advertisement

Proceedings of the IASTED International Conference Parallel and distributed Computing and Systems November 3-6, 1999 MIT, Boston, USA A BATCH-VERIFYING ALGORITHM FOR MULTIPLE DIGITAL SIGNATURES XIAOJUN SHEN ZHIJUN LIU LEIN HARN Computer Science Telecommunications Program University of Missouri-Kansas City 5100 Rockhill Road Kansas City, MO 64110 [email protected] [email protected] YONGMIN LOU 500E 8th, Rm 350 Kansas city, MO 64106 [email protected] scheme can also be found in the Elliptic Curve signature scheme. ABSTRACT- Instead of linearly verifying each individual signature one by one, the batch-verifying algorithm allows verifier to verify multiple signatures at once. In this paper, we develop a batch-verifying algorithm for identifying all invalid signatures in a batch with length n. Our analytical analysis shows that this algorithm needs only Min(2n-1, 2k(log n - logk) + 2k – 1) operations, where k is the number of invalid signatures among the n signatures. Thus, it is more efficient than the linear-verifying algorithm when k < 0.5n/logn, and it needs at most 2n-1 operations even under the worst scenario. Digital signatures are used to authenticate messages and to provide certificates for public keys. For example, the RSA signatures have been adopted by VISA and MasterCard in the secure electronic transactions (SET) standard [4] for providing security of electronic transfer of credit and payment information over the Internet. Since public-key cryptography requires intensive computation, it is desirable to speed up signature signing/verification by using either a cryptographic hardware accelerator or using an efficient software algorithm. Very recently, algorithms for batch-verifying were proposed for RSA signature [5] and DSA-type signature [6]. Instead of verifying each individual signature separately, these algorithms allow verifier to verify multiple signatures simultaneously. Since this approach maintains the same computational load as for verification of a single signature, a significant reduction in time for signature verification can be achieved. The application of these algorithms can be found in the security gateways that require verifying of X.509 publickey certificates signed by a limited number of certificate authorities (CAs). KEY WORDS- batch verification, binary trees, digital signatures. 1. INTRODUCTION At present, there are two popular public-key algorithms which provide digital signatures: the RSA scheme [1] and the ElGamal signature scheme [2]. The RSA scheme makes use of the difficulty of factoring a large integer into a product of two large prime numbers, and the ElGamal signature scheme makes use of the difficulty of solving the discrete logarithm problem over GF(p), where p is a large prime integer. Recently, the Elliptic Curve digital signature scheme, in which the difficulty of breaking the scheme is based on solving the discrete logarithm problem over an Elliptic Curve, has been included in the IEEE p1363 working project [3]. General speaking, the Elliptic Curve signature scheme is designed based on the ElGamal signature scheme. In other words, major properties of the ElGamal signature 302-277 Assuming there are n individual signatures, s1, s2, …, sn, in a batch, an important question in implementing these batch-verifying algorithms is how to identify invalid signatures efficiently? (They may occur due to transmission/storage error.) In the next section, we will propose a binary tree-searching algorithm for this question. Its performance depends on the number k of invalid signatures and their distribution among the n -1- signatures. Compared with the linear-verifying algorithm that needs n operations, our algorithm needs only Min(2n-1, 2k(log n - logk) + 2k – 1) operations. Thus, it is more efficient than the linear-verifying algorithm when k < 0.5n/logn. For a large k, this algorithm may need slightly more operations. However, it never needs more than 2n-1 operations even under the worst scenario. if(signatureVerify(s[first], issuer.publickey.value)) {/* Function SignatureVerify() deploys general * signature verification procedure. It returns 0 while * the signature is valid, 1 while the signature is * invalid. */ status[first] = 1; return 1; } else return 0; This paper is organized as follows. Section 