Security Analysis of a Certificateless Signature from Lattices

Tian and Huang proposed a lattice-based CLS scheme based on the hardness of the SIS problem and proved, in the random oracle model, that the scheme is existentially unforgeable against strong adversaries. Their security proof uses the general forking lemma under the assumption that the underlying hash function H is a random oracle. We show that the hash function in the scheme is neither one-way nor collision-resistant in the view of a strong Type 1 adversary. We point out flaws in the security arguments and present attack algorithms that are successful in the strong Type 1 adversarial model using the weak properties of the hash function.


Introduction
The notion of certificateless signature (CLS) has been introduced by Al-Riyami and Paterson [1] in 2003 as a variant of identity-based signature (IBS) to eliminate the key escrow problem inherent in IBS and assuage the certificate management of regular signatures.To solve the key escrow problem, a user's private key in a CLS scheme is not generated by the KGC alone.Instead, it is a combination of a secret from the KGC and one chosen by the user.More precisely, each user has two secrets: a secret value generated by the user and a partial private key produced by the KGC, who holds the master key.Signing requires both secrets.Since the KGC does not have access to the secret value generated by the user, the key escrow problem can be solved.
Lattice-based signature schemes are an important alternative for the current number-theoretic signature schemes and are emerging as a promising candidate for postquantum cryptography on the basis of Shor's work [2].There are many lattice-based cryptosystems, including encryption schemes [3,4].There have been various attempts to construct latticebased CLS schemes.
The first lattice-based signature scheme was proposed by Gentry et al. [5] as a Hash-and-Sign signature scheme and its security is based on the hardness SIS problem on the average case.Lyubashevsky and Micciancio [6] proposed a lattice-based one-time signature scheme in 2008.Lyubashevsky [7] proposed a lattice-based signature by extending the scheme of Lyubashevsky and Micciancio [6] in the framework of Fiat-Shamir.Since then, a number of latticebased signature schemes have been proposed in the context of PKI.Tian and Huang [8] proposed a IBS scheme following the framework of Lyubashevsky [7].
In 2015, Tian and Huang [9] proposed a lattice-based CLS scheme and proved under the SIS assumption that the scheme is existentially unforgeable against strong adversaries, in the random oracle.In this paper, we discuss security flaws in the CLS scheme of Tian and Huang by scrutinizing misuses of the hash function in the security arguments.The security proof of the scheme is given in random oracle model and uses the general forking lemma under the assumption that the underlying hash function  is a random oracle.We show that the hash function is neither one-way nor collision-resistant in the view of a strong Type 1 adversary.This means that the hash function defined from  cannot be modelled as a random oracle and this indicates critical flaws in the security argument.
We show that the CLS scheme is insecure against strong Type 1 adversaries by providing effective attack algorithms.The attack algorithms, which are successful in the strong Type 1 adversarial model, are based on the weak properties of the hash function that we have found.
The rest of the paper is organized as follows.In Section 2 we give preliminaries on CLS schemes and review the CLS scheme of Tian and Huang as well as their security proofs.
In Section 3, we analyze the security arguments of Tian and Huang and point out security flaws.We show that the scheme is insecure under strong Type 1 attack.We draw our conclusion in Section 4.

Review of the Certificateless Signature Scheme of Tian and Huang
In 2015, Tian and Huang proposed a CLS scheme (from hereon in referred to simply as "Tian-Huang scheme") and they claimed that their scheme is provably secure in the strong Type 1 adversarial model by assuming the hardness of the SIS problem [9].In this section, we review some basics of Tian-Huang scheme and their security proof.

