Efficient Identification of Bad Signatures in RSA ... - IEICE Transactions

IEICE TRANS. FUNDAMENTALS, VOL.E89–A, NO.1 JANUARY 2006

74

PAPER

Special Section on Cryptography and Information Security

Efficient Identification of Bad Signatures in RSA-Type Batch Signature Seungwon LEE†a) , Nonmember, Seongje CHO††b) , Member, Jongmoo CHOI††c) , Nonmember, and Yookun CHO†d) , Member

SUMMARY As the use of electronic voting systems and e-commerce systems increases, the efficient batch verification of digital signatures becomes more and more important. In this paper, we first propose a new method to identify bad signatures in batches efficiently for the case when the batch contains one bad signature. The method can find out the bad signature using smaller number of modular multiplications than the existing method. We also propose an extension to the proposed method to find out two or more bad signatures in a batch instance. Experimental results show that our method yields better performance than the existing method in terms of the number of modular multiplications. key words: batch verification, batch identification, RSA

1.

Introduction

The expanding use of e-commerce has raised the need for digital signatures. For example, geographically distributed merchants and consumers should belong to a single realm of trust in web-based commerce. By employing digital signatures, they guarantee authentication, integrity, and nonrepudiation for each transaction. To implement digital signatures, we need signing and verification algorithms. While the signing algorithm is executed once by the one holding a secret-key, the verification algorithm may be executed many times by anyone holding the corresponding public-key. A growing usage of digital signatures for electronic payment systems and electronic voting systems stresses the need for streamlining of the signature verification. Therefore, verification is a very important factor in the performance of a system that uses a digital signature. In such environment, verifying multiple digital signatures simultaneously instead of verifying each digital signature individually is an attractive approach. Much work has been conducted to verify multiple signatures in batches [1]–[6]. Among them, Bellare et al. have suggested the generic test for fast verification of digital signatures in batches [1]. If a batch instance, or a collection of signatures, passes the generic test, it means that there are no Manuscript received March 24, 2005. Manuscript revised June 17, 2005. Final manuscript received August 19, 2005. † The authors are with the School of Computer Science and Engineering, Seoul National University, Seoul, 151-742 Korea. †† The authors are with the Division of Information and Computer Science, Dankook University, Seoul, 140-714 Korea. a) E-mail: [email protected] b) E-mail: [email protected] c) E-mail: [email protected] d) E-mail: [email protected] DOI: 10.1093/ietfec/e89–a.1.74

bad signatures so that the verifier can accept all the signatures as valid. Otherwise, there are some invalid signatures in the batch instance. Some invalid signatures in a batch instance incur another problem of identifying which ones are bad in a batch instance. Several methods have been proposed to identify the bad signatures efficiently. One method referred to as divide-and-conquer verifier, is to take a contaminated batch, split it into subsets and apply the generic test to each subset repeatedly until all bad signatures are identified. Another method referred to as Hamming Code Verifier is to look for the location of a bad signature in a batch instance when there is only one bad signature. Hamming Code verifier is to create subsets according to a parity check matrix based Hamming Codes. Then it applies the generic test to each subset and finds out the position of the bad signature [7]. In this paper, we propose a new method for identifying bad signatures efficiently in a batch instance. Our method can identify which signature is a bad one under the condition that there is only one bad signature in a batch instance. The method can tell where the bad signature is in a batch without applying divide-and-conquer approach. When there are multiple bad signatures in a batch, we adopt the divide-andconquer approach. But the number of divided sub-instances is much smaller than that of the existing method. Performance evaluation results show that our method reduces the number of generic tests invoked significantly, and outperforms conventional methods in terms of the number of modular multiplication operations. The rest of the paper is organized as follows. Section 2 gives an introduction on the prior methods to identify bad signatures in batches. In Sect. 3, we propose a new method for identifying a bad signature efficiently. Section 4 compares our method with the previous method in the number of generic tests invoked and the number of modular multiplications. The paper concludes in Sect. 5. 2.

