2012 Fourth International Conference on Intelligent Networking and Collaborative Systems
Cryptanalysis of a Certificateless Encryption Scheme in the Standard Model
Limin Shen1 , Futai Zhang1 , Yinxia Sun1
1 2
Jiangsu Engineering Research Center of
Information Security and Privacy Protection Technology,
School of Computer Science and Technology,
Nanjing Normal University, Nanjing 210097, China
Email: shenlimin@njnu.edu.cn
zhangfutai@njnu.edu.cn, 73003@njnu.edu.cn
Abstract—Certificateless public key cryptography (CL-PKC)
is an important type of public key cryptography, which
effectively solves the inherent key escrow problem in identity
based public key cryptography while keeps its certificate-free
property. As the adversarial models in CL-PKC are relatively
complex, designing efficient and secure certificateless encryp-
tion schemes in the standard model has been an interesting and
challenging research topic. In this paper, we give cryptanalysis
to an existing certificateless encryption scheme in the standard
model. We show its insecurity by demonstrating two kinds of
attacks.
Keywords-certificateless encryption, bilinear pairing, stan-
dard model, malicious KGC
I. I NTRODUCTION
In traditional public key cryptography, the authenticity of
public keys is ensured by certificates signed by a certificate
authority (CA). But the issues associated with certificate
management are quite complex and costly. In 1984, Shamir
[1] first invented a new paradigm called Identity Based
Encryption (IBE) which eliminates the need for certificate
by deriving public keys for users directly from their identity
information, such as e-mail address, telephone number or
other identifiers. The user’s private key is generated by a
trusted third party, called a private key generator (PKG)
and is given to the user through a secure channel. By now,
many IBE schemes have been proposed [2,3,4,5]. However
this approach creates a new inherent problem namely the
key escrow of a user’s private key, since the PKG must be
completely trusted and it has the knowledge of every user’s
private key. Clearly, PKG can decrypt any ciphertext and
forge the signature of any user.
To fill the gap between traditional cryptography and iden-
tity based cryptography (ID-PKC), Al-Riyami and Paterson
[6] introduced a new notion called certificateless public key
cryptography (CL-PKC) and presented the first certificate-
less encryption(CLE) scheme in 2003. In contrast to tradi-
tional public key cryptography, CL-PKC does not require the
use of any certificates to ensure the authenticity of public
keys of users. Similar to ID-PKC, CL-PKC also relies on the
existence of a trusted third party —– key generation center
978-0-7695-4808-1/12 $26.00 © 2012 IEEE
DOI 10.1109/iNCoS.2012.68
Sujuan Li1,2
College of Sciences, Nanjing University of Technology
Nanjing 210009, China
Email: lisujuan1978@126.com
(KGC) who possesses the system master key and generates
a partial private key for a user. Nevertheless, a user produces
its own full private key by combining its partial private key
and a secret value chosen by itself. In this way, the KGC
cannot get to know the full private key of any user. Thus,
CL-PKC does not suffer from the key escrow problem that
seems to be inherent in ID-PKC. Without key escrow and
no need for certificates make CL-PKC a very interesting
research area in public key cryptography. A subsequent
work by Yum-Lee [7] considered a generic construction
of Certicateless encryption. However their construction was
insecure against Type II adversaries as shown by Galindo
et al. In 2005, Al-Riyami and Paterson gave another CLE
scheme [8] which was independently broken and modified
by Libert-Quisquater [9] and Zhang-Feng [10].
In most security models, the Type II adversary is an
honest-but-curious KGC. While, Man Ho Au et al.[14]
considered a strong security model for certificateless cryp-
tography, in which, the KGC can be malicious-but-
passive. A malicious KGC may not generate system
parameters and master key strictly following the scheme
specification. To defend from the malicious KGC attack,
Hwang and Liu [11] presented a CLE scheme using a
different type of public key, but it could not withstand the
key replacement attack as shown by Zhang and Wang in
[12]. Zhang and Wang [12] put forward a CLE scheme (ZW
scheme) with a shorter public key. They claimed the ZW
scheme was CCA secure in the standard model and can
withstand malicious KGC attack. Unfortunately, we find
their security conclusion is wrong.
In this paper, we show that the CLE scheme in [12] is
flawed by demonstrating two kinds of attacks against it. In
our first attack, we show that a Type II adversary who knows
master key can successfully distinguish the ciphertexts of
challenge messages. In the second attack, we show that a
malicious KGC can successfully distinguish the ciphertexts
of challenge messages by injecting some special information
into the system parameters. Therefore, the scheme [12]
is vulnerable to the attacks of both Type II adversaries
and malicious KGC. Thus, the original CLE scheme of
329
Zhang and Wang [12] fails to achieve the security goal of
indistinguishability.
