Research Journal of Applied Sciences, Engineering and Technology 5(1): 270-274, 2013 ISSN: 2040-7459; e-ISSN: 2040-7467 © Maxwell Scientific Organization, 2013 Submitted: June 02, 2012 Accepted: June 23, 2012 Published: January 01, 2013

Adaptive Universal Composability Framework for Server-Aided Threshold Signature

Xuan Hong and Luqun Li Department of Computer Science and Technology, Shanghai Normal University, Shanghai 200234, China

Abstract: The threshold signature scheme is a protocol that allows any subset of t parties out of n to generate a signature. Since the t members can cooperate together to compute the secret , we introduce the server-aided threshold signature, which provides controllability for activating the signing function in a certain enhanced way. In this study, we present a server-aided threshold RSA signature protocol against the adaptive attacks. We give the universally composable secure model for the server-aided threshold signature primitive and prove that the proposed protocol is claimed to be well-formed, correct and unforgeability. As a separate contribution we also prove that it is also secure in the adaptive universal composability framework. After the discussion about the security and the performance, we claim that the protocol is practical and efficient.

Keywords: Adaptive security, server-aided, threshold signature, universal composability framework

INTRODUCTION that the password is divided into several pieces which are shared among a group of members. Only at least t A threshold signature scheme is a protocol that members together have the privilege to access the allows any subset of t parties out of n to generate a classified file. However, when some t members are signature. Meanwhile, it disallows the creation of a corrupted, the file will be leaked out. valid signature if fewer than t parties participate in the Therefore, we introduce the verifiable server, protocol. It should also be robust, meaning that which is physical secure and can be trusted by the corrupted parties should not be able to prevent company gateway. The server-aided threshold signature uncorrupted parties from generating signature. Though scheme, where the signing function can be activated by threshold schemes based on the discrete logarithm a server, provides user controllability for activating the problem are relatively straightforward to build, Basing user’s signing function. That is, if anyone has a power threshold schemes on the RSA problem is more to activate the signing function of the servers, he can difficult, due to the fact that the modulus Ф (N) cannot easily compute valid signatures for a specific be leaked to any of the shareholders. Boyd (1989) and organization without knowing the private key. Xu and Frankel (1989) present the first RSA based threshold Sandhu (2003) provided a general construction to build signature independently. These earlier protocols server assisted threshold signatures. Yang et al. (2006) additively share the signing key d among the parties. Rabin (1998) present the first reasonable efficient and also design two types of proactive secret sharing robust solutions. However, they tend to be more schemes which are suitable for server assisted threshold complex and less efficient in comparison to the discrete signatures. logarithm schemes. These earlier protocols additively In this study, we propose a server-aided threshold share the signing key d among the parties and they tend RSA signature protocol with adaptive universally to be more complex and less efficient. Later, (Shoup, composable security. In this protocol, the system is 2000) described his practical threshold signatures, composed of one server and multiple users who share which is widely regarded as the efficient threshold RSA the private key together. The server and all users must signature scheme. cooperate to produce a valid signature. In addition, the We consider a scenario that a classified file is proposed protocol has the adaptively UC-security, stored in a file server which locates behind the company which makes the adversary forge signatures of previous gateway. To access the file, someone outside the periods more difficultly even though she can corrupt company should launch the successful users at any time. The proposed protocol shares the with a correct password between himself and the secret with the additional sharing. The size of the authentication gateway. However the file is so sensitive signing key is constant and the size of the partial

Corresponding Author: Xuan Hong, Department of Computer Science and Technology, Shanghai Normal University, 100 Guilin Road, Shanghai 200234, China 270

