Security Analysis of Two Certificateless Signature Schemes

두 인증서 없는 서명 기법들에 관한 안전성 분석

Abstract

Certificateless cryptography eliminates the need of certificacates in the public key crytosystems and solves the inherent key escrow problem in identity-based cryptosystems. This paper demonstrates that two certificateless signature schemes proposed by Guo et al. and Wang et al. respectively are insecure against key replacement attacks by a type I adversary. We show that the adversary who can replace a signer's public key can forge signatures under the replaced public key. We then make a suggestion to prevent the attacks.

인증서 없는 공개키 시스템은 기존의 공개키 암호시스템에서 인증서의 필요성을 제거하고 신원 기반 암호시스템에서 키 위탁 문제를 해결하였다. 본 논문에서는 Guo 등과 Wang 등에 의해서 제안된 각각의 인증서 없는 서명 기법들이 공격자 종류 I에 의해 키 대치공격에 취약하다는 것을 보인다. 다시 말해, 서명자의 공개키를 대치할 수 있는 능력을 가진 공격자가 서명자의 비밀키를 알지 못함에도 불구하고 서명을 위조할 수 있음을 보이고 이러한 공격을 방지하기 위한 대응법을 제안한다.

I. Introduction

In 1984, Shamir[11] introduced an identity (ID)-based cryptosystem to simplify key management procedures of the infrastructure (PKI). This notion is to use a binary string which can uniquely identify a user as the user’s public key. Examples of such a binary string include email address, IP address and social security number, etc. Certificates are only needed for some trusted authorities called a Private Key Generator (PKG) which is responsible for generating private keys for users. An inherent problem of the ID-based cryptography is the key escrow problem, i.e., the private key of a user is known to the PKG. The PKG can decrypt any ciphertext and forge signature on any message for any user. In 2003, Al-Riyami and Paterson[1] introduced a certificateless Public Key Cryptosystem (CL-PKC) in order to avoid the inherent key escrow problem of identity-based cryptosystems and not to require certificates to guarantee the authenticity of public keys. A user’s private key in a CL-PKC is not generated by the Key Generation Center (KGC) alone. Instead, it is a combination of some contribution of the KGC and some user’s chosen secret, in such a way that the key escrow problem can be solved. Some additional user’s public-key needs to be certified by any trusted authority and CL-PKC schemes are not purely ID-based. Al-Riyami and Paterson proposed a certificateless public-key signature (CLS) but they didn’t formalize a security model for unforgeability. However, their CLS scheme was recently found vulnerable to a key replacement attack by Huang et al.[8]. Since Al-Riyami and Paterson’s CLS scheme, several CLS schemes have been proposed[4,5,9]. They provided only informal analysis and were subsequently found to be vulnerable to key replacement attacks by type I adversaries[2]. Later, proven secure CLS schemes in the random oracle model[3,8,14] have been proposed. Recently, Liu et al.[10] proposed a provably secure CLS scheme in the standard model. In addition to these direct constructions, there exist a generic construction that converts existing signature schemes in different infrastructures into CLS schemes. Yum and Lee[13] proposed a generic construction for CLS schemes by combining any standard signature (SS) scheme with any ID-based signature (IBS) scheme. Subsequently, Hu et al.[7] showed that this construction is insecure against key replacement attacks and then proposed its improved version by modifying the input of signing algorithm. In particular Hu et al.[7] established a simplified definition and formal security model for CLS schemes which are shown to be more versatile than the previous ones[8]. Recently, Au et al.[2] suggested a malicious-but-passive KGC attack where a KGC may not generate master public/secret key pair honestly to mount the attack, they then modified Hu et al.’s model for capturing the attack. They also showed that Al-Riyami and Paterson’s scheme and its variants [2,7,9] are insecure against the malicious-but-passive KGC attacks and the security of the CLS scheme converted from the modified Yum-Lee’s construction is preserved in their new model.

Recently, Guo et al.[6] and Wang et al.[12] proposed new efficient CLS schemes based on Li et al.’s scheme[9]. Guo et al. proved its security against a type I adversary and a type II adversary in the random oracle model under the q-th Strong Diffie-Hellman assumption and the Computational Diffie-Hellman assumption, respectively, while Wang et al. didn’t provide its formal security proof. In this paper, we show that two CLS schemes are insecure against key replacement attacks by a type Ⅰ adversary.

The remainder of this paper is organized as follows. In Section 2, we review Wang et al.’s and Guo et al.’s CLS schemes. In Section 3, we present key replacement attacks on the schemes. Concluding remarks are given in Section 4.

II. Review of Two CLS Schemes

We first review Wang et al.’s and Gu et al.’s CLS schemes that follow Al-Riyami and Paterson’s definition[1].

■ Wang et al.’s CLS Scheme

Setup. Given a security parameter k, the algorithm works as follows :

1. Run a generator to output descriptions of G₁ and G₂ of prime order q and a bilinear pairing e: G₁×G₁→G₂.

2. Choose an arbitrary generator P ∈ G₁.

3. Choose a random #, set P_pub = sP, and compute g = e(P,P), where s is a master secret.

4. Choose cryptographic hash functions

# and #.

5. The system parameters are

params =< G₁ , G_2,e, q, P, P_pub, g, H₁, H₂ >.

Partial-Private-Key-Extract. This algorithm takes as input a security parameter k, the system parameters params, the master secret s and a user A’s identity ID_A, and returns a partial private key corresponding to ID_A. It adopts the blind technique to remove a confidential and authentic channel between A and the KGC.

1. The user A chooses a value #, computes kP and then sends < ID_A, kP >to the KGC.

2. After receiving the message, the KGC checks that A has a claim to a particular online identifier ID_A. If it does, the KGC computes

#

and then sends it to A through an open channel.

3. On the receipt of #, A computes a partial private key # as

#

Notice that A can verify the correctness of the output of the Partial-Private- Key-Extract algorithm by checking that

#

Set-Secret-Value. This algorithm takes as input the system parameters params and an identity ID_A, and returns a secret value x_A corresponding to ID_A for a random #.

Set-Private-Key. This algorithm takes as input the system parameters params, a partial private key # and a secret value x_A , and returns a (full) private key # as

#

Set-Public-Key. This algorithm takes as input the system parameters params, an identity ID_A, a secret value x_A and outputs a public key # corresponding to ID_A, where # and #.

Sign. Given a message m∈{0,1}^* and a private key #,

1. Choose #, and compute r= g^a∈G₂ and #.

2. Compute #. Then  σ=(U, v) is a signature on m for {ID_A, < X_A, Y_A >}.

Verify. To verify a signature σ=(U, v) on a message m for {ID_A, < X_A, Y_A >},

1. Check whether the equality

e(X_A, P_pub)= e(Y_A, P) holds or not. If it holds, compute

r= e(U, H₁(ID_A)X_A+Y_A)·g^-v.

2. Check whether the equality v= H₂(m||r) holds or not. If it holds, accept the signature.

■ Guo et al.’s CLS Scheme

Algorithms in Guo et al.’s scheme except the following three algorithms are the same as those in Wang et al.’s scheme.

Set-Partial-Private-Key. Given a security parameter k, the master secret s and an identity ID_A, output # as a partial-private-key correspond to ID_A.

Set-Private-Key. Given a partial private Key #, an identity ID_A and a secret value x_A, output # as a (full) private key correspond to ID_A.

Set-Public-Key. Given an identity ID_A and a secret value x_A, compute X_A=x_AP, Y_A=x_AP_pub and set #.

The main difference of Wang et al.’s scheme from Guo et al.’s scheme is to use the blind technique for eliminating a secure channel between the signer and the KGC in Partial-Private-key-Extract stage.

III. Key Replacement Attacks on the Two CLS Scheme

Now, we present key replacement attacks on the two CLS schemes described in the previous section. In CLS schemes, there exist two types of adversaries with the following capabilities;

• Type I adversary A_Ⅰ as a third party is not allowed to access to the master secret but A_Ⅰ may replace user public keys of its choices.

• Type II adversary A_Ⅱ as a malicious KGC is allowed to access to the master secret but not replace user public keys.

Now, we show that the two CLS schemes are insecure against key replacement attacks by a type I adversary.

■ Key Replacement Attack on Wang et al.’s Scheme

Suppose that a type I adversary A_Ⅰ wants to forge a certificateless signature of Wang et al.’s scheme. We assume that A_Ⅰ has obtained a certificateless signature σ=(U,v) on m for # where #, # and v= H₂(m|| r). Then A_Ⅰ can forge σ´=(U´ ,v´) on the same message m for another public key pair #, corresponding to ID_A as follows:

- A_Ⅰ selects a random # and computes a new public key pair being replaced as # and #.

- Next, A_Ⅰ computes U´=tU and sets v´=v. Then σ´=(U´, v´) is a valid signature on m for # since it satisfies the verification equations as follow;

#

and v=H₂(m||r´) since

#

i.e., #

where # and # is a valid private key of ID_A corresponding to the replaced public key #.

This result shows that it is insecure against a type Ⅰ adversary since the adversary can forge a user’s certificateless signature under the replaced public key. The same attack can be applied to Li et al.’s[9] and to Guo et al.’s[6] CLS schemes since they use the same signing method as Wang et al.’s one.

IV. Conclusion

We presented the key replacement attacks on Wang et al. and Guo et al.’s CLS schemes. Their weakness against the attacks are due to the lack of binding technique between messages and user public keys being signed. These attacks can be prevented by adding a user public key PK_ID together with m to the input of the hash function, i.e., h=H(m||r||PK_ID) as described in [13].

* 이 논문은 2008년 정부(교육과학기술부)의 재원으로 학술연구재단의 지원을 받아 수행된 연구임. (저자¹-2단계 BK21 지원사업, 저자^1,2-KRF-2008-313-C00118)