Signcryption: what, why and how
Transcript of Signcryption: what, why and how
Yevgeniy Dodis
New York University
Signature and Encryption
• Most basic cryptographic tools
• Signature:
– Receiver is sure message came from sender
– Provides Authentication
• Encryption:
– Only receiver can understand the message
– Provides Privacy
Common Design Wisdom
• Never mix things together
• Make the design as modular as possible
– Have freedom to design independent privacy and authentication components
• When both are needed, combine known solutions
– Encrypt-then-sign (EtS): Sig(Enc(m))
– Sign-then-encrypt (StE): Enc(Sig(m))
• But given both are needed so often, shall we define/design tailored solutions?
Signcryption???
• Maybe we can build significantly more efficient/secure solutions than EtS/StE?
• Are we sure EtS and StE are “secure”?
– NO, if we are not careful! (yes, if we are)
• Do we know exactly what we mean by “private authenticated communication”?
– Definition is non-trivial!
Signcryption as a Primitive?
YES
• Maybe we can in fact simplify protocol design by having this high-level primitive?
Prior Work
• Initial study of signcryption [Zheng97, …]
– Main motivation: efficiency
– Security arguments: no formal definitions/proofs
• Using authentication to go CPA -> CCA
– ElGamal Encryption [TY98, SJ00]
– Symmetric setting [BN00, K01, BR00]
• Authenticated Encryption (symmetric setting)
– Definitions [KY00, BN00, BR00]
– Sequential Composition EtA/AtE [BN00, K01]; called “good” if MAC helps CPA -> CCA (justified but unnatural)
– Encrypt/encipher-with-redundancy [AB01, BR00]
– New Block Cipher Modes (RFC, IAPM, OCB, SNCBC, …)
Our Results I [ADR02]
• Formal definition(s) of signcryption
– Multi-user vs. Two-user setting
– “Insider” vs. “Outsider” distinction
• EtS/StE are secure if modeled properly…
• Paradigm of parallel signcryption:
– Performs expensive Enc and Sig in parallel
– Commit-then-Encrypt-and-Sign (CtE&S)
– Leads to fast On-line/Off-line Signcryption
• Definitional inadequacy of CCA security
Our Results II [DFW03]
• More efficient parallel signcryption: Padding-based Parallel Signcryption (PbPS)
– Fully compatible with PKCS#1 standard
• Works with PSS-R, OAEP, OAEP+ & other paddings
• Based on any TDP f (e.g., RSA)
• Simple and flexible key management
• Same f can be used to both send & receive data…
– Effortlessly supports associated data
– Tight exact security and many more…
• New notion: universal two-padding schemes
– New padding: PSEP, hybrid of PSS-R & OAEP
Our Results III [DA03]
• General way to build signcryption on long messages from that on short messages
– Very simple and efficient
– Coupled with PbPS: very practical signcryption!
• Utilizes a new primitive of independent interest: Concealment
• Strong version equivalent to CRHFs, weak version can be built from UOWHFs (and, thus, OWFs)
• Remotely Keyed (Authenticated) Encryption
– Formal definition and simple solution
– Considerably simplifies/generalizes prior work
Defining Signcryption
Ideal Functionality: [figure: Alice sending “Love from Alice”]
Implementation:
• Each player P publishes key pair (SecP, PubP)
• To send m from sender S to receiver R:
– u = SigEnc(m; SecS, PubR); m = VerDec(u; PubS, SecR)
Example: EtS
[figure: Alice sends “Love from Alice” using EtS]
But what if Ugly intervenes?
Example: EtS (cont)
[figure: Alice and Ugly; labels “Love from Alice”, “Love from Ugly”, “from Alice???”]
Moral: Need to use identities in multi-user setting! Both for syntax and constructions
Formal Definition (multi-user)
• When attacking U, adversary A(PubU) can:
– Ask SigEnc(m; SecU, PubR), for any receiver R
– Ask DecVer(u; PubS, SecU), for any sender S
• To break authenticity, outputs new forgery:
– (u; SecR) s.t. DecVer(u; PubU, SecR) is valid
– Note, allow A to choose receiver R!
• To break privacy, guesses b w/pr. > ½:
– Chooses (m0, m1, SecS), for S of A’s choice!
– Given SigEnc(mb; SecS, PubU), for random b
Two- vs. Multi-User Setting
• Can formally define both settings
– Two-user is much simpler: no IDs!
• Only sender S and receiver R
• Shows no attacks on the scheme, only on IDs
– But multi-user needed in applications…
• “Multi-User = Two-User + ID fraud protection”
• For all our schemes, some natural “tricks” always work to go two-user -> multi-user
– First describe two-user version
– Then show how to get multi-user
Parallel Signcryption
• Apply expensive “encrypting” and “signing” on m in parallel
• New alternative to sequential composition
• Can offer other advantages beside parallelism and efficiency
– More flexible key management
– Easier for tight security reductions
– On-line/Off-line Signcryption
– Aesthetics: more elegant
Generic Parallel Signcryption
CtE&S: m -> (c, d); in parallel ψ = EncR(d) and σ = SigS(c); receiver: d = DecR(ψ), c = VerS(σ); (c, d) -> m
EtS: ψ = EncR(m), u = SigS(ψ); receiver: ψ = VerS(u), m = DecR(ψ)
StE: σ = SigS(m), u = EncR(σ); receiver: σ = DecR(u), m = VerS(σ)
What properties on (c,d) are needed for CtE&S?
Properties of c and d
Recall, Signcrypt(m) = (Sig(c), Enc(d))
1. [m -> (c,d) -> m] should be fast
2. Privacy: c should not reveal “any information” about m (“hiding”)
– Indeed, c goes “in the clear”
3. Authenticity: should be hard to “reuse” Sig(c) (“binding”)
– If find d’ such that (c,d’) is valid and d’ ≠ d, then (Sig(c), Enc(d’)) is a new forgery
COMMITMENT SCHEME!!! (“relaxed” commitment scheme is necessary and sufficient… see paper)
Improving Generic Approach
• Need IND-CCA Enc and sUF-CMA Sig
– Expensive
• What if implement in RO model?
– Say, PSS for Sig, OAEP/OAEP+ for Enc…
• Wasteful, need to “pad” twice!
– Poor exact security
– Poor message bandwidth
– Less efficient
– Need to store two independent keys
– Aesthetics: inelegant
• Can we do (much) better? YES!
Padding-based Parallel Signcryption
CtE&S: m -> Commit -> (c, d); ψ = EncR(d), σ = SigS(c)
PbPS: m -> “Two-Pad” -> (w, s); ψ = fR(w), σ = fS^-1(s)
Advantages of PbPS
• Replace expensive Enc and Sig by a TDP f and its inverse f^-1 (e.g., RSA)
• Can reuse f for sending and receiving
– Entire PubU = f, SecU = f^-1
• Consistent with current PKI infrastructure suggested by PKCS#1
• Better exact security
• More efficient if “two-paddings” are fast
• What are these “two-paddings”???
Universal Two-Paddings
• Invertible Pad(m) -> (w,s) s.t. for any TDP f
– [f(w), s] is IND-CCA-secure encryption
– [w, f^-1(s)] is sUF-CMA-secure signature
– In fact, holds even if reuse the same f for both signature and encryption
• Lemma: if Pad is universal two-padding, then [fR(w), fS^-1(s)] is a secure signcryption in the two-user setting
– Later extend to multi-user setting
Two-Padding Results
• Note: must use Random Oracle Model as we use TDPs
• Give a wide variety of universal two-paddings:
– Old: PSS-R, OAEP, OAEP+, SAP (“scramble all padding”)
– New: many, most notably PSEP (mix of PSS-R & OAEP)
• All are special cases of one general construction!
– In particular, found generalization of most padding schemes commonly used for plain signature/encryption
Intuition Behind Construction
• Most known padding schemes already naturally consist of two pieces (w,s)
• Moreover, always have (w,s) = Feistel(d,c) for some pair (d,c).
[figure: one Feistel round: (d, c) -> (w, s) with w = c, s = H(c) ⊕ d]
• Example: PSS-R
– Have w = G(m,r), s = H(w) ⊕ (m,r).
– Can write w = c, s = H(c) ⊕ d, where c = G(m,r), d = (m,r)
• What properties on (d,c) suffice??
Extractable Commitment
Given by two properties:
1. (Strong) Hiding: c(m) looks random, for any m
– usually holds anyway for any natural commitment
2. Extractability: using some “trapdoor” T, can find d from c.
– There is Extract(c,T) -> d procedure s.t. for any A: Pr[ (c,d) valid & Extract(c,T) ≠ d | (c,d) <- A ] = negl.
– In the RO model, trapdoor T = RO queries made by A
• Note: extractability implies strong binding
– Hard to find (c,d,d’) s.t. (c,d), (c,d’) are valid and d ≠ d’
Feistel Two-Paddings
• Theorem: If Commit(m) -> (c,d) is an extractable commitment then Pad(m) = (w = c, s = H(c) ⊕ d) is a universal two-padding scheme
• Note: we will see that all natural commitments in the RO model are anyway extractable
• Thus, essentially show that applying one round of Feistel to a pair (c,d) good for CtE&S, get a two-padding (w,s) good for PbPS!
– Feistel allows to replace expensive Enc and Sig by a TDP f and its inverse f^-1 (e.g., RSA)
Examples
• If c = G(m,r), d = (m,r) get PSS-R
• If c = G(r) ⊕ (m,0^k), d = r get OAEP
• If c = (G(r) ⊕ m, G’(m,r)), d = r get OAEP+
• If c = G(d) ⊕ m2, d = (m1,r,G’(m2)) get SAP
• Probabilistic Signature Encryption Padding (PSEP): arbitrarily split m = m1||m2 and set c = (G(r) ⊕ m1, G’(m2,r)), d = (m2,r)
– if |m1|=0 get PSS-R, if |m2|=0 get OAEP
– but now can achieve much higher bandwidth! E.g., with 1024-bit keys can fit 1600 bits of m
Associated Data Support
• Associated data binds a public label L to m
– L is transmitted in the clear, together with “actual” signcryption of m
– Still, authentication applies to both L and m
– Very useful in many contexts [Rogaway02]
• All our constructs easily support arbitrarily long associated data at nearly no cost!
– Simply stick L into H during the Feistel round
• Simple two-user -> multi-user conversion
– Add public keys of S and R as part of the label
Full PbPS scheme: 1. short messages 2. long labels
[figure: m -> Commit -> (c, d); Feistel round with H over c and the label (L, IDR, IDS) -> (w, s); ψ = fR(w), σ = fS^-1(s)]
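The following Python block is an added example, not code from the slides or from the [DFW03] paper. It ties together the commitment properties (hiding on c, binding on d) of the “Properties of c and d” slide and the Feistel two-padding Pad(m) = (w = c, s = H(c) ⊕ d) of the “Feistel Two-Paddings” and “Examples” slides: it implements the PSEP commitment c = (G(r) ⊕ m1, G’(m2,r)), d = (m2,r), folds the label L (with the IDs of S and R) into H as the “Associated Data Support” slide suggests, and illustrates the RO-model extractor of the “Extractable Commitment” slide by recording the G’ queries. G, G’ and H are modelled with SHAKE256; the lengths R and T, the split point, and the label contents are assumptions. The trapdoor-permutation step (fR applied to w, fS^-1 applied to s) is only described in comments.

```python
# Added example (not the slides' or authors' code): Feistel two-padding over
# the PSEP extractable commitment, with the label L mixed into H.
# G, G', H stand in for random oracles (SHAKE256 with domain separation);
# R and T are demo lengths, not parameters fixed by the paper.
import hashlib
import os
from typing import List, Optional, Tuple

R = 16               # bytes of randomness r (assumption)
T = 16               # bytes of the G'(m2, r) redundancy tag inside c (assumption)
RO_QUERIES: List[Tuple[bytes, bytes]] = []  # G' query transcript = extractor's "trapdoor"


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def G(r: bytes, n: int) -> bytes:
    """Mask generator G(r) producing n bytes."""
    return hashlib.shake_256(b"G|" + r).digest(n)


def _g_prime_digest(m2: bytes, r: bytes) -> bytes:
    return hashlib.shake_256(b"G'|" + len(m2).to_bytes(2, "big") + m2 + r).digest(T)


def G_prime(m2: bytes, r: bytes) -> bytes:
    """Redundancy oracle G'(m2, r); every query is recorded so Extract can use it."""
    RO_QUERIES.append((m2, r))
    return _g_prime_digest(m2, r)


def H(c: bytes, label: bytes, n: int) -> bytes:
    """Feistel round function; the label L (e.g. IDs of S and R) is hashed in here."""
    return hashlib.shake_256(b"H|" + len(label).to_bytes(2, "big") + label + c).digest(n)


def commit(m: bytes, split: int, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PSEP: m = m1||m2, c = (G(r) xor m1, G'(m2, r)), d = (m2, r).
    split=0 leaves all of m in d (PSS-R shape); split=len(m) puts it all in c (OAEP shape)."""
    m1, m2 = m[:split], m[split:]
    r = os.urandom(R) if r is None else r
    c = xor(G(r, len(m1)), m1) + G_prime(m2, r)
    d = m2 + r
    return c, d


def open_commit(c: bytes, d: bytes) -> Optional[bytes]:
    """Recover m from a valid (c, d); None if the redundancy check fails (binding)."""
    if len(c) < T or len(d) < R:
        return None
    masked_m1, tag = c[:-T], c[-T:]
    m2, r = d[:-R], d[-R:]
    if _g_prime_digest(m2, r) != tag:
        return None
    return xor(G(r, len(masked_m1)), masked_m1) + m2


def pad(m: bytes, label: bytes, split: int, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One Feistel round on (c, d): w = c, s = H(c, L) xor d.
    In PbPS the receiver's TDP f_R is then applied to w and the sender's f_S^-1 to s."""
    c, d = commit(m, split, r)
    return c, xor(H(c, label, len(d)), d)


def unpad(w: bytes, s: bytes, label: bytes) -> Optional[bytes]:
    """Invert the Feistel round under the same label; another label gives an invalid (c, d)."""
    return open_commit(w, xor(H(w, label, len(s)), s))


def extract(c: bytes) -> Optional[bytes]:
    """RO-model extractor: recover d from c using only the recorded G' queries."""
    if len(c) < T:
        return None
    tag = c[-T:]
    for m2, r in RO_QUERIES:
        if _g_prime_digest(m2, r) == tag:
            return m2 + r
    return None


if __name__ == "__main__":
    label = b"pk_S|pk_R"          # constructed label: identities of sender and receiver
    w, s = pad(b"hello world", label, split=5)
    print("w =", w.hex(), "s =", s.hex())
    print("unpad with correct label:", unpad(w, s, label))
    print("unpad with another sender ID:", unpad(w, s, b"pk_X|pk_R"))
    print("extracted d matches:", extract(w) == xor(H(w, label, len(s)), s))
```

The split point decides how much of m rides in c (through the receiver's f) versus in d (through the sender's f^-1), which is the bandwidth knob the PSEP slide describes; unpadding under a different label fails, which is what makes the IDs in the label protect against the identity fraud of the EtS example.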
Signcrypting Long Messages
• Main Question: given good signcryption SC on short messages m, how to signcrypt arbitrarily long messages M?
• Approach: transform M -> (b,h) and set SC*(M) = (SC(b), h)
– (note: want to have |b| << |M|)
• Sub-Question: what transformations T are needed to make SC* secure?
• Answer: concealments !
Concealments
Recall, SC*(M) = (SC(b), h)
1. |b| < |M| (non-triviality)
2. Privacy: h should reveal “no information” about M (“hiding”)
– Indeed, h goes “in the clear”
3. Authenticity: should be hard to “reuse” SC(b) (“binding”)
– If find h’ such that (b,h’) is valid and h’ ≠ h, then (SC(b), h’) is a new forgery
CONCEALMENT SCHEME!!! (“relaxed” concealment scheme is necessary and sufficient… see paper)
Commitment vs. Concealment
Commitment | Concealment
• commitment c & decommitment d | • hider h & binder b
• both hiding and binding are on c | • hiding on h & binding on b
• always imply OWFs | • trivial if |b|=|M|
• useful even when |c|>|m| (i.t. binding) | • otherwise imply CRHFs
• (Sig(c), Enc(d)) | • (h, Signcrypt(b))
Constructing Concealments
• Use one-time symmetric encryption (E,D)
• Set h = Eτ(M), b = (τ, K(h)), where K is CRHF
– Hiding is obvious, binding is due to CRHF K
– Notice, b is indeed short
• If SC supports (long) associated data, can set h = Eτ(M), b = τ and L = h (+extra label)
– Binding since pair (b = τ, L = Eτ(M)) commits M
– Nicely applies to PbPS
• Here is the final multi-user signcryption of long messages with associated data
Full-fledged PbPS scheme:
[figure: M -> τ, π = Eτ(M); label (π, L, IDR, IDS) hashed into H; b = τ -> Commit -> (c, d); Feistel round -> (w, s); ψ = fR(w), σ = fS^-1(s)]
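As an added example (not the authors' code) of the “Constructing Concealments” slide and the long-message transform SC*(M) = (SC(b), h) of the “Signcrypting Long Messages” slide, the Python block below builds the concealment h = Eτ(M), b = (τ, K(h)) and the associated-data variant b = τ, L = h, and runs both end to end. The short-message SC is a constructed shared-key stand-in (nonce, SHAKE256 keystream, HMAC-SHA256 tag over ciphertext and label), present only so the transform can execute; it is not a public-key signcryption scheme. Eτ is a SHAKE256 keystream cipher, K is SHA-256, and TAU_LEN and NONCE_LEN are assumptions.

```python
# Added example (not the slides' or authors' code): concealment-based
# signcryption of long messages, SC*(M) = (SC(b), h).  The short-message SC
# below is a constructed shared-key stand-in so the transform can be run;
# E_tau is a one-time SHAKE256 keystream, K is SHA-256 as the CRHF.
import hashlib
import hmac
import os
from typing import Optional, Tuple

TAU_LEN = 32      # length of the one-time key tau (assumption)
NONCE_LEN = 16    # nonce length of the stand-in SC (assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(tau: bytes, data: bytes) -> bytes:
    """One-time symmetric encryption E_tau (its own inverse): keystream xor."""
    return xor(hashlib.shake_256(b"E|" + tau).digest(len(data)), data)


def K(h: bytes) -> bytes:
    """Collision-resistant hash that binds the hider h into the binder b."""
    return hashlib.sha256(h).digest()


# --- stand-in short-message signcryption with associated data (constructed) ---

def SC(key: bytes, b: bytes, label: bytes = b"") -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = xor(hashlib.shake_256(b"SC|" + key + nonce).digest(len(b)), b)
    tag = hmac.new(key, nonce + ct + len(label).to_bytes(4, "big") + label, hashlib.sha256).digest()
    return nonce + ct + tag


def DV(key: bytes, u: bytes, label: bytes = b"") -> Optional[bytes]:
    if len(u) < NONCE_LEN + 32:
        return None
    nonce, ct, tag = u[:NONCE_LEN], u[NONCE_LEN:-32], u[-32:]
    expected = hmac.new(key, nonce + ct + len(label).to_bytes(4, "big") + label, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(hashlib.shake_256(b"SC|" + key + nonce).digest(len(ct)), ct)


# --- concealment: M -> (b, h) with |b| << |M| ---

def conceal(M: bytes, tau: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """h = E_tau(M) hides M; b = (tau, K(h)) is short and binds h."""
    tau = os.urandom(TAU_LEN) if tau is None else tau
    h = E(tau, M)
    return tau + K(h), h


def reveal(b: bytes, h: bytes) -> Optional[bytes]:
    """Open (b, h); None if h was altered, since K(h) no longer matches the binder."""
    if len(b) != TAU_LEN + 32:
        return None
    tau, digest = b[:TAU_LEN], b[TAU_LEN:]
    if not hmac.compare_digest(K(h), digest):
        return None
    return E(tau, h)


def signcrypt_long(key: bytes, M: bytes, label: bytes = b"") -> Tuple[bytes, bytes]:
    """SC*(M) = (SC(b), h): only the short binder goes through SC."""
    b, h = conceal(M)
    return SC(key, b, label), h


def unsigncrypt_long(key: bytes, u: bytes, h: bytes, label: bytes = b"") -> Optional[bytes]:
    b = DV(key, u, label)
    return None if b is None else reveal(b, h)


# --- variant when SC supports long associated data: b = tau, L = h (+ extra label) ---

def _ad_label(h: bytes, extra: bytes) -> bytes:
    return len(extra).to_bytes(4, "big") + extra + h


def signcrypt_long_ad(key: bytes, M: bytes, extra: bytes = b"") -> Tuple[bytes, bytes]:
    tau = os.urandom(TAU_LEN)
    h = E(tau, M)
    return SC(key, tau, _ad_label(h, extra)), h   # (b = tau, L = E_tau(M)) commits M


def unsigncrypt_long_ad(key: bytes, u: bytes, h: bytes, extra: bytes = b"") -> Optional[bytes]:
    tau = DV(key, u, _ad_label(h, extra))
    return None if tau is None else E(tau, h)


if __name__ == "__main__":
    key = os.urandom(32)
    M = b"A" * 100_000                      # constructed long message
    u, h = signcrypt_long(key, M)
    print("|M| =", len(M), "bytes, |SC(b)| =", len(u), "bytes")
    print("round trip ok:", unsigncrypt_long(key, u, h) == M)
    h_bad = bytes([h[0] ^ 1]) + h[1:]
    print("tampered h rejected:", unsigncrypt_long(key, u, h_bad) is None)
```

The size of SC(b) is independent of |M| in both variants, which is the non-triviality property; a modified h is rejected either by the K(h) check inside b or, in the associated-data variant, by the label check of SC, which is the binding property.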
Conclusions
• Formally defined signcryption
– importance of IDs, multi-user security, …
• Parallel Signcryption & its advantages
– generic CtE&S paradigm
– big improvement: PbPS
• Two-padding schemes
– general Feistel construction from commitments
– get many old paddings (PSS-R, OAEP, …) + new (PSEP)
• Concealment Primitive: define, construct + apps
• Full-fledged signcryption of long messages
– flexibility, efficiency, simplicity, generality, security
– consistent with existent standards/PKI
Thank you
| | ZSCR | TBOS | StE/EtS | CtE&S | This Work |
| Standard Assumption? | No | Yes | Yes | Yes | Yes |
| Exact Security? | Poor | Very poor | Good | Good | Excellent |
| Insider Security? | No | No | Yes | Yes | Yes |
| Multi-User Setting? | Yes | No | Yes | Yes | Yes |
| CCA2 Security? | Yes | Yes | Yes/No | No | Yes |
| Strong Unforgeability? | No | No | No/Yes | No | Yes |
| General Construction? | No | No | Yes | Yes | Yes |
| Key Flexibility? | No | No | Yes | Yes | Yes |
| Key Reuse (Short Key)? | Yes | No | No | No | Yes |
| Avoid Special Set-up? | No | Yes | Yes | Yes | Yes |
| Extract Plain Sig/Enc? | No | Only Sig | Sig/Enc | Yes | Yes |
| Associated Data? | No | No | No | No | Yes |
| Compatible to PKCS#1? | No | Maybe | Maybe | Maybe | Yes |
| Parallel Operations? | n/a | No | No | Yes | Yes |
| Bit Expansion on Long Messages | 4096 | Expect > 1350 bits | Expect > 700 bits | Expect > 2900 bits | Can make < 450 bits |
| Max message that can fit inside 4096 bits | 0? | 0? | < 3000 bits | < 1550 bits | 3650 bits |
| Msg / Ciphertxt (Key) in “native” scheme | n/a | ? / 2048 (4096) | 1550 / 2300 (4096) | 1550 / 4096 (4096) | 3650 / 4096 (2048) |