Cryptanalysis of A Certificateless Encryption Scheme in The Standard Model
Abstract—Certificateless public key cryptography (CL-PKC) is an important type of public key cryptography: it removes the inherent key escrow problem of identity based public key cryptography while keeping its certificate-free property. Because the adversarial models in CL-PKC are relatively complex, designing efficient and secure certificateless encryption schemes in the standard model has been an interesting and challenging research topic. In this paper, we cryptanalyse an existing certificateless encryption scheme in the standard model and show its insecurity by demonstrating two kinds of attacks.

Keywords-certificateless encryption, bilinear pairing, standard model, malicious KGC

I. INTRODUCTION

In traditional public key cryptography, the authenticity of public keys is ensured by certificates signed by a certificate authority (CA), but certificate management is complex and costly. In 1984, Shamir [1] invented a new paradigm called Identity Based Encryption (IBE), which eliminates the need for certificates by deriving a user's public key directly from its identity information, such as an e-mail address, a telephone number or another identifier. The user's private key is generated by a trusted third party, called a private key generator (PKG), and is given to the user through a secure channel. By now, many IBE schemes have been proposed [2,3,4,5]. However, this approach creates a new inherent problem, the key escrow of users' private keys: the PKG must be completely trusted, since it knows every user's private key. Clearly, the PKG can decrypt any ciphertext and forge the signature of any user.

To fill the gap between traditional public key cryptography and identity based cryptography (ID-PKC), Al-Riyami and Paterson [6] introduced the notion of certificateless public key cryptography (CL-PKC) and presented the first certificateless encryption (CLE) scheme in 2003. In contrast to traditional public key cryptography, CL-PKC does not require certificates to ensure the authenticity of users' public keys. Similar to ID-PKC, CL-PKC still relies on a trusted third party, the key generation center (KGC), which possesses the system master key and generates a partial private key for each user. A user, however, produces its own full private key by combining its partial private key with a secret value chosen by itself. In this way the KGC never learns the full private key of any user, so CL-PKC does not suffer from the key escrow problem that seems inherent in ID-PKC. Freedom from both key escrow and certificates makes CL-PKC a very interesting research area in public key cryptography. A subsequent work by Yum and Lee [7] considered a generic construction of certificateless encryption; however, their construction was shown to be insecure against Type II adversaries by Galindo et al. In 2005, Al-Riyami and Paterson gave another CLE scheme [8], which was independently broken and modified by Libert and Quisquater [9] and by Zhang and Feng [10].

In most security models, the Type II adversary is an honest-but-curious KGC. Au et al. [14] considered a stronger security model for certificateless cryptography in which the KGC can be malicious-but-passive: a malicious KGC need not generate the system parameters and master key strictly following the scheme specification. To defend against the malicious KGC attack, Hwang and Liu [11] presented a CLE scheme using a different type of public key, but it could not withstand the key replacement attack shown by Zhang and Wang in [12]. Zhang and Wang [12] then put forward a CLE scheme (the ZW scheme) with a shorter public key. They claimed the ZW scheme is CCA secure in the standard model and withstands malicious KGC attacks. Unfortunately, we find their security conclusion is wrong.

In this paper, we show that the CLE scheme in [12] is flawed by demonstrating two kinds of attacks against it. In the first attack, a Type II adversary who knows the master key successfully distinguishes the ciphertexts of the challenge messages. In the second attack, a malicious KGC successfully distinguishes the ciphertexts of the challenge messages by injecting some special information into the system parameters. Therefore, the scheme in [12] is vulnerable to both Type II adversaries and a malicious KGC. Thus, the original CLE scheme of
4. $b' \leftarrow A^{\mathrm{oracles}}(\mathrm{params}, \mathrm{inf}, C^*)$

A wins the game if and only if $b' = b$. The advantage of A is defined as

$\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{CLE}}(A) = 2\,\bigl|\Pr[b' = b] - \tfrac{1}{2}\bigr|$.

