Key Replacement Attack on a Certificateless Signature Scheme

Zhenfeng Zhang and Dengguo Feng

Presenter: Yu-Chi Chen

Outline

• Yap-Heng-Goi Certificateless Signature Scheme

• Public Key Replacement Attack on the Yap-Heng-Goi Scheme

• Remark

112/04/20 2

CL-PKC

• CL-PKC is better than PKC and ID-PKC.– CL-PKC does not need the certificate for identity

and the management about certificate.

– CL-PKC solves the key escrow problem in ID-PKC.

– KGC only generates the user’s partial-private-key.

112/04/20 3

112/04/20 4

Yap-Heng-Goi scheme

keyprivpartialIDsH

IDsHS

keymasterssPS

i

ii

T

__:)(

),(

_:,

1

1

),(:

)(

)||(

_

2

VUSignature

YhlV

UmHh

lQU

lrandom

i

i

),(),( iiT hQUXSeVPe

qZH

GH

*

2

11

}1,0{:

(.)

Sign:

Verify:

pkPxX

skSQxY

xrandom

ii

iii

i

:

:

_

An Attack on the Yap-Heng-Goi Scheme

• Replacement attack:

• An attacker uses public key replacement to generate a forged signature without knowing the master-key.

• The forged signature is valid via the verification.

112/04/20 5

An Attack on the GS Scheme

• The attacker chooses a random and replaces A's public key with the value

• It is able to generate a signature

• This signature (U,V) can be valid via Verify.

112/04/20 6

qZk

Ti StPX

)( ihQUtV

),())(,( iTii hQUSXehQUtPe

Remark.

• For example for signature,

• Remarks of the public key replacement attack.

112/04/20 7

...

...

...)(...

3

2

1

xBsAV

sxAV

AxsxAsAV