A Distributed Sign-and-Encryption for Anonymity Source: IEICE TRANS. FUNDAMENTALS, VOL.E87-A, NO.1 January 2004 Author: DongJin KWAK and SangJae MOON Speaker: Jin-Lin Hou Date: 11/08/2004

Outline Introduction Review Proposed Scheme Analysis Conclusion

Distributed encryption scheme …… xA xB xQ decrypt by xQ A B Q Encrypted message Manager Group Public Key

Distributed Signcryption (1/5) p : a prime number q : q | (p-1) ( q must be prime number? ) x1 - xn  Zq* P(x) = (x-x1)(x-x2) … (x-xn) = α0 + α1 x +… αn xn g : an order q element in Zp F(xi) = g P(xi) mod q ≡ 1 (mod p) , i = 1 , 2 , … , n

Distributed Signcryption (2/5) α’0 = α0 α’n = αn n-1 α’1 = α’2 = … = α’n-1 = ∑αi i=1 P’(x) = α’0 + α’1 x +… α’n xn Ai = P’(xi) F’(xi) = g –Ai g P’(xi) ≡ 1 (mod p)

Distributed Signcryption (3/5) γ  Zq* ρi = γAi mod q ( should be -γAi) Group Public Key: ( gα’0 , gα’1 , … , gα’n , gγ-1 mod q ) Send Secret Key ( xi , ρi ) to group member i by secure channel

Distributed Signcryption (4/5) Sender Alice: ( have ska , pka = gska ) choose x  Zq* k = gx mod p Splits k into k1 and k2 ( the split way is public ) r = Hk2(m) s = x ( k*r + ska )-1 mod q w = h(m) c1 = { gk*r gw*α’0 , gw*α’0 , … , gw*α’n , gw *γ-1 } c2 = Ek1(m) send ( c1 , c2 , r , s ) to Bob

Distributed Signcryption (5/5) Receiver Bob: k =(pka· gkr · gwα’0 · gwα’1 x i · … · gwα’n x in · gw γ-1ρi)s = gx mod p Splits k into k1 and k2 m ?= Dk1(c2)

Propose scheme (1/2) Sender Alice: ( have ska , pka = gska ) choose x  Zq* k = gx mod p Splits k into k1 and k2 ( the split way is public ) r = Hk2(m) s = x ( r + ska )-1 mod q w = h(m) c1 = { k · gw*α’0 , gw*α’0 , … , gw*α’n , gw *γ-1 } c2 = Ek1( m || r || s || Certa ) send ( c1 , c2 ) to Bob

Propose scheme (2/2) Receiver Bob: k = k · gwα’0 · gwα’1 x i · … · gwα’n x in · gw γ-1ρi Splits k into k1 and k2 Dk1(c2) = m || r || s || Certa r ?= Hk2(m) k ?≡ ( pka · gr )s ( ≡ gx (mod p) )

Analysis (1/2) Unforgeability Non-repudiation can’t get k by knowing k · gwα’0 so can’t compute Ek1(m’) can’t get a valid pair ( m’ , r’ , s’ ) because a valid s need ska to generate Non-repudiation if ( m , r , s ) is valid => sender must know ska => sender is Alice

Analysis (2/2) Anonymity Confidentiality because Certa is encrypted Confidentiality Need k to decrypt c2 , but need ( xi , ρi ) to compute k only valid user know ( xi , ρi )

Conclusion have many good properties like unforgeability , non-repudiation , anonymity , confidentiality does not involve any additional computational cost has potential applications in electronic commerce