we give cryptanalysis to the ZW scheme. We demonstrate
two kinds of attacks which show how can a Type II adversary
and a malicious KGC break the indistinguishability of the
scheme.
The rest of this paper is organized as follows. Section
II gives some preliminaries, including the definition
of bilinear pairing, our complexity assumptions, the
notion and security model of CLE schemes. Section III
reviews the certificateless encryption scheme of zhang
and wang [13]. And section IV presents the attacks on
ZW scheme. Finally, the conclusions are given in Section V.
II. P RELIMINARIES
In this section, we review some fundamental backgrounds
required in this paper, namely bilinear pairing, complexity
assumptions and the basic notions of certificateless public
key encryption.
A. Bilinear pairing
Let G and GT denote two multiplicative cyclic groups
of prime order p and g be a generator of G. A map ê :
G × G −→ GT is called a bilinear pairing if it satisfies the
following properties:
− Bilinear: ê(g a , hb ) = ê(g, h)ab for all g, h ∈ G and a, b ∈
Zp∗ .
− Non-degenerate: ê(g, g) = IGT , where IGT is the identity
element of GT .
− Computable: There exits an efficient algorithm to compute
ê(g, h) for all g, h ∈ G.
B. Complexity Assumptions
Definition 1 (Decisional truncated q-ABDHE assump-
tion) We define the decisional truncated q-ABDHE problem
[15] as follows: Given a vector of q + 3 elements
(g  , g α
q+2 2 q
, g, g α , g α , · · · , g α ) ∈ Gq+3
and an element Z ∈ GT as input, output 1 if Z =
q+1
ê(g  , g α ) and output 0 otherwise. We say that the
decisional truncated (t, , q)-ABDHE assumption holds in
(G, GT , ê) if no t-time algorithm has adavantage at least 
over random guessing in solving the decisional q-ABDHE
problem in (G, GT , ê).
Definition 2 (Decisional bilinear Diffie-Hellman (DB-
DH) assumption) The DBDH problem [16] is defined as
follows: On input (g, g a , g b , g c ) ∈ G4 , with uniformly
random choices of a, b, c ∈ Zp∗ and a random element
Z ∈ GT , output 1 if Z = ê(g, g)abc and 0 otherwise. We
say that the(t, )-DBDH assumption holds in (G, GT , ê) if
no t-time algorithm has adavantage at least  over random
guessing in solving the DBDH problem in (G, GT , ê).
330
C. Certificateless public key encryption
A certificateless public key encryption scheme is de-
fined by seven algorithms [12] (which is slightly different
from [6]): Setup, Set-Secret-Value, Set-Public-Key, Extract-
Partial-Private-Key, Set-Private-Key, Encrypt and Decrypt.
The description of each algorithm is as follows.
• Setup(k): Taking as input a security parameter k, the
key generation center (KGC) runs this algorithm to generate
a master key msk and a list of public parameters params.
• Set-Secret-Value(params, IDi ): Taking as input params
and IDi , the user with identity IDi runs this algorithm to
generate a secret value xi for himself.
• Set-Public-Key(params, xi ): Taking as input params and
xi , the user runs this algorithm to generate a public key P Ki .
• Extract-Partial-Private-Key(msk, params, IDi , P Ki ):
Taking as input msk, params, a user’s identity IDi and
public key P Ki , KGC runs this algorithm to generate a
partial private key di for the user.
• Set-Private-Key(params, di , xi ): Taking as input params,
IDi , di and xi , the user runs this algorithm to generate a
private key SKi .
• Encrypt(params, P Ki , IDi , M ): Taking as input a mes-
sage M , params, a user’s identity IDi and public key P Ki ,
a message sender runs this algorithm to return a ciphertext
C.
• Decrypt(params, SKi , C): Taking as input the cipher-
text C, params and the private key SKi , the user runs this
algorithm to return a message M or a ”reject” message.
D. Adversarial model of certificateless public key encryption
As defined in [6], there are two types of adversaries with
different capabilities in CL-PKC.
Type I Adversary: This type of adversary AI models an
adversary which does not have access to the master secret
key msk, but has the ability to replace the public key of
any entity with a value of his choice, because there is no
certificate involved in CL-PKC.
Type II Adversary: This type of adversary AII models
an honest-but-curious KGC in most security models. A
type II adversary AII has access to the master secret key
msk but cannot perform public key replacement.
A malicious KGC may not generate system parameters
and master key strictly following the scheme specification
[14]. One restriction is that it cannot perform public key
replacement.
Definition 3 (IND-CCA2 Secure[12, 13]) A certificate-
less public key encryption scheme is said to be secure against
adaptive chosen ciphertext attack (IND-CCA2 secure) if no
polynomial-bounded adversary A of Type I or Type II has
a non-negligible advantage in the following game:
1. (params, msk) ←− ChallengerSetup (k)
2. (ID∗ , (M0 , M1 )) ←− Aoracles (params, inf )
3. b ←− {0, 1}, C ∗ ←− ChallengerEncrypt (Mb , ID∗ )
 4. b ←− Aoracles (params, inf, C ∗ )
A wins the game if and only if b = b. The advantage of A
is defined as
1 secret key is msk=α.
Adv(A)IN
CLE
D−CCA2
= 2|P r[b = b] − |
2
If A is a Type I adversary, then inf = ∅, else if A is a Type
II adversary, then inf = msk. A general adversary A may
