Cryptanalysis and improvements of an efficient certificate-based proxy signature scheme for IIoT environments

https://doi.org/10.1016/j.ipl.2021.106170

Highlights

  • Revisit the adversary's ability defined in a recent pairing-free certificate-based proxy signature (PFCBPS) scheme.

  • Show that the PFCBPS scheme is insecure against an adversary who can replace the proxy signer's public key.

  • Discuss the related reason for our attack and provide an improved scheme PFCBPS+.

Abstract

Recently, Verma et al. (2020) [10] proposed the first pairing-free certificate-based proxy signature (PFCBPS) scheme for IIoT environments. They defined two kinds of adversaries in the PFCBPS scheme and proved that their construction was secure against Type I and Type II adversaries under a standard cryptographic assumption in the random oracle model. In this work, we revisit adversaries' abilities defined by Verma et al. and show that the PFCBPS scheme cannot resist the signature forgery attack performed by a malicious proxy signer (a weak Type II adversary). As a result, the above signature scheme cannot be deployed in practical IIoT applications. Moreover, we discuss the reason for such an attack and provide an improved scheme PFCBPS+.

Introduction

The increasing development of the Internet of things (IoT) technology has brought great convenience to the world in recent years. For example, patients equipped with smart devices can track and monitor their physiological data and enjoy real-time telemedicine services; mobile payments can save people's time and energy to promote greater personal productivity. According to Statista's forecast, the number of internet-connected things worldwide will rise to more than 25.4 billion in 2030 [1].

The widespread deployment and expansion of IoT devices in the industry have promoted the emergence of the Industrial Internet of Things (IIoT), enabling companies to have lower quality management costs and higher operator productivity. In an IIoT system, in practice, each device has its own identity and has the ability of sensing, computing, and communication. As these devices are collecting, processing, and exchanging large amounts of valuable data, they are becoming the goldmine of data for malicious attackers. For example, data tampering attacks may cause medical service providers to misdiagnose patients in medical IIoT systems and may lead to wrong business decisions in manufacturing IIoT systems. Therefore, data security is a big concern in IIoT applications.

Historically, to ensure that data comes from the claimed owner and has not been unintentionally or maliciously modified in transit, various types of signature schemes [4], [13] have been proposed for IIoT systems.

Certificate-based signature (CBS) [5] is an attractive paradigm for resource-constrained IIoT environments (e.g., devices with limited computation and storage power). This kind of signature stems from the idea of certificate-based encryption (CBE) introduced by Gentry [2] and simultaneously solves the certificate management problem of traditional public-key signature schemes and the key escrow problem of identity-based signature schemes. A comprehensive introduction to CBS was presented in [11]. On the other hand, as introduced by Mambo et al. [8], the proxy signature is a meaningful primitive for ensuring service availability. In this primitive, an original signer delegates his/her signing right to a proxy signer so that the latter is allowed to sign messages on behalf of the former [12].

Combining the merits of both, Kang et al. [5] first proposed the concept of certificate-based proxy signature (CBPS) and provided a concrete construction in the random oracle (RO) model. However, Li et al. [6] pointed out that the scheme in [5] cannot resist the key replacement attack and further proposed two CBPS schemes. Huang et al. [3] analyzed the relationship between CBSs and proxy signatures and put forward a generic construction of CBPS from CBS schemes. Besides, Verma et al. [9] proposed a CBPS scheme with a short signature size, thereby requiring less communication overhead than previous constructions. However, all the above CBPS schemes are pairing-based constructions [7], which incur expensive computation costs and hence are not suitable for constrained signers.

To reduce costly pairing operations, recently, Verma et al. [10] presented the first pairing-free CBPS (PFCBPS) scheme for IIoT environments. The authors discussed the related security model and proved its security in the RO model, assuming that the elliptic curve discrete log problem (ECDLP) is hard.

Contributions. In this work, we find that the PFCBPS scheme cannot achieve unforgeability, a vital security property that a signature scheme should provide. Specifically, Verma et al. defined two types of adversaries: the Type I adversary controls both the certification officer (CO) and the original signer; the Type II adversary controls both the CO and the proxy signer. We first show that this coarse classification does not sufficiently reflect the adversary's ability. Instead, we divide the adversaries into six types according to their different abilities. We then show that the PFCBPS scheme cannot resist the attack from a Type 4 adversary (i.e., a weak Type II adversary in Verma et al.'s terminology) who can replace the proxy signer's public key. Therefore, the insecure PFCBPS scheme cannot be deployed in practical IIoT applications. Moreover, we discuss the reason for the attack and provide improvements to prevent it, including a modified scheme PFCBPS+.

The remainder of the paper is organized as follows: We review Verma et al.'s PFCBPS scheme, analyze its security, and present our improved construction in Sec. 2. Conclusions are drawn in Sec. 3.

Review of Verma et al.'s PFCBPS scheme

In [10], four entities are involved in the PFCBPS model for IIoT environments, including the cloud server (CS), the CO, the data owner, and the end-user:

  • CS: The CS works as a medium between CO, the data owner, and the end-user. It transfers the signed data from source to receiver.

  • CO: Its primary responsibility is to generate system parameters and certify users' identity and public keys.

  • Data owner: A data owner can be a system administrator, a manager, a supervisor, and a sensor-embedded smart

Conclusions

Recently, Verma et al. put forward the first pairing-free certificate-based proxy signature (PFCBPS) scheme for IIoT environments. They discussed the related security model and proved the security of their construction in the RO model under the hardness assumption of ECDLP. However, after reviewing their scheme and analyzing its security, we find that the PFCBPS scheme cannot achieve unforgeability as they claimed. Specifically, we first show that the brief classification of two types of

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgement

This work is supported by the project ‘Privacy-preserving Cloud Data Mining-as-a-Service’ (LP160101766), Privacy-Preserving Online User Matching (DP180103251), and the Data61 collaborative research project - ‘Enhancing Security and Privacy of IoT’. The work has been partially supported by the Cyber Security Research Centre Limited whose activities are partially funded by the Australian Government's Cooperative Research Centres Programme.
