Download Cryptanalysis of Shieh-Lin-Yang

Cryptanalysis of Shieh-Lin-YangSun Signature Scheme




Source: IEEE COMMUNICATIONS LETTERS,
Vol. 7, No. 4, APRIL. 2003, pp. 195-196
Authors: Shin-Jia Hwang and En-Ti Li
Speaker: Hao-Wen Huang
Date: 2004/10/
1
Outline
 Brief review of Shieh et al’.’s scheme
 Forgery attack
 Conclusions
2
Brief review of Shieh et al’.’s sheme(1)




p: be a large prime.( public parameter )
: be a primitive element in GF(p).( public parameter )
Xi: Ui’s private key.
Uniformly between 0 and p-1 such that gcd( Xi,p-1 )=1.
Yi : Ui’s public key.
Yi=()Xi mod p
3
Brief review of Shieh et al’.’s sheme(2)
Uj
Ui
Signature={ti, ri, S}
1) Compute S= (Yi)m mod p , message m Zp
2) Select a random number ki between 1 and p-1.
Compute ri= [m*()-ki] mod p
3) Solve ti from the following congruence equation:
(S+ti) = (Xi)-1(ki-ri) mod (p-1)
4
Brief review of Shieh et al’.’s sheme(3)
Uj
The Signature Verification and Recovery
step1) perform the formula to recover m.
(Yi)S+ti ∙ ri∙ () ri = ( m mod p)
step2) check S ?= (Yi)m mod p
.
if the above statement holds, the
authenticity of the initial signature is
verified
5
Brief review of Shieh et al’.’s sheme(4)

The Parallel Multisignature Scheme
The message m is first signed by an initiator
U1, and then is sent separately to all signer.
Finally,U1 is responsible for combining these
individual signature into a multisignature.
6
Brief review of Shieh et al’.’s sheme(5)

The Serial Multisignature Scheme
In the serial multisignature scheme, the
trusted center can play the role of the public
notary (PN). The responsibility of PN is to
endorse the signatures and manage users’
public keys.
7
Forgery attack on Shieh et al.’s scheme(1)
One major characteristic of these schemes
is to avoid using one-way hash functions
and message redundancy schemes.
However, this causes some security flaw.
8
Forgery attack on Shieh et al.’s scheme(2)
Performs the following six steps to forge the signature( ti’,ri’,S’ )
 Select a random integer  in{1,2,….,p-1} and
suppose  = ti’+ S’ mod (p-1).
 Choose a value of ri’ in GF(p) randomly.
ki’ by ki’ = (Y ) x ri’ mod p without
 Compute the value of 
i
knowing the value of ki’.
ki’ mod p.
 Obtain the message M = ri’ x 
M
 Compute S’ = (Yi) mod p.
 Compute ti’ =  -S’ mod (p-1).
9
Forgery attack on Shieh et al.’s scheme(3)
(Yi)ti’+S’ x ri’ x ()ri’ mod p
={ (Yi)( ti’+S’ ) x M x [()ki]-1 x ()ri’ } mod p
={ (Yi)  x M x [()ki’]-1 x ()ri’ } mod p
={()ki’ x [()ri’ ’]-1 x M x [()ki’]-1 x ()ri’ } mod p
= M mod p
Then the message M will pass the verification
S’ = (Yi)M mod p
10
Conclusions

To overcome this problem, the
straightforward way is to adopt the
message redundancy schemes.
11