Certificateless cryptography has attracted a lot of attention from the research community, due to its applicability in information security. In this paper, we analyze two recently proposed certificateless signature schemes and point out their security flaws. In particular, we demonstrate universal forgeries against these schemes with known message attacks

Huang, Xinyi

Li, Sujuan

Miao, Songqin

Mu, Yi

Susilo, Willy

Zhang, Futai

Agora University Editing House: Journals

Int. J. of Computers, Communications & Control, ISSN 1841-9836, E-ISSN 1841-9844Vol. V (2010), No. 4, pp. 586-591Cryptanalysis on Two Certificateless Signature SchemesF. Zhang, S. Li, S. Miao, Y. Mu, W. Susilo, X. HuangFutai Zhang, Songqin Miao1. School of Computer Science and technologyNanjing Normal University,Nanjing 210046, P.R. China, and2. Jiangsu Engineering Research Center on Information Security and Privacy Protection TechnologyNanjing 210046, P.R. ChinaE-mail: zhangfutai@njnu.edu.cn, miaosongqin@163.comSujuan Li1. School of Computer Science and technologyNanjing Normal University,Nanjing 210046, P.R. China, and2. Nanjing University of TechnologyNanjing 210037, P.R. ChinaE-mail: lisujuan1978@126.comYi Mu, Willy Susilo, Xinyi HuangCentre for Computer and Information Security ResearchSchool of Computer Science and Software EngineeringUniversity of WollongongNSW 2522, AustraliaE-mail: ymu@uow.edu.au, wsusilo@uow.edu.au, xyhuang81@gmail.comAbstract:Certificateless cryptography has attracted a lot of attention from the researchcommunity, due to its applicability in information security. In this paper, we analyzetwo recently proposed certificateless signature schemes and point out their securityflaws. In particular, we demonstrate universal forgeries against these schemes withknown message attacks.Keywords: certificateless cryptography, certificateless signature, public key replace-ment, universal forgery.1 IntroductionCertificateless cryptography [1] is a new paradigm that not only removes the inherent key escrowproblem of identity based public cryptography [2] (ID-PKC for short), but also eliminates the cumber-some certificate management in traditional PKI. In CL-PKC, the actual private key of a user is comprisedof two secrets: a secret value and a partial private key. The user generates a secret value by himself, whilethe partial private key is generated by a third party called Key Generating Center (KGC), who makes useof a system wide master key and the user’s identity information. In this way, the key escrow problem inidentity-based public key cryptosystems is removed. A user’s public key is derived from his/her actualprivate key, identity and system parameters. It could be available to other entities by transmitting alongwith signatures or by placing in a public directory. Unlike the traditional PKI, there is no certificate incertificateless public key cryptography to ensure the authenticity of the entity’s public key. A number ofcertificateless signature schemes [3–14] have been proposed. Some of them are analysed under reason-able security models with elaborate security proofs [8, 11, 13, 14], while some others are subsequentlybroken due to flawed security proof or unreasonable model [3, 6–8, 12].Copyright c 2006-2010 by CCC PublicationsCryptanalysis on Two Certificateless Signature Schemes 587Recently two certificateless signature schemes were proposed in [4] and [5] respectively. They wereclaimed to provide high efficiency and provable security. In this short note, unfortunately, we show thatthese two schemes [4, 5] are insecure even in a very weak security model. Namely these two schemesare suffering from universal forgeries under known message attacks.2 Review of the Original SchemesWe omit the preliminaries, basic notions, and security models about