Threshold Undeniable RSA Signature Scheme

Size: px

Start display at page:

Download "Threshold Undeniable RSA Signature Scheme"

Joella White
5 years ago
Views:

1 Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing , P. R. China. {glwang, qsh, mshwang}@ercist.iscas.ac.cn 2 Mathematics Department, College of Science and Technology, Nihon University, Tokyo , Japan. {zhanfei zhou}@hotmail.com Abstract. Undeniable signature has been extensively researched after Chaum and Antwerpen first proposed the concept of this special digital signature ten years ago. Up to now, however, almost all the existed schemes are based on discrete logarithm cryptosystems. In this paper, based on an improvement of the practical threshold RSA signature scheme proposed by Shoup at Eurocrypt 2000 and the first undeniable RSA signature scheme proposed by Gennaro, Krawczyk and Rabin at Crypto 97, we present the first, as we know, threshold undeniable RSA signature scheme. Our scheme is secure and robust since all the partial signatures are verifiable by adopting a discrete logarithm equality protocol proposed by Shoup. 1 Introduction Undeniable signature is a special kind of digital signature with the characteristic that signature cannot be verified without the cooperation of the signer and cannot be denied by the signer if he has signed the signature indeed. (t, n) threshold signature is one kind of group-oriented signature, in which only the subsets with at least t members in a group U can generate a valid signature and any verifier can simply verify an alleged signature if he/she knows U s group public key. However, in a (t, n) threshold undeniable signature scheme, any subset of t members out of n, denoted by U B, can represent the group U to generate a signature, but without the cooperation of t members, a verifier cannot verify the validity of an alleged signature even if he knows U s group public key. At the same time, any subset of less than t members cannot generate, confirm or disavow a signature even if they cooperate maliciously. Generally speaking, a threshold undeniable signature scheme consists of the following three main sub-protocols. (1) Signing Protocol: t members in subset U B run this protocol to produce a valid signature for any message, but any attacker I cannot forge a valid Supported by the National Key Basic Research Program of China (No. G ) and the National Natural Science Foundation of China (No ).

2 signature of group U with non-negligent possibility unless I has corrupted at least t members or U s private signing key has been compromised to I (i.e., nonforgeability). (2) Confirmation Protocol: By running this protocol between prover U B, t members of U, and verifier V, V is convinced that an alleged signature is indeed signed by U. Confirmation protocol should satisfy the following three properties. Completeness: A signature signed by group U will always be accepted by V if all the members in U B and V are honest (this means that they properly act as the protocol described). Soundness: Even a cheating prover U B cannot convince the verifier V to accept an non-valid signature of U with non-negligent possibility. Zero-knowledge: On input a message and its valid signature, any possible cheating verifier V interacting with a subset U B does not learn any information aside from the validity of the signature. (3) Denial Protocol: By running this protocol, prover U B ensures a verifier V that a signature is not signed by group U. Denial protocol also should satisfy the similar three properties as follows. Completeness: A signature not signed by U will always pass through the denial protocol such that V believes that it is not U s signature if all the members in U B and V are honest. Soundness: Even a cheating prover U B cannot successfully deny a valid signature of U with non-negligent possibility by running denial protocol. Zero-knowledge: On input a message and a non-valid signature, any possible cheating verifier V interacting with a subset U B does not learn any information aside from the the fact that this non-valid signature is in fact not a valid signature of group U. Besides nonforgeability, a threshold undeniable signature should also be robust, meaning that corrupted members should not be able to prevent uncorrupted members from generating signatures. After Chaum and Antwerpen first proposed the conception of undeniable signature in [6], extensive researches are done to this special kind signature. Chaum [2] presented a zero-knowledge undeniable signature scheme with promising applications in copyright protection of electronic products. By combining the undeniable signature and group-oriented signature [7, 8], Harn and Yang [13] proposed the conception of (t, n) threshold undeniable signature, and presented two concrete schemes in respect of t = 1 and t = n. But Langford [14] pointed out that their (n, n) threshold undeniable signature scheme only possesses a security of 2-out-of-n, because any two adjacent members can generate a valid threshold signature. Lin etc. presented a general threshold undeniable signature scheme [16], but which is also subjected to Langford s attack [14]. [15] generalized Chaum s zero-knowledge undeniable signature [2] to a (t, n) threshold undeniable signature scheme with a dealer. However, unlike all the above schemes based

