On the security of an enhanced short signature scheme

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source of the paper.

Currently, short signatures are receiving significant attention since they are particularly useful in low-bandwidth communication environments. However, most short signature schemes are based on only one intractability assumption. Recently, Su presented an identity-based short signature scheme based on the knapsack problem and bilinear pairings. He claimed that the signature scheme is secure in the random oracle model. Unfortunately, in this paper, we show that his scheme is insecure. Concretely, an adversary can forge a valid signature on any message with respect to any identity in Su's scheme.


💡 Research Summary

The paper conducts a security analysis of the identity‑based short signature scheme proposed by Su, which combines the knapsack (subset‑sum) problem with bilinear pairings and claims security in the random‑oracle model (ROM). After motivating short signatures for low‑bandwidth environments and reviewing related work on knapsack‑based and pairing‑based cryptography, the authors describe Su's construction in detail. The scheme consists of a system‑setup phase that generates a master secret key and the public parameters, a key‑extraction phase that derives a user's secret key from the user's identity via a hash function, a signing algorithm that uses the knapsack vector together with pairing operations to produce a signature σ = (σ₁, …, σₙ), and a verification algorithm that checks the equation

 ∏₁ⁿ e(σᵢ, g₂) = e(g₁, PK_ID)·e(g₁, g₂)^{H(M)}.

Su argues that, because both the knapsack problem and the discrete‑logarithm problem in pairing groups are assumed intractable, the scheme achieves existential unforgeability under adaptive chosen‑message attacks (EUF‑CMA) in the ROM.

The core contribution of the present work is an explicit forgery attack that works for any identity and any message. The adversary fixes a target identity ID* and message M* and evaluates h* = H(M*); in the ROM, H is a public oracle that the adversary may query, and the attack needs no control over its output. The verification equation is then treated as a system of linear equations in the unknown exponents of the signature components σᵢ: because e(·, g₂) is bilinear, writing σᵢ = g₁^{xᵢ} collapses the left‑hand side ∏ e(σᵢ, g₂) to the single value e(g₁, g₂)^{x₁ + … + xₙ}, while the right‑hand side is a fixed target‑group element determined by PK_ID* and h*. This system is solvable for every value of h*, so by solving it, without solving the underlying knapsack problem, the attacker obtains concrete group elements σ₁, …, σₙ that satisfy the verification equation. Consequently, the attacker can produce a valid signature for any chosen identity ID* and message M*, breaking EUF‑CMA security.

The authors emphasize that the vulnerability stems from an inadequate integration of the two hardness assumptions. The verification equation depends only on the linearity of the pairing, so the knapsack component is never actually checked by the verifier and can be bypassed. Moreover, the security proof in Su's original paper does not account for this: modelling H as a random oracle offers no protection when the verification equation can be satisfied for every value of H(M*) without any secret key material, which is precisely what enables the forgery.
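To make the linearity argument of the two preceding paragraphs concrete, here is an added example in Python; it is not code from the paper and does not reproduce Su's scheme. It models a symmetric bilinear map e(g^a, g^b) = g_T^{ab} by tracking exponents modulo a prime Q, which is worthless as a cryptographic group but exact for checking the algebra of the verification equation. Everything beyond the equation itself is an assumption of this example: the symmetric pairing (g₁ = g₂ = g), the group order Q, the number of components N, the key-derivation rule PK_ID = (g^s)^{H1(ID)}, the stand-in honest signer (Su's knapsack-based signing algorithm is not reproduced), and the sample identities and messages. The forger uses only public parameters, group operations and hash evaluations: it never takes a discrete logarithm and never touches a knapsack instance.

```python
import hashlib
import secrets

Q = 2**127 - 1  # prime group order of the toy groups (assumed; a Mersenne prime)
N = 4           # number of signature components sigma_1..sigma_N (assumed)


def hash_to_scalar(tag: bytes, data: bytes) -> int:
    """Public hash {0,1}* -> Z_Q standing in for H (messages) and H1 (identities)."""
    return int.from_bytes(hashlib.sha256(tag + b"|" + data).digest(), "big") % Q


class G:
    """Element g^x of the source group, written multiplicatively. The exponent is
    stored only so the toy pairing can be evaluated; the adversary code below never
    reads ._x, it only multiplies, exponentiates and pairs."""
    __slots__ = ("_x",)

    def __init__(self, x: int):
        self._x = x % Q

    def __mul__(self, other: "G") -> "G":   # g^a * g^b = g^(a+b)
        return G(self._x + other._x)

    def __pow__(self, k: int) -> "G":       # (g^a)^k = g^(a*k)
        return G(self._x * (k % Q))

    def __eq__(self, other) -> bool:
        return isinstance(other, G) and self._x == other._x


class GT:
    """Element gT^y of the target group."""
    __slots__ = ("_y",)

    def __init__(self, y: int):
        self._y = y % Q

    def __mul__(self, other: "GT") -> "GT":
        return GT(self._y + other._y)

    def __pow__(self, k: int) -> "GT":
        return GT(self._y * (k % Q))

    def __eq__(self, other) -> bool:
        return isinstance(other, GT) and self._y == other._y


def e(a: G, b: G) -> GT:
    """Symmetric bilinear map e(g^a, g^b) = gT^(a*b)  (assumption: G1 = G2)."""
    return GT(a._x * b._x)


g = G(1)     # generator of the source group (g1 = g2 = g in this toy)
ONE = G(0)   # identity element of the source group


def setup():
    """Master secret s and public parameters (g, g^s)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, {"g": g, "g_s": g ** s}


def public_key(params: dict, identity: bytes) -> G:
    """PK_ID = (g^s)^{H1(ID)} (assumed rule): computable by anyone from public data."""
    return params["g_s"] ** hash_to_scalar(b"H1", identity)


def extract(s: int, identity: bytes) -> int:
    """User secret d_ID = s * H1(ID), the discrete log of PK_ID; needs the master secret."""
    return (s * hash_to_scalar(b"H1", identity)) % Q


def verify(params: dict, identity: bytes, message: bytes, sigma: list) -> bool:
    """The verification equation from the summary, evaluated with the toy pairing."""
    if len(sigma) != N:
        return False
    lhs = GT(0)
    for s_i in sigma:
        lhs = lhs * e(s_i, params["g"])
    rhs = e(params["g"], public_key(params, identity)) \
        * e(params["g"], params["g"]) ** hash_to_scalar(b"H", message)
    return lhs == rhs


def sign(params: dict, d_id: int, message: bytes) -> list:
    """Stand-in honest signer: any exponents x_i with sum = d_ID + H(M) verify."""
    h = hash_to_scalar(b"H", message)
    xs = [secrets.randbelow(Q) for _ in range(N - 1)]
    xs.append((d_id + h - sum(xs)) % Q)
    return [params["g"] ** x for x in xs]


# --- adversary: public parameters, group operations and hash queries only ---
def forge(params: dict, identity: bytes, message: bytes) -> list:
    """Universal forgery. The RHS is one target-group element with exponent
    log(PK_ID) + H(M) and the LHS is linear in the exponents of the sigma_i, so any
    split of that exponent verifies. log(PK_ID) is never learned: PK_ID itself goes
    into one component, g^{H(M)} into another (re-randomised by r), the rest are 1."""
    pk = public_key(params, identity)     # public
    h = hash_to_scalar(b"H", message)     # H is a public oracle: the forger just evaluates it
    r = secrets.randbelow(Q)              # any split works, so distinct forgeries are unbounded
    return [pk * params["g"] ** r, params["g"] ** (h - r)] + [ONE] * (N - 2)
```

The forgery is bound to the (ID, M) pair it was built for, since changing either changes the right-hand side, but that pair is chosen freely by the forger, which is exactly what EUF-CMA forbids. The symmetric-pairing assumption matters: if PK_ID lived in a different group from the σᵢ, this particular placement would be unavailable, and the summary's linear-system description should be read against the paper's actual parameters.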

In the discussion, the paper outlines design lessons for future composite‑assumption schemes. First, each assumption must contribute an independent, non‑redundant security property; otherwise, one may dominate and render the other irrelevant. Second, verification equations should incorporate non‑linear or tightly coupled operations that prevent an attacker from isolating a subset of variables and solving for them independently. Third, security reductions must model the ROM faithfully and must argue explicitly that the verification equation cannot be satisfied for arbitrary hash outputs without the secret key.

The conclusion states that Su’s scheme is fundamentally insecure: an adversary can forge signatures on arbitrary identities and messages with negligible effort. Consequently, the scheme should be discarded, and practitioners are advised to rely on well‑studied single‑assumption short signature constructions that have withstood rigorous analysis.

