Journal of Applied Mathematics

Volume 2014, Article ID 176085, 9 pages

http://dx.doi.org/10.1155/2014/176085

## A Rational Threshold Signature Model and Protocol Based on Different Permissions

^{1}School of Electronic and Computer Engineering, Peking University, Shenzhen 518055, China^{2}College of Computer Science and Technology, Beijing University of Technology, Beijing 100124, China

Received 3 April 2014; Revised 1 July 2014; Accepted 4 July 2014; Published 23 July 2014

Academic Editor: Young-Sik Jeong

Copyright © 2014 Bojun Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

This paper develops a novel model and protocol used in some specific scenarios, in which the participants of multiple groups with different permissions can finish the signature together. We apply the secret sharing scheme based on difference equation to the private key distribution phase and secret reconstruction phrase of our threshold signature scheme. In addition, our scheme can achieve the signature success because of the punishment strategy of the repeated rational secret sharing. Besides, the bit commitment and verification method used to detect players’ cheating behavior acts as a contributing factor to prevent the internal fraud. Using bit commitments, verifiable parameters, and time sequences, this paper constructs a dynamic game model, which has the features of threshold signature management with different permissions, cheat proof, and forward security.

#### 1. Introduction

Secret sharing (SS) scheme, first proposed by Shamir [1] in the paper “How to share a secret,” is a significant method used for the important information management. There are other SS schemes presented by Blakeley [2] and Asmuth and Bloom [3]. These -threshold schemes above split the secret to * *shares and distribute these shares to legal players, meaning that all the players in the secret sharing system have the same permissions. However, in some specific situations, like in a company, managers and employees are supposed to have different authority in the confidential secret management. As a result, all the SS schemes are not suitable to be applied to such scenario. Later, many scholars devoted themselves to the weighted threshold SS schemes, which can solve the above problem. Shamir was concerned with weighted threshold SS in his paper “How to share a secret”—the president of a company has three shares, the vice presidents have two shares, and others have one share. Later, Morillo et al. [4] developed some main properties related to the information ratio, which measures a secret sharing system’s security. After that, many researchers used their work to develop weight SS schemes, and some are with bipartite [5–7]. Chan and Chang [8] developed a new -threshold scheme based on differential equations, which was completely different from the mechanism of weighted SS scheme and shared the same notion with Li [9]. Instead of the traditional weighted threshold SS schemes, which have the symmetrical permissions limitation, they proposed -threshold SS scheme that is based on homogeneous constant coefficient linear difference equation. In the scheme, all players are divided into two groups (denoted by , ) with the different secret management authority; just players from and players from can recover the original secret information. For example, a company divides its business secret into shares, in which shares are possessed by specific employees and shares are distributed to managers. Any employees and managers can retrieve the business secret.

Threshold signature is based on SS, which was first proposed by Desmedt and Frankel [10] and based on RSA signature mechanism. Shamir [11] introduced the concept of signature authentication based on identity. Paterson and Schuldt [12] presented efficient identity-based signatures in the standard model. In this paper, to illustrate our model, we adopt Okamoto’s signature method [13], which is based on the identification scheme and is provably secure.

Another important issue about the traditional SS scheme is that they are all based on the assumption that every player is either honest or malicious. However, in practice, players are more likely to be selfish, trying to maximize their own utility. Halpern and Teague [14] introduced the notion of rational secret sharing (RSS) in 2004 and presented a randomized protocol for a SS scheme, which can achieve Nash equilibrium after repeated elimination of weakly dominated strategy. Gordon and Katz [15] improved Halpern’s protocol to conditions. The mechanism proposed by Maleka et al. [16] is called repeated rational secret sharing (RRSS), in which the distributor needs to do second-time segmentation of the secret shares and made the players share the subshares repeatedly. Maleka’s method uses punishment strategies to prevent players from finking, which is different from Halpern and Teague’s RSS protocol, in which some rounds of secret sharing are meaningless.

In this paper, we present a rational threshold signature model, in which the participants are divided into two sets with the different permissions. We adopt the SS scheme based on the difference equations to distribute shares and recover the original secrets. In the recover phrase, players exchange their subshares repeatedly based on Maleka’s RRSS scheme. In our model, we use several modules to manage the functions, respectively. The parameter sequence generator is used to generate the parameters of the difference equations and parameter distributor is used to distribute the parameters to the participants as their shares. Rounds controller is used to generate the random number of rounds so that the players cannot know when the repeated games will end. Bit commitment module is utilized for the players to commit their own subshares and verify others’. Besides, when a player cheats in a specific round by sending the wrong subshare, the verifiable module can detect it and the protocol will be stopped so that nobody can acquire the secret.

