ResearchArticle - Hindawi Publishing...

Research ArticleCryptanalysis of a Certificateless Aggregate Signature Scheme forHealthcare Wireless Sensor Network

Yu Zhan 1 and BaocangWang 123

1The State Key Laboratory of Integrated Service Networks Xidian University Xirsquoan 710071 China2The Cryptographic Research Center Xidian University Xirsquoan 710071 China3TheKey Laboratory of Cognitive Radio and Information ProcessingMinistry of Education Guilin University of Electronic TechnologyGuilin 541004 China

Correspondence should be addressed to Baocang Wang bcwang79aliyuncom

Received 26 February 2019 Revised 30 April 2019 Accepted 25 May 2019 Published 9 June 2019

Academic Editor David Megias

Copyright copy 2019 Yu Zhan and BaocangWangThis is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited

Certificateless aggregate signatures aggregate 119899 signatures from 119899 different users into one signature Therefore a verifier can judgewhether all signatures are valid by verifying once With this advantage certificateless aggregate signatures are widely used in theenvironment of limited computing resources Recently a novel certificateless aggregate signature scheme was proposed by Kumaret al This schemersquos security was claimed to be secure against two types of attackers under the random oracle model In this paperwe indicate that their scheme is unable to achieve this security goal We show an attack algorithm that the second type of attackercould forge a valid signature under an identity without the private key of the target user Moreover we demonstrate that the secondtype of attacker could forge a valid aggregate signature

1 Introduction

Digital signature is one of the most significant concerns inthe traditional public key cryptosystems There are severaltypes of signature schemes in the development of signa-ture technology public key infrastructure- (PKI-) basedsignature schemes identity-based signature schemes [1 2]and certificateless signature schemes [3 4] In the earliestPKI-based signature schemes a trusted certificate authority(CA) is needed to generate a certificate that corresponds tothe public key of a legitimate user Hence these schemesinitially have to obtain and verify the certificate This causesan amount of computational costs Identity-based signatureschemes leave out CA but each legitimate userrsquos privatekey is produced and secretly assigned by the private keygenerator (PKG) which is also fully trusted Accordingly thiskind of scheme is vulnerable to the attacks launched by thePKG Certificateless signature schemes (CLS) overcome theshortcomings of the two kinds of schemes above In thiskind of scheme key generation center (KGC) is in chargeof calculating partial private keys and assigning the keys to

legitimate users secretly Each user calculates his private keythat involves the partial private key Consequently not onlycan the userrsquos legitimacy be verified but also the KGC is inca-pable of launching an attack by recovering the userrsquos privatekey

In addition in some application scenarios the pattern ofverifying one signature one time fails tomeet the requirementof fast data processing To solve this problem Boneh et alfirst put forward the concept of aggregate signature in 2003[5] Aggregate signature enables multiple signatures signedby multiple users to be aggregated into a single signatureHence the verifier can believe that all signatures are valid byverifying only once This pattern greatly reduces the costs ofcommunication and computation

It is natural to combine the certificateless signature withthe aggregate signature As a result lots of certificatelessaggregate signature (CL-AS) schemes have been presentedsuch as [6ndash9] Recently Kumar et al proposed a novel certifi-cateless signature scheme with bilinear pairing Furthermorethey extended the CLS scheme to a CL-AS scheme [10] Theyillustrated that their schemes are secure against two types of

HindawiSecurity and Communication NetworksVolume 2019 Article ID 6059834 5 pageshttpsdoiorg10115520196059834

2 Security and Communication Networks

attackers These two types of attackers have been widely usedin the security proof of CL-ASThe details of the attackers aregiven below

(i) Type I an outside attacker who can replace the publickeys of users and compromise the private keys ofusers However the attacker is unable to recover themaster key or the partial private key

(ii) Type II an ldquohonest-but-curiousrdquo KGC with the mas-ter key However it cannot replace the public keys ofusers or compromise the private keys of users

We prove that Kumar et alrsquos schemes cannot prevent theType II attacker from forging a valid signatureThe rest of thispaper is organized as follows We review the related work inSection 2 and describe the details of Kumar et alrsquos schemes inSection 3 In Section 4 we show the attack algorithms Finallywe concluded in Section 5

