SlideShare a Scribd company logo

CONSTRUCTING THE 2-ELEMENT AGDS PROTOCOL BASED ON THE DISCRETE LOGARITHM PROBLEM

IJNSA Journal, profile picture
IJNSA Journal

The document presents a new group signature scheme based on the discrete logarithm problem that allows for the signing of electronic documents by subsets of signers while concealing individual identities. It introduces a mechanism to embed signer information within a two-element signature, thereby reducing its size and improving protocol efficiency. The proposed approach maintains security while utilizing a randomization parameter derived from a collective digital signature and the manager's secret key, allowing for the identification of signers upon group signature disclosure.

Engineering
1 of 10
Download to read offline
1
2
3
4
5
6
7
8
9
10
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 DOI: 10.5121/ijnsa.2021.13402 13 CONSTRUCTING THE 2-ELEMENT AGDS PROTOCOL BASED ON THE DISCRETE LOGARITHM PROBLEM Tuan Nguyen Kim1 , Duy Ho Ngoc2 and Nikolay A. Moldovyan3 1 Faculty of Information Technology - Duy Tan University, Da Nang 550000, Vietnam 2 Department of Information Technology, Ha Noi, Vietnam 3 St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences, St. Petersburg, Russia ABSTRACT It is considered a group signature scheme in frame of which different sets of signers sign electronic documents with hidden signatures and the head of the signing group generates a group signature of fixed size. A new mechanism for imbedding the information about signers into a group signature is proposed. The method provides possibilities for reducing the signature size and to construct collective signature protocols for signing groups. New group signature and collective signature protocols based on the computational difficulty of discrete logarithm are proposed. KEYWORDS Groupdigital signature, Collective digital signature, difficult computational problems, Signing group. 1. INTRODUCTION In modern information technologies, Electronic Digital Signature (EDS) protocols are widely used [1]. The variety of applications of EDS led to the development of special types of EDS protocols: blind signatures [2,3], group digital signatures [4-6], collective digital signatures [7,8], Approved Group Digital Signatures (AGDS) [9], etc. The protocols of the latter two types are of considerable practical interest. In practice, a public key infrastructure deployed at present can be used to support applications of conventional individual EDS. In these types of cryptographic schemes, the EDS is a pair of natural numbers of a sufficiently large size, i.e. is a two-element one, except for the protocols of the AGDS, in which the signature contains three elements (integers). Inclusion of the third number in the EDS is due to the fact that it stores information about all the persons involved in the formation of the electronic document and in generation of the AGDS to the prepared document. This information is accessible only to the head of the group of signers, who can perform the procedure of identification of signers [9,10] (disclosure of the AGDS). However, the storage of such information in the third element of the signature leads to a significant increase in its size. This article proposes a new mechanism for storing the information necessary for the disclosure of the AGDS and the AGDS protocols with a two-element signature. Elimination of the need to use the third element of the signature is provided by embedding the information about all signers in the randomization parameter of the digital signature scheme based on the computational the difficulty of the discrete logarithm problem. In the developed protocols, the randomizing parameter is generated not by random choice, but by some algorithm generating pseudo-random
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 14 values. This parameter is formed as the transformed value of the collective signature of signers, which depends on the secret key of the manager of the signing group (using the manager’s secret key defines secrecy of the pseudo-random value containing the information about signers) and on the value of the hash-function value computed from the signed document (using the hash value provides the uniqueness of the pseudo-random value). 2. AGDS PROTOCOL WITH THREE-ELEMENT SIGNATURE 2.1. Approved Group Digital Signatures The concepts of group EDS [1,11] and collective EDS [3,8] have significant differences. A collective signature is called an EDS, formed by a given set of signers. The signature of the last type proves conclusively that each of the indicated signers has really signed the considered electronic document. A signature of the first type (called group signature) confirms that the electronic document is signed by some collegial organization (signing group), and different subsets of the persons (individual signers) included in the signing group can form group signatures. When performing the collective signature verification procedure, the public keys of all signers are used. When verifying the authenticity of the group signatures, the fixed public key of the collegial organization is used. The usual requirements for the group signature protocol are as follows: 1) arbitrary subset of the individual signers has the possibility to sign a document on behalf of the signing group; 2) the manager of the signing group can identify all persons who participated in the process of forming a given specific signature; 3) external persons can’t establish a subset of individual signers who have formed any group EDS. The scheme of the approved group EDS [9,10] satisfies additionally the following requirements of practical interest: 1) During the calculation of the group signature the individual signers use personal secret keys that are unknown to the manager and anyone else; 2) The generation of a group EDS is performed in two stages: in the first stage a draft group signature is calculated, and in the second stage the manager transforms the draft group signature into the final group signature (the second stage can be considered as a procedure for approving the signed document); 3) Any non-empty subset of the signer can form a draft group signature to a given electronic document; 4) Only the manager is able to identify the subset of individual signers who participated in the formation of some given signature. The last requirement in the AGDS protocols is realized by including the third element in the signature, which contains some hidden information about the persons participating in the formation of the group signature (the value of this additional number depends on the signed document and on the manager's secret key). In the paper [9] it was shown that the AGDS based on the discrete logarithm problem in the ground finite field provides the 80-bit security with the signature size equal to 1280 bits. Implementation [10] of the AGDS based on the computational difficulty of the discrete logarithm problem on the elliptic curves provides the 80-bit security with the digital signature size equal to only 481 bits. Let us consider an AGDS scheme based on computations on an elliptic curve (EC).
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 15 2.2. AGDS Scheme Based on Computations on an Elliptic Curve Suppose it is given an EC satisfying the standard security requirements and the point G has the large prime order q. The group manager calculates his public key as the point L = zG, where z is his private secret key. Each of m signers (members of the signing group) generates his private key kj and his public key Pi = kiG, i = 1 ,…, m. The AGDS signature generation procedure includes the following steps: 1. The group manager computes hash value from document M: 𝐻 = 𝐹𝐻(𝑀),where FH is some specified hash function, calculates masking coefficients 𝜆𝑖 = 𝐹𝐻 (𝐻||𝑥𝑃𝑖 ||𝐹𝐻(𝐻||𝑥𝑃𝑖 ||𝑧)), (1) and sends each value i to the corresponding i-th group member, for i=1, 2, .., m. Then the group manager computes the first element of the group signature 𝑈 = 𝜆1𝑃1 + 𝜆2𝑃2+. . . +𝜆𝑚𝑃𝑚. (2) 2. Each i-th individual signer (i = 1, 2, …,m) generates a random number i < q, computes the value Ri = iG and sends Ri to the group manager. 3. The group manager generates the random number  < q and computes the values 𝑅 =  𝐺 , (3) 𝑅 = 𝑅 + 𝑅1 + 𝑅2 +. . . +𝑅𝑚 , (4) and 𝑒 = 𝐹𝐻(𝑀 || 𝑥𝑅 || 𝑥𝑈) 𝑚𝑜𝑑  (5) where  is a large prime having length || = 160 bits, xR and xU are abscissa of points R and U, and e is the second element of the group signature. Then he sends the value e to all group members who have initiated the protocol. 4. Each i-th group member (i = 1, 2, …,m) computes his signature share: 𝑠𝑖 = 𝜌𝑖 − 𝑒𝜆𝑖𝑘𝑖 𝑚𝑜𝑑 𝑞 (6) and sends it to the group manager. 5. The group manager verifies the correctness of each share si by checking equality Ri = λiePi + siG (7) If all signature shares Si satisfy the last verification equation (7), then he computes his share: 𝑠 =  + 𝑧𝑒 𝑚𝑜𝑑 𝑞 (8) and the third element of the group signature:
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 16 𝑠 = 𝑠 + 𝑠1 + 𝑠2 + . . . + 𝑠𝑚 𝑚𝑜𝑑 𝑞 (9) The algorithm outputs the group signature as the triple (U , e, s). The AGDS verification procedure includes the following steps: 1. The verifier computes the hash-function value from the document M: H = FH(M). Using the group public key L and signature (U, e, s) he computes value: 𝑅*= 𝑠𝐺 − 𝑒(𝑈 + 𝐿) (10) 2. He computes value: 𝑒*= 𝐹𝐻(𝑀||𝑥𝑅∗||𝑥𝑈)mod  (11) 3. He compares the values e and 𝑒*. If 𝑒*= 𝑒, then the verifier concludes that the group signature is valid. Otherwise, he rejects the signature. 3. CONSTRUCTING THE AGDS PROTOCOL WITH A TWO-ELEMENT SIGNATURE 3.1. The Two-Element AGDS Protocol Randomized EDS schemes, which include protocols based on the computational difficulty of the discrete logarithm problem, when performing the digital signature generation procedure use the uniformly random number that is called randomization parameter (the value t in the protocol described in Section 3). The purpose of this parameter is to protect the private key of the signer, i.e. in order to ensure the computational impossibility of finding the secret key from the signature value. This assignment is ideally realized by means of using uniformly random values as the values of the randomization parameter. Protection of the private secret key of the signer is also provided in the case of using pseudo- random value as the value of the signature randomization parameter, which satisfies the following three requirements: unpredictability, uniqueness, and secrecy. In the case when the initial values (seeds) of the process of generating pseudo-random values are known the indicated requirements can be quite easily fulfilled. The last remark shows the potential possibility of embedding information about individual signers in the value of the randomization parameter used to form the AGDS. Indeed, if each document to be signed is unique, then uniqueness and unpredictability can be defined by computing the randomization parameter t as some value dependent on the hash value H from the document. To fulfill the privacy requirement, one can specify the computation of the value t depending on the manager’s private secret key z. Thus, using information about signers as a seed of some specified pseudo-random transformation that is performed depending on the values H and z one can calculate the pseudo-random value t, for example, as follows t = Hz mod q, where q is a prime number that is the order of the algebraic group above which the signature scheme is defined and  is the number containing information about signers.
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 17 In the simplest case, one can use the list of signers (participating in the formation of the group signature) as the value . Using his private key the manager can recover the value t, and hence the value , from the signature. Thus, the manager is able to identify the set of signers who participated the formation of the given group signature, but the signers have the possibility to deny their participation in the formation of the disclosed group signature. To prevent such potential possibility the number  must also contain evidence of the fact that identified set of signers actually participated in the procedure for computing the disclosed AGDS. It is reasonable to use the collective DS to document M, which is generated by the set of individual signers appointed by the manager for signing the document M as the mentioned evidence. Thus, it is possible to propose the following general scheme for the formation of AGDS: 1. A subset of individual signers form a collective signature to the specified electronic document M and transfer it to the head. 2. The manager calculates the randomization parameter, depending on the received value of the collective signature, the value M, and his private secret key. 3. Using the computed pseudo-random value of the randomization parameter, the manager forms his individual EDS to document M, which is taken as AGDS. In such a scheme it is assumed that the manager's public key is accepted as the public key of the group of signers, which he heads. Let us consider a detailed implementation of the AGDS protocol constructed in accordance with the described general construction scheme. 3.2. Protocol Based on the Problem of Discrete Logarithm on the Finite Field We denote the bit length of some natural number n as |n|. It is quite easy to generate some 2560- bit prime number p such that p  1 contains prime factors r and q of length |r| = 161 and |q| = 256 bits. It is also quite easy to compute the numbers  and  having orders (modulo p) equal to r and q, respectively. The protocol with two-element AGDS is described as follows: Each j-th signer generates his private secret key as a random number xj and calculates his public key𝑦𝑗 = 𝛼𝑥𝑗 𝑚𝑜𝑑 𝑝; j = 1,2, 3, …, g); g is the number of signers excluding the manager. The manager selects his private secret key in the form of the random value z < q and computes his public key L =  z mod p, which is accepted as the public key of the group signer, i.e. the value L is used when verifying the authenticity of the group signature. The procedure for forming a group signature to the electronic document M by a subset of some m individual signers with public keys 𝑦𝑖 = 𝛼𝑥𝑖 𝑚𝑜𝑑 𝑝, where i = 1,2, …, m, includes the following steps: 1. Individual signers form a collective digital signature to the document M: 1.1. Each i-th signer generates a random number ti < rand sends the value 𝑅𝑖 = 𝛼𝑡𝑖 𝑚𝑜𝑑 𝑝 (12) to the other signers (i = 1,2, …, m). 1.2. Signers calculate the values:
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 18 𝑅𝑐𝑜𝑙 = (𝑅1𝑅2. . . 𝑅𝑚) 𝑚𝑜𝑑 𝑝 = 𝛼𝑡1+𝑡1+..+𝑡𝑚 𝑚𝑜𝑑 𝑝 (13) and 𝐸col = 𝐹𝐻(𝑀 || 𝑅col) 𝑚𝑜𝑑 280 , (14) where FH is some specified hash function. The value Ecol is the first element of the collective EDS. 1.3. Each i-th signer calculates his share of the signature 𝑆𝑖 = 𝐸col(𝑡𝑖 + 𝑥𝑖𝐸col) 𝑚𝑜𝑑 𝑟, (15) where i = 1,2, …, m, and sends it to the other signers. 1.4. The signers calculate the second element of the collective EDS in the form of the number 𝑆col = (𝑆1 + 𝑆2+. . . +𝑆𝑚) 𝑚𝑜𝑑 𝑟. (16) Then they give the signature (Ecol, Scol), the length of which is|Ecol| + |Scol|  240 bit, to the manager. 2. The manager verifies the authenticity of the signature (Ecol, Scol) by means of the verification of the equation 𝑅col = 𝑦col −𝐸col 𝛼𝐸col −1 𝑆col 𝑚𝑜𝑑 𝑝, (17) where 𝑦col = (𝑦1𝑦2.. . 𝑦𝑚) 𝑚𝑜𝑑 𝑝. (18) If the collective signature is genuine, then he calculates the pseudo-random number 𝑇 = (𝐸col || 𝑆col)𝑧∗ 𝐻𝑧 𝑚𝑜𝑑 q, (19) Where z* = min{zi: zi = z + i; gcd(zi, q  1) = 1; i = 0, 1, 2,...}}, and Hz = FH(M, z) mod q. 3. Then the manager calculates the values 𝑅 = 𝛼𝑇 𝑚𝑜𝑑 𝑝, (20) 𝐸 = 𝐹𝐻(𝑀 || 𝑅) 𝑚𝑜𝑑 2128 (21) And 𝑆 = 𝐸(𝑇 + 𝑧𝐸) 𝑚𝑜𝑑 𝑞, (22) where (E, S)is the group signature, whose size is | E | + | S | = 384 bits.
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 19 The procedure for disclosing the AGDS (identification of signers) is carried out by the manager as follows. By the value of the group signature (E, S) and the value Hz = FH(M, z) mod q, the manager calculates the value 𝑇 = 𝑆𝐸−1 − 𝑧𝐸 𝑚𝑜𝑑 𝑞, (23) and then the value of the collective signature 𝐸col||𝑆col = (𝑇𝐻𝑧 −1 )𝑧−1 𝑚𝑜𝑑 (𝑞−1) . (24) Next, it performs the procedure for authentication of the collective EDS for all possible values of the collective public key, i.e. for all possible subsets of potential signatories. The collective public key, for which the verification procedure of the EDS confirms the authenticity of the collective signature, uniquely identifies all signers related to the disclosed AGDS. The fact that the head indicates a collective signature passing the authentication procedure by their collective key proves unambiguously that they did form the given collective signature (the probability of random coincidence is negligible). 3.3. Protocol Based on the Problem of Discrete Logarithm on Elliptic Curves The AGDS protocol can be constructed using computations on elliptic curves (EC). Suppose two curves EC1 and EC2 having orders #E1 and #E2 are defined over the ground finite field GF(p). Suppose also that the 256-bit prime number w divides #E1, i.e. w|#E1, and 520-bit prime number q divides #E2, i.e. q|#E2. Suppose that for the first and second EC there are given the points G1 and G2, the order of which is w and q, respectively. The private secret key of the i-th signer is formed as a random number ki<w, and the corresponding public key is computed in the form of the point Pi = tiG1. The manager computes his public key L using the formula L = zG2, where z is his private secret key (z < q). The proposed AGDS protocol on the basis of the Russian digital signature standard GOST R 34.10-2012 is described as follows. 1. A subset m of ordinary signers forms a collective signature to the document M: 1.1. Each i-th signer generates a random number ti < wand sends the point EC1 𝑅𝑖 = 𝑡𝑖𝐺1 (25) to the other signers (i = 1,2, …, m). 1.2. The signers calculate the point 𝑅col = 𝑅1 + 𝑅2 +. . . + 𝑅𝑚, (26) the value 𝑟𝑐𝑜𝑙 = 𝑥𝑅 𝑚𝑜𝑑 𝑤 , (27) where xR is the first coordinate of the point Rcol, and the value of the first element of the collective signature: 𝑒col = 𝐹𝐻(𝑀 || 𝑥𝑅) 𝑚𝑜𝑑 𝑤. (28)