#### 2. Relative Works

##### 2.1. The Model of Li Bin Scholar

The model is outlined as follows.

Maker constructs homogeneous constant coefficient linear differential equation: Master key: , Shadow keys of participants in set are , Shadow keys of participants in set are .

The general term formula of homogeneous constant coefficient linear differential equation is

Because coefficient determinant is nondegenerate second-order tensor, Participants in set calculate constant vector:

Any participant in set makes can obtain the system master key:

##### 2.2. Problems

The model mentioned above is a big innovation in the field of threshold structure; however, if applied directly to the threshold signature, while in practical use, some problems may exist as follows.(1)The permissions in this model have limitations. The second component of -threshold shared structure on behalf of the second category participants with special privileges; these participants have excessive permissions, because anyone of them can represent the group. Thus, weexpand the second component into structure. Wei et al.’s scholars [17, 18] at Shandong University have proposed the definition of such structure. However, when this scheme is implemented, its two groups both use the polynomial ring, which possesses the symmetrical nature, thus it will break the different privileges characteristic of the homogeneousconstant coefficient linear differential equation. This paper promotes structure based on homogeneous constant coefficient linear differential equation, extends permissions, in the meantime, and improves the original proposal.(2)This model cannot resist conspiracy attacks, because of that when greater than or equal to the (,0) threshold number of participants work out the constant vector group of equation (4), at the same time, the equation (2) is determined. Conspires can get the the private key of the participants of the first set, using the general term formula, and one copy of the private key of the second set’s participant can be used to conjecture the others’ private keys in the second set.(3)The model cannot resist internal fraud. When put into practical use, the model does not have a verifiable, and the participants’ fraud is undetectable. If there are no validation measures, the participants may run this protocol arbitrarily, or send their false shares, and these cannot be tolerated.(4)The model has the dealer, who is the trusted third party. In the distributed network environment, the parameters is generated by a machine or by the secure multiparty computation.(5)This model does not have the rational characteristics. When the signature private keys are generated, and when the first set’s participants compute the equation (2)—after computing the general term formula, the participants in the second set have no motive to expose their private key to the participants in the first set, after they generate their private keys. This loses fairness.

#### 3. Protocol Model

##### 3.1. The Structure of Model

The structure of the model is shown in Figure 1.

*(**1) Parameter Sequence Generator*. Each time while in the signature step, the registers in parameters sequence generator dynamically generate the next state parameters according to the last state parameters. Each signature call the module once; the use of time series technology makes the model have forward security.

The initial vector in parameter sequence generator is

The iterative formulas of parameter sequence generator are as follows:

Other parameters are generated like this way.

Theorem 1. *The model has forward security.*

*Proof. *On the completion of the last signature, in next signature step, the parameter sequence generator precompiled the iteration values in registers. After iteration, according to recurrence relations (7), the last data in registers will not exist. That is to say, this time’s signature data in registers will cover the last data in them. According to the recurrence relations (7), if an attacker wants to get last data in registers, he or she must calculate mode square root:

The mode square root in polynomial time is computationally infeasible, and the mode indices are random; attacker cannot predict. So the model has forward security.

*(**2) Rounds Controller*. This model, which runs multiple rounds in the signature process, is a limited time repetitions dynamic game. It is vital in the model and controls the operation of the entire process. Here we use the idea of stochastic process [19] to construct model.

Theorem 2. *The distribution of round obeys Poisson distribution with parameter .*

*Proof. *In the condition of time limited game process, note that the number of deceptions in each round is , with the probability satisfying the following formula:
Participants’ behavior is independent in each round.

Assuming the number of rounds has continuity, that is to say, the process of game is taken as continuous function with time,
and it satisfies that

This means that, the probability of cracking the system with computational advantages can be negligible, when the threshold signature process is not performed. The model satisfies the four conditions mentioned above and meets the definition of Poisson process with intensity. That is,

Theorem 3. *The expectations rounds of this model are , each time the model convergence time complexity is .*

*Proof. *Differential equations are established for the rounds respectively, based on the four conditions mentioned above

The mathematical expectation is
So the expectations rounds of this model are , each time the model convergence time complexity is .

*(**3) Parameter Distributor*. A machine can analog the behavior of distributor (maker) and can be a trusted server in the distributed network.

