A threshold signature scheme withstanding the conspiracy attack
A threshold signature scheme withstanding the conspiracy attack
Jinn-Ke Jan, Yuh-Min Tseng, and Hung-Yu Chien
詹進科、曾育民、簡宏宇
Institute of Applied Mathematics, National Chung Hsing University, Taichung, Taiwan 402, R.O.C.
Department of Information Management, Nan-Kai College of Technology and Commerce, Nantou,
Taiwan 542, R.O.C.
E-mail: jkjan@amath.nchu.edu.tw
Abstract
A (t , n ) threshold signature, first proposed by Desmedt and Frankel, allows t or more
members of the group cooperate to generate a signature on behalf of the group while providing the
anonymity of the signers. Unfortunately, all (t , n ) threshold signature schemes proposed so far can
not withstand the conspiracy attack, thus the group secret key can be revealed. In this paper, we
propose a new (t , n ) threshold signature scheme to avoid the conspiracy attack. The security of the
proposed threshold signature scheme is based on the difficulty of computing the discrete logarithm
modulo for a composite number. The size of the group signature and the verification time of the
group signature are equivalent to that of an individual signature.
Keywords: Cryptography, Threshold signature, Group-oriented cryptography, Conspiracy attack.
1. Introduction
In the conventional digital signatures such as RSA [8] and ElGamal [2], a single signer is
sufficient to sign a message and any verifier can verify the validity of the signature with the signer’s
public key. However, the responsibility of signing messages for many applications needs to be
shared by a set of signers. It is a policy for some applications and occasions that at least t persons
rather than one person generate cooperatively a signature. The multi-signature schemes [3,7], the
(t , n ) threshold signature schemes [1,3] and the (t , n ) threshold multi-signature schemes [5,10]
were proposed for slightly different concepts. In these schemes, it is required that several signers
cooperate to generate a valid group signature for a message on behalf of the group.
Here, we briefly describe the concept and requirements of various group-oriented signature
schemes. In a multi-signature scheme [3,7], several signers can generate a signature for a message,
any verifier may check the validity of the multi-signature with the public keys of the signers. In
threshold multi-signature schemes [5,10], t or more members in the group can cooperate to
generate a valid group signature on behalf of the group. One verifier is sufficient to verify a given a
given signature and the verifier needs the public keys of the signers for verification. In the above
schemes [3,5,7,10], the signers are not anonymous. Finally, the (t , n ) threshold signature scheme
has the feature that t or more members of the group can cooperate to generate a valid group
signature on behalf of the group. And the verifier can check the validity of the group signature
without identifying the identities of the signers. That is, the signers are anonymous.
In 1991, Desmedt and Frankel [1] first proposed the concept of a (t , n ) threshold signature
scheme based on the RSA system [8]. In this scheme, a mutually trusted center determines the
group’s secret key and the secret keys of all group members. However, the proposed signature
scheme would be broken if any t or more group members conspire together with each other. This
weakness was presented by Li et al. [4]. Moreover, Harn [3] employed Lagrange interpolating
polynomials and the ElGamal signature scheme [2] to construct two (t , n ) threshold signature
schemes. One is a threshold signature scheme with the assistance of a mutually trusted center.
Another threshold signature scheme was also proposed in which the mutually trusted center is no
longer used.
- 31 -
IICM 第二卷 第三期 民國八十八年九月
Unfortunately, these schemes proposed in the literature [1,3] suffer from the conspiracy attack
and the group’s secret keys can be revealed [4,5]. To avoid the conspiracy attacks, Li et al. [5]
proposed two new (t , n ) threshold signature scheme with traceable signers. The proposed schemes
