In this letter, we show that structured ElGamal-type multisignature scheme due to Burmester et al. is not secure if the adversary attacks key generation

Kefei Chen

Zheng Dong

Cryptology ePrint Archive

Cover  An attack on a multisignature scheme Zheng Dong, Kefei Chen  Department of Computer Science and Engineering Shanghai Jiaotong University Shanghai 200030, China {zheng-dong,chen-kf}@cs.sjtu.edu.cn  In this letter, we show that structured ElGamal-type multisignature scheme due to Burmester et al. is not secure if the adversary attacks key generation.  Keywords:  cryptanalysis, multisignature, authentication An attack on a multisignature scheme Zheng Dong, Kefei Chen  In this letter, we show that structured ElGamal-type multisignature scheme due to Burmester et al .is not secure if the adversary attacks key generation.   Introduction: Multisignature scheme realizes that plural users generate the signature on a message, and that the signature is verified. Recently, Burmester et al.[1] presented a structured ElGamal-type scheme (Burmester et al.’s scheme), which is based on discrete logarithm problem (DLP). This letter shows that the Burmester et al.’s scheme is not secure if the adversary attacks key generation. In the following, the brief review of Burmester et al.’s scheme is given, and then an attack is proposed.   Brief review of Burmester et al.’s scheme We assume that n signers I1 , I2 ,…In generate a signature on a fixed message M according to order fixed beforehand. Key generation: In their scheme, there are three public system parameters. The parameter p and q are two large prime numbers, qp > , the parameter *pZg ∈  is an element with order q. h( ) is a public hash function. Each user selects his private key *qi Za ∈ , then computes his public key sequentially as follows: )(mod11 pgya= , )(mod)( 1 pgyy iaii ⋅= − , then a public key of ordered group (I1 , I2 ,…In ) is set to nyy = .  Signature generation: (1) Generation of r: signer I1 , I2 ,…In generate r together as follows: 1. Player I1 selects *1 qZk ∈  randomly and computes pgrk mod11 = . If 1),gcd( 1 ≠qr , then select new 1k again. 2. For },...,2{ ni∈ , a signer Ii-1 sends 1−ir to iI . And iI selects *qi Zk ∈ randomly and computes )(mod1 pgrr iikaii ⋅= − . If 1),gcd( ≠qri , then select new ik again. 3. nrr =  (2) Generation of s: Signer I1, I2 ,…In generate s together as follows: 1. I1 computes qMrhrkas mod),(111 ⋅⋅+=  2. For },...,2{ ni∈ ; Ii-1 sends 1−is to Ii. Ii verifies that prygMrhriisi mod),(11?1 ⋅−−=− , then computes qMrhrkass iiii mod),()1( 1 ⋅⋅++= −  3. nss =  (3) The multisignature on M by order (I1, I2,…In ) is given by (r, s).  Signature verification: A multisignature (r, s) on M is verified by pryg Mrhris mod),(1?⋅−= . If the adversary attacks key generation, the above scheme is not secure at all. Our attack Key generation is the same as Burmester et al.’s scheme but that player Ij is bad and generates his public key by choosing a secret key *qj Za ∈ and setting )(mod pgy jaj = . The key of ordered group (I1, I2, …, In ) is set to nyy =  In this case, The multisignature (r, s) on M can be generate without I1 ,…, Ij-1 signing it:  (1) Generation of r: 1. Player Ij selects *qj Zk ∈  randomly and computes pgr jkj mod= . If 1),gcd( ≠qr , then select new jk again. 2. for },...,1{ nji +∈ , a signer Ii-1 sends 1−ir to iI . And iI selects *qi Zk ∈ randomly and computes )(mod1 pgrr iikaii ⋅= − . If 1),gcd( ≠qri , then select new ik again. 3. nrr =  (2) Generation of s: signer I1 , I2 ,…In generate s as follows:  1. Ij computes qMrhrkas jjj mod),(⋅⋅+=  2. for },...,1{ nji +∈ , Ii-1 sends 1−is to Ii. Ii verifies that prygMrhriisi mod),(11?1 ⋅−−=− , then computes qMrhrkass iiii mod),()1( 1 ⋅⋅++= −  3. nss =  The bad multisignature on M is (r, s) Verification: The following equation is still hold       pryg Mrhrs mod),(⋅⋅=  The above attack shows that Ij can cheat Ij+1, …, In to sign any message M without knowing I1,…, Ij-1 not signing it. Especially, when nj = , player Ij can sign any message M it wants on behalf of the entire group {I1, I2,…,In }. Conclusion:  we have presented an attack on Burmester et al.’s scheme, the attack shows that Burmester et al.’ scheme is insecure against attacks on key generation. It is possible to modify the Burmester et al.’s scheme by requiring that each player Ii to provide a zero-knowledge proof of knowledge (ZKPoK) of the discrete log of 1−ii yy in base g.  Acknowledgment: This work was partially supported by NSFC under grants 90104005, 60173032 and 60273049.   References [1] M. Burmester, Yvo Desmedt, Hiroshi Doi, Masahiro Mambo, Eiji Okamoto, Mitsure Tada, and Y. Yoshifuji, “a structured ElGamal-Type multisignature scheme”, Advances in Cryptology-Proceedings of PKC’2000, Lecture notes in computer science,(2000), Spfinger-Verlag, 466-482.  Authors’ affiliations: Zheng Dong, Kefei Chen (Department of Computer Science and Engineering, Shanghai Jiaotong University, 1954 Hua Shan Road, Shanghai 200030, People’s Republic of China) Email: {zheng-dong, chen-kf }@cs.sjtu.edu.cn  

an attack on a multisignature scheme

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive