Security Vulnerabilities of Four Signature Schemes From NTRU Lattices and Pairings

Certiﬁcateless cryptography solves the certiﬁcate management problem in public-key cryptography and the key-escrow problem in identity-based cryptography. Xie et al. proposed a certiﬁcateless signature scheme using NTRU lattices. They proved that their scheme was existential unforgeable for Type I and Type II adversaries under the intractability of the Small Integer Solution (SIS) problem on NTRU lattices in the random oracle model. Subsequently, Hung et al. proposed a revocable certiﬁcateless signature scheme on NTRU lattices that gave a revocation method via public channels to revoke illegal or compromised users. They also proved that their scheme was existential unforgeable for Type I, Type II and Type III adversaries under the intractability of the SIS problem. Recently, Wang et al. proposed a certiﬁcateless aggregate signature scheme from bilinear pairings and Rezaeibagha et al. proposed a new lightweight certiﬁcateless scheme for Industrial Internet of Things from bilinear pairings. The security of their schemes was proven for Type I and Type II adversaries under the intractability of some mathematical problems. In this paper, we show that the two schemes on NTRU lattices are insecure against Type I or Type II adversaries. We also point out invalidity of Wang et al. ’s scheme and vulnerability of Rezaeibagha et al. ’s scheme against Type I attacks. We then suggest some improvements to prevent our attacks.


I. INTRODUCTION
Public-key cryptography using a random string as a public key needs authentication of the public key. The authentication of the public key is realized by a public key certificate issued from a Certificate Authority in Public-Key Infrastructure (PKI). PKI suffers from the certificate management problem including distribution, computational overhead for certificate verification and revocation. To solve the problem, Shamir [12] proposed the concept of identity (ID)-based cryptography, where users' public keys can be calculated from unique identity information. Since Key Generation Center (KGC) or Private Key Generator (PKG) with a master secret key generates users' private keys in ID-based schemes, the schemes cause the key-escrow problem. To solve the certificate management problem in public-key cryptography and the key-escrow problem identity-based cryptography, The associate editor coordinating the review of this manuscript and approving it for publication was Tyson Brooks .
Al-Riyami and Paterson [1] proposed a new concept of certificateless cryptography. Certificateless cryptography solves the problems by generating users' secret keys as the combination of some user-chosen secret values and secret information of KGC with a master secret key.
Signature schemes, GGH [4] and NTRUSign [5], using NTRU lattices were proposed, but were completely broken in [10] due to the leakage of some secret information for their lattice trapdoors. To prevent such a leakage, Gentry et al. [3] proposed a new signature scheme (GVP scheme) secure under the hardness assumptions of worstcase lattice problems. At Eurocrypt 2012, Lyubashevsky and Micciancio [8] gave an efficient signature scheme based on the Short Integer Solution (SIS) problem and the LWE problem with security reductions to the worst-case assumptions in general lattices. Lyubashevsky's scheme was constructed from the Fiat-Shamir transformation and its signing algorithm required sampling from discrete Gaussian. Lyubashevsky [9] proposed a more efficient signature scheme VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ using the rejection sampling technique for signing. There have been proposed ID-based signature schemes [13], [15] and a certificateless signature scheme [14] using the GPV scheme [3] to extract users' partial private keys. To improve efficiency, Xie et al. [18] proposed a new CLS scheme on NTRU lattices and proved its existential unforgeability against Type I and Type II adversaries under the intractability of the SIS problem on NTRU lattices in the random oracle model. Huang et al. [7] proposed a revocable CLS (RCLS) scheme on NTRU lattices that gave a revocation method via public channels to revoke illegal or compromised users.   [2] and a ring variant of Lyubashevsky's signature scheme [9].

