This paper explores the vulnerability of the Tseng-Jan group signature scheme to universal forgery, allowing anyone to create valid group signatures, making signer identity unverifiable. The attack method and its implications are detailed.
Universal forgery on a group signature scheme using self-certified public keys
Author: Guilin Wang
Source: Information Processing Letters, Vol. 89, 2004, pp. 227-231
Speaker: Pay-Chai Chang (張培才)
Outline
• Introduction
• Tseng-Jan scheme review
• Ateniese, Joye and Tsudik attack
• The Attack
• Conclusions
Introduction (1/1)
• Group signatures
• A secure group signature scheme must satisfy the following properties:
  (1) Unforgeability
  (2) Anonymity
  (3) Unlinkability
  (4) Exculpability
  (5) Traceability
  (6) Coalition-resistance
Tseng-Jan scheme review (1/7)
• The scheme involves four parties:
  • TA (a trusted authority)
  • GM (a group manager)
  • Ui (group members)
  • Verifiers
Tseng-Jan scheme review (2/7)
TA:
(1) $n := pq$ with $p := 2\cdot(\text{a prime}) + 1$ and $q := 2\cdot(\text{a prime}) + 1$, where $p$ and $q$ are also primes.
(2) Selects an element $g$ of order $v$, and $e$, $d$ satisfying $ed \equiv 1 \pmod v$.
(3) Chooses a publicly known hash function $f(\cdot)$ and publishes the public key $(n, e, g, f(\cdot))$; the secret key is $(p, q, d)$.
Tseng-Jan scheme review (3/7)
GM, with identity information $GD$, wants to establish a group:
(1) chooses a secret key $x$
(2) computes $z := g^{x} \bmod n$
(3) sends $z$ to the TA
Then the TA:
(1) evaluates $GID := f(GD)$
(2) calculates $y := z^{GID^{-1}} \bmod n$ and $s_G := z^{-d} \bmod n$
(3) sends $y$ and $s_G$ to GM
Tseng-Jan scheme review (4/7)
GM chooses a publicly known hash function $h(\cdot)$ and publishes the public key $(y, h(\cdot))$; the secret key is $(x, s_G)$.
GM checks the validity of his key pair by $s_G^{e} \equiv y^{-GID} \pmod n$.
A user $U_i$, with identity information $D_i$, wants to join the group:
(1) selects his secret key $s_i$
Tseng-Jan scheme review (5/7)
(2) computes $z_i = g^{s_i} \bmod n$ and sends $z_i$ to the TA
(3) TA sends back $p_i := (z_i)^{ID_i^{-1}\cdot d} \bmod n$, where $ID_i := f(D_i)$
(4) $U_i$ checks whether $p_i^{ID_i \cdot e} \equiv z_i \pmod n$. If $p_i$ is correct, user $U_i$ sends $p_i$ to GM
(5) GM returns $x_i$ to $U_i$, where $x_i := p_i^{ID_i \cdot x} \cdot s_G \bmod n$
(6) $U_i$ checks whether $x_i^{e} \equiv y^{GID \cdot (s_i - 1)} \pmod n$ holds. If the answer is yes, $U_i$ stores his membership certificate $(s_i, x_i)$
Tseng-Jan scheme review (6/7)
• User $U_i$ signs a message $m$ with his certificate $(s_i, x_i)$
• Randomly selects three numbers $r_1, r_2, r_3$
• Computes his signature $(A, B, C, D, E)$:
  $A := r_1 s_i$
  $B := r_2^{-eA} \bmod n$
  $C := y^{GID \cdot A \cdot r_3} \bmod n$
  $D := s_i \cdot h(m\|A\|B\|C) + r_3 C$
  $E := x_i \cdot r_2^{h(m\|A\|B\|C\|D)} \bmod n$
• To verify the validity of signature $(A, B, C, D, E)$ on message $m$, a verifier checks whether
  $y^{GID \cdot A \cdot D} \equiv \left(E^{eA} \cdot B^{h(m\|A\|B\|C\|D)} \cdot y^{GID \cdot A}\right)^{h(m\|A\|B\|C)} \cdot C^{C} \pmod n$
Tseng-Jan scheme review (7/7)
(4) In case of disputes, the group manager checks:
  $x_i^{eA} \cdot B^{-h(m\|A\|B\|C\|D)} \equiv E^{eA} \pmod n$
• Verify the correctness:
  (1) $x_i = p_i^{ID_i \cdot x} \cdot s_G = (z_i)^{dx} \cdot s_G = (g^{xd})^{s_i} \cdot s_G = s_G^{-s_i + 1} \bmod n$
  (2) $x_i = s_G^{-s_i + 1} = (y^{GID})^{d(s_i - 1)} \bmod n$
  (3) $\left(E^{eA} \cdot B^{h(m\|A\|B\|C\|D)} \cdot y^{GID \cdot A}\right)^{h(m\|A\|B\|C)} \cdot C^{C} = \left(y^{GID \cdot A (s_i - 1)} \cdot y^{GID \cdot A}\right)^{h(m\|A\|B\|C)} \cdot y^{GID \cdot A \cdot r_3 C} \bmod n = y^{GID \cdot A \,(s_i \, h(m\|A\|B\|C) + r_3 C)} \bmod n = y^{GID \cdot A \cdot D} \bmod n$
Ateniese, Joye and Tsudik attack (1/2)
• Assume that two colluding group members $U_1$ and $U_2$ have certificates $(s_1, x_1)$ and $(s_2, x_2)$, respectively.
