of groupmembers

can sign on behalf of any other subset of group members.

562 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007

. The authors are with the School of Electrical, Electronic, and Computer

Engineering, University of KwaZulu-Natal, King George V Avenue,

Room 4-05, Glenwood, Durban, South Africa, 4041.

E-mail: {vdmerwe, dawoudd, mcdonalds}@ukzn.ac.za.

Manuscript received 16 Dec. 2004; revised 5 Apr. 2006; accepted 18 Apr.

2006; published online 9 Jan. 2007.

Recommended for acceptance by M. Singhal.

For information on obtaining reprints of this article, please send e-mail to:

tpds@computer.org, and reference IEEECS Log Number TPDS-0307-1204.

Digital Object Identifier no. 10.1109/TPDS.2007.1005.

1045-9219/07/$25.00 ß 2007 IEEE Published by the IEEE Computer Society

Break-resistance: An adversary in possession or control

of the group secret key and/or the individual secret shares

of any number of group members cannot generate a valid

threshold-multisignature and/or partial/individual signa-

tures; thus, although the underlying threshold cryptosystem

has been broken, the threshold-multisignature signature

scheme should not be breakable.

Threshold-multisignature schemes can be differentiated

from threshold group signatures [12] by the fact that by

definition, in the latter, the individual signers remain

anonymous since it is computationally hard to derive the

identities from the group signature, with the exception of

the group managers. In contrast, by the above-defined

traceability property of threshold-multisignature schemes, the

individual signers are publicly traceable and do not enjoy

anonymity. Consequently, the traceability property of

threshold-multisignature schemes allows the individual

signers to be held accountable in the public domain and

renders the unlinkability property of threshold group

signature schemes, as defined in [11], inapplicable.

An important component of any threshold digital

signature scheme is the sharing of the group key [2]. If

the group key sharing does not involve a trusted third party

(TTP), the key sharing is performed by a distributed

collaborative protocol. A threshold-multisignature scheme

that is suitable for distributed systems (for example, ad hoc

networks [13]) may require a distributed-key generation

(DKG) protocol that effectively eliminates the TTP. The

first DKG protocol, for discrete logarithm-based threshold

cryptosystems, was introduced in [14] and a number of

promising proposals for DKG have been published since

[15], [3], [16], [17]. In these schemes, the distributed-key is

generated in a distributed fashion as a function of the

random input of all protocol participants while preserving

the symmetric relationship between them.

In threshold cryptosystems, it is impractical to assume

that an adversary cannot compromise more than t share-

holders during the entire lifetime of the distributed secret

[18]. The secret shares therefore have to be periodically

updated using a distributed-key updating (DKU) protocol.

The DKU scheme allows for only an impractical period T in

which an active/mobile adversary has time to compromise

a sufficient percentage of the group secret shares [18].

The access structure À

ði.tÞ

1

of the initial share distribution

will not necessarily remain constant [19]. Assuming the

same shareholders to be present at all times is unrealistic

and the availability/security trade-off (set by the total

number of group members ðiÞ and threshold ðtÞ) may need

to be changed as a function of system vulnerability,

networking environment, and current functionality of the

cryptosystem. The shares must then be redistributed to a

new access structure À

ði

0

.t

0

Þ

1

0 using a distributed-key redistribu-

tion (DKR) protocol [19], [20].

The main objective of this paper is to propose a new

threshold-multisignature scheme without a trusted third

party (TTP), based on a round optimal, publicly verifiable

DKG protocol. The proposed scheme can be easily adapted

to incorporate a TTP; a version of the proposed scheme with

the assistance of a TTP will therefore not be presented. The

proposed discrete logarithm-based threshold-multisigna-

ture scheme is also proactively secure, allowing for DKR to a

new access structure À

ði

0

.t

0

Þ

1

0 and periodic DKU to mitigate

attacks from an active/mobile adversary. The proposed

discrete logarithm-based threshold-multisignature scheme

is made proactively secure by periodically updating secret

shares and facilitating changes in group membership by

allowing an authorized subset u of existing group members

to redistribute secret shares to a new access structure À

ði

0

.t

0

Þ

1

0 .

The paper is organized as follows: In Section 2, the new

threshold-multisignature scheme is proposed. Section 3

introduces a new distributed-key redistribution/updating

(DKRU) scheme. The security and features of the proposed

threshold-multisignature scheme are discussed in Section 4.

Some conclusions are provided in Section 5.

2 PROPOSED THRESHOLD-MULTISIGNATURE

SCHEME

In this section, a novel threshold-multisignature scheme,

without assistance from a trusted key distribution center

(KDC), is proposed. The scheme consists of the following

six parts (Section 2.1 through Section 2.6):

2.1 System Parameter Setup

The group members 1

i

, for i ¼ 1 : i, agree on and publish

the following system parameters:

. j. ¡ two large primes such that ¡ j ðj À 1Þ,

. q generator of the cyclic subgroup of order ¡ in ð7Þ

Ã

j

,

. HðÁÞ collision-free one-way hash function,

. ði. tÞ threshold parameter t and total number of

group members i, and

. T threshold cryptosystem secret update period.

Protocol participants 1

i

, for i ¼ 1 : i, are assumed to have a

long-term public/private key pair 11

i

,o1

i

and an

authentic certificate, verifiable with the public key of a

common trusted third party. The certificate of 1

i

binds the

public key 11

i

¼ q

o1

i

to user 1

i

’s identity 11

i

. The

certificates are distributed to (or can be traced by) all

communication entities 1

,

, for , ¼ 1 : i, , 6¼ i.

2.2 Initial Publicly Verifiable Distributed-Key

Generation

In this section, a publicly verifiable distributed-key generation

(DKG) protocol is presented. The round optimal DKG

protocol is developed from the scheme of Zhang and Imai

[17]. The purpose of the protocol is to realize secure, initial

secret sharing to an access structure À

i.t

1

, without a trusted

dealer or KDC.

The protocol executes in four steps:

1. For 1 i i, 1

i

chooses a random number

d

i

2 ½1. ¡ À 1. 1

i

then shares the random value d

i

with all of the other protocol participants, using

Shamir’s secret sharing scheme [21] as follows:

a. Sets o

i.0

¼ :

i.0

¼ d

i

and chooses at random

o

i./

2 ½1. ¡ À 1, for 1 / t À 1, such that the

numbers o

i.0

. . . . . o

i.tÀ1

define a polynomial

)

i

ðAÞ ¼

tÀ1

/¼0

o

i./

A

/

over ZZ

¡

.

b. For , ¼ 0. . . . . t À 1, 1

i

computes, ¹

i.,

¼ q

o

i.,

iod j. For , ¼ 1. . . . . i, 1

i

computes :

i.,

¼ )

i

ð11

,

Þ iod ¡, y

i.,

¼ q

:

i.,

iod j and an encryption

VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 563

1

11,

ð:

i.,

Þ of each secret shadow. 1

i

then binds

itself to the public values by generating the digital

signature ði

1

i

:

1

i

Þ on message ð½y

i.1

. 1

11

1

ð:

i.1

Þ k

Á Á Á k ½y

i.i

. 1

11

i

ð:

i.i

Þ k ¹

i.0

k Á Á Á k¹

i.ðtÀ1Þ

Þ using

the ElGamal type signature variant: G1o ¼

ð`.1GII.3.oð1Þ. i. :. /ði. iÞ. 1Þ, developed from

the generalized ElGamal scheme presentedin [9].

The signature is generated with 1

i

’s long-term

private key o1

i

. 1

i

broadcasts the message and

the signature to all protocol participants. The

encryption 1

11,

ð:

i.,

Þ of the secret shadow for

protocol participant 1

,

is performed using an

appropriate publicly verifiable encryption scheme

[15], [22]. 1

i

keeps the share when , ¼ i.

2. Protocol participants 1

1

. . . . . 1

i

each verify the

following:

a. ði

1i

. :

1i

Þ is a valid signature on the public values

ð½y

i.1

. 1

111

ð:

i.1

Þ k Á Á Á k ½y

i.i

. 1

11i

ð:

i.i

Þ k ¹

i.0

k

Á Á Á k ¹

i.ðtÀ1Þ

Þ

receivedfrom1

i

. This serves as aproof of integrity

and binds participant 1

i

to these public values.

b. 1

11

,

ð:

i.,

Þ is the correct encryptionof :

i.,

under the

public key 11

,

. This implies that anybody can

verify that y

i.,

and :

i.,

satisfy the following

relationship: y

i.,

¼ q

:

i.,

iod j and that protocol

participant 1

,

can correctly retrieve the subshare

:

i.,

(note that only 1

,

can decrypt 1

11,

ð:

i.,

Þ with

its corresponding private key o1

,

to recover :

i.,

).

c. 1

,

knows that the subshare distribution from

member 1

i

is correct if (1) holds.

tÀ1

/¼0

¹

ð11

,

Þ

/

i./

¼

tÀ1

/¼0

ðq

oi./

Þ

ð11,Þ

/

¼ q

tÀ1

/¼0

ðoi./Þð11,Þ

/

¼ q

)i ð11,Þ

ðiod jÞ ¼ y

i.,

.

ð1Þ

3. Participants are disqualified if they do not follow the

protocol correctly. The remaining set of participants

form the set Q. The protocol aborts if Q contains less

than t members. 1

,

uses the correct shares received

from i 2 Q to compute the following:

r

,

¼

i2Q

ð:

i.,

1

i

Þ iod ¡. ð2Þ

where the Lagrangian coefficient is given as:

1

i

¼

/2Q./6¼i

11

/

11

/

À11

i

iod ¡. ð3Þ

The secret key r

,

is 1

,

’s new share in the distributed

group secret key r

Q

. The group public key can be

computed (verified) by any group member or

outsider as:

y

Q

¼

i2Q

¹

1

i

i.0

¼ q

i2Q

)i ð0Þ1i

¼ q

r

Q

iod j. ð4Þ

Each 1

,

, , 2 Q calculates its public key as y

,

¼

q

r

,

iod j. Using the ElGamal type signature variant

G1o, 1

,

binds itself tothepublic keyy

,

bygeneratinga

signature ði

1

,

. :

1

,

Þ on y

,

using its long-term private

key o1

,

. 1

,

broadcasts ðy

,

. i

1,

. :

1,

Þ to all protocol

participants. 1

,

also verifies the authenticity of the

receivedpublic keys after calculating the public key y

i

of all 1

i

, i 2 Q as:

y

i

¼ q

r

i

¼ q

,2Q

ð:

,.i

1

,

Þ

¼

,2Q

y

1,

,.i

iod j. ð5Þ

4. Each 1

,

, , 2 Q completely erases all traces of its

initial randomly chosen value d

,

and all generated

subshares :

,.i

¼ )

,

ð11

i

Þ iod ¡ ði ¼ 1. . . . . i) and re-

ceived subshares :

i.,

ði 2 QÞ.

The secret can be constructed if t or more honest players,

from the set Q, collect:

r

Q

¼

,2Q

r

,

/2Q./6¼,

11

/

11

/

À11

,

_ _

iod ¡. ð6Þ

Taking the Lagrange polynomial of the original random

values d

,

, for , 2 Q, also yields the group secret r

Q

, which

highlights the importance of erasing these values securely.

In Section 3, a publicly verifiable distributed-key redis-

tribution/update (DKRU) protocol is proposed that is

compatible with the initial DKG protocol given above.

The differences and the significance of the similarity are

discussed in Section 4.6 and Section 5.

2.3 Individual Signature Generation

Any subset u of t or more members can represent the group

and sign an arbitrary message i. Each member 1

i

, i 2 u,

selects a random integer /

i

2 ½1. ¡ À 1 and computes

i

i

¼ q

/

i

iod j. Each member verifiably encrypts /

i

with its

own long-term public key 11

i

using a verifiable encryption

scheme [15], [22] to generate 1

11i

ð/

i

Þ. Using the ElGamal

type signature variant G1o, 1

i

generates a signature

ði

0

1i

. :

0

1i

Þ on ½i

i

. 1

11

i

ð/

i

Þ using its long-term private key

o1

i

. 1

i

broadcasts ði

i

. 1

11i

ð/

i

Þ. i

0

1

i

. :

0

1

i

Þ to all protocol

participants. This implies that each member commits to its

public value i

i

and provides a proof of knowledge of its

corresponding discrete logarithm, /

i

.

After all committed i

i

s are available and members with

invalid i

i

s are excluded from the set u, the value 1 is

calculated as follows:

1 ¼

i2u

i

i

iod j. ð7Þ

Each 1

i

uses public values 11

,

authentically bound to 11

,

,

for , 2 u, to form the set 1.

1

i

uses its (secret share)/(private key) set ðr

i

. o1

i

Þ and

random number /

i

to compute its individual signature :

i

on

message i as follows:

:

i

¼ ½Hði. 1. 1Þ½ðr

i

Þ Á 1

ui

þo1

i

þ/

i

iod ¡. ð8Þ

where the Lagrange interpolating coefficient 1

ui

is given by:

1

ui

¼

/2u./6¼i

11

/

11

/

À11

i

iod ¡.

564 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007

The set ð:

i

. i

i

. 1

ui

. 1Þ is the individual signature of 1

i

on

message i, which is broadcast to all other group members.

2.4 Individual Signature Verification

On receiving all of the signatures ð:

i

. i

i

. 1

ui

. 1Þ, 1

,

, , 2 u,

performs the functionality of a clerk and uses the public key

set ðy

i

. 11

i

Þ to authenticate the individual signature of 1

i

by verifying if 1

ui

is correct and whether the following

equation holds for i 2 u, i 6¼ ,:

q

:i

¼ y

1ui

i

11

i

_ _

½Hði.1.1Þ

i

i

iod j. ð9Þ

If (9) fails to hold, the individual signature of 1

i

onmessage i

is invalid. Participants are disqualified if their individual

signatures are found to be invalid. The remaining honest

participants form the set c and repeat the individual signature

generation part from (7), with u ¼ c. The protocol aborts if c

contains less than t members.

2.5 Threshold-Multisignature Generation

After 1

,

, , 2 c, has received and verified t or more

individual signatures, the second signature parameter o of

the threshold-multisignature ð1. oÞ on message i can be

computed as:

o ¼

i2c

:

i

iod ¡. ð10Þ

The set of identities 1 is appended to ð1. oÞ and provides

an explicit link between the threshold signature and the

subset of individual signers who collaborated to generate

the threshold signature ð1. o. 1Þ on message i.

2.6 Threshold-Multisignature Verification and

Individual Signer Identification

Any outsider can use the group public key y

Q

and public

keys 11

i

bounded to the identities 11

i

, for i 2 c, to verify

the validity of the threshold-multisignature ð1. o. 1Þ on an

arbitrary message i. The signature verifier calculates the

subgroup public key 11

c

as follows:

11

c

¼ q

i2c

o1

i

¼

i2c

11

i

iod j. ð11Þ

The signature verifier now has all the information to check

if the following congruency holds:

q

o

ðy

Q

11

c

Þ

½Hði.1.1Þ

1 iod j. ð12Þ

If (12) holds, the threshold-multisignature ð1. o. 1Þ on

message i is valid and the subgroup 1 of individual

signers is positively identified. (See Section 4.1 for proof of

correctness.)

3 PROPOSED PUBLICLY VERIFIABLE

DISTRIBUTED-KEY REDISTRIBUTION/UPDATE

PROTOCOL

The proposed publicly verifiable distributed-key redistribu-

tion/update (DKRU) protocol is as follows:

A distributed group secret r

Q

is redistributed from À

i.t

1

to

a new access structure À

i

0

.t

0

1

0 , using the shares of the

authorized subset u 2 À

i.t

1

. The system parameter setup

given in Section 2.1 is applicable.

The initial secret distribution to the access structure À

i.t

1

is

performed using the publicly verifiable distributed-key gen-

eration (DKG) scheme given in Section 2.2. Note that the

proposed DKRU protocol is compatible with the initial DKG

protocol. The minor differences and the significance of the

similarity are discussed in Section 4.6 and Section 5. The

proposed DKRUprotocol can be used as a publicly verifiable

distributed-key updating (DKU) protocol bysimplykeepingthe

access structure constant, À

i

0

.t

0

1

0 ¼ À

i.t

1

. For the sake of

proactive security, the threshold cryptosystemshares should

be periodically updated within a limited time period T.

The publicly verifiable property by definition means that

any outsider can obtain all of the required information from

the broadcast channel to validate the operation of both the

initial DKG and DKRU protocols.

Assume that a subset c of new members join or existing

members leave the threshold cryptosystem.

The protocol executes in four steps:

1. 1

i

, i 2 u share their secret share r

i

of group secret

key r

Q

with 1

,

2 À

i

0

.t

0

1

0 , using Shamir’s secret sharing

scheme [21]:

For i 2 u:

a. 1

i

sets o

0

i.0

¼ :

0

i.0

¼ r

i

and chooses at random

o

0

i./

2 ½1. ¡ À 1, for 1 / t

0

À 1, such that the

numbers o

0

i.0

. . . . . o

0

i.t

0

À1

define a polynomial

)

0

i

ðAÞ ¼

t

0

À1

/¼0

o

0

i./

A

/

over ZZ

Q

.

b. For ,¼0. . . . . t

0

À1, 1

i

computes ¹

0

i.,

¼ q

o

0

i.,

iod j.

