A Threshold Digital Signature Issuing Scheme without Secret Communication


Kazuo Takaragi, Kunihiko Miyazaki, Masashi Takahashi
Systems Development Laboratory, Hitachi, Ltd.
e-mail: {takara, kunihiko,

Abstract
This paper describes an efficient (k, n) threshold digital signature scheme. In the scheme, k out of n signers cooperate to issue a signature without using a trusted center. No secret communication is required among the signers across the network. As a base scheme, Pedersen's verifiable secret sharing (VSS) is applied to generate shared secret keys in such a way that no secret communication is required in the following signature issuing phase. Then, a Nyberg-Rueppel or ElGamal type digital signature scheme is employed which uses only a linear combination of two shared secrets when applied to the (k, n) threshold scenario. It is considered that a (k, n) threshold scheme without using encryption is meaningful in an environment where a strongly enciphered message cannot be sent across the network. The proposed (k, n) threshold digital signature scheme is proved to be as secure as the Nyberg-Rueppel or ElGamal type digital signature against chosen message attacks. It is discussed that the proposed VSS is also applicable to encryption. An application to (k, n) threshold sign-encryption is also presented.

1 INTRODUCTION
With the progress of usage of the computer and communication, more and more paper works are replaced with electronic ones in our daily life and business activities such as e-mail, electronic commerce, electronic money, etc. In many of such areas, digital signature is essential. This paper proposes secure and reliable digital signature schemes in a fault prone environment of hardware such as memory and CPU in the cryptographic device. Because of the comparative fragility of electronic devices, the data on the device is easily broken, lost or altered. For example, it may be well congratulated when the data on a floppy disk persists without error for more than ten years. On the other hand, the data on traditional paper usually persists without error for a long time period, e.g. a hundred years. The reliability of data on electronic devices is far worse than that of paper. Furthermore, secret data hidden in a hardware device is not always secure. Examples are unauthorized usage of a stolen smart card by a malicious user, exposure of secret data by reverse engineering, and guessing of secret data by fault cryptanalysis [Bon97]. The problem is that we must rely on such undependable electronic devices in real business using digital signatures. In order to deal with that problem, it seems that a kind of single failure criterion should be adopted. That is, a single failure of hardware shall not cause the loss of the private key

for the authorized user nor cause the exposure of the private key to an unauthorized user.

This paper presents an efficient (k, n) threshold digital signature scheme. An efficient (k, n) threshold ElGamal type public key cryptosystem was shown by Desmedt and Frankel [DF89] such that (1) k of the n members must cooperate to decrypt a ciphertext, (2) any k-1 dishonest members cannot decrypt any ciphertext. This system requires a trusted center. Hwang [Hwa90] and then Pedersen [Per91-2] showed that the trusted center can be eliminated. In the system of Hwang [Hwa90], however, the size of the group public key is much larger than that of Desmedt and Frankel [DF89] because each member publicizes his own public key. In the system of Pedersen [Per91-2], the public key is as small as that of Desmedt and Frankel [DF89]. Pedersen's system makes use of a noninteractive verifiable secret sharing scheme [Fel87]. Desmedt and Frankel [DF91] showed a (k, n) threshold RSA type digital signature scheme such that (1) k of the n members must cooperate to issue a signature, (2) any k-1 dishonest members cannot forge a signature. This scheme requires a trusted center. Park and Kurosawa [PK96] showed a (k, n) threshold ElGamal type digital signature scheme which requires no trusted center. The ElGamal type digital signature which is applicable to this scheme is composed of only a linear combination of shared secrets. This scheme, however, requires enciphered communication between signers when they communicate across a network. In this paper, we show an efficient (k, n) threshold ElGamal type digital signature with no trusted center and no enciphered communication. The applicable ElGamal type digital signature is one which is composed of only a linear combination of shared secrets. The message recoverable Nyberg-Rueppel digital signature is included in our scheme.

2 PREPARATION
Throughout this paper, p and q are large primes, E is an elliptic curve and the base point P is a point on the elliptic curve E which has order q. It is assumed that E and P are publicly known. Let $Z_q$ be the finite field with q elements. We use the following basic tools to share the secret in our proposed scheme.

2.1 Shamir Secret Sharing
In this section, we describe the Shamir secret sharing technique [Sha79]. A (k, n) threshold secret sharing scheme is a protocol between n+1 players in which the dealer distributes partial information about a secret to n participants such that (1) any group of fewer than k participants cannot obtain any information about the secret, (2) any group of at least k participants can compute the secret in polynomial time. Assume the dealer has a secret $d \in Z_q$. This secret can be distributed to $P_1, \ldots, P_n$ as follows.

Step 1: The dealer chooses a polynomial $f(x) = f_0 + f_1 x + \cdots + f_{k-1} x^{k-1}$ over $Z_q$ of degree k-1 satisfying $f(0) = d$ at random (i.e. let $f_0 = d$ and let $f_1, \ldots, f_{k-1}$ be random numbers in $Z_q$). Then the dealer computes $t_i = f(i)$.
Step 2: Send $t_i$ secretly to $P_i$.

Any k persons $P_{h_1}, \ldots, P_{h_k}$ can find the secret d by the Lagrange formula:
$$f(x) = \sum_{i=1}^{k} \left( \prod_{l=1,\, l \neq i}^{k} \frac{x - h_l}{h_i - h_l} \right) f(h_i).$$
Thus
$$d = \sum_{i=1}^{k} a_i\, t_{h_i}, \qquad a_i = \prod_{l=1,\, l \neq i}^{k} \frac{h_l}{h_l - h_i}.$$
On the other hand, any group of fewer than k persons cannot find the secret d, because for any $d' \in Z_q$ there exists a polynomial $f'(x)$ over $Z_q$ of degree k-1 such that $f'(h_i) = t_{h_i}$ ($i = 1, \ldots, k-1$) and $f'(0) = d'$.

2.2 Pedersen's Verifiable Secret Sharing (VSS)
Pedersen presented a noninteractive verifiable secret sharing (VSS) [Per91-1].

Verifiable means each participant can verify his own share. Assume the dealer has a secret $d \in Z_q$ and is committed to d through a public key $Q = dP$. This secret can be distributed to $P_1, \ldots, P_n$ as follows.

PROTOCOL DISTRIBUTE (at the dealer)
Step 1: Compute shares $t_i$ using the Shamir secret sharing scheme described above in the field $Z_q$, by choosing a polynomial $f(x) = f_0 + f_1 x + \cdots + f_{k-1} x^{k-1}$ over $Z_q$ of degree k-1 satisfying $f(0) = d$ and then computing $t_i = f(i)$.
Step 2: Send $t_i$ secretly to $P_i$ and broadcast $f_j P$ ($j = 1, \ldots, k-1$) to all n participants. Thus the dealer broadcasts k-1 points on the elliptic curve E and sends n elements of $Z_q$ secretly.

PROTOCOL VERIFY SHARE (at $P_i$)
Step 1: Verify that $t_i P = \sum_{j=0}^{k-1} i^j (f_j P)$ as a point on the elliptic curve E (here $f_0 P = Q$).
Step 2: If this is false, broadcast $t_i$ and reject the dealer.
Step 3: For each other $t_l$ claimed at Step 2, verify that $t_l P = \sum_{j=0}^{k-1} l^j (f_j P)$ as a point on the elliptic curve E.
Step 4: If the dealer is not rejected, accept $t_i$.

Fewer than k participants who have followed PROTOCOL VERIFY SHARE and accepted do not get any information about d. This is shown by Proposition 2.1 below.

Proposition 2.1: Any g ($g \le k-1$) participants having shares $t_i$ ($i = 1, \ldots, g$) can find $f'_j P$ ($j = 0, \ldots, k-1$) such that $f'(x) = f'_0 + f'_1 x + \cdots + f'_{k-1} x^{k-1}$ is a random polynomial of degree at most k-1 satisfying $f'(0) = d$ and

$f'(i) = t_i$ ($i = 1, \ldots, g$).
Proof: (See [Per91-1].)

This proposition shows that any number of participants can simulate the dealer no matter what shares they get. This means that fewer than k participants do not get any information about d.

2.3 Verifiable Secret Sharing (VSS) without a trusted center
Pedersen's verifiable secret sharing (VSS) described above needs a trusted center as the dealer, because the dealer knows the secret. Pedersen also presented VSS without a trusted center [Per91-2]. In this protocol, each participant plays the role of the dealer in the above VSS.

PROTOCOL RANDOM NUMBER (at $P_i$)
Step 1: Each $P_i$ chooses $d_i$ at random and broadcasts $d_i P$ to all other participants.
Step 2: Each $P_i$ distributes $d_i$ by using PROTOCOL DISTRIBUTE. That is, $P_i$ chooses a random polynomial $f_i(x) = f_{i,0} + f_{i,1} x + \cdots + f_{i,k-1} x^{k-1}$ over $Z_q$ of degree k-1 such that $f_i(0) = d_i$, and then sends $f_i(j)$ secretly to $P_j$ and broadcasts $f_{i,j} P$ ($j = 1, \ldots, k-1$) to all n participants.
Step 3: Each $P_i$ executes PROTOCOL VERIFY SHARE.
Step 4: If no $P_i$ is rejected at Step 3, go to Step 5. Otherwise, stop.
Step 5: Each $P_i$ computes $t_i = \sum_{j=1}^{n} f_j(i)$ and keeps it secretly.
Step 6: Every $P_i$ computes $Q = \sum_{j=1}^{n} d_j P$ and $Q_i = t_i P$ and broadcasts those values.

Using PROTOCOL RANDOM NUMBER, the secret $d = \sum_{i=1}^{n} d_i$ can be distributed to $P_1, \ldots, P_n$.
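The building blocks of subsections 2.1 to 2.3 run end to end, as an added example that is not part of the paper: PROTOCOL RANDOM NUMBER executed by n parties, PROTOCOL VERIFY SHARE applied to every received share, the Lagrange formula of 2.1 used to confirm that any k of the resulting $t_i$ determine $d = \sum d_i$ with $dP = Q$, and one dealer who sends a bad share and is rejected at Step 3. It assumes a toy prime-order subgroup of $Z_p^*$ in place of the elliptic curve group (so dP becomes g^d mod p) with constructed parameters p = 1019, q = 509, g = 4; the protocol steps themselves follow the paper.

```python
import random

# Toy Schnorr group standing in for the curve group <P> of prime order q
# (assumption): "xP" is pow(g, x, p) and point addition is multiplication
# mod p.  p = 1019 = 2*509 + 1, q = 509, g = 4 has order q.  Constructed,
# far too small for real use.
p, q, g = 1019, 509, 4


def commit(x):
    """The public value xP of a scalar x, here g^x mod p."""
    return pow(g, x, p)


def eval_poly(coeffs, x):
    """f(x) = f_0 + f_1 x + ... + f_{k-1} x^{k-1} over Z_q."""
    return sum(c * pow(x, j, q) for j, c in enumerate(coeffs)) % q


def distribute(d, k, n, rng):
    """PROTOCOL DISTRIBUTE at one dealer holding d: the shares t_i = f(i),
    i = 1..n, and the broadcast commitments f_j P, j = 0..k-1 (f_0 P = dP)."""
    coeffs = [d] + [rng.randrange(q) for _ in range(k - 1)]      # f(0) = d
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    return shares, [commit(c) for c in coeffs]


def verify_share(i, t_i, commitments):
    """PROTOCOL VERIFY SHARE Step 1: t_i P == sum_j i^j (f_j P)."""
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, j, q), p) % p
    return commit(t_i) == expected


def lagrange_coeff(i, S):
    """a_{i,S} = prod_{h in S, h != i} h / (h - i) mod q."""
    a = 1
    for hh in S:
        if hh != i:
            a = a * hh * pow((hh - i) % q, -1, q) % q
    return a


def reconstruct(shares):
    """Lagrange formula of 2.1: d = sum_i a_{i,S} t_i from any k shares."""
    S = list(shares)
    return sum(lagrange_coeff(i, S) * shares[i] for i in S) % q


def random_number_protocol(k, n, rng, cheater=None):
    """PROTOCOL RANDOM NUMBER: every P_i deals its own d_i.  Returns
    (t_i for all i, Q = dP, Q_i = t_i P, set of rejected dealers).  With
    cheater=i, dealer i sends P_1 a wrong share (constructed fault)."""
    d = {i: rng.randrange(1, q) for i in range(1, n + 1)}        # Step 1
    sent, public = {}, {}
    for i in d:                                                  # Step 2
        shares, comm = distribute(d[i], k, n, rng)
        if i == cheater:
            shares[1] = (shares[1] + 1) % q                      # bad f_i(1)
        sent[i], public[i] = shares, comm
    # Step 3: every P_j checks the share it got from every dealer i
    rejected = {i for i in d
                if not all(verify_share(j, sent[i][j], public[i]) for j in d)}
    if rejected:                                                 # Step 4
        return None, None, None, rejected
    t = {i: sum(sent[j][i] for j in d) % q for i in d}           # Step 5
    Q = 1
    for i in d:
        Q = Q * commit(d[i]) % p                                 # Step 6: sum d_j P
    return t, Q, {i: commit(t[i]) for i in d}, rejected


def demo(k=3, n=5, seed=7):
    """Honest run: any k of the t_i recover d with dP == Q although nobody
    ever held d.  Faulty run: the bad dealer is rejected at Step 3."""
    rng = random.Random(seed)
    t, Q, Q_i, rejected = random_number_protocol(k, n, rng)
    d = reconstruct({i: t[i] for i in (2, 4, 5)})
    _, _, _, bad = random_number_protocol(k, n, rng, cheater=3)
    return commit(d) == Q, rejected, bad
```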

Note that the secret $d = \sum_{i=1}^{n} d_i$ itself does not appear explicitly in this protocol.

3 DIGITAL SIGNATURE
In this section, we show two digital signature schemes. One is the Nyberg-Rueppel signature scheme and the other is a variant of the ElGamal signature scheme. Our proposed (k, n) threshold technique, which is shown later, is valid for such signature schemes.

3.1 Nyberg-Rueppel signature
Let h be a one way hash function whose range is $\{1, \ldots, q-1\}$.
Secret key: $d \in Z_q$
Public key: $Q$ ($= dP$)
Message: m
Signature: (r, s) such that
$$(x, y) = kP, \qquad r = x - h(m) \pmod q, \qquad s = dr + k \pmod q,$$
where $k$ ($\neq 0$) $\in Z_q$ is a random number.
Verification: (r, s) is a valid signature for m if and only if $x' = r + h(m) \pmod q$, where $(x', y') = sP - rQ$.

3.2 A variant of the ElGamal signature
Let h be a one way hash function whose range is $\{1, \ldots, q-1\}$.
Secret key: $d \in Z_q$
Public key: $Q$ ($= dP$)
Message: m
Signature: (r, s) such that
$$(x, y) = kP, \qquad r = x \pmod q, \qquad s = dr + k\,h(m) \pmod q,$$
where $k$ ($\neq 0$) $\in Z_q$ is a random number.
Verification: (r, s) is a valid signature for m if and only if $x' = r \pmod q$, where $(x', y') = s\,h(m)^{-1} P - r\,h(m)^{-1} Q$.

4 PROPOSED THRESHOLD DIGITAL SIGNATURE
In this section, we show our proposed (k, n) threshold digital signature scheme over the Nyberg-Rueppel signature scheme that we have shown in subsection 3.1.

4.1 Proposed scheme
The proposed scheme consists of two protocols, a key generation protocol and a signature issuing protocol. We use Pedersen's VSS technique of subsection 2.3 only in the key generation protocol and do not use it in the signature issuing protocol. Let $P_1, \ldots, P_n$ be the set of signers. The public key and the signature obtained from the following scheme will be the same as those of subsection 3.2. In our scheme,
(1) The key generation protocol requires all n signers to cooperate to generate a public key Q of the group and secret information $t_i$ of each $P_i$.
(2) In the signature issuing protocol, a subset B of signers can issue a signature (r, s) if B contains k honest signers.
(3) Any k-1 dishonest signers cannot forge a signature even after polynomially many signatures have been issued.

KEY GENERATION PROTOCOL
Step 1: Each of $P_1, \ldots, P_n$ executes PROTOCOL RANDOM NUMBER. Let the secret output of $P_i$ be $t_i$ and the public output be $Q$ ($= dP$) and $Q_i$ ($= t_i P$) ($1 \le i \le n$). $t_i$ is the secret information kept by $P_i$, and Q is the public key for the group $P_1, \ldots, P_n$.

SIGNATURE ISSUING PROTOCOL
Step 1: Choose k signers $P_{h_1}, \ldots, P_{h_k}$, let $S = \{h_1, \ldots, h_k\}$, and let the signers be $B = \{P_i \mid i \in S\}$.
Step 2: Each signer $P_i$ ($i \in S$) computes $e_{i,S} = a_{i,S}\, t_i$, where
$$a_{i,S} = \prod_{h \in S,\, h \neq i} \frac{h}{h - i}.$$
Step 3: Each signer $P_i$ ($i \in S$) generates a random number $k_i$ ($1 \le k_i \le q-1$).
Step 4: Each signer $P_i$ ($i \in S$) computes $R_i = k_i P$ and broadcasts it to all members of B.

Step 5: Each signer $P_i$ ($i \in S$) computes $(x, y) = \sum_{h \in S} R_h$.
Step 6: Each signer $P_i$ ($i \in S$) computes $r = x - h(m) \pmod q$ and $s_i = e_{i,S}\, r + k_i \pmod q$, and broadcasts $s_i$ to all members of B.
Step 7: Each signer $P_i$ ($i \in S$) verifies $R_j = s_j P - r\, a_{j,S} Q_j$ (note that $a_{j,S} Q_j = e_{j,S} P$) for all $j$ ($\neq i$) $\in S$. If this is false, reject $P_j$ and stop.
Step 8: Each signer $P_i$ ($i \in S$) computes $s = \sum_{j \in S} s_j$, then outputs (r, s) as the digital signature of the group.

Proposition 4.1: The signature (r, s) issued by the above protocol satisfies $r = x - h(m) \pmod q$ and $s = dr + K \pmod q$, where x is the x-coordinate of the point KP, d is the secret for the group $P_1, \ldots, P_n$ (i.e. $Q = dP$) and $K = \sum_{i \in S} k_i$.
Proof: The equation for r is obvious from Step 6 of the SIGNATURE ISSUING PROTOCOL (note that all signers $P_i$ ($i \in S$) compute the same value x in Step 5). On the other hand, s satisfies

$$s = \sum_{i \in S} s_i \quad \text{(by Step 8)}$$
$$= \sum_{i \in S} (e_{i,S}\, r + k_i) \quad \text{(by Step 6)}$$
$$= \Big( \sum_{i \in S} a_{i,S}\, t_i \Big) r + K \quad \text{(by Step 2)}$$
$$= dr + K \quad \text{(by the Lagrange formula)}.$$
And by Step 5, x is the x-coordinate of the point KP.

This proposition shows that verification for our proposed scheme is the same as that of subsection 3.1. It is easy to show that a (k, n) threshold signature scheme over an ElGamal type digital signature can be obtained in a similar way.

4.2 Advantage
Advantage of the (k, n) signature itself
Generally, secret data hidden in a hardware device is not always secure. First, it may be broken. Second, a malicious user may misuse it when it is stolen. Furthermore, exposure of secret data may occur by reverse engineering, and the secret data may be guessed by fault cryptanalysis [Bon97]. The basic countermeasure for such accidents would be a kind of multiple failure criterion applied to the set of devices which belong to a user. That is, when a certain number of the devices are broken, it shall not cause the substantial loss of the private key. Furthermore, when a certain number of the devices are stolen, it shall not cause the substantial exposure of the private key. The (k, n) scheme itself has an advantage for realizing such a countermeasure.

Advantage of the proposed method
In our proposed scheme, a secure communication path is required only at key generation. This means the set of signers uses the secure communication path only once, at key generation. This secure communication path can be realized easily by some means. In the Park-Kurosawa scheme, a secure communication path is required every time the set of signers issues a signature. That is, our scheme has an advantage in an environment where a strongly enciphered message cannot be sent across the network at the time they issue a signature.

Efficiency

We estimate the communication complexity of our proposed (k, n) threshold scheme precisely as follows. In the key generation protocol, each signer first broadcasts $2k|p|$ bits (here the coefficient 2 means that both the x- and y-coordinates of a point on the elliptic curve E are sent, so we can reduce it to $k|p| + k$ bits), then sends $(n-1)|q|$ bits secretly and finally broadcasts $4|p|$ bits (we can reduce it to $2|p| + 2$ bits). In the signature issuing protocol, each signer first broadcasts $2|p|$ bits (we can reduce it to $|p| + 1$ bits), then broadcasts $|q|$ bits and finally broadcasts $2|q|$ bits. In this protocol, we do not need secret communication across the network when issuing a signature. Thus, our scheme has an advantage over the Park-Kurosawa scheme (see Table 1).

                 KEY GENERATION                     SIGNATURE ISSUING
                 broadcast        send secretly     broadcast              send secretly
PK scheme        2k|p| + 4|p|     (n-1)|q|          2k|p| + 2|q|           (k-1)|q|
Our scheme       2k|p| + 4|p|     (n-1)|q|          2|p| + |q| + 2|q|      0

Table 1: Comparison of the communication complexity (bits per signer)

Note: (1) In the above table, both the PK scheme and our proposed scheme are applied to the elliptic curve discrete logarithm problem. (2) We estimate the communication complexity of our proposed scheme using the Nyberg-Rueppel signature scheme, but if the variant of the ElGamal scheme shown in subsection 3.2 is used, the communication complexity is the same. (3) In the original PK paper [PK96], subsection 4.2, they do not estimate the size of the public output which is broadcast at the end of the key generation protocol. In the above table, we count it in.

5 SECURITY
In this section, we discuss the security of the proposed (k, n) threshold digital signature scheme.

5.1 Correctness and Detectability
The correctness of the signature is easily verified by the verification described in subsection 3.1. Cheaters who cheat at Step 1 of the KEY GENERATION PROTOCOL are detected by PROTOCOL VERIFY SHARE included in PROTOCOL RANDOM NUMBER. Cheaters who cheat at Step 6 of the SIGNATURE ISSUING PROTOCOL are detected by Step 7.
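The SIGNATURE ISSUING PROTOCOL of subsection 4.1 together with the Step 7 check that subsection 5.1 relies on, followed by the verification of subsection 3.1, as an added example that is not the paper's own code. It assumes a toy prime-order subgroup of $Z_p^*$ in place of the curve group (kP is g^k mod p and the "x-coordinate" is the residue itself) with constructed parameters p = 1019, q = 509, g = 4, a SHA-256 based h with range $\{1, \ldots, q-1\}$, and a plain Shamir dealer standing in for PROTOCOL RANDOM NUMBER to produce the key shares $t_i$.

```python
import hashlib
import random

# Toy Schnorr group standing in for the curve group <P> of prime order q
# (assumption): kP is pow(g, k, p), point addition is multiplication mod p,
# and the "x-coordinate" of a point is the residue itself.  p = 1019,
# q = 509, g = 4 are constructed and far too small for real use.
p, q, g = 1019, 509, 4


def h(m):
    """One-way hash with range {1, ..., q-1} as 3.1 requires (SHA-256 folded)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (q - 1) + 1


def lagrange_coeff(i, S):
    """a_{i,S} = prod_{j in S, j != i} j / (j - i) mod q."""
    a = 1
    for j in S:
        if j != i:
            a = a * j * pow((j - i) % q, -1, q) % q
    return a


def shamir_keygen(k, n, rng):
    """Dealer stand-in for the KEY GENERATION PROTOCOL (assumption): t_i = f(i)
    with f(0) = d.  Returns (d, t_i, Q = dP, Q_i = t_i P); d is kept only so
    the demo can check the shares, the signers never need it."""
    f = [rng.randrange(1, q)] + [rng.randrange(q) for _ in range(k - 1)]
    t = {i: sum(c * pow(i, j, q) for j, c in enumerate(f)) % q
         for i in range(1, n + 1)}
    return f[0], t, pow(g, f[0], p), {i: pow(g, t[i], p) for i in t}


def issue_signature(m, S, t, Q_i, rng, cheater=None):
    """Steps 2-8 of the SIGNATURE ISSUING PROTOCOL for the signers P_i, i in S.
    Returns (r, s), or ("reject", j) when Step 7 catches signer j.  With
    cheater=j, signer j broadcasts a wrong s_j at Step 6 (constructed fault)."""
    e = {i: lagrange_coeff(i, S) * t[i] % q for i in S}          # Step 2
    k_i = {i: rng.randrange(1, q) for i in S}                    # Step 3
    R = {i: pow(g, k_i[i], p) for i in S}                        # Step 4 (broadcast)
    x = 1
    for i in S:
        x = x * R[i] % p                                         # Step 5: sum of R_h
    r = (x - h(m)) % q                                           # Step 6
    s_i = {i: (e[i] * r + k_i[i]) % q for i in S}
    if cheater is not None:
        s_i[cheater] = (s_i[cheater] + 1) % q
    for j in S:                                                  # Step 7 (every P_i)
        a_j = lagrange_coeff(j, S)                               # e_{j,S} P = a_{j,S} Q_j
        if R[j] != pow(g, s_i[j], p) * pow(Q_i[j], (-r * a_j) % q, p) % p:
            return "reject", j
    return r, sum(s_i.values()) % q                              # Step 8


def verify(m, r, s, Q):
    """Verification of 3.1: x' == r + h(m) mod q where (x', y') = sP - rQ."""
    x_prime = pow(g, s, p) * pow(Q, (-r) % q, p) % p
    return x_prime % q == (r + h(m)) % q


def demo(k=3, n=5, seed=11):
    rng = random.Random(seed)
    d, t, Q, Q_i = shamir_keygen(k, n, rng)
    m = b"constructed sample message"
    S = [1, 3, 5]                                                # any k signers
    shares_ok = sum(lagrange_coeff(i, S) * t[i] for i in S) % q == d
    r, s = issue_signature(m, S, t, Q_i, rng)
    honest = verify(m, r, s, Q)          # checked with the group key only
    caught = issue_signature(m, [2, 4, 5], t, Q_i, rng, cheater=4)
    return shares_ok, honest, caught
```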

5.2 View
The view of $P_i$ in a protocol is everything that $P_i$ sees in executing the protocol. Suppose that an adversary corrupts $P_1, \ldots, P_g$. Then the view of the adversary is $\{\text{the view of } P_1\} \cup \cdots \cup \{\text{the view of } P_g\}$.

Definition 5.1: Suppose that a set of players B executes PROTOCOL RANDOM NUMBER on input (E, P) and the main output is Q. Let $\hat{A}$ be the adversary which corrupts up to k-1 players. Denote the view of $\hat{A}$ for this protocol by $\mathrm{view}(\hat{A}, E, P, Q)$. Let $\mathrm{VIEW}(\hat{A}, E, P, Q)$ denote the random variable induced by $\mathrm{view}(\hat{A}, E, P, Q)$.

Lemma 5.2: For any probabilistic polynomial time adversary $\hat{A}$, there exists a probabilistic polynomial time Turing machine M such that the probability distribution of $M(E, P, Q)$ is identical to $\mathrm{VIEW}(\hat{A}, E, P, Q)$.
Proof: (See [PK96], Lemma 5.1.)

Definition 5.3: Suppose that a set of k players B executes the SIGNATURE ISSUING PROTOCOL on input (E, h(m)) and the output of the KEY GENERATION PROTOCOL, and the output is (r, s). Let $\hat{A}$ be the adversary which corrupts up to k-1 players. Denote the view of $\hat{A}$ for this protocol by $\mathrm{view}_{sig}(\hat{A}, Q, h(m), r, s)$. Let $\mathrm{VIEW}_{sig}(\hat{A}, Q, h(m), r, s)$ denote the random variable induced by $\mathrm{view}_{sig}(\hat{A}, Q, h(m), r, s)$.

Lemma 5.4: For any probabilistic polynomial time adversary $\hat{A}$, there exists a probabilistic polynomial time Turing machine $M_{sig}$ such that the probability distribution of $M_{sig}(Q, h(m), r, s)$ is identical to $\mathrm{VIEW}_{sig}(\hat{A}, Q, h(m), r, s)$.
Proof: For simplicity, suppose that $B = \{P_1, \ldots, P_k\}$ and $\hat{A}$ corrupts $P_1, \ldots, P_g$ ($g \le k-1$). Then $\mathrm{view}_{sig}(\hat{A}, Q, h(m), r, s)$ is as follows.
(a) $e_{i,S}$ ($1 \le i \le g$)

(b) $e_{i,S} P$ ($g+1 \le i \le k$)
(c) $k_i$ ($1 \le i \le g$)
(d) $R_i$ ($1 \le i \le k$)
(e) (x, y)
(f) $s_i$ ($1 \le i \le k$)
(g) the contents of the random tape of $\hat{A}$.

Now, we show $M_{sig}$.
(1) $M_{sig}$ computes (a) from the secrets $t_i$ of the corrupted $P_i$ by the Lagrange formula.
(2) $M_{sig}$ computes (c) as $\hat{A}$ does.
(3) From (a) and (c), $M_{sig}$ obtains $s_i$ ($1 \le i \le g$). And $M_{sig}$ chooses $s_i$ ($g+1 \le i \le k-1$) randomly. Then $M_{sig}$ computes $s_k = s - \sum_{i=1}^{k-1} s_i$. $M_{sig}$ obtains (f).
(4) From (a), $M_{sig}$ obtains $e_{i,S} P$ ($1 \le i \le g$). And $M_{sig}$ chooses $e_{i,S} P$ ($g+1 \le i \le k-1$) randomly from the group which is generated by the base point P on the elliptic curve E. Then $M_{sig}$ computes $e_{k,S} P = dP - \sum_{i=1}^{k-1} e_{i,S} P$. $M_{sig}$ obtains (b).
(5) $M_{sig}$ computes $s_i P - r\, e_{i,S} P$ from (b) and (f). Then $M_{sig}$ obtains (d).
(6) From (d), $M_{sig}$ obtains (e).
(7) $M_{sig}$ knows the contents of the random tape of $\hat{A}$ because in (2) $M_{sig}$ behaves in the same way as $\hat{A}$ does.
Therefore, $M_{sig}$ can compute $\mathrm{view}_{sig}(\hat{A}, Q, h(m), r, s)$ with the same probability as $\mathrm{VIEW}_{sig}(\hat{A}, Q, h(m), r, s)$.

5.3 Unforgeability
Let $D_1$ denote the digital signature scheme of subsection 3.1 and $D_2$ denote the proposed (k, n) threshold digital signature scheme of subsection 4.1. In this section, we show that $D_2$ is as secure as $D_1$ against chosen message attack. In a chosen message attack against a digital signature scheme, an adversary $A_1$ is allowed to use a signer as an oracle. He tries to forge a signature after getting signatures from the signer on messages of his own choice. If there is no probabilistic polynomial time algorithm $A_1$ that can forge a signature in this way, we say that the signature scheme is secure against chosen message attack. For a (k, n) threshold digital signature scheme, we assume k-1 or fewer signers deviating from the protocol in an arbitrary way. This is formalized by means of a probabilistic polynomial time adversary $A_2$ which corrupts up to k-1 signers. We define a chosen message attack against our (k, n) threshold digital signature as follows. An adversary $A_2$ is allowed to have the signature issuing protocol executed by any k signers on messages of his own choice. $A_2$ tries to forge a signature from the signatures he obtained in this way and his view, where the view is everything that $A_2$ sees in executing the key generation protocol and the signature issuing protocol.

Definition 5.5: Let $A_1$ be a probabilistic polynomial time Turing machine which can use a signer of $D_1$ as an oracle. We denote by $A_1(E, P, Q)$ the random variable that takes the value $(m_1, m_2, \ldots, (\hat{m}, \hat{r}, \hat{s}))$ with the same probability that $A_1$ on input (E, P, Q) queries $(m_1, m_2, \ldots)$ to the signer and finally outputs $(\hat{m}, \hat{r}, \hat{s})$, where the probability is taken over the coin tosses of $A_1$ and the signer.

Definition 5.6: Let $A_2$ be a probabilistic polynomial time Turing machine which can corrupt up to k-1 signers of $D_2$. $A_2$ can have the signature issuing protocol executed by any k signers. We denote by $A_2(E, P, Q)$ the random variable that takes the value $(m_1, m_2, \ldots, (\hat{m}, \hat{r}, \hat{s}))$ with the same probability that $A_2$ on input (E, P) queries $(m_1, m_2, \ldots)$ to the signature issuing protocol and finally outputs $(\hat{m}, \hat{r}, \hat{s})$ under the condition that the key generation protocol outputs Q, where the probability is taken over the coin tosses of $A_2$ and the signers.

Theorem 5.7: For any adversary $A_1$ against $D_1$, there exists an adversary $A_2$ against $D_2$ such that
$$\Pr[A_2(E, P, Q) = (m_1, m_2, \ldots, (\hat{m}, \hat{r}, \hat{s}))] = \Pr[A_1(E, P, Q) = (m_1, m_2, \ldots, (\hat{m}, \hat{r}, \hat{s}))]$$
for any public key (E, P, Q) and any $(m_1, m_2, \ldots, (\hat{m}, \hat{r}, \hat{s}))$.
Proof: Suppose that the key generation protocol of $D_2$ outputs Q. $A_2$ provides $A_1$ with (E, P, Q) and the content of the random tape of $A_1$. Then, $A_2$ runs $A_1$. If $A_1$ requests a signature for a message $m_i$, $A_2$ obtains the signature $(r_i, s_i)$ for $m_i$ from $P_1, \ldots, P_k$. Then, $A_2$ feeds $(r_i, s_i)$ to $A_1$. Thus, $A_1$ can do his chosen message attack. $A_2$ outputs $(\hat{m}, \hat{r}, \hat{s})$ if and only if $A_1$ outputs $(\hat{m}, \hat{r}, \hat{s})$. Now, it is clear that the equation holds.

Theorem 5.8: For any adversary $A_2$ against $D_2$, there exists an adversary $A_1$ against $D_1$ such that
$$\Pr[A_1(E, P, Q) = (m_1, m_2, \ldots, (\hat{m}, \hat{r}, \hat{s}))] = \Pr[A_2(E, P, Q) = (m_1, m_2, \ldots, (\hat{m}, \hat{r}, \hat{s}))]$$
for any public key (E, P, Q) and any $(m_1, m_2, \ldots, (\hat{m}, \hat{r}, \hat{s}))$.
Proof:

$A_1$ provides $A_2$ with (E, P, Q) and the content of the random tape of $A_2$. By using M of Lemma 5.2, $A_1$ generates $\mathrm{view}(A_2, E, P, Q)$ of the key generation protocol and feeds it to $A_2$. Next, $A_1$ runs $A_2$. If $A_2$ requests a signature for a message $m_i$, $A_1$ obtains the signature $(r_i, s_i)$ for $m_i$ from the oracle and feeds $(r_i, s_i)$ to $A_2$. Then, by using $M_{sig}$ of Lemma 5.4, $A_2$ can obtain the whole view and do his chosen message attack. $A_1$ outputs $(\hat{m}, \hat{r}, \hat{s})$ if and only if $A_2$ outputs $(\hat{m}, \hat{r}, \hat{s})$. Now, it is clear that the equation holds.

6 APPLICATION
In this section, we show some applications of the proposed scheme, namely a (k, n) threshold signature scheme with encryption and a (k, n) threshold decryption scheme.

6.1 Sign-encryption
We use sign-encryption (for an ordinary single signature) as below. By this sign-encryption, we can reduce the data size of the encrypted message with its signature. Let $d_s$ and $Q_s$ ($= d_s P$) be the key pair of the signer, and $d_v$ and $Q_v$ ($= d_v P$) be the key pair of the verifier.

SIGNATURE ISSUING WITH ENCRYPTION
Step 1: Generate a random number k ($1 \le k \le q-1$).
Step 2: Compute $(x, y) = kP$ and $(x_e, y_e) = k Q_v$.
Step 3: Compute $r = x - h(m) \pmod q$ and $s = d_s r + k \pmod q$.
Step 4: Encrypt the message m by a common key cipher using $x_e$ as the key.
Step 5: Send (r, s) with the encrypted message m' to the verifier.

SIGNATURE VERIFICATION WITH DECRYPTION
Step 1: Compute $(x', y') = sP - r Q_s$.
Step 2: Compute $(x_d, y_d) = d_v (x', y')$.
Step 3: Decrypt the encrypted message m' by the common key cipher using $x_d$ as the key.
Step 4: For the recovered message m'', verify

$x' = r + h(m'') \pmod q$. If it is false, output "invalid". Otherwise, output "valid".

6.2 (k, n) signature issuing and decryption with sign-encryption
In this subsection, we show the proposed (k, n) signature scheme with the sign-encryption described above, and (k, n) decryption at the verifier.

KEY GENERATION PROTOCOL FOR SIGNER
Step 1: $P_1, \ldots, P_n$ execute PROTOCOL RANDOM NUMBER. Let the secret output of $P_i$ be $s_i$ and the public output be $Q$ ($= dP$) and $Q_i$ ($= s_i P$) ($1 \le i \le n$). Q is the public key for the group $P_1, \ldots, P_n$.

KEY GENERATION PROTOCOL FOR VERIFIER
Step 1: $P'_1, \ldots, P'_n$ execute PROTOCOL RANDOM NUMBER. Let the secret output of $P'_i$ be $s'_i$ and the public output be $Q'$ ($= d' P$) and $Q'_i$ ($= s'_i P$) ($1 \le i \le n$). $Q'$ is the public key for the group $P'_1, \ldots, P'_n$.

SIGNATURE ISSUING WITH ENCRYPTION PROTOCOL
Step 1: Choose k signers $P_{h_1}, \ldots, P_{h_k}$, let $S = \{h_1, \ldots, h_k\}$ and let the subset B of signers be $\{P_i \mid i \in S\}$.
Step 2: Each signer $P_i$ ($i \in S$) computes $e_{i,S} = a_{i,S}\, s_i$ (with $s_i$ the secret output of key generation), where $a_{i,S} = \prod_{h \in S,\, h \neq i} \frac{h}{h - i}$.
Step 3: Each signer $P_i$ ($i \in S$) generates a random number $k_i$ ($1 \le k_i \le q-1$).
Step 4: Each signer $P_i$ ($i \in S$) computes $R_i = k_i P$ and $T_i = k_i Q'$ and broadcasts them.
Step 5: Each signer $P_i$ ($i \in S$) computes

$(x, y) = \sum_{h \in S} R_h$.
Step 6: Each signer $P_i$ ($i \in S$) computes $r = x - h(m) \pmod q$ and the partial signature $s_i = e_{i,S}\, r + k_i \pmod q$, and broadcasts these.
Step 7: Each signer $P_i$ ($i \in S$) verifies $R_j = s_j P - r\, a_{j,S} Q_j$ for all $j$ ($\neq i$) $\in S$. If this is false, reject $P_j$ and stop.
Step 8: Each signer $P_i$ ($i \in S$) computes $s = \sum_{j \in S} s_j$ and $(x', y') = \sum_{h \in S} T_h$, then encrypts m by a common key cipher using $x'$ as the key and broadcasts the encrypted message m' with (r, s) as the digital signature.

SIGNATURE VERIFICATION WITH DECRYPTION PROTOCOL
Step 1: Choose k verifiers $P'_{h_1}, \ldots, P'_{h_k}$, let $S' = \{h_1, \ldots, h_k\}$ and let the subset B' of verifiers be $\{P'_i \mid i \in S'\}$.
Step 2: Each verifier $P'_i$ ($i \in S'$) computes $e'_{i,S'} = a_{i,S'}\, s'_i$, where $a_{i,S'} = \prod_{h \in S',\, h \neq i} \frac{h}{h - i}$.
Step 3: Each verifier $P'_i$ ($i \in S'$) computes $(x', y') = sP - rQ$.
Step 4: Each verifier $P'_i$ ($i \in S'$) computes $R'_i = e'_{i,S'} (x', y')$ and broadcasts it.
Step 5: Each verifier $P'_i$ ($i \in S'$) computes $(x_d, y_d) = \sum_{h \in S'} R'_h$ and broadcasts it.

Step 6: Decrypt the encrypted message m' by the common key cipher using $x_d$ as the key.
Step 7: For the recovered message m'', verify $x' = r + h(m'') \pmod q$. If it is false, output "invalid". Otherwise, output "valid".

7 PATENT INFORMATION
Hitachi has a patent application relating to the proposed scheme.

8 CONCLUSION
We have shown an efficient (k, n) threshold digital signature scheme with no trusted center. It is more efficient than the PK scheme [PK96], i.e. in the signature issuing protocol it has lower communication complexity and needs no secure communication path. And it is as secure as the Nyberg-Rueppel signature scheme or the variant of the ElGamal signature scheme against chosen message attack.

REFERENCES
[Bon97] D. Boneh, R. A. DeMillo and R. J. Lipton, "On the Importance of Checking Cryptographic Protocols for Faults," Eurocrypt '97, May 1997.
[DF89] Y. Desmedt and Y. Frankel, "Threshold Cryptosystem," in Proc. of Crypto '89, Lecture Notes in Computer Science, LNCS 435, Springer-Verlag, pp. 307-315, 1990.
[DF91] Y. Desmedt and Y. Frankel, "Shared Generation of Authenticators and Signatures," in Proc. of Crypto '91, Lecture Notes in Computer Science, LNCS 576, Springer-Verlag, 1991.
[Fel87] Feldman, "A Practical Scheme for Non-Interactive Verifiable Secret Sharing," in Proc. of the 28th IEEE Symposium on Foundations of Computer Science, 1987.
[Hwa90] T. Hwang, "Cryptosystem for Group Oriented Cryptography," in Proc. of Eurocrypt '90, Lecture Notes in Computer Science, LNCS 473, Springer-Verlag, 1991.
[Per91-1] T. P. Pedersen, "Distributed Provers with Applications to Undeniable Signatures," in Proc. of Eurocrypt '91, Lecture Notes in Computer Science, LNCS 547, Springer-Verlag, pp. 221-238, 1991.
[Per91-2] T. P. Pedersen, "A Threshold Cryptosystem without a Trusted Party," in Proc. of Eurocrypt '91, Lecture Notes in Computer Science, LNCS 547, Springer-Verlag, 1991.
[PK96] C. Park and K. Kurosawa, "New ElGamal Type Threshold Digital Signature Scheme," IEICE Trans. Fundamentals, E79-A(1):86-93, January 1996.
[Sha79] A. Shamir, "How to Share a Secret," Communications of the ACM, vol. 22,

no. 11, pp. 612-613, 1979.


Round Efficient Unconditionally Secure Multiparty Computation Protocol

Round Efficient Unconditionally Secure Multiparty Computation Protocol Round Effcent Uncondtonally Secure Multparty Computaton Protocol Arpta Patra Ashsh Choudhary C. Pandu Rangan Department of Computer Scence and Engneerng Indan Insttute of Technology Madras Chenna Inda

More information

An Efficient Certificate-based Verifiable Encrypted Signature Scheme Without Pairings

An Efficient Certificate-based Verifiable Encrypted Signature Scheme Without Pairings Send Orders for Reprnts to reprnts@benthamscence.ae The Open Cybernetcs & Systemcs Journal, 014, 8, 39-47 39 Open ccess n Effcent Certfcate-based Verfable Encrypted Sgnature Scheme Wthout Parngs Rufen

More information

Communication Complexity 16:198: February Lecture 4. x ij y ij

Communication Complexity 16:198: February Lecture 4. x ij y ij Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc

More information

Secure and practical identity-based encryption

Secure and practical identity-based encryption Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares Publshed n Theoretcal Computer Scence, 645: 24, 206 Born and rased dstrbutvely: Fully dstrbuted non-nteractve adaptvely-secure threshold sgnatures wth short shares Benoît Lbert Ecole Normale Supéreure

More information

Practical and Secure Solutions for Integer Comparison (Extended Abstract)

Practical and Secure Solutions for Integer Comparison (Extended Abstract) Practcal and Secure Solutons for Integer Comparson (Extended Abstract) Juan Garay 1, erry Schoenmakers 2, and José Vllegas 2 1 ell Labs Lucent Technologes, 600 Mountan Ave., Murray Hll, NJ 07974 garay@research.bell-labs.com

More information

Using T.O.M to Estimate Parameter of distributions that have not Single Exponential Family

Using T.O.M to Estimate Parameter of distributions that have not Single Exponential Family IOSR Journal of Mathematcs IOSR-JM) ISSN: 2278-5728. Volume 3, Issue 3 Sep-Oct. 202), PP 44-48 www.osrjournals.org Usng T.O.M to Estmate Parameter of dstrbutons that have not Sngle Exponental Famly Jubran

More information

NUMERICAL DIFFERENTIATION

NUMERICAL DIFFERENTIATION NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the

More information

Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities

Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities Enhanced Prvacy ID: A Drect Anonymous Attestaton Scheme wth Enhanced Revocaton Capabltes Erne Brckell Intel Corporaton erne.brckell@ntel.com Jangtao L Intel Corporaton jangtao.l@ntel.com August 17, 2007

More information

Digital Signatures. p1.

Digital Signatures. p1. Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message

More information

arxiv: v2 [cs.cr] 29 Sep 2016

arxiv: v2 [cs.cr] 29 Sep 2016 Internatonal Journal of Bfurcaton and Chaos c World Scentfc Publshng Company Breakng a chaotc mage encrypton algorthm based on modulo addton and XOR operaton arxv:107.6536v [cs.cr] 9 Sep 016 Chengqng L

More information

Practical and Secure Solutions for Integer Comparison

Practical and Secure Solutions for Integer Comparison Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2,andJosé Vllegas 2 1 ell Labs Alcatel-Lucent, 600 Mountan Ave., Murray Hll, NJ 07974 garay@research.bell-labs.com 2 Dept.

More information

Calculation of time complexity (3%)

Calculation of time complexity (3%) Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add

More information

A New Biometric Identity Based Encryption Scheme

A New Biometric Identity Based Encryption Scheme NEYIRE DENIZ SARIER (2008). A New Bometrc Identty Based Encrypton Scheme. In Techncal Sessons for 2008 Internatonal Symposum on Trusted Computng (TrustCom 2008) n Proceedngs of the 9th Internatonal Conference

More information

On a CCA2-secure variant of McEliece in the standard model

On a CCA2-secure variant of McEliece in the standard model On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton

More information

18.1 Introduction and Recap

18.1 Introduction and Recap CS787: Advanced Algorthms Scrbe: Pryananda Shenoy and Shjn Kong Lecturer: Shuch Chawla Topc: Streamng Algorthmscontnued) Date: 0/26/2007 We contnue talng about streamng algorthms n ths lecture, ncludng

More information

Anonymous identity-based broadcast encryption with revocation for file sharing

Anonymous identity-based broadcast encryption with revocation for file sharing Unversty of Wollongong Research Onlne Faculty of Engneerng and Informaton Scences - Papers: Part A Faculty of Engneerng and Informaton Scences 2016 Anonymous dentty-based broadcast encrypton wth revocaton

More information

Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm

Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm www.ijcsi.org 110 Cryptanalyss of a Publc-key Cryptosystem Usng Lattce Bass Reducton Algorthm Roohallah Rastagh 1, Hamd R. Dall Oskoue 2 1,2 Department of Electrcal Engneerng, Aeronautcal Unversty of Snce

More information

Recover plaintext attack to block ciphers

Recover plaintext attack to block ciphers Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh

More information

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing Anonymous Identty-Based Broadcast Encrypton wth Revocaton for Fle Sharng Janchang La, Y Mu, Fuchun Guo, Wlly Suslo, and Rongmao Chen Centre for Computer and Informaton Securty Research, School of Computng

More information

Lecture 5, October 8. DES System (Modification)

Lecture 5, October 8. DES System (Modification) Lecture 5, October 8. 10/10/01 Gene Tsudk, ICS 268 Fall 2001 1 Encrypton Process 64 Bt Plantext Intal Permutaton 32 Bt L0 32 Bt R0 + F(R0,K1) DES System (Modfcaton) Festel Network Buldng Block Key Schedule

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM Alexandros Papankolaou and Song Y. Yan Department of Computer Scence, Aston Unversty, Brmngham B4 7ET, UK 24 October 2000, Receved 26 June 2001 Abstract

More information

Round and Communication Efficient Unconditionally-secure MPC with t < n/3 in Partially Synchronous Network

Round and Communication Efficient Unconditionally-secure MPC with t < n/3 in Partially Synchronous Network Round and Communcaton Effcent Uncondtonally-secure MPC wth t < n/3 n Partally Synchronous Network Ashsh Choudhury Arpta Patra Dvya Rav Abstract In ths work, we study uncondtonally-secure mult-party computaton

More information

Separable Linkable Threshold Ring Signatures

Separable Linkable Threshold Ring Signatures Separable Lnkable Threshold Rng Sgnatures Patrck P. Tsang 1, Vctor K. We 1, Tony K. Chan 1, Man Ho Au 1, Joseph K. Lu 1, and Duncan S. Wong 2 1 Department of Informaton Engneerng The Chnese Unversty of

More information

Cryptanalysis of Threshold-Multisignature Schemes

Cryptanalysis of Threshold-Multisignature Schemes Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:

More information

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector

More information

Leakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage

Leakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage Leakage-Reslent Identfcaton Schemes from Zero-Knowledge Proofs of Storage Guseppe Atenese Sapenza, Unversty of Rome atenese@d.unroma1.t Antono Faono Aarhus Unversty antfa@cs.au.dk Seny Kamara Mcrosoft

More information

Hardening the ElGamal Cryptosystem in the Setting of the Second Group of Units

Hardening the ElGamal Cryptosystem in the Setting of the Second Group of Units 54 The Internatonal Arab Journal of Informaton Technology, Vol., o. 5, September 204 Hardenng the ElGamal Cryptosystem n the Settng of the Second Group of Unts Ramz Haraty, Abdulasser ElKassar, and Suzan

More information

Strongly Unforgeable Proxy Re-Signature Schemes in the Standard model

Strongly Unforgeable Proxy Re-Signature Schemes in the Standard model Strongly Unforgeable Proxy Re-Sgnature Schemes n the Standard model No Author Gven No Insttute Gven Abstract. Proxy re-sgnatures are generally used for the delegaton of sgnng rghts of a user delegator

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

Post-quantum Key Exchange Protocol Using High Dimensional Matrix

Post-quantum Key Exchange Protocol Using High Dimensional Matrix Post-quantum Key Exchange Protocol Usng Hgh Dmensonal Matrx Rchard Megrelshvl I. J. Tbls State Unversty rchard.megrelshvl@tsu.ge Melksadeg Jnkhadze Akak Tseretel State Unversty Kutas, Georga mn@yahoo.com

More information

Security Vulnerability in Identity-Based Public Key Cryptosystems from Pairings

Security Vulnerability in Identity-Based Public Key Cryptosystems from Pairings Internatonal Journal of Informaton and Educaton Technology Vol No 4 August 0 Securty Vulnerablty n Identty-Based ublc Key Cryptosystems from arngs Jyh-aw Yeh Abstract Many dentty-based lc key cryptosystems

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

Homomorphic Trapdoor Commitments to Group Elements

Homomorphic Trapdoor Commitments to Group Elements Homomorphc Trapdoor Commtments to Group Elements Jens Groth Unversty College London j.groth@ucl.ac.uk Abstract We present homomorphc trapdoor commtments to group elements. In contrast, prevous homomorphc

More information

Analysis and Design of Multiple Threshold Changeable Secret Sharing Schemes

Analysis and Design of Multiple Threshold Changeable Secret Sharing Schemes Analyss and Desgn of Multple Threshold Changeable Secret Sharng Schemes Tancheng Lou 1 and Chrstophe Tartary 1,2 1 Insttute for Theoretcal Computer Scence Tsnghua Unversty Bejng, 100084 People s Republc

More information

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number

More information

The Key-Dependent Attack on Block Ciphers

The Key-Dependent Attack on Block Ciphers The Key-Dependent Attack on Block Cphers Xaoru Sun and Xueja La Department of Computer Scence Shangha Jao Tong Unversty Shangha, 200240, Chna sunsrus@sjtu.edu.cn, la-xj@cs.sjtu.edu.cn Abstract. In ths

More information

Use of Sparse and/or Complex Exponents in Batch Verification of Exponentiations

Use of Sparse and/or Complex Exponents in Batch Verification of Exponentiations Use of Sparse and/or Complex Exponents n Batch Verfcaton of Exponentatons Jung Hee Cheon 1 and Dong Hoon Lee 2 1 Department of Mathematcs, Seoul Natonal Unversty jhcheon@math.snu.ac.kr, 2 Natonal Securty

More information

Aggregate Message Authentication Codes

Aggregate Message Authentication Codes Aggregate Message Authentcaton Codes Jonathan Katz Dept. of Computer Scence Unversty of Maryland, USA. jkatz@cs.umd.edu Yehuda Lndell Dept. of Computer Scence Bar-Ilan Unversty, Israel. lndell@cs.bu.ac.l.

More information

Notes on Frequency Estimation in Data Streams

Notes on Frequency Estimation in Data Streams Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

Further Lower Bounds for Structure-Preserving Signatures in Asymmetric Bilinear Groups

Further Lower Bounds for Structure-Preserving Signatures in Asymmetric Bilinear Groups Further Lower Bounds for Structure-Preservng Sgnatures n Asymmetrc Blnear Groups Essam Ghadaf Unversty of the West of England, Brstol, UK essam.ghadaf@gmal.com Abstract. Structure-Preservng Sgnatures (SPSs

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4) I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

ECE559VV Project Report

ECE559VV Project Report ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUM-RATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sum-rate

More information

The Order Relation and Trace Inequalities for. Hermitian Operators

The Order Relation and Trace Inequalities for. Hermitian Operators Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence

More information

Power law and dimension of the maximum value for belief distribution with the max Deng entropy

Power law and dimension of the maximum value for belief distribution with the max Deng entropy Power law and dmenson of the maxmum value for belef dstrbuton wth the max Deng entropy Bngy Kang a, a College of Informaton Engneerng, Northwest A&F Unversty, Yanglng, Shaanx, 712100, Chna. Abstract Deng

More information

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution Department of Statstcs Unversty of Toronto STA35HS / HS Desgn and Analyss of Experments Term Test - Wnter - Soluton February, Last Name: Frst Name: Student Number: Instructons: Tme: hours. Ads: a non-programmable

More information

Finding Dense Subgraphs in G(n, 1/2)

Finding Dense Subgraphs in G(n, 1/2) Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

Learning Theory: Lecture Notes

Learning Theory: Lecture Notes Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be

More information

DIFFERENTIAL FORMS BRIAN OSSERMAN

DIFFERENTIAL FORMS BRIAN OSSERMAN DIFFERENTIAL FORMS BRIAN OSSERMAN Dfferentals are an mportant topc n algebrac geometry, allowng the use of some classcal geometrc arguments n the context of varetes over any feld. We wll use them to defne

More information

The Expectation-Maximization Algorithm

The Expectation-Maximization Algorithm The Expectaton-Maxmaton Algorthm Charles Elan elan@cs.ucsd.edu November 16, 2007 Ths chapter explans the EM algorthm at multple levels of generalty. Secton 1 gves the standard hgh-level verson of the algorthm.

More information

A Commitment-Consistent Proof of a Shuffle

A Commitment-Consistent Proof of a Shuffle A Commtment-Consstent Proof of a Shuffle Douglas Wkström CSC KTH Stockholm, Sweden dog@csc.kth.se Aprl 2, 2011 Abstract We ntroduce a pre-computaton technque that drastcally reduces the onlne computatonal

More information

Multilayer Perceptron (MLP)

Multilayer Perceptron (MLP) Multlayer Perceptron (MLP) Seungjn Cho Department of Computer Scence and Engneerng Pohang Unversty of Scence and Technology 77 Cheongam-ro, Nam-gu, Pohang 37673, Korea seungjn@postech.ac.kr 1 / 20 Outlne

More information

Research on State Collisions of Authenticated Cipher ACORN

Research on State Collisions of Authenticated Cipher ACORN 4th Internatonal Conference on Sensors, Measurement and Intellgent Materals (ICSMIM 2015) Research on State Collsons of Authentcated Cpher ACORN Pe Zhanga*, Je Guanb, Junzh Lc and Tarong Shd Informaton

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Chapter 13: Multiple Regression

Chapter 13: Multiple Regression Chapter 13: Multple Regresson 13.1 Developng the multple-regresson Model The general model can be descrbed as: It smplfes for two ndependent varables: The sample ft parameter b 0, b 1, and b are used to

More information

Password Based Key Exchange With Mutual Authentication

Password Based Key Exchange With Mutual Authentication Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca

More information

Maximizing the number of nonnegative subsets

Maximizing the number of nonnegative subsets Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum

More information

Comparison of the Population Variance Estimators. of 2-Parameter Exponential Distribution Based on. Multiple Criteria Decision Making Method

Comparison of the Population Variance Estimators. of 2-Parameter Exponential Distribution Based on. Multiple Criteria Decision Making Method Appled Mathematcal Scences, Vol. 7, 0, no. 47, 07-0 HIARI Ltd, www.m-hkar.com Comparson of the Populaton Varance Estmators of -Parameter Exponental Dstrbuton Based on Multple Crtera Decson Makng Method

More information

a b a In case b 0, a being divisible by b is the same as to say that

a b a In case b 0, a being divisible by b is the same as to say that Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

Classical Encryption and Authentication under Quantum Attacks

Classical Encryption and Authentication under Quantum Attacks Classcal Encrypton and Authentcaton under Quantum Attacks arxv:1307.3753v1 [cs.cr] 14 Jul 2013 Mara Velema July 12, 2013 Abstract Post-quantum cryptography studes the securty of classcal,.e. non-quantum

More information

Optimal Extension Protocols for Byzantine Broadcast and Agreement

Optimal Extension Protocols for Byzantine Broadcast and Agreement Optmal Extenson Protocols for Byzantne Broadcast and Agreement Chaya Ganesh 1 and Arpta Patra 2 1 Department of Computer Scence, New York Unversty ganesh@cs.nyu.edu 2 Department of Computer Scence & Automaton,

More information

Cryptanalysis of Some Double-Block-Length Hash Modes of Block Ciphers with n-bit Block and n-bit Key

Cryptanalysis of Some Double-Block-Length Hash Modes of Block Ciphers with n-bit Block and n-bit Key Cryptanalyss of Some Double-Block-Length Hash Modes of Block Cphers wth n-bt Block and n-bt Key Deukjo Hong and Daesung Kwon Abstract In ths paper, we make attacks on DBL (Double-Block-Length) hash modes

More information

Lecture Space-Bounded Derandomization

Lecture Space-Bounded Derandomization Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.65/15.070J Fall 013 Lecture 1 10/1/013 Martngale Concentraton Inequaltes and Applcatons Content. 1. Exponental concentraton for martngales wth bounded ncrements.

More information

The Improved Montgomery Scalar Multiplication Algorithm with DPA Resistance Yanqi Xu, Lin Chen, Moran Li

The Improved Montgomery Scalar Multiplication Algorithm with DPA Resistance Yanqi Xu, Lin Chen, Moran Li nd Internatonal Conference on Electrcal, Computer Engneerng and Electroncs (ICECEE 015) The Improved Montgomery Scalar Multplcaton Algorthm wth DPA Resstance Yanq Xu, Ln Chen, Moran L Informaton Scence

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information