Available at http://www.Jofcis.com
Abstract
We propose a CRT-based threshold signature scheme without a dealer. To ensure the security and
robustness of the scheme, no dealer is required and all the participants cooperate to generate the group
public key, so nobody can obtain the group private key. The participants' honesty can be tested by verifying
the share shadows. Each participant generates a partial signature based on CRT independently, using
his own secret share. The group signature can be synthesized from t or more partial signatures without
leaking any information about the group private key, which ensures the group private key's reusability.
We modify the signature equation of the ElGamal signature scheme to ensure the correctness of signature
verification. The experiments show that our scheme has lower time complexity than Harn's scheme.
Keywords: Secret Share; ElGamal Signature; Without a Dealer; CRT
Introduction
Secret sharing schemes were first proposed by Shamir [1] and Blakley [2] independently: a
dealer shares a secret among participants and only t or more participants can recover the secret.
In 1983, Asmuth and Bloom [3] put forward a threshold secret sharing scheme based on the Chinese
Remainder Theorem (CRT), which has lower computing complexity than Shamir's scheme. Qiong
et al. [4] and Iftene [5] independently proposed two CRT-based verifiable secret sharing schemes (VSS), in which a corrupted dealer can still distribute inconsistent shares without detection, so
that different coalitions obtain different values for the secret; this is called the authority
deceive. In 2008, K. Kaya and A.A. Selcuk [6] proposed a new VSS scheme based on CRT
and proved its security. However, its secret share verification process needs a dealer and is quite
complex. In 2012, literature [7] presented a simple but novel cryptography system based on CRT.
CRT-based secret sharing has been studied extensively in recent
years [8-11], but all of these schemes require a dealer. Literature [13] is a secret sharing scheme without
a dealer based on Blakley, and [12, 14, 15] are verifiable secret sharing schemes based on Shamir
and vector spaces.
Project supported by the National Nature Science Foundation of China (No. 61272540).
Corresponding author.
Email address: tanmengna@163.com (Mengna TAN).
In 1994, Harn [16] proposed a threshold signature scheme without a dealer based on
Lagrange interpolation. So far, the majority of existing threshold signature schemes are based
on Lagrange interpolation [17, 18, 19], and there are few studies on verifiable threshold signature
without a dealer based on CRT.
This paper proposes a new verifiable CRT-based threshold signature scheme without a dealer.
Each participant cooperates with the other participants to generate the secret shares and the
group public key (the group private key is also generated implicitly). The partial signatures are
generated based on CRT by using the secret shares. The group signature can be synthesized
from t partial signatures instead of using the group private key directly, so the group private key
is not revealed in the signing process. Anybody can use the group public key to verify the
group signature. We modify the signature equation of the ElGamal signature scheme to ensure the
correctness of signature verification. Our scheme can also identify mutual cheating among
the participants by verifying the secret share shadows. The experiments show that our scheme
has lower time complexity than Harn's signature scheme.
Preliminary Works
2.1
Key generation phase: Let $p$ and $q$ be large prime numbers, where $q = p - 1$, and let
$g \in Z_p$ be an element of order $q$. The private key $x \in_R Z_p$ is chosen randomly and the
public key $y = g^x \bmod p$ is computed.
Signing phase: Let $M \in Z_q$ be a hashed message. The signer first chooses a random
ephemeral key $k$, where $k \in_R Z_p$ and $\gcd(k, p - 1) = 1$. Then he computes the signature $(r, s)$, where
$r = g^k \bmod p, \qquad s = k^{-1}(M - xr) \bmod q$ (1)
2.2
Harn [16] proposed a threshold signature scheme without a dealer based on Lagrange interpolation.
The scheme is briefly described as follows:
Public keys generating phase:
(1) Each participant randomly selects $z_i$ and $x_i$, and computes the corresponding public key
$y_i = g^{z_i} \bmod p$. $\{x_i, y_i\}$ are the participant's public keys and $z_i$ is the participant's
secret key. The group public key is $y = \prod_{i=1}^{n} y_i \bmod p$.
(2) $P_i$ randomly selects a $(t-1)$th degree polynomial $f_i(x)$ with $f_i(0) = z_i \bmod q$, computes the secret shadow $f_i(x_j) \bmod q$ and the public key $y_{ij} = g^{f_i(x_j)} \bmod p$, then
sends $f_i(x_j)$ to $P_j$ and broadcasts $y_{ij}$ ($i \ne j$).
Signature generation phase: $\{P_1, P_2, \ldots, P_t\}$ denotes the involved participants.
(1) Suppose $P_i$ selects an integer $k_i$, computes $r_i = g^{k_i} \bmod p$ and broadcasts $r_i$. Once all
$r_i$ are available, he computes $r = \prod_{i=1}^{t} r_i$.
(2) For the message $M$, $P_i$ computes
$s_i = \Big\{ z_i + \sum_{j=t+1}^{n} f_j(x_i) \prod_{k=1, k \ne i}^{t} \frac{x_k}{x_i - x_k} \Big\} h(M) - k_i r,$
and sends the partial signature $\{M, r, s\}$ to the signature synthesizer.
(3) The group signature can be generated as $\{M, r, s\}$, where $s = \sum_{i=1}^{t} s_i \bmod q$.
Signature verification phase: If the equation $y^{h(M)} = r^r g^s \bmod p$ holds, the group
signature $\{M, r, s\}$ is valid.
2.3
Asmuth and Bloom proposed a secret sharing scheme [3] based on CRT. The scheme has two
phases:
Dealing phase: To share a secret $S$ among a group of $n$ participants $\{P_1, P_2, \ldots, P_n\}$, the
dealer does the following.
(1) A set of relatively prime integers $q < d_1 < d_2 < \cdots < d_n$ is chosen, where $q$ is a large
prime and $N = \prod_{i=1}^{t} d_i > q \prod_{i=1}^{t-1} d_{n-i+1}$.
(2) The dealer computes $z = S + Aq$, where $0 \le A \le [N/q] - 1$.
(3) He computes $z_i = z \bmod d_i$ and sends $(z_i, d_i)$ to $P_i$ ($i = 1, 2, \ldots, n$) as the share of $P_i$.
Combining phase: Let $W = \{P_1, P_2, \ldots, P_t\}$ be a coalition of $t$ participants gathered to
reconstruct the secret, and let $D = \prod_{i=1}^{t} d_i$.
(1) $P_i$ ($i = 1, 2, \ldots, n$) computes $s_i = \frac{D}{d_i} e_i z_i \bmod D$, where $e_i$ is obtained from the
formula $\frac{D}{d_i} e_i \equiv 1 \pmod{d_i}$ ($i = 1, 2, \ldots, n$).
(2) According to the CRT, the participants compute $z = \sum_{i=1}^{t} s_i \bmod D$, and then obtain
the secret by computing $S = z \bmod q$.
The Asmuth-Bloom scheme needs a dealer to distribute the secret shares, which may cause the
authority deceive problem.
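The dealing and combining phases above, as an added example that is not the paper's code; the parameters $q = 7$, $d = (11, 13, 17)$, $t = 2$ are constructed here, and the block also checks the Asmuth-Bloom parameter condition and brute-forces what a single share reveals about $S$.

```python
from math import gcd, prod

def params_ok(q, d, t):
    """Asmuth-Bloom condition: q < d_1 < ... < d_n, all pairwise coprime (q included),
    and N = d_1 ... d_t > q * d_{n-t+2} ... d_n (q times the t-1 largest moduli)."""
    mods = [q] + list(d)
    increasing = all(a < b for a, b in zip(mods, mods[1:]))
    coprime = all(gcd(mods[i], mods[j]) == 1
                  for i in range(len(mods)) for j in range(i + 1, len(mods)))
    return increasing and coprime and prod(d[:t]) > q * prod(d[len(d) - t + 1:])

def deal(S, q, d, t, A):
    """Dealer: z = S + A q with 0 <= A <= [N/q] - 1; the share of P_i is (z mod d_i, d_i)."""
    N = prod(d[:t])
    assert 0 <= S < q and 0 <= A <= N // q - 1
    z = S + A * q
    return [(z % di, di) for di in d]

def combine(shares, q):
    """Any t shares: z = sum (D/d_i) e_i z_i mod D by the CRT, then S = z mod q."""
    D = prod(di for _, di in shares)
    z = 0
    for zi, di in shares:
        Di = D // di
        ei = pow(Di, -1, di)             # (D/d_i) e_i = 1 (mod d_i)
        z = (z + Di * ei * zi) % D
    return z % q

def secrets_consistent_with(zi, di, q, d, t):
    """Brute force over all (S, A): which secrets could a lone share (z_i, d_i) come from?"""
    N = prod(d[:t])
    return {S for S in range(q) for A in range(N // q) if (S + A * q) % di == zi}

def demo(q=7, d=(11, 13, 17), t=2):
    """Constructed toy run: every t-subset recovers every S for every admissible A,
    while the first share alone is consistent with every S in Z_q."""
    d = list(d)
    assert params_ok(q, d, t)
    N = prod(d[:t])
    for S in range(q):
        for A in range(N // q):
            shares = deal(S, q, d, t, A)
            assert all(combine([shares[i], shares[j]], q) == S
                       for i in range(len(d)) for j in range(i + 1, len(d)))
    return secrets_consistent_with(*deal(3, q, d, t, 5)[0], q, d, t)
```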
Our Scheme
Assume the set of n participants is $P = \{P_1, P_2, \ldots, P_n\}$ and at least t participants join the signing
process. Without loss of generality, we define the t participants as $W = \{P_1, P_2, \ldots, P_t\}$. The
outline of our scheme is shown in Fig. 1.
As no dealer is required in our scheme, each participant $P_i$ selects a sub-secret to compute his
secret share shadows. Then the participants generate their own secret shares as well as the group public
key by exchanging secret share shadows, rather than having them distributed by a dealer. In the exchanging process,
mutual cheating among participants can be identified by verifying the secret share shadows.
Based on modified ElGamal signature, each participant produces a partial signature for message
M by using his secret share. The group signature can be synthesized by t partial signatures, which
3.1
The public parameters: two large prime numbers $p$ and $q$, where $q$ is a prime factor of $(p - 1)$,
a positive integer sequence $d = \{d_1, d_2, \ldots, d_n\}$ and a generating element $g$ in the finite field $Z_p$.
$q$ and $d$ meet the requirements of the Asmuth-Bloom threshold scheme. $n, t, p, q, g$ and $d$ are
public. The message $M \in Z_q$.
Step 1 $P_i$ ($i = 1, 2, \ldots, n$) secretly selects a random number $x_i$ as his private key and an integer
$A_i$ which satisfy the following inequalities:
$0 < x_i < [q/n]$ (2)
$0 \le A_i < ([N/q^2] - 1)/n.$ (3)
$P_i$ computes
$a_{ij} = (x_i + A_i q) \bmod d_j$ (4)
$a_{ij}$ is the secret share shadow.
Step 2 $P_i$ sends $a_{ij}$ to $P_j$ over a secure channel and keeps $a_{ii}$ himself.
Step 3 $P_i$ computes the verification information $\alpha_i$, $\beta_{ij}$ ($j = 1, 2, \ldots, n$): $\alpha_i = g^{x_i + A_i q} \bmod p$,
$k_{ij} = (x_i + A_i q - a_{ij})/d_j$, $\beta_{ij} = g^{k_{ij}} \bmod p$, then broadcasts $\alpha_i$, $\beta_{ij}$ and $g^{A_i}$.
To prevent fraudulent behaviour by a participant, after receiving $a_{ij}$ from $P_i$, $P_j$ can verify it with
the following formula
$((g^{a_{ij}} \bmod p)(\beta_{ij}^{d_j} \bmod p)) \bmod p = \alpha_i$ (5)
$P_j$ then computes his secret share
$y_j = \sum_{i=1}^{n} a_{ij} \bmod d_j.$ (6)
3.2
$P_i$ ($i = 1, 2, \ldots, n$) broadcasts $g^{x_i}$, then any participant can compute the group public key $Y$:
$Y = \prod_{i=1}^{n} g^{x_i} \bmod p.$ (7)
The corresponding group private key is
$X = \sum_{i=1}^{n} x_i.$ (8)
3.3
There are many variants of the ElGamal signature. But, limited by the modular arithmetic, most variants are unsuited to CRT-based threshold signature. With further research into the ElGamal
signature and the Chinese remainder theorem, we deduce a modified ElGamal signature/verification
formula which is suitable for a CRT-based threshold signature scheme.
(1) According to Eq. (1), $sk = (M - rx) \bmod q$. The equation can be written in the general form $ak = b + cx \bmod q$,
in which $a = s$, $b = M$, $c = -r$. The verification is $r^a = g^b y^c \bmod p$.
(2) Let $a = rM$, $b = s$, then $c = -1$; thus Eq. (1) transforms to $krM = s - x$. Then the
signature is $s = krM + x \bmod q$, and the corresponding verification is $g^s \equiv r^{rM} Y \bmod p$.
Based on the modified signature, the generation of partial signatures is described as follows:
Step 1 Each $P_i$ selects a random number $k_i \in Z_q$, computes $r_i = g^{k_i} \bmod p$ and broadcasts it.
After receiving $r_i$ from the other participants, $P_i$ computes
$r = g^{\sum_{i=1}^{t} k_i} \bmod p = \prod_{i=1}^{t} g^{k_i} \bmod p = \prod_{i=1}^{t} r_i \bmod p.$
Step 2 $P_i$ computes $D = \prod_{i=1}^{t} d_i$ and
$V_i = \frac{D}{d_i} e_i y_i \bmod D$ (9)
(10)
3.4
Signature verification
(11)
(12)
$\sum_{i=1}^{n} a_{ij}.$ (13)
$Z = \sum_{i=1}^{n} x_i + q \sum_{i=1}^{n} A_i$ (14)
(15)
$\sum_{i=1}^{t} \frac{D}{d_i} e_i y_i \bmod D = \sum_{i=1}^{t} V_i \bmod D.$ (16)
Also, according to Eq. (8) and Eq. (14), we can get the following equation
$Z = X + \sum_{i=1}^{n} A_i q \equiv X \pmod q.$ (17)
For $q < d_1 < d_2 < \cdots < d_n$, $N = \prod_{i=1}^{t} d_i$ and $D$ is the product of any $t$ of the $d_i$, so $D \ge N$. Let
$d_i = d_1 + l_i$ ($l_i$ an integer and $i = 1, 2, \ldots, n$); then
$D = d_1^t + u_1 d_1^{t-1} + u_2 d_1^{t-2} + \cdots + u_{t-1} d_1 + u_t,$
$N = d_1^t + v_1 d_1^{t-1} + v_2 d_1^{t-2} + \cdots + v_{t-1} d_1 + v_t,$
where $u_i, v_i$ are integers and $u_i \ge v_i$. Then,
$N/q = \frac{d_1^{t-1}}{q} d_1 + \frac{v_1 d_1^{t-2}}{q} d_1 + \frac{v_2 d_1^{t-3}}{q} d_1 + \cdots + \Big(\frac{v_{t-1} d_1}{q} + \frac{v_t}{q}\Big)$
$s = \Big(rM \sum_{i=1}^{t} k_i + \sum_{i=1}^{t} V_i\Big) \bmod D \bmod q$
$= \Big(\Big(rM \sum_{i=1}^{t} k_i + \sum_{i=1}^{t} V_i\Big) \bmod D\Big) \bmod q$
$= \Big(\Big(rM \sum_{i=1}^{t} k_i + Z\Big) \bmod D\Big) \bmod q$
$= \Big(rM \sum_{i=1}^{t} k_i + Z\Big) \bmod q$
$= \Big(rM \sum_{i=1}^{t} k_i + X + \sum_{i=1}^{n} A_i q\Big) \bmod q$
$= \Big(rM \sum_{i=1}^{t} k_i + X\Big) \bmod q.$
So $g^s \equiv g^{rM \sum_{i=1}^{t} k_i + X} \bmod p \equiv g^{rM \sum_{i=1}^{t} k_i}\, Y \equiv r^{rM} Y \pmod p$, and Eq.
(12) is correct.
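Sections 3.3 and 3.4 run end to end, as an added example that is not the paper's code, on the same constructed toy parameters ($p = 607$, $q = 101$, $g = 64$, $d = (1009, 1013, 1019)$, $t = 2$). It assumes, as the chain of equalities above does when it drops the reduction mod $D$, that $rM \sum k_i + Z < D$, and therefore keeps $M$ and the nonces $k_i$ small so that the bound holds.

```python
from math import prod

p, q, g = 607, 101, 64           # constructed toy group: q | p - 1, g has order q mod p
d = [1009, 1013, 1019]           # pairwise coprime moduli meeting Asmuth-Bloom for q, t = 2
x = [17, 29, 5]                  # constructed private keys x_i, 0 < x_i < [q/n]
A = [3, 31, 12]                  # constructed A_i, 0 <= A_i < ([N/q^2] - 1)/n
n, t = len(d), 2

# Shares y_j = sum_i a_ij mod d_j with a_ij = (x_i + A_i q) mod d_j (Eqs. 4, 6); group key Y (Eq. 7).
y = [sum((xi + Ai * q) % dj for xi, Ai in zip(x, A)) % dj for dj in d]
Y = prod(pow(g, xi, p) for xi in x) % p
Z = sum(xi + Ai * q for xi, Ai in zip(x, A))   # Eq. (14): Z = X (mod q), Eq. (17)

def elgamal_sign(M, xkey, k):
    """Single-signer modified ElGamal (Section 3.3): r = g^k, s = k r M + x mod q."""
    r = pow(g, k, p)
    return r, (k * r * M + xkey) % q

def verify(M, r, s, pub):
    """Verification of Section 3.3, also used for the group signature: g^s == r^(rM) * pub (mod p)."""
    return pow(g, s, p) == (pow(r, r * M, p) * pub) % p

def partial_sign(M, i, k_i, r, coalition):
    """P_i: V_i = (D/d_i) e_i y_i mod D (Eq. 9) and partial signature s_i = r M k_i + V_i."""
    D = prod(d[j] for j in coalition)
    Di = D // d[i]
    V_i = (Di * pow(Di, -1, d[i]) * y[i]) % D      # (D/d_i) e_i = 1 (mod d_i)
    return r * M * k_i + V_i

def threshold_sign(M, k, coalition):
    """Coalition (list of indices) runs Step 1, each member signs, the synthesizer reduces mod D, then mod q."""
    D = prod(d[j] for j in coalition)
    r = prod(pow(g, k[j], p) for j in coalition) % p     # r = prod r_i = g^(sum k_i)
    # Demonstration-only check of the bound the correctness derivation relies on when it
    # drops "mod D"; it uses the secret Z, so the synthesizer itself could not evaluate it.
    assert r * M * sum(k.values()) + Z < D
    s = (sum(partial_sign(M, j, k[j], r, coalition) for j in coalition) % D) % q
    return r, s

def demo():
    """P_1 and P_3 (t = 2) sign M = 42 with constructed nonces k_1 = 7, k_3 = 11."""
    M, k, W = 42, {0: 7, 2: 11}, [0, 2]
    r, s = threshold_sign(M, k, W)
    return r, s, verify(M, r, s, Y)
```

The group signature equals the single-signer signature made with $X = \sum x_i$ and $k = \sum k_i$, which is exactly what the derivation above states.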
Security Analysis
4.1
By Eq. (8), the group private key $X$ can be generated only when all sub-secrets $x_i$ are obtained.
In the group public key generating process, $P_j$ can get $g^{x_i}$ from participant $P_i$, but obtaining $x_i$
from $g^{x_i}$ is the discrete logarithm problem. So no one can get the other participants' $x_i$.
The group signature is synthesized from t partial signatures, which do not expose any information
about $X$. So the group private key $X$ is safe and can be reused.
4.2
By Eq. (5), $((g^{a_{ij}} \bmod p)(\beta_{ij}^{d_j} \bmod p)) \bmod p = (g^{x_i} F_i^{q}) \bmod p$, then $\beta_{ij} = g^{(x_i - a_{ij})/d_j} F_i^{q/d_j}$.
Since $g$ and $q$ are two primes, for $\beta_{ij}$ to be an integer, $F_i$ must be a power of $g$. Suppose
$F_i = g^{A'_i}$ ($A'_i \ne A_i$, $0 \le A'_i \le \{[N/q^2] - 1\}/n$); then $\beta_{ij} = g^{(x_i + qA'_i - a_{ij})/d_j}$.
Since $\beta_{ij}$ is an integer and $g$ is a prime, $a'_{ij}$ is less than $d_j$, thus $a'_{ij} = (x_i + A'_i q) \bmod d_j$. That
means $a'_{ij}$ is true. So $P_i$ cannot provide a false $a_{ij}$ when $g^{A_i}$ is false.
Similar to the proof above, we can prove that $P_i$ cannot provide a false $\beta_{ij}$ when $g^{A_i}$ is false.
Since both $a_{ij}$ and $\beta_{ij}$ must be true when $g^{A_i}$ is false, a false $g^{A_i}$ can easily be identified by
Eq. (5). So $P_i$ cannot provide a false $g^{A_i}$.
Since $g^{x_i}$ and $g^{A_i}$ must be true, $\alpha_i = g^{x_i + A_i q} = g^{x_i} g^{A_i q} \bmod p$. Obviously, a false $\alpha_i$ cannot
satisfy the equation. So $P_i$ cannot provide a false $\alpha_i$.
Since $\alpha_i$ must be true, if $P_i$ has provided a false $\beta_{ij}$, denoted by $\beta'_{ij}$, $P_i$ must provide
a false $a_{ij}$, denoted by $a'_{ij}$, to satisfy Eq. (5), with $a'_{ij} < d_j$:
$((g^{a'_{ij}} \bmod p)(\beta'^{\,d_j}_{ij} \bmod p)) \bmod p = \alpha_i = g^{x_i + A_i q}$. Then $\beta'_{ij} = g^{(x_i + A_i q - a'_{ij})/d_j}$.
Since $g$ is a prime and $\beta'_{ij}$ is an integer, $(x_i + A_i q - a'_{ij})/d_j$ must be an integer. Then
$a'_{ij} \equiv x_i + qA_i \pmod{d_j}$.
4.3
To forge a signature, a forger may try to find $r, s$ satisfying Eq. (12). If the forger fixes $r$ first,
then computing $s$ is equivalent to forging an ElGamal signature. If $s$ is fixed, then computing $r$ is
more difficult than in the ElGamal signature scheme.
The forger may instead try to generate t partial signatures. To generate a partial signature $s_i$ the forger needs to
get $u_i$. In the process of generating the partial signature, $g^{k_i}$ is public, but getting $k_i$ from $g^{k_i}$ is the
discrete logarithm problem.
Experimental Result
Harn's scheme [16] is the most representative Lagrange interpolation-based threshold signature
scheme, and the majority of existing threshold signature schemes are based on it. So
we compare the time consumption of our scheme with that of Harn's.
(1) Signature time consumption.
Fig. 2 shows the signing time of Harn's threshold signature scheme
and of our scheme. The t axis indicates the threshold value, and the time axis indicates the
signature time consumption.
Obviously, our scheme is more efficient than Harn's threshold signature scheme.
(2) Secret shares generating consumption. In Harn's scheme the secret share shadow is computed
by $f_i(x) = d_i + a_{i,1} x + a_{i,2} x^2 + a_{i,3} x^3 + \cdots + a_{i,t-1} x^{t-1}$, $f_i(x_j)$ is the secret share shadow sent
from $P_i$ to $P_j$, and $x_j$ is the identity of $P_j$. $P_j$ computes his secret share by $F_j = \sum_{i=1}^{n} f_i(x_j)$.
In our scheme, the secret share $y_j$ is computed by $a_{ij} = (x_i + A_i q) \bmod d_j$ and $y_j = \sum_{i=1}^{n} a_{ij} \bmod d_j$.
In Harn's scheme, a polynomial of degree $t$ needs to be computed, and the time consumption
increases with $t$. Our scheme just needs to compute a congruence, which
has nothing to do with $t$. As shown in Fig. 3, the secret share generation of our scheme is
much more efficient than that of Harn's scheme.
[Example table (layout not recoverable): values of $P_i$, $A_i$, $x_i$, $x_i + A_i q$ and $g^{x_i}$ for $P_1, \ldots, P_5$.]
Example
Conclusion
We propose a verifiable threshold signature scheme based on CRT. No dealer is required to distribute shares, and all the participants work together to produce the group public key and their
own secret shares, which protects against the authority deceive. We modify the ElGamal signature equation to ensure the correctness of signature verification. Furthermore, mutual cheating
among the participants can be identified by verifying the secret share shadows. The security of
our scheme is discussed, and the experiments show that our scheme is more efficient than Harn's
scheme.
References
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15] Benhui Zhang, Yuansheng Tang. Verifiable Vector Space Secret Sharing Scheme Without a Dealer.
Computer Science and Service System (CSSS), 2011 International Conference, Nanjing, 27-29 June
2011, 931-934.
[16] L. Harn. Group-oriented (t,n) threshold digital signature scheme and digital multisignature. IEE
Proceedings - Computers and Digital Techniques, 141 (1994) 5, 307-313.
[17] Yousheng Zhou, Feng Wang, Yixian Yang, et al. A novel threshold signature scheme with distinguished signing authorities. Broadband Network and Multimedia Technology (IC-BNMT), 2010
3rd IEEE International Conference, Beijing, 26-28 Oct. 2010, 728-732.
[18] HE Er-qing, HOU Zheng-feng and ZHU Xiao-ling. Proactive secret sharing scheme without trusted
party. Application Research of Computers, 30 (2013) 2, 491-493. (in Chinese)
[19] Tong Lu and BaoYuan Kang. Improvement of threshold group signature scheme. Computer Science
and Society (ISCCS), 2011 International Symposium, Kota Kinabalu, 16-17 July 2011, 150-153.
[20] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms.
IEEE Trans. Inform. Theory 31 (4) (1985) 469-472.