3 on discrete logarithm cryptosystems, Gennaro, Krawczyk and Rabin presented the first undeniable RSA signature scheme [12]. In this paper, we will construct the first, as we know, threshold undeniable RSA signature scheme with a dealer. Our Scheme are builded from an improvement to Shoup s threshold signature scheme [20] and Gennaro etc. s undeniable RSA signature scheme [12]. Our schemes are secure and robust because all the partial signatures are verifiable by adopting a discrete logarithm equality protocol proposed by Shoup [20]. The organization of this paper is as follows. Notations are described in 2. Shoup s discrete logarithm equality protocol [20] and Gennaro etc. s undeniable RSA signature scheme are reviewed in 3 and 4 respectively. Then, we propose an improvement to Shoup s threshold RSA signature and a newly threshold undeniable RSA signature scheme in 5 and 6 respectively. The last two sections are about some discussions and future work. 2 Notations Our systems consist of a dealer D and a group U with n members U i (i = 1, 2,, n). Let t be the threshold value and B denote a subset of size t in the index set {1, 2,, n}. The notation x R X means that an element x is selected randomly and uniformly from set X. In this paper, the RSA modulus N is selected as the product of two large secure primes p and q, i.e. there exist two primes p, q such that p = 2p + 1, q = 2p + 1 and N = pq. Let M = p q, and L(N) denote the bit-length of N. We denote by Q N the subgroup of squares in ZN. For any integer x, let J (x N) denote the Jacobi symbol symbol of x respect to the base N. In addition, we denote by J N the subgroup of elements x ZN with J (x N) = 1. Then we know that Q N J N ZN. Moreover, Q N is cyclic of order M and J N is cyclic of order 2M. 3 Discrete Logarithm Equality Protocol As a key of modern cryptography, knowledge proving plays an important role in constructing varied protocols and schemes. Among of them, the most extensively used knowledge proving protocols are based on discrete logarithm cryptosystems [3]. In this section, we briefly review a discrete logarithm equality protocol proposed by Shoup [20], which is an improvement to a well-known interactive protocol, due to Chaum and Pedersen [5]. Let g 1, g 2 are two generators of the subgroup Q N of Z N. Q N s order is not known. The prover P possesses a secret number α Z M such that log g1 h 1 = log g2 h 2 = α, i.e. h 1 = g 1 α and h 2 = g 2 α. By running the following protocol between the prover P and the verifier V, P convinces V that he indeed possesses the secret α but does not reveals which is it to V. Let H be a hash

