ABSTRACT
Formal models and security proofs are especially important for multisignatures: in contrast to threshold signatures, no precise definitions were ever provided for such schemes, and some proposals were subsequently broken. In this paper, we formalize and implement a variant of multisignature schemes, Accountable-Subgroup Multisignatures (ASM). In essence, ASM schemes enable any subgroup, S, of a given group, G, of potential signers, to efficiently sign a message M so that the signature provably reveals the identities of the signers in S to any verifier. Specifically, we provide:
- The first formal model of security for multisignature schemes that explicitly includes key generation (without relying on trusted third parties);
- A protocol, based on Schnorr's signature scheme [33], that is both provable and efficient:
  - Only three rounds of communication are required per signature.
  - The signing time per signer is the same as for the single-signer Schnorr scheme, regardless of the number of signers.
  - The verification time is only slightly greater than that for the single-signer Schnorr scheme.
  - The signature length is the same as for the single-signer Schnorr scheme, regardless of the number of signers.
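The Schnorr-based shape the abstract describes, as an added illustration that is not the paper's protocol: a plain Schnorr aggregate over a constructed toy group, in which a named subgroup S produces a single (R, s) pair and the verifier is handed the identities in S. It collapses the paper's rounds into one combiner function and omits the distributed key generation the paper's model requires, so it assumes all keys were honestly generated; the group parameters and function names are my own.

```python
import hashlib
import math
import secrets

# Constructed toy Schnorr group, far below real parameter sizes: p = 2q + 1
# with p and q prime, and g = 4 generating the subgroup of prime order q.
P, Q, G = 10007, 5003, 4

def keygen():
    # Plain Schnorr key pair. The paper's distributed key generation, which
    # guards the key aggregation below against adversarially chosen public
    # keys, is not modelled here: all keys are assumed honestly generated.
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def challenge(R, pubkeys_of_S, msg):
    # c = H(R, S, M): the ordered signer set S is hashed into the challenge,
    # so the signature is bound to the named subgroup (accountability).
    h = hashlib.sha256(R.to_bytes(2, "big"))
    for y in pubkeys_of_S:
        h.update(y.to_bytes(2, "big"))
    h.update(msg)
    return int.from_bytes(h.digest(), "big") % Q

def sign_subgroup(group, S, msg):
    # Subgroup S (ordered list of ids) of `group` ({id: (x, y)}) signs msg.
    # Each signer does exactly one Schnorr signing: R_i = g^r_i and
    # s_i = r_i + c*x_i. The combiner multiplies the R_i and sums the s_i,
    # so (R, s) is the size of one Schnorr signature for any |S|.
    r = {i: secrets.randbelow(Q - 1) + 1 for i in S}
    R = math.prod(pow(G, r[i], P) for i in S) % P
    c = challenge(R, [group[i][1] for i in S], msg)
    return R, sum(r[i] + c * group[i][0] for i in S) % Q

def verify_subgroup(pubkeys_of_S, msg, sig):
    # Check g^s == R * (prod_{i in S} y_i)^c. Compared with single-signer
    # Schnorr, the only extra work is one multiplication per named signer.
    R, s = sig
    Y = math.prod(pubkeys_of_S) % P
    return pow(G, s, P) == R * pow(Y, challenge(R, pubkeys_of_S, msg), P) % P
```

A signature by S fails to verify when the verifier is told a different subgroup, which is the accountability property in miniature; with the tiny q used here a forger could brute-force the challenge, so the parameters are for reading, not for use.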
References
- 1. ACM. Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, Chicago, Illinois, 2-4 May 1988.
- 2. E. Bach. How to generate factored random numbers. SIAM Journal on Computing, 17(2):179-193, Apr. 1988.
- 3. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security, pages 62-73, November 1993. Revised version appears in http://www-cse.ucsd.edu/users/mihir/papers/crypto-papers.html
- 4. M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In ACM [1], pages 1-10.
- 5. G. Brassard, editor. Advances in Cryptology - CRYPTO '89, volume 435 of Lecture Notes in Computer Science. Springer-Verlag, 1990, 20-24 Aug. 1989.
- 6. J. Camenisch and M. Stadler. Efficient group signature schemes for large groups (extended abstract). In B. S. Kaliski Jr., editor, Advances in Cryptology - CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 410-424. Springer-Verlag, 17-21 Aug. 1997.
- 7. D. Chaum, C. Crepeau, and I. Damgard. Multiparty unconditionally secure protocols (extended abstract). In ACM [1], pages 11-19.
- 8. D. Chaum and E. van Heyst. Group signatures. In Davies [9].
- 9. D. W. Davies, editor. Advances in Cryptology - EUROCRYPT '91, volume 547 of Lecture Notes in Computer Science. Springer-Verlag, 8-11 Apr. 1991.
- 10. Y. Desmedt and Y. Frankel. Threshold cryptosystems. In Brassard [5], pages 307-315.
- 11. U. Feige, A. Fiat, and A. Shamir. Zero-knowledge proofs of identity. Journal of Cryptology, 1(2):77-94, 1988.
- 12. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987, 11-15 Aug. 1986.
- 13. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and efficient sharing of RSA functions. In Koblitz [20], pages 157-172.
- 14. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signatures. In Maurer [23], pages 354-371.
- 15. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure distributed key generation for discrete-log based cryptosystems. In J. Stern, editor, Advances in Cryptology - EUROCRYPT '99, volume 1592 of Lecture Notes in Computer Science, pages 295-310. Springer-Verlag, 2-6 May 1999.
- 16. O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, pages 218-229, New York City, 25-27 May 1987.
- 17. L. Harn. Group-oriented (t, n) threshold digital signature scheme and digital multisignature. IEE Proc.-Comput. Digit. Tech., 141(5), Sept. 1994.
- 18. P. Horster, M. Michels, and H. Petersen. Meta-multisignature schemes based on the discrete logarithm problem. In Information Security: The Next Decade. Proceedings of the IFIP TC11 Eleventh International Conference on Information Security, IFIP/Sec '95, pages 128-141. Chapman & Hall, 1995.
- 19. K. Itakura and K. Nakamura. A public-key cryptosystem suitable for digital multisignatures. NEC Research & Development, (71):1-8, Oct. 1983.
- 20. N. Koblitz, editor. Advances in Cryptology - CRYPTO '96, volume 1109 of Lecture Notes in Computer Science. Springer-Verlag, 18-22 Aug. 1996.
- 21. S. K. Langford. Weaknesses in some threshold cryptosystems. In Koblitz [20], pages 74-82.
- 22. C.-M. Li, T. Hwang, and N.-Y. Lee. Threshold-multisignature schemes where suspected forgery implies traceability of adversarial shareholders. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science, pages 194-204. Springer-Verlag, 1995, 9-12 May 1994.
- 23. U. Maurer, editor. Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, 12-16 May 1996.
- 24. R. C. Merkle. A certified digital signature. In Brassard [5], pages 218-238.
- 25. S. Micali. CS proofs. SIAM Journal on Computing, 30(4):1253-1298, 2000.
- 26. M. Michels and P. Horster. On the risk of disruption in several multiparty signature schemes. In K. Kim and T. Matsumoto, editors, Advances in Cryptology - ASIACRYPT '96, volume 1163 of Lecture Notes in Computer Science, pages 334-345, Kyongju, Korea, 3-7 Nov. 1996. Springer-Verlag.
- 27. K. Ohta and T. Okamoto. A digital multisignature scheme based on the Fiat-Shamir scheme. In H. Imai, R. Rivest, and T. Matsumoto, editors, Advances in Cryptology - ASIACRYPT '91, pages 139-148. Springer-Verlag, 1993, 11-14 Nov. 1991.
- 28. K. Ohta and T. Okamoto. On concrete security treatment of signatures derived from identification. In H. Krawczyk, editor, Advances in Cryptology - CRYPTO '98, volume 1462 of Lecture Notes in Computer Science, pages 354-369. Springer-Verlag, 23-27 Aug. 1998.
- 29. K. Ohta and T. Okamoto. Multi-signature schemes secure against active insider attacks. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E82-A(1):21-31, Jan. 1999.
- 30. T. Okamoto. A digital multisignature scheme using bijective public-key cryptosystems. ACM Transactions on Computer Systems, 6(4):432-441, Nov. 1988.
- 31. T. P. Pedersen. A threshold cryptosystem without a trusted party (extended abstract). In Davies [9], pages 522-526.
- 32. D. Pointcheval and J. Stern. Security proofs for signature schemes. In Maurer [23], pages 387-398.
- 33. C.-P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161-174, 1991.
Accountable-subgroup multisignatures: extended abstract