

Available online at www.sciencedirect.com

Computer Standards & Interfaces 30 (2008) 121–123

www.elsevier.com/locate/csi

Forgery attacks on the ID-based multisignature scheme without reblocking and predetermined signing order

Kyung-Ah Shim

Department of Mathematics, Ewha Womans University, 11-1 Daehyun-dong, Seodaemun-gu, Seoul, 120-750, South Korea

Received 31 August 2006; received in revised form 16 April 2007; accepted 10 August 2007. Available online 29 August 2007.

Abstract

Recently, Chang et al. proposed an ID-based multisignature scheme based on RSA without reblocking and predetermined signing order. The scheme simplifies the public key certification process and overcomes the moduli clashes problem. In this paper, we show that the scheme is insecure against several forgery attacks.

© 2007 Published by Elsevier B.V.

Keywords: ID-based system; Digital signature; Multisignature scheme

1. Introduction

With the rapid growth of computer network technologies, more and more applications are developed to run over computer networks. Security is an important requirement for such applications. Specifically, authentication and integrity are critical to commercial applications. Digital signature is one of the most useful tools for meeting the security required in such applications. When a message has to be signed by several signers, as in an electronic contract, traditional signature schemes reach their limitations. The most popular digital signature scheme, RSA, cannot be directly applied to obtain a multisignature scheme. In this case, users $U_1, \ldots, U_k$ want to sign a contract so as to achieve authentication, integrity and non-repudiation properties. Let $d_i$ be the $i$th user's private key, and $e_i$ and $n_i = p_i \cdot q_i$ be the public key of this user, where $p_i$ and $q_i$ are two large prime numbers and $e_i \cdot d_i = 1 \bmod \phi(n_i)$. In order to generate the signature for this contract, the $i$th user must sign on the signature $S_{i-1}$ generated by the $(i-1)$th user. That is, the signature $S_i$ is defined as $S_i \equiv S_{i-1}^{d_i} \bmod n_i$, where $S_0$ is an original document. The computations are operated in modulus $n_i$. Unfortunately, this system is unlikely to work in practice because signers' moduli $n_i$ are likely to be different. In order to avoid having the message larger than the modulus, the message must be reblocked. This is called the moduli clashes problem [3,4,6]. To overcome the moduli clashes problem, an RSA-based multisignature scheme that predetermines the signing order according to the signers' moduli was proposed by Harn and Kiesler [2]. However, in reality, it is usually difficult to determine the signing order a priori because the signatories of a document are usually determined dynamically in real-world applications. Recently, Chang et al. [1] proposed an ID-based multisignature scheme based on RSA, which achieves the requirements of multisignature schemes described in [2–4,6], i.e., it requires neither reblocking of the signed message nor a predetermined order of signing. It also overcomes the moduli clashes problem and simplifies the public key certification process by using an ID-based infrastructure. In this paper, we show that the scheme is insecure against several forgery attacks.

E-mail address: [email protected].

0920-5489/$ - see front matter © 2007 Published by Elsevier B.V. doi:10.1016/j.csi.2007.08.014

The rest of this paper is organized as follows. In Section 2, we review Chang et al.'s ID-based multisignature scheme based on RSA. In Section 3, we present several forgery attacks on the scheme. A concluding remark is given in Section 4.

2. Review of Chang et al.'s ID-based multisignature scheme

In this section, we review Chang et al.'s ID-based multisignature scheme [1] based on RSA [7], i.e., its security depends on the intractability of the integer factorization problem. The scheme is composed of three types of participants: a Key Authentication Center (KAC) for generating the private keys for all authorized users, signers for generating the multisignatures, and a receiver for verifying the multisignatures. In addition, the scheme consists of four phases: the initial phase, the key generation phase, the signing phase and the verification phase. The phases are described as follows.

2.1. Initial phase

At the system set-up stage, the KAC randomly chooses two distinct large primes, $p$ and $q$. It then calculates $N$ such that $N = p \cdot q$ and chooses $E$ which is relatively prime to $\phi(N)$, i.e., $\gcd(\phi(N), E) = 1$ and $1 < E < \phi(N)$. Here, $\phi(N)$ is Euler's totient function of $N$, which is the number of positive integers less than $N$ and relatively prime to $N$, i.e., $\phi(N) = (p-1) \cdot (q-1)$. After that, $D$ is computed by using the Euclidean algorithm such that

$$E \cdot D = 1 \bmod \phi(N).$$

Finally, the KAC publishes $(N, E)$ as its public key, while keeping $(p, q, D)$ as secrets.

2.2. Key generation phase

A new user joins the system by sending its identity information to the KAC for registration as an authorized user in the system. The key generation phase involves the following steps:

1. Given the user's personal information, such as user name, social security number or something else, the KAC derives the unique identity information $ID_i$ for the user $U_i$ such that $ID_i \in \mathbb{Z}_N$, where $\mathbb{Z}_N$ is an integer ring.

2. The KAC generates a long-term private key $d_i$ for $U_i$ as follows:

$$d_i = ID_i \cdot D^{ID_i} \bmod \phi(N).$$

3. The KAC publishes $ID_i$ and returns the private key $d_i$ to $U_i$ in a highly secure manner. Upon successful completion of the registration process, $U_i$ can sign any document with its private key $d_i$.

2.3. Signing Phase

Assume that authorized users $U_1, U_2, \ldots, U_m$ will collectively sign a document $M$. In order to generate a multisignature on $M$, $U_i$ ($1 \le i \le m$) uses its private key $d_i$ to generate its own signature $S_i$ such that

$$S_i = S_{i-1}^{d_i} \bmod N,$$

where $S_0 = [M]$ denotes an original document. Note that the scheme allows the signing order to be decided dynamically. Finally, the multisignature $S$ is defined as

$$S = M^{d_1 \cdot d_2 \cdots d_m} = M^{ID_1 \cdot ID_2 \cdots ID_m \cdot D^{ID_1 + \cdots + ID_m}} \bmod N.$$

2.4. Verification phase

To verify the multisignature of $M$, the verifier needs only the identities $\{ID_1, \ldots, ID_m\}$ of all signers and the public key of the KAC. Knowledge of the signing order of the multisignature is not important to the verifier. The multisignature is verified as follows:

1. Compute

$$C = S^{E^{ID_1 + \cdots + ID_m}} \bmod N.$$

Then

$$C = \left(M^{ID_1 \cdot ID_2 \cdots ID_m \cdot D^{ID_1 + \cdots + ID_m}}\right)^{E^{ID_1 + \cdots + ID_m}} = M^{ID_1 \cdot ID_2 \cdots ID_m \cdot \left(D^{ID_1 + \cdots + ID_m}\right) \cdot \left(E^{ID_1 + \cdots + ID_m}\right)} = M^{ID_1 \cdot ID_2 \cdots ID_m} \bmod N.$$

2. Check whether the relation

$$C = M^{ID_1 \cdot ID_2 \cdots ID_m} \bmod N$$

holds or not.

3. If the equation holds, $S$ is accepted as a valid multisignature.

3. Forgery attacks on Chang et al.'s ID-based multisignature scheme

Now, we show that Chang et al.'s ID-based multisignature scheme is insecure against several forgery attacks.

3.1. Forgery attack I

Suppose that an adversary $A$ has already obtained a multisignature $(S, M, \{ID_1, \ldots, ID_n\})$ on the message $M$ for a signers' group $\{U_1, \ldots, U_n\}$ with identities $\{ID_1, \ldots, ID_n\}$. Then $A$ can obtain valid multisignatures on new messages for a distinct signers' group. First, $A$ computes $M_i = M^{ID_i} \bmod N$ and $S_i = S^{E^{ID_i}} \bmod N$. Then $S_i$ can be expressed as

$$S_i = S^{E^{ID_i}} = M^{ID_1 \cdots ID_n \cdot D^{ID_1 + \cdots + ID_n} \cdot E^{ID_i}} = \left(M^{ID_i}\right)^{ID_1 \cdots \widehat{ID_i} \cdots ID_n \cdot D^{ID_1 + \cdots + \widehat{ID_i} + \cdots + ID_n}} \bmod N,$$

where $\widehat{ID_i}$ represents the omission of $ID_i$. Therefore, $(S_i, M_i)$ is a valid multisignature for $\{ID_1, \ldots, \widehat{ID_i}, \ldots, ID_n\}$. In general, $A$ can obtain multisignatures $S_{I'}$ on the message $M^{I/I'}$ for the signers' group $\{ID_{i_1}, \ldots, ID_{i_k}\}$ such that $(i_1, \ldots, i_k) \subset (1, \ldots, n)$, where $I' = ID_{i_1} \cdot ID_{i_2} \cdots ID_{i_k}$ and $I = ID_1 \cdots ID_n$. Therefore, $A$ can obtain $2^n - 2$ multisignatures on all distinct messages from a valid multisignature $(S, M, \{ID_1, \ldots, ID_n\})$.

3.2. Forgery attack II

Suppose that an adversary $A$ has already obtained two valid multisignatures $(S_1, M_1, \{ID_1, \ldots, ID_n\})$ and $(S_2, M_2, \{ID_1, \ldots, ID_n\})$ on distinct messages $M_1$ and $M_2$ for the same signers' group $\{U_1, \ldots, U_n\}$ with identities $\{ID_1, \ldots, ID_n\}$. Then $A$ can forge a valid multisignature $S'$ on a new message $M' = M_1 \cdot M_2$ for the same signers' group $\{U_1, \ldots, U_n\}$ by computing

$$S' = S_1 \cdot S_2 = M_1^{ID_1 \cdots ID_n \cdot D^{ID_1 + \cdots + ID_n}} \cdot M_2^{ID_1 \cdots ID_n \cdot D^{ID_1 + \cdots + ID_n}} = (M_1 \cdot M_2)^{ID_1 \cdots ID_n \cdot D^{ID_1 + \cdots + ID_n}} \bmod N.$$

Therefore, $A$ obtains a valid multisignature $S'$ on $M' = M_1 \cdot M_2$ for $\{ID_1, \ldots, ID_n\}$ because the verification equation

$$(S')^{E^{ID_1 + \cdots + ID_n}} = (S_1 \cdot S_2)^{E^{ID_1 + \cdots + ID_n}} = S_1^{E^{ID_1 + \cdots + ID_n}} \cdot S_2^{E^{ID_1 + \cdots + ID_n}} = M_1^{ID_1 \cdots ID_n} \cdot M_2^{ID_1 \cdots ID_n} = (M')^{ID_1 \cdots ID_n} \bmod N$$

holds. Similarly, $A$ can obtain a valid multisignature $S''$ on a new message $M'' = M_1 / M_2$ for the same signers' group $\{ID_1, \ldots, ID_n\}$ (where $M_1 / M_2$ is computed modulo $N$, i.e., $M_2^{-1}$ can be computed by the Extended Euclidean Algorithm [5]). The greater the number of collected multisignatures for the fixed signers' group $\{ID_1, \ldots, ID_n\}$, the more forged multisignatures for the same group can be produced.

3.3. Forgery attack III

Suppose that $A$ has already obtained a valid multisignature $(S, M, \{ID_1, \ldots, ID_n\})$ on a message $M$ for the signers' group $\{U_1, \ldots, U_n\}$ with identities $\{ID_1, \ldots, ID_n\}$, where

$$S = M^{d_1 \cdot d_2 \cdots d_n} = M^{ID_1 \cdot ID_2 \cdots ID_n \cdot D^{ID_1 + \cdots + ID_n}} \bmod N.$$

Then $A$ can find a set of valid identities $\{ID'_1, \ldots, ID'_m\}$ such that

$$\prod_{i=1}^{n} ID_i = \prod_{i=1}^{m} ID'_i, \qquad \sum_{i=1}^{n} ID_i = \sum_{i=1}^{m} ID'_i$$

by a cut-and-choose method. Then the given signature $S$ also becomes a valid multisignature on the same message $M$ for a new set of signers' identities $\{ID'_1, \ldots, ID'_m\}$ because

$$S = M^{ID_1 \cdots ID_n \cdot D^{ID_1 + \cdots + ID_n}} = M^{ID'_1 \cdots ID'_m \cdot D^{ID'_1 + \cdots + ID'_m}} \bmod N.$$

Suppose that an adversary $A$ has already obtained two valid multisignatures $(S_1, M, \{ID_1, \ldots, ID_n\})$ and $(S_2, M, \{ID'_1, \ldots, ID'_m\})$ on the same message $M$ for different signers' groups $\{ID_i\}_{i=1}^{n}$ and $\{ID'_j\}_{j=1}^{m}$ such that $ID_i \ne ID'_j$ for all $1 \le i \le n$ and $1 \le j \le m$. Then $A$ can obtain a multisignature $S$ on the message $M$ for a new signers' group $\{ID_1, \ldots, ID_n, ID'_1, \ldots, ID'_m\}$ by computing

$$S = S_1 \cdot S_2 = M^{ID_1 \cdots ID_n \cdot D^{ID_1 + \cdots + ID_n}} \cdot M^{ID'_1 \cdots ID'_m \cdot D^{ID'_1 + \cdots + ID'_m}} = M^{ID_1 \cdots ID_n \cdot ID'_1 \cdots ID'_m \cdot D^{ID_1 + \cdots + ID_n + ID'_1 + \cdots + ID'_m}} \bmod N.$$

4. Conclusion

We showed that Chang et al.'s ID-based multisignature scheme based on RSA is insecure against several forgery attacks. In fact, using hashed messages can prevent forgery attacks I and II, i.e., $S = H(M)^{d_1 \cdots d_n} \bmod N$. If the group of signers can be determined before signing, then adding the set of signers' identities to the input of the hash function together with the message being signed can prevent forgery attack III, i.e., $S = H(M, ID_1, \ldots, ID_n)^{d_1 \cdots d_n} \bmod N$. However, this countermeasure is not so desirable either, since, in real applications, the first signer cannot know the whole set of signers in advance. The weaknesses of the scheme against forgeries I, II, and III are due to the multiplicative property of RSA and the algebraic relationships among identity values. To prevent these forgery attacks, a creative method is required to destroy the algebraic relationships among identity values and to bind the messages being signed to their sets of identities.
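The scheme of Section 2, forgeries I and II of Section 3 and the hash-then-sign countermeasure above, worked through in Python as an added example that is not the paper's own code. The primes, identities and messages are constructed toy values (far too small for real use), and SHA-256 is assumed as the hash function $H$.

```python
import hashlib
from math import prod
# Constructed toy KAC parameters (10000th and 100000th primes): far too small for real use.
P, Q = 104729, 1299709
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # KAC secret: E*D = 1 mod phi(N)  (Python >= 3.8)

def keygen(id_i):
    """Key generation phase: d_i = ID_i * D^{ID_i} mod phi(N)."""
    return id_i * pow(D, id_i, PHI) % PHI

def multisign(m, keys):
    """Signing phase: S_i = S_{i-1}^{d_i} mod N with S_0 = M, in any signing order."""
    s = m % N
    for d in keys:
        s = pow(s, d, N)
    return s

def verify(s, m, ids):
    """Verification: S^{E^{sum ID}} == M^{prod ID} mod N; needs only the IDs and (N, E)."""
    return pow(s, E ** sum(ids), N) == pow(m, prod(ids), N)

def h(m):
    """Hash-then-sign variant from the conclusion: the signers sign H(M) instead of M."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N

def forgery_I(s, m, ids, i):
    """Attack I: S^{E^{ID_i}} is a multisignature on M^{ID_i} for the group without ID_i."""
    return pow(s, E ** i, N), pow(m, i, N), [x for x in ids if x != i]

def forgery_II(s1, s2, m1, m2):
    """Attack II: S1*S2 is a multisignature on M1*M2 for the same group."""
    return s1 * s2 % N, m1 * m2 % N

def demo():
    ids = [101, 203, 307]                    # constructed identities in Z_N
    keys = [keygen(i) for i in ids]
    m1, m2 = 1234567, 7654321                # constructed messages in Z_N
    s1, s2 = multisign(m1, keys), multisign(m2, keys)
    fs, fm, fids = forgery_I(s1, m1, ids, 203)
    gs, gm = forgery_II(s1, s2, m1, m2)
    # Hashed variant: each honest signature is on h(M); the verifier checks against h(M).
    hashed_forgery = multisign(h(m1), keys) * multisign(h(m2), keys) % N
    return {
        "honest": verify(s1, m1, ids),                    # True
        "forgery_I": verify(fs, fm, fids),                # True: attack I succeeds
        "forgery_II": verify(gs, gm, ids),                # True: attack II succeeds
        "forgery_II_hashed": verify(hashed_forgery, h(gm), ids),  # False: hashing blocks it
    }
```

Attack III is not modelled: it needs a second identity set with the same product and sum, which the paper leaves to a cut-and-choose search.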

Acknowledgement

This work was supported by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD) (KRF-2005-217-C00002).

References

[1] C.C. Chang, I.C. Lin, K.Y. Lam, An ID-based multisignature scheme without reblocking and predetermined signing order, Computer Standards & Interfaces 27 (2005) 407–413.

[2] L. Harn, T. Kiesler, New scheme for digital multisignature, Electronic Letters on Computer Vision and Image Analysis 25 (15) (1989) 1002–1003.

[3] T. Kiesler, L. Harn, RSA blocking and multisignature schemes with no bit expansion, Electronic Letters on Computer Vision and Image Analysis 26 (18) (1990) 1490–1491.

[4] L.M. Kohnfelder, On the signature reblocking problem in public-key cryptography, Communications of the ACM 21 (2) (1978) 179.

[5] Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptology, CRC Press, 1997.

[6] S.F. Pon, E.H. Lu, J.Y. Lee, Dynamic reblocking RSA-based multisignatures scheme for computer and communication networks, IEEE Communications Letters 6 (1) (2002) 43–44.

[7] R.L. Rivest, A. Shamir, L.M. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (2) (1978) 120–126.

Kyung-Ah Shim received her M.S. and Ph.D. degrees in Mathematics from the Ewha Womans University in 1994 and 1999, respectively. From 2000 to 2004, she worked as a senior researcher in the Korea Information Security Agency. Currently, she is a Research Professor at the Department of Mathematics of the Ewha Womans University. Her research activities are mainly focused on cryptography and information security.