2 Related Work

In 2003 Al-Riyami et al [3] first introduced the notionof certificateless public key cryptosystem that is designedto solve the key escrow and certificate management issuesBesides they proposed a CLS scheme as an instance Afterthat the design and cryptanalysis of certificateless signaturehave become attractive research focuses Huang et al [11]indicated that Al-Riyami et alrsquos scheme is incapable ofresisting the public key replacement attack and they proposedan improvement scheme to fix the security vulnerability Yumet al [12] utilized the standard signature scheme and the ID-based signature scheme to propose a generic construction ofCLS Similarly their scheme is insecure against the public keyreplacement attack [13] Zhang et al [14] presented a provablysecure CLS scheme with bilinear pairing Cao et al [15] gavean attack algorithm for Gorantla et alrsquos CLS scheme [4] Liuet al [16] presented a CLS scheme under the standard modelXiong et al [17] and Xia et al [18] soon showed that Liu etalrsquos scheme cannot achieve the security goals they claimedrespectively Yeh et al [19] proposed a CLS scheme whichproved to be insecure by Jia et al [20] In addition thereare several CLS schemes that have not yet been identified ashaving security issues such as [17 21 22]

As we mentioned above the design and analysis of CL-AS schemes have been the concern of researchers In 2007Castro et al [23] proposed an efficient CL-AS scheme Similarwith the later CL-AS schemes presented by Gong [24] andZhang [6] the computational complexity of their schemes istoo high to implement in practice In 2010 Zhang et al [25]introduced a novel CL-AS scheme However their scheme isunpractical since it needs a synchronous clock to aggregatesignatures In 2013 Xiong et al [7] proposed a CL-AS schemewhich needs constant bilinear pairing computations and ismore efficient than previous works Zhang et al [26] andHe et al [27] indicated that the scheme [7] cannot resistthe public key replacement attack Meanwhile Cheng etal [8] and Tu et al [28] presented improvement schemesbased onXiong et alrsquos respectively Recently researchers havegradually focused on the design of CL-AS schemes in specialapplication environments In 2015 Malhi et al [29] showed

a CL-AS scheme for vehicular ad hoc networks Kumar etal [30] found the security loophole of Malhi et alrsquos schemeand gave an improvement scheme However Yang et al[31] indicated that the improvement scheme is still insecureand they proposed a new improvement scheme Althoughthe security of many schemes is no longer convincing theschemes eg [8 28 31] are still secure now

3 Review of Kumar Et Alrsquos Scheme

In this section we first review the security model of Kumaret alrsquos schemes [10]

31 Security Model In their security model the challengerCprovides the following oracles to the adversaryA

KeyGen(119868119863119894) Input an identity 119868119863119894 of user and this oraclewill output a public key 119901119896119894 under the identity119868119863119894

RevealSK(119868119863119894) Input an identity 119868119863119894 of user and thisoracle will output the private key 119904119896119894 under the identity 119868119863119894

RevealPK(119868119863119894) Input an identity 119868119863119894 of user and thisoracle will output the partial private key 119901119901119896119894 under theidentity 119868119863119894

ReplaceKey(119868119863119894 1199011198961015840119894 1199041198961015840119894 ) Input an identity 119868119863119894 as well asa key pair (1199011198961015840119894 1199041198961015840119894 ) and the original key pair will be replacedwith the input one

Sign(119868119863119894 119898119894) If the identity 119868119863119894 has never been queriedwith the oracle 119870119890119910119866119890119899 return error symbol perp Else theoracle runs the signing algorithm with the current key pairunder 119868119863119894 and outputs the result

The EUF-CMA (existential unforgeability against chosenmessage attacks) security model [32] for their CLS schemeconsists of two games Games 1 and 2

Game 1 In this game the adversary corresponds to the TypeI attacker

Setup the challengerC runs the setup algorithmThenCkeeps the master key secretly and returns the correspondingpublic key toA

Queries the adversary A could query the above fiveoracles in polynomial bound

Output After querying the adversary outputs a message119898 the identity of target user 119868119863lowast and a signature of message120590lowastThe adversary A will win this game if 120590lowast is a valid

signature of 119898 while Sign(119868119863lowast 119898) and RevealPK(119868119863lowast) havenever been queried

