INTERNATIONAL JOURNAL OF COMMUNICATION SYSTEMS Int. J. Commun. Syst. (2012) Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/dac.2388

SHORT COMMUNICATION

Weaknesses and improvements of an efficient certificateless signature scheme without using bilinear pairings

Jia-Lun Tsai1,*,†, Nai-Wei Lo1 and Tzong-Chen Wu1,2

1 Department of Information Management, National Taiwan University of Science and Technology, Taipei 106, Taiwan
2 Taiwan Information Security Center (TWISC), National Taiwan University of Science and Technology, Taipei 106, Taiwan

SUMMARY

The certificateless signature (CLS) scheme is a special signature scheme that solves the key escrow problem of identity-based signature schemes. In a CLS scheme the private key is generated cooperatively by the key generator center (KGC) and the signer, so that a malicious KGC cannot masquerade as the signer and sign a message. He et al. in 2011 proposed an efficient CLS scheme without bilinear pairings. However, we discovered that the CLS scheme by He et al. cannot resist a strong type 2 adversary if this adversary replaces the master public key of the KGC. This work proposes an improved scheme that overcomes this weakness. Copyright © 2012 John Wiley & Sons, Ltd.

Received 10 December 2011; Revised 18 March 2012; Accepted 27 May 2012

KEY WORDS: certificateless signature; key escrow problem; identity-based; key generator center (KGC)

1. INTRODUCTION

Although people can share sensitive information over an insecure network, adversaries can easily modify or interrupt this information. A signature scheme is therefore used with transmitted information to ensure that it has not been modified by an adversary. Traditional signature schemes allow a signer to sign a message using his/her private key. In such a cryptosystem, the public key of a user is always associated with a certificate issued by a trusted Certificate Authority (CA). Therefore, the verifier incurs heavy computational costs when determining the validity of a signer's public key, and a large amount of storage is needed to store the certificates. Shamir [1] in 1984 first developed an identity-based cryptosystem, which can be seen as a simplified traditional public key cryptosystem. In this cryptosystem, a trusted key generator center (KGC) first generates a master key and all public parameters. Each user who wants to become a legal signer must send his/her identity information to the KGC to register. The KGC generates the user's private key from the signer's identity information and its master key; the signer's public key is just his/her identity information. In this way, the verifier only needs the signer's identity information and the public parameters published by the KGC to assess signature validity, and does not need to hold the public keys of all signers. Several identity-based signature schemes have since been proposed. However, because the KGC is responsible for generating private keys for all signers, a serious key escrow problem exists [2] for identity-based cryptosystems. That is, a malicious KGC can masquerade as any registered signer and forge a signature on a message of its choice. Al-Riyami and Paterson [2] developed the certificateless cryptosystem to overcome this weakness of identity-based cryptosystems. In a certificateless cryptosystem the private key is cooperatively generated by the KGC and the signer. Thus, a strong certificateless cryptosystem must withstand a malicious KGC, and also withstand malicious outsiders who can replace the signer's public key. Several certificateless cryptosystems have since been developed. To date, most certificateless signature (CLS) schemes are based on bilinear pairings [2–14]. As is known, the pairing operation is heavier than the other public key operations, such as elliptic curve point multiplication. Some efficient CLS schemes have been designed that reduce the number of pairing operations. In 2011, He et al. [15] developed an efficient short CLS scheme. The benefit of this scheme is that no pairing operations are used, and the signature length is short. Therefore, the scheme by He et al. is more efficient than other schemes. They also proved that their CLS scheme is secure against type 1 and type 2 adversaries in the random oracle model [16, 17]. However, the CLS scheme by He et al. cannot withstand a strong type 2 adversary. To overcome this weakness, this work proposes an improved CLS scheme.

*Correspondence to: Jia-Lun Tsai, Department of Information Management, National Taiwan University of Science and Technology, Taipei 106, Taiwan.
†E-mail: [email protected]

2. PRELIMINARIES

This section first introduces works related to CLS schemes, and then introduces the notation and the adversaries of a CLS scheme.

2.1. Related work

In a CLS scheme, private keys are constructed cooperatively by a KGC and a signer. Such a signature scheme overcomes the key escrow problem of identity-based signature schemes. The concept of a CLS scheme was first introduced by Al-Riyami and Paterson [2] in 2003.
However, Huang et al. [7] demonstrated that the CLS scheme by Al-Riyami and Paterson is vulnerable to type 1 adversaries, and proposed a new CLS scheme. Yum and Lee [12] proposed a generic construction of CLS schemes; after Hu et al. [6] showed that this construction cannot resist type 1 adversaries, Yum and Lee improved their scheme. Li et al. [8], Zhang et al. [13] and Gorantla and Saxena [5] each proposed a new CLS scheme using bilinear pairings. However, these three schemes require three or four pairing operations for signature verification. Some relatively more efficient and secure CLS schemes [9, 11, 14] were proposed to overcome this high computational cost, but these CLS schemes are not short signature schemes. To reduce signature size and computational cost, Du and Wen [4] and Tso et al. [10] designed short CLS schemes using bilinear pairings. However, Choi et al. [3] demonstrated that the CLS scheme by Du and Wen [4] cannot withstand a key replacement attack, and a key replacement attack also works against the scheme by Tso et al. [10]. Choi et al. [3] then proposed an improved short CLS scheme in 2011 and argued that it is secure under the security model developed by Huang et al. However, the bilinear pairing operation is still used for signature verification. To remove the bilinear pairing operation, He et al. [15] developed a new CLS scheme that does not use bilinear pairings, so its computational cost for signature generation and verification is lower than that of the other schemes. However, the CLS scheme by He et al. cannot resist a strong type 2 adversary when such an adversary replaces the master public key generated by the KGC.

2.2. Notation of the certificateless signature scheme

A CLS scheme consists of seven algorithms: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Sign, and Verify. Each algorithm is described as follows:


Setup: This algorithm takes a security parameter $k$ as its input and outputs a master private key $x$, the corresponding master public key $P_{pub}$, and the public parameters $params$. The KGC publishes $params$ and keeps the master private key $x$ secret.
Partial-Private-Key-Extract: This algorithm takes $params$, the master private key $x$ and an entity's identity $ID$ as inputs and outputs the partial private key of that entity.
Set-Secret-Value: This algorithm takes $params$ and the identity $ID$ as inputs and outputs the entity's secret value $x_{ID}$.
Set-Private-Key: This algorithm takes the partial private key and the secret value $x_{ID}$ of the user with identity $ID$ and returns the user's private key $sk_{ID}$.
Set-Public-Key: This algorithm takes $params$ and the secret value $x_{ID}$ and outputs the user's public key $pk_{ID}$.
Sign: Given $params$, a user's private key $sk_{ID}$ and a message $m$, this algorithm returns a signature $\sigma$ on $m$.
Verify: This algorithm takes $params$, the KGC's master public key $P_{pub}$, a user's public key $pk_{ID}$, a signature $\sigma$ and a message $m$ as input, and returns true when $\sigma$ is a valid signature on $m$; otherwise, it returns false.

2.3. Adversaries of certificateless signature schemes

Generally, CLS schemes consider type 1 and type 2 adversaries. A type 1 adversary does not have the master key generated by the KGC, but can replace the public keys of users. A type 2 adversary is a malicious KGC that has the master key but cannot replace the public keys of a signer. Huang et al. [18] in 2007 developed a refined security model for CLS schemes. According to their classification, type 1 and type 2 adversaries are further divided into normal, strong and super adversaries. A normal adversary can only obtain valid signatures under the original public keys. A strong adversary can obtain a valid signature under a replaced public key only if it also submits the corresponding secret value. A super adversary can obtain valid signatures under a replaced public key without submitting any secret value.

3. REVIEW AND CRYPTANALYSIS OF THE CLS SCHEME BY HE ET AL.

This section briefly reviews the CLS scheme by He et al. [15] and then demonstrates that this CLS scheme cannot withstand a strong type 2 adversary when this adversary replaces the master public key issued by the KGC.

3.1. Review of the certificateless signature scheme by He et al.

Details of each phase in the CLS scheme by He et al. are described as follows:

Setup: Let $p$ be a $k$-bit prime, let $E/\mathbb{F}_p$ be an elliptic curve over the prime field $\mathbb{F}_p$ defined by the equation $y^2 = x^3 + ax + b$, and let $G$ be a cyclic additive group of order $n$ generated by a point $P \in G$ on $E$. The KGC chooses its master key $x \in \mathbb{Z}_n$, computes the master public key $P_{pub} = xP$ and chooses two secure one-way hash functions $H_1: \{0,1\}^* \times G \to \mathbb{Z}_n$ and $H_2: \{0,1\}^* \times G \to \mathbb{Z}_n$. The KGC then publishes the public parameters $\{\mathbb{F}_p, E/\mathbb{F}_p, G, P, P_{pub}, H_1, H_2\}$ and keeps the master key $x$ secret.
Set-Secret-Value: A signer with identity $ID$ chooses his/her secret value $x_{ID} \in \mathbb{Z}_n$, computes $P_{ID} = x_{ID} P$ and keeps $x_{ID}$ secret.
Partial-Private-Key-Extract: For each signer with identity $ID$, the KGC chooses a random number $r_{ID} \in \mathbb{Z}_n$ and computes $R_{ID} = r_{ID} P$, $h_{ID} = H_1(ID, R_{ID}, P_{ID})$ and $s_{ID} = r_{ID} + h_{ID} x \bmod n$. The KGC then sends $(s_{ID}, R_{ID})$ to the user via a secure channel. The tuple $(s_{ID}, R_{ID})$ is the partial private key of the user, and the user can confirm its validity by checking the following equation:

$$s_{ID} \cdot P = R_{ID} + h_{ID} \cdot P_{pub}. \qquad (1)$$

If Equation (1) holds, the partial private key $(s_{ID}, R_{ID})$ is valid; otherwise, the signer rejects it.
Set-Private-Key: The signer uses $sk_{ID} = (x_{ID}, s_{ID})$ as his/her private key.
Set-Public-Key: The signer adopts $pk_{ID} = (P_{ID}, R_{ID})$ as his/her public key.


Sign: When a signer wants to sign a message $m$, he/she performs the following steps to generate the signature $(R, s)$ on $m$:
Step 1. The signer chooses a random number $l \in \mathbb{Z}_n$ and computes

$$R = l P, \qquad (2)$$
$$h = H_2(m, R, P_{ID}, R_{ID}). \qquad (3)$$

Step 2. The signer checks whether $\gcd(l + h, n) = 1$. If it does not hold, the signer returns to Step 1.
Step 3. The signer computes

$$s = (l + h)^{-1} (x_{ID} + s_{ID}) \bmod n \qquad (4)$$

and then sends $(m, R, s)$ to the verifier.
Verify: Upon receiving the signature $(R, s)$ and message $m$ from the signer, the verifier confirms the validity of $(R, s)$ using the following equation:

$$s \cdot (R + h \cdot P) = P_{ID} + R_{ID} + h_{ID} \cdot P_{pub}, \qquad (5)$$

where $h = H_2(m, R, P_{ID}, R_{ID})$ and $h_{ID} = H_1(ID, R_{ID}, P_{ID})$. If Equation (5) holds, the signature $(R, s)$ is valid; otherwise, the verifier rejects it.

3.2. The strong type 2 adversary of the certificateless signature scheme by He et al.

The CLS scheme by He et al. cannot withstand strong type 2 adversaries. The following two attacks on the CLS scheme by He et al. succeed.

Attack 1: The strong type 2 adversary can complete the following steps to forge a valid signature $(R', s')$ on a chosen message $m'$.
Step 1. The adversary chooses a random number $x \in \mathbb{Z}_n$ (unrelated to the KGC's master key) and a message $m'$, and computes

$$s' = x, \qquad (6)$$
$$R' = \frac{1}{x} \cdot (P_{ID} + R_{ID}), \qquad (7)$$
$$P'_{pub} = \frac{h'}{h'_{ID}} \cdot x \cdot P, \qquad (8)$$

where $h' = H_2(m', R', P_{ID}, R_{ID})$ and $h'_{ID} = H_1(ID, R_{ID}, P_{ID})$. Notably, $(R', s')$ is the forged signature. This step uses only the public values $P$, $P_{ID}$ and $R_{ID}$; the attack relies entirely on the verifier accepting the replaced master public key $P'_{pub}$.
Step 2. The adversary replaces the old master public key $P_{pub}$ with the new master public key $P'_{pub}$.
The following shows that the forged signature passes signature verification by Equation (5):

$$s' \cdot (R' + h' \cdot P) = x \cdot (R' + h' \cdot P) = x \cdot \frac{1}{x} \cdot (P_{ID} + R_{ID}) + x \cdot h' \cdot P = P_{ID} + R_{ID} + x \cdot h' \cdot P = P_{ID} + R_{ID} + h'_{ID} \cdot \frac{h'}{h'_{ID}} \cdot x \cdot P = P_{ID} + R_{ID} + h'_{ID} \cdot P'_{pub}.$$


Attack 2: A strong type 2 adversary can forge a valid signature on his/her chosen message $m'$ as follows.
Step 1. The adversary first chooses two random numbers $k \in \mathbb{Z}_n$ and $t \in \mathbb{Z}_n$ and then computes

$$R' = k P, \qquad (9)$$
$$s' = \frac{t}{k + h'}, \qquad (10)$$
$$P'_{pub} = \frac{1}{h'_{ID}} \cdot (-P_{ID} - R_{ID} + t P), \qquad (11)$$

where, as in Equation (5), $h' = H_2(m', R', P_{ID}, R_{ID})$ and $h'_{ID} = H_1(ID, R_{ID}, P_{ID})$. Note that $(R', s')$ is a forged signature.
Step 2. The adversary replaces the old master public key $P_{pub}$ with the new master public key $P'_{pub}$. Now the forged signature passes verification by Equation (5):

$$s' \cdot (R' + h' \cdot P) = \frac{t}{k + h'} \cdot (R' + h' \cdot P) = \frac{t}{k + h'} \cdot ((k + h') \cdot P) = t P = P_{ID} + R_{ID} + h'_{ID} \cdot \frac{1}{h'_{ID}} \cdot (-P_{ID} - R_{ID} + t P) = P_{ID} + R_{ID} + h'_{ID} \cdot P'_{pub}.$$

4. THE IMPROVED SCHEME

This work has demonstrated that the CLS scheme by He et al. [15] is not secure against strong type 2 adversaries. The security leak in the CLS scheme by He et al. is that the master public key generated by the KGC can be replaced by a malicious KGC, because neither the signature nor the hash values bind $P_{pub}$. To overcome this weakness, the Sign and Verify phases must be modified; the remaining phases are unchanged. Details of the improved Sign and Verify phases are as follows.

Sign: Assume a signer wants to sign a message $m$. The signer completes the following steps to generate a signature $(R, s)$ on $m$:
Step 1. The signer chooses a random number $l \in \mathbb{Z}_n$ and computes

$$R = l P, \qquad (12)$$
$$h_1 = H_2(m, R, P_{ID}, R_{ID}), \qquad (13)$$
$$h_2 = H_2(m, R, P_{ID}, R_{ID}, P_{pub}).$$

Step 2. The signer checks whether $\gcd(l + h_1, n) = 1$. If it does not hold, the signer returns to Step 1.
Step 3. The signer computes

$$s = (l + h_1)^{-1} \cdot (h_2 \cdot x_{ID} + s_{ID}) \bmod n \qquad (14)$$

and then sends $(m, R, s)$ to the verifier.
Verify: The verifier checks the following equation to confirm the validity of the received signature $(R, s)$:

$$s \cdot (R + h_1 \cdot P) = h_2 \cdot P_{ID} + R_{ID} + h_{ID} \cdot P_{pub}, \qquad (15)$$

where $h_1 = H_2(m, R, P_{ID}, R_{ID})$, $h_2 = H_2(m, R, P_{ID}, R_{ID}, P_{pub})$ and $h_{ID} = H_1(ID, R_{ID}, P_{ID})$. If Equation (15) holds, the signature $(R, s)$ is accepted by the verifier; otherwise, the verifier rejects it. The correctness of Equation (15) follows from $s_{ID} = r_{ID} + h_{ID} x$:

$$s \cdot (R + h_1 \cdot P) = (l + h_1)^{-1} \cdot (h_2 \cdot x_{ID} + s_{ID}) \cdot (l + h_1) \cdot P = (h_2 \cdot x_{ID} + s_{ID}) \cdot P = h_2 \cdot P_{ID} + R_{ID} + h_{ID} \cdot P_{pub}.$$

5. SECURITY ANALYSES

This section shows that the two attacks of Section 3.2 cannot succeed against the improved scheme. The other security analyses can be found in the work by He et al. and are not repeated here.

Resistance to attack 1: We assume a malicious KGC wants to masquerade as a legal signer and sign a message $m'$ by replacing the master public key. Without knowledge of the signer's private key $sk_{ID} = (x_{ID}, s_{ID})$, the malicious KGC must choose a random number $s'$ and then compute $R'$ and $P'_{pub}$ so that Equation (15) holds. In Attack 1 this was possible because $P_{ID} + R_{ID}$ appears in Equation (5) with a fixed coefficient, so $R'$ could be set to $x^{-1}(P_{ID} + R_{ID})$. In the improved scheme, $P_{ID}$ enters Equation (15) with the coefficient $h_2 = H_2(m', R', P_{ID}, R_{ID}, P'_{pub})$, which depends on both $R'$ and $P'_{pub}$. The malicious KGC cannot fix $R'$ and $P'_{pub}$ and at the same time determine $h_2$, because changing either of them changes $h_2$. Therefore, the malicious KGC cannot carry out Attack 1 successfully.

Resistance to attack 2: We assume a malicious KGC wants to masquerade as a legal signer and sign a message $m'$ by replacing the master public key. Without knowledge of the signer's private key $sk_{ID} = (x_{ID}, s_{ID})$, the malicious KGC would compute $R' = kP$ and $s' = t/(k + h'_1)$, where $k \in \mathbb{Z}_n$ and $t \in \mathbb{Z}_n$ are two random numbers, and would then have to choose its master public key $P'_{pub}$ so that the signer's public key $(P_{ID}, R_{ID})$ cancels out of Equation (15). However, this malicious KGC cannot simultaneously determine $P'_{pub}$ and $h_2 = H_2(m', R', P_{ID}, R_{ID}, P'_{pub})$, because $h_2$ depends on $m'$, $R'$, $P_{ID}$, $R_{ID}$ and $P'_{pub}$. Therefore, Attack 2 cannot work against the improved CLS scheme.

6. CONCLUSIONS

He et al. [15] recently proposed a novel and efficient CLS scheme without bilinear pairings. This work shows that the CLS scheme by He et al. cannot resist a strong type 2 adversary that replaces the master public key. The work presented here proposes an improved CLS scheme that overcomes this weakness while retaining the advantages of the scheme by He et al. In addition, the proposed scheme has the lowest computation costs compared with the other related works. Therefore, the proposed improved scheme can be implemented easily in low-computing mobile environments.
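The following is an added, runnable example; it is not code from this paper or from He et al. It implements, in Python 3.8 or later (for `pow(x, -1, n)`), the scheme of Section 3.1, the two master-public-key replacement forgeries of Section 3.2 and the modified Sign/Verify of Section 4, and then checks every verification equation on the same keys. Assumptions not fixed by the paper: the generic group $(\mathbb{F}_p, E, G, P, n)$ is instantiated with secp256k1; $H_1$ and $H_2$ are SHA-256 over a length-prefixed encoding, reduced modulo $n$, with the five-input $H_2$ of the improved scheme being the same function with $P_{pub}$ appended; and the identity, message and all secret scalars are constructed fixed values. Function and variable names are the example's own.

```python
import hashlib, math, secrets

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime p
A, B = 0, 7                                                               # curve y^2 = x^3 + A x + B
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime group order n
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,  # generator P
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + A x + B over F_p, INF is the identity
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    num, den = (3 * x1 * x1 + A, 2 * y1) if x1 == x2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):  # double-and-add; not constant-time, acceptable for a demonstration
    result, addend, k = INF, pt, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend, k = ec_add(addend, addend), k >> 1
    return result

def _enc(v):  # hash-input encoding: uncompressed point, or length-prefixed byte string
    return b"\x04" + v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big") if isinstance(v, tuple) else len(v).to_bytes(4, "big") + v

def _hash(tag, *items):  # SHA-256 with a domain tag, reduced into Z_n (assumed instantiation of H1/H2)
    return int.from_bytes(hashlib.sha256(tag + b"".join(map(_enc, items))).digest(), "big") % N

def H1(ID, R_ID, P_ID):  # H1(ID, R_ID, P_ID) -> Z_n
    return _hash(b"H1", ID, R_ID, P_ID)
def H2(*items):  # H2(m, R, P_ID, R_ID) -> Z_n, or H2(m, R, P_ID, R_ID, Ppub) in the improved scheme
    return _hash(b"H2", *items)

def partial_private_key(x, ID, P_ID, r_ID):  # KGC: R_ID = r_ID P, s_ID = r_ID + h_ID x mod n
    R_ID = ec_mul(r_ID, G)
    return (r_ID + H1(ID, R_ID, P_ID) * x) % N, R_ID

def check_partial_key(ID, s_ID, R_ID, P_ID, Ppub):  # Equation (1): s_ID P == R_ID + h_ID Ppub
    return ec_mul(s_ID, G) == ec_add(R_ID, ec_mul(H1(ID, R_ID, P_ID), Ppub))

def _pick_l(h_of_R):  # Sign steps 1-2: R = lP for random l, retried until gcd(l + h, n) = 1
    while True:
        l = secrets.randbelow(N - 1) + 1
        R = ec_mul(l, G)
        h = h_of_R(R)
        if math.gcd(l + h, N) == 1:
            return l, R, h

def sign_he(m, x_ID, s_ID, P_ID, R_ID):  # Equation (4): s = (l + h)^{-1} (x_ID + s_ID) mod n
    l, R, h = _pick_l(lambda R: H2(m, R, P_ID, R_ID))
    return R, pow(l + h, -1, N) * (x_ID + s_ID) % N

def verify_he(m, sig, ID, P_ID, R_ID, Ppub):  # Equation (5): s (R + h P) == P_ID + R_ID + h_ID Ppub
    R, s = sig
    lhs = ec_mul(s, ec_add(R, ec_mul(H2(m, R, P_ID, R_ID), G)))
    return lhs == ec_add(ec_add(P_ID, R_ID), ec_mul(H1(ID, R_ID, P_ID), Ppub))

def sign_improved(m, x_ID, s_ID, P_ID, R_ID, Ppub):  # Equation (14): h2 additionally binds Ppub
    l, R, h1 = _pick_l(lambda R: H2(m, R, P_ID, R_ID))
    return R, pow(l + h1, -1, N) * (H2(m, R, P_ID, R_ID, Ppub) * x_ID + s_ID) % N

def verify_improved(m, sig, ID, P_ID, R_ID, Ppub):  # Equation (15): s (R + h1 P) == h2 P_ID + R_ID + h_ID Ppub
    R, s = sig
    lhs = ec_mul(s, ec_add(R, ec_mul(H2(m, R, P_ID, R_ID), G)))
    return lhs == ec_add(ec_add(ec_mul(H2(m, R, P_ID, R_ID, Ppub), P_ID), R_ID), ec_mul(H1(ID, R_ID, P_ID), Ppub))

def attack1(m, ID, P_ID, R_ID, x_adv):  # Equations (6)-(8); uses only public values
    s = x_adv % N
    R = ec_mul(pow(s, -1, N), ec_add(P_ID, R_ID))                 # R' = x^{-1} (P_ID + R_ID)
    h, h_ID = H2(m, R, P_ID, R_ID), H1(ID, R_ID, P_ID)
    return (R, s), ec_mul(h * pow(h_ID, -1, N) * s, G)            # P'pub = (h' / h'_ID) x P

def attack2(m, ID, P_ID, R_ID, k, t):  # Equations (9)-(11)
    R = ec_mul(k, G)                                               # R' = kP
    h, h_ID = H2(m, R, P_ID, R_ID), H1(ID, R_ID, P_ID)
    s = t * pow((k + h) % N, -1, N) % N                            # s' = t / (k + h')
    q = ec_add(P_ID, R_ID)
    return (R, s), ec_mul(pow(h_ID, -1, N), ec_add((q[0], -q[1] % P_MOD), ec_mul(t, G)))  # h'_ID^{-1} (-P_ID - R_ID + tP)

def demo():  # constructed identity, message and secrets (fixed so the run is reproducible)
    ID, m = b"alice", b"transfer 100 to bob"
    x, Ppub = 0x1111, ec_mul(0x1111, G)                   # Setup: the genuine master key pair
    x_ID, P_ID = 0x2222, ec_mul(0x2222, G)                # Set-Secret-Value / Set-Public-Key
    s_ID, R_ID = partial_private_key(x, ID, P_ID, 0x3333)
    f1, Ppub1 = attack1(m, ID, P_ID, R_ID, 0x5555)
    f2, Ppub2 = attack2(m, ID, P_ID, R_ID, 0x6666, 0x7777)
    return {"honest_he": verify_he(m, sign_he(m, x_ID, s_ID, P_ID, R_ID), ID, P_ID, R_ID, Ppub),
            "honest_improved": verify_improved(m, sign_improved(m, x_ID, s_ID, P_ID, R_ID, Ppub), ID, P_ID, R_ID, Ppub),
            "attack1_he_replaced_ppub": verify_he(m, f1, ID, P_ID, R_ID, Ppub1),  # forgery accepted
            "attack1_he_pinned_ppub": verify_he(m, f1, ID, P_ID, R_ID, Ppub),     # rejected when Ppub is pinned
            "attack2_he_replaced_ppub": verify_he(m, f2, ID, P_ID, R_ID, Ppub2),  # forgery accepted
            "attack1_improved": verify_improved(m, f1, ID, P_ID, R_ID, Ppub1),    # rejected: h2 binds Ppub
            "attack2_improved": verify_improved(m, f2, ID, P_ID, R_ID, Ppub2)}    # rejected: h2 binds Ppub
```

`demo()` returns the verification outcomes: the honest signatures verify under both schemes; both forgeries are accepted by Equation (5) once the verifier uses the substituted $P'_{pub}$, and the same forgeries fail Equation (15) because $h_2$ changes with $P'_{pub}$. The `attack1_he_pinned_ppub` entry is the practical caveat: the attack only works against a verifier that takes $P_{pub}$ from the adversary, so a verifier that pins the genuine $P_{pub}$ out of band rejects the forgery even under He et al.'s verification. The scalar multiplication is not constant-time and the block is a teaching implementation, not audited code.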

ACKNOWLEDGEMENTS

The authors gratefully acknowledge the support from Taiwan Information Security Center (TWISC) and the National Science Council, Taiwan, under Grant Numbers NSC 100-2219-E-011-002, NSC 100-2218-E-011-002, NSC 100-2218-E-011-005 and NSC 101-2219-E-011-004. Ted Knoy is appreciated for his editorial assistance.


REFERENCES

1. Shamir A. Identity-based cryptosystems and signature schemes. Proceedings of CRYPTO 84 on Advances in Cryptology, Santa Barbara, California, USA, 1984; 47–53.
2. Al-Riyami S, Paterson KG. Cert, ificateless public key cryptography. Proceedings of ASIACRYPT 2003, Taipei, Taiwan, 2003; 452–473.
3. Choi K, Park J, Lee D. A new provably secure certificateless short signature scheme. Computers and Mathematics with Applications 2011; 61:1760–1768.
4. Du H, Wen Q. Efficient and provably-secure certificateless short signature scheme from bilinear pairings. Computer Standards & Interfaces 2009; 31:390–394.
5. Gorantla M, Saxena A. An efficient certificateless signature scheme. 2005 International Conference on Computational Intelligence and Security, Xi'an, China, 2005; 110–116.
6. Hu BC, Wong DS, Zhang Z, Deng X. Key replacement attack against a generic construction of certificateless signature. In ACISP 2006, Vol. 4058, LNCS. Springer-Verlag: Melbourne, Australia, 2006; 235–246.
7. Huang X, Susilo W, Mu Y, Zhang F. On the security of certificateless signature schemes from Asiacrypt 2003. In CANS 2005, Vol. 3810, LNCS. Springer-Verlag: Xiamen, Fujian Province, China, 2005; 13–25.
8. Li X, Chen K, Sun L. Certificateless signature and proxy signature schemes from bilinear pairings. Lithuanian Mathematical Journal 2005; 45:76–83.
9. Park J, Kang B. Security analysis of the certificateless signature scheme proposed at SecUbiq 2006. In EUC Workshops 2007, Vol. 4809, LNCS. Springer-Verlag: Taipei, Taiwan, 2007; 686–691.
10. Tso R, Yi X, Huang X. Efficient and short certificateless signatures secure against realistic adversaries. Journal of Supercomputing 2011; 55:173–191.
11. Yap W, Heng S, Goi B. An efficient certificateless signature scheme. 2006 Proceedings of Emerging Directions in Embedded and Ubiquitous Computing, 2006; 322–331.
12. Yum D, Lee P. Generic construction of certificateless signature. 9th Australasian Conference on Information Security and Privacy, Sydney, Australia, 2004; 200–211.
13. Zhang Z, Wong D, Xu J. Certificateless public-key signature: security model and efficient construction. 4th International Conference on Applied Cryptography and Network Security, Singapore, 2006; 293–308.
14. Zhang L, Zhang F, Zhang F. New efficient certificateless signature scheme. In EUC Workshops 2007, Vol. 4809, LNCS. Springer-Verlag: Taipei, Taiwan, 2007; 692–703.
15. He D, Chen J, Zhang R. An efficient and provably-secure certificateless signature scheme without bilinear pairings. International Journal of Communication Systems. DOI: 10.1002/dac.1330. Article first published online: 26 September 2011.
16. Canetti R, Goldreich O, Halevi S. The random oracle methodology, revisited. Journal of the ACM 2004; 51(4):557–594.
17. Pointcheval D, Stern J. Security arguments for digital signatures and blind signatures. Journal of Cryptology 2000; 13(3):361–396.
18. Huang X, Mu Y, Susilo W, Wong DS, Wu W. Certificateless signature revisited. In ACISP 2007, Vol. 4586, LNCS. Springer-Verlag: Townsville, Australia, 2007; 308–322.

AUTHORS' BIOGRAPHIES

Jia-Lun Tsai graduated from the Department of E-Learning of National Chiao Tung University in 2007. He is now working towards his PhD degree at the Department of Information Management of the National Taiwan University of Science and Technology (NTUST). He has published more than 10 papers in journals and conference proceedings. His research interests include cryptography, wireless security, and network security.

Nai-Wei Lo received his BS degree in Engineering Science from the National Cheng-Kung University, Tainan, Taiwan, in 1988, and his MS and PhD degrees in Computer Science and Electrical Engineering from the State University of New York at Stony Brook, NY, in 1992 and 1998, respectively. He is currently an associate professor in the Department of Information Management at the National Taiwan University of Science and Technology and a member of the IEEE Communications Society. His research interests include cryptography, RFID applications and security, wireless network routing and security, web technology, and fault tolerance.


Tzong-Chen Wu is a professor at the Department of Information Management at the National Taiwan University of Science and Technology (NTUST), Taiwan. He completed his PhD in the Department of Computer Science and Information Engineering at National Chiao Tung University, Taiwan, in 1992. He now serves as the dean of the School of Management, NTUST, and as chair of the Chinese Cryptology and Information Security Association (CCISA). He is also a member of the IEEE and ACM. His current research interests include cryptography, data security, network security, and data engineering.
