Signcryption schemes with threshold unsigncryption, and applications

The final publication is available at link.springer.comThe goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very few attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided in two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.Peer ReviewedPostprint (author's final draft

Underlying Assumptions and Designated Verifier Signatures

In this paper, we define an underlying computational problem and its decisional problem. As an application of their problems, we propose an efficient designated verifier signature (DVS) scheme without random oracles (related to symmetric pairings). We formally redefine the (Strong) Privacy of Signature\u27s Identity, and prove our DVS scheme satisfying security based on the difficulty of the problems. Also we prove that the difficulty of the computational problem is tightly equivalent to the Strong Unforgeability of our proposed conventional signature scheme (without random oracles) related to asymmetric pairings. We believe that our underlying problems are profitable to propose many efficient cryptographic schemes

Formalizing group blind signatures and practical constructions without random oracles

Group blind signatures combine anonymity properties of both group signatures and blind signatures and offer privacy for both the message to be signed and the signer. The primitive has been introduced with only informal definitions for its required security properties. In this paper, we offer two main contributions: first, we provide foundations for the primitive and present formal security definitions. In the process, we identify and address some subtle issues which were not considered by previous constructions and (informal) security definitions. Our second main contribution is a generic construction that yields practical schemes with a round-optimal signing protocol and constant-size signatures. Our constructions permit dynamic and concurrent enrollment of new members and satisfy strong security requirements. To the best of our knowledge, our schemes are the first provably secure constructions in the standard model. In addition, we introduce some new building blocks which may be of independent interest. © 2013 Springer-Verlag

Black-Box Constructions of Signature Schemes in the Bounded Leakage Setting

To simplify the certificate management procedures, Shamir introduced the concept of identity-based cryptography (IBC). However, the key escrow problem is inherent in IBC. To get rid of it, Al-Riyami and Paterson introduced in 2003 the notion of certificateless cryptography (CLC). However, if a cryptosystem is not perfectly implemented, adversaries would be able to obtain part of the system\u27s secret state via side-channel attacks, and thus may break the system. This is not considered in the security model of traditional cryptographic primitives. Leakage-resilient cryptography was then proposed to prevent adversaries from doing so. There are fruitful works on leakage-resilient encryption schemes, while there are not many on signature schemes in the leakage setting. In this work, we review the folklore generic constructions of identity-based signature and certificateless signature, and show that if the underlying primitives are leakage-resilient, so are the resulting identity-based signature scheme and certificateless signature scheme. The leakage rate follows the minimum one of the underlying primitives. We also show some instantiations of these generic constructions

Strongly Unforgeable Certificateless Signature Resisting Attacks from Malicious-But-Passive KGC

In digital signature, strong unforgeability requires that an attacker cannot forge a new signature on any previously signed/new messages, which is attractive in both theory and practice. Recently, a strongly unforgeable certificateless signature (CLS) scheme without random oracles was presented. In this paper, we firstly show that the scheme fails to achieve strong unforgeability by forging a new signature on a previously signed message under its adversarial model. Then, we point out that the scheme is also vulnerable to the malicious-but-passive key generation center (MKGC) attacks. Finally, we propose an improved strongly unforgeable CLS scheme in the standard model. The improved scheme not only meets the requirement of strong unforgeability but also withstands the MKGC attacks. To the best of our knowledge, we are the first to prove a CLS scheme to be strongly unforgeable against the MKGC attacks without using random oracles

