A note on An efficient certificateless aggregate signature with constant pairing computations

Transcription

1 A ote o A effcet certfcateless aggregate sgature wth costat parg computatos Debao He Maomao Ta Jahua Che School of Mathematcs ad Statstcs Wuha Uversty Wuha Cha School of Computer Scece ad Techology Uversty of Scece ad Techology of Cha Hefe Cha Emal: chejahuamath@gmalcom Abstract: Recetly Xog et al [H Xog Z Gua Z Che F L A effcet certfcateless aggregate sgature wth costat parg computatos Iformato Scece 9 pp ] proposed a effcet certfcateless sgature (CLS) scheme ad used t to costruct a certfcateless aggregate sgature (CLAS) scheme wth costat parg computatos They also demostrated that both of the two schemes are provably secure the radom oracle model uder the computatoal Dffe-Hellma assumpto Ufortuately by gvg cocrete attacks we pot out that Xog et al s schemes are ot secure ther securty model Key words: Certfcateless cryptography; Aggregate sgature; Blear parg Itroducto A aggregate sgature scheme whch was proposed by Boeh et al [] s a sgature scheme whch allows to aggregate sgatures o dstct messages from dstct users to a sgle sgature The valdty of a aggregate sgature wll covce a verfer that the users dd deed sg the orgal messages Aggregato s useful to reduce badwdth ad storage ad s especally attractve for moble devces lke sesors cell phoes ad PDAs where commucato s more power-expesve tha computato ad cotrbutes sgfcatly to reducg battery lfe Recetly certfcateless publc key cryptography [] was studedly sce t could solve the certfcate maagemet problem the tradtoal publc key cryptography ad the key escrow problem the -based publc key cryptography [5] To satsfy the applcatos certfcateless evromet certfcateless aggregate sgature (CLAS) scheme have attracted much atteto Several CLAS schemes [ ] have proposed by dfferet researchers However most of these schemes [3 4 8] have computatoal complexty for

2 parg computatos that grows learly wth the umber of sgers Besdes both of the schemes [7 8] of Zhag et al requre a certa sychrozato e all sgers must share the same sychrozed clocks to geerate aggregate sgature It s easy to say that t s dffcult to acheve sychrozato may commucato scearos Recetly Xog et al [6] proposed a effcet certfcateless sgature (CLS) scheme ad costruct a smple CLAS scheme usg the CLS scheme Compared wth prevous CLAS schemes Xog et al s scheme s very effcet ad the verfcato procedure eeds oly a very small costat umber of parg computatos depedet of the umber of aggregated sgatures Besdes ther scheme does ot requre certa sychrozato for aggregatg radomess They also demostrated that both of the two schemes are provably secure the radom oracle model uder the computatoal Dffe-Hellma assumpto Ufortuately we fd that a Type II adversary could forge a legal sgature of ay message agast Xog et al s schemes The aalyss shows Xog et al s schemes are ot secure for practcal applcatos The orgazato of the paper s sketched as follows Secto gves a bref revew of Xog et al s schemes The securty flaws of Xog et al s schemes are show Secto 3 Fally we gve some coclusos Secto 4 Revew of Xog et al s schemes Xog et al s CLS scheme I ths subsecto we wll brefly revew Xog et al s CLS scheme Ther CLS scheme cossts of fve algorthms: MasterKeyGe PartalKeyGe UserKeyGe Sg ad Verfy The detal of these algorthms s descrbed as follows MasterKeyGe : Gve a securty parameter k KGC rus the algorthm as follows ) Geerate a cyclc addtve group G ad a cyclc multplcatve group G wth prme order q ) Geerate two geerators PQ of G ad a admssble parg e: G G G

3 3) Geerate a radom umber s Z q ad compute P pub = sp 4) Choose cryptographc hash fuctos H :{0} G ad H :{0} Zq 5) KGC publshes the system parameters are { qg G epqp pub H H } ad key the master key s secretly PartalKeyGe : Gve a user s detty partal prvate key Q ( ) = H KGC computes the user s = sq ad trasmts t to the user secretly where UserKeyGe : The user wth detty selects a radom umber x Z q as hs secret key usk ad computes hs publc key as upk = usk P Sg : Gve a message m the partal prvate key the secret key usk the user wth detty s ad the correspodg publc key s performs the followg steps to geerate a sgature upk ) Geerate a radom umber r Z ad compute U = rp q ) Compute h = H ( ) m upk U V = + h r P + h x Q pub 3) Output ( U ) as the sgature o m Verfy : Gve a sgature ( U ) of message correspodg publc key upk : m o detty ad ) Compute Q = H ( ) ad h = H ( ) m upk U ) Verfy e( V P) = e( h U + Q P ) e( h upk Q) holds or ot If t pub holds accept the sgature Xog et al s CLAS scheme I ths subsecto we wll brefly revew Xog et al s CLAS scheme Ther CLAS scheme cossts of sx algorthms: MasterKeyGe PartalKeyGe UserKeyGe Sg Aggregate ad AggregateVerfy The frst four algorthms are the same as those ther CLS scheme The detal of other two algorthms s descrbed as follows 3