For , ¼ 1. . . . . i

0

, 1

i

computes :

0

i.,

¼ )

0

i

ð11

,

Þ

iod ¡, y

0

i.,

¼ q

:

0

i.,

iod j and an encryption 1

11,

ð:

0

i.,

Þ of each secret shadow. 1

i

then binds itself to

the public values bygeneratinga digital signature

ði

0

1i

. :

0

1i

Þ on message ð½y

0

i.1

. 1

11

1

ð:

0

i.1

Þk Á Á Á k

½y

0

i.i

0 . 1

11

i

0

ð:

0

i.i

0 Þ k ¹

0

i.0

k Á Á Á k ¹

0

i.ðt

0

À1Þ

k y

u

Þ using

the ElGamal type signature variant: G1o ¼

ð`.1GII.3.oð1Þ. i. :. /ði. iÞ. 1Þ, developed from

the generalized ElGamal scheme presented in [9].

The signature is generated with 1

i

’s long-term

private key o1

i

. 1

i

broadcasts the message and

signature toall protocol participants. Notethat 1

,

,

, 2 u, knows the authentic public values y

i

of

1

i

2 À

i.t

1

, from a previous DKG or DKRU opera-

tion (see (5) and (16)). The set y

u

is formed by y

i

,

i 2 u, andonly includedinthe broadcast message

if new members join the group. The encryption

1

11

,

ð:

0

i.,

Þ of the secret shadow for protocol

participant 1

,

is performed using an appropriate

publicly verifiable encryption scheme [15], [22]. 1

i

keeps the share when , ¼ i.

2. Protocol participants 1

1

. . . . . 1

i

0 each verify the

following:

a. ði

0

1i

. :

0

1i

Þ is a valid signature on the public values

ð½y

0

i.1

. 1

11

1

ð:

0

i.1

k Á Á Á k ½y

0

i.i

0 . 1

11

i

0

ð:

0

i.i

0 Þ k ¹

0

i.0

k

Á Á Á k ¹

0

i.ðt

0

À1Þ

k y

u

Þ.

VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 565

b.

¹

0

i.0

¼ y

i

8 i 2 u. ð13Þ

If 1

,

, , 2 c are new members joining the group,

then they must only use y

i

s found to be

consistant in the broadcast messages received

from t or more members of subset u. If the

conditions do not hold for more than t members

from the authorized subset u, abort the protocol;

otherwise, evaluate the following equation:

t

0

À1

/¼0

¹

0ð11

,

Þ

/

i./

¼

t

0

À1

/¼0

ðq

o

0

i./

Þ

ð11

,

Þ

/

¼ q

t

0

À1

/¼0

ðo

0

i./

Þð11

,

Þ

/

¼ q

)

0

i

ð11,Þ

ðiod jÞ ¼ y

0

i.,

.

ð14Þ

1

,

knows that the subshare distribution received

from 1

i

is correct if (14) holds.

3. Participants are disqualified if they do not follow the

protocol correctly. The remaining set of participants

forms the set Q

0

. The protocol aborts if Q

0

contains

less than t members of the authorized subset u. 1

,

uses the correct shares received from i 2 Q

0

to

compute the following: r

0

,

¼

i2Q

0 :

0

i.,

1

0

i

, where the

Lagrangian coefficient is given as:

1

0

i

¼

/2Q

0

./6¼i

11

/

11

/

À11

i

iod ¡. ð15Þ

The secret key r

0

,

is 1

,

’s new share in the distributed

group secret key r

Q

0 .

1

If the conditions presented in

Step-2 hold, then 1

0

,

knows that its new secret key r

0

,

is a valid share of r

0

Q

. Each 1

,

, , 2 Q

0

calculates its

public key as y

0

,

¼ q

r

0

,

iod j. Using the ElGamal type

signature variant G1o and its long-term private key

o1

,

, 1

,

generates a signature ði

0

1

,

. :

0

1

,

Þ on y

0

,

, binding

itself to the public value. 1

,

broadcasts ðy

0

,

. i

0

1,

. :

0

1,

Þ to

all network participants. 1

,

also calculates the public

key of all 1

i

, i 2 Q

0

, as:

y

0

i

¼ q

r

0

i

¼ q

,2Q

0

ð:

0

,.i

1

,

Þ

¼

,2Q

0

y

01,

,.i

iod j. ð16Þ

4. Each 1

,

, , 2 Q

0

completely erases all traces of its old

share r

,

and all generated subshares :

0

,.i

¼

)

0

,

ð11

i

Þ iod ¡ ði ¼ 1. . . . . i

0

Þ and received subshares

:

0

i.,

(i 2 Q

0

).

The secret can be constructed if t

0

or more honest players,

from the set Q

0

, collect:

r

Q

0 ¼

,2Q

0

r

0

,

/2Q

0

/6¼,

11

/

11

/

À11

,

_ _

iod ¡. ð17Þ

Any network participant can calculate (verify) the group

public key when needed, using the available public

information, as follows:

y

Q

0 ¼

i2Q

0

¹

01

0

i

i.0

¼ q

i2Q

0

)

0

i

ð0Þ1

0

i

¼ q

r

Q

0

iod j. ð18Þ

4 DISCUSSION ON THE SECURITY AND

FEATURES OF THE PROPOSED

THRESHOLD-MULTISIGNATURE SCHEME

The proposed threshold-multisignature scheme is based on

a multiparty extension of the ElGamal type signature

variant: G1o ¼ ð`.1GII.3.oð1Þ. i. :. /ði. iÞ. 1Þ [9]. The pro-

posed threshold-multisignature scheme can equally use any

other secure and efficient signature variant of the ElGamal

type signature scheme. References [9], [10] help in selecting

such a variant. The main reason for using the defined G1o

is to minimize the computational cost of generating and

verifying the individual signatures and group-oriented

signature in a multiparty setting without compromising

security.

The security analysis considers a straightforward general

adversary model. An adversary is a malicious party that uses

every means available to break the proposed threshold-

multisignature scheme. Any active adversary can eavesdrop

on all of the communication between group members,

modify the content of messages, and inject them back into

the channel. When an honest party is compromised, all of

its public and private information is exposed to the

adversary.

To argue the security and validity of the proposed

threshold-multisignature scheme, it is enough to show that

the scheme fulfills all of the fundamental properties of

generic threshold-multisignature schemes given in Section 1

and resists attacks to which other similar schemes are

subject.

4.1 Correctness and Threshold Property

Any t or more honest group members of the authorized

subset c can collaborate and use the threshold-multi-

signature scheme to produce a valid threshold-multisigna-

ture ð1. o. 1Þ on an arbitrary message i. In the context of

the statement, /oic:t implies that the group members

follow the protocol as specified in Section 2.

Proof.

:

i

¼ ½Hði. 1. 1Þ½ðr

i

Þ Á 1

ci

þo1

i

þ/

i

iod ¡ ði 2 cÞ.

o ¼

i2c

ð:

i

Þ ¼ ½Hði. 1. 1Þ

i2c

½ðr

i

Þ Á 1

ci

þ

½Hði. 1. 1Þ

i2c

ðo1

i

Þ þ

i2c

ð/

i

Þ iod ¡.

q

o

¼ q

½Hði.1.1Þ½

i2c

½ðri ÞÁ1ci

q

½Hði.1.1Þ

i2c

ðo1iÞ

q

i2c

ð/iÞ

iod j

¼ q

½Hði.1.1Þr

Q

i2c

ð11

i

Þ

_ _

½Hði.1.1Þ

i2c

ði

i

Þ iod j

¼ ðy

Q

11

c

Þ

½Hði.1.1Þ

1 iod j.

tu

566 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007

1. The group secret remains constant, irrespective of distributed-key

redistribution or distributed-key updates, ;y

Q

0 ¼ q

r

Q

0

¼ y

Q

¼ q

rQ

. Group

members 1

,

, for , 2 Q

0

belonging to the new access structure À

i

0

.t

0

1

0

thus

share the same group secret and public key as the old access structure À

i.t

1

.

4.2 Traceability of Signers

The reason for the intractability of [6] and [8], as presented

by [23] and [24], [25], respectively, is due to the non-

existence of a relationship between the threshold signature

ð1. oÞ and the Lagrange polynomial /ðyÞ used by the

signature verifier to identify the individual signers. The

polynomial /ðyÞ is constructed by the designated combiner

with t pairs of public values belonging to members of the

subgroup u that submitted valid partial signatures. The

Lagrange interpolation polynomial, /ðyÞ is given as [6]:

/ðyÞ ¼

t

1¼1

r

i

t

,¼1.,6¼i

y Ày

,

y

i

Ày

,

¼ /

tÀ1

y

tÀ1

þ . . . þ/

1

y þ/

0

. ð19Þ

It is noted here that it is possible to create such a

relationship between /ðyÞ and ð1. oÞ and make the schemes

proposed in [6], [8] traceable by including /ðyÞ within the

individual signatures. In the view of the authors, the schemes

presented in [6], [8], with a strong binding between /ðyÞ and

ð1. oÞ, still fail to provide an optimum solution to ensure

traceability. Using the polynomial function /ðyÞ to capture

the signers’ identities results in additional computational

overhead for the threshold signature verifiers (iðt À 1Þ

multiplications and iðt À 2Þ exponentiations) and fails to

reduce the threshold group-oriented signature size. The

polynomial /ðyÞ of degree t À 1, constructed from t data

points, requires at least t coefficients ð/

0

. /

1

. . . . . /

tÀ1

Þ to be

uniquely defined. Rather than including the coefficients in

the individual signatures and appending the coefficients to

the threshold signature, the proposed threshold-multi-

signature scheme uses the subset of identities 1 instead.

This saves the signature verifier the computational over-

head of evaluating /ðyÞ to learn the identities of the

individual signers. The computational cost of generating

/ðyÞ is considered in Section 4.7.4.

The traceability property of the proposed threshold-

multisignature scheme is verified in Section 4.3 by showing

that the signature verifier can only validate the threshold

signature if an authentic subset 1 of individual signers

collaborated to generate the signature. Since the subset 1 of

identities is used to validate the threshold signature (12) the

individual signers are publicly traceable and explicitly

bound to the threshold signature.

If a verifier were to know and use the certified public

keys of the individual signers, why not simply use a list of

individual (RSA) signatures for the group signature?

The threshold property must be guaranteed by crypto-

graphic means during the generation of the threshold

group-oriented signature to effectively share the power of

the cryptosystem between the group members [1], [2]. The

actual value of the threshold t may be (dynamically)

determined by an authorized subset of group members

[19] and thus forms part of the group policy. Expecting that

all (future) threshold group-oriented signature verifiers will

consistently enforce a (dynamic) group policy makes the

system vulnerable to attack.

4.3 Coalition-Resistance and Break-Resistance

The coalition and break-resistance properties can be verified

by showing that the proposed threshold-multisignature

scheme is break-resistant:

Assume a malicious subgroup u of t or more members

conspires to obtain the group secret r

Q

and wants to

frame valid subgroup c for a signature on an arbitrary

message i. This implies u wants to generate a valid

untraceable group-oriented signature. Any malicious party

1

,

chooses a random number / 2 ½1. ¡ À 1 and generates

1 ¼ q

/

. 1

,

uses the publicly known values ð11

i

Þ, for

i 2 c

0

, to form the subgroup ¹. (The public value 11

c

can

easily be calculated using (11).) The malicious member

can attempt to forge the threshold-multisignature by

computing o ¼ ½Hði. 1. ¹Þðr

Q

þo1

c

Þ þ/, which is im-

practical since 1

,

cannot compute o1

c

from 11

c

based

on the intractability of the discrete logarithm problem. An

alternative method is to solve for o to satisfy the

verification equation q

o

¼ ðy

Q

11

c

Þ

½Hði.1.¹Þ

1 iod j, which

is again impractical based on the intractability of the

discrete logarithm problem. An attacker’s last resort is to

randomly select a value 1 and signature parameter o and

then attempt to determine a value 1

0

that satisfies q

o

¼

ðy

Q

11

c

Þ

1

1 iod j and 1 ¼ ½Hði. 1

0

. ¹Þ simultaneously.

This is known to be impractical based on the properties of

a secure collision-free one-way hash function HðÁÞ.

This shows that using the proposed threshold-multi-

signature scheme to produce a valid untraceable signature

or signing on behalf of any other subset of group members

is not possible, even if the threshold cryptosystem is broken,

i.e., the group secret r

Q

is known or controlled by an

adversary. It also confirms that the individual signers that

collaborate to generate a threshold-multisignature are al-

ways traceable. With little modification to the above

argument, it can be shown that forging individual signatures

is also impractical, even if a coalition of t or more group

members conspire to obtain an individual’s partial share r

i

of the group key r

Q

.

2

It can thus be concluded that the

proposed threshold-multisignature is break-resistant.

4.4 Attacks on Threshold-Multisignature Schemes

4.4.1 Collusion Attack

A collusion attack enables dishonest group members (and/or

a designated clerk or combiner node: see Section 4.5) that

work together to control the group key.

Wang et al. [25] report a collusion attack on the threshold-

multisignature scheme (without a trusted third party)

presented by Li et al. in [8]. Wang et al. [25] propose some

countermeasures against the attack. The first solution

requires each member to publish its public value y

i

simultaneously to mitigate the rushing attack on the group

secret. This solution is impractical since there is no method in

existing networking protocols of accommodating i simulta-

neous broadcasts nor can devices receive i simultaneous

messages without advanced hardware. Any network parti-

cipant will therefore always be able to make a legitimate

excuse for a late arriving public value. The second proposed

solution requires members to commit to their public values

andthen open their commitments to reveal the public values.

This solution, however, makes the protocol interactive and

thus vulnerable to an adaptive adversary [16], [17]. The third

VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 567

2. A formal security proof for the defined ElGamal signature variant

G1o in the Random Oracle and Generic Model ðROM þ GMÞ can be found

in [26]. The security proof of the underlying individual signature scheme

supports the break-resistance property.

solution requires members to provide a noninteractive proof

of knowledge of the discrete logarithmfor the public value y

i

to the base of the primitive element q. This solution is well

known and has been used by both Fouque and Stern [16] and

Zhang and Imai [17] to eliminate the need for a complaint

phase. As pointed out by Zhang and Imai, this approach was

first introduced in [15] by Stadler to realize a publicly verifiable

secret sharing scheme. The complaint phase also makes

distributed-key generation (DKG) schemes such as [14], [3],

[27] impractical considering the complexity of current multi-

party computations [16], [17].

The proposed threshold multisignature scheme prevents

adversaries from controlling the group key by using the

publicly verifiable, one round DKG protocol, given in

Section 2.2, and, thus, inherently eliminates attacks from an

adaptive adversary during the construction of the threshold

cryptosystem. The proposed scheme uses publicly verifiable

encryption [15], [22] that allows protocol participants to

provide a zero knowledge proof of their public values’

discrete logarithm. Publicly verifiable encryption, however,

does not offer a mechanism to bind participants to their

public values. Committing participants to their public

values and ensuring the public values’ integrity are both

essential if members are to be disqualified if their public

values fail to satisfy the verification equations (for example,

(1) or (9)). The existing round optimal DKG protocols [16],

[17] and threshold-multisignature schemes [4], [6], [7], [8]

fail to guarantee a strong binding between participants and

their public values. The weak binding allows an adversary

to manipulate public values that will result in the dis-

qualification of honest participants. The proposed thresh-

old-multisignature scheme and DKG protocol use the

ElGamal type signature variant G1o to generate secure

and efficient digital signatures, which explicitly binds

participants to their public values and simultaneously

provides a mechanism to ensure the values’ integrity.

4.4.2 Universal Forgery Attack

In [23], Tseng and Jan present a universal forgery attack on

the threshold signature schemes with traceability by Wang

et al. [6]. The attack allows any group member or outsider to

generate a valid forged threshold signature ð1

0

. o

0

Þ on an

arbitrary message i

0

from an existing valid threshold

signature ð1. oÞ on message i. Tseng and Jan also show in

[23] that Wang et al.’s schemes [6] are completely insecure

since the trapdoor information c

)ð0Þ

, which is, in fact, the

group secret ðy ¼ q

c

)ð0Þ

Þ, can be calculated as c

)ð0Þ

¼

o1

À1

HðiÞ

Àt

from any valid threshold signature ð1. oÞ in

message i.

The scheme by Wang et al. [6] is an example of an

insecure ElGamal type signature variant extended to a

multiparty setting. The universal forgery attack in [6] is a

direct consequence of the insecurity of the modified ElGamal

signature scheme on which the group signature is based.

Caution should be taken in the modification of the ElGamal

signature or when choosing an appropriate variant. The

modification of the basic ElGamal signature scheme for the

sake of efficiency can easily introduce an insecurity. The

threshold-multisignature scheme proposed in Section 2

takes this fact into consideration. It is developed from a

secure and optimally efficient variant that was selected

using the guidelines given in [9], [10].