Game 2 In this game the adversary corresponds to the TypeII attacker

Setup the challenger C runs the setup algorithm ThenC returns the master key and the corresponding public keytoA

Queries the adversary A can query the above oraclesexpect ReplaceKey in polynomial bound It is unnecessaryto provide the RevealPK oracle since the adversary couldcalculate the partial private key under an identity with themaster key by itself

Output after querying the adversary outputs a message119898 the identity of target user 119868119863lowast and a signature of message120590lowast

Security and Communication Networks 3

The adversary A will win this game if 120590lowast is a validsignature of 119898 while Sign(119868119863lowast 119898) and RevealSK(119868119863lowast) havenever been queried

The CLS scheme is EUF-CMA secure only if the proba-bility polynomial adversary cannot win in both games withnonnegligible advantages The security model for the CL-ASscheme consists of two games tooThe details are given below


The Setup and Queries stages are the same with Game 1Output After querying the adversary outputs a tuple(119898119894 119868119863lowast119894 120590lowast) where 119898119894 is a set of messages 119868119863lowast119868 is a

set of the identities of target users and 120590lowast is an aggregatesignature of 119898119894

If 120590lowast is a valid aggregate signature of 119898119894 while thereis at least one identity 119868119863119895 that has never been queried forSign(119868119863lowast119895 119898119895) and RevealPK(119868119863lowast119895 ) the adversaryAwins thisgame


The Setup and Queries stages are the same as Game 2Output After querying the adversary outputs a tuple(119898119894 119868119863lowast119894 120590lowast) where 119898119894 is a set of messages 119868119863lowast119894 is a


If 120590lowast is a valid aggregate signature of 119898119894 while thereis at least one identity 119868119863119895 that has never been queried forSign(119868119863lowast119895 119898119895) and RevealSK(119868119863lowast119895 ) the adversaryAwins thisgame

The CL-AS scheme is EUF-CMA secure only if theprobability polynomial adversary cannot win in both gameswith nonnegligible advantages

Next we review the Kumar et alrsquos scheme that includesseven algorithms The details are given below

32 Setup Algorithm Given the security parameter 120582 thesetup algorithm that was performed by KGC generates asystem parameter 119901119886119903119886119898 and a master key 119898119904119896 as follows

(1) Randomly select a prime 119901 according to the securityparameter 120582

(2) Select an additive cyclic group 1198661 and amultiplicativecyclic group 1198662 of prime order 119901 Particularly 119892 is arandom generator of 1198661

(3) Select a bilinear map 119890 1198661 times 1198661 997888rarr 1198662 which iseffective to compute

(4) Randomly select a master key 119898119904119896 = 119904 larr997888 Zlowast119901 andcompute the corresponding public key as 119898119901119896 = 119904119892

(5) Define three secure hash functions 1198670 0 1lowast 997888rarr1198661 1198671 0 1lowast 997888rarr 1198661 and 1198672 0 1lowast 997888rarr Zlowast119901

(6) Disclose the system parameter 119901119886119903119886119898 = (1198670 1198671 1198672119892 1198661 1198662 119890 119898119901119896) and keep 119898119904119896 secretly

All of the algorithms below need the system parameter119901119886119903119886119898 to calculate We omit it in the following descriptions

33 Partial Private Key Generation Algorithm With a userrsquosidentity 119868119863119894 this algorithmgenerates a partial private keyTheKGC performs as follows

(1) Calculate 119875119894 = 1198670(119868119863119894)(2) Calculate the partial private key as 119901119901119896119894 = 119904119875119894(3) Transmit 119901119901119896119894 through a secure communication

channel to the user 11988011989434 Key Generation Algorithm This algorithm outputs apublicprivate key pair for a user 119880119894 under 119868119863119894 The userperforms as follows

(1) Randomly select 119909119894 larr997888 Zlowast119901 as the private key ie119904119896119894 = 119909119894(2) Compute the public key as 119901119896119894 = 119909119894119892