4 function, whose output is an l 1 -bit interger, where l 1 is a second security parameter (l 1 = 128, say). For convenience, we will simply denote this protocol as DLE(g 1, h 1 ; g 2, h 2 ; α). DLE(g 1, h 1 ; g 2, h 2 ; α) Protocol (1) P randomly selects w R [0,, 2 L(N)+2l1 1], computes a 1 = g1 w mod N, a 2 = g2 w mod N, c = H(g 1 g 2 h 1 h 2 a 1 a 2 ) and r = αc + w. Then, P publishes P roof P = (r, c) as the proof of knowing the secret α. (2) From the proof (r, c), V first computes a 1 = g1h r c 1 mod N and a 2 = g2h r c 2 mod N, then determines whether P knows the secret α by checking c H(g 1 g 2 h 1 h 2 a 1 a 2 ). 4 Gennaro etc. s Undeniable RSA Signature In this section, we briefly review the first undeniable RSA signature scheme constructed by Gennaro etc. [12]. In their scheme, the signer publishes the RSA modulus and a sample signature but keeps the usual key pair secretly. The confirmation and denial of a signature are to check whether certain relations between the signature and the sample signature hold. Stage 1: Setting System Parameters If user P want to use this system, he first chooses two large secure primes p = 2p + 1 and q = 2q + 1 and let the RSA modulus as N = pq. Then he chooses the key pair e, d [1, ϕ(n) 1] such that ed = 1 mod ϕ(n). In addition, P selects an element w Z N of order at least p q as the sample message and computes the sample signature S w = w d mod N. At last, P publishes his public key information (N, w, S w ) but keeps his private key information (e, d) secretly. Where, d is used to generate signature and e to verify signature. Furthermore, P chooses a secure parameter l (usually it can be set as 1024). Stage 2: Generation of Undeniable Signature As in regular RSA signature scheme, if user P want to sign a message m, he computes S m = m d mod N and publishes (m, S m ) as his signature on message m. Stage 3: Confirmation Protocol A verifier V can not alone verify whether an alleged signature (m, S m ) is signed by P, because V does not know P s verification key e (in fact, P does not publish this information at all). But V and P can run the following confirmation protocol to convince V that (m, S m ) is P s signature on message m. (3-1) V randomly selects two numbers c 1, c 2 R [1, N], computes the value C = Sm c1 Sw c2 mod N and sends it to P. (3-2) After received C, P computes and sends the value R = C e mod N to V.

5 (3-3) After received R, V check whether R m c1 w c2 mod N holds. If yes, then V accepts S m as P s signature on message. Otherwise, V and P has to run the denial protocol to determine whether S m is indeed not signed by P. Stage 4: Denial Protocol V and P can run the following denial protocol to convince V that S m is not P s signature on message m. (4-1) V randomly selects two numbers c 1 R [1, l] and c 2 R [1, N], sends C 1 = m c1 w c2 mod N and C 2 = Sm c1 Sw c2 mod N to P. (4-2) After received (C 1, C 2 ), P searches all possible values in [1, l] to find a number r such that (m/s e m ) r = C 1 /C e 2 mod N. If such r was found, then P sends it V. (4-3) V checks whether r c 1. If yes, V convinces that S m is not signed by P. Otherwise, V believes that P is trying to deny his own signature. [12] proved two theorems about the completeness, soundness and zero- knowledge of above confirmation protocol and denial protocol. Gennaro etc. s theorems show that their scheme is secure. In practice, secure parameter l can be selected as a small number, but P and V can run denial protocol several times to guarantee security without loss efficiency. For example, let l = 1024 and running the denial protocol for ten times, then 1/2 100 security level can be reached. In other words, the probability of occurring the following event is less than one in a million: V believes that S m is not signed by P, but in fact S m is P s signature on message m. 5 Improved Threshold RSA Signature Scheme In this section, we present an improved threshold RSA signature to Shoup s scheme [20], which has the same security level and is more efficient compared to Shoup s scheme. Furthermore, it seems intractable to directly generalize Shoup s scheme to undeniable environments, but our scheme can be generalized as a threshold undeniable signature if the methods used in [12] are adopted. In the essence, we simplify the signing equation of Shoup s scheme. Now, we first describe our improved threshold signature scheme, then compare the security and efficiency between our scheme and Shoup s. 5.1 Description of Threshold RSA Signature Scheme The dealer D chooses a RSA modulus N as the product of two large secure primes described in section 2. The dealer D also chooses the RSA public exponent e as a prime such that n < e < min{p, q }, and the secret exponent d ZM is the integer which satisfies de = 1 mod M. Stage 1. Distribution of Secrets

