Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University.

Published byMaryann O’Connor’ Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University."— Presentation transcript:

1 Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University

2 2 Proxy Signature Introduced by Mambo et al. in 1996. Allow a designated signer (proxy signer) to sign the message on behalf of an original signer Involve three entities:  Original Signer  Proxy Signer  Verifier Convince the verifier that the signature is signed by the proxy signer who obtains the delegation right from the original signer Applications: e-cash system, global distribution network, grid computing, mobile agent applications, etc.

3 3 Traditional PKC Introduced by Diffie and Hellman in 1976 Required certificate Certificate Authority (CA) AliceBob Certificate Public Key Private Key Communication Authentication

4 4 ID-Based PKC Introduced by Shamir in 1984 + Implicit certification - Inherent key escrow problem Communication Authentication Private Key Generator (PKG) Private Key Identity (ID) AliceBob

5 5 Certificateless PKC Introduced by Al-Riyami and Paterson in 2003 + Implicit certification + Solved the inherent key escrow problem Bob Alice Key Generating Center (KGC) ID User’s Public Key Partial Private Key User’s Private Key Authentication Communication

6 6 This Research Show that the following schemes are insecure against universal forgery The Qian and Cao IBPS scheme (ISPA 2005) – RSA-based The Guo et al. IBPS scheme (IMSCCS 2006) – bilinear pairing The Li et al. CLPS scheme (Lithuanian Mathematical Journal 2005) – bilinear pairing Any user can act as a cheating proxy signer, to forge the proxy signature on behalf of the original signer, without obtaining the official delegation from the original signer.

7 7 The Qian and Cao IBPS Scheme Setup Compute n = pq, where p, q: prime Select e at random where gcd (e,φ(n)) = 1 Compute master-key d where ed = 1 mod φ(n) Choose H 1 : {0, 1} * → Z φ(n) and H 2 : {0, 1} * → Z n Extract Compute D ID = Q ID d where Q ID = H 2 (ID) Proxy Key Generation Original Signer: Make a warrant m w which records the delegation policy Choose r A ∊ Z n and compute R A = r A e mod n Compute S A = D A. r A h1 mod n where h1 = H 1 (R A ||m w ) Send σ A = (R A,S A ) and m w to the proxy signer B Proxy Signer: Check whether S A e = Q A. R A h1 mod n

8 8 The Qian and Cao IBPS Scheme Proxy Signature Generation Choose r B ∊ Z n and compute R B = r B e mod n Compute h = H 1 (R B ||m w ||m) Compute S B = D B. (r B. S A ) h mod n Proxy signature σ = (R A, R B, S B ) Proxy Signature Verification Check the warrant m w Compute Q A = H 2 (ID A ) and Q B = H 2 (ID B ) Check whether S B e = Q B. (R B. Q A. R A h1 ) h mod n

9 9 Cryptanalysis on the Qian and Cao IBPS Scheme A: Original signer; B: Cheating proxy signer Proxy Signature Generation (perform by B) Make a warrant m w Choose r A ∊ Z n and compute R A = r A e mod n Choose r B ∊ Z n and compute R B = r B e. Q A -1 mod n Compute S B = D B. (r B. r A h1 ) h mod n Proxy Signature Verification Check whether S B e = Q B. (R B. Q A. R A h1 ) h mod n S B e = D B e. (r B e. r A eh1 ) h = Q B. (r B e. R A h1 ) h = Q B. (R B. Q A. R A h1 ) h where r B e = R B. Q A

10 10 The Guo et al. IBPS Scheme Setup Choose groups G 1, G 2 of prime order q Choose a generator P ∈ G 1 and a bilinear map e : G 1  G 1  G 2 Choose H 1 : {0, 1} * → G 1 and H 2 : {0, 1} * → Z q * Choose s ∈ Z q * as master key and set P pub = sP as public key Publicize params = (G 1, G 2, e, q, P, P pub, H 1, H 2 ) Extract Compute D ID = sQ ID where Q ID = H 1 (ID)

