Abstract

Tian and Huang proposed a lattice-based CLS scheme based on the hardness of the SIS problem and proved, in the random oracle model, that the scheme is existentially unforgeable against strong adversaries. Their security proof uses the general forking lemma under the assumption that the underlying hash function is a random oracle. We show that the hash function in the scheme is neither one-way nor collision-resistant in the view of a strong Type 1 adversary. We point out flaws in the security arguments and present attack algorithms that are successful in the strong Type 1 adversarial model using the weak properties of the hash function.

1. Introduction

The notion of certificateless signature (CLS) has been introduced by Al-Riyami and Paterson [1] in 2003 as a variant of identity-based signature (IBS) to eliminate the key escrow problem inherent in IBS and assuage the certificate management of regular signatures. To solve the key escrow problem, a user’s private key in a CLS scheme is not generated by the KGC alone. Instead, it is a combination of a secret from the KGC and one chosen by the user. More precisely, each user has two secrets: a secret value generated by the user and a partial private key produced by the KGC, who holds the master key. Signing requires both secrets. Since the KGC does not have access to the secret value generated by the user, the key escrow problem can be solved.

Lattice-based signature schemes are an important alternative for the current number-theoretic signature schemes and are emerging as a promising candidate for postquantum cryptography on the basis of Shor’s work [2]. There are many lattice-based cryptosystems, including encryption schemes [3, 4]. There have been various attempts to construct lattice-based CLS schemes.

The first lattice-based signature scheme was proposed by Gentry et al. [5] as a Hash-and-Sign signature scheme and its security is based on the hardness SIS problem on the average case. Lyubashevsky and Micciancio [6] proposed a lattice-based one-time signature scheme in 2008. Lyubashevsky [7] proposed a lattice-based signature by extending the scheme of Lyubashevsky and Micciancio [6] in the framework of Fiat-Shamir. Since then, a number of lattice-based signature schemes have been proposed in the context of PKI. Tian and Huang [8] proposed a IBS scheme following the framework of Lyubashevsky [7].

In 2015, Tian and Huang [9] proposed a lattice-based CLS scheme and proved under the SIS assumption that the scheme is existentially unforgeable against strong adversaries, in the random oracle. In this paper, we discuss security flaws in the CLS scheme of Tian and Huang by scrutinizing misuses of the hash function in the security arguments. The security proof of the scheme is given in random oracle model and uses the general forking lemma under the assumption that the underlying hash function is a random oracle. We show that the hash function is neither one-way nor collision-resistant in the view of a strong Type 1 adversary. This means that the hash function defined from cannot be modelled as a random oracle and this indicates critical flaws in the security argument.

We show that the CLS scheme is insecure against strong Type 1 adversaries by providing effective attack algorithms. The attack algorithms, which are successful in the strong Type 1 adversarial model, are based on the weak properties of the hash function that we have found.

The rest of the paper is organized as follows. In Section 2 we give preliminaries on CLS schemes and review the CLS scheme of Tian and Huang as well as their security proofs. In Section 3, we analyze the security arguments of Tian and Huang and point out security flaws. We show that the scheme is insecure under strong Type 1 attack. We draw our conclusion in Section 4.

2. Review of the Certificateless Signature Scheme of Tian and Huang

In 2015, Tian and Huang proposed a CLS scheme (from hereon in referred to simply as “Tian-Huang scheme”) and they claimed that their scheme is provably secure in the strong Type 1 adversarial model by assuming the hardness of the SIS problem [9]. In this section, we review some basics of Tian-Huang scheme and their security proof.

2.1. Some Basics of SIS Problem

The security of Tian-Huang scheme is based on the hardness of the SIS problem. The SIS problem can be stated as follows.

Definition 1. Given a positive integer , a matrix , and a positive real number , the -SIS problem for is to find a nonzero vector such that and .

One of the related problems of the SIS problem is the Inhomogeneous-SIS (ISIS) problem that can be described as follows.

Definition 2. Given a positive integer , a matrix , a vector , and a positive real number , the -ISIS problem for is to find a nonzero vector such that and .

For any polynomial-bounded and for any prime , it is known by Micciancio and Regev [10] that solving SIS on average is hard as approximating some intractable lattice problem.

The polynomial-time algorithms and are building blocks of Tian-Huang scheme. We skip the details of each algorithms in this paper.(i) if and only if is of full rank and each column vector of is a solution of -SIS problem for the matrix .(ii)For , if and only if each of the column vectors of is a solution of -ISIS problem for .