Related Work

Digital signatures can be classified as either DSA-type signatures or RSA-type signatures [7]. In this paper, we consider only RSA-type signatures. In a RSA-type signature scheme with a message m and its signature s, the following equation must hold. m ≡ se mod N

c 2006 The Institute of Electronics, Information and Communication Engineers Copyright 

(1)

LEE et al.: EFFICIENT IDENTIFICATION OF BAD SIGNATURES IN RSA-TYPE BATCH SIGNATURE

75

In the equation, e is a relative prime to (p − 1) × (q − 1) and N is p × q where p and q are large prime numbers. A batch instance x = ((m1 , s1 ), (m2 , s2 ), · · · , (mn , sn )) with n signatures can be verified by checking if it satisfies the following equation.  n e n

 mi ≡  si  mod N (2) i=1

i=1

In the equation, mi is a message and si is mi ’s signature. When all of the signatures s1 , s2 , · · · , sn in x are valid, Eq. (2) is satisfied [6], [7]. However, even though it is rare, there is a possibility that two or more bad signatures in a batch instance affect mutually and make a side effect that Eq. (2) is satisfied. To decrease the possibility, Bellare et al. presented batch verification tests [1]. These batch verification tests, denominated as GT (Generic Test) in previous study [7], make use of a probabilistic algorithm and is defined as follows: Definition 1 (GT (x, n)): Given a batch instance x = ((m1 , s1 ), (m2 , s2 ), · · · , (mn−1 , sn−1 ), (mn , sn )) and security parameter l. The GT (x, n) takes x and i) returns “true” whenever all signatures are valid. The test never makes mistakes for this case. ii) returns “false” whenever there is at least one bad signature. In this case the test makes mistakes with probability 2−l . To implement GT , the Random Subset Test and the Small Exponents Test were proposed in the previous study [8]. The two batch verification tests are described in Fig. 1. By applying GT , we can decide whether the batch instance contains bad signatures or not. Consider the case when GT fails (i.e. GT (x, n) = “false”). This means that there is at least one bad signature in a batch instance. However, GT does not provide any information about the number of the bad signatures and each location of them. Therefore, the verifier is faced with another problem of identifying bad signatures. To handle this problem, identification of bad signatures can be performed by so called Divide-and-Conquer verifier (DCVα ) which is defined as follows: GIVEN : ((m1 , s1 ), (m2 , s2 ), · · · , (mn , sn )) and a security parameter l. Random Subset (RS) Test : Repeat the following atomic test, independently l times, and returns “true” if all sub-tests return “true”: i) ii) iii) iv)

For each i = 1, . . . , n pick bi ∈ {0, 1} at random Let S = {i : bi = 1}   Compute m = i∈S mi and s = i∈S si e If m ≡ s mod N then return “true,” else return “false.”

Small Exponents (SE) Test : i) Pick h1 , . . . , hn ∈ {0, 1}l at random   ii) Compute m = ni=1 mi hi and s = ni=1 si hi e iii) If m ≡ s mod N then return “true,” else return “false.” Fig. 1

Batch verification tests for RS A.

Definition 2 (DCVα (x, n)): Given a batch instance x = ((m1 , s1 ), · · · , (mn , sn )). i) If n=1, then run GT (x, 1). If GT (x, 1) is “true,” return “true” and exit. Otherwise return x as a bad signature. ii) If n
1, then run GT (x, n). If GT (x, n) is “true,” return “true” and exit. Otherwise go to the step iii). iii) Divide instance x into α batch instances (x1 , x2 , · · · , xα ) containing αn signatures each. Apply DCVα to α subinstance each, i.e. DCVα (x1 , αn ), · · ·, DCVα (xα , αn ). If all signatures in a batch instance are valid, then DCVα returns “true.” Otherwise, DCVα returns a sequence of signatures as bad signatures in a batch instance. 3.

