
Details

Author(s) / Contributors
Title
Insecurity of Chait et al.’s RSA-Based Aggregate Signature Scheme
Is part of
  • IEEE access, 2024, Vol.12, p.16462-16473
Place / Publisher
Piscataway: The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Year of publication
2024
Link to full text
Source
EZB-FREE-00999 freely available EZB journals
Descriptions/Notes
  • Recently, Chait et al. proposed a new aggregate signature scheme under the RSA setting (IEEE Access, 2023). In this paper, we show that Chait et al.’s aggregate signature scheme is insecure when two signers collude with their own secret keys, by presenting an attack algorithm that forges aggregate signatures of aggregator or individual signatures of all other (non-colluding) users. More concretely, our attack algorithm consists of three sub-algorithms: The first sub-algorithm computes a multiple of [Formula Omitted] from secret keys of two users where [Formula Omitted] is the RSA modulus that is included in the public parameter of the system and [Formula Omitted] is the Euler totient function. The second sub-algorithm recovers an equivalent secret key of a target user that is congruent to his/her original secret key modulo [Formula Omitted] from his/her public key and the multiple of [Formula Omitted] which is the output of the first sub-algorithm. Finally, with the equivalent secret key obtained by the second sub-algorithm, the last sub-algorithm generates valid aggregate/individual signatures of the target user. Our attack algorithm always succeeds in forging aggregate/individual signatures. Furthermore, it is lightweight in the sense that it requires several integer operations, gcd computations, and an execution of aggregate/individual signing algorithm only. For example, when the public parameter and secret keys of all users, except the target user, are provided, our experimental results demonstrate that the proposed attack algorithm takes less than 1 second only in total to forge an aggregate signature of 29 individual signatures including that of the target user, where [Formula Omitted] is 3,072 bits for 128-bit security.
Language
English
Identifiers
ISSN: 2169-3536
eISSN: 2169-3536
DOI: 10.1109/ACCESS.2024.3358849
Title ID: cdi_doaj_primary_oai_doaj_org_article_9953a73a23784166b8158a4038691aea
