1
An Efficient Signcryption Scheme with Key Privacy
  • Speaker Travis Chung Ki Li
  • MPhil Student in CS Department
  • City University of Hong Kong
  • Joint work with Duncan Wong, Guomin Yang,
  • Xiaotie Deng, Sherman S.M. Chow

2
Trigger
  • In IPL 2006, Tan pointed out that the signcryption
    scheme proposed by Yang, Wong and Deng (ISC 2005)
    was flawed
  • It cannot provide confidentiality and anonymity as
    claimed

3
Trigger
  • Tan did not suggest any solution to fix the
    problems
  • Is there any anonymous signcryption scheme that is
    secure against Tan's attack?
  • It was still not known whether the YWD scheme could
    be improved to a secure one

4
Agenda
  • Introduction
  • Yang Wong Deng Scheme
  • Tan's Attack
  • Our Construction
  • Security Analysis

5
Introduction
  • Signcryption was introduced by Zheng in 1997
  • Combines signature and encryption
  • Lower computational cost and lower communication
    overhead than signing and encrypting separately
  • Suitable for many applications that use resource-
    limited devices

6
Introduction
  • Baek et al. first defined a set of security
    notions for signcryption (2002)
  • The notions are analogous to the traditional
    Indistinguishability against Chosen Ciphertext
    Attacks (IND-CCA2) and Existential Unforgeability
    against Chosen Message Attacks (EUF-CMA)

J. Baek, R. Steinfeld, and Y. Zheng. Formal
proofs for the security of signcryption. In
PKC '02, pages 80–98. Springer-Verlag, 2002. LNCS
2274.
7
Introduction
  • An et al. introduced a notion called Insider
    Security (2002)
  • The adversary has access not only to the public keys
    of both sender and receiver
  • But also to the private key of the sender

J. H. An, Y. Dodis, and T. Rabin. On the security
of joint signature and encryption. In Proc.
EUROCRYPT 2002, pages 83–107. Springer-Verlag,
2002. LNCS 2332.
8
Introduction
  • Boyen proposed a new set of signcryption security
    models in the identity-based cryptographic setting
    (2003)
  • One of them is called Ciphertext Anonymity

X. Boyen. Multipurpose identity-based
signcryption: A swiss army knife for
identity-based cryptography. In Proc. CRYPTO
2003, pages 383–399. Springer-Verlag, 2003. LNCS
2729.
9
Ciphertext Anonymity
  • An extension of Key Privacy, which was introduced
    by Bellare et al. (2001)
  • The ciphertext should hide the identities of both
    sender and receiver

M. Bellare, A. Boldyreva, A. Desai, and D.
Pointcheval. Key-privacy in public-key
encryption. In Proc. ASIACRYPT 2001, pages
566–582. Springer-Verlag, 2001. LNCS 2248.
10
Ciphertext Anonymity
  • Libert and Quisquater proposed a signcryption
    scheme (2004)
  • Claimed to be insider secure under IND-CCA2,
    EUF-CMA and Ciphertext Anonymity

B. Libert and J.-J. Quisquater. Efficient
signcryption with key privacy from gap
Diffie-Hellman groups. In PKC '04, pages 187–200.
Springer-Verlag, 2004. LNCS 2947.
11
Libert-Quisquater Scheme
  • Tan and Yang et al. independently showed that the
    Libert-Quisquater scheme is flawed
  • Yang et al. also gave a modification (the YWD
    scheme), which supports parallel processing

C. H. Tan. On the security of signcryption scheme
with key privacy. IEICE Trans. Fundam. Electron.
Commun. Comput. Sci., E88-A(4):1093–1095, 2005.
G. Yang, D. S. Wong, and X. Deng. Analysis and
improvement of a signcryption scheme with key
privacy. In 8th Information Security Conference
(ISC '05), pages 218–232, 2005. LNCS 3650.
12
YWD Scheme
  • Recently, Tan showed that the YWD scheme is neither
    IND-CCA2 secure nor Ciphertext Anonymous (2006)
  • However, no improvement has been proposed

C. H. Tan. Analysis of improved signcryption
scheme with key privacy. Information Processing
Letters, 99(4):135–138, August 2006.
13
Our Result
  • We propose a modification of the YWD scheme
  • It solves the security issues with improved
    efficiency
  • It reduces the number of operations, and the scheme
    is proved with a tighter reduction bound

14
Security Model for Signcryption
  • Confidentiality (SC-IND-CCA)
  • Unforgeability (SC-EUF-CMA)
  • Ciphertext Anonymity (SC-ANON-CCA)

15
Security Model with Key Privacy
  • The Challenger C generates two key pairs
    (sk_{R,0}, pk_{R,0}) and (sk_{R,1}, pk_{R,1}) and
    gives pk_{R,0}, pk_{R,1} to the Distinguisher D
  • D adaptively queries Signcrypt(m, sk_{R,c}, pk_R)
    and Designcrypt(δ, sk_{R,c}), where pk_R ≠ pk_{R,c},
    for c = 0 or 1
  • D outputs two valid and distinct private keys
    sk_{S,0}, sk_{S,1} and a plaintext m
  • C randomly chooses b, b' in {0,1} and sends the
    challenge ciphertext δ* = Signcrypt(m, sk_{S,b},
    pk_{R,b'}) to D

16
Security Model with Key Privacy
  • D makes queries as in step 2, except that it may
    not designcrypt the challenge ciphertext δ*
  • D outputs two bits (d, d') and wins the game if
    (d, d') = (b, b')
  • Adv^{anon-cca}(D) = | Pr[(d, d') = (b, b')] − 1/4 |

17
YWD Scheme
18
YWD Scheme
19
Tan's attack against adaptive chosen ciphertext
attack
  • Adversary A determines which plaintext of (m0, m1)
    is encrypted in the challenge ciphertext C = (U, W, Z)
  • A guesses that m0 is encrypted
  • Under the insider security notion, A knows the
    sender's private key x_S
  • A reuses the randomness in U
  • A forms a new ciphertext C' = (U, W', Z')
  • A recovers m' from C' with the help of the
    designcryption oracle

20
Tan's attack against adaptive chosen ciphertext
attack
  Y_S' = x_S' P                          (A picks a fresh sender key pair)
  V  = x_S  H1(m0, U, Y_R)               (the V that m0 would produce)
  V' = x_S' H1(m', U, Y_R)               (a valid V for m' under the new key)
  W' = (V ⊕ V') ⊕ W
  Z' = ((m' ⊕ m0) || (Y_S' ⊕ Y_S)) ⊕ Z
  C' = (U, W', Z')
  C' = (U, W', Z') is submitted to the Designcryption Oracle, which recovers
  m'' || Y_S'' = Z' ⊕ H3(U, Y_R, x_R U)
  If m'' = m', then m0 was used; else m1 was used
21
Tan's attack against Ciphertext Anonymity
  • D distinguishes which private key (x_{S,0} or x_{S,1})
    and which public key (Y_{R,0} or Y_{R,1}) were used in
    the challenge ciphertext C = (U, W, Z)
  • D prepares a message m' and a private key x_S' in Z_q
  • D calculates C_{i,j} = (U, W_{i,j}, Z_i) for each guess
    (i, j), as in the CCA2 attack
  • D submits C_{i,j} to the designcryption oracle
  • If the designcrypted message m_{i,j} = m', then D can
    make the correct guess (b, b') = (i, j)
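The two attacks on slides 20 and 21 share one step: recompute the V that the guessed plaintext and keys would have produced, then XOR that guess out of W and Z and a fresh, self-signed (V', m', Y_S') in. The Python below is an added example, not code from the slides or from the authors; it plays both games end to end. It models only the structure visible on slide 20 (U = rP, V = x_S H1(m, U, Y_R), W = V ⊕ mask, Z = (m || Y_S) ⊕ H3(U, Y_R, rY_R)) over a constructed toy group. The mask H2 on W, the fixed message length, the toy pairing e(aP, bP) = ab mod q, the verification equation e(V, P) = e(H1(m, U, Y_R), Y_S) and the sample messages are assumptions of this example, not details taken from the page or from the YWD scheme.

```python
import hashlib
import secrets

# Toy algebra constructed for this example (not the scheme's real GDH group): G1 is
# Z_q written additively with generator P = 1, so "aP" is just a mod q, and
# e(aP, bP) = ab mod q stands in for the pairing. Discrete logs are trivial here;
# only the XOR-malleability of W and Z is being modelled.
Q = (1 << 61) - 1          # prime order of the toy group
ELEM = 8                   # byte width used to encode a Z_q element
MSG_LEN = 8                # fixed message length in bytes

def e(a, b):               # bilinear, and e(P, cP) == e(aP, bP) iff cP == abP (slide 26)
    return (a * b) % Q

def enc(v):
    return int(v).to_bytes(ELEM, "big")
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _h(tag, *parts):
    h = hashlib.sha256(tag.encode())
    for p in parts:
        h.update(p if isinstance(p, bytes) else enc(p))
    return h.digest()

def H1(m, U, Y_R):         # hash into G1; takes no secret input (slide 22)
    return int.from_bytes(_h("H1", m, U, Y_R), "big") % Q
def H2(K):                 # mask for W (assumed form)
    return _h("H2", K)[:ELEM]
def H3(U, Y_R, K):         # mask for Z
    return _h("H3", U, Y_R, K)[:MSG_LEN + ELEM]

def keygen():              # returns (x, Y = xP); P = 1 here
    x = secrets.randbelow(Q - 1) + 1
    return x, x

def signcrypt(m, x_S, Y_S, Y_R):
    r = secrets.randbelow(Q - 1) + 1
    U, K = r, (r * Y_R) % Q              # U = rP; K = rY_R, recomputed by R as x_R U
    V = (x_S * H1(m, U, Y_R)) % Q        # V = x_S H1(m, U, Y_R)
    W = xor(enc(V), H2(K))               # W = V xor H2(rY_R)
    Z = xor(m + enc(Y_S), H3(U, Y_R, K)) # Z = (m || Y_S) xor H3(U, Y_R, rY_R)
    return U, W, Z

def designcrypt(C, x_R, Y_R):
    """Returns (m, Y_S) if the embedded signature verifies, else None."""
    U, W, Z = C
    K = (x_R * U) % Q
    V = int.from_bytes(xor(W, H2(K)), "big")
    mY = xor(Z, H3(U, Y_R, K))
    m, Y_S = mY[:MSG_LEN], int.from_bytes(mY[MSG_LEN:], "big")
    return (m, Y_S) if e(V, 1) == e(H1(m, U, Y_R), Y_S) else None  # e(V, P) == e(H1(m, U, Y_R), Y_S)?

def remask(C, V_old, V_new, m_old, m_new, Y_old, Y_new):
    """Slide 20's step: keep U, XOR the guessed (V, m, Y_S) out of W and Z and the
    attacker's own (V', m', Y_S') in. The result verifies iff the guess was right."""
    U, W, Z = C
    W2 = xor(xor(enc(V_old), enc(V_new)), W)                      # W' = (V xor V') xor W
    Z2 = xor(xor(m_old, m_new) + xor(enc(Y_old), enc(Y_new)), Z)  # Z' = ((m xor m') || (Y_S xor Y_S')) xor Z
    return U, W2, Z2

def tan_cca_attack(C, m0, x_S, Y_S, Y_R, oracle):
    """Insider IND-CCA2 attack of slide 20: A knows x_S, guesses that m0 is inside C,
    and queries the designcryption oracle on C' != C. Returns A's bit."""
    U = C[0]
    x_S2, Y_S2 = keygen()                       # fresh sender key, Y_S' = x_S' P
    m2 = xor(m0, b"\x01" * MSG_LEN)             # any m' != m0, so that C' != C
    V = (x_S * H1(m0, U, Y_R)) % Q              # the V that m0 would have produced
    V2 = (x_S2 * H1(m2, U, Y_R)) % Q            # V' = x_S' H1(m', U, Y_R)
    out = oracle(remask(C, V, V2, m0, m2, Y_S, Y_S2))
    return 0 if out is not None and out[0] == m2 else 1

def tan_anon_attack(C, m, senders, receiver_pks, oracles):
    """Key-privacy attack of slide 21: senders[i] = (x_S,i, Y_S,i) were chosen by D,
    receiver_pks[j] = Y_R,j, and oracles[j] designcrypts under sk_R,j. Returns (b, b')."""
    U = C[0]
    x_S2, Y_S2 = keygen()
    m2 = xor(m, b"\x01" * MSG_LEN)
    for i, (x_Si, Y_Si) in enumerate(senders):
        for j, Y_Rj in enumerate(receiver_pks):
            V_ij = (x_Si * H1(m, U, Y_Rj)) % Q       # V under guess (i, j)
            V2_j = (x_S2 * H1(m2, U, Y_Rj)) % Q      # V' towards receiver j
            out = oracles[j](remask(C, V_ij, V2_j, m, m2, Y_Si, Y_S2))  # C_ij = (U, W_ij, Z_i)
            if out is not None and out[0] == m2:
                return i, j
    return None

def run_games(trials=20):
    """Plays both games `trials` times; returns (cca_wins, anon_wins)."""
    cca = anon = 0
    m0, m1 = b"attack@9", b"retreat!"                   # constructed sample messages
    for _ in range(trials):
        (x_S, Y_S), (x_R, Y_R) = keygen(), keygen()
        b = secrets.randbelow(2)
        C = signcrypt((m0, m1)[b], x_S, Y_S, Y_R)
        oracle = lambda C2, C=C: None if C2 == C else designcrypt(C2, x_R, Y_R)
        cca += tan_cca_attack(C, m0, x_S, Y_S, Y_R, oracle) == b
        senders, recv = [keygen(), keygen()], [keygen(), keygen()]
        b, b2 = secrets.randbelow(2), secrets.randbelow(2)
        C = signcrypt(m0, *senders[b], recv[b2][1])
        oracles = [lambda C2, j=j, C=C: None if C2 == C else designcrypt(C2, *recv[j]) for j in range(2)]
        anon += tan_anon_attack(C, m0, senders, [Y for _, Y in recv], oracles) == (b, b2)
    return cca, anon
```

`run_games(20)` returns `(20, 20)`: both attacks win every trial, and the oracle never has to be asked about the challenge itself because m' ≠ m0 already makes Z' ≠ Z. What the toy isolates is the observation on slide 22: H1 binds no secret, so an insider can recompute V for any candidate (m, x_S, Y_R), and a one-time-pad style mask lets that candidate be swapped for a self-signed one without ever learning the mask.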

22
Weakness of YWD Scheme
  • Since H1 does not involve any secret value, the
    component V can be easily reconstructed under the
    insider security notion
  • The attack then goes through the malleability of
    W and Z

23
Our Construction
24
Our Construction
25
Security Analysis
  • Let k be the security parameter
  • In the random oracle model
  • If there is a PPT algorithm which breaks the
    SC-IND-CCA / SC-EUF-CMA / SC-ANON-CCA security with
    advantage at least ε(k)
  • Then there exists a PPT algorithm which solves the
    Gap Diffie-Hellman problem with non-negligible
    probability

26
Gap Diffie-Hellman Problem
  • Decisional Diffie-Hellman (DDH) problem:
    distinguish the distributions
    <P, aP, bP, abP> and <P, aP, bP, cP>
  • Computational Diffie-Hellman (CDH) problem:
    compute abP from <P, aP, bP>
  • Gap Diffie-Hellman (GDH) problem:
    solve a CDH instance given a DDH oracle
  • With a bilinear map e, the DDH oracle is free:
    e(P, cP) = e(aP, bP) iff cP = abP

27
Proof Sketch
  • Prove by contradiction
  • Suppose there exists an adversary A who wins the
    SC-IND-CCA / SC-EUF-CMA / SC-ANON-CCA game with
    non-negligible advantage
  • With the help of a DDH solver (the pairing)
  • Construct an algorithm B which runs A to solve the
    CDH problem in G1

28
Conclusion
  • Provides a solution to Tan's attacks
  • A signcryption scheme proven secure for
    confidentiality, unforgeability and ciphertext
    anonymity
  • Under the GDH assumption in the random oracle
    model
  • Efficient: requires even fewer operations than the
    YWD scheme

29
Thank you!