- About this Journal
- Abstracting and Indexing
- Aims and Scope
- Annual Issues
- Article Processing Charges
- Articles in Press
- Author Guidelines
- Bibliographic Information
- Citations to this Journal
- Contact Information
- Editorial Board
- Editorial Workflow
- Free eTOC Alerts
- Publication Ethics
- Reviewers Acknowledgment
- Submit a Manuscript
- Subscription Information
- Table of Contents
Mathematical Problems in Engineering
Volume 2013 (2013), Article ID 761694, 4 pages
On the Security of a Certificateless Proxy Signature Scheme with Message Recovery
1Department of Electronic Engineering, Northeastern University at Qinhuangdao, Qinhuangdao 066004, China
2School of Mathematics and Statistics, Wuhan University, Wuhan, Hubei 430072, China
3National Key Laboratory of Mechatronic Engineering and Control, School of Mechatronical Engineering, Beijing Institute of Technology, Beijing 100081, China
Received 19 January 2013; Accepted 5 April 2013
Academic Editor: Wanquan Liu
Copyright © 2013 Wenbo Shi et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
A proxy signature scheme allows a proxy signer to sign messages on behalf of an original signer within a given context. It has lots of practical applications in distributed systems, grid computing, mobile agent applications, distributed shared object systems, global distribution networks, and mobile communications. Recently, Padhye et al. proposed a certificateless proxy signature scheme with message recovery and claimed the scheme is secure against both of the two types of adversaries. However, in this paper, we will show that Padhye et al.’s scheme is not secure against the Type I adversary. The analysis shows their scheme is not secure for practical applications.
The proxy signature scheme is an important cryptographic mechanism, which was introduced first by Mambo et al.  in 1996. In the scheme, the original signer could delegate his signing capability to the proxy signer. After that, the proxy signer could sign a message on behalf of the original signer. The proxy signature has been widely used in distributed shared object systems, grid computing, mobile agent environment and global distribution networks, where delegation of rights is quite common [2, 3].
Recently, certificateless public key cryptography was studied widely since it could solve the certificate management problem in the traditional public key cryptography and the problem in the identity-based public key cryptography. Many certificateless key agreement schemes [4–6] and certificateless signature schemes [7–9] have been proposed for different applications. To satisfy the applications in the certificateless environment, many certificateless proxy signature (CLPS) schemes [10–17] have been proposed. In 2005, Li et al.  proposed the first CLPS scheme. Later, Yap et al.  and Lu et al.  found that Li et al.’s scheme is not secure at all. Lu et al.  also proposed an improved CLPS scheme. In 2009, Chen et al.  proposed the first security model for the CLPS scheme. They also proposed a new CLPS scheme and demonstrated it was provably secure in the security model. To improve performance, several other CLPS schemes [14–16] with provably security were also proposed. All the above CLPS schemes are based on bilinear pairings. The performance of these schemes [10–16] is not satisfactory since the bilinear pairing operation is very complicated. To avoid bilinear pairing operation, Padhye and Tiwari  proposed a certificateless proxy signature scheme with message recovery. They also proved their scheme is secure against chosen message and identity attacks in the random oracle model. In this letter, we will show and discuss the security of Padhye et al.’s scheme and show it is not secure against the Type I adversary.
The rest of the paper is organized as follows. Section 2 gives a review of Padhye et al.’s scheme. Section 3 discusses the security problem in Padhye et al.’s scheme. Finally, we conclude the paper in Section 4.
2. Review of Padhye et al.’s Scheme
In this section, we will review Padhye et al.’s scheme. For convenience, some notations used in the paper are described in the Abbreviations section.
Padhye et al.’s CLPS scheme is composed of ten algorithms, which are Setup, Partial-Private-Key-Extract, Set-Secret-Value,. Set-Private-Key, Set-Public-Key, DelGen, DelVerif, PKGen, PSign, and PSVerif. The details of these algorithms are described as follows.
