An Efficient Signcryption Scheme With Key Privacy IV

 An Efficient Signcryption Scheme with Key Privacy Speaker: Travis Chung Ki Li MPhil Student in CS Department City University of Hong Kong Joint work with: Duncan Wong, Guomin Yang, Xiaotie Deng, Sherman S.M. Chow

7/27/2019 An Efficient Signcryption Scheme With Key Privacy IV

http://slidepdf.com/reader/full/an-efficient-signcryption-scheme-with-key-privacy-iv 1/29

An Efficient Signcryption Scheme with Key Privacy

Speaker: Travis Chung Ki Li

MPhil Student in CS Department, City University of Hong Kong

Joint work with: Duncan Wong, Guomin Yang, Xiaotie Deng, Sherman S.M. Chow

Trigger

In IPL 2006, Tan pointed out that the signcryption scheme proposed by Yang, Wong and Deng (ISC 2005) was flawed

It cannot provide confidentiality and anonymity as claimed

Trigger

Tan did not suggest any solutions to fix the problems

Does there exist any anonymous signcryption scheme secure under Tan’s attack?

Still not known if the YWD scheme can be improved to a secure one

Introduction

Signcryption was introduced by Zheng in 1997

Combines signature and encryption

Less computational complexity and lower communication cost

Suitable for many applications using resource-limited devices

Introduction

Baek et al. first defined a set of security notions for signcryption (2002)

The notions are similar to the traditional Indistinguishability against Chosen Ciphertext Attacks (IND-CCA2) and Existential Unforgeability against Chosen Message Attacks (EUF-CMA)

J. Baek, R. Steinfeld, and Y. Zheng. Formal proofs for the security of signcryption. In PKC’02, pages 80–98. Springer-Verlag, 2002. LNCS 2274.

Introduction

An et al. introduced a notion called “Insider Security” (2002)

An adversary can access not only the public keys of both sender and receiver, but also the private key of the sender

J. H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. In Proc. EUROCRYPT 2002, pages 83–107. Springer-Verlag, 2002. LNCS 2332.

Introduction

Boyen proposed a new set of signcryption security models under the identity-based cryptographic setting (2003)

One of them is called “Ciphertext Anonymity”

X. Boyen. Multipurpose identity-based signcryption: A swiss army knife for identity-based cryptography. In Proc. CRYPTO 2003, pages 383–399. Springer-Verlag, 2003. LNCS 2729.

Ciphertext Anonymity

An extension of “Key Privacy”, which was introduced by Bellare et al. (2001)

Ciphertext should hide the identity of both sender and receiver

M. Bellare, A. Boldyreva, A. Desai, and D. Pointcheval. Key-privacy in public-key encryption. In Proc. ASIACRYPT 2001, pages 566–582. Springer-Verlag, 2001. LNCS 2248.

Ciphertext Anonymity

Libert and Quisquater proposed a signcryption scheme (2004)

Claimed to be insider secure under IND-CCA2, EUF-CMA and Ciphertext Anonymity

B. Libert and J.-J. Quisquater. Efficient signcryption with key privacy from gap Diffie-Hellman groups. In PKC’04, pages 187–200. Springer-Verlag, 2004. LNCS 2947.

Libert-Quisquater Scheme

Tan and Yang et al. independently showed that the Libert and Quisquater scheme is flawed.

Yang et al. also gave a modification (YWD scheme), which supports parallel processing

C. H. Tan. On the security of signcryption scheme with key privacy. IEICE Trans. Fundam. Electron. Commun. Comput. Sci., E88-A(4):1093–1095, 2005.

G. Yang, D. S. Wong, and X. Deng. Analysis and improvement of a signcryption scheme with key privacy. In 8th Information Security Conference (ISC’05), pages 218–232, 2005. LNCS 3650.

YWD Scheme

Recently, Tan showed that the YWD scheme is not IND-CCA2 secure and does not satisfy Ciphertext Anonymity (2006)

However, no improvement has been proposed

C. H. Tan. Analysis of improved signcryption scheme with key privacy. Information Processing Letters, 99(4):135–138, August 2006.

Our Result

We propose a modification of the YWD scheme

Solves the security issues with improved efficiency

Reduces the number of operations and proves the scheme with a more precise reduction bound

Security Model for Signcryption

Confidentiality (SC-IND-CCA)

Unforgeability (SC-EUF-CMA)

Ciphertext Anonymity (SC-ANON-CCA)

Security Model with Key Privacy

1. The Challenger C generates $(sk_{R,0}, pk_{R,0})$ and $(sk_{R,1}, pk_{R,1})$ and gives $pk_{R,0}$, $pk_{R,1}$ to Distinguisher D

2. D adaptively queries Signcrypt$(m, sk_{R,c}, pk_R)$ and Designcrypt$(\delta, sk_{R,c})$, where $pk_R \neq pk_{R,c}$, for c = 0 or 1

3. D outputs two valid and distinct private keys $sk_{S,0}$, $sk_{S,1}$ and a plaintext m

4. C randomly chooses $b, b' \in \{0,1\}$ and sends a challenge ciphertext $\delta = \mathrm{Signcrypt}(m, sk_{S,b}, pk_{R,b'})$ to D

Security Model with Key Privacy

5. D makes queries as in step 2, except designcrypting the challenge ciphertext $\delta$

6. D outputs two bits $(d, d')$ and wins the game if $(d, d') = (b, b')$

$\mathrm{Adv}^{\mathrm{anon\text{-}cca}}(D) = \Pr[(d, d') = (b, b')] - 1/4$

YWD Scheme

Setting

$H_1: \{0,1\}^{n+2l} \to G_1$

$H_2: G_1^3 \to \{0,1\}^l$

$H_3: G_1^3 \to \{0,1\}^{n+l}$

Keygen

Private key $x_u \in \mathbb{Z}_q$

Public key $Y_u = x_u P$

Sender $(x_S, Y_S)$

Receiver $(x_R, Y_R)$

Signcrypt

Message $m \in \{0,1\}^n$

Pick a random $r \in \mathbb{Z}_q$, $U = rP$

$V = x_S H_1(m, U, Y_R)$

$W = V \oplus H_2(U, Y_R, rY_R)$

$Z = (m \| Y_S) \oplus H_3(U, Y_R, rY_R)$

The ciphertext is $(U, W, Z)$

YWD Scheme

Designcrypt

A ciphertext $(U, W, Z)$

$V = W \oplus H_2(U, Y_R, x_R U)$

$(m \| Y_S) = Z \oplus H_3(U, Y_R, x_R U)$

If $e(Y_S, H_1(m, U, Y_R)) = e(P, V)$, output $\langle m, (U, Y_R, V), Y_S \rangle$

Verify

$\langle m, (U, Y_R, V) \rangle$ and $Y_S$

If $e(Y_S, H_1(m, U, Y_R)) = e(P, V)$

Tan’s attack against adaptive chosen ciphertext attack

Adversary A determines which plaintext of $(m_0, m_1)$ is encrypted in the challenge ciphertext $C^* = (U^*, W^*, Z^*)$

A guesses that $m_0$ is encrypted

Under the insider security notion

Reuse the randomness in $U^*$

Form a new $C' = (U^*, W', Z')$

Recover $m'$ from $C'$ with the help of the designcryption oracle

Tan’s attack against adaptive chosen ciphertext attack

Challenge ciphertext: $C^* = (U^*, W^*, Z^*)$

$Y_S' = x_S' P$

$V^* = x_S H_1(m_0, U^*, Y_R)$

$V' = x_S' H_1(m', U^*, Y_R)$

$W' = (V' \oplus V^*) \oplus W^*$

$Z' = ((m' \oplus m_0) \| (Y_S' \oplus Y_S)) \oplus Z^*$

$C' = (U^*, W', Z')$

Designcryption Oracle: $m'' \| Y_S'' = Z' \oplus H_3(U^*, Y_R, x_R U^*)$

If $m'' = m'$, $m_0$ is used, else $m_1$ is used

Tan’s attack against Ciphertext Anonymity

D distinguishes which private key of $(x_{S,0}, x_{S,1})$ and which public key of $(Y_{R,0}, Y_{R,1})$ are used in the challenge ciphertext $C^* = (U^*, W^*, Z^*)$

D prepares a message $m^*$ and $x_S' \in \mathbb{Z}_q$

Calculates $C'_{i,j} = (U^*, W'_{i,j}, Z'_i)$ similar to the CCA2 attack

Submits $C'_{i,j}$ to the designcryption oracle

If the designcrypted message $m''_{i,j} = m^*$ then D can make the correct guess

Weakness of YWD Scheme

Since $H_1$ does not involve any secret value, the component V can be easily reconstructed under the “insider security” notion

Attack through malleability of W and Z
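Added example, not from the slides or the authors' paper: the malleability of W and Z described above, run against the YWD equations in a toy group so the oracle's answer can be observed for both values of the hidden bit. Assumptions: a group element aP is stored as the integer a·G mod Q and the pairing is multiplication mod Q (insecure, only the algebra matches); all keys, messages and function names are constructed for illustration.

```python
import hashlib

# Toy model (assumption, insecure): aP is stored as a*G mod Q, e(A,B) = A*B mod Q.
Q, G, N = 2**61 - 1, 5, 8          # prime order, stand-in for P, bytes per element

def enc(x): return (x % Q).to_bytes(N, "big")
def dec(b): return int.from_bytes(b, "big")
def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))
def pair(A, B): return A * B % Q

def H(tag, n, *parts):             # random-oracle stand-in built on SHAKE-256
    return hashlib.shake_256(tag + b"".join(parts)).digest(n)

def H1(m, U, YR):                  # hashes to a group element; public inputs only
    return dec(H(b"1", N, m, enc(U), enc(YR))) % Q

def signcrypt(m, xS, YR, r):       # YWD Signcrypt, following the slide
    U, K = r * G % Q, enc(r * YR)
    V = xS * H1(m, U, YR) % Q
    W = xor(enc(V), H(b"2", N, enc(U), enc(YR), K))
    Z = xor(m + enc(xS * G), H(b"3", 2 * N, enc(U), enc(YR), K))
    return U, W, Z

def designcrypt(c, xR):            # returns m, or None if the pairing check fails
    U, W, Z = c
    YR, K = xR * G % Q, enc(xR * U)
    V = dec(xor(W, H(b"2", N, enc(U), enc(YR), K)))
    mY = xor(Z, H(b"3", 2 * N, enc(U), enc(YR), K))
    m, YS = mY[:N], dec(mY[N:])
    return m if pair(YS, H1(m, U, YR)) == pair(G, V) else None

def maul(c, m0, xS, YR, m2, xS2):  # C' = (U*, W', Z') from the slides; m2, xS2 are m', xS'
    U, W, Z = c
    V_star = xS * H1(m0, U, YR) % Q          # rebuilt without any receiver secret
    V2 = xS2 * H1(m2, U, YR) % Q
    W2 = xor(xor(enc(V2), enc(V_star)), W)
    Z2 = xor(xor(m2, m0) + xor(enc(xS2 * G), enc(xS * G)), Z)
    return U, W2, Z2

def oracle_confirms_guess(b):      # True when the oracle returns m' for the guess m0
    xS, xR, xS2, r = 1234567, 7654321, 424242, 987654321   # constructed toy values
    m0, m1, m2 = b"msg-zero", b"msg-one!", b"probe-m'"
    YR = xR * G % Q
    c_star = signcrypt((m0, m1)[b], xS, YR, r)
    return designcrypt(maul(c_star, m0, xS, YR, m2, xS2), xR) == m2

if __name__ == "__main__":
    print(oracle_confirms_guess(0), oracle_confirms_guess(1))   # guess right, guess wrong
```

The oracle's answer depends on the hidden bit only because V can be recomputed from public values and the sender's key; the Verify step of the repaired construction hashes $D = x_R U$ into $H_1$, which removes that property.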

Our Construction

Designcrypt

A ciphertext $(U, Z)$

$D = x_R U$

$(m \| Y_S \| V) = Z \oplus H_2(U, Y_R, D)$

If $e(Y_S, H) = e(P, V)$, output $\langle m, (U, Y_R, V, D), Y_S \rangle$

Verify

$\langle m, (U, Y_R, V, D) \rangle$ and $Y_S$

If $e(Y_S, H_1(m, U, Y_R, D)) = e(P, V)$

Security Analysis

Let k be a security parameter

Under the random oracle model

If there is a PPT algorithm which can break the SC-IND-CCA / SC-EUF-CMA / SC-ANON-CCA security with advantage at least ρ(k)

Then there exists a PPT algorithm which can solve the Gap Diffie-Hellman problem with non-negligible probability

Gap Diffie-Hellman Problem

Decisional Diffie-Hellman problem

Distinguish between the distributions $\langle P, aP, bP, abP \rangle$ and $\langle P, aP, bP, cP \rangle$

Computational Diffie-Hellman problem

Compute $abP$ from $\langle P, aP, bP \rangle$

Gap Diffie-Hellman problem

Solve a CDH problem with a DDH oracle

$e(P, cP) = e(aP, bP) \iff cP = abP$

Proof Sketch

Prove by contradiction

There exists an adversary A who wins the SC-IND-CCA / SC-EUF-CMA / SC-ANON-CCA game with non-negligible advantage

With the help of a DDH solver

Construct an algorithm B by running A to solve the CDH problem in $G_1$

Conclusion

Provide a solution to Tan’s attack

A signcryption scheme proven secure in confidentiality, unforgeability, ciphertext anonymity

Under the assumption of the GDH problem in the random oracle model

Efficient and requires even fewer operations than the YWD scheme

 Thank you!