Signcryption schemes with threshold unsigncryption, and applications

The final publication is available at link.springer.comThe goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very few attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided in two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.Peer ReviewedPostprint (author's final draft

Contributions to secret sharing and other distributed cryptosystems

The present thesis deals with primitives related to the eld of distributed cryptography. First, we study signcryption schemes, which provide at the same time the functionalities of encryption and signature, where the unsigncryption operation is distributed. We consider this primitive from a theoretical point of view and set a security framework for it. Then, we present two signcryption schemes with threshold unsigncryption, with di erent properties. Furthermore, we use their authenticity property to apply them in the development of a di erent primitive: digital signatures with distributed veri cation. The second block of the thesis deals with the primitive of multi-secret sharing schemes. After stating some e ciency limitations of multi-secret sharing schemes in an information-theoretic scenario, we present several multi-secret sharing schemes with provable computational security. Finally, we use the results in multi-secret sharing schemes to generalize the traditional framework of distributed cryptography (with a single policy of authorized subsets) into a multipolicy setting, and we present both a multi-policy distributed decryption scheme and a multi-policy distributed signature scheme. Additionally, we give a short outlook on how to apply the presented multi-secret sharing schemes in the design of other multi-policy cryptosystems, like the signcryption schemes considered in this thesis. For all the schemes proposed throughout the thesis, we follow the same formal structure. After de ning the protocols of the primitive and the corresponding security model, we propose the new scheme and formally prove its security, by showing a reduction to some computationally hard mathematical problem.Avui en dia les persones estan implicades cada dia més en diferents activitats digitals tant en la seva vida professional com en el seu temps lliure. Molts articles de paper, com diners i tiquets, estan sent reemplaçats més i més per objectes digitals. La criptografia juga un paper crucial en aquesta transformació, perquè proporciona seguretat en la comunicació entre els diferents participants que utilitzen un canal digital. Depenent de la situació específica, alguns requisits de seguretat en la comunicació poden incloure privacitat (o confidencialitat), autenticitat, integritat o no-repudi. En algunes situacions, repartir l'operació secreta entre un grup de participants fa el procés més segur i fiable que quan la informació secreta està centralitzada en un únic participant; la criptografia distribuïda és l’àrea de la criptografia que estudia aquestes situacions. Aquesta tesi tracta de primitives relacionades amb el camp de la criptografia distribuïda. Primer, estudiem esquemes “signcryption”, que ofereixen a la vegada les funcionalitats de xifrat i signatura, on l'operació de “unsigncryption” està distribuïda. Considerem aquesta primitiva des d’un punt de vista teòric i establim un marc de seguretat per ella. Llavors, presentem dos esquemes “signcryption” amb operació de “unsigncryption” determinada per una estructura llindar, cada un amb diferents propietats. A més, utilitzem la seva propietat d’autenticitat per desenvolupar una nova primitiva: signatures digitals amb verificació distribuïda. El segon bloc de la tesi tracta la primitiva dels esquemes de compartició de multi-secrets. Després de demostrar algunes limitacions en l’eficiència dels esquemes de compartició de multi-secrets en un escenari de teoria de la informació, presentem diversos esquemes de compartició de multi-secrets amb seguretat computacional demostrable. Finalment, utilitzem els resultats obtinguts en els esquemes de compartició de multi-secrets per generalitzar el paradigma tradicional de la criptografia distribuïda (amb una única política de subconjunts autoritzats) a un marc multi-política, i presentem un esquema de desxifrat distribuït amb multi-política i un esquema de signatura distribuïda amb multi-política. A més, donem indicacions de com es poden aplicar els nostres esquemes de compartició de multi-secrets en el disseny d’altres criptosistemes amb multi-política, com per exemple els esquemes “signcryption” considerats en aquesta tesi. Per tots els esquemes proposats al llarg d’aquesta tesi, seguim la mateixa estructura formal. Després de definir els protocols de la primitiva primitius i el model de seguretat corresponent, proposem el nou esquema i demostrem formalment la seva seguretat, mitjançant una reducció a algun problema matemàtic computacionalment difícil

