Abstract

The probabilistic signature scheme has been widely used in modern electronic commerce since it provides integrity, authenticity, and nonrepudiation. Recently, Wu and Lin proposed a novel probabilistic signature (PS) scheme using the bilinear square Diffie-Hellman (BSDH) problem. They also extended it to a universal designated verifier signature (UDVS) scheme. In this paper, we analyze the security of Wu and Lin’s PS scheme and UDVS scheme. Through concrete attacks, we demonstrate that neither of their schemes is unforgeable. The security analysis shows that their schemes are not suitable for practical applications.

1. Introduction

The signature scheme is an important cryptographic mechanism in public key cryptosystems. In a signature scheme, the signer uses his private key to sign a message and generate a signature, which can be verified by other users using the signer’s public key. A signature provides integrity, authenticity, and nonrepudiation, so it can be used in modern electronic commerce [15].

The undeniable signature (US) scheme is a variation of the signature scheme, which was first introduced by Chaum and van Antwerpen [6]. In the US scheme, the verifier needs the signer’s cooperation to finish the verification. In order to remove the complicated cooperation between the signer and the verifier, Jakobsson et al. [7] introduced the concept of the designated verifier signature (DVS) scheme and proposed a concrete DVS scheme. However, Wang [8] found a serious security vulnerability in Jakobsson et al.’s scheme. Later, Steinfeld et al. [9, 10] introduced the concept of the universal designated verifier signature (UDVS) scheme to generalize the concept of the DVS scheme. In the UDVS scheme, the signer can generate a signature, and only the designated verifier can verify the signature using his private key.

Later, Zhang et al. [11] used the Diffie-Hellman problem to construct a UDVS scheme and demonstrated that their scheme is provably secure in the standard model. Unfortunately, Cheon [12] found that Zhang et al.’s scheme had a security flaw. To enhance security, Huang et al. [13] presented a new UDVS scheme using the gap bilinear Diffie-Hellman problem. In order to satisfy applications in identity-based systems, Chen et al. [14] proposed the first identity-based UDVS scheme. In order to improve efficiency, Wu and Lin [15] proposed a probabilistic signature (PS) scheme using the bilinear square Diffie-Hellman (BSDH) problem. Then, they extended this PS scheme to a UDVS scheme. They also demonstrated that both of their schemes are provably secure in the random oracle model. In this paper, we analyze the security of both Wu and Lin’s PS scheme and UDVS scheme. Through concrete attacks, we show that neither of their schemes is unforgeable. We also propose efficient countermeasures to withstand those attacks.

The organization of the paper is as follows. Section 2 gives a brief review of Wu and Lin’s PS scheme and UDVS scheme. Section 3 presents our attacks against Wu and Lin’s PS scheme and UDVS scheme. Section 4 presents our countermeasures to withstand the proposed attacks. Finally, Section 5 concludes the paper.

2. Review of Wu and Lin’s Schemes

In this section, we give the details of Wu and Lin’s PS scheme and UDVS scheme.

2.1. Review of Wu and Lin’s PS Scheme

There are two participants in Wu and Lin’s PS scheme, namely a signer and a verifier. The signer generates a publicly verifiable signature (PV-signature) using his private key, and the verifier can verify the validity of the PV-signature using the signer’s public key. There are three algorithms in Wu and Lin’s PS scheme, namely Setup, PV-Signature-Generation, and PV-Signature-Verification.

Setup. Taking a security parameter as input, the system authority (SA) runs the following steps to generate the system parameters. Besides, the user registers his public key.
(1) SA chooses a random number and selects two multiplicative groups and with the same order , where the bit length of is .
(2) SA chooses a generator of the group and a bilinear pairing .
(3) SA chooses two secure hash functions and , where and .
(4) SA publishes the system parameters .
(5) chooses a random number as his private key and registers his public key .

PV-Signature-Generation. Upon receiving the message , the signer runs the following steps to generate a PV-signature .
(1) chooses a random number and computes , , and .
(2) outputs as the PV-signature of the message .

PV-Signature-Verification. Upon receiving the message , the PV-signature , and the signer’s public key , the verifier runs the following steps to verify the validity of the PV-signature.
(1) checks whether the equation holds.
(2) If the equation holds, confirms that the PV-signature is valid; otherwise, confirms that the PV-signature is not valid.

2.2. Review of Wu and Lin’s UDVS Scheme

There are two participants in Wu and Lin’s UDVS scheme, namely a signer and a verifier. The signer generates a designated verifiable signature (DV-signature) using his private key, and only the designated verifier can verify the validity of the DV-signature using the signer’s public key. There are five algorithms in Wu and Lin’s UDVS scheme, namely Setup, PV-Signature-Generation, PV-Signature-Verification, DV-Signature-Generation, and DV-Signature-Verification. Because the first three algorithms are the same as those in the PS scheme, only the last two algorithms are described in detail.

DV-Signature-Generation. Upon receiving a message and the designated verifier ’s public key , the signer runs the following steps to generate a DV-signature .
(1) chooses a random number and computes , , , and .
(2) outputs as the DV-signature of the message .

DV-Signature-Verification. Upon receiving a message , the DV-signature , and the signer’s public key , the designated verifier runs the following steps to verify the validity of the DV-signature.
(1) checks whether the equation holds.
(2) If the equation holds, confirms that the DV-signature is valid; otherwise, confirms that the DV-signature is not valid.

3. Security Analysis of Wu and Lin’s Schemes

In this section, we give the security analysis of Wu and Lin’s PS scheme and UDVS scheme.

3.1. Security Analysis of Wu and Lin’s PS Scheme

Wu and Lin claimed that their PS scheme was unforgeable against various attacks. Through a concrete attack, we show that an adversary without the signer ’s private key can forge a legal PV-signature of any message. Given a message , the adversary can forge a legal PV-signature through the following steps.
(1) generates a random number and computes and .
(2) outputs as the PV-signature of the message .

Since and , we could get

From (1), we know that the equation holds. Therefore, the PV-signature generated by the adversary passes the verifier’s check, and the adversary can forge a legal PV-signature.

3.2. Security Analysis of Wu and Lin’s UDVS Scheme

Wu and Lin claimed that their UDVS scheme was unforgeable against various attacks. Through a concrete attack, we show that an adversary without the signer ’s private key can forge a legal DV-signature of any message. Given a message and the designated verifier ’s public key , the adversary can forge a legal DV-signature through the following steps.
(1) generates a random number and computes , and .
(2) outputs as the DV-signature of the message .

Since , , , and , we could get

From (2), we know that the equation holds. Therefore, the DV-signature generated by the adversary passes the designated verifier’s verification, and the adversary can forge a legal DV-signature.

4. Countermeasures

4.1. Countermeasure for Wu and Lin’s PS Scheme

From the details of Wu and Lin’s PS scheme, we know that the value has no relation to the value of . Hence the adversary can choose the value freely to remove the relation between and . To withstand the attack described in Section 3.1, we only need to modify Wu and Lin’s PS scheme slightly.

PV-Signature-Generation. Upon receiving a message , the signer runs the following steps to generate a PV-signature .
(1) chooses a random number and computes , , and .
(2) outputs as the PV-signature of the message .

PV-Signature-Verification. Upon receiving a message , the PV-signature , and the signer’s public key , the verifier runs the following steps to verify the validity of the PV-signature.
(1) checks whether the equation holds.
(2) If the equation holds, confirms that the PV-signature is valid; otherwise, confirms that the PV-signature is not valid.

After the modification, the adversary can still generate a random number and compute , . However, the verification equation never holds, since the adversary cannot use to remove the hash function . Hence, the modified scheme is secure against the attack described in Section 3.1.

4.2. Countermeasure for Wu and Lin’s UDVS Scheme

From the details of Wu and Lin’s UDVS scheme, we know that the value has no relation to the value of . Hence the adversary can choose the value freely to remove the relation between and . To withstand the attack described in Section 3.2, we only need to modify Wu and Lin’s UDVS scheme slightly.

DV-Signature-Generation. Upon receiving a message and the designated verifier ’s public key , the signer runs the following steps to generate a DV-signature .
(1) chooses a random number and computes , , , and .
(2) outputs as the DV-signature of the message .

DV-Signature-Verification. Upon receiving a message , the DV-signature , and the signer’s public key , the designated verifier runs the following steps to verify the validity of the DV-signature.
(1) checks whether the equation holds.
(2) If the equation holds, confirms that the DV-signature is valid; otherwise, confirms that the DV-signature is not valid.

After the modification, the adversary can still generate a random number and compute , and . However, the verification equation never holds, since the adversary cannot use to remove the hash function . Hence, the modified scheme is secure against the attack described in Section 3.2.

5. Conclusion

Recently, Wu and Lin proposed a PS scheme using the bilinear square Diffie-Hellman problem and extended it to a UDVS scheme. They also demonstrated that their schemes are provably secure in the random oracle model. Through concrete attacks, we demonstrate that neither of their schemes is unforgeable against a common adversary. To improve security, we also propose efficient countermeasures to withstand the proposed attacks.

Conflict of Interests

The authors declare that they have no conflict of interests.

Acknowledgments

The authors thank Professor Junghyun Nam and anonymous reviewers for their valuable comments. This study was supported by the International S&T Cooperation Program from the Ministry of Science and Technology of China (no. 2012DFA91530), the “Twelfth five-year-plan” Support Plan Projects (no. 2011BAD25B01), the introduction of high-level Talents Foundation of North China University of Water Resources and Electric Power (no. NCWU201248), the Key Technique Program of the Education Department of Henan Province (13A570704), and the National Science foundation of China (no. 61202447).