A SM2 Elliptic Curve Threshold Signature Scheme without a Trusted Center

Abstract

Threshold signature is very important in identity authentication and some other applications. In December 2010, Chinese Encryption Administration released the SM2 elliptic curve digital signature algorithm as the first standard of the digital signature algorithm in China. At present, the papers on the threshold signature scheme based on this algorithm are few. A SM2 elliptic curve threshold signature scheme without a trusted center is proposed according to the Joint-Shamir-RSS algorithm, the Joint-Shamir-ZSS algorithm, the sum or diff-SS algorithm, the Mul-SS algorithm, the Inv-SS algorithm and the PM-SS algorithm. The proposed scheme is analyzed from correctness, security and efficiency. The correctness analysis shows that the proposed scheme can realize the effective threshold signature. The security analysis shows that the proposed scheme can resist some kinds of common attacks. The efficiency analysis shows that if the same secret sharing algorithms are used to design the threshold signature schemes, the SM2 elliptic curve threshold signature scheme will be more efficient than the threshold signature scheme based on ECDSA.

1. Introduction

With the development of E-Commerce and E-Government, digital signature becomes more and more important. In some applications, more than a specified number of members need to accomplish the effective signature together, and anyone receiving the signature can validate the effectiveness of the signature by the public key. Threshold signature can satisfy the needs of these applications. Threshold signature is the important research content in threshold cryptography and it was first proposed by Boyd [1] and Desmedt [2]. In 1991, Desmedt and Frankel [3] designed the first (t,n) threshold signature scheme based on RSA digital signature algorithm by threshold secret sharing algorithm. In the (t,n) threshold signature scheme, the trusted center distributes the private key shares to the signers. At least t signers accomplish the signature together by their private key shares, which works out the problem of authority abuse well. Later on, threshold signature attracted the attention of the researchers and many research production were achieved. Harn [4] proposed a threshold signature scheme without a trusted center based on ElGamal signature algorithm. Gennaro et al. [5] proposed the sharing algorithm of the multiplication of two secrets and the sharing algorithm of the inverse of the secret, and proposed a DSS threshold signature scheme on this basis. Wang et al. [6] proposed a threshold signature scheme with a trusted center based on the intractability of the discrete logarithm problem. Miyazaki [7] proposed a threshold signature scheme based on the elliptic curve ElGamal cryptosystem. HAN Jin-rong et al. [8] proposed a (t,n) verifiable threshold signature scheme based on the Nyberg Ruepple elliptic curve signature algorithm and the Pedersen verifiable secret sharing algorithm. Peng Hua-xi et al. [9] introduced the concept of forward security into the threshold signature scheme based on the bilinear pairing, and proposed a forward secure threshold signature scheme based on the bilinear pairing. SHEN Zhong-hua et al. [10] proposed a new (t,n) threshold signature scheme based on the multivariate linear polynomial according to the ElGamal public key cryptosystem and Schnorr signature algorithm. According to the standard lattice problem, Slim Bettaieb et al. [11] and Qingbin Wang et al. [12] proposed an improved lattice-based threshold signature scheme respectively. Fei Li et al. [13] proposed a new identity-based threshold signature scheme from bilinear pairings and the proposed scheme has the advantages in efficiency and functionality. Jung Yeon Hwang et al. [14] proposed an enhanced (t,n) threshold signature scheme based on the Computational Diffie-Hellman Problem. Raman Kumar et al. [15] proposed an enhanced secure threshold signature scheme based on RSA cryptosystem. In the proposed scheme, both the combiner and the secret share holder can verify the correctness of the information that they receive from each other.

The elliptic curve cryptosystem was proposed in 1986, which is better than traditional cryptosystem (such as RSA and DSA cryptosystem) in security and efficiency. It has become the mainstream algorithm of public key algorithms gradually. In December 2010, in order to satisfy the needs of the identity authentication in E-Commerce and E-Government, Chinese Encryption Administration [16] released the SM2 elliptic curve public key algorithms including SM2 elliptic curve digital signature algorithm. As the first standard of public key algorithm released by Chinese government, the SM2 elliptic curve public key algorithms play an important role in the construction of Chinese information security system. At present, the papers on the threshold signature scheme based on SM2 elliptic curve digital signature algorithm are few, so a SM2 elliptic curve threshold signature scheme without a trusted center is proposed in this paper.

