Cryptanalysis of a Digital Signature Scheme on ID-Based Key-Sharing Infrastructures

Authors:
Hongjun Wu;Feng Bao;Robert H. Deng
Affiliations:
-;-;-
Venue:
PKC '01 Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Year:
2001

Citing 10
Cited 0

Identity-based cryptosystems and signature schemes

Proceedings of CRYPTO 84 on Advances in cryptology
Use of elliptic curves in cryptography

Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
Public-key systems based on the difficulty of tampering (Is there a difference between DES and RSA?)

Proceedings on Advances in cryptology---CRYPTO '86
A matrix key-distribution scheme

Journal of Cryptology
Multisecret threshold schemes

CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Broadcast encryption

CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
On the Key Predistribution System: A Practical Solution to the Key Distribution Problem

CRYPTO '87 A Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology
Perfectly-Secure Key Distribution for Dynamic Conferences

CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology
A New Digital Signature Scheme on ID-Based Key-Sharing Infrastructures

ISW '99 Proceedings of the Second International Workshop on Information Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

At ISW'99, Nishioka, Hanaoka and Imai proposed a digital signature scheme on ID-based key-sharing infrastructures. That signature scheme is claimed to be secure if the discrete logarithm problem is hard to solve. Two schemes (the ID-type and the random-type schemes) based on the linear scheme for the Key Predistribution Systems (KPS) and the discrete logarithm problem (DLP) were given. In this paper we show that those two schemes fail to meet the nonrepudiation requirement: with negligible amount of computation, a signature could be forged. For the ID-type signature scheme, any verifier could forge a signature to raise repudiation between that verifier and the signer. The random type signature scheme has the same weakness. Furthermore, for the random-type signature scheme, once a signer issued a signature, anyone (not only the user in the scheme) could forge that signer's signature for a n arbitrary message.