Proposed Method

We propose a new method for identifying bad signatures efficiently in a batch instance. Our method can not only detect the existence of bad signatures but also identify the position of bad signatures in a batch instance. We first present a basic method that works for the case when only one bad signature exists in a batch instance. Next, we enhance the basic method using a divide-and-conquer approach that works for the case when multiple bad signatures exist. Our basic method, denominated as DBIbasic (Division Based Identifier Basic), returns “true” when all signatures are valid. DBIbasic returns an integer as the index of a bad signature when only a bad signature exists in a batch instance and it returns “false” when two or more bad signatures exist. DBIbasic defined as follows: Definition 3 (DBIbasic (x, n)): Given a batch instance x = ((m1 , s1 ), (m2 , s2 ), · · · , (mn−1 , sn−1 ), (mn , sn )) of length n. DBIbasic tries to i) Apply GT to the given batch instance. If GT (x, n) is “true,” return “true” and exit. Otherwise, go to the next step.   ii) Compute ni=1 mi i mod N and ni=1 si i mod N. Then, n i e compute ( i=1 si ) modN. iii) Find an integer k which satisfies the following equation where 1 ≤ k ≤ n. 

n ( i=1 si )e k ( ni=1 si i )e n ≡ n mod N (3) i i=1 mi i=1 mi If an integer k exists, go to the next step. Otherwise, return “false” and exit. iv) Apply GT to the given instance without the k-th signature x = ((m1 , s1 ), · · · , (mk−1 , sk−1 ), (mk+1 , sk+1 ), · · · , (mn , sn )). If GT (x , n − 1) is “true,” return k as the index of the bad signature. Otherwise, return “false” and exit. The main parts of DBIbasic are step ii) and iii), that is Eq. (3). We will elaborate what Eq. (3) implies in Theorem 1. Note that step iv) in Definition 3 is carried out to confirm that k is actually the position of the bad signature. In fact, this step is not required when there is only one bad signature in a batch instance. This is required because the k could not be

IEICE TRANS. FUNDAMENTALS, VOL.E89–A, NO.1 JANUARY 2006

76

the index of a bad signature when there are two or more bad signatures. Theorem 1: Given a batch instance of length n which has one bad signature. If an integer k (1 ≤ k ≤ n) satisfies Eq. (3), then (mk , sk ) is the bad signature in the batch instance. Proof: Assuming that the j-th signature s j is invalid in a batch instance x. Since all signatures except (m j , sj ) satisfies  (

n

s )e

(

n

s i )e

i i and i=1 Eq. (1), we can reduce the fractions ( i=1 n n i ) to i=1 mi i=1 mi their lowest terms as follows:  (s j )e ( ni=1 si )e (s1 )e (s2 )e (sn )e n ≡ · ··· ··· m1 m2 mj mn i=1 mi e (s j ) ≡ mod N mj  (s j ) je ( ni=1 si i )e (s1 )e (s2 )2e (sn )ne n ≡ · · · · · · · i m1 mj j (mn )n m2 2 i=1 mi

≡

(s j ) je mod N. (m j ) j

By substituting

s je mj

and

(s j e ) j (m j ) j

for

(

n si )e i=1 n i=1 mi

and

in Eq. (3) respectively, we can derive the equation

n si i )e i=1 n i i=1 mi  e k sj ≡ mj (

(s j e ) j . (m j ) j

This implies that k is equal to j, which is the index of the bad signature. The DBIbasic invokes GT only twice when there is one bad signature, while the previous method DCVα invokes GT αlogα n + 1 times [7]. However, there is a trade-off that DBIbasic needs some additional overheads to figure out an integer k from Eq. (3). These overheads is not incurred in DCVα . In the next section, we will discuss how these overheads are compared with the overhead of GT . Suppose there are multiple bad signatures in a batch instance. To find the multiple bad signatures efficiently, we extend DBIbasic to DBIα using divide-and-conquer approach. We define DBIα as follows: Definition 4 (DBIα (x, n)): Given a batch instance x = ((m1 , s1 ), (m2 , s2 ), · · · , (mn−1 , sn−1 ), (mn , sn )) of length n. DBIα tries to i) In case n=1, run GT (x, 1). If GT (x, 1) is “true,” return “true” and exit. Otherwise return x as a bad signature. ii) In case n=2 such that x = ((m1 , s1 ), (m2 , s2 )), run GT (x, 2). ii-1) If GT (x, 2) is “true,” return “true” and exit. ii-2) Otherwise, compute (s1 s22 )e and find an integer k which satisfies

