A New Digital Multisignature
Scheme With Distinguished
Signing Authorities
Source: Journal of Information Science and Engineering,
Vol. 19, No. 5, pp. 881-887, 2003
Author: Shin-Jia Hwang, Min-Shiang Hwang and
Shiang-Feng Tzeng
Speaker: Jen-Ho Yang
Team member: Yung-Chen Chou and Tai-Yan Tu
Date: Nov. 17, 2003
1
Outline




Introduction
Harn’s Scheme
Proposed Scheme
Conclusions
2
Introduction
Manager
3
Introduction (cont.)

Multisignature features:



Generated only through the cooperation of
all the members
Easy verified by using the group public-key
Infeasible to generate multisignature
without the knowledge of the secret keys
of all the members in the group
4
Harn’s Scheme

The features of Han’s algorithm:



Each member in the signing group may be
allowed to only access partial contents of
the whole document
The partial contents can be easily verified
without revealing the whole message
Based on ElGamal signature
5
Harn’s Scheme (cont.)

The parameters:




U1, U2, …, Un: users
xi: secret key of each user
yi: public key of each user, where
yi=gxi mod p
n
y   yi mod p: the group public key
i 1
6
Harn’s Scheme (cont.)
r1=gk1 mod p
h(m1)
(r1,s1)
clerk
Nancy (u1)
ri=gki mod p
r1, h(m1) h(mi)
r1, h(m1)
(ri,si)
ri, h(mi)
s  (s1  s2  ...  sn ) mod p  1
ri, h(mi)
r2, h(m2)
(r2,s2)
John (ui)
r2, h(m2)
n
r   r j mod p
=gk2
r2
mod p
h(m2)
j 1
m'  h( h( m1 ), h( m2 ),..., h( mn ))
Bob (u2)
si  k i r  xi m' mod ( p  1)
yim '  g si  ri r mod p
7
Harn’s Scheme (cont.)


(r,s) is the multisignature of m’.
Verification:
y m'  g s  r r (mod p)
8
Harn’s Scheme (cont.)

Weakness:


A dishonest member Uj may announce that
his/her partial content is mi, and that the
partial content signed by Ui is mj. (ri,si) and
(rj,sj) cannot be used as evidence to show
that his/her announcement is not correct
because both (ri,si) and (rj,sj) are
generated on the same digest
h(h(m1),h(m2),…,h(mn)).
Insider forgery attack
9
Insider forgery attack


Step 1: the insider attacker Uk randomly selects
secret key xk  1, p  1
Step 2: the insider attacker Uk waits until he/she
receives all other public key y1,…,yk-1,yk+1,…,yn; then
instead of broadcasting yk  g x mod p , he/she
computes yˆ  y  y mod p and reveals the quantity ŷ k as
his/her public key.
Step 3: the integer t  1, p 1 is randomly selected and
r=gk mod p is computed.
Step 4: to any set of messages {m1,m2,…,mn} he/she
computes s=xkm’-kr mod (p-1), where
m’=h(h(m1),h(m2),…,h(mn))
k
k
1
i
k
i 1,i  k


10
Insider forgery attack (cont.)
Finally, the forged multisignature is (r,s).
Proof of the attack:

2.
y  y1... yk 1 yk yk 1... yn mod p
y  y1... yk 1 yˆ k yk 1... yn  yk mod p
3.
y  g  r mod p
1.
m'
s
r
 y  g  g mod p
m'
k
g
xk m '
s
g
kr
s  kr
mod p
11
Proposed Scheme

The parameters:
U1, U2, …, Un: users
 xi: secret key of each user
 yi: public key of each user, where
yi=gxi mod p
n
y
y 
y
 i mod p: the group public key

i
i 1
12
Proposed Scheme (cont.)
r1=gk1 mod p
h(m1)
(r1,s1)
clerk
Nancy (u1)
ri=gki mod p
r1, h(m1) h(mi)
r1, h(m1)
(ri,si)
ri, h(mi)
s  (s1  s2  ...  sn ) mod p  1
ri, h(mi)
r2, h(m2)
(r2,s2)
John (ui)
r2, h(m2)
n
n
r   ri h ( h ( mi ), ri )
r   r j mod p
=gk2
r2
mod p
h(m2)
i 1
si  xi yi h( m' )  rk i h( h( mi ), ri ) mod Q
j 1
m'  h( h( m1 ), h( m2 ),..., h( mn ))
Bob (u2)
si  k i r  xi m' mod ( p  1)
yim '  g si  ri r mod p
13
Proposed Scheme (cont.)


(r,s) is the multisignature of m’.
Verification:
g m '  Y H  r r (mod p)
n
 si
g  g i1
s
n
 ( xi yi h ( h ( m1 ),h ( m2 ),..., h ( mn ))  rki h ( h ( mi ),ri )
 g i1
n
 xi yi h ( h ( m1 ),h ( m2 ),..., h ( mn ))
 g i1
 Y H  r r (mod p)
n
 ki h ( h ( mi ), ri )
 ( g i1
)r
14
Conclusions




The new multisignature scheme satisfies the five
properties of multisignature schemes with
distinguished signing authorities.
The new scheme provides additional evidence of
each partial message such that the members of
the group can use it to prove their distinguished
signing responsibility.
The scheme can prevent Li et al.’s attack
The size of the multisignature is still the same as
that of a signature generated by a single singer.
15