1) HUNG et al.'s REVOCABLE CLS SCHEME
Huang et al. [7] constructed a revocable CLS (RCLS) scheme on NTRU lattices. In Hung et al.'s RCLS scheme, a user's private key consists of a partial private key, a secret value and a time update key. The user selects the secret value and KGC generates the partial private key from the user's identity. KGC also generates the time update keys periodically and transmits them to normal users through a public channel. If KGC wants to revoke illegal or compromised users then KGC stops producing new time update keys corresponding to the users. The scheme consisting of eight polynomial-time algorithms runs as follows: • Setup: For a security parameter N and three positive integers (s, σ, λ), -KGC selects a prime number q and performs TrapGen(q, N ) in [2] to get and a short basis -KGC selects a 1 , a 2 ∈ Z N q as a system public key and sets S KGC = B as a system secret key.
-KGC selects three collision-resistant hash functions -KGC publishes the public parameters as • Partial private key extract: For a user identity ID ∈ {0, 1} * , -KGC generates a partial private key D ID = (s 1 , s 2 ) such that and (s 1 , s 2 ) < s √ 2N by performing SampleGau(B, s, (P ID , 0)) in [2], where P ID is the first partial public key.
-Then KGC sends D ID = (s 1 , s 2 ) to the user securely.
• Time key update: For a time period t and a user identity ID, -KGC calculates a time update key such that and (s 2 , s 4 ) < s √ 2N by performing SampleGau(B, s, (T ID , 0)) in [2]. -Then, KGC transmits the time update key T ID,t = (s 3 , s 4 ) to the user through a secure channel.
• Set secret value: For an identity ID, -A user with ID selects random values (s 5 , s 6 ) uniformly from {−d, · · · , d} and sets S ID = (s 5 , s 6 ) as a secret value, where 1 ≤ d ≤ 31. -The user computes R ID = a 1 * s 5 + a 2 * s 6 as a second partial public key.
• Set private key: A user with ID sets SK ID = (D ID , T ID,t , S ID ) as the private key.
• Set public key: A user with ID sets PK ID = (P ID , R ID ) as the public key.
-If no such (z 1 , z 2 , z 3 , z 4 , z 5 , z 6 ) is generated, repeat this algorithm. This procedure is the rejection sampling technique. At last, a constant M = O(1) is determined so that a signature (z 1 , z 2 , z 3 , z 4 , z 5 , z 6 ) can be produced with probability , 1), as in the ring variant of Lyubashevsky's signature scheme [9], where • Verify: For a signature (z = (z 1 , z 2 , z 3 , z 4 , z 5 , z 6 ), c) on a message µ associated to ID, a verifier checks the following equality If it holds, output valid.