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 20 1.3. Each i-th signer calculates his share of the signature 𝑠𝑖 = (𝑡𝑖 + 𝑒𝑐𝑜𝑙𝑘𝑖) 𝑚𝑜𝑑 𝑤 (29) and sends the value si to the other signers. 1.4. The signers calculate the second element of the collective EDS 𝑠col = (𝑠1 + 𝑠2+. . . +𝑠𝑚) 𝑚𝑜𝑑 𝑤. (30) Then they directed the signature (ecol, scol) to the head (the signature length is |ecol| + |scol| = 512 bits, where the bit length of the number x is denoted as |x|). 2. The manager verifies the authenticity of the signature (ecol, scol), by the verification equation 𝑅col = 𝑠col𝐺 − 𝑒col𝑃col, (31) Where 𝑃col = 𝑃1 + 𝑃2+. . . +𝑃𝑚. (32) If the collective signature is genuine, then he calculates a pseudo-random number t* = (ecol||scol) z* Hz mod q, (33) where z* = min{zi: zi = z + i; gcd(zi, q  1) = 1; i = 0, 1,,...}, and Hz = FH(M, z) mod q. 3. Then the manager computes the point 𝑅∗ = 𝑡∗ 𝐺2, (34) the first element of the group signature as the number: 𝑒∗ = 𝐹𝐻(𝑀 || 𝑥𝑅∗) 𝑚𝑜𝑑 𝑤 (35) and its second element 𝑠∗ = 𝑡∗ + 𝑒∗ 𝑧 𝑚𝑜𝑑 𝑞 (36) A group EDS is a pair (e* , s* ), whose size is equal to |e* | + |s* | = 776 bits, and security is equal to2256 multiplication operations modulo p having the length |p|  520 bits. 4. COLLECTIVE SIGNATURE PROTOCOL FOR SIGNING GROUPS The proposed method of embedding information about signers in the pseudo-random value of the randomization parameter leads to the construction of AGDS protocols, which are computationally indistinguishable by signatures from the protocols of the individual EDS (for anybody, except the manager of the signing group). Even a subset of signers who participated in the formation of the AGDS can’t show that this signature was formed using their collective signature to the specified document.
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 21 The noted in distinguish ability of the group signature from the individual signature of the manager means that the known protocols of the collective EDS for individual signers [7,8] can be applied for the cases of the formation of a single collective signature to a given document M, shared by i) an arbitrary number of signing groups (collective EDS schemes for signing groups) and ii) an arbitrary number of signing groups and an arbitrary number of individual signers (schemes of combined collective EDS). 5. EVALUATE THE SECURITY OF THE ALGORITHM Security of the AGDS protocol based on the signature standard GOST R34.10-2012 against known attacks is defined by the security of the GOST. However, it should be estimated security against attack performed by a coalition of the sets of signers participating in the procedure of the formation of the AGDS. Suppose the signers form two different collective signatures (ecol||scol)1 and (ecol||scol)2 to the same document and the manager computes two different group signatures (e1 * , s1 * ) and (e2 * , s2 * ). Then the signers can compose the following system of three equations with three unknowns z, t1 * , and t2 * : { 𝑠1 = 𝑡1 ∗ + 𝑧𝑒1 𝑚𝑜𝑑 𝑞; 𝑠2 = 𝑡2 ∗ + 𝑧𝑒2 𝑚𝑜𝑑 𝑞; 𝑡1 ∗ 𝑡2 ∗ = ( (𝑒𝑐𝑜𝑙 || 𝑠𝑐𝑜𝑙)1 (𝑒𝑐𝑜𝑙 || 𝑠𝑐𝑜𝑙)2 ) 𝑧+1 𝑚𝑜𝑑 𝑞 (37) Even in the case of the known value i (one should suppose the value z be known since the value i is a small integer) solving this system of equations is difficult since it contains one exponentiation equation and the modulus q is sufficiently large. 6. CONCLUSION A new method of embedding information about signers in the AGDS protocol was proposed, on the basis of which the AGDS protocols with a two-element signature were first developed. This method allows reducing the length of EDS for a given level of security. In the developed protocols, the signature is formed as an individual EDS by the manager of the signing group. Only the manager can open the signature and identify those who participated in the formation of a group signature. When using the proposed approach for the formation of AGDS, the protocols of collective EDS [3,7,8] are easily extended to cases when a single collective signature is formed by i) an arbitrary number of the signing groups (collective signatures for signing groups) and ii) signing groups and individual signers (combined protocols of collective signature). The proposed protocols and protocols of the latter two types can be implemented by analogy with protocols breaking of which requires simultaneous solving two different computationally difficult problems [12], but this question is of interest for a separate study. REFERENCES [1] Shah F., Patel H.,“A Survey of Digital and Group Signature”, International Journal of Computer Science and Mobile Computing, Vol.5 Issue.6, P. 274-278, (2016). [2] Camenisch J.L., Piveteau J.M., Stadler M.A.,“Blind Signatures Based on the Discrete Logarithm Problem”, Advances in Crypology – EUROCRYPT'94 Proc, Lecture Notes in Computer Science. Springer Verlang, Vol. 950,P. 428–432, (1995). [3] Moldovyan A.A., Moldovyan N.A.,“Blind Collective Signature Protocol Based on Discrete Logarithm Problem”,Int. Journal of Network Security, Vol. 11, No. 2, P. 106–113, (2010).
International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 22 [4] Qi Su, Wen-Min Li, “Improved Group Signature Scheme Based on Quantum Teleportation”, International Journal of Theoretical Physics, Vol. 53, No. 4, P. 1208, (2016). [5] Alamélou Q, Blazy O, Cauchie S., Gaborit Ph.,“A code-based group signature scheme”, Designs, Codes and Cryptography, Vol. 82, No 1-2, P. 469–493, (2017). [6] San Ling, Khoa Nguyen, Huaxiong Wang, “Group signature from lattices: simpler, tighter, shorter, ring-based”, Proc. of 18th IACR International Conference on Practice and Theory in Public-Key Cryptography,P.427-449, (2015). [7] Moldovyan N.A,“Blind Signature Protocols from Digital Signature Standards”, Int. Journal of Network Security, Vol. 13, No. 1, P. 22–30, (2011). [8] Duy H.N., Binh D.V., Minh N.H., Moldovyan N.A. “240-bit collective signature protocol in a non- cyclic finite group”, 2014 International conference on Advanced Technologies for Communications (ATC),Hanoi, P. 467 – 470, (2014). (DOI 10.1109/ATC.2014.7043433) [9] Moldovyan A.A., Moldovyan N.A., “Group signature protocol based on masking public keys”, Quasigroups and related systems, Vol. 22, P. 133-140, (2014). [10] Moldovyan N.A., Nguyen Hieu Minh, Dao Tuan Hung, Tran Xuan Kien,“Group Signature Protocol Based on Collective Signature Protocol and Masking Public Keys Mechanism”, International Journal of Emerging Technology and Advanced Engineering, Vol. 6, Issue. 6, P. 1-5, (2016). [11] Phong Q. Nguyen, Jiang Zhang, Zhenfeng Zhang, “Simpler efficient group signature from lattices”, Proc. of 18th IACR International Conference on Practice and Theory in Public-Key Cryptography, P.401-426, (2015). [12] Berezin A. N., Moldovyan N. A., Shcherbakov V. A.,“Cryptoschemes Based on Difficulty of Simultaneous Solving Two Different Difficult Problems”, Computer Science Journal of Moldova, Vol. 21,No.2(62), P. 280-290, (2013). AUTHORS Tuan Nguyen Kim was born in 1969, received B.E, and M.E from Hue University of Sciences in 1994, and Hanoi University of Technology in 1998. He has been a lecturer at Hue University since 1996. From 2011 to the present (2021) he is a lecturer at School of Computer Science, Duy Tan University, Da Nang, Vietnam. His main research interests include Computer Network Technology and Information Security. Duy Ho Ngoc was born in 1982. He received his Ph.D. in Cybersecurity in 2007 from LETI University, St. Petersburg, Russia Federation. He has authored more than 45 scientific articles in cybersecurity. Nikolay A. Moldovyan is an honored inventor of Russian Federation (2002), a laboratory head at St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences, and a Professor with the St. Petersburg State Electrotechnical University. His research interests include computer security and cryptography. He has authored or co-authored more than 60 inventions and 220 scientific articles, books, and reports. He received his Ph. D. from the Academy of Sciences of Moldova (1981).