k (s1 s22 )e (s1 s2 )e ≡ mod N m1 m2 m1 m22 for 1 ≤ k ≤ 2. If k is 1, then return s1 as a bad signature and exit. If k is 2, then return s2 as bad one and exit. Otherwise, return {s1 , s2 } as the bad signatures and exit.

iii) In case n > 2, run GT (x, n). If GT (x, n) is “true,” return “true” and exit. Otherwise, go tothe next step. iv) Compute ni=1 mi i mod N and ni=1 si i mod N. Then, compute ( ni=1 si i )e mod N. v) Find an integer k which satisfies Eq. (3) where 1 ≤ k ≤ n. If the integer k exist, go to the next step. Otherwise, go to the step vii). vi) Apply GT on the given instance without the k-th signature, x = ((m1 , s1 ), · · · , (mk−1 , sk−1 ), (mk+1 , sk+1 ), · · · , (mn , sn )). If GT (x , n − 1) is “true,” return k as the index of the bad signature and exit. Otherwise, go to the next step. vii) Divide x into α batch instances (x1 , x2 , · · · , xα ) containing αn signatures each. Apply DBIα to each α sub instance, i.e. DBIα (x1 , αn ), · · ·, DBIα (xα , αn ). If there is no bad signature in a batch instance, then DBIα returns “true.” Otherwise, DBIα returns a sequence of integers as indexes of bad signatures in a batch instance. Note that the steps from iii) to vi) are similar to the steps of the DBIbasic . Also, The steps i) and vii) are adopted from the divide-and-conquer approach. Finally, note that the steps ii) is for the special case of DBIbasic when n is 2. We consider the case separately since our method can identify bad signatures without the divide-and-conquer while the previous method DCVα can not. 4.

Performance Analysis

In this section, we evaluate the performance of the proposed method. First, we compute both the maximum number and the average number of GT s that is invoked in DBIα , and compare the results of DBIα with those of DCVα . In the previous method DCVα , the analytic results have been reported only when α is two (the method is referred to as DCV2 ), and both the number of bad signatures and the size of batch instance are powers of two [7].Note that the cost of GT depends on n and l which are the number of signatures and security parameter respectively. To compare DBIα and DCVα , we analyze the performance with the same conditions proposed by Pastuszak et al. [7]. Then, we perform some simulations to compare DBIα and DCVα with various parameters. We show the simulation results for various values of the number of divided subinstances, the number of bad signatures and the size of batch instance. Finally, we compare the experimental results of two methods in terms of the number of modular multiplications. 4.1 Number of GT s Invoked : Analytic Results We first consider the case when α is two, that is DCV2 and DBI2 . Let Nmax (n, t) be the maximum number of GT s invoked to identify all t bad signatures out of total n signatures. When there is one bad signature in a batch instance, DBI2 can identify the bad signature by invoking GT twice, i.e. Nmax (n, 1) = 2.