access the oracles (in Phase 2 and Phase 4 of the game) as
follows:
• Public key request query PK(ID): On receiving such
a query, the challenger responds by running algorithm Set-
Public-Key to generate the public key P KID and returns
P KID to A. (first running Set-Secret-Value if necessary)
• Partial private key extraction query PPK(ID, P KID ):
On receiving such a query, the challenger responds by
running algorithm Extract-Partial-Private-Key to generate
the partial private key dID .(for AI only)
• Private key extraction query PrK(ID): On receiving
such a query, if the public key has not been replaced, then
the challenger can respond by running algorithm Set-Private-
Key to generate the private key SKID .
• Public key replacement query PKR(ID): Such a query
allows the adversary A to replace the public key of a user
ID with any value of its choice. The new value will be
recorded and will be used by the challenger in the coming
computations or responses to the adversary’s queries.(for AI
only)
• Decryption query Dec(ID, P KID , C): On receiving
such a query, the challenger returns the correct decryption
of ciphertext C under identity ID and public key P KID ,
even if the corresponding public key for the user ID has
been replaced. This is a rather strong property for the
security model (after all, the challenger may no longer know
the correct private key). However, this capability gives the
adversary more power in breaking the scheme.
There are some restrictions as follows:
• AI , AII cannot extract the private key for the challenge
identity ID∗ .
∗
• AI , AII cannot make a decryption query on C .
• AI cannot request the private key for any identity
whose public key has already been replaced.
∗
• AI cannot extract the partial private key for ID if
it has replaced the public key for ID∗ before the
challenge phase.
• AII cannot replace public keys at any point.
III. R EVIEW OF ZW S CHEME
In this section, we review the ZW scheme from [12]. Let
G and GT denote two multiplicative cyclic groups of prime
order p and let ê : G × G −→ GT be a bilinear pairing. The
ZW scheme is as follows.
• Setup: Pick random generators (g, h1 , h2 , h3 ) ∈ G4
and a random α ∈ Zp∗ , compute g1 = g α ∈ G.
331
Then choose a Hash function H from a family of u-
niversal one-way Hash functions. The public parameters
are params=(G, GT , ê, H, g, g1 , h1 , h2 , h3 ) and the master
• Set-Secret-Value: Pick x ∈ Zp∗ at random and return the
user secret key sk = x.
• Set-Public-Key: Compute
P KID = (pk1 , pk2 ) = (g x , hx1 )
and run a zero-knowledge proof protocol with the KGC
to prove the possession of the knowledge of x. Publish
P KID = (pk1 , pk2 ) = (g x , hx1 ).
• Extract-Partial-Private-Key: Pick r1 , r2 , r3 ∈ Zp∗ and
compute
1 1
hID,1 = (pk2 g −r1 ) α−ID = (hx1 g −r1 ) α−ID
1
hID,i = (hi g −ri ) α−ID , i = 2, 3.
Return dID = (r1 , hID,1 , r2 , hID,2 , r3 , hID,3 ) as the an-
swer.
• Set-Private-Key: Set SKID = (s1 , s2 , s3 , s4 , s5 , s6 , s7 )
= (sk, dID ) = (x, r1 , hID,1 , r2 , hID,2 , r3 , hID,3 ).
• Encrypt: To encrypt the message m ∈ GT , parse
P KID = (pk1 , pk2 ) = (g x , hx1 )
and then check whether it has the right format by verifying
the equation
ê(pk1 , h1 ) = ê(pk2 , g).
If so, choose s ∈ Zp∗ and compute C = (C0 , C1 , C2 , C3 ) as
follows:
C0 = g1s g −IDs
C1 = ê(g, g)s
C2 = m · ê(pk1 , pk2 )−s
C3 = ê(g, h2 )s ê(g, h3 )sβ
where β = H(C0 , C1 , C2 , ID, P KID ).
• Decrypt: Parse C as (C0 , C1 , C2 , C3 ) and the private
key SKID as (s1 , s2 , s3 , s4 , s5 , s6 , s7 ). Compute
β = H(C0 , C1 , C2 , ID, P KID )
and check whether
C3 = ê(C0 , s5 sβ7 )C1s4 +s6 β .
Reject C if the equation does not hold.
Otherwise, return
m = C2 (ê(C0 , s3 )C1s2 )s1 .
 IV. S ECURITY A NALYSIS OF ZW S CHEME
As defined in [6], a certificateless encryption scheme is
secure iff it resists against both type I and type II adversaries.
Recall that a type II adversary AII is given the master
secret key msk but is not allowed to replace public keys of
users, and a malicious KGC even can not generate system
parameters and master key strictly following the scheme
specification. We show that the ZW scheme in [12] can not
resist the attacks of a type II adversary and a malicious
KGC. We present two kinds of attacks in which adversaries
can get the plaintext Mb underline the challenge ciphertext
C ∗ , while C ∗ has not been submitted to the decryption query
for the combination (ID∗ , P KID∗ ) under which Mb has
been encrypted. Our attacks on ZW scheme [12] are shown
as follows.
A. Attacks by Type II Adversaries
• Let (ID∗ , M0 , M1 ) be the challenge query being sub-
mitted to the challenger by a type II adversary AII ,
here AII models an honest-but-curious KGC.
• Let C ∗ = (C0 , C1 , C2 , C3 ) be the challenge ciphertext
returned by the challenger. Note that C ∗ is the encryp-
tion of Mb under the target identity ID∗ and its current
public key P KID∗ . From the encryption algorithm we
know
∗
C0 = g1s g −ID s
C1 = ê(g, g)s
C2 = m · ê(pk1 , pk2 )−s
s sβ
C3 = ê(g, h2 ) ê(g, h3 )
where β = H(C0 , C1 , C2 , ID∗ , P KID∗ ).
• Now, AII can generate another ciphertext C  =
(C0 , C1 , C2 , C3 ) for identity ID∗ with public key
P KID∗ as follows.
It picks at random a ∈ Zp∗ (a = 1), computes

