Cryptanalysis of an Elliptic Curve-based Signcryption Scheme †

Mohsen Toorani ‡, Ali A. Beheshti

Abstract

Signcryption is a relatively new cryptographic technique that is supposed to fulfill the functionalities of encryption and digital signature in a single logical step. Although several signcryption schemes have been proposed over the years, some of them have been proved to have security problems. In this paper, the security of Han et al.'s signcryption scheme is analyzed, and it is proved that it has many security flaws and shortcomings. Several devastating attacks on the scheme are also introduced, whereby it fails all the desired and essential security attributes of a signcryption scheme.

Keywords: Public key cryptography, Elliptic curves, Invalid-curve attack, Unknown key share attack.

1. Introduction

Confidentiality, integrity, non-repudiation, and authentication are the most important security services among the security criteria. Encryption and digital signature are two fundamental security mechanisms that are simultaneously required in many applications. Until the previous decade, they were viewed as important but distinct building blocks of various cryptographic systems. In public key schemes, the traditional method is to digitally sign a message and then encrypt it (signature-then-encryption), which has two problems: the low efficiency and high cost of such a combination, and the fact that an arbitrary combination of the two cannot by itself guarantee security. Signcryption is a relatively new cryptographic technique that is supposed to fulfill the functionalities of digital signature and encryption in a single logical step, and can effectively decrease the computational costs and communication overheads in comparison with the traditional signature-then-encryption schemes. The first signcryption scheme was introduced by Zheng in 1997 [1], but it fails the forward secrecy of message confidentiality [2]. Zheng also proposed an elliptic curve-based signcryption scheme that saves 58% of the computational and 40% of the communication costs when compared with the traditional elliptic curve-based signature-then-encryption schemes [3]. Many other signcryption schemes have also been proposed throughout the years, each of them having its own problems and limitations, while offering different levels of security services and computational costs.

In a signcryption scheme, the sender usually uses the public key of the recipient to derive a session key for a symmetric encryption, while the recipient uses his private key to derive the same session key. Exposure of session keys can be a devastating attack on a cryptosystem, since such an attack typically implies that all the security guarantees are lost. In this paper, we prove that a recent signcryption scheme, i.e. Han et al.'s scheme [4], which will be referred to as HYH throughout this paper, has such a vulnerability and many other security flaws. This paper is organized as follows. Section 2 briefly describes some preliminaries on signcryption and its desired attributes. Section 3 is devoted to the cryptanalysis of the HYH signcryption scheme, and Section 4 provides the conclusions.

2. Preliminaries to Signcryption

Any signcryption scheme $\Sigma = (\mathrm{Gen}, \mathrm{SC}, \mathrm{USC})$ typically consists of three algorithms: Key Generation (Gen), Signcryption (SC), and Unsigncryption (USC). Gen generates a pair of keys for any user U: $(SDK_U, VEK_U) \leftarrow \mathrm{Gen}(U, \lambda)$, where $\lambda$ is the security parameter, $SDK_U$ is the private signing/decryption key of user U, and $VEK_U$ is his public verification/encryption key. For any message $m \in \mathcal{M}$, the signcrypted text $\sigma$ is obtained as $\sigma \leftarrow \mathrm{SC}(m, SDK_S, VEK_R)$, where S denotes the sender and R the recipient. SC is generally a probabilistic algorithm, while USC is most likely to be deterministic, with $m \leftarrow \mathrm{USC}(\sigma, SDK_R, VEK_S)$, $m \in \mathcal{M} \cup \{\bot\}$, in which $\bot$ denotes the invalid result of unsigncryption. A formal proof for the security of signcryption is provided in [5].

† Reprinted from International Journal of Network Security, Vol. 10, No. 1, pp. 51-56, Jan. 2010. The published version of this manuscript is available at: http://ijns.femto.com.tw/contents/ijns-v10-n1/ijns-2010-v10-n1-p51-56.pdf
‡ Corresponding Author, ResearcherID: A-9528-2009
Any signcryption scheme should have the following properties [6]:

1) Correctness: A signcryption scheme is correct only if for any sender S, recipient R, and message $m \in \mathcal{M}$, $\mathrm{USC}(\mathrm{SC}(m, SDK_S, VEK_R), SDK_R, VEK_S) = m$.

2) Efficiency: The computational costs and communication overheads of a signcryption scheme should be smaller than those of the best known signature-then-encryption schemes providing the same functionalities.

3) Security: Any signcryption scheme should simultaneously fulfill the security attributes of encryption and those of a digital signature. Such properties mainly include confidentiality, unforgeability, integrity, and non-repudiation. Some signcryption schemes provide additional attributes such as public verifiability and forward secrecy of message confidentiality, while others do not. These are attributes that some applications require and others may not. Public verifiability is not a security attribute, but it can be regarded as a facility. Hereunder, the above-mentioned attributes are briefly described.

• Confidentiality: It should be computationally infeasible for an adaptive attacker to gain any partial information on the contents of a signcrypted text without knowledge of the sender's or the designated recipient's private key.

• Unforgeability: It should be computationally infeasible for an adaptive attacker to masquerade as an honest sender in creating an authentic signcrypted text that is accepted by the unsigncryption algorithm.

• Non-repudiation: The recipient should have the ability to prove to a third party (e.g. a judge) that the sender has generated the signcrypted text. This ensures that the sender cannot deny his previously signcrypted texts.

• Integrity: The recipient should be able to verify that the received message is the original one that was signcrypted by the sender.

• Forward secrecy of message confidentiality: If the long-term private key of the sender is compromised, no one should be able to extract the plaintext of previously signcrypted texts. In a regular signcryption scheme, when the long-term private key is compromised, all the previously issued signatures are no longer trustworthy. As cryptographic computations are performed more and more frequently on poorly protected devices such as mobile phones, the threat of key exposure is becoming more acute, and forward secrecy seems an essential security attribute in such systems.

• Public verifiability: Any third party can verify that the signcrypted text is the valid signcryption of its corresponding message, without any need for the private key of the sender or the recipient.

Many of the available signcryption schemes involve modular exponentiation, while some of them, including the HYH signcryption scheme, are based on elliptic curves. The elliptic curve-based schemes usually rely on the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP), which is computationally infeasible under certain circumstances [7]. Elliptic curve-based systems can attain a desired security level with significantly smaller keys than those required by their exponentiation-based counterparts. This can enhance speed and leads to efficient use of power, bandwidth, and storage, which are the basic limitations of resource-constrained devices [8].

3. Cryptanalysis of Han et al.'s Scheme

The signcryption and unsigncryption stages of Han et al.'s signcryption scheme (HYH) [4] are depicted in Figure 1, where the deployed notations are described in Figure 2. The public keys of Alice and Bob are generated as $U_A = d_A G$ and $U_B = d_B G$ respectively. HYH aims to provide the attributes of confidentiality, unforgeability, integrity, non-repudiation, and public verifiability. However, as we prove in this section, it has several security flaws, so that it fails all the desired security attributes of a signcryption scheme. Throughout this section, Alice is the sender, Bob is the designated recipient, and Mallory is the malicious active attacker.

Figure 1. HYH Signcryption Scheme [4]
Figure 2. Explanation of deployed notations

1) The security of HYH completely depends on the secrecy of the random number r. It has no resilience to disclosure of this ephemeral parameter, and the long-term private key $d_A$ of Alice is simply divulged with the disclosure of r. The point R is obtained as $R = rG$ and is sent to Bob in the clear. If Mallory knows the r corresponding to R, he can easily deduce the static private key of Alice from an intercepted signcrypted text $(R, C, s)$. He calculates $K = rU_B = (x_K, y_K)$ and decrypts the ciphertext as $M \| e = C \oplus x_K$. He then deduces the long-term private key of Alice as
$d_A = x_R^{-1}(rs - H(M)) \bmod n$.
Therefore, the confidentiality, unforgeability, non-repudiation, and other claimed security attributes of HYH depend entirely on the secrecy of r and fail completely with its disclosure. This attack is feasible due to the weak session key establishment of HYH.

Although it is believed that finding the r corresponding to a specific R requires solving the ECDLP, this cannot be used to conclude the claimed security attributes of HYH. Resilience to disclosure of the random parameter r is nowadays one of the most important and essential security attributes of any key exchange protocol, so that it has been considered in many standard and secure protocols such as MQV [9] and HMQV [10], which are approved by national agencies such as the NSA. However, HYH does not benefit from such an important attribute and is completely vulnerable to disclosure of this ephemeral parameter. Although finding the r corresponding to a specific R generally requires solving the ECDLP, there are practical situations in which Mallory can defeat HYH and deduce the private key of Alice without any need to solve the ECDLP. Hereunder, we describe two practical scenarios for this.

• The first feasibility is that many applications boost their performance by pre-computing the ephemeral pairs (r, R) for later use. This may apply to resource-constrained devices as well as high-volume servers. In this case, the stored pairs are more vulnerable to leakage than the long-term private keys: the former are typically stored on disk and hence are more exposed, while the latter may be stored on hardware-protected storage media. If Mallory gains any access to such stored pairs, he can easily deduce the long-term private key of Alice by the above-mentioned method.

• The second feasibility is to misuse possible weaknesses of the deployed random number generators. The generated random numbers are actually pseudo-random and may have some bias, especially when they are generated on resource-constrained devices. Mallory runs the random number generator deployed by his victims, generates the most probable pairs (r, R), and saves them offline. He then intercepts Bob's terminal, which would have many transactions every day (e.g. Bob can be a bank while Alice is a customer). Mallory looks at the R sent in the clear in the intercepted messages and picks those messages whose R is in his compiled list. He simply deduces the long-term private keys of all the corresponding senders from such chosen signcrypted texts by the above-mentioned method. This can be considered a chosen-ciphertext attack. He can use the deduced private keys to impersonate the legitimate users and perform his malicious activities. If Mallory aims at a definite entity, he may wait until his definite victim sends an R that is in his compiled list. Until then, Mallory can enrich his list.

Although the mentioned attack works against awkward implementations of HYH, it is entirely attributable to its weak session key derivation function, which consists of a single elliptic curve point multiplication with the x-coordinate of the product taken as the session key.

2) A further chosen-ciphertext attack is also applicable to HYH since it uses a simple XOR for the encryption. Chosen-ciphertext security (IND-CCA) is a standard and accepted notion of security for a public key encryption scheme [11]. The chosen-ciphertext attack on HYH can be accomplished by choosing those texts that are signcrypted with the same random number r and consequently carry the same value of R in the clear. For such chosen ciphertexts, we have:

$C_1 \oplus C_2 = (M_1 \oplus M_2) \,\|\, \bigl[ H(M_1 \| r^{-1}(H(M_1) + x_R d_A)) \oplus H(M_2 \| r^{-1}(H(M_2) + x_R d_A)) \bigr]$   (1)

where $C_1$ and $C_2$ are the ciphertexts corresponding to messages $M_1$ and $M_2$ respectively. Since both texts are encrypted under the same $x_K$, the pad cancels: the leading component of (1) is $M_1 \oplus M_2$ and involves no key material at all, so knowledge of either plaintext reveals the other. Expression (1) shows a linear relationship between the plaintext and ciphertext that can be subject to several cryptanalysis methods such as linear cryptanalysis.
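The following Python model is an added example; it is not code from the paper or from Han et al. It reproduces the flow that items 1 and 2 above rely on and runs both attacks, and, because it needs the same curve arithmetic, it also implements the invalid-curve attack on Bob's receipt that items 4 and 5 below describe. It uses the textbook toy curve $y^2 = x^3 + x + 6$ over $\mathbb{F}_{11}$ (13 points, so every point order can be brute-forced). Everything the page leaves unspecified is an assumption of this example: the tag is $e = H(M \| s)$ (as expression (1) implies), the pad is $x_K$ repeated over $M \| e$, the signature check is $sR = H(M)G + x_R U_A$ (the relation behind $d_A = x_R^{-1}(rs - H(M))$), the MAC is HMAC-SHA256 keyed with $x_K$, Bob issues the MAC'd receipt as soon as he has derived $K$, and the function names are mine.

```python
"""Toy model of the HYH flow of Section 3 with the attacks of items 1, 2, 4 and 5.
Added example, not code from the paper. Curve y^2 = x^3 + x + 6 over F_11 has 13
points (prime order), so point orders can be brute-forced. Assumptions not fixed by
the paper: e = H(M||s); pad = x_K repeated; check s*R == H(M)*G + x_R*U_A; HMAC receipt."""
import hashlib, hmac, itertools

P, A, B = 11, 1, 6            # toy field F_P and curve y^2 = x^3 + A*x + B
G, N = (2, 4), 13             # base point and its prime order n
O = None                      # point at infinity

def ec_add(P1, P2):
    """Affine addition; only A is used, so it also 'works' on y^2 = x^3 + A*x + b'."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P == 0: return O
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if P1 == P2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, Pt):
    acc, addend = O, Pt
    while k:
        if k & 1: acc = ec_add(acc, addend)
        addend, k = ec_add(addend, addend), k >> 1
    return acc

def H(M): return int.from_bytes(hashlib.sha256(M).digest(), "big") % N
def tag(M, s): return hashlib.sha256(M + b"|" + str(s).encode()).digest()
def kbytes(x): return x.to_bytes((P.bit_length() + 7) // 8, "big")
def mac(x_k, msg=b"received"): return hmac.new(kbytes(x_k), msg, "sha256").digest()
def xor_pad(data, x_k):                  # assumption: pad = x_K repeated to length
    key = kbytes(x_k)
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))

def signcrypt(M, d_a, U_b, r):           # r in [1, N-1], chosen by the caller
    R, K = ec_mul(r, G), ec_mul(r, U_b)
    s = pow(r, -1, N) * (H(M) + R[0] * d_a) % N
    return R, xor_pad(M + tag(M, s), K[0]), s

def unsigncrypt(R, C, s, d_b, U_a):      # as in HYH: R is used without validation
    K = ec_mul(d_b, R)
    if K is O: return None               # HYH itself has no K != O check (item 8)
    data = xor_pad(C, K[0]); M, e = data[:-32], data[-32:]
    ok = e == tag(M, s) and ec_mul(s, R) == ec_add(ec_mul(H(M), G), ec_mul(R[0] % N, U_a))
    return M if ok else None

def valid_point(Pt, a=A, b=B):          # item 4, conditions (a)-(c) of [13]
    if Pt is O: return False
    x, y = Pt
    return 0 <= x < P and 0 <= y < P and (y * y - x ** 3 - a * x - b) % P == 0

def recover_dA_from_r(R, C, s, r, U_b):
    """Item 1: a leaked r gives K, hence M, hence d_A = x_R^-1 (r*s - H(M)) mod n."""
    M = xor_pad(C, ec_mul(r, U_b)[0])[:-32]
    return pow(R[0] % N, -1, N) * (r * s - H(M)) % N

def same_r_leak(C1, C2):                 # item 2: same r => same pad => C1^C2 = (M1^M2) || ...
    return bytes(a ^ b for a, b in zip(C1, C2))

def small_order_points(wanted):
    """One point of each prime order in `wanted`, searched over the curves y^2 = x^3 + A*x + b'."""
    found = {}
    for b2, x, y in itertools.product(range(P), repeat=3):
        if (y * y - x ** 3 - A * x - b2) % P: continue
        acc, g = (x, y), 1
        while acc is not O: acc, g = ec_add(acc, (x, y)), g + 1
        if g in wanted and g not in found: found[g] = (x, y)
    return found

def receipt_oracle(d_b, R):              # Bob: z = MAC_{x_K}(M') with K = d_B*R, R unchecked
    K = ec_mul(d_b, R)
    return None if K is O else mac(K[0])

def invalid_curve_attack(oracle, U_b):
    """Item 5: each small-order W_i leaks d_B mod g_i up to sign (x(kW) = x(-kW)); a silent
    oracle means K = O, i.e. d_B = 0 mod g_i. CRT over the sign choices, keep d with d*G == U_B."""
    residues, mods = [], []
    for g, W in sorted(small_order_points({2, 3, 5, 7}).items()):   # 2*3*5*7 > n
        z = oracle(W)
        cands = {0} if z is None else {c for k in range(1, g // 2 + 1)
                 if hmac.compare_digest(mac(ec_mul(k, W)[0]), z) for c in (k, g - k)}
        residues.append(cands); mods.append(g)
    for choice in itertools.product(*residues):
        d, m = 0, 1
        for r_i, m_i in zip(choice, mods):                         # Garner-style CRT
            d += m * ((r_i - d) * pow(m, -1, m_i) % m_i); m *= m_i
        if ec_mul(d % N, G) == U_b: return d % N
    return None

def demo():
    d_a, d_b = 5, 9
    U_a, U_b = ec_mul(d_a, G), ec_mul(d_b, G)
    R, C, s = signcrypt(b"pay 100 to Carol", d_a, U_b, 7)
    assert unsigncrypt(R, C, s, d_b, U_a) == b"pay 100 to Carol"
    assert recover_dA_from_r(R, C, s, 7, U_b) == d_a                     # item 1
    assert not valid_point(small_order_points({5})[5])                    # item 4
    assert invalid_curve_attack(lambda W: receipt_oracle(d_b, W), U_b) == d_b   # item 5
    return True
```

`demo()` recovers $d_A$ from a leaked r, and recovers $d_B$ from four receipts, one per small-order point taken from different invalid curves; `valid_point` is the check of [13] that HYH's unsigncryption omits, and it rejects every point the search returns. Note the `None` branch of the oracle: when $d_B \equiv 0 \pmod{g_i}$ Bob computes $K = \mathcal{O}$ and cannot derive a key, and that silence is itself an answer the attacker uses. Only the x-coordinate keys the MAC, so each round yields $d_B \bmod g_i$ up to sign; the CRT is therefore run over all sign combinations and the result checked against $U_B$.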
3) In certificate-based public key schemes, after the certificate validation, the validity of the public keys should be verified using the validated certificates. Otherwise, the certificates and public keys can be easily forged and the scheme succumbs to the man-in-the-middle attack. The process of certificate validation includes [12]:
(a) Verifying the integrity and authenticity of the certificate by verifying the CA's signature on the certificate.
(b) Verifying that the certificate has not expired.
(c) Verifying that the certificate has not been revoked.
However, HYH does not take such considerations into account.

4) HYH does not consider public key validation, so it is feasible to obtain certificates for invalid public keys. An invalid public key is a point of small order residing on an invalid curve, which can be misused for an invalid-curve attack [7]. The public key of user U, $U_U = (x_{U_U}, y_{U_U})$, is valid if all the following conditions are simultaneously satisfied [13]:
(a) $U_U \neq \mathcal{O}$.
(b) $x_{U_U}$ and $y_{U_U}$ have the proper format of $\mathbb{F}_q$ elements.
(c) $U_U$ satisfies the defining equation of E.
Traditionally, public key validation is not considered in the PKI standards (such as [14] and [15]), and the Certificate Authority (CA) just performs a proof of possession by checking the user's signature over a message of a predetermined format, so it is feasible to get a certificate for an invalid public key if public key validation is not performed. Antipa et al. [13] demonstrated how to get a certificate for an invalid public key when the CA uses ECDSA. In HYH, the CA does not verify whether each entity really possesses the private key corresponding to its claimed public key. This shortcoming exposes it to the mentioned vulnerability.

5) A delivery confirmation or receipt from the recipient is necessary for some applications. Although HYH is a one-pass scheme, the implementer may add a confirmation step in which Bob sends Alice a confirmation message, perhaps together with a Message Authentication Code (MAC) keyed with the session key of the encryption. Since validity verification of the ephemeral public key (i.e. the point R) is not included in the unsigncryption phase of HYH, it can be misused for an invalid-curve attack [13] whereby Alice is capable of deducing the long-term private key of Bob. Here is how the attack works. Alice chooses an invalid curve containing a point $W_i$ of small order $g_i$. She uses $W_i$ instead of R, proceeds with the signcryption, and sends $(W_i, C, s)$ to Bob. Consequently, Bob computes $K = d_B W_i = (x_K, y_K)$ and performs the unsigncryption. Finally, when Bob sends the confirmation message $M'$ and its corresponding tag $z = \mathrm{MAC}_{x_K}(M')$ to Alice, due to the small order of the point $W_i$, Alice can easily determine a point $K' \in \langle W_i \rangle$ satisfying $z = \mathrm{MAC}_{x_{K'}}(M')$. Hence, with at most $g_i/2$ trials, Alice can find $d_{g_i}$ such that $d_{g_i}^2 \equiv d_B^2 \pmod{g_i}$ (only the x-coordinate keys the MAC, and $K'$ and $-K'$ share it, so $d_B \bmod g_i$ is recovered up to sign). She selects other points $W_i$ of different orders $g_i$ and repeats the above-mentioned procedure. The orders of the selected points $W_i$ should be relatively prime, so we should have $\gcd(g_i, g_j) = 1$ for $i \neq j$. Such points can be selected from different invalid curves. Each round of the attack gives $d_{g_i}^2 \equiv d_B^2 \pmod{g_i}$. Ultimately, Alice finds the private key of Bob using the Chinese Remainder Theorem (CRT) [12], while Bob is unaware that such an attack is taking place.

6) HYH is vulnerable to the Unknown Key-Share (UKS) attack. In a UKS attack [16], two parties compute the same session key but have different views of their peers in the key exchange. In a UKS attack, an adversary interferes with Alice's and Bob's communication so that Alice correctly believes that her session key is shared with Bob, while Bob mistakenly believes that the session key is shared with another entity. This can be accomplished whenever Mallory can convince one of the honest parties that he knows the session key. Further discussion of practical attack scenarios and of the significance of the UKS attack is provided in [17]. The UKS attack is feasible when a key exchange protocol fails to provide an authenticated binding between the session key and the identifiers of the honest entities. Since neither the private key nor the identifier of Alice is involved in the session key derivation function of HYH, it has no resilience to the UKS attack.

7) The domain parameters of HYH are not precisely specified. In practice, there are several considerations that should be taken into account when selecting the domain parameters of elliptic curves, in order to thwart several potential attacks on elliptic curve-based schemes [18]. Such considerations are absent from the domain parameter specification of HYH, which can make it vulnerable to several kinds of attacks if the implementer unknowingly selects domain parameters that violate such unstated conditions. Indeed, to thwart the small subgroup attacks [7], the point G should be of
prime order n and we should have $n > 4\sqrt{q}$ [9], but these are not considered in HYH, which can make it vulnerable to the small subgroup attack. Furthermore, to protect against other known attacks on special classes of elliptic curves, n should not divide $q^i - 1$ for all $1 \le i \le f$ (f = 20 suffices in practice [19]), $n \neq q$ should be satisfied, and the curve should be non-supersingular [9]. These considerations are also not taken into account in HYH.

8) There is no provision for key control in HYH, so the plaintext may be encrypted with a weak or even an all-zero key. There is also no check for $K \neq \mathcal{O}$.

9) Although it is not claimed in [4] that HYH provides forward secrecy of message confidentiality, we found it noteworthy to point out that HYH does not provide such an attribute. Outsider and insider security are two notions of security that are usually considered for signcryption. While outsider security assumes that the adversary is neither the sender nor the recipient, insider security allows the adversary to be the sender or the recipient. Forward secrecy of message confidentiality is an attribute that is provided through insider security. One may think that HYH provides such an attribute since its message confidentiality relies on two secret factors: the long-term private key of Alice ($d_A$) and the ephemeral random number r. However, anyone who has $d_B$ can simply recover the signcrypted text, and once $d_A$ is known the corresponding random number r follows as
$r = s^{-1}(H(M) + x_R d_A) \bmod n$.
When $d_A$ is revealed, Mallory, who has obtained $d_A$, may also request Bob to compute the corresponding r for him, so that he can simply recover the signcrypted text without any need for knowledge of $d_B$. Regardless of its practical benefits, this invalidates the definition of forward secrecy of message confidentiality.

4. Conclusions

The security of Han et al.'s signcryption scheme [4] is analyzed in this paper, and it is proved that it has many security flaws. Several devastating attacks on the scheme are also introduced, whereby it fails all the desired and essential security attributes of a signcryption scheme. It is proved that the most important security vulnerability of Han et al.'s scheme is due to its weak session key establishment, while it encrypts messages by a simple XOR, and to the fact that it does not take into account many essential considerations that should be observed in elliptic curve and public key cryptography. There are also other shortcomings that were explained throughout the paper.

References

[1] Y. Zheng, "Digital signcryption or how to achieve Cost (Signature & Encryption) << Cost (Signature) + Cost (Encryption)," Advances in Cryptology – CRYPTO'97, LNCS 1294, pp.165-179, Springer-Verlag, 1997.
[2] H.Y. Jung, K.S. Chang, D.H. Lee, and J.I. Lim, "Signcryption schemes with forward secrecy," Proceedings of Information Security Applications – WISA 2001, pp.403-475, 2001.
[3] Y. Zheng, and H. Imai, "How to construct efficient signcryption schemes on elliptic curves," Information Processing Letters, Vol.68, pp.227-233, Elsevier Inc., 1998.
[4] Y. Han, X. Yang, and Y. Hu, "Signcryption Based on Elliptic Curve and Its Multi-Party Schemes," Proceedings of the 3rd ACM International Conference on Information Security (InfoSecu'04), pp.216-217, 2004.
[5] J. Baek, R. Steinfeld, and Y. Zheng, "Formal Proofs for the Security of Signcryption," Journal of Cryptology, Vol.20, pp.203-235, 2007.
[6] M. Toorani, and A.A. Beheshti Shirazi, "Cryptanalysis of an efficient signcryption scheme with forward secrecy based on elliptic curve," Proceedings of 2008 International Conference on Computer and Electrical Engineering (ICCEE'08), pp.428-432, IEEE Computer Society, Phuket, Thailand, Dec. 2008.
[7] D. Hankerson, A. Menezes, and S. Vanstone, "Guide to Elliptic Curve Cryptography," Springer-Verlag, New York, 2004.
[8] M. Toorani, and A.A. Beheshti Shirazi, "LPKI - A Lightweight Public Key Infrastructure for the Mobile Environments," Proceedings of the 11th IEEE International Conference on Communication Systems (IEEE ICCS'08), pp.162-166, Guangzhou, China, Nov. 2008.
[9] L. Law, A. Menezes, M. Qu, J. Solinas, and S. Vanstone, "An efficient Protocol for Authenticated Key Agreement," Journal of Designs, Codes and Cryptography, Vol.28, pp.119-134, 2003.
[10] H. Krawczyk, "HMQV: A high-performance secure Diffie-Hellman protocol," Advances in Cryptology – CRYPTO'05, LNCS 3621, pp.546-566, Springer-Verlag, 2005.
[11] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, "Relations among notions of security for public-key encryption schemes," Advances in Cryptology – CRYPTO'98, LNCS 1462, pp.26-46, Springer-Verlag, 1998.
[12] D.R. Stinson, “Cryptography-Theory and
Practice,” 3rd edition, Chapman & Hall/CRC,
2006.
[13] A. Antipa, D. Brown, A. Menezes, R. Struik, and
S. Vanstone, “Validation of elliptic curve public
keys,” Advances in Cryptology–PKC'03, LNCS
2567, pp.211-223, Springer-Verlag, 2003.
[14] C. Adams, and S. Farrell, “Internet X.509 Public
Key Infrastructure: Certificate Management
Protocols,” RFC 2510, March 1999. Available at:
http://www.ietf.org/rfc/rfc2510.txt
[15] M. Myers, C. Adams, D. Solo, and D. Kemp,
“Internet X.509 Certificate Request Message
Format,” RFC 2511, March 1999. Available at:
http://www.ietf.org/rfc/rfc2511.txt
[16] S. Blake-Wilson, and A. Menezes, “Unknown
Key-Share Attacks on the Station-to-Station (STS)
Protocol,” Advances in Cryptology–PKC’99,
LNCS 1560, pp.154-170, Springer-Verlag, 1999.
[17] B. Kaliski, “An unknown key-share attack on the
MQV key agreement protocol”, ACM
Transactions on Information and System Security
(TISSEC), Vol.4, No.3, pp. 275-288, 2001.
[18] M. Toorani, and A.A. Beheshti Shirazi, “SSMS -
A Secure SMS Messaging Protocol for the M-
payment Systems,” Proceedings of the 13th IEEE
Symposium on Computers and Communications
(ISCC'08), pp.700-705, July 2008.
[19] ANSI X9.62, “The Elliptic Curve Digital
Signature Algorithm (ECDSA),” 1999.