Signcryption: what, why and how


Page 1: Signcryption: what, why and how

Signcryption: what, why and how

Yevgeniy Dodis

New York University

Page 2

Signature and Encryption

• Most basic cryptographic tools
• Signature:
  – Receiver is sure message came from sender
  – Provides Authentication
• Encryption:
  – Only receiver can understand the message
  – Provides Privacy

Page 3

Common Design Wisdom

• Never mix things together
• Make the design as modular as possible
  – Have freedom to design independent privacy and authentication components
• When both are needed, combine known solutions
  – Encrypt-then-sign (EtS): Sig(Enc(m))
  – Sign-then-encrypt (StE): Enc(Sig(m))
• But given both are needed so often, shall we define/design tailored solutions? Signcryption???

Page 4

Signcryption as a Primitive? YES

• Maybe we can build significantly more efficient/secure solutions than EtS/StE?
• Are we sure EtS and StE are “secure”?
  – NO, if we are not careful! (yes, if we are)
• Do we know exactly what we mean by “private authenticated communication”?
  – Definition is non-trivial!
• Maybe we can in fact simplify protocol design by having this high-level primitive?

Page 5

Prior Work

• Initial study of signcryption [Zheng97, …]
  – Main motivation: efficiency
  – Security arguments: no formal definitions/proofs
• Using authentication to go CPA -> CCA
  – ElGamal Encryption [TY98, SJ00]
  – Symmetric setting [BN00, K01, BR00]
• Authenticated Encryption (symmetric setting)
  – Definitions [KY00, BN00, BR00]
  – Sequential Composition EtA/AtE [BN00, K01]: called “good” if MAC helps CPA -> CCA (justified but unnatural)
  – Encrypt/encipher-with-redundancy [AB01, BR00]
  – New Block Cipher Modes (RFC, IAPM, OCB, SNCBC, …)

Page 6

Our Results I [ADR02]

• Formal definition(s) of signcryption
  – Multi-user vs. Two-user setting
  – “Insider” vs. “Outsider” distinction
• EtS/StE are secure if modeled properly…
• Paradigm of parallel signcryption:
  – Performs expensive Enc and Sig in parallel
  – Commit-then-Encrypt-and-Sign (CtE&S)
  – Leads to fast On-line/Off-line Signcryption
• Definitional inadequacy of CCA security

Page 7

Our Results II [DFW03]

• More efficient parallel signcryption: Padding-based Parallel Signcryption (PbPS)
  – Fully compatible with PKCS#1 standard: works with PSS-R, OAEP, OAEP+ & other paddings
  – Based on any TDP f (e.g., RSA)
  – Simple and flexible key management: same f can be used to both send & receive data…
  – Effortlessly supports associated data
  – Tight exact security and many more…
• New notion: universal two-padding schemes
  – New padding: PSEP, hybrid of PSS-R & OAEP

Page 8

Our Results III [DA03]

• General way to build signcryption on long messages from that on short messages
  – Very simple and efficient
  – Coupled with PbPS: very practical signcryption!
• Utilizes a new primitive of independent interest: Concealment
  – Strong version equivalent to CRHFs, weak version can be built from UOWHFs (and, thus, OWFs)
• Remotely Keyed (Authenticated) Encryption
  – Formal definition and simple solution
  – Considerably simplifies/generalizes prior work

Page 9

Defining Signcryption

[Figure: the ideal functionality delivers the message “Love from Alice” to its receiver]

Implementation:
• Each player P publishes key pair (SecP, PubP)
• To send m from sender S to receiver R
  – u = SigEnc(m; SecS, PubR); m = VerDec(u; PubS, SecR)

Page 10

Example: EtS

[Figure: Alice sends “Love from Alice” using EtS. But what if an adversary intervenes?]

Page 11

Example: EtS (cont)

[Figure: Ugly intervenes in the EtS exchange; the receiver now reads “Love from Ugly” although the content is from Alice???]

Moral: Need to use identities in multi-user setting! Both for syntax and constructions.

Page 12

Formal Definition (multi-user)

• When attacking U, adversary A(PubU) can:
  – Ask SigEnc(m; SecU, PubR), for any receiver R
  – Ask DecVer(u; PubS, SecU), for any sender S
• To break authenticity, outputs new forgery:
  – (u, SecR) s.t. DecVer(u; PubU, SecR) succeeds
  – Note, allow A to choose receiver R!
• To break privacy, guesses b w/pr. > ½:
  – Chooses (m0, m1, SecS), for S of A’s choice!
  – Gets SigEnc(mb; SecS, PubU), for random b

Page 13

Two- vs. Multi-User Setting

• Can formally define both settings
  – Two-user is much simpler: no IDs!
    • Only sender S and receiver R
    • Shows no attacks on the scheme, only on IDs
  – But multi-user needed in applications…
    • “Multi-User = Two-User + ID fraud protection”
• For all our schemes, some natural “tricks” always work to go two-user -> multi-user
  – First describe two-user version
  – Then show how to get multi-user

Page 14

Parallel Signcryption

• Apply expensive “encrypting” and “signing” on m in parallel
• New alternative to sequential composition
• Can offer other advantages besides parallelism and efficiency
  – More flexible key management
  – Easier for tight security reductions
  – On-line/Off-line Signcryption
  – Aesthetics: more elegant

Page 15

Generic Parallel Signcryption

[Figure: data flow of the three compositions]

EtS:
  ψ = EncR(m), u = SigS(ψ)
  ψ = VerS(u), m = DecR(ψ)

StE:
  σ = SigS(m), u = EncR(σ)
  σ = DecR(u), m = VerS(σ)

CtE&S:
  m -> (c, d)
  ψ = EncR(d), σ = SigS(c)
  d = DecR(ψ), c = VerS(σ)
  (c, d) -> m

What properties on (c,d) are needed for CtE&S?

Page 16

Properties of c and d

Recall, Signcrypt(m) = (Sig(c), Enc(d))
1. [m -> (c,d) -> m] should be fast
2. Privacy: c should not reveal “any information” about m (“hiding”)
   – Indeed, c goes “in the clear”
3. Authenticity: should be hard to “reuse” Sig(c) (“binding”)
   – If find d’ such that (c,d’) is valid and d’ ≠ d, then (Sig(c), Enc(d’)) is a new forgery

COMMITMENT SCHEME!!! (“relaxed” commitment scheme is necessary and sufficient… see paper)

Page 17

Improving Generic Approach

• Need IND-CCA Enc and sUF-CMA Sig
  – Expensive
• What if implemented in RO model?
  – Say, PSS for Sig, OAEP/OAEP+ for Enc…
• Wasteful, need to “pad” twice!
  – Poor exact security
  – Poor message bandwidth
  – Less efficient
  – Need to store two independent keys
  – Aesthetics: inelegant
• Can we do (much) better? YES!

Page 18

Padding-based Parallel Signcryption

[Figure: CtE&S and PbPS side by side]

CtE&S: m -> Commit -> (d, c) -> EncR(d), SigS(c) -> (ψ, σ)
PbPS:  m -> “Two-Pad” -> (w, s) -> fR(w), fS^-1(s) -> (ψ, σ)

Page 19

Advantages of PbPS

• Replace expensive Enc and Sig by a TDP f and its inverse f^-1 (e.g., RSA)
• Can reuse f for sending and receiving
  – Entire PubU = f, SecU = f^-1
• Consistent with current PKI infrastructure suggested by PKCS#1
• Better exact security
• More efficient if “two-paddings” are fast
• What are these “two-paddings”???

Page 20

Universal Two-Paddings

• Invertible Pad(m) -> (w,s) s.t. for any TDP f
  – [f(w), s] is IND-CCA-secure encryption
  – [w, f^-1(s)] is sUF-CMA-secure signature
  – In fact, holds even if reuse the same f for both signature and encryption
• Lemma: if Pad is universal two-padding, then [fR(w), fS^-1(s)] is a secure signcryption in the two-user setting
  – Later extend to multi-user setting

Page 21

Two-Padding Results

• Note: must use Random Oracle Model as we use TDPs
• Give a wide variety of universal two-paddings:
  – Old: PSS-R, OAEP, OAEP+, SAP (“scramble all padding”)
  – New: many, most notably PSEP (mix of PSS-R & OAEP)
• All are special cases of one general construction!
  – In particular, found generalization of most padding schemes commonly used for plain signature/encryption

Page 22

Intuition Behind Construction

• Most known padding schemes already naturally consist of two pieces (w,s)
• Moreover, always have (w,s) = Feistel(d,c) for some pair (d,c).

[Figure: one Feistel round: (d, c) -> (w = c, s = H(c) ⊕ d)]

• Example: PSS-R
  – Have w = G(m,r), s = H(w) ⊕ (m,r).
  – Can write w = c, s = H(c) ⊕ d, where c = G(m,r), d = (m,r)
• What properties on (d,c) suffice??

Page 23

Extractable Commitment

Given by two properties:
1. (Strong) Hiding: c(m) looks random, for any m
   – usually holds anyway for any natural commitment
2. Extractability: using some “trapdoor” T, can find d from c.
   – There is an Extract(c,T) -> d procedure s.t. for any A:
     Pr[ (c,d) valid & Extract(c,T) ≠ d | (c,d) <- A ] = negl.
   – In the RO model, trapdoor T = RO queries made by A
• Note: extractability implies strong binding
  – Hard to find (c,d,d’) s.t. (c,d), (c,d’) are valid and d ≠ d’

Page 24

Feistel Two-Paddings

• Theorem: If Commit(m) -> (c,d) is an extractable commitment, then Pad(m) = (w = c, s = H(c) ⊕ d) is a universal two-padding scheme
• Note: we will see that all natural commitments in the RO model are anyway extractable
• Thus, essentially show that applying one round of Feistel to a pair (c,d) good for CtE&S, get a two-padding (w,s) good for PbPS!
  – Feistel allows to replace expensive Enc and Sig by a TDP f and its inverse f^-1 (e.g., RSA)

Page 25

Examples

• If c = G(m,r), d = (m,r) get PSS-R
• If c = G(r) ⊕ (m,0^k), d = r get OAEP
• If c = (G(r) ⊕ m, G’(m,r)), d = r get OAEP+
• If c = G(d) ⊕ m2, d = (m1,r,G’(m2)) get SAP
• Probabilistic Signature Encryption Padding (PSEP): arbitrarily split m = m1||m2 and set c = (G(r) ⊕ m1, G’(m2,r)), d = (m2,r)
  – if |m1|=0 get PSS-R, if |m2|=0 get OAEP
  – but now can achieve much higher bandwidth!
    E.g., with 1024-bit keys can fit 1600 bits of m

Page 26

Associated Data Support

• Associated data binds a public label L to m
  – L is transmitted in the clear, together with “actual” signcryption of m
  – Still, authentication applies to both L and m
  – Very useful in many contexts [Rogaway02]
• All our constructs easily support arbitrarily long associated data at nearly no cost!
  – Simply stick L into H during the Feistel round
• Simple two-user -> multi-user conversion
  – Add public keys of S and R as part of the label
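The Feistel two-padding of pages 22 to 26, instantiated with the PSEP commitment of page 25 and with the label L folded into H, as an added worked example (not code from the slides or the papers). SHAKE256 stands in for the random oracles G, G’, H; the byte lengths and domain-separation tags are assumptions.

```python
import hashlib
import os

# Assumed parameters (not from the slides): byte lengths of the PSEP split
# m = m1||m2, of the randomness r, and of the G' output.
M1_LEN, M2_LEN, R_LEN, G2_LEN = 16, 24, 16, 32


def _ro(tag: bytes, data: bytes, n: int) -> bytes:
    """Domain-separated stand-in for the random oracles G, G', H (SHAKE256)."""
    return hashlib.shake_256(tag + data).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def commit(m: bytes, r: bytes):
    """PSEP commitment: c = (G(r) xor m1, G'(m2, r)), d = (m2, r)."""
    m1, m2 = m[:M1_LEN], m[M1_LEN:]
    c = _xor(_ro(b"G", r, M1_LEN), m1) + _ro(b"G'", m2 + r, G2_LEN)
    return c, m2 + r


def pad(m: bytes, label: bytes, r: bytes = None):
    """One Feistel round with the label inside H: w = c, s = H(c, L) xor d."""
    assert len(m) == M1_LEN + M2_LEN
    r = os.urandom(R_LEN) if r is None else r
    c, d = commit(m, r)
    return c, _xor(_ro(b"H", c + label, len(d)), d)


def unpad(w: bytes, s: bytes, label: bytes):
    """Invert the round, re-derive the commitment and check it; None on mismatch."""
    c = w
    d = _xor(_ro(b"H", c + label, len(s)), s)
    m2, r = d[:M2_LEN], d[M2_LEN:]
    m1 = _xor(_ro(b"G", r, M1_LEN), c[:M1_LEN])
    if c[M1_LEN:] != _ro(b"G'", m2 + r, G2_LEN):
        return None  # (c, d) is not a valid pair: wrong label or modified pad
    return m1 + m2
```

In PbPS the two pads would then be sent as ψ = fR(w) and σ = fS^-1(s); the TDP itself and the matching of |w|, |s| to its domain are left out here.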

Page 27

Full PbPS scheme: 1. short messages, 2. long labels

[Figure: m -> Commit -> (d, c); H takes c together with the label L and the identities IDR, IDS and outputs (w, s); then ψ = fR(w), σ = fS^-1(s)]

Page 28

Signcrypting Long Messages

• Main Question: given good signcryption SC on short messages m, how to signcrypt arbitrarily long messages M?
• Approach: transform M -> (b,h) and set SC*(M) = (SC(b), h)
  – (note: want to have |b| << |M|)
• Sub-Question: what transformations T are needed to make SC* secure?
• Answer: concealments!

Page 29

Concealments

Recall, SC*(M) = (SC(b), h)
1. |b| < |M| (non-triviality)
2. Privacy: h should reveal “no information” about M (“hiding”)
   – Indeed, h goes “in the clear”
3. Authenticity: should be hard to “reuse” SC(b) (“binding”)
   – If find h’ such that (b,h’) is valid and h’ ≠ h, then (SC(b), h’) is a new forgery

CONCEALMENT SCHEME!!! (“relaxed” concealment scheme is necessary and sufficient… see paper)

Page 30

Commitment vs. Concealment

Commitment                                   | Concealment
• commitment c & decommitment d              | • hider h & binder b
• both hiding and binding is on c            | • hiding on h & binding on b
• always imply OWFs                          | • trivial if |b|=|M|
• useful even when |c|>|m| (i.t. binding)    | • otherwise imply CRHFs
• (Sig(c), Enc(d))                           | • (h, Signcrypt(b))

Page 31

Constructing Concealments

• Use one-time symmetric encryption (E,D)
• Set h = Eτ(M), b = (τ, K(h)), where K is CRHF
  – Hiding is obvious, binding is due to CRHF K
  – Notice, b is indeed short
• If SC supports (long) associated data, can set h = Eτ(M), b = τ and L = h (+extra label)
  – Binding since pair (b = τ, L = Eτ(M)) commits M
  – Nicely applies to PbPS
• Here is the final multi-user signcryption of long messages with associated data
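The first concealment of page 31 and the SC*(M) = (SC(b), h) composition of page 28, as an added worked example (not code from the slides or the papers). Assumptions: the one-time encryption E is XOR with a SHAKE256 keystream, K is SHA-256, and the short-message signcryption SC is passed in as a pair of callables.

```python
import hashlib
import hmac
import os

TAU_LEN = 32                 # assumption: length of the one-time key tau in bytes
BINDER_LEN = TAU_LEN + 32    # |b| = |tau| + |K(h)| with K = SHA-256, independent of |M|


def _keystream(tau: bytes, n: int) -> bytes:
    """Stand-in for the one-time symmetric encryption E: a SHAKE256 keystream (assumption)."""
    return hashlib.shake_256(b"E" + tau).digest(n)


def conceal(M: bytes, tau: bytes = None):
    """Concealment: h = E_tau(M) (hider, sent in the clear), b = (tau, K(h)) (short binder)."""
    tau = os.urandom(TAU_LEN) if tau is None else tau
    h = bytes(x ^ y for x, y in zip(M, _keystream(tau, len(M))))
    return tau + hashlib.sha256(h).digest(), h


def open_concealment(b: bytes, h: bytes):
    """Recover M from (b, h); None if h is not the hider that b binds to."""
    if len(b) != BINDER_LEN:
        return None
    tau, tag = b[:TAU_LEN], b[TAU_LEN:]
    if not hmac.compare_digest(hashlib.sha256(h).digest(), tag):
        return None  # binding check failed: h was replaced, so SC(b) cannot be reused
    return bytes(x ^ y for x, y in zip(h, _keystream(tau, len(h))))


def signcrypt_long(M: bytes, sc_short):
    """SC*(M) = (SC(b), h): only the fixed-size binder goes through the short-message SC."""
    b, h = conceal(M)
    return sc_short(b), h


def unsigncrypt_long(u: bytes, h: bytes, dv_short):
    """Inverse of SC*: recover b with the short-message DecVer, then open the concealment."""
    b = dv_short(u)
    return None if b is None else open_concealment(b, h)
```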

Page 32

Full-fledged PbPS scheme:

[Figure: M -> Eτ(M) under the one-time key τ; the short part (τ and the extra label π) -> Commit -> (d, c); H takes c together with L, Eτ(M) and the identities IDR, IDS and outputs (w, s); then ψ = fR(w), σ = fS^-1(s)]

Page 33

Conclusions

• Formally defined signcryption
  – importance of IDs, multi-user security, …
• Parallel Signcryption & its advantages
  – generic CtE&S paradigm
  – big improvement: PbPS
• Two-padding schemes
  – general Feistel construction from commitments
  – get many old paddings (PSS-R, OAEP, …) + new (PSEP)
• Concealment Primitive: define, construct + apps
• Full-fledged signcryption of long messages
  – flexibility, efficiency, simplicity, generality, security
  – consistent with existing standards/PKI

Page 34

Thank you

Page 39

Property                 | ZSCR | TBOS      | StE/EtS | CtE&S | This Work
Standard Assumption?     | No   | Yes       | Yes     | Yes   | Yes
Exact Security?          | Poor | Very poor | Good    | Good  | Excellent
Insider Security?        | No   | No        | Yes     | Yes   | Yes
Multi-User Setting?      | Yes  | No        | Yes     | Yes   | Yes
CCA2 Security?           | Yes  | Yes       | Yes/No  | No    | Yes
Strong Unforgeability?   | No   | No        | No/Yes  | No    | Yes
General Construction?    | No   | No        | Yes     | Yes   | Yes
Key Flexibility?         | No   | No        | Yes     | Yes   | Yes
Key Reuse (Short Key)?   | Yes  | No        | No      | No    | Yes
Avoid Special Set-up?    | No   | Yes       | Yes     | Yes   | Yes
Extract Plain Sig/Enc?   | No   | Only Sig  | Sig/Enc | Yes   | Yes
Associated Data?         | No   | No        | No      | No    | Yes
Compatible to PKCS#1?    | No   | Maybe     | Maybe   | Maybe | Yes
Parallel Operations?     | n/a  | No        | No      | Yes   | Yes

Page 40

Property                                 | ZSCR | TBOS               | StE/EtS            | CtE&S              | This Work
Bit Expansion on Long Messages           | 4096 | Expect > 1350 bits | Expect > 700 bits  | Expect > 2900 bits | Can make < 450 bits
Max message can fit inside 4096 bits     | 0?   | 0?                 | < 3000 bits        | < 1550 bits        | 3650 bits
Msg / Ciphertxt & Key in “native” scheme | n/a  | ? / 2048 & 4096    | 1550 / 2300 & 4096 | 1550 / 4096 & 4096 | 3650 / 4096 & 2048