certificateless signature schemes.Please refer to [1, 8, 11, 13, 14] for details. The two original schemes [4, 5] are based on bilinear maps.They were both called McCLS scheme. To distinguish them, we call the one in [4] as McCLS1, and theother one in [5] as McCLS2.2.1 Description of McCLS1We first describe McCLS1. It consists of the following five algorithms. Setup. On input a security parameter, it generates a list of system parameters f p, G1, G2, e^, P,Ppub, H1, H2g and a system master private key s2 Zp, where p is a large prime, G1;G2 are groups oforder p with an admissible bilinear map e^ : G1G1! G2, H1 : f0;1g! G1 and H2 : f0;1g! Zpare cryptographical Hash functions, P is a generator of G1, and Ppub = sP. Extract Partial Private Key. On input a user identity ID, it computes QID =H1(ID), and outputsDID = sQID as the user’s partial private key. Generate Key Pair. A user with identity ID selects a random x 2 Zp as its secret value SID, andpublish its public key PID = xPpub. CL-Sign. Given a user’s private keys (DID;SID) and a message M, the user randomly picks anelement r 2 Zp, computes S = SID-1DID, R = (r- SID)P, V = H2(M;R;PID)r, and outputs s =(S;R;V ) as his/her signature on message M under the public key PID. CL-Verify. Given a signature (S;R;V ) on a message M of a user ID with public key PID, a veri-fier computes h = H2(M;R;PID) and checks whether (Ppub;VP- hR;h-1S;QID) is a valid Diffie-Hellman tuple, namely whether the equation e^(VP-hR;h-1S) = e^(Ppub;QID) holds.2.2 Description of McCLS2The first three algorithms of McCLS2 in [5] are exactly the same as those of McCLS1 in [4]. Thereare slight differences in the CL-Sign and CL-Verify algorithms. We just depict the differences here. CL-Sign. Given a user’s private keys (DID;SID) and a message M, the user randomly picks anelement r 2 Zp, computes S = SID-1DID, R = (r- SID)P, V = H2(M;R;PID)rP and outputs s =(S;R;V ) as his/her signature on message M under public key PID. CL-Verify. Given a signature (S;R;V ) on a messageM of a user ID with public key PID, a verifiercomputes h=H2(M;R;PID) and checks whether (Ppub;V-hR;h-1S;QID) is a valid Diffie-Hellmantuple, namely whether the equation e^(V -hR;h-1S) = e^(Ppub;QID) holds.588 F. Zhang, S. Li, S. Miao, Y. Mu, W. Susilo, X. Huang3 Universal forgeryAs we can see, in the McCLS schemes, a signature on a message M of a user ID with public keyPID consists of three components S, R and V . Note that for a user ID with public key PID, S remainsunchanged for all messages, R andV are irrelevant to the partial private key DID. Here we give two kindsof universal forgery under known message attacks.3.1 Attacks Against McCLS11. Universal forgery by replacing public keyThe scheme McCLS1 cannot resist public key replacement attacks of a type I adversaryA. For thedefinition of type I and type II adversaries, please refer to [1, 4, 5, 8, 11, 13, 14]. Let s = (S;R;V )be ID’s valid signature on a message M, whereS = SID-1DID, R= (r-SID)P, V = H2(M;R;PID)r, and r 2R Zp.Given R and V , the random number r can be easily derived as r = VH2(M;R;PID)-1. And thenSIDP is known as SIDP= rP-R. NowA is able to forge a user ID’s valid signature on any messagem as follows:(a) Choose a random c 2 Zp and let r 0 = cr 2 Zp;(b) Replace ID’s public key as P 0ID = cPID (the new secret value corresponding to the public keyP 0ID is S 0ID = cSID );(c) Compute S 0 = c-1S;R 0 = cR;V 0 = H2(m;R 0;P 0ID)r0;(d) Set s 0 = (S 0;R 0;V 0) as ID’s signature on message m under the public key P 0ID. We can seethat (Ppub;V 0P-H2(m;R 0;P 0ID)R0;H2(m;R 0;P 0ID)-1S 0;QID) is a valid Diffie-Hellman tuplesincee^(V 0P-H2(m;R 0;P 0ID)R0;H2(m;R 0;P 0ID)-1S 0)= e^((H2(m;R 0;P 0ID)crP)-H2(m;R0;P 0ID)(crP- cSIDP));H2(m;R0;P 0ID)-1c-1S)= e^(H2(m;R 0;P 0ID)cSIDP;H2(m;R0;P 