Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University



Proxy Signature
- Introduced by Mambo et al. in 1996.
- Allows a designated signer (the proxy signer) to sign a message on behalf of an original signer.
- Involves three entities: original signer, proxy signer, verifier.
- Convinces the verifier that the signature was produced by the proxy signer, who obtained the delegation right from the original signer.
- Applications: e-cash systems, global distribution networks, grid computing, mobile agent applications, etc.


Traditional PKC
- Introduced by Diffie and Hellman in 1976
- Requires a certificate

[Diagram: Certificate Authority (CA), Alice and Bob; labels: Certificate, Public Key, Private Key, Communication, Authentication]


ID-Based PKC
- Introduced by Shamir in 1984
- (+) Implicit certification
- (-) Inherent key escrow problem

[Diagram: Private Key Generator (PKG), Alice and Bob; labels: Identity (ID), Private Key, Communication, Authentication]


Certificateless PKC
- Introduced by Al-Riyami and Paterson in 2003
- (+) Implicit certification
- (+) Solved the inherent key escrow problem

[Diagram: Key Generating Center (KGC), Alice and Bob; labels: ID, Partial Private Key, User's Public Key, User's Private Key, Communication, Authentication]


This Research
- Shows that the following schemes are insecure against universal forgery:
  - The Qian and Cao IBPS scheme (ISPA 2005): RSA-based
  - The Guo et al. IBPS scheme (IMSCCS 2006): bilinear pairing
  - The Li et al. CLPS scheme (Lithuanian Mathematical Journal 2005): bilinear pairing
- Any user can act as a cheating proxy signer and forge a proxy signature on behalf of the original signer, without obtaining the official delegation from the original signer.


The Qian and Cao IBPS Scheme
- Setup
  - Compute $n = pq$, where $p, q$ are primes
  - Select $e$ at random where $\gcd(e, \varphi(n)) = 1$
  - Compute the master key $d$ where $ed = 1 \bmod \varphi(n)$
  - Choose $H_1: \{0,1\}^* \to \mathbb{Z}_{\varphi(n)}$ and $H_2: \{0,1\}^* \to \mathbb{Z}_n$
- Extract
  - Compute $D_{ID} = Q_{ID}^{d}$ where $Q_{ID} = H_2(ID)$
- Proxy Key Generation
  - Original signer:
    - Make a warrant $m_w$ which records the delegation policy
    - Choose $r_A \in \mathbb{Z}_n$ and compute $R_A = r_A^{e} \bmod n$
    - Compute $S_A = D_A \cdot r_A^{h_1} \bmod n$ where $h_1 = H_1(R_A \| m_w)$
    - Send $\sigma_A = (R_A, S_A)$ and $m_w$ to the proxy signer B
  - Proxy signer:
    - Check whether $S_A^{e} = Q_A \cdot R_A^{h_1} \bmod n$


The Qian and Cao IBPS Scheme
- Proxy Signature Generation
  - Choose $r_B \in \mathbb{Z}_n$ and compute $R_B = r_B^{e} \bmod n$
  - Compute $h = H_1(R_B \| m_w \| m)$
  - Compute $S_B = D_B \cdot (r_B \cdot S_A)^{h} \bmod n$
  - Proxy signature $\sigma = (R_A, R_B, S_B)$
- Proxy Signature Verification
  - Check the warrant $m_w$
  - Compute $Q_A = H_2(ID_A)$ and $Q_B = H_2(ID_B)$
  - Check whether $S_B^{e} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h} \bmod n$


Cryptanalysis on the Qian and Cao IBPS Scheme
- A: original signer; B: cheating proxy signer
- Proxy Signature Generation (performed by B)
  - Make a warrant $m_w$
  - Choose $r_A \in \mathbb{Z}_n$ and compute $R_A = r_A^{e} \bmod n$
  - Choose $r_B \in \mathbb{Z}_n$ and compute $R_B = r_B^{e} \cdot Q_A^{-1} \bmod n$
  - Compute $S_B = D_B \cdot (r_B \cdot r_A^{h_1})^{h} \bmod n$
- Proxy Signature Verification
  - Check whether $S_B^{e} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h} \bmod n$
  - $S_B^{e} = D_B^{e} \cdot (r_B^{e} \cdot r_A^{e h_1})^{h} = Q_B \cdot (r_B^{e} \cdot R_A^{h_1})^{h} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h}$, where $r_B^{e} = R_B \cdot Q_A$
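The algebra above can be checked numerically against the scheme's own verification equation. The Python below is an added example, not code from the slides or from the scheme's authors; the toy modulus, the SHA-256-based `H1`/`H2`, the `|` encoding of concatenation, the identities and all function names are assumptions.

```python
import hashlib, secrets

# Toy parameters constructed for this example (two Mersenne primes); not a secure modulus.
p, q = 2**61 - 1, 2**89 - 1
n, e = p * q, 65537
d = pow(e, -1, (p - 1) * (q - 1))          # PKG master key, e*d = 1 mod phi(n)

def _h(tag, *parts):
    data = b"|".join(str(x).encode() if isinstance(x, int) else x for x in parts)
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big")

def H1(*parts): return _h(b"H1", *parts) >> 128   # assumption: 128-bit value, inside Z_phi(n)
def H2(ident): return _h(b"H2", ident) % n        # Q_ID in Z_n
def rand(): return secrets.randbelow(n - 2) + 2

def extract(ident):                         # run by the PKG: D_ID = Q_ID^d mod n
    return pow(H2(ident), d, n)

def delegate(D_A, mw):                      # original signer A: sigma_A = (R_A, S_A)
    r_A = rand()
    R_A = pow(r_A, e, n)
    return R_A, D_A * pow(r_A, H1(R_A, mw), n) % n

def proxy_sign(D_B, sigma_A, mw, m):        # proxy signer B holding A's delegation
    (R_A, S_A), r_B = sigma_A, rand()
    R_B = pow(r_B, e, n)
    return R_A, R_B, D_B * pow(r_B * S_A, H1(R_B, mw, m), n) % n

def verify(id_A, id_B, mw, m, sig):         # S_B^e == Q_B * (R_B * Q_A * R_A^h1)^h mod n
    R_A, R_B, S_B = sig
    h1, h = H1(R_A, mw), H1(R_B, mw, m)
    return pow(S_B, e, n) == H2(id_B) * pow(R_B * H2(id_A) * pow(R_A, h1, n), h, n) % n

def forge(id_A, D_B, mw, m):                # B alone: takes neither D_A nor sigma_A
    r_A, r_B = rand(), rand()
    R_A = pow(r_A, e, n)
    R_B = pow(r_B, e, n) * pow(H2(id_A), -1, n) % n     # R_B = r_B^e * Q_A^-1
    h1, h = H1(R_A, mw), H1(R_B, mw, m)
    return R_A, R_B, D_B * pow(r_B * pow(r_A, h1, n), h, n) % n

if __name__ == "__main__":
    D_B = extract(b"bob@example.test")      # constructed identities
    sig = forge(b"alice@example.test", D_B, b"warrant never issued by alice", b"pay 100")
    print("forged proxy signature accepted:",
          verify(b"alice@example.test", b"bob@example.test",
                 b"warrant never issued by alice", b"pay 100", sig))
```

The verification equation contains nothing that only A could have produced: $Q_A$ enters it multiplied by $R_B$, a value the signer chooses freely, so $Q_A$ cancels.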


The Guo et al. IBPS Scheme
- Setup
  - Choose groups $G_1, G_2$ of prime order $q$
  - Choose a generator $P \in G_1$ and a bilinear map $e: G_1 \times G_1 \to G_2$
  - Choose $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$
  - Choose $s \in \mathbb{Z}_q^*$ as master key and set $P_{pub} = sP$ as public key
  - Publicize params $= (G_1, G_2, e, q, P, P_{pub}, H_1, H_2)$
- Extract
  - Compute $D_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$


The Guo et al. IBPS Scheme
- Proxy Key Generation
  - Original signer:
    - Make a warrant $m_w$ which records the delegation policy
    - Choose $x_A \in \mathbb{Z}_q^*$ and compute $X_A = x_A D_A$ and $X'_A = x_A Q_A$
    - Compute $T = e(X'_A, P_{pub}) = e(X_A, P)$
    - Compute $r = H_2(m_w \| T \| X'_A)$
    - Compute $S = (x_A - r) D_A$
    - Send $(X'_A, S, r)$ and $m_w$ to the proxy signer
  - Proxy signer:
    - Compute $T' = e(S, P)\, e(rQ_A, P_{pub}) = e(X'_A, P_{pub})$
    - Check whether $r' = H_2(m_w \| T' \| X'_A) = r$
    - Proxy key $= (D_B, S)$


The Guo et al. IBPS Scheme
- Proxy Signature Generation
  - Choose $x_B \in \mathbb{Z}_q^*$ and compute $U = x_B Q_B$
  - Compute $h = H_2(m \| m_w \| U)$
  - Compute $V = S + (x_B + h) D_B$
  - Proxy signature $\sigma = (X'_A, U, V, m_w, m)$
- Proxy Signature Verification
  - Check the warrant $m_w$
  - Compute $T'' = e(X'_A, P_{pub})$
  - Compute $r' = H_2(m_w \| T'' \| X'_A)$
  - Compute $h' = H_2(m \| m_w \| U)$
  - Check whether $e(P, V) = e(P_{pub}, X'_A - r'Q_A + U + h'Q_B)$


Cryptanalysis on the Guo et al. IBPS Scheme
- A: original signer; B: cheating proxy signer
- Proxy Signature Generation (performed by B)
  - Make a warrant $m_w$
  - Choose $x_A \in \mathbb{Z}_q^*$ and compute $X'_A = x_A Q_A$
  - Compute $r' = H_2(m_w \| T \| X'_A)$ where $T = e(X'_A, P_{pub})$
  - Choose $x_B \in \mathbb{Z}_q^*$ and compute $U = x_B Q_B - X'_A + rQ_A$
  - Compute $h = H_2(m \| m_w \| U)$
  - Compute $V = (x_B + h) D_B$
  - Return $\sigma = (X'_A, U, V, m_w, m)$ as the proxy signature


Cryptanalysis on the Guo et al. IBPS Scheme
- Proxy Signature Verification
  - Compute $T'' = e(X'_A, P_{pub})$
  - Compute $r' = H_2(m_w \| T'' \| X'_A)$
  - Compute $h' = H_2(m \| m_w \| U)$
  - Check whether $e(P, V) = e(P_{pub}, X'_A - r'Q_A + U + h'Q_B)$
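
Carrying this check through for the forged signature (an added derivation, not part of the original slides). It uses $D_B = sQ_B$ and $P_{pub} = sP$ from Setup and Extract, the fact that the $r$ in the forged $U$ is the same hash value the verifier recomputes as $r'$, and $h' = h$:

$$
\begin{aligned}
X'_A - r'Q_A + U + h'Q_B &= X'_A - r'Q_A + (x_B Q_B - X'_A + r'Q_A) + hQ_B = (x_B + h)\,Q_B,\\
e(P, V) &= e\big(P, (x_B + h)\,sQ_B\big) = e\big(sP, (x_B + h)\,Q_B\big) = e\big(P_{pub}, (x_B + h)\,Q_B\big).
\end{aligned}
$$

The two sides agree, so verification accepts even though $V$ contains no term $S$ from the original signer: the forged $U$ cancels both $X'_A$ and $r'Q_A$ inside the second argument of the pairing.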


Li et al. CLPS Scheme
- Derived from the Cha and Cheon IBS scheme and the Hess IBS scheme
- The only CLPS scheme
- Setup
  - Choose groups $G_1, G_2$ of prime order $q$
  - Choose a generator $P \in G_1$ and a bilinear map $e: G_1 \times G_1 \to G_2$
  - Choose $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \times G_1 \to \mathbb{Z}_q^*$
  - Choose $s \in \mathbb{Z}_q^*$ as master key and set $P_{pub} = sP$ as public key
  - Publicize params $= (G_1, G_2, e, q, P, P_{pub}, H_1, H_2)$
- Set-Partial-Private-Key
  - Compute $D_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$
- Set-Secret-Value
  - Select a random $x_{ID} \in \mathbb{Z}_q^*$


Li et al. CLPS Scheme
- Set-Private-Key
  - $S_{ID} = x_{ID} D_{ID}$
- Set-Public-Key
  - $X_{ID} = x_{ID} P$; $Y_{ID} = x_{ID} P_{pub}$
- Proxy Key Generation
  - Original signer:
    - Choose $r \in \mathbb{Z}_q^*$ and compute $U = rQ_A$
    - Compute $h_A = H_2(m_w \| U)$
    - Compute $V = (r + h_A) S_A$
    - Send $(U, V)$ and $m_w$ to the proxy signer
  - Proxy signer:
    - Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
    - Compute $h_A = H_2(m_w \| U)$
    - Check whether $e(P, V) = e(Y_A, U + h_A Q_A)$
    - Proxy key $S_p = V + S_B$


Li et al. CLPS Scheme
- Proxy Signature Generation
  - Choose $a \in \mathbb{Z}_q^*$ and compute $R = e(P, P)^{a}$
  - Compute $h_B = H_2(m_w \| R)$
  - Compute $S = h_B S_p + aP$
  - Proxy signature $\sigma = (R, U, S, m_w, m)$
- Proxy Signature Verification
  - Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
  - Check whether $e(X_B, P_{pub}) = e(Y_B, P)$
  - Compute $R' = e(P, S)\, e(Y_A, -h_B(U + h_A Q_A))\, e(Y_B, -h_B Q_B)$, where $h_A = H_2(m_w \| U)$ and $h_B = H_2(m_w \| R)$
  - Accept iff $h_B = H_2(m_w \| R')$


Cryptanalysis on the Li et al. CLPS Scheme
- Public key replacement attack (Type I adversary)
- The adversary performs the following:
- Proxy Signature Generation
  - Select $U, S \in G_1$ and compute $h_A = H_2(m_w \| U)$
  - Select a random $r \in \mathbb{Z}_q^*$
  - Compute $R = e(P, S)\, e(P_{pub}, -(U + h_A Q_A))\, e(rP_{pub}, -Q_B)$
  - Compute $h_B = H_2(m_w \| R)$
  - Set $x_A = h_A^{-1} \in \mathbb{Z}_q^*$ and $x_B = h_B^{-1} r \in \mathbb{Z}_q^*$
  - Compute $X'_A = x_A P$; $Y'_A = x_A P_{pub}$; $X'_B = x_B P$; $Y'_B = x_B P_{pub}$
  - Replace the user public key with $(X'_A, Y'_A, X'_B, Y'_B)$
  - Return the proxy signature $\sigma = (R, U, S, m_w, m)$


Cryptanalysis on the Li et al. CLPS Scheme
- Proxy Signature Generation
  - Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
  - Check whether $e(X_B, P_{pub}) = e(Y_B, P)$
  - Compute $R' = e(P, S)\, e(Y_A, -h_B(U + h_A Q_A))\, e(Y_B, -h_B Q_B)$, where $h_A = H_2(m_w \| U)$ and $h_B = H_2(m_w \| R)$
  - Accept iff $h_B = H_2(m_w \| R')$


Conclusion
- We have shown that the following schemes are insecure:
  - The Qian and Cao IBPS scheme
  - The Guo et al. IBPS scheme
  - The Li et al. CLPS scheme
- The security of a proxy signature scheme derived from a provably secure IBS scheme is not guaranteed.