Constructing some collective digital signature schemes based on the integer factorization problem (English summary)


MINISTRY OF EDUCATION AND TRAINING
MINISTRY OF NATIONAL DEFENCE
ACADEMY OF MILITARY SCIENCE AND TECHNOLOGY

PHAM VAN HIEP

CONSTRUCTING SOME COLLECTIVE DIGITAL SIGNATURE SCHEMAS BASED ON THE INTEGER FACTORIZATION PROBLEM

Specialization: Mathematical Foundation for Informatics
Code: 46 01 10

SUMMARY OF PhD THESIS IN MATHEMATICS

Ha Noi, 2022

This thesis has been completed at the Academy of Military Science and Technology, Ministry of National Defence.

Scientific Supervisors:
Dr Nguyen Huu Mong
Dr Ngo Trong Mai

Reviewer 1: Assoc Prof Dr Le My Tu, Academy of Cryptography Techniques
Reviewer 2: Assoc Prof Dr Đo Trung Tuan, University of Sciences - Vietnam National University, Hanoi
Reviewer 3: Assoc Prof Dr Nguyen Ngoc Hoa, University of Technology - Vietnam National University, Hanoi

The thesis will be defended in front of the thesis examination committee at the Academy of Military Science and Technology at hour ... on date ..., 2022.

The thesis can be found at:
- Library of Academy of Military Science and Technology
- Vietnam National Library

INTRODUCTION

The necessity of the thesis

Science and technology are developing rapidly, especially in the field of Information Technology, and electronic transactions over networks are becoming more widespread and more frequent. Data security is always a top priority: the information must be accurate, and the recipient must receive the correct data from the sender. Digital signatures meet the requirement of certifying the origin of data. Today, single digital signatures are used in many fields such as e-commerce and e-government. However, in online transactions where many people take part in signing, a single signature is not suitable: if every person puts a single signature on a data message, the size of the signature increases with the number of signatures. A collective signature is therefore a solution when many people take part in signing. Nowadays, collective signatures are used in many applications such as electronic voting, multi-factor authentication, broadcasting channels, etc.

Digital signatures in general and collective digital signatures in particular are built on a number of different cryptographic systems. One of the most commonly used is the RSA public key cryptosystem [57]. The security of the RSA cryptosystem is based on the difficulty of factoring large integers and of computing e-th roots modulo n. However, the RSA cryptosystem is insecure when used incorrectly, and its security is broken as soon as either the factorization problem or the root problem is solved. In addition, digital signatures are also built and developed on other cryptosystems such as the Rabin and Elgamal cryptosystems. The security of these cryptosystems is also based on the difficulty of factoring, the difficulty of the discrete logarithm problem on finite fields, etc. However, the security of signature schemes can also be broken if the parameters and secret keys are chosen inappropriately.

In the process of constructing and developing digital signature algorithms, some scientists have proposed a research direction that combines difficult problems in number theory, such as the factorization problem, the root problem and the discrete logarithm problem, in order to improve the safety and performance of algorithms when applied in practice.

In addition, current digital signature application models meet the requirement of certifying the origin of information created by independent entities. The technology infrastructure of digital authentication is the public key infrastructure, founded on public key cryptography and digital signatures [52]. However, as the need for collective digital signatures in many fields increases, research into improved digital signature models and more suitable digital signature schemes will be of interest in the future.

The objectives of the research

- Propose a collective digital signature model suitable to practical needs and applications, from which to construct collective digital signature schemes that meet the requirements of origin authentication and integrity.
- Develop basic digital signature schemes based on difficult problems in number theory and popular digital signature standards.
- Prove the safety and efficiency of the implementation of the schemes.

The object and scope of the research

- The basis of the RSA public-key cryptosystem, the Elgamal cryptosystem and the GOST R34.10-94 signature standard.
- Difficult problems in number theory such as: factorization problem, root problem, discrete logarithm problem.
- Digital signature model and application in practice.
- Digital signature schemes, collective digital signatures.

The content of the research

- RSA and Elgamal public key cryptosystems and the GOST R34.10-94 signature standard.
- Construct a model of collective digital signature in combination form.
- Develop basic digital signature schemes and collective digital signatures based on the combination of the factorization problem with the root problem and the discrete logarithm problem, to improve safety and practical efficiency.

The research method

Research and refer to scientific works and reports in the field of cryptography and digital signatures; analyze and evaluate the safety and effectiveness of digital signature schemes.

The scientific and practical significance

- Regarding the scientific significance: The thesis proposes a model of collective digital signature in combination form that meets the requirements of authentication of origin and integrity of data at all levels. It proposes general and basic scheme types, from which collective digital signature schemes are built. The proposed new schemes ensure safety, can reduce the size of digital signatures, and improve the implementation efficiency of the scheme in practical applications.
- In terms of practical significance: The proposed new collective
signature schemes are suitable for agencies, schools and enterprises, and are convenient to store and deploy on current network infrastructures.

CHAPTER 1. COLLECTIVE DIGITAL SIGNATURE AND SOME PROBLEMS

1.1 Digital signatures

This section presents digital signatures, some types of attacks on and breaks of digital signature schemes, safety standards for the parameters used in digital signatures, the legality of digital signatures in Vietnam and the application of digital signatures in practice.

1.2 Collective digital signature

Presents general knowledge about collective digital signatures, the components of a collective digital signature scheme and the classification of collective digital signatures.

1.3 Mathematical basis used in the thesis

In this section, the thesis presents some concepts, definitions and number theory problems related to the content of the thesis, such as: the factorization problem (IFP), the root problem (RSAP) and the discrete logarithm problem (DLP).

1.4 Popular digital signature schemes and digital signature standards

Presents popular digital signature schemes and digital signature standards applied in practice such as RSA, Elgamal and GOST 34.10-94.

1.5 Some issues raised and research orientation of the thesis

1.5.1 Existing problems of digital signature scheme and digital signature model

Over the years, there have been many studies on digital signature schemes built on difficult problems such as the factorization problem, the discrete logarithm problem and the discrete logarithm problem on elliptic curves. Digital signature schemes have been applied in many fields to support authenticating the origin of data in electronic transactions. However, after a while, some digital signature schemes were proven by scientists to be unsafe: signatures can be forged. See specifically works such as [41], [44].

In order to improve the security of digital signature schemes, many scientists have proposed building signature schemes on a combination of difficult problems such as
factorization and discrete logarithm problems, factorization and root problems, or discrete logarithm and root problems. However, after a while, some of these signature schemes were proven by many scientists to be insecure, such as [32], [38], [42], [60], [63], [77], or their security turned out to be based on only one difficult problem, as discussed in [23], [27].

Besides, as the number of electronic transactions increases, authenticating the origin and integrity of information at different levels, while remaining technically guaranteed and convenient for information transmission, will be of interest to many agencies and organizations in the coming time. Current models and algorithms, such as the single-signature algorithms RSA [57], DSA [51], GOST R34.10-94 [31], or models with multiple-signature algorithms and group signatures [16], [5], [4], [48], [59], do not address this issue. Meanwhile, such requirements are becoming increasingly necessary to ensure that the authentication of information in electronic administrative procedures is consistent with administrative procedures in real society.

Ensuring information security in online transactions is always a challenge for researchers. As the Information Technology infrastructure develops, it is only a matter of time before mainframe systems are used to solve difficult problems in number theory. Therefore, continuing to research and propose models and algorithms that ensure safety, in accordance with current practical needs, is always of interest to many researchers.

1.5.2 Research orientation of the thesis

From the remaining problems analyzed above, the Ph.D. candidate gives specific research orientations as follows:

- Propose a model of collective digital signature in combination form to ensure the requirements of authentication of origin and integrity for data messages at different levels in electronic transactions, in accordance with current network infrastructure in the storage and
transmission of information.
- Development of digital signature schemes based on difficult problems: the basic digital signature schemes are built on the combination of the factorization problem (IFP) with the root problem (RSAP) or the discrete logarithm problem (DLP) to improve the safety of the algorithms. From the proposed combined collective digital signature model and the basic signature schemes, develop combined collective signature schemes suitable to current practical needs.

1.6 Conclusion of Chapter 1

In this chapter, the thesis has presented some concepts and terms related to digital signatures and collective digital signatures, and the mathematical basis for constructing the digital signature schemes in the thesis. It has also presented the results of domestic and foreign research on the development of collective digital signatures and the outstanding problems in some digital signature schemes. The thesis gives some analysis of the security of digital signature schemes, which can be broken when the selected parameters are not reasonable or when only one difficult problem needs to be solved.

From the above analysis, the thesis gives directions for further research to improve the security of signature schemes based on the combination of difficult problems in number theory and, at the same time, to construct and develop a model of collective digital signature in combination form suitable for transactions using electronic digital signatures at agencies and organizations with legal status in society.

CHAPTER 2. DEVELOPING A COLLECTIVE DIGITAL SIGNATURE ALGORITHM BASED ON THE PROBLEMS IFP AND RSAP

2.1 Model of collective digital signature in combination form

On the basis of studying the development of digital signatures, in order to promote the use of collective digital signatures in practical applications and improve the safety of digital signatures, the thesis proposes a "combined collective digital signature model". The proposed model is suitable for government agencies, schools and businesses. In the
proposed model, the collective signature is formed on the basis of the individual signature of the signing entity (one or a group of signing objects) and the CA's certificate. Here the CA provides the organization's authentication of the data message to be signed. The mechanism for forming the combined signature is illustrated in Figure 2.3.

Figure 2.3 Diagram illustrating the mechanism of collective signature

Based on the proposed new model, the thesis constructs and develops collective digital signature schemes in order to meet the needs of today's reality.

2.2 Constructing signature scheme IFP-RSAP base I

In this section, the thesis proposes a method to build signature scheme IFP-RSAP base I (general form). From the general-form signature scheme, it is possible to create a new family of signature schemes, similar to the Elgamal signature family built on the discrete logarithm problem.

2.2.1 Steps to construct signature scheme IFP-RSAP base I

2.2.1.1 Select and compute parameters

1. Choose two distinct primes $p$ and $q$. Parameters $p$, $q$ can be selected according to the standard FIPS 186 – [51].
2. Compute: $n = p \cdot q$ and $\varphi(n) = (p-1)(q-1)$. The value $\varphi(n)$ is called the Euler function.
3. Choose secret key $x_1$ in the range $(1, n)$ satisfying the condition $\gcd(x_1, n) = 1$ and compute the public key $y$:
3.1 Choose exponent $t$ with value in the range $1 < t < \varphi(n)$ satisfying the condition $\gcd(t, \varphi(n)) = 1$.
3.2 Parameter $y$ can be calculated by (2.1a) or (2.1b):
$y = x_1^{t} \bmod n$ (2.1a)
or: $y = x_1^{-t} \bmod n$ (2.1b)
3.3 If $y \geq \varphi(n)$ or $\gcd(y, \varphi(n)) \neq 1$ then return to step 3.1. If $y < \varphi(n)$ and $\gcd(y, \varphi(n)) = 1$ then finish calculating $y$.
4. Compute: $x_2 = y^{-1} \bmod \varphi(n)$ (2.2)

Notes:
- $y$ is the public key; $n$, $t$ are public parameters;
- $x_1$, $x_2$ are secret keys; $p$, $q$, $\varphi(n)$ are secret parameters.

2.2.1.2 Generate signature IFP-RSAP base I

Algorithm for generating signature IFP-RSAP base I
Input: $n$, $t$, $x$, $f_1$, $f_2$, $f_3$, $M$ - data message to be signed
Output: $(R, S)$ / $(E, S)$ - signature
Randomly
choose a value of k in the range (1, n) The first component of the signature has two forms calculated according to the following formulas: R  k t mod n (2.3) f2 M ,R  mod n) Or: E  f1 ( M , R (2.4) The second component of the signature is calculated by one of the following formulas:  S  k f M , R   x f ( M , R )   x2  mod n (2.5) f M , R   x f ( M , E ) mod n Or: S  k (2.6) Return ( R, S ) / ( E , S ) Notes: - f1 (.) : The function of M and R is in the range (1, n) and in some specific cases need to satisfy the condition gcd( f1 , n)  for the function f1 to exist inversely for n; - f (.), f (.) : The function of M and R or E has a value in the range (1, 𝜑(𝑛)); - ( R, S ) : Signatures created by (2.3) and (2.5); - ( E , S ) : Signatures created by (2.4) and (2.6) 2.2.1.3 Verify signature IFP-RSAP base I Algorithm for verifying signature IFP-RSAP base I x2 a Signature case is ( R, S ) Input: n, t, y, ( R, S ) , M Output: ( R, S ) = true / false t Computer: u  S mod n f2 M ,R  f3  M , R  y mod n Computer: v  R If (u  v) Then ( R, S ) = true Else ( R, S ) = false b Signature case is ( E , S ) Input: n, t, y, ( E , S ) , M Output: ( E , S ) = true / false (2.7) (2.8) f M ,E  mod n Computer : u  S  y (2.9) Computer : v  f1 (M , u) (2.10) If ( v  E ) Then ( E , S ) = true Else ( E , S ) = false Notes: - ( R, S ) / ( E , S ) = true: valid signature, message M recognized for origin and integrity - ( R, S ) / ( E , S ) = false: forged signature and/or M is not intact 2.2.2 The correctness of the signature scheme IFP-RSAP base I Lemma 2.1: Let p, q be two prime numbers, n  p  q ,  (n)  ( p  1)  (q  1) , choose a, b, c, x, k that satisfy the condition  a, b, c   (n) ,  x, k  n t a b a c If: y  x mod n , R  k mod n , S  k  x mod n Then: S  R  y mod n Theorem 2.1 The method of forming and checking signatures according to formulas (2.3), (2.5), (2.7) and (2.8) is correct Lemma 2.2: Let p, q be two prime numbers, n  p  q ,  (n)  
( p  1)  (q  1) , choose a, b, c, x, k that satisfy the condition  a, b, c   ( n) ,  x, k  n , gcd( x, n)  a b c a b c a If: y  x mod n , R  k mod n , S  k  x mod n Then: R  S  y mod n

Theorem 2.2. The method of forming and checking signatures according to formulas (2.4), (2.6), (2.9) and (2.10) is correct.

2.3 Signature scheme IFP-RSAP base II

The signature scheme IFP-RSAP base II is built on the signature scheme IFP-RSAP base I (general form) and relies on the difficulty of solving the factorization problem (IFP) and the root problem on $Z_n$ (RSAP).

2.3.1 General Procedure

2.3.1.1 Selection of parameters and keys

1. Choose a pair of large prime numbers $p$ and $q$. Set: $lp = len(p)$, $lq = len(q)$; $lp$, $lq$ are the lengths of $p$, $q$ in binary bits. Compute: $n = p \cdot q$ and $\varphi(n) = (p-1)(q-1)$. Parameters $p$, $q$ can be selected according to the standard FIPS 186 – [51].
2. Choose secret key $x_1$ in the range $(1, n)$ satisfying the condition $\gcd(x_1, n) = 1$ and compute the public key $y$:
2.1 Choose a prime $t$ that is co-prime to $n$, i.e. $\gcd(t, n) = 1$.
2.2 Compute $y = x_1^{-t} \bmod n$.
2.3 If $y \geq \varphi(n)$ or $\gcd(y, \varphi(n)) \neq 1$ then return to step 2.1.
3. Compute: $x_2 = y^{-1} \bmod \varphi(n)$.
4. Choose a hash function $H: \{0,1\}^* \to Z_h$, with $h < n$. Hash function H(.)
selectable according to FIPS 180 - [50].

Notes:
- $y$ is the public key; $n$, $t$ are public parameters;
- $x_1$, $x_2$ are secret keys; $p$, $q$, $\varphi(n)$ are secret parameters.

2.3.1.2 Generate signature IFP-RSAP base II

Algorithm for generating signature IFP-RSAP base II
Input: $n$, $t$, $x_1$, $x_2$, $M$ - data message to be signed
Output: $(E, S)$ - signature
1. Randomly choose a value of $k$ in the range $(1, n)$.
2. Calculate the value of $R$: $R = k^{t} \bmod n$
3. Calculate the first component of the signature: $E = H(M \| R)$
4. Calculate the second component of the signature: $S = (k \times x_1^{E})^{x_2} \bmod n$
5. Return $(E, S)$

Notes:
- Operator "||" is the concatenation of two bit strings.

2.3.1.3 Verify signature IFP-RSAP base II

Algorithm for verifying signature IFP-RSAP base II
Input: $n$, $t$, $y$, $(E, S)$, $M$
Output: $(E, S)$ = true / false
1. Calculate the value of $\bar{S}$: $\bar{S} = S^{y} \bmod n$
2. Calculate the value of $\bar{R}$: $\bar{R} = \bar{S}^{t} \times y^{E} \bmod n$
3. Calculate the value of $\bar{E}$: $\bar{E} = H(M \| \bar{R})$ (2.16)
4. If ($\bar{E} = E$) Then {return true} Else {return false}

Notes:
- $(E, S)$ = true: valid signature, message $M$ recognized for origin and integrity.
- $(E, S)$ = false: signature and/or data message $M$ is forged.

2.3.2 The correctness of the signature scheme IFP-RSAP base II

Theorem 2.3: Suppose the parameters, keys and signature pair $(E, S)$ are selected and generated by the steps of the IFP-RSAP base II scheme, and $\bar{E}$ is the value generated by the verification algorithm according to formula (2.16). Then we have: $\bar{E} = E$.

1. For $i = 1$ to $N$:
1.1 $u_i = H(y_i \| ID_i)$
1.2 $v_i = (u_i)^{x_{ca}} \bmod n$
2. Return $(u_i, v_i)$

2.4.1.4 Check the legitimacy of the members

Algorithm 2.4
Input: $n$, $N$, $y_i$, $y_{ca}$, $ID_i$, $(u_i, v_i)$
Output: $(TV_1, TV_2, \ldots, TV_N)$ = true / false
1. For $i = 1$ to $N$:
1.1 $u_i = H(y_i \| ID_i)$
1.2 $\bar{u}_i = (v_i)^{y_{ca}} \bmod n$
1.3 If ($\bar{u}_i = u_i$) Then $TV_i$ = true Else $TV_i$ = false
2. Return $(TV_1, TV_2, \ldots, TV_N)$

Notes:
- $TV_i$ = true: signing object $U_i$ is confirmed as a member of the system.
- $TV_i$ =
false: $U_i$ is a mock object.

2.4.1.5 Generate collective IFP-RSAP signatures

Algorithm 2.5
Input: $n$, $t$, $N$, $M$, $x_{ca}$, KS, KP
Output: $(E, S)$ - signature of U and CA on $M$
1. For $i = 1$ to $N$:
1.1 $k_i = H(x_i \| M)$
1.2 $R_i = (k_i)^{t} \bmod n$
1.3 Send $R_i$ to CA
2. $R \leftarrow 1$; For $i = 1$ to $N$: $R = R \times R_i \bmod n$
3. $E = H(M \| R)$, send $E$ to $\{U_1, U_2, \ldots, U_i, \ldots, U_N\}$
4. For $i = 1$ to $N$:
4.1 $S_i = k_i \times (x_i)^{E} \bmod n$
4.2 Send $S_i$ to CA
5. $S_u \leftarrow 1$; For $i = 1$ to $N$:
5.1 If ($R_i \neq (S_i)^{t} \times (y_i)^{E} \bmod n$) Then {return (0,0)}
5.2 $S_u = S_u \times S_i \bmod n$
6. If $E \neq 0$ Then $S = (S_u)^{x_{ca}} \bmod n$
7. Return $(E, S)$

Notes:
- Steps 1 and 4 are performed by the signing objects.
- Steps 2, 3, 5, 6 and 7 are performed by the CA.

2.4.1.6 Collective IFP-RSAP signature verification

Algorithm 2.6
Input: $n$, $t$, $y_{ca}$, $M$, KP, $(E, S)$
Output: $(E, S)$ = true / false
1. If ($E = 0$ or $S = 0$) Then {return false}
2. $y \leftarrow 1$; For $i = 1$ to $N$: $y = y \times y_i \bmod n$ (2.23)
3. $u = S^{y_{ca}} \bmod n$ (2.24)
4. $v = u^{t} \times y^{E} \bmod n$ (2.25)
5. $\bar{E} = H(M \| v)$
6. If ($\bar{E} = E$) Then {return true} Else {return false}

Notes:
- $(E, S)$ = true: valid signature, message $M$ recognized for origin and integrity.
- $(E, S)$ = false: signature and/or data message $M$ is forged.

2.4.2 The correctness of collective IFP-RSAP signature scheme

Theorem 2.4: With the parameters, keys and signature pair $(E, S)$ selected and calculated by the steps of the collective IFP-RSAP algorithm, the collective IFP-RSAP signature scheme is correct, that is: $\bar{E} = E$.

2.4.3 Security of collective IFP-RSAP signature scheme

2.4.3.1 Attack on secret key

The security of the collective IFP-RSAP signature scheme is established on the security of scheme IFP-RSAP base II proposed in section 2.3.3. Therefore, the security of the collective IFP-RSAP signature scheme is also determined by the difficulty of the IFP(n) and RSAP(n,e) problems.

2.4.3.2 Signature forgery attack

In the signature formation algorithm of the collective signing scheme, the components $R$ and $S_u$ are generated from many pairs of values $(R_i, S_i)$ of the members of the signing group. In other words, the collective signature is created from many individual signatures of the members, so an attack that forges the private signatures of signers during the collective signature formation procedure would be a potential security risk for the newly proposed collective signature scheme. Therefore, to solve this problem, the CA checks and validates the personal signatures of the signing group members in step 5.1 of Algorithm 2.5.

2.4.4 Time complexity of collective IFP-RSAP signature scheme

2.4.5 Evaluation of the time complexity of proposed collective digital signature scheme

In this section, the thesis compares the time complexity of the collective IFP-RSAP scheme with the collective digital signature schemes LD 1.02 and LD 1.03 in [6]. It is assumed that the compared schemes are calculated with the same security parameter in $Z_n$ and that the number of members of the signing collective is $N$. The results in Table 2.7 show that the total time complexity cost of the signature generation and signature verification algorithms of the proposed collective IFP-RSAP digital signature scheme is lower than that of the schemes in [6]. However, the LD 1.03 scheme in [6] is built with a prescribed signing sequence for the group members, and the collective signature is generated only when the members sign in the correct order. Therefore, the time complexity of the algorithms in the LD 1.03 scheme is higher than that of the compared algorithms in Table 2.7.

2.5 Algorithm installation and testing

The test part installs the algorithms of the collective IFP-RSAP digital signature scheme to illustrate checking and authenticating the signatures of members in the management of training activities at Hanoi University of Industry. The test results show that the proposed new collective digital signature scheme is completely consistent with actual administrative procedures and is convenient for
storing and deploying in the current network environment.

2.6 Conclusion of chapter 2

In Chapter 2, the thesis presented the collective signature model in combined form, which meets the requirements of authenticating the origin and integrity of the data message both at the level of the entity that created it and at the level of the organization the entity belongs to. Collective signatures are formed from the signatures of one or a group of signing objects and the certification of the CA, but only one combined component is stored and managed as the digital signature. This is suitable for storage and deployment on current network infrastructures.

In the next part, the thesis proposes signature scheme IFP-RSAP base I (general form) and signature scheme IFP-RSAP base II. These schemes are based on the two problems IFP and RSAP on $Z_n$. The proposed base signature schemes have been proven correct, and their security is determined by the difficulty of solving the IFP(n) and RSAP(n,e) problems.

Based on the signature scheme IFP-RSAP base II, the thesis proposes a collective IFP-RSAP signature scheme built according to the combined collective digital signature model. The security of the collective IFP-RSAP signature scheme is also determined by the difficulty of the IFP and RSAP problems. The proposed new collective signature scheme is resistant to signature forgery from within the system because the CA authenticates the individual signatures of the signing group members. The collective IFP-RSAP scheme has been proven correct, secure and effective.

The results of the test installation in Chapter 2 show that the collective IFP-RSAP signature scheme ensures the legitimacy of the members of the organization and, at the same time, authenticates the origin and integrity of data messages. The proposed new scheme is applicable in practice in administrative agencies, schools and enterprises.

The main results of chapter 2 are published in the works [CT2], [CT4] and [CT5].

CHAPTER 3. DEVELOPING A COLLECTIVE DIGITAL SIGNATURE
ALGORITHM BASED ON THE PROBLEMS IFP AND DLP

3.1 Introduction

Digital signature schemes are often constructed on difficult problems in number theory such as the integer factorization problem, the discrete logarithm problem and the discrete logarithm problem on elliptic curves. However, with the current development of science and technology, many mainframe systems have very high processing speed, so solving these difficult problems is only a matter of time, after which the security of the signature scheme can be broken. In order to improve the performance of schemes in practical applications, scientists need to further promote the combination of difficult problems to ensure the safety of the schemes and, at the same time, reduce the size of digital signatures.

Following that research orientation, the thesis continues to build and develop digital signature schemes based on the difficulty of simultaneously solving the two problems of factorization (IFP) and discrete logarithm (DLP), in order to improve the safety and the performance of the algorithm.

3.2 Constructing signature scheme IFP-DLP base I

In this section, the thesis proposes a method to build signature scheme IFP-DLP base I (general form). The scheme is built on the difficulty of simultaneously solving the integer factorization problem (IFP) and the discrete logarithm problem on $Z_p$ (DLP). From the general-form signature scheme, it is possible to create a new family of signature schemes, similar to the Elgamal signature family built on the discrete logarithm problem.

3.2.1 Steps to construct signature scheme IFP-DLP base I

3.2.1.1 Select and compute parameters

Choose a pair of large prime numbers $p$ and $q$. Set: $lp = len(p)$, $lq = len(q)$ so that the problem of integer factorization on $Z_n$ is difficult to solve. Parameters $p$, $q$ can be selected according to the standard FIPS 186 – [51].
Compute: $n = p \cdot q$ and $\varphi(n) = (p-1)(q-1)$.
Choose p1, q1 to be prime numbers, where: p1 | ( p  1) and q1 | ( q  1) ; p1 ( q  
1) and q1 ( p  1) Computer: m  p1 q1 Choose g to be a generator of the group Zn* of degree m(ord g  m) , calculated in:  (n) g   m mod n and satisfy: gcdg , n   , with:   1, n Choose the first secret key x1 in the range (1, m ) and compute the public key y according to the following algorithm: x 4.1 Public key calculation: y  g mod n (3.1) 4.2 If: y   (n) or: gcd( y,  (n))  reselect x1 in the range (1,m) 15 Calculate the second secret key : x2  y mod (n) Choose a hash function H: 0,1  Z h , với: h  n Hash function H(.) selectable according to FIPS 180 - [50] Notes: - y is public key; n, g are public parameters; - m, x1, x2 are secret keys; p, q, p1, q1  (n) are secret parameters 3.2.1.2 Generate signature IFP-DLPP base I Algorithm for generating signature IFP-DLP base I Input: n, g, x1, m, x2, M – Data messages to be signed Output: ( E , S ) - Signature Randomly choose a value of k in the range (1, m ) Computer: 1 (3.2) R  g k mod n (3.3) Calculate the first component of the signature: E  f1 ( M , R ) (3.4) The second component of the signature is calculated by one of the following formulas:   S  x2  k  f  M , E   x1  f  M , E  mod m 1 (3.5) IF gcd( f ( M , E ), m)  then return to step Or: S  x2  k   f  M , E   x1  f3  M , E   mod m 1 (3.6) IF gcd( f ( M , E )  x1  f 3( M , E ), m)  then return to step   Or: S   x1   x2  k  f  M , E   f3  M , E  mod m 1 1 (3.7) If gcd( f ( M , E ), m)  then return to step Return ( E , S ) Notes: - k is the corresponding secret number for each data message; - f1 (.) : functions of M and R have values in the range (1, n) ; - f (.), f (.) 
: functions of M and R or E have values in the range (1,  ( n)) 3.2.1.3 Verify signature IFP-DLP base I Algorithm for verifying signature IFP-DLP base I Input: n, g, y, ( E , S ) , M Output: ( E , S ) = true / false Calculate the value of u: S f2  M , E  y  g f2  M ,E  f3  M ,E  mod n (3.8) S f  M , E  y  y S f  M ,E  y mod n If S is calculated according to (3.6): u  g (3.9) If S is calculated according to (3.5): u  y 1 S f M ,E y f M ,E If S is calculated according to (3.7): u  y    g   Calculate the value of v: v  f1 ( M , u) If ( v  E ) Then {return true} Else {return false} 2 1 f3  M , E  mod n (3.10) (3.11) 16 Notes: - ( E , S ) = true: valid signature, message M recognized for origin and integrity - ( E , S ) = false: forged signature and/or M is not intact 3.2.2 The correctness of the signature scheme IFP-DLP sở I The correctness of the proposed new method is proven through Lemmas 3.1, 3.2, and 3.3 and presented on pages 78-80 of the thesis 3.3 Signature scheme IFP-DLP base II The signature scheme IFP-DLP base II is built based on the scheme IFP-DLP base I (general form) and based on the difficulty of solving two problems of integer factorization and discrete logarithmic problems on Zp at the same time with the aim of to enhance the security of the signature algorithm In addition, the signature scheme IFP-DLP base II has a reduced signature size that will improve the implementation efficiency of the scheme in real applications 3.3.1 General Procedure 3.3.1.1 Selection of parameters and keys Choose the pair of large prime numbers p and q Set: lp  len( p) , lq  len(q ) so that the problem of integer factorization on Zn is difficult to solve Parameters p, q can be selected according to the standard FIPS 186 – [51] Computer: n  p.q , and:  (n)  ( p  1)  (q  1) Choose p1, q1 to be prime numbers, where: p1 | ( p  1) q1 | ( q  1) ; p1 ( q  1) q1 ( p  1) Computer: m  p1 q1 Choose g to be a generator of the group Zn* of degree 
m(ord g  m) , satisfy the condition gcd  g , n   Calculated in:  (n) g  m mod n , with:   1, n  Choose the first secret key x1 in the range (1, m ) 6.1 Calculate the public key y according to: y   g  mod n 6.2 If y   ( n) or gcd( y,  (n))  reselect x1 in the range (1,m) 1 Calculate the second secret key: x2  y mod  (n) Choose a hash function H: 0,1  Z h , với: h  n Hash function H(.) selectable according to FIPS 180 - [50] Notes: - len(.) is a function to calculate length (in bits); - y is public key; n, g are public parameters; - x1, x2 are secret keys; p, q, p1, q1, m  (n) are secret parameters 3.3.1.2 Generate signature IFP-DLP base II Algorithm for generating signature IFP-DLP base II Input: n, g, m, x1, x2, M – Data messages to be signed Output: ( E , S ) - Signature  x1 (3.18) (3.19) 17 Randomly choose a value of k in the range:  k  m k Calculate the value of R in terms of: R  g mod n Calculate the first component of the signature: E  H ( M || R) Calculate the second component of the signature: S  x2  k  x1  E  mod m Return ( E , S ) Notes: - Operator “||” is the concatenation of two bit strings 3.3.1.3 Verify signature IFP-DLP base II Algorithm for verifying signature IFP-DLP base II Input: n, g, y, ( E , S ) , M Output: ( E , S ) = true / false    y S Calculate the value of R in terms of: R  g y E mod n Calculate the value of E in terms of: E  H ( M || R ) (3.20) (3.21) (3.22) (3.23) (3.24) If ( E  E ) Then {return true} Else {return false} Notes: - ( E , S ) = true: valid signature, message M recognized for origin and integrity - ( E , S ) = false: signature or/and data message M is forged 3.3.2 The correctness of the signature scheme IFP-DLP base II Theorem 3.1: Suppose we have parameters and keys and signature pair ( E , S ) selected and generated by the steps in the IFP-DLP base schema II Component E is the value generated by the test algorithm according to the formula 3.24, then we have: E  E 3.3.3 
Security of signature scheme IFP-DLP base II

3.3.3.1 Attack on secret key

In the proposed scheme IFP-DLP base II, the secret key of a signing object is a pair (x1, x2); the security of the scheme is completely broken when this key pair can be computed by one or more unwanted objects. From the method of forming parameters and keys, it follows that to find x2 it is necessary to calculate the parameter $\varphi(n)$, that is, to solve the problem IFP(n), and to calculate x1 it is necessary to solve the problem DLP(n,g). Thus, in order to find this secret key pair, the attacker needs to simultaneously solve the two problems IFP(n) and DLP(n,g) shown above. However, solving DLP(n,g) is as difficult as solving two problems IFP(n) and DLP(p,g) simultaneously. Therefore, it can be shown that the key security of the proposed scheme is guaranteed by the difficulty of simultaneously solving two discrete logarithmic and integer factorization problems on Zp.

3.3.3.2 Signature forgery attack

From the condition of the signature checking algorithm in the proposed scheme, any pair (E, S) will be considered a valid signature of the object that owns the public parameters (n, g, y) on data message M if it satisfies:
$E = H(M \,\|\, (g^S)^y \times y^E \bmod n)$ (3.25)
From (3.25) it follows that finding the pair (E, S) by preselecting one of the two values and then calculating the other value is more difficult than solving DLP(n,g). Furthermore, if H(.)
is chosen as a highly secure hash function (SHA 256/512, ...) then random selection of an (E, S) pair satisfying (3.25) is completely infeasible in practical applications.

3.3.4 Execution time complexity of schema IFP-DLP base II

3.3.5 Performance efficiency of schema IFP-DLP base II

The effectiveness of a signature scheme can be assessed by the implementation cost of the signing and signature verification algorithms and by the size of the signature the scheme generates. The lower the time cost of performing the operations, the higher the performance of the scheme. In this section, the effectiveness of the proposed new scheme is evaluated and compared with the results in [26].

3.3.5.1 Size of signature

The signature size of scheme IFP-DLP base II is compared with the signature size of the FS and SS schemes in [26] with the same parameter set selected. The results show that the signature generated by the IFP-DLP base II scheme is 2.5 times smaller than the signature generated by the schemes in [26], and has the same size as theirs when the signature reduction method of [46] is applied.

3.2.5.2 Implementation cost of scheme IFP-DLP base II compared to other schemes

From the comparison between the basic IFP-DLP scheme and the schemes in [21], it follows that the IFP-DLP base II scheme has a higher performance efficiency than the schemes in [26] in both cases, with and without the signature size reduction method of [46].

3.4 Proposal to construct collective IFP-DLP signature scheme

The collective signature scheme is built according to the combined collective digital signature model and the IFP-DLP base II digital signature scheme.

3.4.1 Steps to implement collective IFP-DLP signature scheme

3.4.1.1 Selection of CA's parameters and keys

Algorithm 3.1
Input: lp, lq – length (in bits) of prime numbers p, q
Output: n, m, g, xca1, xca2, yca
Choose the pair of large prime numbers p and q. Set: $l_p = \mathrm{len}(p)$, $l_q = \mathrm{len}(q)$
so that the problem of integer factorization on Zn is difficult to solve. Parameters p, q can be selected according to the standard FIPS 186 – [51].
Compute: $n = p \cdot q$ and $\varphi(n) = (p - 1) \cdot (q - 1)$
Choose p1, q1 to be prime numbers, where: $p_1 \mid (p - 1)$, $q_1 \mid (q - 1)$; $p_1 \nmid (q - 1)$, $q_1 \nmid (p - 1)$
Compute: $m = p_1 \times q_1$
Choose g to be a generator of the group $Z_n^*$, calculated as: $g = \alpha^{\varphi(n)/m} \bmod n$ and satisfying: $\gcd(g, n) = 1$, with: $\alpha \in (1, n)$
Choose the first secret key xca1 in the range (1, m)
Calculate the public key yca according to: $y_{ca} = g^{-x_{ca1}} \bmod n$ (3.26)
If $y_{ca} \ge \varphi(n)$ or $\gcd(y_{ca}, \varphi(n)) \ne 1$ then return to step
Calculate the secret key xca2 according to: $x_{ca2} = (y_{ca})^{-1} \bmod \varphi(n)$ (3.27)
Choose a hash function $H: \{0,1\}^* \to Z_h$, with: $h < n$. Hash function H(.) selectable according to FIPS 180 - [50]
Notes:
- yca is public key; n, g are public parameters;
- m, xca1, xca2 are secret keys; p, q, p1, q1, $\varphi(n)$ are secret parameters

3.4.1.2 Selection of parameters and keys of members

Algorithm 3.2
Input: n, m, g, N
Output: $K_S = \{x_i \mid i = 1, 2, \ldots, N\}$, $K_P = \{y_i \mid i = 1, 2, \ldots, N\}$
For i = 1 to N
  1.1 Choose a number $x_i$ in the range (1, m)
  1.2 $K_S[i] = x_i$
  1.3 $y_i = g^{-x_i} \bmod n$ (3.28)
  1.4 $K_P[i] = y_i$
Return $K_S$, $K_P$

3.4.1.3 Certification of members participating in signing

Algorithm 3.3
Input: n, g, m, N, IDi, KP, xca1, xca2
Output: $(u_i, v_i)$
For i = 1 to N
  1.1 $k_i = H(x_{ca1} \,\|\, y_i \,\|\, x_{ca2} \,\|\, ID_i)$
  1.2 $R_i = g^{k_i} \bmod n$
  1.3 $u_i = H(R_i \,\|\, y_i \,\|\, ID_i)$
  1.4 $v_i = x_{ca2} \times (k_i + x_{ca1} \times u_i) \bmod m$
Return $(u_i, v_i)$

3.4.1.4 Check the legitimacy of the members

Algorithm 3.4
Input: n, N, IDi, yi, yca, $(u_i, v_i)$
Output: $(KT_1, KT_2, \ldots, KT_N)$ = true / false
For i = 1 to N (3.29)
  1.1 $\overline{R}_i = (g^{v_i})^{y_{ca}} \times (y_{ca})^{u_i} \bmod n$
  1.2 $\overline{u}_i = H(\overline{R}_i \,\|\, y_i \,\|\, ID_i)$
  If ($\overline{u}_i = u_i$) Then $KT_i$ = true Else $KT_i$ = false
Return $(KT_1, KT_2, \ldots, KT_N)$
Notes:
- $KT_i$ = true: signing object $U_i$ is confirmed as a member of the system
- $KT_i$ = false: $U_i$ is an impostor

3.4.1.5 Generate collective IFP-DLP signatures
Algorithm 3.5
Input: M, n, m, N, kca, xca1, xca2, KS, KP
Output: (E, S) – signature of U and CA on M
For i = 1 to N
  1.1 $k_i = H(x_i \,\|\, M)$
  1.2 $R_i = g^{k_i} \bmod n$
  1.3 Send $R_i$ to CA
R ← 1; For i = 1 to N: $R = R \times R_i \bmod n$
$k_{ca} = H(x_{ca1} \,\|\, M)$; $R_{ca} = g^{k_{ca}} \bmod n$
$R = R \times R_{ca} \bmod n$
$E = H(R \,\|\, M)$
Send E to $\{U_1, U_2, \ldots, U_i, \ldots, U_N\}$
For i = 1 to N
  6.1 $S_i = k_i + x_i \times E \bmod n$
  6.2 Send $S_i$ to CA
(3.30) (3.31) (3.32) (3.33)
Su ← 0; For i = 1 to N
  7.1 if ($R_i \ne g^{S_i} \times (y_i)^E \bmod n$) then {return (0,0)}
  7.2 $S_u = S_u + S_i$
If $E \ne 0$ then $S = x_{ca2} \times (k_{ca} + S_u) \bmod m$ Else S = 0
Return (E, S)
Notes:
- Steps 1, are performed by the signing object
- Steps 2, 3, 4, 5, 7, and performed by CA

3.4.1.6 Collective IFP-DLP signature verification

Algorithm 3.6
Input: g, n, yca, KP, M, (E, S)
Output: (E, S) = true / false
If (E = 0 or S = 0) Then return false (3.34)
y ← 1; For i = 1 to N: $y = y \times y_i \bmod n$
$v = (g^S)^{y_{ca}} \times y^E \bmod n$ (3.35) (3.36)
$\overline{E} = H(v \,\|\, M)$
If ($\overline{E} = E$) Then {return true} Else {return false}
Notes:
- (E, S) = true: valid signature, message M recognized for origin and integrity
- (E, S) = false: signature or/and data message M is forged

3.4.2 The correctness of the collective IFP-DLP signature scheme

Theorem 3.2: With the parameters and keys of the same (E, S) signature pair selected and calculated at the steps of the collective IFP-RSAP algorithm, the collective IFP-DLP signature scheme is correct, that is: $\overline{E} = E$

3.4.3 Security of collective IFP-DLP signature scheme

3.4.3.1 Attack on secret key

The security level of the collective IFP-DLP signature scheme is established based on the security level of the scheme IFP-DLP base II proposed in section 3.3.3. Therefore, the security level of the collective IFP-DLP signature scheme is basically also determined by the difficulty of solving the two problems IFP and DLP at the same time. In addition, the collective IFP-DLP scheme is resistant to secret key attacks when the session key is exposed or the session
key is duplicated, as follows:
- The case where the short-term key k (session key) is exposed: Suppose the session key is exposed during the signing of some message M. The secret key xca2 is then calculated from the formula: $S = x_{ca2} \times (k_{ca} + S_u) \bmod m$, where $k_{ca} = H(x_{ca1} \,\|\, M)$. Deduce: $x_{ca2} = S \times (k_{ca} + S_u)^{-1} \bmod m$. Since m is kept secret, it will be difficult for an attacker to identify xca2.
- The case where the short-term key k (session key) is duplicated: When the session key is duplicated, assuming messages M and M' use the same session key, the secret key xca2 will be calculated by the formulas:
$S = x_{ca2} \times (k_{ca} + S_u) \bmod m \leftrightarrow k_{ca} = (S \times (x_{ca2})^{-1} - S_u) \bmod m$ (3.40a)
$S' = x_{ca2} \times (k_{ca} + S_u') \bmod m \leftrightarrow k_{ca} = (S' \times (x_{ca2})^{-1} - S_u') \bmod m$ (3.40b)
In which the messages M, M' and the value Su are calculated from steps 3÷7 in algorithm 3.5. From (3.40a) and (3.40b) we have the following equality: $(S \times (x_{ca2})^{-1} - S_u) \bmod m = (S' \times (x_{ca2})^{-1} - S_u') \bmod m$. Deduce: $x_{ca2} = (S - S') \times (S_u - S_u')^{-1} \bmod m$. Since m is kept secret, it will be difficult for an attacker to identify xca2.

Thus, in situations where the session key is exposed or the session key is duplicated, the signature scheme is still secure as long as g is large enough to resist attack by the algorithm in [18].

3.4.3.2 Signature forgery attack

The security of the collective IFP-DLP signature scheme against signature forgery attacks has also been proven, similarly to that of signature scheme IFP-DLP base II. From the condition of the signature checking algorithm in the proposed scheme, any pair (E, S) will be considered a valid signature of the object that owns the public parameters (n, g, y) on data message M if it satisfies:
$E = H(M \,\|\, ((g^S)^{y_{ca}} \times y^E) \bmod n)$ (3.41)
From (3.41) it follows that finding the pair (E, S) by preselecting one of the two values and then calculating the other value is more difficult than solving DLP(n,g). In addition, to improve the security of the algorithm, it is
possible to choose a hash function with high security such as SHA-256, SHA-512, ... Then the random selection of an (E, S) pair satisfying (3.41) is completely infeasible in practical applications.

In addition, with multiple signature schemes in general and the collective signature scheme proposed here, there is always a potential risk of forgery attacks from inside the system. In the collective IFP-DLP signature scheme, the collective signature is created from many individual signatures of the members. Therefore, it is possible to forge the private signatures of the signatories during the collective signature formation process. To solve this problem, in step 7.1 of algorithm 3.5, the CA checks the legitimacy of the signing group members according to the test condition: if $R_i \ne g^{S_i} \times (y_i)^E \bmod n$, the signature is forged (E = 0, S = 0), that is, the member is not in the system.

3.4.4 Time complexity of collective IFP-RSAP signature scheme

3.4.5 Evaluation of the time complexity of proposed collective digital signature scheme

In this section, the thesis compares the time complexity of the collective IFP-DLP signature scheme with scheme LD-C2_M232 [16] and schemes LD1-KPBTN, LD2-PBTN [9]. It is assumed that the compared schemes are computed with the same number N of members in the signer community and that the security of the schemes is comparable. The results show that the time complexity of the signature generation and signature checking algorithms of the proposed collective IFP-DLP signature scheme is lower than that of the LD-C2_M232 [16] and LD1-KPBTN, LD2-PBTN [9] schemes.

3.5 Algorithm Installation and testing

In this part, the thesis installs the algorithms of the collective IFP-DLP scheme and runs tests to illustrate the signature generation process and the signature forgery attack. The testing process shows that the collective signature scheme built according to the proposed new model is completely suitable for current actual needs; the signing members will be checked and
verified by the CA. In this model, the CA plays the same role as the clerical department of an organization with legal status in society. The signature system ensures safety and is resistant to forgery attacks from within.

3.6 Conclusion of chapter

In chapter 3, in order to improve the safety and performance of the schemes in practical applications, the thesis proposes a signature scheme IFP-DLP base I (general form) based on the DLP problem on the Zn ring. The security of the proposed new scheme is guaranteed by the difficulty of solving the two problems IFP and DLP simultaneously on the Zp field. In the next part, the thesis proposes a signature scheme IFP-DLP base II, based on the signature scheme IFP-DLP base I (general form), with the aim of improving the security of the digital signature algorithm. The security of the scheme is ensured by the difficulty of solving the two problems IFP and DLP simultaneously. In addition, the proposed new scheme has a smaller size and higher performance than some previous schemes. This will help to improve the implementation of the scheme in real applications.

From the signature scheme IFP-DLP base II, the thesis continues to propose a collective IFP-DLP signature scheme according to the combined collective digital signature model. The proposed new scheme ensures the certification of the legitimacy of members of the organization and attests to the origin and integrity of data messages. In it, the collective signature is created as a combination of the individual signatures of one signer or of a group of signers and the CA's certificate. The security level of the collective signature scheme is established based on the security level of signature scheme IFP-DLP base II. Therefore, the security level of the collective signature scheme is basically also determined by the difficulty of solving the two problems IFP and DLP at the same time. The collective IFP-DLP signature scheme has been proven correct, ensuring safety and performance.

The experimental part installs the
collective IFP-DLP signature scheme to simulate the steps of document signing in the process of building a training program at a university. Experimental results show that the collective IFP-DLP signature scheme built according to the combined collective digital signature model is consistent with the paper-based document signing model at Hanoi University of Industry. This model can be completely applied to agencies and organizations with legal status in society. The process of signing and approving documents at current agencies is similar to the model that has been experimentally deployed in the thesis.

The main results of chapter are published in the works [CT1], [CT3] and [CT6].

CONCLUSION

Research results of the thesis

With the goal of building and developing algorithms to improve the security of signature schemes, and of proposing a signature model that meets current practical requirements, the thesis has achieved the following results:
- Propose a model of collective signature in combination form to ensure the authentication requirements of the origin and integrity of data messages at all levels. Collective signatures are formed from the signatures of one or a group of signing objects and the CA's certification, but only a single combined component has to be stored and managed as the digital signature. This is suitable for storage and deployment on current network infrastructures.
- Propose a signature scheme IFP-RSAP base I (general form) and a signature scheme IFP-RSAP base II based on the two problems IFP and RSAP on Zn. The security of the schemes is determined by the difficulty of solving the IFP and RSAP problems. From the signature scheme IFP-RSAP base II, the thesis proposes to construct a collective IFP-RSAP signature scheme according to the combined collective digital signature model. The security of the collective IFP-RSAP signature scheme is also based on the security of the signature scheme IFP-RSAP base II.
- Propose some signature scheme IFP-DLP base I
(general form) and signature scheme IFP-DLP base II based on the combination of the two problems IFP and DLP in order to improve the security of the algorithm. The security of this scheme is ensured by the difficulty of solving the above two problems simultaneously. In addition, the proposed new signature scheme IFP-DLP base II has a smaller size and higher performance than some previous schemes. Based on the signature scheme IFP-DLP base II, the thesis proposes a collective IFP-DLP signature scheme according to the combined collective signature model. The security of the collective signature scheme is also based on the security of the signature scheme IFP-DLP base II, and the scheme has the ability to prevent forgery attacks from within the system.

New contribution of this thesis

1) Constructing a general digital signature scheme from the combination of the two difficult problems IFP and RSAP, from which specific cases are selected to construct a digital signature scheme, as a premise for building a combined collective digital signature scheme.
2) Constructing a general digital signature scheme from the combination of the two difficult problems IFP and DLP, from which specific cases are chosen to construct a digital signature scheme, as a premise for building a combined collective digital signature scheme.

Further extensions of this thesis

The thesis can be further researched and developed in the following directions:
- Based on the proposed signature scheme IFP-DLP base I (general form), it is possible to continue to develop and create different signature schemes to meet the needs of practical applications.
- The results of the research on the combined collective signature model can be applied to the construction of authentication systems in agencies and schools.

LIST OF SCIENTIFIC PUBLICATIONS

[CT1] Pham Van Hiep, Nguyen Huu Mong, Luu Hong Dung (2018), “A signature algorithm based on difficulty of simultaneous solving integer factorization and discrete logarithm problem”, Journal of Science and Technology - The University
of Danang, ISSN 1859-1531, No (128), pp.75-79
[CT2] Pham Van Hiep, Luu Hong Dung (2018), “Digital signature – Model and algorithm”, Proceeding of the 11th National Conference on Fundamental and Applied Information Technology Research, pp.88-95
[CT3] Pham Van Hiep, Luu Hong Dung (2018), “Developing a collective digital signature algorithm”, Journal of Military Science and Technology, ISSN 1859-1043, Number of IT specials, pp.74-82
[CT4] Pham Van Hiep, Vu Son Ha, Luu Hong Dung, Nguyen Thi Lan Phuong (2019), “A collective digital signature schemes based on the difficulty of integer factorization and finding root problems on the Zn”, Journal of Military Science and Technology, ISSN 1859-1043, Number of IT specials, pp.42-49
[CT5] Pham Van Hiep, Luu Hong Dung (2020), “Developing a new type of digital signature scheme based on rsa problem”, Journal of Science and Technology on Information and Communications (Posts and Telecommunications Institute of Technology), ISSN 2525-2224, Vol.1, No (CS.01), pp.73-78
[CT6] Pham Van Hiep, Đoan Thi Bich Ngoc, Luu Hong Dung (2021), “The method of constructing the digital signature scheme is based on the difficulty of the discrete logarithmic problem on the ring Zn”, Journal of Science and Technology on Information and Communications (Posts and Telecommunications Institute of Technology), ISSN 2525-2224, Vol.1, No (CS.01), pp.56-60
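Key generation, signing and verification for scheme IFP-DLP base II (section 3.3.1), as an added Python example that is not code from the thesis. It takes the scheme's equations as y = g^(-x1) mod n, x2 = y^(-1) mod φ(n) and S = x2·(k + x1·E) mod m, the reading under which check (3.25) recovers R; the toy primes, SHA-256 and the byte encoding of R are assumptions, and parameters this small give no security.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (p, q, p1, q1) with p = 2*p1 + 1 and q = 2*q1 + 1.
TOY = (2039, 2063, 1019, 1031)

def is_prime(v: int) -> bool:
    """Trial division; adequate only for toy-sized values."""
    return v > 1 and all(v % d for d in range(2, int(v ** 0.5) + 1))

def H(message: bytes, R: int, n: int) -> int:
    """E = H(M || R): SHA-256 over M followed by R as fixed-width big-endian
    bytes (assumed encoding). At real sizes the digest is already below n."""
    width = (n.bit_length() + 7) // 8
    digest = hashlib.sha256(message + R.to_bytes(width, "big")).digest()
    return int.from_bytes(digest, "big")

def keygen(p, q, p1, q1):
    """Section 3.3.1.1: returns (public, secret) parameter dictionaries."""
    assert all(is_prime(v) for v in (p, q, p1, q1))
    assert (p - 1) % p1 == 0 and (q - 1) % q1 == 0
    assert (q - 1) % p1 != 0 and (p - 1) % q1 != 0
    n, phi, m = p * q, (p - 1) * (q - 1), p1 * q1
    while True:  # g = alpha^(phi(n)/m) mod n, retried until ord(g) == m
        alpha = 2 + secrets.randbelow(n - 3)
        g = pow(alpha, phi // m, n)
        if gcd(alpha, n) == 1 and pow(g, p1, n) != 1 and pow(g, q1, n) != 1:
            break
    while True:  # reselect x1 until y is invertible modulo phi(n)
        x1 = 2 + secrets.randbelow(m - 2)      # 1 < x1 < m
        y = pow(g, m - x1, n)                  # g^(-x1) mod n, since ord(g) = m
        if gcd(y, phi) == 1:
            break
    x2 = pow(y, -1, phi)                       # second secret key
    return {"n": n, "g": g, "y": y}, {"m": m, "x1": x1, "x2": x2}

def sign(pub, sec, message: bytes):
    """Section 3.3.1.2: returns the signature (E, S)."""
    n, g = pub["n"], pub["g"]
    m, x1, x2 = sec["m"], sec["x1"], sec["x2"]
    k = 2 + secrets.randbelow(m - 2)           # fresh session key, 1 < k < m
    R = pow(g, k, n)
    E = H(message, R, n)
    S = x2 * (k + x1 * E) % m
    return E, S

def verify(pub, message: bytes, signature) -> bool:
    """Section 3.3.1.3: recompute R from (E, S) and compare the hashes."""
    n, g, y = pub["n"], pub["g"], pub["y"]
    E, S = signature
    R = pow(pow(g, S, n), y, n) * pow(y, E, n) % n
    return H(message, R, n) == E

def demo():
    pub, sec = keygen(*TOY)
    sig = sign(pub, sec, b"training programme v1")
    E, S = sig
    return {
        # x2*y = 1 (mod phi(n)) and m | phi(n), so S*y = k + x1*E (mod m).
        "inverse_mod_m": sec["x2"] * pub["y"] % sec["m"] == 1,
        "valid": verify(pub, b"training programme v1", sig),
        "altered_message": verify(pub, b"training programme v2", sig),
        "altered_S": verify(pub, b"training programme v1", (E, (S + 1) % sec["m"])),
    }

if __name__ == "__main__":
    print(demo())
```

Verification never uses m, x1 or x2: the verifier only needs (n, g, y), which is why the signer can keep m secret.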

Date posted: 15/04/2022, 06:08
