Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London,

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London,"— Presentation transcript:

1 Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London, U.K.

2 2 Signcryption Introduced by Zheng in 1997. Combines the advantages of public-key encryption and digital signatures: – Confidentiality – Integrity/Origin authentiction – Non-repudiation? A relatively new type of primitive. Two competing security models.

3 3 Signcryption Common Parameter Generation Sender Key Generation Receiver Key Generation (pk S,sk S )(pk R,sk R ) Signcryption of message m using pk R and sk S Unsigncryption of signcryption C using pk S and sk R

4 4 Signcryption An, Dodis and Rabin (2002) security model. Two user model. Outsider security – Security against attacks made by third parties, i.e. anyone who isn’t the sender or the receiver. Insider security – Full security, prevents attacks against the integrity of the scheme made by the receiver. Baek, Steinfeld and Zheng (2002) model.

5 5 Signcryption Confidentiality. No third party should be able to learn any information about the message from the signcryption. – IND security against attacker with encryption and decryption oracles. Integrity. No party should be able to forge ciphertexts that purport to be from the sender. – Existential unforgability against attacker with the private key of the receiver and an encryption oracle.

6 6 Hybrid Signcryption Adapts a well-known technique in public-key encryption schemes. Involves using symmetric algorithms as subroutines in public-key schemes. Typically involves randomly generating a symmetric key and an asymmetric encryption of that key. Formalised for an encryption scheme by Cramer and Shoup (1998).

7 7 Hybrid Signcryption Elegant solution for hybrid signcryption with outsider security proposed in ISC 2005. Messy but workable solution for hybrid signcryption with insider security proposed in ACISP 2005. Poor security reduction involving multiple terms – Confidentiality relies on the KEM being unforgeable. – We propose an elegant new solution using the Tag- KEM ideas of Abe et al (2005).

8 8 Tag-KEMs A public/private key generation algorithm. A symmetric key generation algorithm. An encapsulation algorithm. A decapsulation algorithm. Sym pk K ω Encap tag C Decap tag C sk K

9 9 Tag-KEMs Sym pk K ω Encap tag C1C1 ENC m C2C2 Combine with a (passively secure) symmetric encryption scheme to give a (strongly secure) asymmetric encryption scheme.

10 10 Tag-KEMs Decap C1C1 sk K DEC C2C2 m Decryption works in the obvious way. Note that C 2 is acting both as the tag that allows the recovery of K and as the encryption of m.

11 11 Signcryption Tag-KEMs Sym pk K ω Encap tag C1C1 ENC m C2C2

12 12 Signcryption Tag-KEMs Sym sk S K ω Encap tag C1C1 ENC m C2C2 pk R Confidentiality proven in the same way as in for public-key encryption: it must be infeasible to gain any information about a symmetric key from its encapsulation. To get integrity protection we must insist that it is infeasible to produce a pair (tag,C 1 ) where C 1 decapsulates properly to give a key K with the given tag – in other words C 1 acts as a strongly secure signature on tag.

13 13 Signcryption Tag-KEMs Many existing signcryption schemes can be thought of as using SCTKs implicitly. We show Zheng’s scheme can be proven secure as a signcryption Tag-KEM. – The security reduction for confidentiality is: – In the KEM case, this was:

14 14 Signcryption Tag-KEMs We also propose a new signcryption scheme based on the Chevallier-Mames signature scheme (2005). This has the tightest security bounds of any signcryption scheme we could find: – Tight reduction to GDH for confidentiality – Tight reduction to CDH for integrity Reasonably efficient.

15 15 Open Problems Non-repudiation presents an interesting challenge. Does the existence of the symmetric key K help with non-repudiation? Signcryption Tag-KEMs are very similar to signature schemes. Can we find a method for turning a general signature scheme into a signcryption scheme? How about a Fiat- Shamir signature scheme?

16 16 Conclusions We presented a new paradigm for constructing signcryption schemes, which – Has all the advantages associated with hybrid encryption, – Does not have the disadvantages of previous attempts to produce hybrid signcryption paradigms. We presented two schemes in this model, including a completely new scheme with the best known security bounds of any signcryption scheme. We also discuss (in the paper) the use of SCTKs as a key agreement mechanism.

Download ppt "Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London,"

Similar presentations

Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Cryptographic Technologies

Cryptographic Technologies
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Introduction to Signcryption November 22, 2004. 22/11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

Similar presentations

Ads by Google