C0 = C0 , C1 = C1 , C2 = aC2 , C3 = ê(g, h2 )s ê(g, h3 )sβ
where β  = H(C0 , C1 , C2 , ID∗ , P KID∗ ).
= C3
As C  is a valid ciphertext different from the challenge
ciphertext C ∗ for the challenge identity ID∗ , AII can
submit (C  , ID∗ , P KID∗ ) for a Decryption query. As a
result, AII gets the plaintext M  from the Decryption query.
It is clear that the plaintext Mb (b ∈ {0, 1}) underline C ∗ is
Mb = a−1 M  . Hence, the adversary AII can successfully
distinguish the ciphertexts of challenge messages M0 , M1 .
Therefore, the ZW scheme [12] is insecure against chosen
ciphertext attack of a type II adversary AII .
B. M alicious KGC Attacks
Let A model a malicious KGC. In the initialization
phase, A generates the master secret key msk and the system
parameters params for challenger. In particular, A defines the
parameters h2 , h3 as below:
h2 = g b , h3 = g c
Where b, c ∈R Zp∗ are chosen by adversary A. The attack is
as follows.
∗
• Let (ID , M0 , M1 ) be the challenge query being sub-
mitted to the challenger by an adversary A.
∗
• Let C = (C0 , C1 , C2 , C3 ) be the challenge ciphertext
returned by the challenger. Note that C ∗ is the encryp-
tion of Mb under the target identity ID∗ and its current
public key P KID∗ . From the encryption algorithm we
know
∗
C0 = g1s g −ID s
C1 = ê(g, g)s
C2 = m · ê(pk1 , pk2 )−s
C3 = ê(g, h2 )s ê(g, h3 )sβ
where β = H(C0 , C1 , C2 , ID∗ , P KID∗ ).
• Now, A can generate another ciphertext C  =
(C0 , C1 , C2 , C3 ) for identity ID∗ with public key
P KID∗ as follows.
It picks at random t ∈ Zp∗ (t = 1), computes
C0 = C0 , C1 = C1 , C2 = tC2 , C3 = C1b+cβ


