19 research outputs found
Signcryption schemes with threshold unsigncryption, and applications
The final publication is available at link.springer.comThe goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very few attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided in two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.Peer ReviewedPostprint (author's final draft
An Efficient and Provably Secure ID-Based Threshold Signcryption Scheme
Signcryption is a cryptographic primitive that performs digital
signature and public key encryption simultaneously, at a lower
computational costs and communication overheads than the
signature-then-encryption approach. Recently, two identity-based
threshold signcryption schemes[12],[26] have been
proposed by combining the concepts of identity-based threshold
signature and signcryption together. However, the formal models and
security proofs for both schemes are not considered. In this paper,
we formalize the concept of identity-based threshold signcryption
and give a new scheme based on the bilinear pairings. We prove its
confidentiality under the Decisional Bilinear Diffie-Hellman
assumption and its unforgeability under the Computational
Diffie-Hellman assumption in the random oracle model. Our scheme
turns out to be more efficient than the two previously proposed
schemes
Analysis and Improvement of Authenticatable Ring Signcryption Scheme
Ring signcryption is an anonymous signcryption which allows a user
to anonymously signcrypt a message on behalf of a set of users
including himself. In an ordinary ring signcryption scheme, even if
a user of the ring generates a signcryption, he also cannot prove
that the signcryption was produced by himself. In 2008, Zhang, Yang,
Zhu, and Zhang solve the problem by introducing an identity-based
authenticatable ring signcryption scheme (denoted as the ZYZZ
scheme). In the ZYZZ scheme, the actual signcrypter can prove that
the ciphertext is generated by himself, and the others cannot
authenticate it. However, in this paper, we show that the ZYZZ
scheme is not secure against chosen plaintext attacks. Furthermore,
we propose an improved scheme that remedies the weakness of the ZYZZ
scheme. The improved scheme has shorter ciphertext size than the
ZYZZ scheme. We then prove that the improved scheme satisfies
confidentiality,
unforgeability, anonymity and authenticatability
On the Security of Identity Based Threshold Unsigncryption Schemes
Signcryption is a cryptographic primitive that provides confidentiality and authenticity simultaneously at a cost significantly lower than that of the naive combination of encrypting and signing the message. Threshold signcryption is used when a message to be sent needs the authentication of a certain number of members in an organisation, and until and unless a given number of members (known as the threshold) join the signcyption process, a particular message cannot be signcrypted. Threshold unsigncryption is used when this constraint is applicable during the unsigncryption process. In this work, we cryptanalyze two threshold unsigncryption schemes. We show that both these schemes do not meet the stringent requirements of insider security and propose attacks on both confidentiality and unforgeability. We also propose an improved identity based threshold unsigncryption scheme and give the formal proof of security in a new stronger security model
Contributions to secret sharing and other distributed cryptosystems
The present thesis deals with primitives related to the eld of distributed cryptography. First, we study signcryption schemes, which provide at the same time the functionalities of encryption and signature, where the unsigncryption operation is distributed. We consider this primitive from a theoretical point of view and set a security framework for it. Then, we present two signcryption schemes with threshold unsigncryption, with di erent properties. Furthermore, we use their authenticity property to apply them in the development of a di erent primitive: digital signatures with distributed veri cation. The second block of the thesis deals with the primitive of multi-secret sharing schemes. After stating some e ciency limitations of multi-secret sharing schemes in an information-theoretic scenario, we present several
multi-secret sharing schemes with provable computational security. Finally, we use the results in multi-secret sharing schemes to generalize the traditional framework of distributed cryptography (with a single policy of authorized subsets) into a multipolicy setting, and we present both a multi-policy distributed decryption scheme and a multi-policy distributed signature scheme. Additionally, we give a short outlook on how to apply the presented multi-secret sharing schemes in the design of other multi-policy cryptosystems, like the signcryption schemes considered in this thesis.
For all the schemes proposed throughout the thesis, we follow the same formal structure. After de ning the protocols of the primitive and the corresponding security model, we propose the new scheme and formally prove its security, by showing a reduction to some computationally hard mathematical problem.Avui en dia les persones estan implicades cada dia més en diferents activitats digitals tant en la seva vida professional com en el seu temps lliure. Molts articles de paper, com diners i tiquets, estan sent reemplaçats més i més per objectes digitals. La criptografia juga un paper crucial en aquesta transformació, perquè proporciona seguretat en la comunicació entre els diferents participants que utilitzen un canal digital. Depenent de la situació específica, alguns requisits de seguretat en la comunicació poden incloure privacitat (o confidencialitat), autenticitat, integritat o no-repudi. En algunes situacions, repartir l'operació secreta entre un grup de participants fa el procés més segur i fiable que quan la informació secreta està centralitzada en un únic participant; la criptografia distribuïda és l’àrea de la criptografia que estudia aquestes situacions.