Improvements and New Constructions of Digital Signatures

Ein digitales Signaturverfahren, oft auch nur digitale Signatur genannt, ist ein wichtiger und nicht mehr wegzudenkender Baustein in der Kryptographie. Es stellt das digitale Äquivalent zur klassischen handschriftlichen Signatur dar und liefert darüber hinaus noch weitere wünschenswerte Eigenschaften. Mit solch einem Verfahren kann man einen öffentlichen und einen geheimen Schlüssel erzeugen. Der geheime Schlüssel dient zur Erstellung von Signaturen zu beliebigen Nachrichten. Diese können mit Hilfe des öffentlichen Schlüssels von jedem überprüft und somit verifiziert werden. Desweiteren fordert man, dass das Verfahren "sicher" sein soll. Dazu gibt es in der Literatur viele verschiedene Begriffe und Definitionen, je nachdem welche konkreten Vorstellungen beziehungsweise Anwendungsgebiete man hat. Vereinfacht gesagt, sollte es für einen Angreifer ohne Kenntnis des geheimen Schlüssels nicht möglich sein eine gültige Signatur zu einer beliebigen Nachricht zu fälschen. Ein sicheres Signaturverfahren kann somit verwendet werden um die folgenden Ziele zu realisieren: - Authentizität: Jeder Empfänger kann überprüfen, ob die Nachricht von einem bestimmten Absender kommt. - Integrität der Nachricht: Jeder Empfänger kann feststellen, ob die Nachricht bei der Übertragung verändert wurde. - Nicht-Abstreitbarkeit: Der Absender kann nicht abstreiten die Signatur erstellt zu haben. Damit ist der Einsatz von digitalen Signaturen für viele Anwendungen in der Praxis sehr wichtig. Überall da, wo es wichtig ist die Authentizität und Integrität einer Nachricht sicherzustellen, wie beim elektronischen Zahlungsverkehr, Softwareupdates oder digitalen Zertifikaten im Internet, kommen digitale Signaturen zum Einsatz. Aber auch für die kryptographische Theorie sind digitale Signaturen ein unverzichtbares Hilfsmittel. Sie ermöglichen zum Beispiel die Konstruktion von stark sicheren Verschlüsselungsverfahren. Eigener Beitrag: Wie bereits erwähnt gibt es unterschiedliche Sicherheitsbegriffe im Rahmen von digitalen Signaturen. Ein Standardbegriff von Sicherheit, der eine recht starke Form von Sicherheit beschreibt, wird in dieser Arbeit näher betrachtet. Die Konstruktion von Verfahren, die diese Form der Sicherheit erfüllen, ist ein vielschichtiges Forschungsthema. Dazu existieren unterschiedliche Strategien in unterschiedlichen Modellen. In dieser Arbeit konzentrieren wir uns daher auf folgende Punkte. - Ausgehend von vergleichsweise realistischen Annahmen konstruieren wir ein stark sicheres Signaturverfahren im sogenannten Standardmodell, welches das realistischste Modell für Sicherheitsbeweise darstellt. Unser Verfahren ist das bis dahin effizienteste Verfahren in seiner Kategorie. Es erstellt sehr kurze Signaturen und verwendet kurze Schlüssel, beides unverzichtbar für die Praxis. - Wir verbessern die Qualität eines Sicherheitsbeweises von einem verwandten Baustein, der identitätsbasierten Verschlüsselung. Dies hat unter anderem Auswirkung auf dessen Effizienz bezüglich der empfohlenen Schlüssellängen für den sicheren Einsatz in der Praxis. Da jedes identitätsbasierte Verschlüsselungsverfahren generisch in ein digitales Signaturverfahren umgewandelt werden kann ist dies auch im Kontext digitaler Signaturen interessant. - Wir betrachten Varianten von digitalen Signaturen mit zusätzlichen Eigenschaften, sogenannte aggregierbare Signaturverfahren. Diese ermöglichen es mehrere Signaturen effizient zu einer zusammenzufassen und dabei trotzdem alle zugehörigen verschiedenen Nachrichten zu verifizieren. Wir geben eine neue Konstruktion von solch einem aggregierbaren Signaturverfahren an, bei der das Verfahren eine Liste aller korrekt signierten Nachrichten in einer aggregierten Signatur ausgibt anstatt, wie bisher üblich, nur gültig oder ungültig. Wenn eine aggregierte Signatur aus vielen Einzelsignaturen besteht wird somit das erneute Berechnen und eventuell erneute Senden hinfällig und dadurch der Aufwand erheblich reduziert

Public key encryption with keyword search secure against keyword guessing attacks without random oracle

The notion of public key encryption with keyword search (PEKS) was put forth by Boneh et al. to enable a server to search from a collection of encrypted emails given a “trapdoor” (i.e., an encrypted keyword) provided by the receiver. The nice property in this scheme allows the server to search for a keyword, given the trapdoor. Hence, the verifier can merely use an untrusted server, which makes this notion very practical. Following Boneh et al.’s work, there have been subsequent works that have been proposed to enhance this notion. Two important notions include the so-called keyword guessing attack and secure channel free, proposed by Byun et al. and Baek et al., respectively. The former realizes the fact that in practice, the space of the keywords used is very limited, while the latter considers the removal of secure channel between the receiver and the server to make PEKS practical. Unfortunately, the existing construction of PEKS secure against keyword guessing attack is only secure under the random oracle model, which does not reflect its security in the real world. Furthermore, there is no complete definition that captures secure channel free PEKS schemes that are secure against chosen keyword attack, chosen ciphertext attack, and against keyword guessing attacks, even though these notions seem to be the most practical application of PEKS primitives. In this paper, we make the following contributions. First, we define the strongest model of PEKS which is secure channel free and secure against chosen keyword attack, chosen ciphertext attack, and keyword guessing attack. In particular, we present two important security notions namely IND-SCF-CKCA and IND-KGA. The former is to capture an inside adversary, while the latter is to capture an outside adversary. Intuitively, it should be clear that IND-SCF-CKCA captures a more stringent attack compared to IND-KGA. Second, we present a secure channel free PEKS scheme secure without random oracle under the well known assumptions, namely DLP, DBDH, SXDH and truncated q-ABDHE assumption. Our contributions fill the gap in the literature and hence, making the notion of PEK

Efficient Revocable ID-Based Signature With Cloud Revocation Server

Over the last few years, identity-based cryptosystem (IBC) has attracted widespread attention because it avoids the high overheads associated with public key certificate management. However, an unsolved but critical issue about IBC is how to revoke a misbehaving user. There are some revocable identity-based encryption schemes that have been proposed recently, but little work on the revocation problem of identity-based signature has been undertaken so far. One approach for revocation in identity-based settings is to update users\u27 private keys periodically, which is usually done by the key generation center (KGC). But with this approach, the load on the KGC will increase quickly when the number of users increases. In this paper, we propose an efficient revocable identity-based signature (RIBS) scheme in which the revocation functionality is outsourced to a cloud revocation server (CRS). In our proposed approach, most of the computations needed during key-updates are offloaded to the CRS. We describe the new framework and the security model for the RIBS scheme with CRS and we prove that the proposed scheme is existentially unforgeable against adaptively chosen messages and identity attacks in the random oracle model. Furthermore, we monstrate that our scheme outperforms previous IBS schemes in terms of lower computation and communication costs