An Efficient and Secure Weighted Threshold Signcryption Scheme 1523
An Efficient and Secure Weighted Threshold Signcryption Scheme
Chien-Hua Tsai
Department of Accounting Information, Chihlee University of Technology, Taiwan [email protected]*
Abstract intersection as the secret in t-dimensional hyperplanes and to recover it from n distinct hyperplanes (shares). Threshold cryptosystems are well suited for the And Shamir’s secret sharing scheme is based on a application of group-oriented collaborations which is of polynomial interpolation method to produce a (t−1)th such a nature that specific cooperation should be degree polynomial with the secret and to reconstruct it established in connection with a number of organizational from any t out of n shares. Unlike Shamir’s and tasks, such as multigroup computation, threshold Blakely’s schemes, Mignotte’s and Asmuth-Bloom’s signature, and electronic information transfer. Over the approaches [1, 28] suggest another two threshold secret years many researchers have made salient contributions sharing schemes based on the Chinese remainder to the concept of allowing group members to sign or theorem, and employ a special sequence of coprime encrypt digital messages on behalf of the entire group. positive integers to construct the secret given any of Yet almost all the group-oriented signature or encryption the n choose t−1 shares, but will not reveal it less than cryptosystems have been developed on the premise that any choice of t−1 of them. In order to design more members of the party have the same weights (fixed-size thresholds) and the tasks (shared secrets), cannot be efficient secret sharing schemes, several well-known adjusted. This study proposes a new weighted threshold advanced strategies based on Blakley’s [5, 14], signcryption scheme based on elliptic curve cryptography Shamir’s [9, 22, 27], and Mignotte’s/Asmuth-Bloom’s (ECC) with a dynamic knapsack-type technique and the [16, 18, 23] protocols, respectively, have been Chinese remainder theorem (CRT) to customize its proposed in the literature. weight values of group members in such a way that they In addition to delivering high efficiency benefits, are appropriately arranged to perform a more flexible security requirements have also become a great group-oriented signcryption task on behalf of a group. concern within a threshold cryptosystem. For the reason, Desmedt and Frankel [10] in 1991, present a (t, Keywords: Threshold cryptosystem, Elliptic curve n) threshold signature scheme based on the RSA cryptography, Dynamic knapsack cryptosystem, cryptosystem to secure authenticators. Since then, Chinese remainder theorem, Weighted more improvements and variants of the threshold threshold signcryption signature schemes have been proposed [6, 15, 26]. Most of the existing threshold signature solutions are 1 Introduction based on the equivalent-weight assumption with respect to each group member. However, there are In today’s organizations where the use of teams is some of the real life applications, that depend on increasingly widespread, important decision making different weight values such as authorizing an e- that was once reserved for a single individual is more transfer on financial transactions, making critical often than not now made by teams [19]. In situations decisions in developing and influencing organizational that specifically involve both the identification of activities, or launching various dedicated weapon authorized members and the access privileges of systems in legal, ethical and operational norms. The sensitive or critical data group decision-making idea of the weighted threshold secret sharing method actually often faces the challenge of information was offered in the late 1990s by Morillo et al. [31], sharing. Therefore, secret sharing or threshold schemes who proposed that a weighted threshold scheme are appropriate to be applied to such applications. The assigns different weights to involved members, and a threshold secret sharing schemes were introduced subset of the participants is authorized to reconstruct independently by Blakley [4] and Shamir [33] in 1979. the secret if the total combined weights are greater than Blakley’s threshold scheme is based on a hyperplane or equal to the threshold. After that, numerous other geometry subspace to create a specific point of studies contribute to this idea [11-12, 24, 35], which
*Corresponding Author: Chien-Hua Tsai; E-mail: [email protected] DOI: 10.3966/160792642019092005018
1524 Journal of Internet Technology Volume 20 (2019) No.5 have brought much-needed attention to weight The main contributions of this study can be assignment applications. For example, Li et al. [24] summarized as follows: 1. The mechanism enabling introduce the weighted threshold Mignotte sequence the reliable transmission of critical information into secret image sharing, where the participants share performs much better than the existing RSA-based different shadow images and the secret image can be approaches in terms of security properties. 2. This reconstructed losslessly if and only if the sum of all of efficient but elegant structure of the fast computation the shadow images’ weights is no less than the given of elliptic curves provides significant performance weight threshold; whereas Dikshit and Singh [11] improvements over the existing similar algorithms in present a weighted threshold scheme with bitcoin its resource consumption [25, 32]. 3. The rigorous and wallets using elliptic curve digital signature algorithm, effective design of the authentication method is able to in which all the players get unequal priorities and the avoid the collusion of intentional members to make method can provide a higher level of security to bitcoin sure that each member of the group has adequate transactions. opportunity providing their comments during the group Recently, two articles by Iftene and Grindei [17] and decision-making process. The remainder of the paper is Guo and Chang [13] apply the digital signature divided into five sections. Section 2 provides technology to this area of the weighted threshold background information that links theoretical scheme. Iftene and Grindei’s method combines the prerequisites to the study. Section 3 presents the weighted threshold secret sharing scheme with the methodology of a new weighted threshold signcryption RSA public-key cryptosystem to provide the weighted work based on ECC. Section 4 analyzes the security of threshold decryption as well as generating a digital the proposed scheme, and Section 5 covers the result of signature inside its security perimeter. Guo and experiments along with computational efficiency and Chang’s algorithm employs a proactive weighted performance evaluation. Finally, conclusions and signature skill based on the generalized Chinese future research areas appear in Section 6. remainder theorem, to offer the group members the use of RSA-based signature for secure mission-critical 2 Preliminary Backgrounds documents. Although the correctness of the weighted threshold signature schemes has been explicitly proven To begin with, this section presents a quick primer and assured given in these studies, it is generally on the concept of dynamic knapsack cryptosystem considered that most problems relevant for the security whose structure is difficult but complex. Then, a basic breaches still remain possible. Additionally, if using a understanding of the threshold secret sharing scheme better solution offers further performance will be included in this section. These techniques and improvements for almost all RSA-based weighted methods are appropriately utilized in this paper, and threshold protocols, this significantly enhances critical are thoroughly described in Section 3 and Section 4. information on weight distribution, security and efficiency in applications of secret sharing schemes. 