Article

Accountable-subgroup multisignatures: extended abstract

Authors:
Silvio Micali

MIT, Cambridge, MA

MIT, Cambridge, MA
View Profile

,
Kazuo Ohta

The University of Electro-Communications, Tokyo, Japan

The University of Electro-Communications, Tokyo, Japan
View Profile

,
Leonid Reyzin

Boston University, Boston, MA

Boston University, Boston, MA
View Profile

CCS '01: Proceedings of the 8th ACM conference on Computer and Communications SecurityNovember 2001Pages 245–254https://doi.org/10.1145/501983.502017

Published:05 November 2001Publication History

CCS '01: Proceedings of the 8th ACM conference on Computer and Communications Security

Pages 245–254

ABSTRACT

Formal models and security proofs are especially important for multisignatures: in contrast to threshold signatures, no precise definitions were ever provided for such schemes, and some proposals were subsequently broken.In this paper, we formalize and implement a variant of multi-signature schemes, Accountable-Subgroup Multisignatures (ASM). In essence, ASM schemes enable any subgroup, S, of a given group, G, of potential signers, to sign efficiently a message M so that the signature provably reveals the identities of the signers in S to any verifier.Specifically, we provide:

The first formal model of security for multisignature schemes that explicitly includes key generation (without relying on trusted third parties);
A protocol, based on Schnorr's signature scheme [33], that is both provable and efficient:
- Only three rounds of communication are required per signature.
- The signing time per signer is the same as for the single-signer Schnorr scheme, regardless of the number of signers.
- The verification time is only slightly greater than that for the single-signer Schnorr scheme.
- The signature length is the same as for the single signer Schnorr scheme, regardless of the number of signers.

Our proof of security relies on random oracles and the hardness of the Discrete Log Problem.

References

1.Proceedin s of the Twentieth Annual ACM Symposium on Theory of Computing ,Chicago,Illinois,2 -4 May 1988.]]Google Scholar
2.E.Bach.How to generate factored random numbers. SIAM Journal on Computing ,17(2):179 -193,Apr. 1988.]] Google ScholarDigital Library
3.M.Bellare and P.Rogaway.Random oracles are practical:Aparadigm for designing e .cient protocols. In Proceedin s of the 1st ACM Conference on Computer and Communication Security ,pages 62 -73, November 1993.Revised version appears in http://www-cse.ucsd.edu/users/mihir/papers/ crypto-papers.html]] Google ScholarDigital Library
4.M.Ben-Or,S.Goldwasser,and A.Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract).In ACM {1 },pages 1 -10.]] Google ScholarDigital Library
5.G.Brassard,editor.Advances in Cryptology -CRYPTO '89 ,volume 435 of Lecture Notes in Computer Science .Springer-Verlag,1990, 20 -24 Aug.1989.]] Google ScholarDigital Library
6.J.Camenisch and M.Stadler.E .cient group signature schemes for large groups (extended abstract).In B.S.Kaliski Jr.,editor,Advances in Cryptology -CRYPTO '97 ,volume 1294 of Lecture Notes in Computer Science ,pages 410 -424. Springer-Verlag,17 -21 Aug.1997.]] Google ScholarDigital Library
7.D.Chaum,C.Crepeau,and I.Damgard.Multiparty unconditionally secure protocols (extended abstract). In ACM {1 },pages 11 -19.]] Google ScholarDigital Library
8.D.Chaum and E.van Heyst.Group signatures.In]]Google Scholar
9.D.W.Davies,editor.Advances in Cryptology -EUROCRYPT 91 ,volume 547 of Lecture Notes in Computer Science .Springer-Verlag, 8 -11 Apr.1991.]]Google Scholar
10.Y.Desmedt and Y.Frankel.Threshold cryptosystems. In Brassard {5 },pages 307 -315.]] Google ScholarDigital Library
11.U.Feige,A.Fiat,and A.Shamir.Zero-knowledge proofs of identity.Journal of Cryptolo y ,1(2):77 -94, 1988.]] Google ScholarDigital Library
12.A.Fiat and A.Shamir.How to prove yourself: Practical solutions to identification and signature problems.In A.M.Odlyzko,edtor,Advances in Cryptology -CRYPTO '86 ,volume 263 of Lecture Notes in Computer Science ,pages 186 -194. Springer-Verlag,1987,11 -15 Aug.1986.]] Google ScholarDigital Library
13.R.Gennaro,S.Jarecki,H.Krawczyk,and T.Rabin. Robust and e .cient sharing of RSA functions.In Koblitz {20 },pages 157 -172.]] Google ScholarDigital Library
14.R.Gennaro,S.Jarecki,H.Krawczyk,and T.Rabin. Robust threshold DSS signatures.In {23 },pp.354 -371.]]Google Scholar
15.R.Gennaro,S.Jarecki,H.Krawczyk,and T.Rabin. Secure distributed key generation for discrete-log based cryptosystems.In J.Stern,editor,Advances in Cryptology -EUROCRYPT '99 ,volume 1592 of Lecture Notes in Computer Science ,pages 295 -310. Springer-Verlag,2 -6 May 1999.]]Google Scholar
16.O.Goldreich,S.Micali,and A.Wigderson.How to play any mental game or a completeness theorem for protocols with honest majority.In Proceedin s of the Nineteenth Annual ACM Symposium on Theory of Computing ,pages 218 -229,New York City,25 -27 May 1987.]] Google ScholarDigital Library
17.L.Harn.Group-oriented (t,n )threshold digital signature scheme and digital multisignature.IEE Proc.-Comput.Digit.Tech.,141(5),Sept.1994.]]Google Scholar
18.P.Horster,M.Michels,and H.Petersen. Meta-multisignatures schemes based on the discrete logarithm problem.In Information Security:The Next Decade.Proceedin s of the IFIP TC11 Eleventh International Conference on Information Security, IFIP/Sec '95 ,pages 128 -141.Chapman &Hall,1995.]]Google Scholar
19.K.Itakura and K.Nakamura.Apublic-key cryptosystem suitable for digital multisignatures.NEC Research &Development ,(71):1 -8,Oct.1983.]]Google Scholar
20.N.Koblitz,editor.Advances in Cryptology -CRYPTO '96 ,volume 1109 of Lecture Notes in Computer Science .Springer-Verlag, 18 -22 Aug.1996.]] Google ScholarDigital Library
21.S.K.Langford.Weaknesses n some threshold cryptosystems.In Koblitz {20 },pages 74 -82.]] Google ScholarDigital Library
22.C.-M.Li,T.Hwang,and N.-Y.Lee. Threshold-multisignature schemes where suspected forgery mplies traceability of adversarial shareholders. In A.De Santis,editor,Advances in Cryptology -EUROCRYPT 94 ,volume 950 of Lecture Notes in Computer Science ,pages 194 -204. Springer-Verlag,1995,9 -12 May 1994.]]Google Scholar
23.U.Maurer,editor.Advances in Cryptology -EUROCRYPT 96 ,volume 1070 of Lecture Notes in Computer Science .Springer-Verlag, 12 -16 May 1996.]]Google Scholar
24.R.C.Merkle.Acertified digital signature.In Brassard {5},pages 218 -238.]] Google ScholarDigital Library
25.S.Micali.CS proofs.SIAM Journal on Computing , 30(4):1253 -1298,2000.]] Google ScholarDigital Library
26.M.Michels and P.Horster.On the risk of disruption in several multiparty signature schemes.In K.Kim and T.Matsumoto,editors,Advances in Cryptology -ASIACRYPT '96 ,volume 1163 of Lecture Notes in Computer Science ,pages 334 -345,Kyongju, Korea,3 -7 Nov.1996.Springer-Verlag.]] Google ScholarDigital Library
27.K.Ohta and T.Okamoto.Adigital multisignature scheme based on the Fiat-Shamir scheme.In H.I.H, R.Rivest,and T.Matsumoto,editors,Advances in Cryptology -ASIACRYPT 91 ,pages 139 -148. Spring-Verlag,1993,11 -14 Nov.1991.]] Google ScholarDigital Library
28.K.Ohta and T.Okamoto.On concrete security treatment of signatures derived from identification.In H.Krawczyk,editor,Advances in Cryptology -CRYPTO '98 ,volume 1462 of Lecture Notes in Computer Science ,pages 354 -369. Springer-Verlag,23 -27 Aug.1998.]] Google ScholarDigital Library
29.K.Ohta and T.Okamoto.Multi-signature schemes secure against active nsider attacks.IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences , E82-A(1):21 -31,Jan.1999.]]Google Scholar
30.T.Okamoto.Adigital multisignature schema using bijective public-key cryptosystems.ACM Transatction on Computer Systems ,6(4):432 -441,Nov.1988.]] Google ScholarDigital Library
31.T.P.Pedersen.Athreshold cryptosystem without a trusted party (extended abstract).In Davies {9 },pages 522 -526.]]Google Scholar
32.D.Pointcheval and J.Stern.Security proofs for signature schemes.In Maurer {23 },pages 387 -398.]]Google Scholar
33.C.-P.Schnorr.E .cient signature generation by smart cards.Journal of Cryptology ,4(3):161-174,1991.]]Google ScholarDigital Library