Res. J. Appl. Sci. Eng. Technol., 5(1): 270-274, 2013 signature is constant, which are independent to the the signer is corrupted and FSATSig is asked to verify (m, number of the users. Furthermore, the threshold s), then FSATSig allows the ideal-process adversary to signature generation stage and the signature combining force the answer to be “1”, even if m was never before stage are completely non-interactive. At last, the signed. We add the corrupted signer and make the correctness and security have been analyzed. whole framework more reasonable. The functionality FSATSig is also the standard UNIVERSAL COMPOSABLE SECURE MODEL corruption functionality, with an additional stipulation. OF SERVER-AIDED THRESHOLD When a user P is corrupted, FSATSig records this fact and reports to the adversary all the signing and verification Recently some efforts were made towards requests made by P. If P is the signer then the adversary capturing the security requirements within the universal gets also the signature share generation algorithm SS composability framework. This modeling has some together with its current state. The verification significant advantages in designing and analyzing algorithm V is deterministic guarantees consistency, complex system. The framework maintains the security, namely that all verification requests for the same triple regardless of execution environment. That is suitable return the same answer. Verifying that V (m, σ) = 1 at for analyzing the mobile ad-hoc networks. Canetti signature generation time guarantees completeness, introduced the universal composability framework namely that if a signature was generated legally then it (Canetti and Rabin, 2003; Canetti, 2004) as the new will pass verification. The check for forgery at approach for designing and analyzing the security of verification time guarantees unforgeability. cryptographic primitives and protocols. The main concern is to create new approach for the assessment of Proxy threshold signature F : . It is guaranteed that a protocol SATSig with UC security maintains its security even when  Setup: When received (Setup, sid) from party P, running concurrently with others. When analyzing multiprotocol systems, we analyze each protocol as if it where sid = (P, sid’), FSATSig sends (Setup, sid) to is stand alone Then the composition theorem is used to the adversary A. When received (Algorithms, sid, deduce the security of all instances when running SS, SV, SC, V) from the adversary A, where SS is concurrently. description of a PPT ITM and SV, SC, V are Security of the protocol π is achieved via description of the deterministic PPT ITMs. FSATSig comparing the protocol execution in the real-life model sends (VeriAlgo, sid, SV) to the party P and to the ideal model. This is formalized by considering an (VeriAlgo, sid, V) to the server. environment Z, which represents all the other protocols  Signature share: When received (ThSign, sid, m) running in the system, including the protocols that from the party P, where sid = (P, sid’), FSATSig sets provide inputs to and obtain outputs from. Security is σ = SS (m), records the entry (m, σ), sends required that comparing protocol π with an ideal (ThSignature, sid, m, σ) to party P. functionality F, that is, whatever Z could achieve by  Combine: When received (Combine, sid, m, σ1, σ2, attacking π, it could also achieve by interacting with F. …, σt) from the server S, FSATSig check whether all in other words, if no environment can distinguish the t shares are registered. If so, FSATSig lets σ = SC interactions with π from those with F, the protocol π is (σ1,…,σt), records the entry (m, σ), outputs secure in the hybrid model. To make this precise, a (Combined, sid, m, σ) to S. special ITM S is introduced. The goal of S is to  Verify: When received (Verify, sid, m, σ) from simulate the adversary’s view of π, based on the party P, output (Verified, sid, m, σ, f)) to P, where information is willing to exchange with environment. f is determined as follows: We define the functionality FSATSig for the server- aided threshold signature, whose basic ideal is o If V’ = V and the entry (m, σ) is recorded, then set f providing a registry service" where the users can = 1. register their (message, share) pairs. Any party that o Else, if V’ = V and no entry (m, σ) is recorded, then provides the right verification key can check whether a set f = 0. given pair is registered. It takes four types of inputs, o Else, if V’ ≠ V, then set f = 0. which correspond to the four basic modules of the signature protocol: Setup, signature share, combine and SERVER-AIDED THRESHOLD SIGNATURE verify. PROTOCOL We also deal with the case that the signer is corrupted. Corrupted signers are controlled by the We present the server assisted threshold RSA adversary, which is different from the honest ones. If signature protocol π, which realizes FSATSig in a 271

Res. J. Appl. Sci. Eng. Technol., 5(1): 270-274, 2013 straightforward way. All parties in the protocol run zskcr i  the following code:

Combine: When the server receives the t signature Setup: It is run by the Key Generation Center (KGC). shares from some t signers. It firstly checks whether Given the security parameter k, the KGC perform RSA these shares are valid: key generation with secure parameter k to obtain modulus N, where, ? 4242z zc cHvxv'( , ,i , , vx , ) Npqpp, 2'1, q 2'1 q If the verification equations hold simultaneously, the with p, q, p’, q’ themselves prime. server can compute the signature for the group as The KGC lets M = p’q’, computes the RSA follows: components:  jS'\{} j(')ij Defines   ij, (')jj e,d, where ed 1mod M  jS'\{} j

The KGC chooses the secret key d’ at random for the 224  2 d ' 0,1  0,t x server, then sets a0 = d-d’ and chooses ai from { 1 t 0,…,m-l}, for 11in . These numbers define the polynomial: a, b, where 412 aeb

f ()xax i ab d' d  i The signature '()x xHMes

The KGC computes the secret key for each signer Si: Verify: Every party P can checks whether that:

skfiM ()mod e i   HMes()mod N

Now, the KGC computes the proofs for every signer Si. If so, the signature is valid.

