On the Linkability of Some Group Signature Schemes

A group signature scheme is a digital signature scheme that allows a group member to sign messages anonymously on behalf of the group. Recently, Tseng and Jan proposed two group signature schemes based on self-certified and ID-based public keys respectively. However, these two schemes were shown to be insecure against forgery due to Joye et al. Later, Sun et al. showed that Tseng and Jan’s self-certified group signature scheme is linkable. In this paper, we first point out that the proposed linking equation, which is used to check the linkability of Tseng and Jan’s self-certified scheme, cannot work because the inverse problem of RSA is hard. A repaired linking equation is consequently proposed to fix this problem. Then, we show that Tseng and Jan’s IDbased scheme is still linkable because given any two valid group signatures it is easy to decide whether these two group signatures are generated by the same group member or not.