2.1 Dynamic Knapsack Cryptosystem Naturally, it takes the ECC-based [20, 30] weighted threshold signcryption [38] operation from an RSA- In 1988, Chor and Rivest [7] proposed a public key based weighted threshold signature perspective into cryptosystem of high-density dynamic knapsack, consideration. which has several advantages, including fast, efficient, This paper concentrates on weighted threshold and secure calculations that the knapsack system offers. signature schemes. In order to provide an efficient and This algorithm has been proven resistant to many secure solution with respect to the secret share classes of attacks, for instance, low density attack dissemination, we apply an ECC-based signcryption which can be done by requesting a direct solution to technique and also incorporate the dynamic knapsack the knapsack problem. This category contains the cryptosystem approach with the Chinese remainder following known operations. ‧ = theorem as well as the ECC to construct a secure and Select two random knapsack vectors U (u1, …, un) = n−i fast weighted threshold cryptosystem. In addition, the and V (v1, …, vn) where vi = ui −2 , i =1,…,n. weight of each group member remains unknown from ‧ Generate a two-dimensional reversible matrix W each other except the designated dealer in our scheme, whose elements are integers, and is denoted as W−1. while two of the existing weighted threshold signature T T ‧ Calculate the transposed matrix (G, H) = W(U, V) works have publicly disclosed the weights of group = members involved. Having designed such features for to get two transformed knapsack vectors G (g1, …, = the weighted threshold signature solution, this gn) and H (h1, …, hn). ‧ proposed protocol has the ability to reduce the Choose two arbitrary prime numbers p and q, that satisfy the given conditions > 2 max { , − } consequences of making poor group decisions such as p ∑ >0 gi ∑ <0 gi gi gi ignoring the lower weight voice, tending to achieve the and q > 2 max { h , − h }. ∑h >0 i ∑h <0 i higher weight towards a decision, or arising from the i i formation of sub-coalitions and collusion. ‧ Use the Chinese remainder theorem to generate
An Efficient and Secure Weighted Threshold Signcryption Scheme 1525
another random vector A = (a1, …, an) where 0 ≤ ai ≤ 3 The Proposed Weighted Threshold pq − 1, and compute ai such that ai ≡ gi(mod p) and ai Signcryption Scheme ≡ hi(mod q) for i = 1, …, n. Also, let A be a public −1 key while p, q and W are the private keys. In this section, we present a new group-oriented ‧ For the encryption, let m = m1 m2 … mn where mi is weighted threshold signcryption scheme with an n-bit long binary plaintext, and the ciphertext c is adjustable values, which combines three cryptographic then produced as a1m1 + a2m2 + … anmn. techniques with the secret sharing method for ‧ In the process of decryption, require to compute cp = transmission of digital messages. One is the elliptic c(mod p) and cq = c(mod q), where cp and cq take the curve discrete logarithm problem (ECDLP), another is sum of the absolute minimum remainders of modulo the dynamic knapsack problem (DKP) and the other is the primes p and q. the Chinese remainder theorem (CRT). The proposed ‧ Reckon the equation for the secret knapsack vector mechanism consists of the following seven phases: T −1 T initial phase, registration phase, encryption phase, by (sp, sq) = W (cp, cq) where sp and sq stand for the authentication phase, participant selection phase, corresponding message before binary transfer, and weight distribution phase, signature production phase. thus m = (sp − sq) is given in return the original binary There are four kinds of roles in our group-oriented plaintext. weighted threshold signature scheme, namely a group The deeper the matrix transformation (G, H)T = W(U, T A of n members, a dedicated administrator GMA as a V) uses, the more the relationship between the private dealer, a sender C as a user outside the group A, and a = = vectors of U (u1, …, un) and V (v1, …, vn) certificate authority CA as a trusted third party, complicates apparatus. Therefore, the improved respectively. The operational context diagram of this knapsack calculation has a security intensity of higher scheme is shown in Figure 1, and Table 1 lists the resistance of against key recovery attack. symbols and the denotations thereof about the protocol 2.2 Threshold Secret Sharing Scheme used. A secret sharing scheme is a method used in several Certificate Authority (CA) cryptographic protocols and distributes a secret among Sender C I Initial Phase a group of participants, each of whom is allocated a share of the secret. The secret can only be III Encryption Phase reconstructed from its shares when the shares are VII Signature Production Phase m combined together, and any participant in the group II Registration Phase cannot reveal any partial information on the secret. p p1 2 pt δ δ 1 2 Such a technique is called a (t, n)-threshold scheme [3]. δ t Administrator (GMA) The essential idea of secret-sharing threshold scheme is t ∑ δ i ≥ wt as follows. i=1 IV Authentication Phase ‧ a subgroup A′ of the group A p p Suppose using a (t, n) threshold to share the secret S. 1 p2 3 p4 δ δ 1 δ 2 3 δ 4 ‧ Pick a large prime number p which is a positive VI Weight Distribution Phase * pn integer in a finite field Z p . δ V Participant Selection Phase n ‧ Let a0 be the shared secret (i.e., a0 = S) and t be the a group A of n members number of players needed to reconstruct the secret where 0 < t ≤ n < p and a0 < p. Figure 1. The operational context diagram of the ‧ Choose t −1 random integers a1, a2, …, at −1 with ai < proposed model p, and compute a1, a2, …, at −1 mod p. 2 ‧ Build the polynomial f(x) = a0 + a1x + a2x + … + at −1 x t −1. Table 1. The system parameters and the meanings ‧ Construct n pieces from the polynomial to obtain (i, Item Notation Description f(i)) where i ≠ 0. 1 E(Fq) an elliptic curve E over a finite field Fq ‧ Give each player a different pair of the form (x, f(x)) 2 G a base point G of an elliptic curve and find the coefficients of the polynomial. 3 h an order n of an elliptic curve 256 ‧ Reconstruct the secret S (i.e., f(0)) from any subset 4 q a large prime number q such that q > 2 H of t of these pairs. 5 ( ) a universal one-way hash function CA If t = n then all players are required to reconstruct public keys of a certificate authority , an administrator GMA, a sender C, a 6 Yi the secret. Now each player has a distinct pair for dedicated group A, and selected members producing secret shares. Therefore, the secret S can be of a group derived from t of these pairs using the interpolation polynomial in the Lagrange form.