4.4.3 Rushing Attack

In the context of group-oriented signature schemes, a

rushing attack is defined as a manipulation of the signature

parameters or keying material by an adversary based on the

public values received from all the other participants. The

adversary thus waits until all other participants have

played before defining its own value [16]. It is noted that

the collusion attack by Wang et al. [25] and universal

forgery attack by Wu and Hsu [24], both rely directly on a

rushing attack. Assuming the threshold signature scheme is

based on a secure and efficient variant [9], [10], it should be

clear that the majority of attacks on group-oriented

signature schemes can thus only come from a vulnerability

introduced by the extension of the ElGamal type signature

variant to accommodate multiple signers. Since group

members must all make a valid contribution to the thresh-

old signature parameters and group secret, it is evident that

manipulation of these values can occur if an adversary can

delay playing its own contribution. The adversary can

collect the contributed values of all other participants and

then compute its own contribution to force the signature

parameters or group secret to a known value when

calculated as a function of all contributed values. Fouque

and Stern [16] and Zhang and Imai [17] construct their

distributed-key generation schemes on a synchronous net-

work to prevent the adversary from delaying its response,

thereby eliminating rushing attacks. Fouque and Stern

propose a solution to mitigate rushing attacks without

using a synchronous network. Fouque and Stern define an

Incorruptible Third Party (ITP) to always play at the end,

therefore eliminating the requirement for synchrony and

preventing a malicious player from manipulating the

signature parameters. The ITP unfortunately becomes a

single point of vulnerability.

It is noted here that synchrony is not always required in a

discrete logarithm-basedthresholdgroup-orientedsignature

scheme based on a variant of the generalized ElGamal type

signature. Forcing players to provide a zero knowledge proof

of the discrete logarithm of all public values is sufficient to

completely eliminate the rushing attack in an asynchronous

network. Take, for example, the signature parameter 1,

which is generally calculated as 1 ¼

i2u

i

i

iod j, where

i

i

¼ q

/

i

is the public value of each player 1

i

with correspond-

ing randomly chosen secret /

i

. The malicious player 1

,

waits

for each 1

i

to play its i

i

. 1

,

chooses a randomvalue / and sets

1 ¼ q

/

. After receiving all i

i

s for i 2 u. i 6¼ ,, 1

,

factors out its

public value as i

,

¼ 1

i2u.i6¼,

i

À1

i

iod j , whichwill force the

other players to compute 1 at a later stage (of which the

discrete logarithm is known by 1

,

). Note that 1

,

does not

knowthe discrete logarithmof its public value i

,

nor can it be

calculatedbasedonthe intractability of discrete logarithms in

finite fields. This will, in particular, be true if the modular

arithmetic is done in an appropriate multiplicative subgroup

ðð7Þ

Ã

j

Þ or a cyclic subgroup of order ¡.

The attack presented by Michels and Horster [28] on the

threshold-multisignature proposed by Li et al. [4] is a good

example of the rushing attack principle. As in the above

example, the malicious player 1

,

in this attack does not

know the discrete logarithm of its own share i

,

; thus, if the

threshold group-oriented signature protocol requires each

568 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007

player to provide a zero knowledge proof of all public

values’ discrete logarithms, the benefit the adversary gains

from a rushing attack in an asynchronous network is

nullified. It will also prevent a malicious participant from

disrupting the protocol since the participant can simply be

disqualified if it does not play a fair game.

The proposed threshold multisignature scheme in this

paper requires players to provide a zero knowledge proof

of the discrete logarithm of their public values by generat-

ing a publicly verifiable encryption [15], [22] on the discrete

logarithm of the public values. With this mechanism, the

proposed scheme eliminates rushing attacks without any

requirement for synchrony.

4.4.4 Conspiracy Attack

It is noted here that the threshold signature scheme

proposed by Li et al. [8] is also vulnerable to a conspiracy

attack by t or more malicious members. Any t or more

members forming the subgroup u

0

can use their subshares

)ð11

i

Þ

,

, ði. , 2 u

0

Þ to construct the group secret key )ð0Þ as

)ð0Þ ¼

t

,¼1

ð)ð11

i

Þ

,

t

/¼1./6¼,

11

,

11

,

À11

i

Þ. Any malicious mem-

ber generates 1 ¼ q

/

i

and solves the following congruence

for integer o: o1 ð1þ/ðiÞÞ/

i

þ)ð0Þ iod ¡. The set

ð1. oÞ will be a universally forged signature on the arbitrary

message i, verifiable with the group-oriented signature

verification equation, q

o1

¼ 1

ð1þ/ðiÞÞ

y iod j.

As shown in Section 4.3, conspiracy attacks in the

proposed threshold-multisignature schemes are avoided by

each member contributing an individual secret (long-term

private key o1

i

) to the group-orientedsignature knownto be

explicitly associated with the member. A mechanism is

provided for verifying the members’ secret contributions

from the threshold-multisignature without revealing any

additional information of the secrets, except the information

that is publicly knowto be associatedwith the secrets, i.e., the

members’ public keys 11

i

, for i 2 c. Li et al. [4] defend

against conspiracy attacks in a similar approach by adding a

random number to the secret key, which effectively conceals

the member’s secret share of the group key. Note that this is,

however, only accurate for Li et al.’s scheme with a trusted

authority. Since the randomnumbers are not explicitly linked

tothe member’s identity, the scheme presentedin[4] does not

have a strong traceability property [6].

Conspiracy attacks in threshold-multisignature schemes

can also be avoided if the secret shares of members are

generated in such a way that construction of the threshold

cryptosystem’s secret polynomial or derivation of the group

secret from the members’ secret shares is computationally

infeasible. Wang et al. [6] propose such a scheme which

prevents conspiracy attacks without attaching a random

secret to secret shares. It is, however, noted that, since a

member’s public value in [6] is not explicitly linked to a

secret known to be associated with a group member, the

scheme by Wang et al. also lacks a strong traceability

property. The same comment can be made on the scheme

proposed by Lee and Chang in [7].

4.5 Symmetric Relationships—Eliminating the

Combiner

Acentralizedcombiner nodeis aspecializedserver whichcan

be seen as a single point of vulnerability and should be

replicated in distributed networks (for example, ad hoc

networks) to ensure a correct combination [13]. The scheme

proposed in this paper eliminates the need for a designated

combiner/clerk as the construction of the threshold-multi-

signature is done by the shareholders themselves. This

eliminates attacks relying on a corrupt clerk and mitigates

the problemof ensuringthe availability of a combiner node in

distributed networks [13]. The scheme also preserves the

symmetric relationship between the shareholders by placing

on each node the same computational, memory, and

communication overhead.

4.6 Proactive Security and Secret Redistribution

The proposed threshold-multisignature scheme defends

against mobile/active adversaries by proactively updating

the group key shares every period T. To allow for dynamic

group membership and modification of the availability/

security trade-off, the shares can be redistributed to a new

access structure À

i

0

.t

0

1

0 . The proposed publicly verifiable

distributed-key redistribution/update (DGRU) protocol pro-

posed in Section 3 was designed to support dynamic group

membership and allow for share updates by merely keeping

the access structure constant, i.e., À

i

0

.t

0

1

0 ¼ À

i.t

1

. Comparing the

DGRU protocol to the initial DKG protocol presented in

Section2.2, the reader will note that these protocols are almost

exactly equivalent. By deliberately keeping the phrasing and

notation as far as possible the same, the following minor

differences are easily identifiable:

. For the initial DKG, each user must choose a random

number d

i

, while the DKRU protocol uses the user’s

share r

i

of the group secret r

Q

.

. Members of the authorized subset u append the

public values y

i

of 1

i

2 u to ð½y

0

i.1

. 1

11

1

ð:

0

i.1

Þ k Á Á Á k

½y

0

i.i

0 . 1

11

i

0

ð:

0

i.i

0 Þ k ¹

0

i.0

k Á Á Á k ¹

0

i.ðt

0

À1Þ

Þ if new mem-

bers join the group.

. In the DKRU protocol, the participants must also

check that the condition presented in (13) holds

before verifying whether the subshare distribution is

correct by using (14). New members should only use

public values that have been found to be consistent

in t or more broadcast messages. If both (13) and (14)

are satisfied for t or more members of u, the users

are guaranteed that their new share in the original

group key r

Q

is valid.

The DKG protocol due to Zhang and Imai [17] was

modified to complement the proposed DKRU protocol

given in Section 3 and to allow for practical key redistribu-

tion/updating. Besides the differences given above, the

initial DKG protocol, DKU protocol, and DGR protocol are

conveniently performed by a single, publicly verifiable,

round optimal protocol. A protocol suite capable of

servicing all aspects of secret sharing is defined here as a

distributed-key management infrastructure (DKMI).

It is noted that the proposed DKMI is independent of the

proposed threshold-multisignature scheme and can be used in

other applications to construct and maintain a threshold

cryptosystem.

VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 569

The proposedDKMI presentedinSection2.2 andSection3

solves a major problem with existing secret redistribution/

update protocols. This problem is identified by Wong et al.

[20]: By definition, a threshold cryptosystemallows t or more

members holding a secret share to reconstruct the group

secret. In a proactively secure threshold cryptosystem, not

more than t À 1 members can be compromised or become

faulty within an update time period T; otherwise, the system

is broken. Referring to the proposed DKRU protocol pre-

sented in Section 3 and the secret redistribution scheme by

Wong et al. [20], the authorized subset u may thus contain, in

the worst-case scenario, t À 1 malicious members out of the

total i groupmembers. The t À 1 malicious members in u can

thus distribute subshares :

i.,

of an incorrect share r

i

to new

members joining the system. Although new members can

detect the discrepancy in the broadcast values, they cannot

identify which members are malicious. It is noted here that

this is not only applicable to the new members in the scheme

proposed by Wong et al., but also existing members cannot

identify the malicious members inu and, therefore, malicious

members cannot be disqualified. Consequently, the redis-

tribution protocol proposed by Wong et al. [20] must be

repeatedeachtime witha different authorizedsubset u

0

, with

ju

0

j ¼ t, until all values are consistent and all the verification

conditions hold. Wonget al. give aworst-caserepetitionof the

protocol bounded by

i

t

_ _

À

iÀtþ1

t

_ _

¼

tÀ1

i¼1

tÀ1

i

_ _

iÀtþ1

tÀi

_ _

,

which makes the scheme impractical.

This paper presents a solution to the above problem with

existing secret redistribution/update protocols as follows:

In the proposed DKMI, the protocol participant 1

,

in the

initial DKG protocol uses (5) to calculate the authentic public

values y

i

corresponding to the secret share r

i

of each 1

i

, for

i 2 Q. In the DKRU protocol, members of the authorized

subset u construct a polynomial with their secret share set to

o

0

i.0

¼ :

0

i.0

¼ r

i

. In order to ensure that (14) holds and to avoid

identification, the malicious members are forced to compute

and broadcast ¹

0

i.0

¼ q

o

0

i.0

with their computed subshare

witnesses y

i.,

. Assume that a subset c of new members are

joining the threshold cryptosystem. 1

i

, i 2 u, broadcast to all

members a message that includes their calculatedpublic keys

y

i

, for all other 1

i

, i 2 u. All existing members forming part of

the new access structure À

ði

0

.t

0

Þ

1

0 can detect and positively

identify a malicious member that distributes subshares :

i.,

of

an incorrect share r

i

, by checking if (13) holds. The only

feasible optionis to require the authorizedsubset u to include

all the existing members that will formpart of the newaccess

structure À

i

0

.t

0

1

0 . By the fundamental definition of a threshold

cryptosystem, this will always ensure at least t members of u

with consistent public values. This requirement places no

limitation on the practicality of the proposed distributed-key

management infrastructure (DKMI)

3

and keeps the scheme

round optimal.

The new members will detect the discrepancies in the

public values broadcast by the members in u. Since the new

members will receive consistent public values from at least

t participants, the participants with inconsistent values can

therefore be considered malicious or faulty and are there-

fore positively identified.

4

Before joining members have

obtained a valid share of the group secret, they do not have

any authority and, therefore, can only implicitly aid in the

disqualification of malicious members by only using the

subshares of the t or more members with consistent public

values to compute their own new share in the group key.

4.7 Efficiency Analysis

The efficiency of threshold-multisignatures may be based on

the followingfive criteria (Section4.7.1 throughSection4.7.5):

4.7.1 Group Public Key Length

The public key length in similar schemes will be briefly

considered. In order to make a feasible comparison, only

schemes that attempt to eliminate conspiracy attacks are

evaluated:

Li et al. [4]: The group public key of [4] not only consists

of y, but also implicitly includes the following public values

fr

i

. :

i,

g. In the Li et al. scheme, protocol participants attach

a secret random number to their group secret shares in an

attempt to avoid a conspiracy attack. Consequently, the

public key includes the public values fr

i

. :

i,

g since these

values are required by the signature verifier to validate a

threshold signature. It can thus be concluded that the public

key is dependent on the number of group members i.

Wang et al. [6]: The scheme proposed in [6] is an

improvement on the scheme presented in [4] since con-

spiracy attacks are prevented without attaching a random

number to secret shares. The group public key is thus

independent of the group size i. The protocol, however,

requires the participants to order themselves into a ring

topology, which can be limiting in some network scenarios.

Lee and Chang [7]: The threshold-multisignature scheme

in [7] also avoids conspiracy attacks without attaching a

random secret to shares. The group public key is dependent

on the number of group members i as the signature verifier

needs the individual public values y

i

of all group members

and two additional parameters c

Q

and c

n

to compute the

subgroup public key, Y , that is required to verifying the

threshold signature. Difficulty will be experienced with this

scheme when trying to eliminate the need for a trusted

authority to distribute the initial group key shares.

A robust authentication mechanism is essential for

securing a distributed system against active adversaries

and central to ensuring the traceability of individual

signers. As shown in Section 4.3, the proposed threshold-

multisignature scheme uses the long-term private keys of

members o1

i

, provided by a public key infrastructure, to

570 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007

3. It is obvious that existing members that do not participate in the

distributed-key redistribution or distributed-key update procedure will be

excluded from the threshold cryptosystem, therefore, old members wanting

to form part of 1

0

are always available to help with distributing subshares

to new members.

4. The proposed scheme does have another mechanism for all network

participants to identify malicious members. Since both the initial DKG

protocol (Section 2.2) and DKRU protocol (Section 3) are both publicly

verifiable, all network participants have exactly the same information as

existing members of the threshold cryptosystem, except for a valid share in

the group secret. A joining member who has observed a periodic DKRU

procedure can calculate the authentic public values of each group member

using (16) and, therefore, identify malicious members during the next

DKRU procedure.

avoid conspiracy attacks even if colluding members derive

or control the group secret r

Q

. As a result of members

including their private keys in their individual signatures, the

public key of the scheme consists of y

Q

and the public key

11

c

of the subgroup c that collaborated to generate the

threshold signature. The public key 11

c

of the subgroup c

is a function of the long-term public keys 11

i

of the group

members 1

i

, for i 2 c. Although the group public key may

be perceived to be dependent on the group size i, the

scheme does not introduce any additional storage require-

ments since the public keys 11

i

, for i 2 c used to calculate

11

c

is publicly known (traceable) and primarily required

for authentication purposes.

4.7.2 Group-Oriented Signature Size

The main contribution to the communication overhead, post

signature generation, is made by the size of the threshold

group signature. The threshold signature size of threshold-

multisignature schemes is bound to be dependent on the

threshold parameter or, more precisely, t þc, where

0 c ði ÀtÞ. This conclusion is naturally drawn from

the traceability property of threshold-multisignature schemes,

as given in Section 1, which specifies that any outsider must

be able to retrieve the identities of the individual signers

from the threshold signature. The threshold signature must

thus be bound to information explicitly linked to each of the

signers that collaborated to generate the threshold signa-

ture. In the case of the proposed scheme, the information is

the identities of the individual signers contained in 1. The

individual identities of the group members can be carefully

chosen to significantly reduce the size of the threshold-

multisignature.

4.7.3 Communication Cost of Signature Generation

and Verification

In terms of communication cost, the individual and thresh-

old signature generation mechanisms of all the existing

threshold-multisignature schemes and the proposed

scheme are almost equivalent. Multiparty signature

schemes constructed from ElGamal type (discrete loga-

rithm-based) signature variants are bound to be interactive.

In round one, each participant generates a commitment i

i

and, in the second round, generates an individual signature

ð:

i

. i

i

Þ on an arbitrary message i. In the third round,

participants send their contribution to a combiner or

designated clerk which constructs the threshold signature.

Assume the authorized subset u of group members

collaborate to sign i. This yields a three round protocol

for existing schemes, which requires ð2jujÞ broadcast

messages and ðjujÞ unicast messages. The proposed thresh-

old-multisignature scheme, is to the best of the authors’

knowledge, the first threshold group-oriented signature

scheme with traceability that allow malicious members to

be positively identified and disqualified from the group.

The proposed scheme also eliminates the need for a

combiner. Assuming u contains at least one malicious or

faulty participant, the proposed protocol will still require

three rounds and only two rounds if all individual

signatures satisfy (9). Therefore, in the three round scenario,

the proposed protocol requires ð3jujÞ broadcast messages

and, in the latter two round scenario only, ð2jujÞ broadcast

messages.

