Wednesday, April 3, 2019

Digital signature

Digital signalizeatureI. IntroductionThe main role of digital sense of touch primitive is to preserve the data integrity of electronic put d throw and to accomplish the requirement of authentication and verification. Only nonpareil signer utilise his/her private name applys an ordinary digital signature avoidance. However, in virtu altogethery practical application, a register requires all(prenominal) group sections to generate a signature together. These proposals are called digital multisignature final causes 2, in which all group segments sign the same document by using their private refers. The multisignature final cause has deuce-ace characteristics, refer to 2, 4. For generating an effectual multisignature, the verification cost and the size of a multisignature energy be almost as same as that of an ordinary signature. In the past decade, several multisignture ends were proposed establish on the factorization, discrete logarithm problems or a combination of both. Moreover, there are a few aims proposed found on the identity-establish cryptosystem. A normal multisignature escape is called a multisignature with un exalted subscribe authorities, as each(prenominal) group member has the same responsibility for write the document. However, there are some situations when each member should have his/her own distinguished sign language authority 4, 5, 7, and 15. In this case, the multisignature outline is called a multisignature scheme with distinguished signing authorities For constructing a multisignture scheme with distinguished signing authorities, Harn 4 proposed the first scheme come out with this characteristic. In this scheme, each member scarcely has his/her distinguished signing trus cardinalrthy for his/her subdocument. The overtone contents give the bounce be easily verified without revealing the whole message. However, Li et al. 9 claimed that Harns scheme is not secure against insider coming. Moreover, Hwang et al. 7 pointed out that, in the Harn scheme, no evidence could be used to distinguish the signing authorities this is delinquent to the fact that all individual signatures and multisignatures are produced on the same hash digest of all the partial subdocuments. In the same paper, Hwang et al. 7 proposed a scheme based on the Harn scheme. In the expose, they claimed that their scheme overcomes the weaknesses of the Harn scheme. However, this is increasing the cost of generating multisignature. Huang et al. 6 proposed both multisignatures with distinguished signing authorities for sequential and broadcasting architectures. One year later, Yoon et al. 15 showed that Huangs scheme is unsecure since an assaulter scum bag derive a users secret key and forge the multisignature of the scheme on arbitrary message. All of those schemes are based on the factorization or discrete logarithm problems or a combination of both. In 1998, Shamir 12 introduced the concept of an identity-based (ID-base d) cryptosystem to simplify the key management problem. In general, the main humor of identity-based cryptosystem is that the public key of a user is inferred from his/her identity. Each user necessitate to register at a private key generator (PKG) by identifying his/herself before joining the network. Later, the PKG will generate a secret key for that signer which is related to his/her identity. The secret key is sent to the user via a secure channel. Shamir proposed an ID-based signature (IBS) scheme from RSA primitive 11. The aegis of IBS was not proven or argued until Bellare et al. 1 proved that the IBS is secure against forgeability low chosen-message approach. In the literature, there is only one ID multisignature with distinguished signing authorities for sequential and broadcasting architectures based on the identity-based cryptosystem. Wu et al. 14 proposed two ID-based multisigntures with distinguished signing authorities, relying on the Wus 13 ID-based multisignatur e scheme, which however is shown to be unsecure 8. Chien 3 showed that Wu et al. 14 two ID-based multisignatures have the security weakness by two attacks insider attack and partial document substitution attack. More recently, Harn 5 proposed a new efficient ID-based RSA multisignature relying on IBS. Their scheme has constant signature length and verification metre independent of the number of signers. They proved that their scheme is secure against multisignature collusion attack, adaptative chosen-ID attack and forgeability under chosen-message attack.In this paper, we propose an efficient ID-based multisignature with distinguished signing authorities based Harns multisignature 5. We innovativeify the Harns scheme to be suitable as a mutlisignature with distinguished signing authorities for broadcasting architecture. We use Wus implement of generating a multisignature with distinguished signing authorities only for broadcasting architecture. We theorise that the signing grou p U1, U2,, Ul , to l the number of signers, want to generate the multisignature for the document D which can be divided to meaningful subdocuments d1, d2,, dl . The member Uj is only responsible for signing partial subdocumentdj, forj=1,2,,l.The rest of this paper nonionized as follows. In section 2, we review of Harns multisignature scheme. Section 3, we describe our proposed scheme. The security analysis of the proposed scheme is plowed in section 4. The paper is concluded in section 5. II. Review of Harns efficient identity-based