ON THE SECURITY OF TWO RING SIGNCRYPTION SCHEMES
S. Sree Vivek
∗
, S. Sharmila Deva Selvi and C. Pandu Rangan
⋆
Theorectical Computer Science Lab, Department of Computer Science
Indian Institute of Technology Madras, Chennai-600036, India
Keywords:
Identity-based, Ring signcryption, Bilinear pairing, Cryptanalysis.
Abstract:
Ring signcryption is a cryptographic primitive, that allows an user to send a message in confidential, authentic
and anonymous way, i.e. the recipient of the message is convinced that the message is valid and it comes
from one of the ring member, but does not know the actual sender. In this paper, we show attacks on ring
signcryption schemes by Li et al. (Li et al., 2008b) and Chung et al. (Chung et al., 2006). We demonstrate
anonymity and confidentiality attack on the scheme by Li et al. (Li et al., 2008b) and confidentiality attack on
the scheme by Chung et al. (Chung et al., 2006).
1 INTRODUCTION
Ring signature is a cryptographic primitive that en-
ables an user to sign a message in an anonymous way
by forming a ring(group) of users. The user forms
the ring without getting any acceptance or acknowl-
edgment from the users included in the ring. The
verifier of the ring signature will get convinced that
the signature is generated by one of the ring mem-
bers without knowing which ring member has actu-
ally generated the signature. This primitive was first
introduced by Rivest et al. (Rivest et al., 2001). Due
to its elegance and wide spread application, ring sig-
natures have widely attracted the research commu-
nity. Since its introduction in 2001, a lot of ring sig-
nature schemes were proposed (Rivest et al., 2001)
(Abe et al., 2002) (Zhang and Kim, 2002) (Herranz
and S´aez, 2004) (Bender et al., 2006).
Message security and sender authentication for com-
munication in the open channel is an essential and
important requirement. A technique for answering
such a requirement was proposed by Yulien Zheng in
1997 (Zheng, 1997). The solution given by Zheng
achieves confidentiality and authentication in single
logical step called signcryption. After the develop-
ment of signcryption primitive, a number of efficient
signcryption schemes were proposed in literature till
date.
∗
Work supported by Project No. CSE/05-
06/076/DITX/CPAN on Protocols for Secure Commu-
nication and Computation sponsored by Department of
Information Technology, Government of India
In scenarios where a user want to communicate a
message confidentially with sender authentication and
without disclosing his identity, ring signcryption is a
good solution which achieves this functionality in an
efficient way. Ring signcryption is a primitive which
offers the services providedby both ring signature and
signcryption. A number of ring signcryption schemes
(Huang et al., 2005) (Yu Fang Chung, 2008) (Wang
et al., 2007) (Yu et al., 2008) (Zhang et al., 2008)(Li
et al., 2008b) (Li et al., 2008a) (Zhun and Zhang,
2008) (Zhang et al., 2009) were proposed in the re-
cent past.
In this paper, we show the security weaknesses in the
identity-based ring signcryption scheme by Li et al.
(Li et al., 2008b) and the PKI based ring signcryption
scheme by Chun et al. (Chung et al., 2006). First, we
review Li et al. scheme (Li et al., 2008b) in section
3.1. Next, We show the attack on confidentiality of
Li et al.’s scheme in section 3.2.2 and the attack on
anonymity of Li et al.’s scheme in section 3.2.1. Then,
we review Chung et al.’s scheme in section 4.1. Also,
we demonstrate the attack on anonymity of Chung et
al.’s scheme in section 4.2.
Bilinear Pairing. Since both the schemes are based
on bilinear pairing, we review the basis of bilinear
pairing.
Let G
1
be an additive cyclic group generated by P,
with prime order q, and G
2
be a multiplicative cyclic
group of same order q. A bilinear pairing is a map
ˆe : G
1
× G
1
→ G
2
with the following properties.
