TWI248744B - Multisignature scheme with message recovery for group authorization in mobile networks - Google Patents


Info

Publication number
TWI248744B
Authority
TW
Taiwan
Prior art keywords
signature
message
mod
signer
public key
Prior art date
Application number
TW92105426A
Other languages
Chinese (zh)
Other versions
TW200418297A (en)
Inventor
Shiuh-Pyng Shieh
Original Assignee
Accton Technology Corp
Priority date
Filing date
Publication date
Application filed by Accton Technology Corp
Priority to TW92105426A
Publication of TW200418297A
Application granted
Publication of TWI248744B


Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses an efficient multisignature scheme with message recovery for group authorization in unreliable networks, such as mobile networks, in which communication links are unreliable and hosts are frequently unreachable. The present invention also provides a threshold multisignature scheme for group authorization in mobile networks, built on the digital multisignature scheme, in which a multisignature is valid if t out of n signers have signed it. The threshold multisignature scheme according to the present invention lets each participant sign the same message separately and then combines a quorum of individual signatures into one multisignature.

Description

Technical Field

The present invention relates to a multisignature scheme for group authorization, and more particularly to an efficient multisignature scheme with message recovery for group authorization in an unreliable network system such as a mobile network, in which communication links are unreliable and hosts are frequently unreachable.

Prior Art

With the progress of computing and semiconductor technology, computers have become widespread, and the exchange of information over computer networks grows day by day. Measures for protecting information, such as authenticating the parties to an exchange, have therefore attracted attention. Society has entered the information age, in which information is handled like goods, and its transmission over public communication networks becomes ever more important. Correspondingly, the damage caused by unlawful disclosure or alteration of information keeps increasing.

To prevent such damage, the protection of information transmitted over communication networks, public networks in particular, has drawn attention, and research in this area is expanding rapidly. For example, identification schemes have been proposed that allow a party to confirm the identity of a correspondent, or the origin of received data, when data is exchanged over communication paths such as a public network; and digital signature schemes have been proposed that give effect to a digital signature on an electronic document produced at a terminal before communication, where the digital signature is a bit sequence encoded by the author that replaces the handwritten signature on a paper document. A digital signature scheme lets the recipient authenticate the origin of a transmitted document, confirm its content, and detect whether it has been altered without authorization.

In these identification and digital signature schemes, p is a large prime, q is another prime dividing p-1, and g is a natural number between 1 and p such that g^q mod p = 1; g, q and p are the system parameters shared by all users. Each user picks a random number s between 1 and q as a secret key and uses v ≡ g^{-s} mod p as the public key, so the public parameters of an individual user are v, g, q and p. Recovering the secret key s from these public values is hard; the difficulty is that of computing a discrete logarithm, and many public-key identification and digital signature schemes rest on the hardness of the discrete logarithm problem.

A digital signature can be regarded as a special form of seal, used where a trusted source of a message is required (just as a seal is used for verification). There are three modes of digital signature scheme: a digital signature scheme with appendix, a digital signature scheme giving message recovery, and a hybrid scheme that combines the two.

In a digital signature scheme with appendix, the signature is sent to the recipient together with the corresponding message. The message itself is not encrypted and is verified by the recipient. A well-known signature scheme with appendix is the ElGamal scheme, which is based on the discrete logarithm problem.

In a hybrid scheme combining the appendix and message-recovery types, the signature on a message is produced either in appendix form or in message-recovery form, depending on the length of the message being signed (as a bit string) or on the purpose of the signature. For a short message the hybrid scheme uses message recovery, which reduces the amount of data needed to verify the signature and hence the communication cost. For a long message, where information related to the message is included, the hybrid scheme uses the appendix method. The hybrid scheme therefore adapts the form of the signature to the length of the signed message.

... and the remainder of the product with v^x divided by p (mod p) is used to recover the message m. The verifier checks the digital signature (x, y) by confirming the content of the recovered message m.

The key exchange method is now described in detail. It uses the same algorithm as the N-R digital signature scheme, so that an agreed key is produced between users. Suppose users A and B share the system parameters g, q and p; A's secret key is s_A with public key v_A (≡ g^{-s_A} mod p), and B's secret key is s_B with public key v_B (≡ g^{-s_B} mod p). To establish an agreed key, A picks a random number R between 1 and q and computes x (≡ g^R · g^{s_A} mod p) and y (≡ R + s_A mod q). The result (x, y) is sent to B. A computes the agreed key K (≡ (v_B)^R mod p), the remainder of B's public key v_B raised to the power R and divided by p. From the (x, y) received from A, B computes g^R (≡ v_A · x mod p), thereby recovering g^R, and computes K (≡ (g^R)^{-s_B} mod p). Thus A and B establish an agreed key with a single transmission and reception.

For another key exchange whose security rests on the discrete logarithm problem, the Diffie-Hellman key exchange has been proposed for producing an agreed key between two users. In that method, users A and B share the system parameters g, q and p, each picks a random number a or b between 1 and q, and they compute g^a and g^b. After exchanging the computed g^a and g^b, A and B both obtain the same value K.

Conventional digital signature schemes usually allow only a single signer to sign a message. In some network environments, however, the responsibility for signing a message may belong to a group of signers, and a message may need to be signed by several signers to be authorized.

In group-oriented applications, group authorization of a message is achieved by having the group members sign the message with their digital signatures. A group of users authorizes a message carrying a program or document by signing it, and an external verifier can verify the signature and decide the privileges of the requesting message. For example, a company policy must be voted on or signed by several managers before it takes effect; authenticating delegates in mobile code systems are another application. A multisignature scheme is therefore needed.

A multisignature is produced by a group of signers, each holding its own secret. In general, the main difference between a handwritten multisignature and a digital multisignature lies in the size of the signature: for a handwritten multisignature the size grows linearly with the number of signers, whereas for a digital multisignature the size is the same as for a single signer.

In a multisignature scheme, all members of the group cooperate to produce a valid multisignature, and every member bears the same responsibility for the signed message. In other words, the signers of a multisignature are identified from the outset, and the validity of the multisignature must be verified together with the signers' public keys. Any outsider can therefore be sure that every member of the group took part when the multisignature was produced.

In these schemes, however, the signers or the signing order must still be fixed in advance, or the size of the multisignature still grows in proportion to the number of signers.

Consider a group-oriented service divided among several mobile servers, where a server may be the mobile device carried by a designated user. A client may send a request message containing a document or mobile code to any mobile server. On receiving the request, the delegate server responds on behalf of the group of mobile servers: it forwards the request to all reachable servers and waits for their replies. If the delegate server receives replies from more than a quorum of the mobile servers, the task completes successfully and the delegate server returns the result to the client. In this procedure the participating mobile servers must be authenticated so that intrusions can be detected; that is, the reply returned to the client must be signed by a quorum of the mobile servers. This motivates a threshold multisignature scheme with message recovery. In a reliable network a multisignature scheme may already meet the requirement, but it may not suffice in a mobile network with unreliable communication links and frequently unreachable hosts.

Furthermore, in a multisignature scheme an external verifier needs the public keys of all group members to verify the multisignature, and can thereby be sure that every member participated in it. What the verifier cares about is that the message has been signed by at least t members and that those members genuinely belong to the group; the verifier has no way of checking whether a given member took part in producing the group multisignature. Conventional multisignature schemes are therefore unsuitable for these applications and should be replaced by a (t, n) threshold multisignature scheme.

In a (t, n) threshold multisignature scheme, t or more members of the same group cooperate to produce a valid group signature. When a verifier needs to check the validity of the signature, it uses the public keys of all members to obtain the group public key. Because the group public key is derived from the public keys of all members rather than of the actual participants, the verifier cannot identify the individual participating signers.

Digital multisignature schemes and (t, n) threshold multisignature schemes have been proposed in the literature. In 1994 L. Harn proposed a parallel digital multisignature scheme based on the discrete logarithm problem, in "Group-oriented (t, n) threshold digital signature scheme and digital multisignature," IEE Proceedings - Computers and Digital Techniques, Vol. 141, No. 5, pp. 307-313, Sep. 1994. The parallel digital multisignature scheme lets several signers sign the same message separately and send their individual signatures to a designated clerk, who validates each individual signature and then combines them all into a multisignature. Harn further developed this multisignature scheme into a parallel (t, n) threshold multisignature scheme, in "New digital signature scheme based on discrete logarithm," Electronics Letters, Vol. 30, No. 5, pp. 396-398, Mar. 1994. In the (t, n) threshold multisignature scheme, t or more members of the group cooperate to produce a valid group signature, and the verifier can check the validity of the group signature without identifying the individual signers. In Harn's scheme, however, the cost of message exchange between signers is high; moreover, the scheme does not support message recovery and the message is not encrypted.

Langford first introduced threshold signatures for the Digital Signature Standard (DSS), based on (t, n) threshold multisignatures, in "Threshold DSS Signatures without a Trusted Party," Advances in Cryptology - Crypto '95 proceedings, Springer-Verlag, pp. 397-409, 1995. A modified secret sharing technique is used to generate shares of the private key before the private key itself is actually formed. Two general threshold DSS multisignature schemes are proposed. The first, a t-out-of-n threshold scheme, relies on a shared pre-computed list to prevent shareholders from signing more than one message with the same value k. The second requires (…) signers to take part in the signing scheme to achieve t-out-of-n security, which is impractical for large t. Langford's schemes have a provable level of security but do not address message recovery.

Shieh等人提出另一用於群體導向且以散離對數問題爲基 礎之平行數位多重簽章機制,見於"Digital Multisignature Schemes for Authenticating Delegates in Mobile Code Systems,'1 IEEE Transactions on Vehicular Technology, Vol. 49, No. 4, July 2000, pp. 1464-1473.。該機制提供訊息還原能力,而且對於訊 息交換成本之需求比Harn所提出之機制更低。該機制並無簽 署訊息於該機制之每對簽署者之間交換,有別於Harn之機 制。然而,該機制需要額外一共同信任之公證者以參與簽章產 1248744 生階段。且該機制不容許主機與通訊之連結失敗’而且未設計 於行動通訊應用中。 參考圖1,該圖顯示一說明數位簽章機制之表格’該數位 簽章係見頒佈給Park等人之美國專利第5,966,445號之先前技 術,其標題爲 “identification scheme single or multi-digital signature scheme giving message recovery single or multi-digitai signature scheme with appendix key exchange scheme and blind digital signature scheme”。其揭示了 一鑑定機制,該機制允許 一證明者(prover)更確定地鑑定自己之身分給驗證者,而且 預防使用過之鑑定資訊被重複使用;一金鑰交換,其中於兩使 用間使用了一共同秘密金鑰,係爲了不允許一未經授權者之不 當利用;一授予訊息還原功能之數位簽章機制與具有附件之數 位簽章機制,且依據一簽署之訊息大小,用以產生一訊息還原 形式或具有附件形式之數位簽章;一多重數位(multi-digital) 簽章機制,用以允許多位簽署者產生有關於同一訊息之數位簽 章,而且依據一簽署之訊息長度,將該數位簽章產生爲一訊息 還原形式或具有附件之形式;以及一隱藏式(blind)數位簽 章機制,用以當簽署訊息不應開放於公開場合與簽署者時產 生,因此一簽署者不知道該訊息上之內容。 然而,儘管有了這些機制,該簽署者與簽名順序仍必須預 先決定,或者一多重簽章之大小變化仍與簽署者人數成比例。 且這些機制通常尙缺乏了訊息還原能力,或不可支援行動網路 中之群體授權。 9 1248744 有鑑於此,便有需要提供一種具有訊息還原功能之新式 (G /7)門檻多重簽章機制,該機制整合了( Λ /7)門檻秘密分 ζ享機制(threshold secret sharing scheme)與多重簽章機制之理 念,習用之(、乂 //)門檻秘密分享機制將該主要秘密分解成^ * 個投影,於此一方法中,除非每一個ί投影被集合,否則主要 秘密將無法還原。而整合門檻秘密分直機制與多Γ巧牽機制r 不容易。 - 【內容】 . 本發明之主要目的在於提供一種具有訊息還原特性之有 效數位多重簽章機制,用以克服先前技術之缺點。 本發明之次要目的在於提供一種由多重簽章機制發展出 之(Λ万)門檻多重簽章機制,其中該門檻多重簽章機制也具 有訊息還原能力,且支援行動網路中之群體授權。 依據本發明之主要目的,其提供一種一具訊息還原功能之 多重簽章機制之電腦實施方法,用以產生以及驗證數位簽章。 其中系統係數係爲大質數A α及一單向雜湊函數(one-way hash function) Η ;多位簽署者產生用於一訊息m之一連續數位 | 簽章;以及於0與;7-/之間亂數選取其私用金鑰,使得gccKX:, ,/) = 1,然後計算Yi s (c〇Xi mod 當爲其公開金鑰,該方法 係包括下列步驟··多位簽署者之一初始簽署者簽署具有適當冗 位(Kdundancy)之訊息M,且Μ藉由該簽署者之私密金鑰 10 1248744 Χι加密後係成爲密文(ciphertext) m ;於1與π-l之間選取一* 隨機數h,而且計算一由(α)4/與訊息m之乘積除以ρ而得的 餘數 rl ( e [m · (cO-klfmod; p),以及計算一由[XI - - rl)] 除以ρ-l而得的餘數sl(s [XI - U7 - rl)] .Μ &-乃);傳送(n, Sl,.H(M))給所有其他簽署者。一第i位簽署者(其中2 < i S 77)係使用Y]. 
· rl · (α)Γΐ-$1還原該密文m,其中該€巧之 密文m在此標示爲m’ ;且藉由使用該初始簽署者之公圖金 鑰去驗證該簽章(n,Sl)之確實性。接收(n, Sl,H(M))之第 i位簽署者(其中2 S i S /7)選取一介於1與ρ-l之隨機數 么,而且計算由(α)4/與訊息m之乘積除以p而得的餘數ri(s [Π1 ·⑻七]/27W;7),以及計算一由[Xi - (h·- ri)]除以p-1而得 的餘數 si O [Xi -(上/ - ri)] /Z7W ;傳回(n,Si)給該初 始簽署者。依據所接收之任一個別簽章(n,Sl),其中2 ^ i S η,該初始簽署者使用Yi · ri · (〇〇ri-si還原該密文m,且藉 使用第i位簽署者之公開金鑰以驗證該個別簽章(n,Si)之確 實性。該初始簽署者計算R( 4m·⑻-(ir/-rl)-…-(h-nz) ] mod /7)與 S 〇 R-l · [si + s2 +···+ s;7] mod (θ-1)),組合一用於該 訊息M且含有η位簽署者之多重簽章(R,S,H(M));以及傳 送該多重簽章給外部驗證者。該外部驗證係依據所接收之該用 於訊息Μ之組合式多重數位簽章(R,S,H(M)),驗證該多重 簽章之確實性,而且藉由使用所有簽署者之公開金鑰Y,(其 中1 S i S 77),將訊息m從多重簽章中還原出來。 依據本發明之另一目的,其提供一種一具訊息還原功能之 1248744 (t,η)門檻多重簽章機制之電腦實施方法Γ用以產生以及驗 證數位簽章,其中系統係數係爲大質數Α 及一單向雜湊函 數(one-way hash function) Η,多位簽署者產生用於一訊息m 之一連續數位簽章,以及於0與之間亂數選取其私用金鑰 ,使得gcd(Xi,少乃=1,然後計算Ξ (a)Xi m〇d β當爲其 公開金鑰,該方法係包括下列步驟: 一第·;位簽署者於 中選取一含ί-l項之隨機多項式,使得+ —·//"mod (/;-/),其中X係爲第i位簽署者之私 用金鑰;而且於一安全通道中將以以傳送至仂(其中1 < jShieh et al. propose another parallel-digit multi-signature mechanism based on group-oriented and based on the logarithm of the logarithm problem, as found in "Digital Multisignature Schemes for Authenticating Delegates in Mobile Code Systems, '1 IEEE Transactions on Vehicular Technology, Vol. 49, No. 4, July 2000, pp. 1464-1473. This mechanism provides message reduction capabilities and the need for message exchange costs is lower than that proposed by Harn. The mechanism does not have a signing message exchanged between each pair of signers of the mechanism, which is different from Harn's mechanism. However, the mechanism requires an additional notary public of common trust to participate in the signature phase of the 1248744 birth. And the mechanism does not allow the connection between the host and the communication to fail' and is not designed for mobile communication applications. Referring to Fig. 1, there is shown a table illustrating the digital signature mechanism. The digital signature is described in the prior art of U.S. Patent No. 
5,966,445 issued to Park et al., entitled "identification scheme single or multi-digital signature scheme". Giving message recovery single or multi-digitai signature scheme with appendix key exchange scheme and blind digital signature scheme". It reveals an authentication mechanism that allows a prover to more accurately identify one's identity to the verifier and prevent reuse of the authentication information from being reused; a key exchange, which is used between the two uses A common secret key is to prevent improper use of an unauthorized person; a digital signature mechanism for granting a message restoration function and a digital signature mechanism with an attachment, and based on the size of a signed message, to generate a A form of message restoration or a digital signature with an attachment; a multi-digital signature mechanism to allow multiple signers to generate a digital signature for the same message, and based on the length of a signed message, Generating the digital signature as a form of message restoration or in the form of an attachment; and a blind digital signature mechanism for generating when the signed message should not be open to the public and the signatory, thus a signer I don't know what's on the message. However, despite these mechanisms, the signer and signature sequence must still be pre-determined, or the size of a multiple signature change is still proportional to the number of signers. And these mechanisms often lack the ability to restore information or support group authorization in mobile networks. 
9 1248744 In view of this, there is a need to provide a new (G / 7) threshold multi-signature mechanism with message restoration function, which integrates the ( Λ / 7) threshold secret sharing scheme and The concept of multiple signature mechanism, the use of (, 乂 / /) threshold secret sharing mechanism to break the main secret into ^ * projections, in this method, unless each ί projection is collected, the main secret will not be restored . It is not easy to integrate the threshold secret mechanism and the multi-function mechanism. - [Contents] The main object of the present invention is to provide an effective digital multi-signature mechanism with message restoration characteristics to overcome the disadvantages of the prior art. A secondary object of the present invention is to provide a multi-signature mechanism developed by a multi-signature mechanism, wherein the multi-signature mechanism also has a message-reduction capability and supports group authorization in a mobile network. In accordance with a primary object of the present invention, a computer implementation method for a multiple signature mechanism of a message restoration function for generating and verifying a digital signature is provided. The system coefficients are a large prime number A α and a one-way hash function Η ; multiple signers generate one consecutive digits for a message m | signature; and 0 and 7-/ Select the private key between the random numbers so that gccKX:, , /) = 1, and then calculate Yi s (c〇Xi mod when it is publicly disclosed, the method includes the following steps. 
· Multiple signers An initial signer signs a message M with appropriate redundancy and is encrypted by the signer's private key 10 1248744 Χι as ciphertext m; between 1 and π-l a * random number h, and calculate a remainder rl ( e [m · (cO-klfmod; p)) obtained by dividing the product of (α) 4 / and the message m by ρ, and calculating one by [XI - - rl )] The remainder obtained by dividing ρ-l (s [XI - U7 - rl)] .Μ &- is); (n, Sl, .H(M)) is transmitted to all other signers. An i-th signer (where 2 < i S 77) restores the ciphertext m using Y]. rl · (α) Γΐ-$1, wherein the ciphertext m is denoted here as m'; And verifying the authenticity of the signature (n, Sl) by using the initial signer's public key. Receive the (i, Sl, H(M)) ith signer (where 2 S i S /7) to select a random number between 1 and ρ-l, and calculate by (α) 4 / and message m The remainder of the product divided by p is ri(s [Π1 ·(8)7]/27W; 7), and the remainder si 0 obtained by dividing [Xi - (h·- ri)] by p-1 [ Xi -(上 / - ri)] /Z7W ; Pass back (n, Si) to the initial signer. According to any individual signature (n, S1) received, where 2 ^ i S η, the initial signer uses Yi · ri · (〇〇ri-si to restore the ciphertext m, and sign by using the ith bit The public key to verify the authenticity of the individual signature (n, Si). The initial signer calculates R( 4m ·(8)-(ir/-rl)-...-(h-nz) ] mod /7) Combine with S 〇Rl · [si + s2 +···+ s;7] mod (θ-1)), combine a multiple signature (R, S, H) for the message M and containing the η-bit signer M)); and transfer the multiple signatures to the external verifier. The external verification verifies the authenticity of the multiple signatures based on the combined multi-digit signature (R, S, H(M)) received for the message, and by using the disclosure of all signers The key Y, (where 1 S i S 77), restores the message m from the multiple signatures. 
According to another object of the present invention, a computer implementation method for a 1248744 (t, η) threshold multiple signature mechanism for message restoration is provided for generating and verifying a digital signature, wherein the system coefficients are large prime numbers. And a one-way hash function Η, a plurality of signers generate a consecutive number of signatures for a message m, and select a private key between 0 and a random number to make gcd ( Xi, less is =1, and then calculate Ξ (a)Xi m〇d β as the public key, the method includes the following steps: a first; the signer selects a random number containing ί-l Polynomial, such that + —·//" mod (/;-/), where X is the private key of the i-th signer; and will be transmitted to 仂 in a secure channel (where 1 < j

Sn,且j # i)以及播送^(~)111()<^,多位簽署者中之一初始 簽署者簽署了具有適當冗位(redundancy)之訊息Μ,且Μ藉 由該簽署者之私密金鑰I加密後係成爲密文m ;於1與/7-1 之間選取一隨機數h,而且計算一由(α)4/與訊息m之乘積除 以P而得的餘數rl ( 4m ·⑼彳/] /z7Wp),以及計算一由[Xl-UZ - rl) + QlLl] 除以 p-1 而得 的餘數 sl( 4X1 - (々/ - rl) + Q1L1] 剔J 厂);傳送(n,Sl,H(M))給所有其他簽署者;其中因 . Ω1 =(X/;(^)mod(/7-l)) 爲只有Ui知道每一個,所以 ㈣ 只可藉Sn, and j # i) and broadcast ^(~)111()<^, one of the multi-signers, the initial signer signed the message with the appropriate redundancy, and by the signer The private key I is encrypted and becomes ciphertext m; a random number h is selected between 1 and /7-1, and a remainder rl of (α)4/ multiplied by the message m divided by P is calculated. (4m ·(9)彳/] /z7Wp), and calculate the remainder of [Xl-UZ - rl) + QlLl] divided by p-1 (4X1 - (々/ - rl) + Q1L1] Transfer; (n, Sl, H(M)) to all other signers; where Ω1 = (X/; (^) mod(/7-l)) is only Ui knows each one, so (4) can only borrow

Lt^( ΓΤ -^~mod(p~l)) 由山做計算(其中任何1),且因爲 値 無關任何秘密資訊,所以該値係爲公開。該第i位簽署者(其 中2 S i S 〇係使用γ卜λΐυ · rl · (〇〇rl-sl還原該密文m ; 12 1248744 而且藉由使用該初始簽署者之公開金鑰以驗證該簽章(n,si) 之確實性;其中該還原之密文m標示爲m’ ,而且 ^ ξ γ^α/]{χ〇 mod(/7-l) ^ 。該第i位簽署者(其中2 S i S /?)接 收(n,s^,H(M)),選取一介於1與Μ之隨機數么·,而且計算 由(a)-h與訊息m之乘積除以P而得的的餘數ri( =· 〇*力·Ύ πΜ/Ο,以及計算一由[Xi - (h· - ri) - QiLi]除以ρ-1而f守的餘〜 數 si ( 4Xi -(々/ - ri) - QiLi] &-");以及傳回(Γι,sO 給 Ω/ Ξ X/y(^)mod(p~l) 該初始簽署者,其中 ~ ,且Lt^( ΓΤ -^~mod(p~l)) is calculated by the mountain (any of them 1), and since 値 has no secret information, the 値 is public. The i-th signer (where 2 S i S is γ λ λ · rl · (〇〇 rl-sl restores the ciphertext m; 12 1248744 and by using the initial signer's public key to verify the The authenticity of the signature (n, si); wherein the reduced ciphertext m is denoted by m', and ^ ξ γ^α/]{χ〇mod(/7-l) ^. The i-th signer ( Where 2 S i S /?) receives (n, s^, H(M)), selects a random number between 1 and Μ, and calculates the product of (a)-h and the message m divided by P. The remainder ri( =· 〇 * force·Ύ πΜ/Ο, and the calculation one by [Xi - (h· - ri) - QiLi] divided by ρ-1 and the remainder of f s ~ (si) (4Xi - ( 々 / - ri) - QiLi] &-"); and return (Γι,sO to Ω/ Ξ X/y(^)mod(p~l) the initial signer, where ~ , and

L_i ≡ Π … mod (p-1). For any received individual signature (r_i, s_i), where 2 ≤ i ≤ t, the initial signer recovers the ciphertext m using Y_i · λ_i^{L_i} · r_i · α^{r_i - s_i}, and verifies the authenticity of the individual signature (r_i, s_i) by using the i-th signer's public key, where λ_i ≡ Π α^{f_j(z_i)} mod (p-1). The initial signer computes R (≡ [m · α^{-(k_1 - r_1) - … - (k_t - r_t)}] mod p) and S (≡ R^{-1} · [s_1 + s_2 + … + s_t] mod (p-1)), assembles a multisignature (R, S, H(M)) for the message M with t signers, and sends the multisignature to an external verifier. On receiving the combined multiple digital signature (R, S, H(M)) for the message M, an external verifier verifies the authenticity of the multisignature and recovers the message m from it by using the public keys Y_i of all signers (where 1 ≤ i ≤ t).

To make the above and other objects, features and advantages of the invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.

[Embodiments]
Preferred embodiments of the invention are described in detail below with reference to the drawings.

Efficient multisignature scheme with message recovery
The first figure shows a table illustrating a multisignature scheme with message recovery according to the invention. Consider a mobile communication application in which delegated access to the wireless Internet is granted by sending a message carrying a mobile code. With a multisignature, all delegates can sign the mobile code in parallel, so the receiving end can identify the signers of the mobile code and determine its access rights.

The invention provides a new, efficient multisignature scheme with message recovery based on the discrete logarithm. The public information consists of a prime p, a natural number α, the public key Y_i of each member U_i, and the signature. The secret information comprises the member's private key X_i and random number k_i. A security analysis of the scheme is given below.

Let p be a large prime, α an element of the finite field GF(p) generated by the prime p, and H a one-way hash function. All members know p, α and H. Each member randomly selects its private key X_i between 0 and p-1 such that gcd(X_i, p-1) = 1, and then computes Y_i ≡ α^{X_i} mod p as its public key.

Suppose n members want to sign a message M ∈ Z_p; for brevity, assume the n members are U_1, U_2, …, U_{n-1} and U_n. Unlike the scheme proposed by Harn, the scheme of the invention needs no designated clerk. The initial signer U_1 acts as the initiator who signs the message M first and asks the other members U_i to sign M. U_1 is also responsible for collecting and verifying the individual signature of every U_i (where 2 ≤ i ≤ n) and for producing a combined multisignature of all members on the message M. The scheme consists of the following phases: the individual signature generation phase, the multisignature generation phase and the multisignature verification phase.

Individual signature generation phase
- Generation of the basic individual signature:
When U_1 signs the message M, which carries suitable redundancy, U_1 encrypts M with its private key X_1. Let m be the ciphertext of M. U_1 selects a random number k_1 between 1 and p-1 and computes
r_1 ≡ [m · α^{-k_1}] mod p (1)
s_1 ≡ [X_1 - (k_1 - r_1)] mod (p-1) (2)
The basic signature of U_1 on the message M consists of the three parts (r_1, s_1, H(M)). After signing M, U_1 sends (r_1, s_1, H(M)) to all other members U_2, U_3, …, U_n and keeps the number k_1 secret.

- Verification of the basic individual signature:
When another member U_i (where 2 ≤ i ≤ n) receives (r_1, s_1, H(M)), U_i tries to recover the ciphertext m and verifies the authenticity of the basic individual signature (r_1, s_1) by using U_1's public key. U_i recovers m with the following equation:
Y_1 · r_1 · α^{r_1 - s_1} ≡ [α^{X_1} · m · α^{-k_1} · α^{-X_1 + k_1}] mod p ≡ m mod p (3)
To avoid confusion, the recovered m is denoted m'. U_i decrypts m' into the plaintext M' with U_1's public key and checks whether M' satisfies the equation H(M') = H(M) mod p. By equation (3), U_i has also verified the authenticity of the basic individual signature (r_1, s_1).

- Generation of the individual signature
If U_i agrees with the content of M, it signs m and produces its individual signature by the following steps.
Step 1: Randomly select a number k_i between 1 and p-1 and compute
r_i ≡ [m · α^{-k_i}] mod p (4)
Step 2: Solve the equation
s_i ≡ [X_i - (k_i - r_i)] mod (p-1) (5)

The individual signature of U_i on the message M consists of the two parts (r_i, s_i).

After producing its individual signature on the message M, U_i returns (r_i, s_i) to the initiator U_1 and keeps the number k_i secret.

Multisignature generation phase
- Verification of the individual signatures:
For any received individual signature (r_i, s_i), where 2 ≤ i ≤ n, U_1 tries to recover the ciphertext m and verifies the authenticity of the individual signature (r_i, s_i) by using U_i's public key. The message m is recovered by executing equation (6).

Y_i · r_i · α^{r_i - s_i} ≡ [α^{X_i} · m · α^{-k_i} · α^{-X_i + k_i}] mod p ≡ m' mod p (6)
After recovering the message m' by equation (6), U_1 compares the recovered message m' with the original message sent to U_i and checks whether the two agree. If they agree, the authenticity of the individual signature (r_i, s_i) is verified. When the individual signature passes verification, i.e. the message recovered from it agrees with the original message, α^{-k_i} mod p is recovered from r_i by executing equation (7).
r_i · m^{-1} ≡ [m · α^{-k_i} · m^{-1}] mod p ≡ α^{-k_i} mod p (7)

- Generation of the combined multisignature
Once all individual signatures have been received and have all passed verification, all α^{-k_i} are computed, and U_1 can then compute R and S, defined as
R ≡ [r_1 · α^{-k_2} · … · α^{-k_n} · α^{r_1} · … · α^{r_n}] mod p (8)
  ≡ [m · α^{-k_1 + r_1 - k_2 + r_2 - k_3 + r_3 - … - k_n + r_n}] mod p
  ≡ [m · α^{-(k_1 - r_1) - … - (k_n - r_n)}] mod p
S ≡ R^{-1} · [s_1 + s_2 + … + s_n] mod (p-1) (9)
The combined multisignature of U_1, U_2, …, U_{n-1} and U_n on the message M is then (R, S, H(M)). U_1 sends the multisignature to the external verifier.

Multisignature verification phase
On receiving the combined multiple digital signature (R, S, H(M)) on the message M, an external verifier must verify the authenticity of the multisignature using the public keys Y_i of all signers (where 1 ≤ i ≤ n) and recover the message m from the multisignature. The group public key Y associated with all signers is determined by equation (10).
Y ≡ Π Y_i mod p, where 1 ≤ i ≤ n (10)
The recovery and verification procedure is as follows:
Step 1: Compute
Y · R · α^{-SR} (11)
  ≡ [α^{X_1 + … + X_n} · m · α^{-k_1 + r_1 - k_2 + r_2 - … - k_n + r_n} · α^{-X_1 + k_1 - r_1 - X_2 + k_2 - r_2 - … - X_n + k_n - r_n}] mod p
  ≡ m' mod p
Step 2: Decrypt m' into the plaintext M' with U_1's public key, and check whether the M' recovered by equation (11) satisfies the equation H(M') = H(M) mod p. If M' satisfies it, the authenticity of the combined multisignature is verified.

Threshold multisignature scheme with message recovery
The third figure shows a table illustrating a threshold multisignature scheme with message recovery according to the invention. Although a multisignature scheme can share the responsibility for signing a message among a group of signers, it cannot prevent a verifier from establishing that a member U_i really took part in a multisignature. In some applications, what the verifier cares about most is that a message was signed by a quorum of the group, but the verifier must not be able to verify whether a particular person really took part in producing the group's signature. In this situation a (t, n) threshold multisignature scheme is needed.

A threshold multisignature scheme with message recovery is designed by refining the multisignature scheme described in Section 3. To simplify the presentation, the notation below is the same as in the second figure, and a mathematical proof is given that the scheme executes correctly.

For brevity, assume that the t signers out of the n members are U_1, U_2, …, U_{t-1} and U_t. The initial signer U_1 acts as the initiator, i.e. the first signer, and asks the other participants to sign the message M. U_1 is also responsible for collecting and verifying the individual signatures of all U_i (where 2 ≤ i ≤ t) and for producing a combined multisignature of all members on the message M. The scheme consists of the following phases: the private key sharing phase, the individual signature generation phase, the multisignature generation phase and the multisignature verification phase.

Preliminary: private key sharing phase
When the system starts operating, every group member must act as a dealer under the (t, n) threshold secret sharing scheme and distribute shadows of its own secret key to the other group members.
Let z_i be the public information associated with member U_i, and X_i the private key of U_i. Each group member selects in Z_{p-1} a random … with t-1 terms … the value L_1 is public.

The basic signature of U_1 on the message M consists of the three parts (r_1, s_1, H(M)). After signing M, U_1 sends (r_1, s_1, H(M)) to all other members U_2, U_3, …, U_t and keeps the number k_1 secret.

- Verification of the basic individual signature:
When any member U_i (where 2 ≤ i ≤ t) receives (r_1, s_1, H(M)), U_i tries to recover the ciphertext m and verifies the authenticity of the basic individual signature (r_1, s_1) by using U_1's public key. The following equation is executed first to recover m:
Y_1 · λ_1^{L_1} · r_1 · α^{r_1 - s_1} (23)
  ≡ [α^{X_1} · α^{Ω_1 L_1} · m · α^{-k_1} · α^{r_1 - X_1 + k_1 - r_1 - Ω_1 L_1}] mod p
  ≡ m' mod p
where Ω_1 ≡ Σ_{j=t+1}^{n} f_j(z_1) mod (p-1). U_i then decrypts m' into the plaintext M' with U_1's public key and checks whether the M' recovered by equation (23) satisfies the equation H(M') = H(M) mod p. By equation (23), U_i has also verified the authenticity of the basic individual signature (r_1, s_1).

- Generation of the individual signature
If U_i agrees with the content of M, it signs m and produces its individual signature by the following steps.
Step 1: Randomly select a number k_i between 1 and p-1 and compute
r_i ≡ [m · α^{-k_i}] mod p (24)
Step 2: Solve the equation
s_i ≡ [X_i - (k_i - r_i) - Ω_i L_i] mod (p-1) (25)

where Ω_i ≡ Σ_{j=t+1}^{n} f_j(z_i) mod (p-1)

The individual signature of U_i on the message M consists of the two parts (r_i, s_i).
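The following is a worked example of the non-threshold scheme described above (equations (1) to (11): individual signing, recovery of m from an individual signature, combination into (R, S), and recovery of m from the multisignature with the group key). It is added here and is not code from the patent. It assumes toy parameters p = 1019 (a safe prime, p-1 = 2·509) and α = 2, which generates GF(p)*; real deployments need a large prime. Because the page does not specify the private-key encryption that turns M into m, the example takes m = M and relies on the H(M) comparison as the redundancy check. One caveat the page leaves implicit: S needs R^{-1} mod (p-1), which exists only when gcd(R, p-1) = 1; the example restarts the round with fresh k_i when it does not (an assumption made here).

```python
"""Multisignature with message recovery, following equations (1)-(11).

Added worked example, not code from the patent.  Assumptions made here:
  * toy parameters p = 1019 (safe prime, p-1 = 2*509) and alpha = 2,
    a generator of GF(p)*; never use such a small prime in practice;
  * the page's "encrypt M under the private key to get m" step is not
    specified, so m = M and the H(M) comparison supplies the redundancy.
"""
import hashlib
import secrets
from math import gcd

P = 1019
ALPHA = 2


def h(message: int) -> bytes:
    """One-way hash H sent alongside the signature."""
    return hashlib.sha256(message.to_bytes(4, "big")).digest()


def keygen():
    """Private key X_i with gcd(X_i, p-1) = 1, public key Y_i = alpha^X_i mod p."""
    while True:
        x = secrets.randbelow(P - 1)
        if x > 0 and gcd(x, P - 1) == 1:
            return x, pow(ALPHA, x, P)


def sign_individual(m: int, x: int, k: int = None):
    """Eqs. (1)/(2) and (4)/(5): r = m*alpha^-k mod p, s = X - (k - r) mod (p-1).
    k is drawn fresh per signature and must stay secret; it is a parameter
    only so that a hand-computed case can be reproduced."""
    if k is None:
        k = secrets.randbelow(P - 1) + 1          # 1 <= k <= p-1
    r = (m * pow(ALPHA, -k, P)) % P
    s = (x - (k - r)) % (P - 1)
    return r, s


def recover_individual(r: int, s: int, y: int) -> int:
    """Eqs. (3)/(6): Y * r * alpha^(r-s) mod p gives back m'."""
    return (y * r * pow(ALPHA, r - s, P)) % P


def combine(sigs, m: int):
    """Eqs. (7)-(9).  sigs = [(r_1, s_1), ..., (r_n, s_n)], each already checked
    with recover_individual.  alpha^-k_i (i >= 2) is read off r_i by eq. (7);
    R = r_1 * prod alpha^-k_i * prod alpha^r_i; S = R^-1 * sum(s_i) mod (p-1)."""
    m_inv = pow(m, -1, P)
    R = sigs[0][0]                                # r_1 = m * alpha^-k_1
    for r, _ in sigs[1:]:
        R = (R * r * m_inv) % P                   # times alpha^-k_i, eq. (7)
    for r, _ in sigs:
        R = (R * pow(ALPHA, r, P)) % P            # times alpha^r_i
    if gcd(R, P - 1) != 1:                        # R^-1 mod (p-1) must exist
        raise ValueError("R not invertible mod p-1: restart with fresh k_i")
    S = (pow(R, -1, P - 1) * sum(s for _, s in sigs)) % (P - 1)
    return R, S


def recover_multisig(R: int, S: int, pubkeys) -> int:
    """Eqs. (10)/(11): Y = prod Y_i mod p; Y * R * alpha^(-S*R) mod p = m'."""
    Y = 1
    for y in pubkeys:
        Y = (Y * y) % P
    return (Y * R * pow(ALPHA, -(S * R), P)) % P


def run_protocol(message: int, n: int):
    """U_1 signs, U_2..U_n check and sign, U_1 combines, an outsider verifies.
    All signers restart with fresh k_i if R turns out not to be invertible."""
    keys = [keygen() for _ in range(n)]
    pubkeys = [y for _, y in keys]
    m = message                                   # assumption: m = M
    while True:
        sigs = []
        for x, y in keys:
            r, s = sign_individual(m, x)
            # each recipient recovers m' and compares H(m') with the sent H(M)
            if h(recover_individual(r, s, y)) != h(message):
                raise RuntimeError("individual signature rejected")
            sigs.append((r, s))
        try:
            R, S = combine(sigs, m)
            break
        except ValueError:
            continue
    m_prime = recover_multisig(R, S, pubkeys)
    return {"R": R, "S": S, "recovered": m_prime,
            "valid": h(m_prime) == h(message), "pubkeys": pubkeys}


if __name__ == "__main__":
    print(run_protocol(777, 4))
```

With the constructed keys X_1 = 3 (Y_1 = 8) and X_2 = 7 (Y_2 = 128), nonces k_1 = 5 and k_2 = 11, and m = 100, the individual signatures are (640, 638) and (10, 6), the combined pair is (R, S) = (437, 698), and both the individual recoveries and the group recovery with Y = 8·128 mod 1019 = 5 return 100.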

After producing its individual signature on the message M, U_i returns (r_i, s_i) to the initiator U_1 and keeps the number k_i secret.

Multisignature generation phase
- Verification of the individual signatures:
For any received individual signature (r_i, s_i), where 2 ≤ i ≤ t, U_1 tries to recover the message m and verifies the authenticity of the individual signature (r_i, s_i) by using U_i's public key. U_1 recovers the message m by the following:

Y_i · λ_i^{L_i} · r_i · α^{r_i - s_i} (26)

  ≡ [α^{X_i} · α^{Ω_i L_i} · m · α^{-k_i} · α^{r_i - X_i + k_i - r_i - Ω_i L_i}] mod p
  ≡ m' mod p
where λ_i ≡ Π_{j=t+1}^{n} α^{f_j(z_i)} mod (p-1)

After recovering the message m' by equation (26), U_1 compares m' with the original message sent to U_i and checks whether the two agree. If they agree, the authenticity of the individual signature (r_i, s_i) is verified. When the individual signature passes verification, i.e. the message recovered from it agrees with the original message, U_1 recovers α^{-k_i} mod p from r_i by executing
r_i · m^{-1} ≡ [m · α^{-k_i} · m^{-1}] mod p ≡ α^{-k_i} mod p (27)

- Generation of the combined multisignature
Once all verified individual signatures have been received, U_1 computes all α^{-k_i}, R and S, defined as follows:
R ≡ [r_1 · α^{-k_2} · … · α^{-k_t} · α^{r_1} · … · α^{r_t}] mod p (28)
  ≡ [m · α^{-k_1 + r_1 - k_2 + r_2 - k_3 + r_3 - … - k_t + r_t}] mod p
  ≡ [m · α^{-(k_1 - r_1) - … - (k_t - r_t)}] mod p
S ≡ R^{-1} · [s_1 + s_2 + … + s_t] mod (p-1) (29)
The combined multisignature of U_1, U_2, …, U_{t-1} and U_t on the message M is then (R, S, H(M)). U_1 sends the multisignature to the verifier.

Multisignature verification phase
On receiving the combined multiple digital signature (R, S, H(M)) on the message M, an external verifier must verify the authenticity of the multisignature using the public keys Y_i of all signers (where 1 ≤ i ≤ t) and recover the message m from the multisignature. The group public key Y associated with all signers is determined by equation (30).
Y ≡ Π Y_i mod p, where 1 ≤ i ≤ n (30)
The recovery and verification procedure is as follows:
Step 1: Compute
Y · R · α^{-SR} (31)
  ≡ [α^{X_1 + … + X_t + X_{t+1} + … + X_n} · m · α^{-k_1 + r_1 - k_2 + r_2 - … - k_t + r_t} · α^{-X_1 + k_1 - r_1 - X_2 + k_2 - r_2 - … - X_t + k_t - r_t - …}] mod p
  ≡ m' mod p
Step 2: Decrypt m' into the plaintext M' and check whether the M' recovered by equation (31) satisfies the equation H(M') = H(M) mod p. If M' satisfies it, the authenticity of the combined multisignature is verified.

Security analysis of the efficient multisignature scheme with message recovery
The attacks that the multisignature scheme with message recovery of the invention may suffer fall, according to the analysis, into three types. The first type aims to obtain the private key of a group member. The second type aims to forge a signature (r_i, s_i) or any multisignature (R, S). The third type aims to disclose the message carried in the signature.

Attacks aimed at obtaining a private key
Attack 1: an attempt to obtain a signer's private key.
There are three possible ways to obtain the private key of a group member:
1. Recover X_i directly from Y_i. Since Y_i ≡ α^{X_i} mod p, recovering the private key X_i of member U_i from the corresponding public key Y_i amounts to solving the discrete logarithm problem.
2. Determine X_i from the set of multisignatures produced by U_i. By collecting the multisignatures {(r_{i,1}, s_{i,1}), (r_{i,2}, s_{i,2}), …, (r_{i,w}, s_{i,w})} produced by U_i on w different messages, an intruder might try to solve the w equations of the form s_{i,j} ≡ X_i - (k_{i,j} - r_{i,j}) mod (p-1) (where 1 ≤ j ≤ w). Since there are w+1 unknowns (each multisignature uses a different secret k_{i,j}), the system of equations is underdetermined and the private key of U_i is safe.
3. Recover some secret k_{i,j} and then determine X_i from it. An intruder may try to recover some k_{i,j} directly from α^{-k_{i,j}}, or to determine k_{i,j} by solving the above system of equations s_{i,j} ≡ X_i - (k_{i,j} - r_{i,j}) mod (p-1). If an intruder could obtain some secret number k_{i,j}, X_i could be determined by solving the equation s_{i,j} ≡ X_i - (k_{i,j} - r_{i,j}) mod (p-1). Although anyone may be able to collect a set of multisignatures produced by U_i, computing any secret number k_{i,j} by solving that system of equations is infeasible, because there is one more unknown than there are equations. On the other hand, recovering the number k_{i,j} from α^{-k_{i,j}} mod p amounts to solving the discrete logarithm problem.

Attack 2: conspiracy
When the private keys of some members are disclosed, or a group of legitimate members conspire, the question is whether the private key of any other member is leaked. Suppose a group of legitimate members (U_{u,1}, U_{u,2}, …, U_{u,t}) conspire (where 2 ≤ t ≤ n-1), or the private keys of that group have been disclosed. In that situation, the private keys X_{u,j} and the secret numbers k_{u,j} of these members (where 1 ≤ j ≤ t) are no longer secure. If the conspirators or the intruder want to obtain the private key of another member, the only methods available to them are those described under attack 1. Therefore, even though a member's private key is leaked or a group of legitimate members conspire, the security of the other members is not compromised.

Attacks aimed at forging a signature
Attack 3: a forger may try, using public information only, to forge an individual signature (r_i, s_i) of the first signer U_i, where 1 ≤ i ≤ n, or to forge a multisignature (R, S) on any known message M signed by the signers U_i.
There are three ways to forge an individual signature (r_i, s_i) or a multisignature (R, S):
If a forger fixes M and r_i and wants to compute a value s_i satisfying M ≡ Y_i · r_i · α^{r_i - s_i} mod p, computing s_i amounts to solving the discrete logarithm problem.
If a forger fixes M and s_i and wants to compute a value r_i satisfying s_i ≡ X_i - (k_i - r_i) mod (p-1), computing r_i amounts to obtaining the private key X_i or the random secret described under attack 1.
The following attack is called the substitution attack and is analysed as follows.
Attack 4: forgery has a stronger form, in which a forger who knows a message M with its corresponding signature can produce valid signatures for some messages of the special form M' ≡ M · α^e mod p. Although the resulting value M' cannot be controlled, this stronger form of forgery is harmful to all ElGamal-type schemes and to RSA; the usual countermeasure is a one-way hash function or a redundancy scheme. How the substitution attack affects the combined multisignature construction is described below.
A forger may first choose any two integers A and B in Z_p and compute
R' ≡ M · α^{-AB} mod p
e = A · (R' - B)
Let S' = A; then the pair (R', S') is a combined multisignature on the message M' ≡ M · α^e mod p. When any verifier receives (R', S'), it can recover M' from the multisignature by executing
Y · R' · α^{-S'R'} ≡ [Y · M · α^{-AB} · α^{-AR'}] mod p ≡ [M · α^{A(R' - B)}] mod p ≡ [M · α^e] mod p ≡ M' mod p
In this way a forger can pose as an initiator and use a similar computation to produce a forged but valid basic signature on some uncontrolled message. Therefore, even though individual signatures cannot be forged, the scheme still needs a one-way hash function or a suitable redundancy scheme to prevent this kind of attack.

Attacks that disclose the message
Attack 5: disclosure of the signed message
The multisignature scheme with message recovery proposed by the invention does not guarantee the privacy of the signed message. For example, anyone who can intercept the individual signature (r_i, s_i) of U_i or the multisignature (R, S) can recover the original message M by the steps of equation (6) or (11) with the public information p, α, Y_1, …, Y_n.
The reason for proposing a scheme without data protection is that many applications of digital signatures allow the content of the message to be revealed. If the privacy of the signed message matters, only an additional encryption procedure is needed to strengthen the proposed scheme.
The encryption procedure is straightforward: in short, the sender U_i encrypts its individual signature element r_i with the public key Y_j of the receiver U_j:

c_i ≡ [(Y_j)^{-(k_i - r_i)} · r_i] mod p
That is, the original signature (r_i, s_i) is replaced by (c_i, s_i). When U_j receives the signature, U_j recovers r_i by the following steps:
Step 1: Compute
[Y_i · α^{-s_i}] mod p = [α^{X_i} · α^{-[X_i - (k_i - r_i)]}] mod p = α^{(k_i - r_i)} mod p
Step 2: Compute
(α^{(k_i - r_i)})^{X_j} mod p ≡ (α^{X_j})^{(k_i - r_i)} mod p = (Y_j)^{(k_i - r_i)} mod p
Step 3: Recover r_i from c_i by executing
[(Y_j)^{(k_i - r_i)} · c_i] mod p = (Y_j)^{(k_i - r_i)} · (Y_j)^{(-k_i + r_i)} · r_i mod p ≡ r_i mod p
Thus U_j obtains the original signature (r_i, s_i), recovers the message M according to Section 3.1, and authenticates the signature. Since only U_j holds the private key X_j, an interceptor cannot decrypt r_i by the three steps above, so the signed message M remains confidential.

Security analysis of the (t, n) threshold multisignature scheme with message recovery
Clearly, the threshold scheme proposed by the invention resists the same attacks as above; that is, the attacks that obtain secret information, forge signatures or disclose the message are all prevented.
Moreover, by equation (25), an attacker who wants to impersonate a legitimate member U_i to produce an individual signature (r_i, s_i) must first know the secret key of U_i and the secret shadows f_j(z_i), where 1 ≤ j ≤ n and j ≠ i. This attack is hard, because obtaining f_j(z_i) from the public information amounts to solving the discrete logarithm problem.

Comparison

The functionality and communication cost of the scheme of the invention are compared here with the prior art. In Harn's parallel multisignature scheme, if n participants are required to sign a message, each participant must compute a fresh value r_i for signing and send the newly signed message to all other participants. Sending the signed message between every pair of signers requires messages of order …. Because the fresh value r_i used to sign a message must be sent to all other signers, the signers must be determined in advance. This requirement therefore limits the use of that scheme.

Harn's (t, n) threshold scheme is similar to Harn's multisignature scheme. The t signers must be determined in advance, and the number of messages required for exchanging the fresh values among the t signers is of order …. This requirement limits the use of Harn's (t, n) threshold scheme in mobile networks, where some signers may be unreachable because of mobile node or communication link failures. In a mobile network it is somewhat impractical to ask a mobile application to determine the t signers in advance; instead, the mobile application must dynamically determine which signers are online in order to select the t signers.

Langford提出兩種機制。第一種門檻機制需要一信任金鑰 (trusted key)產生中心以預先計算與儲存用於每一個別簽章 之分享部分。雖然單獨點(single point)失敗之風險能藉由採 用多重信任中心而會有所降低,但信任中心可能仍會成爲實施 之瓶頸或侵害點。此外,該機制假設係存在一用於該信任中心 之安全通道,用以使用一安全方式去分配秘密分享部分給簽署 者。於簽章產生階段時,建構該安全通道係需要額外安全協定 /結構之配合。該門檻(ί,/7)多重簽章機制會由於行動網路中 之頻繁的節點或連結之失敗,而有使用上之困難。於此情況 中,某些簽署者或該信任中心本身可能就無法連線。 於第二種機制中,信任中心被移除,但一組合者 (combiner·)係仍需要集合與整合個別簽章。該機制也假設該 安全通道之存在,該通道係藉由額外安全協定或技巧,用以作 1248744 訊息之交換。於該機制中,一預先決定之分發群體係%要協助 該分享部分之產生,而且於所有簽署者間,用以簽#所交換之 訊息數量係於數量級中。爲實現〖-out-of-zT之安全性,需 要〆V"位簽署者參與簽署過程。當起始點(author point)超 出界限時,該需求使第二種機制對於一大t而言變得不切實 際,因爲,必須小於或等於r値。 比較其他機制,本發明所提出之第一種多重簽章機制係叉•-援訊息還原能力,並且允許以動態方式決定簽署者。而除了簽 章產生階段需要數量級訊息外,並不需任何簽署訊息於 每一對簽署者間做交換。該機制也被延伸使用到支援行動網路 之群體簽章。 習知的多重簽章機制與門檻多重機制於不可靠之網路中 係不可實施如:行動網路,因爲於該機制中之所有簽署者必須 預先被決定,而且每一簽署者必須接收所有簽署者之簽署訊 息。於不可靠網路中,某些簽署者或許於一特定時間內無法連 線。而經比較後,本發明所提出之(t,η)門檻多重簽章機制 於行動網路中之表現係有效率,因爲該簽署者不需被預先決 定,而且通訊連結與主機失敗之原因係能夠被容許。而一法定 簽名人數之回覆係已足夠一門檻多重簽章之建構。 該比較結果係於表格1中作總結。最上面一列係列舉七種 不同種類之機制’其中包括了三種多重簽章機制與四種(ί,77) 門檻多重簽章機制。該表格中之每一個輸入指示了有關於一估 算標準之一機制特性。表格中使用項目之定義如下: 31 1248744 η 參與%人數 t 連線^署者之門檻人數 MS i重簽章機制 TMS 門檻多重簽章機制 MR 訊息還原 TC 信任中心 其中所比較之先前技術分別爲:Langford proposed two mechanisms. The first threshold mechanism requires a trusted key generation center to pre-compute and store the shared portion for each individual signature. While the risk of failure of a single point can be reduced by the use of multiple trust centers, the trust center may still be a bottleneck or a point of compromise. In addition, the mechanism assumes that there is a secure channel for the trust center to use a secure way to distribute the secret sharing portion to the signer. At the sign-in stage, the construction of this secure channel requires an additional security agreement/structure. This threshold (ί, /7) multiple signature mechanism can be difficult to use due to the failure of frequent nodes or links in the mobile network. In this case, some signers or the trust center itself may not be able to connect. 
In the second mechanism, the trust center is removed, but a combiner still needs to assemble and integrate individual signatures. The mechanism also assumes the existence of the secure channel, which is used to exchange 1248744 messages through additional security protocols or techniques. In this mechanism, a pre-determined distribution group system is required to assist in the generation of the sharing part, and the number of messages exchanged between # and all signers is in the order of magnitude. In order to achieve the security of [-out-of-zT, a V" signer is required to participate in the signing process. When the author point exceeds the limit, this requirement makes the second mechanism impractical for a large t because it must be less than or equal to r値. Comparing other mechanisms, the first multiple signature mechanism proposed by the present invention is a fork-and-request reduction capability and allows the signer to be determined dynamically. In addition to the number of levels of information required in the signature phase, no signing information is required to be exchanged between each pair of signers. This mechanism has also been extended to support group signatures for mobile networks. Conventional multiple signature mechanisms and thresholds are not enforceable in unreliable networks such as mobile networks because all signatories in the mechanism must be pre-determined and each signer must receive all signatures. Signing the message. In an unreliable network, some signers may not be able to connect for a certain period of time. After comparison, the (t, η) threshold multiple signature mechanism proposed by the present invention is effective in the mobile network because the signer does not need to be predetermined, and the reason for the communication link and the host failure is Can be tolerated. The response to a statutory signature is sufficient for the construction of multiple signatures. 
The comparison is summarized in Table 1. The top row lists seven schemes: three multisignature schemes and four (t, n) threshold multisignature schemes. Each entry states how one scheme rates on one evaluation criterion. The terms used in the table are defined as follows:

n    number of participating signers
t    threshold number of online signers
MS   multisignature scheme
TMS  threshold multisignature scheme
MR   message recovery
TC   trust center

The prior-art schemes compared are:

[1] L. Harn, "Group-oriented (t, n) threshold digital signature scheme and digital multisignature," IEE Proc. Computers and Digital Techniques, Vol. 141, No. 5, pp. 307-313, Sep. 1994.

[2] L. Harn, "New digital signature scheme based on discrete logarithm," Electronics Letters, Vol. 30, No. 5, pp. 396-398, Mar. 1994.

[3] S. K. Langford, "Threshold DSS signatures without a trusted party," Advances in Cryptology - CRYPTO '95, Springer-Verlag, pp. 397-409, 1995.

Reference is now made to the fourth figure, a table comparing the different multisignature schemes. As the table shows, the proposed scheme provides message recovery, and the size of the transmitted signature does not grow with the number of signers. Because signing messages need not be exchanged among the participants, the total communication cost of the proposed scheme is lower than that of the other schemes. The (t, n) threshold multisignature scheme of this invention is therefore the group authorization mechanism best suited to mobile network applications.

Although the invention has been described with reference to its preferred embodiments, they do not limit it. Those skilled in the art may make various modifications and changes without departing from the spirit and scope of the invention as claimed; the scope of protection is that defined by the appended claims.

Brief description of the drawings:

The first figure shows a table describing prior-art digital signature schemes.
The second figure shows a table describing the multisignature scheme with message recovery according to the invention.
The third figure shows a table describing the threshold multisignature scheme with message recovery according to the invention.
The fourth figure shows a table comparing the different multisignature schemes.

Claims (1)

1. A computer-implemented method for a multisignature scheme with message recovery, for generating and verifying digital signatures, wherein the system parameters are a large prime p, a base α and a one-way hash function H; several signers produce, one after another, digital signatures on a message m; and each signer i chooses a private key X_i at random in (0, p-1) such that gcd(X_i, p-1) = 1 and computes Y_i ≡ α^{X_i} (mod p) as its public key. The method comprises the steps:

(1) The initial signer signs a message M that carries suitable redundancy: M is encrypted under the initial signer's private key X_1 to give the ciphertext m; a random number k_1 is chosen in [1, p-1]; and the signer computes
      r_1 ≡ m · α^{-k_1} (mod p),
      s_1 ≡ X_1 - (k_1 - r_1) (mod p-1),
    then sends (r_1, s_1, H(M)) to all other signers.

(2) Each signer i, 2 ≤ i ≤ n, recovers the ciphertext, here written m', as
      m' ≡ Y_1 · r_1 · α^{r_1 - s_1} (mod p),
    and verifies the authenticity of the signature (r_1, s_1) with the initial signer's public key.

(3) Signer i, 2 ≤ i ≤ n, having received (r_1, s_1, H(M)), chooses a random k_i in [1, p-1], computes
      r_i ≡ m · α^{-k_i} (mod p),
      s_i ≡ X_i - (k_i - r_i) (mod p-1),
    and returns (r_i, s_i) to the initial signer.

(4) For every individual signature (r_i, s_i) received, 2 ≤ i ≤ n, the initial signer recovers the ciphertext as Y_i · r_i · α^{r_i - s_i} (mod p) and verifies the authenticity of (r_i, s_i) with signer i's public key.

(5) The initial signer computes
      R ≡ m · α^{-(k_1 - r_1) - (k_2 - r_2) - … - (k_n - r_n)} (mod p),
      S ≡ R^{-1} · (s_1 + s_2 + … + s_n) (mod p-1),
    forms the multisignature (R, S, H(M)) of the n signers on M, and sends it to an external verifier.

(6) The external verifier checks the authenticity of the combined multisignature (R, S, H(M)) received for M and recovers m from it with the public keys Y_i of all signers, 1 ≤ i ≤ n.

2. The computer-implemented method of claim 1, wherein step (2) further comprises: decrypting m' to the plaintext M' with the initial signer's public key; and, if M' satisfies H(M') ≡ H(M) (mod p), accepting the basic individual signature (r_1, s_1) as authentic.

3. The computer-implemented method of claim 1, wherein step (4) further comprises: accepting the individual signature (r_i, s_i) as authentic if the two messages agree, that is, if the message recovered from the individual signature equals the original message; and, once (r_i, s_i) is accepted, recovering α^{-k_i} from r_i by computing r_i · m^{-1} ≡ m · α^{-k_i} · m^{-1} ≡ α^{-k_i} (mod p).

4. The computer-implemented method of claim 1, wherein step (6) further comprises: determining the group public key Y ≡ Π Y_i (mod p), 1 ≤ i ≤ n; recovering m' ≡ Y · R · α^{-S·R} (mod p); decrypting m' to the plaintext M' with the initial signer's public key; and, if M' satisfies H(M') ≡ H(M) (mod p), accepting the signature as authentic.

5. A computer-implemented method for a (t, n) threshold multisignature scheme with message recovery, for generating and verifying digital signatures, wherein the system parameters are a large prime p, a base α and a one-way hash function H; several signers produce, one after another, digital signatures on a message m; and each signer i chooses a private key X_i at random in (0, p-1) such that gcd(X_i, p-1) = 1 and computes Y_i ≡ α^{X_i} (mod p) as its public key. The method comprises the steps:

(3) … verifying the authenticity of the signature (r_1, s_1) with the initial signer's public key, where the recovered ciphertext is written m'.

(4) Signer i, 2 ≤ i ≤ n, having received (r_1, s_1, H(M)), chooses a random k_i in [1, p-1], computes
      r_i ≡ m · α^{-k_i} (mod p),
      s_i ≡ X_i - (k_i - r_i) - Ω_i · L_i (mod p-1),
    and returns (r_i, s_i) to the initial signer, where Ω_i ≡ X_i · … (mod p-1) and L_i ≡ Π … (mod p-1).

(5) For every individual signature (r_i, s_i) received, 2 ≤ i ≤ t, the initial signer recovers the ciphertext from Y_i, L_i, r_i and α^{r_i - s_i} (mod p) and verifies the authenticity of (r_i, s_i) with signer i's public key.

(6) The initial signer computes
      R ≡ m · α^{-(k_1 - r_1) - … - (k_t - r_t)} (mod p),
      S ≡ R^{-1} · (s_1 + s_2 + … + s_t) (mod p-1),
    forms the multisignature (R, S, H(M)) on M, and sends it to an external verifier.

(7) The external verifier checks the authenticity of the combined multisignature (R, S, H(M)) received for M and recovers m from it with the public keys Y_i of all signers.

6. The computer-implemented method of claim 5, wherein step (3) further comprises: decrypting m' to the plaintext M' with the initial signer's public key; and, if M' satisfies H(M') ≡ H(M) (mod p), accepting the basic individual signature (r_1, s_1) as authentic.

7. The computer-implemented method of claim 5, wherein step (5) further comprises: accepting the individual signature (r_i, s_i) as authentic if the two messages agree, that is, if the message recovered from the individual signature equals the original message; and, once (r_i, s_i) is accepted, recovering α^{-k_i} from r_i by computing r_i · m^{-1} ≡ m · α^{-k_i} · m^{-1} ≡ α^{-k_i} (mod p).

8. The computer-implemented method of claim 5, wherein step (7) further comprises: determining the group public key Y ≡ Π Y_i (mod p) over the signers; recovering m' ≡ Y · R · α^{-S·R} (mod p); decrypting m' to the plaintext M' with the initial signer's public key; and, if M' satisfies H(M') ≡ H(M) (mod p), accepting the signature as authentic.
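The signing round of claim 1, as an added worked example in Python; this is not code from the patent or its inventor. It implements the equations as they read once the extraction noise is removed: r_i ≡ m · α^{-k_i} (mod p), s_i ≡ X_i - (k_i - r_i) (mod p-1), per-signer recovery m ≡ Y_i · r_i · α^{r_i - s_i} (mod p), R ≡ m · α^{-Σ(k_i - r_i)} (mod p), S ≡ R^{-1} · Σ s_i (mod p-1) and final recovery m ≡ Y · R · α^{-S·R} (mod p) with Y = Π Y_i. Everything the text leaves open is an assumption of this example: the toy prime p = 1019 with base α = 2, SHA-256 reduced mod p as H, the stand-in m = M · Y_1 mod p for "M encrypted under X_1" (so "decrypting with Y_1" is a multiplication by Y_1^{-1}), and a retry with fresh nonces when R has no inverse mod p-1, a case the text does not address even though S needs R^{-1} mod (p-1).

```python
import hashlib
import random
from math import gcd

# Toy parameters (assumption, illustration only): 1019 is a safe prime and
# 2 generates Z_p^*. A real deployment needs a large prime and a vetted hash.
P = 1019
ALPHA = 2


def h(x: int) -> int:
    """Stand-in for the one-way hash H: SHA-256 of the decimal string, mod p."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % P


def keygen(rng: random.Random):
    """Private key X with gcd(X, p-1) = 1; public key Y = alpha^X mod p."""
    while True:
        x = rng.randrange(1, P - 1)
        if gcd(x, P - 1) == 1:
            return x, pow(ALPHA, x, P)


def sign_individual(m: int, x: int, rng: random.Random):
    """Individual signature on m: r = m*alpha^-k mod p, s = X - (k - r) mod (p-1)."""
    k = rng.randrange(1, P - 1)
    r = m * pow(ALPHA, -k, P) % P
    s = (x - (k - r)) % (P - 1)
    return r, s


def recover_individual(r: int, s: int, y: int) -> int:
    """Message recovery from one signature: m = Y * r * alpha^(r - s) mod p."""
    return y * r * pow(ALPHA, (r - s) % (P - 1), P) % P


def combine(m: int, sigs):
    """Initial signer (who knows m) builds (R, S). alpha^-k_i is read off as
    r_i * m^-1, so R = m * alpha^-(sum of (k_i - r_i)) and S = R^-1 * sum(s_i)
    mod (p-1). Returns None when R has no inverse mod p-1 (assumed handling:
    the caller retries with fresh nonces; the text does not cover this case)."""
    m_inv = pow(m, -1, P)
    R = m
    for r, _ in sigs:
        a_neg_k = r * m_inv % P                  # alpha^-k_i
        R = R * a_neg_k * pow(ALPHA, r, P) % P   # times alpha^-(k_i - r_i)
    if gcd(R, P - 1) != 1:
        return None
    S = pow(R, -1, P - 1) * sum(s for _, s in sigs) % (P - 1)
    return R, S


def recover_multisig(R: int, S: int, pubkeys) -> int:
    """External verifier: m = Y * R * alpha^(-S*R) mod p with Y = prod(Y_i)."""
    Y = 1
    for y in pubkeys:
        Y = Y * y % P
    return Y * R * pow(ALPHA, (-S * R) % (P - 1), P) % P


def recover_plaintext(R: int, S: int, pubkeys) -> int:
    """'Decrypt with the initial signer's public key' stand-in: m * Y_1^-1 mod p."""
    return recover_multisig(R, S, pubkeys) * pow(pubkeys[0], -1, P) % P


def run_round(M: int, keys, rng: random.Random, max_tries: int = 64):
    """One full round of claim 1; keys[0] is the initial signer.
    Returns (R, S, H(M)) or raises when a check fails."""
    x1, y1 = keys[0]
    m = M * y1 % P        # stand-in for 'M encrypted under X_1' (assumption)
    hM = h(M)
    for _ in range(max_tries):
        r1, s1 = sign_individual(m, x1, rng)          # step (1)
        sigs = [(r1, s1)]
        for xi, _ in keys[1:]:
            # step (2): signer i recovers m from (r1, s1) and checks H(M)
            m_i = recover_individual(r1, s1, y1)
            if h(m_i * pow(y1, -1, P) % P) != hM:
                raise ValueError("initial signature rejected")
            sigs.append(sign_individual(m_i, xi, rng))   # step (3)
        # step (4): the initial signer checks every returned (r_i, s_i)
        for (ri, si), (_, yi) in zip(sigs[1:], keys[1:]):
            if recover_individual(ri, si, yi) != m:
                raise ValueError("individual signature rejected")
        combined = combine(m, sigs)                     # step (5)
        if combined is not None:
            return combined[0], combined[1], hM
    raise RuntimeError("no invertible R found after retries")


if __name__ == "__main__":
    rng = random.Random(7)
    keys = [keygen(rng) for _ in range(4)]
    R, S, hM = run_round(321, keys, rng)
    pubs = [y for _, y in keys]
    print(h(recover_plaintext(R, S, pubs)) == hM)   # step (6)
```

Two points worth keeping in mind when reading the code against the claims. With p-1 = 2·509 about half of all R values are even and have no inverse mod p-1, so the retry in `combine` is exercised constantly in the toy setting; with a full-size p the same check is still needed, and a verifier should reject any (R, S) with gcd(R, p-1) ≠ 1 rather than guess. Recovery in every step uses only public keys, so the "ciphertext" m is readable by anyone who sees a signature: message recovery here is an authenticity property, and the H(M) comparison in steps (2) and (6) is what actually binds the recovered value to the signed message.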
TW92105426A 2003-03-13 2003-03-13 Multisignature scheme with message recovery for group authorization in mobile networks TWI248744B (en)

Publications (2)

Publication Number Publication Date
TW200418297A TW200418297A (en) 2004-09-16
TWI248744B true TWI248744B (en) 2006-02-01

Family

ID=37429193


Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101288260A (en) 2005-01-27 2008-10-15 美商内数位科技公司 Method and system for deriving an encryption key using jointrandomness not shared by others
US8280046B2 (en) 2005-09-12 2012-10-02 Interdigital Technology Corporation Method and system for deriving an encryption key using joint randomness not shared by others
US11671255B2 (en) * 2017-08-15 2023-06-06 Nchain Licensing Ag Threshold digital signature method and system



Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees