BY JYH-HAW YEH, COMPUTER SCIENCE DEPT., BOISE STATE UNIVERSITY
Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes
Proxy Signcryption
Signcryption: a combination of two words, Signature and Encryption.
Proxy Signcryption: the proxy signs and encrypts a message in one scheme.
Protects the confidentiality of the signed messages from eavesdroppers.
Applications: online proxy auction or online contract signing by an authorized proxy.
Proxy Signcryption
Three entities involved: original signer (OS), proxy signer (PS) and signature verifier (SV).
Scenario:
  OS delegates his signing right to PS.
  PS, on behalf of OS, signs and encrypts a message to SV.
  SV recovers and verifies the message.
Proxy Signcryption
One cryptosystem with five phases:
  Cryptosystem setup (by Key Generation Center)
  Proxy credential generation (by OS)
  Proxy credential verification (by PS)
  Signcrypted message generation (by PS)
  Signature recovery and verification (by SV)
Proxy Signcryption
Security requirement:
Proxy credential non-repudiation: OS cannot later deny a proxy credential issued by him/her.
  Requires proxy credential unforgeability.
  Requires correct proxy credential generation/verification algorithms.
  If OS denies a proxy credential, a trusted third party should resolve the conflict.
Proxy Signcryption
Security requirement:
Signcrypted message non-repudiation: PS cannot later deny a signcrypted message from him/her.
  Requires signcrypted message unforgeability.
  Requires correct signcrypted message generation/verification algorithms.
  If OS/PS later denies a signcrypted message, a trusted third party should resolve the conflict.
Proxy Credential Forgery attack
The attack tries to cryptanalyze the proxy credential and find a way to generate a fake credential that can pass the verification process.
If a proxy credential can be forged, then the scheme does not have the non-repudiation property.
Math Background
Many proxy signcryption schemes were designed based on “bilinear pairings”.
Two cyclic groups (G1, +) and (G2, ×); B is a generator of G1.
A bilinear map e: G1 × G1 → G2. For X, Y, Z in G1:
  e(X,Y) = e(Y,X)
  e(aX, bY) = e(X,Y)^{ab}
  e(X,Y+Z) = e(X,Y)e(X,Z)
Math Background
Given X and Y, e(X,Y) can be computed in poly-time.
Given B, aB and bB, it’s hard to compute abB.
Given B, aB, bB, cB, it’s hard to identify an element h in G2 such that h = e(B,B)^{abc}.
LWXY Scheme
Setup: KGC chooses system parameters (G1, G2, q, B, e, h1, h2, h3), where q is the order of G1 and G2.
  h1: {0,1}^k × G1 → Z_q
  h2: G1 → G1
  h3: G2 × G1 → {0,1}^k
Each user i chooses a private key x_i in Z_q and a public key Y_i = x_iB.
LWXY Scheme
Proxy credential (σ, N, w) generation:
  w: proxy warrant, specifies the delegated rights
  N = dB, where d is a random number
  σ = (x_o + dw) mod q
Proxy credential verification: σB ?= Y_o + wN. Why? Since
  σB = (x_o + dw)B = x_oB + w(dB) = Y_o + wN
Signcrypted message generation: ignored
Signature recovery and verification: ignored
Proxy Credential Forgery Attack to LWXY
PS can create a fake proxy credential (σ’, N’, w’) from his original one to increase his signing power.
Generate w’ to increase his delegation time and/or add designated signature verifiers.
  σ’ = (w’/w)σ = ((w’/w)x_o + dw’) mod q
  N’ = ((w’/w)Y_o + w’N - Y_o)/w’
Here division by w or w’ means multiplication by its inverse mod q.
Proxy Credential Forgery Attack to LWXY
The fake credential can pass the verification, since
  σ’B = ((w’/w)x_o + dw’)B
      = (w’/w)Y_o + w’N
      = Y_o + (w’/w)Y_o + w’N - Y_o
      = Y_o + w’(((w’/w)Y_o + w’N - Y_o)/w’)
      = Y_o + w’N’
Modify LWHY to Prevent The Attack
Change the way proxy credentials are created:
  N = dB
  σ = ((x-coordinate of N)x_o + dw) mod q
Change the proxy credential verification to
  σB ?= (x-coordinate of N)Y_o + wN
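The LWXY credential forgery and the x-coordinate fix above, as an added Python example (not code from the slides or from the scheme's authors). Assumptions: the secp256k1 curve stands in for G1, the warrant scalar w is a SHA-256 hash of the warrant text, and all function names, keys and warrant strings are constructed for illustration.

```python
import hashlib, secrets

# Assumption: secp256k1 stands in for G1; the credential check needs only G1 arithmetic.
P = 2**256 - 2**32 - 977                                                        # field prime
Q = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141   # group order q
B = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,  # generator B
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)

def add(X, Y):
    """Add two points on y^2 = x^3 + 7 over F_P; None is the identity."""
    if X is None or Y is None: return X or Y
    (x1, y1), (x2, y2) = X, Y
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3*x1*x1 * pow(2*y1, -1, P) if X == Y else (y2-y1) * pow((x2-x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, X):  # scalar multiple kX by double-and-add
    R, k = None, k % Q
    while k:
        if k & 1: R = add(R, X)
        X, k = add(X, X), k >> 1
    return R

def warrant(text):  # warrant text -> scalar w (hashing is an assumption of this example)
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % Q

def issue(x_o, w, fixed):
    """OS: N = dB, sigma = x_o + dw, or x(N)*x_o + dw in the modified scheme."""
    d = secrets.randbelow(Q - 1) + 1
    N = mul(d, B)
    return ((N[0] % Q if fixed else 1) * x_o + d * w) % Q, N

def verify(Y_o, sigma, N, w, fixed):
    """PS: sigma*B ?= Y_o + wN, or x(N)*Y_o + wN in the modified scheme."""
    return mul(sigma, B) == add(mul(N[0] % Q if fixed else 1, Y_o), mul(w, N))

def forge(Y_o, sigma, N, w, w2):
    """The slides' forgery: sigma' = (w'/w)sigma, N' = ((w'/w)Y_o + w'N - Y_o)/w'."""
    t = w2 * pow(w, -1, Q) % Q
    S = add(add(mul(t, Y_o), mul(w2, N)), (Y_o[0], -Y_o[1] % P))
    return t * sigma % Q, mul(pow(w2, -1, Q), S)

def demo(fixed):  # returns (honest credential verifies, forged credential verifies)
    x_o = secrets.randbelow(Q - 1) + 1            # constructed OS private key
    Y_o = mul(x_o, B)
    w, w2 = warrant("sign until 2024-01-31"), warrant("sign until 2034-01-31")
    sigma, N = issue(x_o, w, fixed)
    return verify(Y_o, sigma, N, w, fixed), verify(Y_o, *forge(Y_o, sigma, N, w, w2), w2, fixed)
```

demo(False) returns (True, True): the forged credential passes the original check. demo(True) returns (True, False): once σ is tied to the x-coordinate of N, the value N’ that the forgery needs depends on its own x-coordinate, so the same construction no longer verifies.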
EA Scheme
Setup: KGC chooses system parameters (G1, G2, q, B, Y_pub, e, h1, h2, h3), where Y_pub = sB is a system public key and s is a system master key.
  h1: {0,1}^* → G1
  h2: G2 → {0,1}^n
  h3: {0,1}^* × G2 → Z_q
Each user i has a public-private key pair Y_i = h1(ID_i) and X_i = sY_i.
EA Scheme
Proxy credential (σ, N) generation:
  σ = X_o + dY_pub, where d is a random number
  N = dB
Proxy credential verification: e(B, σ) ?= e(Y_pub, Y_o + N). Why? Since
  e(B, σ) = e(B, X_o + dY_pub)
          = e(B, sY_o + dsB)
          = e(sB, Y_o + dB)
          = e(Y_pub, Y_o + N)
Signcrypted message generation: ignored
Signature recovery and verification: ignored
Proxy Credential Forgery Attack to EA
PS can create a fake proxy credential (σ’, N’) from his original one and give it to another person without the permission of OS.
  σ’ = σ + d’Y_pub = X_o + (d+d’)Y_pub = X_o + d”Y_pub
  N’ = N + d’B = dB + d’B = (d+d’)B = d”B
Proxy Credential Forgery Attack to EA
The fake credential (σ’, N’) can pass the verification, since
  e(B, σ’) = e(B, X_o + d”Y_pub)
           = e(B, sY_o + d”sB)
           = e(sB, Y_o + d”B)
           = e(Y_pub, Y_o + N’)
Modify EA to Prevent Attack
Change the way proxy credentials are created:
  N = dB
  σ = (x-coordinate of N)X_o + dY_pub mod q
Change the proxy credential verification to
  e(B, σ) ?= e(Y_pub, (x-coordinate of N)Y_o + N)
Efficiency
Compared to LWHY, the modified LWHY adds 1 modular multiplication (MM) and 1 point multiplication (PM) in G1.
  Both LWHY and the modified LWHY require 4 bilinear pairing (BP) operations.
  1 BP is about 11,110 MM.
  1 PM is about a few hundred MM.
Compared to EA, the modified EA adds 3 PM.
  Both EA and the modified EA require 8 BP.