Identity-based threshold group signature scheme based on multiple hard number theoretic problems

ABSTRACT


INTRODUCTION
In 1971, the idea of digital signature was first presented by Diffie and Helman [1] that enabled a signer in possession of a secrete key to sign a message, while anybody using a public key could perform verification of the signature. The notion of threshold signatures was presented by Desmedt [2] in 1987. A secret key, and correspondingly, the signing power, is shared to a collection of players in a ( , ) threshold signature scheme, where this is accomplished in a manner that any subset of players is able to collectively deliver a signature on the account of the group, whereas a subset composed of up to −1 players is incapable. The threshold signature is fundamental yet of a great significance cryptographic scheme that is due to its bifold function: by boosting the opportunity of the signing agency while simultaneously improving the safeguarding process against fraudulence through completing the learn process of the secret signature key for the antagonist. Subsequent to Desmedt's creation, in the commonly-named threshold cryptography domain, several threshold signature approaches incorporated on diverse premise were formulated, such as [3][4][5][6][7][8]. In order to streamline key management processes in certificate based public key setting, Shamir [9] in 1984, called for identity-based (ID-based) encryption and signature methods. Thenceforth, in the scope of this commonly-named ID-based cryptography, scores of identity-based cryptography techniques were put forward, such as the works of [10,11]. The remarkably prominent tool has proposed bilinear pairing [10] in constructing identity-based cryptography primitives, where ID-based could be substituted for certificatebased in public key setting. This is of a special interest particularly when there is a requirement for efficient key management while moderate security is needed. The entire developed literature put forward on ID-based threshold group signature contains approaches that rely on an individual hard problem such as factoring,  [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20]. Hereafter, if a solution of any of these problems is achieved, then the security of the associated ID-based threshold group signature would be compromised. Therefore, we present in this work a secure ID-based threshold group signature incorporated on discrete logarithms and residuosity problem. Our techniques enhancement arises from the difficulty in finding simultaneous solution of both problems. We demonstrate that our approach persists to be secure, despite attaining solution of one of the problems. The remainder of the paper is structured as follows: the IBTHS is introduced in Section 2. Section 3 presents security analysis of our technique. Performance study and resultant efficiency are carried out in Section 4. Finally, we conclude in Section 5.

THE PROPOSED IBTHS
Here, we will introduce our identity based threshold signature technique that relies on a pair of hard number theoretical problems; namely, residuosity and discrete logarithm. As was stated, the security if this technique builds on the premise that it is burdensome to simultaneously achieve solutions of this pair of problems. The framework of our technique presumes, out of signers are able to jointly sign the message on the account of the group, whereas an individual verifier is able to corroborate the group signature [21].

System setup
The trusted dealer (TD) of the system, following the framework of [21], selects a large prime -a 1024-bits, = 1 1 is a factor of − 1, where 1 and 1 are two safe primes, an element generator of order , adhering to ≡ 1 (mod ) , and where ℎ( ) is the one-way hash function for the message .

Generating keys
Within this stage, TD carries-out the consecutive operations [21] to produce the secret and public keys of the technique: -Selects in a random fashion: ∈ * such that gcd( 2 , ) = 1 -Calculate ≡ 2 ( ) -After that, construct a ( , ) threshold function ( ) = ∘ + 1 + ⋯ + −1 −1 (mod ), where are random integers between 1 and − 1, and = 0,1,2, … , − 1 -Set the group secret key (0) , then compute the associated group public key = (0) (mod ) -Each of the group members picks an integer ∈ ( ) in a random manner as his private key and calculates his public key: = ( ). -Each participant registers an identity and then sends to TD. -After TD obtains the complete identities, s/he calculates: ( ) and = ( ) (mod p) and forwards ( ) to the group's members individually. Public and retain a copy of ( ), . In the event that an extra member wishes to participate within the group following negotiation with the TD, s/he posts her/his identity to the TD. After which, TD calculates and transmits ( ) to her/him. Then, TD calculates and publics: = ( ) (mod p). The public and secret keys for an individual represented as ( , ) ( ( ) , ) , respectively. While for group, the public and secret keys are ( , ) and ( , (0)) , respectively.