1526 Journal of Internet Technology Volume 20 (2019) No.5
Table 1. The system parameters and the meanings equation (2) for GMA. (continue) eHIDY= ( || ) GMAAA GM GM (2) private keys of a certificate authority CA, GM C * an administrator A, a sender , a ‧ Then, CA randomly selects an integer lGM ∈Zq as a 7 di A dedicated group A, and selected members of a group secret authentication argument to calculate the GMA’s respective point, WGM , such that WGM = 8 IDi digital identities for relevant entities A A 9 li, ri, τi, ki random integer values (,xy ) GMAA GM , by equation (3). 10 α, β large prime numbers u v WlGxy=⋅=(, ) 11 i, i, confusion values GMAA GM GM AA GM (3) GM σ digital credentials issued by A for 12 i ‧ Last, CA issues the certificate of identity, ca , to group members GM A identity certificates for an administrator 13 cai GMA using equation (4). GMA and a sender C −1 14 ρi, θi weight-encoded valves ca=⋅ l() e + x ⋅ d GMAAA GM GM GM A CA (4) weighted values for each individual 15 δi participant 3.3 Encryption Phase 16 wt a globally weighted threshold value a weighted threshold signature on behalf 17 (r, s) When a user outside the group A, i.e., the sender C, of the group tends to make communication among members pi of the group, they need to agree on many different 3.1 Initial Phase parameters and then exchange a series of information about encryption. This process is performed to provide First, a secure elliptic curve E(Fq) is defined over a high security in the encrypted message, m, as follows. finite field Fq, where q is a large prime number such ‧ First of all, C registers his/her identity information that the number equals approximately 256 bits, i.e., a to CA, and creates the individual public-private key 256-bit key in ECC is considered to be as secured as pair (YC, dC) in the same style as equation (1). 3072-bit key in RSA [2]. Next, an order h will be given, * ‧ Second, C takes a random integer rC chosen from Z together with the base point G on the elliptic curve q and converts it to a nonce point on an elliptic curve E(Fq), and the proper choice satisfies h ⋅ G = O, where O is the point at infinity. Then, the CA chooses a one- using equation (5). Doing this as a one-time token way hash function H(). After that, to generate a public- value can effectively prevent replay attacks. private key pair (YCA, dCA), the CA uses a secret number R =⋅=rG(, x y ) CC RRCC (5) of dCA as the private key, and the associated public key is the point YCA = dCA ⋅ G. Finally, the global system ‧ And then, to achieve high security level, the x- parameters are publicly known to all parties including coordinate of a point on an elliptic curve must not E(Fq), G, h, YCA and H(). equal zero, where the condition needs to be met. This ensures that E(Fq) is non-singular and has no 3.2 Registration Phase repeated roots. That is to say, while x equals zero, RC The members pi, i = 1, …, n, of the group A (e.g., the C will repeat the preceding equation again. Thus, C administrator GMA) and external users (e.g., a sender C) combines the hash value H(m) with GMA’s public all need to register the knowledge of their identities key Y to encrypt m by performing the addition of GM A and relationships with the CA as legitimate participants ⋅ two points (m, H(m)) and (rC YGM ) on E(Fq). before the cryptographic or sharing process. Since this A way all applications are dealing with the same rules for According to Menezes-Vanstone primes [21], there all users, we hereby describe the GMA’s activity is no need for mapping a point on E(Fq) and this applied to make the process easy to understand. For the form of (m, H(m)) can significantly improve the registration phase, the following steps are performed. performance of the scalar multiplication operation. ‧First, GMA registers his/her identity information, e.g., Therefore, it proceeds by equation (6). the account ID , to CA, and creates the individual GM A MmHmrY=+⋅(, ()) CGMA (6) public-private key pair (Y , d ) which satisfies GM A GM A ‧ After that, C produces a digital signature sC on the equation (1). message from equation (7), by applying his/her YdG=⋅ C C GMAA GM (1) private key d and r . The digital signature is used to verify whether the original message sent by the ‧ Next, CA takes ID and the public key Y to GM A GM A sender is valid- made by the owner of the compute the association value e according to corresponding private key, and it can assist in a non- GM A
An Efficient and Secure Weighted Threshold Signcryption Scheme 1527
repudiation argument. Note that equation (6) and ‧To generate a public/private key pair for the group A, equation (7) simultaneously fulfill the signcryption GMA adds the secret values of f(0) and g(0) together functions of both a secure encryption and a digital to get a composite with equation (13) as the private signature. key dA, and the corresponding public key YA is s =⋅rHmdx−1 (() +⋅ ) denoted by equation (14). CC CRC (7) dA = f(0) + g(0) (13) ‧ Finally, C transmits the set of messages, (M, sC, RC, WC, eC, caC), through a secure channel to GMA. YA = dA ⋅ G = (f(0) + g(0)) ⋅ G (14)
