Untraceability of Wang-Fu Group Signature Scheme

Zhengjun Cao† Lihua Liu‡
† Center of Information Security, Academy of Mathematics and Systems Science,
Chinese Academy of Sciences, Beijing, P.R. China.
‡ Department of Mathematics, Shanghai Jiaotong University
Abstract Wang et al. recently proposed an improved edition based on Tseng-Jan group signature scheme [1]. In the paper, we show that the scheme is untraceable by a simple attack.
Keywords group signature scheme, full-anonymity, full-traceability.
1 Introduction
Group signatures, introduced by Chaum and Heyst [2], allow individual members to make signatures on behalf of the group. More formally, a secure group signature scheme must satisfy the following properties [6]:
• Unforgeability: Only group members are able to sign messages on behalf of the group.
• Anonymity: Given a valid signature of some message, identifying the actual signer is computationally hard for everyone but the group manager.
• Unlinkability: Deciding whether two different valid signatures were produced by the same group member is computationally hard.
• Exculpability: Neither a group member nor the group manager can sign on behalf of other group members.
• Traceability: The group manager is always able to open a valid signature and identify the actual signer.
• Coalition-resistance: A colluding subset of group members (even if comprised of the entire group) cannot generate a valid signature that the group manager cannot link to one of the colluding group members.
The anonymity and traceability of group signature schemes make them very useful in E-commerce activities [3,4].
Lee and Chang proposed a group signature in 1998 [5], but it has serious drawbacks. Hence, Tseng and Jan proposed two improved group signature schemes based on the Lee-Chang scheme. Regrettably, their schemes are all insecure, too. Z.C. Li et al. have presented several attacks on them [7,8,9,10,11,12,13]. Incidentally, we have given a new and simple attack in a script.
Recently, Wang and Fu proposed a new edition based on the Tseng-Jan scheme. In this paper, we show that the new edition is also insecure by a simple attack. It shows that the Wang-Fu group signature scheme is untraceable.
2 Wang-Fu group signature scheme
2.1 Setup
(1) Pick two large primes $p, q$ such that $q \mid (p-1)$; $g \in GF(p)$ is a generator of order $q$. Open $p, q, g$ as public parameters.
(2) Member $u_i$ randomly chooses secret key $x_i \in Z_q^*$, computes public key $y_i = g^{x_i} \pmod p$. Group manager $T$ randomly chooses secret key $x_T \in Z_q^*$, computes public key $y_T = g^{x_T} \pmod p$.
(3) Choose a secure hash function $h$.
2.2 Join
When $u_i$ joins the group, he executes as follows:
(1) $T$ randomly picks $k_i \in Z_q^*$, computes
$$r_i = g^{-k_i} y_i^{k_i} \pmod p, \qquad s_i = k_i - r_i x_T \pmod q,$$
sends $s_i, r_i$ to $u_i$ in secret, and keeps $(s_i, r_i, k_i)$ in record.
(2) After $u_i$ receives $(s_i, r_i)$, he verifies
$$g^{s_i} y_T^{r_i} r_i \stackrel{?}{=} \left(g^{s_i} y_T^{r_i}\right)^{x_i} \pmod p.$$
If it holds, $u_i$ accepts $(s_i, r_i)$.
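2.3 Sign
Given a message $m$, $u_i$ randomly chooses $a, b, d, t \in Z_q^*$, computes
$$\begin{aligned}
C &= r_i a - d \pmod q,\\
A &= y_i^{b} \pmod p,\\
D &= g^{b} \pmod p,\\
E &= r_i^{a}\left(1 + g^{-s_i a} y_T^{-r_i a}\right)^{x_i} \pmod p,\\
F &= y_T^{d} \pmod p,\\
B &= s_i a - b\,h(A,C,D,E,F) + b\,h(E,D,F) \pmod q,\\
\alpha_i &= \left[D^{h(E,D,F)} + g^{B} y_T^{C} F D^{h(A,C,D,E,F)}\right] \pmod p,\\
R &= \alpha_i^{t} \pmod p,\\
s &= t^{-1}\left[h(m,R) - x_i R\right] \pmod q.
\end{aligned}$$
The signature is $(s, R, A, B, C, D, E, F, m)$.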
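2.4 Verify
Verifier computes
$$\begin{aligned}
\alpha_i &= D^{h(E,D,F)} + g^{B} y_T^{C} F D^{h(A,C,D,E,F)} \pmod p,\\
\delta_i &= A^{h(E,D,F)}\left[\alpha_i D^{-h(E,D,F)} - 1\right] E \pmod p.
\end{aligned}$$
Check
$$\alpha_i^{h(m,R)} \stackrel{?}{=} \delta_i^{R} R^{s} \pmod p.$$
If it holds, then $(s, R, A, B, C, D, E, F, m)$ is a valid group signature.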
2.5 Open
Group manager $T$, who knows $(s_i, r_i, k_i)$ of member $u_i$ $(i = 1, 2, \cdots, n)$, computes
$$v_i = s_i^{-1} k_i \pmod q, \qquad \omega_i = g^{v_i} \pmod p$$
and checks
$$g^{B} y_T^{C} F D^{h(A,C,D,E,F)} = \omega_i^{B} D^{[h(A,C,D,E,F) v_i - h(E,D,F) v_i + h(E,D,F)]} \pmod p.$$
Therefore, he can reveal the signer of $(s, R, A, B, C, D, E, F, m)$.
2.6 Delete member
Omitted.
3 Untraceability
Recently, Bellare et al. have pointed out that full-anonymity and full-traceability are two basic requirements of group signature; one can refer to [6] or [14] for more details. Without question, it is an excellent explanation after the concept of group signature has been invented. But we find that the improved scheme is untraceable although it overcomes some drawbacks of the original scheme.
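Attack:
Given a message $m$, member $u_i$ randomly picks $a, b, d, t \in Z_q^*$, $\rho \in Z_q^*$, computes
$$\begin{aligned}
C &= r_i a - d \pmod q,\\
A &= y_i^{b} \pmod p,\\
D &= g^{b} \pmod p,\\
E &= r_i^{a}\left(1 + g^{-s_i a} y_T^{-r_i a}\right)^{x_i} \pmod p,\\
\hat{F} &= y_T^{d}\,\underline{g^{\rho}} \pmod p,\\
\hat{B} &= s_i a - b\,h(A,C,D,E,\hat{F}) + b\,h(E,D,\hat{F})\,\underline{-\rho} \pmod q,\\
\alpha_i &= \left[D^{h(E,D,\hat{F})} + g^{\hat{B}} y_T^{C} \hat{F} D^{h(A,C,D,E,\hat{F})}\right] \pmod p,\\
R &= \alpha_i^{t} \pmod p,\\
s &= t^{-1}\left[h(m,R) - x_i R\right] \pmod q.
\end{aligned}$$
The group signature is $(s, R, A, \hat{B}, C, D, E, \hat{F}, m)$.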
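Correctness: Since
$$\begin{aligned}
\alpha_i &= D^{h(E,D,\hat{F})} + g^{\hat{B}} y_T^{C} \hat{F} D^{h(A,C,D,E,\hat{F})}\\
&= g^{b h(E,D,\hat{F})} + g^{s_i a} g^{-b h(A,C,D,E,\hat{F})} g^{b h(E,D,\hat{F})} g^{-\rho} g^{x_T r_i a} g^{-x_T d} g^{x_T d} g^{\rho} g^{b h(A,C,D,E,\hat{F})}\\
&= g^{b h(E,D,\hat{F})}\left(1 + g^{s_i a} g^{x_T r_i a}\right) = g^{b h(E,D,\hat{F})}\left(1 + g^{k_i a}\right) \pmod p,\\
\delta_i &= A^{h(E,D,\hat{F})}\left[\alpha_i D^{-h(E,D,\hat{F})} - 1\right] E \pmod p,
\end{aligned}$$
we have
$$\begin{aligned}
\alpha_i^{h(m,R)} &= \alpha_i^{x_i R}\,\alpha_i^{t s} = \left[g^{b h(E,D,\hat{F}) x_i} g^{k_i a x_i}\left(1 + g^{-k_i a}\right)^{x_i}\right]^{R} R^{s}\\
&= \left[A^{h(E,D,\hat{F})} g^{k_i a} r_i^{a}\left(1 + g^{-s_i a} y_T^{-r_i a}\right)^{x_i}\right]^{R} R^{s}\\
&= \left[A^{h(E,D,\hat{F})}\left(\alpha_i g^{-b h(E,D,\hat{F})} - 1\right) r_i^{a}\left(1 + g^{-s_i a} y_T^{-r_i a}\right)^{x_i}\right]^{R} R^{s} = \delta_i^{R} R^{s} \pmod p.
\end{aligned}$$
But
$$g^{\hat{B}} y_T^{C} \hat{F} D^{h(A,C,D,E,\hat{F})} = g^{k_i a} g^{b h(E,D,\hat{F})} \pmod p,$$
$$\begin{aligned}
&\omega_i^{\hat{B}} D^{[h(A,C,D,E,\hat{F}) v_i - h(E,D,\hat{F}) v_i + h(E,D,\hat{F})]}\\
&\quad= \left(g^{s_i^{-1} k_i}\right)^{[s_i a - b h(A,C,D,E,\hat{F}) + b h(E,D,\hat{F}) - \rho]} g^{b h(A,C,D,E,\hat{F}) s_i^{-1} k_i} g^{-b h(E,D,\hat{F}) s_i^{-1} k_i} g^{b h(E,D,\hat{F})}\\
&\quad= g^{k_i a} g^{b h(E,D,\hat{F})} \omega_i^{-\rho} \pmod p,
\end{aligned}$$
$$g^{\hat{B}} y_T^{C} \hat{F} D^{h(A,C,D,E,\hat{F})} \neq \omega_i^{\hat{B}} D^{[h(A,C,D,E,\hat{F}) v_i - h(E,D,\hat{F}) v_i + h(E,D,\hat{F})]} \pmod p.$$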
It means that the scheme is untraceable. (The underlined parts show the differences between the attack and the original scheme.)
Remark The two attacks presented in [7] on the original Tseng-Jan group signature scheme also apply to the new edition. But our attack is simpler because it only needs to choose another random number ρ.
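The Sign, Verify and Open equations of Section 2 and the modified $\hat{B}, \hat{F}$ of Section 3, run end to end as an added example (not code from the paper or from the scheme's authors). Assumptions: toy parameters p = 2039, q = 1019, g = 4; SHA-256 reduced mod q standing in for h; and a is resampled until α_i lies in the order-q subgroup, so that the Verify identity holds in this small group. All function names are illustrative.

```python
import hashlib, random

# Toy parameters, assumed for illustration only: safe prime p = 2q + 1, g of order q.
p, q, g = 2039, 1019, 4

def rnd():                                    # random element of Z_q^*
    return random.randrange(1, q)

def h(*args):                                 # hash h of 2.1: SHA-256 reduced mod q (assumed)
    return int.from_bytes(hashlib.sha256(repr(args).encode()).digest(), "big") % q

def join(x_T, y_i):                           # manager side of 2.2: record (s_i, r_i, k_i)
    while True:
        k = rnd()
        r = pow(g, -k, p) * pow(y_i, k, p) % p
        s = (k - r * x_T) % q
        if s:                                 # Open needs s_i invertible mod q
            return s, r, k

def alpha_Z(A, B, C, D, E, F, y_T):           # alpha_i and Z = g^B y_T^C F D^{h(A,C,D,E,F)}
    Z = pow(g, B, p) * pow(y_T, C, p) * F * pow(D, h(A, C, D, E, F), p) % p
    return (pow(D, h(E, D, F), p) + Z) % p, Z

def sign(m, x_i, y_i, y_T, s_i, r_i, rho=0):  # 2.3; rho in Z_q^* gives the Section 3 variant
    gk = pow(g, s_i, p) * pow(y_T, r_i, p) % p            # equals g^{k_i}
    while True:
        a, b, d, t = rnd(), rnd(), rnd(), rnd()
        gka = pow(gk, a, p)
        if pow(1 + gka, q, p) == 1:           # assumption: keep alpha_i in the order-q subgroup
            break
    C, A, D = (r_i * a - d) % q, pow(y_i, b, p), pow(g, b, p)
    E = pow(r_i, a, p) * pow(1 + pow(gka, -1, p), x_i, p) % p
    F = pow(y_T, d, p) * pow(g, rho, p) % p
    B = (s_i * a - b * h(A, C, D, E, F) + b * h(E, D, F) - rho) % q
    R = pow(alpha_Z(A, B, C, D, E, F, y_T)[0], t, p)
    s = pow(t, -1, q) * (h(m, R) - x_i * R) % q
    return s, R, A, B, C, D, E, F, m

def verify(sig, y_T):                         # 2.4
    s, R, A, B, C, D, E, F, m = sig
    alpha, h2 = alpha_Z(A, B, C, D, E, F, y_T)[0], h(E, D, F)
    delta = pow(A, h2, p) * (alpha * pow(D, -h2, p) - 1) * E % p
    return pow(alpha, h(m, R), p) == pow(delta, R, p) * pow(R, s, p) % p

def opens_to(sig, y_T, record):               # 2.5 against one member's record (s_i, r_i, k_i)
    (s_i, _, k_i), (_, _, A, B, C, D, E, F, _) = record, sig
    v, h1, h2 = pow(s_i, -1, q) * k_i % q, h(A, C, D, E, F), h(E, D, F)
    rhs = pow(pow(g, v, p), B, p) * pow(D, (h1 * v - h2 * v + h2) % q, p) % p
    return alpha_Z(A, B, C, D, E, F, y_T)[1] == rhs
```

With `rho=0` the signature is that of the original scheme, and both `verify` and `opens_to` return True; with any `rho` in 1..q-1 the signature still verifies but `opens_to` returns False for the signer's own record, because the Open right-hand side picks up the factor $\omega_i^{-\rho}$.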
4 Conclusion
In the paper, we analyze the Wang-Fu group signature scheme, and show its untraceability by a simple attack. We hold that the structure of the Tseng-Jan group signature is too loose to withstand any attacks. Various editions of the scheme have been studied in [7,8,9,10,11,12,13]. It's easy to see that the scheme has no specialities whether in setup phase or in open phase. So, we think that it's not necessary to make any improvements of it.
References
[1] Xiaoming Wang, Fangwei Fu. A Secure Group Signature Scheme. Journal of Electronics and Information (in Chinese), 2003, Vol. 25, No. 5, pp. 657-663.
[2] D. Chaum, F. Heyst. Group Signatures. Proc. EUROCRYPT'91, 1992, pp. 257-265.
[3] G. Maitland and C. Boyd. Fair electronic cash based on a group signature scheme. In: Information Security and Cryptography (ICICS 2001), LNCS 2229, pp. 461-465, Springer-Verlag, 2001.
[4] S. Canard and J. Traore. On Fair E-cash Systems Based on Group Signature Schemes. In: Information Security and Privacy (ACISP'03), LNCS 2727, pp. 237-248. Berlin: Springer-Verlag, 2003.
[5] W. Lee, C. Chang. Efficient Group Signature Scheme Based on the Discrete Logarithm. IEE Pro. Comput. Digital Techniques, 1998, 145(1), pp. 15-18.
[6] M. Bellare, D. Micciancio, B. Warinschi. Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions. EUROCRYPT 2003, LNCS 2656, pp. 614-629, 2003.
[7] Guilin Wang. Security of Several Group Signature Schemes. eprint.iacr/2003/194.
[8] Z.C. Li, L.C.K. Hui, et al. Security of Tseng-Jan's Group Signature Schemes. Information Processing Letters, 2000, 75(5), 187-189.
[9] M. Joye, N-Y. Lee, and T. Hwang. On the security of the Lee-Chang group signature scheme and its derivatives. In: Information Security (ISW'99), LNCS 1729, pp. 47-51. Springer-Verlag, 1999.
[10] H. Sun. Comment: Improved group signature scheme based on discrete logarithm problem. Electronics Letters, 1999, 35(13): 1323-1324.
[11] Y.-M. Tseng and J.-K. Jan. Improved group signature scheme based on the discrete logarithm problem. Electronics Letters, 1999, 35(1): 37-38.
[12] Y.-M. Tseng and J.-K. Jan. Reply: improved group signature scheme based on discrete logarithm problem. Electronics Letters, 1999, 35(13): 1324-1325.
[13] Guilin Wang and Sihan Qing. Security Flaws in Several Group Signatures Proposed by Popescu. Cryptology ePrint archive, report 2003/207, Sep 2003. eprint.iacr/2003/207.
[14] Mihir Bellare and Haixia Shi and Chong Zhang. Foundations of Group Signatures: The Case of Dynamic Groups. eprint.iacr/2004/077.