attach a random number to the secret key held by each member, then the security of their schemes is
guaranteed. Meanwhile, the additional random number makes the (t , n ) threshold signature
schemes have the property of traceability. However, Michels and Horster [6] pointed out that Li et
al.’s threshold multi-signature scheme is vulnerable to forgery attack by an insider attacker under
reasonable assumptions. The signer can not make sure who his co-signers are. The weakness
violates the property of traceability. In 1998, Wang et al. [10] proposed two new (t , n ) threshold
signature schemes with traceable signers that can withstand conspiracy attacks without attaching a
secret number. Recently, Tseng and Jan [9] have shown that the proposed schemes are insecure by
presenting a forgery attack on them.
Michels and Horster also presented another forgery attack on the threshold signature schemes
proposed by Harn. The forgery attack is that an insider attack 1 wants to his victims, the signers
2, , t , to sign a message m' with him. They reject, but agree to sign the innocent message m
with him. The insider attack 1 , who colludes with the designated clerk can forge the valid signature
for message m' .
From the above descriptions, Desmedt and Frankel’s (t , n ) threshold signature scheme can
not withstand the conspiracy attack. Harn’s (t , n ) threshold signature schemes can also not
withstand the conspiracy attack and the forgery attack presented by Michels and Horster. Therefore,
the previously proposed (t , n ) threshold signature schemes were not secure against the conspiracy
attack. In the paper, we will propose a new (t , n ) threshold signature scheme. Under the difficulty
of computing the discrete logarithm modulo for a composite number, the proposed scheme is secure
against the conspiracy attack and the forgery attack.
2. Our scheme
In this section, we present a new (t , n ) threshold signature scheme with the assistance of a
mutually trusted center. The scheme consists of three phases: the system initiation phase, the
threshold signature generation phase, and the threshold signature verification phase. We describe the
three phases in details as follows:
[System Initialization Phase] The system contains a mutually trusted center, who is responsible for
selecting all parameters. Assume that there are n members in a group, let A be the set of all
group members. Any t or more members in the group can sign a message on behalf of the group,
let B be any subset in A of size t . The mutually trusted center selects the following parameters:
 a number N  p  q  ( 2 p'1)  (2q'1) , where p , q , p ' and q ' are distinct large
primes.
*
 a generator g with order v  p'q' in Z N .
 a system public value e such that gcd( e, v )  1 , where e  d  1 mod v and d is a
system secret value.
 a one-way hash function h( ) .
 a secret polynomial function f ( x )  ct 1 x t 1    c1 x  c0 mod v with degree t  1 , where
cn1 , , c1 , c0  Z v .
*
 a secret key x and a public key y , where x  f (0) mod v and y  g x mod N .
Thus, the mutually trusted center publishes e , y , N , g and h( ) , and keeps d , x , v , p , q ,
p' and q ' in secret.
For each group member U i with a public value IDi , for i  A , the mutually trusted center
- 32 -
A threshold signature scheme withstanding the conspiracy attack
U i ’s
computes
yi  g
f ( IDi ) i
secret
xi  ( g f ( IDi ) i ) d mod N
key
 ( ID
mod N , where  i 
jA, j i
and
publishes
his
public
key
1
 ID j ) mod v .
i
[Threshold signature generation phase] Without loss of generality, assume that there are t group
members want to sign a message m on behalf of the group. The t group members can be denoted
as U1 , U 2 , U t . The set of t group members is denoted as B . Each member U i chooses a
random number k i and computes ri as
ri  g ki e mod N .
Thus, U i makes ri publicly available through a broadcast channel. After all ri are available,
each group member computes the product R as
R   ri mod N .
iB
Then, U i uses his secret key xi and the random number k i to compute
si  ( x i )

