3. Proposed Approach
In this paper, a new RSA-based undeniable signatures approach for a group is proposed. A group member can sign a document on behalf of the group without revealing the identity of the actual signer. The group secret key is split into two parts by Group Manager, one part is provided, as his group membership secret, to the group member; and the other part is provided to a trusted security mediator, SM. In our scheme, it is ensured that the group public key size and the group signature length are independent of the group size and, therefore, remain constant. The group signature is realized by the collaboration of the group member and the SM. Neither of the two can produce a ...view middle of the document...
But in our scheme neither the SM nor group member(s) is able to factor the modulus and compute the private key corresponding to group public key. So the scheme allows sharing of common modulus. However, a user-SM coalition can totally break the signature scheme. Therefore, SM must be assumed to be completely trusted party.
4. The Proposed Scheme
Assumption: All the internal communications are secure. A • B denotes A multiply B.
Step 1. Setup:
GM generates two large random prime numbers, P & Q. He then computes N = P × Q and Φ(N) = (P-1) × (Q-1). The parameters D, E ∈ Z*N are selected such that DE≡ 1 mod Φ(N).
SM also generates two large random prime numbers, p & q and computes n = p × q, where n < N, and Φ(n) = (p-1) × (q-1). The parameters d, e ∈ Z*n are selected such that de≡ 1 mod Φ(n).
SM also selects a generator g ∈ Z*n, g ≠ 1, and a parameter y = gd (mod n) is computed.
The group public keys are (N, E) and (n, g, y), while D and (d, e) are kept secret by GM and SM, respectively.
Step 2. Join:
Suppose that a member Ui wants to join the group. GM chooses a random number Xi ∈R Z*N and computes Yi= (D– Xi) (mod Φ(N)). Xi is sent to Ui and (Yi, Ui) is sent to SM.
After the join protocol, Ui becomes a valid member of the group with Xi as his group membership secret key. Following conditions must be met while generating the members’ secret keys:
• Xi ≠ Xj for each i ≠ j.
• X1 + X2 + …+ Xk ≠ D (mod Φ(N)) for any positive integer k.
• X1 + X2 + …+ Xi ≠ Xj (mod Φ(N)) for any positive integers i and j.
It is to be noted that Xi is the partial secret key of the member Ui and Yi is the partial secret key of SM.
Step 3. Sign:
The group signature on message M is generated by the collaboration between Ui and SM as:
Ui computes m= H(M).
Ui→ SM: (m, Ui).
SM checks that Ui’s membership has not been revoked. He then stores (Ui, m) and computes A = md (mod n) and partial group signature, B = AYi...