Setup. Taking a security parameter as inputs, the KGC runs this algorithm to generate the system parameters. (1)KGC chooses a -bit prime , generates an elliptic curve over finite field , generates a group of elliptic curve points on with prime order , and determines a generator of .(2)KGC chooses the master key and computes the master public key .(3)KGC chooses four cryptographic secure hash functions , where .(4)KGC publishes as system parameters and secretly keeps the master key .
Partial-Private-Key-Extract. Taking a user’s identity , system parameters params, and the master key as inputs, KGC runs the algorithm to generate the user’s partial private key.(1)KGC generates a random number and computes and .(2)KGC computes and sends to the user through a secure channel.
Set-Secret-Value. Taking system parameters params as inputs, the user runs the algorithm to generate the secure value.(1) generates a random number and computes .(2) sets as the secret value.
Set-Private-Key. Taking the secret value and the partial private key as inputs, the user sets as his private key.
Set-Public-Key. Taking and as inputs, the user sets as his public key.
DelGen. Taking system parameters params, the original signer ’s private key , the proxy signer ’s public key , and a warrant message as inputs, the original signer runs this algorithm to generate a delegation on the warrant message .(1) generates a random number and computes .(2) computes and sends the delegation to the proxy signer , where .
DelVerif. Take the delegation , system parameters params, and ’s public key as inputs; runs the algorithm to verify the validity of the delegation.(1) computes and .(2) checks whether the equation holds. If it holds, accepts the delegation; otherwise, rejects the delegation.
PKGen. Taking system parameters params, the delegation , and ’s private key as inputs, runs the algorithm to generate his proxy private key.(1) computes .(2) computes and sets as the proxy key.
PSign. Taking a message , system parameters params, and the proxy private key as inputs, runs this algorithm to generate a proxy signature.(1) generates a random number and computes .(2) computes , where denotes the -coordinates of the elliptic curve group point .(3) computes and .(4) outputs as the proxy signature.
PSVerif. Taking the proxy signature , the message , ’s public key , ’s public key , and system parameters params as inputs, the verifier runs this algorithm to verify the validity of the proxy signature.(1) computes , , , , and .(2) computes + + + .(3) checks whether the hash result of the recovered is equal to . If they are equal, accepts the signature; otherwise, rejects the signature.
3. Security Analysis of Padhye et al.’s Scheme
There are two types of adversaries with different capabilities in CLPS schemes. They are known as Type I adversaries and Type II adversaries. The Type I adversary models an outsider adversary, who could replace the public key of any user with a value of his choice, but he does not have access to the master key. The Type II adversary models the malicious KGC who has access to the master key, but he cannot replace the user’s public key replacement. Padhye et al. claimed their scheme was secure against both of the two types of adversaries. In this section, we will show that a Type I adversary could generate a legal delegation of any warrant message and a legal proxy signature of any message.
3.1. Attack on the Delegation
Let be the original signer with identity and the public key . Let be a Type I adversary. could generate a proxy signature of a message and the warrant message through the following steps.(1) generates a random number and computes and .(2) replaces with .(3) generates a random number and computes .(4) computes and sends the delegation to the proxy signer , where .
Since and , then we have
Therefore, the generated delegation could pass the proxy signer ’s verification and generates a delegation of a warrant message successfully.
3.2. Attack on the Proxy Signature
Let be the original signer with identity and the public key . Let be the original signer with identity and the public key . Let be a Type I adversary. could generate a delegation of a warrant message through the following steps.(1) generates two random number and computes , , , and .(2) replaces and with and separately.(3) generates a random number and computes , and .(4) generates a random number and computes , , , and .(5) outputs as the proxy signature.
Since , , , and , then we have Therefore, the generated signature could pass the verification and generates a signature successfully.