LEE et al.: EFFICIENT IDENTIFICATION OF BAD SIGNATURES IN RSA-TYPE BATCH SIGNATURE

77

When there are two bad signatures in a batch instance, the worst scenario is that the two bad signatures belong to the same sub-instance continuously until each sub-instance contains only two signatures. In the scenario, the division in the step vii) in Definition 4 is executed by (log2 n − 1) times and GT is invoked 2 times at each division (one for the left sub-instance and the other for the right sub-instance). Then GT is invoked once additionally at the outset. So, we obtain that in the worst scenario the maximum number of GT s invoked by DBI2 is Nmax (n, 2) = 2log2 n−1. Note that the number of GT s invoked by DCV2 in the worst scenario for DBI2 is 2log2 n + 1. If there are more than two bad signatures in a batch instance, the estimation of Nmax (n, t) can be carried out as follows. We assume t is powers of two, that is t = 2r , likely as [7]. In the DBI2 , the worst case occurs when all subinstances contain precisely two bad signatures after the (r − 1)-th recursive step. In the case, DBI2 should invoke GT s (2r−1 − 1) times. So, we obtain that  n Nmax (n, 2r ) = 2r−1 − 1 + 2r−1 × Nmax r−1 , 2 . 2 We can identify two bad signatures in each sub-instance of n by calling GT 2(log2 n − r) + 1 times. Therefore, size 2r−1 we obtain that Nmax (n, 2r ) = 2r (log2 n − r + 1) − 1.

(4)

The worst scenario of DCV2 is that all sub-instances contain precisely one bad signature, which differs from that of DBI2 . The maximum number of GT s invoked by DCV2 under the worst scenario is 2r+1 (log2 n − r + 1) − 1 [7]. Now, we compute the average number of GT s invoked in DBI2 by applying the same approach used in [7]. We denote by Navg (t, n) the average number of GT s invoked to identify t bad signatures out of total n signatures. As the DBI2 is probabilistic in its nature, the number Navg (t, n) is in fact a random variable. So we derive the probability distribution for the variable Navg (t, n) to estimate the average number. Assume n = 2q which is the same condition as [7]. When t = 1, the DBI2 calls GT twice, i.e. Navg (1, n) = 2. When t = 2, the random variable Navg (2, n) can be expressed by variables Navg (2, n2 ) and Navg (1, n2 ) according to the following equation:

1 + 2Navg (1, n2 ) with p1,0 Navg (2, n) = 2 + Navg (2, n2 ) with p2,0 where p1,0 is the probability that the initial batch instance is split into two sub-instances containing one bad signature each and p2,0 is the probability that two bad signatures are contained within the same sub-instance. The above term, Navg (2, n2 ), can be expressed as follows:  n    with p1,1 1 + 2N  n  avg 1, 2    2 Navg 2, =   n  2   with p2,1  2 + Navg 2, 2 2

where p1,1 is the probability that the batch instance is split into two sub-instances containing one bad signature each at the first phase, while p2,1 is 1 − p1,1 . Finally, we can generalize as   n    1, with p1,i 1 + 2N avg   n  2i+1 Navg (2, i ) =    n  2   with p2,i  2 + Navg 2, i+1 2 where i = 2, . . . , q − 1. Assume that, at the j-th phase, two bad signatures clustered together in a single instance have been split into two different sub-instances. This means that the bad signatures are placed in the same instance j times in a row. Therefore, we can reduce the above equation as  n Navg (2, n)( j) = 2 j + 1 + 2Navg 1, j+1 = 2 j + 5 2 where j = 0, 1, . . . , q − 1. Now we calculate the probability p1,i and p2,i . The p1,i n is the probability that we choose a sub-instance of 2i+1 −1 valid signatures and one bad signature from the batch instance of 2ni signatures ( 2ni − 2 valid signatures and 2 bad signatures). The probability can be calculated by using the hypergeometric distribution [9]. So, the probability p1,i and p2,i can be written as follows: 2 n −2  p1,i =

1



2i n 2i+1 n 2i n 2i+1

−1



p2,i = 1 − p1,i =

=

n 2(n − 2i )

n − 2i+1 2(n − 2i )

where i = 0, 1, . . . , q − 1. Therefore, the probability that two bad signatures are splitting into different sub-instance at the n 1 . Finally, j-th phase is p2,0 × p2,1 × · · ·× p2, j−1 × p1, j = n−1 2 j+1 we have the probability distribution of Navg (2, n) as follows: P(Navg (2, n) = 2 j + 5) =

