Cryptanalysis of an Elliptic Curve-based Signcryption Scheme

Mohsen Toorani ‡

Ali A. Beheshti

† Reprinted from International Journal of Network Security, Vol. 10, No. 1, pp. 51-56, Jan. 2010. Published version of this manuscript is available at: http://ijns.femto.com.tw/contents/ijns-v10-n1/ijns-2010-v10-n1-p51-56.pdf . ‡ Corresponding Author, ResearcherID: A-9528-2009 Abstract

The signcryption is a relatively new cryptographic technique that is supposed to fulfill the functionalities of encryption and digital signature in a single logical step. Although several signcryption schemes are proposed over the years, some of them are proved to have security problems. In this paper, the security of Han et al.’s signcryption scheme is analyzed, and it is proved that it has many security flaws and shortcomings. Several devastating attacks are also introduced to the mentioned scheme whereby it fails all the desired and essential security attributes of a signcryption scheme.

Keywords: Public key cryptography, Elliptic curves, Invalid-curve attack, Unknown key share attack.

1. Introduction

The confidentiality, integrity, non-repudiation, and authentication are the most important security services in the security criteria. The encryption and digital signature are two fundamental security mechanisms that are simultaneously required in many applications. Until the previous decade, they have been viewed as important but distinct building blocks of various cryptographic systems. In public key schemes, a traditional method is to digitally sign a message then followed by an encryption (signature-then-encryption) that has two problems: Low efficiency and high cost of such summation, and the case that any arbitrary scheme cannot guarantee the security. The signcryption is a relatively new cryptographic technique that is supposed to fulfill the functionalities of digital signature and encryption in a single logical step, and can effectively decrease the computational costs and communication overheads in comparison with the traditional signature- then-encryption schemes. The first signcryption scheme was introduced by Zheng in 1997 [1] but it fails the forward secrecy of message confidentiality [2]. Zheng also proposed an elliptic curve-based signcryption scheme that saves 58% of computational and 40% of communication costs when it is compared with the traditional elliptic curve-based signature-then- encryption schemes [3]. There are also many other signcryption schemes that are proposed throughout the years, each of them having its own problems and limitations, while they are offering different level of security services and computational costs.

In a signcryption scheme, the sender usually uses the public key of recipient for deriving a session key of a symmetric encryption, while the recipient uses his private key for deriving the same session key. Exposure of session keys can be a devastating attack to a cryptosystem since such an attack typically implies that all the security guarantees are lost. In this paper, we prove that a recent signcryption scheme, i.e. Han et al.’s scheme [4] that will be referred to as HYH throughout this paper, has such vulnerability and many other security flaws. This paper is organized as follows. Section 2 briefly describes some preliminaries on signcryption and its desired attributes. Section 3 is devoted to cryptanalysis of HYH signcryption scheme, and Section 4 provides the conclusions.

2. Preliminaries to Signcryption

Any signcryption scheme ) , , ( USC SC Gen   typically consists of three algorithms: Key Generation (Gen), Signcryption (SC), and Unsigncryption (USC). Gen generates a pair of keys for any user U: ) , ( ) , (  U Gen VEK SDK U U  where λ is the security parameter, U SDK is the private signing/decryption key of user U, and U VEK

is his public verification/encryption key. For any message , M m

the signcrypted text  is obtained as ) , , ( R S VEK SDK m SC   where S denotes the sender, and R is the recipient. SC is generally a probabilistic algorithm while USC is most likely to be deterministic where ) , , ( } { S R VEK SDK USC m     in which  denotes the invalid result of unsigncryption. A formal proof for the security of signcryption is provided in [5].

2 Any signcryption scheme should have the following properties [6]:

1. Correctness: A signcryption scheme is correct only if for any sender S, recipient R, and message , M m

m VEK SDK VEK SDK m SC USC S R R S   ) , ), , , ( ( .

Efficiency: The computational costs and communication overheads of a signcryption scheme should be smaller than those of the best known signature-then-encryption schemes with the same provided functionalities.

Security: Any signcryption scheme should simu

…(Full text truncated)…