6 (1-1) The dealer D randomly selects a polynomial f(x) with order less than (t 1). Let f(x) = t 1 j=0 a jx j Z M [x], where a 0 = d and a j R Z M (j = 1, 2,, t 1). (1-2) Dealer D computes d i as follows and sends d i to member U i secretly: d i = f(i)(n!) 1 mod M, i = 1, 2,, n. (1) For any index subset B with t elements, it is easy to see that these d i satisfy the following equation according to the Lagrange interpolation formula: d = i B d i λ Bi mod M, where λ Bi = j B\{i} j n! j i (1-3) Dealer D randomly selects a generator v of Q N and computes: v i = v di mod N Q N, i = 1, 2,, n. Z. (2) In addition, D chooses an element u ZN such that the Jacobi symbol of u is 1, i.e. J (u N) = 1. (1-4) D publishes or broadcasts N, e, n, u, v and all v i (i = 1, 2,, n). Stage 2. Generation and Verification of Partial Signatures If member U i want to sign an original message m 0, then U i first computes the digest m as { H(m0 ), if J (H(m m = 0 ) N) = 1 H(m 0 )u, if J (H(m 0 ) N) = 1. (3) This forces that J (m N) = 1. Now, U i computes his partial signature as follows: S i = m 2di mod N. (4) Last, U i runs the DLE(v, v i ; m 2, S i ; d i ) protocol (where m 2 is computed under mod N) for constructing the proof P roof Ui to show the validity of partial signature S i by revealing that log v v i = log m 2 S i (= d i ). U i publishes or broadcasts (i, m, S i, P roof Ui ) as his partial signature message. Stage 3. Generation and Verification of Threshold Signature If there is at least t honest members (i.e., they generated valid partial signatures), then by choosing any t honest members U i (i B and B = t), each member can compute the threshold RSA signature S as follows: S = i B S i 2λ Bi mod N (= m 4d mod N); (5) A verifier can check the validity of a threshold signature (m 0, S) by the following equality S e m 4 mod N. (6)

7 Of course, the m in above equality has been processed by the equation (3). We have accomplished the description of our improvement to Shoup s scheme. The essential improvement is that Shoup s signing equation, displayed by the following equation (7), is modified as equation (5) in our scheme. S = S a m b mod N = m 4ad+b mod N. (7) Where, a, b are two public integers such that 4a + eb = 1 since gcd(4, e) = 1, and S is determined by equation (5). 5.2 Discussions of Threshold RSA Signature Scheme Now, we will briefly discuss the validity, security and efficiency of our scheme. Theorem 1. (Validity of the Scheme) If at least t honest members produced valid partial signatures and correct proofs, then the threshold signature determined by equation (5) satisfies the signature verification equation (6). Proof. According to (2), for index subset B {1, 2,, n} with t elements we know that there exists an integer k such that i B (λ Bi d i ) = d+km. Therefore, from equation (5) and (4), we have S = i B S i 2λ Bi mod N = m 4diλ Bi i B mod N (8) = m 4d+4kM mod N = m 4d+kφ(N) mod N = m 4d mod N. On the other hand, ed = 1 mod M, so there exists an integer k such that ed = 1 + km. Hence, S e = (m 4d ) e mod N = m 4+4 km mod N = m 4 mod N. (9) So, the signature S on message m satisfies the verification equation (6). Theorem 2. (Unforgeability of the Scheme) An attacker I can forge a valid signature to message m in our scheme if and only if he can forge a valid signature to the same message in Shoup s scheme. Proof. If attacker I can forge a valid signature S to message m in our scheme such that S e = m 4 mod N. Then, by using the public parameters a and b of Shoup s scheme, attacker I can compute a value S = S a m b mod N. Following reasonings show that S is the valid signature to message m in Shoup s scheme: ( S) e = (S a m b ) e mod N = (S e ) a m be mod N = m 4a+eb mod N = m mod N. So attacker I has successfully forged the signature on message m in Shoup s scheme. On the other hand, if attacker I can forge a valid signature S to message m in Shoup s scheme such that S e = m mod N. Then, let S = S 4 mod N. We have S e = ( S 4 ) e mod N = ( S e ) 4 mod N = m 4 mod N. Above equalities show that attacker I has successfully forged the signature S on message m in our scheme.