Constant-size threshold attribute based SignCryption for cloud applications

In this paper, we propose a novel constant-size threshold attribute-based signcryption scheme for securely sharing data through public clouds. Our proposal has several advantages. First, it provides flexible cryptographic access control, while preserving users’ privacy as the identifying information for satisfying the access control policy are not revealed. Second, the proposed scheme guarantees both data origin authentication and anonymity thanks to the novel use of attribute based signcryption mechanism, while ensuring the unlinkability between the different access sessions. Third, the proposed signcryption scheme has efficient computation cost and constant communication overhead whatever the number of involved attributes. Finally, our scheme satisfies strong security properties in the random oracle model, namely Indistinguishability against the Adaptive Chosen Ciphertext Attacks (IND-CCA2), Existential Unforgeability against Chosen Message Attacks (EUFCMA) and privacy preservation of the attributes involved in the signcryption process, based on the assumption that the augmented Multi-Sequence of Exponents Decisional Diffie-Hellman (aMSE-DDH) problem and the Computational Diffie Hellman Assumption (CDH) are hard

Studies on the Security of Selected Advanced Asymmetric Cryptographic Primitives

The main goal of asymmetric cryptography is to provide confidential communication, which allows two parties to communicate securely even in the presence of adversaries. Ever since its invention in the seventies, asymmetric cryptography has been improved and developed further, and a formal security framework has been established around it. This framework includes different security goals, attack models, and security notions. As progress was made in the field, more advanced asymmetric cryptographic primitives were proposed, with other properties in addition to confidentiality. These new primitives also have their own definitions and notions of security. This thesis consists of two parts, where the first relates to the security of fully homomorphic encryption and related primitives. The second part presents a novel cryptographic primitive, and defines what security goals the primitive should achieve. The first part of the thesis consists of Article I, II, and III, which all pertain to the security of homomorphic encryption schemes in one respect or another. Article I demonstrates that a particular fully homomorphic encryption scheme is insecure in the sense that an adversary with access only to the public material can recover the secret key. It is also shown that this insecurity mainly stems from the operations necessary to make the scheme fully homomorphic. Article II presents an adaptive key recovery attack on a leveled homomorphic encryption scheme. The scheme in question claimed to withstand precisely such attacks, and was the only scheme of its kind to do so at the time. This part of the thesis culminates with Article III, which is an overview article on the IND-CCA1 security of all acknowledged homomorphic encryption schemes. The second part of the thesis consists of Article IV, which presents Vetted Encryption (VE), a novel asymmetric cryptographic primitive. The primitive is designed to allow a recipient to vet who may send them messages, by setting up a public filter with a public verification key, and providing each vetted sender with their own encryption key. There are three different variants of VE, based on whether the sender is identifiable to the filter and/or the recipient. Security definitions, general constructions and comparisons to already existing cryptographic primitives are provided for all three variants.Doktorgradsavhandlin

Secure Equality Test Technique Using Identity-Based Signcryption for Telemedicine Systems

For telemedicine, wireless body area network (WBAN) offers enormous benefits where a patient can be remotely monitored without compromising the mobility of remote treatments. With the advent of high capacity and reliable wireless networks, WBANs are used in several remote monitoring systems, limiting the COVID-19 spread. The sensitivity of telemedicine applications mandates confidentiality and privacy requirements. In this article, we propose a secure WBAN-19 telemedicine system to overcome the pervasiveness of contagious deceases utilizing a novel aggregate identity-based signcryption scheme with an equality test feature. We demonstrate a security analysis regarding indistinguishable adaptive chosen-ciphertext attack (IND-CCA2), one-way security against adaptive chosen-ciphertext attack (OW-CCA2), and unforgeability against adaptive chosen-message attack (EUF-CMA) under the random oracle model. The security analysis of the scheme is followed by complexity evaluations where the computation cost and communication overhead are measured. The evaluation demonstrates that the proposed model is efficient and applicable in telemedicine systems with high-performance capacities

