cryptanalysis of a certificate-based on signature scheme
TRANSCRIPT
Procedia Engineering 29 (2012) 2821 – 2825
1877-7058 © 2011 Published by Elsevier Ltd.doi:10.1016/j.proeng.2012.01.397
Available online at www.sciencedirect.comAvailable online at www.sciencedirect.com
Procedia Engineering 00 (2011) 000–000
ProcediaEngineering
www.elsevier.com/locate/procedia
2012 International Workshop on Information and Electronics Engineering (IWIEE)
Cryptanalysis of a Certificate-Based on Signature Scheme
Lin Cheng*, Ying Xiao, Gang Wang
State Key Laboratory of Networking and Switch Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Abstract
Certificate-based cryptosystem combines the advantage of both traditional public key cryptosystem and identity based cryptosystem as it avoids the usage of certificates and resolves the key escrow problem. Recently, Liu et al. proposed a short and efficient certificate-based signature scheme and showed that the scheme was secure in the random oracles. In this paper, we show that Liu et al.’s certificate-based signature scheme is universally forgeable by a Type I adversary who models an uncertified entity and can replace the public keys of entities at will, but is not allowed to obtain the target user’s certificate.
© 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of Harbin University of Science and Technology.
Keyword: Short signatures; Certificate-based signatures; Security model; Provable security; Cryptanalysis
1. Introduction
In a traditional public key cryptosystem (PKC), when Alice wishes to send a message to Bob, Alice signs a message using her private key, verifier Bob verifies the signature using Alice’s public key. However, Alice’s public key is just merely a random string and it needs a certificate issued by a trusted party called the Certificate Authority (CA) to guarantee the authenticity of her public key. It is generally considered that the certificates in traditional PKC are costly to use and manage. Identity-based cryptosystem (IBC) solves the aforementioned problem by using Alice’s identity (or email address) as her public key while the corresponding private key is generated by a trusted third party called the private key generator (PKG). However, there exists an inherent drawback called private key escrow problem in an ID-
* Corresponding author. Email addresses: [email protected]
2822 Lin Cheng et al. / Procedia Engineering 29 (2012) 2821 – 28252 L. Cheng et al. / Procedia Engineering 00 (2011) 000–000
based public key cryptography. That is, the PKG knows the private key of every user and can decrypt any ciphertext or forge the user’s signature on any message. Certificate-based cryptosystem combines the advantage of both traditional public key cryptosystem and identity based cryptosystem. In 2004, Kang et al.[1] firstly proposed the notion of certificate-based signature. In a certificate-based signature scheme, each user generates his/her own private and public keys and requests a certificate from the Certificate Authority (CA) while the CA generates the certificate from the user’s identity and his/her public key. To sign for a message, the signer must have the knowledge of both certificate and private key. Knowing only one of them should not be able to generate a valid signature. Li et al. [2] showed that Kang et al.’s certificate-based signature [1] was insecure against key replacement attacks, and refined their security model for certificate-based signature. As introduced in [2], adversaries in certificate-based signature can be roughly divided into two types. The Type I attacker simulates the scenario where the adversary (anyone except the CA) can replace the public keys of entities at will, but is not allowed to obtain the target user’s certificate, while the Type II attacker simulates a malicious CA who can produce certificates but cannot replace the target user’s public key. More elaborated security models of certificate-based signature are given in [3, 4], where the Type I/II adversary for certificate-based signatures are classifiedinto three kinds, namely, normal adversary, strong adversary and super adversary(ordered by their attack power). Recently, using the enhanced security model given in [2], Liu et al. [5] proposed a short and efficient certificate-based signature scheme, which is provably secure in the random oracle model and just requires one scalar elliptic curve multiplication for the signing stage and contains one element for both the public key and signature size. It is shorter than the previous certificate-based signature schemes [1, 2, 6, 7, 8, 9] which require at least two elements for the signature size. In this paper, we show that Liu et al.’s certificate-based signature scheme [5] is insecure against the Type I adversaries.
The rest of paper is organized as follows. In Section 2, we review Liu et al.’s certificate-basedsignature scheme. In Section 3, we show that Liu et al.’s certificate-based signature scheme is not secure against the Type I adversaries. Concluding remarks are given in Section 4.
