Download presentation
Presentation is loading. Please wait.
Published byGerard Trick Modified over 9 years ago
1
BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes
2
Proxy Signcryption Signcryption: combining two words – Signature and Encryption. Proxy Signcryption: proxy signs and encrypts a message in one scheme. Protect the confidentiality of the signed messages from eavesdroppers. Applications: online proxy auction or online contract signing by an authorized proxy.
3
Proxy Signcryption Three entities involved: original signer (OS), proxy signer (PS) and signature verifier (SV). Scenario: OS delegates his signing right to PS PS, on behave of OS, signs and encrypts a message to SV SV recovers and verifies the message
4
Proxy Signcryption One cryptosystem with five phases: Cryptosystem setup (by Key Generation Center) Proxy credential generation (by OS) Proxy credential verification (by PS) Signcrypted message generation (by PS) Signature recovery and verification (by SV)
5
Proxy Signcryption Security requirement: Proxy credential non-repudiation: OS cannot deny a proxy credential issued by him/her later. Require proxy credential unforgeability Require correct proxy credential generation/verification algorithms If OS denies a proxy credential, a trusted third party should resolve the conflict
6
Proxy Signcryption Security requirement: Signcrypted message non-repudiation: PS cannot deny a signcrypted message from him/her later Require signcrypted message unforgeability Require correct signcrypted message generation/verification algorithms If OS/PS later denies a signcrypted message, a trusted third party should resolve the conflict.
7
Proxy Credential Forgery attack The attack tries to cryptanalyzing the proxy credential and find a way to generate a fake credential which can pass the verification process. If a proxy credential can be forged, then the scheme will not have non-repudiation property
8
Math Background Many proxy signcryption schemes were designed based on “bilinear pairings” Two cyclic groups (G1, +) and (G2, x), B is a generator of G1 A bilinear map e: G1 × G1 G2 X, Y, Z in G1 e(X,Y) = e(Y,X) e(aX, bY) = e(X,Y)^{ab} e(X,Y+Z) = e(X,Y)e(X,Z)
9
Math Background Given X and Y, e(X,Y) can be computed in poly-time Given B, aB and bB, it’s hard to compute abB Given B, aB, bB, cB, it’s hard to identify an element h in G2 such that h = e(B,B)^{abc}
10
LWXY Scheme Setup: KGC chooses system para (G1, G2, q, B, e, h1, h2,,3), where q is the order of G1 and G2 h1: {0,1}^k × G1 Z_q h2: G1 G1 h3: G2 × G1 {0,1}^k Each user i chooses a private key x_i in Z_q and a public key Y_i = x_iB
11
LWXY Scheme Proxy credential ( σ, N, w) generation : W: proxy warrant specifies delegated rights N = dB, where d is a random nymber σ = (x_o + dw) mod q Proxy credential verification: σB ?= Y_o + wN. Why? Since σB = (x_o + dw)B = x_oB + dBw = Y_o + wN Signcrypted message generation: ignored Signature recovery and verification: ignored
12
Proxy Credential Forgery Attack to LWXY PS can create a fake proxy credential ( σ’, N’, w’) from his original one to increase his signing power Generate w’ to increase his delegation time and/or add designated signature verifiers. σ’=(w’/w) σ = (w’/w) x_o + dw’ mod q N’ = ((w’/w) Y_o + w’ N – Y_o)/w’
13
Proxy Credential Forgery Attack to LWXY The fake credential can pass the verification, since σ’B = ((w’/w) x_o + dw’ )B = (w’/w)Y_o + w’N = Y_o + (w’/w)Y_o + w’N – Y_o = Y_o + w’(((w’/w)Y_o + w’N – Y_o)/w’) = Y_o + w’ N’
14
Modify LWHY to Prevent The Attack Change the way to create proxy credentials N = dB σ = (x-coordinate of N)x_o + dw mod q Change the proxy credential verification to σB ?= (x-coordinate of N)Y_o + wN
15
EA Scheme Setup: KGC chooses system para (G1, G2, q, B, Y_pub, e, h1, h2, h3), where Y_pub = sB is a system public key and s is a system master key. h1: {0,1}^* G1 h2: G2 {0,1}^n h3: {0,1}^* × G2 Z_q Each user i has public-private keys pairs Y_i = h1(ID_i) and X_i = sY_i
16
EA Scheme Proxy credential ( σ, N) generation: σ = X_o + dY_pub, where d is a random number N = dB Proxy credential verification: e(B, σ) ?= e(Y_pub, Y_o + N). Why? Since e(B, σ) = e(B, X_o + dY_pub) = e(B, sY_o + dsB) = e(sB, Y_o + dB) = e(Y_pub, Y_o + N) Signcrypted message generation: ignored Signature recovery and verification: ignored
17
Proxy Credential Forgery Attack to EA PS can create a fake a proxy credential ( σ’, N’) from his original one and give it to another person without the permission of OS σ’ = σ + d’Y_pub = X_o + (d+d’)Y_pub = X_o + d”Y_pub N’ = N + d’B = dB + d’B = (d+d’)B = d”B
18
Proxy Credential Forgery Attack to EA The fake credential ( σ’, N’) can pass the verification, since e(B, σ’) = e(B, X_o + d”Y_pub) = e(B, sY_o + d”sB) = e(sB, Y_o + d”B) = e(Y_pub, Y_o + N’)
19
Modify EA to Prevent Attack Change the way to create proxy credentials N = dB σ = (x-coordinate of N)X_o + dY_pub mod q Change the proxy credential verification to e(B, σ) ?= e(Y_pub, (x-coordinate of N)Y_o + N)
20
Efficiency Comparing to LWHY, the modified LWHY adds 1 modular multiplication (MM) and 1 point multiplication (PM) in G1 Both LWHY/modified LWHY requires 4 bilinear pairing (BP) operations 1 BP is about 11,110 MM 1PM is about a few hundred MM Comparing to EA, the modified EA adds 3 PM Both EA/modified EA require 8 BP
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.