 

2. SM2 Elliptic Curve Digital Signature Algorithm

First, we assume that the parameters of the SM2 elliptic curve public key algorithms include GF(p) , E , G , p and q . GF(p) is a finite field, E is an elliptic curve over GF(p) , G = (xG, yG) is a base point on the elliptic curve E (where G has a large order q ), p and q are two large prime numbers. d is the private key of the user, where d ∈ [1,q - 1] . P = dG is the public key of the user. h(·) is a Hash function.

The signature process of SM2 elliptic curve digital signature algorithm is described as follows.

Step 1. The signer chooses a random number k ∈ [1,q - 1] , then computes kG = (x1, y1) .

Step 2. For the message m to be signed, the signer computes r = (h(m) + x1)mod q . If r = 0 or r + k = q , the signer will go back to Step 1.

Step 3. The signer computes s = (1 + d)-1 (k - rd)mod q . If s = 0 , the signer will go back to Step 1, else he will get the signature (r, s) of the message m.

The signature validation process of SM2 elliptic curve digital signature algorithm is described as follows.

Step 1. When the verifier receives the message m and its signature (r, s) , he will validate whether (r, s) satisfy r, s∈[1,q - 1] and r + s ≠ q or not. If (r, s) doesn’t satisfy any one of them, the signature will be invalid, else the verifier will compute

Step 2. The verifier computes , then validates whether r' = r or not. If r' = r , the signature will be valid, else the signature will be invalid.

 

3. Several Secret Sharing Algorithms

According to the signature process of SM2 elliptic curve digital signature algorithm in section 2, the signer chooses a random number k , then computes kG = (x1, y1) in Step 1, so the secret sharing algorithm of a random secret number and the secret sharing algorithm of the multiplication of a number and a point are required in the design of the SM2 elliptic curve threshold signature scheme. The signer needs to compute (1 + d)-1 , k - rd and (1 + d)-1(k - rd) in Step 3, so the secret sharing algorithm of the inverse of the secret, the secret sharing algorithm of the sum of the secrets or the difference between the secrets and the secret sharing algorithm of the multiplication of two secrets are required in the design of the SM2 elliptic curve threshold signature scheme. The secret sharing algorithm of 0 is used to improve the safety of the algorithm in the secret sharing algorithm of the multiplication of two secrets. Therefore, the above 6 secret sharing algorithms used in the design of the SM2 elliptic curve threshold signature scheme are introduced in this section.

3.1 Joint-Shamir-RSS [5]

In the joint Shamir random secret sharing algorithm, the participants U1, U2, ⋯, Un chooses a random secret number respectively, and each participant distributes the secret shares of its random secret number to the other participants. The special trusted center is not needed in this process. The participants U1, U2, ⋯, Un realize the sharing of a random secret number which equals the sum of all the random secret numbers chosen by the participants. The detailed process of the joint Shamir random secret sharing algorithm is described as follows.

Step 1. Each participant Ui (i = 1,2,⋯,n) chooses a random secret number and constructs a secret polynomial (where the order of fi(x) is t ).

Step 2. Each participant Ui computes fi(g) , g = 1,2,⋯,n , then sends fi(g) to the participant Ug secretly.

Step 3. The participant Ug receives the secret shares fi(g) sent by the other participants Ui (1 ≤ i ≤ n and i ≠ g ) , then computes as its secret share.

The above algorithm is called joint Shamir random secret sharing algorithm or Joint-Shamir-RSS algorithm for short. The participants U1, U2, ⋯, Un share the secret by this algorithm. Accordingly, the polynomial used to share the secret σ is

3.2 Joint-Shamir-ZSS [5]

The joint Shamir zero secret sharing algorithm is similar to the joint Shamir random secret sharing algorithm. The only difference is that the random secret number chosen by each participant Ui (i = 1,2,⋯,n) is , so the secret shared by the participants is . The joint Shamir zero secret sharing algorithm is called Joint-Shamir-ZSS algorithm for short.

