![International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022
116
leaders. The problem is how to create a single digital signature [1-2] that represents this
collective. The requirement of digital signature-based authentication [3-4] for a multi-functional
collective is quite common in today's cyberspace. Both group signature protocols [5-9] and
collective signature [10] ones can be used to produce a unique signature for a group of multiple
signers, but they cannot be used to generate a common signature for a multi-level signing
collective as described above. The reason for this is that the group signature scheme [11] can only
create a common signature for each group, and the collective signature scheme [12] can only
generate a common signature for the group leaders and individual members, or for all collective
members [12]. Therefore, we propose a new type of multi-signature scheme, the representative
collective signature scheme, which is structured from the combination of the group signature
scheme and the collective signature scheme.
Two stages are required to create the representative collective signature. Firstly, the group
signature protocol is used to establish group signatures for each group of the collective. The
collective signature protocol is then used to generate collective signatures from each group and
every other individual. The final signature represents a signing collective made up of several
signing groups and individual signers, and it comprises the information of everyone who
participated in the formation of this signature.
Most of the digital signature schemes can be built based on a difficult problem or at the same
time two difficult problems [13-15]. In this article, we utilize Schnorr's digital signature standard
[16] to develop two types of representative collective signature schemes using two tough
challenges simultaneously. For the discrete logarithm problem [17-18], we use a specially
structured prime modulo, 𝑝 = 2𝑛 + 1, where 𝑛 = 𝑞′𝑞; 𝑞′ and 𝑞 are two large primes of
magnitude 512 bits, or 1024 bits, used as the signer's private key. When attempting to find 𝑞′ and
𝑞 from 𝑛, the factorization problem [19-20] is applied.
2. THE RELATED BASE DIGITAL SIGNATURE SCHEMES
The Schnorr digital signature protocol is built on the difficult problem of the discrete logarithm in
prime fields, with the input parameter set selected according to the DSA digital signature
standard, but without constraints on size and structure of 𝑝 and 𝑞. We propose a modification
from the Schnorr scheme by i) Choosing prime modulus with special structure, 𝑝 = 2𝑛 + 1,
where 𝑛 = 𝑞 𝑞; 𝑞 and 𝑞 are large prime numbers having the 512 bit size or more (the primes 𝑞
and 𝑞 are such that the value 3 does not divide 𝑞 − 1 nor 𝑞 − 1); ii) Change the expression for
calculating the value S in the the signature generation procedure and iii) Change the expression
𝑅∗
in the signature checking procedure (𝑆 is replaced by the parameter 𝑆 ). A new prime
modulus has been used for constructing the randomized signature security of which is based on
the factorization of the value 𝑛 = (𝑝 − 1)/2.
2.1. The Single Signature Scheme (The SDS-2.1 scheme)
In this scheme we select the parameter 𝛼 having the order 𝑛 𝑚𝑜𝑑𝑢𝑙𝑜 𝑝. The primes 𝑞 and 𝑞 are
elements of the private key.
We assume that the signer has a secret key 𝑥 (1 < 𝑥 < 𝑛 − 1), 𝑥 is chosen at random. The
private key of the signer is 𝑥. His/Her corresponding public key 𝑦: 𝑦 = 𝛼 𝑚𝑜𝑑 𝑝.
Let 𝐹 be a one-way hash function such as SHA-1 or SHA- 2, which produces the hash value 𝐻
from the document 𝑀: 𝐻 = 𝐹 (𝑀).](https://image.slidesharecdn.com/14222cnc07-220413114446/85/CONSTRUCTING-NEW-COLLECTIVE-SIGNATURE-SCHEMES-BASE-ON-TWO-HARD-PROBLEMS-FACTORING-AND-DISCRETE-LOGARITHM-2-320.jpg)
![International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022
118
𝑅∗
= 𝛼 𝑦 𝑚𝑜𝑑 𝑝
= 𝛼( )(𝛼 ) 𝑚𝑜𝑑 𝑝
= 𝛼 𝛼 𝑚𝑜𝑑 𝑝
= 𝛼 𝑚𝑜𝑑 𝑝 = 𝑅
Since 𝑅∗
= 𝑅 so 𝐸∗
= 𝐸 (𝐸∗
= 𝑅∗
𝐻 𝑚𝑜𝑑 = 𝑅𝐻 𝑚𝑜𝑑 = 𝐸) is always exists.
The correctness of the SDS.2-1 scheme has been proved.
The collective signature scheme described below (the CDS-2.2 scheme) is built on the basis of
this signature scheme (the SDS-2.1 scheme).
2.2. The Collective Signature Scheme (the CDS-2.2 scheme)
We assume that there are 𝑚 signers in the signing collective, 1 ≤ 𝑖 ≤ 𝑚, to sign the same
document 𝑀. Each signer randomly selects an integer 𝑥 from the interval [1, 𝑛 − 1] and
computes a corresponding public key: 𝑦 = 𝛼 𝑚𝑜𝑑 𝑝 (𝑥 is the secret key of the i-th user).
The collective signature scheme based on factoring and discrete logarithm problems (CDS-2.2) is
described as below:
The collective signature generation procedure on the document M
It includes the following steps:
1. Each signer selects a random number 𝑘 , 𝑘 ∈ [1, 𝑛 1], and then computes the value 𝑅 :
𝑅 = 𝛼 𝑚𝑜𝑑 𝑝 (7)
The signer sends Ri to all other signers in the signing collective.
2. One of the signers in the signing collective, or a element in the PKI system, calculates the
common randomization value 𝑅:
𝑅 = 𝑅 𝑚𝑜𝑑 𝑝
(8)
Anh calculates the first part of the collective signature:
𝐸 = 𝑅𝐻 𝑚𝑜𝑑 (9)
where is a large prime, || = 160 bits; and 𝐻 is a hash value of the document 𝑚.
The value 𝐸 is sent to all signers in the signing collective.
3. Each signer computes it’s a shared signature 𝑆 :
𝑆 = (𝑘 + 𝑥 𝐸) /
𝑚𝑜𝑑 𝑛. (10)
4. One of the signers in the signing collective, or a element in the PKI system, calculates the](https://image.slidesharecdn.com/14222cnc07-220413114446/85/CONSTRUCTING-NEW-COLLECTIVE-SIGNATURE-SCHEMES-BASE-ON-TWO-HARD-PROBLEMS-FACTORING-AND-DISCRETE-LOGARITHM-4-320.jpg)
![International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022
120
= 𝛼 𝑚𝑜𝑑 𝑝
= 𝑅 𝑚𝑜𝑑 𝑝 = 𝑅
Since 𝑅∗
= 𝑅 so 𝐸∗
= 𝐸 (𝐸∗
= 𝑅∗
𝐻 𝑚𝑜𝑑 = 𝑅𝐻 𝑚𝑜𝑑 = 𝐸) is always exists.
The correctness of the signature scheme has been proved.
It is easy to see that, in this scheme, none of the signers generates his/her individual signature.
The signer generates only its shared signature in the collective signature that corresponds exactly
to the given document M and to the assigned set of m users. Besides, it is computationally
difficult to manipulate with shares 𝑆 , 𝑆 , … , 𝑆 , and compose another collective digital
signature, relating to some different set of users.
3. THE PROPOSED SIGNATURE SCHEMES
In this part, we first construct a group signature scheme for a signing group of 𝑚 members using
the group signature protocol provided in [8]. Then, we utilize this scheme and the collective
signature scheme mentioned in section 2.2, as the basic schemes, to build two types of the
representative collective signature scheme: i) the collective signature for several signing groups
and ii) the collective signature for several individual signings and several signing groups
3.1. Constructing The Group Signature Scheme (GDS-3.1)
Suppose there is a signing group of m signers who want to sign the document M. Each of the
signers selects a private key x. His/Her corresponding public key is 𝑦 = 𝛼 𝑚𝑜𝑑 𝑝, 𝑖 =
1, 2, … , 𝑚. The public key 𝑌 of the group manager is a public key of the group and is calculated
as follows 𝑌 = 𝛼 𝑚𝑜𝑑 𝑝, where 𝑋 is the manager’s private key. The group manager, can be a
element in the PKI system. The value 𝑌 is used in the signature verification procedure of the
GDS-3.1 scheme. Let 𝐹 is some specified hash function.
