Cryptanalysis of Tseng et al.’s authenticated encryption schemes


Cryptanalysis of Tseng et al.’s authenticated encryption schemes
Source: Applied Mathematics and Computation 158 (2004) 1-5
Authors: Qi Xie, Xiu Yuan Yu
Speaker: Hao-Wen Huang
Date: 2004/12/15

Outline
- Brief review of Tseng et al.’s authenticated encryption scheme with message linkages
- Cryptanalysis and improvement
- Conclusion

§2. Tseng et al.’s scheme
- Initialization phase
- Signature generation phase
- Message recovery phase

§2.1. System initialization phase
1> $p$ and $q$ are large primes such that $p = 2p' + 1$ and $q = 2q' + 1$, where $p'$ and $q'$ are also primes.
2> Compute $N = pq$. Let $g$ be a generator of a multiplicative subgroup of order $p'q'$. $h()$ is a one-way hash function.
Notation: green → secret, red → public
There are a signer A ($ID_A$), a specified verifier B ($ID_B$) and one trusted center.
3> $P_A = g^{x_A} \bmod N$ and $P_B = g^{x_B} \bmod N$, where $x_A$ and $x_B$ are A’s and B’s secret keys, respectively.
4> $P_A, P_B$ → trusted center
5> The center publishes $Y_A = (P_A - ID_A)^{h(ID_A)^{-1}}$ and $Y_B = (P_B - ID_B)^{h(ID_B)^{-1}}$, which are A’s and B’s public keys, respectively.

§2.2. Signature generation phase
Message $M = \{M_1, M_2, \ldots, M_n\}$
1> Set $r_0 = 0$ and select a random number $k$.
2> Compute $t = (Y_B^{h(ID_B)} + ID_B)^k \bmod N$.
3> Compute $r_i = M_i \cdot h(r_{i-1} \oplus t) \bmod N$ for $i = 1, 2, \ldots, n$.
4> Compute $s = k - x_A r$, where $r = h(r_1 \| r_2 \| \cdots \| r_n)$.
5> A → B: $(r, s, r_1, r_2, \ldots, r_n)$

§2.3. Message recovery phase
1> B computes $r' = h(r_1 \| r_2 \| \cdots \| r_n)$ and checks $r' \stackrel{?}{=} r$.
2> Solve for $t$ by the following procedure:
[step1] $g^k = g^s (Y_A^{h(ID_A)} + ID_A)^r \bmod N$
[step2] $t = (g^k)^{x_B} \bmod N$
3> Recover the message $\{M_1, M_2, \ldots, M_n\}$: $M_i = r_i \cdot h(r_{i-1} \oplus t)^{-1} \bmod N$
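The three phases of §2.1 to §2.3 run end to end, as an added Python example that is not code from the slides or from Tseng et al. Assumptions: the toy primes, the toy hash `h`, the fixed `k` passed in by the caller, and taking the inverse of $h(ID)$ modulo $\lambda(N)$ are choices made here so the round trip runs (Python 3.8+ for negative exponents in `pow`).

```python
import hashlib

# Toy parameters (constructed for illustration; far too small for real use).
P1, Q1 = 1019, 1031              # p', q'
P, Q = 2 * P1 + 1, 2 * Q1 + 1    # safe primes p = 2039, q = 2063
N, LAM = P * Q, 2 * P1 * Q1      # LAM = lambda(N), assumed known only to the center
G = 4                            # a square mod N, so its order divides p'q'
assert pow(G, P1, N) != 1 and pow(G, Q1, N) != 1   # order is exactly p'q'

def h(*parts):
    """Toy hash: an odd value below p', so it is invertible mod N and mod LAM."""
    d = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return 2 * (int.from_bytes(d, "big") % 509) + 1

def register(ident, x):
    """Center (2.1): Y = (P - ID)^(h(ID)^-1) with P = g^x mod N."""
    return pow((pow(G, x, N) - ident) % N, pow(h(ident), -1, LAM), N)

def public_value(ident, y):
    """Anyone: rebuild P = Y^h(ID) + ID mod N from the published Y."""
    return (pow(y, h(ident), N) + ident) % N

def sign(blocks, x_a, id_b, y_b, k):
    """Signer A (2.2): returns (r, s, [r_1..r_n]) for verifier B."""
    t = pow(public_value(id_b, y_b), k, N)
    rs, prev = [], 0                      # r_0 = 0
    for m in blocks:
        prev = m * h(prev ^ t) % N        # r_i = M_i * h(r_{i-1} XOR t)
        rs.append(prev)
    r = h(*rs)
    return r, k - x_a * r, rs             # s is an integer and may be negative

def recover(sig, x_b, id_a, y_a):
    """Verifier B (2.3): returns the message blocks, or None if r' != r."""
    r, s, rs = sig
    if h(*rs) != r:
        return None
    gk = pow(G, s, N) * pow(public_value(id_a, y_a), r, N) % N   # step 1
    t = pow(gk, x_b, N)                                           # step 2
    out, prev = [], 0
    for ri in rs:
        out.append(ri * pow(h(prev ^ t), -1, N) % N)
        prev = ri
    return out
```

Only the holder of $x_B$ can compute $t$, which is why the scheme names a specified verifier.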

§3. Cryptanalysis and improvement (1/3)
Case 1: If the specified verifier B substitutes $x_B$, he can forge the signature for any message.
Suppose B wants to forge the signature for the message $E = \{E_1, E_2, \ldots, E_n\}$.
1> Compute $\sigma_i = E_i \cdot h(\sigma_{i-1} \oplus t) \bmod N$ for $i = 1, 2, \ldots, n$ with $\sigma_0 = 0$, and $\sigma = h(\sigma_1 \| \sigma_2 \| \cdots \| \sigma_n)$.
2> Solve $x'_B$ from $r x_B = \sigma x'_B$, then solve $s'$ from $s x_B = s' x'_B$.
3> Compute $P'_B = g^{x'_B} \bmod N$; then B asks the trusted center to publish a new public key $Y'_B$.

§3. Cryptanalysis and improvement (2/3)
Case 1: If the specified verifier B substitutes $x_B$, he can forge the signature for any message.
4> $(\sigma, s', \sigma_1, \sigma_2, \ldots, \sigma_n)$ is a valid set of signature blocks.
Proof:
$[g^{s'} (Y_A^{h(ID_A)} + ID_A)^{\sigma}]^{x'_B} \bmod N$
$= g^{s' x'_B} (Y_A^{h(ID_A)} + ID_A)^{\sigma x'_B} \bmod N$
$= g^{s x_B} (Y_A^{h(ID_A)} + ID_A)^{r x_B} \bmod N$
$= (g^k)^{x_B} \bmod N$
$= t \bmod N$

§3. Cryptanalysis and improvement (3/3)
Case 2: If the signer A generates signatures with this scheme for two or more specified verifiers, they can cooperate to forge the signature for any message.
Improved approach: signature blocks $(r, s, r_1, r_2, \ldots, r_n)$ → $(r, s, g^k, r_1, r_2, \ldots, r_n)$

Conclusion
Tseng et al.’s scheme is not secure; a small modification is given to improve it.