2. Review of Liu et al.’s certificate-based signature scheme
Liu et al.’s certificate-based signature scheme [5] involves three entities, i.e. CA, signer and verifier, and consists of the following five algorithms: Setup. The CA firstly selects a pairing : Te G G G× → where the order of G is p , a generator g of G , two collision resistant cryptographic hash functions: { }1 : 0,1H G
∗ → , { }2 : 0,1 pH Z∗ → , then
randomly selects pZα ∈ and computes
1g gα= (1)
The public parameters params are ( )1, , , , ,Te G G p g g and the master secret key msk is α .UserKeyGen. User selects a secret value px Z∈ as his secret key usk , and computes his public key PK as
xY g= (2)
Certify. Given public parameters params , the master secret key msk , public key PK of the user ID ,the CA computes certificate
( )1 ,C H ID PKα= (3)
2823Lin Cheng et al. / Procedia Engineering 29 (2012) 2821 – 2825L. Cheng al. / Procedia Engineering 00 (2011) 000–000 3
Sign. To sign a message { }0,1m∗∈ , the signer computes
2
1( , , )x H m ID PKCδ += (4)
δ is the resultant signature on the message m .Verify. On receiving a signature on a message m , the verifier checks whether
( )( ) ( )( )2 , ,1 1, , ,H m ID PKe Y g e H ID PK gδ ⋅ = (5)
3. Cryptanalysis of Liu et al.’s certificate-based signature scheme
The security models of certificate-based signatures are defined by two different games. In Game I, the type I adversary models an uncertified entity, while in Game II, the type II adversary models the malicious CA in possession of the master key msk attacking a fixed entity’s public key. In this section, we firstly describe game I specified in [2, 5], which is used to show a certificate-based signature scheme to be existential unforgeable against the Type I adversaries. Then we show that Liu et al.’s certificate-based signature scheme is insecure, even is universally forgeable by a Type I adversary. That is, there exists a Type I adversary who can always win the Game I and forge a signature on any message.
3.1. Secure against a Type I adversary
Game 1. The challenger runs Setup to generate public parameters params and the master secret key msk , and gives params to the adversary IA and keeps msk to itself. The adversary IA adaptively performs a polynomially bounded number of oracle queries as below: User-Key-Gen Query ( )ID . On receiving this request, if ID has been already created, nothing is to be carried out. Otherwise, the challenger runs the algorithm UserKeyGen to obtain a secret/public key pair ( ),usk PK . Then it adds the triple ( ), ,ID usk PK to the list L. In this case, ID is said to be created. In both cases, PK is returned. Corruption Query ( )ID . On receiving this request, the challenger checks the list L. If ID is there, it returns the corresponding secret key usk . Otherwise nothing is returned. Certification Query ( )ID . On receiving this request, the challenger runs Certify and returns certificateC .Key-Replace Query ( ), ,ID PK usk . On receiving this request, the challenger checks if PK is the public key corresponding to the secret key usk . If yes, it updates the secret/public key pair to the list L. Otherwise it outputs ⊥meaning invalid operation. Signing Query ( , , )ID PK m . On receiving this request, the challenger generates δ by using algorithm Sign.Eventually, IA outputs ( , , )ID m δ∗ ∗ ∗ , where ID∗ is the identity of a target user, m∗ is a message, and δ ∗ is a signature for m∗ . IA wins the game if (1) δ ∗ is a valid signature on the message m∗ under the public key PK ∗ with user information ID∗ ,where PK ∗ is either the one returned from User-Key-Gen Query or a valid input to the Key-Replace Query.(2) ID∗has never been submitted to the Certification Query.(3) ( , , )ID PK m∗ ∗ ∗ has never been submitted to the Signing Query.
IA ’s advantage in this game is defined as
2824 Lin Cheng et al. / Procedia Engineering 29 (2012) 2821 – 28254 L. Cheng et al. / Procedia Engineering 00 (2011) 000–000
Adv(A ) = Pr[A wins] I I (6)
3.2. Attacks on Liu et al.’s certificate-based signature scheme
Recently, using the enhanced security model given in [2], Liu et al. [5] proposed a short and efficient certificate-based signature scheme, and claimed that their scheme [5] was proved to be secure against the type I/II adversaries. In this section, we will show that Liu et al.’s certificate-based signature scheme is not secure against the Type I adversaries. That is, a Type I adversary A I can obtain the partial private key of a target user (with identity ID∗ ).
