200 likes | 361 Views
Cryptanalysis of Some Proxy Signature Schemes without Certificates. Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University. Proxy Signature. Introduced by Mambo et al. in 1996. Allow a designated signer (proxy signer) to sign the message on behalf of an original signer
E N D
Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University
Proxy Signature • Introduced by Mambo et al. in 1996. • Allow a designated signer (proxy signer) to sign the message on behalf of an original signer • Involve three entities: • Original Signer • Proxy Signer • Verifier • Convince the verifier that the signature is signed by the proxy signer who obtains the delegation right from the original signer • Applications: e-cash system, global distribution network, grid computing, mobile agent applications, etc.
Certificate Authority (CA) Traditional PKC • Introduced by Diffie and Hellman in 1976 • Required certificate Certificate Public Key Authentication Private Key Communication Alice Bob
ID-Based PKC • Introduced by Shamir in 1984 • + Implicit certification • - Inherent key escrow problem Private Key Generator (PKG) Private Key Authentication Identity (ID) Communication Alice Bob
Certificateless PKC • Introduced by Al-Riyami and Paterson in 2003 • + Implicit certification • + Solved the inherent key escrow problem Key Generating Center (KGC) Partial Private Key Authentication User’s Private Key User’s Public Key Communication ID Alice Bob
This Research • Show that the following schemes are insecure against universal forgery • The Qian and Cao IBPS scheme (ISPA 2005) – RSA-based • The Guo et al. IBPS scheme (IMSCCS 2006) – bilinear pairing • The Li et al. CLPS scheme (Lithuanian Mathematical Journal 2005) – bilinear pairing • Any user can act as a cheating proxy signer, to forge the proxy signature on behalf of the original signer, without obtaining the official delegation from the original signer.
The Qian and Cao IBPS Scheme • Setup Compute n = pq, where p, q: prime Select e at random where gcd (e,φ(n)) = 1 Compute master-key d where ed = 1 mod φ(n) Choose H1: {0, 1}* → Zφ(n) and H2: {0, 1}* → Zn • Extract Compute DID = QIDd where QID = H2(ID) • Proxy Key Generation Original Signer: Make a warrant mw which records the delegation policy Choose rA∊ Zn and compute RA = rAe mod n Compute SA = DA . rAh1 mod n where h1 = H1(RA||mw) Send σA = (RA,SA) and mw to the proxy signer B Proxy Signer: Check whether SAe = QA . RAh1 mod n
The Qian and Cao IBPS Scheme • Proxy Signature Generation Choose rB∊ Zn and compute RB = rBe mod n Compute h = H1(RB||mw||m) Compute SB = DB . (rB . SA)h mod n Proxy signature σ = (RA, RB, SB) • Proxy Signature Verification Check the warrant mw Compute QA = H2(IDA) and QB = H2(IDB) Check whether SBe = QB . (RB . QA . RAh1)h mod n
Cryptanalysis on the Qian and Cao IBPS Scheme • A: Original signer; B: Cheating proxy signer • Proxy Signature Generation (perform by B) Make a warrant mw Choose rA∊ Zn and compute RA = rAe mod n Choose rB∊ Zn and compute RB = rBe . QA-1 mod n Compute SB = DB . (rB . rAh1)h mod n • Proxy Signature Verification Check whether SBe = QB . (RB . QA . RAh1)h mod n SBe = DBe . (rBe . rAeh1)h = QB . (rBe . RAh1)h = QB . (RB . QA .RAh1)h where rBe = RB . QA
The Guo et al. IBPS Scheme • Setup Choose groups G1, G2 of prime order q Choose a generator P ∈ G1 and a bilinear map e : G1G1G2 Choose H1: {0, 1}* → G1 and H2: {0, 1}* → Zq* Choose s ∈ Zq* as master key and set Ppub = sP as public key Publicize params = (G1, G2, e, q, P, Ppub, H1, H2) • Extract Compute DID = sQID where QID = H1(ID)