4.7.4 Computational Cost of Signature Generation

and Verification

To make a feasible comparison between the computational

cost of the proposed threshold-multisignature scheme and

similar schemes [4], [6], [7], it is assumed that the system

parameters are chosen to yield the same time complexity for

exponentiations, multiplications, andsummations. Although

summations and, in some cases, multiplications contribute to

an insignificant fraction of the overall time complexity, these

operations are still included for the sake of completeness.

Values that remain constant between different signature

generations (for example, the inner parts of the Lagrange

coefficients) can be precomputed and are therefore not

included in the analysis. The computational cost of the

schemes will be given in terms of the minimum threshold ðtÞ

members (out of the total ðiÞ group members) required to

collaboratively sign an arbitrary message i.

The threshold-multisignature schemes presented in [4],

[6], [7] were chosen for analysis since they all make an

attempt to eliminate a conspiracy attack by t or more

colluding members.

In Table 1 and Table 2, the schemes, with the assistance

of a trusted key distribution center (KDC), are compared.

Note that, although this paper does not present a threshold-

multisignature scheme with a KDC, it can be trivially

extended to incorporate a KDC without making any changes

to the individual/threshold signature generation and

verification procedures. Table 3 and Table 4 compare the

proposed threshold-multisignature scheme, without a KDC,

with the existing schemes.

In the schemes proposed by Wang et al. [6] and Li et al. [8],

the public values of the individual signers are captured

withintheLagrangeinterpolationpolynomial /ðyÞ as givenin

(19). The coefficients ð/

0

. /

1

. . . . . /

tÀ1

Þ of /ðyÞ are appended to

thethresholdsignature bythe combiner/clerk, whichenables

the threshold signature verifier to evaluate /ðyÞ in order to

identify the individual signers. In Section 4.2, it was shown

that appending the set of identities 1 to the threshold

signature is a better solution, saving the threshold signature

verifier the computational effort of evaluating /ðyÞ. Another

factor to consider is the computational cost of computing the

coefficients ð/

0

. /

1

. . . . . /

tÀ1

Þ. It can be shown that the total

computational cost of computing ð/

0

. /

1

. . . . . /

tÀ1

Þ fromt data

pairs is given as:

Multiplications : t

tÀ2

i¼1

t À 1

i þ 1

_ _

i

_ _

þ ðt À 2Þ þt þ 2

_ _

.

Summations : t

tÀ2

i¼1

t À 1

i þ 1

_ _

À 1

_ _

þ ðt À 1Þ þt

_ _

.

Inversions : t.

It should be clear that using an interpolation polynomial

/ðyÞ to identify the individual signers is impractical for

large values of threshold t.

The computational overhead that causes the most

concern is the number of exponentiations in the individual

signature verification equation ((9)) and threshold signature

VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 571

verification equation ((12)), which are anticipated to

contribute the bulk of the verification time complexity.

The justification for looking critically at the verification

processes is substantiated by the notion that a signature is

normally generated only once, but verified many times. The

optimum number of exponentiations for an ElGamal type

signature variant is 2 [9]. It can thus be concluded that the

proposed threshold-multisignature scheme is superior to

existing schemes since it requires only two exponentiations

for threshold signature verification, while guaranteeing

break-resistance. For individual signature verification, three

exponentiations are required, one more than the optimal

two exponentiations. The additional exponentiation is as a

consequence of satisfying the stronger break-resistance

property. The proposed scheme also provides improved

efficiency for all other operations, with or without the

assistance of a trusted authority, which includes, individual

signature generation (Table 1 and Table 3) and threshold

signature generation (Table 2 and Table 4).

4.7.5 Efficiency of Initial Key Distribution and

Key Redistribution/Update Protocols

The proposedthresholdcryptosystemis constructedwiththe

round optimal DKG protocol presented in Section 2.2, which

572 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007

TABLE 1

Computational Cost Comparison of Individual Signature Generation and Verification

(with the Assistance of a Trusted Share Distribution Center)

Ã

Proposed threshold-multisignature scheme (PTMS), see Section 2.

y

Note that computations of the individual signatures are performed modulo i.

TABLE 2

Computational Cost Comparison of Threshold Signature Generation and Verification

(with the Assistance of a Trusted Share Distribution Center)

Ã

Proposed threshold-multisignature scheme (PTMS), see Section 2.

y

i ¼ tð

tÀ2

i¼1

½

tÀ1

iþ1

_ _

i þ ðt À 2Þ þt þ 2Þ.

z

: ¼ tð

tÀ2

i¼1

½

tÀ1

iþ1

_ _

À 1 þ ðt À 1Þ þ tÞ.

effectively eliminates the need for a mutually trusted key

distribution center (KDC). Existing threshold-multisignature

schemes that do not need the assistance of a trusted authority

[4], [6], [8], do not use secure and efficient one round DKG

protocols to initialize the threshold cryptosystem. These

schemes also do not consider proactive security because they

do not allowfor the periodic updating of secret shares nor do

they permit dynamic group membership since they cannot

redistribute the secret shares to a newaccess structure. Based

on the above, the existing systems are rigid concerning the

threshold security parameters ði. tÞ, which sets the security/

availability trade-off. Accordingly, such systems cannot

respond to changes in the networking environment. For

these reasons, the efficiency of the proposed threshold-

multisignature scheme’s system setup and maintenance

procedures cannot be compared to the existing schemes.

It is the view of the authors that the security of the

underlying DKMI influences the security of the signature

scheme to such an extent that the threshold group-oriented

signature scheme cannot be considered separately from the

DKMI.

The worst-case computational cost of the initial DKG

protocol and DKRU protocol are briefly considered.

Efficiencyanalysis onthe initial DKGprotocol (Section2.2)

and DKRU protocol (Section 3) shows that these protocols

require OðitÞ and Oði

0

t

0

Þ exponentiations, respectively.

Multiplications yield a similar growth rate to the exponentia-

tions. Each protocol participant is required to generate

random numbers OðtÞ for initial DKG and Oðt

0

Þ for DKRU.

The threshold cryptosystem accommodates a total of

i

2

shares. Each participant broadcasts OðtÞ þOðiÞ mes-

sages for initial DKG and Oðt

0

Þ þOði

0

Þ for DKRU. The

network as a whole has a communication cost of OðitÞ þ

Oði

2

Þ and Oði

0

t

0

Þ þOði

02

Þ for initial DKG and DKRU,

respectively.

VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 573

TABLE 3

Computational Cost Comparison of Individual Signature Generation and Verification

(without the Assistance of a Trusted Share Distribution Center)

Ã

Proposed threshold-multisignature scheme (PTMS), see Section 2.

TABLE 4

Computational Cost Comparison of Threshold Signature Generation and Verification

(without the Assistance of a Trusted Share Distribution Center)

Ã

Proposed threshold-multisignature scheme (PTMS), see Section 2.

y

i ¼ tð

tÀ2

i¼1

½

tÀ1

iþ1

_ _

i þ ðt À 2Þ þt þ 2Þ.

z

: ¼ tð

tÀ2

i¼1

½

tÀ1

iþ1

_ _

À 1 þ ðt À 1Þ þ tÞ.

5 CONCLUSION

Investigations within the fields of threshold group-oriented

signature schemes, threshold group signature schemes,

multisignature schemes, and threshold-multisignature

schemes resulted in explicitly defining the properties of

threshold-multisignature schemes. The main aim of this

paper is to introduce such a secure threshold-multi-

signature scheme. To reach this objective, the secure and

optimally efficient ElGamal type signature variant,

G1o ¼ ð`.1GII.3.oð1Þ. i. :. /ði. iÞ. 1Þ, was extended to a

multiparty setting to yield a threshold-multisignature

scheme, which from the authors’ point of view is the

first to provide a guaranteed traceability property. The

proposed threshold-multisignature scheme was shown to

satisfy all of the specified security requirements and to

fulfill the stronger break-resistant property. The threshold-

multisignature signature scheme thus remains secure,

even if the threshold cryptosystem has been broken, i.e.,

the group secret or individual secret shares are known or

controlled by an adversary. It was shown that the

proposed threshold-multisignature scheme eliminates the

latest attacks on similar threshold signature schemes with

traceability. The efficiency analysis showed that the

proposed threshold-multisignature scheme outperforms

other existing schemes and is optimal in terms of

exponentiations with respect to threshold signature

verification and near optimal for individual signature

verification, while providing break resistance.

The paper also addressed the issue of initial distributed-

key generation (DKG) to construct a threshold cryptosys-

tem without the assistance of a trusted authority. To realize

initial DKG, improvements were made to the round

optimal DKG scheme of Zhang and Imai. The paper

proposes a novel publicly verifiable, round optimal (one

round) distributed-key redistribution/updating (DKRU)

protocol that eliminates a major problem with existing

schemes; malicious or faulty protocol participants from the

original access structure are positively identifiable by the

existing honest members as well as the new members

joining the threshold cryptosystem, which avoids repeating

the secret redistribution protocol until all the verification

conditions holds.

The paper proposes the first integrated (single protocol)

solution for DKG, distributed-key updating (DKU), and

distributed-key redistribution (DKR). Although the initial

DKG protocol and DKRU protocol are presented separately

for clarity, it was shown that the two protocols are

essentially equivalent. The same initial DKG protocol can

thus be used to realize DKR and DKU by merely keeping

the access structure constant. The paper defines the notion

of a distributed-key management infrastructure (DKMI) as a

protocol suite that considers all aspects of secret distribu-

tion (DKG), secret updating (DKU), and secret redistribu-

tion (DKR). Considering the minor differences between the

initial DKG protocol and DKRU protocol, the proposed

DKMI requires considerably less implementation effort

than implementing three unrelated protocols to realize

distributed-key management.

Use of the DKRU mechanism makes the proposed fully

distributed threshold-multisignature scheme proactively

secure, allows for dynamic group membership, and gives

the group members the capability of adjusting the avail-

ability/security trade-off by redistributing the existing

access structure À

ði.tÞ

1

to a new access structure À

ði

0

.t

0

Þ

1

0 .

ACKNOWLEDGMENTS

This work was supported by ARMSCOR, the Armaments

Corporation of South Africa. The authors thank the

reviewers and editors for their time, effort, and positive

input.

REFERENCES

[1] Y. Desmedt, “Society and Group Oriented Cryptography: A New

Concept,” Proc. Advances in Cryptology—CRYPTO ’87, 1987.

[2] Y. Desmedt, “Threshold Cryptography,” European Trans. Tele-

comm., vol. 5, no. 4, pp. 449-457, 1994.

[3] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Secure

Distributed Key Generation for Discrete-Log Based Cryptosys-

tems,” Proc. Advances in Cryptology—EUROCRYPT ’99, May 1999.

[4] C.-M. Li, T. Hwang, and N.-Y. Lee, “Threshold-Multisignature

Schemes where Suspected Forgery Implies Traceability of

Adversarial Shareholders,” Proc. Advances in Cryptology—EURO-

CRYPT ’94, May 1994.

[5] A. Boldyreva, “Threshold Signatures, Multisignatures and Blind

Signatures Based on the Gap-Diffie-Hellman-Group Signature

Scheme,” Proc. Public Key Cryptography—PKC ’03, 2003.

[6] C.-T. Wang, C.-H. Lin, and C.-C. Chang, “Threshold Signature

Schemes with Traceable Signers in Group Communications,”

Computer Comm., vol. 21, no. 8, pp. 771-776, 1998.

[7] W.-B. Lee and C.-C. Chang, “(t, n) Threshold Digital Signature

with Traceability Property,” J. Information Science and Eng., vol. 15,

no. 5, pp. 669-678, 1999.

[8] Z.-C. Li, J.-M. Zhang, J. Luo, W. Song, and Y.-Q. Dai, “Group-

Oriented (t, n) Threshold Digital Signature Schemes with Trace-

able Signers,” Proc. Second Int’l Symp. Topics in Electronic Commerce

(ISEC ’01), Apr. 2001.

[9] P. Horster, M. Michels, and H. Petersen, “Generalized ElGamal

Signatures for One Message Block,” Proc. Second Int’l Workshop IT-

Security, Sept. 1994.

[10] L. Harn and Y. Xu, “Design of Generalised ElGamal Type Digital

Signature Schemes Based on Discrete Logarithms,” Electronics

Letters, vol. 30, no. 24, pp. 2025-2026, 1994.

[11] G. Wang, “On the Security of the Li-Hwang-Lee-Tsai Threshold

Group Signature Scheme,” Proc. Fifth Int’l Conf. Information

Security and Cryptography (ICISC ’02), Nov. 2002.

[12] H. Pedersen, “How to Convert Any Digital Signature Scheme into

a Group Signature Scheme,” Proc. Fifth Int’l Workshop Security

Protocols, Apr. 1997.

[13] L. Zhou and Z.J. Haas, “Securing Ad Hoc Networks,” IEEE

Network, special issue on network security, vol. 13, no. 6, pp. 24-30,

1999.

[14] T.P. Pedersen, “A Threshold Cryptosystem without a Trusted

Party,” Proc. Advances in Cryptology—EUROCRYPT ’91, 1991.

[15] M. Stadler, “Publicly Verifiable Secret Sharing,” Proc. Advances in

Cryptology—EUROCRYPT ’96, 1996.

[16] P.-A. Fouque and J. Stern, “One Round Threshold Discrete-Log

Key Generation without Private Channels,” Proc. Public Key

Cryptography—PKC ’01, Feb. 2001.

[17] R. Zhang and H. Imai, “Round Optimal Distributed Key

Generation of Threshold Cryptosystem Based on Discrete Loga-

rithm Problem,” Proc. Applied Cryptography and Network Security

(ACNS ’03), Oct. 2003.

[18] A. Herzberg, S. Jaracki, H. Krawczyk, and M. Yung, “Proactive

Secret Sharing or: How to Cope with Perpetual Leakage,” Proc.

Advances in Cryptology—CRYPTO ’95, 1995.

[19] Y. Desmedt and S. Jajodia, “Redistributing Secret Shares to New

Access Structures and Its Applications,” Technical Report ISSE-

TR-97-01, Dept. of Information and Software Eng., School of

Information Technology and Eng., George Mason Univ., July 1997.

[20] T.M. Wong, C. Wang, and J.M. Wing, “Verifiable Secret Redis-

tribution for Archive System,” Proc. First Int’l IEEE Security in

Storage Workshop, Dec. 2002.

574 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 4, APRIL 2007

[21] A. Shamir, “How to Share a Secret,” Comm. ACM, vol. 22, no. 11,

pp. 612-613, 1979.

[22] J. Camenisch and I. Damga˚rd, “Verifiable Encryption, Group

Encryption, and Their Applications to Separable Group Signa-

tures and Signature Sharing Schemes,” Proc. Advances in Crypto-

logy—ASIACRYPT ’00, 2000.

[23] Y.-M. Tseng and J.-K. Jan, “Attacks on Threshold Signature

Schemes with Traceable Signers,” Information Processing Letters,

vol. 71, no. 1, pp. 1-4, 1999.

[24] T.-S. Wu and C.-L. Hsu, “Cryptanalysis of Group-Oriented (t, n)

Threshold Digital Signature Schemes with Traceable Signers,”

Computer Standards and Interfaces, vol. 26, no. 5, pp. 477-481, 2004.

[25] G. Wang, X. Han, and B. Zhu, “On the Security of Two Threshold

Signature Schemes with Traceable Signers,” Proc. First Int’l Conf.

Applied Cryptography and Network Security (ACNS ’03), Oct. 2003.

[26] C.P. Schnorr and M. Jakobsson, “Security of Discrete Log

Cryptosystems in the Random Oracle and Generic Model,” Proc.

Math. of Public-Key Cryptography, June 1999.

[27] R. Canetti, R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin,

“Adaptive Security for Threshold Cryptosystems,” Proc. Advances

in Cryptology—CRYPTO ’99, Aug. 1999.

[28] M. Michels and P. Horster, “On the Risk of Disruption in Several

Multiparty Signature Schemes,” Proc. Advances in Cryptology—

ASIACRYPT ’96, Nov. 1996.

Johann van der Merwe received the BSc

degree in electronic engineering from the Uni-

versity of Natal in 2003 and the MSc degree from

the University of KwaZulu-Natal in 2005. He is

currently pursuing the PhD degree in distributed

communication systems. His research interests

include security issues in ad hoc networks, with

particular focus on key management, threshold

group-oriented cryptography, and digital signa-

ture schemes.

Dawoud S. Dawoud received the BSc (1965)

and MSc (1969) degrees in electronic engineer-

ing from Cairo University and the PhD (1973)

degree in computer engineering from Russia. He

has been a full professor since 1984. He has

taught courses in computer engineering, digital

signal processing, and digital telecommunica-

tions in numerous universities, including Cairo

University, University of Lagos, and University of

Botswana. He has supervised many PhD and

MSc theses and published more than 90 papers and books. He holds

two patents in computer architecture. He is currently a professor of

computer engineering and signal processing at the University of

KwaZulu-Natal, South Africa. He is a member of the IEEE.

Stephen McDonald received the BSc (1987)

and MSc (1989) degrees in electronic engineer-

ing from the University of Natal, South Africa.

After working in the communications industry for

five years, he rejoined the University as a senior

lecturer in 1997. His current research interests

include ad hoc networks and various aspects of

image processing. He is a member of the IEEE.

