Sie befinden Sich nicht im Netzwerk der Universität Paderborn. Der Zugriff auf elektronische Ressourcen ist gegebenenfalls nur via VPN oder Shibboleth (DFN-AAI) möglich. mehr Informationen...
Insecurity of Chait et al.’s RSA-Based Aggregate Signature Scheme
Ist Teil von
IEEE access, 2024, Vol.12, p.16462-16473
Ort / Verlag
Piscataway: The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Erscheinungsjahr
2024
Link zum Volltext
Quelle
EZB-FREE-00999 freely available EZB journals
Beschreibungen/Notizen
Recently, Chait et al. proposed a new aggregate signature scheme under the RSA setting (IEEE Access, 2023). In this paper, we show that Chait et al.’s aggregate signature scheme is insecure when two signers collude with their own secret keys, by presenting an attack algorithm that forges aggregate signatures of aggregator or individual signatures of all other (non-colluding) users. More concretely, our attack algorithm consists of three sub-algorithms: The first sub-algorithm computes a multiple of [Formula Omitted] from secret keys of two users where [Formula Omitted] is the RSA modulus that is included in the public parameter of the system and [Formula Omitted] is the Euler totient function. The second sub-algorithm recovers an equivalent secret key of a target user that is congruent to his/her original secret key modulo [Formula Omitted] from his/her public key and the multiple of [Formula Omitted] which is the output of the first sub-algorithm. Finally, with the equivalent secret key obtained by the second sub-algorithm, the last sub-algorithm generates valid aggregate/individual signatures of the target user. Our attack algorithm always succeeds in forging aggregate/individual signatures. Furthermore, it is lightweight in the sense that it requires several integer operations, gcd computations, and an execution of aggregate/individual signing algorithm only. For example, when the pubic parameter and secret keys of all users, except the target user, are provided, our experimental results demonstrate that the proposed attack algorithm takes less than 1 second only in total to forge an aggregate signature of 29 individual signatures including that of the target user, where [Formula Omitted] is 3,072 bits for 128-bit security.