11 11 The Guo et al. IBPS Scheme Proxy Key Generation Original Signer: Make a warrant m w which records the delegation policy Choose x A ∊ Z q * and compute X A = x A D A and X’ A = x A Q A Compute T = e(X’ A,P pub ) = e(X A,P) Compute r = H 2 (m w ||T|| X’ A ) Compute S = (x A - r)D A Send (X’ A, S, r) and m w to the proxy signer Proxy Signer: Compute T’ = e(S,P) e(rQ A,P pub ) = e(X’ A,P pub ) Check whether r’ = H 2 (m w ||T’|| X’ A ) = r Proxy key = (D B, S)

12 12 The Guo et al. IBPS Scheme Proxy Signature Generation Choose x B ∊ Z q * and compute U = x B Q B Compute h = H 2 (m||m w ||U) Compute V = S + (x B + h)D B Proxy signature σ = (X’ A, U, V, m w, m) Proxy Signature Verification Check the warrant m w Compute T’’ = e(X’ A,P pub ) Compute r’ = H 2 (m w ||T’’|| X’ A ) Compute h’ = H 2 (m||m w ||U) Check whether e(P,V) = e(P pub, X’ A – r’Q A + U + h’Q B )

13 13 Cryptanalysis on the Guo et al. IBPS Scheme A: Original signer; B: Cheating proxy signer Proxy Signature Generation (perform by B) Make a warrant m w Choose x A ∊ Z q * and compute X’ A = x A Q A Compute r’ = H 2 (m w ||T|| X’ A ) where T = e(X’ A,P pub ) Choose x B ∊ Z q * and compute U = x B Q B - X’ A + rQ A Compute h = H 2 (m||m w ||U) Compute V = (x B + h)D B Return σ = (X’ A, U, V, m w, m) as the proxy signature

14 14 Cryptanalysis on the Guo et al. IBPS Scheme Proxy Signature Verification Compute T’’ = e(X’ A,P pub ) Compute r’ = H 2 (m w ||T’’|| X’ A ) Compute h’ = H 2 (m||m w ||U) Check whether e(P,V) = e(P pub, X’ A – r’Q A + U + h’Q B )

15 15 Li et al. CLPS Scheme Derived from the Cha and Cheon IBS scheme and the Hess IBS scheme The only CLPS scheme Setup Choose groups G 1, G 2 of prime order q Choose a generator P ∈ G 1 and a bilinear map e : G 1  G 1  G 2 Choose H 1 : {0, 1} * → G 1 and H 2 : {0, 1} * x G 1 → Z q * Choose s ∈ Z q * as master key and set P pub = sP as public key Publicize params = (G 1, G 2, e, q, P, P pub, H 1, H 2 ) Set-Partial-Private-Key Compute D ID = sQ ID where Q ID = H 1 (ID) Set-Secret-Value Select a random x ID ∈ Z q *

16 16 Li et al. CLPS Scheme Set-Private-Key S ID = x ID D ID Set-Public-Key X ID = x ID P; Y ID = x ID P pub Proxy Key Generation Original Signer: Choose r ∊ Z q * and compute U = rQ A Compute h A = H 2 (m w ||U) Compute V = (r + h A )S A Send (U, V) and m w to the proxy signer Proxy Signer: Check whether e(X A,P pub ) = e(Y A,P) Compute h A = H 2 (m w ||U) Check whether e(P,V) = e(Y A, U + h A Q A ) Proxy key S p = V + S B

17 17 Li et al. CLPS Scheme Proxy Signature Generation Choose a ∊ Z q * and compute R = e(P,P) a Compute h B = H 2 (m w ||R) Compute S = h B S p + aP Proxy signature σ = (R, U, S, m w, m) Proxy Signature Verification Check whether e(X A,P pub ) = e(Y A,P) Check whether e(X B,P pub ) = e(Y B,P) Compute R’ = e(P,S) e(Y A, -h B (U + h A Q A )) e(Y B, -h B Q B ) where h A = H 2 (m w ||U) and h B = H 2 (m w ||R) Accept iff h B = H 2 (m w ||R’)

