2003 Institute of Mathematics and Informatics, Vilnius
On the Linkability of Some Group Signature Schemes
Hung-Min SUN
Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan 300
e-mail: hmsun@cs.nthu.edu.tw
Her-Tyan YEH, Tzonelih HWANG
Department of Computer Science and Information Engineering, National Cheng Kung University, Tainan, Taiwan 701
e-mail: htyeh@ismail.csie.ncku.edu.tw
Received: March 2003
Abstract. A group signature scheme is a digital signature scheme that allows a group member to sign messages anonymously on behalf of the group. Recently, Tseng and Jan proposed two group signature schemes based on self-certified and ID-based public keys respectively. However, these two schemes were shown to be insecure against forgery due to Joye et al. Later, Sun et al. showed that Tseng and Jan’s self-certified group signature scheme is linkable. In this paper, we first point out that the proposed linking equation, which is used to check the linkability of Tseng and Jan’s self-certified scheme, cannot work because the inverse problem of RSA is hard. A repaired linking equation is consequently proposed to fix this problem. Then, we show that Tseng and Jan’s ID-based scheme is still linkable because given any two valid group signatures it is easy to decide whether these two group signatures are generated by the same group member or not.
Key words: cryptography, group signatures, digital signatures, ID-based, self-certified, data security.
1. Introduction
Digital signatures are becoming more important in the industrial and commercial areas. They allow the owner of an electronic message to sign the message so that everyone is able to verify the validity of the signature and no one can forge a valid signature on behalf of the signer.
Group signature (Chaum and van Heyst, 1993) is a digital signature that allows a group member to sign messages anonymously on behalf of the group. More formally, a group signature has the following properties:
1. Only the group members are able to sign on behalf of the group.
2. The receiver can verify that it is a valid signature of that group, but cannot distinguish which group member made the signature.
3. In case of disputes, the signature can be “opened” to reveal the identity of the signer.
So far, various group signature schemes have been proposed (Camenisch, 1997; Camenisch and Michels, 1998; Camenisch and Stadler, 1997; Chen and Pedersen, 1995; Lee and Chang, 1998; Petersen, 1998; Park et al., 1997; Tseng and Jan, 1999b). Park et al. (1997) presented an ID-based group signature, which is based on the Ohta–Okamoto ID-based signature scheme (Ohta and Okamoto, 1988). Their scheme suffers from the weakness that the size of a group signature depends on the number of group members. Moreover, it has been shown in (Mao and Lim, 1998) that their scheme does not provide anonymity. In 1998, Lee and Chang (1998) suggested another efficient group signature scheme. However, their scheme does not enjoy the desirable property of unlinkability and is insecure against some attacks (Joye et al., 1999a). In order to provide the unlinkability property in Lee and Chang’s scheme, Tseng and Jan (Tseng and Jan, 1999a) proposed an improved group signature scheme. Soon, the improved scheme was shown to be linkable by Sun (1999) and insecure against forgery by Joye, Lee and Hwang (Joye et al., 1999a). Recently, based on self-certified public keys (Saeednia, 1997; Wu et al., 1998), Tseng and Jan (1999b) proposed a group signature scheme using self-certified public keys. Later, Sun, Chen and Hwang (1999) showed that Tseng and Jan’s scheme is linkable. In order to enhance the security and improve the performance of Park et al.’s scheme, Tseng and Jan (1999c) further proposed a novel ID-based group signature scheme in which the size of a group signature is constant. However, these two group signature schemes (self-certified and ID-based) proposed by Tseng and Jan were shown to be insecure against forgery by Joye, Kim and Lee (Joye et al., 1999b). In this paper, we first point out that the proposed linking equation, which is used to check the linkability of Tseng and Jan’s self-certified scheme, cannot work because the inverse problem of RSA is hard. A repaired linking equation is consequently proposed to fix this problem. Then, we show that Tseng and Jan’s ID-based scheme is still linkable because, given any two valid group signatures, it is easy to decide whether these two group signatures are generated by the same group member or not.
The rest of this paper is organized as follows. In Section 2, we briefly review Tseng and Jan’s group signature schemes. In Section 3, we review the linkability of Tseng and Jan’s self-certified group signature scheme. In Section 4, we comment on the linking equation, which is proposed by Sun, Chen and Hwang, and propose a repaired linking equation to fix this problem. In Section 5, we show the linkability of Tseng and Jan’s ID-based group signature scheme. Finally, we conclude this paper in Section 6.
2. Review of Tseng and Jan’s Group Signature Schemes
In this section, we give a short description of the Tseng–Jan group signature schemes. We refer the reader to (Tseng and Jan, 1999b; Tseng and Jan, 1999c) for more details. These schemes involve four roles of participants: a trusted authority, a group authority, group members, and verifiers. The trusted authority is responsible for setting up system parameters. The group authority is responsible for issuing membership certificates to new group members who join the group, and in case of a dispute for opening the contentious group signature to reveal the identity of the actual signer. The group members sign messages on behalf of the group, and the verifiers check the validity of the group signatures using the group public key.
Tseng and Jan’s schemes are divided into three stages: the system setup stage, the group signature and verification stage, and the user identification stage.
2.1. Self-Certified Group Signature Scheme
2.1.1. System Setup Stage
This stage consists of the system initialization phase and the group creation phase.
System Initialization Phase. The trusted authority chooses two large primes $p$ and $q$ of the same size and $N = pq$ such that $p = 2p' + 1$ and $q = 2q' + 1$, where $p'$ and $q'$ are also primes; a base $g \in Z_N^*$ with order $v = p'q'$; and a large integer $u < v$. The trusted authority then selects an odd integer $e \in Z_v^*$ and computes the corresponding value $d$ such that $e \cdot d = 1 \bmod v$. The parameters $d$, $p$, $q$, $p'$ and $q'$ are kept secret. The parameters $e$, $N$, $g$ and $u$ are made public.
When a user $U_i$ (whose identity description is $D_i$) wants to join the system, he randomly selects his secret key $s_i \in Z_u$ and computes $g^{s_i} \bmod N$. Then he sends $g^{s_i} \bmod N$ and $D_i$ to the trusted authority to request his public key. The trusted authority computes and publishes his public key as $p_i = g^{s_i \cdot ID_i^{-1} \cdot d} \bmod N$, where $ID_i = f(D_i)$. After getting the public key, the user can verify its validity by checking whether the equation $p_i^{e \cdot ID_i} = g^{s_i} \bmod N$ holds.
Besides, there exists a group authority (whose identity description is $GD$) for setting up the group signature scheme. Similarly, the group authority randomly selects his secret key $x \in Z_u$ and computes $g^x \bmod N$, then sends $g^x \bmod N$ and $GD$ to the trusted authority to request his public key. The trusted authority computes and publishes his public key as $y = g^{x \cdot GID^{-1}} \bmod N$, where $GID = f(GD)$. The group authority can verify the validity of his public key by checking whether the equation $y^{GID} = g^x \bmod N$ holds. The trusted authority also computes another secret key for the group authority as $s_G = g^{-x \cdot d} \bmod N$ and sends it to the group authority secretly.
Group Creation Phase. The responsibility of the group authority is to create a group such that each member of this group can sign a message on behalf of the group. Therefore, for each group member $U_i$ with identity $ID_i$, the group authority computes $x_i = p_i^{ID_i \cdot x} \cdot s_G \bmod N$ ($= g^{s_i \cdot d \cdot x} \cdot g^{-x \cdot d} \bmod N$) as another secret key of $U_i$. The secret key $x_i$ is transmitted to the group member $U_i$ secretly. The group member $U_i$ can verify the validity of the secret key by checking whether the equation $x_i^{e} = y^{GID \cdot s_i} \cdot y^{-GID} \bmod N$ holds.
2.1.2. Group Signature and Verification Stage
When a group member $U_i$ wants to sign a message $M$ on behalf of the group, he first chooses three random integers $r_1$, $r_2$ and $r_3$ in $Z_u$. Then the group signature parameters $\{A, B, C, D, E\}$ are computed as follows:
$$A = r_1 \cdot s_i,\qquad B = r_2^{-e \cdot A} \bmod N,\qquad C = y^{GID \cdot A \cdot r_3} \bmod N,$$
$$D = s_i \cdot h(M \| A \| B \| C) + r_3 \cdot C,\qquad E = x_i \cdot r_2^{\,h(M \| A \| B \| C \| D)} \bmod N,$$
where ‘$\|$’ denotes concatenation. Thus the 6-tuple $\{M, A, B, C, D, E\}$ is a valid group signature.
Upon receiving the group signature $\{M, A, B, C, D, E\}$, anyone (verifier) can verify the validity of the signature by checking whether the following congruence holds:
$$y^{GID \cdot A \cdot D} = E^{e \cdot A} \cdot B^{h(M \| A \| B \| C \| D)} \cdot y^{GID \cdot A \cdot h(M \| A \| B \| C)} \cdot C^{C} \bmod N.$$
2.1.3. User Identification Stage
In the case of a later dispute, the group signature may be “opened” so that the identity of the signer is revealed. Because the group authority knows all the secret keys $x_i$ of the group members, for $i = 1, 2, \ldots, k$, where $k$ is the number of group members, the identity of the signer can be found by the equation
$$(x_i)^{e \cdot A} \cdot B^{-h(M \| A \| B \| C \| D)} = E^{e \cdot A} \bmod N.$$
If the equation holds, then $x_i$ is the secret key of the signer. In order to convince others, the group authority randomly selects an integer $r$ in $Z_u$ and computes
$$R = \bigl((p_i^{ID_i \cdot e} \cdot g^{-1})^{A}\bigr)^{r} \bmod N,\qquad S = r + h(R \| M \| A \| B \| C \| D) \cdot x.$$
Then the group authority publishes the identification information $(R, S)$ and the user’s identity $ID_i$. Upon receiving the information from the group authority, anyone can identify the identity $ID_i$ of the signer for the group signature $\{M, A, B, C, D, E\}$ by checking whether the following equation holds:
$$R \cdot \bigl(E^{e \cdot A} \cdot B^{h(M \| A \| B \| C \| D)}\bigr)^{h(R \| M \| A \| B \| C \| D)} = \bigl(p_i^{ID_i} \cdot g^{-1}\bigr)^{S \cdot A} \bmod N.$$
2.2. ID-Based Group Signature Scheme
2.2.1. System Setup Stage
System Initialization Phase. For setting up the system, the trusted authority selects two large primes $p_1$ ($\equiv 3 \bmod 8$) and $p_2$ ($\equiv 7 \bmod 8$) such that both $(p_1 - 1)/2$ and $(p_2 - 1)/2$ are odd and relatively prime. Note that with the above restrictions on $p_1$ and $p_2$, it is feasible for the trusted authority to find discrete logarithms modulo $p_1$ and $p_2$ (Lim and Lee, 1992; Maurer and Yacobi, 1992; Maurer and Yacobi, 1996). Let $N = p_1 p_2$. The trusted authority also selects two integers $e$ and $t$ in $Z_{\phi(N)}^*$ and computes the corresponding values $d$ and $v$ which satisfy
$$ed \equiv 1 \pmod{\phi(N)},\qquad vt \equiv 1 \pmod{\phi(N)},$$
but keeps $t$, $d$ and $v$ secret and publishes $e$. Let $g$ be a primitive element in $Z_N^*$. Then the trusted authority computes a public value
$$F = g^{v} \bmod N,$$
where $v \equiv t^{-1} \pmod{\phi(N)}$.
When a user $U_i$ (with identity information $D_i$) wants to join the group, the trusted authority computes
$$s_i = e \cdot t \cdot \log_g ID_i \bmod \phi(N),\qquad\text{where}\qquad ID_i = \begin{cases} D_i \bmod N & \text{if } (D_i/N) = 1,\\ 2D_i \bmod N & \text{if } (D_i/N) = -1.\end{cases}$$
Finally, the trusted authority sends $s_i$ to the user $U_i$ secretly.
Group Creation Phase. Let $GA$ be a group authority with secret key $x$, who computes the corresponding public key $y = F^{x} \bmod N$. For each group member $U_i$ (with identity information $ID_i$), the group authority computes
$$x_i = ID_i^{\,x} \bmod N.$$
Then $GA$ sends $x_i$ to the user $U_i$ secretly.
From the above phases, the system parameters are summarized as follows:
1. The secret values of the trusted authority are $(p_1; p_2; d; v; t; x)$.
2. The public values of the trusted authority are $(N; e; g; F; y)$.
3. The secret key of the group authority is $x$.
4. The public key of the group authority is $y$.
5. The secret key of the user $U_i$ is the pair $(s_i, x_i)$.
6. The public key of the user $U_i$ is $ID_i$.
2.2.2. Group Signature and Verification Stage
When a group member $U_i$ wants to sign a message $M$ on behalf of the group, he first chooses two random integers $r_1$, $r_2$ in $Z_N^*$. Then the group signature $(A, B, C, D)$ for the message $M$ is computed as follows:
$$A = y^{r_1} \bmod N,\qquad B = y^{r_2 \cdot e} \bmod N,$$
$$C = s_i + r_1 \cdot h(M \| A \| B) + r_2 \cdot e,\qquad D = x_i \cdot y^{r_2 \cdot h(M \| A \| B \| C)} \bmod N,$$
where ‘$\|$’ denotes concatenation and $h()$ is a one-way hash function.
Upon receiving the group signature $(A, B, C, D)$ on the message $M$, anyone (verifier) can verify the validity of the group signature by checking whether the following congruence holds:
$$D^{e} \cdot A^{h(M \| A \| B)} = y^{C} \cdot B^{h(M \| A \| B \| C)} \bmod N.$$
2.2.3. User Identification Stage
In case of a dispute, the group authority can open the group signature in order to learn who indeed signed it, by finding the $ID_i$ satisfying the following equation:
$$(ID_i)^{x \cdot e} = D^{e} \cdot B^{-h(M \| A \| B \| C)} \bmod N$$
for $i = 1, \ldots, k$, where $k$ is the number of group members.
In order to convince other verifiers that the user $U_i$ with identity $ID_i$ is indeed the signer, the group authority randomly selects an integer $r$ in $Z_N^*$ and computes
$$R = (ID_i)^{r \cdot e} \bmod N,\qquad S = r + h(M \| A \| B \| R) \cdot x.$$
Then the group authority publishes the identification information $(R, S)$ and the user’s identity $ID_i$. Upon receiving the announcement from the authority, the verifier may identify the identity $ID_i$ of the signer for the group signature $(A, B, C, D)$ by checking the following equation:
$$(ID_i)^{S \cdot e} = R \cdot \bigl(y^{C} \cdot A^{-h(M \| A \| B)} \cdot B^{-1}\bigr)^{h(M \| A \| B \| R)} \bmod N.$$
If the above equation holds, the user with the identity $ID_i$ is identified.
3. Review of Linkability of Tseng and Jan’s Self-Certified Group Signature Scheme
One of the main properties of group signatures is that they allow the group members to sign anonymously on behalf of the group. This property is called unlinkability, i.e., two different valid group signatures are unlinkable if no one (but the group authority) can decide whether these two signatures were generated by the same group member or not.
In the following, we review Sun et al.’s attack (Sun et al., 1999), which shows that Tseng and Jan’s self-certified scheme is linkable, i.e., given two group signatures, it can easily be decided whether both signatures were generated by the same group member.
Without loss of generality, we assume that $\{M, A, B, C, D, E\}$ and $\{M', A', B', C', D', E'\}$ are two valid group signatures. If the same group member $U_i$ generates these two group signatures, then from the signature generation stage we know:
$$B^{A^{-1} \cdot h(M \| A \| B \| C \| D)} = r_2^{-e \cdot h(M \| A \| B \| C \| D)} \bmod N, \quad (1)$$
$$E^{e} = x_i^{e} \cdot r_2^{\,e \cdot h(M \| A \| B \| C \| D)} \bmod N, \quad (2)$$
$$(B')^{(A')^{-1} \cdot h(M' \| A' \| B' \| C' \| D')} = (r_2')^{-e \cdot h(M' \| A' \| B' \| C' \| D')} \bmod N, \quad (3)$$
$$(E')^{e} = x_i^{e} \cdot (r_2')^{e \cdot h(M' \| A' \| B' \| C' \| D')} \bmod N. \quad (4)$$
Multiplying (1) by (2), we obtain:
$$B^{A^{-1} \cdot h(M \| A \| B \| C \| D)} \cdot E^{e} = x_i^{e} \bmod N. \quad (5)$$
Similarly, multiplying (3) by (4), we obtain:
$$(B')^{(A')^{-1} \cdot h(M' \| A' \| B' \| C' \| D')} \cdot (E')^{e} = x_i^{e} \bmod N. \quad (6)$$
From (5) and (6), we know:
$$B^{A^{-1} \cdot h(M \| A \| B \| C \| D)} \cdot E^{e} = (B')^{(A')^{-1} \cdot h(M' \| A' \| B' \| C' \| D')} \cdot (E')^{e} \bmod N. \quad (7)$$
Thus the proposed group signature scheme is linkable by checking whether (7) holds (note that $e$ is public). That is, if (7) holds, then these two group signatures come from the same signer, and vice versa.
4. Comment and Repair of Sun, Chen and Hwang’s Attack
4.1. Comments on the Linking Equation
In fact, the linking equation (7) cannot work because both $A^{-1} \bmod \phi(N)$ and $(A')^{-1} \bmod \phi(N)$ are unknown to any verifier, due to the difficulty of factoring $N$. This is similar to the inverse problem of RSA, in which it is infeasible for one who knows the public exponent to compute the secret exponent.
4.2. A Repaired Linking Equation
We need only raise both sides of the linking equation (7) to the power $A \cdot A'$. Thus we obtain the following linking equation:
$$B^{A' \cdot h(M \| A \| B \| C \| D)} \cdot E^{A \cdot A' \cdot e} = (B')^{A \cdot h(M' \| A' \| B' \| C' \| D')} \cdot (E')^{A \cdot A' \cdot e} \bmod N. \quad (8)$$
This linking equation (8) is feasible because the inverse problem of RSA no longer arises in it: every exponent is a public integer.
5. Linkability of Tseng and Jan’s ID-Based Group Signature Scheme
In the following, we apply the model of Sun, Chen and Hwang’s attack to show that Tseng and Jan’s ID-based scheme is still linkable: given two valid group signatures, it can easily be decided whether the same group member generated both signatures.
We assume that $(A, B, C, D)$ and $(A', B', C', D')$ are two valid group signatures. From the signature generation stage we know:
$$B^{h(M \| A \| B \| C)} = y^{r_2 \cdot e \cdot h(M \| A \| B \| C)} \bmod N, \quad (9)$$
$$D^{e} = x_i^{e} \cdot y^{r_2 \cdot e \cdot h(M \| A \| B \| C)} \bmod N, \quad (10)$$
$$(B')^{h(M' \| A' \| B' \| C')} = y^{r_2' \cdot e \cdot h(M' \| A' \| B' \| C')} \bmod N, \quad (11)$$
$$(D')^{e} = (x_i')^{e} \cdot y^{r_2' \cdot e \cdot h(M' \| A' \| B' \| C')} \bmod N. \quad (12)$$
From (9) and (10), we obtain:
$$B^{h(M \| A \| B \| C)} \cdot x_i^{e} = D^{e} \bmod N. \quad (13)$$
Similarly, from (11) and (12), we obtain:
$$(B')^{h(M' \| A' \| B' \| C')} \cdot (x_i')^{e} = (D')^{e} \bmod N. \quad (14)$$
From (13) and (14), we know:
$$B^{h(M \| A \| B \| C)} \cdot (D')^{e} \cdot x_i^{e} = (B')^{h(M' \| A' \| B' \| C')} \cdot D^{e} \cdot (x_i')^{e} \bmod N. \quad (15)$$
If these two group signatures are generated by the same group member, then $x_i$ is equal to $x_i'$. So, in this case, (15) reduces to:
$$B^{h(M \| A \| B \| C)} \cdot (D')^{e} = (B')^{h(M' \| A' \| B' \| C')} \cdot D^{e} \bmod N. \quad (16)$$
Since no secret parameter appears in (16), anyone can check whether (16) holds or not. If (16) holds, then these two group signatures come from the same signer. If (16) does not hold, then these two group signatures come from different group members. So, Tseng and Jan’s group signature scheme is linkable. In the following, we give an example to illustrate the linkability.
Example. Let $p' = 3$, $q' = 5$, $p = 2p' + 1 = 7$, $q = 2q' + 1 = 11$, $N = pq = 77$, $e = 7$, $d = 13$, $ed \equiv 1 \bmod p'q'$. Take two group signatures $(A, B, C, D) = (3, 2, 5, 2)$ and $(A', B', C', D') = (11, 13, 7, 3)$, and let $h(M \| A \| B \| C) = 2$ and $h(M' \| A' \| B' \| C') = 1$. We find $B^{h(M \| A \| B \| C)} \cdot (D')^{e} \bmod N = 2^{2} \cdot 3^{7} \bmod 77 = 47$, and $(B')^{h(M' \| A' \| B' \| C')} \cdot D^{e} \bmod N = 13^{1} \cdot 2^{7} \bmod 77 = 47$. By (16), we decide that these two group signatures come from the same signer.
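As an added example (not the authors’ code), the following Python evaluates the repaired linking equation (8) of Section 4.2 and the linking equation (16) of Section 5 on toy parameters. It reproduces the paper’s instance of (16) with $N = 77$, $e = 7$; the self-certified signature parts $(A, B, E)$ used for (8) are constructed here from the signing equations of Section 2.1.2, and hash outputs are supplied as integers exactly as the paper’s example does.

```python
"""Linking checks (8) and (16) on toy parameters.  Added example, not the
authors' code.  Hash outputs h(...) are given as integers, as in the paper's
own numeric example; the modulus N = 77 and e = 7 are taken from it."""


def id_based_link_values(sig, h, sig2, h2, e, N):
    """Both sides of (16) for ID-based signatures (A, B, C, D), (A', B', C', D'):
    B^h(M||A||B||C) * D'^e  and  B'^h(M'||A'||B'||C') * D^e  (mod N)."""
    _, B, _, D = sig
    _, B2, _, D2 = sig2
    lhs = pow(B, h, N) * pow(D2, e, N) % N
    rhs = pow(B2, h2, N) * pow(D, e, N) % N
    return lhs, rhs


def id_based_linked(sig, h, sig2, h2, e, N):
    """True iff (16) holds, i.e. both signatures carry the same x_i."""
    lhs, rhs = id_based_link_values(sig, h, sig2, h2, e, N)
    return lhs == rhs


def self_certified_link_values(sig, h, sig2, h2, e, N):
    """Both sides of the repaired equation (8) for self-certified signatures.
    sig = (A, B, E): only these components enter (8).  Raising (7) to A*A'
    turns the exponent A^{-1} mod phi(N), which a verifier cannot compute,
    into A', so every exponent below is a public integer."""
    A, B, E = sig
    A2, B2, E2 = sig2
    lhs = pow(B, A2 * h, N) * pow(E, A * A2 * e, N) % N
    rhs = pow(B2, A * h2, N) * pow(E2, A * A2 * e, N) % N
    return lhs, rhs


def self_certified_linked(sig, h, sig2, h2, e, N):
    """True iff (8) holds; each side equals x_i^(A*A'*e) mod N of its signer."""
    lhs, rhs = self_certified_link_values(sig, h, sig2, h2, e, N)
    return lhs == rhs


def toy_self_certified_parts(x_i, s_i, r_1, r_2, h, e, N):
    """Constructed (A, B, E) of a self-certified signature, following the
    signing equations A = r_1*s_i, B = r_2^(-e*A) mod N, E = x_i*r_2^h mod N,
    with h standing in for h(M||A||B||C||D).  r_2 must be coprime to N."""
    A = r_1 * s_i
    B = pow(pow(r_2, -1, N), e * A, N)
    E = x_i * pow(r_2, h, N) % N
    return A, B, E


if __name__ == "__main__":
    N, e = 77, 7
    # The paper's instance of (16): both sides evaluate to 47.
    print(id_based_link_values((3, 2, 5, 2), 2, (11, 13, 7, 3), 1, e, N))
    # Constructed self-certified instances: two signatures from the member
    # holding x_i = 4 satisfy (8); one from a member holding x_j = 5 does not.
    s1 = toy_self_certified_parts(4, 2, 1, 2, 3, e, N)
    s2 = toy_self_certified_parts(4, 2, 3, 3, 5, e, N)
    s3 = toy_self_certified_parts(5, 3, 1, 5, 4, e, N)
    print(self_certified_linked(s1, 3, s2, 5, e, N))   # True
    print(self_certified_linked(s1, 3, s3, 4, e, N))   # False
```

With such a small modulus the exponent $A \cdot A' \cdot e$ can be a multiple of the group order, in which case (8) holds trivially for any pair; the constructed values above avoid that, and a real $N$ makes it irrelevant.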
6. Conclusions
In this paper, we first point out that the proposed linking equation, which is used to check the linkability of Tseng and Jan’s self-certified scheme, cannot work because the inverse problem of RSA is hard. A repaired linking equation is consequently proposed to fix this problem. Then, we show that Tseng and Jan’s ID-based scheme still suffers from the weakness of linkability.
References
Camenisch, J. (1997). Efficient and generalized group signatures. Advances in Cryptology – EUROCRYPT ’97, LNCS, 1233, 465–479.
Camenisch, J., and M. Michels (1998). A group signature scheme based on an RSA variant. BRICS report, preliminary version in Advances in Cryptology – ASIACRYPT ’98, LNCS, 1514, 160–174.
Camenisch, J., and M. Stadler (1997). Efficient group signature schemes for large groups. Advances in Cryptology – CRYPTO ’97, LNCS, 1296, 410–424.
Chaum, D., and E. van Heyst (1993). Group signatures. Advances in Cryptology – EUROCRYPT ’91, LNCS, 547, 257–265.
Chen, L., and T.P. Pedersen (1995). New group signature schemes. Advances in Cryptology – EUROCRYPT ’94, pp. 163–173.
Joye, M., N.Y. Lee and T. Hwang (1999a). On the security of the Lee–Chang group signature scheme and its derivatives. Information Security Workshop.
Joye, M., S. Kim and N.Y. Lee (1999b). Cryptanalysis of two group signature schemes. In M. Mambo and Y. Zheng (Eds.), Information Security, LNCS, 1729, pp. 271–275.
Lee, W.B., and C.C. Chang (1998). Efficient group signature scheme based on the discrete logarithm. IEE Proc. Comput. Digit. Tech., 145(1), 15–18.
Lim, W.B., and P.J. Lee (1992). Modified Maurer–Yacobi’s scheme and its application. Proc. AUSCRYPT ’91, pp. 308–323.
Mao, W., and C.H. Lim (1998). Cryptanalysis in prime order subgroups of $Z_n$. Advances in Cryptology – ASIACRYPT ’98, LNCS, 1514, 214–226.
Maurer, U.M., and Y. Yacobi (1992). Non-interactive public-key cryptography. Proc. EUROCRYPT ’91, pp. 498–507.
Maurer, U.M., and Y. Yacobi (1996). A non-interactive public-key distribution system. Designs, Codes and Cryptography, 9, 305–316.
Ohta, K., and E. Okamoto (1988). Practical extension of Fiat–Shamir scheme. Electronics Letters, 24(15), 955–956.
Petersen, H. (1998). How to convert any digital signature scheme into a group signature. Security Protocols Workshop, LNCS, 1361.
Park, S., S. Kim and D. Won (1997). ID-based group signature. Electronics Letters, 33(19), 1616–1617.
Saeednia, S. (1997). Identity-based and self-certified key-exchange protocols. Proc. Information Security and Privacy, Second Australasian Conf., Sydney, Australia, pp. 303–313.
Sun, H.M. (1999). Comments on improved group signature scheme based on the discrete logarithm. IEE Electronics Letters, 35(16), 1323–1324.
Sun, H.M., B.J. Chen and T. Hwang (1999). Cryptanalysis of group signature scheme using self-certified public keys. Electronics Letters, 35(22), 1938–1939.
Tseng, Y.M., and J.K. Jan (1999a). Improved group signature scheme based on the discrete logarithm. Electronics Letters, 35(1), 37–38.
Tseng, Y.M., and J.K. Jan (1999b). A group signature scheme using self-certified public keys. Proc. of the Ninth National Conference on Information Security, pp. 165–172.
Tseng, Y.M., and J.K. Jan (1999c). A novel ID-based group signature. Information Sciences, 120, 131–141.
Wu, T.C., Y.S. Chang and T.Y. Lin (1998). Improvement of Saeednia’s self-certified key exchange protocols. Electronics Letters, 34(11), 1094–1095.