More Related Content

PDF
COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...
IJNSA Journal
 
PDF
Proposing an Encryption Algorithm based on DES
International Journal of Science and Research (IJSR)
 
PDF
Blind multi-signature scheme based on factoring and discrete logarithm problem
TELKOMNIKA JOURNAL
 
PDF
A Universal Bit Level Block Encoding Technique Using Session Based Symmetric ...
ijait
 
PDF
Compressed Image Authentication using CDMA Watermarking and EMRC6 Encryption
Al musanna College of Technology.,Sultanate of Oman
 
PDF
New modification on feistel DES algorithm based on multi-level keys
IJECEIAES
 
PDF
A General Session Based Bit Level Block Encoding Technique Using Symmetric Ke...
ijcseit
 
DOCX
3dpassword
Divyaprathapraju Divyaprathapraju
 
COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...
IJNSA Journal
 
Proposing an Encryption Algorithm based on DES
International Journal of Science and Research (IJSR)
 
Blind multi-signature scheme based on factoring and discrete logarithm problem
TELKOMNIKA JOURNAL
 
A Universal Bit Level Block Encoding Technique Using Session Based Symmetric ...
ijait
 
Compressed Image Authentication using CDMA Watermarking and EMRC6 Encryption
Al musanna College of Technology.,Sultanate of Oman
 
New modification on feistel DES algorithm based on multi-level keys
IJECEIAES
 
A General Session Based Bit Level Block Encoding Technique Using Symmetric Ke...
ijcseit
 
3dpassword
Divyaprathapraju Divyaprathapraju
 

What's hot (13)

DOCX
3d
Divyaprathapraju Divyaprathapraju
 
PDF
IRJET- A Work Paper on Email Server using 3DES
IRJET Journal
 
PDF
Image encryption using jumbling salting
Mauryasuraj98
 
PDF
A Novel Secret Sharing Technique Using QR Code
CSCJournals
 
PDF
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...
ijistjournal
 
PDF
A novel method for digital data encoding-decoding
TELKOMNIKA JOURNAL
 
PDF
A heuristic approach for web log mining using bayesian networks
Alexander Decker
 
PDF
How encryption works
RaxTonProduction
 
PPTX
3dpassword by janapriya
janapriyanaidu
 
PDF
Dft based individual extraction of steganographic compression of images
eSAT Journals
 
PDF
Dft based individual extraction of steganographic compression of images
eSAT Publishing House
 
PDF
A Survey on Different Data Hiding Techniques in Encrypted Images
ijsrd.com
 
PDF
HSCC Practice Exam (Questions and Answers)
BDPA Education and Technology Foundation
 
3d
Divyaprathapraju Divyaprathapraju
 
IRJET- A Work Paper on Email Server using 3DES
IRJET Journal
 
Image encryption using jumbling salting
Mauryasuraj98
 
A Novel Secret Sharing Technique Using QR Code
CSCJournals
 
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...
ijistjournal
 
A novel method for digital data encoding-decoding
TELKOMNIKA JOURNAL
 
A heuristic approach for web log mining using bayesian networks
Alexander Decker
 
How encryption works
RaxTonProduction
 
3dpassword by janapriya
janapriyanaidu
 
Dft based individual extraction of steganographic compression of images
eSAT Journals
 
Dft based individual extraction of steganographic compression of images
eSAT Publishing House
 
A Survey on Different Data Hiding Techniques in Encrypted Images
ijsrd.com
 
HSCC Practice Exam (Questions and Answers)
BDPA Education and Technology Foundation
 
Ad

Similar to CONSTRUCTING THE 2-ELEMENT AGDS PROTOCOL BASED ON THE DISCRETE LOGARITHM PROBLEM (20)

PDF
Constructing New Collective Signature Schemes Base on Two Hard Problems Facto...
IJCNCJournal
 
PDF
CONSTRUCTING NEW COLLECTIVE SIGNATURE SCHEMES BASE ON TWO HARD PROBLEMS FACTO...
IJCNCJournal
 
PDF
Identity-based threshold group signature scheme based on multiple hard number...
IJECEIAES
 
