Cryptanalysis of Some Proxy Signature Schemes without Certificates

Wun-She Yap, Swee-Huay Heng, Bok-Min Goi (Multimedia University)

Presentation transcript:


2 Proxy Signature

- Introduced by Mambo et al. in
- Allow a designated signer (proxy signer) to sign the message on behalf of an original signer
- Involve three entities:
  - Original Signer
  - Proxy Signer
  - Verifier
- Convince the verifier that the signature is signed by the proxy signer who obtains the delegation right from the original signer
- Applications: e-cash system, global distribution network, grid computing, mobile agent applications, etc.

3 Traditional PKC

- Introduced by Diffie and Hellman in 1976
- Required certificate

[Diagram: Certificate Authority (CA), Alice, Bob; labels: Certificate, Public Key, Private Key, Communication, Authentication]

4 ID-Based PKC

- Introduced by Shamir in
- Implicit certification
- (-) Inherent key escrow problem

[Diagram: Private Key Generator (PKG), Alice, Bob; labels: Identity (ID), Private Key, Communication, Authentication]

5 Certificateless PKC

- Introduced by Al-Riyami and Paterson in
- Implicit certification
- (+) Solved the inherent key escrow problem

[Diagram: Key Generating Center (KGC), Alice, Bob; labels: ID, Partial Private Key, User's Private Key, User's Public Key, Communication, Authentication]

6 This Research

Show that the following schemes are insecure against universal forgery:
- The Qian and Cao IBPS scheme (ISPA 2005): RSA-based
- The Guo et al. IBPS scheme (IMSCCS 2006): bilinear pairing
- The Li et al. CLPS scheme (Lithuanian Mathematical Journal 2005): bilinear pairing

Any user can act as a cheating proxy signer, to forge the proxy signature on behalf of the original signer, without obtaining the official delegation from the original signer.

7 The Qian and Cao IBPS Scheme

Setup
- Compute $n = pq$, where $p, q$ are prime
- Select $e$ at random where $\gcd(e, \varphi(n)) = 1$
- Compute master-key $d$ where $ed = 1 \bmod \varphi(n)$
- Choose $H_1 : \{0,1\}^* \to \mathbb{Z}_{\varphi(n)}$ and $H_2 : \{0,1\}^* \to \mathbb{Z}_n$

Extract
- Compute $D_{ID} = Q_{ID}^{d}$ where $Q_{ID} = H_2(ID)$

Proxy Key Generation

Original Signer:
- Make a warrant $m_w$ which records the delegation policy
- Choose $r_A \in \mathbb{Z}_n$ and compute $R_A = r_A^{e} \bmod n$
- Compute $S_A = D_A \cdot r_A^{h_1} \bmod n$ where $h_1 = H_1(R_A \| m_w)$
- Send $\sigma_A = (R_A, S_A)$ and $m_w$ to the proxy signer B

Proxy Signer:
- Check whether $S_A^{e} = Q_A \cdot R_A^{h_1} \bmod n$

8 The Qian and Cao IBPS Scheme

Proxy Signature Generation
- Choose $r_B \in \mathbb{Z}_n$ and compute $R_B = r_B^{e} \bmod n$
- Compute $h = H_1(R_B \| m_w \| m)$
- Compute $S_B = D_B \cdot (r_B \cdot S_A)^{h} \bmod n$
- Proxy signature $\sigma = (R_A, R_B, S_B)$

Proxy Signature Verification
- Check the warrant $m_w$
- Compute $Q_A = H_2(ID_A)$ and $Q_B = H_2(ID_B)$
- Check whether $S_B^{e} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h} \bmod n$

9 Cryptanalysis on the Qian and Cao IBPS Scheme

A: original signer; B: cheating proxy signer

Proxy Signature Generation (performed by B)
- Make a warrant $m_w$
- Choose $r_A \in \mathbb{Z}_n$ and compute $R_A = r_A^{e} \bmod n$
- Choose $r_B \in \mathbb{Z}_n$ and compute $R_B = r_B^{e} \cdot Q_A^{-1} \bmod n$
- Compute $S_B = D_B \cdot (r_B \cdot r_A^{h_1})^{h} \bmod n$

Proxy Signature Verification
- Check whether $S_B^{e} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h} \bmod n$

$$S_B^{e} = D_B^{e} \cdot (r_B^{e} \cdot r_A^{e h_1})^{h} = Q_B \cdot (r_B^{e} \cdot R_A^{h_1})^{h} = Q_B \cdot (R_B \cdot Q_A \cdot R_A^{h_1})^{h}, \quad \text{where } r_B^{e} = R_B \cdot Q_A$$
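The scheme from slides 7 and 8 and the check from slide 9, as an added example that is not part of the original slides: it runs the verification equation against a signature built with and without the original signer's $S_A$. Assumptions: toy RSA primes, SHA-256 stand-ins for $H_1$ and $H_2$, constructed identities `alice`/`bob`, and hypothetical function names.

```python
import hashlib

# Constructed toy parameters (two Mersenne primes); far too small for real use.
p, q = 2**31 - 1, 2**61 - 1
n, phi = p * q, (p - 1) * (q - 1)
e = 65537
d = pow(e, -1, phi)                      # PKG master key (needs Python 3.8+)

def _hash(tag, parts, mod):
    data = tag + b"||".join(parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

# Assumption: SHA-256 reduced mod phi(n) / mod n stands in for H_1 / H_2.
def H1(*parts): return _hash(b"H1:", parts, phi)
def H2(identity): return _hash(b"H2:", [identity], n)
def enc(x): return str(x).encode()
def extract(identity): return pow(H2(identity), d, n)   # D_ID = Q_ID^d

def delegate(D_A, m_w, r_A):
    """Original signer A: sigma_A = (R_A, S_A) over warrant m_w."""
    R_A = pow(r_A, e, n)
    return R_A, D_A * pow(r_A, H1(enc(R_A), m_w), n) % n

def proxy_sign(D_B, R_A, S_A, m_w, m, r_B):
    """Proxy signer B holding a genuine S_A from A."""
    R_B = pow(r_B, e, n)
    h = H1(enc(R_B), m_w, m)
    return R_A, R_B, D_B * pow(r_B * S_A, h, n) % n

def sign_without_delegation(D_B, id_a, m_w, m, r_A, r_B):
    """Slide 9: B picks r_A itself and folds Q_A^-1 into R_B; D_A is never used."""
    R_A = pow(r_A, e, n)
    R_B = pow(r_B, e, n) * pow(H2(id_a), -1, n) % n
    h1, h = H1(enc(R_A), m_w), H1(enc(R_B), m_w, m)
    return R_A, R_B, D_B * pow(r_B * pow(r_A, h1, n), h, n) % n

def verify(id_a, id_b, m_w, m, sig):
    R_A, R_B, S_B = sig
    h1, h = H1(enc(R_A), m_w), H1(enc(R_B), m_w, m)
    rhs = H2(id_b) * pow(R_B * H2(id_a) * pow(R_A, h1, n), h, n) % n
    return pow(S_B, e, n) == rhs

def demo():
    D_A, D_B = extract(b"alice"), extract(b"bob")
    R_A, S_A = delegate(D_A, b"warrant-1", 1234567)
    honest = proxy_sign(D_B, R_A, S_A, b"warrant-1", b"msg", 7654321)
    forged = sign_without_delegation(D_B, b"alice", b"warrant-2", b"msg", 1111, 2222)
    return (verify(b"alice", b"bob", b"warrant-1", b"msg", honest),
            verify(b"alice", b"bob", b"warrant-2", b"msg", forged))
```

Both results are `True`: the verifier's equation only ever sees $Q_A$ as a public factor that $R_B$ can cancel, so acceptance says nothing about whether $D_A$ was involved.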

10 The Guo et al. IBPS Scheme

Setup
- Choose groups $G_1, G_2$ of prime order $q$
- Choose a generator $P \in G_1$ and a bilinear map $e : G_1 \times G_1 \to G_2$
- Choose $H_1 : \{0,1\}^* \to G_1$ and $H_2 : \{0,1\}^* \to \mathbb{Z}_q^*$
- Choose $s \in \mathbb{Z}_q^*$ as master key and set $P_{pub} = sP$ as public key
- Publicize params $= (G_1, G_2, e, q, P, P_{pub}, H_1, H_2)$

Extract
- Compute $D_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$

11 The Guo et al. IBPS Scheme

Proxy Key Generation

Original Signer:
- Make a warrant $m_w$ which records the delegation policy
- Choose $x_A \in \mathbb{Z}_q^*$ and compute $X_A = x_A D_A$ and $X'_A = x_A Q_A$
- Compute $T = e(X'_A, P_{pub}) = e(X_A, P)$
- Compute $r = H_2(m_w \| T \| X'_A)$
- Compute $S = (x_A - r) D_A$
- Send $(X'_A, S, r)$ and $m_w$ to the proxy signer

Proxy Signer:
- Compute $T' = e(S, P)\, e(rQ_A, P_{pub}) = e(X'_A, P_{pub})$
- Check whether $r' = H_2(m_w \| T' \| X'_A) = r$
- Proxy key $= (D_B, S)$

12 The Guo et al. IBPS Scheme

Proxy Signature Generation
- Choose $x_B \in \mathbb{Z}_q^*$ and compute $U = x_B Q_B$
- Compute $h = H_2(m \| m_w \| U)$
- Compute $V = S + (x_B + h) D_B$
- Proxy signature $\sigma = (X'_A, U, V, m_w, m)$

Proxy Signature Verification
- Check the warrant $m_w$
- Compute $T'' = e(X'_A, P_{pub})$
- Compute $r' = H_2(m_w \| T'' \| X'_A)$
- Compute $h' = H_2(m \| m_w \| U)$
- Check whether $e(P, V) = e(P_{pub}, X'_A - r'Q_A + U + h'Q_B)$

13 Cryptanalysis on the Guo et al. IBPS Scheme

A: original signer; B: cheating proxy signer

Proxy Signature Generation (performed by B)
- Make a warrant $m_w$
- Choose $x_A \in \mathbb{Z}_q^*$ and compute $X'_A = x_A Q_A$
- Compute $r' = H_2(m_w \| T \| X'_A)$ where $T = e(X'_A, P_{pub})$
- Choose $x_B \in \mathbb{Z}_q^*$ and compute $U = x_B Q_B - X'_A + rQ_A$
- Compute $h = H_2(m \| m_w \| U)$
- Compute $V = (x_B + h) D_B$
- Return $\sigma = (X'_A, U, V, m_w, m)$ as the proxy signature

14 Cryptanalysis on the Guo et al. IBPS Scheme

Proxy Signature Verification
- Compute $T'' = e(X'_A, P_{pub})$
- Compute $r' = H_2(m_w \| T'' \| X'_A)$
- Compute $h' = H_2(m \| m_w \| U)$
- Check whether $e(P, V) = e(P_{pub}, X'_A - r'Q_A + U + h'Q_B)$
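The slide lists the verifier's steps without the substitution; carried through with the slides' own symbols (an added derivation, not part of the original slides), it shows why the check passes. The verifier recomputes $T'' = e(X'_A, P_{pub}) = T$, so its $r'$ is the same value B used when forming $U$ (written $r$ on slide 13), and $h' = h$.

$$X'_A - r'Q_A + U + h'Q_B = X'_A - rQ_A + (x_B Q_B - X'_A + rQ_A) + hQ_B = (x_B + h)\,Q_B$$

$$e(P, V) = e\big(P, (x_B + h) D_B\big) = e\big(P, (x_B + h)\, s\, Q_B\big) = e\big(sP, (x_B + h) Q_B\big) = e\big(P_{pub}, (x_B + h) Q_B\big)$$

Both sides agree, and neither $D_A$ nor the delegation value $S = (x_A - r) D_A$ appears anywhere: the $X'_A - r'Q_A$ term that is meant to account for $S$ is cancelled inside $U$, which the signer chooses freely.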

15 Li et al. CLPS Scheme

- Derived from the Cha and Cheon IBS scheme and the Hess IBS scheme
- The only CLPS scheme

Setup
- Choose groups $G_1, G_2$ of prime order $q$
- Choose a generator $P \in G_1$ and a bilinear map $e : G_1 \times G_1 \to G_2$
- Choose $H_1 : \{0,1\}^* \to G_1$ and $H_2 : \{0,1\}^* \times G_1 \to \mathbb{Z}_q^*$
- Choose $s \in \mathbb{Z}_q^*$ as master key and set $P_{pub} = sP$ as public key
- Publicize params $= (G_1, G_2, e, q, P, P_{pub}, H_1, H_2)$

Set-Partial-Private-Key
- Compute $D_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$

Set-Secret-Value
- Select a random $x_{ID} \in \mathbb{Z}_q^*$

16 Li et al. CLPS Scheme

Set-Private-Key
- $S_{ID} = x_{ID} D_{ID}$

Set-Public-Key
- $X_{ID} = x_{ID} P$; $Y_{ID} = x_{ID} P_{pub}$

Proxy Key Generation

Original Signer:
- Choose $r \in \mathbb{Z}_q^*$ and compute $U = rQ_A$
- Compute $h_A = H_2(m_w \| U)$
- Compute $V = (r + h_A) S_A$
- Send $(U, V)$ and $m_w$ to the proxy signer

Proxy Signer:
- Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
- Compute $h_A = H_2(m_w \| U)$
- Check whether $e(P, V) = e(Y_A, U + h_A Q_A)$
- Proxy key $S_p = V + S_B$

17 Li et al. CLPS Scheme

Proxy Signature Generation
- Choose $a \in \mathbb{Z}_q^*$ and compute $R = e(P, P)^{a}$
- Compute $h_B = H_2(m_w \| R)$
- Compute $S = h_B S_p + aP$
- Proxy signature $\sigma = (R, U, S, m_w, m)$

Proxy Signature Verification
- Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
- Check whether $e(X_B, P_{pub}) = e(Y_B, P)$
- Compute $R' = e(P, S)\, e(Y_A, -h_B(U + h_A Q_A))\, e(Y_B, -h_B Q_B)$ where $h_A = H_2(m_w \| U)$ and $h_B = H_2(m_w \| R)$
- Accept iff $h_B = H_2(m_w \| R')$

18 Cryptanalysis on the Li et al. CLPS Scheme

Public key replacement attack (Type I adversary). The adversary performs the following:

Proxy Signature Generation
- Select $U, S \in G_1$ and compute $h_A = H_2(m_w \| U)$
- Select a random $r \in \mathbb{Z}_q^*$
- Compute $R = e(P, S)\, e(P_{pub}, -(U + h_A Q_A))\, e(rP_{pub}, -Q_B)$
- Compute $h_B = H_2(m_w \| R)$
- Set $x_A = h_A^{-1} \in \mathbb{Z}_q^*$ and $x_B = h_B^{-1} r \in \mathbb{Z}_q^*$
- Compute $X'_A = x_A P$; $Y'_A = x_A P_{pub}$; $X'_B = x_B P$; $Y'_B = x_B P_{pub}$
- Replace the user public key with $(X'_A, Y'_A, X'_B, Y'_B)$
- Return the proxy signature $\sigma = (R, U, S, m_w, m)$

19 Cryptanalysis on the Li et al. CLPS Scheme

Proxy Signature Generation
- Check whether $e(X_A, P_{pub}) = e(Y_A, P)$
- Check whether $e(X_B, P_{pub}) = e(Y_B, P)$
- Compute $R' = e(P, S)\, e(Y_A, -h_B(U + h_A Q_A))\, e(Y_B, -h_B Q_B)$ where $h_A = H_2(m_w \| U)$ and $h_B = H_2(m_w \| R)$
- Accept iff $h_B = H_2(m_w \| R')$

20 Conclusion

We have shown that the following schemes are insecure:
- The Qian and Cao IBPS scheme
- The Guo et al. IBPS scheme
- The Li et al. CLPS scheme

The security of proxy signature schemes derived from a provably secure IBS scheme is not guaranteed.