Presentation is loading. Please wait.

Presentation is loading. Please wait.

Author : Guilin Wang Source : Information Processing Letters

Published byAnna Robertson Modified over 6 years ago

Similar presentations

Presentation on theme: "Author : Guilin Wang Source : Information Processing Letters"— Presentation transcript:

1 Universal forgery on a group signature scheme using self-certified public keys
Author : Guilin Wang Source : Information Processing Letters Vol. 89 , 2004 , pp Speaker : Pay-Chai Chang (張培才)

2 Outline Introduction Tseng-Jan scheme review
Ateniese, Joye and Tsudik attack The Attack Conclusions

3 Introduction (1/1) Group signatures
A secure group signature scheme must satisfy the following properties : (1) Unforgeability (2) Anonymity (3) Unlinkability (4) Exculpability (5) Traceability (6) Coalition-resistance

4 Tseng-Jan scheme review(1/7)
The scheme involves four parties : TA (a trusted authority) GM (a group manager) Ui (group members) Verifiers

5 Tseng-Jan scheme review(2/7)
TA (1) n:= p q with p:= and q:= where p , q , , are all primes. (2) Selects an element of order v:= and satisfying ed = 1 mod v (3) Chooses a publicly known hash function and publishes public key ( n , e , g , ) secret key ( p , q , d )

6 Tseng-Jan scheme review(3/7)
GM with identity information GD wants to establish a group (1) chooses a secret key x (2) computes z:= gx mod n (3) sends z to the TA Then TA (1) evaluates GID := f (GD) (2) calculates y : = zGID-1 mod n , sG = z -d mod n (3) sends y and sG to GM

7 Tseng-Jan scheme review(4/7)
GM chooses a publicly known hash function h(·) and publishes public key ( y , h(·) ) secret key ( x , sG ) GM checks the validity of his key pair by sG e y -GID mod n A User Ui, with identity information Di, wants to join the group : (1) selects his secret key si

8 Tseng-Jan scheme review(5/7)
(2) computes zi = gsi mod n and sends zi to the TA (3) TA sends back pi := (zi) IDi-1·d mod n where IDi : = f (Di ) (4) Ui checks whether piIDi e zi mod n. If pi is correct, User Ui sends pi to GM (5) GM returns xi to Ui , xi : = piIDi ·x • sG mod n (6) Ui checks whether xie yGID • (si-1) mod n holds If the answer is yes, the Ui stores his membership certificate (si, xi)

9 Tseng-Jan scheme review(6/7)
User Ui signs a message m with his certificate ( si , xi ) Randomly selects three numbers r1 , r2 , r3 computes his signature (A , B , C , D , E) A : = r1si B : = r2-e A mod n C : = y GID • A • r3 mod n D : = si • h (m || A || B || C ) + r3C E : = xi • r2 h (m || A || B || C || D ) mod n To verify the validity of signature (A, B, C, D, E) on message m, a verifier checks whether yGID • A • D (EeA B h (m || A || B || C || D ) yGID • A) h (m || A || B || C) •Cc mod n

10 Tseng-Jan scheme review(7/7)
(4) In case of disputes, the group manager’s checking: (xi) eA B -h (m || A || B || C || D ) EeA mod n Verify the correctness (1) xi = piIDi • x • sG = (zi ) dx • sG = (gxd ) si • sG = sG -si+1 mod n (2) xi = sG -si+1 = ( yGID ) d(si – 1 ) mod n (3) ( EeA B h yGID • A ) h • C c = ( y GID • A (si – 1 ) • y GID • A ) h • y GID • A • r3C mod n = y GID • A (sih + r3C ) mod n = y GID • A • D mod n

11 Ateniese, Joye and Tsudik attack (1/2)
Assume that two colluding group members U1 and U2 have certificates (s1, x1) and (s2, x2) , respectively. Let c: = gcd (s1-1, s2-1) (the case of c=1) By using extended Euclidean algorithm, they can find , Z such that c = (s1-1) (s2-1) From xi = piIDi • x • sG = (zi ) dx • sG = (gxd ) si • sG = sG -si+1 mod n , they can find : sG c =

