New ElGamal Type Threshold Digital Signature Scheme

Choonsik Park (Electronics and Telecommunications Research Institute, P.O. Box 106, Yusong-ku, Taejeon, Korea) and Kaoru Kurosawa (Tokyo Institute of Technology, 2-12-1 O-okayama, Meguro-ku, Tokyo 152, Japan; kkurosaw@ss.titech.ac.jp)

Abstract

In a (k, n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an efficient (k, n) threshold ElGamal type digital signature scheme with no trusted center. We first present a variant of the ElGamal type digital signature scheme which requires only a linear combination of two shared secrets when applied to the (k, n)-threshold scenario. More precisely, it is a variant of the Digital Signature Standard (DSS) which was recommended by the U.S. National Institute of Standards and Technology (NIST). We consider it meaningful to develop an efficient (k, n)-threshold digital signature scheme for DSS. The proposed (k, n) threshold digital signature scheme is proved to be as secure as the proposed variant of DSS against chosen message attack.

1 Introduction

The notion of group oriented cryptography was introduced by Desmedt [1]. In a group oriented public key cryptosystem (or a group oriented digital signature scheme), the receiver/signer is a group of n members. Since then, this notion has been studied by many researchers.

By using a general multiparty protocol [2], Desmedt [1] showed that a t-resilient public key cryptosystem (t < n/2) with no trusted center is obtained such that (1) n members can decrypt a ciphertext even if there are t dishonest members (the secret key will never be calculated by the group, though), and (2) any t dishonest members cannot decrypt any ciphertext. This scheme is, however, completely impractical and interactive. Frankel [3] showed a different but more efficient group oriented RSA type public key cryptosystem by using trusted clerks. Desmedt and Frankel [4] showed an efficient (k, n) threshold ElGamal type public key cryptosystem such that (1) k out of n members must cooperate to decrypt a ciphertext, and (2) any k-1 dishonest members cannot decrypt any ciphertext. This system requires a trusted center. Hwang [5] and then Pedersen [6] showed that the trusted center can be eliminated. In the system of Hwang [5], however, the size of the group public key is much larger than that of Desmedt and Frankel [4] because each member publishes his own public key. In the system of Pedersen [6], the public key is as small as that of Desmedt and Frankel [4]. Pedersen's system makes use of a noninteractive verifiable secret sharing scheme [7].

Similarly, t-resilient digital signature schemes and (k, n)-threshold digital signature schemes are defined. In a t-resilient digital signature scheme, (1) n members can issue a signature even if there are t dishonest members (the secret key will never be calculated by the group, though), and (2) any t dishonest members cannot forge a signature. In a (k, n)-threshold digital signature scheme, (1) k out of n members must cooperate to issue a signature, and (2) any k-1 dishonest members cannot forge a signature. Desmedt and Frankel [8] showed a (k, n) threshold RSA type digital signature scheme which requires a trusted center. As for group public key cryptosystems, Desmedt [1] showed that a t-resilient digital signature scheme with no trusted center is obtained for any digital signature scheme by using a general purpose multiparty protocol [2]. Cerecedo, Matsumoto and Imai (CMI) [9] showed an efficient t-resilient digital signature scheme with no trusted center (t < n/2) for Schnorr's scheme [10]. An efficient multiparty protocol is known for linear combinations [11], but not for multiplications. The CMI scheme for Schnorr's scheme is efficient because Schnorr's scheme requires only a linear combination of two shared secrets. On the other hand, the ElGamal digital signature scheme [12] requires a multiplication and a division as well as a linear combination. CMI [9] showed an efficient multiplication protocol for t < n/3 which works under a certain condition and suggested applying it to the ElGamal scheme and two variants of the ElGamal scheme [13, 14].
Clearly, no matter how efficient the multiplication protocol is, their ElGamal type schemes are not as efficient as their Schnorr scheme, because the ElGamal type schemes require a multiplication and a division as well as a linear combination. Actually, their ElGamal type schemes are more complicated than is claimed in [9]:

1. As a division protocol, CMI used a multiparty protocol of [15]. The division protocol involves a multiplication protocol (see 4.3 of [9]). An ElGamal digital signature requires a division and a multiplication in sequence. Therefore, it requires two multiplications in sequence. On the other hand, the efficient CMI multiplication protocol for t < n/3 works for just one multiplication, not more.

2. For t < n/2, the local products of pieces must be reshared (see [9]). Beaver called this problem the ABC problem and solved it (see 5.3 and 5.4 of [16]). His protocol is, however, still very complicated.

After a preliminary version of CMI [17], Katoh, Hirose, Minoh and Ikeda (KHMI) [18] showed a group oriented digital signature scheme for the ElGamal scheme. This scheme also requires a multiplication and a division. In any case, previous ElGamal type group oriented digital signature schemes are more complicated than the CMI scheme for Schnorr's scheme because they require a multiplication and a division.

In this paper, we show an efficient (k, n) threshold ElGamal type digital signature scheme with no multiplication, no division and no trusted center. We first present a variant of the ElGamal type digital signature scheme which requires only a linear combination of two shared secrets when applied to the (k, n)-threshold scenario. More precisely, it is a variant of the Digital Signature Standard (DSS) [14] which was recommended by the U.S. National Institute of Standards and Technology (NIST). We consider it meaningful to develop an efficient (k, n)-threshold digital signature scheme for DSS.

The proposed (k, n)-threshold digital signature scheme consists of two protocols, a key generation protocol and a signature issuing protocol. In the key generation protocol, each member of the group (each signer) first broadcasts k|p| bits and then sends (n-1)|q| bits secretly, where the discrete logarithm problem is considered modulo p and q is a large prime which divides p-1. In the signature issuing protocol, each signer broadcasts k|p| bits, sends (k-1)|q| bits secretly and then broadcasts |q| bits. Thus, our scheme is as efficient as the CMI scheme for Schnorr's scheme. Further, the proposed (k, n) threshold digital signature scheme is proved to be as secure as the proposed variant of DSS against chosen message attack.

Recently, some researchers have investigated many variations of the ElGamal signature scheme [19, 20, 21]. Our variant of DSS is related to those variations in some ways.

2 Preliminaries

2.1 Public Parameters

Throughout this paper, p and q are large primes such that q divides p-1, and g generates the subgroup $G_q$ of $Z_p^*$ of order q. It is assumed that p, q and g are publicly known.

2.2 Secret Sharing Scheme

In a (k, n) threshold secret sharing scheme [22], a dealer distributes a secret s to n participants $P_1, \ldots, P_n$ in such a way that (1) any group of fewer than k participants cannot obtain any information about the secret s, and (2) any group of at least k participants can compute the secret s in polynomial time.

Shamir's (k, n) threshold secret sharing scheme [22] is as follows. In order to distribute $s \in Z_q$ among $P_1, \ldots, P_n$ (where n < q), the dealer chooses a random polynomial f over $Z_q$ of degree at most k-1 satisfying f(0) = s. Participant $P_i$ receives $s_i = f(i)$ as his private share. Since there is one and only one polynomial of degree at most k-1 satisfying $f(i) = s_i$ for k values of i, Shamir's scheme satisfies the definition of a (k, n) threshold scheme. Any k participants $P_{i_1}, \ldots, P_{i_k}$ can find f and s by the Lagrange formula:

$$f(u) = \sum_{l=1}^{k} \Big( \prod_{h \ne l} \frac{u - i_h}{i_l - i_h} \Big) f(i_l) = \sum_{l=1}^{k} \Big( \prod_{h \ne l} \frac{u - i_h}{i_l - i_h} \Big) s_{i_l}. \qquad (1)$$

Then

$$s = \sum_{j=1}^{k} a_j s_{i_j} \bmod q, \qquad (2)$$

where $a_1, \ldots, a_k$ are given by

$$a_j = \prod_{h \ne j} \frac{i_h}{i_h - i_j} \bmod q.$$

Each $a_j$ is non-zero and can easily be computed from the public information.

2.3 Verifiable Secret Sharing Scheme

Verifiable secret sharing schemes (VSS) have been developed to prevent cheating by the dealer. In a verifiable secret sharing scheme, each participant can verify his share. Feldman [7] obtained a noninteractive VSS from Shamir secret sharing by using probabilistic encryption. Pedersen [6, 23] presented a noninteractive VSS for the purpose of a (k, n) threshold ElGamal type public key cryptosystem which is very similar to [7] but somewhat simpler. Pedersen's scheme [6, 23] is as follows. Assume the dealer has a secret $s \in Z_q$ and is committed to s through the public information $h = g^s \bmod p$. This secret can be distributed to $P_1, \ldots, P_n$ as follows.

PROTOCOL DISTRIBUTE (at the dealer)
step 1. Choose a random polynomial $f(u) = f_0 + f_1 u + \cdots + f_{k-1} u^{k-1}$ over $Z_q$ of degree k-1 satisfying f(0) = s. Compute $s_i = f(i)$.
step 2. Send $s_i$ secretly to $P_i$ and broadcast $(g^{f_i} \bmod p)_{i=1,\ldots,k-1}$ to all n participants.

Thus the dealer broadcasts k-1 elements of $Z_p$ and secretly sends n elements of $Z_q$.

PROTOCOL VERIFY SHARE (at $P_i$)
step 1. Verify that $g^{s_i} = \prod_{j=0}^{k-1} (g^{f_j})^{i^j} \bmod p$.
step 2. If this is false, broadcast $s_i$ and reject the dealer.
step 3. For each other $s_l$ claimed at step 2, verify that $g^{s_l} = \prod_{j=0}^{k-1} (g^{f_j})^{l^j} \bmod p$. If this holds, reject $P_l$; otherwise, reject the dealer.
step 4. If the dealer is not rejected, accept $s_i$.

Proposition 2.1 [6, 23] Suppose that $y (= g^s \bmod p)$ is publicly known. Then any l ($1 \le l \le k-1$) participants having shares $(s_{i_j})_{j=1,\ldots,l}$ can find, in polynomial time, $(g^{f'_j})_{j=1,\ldots,k-1}$ such that

$$f'(u) = s + f'_1 u + \cdots + f'_{k-1} u^{k-1}, \qquad f'(i_j) = s_{i_j}, \ j = 1, \ldots, l,$$

where f'(u) is a random polynomial.

2.4 Generating a random secret

An efficient multiparty protocol for generating a random number R is known [6, 23]. Suppose that a dealer chooses R at random, publishes $y = g^R \bmod p$ and sends f(i) to $P_i$ secretly for i = 1, ..., n, where f(u) is a random polynomial of degree k-1 such that $f(0) = R \bmod q$. This procedure is simulated by the following protocol without the dealer.

PROTOCOL RANDOM NUMBER (at $P_i$)
step 1. Each $P_i$ chooses $r_i \in Z_q$ at random and broadcasts $y_i = g^{r_i} \bmod p$ to all other participants.
step 2. Each $P_i$ distributes $r_i$ by using PROTOCOL DISTRIBUTE. That is, $P_i$ chooses a random polynomial $f_i(u) = r_i + a_{i,1} u + \cdots + a_{i,k-1} u^{k-1}$ and sends $f_i(j) \bmod q$ to $P_j$ secretly (for all $j \ne i$). $P_i$ also broadcasts $g^{a_{i,1}}, \ldots, g^{a_{i,k-1}} \bmod p$.
step 3. Each $P_i$ executes PROTOCOL VERIFY SHARE.
step 4. Let $H \triangleq \{P_j \mid P_j \text{ is not detected to be cheating at step 3}\}$. $P_i$ computes $s_i \triangleq \sum_{j \in H} f_j(i)$ secretly.
step 5. Every $P_i$ computes

$$y \triangleq \prod_{j \in H} y_j, \qquad \prod_{j \in H} g^{a_{j,1}} \ (= g^{b_1}), \ \ldots, \ \prod_{j \in H} g^{a_{j,k-1}} \ (= g^{b_{k-1}}).$$

Proposition 2.2 [6, 23] In PROTOCOL RANDOM NUMBER, let

$$R \triangleq \sum_{j \in H} r_j, \qquad f(u) \triangleq \sum_{j \in H} f_j(u).$$

Then

$$y = g^R, \qquad f(u) = R + b_1 u + \cdots + b_{k-1} u^{k-1}, \qquad f(i) = s_i.$$
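Subsections 2.2 to 2.4 and Proposition 2.1, as an added worked example (this is not code from the paper): Shamir sharing with the Lagrange reconstruction of eq. (2), the share check of PROTOCOL VERIFY SHARE, the dealer-free PROTOCOL RANDOM NUMBER, and the interpolation in the exponent behind Proposition 2.1 for the case of exactly k-1 known shares. The toy parameters p = 2039, q = 1019, g = 4 and the use of Python's `secrets` module for randomness are our assumptions; a group this small is not secure and serves only to make the arithmetic visible.

```python
# Added example, not from the paper. Toy parameters (assumption): p = 2039 and
# q = 1019 are primes with q | p-1, and g = 4 generates the order-q subgroup G_q.
import secrets

P, Q, G = 2039, 1019, 4


def distribute(secret, k, n):
    """PROTOCOL DISTRIBUTE: random f of degree k-1 with f(0) = secret.
    Returns the shares {i: f(i)} and the commitments [g^f_0, ..., g^f_{k-1}]."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(k - 1)]
    shares = {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return shares, [pow(G, c, P) for c in coeffs]


def verify_share(i, s_i, commitments):
    """PROTOCOL VERIFY SHARE, step 1: g^{s_i} == prod_j (g^{f_j})^{i^j} mod p."""
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return pow(G, s_i, P) == rhs


def lagrange_coeffs(indices):
    """a_j = prod_{h != j} i_h / (i_h - i_j) mod q (eq. 2); every a_j is non-zero."""
    coeffs = {}
    for j in indices:
        num = den = 1
        for h in indices:
            if h != j:
                num, den = num * h % Q, den * (h - j) % Q
        coeffs[j] = num * pow(den, -1, Q) % Q
    return coeffs


def reconstruct(shares):
    """s = sum_j a_j s_{i_j} mod q from any k shares {i: s_i}."""
    a = lagrange_coeffs(list(shares))
    return sum(a[i] * s_i for i, s_i in shares.items()) % Q


def random_number_protocol(k, n):
    """PROTOCOL RANDOM NUMBER with no dealer: each P_j shares its own r_j, players
    whose shares fail verification are dropped (H), and P_i keeps s_i = sum_{j in H} f_j(i).
    Returns the secret outputs {i: s_i} and the public output [y, g^b_1, ..., g^b_{k-1}]."""
    contributions = [distribute(secrets.randbelow(Q), k, n) for _ in range(n)]
    honest = [j for j, (sh, cm) in enumerate(contributions)
              if all(verify_share(i, sh[i], cm) for i in range(1, n + 1))]
    secret_out = {i: sum(contributions[j][0][i] for j in honest) % Q
                  for i in range(1, n + 1)}
    public_out = []
    for l in range(k):                      # l = 0 gives y = prod_j y_j
        acc = 1
        for j in honest:
            acc = acc * contributions[j][1][l] % P
        public_out.append(acc)
    return secret_out, public_out


def poly_mul(a, b):
    """Product of two polynomials over Z_q, coefficients in increasing degree."""
    out = [0] * (len(a) + len(b) - 1)
    for i, a_i in enumerate(a):
        for j, b_j in enumerate(b):
            out[i + j] = (out[i + j] + a_i * b_j) % Q
    return out


def simulate_commitments(y, known, k):
    """Proposition 2.1 with exactly k-1 shares: given only y = g^s and {i: s_i},
    compute (g^{f'_0}, ..., g^{f'_{k-1}}) for the degree-(k-1) f' with f'(0) = s and
    f'(i) = s_i. The coefficients of f' are Z_q-linear in its values at the points
    0, i_1, ..., i_{k-1}, so they can be formed in the exponent without knowing s."""
    points = [0] + list(known)
    values_in_exponent = [y] + [pow(G, known[i], P) for i in known]
    commitments = [1] * k
    for j, u_j in enumerate(points):
        basis = [1]                         # Lagrange basis polynomial L_j(u)
        for u_h in points:
            if u_h != u_j:
                inv = pow((u_j - u_h) % Q, -1, Q)
                basis = poly_mul(basis, [(-u_h * inv) % Q, inv])
        for l, coef in enumerate(basis):    # g^{f'_l} = prod_j (g^{f'(u_j)})^{L_j[l]}
            commitments[l] = commitments[l] * pow(values_in_exponent[j], coef, P) % P
    return commitments
```

With k-1 known shares the polynomial f' is uniquely determined, so `simulate_commitments` returns exactly the commitments the dealer broadcast, although it never sees the secret. This is the step the simulator M of Lemma 5.1 relies on: the public value y plus the k-1 shares of the corrupted players already fix everything they will see, which is why those players learn nothing about the shared secret.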

Definition 2.1 In PROTOCOL RANDOM NUMBER, we say that y is the main output, $(y, g^{b_1}, \ldots, g^{b_{k-1}})$ is the public output, and $s_i$ is the secret output of $P_i$.

3 A variant of DSS

The Digital Signature Standard (DSS) [14] proposed by NIST (the U.S. National Institute of Standards and Technology) is a slight variant of the ElGamal digital signature scheme. In this section, we show a variant of DSS for which an efficient (k, n) threshold digital signature scheme can be designed. Recently, some researchers have investigated many variations of the ElGamal signature scheme [19, 20, 21]. Our variant of DSS is related to those variations in some ways.

3.1 Digital Signature Standard (DSS)

Let h be a one way hash function whose range is {0, ..., q-1}.

Public key: p, q, g, y $(= g^x \bmod p)$ (see subsection 2.1).
Secret key: $x \in Z_q$.
Message: m.
Signature: (r, s) such that

$$r = (g^l \bmod p) \bmod q, \qquad (3)$$
$$s = (h(m) + r x) / l \ (\ne 0) \bmod q, \qquad (4)$$

where $l \in Z_q$ is a random number ($l \ne 0$).
Verification: (r, s) is a valid signature for m if and only if

$$r = (g^{h(m)/s} \, y^{r/s} \bmod p) \bmod q. \qquad (5)$$

3.2 A variant of DSS

Now, we present a variant of DSS. In our variant, the public key and the secret key are the same as those of DSS [14]. Let h be a one way hash function whose range is {1, ..., q-1}.

Public key: p, q, g, y $(= g^x \bmod p)$ (see subsection 2.1).
Secret key: $x \in Z_q$.
Message: m.
Signature: (t, w) such that

$$w = (g^e \bmod p) \bmod q, \qquad (6)$$
$$t = w x + h(m) e \bmod q, \qquad (7)$$

where $e \in Z_q$ is a random number.
Verification: (t, w) is a valid signature for m if and only if

$$w = (g^{t/h(m)} \, y^{-w/h(m)} \bmod p) \bmod q. \qquad (8)$$

The validity of eq. (8) is proved by the following lemma.

Lemma 3.1 $g^e = g^{t/h(m)} \, y^{-w/h(m)} \bmod p$.

(Proof) From eq. (7), $e = t/h(m) - w x/h(m) \bmod q$. Since $y = g^x$, we have $g^{t/h(m)} y^{-w/h(m)} = g^{t/h(m) - wx/h(m)} = g^e \bmod p$. $\Box$

An efficient multiparty protocol is known for linear combinations [11], but not for multiplications. In DSS, suppose that h(m) and r are publicly known constants. Then the right hand side of eq. (4) is not a linear combination of x and l; it requires a division and a multiplication. Therefore, we cannot obtain an efficient (k, n)-threshold digital signature scheme even if a general purpose multiparty protocol is applied. On the contrary, in our scheme, suppose that h(m) and w are publicly known constants. Then the right hand side of eq. (7) is just a linear combination of x and e. Therefore, we can obtain an efficient (k, n)-threshold digital signature scheme, as will be shown in the next section.

Remark 3.1 In [19], Shimbo discussed the security of a variant of the ElGamal signature scheme. He showed that h must be chosen carefully in that variant of ElGamal. However, his discussion cannot be applied to our variant of DSS because q is a prime number in eq. (7). We need only that $h(m) \ne 0 \bmod q$. Remember that the range of our h is defined as {1, ..., q-1}.

4 Proposed threshold digital signature scheme for DSS

In this section, we show an efficient (k, n)-threshold digital signature scheme for DSS by using the scheme developed in subsection 3.2. The public key and signatures are the same as those of subsection 3.2.

4.1 Proposed scheme

The proposed scheme consists of two protocols, a key generation protocol and a signature issuing protocol. Let $P_1, \ldots, P_n$ be the set of signers. In our scheme:
(K1) The key generation protocol requires all n signers to cooperate to generate a public key of the group and a secret key of each $P_i$.
(K2) In the signature issuing protocol, a subset B of signers can issue a signature if B contains k or more honest signers. (Cheaters may be included in B.)
(K3) Any k-1 dishonest signers cannot forge a signature even after polynomially many signatures have been issued.

First, $P_1, \ldots, P_n$ agree on (p, q, g).

Key generation protocol
(step 1) $P_1, \ldots, P_n$ execute PROTOCOL RANDOM NUMBER. Let the public output be

$$y \ (= g^x \bmod p), \ g^{b_1}, \ldots, g^{b_{k-1}} \bmod p$$

and the secret output of $P_i$ be $\alpha_i$.

Then the public verification key of the group is (p, q, g, y). The other public information is $(g^{b_1}, \ldots, g^{b_{k-1}})$; it is used by the signers to issue a signature. The secret key of $P_i$ is $\alpha_i$. From Proposition 2.2,

$$\alpha_i = F_1(i), \quad \text{where } F_1(u) = x + b_1 u + \cdots + b_{k-1} u^{k-1}. \qquad (9)$$

Let

$$H_1 \triangleq \{P_j \mid P_j \text{ is not detected to be cheating at step 1}\}.$$

Signature issuing protocol
Let m be a message and h be a one way hash function. Suppose that $B \subseteq H_1$ issue a signature.
(step 2-1) If |B| < k, stop. Otherwise, B execute PROTOCOL RANDOM NUMBER. Let the public output be

$$v \ (= g^e \bmod p), \ g^{c_1}, \ldots, g^{c_{k-1}} \bmod p$$

and the secret output of $P_i$ be $\beta_i$. Let $w = v \bmod q$. From Proposition 2.2,

$$\beta_i = F_2(i), \quad \text{where } F_2(u) = e + c_1 u + \cdots + c_{k-1} u^{k-1}. \qquad (10)$$

Let

$$H_2 \triangleq \{P_j \mid P_j \in B \text{ and } P_j \text{ is not detected to be cheating at step 2-1}\}.$$

(step 2-2) If $|H_2| < k$, stop. Otherwise, each $P_i \in H_2$ reveals

$$\sigma_i \triangleq w \alpha_i + h(m) \beta_i \bmod q. \qquad (11)$$

(step 2-3) Each $P_i \in H_2$ verifies that, for every l,

$$g^{\sigma_l} = \Big( y \prod_{j=1}^{k-1} (g^{b_j})^{l^j} \Big)^{w} \Big( v \prod_{j=1}^{k-1} (g^{c_j})^{l^j} \Big)^{h(m)} \bmod p.$$

12 Let H3 4 =fp j jp j 2 H2 and P j is not detected to be cheating at step 2-3g: (step 2-4) If jh3j < k, stop. Otherwise, each P i 2 H3 computes t satisfying t = wx + h(m)e mod q (12) by applying Lagrange formula to f i g (see the following lemma). The signature is (t; w). (Remember that w is obtained at step 2-1.) The validity of the signature (t; w) is veried by eq.(8). Lemma 4.1 In the proposed scheme above, let t = wx + h(m)e mod q: Then, for any fp i1 ; ; P ik g 2 H3, ( Proof ) Let t = j=1 kx Y d6=j i d i d? i j ij (13) F3(u) 4 =wf1(u) + h(m)f2(u): (14) Then, from eq.(9), eq.(10) and eq.(11), F3(0) = wf1(0) + h(m)f2(0) = wx + h(m)e = t: (15) F3(i) = wf1(i) + h(m)f2(i) = w i + h(m) i = i : (16) Therefore, by using Lagrange formula (eq.(2)), we see that eq.(13) holds. 2 Remark 4.1 (1) The validity of i is veried at step (2-3) by using eq.(16). (2) Step (2-2), (2-3) and (2-4) are a multiparty protocol of computing eq.(12), where the private input to P i is ( i ; i ). (w; h(m)) are the public constants. Then, eq.(12) is just a \linear combination" of shared secrets x and e. Therefore, we have been able to obtain an ecient (k; n)- threshold digital signature scheme. 12

4.2 Efficiency

In PROTOCOL RANDOM NUMBER, let l denote the number of players. Each player first broadcasts k|p| bits and then sends (l-1)|q| bits secretly. Now, the communication complexity of the proposed (k, n) threshold scheme is analyzed as follows. In the key generation protocol, each signer first broadcasts k|p| bits and then sends (n-1)|q| bits secretly. In the signature issuing protocol, each signer first broadcasts k|p| bits and then sends (|B|-1)|q| bits secretly. Finally, each signer broadcasts |q| bits. Thus, our scheme is as efficient as the CMI scheme for Schnorr's scheme [9].

5 Security

In this section, we show that the proposed (k, n) threshold digital signature scheme is secure.

5.1 Correctness and Detectability

The correctness of the signature (t, w) is easily verified by eq. (8). Next, we prove (K2) of subsection 4.1. Cheating at step 1 and step (2-1) occurs in PROTOCOL RANDOM NUMBER. The cheaters are detected by PROTOCOL VERIFY SHARE, which is included in PROTOCOL RANDOM NUMBER. Cheaters at step (2-2) are detected by step (2-3). The detected cheaters are then excluded from that point on. Therefore, if there exist at least k honest signers in the signature issuing protocol, our scheme can issue a valid signature.

5.2 View

The view of $P_i$ in a protocol is everything that $P_i$ sees in executing the protocol. For example, in PROTOCOL RANDOM NUMBER, the view of $P_1$ is $g^{r_1}, \ldots, g^{r_n}$; $g^{a_{1,1}}, \ldots, g^{a_{1,k-1}}, \ldots, g^{a_{n,1}}, \ldots, g^{a_{n,k-1}}$; $f_1(1), \ldots, f_n(1)$; $r_1, a_{1,1}, \ldots, a_{1,k-1}$

and the content of his random tape. Suppose that an adversary corrupts $P_{i_1}, \ldots, P_{i_l}$. Then the view of the adversary is {the view of $P_{i_1}$} $\cup \cdots \cup$ {the view of $P_{i_l}$}.

Definition 5.1 Suppose that a set of players B execute PROTOCOL RANDOM NUMBER on input (p, q, g) and the main output is y. Let $\hat{A}$ be an adversary which corrupts up to k-1 players. Denote the view of $\hat{A}$ for this protocol by $view(\hat{A}, p, q, g, y)$. Let $VIEW(\hat{A}, p, q, g, y)$ denote the random variable induced by $view(\hat{A}, p, q, g, y)$.

Lemma 5.1 For any probabilistic polynomial time adversary $\hat{A}$, there exists a probabilistic polynomial time Turing machine M such that the probability distribution of M(p, q, g, y) is identical to $VIEW(\hat{A}, p, q, g, y)$.

(Proof) For simplicity, suppose that $B = \{P_1, \ldots, P_n\}$ and $\hat{A}$ corrupts $P_1, \ldots, P_{k-1}$. Then $view(\hat{A}, p, q, g, y)$ is as follows.
(a) $r_i$ and $y_i = g^{r_i} \bmod p$ for $1 \le i \le k-1$.
(b) $y_j$ for $k \le j \le n$, where $y_1 \cdots y_n = y$.
(c) $a_{i,1}, \ldots, a_{i,k-1}$ for $1 \le i \le k-1$.
(d) $g^{a_{i,1}}, \ldots, g^{a_{i,k-1}}$ for $1 \le i \le n$.
(e) $f_1(i), \ldots, f_n(i)$ for $1 \le i \le k-1$, where $f_i(u) = r_i + a_{i,1} u + \cdots + a_{i,k-1} u^{k-1}$ for $1 \le i \le k-1$.
(f) $s_i \ (= f_1(i) + \cdots + f_n(i))$ for $1 \le i \le k-1$.
(g) The content of the random tape of $\hat{A}$.

Now, we show M.
(1) M computes (a) and (c) as $\hat{A}$ does.
(2) From (c), M obtains the polynomials $f_1(u), \ldots, f_{k-1}(u)$. M computes $f_1(i), \ldots, f_{k-1}(i)$ for $1 \le i \le k-1$. M chooses $f_k(i), \ldots, f_n(i)$, $1 \le i \le k-1$, at random. Then M obtains (e) and (f).
(3) M chooses $y_k, \ldots, y_{n-1}$ at random. Let $y_n = y / (y_1 \cdots y_{n-1})$. Then M obtains (b).

(4) M can compute $g^{a_{i,1}}, \ldots, g^{a_{i,k-1}}$ for $1 \le i \le k-1$ from (1).
(5) Note that M obtains $y_j$ from (3) and $f_j(1), \ldots, f_j(k-1)$ from (2) for $k \le j \le n$. Then, by Proposition 2.1, M can compute $g^{a_{j,1}}, \ldots, g^{a_{j,k-1}}$ for $k \le j \le n$ from $y_j$ and $f_j(1), \ldots, f_j(k-1)$. Thus M obtains (d).
(6) M knows the content of the random tape of $\hat{A}$ because, in (1), M behaves in the same way as $\hat{A}$ does.
Therefore, M can compute $view(\hat{A}, p, q, g, y)$ with the same probability as $VIEW(\hat{A}, p, q, g, y)$. $\Box$

5.3 Unforgeability

Let D1 denote the digital signature scheme of subsection 3.2 and D2 denote the proposed (k, n) threshold digital signature scheme of subsection 4.1. In this section, we prove that D2 is as secure as D1 against chosen message attack by using Theorem 5.1 and Theorem 5.2 below. (We prove (K3) of subsection 4.1.)

In a chosen message attack against a digital signature scheme, an adversary A1 is allowed to use a signer as an oracle. He tries to forge a signature after getting signatures from the signer on messages of his own choice. If there exists no probabilistic polynomial time algorithm A1 that can forge a signature in this way, we say that the signature scheme is secure against chosen message attack.

For a (k, n) threshold digital signature scheme, we assume k-1 or fewer signers deviating from the protocol in an arbitrary way. This is formalized by means of a probabilistic polynomial time adversary A2 which corrupts up to k-1 signers. We define a chosen message attack against our (k, n) threshold digital signature scheme as follows. An adversary A2 is allowed to have the signature issuing protocol executed by any k or more signers on messages of his own choice. A2 tries to forge a signature from the signatures he obtained in this way and his view, where the view is everything that A2 sees in executing the key generation protocol and the signature issuing protocol.
Definition 5.2 Let A1 be a probabilistic polynomial time Turing machine which can use a signer of D1 as an oracle. We denote by A1(p, q, g, y) the random variable that takes the value $(m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))$ with the same probability that A1 on input (p, q, g, y) queries $(m_1, m_2, \ldots)$ to the signer and finally outputs $(\hat{m}, \hat{t}, \hat{w})$, where the probability is taken over the coin tosses of A1 and the signer.

Definition 5.3 Let A2 be a probabilistic polynomial time Turing machine which can corrupt up to k-1 signers of D2. A2 can have the signature issuing protocol executed by any k or more signers. We denote by A2(p, q, g | y) the random variable that takes the value $(m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))$ with the same probability that A2 on input (p, q, g) queries $(m_1, m_2, \ldots)$ to the signature issuing protocol and finally outputs $(\hat{m}, \hat{t}, \hat{w})$ under the condition that the key generation protocol outputs y, where the probability is taken over the coin tosses of A2 and the signers.

Theorem 5.1 For any adversary A1 against D1, there exists an adversary A2 against D2 such that

$$\Pr[A2(p, q, g \mid y) = (m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))] = \Pr[A1(p, q, g, y) = (m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))] \qquad (17)$$

for any public key (p, q, g, y) and any $(m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))$.

(Proof) We show A2, which uses A1 as a subroutine. Suppose that the key generation protocol of D2 outputs y. A2 provides A1 with (p, q, g, y) and the content of the random tape of A1. Then A2 runs A1. If A1 requests a signature for a message $m_i$, A2 has $P_1, \ldots, P_k$ execute the signature issuing protocol for $m_i$. A2 obtains the signature $(t_i, w_i)$ for $m_i$ from $P_1, \ldots, P_k$. Then A2 feeds $(t_i, w_i)$ to A1. Thus A1 can carry out his chosen message attack. A2 outputs $(\hat{m}, \hat{t}, \hat{w})$ if and only if A1 outputs $(\hat{m}, \hat{t}, \hat{w})$. Now it is clear that eq. (17) holds. $\Box$

Theorem 5.2 For any adversary A2 against D2, there exists an adversary A1 against D1 such that

$$\Pr[A1(p, q, g, y) = (m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))] = \Pr[A2(p, q, g \mid y) = (m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))] \qquad (18)$$

for any public key (p, q, g, y) and any $(m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))$.

(Proof) We show A1, which uses A2 as a subroutine. A1 provides A2 with (p, q, g, y) and the content of the random tape of A2. By using M of Lemma 5.1, A1 generates view(A2, p, q, g, y) of the key generation protocol and feeds it to A2. Next, A1 runs A2. If A2 requests a signature for a message $m_i$,

A1 obtains the signature $(t_i, w_i)$ for $m_i$ from the oracle (signer) and feeds $(t_i, w_i)$ to A2. A1 also computes $v_i = g^{t_i/h(m_i)} \, y^{-w_i/h(m_i)} \bmod p$ and feeds $v_i$ to A2 (see Lemma 3.1). By using M, A1 generates view(A2, p, q, g, $v_i$) and feeds it to A2. A1 must further feed $\{\sigma_1, \ldots, \sigma_k\}$ to A2. For simplicity, suppose that A2 has the signature issuing protocol executed by $P_1, \ldots, P_k$ and A2 corrupts $P_1, \ldots, P_{k-1}$. Note that $\alpha_1, \ldots, \alpha_{k-1}$ are included in view(A2, p, q, g, y). Similarly, $\beta_1, \ldots, \beta_{k-1}$ are included in view(A2, p, q, g, $v_i$). Therefore, M can compute $\sigma_1, \ldots, \sigma_{k-1}$. Finally, A1 computes $\sigma_k$ as follows. From the Lagrange formula (eq. (2)), we have

$$t_i = d_1 \sigma_1 + \cdots + d_{k-1} \sigma_{k-1} + d_k \sigma_k,$$

where

$$d_j = \prod_{h \ne j} \frac{h}{h - j} \ne 0 \quad \text{for } 1 \le j \le k.$$

Hence $\sigma_k$ is obtained as

$$\sigma_k = \Big( t_i - \sum_{j=1}^{k-1} d_j \sigma_j \Big) / d_k.$$

Now A1 feeds $\{\sigma_1, \ldots, \sigma_k\}$ to A2. Then A2 can obtain the whole view and carry out his chosen message attack. A1 outputs $(\hat{m}, \hat{t}, \hat{w})$ if and only if A2 outputs $(\hat{m}, \hat{t}, \hat{w})$. Thus it is clear that eq. (18) holds. $\Box$

6 Conclusion

We have shown an efficient (k, n) threshold DSS type digital signature scheme with no trusted center. It has been proved that the proposed (k, n) threshold digital signature scheme is as secure as the proposed variant of DSS against chosen message attack. It remains future work to develop an efficient (k, n) threshold RSA type digital signature scheme with no trusted center.

References

[1] Y. Desmedt, "Society and Group Oriented Cryptography: A New Concept", Proc. of Crypto'87, LNCS 293, Springer-Verlag, pp. 120-127.
[2] O. Goldreich, S. Micali, and A. Wigderson, "How to Play Any Mental Game", Proc. of the 19th ACM Symposium on Theory of Computing, pp. 218-229.
[3] Y. Frankel, "A practical protocol for large group oriented networks", Proc. of Eurocrypt'89, LNCS 434, Springer-Verlag, pp. 56-61.
[4] Y. Desmedt and Y. Frankel, "Threshold Cryptosystem", Proc. of Crypto'89, LNCS 435, Springer-Verlag, pp. 307-315.
[5] T. Hwang, "Cryptosystem for group oriented cryptography", Proc. of Eurocrypt'90, LNCS 473, Springer-Verlag, pp. 352-360.
[6] T.P. Pedersen, "A Threshold Cryptosystem without a Trusted Party", Proc. of Eurocrypt'91, LNCS 547, Springer-Verlag, pp. 522-526.
[7] P. Feldman, "A Practical Scheme for Non-Interactive Verifiable Secret Sharing", Proc. of the 28th IEEE Symposium on Foundations of Computer Science, pp. 427-437.
[8] Y. Desmedt and Y. Frankel, "Shared Generation of Authenticators and Signatures", Proc. of Crypto'91, LNCS 576, Springer-Verlag, pp. 457-469.
[9] M. Cerecedo, T. Matsumoto, and H. Imai, "Efficient and Secure Multiparty Generation of Digital Signatures Based on Discrete Logarithms", IEICE Trans. on Fundamentals, vol. E76-A, no. 4, pp. 532-545.
[10] C.P. Schnorr, "Efficient Identification and Signatures for Smart Cards", Proc. of Crypto'89, LNCS 435, Springer-Verlag, pp. 235-251.

[11] M. Ben-Or, S. Goldwasser, and A. Wigderson, "Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation", Proc. of the 20th ACM Symposium on Theory of Computing, pp. 1-10.
[12] T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Trans. on Information Theory, vol. 31, no. 4, pp. 469-472.
[13] G. Agnew, R. Mullin, and S. Vanstone, "Improved Digital Signature Scheme Based on Discrete Logarithms", Electronics Letters, vol. 26, no. 14, pp. 1024-1025.
[14] "Working Draft American National Standard X X, Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: Part 1: The Digital Signature Algorithm (DSA)", American Bankers Association, Washington, D.C., Feb. A description of the algorithm and comments on the proposal can be found in the article "Debating Encryption Standards", Communications of the ACM, vol. 35, no. 7, pp. 32-54.
[15] J. Bar-Ilan and D. Beaver, "Non-Cryptographic Fault-Tolerant Computing in a Constant Number of Rounds of Interaction", Proc. of the ACM Symposium on Principles of Distributed Computing, pp. 201-209.
[16] D. Beaver, "Secure multiparty protocols and zero knowledge proof systems tolerating a faulty minority", Journal of Cryptology, vol. 4, no. 4, pp. 75-122.
[17] M. Cerecedo, T. Matsumoto, and H. Imai, "Practical protocols for fault tolerant distributed generation of signatures", Symposium on Cryptography and Information Security, Tateshina, Japan, April 2-4, pp. 532-545.
[18] T. Katoh, S. Hirose, M. Minoh, and K. Ikeda, "A protocol for group oriented signature scheme applying ElGamal's public key cryptosystem", Proc. of the IEICE Fall Conference, Sept., 1-187.
[19] A. Shimbo, "Multisignature schemes based on the ElGamal scheme (in Japanese)", SCIS'94 workshop, January 27-29, SCIS-2C.

[20] K. Nyberg and R.A. Rueppel, "Message recovery for signature schemes based on the discrete logarithm problem", Proc. of Eurocrypt'94, pp. 175-190.
[21] L. Harn and Y. Xu, "Design of generalized ElGamal type digital signature schemes based on discrete logarithms", Electronics Letters, vol. 30, no. 24, pp. 2025-2026.
[22] A. Shamir, "How to Share a Secret", Communications of the ACM, vol. 22, no. 11, pp. 612-613.
[23] T.P. Pedersen, "Distributed Provers with Applications to Undeniable Signatures", Proc. of Eurocrypt'91, LNCS 547, Springer-Verlag, pp. 221-238.


More information

Chapter 8 Public-key Cryptography and Digital Signatures

Chapter 8 Public-key Cryptography and Digital Signatures Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key

More information

Some Bounds and a Construction for Secure Broadcast Encryption

Some Bounds and a Construction for Secure Broadcast Encryption Some Bounds and a Construction for Secure Broadcast Encryption Kaoru Kurosawa 1, Takuya Yoshida 1, Yvo Desmedt 2,3, and Mike Burmester 3 1 Dept. of EE, Tokyo Institute of Technology 2 12 1 O-okayama, Meguro-ku,

More information

Shared Generation of Shared RSA Keys 1. Simon Blake-Wilson 3. Certicom Corp. Steven Galbraith.

Shared Generation of Shared RSA Keys 1. Simon Blake-Wilson 3. Certicom Corp. Steven Galbraith. Shared Generation of Shared RSA Keys 1 Simon Blackburn 2 Royal Holloway simonb@dcs.rhbnc.ac.uk Simon Blake-Wilson 3 Certicom Corp. sblakewi@certicom.com Steven Galbraith Royal Holloway stevenga@dcs.rhbnc.ac.uk

More information

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018 Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval

More information

Lecture 10: Zero-Knowledge Proofs

Lecture 10: Zero-Knowledge Proofs Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam

More information

On the Big Gap Between p and q in DSA

On the Big Gap Between p and q in DSA On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that

More information

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach

More information

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

More information

Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary

Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University, 4-12-1 Nakanarusawa, Hitachi,

More information

A Fair and Efficient Solution to the Socialist Millionaires Problem

A Fair and Efficient Solution to the Socialist Millionaires Problem In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques

More information

New Approach for Selectively Convertible Undeniable Signature Schemes

New Approach for Selectively Convertible Undeniable Signature Schemes New Approach for Selectively Convertible Undeniable Signature Schemes Kaoru Kurosawa 1 and Tsuyoshi Takagi 2 1 Ibaraki University, Japan, kurosawa@mx.ibaraki.ac.jp 2 Future University-Hakodate, Japan,

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version. From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between

More information

An Unconditionally Secure Protocol for Multi-Party Set Intersection

An Unconditionally Secure Protocol for Multi-Party Set Intersection An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,

More information

One Round Threshold Discrete-Log Key Generation without Private Channels

One Round Threshold Discrete-Log Key Generation without Private Channels One Round Threshold Discrete-Log Key Generation without Private Channels Pierre-Alain Fouque and Jacques Stern École Normale Supérieure, Département d Informatique 45, rue d Ulm, F-75230 Paris Cedex 05,

More information

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.

More information

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to Interactive Hashing Simplies Zero-Knowledge Protocol Design Rafail Ostrovsky Ramarathnam Venkatesan y Moti Yung z (Extended abstract) Abstract Often the core diculty in designing zero-knowledge protocols

More information

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex Exponent Group Signature Schemes and Ecient Identity Based Signature Schemes Based on Pairings F. Hess Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol,

More information

Digital Signatures from Challenge-Divided Σ-Protocols

Digital Signatures from Challenge-Divided Σ-Protocols Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known

More information

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech Generating a Product of Three Primes with an Unknown Factorization Dan Boneh and Jeremy Horwitz Computer Science Department, Stanford University, Stanford, CA 94305-9045 fdabo,horwitzg@cs.stanford.edu

More information

Design Validations for Discrete Logarithm Based Signature Schemes

Design Validations for Discrete Logarithm Based Signature Schemes Proceedings of the 2000 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000) (18 20 january 2000, Melbourne, Australia) H. Imai and Y. Zheng Eds. Springer-Verlag, LNCS 1751,

More information

Lecture Notes 20: Zero-Knowledge Proofs

Lecture Notes 20: Zero-Knowledge Proofs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties

More information

Cryptographic Protocols FS2011 1

Cryptographic Protocols FS2011 1 Cryptographic Protocols FS2011 1 Stefan Heule August 30, 2011 1 License: Creative Commons Attribution-Share Alike 3.0 Unported (http://creativecommons.org/ licenses/by-sa/3.0/) Contents I Interactive Proofs

More information

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication

More information

Question: Total Points: Score:

Question: Total Points: Score: University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please

More information

Generating ElGamal signatures without. knowing the secret key??? Daniel Bleichenbacher. ETH Zurich.

Generating ElGamal signatures without. knowing the secret key??? Daniel Bleichenbacher. ETH Zurich. Generating ElGamal signatures without knowing the secret key??? Daniel Bleichenbacher ETH Zurich Institute for Theoretical Computer Science CH-8092 Zurich, Switzerland email: bleichen@inf.ethz.ch Abstract.

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Transitive Signatures Based on Non-adaptive Standard Signatures

Transitive Signatures Based on Non-adaptive Standard Signatures Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing

More information

Sealed-bid Auctions with Efficient Bids

Sealed-bid Auctions with Efficient Bids Sealed-bid Auctions with Efficient Bids Toru Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University 3-1-1 Tsushima-naka,

More information

A Strong Identity Based Key-Insulated Cryptosystem

A Strong Identity Based Key-Insulated Cryptosystem A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China

More information

Verifiable Secret Redistribution

Verifiable Secret Redistribution Verifiable Secret Redistribution Theodore M. Wong Jeannette M. Wing October 2001 CMU-CS-01-155 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 Abstract We present a new protocol

More information

Two-Party Generation of DSA Signatures

Two-Party Generation of DSA Signatures Two-Party Generation of DSA Signatures (Extended Abstract) Philip MacKenzie and Michael K. Reiter Bell Labs, Lucent Technologies, Murray Hill, NJ, USA Abstract. We describe a means of sharing the DSA signature

More information

On Expected Constant-Round Protocols for Byzantine Agreement

On Expected Constant-Round Protocols for Byzantine Agreement On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali (STOC 88) show an n-party Byzantine agreement protocol tolerating

More information

Blind Collective Signature Protocol

Blind Collective Signature Protocol Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard

More information

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Some Security Comparisons of GOST R and ECDSA Signature Schemes Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam

More information

A message recovery signature scheme equivalent to DSA over elliptic curves

A message recovery signature scheme equivalent to DSA over elliptic curves A message recovery signature scheme equivalent to DSA over elliptic curves Atsuko Miyaji Multimedia Development Center Matsushita Electric Industrial Co., LTD. E-mail : miyaji@isl.mei.co.jp Abstract. The

More information

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,

More information

Introduction to Modern Cryptography Lecture 11

Introduction to Modern Cryptography Lecture 11 Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00

More information

2 Message authentication codes (MACs)

2 Message authentication codes (MACs) CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from

More information

A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm

A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm Min-Shiang Hwang Cheng-Chi Lee Shiang-Feng Tzeng Department of Management Information System National Chung Hsing University

More information

Montgomery-Suitable Cryptosystems

Montgomery-Suitable Cryptosystems Montgomery-Suitable Cryptosystems [Published in G. Cohen, S. Litsyn, A. Lobstein, and G. Zémor, Eds., Algebraic Coding, vol. 781 of Lecture Notes in Computer Science, pp. 75-81, Springer-Verlag, 1994.]

More information

Fast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests

Fast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests Fast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests Maged H. Ibrahim I. I. Ibrahim A. H. El-Sawy Telecommunications Department, Faculty of Engineering, Helwan University

More information

Privacy Preserving Multiset Union with ElGamal Encryption

Privacy Preserving Multiset Union with ElGamal Encryption Privacy Preserving Multiset Union with ElGamal Encryption Jeongdae Hong 1, Jung Woo Kim 1, and Jihye Kim 2 and Kunsoo Park 1, and Jung Hee Cheon 3 1 School of Computer Science and Engineering, Seoul National

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial

More information

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * 2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS

More information

Non-interactive Designated Verifier Proofs and Undeniable Signatures

Non-interactive Designated Verifier Proofs and Undeniable Signatures Non-interactive Designated Verifier Proofs and Undeniable Signatures Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, University of London, UK {c.j.kudla,kenny.paterson}@rhul.ac.uk

More information

On Expected Constant-Round Protocols for Byzantine Agreement

On Expected Constant-Round Protocols for Byzantine Agreement On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model

More information

Lecture 15 - Zero Knowledge Proofs

Lecture 15 - Zero Knowledge Proofs Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,

More information

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

On the security of Jhanwar-Barua Identity-Based Encryption Scheme On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In

More information

n-party protocol for this purpose has maximum privacy if whatever a subset of the users can

n-party protocol for this purpose has maximum privacy if whatever a subset of the users can Appeared in Crypto87, Springer Verlag, Lecture Note in Computer Science (293), pages 73{86. Reproduced (in June 1997) from an old tro le. How to Solve any Protocol Problem { An Eciency Improvement (Extended

More information

Digital Signatures. p1.

Digital Signatures. p1. Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message

More information

Anonymous Credential Schemes with Encrypted Attributes

Anonymous Credential Schemes with Encrypted Attributes Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network

More information

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu

More information

Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model

Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness

More information

Threshold Cryptography

Threshold Cryptography Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure

More information

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in

More information

Secure Modulo Zero-Sum Randomness as Cryptographic Resource

Secure Modulo Zero-Sum Randomness as Cryptographic Resource Secure Modulo Zero-Sum Randomness as Cryptographic Resource Masahito Hayashi 12 and Takeshi Koshiba 3 1 Graduate School of Mathematics, Nagoya University masahito@math.nagoya-u.ac.jp 2 Centre for Quantum

More information

Efficient Secret Sharing Schemes Achieving Optimal Information Rate

Efficient Secret Sharing Schemes Achieving Optimal Information Rate Efficient Secret Sharing Schemes Achieving Optimal Information Rate Yongge Wang KINDI Center for Computing Research, Qatar University, Qatar and Department of SIS, UNC Charlotte, USA Email: yonggewang@unccedu

More information

Multiparty Computation, an Introduction

Multiparty Computation, an Introduction Multiparty Computation, an Introduction Ronald Cramer and Ivan Damgård Lecture Notes, 2004 1 introduction These lecture notes introduce the notion of secure multiparty computation. We introduce some concepts

More information

A Simplified Approach to Threshold and Proactive RSA

A Simplified Approach to Threshold and Proactive RSA A Simplified Approach to Threshold and Proactive RSA Tal Rabin IBM T.J. Watson Research Center PO Box 704, Yorktown Heights, New York 10598 talr@watson.ibm.com Abstract. We present a solution to both the

More information

An undeniable signature scheme consists of several components: a public and a secret key, a method to sign a message and two interactive protocols. Fo

An undeniable signature scheme consists of several components: a public and a secret key, a method to sign a message and two interactive protocols. Fo Ecient Undeniable Signature Schemes based on Ideal Arithmetic in Quadratic Orders Ingrid Biehl Technische Universitat Darmstadt, Alexanderstr. 10, D-64283, Darmstadt, Germany E-mail: ingi@cdc.informatik.tu-darmstadt.de

More information

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti 6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic

More information

An Identification Scheme Based on KEA1 Assumption

An Identification Scheme Based on KEA1 Assumption All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to

More information

Multi-Party Computation with Conversion of Secret Sharing

Multi-Party Computation with Conversion of Secret Sharing Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution

More information

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds 1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer

More information

A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol

A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol Christian L F Corniaux and Hossein Ghodosi James Cook University, Townsville QLD 4811, Australia chriscorniaux@myjcueduau, hosseinghodosi@jcueduau

More information

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp

More information

PAPER An Identification Scheme with Tight Reduction

PAPER An Identification Scheme with Tight Reduction IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification

More information

Homework 3 Solutions

Homework 3 Solutions 5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin

More information

Improved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider

Improved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to

More information

f (x) f (x) easy easy

f (x) f (x) easy easy A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Simple and Asymptotically Optimal t-cheater Identifiable Secret Sharing Scheme

Simple and Asymptotically Optimal t-cheater Identifiable Secret Sharing Scheme Simple and Asymptotically Optimal t-cheater Identifiable Secret Sharing Scheme Ashish Choudhury Applied Statistics Unit Indian Statistical Institute Kolkata India partho31@gmail.com, partho 31@yahoo.co.in

More information

Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco

Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco Department of Computer Science and Engineering Indian Institute of Technology Kharagpur, West Bengal, India. Outline Introduction

More information

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004 CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce

More information

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng

More information

Introduction to Cryptography Lecture 13

Introduction to Cryptography Lecture 13 Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple

More information

4-3 A Survey on Oblivious Transfer Protocols

4-3 A Survey on Oblivious Transfer Protocols 4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of

More information

Protocols for Multiparty Coin Toss with a Dishonest Majority

Protocols for Multiparty Coin Toss with a Dishonest Majority Protocols for Multiparty Coin Toss with a Dishonest Maority Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer Science and Mathematics

More information

Threshold RSA for Dynamic and Ad-Hoc Groups (Extended Abstract )

Threshold RSA for Dynamic and Ad-Hoc Groups (Extended Abstract ) Threshold RSA for Dynamic and Ad-Hoc Groups (Extended Abstract ) Rosario Gennaro, Shai Halevi, Hugo Krawczyk, Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY USA Abstract. We consider the use of

More information

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0

More information

Universally Composable Multi-Party Computation with an Unreliable Common Reference String

Universally Composable Multi-Party Computation with an Unreliable Common Reference String Universally Composable Multi-Party Computation with an Unreliable Common Reference String Vipul Goyal 1 and Jonathan Katz 2 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer

More information

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Practical Verifiable Encryption and Decryption of Discrete Logarithms Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:

More information

Concurrent Signatures

Concurrent Signatures Concurrent Signatures Liqun Chen 1, Caroline Kudla 2, and Kenneth G. Paterson 2 1 Hewlett-Packard Laboratories, Bristol, UK liqun.chen@hp.com 2 Information Security Group Royal Holloway, University of

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

Efficient Conversion of Secret-shared Values Between Different Fields

Efficient Conversion of Secret-shared Values Between Different Fields Efficient Conversion of Secret-shared Values Between Different Fields Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We show how to effectively convert a

More information

3-Move Undeniable Signature Scheme

3-Move Undeniable Signature Scheme 3-Move Undeniable Signature Scheme Kaoru Kurosawa 1 and Swee-Huay Heng 2 1 Ibaraki University, 4-12-1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan kurosawa@cis.ibaraki.ac.jp 2 Multimedia University,

More information

How many rounds can Random Selection handle?

How many rounds can Random Selection handle? How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.

More information