Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptanalysis of Tseng et al.’s authenticated encrption schemes

Published byGülistan Uyanık Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptanalysis of Tseng et al.’s authenticated encrption schemes"— Presentation transcript:

1 Cryptanalysis of Tseng et al.’s authenticated encrption schemes
Source: Applied Mathematics and Computation 158(2004) 1-5 Authors: Qi Xie, Xiu Yuan Yu Speaker: Hao-Wen Huang Date: 2004/12/15

2 Outline Brief review of the Tseng et al.’s authenticated encrption scheme with message linkages Cryptanalysis and improvement Conclusion

3 §2. Tseng et al.’s scheme Initialization phase
Signature generation phase Message recovery phase

4 §2.1. System initialization phase
1> p and q are large primes s.t. p=2 p’ +1 and q =2 q’ +1,where p’ and q’ are still primes. 2>compute N= pq Let g be a generator of a multiplicative subgroup with order p’ q’ h() is a one-way hash function. Notation: green  secret red  public There are signer A (IDA) ,a specified verifier B(IDB) and one trusted center. 3>PA=gxA mod N and PB=gxB mod N, where XA and XB are w.r.t. A’s and B’s secret key. 4>PA, PB  trusted center 5>center publishes YA=(PA-IDA) h(IDA) -1 and YB=(PB-IDB) h(IDB) -1 w.r.t. A’s and B’s public key.

5 §2.2. Signature generation phase
Message M={M1,M2,…,Mn} 1>r0=0 and select a random number k. 2>Compute t=(YB h(IDB) + IDB)k mod N 3>Compute ri=Mi*h(ri-1⊕ t) mod N for i=1,2,…..,n. 4>Compute s=k- XA r, where r = h(r1||r2||…||rn) 5>A----(r, s, r1, r2 ,…… ,rn) B

6 §2.3. Message recovery phase
1>B computes r’= h(r1||r2||…||rn) ,check r’ ?= r 2>solve t by following procedure: [step1] gk= gs(YA h(IDA) + IDA)r mod N [step2] t = (gk)xB mod N 3>Recover the message {M1,M2,…,Mn} Mi = ri *h(ri-1⊕ t)-1 mod N

7 §3. Cryptanalysis and improvement(1/3)
Case 1: If the specified verifier B substitutes XB , he can forge the signature for any message. Suppose B wants to forge the signature for message E={E1,E2,….,En} 1>Compute σi=Ei*h(σi-1⊕ t) mod N for i=1,2,…..,n and σ0=0 σ = h(σ1||σ2||…||σn) 2>slove x’B from rXB = σx’B then slove s’ from sXB = s’x’B 3>compute P’B = gx’B mond N,then B asks the trusted center publishes a new public key Y’ B.

8 §3. Cryptanalysis and improvement(2/3)
Case 1: If the specified verifier B substitutes XB , he can forge the signature for any message. 4>(σ, s’, σ1, σ2 ,…… , σn) is the valid signature blocks. pf: [gs’(YA h(IDA) + IDA)σ] x’B mod N = gs’ x’B (YA h(IDA) + IDA)σx’B mod N = gs xB (YA h(IDA) + IDA)r xB mod N = (gk)xB mod N = t mod N

9 §3. Cryptanalysis and improvement(3/3)
Case 2: If the signer A generates the signature with this scheme for two or more specified verifiers, thy can cooperate to forge the signature for any message. Improved approach: signature blocks (r, s, r1, r2 ,…… ,rn) ---- (r, s, gk,r1, r2 ,…… ,rn)

10 Conclusion Tseng et al.’s scheme is not secure and give out a small modification to improve their scheme.

Download ppt "Cryptanalysis of Tseng et al.’s authenticated encrption schemes"

Similar presentations

1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Computer and Information Security 期末報告 學號 92321501 姓名 莊玉麟.

Computer and Information Security 期末報告 學號 姓名 莊玉麟.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
An Improved Smart Card Based Password Authentication Scheme with Provable Security Source:Computer Standards & Interfaces, Vol. 31, No. 4, pp. 723-728,

An Improved Smart Card Based Password Authentication Scheme with Provable Security Source:Computer Standards & Interfaces, Vol. 31, No. 4, pp ,
Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem No author given (Korea information security Agency) Presented by J.Liu.

Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem No author given (Korea information security Agency) Presented by J.Liu.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.

1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.
Authentication of Signaling in VoIP Applications Authors: Srinivasan et al. (MIT Campus of Anna University, India) Source: IJNS review paper Reporter:

Authentication of Signaling in VoIP Applications Authors: Srinivasan et al. (MIT Campus of Anna University, India) Source: IJNS review paper Reporter:
1 一個新的代理簽章法 A New Proxy Signature Scheme 作 者 : 洪國寶, 許琪慧, 郭淑娟與邱文怡 報 告者 : 郭淑娟.

1 一個新的代理簽章法 A New Proxy Signature Scheme 作 者 : 洪國寶, 許琪慧, 郭淑娟與邱文怡 報 告者 : 郭淑娟.
Department of Computer Engineering, Kyungpook National University Author : Eun-Jun Yoon, Wan-Soo Lee, Kee-Young Yoo Speaker : Wan-Soo Lee

Department of Computer Engineering, Kyungpook National University Author : Eun-Jun Yoon, Wan-Soo Lee, Kee-Young Yoo Speaker : Wan-Soo Lee
Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.

Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.
Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University.

Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University.
A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,

A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,
DIGITAL SIGNATURE. A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.

DIGITAL SIGNATURE. A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.
1 An Ordered Multi-Proxy Multi-Signature Scheme Authors: Min-Shiang Hwang, Shiang-Feng Tzeng, Shu-Fen Chiou Speaker: Shu-Fen Chiou.

1 An Ordered Multi-Proxy Multi-Signature Scheme Authors: Min-Shiang Hwang, Shiang-Feng Tzeng, Shu-Fen Chiou Speaker: Shu-Fen Chiou.
ECE-8843 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: GCATT Bldg.

ECE Prof. John A. Copeland fax Office: GCATT Bldg.
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 14. Digital signature.

CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 14. Digital signature.

Similar presentations

Ads by Google