In the process of constructing and developing digital signature algorithms, some scientists have proposed a research direction that combines difficult problems in number theory such as f
Trang 1MINISTRY OF EDUCATION AND TRAINING MINISTRY OF NATIONAL DEFENCE
ACADEMY OF MILITARY SCIENCE AND TECHNOLOGY
PHAM VAN HIEP
CONSTRUCTING SOME COLLECTIVE DIGITAL
SIGNATURE SCHEMAS BASED ON THE INTEGER
Trang 2This thesis has been completed at
ACADEMY OF MILITARY SCIENCE AND TECHNOLOGY
MINISTRY OF NATIONAL DEFENCE
Scientific Supervisors:
1 Dr Nguyen Huu Mong
2 Dr Ngo Trong Mai
Reviewer 1: Assoc Prof Dr Le My Tu
Academy of Cryptography Techniques
Reviewer 2: Assoc Prof Dr Đo Trung Tuan
University of Sciences - Vietnam National University, Hanoi
Reviewer 3: Assoc Prof Dr Nguyen Ngoc Hoa
University of Technology - Vietnam National University, Hanoi
The thesis will be defended in front of thesis examination Committee
at Academy of Military Science and Technology in hour on date , 2022
The thesis can be found at:
- Liblary of Academy of Military Science and Technology
- Vietnam National Liblary
Trang 3INTRODUCTION
1 The necessary of the thesis
Science and technology is developing more and more, especially in the field of Information Technology, then the application of electronic transactions on the network
is also promoted and more frequent The need for data security is always a top priority, the information must be accurate and the recipient will receive the correct data from the sender The advent of digital signatures has been meeting the requirements of certifying the origin of data information
Today, single digital signatures are being used in many fields of commerce, government, However, in online transaction where many people participating in signing the use of single signature is not suitable If using single signature of many people on a data message, the size of the signature will increase with the number of signatures Thus, collective signature is a solution for many people participating in signing Nowadays, collective signature is used in many application such as electronic voting, multi-factor authentication, broadcasting channels, etc
e-Digital signatures in general and collective digital signatures in particular are built
on a number of different cryptographic systems One of the most commonly used cryptosystems is the RSA public key cryptosystem [57] The security of the RSA cryptosystem is based on the difficulty of factoring, large integers, and the problem of
calculating the square root of e modulo n However, the RSA cryptosystem will also
be insecure when used incorrectly, the security of the RSA cryptosystem will be broken when it only needs to solve one of the factorization problems or the root problem In addition, digital signatures are also built and developed on other cryptosystems such as: Rabin cipher system, Elgamal cipher system, The security of cryptosystems is also based on the difficulty of factoring, the difficulty of the discrete logarithmic problem on finite fields, etc However, the security of signature schemes can also be broken if the parameters and secret keys are chosen inappropriately
In the process of constructing and developing digital signature algorithms, some scientists have proposed a research direction that combines difficult problems in number theory such as factorization problem, root problem, discrete logarithmic problem in order to improve the safety and performance of algorithms when applied in practice.
