Universal forgery on a group signature scheme using self-certified public keys

Author : Guilin Wang
Source : Information Processing Letters
         Vol. 89 , 2004 , pp. 227-231
Speaker : Pay-Chai Chang (張培才)


             Outline
1. Introduction
2. Tseng-Jan scheme review
3. Ateniese, Joye and Tsudik attack
4. The Attack
5. Conclusions
   Introduction (1/1)
1. Group signatures
2. A secure group signature scheme must
   satisfy the following properties :
  (1) Unforgeability
  (2) Anonymity
  (3) Unlinkability
  (4) Exculpability
  (5) Traceability
  (6) Coalition-resistance
Tseng-Jan scheme review(1/7)
The scheme involves four parties :
• TA (a trusted authority)
• GM (a group manager)
• Ui (group members)
• Verifiers


Tseng-Jan scheme review(2/7)
TA (1) n:= p q with p:=2 p +1 and q:=2 q +1
       where p , q , p , q are all primes.
   (2) Selects an element   g   * of order v:= p  q 
                                  n

       and e, d  Z v satisfying ed = 1 mod v
                     *


   (3) Chooses a publicly known hash function f 
       and publishes
       public key ( n , e , g , f  )
       secret key ( p , q , d )
                                                     5
Tseng-Jan scheme review(3/7)
GM with identity information GD
   wants to establish a group
   (1) chooses a secret key x
   (2) computes $z := g^x \bmod n$
   (3) sends $z$ to the TA
Then TA
   (1) evaluates $\mathrm{GID} := f(\mathrm{GD})$
   (2) calculates $y := z^{\mathrm{GID}^{-1}} \bmod n$, $s_G := z^{-d} \bmod n$
   (3) sends $y$ and $s_G$ to GM
Tseng-Jan scheme review(4/7)
GM chooses a publicly known hash function h(·)
   and publishes
   public key $(y, h(\cdot))$
   secret key $(x, s_G)$
GM checks the validity of his key pair by
   $s_G^{e} \equiv y^{-\mathrm{GID}} \pmod{n}$

A user $U_i$, with identity information $D_i$, wants to
join the group:
   (1) selects his secret key $s_i$
Tseng-Jan scheme review(5/7)
 (2) computes $z_i = g^{s_i} \bmod n$ and sends $z_i$ to the TA
 (3) TA sends back $p_i := (z_i)^{\mathrm{ID}_i^{-1} \cdot d} \bmod n$,
     where $\mathrm{ID}_i := f(D_i)$
 (4) $U_i$ checks whether $p_i^{\mathrm{ID}_i \cdot e} \equiv z_i \pmod{n}$. If $p_i$ is
     correct, user $U_i$ sends $p_i$ to GM
 (5) GM returns $x_i$ to $U_i$, where $x_i := p_i^{\mathrm{ID}_i \cdot x} \cdot s_G \bmod n$
 (6) $U_i$ checks whether $x_i^{e} \equiv y^{\mathrm{GID} \cdot (s_i - 1)} \pmod{n}$ holds.
     If the answer is yes, then $U_i$ stores his
     membership certificate $(s_i, x_i)$
      Tseng-Jan scheme review(6/7)
User $U_i$ signs a message $m$ with his certificate $(s_i, x_i)$
(1) Randomly selects three numbers $r_1, r_2, r_3$
(2) Computes his signature $(A, B, C, D, E)$:
    $A := r_1 s_i$
    $B := r_2^{-eA} \bmod n$
    $C := y^{\mathrm{GID} \cdot A \cdot r_3} \bmod n$
    $D := s_i \cdot h(m \| A \| B \| C) + r_3 C$
    $E := x_i \cdot r_2^{h(m \| A \| B \| C \| D)} \bmod n$
(3) To verify the validity of signature $(A, B, C, D, E)$
    on message $m$, a verifier checks whether
    $y^{\mathrm{GID} \cdot A \cdot D} \equiv \left(E^{eA} B^{h(m \| A \| B \| C \| D)} y^{\mathrm{GID} \cdot A}\right)^{h(m \| A \| B \| C)} \cdot C^{C} \pmod{n}$
     Tseng-Jan scheme review(7/7)
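(4) In case of disputes, the group manager checks:

   $(x_i)^{eA} B^{-h(m \| A \| B \| C \| D)} \equiv E^{eA} \pmod{n}$

Verifying the correctness, writing $h$ for $h(m \| A \| B \| C)$ and $h'$ for $h(m \| A \| B \| C \| D)$:
(1) $x_i = p_i^{\mathrm{ID}_i \cdot x} \cdot s_G = (z_i)^{dx} \cdot s_G = (g^{xd})^{s_i} \cdot s_G = s_G^{-s_i+1} \bmod n$
(2) $x_i = s_G^{-s_i+1} = (y^{\mathrm{GID}})^{d(s_i - 1)} \bmod n$
(3) $E^{eA} B^{h'} = x_i^{eA} r_2^{eAh'} \cdot r_2^{-eAh'} = x_i^{eA} = y^{\mathrm{GID} \cdot A (s_i - 1)} \bmod n$

$\left(E^{eA} B^{h'} y^{\mathrm{GID} \cdot A}\right)^{h} \cdot C^{C}$
  $= \left(y^{\mathrm{GID} \cdot A (s_i - 1)} \cdot y^{\mathrm{GID} \cdot A}\right)^{h} \cdot y^{\mathrm{GID} \cdot A \cdot r_3 C} \bmod n$
  $= y^{\mathrm{GID} \cdot A (s_i h + r_3 C)} \bmod n = y^{\mathrm{GID} \cdot A \cdot D} \bmod n$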
  Ateniese, Joye and Tsudik attack (1/2)
Assume that two colluding group members U1 and U2
have certificates (s1, x1) and (s2, x2) , respectively.
Let c: = gcd (s1-1, s2-1) (the case of c=1)
(1) By using extended Euclidean algorithm, they can find
     ,   Z such that c =  (s1-1) +  (s2-1)

(2) From $x_i = p_i^{\mathrm{ID}_i \cdot x} \cdot s_G = (z_i)^{dx} \cdot s_G = (g^{xd})^{s_i} \cdot s_G = s_G^{-s_i+1} \bmod n$,
    they can find:
    sG c =      ( s1 1)   ( s2 1)             
             sG                        x1        x2       mod n
Ateniese, Joye and Tsudik attack (2/2)

(3) Choose a random number r, then define respectively :
     $s := cr + 1$ and $x := (s_G^{c})^{-r} \bmod n$

   $(s, x)$ is a valid but illegal membership certificate:
     $x = (s_G^{c})^{-r} = s_G^{(-cr-1)+1} = s_G^{-s+1} \bmod n$
                         The attack (1/3)
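$y^{\mathrm{GID} \cdot A \cdot D} \equiv \left(E^{eA} B^{h(m \| A \| B \| C \| D)} y^{\mathrm{GID} \cdot A}\right)^{h(m \| A \| B \| C)} \cdot C^{C} \pmod{n}$
(1) Choose four random numbers $a_1, a_2, a_3, A$, then define:
    $B := y^{a_1} \bmod n$,  $C := y^{a_2} \bmod n$,  $E := y^{a_3} \bmod n$
(2) From the verification equation, we get the condition for $D$:
    $\mathrm{GID} \cdot A \cdot D = [a_3 eA + a_1 \cdot h(m \| A \| B \| C \| D)] \cdot h(m \| A \| B \| C)$
                $+ \mathrm{GID} \cdot A \cdot h(m \| A \| B \| C) + a_2 C \bmod v$
(3) Let  $a_3 eA + a_1 \cdot h(m \| A \| B \| C \| D) = 0$
         $\mathrm{GID} \cdot A \cdot D = \mathrm{GID} \cdot A \cdot h(m \| A \| B \| C) + a_2 C$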
                   The attack (2/3)
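We choose two random numbers $a_1, a_2$ and re-define the exponents of $B$ and $C$,
   replacing $a_1$ by $a_1 eA$ and $a_2$ by $a_2 \cdot \mathrm{GID} \cdot A$; then
   $D = h(m \| A \| B \| C) + a_2 C \in \mathbb{Z}$
   $a_3 = -a_1 \cdot h(m \| A \| B \| C \| D) \in \mathbb{Z}$

Summary of the attack
(1) Select three random numbers $a_1$, $a_2$ and $A$
(2) Then define:
    $B := y^{a_1 eA} \bmod n$
    $C := y^{a_2 \cdot \mathrm{GID} \cdot A} \bmod n$
    $D := h(m \| A \| B \| C) + a_2 C \in \mathbb{Z}$
    $E := y^{-a_1 \cdot h(m \| A \| B \| C \| D)} \bmod n$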
               The attack (3/3)
(3) Output (A, B, C, D, E) as group signature for
    message m

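Proof that the forgery is successful, writing $h$ for $h(m \| A \| B \| C)$ and $h'$ for $h(m \| A \| B \| C \| D)$:
$\left(E^{eA} B^{h'} y^{\mathrm{GID} \cdot A}\right)^{h} \cdot C^{C}$
   $= y^{-a_1 h' eA h} \cdot y^{a_1 eA h' h} \cdot y^{\mathrm{GID} \cdot A \cdot h} \cdot y^{a_2 \cdot \mathrm{GID} \cdot A \cdot C} \bmod n$
   $= y^{\mathrm{GID} \cdot A (h + a_2 C)} \bmod n$
   $= y^{\mathrm{GID} \cdot A \cdot D} \bmod n$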
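
The forgery and the group manager's dispute check can be exercised end to end on toy parameters. The Python below is an added example, not code from the paper or the slides; the small primes, g = 4, the constant GID, SHA-256 with a repr-based encoding as h, and all function names are assumptions, and the member certificate is computed directly from the identity x_i = s_G^(-s_i+1) rather than through the join protocol.

```python
import hashlib, secrets
from math import gcd

# Constructed toy parameters; nothing here is a value from the paper.
P1, Q1 = 1019, 1031                      # p', q'
n, v = (2*P1 + 1) * (2*Q1 + 1), P1 * Q1  # n = pq, v = p'q'
e = 65537
d = pow(e, -1, v)                        # TA secret, ed = 1 mod v
g, GID = 4, 12345                        # g has order v; GID stands in for f(GD)
z = pow(g, secrets.randbelow(v - 1) + 1, n)   # z = g^x for GM secret x
y, s_G = pow(z, pow(GID, -1, v), n), pow(z, -d, n)

def H(*parts):                           # h(m || A || ...); repr() encoding is assumed
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def unit():                              # random element of Z_n^*
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def sign(m, s_i, x_i):                   # honest member's signing procedure
    r1, r2, r3 = unit(), unit(), unit()
    A = r1 * s_i
    B, C = pow(r2, -e * A, n), pow(y, GID * A * r3, n)
    D = s_i * H(m, A, B, C) + r3 * C
    return A, B, C, D, x_i * pow(r2, H(m, A, B, C, D), n) % n

def forge(m):                            # needs only the public y, n, e, GID
    a1, a2, A = unit(), unit(), unit()
    B, C = pow(y, a1 * e * A, n), pow(y, a2 * GID * A, n)
    D = H(m, A, B, C) + a2 * C           # plain integer, no reduction mod v
    return A, B, C, D, pow(y, -a1 * H(m, A, B, C, D), n)

def verify(m, sig):                      # public verification equation
    A, B, C, D, E = sig
    t = pow(E, e * A, n) * pow(B, H(m, A, B, C, D), n) * pow(y, GID * A, n) % n
    return pow(y, GID * A * D, n) == pow(t, H(m, A, B, C), n) * pow(C, C, n) % n

def opens_to(m, sig, x_i):               # GM's dispute check against one member
    A, B, C, D, E = sig
    return pow(x_i, e * A, n) * pow(B, -H(m, A, B, C, D), n) % n == pow(E, e * A, n)

s_1 = secrets.randbelow(v - 2) + 2       # member U_1's secret
x_1 = pow(s_G, 1 - s_1, n)               # certificate via x_i = s_G^(-s_i+1)
```

The forged tuple verifies because the two exponents of y are equal as integers, so the forger never needs v, d, x or any certificate, and the dispute check matches no member because E^{eA} B^{h'} collapses to 1.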

          Conclusions (1/1)
- Tseng-Jan group signature scheme is insecure

- Anybody can forge a valid group signature on
  any message such that the group manager is
  unable to determine the identity of the signer

- Universally forgeable



                ~ Thanks all ~