of them is able to generate a proxy signature on behalf of the original signer. ... 0 mod Ï(N0),. E = ew. 0 mod Ï(N0). P0 publishes (w, E,(w||E)d0 mod N0). 2.
Attacks on a threshold proxy signature scheme based on the RSA cryptosystem YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan MING-LUEN WU Dept. of Computer Science & Information Engineering National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan and Dept. of Information Management Chung-Yu Institute of Technology No. 40, Yi-7th Rd, Keelung, Taiwan
Abstract: - Recently, Hwang et al. propose an efficient (t, n) threshold proxy signature scheme in which the original signer can authorize n proxy signers such that only the cooperation of t or more of them is able to generate a proxy signature on behalf of the original signer. Their scheme is based on the RSA cryptosystem. They claim that any t out of n proxy signers cannot derive the original signer’s private key. This paper disproves this claim by showing that their system can be broken using only the public information. This result is obtained without even the need to obtain ciphertext or the factorization of the RSA modulus. Hence the signature scheme of Hwang et al. is insecure. Key-Words: - Cryptography, Threshold proxy signature, RSA, Lagrange interpolation, Cryptanalysis.
1
Introduction
Their scheme is divided into three phases: proxy sharing, proxy signature issuing, and verification. In the proxy sharing phase, the original signer computes the partial proxy signing keys from his private key and sends them to each authorized proxy signer. In the proxy signature issuing phase, t proxy signers with their proxy signing keys cooperate to generate a proxy signature on
A (t, n) threshold proxy signature scheme allows the original signer to authorize n proxy signers such that only the cooperation of t or more proxy signers is able to generate a proxy signature on behalf of him [2–4, 6–8]. In 2003, Hwang et al. present an efficient threshold proxy signature scheme based on the RSA cryptosystem [3, 5]. 1
a message. In the verification phase, proxy sig- this phase in the following. natures are verified and the actual proxy signers 1. (Proxy generation). P0 generates the proxy can be identified. signature key D and its corresponding In Hwang et al.’s scheme, each signer has his proxy verification key E, where own public and private keys as in the RSA cryptosystem. They claim that even the cooperation D = dw of any t proxy signers cannot obtain the original 0 mod φ(N0 ), w signer’s private key. Their argument is essenE = e0 mod φ(N0 ). tially based on the difficulty of the factorization of the RSA modulus. This paper disproves this P0 publishes (w, E, (w||E)d0 mod N0 ). claim by showing that their system can be easily broken using only the public information. This 2. (Proxy sharing). P0 randomly generates a result is obtained without even the need to obsecret polynomial f of degree t − 1, tain ciphertext or the factorization of the RSA modulus. Hence the signature scheme of Hwang f (X) = D+a1 X+· · ·+at−1 X t−1 mod φ(N0 ), et al. is insecure.
2
where a1 , a2 , . . . , at−1 are random integers modulo φ(N0 ). P0 computes Pi ’s partial proxy signing key ki = f (i) and sends (kid0 mod N0 ||ki )ei mod Ni to Pi .
The proxy sharing phase of Hwang et al.’s scheme
In Hwang et al.’s scheme, there are three types of players. They are original signer P0 , proxy signers P1 , P2 , . . . , Pn , and the combiner. The combiner manages to generate proxy signatures with the help of proxy signers. The scheme has three phases: proxy sharing, proxy signature issuing, and verification. Each signer uses the RSA cryptosystem [5]. Let Pi ’s public key be (ei , Ni ) and private key be di , i = 0, 1, . . . , n. Note that modulus Ni is the product of two large primes pi and qi such that ei di ≡ 1 (mod φ(Ni )) and gcd(ei , φ(Ni )) = 1, where φ(Ni ) = (pi −1)(qi −1). mdi mod Ni is m signed with Pi ’s private key, and mei mod Ni is m encrypted with Pi ’s public key, using the RSA cryptosystem. In addition, let w denote the warrant that contains important information such as the expiration time of the proxy key, and the identities of the original signer and proxy signers. Denote by || the concatenation of two strings. Pi ’s identity will be the number i. Because Hwang et al.’s scheme can be broken right after the proxy sharing phase, we describe
3. (Proxy sharing generation). After receiving (kid0 mod N0 ||ki )ei mod Ni , each Pi can decrypt it to obtain kid0 mod N0 and ki . Each Pi then confirms the validity of ki and keeps it secret. Let T be a set of t numbers. Polynomial f (X) can be expressed as a Lagrange interpolating polynomial [1], f (X) =
X
Li (X)f (i) mod φ(N0 ),
i∈T
where Li (X) =
Y i,j∈T,j6=i
X −j . i−j
Now, D ≡ f (0) X ≡ Li (0)f (i) i∈T
2
(mod φ(N0 )).