• Bilinearity. For all P, Q, R ∈ G
1
,
219
Sree Vivek S., Deva Selvi S. and Rangan C. (2009).
ON THE SECURITY OF TWO RING SIGNCRYPTION SCHEMES.
In Proceedings of the International Conference on Security and Cryptography, pages 219-224
DOI: 10.5220/0002205702190224
Copyright
c
SciTePress
– ˆe(P+ Q, R) = ˆe(P, R) ˆe(Q, R)
– ˆe(P, Q+ R) = ˆe(P, Q) ˆe(P, R)
– ˆe(aP, bQ) = ˆe(P, Q)
ab
• Non-Degeneracy. There exist P,Q ∈ G
1
such that
ˆe(P, Q) 6= I
G
2
, where I
G
2
is the identity element of
G
2
.
• Computability. There exists an efficient algorithm
to compute ˆe(P, Q) for all P, Q ∈ G
1
.
2 IDENTITY-BASED RING
SIGNCRYPTION SCHEME
(IBRSS)
2.1 Generic Scheme
A generic identity-based ring signcryption scheme
consists of the following four algorithms.
Let U be the set of ring members and U
ψ
∈ U be the
actual sender.
• Setup(κ). Given a security parameter κ, the pri-
vate key generator (PKG) uses this algorithm to
generate the master private key Msk and system
public parameters params. Here the params are
made public to the user and Msk is kept secret by
the PKG.
• Extract(ID
i
). Given an identity ID
i
by user U
i
to
PKG, the PKG uses this algorithm to generate the
corresponding private key S
i
. PKG sends the pri-
vate key S
i
to ID
i
through a secure channel.
• Signcrypt(m, U ={ID
1
, . . . , ID
n
}, ID
ψ
, S
ψ
, ID
B
)
. On input of a message m ∈ M , a set of ring
members U , the identity of the actual sender
ID
ψ
, the private key S
ψ
of the actual sender ID
ψ
,
the receiver identity ID
B
to this algorithm by the
actual sender ID
ψ
, this algorithm outputs the ring
signcryption σ of message m from U to U
B
.
• Unsigncrypt(σ, U , ID
B
, S
B
). On providing the
ring signcryption σ, the set of ring members U ,
the receiver identity ID
B
and the private key of
the receiver S
B
as input to this algorithm by ID
B
,
the Unsigncrypt algorithm recovers the plaintext
m, if σ is a valid signcryption of m from U to ID
B
and outputs m to the user with identity ID
B
. Else,
the algorithm outputs “INVALID”.
We further assume that the validity of the consistency
constraint that, if σ = Signcrypt(m, U , ID
ψ
, S
ψ
, ID
B
),
then m = Unsigncrypt (σ, ID
B
, S
B
).
2.2 Security Model
In this section we formally define the security model
for identity-based ring signcryption scheme.
Confidentiality:
An identity-based ring signcryption (IBRSS) is indis-
tinguishable against adaptive chosen ciphertext attack
(IND-IBRSS-CCA2) if there exists no polynomially
bounded adversary that has non-negligible advantage
in the following game:
1. Setup Phase. The challenger C runs the Setup al-
gorithm with the security parameter κ and sends
the system parameters params to the adversary
A and keeps the master private key Msk secret.
A chooses a target identity ID
T
and gives ID
T
to C . It is assumed that A never queries the
KeyExtractOracle for the private key of ID
T
dur-
ing the entire confidentiality game.
2. First Phase. During the FirstPhase of training A
makes polynomially bounded number of requests
to the oracles controlled by C . The description
of the oracles and the responses provided by the
oracles in the first phase are listed below:
• Key Extract Oracle. A submits an identity ID
i
to C and requests the private key of ID
i
. C re-
turns the private key S
i
of ID
i
to A .
• Signcrypt Oracle. A submits a message m, a set
of ring members U , the actual sender ID
ψ
∈ U ,
a receiver identity ID
B
to C . C generates σ,
the ring signcryption of m from U to ID
B
and
returns σ to A .