3.3 Sum or Diff-SS

Suppose that the participant Ui gets the secret shares ui = fu(i) and vi = fv(i) of the secret numbers u and v respectively by Joint-Shamir-RSS algorithm, where u = fu(0) , v = fv(0) , fu(x) and fv(x) are two different polynomials whose order is t . Q is the set composed of the subscripts w of any t + 1 participants’ symbols Uw . The sum of the secret numbers u and v or the difference between the secret numbers u and v can be expressed as follows.

Let zi denote the participant’s secret share of the secret number z which is got by Joint-Shamir-RSS algorithm, then

According to equation (1) and equation (2), it can be derived that

That is to say, the participant’s secret share of the sum of two secret numbers equals to the sum of the secret shares of the two secret numbers, and the participant’s secret share of the difference between two secret numbers equals to the difference between the secret shares of the two secret numbers. The polynomial used to share the secret number z is fz(x) = fu(x) ± fv(x) . The order of the polynomial fz(x) is also t . The above algorithm is called sum of secrets or difference between secrets sharing algorithm, and it is called Sum or Diff-SS algorithm for short.

3.4 Mul-SS [5]

Suppose that the participant Ui gets the secret shares ui = fu(i) and vi = fv(i) of the secret numbers u and v respectively by Joint-Shamir-RSS algorithm, where u = fu(0) , v = fv(0) , fu(x) and fv(x) are two different polynomials whose order is t . Like the sum or diff-SS algorithm, the participant’s secret share of the multiplication h = uv of two secret numbers u and v is computed as follows.

The polynomial used to share h = uv is fh(x)= fu(x)·fv(x). The order of the polynomial fh(x) is 2t . So at least 2t + 1 participants can recover the secret h = uv . Since fh(x) is the multiplication of two polynomials, it is an irreducible polynomial and its coefficients are not random completely, which reduces the security. So in order to make the coefficients of fh(x) random and improve the security of fh(x) , it is required to add a random polynomial whose order is 2t to fh(x) . The detailed process is described as follows.

Step 1. Each participant Ui gets the secret share αi of 0 by the Joint-Shamir-ZSS algorithm.

Step 2. Each participant Ui computes hi = uivi + αi as the secret share of h = uv .

The order of the polynomial fh(x) is 2t , so at least 2t + 1 participants can recover the secret h = uv . The above algorithm is called multiplication of secrets sharing algorithm or Mul-SS algorithm for short.

3.5 Inv-SS [5]

Suppose that the participants have shared the secret number u and Ui has got the secret share ui of the secret number u . The detailed process of sharing u-1 by the participants is described as follows.

Step 1. The participants share the random secret number β by the Joint-Shamir-RSS algorithm. Ui gets the secret share βi of the random secret number β .

Step 2. At least 2t + 1 participants share the multiplication βu of u and β by the Mul-SS algorithm. Each participant Ui gets the secret share (βu)i and broadcasts (βu)i to the other participants.

Step 3. Each participant Ui receives (βu)j (1 ≤ j ≤ n and j ≠ i ) broadcasted by the other participants, then computes βu as follows according to the interpolation formula.

Where Q is the set composed of the subscripts w of any 2t + 1 participants’ symbols Uw who share βu .

Step 4. Each participant Ui computes the secret share of u-1 as follows.

Since the order of the polynomial used to share the random secret number β is t , the order of the polynomial used to share u-1 is also t . So at least t + 1 participants sharing u-1 can recover u-1 . The above algorithm is called inverse of secret sharing algorithm or Inv-SS algorithm for short.

3.6 PM-SS

Suppose that the participant Ui gets the secret share ui of the secret number u by the Joint-Shamir-RSS algorithm. Q is the set composed of the subscripts w of any t + 1 participants’ symbols Uw . According to the interpolation formula, it can be derived that

So the participant Ui can get the secret share of the secret uG by computing uiG , and at least t + 1 participants can recover the secret uG . The above algorithm is called point multiplication secret sharing algorithm or PM-SS algorithm for short.

 

4. Design of the SM2 Elliptic Curve Threshold Signature Scheme

We can design a SM2 elliptic curve threshold signature scheme without a trusted center according to the above secret sharing algorithms. The scheme is divided into 3 parts including the initialization, the threshold signature and the signature validation.

