Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes
By Jyh-haw Yeh
Computer Science Dept., Boise State University
Proxy Signcryption
• Signcryption: a combination of two words, Signature and Encryption.
• Proxy signcryption: a proxy signs and encrypts a message in one scheme.
• Protects the confidentiality of the signed messages from eavesdroppers.
• Applications: online proxy auction or online contract signing by an authorized proxy.
Proxy Signcryption
• Three entities involved: original signer (OS), proxy signer (PS) and signature verifier (SV).
• Scenario:
  • OS delegates his signing right to PS
  • PS, on behalf of OS, signs and encrypts a message to SV
  • SV recovers and verifies the message
Proxy Signcryption
• One cryptosystem with five phases:
  • Cryptosystem setup (by Key Generation Center)
  • Proxy credential generation (by OS)
  • Proxy credential verification (by PS)
  • Signcrypted message generation (by PS)
  • Signature recovery and verification (by SV)
Proxy Signcryption
• Security requirement:
  • Proxy credential non-repudiation: OS cannot later deny a proxy credential that he/she issued.
    • Requires proxy credential unforgeability
    • Requires correct proxy credential generation/verification algorithms
    • If OS denies a proxy credential, a trusted third party should resolve the conflict
Proxy Signcryption
• Security requirement:
  • Signcrypted message non-repudiation: PS cannot later deny a signcrypted message that he/she produced.
    • Requires signcrypted message unforgeability
    • Requires correct signcrypted message generation/verification algorithms
    • If OS/PS later denies a signcrypted message, a trusted third party should resolve the conflict.
Proxy Credential Forgery Attack
The attack cryptanalyzes the proxy credential to find a way to generate a fake credential that passes the verification process. If a proxy credential can be forged, the scheme does not have the non-repudiation property.
Math Background
• Many proxy signcryption schemes were designed based on “bilinear pairings”
• Two cyclic groups (G1, +) and (G2, ×); B is a generator of G1
• A bilinear map e: G1 × G1 → G2
• For X, Y, Z in G1:
  e(X,Y) = e(Y,X)
  e(aX, bY) = e(X,Y)^{ab}
  e(X,Y+Z) = e(X,Y)e(X,Z)
Math Background
• Given X and Y, e(X,Y) can be computed in poly-time
• Given B, aB and bB, it’s hard to compute abB
• Given B, aB, bB, cB, it’s hard to identify an element h in G2 such that h = e(B,B)^{abc}
LWXY Scheme
• Setup: KGC chooses system parameters (G1, G2, q, B, e, h1, h2, h3), where
  • q is the order of G1 and G2
  • h1: {0,1}^k × G1 → Z_q
  • h2: G1 → G1
  • h3: G2 × G1 → {0,1}^k
• Each user i chooses a private key x_i in Z_q and a public key Y_i = x_iB
LWXY Scheme
• Proxy credential (σ, N, w) generation:
  • w: proxy warrant, specifies the delegated rights
  • N = dB, where d is a random number
  • σ = (x_o + dw) mod q
• Proxy credential verification:
  • σB ?= Y_o + wN. Why? Since σB = (x_o + dw)B = x_oB + w(dB) = Y_o + wN
• Signcrypted message generation: omitted
• Signature recovery and verification: omitted
Proxy Credential Forgery Attack to LWXY
• PS can create a fake proxy credential (σ’, N’, w’) from his original one to increase his signing power
  • Generate w’ to increase his delegation time and/or add designated signature verifiers.
  • σ’ = (w’/w)σ = (w’/w)x_o + dw’ mod q
  • N’ = ((w’/w)Y_o + w’N - Y_o)/w’
Proxy Credential Forgery Attack to LWXY
The fake credential can pass the verification, since
σ’B = ((w’/w)x_o + dw’)B
    = (w’/w)Y_o + w’N
    = Y_o + (w’/w)Y_o + w’N - Y_o
    = Y_o + w’(((w’/w)Y_o + w’N - Y_o)/w’)
    = Y_o + w’N’
Modify LWHY to Prevent The Attack
• Change the way to create proxy credentials
  • N = dB
  • σ = (x-coordinate of N)x_o + dw mod q
• Change the proxy credential verification to
  • σB ?= (x-coordinate of N)Y_o + wN
EA Scheme
• Setup: KGC chooses system parameters (G1, G2, q, B, Y_pub, e, h1, h2, h3), where
  • Y_pub = sB is a system public key and s is a system master key.
  • h1: {0,1}^* → G1
  • h2: G2 → {0,1}^n
  • h3: {0,1}^* × G2 → Z_q
• Each user i has a public-private key pair Y_i = h1(ID_i) and X_i = sY_i
EA Scheme
• Proxy credential (σ, N) generation:
  • σ = X_o + dY_pub, where d is a random number
  • N = dB
• Proxy credential verification:
  • e(B, σ) ?= e(Y_pub, Y_o + N). Why? Since
    e(B, σ) = e(B, X_o + dY_pub)
            = e(B, sY_o + dsB)
            = e(sB, Y_o + dB)
            = e(Y_pub, Y_o + N)
• Signcrypted message generation: omitted
• Signature recovery and verification: omitted
Proxy Credential Forgery Attack to EA
• PS can create a fake proxy credential (σ’, N’) from his original one and give it to another person without the permission of OS
  • σ’ = σ + d’Y_pub = X_o + (d+d’)Y_pub = X_o + d”Y_pub
  • N’ = N + d’B = dB + d’B = (d+d’)B = d”B
Proxy Credential Forgery Attack to EA
The fake credential (σ’, N’) can pass the verification, since
e(B, σ’) = e(B, X_o + d”Y_pub)
         = e(B, sY_o + d”sB)
         = e(sB, Y_o + d”B)
         = e(Y_pub, Y_o + N’)
Modify EA to Prevent Attack
• Change the way to create proxy credentials
  • N = dB
  • σ = (x-coordinate of N)X_o + dY_pub mod q
• Change the proxy credential verification to
  • e(B, σ) ?= e(Y_pub, (x-coordinate of N)Y_o + N)
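The EA equations can be checked in an algebra-only model of a symmetric pairing. The following is an added example, not code from the slides or from the scheme's authors; it assumes G1 = (Z_q, +) with B = 1 and e(X, Y) = g^(XY) mod p (bilinear, but with no hardness at all), uses the integer encoding of N in place of its x-coordinate, and all keys, nonces and the identity string are constructed.

```python
import hashlib

# Assumption: toy pairing for checking the algebra only, not a secure group.
# G1 = (Z_q, +) with generator B = 1; G2 = order-q subgroup of Z_p*, p = 2q + 1.
q, p, g, B = 1019, 2039, 4, 1

def e(X, Y):
    """Symmetric bilinear map: e(aX, bY) = e(X, Y)^(ab)."""
    return pow(g, X * Y % q, p)

def h1(identity):
    """Hash an identity string to a nonzero element of G1."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (q - 1) + 1

def issue(X_o, Y_pub, d, fixed):
    """OS: N = dB, sigma = X_o + d*Y_pub, or r*X_o + d*Y_pub with r taken from N."""
    N = d * B % q
    return ((N if fixed else 1) * X_o + d * Y_pub) % q, N

def verify(Y_o, Y_pub, sigma, N, fixed):
    """PS: e(B, sigma) == e(Y_pub, Y_o + N), or e(Y_pub, r*Y_o + N) when fixed."""
    return e(B, sigma) == e(Y_pub, ((N if fixed else 1) * Y_o + N) % q)

def rerandomize(Y_pub, sigma, N, d2):
    """Slide formulas: sigma' = sigma + d'Y_pub, N' = N + d'B."""
    return (sigma + d2 * Y_pub) % q, (N + d2 * B) % q

def demo(fixed):
    """Return (genuine accepted, forged accepted) for constructed sample values."""
    s = 777                                   # constructed KGC master key
    Y_pub, Y_o = s * B % q, h1("original-signer@example.org")
    X_o = s * Y_o % q                         # OS private key X_o = s*Y_o
    sigma, N = issue(X_o, Y_pub, 123, fixed)  # d = 123 (constructed)
    forged = rerandomize(Y_pub, sigma, N, 456)
    return verify(Y_o, Y_pub, sigma, N, fixed), verify(Y_o, Y_pub, *forged, fixed)
```

In the original scheme σ and N are both linear in d and nothing else depends on N, so any shift d’ yields another valid pair; once the coefficient of X_o is derived from N, the shifted pair no longer verifies.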
Efficiency
• Compared to LWHY, the modified LWHY adds 1 modular multiplication (MM) and 1 point multiplication (PM) in G1
• Both LWHY and modified LWHY require 4 bilinear pairing (BP) operations
  • 1 BP is about 11,110 MM
  • 1 PM is about a few hundred MM
• Compared to EA, the modified EA adds 3 PM
• Both EA and modified EA require 8 BP