Attacks Based on Small Factors in Various Group Structures

  • Chris Pavlovski
  • Colin Boyd
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2119)


We describe new attacks on some well-known signature schemes. The attacks are related to Lim and Lee's key recovery attacks in prime order subgroups [19], and exploit small factors in the order of the group in which a protocol is run. Several new attack scenarios are described in which the group order is prime, composite, or unknown to the attacker. The attacks compromise particular properties of complex protocols, such as identity revelation by the revocation manager in a group signature scheme, or owner tracing in fair electronic cash. We suggest that safe primes should be used in all such protocols, together with a proof that the parameters were selected safely.
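The mechanism behind the abstract's "small factors" can be shown concretely. The following is an added example written for this page, not code from the paper or its authors. It constructs a toy prime p whose group order p-1 has several small prime factors, lets a static-key Diffie-Hellman responder exponentiate an attacker-chosen element of small order, and recovers the responder's secret modulo the product of those small factors in the style of Lim and Lee [19]. Everything here is an assumption for illustration: the parameter sizes are tiny so the code runs in well under a second, the `NaiveParty` oracle hands back h^x directly (a real attacker would instead see a MAC or ciphertext keyed from h^x and test the r candidates offline), and the class and function names are my own. The `CheckedParty` variant and `is_safe_prime` show the two checks a practitioner would add: reject any received element outside the prime-order subgroup, and insist on a safe prime so that no small-order subgroups exist at all.

```python
"""Lim-Lee style small-subgroup key recovery, with the checks that stop it.

Added example for this page; toy parameters, not the paper's code."""
from math import prod

SMALL_PRIMES = [2, 3, 5, 7, 11, 13]   # small factors we deliberately plant in p-1
M = prod(SMALL_PRIMES)                # 30030: the attacker learns x mod M


def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def weak_params(q_start: int = 10007):
    """Return (p, q, g): p = M*q + 1 prime, q prime, g a generator of Z_p^*.

    p is NOT a safe prime: p-1 = M*q has every factor in SMALL_PRIMES."""
    q = q_start
    while not (is_prime(q) and is_prime(M * q + 1)):
        q += 1
    p = M * q + 1
    for g in range(2, p):
        if all(pow(g, (p - 1) // r, p) != 1 for r in SMALL_PRIMES + [q]):
            return p, q, g
    raise RuntimeError("no generator found")


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i into x mod prod(m_i)."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, mi)) % mi
        x += m * t
        m *= mi
    return x % m


class NaiveParty:
    """Static-key DH responder that exponentiates whatever element it is given.

    Assumed simplification: it returns h^x itself rather than something derived
    from it, which only saves the attacker an offline brute force of r values."""
    def __init__(self, p, q, g, x):
        self.p, self.q, self.g, self.x = p, q, g, x
        self.pub = pow(pow(g, M, p), x, p)      # public key lives in the order-q subgroup

    def shared_secret(self, h):
        return pow(h, self.x, self.p)


class CheckedParty(NaiveParty):
    """Same responder, but refuses any h that is not in the order-q subgroup."""
    def shared_secret(self, h):
        if not (1 < h < self.p - 1) or pow(h, self.q, self.p) != 1:
            raise ValueError("peer value not in the prime-order subgroup")
        return super().shared_secret(h)


def small_subgroup_attack(party, p, g):
    """For each small r | p-1 send h_r of order r; h_r^x reveals x mod r."""
    residues = []
    for r in SMALL_PRIMES:
        h_r = pow(g, (p - 1) // r, p)           # element of order exactly r
        y_r = party.shared_secret(h_r)          # depends only on x mod r
        residues.append(next(t for t in range(r) if pow(h_r, t, p) == y_r))
    return crt(residues, SMALL_PRIMES)


def is_safe_prime(p: int) -> bool:
    """A safe prime p = 2q' + 1 leaves only the subgroups of order 1, 2, q', 2q'."""
    return is_prime(p) and is_prime((p - 1) // 2)


def demo(x: int = 9001):
    """Run the attack against the naive and the checked responder."""
    p, q, g = weak_params()
    assert 0 < x < q                             # x < M here, so x mod M is all of x
    recovered = small_subgroup_attack(NaiveParty(p, q, g, x), p, g)
    try:
        small_subgroup_attack(CheckedParty(p, q, g, x), p, g)
        blocked = False
    except ValueError:
        blocked = True
    return {"p": p, "q": q, "safe_prime": is_safe_prime(p),
            "recovered": recovered, "recovered_modulus": M, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

With a real-sized q the secret would not be smaller than M, and the attacker would learn only x mod M; that partial leak is exactly what the abstract refers to when it says the attacks "compromise certain properties" of a protocol rather than breaking it outright, and it is enough to link a revocation manager's or tracer's exponentiations to a particular key. The subgroup check in `CheckedParty` costs one extra exponentiation per received element; choosing a safe prime removes the small-order subgroups so that no such element exists.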


Keywords (machine-generated, not supplied by the authors): Signature Scheme; Group Manager; Discrete Logarithm; Small Factor; Collusion Attack




  1. Giuseppe Ateniese and Gene Tsudik, Some Open Issues and New Directions in Group Signatures, Financial Cryptography '99, Springer-Verlag, 1999.
  2. F. Boudot, On the Soundness of Girault's Scheme, poster paper at the Eurocrypt 2000 Rump Session, 2000.
  3. S. Brands, Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy, PhD dissertation, Ponsen & Looijen BV Publishing, September 1999.
  4. S. Brands, An Efficient Off-line Electronic Cash System Based on the Representation Problem, Technical Report CS-R9323, CWI, 1993.
  5. S. Brands, Untraceable Off-line Cash in Wallet with Observers, Advances in Cryptology - Crypto '93, LNCS, Vol. 773, pp. 302–318, Springer-Verlag, 1993.
  6. M. Burmester, A Remark on the Efficiency of Identification Schemes, Advances in Cryptology - Eurocrypt '90, pp. 493–495, Springer-Verlag, 1991.
  7. Jan Camenisch and Markus Michels, A Group Signature Scheme with Improved Efficiency, Advances in Cryptology - Asiacrypt '98, pp. 160–174, Springer-Verlag, 1998. (Revised version available online.)
  8. D. Chaum and E. van Heyst, Group Signatures, Advances in Cryptology - Eurocrypt '91, pp. 257–265, Springer-Verlag, 1991.
  9. J. Camenisch and M. Stadler, Efficient Group Signature Schemes for Large Groups, Advances in Cryptology - Crypto '97, pp. 410–424, Springer-Verlag, 1997.
  10. Jan Camenisch and Markus Michels, Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes, Advances in Cryptology - Eurocrypt '99, pp. 106–121, Springer-Verlag, 1999.
  11. D. Chaum, Blind signature system, Advances in Cryptology: Proceedings of Crypto '83, pp. 153–156, Plenum Publishing, 1984.
  12. D. Chaum and T. Pedersen, Wallet databases with observers, Crypto '92, pp. 89–105, 1992.
  13. R. Cramer, R. Gennaro and B. Schoenmakers, A Secure and Optimally Efficient Multi-Authority Election Scheme, Advances in Cryptology - Eurocrypt '97, pp. 103–118, Springer-Verlag, 1997.
  14. W. Diffie and M. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, 1976.
  15. A. Fiat and A. Shamir, How to prove yourself: practical solutions to identification and signature problems, Advances in Cryptology - Crypto '86, pp. 186–194, Springer-Verlag, 1986.
  16. Y. Frankel, Y. Tsiounis and M. Yung, Indirect Discourse Proofs: Achieving Efficient Fair Off-Line E-Cash, Asiacrypt '96, pp. 286–300, Springer-Verlag, 1996.
  17. Marc Girault, An identity-based identification scheme based on discrete logarithms modulo a composite number, Advances in Cryptology - Eurocrypt '90, pp. 481–486, Springer-Verlag, 1990.
  18. J. van de Graaf and R. Peralta, A Simple and Secure Way to Show the Validity of Your Public Key, Advances in Cryptology - Crypto '87, pp. 128–134, Springer-Verlag, 1987.
  19. C.H. Lim and P.J. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, in Burton S. Kaliski Jr. (Ed.), Advances in Cryptology - Crypto '97, LNCS, Vol. 1294, pp. 249–263, Springer-Verlag, 1997.
  20. S.C. Pohlig and M.E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transactions on Information Theory, IT-24(1), pp. 106–110, 1978.
  21. R. Rivest, A. Shamir and L. Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Communications of the ACM, 21, pp. 120–126, 1978.
  22. C.P. Schnorr, Efficient Signature Generation for Smart Cards, Advances in Cryptology - Crypto '89, pp. 239–252, Springer-Verlag, 1990.
  23. Markus Stadler, Publicly Verifiable Secret Sharing, Advances in Cryptology - Eurocrypt '96, pp. 190–199, Springer-Verlag, 1996.
  24. Jacques Traoré, Group Signatures and Their Relevance to Privacy-Protecting Off-Line Electronic Cash Systems, Information Security and Privacy, ACISP '99, pp. 228–243, Springer-Verlag, 1999.
  25. Jacques Traoré, personal communication.

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Chris Pavlovski (1, 2)
  • Colin Boyd (1)
  1. Information Security Research Centre, School of Data Communications, Queensland University of Technology, Brisbane, Australia
  2. IBM Global Services, Brisbane, Australia
