Constructing Representative Collective Signature Protocols Using The GOST R34.10-1994 Standard

1  Introduction

As is known, digital signatures (DS) [1] are a key component of digital authentication systems [2]. Therefore, in order to have an authentication system that meets the specific requirements of a certain practical application, we must first build a corresponding digital signature. More precisely, it is necessary to build a DS scheme (DSS) that helps to create the desired digital signature.

Currently, many types of digital signatures have been researched and published such as single digital signatures (SDS), group digital signatures (GDS) [3–6], collective digital signatures (CDS) [7–9], single-blind digital signatures [10,11], blind collective digital signatures (BCS) [12], representative collective digital signatures (RCS) [9], … The SDSs is used to authenticate a particular personal. Meanwhile, GDSs, CDSs and RCSs are used to authenticate a signing group of many members [13,14]. The difference between a RCS and a GDS and a CDS is that it is formed from group digital signatures of many different signing groups. These signing groups may have no members at all, in which case the group leader can be viewed as personal signers. The RCS fulfils the authentication requirement for the multi-functional collectives. It is a new form of authentication, which is now quite common in e-commerce applications operating in the environment of Internet.

The DSS is usually built based on one of three common difficult problems such as factor analysis problem, discrete logarithmic problem on finite prime fields [15,16], discrete logarithmic problem on Elliptic curve [17,18]. At present, there are also some newly proposed difficult problems such as the problem of finding the modulo roots of large primes [19], the discrete logarithmic problem on the ring of residual classes, the discrete logarithmic problem on the two-dimensional non-circular subgroup.

The above mentioned difficult problems are the basis for a number of standard single-digital signature schemes, which are RSA (Rivest–Shamir–Adleman) [20] signature scheme, Schnorr’s signature scheme and ElGamal signature scheme. Some countries such as United States, Russian Federation or Belarus also rely on existing difficult problems to build their own digital signature standards or digital signature scheme standards. United States’s digital signature scheme standards include DSS (Digital Signature Standard) and DSA (Digital Signature Algorithm). Similarly, Russian Federation has digital signature scheme standards such as GOST R34.10-1994 [21], GOST R34.10-2001 [21] and GOST R34.10-2012 [22]. These signature scheme standards not only inherit the level of security of the difficult problem it uses, but also have enhanced security features brought about by the scheme’s own internals.

In this paper, we use the GOST R34.10-1994 standard (GOST-1994) [21], developed based on the logarithmic problem on prime finite field, to suggest two types of RCS scheme: (i) the CDS is shared by many signing groups and (ii) the CDS is shared by many signing groups and many personal signers. First, we use the single signature scheme built by this standard to build a CDS for a signing collective of m members. This scheme is resistant to two types of attacks, originating from the inside, which are quite common, that is, attack on the secret key and attack forgery scraping the signature of a member of the signing collective; Next, we build a GDS for a group of m signing members and a leader. The RSA asymmetric key pair generation algorithm, the signer’s public key masking technique, and the mutual authentication mechanism are implemented in this scheme. These are considered the security advantages of our proposed group signature scheme; Finally, two new forms of RCS schemas are formed from the two base schemas CDS and GDS. All DSS built in this article are proven correct.

The security advantages and time costs of the proposed RCS schemes are analyzed, calculated and shown at the end of this paper.

2  The Related Basis Digital Signature Schemas

The following, the GOST-1994 of the Russian Federation will be used to develop two basic schemas: The CDS schema (in 2.1) and the GDS schema (in 2.2). In the GDS schema, the public key of the signing group member is hidden by masking techniques. These schemas will be used to build RCS schemas.

2.1 The Collective Digital Signature Schema According to The GOST R34.10-1994 Digital Signature Standard (The CDS-2 Schema)

The common parameters are similar to those defined for GOST-1994 [21].

