Improvement of digital signature with message recovery using self-certified public keys and its variants

Transcription

1 Applied Mathematics and Computation 159 (2004) Improvement of digital signature with message recovery using self-certified public keys and its variants Zuhua Shao Department of Computer and Electronic Engineering, Zhejiang University of Science and Technology, No. 85, Xueyuan Road, Hangzhou, Zhejiang , PR China Abstract By combining the concepts of self-certified public key and signature with message recovery, Tseng et al. proposed a self-certified public key signature scheme with message recovery. The proposed scheme has two properties that the signerõs public key can simultaneously be authenticated in verifying the signature and the receiver also obtains the message. Based on the proposed scheme, they further presented two variants:one is an authenticated encryption scheme that only allows a specified receiver to verify and recover the message. The other scheme is the authenticated encryption scheme with message linkages, which is used to transmit large message. In this paper, we first propose an insider forgery attack, which means that the security of the authenticated encryption scheme is not as good as the Girault schemes. Then we point out that these schemes do not have nonrepudiation. In a case of dispute, neither the sender nor the receiver can convince arbiters if the signature is valid, unless they reveal their Diffie Hellman key, which would destroy forward security. Finally we propose an improvement to these schemes to overcome the weakness. Ó 2003 Elsevier Inc. All rights reserved. Keywords: Cryptography; Digital signature; Authenticated encryption; Self-certified public key; Forward security address: zhshao_98@yahoo.com (Z. Shao) /$ - see front matter Ó 2003 Elsevier Inc. All rights reserved. doi: /j.amc

2 392 Z. Shao / Appl. Math. Comput. 159 (2004) Introduction Digital signature is very important in the modern electronic data processing systems. A digital signature is analogous to an ordinary hand-written signature and establishes both of sender authenticity and data authenticity. The signer uses his private key to generate a signature for the given message, and the verifier uses the signerõs public key to verify the signature. In the public-key cryptosystem, it is essential to maintain the integrity of public keys, though it is no longer necessary to safeguard public keys from exposure. Classically, a certification authority CA is used to bind users to their public keys. Then every user relies on CA to validate public keys in the system. The notion of self-certified public keys was first introduced by Girault [1]. Each userõs public key is derived from the signature of the userõs private key with his identity, signed by the system authority using the systemõs private key. The public key of each user need not be accompanied with a separate certificate to be authenticated by verifiers. The authentication of the public key can be implicitly accomplished with the signature verification. Therefore, self-certified public keys contribute to reducing the amount of storage and computations in public key schemes. The notion of signature with message recovery was introduced by Nyberg and Rueppel [2]. Later, Horster et al. [3] proposed an authenticated encryption scheme modified from Nyberg Rueppel scheme. In the authenticated encryption scheme, the signer may generate the signature for a message and then send it to a specified receiver, and only the specified receiver can recover and verify the message. Therefore, the authenticated encryption scheme can be regarded as the combination of data encryption scheme and digital signature scheme. Recently, extended from the self-certified public system proposed by Girault, Tseng et al. [4] proposed a new digital signature scheme with message recovery. Subsequently, they presented two variants based on the proposed digital signature with message recovery, which provided different kinds of applications. These proposed schemes have the same property that the signerõs public key can simultaneously be authenticated in verifying the signature. The public keys and certificate directory maintained by the system authority are not required, and the private key of each user is chosen by the user himself. In this paper, we first propose an insider forgery attack, which means that the security of the authenticated encryption scheme is not as good as the Girault schemes. The security of each user depends entirely on the honesty of the system authority. Then we would like to point out that these schemes do not have nonrepudiation, which must be satisfied by any digital signature scheme. In a case of dispute, neither the sender nor the receiver can convince a third party if the signature is valid, unless they reveal their Diffie Hellman key, which would destroy forward security. Finally we propose an improvement to these schemes to overcome this weakness.