Homomorphic signcryption with public plaintext-result checkability

Signcryption originally proposed by Zheng (CRYPTO \u27 97) is a useful cryptographic primitive that provides strong confidentiality and integrity guarantees. This article addresses the question whether it is possible to homomorphically compute arbitrary functions on signcrypted data. The answer is affirmative and a new cryptographic primitive, homomorphic signcryption (HSC) with public plaintext-result checkability is proposed that allows both to evaluate arbitrary functions over signcrypted data and makes it possible for anyone to publicly test whether a given ciphertext is the signcryption of the message under the key. Two notions of message privacy are also investigated: weak message privacy and message privacy depending on whether the original signcryptions used in the evaluation are disclosed or not. More precisely, the contributions are two-fold: (i) two different definitions of HSC with public plaintext-result checkability is provided for arbitrary functions in terms of syntax, unforgeability and message privacy depending on if the homomorphic computation is performed in a private or in a public evaluation setting, (ii) two HSC constructions are proposed: one for a public evaluation setting and another for a private evaluation setting and security is formally proved

Towards Cyber Security for Low-Carbon Transportation: Overview, Challenges and Future Directions

In recent years, low-carbon transportation has become an indispensable part as sustainable development strategies of various countries, and plays a very important responsibility in promoting low-carbon cities. However, the security of low-carbon transportation has been threatened from various ways. For example, denial of service attacks pose a great threat to the electric vehicles and vehicle-to-grid networks. To minimize these threats, several methods have been proposed to defense against them. Yet, these methods are only for certain types of scenarios or attacks. Therefore, this review addresses security aspect from holistic view, provides the overview, challenges and future directions of cyber security technologies in low-carbon transportation. Firstly, based on the concept and importance of low-carbon transportation, this review positions the low-carbon transportation services. Then, with the perspective of network architecture and communication mode, this review classifies its typical attack risks. The corresponding defense technologies and relevant security suggestions are further reviewed from perspective of data security, network management security and network application security. Finally, in view of the long term development of low-carbon transportation, future research directions have been concerned.Comment: 34 pages, 6 figures, accepted by journal Renewable and Sustainable Energy Review

Combined schemes for signature and encryption: The public-key and the identity-based setting

Consider a scenario in which parties use a public-key encryption scheme and a signature scheme with a single public key/private key pair-so the private key sk is used for both signing and decrypting. Such a simultaneous use of a key is in general considered poor cryptographic practice, but from an efficiency point of view looks attractive. We offer security notions to analyze such violations of key separation. For both the identity-and the non-identity-based setting, we show that-although being insecure in general-for schemes of interest the resulting combined scheme can offer strong security guarantees.First and last author were supported by the Spanish Ministerio de Economía y Competitividad through the project grant MTM-2012-15167

Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Multi-message multi-receiver signcryption scheme based on blockchain

In conventional message communication systems, the practice of multi-message multi-receiver signcryption communication encounters several challenges, including the vulnerability to Key Generation Center (KGC) attacks, privacy breaches and excessive communication data volume. The KGC necessitates a secure channel to transmit partial private keys, thereby rendering the security of these partial private keys reliant on the integrity of the interaction channel. This dependence introduces concerns regarding the confidentiality of the private keys. Our proposal advocates for the substitution of the KGC in traditional certificateless schemes with blockchain and smart contract technology. Parameters are publicly disclosed on the blockchain, leveraging its tamper-proof property to ensure security. Furthermore, this scheme introduces conventional encryption techniques to achieve user identity privacy in the absence of a secure channel, effectively resolving the issue of user identity disclosure inherent in blockchain-based schemes and enhancing communication privacy. Moreover, users utilize smart contract algorithms to generate a portion of the encrypted private key, thereby minimizing the possibility of third-party attacks. In this paper, the scheme exhibits resilience against various attacks, including KGC leakage attacks, internal privilege attacks, replay attacks, distributed denial of service attacks and Man-in-the-Middle (MITM) attacks. Additionally, it possesses desirable security attributes such as key escrow security and non-repudiation. The proposed scheme has been theoretically and experimentally analyzed under the random oracle model, based on the computational Diffie-Hellman problem and the discrete logarithm problem. It has been proven to possess confidentiality and unforgeability. Compared with similar schemes, our scheme has lower computational cost and shorter ciphertext length. It has obvious advantages in communication and time overhead