4.1 Initialization

Suppose that the set of the participants is {U1,U2,⋯,Un} , n ≥ 2t + 1 and the message to besigned is m . The participants complete the initialization process before the threshold signature process. The participants share a random secret number by the Joint-Shamir-RSS algorithm. The random secret number is the private key d of the system actually. Ui gets the secret share di of the private key d , then computes diG to get the secret share of dG and broadcasts diG . Each participant receives diG broadcasted by the other participants, then computes the public key P = dG of the system according to the equation (7). Besides, since d' = (1 + d)-1 is used in the signature process of the SM2 elliptic curve digital signature algorithm, the participants can complete the sharing of d' = (1 + d)-1 in the initialization process to improve the efficiency of the threshold signature scheme. According to the Inv-SS algorithm, the detailed process of sharing d' = (1 + d)-1 by the participants is described as follows.

Step 1. The participants share the random secret number β by the Joint-Shamir-RSS algorithm. Ui gets the secret share βi of the random secret number β .

Step 2. The participants choose the polynomials which have the order 2t , then execute the Joint-Shamir-ZSS algorithm. Ui gets the secret share αi of 0.

Step 3. According to the Mul-SS algorithm, Ui gets the secret share γi = βi(1 + di) + αi of the multiplication γ = β(1 + d) . Then Ui broadcasts γi to the other participants.

Step 4. Each participant Ui receives γj (1 ≤ j ≤ n and j ≠ i ) broadcasted by the other participants, then computes γ as follows according to the interpolation formula.

Where Q is the set composed of the subscripts w of any 2t + 1 participants’ symbols Uw who share γ = β(1 + d) .

Step 5. Each participant Ui computes the secret share of d' = (1 + d)-1 as follows.

4.2 Threshold Signature and Signature Validation

At least 2t + 1 participants complete the threshold signature process as follows.

Step 1. Since the signer chooses a random number k in the signature process of SM2 elliptic curve digital signature algorithm, the participants share the random secret number k by the Joint-Shamir-RSS algorithm in the threshold signature process. Ui gets the secret share ki of the random secret number k .

Step 2. Since the participants need to get x1 by computing kG = (x1, y1) and each participant only has the secret share ki of the random secret number k , the participants can compute kG by the PM-SS algorithm. According to the PM-SS algorithm, each participant Ui gets the secret share of kG by computing kiG , then broadcasts kiG . Each participant Ui receives the secret shares of kG broadcasted by the other participants, then computes

Where Q is the set composed of the subscripts w of any t + 1 participants’ symbols Uw .

Step 3. Each participant Ui computes

Step 4. Since the signature s = (1 + d)-1 (k - rd)mod q , the participants need to get the secret share of k - rd by the Sum or Diff-SS algorithm to get the secret share of the signature s finally. According to the Sum or Diff-SS algorithm, each participant Ui computes the secret share ki - rdi of k - rd .

Step 5. Since the signature s = (1 + d)-1 (k - rd)mod q and the participants have already got the secret shares of (1 + d)-1 and k - rd , the participants can get the secret share of the signature s by the Mul-SS algorithm. According to the Mul-SS algorithm, the participants choose the polynomials which have the order 2t , then execute the Joint-Shamir-ZSS algorithm. Ui gets the secret share μi of 0, then computes the secret share si of the signature s = (1 + d)-1 (k - rd)mod q as follows.

Step 6. Each participant Ui broadcasts his signature share si . When the number of the signature shares got by any one participant or signature receiver reaches 2t + 1 , he can compute the signature s according to the interpolation formula. Thus the signature (r, s) of the message m is got.

The signature validation process of SM2 elliptic curve threshold signature scheme is the same as that of SM2 elliptic curve digital signature algorithm in section 2.

 

5. Correctness, Security and Efficiency Analysis

5.1 Correctness Analysis

Theorem 1. For the message m and the signature (r, s) , if r' = r , then (r, s) will be the effective threshold signature of the message m.

Proof. According to the equations (8), (9), (12), we obtain

Then according to the interpolation formula, we have

and

Now proof is completed.

5.2 Security Analysis

The security of the threshold signature scheme in this paper is mainly based on the computational intractability of the Elliptic Curve Discrete Logarithm Problem (ECDLP) over a finite field. The definition of the Elliptic Curve Discrete Logarithm Problem is given as below.