3 2. Review of the Tseng signature schemes 2.1. Signature scheme with message recovery The proposed scheme consists of three phases:the system initialization phase, signature generation and message recovery phases. System initialization phase. In the system initialization, there is a trusted authority that is responsible for generating system parameters. The trusted authority first chooses two large primes p and q of almost the same size such that p ¼ 2p 0 þ 1 and q ¼ 2q 0 þ 1, where p 0 and q 0 are also primes and computes N ¼ p q. Then, the trusted authority selects an integers g which is a base element of order p 0 q 0. In addition, the trusted authority keeps p; q; p 0 and q 0 secret and publishes N and g to all users. The trusted authority also publishes a public one-way function h() which accepts a variant-length input string of bits and produces a fixed-length output string of bits as specified in [5], that is hðmþ < minðp 0 ; q 0 Þ. When a user U i (whose identity is ID i ) intends to join the system, the user U i randomly chooses a private key x i and computes p i ¼ g xi mod N. Then U i sends p i and ID i to the trusted authority. After receiving p i and ID i, the trusted authority computes and publishes public key of U i as y i ¼ ðp i ID i Þ hðidiþ 1 modn. U i may check the validity of the public key y i by verifying the equation y hðidiþ i þ ID i ¼ g xi modn. Signature generation phase. Suppose that a user U i wants to sign a message M, where M contains redundancy for later verification when it is recovered. The signature generation procedure is as follows. The signer U i first chooses a random integer k. Then U i computes the signature fr; sg for the message M, where r ¼ M g k modn: s ¼ k x i hðrþ: Afterwards, the signer U i sends fr; sg to the verifier. Message recovery phase. Upon receiving fr; sg, any user can use the public value y i and ID i to recover the message M as M ¼ r g s ðy hðidiþ i þ ID i Þ hðrþ modn: The recovered massage M must be verified by checking the validity of the embedded redundancy within it Variants Z. Shao / Appl. Math. Comput. 159 (2004) Tseng et al. proposed two variants based on the scheme proposed above. One is called authenticated encryption scheme that only allows a specified

4 394 Z. Shao / Appl. Math. Comput. 159 (2004) receiver to verify and recover the message. The other is called authenticated encryption scheme with message linkages that is used to transmit large message Authenticated encryption scheme The authenticated encryption scheme integrates the mechanisms of signature and encryption. Only the specified receiver can verify and recover the message, but the other receivers are unable to do it. Signature generation phase. Suppose that a user U i wants to sign and encrypt a message M to a specified receiver U j, where M contains redundancy for later verification when it is recovered. The signature generation procedure is as follows. The signer U i first chooses a random integer k. Then U i computes the signature fr; sg for the message M, where r ¼ M ðy HðIDjÞ j þ ID j Þ k mod N; s ¼ k x i hðrþ: Afterwards, the signer U i sends fr; sg to the verifier. Message recovery phase. Upon receiving fr; sg, the specified receiver U j first computes g k ¼ g s ðy hðidiþ i þ ID i Þ hðrþ modn and then uses his/her private key x j to compute the value g kxj modn. Thus the message M can be recovered as M ¼ r ðg s ðy hðidiþ i þ ID i Þ hðrþ Þ xj modn: The recovered massage M must be verified by checking the validity of the embedded redundancy within it Authenticated encryption scheme with message linkages When the signing message is large, the signing message must be divided into a sequence of message blocks. The authenticated encryption scheme with message linkages links up the message blocks to avoid the message being reordered, replicated, or partially deleted during transmission. Signature generation phase. Without loss of generality, assume that a signer U i wants to sign and encrypt a message M to a specified receiver U j. The message M is made up of the sequence fm 1 ; M 2 ;...; M n g, where M i 2 GF ðnþ for i ¼ 1; 2;...; n. Thus the signer U i carries out the following procedure to generate the signature blocks for the large message M. 1. Let r 0 ¼ 0 and chooses a random number k. 2. Compute t ¼ðy hðidjþ j þ ID j Þ k modn. 3. Compute r i ¼ M i hðr i 1 tþmodn for i ¼ 1; 2;...; n, where denotes the exclusive operator. 4. Compute s ¼ k x i r, where r ¼ hðr 1 kr 2 k...kr n Þ, and k denotes the concatenation operator.

