Remarks on ''Analysis of one popular group signature scheme'' in Asiacrypt 2006
Authors
Abstract
In [3], a putative framing “attack” against the ACJT group signature scheme [1] is presented. This note shows that the attack framework considered in [3] is invalid. As we clearly illustrate, there is no security weakness in the ACJT group signature scheme as long as all the detailed specifications in [1] are being followed.

Group signature schemes allow a group member to sign messages anonymously on behalf of the group. In case of a dispute, the group manager (GM) can recover the identity of the actual signer. In [1], Ateniese, Camenisch, Joye, and Tsudik introduced a provably secure group signature scheme, the so-called ACJT scheme. In an upcoming paper [3], Cao presents an alleged framing attack against the ACJT scheme. This attack is based on the assumption that the GM knows the value $t = \log_{a_0} a$. This assumption is clearly invalid in the verifiable setting considered in [1], since the parameters $a$ and $a_0$ are verifiably random to GM.

Although a verifiable setting involves no trusted party, evidence that the parameters are well-formed must be provided. For random parameters this means that they are generated as the outputs of practical pseudo-random functions (PRFs) or pseudo-random permutations (PRPs), such as those based on SHA or AES. This is needed in order to generate an unpredictable output sequence. The SETUP phase in [1] is assumed to be verifiable. We quote directly from [1]: “... We note that, in practice, components of $\mathcal{Y}$ must be verifiable to prevent framing attacks ...” (where $\mathcal{Y}$ is the group signature public key). The above is general enough to completely invalidate the assumption underlying the alleged framing attack in [3]. However, we admit that the original paper [1] does not describe exactly how GM selects the values $a$ and $a_0$ (e.g., as a function of $h(S)$ and $h(S_0)$, respectively, for a standard hash function $h(\cdot)$ and public strings $S$ and $S_0$). Refer to the IEEE P1363 and ANSI X9.62 standards for prominent examples of methods used to generate verifiably random parameters.

We further note that a verifiable or trusted SETUP phase is a common assumption among many group signature schemes in the literature. For instance, the work of Kiayias and Yung [4] (which provides a full proof of a variant of the ACJT scheme in a complete security model) assumes the SETUP phase to be a trusted operation. However, we stress that the ACJT scheme is secure as long as $t = \log_{a_0} a$ is unknown. As the proof that GM cannot frame users was rather condensed in [1], we expand it here.

Indeed, it is not hard to see that an ACJT group signature amounts to a proof of knowledge of values $u$ and $v$ such that
$$(T_1 / T_2^{x})^{u} \equiv a^{v} a_0 \pmod n,$$
where $x = \log_g y$ (one of GM's secret keys). Now, we note that, if $T_1 / T_2^{x} \equiv A_i \pmod n$ for some user $U_i$, it follows that
$$A_i^{u} \equiv a^{v} a_0 \pmod n.$$
In other words, the party who generated a group signature must know values $u$ and $v$ such that this equation holds. A group member $U_i$ is able to do so using $u = e_i$ and $v = x_i$ as witnesses. GM might be able to do so as well, provided that it knows $t = \log_{a_0} a$ (and can thus frame any user $U_i$), by setting $u = k(p'q')$ for some $k$ such that $u$ lies in the required range (and thus $u \equiv 0 \pmod{p'q'}$), and $v = -1/t \bmod p'q'$ (cf. Cao [3]).

We now show that, if GM does not know $\log_{a_0} a$, it is unable to frame a user $U_i$, i.e., to compute a group signature with $T_1 / T_2^{x} \equiv A_i \pmod n$. For the sake of the argument, let us assume that the factorization of $n = pq = (2p'+1)(2q'+1)$ is known. We argue that, if GM can produce a group signature with $T_1 / T_2^{x} \equiv A_i \pmod n$, then it can compute either $\log_{a_0} a$ or a representation of $C_2$ w.r.t. the random bases $a$ and $a_0$, where $C_2$ is computed as $a^{x_i} \pmod n$ during the JOIN protocol by the user $U_i$. From the JOIN protocol in [1], we know that $A_i \equiv (C_2 a_0)^{1/e_i} \pmod n$ holds. Therefore, we conclude that $u$ and $v$ must satisfy
$$C_2^{u} \equiv (A_i^{e_i})^{u}\, a_0^{-u} \equiv a^{v e_i}\, a_0^{e_i - u} \pmod n.$$

First, we assume that $u \equiv 0 \pmod{p'q'}$. Then we have $1 \equiv (a^{v} a_0)^{e_i} \pmod n$. Now, provided that $\gcd(e_i, p'q') = 1$ (otherwise GM would leak the factorization of $n$ in the JOIN protocol, and this can be verified by $U_i$), we can conclude that computing a $v$ satisfying $a^{v} a_0 \equiv 1 \pmod n$ (i.e., $v = -1/t \bmod p'q'$)‡ is infeasible under the discrete logarithm assumption. Thus we get a contradiction and can rule out that $u \equiv 0 \pmod{p'q'}$. W.l.o.g., we now assume that $u \not\equiv 0 \pmod{p'}$. In this case, since we assume that $p'$ is known, $e_i / u \bmod p'$ can be computed and thus
$$C_2 \equiv a^{v e_i / u}\, a_0^{(e_i - u)/u} \pmod p,$$
i.e., a representation of $C_2$ w.r.t. the random bases $a_0$ and $a$ in a group of (known) prime order, which is infeasible under the discrete logarithm assumption [2] since $C_2$ was chosen randomly by $U_i$. In all cases, we have a contradiction. □

‡ Note that $\gcd(t, p'q') = 1$ since $a$ is of order $p'q'$.

In conclusion, provided that the discrete logarithm problem is hard and that $\log_{a_0} a$ is unknown, the ACJT group signature scheme is provably secure against framing by GM. We point out, once again, that $\log_{a_0} a$ is unknown in the verifiable setting, as in [1], where GM provides evidence that $a$ and $a_0$ are indeed random. It is similarly unknown in a trusted setting, as in [4], where the generation of $a$, $a_0$ is trusted.

Acknowledgments. We are grateful to Aggelos Kiayias and Moti Yung for their insightful comments and suggestions. We thank Zhengjun Cao for providing us with a copy of [3] upon our request.
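The following toy instance is an added illustration, not code from this note or from [1]: it derives $a$ and $a_0$ verifiably from public strings (the hash-and-square construction is an assumption, since the note says [1] leaves the derivation unspecified), runs GM's JOIN step, checks the relation $A_i^{u} \equiv a^{v} a_0 \pmod n$ with the honest witnesses $(e_i, x_i)$, and performs the opening $T_1 / T_2^{x}$. The safe primes are constructed toy values.

```python
import hashlib
from math import gcd

# Constructed toy ACJT-style modulus: safe primes p = 2p'+1, q = 2q'+1 (far too
# small for real use; only the algebraic structure matters here).
PP, QQ = 11, 23                 # p', q'
P, Q = 2 * PP + 1, 2 * QQ + 1   # 23, 47
N = P * Q                       # 1081
ORDER_QR = PP * QQ              # order of QR_n, known only to GM

def hash_to_qr(label: bytes, n: int) -> int:
    """Derive a verifiably random unit of QR_n (order dividing p'q') from a
    public string: hash with a counter, reject non-units and square roots
    of 1, then square. Assumed construction; [1] does not fix one."""
    for ctr in range(2 ** 16):
        digest = hashlib.sha256(label + ctr.to_bytes(2, "big")).digest()
        h = int.from_bytes(digest, "big") % n
        if 1 < h < n and gcd(h, n) == 1 and h * h % n != 1:
            return h * h % n
    raise ValueError("no suitable element found")

def verify_params(a: int, a0: int, s: bytes, s0: bytes, n: int) -> bool:
    """Anyone can re-derive a and a0 from S, S0, so GM cannot pick them
    with a known t = log_{a0} a."""
    return a == hash_to_qr(s, n) and a0 == hash_to_qr(s0, n)

def join(x_i: int, e_i: int, a: int, a0: int) -> int:
    """GM's JOIN step: A_i = (C_2 a0)^{1/e_i} mod n with C_2 = a^{x_i}."""
    if gcd(e_i, ORDER_QR) != 1:      # otherwise 1/e_i mod p'q' does not exist
        raise ValueError("e_i must be coprime to p'q'")
    c2 = pow(a, x_i, N)
    d = pow(e_i, -1, ORDER_QR)
    return pow(c2 * a0 % N, d, N)

def member_relation_holds(A_i: int, u: int, v: int, a: int, a0: int) -> bool:
    """The relation a signature proves knowledge of: A_i^u = a^v a0 (mod n).
    An honest member satisfies it with u = e_i, v = x_i."""
    return pow(A_i, u, N) == pow(a, v, N) * a0 % N

def open_signature(T1: int, T2: int, x: int) -> int:
    """GM's opening: with T1 = A_i y^w, T2 = g^w and y = g^x, T1 / T2^x = A_i."""
    return T1 * pow(pow(T2, x, N), -1, N) % N
```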
Related references
Analysis of One Popular Group Signature Scheme
The group signature scheme [1], ACJT for short, is popular. In this paper we show that it is not secure. It does not satisfy exculpability. The group manager can sign on behalf of any group member. The drawback found in the scheme shows that some inductions are not sound, though they are prevalent in some so-called security proofs.
The Identity Escrow (Group Signature) Scheme at CT-RSA'05 Is Not Non-frameable
Following an attack against exculpability, put forward on Asiacrypt’06, of ACJT’s group signature, we further found Nguyen’s identity escrow (group Signature) scheme did not satisfy non-frameabiliy either.
An ECC-Based Mutual Authentication Scheme with One Time Signature (OTS) in Advanced Metering Infrastructure
Advanced metering infrastructure (AMI) is a key part of the smart grid; thus, one of the most important concerns is to offer a secure mutual authentication. This study focuses on communication between a smart meter and a server on the utility side. Hence, a mutual authentication mechanism in AMI is presented based on the elliptic curve cryptography (ECC) and one time signature (OTS) consists o...
Fully Anonymous Attribute Tokens from Lattices
Anonymous authentication schemes such as group signatures and anonymous credentials are important privacy-protecting tools in electronic communications. The only currently known scheme based on assumptions that resist quantum attacks is the group signature scheme by Gordon et al. (ASIACRYPT 2010). We present a generalization of group signatures called anonymous attribute tokens where users are ...
Constant-size Group Signatures from Lattices
Lattice-based group signature is an active research topic in recent years. Since the pioneering work by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010), ten other schemes have been proposed, providing various improvements in terms of security, efficiency and functionality. However, in all known constructions, one has to fix the number N of group users in the setup stage, and as a consequence, ...
Cryptanalysis of the Structure-Preserving Signature Scheme on Equivalence Classes from Asiacrypt 2014
At Asiacrypt 2014, Hanser and Slamanig presented a new cryptographic primitive called structure-preserving signature scheme on equivalence classes in the message space (G1), where G1 is some additive cyclic group. Based on the signature scheme, they constructed an efficient multi-show attribute-based anonymous credential system that allows to encode an arbitrary number of attributes. The signat...
Journal: IJACT
Volume: 1
Pages: -
Publication year: 2006