Cryptanalysis of a Certificateless Hybrid Signcryption Scheme and a Certificateless Encryption Scheme for Internet of Things



Introduction
The primary problem to be solved in public key cryptography is how to certify the ownership of key pairs. In certificate-based public key infrastructure (PKI), a trusted third party called the certificate authority (CA) issues certificates that bind a user's identity to a public key by means of a digital signature. However, certificate management is very complex. Shamir [1] proposed the concept of an identity-based cryptosystem in 1984 to simplify certificate management. The main idea is that a user's public key can be derived directly from any string that corresponds to the user's identifying information, such as a name, phone number, or e-mail address. A private key generator (PKG) computes the private keys from the master key and securely distributes them to the users participating in the scheme. From an efficiency and convenience standpoint, an identity-based system may be a good alternative to a certificate-based system. However, key escrow, meaning that the user's private key is generated by and known to the PKG, is an inherent problem of identity-based systems: the PKG can decrypt any user's messages and sign on any user's behalf, so neither authenticity nor privacy can be guaranteed against it.
As a variant of the identity-based cryptosystem, certificateless public key cryptography was proposed in 2003 to eliminate these problems [2]. Each user in a certificateless scheme independently generates a secret value and obtains a partial private key from the key generation center (KGC). Thus, each user's full private key consists of two parts, one obtained from the trusted third party (KGC) and one generated by the user himself. Because the KGC never learns the user-generated part, the key escrow problem is solved. In addition, this kind of scheme does not require a trusted third party to certify public key ownership, which makes public key management very efficient. Because of these advantages, certificateless schemes have attracted wide attention and become one of the hot topics of public key cryptography. In recent years, certificateless signcryption [3,4], certificateless hybrid signcryption [5,6], certificateless multireceiver signcryption [7][8][9], certificateless generalized signcryption [10][11][12][13][14], and certificateless online/offline signcryption [15,16] have been put forward one after another.
In wireless and mobile networks with limited storage and computing resources, certificateless cryptography has further advantages because of its low dependence on infrastructure and short security parameters. However, while achieving low computational cost, many certificateless schemes proposed for the Internet of Things environment [17][18][19][20][21][22][23] fail to provide provable security at the same time. Kumar et al. [17] claimed that their newly proposed certificateless aggregate signature (CLAS) scheme is secure against both types of attackers; Zhan and Wang [24] proved that an attacker can forge a valid signature and a valid aggregate signature. Lin et al. [25] pointed out that the certificateless signcryption (CL-SC) scheme proposed by Rastegari et al. [18] is insecure. Zhan et al. [26] analyzed the pairing-free CLAS scheme proposed in [20], showed that it is insecure and, to fix the vulnerability, proposed an improved scheme at the same time. Khan et al. [21] proposed a certificateless offline/online signature scheme; unfortunately, it is not secure against adaptive chosen-message attacks, as Hussain et al. [27] proved that an adversary can forge a valid signature on a message by replacing a public key. Kasyoka et al. [28] showed security vulnerabilities in Wei and Ma's [19] signcryption scheme and proposed modifications to make it more secure. Xu and Zeng [29] pointed out that the certificateless aggregate arbitrated signature scheme proposed by Lee et al. [22] is not secure against Type I attackers, who can replace user public keys. They also showed that Addobea et al.'s [23] offline/online certificateless signature scheme does not even achieve correctness.
Therefore, the certificateless schemes described above cannot be deployed in real Internet of Things environments and mobile applications. Most of them fail because the security model is incompletely defined and because, in the proof, the adversary's capability is not correctly reduced to solving a hard problem.
There has been an ongoing effort in the Internet of Things to make greater advances in both security and performance.
1.1. Our Contributions. Recently, Gong et al. [30] and Karati et al. [31] each proposed a new certificateless scheme for the Internet of Things environment: the former is a certificateless hybrid signcryption scheme, and the latter is built on a certificateless encryption scheme. Both schemes were claimed to be secure, with formal proofs reducing the adversary's capability to solving hard problems. Unfortunately, as shown in this paper, neither Gong et al.'s scheme nor Karati et al.'s scheme is secure against internal attacks, i.e., attacks mounted by legitimate users of the system. We present the attack algorithms against the two schemes separately, proving that the schemes are insecure and unsuitable for the Internet of Things environment.

Paper Organization.
In Section 2, we give the cryptanalysis of Gong et al.'s scheme; in Section 3, we give the cryptanalysis of Karati et al.'s certificateless encryption scheme for the industrial Internet of Things. Section 4 concludes the paper.

Cryptanalysis of Gong et al.'s Certificateless Hybrid Signcryption Scheme
Because of the limitations of symmetric cryptography, public key-based authentication technology has attracted extensive attention. It provides secure communication and access mechanisms for various applications. Compared with single-factor or two-factor protocols, multifactor schemes have been proven to achieve higher security levels. Wang et al. [32][33][34] have made a series of representative achievements in multifactor authentication. However, in some applications a balance must be struck between availability and security, and single-factor techniques such as digital signature and digital signcryption are adopted to achieve authentication. Signcryption provides confidentiality and authentication at the same time and is widely used in applications where multiple security features are required. Gong et al.'s scheme is a concrete certificateless hybrid signcryption scheme.

Setup. KGC runs the following algorithm:
(i) Generates two distinct cyclic groups $G_1$ (an additive cyclic group with generator $P$) and $G_2$ (a multiplicative cyclic group) of prime order $q$ ($q \ge 2^{c}$), and a bilinear map $e: G_1 \times G_1 \to G_2$.
(ii) Chooses $x \in_R Z_q^*$ and computes $P_{pub} = e(P, P)^x$.
(iii) Chooses one-way hash functions $h_i$.
(iv) Finally, keeps $x$ secret as the master secret key and publishes $params = \{P, P_{pub}, G_1, G_2, q, e, n, h_i, E, D\}$ as the system parameters.

Extract-Partial-Private-Key.
Given the identity information $u_i$, KGC runs the following algorithm to generate the corresponding partial private key $d_i$. The user then chooses $x_i \in_R Z_q^*$ and computes $P_i = e(P, P)^{x_i}$, which is the public key, and sets the full private key $s_i = (x_i, d_i)$.

Signcrypt.
A sender $u_A$ runs the following algorithm to generate the ciphertext $\sigma = (c, R, s)$.
Security and Communication Networks
Unsigncrypt.
A receiver $u_B$ runs the following algorithm for unsigncryption.
(i) Computes $y$ and checks whether $P_A^{s \cdot f} = e(zP, R)$ holds. If it holds, $u_B$ accepts and obtains $m$; otherwise $u_B$ rejects the message.

Attack Algorithm 1 (Internal Attacks to the Unforgeability).
Once it receives a valid signcryption text $\sigma = (c, R, s)$, the receiver can impersonate the sender and generate a valid signcryption text for any message $m'$ of its choice addressed to itself. The attack algorithm is described as follows.
Correctness. The forged signcryption ciphertext $\sigma' = (c', R', s')$ is validly related to $m'$ as shown in the following: the verification equation
$$P_A^{s' \cdot f'} = e(z'P, R')$$
always holds, so the forged $\sigma'$ passes Unsigncrypt exactly as a genuine ciphertext from $u_A$ would.
Any user can launch the attack after receiving a valid signcryption ciphertext sent to him, so the nonrepudiation and source authentication that a digital signcryption scheme should provide cannot be realized.

Attack Algorithm 2 (Internal Attacks to the Master Secret Key).
As shown in the Extract-Partial-Private-Key algorithm, KGC generates $d_i$ from the master secret $x$ and the hash value $h_1(u_i)$. Since $x$ is a random element of $Z_q^*$ and $h_1$ is a hash function that maps strings to distinct elements of $Z_q^*$, the computation of $d_i$ involves only arithmetic in $Z_q^*$ on $x$ and $h_1(u_i)$ and can be inverted, so any partial private key holder can compute the master secret key $x$. Once the master secret key is leaked, no security property of the whole system can be maintained: the attacker can derive the partial private key of every user. Any user that receives a valid partial private key can launch the attack.
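To make this failure mode concrete, the following toy model is added here; it is not code from the paper or from Gong et al. The exact formula for $d_i$ is not reproduced on this page, so the scalar form $d_i = x \cdot h_1(u_i) \bmod q$ used below is a hypothetical instance of the weakness the text describes (any scalar obtained from $x$ by invertible arithmetic in $Z_q^*$ behaves the same way). The pairing group is replaced by a small Schnorr group, so $e(P,P)^x$ becomes $g^x \bmod p$, which is enough to show the two facts that matter: the holder of one partial key recovers $x$ with a single modular inversion and can then issue everyone else's partial key, whereas a partial key delivered as a group element (the contrasting `group_partial_key`) only gives the attacker $g^{x \cdot h_1(u_i)}$, and recovering $x$ from that is a discrete logarithm problem.

```python
# Added toy model (not from the paper): a partial private key computed by plain
# field arithmetic from the master secret leaks that secret to its holder.
import hashlib

# Deterministic Miller-Rabin: these bases are exact for every n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 64):
    """Toy Schnorr group: p = 2q + 1 with q prime, g = 4 of prime order q.
    It stands in for (G_2, e(P, P)) of the paper; q plays the role of the group order."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, 4  # 4 = 2^2 is a quadratic residue != 1, hence of order q


def h1(identity: str, q: int) -> int:
    """Hash identity strings into Z_q^* (the role of h_1 in the paper)."""
    digest = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return digest % (q - 1) + 1


class ToyKGC:
    """KGC holding master secret x; P_pub = g^x models e(P, P)^x."""

    def __init__(self, p: int, q: int, g: int, x: int):
        self.p, self.q, self.g, self.x = p, q, g, x
        self.P_pub = pow(g, x, p)

    def scalar_partial_key(self, identity: str) -> int:
        # HYPOTHETICAL scalar form d_i = x * h_1(u_i) mod q (assumption, see lead-in).
        return self.x * h1(identity, self.q) % self.q

    def group_partial_key(self, identity: str) -> int:
        # Contrast: d_i = H(u_i)^x with H(u_i) = g^{h_1(u_i)} is a group element;
        # extracting x from it requires solving a discrete logarithm.
        return pow(pow(self.g, h1(identity, self.q), self.p), self.x, self.p)


def recover_master_secret(identity: str, d_i: int, q: int) -> int:
    """Attack Algorithm 2 on the scalar form: x = d_i * h_1(u_i)^{-1} mod q."""
    return d_i * pow(h1(identity, q), -1, q) % q


def master_secret_matches(x_guess: int, kgc: ToyKGC) -> bool:
    """The attacker confirms the recovered x against the public P_pub."""
    return pow(kgc.g, x_guess, kgc.p) == kgc.P_pub


def demo() -> dict:
    p, q, g = safe_prime_group()
    kgc = ToyKGC(p, q, g, x=0x123456789ABCDEF1)  # fixed master secret, < q
    alice, bob = "alice@example.org", "bob@example.org"  # constructed identities
    d_alice = kgc.scalar_partial_key(alice)          # what Alice legitimately receives
    x_recovered = recover_master_secret(alice, d_alice, q)
    d_bob_forged = x_recovered * h1(bob, q) % q      # Alice now mints Bob's key
    return {
        "x_recovered": x_recovered == kgc.x,
        "p_pub_check": master_secret_matches(x_recovered, kgc),
        "bob_forged": d_bob_forged == kgc.scalar_partial_key(bob),
        # Same inversion applied to a group-element key yields garbage, not x.
        "group_form_resists": recover_master_secret(
            alice, kgc.group_partial_key(alice) % q, q) != kgc.x,
    }


if __name__ == "__main__":
    print(demo())
```

The check `master_secret_matches` is what a real attacker would do before relying on the recovered value: $P_{pub}$ is public, so a wrong guess is detected immediately. The design point is that binding $d_i$ to $x$ through a one-way map (a group exponentiation or scalar multiplication, as in the group-element variant) is what keeps the master secret out of reach of partial key holders.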

Cryptanalysis of Karati et al.'s Certificateless Encryption Scheme
In order to achieve more complex security goals, people often extend a general scheme with additional features. Karati et al.'s reliable data sharing protocol is built on a certificateless encryption scheme, whose algorithms are as follows.
Setup. KGC runs the following algorithm:
(i) Generates three distinct cyclic groups $G_1$, $G_2$, and $G_3$ and a bilinear map $e$.
(iv) Outputs $PP_i = (d_i, P_{i3}, D_i')$ as the partial private key of device $i$.
On receiving $PP_i$ securely, device $i$ may verify it by checking a pairing equation against $e(g, h)$.

Set-Full-Public-Key and Set-Full-Private-Key.
The full public key of device $i$ is $PK_i = (P_{i1}, P_{i2}, P_{i3})$, and the full private key is $SK_i = (y_i, d_i, D_i)$.
Encrypt.
Given the message $m_i$ and keyword $w_{ij} \in \{0,1\}^{n_3}$, a sender with private key $SK_s$ runs the following algorithm to generate a ciphertext for receiver $R$ with public key $PK_r$.

Cryptanalysis of Karati et al.'s Scheme.
To show its usability, Karati et al. define their scheme as $(M, C, W, \Gamma)$-KDCLEKS. We note that if the sender sends a message directly without any keyword, $(M, C, \bot, \bot)$-KDCLEKS is an ordinary certificateless encryption scheme, which we denote $(M, C)$-KDCLEKS.
In this section, we show that the encryption algorithm of $(M, C)$-KDCLEKS is not secure under public-key replacement attacks launched by a Type I adversary $\mathcal{A}_I$, i.e., an attacker who does not know the master secret key but may replace users' public keys.

Attack Algorithm 1 (Internal Attacks to the Partial Private Key).
Assume that a user $j$ declares his public value as $PV_j = (P_{j1} = h^{y_j}, P_{j2} = e(g, h)^{1/y_j})$. Once $\mathcal{A}_I$ has received a valid partial private key $PP_i = (d_i, P_{i3}, D_i')$ for its own identity, it can generate a partial private key for user $j$ as follows:
(1) Compute $P_{j3} = P_{i3}^{\alpha_i}$ and $\alpha_j = H_1(ID_j, P_{j3}, P_{j1}, P_{j2})$.
Correctness. $PP_j = (d_j, P_{j3}, D_j')$ is a valid partial private key for the public value $PV_j$, because the partial-key verification pairing equation evaluates to $e(g, h)$. Thus, $PP_j = (d_j, P_{j3}, D_j')$ is always accepted as a valid partial private key related to $PV_j$. Any user that receives a valid partial private key can launch the attack.
This means that a user's partial private key can be forged by any other user without the master secret key, so the guarantee that only KGC can issue partial private keys is lost.

Attack Algorithm 2 (Internal Attacks to the Confidentiality).
Once $\mathcal{A}_I$ holds a valid full public key $PK_i = (P_{i1}, P_{i2}, P_{i3})$ and the corresponding full private key $SK_i = (y_i, d_i, D_i)$, it can decrypt the ciphertexts of any user $J$ with identity $ID_j$ through a public key replacement attack. The attack algorithm is described as follows:
(1) Select a random $y' \in_R Z_p^*$ and compute
$$P_{j1} = P_{i1}^{y'} = h^{y_i \cdot y'}, \quad P_{j2} = P_{i2}^{1/y'} = e(g, h)^{1/(y_i \cdot y')}, \quad P_{j3} = P_{i3}^{\alpha_i},$$
where $\alpha_i = H_1(ID_i, P_{i3}, P_{i1}, P_{i2})$.
(2) Replace the public key of user $J$ with $PK_j = (P_{j1}, P_{j2}, P_{j3})$.
On input $params$, the (replaced) public key $PK_j$ of receiver $J$ and a message $m_j$, the sender runs the encryption algorithm, which computes $\alpha_j = H_1(ID_j, P_{j3}, P_{j1}, P_{j2})$, and finally outputs $C_j$ as the ciphertext.
Given the ciphertext $C_j$, $\mathcal{A}_I$ can decrypt it using the following algorithm:
(1) Compute $\alpha_j = H_1(ID_j, P_{j3}, P_{j1}, P_{j2})$.

Correctness.
The decryption always succeeds, as shown in the following equation; the first equality substitutes $d_j = \alpha_j d_i$ and uses the relation $x_i(\beta_i\alpha_i + x_{KGC} d_i) = 1$ between the attacker's own key components:
$$
\begin{aligned}
e\!\left(g^{u(\beta_i\alpha_i\alpha_j + x_{KGC} d_j)},\; h^{x_i/(\alpha_j \cdot y_i \cdot y')}\right)
&= e\!\left(g^{u(\beta_i\alpha_i\alpha_j + x_{KGC}\alpha_j d_i)},\; h^{1/((\beta_i\alpha_i\alpha_j + x_{KGC}\alpha_j d_i)\, y_i \cdot y')}\right) \\
&= e(g, h)^{u/(y_i \cdot y')} = P_{j2}^{\,u}.
\end{aligned}
$$
Thus, $\mathcal{A}_I$ recovers $m_j \| \sigma = c_{j3} \oplus H_3(\delta_2)$ with probability 1. This attack can be launched by any user who holds a legal partial private key: he can decrypt the ciphertexts of any other user through a public key replacement attack without knowing the master secret $MSK$. This means that any user's public key can be replaced and the message recovered by the attacker, so the scheme does not provide confidentiality.

Conclusion
Gong et al. gave a formal security proof in the random oracle model, and Karati et al. proved their scheme secure against adversaries. Unfortunately, we have shown that in Gong et al.'s scheme internal users can forge the signcryption ciphertexts sent to them, so the nonrepudiation and source authentication that a digital signcryption scheme should provide cannot be realized. More seriously, any holder of a partial private key can directly compute the master secret key, after which no security feature of the system can be maintained. In Karati et al.'s basic certificateless encryption scheme, any user who obtains a partial private key can either forge the partial private key of another user or replace the public key of another user and decrypt that user's ciphertexts. Therefore, neither scheme is secure or suitable for the Internet of Things environment.
Fragments of the Setup and Set-Partial-Private-Key algorithms of Karati et al.'s scheme displaced by extraction: the one-way hash function $H_3: G_3 \to \{0,1\}^{n_1+n_2}$ for some $n_1$ and $n_2$; (iv) KGC computes $g_1 = g^{x_{KGC}}$ for $x_{KGC} \in_R Z_p^*$; Set-Partial-Private-Key: KGC runs the following algorithm to generate the partial private key of device $i$, with components of the form $[\cdots \| w_{ik} \| \alpha_s \| \alpha_r)]^{v'}$ and $\tau_{ik2}$.