Assuming there are m signers who want to create a CDS on the message M (M). Private key and public key of i-th signer be xi and yi=αximodp, where xi is an integer chosen at random by the signer in the range [1, q − 1]; Let FH be a secure hash function and H=FH(M).

• The algorithm to create CDS on M:

Includes the following stages:

1. Each signer selects random number ki∈[1,q−1] and computes:

Ri=(αkimodp)modq(1)

and sends (broadcasts) Ri to all signers.

2. It is calculated the first element of the CDS:

R=R1R2…Rmmodq(2)

The values R is broadcasted to the other signers.

3. Each signer computes its signature share Si using the hash function value H corresponding

to the message M and the value R as follows:

Si=kiH+xiRmodq(3)

4. Calculate the second element of the CDS:

S=S1+S2+…+Smmodq(4)

The (R, S) number pair is the CDS on M.

∙ The algorithm to check CDS on M:

The signature verifier does the following:

Input: α,p,q,M,(R,S),KP={yi|i=1,2,..,m}.

Output: True/False

    [1]. If (R=0 or S=0) then

            Return False

    [2]. y←1, For i=1 to m do

    [2.1]. y←y×yimodp

    [3]. H←FH(M)

    [4]. R′←(αS/Hy−R/Hmodp)modq

    [5]. If (R′=R) then

            Return True

       Else

            Return False

If R′=R (True): The signature on M is valid; Otherwise, the signature on M is invalid, it is rejected.

∙ Proof of the correctness of the CDS-2 scheme:

To prove the correctness of this scheme, we only need to prove the existence of the check expression R∗=R in the signature check procedure. Conspicuously, the test expression R∗=R always exists. Indeed:

Substituting the value S=∑i=1mSimodq into the expression R∗, R∗=(αS/Hy−R/Hmodp)modq, we get:

R∗=(α∑i=1mSiH(∏i=1myi)−RHmodp)modq=(∏i=1mαSiH∏i=1myi−RHmodp)modq=(∏i=1m(αSiHα−xiRHmodp))modq=(∏i=1m(α(kiH+xiR)Hα−xiRHmodp))modq=(∏i=1mαkimodp)modq=(∏i=1mRi)modq=R

So R∗=R always exists.

2.2 The Group Digital Signature Schema According to The GOST R34.10-1994 Digital Signature Standard (The GDS-2 Schema)

Assuming there is a signing group that wants to create a GDS on the message M. Private key and public key of i-th signer be xi and yi=αximodp, where 1≤i≤m; xi is an integer chosen at random by the signer in the range [1, q − 1]; Let FH be a secure hash function and H=FH(M).

Private key and public key of the group manager be X and Y=αXmodp. Y is also the public key of the signing group so it is also used in the GDS-2 scheme.

In this schema, the group manager’s internal public key is used, which is a number pair (n, e) and is generated as follows: (1) n=wr, where r and w are strong primes; and (2) φ(n)=(w−1)(r−1); (3) chooses a integer number e that e∈(1,ϕ(n)) and gcd(e,ϕ(n))=1; (4) d=e−1modφ(n), d is a private value of manager. The (n,e) is only for the signers of the group headed by the manager.

The generalized scheme of the proposed group signature protocol includes the following steps [6,7]:

     i)  Considering the message M to be signed the group manager masks the public keys of the assigned signers. To mask the public key yi of a signer: The group manager computes the exponent λi=(H+yi)dmodn, H is the hash value of M, and sends λi to the i-th member.

    ii)  Using λi each i-th member calculates their shared value in the collective signature and sends it to the group manager.

   iii)  The group manager verifies the shared value of all assigned members and calculates his shared value in the group signature. Then he/she calculates the group signature as triple (U,R,S), where S is sum of all shares; U is the product of the modified public keys of all signers.