1
α−ID ∗
To compute C3 , AII first gets g s = C0 from α
where β  = H(C0 , C1 , C2 , ID∗ , P KID∗ ).
and C0 , then computes     
• We can see that C = (C0 , C1 , C2 , C3 ) is really a valid
 
C3 = ê(g, h2 )s ê(g, h3 )sβ = ê(g s , h2 )ê(g s , h3 )β . ciphertext for identity ID on message M  = tMb
∗

with public key P KID∗ , since we have

• We can see that C  = (C0 , C1 , C2 , C3 ) is really a valid C1b+cβ


ciphertext for identity ID∗ on message M  = aMb 

= ê(g, g)sb ê(g, g)scβ
with public key P KID∗ , since we have 

 β 
s4 +s6 β  = ê(g, g b )s ê(g, g c )sβ
ê(C0 , s5 s7 )C1 = ê(g, h2 )s ê(g, h3 )sβ )

 
= ê(C0 , hID∗ ,2 hβID∗ ,3 )C1r2 +r3 β = C3
∗ 1 β
= ê(g1s g −ID s , (h2 g −r2 ) α−ID∗ (h3 g −r3 ) α−ID∗ ) 
As C is a valid ciphertext different from the challenge

ê(g, g)s(r2 +r3 β ) ciphertext C ∗ for the challenge identity ID∗ , A can suc-
 
= ê(g s , h2 g −r2 · (h3 g −r3 )β ) · ê(g, g)s(r2 +r3 β ) cessfully distinguish the ciphertexts of challenge messages