0ID)-1c-1S)= e^(SIDP;S)= e^(P;DID)= e^(Ppub;QID)2. Universal forgery without replacing public keyFrom ID’s valid signature s = (S;R;V ) on a messageM, the adversary can getr =VH2(M;R;PID)-1;SIDP= rP-R:With these he can forage a signature s 0 = (S 0;R 0;V 0) on any message m without replacing ID’spublic key as follows:Pick r 0 2R Zp, and compute S 0 = S, R 0 = r 0P- sIDP, V 0 = H2(m;R 0;PID)r 0.The verification will always output “accept" since(Ppub;V 0P-H2(m;R 0;PID)R 0;H2(m;R 0;PID)-1S 0;QID)Cryptanalysis on Two Certificateless Signature Schemes 589is really a valid Diffie-Hellman tuple. The reason ise^(V 0P-H2(m;R 0;PID)R 0;H2(m;R 0;PID)-1S 0)= e^(H2(m;R 0;PID)r 0P-H2(m;R 0;PID)(r 0P-SIDP);H2(m;R 0;PID)-1S)= e^(H2(m;R 0;PID)SIDP;H2(m;R 0;PID)-1S)= e^(SIDP;S)= e^(Ppub;QID)3.2 Attacks Against McCLS21. Universal forgery by replacing public keyLet s = (S;R;V ) be ID’s valid signature on a messageM. It is obvious thatrP= H2(M;P;PID)-1V , SIDP= rp-R:A type I adversary A may forge ID’s valid signature on any message m as follows:(a) Choose a random c 2 Zp and let r 0 = cr 2 Zp.(b) Replace ID’s public key as P 0ID = cPID (this implies the new secret value corresponding to thenew public key P 0ID is S 0ID = cSID ).(c) ComputeS 0 = c-1S;R 0 = (r 0-S 0ID)P= cR;V0 = H2(m;R 0;P 0ID)r0P= cH2(m;R 0;P 0ID)rP.(d) Set s 0 = (S 0;R 0;V 0) as ID’s signature on message m using public key P 0ID.We can see (Ppub;V 0-H2(m;R 0;P 0ID)R0;H2(m;R 0;P 0ID)-1S 0;QID) is a valid Diffie-Hellmantuple sincee^(V 0-H2(m;R 0;P 0ID)R0;H2(m;R 0;P 0ID)-1S 0)= e^(H2(m;R 0;P 0ID)crP-H2(m;R0;P 0ID)(crP- cSIDP);H2(m;R0;P 0ID)-1c-1S)= e^(H2(m;R 0;P 0ID)cSIDP;H2(m;R0;P 0ID)-1c-1S)= e^(SIDP;S)= e^(P;DID)= e^(Ppub;QID)2. Universal forgery without replacing public keyThe adversary can getrP= H2(M;R;PID)-1V , SIDP= rP-R= H2(M;R;PID)-1V -R,from ID’s valid signature s = (S;R;V ) on a message M. Then it (may be type I or type II) canforge a signature s 0 = (S 0;R 0;V 0) on any message m without replacing ID’s public key as follows:Pick r 0 2R Zp, and compute S 0 = S, R 0 = r 0P- sIDP, V 0 = H2(m;R 0;PID)r 0P.The verification will always output “accept" since(Ppub;V 0-H2(m;R 0;PID)R 0;H2(m;R 0;PID)-1S 0;QID)590 F. Zhang, S. Li, S. Miao, Y. Mu, W. Susilo, X. Huangis really a valid Diffie-Hellman tuple. This is becausee^(V 0-H2(m;R 0;PID)R 0;H2(m;R 0;PID)-1S 0)= e^(H2(m;R 0;PID)r 0P-H2(m;R 0;PID)(r 0P-SIDP);H2(m;R 0;PID)-1S)= e^(H2(m;R 0;PID)SIDP;H2(m;R 0;PID)-1S)= e^(SIDP;S)= e^(Ppub;QID)From these attacks, one can see McCLS1 and McCLS2 are insecure even in the weakest securitymodel.4 ConclusionRecently, two certificateless signature schemes McCLS1 and McCLS2 were proposed for MobileWireless Cyber-Physical Systems. They only require two scalar multiplications in signing phase andtwo scalar multiplications and one pairing in verification phase. So they are efficient with respect tocomputational cost. Although the authors claimed and proved that McCLS1 and McCLS2 were secure,as we have shown in this paper they are in fact insecure. Universal forgeries against those two schemeshave been presented under known message attacks.5 AcknowledgmentThis research is supported by the Natural Science Foundation of China under grant number 60673070and Academic Discipline Fund of NJUT.Bibliography[1] S. Al-Riyami, K. Paterson. Certificateless public key cryptography. Proceedings of Asiacrypt 2003,Lecture Notes in Computer Science 2894, Springer-Verlag, 452-473, 2003.[2] A. Shamir. Identity based cryptosystems and signature schemes. Proceedings of Crypto’84, 47-53,1984.[3] X. Huang, W. Susilo, Y. Mu, F. Zhang. On the security of a certificateless signature scheme. Pro-ceedings of ACISP 2005, 13-25, 2005.[4] Z. Xu, X. Liu, G. Zhang, W. He, G. Dai, W. Shu. A Certificateless Signature Scheme for MobileWire-less Cyber-Physical Systems. The 28th International Conference on Distributed Computing SystemsWorkshops, 489-494, 2009.