Cryptanalysis of Some Proxy Signature Schemes without Certificates

1
Cryptanalysis of Some Proxy Signature Schemes
without Certificates

• Wun-She Yap, Swee-Huay Heng
• Bok-Min Goi
• Multimedia University

2
Proxy Signature

• Introduced by Mambo et al. in 1996.
• Allow a designated signer (proxy signer) to sign
  the message on behalf of an original signer
• Involve three entities
• Original Signer
• Proxy Signer
• Verifier
• Convince the verifier that the signature is
  signed by the proxy signer who obtains the
  delegation right from the original signer
• Applications e-cash system, global distribution
  network, grid computing, mobile agent
  applications, etc.

3
Traditional PKC

• Introduced by Diffie and Hellman in 1976
• Required certificate

Certificate
Public Key
Authentication
Private Key
Communication
Alice
Bob
4
ID-Based PKC

• Introduced by Shamir in 1984
• Implicit certification
• - Inherent key escrow problem

Private Key Generator (PKG)
Private Key
Authentication
Identity (ID)
Communication
Alice
Bob
5
Certificateless PKC

• Introduced by Al-Riyami and Paterson in 2003
• Implicit certification
• Solved the inherent key escrow problem

Key Generating Center (KGC)
Partial Private Key
Authentication
Users Private Key
Users Public Key
Communication
ID
Alice
Bob
6
This Research

• Show that the following schemes are insecure
  against universal forgery
• The Qian and Cao IBPS scheme (ISPA 2005)
  RSA-based
• The Guo et al. IBPS scheme (IMSCCS 2006)
  bilinear pairing
• The Li et al. CLPS scheme (Lithuanian
  Mathematical Journal 2005) bilinear pairing
• Any user can act as a cheating proxy signer, to
  forge the proxy signature on behalf of the
  original signer, without obtaining the official
  delegation from the original signer.

7
The Qian and Cao IBPS Scheme

• Setup
• Compute n pq, where p, q prime
• Select e at random where gcd (e,f(n)) 1
• Compute master-key d where ed 1 mod f(n)
• Choose H1 0, 1 ? Zf(n) and H2 0, 1 ? Zn
• Extract
• Compute DID QIDd where QID H2(ID)
• Proxy Key Generation
• Original Signer
• Make a warrant mw which records the delegation
  policy
• Choose rA ? Zn and compute RA rAe mod n
• Compute SA DA . rAh1 mod n where h1
  H1(RAmw)
• Send sA (RA,SA) and mw to the proxy signer B
• Proxy Signer
• Check whether SAe QA . RAh1 mod n

8
The Qian and Cao IBPS Scheme

• Proxy Signature Generation
• Choose rB ? Zn and compute RB rBe mod n
• Compute h H1(RBmwm)
• Compute SB DB . (rB . SA)h mod n
• Proxy signature s (RA, RB, SB)
• Proxy Signature Verification
• Check the warrant mw
• Compute QA H2(IDA) and QB H2(IDB)
• Check whether SBe QB . (RB . QA . RAh1)h mod n

9
Cryptanalysis on the Qian and Cao IBPS Scheme

• A Original signer B Cheating proxy signer
• Proxy Signature Generation (perform by B)
• Make a warrant mw
• Choose rA ? Zn and compute RA rAe mod n
• Choose rB ? Zn and compute RB rBe . QA-1 mod n
• Compute SB DB . (rB . rAh1)h mod n
• Proxy Signature Verification
• Check whether SBe QB . (RB . QA . RAh1)h mod n
• SBe DBe . (rBe . rAeh1)h
• QB . (rBe . RAh1)h
• QB . (RB . QA . RAh1)h
• where rBe RB . QA

10
The Guo et al. IBPS Scheme

• Setup
• Choose groups G1, G2 of prime order q
• Choose a generator P ? G1 and a bilinear map e
  G1?G1?G2
• Choose H1 0, 1 ? G1 and H2 0, 1 ? Zq
• Choose s ? Zq as master key and set Ppub sP
  as public key
• Publicize params (G1, G2, e, q, P, Ppub, H1,
  H2)
• Extract
• Compute DID sQID where QID H1(ID)

11
The Guo et al. IBPS Scheme

• Proxy Key Generation
• Original Signer
• Make a warrant mw which records the delegation
  policy
• Choose xA ? Zq and compute XA xADA and XA
  xAQA
• Compute T e(XA,Ppub) e(XA,P)
• Compute r H2(mwT XA)
• Compute S (xA - r)DA
• Send (XA, S, r) and mw to the proxy signer
• Proxy Signer
• Compute T e(S,P) e(rQA,Ppub) e(XA,Ppub)
• Check whether r H2(mwT XA) r
• Proxy key (DB, S)

