An Efficient Signcryption Scheme With Key Privacy IV
7/27/2019 An Efficient Signcryption Scheme With Key Privacy IV
http://slidepdf.com/reader/full/an-efficient-signcryption-scheme-with-key-privacy-iv 1/29
An Efficient Signcryption
Scheme with Key Privacy
Speaker: Travis Chung Ki Li
MPhil Student in CS Department
City University of Hong Kong
Joint work with: Duncan Wong, Guomin Yang,
Xiaotie Deng, Sherman S.M. Chow
Trigger
In IPL 2006 Tan pointed out the signcryption
scheme proposed by Yang, Wong and Deng
(ISC 2005) was flawed
Cannot provide confidentiality and anonymity as claimed
Trigger
Tan did not suggest any solutions to fix the
problems
Does there exist any anonymous signcryption
scheme secure under Tan’s attack?
Still not known if the YWD scheme can be
improved to a secure one
Introduction
Signcryption was introduced by Zheng in
1997
Combines signature and encryption
Less computational complexity and lower
communication cost
Suitable for many applications using
resource-limited devices
Introduction
Baek et al. first defined a set of security
notions for Signcryption (2002)
The notions are similar to the traditional
Indistinguishability against Chosen Ciphertext Attacks (IND-CCA2) &
Existential Unforgeability against Chosen Message
Attacks (EUF-CMA)
J. Baek, R. Steinfeld, and Y. Zheng. Formal proofs for the security of signcryption. In
PKC’02, pages 80–98. Springer-Verlag, 2002. LNCS 2274.
Introduction
An et al. introduced a notion called “Insider
Security” (2002)
An adversary can access not only the public
keys of both sender and receiver
But also the private key of sender
J. H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. In
Proc. EUROCRYPT 2002, pages 83–107. Springer-Verlag, 2002. LNCS 2332.
Introduction
Boyen proposed a new set of signcryption
security model under identity based
cryptographic setting (2003)
One of them is called “Ciphertext
Anonymity”
X. Boyen. Multipurpose identity-based signcryption: A swiss army knife for identity-based
cryptography. In Proc. CRYPTO 2003, pages 383–399. Springer-Verlag, 2003. LNCS 2729.
Ciphertext Anonymity
An extension of “Key Privacy”, which was
introduced by Bellare et al. (2001)
Ciphertext should hide the identity of both
sender and receiver
M. Bellare, A. Boldyreva, A. Desai, and D. Pointcheval. Key-privacy in public-key encryption. In Proc.
ASIACRYPT 2001, pages 566–582. Springer-Verlag, 2001. LNCS 2248.
Ciphertext Anonymity
Libert and Quisquater proposed a
signcryption scheme (2004)
Claimed to be insider secure under
IND-CCA2, EUF-CMA and Ciphertext Anonymity
B. Libert and J.-J. Quisquater. Efficient signcryption with key privacy from gap Diffie-Hellman groups. In
PKC’04, pages 187–200. Springer-Verlag, 2004. LNCS 2947.
Libert-Quisquater Scheme
Tan and Yang et al. independently showed
that the Libert and Quisquater scheme is flawed.
Yang et al. also gave a modification (YWD
scheme), which supports parallel processing
C. H. Tan. On the security of signcryption scheme with key privacy. IEICE Trans. Fundam. Electron.
Commun. Comput. Sci., E88-A(4):1093–1095, 2005.
G. Yang, D. S. Wong, and X. Deng. Analysis and improvement of a signcryption scheme with key
privacy. In 8th Information Security Conference (ISC’05), pages 218–232, 2005. LNCS 3650.
YWD Scheme
Recently, Tan showed that the YWD scheme is
not IND-CCA2 secure and does not satisfy
Ciphertext Anonymity (2006)
However, no improvement has been
proposed
C. H. Tan. Analysis of improved signcryption scheme with key privacy. Information
Processing Letters, 99(4):135–138, August 2006.
Our Result
We propose a modification of the YWD scheme
Solves the security issues with improved
efficiency
Reduces the number of operations and proves
the scheme with a more precise reduction
bound
Security Model for Signcryption
Confidentiality (SC-IND-CCA)
Unforgeability (SC-EUF-CMA)
Ciphertext Anonymity (SC-ANON-CCA)
Security Model with Key Privacy
1. The Challenger C generates two key pairs (skR,0, pkR,0) & (skR,1, pkR,1) and
gives pkR,0, pkR,1 to Distinguisher D
2. D adaptively queries Signcrypt(m, skR,c, pkR) and
Designcrypt(δ, skR,c), where pkR ≠ pkR,c, for c = 0 or 1
3. D outputs two valid and distinct private keys skS,0, skS,1
and a plaintext m
4. C randomly chooses b, b' in {0,1} and sends a
challenge ciphertext δ = Signcrypt(m, skS,b, pkR,b') to D
Security Model with Key Privacy
5. D makes queries as in step 2, except designcrypting the
challenge ciphertext δ
6. D outputs two bits (d, d') and wins the game if (d, d') = (b, b')
Adv^anon-cca(D) = Pr[(d, d') = (b, b')] - 1/4
YWD Scheme
Setting
H1: {0,1}^(n+2l) → G1
H2: G1^3 → {0,1}^l
H3: G1^3 → {0,1}^(n+l)
Keygen
Private key xu in Zq
Public key Yu = xuP
Sender (xS, YS)
Receiver (xR, YR)
Signcrypt
Message m in {0,1}^n
Pick a random r in Zq, U = rP
V = xS H1(m, U, YR)
W = V ⊕ H2(U, YR, rYR)
Z = (m || YS) ⊕ H3(U, YR, rYR)
The ciphertext is (U, W, Z)
YWD Scheme
Designcrypt
A ciphertext (U, W, Z)
V = W ⊕ H2(U, YR, xRU)
(m || YS) = Z ⊕ H3(U, YR, xRU)
If e(YS, H1(m, U, YR)) = e(P, V),
output <m, (U, YR, V), YS>
Verify
<m, (U, YR, V)> & YS
If e(YS, H1(m, U, YR)) = e(P, V)
Tan’s attack against adaptive chosen ciphertext attack
Adversary A determines which plaintext (m0, m1) is
encrypted in challenge ciphertext C* = (U*, W*, Z*)
A guesses m0 is encrypted
Under the insider security notion
Reuse the randomness in U*
Form a new C’ = (U*, W’, Z’)
Recover m’ from C’ with the help of the designcryption
oracle
Tan’s attack against adaptive chosen ciphertext attack
C* = (U*, W*, Z*)
YS’ = xS’P
V* = xS H1(m0, U*, YR)
V’ = xS’ H1(m’, U*, YR)
W’ = (V’ ⊕ V*) ⊕ W*
Z’ = ((m’ ⊕ m0) || (YS’ ⊕ YS)) ⊕ Z*
C’ = (U*, W’, Z’)
Designcryption Oracle:
m’’ || YS’’ = Z’ ⊕ H3(U*, YR, xRU*)
If m’’ = m’,
m0 is used,
else m1 is used
Tan’s attack against Ciphertext Anonymity
D distinguishes which private key (xS,0, xS,1) and
public key (YR,0, YR,1) are used in the challenge ciphertext C* = (U*, W*, Z*)
D prepares a message m* and xS’ in Zq
Calculates C’i,j = (U*, W’i,j, Z’i) similar to the CCA2 attack
Submits C’i,j to the designcryption oracle
If the designcrypted message m’’i,j = m* then D can
make the correct guess
Weakness of YWD Scheme
Since H1 does not involve any secret value
The component V can be easily
reconstructed under “insider security” notion
Attack through malleability of W and Z
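Added example (not from the slides or the cited papers): a toy Python instantiation of the YWD scheme and of Tan's test from the preceding slides, showing how a publicly recomputable V plus XOR-malleable W and Z lets the designcryption oracle reveal which plaintext was signcrypted. Assumptions: G1 is modelled as the integers mod q with e(A, B) = A*B mod q (bilinear but insecure), SHA-512 stands in for H1, H2, H3, and the names keygen, tan_guess and oracle are hypothetical.

```python
import hashlib, secrets

# Toy stand-in (assumption, insecure): G1 = (Z_q, +) with generator P, so the
# point xP is the integer x*P mod q and e(A, B) = A*B mod q is bilinear.
q, P, N, L = 2**61 - 1, 5, 128, 64     # order, generator, message bits n, point bits l

def H(tag, bits, *parts):              # domain-separated hash to `bits` bits
    d = hashlib.sha512(repr((tag, parts)).encode()).digest()
    return int.from_bytes(d, "big") >> (512 - bits)

def H1(m, U, YR): return H(1, 256, m, U, YR) % q   # hash into G1
def H2(U, YR, K): return H(2, L, U, YR, K)         # l-bit mask for V
def H3(U, YR, K): return H(3, N + L, U, YR, K)     # (n+l)-bit mask for m || YS

def keygen():
    x = secrets.randbelow(q - 1) + 1
    return x, x * P % q                            # (x_u, Y_u = x_u P)

def signcrypt(m, xS, YR):
    r = secrets.randbelow(q - 1) + 1
    U, K, YS = r * P % q, r * YR % q, xS * P % q   # U = rP, K = rYR
    V = xS * H1(m, U, YR) % q
    return U, V ^ H2(U, YR, K), ((m << L) | YS) ^ H3(U, YR, K)

def designcrypt(C, xR):                            # returns m, or None if invalid
    U, W, Z = C
    YR, K = xR * P % q, xR * U % q                 # xR*U equals r*YR
    V, mY = W ^ H2(U, YR, K), Z ^ H3(U, YR, K)
    m, YS = mY >> L, mY & (2**L - 1)
    return m if YS * H1(m, U, YR) % q == P * V % q else None  # e(YS,H1) = e(P,V)

def tan_guess(C, m0, xS, YS, YR, oracle):
    """Tan's test: True when C signcrypts m0 (insider model: xS is known)."""
    U, W, Z = C
    m2, (xS2, YS2) = secrets.randbits(N), keygen() # attacker's m' and (xS', YS')
    V_star = xS * H1(m0, U, YR) % q                # V* needs no receiver secret
    V2 = xS2 * H1(m2, U, YR) % q                   # V' under the substituted sender
    C2 = (U, V2 ^ V_star ^ W, (((m2 ^ m0) << L) | (YS2 ^ YS)) ^ Z)
    return oracle(C2) == m2                        # C' differs from C*, query allowed
```

In the modified construction, H1 also takes D = xRU and V is carried inside Z, so V* can no longer be recomputed without the receiver's key and the XOR adjustment above does not yield a valid ciphertext.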
Our Construction
Designcrypt
A ciphertext (U, Z)
D = xRU
(m || YS || V) = Z ⊕ H2(U, YR, D)
If e(YS, H) = e(P, V),
output <m, (U, YR, V, D),YS>
Verify
<m, (U, YR, V, D)> & YS
If e(YS, H1(m, U, YR, D)) = e(P, V)
Security Analysis
Let k be a security parameter
Under random oracle model
If there is a PPT algorithm which can break the
SC-IND-CCA / SC-EUF-CMA / SC-ANON-CCA
security with advantage at least ρ(k),
then there exists a PPT algorithm which can solve
the Gap Diffie-Hellman problem with non-negligible probability
Gap Diffie-Hellman Problem
Decisional Diffie-Hellman problem
Distinguish the distribution between
<P,aP,bP,abP> & <P,aP,bP,cP>
Computational Diffie-Hellman problem
Compute abP from <P,aP,bP>
Gap Diffie-Hellman problem
Solve a CDH problem with DDH oracle
e(P, cP) = e(aP, bP) ⇔ cP = abP
Proof Sketch
Prove by contradiction
Suppose there exists an adversary A who wins the
SC-IND-CCA / SC-EUF-CMA / SC-ANON-CCA
game with non-negligible advantage
With the help of a DDH solver
Construct an algorithm B by running A to
solve CDH problem in G1
Conclusion
Provide a solution to Tan’s attack
A signcryption scheme proven secure in
confidentiality, unforgeability, ciphertext
anonymity
Under the assumption of GDH problem in
random oracle model
Efficient and requires even fewer operations than the YWD scheme