Some Basics of SIS Problem.
The security of Tian-Huang scheme is based on the hardness of the SIS problem.The SIS problem can be stated as follows.
Definition 1.Given a positive integer , a matrix A ∈ Z ×  , and a positive real number , the (, , )-SIS problem for A is to find a nonzero vector v ∈ Z  such that Av = 0 (mod ) and ‖v‖ ≤ .
One of the related problems of the SIS problem is the Inhomogeneous-SIS (ISIS) problem that can be described as follows.
Definition 2. Given a positive integer , a matrix A ∈ Z ×  , a vector u ∈ Z  , and a positive real number   , the (, ,   )-ISIS problem for (A, u) is to find a nonzero vector v ∈ Z  such that Av = u (mod ) and ‖v‖ ≤   .
For any polynomial-bounded ,  and for any prime  ≥  ⋅ (√ log ), it is known by Micciancio and Regev [10] that solving SIS on average is hard as approximating some intractable lattice problem.
The polynomial-time algorithms  and  are building blocks of Tian-Huang scheme.We skip the details of each algorithms in this paper.
(i) (A, T  ) ← (, , , ) if and only if T  ∈ Z × is of full rank and each column vector of T  is a solution of (, , )-SIS problem for the matrix A ∈ Z ×  .
(ii) For (A, T  ) ← (, , , ), (D ∈ Z ×  ) ← (A, T  ,   , ) if and only if each of the column vectors of D is a solution of (, ,   )-ISIS problem for (A, u).[9].In this subsection we give a brief description of Tian-Huang scheme; for the full details, see [9].Major public parameters of the scheme are the following:

A Description of Tian-Huang Scheme
(i) : security parameter.
(iii) : a positive real number.
The scheme consists of the following seven algorithms: (d) outputs the master secret  = T  and the public parameters  = {A, B, , }.
(ii) PartialPrivateKeyExtract(id, , ): on input (id,  = T  , ), the KGC obtains D id ∈ Z  1 × ← (A, T  , , (id)) and sends it to the user with id.Upon receiving D id , the user with id checks the correctness of D id by verifying if AD id = (id) and ‖D id ‖ ≤ √ 1 .If so, the user sets his partial private key as  id = D id .
(iii) SetSecretValue(id, ): on input (id, ), the user with id selects a random matrix S id ∈ Z  2 × satisfying ‖S id ‖ ∞ ≤  and outputs his secret value  id = S id .
(iv) SetPrivateKey(id,  id ,  id , ): on input (id,  id = S id ,  id = D id , ), the user with id outputs his full private key (v) SetPublicKey(id, SK id , ): on input (id, SK id = (D id , S id ), ), the user with id outputs his public key PK id = BS id .
(vi) CLSign(id, SK id , m, ): on input (id, SK id = (D id , S id ), m, ), the user with id If nothing is outputted, repeat this algorithm.
(vii) CLVfy(id, PK id , , m, ): on input (id, PK id = BS id , sig = (h, z), m, ), the algorithm outputs Correctness.The correctness of Tian-Huang scheme is clear from the fact that the following holds for any correctly computed key pairs and a signature (h, z) on m. (2) 2.3.Security Model for CLS Schemes.The most general security notion of regular signature is the existential unforgeability under an adaptively chosen message attack.It is extended to IBS, namely, existential unforgeability under an adaptively chosen message and an adaptively chosen-ID attack, where an adversary can choose its messages and its identities adaptively.The security notion of CLS is similar to that of IBS, but it is more complicated from the following facts: (i) The KGC should be considered as an adversary because it is not a trusted party.
(ii) There is no way to authenticate the public key PK id of the user id because no certificate of PK id is given.Therefore, replacing the public key PK id of the user id is allowed.
Such issues necessitate considering two types of adversaries in CLS, namely, Type 1 and Type 2 adversaries.The Type 1 adversary models outside attacker which is allowed to replace any user's public key.The Type 2 adversary models a malicious KGC which is allowed to obtain the master secret .For each type, the adversary is also given access to the signing oracle for any messages for any identities of its chosen.However, none of Type 1 and Type 2 adversaries are allowed to replace PK id and obtain  at the same time.
In 2007, Hu et al. [11] defined formal security models and Huang et al. [12,13] also defined formal security models in which the adversaries can be categorized into normal, strong, super adversaries (ordered based on their attack powers), which are accessed different sign oracles.Because our focus in this paper is the Type 1 security of Tian-Huang scheme against strong adversary, we describe the Type 1 security model of CLS against strong adversary, only.The Type 1 security of a CLS against strong adversary is formalized by using the following security game, CL-EUF game between the challenger C and a Type 1 adversary A.
[Queries] A can request the following queries adaptively to the challenger C.
CreateUser Query.For the requested identity id ∈ {0, 1} * , if id has already been created, nothing is to be carried out.Otherwise, the oracle runs the algorithms PartialPrivate-KeyExtract(id, , ), SetSecretValue(id, ), SetPrivateKey(id,  id ,  id , ), and SetPublicKey(id,  id , ) to generate  id ,  id , SK id , and PK id .In both cases, PK id is returned.RevealSecretValue Query.For the requested identity id ∈ {0, 1} * , the oracle returns the corresponding secret value  id .ReplacePublicKey Query.For the requested (id, PK  id ), the oracle replaces the public key PK id of the original user with PK  id and returns the replaced (id, PK  id ).The replacement will be recorded.RevealPartialPrivateKey Query.For the requested id ∈ {0, 1} * , the challenger C returns the corresponding partial private key  id .StrongSign Query.For the requested (id,  id ,   ), C returns the signature   such that CLVf y (id, PK id , sig  ,   , ) = 1. ( [Forgery] finally, A outputs sig * on a message  * for an identity id * .We say that the adversary A wins the [CL-EUF-Game 1] if (1) id * has never been requested to the RevealPartialPrivateKey oracle, (2) the pair (id * ,  id * ,  * ) has never been requested to the StrongSign oracle, where  id * is the corresponding secret of PK id * , (3) CLVfy(id * , PK id * , sig * ,  * , ) = 1.
The security of CLS against strong Type 1 adversaries is defined as follows.
Definition 3.For any polynomial-time strong Type I adversary, if the probability of the adversary win CL-EUF-Game 1 is negligible, then we say the CLS scheme is existentially unforgeable against strong Type 1 adversaries under adaptive chosen message and chosen identity attacks.
Note that, for the security of CLS, one should consider both of Type 1 and Type 2 adversaries.However, we believe that the description of Type 1 security of CLS is enough to read the ideas of this paper and we omit the description of Type 2 security of CLS in this paper.[9].The security proof of Tian-Huang scheme in [9] is given in random oracle model where the hash functions  and  are viewed as random oracles and controlled by the challenger C.

