On the Security of A Provably Secure Certificate Based Ring Signature Without Pairing




International Journal of Network Security, Vol.17, No.2, PP.129-134, Mar. 2015

Ji Geng¹, Hu Xiong¹,², Fagen Li¹, and Zhiguang Qin¹
(Corresponding author: Hu Xiong)

¹ School of Computer Science and Engineering, University of Electronic Science and Technology of China, No. 4, North Jianshe Road, Chenghua District, Chengdu, Sichuan 610054, China
² State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, No. 19 Yuquan Road, Shijingshan District, Beijing 100190, China
(Email: xionghu.uestc@gmail.com)
(Received Feb. 11, 2014; revised and accepted Nov. 6, 2014)

Abstract

Featured with anonymity and spontaneity, ring signature has been widely adopted in various environments to offer anonymous authentication. To simplify the certificate management in traditional public key infrastructure (PKI) and solve the inherent key escrow problem in the Identity-based cryptography, Qin et al. propose a pairing-free ring signature scheme in the certificate-based cryptosystem recently. Unfortunately, we demonstrate that their scheme is not secure against the malicious certificate authority (CA) and key replacement attacks by giving concrete attacks. Concretely, a malicious certificate authority (CA) can forge a signature on arbitrary message in name of any user's identity and an uncertified user is also able to forge a message.

Keywords: Certificate-based signature, forgery attack, ring signature

1 Introduction

Ring signature [19], which allows a user to issue a signature on behalf of a group of possible signers (ring), has been introduced by Rivest et al. in Asiacrypt 2001. The resulting ring signature can convince a verifier that one member in the ring indeed signed the message without revealing the real identity of the actual signer. Different from group signature [4], there is no group manager in the ring signature to handle the enrollment and revocation of the ring members. Specifically, the actual signer can conscript the other ring members to form the ring without their consent. Featured with anonymity and spontaneity, ring signature has been widely adopted to offer anonymous authentication in various scenarios. As a representative example, portable devices or mobile applications in the infrastructure-less mobile ad hoc networks (MANETs) can share data with the other participants to behave in intelligent manners. It is challenging to secure MANETs due to the openness and lack of the central authority. Taking MANETs as an example, there are several security requirements a practical system must satisfy, including:

- Authenticity: In the situation of MANETs, the data sent from the other participants would be misleading if it is forged by adversaries. Thus, it is desirable to authenticate the received data to resist the attacks mounted by the outside adversaries;
- Anonymity: The shared data in MANETs contains vast information of users, from which one can extract the location of the target users, etc. Therefore, any failures with regard to the privacy preserving may lead to the reluctance from the users to share data with others;
- Ad hoc: In the MANETs, the formation of a group where the actual user hidden from is spontaneous due to the lack of central authority; and
- Efficiency: Taking the huge number of users in MANETs into account, a practical system must lower the computation and communication overhead as much as possible.

Ring signature can be viewed as an efficient solution on the aforementioned situation where the data authenticity and anonymity are expected. In addition to the data sharing in the MANETs (instantiated as Vehicular ad hoc networks [21] and wireless sensor networks [11]), ring signature can also be deployed in other environments such as routing protocol [16] and electronic auction protocol [22, 23]. Furthermore, ring signatures can also be viewed as the building block of concurrent signatures [5, 7] and optimistic fair exchange [12]. The survey of ring signatures can be found in [6, 25].

Table 1: Notations

Notations: Descriptions
MANETs: Mobile Ad hoc NETworks
PKI: Public Key Infrastructure
ID-PKC: Identity-based Public Key Cryptography
CB-PKC: Certificate-Based Public Key Cryptography
CA: Certificate Authority
PKG: Private Key Generator
$ID_i$: The identity of the user $i$
$(upk_{ID_i}, usk_{ID_i})$: The user public/secret key pair of the user $i$
$(R, k_i)$: The certificate of the user $i$
$L_{ID} = \{ID_1, \ldots, ID_n\}$: The identity set of $n$ ring members
$L_{upk} = \{upk_{ID_1}, \ldots, upk_{ID_n}\}$: The public key set of $n$ ring members
$G$: A multiplicative group with order $q$, where $q$ is a prime number
$g$: A random generator chosen from $G$
$\pi_{u_i}$: The proof-of-knowledge (PoK) such that $PK\{(u_i) : U_1 = g^{u_i} \wedge U_2 = X^{u_i}\}$
$H$: Secure hash function such as $H : \{0, 1\}^* \to \mathbb{Z}_q$

In traditional public key infrastructure (PKI), a semi-trusted certificate authority (CA) is involved to generate a digital certificate to bind the public key and the corresponding identity. The management overhead of the public key certificate is considered to be costly. To simplify the certificate management, the notion of Identity-based public key cryptography (ID-PKC) has been introduced [20]. In ID-PKC, the public key of a user can be easily derived from its digital identity such as email address or telephone number. To enjoy the merits of ID-PKC, the notion of ID-based ring signature schemes along with the extensions have been extensively investigated [2, 8, 24]. Unfortunately, a fully-trusted private key generator (PKG) is needed to generate the private key for each user according to its respective identity in ID-PKC. Thus, the key escrow problem is introduced into ID-PKC. To simplify the heavy certificate management in traditional PKI and solve the key escrow problem in ID-PKC, a new paradigm, certificate-based public key cryptography (CB-PKC), is proposed by Gentry [10]. In CB-PKC, each user will generate the public and private key pair itself and the CA will issue the certificate using the private key generation algorithm in ID-PKC. In this way, the certificate will be used as part of the private key and third-party queries on certificate status in traditional PKI have already been eliminated in CB-PKC.

Au et al. [1] introduce the notion of ring signature in the CB-PKC setting to enjoy the merits of CB-PKC and ring signature together, and further proposed a concrete certificate based ring signature based on bilinear pairing. In order to remove the costly bilinear pairing operation, Qin et al. [18] proposed a pairing free certificate-based ring signature recently. Furthermore, they claimed that their scheme is provably secure in the random oracle model assuming the Discrete Logarithm assumption holds. Unfortunately, in this paper, we show that their scheme cannot achieve the claimed security by demonstrating two forgery attacks. Concretely, a malicious CA equipped with the master secret key can forge a valid signature on arbitrary message. In addition, an uncertified entity without a certificate issued by CA can also forge a valid signature on arbitrary message by replacing the public keys.

The rest of this paper is organized as follows. In Section 2, we review Qin et al.'s pairing-free certificate based ring signature scheme. In Section 3, we show that Qin et al.'s scheme is not secure and analyze the basic reason for the attack. Finally, the conclusions are given in Section 4.

2 Review of Qin et al.'s Scheme

Qin et al.'s certificate based ring signature scheme [18] is based on the certificate-based signature scheme in [17] and the ID-based ring signature scheme in [13]. The notation used in [18] is listed in Table 1 to improve the readability and we review Qin et al.'s scheme as follows.

1) Setup: Let $G$ be a multiplicative group with order $q$. The CA selects a random generator $g \in G$ and randomly chooses $x \in_R \mathbb{Z}_q$ as the master secret key. It sets $X = g^x$. Let $H : \{0, 1\}^* \to \mathbb{Z}_q$ be a cryptographic hash function. The public parameters are given by params $= (G, q, g, X, H)$. The multiplicative group can be implemented on the Elliptic curve cryptography (ECC). According to [3], to achieve the comparable level of security to 1024-bits RSA, the Koblitz elliptic curve $y^2 = x^3 + ax^2 + b$ defined on $F_{2^{163}}$ providing ECC group can be adopted. Here, $a$ is equal to 1 and $b$ is a 163-bit random prime. Thus, the size of the element in group $G$ (the master public key and the user public key) is assumed to be 163-bit.

2) UserKeyGen: User $ID_i$ selects a secret value $u_i \in \mathbb{Z}_q$ as his secret key $usk_{ID_i}$, and computes his public key $upk_{ID_i} = (g^{u_i}, X^{u_i}, \pi_{u_i})$ where $\pi_{u_i}$ is the following non-interactive proof-of-knowledge (PoK):

$$PK\{(u_i) : U_1 = g^{u_i} \wedge U_2 = X^{u_i}\}.$$

The subscript of $u_i$ has been inadvertently omitted in [18]. This omission has been corrected to be consistent.

3) CertGen: Let $\tilde{h}_i = H(upk_{ID_i}, ID_i)$ for user $ID_i$ with public key $upk_{ID_i}$ and binary string $ID_i$ which is used to identify the user. To generate a certificate for user $ID_i$, the CA randomly chooses $r \in_R \mathbb{Z}_q$, computes $R = g^r$ and $k_i = r^{-1}(\tilde{h}_i - xR) \bmod q$. The certificate is $(R, k_i)$. Note that a correctly generated certificate should satisfy the following equality:

$$R^{k_i} X^{R} = g^{\tilde{h}_i}.$$

4) Ring-Sign: Suppose there is a group of $n$ users whose identities form the set $L_{ID} = \{ID_1, \ldots, ID_n\}$, and their corresponding public keys form the set $L_{upk} = \{upk_{ID_1}, \ldots, upk_{ID_n}\}$. To sign a message $m \in \{0, 1\}^*$ on behalf of the group, the actual signer, indexed by $s$ using the secret key $usk_{ID_s}$ and the certificate $cert_{ID_s}$, performs the following steps.

a. For each $i \in \{1, \ldots, n\} \setminus \{s\}$, select $y_i \in_R \mathbb{Z}_q$ uniformly at random and compute $Y_i = R^{-y_i}$.
b. Compute $h_i = H(m \| L_{upk} \| L_{ID} \| Y_i)$ for $i \in \{1, \ldots, n\} \setminus \{s\}$.
c. Choose $y_s \in_R \mathbb{Z}_q$ and compute $Y_s = R^{-y_s} \prod_{i \neq s} (g^{u_i})^{h_i \tilde{h}_i} \prod_{i \neq s} (X^{u_i})^{-h_i R}$.
d. Compute $h_s = H(m \| L_{upk} \| L_{ID} \| Y_s)$.
e. Compute $z = \left(\sum_{i=1}^{n} y_i + h_s k_s u_s\right) \bmod q$.
f. Output the ring signature on $m$ as $\sigma = \{Y_1, \ldots, Y_n, R, z, \pi_{u_1}, \ldots, \pi_{u_n}\}$.

Though $\{R, \pi_{u_1}, \ldots, \pi_{u_n}\}$ is needed in the Verify algorithm, it has been inadvertently omitted in the signature of [18]. This omission has been corrected to be consistent.

5) Verify: To verify a ring signature $\sigma = \{Y_1, \ldots, Y_n, R, z, \pi_{u_1}, \ldots, \pi_{u_n}\}$ on a message $m$ with identities in $L_{ID}$ and corresponding public keys in $L_{upk}$, the verifier performs the following steps.

a. Check whether $\pi_{u_i}$ is a valid PoK. If not, reject the signature. Otherwise, run the next step.
b. Compute $h_i = H(m \| L_{upk} \| L_{ID} \| Y_i)$ and $\tilde{h}_i = H(upk_{ID_i}, ID_i)$ for all $i \in \{1, \ldots, n\}$.
c. Check whether

$$\prod_{i=1}^{n} (g^{u_i})^{h_i \tilde{h}_i} \stackrel{?}{=} R^{z}\, Y_1 \cdots Y_n \prod_{i=1}^{n} (X^{u_i})^{h_i R}.$$

d. Accept the ring signature as valid and output 1 if the above equation holds, otherwise output 0.

3 Analysis of Qin et al.'s Scheme

It is non-trivial to devise a secure certificate-based encryption/signature scheme since the certificate of the user will no longer be used to certify the corresponding public key; instead it will be implicitly used as part of the private key in the decryption/signing algorithm. In fact, several certificate-based encryption schemes [26] and certificate-based signature schemes [14, 17] have been shown to be insecure against the attacks mounted by an uncertified entity or malicious CA respectively [9, 15, 27]. Motivated by these attacks, we observe that Qin et al.'s certificate-based ring signature [18] is also insecure against the forgery attack. Comparing with the existing attack algorithms with respect to certificate based encryption/signature schemes [9, 15, 27], our work mainly focuses on the insecurity of the certificate-based ring signature, where a large number of users are involved in the process of the signature generation.

According to [14, 15, 18, 27], two different types of attacks by the malicious CA and by an uncertified user should be considered in CB-PKC. On the one hand, the malicious CA, who has the master secret key, cannot obtain the user secret key and mount the public key replacement attack. On the other hand, the uncertified user can replace public keys of any entities in the system, but is not allowed to obtain the target user's certificate.

3.1 Malicious CA Attack on Qin et al.'s Scheme

Given a ring signature $\sigma = \{Y_1, \ldots, Y_n, R, z, \pi_{u_1}, \ldots, \pi_{u_n}\}$ with the identities in $L_{ID} = \{ID_1, \ldots, ID_n\}$ and corresponding public keys in $L_{upk} = \{upk_{ID_1}, \ldots, upk_{ID_n}\}$, the CA equipped with the master key $x$ can forge a valid signature on arbitrary message $m$ as follows:

1) Randomly choose $j \in_R \{1, \ldots, n\}$.
2) Compute $\tilde{h}_j = H(upk_{ID_j}, ID_j)$.
3) Compute $R' = x^{-1} \tilde{h}_j$, where $x$ is the master key.
4) For each $i \in \{1, \ldots, n\} \setminus \{j\}$, select $y_i \in_R \mathbb{Z}_q$ uniformly at random and compute $Y'_i = (R')^{-y_i}$.
5) Compute $h_i = H(m \| L_{upk} \| L_{ID} \| Y'_i)$ for $i \in \{1, \ldots, n\} \setminus \{j\}$.
6) Choose $y_j \in_R \mathbb{Z}_q$ and compute $Y'_j = (R')^{-y_j} \prod_{i \neq j} (g^{u_i})^{h_i \tilde{h}_i} \prod_{i \neq j} (X^{u_i})^{-h_i R'}$.
7) Compute $z' = \sum_{i=1}^{n} y_i \bmod q$.
8) Output the ring signature on $m$ as $\sigma' = \{Y'_1, \ldots, Y'_n, R', z', \pi_{u_1}, \ldots, \pi_{u_n}\}$.
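The scheme reviewed in Section 2 and the Section 3.1 claim can be checked mechanically. The following is an added sketch, not code from the paper or from Qin et al.: it assumes a toy Schnorr group (p = 2039, q = 1019, g = 4), SHA-256 standing in for H, and omits the PoK; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small for real use):
# p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup of Z_p^*.
Q, P, G = 1019, 2039, 4

def H(*parts):
    """Stand-in for the scheme's hash H: maps its inputs into {1, ..., q-1}."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def setup():
    x = rand_zq()
    return x, pow(G, x, P)                      # master secret x, X = g^x

def user_keygen(X):
    u = rand_zq()
    return u, (pow(G, u, P), pow(X, u, P))      # upk = (g^u, X^u); PoK omitted

def cert_gen(x, upk, ident):
    r = rand_zq()
    R = pow(G, r, P)
    k = pow(r, -1, Q) * (H(upk, ident) - x * R) % Q
    return R, k                                 # satisfies R^k * X^R == g^{h~}

def _close_ring(m, ids, upks, idx, R, y):
    """Build Y_1..Y_n so that every term except member idx cancels in Verify."""
    Y = [pow(R, -y_i, P) for y_i in y]
    for i, (U1, U2) in enumerate(upks):
        if i != idx:
            h_i, ht_i = H(m, upks, ids, Y[i]), H(upks[i], ids[i])
            Y[idx] = Y[idx] * pow(U1, h_i * ht_i, P) * pow(U2, -h_i * R, P) % P
    return Y

def ring_sign(m, ids, upks, s, u_s, cert):
    R, k = cert
    y = [rand_zq() for _ in ids]
    Y = _close_ring(m, ids, upks, s, R, y)
    h_s = H(m, upks, ids, Y[s])
    return Y, R, (sum(y) + h_s * k * u_s) % Q

def verify(m, ids, upks, sig):
    Y, R, z = sig
    lhs, rhs = 1, pow(R, z, P)
    for upk, ident, Y_i in zip(upks, ids, Y):
        h_i, ht_i = H(m, upks, ids, Y_i), H(upk, ident)
        lhs = lhs * pow(upk[0], h_i * ht_i, P) % P
        rhs = rhs * Y_i * pow(upk[1], h_i * R, P) % P
    return lhs == rhs

def ca_forge(m, ids, upks, x, j=0):
    """Section 3.1: built from the master key x and public keys only."""
    R_f = pow(x, -1, Q) * H(upks[j], ids[j]) % Q    # R' = x^{-1} * h~_j
    y = [rand_zq() for _ in ids]
    Y = _close_ring(m, ids, upks, j, R_f, y)
    # The page reduces z' mod q; it is left unreduced here because in this toy
    # Z_p^* instantiation the integer R' need not have order q (assumption).
    return Y, R_f, sum(y)

def demo():
    x, X = setup()
    ids = ["alice", "bob", "carol"]             # constructed identities
    keys = [user_keygen(X) for _ in ids]
    upks = [upk for _, upk in keys]
    cert = cert_gen(x, upks[1], ids[1])
    honest = ring_sign("msg", ids, upks, 1, keys[1][0], cert)
    forged = ca_forge("never signed", ids, upks, x)
    return verify("msg", ids, upks, honest), verify("never signed", ids, upks, forged)
```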

The following equations show that the signature $\sigma' = \{Y'_1, \ldots, Y'_n, R', z', \pi_{u_1}, \ldots, \pi_{u_n}\}$ is valid.

$$
\begin{aligned}
\prod_{i=1}^{n} (g^{u_i})^{h_i \tilde{h}_i}
&= g^{x u_j h_j x^{-1} \tilde{h}_j} \prod_{i \neq j} (g^{u_i})^{h_i \tilde{h}_i} \\
&= g^{x u_j h_j R'} \prod_{i \neq j} (g^{u_i})^{h_i \tilde{h}_i} \\
&= X^{u_j h_j R'} \prod_{i \neq j} (g^{u_i})^{h_i \tilde{h}_i} \\
&= (R')^{\sum_{i=1}^{n} y_i} \prod_{i \neq j} (R')^{-y_i} \, (R')^{-y_j} \prod_{i \neq j} (g^{u_i})^{h_i \tilde{h}_i} \prod_{i \neq j} (X^{u_i})^{-h_i R'} \prod_{i=1}^{n} (X^{u_i})^{h_i R'} \\
&= (R')^{z'} \, Y'_1 \cdots Y'_n \prod_{i=1}^{n} (X^{u_i})^{h_i R'}.
\end{aligned}
$$

3.2 Key Replacement Attack on Qin et al.'s Scheme

In the following, we show that the scheme is not secure against an uncertified entity attack. Concretely, an entity without a certificate issued by CA can forge a valid signature on arbitrary message $m$ by replacing the public keys. The attack is depicted as follows:

1) Randomly choose R Z q and compute R = g.
2) Randomly choose $j \in_R \{1, \ldots, n\}$.
3) For each $i \in \{1, \ldots, n\} \setminus \{j\}$, select $y_i \in_R \mathbb{Z}_q$ uniformly at random and compute Y i = g y i.
4) Compute $h_i = H(m \| L_{upk} \| L_{ID} \| Y_i)$ for $i \in \{1, \ldots, n\} \setminus \{j\}$.
5) Choose $y_j \in_R \mathbb{Z}_q$ and compute Y j = X ar g y j ) h i R.
6) Compute $\tilde{h}_j = H(upk_{ID_j}, ID_j)$.
7) Compute u j = ã h j as the secret key of the user with identity $ID_j$, and set $upk_{ID_j} = (g^{u_j}, X^{u_j}, \pi_{u_j})$ as the public key of this user, where $\pi_{u_j}$ is the following non-interactive proof-of-knowledge (PoK): $PK\{(u_j) : U_1 = g^{u_j} \wedge U_2 = X^{u_j}\}$.
8) Compute z = ah n j + y i mod q.
9) Output the ring signature on $m$ as σ = 1,, Y n, R, z, π u1,, π un }.

The following equations show that the signature σ = 1,, Y n, R, z, π u1,, π un } is valid.

n (g ui ) hi h i = g uj h jh j (g ui = g a h j hjh j = g ah j (g ui = g ah j X ar X a h h j R j = g ah j X ar X u jh j R j = (g ) ah + n y i g y i X ar g y j n ) h i R ) h i R n = (R ) z Y 1 Y n (X ui ) h i R.

4 Conclusions

In this paper, we have shown that Qin et al.'s [18] certificate based ring signature scheme is not secure against the forgery attack. We consider a pairing-free certificate based ring signature scheme along with provable security as an open problem and our future research work.

Acknowledgments

This work is partially supported by National Natural Science Foundation of China under Grant Nos. 61003230, 61370026, 61300191 and 61103206, the Fundamental Research Funds for the Central Universities under Grant No. ZYGX2013J073 and ZYGX2012J077, and the Applied Basic Research Program of Sichuan Province under Grant No. 2014JY0041.

References

[1] Man Ho Au, Joseph K. Liu, Willy Susilo, and Tsz Hon Yuen, "Certificate based (linkable) ring signature," in 3rd International Conference on Information Security Practice and Experience-ISPEC 2007, pp. 79-92, Hong Kong, China, May 2007.
[2] Amit K Awasthi and Sunder Lal, "Id-based ring signature and proxy ring signature schemes from bilinear pairings," International Journal of Network Security, vol. 4, no. 2, pp. 187-192, 2007.
[3] Xuefei Cao, Weidong Kou, and Xiaoni Du, "A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges," Information Sciences, vol. 180, no. 15, pp. 2895-2903, 2010.
[4] David Chaum and Eugene van Heyst, "Group signature," in Advances in Cryptology-EUROCRYPT 1991, pp. 257-265, Brighton, UK, April 1991.
[5] Liqun Chen, Caroline Kudla, and Kenneth G. Paterson, "Concurrent signatures," in Advances in Cryptology-EUROCRYPT 2004, pp. 287-305, Interlaken, Switzerland, May 2004.
[6] Sherman S. M. Chow, Richard W. C. Lui, Lucas Chi Kwong Hui, and Siu-Ming Yiu, "Identity based ring signature: Why, how and what next," in EuroPKI 2005, pp. 144-161, Canterbury, UK, June 2005.
[7] Sherman S.M. Chow and Willy Susilo, "Generic construction of (identity-based) perfect concurrent signatures," in 7th International Conference on Information and Communications Security-ICICS 2005, pp. 194-206, Beijing, China, December 2005.
[8] Sherman S.M. Chow, Siu-Ming Yiu, and Lucas C.K. Hui, "Efficient identity based ring signature," in 3rd International Conference on Applied Cryptography and Network Security-ACNS 2005, pp. 499-512, NY, USA, June 2005.
[9] David Galindo, Paz Morillo, and Carla Ràfols, "Breaking Yum and Lee generic constructions of certificate-less and certificate-based encryption schemes," in 3rd European PKI Workshop: Theory and Practice-EuroPKI 2006, pp. 81-91, Turin, Italy, June 2006.
[10] Craig Gentry, "Certificate-based encryption and the certificate revocation problem," in Advances in Cryptology-EUROCRYPT 2003, pp. 272-293, Warsaw, Poland, May 2003.
[11] Daojing He, Jiajun Bu, Sencun Zhu, Sammy Chan, and Chun Chen, "Distributed access control with privacy support in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 10, no. 10, pp. 3472-3481, 2011.
[12] Qiong Huang, Guomin Yang, Duncan S. Wong, and Willy Susilo, "Efficient optimistic fair exchange secure in the multi-user setting and chosen-key model without random oracles," in The Cryptographers' Track at the RSA Conference, CT-RSA 2008, pp. 106-120, San Francisco, CA, USA, April 2008.
[13] Germán Sáez Javier Herranz, "New identity-based ring signature schemes," in 6th International Conference on Information and Communications Security-ICICS 2004, pp. 27-39, Malaga, Spain, October 2004.
[14] Bo Gyeong Kang, Je Hong Park, and Sang Geun Hahn, "A certificate-based signature scheme," in Topics in Cryptology-CT-RSA 2004, pp. 99-111, CA, USA, February 2004.
[15] Jiguo Li, Xinyi Huang, Yi Mu, Willy Susilo, and Qianhong Wu, "Certificate-based signature: Security model and efficient construction," in EuroPKI 2007, pp. 110-125, Palma de Mallorca, Spain, June 2007.
[16] Xiaodong Lin, Rongxing Lu, Haojin Zhu, Pin-Han Ho, Xuemin (Sherman) Shen, and Zhenfu Cao, "Asrpake: An anonymous secure routing protocol with authenticated key exchange for wireless ad hoc networks," in Proceedings of IEEE International Conference on Communications, ICC 2007, pp. 1247-1253, Scotland, UK, June 2007.
[17] Joseph K. Liu, Joonsang Baek, Willy Susilo, and Jianying Zhou, "Certificate-based signature schemes without pairings or random oracles," in 11th International Conference on Information Security-ISC 2008, pp. 285-297, Taipei, Taiwan, September 2008.
[18] Zhiguang Qin, Hu Xiong, and Fagen Li, "A provably secure certificate based ring signature without pairing," International Journal of Network Security, vol. 16, no. 3, pp. 244-251, 2014.
[19] Ronald L. Rivest, Adi Shamir, and Yael Tauman, "How to leak a secret," in Advances in Cryptology-AsiaCrypt 2001, pp. 552-565, Gold Coast, Australia, December 2001.
[20] Adi Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology-Crypto 1984, pp. 47-53, California, USA, August 1984.
[21] Hu Xiong, Konstantin Beznosov, Zhiguang Qin, and Matei Ripeanu, "Efficient and spontaneous privacy-preserving protocol for secure vehicular communication," in Proceedings of IEEE International Conference on Communications, ICC 2010, pp. 1-6, Cape Town, South Africa, May 2010.
[22] Hu Xiong, Zhong Chen, and Fagen Li, "Bidder-anonymous English auction protocol based on revocable ring signature," Expert Systems with Applications, vol. 39, no. 8, pp. 7062-7066, 2012.
[23] Hu Xiong, Zhiguang Qin, and Fagen Li, "An anonymous sealed-bid electronic auction based on ring signature," International Journal of Network Security, vol. 8, no. 3, pp. 235-242, 2009.
[24] Hu Xiong, Zhiguang Qin, and Fagen Li, "A certificateless proxy ring signature scheme with provable security," International Journal of Network Security, vol. 12, no. 2, pp. 92-106, 2011.
[25] Hu Xiong, Zhiguang Qin, and Fagen Li, "A taxonomy of ring signature schemes: Theory and applications," IETE Journal Of Research, vol. 59, no. 4, pp. 376-382, 2013.
[26] Dae Hyun Yum and Pil Joong Lee, "Identity-based cryptography in public key management," in 1st European PKI Workshop: Research and Applications-EuroPKI 2004, pp. 71-84, Samos Island, Greece, June 2004.
[27] Jianhong Zhang, "On the security of a certificate-based signature scheme and its improvement with pairings," in 5th International Conference on Information Security Practice and Experience-ISPEC 2009, pp. 47-58, Xi'an, China, April 2009.

Ji Geng is a professor in the School of Computer Science and Engineering, University of Electronic Science and Technology of China. He received his M.S. degree from Southwest Jiaotong University in 1990. His research interests include: information security and system software.

Hu Xiong is an associate professor at University of Electronic Science and Technology of China (UESTC). He received his Ph.D degree from UESTC in 2009. His research interests include: cryptography and network security.

Zhiguang Qin is the dean and professor in the School of Computer Science and Engineering, University of Electronic Science and Technology of China (UESTC). He received his Ph.D. degree from UESTC in 1996. His research interests include: information security and computer network.

Fagen Li received his Ph.D. degree from Xidian University in 2007. He is now an associate professor in the School of Computer Science and Engineering, University of Electronic Science and Technology of China. His recent research interests include cryptography and network security.