Information Processing Letters 70 (1999) 79–81
The security of two ID-based multisignature protocols for sequential and broadcasting architectures

Narn-Yih Lee a,∗, Tzonelih Hwang b, Chih-Hung Wang b

a Department of Applied Foreign Language, Nan-Tai Institute of Technology, Tainan, Taiwan, Republic of China
b Institute of Information Engineering, National Cheng-Kung University, Tainan, Taiwan, Republic of China
Received 1 September 1998 Communicated by S.G. Akl
Abstract

In 1996, Wu, Chou and Wu proposed two ID-based digital multisignature protocols whose security rests on the difficulty of the factorization problem. This paper shows that Wu–Chou–Wu's schemes are not secure enough by presenting two attacks on them. © 1999 Elsevier Science B.V. All rights reserved.

Keywords: Cryptography; ID-based system; Multisignature; Cryptanalysis
1. Introduction

Wu, Chou and Wu [1], in 1996, proposed two ID-based multisignature schemes based on Maurer–Yacobi's non-interactive public key cryptosystem [2]. One is suitable for the sequential architecture, and the other for the broadcasting architecture. Unfortunately, the original Maurer–Yacobi scheme has been broken by Maurer–Yacobi [3] and Lim–Lee [4], which implies that the same attack can be used to break Wu–Chou–Wu's ID-based multisignature schemes as well. Moreover, a new attack is presented to show that 'hackers' can forge the multisignatures of Wu–Chou–Wu's schemes. In the following section, we briefly review Wu–Chou–Wu's ID-based multisignature schemes. Then, Section 3 gives two attacks on their schemes. Finally, a concluding remark is given in Section 4.

∗ Corresponding author. Email: [email protected].
2. Wu–Chou–Wu's ID-based multisignature schemes

Two ID-based multisignature schemes were proposed by Wu, Chou and Wu [1]. Both schemes have the same system set-up stage and multisignature verification stage. The only difference between these two schemes is the multisignature generation stage.

⟨System set-up stage:⟩ There is a trusted authority (CA) in the system. CA is responsible for generating the system parameters and a secret key $s_i$ for each user $U_i$ in the system. CA proceeds with the following steps to assign the secret key $s_i$ to $U_i$.

Step 1: Choose a large number $N = P_1 P_2 P_3 P_4$, where $P_i$, $1 \le i \le 4$, are primes satisfying the condition that the $(P_i - 1)/2$ are odd and pairwise relatively prime. Besides, according to [2], the length of each $P_i$ should be chosen to be 60–70 digits such that computing discrete logarithms in $Z_N^*$ is feasible if and only if the factorization of $N$ is known.

Step 2: Choose two numbers $e$ and $d$ in $Z_N$ such that $ed \equiv 1 \pmod L$, where $L = \mathrm{lcm}(P_1 - 1, P_2 - 1, P_3 - 1, P_4 - 1)$.

Step 3: Choose an element $\alpha$ that is a primitive element of $GF(P_i)$ for every $i$, $1 \le i \le 4$, and compute $T = \alpha^{-d} \bmod N$.

Step 4: Choose a one-way hashing function $h(\cdot)$.

Step 5: For each user $U_i$ with the identity $ID_i$, compute the secret key $s_i$ such that
$$\alpha^{s_i} \equiv ID_i^2 \pmod N$$
(see [2] for details).

Step 6: Send $s_i$ to $U_i$ and publish the system parameters $N$, $e$, $T$ and $h(\cdot)$.

⟨Multisignature generation stage:⟩ Assume that $n$ users, $U_1, U_2, \ldots, U_n$, want to sign a document $D$ in the sequential approach. A document issuer sets $SG_0 = 1$ and sends $\{D, SG_0\}$ to the signer $U_1$. Each signer $U_i$ receiving $\{D, SG_{i-1}\}$ performs the following two steps.

Step 1: Compute $M_i = T^{s_i h(D)} \bmod N$ and $SG_i = SG_{i-1} \cdot M_i \bmod N$.

Step 2: Send $\{D, SG_i\}$ to the next signer $U_{i+1}$.

The multisignature of the document $D$ is $SG_n$, where
$$SG_n = \prod_{i=1}^{n} M_i = \prod_{i=1}^{n} T^{s_i h(D)} = T^{\sum_{i=1}^{n} s_i h(D)} \bmod N.$$

On the other hand, if $n$ users, $U_1, U_2, \ldots, U_n$, want to sign a document $D$ in the broadcasting approach, each signer $U_i$, $1 \le i \le n$, performs the following two steps.

Step 1: Compute $M_i = T^{s_i h(D)} \bmod N$.

Step 2: Send $M_i$ to a designated collector.

Upon receiving all $M_i$, $1 \le i \le n$, the designated collector computes the multisignature $SG_n$ of the document $D$ as
$$SG_n = \prod_{i=1}^{n} M_i = \prod_{i=1}^{n} T^{s_i h(D)} = T^{\sum_{i=1}^{n} s_i h(D)} \bmod N.$$

⟨Multisignature verification stage:⟩ The verifier verifies the validity of the multisignature $SG_n$ by checking whether the following equation holds:
$$SG_n^{\,e} \cdot \Bigl(\prod_{i=1}^{n} ID_i^2\Bigr)^{h(D)} \equiv 1 \pmod N.$$

3. Two attacks on Wu–Chou–Wu's schemes

The First Attack: The following attack on the Maurer–Yacobi scheme [2], on which the Wu–Chou–Wu schemes are based, was presented in [3,4]. Since $\alpha^{s_k} \equiv ID_k^2 \pmod N$, user $U_k$ can derive a square root modulo $N$ of the squared identity $ID_k^2$ by computing $\alpha^{s_k/2} \bmod N$ (note that $s_k$ is even). If for at least one of the prime factors $P_i$ of $N$, $\log_\alpha ID_k \bmod P_i < (P_i - 1)/2$, and for at least one other prime factor $P_j$ of $N$, $\log_\alpha ID_k \bmod P_j > (P_j - 1)/2$, then the obtained square root of $ID_k^2$ is different from both $ID_k$ and $-ID_k$, and thus allows user $U_k$ to find all or part of the prime factors of $N$ (by computing $\gcd(\alpha^{s_k/2} - ID_k, N)$). Consequently, $U_k$ has the chance to find the system secrets and reveal the secret keys of all users in the system.

The Second Attack: Assume that a hacker collects two multisignatures, $SG_{n1}$ and $SG_{n2}$, generated by the same group of $n$ signers, $U_1, U_2, \ldots, U_n$, on two documents $D_1$ and $D_2$, respectively. If the hash values $h(D_1)$ and $h(D_2)$ are relatively prime, the hacker can find two integers $a$ and $b$ such that
$$a\,h(D_1) + b\,h(D_2) = \gcd\bigl(h(D_1), h(D_2)\bigr) = 1$$
by the (extended) Euclidean algorithm [5,6]. The value $T^{\sum_{i=1}^{n} s_i}$ can be revealed by computing
$$(SG_{n1})^a \cdot (SG_{n2})^b = T^{a \sum_{i=1}^{n} s_i h(D_1)} \cdot T^{b \sum_{i=1}^{n} s_i h(D_2)} = T^{\sum_{i=1}^{n} s_i \,(a h(D_1) + b h(D_2))} = T^{\sum_{i=1}^{n} s_i} \bmod N.$$
Then, the hacker can easily forge the multisignature of any document $D'$ from these $n$ signers, $U_1, U_2, \ldots, U_n$, by computing
$$SG'_n = T^{\sum_{i=1}^{n} s_i h(D')} \bmod N.$$
Obviously, the validity of the multisignature $SG'_n$ can be checked by computing
$$SG'^{\,e}_n \cdot \Bigl(\prod_{i=1}^{n} ID_i^2\Bigr)^{h(D')} = T^{e \sum_{i=1}^{n} s_i h(D')} \cdot \Bigl(\prod_{i=1}^{n} \alpha^{s_i}\Bigr)^{h(D')} = \alpha^{-ed \sum_{i=1}^{n} s_i h(D')} \cdot \alpha^{\sum_{i=1}^{n} s_i h(D')} = \alpha^{-\sum_{i=1}^{n} s_i h(D') + \sum_{i=1}^{n} s_i h(D')} = \alpha^0 = 1 \pmod N,$$
where the third equality uses $ed \equiv 1 \pmod L$ and $\alpha^L \equiv 1 \pmod N$.
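As an added worked example that is not part of the original paper, the following Python program instantiates both schemes of Section 2 and both attacks of Section 3 on toy parameters chosen for this illustration: $N = 7 \cdot 11 \cdot 23 \cdot 47$ (so the $(P_i - 1)/2 = 3, 5, 11, 23$ are odd and pairwise coprime), $\alpha = 19$ (a primitive element modulo each $P_i$), $e = 7$, integer identities $2, 3, 5$ and SHA-256 as $h(\cdot)$. The CA computes $s_i$ as in Maurer–Yacobi, by taking discrete logarithms modulo each prime factor and combining them with the Chinese remainder theorem; the documents and identities are constructed, and the code needs Python 3.8 or later for `pow(x, -1, m)`. For identity 2 in this instance the square root $\alpha^{s_2/2}$ agrees with $ID$ modulo 11 and with $-ID$ modulo 7, 23 and 47, so the first attack yields the factor 11; the second attack searches a set of collected multisignatures for a pair with coprime hashes.

```python
"""Toy Wu-Chou-Wu ID-based multisignature (Section 2) and the two attacks of
Section 3.  All parameters are constructed for the example (a real system
uses 60-70 digit primes).  Needs Python >= 3.8 for pow(x, -1, m)."""
from hashlib import sha256
from math import gcd

PRIMES = (7, 11, 23, 47)            # (P_i-1)/2 = 3, 5, 11, 23: odd, pairwise coprime
N = 7 * 11 * 23 * 47                # 83237
L = 2 * 3 * 5 * 11 * 23             # lcm(P_i - 1) = 7590
ALPHA = 19                          # primitive element of every GF(P_i)
E = 7                               # gcd(E, L) == 1
D = pow(E, -1, L)                   # E*D == 1 (mod L)
T = pow(pow(ALPHA, D, N), -1, N)    # T = alpha^(-d) mod N

def h(doc: bytes) -> int:
    """The one-way hash h(.), instantiated with SHA-256 (an assumption)."""
    return int.from_bytes(sha256(doc).digest(), "big")

def dlog(base: int, target: int, p: int) -> int:
    """Brute-force discrete log mod a small prime (the CA knows the factors)."""
    return next(x for x in range(p - 1) if pow(base, x, p) == target % p)

def crt(residues, moduli) -> int:
    """Chinese remaindering for pairwise coprime moduli."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, n)) % n)
        m *= n
    return x % m

def ca_keygen(ident: int) -> int:
    """Step 5: the even s_i with alpha^s_i == ID_i^2 (mod N).  s_i/2 equals
    log_alpha(ID_i) mod each coprime (P_j-1)/2, so the CRT fixes it mod L/2."""
    assert gcd(ident, N) == 1, "identity must be a unit mod N"
    odd = [(p - 1) // 2 for p in PRIMES]
    s = 2 * crt([dlog(ALPHA, ident, p) % q for p, q in zip(PRIMES, odd)], odd)
    assert pow(ALPHA, s, N) == ident * ident % N
    return s

def multisign(doc: bytes, secrets) -> int:
    """SG_n = prod_i T^(s_i h(D)) mod N; the sequential running product and
    the broadcasting collector both arrive at this value."""
    sg = 1
    for s in secrets:
        sg = sg * pow(T, s * h(doc), N) % N       # M_i = T^(s_i h(D))
    return sg

def verify(doc: bytes, sg: int, idents) -> bool:
    """Verification stage: SG_n^e * (prod ID_i^2)^h(D) == 1 (mod N)."""
    prod_id2 = 1
    for ident in idents:
        prod_id2 = prod_id2 * ident * ident % N
    return pow(sg, E, N) * pow(prod_id2, h(doc), N) % N == 1

def factor_from_own_key(ident: int, s: int):
    """First attack: alpha^(s/2) is a square root of ID^2 mod N; when it is
    neither ID nor -ID, gcd(root -+ ID, N) is a proper factor.  Else None."""
    root = pow(ALPHA, s // 2, N)
    for cand in (root - ident, root + ident):
        g = gcd(cand % N, N)
        if 1 < g < N:
            return g
    return None

def egcd(a: int, b: int):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1, y0, y1 = x1, x0 - q * x1, y1, y0 - q * y1
    return a, x0, y0

def forge(collected: dict, target: bytes):
    """Second attack: `collected` maps documents to multisignatures of one
    signer group.  Two with coprime hashes reveal T^(sum s_i), and raising
    it to h(target) signs `target`.  None if no collected pair is coprime."""
    docs = list(collected)
    for i, d1 in enumerate(docs):
        for d2 in docs[i + 1:]:
            g, a, b = egcd(h(d1), h(d2))
            if g == 1:   # one of a, b is negative: pow() inverts mod N
                base = pow(collected[d1], a, N) * pow(collected[d2], b, N) % N
                return pow(base, h(target), N)
    return None

if __name__ == "__main__":
    ids = [2, 3, 5]                  # toy integer identities, coprime to N
    secrets = [ca_keygen(i) for i in ids]
    doc = b"pay 10 to Bob"
    print("genuine multisignature verifies:", verify(doc, multisign(doc, secrets), ids))
    print("factor of N from user 2's own key:", factor_from_own_key(2, secrets[0]))
    seen = {b"invoice %d" % i: multisign(b"invoice %d" % i, secrets) for i in range(8)}
    target = b"pay 1000000 to Mallory"
    forged = forge(seen, target)
    print("forged multisignature verifies:", forged is not None and verify(target, forged, ids))
```

Two points the code makes visible that the derivation alone does not: the forged value equals, bit for bit, the multisignature the honest signers would have produced on the target document, so no verifier can distinguish it; and the first attack needs nothing but the user's own $s_k$, because every square of a unit modulo $N$ is a power of $\alpha$ when the odd parts of the $P_i - 1$ are coprime, which is exactly the structure the key-generation step relies on.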
4. Conclusions

We have proposed two attacks on Wu–Chou–Wu's ID-based multisignature schemes. One is that a user can use his/her own secret key and identity to derive the system secrets and the secret keys of the other users.
The other is that a hacker can forge the multisignatures of Wu–Chou–Wu’s schemes on arbitrary documents. Both attacks show that Wu–Chou–Wu’s schemes are not secure enough.
Acknowledgement

This work was supported by the National Science Council of Republic of China under the contract number NSC88-2213-E218-001.

References

[1] T.C. Wu, S.L. Chou, T.S. Wu, Two ID-based multisignature protocols for sequential and broadcasting architectures, Comput. Comm. 19 (1996) 851–856.
[2] U.M. Maurer, Y. Yacobi, Non-interactive public key cryptography, in: EUROCRYPT'91, Springer, Berlin, 1991, pp. 498–507.
[3] U.M. Maurer, Y. Yacobi, A remark on a non-interactive public key distribution system, in: EUROCRYPT'92, Springer, Berlin, 1992, pp. 458–460.
[4] C.H. Lim, P.J. Lee, Modified Maurer–Yacobi's scheme and its application, in: AUSCRYPT'92, Springer, Berlin, 1992, pp. 308–323.
[5] J.H. Moore, Protocol failures in cryptosystems, Proc. IEEE 76 (5) (1988) 594–602.
[6] K.H. Rosen, Elementary Number Theory and Its Applications, 2nd edn, Addison-Wesley, Reading, MA, 1992, pp. 80–86.