4 Aggregate : For a aggregatg set of users { U U } wth dettes { } ad the correspodg publc keys { upk upk } ad messagesgature pars {( m σ = ( U)) ( m σ = ( U))} from { U U } respectvely the aggregate sgature geerator computes σ = ( U U ) as a aggregate sgature V = V ad outputs = AggregateVerfy : To verfy a aggregate sgature σ = ( U U) sged by users { U U } wth dettes { } ad the correspodg publc keys { upk upk } o messages { m m } the verfer performs the followg steps: ) Compute Q = H ( ) ad h = H ( ) m upk U for = ) Verfy pub = = holds or ot e( V P) = e( ( h U + Q ) P ) e( h upk Q) If t holds accept the sgature 3 Cryptaalyss of Xog et al s scheme Xog et al [6] clamed that both of ther schemes are provably secure agast two types of adversary the radom oracle model However ths secto we shall dsprove ther clams by gvg two cocrete attacks 3 Attack agast Xog et al s CLS scheme Xog et al [6] clamed ther CLS scheme s sematcally secure agast Tpye II adversary Ufortuately t s ot true sce there exsts a polyomal tme Type II adversary A who ca always w Game I as below: ad gets ) A submts a user U s detty U s partal prvate key ) A submts ad a message to the RevealPartalKey oracle = sq where Q = H ( ) m to the Sg oracle ad gets a legal sgature ( U ) of message m where U = rp h ( ) = H m upk U V = + h r P + h x Q ad r s a pub radom umber geerated by Sg oracle 4

5 3) A computes T = h ( V ) where h satsfy h h modq 4) For ay other message A computes U = U h ( ) = H upk U V = + h T 5) A outputs ( U ) as the sgature o Sce U = rp ad V = + h r P + h x Q we could have pub ad T = h ( V ) = h ( + h r P + h x Q ) pub = r P + x Q pub V = + h T = + h ( r P + x Q) pub = + h r P + h x Q pub ev ( P) = e( + h r P + h x Q P) pub = e ( + h r P Peh ) ( x QP ) pub = esq ( + h r sppeqh ) ( x P) = e( h U + Q sp) e( h upk Q) = eh ( U + Q sp ) eh ( upk Q) pub () () (3) The we kow that ( U ) s a legal sgature o Besdes has ot bee submtted to RevealSecertKey queres or ReplaceKey queres to get the secret key usk ad the oracle Sg has ever bee quered wth ) So the Tpye II adversary A ws Game I ( Therefore Xog et al s CLS scheme s ot secure agast attacks of the Type II adversary 3 Attack agast Xog et al s CLAS scheme Xog et al [6] clamed ther CLAS scheme s sematcally secure agast Tpye II adversary Ufortuately t s ot true sce there exsts a polyomal tme Type II adversary A who ca always w Game II as follows: Let { U U } be a aggregatg set of users wth dettes { } ad the correspodg publc keys { upk upk } 5

6 ) For = A does the followg fve sub-steps to geerate a legal sgature ( U ) o a message A submts a user U s detty oracle ad gets Q ( ) = H A submts ad a message U s partal prvate key to the RevealPartalKey = sq where m to the Sg oracle ad gets a legal sgature ( U ) of message m where U = rp h = H ( ) m upk U V = + h r P + h x Q ad r pub s a radom umber geerated by Sg oracle A computes T = h ( V ) where h satsfy h h modq For ay other message A computes U = U h = H ( ) upk U V = + h T A outputs ( U ) as the sgature o ) A computes V = V = 3) A outputs σ = ( U U ) as a aggregate sgature From the aalyss the above subsecto we kow that ( U ) satsfes the equato e( V P) = e( h U + Q sp ) e( h upk Q) ad pub pub V = + h r P + h x Q The we could have that ev ( P) = e( V P)= e( ( + h r P + h x Q) P) pub = = = e( ( + h r P ) P) e( h x Q P) pub = = = e( ( h U + Q ) P ) e( h upk Q) pub = = Thus we kow that σ = ( U U ) s a legal aggregate sgature o messages { } Besdes for ay { } (3) has ot bee submtted to RevealSecertKey queres or ReplaceKey queres to get the secret key usk ad the oracle Sg has ever bee quered wth ( ) So the Tpye II adversary A ws Game II 6

7 Therefore Xog et al s CLAS scheme s ot secure agast attacks of the Type II adversary 4 Cocluso Recetly Xog et al [6] proposed a CLS scheme ad used t to costruct a effcet CLAS scheme They clamed that both of ther schemes are provably secure the radom oracle model However after revew of ther scheme ad aalyss of ts securty we demostrate that both of the schemes caot wthstad the attack of Type II adversary The aalyss shows that ther schemes are secure for practcal applcatos Referece [] S Al-Ryam K Paterso Certfcateless Publc Key Cryptography AsaCrypt 003 LNCS 894 pp [] D Boeh C Getry B Ly H Shacham Aggregate ad Verfably Ecrypted Sgatures from Blear Maps EUROCRYPT 03 LNCS 307 pp [3] R Castro R Dahab Effcet Certfcateless Sgatures Sutable for Aggregato Cryptology eprt Archve Avalable ole: [4] Z Gog Y Log X Hog K Che Two certfcateless aggregate sgatures from blear maps : IEEE SNPD 007 vol 3 pp [5] A Shamr Idetty-Based Cryptosystems ad Sgature Schemes I Crypto 984 LNCS 96 Sprger-Verlag Berl pp [6] H Xog Z Gua Z Che F L A Effcet certfcateless aggregate sgature wth costat parg computatos Iformato Scece 9 pp [7] L Zhag B Q Q Wu F Zhag Effcet may-to-oe authetcato wth certfcateless aggregate sgatures Computer Networks 54(4) pp [8] L Zhag F Zhag A ew certfcateless aggregate sgature scheme Computer Commucatos 3(6) pp