12 Ateniese, Joye and Tsudik attack (2/2)
(3) Choose a random number r, then define respectively : : = cr + 1 and : = (sG c) -r mod n ( , ) is a valid but illegal membership certificate = (sG c) -r = sG ( -cr-1 )+1 = sG -s+1 mod n

13 The attack (1/3) yGID • A • D (EeA B h (m || A || B || C || D ) yGID • A) h (m || A || B || C) •Cc mod n Choose four random numbers a1, a2, a3, A , then define: B : = ya1 mod n C : = ya2 mod n E : = ya3 mod n From verification equation, we get the condition for D : GID ·A ·D = [a3eA + a1 ·h(m||A||B||C ||D)] h(m||A||B||C ) GID ·A · h ( m||A||B||C ) + a2C mod v Let a3eA + a1 ·h(m||A||B||C ||D) = GID ·A ·D = GID ·A · h(m||A||B||C) + a2C

14 The attack (2/3) Summarize of attack
We choose two random numbers a1, a2 and re-define a1, a2 a1 : = a1eA a2 = a2 ·GID·A then D = h(m||A||B||C ) + a2C Z a3 = -a1 ·h(m||A||B||C ||D) Z Summarize of attack Select three random numbers a1, a2 and A Then define : B : = ya1 eA mod n C : = ya2·GID ·A mod n D : = h(m||A||B||C ) + a2C Z E : = y -a1 · h(m||A||B||C ) mod n

15 The attack (3/3) (3) Output (A, B, C, D, E) as group signature for message m Prove that the forgery is successful. ( EeA B h yGID • A ) h • C c = y -a1 heAh • y a1 eA hh • y GID • Ah • y a2 • GID • AC mod n = y GID • A ( h+ a2 C ) mod n = y GID • A • D mod n

16 Conclusions (1/1) ~ Thanks all ~
Tseng-Jan group signature scheme is insecure Anybody can forge a valid group signature on any message such that the group manager is unable to determine the identity of the signer Universally forgeable ~ Thanks all ~

Download ppt "Author : Guilin Wang Source : Information Processing Letters"

Similar presentations

1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Design and Security Analysis of Marked Blind Signature

Design and Security Analysis of Marked Blind Signature
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.

This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.
Efficient Group Signatures from Bilinear Pairing Author: Xiangguo Cheng, Huafei Zhu, Ying Qiu, and Xinmei Wang Presenter: 紀汶承.

Efficient Group Signatures from Bilinear Pairing Author: Xiangguo Cheng, Huafei Zhu, Ying Qiu, and Xinmei Wang Presenter: 紀汶承.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Computer and Information Security 期末報告 學號 92321501 姓名 莊玉麟.

Computer and Information Security 期末報告 學號 姓名 莊玉麟.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
A New Multi-Proxy Multi- Signature Scheme Source: National Computer Symposium, vol. F, Taiwan, pp. 19-26, 2001 Author: Shin-Jia Hwang and Chiu-Chin Chen.

A New Multi-Proxy Multi- Signature Scheme Source: National Computer Symposium, vol. F, Taiwan, pp , 2001 Author: Shin-Jia Hwang and Chiu-Chin Chen.
1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.

1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.
Identity Base Threshold Proxy Signature Jing Xu, Zhenfeng Zhang, and Dengguo Feng Form eprint Presented by 魏聲尊.

Identity Base Threshold Proxy Signature Jing Xu, Zhenfeng Zhang, and Dengguo Feng Form eprint Presented by 魏聲尊.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem No author given (Korea information security Agency) Presented by J.Liu.

Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem No author given (Korea information security Agency) Presented by J.Liu.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
By Jyh-haw Yeh Boise State University ICIKM 2013.

By Jyh-haw Yeh Boise State University ICIKM 2013.
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.

Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1.

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall

Similar presentations

Ads by Google