International Journal of Network Security, Vol.17, No.2, PP.224-228, Mar. 2015 224
Cryptanalysis of Attribute-based Ring
Signcryption Scheme
Hu Xiong, Ji Geng, Zhiguang Qin, and Guobin Zhu
(Corresponding author: Hu Xiong)
School of Computer Science and Engineering & University of Electronic Science and Technology of China
1
No. 4, North Jianshe Road, Chenghua District, Chengdu, Sichuan 610054, China
(Email: xionghu.uestc@gmail.com)
(Received Apr. 8, 2013; revised and accepted Nov. 3, 2014)
Abstract
Signcryption can offer authentication and confidential-
ity simultaneously with better efficiency than traditional
signature-then-encryption approach. Ring signature en-
ables a user to conscribe arbitrarily a group of ring mem-
bers and sign a message on behalf of the ring (which in-
cludes himself) without revealing his real identity. By
integrating the notion of signcryption and ring signature,
ring signcryption has been initialized to leak secrets in
an authenticated and confidential way anonymously. Re-
cently, Guo et al. (Guo Z, Li M, Fan X. Attribute-based
ring signcryption scheme. Security and Communication
Networks, vol. 6, no. 6, pp. 790-796, 2013) proposed a
ring signcryption scheme in attribute-based cryptography.
Furthermore, they claimed that their scheme can satisfy
confidentiality and unforgeability in the random oracle
model. Unfortunately, by giving concrete attacks, we in-
dicate that Guo et al.’s attribute-based ring signcryption
scheme doesn’t provide confidentiality and unforgeability.
Keywords: Attribute-based cryptography; cryptanalysis;
ring signcryption; provable security
1 Introduction
To offer authenticity and confidentiality simultane-
ously with better efficiency than traditional “sign-then-
encrypt” approach, Zheng [24] initially formalized the
notion of signcryption. Since Zheng’s pioneering work,
dozens of signcryption schemes have been proposed fol-
lowing various research lines. Firstly, the existing sign-
cryption scheme can be classified as RSA-based [10], IF-
based [20], elliptic curves-based [21, 25], pairing-based [4],
lattice-based [12] according to the underlying keys. Sec-
ondly, ID-based [3, 5, 6], certificateless [2, 7], self-
certified [13] and certificate-based [15] signcryption also
have b een proposed to simplify the public key certificates
in the traditional public key infrastructure. Thirdly, the
extensions of signcryption have been proposed by inte-
grating the pure signcryption with other cryptographic
primitives, such as ring signcryption [1, 22], group sign-
cryption [11], threshold unsigncryption [14, 23] and proxy
signcryption [17, 18]. The survey of signcryption and re-
lated applications can be found in [8].
As one of the extension of signcryption, ring signcryp-
tion was initially formalized by Huang et al. [1] and al-
lows a signer conscripts a group of ring members and
signcrypts one message on behalf of the ring without
revealing his real identity. Furthermore, the procedure
of signcryption does not need the cooperation of other
ring members. Thus, ring signcryption can be applied in
some concrete applications where authenticity, confiden-
tiality and anonymity receive concern simultaneously. On
the other hand, to use biometric-based identities in the
Identity-based cryptosystem, attribute-based cryptogra-
phy has been proposed in 2005 [19]. Recently, Guo et
al. [9] introduced ring signcryption in the attribute-based
cryptography by integrating the notion of attribute-based
ring signature [16] and attribute-based encryption [19]. In
an attribute-based signcryption, a signer can get its pri-
vate key for attributes set ω from a trusted private key
generator. Then, this signer can signcrypt message on
behalf of a subset ω
0
⊆ ω. Here, all users with this at-
tributes subset ω
0
can be considered as the ring. After
that, a concrete attribute-based ring signcryption based
on bilinear pairings has also been suggested in this paper.
They claimed that their scheme can achieve unforgeability
and confidentiality in the random oracle model. However,
in this paper, we show that their scheme cannot provide
confidentiality and unforgeability at all by giving concrete
attacks. Furthermore, the basic reason behind our attack
has also been analyzed.
The rest of this paper is organized as follows. In Sec-
tion 2, we review the Guo-Li-Fan attribute-based ring
signcryption scheme. After that, we explain why their
scheme can not provide unforgeability and confidentiality
in Sections 3 and 4 respectively. Finally, the conclusions
are given in Section 5.