Summary of the Security Proof of Tian-Huang Scheme in
Suppose there is a polynomial-time strong Type 1 adversary A that requests CreateUser, RevealPartialPrivateKey, RevealSecretValue, ReplacePublicKey, StrongSign, and  and  queries and outputs a forged signature for Tian-Huang scheme with nonnegligible probability.Tian and Huang proved that the challenger C can solve the (,  1 , 4√ + 2√ 1 )-SIS problem with nonnegligible probability using A. Now, we give a brief review of how the challenger C solves a given SIS problem by using the successful strong Type 1 adversary; for the full details, see [9].Suppose that a specific (,  1 , 4√ + 2√ 1 )-SIS problem with matrix A is given to C.
First, the challenger C simulates the security game with the adversary A for  = {A, B, , } with a randomly chosen B ∈ Z × 2  and two secure hash functions  and .Even though the challenger C does not know the corresponding trapdoor   , C can respond to Create-User-Oracle query or Extract-Partial-Private-Key-Oracle query correctly by using the hash function  as a random oracle which is controlled and recorded by C. The challenger C also records the list   = {(k  ,   , h  )} corresponding to id  of -oracle query as a random oracle.Finally, A outputs a signature forgery sig * = (h * , z * ) on a message  * for an identity id * and P id * with nonnegligible probability.
To solve the given SIS problem for the matrix A, the challenger C reruns the adversary A with the same random tape but different outputting sequence of -oracle.The general forking lemma assures that A will output a new forgery sig  * on a message  * for an identity id * and P id * such that h * ̸ = h  and where In particular, we see that Az * 1 −(id * )h * = Az  1 −(id * )h  .By inserting (id * ) = AD id * , we have Since ‖z * 1 ‖, ‖z  1 ‖ ≤ 2√ and ‖D id * h  ‖, ‖D id * h * ‖ ≤ √ 1 with overwhelming probability, we can see that The fact h * ̸ = h  and the nonuniqueness of the solution of ISIS problem for (A, (id * )) yields with probability at least 1/2.Therefore, Remark 4. The security proof above is based on the forking lemma assuming the underlying hash function  can be modelled as a random oracle.However, as we will see in the next section, for the strong Type I adversary, the specific hash function in the scheme, which is related but has a different property from the given , is neither one-way nor collisionresistant.This means that the hash function defined from  cannot be modelled as a random oracle.Therefore, we see that there is a critical flaw in their security proof.In fact, we present successful strong Type 1 adversarial algorithms on the scheme in the next section.

