Information Processing Letters 71 (1999) 1–4

Attacks on threshold signature schemes with traceable signers

Yuh-Min Tseng, Jinn-Ke Jan ∗

Institute of Applied Mathematics, National Chung Hsing University, Taichung, Taiwan 402

∗ Corresponding author. Email: jkjan@amath.nchu.edu.tw.

Received 6 April 1999; received in revised form 1 July 1999
Communicated by K. Iwama

Abstract

In 1998, Wang et al. proposed two new (t,n)-threshold signature schemes with traceable signers that can withstand conspiracy attacks without attaching a secret number. However, this article will show that the proposed schemes are insecure by presenting a forgery attack on them. Any malicious attacker can generate a valid group signature for any message without knowing any secret keys of members in a group. © 1999 Elsevier Science B.V. All rights reserved.

Keywords: Cryptography; Threshold signature; Group-oriented cryptography

1. Introduction

A group-oriented (or (t,n)-threshold) signature is a method in which only certain subsets of a group can collaborate to produce a valid signature on behalf of the group. It should not be confused with the notion of group signature presented in [8]. A group signature is a kind of signature scheme that allows individual members of a group to make signatures on behalf of the group. In the case of a later dispute, the signer can be identified by a group authority.

In 1991, Desmedt and Frankel [1] first proposed the concept of a (t,n)-threshold signature scheme based on the RSA system [6]. The (t,n)-threshold signature scheme [1] has the feature that t or more members of the group can cooperate to generate a valid group signature on behalf of the group. The verifier can verify the validity of the group signature without identifying the signers. Moreover, Harn [3] employed Lagrange interpolating polynomials and ElGamal's signature scheme [2] to construct another (t,n)-threshold signature scheme.
Unfortunately, both schemes [1,3] suffer from conspiracy attacks, and the secret keys of the group can be revealed [4]. To avoid the conspiracy attacks, Li et al. [4] proposed a new (t,n)-threshold signature scheme with traceable signers. The proposed scheme attaches a random number to the secret key held by each member, so that the security of the scheme is guaranteed. Meanwhile, the additional random number gives the (t,n)-threshold signature scheme the property of traceability. However, Michels and Horster [5] showed that the signer cannot make sure who his co-signers are in Li et al.'s scheme. This weakness violates the property of traceability. Recently, Wang et al. [7] proposed two (t,n)-threshold signature schemes with traceable signers. Both schemes can withstand conspiracy attacks without attaching a secret number as in Li et al.'s scheme. One is a threshold signature scheme with the assistance of

0020-0190/99/$ – see front matter © 1999 Elsevier Science B.V. All rights reserved. PII: S0020-0190(99)00078-2