Randomly select vQ N (subgroup of squares in ZN). Sets: SECURITY DISCUSSION

We will prove that for the server assisted vvski Q iN threshold signature protocol is correct, consistent and unforgeable under chosen message attack against The signature share verification key is (v, vi) and the adaptive adversary. The proposed protocol also public key is (N, e). implements the signature functionality defined before.

Signature share: We need a hash function H (·) Correctness: The following theorem shows that the mapping messages to elements of ZN. If signer Si wants signature produced by the proposed protocol satisfies to sign a valid signature on message Mes, it computes: the correctness. Theorem 1: The proposed scheme is verifiable, if the x  HMes() server and all the users follow the issuing protocol.

2ski iNx Q , where n! Proof 1: Let S is the set of t or more users and their

secret key is ski. The polynomial f(x) of degree t-1 is The signature share is σi and its proof is (z, c): expressed as:

rr4 vvxx',' t1 f ()xaax01  ... axto 1 mod M

42 cHvxv '( , ,ii , , vx ', ') where,

272

Res. J. Appl. Sci. Eng. Technol., 5(1): 270-274, 2013

f (0)add 'mod M Considering the zero-knowledge simulation, B can 0 also construct A’s view without knowing the value k . t This view includes the values of the random oracle Therefore, f(0) can be derived by the Lagrange formula: H’(·) at those points where the adversary A has queried the oracle, so B is in complete charge of the random f (0)  S  fj ( )mod M  jS 0, j o oracle. Whenever A asks a query to the random oracle, if the oracle has not been previously defined at the On the other hand, from the proposed scheme, we learn: given point, B defines it to be a random value and in any case returns the value to the A. When an uncorrupted proxy signers is supposed to 2 S 2 S  ede()xxx0,i1 0,it  ' generate a proof of correctness, B choose: ii1 t 4(()efi SS  ...()  fi   d ') k ||2Nk 10,iti1 0,t 4((0)')ef  d c {0,...,2 1} , z {0,...,2 1} xx

4()2 HMes  xN mod o at random and for given values xi, x, defines the value z cz2 c of the random oracle at (,vxv ,tt , x , vv t , xx t ) to If the signature δ is computed using the extended be c. Since B has not defined the random oracle at this Euclidean algorithm, it must satisfy the verification point before, it is free to do so now. The proof is just (z, equation. Hence, the theorem is proved. c). It is straightforward to verify that the distribution produced by B is statistically close to perfect. Unforgeability: An outside adversary may try to derive Hence, B can outputs a valid RSA signature (x, y), a forged proxy signature. We will show that all attacks while x has not been queried, with negligible fail on our scheme. probability. The scheme is proved.

Theorem 2: Suppose H(·), H’(·) be the random oracle, Active security: As in the passive case, the simulation there is t or fewer corrupted proxy signers, the proposed is statistically close to the protocol until the user is scheme is a secure threshold proxy signature scheme corrupted. In the active case, the adversary should assuming that the standard RSA signature scheme is corrupt any user at any time. The simulation should secure. forge the valid signature and parse the corrupt signer’s signature share verification. As the functionality FSATSig Proof 2: If there is an adversary A can forge our store all the signature share verification algorithms in proposed proxy signature, then there is an adversary B his database, he can answer all the queries. Since who can forge a RSA signature. We focus on how to FSATSig can answer the corrupted user’s secret key share simulate the adversary’s view. Giving access to an RSA queries in the simulation, FSATSig can correctly answer signing oracle which we use only when A asks for a A’s signature share verification queries. Thus, security signature share from an uncorrupted signer. of the proposed protocol can be reduced to the security Let i1,…,it-1 be the set of corrupted proxy signers. of RSA problem. B choose the ki belonging to the set of corrupted signers at random form {0,…, M-1}. We easily know that the Lemma 3: The proposed protocol is well formed, statistical distance between the uniform distribution on correct, unforgeable relative to the environments which {0,…, M-1} and the uniform distribution on {0,…, M- -1/2 corrupt and adaptively, at most t-1 parties. 1} is O(N ). Once all ki are chosen, the values ki for Theorem 4: The proposed protocol securely realizes the uncorrupted signers are also completely determined, the ideal functionality of server-aided threshold while can’t be computed without M. B requests the signature. RSA signing oracle to get δ. Then B easily computes: Briefly, this result is shown by constructing a UC simulator S, which will generate on its own a set of 2k i j keys for the signature scheme by executing internally xxt  an instance of π. Let A be an adversary that interacts with parties running π in the ideal model. We construct for the uncorrupted signer as: an ideal process adversary (simulator) S such that the view of any environment Z of an interaction with A and 2(SSek ( ...  S k ) π is distributed identically to its view of an interaction ttiitii,0 ,11 , tt 1 1 xyt  with S in the ideal process of FSATSig. Generally