RSA multisignatureA. PKG keysThe PKG picks two stochastic large primes, p and q by run probabilistic polynomial algorithmic program Krsa, then calculates n=p.q, after that chooses a random public key e such that gcde,n=1 and computes the private key d=e-1 modn.B. Multisignature propagation1) Signer secret key generationIn this algorithm, the signer gets a copy of his secret key from the PKG through a two-step movement1. A signer submits his identit y to the PKG.2. The PKG, with its private key d and the alike(p) public key e, signs the message digest of the identity, denoted as ij, by generating a secret key gj, such that gj=ijdmod n. 2) Message signingTo generate an identity-based multisignature, each signer carries out the followings steps1. Chooses a random integer rj and computes tj=rje mod n2. Broadcasts tj to all the signers.3. Upon receiving of tj, j=1,2,,l, each signer computes t=j=1ltj mod nand sj=gj.rjh(t,D) mod n4. Broadcasts sj to all the signers.5. After receiving of sj, j=1,2,,l the multisignature component s can be computed as s=j=1lsj mod nThe multisignature for a document D is =t,s.C. Multisignature verificationTo swear a multisignature =t,s of a document D of signers whose identities are i1, i2, , il one verifies the following se=i1.i2.il . th(t,D) mod n (1)If it holds, the identity-based multisignature is valid, otherwise it is invalid.III. Our proposed schemeOur proposed scheme as same is the same as Har ns scheme in the form description which follows the model proposed in Micali et al. 10. In our modification, there are two new players a document issuer (DI) and a document collector (DC). The DI is responsible of dividing the document into l smaller subdocuments such that D=d1d2dl and the DC is responsible of collecting the partial signature and issue the multisignature. A. PKG KeysThe PKG picks two random large primes, p and q by run probabilistic polynomial algorithm Krsa, then calculates n=p.q, after that chooses a random public key e such that gcde,n=1 and computes the private key d=e-1 modn.B. Extract Signer key generation Through this algorithm, a signer collects his private key by dealing with PKG in two steps1. A signer submits his identity to ij the PKG.2. The PKG, with its private key d and the corresponding public key e, signs the message digest of the identity, denoted as ij, by generating a secret key gj, such tha gj=ijdmod n. C. Message signingTo generate an identity -based multisignature with distinguishing signing authorities, each signer carries out the followings steps1. Chooses a random integer rj and computes tj=rjemod n2. Broadcasts tj, htj, djto all the signers and DC. 3. Upon receiving of tj, j=1,2,,l, each signer computes t=j=1ltjhtj, dj mod n H=h(t,D)And generats hisher partial signature sj=gj. rjH.h(tj,dj) mod n4. Broadcasts sj to all the signers and DC.5. DC verifies all partial signatures by holding the following sje=ij . tjH.h(tj,dj) (2)5. After that for all sj, j=1,2,,l the multisignature component s can be computed as s=j=1lsj mod nThe multisignature for a document D is =t,sD. Multisignature verificationTo verify a multisignature =t,s of a document D of signers whose identities are i1, i2, , il one verifies the following se=i1.i2.il . tH mod n (3)If it holds, the identity-based multisignature is valid, otherwise it is invalid.E. Correctness s=j=1lsj= j=ilgj. rjH.h(tj,dj) mod n s=g1.g2.gl .j=1lrjH.h(tj,dj) mod nse=g1e.g2e..gle.j =1l. rjH.e.h(tj,dj) mod n se=g1e.g2e..gle. j=1ltjhtj, dj Hmod n se=i1.i2.in.tHmod nIV. Security AnalysisOur proposed scheme is an efficient improvement on Herns multisignature (IBMS), which is suitable to meet the property of distinguishing signing authorities. Therefore, the proposed scheme construct based on Shamir identity based signature (IBS) scheme. Without lost generality, both scheme are proved secure based on RSA cryptosystem, refer to 5, 12. Our proposed scheme inherits the security aspects from its root schemes therefore, those aspects are still applicable and approvable to our scheme.Next, we will discuss some potential and essential attacks against our scheme. Attack 1. An existential forgery under accommodative chosen-message attack, which an adversary attempts to forge a multisignature or a partial signature for a chosen document or subdocument adaptationally without knowing some(prenominal) private key.Essentially, the standard Shamir IBS scheme is secure against forgery under adaptive chosen-message attack, according to Berllare et al. 1. Thus, it is easy to get the proposed scheme secure against this type of attack, due to both schemes having the same identical forms and assuming one-wayness of the underlying RSA crypotsystem. Attack 2. The adaptive chosen-ID attack, which an adversary (adversaries) tries to adaptively choose identity (identities) and forge private key from the PKG, therefore, it can forge a multisignature or partial signature.Harn et al. 5 introduced the concept of the adaptive chosen-ID attack and proved that their IBMS scheme is secure against this attack. Our scheme resembles Harns scheme, this result in our scheme also secure against adaptive chosen-ID attack.V. Conclusion We have proposed an efficient ID-based RSA multisignatures with distinguished signing authorities for broadcasting architecture based on Shamirs IBS scheme and Hern et al. IBMS scheme. The proposed scheme is secure against forgeability under adaptiv e chosen-message attack and adaptive chosen-identity attack.

No comments:

Post a Comment