
On the security of a certificateless online/offline signcryption for Internet of Things

Wenbo Shi & Neeraj Kumar & Peng Gong & Naveen Chilamkurti & Hangbae Chang
Received: 2 January 2014 / Accepted: 14 January 2014
© Springer Science+Business Media New York 2014
Abstract With the development of Internet of Things (IoT) applications, information security and user privacy protection in the IoT have attracted wide attention across the globe. To address this problem, Luo et al. proposed an efficient certificateless online/offline signcryption (COOSC) scheme for the IoT and showed that it is provably secure in the random oracle model. In this paper, however, we show that their scheme suffers from a private key compromise problem: an adversary can recover a user's private key from a single intercepted message. The analysis shows that Luo et al.'s scheme is not suitable for the IoT.
Keywords Internet of Things · Certificateless cryptography · Online/offline signcryption · Bilinear pairing
1 Introduction
The Internet of Things (IoT) is the interconnection of highly heterogeneous networked entities and networks, such as human-to-human, human-to-thing, thing-to-thing or thing-to-things [1]. With the development of communication technology, the IoT has been widely used in various fields such as military surveillance, medical care and industrial control.
With the wide application of the IoT, how to provide secure communication has become a matter of wide public concern. To address it, many schemes, such as key management schemes [2], location privacy protection schemes [3] and signcryption schemes [4], have been proposed for different applications. Compared with other primitives, an online/offline signcryption scheme is particularly suitable for the IoT, since it provides authentication, confidentiality, non-repudiation and integrity simultaneously. Its performance is also much better, since most of the computation is done in the offline phase.
The concept of signcryption was proposed by Zheng [5]. In such a scheme, a user signs and encrypts a message in a single operation, which makes it well suited to low-power devices. Since then, many public key infrastructure (PKI)-based and identity (ID)-based schemes [6–8] have been proposed for different applications. To improve performance further, the online/offline paradigm introduced by Even et al. [9] (originally for digital signatures) was applied to signcryption, giving offline/online signcryption (OOSC) schemes. In such a scheme the whole process is split into two phases, an offline phase and an online phase. In the first phase, most of the expensive computation is done without knowing the message or the receiver's information; only very light computation remains for the second phase. Therefore, OOSC schemes are well suited to low-power devices. Zhang et al. [10] proposed the first PKI-based OOSC scheme with provable security. For ID-based environments, Sun et al. [11] proposed the first ID-based OOSC scheme and showed that it is provably secure in the random oracle model. Unfortunately, Liu et al. [12] found that the previous schemes [9–11] are not real OOSC schemes, since the receiver's public key or identity is needed in the offline phase. To solve the problem, Liu et al. also proposed an improved scheme. However, Selvi et al. [13] pointed out that Liu et al.'s scheme cannot provide sender anonymity. Li et al. [14] proposed a more efficient ID-based OOSC scheme using pairings.

W. Shi
Department of Electronic Engineering, Northeastern University at Qinhuangdao, Qinhuangdao, China
e-mail: swb319@hotmail.com
N. Kumar (*)
Computer Science & Engineering, Thapar University, Patiala, India
e-mail: neeraj.kumar@thapar.edu
P. Gong
National Key Laboratory of Mechatronic Engineering and Control, School of Mechatronical Engineering, Beijing Institute of Technology, Beijing, China
e-mail: penggong@bit.edu.cn
N. Chilamkurti
Department of Computer Science and Computer Engineering, La Trobe University, Melbourne, Australia
e-mail: n.chilamkurti@latrobe.edu.au
H. Chang
Department of Business Administration, Sangmyung University, Seoul, South Korea
e-mail: hbchang@smu.ac.kr
Peer-to-Peer Netw. Appl.
DOI 10.1007/s12083-014-0249-3
Recently, certificateless public key cryptography has been widely studied, since it overcomes both the certificate management problem of PKI-based public key cryptography and the key escrow problem of ID-based public key cryptography. Many certificateless key agreement schemes [15–17], certificateless digital signature schemes [18–21] and certificateless encryption schemes [22, 23] have been proposed for different applications. For certificateless environments, Luo et al. [24] proposed the first certificateless online/offline signcryption (COOSC) scheme for the IoT and showed that it is provably secure in the random oracle model. Unfortunately, in this paper we point out that their scheme suffers from a private key compromise problem. The analysis shows that their scheme is not suitable for practical applications.
The rest of the paper is organized as follows. Section 2 gives some preliminaries on bilinear pairings. Section 3 briefly reviews Luo et al.'s scheme. The security analysis of Luo et al.'s scheme is given in Section 4. Finally, Section 5 concludes the paper.
2 Preliminaries
Let $G_1$ be a cyclic additive group and $G_2$ a cyclic multiplicative group, both of prime order $p$. Let $P$ be a generator of $G_1$. A map $e: G_1 \times G_1 \to G_2$ is called a bilinear pairing if it satisfies the following three properties.
1) Bilinearity: for any $Q, R \in G_1$ and $a, b \in Z_p^*$, we have $e(aQ, bR) = e(Q, R)^{ab}$.
2) Non-degeneracy: for the generator $P$ of $G_1$, we have $e(P, P) \neq 1_{G_2}$.
3) Computability: for all $Q, R \in G_1$, there is an efficient algorithm to compute $e(Q, R)$.
The following problems are widely believed to be intractable in polynomial time.
Computational Diffie-Hellman (CDH) problem: given a generator $P$ of $G_1$ and two random points $aP, bP \in G_1$, compute $abP \in G_1$.
Bilinear Computational Diffie-Hellman (BCDH) problem: given a generator $P$ of $G_1$ and three random points $aP, bP, cP \in G_1$, compute $e(P, P)^{abc} \in G_2$.
3 Review of Luo et al.'s scheme
In this section, we briefly review Luo et al.'s COOSC scheme. It consists of six algorithms: Setup, PartialKeyGen, KeyGen, OffSigncrypt, OnSigncrypt and UnSigncrypt, described as follows.
Setup: Taking a security parameter $k$, the KGC executes the following steps to generate the system parameters.
1) Generate a cyclic additive group $G_1$ and a cyclic multiplicative group $G_2$, both of prime order $p$.
2) Choose a generator $P$ of $G_1$ and a bilinear pairing $e: G_1 \times G_1 \to G_2$.
3) Generate a random number $s \in Z_p^*$ as the master secret key and compute the public key $P_{pub} = sP$.
4) Choose three secure cryptographic hash functions $H_1: \{0,1\}^* \to Z_p^*$, $H_2: G_1 \times G_2 \to Z_p^*$ and $H_3: \{0,1\}^* \times G_1 \times G_1 \times G_1 \times G_1 \to Z_p^*$.
5) Publish the system parameters $\{G_1, G_2, e, P, P_{pub}, H_1, H_2, H_3\}$ and keep the master key secret.
PartialKeyGen: Taking a user $U$'s identity $ID_U$, the master key and the system parameters as inputs, the KGC executes the following steps to generate $U$'s partial private key.
1) Compute $h_U = H_1(ID_U)$.
2) Compute the partial private key $D_U = \frac{1}{h_U + s} P$ and the first part of the public key $Q_U = (h_U + s)P = h_U P + P_{pub}$.
KeyGen: Taking a user $U$'s identity $ID_U$, the system parameters, the partial private key $D_U$ and the partial public key $Q_U$ as inputs, $U$ executes the following steps to generate his private key and public key.
1) Generate a random number $x_U \in Z_p^*$ and compute $P_U = x_U P$.
2) Publish the public key $(P_U, Q_U)$ and keep the private key $(x_U, D_U)$ secret.
OffSigncrypt: Taking the system parameters and a sender $A$'s private key $(x_A, D_A)$ as inputs, $A$ executes the following steps to generate an offline signcryption.
1) Generate a random number $x \in Z_p^*$.
2) Compute $T = e(P, P)^x$, $R = xP_{pub}$ and $S = x^{-1}(D_A + P)$.
3) Return $\sigma_{off} = (x, R, S, T)$ as the offline signcryption.
OnSigncrypt: Taking a message $m$, the system parameters, the offline signcryption $\sigma_{off} = (x, R, S, T)$, the sender $A$'s public key $(P_A, Q_A)$ and private key $(x_A, D_A)$ and a receiver $B$'s public key $(P_B, Q_B)$ as inputs, $A$ executes the following steps to generate the full signcryption.
1) Compute the session key $sk = H_2(x_A P_B, T)$ and $y = sk \oplus m$.
2) Compute $h_B = H_1(ID_B)$, $h = H_3(y, P_A, P_B, R, S)$, $u = x(x_A + h) \bmod p$ and $v = x h_B + x_A \bmod p$.
3) Return the full signcryption $\sigma = (y, u, v, R, S)$.
UnSigncrypt: Taking a full signcryption $\sigma = (y, u, v, R, S)$, the sender $A$'s public key $(P_A, Q_A)$, the receiver $B$'s private key $(x_B, D_B)$ and public key $(P_B, Q_B)$ as inputs, $B$ executes the following steps to output a plaintext $m$, or the symbol $\bot$ if $\sigma$ is not a valid signcryption.
1) Compute $h = H_3(y, P_A, P_B, R, S)$.
2) Check whether $e(S, uQ_A) = e(P_A + hP, P + Q_A) = e(P_A, P + Q_A)\, e(P, P + Q_A)^h$ holds. If it does not, return $\bot$.
3) Compute $W = e(vP + R - P_A, D_B)$ and $sk = H_2(x_B P_A, W)$.
4) Return the plaintext $m = sk \oplus y$.
Correctness follows from $vP + R - P_A = x h_B P + x_A P + xsP - x_A P = x(h_B + s)P$, so that $W = e(x(h_B + s)P, \frac{1}{h_B + s}P) = e(P, P)^x = T$ and $x_B P_A = x_A P_B$; hence $B$ derives the same $sk$ as $A$.
4 Cryptanalysis of Luo et al.'s scheme
In this section, we analyze the security of Luo et al.'s COOSC scheme. Because of the openness of the IoT, we assume that the adversary has total control over the channel between the sender and the receiver, i.e., the adversary can freely intercept, modify, delete or insert any message in the channel.
Two types of adversary are considered for COOSC schemes, the Type I adversary $A_1$ and the Type II adversary $A_2$. The Type I adversary can replace any user's public key at will. The Type II adversary has access to the master secret key and can compute the partial private key of any user. Luo et al. demonstrated that their scheme is secure against both types of adversary in the random oracle model. However, we find that a general adversary $C$, who can neither replace the sender $A$'s public key nor compute $A$'s partial private key, can easily obtain $A$'s private key once he gets a single full signcryption. The details of the attack are as follows.
1) $C$ intercepts a full signcryption $\sigma = (y, u, v, R, S)$ sent by the sender $A$, where $y = sk \oplus m$, $u = x(x_A + h) \bmod p$, $v = x h_B + x_A \bmod p$, $R = xP_{pub}$, $S = x^{-1}(D_A + P)$, $sk = H_2(x_A P_B, T)$ and $T = e(P, P)^x$. From public information $C$ computes $h_B = H_1(ID_B)$ and $h = H_3(y, P_A, P_B, R, S)$.
2) Since $u = x(x_A + h) \bmod p$ and $v = x h_B + x_A \bmod p$, $C$ obtains
$$h_B u = x h_B (x_A + h) \bmod p \qquad (1)$$
and
$$v(x_A + h) = x h_B (x_A + h) + x_A (x_A + h) \bmod p. \qquad (2)$$
From (1) and (2), $C$ gets
$$v(x_A + h) = h_B u + x_A (x_A + h) \bmod p, \qquad (3)$$
$$x_A^2 + (h - v) x_A = hv - h_B u \bmod p, \qquad (4)$$
$$x_A^2 + (h - v) x_A + \left(\frac{h - v}{2}\right)^2 = hv - h_B u + \left(\frac{h - v}{2}\right)^2 \bmod p \qquad (5)$$
and
$$\left(x_A + \frac{h - v}{2}\right)^2 = hv - h_B u + \left(\frac{h - v}{2}\right)^2 \bmod p. \qquad (6)$$
3) Using an algorithm for finding square roots modulo a prime [25], $C$ obtains the two roots $z$ and $-z$ of the equation $z^2 = hv - h_B u + \left(\frac{h - v}{2}\right)^2 \bmod p$. (For an honestly generated signcryption the right-hand side is always a quadratic residue, since by (6) it is the square of $x_A + \frac{h - v}{2}$.) $C$ then has the two candidates $x_A' = z - \frac{h - v}{2}$ and $x_A'' = -z - \frac{h - v}{2}$ for the variable $x_A$.
4) $C$ checks whether $x_A' P = P_A$ holds. If it does, $x_A = x_A'$; otherwise $x_A = x_A''$. $C$ can also compute $x = h_B^{-1}(v - x_A) \bmod p$, since $v = x h_B + x_A \bmod p$.
5) Since $S = x^{-1}(D_A + P)$, $C$ obtains $A$'s partial private key by computing $D_A = xS - P$. $C$ thus holds $A$'s full private key $(x_A, D_A)$.
From the above description, the adversary $C$ recovers the sender $A$'s private key $(x_A, D_A)$ from a single intercepted signcryption, without replacing any public key and without the master key. Besides, $C$ can recover the plaintext by computing $T = e(P, P)^x$, $sk = H_2(x_A P_B, T)$ and $m = sk \oplus y$. The root cause is that $u$ and $v$ expose two independent relations between the long-term secret $x_A$ and the same one-time value $x$, which leaves $x_A$ determined up to the sign of a square root, and the public key $P_A$ resolves that sign. Therefore, Luo et al.'s COOSC scheme is not secure for practical applications.
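To make the review of Section 3 and the attack of Section 4 concrete, the following Python script (an added example, not code from this paper or from Luo et al. [24]) simulates the scalar algebra of the scheme and runs the adversary $C$'s steps 2–5 against it. The pairing groups are replaced by an order-$p$ subgroup of $Z_q^*$ in multiplicative notation (the point $aP$ becomes $g^a \bmod q$), which suffices because $C$ never evaluates a pairing; the hash values $h_A$, $h_B$ and $h$ are modelled as random elements of $Z_p^*$; the group order is taken to be the Mersenne prime $2^{61} - 1$, for which $p \equiv 3 \pmod 4$ so the square root of step 3 is $a^{(p+1)/4}$ (a general prime would use Tonelli-Shanks as in [25]); and the XOR of $m$ with $sk$ is omitted since it plays no role in the key recovery. All function names and parameter choices are the example's own.

```python
"""Key recovery of Section 4 run against a simulation of Luo et al.'s COOSC algebra.

Added example, not code from the paper or from Luo et al.  G_1 is replaced by the
order-p subgroup of Z_q^* in multiplicative notation (the point aP is g^a mod q);
the adversary never evaluates a pairing, so each step it performs is exercised
faithfully.  Hash outputs h_A, h_B and h are modelled as random elements of Z_p^*.
"""
import random

P_ORDER = 2**61 - 1   # Mersenne prime M61 as the group order p (note p = 3 mod 4)
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these fixed bases."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(p):
    """Smallest prime q = k*p + 1 and a generator g of the order-p subgroup of Z_q^*."""
    k = 2
    while not is_probable_prime(k * p + 1):
        k += 2
    q, b = k * p + 1, 2
    while pow(b, k, q) == 1:              # b^k has order p unless it is the identity
        b += 1
    return q, pow(b, k, q)

def mod_sqrt(a, p):
    """Square root mod a prime p = 3 (mod 4), or None if a is a non-residue.
    For a general prime use Tonelli-Shanks (the paper's reference [25])."""
    assert p % 4 == 3
    a %= p
    z = pow(a, (p + 1) // 4, p)
    return z if z * z % p == a else None

def keygen(rng, p, q, g, s, h_U):
    """PartialKeyGen + KeyGen: D_U = (1/(h_U + s))P, x_U random, P_U = x_U P."""
    D_U = pow(g, pow(h_U + s, -1, p), q)
    x_U = rng.randrange(1, p)
    return x_U, D_U, pow(g, x_U, q)

def signcrypt(rng, p, q, g, P_pub, x_A, D_A, h_B, h):
    """OffSigncrypt + OnSigncrypt without the pairing T and the XOR with m.
    h stands for H_3(y, P_A, P_B, R, S).  The one-time x is returned only so the
    caller can compare it with what the adversary recovers."""
    x = rng.randrange(1, p)                          # offline randomness
    R = pow(P_pub, x, q)                             # R = x P_pub
    S = pow(D_A * g % q, pow(x, -1, p), q)           # S = x^{-1}(D_A + P)
    u = x * (x_A + h) % p                            # u = x(x_A + h)
    v = (x * h_B + x_A) % p                          # v = x h_B + x_A
    return x, (u, v, R, S)

def recover_sender_key(p, q, g, sigma, h, h_B, P_A):
    """Steps 2-5 of Section 4, using only public values and one signcryption."""
    u, v, _R, S = sigma
    half = (h - v) * pow(2, -1, p) % p                    # (h - v)/2
    z = mod_sqrt((h * v - h_B * u + half * half) % p, p)  # root of (6)
    if z is None:                                         # impossible for an honest sigma
        return None
    for x_A in ((z - half) % p, (-z - half) % p):         # candidates x_A', x_A''
        if pow(g, x_A, q) == P_A:                         # step 4: x_A P = P_A ?
            x = (v - x_A) * pow(h_B, -1, p) % p           # x = h_B^{-1}(v - x_A)
            D_A = pow(S, x, q) * pow(g, -1, q) % q        # D_A = xS - P
            return x_A, x, D_A
    return None

def demo(seed=1):
    """KGC setup, keys for sender A, one signcryption to B, recovery by C."""
    rng = random.Random(seed)
    p = P_ORDER
    q, g = make_group(p)
    s = rng.randrange(1, p)                               # KGC master key
    P_pub = pow(g, s, q)
    h_A, h_B, h = (rng.randrange(1, p) for _ in range(3))  # H_1(ID_A), H_1(ID_B), H_3(...)
    x_A, D_A, P_A = keygen(rng, p, q, g, s, h_A)
    x, sigma = signcrypt(rng, p, q, g, P_pub, x_A, D_A, h_B, h)
    return {"true": (x_A, x, D_A),
            "recovered": recover_sender_key(p, q, g, sigma, h, h_B, P_A)}

if __name__ == "__main__":
    out = demo()
    print("sender's private key recovered:", out["recovered"] == out["true"])
```

Running the script reports whether the recovered $(x_A, x, D_A)$ equals the values the sender actually used. The comparison $x_A P = P_A$ in step 4 is what disambiguates the two roots; the wrong root fails the check and is skipped, which is why the attack needs no interaction with $A$ or with the KGC.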
5 Conclusion
Recently, Luo et al. proposed an efficient COOSC scheme for the Internet of Things and claimed that it is provably secure in the random oracle model. However, after reviewing their scheme and analyzing its security, we have demonstrated that it suffers from a private key compromise problem: a passive adversary recovers the sender's private key from a single signcryption. The analysis shows that their scheme is not secure at all. We do not yet know how to repair the weakness, since designing a secure COOSC scheme is not easy; we hope to complete this task in the near future.
Acknowledgments The authors thank the editors and the anonymous reviewers for their valuable comments. This research was supported by the National Natural Science Foundation of China (no. 61202447), the Natural Science Foundation of Hebei Province of China (no. F2013501066), the Northeastern University at Qinhuangdao Science and Technology Support Program (no. xnk201307), the Beijing Natural Science Foundation (no. 4132055), and the Excellent Young Scholars Research Fund of Beijing Institute of Technology.
Conflict of Interest The author(s) declare(s) that there is no conflict of interest regarding the publication of this article.
References
1. Heer T, Garcia-Morchon O, Hummen R et al (2011) Security challenges in the IP-based Internet of Things. Wirel Pers Commun 61(3):527–542
2. Yan T, Wen QY (2012) A trust-third-party based key management protocol for secure mobile RFID service based on the Internet of Things. Advances in Intelligent and Soft Computing, vol 135. Springer-Verlag, Berlin, pp 201–208
3. Liu J, Hu X, Wei ZQ et al (2012) Location privacy protect model based on positioning middleware among the Internet of Things. In: Proceedings of Computer Science and Electronics Engineering, Hangzhou, China, pp 288–291
4. Zhou X, Jin Z, Fu Y et al (2011) Short signcryption scheme for the Internet of Things. Informatica 35:521–530
5. Zheng Y (1997) Digital signcryption or how to achieve cost(signature & encryption) ≪ cost(signature) + cost(encryption). In: Goos G, Hartmanis J, van Leeuwen J (eds) Advances in Cryptology – CRYPTO 1997, LNCS, vol 1294. Springer-Verlag, Berlin, pp 291–312
6. An JH, Dodis Y, Rabin T (2002) On the security of joint signature and encryption. In: Knudsen LR (ed) Advances in Cryptology – EUROCRYPT 2002, LNCS, vol 2332. Springer-Verlag, Berlin, pp 83–107
7. Malone-Lee J (2002) Identity based signcryption. Cryptology ePrint Archive, Report 2002/098, http://eprint.iacr.org/2002/098
8. Libert B, Quisquater JJ (2003) A new identity based signcryption scheme from pairings. In: 2003 IEEE Information Theory Workshop, Paris, France, pp 155–158
9. Even S, Goldreich O, Micali S (1996) On-line/off-line digital signatures. J Cryptol 9(1):35–67
10. Zhang F, Mu Y, Susilo W (2005) Reducing security overhead for mobile networks. In: Proceedings of Advanced Information Networking and Applications, Taipei, Taiwan, pp 398–403
11. Sun D, Huang X, Mu Y, Susilo W (2008) Identity-based online/offline signcryption. In: Proceedings of Network and Parallel Computing, Shanghai, China, pp 34–41
12. Liu JK, Baek J, Zhou JY (2011) Online/offline identity-based signcryption re-visited. In: Proceedings of Information Security and Cryptology, LNCS, vol 6584. Springer-Verlag, Berlin, pp 36–51
13. Selvi SSD, Vivek SS, Rangan CP (2010) Identity based online/offline signcryption scheme. Cryptology ePrint Archive, http://eprint.iacr.org/2010/376.pdf
14. Li FG, Khan MK, Alghathbar K, Takagi T (2012) Identity-based online/offline signcryption for low power devices. J Netw Comput Appl 35:340–347
15. He D, Chen Y, Chen J et al (2011) A new two-round certificateless authenticated key agreement protocol without bilinear pairings. Math Comput Model 54(11):3143–3152
16. He D, Chen J, Hu J (2012) A pairing-free certificateless authenticated key agreement protocol. Int J Commun Syst 25(2):221–230
17. He D, Padhye S, Chen J (2012) An efficient certificateless two-party authenticated key agreement protocol. Comput Math Appl 64(6):1914–1926
18. He D, Chen J (2013) An efficient certificateless designated verifier signature scheme. Int Arab J Inf Technol 10(4):317–324
19. He D, Chen Y, Chen J (2013) An efficient certificateless proxy signature scheme without pairing. Math Comput Model 57(9–10):2510–2518
20. He D, Huang B, Chen J (2013) New certificateless short signature scheme. IET Inf Secur 7(2):113–117
21. He D, Chen J, Zhang R (2012) An efficient and provably-secure certificateless signature scheme without bilinear pairings. Int J Commun Syst 25(11):1432–1442
22. Sun Y, Zhang F (2010) Secure certificateless encryption with short ciphertext. Chin J Electron 19(2):313–318
23. Sun Y, Li H (2010) Short-ciphertext and BDH-based CCA2 secure certificateless encryption. Sci China Inf Sci 53(10):2005–2015
24. Luo M, Tu M, Xu J (2013) A security communication model based on certificateless online/offline signcryption for Internet of Things. Security and Communication Networks, doi:10.1002/sec.836
25. Turner SM (1994) Square roots mod p. Am Math Mon 101(5):443–449
Peng Gong is with the National Key Laboratory of Mechatronic Engineering and Control, School of Mechatronical Engineering, Beijing Institute of Technology, Beijing, China (e-mail: penggong@bit.edu.cn). He received the B.S. degree in Mechatronic Engineering from Beijing Institute of Technology, Beijing, China, in 2004, and the M.S. and Ph.D. degrees from Inha University, Korea, in 2006 and 2010, respectively. In July 2010, he joined the School of Mechatronical Engineering, Beijing Institute of Technology, China. His research interests include link/system level performance evaluation and radio resource management in wireless systems, network security, and next generation wireless systems such as 3GPP LTE, UWB, MIMO and cognitive radio.
Wenbo Shi received the M.S. degree from the Inha University, Incheon,
South Korea, in 2007 and the Ph.D. degree from the Inha University,
Incheon, South Korea, in 2010. Later, he joined School of computer and
communication engineering, Northeastern University at Qinhuangdao,
China. His main research interests include cryptography, network security
and so on.
Dr. Neeraj Kumar is working as an Assistant Professor in the Department of Computer Science and Engineering, Thapar University, Patiala, Punjab (India). He received his Ph.D. in CSE from Shri Mata Vaishno Devi University, Katra (India) and a PDF from the UK. He has more than 100 publications in peer-reviewed journals and conferences including IEEE, Elsevier and Springer. His research is focused on mobile computing, parallel/distributed computing, multiagent systems, service-oriented computing, and routing and security issues in wireless ad hoc, sensor and mesh networks. He leads the Mobile Computing and Distributed System Research Group. Prior to joining SMVDU, Katra, he worked with HEC Jagadhri and MMEC Mullana, Ambala, Haryana, India. He has delivered invited talks and lectures at various IEEE international conferences in India and abroad, and has organized special sessions at international conferences in his area of expertise in India and abroad. He serves on the TPC of various IEEE-sponsored conferences in India and abroad and is a reviewer/editorial board member of various international journals of repute. He is guest editor of special issues of more than six international journals. He is a senior member of ACEEE and IACSIT.
Naveen Chilamkurti is currently working as a Senior Lecturer at the Department of Computer Science and Computer Engineering, La Trobe University, Australia. He received his PhD from La Trobe University. He is also the inaugural Editor-in-Chief of the International Journal of Wireless Networks and Broadband Technologies, launched in July 2011. He has published about 125 journal and conference papers. His current research areas include intelligent transport systems (ITS), wireless multimedia, wireless sensor networks, vehicle-to-infrastructure and vehicle-to-vehicle communications, health informatics, mobile communications, WiMAX, mobile security, mobile handover and RFID. He currently serves on the editorial boards of several international journals. He is a senior member of IEEE. He is also an Associate Editor for Wiley IJCS, SCN, Inderscience JETWI and IJIPT.
Hangbae Chang is a professor at Sangmyung University. He received his Ph.D. in Information System Management from the Graduate School of Information at Yonsei University, Korea. He has published many research papers in international journals and conferences. He has served as chair, program committee or organizing committee member for many international conferences and workshops, including FutureTech, WCC, ITCS and CSA. His work has been published in journals such as the Journal of Supercomputing, Electronic Commerce Research, EURASIP Journal on Wireless Communications and Networking, Mobile Information Systems, Personal and Ubiquitous Computing and the Journal of Internet Technology. His research interests include issues related to security management and systems in Internet of Things environments.