35 Signing Algorithm Given a partial private key 119901119901119896119894 aprivate key 119904119896119894 under an identity 119868119863119894 the state information120572 (randomly selected from the public parameter) and amessage 119898119894 as inputs the user 119880119894 generates a signature 120590119894 of119898119894 as follows

(1) Randomly select 119903119894 larr997888 Zlowast119901 and compute 119879119894 = 119903119894119892(2) Calculate ℎ119894 = 1198672(119898119894 119868119863119894 119901119896119894 119879119894) and 119876 = 1198671(120572)(3) Calculate 119881119894 = 119901119901119896119894 + 119903119894119876 + ℎ119894119909119894119898119901119896(4) Set the signature as 120590119894 = (119879119894 119881119894)

36 Verification Algorithm This algorithm takes a public key119901119896119894 under an identity 119868119863119894 the state information 120572 a signature120590119894 and a message 119898119894 as inputs The verifier performs asfollows

(1) Compute 119875119894 = 1198670(119868119863119894) ℎ119894 = 1198672(119868119863119894 119898119894 119901119896119894 119879119894) and119876 = 1198671(120572)(2) Verify whether the equation 119890(119881119894 119892) = 119890(119875119894 +ℎ119894119901119896119894 119898119901119896)119890(119876 119879119894) holds If yes accept the signature120590119894

37 Aggregation Algorithm This algorithm takes 119899 signatures1205901 1205902 120590119899 of 119899 messages 1198981 1198982 sdot sdot sdot 119898119899 as inputsThese signatures are generated by 119899 users under identities1198681198631 1198681198632 119868119863119899 respectively Then the aggregator setsthe aggregate signature as 120590 = (1198791 1198792 119879119899 119881) after calcu-lating 119881 = sum119899119894=1 11988111989438 Aggregate Verification Algorithm Given an aggregatesignature 120590 119899 public keys 1199011198961 1199011198962 119901119896119899 under identities1198681198631 1198681198632 119868119863119899 119899messages 1198981 1198982 sdot sdot sdot 119898119899 and the stateinformation 120572 as inputs this algorithm performs as follows

(1) Compute 119875119894 = 1198670(119868119863119894) ℎ119894 = 1198672(119868119863119894 119898119894 119901119896119894 119879119894) for119894 = 1 119899(2) Compute 119876 = 1198671(120572)(3) Verify whether the equation 119890(119881 119892) = 119890(sum119899119894=1(119875119894 +ℎ119894119901119896119894) 119898119901119896)119890(119876 sum119899119894=1 119879119894) holds If yes accept 120590


We clearly show the loophole of their schemes in the nextsection

4 Cryptanalysis of the Kumar Et Alrsquos Schemes

We indicate that the KGC who owns the master key 119898119904119896 iscapable of forging a valid signature under an identity 119868119863119894without the corresponding private key 119904119896119894 Furthermore theKGC can forge a valid aggregate signature The details of theattacks are given below

41 Attack on the Certificateless Signature Scheme Given amessage 119898119894 a public key 119901119896119894 under an identity 119868119863119894 and thestate information 120572 the KGC forges a signature 120590 of 119898119894 asfollows

(1) Randomly select 119903lowast119894 larr997888 Zlowast119901 and calculate 119879lowast119894 = 119903lowast119894 119892(2) Calculate ℎlowast119894 = 1198672(119868119863119894 119898119894 119901119896119894 119879lowast119894 ) 119876 = 1198671(120572) and119875119894 = 1198670(119868119863119894)(3) Calculate 119881lowast119894 = 119904 sdot 119875119894 + 119903lowast119894 119876 + ℎlowast119894 sdot 119904 sdot 119901119896119894(4) Set the signature as 120590 = (119879lowast119894 119881lowast119894 )

Correctness119890 (119881lowast119894 119892) = 119890 (119904 sdot 119875119894 + 119903lowast119894 119876 + ℎlowast119894 sdot 119904 sdot 119901119896119894 119892)