Definition 1 (Elliptic Curve Discrete Logarithm Problem). Given the elliptic curve E defined over a finite field GF(p) , P and Q are any two points on the elliptic curve E . For a integer k , Q = kP . The problem that finding k according to P , Q and the elliptic curve E is called the Elliptic Curve Discrete Logarithm Problem (ECDLP) over the finite field GF(p) .

Over the past decade, the ECDLP has attracted the attention of many mathematicians from all over the world. It has been proved that it is relatively easy to solve Q according to k and P , but it is difficult to solve k according to Q and P . Until now, the effective solving method whose taking time is less than the exponential time has not been proposed for the general ECDLP. Therefore, it is difficult to solve the ECDLP over a finite field, that is to say, it is infeasible on computation.

This scheme may suffer from the attacks of the insiders or the external attackers in the threshold signature process and the signature validation process. It can be shown that this scheme can resist the common attacks by the following analysis.

Attack 1. The attacker tends to solve the private key of the system using the open information and the signature.

Situation 1. The attacker tends to solve the private key d of the system using the public key P of the system.

Since P = dG, it is equivalent to solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) that the attacker tends to solve d using P , which is difficult on computation.

Situation 2. The attacker tends to solve the private key d of the system using the message m and its threshold signature (r, s) .

According to the proof process of Theorem 1, the attacker can compute kG = sG + (r + s)P , but it is equivalent to solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) that solving the random number k on this basis, which is difficult on computation. Therefore two unknown numbers d and k exist in the equation s = (1 + d)-1(k - rd)mod q for the attacker. It is impossible to solve the private key d of the system.

Attack 2. The attacker tends to solve the private key share di of the participant Ui using the signature share si of Ui ( i = 1,2,⋯,n ).

According to the proof process of Theorem 1, many unknown numbers β, d , βi, ki and μi exist in the equation si = ((β(1 + d))-1 βiki - (β(1 + d))-1 βirdi + μi)mod q for the attacker. Therefore it is impossible to solve the private key share di of the participant Ui using the signature share si of Ui (i = 1,2,⋯,n).

Attack 3. The attacker tends to forge the threshold signatures of other messages using the open information in the threshold signature scheme.

Situation 1. The attacker tends to forge the signature share si of the message m produced by the participant Ui according to the threshold signature scheme, then use 2t + 1 signature shares to forge the threshold signature s of the message m according to the interpolation formula.

According to the proof process of Theorem 1, the signature share of the message m produced by the participant Ui is si = ((β(1 + d))-1 βiki - (β(1 + d))-1 βirdi + μi)mod q . Since the attacker doesn’t know the private key d of the system or the private key share di of the participant Ui , he can’t forge the signature share si of the message m produced by the participant Ui . Consequently, the attacker can’t forge the threshold signature s of the message m according to the interpolation formula.

Situation 2. The attacker tends to forge the threshold signature (r, s) of the message m directly by making them satisfy the signature validation equations and

If the attacker chooses the message m and a random number k , he can compute . But it is not easier than solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) that solving s according to the equation , which is difficult on computation.

If the attacker chooses the message m and r , he can solve according to the equation . But it is not easier than solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) that solving s according to the equation , which is difficult on computation.

If the attacker chooses the message m and s , it will not be easier than solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) that solving r according to the signature validation equations and , which is difficult on computation.

5.3 Efficiency Analysis

The efficiency of the proposed SM2 elliptic curve threshold signature scheme is analyzed from the traffic and the calculation in this paper. And the proposed SM2 elliptic curve threshold signature scheme is compared with the threshold signature scheme based on Elliptic Curve Digital Signature Algorithm (ECDSA) in efficiency.

We assume that the parameters of the ECDSA are the same as that of the SM2 elliptic curve public key algorithms, therefore the signature process of ECDSA can be described as follows.

Step 1. The signer chooses a random number k ∈ [1,q - 1] , then computes kG = (x1, y1) .

Step 2. The signer computes r = x1 mod q . If r = 0 , the signer will go back to Step 1.

