Attack on a threshold signature scheme based on the RSA cryptosystem
YUH-DAUH LYUU
Dept. of Computer Science & Information Engineering and Dept. of Finance, National Taiwan University, No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan

MING-LUEN WU
Dept. of Computer Science & Information Engineering, National Taiwan University, No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan, and Dept. of Information Management, Chung-Yu Institute of Technology, No. 40, Yi-7th Rd, Keelung, Taiwan
Abstract: - Recently, Hwang et al. proposed an efficient (t, n) threshold proxy signature scheme in which the original signer can authorize n proxy signers such that only the cooperation of t or more of them is able to generate a proxy signature on behalf of the original signer. Their scheme is based on the RSA cryptosystem. They claim that any t out of n proxy signers cannot derive the original signer's private key. This paper disproves this claim by showing that their system can be broken using only the public information. This result is obtained without even the need to obtain ciphertext or the factorization of the RSA modulus. Hence the signature scheme of Hwang et al. is insecure.

Key-Words: - Cryptography, Threshold proxy signature, RSA, Lagrange interpolation, Cryptanalysis.
1 Introduction
A (t, n) threshold proxy signature scheme allows the original signer to authorize n proxy signers such that only the cooperation of t or more proxy signers is able to generate a proxy signature on his behalf [2–4, 6–8]. In 2003, Hwang et al. presented an efficient threshold proxy signature scheme based on the RSA cryptosystem [3, 5].

Their scheme is divided into three phases: proxy sharing, proxy signature issuing, and verification. In the proxy sharing phase, the original signer computes the partial proxy signing keys from his private key and sends them to each authorized proxy signer. In the proxy signature issuing phase, t proxy signers with their proxy signing keys cooperate to generate a proxy signature on a message. In the verification phase, proxy signatures are verified and the actual proxy signers can be identified.

In Hwang et al.'s scheme, each signer has his own public and private keys as in the RSA cryptosystem. They claim that even the cooperation of any t proxy signers cannot obtain the original signer's private key. Their argument is essentially based on the difficulty of factoring the RSA modulus. This paper disproves this claim by showing that their system can be easily broken using only the public information. This result is obtained without even the need to obtain ciphertext or the factorization of the RSA modulus. Hence the signature scheme of Hwang et al. is insecure.
2 The proxy sharing phase of Hwang et al.'s scheme
In Hwang et al.'s scheme, there are three types of players: the original signer $P_0$, the proxy signers $P_1, P_2, \ldots, P_n$, and the combiner. The combiner generates proxy signatures with the help of the proxy signers. The scheme has three phases: proxy sharing, proxy signature issuing, and verification. Each signer uses the RSA cryptosystem [5]. Let $P_i$'s public key be $(e_i, N_i)$ and private key be $d_i$, $i = 0, 1, \ldots, n$. Note that the modulus $N_i$ is the product of two large primes $p_i$ and $q_i$ such that $e_i d_i \equiv 1 \pmod{\phi(N_i)}$ and $\gcd(e_i, \phi(N_i)) = 1$, where $\phi(N_i) = (p_i - 1)(q_i - 1)$. Here $m^{d_i} \bmod N_i$ is $m$ signed with $P_i$'s private key, and $m^{e_i} \bmod N_i$ is $m$ encrypted with $P_i$'s public key, using the RSA cryptosystem. In addition, let $w$ denote the warrant, which contains important information such as the expiration time of the proxy key and the identities of the original signer and proxy signers. Denote by $||$ the concatenation of two strings. $P_i$'s identity will be the number $i$.
Because Hwang et al.'s scheme can be broken right after the proxy sharing phase, we describe this phase in the following.
1. (Proxy generation). $P_0$ generates the proxy signature key $D$ and its corresponding proxy verification key $E$, where
$$D = d_0^w \bmod \phi(N_0), \qquad E = e_0^w \bmod \phi(N_0).$$
$P_0$ publishes $(w, E, (w || E)^{d_0} \bmod N_0)$.
2. (Proxy sharing). $P_0$ randomly generates a secret polynomial $f$ of degree $t - 1$,
$$f(X) = D + a_1 X + \cdots + a_{t-1} X^{t-1} \bmod \phi(N_0),$$
where $a_1, a_2, \ldots, a_{t-1}$ are random integers modulo $\phi(N_0)$. $P_0$ computes $P_i$'s partial proxy signing key $k_i = f(i)$ and sends $(k_i^{d_0} \bmod N_0 \,||\, k_i)^{e_i} \bmod N_i$ to $P_i$.
3. (Proxy sharing generation). After receiving $(k_i^{d_0} \bmod N_0 \,||\, k_i)^{e_i} \bmod N_i$, each $P_i$ can decrypt it to obtain $k_i^{d_0} \bmod N_0$ and $k_i$. Each $P_i$ then confirms the validity of $k_i$ and keeps it secret.
Let $T$ be a set of $t$ numbers. The polynomial $f(X)$ can be expressed as a Lagrange interpolating polynomial [1],
$$f(X) = \sum_{i \in T} L_i(X)\, f(i) \bmod \phi(N_0), \quad \text{where } L_i(X) = \prod_{j \in T,\, j \neq i} \frac{X - j}{i - j}.$$
Now,
$$D \equiv f(0) \equiv \sum_{i \in T} L_i(0)\, f(i) \pmod{\phi(N_0)}. \qquad (1)$$
3 The attack
We will show that using only the public information, anyone can obtain $d \in \mathbb{Z}$ such that $e_0 d \equiv 1 \pmod{\phi(N_0)}$. As this $d$ and the actual $d_0$ differ by some integer multiple of $\phi(N_0)$, it will work exactly as $d_0$, thus breaking the original signer's cryptosystem. This result is obtained without even the need to obtain ciphertext or the factorization of $N_0$. Our attack algorithm is described as follows.
Input: The public parameters $e_0, N_0, w, E$.
Output: An integer $d$ such that $e_0 d \equiv 1 \pmod{\phi(N_0)}$.
Step 1: Compute $e_0^w - E$.
Step 2: Compute $g$ as
$$g = \gcd\left(e_0^{\lceil \log_2(e_0^w - E) \rceil},\; e_0^w - E\right).$$
Step 3: Compute
$$N = \frac{e_0^w - E}{g}.$$
Step 4: Solve for $d$ satisfying $e_0 d \equiv 1 \pmod N$.
Step 5: Output $d$.
Now we prove that $e_0 d \equiv 1 \pmod{\phi(N_0)}$.

Proof. As $e_0^w \equiv E \pmod{\phi(N_0)}$, we can write $e_0^w - E = r\,\phi(N_0)$ for some integer $r$. Note that the attacker does not know $r$. As $\gcd(e_0, \phi(N_0)) = 1$, we have $\gcd(e_0^{\lceil \log_2(e_0^w - E) \rceil}, r) = g$. So $N = (e_0^w - E)/g = r'\,\phi(N_0)$, where $r' = r/g$ is an integer. Clearly $\gcd(e_0, N) = 1$. Thus a $d$ satisfying $e_0 d \equiv 1 \pmod N$ exists and is unique modulo $N$. Hence we have $e_0 d \equiv 1 \pmod{\phi(N_0)}$ because $\phi(N_0) \mid N$.
From the above proof, we know that any integer multiple of $\phi(N_0)$ can be used to replace $e_0^w - E$ in the attack algorithm. Next we show how any $t$ proxy signers can derive a smaller integer that is an integer multiple of $\phi(N_0)$. Assume that $T$ is the set of the $t$ proxy signers' identities. They compute $D'$ as
$$D' = \sum_{i \in T} L_i(0)\, k_i.$$
Note that in Hwang et al.'s scheme, all $L_i(0)$ must be integers. By Eq. (1), we have $D' \equiv D \pmod{\phi(N_0)}$ because $k_i = f(i)$. So
$$D'E \equiv DE \equiv d_0^w e_0^w \equiv 1 \pmod{\phi(N_0)}.$$
Hence $\phi(N_0) \mid (D'E - 1)$.
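The following Python is an added worked example, not code from the paper or from Hwang et al.'s scheme. It sets up a toy RSA instance (constructed small primes, small warrant $w$), runs Steps 1–5 of the attack on the public values alone, and then runs the colluding-proxies variant on $D'E - 1$; both paths share the Steps 2–4 core, which accepts any nonzero multiple of $\phi(N_0)$ as the proof above allows. Values for the primes, $e_0$, $w$ and the polynomial coefficients are assumptions chosen for readability.

```python
from math import gcd
from fractions import Fraction

# Constructed toy parameters for illustration only (not from the paper).
P0, Q0 = 1000003, 1000033         # primes behind the original signer's modulus N0
N0 = P0 * Q0
PHI_N0 = (P0 - 1) * (Q0 - 1)      # phi(N0): secret in the scheme, used here only for setup
E0 = 65537                        # public exponent e0
D0 = pow(E0, -1, PHI_N0)          # private exponent d0
W = 17                            # warrant w, treated as a small public integer
E_PUB = pow(E0, W, PHI_N0)        # published proxy verification key E = e0^w mod phi(N0)
D_PROXY = pow(D0, W, PHI_N0)      # proxy signing key D = d0^w mod phi(N0)

def recover_from_multiple(e0: int, m: int) -> int:
    """Steps 2-4: from any nonzero multiple m = r*phi(N0), return d with
    e0*d = 1 (mod phi(N0)). Needs gcd(e0, phi(N0)) = 1, which RSA guarantees."""
    m = abs(m)
    k = m.bit_length()             # k >= ceil(log2 m), so e0^k > m >= r
    g = gcd(pow(e0, k), m)         # collects every e0-factor of r (e0 is coprime to phi)
    n = m // g                     # n = r'*phi(N0) with gcd(e0, r') = 1
    return pow(e0, -1, n)          # d is unique mod n, and phi(N0) divides n

def attack_public_only(e0: int, w: int, E: int) -> int:
    """Steps 1-5 of the attack: only the public (e0, w, E) are used."""
    return recover_from_multiple(e0, pow(e0, w) - E)

def attack_colluding_proxies(e0: int, E: int, shares: dict) -> int:
    """Second part of Section 3: t proxies holding k_i = f(i), i in T, form
    D' = sum L_i(0) k_i; then D'E - 1 is a (much smaller) multiple of phi(N0)."""
    d_prime = 0
    for i, k_i in shares.items():
        l_i = Fraction(1)
        for j in shares:
            if j != i:
                l_i *= Fraction(-j, i - j)  # L_i(0) = prod_{j != i} (0 - j)/(i - j)
        assert l_i.denominator == 1         # the scheme requires integer L_i(0)
        d_prime += int(l_i) * k_i
    return recover_from_multiple(e0, d_prime * E - 1)

def proxy_shares(t: int, ident: list) -> dict:
    """Constructed proxy-sharing step: k_i = f(i), f(X) = D + a_1 X + ... + a_{t-1} X^{t-1}."""
    coeffs = [D_PROXY] + [(7654321 * c) % PHI_N0 for c in range(1, t)]  # fixed stand-in for random a_c
    return {i: sum(a * i**c for c, a in enumerate(coeffs)) % PHI_N0 for i in ident}

def breaks_signer(d: int) -> bool:
    """True if d acts exactly like d0: it undoes encryption under (e0, N0)."""
    msg = 123456789
    return (E0 * d) % PHI_N0 == 1 and pow(pow(msg, E0, N0), d, N0) == msg
```

The defensive lesson the example makes concrete: any value reduced modulo $\phi(N_0)$ that is published alongside its unreduced form (here $E$ next to the computable $e_0^w$) hands out a multiple of $\phi(N_0)$, which is as good as the private exponent.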
4 Conclusions

In this paper, we have shown that Hwang et al.'s scheme can be broken with only the public information. This result is obtained without even the need to obtain ciphertext or the factorization of the RSA modulus. If any t or more proxy signers collude, the attack can be made even more efficient. Hwang et al.'s scheme is therefore insecure.
References:
[1] R. L. Burden and J. D. Faires, Numerical Analysis. PWS Publishers, 4th ed., 1988.
[2] C.-L. Hsu, T.-S. Wu, and T.-C. Wu, "New repudiable threshold signature scheme with known signers," The Journal of Systems and Software, vol. 58, pp. 119–124, 2001.
[3] M.-S. Hwang, E. J.-L. Lu, and L.-C. Lin, "A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem," IEEE Transactions on Knowledge and Data Engineering, vol. 15, no. 6, pp. 1552–1560, 2003.
[4] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited," in Information and Communications Security—ICICS'97, vol. 1334 of LNCS, pp. 223–232, Springer-Verlag, 1997.
[5] R. L. Rivest, A. Shamir, and L. M. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," CACM, vol. 21, pp. 120–126, Feb. 1978.
[6] H.-M. Sun, "An efficient nonrepudiable threshold proxy signature scheme with known signers," Computer Communications, vol. 22, pp. 717–722, 1999.
[7] C.-S. Tsai, S.-F. Tseng, and M.-S. Hwang, "Improved non-repudiable threshold proxy signature scheme with known signers," INFORMATICA: An International Journal, vol. 14, no. 3, pp. 393–402, 2003.
[8] K. Zhang, "Threshold proxy signature schemes," in Information Security, First International Workshop, ISW '97, vol. 1396 of LNCS, pp. 282–290, Springer-Verlag, 1998.