Insecurity of Chait et al.’s RSA-Based Aggregate Signature Scheme

Recently, Chait et al. proposed a new aggregate signature scheme under the RSA setting (IEEE Access, 2023). In this paper, we show that Chait et al.’s aggregate signature scheme is insecure when two signers collude with their own secret keys, by presenting an attack algorithm that forges aggregate signatures of aggregator or individual signatures of all other (non-colluding) users. More concretely, our attack algorithm consists of three sub-algorithms: The first sub-algorithm computes a multiple of <inline-formula> <tex-math notation="LaTeX">$\phi (N)$ </tex-math></inline-formula> from secret keys of two users where <inline-formula> <tex-math notation="LaTeX">$N$ </tex-math></inline-formula> is the RSA modulus that is included in the public parameter of the system and <inline-formula> <tex-math notation="LaTeX">$\phi $ </tex-math></inline-formula> is the Euler totient function. The second sub-algorithm recovers an equivalent secret key of a target user that is congruent to his/her original secret key modulo <inline-formula> <tex-math notation="LaTeX">$\phi (N)$ </tex-math></inline-formula> from his/her public key and the multiple of <inline-formula> <tex-math notation="LaTeX">$\phi (N)$ </tex-math></inline-formula> which is the output of the first sub-algorithm. Finally, with the equivalent secret key obtained by the second sub-algorithm, the last sub-algorithm generates valid aggregate/individual signatures of the target user. Our attack algorithm always succeeds in forging aggregate/individual signatures. Furthermore, it is lightweight in the sense that it requires several integer operations, gcd computations, and an execution of aggregate/individual signing algorithm only. For example, when the pubic parameter and secret keys of all users, except the target user, are provided, our experimental results demonstrate that the proposed attack algorithm takes less than 1 second only in total to forge an aggregate signature of 29 individual signatures including that of the target user, where <inline-formula> <tex-math notation="LaTeX">$N$ </tex-math></inline-formula> is 3,072 bits for 128-bit security.