In addition, the current digital signature application models have allowed to meet the requirements for certifying the origin of information created by independent entities The technology infrastructure of digital authentication is the public key infrastructure with the foundation of public key cryptography and digital signatures [52] However, when the need to use collective digital signatures in many fields is
Trang 4increasing, the research and improvement of digital signature models and more suitable digital signature schemes will be of interest in the future
2 The objectives of the research
- Propose a collective digital signature model suitable to practical needs and applications, from which to construct collective digital signature schemes that meet the requirements of origin authentication and integrity
- Develop basic digital signature schemes based on difficult problems in number theory and popular digital signature standards
- Prove the safety and efficiency of the implementation of the schema
3 The object and scope of the research
- The basis of RSA public-key cryptosystems, Elgamal cryptosystems and GOST R34.10-94 signature standard
- Difficult problems in number theory such as: factorization problem, root problem, discrete logarithmic problem
- Digital signature model and application in practice
- Digital signature schemes, collective digital signatures
4 The content of the research
- RSA, Elgamal public key cryptosystems and GOST R34.10-94 signature standard
- Construct a model of collective digital signature in combination form
- Develop basic digital signature schemes and collective digital signatures based
on the combination of factorization problems with root problems, discrete logarithmic problems to improve safety and real efficiency
5 The research method
Research and refer to scientific works and reports in the field of cryptography and digital signatures; Analyze and evaluate the safety and effectiveness of digital signature schemes
6 The scientific and practical significance
- Regarding the scientific significance: The thesis proposes to build a model of collective digital signature in combination form that meets the requirements of authentication of origin and integrity of data at all levels Propose general and basic schema types, from which to build collective digital signature schemes The proposed new schemes ensure safety, can reduce the size of digital signatures, and improve the implementation efficiency of the scheme in practical applications
- In terms of practical significance: The proposed new collective signature schemes are suitable for agencies, schools, enterprises, and convenient in storing and deploying on current network infrastructures
Trang 5CHAPTER 1 COLLECTIVE DIGITAL SIGNATURE AND SOME PROBLEMS 1.1 Digital signatures
This section presents about digital signatures, some types of attacks and breaks
of digital signature scheme, safety standards of parameters used in digital signatures, legality of digital signatures in Vietnam and the application of digital signatures in practice
1.2 Collective digital signature
Present general knowledge about collective digital signatures, components of collective digital signature scheme and collective digital signature classification
1.3 Mathematical basis used in the thesis
In this section, the thesis presents some concepts, definitions and some number theory problems related to the content of the thesis such as: factorization problem (IFP), root problem (RSAP), discrete logarithm problem (DLP)
1.4 Popular digital signature schemes and digital signature standards
Present popular digital signature schemes and digital signature standards applied
in practice such as RSA, Elgamal, GOST 34.10-94
1.5 Some issues raised and research orientation of the thesis
1.5.1 Existing problems of digital signature scheme and digital signature model
Over the years, there have been many studies on digital signature schemes built
on difficult problems such as factorization problem, discrete logarithmic problem, discrete logarithmic problem on elliptic curve Digital signature schemes have been applied in many fields to support activities of authenticaing the origin of data information in electronic transactions
However, after a while, some digital signature schemes have been proven by scientists to be unsafe, signatures can be forged Specifically in some works such as [41], [44]
In order to improve the security of digital signature schemes many scientists have proposed, building signature schemes based on a combination of difficult problems such as factorization and discrete logarithmic problems, factorization and root problems, discrete logarithmic problems and root problems
