On the linkability of some group signature schemes

(1)

2003 Institute of Mathematics and Informatics, Vilnius

On the Linkability of Some Group Signature Schemes

Hung-Min SUN,

Department of Computer Science, National Tsing Hua University Hsinchu, Taiwan 300

e-mail: hmsun@cs.nthu.edu.tw

Her-Tyan YEH, Tzonelih HWANG

Department of Computer Science and Information Engineering National Cheng Kung University

Tainan, Taiwan 701

e-mail: htyeh@ismail.csie.ncku.edu.tw Received: March 2003

Abstract. A group signature scheme is a digital signature scheme that allows a group member to

sign messages anonymously on behalf of the group. Recently, Tseng and Jan proposed two group signature schemes based on self-certified and ID-based public keys respectively. However, these two schemes were shown to be insecure against forgery due to Joye et al. Later, Sun et al. showed that Tseng and Jan’s self-certified group signature scheme is linkable. In this paper, we first point out that the proposed linking equation, which is used to check the linkability of Tseng and Jan’s self-certified scheme, cannot work because the inverse problem of RSA is hard. A repaired linking equation is consequently proposed to fix this problem. Then, we show that Tseng and Jan’s ID- based scheme is still linkable because given any two valid group signatures it is easy to decide whether these two group signatures are generated by the same group member or not.

Key words: cryptography, group signatures, digital signatures, ID-based, self-certified, data

security.

1. Introduction

Digital signatures are becoming more important in the industrial and commercial areas.

It allows the owner of an electronic message to sign the message that everyone is able to verify the validity of the signature and no one can forge a valid signature on behalf of the signer.

Group signature (Chaum and van Heyst, 1993) is a digital signature that allows a group member to sign messages anonymously on behalf of the group. More formally, a group signature has the following properties:

1. Only the group members are able to sign on behalf of the group.

2. The receiver can verify that it is a valid signature of that group, but cannot distin-

guish which group member made the signature.

(2)

3. In case of disputes, the signature can be “opened” to reveal the identity of the signer.

So far, various group signature schemes have been proposed (Camenisch, 1997; Ca- menisch and Michels, 1998; Camenisch and Stadler, 1997; Chen and Pedersen, 1995; Lee and Chang, 1998; Petersen, 1998; Park et al., 1997; Tseng and Jan, 1999b). Park et al.

(1997) presented an ID-based group signature, which is based on the Ohta–Okamoto’s ID-based signature scheme (Ohta and Okamoto, 1988). Their scheme suffers from the weakness that the size of a group signature is dependent upon the number of group members. Moreover, it has been shown in (Mao and Lim, 1998) that their scheme does not provide anonymity. In 1998, Lee and Chang (1998) suggested another efficient group signature scheme. However their scheme doesn’t enjoy the desirable property of unlinkability and is insecure against some attacks (Joye et al., 1999a). In order to provide the unlinkability property in Lee and Chang’s scheme, Tseng and Jan (Tseng and Jan, 1999a) proposed an improved group signature scheme. Soon, the improved scheme was shown to be linkable due to Sun (1999) and be insecure against forgery due to Joye, Lee and Hwang (Joye et al., 1999a). Recently, based on self-certified public keys (Saeednia, 1997; Wu et al., 1998), Tseng and Jan (1999) proposed a group signature scheme using self-certified public keys. Later, Sun, Chen and Hwang showed that Tseng and Jan’s scheme is linkable. In order to enhance the security and improve the performance of Park et al.’s scheme, Tseng and Jan (1999) further proposed a novel ID-based group signature scheme in which the size of a group signature is constant. However, these two group signature schemes (self-sertified and ID-based) proposed by Tseng et al. were shown to be insecure against forgery due to Joye, Kim and Lee (1999). In this paper, we first point out that the proposed linking equation, which is used to check the linkability of Tseng and Jan’s self-certified scheme, cannot work because the inverse problem of RSA is hard. A repaired linking equation is consequently proposed to fix this problem. Then, we show that Tseng and Jan’s ID-based scheme is still linkable because given any two valid group signatures it is easy to decide whether these two group signatures are generated by the same group member or not.

The rest of this paper is organized as follows. In Section 2, we briefly review Tseng and Jan’s group signature schemes. In Section 3, we review the linkability of Tseng and Jan’s self-certified group signature scheme. In Section 4, we comment on the linking equation, which is proposed by Sun, Chen and Hwang, and propose a repaired linking equation to fix this problem. In Section 5, we show the linkability of Tseng and Jan’s ID-based group signature scheme. Finally, we conclude this paper in Section 6.