2.2. A Description of Tian-Huang Scheme [9]

In this subsection we give a brief description of Tian-Huang scheme; for the full details, see [9]. Major public parameters of the scheme are the following:(i): security parameter.(ii): prime number.(iii): a positive real number.(iv): positive integers with and . The scheme consists of the following seven algorithms: (i)Setup: on input the security parameter , the KGC(a)computes ,(b)chooses a random matrix ,(c)chooses two secure hash functions (d)outputs the master secret and the public parameters .(ii)PartialPrivateKeyExtract(: on input , the KGC obtains and sends it to the user with . Upon receiving , the user with checks the correctness of by verifying if and . If so, the user sets his partial private key as .(iii)SetSecretValue(: on input , the user with selects a random matrix satisfying and outputs his secret value .(iv)SetPrivateKey(: on input , the user with outputs his full private key .(v)SetPublicKey(: on input , the user with outputs his public key .(vi)CLSign(: on input , the user with (a)selects and and sets .(b)sets and .(c)computes .(d)outputs the signature on with probability . If nothing is outputted, repeat this algorithm.(vii)CLVfy(: on input , the algorithm outputs only if , where .

Correctness. The correctness of Tian-Huang scheme is clear from the fact that the following holds for any correctly computed key pairs and a signature on .

2.3. Security Model for CLS Schemes

The most general security notion of regular signature is the existential unforgeability under an adaptively chosen message attack. It is extended to IBS, namely, existential unforgeability under an adaptively chosen message and an adaptively chosen-ID attack, where an adversary can choose its messages and its identities adaptively. The security notion of CLS is similar to that of IBS, but it is more complicated from the following facts:(i)The KGC should be considered as an adversary because it is not a trusted party.(ii)There is no way to authenticate the public key of the user because no certificate of is given. Therefore, replacing the public key of the user is allowed. Such issues necessitate considering two types of adversaries in CLS, namely, Type 1 and Type 2 adversaries. The Type 1 adversary models outside attacker which is allowed to replace any user’s public key. The Type 2 adversary models a malicious KGC which is allowed to obtain the master secret . For each type, the adversary is also given access to the signing oracle for any messages for any identities of its chosen. However, none of Type 1 and Type 2 adversaries are allowed to replace and obtain at the same time.

In 2007, Hu et al. [11] defined formal security models and Huang et al. [12, 13] also defined formal security models in which the adversaries can be categorized into normal, strong, super adversaries (ordered based on their attack powers), which are accessed different sign oracles. Because our focus in this paper is the Type 1 security of Tian-Huang scheme against strong adversary, we describe the Type 1 security model of CLS against strong adversary, only. The Type 1 security of a CLS against strong adversary is formalized by using the following security game, CL-EUF game between the challenger and a Type 1 adversary .

[CL-EUF-Game 1] [Initialization] the challenger runs setup and sends to . [Queries] can request the following queries adaptively to the challenger . CreateUser Query. For the requested identity , if has already been created, nothing is to be carried out. Otherwise, the oracle runs the algorithms PartialPrivateKeyExtract, SetSecretValue, SetPrivateKey, and SetPublicKey to generate , , , and . In both cases, is returned. RevealSecretValue Query. For the requested identity , the oracle returns the corresponding secret value . ReplacePublicKey Query. For the requested , the oracle replaces the public key of the original user with and returns the replaced . The replacement will be recorded. RevealPartialPrivateKey Query. For the requested , the challenger returns the corresponding partial private key . StrongSign Query. For the requested , returns the signature such that  [Forgery] finally, outputs on a message for an identity . We say that the adversary wins the [CL-EUF-Game 1] if(1) has never been requested to the RevealPartialPrivateKey oracle,(2) the pair has never been requested to the StrongSign oracle, where is the corresponding secret of ,(3).

The security of CLS against strong Type 1 adversaries is defined as follows.

Definition 3. For any polynomial-time strong Type I adversary, if the probability of the adversary win CL-EUF-Game 1 is negligible, then we say the CLS scheme is existentially unforgeable against strong Type 1 adversaries under adaptive chosen message and chosen identity attacks.

Note that, for the security of CLS, one should consider both of Type 1 and Type 2 adversaries. However, we believe that the description of Type 1 security of CLS is enough to read the ideas of this paper and we omit the description of Type 2 security of CLS in this paper.

2.4. Summary of the Security Proof of Tian-Huang Scheme in [9]

The security proof of Tian-Huang scheme in [9] is given in random oracle model where the hash functions and are viewed as random oracles and controlled by the challenger .

Suppose there is a polynomial-time strong Type 1 adversary that requests CreateUser, RevealPartialPrivateKey, RevealSecretValue, ReplacePublicKey, StrongSign, and and queries and outputs a forged signature for Tian-Huang scheme with nonnegligible probability. Tian and Huang proved that the challenger can solve the -SIS problem with nonnegligible probability using . Now, we give a brief review of how the challenger solves a given SIS problem by using the successful strong Type 1 adversary; for the full details, see [9]. Suppose that a specific -SIS problem with matrix is given to .

First, the challenger simulates the security game with the adversary for with a randomly chosen and two secure hash functions and . Even though the challenger does not know the corresponding trapdoor , can respond to Create-User-Oracle query or Extract-Partial-Private-Key-Oracle query correctly by using the hash function as a random oracle which is controlled and recorded by . The challenger also records the list corresponding to of -oracle query as a random oracle. Finally, outputs a signature forgery on a message for an identity and with nonnegligible probability.