3.4 Authentication Phase ‧ Each pi of A independently picks a random number ∈ Z * After completing the encryption process, C is able to ki q and converts this value to the elliptic-curve effectively convey an encoded message to the group form by equation (15). All these Ki are sent to GMA members pi. The authentication procedure between C as arranged. In the meanwhile, GMA chooses * A and GM is presented as below. arbitrary integers τi ∈ Zq for pi and takes the input ‧ Upon receiving the message set, GMA uses his/her arguments (τi, Ki) to produce an individual hash private key d GM , the one-time pad point RC and the A value for each member using equation (16). CA’s public key YCA to verify that the authenticity of Subsequently, the hash values σi as digital identities C’s identity, and that the hash embedded in the or credentials are sent back to the group members signature matches the encrypted message M by when they have been correctly computed. By checking equations (8) and (9). evaluating the corresponding hash value, it is led to Md−⋅= R(, mHm ()) determine whether a particular member is legal, GMA C (8) whereas GMA can also intervene on a member’s withdrawal in the group after modifying the identity = ⋅ + ⋅ IC caC (eC G xC YCA) (9) attribute of pi to specify the status-participation σ = ‧ If IC = WC, GMA is ensured that this message set is relationship. For example, GMA simply resets i coming from C. To assert the authenticity of the H(1) and the credential state is currently unassigned to the member. message set that is tied to C, GMA feeds the hash digest H(m) and C’s public key YC into the Ki = ki ⋅ G (15) verification equation (10) to check the signature Γ validity. If there is a signature point on E(Fq) σi = H(τi║Ki) (16) when xR = xΓ in the x-axis, GMA confirms that this C ‧ Once selected members of the group are assembled, message is indeed originated with the signed sender GMA creates a respective public-private key pair (Yi, C and is not altered along the way. di) for all participants, represented by (Yi, di) in Γ =⋅⋅+⋅⋅=(()H ms−−11 Gs x Y )( xy , ) equations (17) and (18), according to the same way CCRCΓC Γ (10) of calculating the group key pair (YA, dA). In addition, GMA makes public to the participants after the 3.5 Participant Selection Phase relevant parameters are well established, such as As each member in the group A finishes the E(Fq), G, H(), YA and Yi. registration with CA, GMA is capable of building a di = f(xi) + g(xi) (17) work team of the participants to share a secret link through the following measures, and some of the group Yi = di ⋅ G = (f(xi) + g(xi)) ⋅ G (18) members pi can accordingly accomplish the specific tasks that have been agreed upon. 3.6 Weight Distribution Phase ‧ GMA sets a weighted (wt, t, n)-threshold value for the group to establish a secret according to the two For a given message, GMA casually distributes a equations (11) and (12). Let f (x) and g(x) be share of the secret among the selection of participants. polynomials over the field Fq, whose two leading Each participant pi ∈ A receives shares corresponding terms a0 and b0 are the secret parameters, for all to different weight coefficients wt1, wt2, …, wtn, and arguments x, where t is a non-negative integer, a0 = any portion of the threshold combined together such * that wt ≥ wt can open the shared secret by fulfilling f(0), b0 = g(0), and a1,...,at−1,b1,...,bt−1 ∈Zq . ∑ i pi∈A 21t − f (xaaxax )=+01 + 2 ++… axt − 1 (mod q) (11) particular conditions. The calculation procedure is explained in the following steps. 21t− ‧ To start with, GMA determines a concatenated data gx()=+ b01 bx + bx 2 ++… bt− 1 x (mod q) (12) set B = (δ1, …, δi, …, δn) with weight values, where
1528 Journal of Internet Technology Volume 20 (2019) No.5
δ1 = max(δi) and B is a vector space with an ordered total weights, which fulfill the given participants in the basis such that the ordered n-tuple is a sequence of n subgroup A′. The signature production process takes positive integers. According to the DKP, the place in several steps and involves an individual knapsack packages the specified items, i.e., weight signature and a group signature. values, to produce a variety of combinations. Also, ‧ Each player of the subgroup participants randomly GMA picks two prime numbers w and γ at random, chooses an integer ki to convert it into an elliptic n and gives γ in the range δ < γ < 2δ . Then an ωi ϕi ∑ i=1 i i curve point ( , ) from equation (23). Also, each participant pi in A′ creates an individual signature (ri, encrypted set of weight values ρ1, ρ2, …, ρn is si) on m, and the signature is computed by a set of collected as an n-dimensional vector D = (ρ1, ρ2, …, parameters (m, ωi, di, ci, ki) where di is the private ρn), and the corresponding components of the vector key of the respective member and ci is the secret D, are chosen by equation (19). value of the individual player, through equations (24) ρi = w × δi (mod γ), i = 1, …, n (19) to (26). The digital signature will be used to authenticate the identity of the player and the ‧ Then GMA converts this positive integer ρi to a integrity of the message to be verified at a later time. binary string and separates two asymmetric partitions from the decimal number in binary form, Ki = ki ⋅ G = (ωi, ϕi) for i = 1, …, t (23) which contains the sequence ei in the upper j bits and = ω the sequence vi in the lower n−j bits as described by ri H(H(m)║ i) (24) equation (20). Additionally, to avoid the carry propagation that converts overflows in its binary t −ω ∏ jji=≠1, i representation into an error return decimal value, ei ci = (25) j ωω− and vi need to meet the condition of ( ei + z × vi) < 2 − ij 1, where z is a non-negative integer. n−j si = (ri ⋅ di ⋅ ci + ki) = (ri ⋅ (f(xi) + g(xi)) ⋅ ci + ki) (26) j » n−j, ρi = ei × 2 + vi (20) ‧ All of the 3-tuples (ri, si, θi) containing an individual ‧ Next, GMA sets up a confusion value ui which makes signature and an encrypted weight thereof, are the relationship between two parts consisting of the transmitted back to GMA to check if the lower n−j bits and the upper j bits as chaotic as corresponding values are valid. Then, GMA can use necessary, i.e., the substitution-permutation the signatory’s public key Yi to verify the validity of technique, from equation (21). this signature if equation (27) holds true at the ui = ei + z × vi, i = 1, …, n (21) specific values.