2. Review of Tseng and Jan’s Group Signature Schemes

In this section, we give a short description of the Tseng–Jan group signature schemes.

We refer the reader to (Tseng and Jan, 1999b; Tseng and Jan, 1999c) for more details.

These schemes involve four roles of participants: a trusted authority, a group authority,

group members, and verifiers. The trusted authority is responsible for setting up system

(3)

parameters. The group authority is responsible for issuing membership certificates to new group members who join the group, and in case of a dispute for opening the contentious group signature to reveal the identity of the actual signer. The group members sign messages on behalf of the group, and the verifiers check the validity of the group signatures using the group public key.

Tseng and Jan’s schemes are divided into three stages: the system setup stage, the group signature and verification stage, and the user identification stage.

2.1. Self-Certified Group Signature Scheme

2.1.1. System Setup Stage

This stage consists of the system initialization phase and the group creation phase.

System Initialization Phase. The trusted authority chooses: two large primes p and q of the same size and N = pq such that p = 2p

+ 1 and q = 2q

+ 1 where p

and q

are also primes, a base g ∈ Z

Z^∗

with order v = p

q

, and a large integer u < v. The trusted authority then selects an odd integer e ∈ Z

v^∗

and computes the corresponding value d such that e · d = 1 mod v. The parameters d, p, q, p

, and q

are kept secret. The parameters e, N, g and u are made public.

When a user U

i

(whose identity description is D

i

) wants to join the system, he randomly selects his secret key s

i

∈ Z

u

and computes g

^sⁱ

mod N . Then he sends g

^sⁱ

mod N and D

i

to the trusted authority for requesting his public key. The trusted authority computes and publishes his public key as p

i

= g

^sⁱ^·ID⁻¹ⁱ ^·d

mod N , where ID

i

= f (D

i

).

After getting the public key, the user can verify the validity of his public key by checking whether the equation: p

^e_i^·IDⁱ

= g

^sⁱ

mod N holds.

Besides, there exists a group authority (whose identity description is GD) for setting up the group signature scheme. Similarly, the group authority randomly selects his secret key x ∈ Z

u

and computes g

^x

mod N , then sends g

^x

mod N and GD to the trusted authority for requesting his public key. The trusted authority computes and publishes his public key as y = g

^x^·GID⁻¹

mod N , where GID = f (GD). The group authority can verify the validity of his public key by checking whether the equation: y

^GID

= g

^x

mod N holds. The trusted authority also computes another secret key for the group authority as s

G

= g

^−x·d

mod N and sends it to the group authority secretly.

Group Creation Phase. The responsibility of the group authority is to create a group such that each member in this group can sign a message on behalf the group. Therefore, for each group member U

i

with identity ID

i

, the group authority computes x

i

= p

^ID_i ⁱ^·x

· s

G

mod N (= g

^sⁱ^·d·x

· g

^−x·d

mod N ) as another secret key of U

i

. The secret key x

i

is transmitted to the group member U

i

secretly. The group member U

i

can verify the validity of the secret key by checking whether the equation: x

^e_i

= y

^GID^·sⁱ

· y

^−GID

mod N holds.

2.1.2. Group Signature and Verification Stage

When a group member U

i

wants to sign a message M on behalf of the group, he first

chooses three random integers r

1

, r

2

, and r

3

in Z

u

. Then the group signature parameters

{A, B, C, D, E} are computed as follows.

(4)

A = r

1

· s

i

, B = r

₂^−e·A

mod N , C =

y

^GID^·A

r3

mod N , D = s

i

· h

M A B C

+ r

3

· C, E = x

i

· r

2^h(M^ABCD)

mod N , where ‘ | |’ denotes concatenation.

Thus the 6-tuple {M, A, B, C, D, E} is a valid group signature.

Upon receiving the group signature {M, A, B, C, D, E}, anyone (verifier) can verify the validity of the signature by checking whether the following congruence holds:

y

^GID^·A

D

=

E

^e^·A

· B

^h(M^ABCD)

· y

^GID^·A

h(MABC)

· C

^C

mod N.

