Hybrid Signcryption with Insider Security Alexander W. Dent.

Slides:

Advertisements

Similar presentations

Sri Lanka Institute of Information Technology

Advertisements

Cryptography and Network Security

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

Digital Signatures and Hash Functions. Digital Signatures.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

A Designer’s Guide to KEMs Alex Dent

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Cryptographic Technologies

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Cryptography and Network Security Chapter 11. Chapter 11 – Message Authentication and Hash Functions At cats' green on the Sunday he took the message.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

1 Intro To Encryption Exercise Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Hybrid Signcryption with Outsider Security

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London,

A Brief History of Provable Security and PKE Alex Dent Information Security Group Royal Holloway, University of London.

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Information Security. Information Security Requirements Confidentiality: Protection from disclosure to unauthorised persons Access control: Unauthorised.

Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.

8. Data Integrity Techniques

Bob can sign a message using a digital signature generation algorithm

Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.

1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

Digital signature in automatic analyses for confidentiality against active adversaries Ilja Tšahhirov, Peeter Laud.

10/1/2015 9:38:06 AM1AIIS. OUTLINE Introduction Goals In Cryptography Secrete Key Cryptography Public Key Cryptograpgy Digital Signatures 2 10/1/2015.

Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures Masayaki Abe, NTT Jens Groth, University College London Miyako Ohkubo, NICT.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

Cryptography Lecture 9 Stefan Dziembowski

Fall 2002CS 395: Computer Security1 Chapter 11: Message Authentication and Hash Functions.

Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,

Signcryption Parshuram Budhathoki Department of Mathematical Sciences Florida Atlantic University April 18, 2013

11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.

Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.

Digital Signatures, Message Digest and Authentication Week-9.

Lecture 2: Introduction to Cryptography

Prepared by Dr. Lamiaa Elshenawy

A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,

S EMINAR P RESENTATION ON N OTIONS OF S ECURITY 1 S M Masud Karim January 18, 2008 Bonn, Germany.

A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa, Ibaraki Univ. Yvo Desmedt, UCL and FSU.

COM 5336 Lecture 8 Digital Signatures

Copyright 2004 MayneStay Consulting Group Ltd. - All Rights Reserved Jan-041 Security using Encryption Security Features Message Origin Authentication.

Cryptography Lecture 10 Arpita Patra © Arpita Patra.

Secure Instant Messenger in Android Name: Shamik Roy Chowdhury.

Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.

Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:

Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.

Cryptography and Network Security Chapter 13

Cryptographic Hash Function

Authenticated encryption

Cryptography Lecture 26.

Chapter 11 – Message Authentication and Hash Functions

Cryptography Lecture 25.

Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS

Topic 13: Message Authentication Code

Cryptography Lecture 21.

Cryptography Lecture 25.

Digital Signatures Network Security.

Presentation transcript:

Hybrid Signcryption with Insider Security Alexander W. Dent

2 Signcryption Introduced by Zheng Combines advantages of PKE and signatures: – Confidentiality – Integrity/Origin authentication – Non-repudiation? A relatively new type of primitive. We haven’t even agreed a security model yet.

3 Signcryption A common parameter generation algorithm. A receiver key-pair (pk R,sk R ) generation algorithm. A sender key-pair (pk S,sk S ) generation algorithm. A generation-encryption algorithm. A verification-decryption algorithm.

4 Signcryption An, Dodis and Rabin (2002) security model. This is a two user model. Outsider security – Security against all third parties, i.e. anyone who isn’t the sender or receiver. Insider security – Full security, including integrity protection against attacks made by the receiver. Baek, Steinfeld and Zheng (2002) model.

5 Signcryption: confidentiality No third party can distinguish between a signcryption of one message and a signcryption of another message. Normal IND criteria, except that we must provide the attacker with encryption and decryption oracles. We do not consider forward security (with can be expressed using the Baek et al. model).