2 presents the algorithm; Section 3 presents a detailed analysis of this algorithm; and Section 4 concludes this paper. } /* Step 1: calculate the product of all the signatures */ Product = Productof Signatures(s[], first, last); /* Step 2: verify the product through single signature * verification procedure. */ If(SignatureVerify(product, issuer.publickey.value)) {/*At least one of the s[] is wrong. */ return (BatchSignatureVerify(s, first, (first+last)/2, status)+BatchSignatureVerify(s, ((first+last)/2+1), last, status)); } else return 0; } 2. THE BINARY TREE-SEARCHING ALGORITHM Assume that s1, s2, …, sn, are n signatures signed by the same entity, for instance, a CA who issues public key certificates to its clients. By using the batch verification criterion as proposed in [5, 6], these n signatures can be verified at once. Only one operation is needed if all signatures are valid signatures. If there are more invalid signatures in the batch, one operation is not enough. Based on the classical binary-search approach, an efficient algorithm to identify these invalid signatures is given below. This algorithm divides the signature batch into two subarrays, s1, s2, …, sn/2 and sn/2 +1,…, sn, and applies a batch verification criterion on each subarray again. It uses the divide-and-conquer procedure recursively until all invalid signatures have been identified. We will analyze its performance in the next section. 3. COMPLEXITY ANALYSIS Theorem 1. Let n be the number of elements in the array s, and k n be the number of faulty elements in the array. The number of SignatureVerify operations in the Binary Tree-Searching Algorithm is upper bounded by 2k (log n - log k) +2k - 1. Proof. Any execution of the algorithm can be modeled by a binary tree, in which each node represents a SignatureVerify operation. (Let us simply call it operation.) Binary Tree-Searching Algorithm int BatchSignatureVerify(const signature s[], int first, int last, const Issuer & issuer, int status[]) {/* This function is used to verify multipl signatures * generated by the same entity who is identified by * the issuer. * s[]: signatures needed to be verified in a batch; * first: index of the starting s[]; * last: index of the ending s[]; * issuer: stores issuer’s information, who generates s[]; * status[]: store verification status of s[]; 0; valid, * 1: invalid; * return value: * 0: all s[] are valid; >0: number of failed certificates. * All status[] are initialized as 0 before passed into the * function; */ Signature * product; if (first = = last) { If a node is an internal vertex, then its two subtrees represent recursive executions on the two subarrays divided at this node. From the algorithm, we can assume that m/2 elements are there in the left subtree, and m/2 elements in the right subtree under an internal node of m elements. If a node is a leaf, we color the leaf based on the following two cases: (1) A leaf is marked black if the result of the operation identifies a single fault at this leaf. Obviously, there are exactly k black leaves. (2) A leaf is marked white if the result of the operation finds no faults. Obviously, there is no need to do further search from this node, no matter how many elements are involved in this operation. Now, we prove the theorem by induction on k. -2- 2ilogn/2 + 2(k - i) logn/2 - 2(ilogi + (k - i)log(k - i)) + 2k - 1 Basis, k = 1. In the worst case, the single fault is always contained in the larger subarray when an array is splitted into two subarrays at a node. Fig. 1 illustrates this situation. 2k log n/2 - 2(ilog i + (k - i)log(k - i)) + 2k – 1. From Calculus, it is easy to show that (ilog i + (k - i)log(k - i)) klog(k/2). n elements n/2 elements Therefore, the total number of operations is 2k log n/2 - 2klog(k/2)+ 2k – 1 n/4 elements = 2k log n/2 - 2klog k + 4k – 1. If we can show log n/2 = log n -1, then the total number of operations will be 2k( log n - 1) - 2klog k + 4k – 1 n/2p elements Fig. 1. AN ILLUSTRATION OF BINARY SEARCH TREE WITH K = 1. = 2k( log n - log k) + 2k – 1, Because n/2p = 1, p = log n . Therefore, the total number of operations is 2p + 1 = 2log n + 1. The theorem is true for k =1. and the induction will be done. Thus, let us prove log n/2 = log n -1. Let n = 2p + m, 0 m 2p . Induction step. Suppose that for any