‧ Afterwards in order to apply the CRT, two positive Ki = si ⋅ G − ri ⋅ ci ⋅ Yi (27) integers, α and β, that are relatively prime, are ‧ When the specific individual signatures of the chosen randomly such that α > n u and ∑ i=1 i subgroup participants have been fulfilled, GMA β > n v . The Chinese remainder theorem says generates a group signature (r, s) for the ∑ i=1 i collaborating individuals. First, GMA deciphers the every pair of congruence relations for an unknown ′ = θ θ … θ θ weight-encoded vector A ( 1, 2, , t) assigned integer i as it is a weight-encoded valve in our case, to each participant, to derive the sum of all the where 0 ≤ θi ≤ αβ−1, i = 1, …, n, of the form in weights δi for the selected party A′, and the total equation (22), gives a unique solution with coprime weight ε is obtained by equation (28). Next, GMA moduli. compares the two weight values to determine if the θi = ui (mod α) = vi (mod β), i = 1, …, n (22) sum of the weights of participants involved, ε, is greater than or equal to the fixed weight, wt. Then, if ‧ In the end, GMA distributes the secret vector A = (θ1, the condition is satisfied, GMA uses equations (29) θ … θ 2, , n) among the selection of participants, and and (30) to compute the sum of the signature pairs each of them has a portion of the threshold based on (ri, si) for the selection of t participants. Last, GMA different weights of share allocation. accomplishes a weighted threshold signature (r, s) 3.7 Signature Production Phase on behalf of the subgroup A′ on the message m. ε = ∑t δ While accomplishing different weighting the i=1 i (28) allocation of share to the selected participants pi, for ′ t instance, t subjects in this set A , GMA prepares for r = ∑ r giving a share of the secret to the players. Before doing i=1 i (29) so, there are specific conditions such as the verification of the respective player signs and the inspection of the
An Efficient and Secure Weighted Threshold Signcryption Scheme 1529
s = t s Base case. Since the sum of an 1-weight set ≥ wt, and ∑i=1 i (30) the statement P(n) is true for n = 1. 3.8 Correctness of the Proposed Scheme Induction step. ‧ Suppose P(k) is true, i.e., that the sum of any k- The correctness of the proposed scheme can be weight set ≥ wt. verified by examining if the form of equation is Ki = si ⋅ ‧ We seek to show that P(k + 1) is true as well, i.e., G − ri ⋅ ci ⋅ Yi, and determining if the relation of any (k + 1)-weight set ≥ wt. t δ ≥ wt holds. While these statements and ‧ + ∑i=1 i Let A be a set of with (k 1) weights. ‧ ′ = − equations can stand true for some fixed values of, si, ri, Let a be a weight of A, and let A A {a} (so that ci, Yi, δi, in order to define the weighted threshold is A′ set with k weights). signcryption algorithm as a general secret sharing ‧ The sets can be written as the form A = A′ ∪ {a}. scheme, we must prove the properties of equivalent Since A′ has k weights, the induction hypothesis can expressions. Namely, GMA with each signatory’s be applied to this set and we get that the sum of the public key Yi can verify the correctness of an individual set of k weights is greater than or equal to wt. Hence signature (ri, si) and an encrypted weight value ci the total number of weights of A is (k + 1). thereof, to achieve the weighted threshold scheme. ‧ Since A is an arbitrary (k + 1)-weight set, we have Getting to the proof we can formalize it as follows: proved that the sum of any (k + 1)-weight set ≥ wt. Theorem 1. Let (ri, si) be a participant’s signature of Thus P(k + 1) is true, completing the induction step. the group, and let ci be the encrypted weight value of Conclusion. By the principle of induction, P(n) is true the participant. Then Ki = si ⋅ G − ri ⋅ ci ⋅ Yi is correct. ∈ Z* Proof. To perform the theorem, we use a direct proof for all n q . [29]. Because equations (18), (24), (25) and (26) are Therefore, the sum of any set of n weights is greater defined for particular values of the individual signature, t than or equal to wt. This shows ∑ δ i ≥ wt and we are able to write: i=1 completes the proof of the theorem. si ⋅ G − ri ⋅ ci ⋅ Yi = (ri ⋅ di ⋅ ci + ki) ⋅ G − H(H(m)║ωi) ⋅ ∏t −ω 4 Security Analysis of the Weighted j=1, j≠i i ⋅ + ⋅ (f(xi) g(xi)) G. Threshold Signcryption Scheme ωi −ωj
Expanding the form, we get: The security of the proposed algorithm is based upon the difficulties of solving the ECDLP, the DKP, t −ω ∏j=1, j≠i i and the CRT; thus, it satisfies the essential security ki ⋅ G + H(H(m)║ωi) ⋅ (f(xi) + g(xi)) ⋅ ⋅ ωi −ωj requirements such as confidentiality, authentication, anonymity, and unforegeability as formalized t −ω ∏j=1, j≠i i specifications from the existing threshold-related G − H(H(m)║ωi) ⋅ ⋅ (f(xi) + g(xi)) ⋅ G. signature works [6, 10, 13, 17]. In addition, our scheme ωi −ωj provides the threshold signature model with the critical Now, we can simplify the expression as ki ⋅ G, by properties of elasticity of weights assignment and anti- eliminating a positive and a negative of the same term. collusion attack, to increase security measures. We By equation (15), we have Ki = ki ⋅ G. Thus, the inspect the characteristics of the proposed solution in signature (ri, si) is verified correctly. This proves that terms of the security goals and needs as follows. the theorem stands in this case. 4.1 Confidentiality Theorem 2. Let wt be a globally fixed threshold value with the weights corresponding to each participant δ1, Confidentiality prevents unauthorized disclosure or δ2, …, δt, and the global threshold of wt is defined by use of sensitive digital information, ensuring that only t δ ≥ wt. Then the sum of the weights of participants those individuals or entities who have a legitimate ∑ i=1 i access to the contents. In this study, all messages (such involved is greater than or equal to the globally fixed δ threshold. as the message m, the weight values i or the signatures (ri, si)) are encrypted by the addition operation of on a Proof. As in the preceding section, GMA deciphers the randomly chosen elliptic curve, and passed through a weight-encoded vector (θ1, θ2, …, θt) as a set of (δ1, δ2, series of permutation processes. If any adversary …, δt), and the sum of associated weights δi involved intercepts the transmission of the enciphered message has to satisfy ∑t δ ≥ wt . We will prove by induction i=1 i as (ri, si, θi, ci, Yi, Ki, G), the interceptor is unable to * that [34], for all n ∈ Zq , the following holds: P(n) → decrypt the session data without knowing anything about implementations of the underlying ECDLP. For The sum of any set of n weights is greater than or equal example, the point of Ki on E(Fq), which depends to wt.