18 18 Cryptanalysis on the Li et al. CLPS Scheme Public key replacement attack (Type I adversary) The adversary performs the following: Proxy Signature Generation Select U, S ∈ G 1 and compute h A = H 2 (m w ||U) Select a random r ∊ Z q * Compute R = e(P,S) e(P pub, -(U + h A Q A )) e(rP pub, -Q B ) Compute h B = H 2 (m w ||R) Set x A = h A -1 ∊ Z q * and x B = h B -1 r ∊ Z q * Compute X’ A = x A P; Y’ A = x A P pub ; X’ B = x B P; Y’ B = x B P pub Replace the user public key with (X’ A, Y’ A, X’ B, Y’ B ) Return the proxy signature σ = (R, U, S, m w, m)

19 19 Cryptanalysis on the Li et al. CLPS Scheme Proxy Signature Generation Check whether e(X A,P pub ) = e(Y A,P) Check whether e(X B,P pub ) = e(Y B,P) Compute R’ = e(P,S) e(Y A, -h B (U + h A Q A )) e(Y B, -h B Q B ) where h A = H 2 (m w ||U) and h B = H 2 (m w ||R) Accept iff h B = H 2 (m w ||R’)

20 20 Conclusion We have shown that following schemes are insecure The Qian and Cao IBPS scheme The Guo et al. IBPS scheme The Li et al. CLPS scheme The security of the proxy signature schemes deriving from the provable secure IBS scheme is not guaranteed.

Download ppt "Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University."

Similar presentations

1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
By Md Emran Mazumder Ottawa University Student no: 6282845.

By Md Emran Mazumder Ottawa University Student no:
BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.

BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.
11 Efficient and Secure Certificateless Authentication and Key Agreement Protocol for Hybrid P2P Network Authors: Z. B. Xu and Z. W. Li Source: The 2nd.

11 Efficient and Secure Certificateless Authentication and Key Agreement Protocol for Hybrid P2P Network Authors: Z. B. Xu and Z. W. Li Source: The 2nd.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
A novel and efficient unlinkable secret handshakes scheme Author: Hai Huang and Zhenfu Cao (PR China) Source: IEEE Comm. Letters 13 (5) (2009) Presenter:

A novel and efficient unlinkable secret handshakes scheme Author: Hai Huang and Zhenfu Cao (PR China) Source: IEEE Comm. Letters 13 (5) (2009) Presenter:
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.

1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.
Identity Based Encryption

Identity Based Encryption
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Weakness of Shim’s New ID- base Tripartite Multiple-key Agreement Protocol Authors: J.S. Chou, C.H.Lin and C.H. Chiu ePrint/2005/457 Presented by J. Liu.

Weakness of Shim’s New ID- base Tripartite Multiple-key Agreement Protocol Authors: J.S. Chou, C.H.Lin and C.H. Chiu ePrint/2005/457 Presented by J. Liu.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
Certificateless Authenticated Two-Party Key Agreement Protocols

Certificateless Authenticated Two-Party Key Agreement Protocols
1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.

1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.
Identity Base Threshold Proxy Signature Jing Xu, Zhenfeng Zhang, and Dengguo Feng Form eprint Presented by 魏聲尊.

Identity Base Threshold Proxy Signature Jing Xu, Zhenfeng Zhang, and Dengguo Feng Form eprint Presented by 魏聲尊.
Key Distribution CS 470 Introduction to Applied Cryptography

Key Distribution CS 470 Introduction to Applied Cryptography
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem No author given (Korea information security Agency) Presented by J.Liu.

Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem No author given (Korea information security Agency) Presented by J.Liu.

Similar presentations

Ads by Google