∙ The group signature generation algorithm on M

It consists of stages:

1. The group manager does the following tasks:

  - Computes hash value from message M:

H=FH(M)(5)

  - Calculates masking coefficients λi:

λi=(H+yi)dmodn(6)

  - Sends each value λi to the corresponding i-th group member

  - Computes the first element of the group signature U:

U=∏i=1myiλimodp(7)

2. The i-th signer does as follow:

  - Randomly choose a number ki, ki<q, and then computes the value Ri:

Ri=(αkimodp)modq(8)

  - Sends Ri to the signing group’s manager (GM)

3. GM does as follow:

  - Randomly choose a number K, K<q, and calculates R′,R:

R^\prime=(αKmodp)modq(9)

R=R′∏i=1mRimodq=(αK+∑i=1mkimodp)modq(10)

4. The i-th signer does as follow:

  - Calculates his/her shared value, Si:

Si=kiH+xiλiRmodq(11)

  - Sends Si to GM

5. GM does as follow:

  - Verifies the correctness of each Si by checking Ri∗:

Ri∗=(αSi/Hy−Rλi/Hmodp)modq(12)

  - If all signature shared signatures Si satisfy the last verification equation, then he/she computes

   his shared signature:

S^\prime=KH+XRmodq(13)

  - Calculates the third element of GDS, S:

S=S′+∑i=1mSimodq(14)

The tuple (U,R,S) is a GDS of the signing group on M.

∙ The signature verification algorithm on M

Done by signature verifiers:

Input: U,Y,α,p,q,M,(U,R,S)

Output: True/False

   [1]. If (U=0 or R=0 or S=0) then

        Return False

   [3]. H←FH(M)

   [4]. R′←(αS/H(UY)−R/Hmodp)modq

   [5]. If (R′=R) then

        Return True

     Else

        Return False

If R∗=R (True): GDS on M is valid; Otherwise, GDS on M is invalid.

∙ Proof of correctness of the GDS-2 schema:

If R∗=R exists, then the correctness of this schema is guaranteed.

Conspicuous:

R∗=(αSH(UY)−RHmodp)modq=(αS′+∑i=1mSiH(Y∏i=1myiλi)−RHmodp)modq=(αS′H∏i=1mαSiHY−RH∏i=1myi−RλiHmodp)modq=(αKH+XRHα−XRH∏i=1m(α(kiH+xiλiR)Hα−xiλiRH)modp)modq=(αK∏i=1mαkimodp)modq=(R′∏i=1mRi)modq=R

Since R∗ =R always exist.

3  Constructing The New CDS Protocol Using The GOST R34.10-1994 Digital Signature Standard

The following, we use the CDS schema and the GDS schema built above to construct two types of RCS schemas [9]:

i)   The CDS schema (type 1): This scheme helps to create a DS that deputize for a signing collective whose members are representatives, they are group leaders, for different signing groups.

ii)   The CDS schema (type 2): This scheme helps to create a DS that deputize for a signing collective whose membership consists of two groups of members: That is, people who represent different signing groups. And, personal signers. These people do not belong to any sign group, they are also considered group representatives, but their group has no members.

3.1 The CDS Schema For Signing Groups (RCS.01)

Let g signing groups with public keys Yj=αXjmodp, where j=1,2,…,g. Xj is the secret key of the j-th group manager, have intention to sign the message M.

Suppose also the j-th signing group includes mj active personal signers (persons appointed to act on behalf of the j-th signing group).

The CDS scheme for signing groups (RCS.01) is as below.

∙The CDS generation procedure on M

It include of steps:

1. Each j-th group manager in the signing collective does the following tasks:

- Based on the group signature generation procedure described above (Section 2.2) to generals masking parameters λji for the signers of j-th group.

- Computes the value Uj (where i=1,2,…,mj):

Uj=∏i=1mjyjiλjimodp(15)

U as the shared element of the j-th group in the first element of the CDS.

- Computes Rj:

Rj=Rj′∏i=1mjRjimodq(16)

- Sends values Uj and Rj to all other group managers in the signing collective.