1530 Journal of Internet Technology Volume 20 (2019) No.5
parametrically on ki (an arbitrary integer) and G (a base generated signature and to determine the real identity point), can be hard to deal with by other means. Also, of the signatory. Thus, the signature algorithm fulfills he/she cannot find the private key di from Yi = di ⋅ G as the characteristic of unforgeability. given by equation (18), to obtain one of the signature 4.5 Threshold Characteristic values si. Accordingly, the signature method satisfies the confidentiality requirement. Threshold characteristic indicates that a threshold 4.2 Authentication method is used to distribute a secret d among n members such that any party of size k or more can Authentication is the process of determining whether construct the secret d but smaller parties cannot. In the an individual or entity’s identity is valid or not to the proposed suggestion, each player in A is given a system. If an antagonist pretends to be C to manipulate positive integer weighted state δi which is associated the sensitive data, he/she needs to forge the message with distinct encoding patterns θi, and the shared secret (RC, sC) from equations (5) and (7), to masquerade as can be reconstructed when the sum of the weights of C’s identity. When the malicious user intends to the players involved meets an established threshold wt. identify the critical parameters obtained, this leads to Furthermore, GMA is able to elastically assign or some intractable problems involving the relevant eliminate the units the weight to group members encrypted parameters, of a random integer rC, of C’s through the specific security governance as the DKP private key dC or the x-coordinate of a point on E(Fq) and CRT mechanisms. In such a way, the elasticity by exploiting released public data. Besides the ECDLP, feature of this model enables the leader of the group to if the antagonist impersonates C’s identity that sends identify and apply the appropriate strategy to the fake message to GMA that purports to come from C, dynamically adjust the security responsibilities as the but instead includes the antagonist’s public key, GMA individual members’ needs, in order to reduce the can then detect whether the personator he/she is talking biases arising from group decision-making such as to is genuine by requesting the mutual authentication, high group cohesiveness, insulation from outside i.e., by checking against IC = WC, as described for experts, and flawed procedures for handling tasks, as equation (9). Hence, the proposed model ensures the well as to satisfy their performance goals. authentication property. 4.6 Anti-collusion Attack 4.3 Anonymity A collision attack denotes that a number of users Anonymity means that an agent who performs a may collude with one another in order to obtain the certain action is not letting the details of that action to a access permission beyond their privileges or perform set of all possible subjects. In this design, all of the the intended action against the referenced object. In the legal participants create their own digital signatures (ri, work, the participants bear different weights with si) through rigorous mechanisms, and the members are unequal privileges for the threshold secret sharing, and unable to derive other members’ signatures from their the weights and the shared secret are processed by message digests (e.g., ri) along with the private keys di adequate dual-protection technologies. One is applying except for the participant himself/herself and GMA. To the combination of two functions f(x) and g(x) with put it another way, the identity of the participants in the their respective domains, which give quite different group remains anonymous to each other throughout. results even they have the same rule, to evaluate the Therefore, the signature solution offers the anonymity secret parameters (e.g., the leading terms a0 and b0). as one of the security features. The other is adopting the interpolation polynomial in the Lagrange form as given by equation (25), which 4.4 Unforgeability admits a unique solution from any designated points, to Unforgeability refers that no one is able to produce a recognize the secret value ci associated to the valid digital signature on any arbitrary message other participant’s representation (e.g., ωi). If some than the legitimate signer. In the proposed approach, if participants try to collude together in order to increase an opponent Opp can forge a digital signature, he/she their weights by sharing their secrets like up to more has to possess the knowledge to generate a message- than a coalition of size t, there is no way to measure the signature tuple of (M, sOpp, ROpp WOpp, eOpp, caOpp) such leading coefficients f(0) and g(0) at the same time, to that anyone could verify that the message indeed say nothing of deriving the parameter ci in the structure. originated from the opponent Opp. That is, each Consequently, the proposed program has the anti- member of A can verify that the signature sOpp by collusion ability to prevent illegal coalitions within the checking to see if they match the relative reference group from this kind of collusion attacks, where −−11 ΓHms=⋅⋅+⋅⋅=(()Opp Gs Opp x R Y Opp (, xy Γ Γ ) in equation multiple members collude by recovering the threshold Opp group signature (r, s) of their individual acquired (10) both belongs to the illegitimate user and is invalid weights. for the associated message. Likewise, GMA is always If we reinvestigate the similarity models of the able to distinguish the forged signature from a properly
An Efficient and Secure Weighted Threshold Signcryption Scheme 1531 existing weighted threshold signature methods, it is exponentiation, and modular inversion. evident that the current method provides for effective countermeasures in security considerations. Conversely, Table 3. The modular mathematical notation Iftene and Grindei’s algorithm [17] combines the Symbol Description Operation cost generalized Mignotte sequences whose modules are the time for the multiplicative not necessarily pairwise coprime to choose the TECMUL operation of an elliptic curve ≈ 29TMUL weighted threshold elements with the RSA point cryptosystem, and its security of the signature the time for the addition verification for the group members cannot be TECADD operation of two points on an ≈ 5TMUL guaranteed. Likewise, Guo and Chang’s approach [13] elliptic curve exploits the cryptographic techniques of extended the time for the hash operation TECh ≈ 23TMUL Asmuth-Bloom sequences based on the RSA of an elliptic curve point cryptosystem without applying anonymous mechanism the time for the modular TINVS ≈ 240TMUL onto the signatures, and might cause the participants in multiplicative inverse operation the time for the modular the group to be subject to the conspiracy issues. Table TEXP ≈ 240TMUL 2 presents a comparison between our approach and the exponential operation The time two existing proposals along with the corresponding the time for the modular TADD complexity for weighted threshold signature techniques. Symbol “√” addition operation TADD is negligible indicates that the algorithm satisfies the security The time Δ the time for