
Cryptanalysis of Some Proxy Signature Schemes without Certificates

Cryptanalysis of Some Proxy Signature Schemes without Certificates. Wun-She Yap, Swee-Huay Heng, Bok-Min Goi, Multimedia University. Proxy Signature. Introduced by Mambo et al. in 1996. Allow a designated signer (proxy signer) to sign the message on behalf of an original signer.


Presentation Transcript


  1. Cryptanalysis of Some Proxy Signature Schemes without Certificates
     Wun-She Yap, Swee-Huay Heng, Bok-Min Goi (Multimedia University)

  2. Proxy Signature
     • Introduced by Mambo et al. in 1996.
     • Allow a designated signer (proxy signer) to sign the message on behalf of an original signer
     • Involve three entities:
       • Original Signer
       • Proxy Signer
       • Verifier
     • Convince the verifier that the signature is signed by the proxy signer who obtains the delegation right from the original signer
     • Applications: e-cash system, global distribution network, grid computing, mobile agent applications, etc.

  3. Traditional PKC
     • Introduced by Diffie and Hellman in 1976
     • Required certificate
     [Diagram labels: Certificate Authority (CA), Certificate, Public Key, Private Key, Authentication, Communication, Alice, Bob]

  4. ID-Based PKC
     • Introduced by Shamir in 1984
     • + Implicit certification
     • - Inherent key escrow problem
     [Diagram labels: Private Key Generator (PKG), Private Key, Identity (ID), Authentication, Communication, Alice, Bob]

  5. Certificateless PKC
     • Introduced by Al-Riyami and Paterson in 2003
     • + Implicit certification
     • + Solved the inherent key escrow problem
     [Diagram labels: Key Generating Center (KGC), Partial Private Key, User's Private Key, User's Public Key, ID, Authentication, Communication, Alice, Bob]

  6. This Research
     • Show that the following schemes are insecure against universal forgery
       • The Qian and Cao IBPS scheme (ISPA 2005) – RSA-based
       • The Guo et al. IBPS scheme (IMSCCS 2006) – bilinear pairing
       • The Li et al. CLPS scheme (Lithuanian Mathematical Journal 2005) – bilinear pairing
     • Any user can act as a cheating proxy signer, to forge the proxy signature on behalf of the original signer, without obtaining the official delegation from the original signer.

  7. The Qian and Cao IBPS Scheme
     • Setup
       • Compute $n = pq$, where $p$, $q$: prime
       • Select $e$ at random where $\gcd(e, \varphi(n)) = 1$
       • Compute master-key $d$ where $ed = 1 \bmod \varphi(n)$
       • Choose $H_1: \{0,1\}^* \to \mathbb{Z}_{\varphi(n)}$ and $H_2: \{0,1\}^* \to \mathbb{Z}_n$
     • Extract
       • Compute $D_{ID} = Q_{ID}^{d}$ where $Q_{ID} = H_2(ID)$
     • Proxy Key Generation
       • Original Signer:
         • Make a warrant $m_w$ which records the delegation policy
         • Choose $r_A \in \mathbb{Z}_n$ and compute $R_A = r_A^{e} \bmod n$
         • Compute $S_A = D_A \cdot r_A^{h_1} \bmod n$ where $h_1 = H_1(R_A \| m_w)$
         • Send $\sigma_A = (R_A, S_A)$ and $m_w$ to the proxy signer B
       • Proxy Signer:
         • Check whether $S_A^{e} = Q_A \cdot R_A^{h_1} \bmod n$

  8. The Qian and Cao IBPS Scheme
     • Proxy Signature Generation
       • Choose $r_B \in \mathbb{Z}_n$ and compute $R_B = r_B^{e} \bmod n$
       • Compute $h = H_1(R_B \| m_w \| m)$
       • Compute $S_B = D_B \cdot (r_B \cdot S_A)^{h} \bmod n$
       • Proxy signature $\sigma = (R_A, R_B, S_B)$
     • Proxy Signature Verification
       • Check the warrant $m_w$
       • Compute $Q_A = H_2(ID_A)$ and $Q_B = H_2(ID_B)$
       • Check whether $S_B^{e} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h} \bmod n$

  9. Cryptanalysis on the Qian and Cao IBPS Scheme
     • A: Original signer; B: Cheating proxy signer
     • Proxy Signature Generation (performed by B)
       • Make a warrant $m_w$
       • Choose $r_A \in \mathbb{Z}_n$ and compute $R_A = r_A^{e} \bmod n$
       • Choose $r_B \in \mathbb{Z}_n$ and compute $R_B = r_B^{e} \cdot Q_A^{-1} \bmod n$
       • Compute $S_B = D_B \cdot (r_B \cdot r_A^{h_1})^{h} \bmod n$
     • Proxy Signature Verification
       • Check whether $S_B^{e} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h} \bmod n$
       • $S_B^{e} = D_B^{e} \cdot (r_B^{e} \cdot r_A^{e h_1})^{h} = Q_B \cdot (r_B^{e} \cdot R_A^{h_1})^{h} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h}$, where $r_B^{e} = R_B \cdot Q_A$
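The algebra of slides 7 to 9, checked numerically as an added example (not code from the presentation or from the scheme's authors). The primes, exponent, identities, warrant text, fixed nonces and the SHA-256 stand-ins for $H_1$ and $H_2$ are constructed assumptions; the result shows that the verification equation accepts a tuple built from $D_B$ alone, so it never binds the signature to $D_A$.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two Mersenne primes, far too small for real use.
p, q = 2**31 - 1, 2**61 - 1
n, phi, e = p * q, (p - 1) * (q - 1), 65537
assert gcd(e, phi) == 1
d = pow(e, -1, phi)                       # PKG master key, e*d = 1 mod phi(n)

def _h(tag, mod, *parts):                 # SHA-256 stand-in for H1/H2 (assumption)
    data = "|".join(str(x) for x in (tag, *parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

def H1(*parts): return _h("H1", phi, *parts)
def H2(ident): return _h("H2", n, ident)
def extract(ident): return pow(H2(ident), d, n)      # D_ID = Q_ID^d

def delegate(DA, mw, rA):                 # slide 7: original signer A
    RA = pow(rA, e, n)
    return RA, DA * pow(rA, H1(RA, mw), n) % n       # (R_A, S_A)

def proxy_sign(DB, mw, m, RA, SA, rB):    # slide 8: B uses the delegated S_A
    RB = pow(rB, e, n)
    return RA, RB, DB * pow(rB * SA, H1(RB, mw, m), n) % n

def sign_without_delegation(id_a, DB, mw, m, rA, rB):  # slide 9: only D_B is secret
    RA = pow(rA, e, n)
    RB = pow(rB, e, n) * pow(H2(id_a), -1, n) % n    # R_B = r_B^e * Q_A^{-1}
    h1, h = H1(RA, mw), H1(RB, mw, m)
    return RA, RB, DB * pow(rB * pow(rA, h1, n), h, n) % n

def verify(id_a, id_b, mw, m, sig):       # slide 8 verification equation
    RA, RB, SB = sig
    QA, QB = H2(id_a), H2(id_b)
    h1, h = H1(RA, mw), H1(RB, mw, m)
    return pow(SB, e, n) == QB * pow(RB * QA * pow(RA, h1, n), h, n) % n

def demo():
    mw, m = "constructed warrant: B may sign for A", "constructed message"
    DA, DB = extract("alice"), extract("bob")
    RA, SA = delegate(DA, mw, rA=123456789)
    honest = proxy_sign(DB, mw, m, RA, SA, rB=987654321)
    undelegated = sign_without_delegation("alice", DB, mw, m, rA=1122334455, rB=5544332211)
    return (verify("alice", "bob", mw, m, honest),        # delegated signature
            verify("alice", "bob", mw, m, undelegated),   # no S_A involved
            verify("alice", "bob", mw, "other message", undelegated))

if __name__ == "__main__":
    print(demo())
```

The first two results are both accepted by `verify`, which is the universal-forgery finding of slide 9; the third shows the equation still binds the message, just not the delegation.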

  10. The Guo et al. IBPS Scheme
     • Setup
       • Choose groups $G_1$, $G_2$ of prime order $q$
       • Choose a generator $P \in G_1$ and a bilinear map $e: G_1 \times G_1 \to G_2$
       • Choose $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$
       • Choose $s \in \mathbb{Z}_q^*$ as master key and set $P_{pub} = sP$ as public key
       • Publicize params $= (G_1, G_2, e, q, P, P_{pub}, H_1, H_2)$
     • Extract
       • Compute $D_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$

  11. The Guo et al. IBPS Scheme
     • Proxy Key Generation
       • Original Signer:
         • Make a warrant $m_w$ which records the delegation policy
         • Choose $x_A \in \mathbb{Z}_q^*$ and compute $X_A = x_A D_A$ and $X'_A = x_A Q_A$
         • Compute $T = e(X'_A, P_{pub}) = e(X_A, P)$
         • Compute $r = H_2(m_w \| T \| X'_A)$
         • Compute $S = (x_A - r) D_A$
         • Send $(X'_A, S, r)$ and $m_w$ to the proxy signer
       • Proxy Signer:
         • Compute $T' = e(S, P)\, e(rQ_A, P_{pub}) = e(X'_A, P_{pub})$
         • Check whether $r' = H_2(m_w \| T' \| X'_A) = r$
         • Proxy key $= (D_B, S)$

  12. The Guo et al. IBPS Scheme
     • Proxy Signature Generation
       • Choose $x_B \in \mathbb{Z}_q^*$ and compute $U = x_B Q_B$
       • Compute $h = H_2(m \| m_w \| U)$
       • Compute $V = S + (x_B + h) D_B$
       • Proxy signature $\sigma = (X'_A, U, V, m_w, m)$
     • Proxy Signature Verification
       • Check the warrant $m_w$
       • Compute $T'' = e(X'_A, P_{pub})$
       • Compute $r' = H_2(m_w \| T'' \| X'_A)$
       • Compute $h' = H_2(m \| m_w \| U)$
       • Check whether $e(P, V) = e(P_{pub}, X'_A - r'Q_A + U + h'Q_B)$

  13. Cryptanalysis on the Guo et al. IBPS Scheme
     • A: Original signer; B: Cheating proxy signer
     • Proxy Signature Generation (performed by B)
       • Make a warrant $m_w$
       • Choose $x_A \in \mathbb{Z}_q^*$ and compute $X'_A = x_A Q_A$
       • Compute $r' = H_2(m_w \| T \| X'_A)$ where $T = e(X'_A, P_{pub})$
       • Choose $x_B \in \mathbb{Z}_q^*$ and compute $U = x_B Q_B - X'_A + rQ_A$
       • Compute $h = H_2(m \| m_w \| U)$
       • Compute $V = (x_B + h) D_B$
       • Return $\sigma = (X'_A, U, V, m_w, m)$ as the proxy signature

  14. Cryptanalysis on the Guo et al. IBPS Scheme
     • Proxy Signature Verification
       • Compute $T'' = e(X'_A, P_{pub})$
       • Compute $r' = H_2(m_w \| T'' \| X'_A)$
       • Compute $h' = H_2(m \| m_w \| U)$
       • Check whether $e(P, V) = e(P_{pub}, X'_A - r'Q_A + U + h'Q_B)$

  15. Li et al. CLPS Scheme
     • Derived from the Cha and Cheon IBS scheme and the Hess IBS scheme
     • The only CLPS scheme
     • Setup
       • Choose groups $G_1$, $G_2$ of prime order $q$
       • Choose a generator $P \in G_1$ and a bilinear map $e: G_1 \times G_1 \to G_2$
       • Choose $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \times G_1 \to \mathbb{Z}_q^*$
       • Choose $s \in \mathbb{Z}_q^*$ as master key and set $P_{pub} = sP$ as public key
       • Publicize params $= (G_1, G_2, e, q, P, P_{pub}, H_1, H_2)$
     • Set-Partial-Private-Key
       • Compute $D_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$
     • Set-Secret-Value
       • Select a random $x_{ID} \in \mathbb{Z}_q^*$

  16. Li et al. CLPS Scheme
     • Set-Private-Key
       • $S_{ID} = x_{ID} D_{ID}$
     • Set-Public-Key
       • $X_{ID} = x_{ID} P$; $Y_{ID} = x_{ID} P_{pub}$
     • Proxy Key Generation
       • Original Signer:
         • Choose $r \in \mathbb{Z}_q^*$ and compute $U = rQ_A$
         • Compute $h_A = H_2(m_w \| U)$
         • Compute $V = (r + h_A) S_A$
         • Send $(U, V)$ and $m_w$ to the proxy signer
       • Proxy Signer:
         • Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
         • Compute $h_A = H_2(m_w \| U)$
         • Check whether $e(P, V) = e(Y_A, U + h_A Q_A)$
         • Proxy key $S_p = V + S_B$

  17. Li et al. CLPS Scheme
     • Proxy Signature Generation
       • Choose $a \in \mathbb{Z}_q^*$ and compute $R = e(P, P)^{a}$
       • Compute $h_B = H_2(m_w \| R)$
       • Compute $S = h_B S_p + aP$
       • Proxy signature $\sigma = (R, U, S, m_w, m)$
     • Proxy Signature Verification
       • Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
       • Check whether $e(X_B, P_{pub}) = e(Y_B, P)$
       • Compute $R' = e(P, S)\, e(Y_A, -h_B(U + h_A Q_A))\, e(Y_B, -h_B Q_B)$ where $h_A = H_2(m_w \| U)$ and $h_B = H_2(m_w \| R)$
       • Accept iff $h_B = H_2(m_w \| R')$

  18. Cryptanalysis on the Li et al. CLPS Scheme
     • Public key replacement attack (Type I adversary)
     • The adversary performs the following:
     • Proxy Signature Generation
       • Select $U, S \in G_1$ and compute $h_A = H_2(m_w \| U)$
       • Select a random $r \in \mathbb{Z}_q^*$
       • Compute $R = e(P, S)\, e(P_{pub}, -(U + h_A Q_A))\, e(rP_{pub}, -Q_B)$
       • Compute $h_B = H_2(m_w \| R)$
       • Set $x_A = h_A^{-1} \in \mathbb{Z}_q^*$ and $x_B = h_B^{-1} r \in \mathbb{Z}_q^*$
       • Compute $X'_A = x_A P$; $Y'_A = x_A P_{pub}$; $X'_B = x_B P$; $Y'_B = x_B P_{pub}$
       • Replace the user public key with $(X'_A, Y'_A, X'_B, Y'_B)$
       • Return the proxy signature $\sigma = (R, U, S, m_w, m)$

  19. Cryptanalysis on the Li et al. CLPS Scheme
     • Proxy Signature Generation
       • Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
       • Check whether $e(X_B, P_{pub}) = e(Y_B, P)$
       • Compute $R' = e(P, S)\, e(Y_A, -h_B(U + h_A Q_A))\, e(Y_B, -h_B Q_B)$ where $h_A = H_2(m_w \| U)$ and $h_B = H_2(m_w \| R)$
       • Accept iff $h_B = H_2(m_w \| R')$

  20. Conclusion
     • We have shown that the following schemes are insecure
       • The Qian and Cao IBPS scheme
       • The Guo et al. IBPS scheme
       • The Li et al. CLPS scheme
     • The security of proxy signature schemes derived from a provably secure IBS scheme is not guaranteed.