*(**4) Pedersen Bit Commitment Module*. Pedersen bit commitment protocol [20] is a security protocol taken as commitment to the bit stream information. In each time of signature, the system generates coefficients of homogeneous constant coefficients differential equations, and the coefficients of algebraic curved with order , which correspond to the participants in set . After storing the coefficients in the binary bits formation, we note them as form of , in the form of bits stream. The parameter distributor is also attached with the bit commitment model to prevent it from attacks.

Theorem 4. *The model can detect whether the parameter distributor is under attack or not.*

*Proof. *The model adapts the Pedersen’s bit stream commitment protocol.

Parameter distributor selects a random number , timestamp information , and secure hash function .

To make bit stream and timestamp above hash process. The primitive element of group is ; publish
The triple will be publish to the public, right after the end of the signature process. Set and set participants can verify commitment to make sure whether parameter distributor is being attacked or not.

*(**5) Verifiable Parameter Distribution Module*. Using the idea of Feldman’s [21] verification. First, publicize bivariate one-way function . In each threshold signature process, parameter distributor generates polynomial with orders which corresponds to set participants:

Our model uses the primitive element in the finite fields , which is , to compute the number of the operation rounds, which is , according to the Poisson distribution with parameter , and then distribute the points sequence: Then it arbitrarily selects points in the field of except the ones in the equation (17), and publish them to the public.

Then it saves the vector and calls Pedersen’s bit commitment module.

After that, it broadcasts: Send each participant in set : In the set , the parameter distributor generates the primitive element, which is , in the infinite field , according to this polynomial with orders:

And then, with the rounds number noted before, the system distributes publish the points sequence: We adopt () threshold structure constructed by matrix method. players in set participate in the repeated games and recover the secret using the published points. As a result, the players in set can input after they get the general term formula of homogeneous constant coefficient linear differential equation.

Save vector And call Pedersen’s bit commitment module.

After that, it broadcasts:

Send each participant in set :

Theorem 5. *The model is verifiable.*

*Proof. *When distributing point’s sequence and broadcasting corresponding authentication information, participants can simultaneously verify the information.

Set participants verify

Set participants verify
If the verification succeeds, participants can trust the information sent by others.

*(**6) Participants*. Participants in two different permissions together constitute the threshold structure . In addition, , and the threshold values are and .

*(**7) Okamoto Signature Module*. After calculating the threshold signature private key, take as the first private key component of the signature module, while the second private key component is generated by public key signature method; select private keys; and publicize public keys, respectively. The model adopts Okamoto signature algorithm to signature finally.

Theorem 6. *The model can resist conspiracy attack.*

*Proof. *The second component of the private key in Okamoto signature algorithm can avoid conspiracy attacks which are performed by using general term formula to get other participants’ private keys when meeting the threshold condition to calculate homogeneous linear differential equations with constant coefficients general term formula in original model. The second component of everyone’s private key has to be kept privately by each individual. On condition that the second component of the private key ensures the privacy, the threshold signature cannot be forged. Furthermore, we can establish a mechanism, that is when there is a dispute, the system will check every participant involving the process of signature arise disputes.

##### 3.2. Improved Threshold Model

We adopt (, ) threshold structure constructed by matrix method. players in set participate in the repeated games and recover the secret using the published points. As a result, the players in set can input after they get the general term formula of homogeneous constant coefficient linear differential equation.

Make two field extensions: Expansion order of algebraic number field is

Remove the noise terms and to get coefficients information of homogeneous constant coefficient linear differential equation.

##### 3.3. Dynamic Game Model

*Definition 7. *
The Computable complete and perfect information dynamic game satisfies: Participants are noted as represents the nature and parameter distributor). The set of Types is . Actions set is . Strategy set is . Rounds set is . Full history set is depicted as game tree, whose root is empty history node . The information set can be tested and is perfect. Outcome set is . Utility function set is and satisfies . The above game can be calculated in polynomial time.

*Definition 8. *Computable complete and perfect information dynamic game with elastic equilibrium will reach the equilibrium results, under the conditions that it satisfies the Definition 7 and that each participants is rational. That is, , is multiple real variable function .