• Unsigncrypt Oracle. A produces a ring sign-
cryption σ, the set of ring members U , a re-
ceiver identity ID
B
to C . The challenger C re-
trieves the private key S
B
= Keygen(ID
B
) and
recovers m from σ and checks whether σ is a
valid ring signcryption of m from U to ID
B
. If
σ is valid then C returns m to A . Else, C returns
“INVALID” to A .
A adaptively queries all the above oracles, i.e.
the current oracle requests may depend on the
responses obtained from the previous oracle
queries.
3. Challenge. A chooses two plaintext {m
0
, m
1
} ∈
M , a set of n ring members U and the tar-
get receiver identity ID
T
(chosen by A during the
SetupPhase on which A wants to be challenged)
and give this to C . C now chooses a bit b ∈
R
{0, 1}
and computes the challenge ring signcryption σ
∗
of m
b
from U to ID
T
. C sends σ to A .
SECRYPT 2009 - International Conference on Security and Cryptography
220
4. Second Phase. A performs polynomially
bounded number of oracle queries as in
FirstPhase, with the restrictions that,
• A cannot make KeyExtract query for any user
in the ring U .
• A cannot make KeyExtract query for ID
T
.
• A should not query for Unsigncrypt oracle
with (σ
∗
, U , ID
T
) as input.
5. Guess. Finally, A produces a bit b
′
and wins the
game if b
′
= b. The success probability of A is
defined as,
Succ
IND−IBRSS−CCA2
A
(κ) =
1
2
+ ε
We require that ε to be negligible with respect to κ
and ε is called the advantage for the adversary in the
attack.
Unforgeability:
An identity-based ring signcryption scheme (IBRSS)
is said to be existentially unforgeable against adaptive
chosen messages attacks (EUF-IBRSS-CMA) if no
polynomially bounded adversary has a non-negligible
advantage in the following game:
1. Setup Phase. The challenger C runs the Setup al-
gorithm with a security parameter κ and gener-
ates the system parameters params and the mas-
ter private key Msk. C gives the system param-
eters to the adversary A and keeps Msk secret.
A then chooses a set of ring members U
T
=
{U
1
,U
2
, . . . ,U
n
∗
} and gives U
T
to C . It should
be noted that A is not allowed to query the private
key of ring members U
T
.
2. Training Phase. After the SetupPhase, A per-
forms a polynomially bounded number of ora-
cle queries as in FirstPhase of section 2.2. The
queries may be adaptive, i.e. the current query
may depend on the responses to the previous ora-
cle queries.
3. Forgery. After getting sufficient training from
C , A produces new (σ, U , ID
B
) (i.e. σ was
not produced by the signcryption oracle), where
the private key of ID
B
) was not queried in the
TrainingPhase. A wins the game if the result of
the Unsigncrypt (σ, U , ID
B
) is some message m
and σ is a valid signcryption of m ∈ M from the
ring U
T
to ID
B
.
3 LI ET AL. RING
SIGNCRYPTION SCHEME (Li
et al., 2008b) (LRSS)
3.1 Review of the Scheme
Li et al. given an efficient identity-based ring
signcryption scheme in (Li et al., 2008b). This
scheme does not use any pairing computation in
ring signcryption generation and uses only two
pairing for ring unsigncryption. This scheme is
identity-based and it comprises of four algorithms
namely: LRSS.Setup, LRSS.Extract, LRSS.Signcrypt
and LRSS.Unsigncrypt, which we describe below.