= ê(g s , h2 )ê(g s , h3 )β M0 , M1 like above. Therefore, the ZW scheme [12] is

332
insecure against chosen ciphertext attack of a malicious
KGC.
V. C ONCLUSION
In this paper, we reviewed the security of a certificateless
encryption scheme (ZW scheme) proposed in [12] and
showed it is insecure against both the type II adversary
and malicious KGC. Two kinds of concrete attacks are
demonstrated to show how can an adversary break the CCA
security of the ZW scheme.
[12] G. Zhang and X. Wang, Certificateless Encryption Scheme
Secure in Standard Model. Tsinghua Science and Technology.
pp452-459, 2009.
[13] F. Zhang, Y. Sun, L. Zhang, M. Geng and S. Li, Research on
Certificateless Public Key Cryptography. Journal of Software,
22(6),pp1316-1332, 2011.
[14] Man Ho Au, J. Chen, K. Joseph Liu, Yi Mu, Duncan
S. Wong, and G. Yang, Malicious KGC attacks in certificateless
cryptography. In Proc. ASIACCS 2007, Singapore, Mar. 20-22,
PP302-311, 2007.

[15] C. Gentry, Practical identity-based encryption without ran-

ACKNOWLEDGMENT
This research is supported by the Nature Science Foun-
dation of China (No. 61170298) and Natural Science Foun-
dation of Jiangsu Province, China (No. BK2011101).
R EFERENCES
[1] A. Shamir, Identity-based cryptosystems and signature
schemes. In CRYPTO, pp47-53, 1984.
dom oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006.
LNCS, vol. 4004,Springer, Heidelberg, pp445-464, 2006.
[16] K. Joseph Liu and J. Zhou. Efficient Certificate-Based En-
cryption in the Standard Model. R.Ostrovsky,R.De Prisco, and
I.Visconti (Eds.): SCN 2008, LNCS 5229, pp144-155,2008. c
Springer-Verlag Berlin Heidelberg 2008.

[2] D. Boneh and F. Franklin, Identity-based encryption from the

Weil pairing. Lecture Notes in Computer Science, 2139 pp213-
229, 2001.

[3] S L. Paulo , M, Barreto, L. Benoit , et al., Efficient and provably

secure identity based signature and signcryption from bilinear
maps. Lecture Notes in Computer Science, 3788 pp515-532,
2005.

[4] B. Lee, C. Boyd, E. Dawson, et al., Secure key issuing in ID-

based cryptography. In: Proceedings of the Second Australian
Information Security WorkshopłAISW 2004. Dunedin, New
Zealand, 32 pp69-74, 2004.

[5] V. Goyal, Reducing trust in the PKG in identity based cryp-

tosystems. Lecture Notes in Computer Science, 4450, pp430-
447, 2007.

[6] S. S. Al-Riyami and K. G. Paterson, Certificateless Public

Key Cryptography. Advances in Cryptography-Asiacrypt 2003,
LNCS 2894, pp452-473, Springer-Verlag, Berlin, 2003.

[7] D. Yum, P. Lee, Generic construction of certicateless encryp-

tion, In ICCSA 2004, Vol.3043 of LNCS, Berlin: Springer-
Verlag, pp802-811, 2004.

[8] S.S. Al-Riyami, K.G. Paterson, CBE from CL-PKE: A Generic

Construction and Efficient schemes, In PKC 2005, Vol.3386 of
LNCS, Berlin: Springer-Verlag, pp398-415, 2005.

[9] B. Libert, J.J. Quisquater, On constructing certicateless cryp-

tosystems from identity based encryption, In PKC 2006,
Vol.3958 of LNCS, Berlin: Springer-Verlag, pp474-490, 2006.

[10] Z. Zhang, D. Feng, On the security of a certicateless public-

key encryption, Available from http://eprint.iacr.org/2005/426.

[11] Y. H. Hwang, J.K. Liu, Certificateless public key encryption

secure against malicious KGC attacks in the standard model.
Journal of Universal Computer Science, 14(3)pp463-480, 2008.

333