Information Processing Letters 70 (1999) 79–81

The security of two ID-based multisignature protocols for sequential and broadcasting architectures

Narn-Yih Lee a,∗, Tzonelih Hwang b, Chih-Hung Wang b

a Department of Applied Foreign Language, Nan-Tai Institute of Technology, Tainan, Taiwan, Republic of China

b Institute of Information Engineering, National Cheng-Kung University, Tainan, Taiwan, Republic of China

Received 1 September 1998

Communicated by S.G. Akl

Abstract

In 1996, Wu, Chou and Wu proposed two ID-based digital multisignature protocols based on the difficulty of the factorization problem. This paper will show that Wu–Chou–Wu’s schemes are not secure enough by presenting two attacks on them. © 1999 Elsevier Science B.V. All rights reserved.

Keywords: Cryptography; ID-based system; Multisignature; Cryptanalysis

1. Introduction

Wu, Chou and Wu [1], in 1996, proposed two ID-based multisignature schemes based on Maurer–Yacobi’s noninteractive public key cryptosystem [2]. One is suitable for the sequential architecture, and the other for the broadcasting architecture. Unfortunately, the original Maurer–Yacobi scheme has been broken by Maurer–Yacobi [3] and Lim–Lee [4], which implies that the same attack can be used to break Wu–Chou–Wu’s ID-based multisignature schemes as well. Moreover, a new attack is presented to show that ‘hackers’ can forge the multisignatures of Wu–Chou–Wu’s schemes.

In the following section, we briefly review Wu–Chou–Wu’s ID-based multisignature schemes. Then, Section 3 gives two attacks on their schemes. Finally, a concluding remark is given in Section 4.

∗ Corresponding author. Email: [email protected].

2. Wu–Chou–Wu’s ID-based multisignature schemes

Two ID-based multisignature schemes were proposed by Wu, Chou and Wu [3]. Both schemes have the same system set-up stage and multisignature verification stage. The only difference between the two schemes is the multisignature generation stage.

〈System set-up stage:〉 There is a trusted authority (CA) in the system. The CA is responsible for generating the system parameters and a secret key $s_i$ for each user $U_i$ in the system. The CA proceeds with the following steps to assign the secret key $s_i$ to $U_i$.

Step 1: Choose a large number $N = P_1 P_2 P_3 P_4$, where the $P_i$, $1 \le i \le 4$, are primes satisfying the condition that the $(P_i - 1)/2$ are odd and relatively prime. Besides, according to [2], the length of each $P_i$ should be chosen to be 60–70 digits, so that computing discrete logarithms in $Z_N^*$ is feasible if and only if the factorization of $N$ is known.

0020-0190/99/$ – see front matter © 1999 Elsevier Science B.V. All rights reserved. PII: S0020-0190(99)00044-7

Step 2: Choose two numbers $e$ and $d$ in $Z_N$ such that $ed = 1 \bmod L$, where
$$L = \mathrm{lcm}(P_1 - 1,\, P_2 - 1,\, P_3 - 1,\, P_4 - 1).$$

Step 3: Choose a primitive element $\alpha$ of $GF(P_i)$ for every $i$, $1 \le i \le 4$, and compute
$$T = \alpha^{-d} \bmod N.$$

Step 4: Choose a one-way hashing function $h(\cdot)$.

Step 5: For each user $U_i$ with the identity $ID_i$, compute the secret key $s_i$ such that
$$\alpha^{s_i} = ID_i^2 \bmod N$$
(see [2] for details).

Step 6: Send $s_i$ to $U_i$ and publish the system parameters $N$, $e$, $T$ and $h(\cdot)$.

〈Multisignature generation stage:〉 Assume that $n$ users, $U_1, U_2, \ldots, U_n$, want to sign a document $D$ in the sequential approach. A document issuer sets $SG_0 = 1$ and sends $\{D, SG_0\}$ to the signer $U_1$. Each signer $U_i$ receiving $\{D, SG_{i-1}\}$ performs the following two steps.

Step 1: Compute $M_i = T^{s_i h(D)} \bmod N$, and $SG_i = SG_{i-1} \cdot M_i \bmod N$.

Step 2: Send $\{D, SG_i\}$ to the next signer $U_{i+1}$.

The multisignature of the document $D$ is $SG_n$, where
$$SG_n = \prod_{i=1}^{n} M_i = \prod_{i=1}^{n} T^{s_i h(D)} = T^{\sum_{i=1}^{n} s_i h(D)} \bmod N.$$

On the other hand, if $n$ users, $U_1, U_2, \ldots, U_n$, want to sign a document $D$ in the broadcasting approach, each signer $U_i$, $1 \le i \le n$, performs the following two steps.

Step 1: Compute $M_i = T^{s_i h(D)} \bmod N$.

Step 2: Send $M_i$ to a designated collector.

Upon receiving all $M_i$, $1 \le i \le n$, the designated collector computes the multisignature $SG_n$ of the document $D$ as
$$SG_n = \prod_{i=1}^{n} M_i = \prod_{i=1}^{n} T^{s_i h(D)} = T^{\sum_{i=1}^{n} s_i h(D)} \bmod N.$$

〈Multisignature verification stage:〉 The verifier verifies the validity of the multisignature $SG_n$ by checking whether the following equation holds:
$$SG_n^{\,e} \cdot \Big(\prod_{i=1}^{n} ID_i^2\Big)^{h(D)} = 1 \bmod N.$$

3. Two attacks on Wu–Chou–Wu’s schemes

The First Attack: The following attack on the Maurer–Yacobi scheme [2], on which Wu–Chou–Wu’s schemes are based, was presented in [3,4]. Since $\alpha^{s_k} = ID_k^2 \bmod N$, user $U_k$ can derive a square root modulo $N$ of the squared identity $ID_k^2$ by computing $\alpha^{s_k/2} \bmod N$ (note that $s_k$ is even). If for at least one of the prime factors $P_i$ of $N$,
$$\log_\alpha ID_k \bmod P_i < (P_i - 1)/2,$$
and for at least some other prime factor $P_j$ of $N$,
$$\log_\alpha ID_k \bmod P_j > (P_j - 1)/2,$$
then the obtained square root $x$ of $ID_k^2$ is different from both $ID_k$ and $-ID_k$, and thus allows user $U_k$ to find all or part of the prime factors of $N$ (since $x^2 = ID_k^2 \bmod N$ with $x \ne \pm ID_k$, $\gcd(x - ID_k, N)$ is a nontrivial factor of $N$). Consequently, $U_k$ has the chance to find the system secrets and reveal the secret keys of all users in the system.

The Second Attack: Assume that a hacker collects two multisignatures, $SG_{n1}$ and $SG_{n2}$, generated from the same group of $n$ signers, $U_1, U_2, \ldots, U_n$, on two documents $D_1$ and $D_2$, respectively. If the hash values $h(D_1)$ and $h(D_2)$ are relatively prime, the hacker can find two numbers $a$ and $b$ such that
$$a\,h(D_1) + b\,h(D_2) = \mathrm{GCD}(h(D_1), h(D_2)) = 1$$
by the Euclidean algorithm [5,6]. The value $T^{\sum_{i=1}^{n} s_i}$ can be revealed by computing
$$(SG_{n1})^a \cdot (SG_{n2})^b = T^{a \sum_{i=1}^{n} s_i h(D_1)} \cdot T^{b \sum_{i=1}^{n} s_i h(D_2)} = T^{\sum_{i=1}^{n} s_i \,(a\,h(D_1) + b\,h(D_2))} = T^{\sum_{i=1}^{n} s_i} \bmod N.$$

Then, the hacker can easily forge the multisignature of any document $D'$ from these $n$ signers, $U_1, U_2, \ldots, U_n$, by computing
$$SG'_n = \Big(T^{\sum_{i=1}^{n} s_i}\Big)^{h(D')} \bmod N.$$

Obviously, the validity of the multisignature $SG'_n$ can be checked by computing
$$(SG'_n)^{e} \cdot \Big(\prod_{i=1}^{n} ID_i^2\Big)^{h(D')} = T^{e \sum_{i=1}^{n} s_i h(D')} \cdot \Big(\prod_{i=1}^{n} \alpha^{s_i}\Big)^{h(D')} = \alpha^{-ed \sum_{i=1}^{n} s_i h(D')} \cdot \alpha^{\sum_{i=1}^{n} s_i h(D')} = \alpha^{-\sum_{i=1}^{n} s_i h(D') + \sum_{i=1}^{n} s_i h(D')} = \alpha^0 = 1 \bmod N.$$
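The set-up, signing and verification of Section 2 and the forgery of the second attack, worked through at toy size as an added example (this is not the authors' code): the four primes, the public exponent $e = 7$, the three identities and the hash $h(\cdot)$ (16 bits of SHA-256) are constructed, and the CA's discrete logarithms and primitive element are found by brute force, which is only possible at this size.

```python
# Toy reconstruction of the Wu-Chou-Wu scheme (Section 2) and the second attack
# (Section 3) with small constructed parameters; added example, not the authors' code.
import hashlib
from math import prod

P = [7, 11, 23, 47]                    # (P_i - 1)/2 = 3, 5, 11, 23: odd, pairwise coprime
N = prod(P)                            # N = P1 P2 P3 P4
L = 2 * prod((p - 1) // 2 for p in P)  # lcm(P_i - 1); known to the CA only

def egcd(x, y):  # extended Euclid: (g, a, b) with a*x + b*y == g == gcd(x, y)
    if y == 0:
        return x, 1, 0
    g, a, b = egcd(y, x % y)
    return g, b, a - (x // y) * b

def modpow(x, k, n):  # x**k mod n; a negative k is applied to the inverse of x
    return pow(x if k >= 0 else egcd(x, n)[1] % n, abs(k), n)

def is_primitive(a, p):  # brute-force order check, fine for the toy primes
    return a % p != 0 and all(pow(a, k, p) != 1 for k in range(1, p - 1))

# CA set-up: alpha primitive in every GF(P_i), e*d = 1 mod L, T = alpha^(-d) mod N
ALPHA = next(a for a in range(2, N) if all(is_primitive(a, p) for p in P))
E = 7                                  # public exponent, coprime to L
D = egcd(E, L)[1] % L
T = modpow(ALPHA, -D, N)
IDS = [1234, 5678, 9012]               # constructed identities, each coprime to N
# secret key s_i with alpha^s_i = ID_i^2 mod N (brute-force log; toy sizes only)
KEYS = [next(s for s in range(L) if pow(ALPHA, s, N) == i * i % N) for i in IDS]

def h(doc):  # toy hash: 16 bits of SHA-256, shifted so that h(D) >= 1
    return 1 + int.from_bytes(hashlib.sha256(doc).digest()[:2], "big")

def sign(keys, hd):  # sequential signing; the broadcast variant gives the same product
    sg = 1
    for s in keys:                     # M_i = T^(s_i h(D)); SG_i = SG_(i-1) * M_i
        sg = sg * pow(T, s * hd, N) % N
    return sg

def verify(sg, ids, hd):  # SG^e * (prod ID_i^2)^h(D) == 1 mod N
    return pow(sg, E, N) * pow(prod(i * i for i in ids) % N, hd, N) % N == 1

def forge(sg1, hd1, sg2, hd2, hd_new):  # second attack; needs gcd(h(D1), h(D2)) == 1
    g, a, b = egcd(hd1, hd2)           # a*h(D1) + b*h(D2) == 1
    if g != 1:
        return None
    base = modpow(sg1, a, N) * modpow(sg2, b, N) % N   # = T^sum(s_i), no key used
    return pow(base, hd_new, N)        # multisignature on any document with hash hd_new
```

forge() uses only the public values $N$ and $e$ and the two observed multisignatures; $L$, the factorization of $N$ and the $s_i$ never enter the attack.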

4. Conclusions

We have proposed two attacks on Wu–Chou–Wu’s ID-based multisignature schemes. One is that a user can use his/her identity information to derive the system secrets and the secret keys of the other users. The other is that a hacker can forge the multisignatures of Wu–Chou–Wu’s schemes on arbitrary documents. Both attacks show that Wu–Chou–Wu’s schemes are not secure enough.

Acknowledgement

This work was supported by the National Science Council of Republic of China under the contract number NSC88-2213-E218-001.

References

[1] T.C. Wu, S.L. Chou, T.S. Wu, Two ID-based multisignature protocols for sequential and broadcasting architectures, Comput. Comm. 19 (1996) 851–856.

[2] U.M. Maurer, Y. Yacobi, Non-interactive public key cryptography, in: EUROCRYPT’91, Springer, Berlin, 1991, pp. 498–507.

[3] U.M. Maurer, Y. Yacobi, A remark on a non-interactive public key distribution system, in: EUROCRYPT’92, Springer, Berlin, 1992, pp. 458–460.

[4] C.H. Lim, P.J. Lee, Modified Maurer–Yacobi’s scheme and its application, in: AUSCRYPT’92, Springer, Berlin, 1992, pp. 308–323.

[5] J.H. Moore, Protocol failures in cryptosystems, Proc. IEEE 76 (5) (1988) 594–602.

[6] K.H. Rosen, Elementary Number Theory and Its Applications, 2nd edn, Addison-Wesley, Reading, MA, 1992, pp. 80–86.