A Distributed Sign-and-Encryption for Anonymity
Source: IEICE TRANS. FUNDAMENTALS, VOL.E87-A, NO.1 January 2004
Author: DongJin KWAK and SangJae MOON
Speaker: Jin-Lin Hou
Date: 11/08/2004

Outline
- Introduction
- Review
- Proposed Scheme
- Analysis
- Conclusion

Distributed encryption scheme
[Figure: Manager, Group Public Key, Encrypted message; group members A, B, …, Q with keys $x_A$, $x_B$, …, $x_Q$; label "decrypt by $x_Q$".]

Distributed Signcryption (1/5)
$p$ : a prime number
$q$ : $q \mid (p-1)$ ( q must be prime number? )
$x_1, \dots, x_n \in Z_q^*$
$P(x) = (x-x_1)(x-x_2)\cdots(x-x_n) = \alpha_0 + \alpha_1 x + \dots + \alpha_n x^n$
$g$ : an order $q$ element in $Z_p$
$F(x_i) = g^{P(x_i) \bmod q} \equiv 1 \pmod p$, $i = 1, 2, \dots, n$
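
Distributed Signcryption (2/5)
$\alpha'_0 = \alpha_0$, $\alpha'_n = \alpha_n$
$\alpha'_1 = \alpha'_2 = \dots = \alpha'_{n-1} = \sum_{i=1}^{n-1} \alpha_i$
$P'(x) = \alpha'_0 + \alpha'_1 x + \dots + \alpha'_n x^n$
$A_i = P'(x_i)$
$F'(x_i) = g^{-A_i} g^{P'(x_i)} \equiv 1 \pmod p$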

Distributed Signcryption (3/5)
$\gamma \in Z_q^*$
$\rho_i = \gamma A_i \bmod q$ ( should be $-\gamma A_i$ )
Group Public Key: $( g^{\alpha'_0}, g^{\alpha'_1}, \dots, g^{\alpha'_n}, g^{\gamma^{-1} \bmod q} )$
Send Secret Key $( x_i, \rho_i )$ to group member $i$ by secure channel

Distributed Signcryption (4/5)
Sender Alice: ( has $sk_a$, $pk_a = g^{sk_a}$ )
choose $x \in Z_q^*$
$k = g^x \bmod p$
Splits $k$ into $k_1$ and $k_2$ ( the split way is public )
$r = H_{k_2}(m)$
$s = x ( k \cdot r + sk_a )^{-1} \bmod q$
$w = h(m)$
$c_1 = \{ g^{k \cdot r} g^{w \alpha'_0}, g^{w \alpha'_0}, \dots, g^{w \alpha'_n}, g^{w \gamma^{-1}} \}$
$c_2 = E_{k_1}(m)$
send $( c_1, c_2, r, s )$ to Bob

Distributed Signcryption (5/5)
Receiver Bob:
$k = ( pk_a \cdot g^{kr} \cdot g^{w\alpha'_0} \cdot g^{w\alpha'_1 x_i} \cdots g^{w\alpha'_n x_i^n} \cdot g^{w\gamma^{-1}\rho_i} )^s = g^x \bmod p$
Splits $k$ into $k_1$ and $k_2$
$m \stackrel{?}{=} D_{k_1}(c_2)$

Proposed scheme (1/2)
Sender Alice: ( has $sk_a$, $pk_a = g^{sk_a}$ )
choose $x \in Z_q^*$
$k = g^x \bmod p$
Splits $k$ into $k_1$ and $k_2$ ( the split way is public )
$r = H_{k_2}(m)$
$s = x ( r + sk_a )^{-1} \bmod q$
$w = h(m)$
$c_1 = \{ k \cdot g^{w \alpha'_0}, g^{w \alpha'_0}, \dots, g^{w \alpha'_n}, g^{w \gamma^{-1}} \}$
$c_2 = E_{k_1}( m \,\|\, r \,\|\, s \,\|\, Cert_a )$
send $( c_1, c_2 )$ to Bob
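
Proposed scheme (2/2)
Receiver Bob:
$k = k \cdot g^{w\alpha'_0} \cdot g^{w\alpha'_1 x_i} \cdots g^{w\alpha'_n x_i^n} \cdot g^{w\gamma^{-1}\rho_i}$
Splits $k$ into $k_1$ and $k_2$
$D_{k_1}(c_2) = m \,\|\, r \,\|\, s \,\|\, Cert_a$
$r \stackrel{?}{=} H_{k_2}(m)$
$k \stackrel{?}{\equiv} ( pk_a \cdot g^r )^s$ ( $\equiv g^x \pmod p$ )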

Analysis (1/2)
Unforgeability
- can't get $k$ by knowing $k \cdot g^{w\alpha'_0}$, so can't compute $E_{k_1}(m')$
- can't get a valid pair $( m', r', s' )$ because a valid $s$ needs $sk_a$ to generate
Non-repudiation
- if $( m, r, s )$ is valid => sender must know $sk_a$ => sender is Alice

Analysis (2/2)
Anonymity
- because $Cert_a$ is encrypted
Confidentiality
- need $k$ to decrypt $c_2$, but need $( x_i, \rho_i )$ to compute $k$
- only valid users know $( x_i, \rho_i )$

Conclusion
- has many good properties like unforgeability, non-repudiation, anonymity, confidentiality
- does not involve any additional computational cost
- has potential applications in electronic commerce