Insecurity of Chait et al.'s RSA-Based Aggregate Signature Scheme (open access)

Authors
Park, Chanhyeok; Cho, Sangrae; Cho, Young-Seob; Kim, Soohyung; Lee, Hyung Tae
Issue Date
2024
Publisher
Institute of Electrical and Electronics Engineers Inc.
Keywords
Security analysis; aggregate signature; RSA-based; collusion attacks; secret key recovery
Citation
IEEE Access, v.12, pp 16462 - 16473
Pages
12
Journal Title
IEEE Access
Volume
12
Start Page
16462
End Page
16473
URI
https://scholarworks.bwise.kr/cau/handle/2019.sw.cau/72770
DOI
10.1109/ACCESS.2024.3358849
ISSN
2169-3536
Abstract
Recently, Chait et al. proposed a new aggregate signature scheme under the RSA setting (IEEE Access, 2023). In this paper, we show that Chait et al.'s aggregate signature scheme is insecure when two signers collude with their own secret keys, by presenting an attack algorithm that forges aggregate signatures of the aggregator or individual signatures of all other (non-colluding) users. More concretely, our attack algorithm consists of three sub-algorithms. The first sub-algorithm computes a multiple of φ(N) from the secret keys of two users, where N is the RSA modulus that is included in the public parameter of the system and φ is the Euler totient function. The second sub-algorithm recovers an equivalent secret key of a target user that is congruent to his/her original secret key modulo φ(N) from his/her public key and the multiple of φ(N) which is the output of the first sub-algorithm. Finally, with the equivalent secret key obtained by the second sub-algorithm, the last sub-algorithm generates valid aggregate/individual signatures of the target user. Our attack algorithm always succeeds in forging aggregate/individual signatures. Furthermore, it is lightweight in the sense that it requires only several integer operations, gcd computations, and an execution of the aggregate/individual signing algorithm. For example, when the public parameter and secret keys of all users, except the target user, are provided, our experimental results demonstrate that the proposed attack algorithm takes less than 1 second in total to forge an aggregate signature of 29 individual signatures including that of the target user, where N is 3,072 bits for 128-bit security. © 2013 IEEE.
Appears in Collections
College of Software > School of Computer Science and Engineering > 1. Journal Articles

Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.

Related Researcher

Lee, Hyungtae
College of Software (School of Software)