If A is a Type I adversary, then $\mathrm{inf} = \emptyset$; if A is a Type II adversary, then $\mathrm{inf} = \mathrm{msk}$. A general adversary A may access the following oracles (in Phase 2 and Phase 4 of the game):

• Public key request query PK(ID): On receiving such a query, the challenger runs Set-Public-Key (first running Set-Secret-Value if necessary) to generate the public key $PK_{ID}$ and returns $PK_{ID}$ to A.
• Partial private key extraction query PPK(ID, $PK_{ID}$): On receiving such a query, the challenger runs Extract-Partial-Private-Key to generate the partial private key $d_{ID}$ (for $A_I$ only).
• Private key extraction query PrK(ID): On receiving such a query, if the public key has not been replaced, the challenger runs Set-Private-Key to generate the private key $SK_{ID}$.
• Public key replacement query PKR(ID): Such a query allows the adversary A to replace the public key of a user ID with any value of its choice. The new value is recorded and used by the challenger in subsequent computations and responses to the adversary's queries (for $A_I$ only).
• Decryption query Dec(ID, $PK_{ID}$, C): On receiving such a query, the challenger returns the correct decryption of the ciphertext C under identity ID and public key $PK_{ID}$, even if the public key of user ID has been replaced. This is a rather strong property of the security model (after all, the challenger may no longer know the correct private key), but it gives the adversary more power in breaking the scheme.

There are the following restrictions:
• $A_I$, $A_{II}$ cannot extract the private key for the challenge identity $ID^*$.
• $A_I$, $A_{II}$ cannot make a decryption query on $C^*$.
• $A_I$ cannot request the private key for any identity whose public key has already been replaced.
• $A_I$ cannot extract the partial private key for $ID^*$ if it has replaced the public key for $ID^*$ before the challenge phase.
• $A_{II}$ cannot replace public keys at any point.

Then choose a hash function H from a family of universal one-way hash functions. The public parameters are $\mathrm{params} = (G, G_T, \hat e, H, g, g_1, h_1, h_2, h_3)$ and the master secret key is $\mathrm{msk} = \alpha$.

• Set-Secret-Value: Pick $x \in Z_p^*$ at random and return the user secret key $sk = x$.
• Set-Public-Key: Compute $PK_{ID} = (pk_1, pk_2) = (g^x, h_1^x)$ and run a zero-knowledge proof protocol with the KGC to prove knowledge of x. Publish $PK_{ID} = (pk_1, pk_2) = (g^x, h_1^x)$.
• Extract-Partial-Private-Key: Pick $r_1, r_2, r_3 \in Z_p^*$ and compute
$h_{ID,1} = (pk_2\, g^{-r_1})^{1/(\alpha - ID)} = (h_1^x\, g^{-r_1})^{1/(\alpha - ID)}$,
$h_{ID,i} = (h_i\, g^{-r_i})^{1/(\alpha - ID)}, \quad i = 2, 3$.
Return $d_{ID} = (r_1, h_{ID,1}, r_2, h_{ID,2}, r_3, h_{ID,3})$ as the answer.
• Set-Private-Key: Set $SK_{ID} = (s_1, s_2, s_3, s_4, s_5, s_6, s_7) = (sk, d_{ID}) = (x, r_1, h_{ID,1}, r_2, h_{ID,2}, r_3, h_{ID,3})$.
• Encrypt: To encrypt a message $m \in G_T$, parse $PK_{ID} = (pk_1, pk_2) = (g^x, h_1^x)$ and check that it has the right format by verifying the equation
$\hat e(pk_1, h_1) = \hat e(pk_2, g)$.
If so, choose $s \in Z_p^*$ and compute $C = (C_0, C_1, C_2, C_3)$ as follows:
$C_0 = g_1^s\, g^{-ID \cdot s}$,
$C_1 = \hat e(g, g)^s$,
$C_2 = m \cdot \hat e(pk_1, pk_2)^{-s}$,
$C_3 = \hat e(g, h_2)^s\, \hat e(g, h_3)^{s\beta}$,
where $\beta = H(C_0, C_1, C_2, ID, PK_{ID})$.
• Decrypt: Parse C as $(C_0, C_1, C_2, C_3)$ and the private key $SK_{ID}$ as $(s_1, s_2, s_3, s_4, s_5, s_6, s_7)$. Compute
$\beta = H(C_0, C_1, C_2, ID, PK_{ID})$
IV. SECURITY ANALYSIS OF ZW SCHEME