(t,n) Threshold signature generation phase
Consider a scenario where the members that cooperate in producing the signature [21] are 1 , 2 , … , . Ahead to their collaborative signature of the message, a selected member is appointed as a clerk to perform partial signature verification. The sequential steps of message signing are illustrate as follows: a. Each signer selects ∈ * and computes b. The { } broadcasted to members by means of a channel that is secure. When entire are acquired, they are utilized collectively in the computation of the value as c. Calculate ISSN: 2088-8708  Identity-based threshold group signature scheme based on multiple hard number … (Nedal Tahat) 3697 Then send along with ( , ) as the partial signature for the hash-function message ℎ( ) to the clerk. Later, the clerk performs validation of the partial signature through demonstrating that the subsequent equality is fulfilled: d. Following demonstrating the validity of all partial signatures by the clerk, s/he obtains solution for: and the signature of message is { , } .

(t,n) Threshold signature verification phase
The signature can be verified by a stranger pending that s/he can get a hold of to the public key [21]. Following to their reception of the group signature { , } s/he examines the equation: If this condition is fulfilled, accordingly the group signature is valid. Theorem 1. Succeeding the utilized protocol, thus the verification within the signature verification part is accomplished.

SECURITY ANALYSIS
We demonstrate here that the presented scheme for identity-based threshold signature is unforgeable found on the complexity of finding solutions simultaneous to the pair of hard number theoretical problems; residuosity and discrete logarithm. Forth while, we shall substantiate that our technique is heuristically secure against example cryptographic attacks [21]. Attack 1: Suppose that the adversary (Adv) attempts to acquire the secret keys , (0) taken from the equations ≡ 2 ( ) and = (0) (mod ) . It is evidently infeasible in view of the hindrance of figuring out residuosity and discrete logarithm problems. Also Adv cannot derive the secret key ( ) from the equation = ( ) (mod p) by virtue of the complication of solving DLP. Attack 2: Assume that the discrete logarithm problem can be figured-out.
-By means of the equation 2 ( ) , Adv can find 2 ( ). Nonetheless, s/he is still incapable of recovering because of the adversity of solving residuosity problem.
-Adv may likewise attempt to figure-out the entire secret keys of the signer utilizing the relationship = ( ) (mod p). Considering that discrete logarithm can be figured-out, at that point s/he can discover all secret keys ( ) , and thereafter construct the entire partial signature of the group. Although, s/he is unable to identify the group signature through the relationship 2 = −2 ∑ =1 ( ) due to the fact that s/he is not aware of the prime factorization of . Attack 3: Assume that the residuosity problem is solvable. In this situation, s/he has knowledge of the prime factorization, 1 and 1 . Consequently, s/he will attempt to figure-out the formula ≡ 2 ( ). Nevertheless, s/he remains incapable of figuring-out relying on this condition due to the fact that s/he is not aware of 2 ( ) for the reason that a discrete logarithm problem can not be unraveled. Attack 4: Adv can in addition attempt to gather pairs of message -signature ( , ) and where = 1,2, … , also tries to seek-out the individual secret key ( ) . Meanwhile, Adv possesses equations in this fashion: The number of unknowns is ( + 2) in the previous formulas of (8), i.e., ( ) , and . Hence, ( ) and remain complex to identify considering that Adv can reproduce a limited number of solutions to this set of linear equations although s/he is not capable of identifying which is the right one. Attack 5: Adv could seek to pose as signer by choosing in a random fashion integers and announcing g ≡ ( ). Because the entire signers decided on the group signature, in the absence of knowledge of the respective secret key ( ), Adv is incapable of generating a correct partial signature ( , ) to fulfill the verification formula. Attack 6: Adv may contend to evolve a group signature ( , ) of his own using the verifying equation ) for a specific message through fixing one integer, while seeking to identify the other. In this scenario, Adv picks and seeks the value of . Adv begins by calculating ≡ ℎ( ) − ( ) and finding ≡ 2 ( ) for . Unsuccessfully, s/he is unable to figure-out utilizing this equation because of the adversity of figuring-out, simultaneously, the residuosity and discrete logarithm problems. In addition, Adv could attempt to set and figure-out . In this situation, s/he computes ≡ ℎ( ) − 2 ( ) and seeks out a solution to ≡ ( ). This scenario is the worst due to the fact that although both problems of residuosity and discrete logarithm can be solved, the value remains difficult to determine aside from a trial and error procedure, thus characterized by consumption of time and effort [15].