(1)
3
The attack
From the above proof, we know that any integer multiple of φ(N0 ) can be used to replace ew 0 − E in the attack algorithm. Next we show how any t proxy signers can derive a smaller integer that is an integer multiple of φ(N0 ). Assume that T is the set of the t proxy signers’ identities. They compute D0 as X D0 = Li (0)ki .
We will show that using only the public information, anyone can obtain d ∈ Z such that e0 d ≡ 1 (mod φ(N0 )). As this d and the actual d0 differ by some integer multiple of φ(N0 ), it will work exactly as d0 , thus breaking the original signer’s cryptosystem. This result is obtained without even the need to obtain ciphertext or the factori∈T ization of N0 . Our attack algorithm is described as follows. Note that in Hwang et at.’s scheme, all Li (0) must be integers. By Eq. (1), we have D0 ≡ D Input: The public parameters e0 , N0 , w, E. (mod φ(N0 )) because ki = f (i). So D0 E ≡ DE
Output: An integer d such that e0 d ≡ 1 (mod φ(N0 )).
w ≡ dw 0 e0
≡1
Step 1: Compute ew 0 − E.
Hence φ(N0 )|(D0 E − 1).
Step 2: Compute g according as dlog2 (ew 0 −E)e
g = gcd(e0
(mod φ(N0 )).
4
, ew 0 − E).
Conclusions
In this paper, we have shown that Hwang et al.’s scheme can be broken with only the public information. This result is obtained without even the ew − E the need to obtain ciphertext or the factorization . N= 0 g of the RSA modulus. If any t or more proxy signers collude, the attack can be made even more Step 4: Solve for d satisfying e0 d ≡ 1 (mod N ). efficient. Hwang et al.’s scheme is therefore insecure. Step 5: Output d. References: Now we prove that e0 d ≡ 1 (mod φ(N0 )). [1] R. L. Burden and J. D. Faires, Numerical Proof. As ew ≡ E (mod φ(N )), we can Analysis. PWS Publishers, 4th ed., 1988. 0 0 write ew − E = rφ(N ) for some inte0 0 ger r. Note that the attacker does not [2] C.-L. Hsu, T.-S. Wu, and T.-C. Wu, “New repudiable threshold signature scheme with know r. As gcd(e0 , φ(N0 )) = 1, we have w −E known signers,” The Journal of Systems and dlog2 (ew −E)e e 0 gcd(e0 , r) = g. So N = 0 g = Software, vol. 58, pp. 119–124, 2001. r0 φ(N0 ), where r0 = r/g is an integer. Clearly gcd(e0 , N ) = 1. Thus a d satisfying e0 d ≡ [3] M.-S. Hwang, E. J.-L. Lu, and L.-C. Lin, “A practical (t, , n) threshold proxy signa1 (mod N ) exists and is unique modulo N . ture scheme based on the RSA cryptosysHence we have e0 d ≡ 1 (mod φ(N0 )) because tem,” IEEE Transactions on Knowledge and φ(N0 )|N . Step 3: Compute
3
threshold proxy signature scheme with known signers,” Computer Communications, vol. 22, pp. 717–722, 1999.
Data Engineering, vol. 15, no. 6, pp. 1552– 1560, 2003.
[4] S. Kim, S. Park, and D. Won, “Proxy signatures, revisited,” in Information and Com- [7] C.-S. Tsai, S.-F. Tseng, and M.-S. Hwang, “Improved non-repudiable threshold proxy munications Security—ICICS’97, vol. 1334 of signature scheme with known signers,” INLNCS, pp. 223–232, Springer-Verlag, 1997. FORMATICA: An International Journal, [5] R. L. Rivest, A. Shamir, and L. M. Adlevol. 14, no. 3, pp. 393–402, 2003. man, “A method for obtaining digital signatures and public-key cryptosystems,” CACM, [8] K. Zhang, “Threshold proxy signature schemes,” in Information Security, First Invol. 21, pp. 120–126, Feb. 1978. ternational Workshop, ISW ’97, vol. 1396 of LNCS, pp. 282–290, Springer-Verlag, 1998. [6] H.-M. Sun, “An efficient nonrepudiable
4