I. INTRODUCTION
An aggregate signature scheme is a specialized type of signature scheme that offers an additional functionality: It allows to combine multiple signatures from different users on different messages into a compact aggregate signature.Then, when verified, this aggregate signature serves as a convincing proof to the verifier that all individual signatures involved are valid.It enables us to reduce the storage for storing signatures and to improve the efficiency for verification of signatures.So, it can be applied for various scenarios, e.g., sensor networks [1], vehicular ad-hoc network [2], smart The associate editor coordinating the review of this manuscript and approving it for publication was Barbara Masucci .
However, while many aggregate signature schemes and their variants have been proposed in the DL setting [1], [2], [3], [4], [5], [7], [8], [9], [10], [11], [12], [13], [14], only a few (variants of) aggregate signatures have been proposed in the RSA setting [18], [19], [20], [21].For instance, in [18], Lysyanskaya et al. proposed sequential aggregate signature schemes from trapdoor permutations, in which the set of signers is ordered, and provided its instantiation under the RSA setting where several distinct RSA moduli were used.Selvi et al. [19] presented an identity-based aggregate signature scheme.Their construction hires only one RSA modulus, but a secret key of each user is an RSA signature of identity and so they did not exploit the key generation paradigm of the original RSA cryptosystem [22] several times.Guo and Wang [20] proposed an RSA-based synchronized aggregate signature scheme, in which a signer can generate at most one signature for each time period and aggregation of signatures is only possible for signatures generated within the same time period.However, in their construction, each user has the same secret key which is composed of factors of the common RSA modulus.So, it is insecure since the adversary in the security game of aggregate signature scheme can have secret keys of all users, except the target user.Later, Hohenberger and Waters [21] proposed another synchronized aggregate signature scheme under the RSA setting.Their construction uses only one RSA modulus N , but it exploits relations of DLs over a multiplicative group Z * N and does not generate a pair of public and secret keys as in the original RSA signature scheme [22] as well.Thus, to the best of our knowledge, there had been no known aggregate signature scheme under the RSA setting where it uses only one RSA modulus as well as exploits the key generation paradigm of the original RSA signature scheme which generates a random element and its inverse modulo φ(N ) as public and secret keys, respectively, to generate a pair of public and secret keys of each user, where N is the RSA modulus and φ is the Euler totient function.
Very recently, Chait et al. proposed a new aggregate signature scheme under the RSA setting [23], where all users in their construction use the same RSA modulus N which is the product of two (safe) primes.In the general RSA setting, if a user has a pair of public and secret keys (e, d) satisfying e × d = 1 (mod φ(N )), then he/she can recover factors of N , which is the secret information in the RSAbased cryptosystem.In fact, this feature is the main obstacle when designing a cryptosystem for multiple users under the RSA setting, while adhering to the key generation paradigm of the original RSA cryptosystem [22] with hiring only one RSA modulus.To avoid this obstacle, in the key generation algorithm of Chait et al.'s construction, it is assumed that there exists a trusted-third party (TTP) and the TTP generates pairs of public and secret keys of all users including the RSA modulus N .For this purpose, it first generates N and a pair (e r , d r ) satisfying e r × d r = 1 and d r = t × r (mod φ(N )) for some integers t and r.Then, it generates a pair of public and secret keys (e i , d ′ i ) for each user U i so that e i × d i = 1 and d ′ i = d i + r (mod φ(N )).Here, it was expected that the exact value d i is hard to be calculated when d ′ i and other public parameters are given, because it was masked by r.In addition, even though secret keys of multiple users are provided as in the traditional security game of aggregate signature schemes, it was also claimed that recovering a secret key of the target user is hard and so forging a signature of the target user is infeasible.
In this paper, we analyze the security of Chait et al.'s aggregate signature scheme.To that end, we present an attack algorithm that forges Chait et al.'s aggregate/individual signatures of the target user when secret keys of two other users are given.We note that in the traditional security game of aggregate signature schemes, the adversary can possess secret keys of all users, except the target user, thus the requirement for our attack algorithm is natural in the security model of aggregate signature schemes.
Our attack algorithm can be divided into three subalgorithms.The first sub-algorithm takes secret keys of two users, the public parameter including the RSA modulus N and public keys of users as inputs, and then returns a multiple of φ(N ).The second sub-algorithm takes a public key of the target user and a multiple of φ(N ), which is obtained by the first sub-algorithm, as inputs, and returns an equivalent secret key of the target user that is congruent to the original secret key of the target user modulo φ(N ).In fact, after executing the second sub-algorithm, the adversary can get the equivalent secret key of the target user which is congruent to the original secret key of the target user modulo φ(N ), and so it can generate any valid aggregate/individual signatures of the target user.Finally, with the equivalent secret key of the target user obtained by the second sub-algorithm and secret keys of other users, the adversary can generate a valid aggregate signature and an individual signature of the target user by calling Chait et al.'s original aggregate algorithm and signing algorithm, respectively.
Our attack algorithm is very efficient: It requires several integer operations, gcd computations, and an execution of Chait et al.'s original aggregate/signing algorithm only.We confirm it by presenting implementation results of our attack algorithm.Our experimental results demonstrate that for 128-bit security with 3,072-bit RSA modulus N , our attack algorithm takes less than 1 second in total to forge an aggregate signature of 29 individual signatures, when secret keys of two users as well as the public parameters are provided.In particular, under the same setting as above, it takes less than 30 ms to recover an equivalent secret key of the target user by running the first and second sub-algorithms sequentially.As the running time of the aggregation algorithm of Chait et al.'s scheme is proportional to the value of t which is the number of signatures to be aggregated at a time, our attack algorithm also takes a longer time as t is larger.However, our attack algorithm takes about 5.2 seconds only in total to forge an aggregate signature of t = 1,009 individual signatures when secret keys of all users, except the target user, are provided.
Since our attack requires secret keys of two users, Chait et al.'s scheme may be secure if there is only one user in the system or it is assumed that all users do not collude each other.However, these assumptions are too restricted in aggregate signature schemes.Thus, their construction lost its own attraction as aggregate signature.Furthermore, it seems hard to fix their construction with maintaining the current setting that not only uses the common RSA modulus in the system, but also follows the key generation paradigm of the original RSA cryptosystem for key generation of users in the system, because a pair of public and secret keys generated by the RSA key generation algorithm may seem to leak the factoring information of the corresponding RSA modulus.Therefore, it also seems to be a challenging task to fix their scheme for supporting aggregation under the current setting and we leave it as an open problem.
Outline of the Paper.In the following section, we provide an overview of related works on aggregate signature schemes.Section III presents a comprehensive review of Chait et al.'s RSA-based aggregate signature scheme, including its system model, description, and security model.Our attack algorithm with theoretical analysis and toy example is given in Section IV.Section V provides experimental results of our attack algorithm.We conclude with remarks in Section VI.