The group signature scheme based on factoring and discrete logarithm problems (GDS-3.1) is
described as follows:
The group signature generation procedure on the document M
It consists of stages:
1. The group manager does the following tasks:
- Computes hash value from document 𝑀:
𝐻 = 𝐹 (𝑀) (15)
- Calculates masking coefficients :
= 𝐹 (𝐻 || 𝑦 || 𝐹 (𝐻 ||𝑦 || 𝑋)) (16)](https://image.slidesharecdn.com/14222cnc07-220413114446/85/CONSTRUCTING-NEW-COLLECTIVE-SIGNATURE-SCHEMES-BASE-ON-TWO-HARD-PROBLEMS-FACTORING-AND-DISCRETE-LOGARITHM-6-320.jpg)
![International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022
129
Signature forgery attack:
Assuming the signing group consists of 𝑚 members. The group manager of this signing group
knows the values 𝑆 , 𝑅 , 𝑦 so if the group manager wants to attack the m-th person in the
signing group he perform the following steps:
Choose 𝑋 ∈ [1, 𝑛 − 1] and calculate his public key:
𝑌 = 𝑦 𝛼 𝑚𝑜𝑑 𝑝 (53)
And calculate the common public value of group.
𝑈 = 𝑦 𝑚𝑜𝑑 𝑝
Choose 𝐾 ∈ [1, 𝑛 − 1] and compute:
𝑅 = 𝑅 𝛼 𝑚𝑜𝑑 𝑝
Compute 𝑅 and 𝐸, send 𝐸 to all other member of group.
𝑅 = 𝑅 𝑅 𝑚𝑜𝑑 𝑝
𝐸 = 𝐹 𝑀 |𝑅| 𝑈 𝑚𝑜𝑑 𝛿
Compute: 𝑆 = (𝑆 + 𝐾 + 𝑋𝐸) /
𝑚𝑜𝑑 𝑛
And:
𝑆 = 𝑆 + 𝑆
/
𝑚𝑜𝑑 𝑛
The tuple (𝑈, 𝐸, 𝑆) still satisfy the test equation 𝑅 = 𝛼 (𝑈𝑌) 𝑚𝑜𝑑 𝑝. Because:
𝑅∗
= 𝛼 (𝑈𝑌) 𝑚𝑜𝑑 𝑝
= 𝛼 ∑
𝑦 𝛼 𝑦 𝑚𝑜𝑑 𝑝
= 𝛼 ( ) ∑
𝑦 𝛼 𝑦 𝑚𝑜𝑑 𝑝
= 𝛼( ) ( ) ∑ ( )
𝛼 𝛼 𝛼∑
𝑚𝑜𝑑 𝑝
= 𝛼 ∑
= 𝑅 𝑅 𝑚𝑜𝑑 𝑝 = 𝑅
When deploying the scheme to prevent this type of attack, it is necessary to have a trusted
department to act as the group manager. The PKI plays an important role in this case [21-22].
(54)
(55)
(56)
(57)
(58)
(59)](https://image.slidesharecdn.com/14222cnc07-220413114446/85/CONSTRUCTING-NEW-COLLECTIVE-SIGNATURE-SCHEMES-BASE-ON-TWO-HARD-PROBLEMS-FACTORING-AND-DISCRETE-LOGARITHM-15-320.jpg)
![International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022
130
When building a signing group, that department is responsible for receiving the public key of
each signing member, then calculating and publishing the public public key of the signing group,
the public keys of the members must also be made public. Publicly announced in the signing
group for all members of the group to know. The private-public keys of the members and the
public keys of the whole group are fixed, and the attacker will not be able to recompute them as
shown in expression (53). So the scheme is safe if implemented correctly (53).
The security level of the collective digital signature and the collective digital signature of signing
groups are similar to Security level of digital signature for signing group we mention above.
4.2. Performance evaluation of the proposed collective digital signature schemes
The performance of a digital signature scheme can be evaluated by calculating the time cost of
signature generation and the time cost of signature verification. We do it this way. The time costs
of representative collective signature schemes proposed in this paper are shown in Table 1.
Notations: 𝑇 : Time cost of a hash operation in 𝑍 ; 𝑇 : Time cost of a scalar multiplication in 𝑍 ;
𝑇 : Time cost of a inverse operation in 𝑍 ; 𝑇 : Time cost of an exponent operation in 𝑍 ; 𝑇 :
Time cost of a modular multiplication in 𝑍 . According to [23]: 𝑇 ≈ 𝑇 , 𝑇 ≈ 29𝑇 , 𝑇 ≈
240𝑇 ,
𝑇 ≈ 240𝑇 , 𝑇𝑠𝑞𝑟𝑡 ≈ 290𝑇𝑚.
Table 1. Time cost of the proposed collective signature scheme: RCS.01-3.2 and RCS.02-3.3
The scheme Time for Signature generation
Time for
Signature verification
RCS.01-3.2
𝑈 = (243𝑚 + 1) 𝑇
𝑒 = [ 241𝑚 + 240 + 1]𝑇
𝑆 = [ 1254𝑚 + 1781 + 290]𝑇
𝑆𝑢𝑚 = [ 1738𝑚 + 2022 + 291]𝑇
(723 + 𝑔)𝑇
RCS.02-3.3
𝑈 = (243𝑚 + 1) 𝑇
𝑒 = [ 241𝑚 + 240 + 241𝑚 + 1]𝑇
𝑆 = [ 1254𝑚 + 1781 + 1250𝑚 + 290]𝑇
𝑆𝑢𝑚 = [ 1738𝑚 + 2022 + 1491𝑚 + 292]𝑇
(723 + 𝑔 + 𝑚)𝑇](https://image.slidesharecdn.com/14222cnc07-220413114446/85/CONSTRUCTING-NEW-COLLECTIVE-SIGNATURE-SCHEMES-BASE-ON-TWO-HARD-PROBLEMS-FACTORING-AND-DISCRETE-LOGARITHM-16-320.jpg)
![International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022
131
Table 1 shows that the time cost for the generation of signature components and for the signature
verification of the proposed collective signature schemes are is much higher than that of the
similar signature scheme in [24]. This is considered as a limitation that needs to be overcome for
schemes built on two difficult problems factoring and discrete logarithm [25-27].
5. CONCLUSION
In this paper, we have shown that there is a new authentication requirement that requires
collective key generation and signature generation algorithms to satisfy. Our proposed collective
signature can meet this new requirement.
In addition, we have succeeded in using simultaneously two difficult problems factoring and
discrete logarithm to build two types of representative collective signature schemes, which are: i)
the collective signature scheme for many signing groups and ii) the collective signature scheme
for many individual signers and many signing groups. These types of schemes are essential for
the multi-level authentication requirements of many information exchange applications in today's
network environment and it is also easy to deploy on existing PKI systems.
The simultaneous combination of two difficult problems factoring and discrete logarithm is
demonstrated by choosing a prime modulo p with a special structure, 𝑝 = 2𝑛 + 1 with
𝑛 = 𝑞′𝑞, 𝑞 and 𝑞 are large prime numbers having the 512 bit size or 1024 bit. The security level
of the proposed collective signature schemes is inherited from the base scheme which has been
analyzed in section 4.1. That is, to break the proposed collective signature scheme, the attacker
must also solve two difficult problems simultaneously.
The paper also calculated and compared the performance of the two proposed schemes with the
performance of some other schemes.
CONFLICT OF INTEREST
The authors declare no conflict of interest.
REFERENCES
[1] Pieprzyk J., Hardjono T. & Seberry J., (2003) “Fundamentals of Computer Security”, Springer-
Verlag, Berlin Heidelberg.
[2] National Institute of Standards & Technology, (2009) “Digital Signature Standard”, Federal
Information Processing Standards Publication 186-3.
[3] Ganeshkumar K. & Arivazhagan D., (2014) “Generating A Digital Signature Based On New
Cryptographic Scheme For User Authentication And Security”, Indian Journal of Science and
Technology.