the conventional feature, and symbol “ ” refers that the model partially Th complexity for Th hash operation supports the security capability. is negligible Note. Modular multiplication is a fundamental operation in Table 2. Comparative analysis of different existing many popular public-key cryptosystems. It converts various weighted threshold signature algorithms based on their operations units to the time complexity in terms of TMUL. security properties Although the above mentioned two techniques have Iftene & Guo & Algorithms not the exactly same steps as the new proposed Grindei’s Chang’s The proposed Security scheme scheme scheme weighted threshold signcryption approach, we still attributes [17] [13] establish the baseline whenever possible to compare Confidentiality Δ √ √ the outcomes of different stages on the same measure. Authentication √ √ √ Table 4 summarizes the computational costs of each Anonymity Δ Δ √ step involved in these weighted threshold signature Unforgeability Δ √ √ models. Compared to other two related algorithms for Threshold performing cryptographic operations along with the √ √ √ characteristic signature or encryption function, we observe that the Anti-collusion proposed scheme takes much less TMUL time for the Δ √ √ attack parameter generation, signature (encryption) generation and verification, and weighted threshold signature 5 Performance Evaluation of the Proposed (encryption) stages where in our case they are - initial and registration - encryption and authentication - Model participant selection, weight distribution, and signature production phases. For example, our method consumes Having described the effectiveness of the proposed (2t + 255)TMUL time in handling the weighted threshold countermeasures in security requirements, we next signature (encryption) generation and verification evaluate the performance of the proposed algorithm in process, whereas the two approaches spend significantly terms of the execution time, and show that it brings more time for this purpose as (244t + 243)TMUL and (t + great efficiency compared with the existing works with 2168)TMUL time respectively. The modulus and respect to the application of weighted threshold exponent operations increase the computation time per signature methods. We examine the theoretical task in RSA-based cryptosystems, since they are more framework of these various solutions for solving the expensive to deal with factoring large prime numbers techniques of cryptology related to computation costs to create the encrypted message. Unlike the two incurred by each task in accordance with the concept of existing works depending on the RSA standards, the modular arithmetic operations [8, 36-37]. The notation proposed ECC-based solution takes tremendously low of modular multiplications has been widely used in computation cost for both the encryption and many public-key cryptosystems for evaluating the authentication phases. complexity in terms of time and resources needed, and the main operations shown in Table 3 include scalar (or point) multiplication, point addition, modular
1532 Journal of Internet Technology Volume 20 (2019) No.5
Table 4. Performance comparison between the proposed scheme and the existing algorithms Method Iftene & Grindei’s scheme Guo & Chang’s scheme The proposed scheme [17] [13] Cost Computational Rough Computational Rough Computational Rough
cost estimation cost estimation cost estimation Stage 4TECMUL + Initial T + T + T + 1 EXP t + 2 MUL Parameter 1 MUL 241 t + T + (3 242) T + 381 T T (3 2) MUL T 1 ADD T Generation 1 EXP MUL t T MUL MUL Registration 2 ADD 1TINVS + 1TECh 8TECMUL + 7TEXP + Individual Signature Encryption 2TMUL + 2TINVS + (2n + t + (Encryption) 1TMUL + 721 4TECADD + 1020 (2n + t + 2)TMUL + 2162) Generation and 3TEXP TMUL 1TADD + TMUL n TADD + TMUL Verification Authentication 3TINVS + 1Th 2TECh Participant Weighted Threshold 6TECMUL + Selection Signature (t + 2)TEXP + 8TEXP + 2t TMUL + Weight (244t +243) (t + 2168) (2t + 225) (Encryption) (4t + 2)TMUL + 1TINVS + 1TECADD + Distribution TMUL TMUL TMUL Generation and 1TADD (t + 8)TMUL (2n + 3t)TADD + Signature Verification 2TECh Production Annex 1: Iftene and Grindei only propose an elegant encryption-decryption-signature function for the CRT-based weighted threshold secret sharing method, while Guo and Chang apply a signature idea to the GCRT-based weighted threshold secret sharing solution. The two studies mainly introduce the application of RSA cryptosystems, and we first give a signcryption function for the weighted threshold secret sharing scheme based on the ECC algorithm. Annex 2: In a (t, n)-threshold secret sharing scheme, the parameter n refers to all members in a group and t is the participants in the group.
efficiency gain, and the results show that the model is 6 Conclusion able to achieve lower consumption with less computational cost and communication overhead when This paper presents a new group-oriented weighted compared to two other existing algorithms. threshold signcryption scheme based on the three hard To the best of our knowledge, the mechanism problems — the elliptic curve discrete logarithm described in this paper is the first weighted threshold problem (ECDLP), the dynamic knapsack problem signcryption using ECC-based cryptographic primitives. (DKP) and the Chinese remainder theorem (CRT). To Providing efficient and secure solutions in such a improve the security of digital messages signed on malicious cyber activity environment requires the behalf of the group members, the signcryption abilities of the possession special features accordingly. technique is properly incorporated into the weighted We are convinced that the current scheme provides threshold protocol. Simultaneously the ECC-based significant ameliorations with the characteristics for cryptosystem makes the weighted threshold secret the application of weighted threshold secret sharing sharing process more efficient in the underlying field cryptosystems. Threshold-related cryptosystems are operations. Apart from the two primary benefits of still worth exploring new developments in various security and efficiency improvements, the rigorous research topics. In our future work, for example, we authentication process embedded in the proposed will try to construct a non-centralized model, which scheme can effectively prevent potential group will appropriately facilitate the distribution of weights members from the colluding agreements. between the leader and the individual members while We give the correctness proof of the proposed generating a global threshold for the group. We will algorithm, that the group signature is indeed created by also devote more attention to processing multiple the sum of the weights of participants involved and the digital messages received from various group total is greater than or equal to a globally fixed situations in the area of threshold cryptography. threshold value, as well as the verification of the group signature. Through the security analysis, the study References satisfies the security requirements for a weighted threshold secret sharing cryptosystem. In addition, we [1] C. Asmuth, J. Bloom, A Modular Approach to Key have evaluated the time complexity to demonstrate the