II. RELATED WORKS
In this section, we provide a brief survey on RSA-based aggregate signature schemes, which are closely related to the work in this paper.The concept of aggregate signature with its instantiation was firstly introduced by Boneh et al. [6].In aggregate signature schemes, multiple individual signatures from different users on different messages can be combined into a compact aggregate signature and then used to convince a verifier that all individual signatures involved are valid by verifying an aggregate signature only.It can be widely applied for various scenarios since it enables us to reduce the storage and to improve the efficiency of verification.Thus, there have been proposed variants of aggregate signatures, identity-based [8], [13], certificateless [2], sequential [7], [11], synchronized [1], and unrestricted [10].However, most of existing aggregate signature schemes were mainly designed under the DL setting.
The first RSA-based aggregate signature scheme was presented by Lysyanskaya et al. [18].They presented a generic construction of sequential aggregate signatures from trapdoor permutations, in which the set of signers to be aggregated is ordered, and provided an instantiation of their generic construction under the RSA setting.In their RSAbased instantiation, each signature is generated using a distinct RSA modulus: The authors of [18] first considered the case that RSA moduli satisfy the order N 1 < N 2 < • • • < N ℓ where N i is the RSA modulus for the i-th signature in the aggregation sequence.Then, they presented a way to remove such a restriction.But, both cases exploit several RSA moduli in the system.
Later, in [19], Selvi et al. proposed an identity-based aggregate signature scheme from the (strong) RSA assumption.In their identity-based signature scheme, the trusted authority has a pair of public and secret keys of the original RSA signature scheme as the public parameter and the master secret key, respectively.Then, it issues a signature of the hash value of identity ID as the secret key of user ID.Then, each user who has his/her own secret key generates a signature of message by calculating modular exponentiations with message-dependent exponent.Their construction can be easily extended to identity-based aggregate signature schemes.So, their construction hires only one RSA modulus, but it does not use the key generation algorithm of the original RSA signature scheme which generates a pair of (e, d) such that e × d = 1 (mod φ(N )), to issue a pair of public and secret keys of each user, where N is an RSA modulus and φ is the Euler totient function.
Guo and Wang [20] presented a synchronized aggregate signature scheme from the RSA assumption.In the synchronized aggregate signature scheme, an individual signer can generate at most one signature for each time period and only the set of signatures generated in the same period can be aggregated.However, in their construction, each user has the same secret key which consists of the factors of the common RSA modulus.It does not match the traditional security model of aggregate signature schemes where the adversary can have secret keys of all users, except the target user.That is, the construction proposed by Guo and Wang is insecure under the traditional security model of aggregate signature schemes.
In 2018, Hohenberger and Waters [21] proposed a synchronized aggregate signature scheme from the RSA assumption.In their construction, the key generation algorithm generates a product of e i 's, E = ℓ i=1 e i , where e i 's are easily computable.Then, when a signature is generated at time j, it computes a modular exponentiation of original signature with exponent E/e j and then verifies using e j and E. Thus, all users in their construction use the same RSA modulus, but it does not follow the key generation paradigm of the original RSA cryptosystem to generate each user's key.
Finally, very recently, Chait et al. [23] presented the RSA-based aggregate signature scheme.Differently from the previous (secure) constructions, Chait et al.'s construction follows the key generation paradigm of the original RSA cryptosystem to generate public and secret keys of each user.In the key generation algorithm of their construction, the TTP first generates an RSA modulus N and computes (e r , d r ) such that e r × d r = 1 and d r = t × r (mod φ(N )) for some integers t and r.Then, it generates a pair of public and secret keys (e i , d ′ i ) for each user U i so that e i × d i = 1 and ).The authors of [23] claimed that it is hard to calculate d ′ i and/or d i for the target user, when public parameters and secret keys of other users are given.However, in this paper, we show that their construction is not secure.Refer to Sections III and IV for the details of Chait et al.'s scheme and our attack algorithm, respectively.

III. CHAIT ET AL.'S RSA-BASED AGGREGATE SIGNATURE SCHEME
In this section, we review Chait et al.'s RSA-based aggregate signature scheme, including its system model, description, and security model.