6 Signcryption: integrity Attacker in possession of the receiver’s private key must attempt to forge a signcryption from the sender. Normal existential unforgeability game. Attacker has access to an encryption oracle for the sender.

7 Signcryption: non-repudiation The ability for a third party to check that a given signcryption is a proper signcryption of a given message. Not required for most applications. Most signcryption schemes “cheat” and use NIZK proofs. A trend that we will continue. See Malone-Lee (2004).

8 Hybrid encryption Involves the use of black-box symmetric algorithms with certain security properties. Very popular trick: – ECIES/DHAES – Fujisaki-Okamoto and related transforms. Most use the same “trick” of encrypting a random symmetric key with the asymmetric algorithm. Formalised by Cramer and Shoup (2004).

9 Hybrid encryption KEM DEM pk m C2C2 C1C1 K Provides the confidentiality service (against active attackers). Controls the security service by generating random symmetric keys.

10 Hybrid signcryption KEM DEM pk m C2C2 C1C1 K

11 Hybrid signcryption KEM DEM pk R m C2C2 C1C1 K sk S

12 Hybrid signcryption KEM DEM pk S mC2C2 C1C1 K sk R The attacker finds a valid signcryption (C 1,C 2 ). Recovers the key K associated with C 1. Computes C 2 ’=DEM K (m’). (C 1,C 2 ) is a forgery. There must be a binding between the message m, the encapsulation C 1 and the symmetric key K.

13 Hybrid signcryption KEM DEM pk R m C2C2 C1C1 K sk S

14 Hybrid signcryption KEM DEM pk R m C2C2 C1C1 K sk S

15 Hybrid signcryption KEM DEM pk S m C2C2 C1C1 K sk R VER m pk R sk S m

16 Hybrid signcryption Note that the KEM necessarily provides a signature on the message, where – The signing algorithm is given by KEM. – The verification algorithm is given by VER. Therefore, the KEM provides the integrity service......and the DEM only has to provide a confidentiality service. Arguably closer to Fujisaki-Okamoto than Cramer-Shoup.

17 Hybrid signcryption: confidentiality KEM DEM pk R m C2C2 C1C1 K sk S The KEM must be IND secure, i.e. produces keys that look random to the attacker. The DEM must be IND secure, i.e. it must be impossible to tell which message a ciphertext is an encryption of. Since the KEM is providing integrity protection, the DEM only needs to be passively secure. The KEM must be INP secure, i.e. it must be impossible to tell which message an encapsulation is associated with.

18 Hybrid signcryption: integrity KEM DEM pk S m C2C2 C1C1 K sk R VER pk R sk S m Must be existentially unforgeable, i.e. it must be impossible for any attacker to find a message/encapsulation pair that the VER algorithm accepts as valid.

19 Hybrid signcryption Need to present a scheme to demonstrate practicality of this construction paradigm. Many schemes already exist in the literature. In particular, the Baek et al. variant of Zheng’s original signcryption scheme is provably secure as a hybrid signcryption scheme. Note that efficiency can be gained by re-using in the VER variables calculated in the KEM.

20 Open problems Can we use this framework to prove the security of previously unproven schemes? Can we use this framework to develop new schemes? Schemes with better non-repudiation properties?

21 Open problems No satisfactory model for multi-user security. Multi-user model should allow the attacker to initiate users, replace public keys, corrupt users, make test queries, force users to encrypt messages, force users to decrypt signcryptions. Similar to Certificateless PKE security model. Should be easy for outsider security!

22 Open problems KEYENC DEC pktag KC1C1 K skC1C1 tag state Tag-KEM construction for PKE introduced by Abe, Gennaro and Kurosawa (2005). Implicit link between the message (in the form of the DEM encryption C 2 ) and the symmetric key used to encrypt it! Great potential for more efficient insider secure hybrid signcryption schemes.

23 Conclusions Signcryption schemes can be built using a hybrid approach, separating the scheme into independent building blocks. Most known schemes have implicitly used this construction. However, more work can be done in this particularly under-researched area.