• LRSS.Setup. The setup algorithm is run by the
PKG. Given a security parameter κ as input, this
algorithm performs the following,
– Chooses G
1
an additivecyclic group, G
2
a mul-
tiplicative cyclic group, both of the same prime
order q, ˆe an admissible bilinear pairing given
by ˆe : G
1
× G
1
→ G
2
. Defines three hash func-
tions H
1
: {0, 1}
∗
→ G
1
, H
2
: G
2
→ {0, 1}
n
1
and H
3
: {0, 1}
∗
→ Z
∗
q
. Chooses master pri-
vate key s ∈
R
Z
∗
q
(Msk = s) and sets master pub-
lic key P
pub
= sP, where P is a generator of
G
1
. Also, chooses a secure symmetric cipher
(E, D). The system parameters params are
(G
1
, G
2
, n
1
, ˆe, q, P, P
pub
, E, D, H
1
, H
2
, H
3
).
• LRSS.Extract. The PKG on getting the identity of
any user ID
A
as input, computes the private/public
key pair hQ
A
, S
A
i as,
– Public key Q
A
= H
1
(ID
A
) ∈ G
1
.
– private key S
A
= sQ
A
.
– PKG sends S
A
to the user through secure chan-
nel.
• LRSS.Signcrypt. User ID
ψ
for generating a ring
signcryption provides the message m, the set of
ring members U ={U
1
,U
2
,...,U
n
}, the identity of
the actual sender ID
ψ
∈ U , the private key S
i
of
ID
ψ
and the receiver identity ID
B
as input to the
LRSS.Signcrypt algorithm. This algorithms gen-
erates a valid ring signcryption on m with ring
members U as senders and ID
B
as receiver. This
is done by performing,
– Chooses r
ψ
∈
R
Z
∗
q
and computes X = r
ψ
Q
ψ
.
– Computes k = H
2
( ˆe(r
ψ
S
ψ
, Q
B
).
– Computes c = E
k
(m).
– For all i ∈ {1, 2, .. . , n}, i 6= ψ, chooses a
i
∈
R
Z
∗
q
,
computes R
i
= a
i
P and h
i
=H
3
(ckU kR
i
).
– Computes R
ψ
= X −
∑
n
i=1,i6=ψ
{R
i
+ h
i
Q
i
}.
ON THE SECURITY OF TWO RING SIGNCRYPTION SCHEMES
221
– Computes h
ψ
= H
3
(ckU kR
ψ
) and V =
(h
ψ
+r
ψ
)S
ψ
.
– Finally, the LRSS.Signcrypt algo-
rithm output the ring signcryption
σ = {U , X, c,
S
n
i=1
{R
i
},V} to ID
ψ
.
• LRSS.Unsigncrypt. For unsigncrypting any ring
signcryption σ = {U , X, c,
S
n
i=1
{R
i
},V} from
ID
ψ
to ID
B
, the receiver ID
B
provides the
ring signcryption σ, the receiver identity ID
B
,
private key §
B
of receiver ID
B
as input to
LRSS.Unsigncrypt algorithm. Unsigncryption is
carried out by doing the computations given be-
low:
– Computes k
′
= H
2
( ˆe(X, S
B
)).
– Recovers the message m = D
′
k
(c).
– Computes h
i
=H
0
(ckU kR
i
) for all i ∈ {1, 2, ..n}.
– Checking whether ˆe(P
pub
,
∑
n
i=1
(R
i
+ h
i
Q
i
))
?
=
ˆe(P,V).
– Returns the message m if σ is a valid signcryp-
tion on message m from ID
ψ
to ID
B
. Else, re-
turn “INVALID”.
3.2 Attacks on the Identity-based Ring
Signcryption Scheme LRSS
This section demonstrates two different attacks on (Li
et al., 2008b). The first attack is on the anonymity of
the and is given in section 3.2.1. The second attack is
on the confidentiality the scheme and the details are
given in 3.2.2.
