Group signature is a primitive in digital signatures. A group signature allows members of a group to sign messages anonymously on behalf of the group. In the event of a dispute, a designated trusted entity can reveal the identity of the actual signer. The application of group signatures includes e-voting, e-bidding and e-cash. Recently Popescu proposed an efficient group signature scheme for large groups. The lengths of the group's public key and of signatures do not depend on the size of the group. In this paper, however, we find there are some problems in the Popescu group signature scheme. Moreover, this scheme is vulnerable to forgery attacks. Any adversary could easily forge a valid group signature for any message without the knowledge of the secret values of the legal members of the group.
Cryptography, group signature, discrete logarithm, factoring, forgery attack