2) XIE et al.'s CLS SCHEME
Xie et al. [18] constructed a provably secure CLS scheme on NTRU lattices. Their CLS scheme consisting of seven polynomial-time algorithms runs as follows: • Setup: KGC generates a mater secret key and a master public key as in Hung et al.'s RCLS scheme.
-KGC sets msk = B as the master secret key and mpk = h as the master public key.
• Partial private key extract(msk, id): For a user identity id ∈ {0, 1} * , -KGC with the master secret key msk generates a partial private key (s 1 , s 2 ) by running Sample-Gau(B, s, (H (id), 0)) in [2]. Then KGC sends (s 1 , s 2 ) to the user via a secure way. -After receiving (s 1 , s 2 ), the user checks the following equations If they hold, the user accepts (s 1 , s 2 ) as the partial private key d id .
• Set secret value(id): A user with id picks random values s 1 , s 2 ∈ D Z n ,s and returns s id = (s 1 , s 2 ) as a secret value.
• Set private key(d id , s id ): A user with id is sets sk id = (d id , s id ) as a full private key.
• Set public key(sk id ): A user with id sets pk id = s 1 + s 2 * h as a public key.
• CL-Verify: Given a signature sig = (e, z = (z 1 , z 2 , z 1 , z 2 )) on a message µ for {id, pk id }, a verifier checks the following equalities If they hold then output valid. schemes. Adversaries in RCLS schemes consist of the following three Types [6], [16]: • Type I adversary (outsider): An adversary knows the secret value and the time update key of any user obtained by replacing the associated public key and listening to the public channel.
• Type II adversary (honest-but-curious KGC): An adversary knows the time update key and the partial private key of any user, but it cannot know the secret value associated to the user.
• Type III adversary (revoked user): An adversary knows the secret value and the partial private key of any user, but it cannot know the current time update key associated to the user. An RCLS scheme is existential unforgeable against adaptive chosen-message attacks if a polynomial-time adversary A wins the following RCLS-UF-ACMA game between A and a challenger C with a non-negligible advantage: • Setup. The challenger C generates the public parameters Parms and the system secret key S KGC which is kept secret for C.
-KGC is the challenger C for Type I and III adversaries. -The honest-but-curious KGC is a Type II adversary.
Thus, A knows the system secret key S KGC and can calculate the time update key and the partial private key of any user.
• Queries. A makes the following queries to C adaptively: -Partial private key extract queries (ID). For a query associated to a user identity ID, C returns the partial private key D ID to A after running the partial private key extract algorithm. -Time key update queries (ID, t). For a query associated to a time period t and a user identity ID, C returns the time update key T ID,t to A after running the time key update algorithm. -Secret value queries (ID). For a query associated to a user identity ID, C returns the user secret value S ID to A after running the set secret value algorithm. -Public key queries (ID). For a query associated to a user identity ID, C returns the user public key PK ID to A. -Public key replacement queries (ID, PK ID ). For a query associated to a user identity ID and a new public key PK ID , C keeps such replacement in the list. -Sign queries (ID, PK ID , m, t). For a query on a message m associated to a user identity ID, and a time period t, C runs the sign algorithm to generate a signature z on m and outputs z to A.
• Forgery. At last, the challenger C outputs (ID * , PK ID , m * , z * , t * ), where ID * is a target identity. C wins the RCLS-UF-ACMA game if the conditions are satisfied: -(ID * , m * , t * ) was never requested to the signing queries. -(ID * , PK ID , m * , z * , t * ) in the Verify algorithm is valid. -For a Type I adversary C, ID * was never requested to the partial private key extract queries. -For a Type II adversary C, ID * was never requested to the public key replacement queries and the secret value queries. -For a Type III adversary C, (ID * , t * ) was never requested to the time key update queries.
We first show that Hung et al.'s scheme is vulnerable to Type I attacks.
Type I Attacks on Hung et al.'s Scheme. Let A I be a Type I adversary who knows the time update key and the secret value of any user. After getting a signature (z, c) of a message µ for (ID, t, PK ID ) from a sign query, A I intends to generate a new signature (z , c) of the same message µ associated to (ID, t , PK ID ), where t is a new time period and PK ID is the replaced public key.
• Then, it is a valid certificateless signature on the message µ for (ID, t , PK ID ) since it passes the verification equation as = H 2 (y 1 + h * y 2 , y 3 + h * y 4 , a 1 * y 5 + a 2 * y 6 , µ). In fact, the above equation holds since the computed value in the inputs of the hash function in the two different signatures is the same as (y 1 + h * y 2 , y 3 + h * y 4 , a 1 * y 5 + a 2 * y 6 , µ). Thus, the hashed value c in the two signatures is the same.
• Consequently, the adversary A I succeeds in forging a certificateless signature of the same message µ associated to (ID, t , PK ID ) without using the partial private key related to ID. It is a valid forgery in the Game of Type I adversary since (ID, µ, t ) was never requested to the signing queries and ID was never requested to the partial private key extract queries.
Our attack is meaningful since signing on the same message for different time periods or different public keys can occur frequently. Our attack uses the fact that the value, y 1 + h * y 2 , y 3 + h * y 4 , a 1 * y 5 + a 2 * y 6 and µ being hashed are all the same in the signatures on the same message for different time periods or different public keys.
• The Type I adversary in our attack uses a signature z on µ for (ID, t, PK ID ) for generating a new signature on the same message and the same identity for the different time period and different public key, (ID, t , PK ID ).
• In the attack, despite the use of the different public key and the different time period, the values, y 1 + h * y 2 , y 3 + h * y 4 , a 1 * y 5 + a 2 * y 6 and the message µ, are the same in the resulting signatures. In secure CLS schemes, the adversaries cannot forge valid signatures on (µ, ID, t , PK ID ) from known signature on (µ, ID, t, PK ID ).