2.1.3. User Identification Stage

In the case of a later dispute, the group signature may be “opened” such that the identity of the signer is revealed. Because the group authority knows all of secret keys xi of the group members, for i = 1, 2, ..., k, where k is the number of the group members, the identity of the signer can be found by the equation

(x

i

)

^e^·A

· B

−h(MABCD)

= E

^e^·A

mod N.

If the equation holds, then xi is the secret key of the signer. In order to convince others, the group authority randomly selects an integer r in Z

u

, and computes

R = ((p

^ID_i ⁱ^·e

· g

⁻¹

)

^A

)

^r

mod N,

S = r + h(R M A B C D) · x.

Then the group authority publishes the identification information (R, S) and the user’s identity ID

i

. Upon receiving the information from the group authority, anyone can identity the identity ID

i

of the signer for the group signature {M, A, B, C, D, E} by checking whether the following equation holds:

R ·

E

^e^·A

· B

^h(M^ABCD)

h(RMABCD)

=

p

^ID_i ⁱ

· g

⁻¹

S·A

mod N.

2.2. ID-Based Group Signature Scheme

2.2.1. System Setup Stage

System Initialization Phase. For setting up the system, the trusted authority selects two

large primes p

1

(≡ 3mod8) and p

2

(≡ 7mod8) such that both (p

1

− 1)/2 and (p

2

− 1)/2

are odd and relatively prime. Note that with the above limitations for p

1

and p

2

, it is fea-

sible for the trusted authority to find the discrete logarithms for p

1

and p

2

(Lim and Lee,

1992; Maurer and Yacobi, 1992; Maurer and Yacobi, 1996). Let N = p

1

p

2

. The trusted

authority also selects two integers e and t in Z

_{φ(N )}^∗

and computes the corresponding val-

ues d and v which satisfies

(5)

ed ≡ 1(modφ(N)), vt ≡ 1(modφ(N)),

but keeps t, d, and v in secret and publishes e. Let g be a primitive element in Z

_N^∗

. Then the trusted authority computes a public value

F = g

^v

modN ,

where v ≡ t

⁻¹

(modφ(N )).

When a user U

i

(with identity information D

i

) wants to join the group, the trusted authority computes:

s

i

= et log

_g

ID

i

mod φ(N ), where

ID

i

=

D

i

mod N if D

i

/N ) = 1 2D

i

mod N if(D

i

/N ) = −1

.

Finally, the trusted authority sends s

i

to the user U

i

secretly.

Group Creation Phase. Let GA be a group authority with secret key x and computes the corresponding public key y = F

^x

modN . For each group member U

i

(with identity information ID

i

), the group authority computes:

x

i

= ID

_i^x

mod N .

Then, GA sends x

i

to the user U

i

secretly.

From the above phases, the system parameters are summarized as follows:

1. The secret values of the trusted authority are (p

1

; p

2

; d; v; t; x).

2. The public values of the trusted authority are (N ; e; g; F ; y).

3. The secret key of the group authority is x.

4. The public key of the group authority is y.

5. The secret key of the user U

i

is the pair (s

i

, x

i

).

6. The public key of the user U

i

is ID

i

.

2.2.2. Group Signature and Verification Stage

When a group member U

i

wants to sign a message M on behalf of the group, he first chooses two random integers r

1

, r

2

in Z

_N^∗

. Then the group signature (A, B, C, D) for the message M is computed as follows.

A = y

^r¹

mod N , B = y

^r²^·e

mod N ,

C = s

i

+ r

1

· h (M A B) + r

2

· e, D = x

i

· y

^r²·h(MABC)

mod N ,

where ‘ ’ denotes concatenation and h() is a one-way hash function.

Upon receiving the group signature (A, B, C, D) on the message M , anyone (verifier) can verify the validity of the group signature by checking whether the following congruence holds:

D

^e

· A

^h(M^AB)

= y

^C

· B

^h(M^ABC)

mod N .

(6)

2.2.3. User Identification Stage

In case of a dispute, the group authority can open the group signature in order to know who indeed signs the group signature by finding ID

i

satisfying the following equation:

(ID

i

)

^x^·e

= D

^e

· B

−h(MABC)

mod N

for i = 1 . . . k, where k is the number of the group numbers.

In order to convince other verifiers that the user U

i

with identity ID

i

is indeed the signer, the group authority randomly selects an integer r in Z

_N^∗

, and computes

R = (ID

i

)

^r^·e

mod N ,

S = r + h(M A B R) · x.

