Available online at www.sciencedirect.com

Procedia Computer Science 19 (2013) 565 – 569

The 4th International Conference on Ambient Systems, Networks and Technologies (ANT 2013)

On the Security of Hwang-Lo-Hsiao-Chu Authenticated Encryption Schemes

Mohamed Rasslan∗

Abstract

In 2006, Hwang et al. presented a forgery attack against Tseng et al.'s efficient authenticated encryption schemes with message linkages for message flows. Moreover, they proposed some modified schemes to repair these flaws. In this paper, we show that the improved authenticated encryption schemes proposed by Hwang et al. are insecure by presenting another attack that allows a dishonest referee, dealing with a dispute, to decrypt all future and past authenticated ciphertexts exchanged between the contending parties. This attack proves that Hwang et al.'s schemes contradict the forward and backward confidentiality requirements of authenticated encryption schemes.

© 2013 The Authors. Published by Elsevier B.V. Selection and peer-review under responsibility of Elhadi M. Shakshuki.

Keywords: Authenticated encryption, confidentiality, non-repudiation, cryptanalysis.

1. Introduction

Typical authenticated encryption schemes guarantee confidentiality, authenticity (unforgeability) and non-repudiation properties [1, 2]. Several authenticated encryption schemes have been proposed in the literature to achieve these three essential requirements. Nyberg and Rueppel [1, 3] proposed the first authenticated encryption scheme with message recovery. To improve upon the communication and computation complexities of the original Nyberg and Rueppel scheme, several variants of authenticated encryption schemes have been proposed. For example, the schemes in [3, 4, 5] achieve these requirements, but they are costly in terms of their communication and computation overhead. On the other hand, schemes that simultaneously combine the authenticity and the confidentiality operations are more efficient [6]. For more details regarding efficient authenticated encryption schemes and their advantages and disadvantages, we refer the reader to [7, 8, 9, 10, 11, 12, 13].

Tseng et al. [6] proposed an efficient authenticated encryption scheme and its generalization, both with message linkages. The first scheme is a basic one that requires the recipient (verifier) to wait until she receives all of the signature blocks before she can recover any of the received message blocks. The second scheme is a generalized one that allows the recipient to recover the message blocks upon receiving their corresponding signature blocks. This makes it an attractive choice in many applications such as packet-switched networks. Unfortunately, Hwang et al. [14] showed that these authenticated encryption schemes do not fulfill the claims made about their integrity and authenticity properties. To overcome these security problems, Hwang et al. proposed a modification of these schemes [14].

In this paper, we show that the modified schemes proposed by Hwang et al. do not overcome the shortcomings of the original Tseng et al. schemes. In particular, we present an attack that allows the referee, dealing with a dispute, to decrypt all the authenticated traffic between the signer and the designated recipient of the authenticated ciphertext.

The remainder of this paper is organized as follows. In the next section, we briefly review the details of Hwang et al.'s schemes that are relevant to our attack. Our proposed attack is presented in Section 3. Finally, we offer concluding comments in Section 4.

∗ Corresponding author. Email address: [email protected] (Mohamed Rasslan)

1877-0509 © 2013 The Authors. Published by Elsevier B.V. Selection and peer-review under responsibility of Elhadi M. Shakshuki. doi:10.1016/j.procs.2013.06.075

2. Hwang et al. improved authenticated encryption schemes

In this section, we briefly review the relevant details of the authenticated encryption schemes proposed by Hwang et al. For further details about these schemes, the reader is referred to [14]. Similar to Tseng et al. [6], the improved schemes proposed by Hwang et al. consist of three phases: the system initialization phase, the signing phase, and the message recovery phase. Here, we focus only on the basic scheme, but our attack applies equally to the generalized scheme.

System Initialization Phase: The system authority (SA) selects a large prime $p$ such that $p - 1$ has a large prime factor $q$. The SA also picks an integer $g$ of order $q$ in $GF(p)$. Let $f(\cdot)$ be a secure one-way hash function. The SA publishes $p$, $q$, $g$ and $f(\cdot)$. Each user $U_i$ chooses a secret key $x_i \in \mathbb{Z}_q^*$ and computes the corresponding public key $y_i = g^{x_i} \bmod p$. To overcome the weaknesses in Tseng et al.'s scheme, Hwang et al. require the signer $U_a$ to send $t = g^k \bmod p$ in addition to $s$ and $r_1, r_2, \ldots, r_n$ to the verifier $U_b$. Hwang et al.'s scheme then proceeds as follows.

The Signing Phase: When the signer $U_a$ wants to send the authenticated encrypted message $M$ to a designated recipient $U_b$, she divides $M$ into the sequence $\{M_1, M_2, \cdots, M_n\}$, where $M_i \in GF(p)$. Then $U_a$ performs the following operations to generate the signature blocks for $M$:

(1) Pick a random number $k \in \mathbb{Z}_q^*$, set $r_0 = 0$, and compute $y_b^k \bmod p$ and $t = g^k \bmod p$.

(2) Compute

$$ r_i = M_i \cdot f(r_{i-1} \oplus y_b^k) \bmod p \quad (1) $$

for $i = 1, \ldots, n$, where $\oplus$ denotes the exclusive-or operator.

(3) Compute

$$ s = k - r \cdot x_a \bmod q \quad (2) $$

where $r = f(r_1 \| r_2 \| \cdots \| r_n)$ and $\|$ denotes the concatenation operator. Finally, $U_a$ sends the $(n + 2)$ signature blocks $(t, s, r_1, r_2, \ldots, r_n)$ to $U_b$ over the insecure channel.


The Message Recovery Phase: After the designated recipient $U_b$ receives all the signature blocks $(t, s, r_1, r_2, \ldots, r_n)$, she performs the following operations on them to recover the message blocks $\{M_1, M_2, \cdots, M_n\}$:

(1) Compute $r = f(r_1 \| r_2 \| \cdots \| r_n)$ and check whether

$$ t^{x_b} \stackrel{?}{=} y_b^s \cdot y_{ab}^r \bmod p \quad (3) $$

holds, where $y_{ab} = y_a^{x_b} \bmod p$. If it holds, $U_b$ moves to the second step. (Equation (3) holds for a genuine signature because $t^{x_b} = g^{k x_b}$, while $y_b^s \cdot y_{ab}^r = g^{x_b (k - r x_a)} \cdot g^{x_a x_b r} = g^{k x_b}$, the exponents being taken modulo $q$, the order of $g$.)

(2) Recover the message blocks $\{M_1, M_2, \cdots, M_n\}$ as

$$ M_i = r_i \cdot f(r_{i-1} \oplus t^{x_b})^{-1} \bmod p \quad (4) $$

for $i = 1, \ldots, n$ and $r_0 = 0$.

3. The proposed attack

In this section we introduce our attack on Hwang et al.'s schemes. Our attack shows that, when mediating a dispute, the involved third party (referee) can decrypt all future and past traffic between the contending parties.

Consider the case where a verifier $U_b$ wants to convince a third party (referee) that she is the designated recipient of the signature blocks that originated from the signer (encrypter) $U_a$. In other words, $U_b$ wants to achieve the property of non-repudiation. So, she reveals $t^{x_b}$ to the referee. Then $U_b$ proves (e.g. using a zero-knowledge protocol [15]) to the referee that the discrete logarithm of $t^{x_b} \cdot y_b^{-s} \bmod p$ to the base $y_a^r \bmod p$ equals the discrete logarithm of $y_b \bmod p$ to the base $g$. The correctness of this step follows by noting that

$$ \log_{y_a^r}\left(t^{x_b} \cdot y_b^{-s} \bmod p\right) = \log_{g^{x_a r}}\left(g^{k x_b} \cdot g^{-x_b (k - r x_a)} \bmod p\right) = \log_{g^{x_a r}} g^{x_b k - x_b k + x_b r x_a} = \log_{g^{r x_a}} g^{r x_a x_b} = x_b, \quad (5) $$

$$ \log_g \left(y_b \bmod p\right) = \log_g g^{x_b} = x_b. \quad (6) $$
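The paper leaves the zero-knowledge step unspecified and only points to [15]. As an added example (not code from the paper), the following Python model shows one standard way $U_b$ can carry it out: a Chaum-Pedersen proof that two discrete logarithms are equal, made non-interactive with a Fiat-Shamir challenge. Here $U_b$ proves $\log_g y_b = \log_{y_a^r}(t^{x_b} y_b^{-s})$, i.e. equations (5) and (6), without disclosing $x_b$. The toy group ($p = 2039$, $q = 1019$, $g = 4$), the use of SHA-256 for the challenge and all function names are assumptions made for the illustration; the group is far too small for real use.

```python
import hashlib
import secrets

# Toy public parameters (assumption: far too small for real use).  p = 2q + 1 is
# a safe prime, so the quadratic residue g = 4 has order q in GF(p).
p, q, g = 2039, 1019, 4


def challenge(*values: int) -> int:
    """Fiat-Shamir challenge: hash the statement and the commitments into Z_q."""
    data = b"".join(v.to_bytes(4, "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def prove_equal_dlog(x: int, base1: int, base2: int) -> tuple:
    """U_b's side: prove log_{base1}(base1^x) == log_{base2}(base2^x) == x
    without revealing x (Chaum-Pedersen proof, non-interactive)."""
    w = secrets.randbelow(q - 1) + 1            # fresh blinding nonce in Z_q^*
    a1, a2 = pow(base1, w, p), pow(base2, w, p)  # commitments
    h1, h2 = pow(base1, x, p), pow(base2, x, p)  # the two public values
    c = challenge(base1, h1, base2, h2, a1, a2)
    z = (w + c * x) % q                          # response; x stays hidden by w
    return a1, a2, z


def verify_equal_dlog(base1: int, h1: int, base2: int, h2: int, proof: tuple) -> bool:
    """Referee's side: accept iff base1^z == a1 * h1^c and base2^z == a2 * h2^c."""
    a1, a2, z = proof
    c = challenge(base1, h1, base2, h2, a1, a2)
    return (pow(base1, z, p) == a1 * pow(h1, c, p) % p
            and pow(base2, z, p) == a2 * pow(h2, c, p) % p)


def dispute(x_a: int, x_b: int, k: int, r: int) -> bool:
    """Model the dispute step: U_a signed with nonce k and hash value r,
    producing (t, s).  U_b reveals t^{x_b} and proves that
    log_{y_a^r}(t^{x_b} * y_b^{-s}) == log_g(y_b), i.e. equations (5) and (6)."""
    y_a, y_b = pow(g, x_a, p), pow(g, x_b, p)
    t, s = pow(g, k, p), (k - r * x_a) % q       # equation (2) with r given
    t_xb = pow(t, x_b, p)                         # the value U_b hands the referee
    base = pow(y_a, r, p)                         # y_a^r
    target = t_xb * pow(y_b, -s, p) % p           # t^{x_b} y_b^{-s} = (y_a^r)^{x_b}
    proof = prove_equal_dlog(x_b, g, base)        # prover uses x_b, never sends it
    return verify_equal_dlog(g, y_b, base, target, proof)


if __name__ == "__main__":
    print("referee accepts:", dispute(x_a=123, x_b=456, k=789, r=321))
```

The referee learns nothing about $x_b$ beyond what $t^{x_b}$ already reveals; as the rest of this section shows, that single value is already enough to break confidentiality.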

Also, the referee can compute $r' = f(r_1 \| r_2 \| \cdots \| r_n)$ herself and verify that $r' = r$. Knowing both $t^{x_b} \bmod p$ and the signature blocks $(t, s, r_1, r_2, \ldots, r_n)$, the referee is able to calculate $y_{ab} \bmod p$ as follows. First, she raises $y_b$ to $s$ and re-orders the exponents and bases:

$$ y_b^s = y_b^{k - r x_a} \bmod p = y_b^k \cdot y_{ab}^{-r} \bmod p. \quad (7) $$

By noting that

$$ y_b^k \bmod p = t^{x_b} \bmod p, \quad (8) $$

she then derives $y_{ab}^r$ as

$$ y_{ab}^r \bmod p = t^{x_b} \cdot y_b^{-s} \bmod p. \quad (9) $$

Finally, she calculates $y_{ab}$ as

$$ y_{ab} = \left(t^{x_b} \cdot y_b^{-s}\right)^{r^{-1}} \bmod p, \quad (10) $$

where $r^{-1}$ is the inverse of $r$ modulo $q$ (the order of $g$, and hence of $y_{ab}$), which exists whenever $r \not\equiv 0 \pmod q$. Note that $y_{ab} = g^{x_a x_b}$ is the static Diffie-Hellman value shared by $U_a$ and $U_b$; it does not depend on the nonce $k$ of the disputed message.

Later, the referee can intercept the traffic between $U_a$ and $U_b$. Hence, she can decrypt the signature blocks as follows:

(1) Assume that the new signature blocks are $(t', s', r'_1, \ldots, r'_n)$, where $t' = g^{k'} \bmod p$. The attacker (i.e., the dishonest former referee) calculates $r' = f(r'_1 \| r'_2 \| \cdots \| r'_n)$ and then calculates $(t')^{x_b} \bmod p$ as

$$ (t')^{x_b} = y_b^{s'} \cdot y_{ab}^{r'} \bmod p. \quad (11) $$

(2) The attacker recovers the message blocks $\{M_1, M_2, \cdots, M_n\}$ as

$$ M_i = r'_i \cdot f\left(r'_{i-1} \oplus (t')^{x_b}\right)^{-1} \bmod p \quad (12) $$

for $i = 1, \ldots, n$ and $r'_0 = 0$.

Note that neither step needs a secret key: $y_b$, $s'$, $r'$ and $t'$ are all public, and $y_{ab}$ was extracted during the dispute. Stored signature blocks from before the dispute are decrypted in exactly the same way.

The attack is correct for the following reason. First, the new signature is

$$ s' = k' - r' \cdot x_a \bmod q. \quad (13) $$

Moreover,

$$ (t')^{x_b} = g^{k' x_b} \bmod p = y_b^{k'} \bmod p. \quad (14) $$

Using Equation (13),

$$ \begin{aligned} y_b^{s'} \cdot y_{ab}^{r'} \bmod p &= g^{s' x_b} \cdot g^{r' x_a x_b} \bmod p \\ &= g^{x_b (k' - r' x_a)} \cdot g^{r' x_a x_b} \bmod p \\ &= g^{x_b k' - r' x_a x_b} \cdot g^{r' x_a x_b} \bmod p \\ &= g^{x_b k'} \bmod p \\ &= y_b^{k'} \bmod p. \end{aligned} \quad (15) $$
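As an added worked example (not code from the paper or from Hwang et al.), the following Python model implements the basic scheme reviewed in Section 2 (signing, equations (1)-(2); recovery, equations (3)-(4)) and then the referee attack of this section: extraction of $y_{ab}$ from the revealed $t^{x_b}$ via equations (9)-(10), and decryption of a later message via equations (11)-(12) without either secret key. Assumptions made for the illustration: a toy group $p = 2039$, $q = 1019$, $g = 4$ (far too small for real use); SHA-256 as the one-way hash, with the digest reduced into $1..p-1$ when used in equation (1) and into $1..q-1$ when used as $r$, so that the inverses the scheme and the attack need always exist; message blocks are single bytes; all function names are ours.

```python
import hashlib

# Toy public parameters (assumption: far too small for real use).  p = 2q + 1 is
# a safe prime, so the quadratic residue g = 4 has order q in GF(p).
p, q, g = 2039, 1019, 4
BLOCK_BYTES = (p.bit_length() + 7) // 8       # fixed width for r_i in r_1||...||r_n


def f(x: int) -> int:
    """One-way hash of equation (1), reduced into Z_p^* (1..p-1) so that its
    inverse mod p always exists.  Implementation choice: the paper only
    requires f to be a secure one-way hash."""
    data = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (p - 1) + 1


def hash_r(r_blocks: list) -> int:
    """r = f(r_1 || r_2 || ... || r_n), reduced into 1..q-1 so that it is an
    exponent mod q and invertible there (equation (10) needs r^{-1} mod q)."""
    data = b"".join(ri.to_bytes(BLOCK_BYTES, "big") for ri in r_blocks)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1


def sign(x_a: int, y_b: int, blocks: list, k: int) -> tuple:
    """Signing phase of U_a: returns (t, s, [r_1, ..., r_n]).  k is the
    per-message nonce from Z_q^*; every block M_i must lie in GF(p)."""
    assert all(0 <= m < p for m in blocks) and 0 < k < q
    y_bk = pow(y_b, k, p)                        # y_b^k mod p
    t = pow(g, k, p)                             # t = g^k mod p (added by Hwang et al.)
    r_blocks, r_prev = [], 0                     # r_0 = 0
    for m in blocks:
        r_prev = m * f(r_prev ^ y_bk) % p        # equation (1)
        r_blocks.append(r_prev)
    s = (k - hash_r(r_blocks) * x_a) % q         # equation (2)
    return t, s, r_blocks


def decrypt_blocks(t_xb: int, r_blocks: list) -> list:
    """Equations (4) and (12): M_i = r_i * f(r_{i-1} xor t^{x_b})^{-1} mod p."""
    out, r_prev = [], 0
    for r_i in r_blocks:
        out.append(r_i * pow(f(r_prev ^ t_xb), -1, p) % p)
        r_prev = r_i
    return out


def recover(x_b: int, y_a: int, t: int, s: int, r_blocks: list) -> list:
    """Message recovery phase of U_b (needs her secret key x_b)."""
    y_b, y_ab = pow(g, x_b, p), pow(y_a, x_b, p)
    t_xb = pow(t, x_b, p)
    if t_xb != pow(y_b, s, p) * pow(y_ab, hash_r(r_blocks), p) % p:  # equation (3)
        raise ValueError("signature blocks failed verification")
    return decrypt_blocks(t_xb, r_blocks)


def referee_extract_y_ab(y_b: int, t: int, s: int, r_blocks: list, t_xb: int) -> int:
    """Dispute: U_b revealed t^{x_b}.  Equations (9) and (10) give the referee
    y_ab = g^{x_a x_b} without either secret key."""
    r = hash_r(r_blocks)
    y_ab_r = t_xb * pow(y_b, -s, p) % p          # y_ab^r, equation (9)
    return pow(y_ab_r, pow(r, -1, q), p)         # inverse of r taken mod q, equation (10)


def attacker_decrypt(y_ab: int, y_b: int, t: int, s: int, r_blocks: list) -> list:
    """Any later (or stored earlier) message: equation (11) rebuilds t^{x_b}
    from public values plus y_ab, then equation (12) decrypts."""
    t_xb = pow(y_b, s, p) * pow(y_ab, hash_r(r_blocks), p) % p
    return decrypt_blocks(t_xb, r_blocks)


def demo() -> bytes:
    """Constructed scenario: one disputed message, then one later message."""
    x_a, x_b = 123, 456                          # toy secret keys in Z_q^*
    y_a, y_b = pow(g, x_a, p), pow(g, x_b, p)
    # Message blocks are single bytes here (every byte value lies in GF(p)).
    t, s, rb = sign(x_a, y_b, list(b"disputed message"), k=789)
    assert bytes(recover(x_b, y_a, t, s, rb)) == b"disputed message"
    # In the dispute U_b reveals t^{x_b}; the referee keeps y_ab for later.
    y_ab = referee_extract_y_ab(y_b, t, s, rb, pow(t, x_b, p))
    assert y_ab == pow(y_a, x_b, p)
    # Fresh nonce, fresh message: the ex-referee decrypts it without x_b.
    t2, s2, rb2 = sign(x_a, y_b, list(b"later traffic"), k=321)
    return bytes(attacker_decrypt(y_ab, y_b, t2, s2, rb2))


if __name__ == "__main__":
    print(demo())
```

The design point the code makes concrete is that $t^{x_b}$ is not a per-message secret: dividing out the public $y_b^s$ and taking the $r$-th root modulo $q$ turns it into the long-term value $g^{x_a x_b}$, after which every message between the two parties, under any nonce, reduces to the public computation in `attacker_decrypt`.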

As demonstrated above, targeting the non-repudiation property allows the referee to decipher the ciphertext between $U_a$ and $U_b$. The same attack applies to the generalized form of Hwang et al.'s scheme.

4. Conclusion

The improved authenticated encryption schemes proposed by Hwang et al. fail to simultaneously satisfy both the confidentiality and the non-repudiation properties. In particular, as illustrated by our attack, a dishonest arbitrator is able to decrypt all future, as well as past, communications between the contending parties. Further research is needed to improve upon the security features of both of these schemes.


References

[1] K. Nyberg, R. Rueppel, A new signature scheme based on the DSA giving message recovery, in: 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, 1993, pp. 58–61.
[2] M. Lee, D. Kim, K. Park, An authenticated encryption scheme with public verifiability, in: Japan-Korea Joint Workshop on Algorithms and Computation (WAAC2000), 2000, pp. 49–56.
[3] K. Nyberg, R. Rueppel, Message recovery for signature schemes based on the discrete logarithm, in: Advances in Cryptology, Eurocrypt'94, 1994, pp. 175–190.
[4] L. Kohnfelder, On the signature reblocking problem in public-key cryptosystems, Communications of the ACM 21 (2) (1978) 179.
[5] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (2) (1978) 120–126.
[6] Y.-M. Tseng, J.-K. Jan, H.-Y. Chien, Authenticated encryption schemes with message linkages for message flows, Computers and Electrical Engineering 29 (1) (2003) 101–109.
[7] K. Chen, Authenticated encryption schemes based on quadratic residue, Electron. Lett. 34 (22) (1998) 2115–2116.
[8] M.-S. Hwang, C.-C. Chang, K.-F. Hwang, An ElGamal-like cryptosystem for enciphering large messages, IEEE Trans. Knowl. Data Eng. 14 (2) (2002) 445–446.
[9] M.-S. Hwang, C.-Y. Liu, Authenticated encryption schemes: Current status and key issues, Int. J. Network Security 1 (2) (2005) 61–73.
[10] C.-L. Hsu, T.-C. Wu, Authenticated encryption schemes with (t, n) shared verification, IEE Proc. Comput. Digit. Tech. 145 (2) (1998) 117–120.
[11] W.-B. Lee, C.-C. Chang, Authenticated encryption schemes without using a one way function, Electron. Lett. 31 (19) (1995) 1656–1657.
[12] K. Nyberg, R. Rueppel, Message recovery for signature schemes based on the discrete logarithm, Des. Codes Cryptogr. 7 (1-2) (1996) 61–81.
[13] T.-S. Wu, T.-C. Wu, W.-H. He, Authenticated encryption schemes with double message linkage, in: Proc. 9th National Conference on Information Security, R.O.C., 1999, pp. 303–308.
[14] M.-S. Hwang, J.-Y. Hsiao, Y.-P. Chu, Improvement of authenticated encryption schemes with message linkages for message flows, IEICE Trans. Inf. and Syst. E89-D (4) (2006) 1575–1577.
[15] J. Boyar, D. Chaum, I. Damgård, T. Pedersen, Convertible undeniable signatures, in: Crypto'90, 1991, pp. 189–205.