2) ATTACKS ON XIE et al.'s CLS SCHEME
We present Type II attacks on Xie et al.'s scheme.

Type II Attacks on Xie et al.'s Scheme.
Let A II be a Type II adversary with the master secret key msk. After getting a signature sig of a message µ for (id, pk id ), A I intends to generate a new signature sig of the same message µ for (î d, pk id ), whereî d is a new identity.
• Next, A II can compute since A II knows the partial private key (s 1 , s 2 ) such that s 1 + h * s 2 = H (id) from the master secret key msk.
• Then, it is a valid signature on the message µ for (î d, pk id ) since it passes the verification equation as = H 2 (y 1 + y 2 * h, y 1 + y 2 * e, µ). In fact, the above equation holds since the computed values in the inputs of the hash function in the two different signatures are the same as (y 1 + y 2 * h, y 1 + y 2 * e, µ). The hashed value e in the two different signatures is the same.
• Consequently, A II succeeds in forging a valid certificateless signature on the message µ for (î d, pk id ) without the knowledge of the user secret key. It is a valid forgery in the Game of Type II adversary since (î d, µ) was never requested to the signing queries andî d was never requested to the secret value queries and the public key replacement queries.

1) WANG et al.'s CLAS SCHEME
• Setup: Given a security parameter l, KGC performs as follows: -Choose an additive group G 1 and a multiplicative group G 2 with the same prime order q and P a generator of G 1 . -Choose a bilinear pairing e : G 1 × G 2 → G 2 and three cryptographic secure hash functions H 1 : -Choose a master secret key s as and calculate P pub = sP as a master public key, where s is used for partial key extraction. -Publish < l, q, e, G 1 , G 2 , P, H 1 , H 2 , H 3 , P pub > as the system parameters and store the master key s secretly. -DC generates its secret/public key as (S DC , PK DC ), where PK DC = S DC · P.
• UserRegistration: This algorithm generates the client C i 's public key and full private key.
-C i with an identity ID i chooses a secret key S i1 randomly and calculates a public key PK i1 = S i1 ·P.
Then C i sends (ID i , PK i1 ) to KGC via a secure channel. -After receiving (ID i , PK i1 ) from C i , KGC calculates PK i2 = H 1 (ID i , PK i1 ) and S i2 = sPK i2 . Then KGC stores the tuple (ID i , PK i1 , PK i2 , S i2 ) and sends (S i2 , PK i2 ) to C i through a secure way. After that C i sets (S i1 , S i2 ) as a private key.
• Signing: For healthsensing data m i and a private key (S i1 , S i2 ), C i does the followings: -Choose a random value k i and calculate • Verification: On the receipt of (U i , V i , SN i , m i , t i ) from C i , if t i is invalid then DC rejects it. Otherwise, DC does the followings: -DC first decrypts SN i by using s DC as D S DC (SN i ) = ID i ||W i and calculates PK i2 = H 1 (ID i , PK i1 ) and If it holds, output valid.
• Aggregation: After receiving < (U 1 , V 1 , SN 1 , m 1 , t 1 ), · · · , (U n , V n , SN n , m n , t n ) > from a set of identities {ID i } n i=1 and a set of public keys {PK i1 } n i=1 , an aggregator calculates Then (U , V , W , PK ) is an aggregate authentication message on all health sensing data {m i } n i=1 . • Aggregate Verification: From an aggregate signature (U , V , W , PK ), DC checks the equality e(U , P) = e(V , P pub )e(PK , W ).
It it is valid, DC uploads the data.