PERFORMANCE EVALUTION
To investigate the performance of identity-based threshold signature, computation and communication overheads will be used to estimate it. Here, we will examine primarily the performance of our suggested technique. To facilitate this treatment, we employ the following notations in our analysis of the computation and communication complexity [22][23][24][25]. The number of secret and public keys are denoted by SK and PK, respectively. Modular exponentiation time is represented by; , while stands for the time for modular multiplication; and the time for a modular inverse computation is represented by ; denotes complexity of time for executing computation of the modular square; presents the complexity for executing calculation of the modular square root. ℎ determines the one map-to-point hash function time, while | | specifies the length of bits of . We must note that other computational operations times are ignored, since they are much smaller than , , and ℎ . We summarize the computation and communication cost of our proposed scheme in Table 1. As shown in Table 1, the computation complexity [22] for signature and verification are 4 + (4 2 + + 1)+( 2 − + 1) + + + ℎ and 3 + + + ℎ in our scheme, respectively. Also the total communication cost are (2 + 1)| | + (3 + 1)| |.

Keys generation
In this step, the subsequent actions are carried-out by TD to generate the scheme's secret and public keys: a. Selects in a random fashion = 223 ∈ * and observing that gcd( 2 , ) = 1. Calculate ≡ 8 6391 mod14447 ≡ 8853 mod 14447. Select a polynomial ( ) = 311 + 733 + 123 2 ( mod 7223) . Set the group secret key (0) = 311 and calculates the corresponding group public key = 8 311 mod 14447 ≡ 10022 mod 14447 . b. Each of the three members of the group, in a random fashion, picks an integer as: 1

(t,n) Threshold signature generation phase
Assume that the members participating in the signature generation are 1 , 2 , … , . Preceding to jointly signing the message, one of these members is appointed as a clerk to perform verification the partial signature. We describe the elements of message signing in sequence as follows: Each signer selects 1 = 117 , 2 = 147, 3  The { } are broadcasted through a secure channel to the members. Subsequent to reception of the entire , each of them computes the value as = ∏ 3 =1 ( ) = (10094 × 2746 × 1247) mod ≡ 9787 Calculates 1 = 5195, 2 = 3174 , 3 = 1583. Then send along with ( , ) , representing the hash-function message ℎ( ) partial signature, to the clerk. Subsequent to validation of entire partial signatures by the clerk, s/he determines solution of 2 = −2 ∑ =1 ( ) for , 2 = 1172(2894)mod 7223 ≡ 4181.

( , ) Threshold signature verification phase
Any newcomer is able to perform verification of the signature granted that s/he can access the public key. Succeeding to his reception of the group signature, { , } he reviews:

CONCLUSION
A new technique for ID-based threshold group signature was proposed, which is founded on the problems of residuosity and discrete logarithm. The technique relies on two difficult hard problems and offers an improved level of security relative to an individual difficult problem. Also, we have investigated some potential attacks and demonstrated the security of the scheme against such attacks. In addition, the scheme is resistant to both of repeat and conspiracy attacks. Moreover, each of group signature and group key sizes do not rely on the number of members.