Security Remarks on a Group Signature Scheme with Member Deletion

Guilin Wang, Feng Bao, Jianying Zhou, and Robert H. Deng
Infocomm Security Department, Institute for Infocomm Research
21 Heng Mui Keng Terrace, Singapore 119613
http://www.i2r.a-star.edu.sg/icsd/
{glwang, baofeng, jyzhou, deng}@i2r.a-star.edu.sg

Abstract. A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable fashion. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Based on the Camenisch-Michels group signature scheme [7, 8], Kim, Lim and Lee proposed the first group signature scheme with a member deletion procedure at ICISC 2000 [15]. Their scheme is very efficient in both communication and computation aspects. Unfortunately, their scheme is insecure. In this paper, we first identify an effective way that allows any verifier to determine whether two valid group signatures are signed by the same group member. Secondly, we find that in their scheme a deleted group member can still update his signing key and then generate valid group signatures after he was deleted from the group. In other words, the Kim-Lim-Lee group signature scheme [15] is linkable and does not support secure group member deletion.

Keywords: digital signature, group signature, member deletion.

1 Introduction

In 1991, Chaum and van Heyst first introduced the concept of group signatures [10]. In a group signature scheme, each group member of a given group is able to sign messages anonymously and unlinkably on behalf of the group. However, in case of later disputes, a designated entity called the group manager can reveal the identity of the signer by “opening” a group signature. From the viewpoint of verifiers, they only need to know a single group public key to verify group signatures. On the other hand, from the viewpoint of the signing group, the group conceals its internal organizational structure, but can still trace the signer’s identity if necessary. By virtue of these advantages, group signatures have many potentially practical applications, such as authenticating price lists, press releases, digital contracts, e-voting, e-bidding and e-cash, etc. [11, 16, 1]. A secure group signature scheme must satisfy the following six properties [1, 2]:

– Unforgeability: Only group members are able to sign messages on behalf of the group.
– Anonymity: Given a valid signature of some message, identifying the actual signer is computationally hard for everyone but the group manager.
– Unlinkability: Deciding whether two different valid signatures were computed by the same group member is computationally hard.
– No Framing: Neither a group member nor the group manager can sign on behalf of other group members.
– Traceability: The group manager is always able to open a valid signature and identify the actual signer.
– Coalition-resistance: A colluding subset of group members (even if comprised of the entire group) cannot generate a valid signature that the group manager cannot link to one of the colluding group members.

Up to now, a number of new group signature schemes and improvements have been proposed. In [11], Chen and Pedersen constructed the first scheme which allows new members to join the group dynamically. Camenisch and Stadler proposed the first group signature scheme in which the group public key and signatures have lengths independent of the group size [6]. At the same time, they introduced the new concept of signatures of knowledge, which has become a standard tool in the design of group signature schemes and other related cryptographic protocols. Generally speaking, signatures of knowledge allow a prover to non-interactively prove knowledge of one or several secrets with respect to some public information. Based on the strong RSA assumption, Camenisch and Michels presented an efficient group signature scheme in [7, 8]. Ateniese and Tsudik pointed out some obstacles that stand in the way of real-world applications of group signatures, such as coalition attacks and member deletion [2]. In [1], Ateniese et al. presented a provably secure coalition-resistant group signature scheme.
Based on the scheme in [7, 8], Kim, Lim and Lee proposed the first group signature scheme with a member deletion procedure [15]. Their extension is very efficient in both communication and computation aspects. Whenever a member joins or leaves the group, the group manager only needs to publish two pieces of public information by doing several modular multiplications and exponentiations, and each group member can update his secret key by doing only one modular multiplication. Bresson and Stern also provided a group signature scheme with member deletion [5]. However, their scheme is not efficient when the number of deleted members is large. In addition, to deal with exposure of group members’ secret keys, Song constructed two forward secure group signature schemes in [18]. At the same time, she also extended her schemes to support member deletion. However, these two extensions are not very efficient, in the sense that to verify a signature a verifier has to search all revocation tokens (Section 4.4 of [18]) to check whether the signature is revoked. Therefore, the computational cost of signature verification is proportional to the number of deleted members. Based on the notion of dynamic accumulators, Camenisch and Lysyanskaya proposed a new efficient method for the member deletion problem in group signature schemes [9].

In this paper, we discuss the security of the first group signature scheme with a member deletion procedure, proposed by Kim, Lim and Lee in [15]. First of all, we point out that the requirements for security parameters listed in [15] are not sufficient to guarantee the system security. Secondly, we identify an effective way that allows any verifier to determine whether two valid group signatures are signed by the same group member. Thirdly, we find that in their scheme a deleted group member can also update his signing key and then generate valid group signatures after he was deleted from the group. In other words, the Kim-Lim-Lee group signature scheme is linkable and does not support group member deletion. Furthermore, we discover that a newly joined group member can derive signing keys corresponding to the time periods before he joined the group. In some scenarios, this is also not a desirable property. The rest of this paper is organized as follows. We introduce the related cryptographic assumptions in Section 2. Then, we review the Kim-Lim-Lee scheme in Section 3 and present our security analysis in Section 4. Finally, the conclusion is given in Section 5.

2 Assumptions

In this section we give a brief description of three assumptions: the strong RSA assumption [3, 14], the modified strong RSA assumption [7, 8], and the decisional Diffie-Hellman assumption [13, 4]. These three assumptions are the security basis of the schemes in [7, 8, 15]. Let $\ell_g$ be a suitable security parameter and $\mathcal{G}(\ell_g)$ denote the set of groups whose order has length $\ell_g$ and consists of two prime factors of length $(\ell_g - 2)/2$. $k, \ell_1, \ell_2 < \ell_g$ and $\epsilon$ are further security parameters. For simplicity, we define two intervals $\Gamma$ and $\Gamma'$ by $\Gamma := [2^{\ell_1} - 2^{\ell_2}, 2^{\ell_1} + 2^{\ell_2}]$ and $\Gamma' := [2^{\ell_1} - 2^{\tilde\ell}, 2^{\ell_1} + 2^{\tilde\ell}]$, where $\tilde\ell := \epsilon(\ell_2 + k) + 1$. In addition, let $\mathcal{M}(G, z) := \{(u, e) \mid z = u^e, u \in G, e \in \Gamma, e \in \text{primes}\}$. Let $\mathcal{K}$ be a key-generation algorithm that on input $1^{\ell_g}$ outputs a group $G \in \mathcal{G}(\ell_g)$ and $z \in G \setminus \{\pm 1\}$.

Assumption 1 (Strong RSA Assumption): There exists a probabilistic polynomial-time algorithm $\mathcal{K}$ such that, for all probabilistic polynomial-time algorithms $\mathcal{A}$ and all sufficiently large $\ell_g$, the probability that $\mathcal{A}$ on input $(G, z)$ outputs $e \in \mathbb{Z}_{>1}$ and $u \in G$ satisfying $z = u^e$ is negligible.

Assumption 2 (Modified Strong RSA Assumption): There exists a probabilistic polynomial-time algorithm $\mathcal{K}$ such that, for all probabilistic polynomial-time algorithms $\mathcal{A}$, all sufficiently large $\ell_g$, all $M \subset \mathcal{M}(G, z)$ with $|M| = O(\ell_g)$, and suitably chosen $k, \ell_1, \ell_2$ and $\epsilon$, the probability that $\mathcal{A}$ on input $(G, z, M)$ outputs $u \in G$ and $e \in \Gamma'$ satisfying $z = u^e$ and $(u, e) \notin M$ is negligible.

Assumption 3 (Decisional Diffie-Hellman Assumption): There exists a probabilistic polynomial-time algorithm $\mathcal{K}$ such that, for all probabilistic polynomial-time algorithms $\mathcal{A}$ and all sufficiently large $\ell_g$, the probability that $\mathcal{A}$ on input $g, g^x, g^y$, and $g^z \in_R G$ can distinguish whether $g^{xy}$ and $g^z$ are equal is negligible.

For more discussions about these assumptions, please refer to [8]. Especially, Camenisch and Michels pointed out that Assumption 1 implies Assumption 2 (Section 3 of [8]).

3 Review of Kim-Lim-Lee Scheme

In this section we review the Kim-Lim-Lee group signature scheme [15]. In their scheme, the group manager is split into two roles: the membership manager (MM) and the revocation manager (RM). The whole scheme consists of six stages, i.e., system setup, join, delete, sign, verify and open. Hereafter, $r \in_R R$ denotes selecting an element $r$ from a set $R$ uniformly at random.

3.1 System Setup

The group manager (MM) executes the following procedures:

1-1). Set security parameters $\ell_g, \hat\ell, \ell_1, \ell_2, k, \epsilon$ such that $\epsilon > 1$, $\ell_g > \ell_1 > \ell_2$ and $\ell_g > \epsilon(\ell_2 + k) + 2$, and choose a hash function $H : \{0, 1\}^* \to \{0, 1\}^k$.
1-2). Choose a group $G = \langle g \rangle$ with order $\#G$ and two random elements $z, h \in_R G$ with the same large order ($\approx 2^{\ell_g}$) such that: a) in $G$ Assumptions 2 and 3 hold; b) computing discrete logarithms in $G$ to the bases $g$, $h$ or $z$ is infeasible.
1-3). Set an RSA modulus $n = pq$, where $p$ and $q$ ($\approx 2^{\ell_g/2}$) are two large secure primes such that $p, q \neq 1 \bmod 8$ and $p \neq q \bmod 8$.
1-4). Choose a secret/public key pair $(d_N, e_N)$ such that $d_N e_N = 1 \bmod \phi(n)$.
1-5). Publish $n, e_N, G, g, h, z, H, \ell_g, \hat\ell, \ell_1, \ell_2, k, \epsilon$ and prove that $g$, $h$ and $z$ have the same order, but keep $p$, $q$, and $\#G$ private.

At the same time, the revocation manager (RM) selects his secret key $x_R \in_R [0, 2^{\ell_g} - 1]$ and publishes $y_R = g^{x_R}$ as his public key.

3.2 Join

Assume that $C := \{G_1, G_2, \cdots, G_{m-1}\}$ is the set of $(m - 1)$ current group members in the system, and the membership key of the group member $G_i$ is a pair $(x_i, y_i)$ that satisfies

$$y_i^{x_i} = z, \quad x_i \in_R [2^{\ell_1}, 2^{\ell_1} + 2^{\ell_2} - 1],$$

where the secret key $x_i$ is a prime selected by the group member $G_i$ and the public key $y_i$ is extracted by MM. When a user, say Alice, wants to join the system as the $m$-th group member, she does as follows:

2-1). Choose two random primes $x_m \in_R [2^{\ell_1}, 2^{\ell_1} + 2^{\ell_2} - 1]$, $\hat x_m \in_R [2^{\hat\ell - 1}, 2^{\hat\ell} - 1]$ such that $x_m, \hat x_m \neq 1 \bmod 8$ and $x_m \neq \hat x_m \bmod 8$.¹
2-2). Alice computes $\tilde x_m := x_m \hat x_m$, $\tilde z := z^{\hat x_m}$, and commits to $\tilde x_m$ and $\tilde z$. Then, she sends $\tilde x_m$, $\tilde z$ and their commitments to MM.
2-3). To convince MM that $\tilde x_m$ and $\tilde z$ are prepared correctly, Alice and MM execute the following interactive statistical zero-knowledge protocol²: $W = SPK\{(\tau, \rho) : z^{\tilde x_m} = \tilde z^{\tau} \wedge \tilde z = z^{\rho} \wedge \tau \in \Gamma'\}(\tilde z)$.

Now, we assume that the group’s public property key is $U_M := y_1 \cdots y_{m-1} y'$, where the random element $y' \in_R G$ is known only by MM. When the above protocol is executed successfully, MM does the following:

2-4). Generate Alice’s public key $y_m := \tilde z^{1/\tilde x_m}$ ($= z^{1/x_m}$).
2-5). Compute the new group’s public property key $\bar U_M := y_1 \cdots y_{m-1} y_m y''$ by choosing a random number $y'' \in_R G$.
2-6). Compute the new group’s public renewal property key $\bar U_N := (y_m y''/y')^{d_N}$.
2-7). Generate the member $G_m$’s secret property key $U_m := (y_1 \cdots y_{m-1} y'')^{d_N}$.
2-8). Publish $(\bar U_M, \bar U_N)$, and send $(y_m, U_m)$ to Alice securely.

As the $m$-th group member $G_m$, Alice verifies her membership key $(x_m, y_m)$ by checking $y_m^{x_m} \equiv z$ and $y_m (U_m)^{e_N} \equiv \bar U_M$. At the same time, each other valid group member $G_i$ ($1 \le i \le m - 1$) updates his secret property key from $U_i := (y_1 \cdots y_{i-1} y_{i+1} \cdots y_{m-1} y')^{d_N}$ into $\bar U_i := U_i \cdot \bar U_N = (y_1 \cdots y_{i-1} y_{i+1} \cdots y_{m-1} y_m y'')^{d_N}$. He can also verify his new $\bar U_i$ by checking $y_i (\bar U_i)^{e_N} \equiv \bar U_M$.

3.3 Delete

Let the current group’s public property key be $U_M = y_1 \cdots y_m y'$ where $y' \in_R G$. To delete a group member $G_j$ ($1 \le j \le m$), MM performs the following deletion protocol:

3-1). By selecting $y'' \in_R G$, compute a new group’s public property key $\bar U_M := U_M y''/(y_j y')$ ($= y_1 \cdots y_{j-1} y_{j+1} \cdots y_m y''$).
3-2). Compute a new group’s renewal public property key $\bar U_N := (y''/(y_j y'))^{d_N}$.
3-3). Publish $(\bar U_M, \bar U_N)$.

Each valid group member $G_i$ updates his secret property key from $U_i$ to $\bar U_i$ by computing $\bar U_i := U_i \cdot \bar U_N$, and verifies $\bar U_i$ by checking $y_i (\bar U_i)^{e_N} \equiv \bar U_M$.

¹ The authors of [15] require that $x_m, \hat x_m \in_R [2^{\hat\ell - 1}, 2^{\hat\ell} - 1]$. However, this is wrong. Otherwise, Alice is unable to prove that she knows the value of $x_m$ belonging to the interval $\Gamma'$. Therefore, we correct this error according to the descriptions in [7, 8].
² For the security of this protocol, please consult Theorem 2 in Section 5.5 of [7].

3.4 Sign

To sign a message $M$, the member $G_i$, with the membership key $(x_i, y_i)$ and his secret property key $U_i$, does the following:

4-1) Choose a random integer $w \in_R \{0, 1\}^{\ell_g}$, compute $a := g^w$, $b := y_i y_R^w$, $d := g^{x_i} h^w$, $\alpha := U_i h^w$ and $\beta := y_R^w h^{w e_N}$.
4-2) Choose $r_1 \in_R \{0, 1\}^{\epsilon(\ell_2 + k)}$, $r_2 \in_R \{0, 1\}^{\epsilon(\ell_g + \ell_1 + k)}$, and $r_3 \in_R \{0, 1\}^{\epsilon(\ell_g + k)}$.
4-3) Compute $t_1 := b^{r_1} (1/y_R)^{r_2}$, $t_2 := a^{r_1} (1/g)^{r_2}$, $t_3 := g^{r_3}$, $t_4 := g^{r_1} h^{r_3}$, and $t_5 := y_R^{r_3} h^{r_3 e_N}$.
4-4) Evaluate $c := H(g \| h \| y_R \| z \| a \| b \| d \| \beta \| t_1 \| t_2 \| t_3 \| t_4 \| t_5 \| M)$.
4-5) Calculate $s_1 := r_1 - c(x_i - 2^{\ell_1})$, $s_2 := r_2 - c w x_i$, $s_3 := r_3 - cw$ (all in $\mathbb{Z}$).

The resulting signature on the message $M$ is $(c, s_1, s_2, s_3, a, b, d, \alpha, \beta)$. Kim et al. [15] pointed out that such a group signature would be denoted by

$$L = SPK\{(\theta, \lambda, \mu) : z = b^{\theta}/y_R^{\lambda} \wedge 1 = a^{\theta}/g^{\lambda} \wedge a = g^{\mu} \wedge d = g^{\theta} h^{\mu} \wedge \beta = y_R^{\mu} h^{\mu e_N} \wedge \theta \in \Gamma'\}(M).$$

3.5 Verify

To verify a group signature $(c, s_1, s_2, s_3, a, b, d, \alpha, \beta)$ on a message $M$, a verifier checks its validity as follows:

5-1) Compute $t'_1 := z^c b^{s_1 - c2^{\ell_1}}/y_R^{s_2}$, $t'_2 := a^{s_1 - c2^{\ell_1}}/g^{s_2}$, $t'_3 := a^c g^{s_3}$, $t'_4 := d^c g^{s_1 - c2^{\ell_1}} h^{s_3}$, and $t'_5 := \beta^c y_R^{s_3} h^{s_3 e_N}$.
5-2) Evaluate $c' := H(g \| h \| y_R \| z \| a \| b \| d \| \beta \| t'_1 \| t'_2 \| t'_3 \| t'_4 \| t'_5 \| M)$.
5-3) Check $c \equiv c' \in \{0, 1\}^k$, $s_1 \in [-2^{\ell_2 + k}, 2^{\epsilon(\ell_2 + k)}]$, $s_2 \in [-2^{\ell_g + \ell_1 + k}, 2^{\epsilon(\ell_g + \ell_1 + k)}]$, $s_3 \in [-2^{\ell_g + k}, 2^{\epsilon(\ell_g + k)}]$, and $a, b, d, \alpha, \beta \in G$.
5-4) Accept the signature if and only if $\beta U_M/\alpha^{e_N} \equiv b$.³

3.6 Open

To trace the identity of the signer of a signature $\sigma = (c, s_1, s_2, s_3, a, b, d, \alpha, \beta)$, RM first checks its validity, then decrypts the ElGamal ciphertext $(a, b)$ to find $y_i = b/a^{x_R}$, generates the signature of knowledge $P := SPK\{\rho : y_R = g^{\rho} \wedge b/y_i = a^{\rho}\}(y_i \| \sigma \| M)$ and reveals $(y_i, P)$. In this way, RM shows that he does not misattribute the signature to the group member $G_i$. The authors of [15] also provided a sign-tracing procedure that allows MM (with the help of RM) to check whether a specific valid group signature was signed by a specific member. We omit this procedure since our discussion has no relation to it.

³ Kim et al. assume that the list of all $U_M$’s and the corresponding update dates are publicly available, and that the generation date is embedded in a signature. Therefore, the verifier can find the proper $U_M$ to check the validity of a given signature.

4 Security of Kim-Lim-Lee Scheme

4.1 Security Parameters

In this subsection, we point out that the requirements for security parameters given in [15] are not sufficient to guarantee the security. The security parameters $\epsilon, k, \ell_1, \ell_2, \ell_g$ and $\hat\ell$ are only required to satisfy the following conditions (see Definition 1 in Section 4.4 of [15]):

$$\epsilon > 1, \quad \ell_g > \ell_1 > \ell_2, \quad \text{and } \ell_g > \epsilon(\ell_2 + k) + 2. \tag{1}$$

However, to guarantee the security of their scheme, we note that the following two conditions are also necessary:

$$\ell_2 \gg \ell_1 - (\hat\ell + \ell_1)/4, \quad \text{and } \ell_1 > \epsilon(\ell_2 + k) + 2. \tag{2}$$

We explain the reasons as follows. If $\ell_2 \gg \ell_1 - (\hat\ell + \ell_1)/4$ does not hold, then due to the work of Coppersmith in [12], MM can factor the value $\tilde x_m$ which is sent to him in the Join protocol. Once $\tilde x_m$’s two factors $\hat x_m$ and $x_m$ are known, MM can mount a framing attack by generating valid group signatures under the name of the member $G_m$ (remember that MM already knows $y_m$ and $U_m$). Therefore, to provide the property of no framing, the first condition in Equation (2) is necessary. The requirement $\ell_1 > \epsilon(\ell_2 + k) + 2$ is not given in [7], while it is added in [8]. We note that without this requirement, the scheme in [7] may be insecure. For example, Camenisch and Michels suggested that the security parameters can be selected as follows (see Section 5.6 in [7]): $\epsilon = 9/8$, $k = 160$, $\ell_1 = 860$, $\ell_2 = 600$, and $\ell_g = \hat\ell_g = 1200$. It is obvious that this set of parameters satisfies all requirements in Equations (1) and (2). Therefore, in such a case the security is guaranteed. However, if there is no requirement $\ell_1 > \epsilon(\ell_2 + k) + 2$, one can re-set $\ell_2 = 760$ but keep the other parameters unchanged. In this case, all requirements in Equation (1) and $\ell_2 \gg \ell_1 - (\hat\ell + \ell_1)/4$ are still satisfied, but the scheme in [7] is insecure because anybody (not necessarily a group member) can use $(u := z, e := 1)$ as a valid membership certificate to generate valid group signatures. The correctness of this attack can be directly checked (refer to Section 5.3 of [7] for details of signature generation and verification). As for the Kim-Lim-Lee scheme [15], a similar attack is unlikely to be mounted unless an attacker also obtains a secret property key $(U_M/z)^{d_N}$. However, it seems natural to add the requirement $\ell_1 > \epsilon(\ell_2 + k) + 2$ to the Kim-Lim-Lee scheme since this scheme is an extension of the scheme in [7, 8].

4.2 Linkability

The authors of [15] claimed that, similar to the Camenisch-Michels scheme [7, 8], their scheme is also unlinkable. However, we find that in fact their scheme is linkable. Before discussing the linkability of the Kim-Lim-Lee scheme, we first prove that $y_i g^{x_i e_N}$ is an invariant for the group member $G_i$. More specifically, for $i \neq j$, we want to show that $y_i g^{x_i e_N} = y_j g^{x_j e_N}$ holds only with negligible probability. Since $z, y_i, y_j \in G = \langle g \rangle$, we assume that $z = g^{a_0}$, $y_i = g^{a_i}$ and $y_j = g^{a_j}$ for some unknown $a_0, a_i, a_j \in \mathbb{Z}_{\#G}$. From $z = y_i^{x_i} = y_j^{x_j}$, we have $a_i x_i = a_0 \bmod \#G$ and $a_j x_j = a_0 \bmod \#G$. If $y_i g^{x_i e_N} = y_j g^{x_j e_N}$, we get $x_i e_N + a_i = x_j e_N + a_j \bmod \#G$. Then, using $a_i x_i = a_0 \bmod \#G$ and $a_j x_j = a_0 \bmod \#G$, we have $(x_i x_j e_N - a_0)(x_i - x_j) = 0 \bmod \#G$. This implies

$$\#G \mid (x_i x_j e_N - a_0)(x_i - x_j). \tag{3}$$

Note that $x_i, x_j \in [2^{\ell_1}, 2^{\ell_1} + 2^{\ell_2} - 1]$ are two random primes selected by the members $G_i$ and $G_j$, and they must be different. Otherwise, if $G_i$ and $G_j$ set $x_i = x_j$, then MM will extract the same value for $y_i$ and $y_j$ and find that they are cheaters. Therefore, we have $x_i \neq x_j$ and $|x_i| = |x_j| = \ell_1 + 1$ ($|r|$ denotes the bit-length of the integer $r$). At the same time, $|\#G| \approx \ell_g > \ell_1$, $\#G$ (the order of the cyclic group $G$) consists of two large prime factors, and only MM knows the value of $\#G$. Furthermore, group members do not know the value of $a_0$, i.e., the discrete logarithm of $z$ to the base $g$. Therefore, it is not difficult to see that Equation (3) holds only with negligible probability. Consequently, for different $i$ and $j$, $y_i g^{x_i e_N} = y_j g^{x_j e_N}$ holds only with negligible probability.

Given a valid signature $(c, s_1, s_2, s_3, a, b, d, \alpha, \beta)$ on a message $M$, according to Step 4-1) in the signing protocol, we know that

$$b = y_i y_R^w, \quad d = g^{x_i} h^w, \quad \alpha = U_i h^w, \quad \beta = y_R^w h^{w e_N},$$

for some $w \in_R \{0, 1\}^{\ell_g}$.

Note that at any moment in the system lifetime, $U_M = y_i (U_i)^{e_N}$ holds for any current member $G_i$. Therefore, we have the following equalities:

$$(d/\alpha)^{e_N} = g^{x_i e_N}/U_i^{e_N} = y_i g^{x_i e_N}/U_M. \tag{4}$$

Note that $U_M$ is unchanged in the time period $T$ in which the group’s public property key $U_M$ is valid. At the same time, we have proved that $y_i g^{x_i e_N}$ is an invariant for the member $G_i$, so the rightmost expression in Equation (4) is an invariant for the group member $G_i$ in the time period $T$. This implies that all signatures signed by the same group member in the same time period $T$ are linkable. That is, given two valid group signatures $(c, s_1, s_2, s_3, a, b, d, \alpha, \beta)$ and $(\bar c, \bar s_1, \bar s_2, \bar s_3, \bar a, \bar b, \bar d, \bar\alpha, \bar\beta)$ which are signed in the same period $T$, anybody (not necessarily a group member) can know whether they are the signatures of the same group member by checking

$$d/\alpha \equiv \bar d/\bar\alpha. \tag{5}$$

Furthermore, according to Equation (4) and the fact that $U_M \beta = b \alpha^{e_N}$, we have the following equalities:

$$d^{e_N} b/\beta = d^{e_N} U_M/\alpha^{e_N} = y_i g^{x_i e_N}. \tag{6}$$

Since $y_i g^{x_i e_N}$ is an invariant for the member $G_i$ (in all time periods), the above equalities show that $d^{e_N} b/\beta$ is also an invariant for the member $G_i$. This implies that all signatures signed by the same group member in all time periods are linkable. Equation (6) also shows that even if only one of the values $\alpha$ or $\beta$ is released, group signatures signed by the same member are still linkable. In other words, the Kim-Lim-Lee scheme reveals so much more information that it does not satisfy unlinkability. Note that linkability also means that the anonymity of a signer is not satisfied, in the sense that one opened group signature will reveal all other group signatures signed by the same group member.

4.3 A Member Is Deleted From the Group

In Section 5 of [15], Kim et al. claimed that “The following theorem implies that non-group member or a deleted group member with his obsolete secret key cannot generate any valid signature by showing that forging a valid signature is equivalent to solving the RSA problem.”

Theorem 1 [15]. There exists a probabilistic polynomial algorithm that on input $y_R, y_i, h, U_M$ and $e_N$ outputs $(w, \alpha)$ satisfying $\beta U_M/(\alpha^{e_N}) = b$ where $\beta = y_R^w h^{w e_N}$ and $b = y_i y_R^w$ if and only if it is able to solve the RSA problem.

We do not find any problem in their proof of Theorem 1. However, we notice that Theorem 1 does not imply that a deleted group member cannot use his obsolete secret key to generate valid signatures. In other words, the above claim they made is wrong. The reason is that a deleted group member not only has $y_R, y_i, h, U_M$ and $e_N$, but also has $x_i$ and $U_i$ such that $y_i^{x_i} = z$ and $y_i (U_i)^{e_N} = U_M$. Therefore, in essence Theorem 1 has no relation to the forging ability of a deleted member after he is deleted. In the following, we give an example to show how a deleted group member can update his secret key and then generate valid group signatures as a valid member does (the authors of [9] also point out this problem, but without details). The only assumption is that he can access the newly updated group’s public renewal property key $U_N$. This assumption is reasonable since $U_N$ is public information (at least within the group of system members). Therefore, in case a deleted member cannot access the newly updated $U_N$, we assume that he may collude with a valid group member.

Let $G_1, G_2, \cdots, G_m, G_{m+1}$ be the $(m + 1)$ current group members in the system, and the current group’s public property key be $U_M = y_1 \cdots y_m y_{m+1} y'$. Later, for some reason, one group member is deleted by MM. Without loss of generality, we assume that $G_{m+1}$ is the deleted group member. Then, MM publishes the new group’s property key $\bar U_M = y_1 \cdots y_m y''$, for some $y'' \in_R G$, and the new group’s renewal property key $\bar U_N = (y''/(y_{m+1} y'))^{d_N}$. By using $\bar U_N$ and $\bar U_M$, each valid group member updates his secret property key as described in the Delete protocol in Section 3.3. For a secure group signature scheme with member deletion, $G_{m+1}$ should not be able to update his secret property key any more. However, in the scheme [15], $G_{m+1}$ can update his secret property key $U_{m+1}$ as follows.

Assume that before $G_{m+1}$ was deleted, his secret property key was $U_{m+1}$, which satisfies $y_{m+1} U_{m+1}^{e_N} = U_M$ where $U_{m+1} = (y_1 \cdots y_m y')^{d_N}$. To update his secret property key, he needs to compute a value $\bar U_{m+1}$ such that

$$y_{m+1} \bar U_{m+1}^{e_N} = \bar U_M. \tag{7}$$

This implies $\bar U_{m+1} = (\bar U_M y_{m+1}^{-1})^{d_N} = (y_1 \cdots y_m y'' y_{m+1}^{-1})^{d_N} = (y_1 \cdots y_m y')^{d_N} \cdot (y''/(y' y_{m+1}))^{d_N} = U_{m+1} \bar U_N$. Therefore, by using the same method, the deleted member $G_{m+1}$ can also update his secret property key as a valid group member does. Consequently, $G_{m+1}$ can generate valid group signatures by using his membership key $(x_{m+1}, y_{m+1})$ and his new secret property key $\bar U_{m+1}$ even after he has been deleted from the system.

Now, we further consider whether the deleted member $G_{m+1}$ can update his secret property key continuously when the group of system members changes dynamically. The answer is positive. We assume the system is set up at time $\tau_0$, and a member joins or is deleted at time $\tau_j$. The time sequence satisfies $\tau_0 < \tau_1 < \cdots < \tau_j < \tau_{j+1} < \cdots$. At time $\tau_j$, MM publishes the group’s public property key $U_M^{\tau_j}$ and the group’s public renewal property key $U_N^{\tau_j}$. During the time period $T_j := [\tau_j, \tau_{j+1})$, each group member $G_i$ uses his secret property key $U_i^{\tau_j}$ to generate signatures. Therefore, for each valid member $G_i$ in the time period $T_j$, the following equality holds:

$$y_i (U_i^{\tau_j})^{e_N} = U_M^{\tau_j}. \tag{8}$$

In addition, from the description of the Join and Delete protocols, it is not difficult to see that whether a member joins the system or is deleted from the system in the time period $T_j$, the following equality always holds:

$$U_N^{\tau_j} = (U_M^{\tau_j}/U_M^{\tau_{j-1}})^{d_N}. \tag{9}$$

Assume that the member $G_{m+1}$ is deleted at time $\tau_j$. He wants to get his secret property key $U_{m+1}^{\tau_{j+t}}$ for the time period $T_{j+t}$ that satisfies Equation (8), i.e., $y_{m+1} (U_{m+1}^{\tau_{j+t}})^{e_N} = U_M^{\tau_{j+t}}$. This implies that $U_{m+1}^{\tau_{j+t}} = (U_M^{\tau_{j+t}})^{d_N}/y_{m+1}^{d_N} = U_N^{\tau_{j+t}} \cdot (U_M^{\tau_{j+t-1}})^{d_N}/y_{m+1}^{d_N} = U_N^{\tau_{j+t}} \cdot U_{m+1}^{\tau_{j+t-1}}$. Therefore, for any time period $T_{j+t}$, the deleted member $G_{m+1}$ can update his secret property key by using the following equation:

$$U_{m+1}^{\tau_{j+t}} = U_N^{\tau_{j+t}} \cdot U_N^{\tau_{j+t-1}} \cdots U_N^{\tau_{j+2}} \cdot U_N^{\tau_{j+1}} \cdot U_{m+1}^{\tau_j}, \quad \text{for any } t \in \mathbb{Z}_{>0}. \tag{10}$$

By using Equation (10), a deleted member can update his secret property key as a valid member does. Therefore, the authors of [15] failed to provide a group signature scheme supporting secure member deletion.
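The identities behind Sections 4.2 and 4.3 can be checked on a toy instance of the scheme. The following is an added example, not code from this paper or from [15]; it assumes, as a simplification, that $G$ is the quadratic-residue subgroup of $\mathbb{Z}_n^*$ for an RSA modulus built from safe primes (so that $d_N e_N = 1 \bmod \#G$), uses tiny constructed parameters, and implements only Step 4-1), Step 5-4), the Delete protocol and the invariants of Equations (5), (6) and (7).

```python
# Added example, not code from the paper or from [15]: a toy instance of the
# Kim-Lim-Lee scheme for checking the identities of Sections 4.2 and 4.3.
# Assumed simplification: G is the quadratic-residue subgroup of Z_n^* for
# n = pq, p = 2p'+1, q = 2q'+1 safe primes, so #G = p'q' and d_N e_N = 1 mod #G.
import random

P_PRIME, Q_PRIME = 5, 11                 # p', q' (constructed toy values)
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1  # p = 11, q = 23 (both != 1 mod 8)
N = P * Q                                # RSA modulus n = 253
ORD_G = P_PRIME * Q_PRIME                # #G = 55, known only to MM in the scheme
E_N = 3
D_N = pow(E_N, -1, (P - 1) * (Q - 1))    # d_N = 147; also d_N e_N = 1 mod #G
G_GEN = 4                                # generator g of G (order 55)
Z = pow(G_GEN, 23, N)                    # z = g^{a_0}; a_0 is unknown to members
H = pow(G_GEN, 31, N)                    # h
X_R = 17                                 # RM's secret key x_R (toy value)
Y_R = pow(G_GEN, X_R, N)                 # y_R = g^{x_R}

def inv(x):
    return pow(x, -1, N)

def rand_G():
    """A random element of G = <g>."""
    return pow(G_GEN, random.randrange(1, ORD_G), N)

def keygen_member(x):
    """Membership key (x_i, y_i) with y_i^{x_i} = z; MM uses 1/x_i mod #G."""
    return x, pow(Z, pow(x, -1, ORD_G), N)

def property_keys(ys):
    """MM: U_M = y_1 ... y_m y' and each member's U_i = (U_M / y_i)^{d_N}."""
    y_prime = rand_G()
    um = y_prime
    for y in ys:
        um = um * y % N
    return um, [pow(um * inv(y) % N, D_N, N) for y in ys], y_prime

def sign(x, y, u, w=None):
    """Step 4-1) only: (a, b, d, alpha, beta).  The signature of knowledge
    (c, s_1, s_2, s_3) is omitted because the checks below never use it."""
    w = random.randrange(1, ORD_G) if w is None else w
    a = pow(G_GEN, w, N)
    b = y * pow(Y_R, w, N) % N
    d = pow(G_GEN, x, N) * pow(H, w, N) % N
    alpha = u * pow(H, w, N) % N
    beta = pow(Y_R, w, N) * pow(H, w * E_N, N) % N
    return a, b, d, alpha, beta

def verify_step_5_4(sig, um):
    """Step 5-4): accept iff beta * U_M / alpha^{e_N} == b."""
    _, b, _, alpha, beta = sig
    return beta * um % N * inv(pow(alpha, E_N, N)) % N == b

def link_tag(sig):
    """Equation (6): d^{e_N} b / beta = y_i g^{x_i e_N}, independent of w, U_i."""
    _, b, d, _, beta = sig
    return pow(d, E_N, N) * b % N * inv(beta) % N

def period_tag(sig):
    """Equation (5): d / alpha, constant for a member while U_M is unchanged."""
    _, _, d, alpha, _ = sig
    return d * inv(alpha) % N

def delete_member(um, ys, j, y_prime):
    """Steps 3-1)..3-3): new U_M and public renewal key U_N when G_j is deleted."""
    y_pp = rand_G()
    ratio = y_pp * inv(ys[j] * y_prime % N) % N  # y'' / (y_j y')
    return um * ratio % N, pow(ratio, D_N, N), y_pp

def demo(seed=7):
    """Run the checks of Sections 4.2 and 4.3; every value should be True."""
    random.seed(seed)
    xs = [7, 13, 17]                             # members' secret primes
    ys = [keygen_member(x)[1] for x in xs]
    um, us, y_prime = property_keys(ys)
    s1, s2 = sign(xs[0], ys[0], us[0]), sign(xs[0], ys[0], us[0])
    s3 = sign(xs[1], ys[1], us[1])
    out = {"all_verify": all(verify_step_5_4(s, um) for s in (s1, s2, s3)),
           "same_member_linked": link_tag(s1) == link_tag(s2)
           and period_tag(s1) == period_tag(s2),
           "other_member_differs": link_tag(s1) != link_tag(s3)}
    # MM deletes G_3; G_3 applies the ordinary update U_3 * U_N (equation (7))
    new_um, un, _ = delete_member(um, ys, 2, y_prime)
    s_del = sign(xs[2], ys[2], us[2] * un % N)
    out["deleted_member_verifies"] = verify_step_5_4(s_del, new_um)
    out["linked_across_periods"] = link_tag(s_del) == link_tag(sign(xs[2], ys[2], us[2]))
    return out
```

`demo()` returns a dictionary whose every entry is True on this instance: Step 5-4) accepts the deleted member's signature under the new $U_M$, and the Equation (6) tag ties it to his pre-deletion signatures.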

4.4 A Member Joins the Group

Now, we want to know whether a new group member who joins the system in the time period $T_j$ can get his secret property key corresponding to a time period $T_{j'}$ where $j' < j$. Again, the answer is positive.

Assume that $G_{m+1}$ joins the system at time $\tau_j$, and gets his secret property key $U_{m+1}^{\tau_j}$ for time period $T_j$. Similar to Equation (10), we can derive the following equation:

$$U_{m+1}^{\tau_{j-t}} = (U_N^{\tau_{j-t+1}} \cdots U_N^{\tau_{j-1}} \cdot U_N^{\tau_j})^{-1} \cdot U_{m+1}^{\tau_j}, \quad \text{for any } 0 < t < j. \tag{11}$$

Therefore, if a group member $G_{m+1}$ who joins the system in time period $T_j$ can get old renewal property keys, he is able to derive his secret property keys corresponding to earlier time periods. Depending on how the signature generation date and time are bound into a signature (Lim et al. do not provide details), this kind of secret property key may enable group members who join the group later to generate back-dated group signatures. The generation time and date are normally embedded in a signature to allow a verifier to easily find the appropriate public property key $U_M$ to check the validity of a signature. In such a case, a newly joined member can use an earlier secret property key to generate signatures which look as if they were signed before he joined. In some applications, this property may not be desirable.

5 Conclusion

In this paper, we presented a security analysis of the Kim-Lim-Lee group signature scheme with a member deletion procedure [15]. Our analysis showed that this scheme is linkable and does not support secure group member deletion. More specifically, we demonstrated that a verifier can easily determine whether two group signatures are signed by the same group member, and that a deleted group member can also update his signing key and then generate valid signatures after he was deleted from the group. Furthermore, we discovered that a newly joined group member can derive signing keys corresponding to the time before he joined the group and generate back-dated group signatures. In some scenarios, this may not be a desirable property. In addition, we pointed out that the requirements for security parameters listed in [15] are not sufficient to guarantee the system security. Therefore, the Kim-Lim-Lee group signature scheme is insecure, though it provides a very efficient member deletion procedure.

References

1. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In: Advances in Cryptology - CRYPTO 2000, LNCS 1880, pages 255-270. Berlin: Springer-Verlag, 2000.
2. G. Ateniese and G. Tsudik. Some open issues and new directions in group signature schemes. In: Financial Cryptography (FC’99), LNCS 1648, pages 196-211. Berlin: Springer-Verlag, 1999.
3. N. Baric and B. Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In: Advances in Cryptology - EUROCRYPT’97, LNCS 1233, pages 480-494. Berlin: Springer-Verlag, 1997.
4. D. Boneh. The decision Diffie-Hellman problem. In: Proceedings of the Third Algorithmic Number Theory Symposium, LNCS 1423, pages 48-63. Berlin: Springer-Verlag, 1998.
5. E. Bresson and J. Stern. Efficient revocation in group signatures. In: Public Key Cryptography (PKC’01), LNCS 1992, pages 190-206. Berlin: Springer-Verlag, 2001.
6. J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In: Advances in Cryptology - CRYPTO’97, LNCS 1294, pages 410-424. Berlin: Springer-Verlag, 1997.
7. J. Camenisch and M. Michels. A group signature scheme with improved efficiency. In: Advances in Cryptology - ASIACRYPT’98, LNCS 1514, pages 160-174. Berlin: Springer-Verlag, 1998.
8. J. Camenisch and M. Michels. A group signature scheme based on an RSA-variant. Technical Report RS-98-27, BRICS, University of Aarhus, November 1998. An earlier version appears in [7].
9. J. Camenisch and A. Lysyanskaya. Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Advances in Cryptology - CRYPTO 2002, LNCS 2442, pages 61-76. Berlin: Springer-Verlag, 2002.
10. D. Chaum and E. van Heyst. Group signatures. In: Advances in Cryptology - EUROCRYPT’91, LNCS 950, pages 257-265. Berlin: Springer-Verlag, 1992.
11. L. Chen and T. P. Pedersen. New group signature schemes. In: Advances in Cryptology - EUROCRYPT’94, LNCS 950, pages 171-181. Berlin: Springer-Verlag, 1995.
12. D. Coppersmith. Finding a small root of a bivariate integer equation; factoring with high bits known. In: Advances in Cryptology - EUROCRYPT’96, LNCS 1070, pages 178-189. Berlin: Springer-Verlag, 1996.
13. W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 6(IT-22):644-654, 1976.
14. E. Fujisaki and T. Okamoto. Statistical zero-knowledge protocols to prove modular polynomial relations. In: Advances in Cryptology - CRYPTO’97, LNCS 1294, pages 16-30. Berlin: Springer-Verlag, 1997.
15. H. J. Kim, J. I. Lim, and D. H. Lee. Efficient and secure member deletion in group signature schemes. In: Information Security and Cryptology (ICISC 2000), LNCS 2015, pages 150-161. Berlin: Springer-Verlag, 2001.
16. A. Lysyanskaya and Z. Ramzan. Group blind digital signatures: A scalable solution to electronic cash. In: Financial Cryptography (FC’98), LNCS 1465, pages 184-197. Berlin: Springer-Verlag, 1998.
17. H. Petersen. How to convert any digital signature scheme into a group signature scheme. In: Security Protocols Workshop, LNCS 1361, pages 177-190. Berlin: Springer-Verlag, 1997.
18. D. X. Song. Practical forward secure group signature schemes. In: Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS 2001), pages 225-234. New York: ACM Press, 2001.