Security of Hsu-Wu's authenticated encryption scheme with (t,n) shared verification

This paper discusses the security of Hsu-Wu's authenticated encryption scheme with (t,n) shared verification, including attacks such as intercept and counterfeit commit value attacks.

Presentation Transcript


  1. Security of Hsu-Wu's authenticated encryption scheme with (t,n) shared verification
     Author: Shin-Jia Hwang, Hao-Chih Liao
     Source: Application Math Comput. 167 (2005) 281-285
     Presenter: 曾嘉祥

  2. Outline
     • Hsu-Wu's authenticated encryption scheme with (t,n) shared verification
     • Attacks
       • Intercept attack
       • Counterfeit commit value attack
     • Conclusion

  3. Hsu-Wu's authenticated encryption scheme with (t,n) shared verification
     • Four phases
       • System initialization phase
       • Registration phase
       • Signature encryption phase
       • Message recovery phase

  4. System initialization phase
     • SA (system authority) selects two large public primes p and q such that q|p-1
     • SA selects a public element g with order q in GF(p)

  5. Registration phase (1/3)
     • Suppose that A is the signer and the verifier group of n verifiers is denoted by G={U1,U2,…,Un}. The identity of Ui is IDi≠0
     • For the signer A, SA chooses a random integer as A's private key; the public key of A is

  6. Registration phase (2/3)
     • For the registration of the group G, SA chooses a random integer as the verifier group's private key; the public key of G is
     • To share the group secret key with a threshold, SA randomly generates a (t-1)-degree polynomial where each is a random integer

  7. Registration phase (3/3)
     • For each verifier Ui in G, SA computes the individual private key , and the corresponding public key
     • Then SA delivers each individual private key xi to its owner Ui in a secure manner. All public keys are published by SA
     • SA keeps no secret after finishing the registration process

  8. Signature encryption
     Signer A wants to send a message to G in an authenticated and secure manner
     • Signer A selects a random integer and generates the signature (r, s) for m, where
     • Signer A selects a random integer and generates the ciphertext (c1,c2,c3) to G

  9. Message recovery phase (1/2)
     • Each Ui in W uses his/her own individual commitment value where
     • Each Ui broadcasts Ei to the other members in W

  10. Message recovery phase (2/2)
     • The members Ui in W cooperatively compute the product of all individual commitment values by
     • Each Ui recovers the signature (r,s) by and message m

  11. Attack
     • Intercept attack
     • Counterfeit commit value attack

  12. Intercept attack (1/3)
     • The goal of the intercept attack is that only the malicious verifier can obtain the message, while the others in W cannot

  13. Intercept attack (2/3)
     [Diagram with parties: Signer A, the malicious verifier U1, other verifiers]

  14. Intercept attack (3/3)
     • U1 recovers the message m as:

  15. Counterfeit commit value attack (1/2)
     • In Hsu-Wu's scheme, there is no verification of each individual commit value Ei in the message recovery phase
     • The goal of the counterfeit commit value attack is that the malicious verifier can obtain messages by broadcasting an incorrect commit value to the other verifiers in W

  16. Counterfeit commit value attack (2/2)
     • The malicious verifier U1, instead of honestly computing the commit value E1, broadcasts a fake commit value
     • If the other verifiers in W are honest, then only the malicious verifier U1 can compute the correct commit value E; in other words, only U1 can recover the message m

  17. Conclusion
     • In the real world, the honest verifier assumption is not practical
     • To overcome these two attacks, it is necessary to remove this impractical assumption in Hsu-Wu's scheme
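
Slide 15 notes that the individual commit values Ei are never verified. The following is an added example, not taken from the paper or the slides, of one standard way to add that check: each verifier attaches a Chaum-Pedersen discrete-log-equality proof so the others can test Ei against its published public key. Assumptions, since the slide formulas did not survive extraction: xi = f(IDi) mod q, yi = g^xi, c1 lies in the order-q subgroup, Ei = (c1^λi)^xi with λi the Lagrange coefficient, and the group parameters are toy-sized constructed values.

```python
import hashlib, secrets

def is_prime(n):                      # trial division is enough at toy size
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = 2**31 - 1                         # constructed toy group: prime q, prime p = k*q + 1
P = next(k * Q + 1 for k in range(2, 1000, 2) if is_prime(k * Q + 1))
G = pow(2, (P - 1) // Q, P)           # element of order q in GF(p)

def share(secret, ids, t):            # assumed: x_i = f(ID_i) mod q, deg f = t-1
    f = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(a * pow(i, k, Q) for k, a in enumerate(f)) % Q for i in ids}

def lagrange(i, W):                   # weight of U_i at 0; nonzero because ID_i != 0
    num = den = 1
    for j in W:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def H(*v):                            # Fiat-Shamir challenge in Z_q
    return int.from_bytes(hashlib.sha256(repr(v).encode()).digest(), "big") % Q

def prove(x, y, base, E):             # shows log_g(y) == log_base(E) without revealing x
    w = secrets.randbelow(Q)
    a1, a2 = pow(G, w, P), pow(base, w, P)
    return a1, a2, (w + H(y, base, E, a1, a2) * x) % Q

def verify(y, base, E, proof):        # also rejects E outside the order-q subgroup
    a1, a2, z = proof
    c = H(y, base, E, a1, a2)
    return (pow(E, Q, P) == 1 and pow(G, z, P) == a1 * pow(y, c, P) % P
            and pow(base, z, P) == a2 * pow(E, c, P) % P)

def recover(c1, xs, ys, W, faulty=()):   # assumed E_i = base^x_i; faulty IDs send a wrong value
    prod, ok = 1, {}
    for i in W:
        base = pow(c1, lagrange(i, W), P)
        E = pow(base, xs[i], P) * (G if i in faulty else 1) % P
        ok[i] = verify(ys[i], base, E, prove(xs[i], ys[i], base, E))
        prod = prod * E % P
    return prod, ok                   # (product of all E_i, check result per ID)

def demo():
    x_G, ids, W = secrets.randbelow(Q), (1, 2, 3, 4, 5), (1, 3, 4)
    xs = share(x_G, ids, 3)
    ys = {i: pow(G, x, P) for i, x in xs.items()}
    c1 = pow(G, 1 + secrets.randbelow(Q - 1), P)
    return pow(c1, x_G, P), recover(c1, xs, ys, W), recover(c1, xs, ys, W, {3})
```

`demo()` returns the expected product c1^xG, then the honest run, then a run in which verifier 3 sends a wrong value: the product silently changes, and only the per-value check identifies which Ei to reject.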