Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes
By Jyh-Haw Yeh, Computer Science Dept., Boise State University

Proxy Signcryption
- Signcryption: a combination of two words, signature and encryption.
- Proxy signcryption: a proxy signs and encrypts a message in one scheme.
- Protects the confidentiality of the signed messages from eavesdroppers.
- Applications: online proxy auction or online contract signing by an authorized proxy.

Proxy Signcryption
- Three entities involved: original signer (OS), proxy signer (PS) and signature verifier (SV).
- Scenario:
  - OS delegates his signing right to PS
  - PS, on behalf of OS, signs and encrypts a message to SV
  - SV recovers and verifies the message

Proxy Signcryption
- One cryptosystem with five phases:
  - Cryptosystem setup (by Key Generation Center)
  - Proxy credential generation (by OS)
  - Proxy credential verification (by PS)
  - Signcrypted message generation (by PS)
  - Signature recovery and verification (by SV)

Proxy Signcryption
- Security requirement: proxy credential non-repudiation. OS cannot later deny a proxy credential that he/she issued.
  - Requires proxy credential unforgeability
  - Requires correct proxy credential generation/verification algorithms
  - If OS denies a proxy credential, a trusted third party should resolve the conflict

Proxy Signcryption
- Security requirement: signcrypted message non-repudiation. PS cannot later deny a signcrypted message that came from him/her.
  - Requires signcrypted message unforgeability
  - Requires correct signcrypted message generation/verification algorithms
  - If OS/PS later denies a signcrypted message, a trusted third party should resolve the conflict

Proxy Credential Forgery Attack
- The attack cryptanalyzes the proxy credential to find a way to generate a fake credential that can pass the verification process.
- If a proxy credential can be forged, then the scheme does not have the non-repudiation property.

Math Background
- Many proxy signcryption schemes were designed based on “bilinear pairings”
- Two cyclic groups (G1, +) and (G2, ×); B is a generator of G1
- A bilinear map e: G1 × G1 → G2. For X, Y, Z in G1:
  - e(X,Y) = e(Y,X)
  - e(aX, bY) = e(X,Y)^{ab}
  - e(X,Y+Z) = e(X,Y)e(X,Z)

Math Background
- Given X and Y, e(X,Y) can be computed in poly-time
- Given B, aB and bB, it’s hard to compute abB
- Given B, aB, bB, cB, it’s hard to identify an element h in G2 such that h = e(B,B)^{abc}

LWXY Scheme
- Setup: KGC chooses system parameters (G1, G2, q, B, e, h1, h2, h3), where q is the order of G1 and G2
  - h1: {0,1}^k × G1 → Z_q
  - h2: G1 → G1
  - h3: G2 × G1 → {0,1}^k
- Each user i chooses a private key x_i in Z_q and a public key Y_i = x_iB

LWXY Scheme
- Proxy credential (σ, N, w) generation:
  - w: proxy warrant, which specifies the delegated rights
  - N = dB, where d is a random number
  - σ = (x_o + dw) mod q
- Proxy credential verification: σB ?= Y_o + wN. Why?
  - Since σB = (x_o + dw)B = x_oB + dBw = Y_o + wN
- Signcrypted message generation: ignored
- Signature recovery and verification: ignored

Proxy Credential Forgery Attack to LWXY
- PS can create a fake proxy credential (σ’, N’, w’) from his original one to increase his signing power
- Generate w’ to increase his delegation time and/or add designated signature verifiers.
- σ’ = (w’/w)σ = (w’/w)x_o + dw’ mod q
- N’ = ((w’/w)Y_o + w’N – Y_o)/w’

Proxy Credential Forgery Attack to LWXY
- The fake credential can pass the verification, since
  σ’B = ((w’/w)x_o + dw’)B
      = (w’/w)Y_o + w’N
      = Y_o + (w’/w)Y_o + w’N – Y_o
      = Y_o + w’(((w’/w)Y_o + w’N – Y_o)/w’)
      = Y_o + w’N’

Modify LWHY to Prevent The Attack
- Change the way to create proxy credentials:
  - N = dB
  - σ = (x-coordinate of N)x_o + dw mod q
- Change the proxy credential verification to:
  - σB ?= (x-coordinate of N)Y_o + wN

EA Scheme
- Setup: KGC chooses system parameters (G1, G2, q, B, Y_pub, e, h1, h2, h3), where Y_pub = sB is a system public key and s is a system master key.
  - h1: {0,1}^* → G1
  - h2: G2 → {0,1}^n
  - h3: {0,1}^* × G2 → Z_q
- Each user i has a public-private key pair Y_i = h1(ID_i) and X_i = sY_i

EA Scheme
- Proxy credential (σ, N) generation:
  - σ = X_o + dY_pub, where d is a random number
  - N = dB
- Proxy credential verification: e(B, σ) ?= e(Y_pub, Y_o + N). Why?
  - Since e(B, σ) = e(B, X_o + dY_pub) = e(B, sY_o + dsB) = e(sB, Y_o + dB) = e(Y_pub, Y_o + N)
- Signcrypted message generation: ignored
- Signature recovery and verification: ignored

Proxy Credential Forgery Attack to EA
- PS can create a fake proxy credential (σ’, N’) from his original one and give it to another person without the permission of OS
- σ’ = σ + d’Y_pub = X_o + (d+d’)Y_pub = X_o + d”Y_pub
- N’ = N + d’B = dB + d’B = (d+d’)B = d”B

Proxy Credential Forgery Attack to EA
- The fake credential (σ’, N’) can pass the verification, since
  e(B, σ’) = e(B, X_o + d”Y_pub)
           = e(B, sY_o + d”sB)
           = e(sB, Y_o + d”B)
           = e(Y_pub, Y_o + N’)

Modify EA to Prevent Attack
- Change the way to create proxy credentials:
  - N = dB
  - σ = (x-coordinate of N)X_o + dY_pub mod q
- Change the proxy credential verification to:
  - e(B, σ) ?= e(Y_pub, (x-coordinate of N)Y_o + N)

Efficiency
- Compared to LWHY, the modified LWHY adds 1 modular multiplication (MM) and 1 point multiplication (PM) in G1
- Both LWHY and modified LWHY require 4 bilinear pairing (BP) operations
  - 1 BP is about 11,110 MM
  - 1 PM is about a few hundred MM
- Compared to EA, the modified EA adds 3 PM
- Both EA and modified EA require 8 BP