= 119890 (119904 sdot 119875119894 + ℎlowast119894 sdot 119904 sdot 119901119896119894 119892) 119890 (119903lowast119894 119876 119892)= 119890 (119875119894 + ℎlowast119894 119901119896119894 119904119892) 119890 (119876 119903lowast119894 119892)= 119890 (119875119894 + ℎlowast119894 119901119896119894 119898119901119896) 119890 (119876 119879lowast119894 )

(1)

Hence 120590 = (119879lowast119894 119881lowast119894 ) is a valid signature of 119898119894 under 119868119863119894This CLS scheme is insecure against the attack launched bythe ldquohonest-but-curiousrdquo KGC

42 Attack on the Certificateless Aggregate Signature SchemeThe CL-AS scheme presented by Kumar et al is also insecureagainst the attack launched by the ldquohonest-but-curiousrdquoKGC Given 119899 messages 1198981 1198982 119898119899 and 119899 users under1198681198631 1198681198632 119868119863119899 the KGC performs as follows

(1) Generate 119899 signatures with the algorithm given inSection 35 (1198981 1205901) (1198982 1205902) sdot sdot sdot (119898119899 120590119899)

(2) Calculate 119881lowast = sum119899119894=1 119881lowast119894 (3) Set the aggregate signature as120590 = (119879lowast1 119879lowast2 119879lowast119899 119881lowast)

Correctness

119890 (119881lowast 119892) = 119890 ( 119899sum119894=1

119881lowast119894 119892)= 119890 (119904 sdot 1198751 + 119903lowast1119876 + ℎlowast1 sdot 119904 sdot 1199011198961 119892)sdot sdot sdot 119890 (119904 sdot 119875119899 + 119903lowast119899119876 + ℎlowast119899 sdot 119904 sdot 119901119896119899 119892)= 119890 (1198751 + ℎlowast11199011198961 119898119901119896) 119890 (119876 119879lowast1 )sdot sdot sdot 119890 (119875119899 + ℎlowast119899119901119896119899 119898119901119896) 119890 (119876 119879lowast119899 )= 119890 ( 119899sum119894=1

(119875119894 + ℎlowast119894 119901119896119894) 119898119901119896) 119890 (119876 119899sum119894=1

119879lowast119894 )

(2)

The forged aggregate signature 119904119894119892119898119886 = (119879lowast1 119879lowast2 119879lowast119899 119881lowast)is a valid aggregate signature according to Section 37 Hencethis CL-AS scheme is insecure either

5 Conclusions

Kumar et al [10] proposed a CLS scheme and a CL-ASschemeThey claimed that these two schemes are both secureagainst two types of attackers In this paper we present attackalgorithms for the two schemes respectively Details of ourattacks show that the KGC can forge a valid signature of amessage under a target identity without the correspondingprivate key Similarly the KGC can forge a valid aggregatesignature Hence their schemes are insecure to implement inpractical

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the National Key RampD Programof China under Grant No 2017YFB0802000 the NationalNatural Science Foundation of China under Grant Nos61572390 and U1736111 the National Cryptography Devel-opment Fund under Grant No MMJJ20180111 the Plan ForScientific Innovation Talent of Henan Province under GrantNo 184100510012 the Program for Science amp TechnologyInnovation Talents in the Universities of Henan Provinceunder Grant No 18HASTIT022 the Science amp TechnologyPlan Projects of Henan Province 182102210124 the Innova-tion Scientists and Technicians Troop Construction Projectsof Henan Province the Fundamental Research Funds forthe Central Universities and the Innovation Fund of XidianUniversity No 10221150004

References

[1] J C Choon and J H Cheon ldquoAn identity-based signature fromgap diffie-hellman groupsrdquo in Proceedings of the InternationalWorkshop on Theory and Practice in Public Key CryptographyPublic Key Cryptography vol 2567 pp 18ndash30 2003

[2] Xun Yi ldquoAn identity-based signature scheme from the Weilpairingrdquo IEEE Communications Letters vol 7 no 2 pp 76ndash782003

[3] S S Al-Riyami and K G Paterson ldquoCertificateless publickey cryptographyrdquo in Advances in Cryptology-ASIACRYPT vol2894 of Lecture Notes in Computer Science pp 452ndash473Springer 2003