Then the group authority publishes the identification information (R, S) and the user’s identity ID

i

. Upon receiving the announcement from the authority, the verifier may iden- tify the identity ID

i

of the signer for the group signature (A, B, C, D) by checking the following equation

(ID

i

)

^S^·e

= R ·

y

^C

· A

^−h(MAB)

· B

⁻¹

h(MABR)

mod N.

If the above equation holds, the user with the identity ID

i

is identified.

3. Review of Linkability of Tseng and Jan’s Self-Certified Group Signature Scheme

One of the main properties of group signatures is allowing the group members to anonymously sign on behalf of the group. This property is called unlinkability. I. e., two valid different group signatures are unlinkable if no one (but the group authority) can decide whether these two signatures were generated by the same group member or not.

In this following, we review Sun et al.’s attack (Sun et al., 1999) that Tseng and Jan’s self-certified scheme is linkable, i.e., given two group signatures, it can be easily decided if both signatures are generated by the same group member.

Without loss of generality, we assume that {M, A, B, C, D, E} and {M

, A

, B

, C

, D

, E

} are two valid group signatures. If the same group member U

i

generates these two group signatures, then from the signature generation stage we know:

B

^A⁻¹·h(MABCD)

= r

−e·h(MABCD)

2

mod N, (1)

E

^e

= x

^e_i

· r

^e·h(MABCD)

2

mod N, (2)

(B

)

^(A⁾⁻¹^·h(M^A^B^C^D⁾

= (r

2

)

^−e·h(M^A^B^C^D⁾

mod N, (3) (E

)

^e

= x

^e_i

· (r

2

)

^e^·h(M^A^B^C^D⁾

mod N. (4) Let (1) multiply (2), we obtain:

B

^A⁻¹·h(MABCD)

· E

^e

= x

^e_i

mod N. (5)

(7)

Similarly, let (3) multiply (4), we obtain:

(B

)

^(A⁾⁻¹^·h(M^A^B^C^D⁾

· (E

)

^e

= x

^e_i

mod N. (6) From (5) and (6), we know:

B

^A⁻¹·h(MABCD)

· E

^e

= (B

)

^(A⁾⁻¹^·h(M^A^B^C^D⁾

· (E

)

^e

mod N. (7)

Thus the proposed group signature scheme is linkable by checking whether (7) holds (note that e is public). That is, if (7) holds, then these two group signatures come from the same signer, and vice verse.

4. Comment and Repair of Sun, Chen and Hwang’s Attack

4.1. Comments on the Linking Equation

In fact, the linking equation (7) cannot work because both A

⁻¹

mod φ(N ) and (A

)

⁻¹

mod φ(N ) are unknown to any verifier due to the difficulty of factoring N . This is similar to the inverse problem of RSA that one who knows the public exponent is infeasible to compute the secret exponent.

4.2. A Repaired Linking Equation

We need only raise AA

to two sides of the linking (7). Thus we can obtain the following linking equation:

B

^A⁻¹·h(MABCD)

· E

^A(A^)e

= (B

)

^(A⁾⁻¹^·h(M^A^B^C^D⁾

· (E

)

^A(A^)e

mod N. (8)

This linking equation (8) is feasible because the inverse problem of RSA no longer exists in this equation.

5. Linkability of Tseng and Jan’s ID-Based Group Signature Scheme

In this following, we apply the model of Sun, Chen and Hwang’s attack to show that Tseng and Jan’s ID-based scheme is still linkable because given two valid group signatures, it can be easily decided if the same group member generates both signatures.

We assume that (A, B, C, D) and (A

, B

, C

, D

) are two valid group signatures.

From the signature generation stage we know:

B

^h(M^ABC)

= y

^r²·h(MABC)

mod N, (9)

D

^e

= x

^e_i

· y

^r²·e·h(MABC)

mod N, (10)

(8)

(B

)

^h(M^A^B^C⁾

= y

^r²^·h(M^A^B^C⁾

mod N, (11) (D

)

^e

= (x

_i

)

^e

· y

^r²^·e·h(M^A^B^C⁾

mod N. (12) From (9) and (1)0, we obtain:

B

^h(M^ABC)

· x

^ei

= D

^e

mod N. (13)

Similarly, from (11) and (12), we obtain:

(B

)

^h(M^A^B^C⁾

· (x

i

)

^e

= (D

)

^e

mod N. (14) From (13) and (14), we know:

