Abstract

Certificateless cryptography does not require any certificate for public key authentication; users' public keys are transmitted together with the ciphertext/signatures or are made available in an IoT-based public directory in a proper way. Due to these features, certificateless cryptosystems are considered fundamental cryptographic building blocks for providing the authenticity, integrity and non-repudiation required by IoT applications. Yeh proposed a transaction scheme based on a certificateless signature (CLS) scheme for IoT-based mobile payments, implemented on Android Pay. He showed that the CLS scheme was unforgeable against Type I and Type II adversaries under the intractability of the underlying mathematical problem. Despite the security proofs, we show that Yeh's scheme is still insecure against both Type I and Type II adversaries. Recently, Gayathri et al. constructed a compact certificateless aggregate signature scheme for Healthcare Wireless Medical Sensor Networks. Their aggregate signatures are constant-size, independent of the number of signers. In this paper, we show that anyone can forge certificateless aggregate signatures of their scheme on any set of messages and identities from only publicly known information, i.e. their scheme is entirely broken. We then discuss some improvements.

Highlights

  • Public-key cryptography requires the public key authentication by a trusted third party called ‘Certificate Authority’

  • We show that Gayathri et al.’s certificateless aggregate signature (CLAS) scheme is insecure against universal forgery attacks

  • Universal forgery attacks on Gayathri et al.’s schemes: we show that anyone can forge certificateless signatures and aggregate signatures of Gayathri et al.’s schemes on any messages for any identities using only publicly known information, i.e. their CLS and CLAS schemes are vulnerable to universal forgery attacks


Summary

INTRODUCTION

Public-key cryptography requires the public key authentication by a trusted third party called ‘Certificate Authority’. A Type I adversary $\mathcal{A}_I$ succeeds in forging a certificateless signature on any message $m$ for $\{ID_i, PK_i\}$ without knowing the partial private key for $ID_i$ generated by the master secret key $s$. Suppose that a Type II adversary $\mathcal{A}_{II}$, who knows the master secret $s$, intends to forge a signature on any message $m$ for a user with a user public key $PK_i$ and an identity $ID_i$. The adversary computes

$R_i = ID_i^{-1} \cdot (aP - PK_i)$, $h_i = H(ID_i, R_i, PK_{KGC})$, $T_i = t_i P$, $k_i = H(m, T_i, PK_i, h_i)$, $\tau_i = t_i + k_i \cdot (a + h_i \cdot s) \bmod n$.

Algebraic relations in the underlying group allow the adversary to generate specific values that cancel the master secret key and the user secret key, which results in forging signatures and aggregate signatures of the schemes. It is trivial that Gayathri et al.’s CLS and CLAS schemes are insecure against both Type I and Type II adversaries with special abilities.

DISCUSSIONS AND SOME IMPROVEMENTS
CONCLUSION