I. Introduction
In 1984, Shamir[11] introduced an identity (ID)-based cryptosystem to simplify the key management procedures of public key infrastructure (PKI). The idea is to use a binary string that uniquely identifies a user, such as an email address, an IP address or a social security number, as the user’s public key. Certificates are then needed only for a trusted authority, called the Private Key Generator (PKG), which is responsible for generating private keys for users. An inherent problem of ID-based cryptography is the key escrow problem: the private key of every user is known to the PKG, so the PKG can decrypt any ciphertext and forge a signature on any message for any user. In 2003, Al-Riyami and Paterson[1] introduced certificateless public key cryptography (CL-PKC) in order to avoid the inherent key escrow problem of ID-based cryptosystems while still not requiring certificates to guarantee the authenticity of public keys. A user’s private key in CL-PKC is not generated by the Key Generation Center (KGC) alone; instead, it is a combination of a contribution from the KGC and a secret chosen by the user, so that the key escrow problem is solved. The user’s additional public key does not need to be certified by any trusted authority, but as a consequence CL-PKC schemes are not purely ID-based. Al-Riyami and Paterson proposed a certificateless signature (CLS) scheme but did not formalize a security model for unforgeability, and their CLS scheme was later found vulnerable to a key replacement attack by Huang et al.[8]. Since Al-Riyami and Paterson’s CLS scheme, several CLS schemes have been proposed[4,5,9]. They provided only informal analysis and were subsequently found to be vulnerable to key replacement attacks by type I adversaries[2]. Later, CLS schemes proven secure in the random oracle model[3,8,14] were proposed. Recently, Liu et al.[10] proposed a provably secure CLS scheme in the standard model.
In addition to these direct constructions, there exists a generic construction that converts existing signature schemes in different infrastructures into CLS schemes. Yum and Lee[13] proposed a generic construction for CLS schemes by combining any standard signature (SS) scheme with any ID-based signature (IBS) scheme. Subsequently, Hu et al.[7] showed that this construction is insecure against key replacement attacks and proposed an improved version by modifying the input of the signing algorithm. In particular, Hu et al.[7] established a simplified definition and a formal security model for CLS schemes, which they showed to be more versatile than the previous ones[8]. Recently, Au et al.[2] suggested a malicious-but-passive KGC attack, in which the KGC may not generate its master public/secret key pair honestly in order to mount the attack, and modified Hu et al.’s model to capture this attack. They also showed that Al-Riyami and Paterson’s scheme and its variants [2,7,9] are insecure against malicious-but-passive KGC attacks, while the security of the CLS scheme converted from the modified Yum-Lee construction is preserved in their new model.
Recently, Guo et al.[6] and Wang et al.[12] proposed new efficient CLS schemes based on Li et al.’s scheme[9]. Guo et al. proved the security of their scheme against a type I adversary and a type II adversary in the random oracle model under the q-th Strong Diffie-Hellman assumption and the Computational Diffie-Hellman assumption, respectively, while Wang et al. did not provide a formal security proof. In this paper, we show that both CLS schemes are insecure against key replacement attacks by a type I adversary.
The remainder of this paper is organized as follows. In Section 2, we review Wang et al.’s and Guo et al.’s CLS schemes. In Section 3, we present key replacement attacks on the schemes. Concluding remarks are given in Section 4.
II. Review of Two CLS Schemes
We first review Wang et al.’s and Guo et al.’s CLS schemes, which follow Al-Riyami and Paterson’s definition[1].
■ Wang et al.’s CLS Scheme
Setup. Given a security parameter k, the algorithm works as follows:
1. Run a generator to output descriptions of G1 and G2 of prime order q and a bilinear pairing e: G1×G1→G2.
2. Choose an arbitrary generator P ∈ G1.
3. Choose a random #, set Ppub = sP, and compute g = e(P,P), where s is a master secret.
4. Choose cryptographic hash functions # and #.
5. The system parameters are params = < G1, G2, e, q, P, Ppub, g, H1, H2 >.
Partial-Private-Key-Extract. This algorithm takes as input a security parameter k, the system parameters params, the master secret s and a user A’s identity IDA, and returns a partial private key corresponding to IDA. It adopts a blinding technique so that no confidential and authentic channel between A and the KGC is required.
1. The user A chooses a value #, computes kP and then sends < IDA, kP > to the KGC.
2. After receiving the message, the KGC checks that A has a claim to a particular online identifier IDA. If it does, the KGC computes
#
and then sends it to A through an open channel.
3. On receipt of #, A computes a partial private key # as
#
Notice that A can verify the correctness of the output of the Partial-Private-Key-Extract algorithm by checking that
#
Set-Secret-Value. This algorithm takes as input the system parameters params and an identity IDA, and returns a secret value xA corresponding to IDA for a random #.
Set-Private-Key. This algorithm takes as input the system parameters params, a partial private key # and a secret value xA , and returns a (full) private key # as
#
Set-Public-Key. This algorithm takes as input the system parameters params, an identity IDA, a secret value xA and outputs a public key # corresponding to IDA, where # and #.
Sign. Given a message m∈{0,1}* and a private key #,
1. Choose #, and compute r = g^a ∈ G2 and #.
2. Compute #. Then σ=(U, v) is a signature on m for {IDA, < XA, YA >}.
Verify. To verify a signature σ=(U, v) on a message m for {IDA, < XA, YA >},
1. Check whether the equality e(XA, Ppub) = e(YA, P) holds. If it holds, compute
r = e(U, H1(IDA)XA + YA)·g^{-v}.
2. Check whether the equality v = H2(m||r) holds. If it holds, accept the signature.
■ Guo et al.’s CLS Scheme
Algorithms in Guo et al.’s scheme except the following three algorithms are the same as those in Wang et al.’s scheme.
Set-Partial-Private-Key. Given a security parameter k, the master secret s and an identity IDA, output # as the partial private key corresponding to IDA.
Set-Private-Key. Given a partial private key #, an identity IDA and a secret value xA, output # as the (full) private key corresponding to IDA.
Set-Public-Key. Given an identity IDA and a secret value xA, compute XA=xAP, YA=xAPpub and set #.
The main difference between Wang et al.’s scheme and Guo et al.’s scheme is that Wang et al. use the blinding technique to eliminate the secure channel between the signer and the KGC in the Partial-Private-Key-Extract stage.
III. Key Replacement Attacks on the Two CLS Schemes
Now, we present key replacement attacks on the two CLS schemes described in the previous section. In CLS schemes, there exist two types of adversaries with the following capabilities:
• A type I adversary A_I, a third party, is not allowed to access the master secret, but A_I may replace user public keys of its choice.
• A type II adversary A_II, a malicious KGC, is allowed to access the master secret but may not replace user public keys.
Now, we show that the two CLS schemes are insecure against key replacement attacks by a type I adversary.
■ Key Replacement Attack on Wang et al.’s Scheme
Suppose that a type I adversary A_I wants to forge a certificateless signature of Wang et al.’s scheme. We assume that A_I has obtained a certificateless signature σ=(U,v) on m for #, where #, # and v = H2(m||r). Then A_I can forge σ´=(U´,v´) on the same message m for another public key pair #, corresponding to IDA, as follows:
- A_I selects a random # and computes a new public key pair to replace the original as # and #.
- Next, A_I computes U´=tU and sets v´=v. Then σ´=(U´,v´) is a valid signature on m for #, since it satisfies the verification equations as follows:
#
and v=H2(m||r´) since
#
i.e., #
where # and # is a valid private key of IDA corresponding to the replaced public key #.
This result shows that the scheme is insecure against a type I adversary, since the adversary can forge a user’s certificateless signature under the replaced public key. The same attack applies to Li et al.’s[9] and Guo et al.’s[6] CLS schemes, since they use the same signing method as Wang et al.’s scheme.