[5] Z. Xu, X. Liu, G. Zhang, W. He. McCLS: Certificateless Signature Scheme for Emergency MobileWireless Cyber-Physical Systems. International Journal of Computers, Communications & Control(IJCCC), 3(4): 395-411, 2008.[6] W. Yap, S. Heng, B. Goi1. An efficient certificateless signature scheme. Proceedings of EUC Work-shops 2006, Lecture Notes in Computer Science 4097, Springer-Verlag, 322-331, 2006.[7] J. Park. An attack on the certificateless signature scheme from EUC Workshops 2006. CryptologyePrint Archive, Report 442, 2006.Cryptanalysis on Two Certificateless Signature Schemes 591[8] Z. Zhang, D. Feng. Key replacement attack on a certificateless signature scheme. Cryptology ePrintArchive, Report 453, 2006.[9] K. Choi, J. Park, J. Hwang, D. Lee. Efficient certificateless signature schemes. Proceedings of ACNS2007, Lecture Notes in Computer Science 4521, Springer-Verlag, 443-458, 2007.[10] R. Castro, R. Dahab. Two notes on the security of certificateless signatures. Proceedings of ProvSec2007, Lecture Notes in Computer Science 4784, Springer-Verlag, 85-102, 2007.[11] Z. Zhang, D. Wong, J. Xu, D. Feng. Certificateless public-key signature: security model and effi-cient construction. Proceedings of ACNS 2006, Lecture Notes in Computer Science 3989, Springer-Verlag, 293-308, 2006.[12] B. Hu, D. Wong, Z. Zhang, X. Deng. Key replacement attack against a generic construction ofcertificateless signature. Proceedings of ACISP 2006, Lecture Notes in Computer Science 4058,Springer-Verlag, 235-346, 2006.[13] X. Huang, Y. Mu, W. Susilo, D. Wong, W. Wu. Certificateless signature revisited. Proceedings ofACISP 2007, Lecture Notes in Computer Science 4586, Springer-Verlag, 308-322, 2007.[14] L. Zhang, F. Zhang, F. Zhang. New efficient certificateless signature scheme. Proceedings of EUCWorkshops 2007, Lecture Notes in Computer Science 4809, Springer-Verlag, 692-703, 2007.Futai Zhang (b. Augest 28, 1965) received his M.Sc. in Mathematics (1990) from ShaanxiNormal University, China, and PhD in Cryptology (2001) from Xidian University, China. Nowhe is a professor at Nanjing Normal University, China. His current research interest is public keycryptography.Sujuan Li is now a PhD candidate in Nanjing Normal University, China. Her current researchinterests include information security and cryptography.Songqin Miao is now a M.Sc candidate in Nanjing Normal University, China. Her main researchinterest is cryptography.Yi Mu received his PhD from the Australian National University in 1994. He is an associateProfessor at the School of Computer Science and Software Engineering at the University ofWollongong. He is the co-director of Centre for Computer and Information Security Research(CCISR) at the University of Wollongong. His current research interests include network security,electronic payment, cryptography, access control, and computer security.Willy Susilo received a Ph.D. in Computer Science from University of Wollongong, Australia.He is a Professor at the School of Computer Science and Software Engineering at the Universityof Wollongong. He is the co-director of Centre for Computer and Information Security Research(CCISR) at the University of Wollongong.His current research interests include informationsecurity and cryptography.Xinyi Huang received his Ph.D. in Computer Science from University of Wollongong, Australiain 2009. His current research mainly focuses on cryptography and its applications.

Cryptanalysis on Two Certificateless Signature Schemes

http://univagora.ro/jour/index.php/ijccc/article/view/2517/978

Cryptanalysis on Two Certificateless Signature Schemes

Abstract

Similar works

Full text

Available Versions

Agora University Editing House: Journals