In this paper, we have demonstrated that Padhye et al.’s CLPS scheme with message recovery is not secure against the Type I adversary by giving concrete attacks. The analysis shows their scheme is not secure for practical applications. We will try to give a countermeasure to overcome weaknesses in their scheme in the future.
|:||A large prime number|
|:||A finite field|
|:||An elliptic curve defined by the equation , where and|
|:||The group consists of points on and the infinite point|
|:||The order of , where is a large prime number|
|:||A generator of group|
|The master/public key pair of the key generation centre (KGC)|
|:||The identity of|
|:||The partial private key of|
|:||The secret value of|
|:||The private key of|
|:||The public key of|
|:||The original signer|
|:||The proxy signer|
|:||The proxy key.|
The authors thank the editors and the anonymous reviewers for their valuable comments. This research was supported by National Natural Science Foundation of China (nos. 61202447 and 61201180), Natural Science Foundation of Hebei Province of China (no. F2013501066), Northeastern University at Qinhuangdao Science and Technology Support Program (no. xnk201307), Beijing Natural Science Foundation (no. 4132055), and Excellent Young Scholars Research Fund of Beijing Institute of Technology.
- M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: delegation of the power to sign messages,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E79-A, no. 9, pp. 1338–1354, 1996.
- S. F. Tzeng and M. S. Hwang, “Digital signature with message recovery and its variants based on elliptic curve discrete logarithm problem,” Computer Standards and Interfaces, vol. 26, no. 2, pp. 61–71, 2004.
- M. S. Hwang, C. C. Lee, and S. F. Tzeng, “A new proxy signature scheme for a specified group,” Information Sciences, vol. 227, pp. 102–115, 2013.
- D. He, Y. Chen, J. Chen, R. Zhang, and W. Han, “A new two-round certificateless authenticated key agreement protocol without bilinear pairings,” Mathematical and Computer Modelling, vol. 54, no. 11-12, pp. 3143–3152, 2011.
- D. He, J. Chen, and J. Hu, “A pairing-free certificateless authenticated key agreement protocol,” International Journal of Communication Systems, vol. 25, no. 2, pp. 221–230, 2012.
- D. He, S. Padhye, and J. Chen, “An efficient certificateless two-party authenticated key agreement protocol,” Computers & Mathematics with Applications, vol. 64, no. 6, pp. 1914–1926, 2012.
- D. He, J. Chen, and R. Zhang, “An efficient and provably-secure certificateless signature scheme without bilinear pairings,” International Journal of Communication Systems, vol. 25, no. 11, pp. 1432–1442, 2012.
- D. He, Y. Chen, and J. Chen, “A provably secure certificateless proxy signature scheme without pairings,” Mathematical and Computer Modelling, vol. 57, no. 9-10, pp. 2510–2518, 2013.
- D. He, B. Huang, and J. Chen, “A new certificateless short signature scheme,” IET Information Security. In press.
- X. Li, K. Chen, and L. Sun, “Certificateless signature and proxy signature schemes from bilinear pairings,” Lithuanian Mathematical Journal, vol. 45, no. 1, pp. 76–83, 2005.
- W. Yap, S. Heng, and B. Goi, “Cryptanalysis of some proxy signature schemes without certificates,” in Proceedings of the 1st Workshop on Information Security Theory and Practices (WISTP '07), vol. 4462 of Lecture Notes in Computer Science, pp. 115–126, Springer, Heraklion, Greece, May 2007.
- R. Lu, D. He, and C. Wang, “Cryptanalysis and improvement of a certificateless proxy signature scheme from bilinear pairings,” in Proceedings of the 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD '07), pp. 285–290, Qingdao, China, July 2007.
- H. Chen, F.-T. Zhang, and R.-S. Song, “Certificateless proxy signature scheme with provable security,” Journal of Software, vol. 20, no. 3, pp. 692–701, 2009.
- H. Xiong, F. Li, and Z. Qin, “A provably secure proxy signature scheme in certificateless cryptography,” Informatica, vol. 21, no. 2, pp. 277–294, 2010.
- L. Zhang, F. Zhang, and Q. Wu, “Delegation of signing rights using certificateless proxy signatures,” Information Sciences, vol. 184, pp. 298–309, 2012.
- S. Seo, K. Choi, J. Hwang, and S. Kim, “Delegation of signing rights using certificateless proxy signatures,” Information Sciences, vol. 188, pp. 321–337, 2012.
- S. Padhye and N. Tiwari, “ECDLP-based certificateless proxy signature scheme with message recovery,” Transactions on Emerging Telecommunications Technologies, 2012.