8 Furthermore, as Shoup did in [20], the following theorem holds. Theorem 3. (Security of the Scheme) In the random oracle model for hash function H, our threshold signature scheme is secure (robust and non-forgeable) assuming the standard RSA scheme is secure. In addition, comparing with Shoup s scheme, our threshold signature scheme possesses several advantages as follows. Simple Signing Equation. The signing equation in our scheme is S = m 4d mod N, which is simpler than Shoup s signing equation S = S a m b mod N. In general, a and b are large integers, and one of them must be negative. Therefore, computing a signature in Shop s scheme is lower than in our scheme. Protecting the Modulus. Because one of the two parameters a and b is negative integer in Shoup s scheme, one inverse, S 1 mod N or m 1 mod N, has to be computed before generating every threshold signature. Once the inverse element cannot be found (of course, this case occurs in a negligent possibility because factoring RSA modulus is difficult.), a factor of N has been found and this RSA cryptosystem is crashed then. Therefore, Shoup s signing equation does a negative effect in protecting the RSA modulus N. But, our scheme is immune to this problem. Scalability. Our scheme can be generalized to a threshold undeniable signature scheme (see section 5 of this paper), but Shoup s scheme seems intractable to generalize to this case. Public Exponent. In fact, the public exponent e in our scheme can be selected as any element of ZM, not necessarily a prime. In addition, in order to verify the honesty of the dealer D, verifiable secret sharing [17] or publicly verifiable secret sharing schemes [21, 18] can be introduced. But the discussion about these problems is out the scope of this paper. 6 Threshold Undeniable RSA Signature Scheme In this section, we propose a threshold undeniable RSA signature scheme with fine properties. As we know, this is the first threshold undeniable signature scheme based on RSA cryptosystem so far. In our scheme, by using Shamir s secret scheme [19], the dealer D distributes the RSA signing and verifying key pair (e, d) to all n members of group U, such that each subgroup of t honest members can generate undeniable RSA signature. At the same time, any t cooperative members can represent group U to confirming or disavowing an alleged signature. In addition, the honesty of each participating member is verifiable in all the three procedures of signature s generation, confirming and denying. In the essence, this scheme is constructed by combining the Gennaro etc. s undeniable RSA signature scheme in section 4 and the improved threshold RSA

9 signature scheme in section 5. But to many details, skillful processing are conceived to construct a secure and practical scheme. Now, we describe the scheme in detail. Stage 1: System Initialization After selecting a RSA modulus N as the form defined in section 2, the dealer D chooses the signing and verifying key pair as (e, d), such that ed = 1 mod M and e is a prime. Supposing n, the number of members in group U, satisfies n < min{p, q }. In addition, let ē = e4 1 mod M. Stage 2: Distribution of Secrets (2-1) The dealer D chooses two random polynomials f(x), g(x) Z M [x], such that f(0) = d and g(0) = ē. Then, D computes the sub-keys as follows. d i = f(i)(n!) 1 mod M, ē i = g(i) (n!) 1 mod M, i = 1, 2,, n. Hence, to any subset B of size t in {1, 2, 3,, n}, sub-keys d i, ē i satisfy the following properties (λ Bi displayed in (2)): d = i B d i λ Bi mod M, ē = i B ē i λ Bi mod M. (10) (2-2) The dealer D selects a random generator w of Q N and computes: S w = w 4d mod N, T w = w 4ē mod N. S wi = w 2di mod N, T wi = w 2ēi mod N, i = 1, 2,, n. (11) (2-3) The dealer D randomly chooses a fixed element u in ZN Jacobi value respect to N is 1, i.e. such that it s J (u N) = 1, u R Z N. (12) (2-4) The dealer D publishes N, n, u, w, S w, T w and S wi, T wi (i = 1, 2,, n), but sends d i and ē i to U i secretly. (2-5) U i verifies the following equations: S wi w 2di mod N, T wi w 2ēi mod N. S w j B S wj 2λ Bj mod N, T w j B T wj 2λ Bj mod N. (13) Where, B can be any subset with t elements of {1, 2,, n}. If finding any of the above equations does not hold, U i proclaims this fact, then the dealer D is considered to be failed in distributing the secrets. Otherwise, the dealer is successful. Stage 3: Generation and Verification of Partial Signature (3-1) If the member U i wants to sign the original message m 0, he first computes message digest m of m 0 by using equation (3) such that we always have J (m N) = 1.