B

^h(M^ABC)

· (D

)

^e

· x

^ei

= (B

)

^h(M^A^B^C⁾

· D

^e

· (x

i

)

^e

mod N. (15)

If these two group signatures are generated by the same group member, then x

i

is equal to x

_i

. So, in this case, (15) can be reduced into:

B

^h(M^ABC)

· (D

)

^e

= (B

)

^h(M^A^B^C⁾

· D

^e

mod N. (16)

Since no secret parameter is included in (16), we can check whether (16) holds or not. If (16) holds, then these two group signatures come from the same signer. If (16) doesn’t hold, then these two group signatures come from different group members. So, Tseng and Jan’s group signature scheme is linkable. In the following, we give an example to illustrate the point about the linkability.

Example. Let p

= 3, q

= 5, p = 2p

+ 1 = 7, q = 2q

+ 1 = 11, N = pq = 77, e = 7, d = 13, ed ≡ 1 mod p

q

. Two group signatures (A, B, C, D) = (3, 2, 5, 2), (A

, B

, C

, D

) = (11, 13, 7, 3). Let h(M A B C) = 2, h(M

A

B

C

) = 1. We can find B

^h(M^ABC)

· (D

)

^e

mod N = 2

²

· 3

⁷

mod 77 = 47, and (B

)

^h(M^A^B^C⁾

· D

^e

mod N = 13

¹

· 2

⁷

mod 77 = 47. By (16), we can decide that these two group signatures come from the same signer.

6. Conclusions

In this paper, we first point out that the proposed linking equation, which is used to check

the linkability of Tseng and Jan’s self-certified scheme, cannot work because the inverse

problem of RSA is hard. A repaired linking equation is consequently proposed to fix this

problem. Then, we show that Tseng and Jan’s ID-based scheme still suffers from the

weakness of linkability.

(9)

References

Camenisch, J. (1997). Efficient and generalized group signatures. Advances in Cryptology EUROCRYPT ’97, LNCS, 1233, 465–479.

Camenisch, J., and M. Michels (1998). A group signature scheme based on an RSA variant. BRICS report, preliminary version in Advances in Cryptology – ASIACRYPT ’98, LNCS, 1514, 160–174.

Camenisch, J., and M. Stadler (1997). Efficient group signature schemes for large groups. Advances in Cryp- tology – CRYPTO ’97, LNCS, 1296, 410–424.

Chaum, D., and E. van Heyst (1993). Group signatures. Advances in Cryptology – EUROCRYPT’91, LNCS, 547, 257–265.

Chen, L., and T.P. Pedersen (1995). New group signature schemes. In Advances in Cryptology – EURO- CRYPT’94. pp. 163–173.

Joye, M., N.Y. Lee and T. Hwang (1999a). On the security of the Lee–Chang group signature scheme and its derivatives, Information Security Workshop.

Joye, M., S. Kim and N.Y. Lee (1999b). Cryptanalysis of two group signature schemes. In M. Mambo and Y. Zheng (Eds.), Information Security, Lecture Notes in Computer Science, Vol. 1729. pp. 271–275.

Lee, W.B., and C.C. Chang (1998). Efficient group signature scheme based on the discrete logarithm. In IEE Proc. Comput. Digit. Tech., 145(1). pp. 15–18.

Lim, W.B., and P.J. Lee (1992). Modified Maurer–Yacobi’s scaeme and its application. In Proc. AUSCRYPT’91.

pp. 308–323.

Mao, W., and C.H. Lim (1998). Cryptanalysis in prime order subgroups of Zn. Advances in Cryptology – ASIACRYPT’98, LNCS, 1514, 214–226.

Maurer, U.M., and Y. Yacobi (1992). Non-interactive public-key Cryptography. In Proc. EUROCRYPT’91. pp.

498–507.

Maurer, U.M., and Y. Yacobi (1996). A non-interactive public-key distribution system. Designs, Codes and Cryptography, 9, 305–316.

Ohta, K., and E. Okamoto (1988). Practical extension of Fiat–Shamir scheme. Electronics Letters, 24(15), 955–

956.

Petersen, H. (1998). How to convert any digital signature scheme into a group signature. Security Protocols Workshop, LNCS, 1361.

Park, S., S. Kim and D. Won (1997). ID-based group signature. Electronics Letters, 33(19), 1616–1617.