[4] Girault M., Poupard G. & Stern J., (2006) “On the Fly Authentication and Signature Schemes Based
on Groups of Unknown Order”, In Journal of Cryptology, no.19, pp.463-487.
[5] Seetha R. & Saravanan R., (2016) “Digital Signature Schemes for group communication: A Survey”,
International Journal of Applied Engineering Research, no.11, pp.4416–4422.
[6] Enache A. C., (2012) “About Group Digital Signatures”, Journal of Mobile, Embedded and
Distributed Systems, no.4, pp.193–202.
[7] Alamélou Q., Blazy O., Cauchie S. & Ph. Gaborit, (2017) “A code-based group signature scheme”,
Designs, Codes and Cryptography, vol.82, no.1-2.
[8] Moldovyan A. A. & Moldovyan N. A, (2014) “Group signature protocol based on masking public
keys”,Quasigroups and related systems, no.22, pp.133–140.](https://image.slidesharecdn.com/14222cnc07-220413114446/85/CONSTRUCTING-NEW-COLLECTIVE-SIGNATURE-SCHEMES-BASE-ON-TWO-HARD-PROBLEMS-FACTORING-AND-DISCRETE-LOGARITHM-17-320.jpg)
![International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022
132
[9] Xie R., Xu C., He C. & Zhang X., (2016) “A new group signature scheme for dynamic membership”,
International Journal of Electronic Security and Digital Forensics, vol.8, no.4.
[10] Moldovyan N. A., Nguyen Hieu Minh, Dao Tuan Hung & Tran Xuan Kien, (2016) “Group Signature
Protocol Based on Collective Signature Protocol and Masking Public Keys Mechanism”,
International Journal of Emerging Technology and Advanced Engineering, no.6, pp.1–5.
[11] Rajasree R. S., (2014) “Generation of Dynamic Group Digital Signature”, International Journal of
Computer Applications, no.98, pp.1–5.
[12] Moldovyan N. A., (2011) “Blind Collective Signature Protocol”, Computer Science Journal of
Moldova, no.19, pp.80–91.
[13] Tahat N., Ismail E., and Ahmad R., (2009) “A New Blind Signature Scheme Based on Factoring and
Discrete Logarithms,” International Journal of Cryptology Research, vol.1, no.1, pp.1-9.
[14] Minh N., Binh D., Giang N. & Moldovyan N. A., (2012) “Blind Signature Protocol Based on
Difficulty of Simultaneous Solving Two Difficult Problems”, Journal of Applied Mathematical
Sciences, vol.6, no.139, pp.6903-6910.
[15] Berezin A., Moldovyan N. A. & Victor S., (2013) “Cryptoschemes Based on Difficulty of
Simultaneous Solving Two Different Difficult Problems”, Computer Science Journal of Moldova,
vol.21, no.2,
pp.280-290.
[16] Schnorr C. P., (1991) “Efcient signature generation by smart-cards”, In Journal of Cryptology, vol.4,
no.3, pp.161-174.
[17] Camenisch J. L., Piveteau J. -M. & Stadler M. A., (1995) “Blind Signatures Based on the Discrete
Logarithm Problem”, In: Advances in Crypology – EUROCRYPT'94 Proc, Lecture Notes in
Computer Science, Springer-Verlag, Berlin Heidelberg New York, vol.950, pp.428–432.
[18] Moldovyan N. A. & Moldovyan A. A, (2010) “Blind Collective Signature Protocol Based on Discrete
Logarithm Problem”, Int. Journal of Network Security, no.11, pp.106–113.
[19] Nimbalkar A. B., (2018) “The Digital Signature Schemes Based on Two Hard Problems:
Factorization and Discrete Logarithm”, Advances in Intelligent Systems and Computing, Cyber
Security. vol.729, pp.493.498.
[20] Moldovyan N. A., (2011) “Blind Signature Protocols from Digital Signature Standards”, Int. Journal
of Network Security, no.13, pp.22–30.
[21] Selvakumaraswamy S. & Govindaswamy U., (2016) “Efficient Transmission of PKI Certificates
using ECC and its Variants”, The International Arab Journal of Information Technology, vol.13, no.1,
pp.38-43.
[22] Shivkumar S. and Umamaheswari G., (2015) “Efficient Transmission of PKI Certificates using
Elliptic Curve Cryptography and its Variants”, The International Arab Journal of Information
Technology, pp. 38-43.
[23] 21Popescu C., (1999) “Blind signature and BMS using elliptic curves”, Studia univ babes–bolyai,
Informatica, pp.43-49.
[24] 22Tuan N. K., Van V.L., Moldovyan D. N., Duy H. N. & Moldovyan A. A., (2018) “Collective
signature protocols for signing groups”, In Proc. Information Systems Design and Intelligent
Applications. Advances in Intelligent Systems and Computing, India.
[25] 23Moldovyan N. A., (2008) “Digital Signature Scheme Based on a New Hard Problem”, Computer
Science Journal of Moldova, no.16, pp.163–18.
[26] 24Lee J., Kim H., Lee Y., Hong S. M. & Yoon H., (2017) “Parallelized scalar multiplication on
elliptic curves defined over optimal extension field”, International Journal of Network Security, vol.4,
p.99-106.
[27] 26Chaum D., (1983) “Blind Signatures for Untraceable Payments”, Advances in Cryptology: Proc. of
CRYPTO’82, Plenum Press, p.199–203.](https://image.slidesharecdn.com/14222cnc07-220413114446/85/CONSTRUCTING-NEW-COLLECTIVE-SIGNATURE-SCHEMES-BASE-ON-TWO-HARD-PROBLEMS-FACTORING-AND-DISCRETE-LOGARITHM-18-320.jpg)
CONSTRUCTING NEW COLLECTIVE SIGNATURE SCHEMES BASE ON TWO HARD PROBLEMS FACTORING AND DISCRETE LOGARITHM
- 1. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 DOI: 10.5121/ijcnc.2022.14207 115 CONSTRUCTING NEW COLLECTIVE SIGNATURE SCHEMES BASE ON TWO HARD PROBLEMS FACTORING AND DISCRETE LOGARITHM Tuan Nguyen Kim1 , Nguyen Tran Truong Thien1 , Duy Ho Ngoc2 and Nikolay A. Moldovyan3 1 School of Computer Science - Duy Tan University, Da Nang, Vietnam 2 Department of Information Technology, Ha Noi, Vietnam 3 SPIIRAS, St. Petersburg, Russia ABSTRACT In network security, digital signatures are considered a basic component to developing digital authentication systems. These systems secure Internet transactions such as e-commerce, e-government, e- banking, and so on. Many digital signature schemes have been researched and published for this purpose. In this paper, we propose two new types of collective signature schemes, namely i) the collective signature for several signing groups and ii) the collective signature for several individual signings and several signing groups. And then we used two difficult problems factoring and discrete logarithm to construct these schemes. To create a combination of these two difficult problems we use the prime module p with a special structure: p = 2n +1. Schnorr's digital signature scheme is used to construct related basic schemes such as the single signature scheme, the collective signature scheme, and the group signature scheme. The proposed collective signature schemes are built from these basic schemes. The proposed signature scheme is easy to deploy on existing PKI systems. It can support PKIs in generating and providing a unique public key, a unique digital signature, and a unique digital certificate for a collective of many members. This is essential for many collective transactions on today's Internet. KEYWORDS Network security, digital signature authentication, collective signature, group signature, signing group. 1. INTRODUCTION To ensure the security of transactions on the Internet, people often use authentication systems based on digital signatures. A digital signature not only supports "authentication" of the origin of information but also helps to check the "integrity" of information when it is transmitted from source to destination and prevent the "non-repudiation" of a communication partner. Most of the existing authentication systems are built on the basis of single digital signature schemes, so it can only support the validation of an individual signer, it is difficult to validate for a collective of many signers. In this paper, we propose and build a signature scheme that can support authentication for a group of signers, with different functions, with only a single public key and signature. This new authentication request is described below. Assume that there is a collective made up of several groups, each of which has a large number of members and is managed by a group leader. There are another few individual members in this collective that do not belong to any groups, but they are functionally equivalent to the group
- 2. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 116 leaders. The problem is how to create a single digital signature [1-2] that represents this collective. The requirement of digital signature-based authentication [3-4] for a multi-functional collective is quite common in today's cyberspace. Both group signature protocols [5-9] and collective signature [10] ones can be used to produce a unique signature for a group of multiple signers, but they cannot be used to generate a common signature for a multi-level signing collective as described above. The reason for this is that the group signature scheme [11] can only create a common signature for each group, and the collective signature scheme [12] can only generate a common signature for the group leaders and individual members, or for all collective members [12]. Therefore, we propose a new type of multi-signature scheme, the representative collective signature scheme, which is structured from the combination of the group signature scheme and the collective signature scheme. Two stages are required to create the representative collective signature. Firstly, the group signature protocol is used to establish group signatures for each group of the collective. The collective signature protocol is then used to generate collective signatures from each group and every other individual. The final signature represents a signing collective made up of several signing groups and individual signers, and it comprises the information of everyone who participated in the formation of this signature. Most of the digital signature schemes can be built based on a difficult problem or at the same time two difficult problems [13-15]. In this article, we utilize Schnorr's digital signature standard [16] to develop two types of representative collective signature schemes using two tough challenges simultaneously. For the discrete logarithm problem [17-18], we use a specially structured prime modulo, 𝑝 = 2𝑛 + 1, where 𝑛 = 𝑞′𝑞; 𝑞′ and 𝑞 are two large primes of magnitude 512 bits, or 1024 bits, used as the signer's private key. When attempting to find 𝑞′ and 𝑞 from 𝑛, the factorization problem [19-20] is applied. 2. THE RELATED BASE DIGITAL SIGNATURE SCHEMES The Schnorr digital signature protocol is built on the difficult problem of the discrete logarithm in prime fields, with the input parameter set selected according to the DSA digital signature standard, but without constraints on size and structure of 𝑝 and 𝑞. We propose a modification from the Schnorr scheme by i) Choosing prime modulus with special structure, 𝑝 = 2𝑛 + 1, where 𝑛 = 𝑞 𝑞; 𝑞 and 𝑞 are large prime numbers having the 512 bit size or more (the primes 𝑞 and 𝑞 are such that the value 3 does not divide 𝑞 − 1 nor 𝑞 − 1); ii) Change the expression for calculating the value S in the the signature generation procedure and iii) Change the expression 𝑅∗ in the signature checking procedure (𝑆 is replaced by the parameter 𝑆 ). A new prime modulus has been used for constructing the randomized signature security of which is based on the factorization of the value 𝑛 = (𝑝 − 1)/2. 2.1. The Single Signature Scheme (The SDS-2.1 scheme) In this scheme we select the parameter 𝛼 having the order 𝑛 𝑚𝑜𝑑𝑢𝑙𝑜 𝑝. The primes 𝑞 and 𝑞 are elements of the private key. We assume that the signer has a secret key 𝑥 (1 < 𝑥 < 𝑛 − 1), 𝑥 is chosen at random. The private key of the signer is 𝑥. His/Her corresponding public key 𝑦: 𝑦 = 𝛼 𝑚𝑜𝑑 𝑝. Let 𝐹 be a one-way hash function such as SHA-1 or SHA- 2, which produces the hash value 𝐻 from the document 𝑀: 𝐻 = 𝐹 (𝑀).
- 3. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 117 The signature scheme based on factoring and discrete logarithm problems is described as below: The signature generation procedure on the document M: It includes the following steps: 1. The signer generates the random value 𝑘, 𝑘 < 𝑛, and then computes the value 𝑅: 𝑅 = 𝛼 𝑚𝑜𝑑 𝑝 (1) 2. The signer computes the value E: 𝐸 = 𝑅𝐻 𝑚𝑜𝑑 , (2) where is a large prime, || = 160 bits; and 𝐻 is a hash value of the document 𝑀. The value 𝐸 is the first part of the signature. 3. The signer computes the value 𝑆: 𝑆 = (𝑘 + 𝑥𝐸) / 𝑚𝑜𝑑 𝑛 (3) such that: 𝑅 = 𝛼 𝑦 𝑚𝑜𝑑 𝑝 (4) The pair of value (𝐸, 𝑆) is the signer’s signature on the document M. The signature verification procedure on the document M: It includes the following steps: 1. The verifier computes the value 𝑅∗ : 𝑅∗ = 𝛼 𝑦 𝑚𝑜𝑑 𝑝 (5) 2. The verifier computes the value 𝐸∗ : 𝐸∗ = 𝑅∗ 𝐻 𝑚𝑜𝑑 , (6) 3. The verifier compares values 𝐸∗ with 𝐸. If 𝐸∗ = 𝐸: The signature is valid; Otherwise the signature is invalid. It is rejected. Proof of correctness of the SDS-2.1 scheme: To prove the correctness of this signatue scheme we only need to prove the existence of the equation 𝐸∗ = 𝐸. It is easy to see 𝑅∗ = 𝑅. Indeed:
- 4. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 118 𝑅∗ = 𝛼 𝑦 𝑚𝑜𝑑 𝑝 = 𝛼( )(𝛼 ) 𝑚𝑜𝑑 𝑝 = 𝛼 𝛼 𝑚𝑜𝑑 𝑝 = 𝛼 𝑚𝑜𝑑 𝑝 = 𝑅 Since 𝑅∗ = 𝑅 so 𝐸∗ = 𝐸 (𝐸∗ = 𝑅∗ 𝐻 𝑚𝑜𝑑 = 𝑅𝐻 𝑚𝑜𝑑 = 𝐸) is always exists. The correctness of the SDS.2-1 scheme has been proved. The collective signature scheme described below (the CDS-2.2 scheme) is built on the basis of this signature scheme (the SDS-2.1 scheme). 2.2. The Collective Signature Scheme (the CDS-2.2 scheme) We assume that there are 𝑚 signers in the signing collective, 1 ≤ 𝑖 ≤ 𝑚, to sign the same document 𝑀. Each signer randomly selects an integer 𝑥 from the interval [1, 𝑛 − 1] and computes a corresponding public key: 𝑦 = 𝛼 𝑚𝑜𝑑 𝑝 (𝑥 is the secret key of the i-th user). The collective signature scheme based on factoring and discrete logarithm problems (CDS-2.2) is described as below: The collective signature generation procedure on the document M It includes the following steps: 1. Each signer selects a random number 𝑘 , 𝑘 ∈ [1, 𝑛 1], and then computes the value 𝑅 : 𝑅 = 𝛼 𝑚𝑜𝑑 𝑝 (7) The signer sends Ri to all other signers in the signing collective. 2. One of the signers in the signing collective, or a element in the PKI system, calculates the common randomization value 𝑅: 𝑅 = 𝑅 𝑚𝑜𝑑 𝑝 (8) Anh calculates the first part of the collective signature: 𝐸 = 𝑅𝐻 𝑚𝑜𝑑 (9) where is a large prime, || = 160 bits; and 𝐻 is a hash value of the document 𝑚. The value 𝐸 is sent to all signers in the signing collective. 3. Each signer computes it’s a shared signature 𝑆 : 𝑆 = (𝑘 + 𝑥 𝐸) / 𝑚𝑜𝑑 𝑛. (10) 4. One of the signers in the signing collective, or a element in the PKI system, calculates the
- 5. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 119 second element of the collective digtal signature 𝑆: 𝑆 = ( 𝑆 ) / 𝑚𝑜𝑑 𝑛 (11) The pair of value (𝐸, 𝑆) is the collective digital signature of the signing collective, there are 𝑚 signers, on the message M. The signature verification procedure on the document M It includes the following steps (the verifier can be a element in the PKI system): 1. The verifier computes the collective public key y: 𝑦 = 𝑦 𝑚𝑜𝑑 𝑝 (12) 2. The verifier computes the value 𝑅∗ : 𝑅∗ = 𝛼 𝑦 𝑚𝑜𝑑 𝑝. (13) 3. The verifier computes the value 𝐸∗ : 𝐸∗ = 𝑅∗ 𝐻 𝑚𝑜𝑑 . (14) 4. The verifier compares values 𝐸∗ and 𝐸. If 𝐸∗ = 𝐸: The signature is valid; Otherwise the signature is invalid. It is rejected. Proof of correctness of the CDS-2.2 scheme: To prove the correctness of this signatue scheme we only need to prove the existence of the equation 𝐸∗ = 𝐸. It is easy to see 𝑅∗ = 𝑅. Indeed: Substituting the value 𝑆 = (∑ 𝑆 ) / 𝑚𝑜𝑑 𝑛 in the right part of the verification equation 𝑅∗ = 𝛼 𝑦 𝑚𝑜𝑑 𝑝, we get: 𝑅∗ = 𝛼∑ 𝑦 𝑚𝑜𝑑 𝑝 = 𝛼 𝛼 ( ) 𝑚𝑜𝑑 𝑝 = 𝛼 𝛼 ( ) 𝑚𝑜𝑑 𝑝
- 6. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 120 = 𝛼 𝑚𝑜𝑑 𝑝 = 𝑅 𝑚𝑜𝑑 𝑝 = 𝑅 Since 𝑅∗ = 𝑅 so 𝐸∗ = 𝐸 (𝐸∗ = 𝑅∗ 𝐻 𝑚𝑜𝑑 = 𝑅𝐻 𝑚𝑜𝑑 = 𝐸) is always exists. The correctness of the signature scheme has been proved. It is easy to see that, in this scheme, none of the signers generates his/her individual signature. The signer generates only its shared signature in the collective signature that corresponds exactly to the given document M and to the assigned set of m users. Besides, it is computationally difficult to manipulate with shares 𝑆 , 𝑆 , … , 𝑆 , and compose another collective digital signature, relating to some different set of users. 3. THE PROPOSED SIGNATURE SCHEMES In this part, we first construct a group signature scheme for a signing group of 𝑚 members using the group signature protocol provided in [8]. Then, we utilize this scheme and the collective signature scheme mentioned in section 2.2, as the basic schemes, to build two types of the representative collective signature scheme: i) the collective signature for several signing groups and ii) the collective signature for several individual signings and several signing groups 3.1. Constructing The Group Signature Scheme (GDS-3.1) Suppose there is a signing group of m signers who want to sign the document M. Each of the signers selects a private key x. His/Her corresponding public key is 𝑦 = 𝛼 𝑚𝑜𝑑 𝑝, 𝑖 = 1, 2, … , 𝑚. The public key 𝑌 of the group manager is a public key of the group and is calculated as follows 𝑌 = 𝛼 𝑚𝑜𝑑 𝑝, where 𝑋 is the manager’s private key. The group manager, can be a element in the PKI system. The value 𝑌 is used in the signature verification procedure of the GDS-3.1 scheme. Let 𝐹 is some specified hash function. The group signature scheme based on factoring and discrete logarithm problems (GDS-3.1) is described as follows: The group signature generation procedure on the document M It consists of stages: 1. The group manager does the following tasks: - Computes hash value from document 𝑀: 𝐻 = 𝐹 (𝑀) (15) - Calculates masking coefficients : = 𝐹 (𝐻 || 𝑦 || 𝐹 (𝐻 ||𝑦 || 𝑋)) (16)
- 7. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 121 - Sends each value to the corresponding i-th group member - Computes the first element of the group signature 𝑈: 𝑈 = 𝑦 𝑚𝑜𝑑 𝑝 (17) 2. Each i-th signer in the signing group does the following tasks: - Generates a random number 𝑘 , 𝑘 < 𝑛, anh then computes the value 𝑅 : 𝑅 = 𝛼 𝑚𝑜𝑑 𝑝 (18) - Sends 𝑅 to the group manager 3. The group manager does the following tasks: - Generates the random number 𝐾, 𝐾 < 𝑞, and then computes the values 𝑅′, 𝑅, 𝐸: 𝑅 = 𝛼 𝑚𝑜𝑑 𝑝 (19) 𝑅 = 𝑅′ 𝑅 𝑚𝑜𝑑 𝑝 = 𝛼 ∑ (20) and 𝐸 = 𝐹 (𝑀||𝑅||𝑈) 𝑚𝑜𝑑 (21) where is a large prime, || = 160 bit. - Sends value E to all signers in signing group E is the second element of the group signature. 4. Each i-th signer in the signing group does the following tasks: - Computes his/her shared signature 𝑆 : 𝑆 = (𝑘 + 𝑥 𝐸) / 𝑚𝑜𝑑 𝑛 (22) - Sends 𝑆 to the group manager 5. The group manager does the following tasks: - Verifies the correctness of each shared signature 𝑆 by checking equality: 𝑅 = 𝛼 𝑦 𝑚𝑜𝑑 𝑝 (23) - If all signature shared signatures Si satisfy the last verification equation, then he/she
- 8. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 122 computes his shared signature: 𝑆 = (𝐾 + 𝑋𝐸) 𝑚𝑜𝑑 𝑛 (24) - Computes the third element of the group signature 𝑆: 𝑆 = (𝑆 + 𝑆 ) / 𝑚𝑜𝑑 𝑛 The tuple (𝑈, 𝐸, 𝑆) is a group signature of the signing group on the document M. The signature verification procedure on the document M It includes the following steps (The verifier can be a element in the PKI system): 1. The verifier computes the hash function value from the document M: 𝐻 = 𝐹H(𝑀) 2. The verifier computes value 𝑅∗ : 𝑅∗ = 𝛼 (𝑈𝑌) 𝑚𝑜𝑑 𝑝 (26) 3. The verifier computes value 𝐸∗ : 𝐸∗ = 𝐹 (𝑀||𝑅∗ ||𝑈) 𝑚𝑜𝑑 (27) 4. The verifier compares the values 𝐸∗ with 𝐸. If 𝐸∗ = 𝐸: The group signature is valid; Otherwise, the group signature is invalid. It is rejected. Proof of correctness of this signature scheme: To prove the correctness of this signatue scheme we only need to prove the existence of the equation 𝐸∗ = 𝐸. It is easy to see 𝑅∗ = 𝑅. Indeed: 𝑅∗ = 𝛼 (𝑈𝑌) 𝑚𝑜𝑑 𝑝 = 𝛼 .∑ 𝛼 𝑦 mod 𝑝 = 𝛼( ).∑ ( ) 𝛼 𝛼 mod 𝑝 = 𝛼 ∑ 𝑚𝑜𝑑 𝑝 = 𝑅 Since 𝑅∗ = 𝑅 so 𝐸∗ = 𝐸 (𝐸∗ = 𝑅∗ 𝐻 𝑚𝑜𝑑 = 𝑅𝐻 𝑚𝑜𝑑 = 𝐸) is always exists. (25)
- 9. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 123 The correctness of the signature scheme has been proved. 3.2. Constructing the Collective Digital Signature For Several Signing Groups Let 𝑔 signing groups with public keys 𝑌 = 𝛼 𝑚𝑜𝑑 𝑝, where 𝑗 = 1,2, … , 𝑔. 𝑋 is the secret key of the j-th goup manager, have intention to sign the document 𝑀. Suppose also the j-th signing goup inclues 𝑚 active individual signers (persons appointed to act on behalf of the j-th signing goup). The collective signature scheme for several signing group (RCS.01-3.2) is described as below. The collective signature generation procedure on the document M It consists of stages: 1. Each j-th group manager in the signing collective does the following tasks: - Based on the group signature generation procedure described above (section 3.1) to generals masking parameters 𝜆 for the signers of j-th group. - Computes the value 𝑈 (where 𝑖 = 1, 2, … , 𝑚 ): 𝑈 = 𝑦 𝑚𝑜𝑑 𝑝 𝑈 as the shared element of the j-th group in the first element of the collective signature. - Comutes the randomizing parameter 𝑅 : 𝑅 = 𝑅 𝑅 𝑚𝑜𝑑 𝑝 - Sends values 𝑈 and 𝑅 to all other group managers in the signing collective. 2. Each j-th group manager in the signing collective computes values 𝑈, 𝑅 and 𝐸: 𝑈 = 𝑈 𝑚𝑜𝑑 𝑝 𝑅 = 𝑅 𝑚𝑜𝑑 𝑝 = 𝛼 ∑ 𝑚𝑜𝑑 𝑝 and 𝐸 = 𝐹 (𝑀||𝑅||𝑈) 𝑚𝑜𝑑 𝑈 and 𝐸 are the first and second elements of the collective signature. (28) (29) (30) (31) (32)
- 10. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 124 3. Each j-th group manager does the following tasks: - Computes the shared signature of j-th group: 𝑆 = 𝑆 + 𝑆 / 𝑚𝑜𝑑 𝑛 Where 𝑆 in the shared signature of the i-th signer in the j-th group, - Sends 𝑆 to other group managers in the signing collective. 4. Each j-th group manager does the following tasks: - Can verify the correctness of each shared signature 𝑆 by cheaking equality: 𝑅∗ = 𝛼 (𝑈 𝑌) 𝑚𝑜𝑑 𝑝 - If all shared signatures 𝑆 satisfy the last verification equation, then the third element S of the collective signature is computed: 𝑆 = ( 𝑆 ) / 𝑚𝑜𝑑 𝑛 The tuple (𝑈, 𝐸, 𝑆) is the collective signature on the document M of the signing collective there are 𝑔 signing groups. The signature verification procedure on the document M It includes the following steps (The verifier can be a element in the PKI system): 1. The verifier computes the collective public key shared by all signing groups: 𝑌 = 𝑌 𝑚𝑜𝑑 𝑝 2. The verifier computes the value 𝑅∗ : 𝑅∗ = 𝛼 (𝑈𝑌 ) 𝑚𝑜𝑑 𝑝 3. The verifier computes the value 𝐸∗ : 𝐸∗ = 𝐹 (𝑀||𝑅∗ ||𝑈) 𝑚𝑜𝑑 4. The verifier Compares the values 𝐸∗ with 𝐸. If 𝐸∗ = 𝐸: The collective signature is valid. Otherwise, the collective signature is invalid. It is rejected. (33) (34) (35) (36) (37) (38)
- 11. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 125 Proof of correctness of this signature scheme: To prove the correctness of this signatue scheme we only need to prove the existence of the equation 𝐸∗ = 𝐸. It is easy to see 𝑅∗ = 𝑅. Indeed: 𝑅∗ = 𝛼 (𝑈𝑌 ) 𝑚𝑜𝑑 𝑝 = 𝛼 ∑ ( 𝑈 𝑌 ) 𝑚𝑜𝑑 𝑝 = 𝛼 (𝑌𝑈 ) 𝑚𝑜𝑑 𝑝 = 𝑅 𝑚𝑜𝑑 𝑝 = 𝑅 Since 𝑅∗ = 𝑅 so 𝐸∗ = 𝐸 (𝐸∗ = 𝐹 (𝑀|| 𝑅∗|| 𝑈) = 𝐹 (𝑀|| R|| 𝑈) = 𝐸) is always exists. The correctness of the signature scheme has been proved. 3.3. Constructing the Collective Digital Signature Scheme for Several Individual Signers and Several Signing Groups The collective signature generation procedure of this scheme is similar to that of the RCS.01-3.2 scheme, but for individual signers, 𝑈𝑗 is equal to 1. Suppose 𝑥 and 𝑦 = 𝛼 , where 𝑗 = 𝑔 + 1, 𝑔 + 2, … , 𝑔 + 𝑚, are a private key and a public key, correspondingly, of 𝑚 individual signers participating in the protocol for generating the collective digital signature for g signing groups and m individual signers. The collective signature scheme for 𝑚 individual signers 𝑔 signing groups (RCS.02-3.3) is described as below. The signature generation procedure on the document M It consists of stages: 1. Each j-th group manager in the signing collective does the following tasks: - Based on the group signature generation procedure described above (section 3.1) to generals masking parameters 𝜆 for the signers of j-th group. - Computes the value 𝑈 (where 𝑖 = 1,2, … , 𝑚 ): 𝑈 = 𝑦 𝑚𝑜𝑑 𝑝 𝑈 as the shared element of the j-th group in the first element of the collective signature. (39)
- 12. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 126 - Computes the randomizing parameter 𝑅 : 𝑅 = 𝑅 𝑅 𝑚𝑜𝑑 𝑝 (40) - Send values 𝑈 and 𝑅 to all other managers and all individual signers in the signing collective. 2. Each j-th individual signer (𝑗 = 𝑔 + 1, 𝑔 + 2, … , 𝑔 + 𝑚) does the following tasks: - Generates a random value 𝐾 , 𝐾 < 𝑛, and then computes the value 𝑅 : 𝑅 = 𝛼 𝑚𝑜𝑑 𝑝 - Sent 𝑅 to all group managers and other individual signers in the signing collective. - Each j-th group manager and each j-th individual signer in the signing collective computes values 𝑈, 𝑅 and 𝐸: 𝑈 = 𝑈 𝑚𝑜𝑑 𝑝 𝑅 = 𝑅 𝑚𝑜𝑑 𝑝 And 𝐸 = 𝐹 (𝑀||𝑅||𝑈) 𝑚𝑜𝑑 where 𝛿 is a large prime having, |δ| = 160 bits; 𝑈 = 0 for 𝑗 = 𝑔 + 1, 𝑔 + 2, … , 𝑔 + 𝑚. 𝑈 and 𝐸 are the first and second elements of the signature. 3. a) Each j-th group manager computes the shared signature of j-th group 𝑆 : 𝑆 = (𝑆 + 𝑆 ) / 𝑚𝑜𝑑 𝑛 where 𝑆 is the shared signature of the i-th signer in the j-th signing group. And sends 𝑆 to all individual signers and other group managers. b) Each j-th individual signer computes his/her shared signature 𝑆 : 𝑆 = (𝐾 + 𝑋 𝐸) / 𝑚𝑜𝑑 𝑛 And sends 𝑆 to all group managers and other individual signers. (41) (42) (43) (44) (45) (46)
- 13. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 127 4. Each j-th group manager and each individual signers does the following tasks: - Can verify the correctness of each share signatures 𝑆 by checking equality: - 𝑅∗ = 𝛼 (𝑈 𝑌) 𝑚𝑜𝑑 𝑝 For 𝑗 = 1, 2, … , 𝑔 and 𝑅∗ = 𝛼 𝑌 𝑚𝑜𝑑 𝑝 For 𝑗 = 𝑔 + 1, 𝑔 + 2, … , 𝑔 + 𝑚. - If all shares S satisfy the last verification equation, then the third element Sof the collective signature is computed: 𝑆 = ( 𝑆 ) / 𝑚𝑜𝑑 𝑛 The tuple (𝑈, 𝐸, 𝑆) is the collective signature on the document M of the signing collective there are 𝑔 signing groups and 𝑚 individual signers. The first element 𝑈 of the collective signature contains information about the all group members of each signing group who signed the document 𝑀. The signature verification procedure on the document M It includes the following steps (The verifier can be a element in the PKI system): 1. The verifier computes the collective public key shared by all signing groups and individual signers: 𝑌 = 𝑌 𝑚𝑜𝑑 𝑝 2. The verifier computes the value 𝑅∗ : 𝑅∗ = 𝛼 (𝑈𝑌 ) 𝑚𝑜𝑑 𝑝 3. The verifier computes the value 𝐸∗ : 𝐸∗ = 𝐹 (𝑀|| 𝑅∗ || 𝑈) 4. The verifier Compares the value 𝐸∗ with 𝐸. If 𝐸∗ = 𝐸: The collective signature is valid; Otherwise, the collective signature is invalid. It is rejected. Proof of correctness of this signature scheme: To prove the correctness of this signatue scheme we only need to prove the existence of the (47) (48) (49) (50) (51) (52)
- 14. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 128 equation 𝐸∗ = 𝐸. It is easy to see 𝑅∗ = 𝑅. Indeed: 𝑅∗ = 𝛼 (𝑈𝑌 ) 𝑚𝑜𝑑 𝑝 = 𝛼 ∑ ( 𝑈 𝑌 ) 𝑚𝑜𝑑 𝑝 = 𝛼 ∑ ∑ ( 𝑈 𝑌 𝑌 ) 𝑚𝑜𝑑 𝑝 = 𝛼 𝑈 𝑌 𝛼 𝑌 𝑚𝑜𝑑 𝑝 = 𝑅 𝑅 𝑚𝑜𝑑 𝑝 = 𝑅 Since 𝑅∗ = 𝑅 so 𝐸∗ = 𝐸 (𝐸∗ = 𝐹 (𝑀|| 𝑅∗|| 𝑈) = 𝐹 (𝑀|| R|| 𝑈) = 𝐸) is always exists. The correctness of the signature scheme has been proved. 4. SECURITY ANALYSIS AND PERFORMANCE EVALUATION 4.1. Security analysis of the proposed collective digital signature schemes 4.1.1. Security level of the single digital signature (SDS-2.1) It is easy to see that, the solution of the discrete logarithm problem in 𝐺𝐹(𝑝) is not sufficient for breaking this signature scheme. To break the scheme it is required to know the factorization of n. Indeed, the solution of the discrete logarithm problem leads to the computation of the secret key x and the possibility to calculate the value 𝑘 + 𝑥𝐸 𝑚𝑜𝑑 𝑛. However, to calculate the signature element𝑆 is required to extract the 2-th root modulo n from 𝑘 + 𝑥𝐸 𝑚𝑜𝑑 𝑛. This requires factoring the modulus 𝑛. This is the second difficult problem. 4.1.2. Security level of the group digital signature scheme (GDS-3.1) With the group signature scheme, there are two main types of attacks: Internal attacks and external attacks. In external attacks, the attacker only knows the system parameters and the public keys, along with the document M, while in internal attacks, the attacker will know a lot more information. Let’s take a look at the most likely successful case where the attacker is the group manager, since he has the most information. Attack to reveal secret key: Assuming the signing group consists of 𝑚 members. Since the group manager knows the values 𝑆 , 𝑅 , 𝑦 so if he wants to attack the m-th person in the signing group he can do the following: He needs to calculate: 𝑥 = 𝑙𝑜𝑔 𝑦 𝑚𝑜𝑑 𝑝; or computes: 𝑘 = log 𝑅 𝑚𝑜𝑑 𝑝; and then computes: 𝑥 = 𝑆 − 𝑥𝐸 𝑚𝑜𝑑 𝑛. These require solving the discrete logarithm problem.
- 15. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 129 Signature forgery attack: Assuming the signing group consists of 𝑚 members. The group manager of this signing group knows the values 𝑆 , 𝑅 , 𝑦 so if the group manager wants to attack the m-th person in the signing group he perform the following steps: Choose 𝑋 ∈ [1, 𝑛 − 1] and calculate his public key: 𝑌 = 𝑦 𝛼 𝑚𝑜𝑑 𝑝 (53) And calculate the common public value of group. 𝑈 = 𝑦 𝑚𝑜𝑑 𝑝 Choose 𝐾 ∈ [1, 𝑛 − 1] and compute: 𝑅 = 𝑅 𝛼 𝑚𝑜𝑑 𝑝 Compute 𝑅 and 𝐸, send 𝐸 to all other member of group. 𝑅 = 𝑅 𝑅 𝑚𝑜𝑑 𝑝 𝐸 = 𝐹 𝑀 |𝑅| 𝑈 𝑚𝑜𝑑 𝛿 Compute: 𝑆 = (𝑆 + 𝐾 + 𝑋𝐸) / 𝑚𝑜𝑑 𝑛 And: 𝑆 = 𝑆 + 𝑆 / 𝑚𝑜𝑑 𝑛 The tuple (𝑈, 𝐸, 𝑆) still satisfy the test equation 𝑅 = 𝛼 (𝑈𝑌) 𝑚𝑜𝑑 𝑝. Because: 𝑅∗ = 𝛼 (𝑈𝑌) 𝑚𝑜𝑑 𝑝 = 𝛼 ∑ 𝑦 𝛼 𝑦 𝑚𝑜𝑑 𝑝 = 𝛼 ( ) ∑ 𝑦 𝛼 𝑦 𝑚𝑜𝑑 𝑝 = 𝛼( ) ( ) ∑ ( ) 𝛼 𝛼 𝛼∑ 𝑚𝑜𝑑 𝑝 = 𝛼 ∑ = 𝑅 𝑅 𝑚𝑜𝑑 𝑝 = 𝑅 When deploying the scheme to prevent this type of attack, it is necessary to have a trusted department to act as the group manager. The PKI plays an important role in this case [21-22]. (54) (55) (56) (57) (58) (59)
- 16. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 130 When building a signing group, that department is responsible for receiving the public key of each signing member, then calculating and publishing the public public key of the signing group, the public keys of the members must also be made public. Publicly announced in the signing group for all members of the group to know. The private-public keys of the members and the public keys of the whole group are fixed, and the attacker will not be able to recompute them as shown in expression (53). So the scheme is safe if implemented correctly (53). The security level of the collective digital signature and the collective digital signature of signing groups are similar to Security level of digital signature for signing group we mention above. 4.2. Performance evaluation of the proposed collective digital signature schemes The performance of a digital signature scheme can be evaluated by calculating the time cost of signature generation and the time cost of signature verification. We do it this way. The time costs of representative collective signature schemes proposed in this paper are shown in Table 1. Notations: 𝑇 : Time cost of a hash operation in 𝑍 ; 𝑇 : Time cost of a scalar multiplication in 𝑍 ; 𝑇 : Time cost of a inverse operation in 𝑍 ; 𝑇 : Time cost of an exponent operation in 𝑍 ; 𝑇 : Time cost of a modular multiplication in 𝑍 . According to [23]: 𝑇 ≈ 𝑇 , 𝑇 ≈ 29𝑇 , 𝑇 ≈ 240𝑇 , 𝑇 ≈ 240𝑇 , 𝑇𝑠𝑞𝑟𝑡 ≈ 290𝑇𝑚. Table 1. Time cost of the proposed collective signature scheme: RCS.01-3.2 and RCS.02-3.3 The scheme Time for Signature generation Time for Signature verification RCS.01-3.2 𝑈 = (243𝑚 + 1) 𝑇 𝑒 = [ 241𝑚 + 240 + 1]𝑇 𝑆 = [ 1254𝑚 + 1781 + 290]𝑇 𝑆𝑢𝑚 = [ 1738𝑚 + 2022 + 291]𝑇 (723 + 𝑔)𝑇 RCS.02-3.3 𝑈 = (243𝑚 + 1) 𝑇 𝑒 = [ 241𝑚 + 240 + 241𝑚 + 1]𝑇 𝑆 = [ 1254𝑚 + 1781 + 1250𝑚 + 290]𝑇 𝑆𝑢𝑚 = [ 1738𝑚 + 2022 + 1491𝑚 + 292]𝑇 (723 + 𝑔 + 𝑚)𝑇
- 17. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 131 Table 1 shows that the time cost for the generation of signature components and for the signature verification of the proposed collective signature schemes are is much higher than that of the similar signature scheme in [24]. This is considered as a limitation that needs to be overcome for schemes built on two difficult problems factoring and discrete logarithm [25-27]. 5. CONCLUSION In this paper, we have shown that there is a new authentication requirement that requires collective key generation and signature generation algorithms to satisfy. Our proposed collective signature can meet this new requirement. In addition, we have succeeded in using simultaneously two difficult problems factoring and discrete logarithm to build two types of representative collective signature schemes, which are: i) the collective signature scheme for many signing groups and ii) the collective signature scheme for many individual signers and many signing groups. These types of schemes are essential for the multi-level authentication requirements of many information exchange applications in today's network environment and it is also easy to deploy on existing PKI systems. The simultaneous combination of two difficult problems factoring and discrete logarithm is demonstrated by choosing a prime modulo p with a special structure, 𝑝 = 2𝑛 + 1 with 𝑛 = 𝑞′𝑞, 𝑞 and 𝑞 are large prime numbers having the 512 bit size or 1024 bit. The security level of the proposed collective signature schemes is inherited from the base scheme which has been analyzed in section 4.1. That is, to break the proposed collective signature scheme, the attacker must also solve two difficult problems simultaneously. The paper also calculated and compared the performance of the two proposed schemes with the performance of some other schemes. CONFLICT OF INTEREST The authors declare no conflict of interest. REFERENCES [1] Pieprzyk J., Hardjono T. & Seberry J., (2003) “Fundamentals of Computer Security”, Springer- Verlag, Berlin Heidelberg. [2] National Institute of Standards & Technology, (2009) “Digital Signature Standard”, Federal Information Processing Standards Publication 186-3. [3] Ganeshkumar K. & Arivazhagan D., (2014) “Generating A Digital Signature Based On New Cryptographic Scheme For User Authentication And Security”, Indian Journal of Science and Technology. [4] Girault M., Poupard G. & Stern J., (2006) “On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order”, In Journal of Cryptology, no.19, pp.463-487. [5] Seetha R. & Saravanan R., (2016) “Digital Signature Schemes for group communication: A Survey”, International Journal of Applied Engineering Research, no.11, pp.4416–4422. [6] Enache A. C., (2012) “About Group Digital Signatures”, Journal of Mobile, Embedded and Distributed Systems, no.4, pp.193–202. [7] Alamélou Q., Blazy O., Cauchie S. & Ph. Gaborit, (2017) “A code-based group signature scheme”, Designs, Codes and Cryptography, vol.82, no.1-2. [8] Moldovyan A. A. & Moldovyan N. A, (2014) “Group signature protocol based on masking public keys”,Quasigroups and related systems, no.22, pp.133–140.
- 18. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 132 [9] Xie R., Xu C., He C. & Zhang X., (2016) “A new group signature scheme for dynamic membership”, International Journal of Electronic Security and Digital Forensics, vol.8, no.4. [10] Moldovyan N. A., Nguyen Hieu Minh, Dao Tuan Hung & Tran Xuan Kien, (2016) “Group Signature Protocol Based on Collective Signature Protocol and Masking Public Keys Mechanism”, International Journal of Emerging Technology and Advanced Engineering, no.6, pp.1–5. [11] Rajasree R. S., (2014) “Generation of Dynamic Group Digital Signature”, International Journal of Computer Applications, no.98, pp.1–5. [12] Moldovyan N. A., (2011) “Blind Collective Signature Protocol”, Computer Science Journal of Moldova, no.19, pp.80–91. [13] Tahat N., Ismail E., and Ahmad R., (2009) “A New Blind Signature Scheme Based on Factoring and Discrete Logarithms,” International Journal of Cryptology Research, vol.1, no.1, pp.1-9. [14] Minh N., Binh D., Giang N. & Moldovyan N. A., (2012) “Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems”, Journal of Applied Mathematical Sciences, vol.6, no.139, pp.6903-6910. [15] Berezin A., Moldovyan N. A. & Victor S., (2013) “Cryptoschemes Based on Difficulty of Simultaneous Solving Two Different Difficult Problems”, Computer Science Journal of Moldova, vol.21, no.2, pp.280-290. [16] Schnorr C. P., (1991) “Efcient signature generation by smart-cards”, In Journal of Cryptology, vol.4, no.3, pp.161-174. [17] Camenisch J. L., Piveteau J. -M. & Stadler M. A., (1995) “Blind Signatures Based on the Discrete Logarithm Problem”, In: Advances in Crypology – EUROCRYPT'94 Proc, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, vol.950, pp.428–432. [18] Moldovyan N. A. & Moldovyan A. A, (2010) “Blind Collective Signature Protocol Based on Discrete Logarithm Problem”, Int. Journal of Network Security, no.11, pp.106–113. [19] Nimbalkar A. B., (2018) “The Digital Signature Schemes Based on Two Hard Problems: Factorization and Discrete Logarithm”, Advances in Intelligent Systems and Computing, Cyber Security. vol.729, pp.493.498. [20] Moldovyan N. A., (2011) “Blind Signature Protocols from Digital Signature Standards”, Int. Journal of Network Security, no.13, pp.22–30. [21] Selvakumaraswamy S. & Govindaswamy U., (2016) “Efficient Transmission of PKI Certificates using ECC and its Variants”, The International Arab Journal of Information Technology, vol.13, no.1, pp.38-43. [22] Shivkumar S. and Umamaheswari G., (2015) “Efficient Transmission of PKI Certificates using Elliptic Curve Cryptography and its Variants”, The International Arab Journal of Information Technology, pp. 38-43. [23] 21Popescu C., (1999) “Blind signature and BMS using elliptic curves”, Studia univ babes–bolyai, Informatica, pp.43-49. [24] 22Tuan N. K., Van V.L., Moldovyan D. N., Duy H. N. & Moldovyan A. A., (2018) “Collective signature protocols for signing groups”, In Proc. Information Systems Design and Intelligent Applications. Advances in Intelligent Systems and Computing, India. [25] 23Moldovyan N. A., (2008) “Digital Signature Scheme Based on a New Hard Problem”, Computer Science Journal of Moldova, no.16, pp.163–18. [26] 24Lee J., Kim H., Lee Y., Hong S. M. & Yoon H., (2017) “Parallelized scalar multiplication on elliptic curves defined over optimal extension field”, International Journal of Network Security, vol.4, p.99-106. [27] 26Chaum D., (1983) “Blind Signatures for Untraceable Payments”, Advances in Cryptology: Proc. of CRYPTO’82, Plenum Press, p.199–203.
- 19. International Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 AUTHORS Tuan Nguyen Kim was born in 1969, received B.E., and M.E from Hue University of Sciences in 1994, and from Hanoi University of Technology in 1998. He has been a lecturer at Hue University since 1996. From 2011 to the present (2021) he is a lecturer at School of Computer Science, Duy Tan University, Da Nang, Vietnam. His main research interests include Computer Network Technology and Information. Nguyen Tran Truong Thien was born in 1997, received B.E from Duy Tan University in 2020. He has been a security researcher main research interests include is Network Security, Information Security and Machine learning for Cybersecurity. Duy Ho Ngoc was born in 1982. He received his Ph.D. in Cybersecurity in 2007 from LETI University, St. Petersburg, Russia Federation. He has authored more than 45 scienti articles in cybersecurity. Nikolay A. Moldovyan is an honored inventor of Russian Federati head at St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences, and a Professor with the St. Petersburg State Electrotechnical University. His research interests include computer security and cryptogr authored more than 60 inventions and 220 scienti received his Ph.D. from the Academy of Sciences of Moldova (1981). al Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 was born in 1969, received B.E., and M.E from Hue University of Sciences in 1994, and from Hanoi University of Technology in 1998. He has been a lecturer at Hue University since 1996. From 2011 to the present (2021) he is a lecturer at School of Science, Duy Tan University, Da Nang, Vietnam. His main research interests include Computer Network Technology and Information. was born in 1997, received B.E from Duy Tan University in 2020. He has been a security researcher at Duy Tan University since February 2021. main research interests include is Network Security, Information Security and Machine was born in 1982. He received his Ph.D. in Cybersecurity in 2007 from LETI University, St. Petersburg, Russia Federation. He has authored more than 45 scienti is an honored inventor of Russian Federation (2002), a laboratory head at St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences, and a Professor with the St. Petersburg State Electrotechnical University. His research interests include computer security and cryptography. He has authored or co authored more than 60 inventions and 220 scientific articles, books, and reports. He received his Ph.D. from the Academy of Sciences of Moldova (1981). al Journal of Computer Networks & Communications (IJCNC) Vol.14, No.2, March 2022 133 was born in 1969, received B.E., and M.E from Hue University of Sciences in 1994, and from Hanoi University of Technology in 1998. He has been a lecturer at Hue University since 1996. From 2011 to the present (2021) he is a lecturer at School of Science, Duy Tan University, Da Nang, Vietnam. His main research interests was born in 1997, received B.E from Duy Tan University in at Duy Tan University since February 2021. His main research interests include is Network Security, Information Security and Machine was born in 1982. He received his Ph.D. in Cybersecurity in 2007 from LETI University, St. Petersburg, Russia Federation. He has authored more than 45 scientific on (2002), a laboratory head at St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences, and a Professor with the St. Petersburg State Electrotechnical University. His aphy. He has authored or co- fic articles, books, and reports. He