
2009 Fourth International Conference on Systems and Networks Communications

FSS-Id/A Fast Safe Identity-based Multi Signature Scheme


Sami Harari
Laboratoire Systèmes Navals Complexes, ISITV, Université du Sud Toulon-Var
BP 56, 83162 La Valette du Var, France
harari@univ-tln.fr
Abstract: In this paper, an identity-based multi signature scheme (IBMS) is presented. Many applications require the public keys of the signers to be sent along with the signature. Identity strings are likely to be much shorter than randomly generated public keys and are easily verifiable with other applications such as mail or web pages. This property makes the identity based paradigm appealing in such a situation. The new scheme is based on the difficulty of factoring a Rivest Adleman Shamir integer and in particular does not rely on the untested assumptions on bilinear maps. A proof of security for this IBMS is obtained under the assumption of the one wayness of RSA in the random oracle model. It is analogous but not equivalent to the Bellare scheme. An extension to an aggregated identity based signature scheme is also presented.

978-0-7695-3775-7/09 $26.00 © 2009 IEEE. DOI 10.1109/ICSNC.2009.107

I. INTRODUCTION

The need to elaborate new signature schemes, fast and safe, is motivated by many applications and constraints linked to the conditions of use. The most evident ones are smart cards and contact-less or mobile applications using radio frequency identification devices (RFID). Electronic commerce protocols tend to use signature schemes as proof of evidence of commercial binds. In many countries electronic signatures have the same status as paper signatures, and this number is increasing steadily. From a practical point of view a smart card is a computer which is intrinsically slow and cannot perform a modular exponentiation in a reasonable delay. The situation has changed and many of the more expensive cards have a dedicated arithmetic co-processor that computes such a quantity in a short time, as long as electric power is available. The computing power problem is transposed to radio frequency identification devices when they are used for authentication. These devices do not have a co-processor and electric power availability is limited in time. The protocol must be executed in a very short delay corresponding to the physical distance over which exchange of data is possible. A base time of 20 seconds is considered normal. This delay tends to diminish if the protocol is realized in a mobile situation: pedestrian or moving vehicle. These constraints eliminate all possibilities of computing a modular exponentiation in real time, especially if the communication delay between a mobile and its base is to be taken into account. The Rivest Shamir Adleman cryptosystem (RSA) [16] helped define a one way function. Its strength has been studied many times, and algorithms that generate primes suitable for RSA implementations have been under constant scrutiny. Therefore having a scheme with strength equivalent to that of factoring the RSA integer N gives a good measure of the probability of success in achieving an undetected fraud.

OUR CONTRIBUTION: In this paper, an identity-based multi signature scheme is presented. It relies, for its implementation, on an RSA integer N and its keys (e, d), one of which can be made public. Though similar to the Guillou Quisquater scheme, it differs from it by relying on fewer multiplications. The scheme is interactive, requiring n rounds with intermediate computation if there are n participants.

1) Its strength is equivalent to that of the one wayness of the primitive RSA signature scheme. The probability of success in creating false signatures is linked to that of a random oracle factoring N as well as that of another oracle that can give preimages of a hash function H().
2) The use of a hash function has as consequence that the knowledge of any number of signatures does not give any advantage to an adversary for creating a false signature that passes as legitimate, if the signature keys are sufficiently structured.
3) The signature is in two parts, one obtained by an exponentiation, the other by two modular multiplications. The first one is not message dependent and therefore can be precomputed and the result stored. This aspect makes it different from and faster than schemes derived from the Guillou Quisquater scheme [4].
4) The public key, used for checking, can be freely chosen. It is independent of the RSA keys. It can be taken as a proven quantity like an e-mail address for example. This system can therefore use trust without having to rely on a trusted third party (TTP), which has been introduced to ensure the identity of the two participants in signature schemes.
5) The multi signature is obtained in rounds, n if there are n participants.

All these items will be detailed.
As in the Digital Signature Standard (DSS), the system can be easily modified in order to obtain an authentication system, though this will not be detailed. Although RSA on a ring is used to describe the scheme, the system can be generalised to use RSA on elliptic curves with natural ease. A modification for aggregated signatures will be given.

II. IDENTITY BASED MULTI SIGNATURES

We adapt definitions from [9] to the identity based setting. Consider n different signers with identities Id_1, ..., Id_n who collectively want to sign a message m. We consider that all the signers are simultaneously on line and interact to produce a signature. We assume that signers interact in rounds, where at the beginning of each round each signer receives an incoming message from each of the other signers, performs some computation and sends an outgoing message to all of the signers. The incoming message of the first round consists of the message m and the list of the cosigners. The secret key is supposed to have been transmitted through a secure channel. The outgoing message of the last round is the final signature, or E to indicate failure. We assume the connections between the cosigners do not have to be private or authenticated. When describing the protocol we let each signer refer to himself by the index which was assigned to him. These indices have no meaning outside the protocol instance and are here to distinguish the different signers and the different connections a given signer establishes.

III. THE FSS IBMS SCHEME

The scheme requires describing the set up procedure, the key derivation procedure, the signing procedure and finally the verification procedure.

A. The Set up Procedure

The key distribution runs a generator procedure for RSA parameters (N, e, d), with e a prime integer of length strictly greater than log_2 N / 4. It publishes mpk = (N, e), the master public key, and keeps secret d, the master secret key. We suppose that there exists a hash function H() with output strings of length at least 160 bits and less than log_2 N.

B. Key Derivation

The identity of the signer, denoted by Id, is an integer, characteristic of the signer, which is unforgeable. It can be obtained from a string of characters to which is associated an integer less than n. As an identifier one can take, depending on applications, an e-mail address, a concatenation of an e-mail address with the number of an Id card or passport, or even a hash of a scan of an Id card or of the first page of a passport, all these documents belonging to the signer. In order to eliminate the possibility that a weak key is associated to a certain identity, a hash of the identity will be used instead of the identity itself.

The characteristic quantity of the signer number i with identification string Id_i is the following:

$x_i = H(Id_i)^{(\varphi(N) - 1) \cdot e} \bmod N$

$\varphi()$ is the Euler function; we suppose that there are n persons that will sign the message m. The secret key x_i of user i will be sent through a secure and authenticated channel.

C. Signing a Message

On input user with secret key x_1 for Id_1, message m and cosigners with identities Id_2, ..., Id_n, the signer proceeds as follows.

Round 1
Local Input: x_1, L = (Id_1, ..., Id_n), m
Computation: choose a random r_1 in Z_N, compute $R_1 = r_1^{e} \bmod N$ and $t_1 = H(m \,\|\, R_1)$. Check that R_1 has not been used in a previous signature.
Send to each signer i: t_1.

Round 2
- Receive from signer i: t_i
- Send R_1 to all i

Round 3
- Receive R_i
- Computation: check that $t_i = H(m \,\|\, R_i)$. Halt the computation and transmit a failure signal if one of the equations is not checked.
- Compute $R = \prod_i R_i \bmod N$.
- Compute $\sigma_1 = r_1 \cdot m \cdot x_1 \bmod N$

Round 4
- Receive from signer i: $\sigma_i$
- Computation: $\sigma = \prod_i \sigma_i \bmod N$
- Local output: $(R, \sigma)$

D. Verification

On input of the master key (N, e), a signature $(R, \sigma)$, a set of signers L = (Id_1, ..., Id_n) and a message m, the verifier computes
1) the quantity $t = \sigma^{e} \bmod N$;
2) $u = R \cdot m^{e \cdot n} \cdot \prod_i H(Id_i) \bmod N$;
3) checks that t = u. If the quantities are equal, accept the signature as valid, otherwise reject it.

E. Remark

If the multi signature has a speed constraint, then one can take an alternate value for the t_i's. If the computation is done as $t_i = H(R_i)$ for all i, then this computation and the corresponding check can be done without the presence of data. Round 3 can then be completed without knowing the data and could be precomputed and stored in some particular applications (RFID for instance). Round 4, and the computation of the full signature, is done in the presence of data.
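The four signing rounds and the verification check of the IBMS, as an added example rather than code from the paper. It assumes constructed toy RSA parameters, a hash H built from SHA-256, the message encoded as an integer m below N, and that the key generator derives x_i = H(Id_i)^d mod N so that x_i^e = H(Id_i) mod N, which is the relation the verification equation needs; the R re-use check of Round 1 and Section IV.B is enforced as well.

```python
import hashlib
from functools import reduce
from secrets import randbelow

# Constructed toy parameters (Mersenne primes): self-contained but trivially factorable, demo only.
P, Q = (1 << 607) - 1, (1 << 1279) - 1
N = P * Q
E = (1 << 521) - 1                  # prime and longer than log2(N)/4 bits
D = pow(E, -1, (P - 1) * (Q - 1))   # master secret key d, kept by the generator

def H(data: bytes) -> int:          # 256-bit output: at least 160 bits, < log2(N)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def prod(values) -> int:
    return reduce(lambda a, b: a * b % N, values, 1)

def derive_key(identity: str) -> int:
    # Assumption: x = H(Id)^d mod N, so that x^e == H(Id) (mod N); this is
    # the relation the verification equation below relies on.
    return pow(H(identity.encode()), D, N)

def commit(m: int, R: int) -> int:
    return H(b"%d||%d" % (m, R))    # t = H(m || R)
USED_R = set()   # R values already signed with; Sec. IV.B forbids re-use

class Signer:
    def __init__(self, identity: str):
        self.identity, self.x = identity, derive_key(identity)
    def round1(self, m: int, r=None) -> int:
        """Pick r, compute R = r^e mod N and broadcast only the commitment t."""
        self.m, self.r = m, (r if r is not None else 1 + randbelow(N - 1))
        self.R = pow(self.r, E, N)
        if self.R in USED_R:
            raise RuntimeError("R already used in a previous signature")
        USED_R.add(self.R)
        return commit(m, self.R)
    def round2(self) -> int:
        return self.R               # reveal R only after every t_i has arrived
    def round3(self, ts: dict, Rs: dict):
        """Check t_i = H(m || R_i) for every cosigner; None signals failure."""
        if any(ts[i] != commit(self.m, Rs[i]) for i in ts):
            return None
        return self.r * self.m % N * self.x % N   # sigma_i = r_i * m * x_i

def multisign(signers, message: bytes):
    """Rounds 1-4 over a local 'network'; returns (R, sigma) or None."""
    m = int.from_bytes(message, "big") % N      # the message as an integer
    ts = {s.identity: s.round1(m) for s in signers}
    Rs = {s.identity: s.round2() for s in signers}
    parts = [s.round3(ts, Rs) for s in signers]
    if None in parts:
        return None
    return prod(Rs.values()), prod(parts)       # round 4: sigma = prod sigma_i

def verify(signature, identities, message: bytes) -> bool:
    """Accept iff sigma^e == R * m^(e*n) * prod H(Id_i)  (mod N)."""
    R, sigma = signature
    m, n = int.from_bytes(message, "big") % N, len(identities)
    u = R * pow(m, E * n, N) % N * prod(H(i.encode()) for i in identities) % N
    return pow(sigma, E, N) == u
```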

IV. SECURITY OF THE SCHEME

The security study will have three parts. Two concern the single user case. This corresponds to the scenario where an attacker tries to sign in place of a single user and participates in the multi signature. The third part will concern a coalition of false signers against an honest signer.

A. The Single User Case

Let M be a message, and suppose that a dishonest user U wants to sign in place of an honest signer having public data (n, k, Id). He must compute (x, y) with

$x = r^{k}$ and $y = h(M \,\|\, r^{k}) \cdot r \cdot Id^{-1}$

U can choose a random r and compute a legitimate x. However, to compute y he must compute $Id^{-1} \bmod n$. For this he must know the secret key k, which in the presence of n is equivalent to factoring it. Thus forging a fake signature from the public data is a hard problem. Suppose that U has access to $(M_i, x_i, y_i)$, i = 1, ..., m, a set of messages legitimately signed by the owner of the secret key. In this setting U has to obtain the values r_i from x_i. He has to solve m distinct RSA problems. The other set of m equations concerning the y_i is a set of m equations in m + 1 unknowns, which does not have a unique solution, even if there were no algorithmic obstacle to obtaining the solution. One last remark is that taking the product of existing signatures of a set of messages M_i yields a valid x part of a signature for $\prod_i M_i$. However, it does not yield a valid y part of a signature, since the hash function has no algebraic properties that can be used to this end.

B. The Coalition Attack

If the same set of m users multi sign a message M many times, U might be tempted to use partial information from some of the signers to fake another signature of that same message M. This is not possible if the x part of all signatures by all users is stored in a database and, when computing a multisignature, this database is checked for re-use of a previously used random variable. In this case each of the users checks that the x part of the signature has not been used before, for any message. If this check is not done, then a coalition (even reduced to 1) of users can participate to obtain a true new legitimate multi signature.

C. Collision in Hash Functions

The security of the scheme relies on the non existence of computable collisions for the hash function h(). The existence of such collisions would introduce mathematical structure, at least for some input values. In this case the scheme would have to be reinforced by using a specific function to this end, such as an exponentiation. The resulting multi signature scheme would be slower. We now describe the identity-based aggregated signature scheme (IBAS).

V. THE FSS IBAS SCHEME

The Identity Based Aggregate Signature Scheme (IBAS) requires a set up procedure, a key derivation procedure, a signing procedure and finally a verification procedure. In an IBAS the documents of the participants are all distinct. However there is a requirement that the document of each signer is aggregated with the n documents of the other signers, to yield a signature that is unique and can be computed by each participant, in a short delay, through the knowledge of the secret key and the data exchanged by the participants. The procedure is sequential in n steps, each step involving the computation of a signature by two participants. This can be materialized by two loops executed simultaneously. One of them begins at index 1, the other at index n. One outstanding property of the new scheme is that at the end of n rounds all participants have all the data to compute the aggregate signature.

A. The Set up Procedure

The key distribution runs a generator procedure for RSA parameters (N, e, d), with e a prime integer of length strictly greater than log_2 N / 4. It publishes mpk = (N, e), the master public key, and keeps secret d, the master secret key. We suppose that there exists a hash function H() with output strings of length at least 160 bits and less than log_2 N.

B. Key Derivation

The identity of the signer, denoted by Id, is an integer, characteristic of the signer, which is unforgeable. It can be obtained from a string of characters to which is associated an integer less than n. In order to eliminate the possibility of a weak key associated to a certain identity, a hash of the identity will be used instead of the identity itself. The characteristic quantity of the signer number i with identification string Id_i is the following:

$x_i = H(Id_i)^{(\varphi(N) - 1) \cdot e} \bmod N$

$\varphi()$ is the Euler function; we suppose that there are n persons that will sign the message m. The secret key x_i of user i will be sent through a secure and authenticated channel.

C. Signing a set of n Messages

On input user with secret key x_i for Id_i and message m_i for i = 1, ..., n, the aggregate signature procedure is as follows.

Round 1

User 1
Local Input: s_1, L = (Id_1, ..., Id_n), m_1
Computation: choose a random r_1 in Z_N, compute $R_1 = r_1^{e} \bmod N$ and $t_1 = H(m_1 \,\|\, R_1)$. Compute $\sigma_1 = r_1 \cdot m_1 \cdot x_1 \bmod N$.
Send to signer 2: $t_1, R_1, \sigma_1, m_1$

User n
Local Input: s_n, L = (Id_1, ..., Id_n), m_n
Computation: choose a random r_n in Z_N, compute $R_n = r_n^{e} \bmod N$ and $t_n = H(m_n \,\|\, R_n)$. Compute $\sigma_n = r_n \cdot m_n \cdot x_n \bmod N$.
Send to signer n − 1: $t_n, R_n, \sigma_n, m_n$

Round 2

User 2
- Receives from signer 1: $t_1, R_1, m_1, \sigma_1$.
- Computation: check that $t_1 = H(m_1 \,\|\, R_1)$. Apply the verification procedure to the received signatures. Halt the computation and transmit a failure signal if the verification equation is not checked.
Local Input: s_2, L = (Id_1, ..., Id_n), m_2
Computation: choose a random r_2 in Z_N, compute $R_2 = r_2^{e} \cdot R_1 \bmod N$ and $t_2 = H(m_2 \,\|\, R_2)$. Compute $\sigma_2 = r_2 \cdot m_2 \cdot x_2 \bmod N$.
Send to signer 2: everything received from user 1 and $t_2, R_2, m_2, \sigma_2$

User n − 1
- Receives from signer n: $t_n, R_n, m_n, \sigma_n$.
- Computation: check that $t_n = H(m_n \,\|\, R_n)$. Apply the verification procedure to the received signatures. Halt the computation and transmit a failure signal if the verification equation is not checked.
Local Input: s_{n−1}, L = (Id_1, ..., Id_n), m_{n−1}
Computation: choose a random r_{n−1} in Z_N, compute $R_{n-1} = r_{n-1}^{e} \cdot R_n \bmod N$ and $t_{n-1} = H(m_{n-1} \,\|\, R_{n-1})$. Compute $\sigma_{n-1} = r_{n-1} \cdot m_{n-1} \cdot x_{n-1} \bmod N$.
Send to signer n − 2: everything received from user n and $t_{n-1}, R_{n-1}, m_{n-1}, \sigma_{n-1}$

Round 3 to Round n apply the same procedure as at round 2, modifying the indices, increasing them by one unit or decreasing them by one unit as appropriate.

D. The Aggregate Signature

The aggregate signature of (m_1, ..., m_n) by (Id_1, ..., Id_n) is the signature computed with the data received at round n:

$\left( R = \prod_i R_i,\ \sigma = \prod_i \sigma_i \right)$

Each of the users, and only these users, can compute $\sigma$. Any eavesdropper will only get partial information.

E. Verification

On input of the master key (N, e), a signature $(R, \sigma)$, a partial set of signers L_p = (Id_1, ..., Id_k) and a set of corresponding messages m_1, ..., m_k, the verifier computes
1) $t = \sigma^{e} \cdot \prod_i H(Id_i) \bmod N$;
2) $u = R \cdot \prod_i m_i^{e} \bmod N$;
3) checks that t = u. If the quantities are equal, accept the signature as valid, otherwise reject it.

VI. CONCLUSION

A new efficient signature scheme has been presented. As a single user signature scheme it is analogous to, though somewhat faster than, other RSA based schemes. It can be Id Based. It has been shown that it is also suitable for multi signatures, which can be Id based, or for aggregated signatures, which can also be Id Based. Schemes having simultaneously the two features are not common, making these two quite remarkable, while having very good algorithmic performance.

REFERENCES

[1] A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. Advances in Cryptology, CRYPTO 1986, LNCS 263, pages 186-194, 1987.
[2] S. Micali and R. Rivest. Transitive signature schemes. In Proceedings of RSA 2002, volume 2271 of LNCS, pages 236-243. Springer-Verlag, 2002.
[3] H. Ong, C. P. Schnorr, and A. Shamir. Efficient signature schemes based on polynomial equations. Advances in Cryptology, CRYPTO 1984, LNCS 196, pages 37-46. Springer-Verlag, 1985.
[4] A. J. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[5] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. SIAM J. Computing, 32(3):586-615, 2003. Extended abstract in Proceedings of Crypto 2001.
[6] T. Okamoto. A digital multisignature scheme using bijective public-key cryptosystems. ACM Trans. Computer Systems, 6(4):432-441, 1998.
[7] R. Gennaro, T. Rabin, S. Jarecki, and H. Krawczyk. Robust and efficient sharing of RSA functions. J. Cryptology, 13(2):273-300, 2000.
[8] F. Zhang and K. Kim. ID-based blind signature and ring signature from pairings. In Proceedings of Asiacrypt 2002, volume 2501 of LNCS, pages 533-547. Springer-Verlag, 2002.
[9] M. Bellare and G. Neven. Multi-signatures in the plain public-key model and a general forking lemma. In ACM CCS 06. ACM Press, 2006.
[10] A. Boldyreva. Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In Y. Desmedt, editor, PKC 2003, volume 2567 of LNCS, pages 31-46. Springer-Verlag, 2003.
[11] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM CCS 93, pages 62-73. ACM Press, 1993.
[12] D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. In E. Biham, editor, EUROCRYPT 2003, volume 2656 of LNCS, pages 416-432. Springer-Verlag, 2003.
[13] C. Castelluccia, S. Jarecki, J. Kim, and G. Tsudik. A robust multisignatures scheme with applications to acknowledgment aggregation. In C. Blundo and S. Cimato, editors, SCN 2004, volume 3352 of LNCS, pages 193-207. Springer-Verlag, 2005.
[14] C. Castelluccia, S. Jarecki, J. Kim, and G. Tsudik. Secure acknowledgment aggregation and multisignatures with limited robustness. Computer Networks, 50(10):1639-1652, 2006.
[15] J. C. Cha and J. H. Cheon. An identity-based signature from gap Diffie-Hellman groups. In Y. Desmedt, editor, PKC 2003, volume 2567 of LNCS, pages 18-30. Springer-Verlag, 2005.
[16] A. Shamir, R. Rivest, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.