A. SYSTEM MODEL FOR CHAIT ET AL. 'S RSA-BASED AGGREGATE SIGNATURE SCHEME
We first recall the system model for Chait et al.'s scheme.It consists of a TTP and users.Throughout the paper, we denote by n the number of users that have the signing ability in the system.The TTP generates a public parameter of the system, and a pair of secret and public keys for each user in the system.Each user may play roles of both aggregator and individual signer.For simple description, we assume that user 1 is an aggregator and a signer, but all other users are just signers.
Once the system is established, the TTP first generates a public parameter, and a pair of secret and public keys for each user.Then, it publishes the public parameter and the public keys of all users.The secret key of user i is passed to user i through a secure channel.When user 1 who is the aggregator would like to generate an aggregate signature of message, it first generates a signature of that message and diffuses it in the system.Once each user receives that signature, it verifies, and if the verification is passed, then it generates a signature of the corresponding message under its own secret key.When user 1 collects t signatures including its own signature, it aggregates them into one aggregate signature.In this process, it additionally generates a signature of the list of users that contribute to generate the aggregate signature using its own secret key.Finally, anyone can confirm the validity of all signatures combined into the aggregate signature by checking the validity of the aggregate signature as well as the signature of the list of involved users.• KeyGen(1 λ ): This algorithm is run by the TTP.Given the security parameter λ, it performs as follows: 1) Select two primes p, q and set N = p × q.
3) Set the value of t, which corresponds to the number of signatures required for generating a valid aggregate signature.(We note that gcd(t, φ(N )) = 1 for the correctness.)• IndividualSign: This algorithm is run by an individual user.It behaves differently with respect to the executor.
-IndividualSign(pp, H, sk 1 , m): If it is run by the aggregator (i.e., user U 1 ), it takes the public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ), the hash function H, the secret key sk 1 = d ′ 1 of user U 1 , and a message m as inputs, and performs as follows: -IndividualSign(pp, H, sk ℓ , (m, s 1 )): If it is run by an individual signer U ℓ with ℓ ̸ = 1, it takes the public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ), the hash function H, the secret key sk ℓ = d ′ ℓ of user U ℓ , and a signature (m, s 1 ) of user U 1 as inputs, and performs as follows: 1) Run IndividualVerify(pp, H, (m, s 1 ), 1), described below.If it outputs 1, then proceed the following steps.Otherwise, abort.
• IndividualVerify(pp, H, (m, s), ℓ): This algorithm can be executed by anyone.Given the public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ), the hash function H, a signature (m, s) of user U ℓ and the index ℓ, it runs as follows: 1) Calculate h = H(m).
• AggSign(pp, H, sk 1 , (m, {s ℓ } ℓ∈I ,|I |=t )): This is done by the aggregator (i.e., user U 1 ).Given the public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ), the hash function H, the secret key sk 1 of user U 1 , and the message m and t signatures {s ℓ } ℓ∈I of message m where I is the set of indices of cardinality t, it performs as follows: 1) Run IndividualVerify(pp, H, (m, s ℓ ), ℓ) for each ℓ ∈ I .If at least one of results is 0, then abort.Otherwise, proceed the following steps.2) Calculate σ = ℓ∈I s ℓ (mod N ).
Otherwise, return 0. We investigate the correctness of verification algorithms for individual and aggregate signatures of Chait et al.'s scheme.First, the correctness of the verification algorithm for individual signature (m, s) comes from the relation that = h e r ×t × h e ℓ = h e r ×t+e ℓ = y (mod N ) where h = H(m) since Next, the correctness of the verification algorithm for aggregate signature (m, σ, L, SL) comes from the validity of individual signature (L, SL) and the relation that  [6], [21] and is defined using the security game between the adversary A and the challenger C.
We say that t-aggregate signature scheme is secure against existential forgery in the aggregate chosen-key model if there is no probabilistic polynomial-time (PPT) adversary A whose advantage is negligible in the security parameter λ in the following game with the challenger C: • Setup: A receives a public key pk 1 for user U 1 which is randomly generated and (pk i , sk i ) for user U i with 2 ≤ i ≤ t.
• Queries: A may request signatures with the public key pk 1 on the message chosen by A itself.
• Response: A outputs an aggregate signature σ agg which is composed of individual signatures of U 1 , . . ., U t .We say that A wins the above game if • AggVerify(pp, H, σ agg ) = 1 and • m ′ did not appear in the Queries phase.The advantage of A is defined as the probability that A wins in the above game.
Remark 1: The security definition of t-aggregate signature schemes in [23] has some typos: It is stated that a secret key sk 1 = d ′ 1 is given to A at the Setup phase.In their original description, a secret key sk 1 = d ′ 1 should be replaced by a public key pk 1 = e 1 .
We note that our attack algorithm is sufficient if it takes two secret keys d ′ i and d ′ j with the public parameter pp.It does not need to have access to the signing oracle.The details of our attack algorithm will be provided in the next section.

IV. OUR ATTACK ALGORITHM
In this section, we provide our attack algorithm against Chait et al.'s aggregate signature scheme with its theoretical analysis and toy example.

