
1 Introduction

A physical signature is an old and natural tool for authenticating communication, but it does not work for electronic messages, so the signer has to rely on a digital signature [1]. A digital signature is a cryptographic tool that solves this problem of electronic authentication. Basically, a digital signature has a self-authentication property: anyone who has the public information related to the signature is able to check its validity, but is not able to forge the signature for other messages. This self-authentication property [2] of digital signatures is suitable for many applications, such as broadcasting announcements and publishing public key certificates, but it is quite unsuitable for some situations [3].

In some situations, the signed message is very sensitive for the receiver/message holder, for example his/her medical reports, income tax related information, any personal information or most personal business transactions [4]. For these situations, the information is signed such that only the information holder is able to verify the signature and is also able to prove the validity of the signature to a third person whenever it is required. These types of signatures are known as directed signatures [3,4,5,6]. In a directed signature scheme [3], the receiver always has full control over the process of signature verification. No other person can check the validity of this type of signature without the help of the signer/receiver [1].

In most situations, a single identity creates the signature on a message. But there are many situations in which the message is sent on behalf of a group/organization and may require the approval or consent of several people [2]. In these situations, the signature is created by more than one identity rather than by a single identity [5]. An example is a large bank transaction, which requires the signature of more than one person [7]. Such a problem can be solved by having a separate digital signature for every required signer, but this type of solution makes the verification process very complicated [8]. The problem can instead be solved with the help of a threshold signature [8]. The (t, n) threshold signature schemes [2, 7,8,9,10] are used to solve these problems. Threshold signatures are based upon the concept of threshold cryptography [9, 11, 12].

1.1 Paper Organization

Section 2 is about some basic tools. In Sect. 3, we present a threshold directed signature scheme. Section 4 discusses the security of the proposed scheme. An illustration of the scheme is discussed in Sect. 5. Conclusion is in Sect. 6.

2 Preliminaries: Some Basic Tools

2.1 In This Paper, We Will Use the Following Public Parameters

  • p: a prime number.

  • q: a prime number and q|p − 1.

  • g: a generator [3] of order q in \( Z_{p}^{*} . \)

  • h: one-way hash function [13].

It is assumed that user A selects an integer \( x_{A} \in Z_{q} \) and is able to compute the related integer \( y_{A} = g^{x_{A}} \bmod p \). Here, the integer \( x_{A} \) is the secret/private key of user A, and \( y_{A} \) is his/her public key.

2.2 Schnorr’s Signature Scheme

In this scheme, the signature of the signer A on a message m is given by a pair \( (r_{A} ,S_{A} ) \), where \( r_{A} = h(g^{k_{A}} \bmod p,m) \) and \( S_{A} = k_{A} - x_{A} \cdot r_{A} \bmod p \). The integer \( k_{A} \) is random and secret/private to A. The signature is verified by checking the equality

$$ r_{A} = h(g^{S_{A}} y_{A}^{r_{A}} \bmod p,m). $$

3 Directed Threshold Signature Scheme

This section presents a threshold directed signature scheme [13, 14]. Suppose there is a group G of n designated users, out of which any t members are able to sign a message m. In our scheme, the message holder/signature receiver B is able to check the authenticity of the signature, and he/she can prove this authenticity to a third person C whenever it is needed. It should be noted that no one other than the message holder B can check the validity of this kind of signature without the help of holder B [14]. We describe a construction of a threshold directed signature scheme for this situation as follows.

In our scheme, there exists a trusted share distribution center (SDC) [13, 14], which determines the secret parameters and the secret shares \( v_{i} , i \in G \), for all members of the group. Let H be a subset of G containing t members. We also have a designated combiner DC for collecting the partial signatures of each participant of the subgroup H. All shareholders in the group/subgroup have equal authority with respect to the main secret key for signature generation. In the proposed scheme, the generation of the required directed signature needs t signers out of n signers and interaction with DC. The scheme has the following steps.

3.1 Generation of Secret Key and Secret Shares for Group

  (a) SDC also selects a polynomial

    $$ g(x) = a_{0} + a_{1} x + \cdots + a_{t - 1} x^{t - 1} \bmod q,\;{\text{with}}\;a_{0} = K = g(0). $$

  (b) SDC computes the group public key \( y_{G} \) as \( y_{G} = g^{g(0)} \bmod p. \)

  (c) SDC computes the private share \( v_{i} \) for each user in group G as

    $$ v_{i} = g(u_{i} )\bmod q. $$

    Here, \( u_{i} \) is public information related to user i in the group G.

  (d) SDC transfers \( v_{i} \) to each user in a secret manner.

3.2 Generation of Partial Signature by Any t Signer

Suppose any t signers out of the n signers agree to sign a message m for receiver B. They generate the signature using the following steps.

  (a) Each member i randomly picks \( K_{i_{1}} \) and \( K_{i_{2}} \in Z_{q} \) and then computes

    $$ w_{i} = g^{K_{i_{2}} - K_{i_{1}}} \bmod p\quad {\text{and}}\quad z_{i} = y_{B}^{K_{i_{2}}} \bmod p. $$

  (b) Each signer computes Z, W, and R as

    $$ W = \prod\limits_{i \in H} w_{i} \bmod q,\quad Z = \prod\limits_{i \in H} z_{i} \bmod q,\quad {\text{and}}\quad R = h(Z, W,m)\bmod q. $$

  (c) Each signer i modifies the corresponding share as

    $$ {\text{MS}}_{i} = v_{i} \cdot \prod\limits_{j = 1,j \ne i}^{t} \frac{ - u_{j} }{u_{i} - u_{j} }\bmod q. $$

  (d) Each signer i computes

    $$ s_{i} = K_{i_{1}} - {\text{MS}}_{i} \cdot R\bmod q. $$

  (e) DC collects the partial signatures and produces

    $$ S = \sum\limits_{i = 1}^{t} s_{i} \bmod q. $$

  (f) {S, W, R, m} is the desired directed signature.

3.3 Verification of Digital Signature {S, W, R, m}

  (a) The signature holder B recovers \( \mu = g^{S} (y_{G} )^{R} W\bmod p \) and then recovers \( Z = \mu^{x_{B}} \bmod p. \)

  (b) The signature holder B checks the validity of the signature by verifying R = h(Z, W, m) mod q.
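The steps of Sects. 3.1 to 3.3 can be traced end to end in a few lines. The following Python sketch is an added example, not code from the paper: it uses the toy parameters of the paper's illustration (p = 23, q = 11, g = 18), assumes SHA-256 reduced mod q as the hash h, takes the nonces as arguments so a run is reproducible, and reduces W and Z mod p, which is what reproduces the illustration's W = 12 and Z = 16.

```python
import hashlib
from math import prod

# Toy parameters from the paper's illustration (far too small for real use).
p, q, g = 23, 11, 18

def h(Z, W, m):
    # Assumption: the one-way hash is instantiated as SHA-256 reduced mod q.
    d = hashlib.sha256(f"{Z}|{W}|{m}".encode()).digest()
    return int.from_bytes(d, "big") % q

def share(coeffs, u):
    # v_i = g(u_i) mod q for the SDC polynomial a_0 + a_1 x + ...
    return sum(a * pow(u, k, q) for k, a in enumerate(coeffs)) % q

def modified_share(v_i, u_i, other_us):
    # MS_i = v_i * prod(-u_j / (u_i - u_j)) mod q, the Lagrange weight at x = 0.
    ms = v_i
    for u_j in other_us:
        ms = ms * (-u_j) * pow((u_i - u_j) % q, -1, q) % q
    return ms

def sign(m, signers, y_B, hash_fn=h):
    # signers: list of (u_i, v_i, K_i1, K_i2) for the t members of H.
    w = [pow(g, (k2 - k1) % q, p) for _, _, k1, k2 in signers]
    z = [pow(y_B, k2, p) for _, _, _, k2 in signers]
    W, Z = prod(w) % p, prod(z) % p
    R = hash_fn(Z, W, m) % q
    us = [u for u, *_ in signers]
    S = 0
    for u, v, k1, _ in signers:
        ms = modified_share(v, u, [x for x in us if x != u])
        S = (S + k1 - ms * R) % q      # DC adds the partial signatures s_i
    return S, W, R

def verify(m, sig, y_G, x_B, hash_fn=h):
    # Only the holder of x_B can turn mu into Z and recompute the hash.
    S, W, R = sig
    mu = pow(g, S, p) * pow(y_G, R, p) * W % p
    Z = pow(mu, x_B, p)
    return hash_fn(Z, W, m) % q == R, mu, Z
```

Passing a hash that always returns 5 reproduces the illustration's signature {3, 12, 5, m} with µ = 3 and Z = 16; with the SHA-256 hash any two of the four shareholders produce a signature that B accepts.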

3.4 Proof of Validity by Signature Receiver to Any Third Party C

  (a) The signature holder B sends \( \{ S_{A} ,W_{B} ,r_{A} ,m,\mu \} \) to the third party.

  (b) The third party checks whether \( r_{A} = h(Z_{B} ,W_{B} , m)\bmod q. \)

    If this does not hold, the third party stops the process; otherwise it goes to the next step [13, 14].

  (c) The signature receiver proves to C, in a zero-knowledge fashion, that \( \log_{\mu } Z_{B} = \log_{g} y_{B} \) as follows.

    • The third party randomly selects two values u and v ∈ \( Z_{p} \), computes \( w = \mu^{u} \cdot g^{v} \bmod p \), and passes this value w to the receiver.

    • The signature receiver randomly selects a value α ∈ \( Z_{p} \), calculates \( \beta = w \cdot g^{\alpha} \bmod p \) and \( \gamma = \beta^{x_{B}} \bmod p \), and passes them to the third party.

    • The signature receiver verifies that \( w = \mu^{u} \cdot g^{v} \bmod p \). The third party verifies \( \beta = \mu^{u} \cdot g^{v + \alpha} \bmod p \) and \( \gamma = Z_{B}^{u} y_{B}^{v + \alpha} \bmod p \).

In this way, the third party ensures himself that the signature receiver is an authentic user.
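The confirmation protocol of Sect. 3.4, with both parties' messages, as an added Python example (not code from the paper) using the toy values of the paper's illustration; the function names are hypothetical. It also shows that a challenge with u ≡ 0 (mod q), such as u = 11 when q = 11, makes \( \mu^{u} = 1 \), so the check on γ no longer depends on the claimed Z.

```python
# Toy parameters from the paper's illustration (far too small for real use).
p, q, g = 23, 11, 18

def challenge(mu, u, v):
    # Third party C: w = mu^u * g^v mod p; u and v stay secret for now.
    return pow(mu, u, p) * pow(g, v, p) % p

def respond(w, alpha, x_B):
    # Receiver B: beta = w * g^alpha mod p, gamma = beta^x_B mod p.
    beta = w * pow(g, alpha, p) % p
    return beta, pow(beta, x_B, p)

def receiver_checks(w, mu, u, v):
    # B reveals alpha only after seeing that C formed w from (u, v) honestly.
    return w == challenge(mu, u, v)

def third_party_accepts(mu, Z, y_B, u, v, alpha, beta, gamma):
    # C recomputes beta and gamma from public values and the opened alpha.
    ok_beta = beta == pow(mu, u, p) * pow(g, v + alpha, p) % p
    ok_gamma = gamma == pow(Z, u, p) * pow(y_B, v + alpha, p) % p
    return ok_beta and ok_gamma

def confirm(mu, Z, y_B, x_B, u, v, alpha):
    # Full exchange; Z is the value B claims, x_B is B's real secret key.
    w = challenge(mu, u, v)                       # C -> B
    beta, gamma = respond(w, alpha, x_B)          # B -> C
    if not receiver_checks(w, mu, u, v):          # C -> B: u, v
        return False
    return third_party_accepts(mu, Z, y_B, u, v, alpha, beta, gamma)

if __name__ == "__main__":
    # Constructed inputs: mu = 3, y_B = 8, x_B = 6, true Z = 16, false Z = 12.
    print(confirm(3, 16, 8, 6, 4, 13, 17))    # true Z, u not a multiple of q
    print(confirm(3, 12, 8, 6, 4, 13, 17))    # false Z is rejected
    print(confirm(3, 12, 8, 6, 11, 13, 17))   # u = 11: false Z slips through
```

A third party that draws u from the range 1 to q − 1 avoids the degenerate case.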

4 Security Discussion

This section is about the security aspect of the proposed scheme.

  • Is it possible that an antagonist retrieves the group secret key g(0) with the help of the group public key \( y_{G} \)? It is computationally infeasible because this is equivalent to solving a discrete logarithm problem.

  • Is it possible that an antagonist recovers the secret information \( v_{i} \) from the information \( u_{i} \)? No, it is computationally infeasible because g is selected randomly.

  • Is it possible that an antagonist recovers the secret information \( v_{i} \), \( K_{i_{1}} \) and \( s_{i} \) from the equation \( s_{i} = K_{i_{1}} - {\text{MS}}_{i} \cdot R\bmod q \)? No, it is computationally infeasible because there are three unknown parameters and only one equation.

  • Is it possible that an antagonist recovers the group secret key g(0) or any partial information from the equation \( S = \sum\nolimits_{i = 1}^{t} s_{i} \bmod q \)? This is again computationally infeasible due to the property of the equation.

  • Is it possible that an antagonist impersonates a shareholder of subgroup H? To impersonate, an antagonist needs the related secret share \( v_{i} \) to generate the corresponding secret value \( s_{i} \). Obtaining this secret information from the public information is computationally infeasible.

  • Is it possible that an antagonist forges the digital signature {S, W, R, m} by using the equation

    $$ \mu = [g^{S} (y_{G} )^{R} W]\bmod p? $$

    Recovering S from the above equation is equivalent to solving a discrete logarithm problem.

  • Is it possible that a group of antagonists act in collusion to recover the polynomial g(x)? Yes, this is possible, but this vulnerability is not a pitfall of the proposed scheme. Actually, this is the basic characteristic of the proposed scheme.

5 Illustration

To illustrate the proposed scheme, we consider that there are four users. Out of the four users A, C, E, and F, any two users, say A and F, can generate the directed signature for message m. The receiver B has the secret and public key pair \( x_{B} = 6 \), \( y_{B} = 8 \). The following steps illustrate our scheme.

5.1 Generation of Group Secret Key and Partial Secret Shares

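Let SDC choose p = 23, q = 11, g = 18, and g(x) = 3 + 5x mod 11, where g(0) = 3 is the group secret key. The public values \( u_{i} \) and corresponding secret shares \( v_{i} \) of the users are as follows.

| Users | Public value (\( u_{i} \)) | Secret share (\( v_{i} \)) |
|-------|----------------------------|----------------------------|
| A     | 9                          | 4                          |
| C     | 12                         | 8                          |
| E     | 14                         | 7                          |
| F     | 16                         | 6                          |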

Now, the SDC computes the private/secret key as g(0) and then recovers the group public key, \( y_{G} \), as \( y_{G} = 18^{3} \bmod 23 = 13 \).

5.2 Signature Generation by Any t Users

Users A and F out of the four users agree to sign a message m for user B. The signature generation then has the following steps.

  (a) The user A randomly selects \( K_{a_{1}} = 2 \), \( K_{a_{2}} = 7 \) and computes \( w_{1} = 3 \), \( z_{1} = 12. \)

    Similarly, the user F randomly selects \( K_{f_{1}} = 5 \), \( K_{f_{2}} = 9 \) and computes \( w_{4} = 4 \), \( z_{4} = 9. \)

  (b) Both users A and F make \( (w_{1} ,w_{4} ) \) and \( (z_{1} ,z_{4} ) \) publicly available through a broadcast channel. Once all \( (w_{1} ,w_{4} ) \) and \( (z_{1} ,z_{4} ) \) are available, each user in H computes the products Z and W, and R, as

    $$ W = 12,\quad Z = 16\quad {\text{and}}\quad R = h(16,12,m)\bmod 11 = 5\;({\text{say}}). $$

  (c) The users A and F compute their modified shares as \( {\text{MS}}_{A} = 6 \) and \( {\text{MS}}_{G} = 8 \).

  (d) The user A uses his/her modified share \( {\text{MS}}_{A} = 6 \) and random integer \( K_{a_{1}} = 2 \) and calculates his/her partial signature \( s_{1} = 5 \).

  (e) The user F uses his/her modified shadow \( {\text{MS}}_{G} = 8 \) and random integer \( K_{f_{1}} = 5 \) and calculates his/her partial signature \( s_{2} = 9 \).

  (f) Both users A and F send their partial signatures to DC, who produces the group signature S = 3.

  (g) DC sends {3, 12, 5, m} to B as the signature of the group G for the message m.

5.3 Signature Verification by B

  (a) B computes \( \mu = [18^{3} \cdot 13^{5} \cdot 12] \bmod 23 = 3 \) and Z = 16.

  (b) B checks the validity of the signature by computing R = 5.

5.4 Proof of Validity by B to Any Third Party C

  (a) B sends {3, 12, 5, m, 3} to C, and C checks that R = 5.

  (b) Now, B proves to C that \( \log_{3} 16 = \log_{18} 8 \) in a zero-knowledge fashion [15] by using the following confirmation protocol.

    (i) C chooses at random u = 11, v = 13, computes w = 2, and sends w to B.

    (ii) B chooses at random α = 17, computes β = 16 and γ = 4, and sends β, γ to C.

    (iii) C sends u, v to B, by which B can verify that w = 2.

    (iv) B sends α to C, by which she can verify that β = 16 and γ = 4.

6 Conclusion

The security of this cryptosystem is based on the discrete log problem [16,17,18]. Only t − 1 shadows are not sufficient to obtain the group secret key, and their holders get no information about the group secret key until t individuals act in collusion. In this scheme, there is a designated combiner DC who collects the partial signatures of the signers [19, 20]. We should note that there is no secret information associated with the DC [21,22,23,24]. Every user can compute his/her modified share under mod q. If q is not prime, then the calculation of the exponents is performed mod Φ(q), which is not a prime. This implies that Lagrange interpolation for calculating the modified shadows will not work (except when q = 3, a case in which we are not interested). Consider the situation when \( \prod\nolimits_{j = 1,j \ne i}^{t} (u_{i} - u_{j} ) \) and q are co-prime. In this case, there is no way to find the multiplicative inverse of \( \prod\nolimits_{j = 1,j \ne i}^{t} (u_{i} - u_{j} )\bmod q \). The only possibility for each person to get around this difficulty is to select a large prime q. These signature schemes are meaningless to any third party because there is no way for him to prove their validity. Knowledge of Z alone is not sufficient to prove the validity of the signature. The signature receiver also has to perform the confirmation protocol in a zero-knowledge fashion to prove the validity of the signature [25,26,27,28,29,30,31,32]. No doubt, the communication cost of the proposed scheme is very high, so in future, we should try to reduce its cost without compromising the security of the scheme.