1 Introduction

Digital signatures are widely used in many aspects of electronic life. They are designed to be part of security services such as authentication, data integrity and non-repudiation. To date, many schemes such as multisignatures [1], group signatures [2] and traditional signatures [3, 4] have been proposed. A multisignature scheme lets a group of users sign a single document [1]. Multisignatures can be further categorized, for example, into schemes without and schemes with distinguished signing authority [5, 6].

Group signatures were first introduced by Chaum and van Heyst [2]. In a group signature scheme, any member of a given group can sign an electronic document on behalf of the group in an anonymous and unlinkable way. On the other side, a verifier needs only the group public key to check the validity of a group signature. In case of a dispute, only the group manager can reveal which member signed; other group members can neither identify the signer nor determine whether several signatures were produced by the same member. To prevent a single corrupt member from illegally authorizing a transaction, a threshold signature scheme can be used. A large number of studies have been published on (t, n) threshold signature schemes. The schemes in [7,8,9,10,11] are based on various hard problems such as the RSA problem, the discrete logarithm problem (DLP), the Chinese Remainder Theorem (CRT) and the ECDLP. However, the schemes in [7, 8, 10] are not secure [12,13,14]. A signature of the scheme in [11] cannot be verified by a single verifier and is therefore not practical. The work in [15] presents the idea of masking the group's private key so that collaborating group members cannot recover it, but it needs a trusted party that uses all members' private keys to construct the group signature, so one can argue that it does not meet the requirement of non-repudiation.

Moreover, previous schemes often assume that the number of users controlled by an adversary is less than the threshold [9, 10, 14, 16] in order to keep the group's private key safe. However, as the number of members grows, secret shares of the group key are delivered to more and more people, so there are more chances for the group signature scheme to become insecure. Previous group signature schemes lack mechanisms to balance security against the scaling of the group. This matters especially when a company might suffer Advanced Persistent Threat (APT) attacks. It leads to a valid security concern that the group secret key might be lost either to corrupt members who collaborate to recover it, or, in another bad situation, when many personal computers are targeted and compromised by hackers or state-sponsored APT campaigns and the group secret key is stolen undetected.

The research in [17] proposed a group signature scheme with distinguished signing authorities based on multisignature protocols. The scheme in [17] requires a group manager to collect the shares and issue the signature.

This paper proposes a new threshold group signature protocol based on the ECDLP that is highly secure, produces a short signature of constant length, and provides distinguished signing authority. The proposed scheme protects the group's private key from being revealed by any set of corrupt signers or by a hacker's threat. It allows group secret key shares to be kept by a limited number of privilege signers only, while new people can join the group without recalculating the group public key and revocation is easy.

2 Proposed Group Signature Protocol

Cryptographic protocols based on elliptic curves (EC) over finite fields are now widely applied. In the proposed scheme, we use an EC whose order contains a sufficiently large prime divisor q (more than 256 bits) and a point G of order q.

System initialization: Assume that a large group has n privilege signers who may hold shares of the company's secret key (for example, the directorate board) and any number of normal staff. Only privilege signers hold shares of the company's secret key. The group's policy requires that at least t (t < n) privilege signers join the signing process to make a valid group signature. There are four roles in the proposed scheme:

Group Manager (GM): the group manager is the trusted party of the group signature scheme. He creates the secret parameters for the group, calculates and distributes secret key shares to privilege members, adds and removes group members, and reveals the identity of a group member in special cases.

Distributed Center (DC): special hardened servers of the group that communicate with all signers during the signing process. The DC calculates some secret parameters that signers need to create signatures for each transaction. Moreover, all signers' share signatures are safely stored on the DC. Only the GM can open the DC when needed.

Normal signers: digitally sign their own work inside a large group document.

Privilege signers: digitally sign their own work inside a large group document. With enough (t) of their signatures, a signature of the group can be generated.

An example: the complex CAD design files of a construction company need to be internally signed by different people, including t important people such as the head of the financial office, the head of the planning office and directorate board members, to form a valid group signature. The company wants to hide its internal structure. The heads of the financial and planning offices and the members of the directorate board are privilege signers. If design defects are found, the company can trace back and see who is responsible for the defective parts of the design.

System preparation phase:

The group manager (GM) chooses two random integers \( A_{0} \), \( SE \) (1 < \( A_{0} \) < q, 1 < \( SE \) < q). \( A_{0} \) is the group's private key and never changes. SE is another secret number, which can be changed to a new value when the GM decides to redistribute secret key shares. The GM calculates secret key shares for the n privilege signers using Shamir's perfect secret sharing scheme [18].

$$ \begin{aligned} & f\left( x \right) = (SE*A_{0} + s_{1} x + s_{2} x^{2} + \cdots + s_{t - 1} x^{t - 1} )\bmod \,q \\ & \left( {v_{i} ,y_{i} } \right), \, i = 0,\;1,\; \ldots ,\;n; y_{i} \equiv f\left( {v_{i} } \right)\,\bmod \,q \\ \end{aligned} $$
(1)

The values \( s_{1}, s_{2}, \ldots, s_{t-1} \) are random integers with \( 1 < s_{i} < q \), known only to the GM. The n pairs \( (v_{i}, y_{i}) \) are secretly sent to the n privilege signers, where \( y_{i} \) is the secret share of signer i and \( v_{i} \) is the i-th signer's identity. All \( v_{i} \) from (1) are published inside the privilege group. The value \( A_{0} *SE \) can be recovered by any t privilege signers or devices holding secret shares [18], while fewer than t of them learn nothing about \( A_{0} *SE \):

$$ A_{0} *SE \equiv \sum\limits_{k = 1}^{t} {y_{k} \left[ {\prod\limits_{i = 1,i \ne k}^{t} {\frac{{ - v_{i} }}{{v_{k} - v_{i} }}} } \right]} \bmod q $$
(2)

Each privilege signer j who participates in signing uses the following equation to compute his share \( f_{j} \) during the signing process (the product runs over the t participating signers):

$$ f_{j} \equiv y_{j} (\prod\limits_{i = 1,i \ne j}^{t} {\frac{{ - v_{i} }}{{v_{j} - v_{i} }})} ,\,\left( {j = 1,\;2,\; \ldots ,\;n} \right) $$
(3)

The GM calculates the public key of the group as the EC point \( P_{gm} = A_{0} *G \) and another EC point \( P_{DC} = (SE - 1)*A_{0} *G \). The point \( P_{gm} \) is the group public key, which anyone can use to verify group signatures. The GM stores the values \( h_{SE} = h(SE) \) and \( P_{DC} \) on the DC.

Key generation phase:

Each member i of the group generates a private key as a random number \( k_{i} \) \( (1 < k_{i} < q) \) and computes the public key as the point \( P_{i} = k_{i} G \), i = 1, 2, …, N.

Group signature generation phase:

  1. Assume N people, including t privilege signers, together sign the document set \( M = m_{1} ||m_{2} || \ldots ||m_{N} \). M is sent to the DC before the signing process; the DC calculates the values \( h_{i} = H(m_{i}) \) and \( z_{i} = H(h(M)||h_{i} ||P_{i} ||h_{SE}) \). The values \( (z_{i}, h_{i}) \) are then sent to the corresponding signer i.

  2. The DC calculates an EC point as follows:

    $$ U = h_{1} z_{1} P_{1} + h_{2} z_{2} P_{2} + \cdots + h_{N} z_{N} P_{N} $$
    (4)

    U is the first element of the group signature.

  3. Each signer i chooses a random integer \( t_{i} \) (1 < \( t_{i} \) < q), calculates \( R_{i} = t_{i} G \), and sends \( R_{i} \) to the DC.

  4. The DC calculates an EC point:

    $$ R = R_{1} + R_{2} + \cdots + R_{N} $$
    (5)

    and the second element of the group signature:

    $$ e = H(M || x_{R} || x_{U}) $$
    (6)

    where \( x_{R} \) and \( x_{U} \) are the x-coordinates of the EC points R and U, respectively. The DC sends the value e to the group members who initiated the protocol.

  5. Each signer (privilege or normal) computes a signature share \( s_{i} \) on his assigned part \( m_{i} \) of the document, as follows:

    If signer i is a normal signer, he computes:

    $$ s_{i} = t_{i} + h_{i} k_{i} z_{i} e \bmod q $$
    (7)

    If signer i is a privilege signer, he computes the EC point \( V_{i} = f_{i} eG \) and then \( s_{i} \):

    $$ s_{i} = f_{i} e + t_{i} + h_{i} k_{i} z_{i} e \bmod q $$
    (8)

    A normal signer sends \( s_{i} \) to the DC; a privilege signer sends the two values \( (s_{i}, V_{i}) \) to the DC.

  6. The DC verifies the \( s_{i} \) of a normal signer (when it receives only \( s_{i} \) from user i) by checking the following equation:

    $$ R_{i} = s_{i} G - z_{i} h_{i} eP_{i} $$
    (9)

    The DC verifies the \( s_{i} \) of a privilege signer (when it receives the two values \( (s_{i}, V_{i}) \)) by checking the following equation:

    $$ R_{i} = s_{i} G - V_{i} - z_{i} h_{i} eP_{i} $$
    (10)

  7. If the equation holds for all \( s_{i} \), the DC computes the third and fourth elements of the group signature, \( P_{V} = eP_{DC} \) and:

    $$ s = s_{1} + s_{2} + \cdots + s_{N} \bmod q $$
    (11)

    The group signature of M is the tuple \( (U, P_{V}, e, s) \), which consists of two EC points and two integer values.

Group Signature verification:

  1. The verifier computes the hash of the document \( M = m_{1} ||m_{2} || \cdots ||m_{N} \) as h = H(M).

  2. The verifier uses the group public key \( P_{gm} \) and the signature \( (U, P_{V}, e, s) \) to compute the EC point \( \tilde{R} = sG - P_{V} - e(U + P_{gm}) \) and the value \( \tilde{e} = H(M || x_{\tilde{R}} || x_{U}) \). The signature is accepted only if \( \tilde{e} \equiv e \).
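The share distribution of (1)-(3) and the signing and verification steps above, worked through end to end as an added example (this is not code from the paper). It assumes secp256k1 as the curve (the paper only requires a point G of large prime order q), SHA-256 reduced mod q as the instantiation of both H and h, small integer identities \( v_{i} = 1, \ldots, n \), and constructed sample document sections. The DC check (9)/(10), the tuple \( (U, P_{V}, e, s) \) and the verifier's \( \tilde{R} \) follow the text literally; `run_protocol` additionally shows that t-1 shares do not reconstruct \( SE*A_{0} \) and that a round with fewer than t privilege signers yields a signature that fails verification.

```python
import hashlib, secrets
from functools import reduce

# secp256k1 is an assumed curve choice (the paper only needs a point G of large prime order q).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(A, B):  # affine point addition on y^2 = x^3 + 7 over F_P
    if A is INF or B is INF: return B if A is INF else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return INF
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):  # double-and-add scalar multiplication k*A
    R, k = INF, k % Q
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def ec_sub(A, B):
    return ec_add(A, INF if B is INF else (B[0], (-B[1]) % P))

def enc(p):  # bytes as-is, an integer as 32 big-endian bytes, an EC point as x||y
    return p if isinstance(p, bytes) else b''.join(c.to_bytes(32, 'big') for c in (p if isinstance(p, tuple) else (p,)))

def H(*parts):  # hash to Z_q; assumed instantiation: SHA-256 over the encodings, reduced mod Q
    return int.from_bytes(hashlib.sha256(b''.join(map(enc, parts))).digest(), 'big') % Q

def rand_scalar():  # random integer with 1 < value < q
    return secrets.randbelow(Q - 2) + 2

def make_shares(secret, t, n):
    """Eq. (1): y_v = f(v) for ids v = 1..n, with f of degree t-1 and f(0) = secret."""
    coef = [secret] + [rand_scalar() for _ in range(t - 1)]
    return {v: sum(c * pow(v, j, Q) for j, c in enumerate(coef)) % Q for v in range(1, n + 1)}

def lagrange_share(v_j, y_j, ids):
    """Eq. (3): f_j = y_j * prod_{i != j} (-v_i)/(v_j - v_i), product over the participating ids."""
    c = 1
    for v_i in ids:
        if v_i != v_j: c = c * (-v_i) * pow(v_j - v_i, -1, Q) % Q
    return y_j * c % Q

def recover(shares, ids):  # eq. (2): equals SE*A0 once at least t shares are combined
    return sum(lagrange_share(v, shares[v], ids) for v in ids) % Q

def gm_setup(t, n):  # GM picks A0 and SE, shares SE*A0 among n privilege signers, provisions the DC
    A0, SE = rand_scalar(), rand_scalar()
    dc = {'P_DC': ec_mul((SE - 1) * A0, G), 'h_SE': H(SE)}
    return ec_mul(A0, G), make_shares(SE * A0 % Q, t, n), dc, SE * A0 % Q

def group_sign(msgs, signers, dc):
    """Signing steps 1-7. signers: list of (k_i, P_i, share), share = (v_i, y_i) or None if normal."""
    M = b''.join(msgs); hM = H(M)
    ids = [sh[0] for _, _, sh in signers if sh]                    # participating privilege signers
    hs = [H(m) for m in msgs]                                        # step 1
    zs = [H(hM, h_i, Pi, dc['h_SE']) for h_i, (_, Pi, _) in zip(hs, signers)]
    U = reduce(ec_add, [ec_mul(h_i * z_i, Pi) for h_i, z_i, (_, Pi, _) in zip(hs, zs, signers)])  # eq. (4)
    ts = [rand_scalar() for _ in signers]                            # step 3: nonces t_i
    Rs = [ec_mul(t_i, G) for t_i in ts]
    R = reduce(ec_add, Rs)                                           # eq. (5)
    e = H(M, R[0], U[0])                                             # eq. (6)
    s = 0
    for i, (k, Pi, sh) in enumerate(signers):
        s_i, V_i = (ts[i] + hs[i] * k * zs[i] * e) % Q, INF          # eq. (7)
        if sh:                                                       # privilege signer: eq. (8)
            f_i = lagrange_share(sh[0], sh[1], ids)
            s_i, V_i = (s_i + f_i * e) % Q, ec_mul(f_i * e, G)
        # DC check, eq. (9)/(10): R_i must equal s_i G - V_i - z_i h_i e P_i
        if ec_sub(ec_sub(ec_mul(s_i, G), V_i), ec_mul(zs[i] * hs[i] * e, Pi)) != Rs[i]:
            raise ValueError("share signature of signer %d rejected" % i)
        s = (s + s_i) % Q                                            # eq. (11)
    return U, ec_mul(e, dc['P_DC']), e, s                            # (U, P_V, e, s)

def verify(msgs, sig, P_gm):
    U, P_V, e, s = sig
    R_t = ec_sub(ec_sub(ec_mul(s, G), P_V), ec_mul(e, ec_add(U, P_gm)))
    return R_t is not INF and H(b''.join(msgs), R_t[0], U[0]) == e

def run_protocol(t, n, privileged_present, normal=2):
    """Set up a (t, n) group, sign with the given number of privilege signers, and verify."""
    P_gm, shares, dc, A0SE = gm_setup(t, n)
    ids, signers = list(shares), []
    for j in range(privileged_present + normal):
        k = rand_scalar()
        signers.append((k, ec_mul(k, G), (ids[j], shares[ids[j]]) if j < privileged_present else None))
    msgs = [b"section %d (constructed sample text)" % j for j in range(len(signers))]
    sig = group_sign(msgs, signers, dc)
    return (recover(shares, ids[:t]) == A0SE,                  # eq. (2) from exactly t shares
            recover(shares, ids[:t - 1]) == A0SE,              # t-1 shares give a wrong value
            verify(msgs, sig, P_gm),                           # group signature accepted?
            verify(msgs[:-1] + [b"tampered section"], sig, P_gm))
```

`run_protocol(t=2, n=3, privileged_present=2)` returns `(True, False, True, False)`: t shares recover \( SE*A_{0} \), t-1 shares do not, the group signature verifies, and the same signature over a tampered section is rejected. With `privileged_present=1` the third value becomes `False`, which is the below-threshold case discussed in the correctness analysis. Affine arithmetic with one modular inverse per point operation keeps the example dependency-free at the cost of speed (a few hundred milliseconds per run); a deployment would use a vetted library with constant-time scalar multiplication, and the DC's rejection of a bad share is the place to log and alert.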

3 Analysis of the Proposed Group Signature Scheme

3.1 Proof of Correctness

  1. Share signature verification equation (for privilege signer i):

$$ \begin{aligned} R_{i} & = s_{i} G - V_{i} - e h_{i} z_{i} P_{i} = f_{i} e G + t_{i} G - V_{i} + k_{i} h_{i} z_{i} e G - k_{i} h_{i} z_{i} e G \\ & = V_{i} + t_{i} G - V_{i} + k_{i} h_{i} z_{i} e G - e z_{i} h_{i} k_{i} G = t_{i} G \equiv R_{i} \end{aligned} $$

  2. Share signature verification equation (for normal signer i):

$$ \begin{aligned} R_{i} & = s_{i} G - e h_{i} z_{i} P_{i} = t_{i} G + k_{i} h_{i} z_{i} e G - k_{i} h_{i} z_{i} e G \\ & = t_{i} G \equiv R_{i} \end{aligned} $$

  3. Signature verification equation:

With a total of N signers including t privilege signers, and using equations (2), (3), (7) and (8), we have:

$$ \begin{aligned} \tilde{R} & = sG - P_{V} - e(U + P_{gm}) = sG - e(U + P_{DC} + P_{gm}) \\ & = \left( \sum_{i=1}^{N} s_{i} \right) G - e \left( P_{gm} + P_{DC} + \sum_{i=1}^{N} h_{i} z_{i} P_{i} \right) \\ & = \left( \sum_{i=1}^{N} (t_{i} + k_{i} h_{i} z_{i} e) + \sum_{i=1}^{t} f_{i} e \right) G - e \left( A_{0} G + (SE - 1) A_{0} G + \sum_{i=1}^{N} k_{i} h_{i} z_{i} G \right) \\ & = \left( \sum_{i=1}^{t} f_{i} e + \sum_{i=1}^{N} t_{i} + \sum_{i=1}^{N} k_{i} h_{i} z_{i} e - e A_{0} - e(SE - 1) A_{0} - \sum_{i=1}^{N} k_{i} h_{i} z_{i} e \right) G \\ & = \left( \sum_{i=1}^{t} f_{i} e + \sum_{i=1}^{N} t_{i} - e A_{0} - e(SE - 1) A_{0} \right) G = \left( SE \, e A_{0} + \sum_{i=1}^{N} t_{i} - SE \, e A_{0} \right) G \\ & = \sum_{i=1}^{N} t_{i} G = R \Rightarrow \tilde{e} = H(M || x_{\tilde{R}} || x_{U}) = H(M || x_{R} || x_{U}) = e. \end{aligned} $$

If fewer than t privilege signers participate, or they are simply absent, the above equation does not hold and the signers cannot create a valid group signature.

Signature length: the signature of a document is a tuple of two integers and two EC points \( (U, P_{V}, e, s) \). For 128-bit security, q can be chosen with a size of about 256 bits, and the signature length is then approximately 1536 bits. Compared with the group schemes in [19], the proposed scheme has a shorter signature. For 80-bit security (|q| = 160 bits) the signature length is approximately 960 bits.

3.2 Security Analysis

Theorem 1:

Protection of private keys and secret key shares.

Proof.

Normal and privilege signers use their private key \( k_{i} \) to sign a partial message \( m_{i} \) following (7) and (8), respectively. In both cases two secret random values, \( t_{i} \) and e, are used, so an adaptive chosen-message attack does not apply to the scheme. Therefore, private keys and secret key shares are protected from other members.

Theorem 2:

Any subset of t privileged signers out of n can generate a valid signature of the group, but they cannot recover the private key of the group, \( A_{0} \).

Proof.

If all privileged signers are curious, they can obtain the value \( A_{0} *SE \) by following (2). To find \( A_{0} \) from \( A_{0} *SE \), they have to try every possible guess SE' of SE, derive the corresponding \( A_{0}' \) and check whether \( A_{0}' *G = P_{gm} \); under the assumption that the elliptic curve discrete logarithm problem is hard, this task is computationally infeasible. Compared with previous works [9, 15, 20], the proposed scheme protects the group secret against any number of corrupt members. Therefore, the proposed scheme is secure against the conspiracy attack [12, 21].

Theorem 3:

Signers cannot bypass DC to create signature.

Proof.

One element of the signature is \( P_{V} = e*P_{DC} \), where \( P_{DC} \) is a private EC point kept only on the DC and e (6) is a value derived from the document and the signers' public keys. Without \( P_{DC} \), a signature cannot pass the verification process. Often a group wants to keep records of all transactions; if signers in a group signature scheme could collaborate without a system that tracks all activities, this could cause issues for a large group. At the DC, a company can place stronger security protections than it can on individual personal devices.

Theorem 4:

Suffering an APT attack, company group secret remains safe.

Proof.

During the signing and verification process, the group secret \( A_{0} \) is not reconstructed at any step. So, even if many computers are compromised under an APT attack, hackers cannot use memory forensics or a network sniffer to find \( A_{0} \). Assume hackers obtain all secret shares of the n privilege signers; following (2), they can recover \( A_{0} *SE \). They cannot obtain \( A_{0} \) directly from \( A_{0} *SE \) and \( P_{DC} \) because of the ECDLP. The values \( h_{SE} = h(SE) \) and \( P_{DC} \) are stored on the DC, but they are produced by a secure hash function and by multiplication on the elliptic curve, respectively. Thus the group secret is protected against an APT attack.

Traceability

In case of a dispute, the group manager needs to convince others that specific signers signed specific sections of the document. To identify a signer, the GM can show the values related only to signer i (privilege or normal): \( h_{i} \), \( R_{i} \), \( z_{i} = H(h(M)||h_{i} ||P_{i} ||h_{SE}) \), the share signature \( s_{i} = t_{i} + h_{i} k_{i} z_{i} e \bmod q \) (normal signer) or \( s_{i} = f_{i} e + t_{i} + h_{i} k_{i} z_{i} e \bmod q \) (privilege signer), and the EC point \( V_{i} = f_{i} eG \). These values satisfy the check equation for normal signers (9) or privilege signers (10), so only signer i is responsible for the document section with \( h_{i} = h(M_{i}) \). Thus the scheme provides the distinguished signing authority feature internally. Disclosure of \( R_{i} \) and \( V_{i} \) is safe because they are produced by multiplication on the elliptic curve.

Unforgeability

Signer i needs the approval of the DC to obtain \( z_{i} \) before he can calculate a share signature that passes the verification equation (9) or (10) for a normal or privilege signer, respectively. Generating a group signature needs the cooperation of the DC with t privilege signers, and only the DC can produce a valid group signature from valid members' share signatures.

Unlinkability

Identifying two different signatures generated by one member (or group of members) is impossible, except for the group manager.

Exculpability

In the proposed scheme, no member (or several corrupt members working together) can forge the signature of another. This is because a member's signature is calculated not only from his private key but also from \( R_{i}, z_{i}, e \), which are calculated for that specific signer. Therefore, to forge the signature of a group member, they would need to pass the share signature check equation for that member, which means breaking the ECDLP.

4 Conclusion

In this paper, a new threshold group signature scheme based on elliptic curves is proposed. The new scheme has the following practical benefits:

  1. Scaling the group without worrying about loss of the group secret: only a limited number of people hold secret key shares while the number of normal members can grow; practical revocation and joining of the group.

  2. Compared with previous threshold group signature schemes, there is no chance for an adversary or a dishonest group of signers to steal the group secret.

  3. Reduced risk of unexpected transactions in a threshold group signature scheme, thanks to a trusted DC.

  4. Provides the distinguished signing authority feature of multisignatures internally.

The size of the output signature is comparable with known schemes. In practice, the proposed protocol gives an organization more control through the threshold mechanism and by limiting the number of members who can authorize transactions. The scheme possesses many security advantages compared with previous works.