A. OUR KEY RECOVERY AND FORGE ALGORITHMS
We first present the description of our attack algorithm that forges an individual signature for the target user or an aggregate signature which is generated by the target user as an aggregator.Our attack algorithm can be divided into three sub-algorithms: The first sub-algorithm, called ComMulPhiN, computes a multiple of φ(N ) when secret keys d ′ i , d ′ j of two users U i , U j , respectively, in addition to the public parameter pp are given as inputs where N is the common RSA modulus of the system and φ is the Euler totient function.The second algorithm, called RecSecKey, recovers a value congruent to the secret key of the target user modulo φ(N ) when the public key of the target user and the multiple of φ(N ), which is obtained from the first algorithm, are given as inputs.The last algorithm, called Forge, generates an individual or aggregate signature using outputs of the first and second sub-algorithms.
For our attack, we assume that at least two users collude with their own secret keys and thus the adversary has secret keys d ′ i , d ′ j of two users U i , U j , respectively.This requirement is natural since in the security game it is assumed that the adversary has secret keys of all users, except the target user.
Let us elaborate our first algorithm that computes a multiple of φ(N ).This algorithm takes the public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ) and d ′ i , d ′ j as inputs.That is, we assume that users U i and U j collude to recover a secret key of user U k .The algorithm computes phi = (e i e j d ′ i − e j e i d ′ j ) + (e i − e j ).Then, phi is a multiple of φ(N ).(See Theorem 1 in Section IV-B for the correctness of the first algorithm.)The formal description of the first algorithm is given in Algorithm 1.  phi ← phi/ gcd(t, phi) Finally, on top of ComMulPhiN and RecSecKey algorithms, we build the forge algorithm that generates an individual or aggregate signature of the target user U k with respect to the input mode mode ∈ {Ind, Agg} in Algorithm 3. It takes pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ), secret keys {d ′ ℓ } ℓ∈I where I is the set of indices of cardinality t − 1, the index k of the target user U k where k ̸ ∈ I , a cryptographic hash function H : {0, 1} * → Z N , and a mode mode ∈ {Ind, Agg} as inputs.The input mode determines a type of output signature between an individual signature and an aggregate signature: Ind and Agg indicate an individual signature and an aggregate signature, respectively.We remark that our algorithm requires secret keys of two users only to recover an equivalent secret key of the target user and to forge an individual signature.However, by considering the case for forging an aggregate signature as an aggregator, we describe the algorithm so that it takes t − 1 secret keys as in the security game of aggregate signature schemes in Section III-C.This algorithm first selects two indices i, j, runs ComMulPhiN(pp, d i , d j ) to obtain phi, and then runs RecSecKey(pp,   Theorem 1: Algorithm 1 with inputs (pp, d ′ i , d ′ j ) always returns a multiple of φ(N ) where the public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ) and secret keys d i , d j of users U i , U j , respectively, are involved in the output of the key generation algorithm KeyGen of Chait et al.'s scheme.
Proof: Let (e i , d ′ i ) and (e j , d ′ j ) be pairs of public and secret keys of users U i and U j , respectively.Then, since they are generated by the key generation algorithm of Chait et al.'s signature scheme, they hold the relations e i × d ′ i = e i d i + e i r = 1 + q i φ(N ) + e i r and e j × d ′ j = e j d j + e j r = 1 + q j φ(N ) + e j r as integers for some integers q i and q j .Thus, e i e j d ′ i = e i e j (d i + r) = e i e j d i + e i e j r = e j (1 + q i φ(N )) + e i e j r = e j + e j q i φ(N ) + e i e j r and e i e j d ′ j = e i e j (d j + r) = e i e j d j + e i e j r = e i (1 + q j φ(N )) + e i e j r = e i + e i q j φ(N ) + e i e j r Therefore, phi = e i e j d ′ i − e i e j d ′ j + (e i − e j ) = (e j + e j q i φ(N ) + e i e j r) − (e i + e i q j φ(N ) + e i e j r) + (e i − e j ) = (e j q i − e i q j )φ(N ) which is a multiple of φ(N ).If phi in Equation ( 1) is negative, take −phi so that the output of the algorithm is always positive.However, regardless of the sign of phi, phi is still a multiple of φ(N ) and the theorem is proved.Remark 2: The output of Algorithm 1 cannot be 0. First, since e i and e j are different, since e i , e j ≥ 2 and c ≥ 1, and so Similarly, suppose that since e i , e j ≥ 2 and c ′ ≥ 1, and so Therefore, the output of Algorithm 1 cannot be 0. ■ Next, the following theorem shows the correctness of Algorithm 2 when Algorithm 1 is correct.
Theorem 2: Algorithm 2 returns a value congruent to the secret key of the target user U k modulo φ(N ) if Algorithm 1 works correctly as in Theorem 1.
Proof: Suppose that Algorithm 1 returns a multiple of φ(N ).That is, phi = qφ(N ) for some positive integer q.Assume that gcd(e k , phi) = 1, gcd(e r , phi) = 1, and gcd(t, phi) = 1.Otherwise, we can adjust it by setting phi 16468 VOLUME 12, 2024 Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
From Steps 7-9, r, d k and d ′ k satisfy e r × t × r = 1 (mod phi) and Thus, it holds that e r × t × r ≡ 1 (mod φ(N )) and from the definitions of r and d k .Therefore, we have Finally, Theorem 3 shows that Algorithm 3 generates a valid individual or aggregate signature of the target user U k .
Theorem 3: If Algorithms 1 and 2 work correctly, Algorithm 3 with inputs (pp, {d ′ ℓ } ℓ∈I , k, H, mode) outputs a valid individual signature of the target user U k when mode = Ind and a valid aggregate signature of the target user U k when mode = Agg, where the public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ) and secret keys {d ′ ℓ } ℓ∈I of users U ℓ for I which is the set of indices of cardinality t − 1 are generated by the key generation algorithm of Chait et al.'s scheme, k is the index of the target user U k , H : {0, 1} * → Z N is a cryptographic hash function, and mode ∈ {Ind, Agg}.
Proof: The proof of this theorem is straightforward from the correctness of Algorithms From Theorems 1-3, we confirm that our attack succeeds.Efficiency Analysis of Our Attack.We now analyze the efficiency of our attack algorithm by concentrating on the computationally intensive operations that primarily account for the execution time within the algorithm.Algorithm 1 takes 4 integer multiplications at Steps 1-2.Algorithm 2 requires several gcd computations at Steps 1-6, and 2 modular inverse calculations at Steps 7-8.We remark that the number of gcd computations is bounded above by 2 log N when two factors of N are safe primes as in the key generation algorithm of Chait et al.'s scheme.However, according to our experiments in Section V, it is less than 4 on average if we select e i , t, and r as random primes.Refer to Table 3 in

