ID-based Serial Multisignature Scheme using
Bilinear Pairings
⋆
Raju Gangishetti, M. Choudary Gorantla, Manik Lal Das,
Ashutosh Saxena and Ved P. Gulati
Institute forDevelopment and Research in Banking Technology
Castle Hills, Road #1, Masab Tank, Hyderabad 500057, AP, INDIA.
Abstract. This paper presents an ID-based serial multisignature scheme using
bilinear pairings. We use Hess’s ID-based signature scheme as the base scheme
for our multisignature scheme. Our scheme requires a forced verification at every
level to avoid the overlooking of the signatures of the predecessors. We show that
the scheme is secure against existential forgery under adaptive chosen message
attack in the random oracle model.
1 Introduction
Shamir [18] introduced the concept of ID-based cryptosystems where, a user’s public
key could be easily derived from his identity and the user’s private key is generated
by a trusted third party called Private Key Generator (PKG). ID-based cryptosystems
are advantageous over the traditional public key cryptosystems (PKCs), as key distrib-
ution and revocation are not required. A verifier can verify a signature just by using the
signer’s identity.
In day-to-day life, many legal documents require signatures from more than one
party e.g. contracts, decision making processes, petitions etc. To meet these require-
ments in the digital environment, cryptography provides a mechanism known as mul-
tisignature. A multisignature scheme provides:
– multiple signers to generate a signature for a single message
– a convincing mechanism to the verifier that each stated signer had signed the mes-
sage.
A multisignature scheme is practicable when the size of the multisignature by n signers
is less than the total size of n signatures in the single signature scheme, on which the
multisignature scheme is based. Accordingly, the verification cost gets reduced.
Based on the nature of applications, the multisignatures have been categorized into
two types: serial and parallel. In serial multisignature, a signer signs the message and
sends it to the next signer for further processing; the next signer after verifying his
⋆
This work is supported in part by the Ministry of Communications and Information Technol-
ogy, Govt. of India, under the grant no. 12(35)/05-IRSD.
Gangishetti R., Choudary Gorantla M., Lal Das M., Saxena A. and P. Gulati V. (2005).
ID-based Serial Multisignature Scheme using Bilinear Pairings.
In Proceedings of the 3rd International Workshop on Security in Information Systems, pages 40-47
DOI: 10.5220/0002559100400047
Copyright
c
SciTePress
predecessor’s signature, signs the received signed component. The message signing is
considered complete when the last signer’s signature is appended. In the case of parallel
multisignature, the signature of each signer is carried out on the content of the message
but not on the signatures of the other signers. Many financial transactions require serial
multisignatures and verification at each level like maker-checker, wherein the maker,
checker and approval concept is being followed in a sequence and every signer is logi-
cally forced to verify his immediate predecessor’s signature. Our scheme, presented in
this work requires a forced verification at every level to avoid the overlooking of the
signatures of the predecessors.
In this paper, we propose an ID-based serial multisignature scheme using bilin-
ear pairings. We use Hess’s ID-based signature scheme [8] as the base scheme for our
multisignature scheme. The scheme is secure against existential forgery under adap-
tive chosen message attack in the random oracle model assuming weak Deffie-Helman
problem is hard.
The rest of the paper is organized as follows. In Section 2, we briefly review the
related works. In Section 3, we describe background concepts on bilinear pairings and
some related mathematical problems. In Section 4, we present our proposed serial mul-
tisignature scheme and analyze the scheme in Section 5. Finally, we conclude the paper
in Section 6.
2 Related Work
In 1983 Itakura and Nakamura [10] first introduced the notion of multisignature. Since
then, several schemes [2], [5], [7], [9], [11]-[13], [15]-[17] for multisignatures have
been proposed. The proposal of [7] was cryptanalyzed by [9]. Ohta et al. [15] pro-
posed a scheme to avoid the restriction on the signing order. The security analysis of the
scheme [16] does not consider the key generation phase. A formal notion of security for
multisignature was proposed by Micali et al.[13]. Then, Lin et al.[12] proposed a struc-
tured multisignature scheme from the Gap-Diffie-Hellman group. Recently, Boldyreva
[2] proposed a generic notion of security for multisignature scheme based on bilinear
pairings. In 2001 Lin et al. [11] proposed ID-based structured multisignature scheme
on which successful attack was carried out by Mitchell [14]. In 2003, Chen et al.[6]
proposed a multi proxy signature scheme using parallel multisignatures.
3 Background Concepts
In this section, we briefly review the basic concepts on bilinear pairings and some re-
lated mathematical problems.
