
Information Sciences 179 (2009) 303–306

Contents lists available at ScienceDirect. Information Sciences, journal homepage: www.elsevier.com/locate/ins

Breaking the short certificateless signature scheme

Kyung-Ah Shim
Division of Industrial Mathematics, National Institute for Mathematical Science, 628 Daeduk-Boylevard, Yuseong-gu, Daejeon 305-340, Republic of Korea

Article info

Article history:
Received 11 July 2007
Received in revised form 23 November 2007
Accepted 20 August 2008

Keywords:
Public key infrastructure
Digital signature
Identity-based cryptography
Certificateless signature

0020-0255/$ - see front matter © 2008 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2008.08.024

E-mail address: [email protected]

Abstract

Certificateless cryptography eliminates the need for certificates in the Public Key Infrastructure and solves the inherent key escrow problem of identity-based cryptography. Recently, Huang et al. proposed two certificateless signature schemes from pairings. They claimed that their first short certificateless signature scheme is provably secure against a normal type I adversary and a super type II adversary. In this paper, we show that their short certificateless signature scheme is broken by a type I adversary who can replace users' public keys and has access to the signing oracle under the replaced public keys.

© 2008 Elsevier Inc. All rights reserved.

1. Introduction

In the traditional public key infrastructure (PKI), when Bob wishes to send a message to Alice, he must first obtain her authenticated public key from a public directory. The identity (ID)-based infrastructure makes deployment practical; it allows a user's public key to be derived easily from her known identity information, such as an email address or a cellular phone number [13]. Such cryptosystems alleviate the certificate overhead and solve the problems of PKI technology. The ID-based infrastructure involves users and a Private Key Generator (PKG or KGC) which is responsible for generating private keys for users (unlike conventional public key schemes, users do not generate their own private keys). This feature leads to the inherent key escrow problem of ID-based cryptography: the private key of a user is known to the PKG, so the PKG can decrypt any ciphertext and forge signatures on any message for any user. In 2003, Al-Riyami and Paterson [1] introduced certificateless public key cryptography (CL-PKC), which solves the key escrow problem of ID-based cryptosystems. In CL-PKC, a user's private key is a combination of a contribution from the PKG (called a partial private key) and a user-chosen secret, in such a way that the key escrow problem is solved. CL-PKC is not purely ID-based, since a signature is transmitted together with an additional user public key which does not need to be certified by any trusted authority. In order to encrypt a message or verify a signed message, one has to know both the user's identity and this additional public key.

Since Al-Riyami and Paterson's certificateless signature (CLS) scheme, several CLS schemes have been proposed [12,8,14]. They provided only informal analysis [12,14,8] and were subsequently found to be vulnerable to key replacement attacks by a type I adversary [16,6,2]. Later, provably secure CLS schemes [10,17,7] were proposed. There also exists a generic construction that converts existing signature schemes in different infrastructures into CLS schemes. In [15], Yum and Lee proposed a generic construction for CLS schemes by combining any standard signature (SS) scheme with any ID-based signature (IBS) scheme. Subsequently, Hu et al. [9] showed that Yum–Lee's construction is insecure against key replacement attacks and then proposed an improved version by modifying the inputs of the signing algorithm. In particular, Hu et al. [9] established a simplified definition and formal security model for CLS schemes which are shown to be more versatile than the previous ones [10,16]. Recently, Au et al. [2] suggested a malicious-but-passive-KGC attack, in which the KGC may not generate the master public/secret key pair honestly in order to mount the attack, and modified Hu et al.'s model to capture this attack. They also showed that Al-Riyami and Paterson's scheme and its variants [1,10,12] are insecure against malicious-but-passive-KGC attacks, while the security of the CLS scheme obtained from the modified Yum–Lee construction is preserved in their new model. Recently, Huang et al. [11] revisited the security models of CLS schemes and proposed two concrete certificateless signature schemes. They divided the adversaries against certificateless signatures into three kinds according to their attack power: normal adversary, strong adversary and super adversary (ordered by their attack power). Combined with the known type I adversary and type II adversary, a normal type I adversary, a strong type I adversary, and so on, can be obtained. They claimed that their first scheme is a short CLS scheme provably secure against a normal type I adversary and a super type II adversary. In this paper, we show that their short CLS scheme is broken by a type I adversary who can replace users' public keys and has access to the signing oracle under the replaced public keys. That is, the type I adversary can recover a user's partial private key by replacing the user's public key with a new public key of its choice.

The rest of the paper is organized as follows. In Section 2, we review Huang et al.'s short certificateless signature scheme. In Section 3, we show that it is universally forgeable by a type I adversary other than a normal type I adversary. Concluding remarks are given in Section 4.

2. Review of Huang et al.’s short CLS scheme

In this section, we review Huang et al.'s short CLS scheme based on pairings. We first describe admissible pairings. Let $G_1$ and $G_T$ be two cyclic groups of a large prime order $p$. We write $G_1$ additively and $G_T$ multiplicatively. We assume that the discrete logarithm problems in both $G_1$ and $G_T$ are hard.

Admissible pairing: We call $e$ an admissible pairing if $e : G_1 \times G_1 \to G_T$ is a map with the following properties:

1. Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and for all $a, b \in \mathbb{Z}$.
2. Non-degeneracy: there exists $P \in G_1$ such that $e(P, P) \neq 1$.
3. Computability: there is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

The Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified to create such admissible pairings, as in [3].

Huang et al.'s CLS scheme. Huang et al.'s CLS scheme [11] consists of the following six algorithms:

[Setup.] Given a security parameter $k \in \mathbb{Z}$, the algorithm works as follows:

1. Run the parameter generator $\mathcal{G}$ on input $k$ to generate a prime $p$, two groups $G_1, G_T$ of order $p$, a generator $P$ of $G_1$ and an admissible pairing $e : G_1 \times G_1 \to G_T$.
2. Pick a random $s \in \mathbb{Z}_p^*$ and set $P_{pub} = sP$.
3. Choose cryptographic hash functions $H_0, H_1 : \{0,1\}^* \to G_1$. The system parameters are

$\mathrm{Params} = \langle p, G_1, G_T, e, P, P_{pub}, H_0, H_1 \rangle$.

[Partial-private-key-extract.] Given a user's identity $ID$, the KGC first computes $Q_{ID} = H_0(ID)$. It then sets this user's partial private key $D_{ID} = sQ_{ID}$ and transmits it to the user via a secure channel.

[Set-secret-value.] The user with identity $ID$ chooses a random number $x_{ID} \in \mathbb{Z}_p^*$ and sets $x_{ID}$ as its secret value.

[Set-public-key.] Given the secret value $x_{ID}$, the user with identity $ID$ computes its public key $PK_{ID} = x_{ID}P$.

[Sign.] For a message $m$, the user with identity $ID$ computes

$$\sigma = D_{ID} + x_{ID} \cdot H_1(m \| ID \| PK_{ID}) \in G_1.$$

[Verify.] Given a signature $\sigma$ on a message $m$ and the public key $PK_{ID}$ of user $ID$, check whether

$$e(\sigma, P) = e(Q_{ID}, P_{pub}) \cdot e(PK_{ID}, H_1(m \| ID \| PK_{ID}))$$

holds. Output true if it holds; otherwise, output false.
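Correctness of the Verify equation, worked out here as an added derivation that is not in the original paper, follows from applying bilinearity to each of the two summands of $\sigma$ separately (symbols as in the scheme above; the third equality also uses the symmetry $e(A, B) = e(B, A)$ of the pairing $e : G_1 \times G_1 \to G_T$, on which the Verify equation itself already relies):

$$
\begin{aligned}
e(\sigma, P) &= e\big(D_{ID} + x_{ID} H_1(m \| ID \| PK_{ID}),\, P\big) \\
&= e(sQ_{ID}, P) \cdot e\big(x_{ID} H_1(m \| ID \| PK_{ID}),\, P\big) \\
&= e(Q_{ID}, sP) \cdot e\big(x_{ID} P,\, H_1(m \| ID \| PK_{ID})\big) \\
&= e(Q_{ID}, P_{pub}) \cdot e\big(PK_{ID},\, H_1(m \| ID \| PK_{ID})\big).
\end{aligned}
$$

The two factors on the right are exactly the verification equations of two separate BLS signatures, $sQ_{ID}$ under $P_{pub}$ and $x_{ID} H_1(m \| ID \| PK_{ID})$ under $PK_{ID}$; the verifier never needs the sum as a whole, which is what makes the aggregation structure visible to anyone who knows one of the two summands.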

3. Cryptanalysis of Huang et al.’s CLS scheme

In CLS schemes, there are two types of adversaries: a type I adversary represents a malicious third party who can replace a user's public key, and a type II adversary is a malicious KGC who knows the master secret but cannot replace user public keys. The type I adversary exists because user public keys are uncertified, and the type II adversary is considered in order to solve the key escrow problem, i.e., disclosure of the KGC's master secret does not compromise the secret of each user. Recently, Huang et al. defined different signing oracles (normal sign, strong sign and super sign) for different adversaries and divided the adversaries according to their attack power into normal adversary, strong adversary and super adversary (ordered by their attack power). Combined with the known type I adversary and type II adversary, a normal type I adversary, a strong type I adversary, and so on, can be obtained. They claimed that their first short CLS scheme is provably secure against a normal type I adversary and a super type II adversary. In fact, security against a super type I (II) adversary guarantees security against normal and strong type I (II) adversaries, but security against a normal type I (II) adversary does not guarantee security against strong and super type I (II) adversaries. Nevertheless, they did not analyze the security of the short CLS scheme against the other type I adversaries (strong and super), who can replace users' public keys and access the signing oracle under the replaced public keys. Now, we show that Huang et al.'s short CLS scheme is universally forgeable by the type I adversary, i.e., the adversary can forge the user's certificateless signatures on any message at any time. Let $A_I$ be a type I adversary.

• First, $A_I$ chooses a random number $x'_{ID} \in \mathbb{Z}_p^*$ and replaces the user's public key $PK_{ID}$ with $PK'_{ID} = x'_{ID}P$.

• Next, $A_I$ submits a CL-Sign query on a message $m$. This is possible because, in the security model defined in [11], the type I adversary can access the signing oracle and replace user public keys with new public keys of its choice. The signing oracle then returns a valid signature $\sigma'$ on the message $m$ with respect to the public key $PK'_{ID} = x'_{ID}P$, that is,

$$\sigma' = D_{ID} + x'_{ID} H_1(m \| ID \| PK'_{ID}),$$

where $D_{ID} = sH_0(ID)$.

• Finally, $A_I$, who knows the secret value $x'_{ID}$ corresponding to $PK'_{ID}$, can extract the partial private key $D_{ID}$ from $\sigma'$ by computing

$$D_{ID} = \sigma' - x'_{ID} H_1(m \| ID \| PK'_{ID}).$$

Therefore, the adversary can generate the user’s certificateless signatures on any message with respect to any public keys.
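The scheme of Section 2 and the three-step key recovery above, as an added example that is not code from the paper or from Huang et al.: a toy model in which $G_1$ is $\mathbb{Z}_p$ under addition (so the point $aP$ is the integer $a$ and $P = 1$), $G_T$ is the subgroup of order $p$ in $\mathbb{Z}_r^*$, and $e(aP, bP) = g^{ab}$. This map is bilinear, so Sign, Verify and the recovery of $D_{ID}$ behave exactly as the equations say, but discrete logarithms in it are trivial, so it illustrates the algebra of the scheme and of the attack, not the hardness assumptions. The parameters $p = 101$ and $r = 607$, the SHA-256-based $H_0, H_1$, and the interface of the signing oracle (it signs under the currently registered public key, given the matching secret value) are assumptions of the example.

```python
"""Toy model of Huang et al.'s short CLS scheme and of the type I key recovery.

Added example, not the paper's code. G1 is modelled as Z_p under addition (the
point aP is the integer a mod p, so P = 1), GT as the subgroup of order p in
Z_r^*, and the pairing as e(aP, bP) = g^(ab). The map is bilinear, so Sign,
Verify and the recovery of D_ID behave as the equations say, but discrete
logarithms here are trivial: the model shows the algebra, not the security.
"""
import hashlib
import secrets

P_ORDER = 101                                  # p: order of G1 and GT (constructed toy value)
R_MOD = 607                                    # r = 6p + 1 is prime, so Z_r^* has a subgroup of order p
G_T = pow(2, (R_MOD - 1) // P_ORDER, R_MOD)    # generator of that subgroup (2^6 = 64, order 101)
P = 1                                          # generator of G1 in this representation


def pairing(a: int, b: int) -> int:
    """e(aP, bP) = g^(ab); bilinearity holds by construction."""
    return pow(G_T, (a * b) % P_ORDER, R_MOD)


def hash_to_g1(tag: bytes, data: bytes) -> int:
    """H0, H1 : {0,1}* -> G1, modelled as SHA-256 reduced into 1..p-1 (assumption)."""
    digest = hashlib.sha256(tag + data).digest()
    return int.from_bytes(digest, "big") % (P_ORDER - 1) + 1


def H0(identity: bytes) -> int:
    return hash_to_g1(b"H0|", identity)


def H1(m: bytes, identity: bytes, pk: int) -> int:
    return hash_to_g1(b"H1|", m + b"||" + identity + b"||" + pk.to_bytes(2, "big"))


def random_zp_star() -> int:
    return secrets.randbelow(P_ORDER - 1) + 1


class KGC:
    """Setup and Partial-private-key-extract."""

    def __init__(self):
        self.s = random_zp_star()                    # master secret s
        self.p_pub = (self.s * P) % P_ORDER          # P_pub = sP

    def partial_private_key(self, identity: bytes) -> int:
        return (self.s * H0(identity)) % P_ORDER     # D_ID = s * Q_ID


def set_public_key(x_id: int) -> int:
    return (x_id * P) % P_ORDER                      # PK_ID = x_ID * P


def sign(d_id: int, x_id: int, identity: bytes, pk_id: int, m: bytes) -> int:
    """sigma = D_ID + x_ID * H1(m || ID || PK_ID): a sum of two BLS signatures."""
    return (d_id + x_id * H1(m, identity, pk_id)) % P_ORDER


def verify(p_pub: int, identity: bytes, pk_id: int, m: bytes, sigma: int) -> bool:
    """e(sigma, P) == e(Q_ID, P_pub) * e(PK_ID, H1(m || ID || PK_ID))."""
    lhs = pairing(sigma, P)
    rhs = pairing(H0(identity), p_pub) * pairing(pk_id, H1(m, identity, pk_id)) % R_MOD
    return lhs == rhs


def make_sign_oracle(kgc: KGC, identity: bytes):
    """CL-Sign oracle for user ID: signs with the real D_ID under whatever public
    key the caller has registered (assumed interface: the caller supplies the
    matching secret value, which it knows after replacing the key)."""
    d_id = kgc.partial_private_key(identity)
    return lambda m, pk_id, x_id: sign(d_id, x_id, identity, pk_id, m)


def recover_partial_key(oracle, identity: bytes, m: bytes) -> int:
    """The three steps of Section 3: replace PK_ID, query, strip the known summand."""
    x_new = random_zp_star()                         # x'_ID chosen by A_I
    pk_new = set_public_key(x_new)                   # PK'_ID = x'_ID P
    sigma_new = oracle(m, pk_new, x_new)             # sigma' = D_ID + x'_ID H1(...)
    return (sigma_new - x_new * H1(m, identity, pk_new)) % P_ORDER   # D_ID


def run_attack(identity: bytes = b"alice@example.com") -> dict:
    """Honest sign/verify, then A_I recovers D_ID and signs under a key of its choice."""
    kgc = KGC()
    x_id = random_zp_star()
    pk_id = set_public_key(x_id)
    d_id = kgc.partial_private_key(identity)
    honest = sign(d_id, x_id, identity, pk_id, b"genuine message")

    oracle = make_sign_oracle(kgc, identity)
    recovered = recover_partial_key(oracle, identity, b"any message")

    x_forge = random_zp_star()                       # fresh key chosen by A_I for a new message
    pk_forge = set_public_key(x_forge)
    forged = sign(recovered, x_forge, identity, pk_forge, b"forged message")
    return {
        "honest_verifies": verify(kgc.p_pub, identity, pk_id, b"genuine message", honest),
        "tampered_rejected": not verify(kgc.p_pub, identity, pk_id, b"genuine message", (honest + 1) % P_ORDER),
        "partial_key_recovered": recovered == d_id,
        "forgery_verifies": verify(kgc.p_pub, identity, pk_forge, b"forged message", forged),
    }


if __name__ == "__main__":
    print(run_attack())
```

Every entry of `run_attack()` is `True`: the honest signature verifies, a tampered one is rejected, the value recovered from a single oracle answer equals the KGC's $D_{ID}$, and a signature on a different message under a different public key then verifies with the genuine $P_{pub}$. The only property of the scheme the recovery step uses is that the user's summand $x'_{ID} H_1(\cdot)$ is a deterministic function of values the adversary knows, which is the structural point made in the next paragraph.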

The weakness of the scheme against the type I adversary is due to the fact that the adapted standard signature scheme is deterministic. In fact, the resulting signature of Huang et al.'s scheme is an aggregation of two BLS short signatures [5]: one is the signature on the identity under the KGC's master secret and the other is the signature on the message under the user's secret key. Consequently, it uses the aggregate signature technique proposed in [4]. In the case that the certificateless signature is a certain group operation (e.g., sum or multiplication) of two deterministic standard signatures, the type I adversary, who is able to replace the user's public key, can retrieve the partial private key of the user by removing the signature part involving the user's secret key from the certificateless signature via the inverse operation, because both the signature part involving the user's secret key on the same message and the partial private key of the user are unique. Therefore, for a secure integration of existing signature schemes when constructing CLS schemes, if the partial private key of a user is obtained from a deterministic standard signature scheme, then the signature part involving the user's secret key that is added to the resulting certificateless signature must be randomized. Of course, the BLS short signature scheme [5] and the BGLS aggregate signature scheme [4] are proven secure, as signature schemes in the Public Key Infrastructure, in the formal security models defined in [5,4]. But our result shows that the security of a signature scheme in one infrastructure does not guarantee the security of the scheme in a different infrastructure.

4. Conclusion

Recently, Huang et al. proposed a short CLS scheme whose resulting signature is an aggregation of two BLS short signatures [5]. We showed that the certificateless signature scheme is universally forgeable by type I adversaries who can replace users' public keys and obtain signatures under the replaced public keys. This result shows that the security of a signature scheme in one infrastructure does not guarantee the security of the scheme in a different infrastructure.

References

[1] S.S. Al-Riyami, K.G. Paterson, Certificateless public key cryptography, in: Advances in Cryptography-Asiacrypt'03, LNCS, vol. 2894, Springer-Verlag, 2003, pp. 452–473.

[2] M.H. Au, J. Chen, J.K. Liu, Y. Mu, D.S. Wong, G. Yang, Malicious KGC attacks in certificateless cryptography, in: ASIACCS'07, ACM, 2007, pp. 302–311, or available at Cryptology ePrint Archive: Report 2006/255.

[3] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Advances in Cryptology: Crypto'01, LNCS, vol. 2139, Springer-Verlag, 2001, pp. 213–229.

[4] D. Boneh, C. Gentry, B. Lynn, H. Shacham, Aggregate and verifiably encrypted signatures from bilinear maps, in: Advances in Cryptology-Eurocrypt'03, LNCS, vol. 2656, Springer-Verlag, 2003, pp. 416–432.

[5] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in: Advances in Cryptology-Asiacrypt'01, LNCS, vol. 2248, Springer-Verlag, 2002, pp. 514–532.

[6] X. Cao, K.G. Paterson, W. Kou, An attack on a certificateless signature scheme, Cryptology ePrint Archive: Report 2006/367.

[7] K.Y. Choi, J.H. Park, J.Y. Hwang, D.H. Lee, Efficient certificateless signature schemes, in: ACNS'07, LNCS, vol. 4521, Springer-Verlag, 2007, pp. 443–458.

[8] M.C. Gorantla, A. Saxena, An efficient certificateless signature scheme, in: CIS'05, LNAI, vol. 3802, Springer-Verlag, 2005, pp. 110–116.

[9] B.C. Hu, D.S. Wong, Z. Zhang, X. Deng, Key replacement attack against a generic construction of certificateless signature, in: ACISP'06, LNCS, vol. 4058, Springer-Verlag, 2006, pp. 235–246.

[10] X. Huang, W. Susilo, Y. Mu, F. Zhang, On the security of certificateless signature schemes from Asiacrypt 2003, in: CANS'05, LNCS, vol. 3810, Springer-Verlag, 2005, pp. 13–25.

[11] X. Huang, Y. Mu, W. Susilo, D.S. Wong, W. Wu, Certificateless signature revisited, in: ACISP'07, LNCS, vol. 4586, Springer-Verlag, 2007, pp. 308–322.

[12] X. Li, K. Chen, L. Sun, Certificateless signature and proxy signature schemes from bilinear pairings, Lithuanian Mathematical Journal 45 (1) (2005) 76–83.

[13] A. Shamir, Identity-based cryptosystems and signature schemes, in: Advances in Cryptography-Crypto'84, LNCS, vol. 196, Springer-Verlag, 1984, pp. 47–53.

[14] W.S. Yap, S.H. Heng, B.M. Goi, An efficient certificateless signature scheme, Emerging Directions in Embedded and Ubiquitous Computing, in: EUC Workshops 2006, LNCS, vol. 4097, Springer-Verlag, 2006, pp. 322–331.

[15] D.H. Yum, P.J. Lee, Generic construction of certificateless signature, in: ACISP'04, LNCS, vol. 3108, Springer-Verlag, 2004, pp. 200–211.

[16] Z. Zhang, D. Feng, Key replacement attack on a certificateless signature scheme, Cryptology ePrint Archive: Report 2006/453.

[17] Z. Zhang, D. Wong, J. Xu, D. Feng, Certificateless public-key signature: security model and efficient construction, in: ACNS'06, LNCS, vol. 3989, Springer-Verlag, 2006, pp. 293–308.