k-1 or less faulty elements, the theorem is true, we will show that it will be true for k faulty (k 2) elements also. After the first operation, we have two cases: If m = 0, log n/2 = log 2p-1 = p – 1 = log n - 1. If m > 0, log n/2 = log(2p+m)/2 = log 2p-1+m/2 = p =(p +1)–1 = log n - 1. Case 1. Both left and right subtrees have faulty elements. Therefore, the claim is true. We assume there are i faulty elements in the left subtree and (k-i) elements in the right subtree. Fig. 2 illustrates this case. Case 2. The left subtree of the root has no faulty elements. In this case, we need only search the right subtree. Soon or later, we will arrive to a node whose both subtrees have faulty elements. We can assume that after p operations, we arrive to this node x. Fig. 3 illustrates this situation. i faults (k - i) faults n elements Fig. 2. AN ILLUSTRATION OF CASE 1. w p operations w By induction, the number of operations to search all faulty elements in the left tree is 2i( log n/2 - log i) + 2i – 1; in the right tree is 2(k – i)( log n/2 - log(k - i)) + 2(k – i) – 1; and at the root is 1. x w i faults Thus the total number of operations is n/2p elements (k - i) faults Fig. 3. AN ILLUSTRATION OF CASE 2. -3- The node x has n/2p elements. From case 1, the total number of operations on the tree rooted at x is upper bounded by has n leaves, all of which are black. From Graph Theory, this tree has (n-1) internal vertices [7]. Therefore, the number of operations is bounded by 2n-1. 2k( log n/2p - log k) + 2k – 1. 4. CONCLUSIONS Since there are p operations at internal nodes before node x, plus the p operations for the p white leaves outside the tree of x, the total number of operations is upper bounded by 2k( log n/2p - log k) + 2k – 1 + 2p This paper presents a binary tree-searching algorithm for batch-verifying n signatures, and a detailed analysis of this algorithm. Compared with the linearverifying algorithm that needs n operations, this algorithm needs only Min(2n-1, 2k(log n - logk) + 2k – 1) operations. It is more efficient than the linearverifying algorithm when k < 0.5n/logn. For a large k, this algorithm may need slightly more operations, but never needs more than 2n-1 operations even under the worst scenario. = 2k( log n - p – log k) + 2k – 1 + 2p < 2k( log n - log k) + 2k – 1. From theorem 1, we conclude that when k is a small number, the number of operations is in the order of O(logn). Thus batch verification is much faster than the linear verification. When k is not small, but k < 0.5n/log n, from Theorem 1, the number of operations is still less than n, meaning that this algorithm is still better than the linear search. REFERENCES [1] R. L Rivest, A. Shamir, and L. Adelman, A method for obtaining digital signatures and public-key cryptosystem, Commun. ACM, 1978, 21, (2), 120126. [2] T. ElGamal, A public-key cryptosystem and signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory, 1985, IT-31, 469-472. [3] IEEE P1363: Standard Specifications For Public Key Cryptography, http://grouper.ieee.org/groups/1363/. [4] SET specification, http://www.setco.org/set_specifications.html.. [5] L. Harn, Batch verifying multiple RSA digital signatures, Electronics Letters, Vol. 34, No. 12, June 1998, 1219-1220. [6] L. Harn, Batch verifying multiple DSA-type digital signatures, Electronics Letters, Vol. 34, No. 9, April 1998, 870-871. [7] R. Johnsonbaugh, Discrete Mathematics, (Prentice Hall, fourth edition, 1997) 408. For a large k, the bound given by Theorem 1 may not be in favor of the batch verification. However, even for a large k, we claim that the performance of this algorithm is not bad. Theorem 2 shows that the number of operations used by the batch verification will never needs more than 2n-1 operations. Theorem 2. Let n be the number of elements in the array s, and k n be the number of faulty elements in the array. The number of SignatureVerify operations is upper bounded by Min(2n –1, 2k (log n - log k) + 2k – 1). Proof. From Theorem 1, we need only to show that in any case, the number of operations will be bounded by 2n-1. It is obvious that the worst case occurs when all elements are faulty, because the binary tree for this case contains maximum number of nodes. The binary tree of any other case is a subtree of this tree. This binary tree -4-