> For more information on this or any other computing topic,

please visit our Digital Library at www.computer.org/publications/dlib.

VAN DER MERWE ET AL.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 575

forming subgroup P. of group members.

This implies that the group-oriented signature is publicly verifiable. This property thus incorporates unforgeability. can be verified by any outsider V (with respect to the group). Traceability: Any outsider V can learn the identities of the individual signers belonging to P. Threshold property: Only a threshold of t or more authorized group members are able to collaboratively generate a valid threshold-multisignature. .

10. i. The authors are with the School of Electrical. In the literature.za. 4041. Coalition-resistance subsumes framing-resistance. The majority of the I . from the thresholdmultisignature on m without interaction with any of the group members and/or a group manager. no subset of group members can sign on behalf of any other subset of group members. University of KwaZulu-Natal. [7]. The main advantage of a distributed cryptosystem is that the secret is never computed. Traceability implies accountability. This implies that the signers are publicly traceable with public information. 2006. a threshold ðtÞ or more shareholders are required to cooperatively generate a digital signature. and reference IEEECS Log Number TPDS-0307-1204. For information on obtaining reprints of this article. 2006. Room 4-05. reconstructed. published online 9 Jan. Threshold-multisignature schemes [4] combine the properties of threshold group-oriented signature schemes [2] and multisignature schemes [5]. The system secret is divided up into shares and securely stored by the entities forming the distributed cryptosystem. dawoudd.00 ß 2007 IEEE . Singhal. please send e-mail to: tpds@computer. Recommended for acceptance by M.e.1109/TPDS.1005. thresholdmultisignature schemes are also referred to as threshold signature schemes with traceability [6]. making the secret more difficult to compromise [3]. Manuscript received 16 Dec. Published by the IEEE Computer Society N distributed systems it is sometimes necessary for users to share the power to use a cryptosystem [1].org. This may also be seen as a distribution of trust since the shareholders must collaborate and contribute equally to produce a valid multiparty signature. mcdonalds}@ukzn. accepted 18 Apr. Electronic. or stored in a single location. 2007. In many applications. revised 5 Apr. Glenwood. Digital Object Identifier no. [8]. the individual signers participating in the threshold-multisignature scheme can be held accountable for their contribution to the grouporiented signature. 1045-9219/07/$25. and Computer Engineering.ac.2007. E-mail: {vdmerwe. South Africa. Durban. in contrast to the conventional single signer.. [2]. 2004. King George V Avenue. Coalition-resistance: No colluding subset of group members can generate a valid threshold-multisignature not satisfying the traceability property. The combined properties guarantee the signature verifier that at least t members participated in the generation of the group-oriented signature and that the identities of the signers can be easily established.

the threshold-multisignature signature scheme should not be breakable. In contrast. thus. allowing for DKR to a ðn0 . for discrete logarithm-based threshold cryptosystems. based on a round optimal. the key sharing is performed by a distributed collaborative protocol. ðn. publicly verifiable DKG protocol. The secret shares therefore have to be periodically updated using a distributed-key updating (DKU) protocol. In threshold cryptosystems.tÞ The access structure ÀP of the initial share distribution will not necessarily remain constant [19]. The proposed scheme can be easily adapted to incorporate a TTP. it is impractical to assume that an adversary cannot compromise more than t shareholders during the entire lifetime of the distributed secret [18]. inapplicable. the individual signers remain anonymous since it is computationally hard to derive the identities from the group signature. [16]. Assuming the same shareholders to be present at all times is unrealistic and the availability/security trade-off (set by the total number of group members ðnÞ and threshold ðtÞ) may need to be changed as a function of system vulnerability. the traceability property of threshold-multisignature schemes allows the individual signers to be held accountable in the public domain and renders the unlinkability property of threshold group signature schemes. The proposed discrete logarithm-based threshold-multisignature scheme is made proactively secure by periodically updating secret shares and facilitating changes in group membership by allowing an authorized subset . the distributed-key is generated in a distributed fashion as a function of the random input of all protocol participants while preserving the symmetric relationship between them. was introduced in [14] and a number of promising proposals for DKG have been published since [15]. The DKU scheme allows for only an impractical period T in which an active/mobile adversary has time to compromise a sufficient percentage of the group secret shares [18]. as defined in [11].VAN DER MERWE ET AL. and current functionality of the cryptosystem. An important component of any threshold digital signature scheme is the sharing of the group key [2]. by the above-defined traceability property of threshold-multisignature schemes. [20]. Threshold-multisignature schemes can be differentiated from threshold group signatures [12] by the fact that by definition. The shares0 must then be redistributed to a ðn0 . The main objective of this paper is to propose a new threshold-multisignature scheme without a trusted third party (TTP). ad hoc networks [13]) may require a distributed-key generation (DKG) protocol that effectively eliminates the TTP. In these schemes. the individual signers are publicly traceable and do not enjoy anonymity. A threshold-multisignature scheme that is suitable for distributed systems (for example. The first DKG protocol. If the group key sharing does not involve a trusted third party (TTP). [17]. although the underlying threshold cryptosystem has been broken. Consequently.t Þ new access structure ÀP 0 using a distributed-key redistribution (DKR) protocol [19]. [3]. in the latter. The proposed discrete logarithm-based threshold-multisignature scheme is also proactively secure. with the exception of the group managers. a version of the proposed scheme with the assistance of a TTP will therefore not be presented.t0 Þ and periodic DKU to mitigate new access structure ÀP 0 attacks from an active/mobile adversary.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 563 Break-resistance: An adversary in possession or control of the group secret key and/or the individual secret shares of any number of group members cannot generate a valid threshold-multisignature and/or partial/individual signatures. networking environment.

The round optimal DKG protocol is developed from the scheme of Zhang and Imai [17]. initial secret sharing to an access structure Àn. T threshold cryptosystem secret update period.6): 2. Section 3 introduces a new distributed-key redistribution/updating (DKRU) scheme. Some conclusions are provided in Section 5. 2 PROPOSED THRESHOLD-MULTISIGNATURE SCHEME In this section.0 ¼ si. . . Pi chooses a random number di 2 ½1. tÞ threshold parameter t and total number of group members n.j mod p. . . a publicly verifiable distributed-key generation (DKG) protocol is presented. The scheme consists of the following six parts (Section 2. for i ¼ 1 : n.1 through Section 2. The certificate of Pi binds the public key P Ki ¼ gSKi to user Pi ’s identity IDi . The paper is organized as follows: In Section 2.2 b. for j ¼ 1 : n. Sets ai.0 ¼ di and chooses at random ai. Ai. j 6¼ i. q two large primes such that q j ðp À 1Þ. without a trusted P dealer or KDC. n. the new threshold-multisignature scheme is proposed. such that the numbers ai. is proposed. ai. The security and features of the proposed threshold-multisignature scheme are discussed in Section 4. . p HðÁÞ collision-free one-way hash function. t À 1. for i ¼ 1 : n. and . Pi then shares the random value di with all of the other protocol participants. of existing group members ðn0 .j ¼ fi ðIDj Þ mod q. . For j ¼ 1. without assistance from a trusted key distribution center (KDC). The certificates are distributed to (or can be traced by) all communication entities Pj . Z For j ¼ 0. q À 1. .t .1 System Parameter Setup The group members Pi . The purpose of the protocol is to realize secure.j ¼ gai. . .j mod p and an encryption 2. . . Initial Publicly Verifiable Distributed-Key Generation In this section.k 2 ½1. are assumed to have a long-term public/private key pair P Ki =SKi and an authentic certificate. . using Shamir’s secret sharing scheme [21] as follows: a. . . q À 1. For 1 i n.0 . g generator of the cyclic subgroup of order q in ðZÞÃ . Protocol participants Pi . Pi computes si. agree on and publish the following system parameters: p. ðn. The protocol executes in four steps: 1. yi. for 1 k t À 1. a novel threshold-multisignature scheme. Pi computes. verifiable with the public key of a common trusted third party. .k Xk over Z q . .j ¼ gsi.t0 Þ to redistribute secret shares to a new access structure ÀP 0 .tÀ1 define a polynomial PtÀ1 fi ðXÞ ¼ k¼0 ai. .

6 and Section 5.j Li Þ mod q.564 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. sPi Þ is a valid signature on the public values ð½yi.j and si.j under the public key P Kj .n . VOL. . hðm. The secret can be constructed if t or more honest players. sPj Þ to all protocol participants. This serves as a proof of integrity and binds participant Pi to these public values. The differences and the significance of the similarity are discussed in Section 4. b.j ði 2 QÞ.j : Participants are disqualified if they do not follow the protocol correctly.1 . . This implies that anybody can verify that yi. developed from the generalized ElGamal scheme presented in [9]. ðmod pÞ ¼ yi. EP Kn ðsi. Pi broadcasts the message and the signature to all protocol participants. tÀ1 Y k¼0 GES.j ).j Þ with its corresponding private key SKj to recover si. Taking the Lagrange polynomial of the original random values dj .1 Þ k Á Á Á k ½yi. Ai. The protocol aborts if Q contains less than t members. EP Kn ðsi. The remaining set of participants form the set Q.j Þ of each secret shadow.i mod p: ð5Þ j2Q Each Pj .j ¼ gsi. [22]. 4. i 2 Q as: P Y L ðs L Þ j yi ¼ gxi ¼ g j2Q j.j (note that only Pj can decrypt EP Kj ðsi. rÞ. APRIL 2007 2. from the set Q. ð2Þ xj ¼ i2Q where the Lagrangian coefficient is given as: IDk Li ¼ mod q: IDk À IDi k2Q.j satisfy the following relationship: yi.j mod p and that protocol participant Pj can correctly retrieve the subshare si. .j Þ is the correct encryption of si. . Pj uses the correct shares received from i 2 Q to compute the following: X ðsi. ðrPi . Pj broadcasts ðyj .k ÞðIDj Þ ¼ g k¼0 ðai.1 Þ k Á Á Á k ½yi. . Protocol participants P1 . n) and received subshares si. which highlights the importance of erasing these values securely.ðtÀ1Þ Þ received from Pi .ðtÀ1Þ Þ using the ElGamal type signature variant: GES ¼ ðM:EGII:3:ð1Þ. also yields the group secret xQ . . j 2 Q completely erases all traces of its initial randomly chosen value dj and all generated subshares sj.0 k Á Á Á kAi. In Section 3. The signature is generated with Pi ’s long-term private key SKi .n Þ k Ai.k ÞðIDj Þ k¼0 fi ðIDj Þ ð1Þ ¼g 3. r. . Pj also verifies the authenticity of the received public keys after calculating the public key yi of all Pi . a publicly verifiable distributed-key redistribution/update (DKRU) protocol is proposed that is compatible with the initial DKG protocol given above.1 .i ¼ fj ðIDi Þ mod q ði ¼ 1. EP K1 ðsi. EP K1 ðsi.0 k Á Á Á k Ai.k6¼i Y ð3Þ 2. The encryption EP Kj ðsi. c. rPj .j Þ of the secret shadow for protocol participant Pj is performed using an appropriate publicly verifiable encryption scheme [15]. collect: ! Y X IDk mod q: ð6Þ xj xQ ¼ IDk À IDj j2Q k2Q. Pi keeps the share when j ¼ i. Pi then binds itself to the public values by generating the digital signature ðrPi sPi Þ on message ð½yi. for j 2 Q. Pn each verify the following: a.n . Pj binds itself to the public key yj by generating a signature ðrPj .n Þ k Ai.k6¼j 4. .k ðIDj Þk ¼ tÀ1 PtÀ1 Y k k ðgai.i j ¼ yj. s. 1Þ. 18. EP Kj ðsi.3 Individual Signature Generation Any subset . NO. sPj Þ on yj using its long-term private key SKj . EP Kj ðsi. Pj knows that the subshare distribution from member Pi is correct if (1) holds.

i 2 . of t or more members can represent the group and sign an arbitrary message m. Each member Pi .

selects a random integer ki 2 ½1. s0Pi Þ on ½ri . q À 1 and computes ri ¼ gki mod p. This implies that each member commits to its public value ri and provides a proof of knowledge of its corresponding discrete logarithm. After all committed ri s are available and members with invalid ri s are excluded from the set . s0Pi Þ to all protocol participants. Each member verifiably encrypts ki with its own long-term public key P Ki using a verifiable encryption scheme [15]. Pi broadcasts ðri . Using the ElGamal type signature variant GES. [22] to generate EP Ki ðki Þ. r0Pi . ki . Pi generates a signature ðr0Pi . EP Ki ðki Þ. EP Ki ðki Þ using its long-term private key SKi ..

. the value R is calculated as follows: Y ri mod p: ð7Þ R¼ i2.

The group public key can be computed (verified) by any group member or outsider as: P Y L f ð0ÞL i Ai. for j 2 .0 ¼ g i2Q i i ¼ gxQ mod p: ð4Þ yQ ¼ i2Q Each Pi uses public values IDj authentically bound to P Kj . The secret key xj is Pj ’s new share in the distributed group secret key xQ .

BÞ½ðxi Þ Á L. R. Pi uses its (secret share)/(private key) set ðxi . to form the set B.. SKi Þ and random number ki to compute its individual signature si on message m as follows: si ¼ ½Hðm.

ð8Þ where the Lagrange interpolating coefficient L.i þ SKi þ ki mod q.

i is given by: L.

i ¼ IDk mod q: IDk À IDi k2.

Using the ElGamal type signature variant .. j 2 Q calculates its public key as yj ¼ gxj mod p.k6¼i Y Each Pj .

VAN DER MERWE ET AL. L. ri .: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 565 The set ðsi .

i . 2. ri . which is broadcast to all other group members.4 Individual Signature Verification On receiving all of the signatures ðsi . BÞ is the individual signature of Pi on message m. L.

j 2 . BÞ. Pj .i .

. P Ki Þ to authenticate the individual signature of Pi by verifying if L. performs the functionality of a clerk and uses the public key set ðyi .

i is correct and whether the following equation holds for i 2 .

. i 6¼ j: ½Hðm.R.BÞ L ri mod p: ð9Þ gsi ¼ yi .

the individual signature of Pi on message m is invalid. Participants are disqualified if their individual signatures are found to be invalid.i P Ki If (9) fails to hold. The remaining honest participants form the set and repeat the individual signature generation part from (7). with .

SÞ on message m can be computed as: X si mod q: ð10Þ S¼ i2 authorized subset . The protocol aborts if contains less than t members. has received and verified t or more individual signatures. the second signature parameter S of the threshold-multisignature ðR. j 2 . ¼ . 2.5 Threshold-Multisignature Generation After Pj .

The publicly verifiable property by definition means that any outsider can obtain all of the required information from the broadcast channel to validate the operation of both the initial DKG and DKRU protocols. For the sake of P P proactive security. i 2 .2.t is P performed using the publicly verifiable distributed-key generation (DKG) scheme given in Section 2. Note that the proposed DKRU protocol is compatible with the initial DKG protocol. The initial secret distribution to the access structure Àn.6 and Section 5.t . Àn 0. The system parameter setup P given in Section 2. the threshold cryptosystem shares should be periodically updated within a limited time period T . Pi .t ¼ Àn.t . The protocol executes in four steps: 1. 2 Àn.1 is applicable. The proposed DKRU protocol can be used as a publicly verifiable distributed-key updating (DKU) protocol by simply keeping the 0 0 access structure constant. Assume that a subset of new members join or existing members leave the threshold cryptosystem. The minor differences and the significance of the similarity are discussed in Section 4.

share their0 secret share xi of group secret 0 key xQ with Pj 2 Àn 0. using Shamir’s secret sharing P scheme [21]: For i 2 .t .

. . . . EP Kn0 ðs0i.: Pi sets a0i. . Z 0 b.n0 Þ k A0i. n0 .n0 . .0 ¼ xi and chooses at random a0i.t0 À1 define a polynomial Pt0 À1 fi0 ðXÞ ¼ k¼0 a0i. q À 1.0 ¼ s0i. For j ¼ 0.1 .j mod p. For j ¼ 1.1 Þk Á Á Á k ½y0i.j ¼ fi0 ðIDj Þ 0 mod q.j mod p and an encryption EP Kj ðs0i. a0i. .0 .j Þ of each secret shadow. Pi computes s0i. . EP K1 ðs0i.j ¼ gsi.j ¼ gai. . .0 k Á Á Á k A0i. s0Pi Þ on message ð½y0i. Pi then binds itself to the public values by generating a digital signature ðr0Pi . for 1 k t0 À 1. . y0i. Pi computes A0i. . t0 À1.ðt0 À1Þ k y.k Xk over Z Q . such that the numbers a0i.k 2 ½1.

Þ using the ElGamal type signature variant: GES ¼ ðM:EGII:3:ð1Þ. The signature is generated with Pi ’s long-term private key SKi . Note that Pj . hðm. developed from the generalized ElGamal scheme presented in [9]. r. rÞ. Pi broadcasts the message and signature to all protocol participants. 1Þ. j 2 . s.

knows the authentic public values yi of Pi 2 Àn. from a previous DKG or DKRU operaP tion (see (5) and (16)). The set y..t .

is formed by yi . i 2 .