C. TOY EXAMPLE OF OUR ATTACK
In this subsection, we provide a toy example of our attack to help readers' understanding.In our example, we select two safe primes p, q as p = 1, 283, q = 1, 307, and so N , φ(N ) are set to We confirm that phi is a multiple of φ(N ) from phi = 6, 330, 553 × φ(N ).
Then, we calculate Finally, we investigate the correctness of our attack in the above example by checking that the following relation holds: We omit an example for Algorithm 3 because its correctness trivially comes from that of Chait et al.'s scheme.In summary, from the example given in this subsection, we confirmed the correctness of our attack algorithm.

V. EXPERIMENTAL ANALYSIS
In this section, we provide experimental results of our attack algorithm.The source code related to our implementation in this section is publicly available at GitHub repository. 1

A. EXPERIMENTAL ENVIRONMENTS
Our source code was written in C++.The OpenSSL library [24] of version 3.0.10was used for integer and modular operations with large numbers, and cryptographic hash function, SHA-256.We have tested on the machine running Ubuntu 20.04.6 LTS on virtual machine which was installed on Windows Server 2019 Standard with Intel(R) Xeon(R) Silver 4215R processor at 3.20 GHz with 128 GB of RAM.

B. EXPERIMENTAL RESULTS
Now, we present experimental results of our attack algorithm.We conducted several types of experiments with respect to the bit size of N , the value of t, and the bit size of user's public key e i .All experiments were executed 100 times and all numbers in the tables are averages of 100 trials each.
Table 1 shows execution times of our attack algorithm for various sizes of RSA modulus N and users' public keys when the number t of individual signatures required for aggregation is fixed.We set t to 13 for all experiments in Table 1.The bit sizes of RSA modulus N , which is a product of two safe primes, were set to 1024, 2048, and 3072.For sizes of user's public keys, we consider two cases: (1) each e i is selected randomly from Z * φ(N ) as the original description of Chait et al.'s scheme and ( 2) each e i is selected randomly from the set of 40-bit integers which are relatively prime with 1 https://github.com/CRYPTO-REPO/Attacks-on-Chait-s-scheme16470 VOLUME 12, 2024 Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.φ(N ) by reflecting the case that uses small public keys to improve the efficiency in practice.Table 1 presents execution times of Algorithm 1, Algorithm 2, and Algorithm 3 with Ind and Agg as input mode.It demonstrates that the execution time of our attack algorithm increases as the bit size of N increases.Since each algorithm performs operations with e i 's, the running times of algorithms depend on the size of e i , and our algorithms are slightly faster when e i 's are small.But, for all cases our attack algorithm takes less than 21 ms only to recover an equivalent secret key of the target user by running Algorithm 1 and Algorithm 2, and takes less than 1 second only to forge an aggregate signature by running Algorithm 2 with input mode = Agg.While other algorithms do not depend on the value of t, Algorithm 3 with input mode = Agg depends on the value of t since it generates an aggregate signature of t individual signatures.Table 2 presents execution times of algorithms for various t = 29, 109, 251, 503, 1009 and two cases of e i as in Table 1.It shows that the running time of Algorithm 3 with input mode = Agg increases as t increases, but those of all algorithms does not depend on the value of t.
Finally, to make up for our theoretical analysis on the number of required gcd computations in Algorithm 2, we measured the number of gcd computations through Steps 1-6 of Algorithm 2 in our experiments.In Section IV-B, we roughly stated that the number of required gcd computations is bounded above by 2 log N .Table 3 presents average numbers of gcd computations at Steps 1-2, Steps 3-4, and Steps 5-6, respectively, in Algorithm 2 with various t and two sizes of e i as in Table 1 when N is 3072 bits.It shows that in fact the number of required gcd computations is less than 4 for all cases.TABLE 2. Execution time of our attack algorithm with respect to the value of t and the bit size of e i when N is 3072 bits (unit: ms).

