Abstract: As an important anonymity technology, the proxy blind signature is a significant cryptographic primitive: it combines the advantages of blind signatures and proxy signatures with some new features, solves many practical problems and has wide applications. Recently, an efficient certificateless proxy blind signature scheme with forward security was proposed. By our analysis, however, we show that the scheme is insecure: it is subject to forgery attacks and does not provide forward security. The corresponding attacks are given, and we also analyze the reason such attacks arise.
INTRODUCTION
In a traditional Public Key Infrastructure (PKI), the public key is a "random" string that is unrelated to the identity of the user. Thus, a trusted authority is needed to vouch for the binding between the public key and the user by issuing a certificate, which results in complex certificate management, such as key distribution and certificate revocation. Before using a user's public key, one must first verify that the certificate is valid. In 1984, the notion of ID-based cryptography was introduced to solve the certificate management problem (to simplify key management and remove the public key certificate). A distinguishing property of ID-based cryptography is that a user's public key can be any binary string that identifies the user, such as an IP address or an email address. The private key of a user is produced by a trusted party called a Private Key Generator (PKG), with the help of the PKG's master secret key. In such a setting, the only thing that needs to be certified is the public key of the PKG, so ID-based cryptography drastically reduces the need for certificates. However, an inherent problem of ID-PKC is that the Key Generation Center (KGC) generates every user's private key from its master key. Obviously, a malicious KGC is able to forge the signature of any signer. This is called the "key escrow" problem. It means that all users must unconditionally trust the KGC.
To solve the key escrow problem, Al-Riyami and Paterson (2003) proposed a novel public key cryptosystem, certificateless public key cryptography. In this system, the user's private key is not generated by the KGC alone but by combining a partial private key generated by the KGC with a secret selected by the user. Since no certificates are needed, it solves the certificate management problem of certificate-based public key systems and is more suitable for secure applications in low-bandwidth and low-power environments.
The notion of a proxy signature scheme was introduced by Mambo et al. (1996). A proxy signature scheme allows an entity called the original signer to delegate its signing capability to other entities, called proxy signers. Since they were proposed, proxy signature schemes have been suggested for use in many applications, particularly in distributed computing, where delegation of rights is quite common. Examples discussed in the literature include distributed systems, grid computing, mobile agent applications, distributed shared object systems, global distribution networks and mobile communications. To adapt to different situations, many proxy signature variants have been produced, such as one-time proxy signatures, proxy blind signatures, multi-proxy signatures and so on. Since the proxy signature appeared, it has attracted great attention from many researchers. Based on the delegation type, proxy signature schemes are divided into full delegation, partial delegation and delegation by warrant. Depending on whether the original signer knows the proxy secret key, proxy signatures can also be classified as proxy-unprotected and proxy-protected schemes. In a proxy-protected scheme, the original signer cannot impersonate the proxy signer to produce a proxy signature. Thus we can clearly distinguish the rights and responsibilities of the original signer and the proxy signer.
Chaum (1983) first proposed the blind signature, in which the signer can sign a document without knowing its content. Since it was introduced, blind signature schemes have been used in numerous applications, most prominently in anonymous voting and anonymous e-cash. By combining blind signatures and proxy signatures, the proxy blind signature scheme not only has the advantages of both but also has some new features; it can solve many practical problems and has wide applications. Lin and Jan (2000) first proposed the proxy blind signature by combining proxy signatures and blind signatures. Later, a proxy blind signature scheme based on the discrete logarithm was proposed. However, Wang et al. (2005) pointed out that this scheme was insecure and proposed a new proxy blind signature scheme based on the scheme of Mambo et al. (1996). Sun and Hsieh (2004) showed that these schemes did not satisfy the unforgeability and unlinkability properties, and they also pointed out that Lal's scheme (Wang et al., 2005) did not possess the unlinkability property either. Recently, Sun et al. (2011) proposed an efficient certificateless proxy blind signature based on pairings and claimed that their scheme was secure and satisfied forward security. By our analysis, we show that the scheme is insecure, and the corresponding attacks are given.
REVIEWS OF CERTIFICATELESS PROXY BLIND SIGNATURE
Sun et al. (2011) gave a new forward-secure certificateless proxy blind signature scheme and claimed that their scheme was secure. To better explain the security of the scheme, it is described in detail as follows.
System establishment: Let G1 and G2 be two cyclic groups of prime order q. P is a generator of the group G1. e: G1 × G1 → G2 is a bilinear pairing map. H1: {0,1}* → G1 and H2: {0,1}* × G1 → Zq are two hash functions. Randomly choose s∈Zq and compute Ppub = sP; the master key s is kept secret. The system parameters Param = (G1, G2, e, P, Ppub, H1, H2) are published.
Key generations:
Step 1: The original signer A chooses xA∈Zq and computes XA = xAP, YA = xAPpub, then publishes PA = <XA, YA> as the public key.
Step 2: The original signer A applies to the KGC with his legal identity IDA. The KGC verifies the legitimacy of the identity, computes QA = H1(IDA||PA) and DA = sQA, then sends DA to the original signer via a secure authenticated channel.
Step 3: A verifies whether e(DA, P) = e(QA, Ppub) holds. If it does, the original signer A computes SA = xADA and keeps (xA, SA) as the private key.
Step 4: The proxy signer B generates his public key PB = <XB, YB> and private key (xB, SB) by the same process as A.
Proxy authorization:
Step 1: The original signer A randomly chooses rA∈Zq, then computes UA = rAQA, h = H2(mw, UA), VA = (rA+h)SA, where mw is the proxy warrant, which includes a detailed description of the delegation. A sends (mw, UA, VA) to the proxy signer B.
Step 2: The proxy signer B verifies whether e(XA, Ppub) = e(YA, P) holds. If it is valid, B computes h = H2(mw, UA) and verifies whether e(P, VA) = e(YA, hQA+UA) holds. If it is valid, B accepts (mw, UA, VA), chooses r0∈Zq and computes the proxy signing key R0 = r0QB, SP0 = VA+r0SB.
Key update: In period i, B uses the proxy signing key (Ri-1, Spi-1) of period i-1, chooses ri∈Zq, and computes the proxy signing key of period i:
Ri = Ri-1 + riQB
Spi = Spi-1 + riSB = VA + Σ_{j=0}^{i} rjSB
Forward-secure proxy blind signature: The client C has a message m to be signed; it collaborates with B as follows:
Step 1: B chooses P1∈G1, computes rB = e(P1, P) and sends (rB, mw) to C.
Step 2: Upon receiving (rB, mw), C randomly chooses P2∈G1, k, c∈Zq to compute
Step 3: After B receives V, it computes UB = VSPi + P1 and sends UB to C.
Step 4: After C obtains UB, it computes U = kUB + cP2; the signature on message m is (U, UA, V, mw, Ri). Note that in the study of Sun et al. (2011), UA is left out. It must be attached to the signature, otherwise the signature cannot be verified.
Signature verifying: The verifier of the proxy blind signature checks the validity of the proxy blind signature (U, UA, V, mw, Ri) on message m as follows:
Step 1: It checks whether the message m conforms to the requirements in the warrant mw.
Step 2: It computes QA = H1(IDA||PA), QB = H1(IDB||PB), h = H2(mw, UA).
Step 3: It verifies the equation e(U, P) = e(YA, hQA+UA)^V · e(YB, Ri)^V · r.
Step 4: If it holds, the signature is valid.
SECURITY ANALYSIS
Sun et al. (2011) claimed that their scheme was secure, namely that it satisfies unforgeability, blindness and forward security. However, by analyzing the security of the scheme, we show that it is insecure: it satisfies neither unforgeability, which is a primitive property of any digital signature, nor forward security. Moreover, it is universally forgeable, that is, anyone can produce a forged blind signature on an arbitrary message.
Attack on unforgeability: In this subsection, we show that the scheme is universally forgeable. Assume that an adversary wants to attack the scheme; it can do the following:
Step 1: Let m* be the forged message.
Step 2: It randomly chooses U'A∈G1, V'∈Zq.
Step 3: It computes QA = H1(IDA||PA), QB = H1(IDB||PB), h* = H2(mw, U'A).
Step 4: It sets r* = e(YA, h*QA+U'A)^(-V').
Step 5: It randomly chooses k∈Zq and computes Ri* = kP.
Step 6: It sets U*A = U'A, V* = V', U* = kV*YB.
Step 7: The forged blind signature is (U*, V*, mw, r*, R*i, U*A).
In the following, we show that our forged signature can pass the verification of signature.
Since:
Obviously, our forged blind signature satisfies the verification equation, which means that our attack is valid. The main reason the attack works is that V in the signature is free. In fact, the attack is easily resisted: V should not be a free component of the blind signature; it should be computed as V = H2(m, r, PB). However, even if V is computed as V = H2(m, r, PB), the scheme can still be attacked. In the following, we give another attack.
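To make the verification equation and the forgery above concrete, the following is an added example; it is not part of the paper or of Sun et al.'s scheme. It replaces the pairing with a toy map e(a, b) = g^(ab) mod p over G1 = Zq (bilinear, but insecure because discrete logs in Zq are trivial), uses SHA-256 for H1 and H2, fixed constructed keys and nonces, and omits the client's blinding step, which the page does not spell out; verify() implements Step 3 of signature verifying, forge() follows Steps 1-7 of the attack, and bind_V=True applies the V = H2(m, r, PB) countermeasure just described.

```python
# Added example, not from the paper: the verification equation of Sun et al. (2011) and
# the paper's first universal forgery (Attack on unforgeability, Steps 1-7) replayed on a
# TOY bilinear map e(a,b) = g^(a*b) mod p over G1 = Z_q, which only checks the algebra.
import hashlib

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

q = next(x for x in range(2**20 + 1, 2**21, 2) if is_prime(x) and is_prime(2*x + 1))
p = 2 * q + 1                 # safe prime: the order-q subgroup of Z_p^* plays G2
g = pow(2, (p - 1) // q, p)   # generator of that subgroup
P = 1                         # generator of G1 = Z_q; an integer a stands for aP

def e(a, b):                  # toy symmetric bilinear map G1 x G1 -> G2 (leaks logs!)
    return pow(g, (a * b) % q, p)

def H1(data: bytes) -> int:   # {0,1}* -> G1
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q
def H2(*parts) -> int:        # {0,1}* x G1 (x ...) -> Z_q
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % q

def Q_of(ID, PK):             # Q = H1(ID || P), Key generation Step 2
    return H1(ID + repr(PK).encode())

def verify(sig, IDA, PA, IDB, PB, bind_V=False):
    """e(U,P) == e(YA, hQA+UA)^V * e(YB, Ri)^V * r  (Signature verifying, Step 3).
    bind_V=True adds the fix the paper suggests: V must equal H2(m, r, PB)."""
    m, U, UA, V, mw, Ri, r = sig
    h = H2(mw, UA)
    if bind_V and V != H2(m, r, PB):
        return False
    rhs = pow(e(PA[1], (h * Q_of(IDA, PA) + UA) % q), V, p)
    rhs = rhs * pow(e(PB[1], Ri), V, p) * r % p
    return e(U, P) == rhs

def genuine_unblinded(m, mw, IDA, IDB, s=3, xA=5, xB=8, rA=9, r0=4, P1=6):
    """Honest path with constructed keys; the client's blinding (k, c) is left out."""
    PA, PB = (xA, xA * s % q), (xB, xB * s % q)                 # (X, Y) = (xP, xPpub)
    SA, SB = xA * s * Q_of(IDA, PA) % q, xB * s * Q_of(IDB, PB) % q  # S = x * D
    UA = rA * Q_of(IDA, PA) % q
    VA = (rA + H2(mw, UA)) * SA % q                              # proxy authorization
    R0, SP0 = r0 * Q_of(IDB, PB) % q, (VA + r0 * SB) % q         # proxy signing key
    V = H2(m, e(P1, P), PB)                                      # V bound to rB = e(P1,P)
    return (m, (V * SP0 + P1) % q, UA, V, mw, R0, e(P1, P)), PA, PB

def forge(m, mw, IDA, PA, IDB, PB, UA_=7, V_=11, k=5):
    """Universal forgery from the paper: only public data and free choices are used."""
    h = H2(mw, UA_)                                              # Step 3
    r = pow(e(PA[1], (h * Q_of(IDA, PA) + UA_) % q), q - V_, p)  # Step 4: e(.)^(-V')
    return (m, k * V_ * PB[1] % q, UA_, V_, mw, k * P % q, r)    # Steps 5-7: U*=kV*YB, Ri*=kP
```

The forged tuple passes the page's equation without any secret key, while binding V to (m, r, PB) rejects it; as the paper notes next, that binding alone does not stop the second forgery.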
Another attack on unforgeability: In certificateless cryptography, a user can choose his public key at random, so the unforgeability of a certificateless signature scheme must hold against such a choice. In the following, we show that Sun et al.'s scheme cannot resist such an attack, namely, an adversary can produce a forgery in the name of the proxy signer without any delegation from the original signer. The attack is given in detail as follows:
Step 1: The adversary randomly chooses k∈Zq to set
Step 2: Then the adversary randomly chooses l∈Zq to compute r* = e(P, lP).
Step 3: Compute
Step 4: Randomly choose α∈Zq and U'A to set Ri* = -k^(-1)(hQA+U'A) + αP.
Step 5: Finally, the adversary computes U* = kαV*YA + lP and U*A = U'A.
Step 6: The resulting blind signature on message m is (U*, U*A, R*i, r*, V*).
In the following, we show that the forged signature (U*, U*A, R*i, r*, V*) is valid.
Since:
According to the above equation, the forged signature passes the verification equation. It means that our forgery is valid.
In the same way, we can also show that the original signer can produce a forgery in the name of the proxy signer without having delegated the signing right to it. The main reason such attacks are possible is that Ri in the signature is free and YB (or YA) can be chosen at random.
Attack on forward security: Sun et al. claimed that their scheme satisfies forward security. Namely, if the adversary obtains the proxy signing key (Ri, SPi) of period i, it cannot forge a valid proxy blind signature for a period j (j < i). In the following, by analyzing the scheme, we show that it does not satisfy forward security.
According to the key update, we know that:
Ri = Ri-1 + riQB,
Spi = Spi-1 + riSB
Thus, we have:
CONCLUSION
As an important cryptographic primitive, the proxy blind signature not only has the advantages of blind signatures and proxy signatures but also has some new features; it can solve many practical problems and has wide applications. To realize efficient key management and solve the key escrow problem, researchers gave an efficient certificateless proxy blind signature scheme with forward security and claimed that their scheme was secure. However, by our analysis, we have shown that the scheme is insecure: it is subject to forgery attacks and does not provide forward security. The corresponding attacks were given, and we also analyzed the reason such attacks arise.
ACKNOWLEDGMENT
This study was supported partly by Beijing Natural Science Foundation (No. 4122024).