[4] M C Gorantla and A Saxena ldquoAn efficient certificatelesssignature schemerdquo in Proceeings of the International Conferenceon Computational Intelligence and Security vol 3802 pp 110ndash116 2005


[5] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the International Conference on the Theory andApplications of Cryptographic Techniques pp 416ndash432 Springer2003

[6] L Zhang and F Zhang ldquoA new certificateless aggregate sig-nature schemerdquo Computer Communications vol 32 no 6 pp1079ndash1085 2009

[7] H Xiong Z Guan Z Chen and F Li ldquoAn efficient certificate-less aggregate signature with constant pairing computationsrdquoInformation Sciences vol 219 pp 225ndash235 2013

[8] L Cheng Q Wen Z Jin H Zhang and L Zhou ldquoCryptanal-ysis and improvement of a certificateless aggregate signatureschemerdquo Information Sciences vol 295 pp 337ndash346 2015

[9] S Horng S Tzeng P Huang X Wang T Li and M K KhanldquoAn efficient certificateless aggregate signature with conditionalprivacy-preserving for vehicular sensor networksrdquo InformationSciences vol 317 pp 48ndash66 2015

[10] P Kumar S Kumari V Sharma A K Sangaiah J Wei and XLi ldquoA certificateless aggregate signature scheme for healthcarewireless sensor networkrdquo Sustainable Computing Informatics ampSystems vol 18 pp 80ndash89 2018

[11] X Huang W Susilo Y Mu and F Zhang ldquoOn the securityof certificateless signature schemes from asiacrypt 2003rdquo inProceedings of the International Conference on Cryptology andNetwork Security pp 13ndash25 Springer 2005

[12] D H Yum and P J Lee ldquoGeneric construction of certificatelesssignaturerdquo in Proceedings of the Australasian Conference onInformation Security and Privacy pp 200ndash211 Springer 2004

[13] B C Hu D SWong Z Zhang and X Deng ldquoKey replacementattack against a generic construction of certificateless signaturerdquoin Proceedings of the Australasian Conference on InformationSecurity and Privacy pp 235ndash246 Springer 2006

[14] Z ZhangD SWong J Xu andD Feng ldquoCertificateless public-key signature security model and efficient constructionrdquo inProceedings of the International Conference on Applied Cryptog-raphy and Network Security pp 293ndash308 Springer 2006

[15] X Cao K G Paterson and W Kou ldquoAn attack on a certif-icateless signature schemerdquo Cryptology ePrint archive httpseprintiacrorg2006441

[16] J K Liu M H Au and W Susilo ldquoSelf-generated-certificatepublic key cryptography and certificateless signatureencryp-tion scheme in the standard modelrdquo in Proceedings of the 2ndACM Symposium on Information Computer and Communica-tions Security (ASIACCS rsquo07) pp 273ndash283 March 2007

[17] H Xiong Z Qin and F Li ldquoAn improved certificatelesssignature scheme secure in the standard modelrdquo FundamentaInformaticae vol 88 no 1-2 pp 193ndash206 2008

[18] Q Xia C Xu and Y Yu ldquoKey replacement attack on twocertificateless signature schemes without random oraclesrdquo KeyEngineering Materials vol 439-440 pp 1606ndash1611 2010

[19] K Yeh C Su K R Choo andW Chiu ldquoA Novel CertificatelessSignature Scheme for Smart Objects in the Internet-of-ThingsrdquoSensors vol 17 no 5 p 1001 2017

[20] X Jia D He Q Liu and K R Choo ldquoAn efficient provably-secure certificateless signature scheme for Internet-of-Thingsdeploymentrdquo Ad Hoc Networks vol 71 pp 78ndash87 2018

[21] X Huang Y Mu W Susilo D S Wong and W Wu ldquoCer-tificateless signatures new schemes and security modelsrdquo TheComputer Journal vol 55 no 4 pp 457ndash474 2012

[22] D He B Huang and J Chen ldquoNew certificateless shortsignature schemerdquo IET Information Security vol 7 no 2 pp113ndash117 2013

[23] R Castro and R Dahab ldquoEfficient certificateless signatures suit-able for aggregationrdquo IACRCryptology ePrint Archive httpspdfssemanticscholarorgf580b66051a832c4f9e39e5d533276f3afa3297bpdf