1 n n − 1 2 j+1

(5)

for j = 0, 1, . . . , q − 1 and n = 2q . Note that the probability distribution of Navg (2, n) in DCV2 is as follows [7]: P(Navg (2, n) = 4q − 2 j − 1) =

1 n n − 1 2 j+1

for j = 0, 1, . . . , q − 1 and n = 2q . The above equations are probability distributions for the number of GT s invoked to identify bad signature(s) when t = 2. Since we know the probability distribution, we can find out the average number of GT s by multiplying the expected value and its probability. We can derive the probability distributions for Navg (t, n) when t ≥ 3 and analytically compute the average number of GT s when t = 3, 4, . . . , n in the similar manner. However, we will not present the detailed analysis. Instead we show the estimated value of the average number of GT s invoked using a computer simulation. The simulation results are shown in the next section.

IEICE TRANS. FUNDAMENTALS, VOL.E89–A, NO.1 JANUARY 2006

78

Fig. 2

The average number of GT s invoked in DBI2 and DCV2 .

4.2 Number of GT s Invoked : Simulation Results We built a simulator for the DBI2 and the DCV2 . Then, based on a synthetic workload which contains t bad signatures out of n signatures, we have measured the average number of GT s invoked in each method. Our simulation results of DCV2 are identical to those of DCV2 reported in [7]. The results are shown in Fig. 2. In the figure, X-axis is the number of bad signatures and Y-axis is the average number of GT s invoked, while n is the total number of signatures considered. The values reported here are the average of 10000-th trials. From the results, we can find out that the DBI2 method shows better performance than the DCV2 method. As n and t increase, the performance gap also increases. This implies that the proposed DBI2 is more efficient with the large number of signatures in batches. We have also evaluated the performance of DBIα and DCVα when α ≥ 2. The simulation results are shown in Fig. 3 where n is fixed to 4096 while t and α are ranged from 1 to 32 and from 2 to 16 respectively. The results show that DBIα performs better than DCVα for all cases of α considered. Also, we can see that DBI2 and DBI4 show similar performance each other, while DBI8 and DBI16 show worse performance than the formers. The results imply that the larger α increases the number of sub-instances, which makes more invocations of GT s. These results are observed in DCVα too. 4.3 Number of Modular Multiplications There are two performance implications in the proposed DBI2 . In Fig. 2, the DBI2 reduces significantly the number of GT s compared with the DCV2 . However, another factor has to be considered to evaluate the overall performance. That is, the DBI2 causes some additional overhead to solve Eq. (3) which is not incurred in the previous DCV2 . Consequently, to compare the DBI2 with the DCV2 thoroughly,

Fig. 3 The average number of GT s invoked in DBIα and DCVα when n = 4096.

it is necessary to measure the performance of each method in terms of the number of modular multiplications. To do so, we convert the additional overhead into the number of modular multiplications. The additional overhead of DBI2 is incurred in the step iv) and v) of Definition 4.  In the step iv) of Definition 4, we can get ni=1 mi i  and ni=1 si i duringn modular multiplications. Specifically,  while computing ni=1 mi and ni=1 si in step iii),we can obtain the intermediate values such as mn , mn mn−1 , · · · , mn mn−1 · · · m2 m1 and sn , sn sn−1 , · · · , sn sn−1 · · · s2 s1 . Then by multiplying all the intermediate values of ni=1 mi like as (mn × mn mn−1 × · · · × mn m n−1 · · · m2 m1 ) and multiplying all the intermediate values of ni=1si like as (sn × sn sn−1 × · · · × sn sn−1 · · · s2 s1 ), we can obtain ni=1 mi i and ni=1 si i . Now consider the overhead incurred in step v). Let g   ( ni=1 si )e ( ni=1 si i )e   denote n mi and h denote n mi i . Then Eq. (3) can be i=1

