An efficient threshold RSA digital signature scheme. Source: Applied Mathematics and Computation, Volume 166, Issue 1, 6 July 2005, Pages 25-34. Author: Qiu-Liang Xu, Tzer-Shyong Chen. Speaker: 李士勳. Date: 2005,12,14.
Outline • Introduction • Descriptions of the scheme • Analysis of security and efficiency • Conclusions
Introduction • Resisting conspiracy attack • (t,n) threshold signature scheme
Introduction • 1991: Desmedt and Frankel first proposed the threshold signature scheme • 1994: Li et al. presented two (t,n) threshold signature schemes • 1997: Michels and Horster proved them insecure • 1998: Wang et al. presented two (t,n) threshold signature schemes
Descriptions of the scheme p and q are large primes
Descriptions of the scheme • represent the set of all members in the system
Initialization phase • Key Dealing Center (KDC) must establish four parameters • RSA parameters • Lagrange interpolation parameters • Parameters used in modulus convention • Parameters used in partial signature verification
RSA parameters • p, q, n, e and d, used to generate the group signature, where n=p*q, p and q are two safe primes, (n,e) is the public key, and d is the private key • P, Q, N, E and D, which are used by the signature generator (SG), where N=P*Q>n, P and Q are also two safe primes, (N,E) is the public key, and D is the private key
Lagrange interpolation parameters • Select a large public prime r>n • Select a random polynomial f(x), d=f(0)
Parameters used in modulus convention • Consider a sample message , so that the order of in group is • Compute • Make public
Parameters used in partial signature verification • Select randomly an element of order compute i=1,2,…,n and send publicly v and to the signature generator SG
Signature phase • Chaum-Pedersen zero-knowledge protocol
Chaum-Pedersen zero-knowledge protocol • One-way hash function H(), and a random number u, compute z=xc+u • (z,c) proves , the verifier accepts the proof if and only if • Clearly, when , the proof holds
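The proof-and-check flow on this slide, as an added example that is not code from the paper or the original slides. It assumes the statement being proved is that a shareholder's public value v^x and partial signature m^x share the same exponent x; the toy modulus, the bases 4 and 9, the share value and the use of SHA-256 for H() are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy modulus from two small safe primes (illustration only).
N = 1019 * 1187
C_BITS = 128  # length of the hash challenge c, in bits

def challenge(*elems):
    """Non-interactive challenge: hash of all public values, cut to C_BITS."""
    data = b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - C_BITS)

def prove(x, v, m):
    """Prove log_v(v^x) == log_m(m^x) without revealing the share x."""
    vx, mx = pow(v, x, N), pow(m, x, N)
    # The group order is secret, so u comes from a range wide enough to mask x*c.
    u = secrets.randbits(N.bit_length() + 2 * C_BITS)
    c = challenge(v, m, vx, mx, pow(v, u, N), pow(m, u, N))
    z = x * c + u  # over the integers, as on the slide: z = xc + u
    return z, c

def verify(v, m, vx, mx, proof):
    """Accept iff the challenge recomputed from (z, c) equals c."""
    z, c = proof
    if z < 0 or not 0 <= c < 2 ** C_BITS:
        return False
    try:
        # v^z * vx^(-c) collapses to v^u only when vx really is v^x.
        t1 = pow(v, z, N) * pow(vx, -c, N) % N
        t2 = pow(m, z, N) * pow(mx, -c, N) % N
    except ValueError:  # vx or mx not invertible mod N: malformed input
        return False
    return c == challenge(v, m, vx, mx, t1, t2)

def demo():
    x = 123457        # hypothetical secret share of one shareholder
    v, m = 4, 9       # constructed squares mod N: public base and message
    vi, si = pow(v, x, N), pow(m, x, N)  # public check value, partial signature
    proof = prove(x, v, m)
    forged = pow(m, x + 1, N)            # partial signature with a wrong exponent
    return verify(v, m, vi, si, proof), verify(v, m, vi, forged, proof)
```

The negative modular exponent in `pow` requires Python 3.8 or later.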
Signature phase • denotes the t shareholders who participate in signing
Signature phase • Select a random number • Compute , • Send to SG • , , • (m,s(m),S(m)) is the signature on message m
Signature phase • If then (m,s(m),S(m)) is accepted as a valid signature
Analysis of security and efficiency • The first step of the initialization phase builds only the RSA cryptosystem, without providing any extra information • The second step establishes a (t,n) threshold system based on Lagrange interpolation • The third and fourth steps rest on the hardness of solving the discrete logarithm problem
Conclusions • Resisting conspiracy attack