5 Z. Shao / Appl. Math. Comput. 159 (2004) Finally, U i sends n þ 2 signature blocks (r; s; r 1 ; r 2 ;...; r n )tou j in a public way. Note that r i is used as a linking parameter to generate ith and (i þ 1)th message blocks. Message recovery phase. After receiving the set (r; s; r 1 ; r 2 ;...; r n ), U j performs the following verification procedure to recover message blocks fm 1 ; M 2 ;...; M n g. 1. Compute r 0 ¼ hðr 1 kr 2 k...kr n ) and check that r 0 ¼ r holds or not. 2. Compute g k ¼ g s ðy hðidiþ i þ ID i Þ r modn and then uses his/her private key x j to compute the value g kxj modn. It is equal to t. 3. Recover the message blocks fm 1 ; M 2 ;...; M n g as follows M i ¼ r i hðr i 1 tþ 1 modn for i ¼ 1; 2;...; n and r 0 ¼ 0. Obviously, if the signer and the receiver follow this protocol, the message blocks fm 1 ; M 2 ;...; M n g would be recovered correctly. 3. Security analysis Tseng et al. analyzed the security of the proposed schemes. They discussed six possible attacks against their proposed schemes. They thought that none of these attacks could break their schemes. However, this discussion does not mean that there do not exist other attacks against their proposed schemes Insider forgery attack Suppose that three insiders have the knowledge of p 0 q 0 and are given a valid message M and its signature fr; sg, for instance, one is the trusted authority, one is the receiver U j. Thus they have the following equation: M ¼ r ðg s ðy hðidiþ i þ ID i Þ hðrþ Þ xj modn: Let M 0 be any message containing enough redundancy. They can forge the signature of M 0 as follows: 1. Compute d ¼ M 0 =M modn. 2. Compute r 0 ¼ d r mod N. 3. Compute s 0 ¼ s hðr 0 ÞhðrÞ 1 mod p 0 q 0 and x 0 j ¼ x j hðrþhðr 0 Þ 1 modp 0 q The third insider Uj 0 chooses x 0 j as his private key and computes pj 0 ¼ g x0 j modn. Then U 0 j sends pj 0 and ID0 j to the trusted authority. After receiving pj 0 and ID0 j, the trusted authority computes and publishes public key of U j 0 as yj 0 ¼ðp0 j ID0 j ÞhðID0 j Þ 1 mod N.

6 396 Z. Shao / Appl. Math. Comput. 159 (2004) Thus they can claim that fr 0 ; s 0 g is the signature of the message M 0 signed by the user U i and the specified receiver is the user U 0 j. Because M ¼ r ðg s ðy hðidiþ i implies So þ ID i Þ hðrþ Þ xj modn d M ¼ d r ðg s ðy hðidiþ i þ ID i Þ hðrþ Þ x j mod N: M 0 ¼ r 0 ðg shðr0 ÞhðrÞ 1 ðy hðidiþ i þ ID i Þ hðr0þ Þ xjhðrþhðr0 Þ 1 modn: That is M 0 ¼ r 0 ðg s0 ðy hðidiþ i þ ID i Þ hðr0þ Þ x0 j modn. This insider attack seems impossible. However, it means that one advantage Tseng claimed is meaningless, i.e. the private key of each user is chosen by the user himself and remains unknown to the system authority. Even so, the security of each user depends entirely on the honesty of the system authority. As it stands, the security of the authenticated encryption scheme is not as good as the Girault self-certified public key schemes Forward security In the authenticated encryption scheme, the receiver U j recovers the transmitted message M by the following equation: M ¼ r ðg s ðy hðid iþ i þ ID i Þ hðrþ Þ xj modn; which is equivalent to the equation: M ¼ r ðg xixj Þ hðrþ ðy hðidjþ j þ ID j Þ s mod N: If by accident, one message M becomes known to a third party, he would derive the value ðg xixj Þ hðrþ modn. If the third party was the trusted authority, he could further derive the Differ Hellman key K ¼ðg x ix j Þ. With this knowledge, he would derive all messages transmitted between the users U i and U j. If the third party had not the knowledge of p 0 q 0, he would derive all messages M 0 transmitted between the users U i and U j, if hðrþjhðr 0 Þ and M 0 ¼ r 0 ðg xixj Þ hðr0þ ðy hðidjþ j þ ID j Þ s0 modn. Moreover, if the third party obtains some more ðg xixj Þ hðr1þ ;...; ðg xixj Þ hðrtþ, he would be likely to derive some more messages. Because, he can obtain ðg xixj Þ d modn; d ¼ GCDðhðr 1 Þ;...; hðr t ÞÞ, it is more likely that djhðr 0 Þ. Similar to the authenticated encryption scheme with message linkages, if the signature equation is modified as r ¼ M hððy HðIDjÞ j þ ID j Þ k Þ 1 modn;

