4. In case of dispute, $T$ can disclose the signer since it knows part of the private key of each member of $G$.

In fact, as $T$ knows the values of $A_i$ and $C_i$ of the signer $U_i$, by using the equations in (6) defining the group signature, it can compute

$$\frac{F}{A_i \cdot C_i} \equiv \frac{A_i \cdot C_i \cdot \alpha^{\lambda_i}}{A_i \cdot C_i} = \alpha^{\lambda_i} \pmod{n}.$$

Then, $T$ can prove, without the collaboration of $U_i$, that

$$h\left(\frac{F}{A_i \cdot C_i} \pmod{n}\right) = h(\alpha^{\lambda_i}) = H_i.$$

4 Security Analysis
Moreover, the scheme is secure as no member of $G$, say $U_i$, knowing only his own private key, $(b_i, d_i, A_i, C_i)$, and the shared public key, $(P = \alpha^{a_0 + s \cdot b_0},\ Q = \alpha^{s \cdot c_0 + d_0})$, can determine either the secret value $s$ of $T$ or its private key $(a_0, b_0, c_0, d_0)$.

In fact, determining $s$ from $\alpha$ and $\beta \equiv \alpha^s \pmod{n}$, see formula (1), means solving the discrete logarithm problem in the subgroup $S_r$, of order $r$, generated by $\alpha$, which is impossible as the size of $r$ was chosen such that the SDLP was infeasible to solve, and moreover, the factorization of $n$ is infeasible as well. Moreover, the private key of $T$ was generated at random and it is only known that it verifies the equation (2), but computing any of the values of this key implies solving the DLP in $\mathbb{Z}_n$.

It is also impossible for any $U_i$ to determine the values of $h = a_i + s \cdot b_i$, and $k = s \cdot c_i + d_i$, as he only knows $b_i, d_i, \alpha^{a_i}, \beta^{c_i}$. In all cases, it is necessary to solve a discrete logarithm problem.

Furthermore, two members of $G$, say $U_i$ and $U_j$, could conspire and try to compute any of the secret values of $T$: $s, h, k, a_0, b_0, c_0, d_0$, or generate a false signature for the group. To carry out any of these attacks, both could generate their signatures for a message, say $(F_i, G_i, H_i)$ and $(F_j, G_j, H_j)$, respectively. Then, from the verification identity (7), they have

$$F_i \cdot G_i \equiv F_j \cdot G_j = P \cdot Q^m \pmod{n}.$$

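Hence, they obtain

$$A_i \cdot C_i^m \cdot \beta^{b_i} \cdot \alpha^{m \cdot d_i} \equiv A_j \cdot C_j^m \cdot \beta^{b_j} \cdot \alpha^{m \cdot d_j} \pmod{n},$$

or equivalently,

$$\alpha^{a_i} \cdot \beta^{m \cdot c_i} \cdot \beta^{b_i} \cdot \alpha^{m \cdot d_i} \equiv \alpha^{a_j} \cdot \beta^{m \cdot c_j} \cdot \beta^{b_j} \cdot \alpha^{m \cdot d_j} \pmod{n},$$
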
and as $\alpha$ has order $r$ modulo $n$, it results

$$(a_i + m \cdot d_i) + s\,(b_i + m \cdot c_i) \equiv (a_j + m \cdot d_j) + s\,(b_j + m \cdot c_j) \pmod{r}.$$