TABLE 3.
The average number of gcd computations with respect to the value of t and the bit size of e i when N is 3,072 bits.

VI. CONCLUSION
In this paper, we assessed the security of the recent RSA-based aggregate signature scheme proposed by Chait et al. [23] which follows the paradigm of the key generation algorithm of the original RSA cryptosystem [22] under only one RSA modulus for key generation of users in the system.For this purpose, we presented an attack algorithm that recovers an equivalent secret key of the target user and then forges an individual or aggregate signature of the target user with the obtained equivalent secret key.Our attack algorithm is critical since it can recover an equivalent secret key of any users in the system with relatively cheap operations, e.g., several integer operations and modular operations, when secret keys of two users are given.We showed the efficiency of our attack algorithm by presenting experimental results.According to the experimental results, for the parameters of 128-bit security our algorithm forges an aggregate signature of 29 individual signatures in 1 second.
Since our attack works when secret keys of two users are given, Chait et al.'s scheme is no longer attractive as an aggregate signature.Furthermore, fixing it with minor modifications seems challenging due to the inherent leakage of information about the factorization of the RSA modulus when using key pairs generated by the original RSA cryptosystem, even with some modifications.We leave it as an open problem to design an RSA-based aggregate signature scheme under the common RSA modulus while adhering to the key generation paradigm of the original RSA for user key generation.

Algorithm 1 Algorithm 2 1 :
Compute a Multiple of φ(N ): ComMulPhiN(pp, D ′ i , D ′ j ) Input: The public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ), secret keys d ′ i , d ′ j of users U i , U j , respectively Output: An integer phi 1: phi ← e i × e j × d ′ i (as integers) 2: phi ← phi − e i × e j × d ′ j (as integers) 3: phi ← phi + (e i − e j ) (as integers) 4: if phi < 0 then 5: phi ← −phi 6: return phi Next, on top of Algorithm 1, the second algorithm recovers an equivalent secret key congruent to the secret key d ′ k of the target user U k modulo φ(N ) from the target public key e k and phi, which is the output of Algorithm 1. Suppose that the second algorithm already obtained phi by running the first algorithm ComMulPhiN(pp, d ′ i , d ′ j ).In the second algorithm with inputs pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ), d ′ i , d ′ j and phi, it should calculate the inverse of e k modulo phi, i.e., e −1 k (mod phi), where e k is the public key of the target user U k .Thus, gcd(e k , phi) = 1 should hold.Otherwise, i.e., if g = gcd(e k , phi) ̸ = 1, then the algorithm sets phi to phi/g and repeats this process until gcd(e k , phi) = 1.This additional process does not violate the correctness of our attack algorithm because the key generation algorithm of Chait et al.'s scheme selects e k so that gcd(e k , φ(N )) = 1.Similarly, gcd(e r , phi) = 1 and gcd(t, phi) = 1 should also hold to calculate the inverse of e r × t modulo phi and in fact they trivially hold since the key generation algorithm of Chait et al.'s scheme selects e r and t such that gcd(e r , φ(N )) = 1 and gcd(t, φ(N )) = 1.Then, it calculates r = (e k × t) −1 (mod phi) and then d ′ k = e −1 k + r (mod phi).Algorithm 2 provides the formal description of our second algorithm.The correctness of Algorithm 2 will be shown in Theorem 2 of Section IV-B.Recover a Secret Key: RecSecKey(pp, D ′ i , D ′ j , Phi, k) Input: The public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ), secret keys d ′ i , d ′ j of users U i , U j , respectively, the modulus phi and the index of the target user U k with k ̸ = i, j Output: An integer d ′ k while gcd(e k , phi) ̸ = 1 do 2: phi ← phi/ gcd(e k , phi) 3: while gcd(e r , phi) ̸ = 1 do 4:phi ← phi/ gcd(e r , phi)

Algorithm 3
Subsequently, it selects a message m and then performs with respect to the input mode: If mode = Ind, then it runs the individual signing algorithm of Chait et al.'s scheme, IndividualSign(pp, H, d ′ k , m), to generate an individual signature of the target user U k on message m.Otherwise, i.e., if mode = Agg, then it generates t individual signatures by running IndividualSign(pp, H, d ′ k , m) for the target user U k to obtain (m, s k ) and then IndividualSign(pp, H, d ′ ℓ , (m, s k )) for users U ℓ to obtain (m, s ℓ ) with ℓ ∈ I .Then, it runs the aggregate signing algorithm of Chait et al.'s scheme, AggSign(pp, H, d ′ k , (m, {s ℓ } ℓ∈J )), to obtain an aggregate signature where J = I ∪ {k}.We formally describe the third algorithm in Algorithm 3 and its correctness will be shown in Theorem 3 of Section IV-B.Forge a Signature: Forge(pp, {d ′ ℓ } ℓ∈I , k, H, mode) Input: The public parameter pp = (N , t, e r , {e ℓ } 1≤ℓ≤n ), secret keys {d ′ ℓ } ℓ∈I of users U ℓ with I of cardinality |I | = t − 1, the index of the target user U k with k ̸ ∈ I , a cryptographic hash function H, and mode ∈ {Ind, Agg} Output: An individual signature (m, s k ) or an aggregate signature (m, σ , L, SL) 1: Select two indices i, j from I then
Section V for detailed experimental results.Finally, for Algorithm 3 with input mode = Ind, it requires executions of Algorithm 1, Algorithm 2, and Chait et al.'s individual signing algorithm each sequentially.For Algorithm 3 with input mode = Agg, it additionally requires t − 1 executions of the individual signing algorithm and 1 execution of the aggregate signing algorithm of Chait et al.'s scheme.
Now, we present the description of Chait et al.'s RSAbased aggregate signature scheme.Chait et al.'s scheme can generate an aggregate signature once t individual signatures are collected.Such an aggregate signature scheme is called a t-aggregate signature scheme.It consists of the following five algorithms: KeyGen, IndividualSign, IndividualVerify, AggSign, and AggVerify.
Next, we take a look at the security model for Chait et al.'s scheme.It follows the original security model of aggregate signature schemes 1, 2 of this paper and that of individual and aggregate signing algorithms of Chait et al.'s scheme.Algorithm 3 first calls ComMulPhiN(pp, d ′ i , d ′ j ) and RecSecKey(pp, d ′ i , d ′ j , phi, k).As a result, we obtain an equivalent secret key d ′ k which is congruent to the secret key of the target user U k modulo φ(N ) from the assumption that Algorithms 1 and 2 work correctly.Then, it selects a message m and then calls IndividualSign(pp, H, d ′ k , m) to forge an individual signature of the target user U k on message m if mode = Ind.Otherwise, if mode = Agg, then it generates t individual signatures by running IndividualSign(pp, H, d ′ k , m) to obtain (m, s k ) and then IndividualSign(pp, H, d ′ ℓ , (m, s k )) to obtain (m, s ℓ ) for ℓ ∈ I .Then, it runs the aggregate signing algorithm AggSign(pp, H, d ′ k , (m, {s ℓ } ℓ∈J )) with t generated individual signatures where J = I ∪{k}.Therefore, since all inputs of the algorithms have the correct form, if Chait et al.'s construction is correct, Algorithm 3 returns a valid individual or aggregate signature.

TABLE 1 .
Execution time of our attack algorithm with respect to the bit sizes of N and e i when t = 13 (unit: ms).