IV. Conclusion
We presented key replacement attacks on Wang et al.’s and Guo et al.’s CLS schemes. Their weakness against these attacks is due to the lack of a binding between the message being signed and the user public key. The attacks can be prevented by adding the user public key PKID together with m to the input of the hash function, i.e., h = H(m||r||PKID), as described in [13].
* This work was supported by the Korea Research Foundation Grant funded by the Korean Government (Ministry of Education, Science and Technology) in 2008. (Author 1: 2nd-stage BK21 project; Authors 1 and 2: KRF-2008-313-C00118)
References
[1] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," Advances in Cryptology, ASIACRYPT 2003, LNCS 2894, pp. 452-473, 2003.
[2] M.H. Au, Y. Mu, D.S. Wong, J.K. Liu, J. Chen, and G. Yang, "Malicious KGC attack in certificateless cryptography," ACM Symposium on Information, Computer and Communications Security, ASIACCS 2007, pp. 302-311, Mar. 2007. https://doi.org/10.1145/1229285.1266997
[3] K.Y. Choi, J.H. Park, J.K. Hwang, and D.H. Lee, "Efficient certificateless signature schemes," International Conference on Applied Cryptography and Network Security, ACNS 2007, LNCS 4521, pp. 443-458, 2007.
[4] M. Gorantla, R. Gangishetti, M. Das, and A. Saxena, "An effective certificateless signature scheme based on bilinear pairings," International Workshop on Security in Information Systems, WOSIS 2005, pp. 31-39, May 2005.
[5] M. Gorantla and A. Saxena, "An efficient certificateless signature scheme," International Conference on Computational Intelligence and Security, CIS 2005, LNCS 3802, pp. 110-116, 2005.
[6] L. Guo, L. Hu, and Y. Li, "A practical certificateless signature scheme," International Symposium on Data, Privacy, and E-Commerce, IEEE ISDPE 2007, pp. 248-253, Jan. 2007. https://doi.org/10.1109/ISDPE.2007.74
[7] B. Hu, D. Wong, Z. Zhang, and X. Deng, "Key replacement attack against a generic construction of certificateless signature," Australasian Conference on Information Security and Privacy, ACISP 2006, LNCS 4058, pp. 235-246, 2006.
[8] X. Huang, W. Susilo, Y. Mu, and F. Zhang, "On the security of certificateless signature scheme from ASIACRYPT 03," International Conference on Cryptology and Network Security, CANS 2005, LNCS 3810, pp. 13-25, 2005.
[9] X. Li, K. Chen, and L. Sun, "Certificateless signature and proxy signature schemes from bilinear pairings," Lithuanian Mathematical Journal, vol. 45, no. 1, pp. 95-103, Jan. 2005. https://doi.org/10.1007/s10986-005-0008-5
[10] J.K. Liu, M.H. Au, and W. Susilo, "Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model," ACM Symposium on Information, Computer and Communications Security, ASIACCS 2007, pp. 273-283, Mar. 2007. https://doi.org/10.1145/1229285.1266994
[11] A. Shamir, "Identity-based cryptosystems and signature schemes," Advances in Cryptology, CRYPTO 84, LNCS 196, pp. 47-53, 1985. https://doi.org/10.1007/3-540-39568-7_5
[12] C. Wang, H. Huang, and Y. Tang, "An efficient certificateless signature from pairings," International Symposium on Data, Privacy, and E-Commerce, IEEE ISDPE 2007, pp. 236-238, Jan. 2007. https://doi.org/10.1109/ISDPE.2007.15
[13] D. Yum and P. Lee, "Generic construction of certificateless signature," Australasian Conference on Information Security and Privacy, ACISP 2004, LNCS 3108, pp. 200-211, 2004.
[14] Z. Zhang, D.S. Wong, J. Xu, and D. Feng, "Certificateless public-key signature: security model and efficient construction," International Conference on Applied Cryptography and Network Security, ACNS 2006, LNCS 3989, pp. 293-308, 2006.