Improvement of Tseng et al.’s authenticated encryption scheme


Applied Mathematics and Computation 165 (2005) 1–4 www.elsevier.com/locate/amc

Shin-Jia Hwang, Department of Computer Science and Information Engineering, TamKang University, Tamsui, Taipei Hsien, 251, Taiwan, ROC

Abstract. An attack is presented to show that Tseng et al.'s authenticated encryption scheme is not secure enough to provide confidentiality for messages, and an improvement is proposed. © 2004 Elsevier Inc. All rights reserved.

Keywords: Authenticated encryption scheme; Signature scheme; Message recovery; Cryptanalysis; Self-certified public keys

1. Introduction

Digital signature schemes play an important role in providing integrity, authentication, and non-repudiation services. The proposed digital signature schemes fall into two general classes: schemes with appendix and schemes with message recovery [2]. In a signature scheme with message recovery, the message can be recovered from the signature itself, whereas in a signature scheme with appendix it cannot. Because of the message recovery property, an authenticated encryption scheme can be built by integrating a public key cryptosystem with a digital signature scheme. Besides integrity, authentication, and non-repudiation, an authenticated encryption scheme should also provide confidentiality for messages. Based on Girault's self-certified public key system [1], Tseng et al. [4] proposed an authenticated encryption scheme and examined many attacks to argue that their scheme is secure. However, they missed an attack, presented here, that defeats the confidentiality of the scheme at the message recovery stage. To guard against the new attack, an improvement is proposed. In the next section, Tseng et al.'s authenticated encryption scheme and our attack are given. Then, in Section 3, an improvement is proposed. The final section is our conclusion.

E-mail address: [email protected]
0096-3003/$ - see front matter © 2004 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2004.04.042

2. Our attack on Tseng et al.'s authenticated encryption scheme

A brief review of Tseng et al.'s authenticated encryption scheme [4] is given first. The scheme uses the following system-wide parameters. The trusted authority (TA for short) chooses two large primes $p$ and $q$ such that $p = 2p' + 1$ and $q = 2q' + 1$, where $p'$ and $q'$ are also large primes, and computes the product $N = pq$. TA also finds a generator $g$ of order $p'q'$ in $\mathbb{Z}_N$. The parameters $p$, $q$, $p'$ and $q'$ are kept secret, while $N$ and $g$ are public. The scheme also uses a public one-way hash function $h$.

Suppose that a user $U_i$ with a unique identity $ID_i$ wants to join the system. $U_i$ first chooses a secret key $x_i$, computes $p_i = g^{x_i} \bmod N$, and submits $p_i$ and $ID_i$ to TA. TA then computes and publishes the public key

$y_i = (p_i - ID_i)^{h(ID_i)^{-1}} \bmod N$

for $U_i$. The user $U_i$ verifies the public key $y_i$ by checking

$y_i^{h(ID_i)} + ID_i \equiv g^{x_i} \pmod N$.

Note that $y_i^{h(ID_i)} + ID_i \bmod N$ therefore equals $p_i = g^{x_i} \bmod N$, and anyone can compute it from the published $y_i$ and $ID_i$.

To generate the signature on a message $M$, encoded by a message redundancy scheme, for the receiver $U_j$, the signer $U_i$ randomly selects an integer $k$ and constructs the signature $(r, s)$ by the two equations

$r = M\,(y_j^{h(ID_j)} + ID_j)^{k} \bmod N$ and $s = k - x_i h(r)$.

The receiver $U_j$ verifies the signature and recovers the message $M$ by the equation

$M' = r\,\bigl(g^{s}(y_i^{h(ID_i)} + ID_i)^{h(r)}\bigr)^{-x_j} \bmod N$.

Recovery works because $g^{s}(y_i^{h(ID_i)} + ID_i)^{h(r)} = g^{k - x_i h(r)} p_i^{h(r)} = g^{k} \bmod N$, so the bracketed term raised to $-x_j$ is $p_j^{-k} = (y_j^{h(ID_j)} + ID_j)^{-k} \bmod N$ and $M' = M$. Finally, the recovered message $M'$ is validated by the message redundancy scheme.