Theorem 9. *The model converges to computable complete and perfect information dynamic game with elastic equilibrium.*

*Proof. *Participants who accord with threshold signature conditions possess superiority of . They can get threshold signature private key without the normal operation of the model. Definitions of utility functions are as follows:

: participants’ ideal utility without the normal operation of the model to obtain the threshold signature private key;

: the utility that participant gets signature private key and others do not get it in round;

: utility that participant does not comply with the normal execution of the model when model run round;

: utility that participant complies with the normal execution of the model when model run round;

: normal utility that participant always complies with the operation of the model obtains threshold signature private key when model reaches the last one round;

: utility that all participants do not obtain the threshold signature private key. Illustrate that there are some participants had deceived cause model abnormal termination.

Utility function satisfies the strong partial: .

Define events as follows. A: participant uses the advantage of to crack threshold signature private key. B: participant implements protocol. C: participant takes honesty policy in round . D: participant takes fraud policy in round .We denote the utility of departing from the protocol as and denote the expected utility as . We can get the equation as follows.
In our protocol,

Distribution function satisfies

The following formulas are met:
in which

The above equation can determine the range of parameters selection, so that the model converges to computable complete and perfect information dynamic game with elastic equilibrium.

Theorem 10. *The model can resist inner fraud.*

*Proof. *According to Theorem 9, a rational participant will not depart from the protocol execution in any round. The model overcomes the sensitivity of backward induction and adopts mixed strategy equilibrium. If participants adopted a deceptive strategy in the model execution of any round, this caused the decrease in revenue of participants to . When the protocol terminates, punishment strategies can be used, thus putting an end to deceiving behavior effectively. So the model can prevent inner fraud.

#### 4. Protocol Procedure

##### 4.1. Parameters Generation Process

Determine the order of set and set ; determine the threshold value according to the requirements, respectively. Select big prime meets . Select primitive element in finite field and in finite field . The participants in set and set select signature private key as the second component of the Okamoto signature, respectively.

Parameter sequence generator generates coefficient constants vector of homogeneous constant coefficient linear differential equation:

Superscript represents signature number of times; 0 represents the first signature.

##### 4.2. Dynamic Games Process

Rounds controller according to Poisson distribution with parameter secret generates threshold signature round . According to the number of participants in set and set , the threshold value generates coefficient constants vector of polynomial and , respectively:

Superscript signature represents the number of rounds; 0 represents the first round.

Parameter distributor according to (17) and (22) distributes and publicizes points. Participants in set and set can use the verifiable parameter distribution module for verification. If there is no cheating behavior, the protocol continues to execute. Otherwise, the verifiable parameter distribution module goes to the interrupt processing. In every round of the games, the players in set and set use the published points sequence and generate and , respectively.

Parameter distributor verifies, respectively,

If and (37) holds, calculate (2), and then

If and (37) does not hold, and equal the expected value and the protocol enters into the next round.

If and (37) does not hold, meanwhile, and do not equal the expected value, someone of the players have cheated. At this time, the parameter distributor can perceive the cheating behavior so that the player cannot obtain the signature private key. According to Theorem 10, the rational participants will not deceive.

##### 4.3. Threshold Signature Process

The Okamoto signature module is used to complete the feature of signature.

Okamoto signature algorithm contains two private keys: the first is threshold signature private key just generated, and the second is each participator’s signature private key in set and set . Only after verification, parameter distributor can call Okamoto signature module. Two private key generation equations are as follows: Verify equation

is message sequence, and SHA is secure hash function.

We use the equation (41) to complete signature

Validation process can use standard Okamoto algorithm.

##### 4.4. Several Models Comparison

Table 1 is several models comparison. The parameters range of this model uses the limiting form of (31), (32), (33), and (34).

#### 5. Conclusion

This paper proposed computable complete and perfect information dynamic game with elastic equilibrium, based on the homogeneous constant coefficient linear differential equation. We constructs a dynamic game model and protocol using time sequences, bit commitments, Feldman’s verification menthod, and Okamoto’s signature permissions. The model achieves two different threshold signature permissions. We proved that, during the game, no participant has the tendency of departing from normal operation, so that the model achieves the purpose of preventing fraud. Our method expands the idea of permission and overcomes five inherent problems in homogeneous constant coefficient linear differential equation.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This work is supported by the National Natural Science Foundation of China (No.61170221). The authors appreciate the help as well as the hard work of the editor.