3.2.1 Attack on Anonymity
We show that the ring signcryption scheme LRSS
does not provide anonymity. Any passive ob-
server including the receiver, who is in posses-
sion of a ring signcryption can identify the sender
in this scheme. This can be demonstrated as
follows, Let m be any message and σ = {U =
{ID
1
, ID
2
, . . . , ID
n
}, X, c,
S
n
i=1
{R
i
},V} be the ring
signcryption on m from the ring U to ID
B
and ID
ψ
∈
U be the actual sender. On seeing the ring signcryp-
tion σ anyone can do the following operations to iden-
tify the actual sender ID
ψ
∈ U . It is to be noted that
the private key of any ID
i
∈ U or ID
B
is not required
during this computation.
Anyone can do the following to identify the actual
signer in the ring. For all values of i (i = 1 to n) per-
form the following.
h
i
= H
3
(ckU kR
i
), (c, U , R
i
are taken from the
cipher-text).
Check whether ˆe(V, P)
?
= ˆe(h
i
Q
i
+ X, sP). (1)
If the check holds for some value of i then ID
i
is the
actual sender.
The following Lemma1 and Lemma2 will prove that
the test given above (equation (1)) is valid.
Lemma 1. Let H
ψ
= X +h
ψ
Q
ψ
where U
ψ
is the actual
signer. Let R
′
= ˆe(V, P), then R
′
= ˆe(H
ψ
, P
pub
).
Proof.
H
ψ
= X + h
ψ
Q
ψ
= (r
ψ
+ h
ψ
)Q
ψ
and
R
′
= ˆe(V, P)
= ˆe((r
ψ
+ h
ψ
)S
ψ
, P)
= ˆe((r
ψ
+ h
ψ
)Q
ψ
, P
pub
)
= ˆe(H
ψ
, P
pub
Lemma 2. Let H
i
= X + h
i
Q
i
where U
i
∈ U is the
not the actual signer. Let R
′
= ˆe(V, P), then R
′
6=
ˆe(H
i
, P
pub
).
Proof.
H
ı
= X + h
i
Q
i
= r
ψ
Q
ψ
+ h
i
Q
i
and
R
′
= ˆe(V, P)
= ˆe((r
ψ
+ h
ψ
)S
ψ
, P)
= ˆe((r
ψ
+ h
ψ
)Q
ψ
, P
pub
)
6= H
i
From Lemma1 and Lemma2 it is clear that R
′
= H
i
iff
i = ψ.
3.2.2 Attack on Confidentiality
The LRSS is not CCA2 secure. As per the se-
curity model of (Li et al., 2008b), during the
ChallengePhase of confidentiality game, the adver-
sary A provides two messages m
0
and m
1
and a set
of ring members U = {ID
1
, ID
2
, . . . , ID
n
} including
the actual sender ID
ψ
to C (Note that A does not
know the actual sender ID
ψ
). C selects randomly
a bit b and builds the challenge ring signcryption
σ = {U , X, c,
S
n
i=1
{R
i
},V} on message m
b
from the
ring U to ID
T
. A is given access to the secret key of
all users, except the target receiver ID
T
and members
of the ring U . Now, A can perform the following,
• Set X
∗
= X and c
∗
= c.
• Form a new ring U
∗
= {U
1
,U
2
. . . ,U
t
} with the
property U
∗
* U and also A knows the secret key
of at least one U
j
, j ∈ {1, 2,. . . ,t}. Let U
ψ∗
be a
user from ring U
∗
, for which A knows the private
key.
• For all j ∈ {1, 2, .. . ,t}, j 6= ψ
∗
, A chooses a
j
∈
R
Z
∗
q
, computes R
j
= a
j
P and h
j
=H
3
(ckU kR
j
).
SECRYPT 2009 - International Conference on Security and Cryptography
222
• Chooses a random r
ψ
∗
∈ Z
∗
q
and computes R
ψ
∗
=
r
ψ
∗
Q
ψ
∗
−
∑
n
j=1,2, j6=ψ
∗
{R
j
+ h
j
Q
j
}.
• Computes h
ψ
∗
= H
3
(ckU kR
ψ
) and V∗ =
(h
ψ
∗
+r
ψ
∗
)S
ψ
∗
.
