Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security of Wang-Li Threshold Signature Scheme

Published byHerman Tanudjaja Modified over 5 years ago

Similar presentations

Presentation on theme: "Security of Wang-Li Threshold Signature Scheme"— Presentation transcript:

1 Security of Wang-Li Threshold Signature Scheme
Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing , P.R. China address: Abstract. In 2003, Wang et al.[1] proposed a (t, n) threshold signature scheme without a trusted party based on the discrete logarithm problem. In this paper, according to [5]’s attacking method, we show that there are still some security leaks in that scheme, and give some methods of forgery attack. Moreover, we point out this scheme is vulnerable to universal forgery by an insider attacker under reasonable assumptions. Keywords threshold signature; secret sharing; trusted party 1 Introduction In 1991, Desmedt and Frankel proposed a (t,n) threshold signature scheme based on RSA [2]. In [3], the author gives a threshold group signature scheme based on Discrete Logarithm. Harn showed a threshold group signature scheme based on ELGamal signature without a trusted party [4]. As under many specific applying environment, a trusted center which is trusted by all group members does not exist, the threshold group signature without a trusted center takes on attraction. In [1], the author uses secret sharing technique, all group members decide group public key and group members’ secret key. 2 Review of Wang et al.’s Threshold Signature Schemes Their scheme consists of three parts: group public key and secret shares generation phase, partial signature generation and verification phase, and group signature generation and verification phase. Part 1: Group Public Key and Secret Shares Generation Phase Let A(|A| = n) be the set of all shareholders, B be any subset in A of size t (|B| = t). The public parameters, (H,p,q,α), should be agreed by all shareholders in advance. a collision free one-way hash function H. p= a large prime modulus, where 2511 < p < 2512. q= a prime divisor of p-1, where 2159 < p < 2160. a positive integer α = hp−1/q mod p, where 1 ≤ h ≤ p−1, and g is a generator with order q in GF(p). Each shareholders i, i ∈ A, randomly selects a (t − 1)-th degree polynomial, fi(x), and an integer xi associated with each shareholder i, where xi ∈ [1, q − 1]. Then he computes λi,j = fi(xj)modq for other n − 1 members, and sends λi,j to Uj by broadcast. We notice λi,i = fi(xi)modq and Ui keeps λi,i. After every members finished above procedure, group member Ui computes λi = Pt λj,i mod q.That j=1 is, λi = Pt fj(xi) mod q. Now we define a new fuction f(x) = Pt fi(x) mod q. Although Ui doesn’t j=1 i=1 1

2 Xs = si, Pt Qt j=1,j6=i Qt j=1,j6=i
know F(x), he easily knows λi = F(xi). Ui chooses a randomly number ki in [1,p − 1]. Xi = λikimodq is a U0is secret key and yi = gximodp is his public key. Let ri = gkimodp Ui sends ri to other members by broadcast. Every member computes R = Qn ri mod p. Because threshold value is t, t members can obtain F(0) i=1 Pt by using Lagrange interpolating polynomials to compute F(0) = ( i=1 F(xi) · Qt j=1,j6=i xi−xj ) mod q. Then −xj y =gF(0)xR mod p is group’s public key and the corresponding group secret key x is F(0)+ Pnki mod q. i=1 Part 2: Partial Signature Generation and Verification Phase At first, members decide which members participate group signature by arranging. Group members of participating group signature forms the set S. suppose S = {Ui|i = 1, 2, · · · , n}. Then every member Ui chooses a new random number ti in [1, q − 1]. Ui computes the following equation:Ti = gti mod p and zi = gti×(ki)−1mod pwhere ki is U0is random number in secret key generating phase. Ui sends Ti and zi to other members of participating singatures through a broadcast channel. After receiving Ti and zi from other members, Ui chooses frontal t members in S and form the set St. Ui computes r =Q zj mod p. According to the following equation Ui solve si: uj∈St kisi = (kiλiCi) x h(m) − r x timod q (1) The above equation is equivalence to: si = (λiCi) x h(m) − r x ti x (ki)−1mod q (2) Where Ci = Qt j=1,j6=i −xj xi−xj . Then, the messages (m, ri, si, yi, r, Ti, i) are transmitted to a DC(Designated Combiner) who is only responsible for collecting and evaluating information. Note that the DC here is different from a mutually trusted center since he does not select any parameter for users. Here, the individual signature si is a partial signature of the message m. On receiving the messages (m, ri, si, yi, r, Ti, i), the DC uses public key yi to check whether the following equation is true: rsi i (Ti)r ≡?(yi)h(m)cimod p (3) If the equation holds, the partial signature si of the message m received from Ui has been verified. Part 3: Group Signature Generation and Verification Phase Once all these t partial signature are verified by the DC, the DC can generate the group signature for the message m as {m, s, r, R}, where Xs = si, Ui∈St That is, s = P Ui∈St (λiCi)h(m) − r P (ti x k−1 i ) mod q. To verify the validity of the group signature {m, r, s, R}, the verifier has to compute the following equation: gsrr ≡(y x R−1)h(m). (4) 3 An exterior Attack on Wang et al.’s threshold signature schemes [1] 2

3 (y ×R0−1)h(m) ≡ (y × (gs'rr)h(m)_1 · y−1)h(m)
Unfortunately, the signature scheme is insecure. Given a message m , anyone can forge a signature that will be verified, as follows: (1). Choose two random values a ∈ z∗q and d ∈ z∗q. (2).Compute r0i = yai mod p and Ti0 = r0d i mod p. (3). By verifying equation3have as' yi ,, adr h(m,)Ci yi = yi mod. p (5) Then we have s0i = a−1h(m)Ci − dr (6) (4). (r/i, s0i, r, Ti0) is a valid signature of message m. Because we have 0s' ,, ri (Ti0)r ≡ y iasyi adr yias',,+adr ≡ (yi)h(m)c,,mod p. (7) So (m, r0i, s0i, r, Ti') is a valid partial signature. That shows U0is partial signature can be forged by attackers. We compute S0 = Pt s0i mod q. i=1 By gs'rr ≡ (y × Ri−1)h(m). (8) We have R0 ≡ (gs'rr)h(m) · y mod p (9) (m, S0, r, R') is a valid group signature. Because (y ×R0−1)h(m) ≡ (y × (gs'rr)h(m)_1 · y−1)h(m) (y × R'−1)h(m)≡ gs'rr mod p. (10) Remark. In [1], the author mistakes R a signature. In fact, from constructing we can find R is a public key. If this case, the attack of [1] increases difficulty. The following is the attack after correcting. 4 An interior Attack on Wang et al.’s threshold signature schemes [1] First the possible attacker model are described. In the group environment we can distinguish between an insider, an outsider and a DC attack. The DC attack can be active (he does not follow the protocol) or passive(he just reveals some parameters). In the following, our attack assumes that one insider attackers and the passive DC collude, while the overwhelming majority of signers, more precisely all except the insider, can be assumed to be honest. Assume that an insider attacker 1, say Charley, wants his victims 2, · · · , t to sign a message m0 with him. They reject, but agree to sign the innocent message m with him. Therefore, signer (and victim) i (for all i ∈ {2, 3, · · · , n}) chooses a random number ki ∈ Z∗q and signer i(2 ≤ i ≤ t) chooses a random number ti ∈ Z∗q. They compute ri = gk,,,Ti = gt,,,zi = gt,,×(k,,)_1mod p. Ui sends ri to other members through a broadcast channel. Ui sends Ti to other members of participating signatures through a broadcast channel. Charley waits until he received r2, r3, · · · , rt. He randomly chooses k1 ∈ Z∗q.He computes r1 = gk1,T1 = gt1,z1 = gt1×(k1)_1mod p and r = fJ zj mod p.Then he u3∈St 3

4 References r−1 5 Conclusion 11t j=2
computes d = h(m') · h(m)−1 mod p, r0 = rd mod p and r01 =r0 r−1 j mod p. Charley sends r0 1 instead of r1 to other signers. Now the signer Ui computes r0 = r01 · Yt rj mod p, (11) j=2 s0i = (λiCi) × h(m) −r0× ti × (ki)−1mod q. (12) Then he sends s0i to DC.The DC, who colludes with Charley, reveals s02, s03, · · · ,s't. Charley computes s01 = (λ1C1) × h(m) −r0× t1 × (k1)−1mod q. (13) Now Charley can compute s0 = d · E s0i (mod q). Then (m', r0, s') is a valid signature of message m'. As r0 ≡ rd ≡ g i=1 tik−1 i(14) Pt i=1 s 0 i gs ≡ gd· d·( ≡ g i=1 λiCi×h(m)−r'×ti×(ki)−1) Pt ≡ g i=1 λiCi×d·h(m)−d·r'×ti×(ki)−1 ≡ (y × R−1)d·h(m) · r−d·r' ≡ (y × R−1)h(m0)· r0 −r0 5 Conclusion By forging attack, we show that is not secure. Moreover, we point out this scheme is vulnerable to universal forgery by an insider attacker under reasonable assumptions. References Bin Wang, Jianhua Li. (t, n) threshold signature schemes without trusted center . Journal of Com-puters, 2003, 26(11) : Desmedt Y. Frankel Y. Shared generation of authenticators. In:Proceedings of Crypto’91, Santa Barbara, California, USA, 1991, Wang C T, Lin C H, Chang C C. Threshold signautre schemes with traceable signers in group communications. Computer Communications,1998,21(8): Harn L. Group-oriented (t, n) threshold digital signature scheme and digital multisignature. IEE Proceedings of Computers and Digital and Technique, 1994,141(5): M. Michels, P.Horser, On the risk of disruption in several multiparty signauture scheme, in: Advances in Cryptology-ASIACRYPT’96, 1997, pp 4

Download ppt "Security of Wang-Li Threshold Signature Scheme"

Similar presentations

1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.

1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.

13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.

Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.
8. Data Integrity Techniques

8. Data Integrity Techniques
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1.

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
Bob can sign a message using a digital signature generation algorithm

Bob can sign a message using a digital signature generation algorithm
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.

Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Yu-Li Lin and Chien-Lung Hsu Department of Information Management, Chang-Gung University Information Science(SCI) Reporter: Tzer-Long Chen.

Yu-Li Lin and Chien-Lung Hsu Department of Information Management, Chang-Gung University Information Science(SCI) Reporter: Tzer-Long Chen.

Similar presentations

Ads by Google