Index Terms

Accountable-subgroup multisignatures: extended abstract

Recommendations

Efficient identity-based RSA multisignatures

A digital multisignature is a digital signature of a message generated by multiple signers with knowledge of multiple private keys. In this paper, an efficient RSA multisignature scheme based on Shamir's identity-based signature (IBS) scheme is ...
Read More
Efficient identity-based GQ multisignatures

ISO/IEC 14888 specifies a variety of digital signature mechanisms to sign messages of arbitrary length. These schemes can be applied to provide entity authentication, data origin authentication, non-repudiation, and data integrity verification. ISO/IEC ...
Read More
On the Security of Online/Offline Signatures and Multisignatures from ACISP'06
CANS '08: Proceedings of the 7th International Conference on Cryptology and Network Security

Efficient authentication in routing protocols is one of the most important problems for security of ad hoc networks. In ACISP'06, Xu, Mu, and Susilo proposed an identity-based online/offline signature scheme for authentication in the AODV protocol and ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '01: Proceedings of the 8th ACM conference on Computer and Communications Security
November 2001
274 pages
ISBN:1581133855
DOI:10.1145/501983
Conference Chair:
Mike Reiter
Bell Labs, USA
,
Editor:
Pierangela Samarati
University of Milan, Italy
Copyright © 2001 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 5 November 2001
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
digital signature
multisignature
Qualifiers
- Article
Conference

Acceptance Rates
CCS '01 Paper Acceptance Rate27of153submissions,18%Overall Acceptance Rate1,261of6,999submissions,18%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 139
  Total Citations
  View Citations
- 1,200
  Total Downloads
- Downloads (Last 12 months)83
- Downloads (Last 6 weeks)6
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Accountable-subgroup multisignatures: extended abstract

CCS '01: Proceedings of the 8th ACM conference on Computer and Communications Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Efficient identity-based RSA multisignatures

Efficient identity-based GQ multisignatures

On the Security of Online/Offline Signatures and Multisignatures from ACISP'06