PDF
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
ijcisjournal
 
PDF
AN EFFICIENT AND SECURE DIGITAL MULTISIGNATURE PROTOCOL BASED ON ECC
ijcisjournal
 
PDF
New Blind Muti-signature Schemes based on ECDLP
IJECEIAES
 
PDF
50120130405004 2
IAEME Publication
 
PDF
Low Power Elliptic Curve Digital Signature Design for Constrained Devices
CSCJournals
 
PDF
Journal of Electronic & Information Systems | Vol.4, Iss.1 April 2022
Bilingual Publishing Group
 
PDF
Offline signatures matching using haar wavelet subbands
TELKOMNIKA JOURNAL
 
PDF
Radical Data Compression Algorithm Using Factorization
CSCJournals
 
PDF
Working with cryptographic key information
IJECEIAES
 
PDF
N33066069
IJERA Editor
 
PDF
Visualize network anomaly detection by using k means clustering algorithm
IJCNCJournal
 
PDF
Architecture design for a multi-sensor information fusion processor
TELKOMNIKA JOURNAL
 
PPTX
Final_Presentation_ENDSEMFORNITJSRI.pptx
2023pgcsis004
 
PDF
Design Package to Build and Evaluate Encryption Algorithms
IOSRjournaljce
 
PDF
LSTM deep learning method for network intrusion detection system
IJECEIAES
 
PDF
Speech encryption by multiple chaotic maps with fast fourier transform
IJECEIAES
 
PDF
DIVISION AND REPLICATION OF DATA IN GRID FOR OPTIMAL PERFORMANCE AND SECURITY
ijgca
 
Constructing New Collective Signature Schemes Base on Two Hard Problems Facto...
IJCNCJournal
 
CONSTRUCTING NEW COLLECTIVE SIGNATURE SCHEMES BASE ON TWO HARD PROBLEMS FACTO...
IJCNCJournal
 
Identity-based threshold group signature scheme based on multiple hard number...
IJECEIAES
 
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
ijcisjournal
 
AN EFFICIENT AND SECURE DIGITAL MULTISIGNATURE PROTOCOL BASED ON ECC
ijcisjournal
 
New Blind Muti-signature Schemes based on ECDLP
IJECEIAES
 
50120130405004 2
IAEME Publication
 
Low Power Elliptic Curve Digital Signature Design for Constrained Devices
CSCJournals
 
Journal of Electronic & Information Systems | Vol.4, Iss.1 April 2022
Bilingual Publishing Group
 
Offline signatures matching using haar wavelet subbands
TELKOMNIKA JOURNAL
 
Radical Data Compression Algorithm Using Factorization
CSCJournals
 
Working with cryptographic key information
IJECEIAES
 
N33066069
IJERA Editor
 
Visualize network anomaly detection by using k means clustering algorithm
IJCNCJournal
 
Architecture design for a multi-sensor information fusion processor
TELKOMNIKA JOURNAL
 
Final_Presentation_ENDSEMFORNITJSRI.pptx
2023pgcsis004
 
Design Package to Build and Evaluate Encryption Algorithms
IOSRjournaljce
 
LSTM deep learning method for network intrusion detection system
IJECEIAES
 
Speech encryption by multiple chaotic maps with fast fourier transform
IJECEIAES
 
DIVISION AND REPLICATION OF DATA IN GRID FOR OPTIMAL PERFORMANCE AND SECURITY
ijgca
 
Ad

Recently uploaded (20)

PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PPT
CRASH COURSE IN ALTERNATIVE PLUMBING CLASS
rene militante
 
PPTX
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
PPTX
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
PPTX
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
PPTX
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
PDF
PPT on Performance Review to get promotions
prashant593122
 
PPTX
Geodesy 1.pptx...............................................
abhi1361yadav
 
PPTX
additive manufacturing of ss316l using mig welding
premcdr7799
 
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
PDF
Well-logging-methods_new................
ZafriFarid
 
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
PPTX
Sustainable Sites - Green Building Construction
mhdumerali
 
PDF
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
CRASH COURSE IN ALTERNATIVE PLUMBING CLASS
rene militante
 
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
PPT on Performance Review to get promotions
prashant593122
 
Geodesy 1.pptx...............................................
abhi1361yadav
 
additive manufacturing of ss316l using mig welding
premcdr7799
 
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
Well-logging-methods_new................
ZafriFarid
 
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
Sustainable Sites - Green Building Construction
mhdumerali
 