#### References

- A. Shamir, “How to share a secret,”
*Communications of the Association for Computing Machinery*, vol. 22, no. 11, pp. 612–613, 1979. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet · View at Scopus - G. Blakeley, “Safeguarding cryptographic keys,” in
*Proceedings of the National Computer Conference*, pp. 313–317, AFIPS Press, New York, NY, USA, 1979. - C. Asmuth and J. Bloom, “A modular approach to key safeguarding,”
*IEEE Transactions on Information Theory*, vol. 29, no. 2, pp. 208–210, 1983. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - P. Morillo, C. Padró, G. Sáez, and J. L. Villar, “Weighted threshold secret sharing schemes,”
*Information Processing Letters*, vol. 70, no. 5, pp. 211–216, 1999. View at Publisher · View at Google Scholar - C. Padró and G. Sáez, “Secret sharing schemes with bipartite access structure,”
*IEEE Transactions on Information Theory*, vol. 46, no. 7, pp. 2596–2604, 2000. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - T. Tassa and N. Dyn, “Multipartite secret sharing by bivariate interpolation,”
*Journal of Cryptology*, vol. 22, no. 2, pp. 227–258, 2009. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - O. Farràs, J. R. Metcalf-Burton, C. Padró, and L. Vázquez, “On the optimization of bipartite secret sharing schemes,”
*Designs, Codes and Cryptography*, vol. 63, no. 2, pp. 255–271, 2012. View at Publisher · View at Google Scholar · View at MathSciNet - C.-W. Chan and C.-C. Chang, “A new (t, n)-threshold scheme based on difference equations,” in
*Combinatorics, Algorithms, Probabilistic and Experimental Methodologies*, pp. 94–106, Springer, Berlin, Germany, 2007. View at Google Scholar - B. Li, “Differential secret sharing scheme based on special access secret sharing scheme,”
*Journal of Sichuan University (Natural Science)*, vol. 43, no. 1, pp. 78–83, 2006. View at Google Scholar · View at MathSciNet - Y. Desmedt and Y. Frankel, “Shared generation of authenticators and signatures,” in
*Proceedings of Advances in Cryptology-CRYPTO '91, Santa Barbara, Calif, USA, 1991*, pp. 457–469, Springer, Berlin, Germany, 1992. View at Google Scholar - A. Shamir, “Identity-based cryptosystems and signature schemes,” in
*Advances in Cryptology*, vol. 196 of*Lecture Notes in Computer Science*, pp. 47–53, Springer, Berlin, Germany, 1985. View at Google Scholar - K. G. Paterson and J. C. N. Schuldt, “Efficient identity-based signatures secure in the standard model,” in
*Information Security and Privacy*, vol. 4058 of*Lecture Notes in Computer Science*, pp. 207–222, Springer, Berlin, Germany, 2006. View at Publisher · View at Google Scholar - T. Okamoto, “Provable secure and practical identification schemes and corresponding signature schemes,” in
*Advances in Cryptology-CRYPTO '92*, vol. 740 of*Lecture Notes in Computer Science*, pp. 31–53, Springer, Berlin, Germany, 1992. View at Publisher · View at Google Scholar - J. Halpern and V. Teague, “Rational secret sharing and multiparty computation: extended abstract,” in
*Proceedings of the 36th Annual ACM Symposium on Theory of Computing (STOC '04)*, pp. 623–632, New York, NY, USA, 2004. View at Publisher · View at Google Scholar · View at MathSciNet - S. D. Gordon and J. Katz, “Rational secret sharing, revisited,” in
*Security and Cryptography for Networks*, vol. 4116 of*Lecture Notes in Computer Science*, pp. 229–241, Springer, Berlin, Germany, 2006. View at Publisher · View at Google Scholar - S. Maleka, A. Shareef, and C. P. Rangan, “The deterministic protocol for rational secret sharing,” in
*Proceedings of the 22nd IEEE International Parallel and Distributed Processing Symposium (IPDPS '08)*, pp. 1–7, IEEE, April 2008. View at Publisher · View at Google Scholar · View at Scopus - D. Wei and X. Qiuliang, “Special permission-based rational secret sharing scheme,”
*China Electronic Business: Communications Market*, no. 2, pp. 180–184, 2009. View at Google Scholar - W. Dong,
*Secret sharing based on game theory and application of the theory [M.S. thesis]*, Shandong University, 2011. - F. Z. Ben,
*Stochastic Process*, Science Press, Beijing, China, 2011. - Q. Weidong,
*Crypto Graphic Protocols Foundation*, Higher Education Press, Beijing, China, 2009. - P. Feldman, “A practical scheme for non-interactive verifiable secret sharing,” in
*Proceedings of the 28th IEEE Symposium on Foundations of Computer Science*, pp. 427–437, 1987.