Cryptanalysis of two group signature schemes

Lecture Notes in Computer Science, 2003

At Eurocrypt'91, Chaum and van Heyst introduced the concept of group signature. In such a scheme, each group member is allowed to sign messages on behalf of a group anonymously. However, in case of later disputes, a designated group manager can open a group signature and identify the signer. In recent years, researchers have proposed a number of new group signature schemes and improvements with different levels of security. In this paper, we present a security analysis of five group signature schemes proposed in [25, 27, 18, 30, 10]. By using the same method, we successfully identify several universally forging attacks on these schemes. In our attacks, anyone (not necessarily a group member) can forge valid group signatures on any messages such that the forged signatures cannot be opened by the group manager. We also discuss the linkability of these schemes, and further explain why and how we find the attacks.

Lecture Notes in Computer Science, 2004

A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable way. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Based on Song's forward-secure group signature schemes, Zhang, Wu, and Wang proposed a new group signature scheme with forward security at ICICS 2003. Their scheme is very efficient in both communication and computation aspects. Unfortunately, their scheme is insecure. In this paper we present a security analysis to show that their scheme is linkable, untraceable, and forgeable.

Advances in Intelligent Systems and Computing, 2015

Group signature schemes allow a user to sign a message in an anonymous way on behalf of a group. In general, these schemes need the collaboration of a Key Generation Center or a Trusted Third Party, which can disclose the identity of the actual signer if necessary (for example, in order to settle a dispute). This paper presents the results obtained after implementing a group signature scheme using the Integer Factorization Problem and the Subgroup Discrete Logarithm Problem, which has allowed us to check the feasibility of the scheme when using big numbers.

Lecture Notes in Computer Science, 1997

. The concept of group signatures was introduced by Chaumet al. at Eurocrypt "91. It allows a member of a group to sign messagesanonymously on behalf of the group. In case of a later dispute adesignated group manager can revoke the anonymity and identify theoriginator of a signature. In this paper we propose a new efficient groupsignature scheme. Furthermore we

International Journal of Science and Engineering Applications, 2014

In group signature schemes, the members of the group are allowed to sign messages anonymously on the behalf of the group. In this case, other group members and the outsiders from the group cannot see which member signed the messages. The organizational structure which should support the safety of privacy may need to provide a degree of anonymity to the individuals conducting the transactions. Moreover, the current methods of revocation property of the group signature scheme do not revoke to allow valid signature under an old secret key of the group manager. And it is remaining as a challenge to be independent on the size of the group public key when the group size is increasing. For this above facts, this paper will be proposed to achieve anonymous revocation based on the concept of group signature more effectively.

Journal of Computer Science and Technology, 2007

Group signature schemes allow a member of a group to sign messages anonymously on behalf of the group. In the case of later dispute, a designated group manager can revoke the anonymity and identify the originator of a signature. In Asiacrypt 2004, Nguyen and Safavi-Naini proposed a group signature scheme that has a constant-size public key and signature length, and more importantly, their group signature scheme does not require trapdoor. Their scheme is very efficient and the sizes of signatures are shorter compared to the existing schemes that were proposed earlier. In this paper, we point out that Nguyen and Safavi-Naini's scheme is insecure. In particular, we provide a cryptanalysis of the scheme that allows a non-member of the group to sign on behalf of the group. The resulting group signature can convince any third party that a member of the group has indeed generated such a signature, although none of the members has done it. Therefore, in the case of dispute, the group manager cannot identify who has signed the message. We also provide a new scheme that does not suffer against this problem.

Information and Communications Security, 2003

A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable fashion. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Based on the Camenisch-Michels group signature scheme [7, 8], Kim, Lim and Lee proposed the first group signature scheme with a member deletion procedure at ICISC 2000 [15]. Their scheme is very efficient in both communication and computation aspects. Unfortunately, their scheme is insecure. In this paper, we first identify an effective way that allows any verifier to determine whether two valid group signatures are signed by the same group member. Secondly, we find that in their scheme a deleted group member can still update his signing key and then generate valid group signatures after he was deleted from the group. In other words, the Kim-Lim-Lee group signature scheme [15] is linkable and does not support secure group member deletion.

2005

We provide a construction for a group signature scheme that is provably secure in a universally composable framework, within the standard model with trusted parameters. Our proposed scheme is fairly simple and its efficiency falls within small factors of the most efficient group signature schemes with provable security in any model (including random oracles). Security of our constructions require new cryptographic assumptions, namely the Strong LRSW, EDH, and Strong SXDH assumptions. Evidence for any assumption we introduce is provided by proving hardness in the generic group model.

Mathematics

Group signatures are a leading competing signature technique with a substantial amount of research. With group settings, group signatures provide user anonymity. Any group member with access to the group can generate a signature while remaining anonymous. The group manager, however, has the authority to expose and identify the signer if required. Since the privacy of the sender should be preserved, this is a conflict between privacy and accountability. Concerning high performance on security, we propose a novel, well-balanced security and privacy group signature scheme based on a general linear group over group ring. To the best of our knowledge, our work represents the first comprehensive framework for a group signature scheme that utilizes generic linear groups over group rings. We demonstrate that the competing security goals of message trustworthiness, privacy, and accountability are effectively resolved by our protocol. The results of the performance evaluation and simulation d...

Cryptography

This survey reviews the two most prominent group-oriented anonymous signature schemes and analyzes the existing approaches for their problem: balancing anonymity against traceability. Group signatures and ring signatures are the two leading competitive signature schemes with a rich body of research. Both group and ring signatures enable user anonymity with group settings. Any group user can produce a signature while hiding his identity in a group. Although group signatures have predefined group settings, ring signatures allow users to form ad-hoc groups. Preserving user identities provided an advantage for group and ring signatures. Thus, presently many applications utilize them. However, standard group signatures enable an authority to freely revoke signers’ anonymity. Thus, the authority might weaken the anonymity of innocent users. On the other hand, traditional ring signatures maintain permanent user anonymity, allowing space for malicious user activities; thus achieving the req...