Security weaknesses of a signature scheme and authenticated key agreement protocols

At ACISP 2012, a novel deterministic identity-based (aggregate) signature scheme was proposed that does not rely on bilinear pairing. The scheme was formally proven to be existentially unforgeable under an adaptive chosen message and identity attack. The security was proven under the strong RSA assumption in the random oracle model. In this paper, unfortunately, we show that the signature scheme is universally forgeable, i.e., an adversary can recover the private key of a user and use it to generate forged signatures on any messages of its choice having on average eight genuine signatures. This means, that realizing a deterministic identity-based signature scheme in composite order groups is still an open problem. In addition, we show that a preliminary version of the authenticated key exchange protocol proposed by Okamoto in his invited talk at ASIACRYPT 2007 is vulnerable to the key-compromise impersonation attack and therefore cannot be secure in the eCK model. We also show that the two-party identity-based key agreement protocol of Holbl et al. is vulnerable to the unknown key-share attack. (C) 2013 Elsevier B.V. All rights reserved.