Hybrid Signcryption with Outsider Security

Slides:

Advertisements

Similar presentations

Public Key Cryptosystem

Advertisements

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Off-the-Record Communication, or, Why Not To Use PGP

Cryptography and Network Security

Hybrid Signcryption with Insider Security Alexander W. Dent.

Digital Signatures and Hash Functions. Digital Signatures.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

A Designer’s Guide to KEMs Alex Dent

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

1 Intro To Encryption Exercise Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London,

A Brief History of Provable Security and PKE Alex Dent Information Security Group Royal Holloway, University of London.

Information Security. Information Security Requirements Confidentiality: Protection from disclosure to unauthorised persons Access control: Unauthorised.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Computer Science Public Key Management Lecture 5.

8. Data Integrity Techniques

Chapter 31 Network Security

Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.

Pretty Good Privacy by Philip Zimmerman presented by: Chris Ward.

Bob can sign a message using a digital signature generation algorithm

Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.

1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

10/1/2015 9:38:06 AM1AIIS. OUTLINE Introduction Goals In Cryptography Secrete Key Cryptography Public Key Cryptograpgy Digital Signatures 2 10/1/2015.

Key Agreement Guilin Wang School of Computer Science 12 Nov

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

Cryptography Lecture 9 Stefan Dziembowski

Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,

Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!

Signcryption Parshuram Budhathoki Department of Mathematical Sciences Florida Atlantic University April 18, 2013

Digital Signatures, Message Digest and Authentication Week-9.

Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.

1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,

Prepared by Dr. Lamiaa Elshenawy

A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,

Electronic Commerce School of Library and Information Science PGP and cryptography I. What is encryption? Cryptographic systems II. What is PGP? How does.

Ch 13 Trustworthiness Myungchul Kim

Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.

A New Provably Secure Certificateless Signature Scheme Date： Reporter:Chien-Wen Huang 出處 :2008 IEEE International Conference on Communications.

Secure Messenger Protocol using AES (Rijndael) Sang won, Lee

A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa, Ibaraki Univ. Yvo Desmedt, UCL and FSU.

Key Management Network Systems Security Mort Anvari.

Weaknesses in the Generic Group Model

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Secure Instant Messenger in Android Name: Shamik Roy Chowdhury.

Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.

Cryptography CS 555 Topic 34: SSL/TLS.

Authenticated encryption

Group theory exercise.

Cryptography Lecture 26.

Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS

Cryptography Lecture 22.

Cryptography Lecture 25.

Presentation transcript:

Hybrid Signcryption with Outsider Security Alexander W. Dent

Signcryption Introduced by Zheng 1997. Combines advantages of PKE and signatures: Confidentiality Integrity/Origin authentication Non-repudiation? A relatively new type of primitive. We haven’t even agreed a security model yet.

Signcryption A common parameter generation algorithm. A receiver key-pair (pkR,skR) generation algorithm. A sender key-pair (pkS,skS) generation algorithm. A generation-encryption algorithm. A verification-decryption algorithm.

Signcryption An, Dodis and Rabin (2002) security model. This is a two user model. Outsider security Security against all third parties, i.e. anyone who isn’t the sender or receiver. Insider security Full security, including integrity protection against attacks made by the receiver. Baek, Steinfeld and Zheng (2002) model.

Signcryption: confidentiality No third party can distinguish between a signcryption of one message and a signcryption of another message. Normal IND criteria, except that we must provide the attacker with encryption and decryption oracles. We do not consider forward security (with can be expressed using the Baek et al. model).

Signcryption: integrity An outside attack is one in which a third party attempts to forge a signcryption from the sender to the receiver. Normal existential unforgeability game, except that the attacker has access to encryption and decryption oracles. It has a similar security guarantee to a MAC. This is satisfactory for most applications (but gives simpler schemes).

Signcryption: non-repudiation The ability for a third party to check that a given signcryption is a proper signcryption of a given message. Not required for most applications. Schemes which are outsider secure can never provide non-repudiation. Most signcryption schemes “cheat” and use NIZK proofs.

Hybrid encryption Involves the use of black-box symmetric algorithms with certain security properties. Very popular trick: ECIES/DHAES Fujisaki-Okamoto and related transforms. Most use the same “trick” of encrypting a random symmetric key with the asymmetric algorithm. Formalised by Cramer and Shoup (2004).

Hybrid encryption KEM pk C1 Provides the confidentiality service (against active attackers). Controls the security service by generating random symmetric keys. K DEM m C2

Hybrid signcryption KEM pk C1 K DEM m C2

Hybrid signcryption pkR KEM C1 skS K DEM m C2

Hybrid signcryption C1 pkS KEM skR K DEM C2 m

Hybrid signcryption: confidentiality IND security as a KEM: Given an encapsulation, it should be impossible to tell the difference between the real key and a completely random one. pkR KEM C1 skS IND security as a DEM: It should be able to resist active attacks against its confidentiality (when used with a random key). K DEM m C2

Hybrid signcryption: integrity LoR security for a KEM: It must be impossible to distinguish the real KEM from an “ideal” version, in which every valid encapsulation is associated with a completely randomly generated key. C1 INT security for a DEM: It should be impossible to forge a ciphertext that decrypts to give a message (using a random key). pkS KEM skR K Not enough just to claim that you cannot fake a KEM ciphertext that decapsulates to give a valid key which the attacker knows. DEM C2 m All practical (encryption) DEMs are INT and IND secure!

Hybrid signcryption Very easy to “bolt on” outsider secure hybrid signcryption to hybrid encryption schemes. The paper contains a practical signcryption KEM which we call ECISS-KEM: Encryption: One exponentiation (and one pre-computed group exponentiation). Decryption: One group multiplication (and one pre-computed group exponentiation).

Hybrid signcryption The attacker finds a valid signcryption (C1,C2). Recovers the key K associated with C1. Computes C2’=DEMK(m’). (C1,C2’) is a forgery. C1 pkS KEM skR There must be a binding between the message m, the encapsulation C1 and the symmetric key K. K DEM C2 m

Key agreement using KEMs KEMs and key agreement mechanisms have a lot in common... ...but KEMs can only be thought of as the most basic method of agreeing a key. No authentication or freshness guarantees. Signcryption KEMs go part of the way to solving this problem by allowing the users to authenticate each other.

Key agreement using KEMs Alice uses a signcryption KEM to compute a (K,C) pair. Use the key K to compute the MAC of a timestamp t. Sends (C,t,MAC) to Bob. Bob checks the timestamp t is current. Recovers the key K using the signcryption KEM. Checks the authenticity of the MAC on the timestamp. Vulnerable to a known-key attack!

Insider security A paper appeared in ACISP 2005 describing a construction paradigm for a hybrid signcryption scheme with insider security. A paper is currently being prepared which improves on this result using tag-KEMs. This also allows us to build key agreement mechanisms.

Open problems Can we use this framework to develop new schemes?

Open problems No satisfactory model for multi-user security. Multi-user model should allow the attacker to initiate users, replace public keys?, corrupt users, make test queries, force users to encrypt messages, force users to decrypt signcryptions. Similar to Certificateless PKE security model. Should be easy for outsider security!

Conclusions Signcryption schemes are easy to build if we recognise that outsider security is all that is required for a lot of applications. It’s easy to build efficient, provably secure hybrid signcryption schemes. However, more work can be done in this particularly under-researched area.