The Guo et al. IBPS Scheme • Proxy Key Generation Original Signer: Make a warrant mw which records the delegation policy Choose xA∊ Zq*and compute XA = xADAand X’A = xAQA Compute T = e(X’A,Ppub)= e(XA,P) Compute r = H2(mw||T|| X’A) Compute S = (xA - r)DA Send (X’A, S, r) and mw to the proxy signer Proxy Signer: Compute T’ = e(S,P) e(rQA,Ppub) = e(X’A,Ppub) Check whether r’ = H2(mw||T’|| X’A) = r Proxy key = (DB, S)
The Guo et al. IBPS Scheme • Proxy Signature Generation Choose xB∊ Zq*and compute U = xBQB Compute h = H2(m||mw||U) Compute V = S + (xB + h)DB Proxy signature σ = (X’A, U, V, mw,m) • Proxy Signature Verification Check the warrant mw Compute T’’ = e(X’A,Ppub) Compute r’ = H2(mw||T’’|| X’A) Compute h’ = H2(m||mw||U) Check whether e(P,V) = e(Ppub, X’A – r’QA + U + h’QB)
Cryptanalysis on the Guo et al. IBPS Scheme • A: Original signer; B: Cheating proxy signer • Proxy Signature Generation (perform by B) Make a warrant mw Choose xA∊ Zq*and compute X’A = xAQA Compute r’ = H2(mw||T|| X’A) where T = e(X’A,Ppub) Choose xB∊ Zq*and compute U = xBQB - X’A + rQA Compute h = H2(m||mw||U) Compute V = (xB + h)DB Return σ = (X’A, U, V, mw,m) as the proxy signature
Cryptanalysis on the Guo et al. IBPS Scheme • Proxy Signature Verification Compute T’’ = e(X’A,Ppub) Compute r’ = H2(mw||T’’|| X’A) Compute h’ = H2(m||mw||U) Check whether e(P,V) = e(Ppub, X’A – r’QA + U + h’QB)
Li et al. CLPS Scheme • Derived from the Cha and Cheon IBS scheme and the Hess IBS scheme • The only CLPS scheme • Setup Choose groups G1, G2 of prime order q Choose a generator P ∈ G1 and a bilinear map e : G1G1G2 Choose H1: {0, 1}* → G1 and H2: {0, 1}* x G1 → Zq* Choose s ∈ Zq* as master key and set Ppub = sP as public key Publicize params = (G1, G2, e, q, P, Ppub, H1, H2) • Set-Partial-Private-Key Compute DID = sQID where QID = H1(ID) • Set-Secret-Value Select a random xID∈ Zq*
Li et al. CLPS Scheme • Set-Private-Key SID = xIDDID • Set-Public-Key XID = xIDP; YID = xIDPpub • Proxy Key Generation Original Signer: Chooser∊ Zq*and compute U = rQA Compute hA = H2(mw||U) Compute V = (r + hA)SA Send (U, V) and mw to the proxy signer Proxy Signer: Check whether e(XA,Ppub) = e(YA,P) Compute hA = H2(mw||U) Check whether e(P,V) = e(YA, U + hAQA) Proxy key Sp = V + SB
Li et al. CLPS Scheme • Proxy Signature Generation Choose a∊ Zq* and compute R = e(P,P)a Compute hB = H2(mw||R) Compute S = hBSp + aP Proxy signature σ = (R, U, S,mw,m) • Proxy Signature Verification Check whether e(XA,Ppub) = e(YA,P) Check whether e(XB,Ppub) = e(YB,P) Compute R’ = e(P,S) e(YA, -hB(U + hAQA)) e(YB, -hBQB) where hA = H2(mw||U) and hB = H2(mw||R) Accept iff hB = H2(mw||R’)
Cryptanalysis on the Li et al. CLPS Scheme • Public key replacement attack(Type I adversary) • The adversary performs the following: • Proxy Signature Generation Select U, S ∈ G1 and compute hA = H2(mw||U) Select a random r∊ Zq* Compute R = e(P,S) e(Ppub, -(U + hAQA)) e(rPpub, -QB) Compute hB = H2(mw||R) Set xA = hA -1 ∊ Zq*and xB = hB -1r∊ Zq* Compute X’A = xAP; Y’A = xAPpub; X’B = xBP; Y’B = xBPpub Replace the user public key with (X’A ,Y’A , X’B ,Y’B) Return the proxy signature σ = (R, U, S,mw,m)
Cryptanalysis on the Li et al. CLPS Scheme • Proxy Signature Generation Check whether e(XA,Ppub) = e(YA,P) Check whether e(XB,Ppub) = e(YB,P) Compute R’ = e(P,S) e(YA, -hB(U + hAQA)) e(YB, -hBQB) where hA = H2(mw||U) and hB = H2(mw||R) Accept iff hB = H2(mw||R’)
Conclusion • We have shown that following schemes are insecure • The Qian and Cao IBPS scheme • The Guo et al. IBPS scheme • The Li et al. CLPS scheme • The security of the proxy signature schemes deriving from the provable secure IBS scheme is not guaranteed.