10 (3-2) U i computes the partial signature of m as following: S mi = m 2di mod N. (14) Then, U i runs the DLE(w 2, S wi ; m 2, S mi ; d i ) protocol (where, w 2 and m 2 all are computed in mod N) and constructs the proof P roof Ui to indicate that log w 2 S wi = log m 2 S mi (= d i ). (3-3) Using P roof Ui, any member can verify whether the partial signature S mi is signed by U i. Stage 4: Generation of Threshold Undeniable Signature If there are t members U i (i B and B = t) who have generated valid partial signatures, then the threshold undeniable signature S m on message m can be computed by the following equation: S m = i B S mi 2λ Bi mod N (= m 4d mod N). (15) Stage 5: Confirmation Protocol After getting the consent of t members U i (i B and B = t), V can run the following confirming protocol with these t members to check whether an alleged signature (m, S m ) is signed by group U. (5-1) V selects two random numbers c 1, c 2 R [1, N], computes the following challenger C and sends or broadcasts it to every member U i (i B): C = S c1 m S c2 w mod N. (16) (5-2) After U i received C, he computes his partial response R i as: R i = C 2ēi mod N. (17) Using the protocol DLE(w 2, T wi ; C 2, R i ; ē i ), U i produces the proof P roof Ui and broadcasts (R i, P roof Ui ). Obtained this information, each member can verify the validity of R i. If all these t members have produced their correct partial responses R i, then the response R can be determined by the following equation, and be sent to V : R = i B R 2λ Bi i mod N (= C 4ē mod N). (18) (5-3) V verifies whether the following equality holds after he received R: R m 4c1 w 4c2 mod N. (19) If yes, then V accepts the signature (m, S m ), i.e. he believes that S m is U s valid signature on message m. Otherwise, the denial protocol has to be run to determine whether (m, S m ) is not a signature of U.

11 Stage 6: Denial Protocol When t members U i (i B and B = t) agree to deny an alleged signature (m, S m ), V and U i (i B) run the following denial protocol. (6-1) V selects two random numbers c 1 R [1, l], c 2 R [1, N], then he computes (C 1, C 2 ) as follows and sends or broadcasts them to every U i (i B). C 1 = m c1 w c2 mod N, C 2 = S c1 m S c2 w mod N. (20) (6-2) All U i (i B) use their sub-keys ē i to compute: S 4ē m = 2ē (S i m ) 2λ Bi mod N, C 4ē 2 = 2ē i 2 ) i B i B(C 2λ Bi mod N. (21) Then they search all possible values in [1, l] to find a number r such that the following equation holds, and send this r to the verifier V : (m 4 /S m 4ē ) r = C 4 1/C 2 4ē mod N. (22) (6-3) V verifies whether r c 1. If yes, then V rejects the signature S m, i.e. V believes that S m is not group U s signature on message m. Otherwise, V considers that these members U i (i B) is trying to deny U s threshold signature S m deliberately. 7 Analysis of the Proposed Scheme Now, we give a brief discussion about the validity and security of the above threshold undeniable RSA signature scheme. First, it is not difficult to verify the completeness of our scheme according to the descriptions, i.e. if all t members are honest and have produced valid partial signatures, then the determined threshold undeniable signature will pass through the confirmation protocol. Second, Shamir s secret sharing scheme [19] is used to distributing secrets in our scheme, so it can be concluded that an attacker I cannot generate a valid threshold undeniable signature if the number of members controlled by I is less than t. Third, in all the three procedures of generation, confirmation and denial of undeniable signature, all the corrupted members will be identified, because each participating member has to run the DLE protocol for constructing necessary proof to indicate that they have operated properly in these three procedures. Last, from the security of Gennaro etc. s scheme [12], one can conclude that each sub-key will not be compromised when each member uses it to confirm or deny undeniable signature. Hence, we have successfully proposed a secure, robust and efficient threshold undeniable signature scheme with a dealer. 8 Future Work In the future research, we will consider to generalize our threshold undeniable RSA signature scheme to the distributing environment where there is no the help of a dealer or a trusted party. Some of relevant works have been done by Frankel, MacKenzie and Yung [11], Damgård and Koprowski [9].