However, after a while, some signature schemes have been proven by many scientists to be insecure such as [32], [38], [42], [60], [63], [77] or the security of these schemes is based only on a difficult problem discussed in [23], [27]
Besides, when the number of electronic transactions is increasing, the issue of authentication of the origin and integrity of information at different levels but still technically guaranteed and convenient in Information transmission will be interested
by many agencies and organizations in the coming time Current models/algorithms
Trang 6such as: single-signature algorithms RSA [57], DSA [51], GOST R34.10-94 [31],
or models with multiple signature algorithms, group signatures [16], [5], [4], [48], [59] all do not mention this issue Meanwhile, such requirements are becoming increasingly necessary to ensure that the authentication of information in electronic administrative procedures is consistent with administrative procedures in real society
The issue of ensuring information security in online transactions is always a challenge for researchers As the Information Technology infrastructure is increasingly developed, it is only a matter of time before using mainframe systems to solve difficult problems in number theory Therefore, continuing to research and propose models and algorithms to ensure safety, in accordance with current practical needs, is always of interest to many researchers
1.5.2 Research orientation of the thesis
From the remaining problems as analyzed above, the Ph.D candidate gives specific research orientations as follows:
- Propose a model of collective digital signature in combination form to ensure the requirements of authentication of origin and integrity for data messages at different levels in electronic transactions, in accordance with current network infrastructure in the storage and transmission of information
- Development of digital signature schemes based on difficult problems: the basic digital signature schemes are built based on the combination of factorization problem (IFP) with root problems (RSAP) or discrete logarithm problem (DLP) to improve the safety of algorithms From the proposed combined collective digital signature model and the basic signature schemes, to develop the combined collective signature schemes suitable to current practical needs
1.6 Conclusion Chapter 1
In this chapter, the thesis has presented some concepts and terms related to digital signatures, collective digital signatures and mathematical basis for constructing digital signature schemes in the thesis The results of domestic and abroad research on the development process of collective digital signatures, outstanding problems in some digital signature schemes
The thesis gives some analysis on the security of digital signature schemes that can
be broken when the selected parameters are not reasonable, or just need to solve a difficult problem From the above analysis, the thesis gives directions for further research to improve the security of signature schemes based on the combination of difficult problems
in number theory Simultaneously, constructing and developing a model of collective digital signature in combination form suitable for transaction activities using electronic digital signatures at agencies and organizations with legal status in society
Trang 7CHAPTER 2 DEVELOPIING A COLLECTIVE DIGITAL SIGNATURE ALGORITHM BASED ON THE PROBLEMS IFP AND RSAP
2.1 Model of collective digital signature in combination form
On the basis of studying the development process of digital signatures, in order
to promote the application of collective digital signatures in practical applications and improve the safety of digital signatures, the thesis proposes a "model combined collective digital signature" The proposed model is suitable for government agencies, schools, businesses
In the proposed model, the collective signature is formed on the basis of the individual signature of the signing entity (one or a group of signing objects) and the CA's certificate In which, the CA has the role of the organization's authentication for the data message to be signed.The mechanism for forming the combined signature is illustrated in Figure 2.3
Figure 2.3 Diagram illustrating the mechanism of collective signature
Based on the proposed new model, the thesis will construct and develop collective digital signature schemes, in order to meet the needs of today's reality
2.2 Constructing signature scheme IFP-RSAP base I
In this section, the thesis proposes a method to build signature scheme IFP-RSAP base I (general form) From the general form signature scheme, it is possible to create