The challenger runs Setup to generate public parameters 1( , , , , , )Tparams e G G p g g= and the master secret key msk , then gives params to the adversary A I and keeps msk to itself. Recall the restrictions in game I, it is legal for A I to carry out the following query. 1. A I makes user-key-gen query ( )ID∗ to obtain user’s public key PK ∗ .2. A I issues corruption query ( )ID∗ to obtain user’s secret key x .3. A I makes signing query ( , , )ID PK m∗ ∗ to obtain signature δ ∗ .4. A I obtains the hash value 2 ( , , )H m ID PK∗ ∗ by making hash query.
According to Sign algorithm, A I can compute the user’s certificate C as follows:
( ) 2 ( , , )x H m ID PK
C δ∗ ∗+∗=
(7)
As a result, the adversary A I can forge a signature on any message and win the Game I. Therefore, Liu
et al.’s certificate-based signature scheme [5] is insecure, even is universally forgeable by the Type I adversary.
The weakness of Liu et al.’s certificate-based signature scheme against the type I adversary is due to the fact that their signature scheme is deterministic. In fact, as in [8, 9], using random value in the Sign algorithm can resolve the problem, but it will be at cost of the signature length. So, the feasibility of a short certificate-based signature scheme provably fitting the enhanced security model of [2] still remains a challenging open problem.
4. Conclusion
Short signatures are important in low-bandwidth communication, low-storage and low-computation environments, such as printing a signature on a postage stamp, a commerce invoice or a bank bill. Recently, Liu et al. proposed a short and efficient certificate-based signature scheme [5] and showed that the scheme was secure in the random oracles. In this paper, we have showed that Liu et al.’s certificate-based signature scheme [5] is universally forgeable by a Type I adversary who models an uncertifiedentity and can replace the public keys of entities at will, but is not allowed to obtain the target user’s certificate. The feasibility of a short certificate-based signature scheme provably fitting the enhanced security model of [2] still remains a challenging open problem.
Acknowledgement
This work is supported by the National Natural Science Foundation of China (Grant Nos. 61170270, 61100203, 60873191, 60903152, 61003286, 60821001) and the Fundamental Research Funds for the Central Universities (Grant Nos. BUPT2011YB01, BUPT2011RC0505).
2825Lin Cheng et al. / Procedia Engineering 29 (2012) 2821 – 2825L. Cheng al. / Procedia Engineering 00 (2011) 000–000 5
References
[1] B. Kang, J. Park, S. Hahn, A certificate-based signature scheme, in: Okamoto, T. (ed.) CT-RSA 2004, LNCS, Springer,
Heidelberg, 2964 (2004), 99–111.
[2] J. Li, X. Huang, Y. Mu, W. Susilo, Q. Wu, Certificate-based signature: security model and efficient construction, in: Lopez,
J.,Samarati, P., Ferrer, J.L. (eds.) EuroPKI 2007, LNCS, Springer, Heidelberg, 4582 (2007) 110–125.
[3] W. Wu, Y.Mu, W. Susilo, X. Huang, Certificate-based signatures revisited, Journal of Universal Computer Science 15 (8)
(2009)1659–1684.
[4] W. Wu, Y. Mu, W. Susilo, X. Huang, Certificate-based signatures: New definitions and a generic construction from
certificateless signatures, in: K.-I. Chung, K. Sohn, and M. Yung (eds.) WISA 2008, LNCS, Springer, Heidelberg, 5379 (2009), 99–
114.
[5] J. Liu, J. Baek, W. Susilo, J. Zhou, Short and efficient certificate-based signature, in: V. Casares-Giner et al.(eds.)
NETWORKING 2011 Workshops, LNCS, IFIP International Federation for Information Processing, 6827(2011), 167–178.
[6] M. Au, J. Liu, W. Susilo, T. Yuen, Certificate based (linkable) ring signature, in: E. Dawson and D.S. Wong (eds.) ISPEC
2007, LNCS, Springer, Heidelberg, 4464 (2007), 79–92.
[7] J. Liu, J. Baek, W. Susilo, J. Zhou, Certificate-based signature schemes without pairings or random oracles, in: Wu, T.C., Lei,
C.L., Rijmen, V., Lee, D.T.(eds.) ISC 2008, LNCS, Springer, Heidelberg, 5222 (2008), 285–297.
[8] J. Zhang, On the security of a certificate-based signature scheme and its improvement with pairings, in: F. Bao, H. Li, and G.
Wang (eds.) ISPEC 2009, LNCS, Springer, Heidelberg, 5451 (2009), 47–58.
[9] J. Zhang, H. Chen, Y. Yang, A provably secure certificate-based signature scheme, in: Key Engineering Materials, Trans
Tech Publications, Switzerland, 439-440 (2010), 1271–1276.