However, the following attack works against the above scheme. Suppose that an attacker obtains two signatures $(r_1, s_1)$ and $(r_2, s_2)$, generated by $U_i$ for $U_j$, together with the corresponding messages $M_1$ and $M_2$, such that $h(r_1)$ and $h(r_2)$ are relatively prime. Since both signatures are generated by $U_i$ for $U_j$, they satisfy the following equations (using $y_i^{h(ID_i)} + ID_i = p_i$ and $g^{x_j} = p_j$):

$M_1 = r_1\,\bigl(g^{s_1}(y_i^{h(ID_i)} + ID_i)^{h(r_1)}\bigr)^{-x_j} \bmod N = r_1\, p_j^{-s_1} (p_i^{x_j})^{-h(r_1)} \bmod N$,

and

$M_2 = r_2\,\bigl(g^{s_2}(y_i^{h(ID_i)} + ID_i)^{h(r_2)}\bigr)^{-x_j} \bmod N = r_2\, p_j^{-s_2} (p_i^{x_j})^{-h(r_2)} \bmod N$.

By Theorem 2.2 of [3], because $h(r_1)$ and $h(r_2)$ are relatively prime there exist integers $a$ and $b$ with $a\,h(r_1) + b\,h(r_2) = 1$, and the pair $(a, b)$ can be found by the extended Euclidean algorithm [2]. Therefore the attacker is able to find the secret common item $p_i^{x_j} \bmod N$ shared between the users $U_i$ and $U_j$ by

$(p_i^{x_j})^{a\,h(r_1) + b\,h(r_2)} \equiv \bigl(M_1^{-1} r_1\, p_j^{-s_1}\bigr)^{a} \bigl(M_2^{-1} r_2\, p_j^{-s_2}\bigr)^{b} \equiv p_i^{x_j} \pmod N$.

Note that neither $x_i$ nor $x_j$ is needed: $M_1$, $M_2$, $r_1$, $r_2$, $s_1$, $s_2$ and $p_j$ are all known to the attacker. Now the attacker is able to recover any further message $M_3$ from a signature $(r_3, s_3)$ between $U_i$ and $U_j$, since

$M_3 = r_3\, p_j^{-s_3} (p_i^{x_j})^{-h(r_3)} \bmod N$.

3. Our improvement and security analysis

In order to remove our attack, the secret common item $p_i^{x_j} \bmod N$ should be protected. To generate the signature on the message $M$ for the receiver $U_j$, the signer $U_i$ randomly selects an integer $k$ and constructs the signature $(r, s)$ by the following equations:

$D = h\bigl((y_j^{h(ID_j)} + ID_j)^{k} \bmod N\bigr)$, $r = M g^{D} \bmod N$, and $s = k - x_i h(r)$.

The receiver $U_j$ verifies the signature and recovers the message $M$ by the two equations

$D = h\bigl((g^{s}(y_i^{h(ID_i)} + ID_i)^{h(r)})^{x_j} \bmod N\bigr)$

and

$M = r g^{-D} \bmod N$.

As before, $g^{s}(y_i^{h(ID_i)} + ID_i)^{h(r)} = g^{k} \bmod N$, so the receiver's $(g^{k})^{x_j} = (y_j^{h(ID_j)} + ID_j)^{k} \bmod N$ hashes to the same $D$ that the signer used. Finally, the recovered message $M$ is validated by the message redundancy scheme. Now the common item $p_i^{x_j} \bmod N$ is protected not only by the one-way hash function but also by the discrete logarithm problem over $\mathbb{Z}_N$: an attacker who knows $M$ and $r$ learns only $g^{D} \bmod N$, extracting $D$ from it requires solving a discrete logarithm, and recovering $(y_j^{h(ID_j)} + ID_j)^{k}$ from $D$ requires inverting $h$, so known message/signature pairs no longer yield a multiplicative relation in $p_i^{x_j}$. Another purpose of applying the one-way hash function $h$ to $(g^{s}(y_i^{h(ID_i)} + ID_i)^{h(r)})^{x_j} \bmod N$ is to reduce the computational cost, since $D$ is a short hash value and the exponentiation $g^{D}$ is cheaper than one with a full-size exponent.

4. Conclusions

An attack on Tseng et al.'s authenticated encryption scheme [4] has been presented to show that the scheme cannot provide confidentiality for messages: without the signer's secret key or the receiver's secret key, an attacker who knows two message/signature pairs with relatively prime $h(r_1)$ and $h(r_2)$ can recover any further message between the same two users directly from its signature. An improvement has been proposed to remove the attack.

References

[1] M. Girault, Self-certified public keys, in: Advances in Cryptology, EUROCRYPT '91, Springer-Verlag, New York, 1991, pp. 491–497.
[2] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, 1997, p. 67.
[3] K.H. Rosen, Elementary Number Theory and Its Applications, 2nd ed., Addison-Wesley, Reading, MA, 1988.
[4] Yuh-Min Tseng, Jinn-Ke Jan, Hung-Yu Chien, Digital signature with message recovery using self-certified public keys and its variants, Applied Mathematics and Computation 136 (2003) 203–214.