Universal forgery on a group signature scheme using self-certified public keys
Author: Guilin Wang
Source: Information Processing Letters, Vol. 89, 2004, pp. 227-231
Speaker: Pay-Chai Chang (張培才)
Outline
Introduction
Tseng-Jan scheme review
Ateniese, Joye and Tsudik attack
The attack
Conclusions
Introduction (1/1)
Group signatures
A secure group signature scheme must satisfy the following properties:
(1) Unforgeability
(2) Anonymity
(3) Unlinkability
(4) Exculpability
(5) Traceability
(6) Coalition-resistance
Tseng-Jan scheme review (1/7)
The scheme involves four parties:
TA (a trusted authority)
GM (a group manager)
$U_i$ (group members)
Verifiers
Tseng-Jan scheme review (2/7)
TA
(1) $n := pq$ with $p := 2p' + 1$ and $q := 2q' + 1$, where $p, q, p', q'$ are all primes.
(2) Selects an element $g \in \mathbb{Z}_n^*$ of order $v := p'q'$, and $e, d$ satisfying $ed \equiv 1 \pmod v$.
(3) Chooses a publicly known hash function $f(\cdot)$ and publishes the public key $(n, e, g, f(\cdot))$; the secret key is $(p, q, d)$.
Tseng-Jan scheme review (3/7)
GM with identity information $GD$ wants to establish a group:
(1) chooses a secret key $x$
(2) computes $z := g^x \bmod n$
(3) sends $z$ to the TA
Then the TA
(1) evaluates $GID := f(GD)$
(2) calculates $y := z^{GID^{-1}} \bmod n$ (the inverse of $GID$ taken modulo $v$, so $y^{GID} \equiv g^x \pmod n$) and $s_G := z^{-d} \bmod n$
(3) sends $y$ and $s_G$ to GM
Tseng-Jan scheme review (4/7)
GM chooses a publicly known hash function $h(\cdot)$ and publishes the public key $(y, h(\cdot))$; the secret key is $(x, s_G)$.
GM checks the validity of his key pair by $s_G^{\,e} \equiv y^{-GID} \pmod n$.
A user $U_i$, with identity information $D_i$, wants to join the group:
(1) selects his secret key $s_i$
Tseng-Jan scheme review (5/7)
(2) computes $z_i := g^{s_i} \bmod n$ and sends $z_i$ to the TA
(3) TA sends back $p_i := z_i^{\,ID_i^{-1} \cdot d} \bmod n$, where $ID_i := f(D_i)$ (inverse taken modulo $v$)
(4) $U_i$ checks whether $p_i^{\,ID_i \cdot e} \equiv z_i \pmod n$. If $p_i$ is correct, $U_i$ sends $p_i$ to GM
(5) GM returns $x_i$ to $U_i$, where $x_i := p_i^{\,ID_i \cdot x} \cdot s_G \bmod n$
(6) $U_i$ checks whether $x_i^{\,e} \equiv y^{GID \cdot (s_i - 1)} \pmod n$ holds. If the answer is yes, $U_i$ stores his membership certificate $(s_i, x_i)$
Tseng-Jan scheme review (6/7)
User $U_i$ signs a message $m$ with his certificate $(s_i, x_i)$:
Randomly selects three numbers $r_1, r_2, r_3$ and computes his signature $(A, B, C, D, E)$ as
$A := r_1^{\,s_i}$
$B := r_2^{-eA} \bmod n$
$C := y^{GID \cdot A \cdot r_3} \bmod n$
$D := s_i \cdot h(m \| A \| B \| C) + r_3 C$ (computed over the integers)
$E := x_i \cdot r_2^{\,h(m \| A \| B \| C \| D)} \bmod n$
To verify the validity of the signature $(A, B, C, D, E)$ on message $m$, a verifier checks whether
$y^{GID \cdot A \cdot D} \equiv \left(E^{eA} \cdot B^{h(m \| A \| B \| C \| D)} \cdot y^{GID \cdot A}\right)^{h(m \| A \| B \| C)} \cdot C^{\,C} \pmod n$.
Tseng-Jan scheme review (7/7)
(4) In case of disputes, the group manager checks, for each member's $x_i$, whether
$x_i^{\,eA} \cdot B^{-h(m \| A \| B \| C \| D)} \equiv E^{eA} \pmod n$;
the member whose $x_i$ satisfies it is the signer.
Verify the correctness (write $h := h(m \| A \| B \| C)$ and $h' := h(m \| A \| B \| C \| D)$):
(1) $x_i = p_i^{\,ID_i \cdot x} \cdot s_G = z_i^{\,dx} \cdot s_G = (g^{xd})^{s_i} \cdot s_G = s_G^{-s_i + 1} \bmod n$, since $s_G = z^{-d} = g^{-xd}$
(2) $x_i = s_G^{-s_i + 1} = (y^{GID})^{d(s_i - 1)} \bmod n$, so $x_i^{\,e} = y^{GID \cdot (s_i - 1)} \bmod n$ and $E^{eA} \cdot B^{h'} = x_i^{\,eA} = y^{GID \cdot A \cdot (s_i - 1)} \bmod n$
(3) $\left(E^{eA} \cdot B^{h'} \cdot y^{GID \cdot A}\right)^{h} \cdot C^{\,C} = \left(y^{GID \cdot A \cdot (s_i - 1)} \cdot y^{GID \cdot A}\right)^{h} \cdot y^{GID \cdot A \cdot r_3 C} \bmod n = y^{GID \cdot A \cdot (s_i h + r_3 C)} \bmod n = y^{GID \cdot A \cdot D} \bmod n$
Ateniese, Joye and Tsudik attack (1/2)
Assume that two colluding group members $U_1$ and $U_2$ have certificates $(s_1, x_1)$ and $(s_2, x_2)$, respectively.
(1) Let $c := \gcd(s_1 - 1, s_2 - 1)$ (the case $c = 1$ is the simplest: then $s_G$ itself is recovered below).
By using the extended Euclidean algorithm, they can find $\alpha, \beta \in \mathbb{Z}$ such that $c = \alpha(s_1 - 1) + \beta(s_2 - 1)$.
(2) From $x_i = p_i^{\,ID_i \cdot x} \cdot s_G = z_i^{\,dx} \cdot s_G = (g^{xd})^{s_i} \cdot s_G = s_G^{-s_i + 1} \bmod n$, they can find
$s_G^{\,c} = x_1^{-\alpha} \cdot x_2^{-\beta} \bmod n$.
Ateniese, Joye and Tsudik attack (2/2)
(3) Choose a random number $r$, then define $\hat{s} := cr + 1$ and $\hat{x} := (s_G^{\,c})^{-r} \bmod n$.
$(\hat{s}, \hat{x})$ is a valid but illegal membership certificate: it passes the member check $\hat{x}^{\,e} \equiv y^{GID \cdot (\hat{s} - 1)} \pmod n$ although it was never issued to anyone, because
$\hat{x} = (s_G^{\,c})^{-r} = s_G^{(-cr - 1) + 1} = s_G^{-\hat{s} + 1} \bmod n$.
The attack (1/3)
Recall the verification equation:
$y^{GID \cdot A \cdot D} \equiv \left(E^{eA} \cdot B^{h(m \| A \| B \| C \| D)} \cdot y^{GID \cdot A}\right)^{h(m \| A \| B \| C)} \cdot C^{\,C} \pmod n$
Choose four random numbers $a_1, a_2, a_3, A$, then define
$B := y^{a_1} \bmod n$, $C := y^{a_2} \bmod n$, $E := y^{a_3} \bmod n$.
Since every term is now a power of $y$ (of order $v$), comparing exponents in the verification equation gives the condition on $D$:
$GID \cdot A \cdot D \equiv \left[a_3 eA + a_1 \cdot h(m \| A \| B \| C \| D)\right] \cdot h(m \| A \| B \| C) + GID \cdot A \cdot h(m \| A \| B \| C) + a_2 C \pmod v$
Let $a_3 eA + a_1 \cdot h(m \| A \| B \| C \| D) = 0$; then
$GID \cdot A \cdot D = GID \cdot A \cdot h(m \| A \| B \| C) + a_2 C$.
The attack (2/3)
The forger does not know $v$, so both conditions are solved over the integers instead. Choose two random numbers $a_1, a_2$ and re-define
$a_1 := a_1 eA$ and $a_2 := a_2 \cdot GID \cdot A$;
then $D = h(m \| A \| B \| C) + a_2 C \in \mathbb{Z}$ and $a_3 = -a_1 \cdot h(m \| A \| B \| C \| D) \in \mathbb{Z}$.
Summary of the attack:
(1) Select three random numbers $a_1, a_2$ and $A$.
(2) Then define
$B := y^{a_1 eA} \bmod n$
$C := y^{a_2 \cdot GID \cdot A} \bmod n$
$D := h(m \| A \| B \| C) + a_2 C \in \mathbb{Z}$
$E := y^{-a_1 \cdot h(m \| A \| B \| C \| D)} \bmod n$
The attack (3/3)
(3) Output $(A, B, C, D, E)$ as a group signature on message $m$.
Proof that the forgery is successful (write $h := h(m \| A \| B \| C)$ and $h' := h(m \| A \| B \| C \| D)$):
$\left(E^{eA} \cdot B^{h'} \cdot y^{GID \cdot A}\right)^{h} \cdot C^{\,C} = y^{-a_1 h' eA h} \cdot y^{a_1 eA h' h} \cdot y^{GID \cdot A \cdot h} \cdot y^{a_2 \cdot GID \cdot A \cdot C} \bmod n = y^{GID \cdot A \cdot (h + a_2 C)} \bmod n = y^{GID \cdot A \cdot D} \bmod n$
So the verification equation holds, although the forger used only the public key $(n, e, y, GID)$ and holds no membership certificate; in a dispute, no member's $x_i$ satisfies the GM's check.
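The scheme and both attacks above as one runnable toy, added here as an illustration (not code from Wang's paper or from the talk). It assumes tiny safe primes ($p' = 509$, $q' = 593$, so $n = 1019 \cdot 1187$), SHA-256 standing in for both $f(\cdot)$ and $h(\cdot)$, a seeded RNG, and $A$ reduced modulo $n$ (the page gives no reduction; the scheme only needs $A$ as a public exponent). Identity strings are retried until $f(\cdot)$ is invertible modulo $v$, which with a real-size $v$ is automatic.

```python
"""Toy Tseng-Jan group signature with the AJT coalition forgery and Wang's universal forgery.
Constructed for this page (not the scheme's or the paper's code). Needs Python 3.8+ for pow(a, -k, n)."""
import hashlib
import random
from math import gcd

# --- TA setup: n = pq with p = 2p'+1, q = 2q'+1; g of order v = p'q'; ed = 1 mod v ---
p1, q1 = 509, 593                  # p', q' (toy size, an assumption; real moduli are 1024-bit+)
p, q = 2 * p1 + 1, 2 * q1 + 1      # 1019 and 1187, both prime
n, v = p * q, p1 * q1
e = 3                              # gcd(e, v) = 1
d = pow(e, -1, v)                  # ed = 1 mod v
g = next(pow(h, 4, n) for h in range(2, n)                    # h^4 has order dividing v = p'q';
         if pow(h, 4 * p1, n) != 1 and pow(h, 4 * q1, n) != 1)  # reject orders 1, p' and q'
rng = random.Random(2004)          # fixed seed: the whole run is reproducible

def H(*parts):
    """f(.) and h(.) of the page, both instantiated as SHA-256 over the '||'-joined parts."""
    return int.from_bytes(hashlib.sha256("||".join(map(str, parts)).encode()).digest(), "big")

def rand_unit():
    """Random exponent in [2, v). Toy-only filter (r coprime to n and v, r-1 coprime to v)
    so no accidentally low-order element masks what the forgeries demonstrate."""
    while True:
        r = rng.randrange(2, v)
        if gcd(r, n * v) == 1 and gcd(r - 1, v) == 1:
            return r

def identity(label):
    """ID := f(identity); the toy retries the string until ID is invertible mod v."""
    for k in range(1000):
        ID = H("f", f"{label}#{k}")
        if gcd(ID, v) == 1:
            return ID

# --- GM key pair: y = z^(GID^-1), s_G = z^-d, hence y^GID = g^x and s_G^e = y^-GID ---
GID, x = identity("GM"), rand_unit()
z = pow(g, x, n)
y = pow(z, pow(GID, -1, v), n)
sG = pow(z, -d, n)
assert pow(sG, e, n) == pow(y, -GID, n)          # GM's own key check

def cert_ok(s, xi):
    """U_i's certificate check: x_i^e == y^(GID (s_i - 1)) mod n."""
    return pow(xi, e, n) == pow(y, GID * (s - 1), n)

def join(label):
    """U_i joins: TA issues p_i, GM issues x_i; returns the certificate (s_i, x_i)."""
    ID, s = identity(label), rand_unit()
    zi = pow(g, s, n)                                # z_i = g^s_i
    pi = pow(zi, pow(ID, -1, v) * d % v, n)          # TA: p_i = z_i^(ID_i^-1 d)
    assert pow(pi, ID * e, n) == zi                  # U_i: p_i^(ID_i e) == z_i
    xi = pow(pi, ID * x, n) * sG % n                 # GM: x_i = p_i^(ID_i x) s_G = s_G^(1 - s_i)
    assert cert_ok(s, xi)
    return s, xi

def sign(m, s, xi):
    """Honest signing with (s_i, x_i); A reduced mod n only to keep it small (assumption)."""
    r1, r2, r3 = rand_unit(), rand_unit(), rand_unit()
    A = pow(r1, s, n)
    B = pow(r2, -e * A, n)                           # B = r2^(-eA)
    C = pow(y, GID * A * r3, n)                      # C = y^(GID A r3)
    D = s * H(m, A, B, C) + r3 * C                   # D over the integers
    E = xi * pow(r2, H(m, A, B, C, D), n) % n        # E = x_i r2^h(m||A||B||C||D)
    return A, B, C, D, E

def verify(m, sig):
    """y^(GID A D) == (E^(eA) B^h2 y^(GID A))^h1 C^C mod n, h1 = h(m||A||B||C), h2 = h(m||A||B||C||D)."""
    A, B, C, D, E = sig
    h1, h2 = H(m, A, B, C), H(m, A, B, C, D)
    inner = pow(E, e * A, n) * pow(B, h2, n) * pow(y, GID * A, n) % n
    return pow(y, GID * A * D, n) == pow(inner, h1, n) * pow(C, C, n) % n

def trace(m, sig, certs):
    """GM's dispute check x_i^(eA) B^(-h2) == E^(eA) mod n; returns the indexes of matching members."""
    A, B, C, D, E = sig
    target = pow(E, e * A, n) * pow(B, H(m, A, B, C, D), n) % n   # equals x_i^(eA) for the real signer
    return [i for i, (_, xi) in enumerate(certs) if pow(xi, e * A, n) == target]

def egcd(a, b):
    """Extended Euclid: returns (c, alpha, beta) with alpha*a + beta*b == c == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    c, al, be = egcd(b, a % b)
    return c, be, al - (a // b) * be

def coalition_forge(cert1, cert2):
    """Ateniese-Joye-Tsudik: x_i = s_G^(1 - s_i) lets two members derive s_G^c, c = gcd(s_1-1, s_2-1),
    and mint the never-issued certificate (cr + 1, (s_G^c)^-r)."""
    (s1, x1), (s2, x2) = cert1, cert2
    c, al, be = egcd(s1 - 1, s2 - 1)
    sG_c = pow(x1, -al, n) * pow(x2, -be, n) % n     # x_1^-alpha x_2^-beta = s_G^c
    r = rng.randrange(2, v)
    return c * r + 1, pow(sG_c, -r, n)

def universal_forge(m):
    """Wang: a signature from the public key (n, e, y, GID) alone, with no certificate at all."""
    a1, a2, A = rand_unit(), rand_unit(), rand_unit()
    B = pow(y, a1 * e * A, n)                        # B = y^(a1 e A)
    C = pow(y, a2 * GID * A, n)                      # C = y^(a2 GID A)
    D = H(m, A, B, C) + a2 * C                       # D = h1 + a2 C, over the integers
    E = pow(y, -a1 * H(m, A, B, C, D), n)            # E = y^(-a1 h2), so E^(eA) B^h2 == 1
    return A, B, C, D, E
```

Usage: `certs = [join("U1"), join("U2")]`; `verify(m, sign(m, *certs[0]))` and `trace(m, sig, certs)` show the honest path; `coalition_forge(*certs)` yields a pair that passes `cert_ok` and signs, and `universal_forge(m)` yields a signature that passes `verify` while `trace` returns no member, which is exactly the untraceability the conclusion claims. `trace` is written as `x_i^{eA} == E^{eA} B^{h_2}`, the same congruence as the page's $x_i^{eA} B^{-h_2} \equiv E^{eA}$ with $B^{h_2}$ moved across.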
Conclusions (1/1)
The Tseng-Jan group signature scheme is insecure: anybody can forge a valid group signature on any message, and the group manager is unable to determine the identity of the signer. The scheme is universally forgeable.
~ Thanks all ~