Special Signature Schemes and Key Agreement Protocols
This thesis is divided into two distinct parts. The first part of
the thesis explores various deniable signature schemes and their
applications. Such schemes do not bind a unique public key to a
message, but rather specify a set of entities that could have
created the signature, so each entity involved in the signature can
deny having generated it. The main deniable signature schemes we
examine are ring signature schemes.
Ring signatures can be used to construct designated verifier
signature schemes, which are closely related to designated verifier
proof systems. We provide previously lacking formal definitions and
security models for designated verifier proofs and signatures and
examine their relationship to undeniable signature schemes.
Ring signature schemes also have applications in the context of fair
exchange of signatures. We introduce the notion of concurrent
signatures, which can be constructed using ring signatures, and
which provide a "near solution" to the problem of fair exchange.
Concurrent signatures are more efficient than traditional solutions
for fair exchange at the cost of some of the security guaranteed by
traditional solutions.
The second part of the thesis is concerned with the security of
two-party key agreement protocols. It has traditionally been
difficult to prove that a key agreement protocol satisfies a formal
definition of security. A modular approach to constructing provably
secure key agreement protocols was proposed, but the approach
generally results in less efficient protocols.
We examine the relationships between various well-known models of
security and introduce a modular approach to the construction of
proofs of security for key agreement protocols in such security
models. Our approach simplifies the proof process, enabling us to
provide proofs of security for several efficient key agreement
protocols in the literature that were previously unproven.
Identity Based Authenticated Key Agreement
Keywords: identity based cryptography, authenticated key agreement, pairings, trusted authority forward secrecy.
We investigate a number of issues related to identity based authenticated key agreement protocols in the Diffie-Hellman family enabled by the Weil or Tate pairings. These issues include how to make protocols efficient, how to avoid key escrow by a Trust Authority (TA) that issues identity based private keys for users, and how to allow users to use different TAs. We describe a few authenticated key agreement (AK) protocols and AK with key confirmation (AKC) protocols by modifying Smart's AK protocol. We discuss the security of these protocols heuristically and give formal proofs of security for our AK and AKC protocols (using a security model based on the Bellare-Rogaway model). We also prove that our AK protocol has the key compromise impersonation property. We also show that our second protocol has the TA forward secrecy property (which we define to mean that the compromise of the TA's private key will not compromise previously established session keys), and we note that this also implies that it has the perfect forward secrecy property.
Identity Based Authenticated Key Agreement Protocols from Pairings
We investigate a number of issues related to identity based authenticated key agreement protocols in the Diffie-Hellman family enabled by the Weil or Tate pairings. These issues include how to make protocols efficient, how to avoid key escrow by a Trust Authority (TA) that issues identity based private keys for users, and how to allow users to use different TAs. We describe a few authenticated key agreement (AK) protocols and AK with key confirmation (AKC) protocols by modifying Smart's AK protocol [Sm02]. We discuss the security of these protocols heuristically and give formal proofs of security for our AK and AKC protocols (using a security model based on the model defined in [BJM97]). We also prove that our AK protocol has the key compromise impersonation property. We also show that our second protocol has the TA forward secrecy property (which we define to mean that the compromise of the TA's private key will not compromise previously established session keys), and we note that this also implies that it has the perfect forward secrecy property.
Background
Abstract. The security of key agreement protocols has traditionally been notoriously hard to establish. In this paper we present a modular approach to the construction of proofs of security for a large class of key agreement protocols. By following a modular approach to proof construction, we hope to enable simpler and less error-prone analysis and proof generation for such key agreement protocols. The technique is compatible with Bellare-Rogaway style models as well as the more recent models of Bellare et al. and Canetti and Krawczyk. In particular, we show how the use of a decisional oracle can aid the construction of proofs of security for this class of protocols, and how the security of these protocols commonly reduces to some form of Gap assumption.
Non-interactive Designated Verifier Proofs and Undeniable Signatures
Abstract. Non-interactive designated verifier (NIDV) proofs were first introduced by Jakobsson et al. and have widely been used as confirmation and denial proofs for undeniable signature schemes. There appears to be no formal security modelling for NIDV undeniable signatures or for NIDV proofs in general. Indeed, recent work by Wang has shown the original NIDV undeniable signature scheme of Jakobsson et al. to be flawed. We argue that NIDV proofs may have applications outside of the context of undeniable signatures and are therefore of independent interest. We therefore present two security models, one for general NIDV proof systems, and one specifically for NIDV undeniable signatures. We go on to repair the NIDV proofs of Jakobsson et al., producing secure NIDV proofs suited to combination with Chaum’s original undeniable signature scheme resulting in a secure and efficient concrete NIDV undeniable signature scheme.
Concurrent Signatures
Abstract. We introduce the concept of concurrent signatures. These allow two entities to produce two signatures in such a way that, from the point of view of any third party, both signatures are ambiguous with respect to the identity of the signing party until an extra piece of information (the keystone) is released by one of the parties. Upon release of the keystone, both signatures become binding to their true signers concurrently. Concurrent signatures fall just short of providing a full solution to the problem of fair exchange of signatures, but we discuss some applications in which concurrent signatures suffice. Concurrent signatures are highly efficient and require neither a trusted arbitrator nor a high degree of interaction between parties. We provide a model of security for concurrent signatures, and a concrete scheme which we prove secure in the random oracle model under the discrete logarithm assumption.
On Proofs of Security for Certificateless Cryptosystems
Certificateless public-key encryption has recently been proposed as an attractive alternative to certificate-based and identity-based encryption schemes. The attraction of certificateless PKE is that it combines the implicit public key authentication of an identity-based scheme with the escrow-free property of a certificate-based scheme. However, all the certificateless schemes presented thus far have either had their security proved in a reduced security model, or have relied on the random oracle model. Indeed, some authors have gone as far as suggesting that it is impossible to prove the full security of a certificateless scheme in the standard model. This paper examines this claim and comes to the conclusion that, while some provable security techniques may be denied to us, there is no reason why the security of a certificateless scheme cannot be proven in the standard model.