• Sets σ
∗
= {U
∗
, X
∗
, c
∗
,
S
t
j=1
{R
j
},V
∗
}.
• σ
∗
is entirely different from the challenge
signcryption σ and hence A can request the
Unsigncrypt oracle for the unsigncryption of σ
∗
as if σ
∗
is a signcryption of m
b
from ring U
∗
to
receiver ID
T
.
The challenger will correctly respond with m
b
.
Hence, A can exactly find whether σ is a signcryption
of m
0
or m
1
without solving any hard problem. Thus,
breaking the confidentiality of the Li et al.’s identity-
based ring signcryption scheme.
Correctness of σ
∗
:
ˆe(P
pub
,
∑
t
j=1
(R
j
+ h
j
Q
j
)) = ˆe((r
ψ
∗
+ h
ψ
∗
)Q
ψ∗
, P
pub
)
= ˆe((r
ψ
∗
+ h
ψ
∗
)S
ψ∗
, P)
= ˆe(V
∗
, P)
4 CHUNG ET AL.’S ANONYMOUS
SIGNCRYPTION SCHEME
(CAS)
In this section, we review the anonymous signcryp-
tion scheme given by Chung et al. (Chung et al.,
2006) and demonstrate an attack on confidentiality of
the scheme in (Chung et al., 2006).
4.1 Review of the Scheme
Let q denote a large prime number, E denote an
elliptic curve, P denote a base point on the ellip-
tic curve E with order q and H denote a dispersed
row function with collision resistance, where q, E, P
and H are public parameters, and Z
q
is a finite field
with q elements. Let U be the ring formed by
(U
1
,U
2
, . . . ,U
n
) , the private keys ofU
1
,U
2
, . . . ,U
n
are
d
1
, d
2
, . . . , d
n
respectively. The corresponding pub-
lic keys Q
1
, Q
2
, . . . , Q
n
satisfies Q
i
= d
i
P, where i =
1, 2, .. ., n. The private and public keys of verifier U
v
are d
v
and Q
v
= d
v
P respectively.
CAS.Signcrypt: For sending a ring signcryption
on a message m, from a ring U = {U
1
,U
2
, . . . ,U
n
}
with U
ψ
∈ U as actual sender and U
v
as receiver,
U
ψ
performs the following,
• Randomly selects r, k ∈
R
[1, q− 1]
• Calculates (x
ψ
, y
ψ
) = T
i
= kP, (x
r
, y
r
) = R = rP,
and (x
e
, y
e
) = T
e
= rQ
v
.
• When t = 1 and t − 1 = n, let t = ψ + 1, ψ +
2, . . ., n, 1, . . . ,ψ − 1, select s
t
∈
R
[1, q− 1] and
compute c
t
= H(m||x
t−1
) and (x
t
, y
t
) = T
t
=
s
t
P+ c
t
Q
t
.
• Compute c
ψ
= H(mkx
ψ−1
) and s
ψ
= k −
d
ψ
c
ψ
(modq).
• m
′
= E
x
e
(m), here x
e
acts as a symmetric key.
• sends the encrypted text σ =
(m
′
, c
1
, s
1
, s
2
, . . . , s
n
, R) to the verifier U
v
.
CAS.Unsigncrypt: On receiving a ring signcryp-
tion σ = (m
′
, c
1
, s
1
, s
2
, . . . , s
n
, R), the receiver U
v
to unsigncrypt σ uses his secret key d
v
and per-
form the following computations,
• Let (x
r
, y
r
) = R, calculates (x
d
, y
d
) = d
v
R and
m
′′
= E
x
d
(m
′
).
• Let t = 1, 2, . . . , n − 1, calculate (x
t
, y
t
) = T
t
=
s
t
P+ c
t
Q
t
and c
t+1
= H(m
′′
kx
t
).