7 Z. Shao / Appl. Math. Comput. 159 (2004) which can overcome this weakness. However, this modification still has another weakness as well as the authenticated encryption scheme with message linkages Arbitration As a signature scheme, if there are some disputes over the message signed, the signer or the receiver should be able to convince a third party if the signature is valid. In the proposed schemes, they need to reveal the value t ¼ðy HðIDjÞ j þ ID j Þ k modn to show that r i ¼ M i hðr i 1 tþmodn for i ¼ 1; 2;...; n, and r ¼ hðr 1 kr 2 k...kr n Þ. However, with the knowledge of t, the third party would derive ðg x ix j Þ r modn from the equation: t ¼ðg xixj Þ r ðy hðidjþ j þ ID j Þ s modn: Therefore the proposed schemes has the similar weakness to those in the signcryption schemes propose by Zheng [6]. 4. Improvement of signature schemes In this section, we present an improvement of the schemes. In addition to the three phases:the system initialization phase, signature generation phase and message recovery phase, the improved scheme has one more phase:dispute arbitration. The system initialization phase is the same as the one presented in Section 2. In the following, we only describe the other three phases. Signature generation phase. Without loss of generality, assume that a signer U i wants to sign and encrypt a message M to a specified receiver U j. The message M is made up of the sequence {M 1 ; M 2 ;...; M n }, where M i 2 GF ðnþ for i ¼ 1; 2;...; n. Thus the signer U i carries out the following procedure to generate the signature blocks for the large message M. 1. Let r 0 ¼ 0 and chooses a random number k. 2. Compute t ¼ðy hðidjþ j þ ID j Þ k modn and e ¼ g k modn. 3. Compute r i ¼ M i hðr i 1 tþmodn for i ¼ 1; 2;...; n, where denotes the exclusive operator. 4. Compute s ¼ k x i r, where r ¼ hðm; eþ. Finally, the signer U i sends n þ 2 signature blocks ðr; s; r 1 ; r 2 ;...; r n Þ to U j in a public way.

8 398 Z. Shao / Appl. Math. Comput. 159 (2004) Message recovery phase. After receiving the set ðr; s; r 1 ; r 2 ;...r n ), the receiver U j performs the following verification procedure to recover message blocks {M 1 ; M 2 ;...; M n g. 1. Compute g k ¼ g s ðy hðidiþ i þ ID i Þ r modn and then uses his/her private key x j to compute the value g kxj modn. It is equal to t. 2. Recover the message blocks {M 1 ; M 2 ;...; M n } as follows M i ¼ r i hðr i 1 tþ 1 mod N for i ¼ 1; 2;...; n and r 0 ¼ Verify the signature by checking r ¼ hðm; g s ðy hðidiþ i þ ID i Þ r mod NÞ. Obviously, if the signer and the receiver follow this protocol, the message blocks {M 1 ; M 2 ;...; M n } would be recovered correctly. Dispute arbitration phase. Obviously only the specified receiver is able to verify and recover the message M since the private key of the receiver is required to do it. If there are some disputes over the message signed, the signer or the receiver should have a way to convince a third party if the signature is valid. The verification equation of the improved scheme is the equation r ¼ hðm; g s ðy hðidiþ i þ ID i Þ r modnþ: Without the knowledge of the message M, anyone, except for the signer and the specified receiver, cannot check this equation. Hence as long as either signer or the specified receiver reveals the message M, any third party can verify the signature. Compared with the original schemes, only one more exponentiation is required in the improvement. Therefore the improvement preserves the main merits inherent in the self-certified public key cryptographic system. 5. Conclusions We have first proposed an insider forgery attack, which means that the security of the authenticated encryption scheme is not as good as the Girault schemes. The security of each user depends entirely on the honesty of the system authority. We have showed that there exists forward security weakness in the Tseng et al. signature schemes. If a message is revealed in the first variant scheme or there are some disputes over the transmitted messages in the two variant schemes, the Diffie Hellman key would be compromised, which would result in the forward security problem. By adding an exponentiation to the original schemes, the improvement can overcome this security weakness and preserve the main merits inherent in the self-certified public key cryptographic system.

9 Acknowledgements Z. Shao / Appl. Math. Comput. 159 (2004) This work is a project supported by Scientific Research Fund of Zhejiang Provincial Education Department. References [1] M. Girault, Self-certified public keys, in:advances in Cryptology EUROCRYPTÕ91, Springer, Berlin, 1991, pp [2] K. Nyberg, A.R. Rueppel, Message recovery for signature schemes based on the discrete logarithm problem, in:advances in Cryptology EurocryptÕ94, LNCS 950, Springer, Berlin, 1994, pp [3] P. Horster, M. Michels, H. Petersen, Authenticated encryption schemes with low communication costs, Electronics Letters 30 (15) (1994) [4] Y.-M. Tseng, J.-K. Jan, H.-Y. Chien, Digital signature with message recovery using self-certified public keys and its variants, Applied Mathematics and Computation 136 (2003) [5] NIST FIPS PUB 180, Secure hash Standard, National Institute of Standards and Technology, US Department of Commerce, DRAFT, [6] Y. Zheng, Digital signcryption or how to achieve cost(signature + encryption)cost(signature) + cost(encryption), LNCS 1294, in:advances in Cryptology CryptoÕ97, Springer, 1997, pp