On the Security of A Short ID-based Group Signature Scheme

Group signature is an important anonymous technique. Two primitive properties of group signature is anonymity and unforgeability. It allows a group member to sign messages anonymously on behalf of the group such that any one can verify the signature but no one (except group manager) can find out which group member produce it. However, group manager can reveal the identity of the originator of a signature in case of a dispute. Recently Elaalim et.al proposed a short ID-based group signature, and claimed that the scheme is secure against forgeability attack and linkability attack. Unfortunately, in the paper, we show that the scheme is insecure, it exists universal forgeability, namely, anyone can forge a group signature on arbitrary message; and the scheme is linkable, namely, given two different group signatures, anyone can distinguish whether they are produced by the signer. Finally, the corresponding attacks are mounted, and the reason to such attacks are analyzed.