Cryptanalysis of Tseng et al.'s authenticated encryption schemes
Source: Applied Mathematics and Computation 158 (2004) 1-5
Authors: Qi Xie, Xiu Yuan Yu
Speaker: Hao-Wen Huang
Date: 2004/12/15

Outline
- Brief review of Tseng et al.'s authenticated encryption scheme with message linkages
- Cryptanalysis and improvement
- Conclusion

§2. Tseng et al.'s scheme
- Initialization phase
- Signature generation phase
- Message recovery phase
§2.1. System initialization phase
There are a signer A (identity $ID_A$), a specified verifier B (identity $ID_B$) and one trusted center. (Notation on the slide: green = secret, red = public.)
1> $p$ and $q$ are large primes such that $p = 2p' + 1$ and $q = 2q' + 1$, where $p'$ and $q'$ are also primes.
2> Compute $N = pq$. Let $g$ be a generator of a multiplicative subgroup of order $p'q'$, and let $h(\cdot)$ be a one-way hash function.
3> $P_A = g^{x_A} \bmod N$ and $P_B = g^{x_B} \bmod N$, where $x_A$ and $x_B$ are A's and B's secret keys.
4> $P_A$ and $P_B$ are sent to the trusted center.
5> The center publishes $Y_A = (P_A - ID_A)\, h(ID_A)^{-1}$ and $Y_B = (P_B - ID_B)\, h(ID_B)^{-1}$ as A's and B's public keys.
§2.2. Signature generation phase
Message $M = \{M_1, M_2, \ldots, M_n\}$
1> Set $r_0 = 0$ and select a random number $k$.
2> Compute $t = (Y_B\, h(ID_B) + ID_B)^k \bmod N$.
3> Compute $r_i = M_i \cdot h(r_{i-1} \oplus t) \bmod N$ for $i = 1, 2, \ldots, n$.
4> Compute $s = k - x_A r$, where $r = h(r_1 \| r_2 \| \cdots \| r_n)$.
5> A sends the signature blocks $(r, s, r_1, r_2, \ldots, r_n)$ to B.
§2.3. Message recovery phase
1> B computes $r' = h(r_1 \| r_2 \| \cdots \| r_n)$ and checks $r' \stackrel{?}{=} r$.
2> B solves for $t$ by the following procedure:
[step 1] $g^k = g^s (Y_A\, h(ID_A) + ID_A)^r \bmod N$
[step 2] $t = (g^k)^{x_B} \bmod N$
3> Recover the message $\{M_1, M_2, \ldots, M_n\}$ as $M_i = r_i \cdot h(r_{i-1} \oplus t)^{-1} \bmod N$.
§3. Cryptanalysis and improvement (1/3)
Case 1: If the specified verifier B substitutes $x_B$, he can forge the signature for any message.
Suppose B wants to forge the signature for message $E = \{E_1, E_2, \ldots, E_n\}$.
1> Compute $\sigma_i = E_i \cdot h(\sigma_{i-1} \oplus t) \bmod N$ for $i = 1, 2, \ldots, n$ with $\sigma_0 = 0$, and $\sigma = h(\sigma_1 \| \sigma_2 \| \cdots \| \sigma_n)$.
2> Solve $x'_B$ from $r x_B = \sigma x'_B$, then solve $s'$ from $s x_B = s' x'_B$.
3> Compute $P'_B = g^{x'_B} \bmod N$; then B asks the trusted center to publish a new public key $Y'_B$.

§3. Cryptanalysis and improvement (2/3)
Case 1 (continued): If the specified verifier B substitutes $x_B$, he can forge the signature for any message.
4> $(\sigma, s', \sigma_1, \sigma_2, \ldots, \sigma_n)$ is a valid set of signature blocks.
Proof:
$[g^{s'} (Y_A\, h(ID_A) + ID_A)^{\sigma}]^{x'_B} \bmod N$
$= g^{s' x'_B} (Y_A\, h(ID_A) + ID_A)^{\sigma x'_B} \bmod N$
$= g^{s x_B} (Y_A\, h(ID_A) + ID_A)^{r x_B} \bmod N$
$= (g^k)^{x_B} \bmod N$
$= t \bmod N$
§3. Cryptanalysis and improvement (3/3)
Case 2: If the signer A generates signatures with this scheme for two or more specified verifiers, they can cooperate to forge the signature for any message.
Improved approach: change the signature blocks from $(r, s, r_1, r_2, \ldots, r_n)$ to $(r, s, g^k, r_1, r_2, \ldots, r_n)$.
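The §2 scheme together with the extra $g^k$ block of the improved approach, as an added Python model (not the paper's code) using constructed toy parameters $p' = 11$, $q' = 23$, SHA-256 as $h(\cdot)$, and made-up identities and secret keys. `recover()` with `improved=False` behaves like the original scheme, which never checks that the $g^k$ derived from $(r, s)$ is the one the signer actually used, so it silently decrypts garbage instead of rejecting.

```python
import hashlib
from math import gcd

PP, QQ = 11, 23                  # constructed toy p', q' (prime): p = 2p'+1 = 23, q = 2q'+1 = 47
N = (2 * PP + 1) * (2 * QQ + 1)  # N = pq = 1081
ORDER = PP * QQ                  # p'q' = 253, the order of the subgroup generated by g
G = next(g for g in (pow(a, 4, N) for a in range(2, N))   # a^4 lies in the order-p'q' subgroup
         if pow(g, PP, N) != 1 and pow(g, QQ, N) != 1 and pow(g, ORDER, N) == 1)

def h(*parts):
    """One-way hash h() into [1, N-1], retried until coprime to N so it is invertible mod N."""
    data = "|".join(map(str, parts)).encode()   # "|" stands for concatenation
    for ctr in range(256):
        v = int.from_bytes(hashlib.sha256(data + bytes([ctr])).digest(), "big") % (N - 1) + 1
        if gcd(v, N) == 1:
            return v
    raise RuntimeError("hash retry exhausted")

def publish(identity, x):        # trusted center: Y = (P - ID) * h(ID)^-1 mod N, with P = g^x mod N
    return (pow(G, x, N) - identity) * pow(h(identity), -1, N) % N

def pub_key(identity, y):        # anyone: P = Y * h(ID) + ID mod N
    return (y * h(identity) + identity) % N

def sign(msgs, x_a, id_b, y_b, k):   # signer A: returns (r, s, g^k, [r_1..r_n])
    t = pow(pub_key(id_b, y_b), k, N)           # t = (Y_B h(ID_B) + ID_B)^k mod N
    blocks, prev = [], 0                        # r_0 = 0
    for m in msgs:
        prev = m * h(prev ^ t) % N              # r_i = M_i * h(r_{i-1} xor t) mod N
        blocks.append(prev)
    r = h(*blocks)                              # r = h(r_1 || ... || r_n)
    return r, (k - x_a * r) % ORDER, pow(G, k, N), blocks   # g^k is the improved scheme's extra block

def recover(sig, id_a, y_a, x_b, improved=True):   # verifier B: None means rejected
    r, s, gk_sent, blocks = sig
    gk = pow(G, s, N) * pow(pub_key(id_a, y_a), r, N) % N   # g^k = g^s (Y_A h(ID_A) + ID_A)^r mod N
    if h(*blocks) != r or (improved and gk != gk_sent):     # the original scheme has no g^k check
        return None
    t, msgs, prev = pow(gk, x_b, N), [], 0                  # t = (g^k)^{x_B} mod N
    for ri in blocks:
        msgs.append(ri * pow(h(prev ^ t), -1, N) % N)        # M_i = r_i * h(r_{i-1} xor t)^-1 mod N
        prev = ri
    return msgs

def demo():   # genuine signature recovers; a signature with s altered is rejected only by the g^k check
    id_a, id_b, x_a, x_b = 1001, 2002, 17, 101   # constructed identities and secret keys
    y_a, y_b = publish(id_a, x_a), publish(id_b, x_b)
    sig = sign([42, 999, 7], x_a, id_b, y_b, k=77)
    bad = (sig[0], (sig[1] + 1) % ORDER, sig[2], sig[3])
    return recover(sig, id_a, y_a, x_b), recover(bad, id_a, y_a, x_b), recover(bad, id_a, y_a, x_b, False)
```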
Conclusion
Tseng et al.'s scheme is not secure; the paper gives a small modification to improve it.