2) REZAEIBAGHA et al.'s CLS SCHEME
Rezaeibagha et al. [11] proposed a new lightweight CLS scheme for Industrial Internet of Things (IIoT). They proved its unforgeability for the Type I and II adversities under the hardness assumption of the q-BSDH problem. The q-BSDH problem is: given g, g x , g x 2 , · · · , g x q , find (c, e(g, g) 1 x+c ). Their scheme runs as follows: • Set-Partial-Private-Key(params, msk, ID i ). From the master secret key s, params and a user's identity ID i and, KGC calculates Then d i is a partial private key for the user with ID i . If it satisfies the following equations then the user accepts it, e(d i , g) = e(g i , Y KGC ).
• Set-Secret-Value(ID i ). From params and a user's identity ID i , output a secret key SK i = x i for a random x i ∈ Z p .
• Set-Public-Key(x i , ID i ). From params, a user's identity ID i , the master secret key s and the secret value x i , output a user public key • CLS-Sign(params, SK i , d i , m). From params, the secret key (SK i , d i ) and a message m ∈ Z p , select r ∈ R Z p , calculate

1) INVALIDITY OF WANG et al.'s CLAS SCHEME
Wang et al. [17] claimed that their Aggregate Verification was correct as: = e(V , P pub )e(PK , W ). However, the above equality is not correct since n i=1 e(PK i1 , W i ) = e(PK , W ).
, e is bilinear map and P pub is a fixed point. However, in the calculation of e(PK , W ), we have from the bilinearity of e on the left side or from the bilinearity of e on the right side. Thus, Thus, A I knows the secret value x .
• After replacing the public key, A I obtains a signature σ = (r, S) on m from the signing oracle, where • Then A I can obtain the partial private key g s i by computing from the values x , r and S.
• At last, A I who knows the value g s i picks a random value r ∈ Z * p and generates a signature σ = (r , S ) on a new message m , where Then it is valid signature since it passes the verification equation as In our attack, since the random value r in the signature is known, the adversary who knows the secret key x can compute the partial private key g s i corresponding to ID i from the known signature. Therefore, the adversary who knows both the secret key x and the partial private key g s i can forge signatures on new messages. If the value r is hidden then our attack cannot work.

IV. SOME IMPROVEMENTS A. IMPROVEMENTS ON THE CLS SCHEMES FROM NTRU LATTICES
Now, we suggest an improved version of the RCLS scheme to prevent our attacks. Our attacks are meaningful since signing on the same message at different time periods or different public keys can occur frequently. The vulnerabilities of the CLS schemes against our attacks are due to the fact that the values, y 1 + h * y 2 , y 3 + h * y 4 , a 1 * y 5 + a 2 * y 6 and µ being hashed are all the same although different time periods and different public keys used in the signing on the same message. They can be prevented by binding a signature with the public key, the identity and the current time period to the input being hashed. It can be achieved by simple modifications in Sign and Verify of Huang et al.'s RCLS scheme as: • Sign: Given a message µ ∈ {0, 1} * , a signer with the private key chooses random values y 1 , y 2 , y 3 , y 4 , y 5 , y 6 by the distribution D N σ and computes c = H 2 (y 1 + h * y 2 , y 3 + h * y 4 , a 1 * y 5 + a 2 * y 6 , µ, ID, PK ID , t), z 1 = y 1 + s 1 * c, z 2 = y 2 + s 2 * c, z 3 = y 3 + s 3 * c, z 4 = y 4 + s 4 * c, z 5 = y 5 + s 5 * c, z 6 = y 6 + s 6 * c.
If it holds, output valid.
• Adding the related information (ID, t, PK ID ) into the input of the hash function H 2 plays an important role in binding a signature with the public key, the identity and the current time period. Thus, the hashed values for (µ, ID, t, PK ID ) and (µ, ID, t , PK ID ) are all different, so our attack cannot work any more. The same method can be applied to Xie et al.'s CLS scheme.

B. IMPROVEMENTS ON THE CLS SCHEMES FROM PAIRINGS
In our attack on Rezaeibagha et al.'s scheme, the known random value r in the signature makes the partial private key g s i recovered, thus, hiding r can prevent our attack. It can be achieved by simple modifications in Sign and Verify of the scheme as: If it is valid, accept the signature.

V. CONCLUSION
We showed that Huang et al. '