. ðr0Pi . EP K1 ðs0i.n0 .1 . The encryption EP Kj ðs0i. a. Pn0 each verify the following: a.ðt0 À1Þ k y. .n0 Þ k A0i. s0Pi Þ is a valid signature on the public values ð½y0i.1 k Á Á Á k ½y0i. . Protocol participants P1 . Pi keeps the share when j ¼ i. . [22].0 k Á Á Á k A0i. and only included in the broadcast message if new members join the group.j Þ of the secret shadow for protocol participant Pj is performed using an appropriate publicly verifiable encryption scheme [15].. EP Kn0 ðs0i.

for i 2 . using the shares of the P . BÞ on message m is valid and the subgroup B of individual signers is positively identified. The proposed publicly verifiable distributed-key redistribution/update (DKRU) protocol is as follows: A distributed group secret xQ is redistributed from Àn.1 for proof of correctness. BÞ on message m. (See Section 4. the threshold-multisignature ðR. S. Threshold-Multisignature Verification and Individual Signer Identification Any outsider can use the group public key yQ and public keys P Ki bounded to the identities IDi . SÞ and provides an explicit link between the threshold signature and the subset of individual signers who collaborated to generate the threshold signature ðR.BÞ R mod p: ð12Þ If (12) holds. The signature verifier calculates the subgroup public key P K as follows: P Y P Ki mod p: ð11Þ P K ¼ g i2 SKi ¼ i2 2.t .R. Þ: The set of identities B is appended to ðR. to verify the validity of the threshold-multisignature ðR. S.) 3 PROPOSED PUBLICLY VERIFIABLE DISTRIBUTED-KEY REDISTRIBUTION/UPDATE PROTOCOL 2.6 The signature verifier now has all the information to check if the following congruency holds: gS ðyQ P K Þ½Hðm. S.t to P 0 0 a new access structure Àn 0. BÞ on an arbitrary message m.

A0i.566 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. NO.0 ¼ yi 8 i 2 . 18. 4. VOL. APRIL 2007 b.

then they must only use yi s found to be consistant in the broadcast messages received from t or more members of subset .: ð13Þ If Pj . j 2 are new members joining the group.

. If the conditions do not hold for more than t members from the authorized subset .

The remaining set of participants forms the set Q0 . abort the protocol. as follows: P Y 0L0 f 0 ð0ÞL0 yQ0 ¼ Ai. using the available public information.. otherwise. Participants are disqualified if they do not follow the protocol correctly.k 0ðIDj Þ k ¼ t0 À1 Y k¼0 ðgai. evaluate the following equation: t0 À1 Y k¼0 Any network participant can calculate (verify) the group public key when needed.j : ð14Þ Pj knows that the subshare distribution received from Pi is correct if (14) holds.k ÞðIDj Þ 0 k Pt0 À1 0 k ¼ g k¼0 ðai. The protocol aborts if Q0 contains less than t members of the authorized subset .0i ¼ g i2Q0 i i ¼ gxQ0 mod p: ð18Þ i2Q0 4 DISCUSSION ON THE SECURITY AND FEATURES OF THE PROPOSED THRESHOLD-MULTISIGNATURE SCHEME Ai.k ÞðIDj Þ ¼ gfi ðIDj Þ ðmod pÞ ¼ y0i.

binding itself to the public value.R. X X ðsi Þ ¼ ½Hðm.t . In the context of the statement. all of its public and private information is exposed to the adversary. it is enough to show that the scheme fulfills all of the fundamental properties of generic threshold-multisignature schemes given in Section 1 and resists attacks to which other similar schemes are subject.BÞ i2 ðSKi Þ g i2 ðki Þ mod p hY i½Hðm. where the Lagrangian coefficient is given as: L0i ¼ Y k2Q0 . from the set Q0 . References [9]. Pj uses the correct shares received from i 2 Q0 to P compute the following: x0j ¼ i2Q0 s0i. Using the ElGamal type signature variant GES and its long-term private key SKj . IDk mod q: IDk À IDi ð15Þ The secret key x0j is Pj ’s new share in the distributed group secret key xQ0 . collect: ! Y X IDk 0 xj xQ0 ¼ mod q: ð17Þ IDk À IDj j2Q0 k2Q0 k6¼j 4.BÞ Y ¼ g½Hðm. . Pj also calculates the public key of all Pi ..BÞ½ i2 ½ðxi ÞÁLi g½Hðm. R. R. modify the content of messages. . [10] help in selecting such a variant. P 4. Each Pj .j (i 2 Q0 ). hðm. j 2 Q0 calculates its 0 public key as y0j ¼ gxj mod p. j 2 Q0 completely erases all traces of its old share xj and all generated subshares s0j.j L0i . BÞ ðSKi Þ þ ðki Þ mod q. r0Pj . Any active adversary can eavesdrop on all of the communication between group members. BÞ½ðxi Þ Á Li þ SKi þ ki mod q ði 2 Þ. BÞ on an arbitrary message m. i2 i2 P P P gS ¼ g½Hðm. si ¼ ½Hðm. 1Þ [9]. i 2 Q0 . n0 Þ and received subshares 0 si. s0Pj Þ to all network participants. 0 Group members Pj . The main reason for using the defined GES is to minimize the computational cost of generating and verifying the individual signatures and group-oriented signature in a multiparty setting without compromising security.yQ0 ¼ gxQ0 ¼ yQ ¼ gxQ 0.i ¼ 0 fj ðIDi Þ mod q ði ¼ 1. for j 2 Q0 belonging to the new access structure Àn .R. honest implies that the group members follow the protocol as specified in Section 2. s. The proposed threshold-multisignature scheme can equally use any other secure and efficient signature variant of the ElGamal type signature scheme. The secret can be constructed if t0 or more honest players. An adversary is a malicious party that uses every means available to break the proposed thresholdmultisignature scheme. .R. The security analysis considers a straightforward general adversary model. rÞ.BÞ R mod p: u t . Proof.1 If the conditions presented in Step-2 hold.i j ¼ yj.1 Correctness and Threshold Property Any t or more honest group members of the authorized subset can collaborate and use the threshold-multisignature scheme to produce a valid threshold-multisignature ðR. Each Pj .tP 0 thus share the same group secret and public key as the old access structure Àn.R. . s0Pj Þ on y0j . then Pj0 knows that its new secret key x0j is a valid share of x0Q . 1. To argue the security and validity of the proposed threshold-multisignature scheme. Pj broadcasts ðy0j . Pj generates a signature ðr0Pj . r. R. The group secret remains constant.ij mod p: ð16Þ j2Q0 The proposed threshold-multisignature scheme is based on a multiparty extension of the ElGamal type signature variant: GES ¼ ðM:EGII:3:ð1Þ. and inject them back into the channel. When an honest party is compromised. irrespective of distributed-key redistribution or distributed-key updates.R. as: P Y 0L 0 ðs0 L Þ y0i ¼ gxi ¼ g j2Q0 j.BÞxQ ðP Ki Þ ðr Þ mod p i2 i2 i ¼ ðyQ P K Þ½Hðm. S.k6¼i 0 3. . BÞ ½ðxi Þ Á Li þ S¼ i2 i2 X X ½Hðm.

[25]. The polynomial hðyÞ is constructed by the designated combiner with t pairs of public values belonging to members of the subgroup . as presented by [23] and [24]. SÞ and the Lagrange polynomial hðyÞ used by the signature verifier to identify the individual signers.VAN DER MERWE ET AL.2 Traceability of Signers The reason for the intractability of [6] and [8]. is due to the nonexistence of a relationship between the threshold signature ðR.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 567 4. respectively.

The actual value of the threshold t may be (dynamically) determined by an authorized subset of group members [19] and thus forms part of the group policy. . hðyÞ is given as [6]: hðyÞ ¼ t X I¼1 xi t Y y À yj ¼ btÀ1 ytÀ1 þ . constructed from t data points. [8] traceable by including hðyÞ within the individual signatures. [8].j6¼i It is noted here that it is possible to create such a relationship between hðyÞ and ðR. Using the polynomial function hðyÞ to capture the signers’ identities results in additional computational overhead for the threshold signature verifiers (nðt À 1Þ multiplications and nðt À 2Þ exponentiations) and fails to reduce the threshold group-oriented signature size. b1 . This saves the signature verifier the computational overhead of evaluating hðyÞ to learn the identities of the individual signers. The traceability property of the proposed thresholdmultisignature scheme is verified in Section 4. requires at least t coefficients ðb0 . why not simply use a list of individual (RSA) signatures for the group signature? The threshold property must be guaranteed by cryptographic means during the generation of the threshold group-oriented signature to effectively share the power of the cryptosystem between the group members [1]. SÞ. the proposed threshold-multisignature scheme uses the subset of identities B instead. . . The computational cost of generating hðyÞ is considered in Section 4. with a strong binding between hðyÞ and ðR.4. Assume a malicious subgroup . still fail to provide an optimum solution to ensure traceability. Since the subset B of identities is used to validate the threshold signature (12) the individual signers are publicly traceable and explicitly bound to the threshold signature. SÞ and make the schemes proposed in [6]. that submitted valid partial signatures. [2]. The Lagrange interpolation polynomial.7. . þ b1 y þ b0 : ð19Þ yi À yj j¼1. . Expecting that all (future) threshold group-oriented signature verifiers will consistently enforce a (dynamic) group policy makes the system vulnerable to attack. In the view of the authors. Rather than including the coefficients in the individual signatures and appending the coefficients to the threshold signature. the schemes presented in [6]. The polynomial hðyÞ of degree t À 1. If a verifier were to know and use the certified public keys of the individual signers. btÀ1 Þ to be uniquely defined.3 by showing that the signature verifier can only validate the threshold signature if an authentic subset B of individual signers collaborated to generate the signature. .

of t or more members conspires to obtain the group secret xQ and wants to frame valid subgroup for a signature on an arbitrary message m. This implies .

R.) The malicious member can attempt to forge the threshold-multisignature by computing S ¼ ½Hðm. AÞ simultaneously. it can be shown that forging individual signatures is also impractical. A formal security proof for the defined ElGamal signature variant GES in the Random Oracle and Generic Model ðROM þ GMÞ can be found in [26]. makes the protocol interactive and thus vulnerable to an adaptive adversary [16]. Any network participant will therefore always be able to make a legitimate excuse for a late arriving public value. 4. q À 1 and generates R ¼ gk . With little modification to the above argument. which is again impractical based on the intractability of the discrete logarithm problem. An attacker’s last resort is to randomly select a value F and signature parameter S and then attempt to determine a value R0 that satisfies gS ¼ ðyQ P K ÞF R mod p and F ¼ ½Hðm. i. The first solution requires each member to publish its public value yi simultaneously to mitigate the rushing attack on the group secret.AÞ R mod p.. (The public value P K can easily be calculated using (11). . This shows that using the proposed threshold-multisignature scheme to produce a valid untraceable signature or signing on behalf of any other subset of group members is not possible. This solution. Pj uses the publicly known values ðIDi Þ.4 Attacks on Threshold-Multisignature Schemes 4. wants to generate a valid untraceable group-oriented signature. The third 2. An alternative method is to solve for S to satisfy the verification equation gS ¼ ðyQ P K Þ½Hðm. however. It also confirms that the individual signers that collaborate to generate a threshold-multisignature are always traceable. the group secret xQ is known or controlled by an adversary. which is impractical since Pj cannot compute SK from P K based on the intractability of the discrete logarithm problem.2 It can thus be concluded that the proposed threshold-multisignature is break-resistant. This is known to be impractical based on the properties of a secure collision-free one-way hash function HðÁÞ. The second proposed solution requires members to commit to their public values and then open their commitments to reveal the public values. AÞðxQ þ SK Þ þk. R0 . [17].5) that work together to control the group key.R.3 Coalition-Resistance and Break-Resistance The coalition and break-resistance properties can be verified by showing that the proposed threshold-multisignature scheme is break-resistant: 4. This solution is impractical since there is no method in existing networking protocols of accommodating n simultaneous broadcasts nor can devices receive n simultaneous messages without advanced hardware.1 Collusion Attack A collusion attack enables dishonest group members (and/or a designated clerk or combiner node: see Section 4. Wang et al. Wang et al.e. [25] propose some countermeasures against the attack. to form the subgroup A. even if the threshold cryptosystem is broken.4. even if a coalition of t or more group members conspire to obtain an individual’s partial share xi of the group key xQ . The security proof of the underlying individual signature scheme supports the break-resistance property. in [8]. for i 2 0 . [25] report a collusion attack on the thresholdmultisignature scheme (without a trusted third party) presented by Li et al. Any malicious party Pj chooses a random number k 2 ½1.

2. S 0 Þ on an arbitrary message m0 from an existing valid threshold signature ðR. [17].2 Universal Forgery Attack In [23]. which is. given in Section 2. Q which is generally calculated as R ¼ i2. for example. 4. thus.568 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. The scheme by Wang et al. SÞ on message m. (1) or (9)). [8] fail to guarantee a strong binding between participants and their public values. 4. 18.3 Rushing Attack In the context of group-oriented signature schemes. Caution should be taken in the modification of the ElGamal signature or when choosing an appropriate variant. Fouque and Stern propose a solution to mitigate rushing attacks without using a synchronous network. Take. The ITP unfortunately becomes a single point of vulnerability. the fð0Þ group secret ðy ¼ g Þ. The universal forgery attack in [6] is a direct consequence of the insecurity of the modified ElGamal signature scheme on which the group signature is based. this approach was first introduced in [15] by Stadler to realize a publicly verifiable secret sharing scheme. [6] is an example of an insecure ElGamal type signature variant extended to a multiparty setting. The complaint phase also makes distributed-key generation (DKG) schemes such as [14]. inherently eliminates attacks from an adaptive adversary during the construction of the threshold cryptosystem. The weak binding allows an adversary to manipulate public values that will result in the disqualification of honest participants. Publicly verifiable encryption. [6]. This solution is well known and has been used by both Fouque and Stern [16] and Zhang and Imai [17] to eliminate the need for a complaint phase. [25] and universal forgery attack by Wu and Hsu [24]. It is noted here that synchrony is not always required in a discrete logarithm-based threshold group-oriented signature scheme based on a variant of the generalized ElGamal type signature. Forcing players to provide a zero knowledge proof of the discrete logarithm of all public values is sufficient to completely eliminate the rushing attack in an asynchronous network. [3]. and. 4. Committing participants to their public values and ensuring the public values’ integrity are both essential if members are to be disqualified if their public values fail to satisfy the verification equations (for example. It is noted that the collusion attack by Wang et al.4. [7]. [10]. it is evident that manipulation of these values can occur if an adversary can delay playing its own contribution. The threshold-multisignature scheme proposed in Section 2 takes this fact into consideration. both rely directly on a rushing attack. The adversary can collect the contributed values of all other participants and then compute its own contribution to force the signature parameters or group secret to a known value when calculated as a function of all contributed values. [10].4. thereby eliminating rushing attacks. The proposed threshold-multisignature scheme and DKG protocol use the ElGamal type signature variant GES to generate secure and efficient digital signatures. does not offer a mechanism to bind participants to their public values. Assuming the threshold signature scheme is based on a secure and efficient variant [9]. [27] impractical considering the complexity of current multiparty computations [16]. The proposed scheme uses publicly verifiable encryption [15]. Tseng and Jan present a universal forgery attack on the threshold signature schemes with traceability by Wang et al. which explicitly binds participants to their public values and simultaneously provides a mechanism to ensure the values’ integrity. can be calculated as fð0Þ ¼ Àt À1 SR HðmÞ from any valid threshold signature ðR. Since group members must all make a valid contribution to the threshold signature parameters and group secret. The existing round optimal DKG protocols [16]. a rushing attack is defined as a manipulation of the signature parameters or keying material by an adversary based on the public values received from all the other participants. The modification of the basic ElGamal signature scheme for the sake of efficiency can easily introduce an insecurity. [17] and threshold-multisignature schemes [4]. the signature parameter R. [6]. [22] that allows protocol participants to provide a zero knowledge proof of their public values’ discrete logarithm. The attack allows any group member or outsider to generate a valid forged threshold signature ðR0 . however. It is developed from a secure and optimally efficient variant that was selected using the guidelines given in [9]. The proposed threshold multisignature scheme prevents adversaries from controlling the group key by using the publicly verifiable. As pointed out by Zhang and Imai. Tseng and Jan also show in [23] that Wang et al. The adversary thus waits until all other participants have played before defining its own value [16]. Fouque and Stern define an Incorruptible Third Party (ITP) to always play at the end. Fouque and Stern [16] and Zhang and Imai [17] construct their distributed-key generation schemes on a synchronous network to prevent the adversary from delaying its response.’s schemes [6] are completely insecure since the trapdoor information fð0Þ . VOL. one round DKG protocol. in fact. it should be clear that the majority of attacks on group-oriented signature schemes can thus only come from a vulnerability introduced by the extension of the ElGamal type signature variant to accommodate multiple signers. therefore eliminating the requirement for synchrony and preventing a malicious player from manipulating the signature parameters. SÞ in message m. APRIL 2007 solution requires members to provide a noninteractive proof of knowledge of the discrete logarithm for the public value yi to the base of the primitive element g. NO.