3.1 Bilinear Pairings
Let G
1
be an additive cyclic group of prime order q, G
2
be a multiplicative cyclic
group of the same order and P be a generator of G
1
. A bilinear map e is defined as
e : G
1
× G
1
→ G
2
with the following properties:
41
Bilinear: e(aR, bS) = e(R, S)
ab
∀R, S ∈ G
1
and a, b ∈ Z
∗
q
. This can be restated as
∀R, S, T ∈ G
1
, e(R + S, T ) = e(R, T )e(S, T ) and e(R, S + T ) = e(R, S)e(R, T ).
Non-degeneracy: If P is a generator of G
1
, then e(P, P ) is a generator of G
2
. In other
words e(P, P ) 6= 1.
Computable: There exists an efficient algorithm to compute e(R, S) ∀R, S ∈ G
1
.
In general implementation, G
1
will be the group of points on an elliptic curve and
G
2
will denote a multiplicative subgroup of a finite field. Typically, the mapping e will
be derived from either the Weil or the Tate pairing on an elliptic curve over a finite field.
We refer to [3] for more comprehensive description on how these groups, pairings and
other parameters are defined.
3.2 Computational Problems
Now, we give some computational problems, which will form the basis of security for
our schemes.
Discrete Logarithm Problem (DLP): Given two elements R, S ∈ G
1
, find an integer
n ∈ Z
∗
q
, such that S = nR whenever such an integer exists.
Computational Diffie-Hellman Problem (CDHP): For any a, b ∈ Z
∗
q
, given < P , aP ,
bP >, compute abP .
Decisional Diffie-Hellman Problem(DDHP): For any a, b, c ∈ Z
∗
q
, given < P , aP , bP ,
cP >, decide whether c ≡ ab mod q.
Bilinear Diffie-Hellman Problem (BDHP): For any a, b, c ∈ Z
∗
q
, given < P , aP , bP ,
cP >, compute e(P, P )
abc
.
Gap Diffie-Hellman Problem(GDHP): A class of problems where CDHP is hard while
DDHP is easy.
Weak Diffie-Hellman Problem(WDHP): For S ∈ G
1
and for some a ∈ Z
∗
q
, given
< P, S, aP > compute aS.
4 Proposed Serial Multisignature Schemes
The entities involves in our scheme are the Private Key Generator (PKG), set of Sign-
ers S and the Verifier V. The proposed serial multisignature scheme consists of four
phases: Setup, Private Key Extraction, Multisignature Generation and Multisignature
Verification.
4.1 Setup
PKG publishes system parameters params={G
1
, G
2
, e, q, P, P
pub
, H, h}, here G
1
is
a cyclic additive group and G
2
is a cyclic multiplicative group with prime order q.
P (∈ G
1
) is a generator of G
1
, e : G
1
× G
1
→ G
2
is a bilinear map between the groups
G
1
and G
2
, H : {0, 1}
∗
→ G
∗
1
and h : {0, 1}
∗
× G
2
→ Z
∗
q
where G
∗
1
= G
1
\ {0}
are the cryptographic hash functions. P
pub
= s
0
P is the public key of the PKG where
s
0
∈ Z
∗
q
is master secret of the PKG.
42
4.2 Private Key Extraction
Let the set of n Signers with identities I={ID
1
, ID
2
,...,ID
n
} ∈ {0, 1}
∗
. For the signer
with ID
i
the public key Q
ID
i
= H(ID
i
) and the private key is S
ID
i
= s
0
Q
ID
i
.
4.3 Multisignature Generation
In this phase n signers with identities {ID
1
, ID
2
,...,ID
n
} ∈ {0, 1}
∗
sequentially gener-
ate the multisignature and the final signer sends it to the verifier. To have a multisigna-
ture on message m, without losing the generality we present it in following stages.
Signature generation by First Signer: To sign a message m the first signer, picks a
random integer k
1
∈
R
Z
∗
q
and computes
r
′
1
= e(P, P )
k
1
r
1
= r
′
1
c
1
= h(m, r
1
)
u
1
= c
1
S
ID
1
+ k
1
P
The signature by the first signer is the tuple hu
1
, c
1
i ∈ (G
1
, Z
∗
q
) and sends to the second
signer along with the message m.
Verification and Signature by intermediate (ith) Signer: The ith signer verifies the
signature hu
i−1
, c
1
, c
2
, ..., c
i−1
i received from (i − 1)th signer by computing
r
i−1
= e(u
i−1
, P )e(
i−1
X
j=1
c
j
Q
ID
j
, −P
pub
)
Accepts the signature if and only if c
i−1
= h(m, r
i−1
)
Signature generation by ith signer as follows, picks a random integer k
i
∈
R
Z
∗
q
then
computes
r
′
i
= e(P, P )
k
i
r
i
= r
i−1
r
′
i
c
i
= h(m, r
i
)
u
i
= u
i−1
+ c
i
S
ID
i
+ k
i
P
Then he sends the partial multisignature hu
i
, c
1
, c
2
, ..., c
i
i to the (i + 1)th signer. One
may note that ith signer cannot generate his signature without verifying the (i − 1)th
signers signatures, because for computing r
i
the ith signer has to extract r
i−1
from the
signature hu
i−1
, c
1
, c
2
, ..., c
i−1
i received. This confirms the correctness of the prede-
cessors signature.