i=1

abbreviated as gk ≡ h mod N. This problem is a kind of the discrete logarithm problem (DLP) [10], [11]. It is generally known that there is no polynomial time algorithm to solve the DLP. However, the proposed DBI2 is in a restricted domain of DLP, that is, k lies in the certain interval of integer, say [1,n]. Some efficient algorithms have been proposed for this case. To solve DBI2 efficiently, we employ Shanks’ baby-step√giant-step algorithm [12] which √ can compute k in at most 2 n modular multiplications (3 n/2 on the average case) [11]. As a result, DBI2 requires one modular exponen√ tiation and 2n+3 n/2 modular multiplications additionally. Next, we convert the computational cost of GT into the number of modular multiplications under two different assumptions. In first assumption, the random subset test [8] is used as GT . GT requires l modular exponentiations and 2 × l × (c − 1) modular multiplications where l is a security parameter and c is the order of S in Fig. 1. c is n/2 in average case where n is the size of a batch instance. In the second assumption, the small  exponents test [8]is used as GT . We can compute m = i∈S mi hi and s = i∈S si hi with l + nl/2 modular multiplication respectively in Fig. 1. So, the computational cost of GT is one modular exponen-

LEE et al.: EFFICIENT IDENTIFICATION OF BAD SIGNATURES IN RSA-TYPE BATCH SIGNATURE

79

tiation and 2l + nl modular multiplications when the small exponents test is used as GT . Note that l is commonly set to 60 [8], [13]. Finally, we convert the computational cost of a modular exponentiation as the number of modular multiplications to compare performance results precisely. We suppose that a modular exponentiation is implemented as the sliding-window algorithm [14]. One modular exponentiation in RSA can be computed by 17 modular multiplications where key length is 1024 bits and public key value is 65537 [15], [16]. Figure 4 shows the performance comparison between DBI2 and DCV2 in terms of the number of modular multiplications when the random subset test is used as GT . In the figure, X-axis is the number of bad signatures and Y-axis is the average number of modular multiplications. From the results, we can observe that the DBI2 method reduces considerably the average number of modular multiplications compared with DCV2 when the bad signatures in a batch are identified. That is, DBI2 reduces the number of modular

multiplications by 21–30% when n is 1024. This means that our method can improve the overall performance even considering the additional overhead which is incurred in Eq. (3). Figure 5 shows the performance comparison between DBI2 and DCV2 in terms of the number of modular multiplications when the small exponents test is used as GT . From the results, we can observe that DBI2 reduces the number of modular multiplications by 11–33% compared with DCV2 when n is 1024. We also find out that the random subset test shows better performance than the small exponents test when bad signatures exist in a batch instance and n gets larger. On the contrary, the small exponents test surpasses the random subset test when there is no bad signature in a batch instance [8]. 5.

Conclusion

In this paper, we proposed a new batch identification method, DBIα that could identify bad signatures in a batch instance. When there is only one bad signature, DBIα√ can identify it with one modular exponentiation and 2n + 3 n/2 modular multiplications where n is the size of a batch instance. When there are multiple bad signatures in a batch, DBIα adopt the divide-and-conquer approach. However, the number of divided sub-instances in the approach is much smaller than that of DCVα . Experimental results have shown that the proposed method outperforms the previous method in terms of both the number of GT s invoked and the number of modular multiplications. Acknowledgement We appreciate anonymous reviewers for their critical comments and this work was supported by the Brain Korea 21 Project in 2005. References

Fig. 4 The average number of modular multiplications in DBI2 and DCV2 when the random subset test is used as GT .

Fig. 5 The average number of modular multiplications in DBI2 and DCV2 when the small exponents test is used as GT .