Step 3. For the message m to be signed, the signer computes s = k-1 (h(m) + rd)mod q . If s = 0 , the signer will go back to Step 1, else he will get the signature (r, s) of the message m.

The signature validation process of ECDSA is described as follows.

Step 1. When the verifier receives the message m and its signature (r, s) , he will validate whether (r, s) satisfy r, s ∈ [1,q - 1] or not. If (r, s) doesn’t satisfy r, s∈[1,q - 1] , the signature will be invalid, else the verifier will compute w = s-1 mod q .

Step 2. The verifier computes u1 = h(m)wmod q and u2 = rwmod q .

Step 3. The verifier computes , then validates whether r' = r or not. If r' = r , the signature will be valid, else the signature will be invalid.

Like the design of the SM2 elliptic curve threshold signature scheme, the secret sharing algorithms introduced in section 3 are still used to design the threshold signature scheme based on ECDSA. The participant Ui gets the secret share di of the private key d and the public key P = dG of the system in the initialization process of the threshold signature scheme. Then, at least 2t + 1 participants complete the threshold signature process as follows.

Step 1. The participants share the random secret number k by the Joint-Shamir-RSS algorithm. Ui gets the secret share ki of the random secret number k .

Step 2. According to the PM-SS algorithm, each participant Ui gets the secret share of kG by computing kiG , then broadcasts kiG . Each participant Ui receives the secret shares of kG broadcasted by the other participants, then computes

Where Q is the set composed of the subscripts w of any t + 1 participants’ symbols Uw .

Step 3. Each participant Ui computes

Step 4. Each participant Ui computes the secret share h(m) + rdi of h(m) + rd .

Step 5. The participants share k-1 by the Inv-SS algorithm. Ui gets the secret share of k-1 .

Step 6. The participants share the signature s = k-1(h(m) + rd)mod q by the Mul-SS algorithm. Ui gets the secret share si of s .

Step 7. Each participant Ui broadcasts his signature share si . When the number of the signature shares got by any one participant or signature receiver reaches 2t + 1 , he can compute the signature s according to the interpolation formula. Thus the signature (r, s) of the message m is got.

The signature validation process of the threshold signature scheme based on ECDSA is the same as that of the ECDSA above.

According to the above threshold signature scheme, it can be seen that the main differences between the proposed SM2 elliptic curve threshold signature scheme and the threshold signature scheme based on ECDSA include the following two points. First, the participants need not to execute the Inv-SS algorithm in the threshold signature process of the SM2 elliptic curve threshold signature scheme, but the participants need to execute the Inv-SS algorithm to share k-1 in the threshold signature process of the threshold signature scheme based on ECDSA. Second, the verifier needs not to execute the inverse computation and the modular multiplication computation in the signature validation process of the SM2 elliptic curve threshold signature scheme, but the verifier needs to execute the inverse computation to compute w = s-1 mod q and execute the modular multiplication to compute u1 = h(m)wmod q and u2 = rwmod q in the signature validation process of the threshold signature scheme based on ECDSA.

5.3.1 Traffic Analysis

The traffic of the threshold signature scheme is estimated by the amount of the data transmitted in the scheme in this paper. |x| denotes the data length of the number x in the following analysis, and its unit is bit.

Since the initialization process of the threshold signature scheme has been completed before the threshold signature process, and the verifier needs not to communicate with others in the signature validation process, only the traffic in the threshold signature process is considered. Suppose that the number of the participants is T (T ≥ 2t + 1) in the SM2 elliptic curve threshold signature scheme. Each participant needs to transmit (T - 1)|q| bits of data to the other T - 1 participants secretly when executing the Joint-Shamir-RSS algorithm to share the random secret number k . Each participant needs to broadcast 2|p| bits of data when broadcasting kiG . Each participant needs to transmit (T - 1)|q| bits of data to the other T - 1 participants secretly when executing the Joint-Shamir-ZSS algorithm. Each participant needs to broadcast |q| bits of data when broadcasting his signature share si . Therefore each participant needs to transmit a total of 2(T - 1)|q| bits of data secretly and broadcast a total of 2|p| + |q| bits of data in the threshold signature process.

