Authentication of Concast Communication - CiteSeerX

Mohamed Al-Ibrahim (1), Hossein Ghodosi (2) and Josef Pieprzyk (3)

(1) Center for Computer Security Research, University of Wollongong, Wollongong, NSW 2522, Australia
(2) School of Information Technology, James Cook University, Townsville, Qld 4811, Australia
(3) Department of Computing, Macquarie University, Sydney, NSW 2109, Australia

Abstract. In this paper we tackle the problem of finding an efficient signature verification scheme when the number of signatures is significantly large and the verifier is relatively weak. In particular, we tackle the problem of message authentication in many-to-one communication networks known as concast communication. The paper presents three signature screening algorithms for a variant of ElGamal-type digital signatures. The cost for these schemes is n applications of hash functions, 2n modular multiplications, and n modular additions plus the verification of one digital signature, where n is the number of signatures. The paper also presents a solution to the open problem of finding a fast screening signature for non-RSA digital signature schemes.

1 Introduction

One of the greatest outcomes of the invention of public-key cryptography [10] is the digital signature. It creates a sort of digital encapsulation for the document such that any interference with either its contents or the signature has a very high probability of being detected. Because of this characteristic, the digital signature plays an important role in authentication systems. Authentication systems, however, are subject to a variety of attacks, and therefore the verification of digital signatures is a common practice. A verification of digital signature needs to apply a particular (in general, a publicly-known) algorithm. So, a digital signature scheme is a collection of two algorithms, and it must have the following properties:

1. The signing algorithm $Sig_K : \mathcal{K} \times \mathcal{M} \to$  assigns a signature  $= Sig_K(M)$, where $M \in \mathcal{M}$ is a message, $K \in \mathcal{K}$ is the secret key of the signer and  is the set of all possible values of the signatures.
2. The signing algorithm executes in polynomial time when the secret key K is known. For an opponent, who does not know the secret key, it should be computationally intractable to forge a signature, that is, to find a valid signature for a given message.
3. The verification algorithm $V_k : k \times \mathcal{M} \times$  $\to \{\text{yes}, \text{no}\}$ takes public information $k \in \mathcal{K}$ of the signer, a message $M \in \mathcal{M}$ and a given signature  $\in$  of the message M. It returns "yes" if  is the signature of the message M; otherwise it returns "no".
4. The verification algorithm, in general, is a publicly known (polynomial time) algorithm. So, anyone can use it to check whether a message M matches the signature  or not.

Several digital signature schemes, for different purposes, have been introduced in the literature of public-key cryptography. In original digital signature schemes (e.g., [16,11]), both parties of the system (the signer and the verifier) are individuals. The invention of society and group oriented cryptography [7] led to the generation and/or verification of digital signatures by a group of participants rather than individuals (see, for example, [4,8,14,19]). In almost all of these digital signature schemes, the generation/verification of a signature requires the performance of some exponentiation. Since exponentiation is a costly operation, the design of efficient digital signature schemes (from both the generation and verification points of view) was the subject of investigation by several researchers (see, for example, [13,18,9,6]). The efficiency of the system is of paramount importance when the number of verifications is considerably large (e.g., when a bank issues a large number of electronic coins and the customer wishes to verify the correctness of the coins).

1.1 Relevant Work

In our schemes, verification of a digital signature implies modular exponentiation. Thus, previous works on improving the performance of modular exponentiation [5,17] and batch verification of modular exponentiation [12,3] are highly relevant to this work. The latest work on batch verification of modular exponentiation is by Bellare et al. [3]. In their work, a batch instance consists of a sequence $(x_1, y_1), \ldots, (x_n, y_n)$, and the query is whether or not $y_i = g^{x_i}$ for all $i = 1, \ldots, n$ (where g is a primitive element in a group). Their proposed algorithms solve this problem with an error probability of $2^{-\ell}$ for a predetermined parameter $\ell$. They have also considered batch verification for the RSA signatures, where the verification relation is modular exponentiation with a common exponent. That is, given a sequence of pairs $(M_i, {}_i)$, one would like to verify the ith signature by checking that ${}_i^e = H(M_i) \bmod N$, where $H(\cdot)$ is a hash function and e, N are the RSA public key and modulus respectively. In their solution to this particular case – also called screening algorithm – the batch instance $(M_i, {}_i)$, $i = 1, 2, \ldots, n$, passes the test if

  $\left( \prod_{i=1}^{n} {}_i \right)^e = \prod_{i=1}^{n} H(M_i) \pmod N$.

It is obvious that the batch instance (M, x ), (M, x/ ) is incorrect, but passes their verification test. However, they have shown that this is not really a problem from a screening perspective, since one wants to make sure that M has been sighted by the legitimate signer, even though the signature is not correct. They have proved that if RSA is one-way, then an adversary cannot produce such a batch instance that was never signed by the signer but still passes their test. Note that, in their work [3], fast screening algorithms for other signature schemes and several other issues have been left as open problems.

1.2 Concast Scenario

Multicast is a one-to-many communication mode that has greatly interested the research community in the past few years as a tool for delivering messages to a group of recipients in an efficient way. The main benefit behind deploying multicast is that it minimizes the bandwidth utilization in the already congested network [9,1]. Multicast communication is usually not a one-way direction communication. A group of recipients, in reliable multicast applications for example, may contact the sender as a feedback acknowledgment. A wide range of many-to-one applications also includes shared-whiteboard, collaborative applications, and report-in style applications. This sort of many-to-one communication is known as concast communication.

The well known implosion problem in broadcast communication is addressed here. The problem occurs when a receiver is overwhelmed with messages from different senders and has to process them efficiently. The problem of implosion could be worse if security validation was required to authenticate a group of messages. In this case, an efficient authentication scheme is required to alleviate the burden on the receiver.

In this paper, we present different schemes that solve this problem. Our first scheme works with the help of a trusted combiner. The second scheme works with no help from a trusted party, but requires interaction between signatories. The third scheme, however, minimizes the interaction between parties in the system.

2 The Model

Given a sequence of signatures $(M_1, {}_1), \ldots, (M_n, {}_n)$, a recipient – with relatively small computing resources accessible to him – wishes to verify these signatures. The naive method is to verify each signature individually and to accept the whole set if all signatures pass the verification algorithm. Obviously, this is a very time consuming task and is not applicable for a recipient with small computing power. An alternative method could be to use the batch verification strategy, in which a randomly selected subset of signatures is verified, and, if that subset passes the verification, then we accept (with some probability) that the whole sequence will pass the verification algorithm. However, this technique might only be acceptable if there is a strong and trusted entity between the receiver and the senders.

A desirable solution could be if the verifier can perform a signature screening and accept the whole set of signatures if they pass the test. In other words, screening is the task of determining whether the signer has at some point authenticated the text $M_i$, rather than the task of checking that the particular string ${}_i$ provided is a valid signature of $M_i$. Note that the screening technique of [3] does not seem to be applicable for RSA based signatures in a concast environment. In this paper, we present a signature screening for a variant of ElGamal [11] type digital signatures.

3 Components of the System

This section considers the basic tools which we will use for the implementation of our schemes.

3.1 Communication Channel

Each signer and the verifier is connected to a common broadcast medium with the property that messages sent to the channel instantly reach every party connected to it. We assume that the broadcast channel is public, that is, everybody can listen to all information communicated via the channel, but cannot modify it. These assumptions for this model of communication channel may seem somewhat severe (i.e., does not fit the Internet or cellular network). However, the purpose of these assumptions is to focus on the proposed protocol at a high level. It is worth noting that these assumptions can be substituted with standard cryptographic techniques for achieving privacy and authenticity.

3.2 Signature Scheme

We employ a variant of ElGamal-type digital signature, which is a slightly modified version of a signature that has been used in [15]. Let p, q be large primes such that $q \mid (p - 1)$, and let $g \in Z_p = GF(p)$ be an element of order q. Let $H(\cdot)$ be an appropriate hash function that hashes messages of arbitrary length into an element of $Z_q$. Also let $x_i \in Z_q$ be the secret key and $y_i = g^{x_i} \pmod p$ be the public key associated with user $u_i$. The values p, q, g, $y_i$, and the hash function $H(\cdot)$, are the common parameters in the network.

Signature Generation: In order to sign a message $m = H(M) \in Z_q$, the signer chooses a random k and computes

  $r = m g^{-k} \pmod p$   (1)
  $s = k - r' x_i \pmod q$   (2)

where $r' = r \pmod q$.

Verification: The verifier accepts the signature (M, s, r) if the following equation holds true:

  $H(M) = g^s y_i^{r'} r \pmod p$

3.3 An Approach to Digital Multisignature

In society and group oriented cryptography it is required that a cryptographic transformation be performed by a group of participants rather than an individual. Let $U = \{u_1, \ldots, u_n\}$ be the set of all users and assume that the group policy requires that a group signature must be mutually generated by all group members. This is known as a multisignature scheme. The group signature on message $m = H(M) \in Z_q$ can be generated using the following protocol:

Signature Generation:

1. Each $u_i$ chooses a random $k_i \in Z_p$ and computes $r_i = m g^{-k_i} \pmod p$.
2. After all participants broadcast their $r_i$, every signatory calculates $r = \prod_{i=1}^{n} r_i \pmod p$.
3. Each $u_i$ ($i = 1, \ldots, n$) generates his signature as $s_i = k_i - r' x_i \pmod q$, where $r' = r \pmod q$.
4. Each $u_i$ ($i = 1, \ldots, n$) sends his partial signature $(s_i, r_i)$ of message m to the combiner (through the public channel).
5. Once all partial group signatures are received, the group signature of message m can be generated as (s, r), where

  $s = \sum_{i=1}^{n} s_i \pmod q$.

Verification: The verification of the group signature is similar to the verification of an individual signature. Note that, the secret key of the group is, in fact, $x = \sum_{i=1}^{n} x_i \pmod q$, and the public key of the group is $y = \prod_{i=1}^{n} y_i \pmod p$. The verifier accepts the signature (M, r, s) if the following equation holds true:

  $m^n = g^s y^{r'} r \pmod p$

Note that the concast scenario is different from the multisignature scheme in at least the following ways:

– In a concast environment the set of users (signatories) is not fixed.
– In a concast environment each user may sign a different message.

4 Scheme 1

This scheme utilizes a particular hash function, known as a sibling hash function [20,2]. The sibling hash function has the property that given a set of initial strings colliding with one another, it is computationally infeasible to find another string that would collide with the initial strings. The performance of this scheme also requires the employment of a trusted Concast Manager (CM) who designs the sibling hash.

Signature Generation: Let a set of n participants wish to sign their own messages. Each participant (using the public channel) sends his message to the CM, who is responsible for designing the sibling hash. After receiving all messages, CM generates the hash value of all messages and transmits it (through the public channel) to all signatories. Note that, although the messages were different, their hash values are the same, and thus, from the signature algorithm's point of view, a single message needs to be signed. That is, the problem of signing different messages has now been converted to the problem of signing a single message by a set of n participants. This is the multisignature scheme, and the protocol in Section 3.3 can be applied.

4.1 Security Issues

The security analysis of a multisignature system comprises the following:

(i) The set of partial signatures and the group signature must not give away any information about the secret keys of the users or the secret key of the group. It is not difficult to see that this requirement is satisfied in the proposed multisignature scheme.
(ii) An opponent might try to impersonate user $u_i$ and participate in the signing protocol. Since the secret key of each user has been chosen randomly and independently from the secret keys of other users, a successful attack implies that the underlying digital signature is not unforgeable.
(iii) A pair (s, r) will be accepted as the group signature on message m if it passes the signature verification test. Note that, if all partial signatures are genuine then the combined signature is a genuine signature, but the other way around is not necessarily correct. For example, in the proposed multisignature scheme every set of random values $\{(r_1, s_1), \ldots, (r_n, s_n)\}$ that satisfy

  $r = \prod_{i=1}^{n} r_i \pmod p$ and $s = \sum_{i=1}^{n} s_i \pmod q$

will generate a correct group signature. However, knowing that a group signature cannot be generated by any unauthorized set of users, generation of faulty partial signatures – that combine to a correct group signature – is only possible by the set of legitimate users.

The main drawback of this scheme is that it does not work without the help of a trusted CM. Considering the fact that agreement on who is trusted is not easily reached, cryptographic systems that rely on the use of a trusted party are not very desirable.

Remark: In multisignature schemes, if the generated group signature cannot pass the verification test, then the combiner performs partial signature verification, in order to find the malicious user. The commonly used algorithm requires the verification of all partial signatures, that is, in O(n) running time. This is a very time consuming task. In this paper, after providing necessary background information, we will present an algorithm that detects a faulty partial signature in O(log n) running time (see Section 7).

5 Scheme 2

In this scheme we omit the trusted CM. Let users $u_1, \ldots, u_n$ wish to sign the messages $m_1, \ldots, m_n$ respectively, where $m_i = H(M_i)$. We suggest the following protocol, which works in almost the same manner as multisignature schemes, although the messages are different.

Signature Generation:

1. Each $u_i$ chooses a random $k_i \in Z_p$ and computes $r_i = m_i g^{-k_i} \pmod p$.
2. After all participants broadcast their $r_i$, every signatory calculates $r = \prod_{i=1}^{n} r_i \pmod p$.
3. Each $u_i$ ($i = 1, \ldots, n$) generates his signature as $s_i = k_i - r' x_i \pmod q$, where $r' = r \pmod q$.
4. Each $u_i$ ($i = 1, \ldots, n$) sends his signature $(M_i, s_i, r_i)$ through the public channel.

Verification:

1. After receiving n signatures $(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)$, the verifier computes

  $s = \sum_{i=1}^{n} s_i \pmod q$ and $m = \prod_{i=1}^{n} H(M_i) \bmod p$

2. The verification of the combined signature (m, s, r) is the same as in the underlying signature scheme, that is, the signatures are accepted if

  $m = g^s y^{r'} r \pmod p$

5.1 Performance Issues

Given n signatures $(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)$ the scheme requires n applications of hash functions (to generate $H(M_i)$, $i = 1, \ldots, n$), n modular multiplications (to compute m), n modular multiplications (to compute r), and n modular additions (to generate s) in order to construct the combined signature (m, s, r). After having the signature (m, s, r), the verifier needs to verify a single signature as in the underlying digital signature scheme. That is, from an efficiency point of view, the cost of our scheme is n applications of hash functions, 2n modular multiplications, and n modular additions plus the verification of one digital signature.

However, from a practical point of view, the scheme still needs some interaction between the signatories. Although this is a common practice in almost all society-oriented cryptographic systems, it may not be very reasonable in a concast environment, since the signatories do not form the body of an organization. In the next scheme, we will present a protocol that works with no interaction between the signatories.

6 Scheme 3

In this section, we present a modified version of our algorithm from Scheme 2, which requires no interaction between the signatories. In this algorithm, instead of broadcasting $r_i = m_i g^{-k_i}$ by each user $u_i$ and then computing r, in the beginning of each time period, a random value R is broadcast to the network. (This value, R, plays the role of r in the previous algorithm.) The time period is chosen such that no signatory generates more than one signature in a time period. That is, all signatures generated in time period $t_j$ use a common parameter $R_j$ which is broadcast by the verifier.

Signature Generation:

1. In the beginning of time period $t_j$, the verifier broadcasts a random value $R_j \in_R Z_p$.
2. Each $u_i$ chooses a random $k_i$ and computes $r_i = m_i g^{-k_i} \pmod p$.
3. Each $u_i$ generates his signature as $s_i = k_i - R'_j x_i \pmod q$, where $R'_j = R_j \bmod q$.
4. $u_i$ sends his signature $(M_i, s_i, r_i)$ through the public channel.

Verification:

1. After receiving n signatures $(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)$ in time period j, the verifier
   – calculates $r_{n+1} = R_j \cdot (\prod_{i=1}^{n} r_i)^{-1} \bmod p$,
   – chooses a random $k_{n+1}$ and calculates $s_{n+1} = k_{n+1} - R'_j x_{n+1} \pmod q$, where $x_{n+1}$ is the secret key of the verifier.
   That is, the verifier signs a message $m_{n+1} = H(M_{n+1})$ such that $r_{n+1} = m_{n+1} g^{-k_{n+1}} \pmod p$. Note that knowing $r_{n+1}$ and $k_{n+1}$ it is easy to calculate $m_{n+1}$, although the verifier does not know (and does not need to know) the relevant message $M_{n+1}$ (since the underlying hash function is one-way).
2. The verifier computes

  $m = \prod_{i=1}^{n+1} m_i \bmod p$ and $s = \sum_{i=1}^{n+1} s_i \pmod q$

3. The combined signature (m, s, r) is accepted if

  $m = g^s y^{R'_j} R_j \pmod p$

Remark: The purpose of signing a dummy message by the verifier is to transform the verification of the signatures received into the general verification formula used in the proposed multisignature scheme. Note that, this type of signature generation is not a security problem, since the message cannot be chosen by the forgery signer. In fact, if M is chosen first then the pair (s, r) must be calculated such that $g^s y^{r'} r$ is equal to a predetermined value. Knowing the public values of g and y and choosing one of the parameters r (or s), achieving a correct result requires solving a discrete logarithm problem for the other parameter. Considering the fact that $r' = r \bmod q$, one cannot select $r'$ and s randomly and then solve the equation $r = H(M) \cdot (g^s y^{r'})^{-1}$ for calculating r.

6.1 Performance Issues

The cost of our scheme is n applications of hash functions, 2n modular multiplications, and n modular additions, plus the verification of one digital signature. The main advantage of this scheme is that there is no need for any interaction among the users. Indeed, the major shortcoming of all interactive systems is that the system must be highly synchronized. That is, for example, in signature generation applications one cannot generate his signature before all participants have broadcast their computed value ($r_i$, in our protocols).

7 Security

The main issue in security consideration of a digital signature is to determine whether an adversary, without knowing the secret key, is able to generate a signature of a message which has never been signed by the legitimate signer but passes the verification test. This is a general question, and the answer is given in the security analysis of the underlying digital signature. (Obviously, a digital signature that allows forgery will be considered completely useless.) In our signature screening algorithms, however, one would like to check whether it is possible to have a sequence of signatures that passes the test but contains fake signatures. We begin our security analysis in regard to this type of attack by the following theorem.

Theorem 1. Given a set, S, consisting of n digital signatures $(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)$ that pass our screening test, it is impossible to find two subsets A and B such that $A \cap B = \emptyset$, $S = A \cup B$, and signatures in A (or B) pass the test but signatures in B (or A) fail the test.

Proof. Without loss of generality, let $A = (M_1, s_1, r_1), \ldots, (M_\ell, s_\ell, r_\ell)$ and $B = (M_{\ell+1}, s_{\ell+1}, r_{\ell+1}), \ldots, (M_n, s_n, r_n)$, for an integer $0 \le \ell \le n$. Define

  $m_A = \prod_{i=1}^{\ell} m_i$, $s_A = \sum_{i=1}^{\ell} s_i$, $k_A = \sum_{i=1}^{\ell} k_i$, $y_A = \prod_{i=1}^{\ell} y_i$, and $r_A = \prod_{i=1}^{\ell} r_i$.

Similarly, $m_B$, $s_B$, $k_B$, $y_B$, and $r_B$ can be defined. Note that, we have $m = m_A \cdot m_B$, $s = s_A + s_B$, $k = k_A + k_B$, $y = y_A \cdot y_B$, and $r = r_A \cdot r_B$. Let the sequence of signatures in the set A pass our screening test. The sequence of signatures in A forms a combined signature $(m_A, s_A, r_A)$ such that

  $s_A = \sum_{i=1}^{\ell} s_i = k_A - r' \sum_{i=1}^{\ell} x_i \pmod q$

and thus the verification implies that the following equation must be true

  $m_A = g^{s_A} y_A^{r'} r_A \pmod p$.   (3)

On the other hand, the set of all signatures in the set S also passes the test, that is, $m = g^s y^{r'} r \pmod p$, which can be written as

  $m_A \cdot m_B = g^{s_A} \cdot g^{s_B} \cdot y_A^{r'} \cdot y_B^{r'} \cdot r_A \cdot r_B \pmod p$.   (4)

Now, dividing both sides of equation (4) by equation (3) gives

  $m_B = g^{s_B} y_B^{r'} r_B \pmod p$

which indicates that the sequence of signatures in the set B also passes the test.

An immediate consequence of Theorem 1 is that:

Theorem 2. If a set, $S = \{(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)\}$ that passes our screening test consists of some fake signatures, then the set of all fake signatures must also pass the screening test.

Proof. Split the sequence of signatures in S into two sets A and B, such that A consists of all genuine signatures but B consists of all fake signatures. Using Theorem 1, since A passes the test, B must also pass the test.

Corollary 1. Given a set S, consisting of n digital signatures $(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)$ that passes our screening test, it is impossible that S contains only one fake signature. That is, either there exists no fake signature in S or there is more than one fake signature in S.

Note that, knowing a signature (M, s, r), it is easy to form a set of fake signatures that passes the screening test. For example, in order to form a set of $\ell$ fake signatures, one can form a set of $\ell$ pairs $(s_i, r_i)$ such that $s = \sum_{i=1}^{\ell} s_i$ and $r = \prod_{i=1}^{\ell} r_i$. Clearly, this set of $\ell$ fake signatures $(M, s_1, r_1), \ldots, (M, s_\ell, r_\ell)$ passes our screening test. This is similar to the problem identified in [3]. We observe that it is not difficult to overcome this problem. In particular, it is easy to deal with this problem in the RSA type signatures of [3] (the RSA signature is deterministic and thus a message cannot have different signatures). That is, a sequence with such instances will be easily detected as faulty sequences.

However, we observe another way to create a faulty sequence of signatures that passes the screening test. The method is applicable to both our schemes and the scheme introduced in [3]. Let $(M_1, {}_1), \ldots, (M_n, {}_n)$ be a sequence of n genuine signatures. Obviously, this set passes the screening test. On the other hand, the set $(M_1, {}_{(1)}), \ldots, (M_n, {}_{(n)})$, where $(\cdot)$ is a random permutation over $\{1, 2, \ldots, n\}$, also passes the screening test. That is, no matter how secure the underlying digital signatures are, it is always possible to produce a sequence of faulty signatures (in the above manner) that passes the signature screening test. However, as mentioned in [3], this is not a security problem since these attacks do not succeed without knowing the signatures of the messages, that is, the messages must be signed by legitimate signers.

A serious threat to the scheme could be if an adversary can select messages of his own choice and then generate a (set of) signature(s) that pass(es) our screening test. The following theorem indicates the security assurance of our screening technique.

Theorem 3. Let a set, S, consist of n digital signatures $(M_i, s_i, r_i)$, $i = 1, \ldots, n$ that passes our screening test. If the underlying digital signature is secure then S does not contain a message that has never been signed by a legitimate signer.

Proof. Let $A \subseteq S$ and A consist of all messages that have never been signed by legitimate signers. Obviously, the set of all signatures in A passes the verification test and thus a set of unauthorized users can sign a message in a multisignature manner, which is not the case.

In multisignature schemes, if a set of unauthorized users tries to forge a signature, or when a malicious user tries to prevent the process of signature generation, the generated group signature is not genuine and fails to pass the verification test. The following theorem presents an efficient algorithm to detect such a faulty signature (malicious user).

Theorem 4. Let a set, S, consist of n digital signatures $(M_i, s_i, r_i)$, $i = 1, \ldots, n$ and let S fail to pass our screening test. There exists an O(log n) running time algorithm that detects a faulty signature (a malicious user).

Proof. The following algorithm, which is an instance of the binary search algorithm, works properly based on our results so far.

1. Split the set S into two subsets (with almost equal sizes) and submit one of them to the verification algorithm. If the set of signatures in this subset passes the verification test, then the other subset cannot do so (i.e. the faulty signature is in the other subset), otherwise this set contains the faulty signature.
2. Repeat step 1 on the subset that cannot pass the verification test as long as the cardinality of the set is larger than one.
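
The following Python sketch is an added example, not code from the paper: it implements Scheme 3 of Section 6 (including the verifier's dummy signature), the compensating-pair observation made earlier in this section, and the binary search of Theorem 4. The toy group, the hash encoding into 1..q-1 and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from functools import reduce
from math import isqrt

# Constructed toy group (assumption; far too small for real use):
# prime q, prime p = 2kq + 1, and g of order q in Z_p*.
def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

Q = 1_000_000_007
P = next(2 * k * Q + 1 for k in range(1, 10_000) if is_prime(2 * k * Q + 1))
G = next(x for h in range(2, 100) if (x := pow(h, (P - 1) // Q, P)) != 1)

def mulmod(values):
    return reduce(lambda a, b: a * b % P, values, 1)

def H(message: bytes) -> int:
    """Hash into 1..q-1 (toy encoding chosen so that m is never 0)."""
    return 1 + int.from_bytes(hashlib.sha256(message).digest(), "big") % (Q - 1)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(message, x, R):
    """Scheme 3 signer: r_i = m_i g^{-k_i} mod p, s_i = k_i - R'_j x_i mod q."""
    k = secrets.randbelow(Q - 1) + 1
    return message, (k - (R % Q) * x) % Q, H(message) * pow(G, -k, P) % P

def as_items(batch, public_keys):
    """Attach m_i = H(M_i) and y_i to every received triple."""
    return [(H(M), s, r, y) for (M, s, r), y in zip(batch, public_keys)]

def passes(items, R):
    """Test of equation (3) on any subset, with r' replaced by R'_j."""
    m = mulmod(m_i for m_i, _, _, _ in items)
    s = sum(s_i for _, s_i, _, _ in items) % Q
    r = mulmod(r_i for _, _, r_i, _ in items)
    y = mulmod(y_i for _, _, _, y_i in items)
    return m == pow(G, s, P) * pow(y, R % Q, P) * r % P

def screen(batch, public_keys, R, verifier_key):
    """Scheme 3 verification: add the verifier's dummy signature n+1, then
    check the single combined signature (m, s, R_j)."""
    x_v, y_v = verifier_key
    items = as_items(batch, public_keys)
    r_v = R * pow(mulmod(r for _, _, r, _ in items), -1, P) % P   # r_{n+1}
    k_v = secrets.randbelow(Q - 1) + 1
    s_v = (k_v - (R % Q) * x_v) % Q                               # s_{n+1}
    m_v = r_v * pow(G, k_v, P) % P                                # m_{n+1}
    return passes(items + [(m_v, s_v, r_v, y_v)], R)   # product of all r_i is R_j

def find_faulty(batch, public_keys, R):
    """Theorem 4: for a batch that fails screening, return the index of one
    faulty signature using O(log n) subset tests."""
    items = as_items(batch, public_keys)
    lo, hi = 0, len(items)            # invariant: items[lo:hi] fails the test
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if passes(items[lo:mid], R):
            lo = mid                  # first half passes: fault is in the second
        else:
            hi = mid                  # first half fails: it contains a fault
    return lo

def compensate(batch, i, j, delta):
    """Section 7 caveat: move delta from s_j to s_i; the sum s is unchanged."""
    out = list(batch)
    (M_i, s_i, r_i), (M_j, s_j, r_j) = batch[i], batch[j]
    out[i], out[j] = (M_i, (s_i + delta) % Q, r_i), (M_j, (s_j - delta) % Q, r_j)
    return out

def demo(n=8, bad=5):
    keys = [keygen() for _ in range(n)]
    ys = [y for _, y in keys]
    verifier_key = keygen()
    R = secrets.randbelow(P - 1) + 1              # R_j for this time period
    batch = [sign(b"ack %d" % i, x, R) for i, (x, _) in enumerate(keys)]  # constructed
    _, s, r = batch[bad]
    tampered = batch[:bad] + [(b"never signed", s, r)] + batch[bad + 1:]
    shifted = compensate(batch, 0, 1, 7)
    return (screen(batch, ys, R, verifier_key),       # genuine batch accepted
            screen(tampered, ys, R, verifier_key),    # unsigned message rejected
            find_faulty(tampered, ys, R),             # index of the faulty triple
            screen(shifted, ys, R, verifier_key),     # compensating pair accepted
            passes(as_items(shifted, ys)[:1], R))     # yet triple 0 alone fails

if __name__ == "__main__":
    print(demo())
```

The last two results show what screening does and does not establish: every message in the accepted batch was signed, but an individual triple in it need not verify on its own, so a consumer that needs per-signature validity must still check triples individually.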

8 Fast Screening for a Non-RSA Signature Scheme

In [3], finding fast screening algorithms for signature schemes other than RSA has been left as an open problem. That is, instead of n signatories, a signer generates a large number of signatures and a receiver wishes to verify all these signatures (e.g., when a bank issues a large number of electronic coins and the customer wishes to verify the correctness of coins). We observe that this problem can be solved as a special case in our proposed schemes. In ElGamal-type signatures, however, the signer must use a fresh random number for every signature; otherwise, it compromises the secrecy of the secret key of the signer. Hence, performance of the proposed schemes, which use a common random number in the generation of n different messages in a concast environment, is not acceptable in this case. In order to avoid this problem, the signer needs to follow the original signature scheme (see Section 3.2).

Signature Generation: Let x and $y = g^x$ be the secret and public keys of the signer respectively. Also, let $m_i$ ($i = 1, \ldots, n$) be the hash values (or any other encoding) of messages $M_1, \ldots, M_n$. In order to sign $m_i$, the signer performs the following steps:

1. generates a random $k_i$ and computes $r_i = m_i g^{k_i} \pmod p$.
2. generates a signature on message $m_i$ as $s_i = k_i - r'_i x \pmod q$, where $r'_i = r_i \bmod q$.
3. sends all signatures $(M_i, s_i, r_i)$ to the receiver.

Verification:

1. After receiving n signatures $(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)$, the verifier calculates

  $r = \prod_{i=1}^{n} r_i \pmod p$, $m = \prod_{i=1}^{n} m_i \pmod p$, and $s = \sum_{i=1}^{n} s_i \pmod q$

2. The verification of the combined signature (m, s, r) is the same as in the underlying signature scheme, that is, the signatures are accepted if

  $m = g^s y^{r'} r \pmod p$

References

1. M. Al-Ibrahim and J. Pieprzyk, "Authenticating Multicast Streams in Lossy Channels Using Threshold Techniques," in Networking – ICN 2001, First International Conference, Colmar, France, Lecture Notes in Computer Science, vol. 2094, P. Lorenz (ed.), pp. 239–249, 2001.
2. M. Al-Ibrahim and J. Pieprzyk, "Authenticating of Transit Flows and K-Siblings One Time Signature," in Advanced Communications and Multimedia Security, B. Jerman-Blazic and T. Klobucar (eds.), pp. 41–55, Kluwer Academic Publisher, CMS'02, Portorz - Slovenia, September 2002.
3. M. Bellare, J. Garay, and T. Rabin, "Fast Batch Verification for Modular Exponentiation and Digital Signatures," in Advances in Cryptology - Proceedings of EUROCRYPT '98 (K. Nyberg, ed.), vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag, 1998.
4. C. Boyd, "Digital Multisignatures," in Cryptography and Coding (H. Beker and F. Piper, eds.), pp. 241–246, Clarendon Press, 1989.
5. E. Brickell, D. Gordon, K. McCurley, and D. Wilson, "Fast Exponentiation with Precomputation," in Advances in Cryptology - Proceedings of EUROCRYPT '92 (R. Rueppel, ed.), vol. 658 of Lecture Notes in Computer Science, Springer-Verlag, 1993.
6. R. Cramer and I. Damgard, "New Generation of Secure and Practical RSA-Based Signatures," in Advances in Cryptology - Proceedings of CRYPTO '96 (N. Koblitz, ed.), vol. 1109 of Lecture Notes in Computer Science, pp. 173–185, Springer-Verlag, 1996.
7. Y. Desmedt, "Society and group oriented cryptography: a new concept," in Advances in Cryptology - Proceedings of CRYPTO '87 (C. Pomerance, ed.), vol. 293 of Lecture Notes in Computer Science, pp. 120–127, Springer-Verlag, 1988.
8. Y. Desmedt and Y. Frankel, "Shared generation of authenticators and signatures," in Advances in Cryptology - Proceedings of CRYPTO '91 (J. Feigenbaum, ed.), vol. 576 of Lecture Notes in Computer Science, pp. 457–469, Springer-Verlag, 1992.
9. Y. Desmedt, Y. Frankel, and M. Yung, "Multi-receiver/Multi-sender network security: Efficient authenticated multicast/feedback," IEEE Infocom '92, pp. 2045–2054, 1992.
10. W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Trans. on Inform. Theory, vol. IT-22, pp. 644–654, Nov. 1976.
11. T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Trans. on Inform. Theory, vol. IT-31, pp. 469–472, July 1985.
12. A. Fiat, "Batch RSA," Journal of Cryptology, vol. 10, no. 2, pp. 75–88, 1997.
13. A. Fiat and A. Shamir, "How To Prove Yourself: Practical Solutions to Identification and Signature Problems," in Advances in Cryptology - Proceedings of CRYPTO '86 (A. Odlyzko, ed.), vol. 263 of Lecture Notes in Computer Science, pp. 186–194, Springer-Verlag, 1987.
14. L. Harn, "Group-oriented (t, n) threshold digital signature scheme and digital multisignature," IEE Proc.-Comput. Digit. Tech., vol. 141, pp. 307–313, Sept. 1994.
15. K. Nyberg and R. Rueppel, "Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem," Designs, Codes and Cryptography, vol. 7, pp. 61–81, 1996. Also, Advances in Cryptology - Proceedings of EUROCRYPT '94, vol. 950 of Lecture Notes in Computer Science, pp. 182–193.
16. R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, vol. 21, pp. 120–126, Feb. 1978.
17. P. D. Rooij, "Efficient Exponentiation using Precomputation and Vector Addition Chains," in Advances in Cryptology - Proceedings of EUROCRYPT '94 (A. Santis, ed.), vol. 950 of Lecture Notes in Computer Science, Springer-Verlag, 1994.
18. C. Schnorr, "Efficient Signature Generation by Smart Cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.
19. M. De Soete, J.-J. Quisquater, and K. Vedder, "A signature with shared verification scheme," in Advances in Cryptology - Proceedings of CRYPTO '89 (J. Brassard, ed.), vol. 435 of Lecture Notes in Computer Science, pp. 253–262, Springer-Verlag, 1990.
20. Y. Zheng, T. Hardjono, and J. Pieprzyk, "The Sibling Intractable Function Family (SIFF): Notion, Construction and Applications," IEICE Trans. Fundamentals, vol. E76-A, pp. 4–13, Jan. 1993.