As defined in [6], a certificateless encryption scheme is secure if and only if it resists both Type I and Type II adversaries. Recall that a Type II adversary $A_{II}$ is given the master secret key msk but is not allowed to replace users' public keys, and that a malicious KGC need not even generate the system parameters and master key strictly following the scheme specification. We show that the ZW scheme in [12] resists neither a Type II adversary nor a malicious KGC. We present two kinds of attacks in which the adversary obtains the plaintext $M_b$ underlying the challenge ciphertext $C^*$, while $C^*$ itself is never submitted to the decryption oracle for the combination $(ID^*, PK_{ID^*})$ under which $M_b$ was encrypted. Both attacks exploit the same property of the scheme: the component $C_2$ can be re-blinded by any element of $G_T$, and the component $C_3$ depends on the rest of the ciphertext only through $\beta$, so anyone able to evaluate $\hat e(g, h_2)^s\, \hat e(g, h_3)^{s\beta'}$ for a fresh $\beta'$ can turn $C^*$ into a different valid ciphertext of a related message. Our attacks on the ZW scheme [12] are as follows.

A. Attacks by Type II Adversaries

• Let $(ID^*, M_0, M_1)$ be the challenge query submitted to the challenger by a Type II adversary $A_{II}$; here $A_{II}$ models an honest-but-curious KGC.
• Let $C^* = (C_0, C_1, C_2, C_3)$ be the challenge ciphertext returned by the challenger. Note that $C^*$ is the encryption of $M_b$ under the target identity $ID^*$ and its current public key $PK_{ID^*}$. From the encryption algorithm we know
$C_0 = g_1^s\, g^{-ID^* s}$,
$C_1 = \hat e(g, g)^s$,
$C_2 = M_b \cdot \hat e(pk_1, pk_2)^{-s}$,
$C_3 = \hat e(g, h_2)^s\, \hat e(g, h_3)^{s\beta}$,
where $\beta = H(C_0, C_1, C_2, ID^*, PK_{ID^*})$.
• Now $A_{II}$ generates another ciphertext $C' = (C_0', C_1', C_2', C_3')$ for identity $ID^*$ with public key $PK_{ID^*}$ as follows. It picks at random $a \in G_T$ with $a \neq 1$ and computes
$C_0' = C_0,\quad C_1' = C_1,\quad C_2' = a\,C_2,\quad C_3' = \hat e(g, h_2)^s\, \hat e(g, h_3)^{s\beta'}$,
where $\beta' = H(C_0', C_1', C_2', ID^*, PK_{ID^*})$.
To compute $C_3'$, $A_{II}$ first obtains $g^s = C_0^{1/(\alpha - ID^*)}$ from $\alpha$ and $C_0$ (since $g_1 = g^\alpha$, we have $C_0 = g^{s(\alpha - ID^*)}$), and then computes
$C_3' = \hat e(g, h_2)^s\, \hat e(g, h_3)^{s\beta'} = \hat e(g^s, h_2)\, \hat e(g^s, h_3)^{\beta'}$.
• $C'$ is a valid ciphertext, since with $SK_{ID^*} = (s_1, \dots, s_7)$ we have
$\hat e(C_0', s_5\, s_7^{\beta'})\, C_1'^{\,s_4 + s_6\beta'} = \hat e(C_0, h_{ID^*,2}\, h_{ID^*,3}^{\beta'})\, C_1^{\,r_2 + r_3\beta'}$
$= \hat e\bigl(g_1^s\, g^{-ID^* s},\ (h_2\, g^{-r_2})^{1/(\alpha - ID^*)}\, (h_3\, g^{-r_3})^{\beta'/(\alpha - ID^*)}\bigr)\ \hat e(g, g)^{s(r_2 + r_3\beta')}$
$= \hat e\bigl(g^s,\ h_2\, g^{-r_2}\, (h_3\, g^{-r_3})^{\beta'}\bigr)\ \hat e(g, g)^{s(r_2 + r_3\beta')}$
$= \hat e(g^s, h_2)\, \hat e(g^s, h_3)^{\beta'} = C_3'$.
As $C'$ is a valid ciphertext different from the challenge ciphertext $C^*$ for the challenge identity $ID^*$, $A_{II}$ may submit $(C', ID^*, PK_{ID^*})$ as a decryption query and obtains the plaintext $M'$. Since $M' = a\,M_b$, the plaintext $M_b$ ($b \in \{0, 1\}$) underlying $C^*$ is $M_b = a^{-1} M'$. Hence the adversary $A_{II}$ successfully distinguishes the ciphertexts of the challenge messages $M_0, M_1$. Therefore, the ZW scheme [12] is insecure against the chosen ciphertext attack of a Type II adversary $A_{II}$.

