
Information Processing Letters 107 (2008) 83–86

www.elsevier.com/locate/ipl

Rogue-key attacks on the multi-designated verifiers signature scheme

Kyung-Ah Shim

Department of Mathematics, Ewha Womans University, 11-1 Daehyun-dong, Seodaemun-gu, Seoul 120-750, Republic of Korea

Received 6 July 2007; received in revised form 27 November 2007; accepted 30 November 2007

Available online 7 February 2008

Communicated by D. Pointcheval

Abstract

In 1996, Jakobsson, Sako, and Impagliazzo and, on the other hand, Chaum introduced the notion of designated verifier signatures to solve some of the intrinsic problems of undeniable signatures. The generalization of this concept was formally investigated by Laguillaumie and Vergnaud as multi-designated verifiers signatures. Recently, Laguillaumie and Vergnaud proposed the first multi-designated verifiers signature scheme which protects the anonymity of signers without encryption. In this paper, we show that their scheme is insecure against rogue-key attacks.

© 2008 Elsevier B.V. All rights reserved.

Keywords: Cryptography; Digital signature; Multi-designated verifiers signature; Bilinear pairing; Rogue-key attack

1. Introduction

Designated verifier proofs, proposed in 1996 by Jakobsson et al. [7] and Chaum [3], were introduced to solve some of the problems inherent to undeniable signatures. These proofs can be converted into designated verifier signatures via the Fiat and Shamir heuristic [5]. Desmedt [4] extended these signatures to a multi-user setting. This new primitive was formally investigated by Laguillaumie and Vergnaud [9], as multi-designated verifiers signatures, where a generic multi-designated verifiers signature scheme based on discrete-log ring signatures was proposed. Jakobsson et al. [7] also suggested that designated verifier signatures should provide an additional notion of privacy: given such a signature and two potential signing public keys, it should be computationally infeasible for an eavesdropper to determine under which of the two corresponding secret keys the signature was performed. This property has been formalized in [10] and naturally extended to the multi-user setting in [9], where a bi-designated verifiers signature scheme was also proposed which takes advantage of Joux's non-interactive tripartite key exchange [8] to achieve this property. However, the generic scheme from [9] did not capture the notion of privacy of the signer's identity without an additional encryption layer. Recently, Laguillaumie and Vergnaud [11] proposed the first multi-designated verifiers signature scheme which protects the anonymity of signers without encryption, which is based on Boneh et al.'s ring signatures [2]. In this paper, we show that their scheme is insecure against rogue-key attacks.

E-mail address: [email protected].

0020-0190/$ – see front matter © 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.ipl.2007.11.021

The rest of the paper is organized as follows. In Section 2, we review the Laguillaumie–Vergnaud multi-designated verifiers signature scheme. In Section 3, we show that the scheme is insecure against rogue-key attacks. Concluding remarks are given in Section 4.

2. Review of the Laguillaumie–Vergnaud multi-designated verifiers signature scheme

In this section, we review the Laguillaumie–Vergnaud multi-designated verifiers signature (MDVS) scheme from bilinear pairings [11] and the security notion for MDVS schemes [9].

2.1. The Laguillaumie–Vergnaud multi-designated verifiers signature scheme

Let $k \in \mathbb{Z}$ be a security parameter. We denote by $A$ the signer and by $B_i$ a designated verifier. The scheme is illustrated as follows:

The multi-designated verifiers signature scheme: SMDVS

– Setup: Let $\mathsf{Gen}$ be a prime-order-BDH-parameter-generator and $(q, P, G, H, e)$ be the output of $\mathsf{Gen}(k)$ satisfying the following conditions: $q$ is a prime number with $2^{k-1} \le q \le 2^k$, $G$ and $H$ are groups of order $q$, $P$ generates $G$ and $e : G \times G \to H$ is an admissible bilinear pairing. Let $[\{0,1\}^* \times G^{n+2} \to G]$ be a hash function family, and $H$ be its random member. (The paper reuses the letter $H$ for both the target group of the pairing and the hash function; which one is meant is clear from context.)

– SKeyGen: It randomly picks an integer $a \in [1, q-1]$, which is the secret key of the signer $A$. Its public key is $P_A = aP$.

– VKeyGen: It randomly picks an integer $b_i \in [1, q-1]$, which is the secret key of the verifier $B_i$. Its public key is $P_{B_i} = b_i P$.

– Sign: Given a message $m \in \{0,1\}^*$, $A$ computes the key $P_B = P_{B_1} + \cdots + P_{B_n}$, chooses a random number $r \in [1, q-1]$ and computes $Y_{B_i} = r P_{B_i}$ for all $i = 1, \ldots, n$ and $Y = rP$. Next, $A$ computes $M = H(m, P_A, P_{B_1}, \ldots, P_{B_n}, Y)$, chooses a random number $r' \in [1, q-1]$ and computes

$$Q_A = a^{-1}(M - r' P_B), \qquad Q_B = r' P.$$

The $(n+2)$-tuple $\sigma = (Q_A, Q_B, Y_{B_1}, \ldots, Y_{B_n})$ is a multi-designated verifiers signature.

– Verify: Given a message $m \in \{0,1\}^*$ and a signature $\sigma = (Q_A, Q_B, Y_{B_1}, \ldots, Y_{B_n})$, each $B_i$ ($i = 1, \ldots, n$) retrieves $Y = rP$ by computing $b_i^{-1} Y_{B_i}$. Then $B_i$ verifies, for $j = 1, \ldots, n$ and $j \ne i$, that $e(P_{B_j}, rP) = e(Y_{B_j}, P)$. If these hold, $B_i$ computes $M = H(m, P_A, P_{B_1}, \ldots, P_{B_n}, Y)$ and checks whether

$$e(M, P) = e(Q_A, P_A) \cdot e(Q_B, P_B)$$

holds or not. If it holds, the signature is accepted.
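Why Verify accepts an honestly generated signature is not spelled out above; the following check is added here (it is not part of the original paper) and uses only the definitions of Sign and Verify and the bilinearity of $e$:

$$e(Q_A, P_A) \cdot e(Q_B, P_B) = e\big(a^{-1}(M - r'P_B),\, aP\big) \cdot e(r'P, P_B) = e(M - r'P_B, P) \cdot e(r'P_B, P) = e(M, P).$$

The per-verifier checks $e(P_{B_j}, rP) = e(Y_{B_j}, P)$ hold because $Y_{B_j} = rP_{B_j}$; they bind every $Y_{B_j}$ to the same $r$, so all designated verifiers recover the same $Y$ and hence the same $M$.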

2.2. Unforgeability of multi-designated verifiers signature schemes

Let $B = \{B_1, \ldots, B_n\}$ be a group of $n$ entities (the designated verifiers), $k$ be an integer and MDVS be an $n$-designated verifiers signature scheme with security parameter $k$. For digital signature schemes, the strongest security notion was defined by Goldwasser, Micali and Rivest in [6] as existential forgery under an adaptively chosen message attack (EF-CMA). In the MDVS setting, an EF-CMA-adversary $\mathcal{A}$ is given the $n$ public keys of the $B_i$ as well as access to the random oracle $H$ and to the signing oracle $\Sigma$. As $\mathcal{A}$ cannot verify a signature by himself, one may give him access to a verifying oracle to check the validity of signatures, as for single designated verifier signature schemes [14]. On the other hand, the attacker is allowed to corrupt up to $(n-1)$ designated verifiers (and to do so adaptively), i.e., he can access a corrupting oracle $\Xi$ to obtain the secret information of the corresponding corrupted verifier. He is therefore able to verify a signature by himself, and one can omit the verifying oracle. Also, $\mathcal{A}$ is allowed to query the signing oracle on the challenge message $m$, but is supposed to output a signature on the message $m$ that was not given by $\Sigma$.

Security against existential forgery. Let $B$ be $n$ entities, $k$ and $t$ be integers and $\varepsilon$ be a real in $[0,1]$, and let MDVS be an $n$-designated verifiers signature scheme with security parameter $k$. Let $\mathcal{A}$ be an EF-CMA-adversary against MDVS. We consider the following random experiment:

Experiment $\mathbf{Exp}^{\text{ef-cma}}_{\text{MDVS},\mathcal{A}}(k)$:

    params ← MDVS.Setup(k)
    For i = 1, ..., n do
        (pk_{B_i}, sk_{B_i}) ←_R MDVS.VKeyGen(params, B_i)
    (pk_A, sk_A) ←_R MDVS.SKeyGen(params, A)
    (m, σ) ← 𝒜^{H, Σ, Ξ}(params, pk_{B_1}, ..., pk_{B_n}, pk_A)
    Return ∨_{i=1}^{n} MDVS.Verify(params, m, σ, pk_A, sk_{B_i})

The experiment returns 1 as soon as at least one designated verifier accepts the forgery. We define the success of the adversary $\mathcal{A}$ via $\mathbf{Succ}^{\text{ef-cma}}_{\text{MDVS},\mathcal{A}}(k) = \Pr\big[\mathbf{Exp}^{\text{ef-cma}}_{\text{MDVS},\mathcal{A}}(k) = 1\big]$. MDVS is said to be $(k, t, \varepsilon)$-EF-CMA secure if no adversary $\mathcal{A}$ running in time $t$ has a success $\mathbf{Succ}^{\text{ef-cma}}_{\text{MDVS},\mathcal{A}}(k) \ge \varepsilon$.


The security model for existential unforgeability of MDVS schemes described above does not allow an adversary to choose its public key arbitrarily; that is, it does not consider protection against rogue-key attacks. In the next section, we point out the vulnerability of SMDVS to such attacks.

3. Cryptanalysis of the SMDVS scheme

Now, we show that the SMDVS scheme is insecure against rogue-key attacks. Suppose that an adversary $E$ wants to forge $A$'s multi-designated verifiers signatures. The attack is mounted as follows:

1. First, $E$ chooses a random $t \in [1, q-1]$ and computes $tP$ and $tP - (P_{B_1} + \cdots + P_{B_n})$. Next, $E$ sets $P_E = tP - (P_{B_1} + \cdots + P_{B_n})$ and issues it as its public key. Note that $E$ does not know its own private key $t - \sum_{i=1}^{n} b_i$ corresponding to $P_E$, while it knows $t$. Then $E$ takes $U = \{P_{B_1}, \ldots, P_{B_n}, P_E\}$ as a group of $(n+1)$ designated verifiers.

2. To forge $A$'s multi-designated verifiers signatures for the group of designated verifiers $U$, $E$ chooses a random number $r \in [1, q-1]$ and computes

$$Y_{B_i} = rP_{B_i} \ \text{ for } i = 1, \ldots, n, \qquad Y_E = rP_E, \qquad Y = rP.$$

Then $E$ computes $M = H(m, P_A, P_{B_1}, \ldots, P_{B_n}, P_E, Y)$ and $P_B = P_{B_1} + \cdots + P_{B_n} + P_E$, chooses a random number $r' \in [1, q-1]$ and computes

$$Q_A = -P_B + r'P, \qquad Q_B = P_A + t^{-1}(M - r'P_A).$$

Then the $(n+3)$-tuple $\sigma = (Q_A, Q_B, Y_{B_1}, \ldots, Y_{B_n}, Y_E)$ is a valid multi-designated verifiers signature for $U$. In fact, it satisfies the verification equation as follows:

$$\begin{aligned}
e(Q_A, P_A) \cdot e(Q_B, P_B) &= e(-P_B + r'P, P_A) \cdot e(P_A + t^{-1}M - t^{-1}r'P_A, P_B) \\
&= e(-P_B, P_A) \cdot e(r'P, P_A) \cdot e(P_A, P_B) \cdot e(t^{-1}M, P_B) \cdot e(-t^{-1}r'P_A, P_B) \\
&= e(P_B, P_A)^{-1} \cdot e(P_A, P_B) \cdot e(r'P, P_A) \cdot e(r'P_A, P)^{-1} \cdot e(M, P) \\
&= e(M, P),
\end{aligned}$$

since $P_B = P_{B_1} + \cdots + P_{B_n} + P_E = tP$ and so

$$e(t^{-1}M, P_B) = e(M, P), \qquad e(-t^{-1}r'P_A, P_B) = e(r'P_A, P)^{-1},$$

and $e(r'P, P_A) = e(r'P_A, P)$ (likewise $e(P_B, P_A) = e(P_A, P_B)$, both arguments being multiples of $P$) by bilinearity of $e$. The per-verifier checks pass as well: each honest $B_i$ recovers $Y = b_i^{-1}Y_{B_i} = rP$ and finds $e(P_{B_j}, rP) = e(Y_{B_j}, P)$ for $j \ne i$ and $e(P_E, rP) = e(Y_E, P)$, since every $Y$-component is $r$ times the corresponding public key. ($E$ itself cannot run Verify, as it does not know the discrete logarithm of $P_E$, but the forgery is accepted by all $n$ honest verifiers, which is what the EF-CMA experiment counts.) Consequently, $E$ can forge multi-designated verifiers signatures on any message for any group of designated verifiers containing itself as a member, without knowing the secret key $a$ of the signer $A$.

Multi-user signature schemes must be secure against rogue-key attacks, in which an adversary can choose its public key(s) arbitrarily; such attacks were previously considered in the contexts of aggregate signature and multisignature schemes [2,1,12,13]. Countermeasures against rogue-key attacks have been proposed. One countermeasure is to require the adversary to prove knowledge of the discrete logarithms of his published public keys. Boldyreva's multisignature scheme [1] requires a proof of knowledge of the secret key during public key registration. Micali et al. [12] also discussed a series of more sophisticated approaches based on zero-knowledge proofs, again with the effect that the adversary is constrained in his key selection. For these schemes, provable security has only been established under the knowledge of secret key (KOSK) assumption, where the adversary is required to reveal the secret keys it utilizes. In practice, certifying authorities rarely require the strong proofs of knowledge of secret keys needed to substantiate the KOSK assumption. Instead, proofs of possession (POPs) are required, and these can be as simple as a signature over the certificate request message. Recently, Ristenpart and Yilek [13] proposed a general registered key model within which one can model both the KOSK assumption and the POP protocols in use. As in [1,13], the security of the SMDVS scheme against rogue-key attacks can be proved under the KOSK assumption.
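The scheme of Section 2.1, the forgery of Section 3 and the proof-of-possession countermeasure discussed above, as one added worked example that is not part of the original paper nor code from Laguillaumie and Vergnaud. It uses a toy algebraic model (an assumption of this example): group elements are stored as their discrete logarithms to the base $P$, and the symmetric pairing is computed as a product of exponents, so every identity used in the verification equation holds exactly while the model has no security at all, since any discrete logarithm is readable by construction. The SHA-256 stand-in `hash_to_G` for the random oracle, the Schnorr-style `pop_prove`/`pop_verify` registration check and the parameter $q = 2^{127}-1$ are likewise assumptions of the example, not of the paper.

```python
"""Toy model of the Laguillaumie-Vergnaud MDVS scheme (SMDVS), Shim's
rogue-key forgery and a proof-of-possession check at key registration.

Model (an assumption of this example): the point xP of G is stored as the
integer x mod q (so P is 1) and the symmetric pairing e(xP, yP) = e(P,P)^{xy}
is stored as the exponent x*y mod q, so products in H add exponents.
Bilinearity is exact, so the verification identities can be checked, but
there is no security: every discrete logarithm is readable by construction.
"""
import hashlib
import secrets

Q = (1 << 127) - 1                               # prime group order q (toy parameter)
P = 1                                            # generator P, stored as 1*P

def add(*xs): return sum(xs) % Q                 # point addition in G
def neg(x): return (-x) % Q                      # point negation in G
def mul(k, x): return (k * x) % Q                # scalar multiplication kX
def inv(k): return pow(k, -1, Q)                 # k^{-1} mod q
def pair(x, y): return (x * y) % Q               # e(X, Y), as an exponent of e(P, P)
def h_mul(u, v): return (u + v) % Q              # product in H (exponents add)
def rand(): return secrets.randbelow(Q - 1) + 1  # uniform in [1, q-1]

def hash_to_G(*parts):
    """Random-oracle stand-in for H(m, P_A, P_{B_1}, ..., Y) -> G (bytes or points)."""
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else x.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def keygen():                                    # SKeyGen / VKeyGen
    sk = rand()
    return sk, mul(sk, P)

def sign(a, PA, PBs, m):
    """SMDVS.Sign by A (secret a) for verifiers with public keys PBs."""
    PB, r = add(*PBs), rand()
    YBs = tuple(mul(r, pk) for pk in PBs)        # Y_{B_i} = r P_{B_i}
    M = hash_to_G(m, PA, *PBs, mul(r, P))        # M = H(m, P_A, P_{B_1..n}, Y)
    rp = rand()
    QA = mul(inv(a), add(M, neg(mul(rp, PB))))   # Q_A = a^{-1}(M - r'P_B)
    QB = mul(rp, P)                              # Q_B = r'P
    return QA, QB, YBs

def verify(i, bi, PA, PBs, m, sig):
    """SMDVS.Verify run by designated verifier B_i holding secret b_i."""
    QA, QB, YBs = sig
    Y = mul(inv(bi), YBs[i])                     # Y = b_i^{-1} Y_{B_i} = rP
    for j, (pk, yk) in enumerate(zip(PBs, YBs)):
        if j != i and pair(pk, Y) != pair(yk, P):
            return False
    M = hash_to_G(m, PA, *PBs, Y)
    return pair(M, P) == h_mul(pair(QA, PA), pair(QB, add(*PBs)))

def rogue_key(PBs):
    """E publishes P_E = tP - sum(P_{B_i}); it knows t but not log_P(P_E)."""
    t = rand()
    return t, add(mul(t, P), neg(add(*PBs)))

def forge(t, PE, PA, PBs, m):
    """Forge A's signature for U = {B_1, ..., B_n, E} without A's secret a."""
    U = tuple(PBs) + (PE,)
    r = rand()
    Ys = tuple(mul(r, pk) for pk in U)           # Y_{B_i} = rP_{B_i}, Y_E = rP_E
    M = hash_to_G(m, PA, *U, mul(r, P))
    PB, rp = add(*U), rand()                     # P_B = tP by construction of P_E
    QA = add(neg(PB), mul(rp, P))                # Q_A = -P_B + r'P
    QB = add(PA, mul(inv(t), add(M, neg(mul(rp, PA)))))  # Q_B = P_A + t^{-1}(M - r'P_A)
    return U, (QA, QB, Ys)

def pop_prove(sk, pk):
    """Schnorr proof of possession of log_P(pk), submitted with pk at registration."""
    k = rand()
    R = mul(k, P)
    c = hash_to_G(b"pop", pk, R)                 # domain-separated from the signing hash
    return R, (k + c * sk) % Q

def pop_verify(pk, proof):
    R, s = proof
    return mul(s, P) == add(R, mul(hash_to_G(b"pop", pk, R), pk))

def demo(n=3, m=b"pay 100 to Carol"):
    """Returns (honest sig accepted, forgery accepted, honest POPs ok, rogue POP ok)."""
    a, PA = keygen()
    vks = [keygen() for _ in range(n)]           # (b_i, P_{B_i}) for the honest verifiers
    PBs = tuple(pk for _, pk in vks)
    sig = sign(a, PA, PBs, m)
    honest = all(verify(i, bi, PA, PBs, m, sig) for i, (bi, _) in enumerate(vks))
    t, PE = rogue_key(PBs)
    U, fsig = forge(t, PE, PA, PBs, m)           # E never touches a
    forged = all(verify(i, bi, PA, U, m, fsig) for i, (bi, _) in enumerate(vks))
    honest_pop = all(pop_verify(pk, pop_prove(sk, pk)) for sk, pk in vks)
    rogue_pop = pop_verify(PE, pop_prove(t, PE))  # t is the only secret E holds
    return honest, forged, honest_pop, rogue_pop

if __name__ == "__main__":
    print(demo())                                # (True, True, True, False)
```

`demo()` returns `(True, True, True, False)`: honest signatures verify for every $B_i$; the rogue-key forgery is accepted by every honest $B_i$ although it was produced without $a$; honest registrants pass the proof of possession; and the best proof $E$ can produce with what it knows ($t$ rather than $t - \sum b_i$) is rejected for $P_E$, so a registration that demands the POP never admits the rogue key into a verifier group. The POP challenge is hashed with a fixed prefix so that the registration proof lives in a different hash domain from the signing hash $H$; in a real deployment the group and pairing would come from an actual pairing-friendly curve, and $q$, the hash and the Schnorr proof are only the example's choices.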

4. Conclusion

We showed that the Laguillaumie–Vergnaud multi-designated verifiers signature scheme is insecure againstrogue-key attacks. We also discussed countermeasuresagainst the attacks.

Acknowledgements

This work was supported by the Korea ResearchFoundation Grant funded by the Korean Government(MOEHRD) (KRF-2005-217-C00002).


References

[1] A. Boldyreva, Efficient threshold signature, multisignature and blind signature schemes based on the Gap–Diffie–Hellman-group signature scheme, in: Proc. of PKC'03, Lecture Notes in Comput. Sci., vol. 2567, Springer-Verlag, 2003, pp. 31–46.

[2] D. Boneh, C. Gentry, B. Lynn, H. Shacham, Aggregate and verifiably encrypted signatures from bilinear maps, in: Proc. of Eurocrypt'03, Lecture Notes in Comput. Sci., vol. 2656, Springer, Berlin, 2003, pp. 416–432.

[3] D. Chaum, Private signature and proof systems, US Patent 5,493,614, 1996.

[4] Y. Desmedt, Verifier-designated signatures, rump session, Crypto'03, 2003.

[5] A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in: Proc. of Crypto'86, Lecture Notes in Comput. Sci., vol. 263, Springer, Berlin, 1987, pp. 186–194.

[6] S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM J. Comput. 17 (2) (1988) 281–308.

[7] M. Jakobsson, K. Sako, R. Impagliazzo, Designated verifier proofs and their applications, in: Proc. of Eurocrypt'96, Lecture Notes in Comput. Sci., vol. 1070, Springer, Berlin, 1996, pp. 142–154.

[8] A. Joux, A one round protocol for tripartite Diffie–Hellman, in: Proc. of ANTS IV, Lecture Notes in Comput. Sci., vol. 1838, Springer, Berlin, 2000, pp. 385–394.

[9] F. Laguillaumie, D. Vergnaud, Multi-designated verifiers signatures, in: Proc. of ICICS'04, Lecture Notes in Comput. Sci., vol. 3269, Springer, Berlin, 2004, pp. 495–507.

[10] F. Laguillaumie, D. Vergnaud, Designated verifier signatures: anonymity and efficient construction from any bilinear map, in: Proc. of SCN'04, Lecture Notes in Comput. Sci., vol. 3352, Springer, Berlin, 2005, pp. 107–121.

[11] F. Laguillaumie, D. Vergnaud, Multi-designated verifiers signatures: anonymity without encryption, Inform. Process. Lett. 102 (2–3) (2007) 127–132.

[12] S. Micali, K. Ohta, L. Reyzin, Accountable-subgroup multisignatures, in: Proc. of ACM CCS'01, ACM Press, 2001, pp. 245–254.

[13] T. Ristenpart, S. Yilek, The power of proofs-of-possession: securing multiparty signatures against rogue-key attacks, in: Proc. of Eurocrypt'07, Lecture Notes in Comput. Sci., vol. 4515, Springer, Berlin, 2007, pp. 228–245.

[14] R. Steinfeld, H. Wang, J. Pieprzyk, Efficient extension of standard Schnorr/RSA signatures into universal designated-verifier signatures, in: Proc. of PKC'04, Lecture Notes in Comput. Sci., vol. 2947, Springer, Berlin, 2004, pp. 86–100.