WO2012156254A1 - A method for performing a group digital signature - Google Patents

Publication number
WO2012156254A1
Authority
WO
WIPO (PCT)
Prior art keywords
group
digital signature
mod
signature
party
Application number
PCT/EP2012/058578
Other languages
French (fr)
Inventor
Luis HERNÁNDEZ ENCINAS
Jaime MUÑOZ MASQUÉ
José Raúl DURÁN DÍAZ
Fernando HERNÁNDEZ ÁLVAREZ
Víctor GAYOSO MARTÍNEZ
Agustín MARTÍN MUÑOZ
Víctor FERNÁNDEZ MATEOS
David PRIETO MARQUÉS
Original Assignee
Telefónica, S.A.
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures

Definitions

  • the invention presented here guarantees that a true group signature is generated for a given message. Moreover, the invention improves existing protocols in terms of user friendliness, computational efficiency, time and bandwidth saving.
  • a group signature or signature on behalf of a group is a procedure whereby a randomly chosen member of the group
  • the so- elaborated signature can be verified by anyone in the knowledge of the original document, (or a hash thereof, m), the signature, and the public key associated to the protocol.
  • phases 1 generation of the keys
  • 2 verification of the keys
  • the steps to generate the keys of T are the following: 1. T chooses two large prime numbers p and q verifying the following conditions:
  • the size of r i.e., its bitlength, must be sufficiently large so as to render computationally infeasible the Subgroup Discrete Logarithm Problem (SDLP) with order r of the integers module n, Z .
  • SDLP Subgroup Discrete Logarithm Problem
  • n = p · q
  • the first step is to determine an element g e _3 ⁇ 4 whose order is ⁇ ( ⁇ ).
  • the procedure consists in randomly choosing an element g e _3 ⁇ 4 and verifying that g raised to all the possible divisors of ⁇ ( ⁇ ), module n, is different from 1 in all cases.
  • the values ( ⁇ , ⁇ , r, n) are made public, whereas T keeps the values (p, q, s) in secret.
  • the factor r of p-1 and q-1 is known and n is the product of two primes, p and q, currently there is no efficient algorithm capable of calculating the two factors of n (an algorithm is deemed efficient if the output can be obtained in polynomial running time; otherwise, algorithms with exponential or sub-exponential running times are considered inefficient).
  • each participant in the group signature protocol is in possession of a private key, and all participants share a common public key.
  • (f, g) be the digital signature corresponding to the message hash m for the group G.
  • the verifier must proceed as follows. First, the verifier obtains the public key, (P, Q), corresponding to the group G. Next, it suffices to check whether the following equality holds:
  • the scheme proposed in this invention is secure, since no member of the group G is able to determine neither the secret value s nor the private key of the TTP.
  • the private key (a 0 , b 0 , c 0 , d 0 ) of T was randomly generated.
  • the equations (2) and (3) hold for these values but computing them is also intractable, since it would imply to solve the DLP.
  • T is the Trusted Third Party.
  • T generates its own private key and the public key.
  • a number r with 192 bits has been generated, which makes the discrete logarithm problem infeasible in a subgroup of order r.
  • the prime numbers p and q have been generated to have, approximately 512 bits each one, which means that n has around 1024 bits. This size is big enough to guarantee its security against the factorization attacks during a reasonable time (the digits of each number has been separated into groups of 10 to improve its legibility).
  • the calculated values are the following:
  • ⁇ ( ⁇ ) 2369410636 6333472157 0279162522 3265024454 3745068299 0936304998
  • ⁇ ( ⁇ ) 2279889529 5624842025 0564697110 6664790296 5569615758 5687024706
  • the next step is the calculation of the private keys of the signers of the group G. To do so, T calculates, in the first place, the following values:
  • T randomly chooses one of the members, second for example.
  • This signer's signature is:
  • any two signers for example, F 2 and F 3 , try to conspire in order to obtain the secret value, s, of T, they would join their respective signatures, (f 2 , g 2 ) and (f 3 , g 3 ), and compute
  • the scheme proposed to perform group digital signatures has been implemented as a "Notebook" of the software application Maple v.13 in a computer with an Intel® Core™2 Quad CPU Q4900 processor at 2.66 GHz, with the operating system Windows 7 of Microsoft with 64 bits and with a 4 GB RAM.
  • the proposed scheme enjoys the following properties: security is based upon three computationally-intractable mathematical problems: the Integer Factorization Problem (IFP), the Discrete Logarithm Problem (DLP), and the Subgroup Discrete Logarithm Problem (SDLP).
  • IFP Integer Factorization Problem
  • DLP Discrete Logarithm Problem
  • SDLP Subgroup Discrete Logarithm Problem
  • the memory requirements are modest. Moreover, the number of keys is equal to one plus the number of users, who only possess their private (therefore, secret) key. The public key is common for all of them.
  • the verifier is able to check the validity of the group signature, since this process only requires the knowledge of the public key. However the verifier is not able to spot the actual signer, for this would imply the knowledge of the signers' private keys.
  • the TTP could "open" a signature and reveal the actual signer. This is possible because the TTP is in possession of the private keys of all signers.
  • a new user can join the group at any time with no disruption of the scheme. In fact, it suffices that T determines a fresh private key for the user who has just joined the group, thus becoming eligible for the group signature process, if she happens to be randomly
  • Applications of the invention
  • the invention is applicable whenever it is required that a person signs a document on behalf of a group of persons.
  • these applications can be mentioned:
  • examples of groups could be several companies as members of a joint venture, or several persons as members of a committee inside a company. In these and similar cases, they may take advantage of the present invention to digitally sign documents or agreements involving all the parties.
  • the signature process can be passed on to one of the members, who will act as a representative of the group in the signature process. Remark that the representative may change at any time with no impact in the process.
  • the present invention can be used to restrict the access to a set of given resources to sets of users fulfilling certain special properties (such as being members of a given department, having special offices or status, and so on). Only if a user is in possession of a private key, which identifies her as a member of a specific group, then she is able to access the resources available to such group.
  • Notary public documents Most notarial documents (purchase and sale documents, mortgages, declarations of heirship, and the like) need the signatures of all the involved parties, and the signature of the notary public attesting the validity of the process as well.
  • the proposed invention may prove useful when one of the parties is formed by a group of persons, represented by a single individual thereof.
  • the growing internet usage may lead to the necessity of signing on-line agreements or documents.
  • the proposed invention may be conveniently used since the involved parties can be represented by a single member of each of the two parties, who will actually sign the on-line agreement or document on behalf of their respective party.

Abstract

A method for creating a group digital signature, comprising: i) generating, by a Trusted Third Party (T), a private key for each member ($F_1, F_2, \ldots, F_t$) of a group (G); ii) randomly selecting, by said Trusted Third Party (T), one member of said group (G) to act as a signer in charge of signing a digital document (M) on behalf of the group (G); iii) elaborating, by said signer, a group digital signature using his private key to sign said digital document (M); and iv) verifying said group digital signature; wherein the method comprises generating, by said Trusted Third Party (T), a common public key for all of said group members ($F_1, F_2, \ldots, F_t$) and using said common public key for performing said group digital signature verification of step iv).

Description

A METHOD FOR PERFORMING A GROUP DIGITAL SIGNATURE
Field of the art
The present invention generally relates to a method to perform a group digital signature, where a selected member of a group signs a digital document on behalf of the rest of members of the group, and more particularly to a method comprising using a common public key for verifying the group digital signature.
Prior State of the Art
There are currently different methods and algorithms to perform, in a safe way, electronic or digital signatures by means of computer networks. Most of these protocols are based on Public Key Cryptography (PKC) (see [EIG85], [MOV97], [RSA78]). The main feature of this kind of cryptography is that each individual has two keys, one public key, called e, and one private key, called d. The public key allows any user to encrypt the messages addressed to the owner of the key, by using an encryption procedure, E. Therefore, this key is publicly known. On the other hand, the private key is known only by its owner and is the one that allows decrypting the received encrypted messages, through a decryption procedure, D. The processes of encryption and decryption will be denoted respectively by $E_k$ and $D_k$ when the key k is used.
The algorithms, E and D, for encryption and decryption in digital signature protocols must meet the following conditions:
1. The encryption of a message M with the public key, $E_e$, followed by its decryption with the private key, $D_d$, must have as output the original message, i.e.,
$D_d(E_e(M)) = D_d(c) = M.$
2. The encryption of a message M performed with a private key, $E_d$, followed by its decryption performed with the corresponding public key, $D_e$, must have the original message as output, i.e., the procedures E and D must verify:
$D_e(E_d(M)) = D_e(C) = M.$
Additionally, to make the procedures of digital signatures and their electronic transmission more efficient, hash functions are used (see [MOV97], [NIST02]). These functions compute a hash or digest of the document, so that it is this digest that is eventually signed, instead of the full document. Hash functions will be denoted by $H(\cdot)$ throughout the present document.
The general procedure to perform the digital signature of a document, M, follows the next steps, as shown in Figure 1:
1. Selection of the public key cryptosystem, (E, D), and the hash function, H, to be used in the signature procedure. The triple (E, D, H) will be publicly known.
2. Generation of the public and private keys, e, d, of the user who is to sign the document. The keys can be also provided by a third party.
3. Computation of the digest of the message to be signed:
$H(M) = m.$
4. Digital signature of the message digest by using the signer's private key, d:
$E_d(m) = f.$
5. Publication of the original document and its corresponding digital signature: (M, f).
In turn, the verifier of the digital signature:
1. Checks the signature correctness of the signed document by using the published message, M, the digital signature, f, and the signer's public key, e, as follows:
$D_e(f) = D_e(E_d(m)) = m,$
$H(M) = m',$
$m' \stackrel{?}{=} m.$
The development and the simplicity regarding computer use and common internet access for the citizens have led to the emergence of new digital signature methods. Now it is possible to tackle problems that had no solution in the past.
One of these problems is how to allow one single user to digitally sign a document in such a way that the signature is done on behalf of a previously determined group of users (to which the signer belongs). This type of signature is known as group signature or signature on behalf of a group. A group signature is a digital signature protocol whereby a member of a group of t signers,
$G = \{F_1, F_2, \ldots, F_t\},$
signs a document on behalf of the rest of the group members (see, for example, [ACJ00], [AM03], [BSZ05], [BBX04], [CL04], [CH91], [CHY05], [FC04], [NS04], [TW05]).
These signature schemes show some outstanding characteristics:
1. Only a group member can validly sign a document or message.
2. The signed message receiver is able to verify that the signature is a valid group signature, i.e., it has been carried out by one legitimate member of the group. However, the receiver will not be able to determine which particular group member actually signed the message.
3. If required (in case of a dispute, for example) it is possible to disclose the signer, i.e., to reveal which user actually signed the message.
Group signatures can be considered a generalization of schemes of credential authentication, whereby a person proves that she belongs to a particular group. In particular, they can be seen as an extension of the credential mechanisms proposed by Chaum ([Cha85]), and member authentication schemes ([OOK90], [SKI90]), where a group member is able to convince a verifier that she belongs to a certain group without revealing her identity.
There exist several proposals for group signatures, which use a number of cryptographic primitives (e.g. [CH91]). Some of these proposals need a Trusted Third Party (TTP), at least for the initialization process. Other schemes, however, allow any user to create the group she chooses to belong to.
As a general rule, group signatures make use of schemes whose security is based on computationally-intractable mathematical problems. Typically, such problems are the Integer Factorization Problem (IFP) and the Discrete Logarithm Problem (DLP).
As shown in Figure 2, the simplest process to carry out a group digital signature is the following:
1. The Trusted Third Party, T, selects the public key cryptosystem, (E, D), and the hash function, H, to be used in the process of group digital signature. T makes the triple (E, D, H) publicly known.
2. T generates a pair of public and private keys $(e_i, d_i)$, $i = 1, \ldots, t$, for each of the users in the group G.
3. T sorts randomly the list of the users' public keys and publishes the sorted list.
4. One of the users in G is randomly selected (the choice could be done by T), be it F. This signer, whose key pair is denoted by (e, d), will carry out the signing process on behalf of the group.
5. F determines the hash of the message to be signed:
$H(M) = m.$
6. F performs the digital signature of the message hash by using her own private key, d:
$E_d(m) = f.$
7. T publishes both the signed message and the group signature computed by F: (M, f).
The verifier of the digital signature:
1. Gets the list of the public keys of the users in G.
2. Checks whether the following formula applied on the published message, M, holds when one of the public keys in the list, e, is used:
$D_e(f) = D_e(E_d(m)) = m,$
$H(M) = m',$
$m' \stackrel{?}{=} m.$
If the formula holds for one of the public keys, the verifier is sure that the signature is valid, since each public key is associated with a corresponding private key. However, the verifier is not able to determine who was the actual signer, since the list of public keys has been randomly sorted. If the number of potential signers is high, so is the number of public keys. This means that the verification process could imply a heavy computational load since, in the worst case, all the public keys must be checked before completing the verification.
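The Figure 2 process above and its linear verification cost, as an added example that is not code from the patent. Assumptions: unpadded textbook RSA stands in for (E, D), SHA-256 for H, and the function names, the 256-bit primes and the sample messages are constructed for illustration.

```python
import hashlib
import secrets

E_PUB = 65537  # public exponent; an assumption of this example


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        # E_PUB is prime, so gcd(E_PUB, c - 1) = 1 unless E_PUB divides c - 1
        if c % E_PUB != 1 and _is_probable_prime(c):
            return c


def keygen(bits=256):
    """Return ((e, n), (d, n)), a textbook RSA key pair."""
    p = _random_prime(bits)
    q = _random_prime(bits)
    while q == p:
        q = _random_prime(bits)
    n = p * q
    return (E_PUB, n), (pow(E_PUB, -1, (p - 1) * (q - 1)), n)


def H(message):
    """Digest m = H(M) as an integer (SHA-256 stands in for H)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def ttp_setup(t, bits=256):
    """Steps 2-3: T generates t key pairs and publishes the shuffled public keys.

    pairs[i] belongs to member F_(i+1); T keeps this record to open signatures.
    """
    pairs = [keygen(bits) for _ in range(t)]
    published = [pub for pub, _ in pairs]
    secrets.SystemRandom().shuffle(published)
    return pairs, published


def sign(message, private_key):
    """Steps 5-6: f = E_d(H(M)). Unpadded RSA, for illustration only."""
    d, n = private_key
    return pow(H(message), d, n)


def verify(message, f, published):
    """Try each published key in turn; return (valid, keys_tried)."""
    m_prime = H(message)
    for tried, (e, n) in enumerate(published, start=1):
        if 0 <= f < n and pow(f, e, n) == m_prime:
            return True, tried
    return False, len(published)


def ttp_open(message, f, pairs):
    """T discloses the signer: index i of the member whose key verifies f."""
    for i, (pub, _) in enumerate(pairs):
        if verify(message, f, [pub])[0]:
            return i
    return None


if __name__ == "__main__":
    pairs, published = ttp_setup(t=8)
    document = b"constructed sample document M"
    signer = secrets.randbelow(8)          # step 4: random choice of F
    f = sign(document, pairs[signer][1])
    print("valid, keys tried:", verify(document, f, published))
    print("rejected after:", verify(b"another document", f, published))
    print("opened by T: F_%d" % (ttp_open(document, f, pairs) + 1))
```

A rejected signature always costs t modular exponentiations, which is the worst case the paragraph describes. The position at which `verify` succeeds carries no name, but it is the same for every signature by the same member, so such signatures can be linked to one another.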
Besides the schemes already mentioned, there exist several patents related to group signatures: [HCW06], [KT08], [MFM09], [MCGT10] and [Ter08].
Problems with existing solutions:
The protocols mentioned above show some limitations.
For example, the schemes described in [ACJ00], [AM03], and [NS04] have a security problem (see [SG02] for an extended explanation). Moreover, the security of the schemes presented in [BBX04] and [CL04] is tested under artificial and unlikely conditions (see [BB04]).
Several patents display some drawbacks as well. Among them is the differing definition of the term "group signature". In many cases this term is used in a different sense from the one used in this document.
In [HCW06], a method is proposed that makes it possible to generate group signatures for any message m under the condition that 1 < m ≤ n, with n a composite number, the product of at least 2 distinct primes. This scheme uses the RSA system, since the signature is computed as $f = m^d$, d being the user's private key. Actually, it is a multi-signature, rather than a group signature.
The invention presented in [KT08] consists of a method and apparatus that generates a unique digital signature of an S/MIME signed message, further transmitted by a member of the group of signers. In fact, [KT08] is not useful to sign on behalf of a group.
In [MFM09], a ring-signature scheme is adapted so that at least one of the variability parameter values used is an identity trace of the anonymous signer, determined as a function of anonymity withdrawal data stored and held secret by an anonymity withdrawal entity in connection with an identification of the anonymous signatory. This provides a subsequent controlled capacity of withdrawing the anonymity of the signatory, either by an authority, or by the signatory himself. As is well known, the ring signatures do not comply with the requirements of group signatures since there is no central authority and the anonymity cannot be eliminated, unless otherwise stated by the signer. For this reason, for [MFM09] the ring signature scheme has been conveniently modified: each potential signer has her public-private key pair, associated with the RSA system. However, this invention is slow, and requires much memory and computation.
[MCGT10] discloses a method allowing any group member (by means of personal data) to generate a message signature that can be used to prove before a judge or verifier that the message has been in fact originated by a group member. The invention is characterized by the fact that the personal data are conveyed by some physical electronic device, such as a smart card. This device has a built-in system, based on RSA and AES, which is able to encrypt the personal data and to sign the message, which are further concatenated. In practice, the use of personal data can be considered as a drawback and the overall system performance is lower than that of our invention.
The objective of the patent [Ter08] is to provide a group signature scheme where an open means is provided to not an issuer but an opener and a data required for operating the open means does not include a key pair of the issuer, so that it is possible to accurately operate the open means even if the issuer generates the public key in an illegal manner. The implementation can be based on the Discrete Logarithm; in that case, the system works similarly to those systems based on the ElGamal scheme.
Next, some technical definitions useful to understand the present invention are given:
Digital signature: It is a cryptographic primitive for demonstrating the authenticity of a digital message or document. The purpose of a digital signature is to provide a means for an entity to bind its identity to a piece of information.
Discrete logarithm problem: Given a prime number p, a generator g of $\mathbb{Z}_p^*$ and an element y in $\mathbb{Z}_p^*$, find the integer x, 0 < x ≤ p-2, such that $g^x = y \pmod{p}$.
Group signature: A digital signature carried out by one single signer on behalf of a group of signers.
Hash function: It is a computationally efficient function mapping binary strings of arbitrary length to binary strings of some fixed length.
Integer factorization problem: Given a positive integer n, find its prime factorization; that is, write $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, where the $p_i$ are pairwise distinct primes and each $e_i \geq 1$.
Subgroup discrete logarithm problem: Let p be a prime and q a prime divisor of p-1. Let G be the unique cyclic subgroup of $\mathbb{Z}_p^*$ of order q, and let g be a generator of G. The subgroup discrete logarithm problem in G is the following: Given p, q, g and y in G, find the unique integer x, 0 < x ≤ q-1, such that $g^x = y \pmod{p}$.
Description of the Invention
It is necessary to offer an alternative to the state of the art that overcomes the above mentioned problems from which existing solutions suffer.
To that end, the present invention provides a method to perform a group digital signature, comprising:
i) generating, by a Trusted Third Party, a private key for each member of a group;
ii) randomly selecting, by said Trusted Third Party, one member of said group to act as a signer in charge of signing a digital document on behalf of the group;
iii) elaborating, by said signer, a group digital signature using his private key to sign said digital document; and
iv) verifying said group digital signature.
Contrary to known proposals, the method of the invention comprises generating, by said Trusted Third Party, a common public key for all of said group members and using said common public key for performing said group digital signature verification of step iv).
In the present description the term "group signature" is defined as a signature carried out by one single signer on behalf of a group of signers.
The method of the invention allows generating the keys for a Trusted Third Party, who will generate the common public key and the private keys of each user in a given group of users. One of the users will sign a document on behalf of the group in such a way that it will be possible to verify that one user of the group did sign the document but it will not be possible to determine its identity within the group.
Once the group signature is performed, anyone knowing the common public key of the group of users will be able to verify the correctness of the group signature or else to declare it invalid.
Other embodiments of the procedure of the invention are described according to appended claims 2 to 6, and in a subsequent section related to the detailed description of several embodiments.
Brief Description of the Drawings
The previous and other advantages and features will be more fully understood from the following detailed description of embodiments, with reference to the attached drawings (some of which have already been described in the Prior State of the Art section), which must be considered in an illustrative and non-limiting manner, in which:
Figure 1 shows a general scheme of a digital signature procedure representative of the protocol of a standard digital signature procedure;
Figure 2 shows the flowchart for a generic group signature scheme, indicating the actors and the process followed in order to perform a group signature.
Figure 3 shows, by means of a flowchart, the proposed scheme for a group signature according to an embodiment of the method of the invention, showing the actors and the process to elaborate a group signature.
Figure 4 shows an architecture of a system implementing the procedure of the invention for an embodiment.
Detailed Description of Several Embodiments
As already mentioned when dealing with existing technologies, the general process for devices permitting a group signature (see Figure 2) follows the next steps:
1. Generation of the keys, performed by the TTP.
2. Verification of the signers' keys.
3. Elaboration of the group signature, performed by one of the group members.
4. Verification of the group signature.
In this invention, a procedure is presented that permits to carry out all the steps mentioned above. It is important to remark that steps 1 (generation of the keys, performed by the TTP) and 2 (verification of the signer's keys) above are part of the procedure but not of the invention. For this reason, both of them are not claimed.
One of the group members, randomly chosen, signs a document on behalf of the group, by using her own private key. Using a public key, which is shared by all the group members, the verifier is able to check both that the signature is valid and that it has been elaborated by one of the group members. However, the verifier cannot tell which particular member actually signed the document.
Let $G = \{F_1, F_2, \ldots, F_t\}$ be the group of individuals allowed to sign a document and let T be a Trusted Third Party (TTP). The TTP generates both its own keys and the keys for each group member. The TTP will be able to determine which group member actually signed a document, if such information must be revealed before the judge, or in case of dispute.
The invention presented here guarantees that a true group signature is generated for a given message. Moreover, the invention improves existing protocols in terms of user friendliness, computational efficiency, time and bandwidth saving.
For a given set $F_1, F_2, \ldots, F_t$ of t users, a group signature or signature on behalf of a group is a procedure whereby a randomly chosen member of the group
$G = \{F_1, F_2, \ldots, F_t\}$
signs a document on behalf of the group by following a specific protocol. The so-elaborated signature can be verified by anyone in the knowledge of the original document (or a hash thereof, m), the signature, and the public key associated to the protocol.
As previously mentioned, these digital signature protocols need a Trusted Third Party, T, which generates both its own keys and the keys of each signer. This invention presents a protocol to elaborate a signature.
The protocol is divided into several phases, as follows (see Figure 3):
1. Generation of the keys.
2. Verification of the keys.
3. Elaboration of the group digital signature.
4. Verification of the digital signature.
As it was mentioned above, phases 1 (generation of the keys) and 2 (verification of the keys) are part of the procedure but not of the invention. For this reason, both of them are not claimed.
In the following, a detailed description of each phase will be presented.
1. Generation of the keys
First of all, the keys of T and then the keys of the signers must be generated.
The steps to generate the keys of T are the following:
1. T chooses two large prime numbers p and q verifying the following conditions:
Figure imgf000012_0001
where $r$, $p_1$, $q_1$ are prime numbers and $u_1$, $u_2$ are even integer numbers, whose greatest common divisor (gcd) is
Figure imgf000012_0002
i.e., $u_1 = 2 v_1$ and $u_2 = 2 v_2$.
To guarantee the security of the protocol, the size of r, i.e., its bitlength, must be sufficiently large so as to render computationally infeasible the Subgroup Discrete Logarithm Problem (SDLP) with order r of the integers modulo n, $\mathbb{Z}_n^*$.
2. T computes
$n = p \cdot q$,
$\varphi(n) = (p-1)(q-1) = u_1 u_2 \cdot r^2 \cdot p_1 q_1$,
$\lambda(n) = \mathrm{lcm}(p-1, q-1) = 2 v_1 v_2 \cdot r \cdot p_1 q_1$,
where lcm represents the least common multiple, $\varphi(n)$ is Euler totient function, and $\lambda(n)$ is the Carmichael function.
3. Next, T chooses an integer number $\alpha \in \mathbb{Z}_n^*$ with multiplicative order r, modulo n, and meeting the condition
$\gcd(\alpha, \varphi(n)) = \gcd(\alpha, u_1 u_2 \cdot r^2 \cdot p_1 q_1) = 1$.
Let $S_r$ be the subgroup of $\mathbb{Z}_n^*$ generated by $\alpha$. Obtaining the generator $\alpha$ can be carried out in an efficient way, i.e., in a polynomial time, just by following Lemma 3.1 of [Sus09].
Indeed, according to this lemma, the first step is to determine an element $g \in \mathbb{Z}_n^*$ whose order is $\lambda(n)$. The procedure consists in randomly choosing an element $g \in \mathbb{Z}_n^*$ and verifying that g raised to all the possible divisors of $\lambda(n)$, modulo n, is different from 1 in all cases.
This procedure is fast since the factorization of $\lambda(n)$ is known and it has only a few prime factors, so the list of its divisors can be easily computed. In case the randomly chosen element does not verify this condition, another one has to be chosen and the procedure repeated. Once the element g with order $\lambda(n)$ has been determined, the searched-for generator $\alpha$ is computed as:
4. T generates a random secret number s > r in $S_r$ and computes
$\beta = \alpha^s \pmod{n}$. (1)
The values (α, β, r, n) are made public, whereas T keeps the values (p, q, s) in secret. Though the factor r of p-1 and q-1 is known and n is the product of two primes, p and q, currently there is no efficient algorithm capable of calculating the two factors of n (an algorithm is deemed efficient if the output can be obtained in polynomial running time; otherwise, algorithms with exponential or sub-exponential running times are considered inefficient).
To generate the keys of the members of the group G, T carries out the next process:
1. First of all, T determines its private key by randomly generating four integer numbers
Figure imgf000013_0001
Next, it obtains the common public key for all the signers by computing
$P = \alpha^{a_0} \cdot \beta^{b_0} \pmod{n}$, (2)
(3)
From the expressions above, T determines the following values:
$P = \alpha^{a_0} \cdot \beta^{b_0} \pmod{n} = \alpha^{a_0 + s \cdot b_0} \pmod{n}$,
$Q = \alpha^{c_0} \cdot \beta^{d_0} \pmod{n} = \alpha^{c_0 + s \cdot d_0} \pmod{n}$.
Since both P and Q are elements of the subgroup $S_r$, this means that there exist integer numbers $k, h \in \mathbb{Z}_r$, such that
$h = (a_0 + s \cdot b_0) \pmod{r}$,
$k = (c_0 + s \cdot d_0) \pmod{r}$.
2. Next, T determines the private key for each signer $F_i \in G$, with $i = 1, \ldots, t$, taking into account that all of them will share a common public key (P, Q). For each group member, it computes four integer numbers $a_i, b_i, c_i, d_i \in \mathbb{Z}_r$, verifying
$h = (a_i + s \cdot b_i) \pmod{r}$,
$k = (c_i + s \cdot d_i) \pmod{r}$,
or, equivalently,
$a_i = (h - s \cdot b_i) \pmod{r}$, (4)
$c_i = (k - s \cdot d_i) \pmod{r}$. (5)
Therefore, since T knows the values s, h, and k, it determines t private keys for the signers $F_i$ by simply generating t pairs of random numbers, $b_i, d_i \in \mathbb{Z}_r$ and, then, computing the corresponding values for $a_i, c_i \in \mathbb{Z}_r$ according to the equations (4) and (5).
Once T has obtained the private keys, it distributes them to the signers via some secure channel.
2. Verification of the keys
To verify that the key of T is correct, each signer, $F_i \in G$, $i = 1, \ldots, t$, simply checks that:
$\alpha \neq 1 \pmod{n}$,
$\alpha^r = 1 \pmod{n}$.
Moreover, each signer must check if the known public key corresponds to her private key. To do this, each signer has to verify if the two following equations hold:
$P = \alpha^{a_i} \cdot \beta^{b_i} \pmod{n}$,
$Q = \alpha^{c_i} \cdot \beta^{d_i} \pmod{n}$.
Following this procedure, each participant in the group signature protocol is in possession of a private key, and all participants share a common public key.
3. Elaboration of the group digital signature
The Trusted Third Party chooses randomly one of the group members, be it $F_i$, in G. Next, it determines the hash of the message to be signed, H(M) = m, and signs it by computing the group signature as follows:
Figure imgf000015_0001
Last, T publishes the pair $(f, g) = (f_i, g_i)$, as the group G signature of the message M.
4. Verification of the digital signature
Let (f, g) be the digital signature corresponding to the message hash m for the group G. To verify the validity of such signature, the verifier must proceed as follows. First, the verifier obtains the public key, (P, Q), corresponding to the group G. Next, it suffices to check whether the following equality holds:
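$P \cdot Q^m = \alpha^f \cdot \beta^g \pmod{n}$.
Actually, if the equality holds then the signature is valid, since
$P \cdot Q^m = \alpha^{a_i} \cdot \beta^{b_i} \cdot (\alpha^{c_i} \cdot \beta^{d_i})^m \pmod{n} = \alpha^{a_i + m \cdot c_i} \cdot \beta^{b_i + m \cdot d_i} \pmod{n} = \alpha^f \cdot \beta^g \pmod{n}$.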
5. Security of the group signature
The scheme proposed in this invention is secure, since no member of the group G is able to determine either the secret value s or the private key of the TTP.
a) In fact, computing s from $\alpha$ and $\beta = \alpha^s \pmod{n}$ (see equation (1)) would require the computation of discrete logarithms in the $\alpha$-generated subgroup $S_r$, of order r, and r was chosen so as to render the SDLP intractable.
b) The private key $(a_0, b_0, c_0, d_0)$ of T was randomly generated. Actually, the equations (2) and (3) hold for these values but computing them is also intractable, since it would imply solving the DLP.
c) Any two members of the group G, say $F_i$ and $F_j$, could conspire in order to obtain the secret value s of T. Each one of them could sign a fixed message obtaining the signatures, say $(f_i, g_i)$ and $(f_j, g_j)$. Then, they compute:
Figure imgf000016_0001
$\alpha^{f_i - f_j} = \alpha^{s (g_j - g_i)} \pmod{n}$
However, since the order of $\alpha$ modulo n is r, then
Figure imgf000016_0002
and, hence, they get the following value
$s' = (f_i - f_j) \cdot (g_j - g_i)^{-1} \pmod{r}$.
However, the value s' differs from s since s > r, with $s \in S_r \subset \mathbb{Z}_n^*$ and $s' \in \mathbb{Z}_r^*$, with $n \gg r$.
The global architecture of a system implementing the procedure proposed in this invention is depicted in Figure 4, for an embodiment.
Next, a possible implementation of the complete group signature procedure is described, beginning with the key generation until the signature verification, stepping through the generation of the signature. In this implementation the current recommended key sizes will be used in order to avoid possible attacks. Such attacks can be mounted either if it were possible to factorize the modulus n (Integer Factorization Problem), or if it were possible to solve the Discrete Logarithm Problem, either in the multiplicative subgroup of integer numbers modulo n or in a subgroup of order r. Suppose that the group of signers consists of t = 5 members: $G = \{F_1, F_2, F_3, F_4, F_5\}$ and that T is the Trusted Third Party.
1. Generation of the keys
Following the steps mentioned in the previous sections, T generates its own private key and the public key. In order to show an example which can be used in practical applications, with warranties of security, a number r with 192 bits has been generated, which makes the discrete logarithm problem infeasible in a subgroup of order r. Besides, the prime numbers p and q have been generated to have approximately 512 bits each, which means that n has around 1024 bits. This size is big enough to guarantee its security against the factorization attacks during a reasonable time (the digits of each number have been separated into groups of 10 to improve legibility). The calculated values are the following:
$u_1$ = 34 = 2 · 17,
$u_2$ = 92 = 2 · 46,
r = 5196327729 7212780082 4848913362 2135332644 9216681008 58471147,
$p_1$ = 2028030256 8624283012 4917097720 9990926008 1778040407 0833743250 8411552997 5896618235 6493244941 0114807,
$q_1$ = 1383267238 8083602865 6088052772 3360516183 2923846298 4673026119 7962825109 1940681433 8179650989 2194549,
p = 3583025352 5523207970 9356443848 9739083662 8681740844 7277976277 9970616586 5447536616 7403235326 3974113364 9332978571 4305849991 1196721619 4346808025 4032680077 103387,
q = 6612877117 7840782959 2482914689 4056162094 7923138658 3375138116
7095506192 9552960216 8655806913 9429106295 0100969439 6903737016 4875673000 0462980089 4112076100 348677,
n = 2369410636 6333472157 0279162522 3265024454 3745068299 0936304998
6644279605 2216764909 4596790023 2779151836 5681758028 1475578173
8081159949 5241657168 8724667837 0631434633 1727045533 1896986032
7171936812 4846595370 6087676670 7393446416 2920016216 0102642221
2628222865 0029175235 5574874469 7936927230 9061086193 7352777702 9948776689 99,
φ(n) = 2369410636 6333472157 0279162522 3265024454 3745068299 0936304998
6644279605 2216764909 4596790023 2779151836 5681758028 1475578173
8081159949 5241657168 8724667837 0631424437 2702342169 1987684193
3586553017 2389018765 7292646017 6249499350 1692221215 5134306162 2205819461 7832575801 6094763260 2066851158 5114891383 9471629558 2387002169 36,
λ(n) = 2279889529 5624842025 0564697110 6664790296 5569615758 5687024706
7558976288 6870103849 0869858508 9424366650 9701841095 9948209301
5685993352 5851815894 1821280462 6749131753 6173614621 4316553449 4947413447 4462654398 4562121360 0477629718 4131725282 2242458184 7267613757 4044.
Then T determines an element, g, in the group of integers modulo n, $\mathbb{Z}_n^*$, whose order is λ(n), and computes the element, $\alpha \in \mathbb{Z}_n^*$, of order r.
g = 6079318766 2986796287 0007977731 1862235207 4445856138 0231899149 5774688205 8571151224 5379513946 3465899529 7629149469 8738881432 7092495744 2014011430 6452298559 5837148062 3223570321 1246080863 8620308474 1211868723 8171601682 6840575721 9008403383 2065415409 4371455844 6131628250 8442318044 3471825171 4396414097 0291128632 0782852649 2,
α = 1367564182 4033610260 0495280576 7420842676 8287195239 0233472697 1916347971 3979505094 3642389948 2653639814 9026918385 0736850236 9757062812 1638110173 3904619494 1041274736 7750086756 4943939381 6216777468 7068215125 8169301237 3397103889 8395685305 7355517115 7894840723 9702895081 4465244741 2119441623 6438825980 7605306745 6179684654 7.
Subsequently, T generates a secret number $s \in S_r$. To achieve this, it generates a random number, z, in the range [1, r] and computes $s = \alpha^z \pmod{n}$. Then, it determines the element β:
z = 4713658101 7409167224 1142496711 8332602621 2793905993 24379912, s = 1585746780 5269067300 7933645724 8967015527 9838982770 1279763950 2590148357 1963787196 3948637783 3416367703 4001959902 4692205809 3413173591 6691873990 5078914274 6726839667 1174004262 2033806000 7817705947 3452504019 6230047079 7953885522 0274335694 7206830011 1930792201 3823780217 3944205729 9182407986 7576676015 2866532316 3184671843 86,
β = 1901252829 3242521658 5096999145 8430186762 0141372828 8055465598 3793301373 2578581115 1574791997 6954083566 4380158002 6354548744 2233477774 3799357310 1119331834 5172543184 8212732727 2677129698 5449221730 0628514918 5270759863 3847617316 9101112119 6087752277 6586337221 0233970579 6105677764 3286911277 2559077381 5849672544 8197917407 84.
T determines its private key, $a_0, b_0, c_0, d_0 \in \mathbb{Z}_r$ and the public key, (P, Q), which will be shared by all signers in the group G:
$a_0$ = 2851470515 8070556667 6188814197 9230706395 5633135103 98864021,
$b_0$ = 3871692298 3490241676 2100311099 7045266628 2845940533 75975881,
$c_0$ = 1250361890 7338822746 5235333397 2625961733 7110909230 81656835,
$d_0$ = 4854925496 4785812096 9396766705 0103771180 2586686698 1758690,
P = 1226458762 4175407165 4051082387 1553818459 1598871990 4675567454
9670283196 4320692391 1611779270 2373692361 7846971407 8865007637
6391593968 2090275901 7750095104 8721273004 0817313882 2214546153 9470395358 4876291347 0933634186 5534838215 2543262919 7979623531
7314657081 7644049726 9331991569 3961121667 7706643586 6011002403 3573611685 98,
Q = 1665567910 7051229440 5936855255 5459822448 0387667463 6073700364
2485848931 9637920347 6571603265 1246134221 2407959462 4717449986 2434868723 0802677050 4358873236 2610930359 0961055894 0789864769
8680793795 2990988175 3035373059 1963401532 8728418038 7655281422
8922019579 7261119084 6795757324 3510158991 8731540560 6953777900 5866751462 51.
T broadcasts the values (α, β, n, r).
The next step is the calculation of the private keys of the signers of the group G. To do so, T calculates, in the first place, the following values:
h = 1113594031 8537712759 8124811264 7511481251 3165082263 18956218, k = 7645981190 6907469606 9780226135 1488448627 6736518190 3762615.
Finally, T generates random values $b_i, d_i \in \mathbb{Z}_r^*$, with $i = 1, \ldots, 5$, and determines the corresponding values for $a_i$ and $c_i$. In this way, it obtains the 5 private keys, which will be distributed via a secure channel to each of the signers of the group:
(a1, b1, c1, d1) = (9479193074 2466673250 0634860276 3943818730 4116012949 4952436, 4301760524 6488056343 6683482412 6114962548 2702116042 12840856, 2979008705 2077810470 3193418338 1577854476 5341402439 64385827, 5149141898 9810007125 5381706490 8786375894 2847279054 78622779),
(a2, b2, c2, d2) = (3010140312 4934156505 7125465680 4869003288 5082440003 81031466, 6594843413 5490440166 4484106044 7753596711 3287485785 8952323, 1682895911 4519780206 8229290917 3191198386 9614555863 74806087, 1323473114 8161819659 2881035741 2074512927 9273132360 55494277),
(a3, b3, c3, d3) = (4836736540 7039577719 5091696231 3781699510 7745955366 19214332, 4923959429 6583787879 8856884940 2795390361 3394207522 27899026, 3182589277 0974074122 8808824677 4298378445 5515681187 01723599, 3090586737 5349950405 9938048150 8025032564 6581174412 54195906),
(a4, b4, c4, d4) = (3191510562 4343544216 2249837614 1865586533 2451137671 9229447, 2317496376 4788189350 9391095274 8545719917 0057279761 10944450, 3920175057 4468125384 9387692633 6252461429 4125190461 91997478, 2484680209 6165988309 3927117852 4378624954 9728688978 62713852),
(a5, b5, c5, d5) = (1764981422 1800430392 9194620558 2932409511 3545719870 78142692, 2969747205 3508890348 7533120624 1667568859 6375484360 2785686, 5100875944 6457789426 1242532111 9520492788 4522110733 05695885, 9692033568 7059209502 6100039850 3589986984 46061762).
2. Verification of the keys
To verify both the key of T and the shared public key, it suffices that each signer just checks the following equalities:
$\alpha \neq 1 \pmod{n}$,
$\alpha^r = 1 \pmod{n}$,
Figure imgf000020_0001
$Q = \alpha^{c_i} \cdot \beta^{d_i} \pmod{n}$.
3. Elaboration of the group signature
Assume that the message to be signed is the following:
"Ejemplo de mensaje a firmar con firma en nombre de un grupo"
The hash for this message, computed using the MD5 hash function, yields the following 160-bit result, expressed in hexadecimal and decimal, respectively:
m = 9c ec 27 95 0d 94 9d 7f 3a be a7 6b cd d0 cc 11
= 2085857522 2423482244 1347134656 246500369.
T randomly chooses one of the members, the second for example. This signer's signature is:
(f, g) = (f2, g2) = (3738700843 5180238287 7240373797 3862403206 8446309874 54969275, 4851882837 8284593233 8822347014 7866172039 9022155598 71520407).
4. Verification of the group signature
To verify the validity of the previous signature, any verifier in the knowledge of the hash, m, and the public key, (P, Q), has to check the following equality:
$P \cdot Q^m = \alpha^f \cdot \beta^g \pmod{n}$,
which is immediate, since both sides in the equality are:
7226358811 7679130110 6290398898 2601254475 7169925672 5283234060 9391467192 6653770575 7429123255 0896510955 7868587451 9573256644 2567828104 0207863021 6026845753 0918869684 6333651455 6337178119 6462482598 1572657201 7634003862 2192804379 5623719366 6112433138 3563203426 3810189932 7060204871 4980943789 3713986455 4777545955 5067471910 5.
5. Security
In the case that any two signers, for example, F2 and F3, try to conspire in order to obtain the secret value, s, of T, they would join their respective signatures, (f2, g2) and (f3, g3), and compute
$s' = (f_2 - f_3) \cdot (g_3 - g_2)^{-1} \pmod{r}$ =
1648311949 6452759530 1243710909 1236881133 1380800474 69066335, but this is not the actual value of s:
s = 1585746780 5269067300 7933645724 8967015527 9838982770 1279763950 2590148357 1963787196 3948637783 3416367703 4001959902 4692205809 3413173591 6691873990 5078914274 6726839667 1174004262 2033806000 7817705947 3452504019 6230047079 7953885522 0274335694 7206830011 1930792201 3823780217 3944205729 9182407986 7576676015 2866532316 3184671843 86.
Any other pair of signers would obtain the same value s', should they try to mount the same attack. Therefore, no more information is leaked even if the number of conspirers increases.
Finally, the same kind of conspiracy for signatures of different messages would not provide any improvement either, because the value obtained signing different messages is the same, as before.
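The four phases and the computation of s' from section 5, as an added Python example (not the patent's Maple notebook and not the authors' code). Its assumptions: toy-sized constructed parameters (32-bit r, v1 = 17, v2 = 23), SHA-256 as the hash, the signing formula f = a_i + c_i·m, g = b_i + d_i·m (mod r) read off the verification identity, and hypothetical function names throughout.

```python
import hashlib
import math
import random

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; these bases are deterministic for the toy sizes used here."""
    if n < 2 or any(n % q == 0 for q in BASES):
        return n in BASES
    d, e = n - 1, 0
    while d % 2 == 0:
        d, e = d // 2, e + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(e - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

def ttp_setup(rng, v1=17, v2=23, r_bits=32, cof_bits=16):
    """Phase 1, TTP keys: public (alpha, beta, r, n) and secret s. v1, v2: distinct odd primes."""
    r = random_prime(r_bits, rng)
    def cofactor(v, avoid=0):             # prime c such that 2*v*r*c + 1 is prime
        while True:
            c = random_prime(cof_bits, rng)
            if c != avoid and is_prime(2 * v * r * c + 1):
                return c
    p1 = cofactor(v1)
    q1 = cofactor(v2, avoid=p1)
    p, q = 2 * v1 * r * p1 + 1, 2 * v2 * r * q1 + 1
    n, lam = p * q, 2 * v1 * v2 * r * p1 * q1      # lam = lcm(p-1, q-1)
    while True:                           # g of order lam, then alpha = g^(lam/r) of order r
        g = rng.randrange(2, n)
        alpha = pow(g, lam // r, n)
        if (g % p and g % q and math.gcd(alpha, (p - 1) * (q - 1)) == 1
                and all(pow(g, lam // l, n) != 1 for l in (2, v1, v2, r, p1, q1))):
            break
    s = 0
    while s <= r or s % r == 0:           # s = alpha^z lies in S_r; require s > r
        s = pow(alpha, rng.randrange(1, r + 1), n)
    return (alpha, pow(alpha, s, n), r, n), s

def ttp_group_keys(pub, s, t, rng):
    """Phase 1, group keys: common public key (P, Q) and t member keys (a, b, c, d)."""
    alpha, beta, r, n = pub
    a0, b0, c0, d0 = (rng.randrange(1, r) for _ in range(4))
    P = pow(alpha, a0, n) * pow(beta, b0, n) % n
    Q = pow(alpha, c0, n) * pow(beta, d0, n) % n
    h, k = (a0 + s * b0) % r, (c0 + s * d0) % r
    keys = []
    for _ in range(t):
        b, d = rng.randrange(1, r), rng.randrange(1, r)
        keys.append(((h - s * b) % r, b, (k - s * d) % r, d))   # equations (4) and (5)
    return (P, Q), keys

def check_key(pub, PQ, key):
    """Phase 2: the checks a signer runs on the TTP key and on her own private key."""
    alpha, beta, r, n = pub
    a, b, c, d = key
    return (alpha % n != 1 and pow(alpha, r, n) == 1
            and PQ[0] == pow(alpha, a, n) * pow(beta, b, n) % n
            and PQ[1] == pow(alpha, c, n) * pow(beta, d, n) % n)

def sign(key, m, r):
    """Phase 3: (f, g) = (a + c*m, b + d*m) mod r, taken from the verification identity."""
    a, b, c, d = key
    return (a + c * m) % r, (b + d * m) % r

def verify(pub, PQ, m, sig):
    """Phase 4: accept iff P * Q^m == alpha^f * beta^g (mod n)."""
    alpha, beta, r, n = pub
    f, g = sig
    return PQ[0] * pow(PQ[1], m, n) % n == pow(alpha, f, n) * pow(beta, g, n) % n

def collusion_value(sig_i, sig_j, r):
    """Section 5: s' = (f_i - f_j) * (g_j - g_i)^-1 (mod r), two signatures on one message."""
    (fi, gi), (fj, gj) = sig_i, sig_j
    if (gj - gi) % r == 0:
        raise ValueError("g_i = g_j (mod r): quotient undefined")
    return (fi - fj) * pow((gj - gi) % r, -1, r) % r

def demo(seed=2012, t=5):
    rng = random.Random(seed)
    pub, s = ttp_setup(rng)
    PQ, keys = ttp_group_keys(pub, s, t, rng)
    m = int.from_bytes(hashlib.sha256(b"constructed sample message").digest(), "big")
    return pub, s, PQ, keys, m, [sign(k, m, pub[2]) for k in keys]
```

Comparing `collusion_value(...)` with `s % r` and `pow(alpha, s_prime, n)` with β is the check to run on the statement that s' is not s: α has order r, so exponents of α only matter modulo r.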
6. Operation and implementation issues
The scheme proposed to perform group digital signatures has been implemented as a "Notebook" of the software application Maple v.13 in a computer with an Intel® Core™2 Quad CPU Q4900 processor at 2.66 GHz, with the operating system Windows 7 of Microsoft with 64 bits and with a 4 GB RAM.
Since each user needs her own private (secret) key, more keys must be generated, so more time is needed. In spite of this, once the key generation phase is over, the signing running time depends only on the length of the key to be used, since the scheme computes only one signature in all cases, irrespective of the number of members in the group.
Advantages of the Invention:
The proposed scheme enjoys the following properties:
1. Security is based upon three computationally-intractable mathematical problems: the Integer Factorization Problem (IFP), the Discrete Logarithm Problem (DLP), and the Subgroup Discrete Logarithm Problem (SDLP).
2. It is efficient since all the operations run in polynomial time.
3. The memory requirements are modest. Moreover, the number of keys is equal to one plus the number of users, who only possess their private (therefore, secret) key. The public key is common for all of them.
4. The verifier is able to check the validity of the group signature, since this process only requires the knowledge of the public key. However the verifier is not able to spot the actual signer, for this would imply the knowledge of the signers' private keys.
5. In case of dispute, the TTP could "open" a signature and reveal the actual signer. This is possible because the TTP is in possession of the private keys of all signers.
6. A new user can join the group at any time with no disruption of the scheme. In fact, it suffices that T determines a fresh private key for the user who has just joined the group, thus becoming eligible for the group signature process, if she happens to be randomly
Applications of the invention
The invention is applicable whenever it is required that a person signs a document on behalf of a group of persons. Among others, these applications can be mentioned:
• Any process requiring a digital signature and involving several signers.
• Access to specific resources for which some credentials or special permissions are required. The permission or credentials can be considered equivalent to the possession of a private key associated to a given public key.
• Corporative digital signatures, business-to-business or business-to-customer digitally-signed agreements.
• Digital signatures between companies or citizens and Government offices.
• Digital signatures for signing contracts.
• Signing of agreements, acts, and/or joint ventures, among several entities.
These applications may prove very useful in several settings:
• Electronic governance (local, regional, or national public administration). Any time a committee, composed out of several members, must digitally sign a jointly-elaborated document, it may take advantage of the present invention: a single member of the committee would be able to sign on behalf of the full committee. The process becomes much simpler, faster and more flexible, since the task of signing can be passed on to a single signer. The verification guarantees the validity of the so-signed document.
• Corporations. In this case, examples of groups could be several companies as members of a joint venture, or several persons as members of a committee inside a company. In these and similar cases, they may take advantage of the present invention to digitally sign documents or agreements involving all the parties. Clearly, it is more convenient if the signature process can be passed on to one of the members, who will act as a representative of the group in the signature process. Remark that the representative may change at any time with no impact in the process.
• Resources usage. The present invention can be used to restrict the access to a set of given resources to sets of users fulfilling certain special properties (such as being members of a given department, having special offices or status, and so on). Only if a user is in possession of a private key, which identifies her as a member of a specific group, then she is able to access the resources available to such group.
• Notary public documents. Most notarial documents (purchase and sale documents, mortgages, declarations of heirship, and the like) need the signatures of all the involved parties, and the signature of the notary public attesting the validity of the process as well. The proposed invention may prove useful when one of the parties is formed by a group of persons, represented by a single individual thereof.
• Banking. In a similar way, bank-related processes often require signing documents where several parties are involved, including the bank. The invention may prove useful in this setting as well.
• Internet. The growing internet usage may lead to the necessity of signing on-line agreements or documents. The proposed invention may be conveniently used since the involved parties can be represented by a single member of each of the two parties, who will actually sign the on-line agreement or document on behalf of their respective party.
A person skilled in the art could introduce changes and modifications in the embodiments described without departing from the scope of the invention as it is defined in the attached claims.
ACRONYMS
DLP Discrete Logarithm Problem
IFP Integer Factorization Problem
SDLP Subgroup Discrete Logarithm Problem
TTP Trusted Third Party
REFERENCES
[ACJOO] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, A practical and provable secure coalition-resistant group signature scheme, Lecture Notes in Comput. Sci. 1880 (2000), 255-270.
[AM03] G. Ateniese and B. de Medeiros, Efficient group signatures without trapdoors, Lecture Notes in Comput. Sci. 2894 (2003), 246-268.
[BSZ05] M. Bellare, H. Shi, and C. Zhang, Foundations of group signatures: the case of dynamic groups, Lecture Notes in Comput. Sci. 3376 (2005), 136-153.
[BB04] D. Boneh and X. Boyen, Short Signatures Without Random Oracles, Lecture Notes in Comput. Sci. 3027 (2004), 56-73.
[BBX04] D. Boneh, X. Boyen, and H. Shacham, Short group signatures, Lecture Notes in Comput. Sci. 3152 (2004), 41-55.
[CL04] J. Camenisch and A. Lysyanskaya, Signature Schemes and Anonymous Credentials from Bilinear Maps, Lecture Notes in Comput. Sci. 3152 (2004), 56-72.
[Cha85] D. Chaum, Showing credentials without identification, Lecture Notes in Comput. Sci. 219 (1985), 241-244.
[CH91] D. Chaum and E. van Heyst, Group signatures, Lecture Notes in Comput. Sci. 547 (1991), 257-265.
[CHY05] L. Chen, X. Huan, and Y. You, Group signature schemes with forward secure properties, Appl. Math. Comput. 170 (2005), 841-849.
[EIG85] T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithm, IEEE Trans. Inform. Theory 31 (1985), 469-472.
[FC04] X. Fu and C. Xu, A new group signature scheme with unlimited group size, Progress on Cryptography. 25 Years of Cryptography in China, Kluwer Academic Publishers, 89-96, New York, 2004.
[HCW06] D.W. Hopkins, T.W. Collins, and S.W. Wierenga, (Hewlett-Packard Development Company, L.P., Houston, TX, USA), Group signature generation system using multiple primes, United States Patent: US 7093133B2, Aug. 15, 2006.
[KT08] M. Kurosaki and N. Terao, (Fuji Xerox Co. Ltd, Tokyo, Japan), Group signature apparatus and method, United States Patent: US 7318156B2, Jan. 8, 2008.
[MOV97] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of applied cryptography, CRC Press, Boca Raton, FL, USA, 1997.
[MFM09] D.A. Modiano, L. Frish, and D. Mouton, (France Telecom, Paris, France), Electronic group signature method with revocable anonymity, equipment and programs for implementing the method, United States Patent: US 7526651B2, Apr. 28, 2009.
[MCGT10] D.A. Modiano, S. Canard, M. Girault, and J. Traore, (France Telecom, Paris, France), Cryptographic system for group signature, United States Patent: US 7673144B2, Mar. 2, 2010.
[NIST02] National Institute of Standards and Technology, Secure Hash Standard (SHS), Federal Information Processing Standard Publication 180-2, 2002.
[NS04] L. Nguyen and R. Safavi-Naini, Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings, Lecture Notes in Comput. Sci. 3329 (2004), 89-102.
[OOK90] K. Ohta, T. Okamoto, K. Koyama, Membership authentication for hierarchical multigroup using the extended Fiat-Shamir scheme, Lecture Notes in Comput. Sci. 473 (1990), 446-457.
[SKI90] H. Shizuya, S. Koyama, T. Itoh, Demonstrating possession without revealing factors and its applications, Lecture Notes in Comput. Sci. 453 (1990), 273-293.
[RSA78] R.L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978), 120-126.
[SG02] V. Shoup and R. Gennaro, Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Journal of Cryptology 15, 2 (2002), 75-96.
[Sus09] W. Susilo, Short fail-stop signature scheme based on factorization and discrete logarithm assumption, Theor. Comput. Sci. 410 (2009), 736-744.
[Ter08] I. Teranishi, (NEC Corporation), Group signature scheme, US 2008/0152130A1, Jun. 26, 2008.
[TW05] M. Trolin and D. Wikstrom, Hierarchical group signatures, Lecture Notes in Comput. Sci. 3580 (2005), 446-458.

Claims

1. - A method to perform a group digital signature, comprising:
i) generating, by a Trusted Third Party (T), a private key for each member ($F_1, F_2, \ldots, F_t$) of a group (G);
ii) randomly selecting, said Trusted Third Party (T), one member of said group (G) to act as a signer in charge of signing a digital document (M) on behalf of the group (G);
iii) elaborating, said signer, a group digital signature using his private key to sign said digital document (M); and
iv) verifying said group digital signature;
wherein the method is characterised in that it comprises generating, by said Trusted Third Party (T), a common public key for all of said group members ($F_1, F_2, \ldots, F_t$) and using said common public key for performing said group digital signature verification of step iv).
2. - A method as per claim 1, wherein said step iii) comprises elaborating, said signer, said group digital signature on a digest (m) of said document (M).
3. - A method as per claim 2, wherein said group digital signature elaboration of step iii) is computed as:
where
Figure imgf000029_0001
$c_i = (k - s \cdot d_i) \pmod{r}$;
$b_i$, $d_i$ are pairs of random numbers generated by said Trusted Third Party (T);
m is the digest or hash of the document (M) to be signed;
r is a prime number;
s is a random secret number generated by said Trusted Third Party (T);
$h = (a_0 + s \cdot b_0) \pmod{r}$;
$k = (c_0 + s \cdot d_0) \pmod{r}$; and
$a_0, b_0, c_0, d_0$ are integer numbers randomly generated by the Trusted Third Party (T).
4. - Method as per claim 3, wherein $a_i, c_i, b_i, d_i \in \mathbb{Z}_r$ where $\mathbb{Z}_r$ is the set of integers modulo r, s > r and belongs to a subgroup $S_r$ of $\mathbb{Z}_n$; where $\mathbb{Z}_n$ is the set of integers modulo n and $a_0, b_0, c_0, d_0 \in \mathbb{Z}_r$ are the Trusted Third Party (T) private keys.
5. - Method according to claim 4, comprising verifying, at iv), the group digital signature by checking whether the following equality holds:
$P \cdot Q^m = \alpha^f \cdot \beta^g \pmod{n}$
where P and Q form said common public key, f and g are the group digital signature, $\alpha \in \mathbb{Z}_n^*$ is an integer number chosen by the Trusted Third Party (T) with multiplicative order r, modulo n, and $\beta = \alpha^s \pmod{n}$.
6. - Method as per claim 5, where:
Figure imgf000030_0001
Q = a^'- * (mod n).
$\alpha = g^{2 v_1 v_2 p_1 q_1} \pmod{n}$;
$\beta = \alpha^s \pmod{n}$;
$n = p \cdot q$;
g is an element randomly chosen which meets $g \in \mathbb{Z}_n^*$ whose order is $\lambda(n)$; $q_1$ are prime numbers;
$u_1$ and $u_2$ are integer numbers, where $u_1 = 2 v_1$ and $u_2 = 2 v_2$;
$v_1$, $v_2$ are coprime;
Figure imgf000030_0002
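$\varphi(n) = (p-1)(q-1) = u_1 \cdot u_2 \cdot r^2 \cdot p_1 \cdot q_1$; where $\varphi(n)$ is the Euler function;
$\lambda(n) = \operatorname{lcm}(p-1, q-1) = 2 \cdot v_1 \cdot v_2 \cdot r \cdot p_1 \cdot q_1$; where lcm represents the least common multiple, and $\lambda(n)$ is the Carmichael function; and $\alpha$ meets the condition:
$\gcd(\alpha, \varphi(n)) = \gcd(\alpha, u_1 \cdot u_2 \cdot r^2 \cdot p_1 \cdot q_1) = 1$
where gcd is the greatest common divisor.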
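A toy run of claims 3 to 6 follows; it is an added illustration, not code from the patent or its applicants. The two equation images are not reproduced in this text, so the signature form f = a_i + c_i·m, g = b_i + d_i·m (mod r), the public key form P = α^h, Q = α^k (mod n) and the prime structure p − 1 = u_1·r·p_1, q − 1 = u_2·r·q_1 are assumptions chosen to satisfy the claim 5 equality; all parameter values and function names are constructed.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters, far too small for real use. Assumed structure:
# p - 1 = u1*r*p1 and q - 1 = u2*r*q1 with u1 = u2 = 2 (v1 = v2 = 1), p1 = 3, q1 = 19.
R, P1, Q1 = 11, 3, 19
N = (2 * R * P1 + 1) * (2 * R * Q1 + 1)          # n = p*q = 67 * 419
PHI = (2 * R * P1) * (2 * R * Q1)                # phi(n) = u1*u2*r^2*p1*q1

def find_alpha():
    """alpha = g^(2*v1*v2*p1*q1) mod n, of order r, with gcd(alpha, phi(n)) = 1."""
    for g in range(2, N):
        alpha = pow(g, 2 * P1 * Q1, N)
        # alpha^r = g^lambda(n) = 1 and r is prime, so alpha != 1 means order r.
        if gcd(g, N) == 1 and alpha != 1 and gcd(alpha, PHI) == 1:
            return alpha
    raise ValueError("no suitable alpha")

def ttp_setup(members):
    """Trusted Third Party: secret s, common public key, one private key per member."""
    alpha = find_alpha()
    while True:
        s = R + 1 + secrets.randbelow(1000)      # s > r, as claim 4 states
        a0, b0, c0, d0 = (secrets.randbelow(R) for _ in range(4))
        h, k = (a0 + s * b0) % R, (c0 + s * d0) % R
        if s % R and k:                          # keep beta and Q different from 1
            break
    pub = {"alpha": alpha, "beta": pow(alpha, s, N),
           "P": pow(alpha, h, N), "Q": pow(alpha, k, N)}  # assumed form of P and Q
    keys = {}
    for name in members:
        b, d = secrets.randbelow(R), secrets.randbelow(R)
        keys[name] = ((h - s * b) % R, b, (k - s * d) % R, d)  # (a_i, b_i, c_i, d_i)
    return pub, keys

def digest(document):
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % R  # m mod r

def sign(key, m):
    a, b, c, d = key
    return (a + c * m) % R, (b + d * m) % R      # assumed form of (f, g)

def verify(pub, m, sig):
    """Claim 5 check: P * Q^m == alpha^f * beta^g (mod n), common key only."""
    f, g = sig
    lhs = pub["P"] * pow(pub["Q"], m, N) % N
    rhs = pow(pub["alpha"], f, N) * pow(pub["beta"], g, N) % N
    return lhs == rhs
```

Every member's signature passes the same check against (P, Q), so the verifier needs no per-member key and the check itself does not identify which member signed.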
PCT/EP2012/058578 2011-05-13 2012-05-09 A method for performing a group digital signature WO2012156254A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ESP201130779 2011-05-13
ES201130779A ES2400895B1 (en) 2011-05-13 2011-05-13 METHOD FOR MAKING A DIGITAL GROUP SIGNATURE

Publications (1)

Publication Number Publication Date
WO2012156254A1 true WO2012156254A1 (en) 2012-11-22

Family

ID=46046224

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2012/058578 WO2012156254A1 (en) 2011-05-13 2012-05-09 A method for performing a group digital signature

Country Status (3)

Country Link
AR (1) AR086343A1 (en)
ES (1) ES2400895B1 (en)
WO (1) WO2012156254A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2578864B (en) * 2018-09-24 2022-09-21 Metrarc Ltd Trusted ring

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015024149A1 (en) * 2013-08-21 2015-02-26 Wang Weijian Method for establishing anti-attack public key cryptogram
WO2017063114A1 (en) * 2015-10-12 2017-04-20 王晓峰 Method for establishing secure attack-resistant public key cryptographic algorithm
CN110826091A (en) * 2018-08-14 2020-02-21 珠海金山办公软件有限公司 File signature method and device, electronic equipment and readable storage medium
CN110826091B (en) * 2018-08-14 2022-05-06 珠海金山办公软件有限公司 File signature method and device, electronic equipment and readable storage medium
CN112528237A (en) * 2021-02-08 2021-03-19 北京关键科技股份有限公司 Software version state protection method based on consensus mechanism
CN113225190A (en) * 2021-02-08 2021-08-06 数字兵符(福州)科技有限公司 Quantum security digital signature method using new problem
CN113225190B (en) * 2021-02-08 2024-05-03 数字兵符(福州)科技有限公司 Quantum security digital signature method using new difficult problem
CN112926959A (en) * 2021-03-26 2021-06-08 陈丽燕 Hash-RSA blind signature digital currency scheme
CN115442044A (en) * 2022-05-25 2022-12-06 北京航空航天大学 Efficient secret election method and device based on linkable ring signature
CN115442044B (en) * 2022-05-25 2024-05-03 北京航空航天大学 Efficient secret election method and device based on linkable ring signature

Also Published As

Publication number Publication date
ES2400895A2 (en) 2013-04-15
AR086343A1 (en) 2013-12-04
ES2400895B1 (en) 2014-03-24
ES2400895R1 (en) 2013-09-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12719730; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12719730; Country of ref document: EP; Kind code of ref document: A1)