[1] M. Bellare, J. Garay, and T. Rabin, “Fast batch verification for modular exponentiation and digital signatures,” Advances in Cryptology—EUROCRYPT’98, no.1403, pp.236–250, 1998. [2] L. Harn, “Batch verifying multiple RSA-type digital signatures,” Electron. Lett., vol.34, pp.1219–1220, 1998. [3] D. Naccache, D.M’Raiya, S. Vaudenay, and D. Raphaeli, “Can DSA be improved? Complexity trade-offs with the digital signature standard,” Eurocrypt’94, pp.77–85, 1994. [4] S. Yen and C. Laih, “Improved digital signature suitable for batch certification,” IEEE Trans. Comput., vol.44, no.7, pp.957–959, 1995. [5] D. Marihi and D. Naccache, “Batch exponentiation—A fast DLPbased signature generation strategy,” 3rd ACM Conference on Computer and Communications Security, pp.58–61, 1996. [6] L. Harn, “Batch verifying multiple DSA-type digital signatures,” Electron. Lett., vol.34, pp.870–871, 1998. [7] J. Pastuszak, D. Michalek, J. Pieprzyk, and J. Seberry, “Identification of bad signatures in batches,” PKC 2000, 2000. [8] M. Bellare, J.A. Garay, and T. Rabin, “Batch verification with applications to cryptography and checking,” Lecture Notes in Computer Science, vol.1380, 1998. [9] W. Feller, An Introduction to Probability Theory and Its Applications, Wiley, 1968.

IEICE TRANS. FUNDAMENTALS, VOL.E89–A, NO.1 JANUARY 2006

80

[10] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Wiley, 1996. [11] E. Teske, “Computing discrete logarithms with the parallelized kangaroo method,” Discrete Appl. Math., vol.130, pp.61–82, 2003. [12] J. Buchmann, M. Jacobson, and E. Teske, “On some computational problems in finite Abelian groups,” Mathematics of Computation, vol.66, no.220, pp.1663–1687, 1997. [13] J.-S. Coron and D. Naccache, “On the security of RSA screening,” PKC99, pp.197–203, 1999. [14] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997. [15] J. Sauerbrey and A. Dietel, “Resource requirements for the application of addition chains in modulo exponentiation,” Advances in Cryptology-Eurocrypt’92, Lect. Notes Comput. Sci., 1992. [16] J. Bos and M. Coster, “Addition chain heuristics,” Advances in Cryptology, Proceedings of Crypto 89, pp.400–407, 1989.

Seungwon Lee received the M.S. degree in computer engineering from the Seoul National University and a B.S. in computer science from the Korea Advance Institute of Science and Technology (KAIST), South Korea. He is currently a Ph.D. student in the School of Computer Science and Engineering at Seoul National University. Also, he is a senior engineer in the truscom company from 1999. His main research interests include system security, network security and cryptographic algorithm.

Seongje Cho received the B.S., M.E., and Ph.D. degrees in computer engineering from Seoul National University in 1989, 1991, and 1996, respectively. He has been with the Division of Information and Computer Science at Dankook University, Seoul, Korea since 1997. Currently, he is an associate professor in the Department of Computer Science at Dankook University. He was a visitor researcher at the Univ. of California, Irvine during 2001. His research interests include computer security, realtime systems, system software, and embedded systems.

Jongmoo Choi received the B.S. degree in oceanography from Seoul National University, Korea, in 1993 and the M.S. and Ph.D. degrees in computer engineering from Seoul National University in 1995 and 2001, respectively. He was a senior engineer in the Ubiquix Company from 2001 to 2003, where he developed a real-time embedded micro-kernel for PDAs. Currently, he is an assistant professor in the Division of Information and Computer Science at Dankook University, Seoul, Korea. His research interests include operating system, embedded system, and mobile storage system.

Yookun Cho received the Ph.D. and M.S. degrees both in computer science from the University of Minnesota and a B.S. from the Seoul National University, Seoul, Korea. He is currently a professor in the Department of Computer Engineering. He has served on the program and steering committees of several conference and published numerous papers in international and Korean journals. He also served as a vice president of the Korean Information Science Society. His main research interests includes design and analysis of algorithms, operating systems, and system security. He is a member of the IEEE, ACM, and KISS.