120 likes | 128 Views
This paper presents cryptanalysis of Saeednia's identity-based society oriented signature scheme with anonymous signers. Security analyses reveal vulnerabilities when members leave or join the organization, exposing secret keys. Recommendations for enhancing security are discussed.
E N D
Cryptanalysis of “an identity-based society oriented signature scheme with anonymous signers” Author :Zuhua Shao Source : Department of Computer and Electronic Engineering, Zhejiang University of Science and Technology, Information Processing Letters 86 (2003) 295–298 Speaker: Zi-Yan Wu(吳紫嫣) Date :2004/12/23
Outline • Introduction • Brief review of Saeednia’s society signature scheme • Security analyses
Introduction • There are two kinds of the society signature schemes: with knownsigners and with anonymous signers. • Saeednia proposed an identity-based society oriented signature scheme with anonymous signers based on the Quillou–Quisquater signature scheme. • In this paper, we will show that Saeednia’s society signature scheme is not secure. If some members leave or join the organization, their secret keys would be revealed.
Brief review of Saeednia’s society signature scheme • This scheme needs a trusted authority TA responsible for generating the secret keys for each user, linked to his identity. • TA randomly chooses two large safe primes p and q, and computes a common modulus n = pq. • Then TA chooses a prime v of some prescribed size and a one-way hash function h( ). • For each user with identity Ji , TA computes xi = Ii-v-1(mod n)and sends xito the user in a secure channel, where Ii = Red(Ji ) and v-1 is computed modulo (p -1)(q -1).
Brief review of Saeednia’s society signature scheme(cont.) • Suppose that an organization wants to enable k members, with identities J1,J2, ...,Jkand the corresponding secret key x1, x2,..,xk, respectively, to sign together messages on behalf of the organization. • The organization with identity JGgives the name of those members to the authority, which computesIc= IG(I1I2 ...IK)-1(mod n) and xc = Ic-v-1(mod n) then gives back xcto the organization. Here IG= Red(JG). • Here xG is the secret key of the organization.
Brief review of Saeednia’s society signature scheme(cont.) • To sign a message m, each signer with identity Jifirst chooses an integer ri ∈ Zn at random and computes ti = riv (mod n) and sends it to all other cosigners. When all ti ’s are received, each Ji computes d =h(T , m), and zi =rixid(mod n) • verifies each individual signature(zi, d) with respect to the related identity by checking whether zivI id(mod n) = ti .
Brief review of Saeednia’s society signature scheme(cont.) • If all signatures are valid, the clerk computes and sends the final organization signature (Z, d) together with the message m to a verifier. • To verify the signature, the verifier checks whether h( ZvI Gd(mod n),m )=d.
Security analyses • “if some members of a given group leave that group or if some new members join the group, the remaining members can still sign messages with their unique secret keys, . . . . The only value that is modified is xc, which is public and is only used by the clerk.”
Security analyses(cont.) • (1) A new member with identityJk+1 joins the group. Suppose that the members of the present group have identities J1,J2, . . . ,Jk. They have the secret key x1, x2, . . . ,xk, respectively, which satisfies the relation Ic’ =IG(I1I2. . . IkIk+1)-1(mod n) and xc’= (Ic’)-v-1(mod n)
Security analyses(cont.) xk+1=xc/xc’(mod n) • which is linked to the identity of the user Jk+1. Hence the outsider can impersonate the user with the identity Jk+1 to sign messages on behalf of the organization or generate own signature.
Security analyses(cont.) • (2) A member with identityJkleaves the group. Similar to case (1), any outsider can obtain xc” satisfying the relation • then obtain the secret key of the member Jkby calculating xk= xc”/xc (mod n).
Security analyses(cont.) • One straightforward way to overcome this weakness is to keep xcsecret. Thus the outsider cannot obtain xc’or xc”. • For reason of security, the organization must appoint an honest member as the clerk trusted by all co-signers. • The organization chooses a popular signature scheme, for example, DSA or RSA. Each member chooses own favorite signature scheme. • Therefore, the trusted clerk would shoulder the whole burden of the society oriented signature for the organization.