h ( m , R )
 ( 0 ID j )
( IDi  ID j )
j A , jB
jB , j  i
 g ki mod N .
The user U i sends {ri , si } to a designated clerk, who takes the responsibility of collecting the
partial signatures. Besides, the clerk may authenticate the partial signatures by verifying the
following equation
si  ( yi )
h ( m , R )
e

( IDi  ID j )
jA , jB
 ( 0 ID j )
jB , j i
 ri mod N , for i  1,2, , t .
If the equation holds, the partial signature {ri , si } is valid.
h ( m , R )  ( IDi  ID j )  ( 0 ID j )
e
jA , jB
jB , j i
 ri mod N holds, then the partial signature {ri , si }
Theorem 1: If si  ( yi )
is valid.
Proof: Since xi  g f ( IDi )d  i mod N , where  i   ( IDi  ID j ) 1 mod v , we have
jA, j i
si  ( xi )
eh ( m ,R )
e
 (g
 (g

( IDi  ID j )
jA , jB
f ( IDi )d 
 ( IDi  ID j )1
 ( yi )
h ( m , R )

jA , jB
eh ( m ,R )
jA , jB
)
 ( IDi  ID j )1
jA , j i
 g ki e mod N
 ( IDi  ID j )  ( 0 ID j )
jB , j i
jA , j i
f ( IDi )

( 0 ID j )
h ( m , R )
)
( IDi  ID j )

( IDi  ID j )
jA , jB
 ( 0 ID j )
jB , j  i
jB , j i
 ( 0 ID j )
jB , j i
 g ki e mod N
 ri mod N
 ri mod N □
Further, the clerk computes the group signature S , where
S   si mod N
iB
Thus, ( R , S ) is the group signature for the message m .
[Threshold signature verification phase] Any verifier can use the group public key y to
authenticate the validity of the group signature {R , S } for the message m by checking the
following equation
S e  y h ( m,R )  R mod N .
If the equation holds, the group signature {R , S } is valid.
- 33 -
IICM 第二卷 第三期 民國八十八年九月
Theorem 2: If S e  y h ( m,R )  R mod N holds, then the group signature {m, R, S} is valid.
Proof: In the second phase, the individual signature {ri , si } of the message m satisfies the
following equation
si  ( yi )

h ( m , R )
e
( IDi  ID j )
jA , jB
 ( 0 ID j )
jB , j i
 ri mod N .
Since R   ri mod N and S   si mod N , we have
iB
e
iB
S  ( si ) mod N
e
iB
  ( yi )
h ( m ,R )
iB
 (g
f ( IDi ) 
( IDi  ID j )
f ( IDi ) 
 ( 0 ID j )
jB , j i
 ( IDi  ID j ) 1
jA , j i
iB
 (g

jA , jB
jA , j i

( IDi  ID j ) 

( IDi  ID j ) 
h ( m, R )
jA , jB
)
 ( IDi  ID j ) 1
 ri mod N
h ( m, R )
jA , jB
)
 ( 0  ID j )
jB , j i
 ( 0  ID j )
jB , j i
  ri mod N
iB
 R mod N
iB
 (g
h ( m , R )  f ( IDi ) 
iB
g
h ( m, R )

( IDi  ID j ) 1 
jB , j i
 ( f ( IDi ) 
iB
 ( 0  ID j )
jB , j i
( IDi  ID j ) 1 
jB , j i
)  R mod N
 ( 0  ID j ) )
jB , j i
 R mod N
According to the reconstructed relation of the polynomial f (x ) , the above equation can be
rewritten as
g f ( 0)h ( m, R )  R mod N
 y h ( m,R )  R mod N
Therefore, S e  y h ( m,R )  R mod N and the group signature {m, R, S} can be verified. □
As stated in the above Theorem, the verifier will believe that the group signature ( R , S ) for
the message m is valid. However, it is not possible to find out the identities of the t signers from
the group signature ( R , S ) . Thus, the signers are anonymous.
3. Security analysis
In the following, some possible attacks against the proposed scheme are presented. As we can
see, none of these attacks can break our proposed scheme.
Attack 1: An adversary tries to reveal the group secret key x  f (0) mod v from the public key y .
The adversary might directly solve x from the equation y  g x mod N . This implies that the
adversary can obtain x from the above equation if he solve the problem of computing a discrete
logarithm modulo the composite number N .
Attack 2: Any t members of the group, may cooperate to reveal the secret keys x  f (0) mod v
and d .
Since each U i is the group member, they have the corresponding secret key
xi  g f ( IDi )d  i mod N , where  i   ( IDi  ID j ) 1 mod v . Thus, they generate a valid group
jA, j i
signature. As for getting the secret keys, they might plot the following two approaches: (i) revealing
the value f ( IDi ) from xi or yi , (ii) revealing the secret key d of the mutually trusted center.
In the first approach, as analyzed in Attack 1, they will face the computation of the discrete
logarithm modulo the composite number N . As for the other approach, since the modulus N is
chosen to be infeasible to factor, specialized attacks applicable to the RSA scheme are ineffective,
- 34 -
A threshold signature scheme withstanding the conspiracy attack
e.g., it is infeasible to find d with the known e . That is, our scheme can withstand the conspiracy
attack.
Attack 3: The signer U i colludes with the designated clerk that they may forge the valid signature
for message m' , but the signers U 2 , U t reject to sign a message m' with him.
In Michels and Horster’s forgery attack on Harn’s schemes, the signer U i wants to his victims,
the signers U 2 , U t to sign a message m' with him. They reject, but agree to sign the innocent
message
with
him.
In
our
scheme,
since
the
partial
signature
is
m
si  ( x i )
h ( m , R )