B. Malicious KGC Attacks

Let A model a malicious KGC. In the initialization phase, A generates the master secret key msk and the system parameters params for the challenger. In particular, A defines the parameters $h_2, h_3$ as
$h_2 = g^b,\quad h_3 = g^c$,
where $b, c \in_R Z_p^*$ are chosen by the adversary A. The attack is as follows.
• Let $(ID^*, M_0, M_1)$ be the challenge query submitted to the challenger by the adversary A.
• Let $C^* = (C_0, C_1, C_2, C_3)$ be the challenge ciphertext returned by the challenger. Note that $C^*$ is the encryption of $M_b$ under the target identity $ID^*$ and its current public key $PK_{ID^*}$. From the encryption algorithm we know
$C_0 = g_1^s\, g^{-ID^* s}$,
$C_1 = \hat e(g, g)^s$,
$C_2 = M_b \cdot \hat e(pk_1, pk_2)^{-s}$,
$C_3 = \hat e(g, h_2)^s\, \hat e(g, h_3)^{s\beta}$,
where $\beta = H(C_0, C_1, C_2, ID^*, PK_{ID^*})$.
• Now A generates another ciphertext $C' = (C_0', C_1', C_2', C_3')$ for identity $ID^*$ with public key $PK_{ID^*}$ as follows. It picks at random $t \in G_T$ with $t \neq 1$ and computes
$C_0' = C_0,\quad C_1' = C_1,\quad C_2' = t\,C_2,\quad C_3' = C_1^{\,b + c\beta'}$,
where $\beta' = H(C_0', C_1', C_2', ID^*, PK_{ID^*})$.
• We can see that $C' = (C_0', C_1', C_2', C_3')$ is really a valid ciphertext for identity $ID^*$ on the message $M' = t\,M_b$, since
$C_3' = C_1^{\,b + c\beta'} = \hat e(g, g^b)^s\, \hat e(g, g^c)^{s\beta'} = \hat e(g, h_2)^s\, \hat e(g, h_3)^{s\beta'}$,
which is exactly the $C_3$ component that Encrypt would produce for $(C_0, C_1, C_2')$. Note that this forgery uses only the exponents $b, c$ that A planted in the system parameters; the master key $\alpha$ is not needed.
As $C'$ is a valid ciphertext different from the challenge ciphertext $C^*$ for the challenge identity $ID^*$, A can successfully distinguish the ciphertexts of the challenge messages $M_0, M_1$ as above. Therefore, the ZW scheme [12] is insecure against the chosen ciphertext attack of a malicious KGC.
V. CONCLUSION

In this paper, we reviewed the security of a certificateless encryption scheme (the ZW scheme) proposed in [12] and showed that it is insecure against both a Type II adversary and a malicious KGC. Two kinds of concrete attacks were demonstrated to show how an adversary can break the CCA security of the ZW scheme.

REFERENCES

[12] G. Zhang and X. Wang, Certificateless Encryption Scheme Secure in Standard Model. Tsinghua Science and Technology, pp. 452-459, 2009.
[13] F. Zhang, Y. Sun, L. Zhang, M. Geng and S. Li, Research on Certificateless Public Key Cryptography. Journal of Software, 22(6), pp. 1316-1332, 2011.
[14] Man Ho Au, J. Chen, K. Joseph Liu, Yi Mu, Duncan S. Wong, and G. Yang, Malicious KGC attacks in certificateless cryptography. In Proc. ASIACCS 2007, Singapore, Mar. 20-22, pp. 302-311, 2007.