2. Each j-th group manager in the signing collective computes values U and R:

U=∏j=1gUjmodp(17)

R=∏j=1gRjmodq=(α∑j=1gkjmodp)modq(18)

U and R are the first and second elements of the CDS.

3. Each j-th group manager does the following tasks:

- Computes the shared signature of j-th group:

Sj=Sj′+∑i=1mjSjimodq(19)

where Sji in the shared signature of the i-th signer in the j-th group,

- Sends Sj to other group managers in the signing collective.

4. Each j-th group manager does the following tasks:

- Can verify the correctness of each shared signature Sj by cheaking equality:

Rj∗=(αSjH(UjYj)−RHmodp)modq(20)

- If all shared signatures Sj satisfy the last verification equation, then the third element S of the CDS is computed:

S=∑j=1gSjmodq(21)

The tuple (U,R,S) is the CDS on M of the signing collective there are g signing groups.

∙ The CDS verification algorithm on M

Input: α,p,q,M,(U,R,S),{Yi|i=1,2,..,g}.

Output: True/False

   [1]. If (U=0 or R=0 or S=0) then

        Return False

   [2]. Y←1, For i=1 to g do

     [2.1]. Ycol←Y×Yimodp

   [3]. H←FH(M)

   [4]. R∗←(αSH(UYcol)−RHmodp)modq

   [5]. If (R∗=R) then

        Return True

      Else

        Return False

If R∗=R (True): The CDS is authenticated. Otherwise, the CDS is not authenticated.

∙ Demonstrate the RCS.01 schema correctness:

If we prove the existence of calculation formulas Sji and R∗ then the correctness of the RCS scheme described above is guaranteed. It’s easy to see it always exists. Indeed:

Rj∗=(αSjH(UjYj)−RHmodp)modq=(αSj′+∑i=1mjSjiH(Yj∏i=1mjyjiλji)−RHmodp)modq=(αSj′H∏i=1mjαSjiHYj−RH∏i=1mjyji−RλjiHmodp)modq=(αKjH+XjRHα−XjRH∏i=1mj(αkjiH+xjiλjiRHα−xjiλjiRH)modp)modq=(αKj∏i=1mjαkjimodp)modq=(Rj′∏i=1mjRji)modq=Rj

We see R∗ =R always exists. Indeed:

R∗=(αSH(UYcol)−RHmodp)modq=(α∑j=1gSjH(∏j=1gYj∏j=1gUj)−RHmodp)modq=(∏j=1g(αSjH(YjUj)−RH)modp)modq=∏j=1gRjmodq=R

3.2 The CDS Schema For Signing Groups And Personal Signers (RCS.02)

The CDS schema in 3.2 is similar to RCS.01, but for signing groups and personal signers. In this case, the personal signer is treated as a signing group, but this group has no members, only the group manager. So Uj = 1.

Suppose xj, yj=αxj, j=g+1,g+2,…,g+m, are private key and public key of m personal signers participating in the protocol for generating the CDS for g signing groups and m personal signers.

Input parameters, public keys, and private keys are as in the CDS-02 diagram and the GDS-02 diagram. The CDS scheme for m personal signers and g signing groups (RCS.02) is as follows:

∙ The procedure for generating the CDS for g signing groups and m personal signers on M

It consists of stages:

1. Each j-th group manager in the signing collective does the following tasks:

- Based on the group signature generation procedure described above (Section 2.2) to generals masking parameters λji for the signers of j-th group.

- Computes the value Uj (where i=1,2,…,mj):

Uj=∏i=1mjyjiλjimodp(22)

U as the shared element of the j-th group in the first element of the CDS.

- Computes Rj:

Rj=Rj′∏i=1mjRjimodq(23)

- Send values Uj and Rj to all other managers and all personal signers in the signing collective.

