Applied Mathematics and Computation 169 (2005) 75–81 www.elsevier.com/locate/amc

Improved DSA variant for batch verification

Chu-Hsing Lin a,*, Ruei-Hau Hsu a, Lein Harn b

a Department of Computer Science and Information Engineering, Tunghai University, 181 Section 3, Taichung-kang Road, 407 Taichung City, Taiwan
b Department of Computer Networking, University of Missouri, Kansas City, MO 64110, USA

Abstract

Batch verification is a method to verify multiple signatures at once. There are two issues associated with batch verification: one is security and the other is computational speed. In 1998, Bellare et al. proposed an approach called the small exponents test to preserve the security of batch verification of a digital signature algorithm (DSA) variant. In this letter, we propose an efficient scheme to speed up DSA batch verification. Our scheme does not need to compute modular inverses and, at the same time, security is preserved. We include a performance evaluation that compares the computational time of our scheme with that of the existing DSA batch verification.

© 2004 Elsevier Inc. All rights reserved.

Keywords: Digital signature algorithm; Batch verification; Small exponent test; Inverse computation; Signature verification

* Corresponding author.
0096-3003/$ - see front matter © 2004 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2004.10.041

C.-H. Lin et al. / Appl. Math. Comput. 169 (2005) 75–81

1. Introduction

The digital signature algorithm (DSA) [1] was proposed in 1991 by the US government. Naccache et al. [2] proposed a batch verification scheme to verify multiple DSA signatures at once. Later, Lim and Lee [3] found a security problem in DSA batch verification. In 1998, Bellare et al. [4] proposed an approach called the small exponents test to overcome the security problem. In this letter, we propose an efficient scheme to process batch verification. Our scheme is based on the scheme of Bellare et al. with the small exponents test. However, our scheme is more efficient than theirs since there is no need to compute modular inverses.

In the following section, we review DSA batch verification with the small exponents test proposed by Bellare et al. In Section 3, we propose an efficient batch verification scheme. In Section 4, we include the performance evaluation. The conclusion is in Section 5.

2. Review of Bellare et al. batch verification scheme

We review the batch verification scheme of Bellare et al. [4] in this section. Their scheme uses the small exponents test [4] to prevent forged signatures, and it applies to a DSA variant. We define the parameters of batch verification below:

$p$: a large prime
$q$: a prime divisor of $p - 1$
$g$: an element of order $q$ in $GF(p)$
$x$: the secret key of the signer in $GF(q)$
$y$: the public key of the signer, where $y = g^{x} \bmod p$

The signer generates signatures $(r_1, s_1), (r_2, s_2), \ldots, (r_t, s_t)$ of messages $m_1, m_2, \ldots, m_t$, respectively. The signature signing and batch verification procedures are listed below.

2.1. Signature signing

Each signature pair $(r_i, s_i)$ is generated by first selecting a random integer $k_i$, then computing $r_i = g^{k_i} \bmod p$ and $s_i = k_i^{-1}(m_i + x r_i) \bmod q$, for $i = 1, 2, \ldots, t$.

2.2. Batch verification

First, the verifier chooses $l$-bit random numbers $b_i$, where $i = 1, 2, \ldots, t$. The verifier then verifies multiple signatures through the batch verification equation listed below:

$$\prod_{i=1}^{t} r_i^{b_i} \stackrel{?}{\equiv} g^{\sum_{i=1}^{t} m_i s_i^{-1} b_i \bmod q}\; y^{\sum_{i=1}^{t} r_i s_i^{-1} b_i \bmod q} \pmod{p}$$

If the equation holds, the signatures are verified.

3. Secure and efficient batch verification for DSA variant

3.1. Our proposed scheme

In this section, we propose an efficient scheme to process the batch verification proposed by Bellare et al. The parameters used in our proposed scheme are the same as those presented in the previous section. The signature pairs $(r_1, s_1), (r_2, s_2), \ldots, (r_t, s_t)$ of messages $m_1, m_2, \ldots, m_t$ are generated following the same signing equation as introduced by Bellare et al. After receiving multiple signature pairs, the verifier can verify them according to the following steps:

Step 1. Pick $b_1, b_2, \ldots, b_t \in \{0, 1\}^{l}$ randomly.

Step 2. Compute $S_j = \prod_{i=1,\, i \neq j}^{t} s_i \bmod q$, for $j = 1, 2, \ldots, t$, and then compute $S = (s_1 S_1) \bmod q$.

Step 3. Check the batch verification equation

$$\left(\prod_{i=1}^{t} r_i^{b_i} \bmod p\right)^{S} \bmod p \stackrel{?}{=} \left(g^{\sum_{i=1}^{t} m_i S_i b_i \bmod q}\; y^{\sum_{i=1}^{t} r_i S_i b_i \bmod q}\right) \bmod p.$$

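If the equation holds, accept. Otherwise, reject. Here, we prove that the above batch verification equation is identical to Bellare et al.'s equation. Since we have

$$
\begin{aligned}
& \left(\prod_{i=1}^{t} r_i^{b_i} \bmod p\right)^{S} \bmod p = \left(g^{\sum_{i=1}^{t} m_i S_i b_i \bmod q}\; y^{\sum_{i=1}^{t} r_i S_i b_i \bmod q}\right) \bmod p \\
\Rightarrow\ & \prod_{i=1}^{t} r_i^{b_i} \bmod p = \left(g^{\sum_{i=1}^{t} m_i S_i b_i \bmod q}\; y^{\sum_{i=1}^{t} r_i S_i b_i \bmod q}\right)^{S^{-1}} \bmod p \\
\Rightarrow\ & \prod_{i=1}^{t} r_i^{b_i} \bmod p = \left(g^{\sum_{i=1}^{t} m_i S_i S^{-1} b_i \bmod q}\; y^{\sum_{i=1}^{t} r_i S_i S^{-1} b_i \bmod q}\right) \bmod p \\
\Rightarrow\ & \prod_{i=1}^{t} r_i^{b_i} \bmod p = \left(g^{\sum_{i=1}^{t} m_i s_i^{-1} b_i \bmod q}\; y^{\sum_{i=1}^{t} r_i s_i^{-1} b_i \bmod q}\right) \bmod p
\end{aligned}
$$

The last step uses $S = s_i S_i \bmod q$ for every $i$, so that $S_i S^{-1} \equiv s_i^{-1} \pmod{q}$.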

Thus, our batch verification equation is identical to Bellare et al.'s equation.


3.2. Fast computation

In this section, we propose a method to speed up the batch verification equation. First, we need to compute $2(t-1)$ values as follows.

$$
\begin{array}{ll}
A_1 = s_1 & B_1 = s_t \\
A_2 = s_1 s_2 & B_2 = s_t s_{t-1} \\
A_3 = s_1 s_2 s_3 & B_3 = s_t s_{t-1} s_{t-2} \\
\quad\vdots & \quad\vdots \\
A_{t-1} = s_1 s_2 s_3 \cdots s_{t-1} & B_{t-1} = s_t s_{t-1} s_{t-2} \cdots s_2
\end{array}
$$

We can then use those values to compute $S_1, S_2, \ldots, S_t$ as needed in our batch verification equation. The following table illustrates this process.

$$
\begin{array}{l}
S_1 = B_{t-1} = s_2 s_3 s_4 \cdots s_t \\
S_2 = A_1 * B_{t-2} = s_1 * s_3 s_4 \cdots s_t \\
S_3 = A_2 * B_{t-3} = s_1 s_2 * s_4 s_5 \cdots s_t \\
S_4 = A_3 * B_{t-4} = s_1 s_2 s_3 * s_5 s_6 \cdots s_t \\
\quad\vdots \\
S_{t-1} = A_{t-2} * B_1 = s_1 s_2 \cdots s_{t-2} * s_t \\
S_t = A_{t-1} = s_1 s_2 \cdots s_{t-1}
\end{array}
$$

Thus, our batch verification of the DSA variant can be completed without using any modular inverse computation. We include the pseudocode of this proposed computational algorithm below.

Algorithm 1 (Speed-up computation of S_j)

INPUT: q, s[1, t]    // q is a modulus, s is a signature array (s_1, s_2, ..., s_t)
OUTPUT: S[1, t]      // S is an array (S_1, S_2, ..., S_t)
Step:
1. define array temp_1[1, t - 1] and array temp_2[1, t - 1];
2. temp_1[1] = s[1], temp_2[1] = s[t];
3. for i = 2 to t - 1
   3.1 temp_1[i] = s[i] * temp_1[i - 1] mod q;
   3.2 temp_2[i] = s[t - i + 1] * temp_2[i - 1] mod q;
4. S[1] = temp_2[t - 1], S[t] = temp_1[t - 1];
5. for j = 2 to t - 1
   5.1 S[j] = temp_1[j - 1] * temp_2[t - j] mod q;
6. return S[1, t];
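The inverse-free check of Sections 3.1 and 3.2, run next to the Bellare et al. equation of Section 2.2, as an added Python example (not code from the paper). The parameters p = 2039, q = 1019, g = 4 and all function names are constructed for illustration and are far too small for real use; the range check in `well_formed` is an added precondition, and `products_without` seeds both running products with 1, so it spends a few more multiplications than Algorithm 1.

```python
import secrets

# Constructed toy parameters (far too small for real use): q | p - 1, g has order q.
P, Q, G = 2039, 1019, 4

def sign(m, x):
    """Section 2.1 variant: r = g^k mod p, s = k^-1 (m + x r) mod q, retry if s = 0."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        s = pow(k, -1, Q) * (m + x * r) % Q
        if s:
            return r, s

def products_without(s):
    """Algorithm 1 idea: S[j] = product of s[i], i != j (mod q), using no inverse."""
    t = len(s)
    pre, suf = [1] * (t + 1), [1] * (t + 1)
    for i in range(t):
        pre[i + 1] = pre[i] * s[i] % Q          # A_i = s_1 ... s_i
        suf[i + 1] = suf[i] * s[t - 1 - i] % Q  # B_i = s_t ... s_(t-i+1)
    return [pre[j] * suf[t - 1 - j] % Q for j in range(t)]

def well_formed(sigs):
    """Range check added here as a precondition; the page does not state it."""
    return all(0 < r < P and 0 < s < Q for r, s in sigs)

def _batch(msgs, sigs, y, b, w, e):
    """(prod r_i^b_i)^e == g^(sum m_i w_i b_i) * y^(sum r_i w_i b_i)  (mod p)."""
    lhs = 1
    for (r, _), bi in zip(sigs, b):
        lhs = lhs * pow(r, bi, P) % P
    eg = sum(m * wi * bi for m, wi, bi in zip(msgs, w, b)) % Q
    ey = sum(r * wi * bi for (r, _), wi, bi in zip(sigs, w, b)) % Q
    return pow(lhs, e, P) == pow(G, eg, P) * pow(y, ey, P) % P

def verify_bellare(msgs, sigs, y, b):
    """Section 2.2: weights s_i^-1 cost one modular inverse per signature."""
    return well_formed(sigs) and _batch(
        msgs, sigs, y, b, [pow(s, -1, Q) for _, s in sigs], 1)

def verify_inverse_free(msgs, sigs, y, b):
    """Section 3.1: weights S_i, and the left side is raised to S = s_1 * S_1."""
    S_j = products_without([s for _, s in sigs])
    return well_formed(sigs) and _batch(msgs, sigs, y, b, S_j, sigs[0][1] * S_j[0] % Q)

def small_exponents(t, l=8):  # Step 1: t random non-zero l-bit exponents, 2**l < q
    return [secrets.randbelow(2 ** l - 1) + 1 for _ in range(t)]
```

With the same exponents b, both functions accept a valid batch and both reject a batch in which one message was altered, because the altered term changes the exponent of g by a non-zero amount modulo q.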


4. Performance evaluation

First, we discuss the performance of Bellare et al.'s scheme. In [4], it takes $l + tl/2$ modular multiplications to compute $\prod_{i=1}^{t} r_i^{b_i} \bmod p$ with small exponents. In addition, it takes $4t$ modular multiplications to compute $\sum_{i=1}^{t} m_i s_i^{-1} \bmod q$ and $\sum_{i=1}^{t} r_i s_i^{-1} \bmod q$. In total, it takes $l + t(4 + l/2)$ modular multiplications, 2 modular exponentiations, and $t$ modular inverses to complete batch verification. On the other hand, our proposed scheme takes an additional $3(t - 2)$ modular multiplications to compute $S_1, S_2, \ldots, S_t$ according to our speed-up scheme, and $l + tl/2$ modular multiplications to compute $\prod_{i=1}^{t} r_i^{b_i}$ with small exponents. In total, our proposed batch verification takes $l + t(7 + l/2) - 6$ modular multiplications and three modular exponentiations to complete batch verification. It needs no modular inverse. The comparison between Bellare et al.'s scheme and ours is listed below in Table 1.

Table 1
The performance comparison between Bellare et al.'s scheme and ours

Scheme            Exponentiation    Multiplication          Inversion
Bellare et al.    2                 l + t(4 + l/2)          t
Our scheme        3                 l + t(7 + l/2) - 6      0

t is the number of signatures and l is the number of bits used in the small exponents test.

From the above analysis, our proposed scheme requires some more modular multiplications; however, Bellare et al.'s scheme requires more modular inverses. Since the computational complexity of each modular inverse computation is almost equivalent to a modular exponentiation, our proposed scheme is more efficient than Bellare et al.'s scheme. We have also included a performance evaluation using an x86 PC, P4 1.8G Intel CPU, 1G DDR RAM, Multiprecision Integer and Rational Arithmetic C/C++ Library (MIRACL) [5], MSVC compiler, MS Windows XP OS. Table 2 is the result of the simulation. We also present the histogram in Fig. 1. The experimental result also demonstrates the efficiency of our scheme.

Table 2
Experimental results (in milliseconds)

# of Signatures    Bellare's scheme    Our scheme
5000               39 765              5954
10 000             83 375              11 828
15 000             149 157             17 906
20 000             186 109             24 156
25 000             256 015             30 688
30 000             309 937             37 296
35 000             379 953             44 219
40 000             434 250             50 860
45 000             507 219             58 016
50 000             575 766             65 266

Fig. 1. Histogram of the batch verification time. [Figure "Experimental Results": x-axis, Number of Signatures (t x 1000); y-axis, Verification time (second); series, Bellare's Scheme and Our Proposed Scheme.]

5. Conclusion

In this paper, we have presented an efficient scheme for batch verification of a DSA variant. Our scheme does not need any modular inverse.

Acknowledgement

This research was partially supported by the National Science Council, Taiwan, under grant number NSC 92-2213-E-029-017.

References

[1] Proposed Federal Information Processing Standard for Digital Signature Standard, Federal Register 56 (169) (1991) 42980–42982.
[2] D. Naccache, D. M'Raihi, D. Raphaeli, S. Vaudenay, Can DSA be improved: complexity tradeoffs with the digital signature standard, Proceedings of Advances in Cryptology - EUROCRYPT '94, LNCS 950, 1995, pp. 77–85.
[3] C.H. Lim, P.J. Lee, Security of interactive DSA batch verification, Electronics Letters 30 (19) (1994) 1592–1593.
[4] M. Bellare, J.A. Garay, T. Rabin, Fast batch verification for modular exponentiation and digital signatures, Proceedings of Advances in Cryptology - EUROCRYPT '98, LNCS 1403, 1998, pp. 236–250.
[5] Multiprecision Integer and Rational Arithmetic C/C++ Library (MIRACL), Available from .