To solve the given SIS problem for the matrix , the challenger reruns the adversary with the same random tape but different outputting sequence of -oracle. The general forking lemma assures that will output a new forgery on a message for an identity and such that and where and .

In particular, we see that . By inserting , we haveSince and with overwhelming probability, we can see thatThe fact and the nonuniqueness of the solution of ISIS problem for yieldswith probability at least . Therefore, is a solution of the given SIS problem to .

Remark 4. The security proof above is based on the forking lemma assuming the underlying hash function can be modelled as a random oracle. However, as we will see in the next section, for the strong Type I adversary, the specific hash function in the scheme, which is related but has a different property from the given , is neither one-way nor collision-resistant. This means that the hash function defined from cannot be modelled as a random oracle. Therefore, we see that there is a critical flaw in their security proof. In fact, we present successful strong Type 1 adversarial algorithms on the scheme in the next section.

3. Main Results

In this section, we discuss the flaws that we have found in the arguments of their security proof against a strong Type 1 adversary. Then we give two successful strong Type 1 attack algorithms.

3.1. Analysis of Cryptographic Usage of Hash Functions in the Tian-Huang Scheme

The Tian-Huang scheme uses a collision-resistant hash function in an essential way in the security proof. In this section, we discuss the usage of the hash function and analyze how the security arguments utilize its cryptographic properties incorrectly.

Lemma 5. Let and . Consider a signature on a message , where . Then is valid under if the following holds:(1).(2)

Proof. By (2) we have and so

The converse is true with overwhelming probability if the hash function is collision-resistant:

Lemma 6. Let and . If a signature on a message is valid under where , then with overwhelming probability we have

By Lemmas 5 and 6, we see that the validity of a signature on the message under for and is (computationally) equivalent to the following:(1),(2) for .

Now we analyze some cryptographic properties concerning where is a collision-resistant hash function.

Theorem 7. Suppose that we have functions  , ,such that For any given , one can efficiently compute if the following data are known:

Proof. Given together with , one can recover by computing and taking the second component of

Theorem 7 can be interpreted as asserting that the function cannot acquire one-wayness in the presence of the (additional) data for , even though is closely related to a secure hash function . We note that this additional data is always available to any strong Type 1 adversary against the Tian-Huang scheme by requesting ReplacePublicKey queries and a StrongSign query. In fact, we will use this to design a successful strong Type 1 attack on the Tian-Huang scheme in Section 3.2.1.

Theorem 8. Suppose we have functions  , ,such that For any given preimage of , one can efficiently compute a second preimage of .

Proof. Suppose we are given such that . Choose a such that and . Compute and . Then

By Theorem 8, the function cannot be collision-resistant even if is. In Section 3.2.2 we show how to utilize a second preimage of to design a successful strong Type 1 attack on the Tian-Huang scheme.

Theorems 7 and 8 show that the functions and cannot be a secure hash function even if the underlying function is a one-way and collision-resistant if some additional data is known. Moreover we see that such additional information is always available to any strong Type 1 adversaries against the Tian-Huang scheme. In other words, none of the functions and is a secure hash function in the view of strong Type 1 adversaries against the Tian-Huang scheme. Tian and Huang claimed that their CLS scheme is provably secure against strong Type 1 adversaries. The arguments of the proof are based on the fact that and are cryptographically secure hash functions and they can be modelled as a random oracle, which are assumed by the authors from the secure choice of . By Theorems 7 and 8, however, we see that this is not correct under the strong Type 1 adversarial model and so are their security proofs. In fact, we present two successful strong Type 1 attacks in the sections that follow.

3.2. Strong Type 1 Attacks on the Tian-Huang Scheme

We present two attack algorithms on the Tian-Huang scheme. The first attack is successful by considering the hash function in the scheme as

The second attack is successful by considering the hash function in the scheme as

3.2.1. Attack Algorithm 1

The idea of the attack is that a strong Type 1 adversary, by requesting ReplacePublicKey queries and a StrongSign query, is always able to obtain the data needed to compute the preimage of as in Theorem 7.

A strong Type 1 adversary proceeds as follows.

Step 1. choose any , to be used as a new secret value for , and sets .

Step 2. submits a query ReplacePublicKey, so that the public key corresponding to is now .

Step 3. submits a query StrongSign to obtain a signaturewhere (i); we may assume that ; that is, there is such that the th component of is nonzero. (So there is such that  where is a standard unit vector, with all components zero except for the th, which is one.)(ii); we may assume that ; that is, for some .(iii).

Step 4. computes ; note that .

Step 5. chooses so that ; for instance, one can simply let to be the matrix whose entries are all zero except for the -entry, which is set to be (recall that from Step 3). computes and submits a query ReplacePublicKey.

Step 6. forges a signature by computing(i);(ii).

Validity of the Forged Signature. The validity of as a signature on under can be checked using Lemma 5:(i)Noting , we have (ii)Since , we have