Attack on Libert et al.＇s ID-Based Undeniable Signature Scheme.pdfVIP

ChineseJourna1ofElectronics Vo1．17，No．4，Oct．2008 Attack on Liberteta1．’sID—BasedUndeniable SignatureScheme术 LIZichen ．YAN Yunsheng。andZHANG Juanmei。 (1．DepartmentD，InformationSecurity，BeijingEelctronicScienceandTechnologyInstitute，Beijing100070，China) (2．College Science，HenanUniversityofTechnology，Zhengzhou450052，China) (3．DepartmentofBasicSciences，BeijingEelctronicScienceandTechnologyInstitute，Beijing100070,China) Abstract——In2004，Libertand Quisquaterproposed LetG1beanadditivegroupofprimeorderqandG2bea an identitybased undeniablesignatureschem eusing pair- multiplicativegroupofthesameorder．A cryptographicbilin— ingsover elliptic curves．In this paper，we show that the earpairingisamapping ：G1×G1 G2thatsatisfiesthe schem e is notsecure． In otherwords，ifa signerreveala followingproperties： pairofsignature and m essage，an adversary can forge the signer’ssignatureforarbitrary m essage．Thesignaturewill 1． Bilinearity：VP，Q ∈G1，Va，b ∈ Zq，wehave beconfirmed with thisprotocol，and can notbedenied by (0P，bQ)= (P，Q)； the signer． M ore im portantly,through this exam ple，we 2．Non—degeneracy：VP ∈G1，ifP≠0，thena(P，P)≠1； illustrate thatthe bilinear property ofpairings，although 3．Computability：Themapping can beefficientlycorn— isusefulof rthe design ofcryptographic schem es，isalso a puted． source ofrsecurity flaws． Libertetaf．’sidentitybasedundeniablesignaturescheme Key words-———ID ·b·ased cryptography,U ndeniable sig- consistsoffivealgorithms：Setup，Keygen，Sign，Confirm ， nature，Attck，Bilinearpairin