Suppose that the number of the participants is T (T ≥ 2t + 1) in the threshold signature scheme based on ECDSA designed by the same secret sharing algorithms. Each participant needs to transmit (T - 1)|q| bits of data to the other T - 1 participants secretly when executing the Joint-Shamir-RSS algorithm to share the random secret number k and broadcast 2|p| bits of data when broadcasting kiG . In the process of sharing k-1 by the participants, according to the Inv-SS algorithm, each participant needs to transmit (T - 1)|q| bits of data to the other T - 1 participants secretly when executing the Joint-Shamir-RSS algorithm to share the random secret number β, transmit (T - 1)|q| bits of data to the other T - 1 participants secretly when executing the Joint-Shamir-ZSS algorithm, and broadcast |q| bits of data when executing the Mul-SS algorithm. After this, the participants share s=k-1(h(m) + rd)mod q by the Mul-SS algorithm. Each participant needs to transmit (T - 1)|q| bits of data to the other T - 1 participants secretly when executing the Joint-Shamir-ZSS algorithm. At last, each participant needs to broadcast |q| bits of data when broadcasting his signature share si . Therefore each participant needs to transmit a total of 4(T - 1)|q| bits of data secretly and broadcast a total of 2|p| + 2|q| bits of data in the threshold signature scheme based on ECDSA designed by the secret sharing algorithms in the SM2 elliptic curve threshold signature scheme.

Since the number of the participants is T , the traffic contrast between the two threshold signature schemes is shown in Table 1. Obviously the traffic of the SM2 elliptic curve threshold signature scheme is less than that of the threshold signature scheme based on ECDSA. The main reason is that the process of sharing the inverse of the secret has been completed in the initialization of the SM2 elliptic curve threshold signature scheme and is not needed in the threshold signature process, but the process of sharing k-1 needs to be completed and increases the traffic to some extent in the threshold signature process of the threshold signature scheme based on ECDSA.

Table 1.Traffic contrast between the two threshold signature schemes

5.3.2 Calculation Analysis

Compared with the hash computation, the point addition computation and the scalar multiplication computation based on the elliptic curve E , the inverse computation, the exponent computation and the modular multiplication computation over the finite field Zq , the calculated amount of the other computations is smaller in the threshold signature scheme, so the number of the above computations are used to estimate the calculated amount of the threshold signature scheme in this paper.

The calculation analysis is similar to the traffic analysis. Since the initialization process of the threshold signature scheme has been completed before the threshold signature process, only the calculation in the threshold signature process and the signature validation process is considered. Suppose that the number of the participants is T (T ≥ 2t + 1) in the threshold signature process of the SM2 elliptic curve threshold signature scheme. Each participant needs to execute T·t exponent computations when executing the Joint-Shamir-RSS algorithm to share the random secret number k . According to the PM-SS algorithm, each participant needs to execute t + 2 scalar multiplication computations and t point addition computations in the process of getting kG . Each participant needs to execute 1 hash computation when computing r = (h(m) + x1)mod q . Each participant needs to execute 2T·t exponent computations when executing the Joint-Shamir-ZSS algorithm to share 0 in the process of getting the secret share si of s according to the Mul-SS algorithm. In the signature validation process of the SM2 elliptic curve threshold signature scheme, the verifier needs to execute 2 scalar multiplication computations and 1 point addition computation when computing and execute 1 hash computation when computing . One scalar multiplication computation is composed of a number of point addition computations. One scalar multiplication computation mG can be transformed into 2(|q| - 1) point addition computations for the integer m ∈ Zq and the base point G on the elliptic curve. Therefore the calculation of each participant can be equivalent to 3T·t exponent computations, 2(t + 2)(|q| - 1) + t point addition computations and 1 hash computation in the threshold signature process of the SM2 elliptic curve threshold signature scheme, and the calculation of the verifier can be equivalent to 4(|q| - 1) + 1 point addition computations and 1 hash computation in the signature validation process of the SM2 elliptic curve threshold signature scheme.