An Efficient and Secure Weighted Threshold Signcryption Scheme 1533
Safeguarding, IEEE Transactions on Information Theory, Vol. [17] S. Iftene, M. Grindei, Weighted Threshold RSA Based on the 29, No. 2, pp. 208-210, March, 1983. Chinese Remainder Theorem, Proceedings of the 9th [2] E. Barker, Recommendation for Key Management — part 1: International Symposium on Symbolic and Numeric General, Special Publication (NIST SP)-800-57, Revision 4, Algorithms for Scientific Computing, Timisoara, Romania, January, 2016. 2007, pp. 175-181. [3] A. Beimel, Secret-sharing Schemes: A Survey, Coding and [18] K. Kaya, A. A. Selcuk, Threshold Cryptography Based on Cryptology, Lecture Notes in Computer Science, Springer, Asmuth-Bloom Secret Sharing, Information Sciences, Vol. Berlin, Heidelberg, Vol. 6639, 2011, pp. 11-46. 177, No. 19, pp. 4148-4160, October, 2007. [4] G. R. Blakley, Safeguarding Cryptographic Keys, [19] B. L. Kirkman, Why Teams Often Make Riskier Decisions Proceedings of the 1979 AFIPS National Computer than Individuals (and What You Can Do about It), Enterprise Conference, Monval, NJ, USA, Vol. 48, 1979, pp. 313-317. Risk Management Initiative, Raleigh, NC, USA, 2017. [5] I. N. Bozkurt, K. Kaya, A. A. Selcuk, A. M. Guloglu, [20] N. Koblitz, Elliptic Curve Cryptosystems, Mathematics of Threshold Cryptography Based on Blakley Secret Sharing, Computation, Vol. 48, No. 177, pp. 203-209, January, 1987. Proceedings of Information Security and Cryptology [21] N. Koblitz, A. Menezes, S. Vanstone, The State of Elliptic Conference with International Participation — ISCTURKEY Curve Cryptography, Designs, Codes and Cryptography, Vol. 2008, Ankara, Turkey, 2008, pp. 183-186. 19, No. 2-3, pp. 173-193, March, 2000. [6] T. Y. Chang, C. C. Yang, M. S. Hwang, Threshold [22] J. Kurihara, S. Kiyomoto, K. Fukushima, T. Tanaka, A New Untraceable Signature for Group Communications, IEE (k, n)-Threshold Secret Sharing Scheme and Its Extension, Proceedings — Communications, IEEE, Vol. 151, No. 2, pp. Information Security, Lecture Notes in Computer Science, 179-184, April, 2004. Springer, Berlin, Heidelberg, Vol. 5222, 2008, pp. 455-470. [7] B. Chor, R. L. Rivest, A Knapsack-type Public Key [23] H. Lein, F. Miao, C. C. Chang, Verifiable Secret Sharing Cryptosystem Based on Arithmetic in Finite Field, IEEE Based on the Chinese Remainder Theorem, Security and Transactions on Information Theory, Vol. 34, No. 5, pp. 901- Communication Networks, Vol. 7, No. 6, pp. 950-957, June, 909, September, 1988. 2014. [8] J. P. David, K. Kalach, N. Tittley, Hardware Complexity of [24] M. Li, S. Ma, C. Guo, A Novel Weighted Threshold Secret Modular Multiplication and Exponentiation, IEEE Transactions Image Sharing Scheme, Security and Communication on Computers, Vol. 56, No. 10, pp. 1308-1319, 2007. Network, Vol. 8, No. 17, pp. 3083-3097, November, 2015. [9] E. Dawson, D. Donovan, The Breadth of Shamir’s Secret- [25] D. Mahto, D. K. Yadav, RSA and ECC: A Comparative Sharing Scheme, Computers & Security, Vol. 13, No. 1, pp. Analysis, International Journal of Applied Engineering 69-78, February, 1994. Research, Vol. 12, No. 19, pp. 9053-9061, October, 2017. [10] Y. Desmedt, Y. Frankel, Shared Generation of Authenticators [26] G. Mante, S. D. Joshi, Discrete Logarithm Based (t, n) and Signatures, Advances in Cryptology — CRYPTO ’91, Threshold Group Signature Scheme, International Journal of Lecture Notes in Computer Science, Springer, Berlin, Computer Applications, Vol. 21, No. 2, pp. 23-27, May, 2011. Heidelberg, Vol. 576, 1991, pp. 457-469. [27] R. J. McEliece, D. V. Sarwate, On Sharing Secrets and reed- [11] P. Dikshit, K. Singh, Weighted Threshold ECDSA for Solomon Codes, Communications of the ACM, Vol. 24, No. 9, Securing Bitcoin Wallet, ACCENTS Transactions on pp. 583-584, September, 1981. Information Security, Vol. 2, No. 6, pp. 43-51, April, 2017. [28] M. Mignotte, How to Share a Secret, EUROCRYPT 1982, [12] C. C. Dragan, F. L. Tiplea, Distributive Weighted Threshold Lecture Notes in Computer Science, Springer, Berlin, Secret Sharing Schemes, Information Sciences, Vol. 339, pp. Heidelberg, Vol. 149, 1982, pp. 371-375. 85-97, April, 2016. [29] V. Mihova, J. Ninova, Direct and Indirect Methods of Proof, [13] C. Guo, C. C. Chang, Proactive Weighted Threshold The Lehmus-Steiner Theorem, https://arxiv.org/pdf/1410. Signature Based on Generalized Chinese Remainder Theorem, 7526.pdf. Journal of Electronic Science and Technology, Vol. 10, No. 3, [30] V. S. Miller, Use of Elliptic Curves in Cryptography, pp. 250-255, September, 2012. Advances in Cryptology — CRYPTO ’85, Lecture Notes in [14] X. Hei, X. Du, B. Song, Two Matrices for Blakley’s Secret Computer Science, Springer, Berlin, Heidelberg, Vol. 218, Sharing Scheme, Proceedings of the 2012 IEEE International 1986, pp. 417-426. Conference on Communications (ICC), Ottawa, ON, Canada, [31] P. Morillo, C. Padro, G. Saez, J. L. Villar, Weighted 2012, pp. 810-814. Threshold Secret Sharing Schemes, Information Processing [15] C. L. Hsu, T. S. Wu, T. C. Wu, Improvements of Letters, Vol. 70, No. 5, pp. 211-216, June, 1999. Generalization of Threshold Signature and Authenticated [32] S. Nigam, K. N. Hande, Survey on “Security Architecture Encryption for Group Communications, Information Based on ECC (Elliptic Curve Cryptography) in Network”, Processing Letters, Vol. 81, No. 1, pp. 41-45, January, 2002. International Journal of Computer Science and Mobile [16] S. Iftene, General Secret Sharing Based on the Chinese Applications, Vol. 3, No. 1, pp. 17-23, January, 2015. Remainder Theorem with Applications in e-Voting, [33] A. Shamir, How to Share a Secret, Communications of the Electronic Notes in Theoretical Computer Science, Vol. 186, ACM, Vol. 22, No. 11, pp. 612-613, November, 1979. pp. 67-84, July, 2007. [34] A. Stefanowicz, Proofs and Mathematical Reasoning, https://
1534 Journal of Internet Technology Volume 20 (2019) No.5
www.birmingham.ac.uk/Documents/college-eps/college/stem/ Student-Summer-Education-Internships/Proof-and-Reasoning. pdf. [35] P. C. Su, C. H. Yang, J. H. Zeng, C. W. Yeh, C. S. Kao, A Design of Weighted Threshold Mechanism for Proxy Blind Signature, Proceedings of the 2017 Annual Conference on National Defense Management Academic and Symposium, Taipei, Taiwan, 2017, Vol. 1, pp. 158-174. [36] N. Tahat, E. E. Abdallah, A New Signing Algorithm Based on Elliptic Curve Discrete Logarithms and Quadratic Residue Problems, Italian Journal of Pure and Applied Mathematics, Vol. 32, pp. 125-132, August, 2014. [37] C. H. Tsai, P. C. Su, Multi-document Threshold Signcryption Scheme, Security and Communication Network, Vol. 8, No. 13, pp. 2244-2256, October, 2015. [38] Y. Zheng, Digital Signcryption or How to Achieve Cost (signature & encryption) < Biography Chien-Hua Tsai is currently an Associate Professor in the Department of Accounting Information at Chihlee University of Technology, Taiwan. He received his Ph.D. degree in Electrical Engineering and Computer Science from Case Western Reserve University, Ohio, USA in 2000. His research interests include Information System Security, Secure Communication Protocols, Public Key Cryptosystems and Electronic Transaction Security.