( IDi  ID j )
j A , jB
 ( 0 ID j )
jB , j  i
 g ki mod N and the message m is protected by the one-
way hash function h () with the value R . Thus, our scheme can withstand the forgery attack.
Attack 4: The designated clerk and an adversary may try to reveal the member’s secret key xi .
Since the modulus N is chosen to be infeasible to factor, specialized attacks applicable to
the RSA scheme are ineffective, e.g., it is infeasible to find d with the known e . They can not
compute xi  ( yi ) d mod N . This implies that the designated clerk and an adversary can obtain
member’s secret key xi if they solve the factorization problem
Attack 5: A receiver tries to determine the identities of the signers from the group signature.
A receiver only knows the group signature {R , S } and may authenticate the validity. Since the
receiver does not know the partial signatures {ri , si } of each signer U i , he can not check
si  ( yi )
h ( m , R )
e

jA , jB
( IDi  ID j )
 ( 0 ID j )
jB , j i
 ri mod N .
4. Discussions
As stated in the previous section, our scheme is secure against the Li et al.’s conspiracy attack
[4,5] and the Michels and Horster’s forgery attack [6]. In the following, let us discuss the
responsibility of the designated clerk as well as the signer’s anonymity.
In the Desmedt and Frankel’s scheme [1], each group member U i has a public value IDi
without another public key yi . Thus, the designated clerk may only takes the responsibility of
collecting the partial signatures and can not authenticate the partial signatures. If the designated
clerk is one of the signers, he certainly knows the identities of the other signers. Otherwise, the
designated clerk can not know the identities of the signers.
In the Harn’s scheme [3], each group member U i has two public keys yi and IDi . After
receiving the partial signature, the designated clerk may use each member’s public keys to
authenticate the partial signature. Although the designated clerk is not one of the signers, he also
knows the identities of all signers. Note that if the designated clerk reveals the identities of all
signers, it violates the property of anonymity.
Therefore, two approaches in the Desmedt and Frankel’s scheme and the Harn’s scheme are
alternative. As described in Section 2, our scheme adopts the approach in the Harn’s scheme.
However, our proposed scheme may also be designed as the approach in the Desmedt and Frankel’s
scheme. It is not required that the mutually trusted center publishes each member’s public key yi .
Thus, the designated clerk can not authenticate the partial signature and can not know the identities
of the signers.
Let us consider the performance of our proposed scheme. The performance evaluation of the
proposed scheme concerns the size of the group signature and the time complexity for verifying the
group signature. Both the sizes of the group signature {R , S } and each partial signature {ri , si } are
2 | N | , where | N | is the bit-string length. As for the time complexity for verifying the group
signature, two modular exponentiations are required. That is, the group signature verification
- 35 -
IICM 第二卷 第三期 民國八十八年九月
process is simplified because there is only one group public key required.
5. Conclusions
We have proposed a new (t , n ) threshold signature scheme that it is secure enough against the
conspiracy attack and the forgery attack. We have demonstrated that the group signature verification
process is simplified and the group signature’s size is equivalent to an individual signature’s size.
Therefore, the proposed scheme is proved to be secure and efficient.
References
[1] Y. Desmedt and Y. Frankel, "Shared generation of authenticators and signatures", Advances in