where ri ¼ gki is the public value of each player Pi with corresponding randomly chosen secret ki . The malicious player Pj waits for each Pi to play its ri . Pj chooses a random value k and sets R ¼ gk . ri mod p. After receiving all ri s for i 2 .

i 6¼ j.. Pj factors out its Q public value as rj ¼ R i2.

be true if the modular arithmetic is done in an appropriate multiplicative subgroup ððZÞÃ Þ or a cyclic subgroup of order q. in particular. p The attack presented by Michels and Horster [28] on the threshold-multisignature proposed by Li et al. which will force the i other players to compute R at a later stage (of which the discrete logarithm is known by Pj ). if the threshold group-oriented signature protocol requires each . As in the above example. This will. [4] is a good example of the rushing attack principle. thus..i6¼j rÀ1 mod p . Note that Pj does not know the discrete logarithm of its public value rj nor can it be calculated based on the intractability of discrete logarithms in finite fields. the malicious player Pj in this attack does not know the discrete logarithm of its own share rj .

i.. Members of the authorized subset . With this mechanism. memory. 4. and communication overhead. This eliminates attacks relying on a corrupt clerk and mitigates the problem of ensuring the availability of a combiner node in distributed networks [13]. the following minor differences are easily identifiable: For the initial DKG. It will also prevent a malicious participant from disrupting the protocol since the participant can simply be disqualified if it does not play a fair game.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 569 player to provide a zero knowledge proof of all public values’ discrete logarithms. . The proposed publicly verifiable P distributed-key redistribution/update (DGRU) protocol proposed in Section 3 was designed to support dynamic group membership and allow for share updates by merely keeping 0 0 the access structure constant. Comparing the P P DGRU protocol to the initial DKG protocol presented in Section 2. the reader will note that these protocols are almost exactly equivalent. To allow for dynamic group membership and modification of the availability/ security trade-off. ad hoc networks) to ensure a correct combination [13]. the benefit the adversary gains from a rushing attack in an asynchronous network is nullified. By deliberately keeping the phrasing and notation as far as possible the same.t ¼ Àn. [22] on the discrete logarithm of the public values. The proposed threshold multisignature scheme in this paper requires players to provide a zero knowledge proof of the discrete logarithm of their public values by generating a publicly verifiable encryption [15]. the proposed scheme eliminates rushing attacks without any requirement for synchrony. The scheme proposed in this paper eliminates the need for a designated combiner/clerk as the construction of the threshold-multisignature is done by the shareholders themselves.t .2. each user must choose a random number di . 4.e.5 Symmetric Relationships—Eliminating the Combiner A centralized combiner node is a specialized server which can be seen as a single point of vulnerability and should be replicated in distributed networks (for example.t .VAN DER MERWE ET AL. The scheme also preserves the symmetric relationship between the shareholders by placing on each node the same computational. Àn 0. the0 shares can be redistributed to a new 0 access structure Àn 0. while the DKRU protocol uses the user’s share xi of the group secret xQ .6 Proactive Security and Secret Redistribution The proposed threshold-multisignature scheme defends against mobile/active adversaries by proactively updating the group key shares every period T .

append the public values yi of Pi 2 .

New members should only use public values that have been found to be consistent in t or more broadcast messages. to ð½y0i.n0 Þ k A0i.ðt0 À1Þ Þ if new members join the group. the participants must also check that the condition presented in (13) holds before verifying whether the subshare distribution is correct by using (14).1 Þ k Á Á Á k ½y0i. . EP Kn0 ðs0i.1 . If both (13) and (14) are satisfied for t or more members of . In the DKRU protocol.0 k Á Á Á k A0i.n0 . EP K1 ðs0i.

DKU protocol. and DGR protocol are conveniently performed by a single. It is noted that the proposed DKMI is independent of the proposed threshold-multisignature scheme and can be used in other applications to construct and maintain a threshold cryptosystem. publicly verifiable. A protocol suite capable of servicing all aspects of secret sharing is defined here as a distributed-key management infrastructure (DKMI). Any t or more members forming the subgroup .. the users are guaranteed that their new share in the original group key xQ is valid. round optimal protocol. Besides the differences given above. the initial DKG protocol. The DKG protocol due to Zhang and Imai [17] was modified to complement the proposed DKRU protocol given in Section 3 and to allow for practical key redistribution/updating. [8] is also vulnerable to a conspiracy attack by t or more malicious members. .4.4 Conspiracy Attack It is noted here that the threshold signature scheme proposed by Li et al. 4.

j 2 . ði.0 can use their subshares fðIDi Þj .

. A mechanism is provided for verifying the members’ secret contributions from the threshold-multisignature without revealing any additional information of the secrets.’s scheme with a trusted authority. only accurate for Li et al. Note that this is. As shown in Section 4. Any malicious member generates R ¼ gki and solves the following congruence for integer S: SR ðR þ hðmÞÞki þ fð0Þ mod q. for i 2 . SÞ will be a universally forged signature on the arbitrary message m. [4] defend against conspiracy attacks in a similar approach by adding a random number to the secret key. verifiable with the group-oriented signature verification equation. gSR ¼ RðRþhðmÞÞ y mod p. noted that. also lacks a strong traceability property. the scheme by Wang et al. The same comment can be made on the scheme proposed by Lee and Chang in [7]. which effectively conceals the member’s secret share of the group key.3.k6¼j IDj ÀIDi Þ. . The set ðR. [6] propose such a scheme which prevents conspiracy attacks without attaching a random secret to secret shares. conspiracy attacks in the proposed threshold-multisignature schemes are avoided by each member contributing an individual secret (long-term private key SKi ) to the group-oriented signature known to be explicitly associated with the member.e. the members’ public keys P Ki . Wang et al. It is. except the information that is publicly know to be associated with the secrets. however. the scheme presented in [4] does not have a strong traceability property [6]. Since the random numbers are not explicitly linked to the member’s identity. Conspiracy attacks in threshold-multisignature schemes can also be avoided if the secret shares of members are generated in such a way that construction of the threshold cryptosystem’s secret polynomial or derivation of the group secret from the members’ secret shares is computationally infeasible. i. 0 Þ to construct the group secret key fð0Þ as P Q IDj fð0Þ ¼ t ðfðIDi Þj t j¼1 k¼1. however. Li et al. since a member’s public value in [6] is not explicitly linked to a secret known to be associated with a group member.

2 and Section 3 solves a major problem with existing secret redistribution/ update protocols. APRIL 2007 The proposed DKMI presented in Section 2. NO.570 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. a threshold cryptosystem allows t or more members holding a secret share to reconstruct the group secret. not more than t À 1 members can be compromised or become faulty within an update time period T . the system is broken. In a proactively secure threshold cryptosystem. VOL. otherwise. [20]. This problem is identified by Wong et al. 18. the authorized subset . Referring to the proposed DKRU protocol presented in Section 3 and the secret redistribution scheme by Wong et al. 4. [20]: By definition.

may thus contain. The t À 1 malicious members in . t À 1 malicious members out of the total n group members. in the worst-case scenario.

Although new members can detect the discrepancy in the broadcast values. but also existing members cannot identify the malicious members in . they cannot identify which members are malicious. can thus distribute subshares si. It is noted here that this is not only applicable to the new members in the scheme proposed by Wong et al.j of an incorrect share xi to new members joining the system..

and. Consequently. the redistribution protocol proposed by Wong et al. malicious members cannot be disqualified. therefore. [20] must be repeated each time with a different authorized subset .

0 . with j.

until all values are consistent and all the verification conditions hold. members of the authorized subset .0 j ¼ t. t t tÀi i which makes the scheme impractical. the protocol participant Pj in the initial DKG protocol uses (5) to calculate the authentic public values yi corresponding to the secret share xi of each Pi . for i 2 Q. This paper presents a solution to the above problem with existing secret redistribution/update protocols as follows: In the proposed DKMI. Wong et al. In the DKRU protocol.À Á aÀworst-case repetition of the give Á PtÀ1 À ÁÀ Á protocol bounded by n À nÀtþ1 ¼ i¼1 tÀ1 nÀtþ1 .

construct a polynomial with their secret share set to a0i.0 ¼ s0i.j . In order to ensure that (14) holds and to avoid identification. i 2 .0 with their computed subshare witnesses yi. Pi . Assume that a subset of new members are joining the threshold cryptosystem.0 ¼ gai.0 ¼ xi . the malicious members are forced to compute 0 and broadcast A0i.

broadcast to all members a message that includes their calculated public keys yi .. for all other Pi . i 2 .

j of an incorrect share xi .. by checking if (13) holds. All existing members forming part of ðn0 .t0 Þ the new access structure ÀP 0 can detect and positively identify a malicious member that distributes subshares si. The only feasible option is to require the authorized subset .

to include all the existing members that will form part of the new access 0 0 structure Àn 0. By the fundamental definition of a threshold P cryptosystem. this will always ensure at least t members of .t .

It is obvious that existing members that do not participate in the distributed-key redistribution or distributed-key update procedure will be excluded from the threshold cryptosystem. therefore. The new members will detect the discrepancies in the public values broadcast by the members in . old members wanting to form part of P 0 are always available to help with distributing subshares to new members. 3. with consistent public values. This requirement places no limitation on the practicality of the proposed distributed-key management infrastructure (DKMI)3 and keeps the scheme round optimal.

[4]: The group public key of [4] not only consists of y. zij g. can only implicitly aid in the disqualification of malicious members by only using the subshares of the t or more members with consistent public values to compute their own new share in the group key. only schemes that attempt to eliminate conspiracy attacks are evaluated: Li et al. Difficulty will be experienced with this scheme when trying to eliminate the need for a trusted authority to distribute the initial group key shares. The proposed scheme does have another mechanism for all network participants to identify malicious members. provided by a public key infrastructure. Wang et al. The protocol. the proposed thresholdmultisignature scheme uses the long-term private keys of members SKi . [6]: The scheme proposed in [6] is an improvement on the scheme presented in [4] since conspiracy attacks are prevented without attaching a random number to secret shares. therefore. . Y . 4.3. A robust authentication mechanism is essential for securing a distributed system against active adversaries and central to ensuring the traceability of individual signers.4 Before joining members have obtained a valid share of the group secret. Since the new members will receive consistent public values from at least t participants. Consequently. but also implicitly includes the following public values fxi .2) and DKRU protocol (Section 3) are both publicly verifiable. all network participants have exactly the same information as existing members of the threshold cryptosystem. to 4. A joining member who has observed a periodic DKRU procedure can calculate the authentic public values of each group member using (16) and. that is required to verifying the threshold signature. except for a valid share in the group secret.1 Group Public Key Length The public key length in similar schemes will be briefly considered. In the Li et al.7 Efficiency Analysis The efficiency of threshold-multisignatures may be based on the following five criteria (Section 4. requires the participants to order themselves into a ring topology. therefore.7. Since both the initial DKG protocol (Section 2. they do not have any authority and. which can be limiting in some network scenarios. Lee and Chang [7]: The threshold-multisignature scheme in [7] also avoids conspiracy attacks without attaching a random secret to shares.7. In order to make a feasible comparison. It can thus be concluded that the public key is dependent on the number of group members n. The group public key is thus independent of the group size n.1 through Section 4. the participants with inconsistent values can therefore be considered malicious or faulty and are therefore positively identified. As shown in Section 4.7.5): 4. however. identify malicious members during the next DKRU procedure. The group public key is dependent on the number of group members n as the signature verifier needs the individual public values yi of all group members and two additional parameters cQ and cw to compute the subgroup public key. zij g since these values are required by the signature verifier to validate a threshold signature. the public key includes the public values fxi . scheme.. protocol participants attach a secret random number to their group secret shares in an attempt to avoid a conspiracy attack.

Although the group public key may be perceived to be dependent on the group size n. for i 2 used to calculate P K is publicly known (traceable) and primarily required for authentication purposes. the scheme does not introduce any additional storage requirements since the public keys P Ki . for i 2 . and.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 571 avoid conspiracy attacks even if colluding members derive or control the group secret xQ .VAN DER MERWE ET AL. As a result of members including their private keys in their individual signatures. in the latter two round scenario only. ð2j. the public key of the scheme consists of yQ and the public key P K of the subgroup that collaborated to generate the threshold signature. The public key P K of the subgroup is a function of the long-term public keys P Ki of the group members Pi .

which specifies that any outsider must be able to retrieve the identities of the individual signers from the threshold signature. in the second round. In round one. The threshold signature size of thresholdmultisignature schemes is bound to be dependent on the threshold parameter or. each participant generates a commitment ri and. The individual identities of the group members can be carefully chosen to significantly reduce the size of the thresholdmultisignature. This conclusion is naturally drawn from the traceability property of threshold-multisignature schemes. participants send their contribution to a combiner or designated clerk which constructs the threshold signature. is made by the size of the threshold group signature. 4. 4.7. more precisely. where 0 c ðn À tÞ. ri Þ on an arbitrary message m. the information is the identities of the individual signers contained in B. post signature generation. t þ c. Multiparty signature schemes constructed from ElGamal type (discrete logarithm-based) signature variants are bound to be interactive. In the case of the proposed scheme. as given in Section 1.7. The threshold signature must thus be bound to information explicitly linked to each of the signers that collaborated to generate the threshold signature. the individual and threshold signature generation mechanisms of all the existing threshold-multisignature schemes and the proposed scheme are almost equivalent. In the third round.2 Group-Oriented Signature Size The main contribution to the communication overhead.jÞ broadcast messages. generates an individual signature ðsi .3 Communication Cost of Signature Generation and Verification In terms of communication cost. Assume the authorized subset .

This yields a three round protocol for existing schemes. which requires ð2j. of group members collaborate to sign m.

jÞ broadcast messages and ðj.

jÞ unicast messages. is to the best of the authors’ knowledge. Assuming . the first threshold group-oriented signature scheme with traceability that allow malicious members to be positively identified and disqualified from the group. The proposed threshold-multisignature scheme. The proposed scheme also eliminates the need for a combiner.

contains at least one malicious or faulty participant. Therefore. the proposed protocol requires ð3j. the proposed protocol will still require three rounds and only two rounds if all individual signatures satisfy (9). in the three round scenario.

[6]. It can be shown that the total computational cost of computing ðb0 . [6]. Table 3 and Table 4 compare the proposed threshold-multisignature scheme. . with the assistance of a trusted key distribution center (KDC). btÀ1 Þ. In Table 1 and Table 2. multiplications contribute to an insignificant fraction of the overall time complexity. the public values of the individual signers are captured within the Lagrange interpolation polynomial hðyÞ as given in (19). b1 . . . . The threshold-multisignature schemes presented in [4]. which enables the threshold signature verifier to evaluate hðyÞ in order to identify the individual signers. . Multiplications : t iþ1 i¼1 ! ! tÀ2 X t À 1 Summations : t À 1 þ ðt À 1Þ þ t . iþ1 i¼1 Inversions : t: It should be clear that using an interpolation polynomial hðyÞ to identify the individual signers is impractical for large values of threshold t. . multiplications. in some cases. the inner parts of the Lagrange coefficients) can be precomputed and are therefore not included in the analysis. In the schemes proposed by Wang et al. [7] were chosen for analysis since they all make an attempt to eliminate a conspiracy attack by t or more colluding members. b1 . .2. [7]. . and summations. although this paper does not present a thresholdmultisignature scheme with a KDC. Note that. btÀ1 Þ from t data pairs is given as: ! tÀ2 X t À 1 ! i þ ðt À 2Þ þ t þ 2 . . . [6] and Li et al. Another factor to consider is the computational cost of computing the coefficients ðb0 . it was shown that appending the set of identities B to the threshold signature is a better solution. . without a KDC. Values that remain constant between different signature generations (for example. The computational cost of the schemes will be given in terms of the minimum threshold ðtÞ members (out of the total ðnÞ group members) required to collaboratively sign an arbitrary message m. saving the threshold signature verifier the computational effort of evaluating hðyÞ.7. it is assumed that the system parameters are chosen to yield the same time complexity for exponentiations. Although summations and. The computational overhead that causes the most concern is the number of exponentiations in the individual signature verification equation ((9)) and threshold signature . these operations are still included for the sake of completeness. with the existing schemes. it can be trivially extended to incorporate a KDC without making any changes to the individual/threshold signature generation and verification procedures. . the schemes. The coefficients ðb0 . [8]. In Section 4. btÀ1 Þ of hðyÞ are appended to the threshold signature by the combiner/clerk. b1 .4 Computational Cost of Signature Generation and Verification To make a feasible comparison between the computational cost of the proposed threshold-multisignature scheme and similar schemes [4]. are compared.jÞ broadcast messages 4.

