Cryptanalyzing the Efficient Identity-Based RSA and GQ Multisignature Schemes

Weihan Goh, School of Computer Engineering, Nanyang Technological University, Singapore. Email: gohwh@ntu.edu.sg
Chai Kiat Yeo, School of Computer Engineering, Nanyang Technological University, Singapore. Email: asckyeo@ntu.edu.sg

Abstract—The Harn-Ren and Harn-Ren-Lin identity-based multisignature (IBMS) schemes are derived from the RSA and GQ identity-based signature (IBS) schemes respectively. These IBMS schemes were claimed to be efficient on two metrics: fixed signature length and constant verification time. This paper shows that both schemes suffer from similar flaws that allow adversaries to manipulate the list of signatories in a multisignature, with some of the attacks not even requiring the adversary to possess a valid signer key. Such flaws render the schemes impractical for real-life use, where it can be safely assumed that they will be used non-atomically. Techniques to address the flaws are also discussed and a cryptographic solution is presented.

I. INTRODUCTION

An identity-based multisignature (IBMS) scheme is a signature scheme that allows multiple parties to collectively sign a message as equal parties, where the signature can later be verified using the identities of the signers. This saves verifiers from having to store an individual public key for each signer, as the public keys can be derived from the signers' identities themselves. One such scheme was proposed by Harn and Ren in [1], based on the Shamir identity-based signature (IBS) scheme [2]. The proposed scheme is of interest because it was said to be efficient on two metrics: fixed length, in that the generated multisignature has the same length as a signature produced by the Shamir IBS scheme, and constant verification time, in that the verification time (specifically the number of modular exponentiations required) is independent of the number of signers.
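As an added illustration of the two efficiency metrics (this is not code from [1] or [2]): a toy Python implementation of Shamir's IBS scheme as described in [2], in which the private-key generator (PKG) issues g = i^d mod n to the holder of identity i and a signature on m is the pair (s, t) with t = r^e and s = g · r^{h(t,m)} mod n, together with a multiplicative aggregation of such signatures that is assumed here purely for illustration. The Harn-Ren protocol itself is not reproduced on this page, and the aggregation below should not be read as it. The primes, identities and messages are constructed and far too small for real use.

```python
"""Toy Shamir identity-based signatures (IBS) and a multiplicative
aggregation of them.  Added illustration only; parameters are constructed
and far too small for real use."""
from __future__ import annotations

import hashlib
import secrets

# Constructed toy parameters.  Assumption: a real PKG would use ~1024-bit
# primes; these are chosen only so the example runs instantly offline.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # master secret held by the PKG

MODEXP_CALLS = 0                        # counts exponentiations during verify


def modexp(base: int, exp: int) -> int:
    """Modular exponentiation with a call counter, so verification cost can
    be measured in the paper's metric (number of modular exponentiations)."""
    global MODEXP_CALLS
    MODEXP_CALLS += 1
    return pow(base, exp, N)


def identity_to_int(identity: str) -> int:
    """Public key derived from the identity string alone; no certificate."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % N


def extract_key(identity: str) -> int:
    """PKG hands the identity holder g = i^d mod n (an RSA signature on i)."""
    return pow(identity_to_int(identity), D, N)


def h(t: int, msg: bytes) -> int:
    """Hash binding the commitment t to the message; used as an exponent."""
    data = t.to_bytes((N.bit_length() + 7) // 8, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(g: int, msg: bytes) -> tuple[int, int]:
    """Shamir IBS: pick r, t = r^e, s = g * r^h(t,m).  Signature is (s, t)."""
    r = secrets.randbelow(N - 1) + 1
    t = pow(r, E, N)
    return g * pow(r, h(t, msg), N) % N, t


def verify(identity: str, msg: bytes, sig: tuple[int, int]) -> bool:
    """Check s^e == i * t^h(t,m) mod n using only the signer's identity."""
    s, t = sig
    return modexp(s, E) == identity_to_int(identity) * modexp(t, h(t, msg)) % N


def multisign(keys: dict[str, int], msg: bytes) -> tuple[int, int]:
    """Aggregation assumed for illustration (not the protocol of [1]):
    round 1, every signer broadcasts t_j; round 2, every signer computes
    s_j under the common hash h(T, m) with T = prod t_j.  Output is (S, T),
    the same shape as a single Shamir signature."""
    rs = {ident: secrets.randbelow(N - 1) + 1 for ident in keys}
    ts = {ident: pow(r, E, N) for ident, r in rs.items()}
    T = 1
    for t in ts.values():
        T = T * t % N
    hh = h(T, msg)                       # same exponent for every signer
    S = 1
    for ident, g in keys.items():
        S = S * g * pow(rs[ident], hh, N) % N
    return S, T


def multiverify(identities, msg: bytes, sig: tuple[int, int]) -> bool:
    """S^e == (prod i_j) * T^h(T,m) mod n.  Only the identity list is needed,
    and only two exponentiations are done however many signers there are;
    combining the identities costs multiplications only."""
    S, T = sig
    prod_id = 1
    for ident in identities:
        prod_id = prod_id * identity_to_int(ident) % N
    return modexp(S, E) == prod_id * modexp(T, h(T, msg)) % N


def multiverify_cost(identities, msg: bytes, sig) -> tuple[bool, int]:
    """Verify and report how many modular exponentiations it took."""
    global MODEXP_CALLS
    MODEXP_CALLS = 0
    ok = multiverify(identities, msg, sig)
    return ok, MODEXP_CALLS


if __name__ == "__main__":
    signers = ["alice@example.com", "bob@example.com", "carol@example.com"]
    keys = {ident: extract_key(ident) for ident in signers}
    msig = multisign(keys, b"constructed message")
    print(multiverify_cost(signers, b"constructed message", msig))  # (True, 2)
```

A one-signer run of multisign verifies under the plain Shamir verify, which is the fixed-length property in concrete form, and multiverify_cost reports two exponentiations whether it is handed one identity or a hundred. Note also that the signature pair carries no record of who signed: the verifier is handed the identity list separately, and it is that list which the abstract describes the attacks as manipulating.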
The scheme by Harn and Ren is a parallel scheme, which requires broadcasting and synchronization of the signature generation steps. It is essentially an extension of the Shamir IBS scheme, and could therefore be implemented by those who have already adopted, or are seeking to adopt, Shamir's IBS scheme. Given that the scheme uses the operations of the Shamir IBS scheme, the two schemes could in theory co-exist. Such efficiency and practicality would be very beneficial to areas that could use identity-based multisignature schemes, provided the security of the scheme is sound. That, however, is not exactly the case.

In [3], Yang, Lo and Liao outlined two attacks on the Harn and Ren scheme, though it appears that only the second attack is useful (the first was directed at what was essentially a typographical error in [1]). Nevertheless, it demonstrates a weakness in the scheme when used with small public exponent values. In addition to [3], a paper by Li and Zhu describes yet another weakness in the Harn and Ren scheme, this time allowing an adversary to obtain a multisignature purportedly from a set of signers by engaging each of the signers separately [4] (i.e. no signer knows it is signing together with the other signers). It will be shown later that this attack is merely a specific instance of a more general attack.

After [1], Harn and Ren, together with Lin, introduced a second identity-based multisignature scheme [5], this time based on the Guillou and Quisquater (GQ) identity-based signature scheme [6]. The scheme follows a somewhat similar broadcast-and-synchronization mechanism to generate the multisignature, and is essentially an extension of the underlying GQ IBS scheme.

In this article, it will be shown that both the schemes in [1] and [5] suffer from similar flaws that allow an adversary to:

1) Add signer(s) to a multisignature without any of the original signers' consent.
2) Forge a multisignature purportedly from a set of signers, without the signers' consent regarding the composition of the signer set.

The remainder of this paper is organized as follows: Section II describes the protocols in [1] and [5], as well as the underlying protocols they are based on. Section III details the attacks against the protocols. Section IV presents a cryptographic technique to address the flaws. Section V concludes the paper.

II. BACKGROUND AND RELATED WORKS

Identity-based signature (IBS) schemes are asymmetric-key signature schemes that use the identity of the signer as the public key in the verification process. Unlike traditional digital signatures, there is no need for a verifier to obtain the signer's public key prior to verification, as that key is deducible from the signer's identity. IBS was first presented by Shamir in [2], based on the hardness of integer factorization. It has been proven

978-1-4799-0959-9/14/$31.00 © 2014 IEEE