Abstract

In wireless and mobile networks with limited storage and computing resources, certificateless cryptography has more advantages because of its low dependence on infrastructure and short security parameters. Recently, Gong et al. and Karati et al. each proposed a new certificateless scheme for the Internet of Things environment: one is a certificateless hybrid signcryption scheme, and the other is built on a certificateless encryption scheme. Gong et al. and Karati et al. each gave a formal security proof for their scheme. In this article, attack algorithms against these two schemes are presented separately, showing that the schemes are insecure and not suitable for the Internet of Things environment.

1. Introduction

The primary problem to be solved in public key cryptography is how to certify the ownership of key pairs. In certificate-based public key infrastructure (PKI), a trusted third party called the certificate authority (CA) issues certificates that provide a trusted link between a user’s identity and public key based on digital signature technology. However, certificate management is very complex. Shamir [1] proposed the concept of an identity-based cryptosystem in 1984 to simplify certificate management. The main idea is that a user’s public key can be derived directly from any string that corresponds to the user’s identifying information, such as a name, phone number, or E-mail address. A private key generator (PKG) calculates the private keys using the master key and securely distributes them to the users participating in the scheme. From an efficiency and convenience standpoint, an identity-based system may be a good alternative to a certificate-based system. However, key escrow, meaning that the user’s private key is generated by and known to the PKG, is an inherent problem of identity-based systems: the PKG can sign or decrypt on behalf of any user, so neither authenticity nor privacy can be guaranteed to the user.

As a variant of the identity-based cryptosystem, the concept of certificateless cryptography was proposed in 2003 to eliminate these problems simultaneously [2]. Each user in a certificateless scheme independently generates a secret value and obtains a partial private key from the key generation center (KGC). Thus, each user’s secret consists of two parts, one obtained from a trusted third party (KGC) and one generated by the user himself. Because the KGC never learns the user-generated part, certificateless schemes solve the key escrow problem. In addition, this kind of scheme does not require the trusted third party to certify ownership of the corresponding public key, which makes public key management very efficient. Because of these advantages, certificateless schemes have attracted wide attention and become one of the hot topics of public key cryptography. In recent years, certificateless signcryption [3, 4], certificateless hybrid signcryption [5, 6], certificateless multireceiver signcryption [7–9], certificateless generalized signcryption [10–14], and certificateless online/offline signcryption [15, 16] have been put forward one after another.

In wireless and mobile networks with limited storage and computing resources, certificateless cryptography has more advantages because of its low dependence on infrastructure and short security parameters. However, while achieving low computational costs, many certificateless schemes proposed for the Internet of Things environment [17–23] fail to provide provable security at the same time. Kumar et al. [17] claimed that their newly proposed certificateless aggregate signature scheme is secure against both types of attackers; Zhan and Wang [24] proved that an attacker could forge a valid signature and a valid aggregate signature. Lin et al. [25] pointed out that the certificateless signcryption (CL-SC) scheme proposed by Rastegari et al. [18] is insecure. Zhan et al. [26] analyzed the pairing-free CLAS scheme proposed in [20], pointed out that the scheme is insecure, and proposed an improved scheme to close the vulnerability. Khan et al. [21] proposed a certificateless offline/online signature scheme; unfortunately, their scheme is not secure against adaptive chosen-message attacks, and Hussain et al. [27] proved that an adversary could forge a valid signature on a message by replacing a public key. Kasyoka et al. [28] showed security vulnerabilities in Wei and Ma’s [19] signcryption scheme and proposed modifications to show how it could be made more secure. Xu and Zeng [29] pointed out that the certificateless aggregate arbitrated signature scheme proposed by Lee et al. [22] is not secure against type-1 attackers, who can replace user public keys. They also showed that Addobea et al.’s [23] offline-online certificateless signature scheme does not achieve correctness. Therefore, the certificateless schemes described above cannot be deployed in real Internet of Things environments and mobile applications. Most of these schemes fail because the definition of the security model is incomplete, and in the proof the adversary’s capability is not successfully reduced to solving a hard problem. There has been an ongoing effort in the Internet of Things to make greater advances in both security and performance.

1.1. Our Contributions

Recently, Gong et al. [30] and Karati et al. [31] each proposed a new certificateless scheme for the Internet of Things environment: one is a certificateless hybrid signcryption scheme, and the other is built on a certificateless encryption scheme. Both schemes were claimed to be secure, and formal security proofs were presented that reduce the adversary’s capabilities to solving hard problems. Unfortunately, as shown in this paper, neither Gong et al.’s scheme nor Karati et al.’s scheme is secure against internal attacks. Attack algorithms against the two schemes are presented separately, showing that the schemes are insecure and not suitable for the Internet of Things environment.

1.2. Paper Organization

In Section 2, we give the cryptanalysis of Gong et al.’s scheme, and we give the cryptanalysis of Karati et al.’s certificateless encryption scheme for the industrial Internet of things in Section 3. Section 4 provides a conclusion.

2. Cryptanalysis of Gong et al.’s Certificateless Hybrid Signcryption Scheme

Because of the limitations of symmetric cryptography, public key-based authentication technology has attracted extensive attention. It provides secure communication and access-control mechanisms for various applications. Compared with single-factor or two-factor protocols, multifactor schemes have been shown to achieve higher security levels, and Wang et al. [32–34] have made a series of representative contributions to multifactor authentication. However, in some applications a balance must be struck between availability and security, and single-factor techniques such as digital signature and digital signcryption are adopted for authentication. Signcryption provides confidentiality and authentication at the same time and is widely used in applications where multiple security features are required. Gong et al.’s scheme is a concrete certificateless hybrid signcryption scheme.

2.1. Gong et al.’s Scheme

As shown below, their scheme includes five algorithms altogether: Setup, Extract-Partial-Private-Key, Generate-User-Keys, Signcrypt, and Unsigncrypt.

2.1.1. Setup

KGC runs the following steps:
(i) Generates two distinct cyclic groups (an additive cyclic group with a generator ) and (a multiplicative cyclic group) of prime order , where is a bilinear map.
(ii) Chooses and computes .
(iii) Chooses one-way hash functions as , , , , .
(iv) Finally, keeps safely and outputs as the system parameters.

2.1.2. Extract-Partial-Private-Key

Given the identity information , KGC runs the following steps to generate the corresponding partial private key :
(i) Computes .
(ii) Sets the partial private key .

2.1.3. Generate-User-Keys

The user chooses , computes the public key , and sets the full private key .

2.1.4. Signcrypt

A sender runs the following steps to generate the ciphertext:
(i) Chooses .
(ii) Computes , and , where .
(iii) Computes and .
(iv) Computes and .
(v) Outputs as the ciphertext.

2.1.5. Unsigncrypt

A receiver runs the following steps for unsigncryption:
(i) Computes , , and .
(ii) Computes the message . If the output is , rejects the message.
(iii) Computes .
(iv) Checks whether holds. If it holds, obtains ; otherwise, rejects the message.

2.2. Cryptanalysis of Gong et al.’s Scheme
2.2.1. Attack Algorithm 1 (Internal Attacks to the Unforgeability)

Once the receiver receives a valid signcryption text , he can impersonate the sender and generate a signcryption text for any message of his choice addressed to himself. The attack algorithm is described as follows:
(i) Chooses .
(ii) Computes , , and .
(iii) Computes , , where .
(iv) Computes .
(v) Computes .
(vi) Computes and .
(vii) Sends the ciphertext of message .

2.2.2. Correctness

The signcryption ciphertext is validly related to , as shown in the following.

Since , , , the receiver can compute where .

The equation always holds since

Thus, is a valid signcryption ciphertext.

Any user can launch the attack after receiving a valid signcryption ciphertext sent to him, so the nonrepudiation and source authentication that should be satisfied by the digital signcryption scheme cannot be realized.

2.2.3. Attack Algorithm 2 (Internal Attacks to the Master Secret Key)

As shown in the Extract-Partial-Private-Key algorithm, KGC generates by computing and .

Since is a random element in and is a hash function that maps strings to distinct elements in , any partial private key holder can compute the master secret key directly by . Once the master secret key is leaked, no security property of the whole system can be guaranteed. Any user who receives a valid partial private key can launch this attack.
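The two passages above, the two-part certificateless secret from the Introduction and the master-secret leak of Section 2.2.3, share one underlying idea, so the following added example covers both. It is illustrative code written for this edit, not code from Gong et al. or from the paper. The scheme's groups and hash functions are not shown on the page, so the example models the flawed pattern abstractly: the partial private key is taken to be the field product of the master secret and a hash of the identity, both in the same scalar field Z_q, which is exactly the situation the text describes (a random scalar multiplied by a hash value that is itself a scalar). The prime Q, the hash H1 and the identities are constructed for illustration.

```python
"""Toy model of certificateless key issuance and the master-secret leak of
Section 2.2.3.  Added example; the field, hash and parameters below are
constructed for illustration and are NOT Gong et al.'s actual scheme."""
import hashlib
import secrets

# Constructed parameter: the Mersenne prime 2^127 - 1 serves as the scalar
# field Z_q.  Far too small for real use; large enough to show the algebra.
Q = (1 << 127) - 1


def h1(identity: str) -> int:
    """Assumed model of H1: hash an identity string to a non-zero scalar in Z_q."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def kgc_setup() -> int:
    """KGC picks the master secret s uniformly from Z_q^*."""
    return secrets.randbelow(Q - 1) + 1


def extract_partial_key_scalar(master_secret: int, identity: str) -> int:
    """Flawed pattern: the partial private key is the field product
    s * H1(ID) mod q.  Both factors live in Z_q, so either can be divided out."""
    return master_secret * h1(identity) % Q


def generate_user_keys(partial_key: int) -> tuple[int, int]:
    """Certificateless two-part secret (Introduction): the user's own secret
    value x plus the KGC-issued partial key.  KGC never learns x, which is
    what removes key escrow; the partial key is the only KGC-derived part."""
    x = secrets.randbelow(Q - 1) + 1
    return x, partial_key


def recover_master_secret(partial_key: int, identity: str) -> int:
    """What any partial-key holder can compute in the flawed pattern:
    s = d * H1(ID)^(-1) mod q, the division the text refers to."""
    return partial_key * pow(h1(identity), -1, Q) % Q


def master_secret_leaks(master_secret: int, identity: str) -> bool:
    """Design-review check: does a single issued partial key reveal s?"""
    d = extract_partial_key_scalar(master_secret, identity)
    return recover_master_secret(d, identity) == master_secret


def leak_compromises_other_users(master_secret: int, holder: str, other: str) -> bool:
    """Impact check: the value recovered from the holder's key reproduces KGC's
    output for any other identity, so no user's partial key stays private."""
    d_holder = extract_partial_key_scalar(master_secret, holder)
    s_recovered = recover_master_secret(d_holder, holder)
    return (extract_partial_key_scalar(s_recovered, other)
            == extract_partial_key_scalar(master_secret, other))


if __name__ == "__main__":
    s = kgc_setup()
    x, d = generate_user_keys(extract_partial_key_scalar(s, "device-A@example"))
    print("full private key is (x, d); KGC knows only d:", x != d)
    print("one partial key leaks the master secret:", master_secret_leaks(s, "device-A@example"))
    print("leak reproduces other users' partial keys:",
          leak_compromises_other_users(s, "device-A@example", "device-B@example"))
```

The check passes because multiplication by a known non-zero scalar is invertible in a field. The mitigation, which is what a pairing-based setup such as the one in Section 2.1.1 is normally designed around, is to hash the identity into the additive group (a point) and let the partial key be the scalar multiple of that point by the master secret: a partial-key holder then sees only a point and its multiple, and recovering the scalar is a discrete-logarithm problem rather than a division. A scheme review should therefore confirm that every KGC-issued value is a group element, never a bare field product of the master secret.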

3. Cryptanalysis of Karati et al.’s Certificateless Encryption Scheme

To meet more complex security goals, designers often extend a general-purpose scheme with additional features. Karati et al.’s reliable data sharing protocol is built on a certificateless encryption scheme in this way.

3.1. Karati et al.’s Scheme

As shown below, their scheme includes ten algorithms: Setup, Set-Secret-Value, Set-Public-Value, Set-Partial-Private-Key, Set-Full-Public-Key, Set-Full-Private-Key, Encrypt, Gen-Trapdoor, Test-Trapdoor, and Decrypt.

3.1.1. Setup

KGC runs the following steps:
(i) Generates three distinct cyclic groups , , and , where is a bilinear map.
(ii) Chooses a generator .
(iii) Chooses , , and for some and , which are one-way hash functions.
(iv) Computes for .
(v) Keeps safely and publishes .

3.1.2. Set-Secret-Value and Set-Public-Value

The device runs the following steps:
(i) Chooses and sets the secret value .
(ii) Generates the public value .

3.1.3. Set-Partial-Private-Key

KGC runs the following steps to generate the partial private key of device :
(i) Chooses and .
(ii) Computes and .
(iii) Computes and .
(iv) Outputs .

On receiving securely, device may check it by the equation .

3.1.4. Set-Full-Public-Key and Set-Full-Private-Key

The full public key of Device can be expressed as , and the full private key can be expressed as .

3.1.5. Encrypt

Given the message and keyword , a sender whose private key is runs the following steps to generate a ciphertext for receiver R with public key :
(i) Chooses and .
(ii) Sets .
(iii) Computes , , where and .
(iv) Outputs for .

3.1.6. Gen-Trapdoor

Given a tester’s private-public key pair , the receiver runs the following steps to generate a trapdoor :
(i) Computes .
(ii) Computes and for .

3.1.7. Test-Trapdoor

The tester computes and retrieves if the condition holds.

3.1.8. Decrypt

Given a keyword , , , the receiver computes and . The first bit of is returned as if .

3.2. Cryptanalysis of Karati et al.’s Scheme

To show its usability, Karati et al. defined their scheme as -KDCLEKS. We note that if the sender sends a message directly without any keyword, -KDCLEKS reduces to an ordinary certificateless encryption scheme, which we denote -KDCLEKS.

In this section, it will be shown that the encryption algorithm -KDCLEKS is not secure under public-key replacement attacks launched by an adversary .

3.2.1. Attack Algorithm 1 (Internal Attacks to the Partial Private Key)

Assume that a user declares his public value as . Once the adversary receives a valid partial private key , it can calculate and generate a partial private key for this user as follows:
(1) Compute and .
(2) Compute .
(3) Compute .

3.2.2. Correctness

is a valid partial private key related to public value as shown in the following equation:

Thus, is always accepted as a valid partial private key related to public value . Any user who receives a valid partial private key can launch this attack. This means that a user’s partial private key can be forged by another user, leading to a loss of availability.

3.2.3. Attack Algorithm 2 (Internal Attacks to the Confidentiality)

Once the adversary receives a valid Full-Public-Key and the corresponding Full-Private-Key , he can decrypt the ciphertext of any user with through public key replacement attacks. The attack algorithm is described as follows:
(1) Select a random parameter , and compute , and , where .
(2) Replace the public key of user with the value .

On inputs and the receiver’s public key with message , the sender selects , and sets , where , , where . Finally, the sender outputs as the ciphertext.

Given the ciphertext , the adversary can successfully decrypt it using the following steps:
(1) Compute .
(2) Compute , , .
(3) Compute , where .

3.2.4. Correctness

The decryption process is always successful as shown in the following equation:

Thus, reveals with probability 1. This attack can be launched by any user who receives a legal partial private key, and he can decrypt the ciphertext of any other user through public key replacement attacks without knowing the master secret . This means that any user’s public key can be replaced and the message revealed by the attacker, leading to a loss of confidentiality.

4. Conclusion

Gong et al. gave a formal security proof in the random oracle model, and Karati et al. proved their scheme secure against adversaries. Unfortunately, we have shown that in Gong et al.’s scheme, internal users can forge the signcryption ciphertext sent to them, so the nonrepudiation and source authentication that a digital signcryption scheme should provide cannot be realized. More seriously, any partial private key holder can directly calculate the master secret key, which defeats every security feature of the system. In Karati et al.’s basic certificateless encryption scheme, any user who obtains a partial private key can either forge the partial private key of another user or replace the public key of another user to decrypt that user’s ciphertext. Therefore, both schemes are insecure and not suitable for the Internet of Things environment.

Data Availability

All data generated or analyzed during this study are included in this published article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.