The proposed scheme also provides improved efficiency for all other operations. NO. TABLE 2 Computational Cost Comparison of Threshold Signature Generation and Verification (with the Assistance of a Trusted Share Distribution Center) Proposed threshold-multisignature scheme (PTMS). APRIL 2007 TABLE 1 Computational Cost Comparison of Individual Signature Generation and Verification (with the Assistance of a Trusted Share Distribution Center) Ã Proposed threshold-multisignature scheme (PTMS). The optimum number of exponentiations for an ElGamal type signature variant is 2 [9]. with or without the assistance of a trusted authority. while guaranteeing break-resistance. which are anticipated to contribute the bulk of the verification time complexity. For individual signature verification. see Section 2. i¼1 iþ1 z s ¼ tðPtÀ2 ½ tÀ1 À 1 þ ðt À 1Þ þ tÞ. individual signature generation (Table 1 and Table 3) and threshold signature generation (Table 2 and Table 4). 18. VOL. The additional exponentiation is as a consequence of satisfying the stronger break-resistance property. 4. The justification for looking critically at the verification processes is substantiated by the notion that a signature is normally generated only once. 4. one more than the optimal two exponentiations. which .572 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. It can thus be concluded that the proposed threshold-multisignature scheme is superior to existing schemes since it requires only two exponentiations for threshold signature verification. but verified many times. y Note that computations of the individual signatures are performed modulo n. three exponentiations are required.5 Efficiency of Initial Key Distribution and Key Redistribution/Update Protocols The proposed threshold cryptosystem is constructed with the round optimal DKG protocol presented in Section 2. see Section 2. which includes. y m ¼ tðPtÀ2 ½ tÀ1 i þ ðt À 2Þ þ t þ 2Þ.2. i¼1 iþ1 Ã verification equation ((12)).7.

Efficiency analysis on the initial DKG protocol (Section 2. Each protocol participant is required to generate random numbers OðtÞ for initial DKG and Oðt0 Þ for DKRU. [8]. It is the view of the authors that the security of the underlying DKMI influences the security of the signature scheme to such an extent that the threshold group-oriented signature scheme cannot be considered separately from the DKMI. [6]. do not use secure and efficient one round DKG protocols to initialize the threshold cryptosystem. Accordingly. such systems cannot respond to changes in the networking environment. the existing systems are rigid concerning the threshold security parameters ðn. Multiplications yield a similar growth rate to the exponentiations.2) and DKRU protocol (Section 3) shows that these protocols require OðntÞ and Oðn0 t0 Þ exponentiations.VAN DER MERWE ET AL. Based on the above. . These schemes also do not consider proactive security because they do not allow for the periodic updating of secret shares nor do they permit dynamic group membership since they cannot redistribute the secret shares to a new access structure. respectively. respectively. Existing threshold-multisignature schemes that do not need the assistance of a trusted authority [4]. The worst-case computational cost of the initial DKG protocol and DKRU protocol are briefly considered. tÞ. which sets the security/ availability trade-off. TABLE 4 Computational Cost Comparison of Threshold Signature Generation and Verification (without the Assistance of a Trusted Share Distribution Center) Ã Proposed threshold-multisignature scheme (PTMS). i¼1 iþ1 effectively eliminates the need for a mutually trusted key distribution center (KDC).: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 573 TABLE 3 Computational Cost Comparison of Individual Signature Generation and Verification (without the Assistance of a Trusted Share Distribution Center) Ã Proposed threshold-multisignature scheme (PTMS). For these reasons. the efficiency of the proposed thresholdmultisignature scheme’s system setup and maintenance procedures cannot be compared to the existing schemes. see Section 2. see Section 2. Each participant broadcasts OðtÞ þ OðnÞ messages for initial DKG and Oðt0 Þ þ Oðn0 Þ for DKRU. The network as a whole has a communication cost of OðntÞ þ Oðn2 Þ and Oðn0 t0 Þ þ Oðn02 Þ for initial DKG and DKRU. The threshold cryptosystem accommodates a total of n2 shares. y m ¼ tðPtÀ2 ½ tÀ1 i þ ðt À 2Þ þ t þ 2Þ: i¼1 iþ1 z s ¼ tðPtÀ2 ½ tÀ1 À 1 þ ðt À 1Þ þ tÞ.

-H. To realize initial DKG. Although the initial DKG protocol and DKRU protocol are presented separately for clarity. Luo. and T. Public Key Cryptography—PKC ’03. The proposed threshold-multisignature scheme was shown to satisfy all of the specified security requirements and to fulfill the stronger break-resistant property. H. Y. Jaracki. 30. 2025-2026. Zhou and Z.. Sept.t0 Þ access structure ÀP to a new access structure ÀP 0 . C.” IEEE Network. Lin.” Proc. “Proactive Secret Sharing or: How to Cope with Perpetual Leakage. 1Þ. C. 1999. T. 2003. which from the authors’ point of view is the first to provide a guaranteed traceability property. vol. The thresholdmultisignature signature scheme thus remains secure. 2002.e.” Proc. The authors thank the reviewers and editors for their time. n) Threshold Digital Signature with Traceability Property. Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme. and J. “Round Optimal Distributed Key Generation of Threshold Cryptosystem Based on Discrete Logarithm Problem. Stadler. M. “On the Security of the Li-Hwang-Lee-Tsai Threshold Group Signature Scheme. 5. Pedersen. r. secret updating (DKU). “Generalized ElGamal Signatures for One Message Block. May 1999. Fouque and J. “A Threshold Cryptosystem without a Trusted Party. Apr. Dec. 24. no. 1994. 2003. Hwang. 1998. 1995. Pedersen. the secure and optimally efficient ElGamal type signature variant. July 1997. May 1994. while providing break resistance. Considering the minor differences between the initial DKG protocol and DKRU protocol. Chang. special issue on network security. P. malicious or faulty protocol participants from the original access structure are positively identifiable by the existing honest members as well as the new members joining the threshold cryptosystem.” European Trans. The same initial DKG protocol can thus be used to realize DKR and DKU by merely keeping the access structure constant. Fifth Int’l Conf. “Securing Ad Hoc Networks. the group secret or individual secret shares are known or controlled by an adversary. “Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. pp. and C. which avoids repeating the secret redistribution protocol until all the verification conditions holds. vol. The paper proposes a novel publicly verifiable.. Oct. The main aim of this paper is to introduce such a secure threshold-multisignature scheme. G. J. Dai. T. Jarecki. and N.. Herzberg. 669-678. Z.-C.-A. 1996. Topics in Electronic Commerce (ISEC ’01). Petersen. Desmedt. and gives the group members the capability of adjusting the availability/security trade-off by redistributing the 0 existing ðn. A. Lee and C. Nov.” Proc. It was shown that the proposed threshold-multisignature scheme eliminates the latest attacks on similar threshold signature schemes with traceability. the Armaments Corporation of South Africa. “Threshold Signatures. 1999. “One Round Threshold Discrete-Log Key Generation without Private Channels. Xu.-M.” Proc. Krawczyk.” Proc. Krawczyk. L. The efficiency analysis showed that the proposed threshold-multisignature scheme outperforms other existing schemes and is optimal in terms of exponentiations with respect to threshold signature verification and near optimal for individual signature verification. and secret redistribution (DKR). “Threshold-Multisignature Schemes where Suspected Forgery Implies Traceability of Adversarial Shareholders. NO. 1994. W. of Information and Software Eng. To reach this objective. REFERENCES [1] [2] [3] [4] Y. C.-B. hðm. “How to Convert Any Digital Signature Scheme into a Group Signature Scheme. s. 771-776. M. Advances in Cryptology—EUROCRYPT ’91. pp. multisignature schemes. Dept. “Verifiable Secret Redistribution for Archive System. Li. Telecomm. George Mason Univ. Advances in Cryptology—CRYPTO ’95.” Proc. “(t. 2001. H. 5. 6. Stern. 1987. 4. and Y. 2001. and M. VOL. Wong. pp. the proposed DKMI requires considerably less implementation effort than implementing three unrelated protocols to realize distributed-key management. rÞ. L. 1997.” Proc. R. GES ¼ ðM:EGII:3:ð1Þ. distributed-key updating (DKU). threshold group signature schemes. Imai. round optimal (one round) distributed-key redistribution/updating (DKRU) protocol that eliminates a major problem with existing schemes. Second Int’l Symp. Feb. H.” Proc. The paper also addressed the issue of initial distributedkey generation (DKG) to construct a threshold cryptosystem without the assistance of a trusted authority. R.-T. no. W. Information Security and Cryptography (ICISC ’02)..-Y.tÞ ðn . improvements were made to the round optimal DKG scheme of Zhang and Imai. 8. 21. 1991. The paper proposes the first integrated (single protocol) solution for DKG. Wing. Information Science and Eng.” Technical Report ISSETR-97-01.” Proc. Advances in Cryptology—EUROCRYPT ’99. 2002. vol. Advances in Cryptology—EUROCRYPT ’96. and distributed-key redistribution (DKR). Wang. vol.” J. S. P. 449-457. Lee. Wang. C. J.574 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS.. “Threshold Signature Schemes with Traceable Signers in Group Communications.P.. i. no. pp. “Design of Generalised ElGamal Type Digital Signature Schemes Based on Discrete Logarithms. Li. APRIL 2007 5 CONCLUSION Investigations within the fields of threshold group-oriented signature schemes. Apr. effort. Haas. The paper defines the notion of a distributed-key management infrastructure (DKMI) as a protocol suite that considers all aspects of secret distribution (DKG).” Proc. “Society and Group Oriented Cryptography: A New Concept. it was shown that the two protocols are essentially equivalent. 15. Fifth Int’l Workshop Security Protocols. even if the threshold cryptosystem has been broken. Chang.” Computer Comm. Public Key Cryptography—PKC ’01. n) Threshold Digital Signature Schemes with Traceable Signers. 24-30. 1994.M. Use of the DKRU mechanism makes the proposed fully distributed threshold-multisignature scheme proactively secure. T. Gennaro. Yung.-Q. 4. Wang. allows for dynamic group membership. “Redistributing Secret Shares to New Access Structures and Its Applications. Second Int’l Workshop ITSecurity. pp. and H. “Publicly Verifiable Secret Sharing.” Proc. Y. Advances in Cryptology—EUROCRYPT ’94. First Int’l IEEE Security in Storage Workshop. Zhang.. was extended to a multiparty setting to yield a threshold-multisignature scheme. vol.J. and threshold-multisignature schemes resulted in explicitly defining the properties of threshold-multisignature schemes. no. Desmedt. ACKNOWLEDGMENTS This work was supported by ARMSCOR.” Proc.” Electronics Letters. “GroupOriented (t. S. Song. 13. no.-C. Jajodia. and positive input. [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] . School of Information Technology and Eng.” Proc. Boldyreva.-C.” Proc.-M. Zhang and H. “Threshold Cryptography. Harn and Y. Michels. 18. Desmedt and S. Rabin. A.M. Applied Cryptography and Network Security (ACNS ’03). Horster. Advances in Cryptology—CRYPTO ’87.

He is currently pursuing the PhD degree in distributed communication systems. and T. South Africa.P.” Proc. Wu and C. Jarecki. Math. Advances in Cryptology—ASIACRYPT ’00. 1996. Michels and P. 612-613. Krawczyk. ACM. Rabin. [23] Y. His current research interests include ad hoc networks and various aspects of image processing. “Cryptanalysis of Group-Oriented (t. 26. “On the Risk of Disruption in Several Multiparty Signature Schemes. n) Threshold Digital Signature Schemes with Traceable Signers.org/publications/dlib. Gennaro. he rejoined the University as a senior lecturer in 1997. no. 1-4. Han. “How to Share a Secret.” Computer Standards and Interfaces. Dawoud S. “Security of Discrete Log Cryptosystems in the Random Oracle and Generic Model. [26] C. threshold group-oriented cryptography. Group Encryption.” Information Processing Letters. Shamir. Tseng and J. and digital signature schemes. vol. South Africa.” Comm. Camenisch and I. 2004. 1999. 1. 477-481. 11. Canetti. please visit our Digital Library at www. including Cairo University. 71. Jakobsson.-L.-M. digital signal processing. vol. 5. . pp. R. vol. Jan. “Adaptive Security for Threshold Cryptosystems. Johann van der Merwe received the BSc degree in electronic engineering from the University of Natal in 2003 and the MSc degree from the University of KwaZulu-Natal in 2005. For more information on this or any other computing topic. 2003.-K. He has been a full professor since 1984. “On the Security of Two Threshold Signature Schemes with Traceable Signers.” Proc.” Proc. Schnorr and M.” Proc. no. Nov. and Their Applications to Separable Group Signatures and Signature Sharing Schemes. His research interests include security issues in ad hoc networks.: A FULLY DISTRIBUTED PROACTIVELY SECURE THRESHOLD-MULTISIGNATURE SCHEME 575 [21] A. Damgard. H. Horster.computer. no. “Verifiable Encryption. 1979. and digital telecommunications in numerous universities. pp. 2000. University of Lagos. Advances in Cryptology— ASIACRYPT ’96. He is a member of the IEEE.-S. He holds two patents in computer architecture. He has supervised many PhD and MSc theses and published more than 90 papers and books. [27] R. [25] G. [28] M. Aug. pp. Wang. After working in the communications industry for five years. Stephen McDonald received the BSc (1987) and MSc (1989) degrees in electronic engineering from the University of Natal. Applied Cryptography and Network Security (ACNS ’03). [24] T.VAN DER MERWE ET AL. 22. “Attacks on Threshold Signature Schemes with Traceable Signers. Dawoud received the BSc (1965) and MSc (1969) degrees in electronic engineering from Cairo University and the PhD (1973) degree in computer engineering from Russia. X. ˚ [22] J. Oct. He is currently a professor of computer engineering and signal processing at the University of KwaZulu-Natal.” Proc. June 1999. First Int’l Conf. He is a member of the IEEE. Advances in Cryptology—CRYPTO ’99. . and B. of Public-Key Cryptography. 1999. Zhu. S. with particular focus on key management. He has taught courses in computer engineering. and University of Botswana. Hsu.

- boyang-tsc13.pdf
- INTRUSION IDENTIFICATION IN MANET USING ENHANCED ADAPTIVE ACKNOWLEDGEMENT
- Public Key Cryptography
- Enhancing the reliability of digital signatures as non-repudiation evidence under a holistic threat model
- 1030-Form1A_help
- pkc2
- Authenticated Key Agreement Protocols a Comparative Study
- About Digital Signatures
- Review on Preserving Privacy Identity of Shared Data in Cloud
- 10.1.1.396.9985
- 16952_chapter 3 Classabc
- 4901 paper 2
- pcsc8_v2.01.0.pdf
- E Business DigSig
- Elliptic Curve Cryptography
- 2014 IEEE .NET CLOUD COMPUTING PROJECT Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud Storage
- Evernote Shared Notebook
- FDA 21 Cfr Part 11
- verisign_java
- DataSec1_v1
- Fatca Ides Technical Faqs
- el-gamal.pdf
- VANET Presentation
- Cryptography in E-Commerce
- E-comm
- LUC
- NSM
- Assignment 2
- Unit-V Elec Pymt Systms
- 2014 IEEE JAVA CLOUD COMPUTING PROJECT Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud Storage

Skip carousel

- lavabit-aclu-amicus-13-1024.pdf
- Review on variants of Security aware AODV
- A Robust Cryptographic System using Neighborhood-Generated Keys
- Network Signatures v. ConocoPhillips Company
- An Efficient Approach for Securing Broker-Less Publish-Subscribe System Using Identity-Based Encryption Scheme
- The Security and Efficiency in Attribute-Based Data Sharing
- As 4539.1.2.1-2001 Information Technology - Public Key Authentication Framework (PKAF) General - X.509 Certif
- As ISO 17090.1-2003 Health Informatics - Public Key Infrastructure Framework and Overview
- UT Dallas Syllabus for cs6377.001.09s taught by Murat Kantarcioglu (mxk055100)
- Blockchain Technology and Applications from a Financial Perspective
- Network Security & Cryptography MCQ'S
- As 4539.1.1-2002 Information Technology - Public Key Authentication Framework (PKAF) Related Standards Genera
- Computationally Efficient ID-Based Blind Signature Scheme in E-Voting
- Federal Reserve on Fintech
- Network Signatures v. Tyson Foods
- A Survey and Analysis Performance of Generating Key in Cryptography
- Network Signatures v. Comcast
- As NZS ISO IEC 11770.3-2008 Information Technology - Security Techniques - Key Management Mechanisms Using As
- A Symmetric Key Generation for File Encryption and Protection using/by USB Storage Device
- As 4539.1.2.3-2001 Information Technology - Public Key Authentication Framework (PKAF) Related Standards Gene
- As 2805.6.1.4-2009 Electronic Funds Transfer - Requirements for Interfaces Key Management - Asymmetric Crypto
- A Survey of Source Authentication Schemes for Multicast transfer in Adhoc Network
- DIFFIE-HELLMAN KEY EXCHANGE TECHNIQUE AND VIDEO STEGANOGRAPHY BASED ON LSB
- Venadium v. Spotify
- Network Signatures v. Purdue Pharma
- HYBRID APPROACH FOR SECURE DATA COMMUNICATION FOR DECENTALIZED DISRUPTION-TOLERANT MILITARY NETWORKS
- lavabit-eff-amicus-13-1024.pdf
- As ISO 17090.3-2003 Health Informatics - Public Key Infrastructure Policy Management of Certification Authori
- WP2016 3-1 4 Blockchain Security
- Analysis of VoIP Forensics with Digital Evidence Procedure

Sign up to vote on this title

UsefulNot usefulClose Dialog## Are you sure?

This action might not be possible to undo. Are you sure you want to continue?

Close Dialog## This title now requires a credit

Use one of your book credits to continue reading from where you left off, or restart the preview.

Loading