• VerifierU
v
calculates (x
n
, y
n
) = T
n
= s
n
P+ c
n
Q
n
and c
′
1
= H(m
′′
kx
n
).
• If c
′
1
= c
1
then σ = (m
′
, c
1
, s
1
, s
2
, . . . , s
n
, R)
is a valid anonymous signcryption from the
group U = (U
1
,U
2
, . . . ,U
n
); otherwise, return
“INVALID”.
4.2 Attack on Chung et al. Scheme
(CAS)
In this section we demonstrate the attack on confiden-
tiality of Chung et al. Scheme (Chung et al., 2006).
4.2.1 Attack on Confidentiality
The anonymous signcryption scheme CAS is not
CCA2 secure. The attack on confidentiality is also
similar to the attack proposed in 3.2.2. During the
challenge phase of the confidentiality game of the
ring signcryption scheme, the adversary A provides
two messages m
0
and m
1
, receiver U
v
and a set of
ring members U = {U
1
,U
2
, . . . ,U
n
} including the
actual sender U
ψ
to C . C selects randomly a bit
b and generates the challenge ring signcryption σ
= (m
′
, c
1
, s
1
, s
2
, . . . , s
n
, R) on message m
b
. Here, A
does not know the private key of the target user
U
v
and the private key of the ring members U =
{U
1
,U
2
, . . . ,U
n
}. A generates a valid signcryption σ
∗
with a new set of ring member U
∗
= {U
1
,U
2
, . . . ,U
t
}
from the challenge signcryption σ as given below,
• Let U
ψ
∗
∈ U
∗
be the actual sender and A knows
the private key d
ψ
∗
corresponding to U
ψ
∗
.
• Sets R
∗
= R and (x
∗
e
, y
∗
e
) = T
∗
e
= T
e
.
• Calculates (x
ψ
∗
, y
ψ
∗
) = T
i
= k
∗
P, where k
∗
∈
R
[1, q− 1].
ON THE SECURITY OF TWO RING SIGNCRYPTION SCHEMES
223
• When j = 1 and j − 1 = n, let j = ψ
∗
+ 1, ψ
∗
+
2, . . ., t, 1, . . . , ψ
∗
− 1, select s
∗
j
∈
R
[1, q − 1] and
compute c
∗
j
= H(m
0
||x
∗
j− 1
) and (x
∗
j
, y
∗
j
) = T
∗
j
=
s
j
P+ c
j
Q
j
.
• Compute c
ψ
∗
= H(mkx
ψ
∗
−1
) and s
ψ
∗
= k
∗
−
d
ψ
∗
c
ψ
∗
(modq).
• m
∗
= m
′
= E
x
e
(m
b
).
• sends σ
∗
= (m
∗
, c
∗
1
, s
∗
1
, s
∗
2
, . . . , s
∗
t
, R
∗
) to the
Unsigncrypt oracle with U
v
as receiver.
• Unsigncrypt oracle returns m
0
if σ is a valid sign-
cryption on m
0
. In other words, if m
∗
= m
′
is
the encryption of m
0
then the signature generated
as part of σ
∗
by A with m
0
is a valid signature
and hence σ
∗
is a valid signcryption from U
∗
to
receiver U
v
. Else, m
′
is the encryption of m
1
.
Hence, if the output of Unsigncrypt oracle is m
0
if σ
∗
is a valid signcryption of m
0
. Otherwise,
A returns ”INVALID”. Thus A can distinguish
whether σ is the signcryption of m
0
or m
1
with-
out knowing the private key of the receiver U
v
.
Thus, breaking the confidentiality of Chung et al.
scheme.
5 CONCLUSIONS
In this paper we have showed attacks on confidential-
ity and anonymity of Li et al.’s identity-based ring
signcryption scheme. Also, we have showed the at-
tack on confidentiality of Chung et al.’s anonymous
signcryption scheme.