2. Each j-th personal signer (j=g+1,g+2,…,g+m) does the following tasks:

- Generates a random value Kj, Kj<n, and computes Rj:

Rj=(αKjmodp)modq(24)

- Sent Rj to all group managers and other personal signers in the signing collective.

- Each j-th group manager and each j-th personal signer in the signing collective computes values U,R and E:

U=∏j=1g+mUjmodp(25)

R=∏j=1g+mRjmodq(26)

where δ is a large prime having, |δ|=160 bits; U=1 for j=g+1,g+2,…,g+m.

U and E are the first and second elements of the signature.

3. a) Each j-th group manager computes the shared signature of j-th group Sj:

Sj=Sj′+∑i=1mjSjimodq(27)

where Sji is the shared signature of the i-th signer in the j-th signing group.

And sends Sj to all personal signers and other group managers.

  b) Each j-th personal signer computes his/her shared signature Sj:

Sj=KjH+XjRmodq(28)

And sends Sj to all group managers and other personal signers.

4. Each j-th group manager and each personal signers do the following tasks:

- Can verify the correctness of each share signatures Sj by checking equality:

Rj∗=(αSjH(UjYj)−RHmodp)modq(29)

For j=1,2,…,g and

Rj∗=(αSjHYj−RHmodp)modq(30)

For j=g+1,g+2,…,g+m.

- If all shares Sj satisfy the last verification equation, then the third element S of the CDS is computed:

S=∑j=1g+mSjmodq(31)

The tuple (U,R,S) is the CDS on the message M of the signing collective there are g signing groups and m personal signers.

∙ The algorithm for verification the CDS for g signing groups and m personal signers on M

To check the validity of the received signature, the verifier performs the following steps:

Input: α,p,q,M,(U,R,S),{Yi|i=1,2,..,g+m}.

Output: True/False

[1].  If (U=0 or R=0 or S=0) then

       Return False

[2].  Y←1, For i=1 to g+m do

    [2.1]. Ycol←Y×Yimodp

[3].  H←FH(M)

[4].  R∗←(αSH(UYcol)−RHmodp)modq

[5].  If (R∗=R) then

         Return True

      Else

         Return False

If R∗=R (True): The CDS is authenticated; Otherwise, the CDS is not authenticated.

∙ Demonstrate the RCS.02 schema correctness:

If we prove the existence of calculation formulas Sj of each signing group Rj∗ (35), Sj by each personal signer Rj∗ (36) and expression R∗ then the correctness of the RCS scheme described above is guaranteed.

i) Conspicuously, the formula Sji always exists. Indeed:

Rj∗=(αSjH(UjYj)−RHmodp)modq=(αSj′+∑i=1mjSjiH(Yj∏i=1mjyjiλji)−RHmodp)modq=(αSj′H∏i=1mjαSjiHYj−RH∏i=1mjyji−RλjiHmodp)modq=(αKjH+XjRHα−XjRH∏i=1mj(αkjiH+xjiλjiRHα−xjiλjiRH)modp)modq=(αKj∏i=1mjαkjimodp)modq=(Rj′∏i=1mj⁡Rji)modq=Rj

ii) Conspicuously, the formula for checking the shared signature Si shared by the Rj personal signer always exists.

Indeed:

Rj∗=(αSjHYj−RHmodp)modq=(αKjH+XjRHα−XjRHmodp)modq=(αKjmodp)modq=Rj

iii) Same as above, R∗=R always exists.

Indeed:

R∗=(αSH(UYcol)−RHmodp)modq=(α∑j=1g+mSjH∏j=1g+m(UjYj)−RHmodp)modq=(∏j=1g+mαSjH(UjYj)−RHmodp)modq=((∏j=1gαSjH(UjYj)−RH∏j=g+1g+mαSjHYj−RH)modp)modq=∏j=1gRj∏j=g+1g+mRjmodq=R

Since R∗ =R, the correctness of the signature scheme has been proved.