43
Verification and Signature by the final(nth) Signer: The nth signer verifies the sig-
nature hu
n−1
, c
1
, c
2
, ..., c
n−1
i received from (n − 1)th signer by computing
r
n−1
= e(u
n−1
, P )e(
n−1
X
j=1
c
j
Q
ID
j
, −P
pub
)
Accepts the signature if and only if c
n−1
= h(m, r
n−1
)
Signature generation by nth signer as follows, picks a random integer k
n
∈
R
Z
∗
q
then
computes
r
′
n
= e(P, P )
k
n
r
n
= r
n−1
r
′
n
c
n
= h(m, r
n
)
u
n
= u
n−1
+ c
n
S
ID
n
+ k
n
P
Then he sends the final multisignature hu
n
, c
1
, c
2
, ..., c
n
i along with the message m to
the verifier.
4.4 Multisignature Verification
On receiving a signature hu
n
, c
1
, c
2
, ..., c
n
i and message m, the receiver verifies the
signature by computing
r
n
= e(u
n
, P )e(
n
X
i=1
c
i
Q
ID
i
, −P
pub
)
accepts the multisignature if and only if c
n
= h(m, r
n
)
5 Analysis
5.1 Correctness
The verification of the multisignature hu
n
, c
1
, c
2
, ..., c
n
i is justified by the following
equations:
e(u
n
, P )e(
n
X
i=1
c
i
Q
ID
i
, −P
pub
) = e(
n
X
i=1
(c
i
S
ID
i
+ k
i
P ), P )e(
n
X
i=1
c
i
Q
ID
i
, −P
pub
)
= e(
n
X
i=1
c
i
S
ID
i
, P )e(
n
X
i=1
k
i
P, P )e(
n
X
i=1
c
i
Q
ID
i
, −P
pub
)
= e(
n
X
i=1
c
i
Q
ID
i
, P
pub
)e(
n
X
i=1
k
i
P, P )e(
n
X
i=1
c
i
Q
ID
i
, −P
pub
)
= e(
n
X
i=1
k
i
P, P )
44
=
n
Y
i=1
e(P, P )
k
i
=
n
Y
i=1
r
′
i
= r
n
So, one can verify c
n
= h(m, r
n
)
5.2 Security
Here we first define the adversary for our scheme and then present the security analysis.
The adversary for our serial multisignature scheme (SMS) is defined with following
capabilities:
SMS-Adversary Given the system parameters params an adversary A
SMS
, which
can ask hash and signing queries, executes the following ∀j ∈ [1, l] with given l.
– An SMS adversary A
SMS
selects a message m
j
, the ith signer S
i
j
and the signer’s
identity ID
i
j
.
– Generates a valid partial multisignature hu
i
j
−1
, c
1
j
, c
2
j
, ..., c
i
j
−1
i by colluding with
S\S
i
j
,
– Sends hu
i
j
−1
, c
1
j
, c
2
j
, ..., c
i
j
−1
i to S
i
j
– Gets a valid partial multisignature hu
i
j
, c
1
j
, c
2
j
, ..., c
i
j
i from the S
i
j
.
We say that the SMS adversary A
SMS
is successful if after l iterations of these steps,
it can compute a multisignature for a message m such that m 6= m
j
and at least one ID
of the signers is not in ID
i
j
∀j ∈ [1, l].
Theorem 1: The scheme proposed in [8] is secure against existential forgery under
adaptive chosen message attack in the random oracle model.
Proof of the above theorem is also given in [8].
Theorem 2: The SMS is a secure serial multisignature scheme in the random oracle.
Proof: Let A
SMS
be a polynomial-time adversary for our SMS scheme and let A
HS
be
a polynomial-time adversary for our base scheme [8]. Utilizing the result of Theorem
1, we prove that our SMS is secure.
The idea behind this proof is that if A
SMS
manages to frame an honest signer by
constructing a valid multisignature on an arbitrary message without interacting with
this honest signer, then A
HS
can forge a previously unsigned message. A
HS
can query
the hash and signing oracles with an identity ID for any arbitrary message. Whenever
A
SMS
wants to get a valid multisignature scheme by framing an honest signer, it sends
the signing query to A
HS
. Then, A
HS
forwards the signing query to its signing oracle
using the identity and the partial multisignature given by A
SMS
. A
HS
returns the reply
back to A
SMS
. It is easy to see that A
SMS
will be successful in its attempts if the
reply from A
HS
is a valid signature. But, A
HS
generating a valid signature is a clear
contradiction to the result of the Theorem 1. Hence the proof.