Aquesta tesi tracta de primitives relacionades amb el camp de la criptografia distribuïda. Primer, estudiem esquemes “signcryption”, que ofereixen a la vegada les funcionalitats de xifrat i signatura, on l'operació de “unsigncryption” està distribuïda. Considerem aquesta primitiva des d’un punt de vista teòric i establim un marc de seguretat per ella. Llavors, presentem dos esquemes “signcryption” amb operació de “unsigncryption” determinada per una estructura llindar, cada un amb diferents propietats. A més, utilitzem la seva propietat d’autenticitat per desenvolupar una nova primitiva: signatures digitals amb verificació distribuïda. El segon bloc de la tesi tracta la primitiva dels esquemes de compartició de multi-secrets. Després de demostrar algunes limitacions en l’eficiència dels esquemes de compartició de multi-secrets en un escenari de teoria de la informació, presentem diversos esquemes de compartició de multi-secrets amb seguretat computacional demostrable. Finalment, utilitzem els resultats obtinguts en els esquemes de compartició de multi-secrets per generalitzar el paradigma tradicional de la criptografia distribuïda (amb una única política de subconjunts autoritzats) a un marc multi-política, i presentem un esquema de desxifrat distribuït amb multi-política i un esquema de signatura distribuïda amb multi-política. A més, donem indicacions de com es poden aplicar els nostres esquemes de compartició de multi-secrets en el disseny d’altres criptosistemes amb multi-política, com per exemple els esquemes “signcryption” considerats en aquesta tesi.
Per tots els esquemes proposats al llarg d’aquesta tesi, seguim la mateixa estructura formal. Després de definir els protocols de la primitiva primitius i el model de seguretat corresponent, proposem el nou esquema i demostrem formalment la seva seguretat, mitjançant una reducció a algun problema matemàtic computacionalment difícil
Securing messaging services through efficient signcryption with designated equality test
National Research Foundation (NRF) Singapor
Cryptanalysis of Li et al.\u27s Identity-Based Threshold Signcryption Scheme
Signcryption is a cryptographic primitive that aims at providing confidentiality and authentication simultaneously. Recently in May
2008, a scheme for identity based threshold signcryption was
proposed by Fagen Li and Yong Yu. They have proved the
confidentiality of their scheme and have also claimed the
unforgeability without providing satisfactory proof. In this paper,
we show that in their signcryption scheme the secret key of the
sender is exposed(total break) to the clerk during sincryption and
hence insecure in the presence of malicious clerks. Further, we
propose a corrected version of the scheme and formally prove its
security under the existing security model for signcryption
Fast and Proven Secure Blind Identity-Based Signcryption from Pairings
We present the first blind identity-based signcryption (BIBSC).
We formulate its security model and define the security notions of blindness and parallel one-more unforgeability (p1m-uf). We present an efficient construction from pairings, then prove a security theorem that reduces its p1m-uf to Schnorr¡¦s ROS Problem in the random oracle model plus the generic group and pairing model. The latter model is an extension of the generic group model to add support for pairings, which we introduce in this paper. In the process, we also introduce a new security model for (non-blind) identity-based signcryption (IBSC) which is a strengthening of Boyen¡¦s. We construct the first IBSC scheme proven secure in the strenghened model which is also the fastest (resp. shortest) IBSC in this model or Boyen¡¦s model. The shortcomings of several existing IBSC schemes in the strenghened model are shown
Attribute-Based Signcryption : Signer Privacy, Strong Unforgeability and IND-CCA2 Security in Adaptive-Predicates Attack
An Attribute-Based Signcryption (ABSC) is a natural extension of Attribute-Based Encryption (ABE) and Attribute-Based Signature (ABS), where we have the message confidentiality and authenticity together. Since the signer privacy is captured in security of ABS, it is quite natural to expect that the signer privacy will also be preserved in ABSC. In this paper, first we propose an ABSC scheme which is \textit{weak existential unforgeable, IND-CCA2} secure in \textit{adaptive-predicates} attack and achieves \textit{signer privacy}. Secondly, by applying strongly unforgeable one-time signature (OTS), the above scheme is lifted to an ABSC scheme to attain \textit{strong existential unforgeability} in \textit{adaptive-predicates} model. Both the ABSC schemes are constructed on common setup, i.e the public parameters and key are same for both the encryption and signature modules. Our first construction is in the flavor of paradigm, except one extra component that will
be computed using both signature components and ciphertext components. The second proposed construction follows a new paradigm (extension of ), we call it ``Commit then Encrypt and Sign then Sign (). The last signature is done using a strong OTS scheme. Since the non-repudiation is achieved by paradigm, our systems also achieve the same