12
The Guo et al. IBPS Scheme

• Proxy Signature Generation
• Choose xB ? Zq and compute U xBQB
• Compute h H2(mmwU)
• Compute V S (xB h)DB
• Proxy signature s (XA, U, V, mw, m)
• Proxy Signature Verification
• Check the warrant mw
• Compute T e(XA,Ppub)
• Compute r H2(mwT XA)
• Compute h H2(mmwU)
• Check whether e(P,V) e(Ppub, XA rQA U
  hQB)

13
Cryptanalysis on the Guo et al. IBPS Scheme

• A Original signer B Cheating proxy signer
• Proxy Signature Generation (perform by B)
• Make a warrant mw
• Choose xA ? Zq and compute XA xAQA
• Compute r H2(mwT XA) where T
  e(XA,Ppub)
• Choose xB ? Zq and compute U xBQB - XA
  rQA
• Compute h H2(mmwU)
• Compute V (xB h)DB
• Return s (XA, U, V, mw, m) as the proxy
  signature

14
Cryptanalysis on the Guo et al. IBPS Scheme

• Proxy Signature Verification
• Compute T e(XA,Ppub)
• Compute r H2(mwT XA)
• Compute h H2(mmwU)
• Check whether e(P,V) e(Ppub, XA rQA U
  hQB)

15
Li et al. CLPS Scheme

• Derived from the Cha and Cheon IBS scheme and the
  Hess IBS scheme
• The only CLPS scheme
• Setup
• Choose groups G1, G2 of prime order q
• Choose a generator P ? G1 and a bilinear map e
  G1?G1?G2
• Choose H1 0, 1 ? G1 and H2 0, 1 x G1 ?
  Zq
• Choose s ? Zq as master key and set Ppub sP
  as public key
• Publicize params (G1, G2, e, q, P, Ppub, H1,
  H2)
• Set-Partial-Private-Key
• Compute DID sQID where QID H1(ID)
• Set-Secret-Value
  Select a random xID ?
  Zq

16
Li et al. CLPS Scheme

• Set-Private-Key
• SID xIDDID
• Set-Public-Key
• XID xIDP YID xIDPpub
• Proxy Key Generation
• Original Signer
• Choose r ? Zq and compute U rQA
• Compute hA H2(mwU)
• Compute V (r hA)SA
• Send (U, V) and mw to the proxy signer
• Proxy Signer
• Check whether e(XA,Ppub) e(YA,P)
• Compute hA H2(mwU)
• Check whether e(P,V) e(YA, U hAQA)
• Proxy key Sp V SB

17
Li et al. CLPS Scheme

• Proxy Signature Generation
• Choose a ? Zq and compute R e(P,P)a
• Compute hB H2(mwR)
• Compute S hBSp aP
• Proxy signature s (R, U, S, mw, m)
• Proxy Signature Verification
• Check whether e(XA,Ppub) e(YA,P)
• Check whether e(XB,Ppub) e(YB,P)
• Compute R e(P,S) e(YA, -hB(U hAQA)) e(YB,
  -hBQB)
• where hA H2(mwU) and hB H2(mwR)
• Accept iff hB H2(mwR)

18
Cryptanalysis on the Li et al. CLPS Scheme

• Public key replacement attack (Type I adversary)
• The adversary performs the following
• Proxy Signature Generation
• Select U, S ? G1 and compute hA H2(mwU)
• Select a random r ? Zq
• Compute R e(P,S) e(Ppub, -(U hAQA)) e(rPpub,
  -QB)
• Compute hB H2(mwR)
• Set xA hA -1 ? Zq and xB hB -1r ? Zq
• Compute XA xAP YA xAPpub XB xBP YB
  xBPpub
• Replace the user public key with (XA , YA ,
  XB , YB)
• Return the proxy signature s (R, U, S, mw, m)

19
Cryptanalysis on the Li et al. CLPS Scheme

• Proxy Signature Generation
• Check whether e(XA,Ppub) e(YA,P)
• Check whether e(XB,Ppub) e(YB,P)
• Compute R e(P,S) e(YA, -hB(U hAQA)) e(YB,
  -hBQB)
• where hA H2(mwU) and hB H2(mwR)
• Accept iff hB H2(mwR)

20
Conclusion

• We have shown that following schemes are insecure
• The Qian and Cao IBPS scheme
• The Guo et al. IBPS scheme
• The Li et al. CLPS scheme
• The security of the proxy signature schemes
  deriving from the provable secure IBS scheme is
  not guaranteed.