a new family of signature schemes similar to the Elgamal signature family built on the discrete logarithm problem
2.2.1 Steps to construct signature scheme IFP-RSAP base I
2.2.1.1 Select and compute parameters
1 Choose two distinct primes p and q
Parameters p, q can be selected according to the standard FIPS 186 – 4 [51]
Trang 82. Computer: n p q and ( ) n (p1)(q1) The value ( )n is called the Euler function
3. Choose secret key x1 between (1, )n and satisfy the condition gcd( , )x n 1 1
compute the public key y:
3.1 Choose exponent t whose values are in the range: 1 < 𝑡 < 𝜑(𝑛) and satisfy the conditions: gcd(𝑡, 𝜑(𝑛)) = 1
3.2 Parameter y can be calculated in terms of (2.1a) or (2.1b):
Or : 𝑦 = 𝑥1−𝑡 𝑚𝑜𝑑 𝑛 (2.1b)
3.3 If 𝑦 ≥ 𝜑(𝑛) or gcd(𝑦, 𝜑(𝑛)) ≠ 1 then return to step 3.1
If 𝑦 < 𝜑(𝑛) and gcd(𝑦, 𝜑(𝑛)) = 1 then finish calculating y
4. Computer: x2 y1mod(n) (2.2) Notes:
- y is public key; n, t are public parameters;
- x1, x2 are secret keys; p, q và (n)are secret parameters
2.2.1.2 Generate signature IFP-RSAP base I
Algorithm for generating signature IFP-RSAP base I
Input: n, t, x, f1, f2, f3, M – Data messages to be signed
Output: ( , )R S / ( , ) E S - Signature
1 Randomly choose a value of k in the range (1, ) n
2 The first component of the signature has two forms calculated according to the following formulas:
n k
R t mod (2.3)
)mod,
1
R M f
- f1(.): The function of M and R is in the range (1, ) n and in some specific cases
need to satisfy the condition gcd( , ) 1f n 1 for the function f1 to exist inversely for n;
- f2(.),f3(.): The function of M and R or E has a value in the range (1, 𝜑(𝑛));
- ( , )R S : Signatures created by (2.3) and (2.5);
- ( , )E S : Signatures created by (2.4) and (2.6)
2.2.1.3 Verify signature IFP-RSAP base I
Algorithm for verifying signature IFP-RSAP base I
Trang 9- ( , )R S / ( , ) E S = false: forged signature and/or M is not intact
2.2.2 The correctness of the signature scheme IFP-RSAP base I
Lemma 2.1: Let p, q be two prime numbers, n pq, ( ) (n p 1) (q 1), choose a,
b, c, x, k that satisfy the condition 1a b c, , ( )n , 1 ,x k n
If: y x a modn, Rk a modn, S k bx c modn
Then: S a R b y c modn
Theorem 2.1 The method of forming and checking signatures according to formulas
(2.3), (2.5), (2.7) and (2.8) is correct
Lemma 2.2: Let p, q be two prime numbers, n p q, ( )n (p 1) (q 1), choose
a, b, c, x, k that satisfy the condition 1a b c, , ( )n , 1 ,x k n, gcd(x,n)1
If: y xa modn, Rk a modn, S k b x c modn
Then: R b S ay cmodn
Theorem 2.2 The method of forming and checking signatures according to formulas
(2.4), (2.6), (2.9) and (2.10) is correct
2.3 Signature scheme IFP-RSAP base II
The signature scheme IFP-RSAP base II is built based on the basic IFP-RSAP schema I (general form) and is based on the difficulty of solving factorization problems
(IFP) and rooting problems on Z n (RSAP)
2.3.1 General Procedure
2.3.1.1 Selection of parameters and keys
1. Choose the pair of large prime numbers p and q Set: lplen p( ),
( )
lq len q ; lp, lq are the lengths of numbers p, q in binary bits
Computer: n p q and ( )n (p1)(q1)
Trang 10Parameters p, q can be selected according to the standard FIPS 186 – 4 [51]
2 Choose secret key x1 between (1, )n and satisfy the condition gcd( , )x n 1 1
compute the public key y:
2.1 Choose a prime t that is co-prime to n, i.e gcd(t,n) 1 2.2 Computer y x1 t modn
2.3 If y(n) or gcd(y,(n))1 then return to step 2.1
3 Computer: x2 y1 mod(n)
4 Choose a hash function H: Z h
1 ,
0 , with: hn
Hash function H(.) selectable according to FIPS 180 - 4 [50]
Notes:
- y is public key; n, t are public parameters;
- x1, x2 are secret keys; p, q và (n)are secret parameters
2.3.1.2 Generate signature IFP-RSAP base II
Algorithm for generating signature IFP-RSAP base II
Input: n, t, x 1 , x 2 , M - Data messages to be signed
Output: ( , )E S - Signature
1 Randomly choose a value of k in the range (1, )n
2 Calculate the value of R in terms of: R k t modn
3 Calculate the first component of the signature: E H(M||R) (2.12)
4 Calculate the second component of the signature: S k x1 Ex2modn (2.13)
5 Return ( , )E S
Notes:
- Operator “||” is the concatenation of two bit strings
2.3.1.3 Verify signature IFP-RSAP base II
Algorithm for verifying signature IFP-RSAP base II
Input: n, t, y,( , )E S , M
Output: ( , )E S = true / false.
1 Calculate the value of S in terms of: S S ymodn (2.14)
2 Calculate the value of R in terms of: R S t y E modn (2.15)
3 Calculate the value of E in terms of: E H(M ||R) (2.16)
4 If (E E ) Then {return true} Else {return false}
Notes:
- ( , )E S = true: valid signature, message M recognized for origin and integrity
- ( , )E S = false: signature or/and data message M is forged.