12 References 1. J. Boyar, D. Chaum, I. Damgård, and T. Pedersen. Convertible Undeniable Signatures. In Crypto 90, LNCS 537, pp Springer-Verlag, D. Chaum. Zero-Knowledge Undeniable Signatures. In: Eurocrypt 90, LNCS 473, pp Springer-Verlag, J. Camenisch, and M. Michels. Proving in Zero-knowledge that a Number Is the Product of Two Safe Primes. In Eurocrypt 99, LNCS 1592, pp Springer- Verlag, D. Chaum, and T.P. Pedersen. Transferred Cash Grows in Size. In Eurocrypt 92, LNCS 658, pp Springer-Verlag, D. Chaum, and T.P. Pedersen. Wallet Databases With Observers. In Crypto 92, LNCS 740, pp Springer-Verlag, D. Chaum, and H. Van Antwerpen. Undeniable Signatures. In Crypto 89, LNCS 435, pp Springer-Verlag, Y. Desmedt. Society and Group Oriented Cryptography: A New Concept. In Crypto 87, LNCS 293, pp Springer-Verlag, Y. Desmedt, and Y. Frankel. Threshold Cryptosystems. In Crypto 89, LNCS 435, pp Springer-Verlag, I. Damgård, and M. Koprowski. Practical Threshold RSA Signature Without a Trusted Dealer. In Eurocrypt 2001 (to appear). Available from au.dk/ ivan/papers.html 10. I. Damgård, and T. Pedersen. New Convertible Undeniable Signature Schemes. In Eurocrypt 96, LNCS 1070, pp Springer-Verlag, Y. Frankel, P. D. MacKenzie, and M. Yung. Robust Efficient Distributed RSA-Key Generation. In 30th STOC, pp ACM, R. Gennaro, H. Krawczyk, and T. Rabin. RSA-Based Undeniable Signature. In Crypto 97, pp Springer-Verlag, L. Harn, and S. Yang. Group-Oriented Undeniable Signature Schemes without the Assistance of a Mutually Trusted Party. In Auscrypt 92, LNCS 718, pp Springer-Verlag, S.K. Langford. Weakness in Some Threshold Cryptosystems. In Crypto 96, LNCS 1109, pp Springer-Verlag, N.-Y. Lee, and T. Hwang. Group-Oriented Undeniable Signature Schemes with a Trusted Center. Computer Communications, 1999, 22: C.-H. Lin, C.-T. Wang, and C.-C. Chang. A Group-Oriented (t, n) Undeniable Signature Scheme without Trusted Center. In: Information Security and Privacy, ACISP 96, LNCS 1172, pp Springer-Verlag, T.P. Pedersen. No-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In Crypto 91, LNCS 576, pp Springer-Verlag, B. Schoenmakers. A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic Voting. In Crypto 99, LNCS 1666, pp Springer- Verlag, A. Shamir. How to Share a Secret. Communications of the ACM, 1979, 22(11): V. Shoup. Practical Threshold Signatures. In Eurocrypt 2000, LNCS 1807, pp Springer-Verlag, Avalaible from M. Stadler. Publicly Verifiable Secret Sharing. In Eurocrypt 96, LNCS 1070, pp Springer-Verlag, 1996.

Cryptanalysis of Threshold-Multisignature Schemes

Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address: