Cryptanalysis of the Structure-Preserving Signature Scheme on Equivalence Classes from Asiacrypt 2014

At Asiacrypt 2014, Hanser and Slamanig presented a new cryptographic primitive called structure-preserving signature scheme on equivalence classes in the message space (G1), where G1 is some additive cyclic group. Based on the signature scheme, they constructed an efficient multi-show attribute-based anonymous credential system that allows to encode an arbitrary number of attributes. The signature scheme was claimed to be existentially unforgeable under the adaptive chosen message attacks in the generic group model. However, for ` = 2, Fuchsbauer pointed out a valid existential forgery can be generated with overwhelming probability by using 4 adaptive chosen-message queries. Hence, the scheme is existentially forgeable under the adaptive chosen message attack at least when ` = 2. In this paper, we show that even for the general case ` ≥ 2, the scheme is existentially forgeable under the non-adaptive chosen message attack and universally forgeable under the adaptive chosen message attack. It is surprising that our attacks will succeed all the time and need fewer queries, which give a better description of the scheme’s security.