A New Attack against the Selvi-Vivek-Rangan Deterministic Identity Based Signature Scheme from ACISP 2012

Yanbin Pan and Yingpu Deng

Key Laboratory of Mathematics Mechanization, NCMIS, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing 100190, China
{panyanbin,dengyp}@amss.ac.cn

Abstract. In ACISP 2012, Selvi, Vivek and Rangan claimed to have proposed the first fully deterministic identity based signature scheme, and on top of it the first fully aggregate identity based signature scheme requiring no prior communication among the signers. Under the strong RSA assumption, they showed that their schemes resist the adaptive chosen message and adaptive chosen identity attack in the random oracle model. However, Nose recently gave a universal attack that recovers the private key. In this paper, we independently present a new universal attack showing an alternative way to forge a valid signature on any message without going through the legal signing procedure with the original private key. The new attack is simpler, and efficient both in theory and in practice. Moreover, our attack makes it easy to point out the mistake in the original security proof, a mistake that should be avoided in other similar security proofs.

Keywords: Cryptanalysis, Identity Based Deterministic Signature, Aggregate Signature, Full Aggregation.

1 Introduction

To simplify the key management procedures of certificate-based public key infrastructures (PKIs), Shamir [15] first proposed the concept of identity based cryptography in 1984, covering both identity based encryption and identity based signature (IBS) schemes, by allowing any user to use his identity as the public key. The corresponding secret key is generated by a trusted Private Key Generator (PKG), who derives it from a master secret that only the PKG knows. Since then, many identity based signature schemes have been proposed. Among them, many schemes, like [3,7,5,12], have a probabilistic key generation algorithm and signing algorithm, whereas some others [9,13] have a deterministic signing algorithm but a probabilistic key generation algorithm. In ACISP 2012, Selvi, Vivek and Rangan [14] proposed the first fully deterministic IBS scheme, which has both a deterministic key generation algorithm and a deterministic signing algorithm.

A fully deterministic IBS scheme has many advantages. For example, the forking lemma is not needed to analyze its security, and the security reduction is tight thanks to the determinism, whereas earlier IBS schemes usually employ the forking lemma to prove their security. Moreover, the Selvi-Vivek-Rangan IBS scheme is shown to be more efficient in practice since a signature consists of just one component, while earlier schemes often involve two or more components.

Based on the fully deterministic IBS scheme, they also proposed the first full aggregate identity based signature scheme with no prior communication among different signers. An aggregate signature scheme replaces a list of signatures produced by different signers with a single, more compact signature. More precisely, given signatures $\sigma_1, \dots, \sigma_t$ on messages $m_1, \dots, m_t$ by users $ID_1, \dots, ID_t$, the aggregate signature scheme generates a single signature $\sigma_{agg}$ that takes the place of the $\sigma_i$'s. The size of $\sigma_{agg}$ is expected to be substantially smaller than the sum of the sizes of the $\sigma_i$'s, so one can transmit or store $\sigma_{agg}$ instead of $\sigma_1, \dots, \sigma_t$, significantly reducing the communication cost or storage requirements. An aggregate signature scheme is called partial aggregation if $|\sigma_{agg}|$ depends on the number of signatures or the number of messages (or both), and full aggregation if $|\sigma_{agg}|$ is independent of both the number of messages and the number of signatures.

This work was supported in part by the NNSF of China (No. 11201458 and No. 61121062), in part by 973 Project (No. 2011CB302401) and in part by the National Center for Mathematics and Interdisciplinary Sciences, CAS.

W. Susilo and Y. Mu (Eds.): ACISP 2014, LNCS 8544, pp. 148–161, 2014. © Springer International Publishing Switzerland 2014
Since the public key is just the ID of a user, an identity based aggregate signature scheme is shown to be more efficient in practice, for it does not need to transmit the users' public keys and the corresponding signatures from the certification authority. Meanwhile, transmitting or storing less data also accords with the original intention behind designing an aggregate signature scheme. There are some full aggregate identity based signature schemes that are provably secure in the random oracle model, like [6,8,4,2]. However, these schemes require some communication among users to produce the aggregate signatures, which decreases efficiency and involves some risks. Selvi, Vivek and Rangan [14] claimed that their aggregate signature scheme does not require any communication among users since the basic IBS scheme is fully deterministic, which settles the open problem posed in [10].

The security of the Selvi-Vivek-Rangan schemes is related to the strong RSA problem, which asks to write an integer as a non-trivial power in a residue class ring defined by an RSA modulus. Selvi, Vivek and Rangan showed that if the strong RSA problem is hard, both of their schemes are secure against the adaptive chosen message and adaptive chosen identity attack. However, Nose [11] very recently gave a universal attack against the Selvi-Vivek-Rangan signature scheme. More precisely, it can be shown that the private key of a user can be recovered efficiently from eight genuine signatures on average. Hence, the adversary can then use it to generate forged signatures on any messages. Nevertheless, Nose did not discuss why the original security proof in [14] is incorrect.

In this paper, we independently present a new universal chosen message attack against the Selvi-Vivek-Rangan fully deterministic IBS scheme. Instead of recovering the private key of some user, we find that there is another way to generate a valid signature on any message besides the original signing procedure. The new attack is simpler and much easier to understand. Both theory and experiments show that the attack is very efficient. Since the basic IBS scheme is not secure, the corresponding aggregate signature scheme is not as secure as claimed. Moreover, our attack easily reveals the mistake in the original security proof in [14]: the corresponding strong RSA problem cannot be solved with our attack by following the idea of the security proof. Simply speaking, we need to find an invertible matrix by querying the signing oracle to complete our attack. However, such an invertible matrix can never be found in their proof, since the challenger always returns two dependent hash values in the training phase, whereas in the random oracle model, or in real life, we show that such an invertible matrix can be found efficiently with very high probability. Hence, the oracles provided by the challenger to replace the hash functions can easily be distinguished from random oracles, which shows that the proof in [14] was not given in the real random oracle model. Such a mistake should be avoided in the security proof of any scheme.

Roadmap: The remainder of the paper is organized as follows. In Section 2, we give the preliminaries needed. We describe the Selvi-Vivek-Rangan schemes in Section 3 and present our attack in Section 4. In Section 5, we explain why the original security proof is incorrect. Finally, a short conclusion is given in Section 6.

2 Preliminaries

We denote by $\mathbb{Z}$ the integer ring, by $\mathbb{Z}_n$ the residue class ring $\mathbb{Z}/n\mathbb{Z}$ and by $\mathbb{Z}_n^*$ the group of all the invertible elements in $\mathbb{Z}_n$. Let $GL(2, \mathbb{Z}_n)$ be the general linear group consisting of all the invertible matrices over $\mathbb{Z}_n^{2\times 2}$, and $\log(\cdot)$ be the natural logarithm.

2.1 Computational Assumption

The security of the Selvi-Vivek-Rangan deterministic IBS scheme and the corresponding aggregate signature scheme is based on the hardness of the strong RSA problem.

Definition 1 (Strong RSA Problem). Given a randomly chosen RSA modulus $n$ and a random $c \in \mathbb{Z}_n^*$, the strong RSA problem asks to find $b > 1$ and $a \in \mathbb{Z}_n^*$ such that $c = a^b \bmod n$.


Roughly speaking, the strong RSA assumption supposes that the strong RSA problem is hard. Formally,

Definition 2 (Strong RSA Assumption). For any probabilistic polynomial time algorithm $F$ to solve the strong RSA problem in $\mathbb{Z}_n^*$, the advantage $\mathrm{Adv}_F^{sRSA}$ is negligibly small, where
$$\mathrm{Adv}_F^{sRSA} = \Pr[F(n, c) \to \{a, b\} \mid (a \in \mathbb{Z}_n^*,\ b > 1) \wedge (c = a^b \bmod n)].$$

2.2 Generic Framework

Generally, an identity based signature scheme consists of the first four polynomial-time algorithms described below, and the corresponding identity based aggregate signature scheme consists of all six polynomial-time algorithms below.
– Setup: With the security parameter $\kappa$, the private key generator (PKG) generates the system parameters params and the master private key msk. Then, the PKG publishes params and keeps msk secret.
– Extract: Given a user's identity $ID$, the PKG generates the corresponding private key $D$ and sends it to user $ID$ through a secure channel.
– Sign: The user uses his identity $ID$, his private key $D$ and the system parameters params to produce a signature $\sigma$ on a message $m$.
– Verify: The verifier checks whether $\sigma$ is a valid signature on message $m$ by $ID$ or not.
– AggregateSign: On receiving the signatures $(\sigma_i)_{i=1}^{t}$ on messages $(m_i)_{i=1}^{t}$ from different users $(ID_i)_{i=1}^{t}$, any third party or one of the signers can generate the aggregate signature $\sigma_{agg}$ for the set $(m_i, ID_i)_{i=1}^{t}$.
– AggregateVerify: Checks whether $\sigma_{agg}$ is a valid aggregate signature on $(m_i, ID_i)_{i=1}^{t}$ or not.

Definition 3 (Fully Deterministic IBS Scheme). An identity based signature scheme is said to be fully deterministic if both the key generation and signing algorithms are deterministic, or equivalently, the signature on a message by a fixed user is always the same.

2.3 Security Model

An IBS scheme is said to be secure against existential forgery under adaptive chosen identity and message attack if for any probabilistic polynomial time forger $F$, its advantage in winning the following game is negligibly small.

Game:
Setup Phase: The challenger $C$ runs the setup algorithm, publishes params and keeps msk secret.
Training Phase: $F$ can query the two oracles provided by $C$:
– Extract Oracle: $C$ sends $F$ the private key $D$ of the user with identity $ID$ when $F$ makes an extract query with $ID$.
– Signing Oracle: $C$ sends $F$ a valid signature $\sigma$ on $m$ by $ID$ when $F$ makes a signing query with $ID$ and message $m$.
Forgery Phase: $F$ outputs a signature $\sigma$ on a message $m$ with $ID_S$ as the signer, without having queried the extract oracle with $ID_S$ and without having queried the signing oracle with $(ID_S, m)$. $F$ wins the game if $\sigma$ is a valid signature. The probability of $F$ succeeding is called its advantage.

Similarly, for the identity based aggregate signature scheme, we say $F$ wins the game if $F$ outputs a valid aggregate signature $\sigma_{agg}$ for signatures $(\sigma_i)_{i=1}^{t}$ from the users $(ID_i)_{i=1}^{t}$ on messages $(m_i)_{i=1}^{t}$, where at least one identity in the list of identities, say $ID_S$, was not queried by $F$ to the extract oracle and the corresponding pair $(ID_S, m_S)$ was not queried to the signing oracle. If no probabilistic polynomial time algorithm $F$ has non-negligible advantage in winning the game, the identity based aggregate signature scheme is called secure against existential forgery under adaptive chosen identity and message attack.

3 Description of the Selvi-Vivek-Rangan Schemes

3.1 A Simple Description of the Selvi-Vivek-Rangan Schemes

We first describe the deterministic IBS scheme as in [14].

– Setup(κ): Given security parameter $\kappa$, the PKG generates params and msk as follows:
• Chooses two primes $p$ and $q$ with $\kappa$ bits, such that $(p-1)/2$ and $(q-1)/2$ are also primes.
• Computes the RSA modulus $n = pq$ and Euler's totient function $\varphi(n) = (p-1)(q-1)$.
• Chooses $e$ with $\kappa/4$ bits such that there is a $d$ with $ed = 1 \bmod \varphi(n)$.
• Chooses three hash functions $H_0 : \{0,1\}^* \times \{0,1\} \to \mathbb{Z}_n^*$, $H_1 : \{0,1\}^{l_m} \times \{0,1\}^{l_1} \times \{0,1\} \to \{0,1\}^{\kappa/2}$ and $H_2 : \{0,1\}^{l_m} \times \{0,1\}^{l_1} \times \{0,1\} \to \{0,1\}^{\kappa/2}$, where $l_m$ is the size of a message and $l_1$ is the size of a user's identity.
The system parameters published by the PKG are params $= (\kappa, n, e, H_0, H_1, H_2)$ and the unpublished master secret key is msk $= (p, q, d)$.
– Extract(ID): After receiving some user's identity $ID$, the PKG performs the following to generate the private key $D$ of the corresponding user:
• Computes $g_0 = H_0(ID, 0)$ and $g_1 = H_0(ID, 1)$.
• Computes $d_0 = (g_0)^d \bmod n$ and $d_1 = (g_1)^d \bmod n$.
The private key sent to the corresponding user through a secure and authenticated channel is $D = (d_0, d_1)$.
– Sign(m, ID, D): To generate a deterministic signature on a message $m$, the user with identity $ID$ does the following:
• Picks $\beta \in_R \{0,1\}$.
• Computes $h_1 = H_1(m, ID, \beta)$ and $h_2 = H_2(m, ID, \beta)$.
• Computes $\sigma = (d_0)^{h_1}(d_1)^{h_2} \bmod n$.
Selvi et al. suggested picking $\beta = PRF(D, ID, m)$, where $PRF()$ is a private random function (private to the signer). Thus, $\beta$ is random from others' view but fixed with respect to the signer. Now the signature is $S = (\sigma, \beta)$.
– Verify(m, σ, β, ID): In order to verify the validity of a signature $(\sigma, \beta)$ with respect to the identity $ID$ and message $m$, the verifier:
• Computes $g_0 = H_0(ID, 0)$ and $g_1 = H_0(ID, 1)$.
• Computes $h_1 = H_1(m, ID, \beta)$ and $h_2 = H_2(m, ID, \beta)$.
• Checks whether

$$\sigma^e \bmod n \stackrel{?}{=} (g_0)^{h_1}(g_1)^{h_2} \bmod n.$$
• If the above check holds, outputs "Valid", otherwise outputs "Invalid".

It is easy to see that the verification is correct since
$$\sigma^e = ((d_0)^{h_1}(d_1)^{h_2})^e = ((g_0^d)^{h_1}(g_1^d)^{h_2})^e = (g_0)^{h_1}(g_1)^{h_2} \bmod n.$$

Based on the deterministic IBS scheme, Selvi et al. also proposed a deterministic full aggregation identity based signature scheme as below:

– AggregateSign: Given a set of $t$ signatures $\{(\sigma_i, \beta_i)\}_{i=1}^{t}$ and the corresponding message-identity pairs $\{(m_i, ID_i)\}_{i=1}^{t}$, such that $(\sigma_i, \beta_i)$ is the valid signature on $m_i$ by $ID_i$, the identity based aggregate signature on the corresponding list of messages and identities is
$$\Big(\sigma_{agg} = \prod_{i=1}^{t} \sigma_i \bmod n,\ \{m_i, ID_i, \beta_i\}_{i=1}^{t}\Big).$$
– AggregateVerify: To verify an aggregate signature, check whether
$$\sigma_{agg}^e = \prod_{i=1}^{t} \big((g_{i0})^{h_{i1}}(g_{i1})^{h_{i2}}\big) \bmod n$$
holds or not, where $g_{i0} = H_0(ID_i, 0)$, $g_{i1} = H_0(ID_i, 1)$, $h_{i1} = H_1(m_i, ID_i, \beta_i)$ and $h_{i2} = H_2(m_i, ID_i, \beta_i)$.

3.2 Security of the Selvi-Vivek-Rangan Schemes

Selvi et al. claimed that if the strong RSA problem is assumed to be hard in $\mathbb{Z}_n^*$, where $n = pq$ and $p$, $q$, $(p-1)/2$ and $(q-1)/2$ are large prime numbers, then
– their identity based signature scheme (D-IBS) is secure in the random oracle model under adaptive chosen message and adaptive chosen identity attack;
– their identity based aggregate signature scheme (IBAS) is secure in the random oracle model under adaptive chosen message and adaptive chosen identity attack.

4 Our New Chosen Message Attack

In this section, we present a new chosen message attack against the Selvi-Vivek-Rangan identity based signature scheme and show that it is efficient for $F$ to forge a valid signature on any message. Hence the IBS scheme is not secure. As a corollary, the corresponding identity based aggregate signature scheme is not secure either.

4.1 Another Way to Sign

After the challenger $C$ runs the setup algorithm with parameter $\kappa$ and generates params $= (\kappa, n, e, H_0, H_1, H_2)$ and the secret msk, the forger $F$ can do the following to forge a valid signature $S^*$ on any message $m^*$ with identity $ID$. For every signing query in the training phase, $F$ queries $C$ with identity $ID$ and a message $m_i$ ($m_i \neq m^*$) chosen uniformly and independently at random from $\mathbb{Z}_n^*$, and gets the corresponding valid signature $S_i = (\sigma_i, \beta_i)$. We denote
$$h_1^{(i)} = H_1(m_i, ID, \beta_i), \qquad h_2^{(i)} = H_2(m_i, ID, \beta_i).$$
$F$ makes $K$ signing queries until it finds a $\beta^*$ such that there are two signatures with $\beta = \beta^*$, say $S_1 = (\sigma_1, \beta^*)$ and $S_2 = (\sigma_2, \beta^*)$, for which the corresponding matrix
$$\begin{pmatrix} h_1^{(1)} & h_1^{(2)} \\ h_2^{(1)} & h_2^{(2)} \end{pmatrix}$$
is invertible in $\mathbb{Z}_e^{2\times 2}$, where $e$ is contained in the public system parameters params. We will show later that for $K$ polynomial in $\kappa$, such a matrix can be found with high probability. Once the invertible matrix is obtained, $F$ can forge a valid signature $S^*$ on any message $m^*$ with identity $ID$ efficiently.


– For any $m^*$, $F$ first computes $h_1^* = H_1(m^*, ID, \beta^*)$ and $h_2^* = H_2(m^*, ID, \beta^*)$. Solving the linear system
$$\begin{pmatrix} h_1^{(1)} & h_1^{(2)} \\ h_2^{(1)} & h_2^{(2)} \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \end{pmatrix} = \begin{pmatrix} h_1^* \\ h_2^* \end{pmatrix} \bmod e,$$
$F$ can easily find $x_1, x_2 \in \mathbb{Z}$, since the matrix is invertible in $\mathbb{Z}_e^{2\times 2}$. Moreover, $F$ can also efficiently find $w_1, w_2 \in \mathbb{Z}$ such that
$$\begin{cases} x_1 h_1^{(1)} + x_2 h_1^{(2)} + e w_1 = h_1^* \\ x_1 h_2^{(1)} + x_2 h_2^{(2)} + e w_2 = h_2^*. \end{cases}$$
– $F$ then computes $g_0 = H_0(ID, 0)$, $g_1 = H_0(ID, 1)$, and
$$\sigma^* = \sigma_1^{x_1} \sigma_2^{x_2} g_0^{w_1} g_1^{w_2} \bmod n,$$
and finally outputs the signature on $m^*$ by $ID$, $S^* = (\sigma^*, \beta^*)$.

We next show that $S^*$ is a valid signature on $m^*$ by $ID$. To verify the validity of the signature $S^*$, the verifier
– Computes $g_0 = H_0(ID, 0)$ and $g_1 = H_0(ID, 1)$.
– Computes $h_1^* = H_1(m^*, ID, \beta^*)$ and $h_2^* = H_2(m^*, ID, \beta^*)$.
– Checks whether
$$(\sigma^*)^e \bmod n \stackrel{?}{=} (g_0)^{h_1^*}(g_1)^{h_2^*} \bmod n.$$
Since $S_1$ and $S_2$ are valid signatures, we have
$$\sigma_1^e = g_0^{h_1^{(1)}} g_1^{h_2^{(1)}} \bmod n, \qquad \sigma_2^e = g_0^{h_1^{(2)}} g_1^{h_2^{(2)}} \bmod n.$$
Hence,
$$\begin{aligned}
(\sigma^*)^e &= (\sigma_1^{x_1} \sigma_2^{x_2} g_0^{w_1} g_1^{w_2})^e \bmod n \\
&= \sigma_1^{e x_1} \sigma_2^{e x_2} g_0^{e w_1} g_1^{e w_2} \bmod n \\
&= g_0^{x_1 h_1^{(1)}} g_1^{x_1 h_2^{(1)}} g_0^{x_2 h_1^{(2)}} g_1^{x_2 h_2^{(2)}} g_0^{e w_1} g_1^{e w_2} \bmod n \\
&= g_0^{x_1 h_1^{(1)} + x_2 h_1^{(2)} + e w_1}\, g_1^{x_1 h_2^{(1)} + x_2 h_2^{(2)} + e w_2} \bmod n \\
&= g_0^{h_1^*} g_1^{h_2^*} \bmod n.
\end{aligned}$$
– Hence, $F$ succeeds in constructing a "Valid" signature $S^*$ on $m^*$ with $ID$.

Remark 1. It is obvious that once the invertible matrix in $\mathbb{Z}_e^{2\times 2}$ is found, the attack can succeed on any message $m^*$. Taking the procedures of finding the invertible matrix and computing its inverse as precomputation, the attack can be completed in $O(\kappa^3)$, regardless of the computation of the hash values.
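The scheme of Section 3.1 and the forgery of Section 4.1, as an added example that is not code from the paper (the authors' own implementation of Section 4.3 is not published): a toy-parameter Python implementation in which the hash functions are SHA-256 stand-ins, the safe primes and the exponent $e = 3 \cdot 5 \cdot 7$ are constructed values far below real sizes, and `forge` plays the forger $F$ against a signing oracle for one identity, never querying the target message.

```python
import hashlib
from math import gcd

# Constructed toy parameters (far below real sizes): p = 2*509+1 and q = 2*593+1
# are safe primes as Setup requires, and e = 3*5*7 is coprime to phi(n).
P, Q = 1019, 1187
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 105
HALF_KAPPA = 32   # H1, H2 outputs are treated as kappa/2-bit integers (toy size)

def _sha_int(tag, *parts):
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H0(ID, bit):
    """Stand-in for H0: {0,1}* x {0,1} -> Z_n^* (rehash with a counter until a unit)."""
    ctr = 0
    while True:
        g = _sha_int("H0", ID, bit, ctr) % N
        if gcd(g, N) == 1:
            return g
        ctr += 1

def H1(m, ID, beta):
    return _sha_int("H1", m, ID, beta) % (1 << HALF_KAPPA)

def H2(m, ID, beta):
    return _sha_int("H2", m, ID, beta) % (1 << HALF_KAPPA)

def extract(ID):
    """PKG: D = (d0, d1) = (H0(ID,0)^d, H0(ID,1)^d) mod n, where ed = 1 mod phi(n)."""
    d = pow(E, -1, PHI)
    return pow(H0(ID, 0), d, N), pow(H0(ID, 1), d, N)

def sign(m, ID, D):
    """Sign: beta = PRF(D, ID, m) (one SHA-256 bit here), sigma = d0^h1 * d1^h2 mod n."""
    d0, d1 = D
    beta = _sha_int("PRF", d0, d1, ID, m) & 1
    h1, h2 = H1(m, ID, beta), H2(m, ID, beta)
    return (pow(d0, h1, N) * pow(d1, h2, N)) % N, beta

def verify(m, sig, ID):
    """Verify: sigma^e == g0^h1 * g1^h2 mod n."""
    sigma, beta = sig
    g0, g1 = H0(ID, 0), H0(ID, 1)
    h1, h2 = H1(m, ID, beta), H2(m, ID, beta)
    return pow(sigma, E, N) == (pow(g0, h1, N) * pow(g1, h2, N)) % N

def forge(ID, sign_oracle, m_star, max_queries=64):
    """Section 4.1: query the oracle on messages m_i != m_star until two signatures
    share beta and the matrix [[h1^(1), h1^(2)], [h2^(1), h2^(2)]] is invertible
    mod e; then solve for x1, x2, w1, w2 and assemble sigma* for m_star."""
    buckets = {}                               # beta -> [(m_i, sigma_i)]
    g0, g1 = H0(ID, 0), H0(ID, 1)
    for i in range(max_queries):
        m = f"q{i}"                            # never equal to m_star
        sigma, beta = sign_oracle(m, ID)
        for m1, s1 in buckets.get(beta, []):   # pair the new signature with earlier ones
            a, b = H1(m1, ID, beta), H1(m, ID, beta)   # first row of the matrix
            c, d = H2(m1, ID, beta), H2(m, ID, beta)   # second row
            det = (a * d - b * c) % E
            if gcd(det, E) != 1:
                continue                       # not invertible in Z_e^{2x2}, keep querying
            inv = pow(det, -1, E)
            h1s, h2s = H1(m_star, ID, beta), H2(m_star, ID, beta)
            # (x1, x2) = M^{-1} (h1*, h2*) mod e, with M^{-1} = det^{-1} [[d, -b], [-c, a]]
            x1 = inv * (d * h1s - b * h2s) % E
            x2 = inv * (a * h2s - c * h1s) % E
            # w1, w2 lift the congruences to exact integer equalities (division is exact)
            w1 = (h1s - x1 * a - x2 * b) // E
            w2 = (h2s - x1 * c - x2 * d) // E
            sigma_star = (pow(s1, x1, N) * pow(sigma, x2, N)
                          * pow(g0, w1, N) * pow(g1, w2, N)) % N   # negative w -> modular inverse
            return (sigma_star, beta), i + 1
        buckets.setdefault(beta, []).append((m, sigma))
    return None, max_queries

def run_demo(ID="alice@example.com", m_star="m*"):
    """Forger vs. oracle: returns whether the forged signature on m_star verifies,
    whether m_star was ever queried, and how many queries were used."""
    D = extract(ID)
    queried = set()
    def oracle(m, ident):
        queried.add((ident, m))
        return sign(m, ident, D)
    forged, k = forge(ID, oracle, m_star)
    return {"forged_valid": forged is not None and verify(m_star, forged, ID),
            "m_star_queried": (ID, m_star) in queried, "queries": k}
```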

4.2 A Theoretical Estimation on K

We next estimate the size of $K$, which is very important for analyzing the time complexity of the attack.

A Rough Bound. We first give a lemma to compute the probability that a uniformly random matrix is invertible in $\mathbb{Z}_e^{2\times 2}$. The proof can be found in Appendix A.

Lemma 1. Given a positive integer $e = p_1^{s_1} p_2^{s_2} \cdots p_t^{s_t}$, where the $p_i$'s are distinct primes, the probability that a matrix $A$ uniformly randomly chosen from $\mathbb{Z}_e^{2\times 2}$ is invertible is exactly
$$P(e) = \prod_{i=1}^{t} \Big(1 - \frac{1}{p_i}\Big)\Big(1 - \frac{1}{p_i^2}\Big).$$

As suggested in [14], $e$ has $\kappa/4$ bits and is odd (since $\gcd(e, \varphi(n)) = 1$). We next give a lower bound on $P(e)$. Denote by $p^{(k)}$ the $k$-th prime, so $p^{(1)} = 2$, $p^{(2)} = 3$, $p^{(3)} = 5, \dots$. Let $e_w$ be the product of the first $t$ primes except 2, that is, $e_w = 3 \cdot 5 \cdot 7 \cdots p^{(t)}$, where $t$ is the least number such that $\prod_{i=2}^{t} p^{(i)} \ge 2^{\kappa/4}$. By [1], we know that asymptotically $e_w = \exp((1 + o(1))\, t \log t)$. Hence, for $t = \kappa/4 - 1$ with $\kappa$ large enough, $e_w \ge 2^{\kappa/4}$.

Notice that the function $r(p) = (1 - \frac{1}{p})(1 - \frac{1}{p^2})$ increases as the prime $p$ increases, and $r(p) < 1$ holds for every prime $p$. Together with the fact that $P(e)$ is determined by the distinct prime factors of $e$, it is easy to conclude that for any odd $e$ with $\kappa/4$ bits,
$$\begin{aligned}
P(e) &\ge P(e_w) \\
&= \Big(1 - \frac{1}{3}\Big)\Big(1 - \frac{1}{9}\Big) \cdot \Big(1 - \frac{1}{5}\Big)\Big(1 - \frac{1}{25}\Big) \cdots \Big(1 - \frac{1}{p^{(t)}}\Big)\Big(1 - \frac{1}{(p^{(t)})^2}\Big) \\
&> \Big(1 - \frac{1}{3}\Big)^2 \cdot \Big(1 - \frac{1}{5}\Big)^2 \cdots \Big(1 - \frac{1}{p^{(t)}}\Big)^2 \\
&> \Big(\Big(1 - \frac{1}{3}\Big) \cdot \Big(1 - \frac{1}{4}\Big) \cdots \Big(1 - \frac{1}{t+1}\Big)\Big)^2 \\
&= \Big(\frac{2}{t+1}\Big)^2 \\
&= \Big(\frac{8}{\kappa}\Big)^2.
\end{aligned}$$

If we query the signing oracle $K = \kappa^2/16$ times, then there must exist a $\beta^*$ such that the number of signatures with $\beta = \beta^*$ is no less than $K/2 = \kappa^2/32$. Taking every two such signatures as a pair to generate a matrix in $\mathbb{Z}_e^{2\times 2}$, we have $K/4 = (\kappa/8)^2$ corresponding matrices, so the probability that there exists an invertible matrix among them is greater than
$$1 - \Big(1 - \Big(\frac{8}{\kappa}\Big)^2\Big)^{(\kappa/8)^2} \approx 1 - \exp(-1) \approx 0.6321,$$

which leads to

Proposition 1. Under the assumption that the outputs of the hash functions $H_1$ and $H_2$ are independently uniformly distributed over $\{0,1\}^{\kappa/2}$, when $K = \kappa^2/16$, $F$ will output a valid forged signature on $m^*$ by $ID$ with probability greater than 0.6321, and the total time complexity is bounded by $O(\kappa^4)$ regardless of the computation of the hash values.

Exact Value of $P(e_w)$. In fact, the estimation of $K$ above is very loose, owing to the loose lower bound on $P(e_w)$. We list the exact values of $P(e_w)$ for $\kappa$ from 512 to 4096 in Table 1. It can easily be concluded that even for $\kappa = 4096$, we only need to query the signing oracle at most $4 \cdot 7.31 \approx 32$ times to make the probability of success greater than 0.6321.

Table 1. The Real $P(e_w)$

κ          512     1024    1536    2048    2560    3072    3584    4096
t          27      45      61      76      91      105     119     132
p^(t)      103     197     283     383     467     571     653     743
P(e_w)     0.1916  0.1694  0.1586  0.1517  0.1465  0.1426  0.1394  0.1368
1/P(e_w)   5.22    5.90    6.30    6.59    6.83    7.01    7.17    7.31
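Lemma 1, its counting proof in Appendix A and the $\kappa = 512$ row of Table 1 can all be checked numerically. The following is an added example that is not from the paper: it computes $P(e)$ from the distinct prime factors of $e$, compares it with an exhaustive count of invertible matrices over $\mathbb{Z}_e^{2\times 2}$ for small $e$, rebuilds $(t, p^{(t)}, P(e_w))$ for $\kappa = 512$ by constructing $e_w$ as in the text, and turns $1/P(e_w)$ into a query count $K$; the function names and the rounding $K = 4\lceil 1/P(e_w)\rceil$ are this example's own choices.

```python
from itertools import product
from math import ceil, gcd

def distinct_primes(e):
    """Distinct prime factors p_1, ..., p_t of e by trial division (e is small here)."""
    primes, p = [], 2
    while p * p <= e:
        if e % p == 0:
            primes.append(p)
            while e % p == 0:
                e //= p
        p += 1
    if e > 1:
        primes.append(e)
    return primes

def P_lemma1(primes):
    """Lemma 1: P(e) = product over the distinct primes p | e of (1 - 1/p)(1 - 1/p^2)."""
    r = 1.0
    for p in primes:
        r *= (1 - 1 / p) * (1 - 1 / p ** 2)
    return r

def count_invertible(e):
    """Exhaustive count of A in Z_e^{2x2} with gcd(det A, e) = 1. Appendix A says this
    equals e^4 * P(e): (p^2-1)(p^2-p) p^{4(s-1)} per prime power, combined by CRT."""
    return sum(1 for a, b, c, d in product(range(e), repeat=4)
               if gcd((a * d - b * c) % e, e) == 1)

def is_prime(n):
    return n > 1 and all(n % q for q in range(2, int(n ** 0.5) + 1))

def worst_case_exponent(kappa):
    """e_w = 3 * 5 * 7 * ... * p^(t), t the least index with e_w >= 2^(kappa/4).
    Returns (t, p^(t), P(e_w)), one row of Table 1 (p^(1) = 2 is skipped but counted in t)."""
    odd_primes, candidate, ew = [], 3, 1
    while ew < 2 ** (kappa // 4):
        if is_prime(candidate):
            odd_primes.append(candidate)
            ew *= candidate
        candidate += 2
    return len(odd_primes) + 1, odd_primes[-1], P_lemma1(odd_primes)

def crude_bound(kappa):
    """The closed-form lower bound (8/kappa)^2 on P(e_w) derived in Section 4.2."""
    return (8 / kappa) ** 2

def queries_for_0_6321(p_ew):
    """K = 4 * ceil(1/P(e_w)): with K/4 independent matrices each invertible with
    probability P, Pr[at least one is invertible] = 1 - (1 - P)^(K/4) >= 1 - e^{-1}."""
    return 4 * ceil(1 / p_ew)
```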

4.3 Experimental Results

We implemented the attack on an Intel(R) Core(TM) i7 Processor, 2.93 GHz PC with the Windows 7 operating system. We did not implement any concrete hash functions, but instead chose an integer uniformly and independently at random from $\{0,1\}^{\kappa/2}$ as the output of each hash function. Nor did we choose a random $\beta \in \{0,1\}$ for every signing query, but fixed a $\beta^*$. This does not affect the results, since any $2u$ signatures contain at least $u$ signatures with the same $\beta^*$. Notice that we did not have to take every two signatures as a pair to generate a matrix in $\mathbb{Z}_e^{2\times 2}$ as in the theoretical analysis, since the analysis requires the matrices to be independent whereas the experiments do not. In our experiments, we checked all the $K(K-1)/2$ possible pairs among the $K$ signatures.


For every $\kappa$ from 512 to 4096 in steps of 512, we tested 100 instances. The attack always succeeded once an invertible matrix was found. We list the average value of $K$ for every $\kappa$ in Table 2. It can be seen that the invertible matrix can be found efficiently in the average case.

Table 2. The Average Number of K in Our Experiments

κ            512    1024   1536   2048   2560   3072   3584   4096
Average(K)   2.28   2.29   2.26   2.44   2.37   2.18   2.16   2.31

5 Why the Original Security Proof Is Incorrect?

To prove a signature scheme secure in the random oracle model, every hash function used in the scheme is replaced by a random oracle. Although the random oracle is often programmable, the distribution of its outputs must be uniform, or at least extremely close to uniform. When there is more than one random oracle, it is reasonable to require them to be independent and their joint distribution to be uniform. However, we can show that the oracles provided by the challenger in the original security proof are dependent and their joint distribution is far from uniform. Hence, these oracles can easily be distinguished from random oracles, which implies that the original security proof is not carried out in the random oracle model.

As seen in our attack, the key point is to find an invertible matrix over $\mathbb{Z}_e^{2\times 2}$ from some legally obtained signatures. However, such an invertible matrix can never be found in the original security proof. More precisely, in the proof, the challenger in the training phase outputs a signature on $m_i$ with identity $ID$ in which the two hash values are set to be
$$\begin{aligned}
h_1^{(m_i)} &= v^{(m_i)} + s_1^{(m_i)} e + t_1^{(m_i)} y, \\
h_2^{(m_i)} &= -v^{(m_i)} w + s_2^{(m_i)} e + t_2^{(m_i)} y,
\end{aligned}$$
where $y$ is a factor of $e$ with $\kappa/8$ bits, $w$ is a fixed $\kappa/8$-bit integer, and $v^{(m_i)}, s_1^{(m_i)}, t_1^{(m_i)}, t_2^{(m_i)} \in_R \{0,1\}^{\kappa/4}$. For any two messages $m_1$ and $m_2$, the corresponding matrix in our attack turns out to be
$$\begin{pmatrix} h_1^{(m_1)} & h_1^{(m_2)} \\ h_2^{(m_1)} & h_2^{(m_2)} \end{pmatrix}.$$


Notice that this matrix cannot be invertible in $\mathbb{Z}_e^{2\times 2}$, since $y$ is a factor of $e$ and
$$\begin{aligned}
&\det\begin{pmatrix} h_1^{(m_1)} & h_1^{(m_2)} \\ h_2^{(m_1)} & h_2^{(m_2)} \end{pmatrix} \bmod y \\
&= \det\begin{pmatrix} v^{(m_1)} + s_1^{(m_1)} e + t_1^{(m_1)} y & v^{(m_2)} + s_1^{(m_2)} e + t_1^{(m_2)} y \\ -v^{(m_1)} w + s_2^{(m_1)} e + t_2^{(m_1)} y & -v^{(m_2)} w + s_2^{(m_2)} e + t_2^{(m_2)} y \end{pmatrix} \bmod y \\
&= \det\begin{pmatrix} v^{(m_1)} & v^{(m_2)} \\ -v^{(m_1)} w & -v^{(m_2)} w \end{pmatrix} \bmod y \\
&= v^{(m_1)} \cdot (-v^{(m_2)} w) - v^{(m_2)} \cdot (-v^{(m_1)} w) \bmod y \\
&= 0 \bmod y.
\end{aligned}$$

This means that in their proof, although each individual hash value $h_1^{(m_i)}$ and $h_2^{(m_i)}$ returned by the challenger seems random, the two values are no longer independent. Moreover, the distribution of $(h_1^{(m_i)}, h_2^{(m_i)})$ over $\{0,1\}^{\kappa/2} \times \{0,1\}^{\kappa/2}$ is far from uniform, since we have proved that an invertible matrix can be found with very high probability for random oracles with the uniform distribution. Hence, it is possible to distinguish the oracles provided by the challenger from random oracles by checking whether such a matrix is invertible or not.
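The distinguisher this argument implies, as an added example that is not from the paper: hash pairs programmed the way the challenger does in the original proof are compared with pairs drawn from two independent uniform oracles, and the matrix built from two challenger pairs is checked to have determinant $0 \bmod y$ every time. The sizes ($\kappa = 64$, $y = 251$, $e = 251 \cdot 257$, $w = 173$) are constructed toy values chosen only to satisfy the bit-length relations stated in the text.

```python
import random
from math import gcd

# Constructed toy sizes for kappa = 64 (not the paper's parameters): y is a
# kappa/8 = 8-bit prime factor of e, e = y * 257 has kappa/4 = 16 bits, w is a
# fixed 8-bit integer, and v, s1, s2, t1, t2 are drawn from {0,1}^{kappa/4}.
KAPPA = 64
Y = 251
E = Y * 257
W = 173

def challenger_pair(rng):
    """(h1, h2) as the challenger programs them in the original proof:
    h1 = v + s1*e + t1*y,  h2 = -v*w + s2*e + t2*y."""
    v, s1, s2, t1, t2 = (rng.getrandbits(KAPPA // 4) for _ in range(5))
    return v + s1 * E + t1 * Y, -v * W + s2 * E + t2 * Y

def uniform_pair(rng):
    """(h1, h2) as two independent random oracles return them: uniform on {0,1}^{kappa/2}."""
    return rng.getrandbits(KAPPA // 2), rng.getrandbits(KAPPA // 2)

def det_mod(col1, col2, modulus):
    """det [[h1^(m1), h1^(m2)], [h2^(m1), h2^(m2)]] mod modulus, with col_i = (h1^(m_i), h2^(m_i))."""
    (a, c), (b, d) = col1, col2
    return (a * d - b * c) % modulus

def invertible_fraction(sampler, trials, seed=2014):
    """Fraction of matrices built from two sampled pairs that are invertible in Z_e^{2x2}."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if gcd(det_mod(sampler(rng), sampler(rng), E), E) == 1)
    return hits / trials

def challenger_det_always_zero_mod_y(trials, seed=2014):
    """Section 5: for challenger pairs det == 0 mod y, hence gcd(det, e) > 1 always."""
    rng = random.Random(seed)
    return all(det_mod(challenger_pair(rng), challenger_pair(rng), Y) == 0
               for _ in range(trials))

def lemma1_value():
    """P(e) of Lemma 1 for e = 251 * 257: the rate uniform pairs should approach."""
    return (1 - 1 / 251) * (1 - 1 / 251 ** 2) * (1 - 1 / 257) * (1 - 1 / 257 ** 2)
```

The two samplers give an invertible matrix about 99% of the time versus never, which is exactly the test that separates the challenger's oracles from genuine random oracles.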

6 Conclusion

In this paper, we present a new universal chosen message attack against the Selvi-Vivek-Rangan schemes to show that they are not secure, both in theory and in practice. The new attack is simpler and easier to understand. Moreover, thanks to our attack, the mistake in the original proof becomes possible to understand.

Acknowledgement. We are very grateful to the anonymous referees for their valuable suggestions on how to improve the presentation of this paper.

References

1. Apostol, T.M.: Introduction to Analytic Number Theory. Springer (1976)
2. Bagherzandi, A., Jarecki, S.: Identity-Based Aggregate and Multi-Signature Schemes Based on RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 480–498. Springer, Heidelberg (2010)
3. Barreto, P.S.L.M., Libert, B., McCullagh, N., Quisquater, J.-J.: Efficient and Provably-Secure Identity-Based Signatures and Signcryption from Bilinear Maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 515–532. Springer, Heidelberg (2005)
4. Boldyreva, A., Gentry, C., O'Neill, A., Yum, D.H.: Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing, http://eprint.iacr.org/
5. Cha, J.C., Cheon, J.H.: An Identity-Based Signature from Gap Diffie-Hellman Groups. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 18–30. Springer, Heidelberg (2002)
6. Cheng, X., Liu, J., Wang, X.: Identity-Based Aggregate and Verifiably Encrypted Signatures from Bilinear Pairing. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganà, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005, Part IV. LNCS, vol. 3483, pp. 1046–1054. Springer, Heidelberg (2005)
7. Galindo, D., Garcia, F.D.: A Schnorr-Like Lightweight Identity-Based Signature Scheme. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 135–148. Springer, Heidelberg (2009)
8. Gentry, C., Ramzan, Z.: Identity-Based Aggregate Signatures. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 257–273. Springer, Heidelberg (2006)
9. Herranz, J.: Deterministic identity-based signatures for partial aggregation. The Computer Journal 49(3), 322–330 (2006)
10. Hwang, J.Y., Lee, D.H., Yung, M.: Universal forgery of the identity-based sequential aggregate signature scheme. In: Computer and Communications Security, ASIACCS 2009, pp. 157–160. ACM (2009)
11. Nose, P.: Security weaknesses of a signature scheme and authenticated key agreement protocols. Information Processing Letters 114, 107–115 (2014)
12. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: The 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, pp. 135–148 (2000)
13. Sharmila Deva Selvi, S., Sree Vivek, S., Pandu Rangan, C.: Identity-Based Deterministic Signature Scheme without Forking-Lemma. In: Iwata, T., Nishigaki, M. (eds.) IWSEC 2011. LNCS, vol. 7038, pp. 79–95. Springer, Heidelberg (2011)
14. Sharmila Deva Selvi, S., Sree Vivek, S., Pandu Rangan, C.: Deterministic Identity Based Signature Scheme and Its Application for Aggregate Signatures. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 280–293. Springer, Heidelberg (2012)
15. Shamir, A.: Identity-Based Cryptosystems and Signature Schemes. In: Blakely, G.R., Chaum, D. (eds.) Advances in Cryptology - CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)

A Proof for Lemma 1

Lemma 1. Given a positive integer $e = p_1^{s_1} p_2^{s_2} \cdots p_t^{s_t}$, where the $p_i$'s are distinct primes, the probability that a matrix $A$ uniformly randomly chosen from $\mathbb{Z}_e^{2\times 2}$ is invertible is exactly
$$P(e) = \prod_{i=1}^{t} \Big(1 - \frac{1}{p_i}\Big)\Big(1 - \frac{1}{p_i^2}\Big).$$

Proof. i) For $e = p$ where $p$ is a prime, there are $p^2 - 1$ choices for the first column of $A$ (any non-zero column) that keep $A$ a candidate invertible matrix. After fixing the first column, we only have $p^2 - p$ choices for the second column (any column that is not a multiple of the first). So the probability is
$$P(e) = \frac{(p^2 - 1)(p^2 - p)}{p^4} = \Big(1 - \frac{1}{p}\Big)\Big(1 - \frac{1}{p^2}\Big).$$

ii) For $e = p^s$, notice that $A \in GL(2, \mathbb{Z}_{p^s})$ is equivalent to $A \bmod p \in GL(2, \mathbb{Z}_p)$, since the determinant of $A$ must be coprime to $p$. That is, $A = A_0 + pB$ is invertible in $\mathbb{Z}_{p^s}^{2\times 2}$ if and only if $A_0$ is invertible in $\mathbb{Z}_p^{2\times 2}$. Hence, the probability becomes
$$P(e) = \frac{(p^2 - 1)(p^2 - p)\, p^{4(s-1)}}{p^{4s}} = \Big(1 - \frac{1}{p}\Big)\Big(1 - \frac{1}{p^2}\Big).$$

iii) For $e = p_1^{s_1} p_2^{s_2} \cdots p_t^{s_t}$, by the Chinese Remainder Theorem it is easy to conclude that the probability is
$$P(e) = \prod_{i=1}^{t} \Big(1 - \frac{1}{p_i}\Big)\Big(1 - \frac{1}{p_i^2}\Big).$$

So the lemma follows.