2.3.2 The correctness of the signature scheme IFP-RSAP base II
Theorem 2.3: Suppose we have parameters and keys and signature pair ( , )E S selected
and generated by the steps in the IFP-RSAP base schema II Component E is the value generated by the test algorithm according to the formula 2.16, then we have: E E
Trang 112.3.3 Security of signature scheme IFP-RSAP base II
2.3.3.1 Attack on secret key
In the base schema, the secret key of the signing object is a pair (x1,x2), the security of the scheme is completely broken when this key pair can be computed by one or more unexpected objects From the parameter and key formation algorithm in the IFP-RSAP base schema II, it is shown that to find x2, it is necessary to calculate the parameter ( ) n , that is, to solve the integer factorization problem IFP(n), and to
calculate x1, need to solve the problem RSAP(n,e) Therefore, the primary security of the underlying scheme is determined by the difficulty of solving the IFP(n) and RSAP(n, e)
problems
2.3.3.2 Signature forgery attack
From the condition of the signature checking algorithm in the proposed scheme, any pair ( , )E S will be considered a valid signature of the object that owns the public
parameters ( , , )n t y on data message M if satisfied:
From the above condition, it can be seen that, if H(.) is chosen as a highly secure
hash function (SHA 256/512, ) then the random selection of the pair ( , )E S satisfying
the above condition is not feasible in practical applications
2.3.4 Time complexity of signature scheme IFP-RSAP base II
2.3.5 Performance efficiency of signature scheme IFP-RSAP base II
2.3.5.1 The efficiency of signature scheme IFP-RSAP base II compared to the RSA scheme
Preliminary assessment of the performance of schema IFP-RSAP base II, can be based on some comparative analysis with the performance of the RSA signature scheme [57] when choosing the same set of parameters The comparison results show that, in the signing algorithm, the execution speed of schema IFP-RSAP base II and RSA can be considered to be equivalent In the checking algorithm, the basis schema has to perform more exponential operations than RSA, so the execution speed of the basic schema check algorithm is slower than that of RSA However, the security of RSA will be completely broken if an attacker only needs to solve either IFP(n) or
the security of the scheme must solve both IFP(n) and RSAP(n,e) problems
2.3.5.2 Evaluation of time complexity of signature scheme IFP-RSAP base II compared with other signature scheme
This section compares the lower time complexity of scheme IFP-RSAP base II than that of the LD15.9-01 scheme [10] The comparison results in Table 2.3 show that the total cost and time complexity for the signature generation and signature checking algorithm of scheme IFP-RSAP base II is lower than that of the scheme LD15.9-01 [10] From the above evaluations and comparisons, it shows that the scheme IFP-RSAP
Trang 12base II can continue to be researched and developed into a collective digital signature scheme, meeting the needs of practical applications
2.4 Proposal to construct collective IFP-RSAP signature scheme
The collective signature scheme is built according to the combined collective digital signature model and the digital signature scheme IFP-RSAP base II
2.4.1 Steps to implement collective IFP-RSAP signature scheme
2.4.1.1 Selection of CA's parameters and keys
Algorithm 2.1
Input: lp, lq – length (in bits) of prime numbers p, q
Output: n, t, x ca , y ca
1 Choose a pair of large primes p, q with corresponding lengths lp and lq, so
that the problem of integer factorization on Z n p q . is difficult to solve
Parameters p, q can be selected according to the standard FIPS 186 – 4 [51]
0 , với: (hn)
Hash function H(.) selectable according to FIPS 180 - 4 [50].
Notes:
- y ca is public key; n, t are public parameters;
- x ca is secret keys; p, q, (n) are secret parameters
2.4.1.2 Selection of parameters and keys of members
Trang 13- TV i = true: Signing object U i is confirmed as a member of the system
- TV i = false: U i is a mock object
2.4.1.5 Generate collective IFP-RSAP signatures
- Steps 1, 4 are performed by the signing object
- Steps 2, 3, 5, 6 and 7 performed by CA