Cryptology - CRYPTO'91, 1992, pp. 457-469.
[2] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms",
IEEE Trans. Info. Theor., Vol. 31, No.4, 1985, pp. 469-472.
[3] L. Harn, "Group-oriented (t,n) threshold digital signature scheme and digital multisignature",
IEE Proc. Computers and Digital Techniques, Vol. 141, No. 5, 1994, pp. 307-313.
[4] C.M. Li, T. Hwang and N.Y. Lee, "Remark on the threshold RSA signature scheme", Advances
in Cryptology - CRYPTO'93, 1994, pp. 413-420.
[5] C.M. Li, T. Hwang and N.Y. Lee, " Threshold multisignature schemes where suspected forgery
implies traceability of adversarial shareholders", Advances in Cryptology - EUROCRYPT'94,
1995, pp. 194-204
[6] M. Michels and P. Horster, "On the risk of disruption in several multiparty signature schemes",
Advances in Cryptology - ASIACRYPT'96, 1997, pp. 334-345.
[7] T. Okamoto, "A digital multisignature scheme using bijective public-key cryptosystem", ACM
Trans. on Comp. Systems, Vol. 6, No. 8, 1988, pp. 432-441.
[8] R.L. Rivest, A. Shamir and L. Adelman, "A method for obtaining digital signature and public
key cryptosystem", Communications of the ACM, Vol. 21, No. 2, 1978, pp. 120-126.
[9] Y.M. Tseng and J.K. Jan, "Attacks on threshold signature scheme with traceable signers ",
Information Processing Letters, Vol.71, No.1, 1999, pp.1-4.
[10] C.T. Wang, C.H. Lin and C.C. Chang, Threshold signature schemes with traceable signers in
group communications, Computer Communications, Vol. 21, No. 8, 1998, pp. 771-776.
- 36 -
A threshold signature scheme withstanding the conspiracy attack
Biography of authors
Jinn-Ke Jan was born in Taiwan in 1951. He received the B.S. degree in Physics from Catholic Fu
Jen University, Taiwan, Republic of China, in 1974 and the M.S. degree in Information and
Computer Science from Tokyo University in 1980. He studied Software Engineering and HumanComputer Interface at the University of Maryland, College Park, MD, during 1984-1986. He is
presently a professor of the Department of Applied Mathematics at National Chung Hsing
University, Taiwan. He is currently also a director of the Computer Center at National Chung Hsing
University, the editor of Information and Education, and an executive member of the Chinese
Association for Information Security. He is the member of the IEEE. His research interests include
computer cryptography, network security, human factors of designing software and information
systems, database security, and coding theory.
Yuh-Min Tseng received the B.S. degree in Computer Science and Engineering from National
Chiao Tung University, Taiwan, Republic of China, in 1988; and the M.S. degree in Computer and
Information Engineering from National Taiwan University in 1990 and the Ph.D. in Applied
Mathematics from National Chung Hsing University in 1999. He is currently an Associate Professor
of the Department of Information Management, Nan-Kai College of Technology and Commerce.
He is a member of the IEEE. He is also a member of the Chinese Association for Information
Security (CCISA). His research interests include network security, cryptography, database security,
and image encryption.
Hung-Yu Chien received the B.S. degree in Computer Science from National Chiao Tung
University, Hsinchu, Taiwan, in 1988 and the M.S. degree in Computer and Information
Engineering from National Taiwan University, Taipei, Taiwan, in 1990. He is currently pursuing his
doctoral degree in applied mathematics at National Chung Hsing University. He is a member of the
Chinese Association for Information Security. His research interests include cryptography, network
security, electronic commerce.x
- 37 -