Saeednia, S. (1997). Identity-based and self-certified key-exchange protocols. In Proc. Information Security and Privacy, Second Australasian Conf., Sydney, Australia. pp. 303–313.

Sun, H.M. (1999). Comments on improved group signature scheme based on the discrete logarithm. IEE Elec- tronics Letters, 35(16), 1323–1324.

Sun, H.M., B.J. Chen and T. Hwang (1999). Cryptanalysis of group signature scheme using self-certified public keys. Electronics Letters, 35(22), 1938–1939.

Tseng, Y.M., and J.K. Jan (1999a). Improved group signature scheme based on the discrete logarithm. Elec- tronics Letters, 35(1), 37–38.

Tseng, Y.M., and J.K. Jan (1999b). A group signature scheme using self-certified public keys. In Proc. of the Ninth National Conference on Information Security. pp. 165–172.

Tseng, Y.M., and J.K. Jan (1999c). A novel ID-based group signature. Information Sciences, 120, 131–141.

Wu, T.C., Y.S. Chang and T.Y. Lin (1998). Improvement of Saeednia’s self-certified key exchange protocols.

Electronics Letters, 34(11), 1094–1095.

(10)

H.-M. Sun received his B.S. degree in applied mathematics from National Chung–Hsing University in 1988, his M.S. degree in applied mathematics from National Cheng Kung University in 1990, and his Ph.D. degree in computer science and information engineering from National Chiao–Tung University in 1995, respectively. He was an associate professor with the Department of Information Management, Chaoyang University of Technology from 1995 to 1999, and the Department of Computer Science and Infor- mation Engineering, National Cheng Kung University from 1999 to 2002. Currently he is an associate professor with the Department of Computer Science, National Tsing Hua University. He has published over seventy papers. He was the program chair of 2001 National Information Security Conference and the program committee member of 1997 Information Security Conference, 2000 Workshop on Internet and Distributed Systems, Workshop on the 21st Century Digital Life and Internet Technologies, 1998 and 1999 Na- tional Conference on Information Security. His research interests include cryptography, information theory, network security, image compression.

H.-T. Yeh was born in Tainan, Taiwan, in 1965. He received his B.S. degree in Infor- mation Science from Soochow University in 1989 and M.S. degrees in Computer Sci- ence and Information Engineering from Nation Taiwan University in 1996. Now, he is currently pursuing his Ph.D. degree in Institute of Computer Science and Information Engineering, National Cheng Kung University, Tainan, Taiwan.

T. Hwang was born in Tainan, Taiwan ROC in March, 1958. He received his undergrad- uate education from National Cheng Kung University, Taiwan ROC in 1980 and the M.S.

and Ph.D. degrees in Computer Science from the University of Southwestern Louisiana USA in 1988. He is presently a professor of the Department of Information Engineering, National Cheng Kung University, Taiwan ROC. His research interests include cryptology, network security and coding theory. Dr. Hwang is a member of IEEE and also a member of International Association for Cryptographic Research.

Apie kai kuri u grup˙es paraš

u atskiriamum

a

Hung-Min SUN, Her-Tyan YEH, Tzonelih HWANG

Grup˙es parašas yra skaitmeninis parašas, kuris leidžia grup˙es nariui pasirašyti pranešimus ano-

nimiškai grup˙es vardu. Neseniai Tseng ir Jan pasi¯ul˙e du grup˙es parašo metodus, pagr istus serti-

fikatais ir vartotojo tapatybe nustatanˇciais viešaisiais raktais. Taˇciau Joye et al. irod˙e, jog šie du

metodai yra nesaug¯us klastojimui. V˙eliau Sun et al. parod˙e, kad Tseng ir Jan sertifikuotas grup˙es

parašas yra atskiriamas. Šiame straipsnyje parodoma, kad si¯uloma atskyrimo lygtis, kuri yra naudo-

jama patikrinti Tseng ir Jan sertifikavimo metod a, negali veikti, kadangi atvirkštin˙e RSA problema

yra sud˙etinga. Šiai problemai spr esti si¯uloma pataisyta atskiriamumo lygtis. Tuomet parodoma, kad

Tseng ir Jan vartotojo tapatybe pagr istas metodas yra atskiriamas, kadangi, turint bet kuriuos du

galiojanˇcius grup˙es parašus, lengva nuspr esti, ar šie parašai yra sukurti to paties grup˙es nario, ar

ne.