Security Weaknesses in Two Certificateless Signcryption Schemes

Authors

  • S. Sharmila Deva Selvi
  • S. Sree Vivek
  • C. Pandu Rangan
Abstract

Recently, a certificateless signcryption scheme in the standard model was proposed by Liu et al. in [1]. Another certificateless signcryption scheme in the standard model was proposed by Xie et al. in [2]. Here, we show that the schemes in [1] and [2] are not secure against a Type-I adversary.

1 Certificateless Signcryption Scheme by Liu et al. [1]

1.1 Review of the Scheme

In this section, we review the certificateless signcryption scheme secure against malicious-but-passive KGC attacks in the standard model proposed by Liu et al. The scheme involves three parties: a KGC, a sender with identity $U_S$ and a receiver with identity $U_R$. It consists of the following algorithms.

Setup: Let $(\mathbb{G}, \mathbb{G}_T)$ be bilinear groups with $|\mathbb{G}| = |\mathbb{G}_T| = p$ for some prime $p$, and let $g$ be a generator of $\mathbb{G}$. Let $\hat{e} : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be the bilinear pairing and $H : \{0,1\}^* \to \{0,1\}^m$ be a collision-resistant hash function. The KGC chooses $\alpha \in \mathbb{Z}_p$ at random and computes $g_1 = g^\alpha$. Additionally, the KGC selects three random values $g_2, u', v' \in \mathbb{G}$ and two vectors $U = (u_i)_{i=1}^{n}$, $V = (v_j)_{j=1}^{m}$ whose elements are chosen from $\mathbb{G}$ at random. The system parameters are $params = (\mathbb{G}, \mathbb{G}_T, \hat{e}, g, g_1, g_2, u', v', U, V, H)$ and the master secret key is $g_2^{\alpha}$.

Partial-Private-Key-Extract: Let $u[i]$ denote the $i$th bit of an identity $u \in \{0,1\}^n$ and $\hat{u} = \{i \mid u[i] = 1,\ i = 1, \dots, n\}$. The KGC picks $r \in \mathbb{Z}_p$ uniformly at random and computes
$d_u = (d_{u,1}, d_{u,2}) = \big(g_2^{\alpha} (u' \prod_{i \in \hat{u}} u_i)^{r},\ g^{r}\big)$.
An entity with identity $u$ is given $d_u$ as its partial private key. Therefore, the partial private keys of the sender and the receiver are
$d_S = (d_{S,1}, d_{S,2}) = \big(g_2^{\alpha} (u' \prod_{i \in \hat{u}_S} u_i)^{r_S},\ g^{r_S}\big)$,
$d_R = (d_{R,1}, d_{R,2}) = \big(g_2^{\alpha} (u' \prod_{i \in \hat{u}_R} u_i)^{r_R},\ g^{r_R}\big)$.

User-Key-Generate: An entity with identity $u$ chooses a secret value $x_u \in \mathbb{Z}_p$ at random and computes the public key $pk_u = \hat{e}(g_1, g_2)^{x_u}$.

Private-Key-Extract: An entity with identity $u$ picks $r' \in \mathbb{Z}_p$ at random and computes the private key
$sk_u = (sk_{u,1}, sk_{u,2}) = \big(d_{u,1}^{x_u} (u' \prod_{i \in \hat{u}} u_i)^{r'},\ d_{u,2}^{x_u} g^{r'}\big) = \big(g_2^{\alpha x_u} (u' \prod_{i \in \hat{u}} u_i)^{t},\ g^{t}\big)$, where $t = r x_u + r'$.

Signcrypt: To send a message $M \in \mathbb{G}_T$ to the receiver with public key $pk_R = \hat{e}(g_1, g_2)^{x_R}$, the sender picks $r'' \in \mathbb{Z}_p$ at random and carries out the following steps.
– Compute $\sigma_1 = M \cdot pk_R^{r''} = M \cdot \hat{e}(g_1, g_2)^{x_R r''}$.
– Compute $\sigma_2 = g^{r''}$.
– Compute $\sigma_3 = (u' \prod_{i \in \hat{u}_R} u_i)^{r''}$.
– Set $\sigma_4 = sk_{S,2}$.
– Compute $\hat{M} = H(\sigma_1, \sigma_2, \sigma_3, \sigma_4, u_R, pk_R) \in \{0,1\}^m$; let $m[j]$ denote the $j$th bit of $\hat{M}$ and $\mathcal{M} = \{j \mid m[j] = 1,\ j = 1, 2, \dots, m\}$.
– Compute $\sigma_5 = sk_{S,1} \cdot (v' \prod_{j \in \mathcal{M}} v_j)^{r''}$.
– Output the ciphertext $\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4, \sigma_5)$.

Unsigncrypt: Upon receiving a ciphertext $\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4, \sigma_5)$, the receiver proceeds as follows.
– Compute $\hat{M} = H(\sigma_1, \sigma_2, \sigma_3, \sigma_4, u_R, pk_R) \in \{0,1\}^m$; let $m[j]$ denote the $j$th bit of $\hat{M}$ and $\mathcal{M} = \{j \mid m[j] = 1,\ j = 1, 2, \dots, m\}$.
– Check that the equality $\hat{e}(\sigma_5, g) = pk_S \cdot \hat{e}(u' \prod_{i \in \hat{u}_S} u_i,\ \sigma_4) \cdot \hat{e}(v' \prod_{j \in \mathcal{M}} v_j,\ \sigma_2)$ holds. If not, output "Invalid". Otherwise, compute and output $M = \sigma_1 \cdot \hat{e}(\sigma_3, sk_{R,2}) / \hat{e}(\sigma_2, sk_{R,1})$.

1.2 Attack on the Scheme by Liu et al.

The scheme proposed by Liu et al. in [1] does not provide confidentiality against a Type-I adversary. We show that the scheme is not even CPA secure against a Type-I adversary. The attack is launched by a Type-I adversary replacing the public key of the target receiver whose signcryption the adversary wants to unsigncrypt. This is achieved in the following way. During the Type-I confidentiality game:
– The challenger runs Setup and provides the system public parameters to the adversary.
– The adversary has access to all the oracles, namely Partial-Private-Key-Extract, Private-Key-Extract, Replace-Public-Key, Signcrypt and Unsigncrypt.
– The adversary replaces the public key of the receiver (say $R^*$) that it wants to use during the challenge phase by $pk_{R^*} = \hat{e}(g, g)^{r^*}$, where $r^* \in_R \mathbb{Z}_p$.
– Without asking any further queries, the adversary picks two messages $\{m_0, m_1\}$ of equal length, a sender identity $S$ and the receiver identity $R^*$ on which it wishes to be challenged, and sends them to the challenger.
– The challenger picks a random bit $\delta \in \{0,1\}$, computes the signcryption $\sigma^* = (\sigma^*_1, \sigma^*_2, \sigma^*_3, \sigma^*_4, \sigma^*_5)$ of the message $m_\delta$ and sends $\sigma^*$ to the adversary.
– The adversary now recovers the message by computing $m_{\delta'} = \sigma^*_1 / \hat{e}(\sigma^*_2, g^{r^*})$ and outputs $\delta'$ to the challenger. This works because $\sigma^*_1 = m_\delta \cdot pk_{R^*}^{r''} = m_\delta \cdot \hat{e}(g, g)^{r^* r''}$ while $\hat{e}(\sigma^*_2, g^{r^*}) = \hat{e}(g^{r''}, g^{r^*}) = \hat{e}(g, g)^{r^* r''}$.
– Hence the adversary can successfully distinguish which message was signcrypted.
This clearly shows that the scheme given by Liu et al. is not CPA secure against a Type-I adversary.

2 Certificateless Signcryption Scheme by Xie et al. [2]

Since the scheme is available in the public domain, we do not review it here.

Attack on the Scheme

In this section we present a total break of the certificateless signcryption scheme in [2] by a Type-I adversary. During the unforgeability game, the adversary knows the full private key of the receiver. Thus, during the training phase, the Type-I forger queries the Signcrypt oracle and obtains a ciphertext $\sigma = \langle c, u, v, w \rangle$. Let $\sigma$ be a signcryption from sender $ID_A$ to receiver $ID_B$, where the private key $D_B$ of the receiver is known to the adversary. The adversary computes the partial private key $d_A$ of the sender as follows.
– We know that $w = x_A h_2 + r_1$. (A Type-I adversary can replace the public key and hence has access to the sender's secret value $x_A$.)
– Compute $g_1^{r'} = \hat{e}(D_B, u)$ and $m = c \oplus H_3(g_1^{r'}, x_B u)$.
– Compute $h_2 = H_2(m, u, g_1^{r'}, x_B u, pk_A, pk_B)$.
– Compute $r_1 = w - x_A h_2$.
– It is now possible to compute $d_A = v^{(r_1 - h_2)/r_1}$.
Hence, a Type-I adversary can find the partial private key of any legitimate user in the system, which leads to a total break of the scheme in [2].
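The following Python toy model is an added illustration of Section 1 and is not code from the paper or its authors. It implements the Liu et al. algorithms exactly as reviewed above, but over a constructed pairing: G and G_T are modelled as the order-113 subgroup of Z_227^*, and the pairing is computed by brute-forcing discrete logarithms, so it is bilinear but offers no security whatsoever. The 8-bit identities, the SHA-256-based model of H, the message value and all function names are assumptions of this toy. It runs an honest signcrypt/unsigncrypt round and then the Type-I public-key-replacement step of Section 1.2, checking that sigma_1 / e(sigma_2, g^{r*}) returns the message without any receiver private key.

```python
import hashlib
import math
import secrets

# Toy bilinear setting (constructed): G = G_T = the order-Q subgroup of Z_P^*,
# P = 2Q + 1 = 227.  Logs are brute-forced, which is why the pairing is computable.
P, Q, G_GEN = 227, 113, 4           # 4 = 2^2 generates the order-113 subgroup
N_ID_BITS, M_HASH_BITS = 8, 8       # identity length n and hash length m (assumed)

def dlog(h):
    """Brute-force log base g of a subgroup element (toy only)."""
    acc = 1
    for k in range(Q):
        if acc == h:
            return k
        acc = acc * G_GEN % P
    raise ValueError("element not in the subgroup")

def pair(a, b):
    """Toy symmetric pairing e(g^x, g^y) = g_T^(xy) with g_T = g; bilinear by construction."""
    return pow(G_GEN, dlog(a) * dlog(b), P)

def rand_exp(): return secrets.randbelow(Q - 1) + 1
def rand_elem(): return pow(G_GEN, rand_exp(), P)

def hash_bits(*parts):                             # H: {0,1}* -> {0,1}^m, modelled via SHA-256
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    bits = format(int.from_bytes(digest, "big"), "0256b")[:M_HASH_BITS]
    return [j for j, b in enumerate(bits) if b == "1"]   # the set {j | m[j] = 1}

def setup():
    alpha = rand_exp()
    params = {"g1": pow(G_GEN, alpha, P), "g2": rand_elem(), "u0": rand_elem(), "v0": rand_elem(),
              "U": [rand_elem() for _ in range(N_ID_BITS)], "V": [rand_elem() for _ in range(M_HASH_BITS)]}
    return params, alpha            # master secret is g2^alpha; alpha itself is kept for brevity

def id_hash(params, identity):     # u' * prod_{i in û} u_i for an n-bit identity string
    return params["u0"] * math.prod(params["U"][i] for i, bit in enumerate(identity) if bit == "1") % P

def msg_hash(params, bit_set):     # v' * prod_{j in M} v_j
    return params["v0"] * math.prod(params["V"][j] for j in bit_set) % P

def partial_key(params, alpha, identity):          # Partial-Private-Key-Extract
    r = rand_exp()
    return (pow(params["g2"], alpha, P) * pow(id_hash(params, identity), r, P) % P, pow(G_GEN, r, P))

def user_key(params):                              # User-Key-Generate: (x_u, pk_u = e(g1, g2)^x_u)
    x = rand_exp()
    return x, pow(pair(params["g1"], params["g2"]), x, P)

def full_key(params, identity, d, x):              # Private-Key-Extract, t = r*x + r'
    r2 = rand_exp()
    return (pow(d[0], x, P) * pow(id_hash(params, identity), r2, P) % P,
            pow(d[1], x, P) * pow(G_GEN, r2, P) % P)

def signcrypt(params, msg, sk_s, id_r, pk_r):
    r3 = rand_exp()                                # r''
    s1 = msg * pow(pk_r, r3, P) % P
    s2 = pow(G_GEN, r3, P)
    s3 = pow(id_hash(params, id_r), r3, P)
    s4 = sk_s[1]
    s5 = sk_s[0] * pow(msg_hash(params, hash_bits(s1, s2, s3, s4, id_r, pk_r)), r3, P) % P
    return (s1, s2, s3, s4, s5)

def unsigncrypt(params, sigma, sk_r, id_s, pk_s, id_r, pk_r):
    s1, s2, s3, s4, s5 = sigma
    vm = msg_hash(params, hash_bits(s1, s2, s3, s4, id_r, pk_r))
    if pair(s5, G_GEN) != pk_s * pair(id_hash(params, id_s), s4) % P * pair(vm, s2) % P:
        return None                                # "Invalid"
    return s1 * pair(s3, sk_r[1]) % P * pow(pair(s2, sk_r[0]), P - 2, P) % P

def type1_recover(sigma, r_star):
    """Type-I adversary who replaced pk_R* with e(g,g)^{r*}: M = sigma1 / e(sigma2, g^{r*})."""
    return sigma[0] * pow(pair(sigma[1], pow(G_GEN, r_star, P)), P - 2, P) % P

def demo():
    params, alpha = setup()
    id_s, id_r = "10110010", "01101101"           # constructed 8-bit identities
    x_s, pk_s = user_key(params)
    sk_s = full_key(params, id_s, partial_key(params, alpha, id_s), x_s)
    x_r, pk_r = user_key(params)
    sk_r = full_key(params, id_r, partial_key(params, alpha, id_r), x_r)
    msg = pow(G_GEN, 42, P)                       # constructed message M in G_T
    sigma = signcrypt(params, msg, sk_s, id_r, pk_r)
    honest_ok = unsigncrypt(params, sigma, sk_r, id_s, pk_s, id_r, pk_r) == msg
    # Section 1.2: pk_R* is replaced by e(g,g)^{r*}; the challenger signcrypts
    # honestly under the replaced key and the message falls out without sk_R.
    r_star = rand_exp()
    pk_fake = pow(pair(G_GEN, G_GEN), r_star, P)
    sigma_star = signcrypt(params, msg, sk_s, id_r, pk_fake)
    attack_ok = type1_recover(sigma_star, r_star) == msg
    return honest_ok, attack_ok
```

Running `demo()` returns `(True, True)`: the honest receiver decrypts correctly, and the adversary who chose the replaced public key recovers the same message from sigma_1 and sigma_2 alone. The model makes the weakness visible in the code path: sigma_1 depends only on pk_R, and nothing in Signcrypt or the key-generation algorithms ties pk_R to the receiver's partial private key d_R, which is exactly the binding a Type-I adversary is allowed to break.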



Journal:
  • IACR Cryptology ePrint Archive

Volume 2010

Published 2010