Suppose that the number of the participants is T (T ≥ 2t + 1) in the threshold signature process of the threshold signature scheme based on ECDSA designed by the same secret sharing algorithms. Each participant needs to execute T·t exponent computations when executing the Joint-Shamir-RSS algorithm to share the random secret number k . According to the PM-SS algorithm, each participant needs to execute t + 2 scalar multiplication computations and t point addition computations in the process of getting kG . Each participant needs to execute 1 hash computation when computing h(m) + rdi . In the process of sharing k-1 by the participants, according to the Inv-SS algorithm, each participant needs to execute T·t exponent computations when executing the Joint-Shamir-RSS algorithm to share the random secret number β , execute 2T·t exponent computations when executing the Joint-Shamir-ZSS algorithm to share 0, and execute 1 inverse computation and 1 modular multiplication computation when computing . In the process of getting the secret share si of s by the Mul-SS algorithm, each participant needs to execute 2T·t exponent computations when executing the Joint-Shamir-ZSS algorithm to share 0. In the signature validation process of the threshold signature scheme based on ECDSA, the verifier needs to execute 1 inverse computation when computing w = s-1 mod q , execute 1 hash computation and 2 modular multiplication computations when computing u1 = h(m)wmod q and u2 = rwmod q , and execute 2 scalar multiplication computations and 1 point addition computation when computing . Since one scalar multiplication computation can be transformed into 2(|q| - 1) point addition computations, the calculation of each participant can be equivalent to 6T·t exponent computations, 2(t + 2)(|q| - 1) + t point addition computations, 1 hash computation, 1 inverse computation and 1 modular multiplication computation in the threshold signature process of the threshold signature scheme based on ECDSA, and the calculation of the verifier can be equivalent to 1 inverse computation, 1 hash computation, 2 modular multiplication computations and 4(|q| - 1) + 1 point addition computations in the signature validation process of the threshold signature scheme based on ECDSA.

Let Th, Tpa, Ti, Te and Tmm be the time for performing a hash computation, a point addition computation, a inverse computation, a exponent computation and a modular multiplication computation respectively. Suppose that the number of the participants is T (T ≥ 2t + 1) . The calculation contrast between the threshold signature processes of the two threshold signature schemes is shown in Table 2, and the calculation contrast between the signature validation processes of the two threshold signature schemes is shown in Table 3.

Table 2.Calculation contrast between the threshold signature processes of the two threshold signature schemes

Table 3.Calculation contrast between the signature validation processes of the two threshold signature schemes

Obviously the calculation in the threshold signature process and the signature validation process of the SM2 elliptic curve threshold signature scheme is less than that in the threshold signature process and the signature validation process of the threshold signature scheme based on ECDSA respectively. The main reasons include the following two points. First, the process of sharing the inverse of the secret has been completed in the initialization of the SM2 elliptic curve threshold signature scheme and is not needed in the threshold signature process, but the process of sharing k-1 needs to be completed in the threshold signature process of the threshold signature scheme based on ECDSA, which causes the participants to execute the Inv-SS algorithm and increases the calculation to some extent. Second, the verifier needs not to execute the inverse computation and modular multiplication in the signature validation process of the SM2 elliptic curve threshold signature scheme, but the verifier needs to execute the inverse computation and the modular multiplication computation when computing w, u1 and u2 in the signature validation process of the threshold signature scheme based on ECDSA, which increases the calculation to some extent.

 

6. Conclusion

A SM2 elliptic curve threshold signature scheme without a trusted center based on the SM2 elliptic curve digital signature algorithm released by Chinese Encryption Administration in December 2010 is proposed according to several secret sharing algorithms in this paper. The proposed scheme is analyzed from correctness, security and efficiency. The correctness analysis shows that the proposed scheme can realize the effective threshold signature. The security analysis shows that the proposed scheme can resist some kinds of common attacks. The efficiency of the proposed scheme is analyzed from the traffic and the calculation. If the secret sharing algorithms in this paper are used to design the threshold signature schemes, the traffic and the calculation of the designed SM2 elliptic curve threshold signature scheme will be all less than that of the designed threshold signature scheme based on ECDSA, that is to say, the former will be more efficient than the latter. At present, the papers on the threshold signature scheme based on the SM2 elliptic curve digital signature algorithm are few. The number of the signers may depend on the importance of the message to be signed in many practical applications, which demands that the threshold value of the threshold signature scheme be dynamic. Therefore the threshold signature scheme with dynamic threshold value based on the SM2 elliptic curve digital signature algorithm will be the next important research content.