BY JYH-HAW YEHCOMPUTER SCIENCE DEPT.BOISE STATE UNIVERSITY

Proxy Credential Forgery Attack to Two Proxy

Signcryption Schemes

Proxy Signcryption

Signcryption: combining two words – Signature and Encryption.

Proxy Signcryption: proxy signs and encrypts a message in one scheme. Protect the confidentiality of the signed messages

from eavesdroppers. Applications: online proxy auction or online

contract signing by an authorized proxy.

Proxy Signcryption

Three entities involved: original signer (OS), proxy signer (PS) and signature verifier (SV).

Scenario: OS delegates his signing right to PS PS, on behave of OS, signs and encrypts a message to

SV SV recovers and verifies the message

Proxy Signcryption

One cryptosystem with five phases: Cryptosystem setup (by Key Generation Center) Proxy credential generation (by OS) Proxy credential verification (by PS) Signcrypted message generation (by PS) Signature recovery and verification (by SV)

Proxy Signcryption

Security requirement: Proxy credential non-repudiation: OS cannot deny a

proxy credential issued by him/her later. Require proxy credential unforgeability Require correct proxy credential generation/verification

algorithms If OS denies a proxy credential, a trusted third party

should resolve the conflict

Proxy Signcryption

Security requirement: Signcrypted message non-repudiation: PS cannot deny

a signcrypted message from him/her later Require signcrypted message unforgeability Require correct signcrypted message

generation/verification algorithms If OS/PS later denies a signcrypted message, a trusted

third party should resolve the conflict.

Proxy Credential Forgery attack

The attack tries to cryptanalyzing the proxy credential and find a way to generate a fake credential which can pass the verification process.

If a proxy credential can be forged, then the scheme will not have non-repudiation property

Math Background

Many proxy signcryption schemes were designed based on “bilinear pairings” Two cyclic groups (G1, +) and (G2, x), B is a generator

of G1 A bilinear map e: G1×G1 G2 X, Y, Z in G1 e(X,Y) = e(Y,X) e(aX, bY) = e(X,Y)^{ab} e(X,Y+Z) = e(X,Y)e(X,Z)

Math Background

Given X and Y, e(X,Y) can be computed in poly-time Given B, aB and bB, it’s hard to compute abB Given B, aB, bB, cB, it’s hard to identify an element h

in G2 such that h = e(B,B)^{abc}

LWXY Scheme

Setup: KGC chooses system para (G1, G2, q, B, e, h1, h2, ,3), where q is the order of G1 and G2 h1: {0,1}^k × G1 Z_q h2: G1 G1 h3: G2 × G1 {0,1}^k Each user i chooses a private key x_i in Z_q and a

public key Y_i = x_iB

LWXY Scheme

Proxy credential (σ, N, w) generation: W: proxy warrant specifies delegated rights N = dB, where d is a random nymber σ = (x_o + dw) mod q

Proxy credential verification: σB ?= Y_o + wN. Why? Since

σB = (x_o + dw)B = x_oB + dBw = Y_o + wN

Signcrypted message generation: ignoredSignature recovery and verification: ignored

Proxy Credential Forgery Attack to LWXY

PS can create a fake proxy credential (σ’, N’, w’) from his original one to increase his signing power Generate w’ to increase his delegation time and/or

add designated signature verifiers. σ’=(w’/w) σ = (w’/w) x_o + dw’ mod q N’ = ((w’/w) Y_o + w’ N – Y_o)/w’

Proxy Credential Forgery Attack to LWXY

The fake credential can pass the verification, since

σ’B = ((w’/w) x_o + dw’ )B = (w’/w)Y_o + w’N = Y_o + (w’/w)Y_o + w’N – Y_o = Y_o + w’(((w’/w)Y_o + w’N – Y_o)/w’) = Y_o + w’ N’

Modify LWHY to Prevent The Attack

Change the way to create proxy credentials N = dB σ = (x-coordinate of N)x_o + dw mod q

Change the proxy credential verification to σB ?= (x-coordinate of N)Y_o + wN

EA Scheme

Setup: KGC chooses system para (G1, G2, q, B, Y_pub, e, h1, h2, h3), where Y_pub = sB is a system public key and s is a system

master key. h1: {0,1}^* G1 h2: G2 {0,1}^n h3: {0,1}^* × G2 Z_q Each user i has public-private keys pairs Y_i = h1(ID_i) and X_i = sY_i

EA Scheme

Proxy credential (σ, N) generation: σ = X_o + dY_pub, where d is a random number N = dB

Proxy credential verification: e(B, σ) ?= e(Y_pub, Y_o + N). Why? Since e(B, σ) = e(B, X_o + dY_pub) = e(B, sY_o + dsB) = e(sB, Y_o + dB) = e(Y_pub, Y_o + N)

Signcrypted message generation: ignoredSignature recovery and verification: ignored

Proxy Credential Forgery Attack to EA

PS can create a fake a proxy credential (σ’, N’) from his original one and give it to another person without the permission of OS σ’ = σ + d’Y_pub = X_o + (d+d’)Y_pub = X_o + d”Y_pub N’ = N + d’B = dB + d’B = (d+d’)B = d”B

Proxy Credential Forgery Attack to EA

The fake credential (σ’, N’) can pass the verification, since

e(B, σ’) = e(B, X_o + d”Y_pub) = e(B, sY_o + d”sB) = e(sB, Y_o + d”B) = e(Y_pub, Y_o + N’)

Modify EA to Prevent Attack

Change the way to create proxy credentials N = dB σ = (x-coordinate of N)X_o + dY_pub mod q

Change the proxy credential verification to e(B, σ) ?= e(Y_pub, (x-coordinate of N)Y_o + N)

Efficiency

Comparing to LWHY, the modified LWHY adds 1 modular multiplication (MM) and 1 point multiplication (PM) in G1 Both LWHY/modified LWHY requires 4 bilinear pairing

(BP) operations 1 BP is about 11,110 MM 1PM is about a few hundred MM

Comparing to EA, the modified EA adds 3 PM Both EA/modified EA require 8 BP