
Hierarchical signature scheme based on elliptic curve digital signature algorithm

  • Original Research
International Journal of Information Technology

Abstract

In this article, we propose a hierarchical signature scheme based on the Elliptic Curve Digital Signature Algorithm. The motivation for our scheme is the scenario of a company in which a group of users is partitioned into hierarchical levels. If an author wants signature(s) on a message from the company, a threshold number of users from each level (or higher) can jointly sign the message. Our scheme is verifiable, computationally secure and efficient. We give an explicit example for illustration purposes.


Data availability

Not applicable.

References

  1. Ajeena RKK, Hailiza K (2014) The computational complexity of elliptic curve integer sub-decomposition (ISD) method. AIP Conf Proc 1605:557–562


  2. Bellare M, Neven G (2007) Identity-based multi-signatures from RSA. In: Abe M (eds) Topics in Cryptology - CT-RSA 2007, pp 145–162

  3. Chintamani M, Paul P, Sa L (2023) Conjunctive hierarchical multi-secret sharing scheme using elliptic curves. Indian J Pure Appl Math. https://doi.org/10.1007/s13226-023-00450-x


  4. Coron J (1999) Resistance against differential power analysis for elliptic curve cryptosystems. In: Proceedings of the 1st International Workshop on Cryptographic Hardware and Embedded Systems (CHES ’99), Lecture Notes in Computer Science, 1717, pp 292–302

  5. Deshmukh M, Rawat AS (2023) Secure key sharing scheme using Hamiltonian path. Int J Inf Tecnol 15:4141–4147


  6. Galbraith SD, Smart NP (2001) Evaluation report for CRYPTREC: security level of cryptography-ECDLP mathematical problem

  7. Gupta S, Nitish, Harish M et al (2024) A hybrid authenticated image encryption scheme using elliptic curves for enhanced security. Int J Inf Tecnol. https://doi.org/10.1007/s41870-024-01737-w


  8. Harn L, Wang F (2016) Threshold signature scheme without using polynomial interpolation. Int J Netw Sec 18(4):710–717


  9. Itakura K, Nakamura K (1983) A public-key cryptosystem suitable for digital multisignatures. NEC Res Dev 71:1–8


  10. Johnson D, Menezes A, Vanstone S (2001) The elliptic curve digital signature algorithm (ECDSA). Int J Inf Secur 1:36–63


  11. Lawal OM, Vincent OR et al (2021) An improved hybrid scheme for e-payment security using elliptic curve cryptography. Int J Inf Tecnol 13:139–153


  12. National Institute of Standard and Technology, Secure Hash (SMS), FIPS publication, 180–1 (1995)

  13. National Institute of Standard and Technology, Digital Signature Standard, FIPS publication, 168-2 (2000)

  14. Patil S, Bhandari S et al (2022) Improved resilience of secret sharing scheme with augmented multifarious features. Int J Inf Tecnol 14:2633–2644


  15. Sethi PC, Sahu N, Behera PK (2022) Group security using ECC. Int J Inf Tecnol 14:955–963


  16. Simmons G (1990) How to (really) share a secret. In: Goldwasser S (ed) Advances in Cryptology - Proceedings of CRYPTO-88: Lecture Notes in Computer Science, vol. 403. pp 390-448

  17. Tuan DM (2017) New elliptic curve digital multi-signature schemes for multi-section messages. In: Proceedings of the International Conference on Machine Learning and Soft Computing, pp 25–28


Author information


Corresponding author

Correspondence to Bijaya Sahu.

Ethics declarations

Conflict of interest

The authors declare no conflict of interest.

Appendices

Appendix A

In this section, we give an example using SageMath. We follow the notations as in Subsection 2.4.

1.1 Example 1

In this example, we consider three distinct levels. Level \(U_1\) has \(n_1 = 2\) participants and threshold \(t_1 = 1.\) Similarly, Levels \(U_2\) and \(U_3\) have \(n_2 = 3, n_3 = 5\) participants and thresholds \(t_2 = 3, t_3 = 4\), respectively. We consider the elliptic curve \(E: y^2 = x^3 + 7x + 13\) over \({\mathbb {F}}_{101}.\) The discriminant is \(81 \ne 0\) and the order of E is \(111 = 3 \times 37.\) We consider \(\ell = 37\) and a point \(P = E(59, 13)\) of order 37.

Key generation

We use some of the computations done in [3].

The owner considers the matrices \(M_1 = \begin{pmatrix} 3\\ 4 \end{pmatrix},\) \(M_2 = \begin{pmatrix} 4 & 6 & 1\\ 2 & 5 & 8\\ 1 & 0 & 9\\ 5 & 2 & 10\\ 7 & 3 & 11 \end{pmatrix}\) and \(M_3 = \begin{pmatrix} 3 & 1 & 5 & 7 & 1 & 9\\ 2 & 4 & 9 & 3 & 6 & 1\\ 5 & 2 & 11 & 7 & 10 & 2\\ 1 & 1 & 2 & 3 & 5 & 7\\ 2 & 9 & 6 & 15 & 12 & 16\\ 10 & 0 & 3 & 1 & 2 & 4\\ 4 & 5 & 1 & 7 & 2 & 9\\ 3 & 2 & 8 & 0 & 5 & 3\\ 1 & 7 & 11 & 12 & 10 & 4\\ 4 & 8 & 9 & 2 & 3 & 1 \end{pmatrix}.\)

The owner chooses \(a_{11}=11, a_{12}=9, a_{21}=33, a_{22}=32, a_{23}=5, a_{31}=6, a_{32}=25, a_{33}=8, a_{34}=19, a_{35}=7, a_{36}=20\) and \(b_{11}=33, b_{12}=7, b_{21}=4, b_{22}=20, b_{23}=12, b_{31}=12, b_{32}=3, b_{33}=5, b_{34}=18, b_{35}=5\) as \((b_{11} ~ b_{12})^T = M_1. (a_{11}) = (33 ~ 7)^T\) and \((b_{11} ~ b_{12} ~ b_{21} ~ b_{22} ~ b_{23})^T = M_2. (a_{21} ~ a_{22} ~ a_{23}) = (33 ~ 7 ~ 4 ~ 20 ~ 12)^T\) and \((b_{11} ~ b_{12} ~ b_{21} ~ b_{22} ~ b_{23} ~ b_{31} ~ b_{32} ~ b_{33} ~ b_{34} ~ b_{35})^T = M_2. (a_{31} ~ a_{32} ~ a_{33} ~ a_{34} ~ a_{35} ~ a_{36}) = (33 ~ 7 ~ 4 ~ 20 ~ 12 ~ 12 ~ 3 ~ 5 ~ 18 ~ 5)^T.\)

We can easily check that \(11P = (91, 16), 9P = (81, 16), 33P = (38, 56), 32P = (89, 25), 5P = (89, 76), 6P = (17, 55), 25P = (31, 23), 8P = (46, 99), 19P = (49, 21).\) The owner distributes 11P, 9P to the users in Level \(U_1\), 33P, 32P, 5P to the users in Level \(U_2\) and 6P, 25P, 8P, 19P, 7P to the users in Level \(U_3\).

Suppose the \(1^{st}\) participant from Level \(U_1\), the \(1^{st}, 2^{nd}, 3^{rd}\) participants from Level \(U_2\) and the \(1^{st}, 2^{nd}, 3^{rd}, 4^{th}\) participants from Level \(U_3\) come together to sign a message \({\mathcal {M}} = 29.\) The jth participant of Level \(U_i\) randomly chooses \(k_{ij}\) from [0, 36], where \(k_{11}=7, k_{21}=12, k_{22}=8, k_{23}=19, k_{31}=13, k_{32}=2, k_{33}=21, k_{34}=7.\) Now the \(2^{nd}\) coordinate of \(a_{11}P\) is 16. Thus we consider \(Q_{11} = 16P = (13, 68).\) Similarly, \(Q_{21} = 19P = (49, 21), Q_{22}=25P=(31, 23), Q_{23}=2P=(16, 22), Q_{31} = 18P = (49, 80), Q_{32}=23P=(63, 83), Q_{33}=25P=(31, 23), Q_{34}=21P=(13, 33)\) and finally \(Q=Q_{11}+Q_{21}+Q_{22}+Q_{23}+Q_{31}+Q_{32}+Q_{33}+Q_{34},\) which serves as the public group key.

Before proceeding further, we need the following calculations.

\(R_{11}=7P=(26, 55), R_{21}=12P=(31, 78), R_{22}=8P=(46, 99), R_{23}=19P=(49, 21), R_{31}=13P=(58, 46), R_{32}=2P=(16, 22), R_{33}=21P=(13, 33), R_{34}=7P=(26, 55).\) Since the first coordinate of \(k_{11}P\) is 26, the \(1^{st}\) participant keeps 26 for signing purposes. In a similar fashion, the \(1^{st}\) participant of the \(2^{nd}\) compartment keeps 31. Interestingly, the \(2^{nd}\) participant of the \(2^{nd}\) compartment calculates \(k_{22}P = 8P = (46, 99).\) Since \(46 \equiv 9 \pmod {37},\) the \(2^{nd}\) participant keeps 9 for signing purposes. In a similar fashion, the \(3^{rd}\) participant of the \(2^{nd}\) compartment keeps 12, the \(1^{st}\) participant of the \(3^{rd}\) compartment keeps 21, the \(2^{nd}\) participant of the \(3^{rd}\) compartment keeps 16, the \(3^{rd}\) participant of the \(3^{rd}\) compartment keeps 13 and the \(4^{th}\) participant of the \(3^{rd}\) compartment keeps 26 as their respective individual secrets.

Finally, \(R=R_{11}+R_{21}+R_{22}+R_{23}+R_{31}+R_{32}+R_{33}+R_{34} = (50,74).\)

Here \(r\) is the x-coordinate of \(R\) reduced modulo 37, i.e. \(r = 50 \bmod 37 = 13,\) and \(r^{-1}= 20.\) Using the extended Euclidean algorithm, we can easily see that \(50 \times 20 \equiv 13 \times 20 \equiv 1 \pmod {37}.\) Therefore, we have \(r^{-1} = 20.\)

We now assume \(e' = H({\mathcal {M}}) = {\mathcal {M}} =29.\) Since \(S_{ij} = (k_{ij} - e.a_{ij})r^{-1} \pmod {37},\) we have \(s_{11} =36, s_{21} =24, s_{22}=16, s_{23}=34, s_{31} = 32, s_{32} = 20, s_{33} = 17, s_{34}=22\).

Finally, \(s=s_{11}+s_{21}+s_{22}+s_{23}+s_{31}+s_{32}+s_{33}+s_{34} = 36 + 24 + 16 + 34+32+20+17+22 \equiv 16 \pmod {37}.\)

Therefore, the authorized set of signers jointly sends \((s, r, {\mathcal {M}}) = (13, 16, 29)\) to the verifier.

Verification by the verifier

After receiving the signature \((s, r, {\mathcal {M}}),\) the verifier computes

\(R' = srP + e'Q = (16 \times 13 )P + 29Q = (50, 74).\)

Since \(50 \equiv 13 \pmod {37},\) that is, the \(1^{st}\) coordinate of (50, 74) reduced modulo 37 is the same as \(r = 13,\) the verifier accepts the signature.

In this way, any number of signers from as many levels as one wants can sign a hierarchical multisignature using our proposed scheme.
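The Appendix A computation can be replayed without SageMath. The following is an added example, not the authors' code: the function names `add`, `mul`, `sign` and `verify` are assumptions of this example, and each signer's scalar is taken as the second coordinate of \(a_{ij}P\) reduced modulo 37, which is how the text above obtains \(Q_{11} = 16P\).

```python
# Added example: Appendix A replayed with pure-Python curve arithmetic (Python 3.8+).
p, A, B, ell = 101, 7, 13, 37          # E: y^2 = x^3 + 7x + 13 over F_101
P = (59, 13)                           # base point of order 37

def add(P1, P2):
    """Affine point addition on E; None is the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k > 0:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(a, k, e):
    """Return (shares, s, r, Q) for the signers' a_ij, nonces k_ij, digest e."""
    d = [mul(x, P)[1] % ell for x in a]    # assumption: scalar = y(a_ij * P) mod ell
    Q = R = None
    for di, ki in zip(d, k):
        Q, R = add(Q, mul(di, P)), add(R, mul(ki, P))
    r = R[0] % ell
    r_inv = pow(r, -1, ell)
    shares = [(ki - e * di) * r_inv % ell for di, ki in zip(d, k)]
    return shares, sum(shares) % ell, r, Q

def verify(s, r, e, Q):
    """Accept iff the first coordinate of s*r*P + e*Q, mod ell, equals r."""
    Rp = add(mul(s * r % ell, P), mul(e % ell, Q))
    return Rp is not None and Rp[0] % ell == r

a = [11, 33, 32, 5, 6, 25, 8, 19]      # a_ij of the eight signers in the example
k = [7, 12, 8, 19, 13, 2, 21, 7]       # their k_ij
shares, s, r, Q = sign(a, k, 29)       # message digest e' = 29
print(shares, s, r, verify(s, r, 29, Q))
```

Running it reproduces the eight shares, \(s = 16\) and \(r = 13\). The parameters are illustrative only: with \(\ell = 37\) the same \((s, r)\) also verifies for the altered digest 30, because \(16P = (13, 68)\) has first coordinate 13.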

Appendix B

Proof of Theorem 4

Proof

We first prove it for Level \(U_1.\) It is known that \(M_1\) is an \(n_1\times t_1\) matrix and any \(t_1\times t_1\) submatrix of \(M_1\) is invertible. For a \(t_1\times t_1\) submatrix \(M_1',\) its transpose is invertible.

We prove this theorem by contradiction. Suppose, if possible, that a group of \(t_1'\) participants from \(U_1\) can produce a valid signature at the first level, where \(t_1' < t_1.\) Then, they must satisfy the signature verification algorithm at the initial level. But

$$\begin{aligned} R' &= u_1P + u_2Q \\ &= srP + e'Q \\ &= (\sum\limits_{j=1}^{t_1'} s_j)rP + e' \sum\limits_{j=1}^{t_1} Q_j\\ &= (\sum\limits_{j=1}^{t_i'}(d_{ij}. k_{ij}) - e(d_{ij}. a_{ij}))r^{-1}rP + e'\sum\limits_{j=1}^{t_1} (d_{ij}. a_{ij})P \\ &= (\sum\limits_{j=1}^{t_1'}(d_{ij}. k_{ij})P - e(d_{ij}. a_{ij}))P + e'\sum\limits_{j=1}^{t_1} (d_{ij}. a_{ij})P \\ &\ne (\sum\limits_{j=1}^{t_1}(d_{ij}. k_{ij})P \end{aligned}$$

Therefore, we arrive at a contradiction. Similarly, we can prove for other levels \(U_j\) for \(2 \le j \le m.\) This completes the proof. \(\square \)

Appendix C

Complexity of the proposed scheme

The multiplication of an \(n_i\times t_i\) matrix with a \(t_i\times 1\) matrix involves \(t_in_i\) operations. The Double-and-Add algorithm [4] takes \(O(\textrm{log}_2 \ell )\) time to compute the scalar multiplication of a point on an elliptic curve, where \(\ell \) is the point’s order. Finding the inverse of a matrix of order \(t_i\) requires \(t_i^3\) time. For an elliptic curve, the computational cost of adding two different points is I+2M+S, and for doubling it is I+2M+2S (see [1]), where I stands for inverse, S for squaring and M for multiplication.

During the secret distribution phase. In our method, the owner needs to perform \(O(mn^2)\) operations to compute m matrices of various sizes. Calculating \(b_{ij}x_{ij}P\) requires n scalar multiplications, which cost \(O(n\textrm{log}_2\ell ).\) Additionally, the owner must carry out m point additions to compute Q and R, which results in a cost of O(m).

During the process of reconstructing the secret. The collaborating users must calculate the inverses of m matrices, the ith of which has order \(t_i\) (where \(1\le i\le m\)). This computation involves a total of \(\sum \limits _{i=1}^m t_i^3\) operations. Given that each \(t_i\) is less than or equal to \(n_i,\) and the sum of all \(n_i\) values equals n, it follows that \(\sum \limits _{i=1}^m t_i^3\le n^3.\) To derive the secret \(a_{ij}P\) at Level \(U_i\), the users are required to perform \(t_i^2\) point additions. Additionally, the users need m point additions to compute Q and m point additions to compute R.

During the process of signing. Each authorized signer performs two multiplications and one inverse. For signing, the total number of operations is \(3 \sum \limits _{i=1}^m t_i.\)

At the time of verification. The verifier needs to calculate two scalar multiplications and one point addition for verification, which costs \(O(\textrm{log}_2\ell ).\)

Therefore, considering all of these, the computational complexity of our scheme is \(O(n^3).\)


About this article


Cite this article

Chintamani, M., Paul, P., Sa, L. et al. Hierarchical signature scheme based on elliptic curve digital signature algorithm. Int. j. inf. tecnol. (2024). https://doi.org/10.1007/s41870-024-01948-1


  • DOI: https://doi.org/10.1007/s41870-024-01948-1