45
6 Conclusion
With Hess’s ID-based signature scheme as the base, we have presented an ID-based
serial multisignature scheme using bilinear pairings. Our scheme requires a forced ver-
ification at every level, which avoids the overlooking of the signatures of all the pre-
decessors. Moreover, the verification cost does not increase exponentially like some of
the existing multisignature schemes. To the best of our knowledge there is no existing
secure serial ID-based multisignature scheme using pairings. We also proved that the
scheme is secure against existential forgery under adaptive chosen message attack in
the random oracle model.
References
1. Bellare, M., Rogaway, P.: Random Oracles are Practicle - a paradigm for designing efficient
protocols. In: First ACM Conference and Communications Security, ACM, 1993 62-73
2. Boldyreva, A.: Threshold Signatures, Multi Signatures and Blind Signatures Based on the
GDH group Signature Scheme. In: PKC 2003, Lecture Notes in Computer Science, Vol.
2567, Springer-Verlag, (2003) 31-46
3. Boneh, D., Franklin, M.: Identity Based Encryption from the Weil Pairing. SIAM Journal of
Computing, , 32(3), (2003) 586-615. Extended abstract In: Proceedings of CRYPTO 2001,
Lecture Notes in Computer Science, Vol. 2139, Springer-Verlag, (2001) 213-229.
4. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Asiacrypt
2001, Lecture Notes in Computer Science, Vol. 2248, Springer-Verlag, (2002) 514-532.
5. Boyd, C.: Digital Multisignatures. Cryptography and Coding, Oxford University Press,
(1989), 241-246.
6. Chen, X., Zhang, F., Kim, K.: ID-based Multi-Proxy Signature and Blind Multisignature
from Bilinear Pairings. In: Proceedings of KIISC’2003, Korea (2003) 11-19.
7. Harn, L.: Group-oriented (t, n) threshold digital signature scheme and multisignature. In:
IEE Proceedings - Computers and Digital Techniques, 141(5), (1994) 307-313.
8. Hess, F.: An Efficient Identity Based Signature Schemes Based on Pairings.In: SAC 2002,
Lecture Notes in Computer Science, Vol. 2595, Springer-Verlag, (2002) 310-324.
9. Horster, P., Michels, M., Petersen, H.: Meta-Multisignatures Schemes Based on the Discrete
Logarithm Problem. In: IFIP/Sec 1995, (1995) 128-142.
10. Itakura, K., Nakamura, K.: A Public Key Cryptosystem Suitable for Digital Multi Signatures.
In: NEC Research and Development,(1983) 71:1-8.
11. Lin, C. Y., Wu, T. C., Hwang, J.: ID-based Structured Multi Signature Schemes. In: Ad-
vances in Network and Distributed Systems Security, Kluwer Academic publishers (IFIP
Conference Proceedings 206), Boston (2001) 45-59.
12. Lin, C. Y., Wu, T. C., Zhang, F.: A Structured Multi Signature Scheme from the GDH group.
In: Cryptology ePrint Archive, Report 2003/090, available at http://eprint.iacr.org/2003/090.
13. Micali, S., Ohta, K., Reyzin, L.: Accountable Subgroup Multi Signatures. In: ACM Confer-
ence on Computer and Communications Security, ACM,(2001) 245-254.
14. Mitchell, C. J.: An attack an ID-based nulti signature sheme. In: Royal Holloway, Univer-
sity of London, Mathematics Department Technical Report RHUL-MA-2001-9 (December
2001).
15. Ohata, T., Okamoto, T.: A digital multisignature scheme based on the FiatShamir scheme. In:
Asiacrypt 91, Lecture Notes in Computer Science, Vol. 739, Springer-Verlag, (1991) 75-79.
46
16. Ohta, K., Okamoto, T.: Multi Signature Scheme Secure Against Active Insider Attacks. IE-
ICE Transactions on Fundamentals of Electronics Communications and Computer Sciences,
E82-A(1),(1999) 21-31.
17. Okamoto, T.: A Digital Multi Signature Schema Using Bijective Public Key Crypto Systems.
ACM Transactions on computer systems, ACM, 6(4), (1988) 432-441.
18. Shamir, A.: ID-based Cryptosystems and Signature Schemes. In: Proceedings of Crypto 84,
Lecture Notes in Computer Science, Vol. 196, Springer, (1985) 47-53.
47