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 

CONSTRUCTING THE 2-ELEMENT AGDS PROTOCOL BASED ON THE DISCRETE LOGARITHM PROBLEM

  • 1. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 DOI: 10.5121/ijnsa.2021.13402 13 CONSTRUCTING THE 2-ELEMENT AGDS PROTOCOL BASED ON THE DISCRETE LOGARITHM PROBLEM Tuan Nguyen Kim1 , Duy Ho Ngoc2 and Nikolay A. Moldovyan3 1 Faculty of Information Technology - Duy Tan University, Da Nang 550000, Vietnam 2 Department of Information Technology, Ha Noi, Vietnam 3 St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences, St. Petersburg, Russia ABSTRACT It is considered a group signature scheme in frame of which different sets of signers sign electronic documents with hidden signatures and the head of the signing group generates a group signature of fixed size. A new mechanism for imbedding the information about signers into a group signature is proposed. The method provides possibilities for reducing the signature size and to construct collective signature protocols for signing groups. New group signature and collective signature protocols based on the computational difficulty of discrete logarithm are proposed. KEYWORDS Groupdigital signature, Collective digital signature, difficult computational problems, Signing group. 1. INTRODUCTION In modern information technologies, Electronic Digital Signature (EDS) protocols are widely used [1]. The variety of applications of EDS led to the development of special types of EDS protocols: blind signatures [2,3], group digital signatures [4-6], collective digital signatures [7,8], Approved Group Digital Signatures (AGDS) [9], etc. The protocols of the latter two types are of considerable practical interest. In practice, a public key infrastructure deployed at present can be used to support applications of conventional individual EDS. In these types of cryptographic schemes, the EDS is a pair of natural numbers of a sufficiently large size, i.e. is a two-element one, except for the protocols of the AGDS, in which the signature contains three elements (integers). Inclusion of the third number in the EDS is due to the fact that it stores information about all the persons involved in the formation of the electronic document and in generation of the AGDS to the prepared document. This information is accessible only to the head of the group of signers, who can perform the procedure of identification of signers [9,10] (disclosure of the AGDS). However, the storage of such information in the third element of the signature leads to a significant increase in its size. This article proposes a new mechanism for storing the information necessary for the disclosure of the AGDS and the AGDS protocols with a two-element signature. Elimination of the need to use the third element of the signature is provided by embedding the information about all signers in the randomization parameter of the digital signature scheme based on the computational the difficulty of the discrete logarithm problem. In the developed protocols, the randomizing parameter is generated not by random choice, but by some algorithm generating pseudo-random
  • 2. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 14 values. This parameter is formed as the transformed value of the collective signature of signers, which depends on the secret key of the manager of the signing group (using the manager’s secret key defines secrecy of the pseudo-random value containing the information about signers) and on the value of the hash-function value computed from the signed document (using the hash value provides the uniqueness of the pseudo-random value). 2. AGDS PROTOCOL WITH THREE-ELEMENT SIGNATURE 2.1. Approved Group Digital Signatures The concepts of group EDS [1,11] and collective EDS [3,8] have significant differences. A collective signature is called an EDS, formed by a given set of signers. The signature of the last type proves conclusively that each of the indicated signers has really signed the considered electronic document. A signature of the first type (called group signature) confirms that the electronic document is signed by some collegial organization (signing group), and different subsets of the persons (individual signers) included in the signing group can form group signatures. When performing the collective signature verification procedure, the public keys of all signers are used. When verifying the authenticity of the group signatures, the fixed public key of the collegial organization is used. The usual requirements for the group signature protocol are as follows: 1) arbitrary subset of the individual signers has the possibility to sign a document on behalf of the signing group; 2) the manager of the signing group can identify all persons who participated in the process of forming a given specific signature; 3) external persons can’t establish a subset of individual signers who have formed any group EDS. The scheme of the approved group EDS [9,10] satisfies additionally the following requirements of practical interest: 1) During the calculation of the group signature the individual signers use personal secret keys that are unknown to the manager and anyone else; 2) The generation of a group EDS is performed in two stages: in the first stage a draft group signature is calculated, and in the second stage the manager transforms the draft group signature into the final group signature (the second stage can be considered as a procedure for approving the signed document); 3) Any non-empty subset of the signer can form a draft group signature to a given electronic document; 4) Only the manager is able to identify the subset of individual signers who participated in the formation of some given signature. The last requirement in the AGDS protocols is realized by including the third element in the signature, which contains some hidden information about the persons participating in the formation of the group signature (the value of this additional number depends on the signed document and on the manager's secret key). In the paper [9] it was shown that the AGDS based on the discrete logarithm problem in the ground finite field provides the 80-bit security with the signature size equal to 1280 bits. Implementation [10] of the AGDS based on the computational difficulty of the discrete logarithm problem on the elliptic curves provides the 80-bit security with the digital signature size equal to only 481 bits. Let us consider an AGDS scheme based on computations on an elliptic curve (EC).
  • 3. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 15 2.2. AGDS Scheme Based on Computations on an Elliptic Curve Suppose it is given an EC satisfying the standard security requirements and the point G has the large prime order q. The group manager calculates his public key as the point L = zG, where z is his private secret key. Each of m signers (members of the signing group) generates his private key kj and his public key Pi = kiG, i = 1 ,…, m. The AGDS signature generation procedure includes the following steps: 1. The group manager computes hash value from document M: 𝐻 = 𝐹𝐻(𝑀),where FH is some specified hash function, calculates masking coefficients 𝜆𝑖 = 𝐹𝐻 (𝐻||𝑥𝑃𝑖 ||𝐹𝐻(𝐻||𝑥𝑃𝑖 ||𝑧)), (1) and sends each value i to the corresponding i-th group member, for i=1, 2, .., m. Then the group manager computes the first element of the group signature 𝑈 = 𝜆1𝑃1 + 𝜆2𝑃2+. . . +𝜆𝑚𝑃𝑚. (2) 2. Each i-th individual signer (i = 1, 2, …,m) generates a random number i < q, computes the value Ri = iG and sends Ri to the group manager. 3. The group manager generates the random number  < q and computes the values 𝑅 =  𝐺 , (3) 𝑅 = 𝑅 + 𝑅1 + 𝑅2 +. . . +𝑅𝑚 , (4) and 𝑒 = 𝐹𝐻(𝑀 || 𝑥𝑅 || 𝑥𝑈) 𝑚𝑜𝑑  (5) where  is a large prime having length || = 160 bits, xR and xU are abscissa of points R and U, and e is the second element of the group signature. Then he sends the value e to all group members who have initiated the protocol. 4. Each i-th group member (i = 1, 2, …,m) computes his signature share: 𝑠𝑖 = 𝜌𝑖 − 𝑒𝜆𝑖𝑘𝑖 𝑚𝑜𝑑 𝑞 (6) and sends it to the group manager. 5. The group manager verifies the correctness of each share si by checking equality Ri = λiePi + siG (7) If all signature shares Si satisfy the last verification equation (7), then he computes his share: 𝑠 =  + 𝑧𝑒 𝑚𝑜𝑑 𝑞 (8) and the third element of the group signature:
  • 4. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 16 𝑠 = 𝑠 + 𝑠1 + 𝑠2 + . . . + 𝑠𝑚 𝑚𝑜𝑑 𝑞 (9) The algorithm outputs the group signature as the triple (U , e, s). The AGDS verification procedure includes the following steps: 1. The verifier computes the hash-function value from the document M: H = FH(M). Using the group public key L and signature (U, e, s) he computes value: 𝑅*= 𝑠𝐺 − 𝑒(𝑈 + 𝐿) (10) 2. He computes value: 𝑒*= 𝐹𝐻(𝑀||𝑥𝑅∗||𝑥𝑈)mod  (11) 3. He compares the values e and 𝑒*. If 𝑒*= 𝑒, then the verifier concludes that the group signature is valid. Otherwise, he rejects the signature. 3. CONSTRUCTING THE AGDS PROTOCOL WITH A TWO-ELEMENT SIGNATURE 3.1. The Two-Element AGDS Protocol Randomized EDS schemes, which include protocols based on the computational difficulty of the discrete logarithm problem, when performing the digital signature generation procedure use the uniformly random number that is called randomization parameter (the value t in the protocol described in Section 3). The purpose of this parameter is to protect the private key of the signer, i.e. in order to ensure the computational impossibility of finding the secret key from the signature value. This assignment is ideally realized by means of using uniformly random values as the values of the randomization parameter. Protection of the private secret key of the signer is also provided in the case of using pseudo- random value as the value of the signature randomization parameter, which satisfies the following three requirements: unpredictability, uniqueness, and secrecy. In the case when the initial values (seeds) of the process of generating pseudo-random values are known the indicated requirements can be quite easily fulfilled. The last remark shows the potential possibility of embedding information about individual signers in the value of the randomization parameter used to form the AGDS. Indeed, if each document to be signed is unique, then uniqueness and unpredictability can be defined by computing the randomization parameter t as some value dependent on the hash value H from the document. To fulfill the privacy requirement, one can specify the computation of the value t depending on the manager’s private secret key z. Thus, using information about signers as a seed of some specified pseudo-random transformation that is performed depending on the values H and z one can calculate the pseudo-random value t, for example, as follows t = Hz mod q, where q is a prime number that is the order of the algebraic group above which the signature scheme is defined and  is the number containing information about signers.
  • 5. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 17 In the simplest case, one can use the list of signers (participating in the formation of the group signature) as the value . Using his private key the manager can recover the value t, and hence the value , from the signature. Thus, the manager is able to identify the set of signers who participated the formation of the given group signature, but the signers have the possibility to deny their participation in the formation of the disclosed group signature. To prevent such potential possibility the number  must also contain evidence of the fact that identified set of signers actually participated in the procedure for computing the disclosed AGDS. It is reasonable to use the collective DS to document M, which is generated by the set of individual signers appointed by the manager for signing the document M as the mentioned evidence. Thus, it is possible to propose the following general scheme for the formation of AGDS: 1. A subset of individual signers form a collective signature to the specified electronic document M and transfer it to the head. 2. The manager calculates the randomization parameter, depending on the received value of the collective signature, the value M, and his private secret key. 3. Using the computed pseudo-random value of the randomization parameter, the manager forms his individual EDS to document M, which is taken as AGDS. In such a scheme it is assumed that the manager's public key is accepted as the public key of the group of signers, which he heads. Let us consider a detailed implementation of the AGDS protocol constructed in accordance with the described general construction scheme. 3.2. Protocol Based on the Problem of Discrete Logarithm on the Finite Field We denote the bit length of some natural number n as |n|. It is quite easy to generate some 2560- bit prime number p such that p  1 contains prime factors r and q of length |r| = 161 and |q| = 256 bits. It is also quite easy to compute the numbers  and  having orders (modulo p) equal to r and q, respectively. The protocol with two-element AGDS is described as follows: Each j-th signer generates his private secret key as a random number xj and calculates his public key𝑦𝑗 = 𝛼𝑥𝑗 𝑚𝑜𝑑 𝑝; j = 1,2, 3, …, g); g is the number of signers excluding the manager. The manager selects his private secret key in the form of the random value z < q and computes his public key L =  z mod p, which is accepted as the public key of the group signer, i.e. the value L is used when verifying the authenticity of the group signature. The procedure for forming a group signature to the electronic document M by a subset of some m individual signers with public keys 𝑦𝑖 = 𝛼𝑥𝑖 𝑚𝑜𝑑 𝑝, where i = 1,2, …, m, includes the following steps: 1. Individual signers form a collective digital signature to the document M: 1.1. Each i-th signer generates a random number ti < rand sends the value 𝑅𝑖 = 𝛼𝑡𝑖 𝑚𝑜𝑑 𝑝 (12) to the other signers (i = 1,2, …, m). 1.2. Signers calculate the values:
  • 6. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 18 𝑅𝑐𝑜𝑙 = (𝑅1𝑅2. . . 𝑅𝑚) 𝑚𝑜𝑑 𝑝 = 𝛼𝑡1+𝑡1+..+𝑡𝑚 𝑚𝑜𝑑 𝑝 (13) and 𝐸col = 𝐹𝐻(𝑀 || 𝑅col) 𝑚𝑜𝑑 280 , (14) where FH is some specified hash function. The value Ecol is the first element of the collective EDS. 1.3. Each i-th signer calculates his share of the signature 𝑆𝑖 = 𝐸col(𝑡𝑖 + 𝑥𝑖𝐸col) 𝑚𝑜𝑑 𝑟, (15) where i = 1,2, …, m, and sends it to the other signers. 1.4. The signers calculate the second element of the collective EDS in the form of the number 𝑆col = (𝑆1 + 𝑆2+. . . +𝑆𝑚) 𝑚𝑜𝑑 𝑟. (16) Then they give the signature (Ecol, Scol), the length of which is|Ecol| + |Scol|  240 bit, to the manager. 2. The manager verifies the authenticity of the signature (Ecol, Scol) by means of the verification of the equation 𝑅col = 𝑦col −𝐸col 𝛼𝐸col −1 𝑆col 𝑚𝑜𝑑 𝑝, (17) where 𝑦col = (𝑦1𝑦2.. . 𝑦𝑚) 𝑚𝑜𝑑 𝑝. (18) If the collective signature is genuine, then he calculates the pseudo-random number 𝑇 = (𝐸col || 𝑆col)𝑧∗ 𝐻𝑧 𝑚𝑜𝑑 q, (19) Where z* = min{zi: zi = z + i; gcd(zi, q  1) = 1; i = 0, 1, 2,...}}, and Hz = FH(M, z) mod q. 3. Then the manager calculates the values 𝑅 = 𝛼𝑇 𝑚𝑜𝑑 𝑝, (20) 𝐸 = 𝐹𝐻(𝑀 || 𝑅) 𝑚𝑜𝑑 2128 (21) And 𝑆 = 𝐸(𝑇 + 𝑧𝐸) 𝑚𝑜𝑑 𝑞, (22) where (E, S)is the group signature, whose size is | E | + | S | = 384 bits.
  • 7. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 19 The procedure for disclosing the AGDS (identification of signers) is carried out by the manager as follows. By the value of the group signature (E, S) and the value Hz = FH(M, z) mod q, the manager calculates the value 𝑇 = 𝑆𝐸−1 − 𝑧𝐸 𝑚𝑜𝑑 𝑞, (23) and then the value of the collective signature 𝐸col||𝑆col = (𝑇𝐻𝑧 −1 )𝑧−1 𝑚𝑜𝑑 (𝑞−1) . (24) Next, it performs the procedure for authentication of the collective EDS for all possible values of the collective public key, i.e. for all possible subsets of potential signatories. The collective public key, for which the verification procedure of the EDS confirms the authenticity of the collective signature, uniquely identifies all signers related to the disclosed AGDS. The fact that the head indicates a collective signature passing the authentication procedure by their collective key proves unambiguously that they did form the given collective signature (the probability of random coincidence is negligible). 3.3. Protocol Based on the Problem of Discrete Logarithm on Elliptic Curves The AGDS protocol can be constructed using computations on elliptic curves (EC). Suppose two curves EC1 and EC2 having orders #E1 and #E2 are defined over the ground finite field GF(p). Suppose also that the 256-bit prime number w divides #E1, i.e. w|#E1, and 520-bit prime number q divides #E2, i.e. q|#E2. Suppose that for the first and second EC there are given the points G1 and G2, the order of which is w and q, respectively. The private secret key of the i-th signer is formed as a random number ki<w, and the corresponding public key is computed in the form of the point Pi = tiG1. The manager computes his public key L using the formula L = zG2, where z is his private secret key (z < q). The proposed AGDS protocol on the basis of the Russian digital signature standard GOST R 34.10-2012 is described as follows. 1. A subset m of ordinary signers forms a collective signature to the document M: 1.1. Each i-th signer generates a random number ti < wand sends the point EC1 𝑅𝑖 = 𝑡𝑖𝐺1 (25) to the other signers (i = 1,2, …, m). 1.2. The signers calculate the point 𝑅col = 𝑅1 + 𝑅2 +. . . + 𝑅𝑚, (26) the value 𝑟𝑐𝑜𝑙 = 𝑥𝑅 𝑚𝑜𝑑 𝑤 , (27) where xR is the first coordinate of the point Rcol, and the value of the first element of the collective signature: 𝑒col = 𝐹𝐻(𝑀 || 𝑥𝑅) 𝑚𝑜𝑑 𝑤. (28)
  • 8. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 20 1.3. Each i-th signer calculates his share of the signature 𝑠𝑖 = (𝑡𝑖 + 𝑒𝑐𝑜𝑙𝑘𝑖) 𝑚𝑜𝑑 𝑤 (29) and sends the value si to the other signers. 1.4. The signers calculate the second element of the collective EDS 𝑠col = (𝑠1 + 𝑠2+. . . +𝑠𝑚) 𝑚𝑜𝑑 𝑤. (30) Then they directed the signature (ecol, scol) to the head (the signature length is |ecol| + |scol| = 512 bits, where the bit length of the number x is denoted as |x|). 2. The manager verifies the authenticity of the signature (ecol, scol), by the verification equation 𝑅col = 𝑠col𝐺 − 𝑒col𝑃col, (31) Where 𝑃col = 𝑃1 + 𝑃2+. . . +𝑃𝑚. (32) If the collective signature is genuine, then he calculates a pseudo-random number t* = (ecol||scol) z* Hz mod q, (33) where z* = min{zi: zi = z + i; gcd(zi, q  1) = 1; i = 0, 1,,...}, and Hz = FH(M, z) mod q. 3. Then the manager computes the point 𝑅∗ = 𝑡∗ 𝐺2, (34) the first element of the group signature as the number: 𝑒∗ = 𝐹𝐻(𝑀 || 𝑥𝑅∗) 𝑚𝑜𝑑 𝑤 (35) and its second element 𝑠∗ = 𝑡∗ + 𝑒∗ 𝑧 𝑚𝑜𝑑 𝑞 (36) A group EDS is a pair (e* , s* ), whose size is equal to |e* | + |s* | = 776 bits, and security is equal to2256 multiplication operations modulo p having the length |p|  520 bits. 4. COLLECTIVE SIGNATURE PROTOCOL FOR SIGNING GROUPS The proposed method of embedding information about signers in the pseudo-random value of the randomization parameter leads to the construction of AGDS protocols, which are computationally indistinguishable by signatures from the protocols of the individual EDS (for anybody, except the manager of the signing group). Even a subset of signers who participated in the formation of the AGDS can’t show that this signature was formed using their collective signature to the specified document.
  • 9. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 21 The noted in distinguish ability of the group signature from the individual signature of the manager means that the known protocols of the collective EDS for individual signers [7,8] can be applied for the cases of the formation of a single collective signature to a given document M, shared by i) an arbitrary number of signing groups (collective EDS schemes for signing groups) and ii) an arbitrary number of signing groups and an arbitrary number of individual signers (schemes of combined collective EDS). 5. EVALUATE THE SECURITY OF THE ALGORITHM Security of the AGDS protocol based on the signature standard GOST R34.10-2012 against known attacks is defined by the security of the GOST. However, it should be estimated security against attack performed by a coalition of the sets of signers participating in the procedure of the formation of the AGDS. Suppose the signers form two different collective signatures (ecol||scol)1 and (ecol||scol)2 to the same document and the manager computes two different group signatures (e1 * , s1 * ) and (e2 * , s2 * ). Then the signers can compose the following system of three equations with three unknowns z, t1 * , and t2 * : { 𝑠1 = 𝑡1 ∗ + 𝑧𝑒1 𝑚𝑜𝑑 𝑞; 𝑠2 = 𝑡2 ∗ + 𝑧𝑒2 𝑚𝑜𝑑 𝑞; 𝑡1 ∗ 𝑡2 ∗ = ( (𝑒𝑐𝑜𝑙 || 𝑠𝑐𝑜𝑙)1 (𝑒𝑐𝑜𝑙 || 𝑠𝑐𝑜𝑙)2 ) 𝑧+1 𝑚𝑜𝑑 𝑞 (37) Even in the case of the known value i (one should suppose the value z be known since the value i is a small integer) solving this system of equations is difficult since it contains one exponentiation equation and the modulus q is sufficiently large. 6. CONCLUSION A new method of embedding information about signers in the AGDS protocol was proposed, on the basis of which the AGDS protocols with a two-element signature were first developed. This method allows reducing the length of EDS for a given level of security. In the developed protocols, the signature is formed as an individual EDS by the manager of the signing group. Only the manager can open the signature and identify those who participated in the formation of a group signature. When using the proposed approach for the formation of AGDS, the protocols of collective EDS [3,7,8] are easily extended to cases when a single collective signature is formed by i) an arbitrary number of the signing groups (collective signatures for signing groups) and ii) signing groups and individual signers (combined protocols of collective signature). The proposed protocols and protocols of the latter two types can be implemented by analogy with protocols breaking of which requires simultaneous solving two different computationally difficult problems [12], but this question is of interest for a separate study. REFERENCES [1] Shah F., Patel H.,“A Survey of Digital and Group Signature”, International Journal of Computer Science and Mobile Computing, Vol.5 Issue.6, P. 274-278, (2016). [2] Camenisch J.L., Piveteau J.M., Stadler M.A.,“Blind Signatures Based on the Discrete Logarithm Problem”, Advances in Crypology – EUROCRYPT'94 Proc, Lecture Notes in Computer Science. Springer Verlang, Vol. 950,P. 428–432, (1995). [3] Moldovyan A.A., Moldovyan N.A.,“Blind Collective Signature Protocol Based on Discrete Logarithm Problem”,Int. Journal of Network Security, Vol. 11, No. 2, P. 106–113, (2010).
  • 10. International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.4, July 2021 22 [4] Qi Su, Wen-Min Li, “Improved Group Signature Scheme Based on Quantum Teleportation”, International Journal of Theoretical Physics, Vol. 53, No. 4, P. 1208, (2016). [5] Alamélou Q, Blazy O, Cauchie S., Gaborit Ph.,“A code-based group signature scheme”, Designs, Codes and Cryptography, Vol. 82, No 1-2, P. 469–493, (2017). [6] San Ling, Khoa Nguyen, Huaxiong Wang, “Group signature from lattices: simpler, tighter, shorter, ring-based”, Proc. of 18th IACR International Conference on Practice and Theory in Public-Key Cryptography,P.427-449, (2015). [7] Moldovyan N.A,“Blind Signature Protocols from Digital Signature Standards”, Int. Journal of Network Security, Vol. 13, No. 1, P. 22–30, (2011). [8] Duy H.N., Binh D.V., Minh N.H., Moldovyan N.A. “240-bit collective signature protocol in a non- cyclic finite group”, 2014 International conference on Advanced Technologies for Communications (ATC),Hanoi, P. 467 – 470, (2014). (DOI 10.1109/ATC.2014.7043433) [9] Moldovyan A.A., Moldovyan N.A., “Group signature protocol based on masking public keys”, Quasigroups and related systems, Vol. 22, P. 133-140, (2014). [10] Moldovyan N.A., Nguyen Hieu Minh, Dao Tuan Hung, Tran Xuan Kien,“Group Signature Protocol Based on Collective Signature Protocol and Masking Public Keys Mechanism”, International Journal of Emerging Technology and Advanced Engineering, Vol. 6, Issue. 6, P. 1-5, (2016). [11] Phong Q. Nguyen, Jiang Zhang, Zhenfeng Zhang, “Simpler efficient group signature from lattices”, Proc. of 18th IACR International Conference on Practice and Theory in Public-Key Cryptography, P.401-426, (2015). [12] Berezin A. N., Moldovyan N. A., Shcherbakov V. A.,“Cryptoschemes Based on Difficulty of Simultaneous Solving Two Different Difficult Problems”, Computer Science Journal of Moldova, Vol. 21,No.2(62), P. 280-290, (2013). AUTHORS Tuan Nguyen Kim was born in 1969, received B.E, and M.E from Hue University of Sciences in 1994, and Hanoi University of Technology in 1998. He has been a lecturer at Hue University since 1996. From 2011 to the present (2021) he is a lecturer at School of Computer Science, Duy Tan University, Da Nang, Vietnam. His main research interests include Computer Network Technology and Information Security. Duy Ho Ngoc was born in 1982. He received his Ph.D. in Cybersecurity in 2007 from LETI University, St. Petersburg, Russia Federation. He has authored more than 45 scientific articles in cybersecurity. Nikolay A. Moldovyan is an honored inventor of Russian Federation (2002), a laboratory head at St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences, and a Professor with the St. Petersburg State Electrotechnical University. His research interests include computer security and cryptography. He has authored or co-authored more than 60 inventions and 220 scientific articles, books, and reports. He received his Ph. D. from the Academy of Sciences of Moldova (1981).