Cryptanalysis of Some Proxy Signature Schemes without Certificates
Wun-She Yap, Swee-Huay Heng, Bok-Min Goi
Multimedia University

Proxy Signature
- Introduced by Mambo et al. in 1996.
- Allows a designated signer (the proxy signer) to sign a message on behalf of an original signer.
- Involves three entities: original signer, proxy signer, verifier.
- Convinces the verifier that the signature was produced by the proxy signer, who obtained the delegation right from the original signer.
- Applications: e-cash systems, global distribution networks, grid computing, mobile agent applications, etc.

Traditional PKC
- Introduced by Diffie and Hellman in 1976.
- Requires a certificate.
[Diagram labels: Certificate Authority (CA), Alice, Bob, Certificate, Public Key, Private Key, Communication, Authentication]

ID-Based PKC
- Introduced by Shamir in 1984.
- Advantage (+): implicit certification.
- Drawback (-): inherent key escrow problem.
[Diagram labels: Private Key Generator (PKG), Private Key, Identity (ID), Alice, Bob, Communication, Authentication]

Certificateless PKC
- Introduced by Al-Riyami and Paterson in 2003.
- Advantage (+): implicit certification.
- Advantage (+): solves the inherent key escrow problem.
[Diagram labels: Key Generating Center (KGC), ID, User's Public Key, Partial Private Key, User's Private Key, Alice, Bob, Authentication, Communication]

This Research
Show that the following schemes are insecure against universal forgery:
- The Qian and Cao IBPS scheme (ISPA 2005): RSA-based
- The Guo et al. IBPS scheme (IMSCCS 2006): bilinear pairing
- The Li et al. CLPS scheme (Lithuanian Mathematical Journal 2005): bilinear pairing
Any user can act as a cheating proxy signer to forge the proxy signature on behalf of the original signer, without obtaining the official delegation from the original signer.

The Qian and Cao IBPS Scheme
Setup
- Compute $n = pq$, where $p$ and $q$ are prime
- Select $e$ at random where $\gcd(e, \varphi(n)) = 1$
- Compute the master key $d$ where $ed = 1 \bmod \varphi(n)$
- Choose $H_1: \{0,1\}^* \to \mathbb{Z}_{\varphi(n)}$ and $H_2: \{0,1\}^* \to \mathbb{Z}_n$
Extract
- Compute $D_{ID} = Q_{ID}^{d}$ where $Q_{ID} = H_2(ID)$
Proxy Key Generation
Original Signer:
- Make a warrant $m_w$ which records the delegation policy
- Choose $r_A \in \mathbb{Z}_n$ and compute $R_A = r_A^{e} \bmod n$
- Compute $S_A = D_A \cdot r_A^{h_1} \bmod n$ where $h_1 = H_1(R_A \| m_w)$
- Send $\sigma_A = (R_A, S_A)$ and $m_w$ to the proxy signer B
Proxy Signer:
- Check whether $S_A^{e} = Q_A \cdot R_A^{h_1} \bmod n$

The Qian and Cao IBPS Scheme
Proxy Signature Generation
- Choose $r_B \in \mathbb{Z}_n$ and compute $R_B = r_B^{e} \bmod n$
- Compute $h = H_1(R_B \| m_w \| m)$
- Compute $S_B = D_B \cdot (r_B \cdot S_A)^{h} \bmod n$
- Proxy signature $\sigma = (R_A, R_B, S_B)$
Proxy Signature Verification
- Check the warrant $m_w$
- Compute $Q_A = H_2(ID_A)$ and $Q_B = H_2(ID_B)$
- Check whether $S_B^{e} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h} \bmod n$

Cryptanalysis on the Qian and Cao IBPS Scheme
A: original signer; B: cheating proxy signer
Proxy Signature Generation (performed by B)
- Make a warrant $m_w$
- Choose $r_A \in \mathbb{Z}_n$ and compute $R_A = r_A^{e} \bmod n$
- Choose $r_B \in \mathbb{Z}_n$ and compute $R_B = r_B^{e} \cdot Q_A^{-1} \bmod n$
- Compute $S_B = D_B \cdot (r_B \cdot r_A^{h_1})^{h} \bmod n$
Proxy Signature Verification
- Check whether $S_B^{e} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h} \bmod n$
- $S_B^{e} = D_B^{e} \cdot (r_B^{e} \cdot r_A^{e h_1})^{h} = Q_B \cdot (r_B^{e} \cdot R_A^{h_1})^{h} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h}$, where $r_B^{e} = R_B \cdot Q_A$
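
The verification identity above can be replayed numerically. The following is an added example, not code from the slides or from Qian and Cao: the SHA-256 based H1/H2, the "|" encoding of concatenation, the toy Mersenne-prime modulus and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters (two Mersenne primes); far too small for real use.
p, q = 2**31 - 1, 2**61 - 1
n, phi = p * q, (p - 1) * (q - 1)
e = 65537
d = pow(e, -1, phi)  # KGC master key: ed = 1 mod phi(n)

def _hash(tag, parts, mod):
    # Assumed encoding of "||": fields rendered as text and joined with "|".
    data = tag + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

def H1(*parts): return _hash(b"H1:", parts, phi)   # {0,1}* -> Z_phi(n)
def H2(ident): return _hash(b"H2:", (ident,), n)   # {0,1}* -> Z_n
def extract(ident): return pow(H2(ident), d, n)    # D_ID = Q_ID^d mod n
def rand_zn(): return secrets.randbelow(n - 1) + 1

def delegate(D_A, mw):
    """Original signer A issues sigma_A = (R_A, S_A) for warrant mw."""
    r_A = rand_zn()
    R_A = pow(r_A, e, n)
    return R_A, D_A * pow(r_A, H1(R_A, mw), n) % n

def proxy_sign(D_B, R_A, S_A, mw, m):
    """Honest proxy signer B: S_B depends on the delegation value S_A."""
    r_B = rand_zn()
    R_B = pow(r_B, e, n)
    return R_A, R_B, D_B * pow(r_B * S_A, H1(R_B, mw, m), n) % n

def sign_without_delegation(D_B, id_A, mw, m):
    """Cheating B: picks r_A itself, folds Q_A^-1 into R_B, never sees S_A."""
    r_A, r_B = rand_zn(), rand_zn()
    R_A = pow(r_A, e, n)
    R_B = pow(r_B, e, n) * pow(H2(id_A), -1, n) % n
    h1, h = H1(R_A, mw), H1(R_B, mw, m)
    return R_A, R_B, D_B * pow(r_B * pow(r_A, h1, n), h, n) % n

def verify(sig, id_A, id_B, mw, m):
    """Verifier: S_B^e == Q_B * (R_B * Q_A * R_A^h1)^h mod n."""
    R_A, R_B, S_B = sig
    h1, h = H1(R_A, mw), H1(R_B, mw, m)
    rhs = H2(id_B) * pow(R_B * H2(id_A) * pow(R_A, h1, n), h, n) % n
    return pow(S_B, e, n) == rhs
```

Both `proxy_sign` and `sign_without_delegation` produce signatures that `verify` accepts, which is the point of the slide: the verification equation never forces the signer to know $S_A$.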

The Guo et al. IBPS Scheme
Setup
- Choose groups $G_1$, $G_2$ of prime order $q$
- Choose a generator $P \in G_1$ and a bilinear map $e: G_1 \times G_1 \to G_2$
- Choose $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$
- Choose $s \in \mathbb{Z}_q^*$ as master key and set $P_{pub} = sP$ as public key
- Publicize params $= (G_1, G_2, e, q, P, P_{pub}, H_1, H_2)$
Extract
- Compute $D_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$

The Guo et al. IBPS Scheme
Proxy Key Generation
Original Signer:
- Make a warrant $m_w$ which records the delegation policy
- Choose $x_A \in \mathbb{Z}_q^*$ and compute $X_A = x_A D_A$ and $X'_A = x_A Q_A$
- Compute $T = e(X'_A, P_{pub}) = e(X_A, P)$
- Compute $r = H_2(m_w \| T \| X'_A)$
- Compute $S = (x_A - r) D_A$
- Send $(X'_A, S, r)$ and $m_w$ to the proxy signer
Proxy Signer:
- Compute $T' = e(S, P)\, e(rQ_A, P_{pub}) = e(X'_A, P_{pub})$
- Check whether $r' = H_2(m_w \| T' \| X'_A) = r$
- Proxy key $= (D_B, S)$

The Guo et al. IBPS Scheme
Proxy Signature Generation
- Choose $x_B \in \mathbb{Z}_q^*$ and compute $U = x_B Q_B$
- Compute $h = H_2(m \| m_w \| U)$
- Compute $V = S + (x_B + h) D_B$
- Proxy signature $\sigma = (X'_A, U, V, m_w, m)$
Proxy Signature Verification
- Check the warrant $m_w$
- Compute $T'' = e(X'_A, P_{pub})$
- Compute $r' = H_2(m_w \| T'' \| X'_A)$
- Compute $h' = H_2(m \| m_w \| U)$
- Check whether $e(P, V) = e(P_{pub}, X'_A - r'Q_A + U + h'Q_B)$

Cryptanalysis on the Guo et al. IBPS Scheme
A: original signer; B: cheating proxy signer
Proxy Signature Generation (performed by B)
- Make a warrant $m_w$
- Choose $x_A \in \mathbb{Z}_q^*$ and compute $X'_A = x_A Q_A$
- Compute $r' = H_2(m_w \| T \| X'_A)$ where $T = e(X'_A, P_{pub})$
- Choose $x_B \in \mathbb{Z}_q^*$ and compute $U = x_B Q_B - X'_A + rQ_A$
- Compute $h = H_2(m \| m_w \| U)$
- Compute $V = (x_B + h) D_B$
- Return $\sigma = (X'_A, U, V, m_w, m)$ as the proxy signature

Cryptanalysis on the Guo et al. IBPS Scheme
Proxy Signature Verification
- Compute $T'' = e(X'_A, P_{pub})$
- Compute $r' = H_2(m_w \| T'' \| X'_A)$
- Compute $h' = H_2(m \| m_w \| U)$
- Check whether $e(P, V) = e(P_{pub}, X'_A - r'Q_A + U + h'Q_B)$
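
Why this check passes for B's output, carried through with the slides' symbols (a derivation added here; it does not appear on the original slides). Since $D_B = sQ_B$ and $P_{pub} = sP$, bilinearity gives for the left-hand side

$$e(P, V) = e(P, (x_B + h)\, s\, Q_B) = e(sP, (x_B + h) Q_B) = e(P_{pub}, (x_B + h) Q_B).$$

The verifier's $T'' = e(X'_A, P_{pub})$ is the same value as B's $T$, so the verifier's $r'$ equals the $r$ that B used in $U$, and $h' = h$. Substituting $U = x_B Q_B - X'_A + rQ_A$ into the right-hand argument:

$$X'_A - r'Q_A + U + h'Q_B = X'_A - rQ_A + (x_B Q_B - X'_A + rQ_A) + hQ_B = (x_B + h) Q_B.$$

Both sides are therefore $e(P_{pub}, (x_B + h) Q_B)$. The terms $X'_A$ and $rQ_A$, which are supposed to bind the signature to A's delegation value $S$, cancel against the chosen $U$, and B needs only its own key $D_B$.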

Li et al. CLPS Scheme
- Derived from the Cha and Cheon IBS scheme and the Hess IBS scheme
- The only CLPS scheme
Setup
- Choose groups $G_1$, $G_2$ of prime order $q$
- Choose a generator $P \in G_1$ and a bilinear map $e: G_1 \times G_1 \to G_2$
- Choose $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \times G_1 \to \mathbb{Z}_q^*$
- Choose $s \in \mathbb{Z}_q^*$ as master key and set $P_{pub} = sP$ as public key
- Publicize params $= (G_1, G_2, e, q, P, P_{pub}, H_1, H_2)$
Set-Partial-Private-Key
- Compute $D_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$
Set-Secret-Value
- Select a random $x_{ID} \in \mathbb{Z}_q^*$

Li et al. CLPS Scheme
Set-Private-Key
- $S_{ID} = x_{ID} D_{ID}$
Set-Public-Key
- $X_{ID} = x_{ID} P$; $Y_{ID} = x_{ID} P_{pub}$
Proxy Key Generation
Original Signer:
- Choose $r \in \mathbb{Z}_q^*$ and compute $U = rQ_A$
- Compute $h_A = H_2(m_w \| U)$
- Compute $V = (r + h_A) S_A$
- Send $(U, V)$ and $m_w$ to the proxy signer
Proxy Signer:
- Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
- Compute $h_A = H_2(m_w \| U)$
- Check whether $e(P, V) = e(Y_A, U + h_A Q_A)$
- Proxy key $S_p = V + S_B$

Li et al. CLPS Scheme
Proxy Signature Generation
- Choose $a \in \mathbb{Z}_q^*$ and compute $R = e(P, P)^{a}$
- Compute $h_B = H_2(m_w \| R)$
- Compute $S = h_B S_p + aP$
- Proxy signature $\sigma = (R, U, S, m_w, m)$
Proxy Signature Verification
- Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
- Check whether $e(X_B, P_{pub}) = e(Y_B, P)$
- Compute $R' = e(P, S)\, e(Y_A, -h_B(U + h_A Q_A))\, e(Y_B, -h_B Q_B)$, where $h_A = H_2(m_w \| U)$ and $h_B = H_2(m_w \| R)$
- Accept iff $h_B = H_2(m_w \| R')$

Cryptanalysis on the Li et al. CLPS Scheme
Public key replacement attack (Type I adversary). The adversary performs the following:
Proxy Signature Generation
- Select $U, S \in G_1$ and compute $h_A = H_2(m_w \| U)$
- Select a random $r \in \mathbb{Z}_q^*$
- Compute $R = e(P, S)\, e(P_{pub}, -(U + h_A Q_A))\, e(rP_{pub}, -Q_B)$
- Compute $h_B = H_2(m_w \| R)$
- Set $x_A = h_A^{-1} \in \mathbb{Z}_q^*$ and $x_B = h_B^{-1} r \in \mathbb{Z}_q^*$
- Compute $X'_A = x_A P$; $Y'_A = x_A P_{pub}$; $X'_B = x_B P$; $Y'_B = x_B P_{pub}$
- Replace the user public key with $(X'_A, Y'_A, X'_B, Y'_B)$
- Return the proxy signature $\sigma = (R, U, S, m_w, m)$

Cryptanalysis on the Li et al. CLPS Scheme
Proxy Signature Verification
- Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
- Check whether $e(X_B, P_{pub}) = e(Y_B, P)$
- Compute $R' = e(P, S)\, e(Y_A, -h_B(U + h_A Q_A))\, e(Y_B, -h_B Q_B)$, where $h_A = H_2(m_w \| U)$ and $h_B = H_2(m_w \| R)$
- Accept iff $h_B = H_2(m_w \| R')$

Conclusion
We have shown that the following schemes are insecure:
- The Qian and Cao IBPS scheme
- The Guo et al. IBPS scheme
- The Li et al. CLPS scheme
The security of proxy signature schemes derived from a provably secure IBS scheme is not guaranteed.