Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London,

Presentation transcript:

Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London, U.K.

2 Signcryption
Introduced by Zheng in
Combines the advantages of public-key encryption and digital signatures:
– Confidentiality
– Integrity/Origin authentication
– Non-repudiation?
A relatively new type of primitive.
Two competing security models.

3 Signcryption
– Common Parameter Generation
– Sender Key Generation: (pk_S, sk_S)
– Receiver Key Generation: (pk_R, sk_R)
– Signcryption of message m using pk_R and sk_S
– Unsigncryption of signcryption C using pk_S and sk_R

4 Signcryption
An, Dodis and Rabin (2002) security model.
Two user model.
Outsider security
– Security against attacks made by third parties, i.e. anyone who isn’t the sender or the receiver.
Insider security
– Full security, prevents attacks against the integrity of the scheme made by the receiver.
Baek, Steinfeld and Zheng (2002) model.

5 Signcryption
Confidentiality. No third party should be able to learn any information about the message from the signcryption.
– IND security against attacker with encryption and decryption oracles.
Integrity. No party should be able to forge ciphertexts that purport to be from the sender.
– Existential unforgeability against attacker with the private key of the receiver and an encryption oracle.

6 Hybrid Signcryption
Adapts a well-known technique in public-key encryption schemes.
Involves using symmetric algorithms as subroutines in public-key schemes.
Typically involves randomly generating a symmetric key and an asymmetric encryption of that key.
Formalised for an encryption scheme by Cramer and Shoup (1998).

7 Hybrid Signcryption
Elegant solution for hybrid signcryption with outsider security proposed in ISC
Messy but workable solution for hybrid signcryption with insider security proposed in ACISP
Poor security reduction involving multiple terms
– Confidentiality relies on the KEM being unforgeable.
– We propose an elegant new solution using the Tag-KEM ideas of Abe et al (2005).

8 Tag-KEMs
– A public/private key generation algorithm.
– A symmetric key generation algorithm.
– An encapsulation algorithm.
– A decapsulation algorithm.
[Diagram: Sym takes pk and outputs K and ω; Encap takes ω and tag and outputs C; Decap takes sk, tag and C and outputs K.]

9 Tag-KEMs
[Diagram: Sym takes pk and outputs K and ω; ENC encrypts m under K to give C_2; Encap takes ω and the tag and outputs C_1.]
Combine with a (passively secure) symmetric encryption scheme to give a (strongly secure) asymmetric encryption scheme.

10 Tag-KEMs
[Diagram: Decap takes sk and C_1 and outputs K; DEC decrypts C_2 under K to give m.]
Decryption works in the obvious way.
Note that C_2 is acting both as the tag that allows the recovery of K and as the encryption of m.
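The Sym / Encap / Decap interface and the use of C_2 as the tag, as a runnable sketch. This is an added example, not code from the slides or the paper: the Tag-KEM here is a toy assumed for illustration (a hashed Diffie-Hellman KEM with an HMAC over the tag), the group parameters are constructed and not suitable for real use, and the function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy parameters, constructed for illustration only (not a secure choice).
P = 2**255 - 19
G = 2

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def _derive(shared, c_kem):
    # Split one hash output into the DEM key K and a MAC key mk.
    h = hashlib.sha512(shared.to_bytes(32, "big") + c_kem).digest()
    return h[:32], h[32:]

def sym(pk):
    """Sym(pk) -> (K, omega): the symmetric key is fixed before the tag exists."""
    r = secrets.randbelow(P - 2) + 1
    c_kem = pow(G, r, P).to_bytes(32, "big")
    K, mk = _derive(pow(pk, r, P), c_kem)
    return K, (c_kem, mk)

def encap(omega, tag):
    """Encap(omega, tag) -> C_1: binds the encapsulation to the tag."""
    c_kem, mk = omega
    return c_kem + hmac.new(mk, tag, hashlib.sha256).digest()

def decap(sk, c1, tag):
    """Decap(sk, C_1, tag) -> K, or None if C_1 is not valid for this tag."""
    c_kem, mac = c1[:32], c1[32:]
    K, mk = _derive(pow(int.from_bytes(c_kem, "big"), sk, P), c_kem)
    ok = hmac.compare_digest(mac, hmac.new(mk, tag, hashlib.sha256).digest())
    return K if ok else None

def _stream(K, n):
    # One-time, passively secure DEM: XOR with a SHAKE-256 keystream.
    return hashlib.shake_256(K).digest(n)

def encrypt(pk, m):
    K, omega = sym(pk)
    c2 = bytes(a ^ b for a, b in zip(m, _stream(K, len(m))))
    return encap(omega, c2), c2      # C_2 is both the ciphertext and the tag

def decrypt(sk, c1, c2):
    K = decap(sk, c1, c2)
    if K is None:
        return None                  # C_2 is not the tag that C_1 was bound to
    return bytes(a ^ b for a, b in zip(c2, _stream(K, len(c2))))
```

Flipping any bit of C_2 makes Decap reject before the DEM is ever run, which is how an unauthenticated symmetric cipher ends up inside a scheme that resists ciphertext tampering.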

11 Signcryption Tag-KEMs
[Diagram: Sym takes pk and outputs K and ω; ENC encrypts m under K to give C_2; Encap takes ω and the tag and outputs C_1.]

12 Signcryption Tag-KEMs
[Diagram: Sym takes sk_S and pk_R and outputs K and ω; ENC encrypts m under K to give C_2; Encap takes ω and the tag and outputs C_1.]
Confidentiality proven in the same way as for public-key encryption: it must be infeasible to gain any information about a symmetric key from its encapsulation.
To get integrity protection we must insist that it is infeasible to produce a pair (tag, C_1) where C_1 decapsulates properly to give a key K with the given tag – in other words C_1 acts as a strongly secure signature on tag.

13 Signcryption Tag-KEMs
Many existing signcryption schemes can be thought of as using SCTKs implicitly.
We show Zheng’s scheme can be proven secure as a signcryption Tag-KEM.
– The security reduction for confidentiality is:
– In the KEM case, this was:

14 Signcryption Tag-KEMs
We also propose a new signcryption scheme based on the Chevallier-Mames signature scheme (2005).
This has the tightest security bounds of any signcryption scheme we could find:
– Tight reduction to GDH for confidentiality
– Tight reduction to CDH for integrity
Reasonably efficient.

15 Open Problems
Non-repudiation presents an interesting challenge. Does the existence of the symmetric key K help with non-repudiation?
Signcryption Tag-KEMs are very similar to signature schemes. Can we find a method for turning a general signature scheme into a signcryption scheme? How about a Fiat-Shamir signature scheme?

16 Conclusions
We presented a new paradigm for constructing signcryption schemes, which
– Has all the advantages associated with hybrid encryption,
– Does not have the disadvantages of previous attempts to produce hybrid signcryption paradigms.
We presented two schemes in this model, including a completely new scheme with the best known security bounds of any signcryption scheme.
We also discuss (in the paper) the use of SCTKs as a key agreement mechanism.