[24] Z Gong Y Long X Hong and K Chen ldquoTwo certificatelessaggregate signatures from bilinear mapsrdquo in Proceedings of theEighth ACIS International Conference on Software Engineer-ing Artificial Intelligence Networking and ParallelDistributedComputing (SNPD 2007) vol 3 pp 188ndash193 IEEE QingdaoChina July 2007

[25] L Zhang B Qin Q Wu and F Zhang ldquoEfficient many-to-one authentication with certificateless aggregate signaturesrdquoComputer Networks vol 54 no 14 pp 2482ndash2491 2010

[26] F Zhang L Shen and G Wu ldquoNotes on the security of certifi-cateless aggregate signature schemesrdquo Information Sciences vol287 pp 32ndash37 2014

[27] D He M Tian and J Chen ldquoInsecurity of an efficient certif-icateless aggregate signature with constant pairing computa-tionsrdquo Information Sciences vol 268 pp 458ndash462 2014

[28] H Tu D He and B Huang ldquoReattack of a certificateless aggre-gate signature scheme with constant pairing computationsrdquoTheScientific World Journal vol 2014 Article ID 343715 10 pages2014

[29] A K Malhi and S Batra ldquoAn efficient certificateless aggregatesignature scheme for vehicular ad-hoc networksrdquo DiscreteMathematics amp Theoretical Computer Science vol 17 no 1 pp317ndash338 2015

[30] P Kumar and V Sharma ldquoOn the security of certificatelessaggregate signature scheme in vehicular ad hoc networksrdquo inSoft ComputingTheories and Applications vol 583 pp 715ndash7222018

[31] X Yang C Chen T Ma Y Li and C Wang ldquoAn improvedcertificateless aggregate signature scheme for vehicular ad-hoc networksrdquo in Proceedings of the 2018 IEEE 3rd AdvancedInformation Technology Electronic and Automation ControlConference (IAEAC) pp 2334ndash2338 Chongqing China Octo-ber 2018

[32] X Huang Y Mu W Susilo D S Wong and W Wu ldquoCertifi-cateless signature revisitedrdquo in Proceedings of the AustralasianConference on Information Security and Privacy pp 308ndash322Springer 2007

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


attackers These two types of attackers have been widely usedin the security proof of CL-ASThe details of the attackers aregiven below

(i) Type I an outside attacker who can replace the publickeys of users and compromise the private keys ofusers However the attacker is unable to recover themaster key or the partial private key

(ii) Type II an ldquohonest-but-curiousrdquo KGC with the mas-ter key However it cannot replace the public keys ofusers or compromise the private keys of users

We prove that Kumar et alrsquos schemes cannot prevent theType II attacker from forging a valid signatureThe rest of thispaper is organized as follows We review the related work inSection 2 and describe the details of Kumar et alrsquos schemes inSection 3 In Section 4 we show the attack algorithms Finallywe concluded in Section 5

2 Related Work

In 2003 Al-Riyami et al [3] first introduced the notionof certificateless public key cryptosystem that is designedto solve the key escrow and certificate management issuesBesides they proposed a CLS scheme as an instance Afterthat the design and cryptanalysis of certificateless signaturehave become attractive research focuses Huang et al [11]indicated that Al-Riyami et alrsquos scheme is incapable ofresisting the public key replacement attack and they proposedan improvement scheme to fix the security vulnerability Yumet al [12] utilized the standard signature scheme and the ID-based signature scheme to propose a generic construction ofCLS Similarly their scheme is insecure against the public keyreplacement attack [13] Zhang et al [14] presented a provablysecure CLS scheme with bilinear pairing Cao et al [15] gavean attack algorithm for Gorantla et alrsquos CLS scheme [4] Liuet al [16] presented a CLS scheme under the standard modelXiong et al [17] and Xia et al [18] soon showed that Liu etalrsquos scheme cannot achieve the security goals they claimedrespectively Yeh et al [19] proposed a CLS scheme whichproved to be insecure by Jia et al [20] In addition thereare several CLS schemes that have not yet been identified ashaving security issues such as [17 21 22]