REFERENCES
Abe, M., Ohkubo, M., and Suzuki, K. (2002). 1-out-of-
n signatures from a variety of keys. In ASIACRYPT
’02: Proceedings of the 8th International Confer-
ence on the Theory and Application of Cryptology and
Information Security, pages 415–432, London, UK.
Springer-Verlag.
Bender, A., Katz, J., and Morselli, R. (2006). Ring signa-
tures: Stronger definitions, and constructions without
random oracles. In TCC 06, volume 3876 of Lecture
Notes in Computer Science, pages 60–79. Springer.
Chung, Y.-F., Wu, Z. Y., Lai, F., and Chen, T.-S. (2006).
Anonymous signcryption in ring signature scheme
over elliptic curve cryptosystem. In JCIS 06. Atlantis
Press.
Herranz, J. and S´aez, G. (2004). New identity-based ring
signature schemes. In ICICS, volume 3269 of Lecture
Notes in Computer Science, pages 27–39. Springer.
Huang, X., Susilo, W., Mu, Y., and Zhang, F. (2005).
Identity-based ring signcryption schemes: Crypto-
graphic primitives for preserving privacy and authen-
ticity in the ubiquitous world. In AINA ’05, pages
649–654.
Li, F., Shirase, M., and Takagi, T. (2008a). Analysis
and improvement of authenticatable ring signcryption
scheme. In ProvSec ’08.
Li, F., Xiong, H., and Yu, Y. (2008b). An efficient id-
based ring signcryption scheme. In International Con-
ference on Communications, Circuits and Systems -
2008. ICCCAS 2008., pages 483–487. IEEE.
Rivest, R. L., Shamir, A., and Tauman, Y. (2001). How to
leak a secret. In ASIACRYPT ’01, pages 552–565.
Wang, L., Zhang, G., and Ma, C. (2007). A secure ring
signcryption scheme for private and anonymous com-
munication. In NPC ’07: Proceedings of the 2007
IFIP International Conference on Network and Paral-
lel Computing Workshops, pages 107–111, Washing-
ton, DC, USA. IEEE Computer Society.
Yu, Y., Li, F., Xu, C., and Sun, Y. (2008). An effi-
cient identity-based anonymous signcryption scheme.
Wuhan University Journal of Natural Sciences, Vol-
ume: 13, Number: 6, December, 2008:670–674.
Yu Fang Chung, Zhen Yu Wu, T. S. C. (2008). Ring signa-
ture scheme for ecc-based anonymous signcryption.
In Computer Standards & Interfaces Journal.
Zhang, F. and Kim, K. (2002). Id-based blind signature and
ring signature from pairings. In ASIACRYPT’02: Pro-
ceedings of the 8th International Conference on the
Theory and Application of Cryptology and Informa-
tion Security, pages 533–547, London, UK. Springer-
Verlag.
Zhang, J., Gao, S., Chen, H., and Geng, Q. (2009). A
novel id-based anonymous signcryption scheme. In
APWeb/WAIM ’09, volume 5446 of Lecture Notes in
Computer Science, pages 604–610. Springer.
Zhang, M., Yang, B., Zhu, S., and Zhang, W. (2008). Ef-
ficient secret authenticatable anonymous signcryption
scheme with identity privacy. In PAISI, PACCF and
SOCO ’08: Proceedings of the IEEE ISI 2008 PAISI,
PACCF, and SOCO international workshops on In-
telligence and Security Informatics, pages 126–137.
Springer-Verlag.
Zheng, Y. (1997). Digital signcryption or how to achieve
cost(signature & encryption) < < cost(signature) +
cost(encryption). In CRYPTO ’97, pages 165–179.
Zhun, L. and Zhang, F. (2008). Efficient idbased ring signa-
ture and ring signcryption schemes. In International
Conference on Computational Intelligence and Secu-
rity, 2008. CIS ’08., volume 2, pages 303–307.
SECRYPT 2009 - International Conference on Security and Cryptography
224