4  Security Analysis And Performance Evaluation

4.1 Resistance to Attack of The New CDS Schemas

CDS schemes can be attacked by people who are not members of the signing collective (known as external attacks) or by people who are members of the signing collective (known as internal attacks), it happens more often. In this section we will analyze the two most common types of internal attacks. Specifically, the CDS-02 scheme is resistant to the following two types of attacks:

∙ The first attack (the member signature forgery): Assuming that n – 1 signers attempt to figure out a CDS respectively to n signers owning the public key y=y′ynmodp, where y′=∏i=1n−1yimodp, i.e., n –1 users unite their efforts to figure out an (R, S) number pair such that R=(αS/Hy′yn−R/Hmodp)modq.

Assuming that they are able to do this. Thus, under our assumption the collective forger (i.e., the considered n – 1 users) is able to figure out the CDS (R*, S*) respectively to public key y=y′yn′modp, where yn′ is a supposedly public key having the value yn′=yn/y′modp.

The CDS satisfies the following relation:

R∗=(αS∗Hy−R∗Hmodp)modq=(αS∗H(y′yn′)−R∗Hmodp)modq⇒R∗=(αS∗Hyn−R∗Hmodp)modq

The last means that (R*, S*) is a personal DS of the nth user. Thus, we have formally proved that possibility to forge the CDS leads to possibility to forge the personal DS corresponding to the DS algorithm used in the protocol. In other words the CDS protocol is not less secure against the forgery attack than the used DS algorithm. Since GOST-1994 algorithm is secure the considered collective signature protocol is also secure (We consider GOST 34.10-1994 as a secure DS algorithm since it has been widely investigated and used in practice).

∙ The second attack (the member signature secret key forgery): Assuming that n – 1 signers that shares a CDS (R, S) with the nth signer are able to figure out the secret key of the nth signer. Suppose also that (R*, S*) is a personal DS of the nth user formed using the underlying DS algorithm and the signature (R*, S*) corresponds to the hash value H calculated from the message. Then we have:

R∗=(αS∗Hy−R∗Hmodp)modq(32)

Attackers can generate values ki and calculate Ri=(αkimodp)modq for i = 1, 2, …, n − 1. Then they computes parameters R=(R∗∏i=1n−1Rimodp)modq and Si satisfying the equation:

Ri=(αSiHyi−RHmodp)modq(33)

Using designation: y∗=yR∗Rmodp

From (32) and (33) we get: R=(αS/HY−R/Hmodp)modq,

where S=(S∗+∑i=1n−1Si)modq and Y=(y∗∏i=1n−1yi)modp.

This means that the attackers have get the collective signature value (R, S) that corresponds to n signers, the nth signer owning the public key y∗=αx∗modp. In accordance to our assumption the attackers are able to compute the secrete key x∗ from (R, S). From (33) it is easy to get: x=Rx∗/R∗modq.

Thus, the attackers have calculated the secret key of the nth user using his personal DS, i.e., it is formally proved that if the CDS protocol is insecure, then the underlying DS algorithm is also insecure (in other words, the CDS protocol is not less secure than the underlying DS algorithm).

The RCS schemes proposed in this article use the CDS scheme as the basic scheme, so it is resistant to these two types of internal attacks.

4.2 Security Advantages of The New CDS Schemas

•   We use GOST-1994 to build the RCS schemes, so basically these schemes have all the security advantages that the discrete logarithm problem over prime finite fields and this signature standard provides.

•   The collective signature scheme, the CDS-02 scheme, has the following two outstanding security advantages: (i) Any illegal actions on generating the values Ri and Si and the signers that have produced such actions can be easily detected using the values Ri and Si and the following equation: Ri=(αSi/Hyi−R/Hmodp)modq, which holds only if the values Ri and Si are produced correctly by the i-th signer and (ii) None of the members generates a valid DS. This fact imparts to the CDS the property of the internal integrity. It is evident that the size of the CDS does not depend on m.