As we mentioned above the design and analysis of CL-AS schemes have been the concern of researchers In 2007Castro et al [23] proposed an efficient CL-AS scheme Similarwith the later CL-AS schemes presented by Gong [24] andZhang [6] the computational complexity of their schemes istoo high to implement in practice In 2010 Zhang et al [25]introduced a novel CL-AS scheme However their scheme isunpractical since it needs a synchronous clock to aggregatesignatures In 2013 Xiong et al [7] proposed a CL-AS schemewhich needs constant bilinear pairing computations and ismore efficient than previous works Zhang et al [26] andHe et al [27] indicated that the scheme [7] cannot resistthe public key replacement attack Meanwhile Cheng etal [8] and Tu et al [28] presented improvement schemesbased onXiong et alrsquos respectively Recently researchers havegradually focused on the design of CL-AS schemes in specialapplication environments In 2015 Malhi et al [29] showed

a CL-AS scheme for vehicular ad hoc networks Kumar etal [30] found the security loophole of Malhi et alrsquos schemeand gave an improvement scheme However Yang et al[31] indicated that the improvement scheme is still insecureand they proposed a new improvement scheme Althoughthe security of many schemes is no longer convincing theschemes eg [8 28 31] are still secure now

3 Review of Kumar Et Alrsquos Scheme

In this section we first review the security model of Kumaret alrsquos schemes [10]

31 Security Model In their security model the challengerCprovides the following oracles to the adversaryA

KeyGen(119868119863119894) Input an identity 119868119863119894 of user and this oraclewill output a public key 119901119896119894 under the identity119868119863119894

RevealSK(119868119863119894) Input an identity 119868119863119894 of user and thisoracle will output the private key 119904119896119894 under the identity 119868119863119894

RevealPK(119868119863119894) Input an identity 119868119863119894 of user and thisoracle will output the partial private key 119901119901119896119894 under theidentity 119868119863119894

ReplaceKey(119868119863119894 1199011198961015840119894 1199041198961015840119894 ) Input an identity 119868119863119894 as well asa key pair (1199011198961015840119894 1199041198961015840119894 ) and the original key pair will be replacedwith the input one

Sign(119868119863119894 119898119894) If the identity 119868119863119894 has never been queriedwith the oracle 119870119890119910119866119890119899 return error symbol perp Else theoracle runs the signing algorithm with the current key pairunder 119868119863119894 and outputs the result

The EUF-CMA (existential unforgeability against chosenmessage attacks) security model [32] for their CLS schemeconsists of two games Games 1 and 2


Setup the challengerC runs the setup algorithmThenCkeeps the master key secretly and returns the correspondingpublic key toA

Queries the adversary A could query the above fiveoracles in polynomial bound

Output After querying the adversary outputs a message119898 the identity of target user 119868119863lowast and a signature of message120590lowastThe adversary A will win this game if 120590lowast is a valid

signature of 119898 while Sign(119868119863lowast 119898) and RevealPK(119868119863lowast) havenever been queried


Setup the challenger C runs the setup algorithm ThenC returns the master key and the corresponding public keytoA

Queries the adversary A can query the above oraclesexpect ReplaceKey in polynomial bound It is unnecessaryto provide the RevealPK oracle since the adversary couldcalculate the partial private key under an identity with themaster key by itself

Output after querying the adversary outputs a message119898 the identity of target user 119868119863lowast and a signature of message120590lowast








































(1)





Correctness

119890 (119881lowast 119892) = 119890 ( 119899sum119894=1


(119875119894 + ℎlowast119894 119901119896119894) 119898119901119896) 119890 (119876 119899sum119894=1

119879lowast119894 )

(2)


5 Conclusions


Data Availability




Acknowledgments


References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia









































(1)





Correctness

119890 (119881lowast 119892) = 119890 ( 119899sum119894=1


(119875119894 + ℎlowast119894 119901119896119894) 119898119901119896) 119890 (119876 119899sum119894=1

119879lowast119894 )

(2)


5 Conclusions


Data Availability




Acknowledgments


References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


ResearchArticle - Hindawi Publishing...

Documents

Transcript of ResearchArticle - Hindawi Publishing...