• Let $c := \gcd(s_1 - 1, s_2 - 1)$ (the case of $c = 1$).
• By using the extended Euclidean algorithm, they can find two integers in $\mathbb{Z}$ that combine $(s_1 - 1)$ and $(s_2 - 1)$ into $c$.
• From $x_i = p_i^{ID_i \cdot x} \cdot s_G = (z_i)^{dx} \cdot s_G = (g^{xd})^{s_i} \cdot s_G = s_G^{-s_i + 1} \bmod n$, they can find $s_G^{c}$.
Ateniese, Joye and Tsudik attack (2/2)
(3) Choose a random number $r$, then define $s := cr + 1$ and the companion value $(s_G^{c})^{-r} \bmod n$.
Together they form a valid but illegal membership certificate, since $(s_G^{c})^{-r} = s_G^{(-cr - 1) + 1} = s_G^{-s + 1} \bmod n$.
The attack (1/3)
• Verification equation: $y^{GID \cdot A \cdot D} \equiv \left(E^{eA} \cdot B^{h(m\|A\|B\|C\|D)} \cdot y^{GID \cdot A}\right)^{h(m\|A\|B\|C)} \cdot C^{C} \pmod n$
• Choose four random numbers $a_1, a_2, a_3, A$, then define:
  $B := y^{a_1} \bmod n$, $C := y^{a_2} \bmod n$, $E := y^{a_3} \bmod n$
• From the verification equation, we get the condition for $D$:
  $GID \cdot A \cdot D = \left[a_3 eA + a_1 \cdot h(m\|A\|B\|C\|D)\right] h(m\|A\|B\|C) + GID \cdot A \cdot h(m\|A\|B\|C) + a_2 C \pmod v$
• Let $a_3 eA + a_1 \cdot h(m\|A\|B\|C\|D) = 0$; then
  $GID \cdot A \cdot D = GID \cdot A \cdot h(m\|A\|B\|C) + a_2 C$
The attack (2/3)
• We choose two random numbers $a_1, a_2$ and replace the exponents $a_1, a_2$ above by $a_1 \cdot eA$ and $a_2 \cdot GID \cdot A$; then
  $D = h(m\|A\|B\|C) + a_2 C \in \mathbb{Z}$ and $a_3 = -a_1 \cdot h(m\|A\|B\|C\|D) \in \mathbb{Z}$
• Summary of the attack:
  (1) Select three random numbers $a_1, a_2$ and $A$
  (2) Then define:
    $B := y^{a_1 eA} \bmod n$
    $C := y^{a_2 \cdot GID \cdot A} \bmod n$
    $D := h(m\|A\|B\|C) + a_2 C \in \mathbb{Z}$
    $E := y^{-a_1 \cdot h(m\|A\|B\|C\|D)} \bmod n$
The attack (3/3)
  (3) Output $(A, B, C, D, E)$ as a group signature for message $m$
• Proof that the forgery is successful:
  $\left(E^{eA} \cdot B^{h(m\|A\|B\|C\|D)} \cdot y^{GID \cdot A}\right)^{h(m\|A\|B\|C)} \cdot C^{C} = y^{-a_1 \, h(m\|A\|B\|C\|D) \, eA \, h(m\|A\|B\|C)} \cdot y^{a_1 eA \, h(m\|A\|B\|C\|D) \, h(m\|A\|B\|C)} \cdot y^{GID \cdot A \cdot h(m\|A\|B\|C)} \cdot y^{a_2 \cdot GID \cdot A \cdot C} \bmod n = y^{GID \cdot A \,(h(m\|A\|B\|C) + a_2 C)} \bmod n = y^{GID \cdot A \cdot D} \bmod n$
Conclusions (1/1)
• The Tseng-Jan group signature scheme is insecure
• Anybody can forge a valid group signature on any message such that the group manager is unable to determine the identity of the signer
• Universally forgeable
~ Thanks all ~