It is easy to show that the constructed representative collective signature schemes also have these security advantages.

•   The group signature scheme GDS-02 has the following characteristics: The technique of “masking” the signing group member’s public key is used to ensure the privacy of the signer; Information of all signers is contained in the U component. When a signature dispute occurs, the group manager can completely resolve it thanks to the information stored in this component; The request for mutual authentication between the members of the signing group and the group manager can be done through the formula to generate the λ mask coefficient and the internal key pair (n,e) generated from the RSA algorithm; There is absolutely no exchange or sharing of private keys and secret values between the signing team member and the team leader, so this scheme can be implemented on Internet or on existing PKI [23].

4.3 Performance of The New CDS Schemas

This cost of RCS schemas in this article are shown in Tab. 1. For details on the information in this table see [24]; For the notations and conventions in this table see [25].

Tab. 1 shows that the time cost to create and to verify the signature of the RCS schema in this article is not much more extensive than compared to CDSs in [8].

5  Discussion

•   Obviously, until now, only the representative collective digital signatures and the representative digital signature schemes can meet the requirement of authentication based on a single digital signature, that is, only one-time authentication, for all members in multi-level functional signing collectives. Members of this signing collective include: (i) People representing different signing groups, they are called group leaders, and (ii) Single signers, but acting as group leaders. This is why the representative collective signature is formed in two steps: First, the group leader of each group signs together with their members to create the group signature of that signing group. Then, all group’s leaders and personal signers in the signing collective will together create a RCS of the signing collective. Subsequent authentication is based solely on this final signature.

•   Since the group leader uses the secret key d, generated from the RSA algorithm, to generate the λ coefficient so receiving this coefficient, the signing group members can easily check to see if it came from their group leader or not by using the public key e to decrypt the λ coefficient.

•   The formulas for generating λ coefficients and the U-component in the group signature generation procedure show that only the group leader can “open” the generated signature to identify all the people who participated in the generation of GDS of the signing group that he/she manages [6].

•   The limitation of these new RCSs is the increase in the size of the signature. This limitation can be overcome if there is some signature scheme that helps to create a representative collective signature consisting of only two components but still contains the information of all the people who participated in the creation of this signature.

6  Conclusion

In this paper, first, we use GOST-1994 digital signature standard to build a CDS scheme and a GDS scheme. We then use these two schemes as the basis for building the proposed CDS schemes and protocols: (i) CDS for multiple signing groups; (ii) CDS for multiple signing groups and multiple personal signers. The RCSs are created on digital message M consisting of three components (U,R,S), with a fixed size, equal to |p|+2|q|, independent of the number of signing groups and personal signers. Information of every member participating in signature formation is stored in the U component. It is used for the signer and problem-solving the “disclaimer of liability” later. All signature schemes in this paper have been proven correct.

The article also shows that the collective digital signature protocol built according to GOST-1994 digital signature standard is capable of resisting two common types of inside attacks: (i) Attacks on the secret key of signing group members; (ii) Forging the signature of a member of the signing group. With the GDS scheme, the public key “masking” technique, through the λ coefficient, is applied to both the signing group member and the group leader. This not only ensures the privacy of every signing group member, but also creates mutual authentication between the signing group members and the group manager. This is one of the advantages of the group signature scheme that we propose in this study. Finally, we analyzed the security advantages and evaluated the performance, and time costs to create the signature and verify the signature, of each RCS scheme built.

The results obtained in this study show that the representative collective signature (RCS) has high feasibility and an acceptable level of security. However, because GOST-1994 is formed on the basis of the discrete logarithm problem on finite prime fields so there are some limitations that can be overcome if the scheme is formed according to the GOST R34.10-2001 digital signature standards or the GOST R34.10-2012 digital signature standards. This is our future work.

Funding Statement: This article is supported by Duy Tan University, Da Nang, Vietnam.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.