273

Res. J. Appl. Sci. Eng. Technol., 5(1): 270-274, 2013 speaking, simulator S runs an internal copy of A and model for the server-aided threshold signature and each of the involved parties. prove that the proposed protocol is claimed to be well- Thus using the private keys, it can trivially simulate formed correct, consistent and t-1 unforgeability. As a the environment Z’s view of π by simply following the separate contribution we also prove that it is also secure protocol to generate signature. We can observe that the in the universal composability framework. It shares the only way it could differ from actual execution is if Z secret with the additional sharing. The size of the can produce a valid signature that was not legally signing key is constant and the size of the signature is generated. However, the unsolvable of the RSA constant, those are independent to the number of users. assumption ensures that such event occur with The proposed scheme reduces large amounts of negligible probability. modular exponential computations and communications. It can be applied to the mobile agent PERFORMANCE DISCUSSION system, regardless what the environment it interacts with. The study shares the secret key by using a simple Lagrange formula but not extra cryptographic ACKNOWLEDGMENT techniques. We hide the secret information M with the subgroup of squares. The proposed protocol satisfies the This Study is supported by the National Natural server assisted property, when the user wants to enjoy a threshold protection of her private signing function by Science Foundation of China (NSFC) under Grant taking advantage of multiple servers. It shares the secret No. 61003215 and Innovation Program of Shanghai with the additional sharing. The size of the signing key Municipal Education Commission No.12YZ072. is constant and the size of the signature is constant, those are independent to the number of users. REFERENCES Furthermore, the signature generation stage and the signature combining stage are completely non- Boyd, C., 1989. Digital Multisignatures. interactive. Owing to its simple algorithm and fewer and Coding, (Ed.), Oxford University Press, parameter requirements needed, the proposed protocol Oxford, pp: 241-246. requires the fewer calculations and the fewer Canetti, R. and T. Rabin, 2003. Universal composition transactions. with joint state: In Crypto. LNCS, 2729: 265-281. Mobile agent is one of the best application areas of Canetti, R., 2004. Universally Composable Signature, server-aided threshold signature scheme. The mobile certification and authentication. Proceedings of agent is autonomous software entity, which migrates the 17th IEEE workshop on Computer Security across different execution environments through the Foundations, IEEE Computer Society Press, New network. The characteristics of the mobile agent, York, pp: 219-233. mobility and autonomy, make it ideal for electronic Frankel, Y., 1989. A practical protocol for large group commerce applications in many ways, such as oriented networks: In EUROCRYPT. LNCS, 434: ubiquitous computing, mobile commerce. As the agents 56-61. are not trustworthy, or may be malicious, there are great Rabin, T., 1998. A simplified approach to threshold challenges. One way to reduce the computation cost on and proactive RSA: In CRYPTO. LNCS, 1462: mobile devices is to get help from a verifiable and a 89-104. powerful server. Shoup, V., 2000. Practical threshold signatures: In A possible solution is to adopt the server assisted EUROCRYPT. LNCS, 1807: 207-220. threshold signature. We store securely secret private Xu, S.H. and R. Sandhu, 2003. Two efficient and keys by servers instead of each mobile agent and provably secure schemes for server-assisted perform securely their cryptographic functions. threshold signature: In CT-RSA. LNCS, 2612:

355-373. CONCLUSION Yang, J.P., K.H. Rhee and K. Sakurai, 2006. A In this study, we present a simple, efficient and Proactive Secret Sharing for Server Assisted adaptively secure server-aided threshold RSA signature Threshold Signatures: In HPCC. LNCS, 4208: protocol. We give the universally composable secure 250-259.

274