Main Results
In this section, we discuss the flaws that we have found in the arguments of their security proof against a strong Type 1 adversary.Then we give two successful strong Type 1 attack algorithms.

Analysis of Cryptographic Usage of Hash Functions in
the Tian-Huang Scheme.The Tian-Huang scheme uses a collision-resistant hash function  : Z 2  × {0, 1} * → {−1, 0, 1}  in an essential way in the security proof.In this section, we discuss the usage of the hash function and analyze how the security arguments utilize its cryptographic properties incorrectly.By 2 ] , m).Then sig is valid under (id, P id ) if the following holds: (1) ‖z‖ ≤ 2√m.
Proof.By (2) we have By 2 ] = [  (id) and so The converse is true with overwhelming probability if the hash function  is collision-resistant: Lemma 6.Let P id = BS id and AD id = F(id).If a signature sig = (h, z) on a message m is valid under (id, P id ) where h = H ([ Ay 1 By 2 ] , m), then with overwhelming probability we have By Lemmas 5 and 6, we see that the validity of a signature (z, h) on the message m under (id, P id ) for P id = BS id and AD id = F(id) is (computationally) equivalent to the following: (1) ‖z‖ ≤ 2√m,

Theorem 7. Suppose that we have functions
For any given y 1 , m, h =   (y 1 , y 2 , m), one can efficiently compute y 2 if the following data are known: Proof.
), one can recover y 2 by computing and taking the second component of Theorem 7 can be interpreted as asserting that the function   cannot acquire one-wayness in the presence of the (additional) data (S id , z = [ D id S id ] h + [ y 1 y 2 ]) for h =   (y 1 , * , m), even though   is closely related to a secure hash function .We note that this additional data is always available to any strong Type 1 adversary against the Tian-Huang scheme by requesting ReplacePublicKey queries and a StrongSign query.In fact, we will use this to design a successful strong Type 1 attack on the Tian-Huang scheme in Section 3.2.1.

Theorem 8. Suppose we have functions
For any given preimage (z 1 , z 2 , P, id, m) of h =   ( * ), one can efficiently compute a second preimage of h.
Proof.Suppose we are given (z 1 , z 2 , P, id, m) such that   (z 1 , z 2 , P, id, m) = h.Choose a S  ∈ Z  2 × such that S  h ̸ = 0 and BS  ̸ = 0. Compute z  2 fl z 2 +S  h and P  fl P+BS  .Then ] − [  (id) By Theorem 8, the function   cannot be collisionresistant even if  is.In Section 3.2.2we show how to utilize a second preimage of h to design a successful strong Type 1 attack on the Tian-Huang scheme.
Theorems 7 and 8 show that the functions h =  ([ Ay 1 By 2 ] , m) and h =  ([ Az 1 Bz 2 ] − [ (id) P ] h, m) cannot be a secure hash function even if the underlying function  is a one-way and collision-resistant if some additional data is known.Moreover we see that such additional information is always available to any strong Type 1 adversaries against the Tian-Huang scheme.In other words, none of the functions   and   is a secure hash function in the view of strong Type 1 adversaries against the Tian-Huang scheme.Tian and Huang claimed that their CLS scheme is provably secure against strong Type 1 adversaries.The arguments of the proof are based on the fact that   and   are cryptographically secure hash functions and they can be modelled as a random oracle, which are assumed by the authors from the secure choice of .By Theorems 7 and 8, however, we see that this is not correct under the strong Type 1 adversarial model and so are their security proofs.In fact, we present two successful strong Type 1 attacks in the sections that follow.

Strong Type 1 Attacks on the Tian-Huang Scheme.
We present two attack algorithms on the Tian-Huang scheme.The first attack is successful by considering the hash function in the scheme as The second attack is successful by considering the hash function in the scheme as A strong Type 1 adversary A proceeds as follows.
Step 1.A choose any S  id ∈ Z  2 × , to be used as a new secret value for id, and sets P  id fl BS  id .
Step 2. A submits a query ReplacePublicKey(id, P  id ), so that the public key corresponding to id is now P  id = BS  id .
Step 5. A chooses S * id ∈ Z  2 × so that S * id h = e ℓ ∈ Z  2 ; for instance, one can simply let S * id to be the matrix whose entries are all zero except for the (ℓ, )-entry, which is set to be ℎ  (recall that ℎ  ̸ = 0 from Step 3).A computes P * id = BS * id and submits a query ReplacePublicKey(id, P * id ).
Step 6.A forges a signature sig * = (h * , z * ) by computing Validity of the Forged Signature.The validity of sig * as a signature on m under (id, P * id ) can be checked using Lemma 5: Step 1.A starts with a(n eavesdropped) valid signature sig = (h, z) on a message m under the public key P id = BS id , where S id ] h.We may assume that z 2 ̸ = 0; that is, there is 1 ≤ ℓ ≤  2 such that  2ℓ is nonzero.So there is  ∈ {1, −1} such that     e ℓ + z 2     ≤     z 2     , where e ℓ is a unit vector, with all zero components except for the ℓth, which is one.The adversary A sets z  2 = e ℓ + z 2 .We may also assume that h ̸ = 0, say ℎ  ̸ = 0 for some 1 ≤  ≤ .
Step 2. A sets S  id ∈ Z  2 × to be the matrix whose entries are all zeros except for the (ℓ, )-entry, which is ℎ  .A computes Step 3. A submits a query ReplacePublicKey(id, P * id ); note that A does not know the secret value S * id = S id + S  id corresponding to P * id .
Step 4. A returns forged sig * = (h, z * ) as a signature on m under (id, P * id ).
Validity of the Forged Signature.The validity of sig * as a signature on m under (id, P * id ) can be checked using Lemma 5: (i) Noting that h =  ([

Conclusion
In this paper, we showed that the hash function used in Tian-Huang's scheme is not a secure hash function in the presence of a strong Type 1 adversary even though the function is defined from a cryptographically secure hash function.Such weakness of the hash function admits successful strong Type 1 attacks on their scheme.The security proof of the Tian-Huang scheme was done under the assumption that the hash function is a random oracle, which requires cryptographically security properties.It seems that to improve security argument one needs to make more careful use of the hash function in the simulation of the security game.

Lemma 5 .
Let P id = BS id and AD id = (id).Consider a signature sig = (h, z) on a message m, where h =  ([ Ay 1 (i) P * id ← P id + BS  id ; (ii) z * = [ Note that z * = [ 0 S  id ] h+z ̸= z and P id = BS id with S id unknown to A.
) 3.2.1.Attack Algorithm 1.The idea of the attack is that a strong Type 1 adversary, by requesting ReplacePublicKey queries and a StrongSign query, is always able to obtain the data needed to compute the preimage of h =   (y 1 , y 2 , m) as in Theorem 7.