Signcryption
Parshuram Budhathoki
Department of Mathematical Sciences, Florida Atlantic University
April 18, 2013
pbudhath@fau.edu

Motivation:
• Confidentiality: Keeping information secret from all other than those who are authorized to see it.
• Integrity: Ensuring that the information has not been altered by unauthorized entities.
• Authentication: The assurance that the communicating party is the one that it claims to be.
• Nonrepudiation: Preventing the denial of previous commitments or actions.

Motivation:
Confidential and Authenticated
Traditional Method: “Signature-Then-Seal”

Motivation: How do we get these things in modern cryptography?
• Confidentiality: Encryption Scheme
• Integrity, Authentication, Nonrepudiation: Signature Scheme

Motivation: How do we get these things in modern cryptography?
• Signature Scheme: RSA, Schnorr, DSS, Others …

Motivation: How do we get these things in modern cryptography?
• Encryption Scheme: RSA, ElGamal, Others …

Motivation:
Is it possible to deliver messages of varying length in a secure and authenticated way with an expense less than that required by “Signature-Then-Encryption”?
In 1997 Yuliang Zheng proposed a separate primitive called Signcryption.

Outline:
• Why Signcryption?
• Signcryption
• Shortening ElGamal-Based Signatures
• Secure Signcryption Scheme
• Signcryption Scheme by Y. Zheng

Why Signcryption?
Cost of Signcryption < Cost of Signature + Cost of Encryption
1. Computational cost
2. Communication overhead

Why Signcryption?
1. Computational cost
We estimate computational cost by counting the number of operations involved:
• Private key encryption and decryption
• Hashing
• Addition
• Multiplication
• Division
• Exponentiation

Why Signcryption?
2. Communication overhead
In addition to computational cost, digital signature and encryption based on public key cryptography also require extra bits to be appended to a message. We call these extra redundant bits the communication overhead involved.

Signcryption
• Gen: Security parameter → key-pair (Public, Private)
• SC: Private key of sender, Message, RID → C = SC_{Private Key}(Message, RID)
• DSC: Private key of receiver, C, SID → DSC_{Private Key}(C, SID)

Shortening ElGamal-Based Signatures:
Let $p$ be a large prime, $q$ a large prime factor of $p-1$, and $g$ an integer from $\{1, \dots, p-1\}$. Let $h: \{1, \dots, p-1\} \times \{0,1\}^* \to \{1, \dots, p-1\}$ be a hash function.
• Key Generation: Choose $x$ randomly from $\{1, \dots, p-1\}$
  Public key = $g^x$
  Private key = $x$

Shortening ElGamal-Based Signatures:
• Sign: Choose $y$ randomly from $\{1, \dots, p-1\}$
  $r = h(g^y \bmod p, M)$
  $s = y / (r + x) \bmod p$, where $M$ = message
  Signature = $\langle r, s \rangle$

Shortening ElGamal-Based Signatures:
• Verify: Compute $k = (g^x \cdot g^r)^s \bmod p$
  Accept if $r = h(k, M)$

Secure Scheme:
• Secure Signature Scheme: Unforgeable under adaptively chosen message attack.
• Secure Encryption Scheme: Indistinguishable against adaptively chosen ciphertext attack.

Secure Signcryption Scheme:
• Unforgeable: It is computationally infeasible for an adaptive attacker to create a signcrypted text.
• Non-repudiation: It is computationally feasible for a third party to settle a dispute between signer and receiver where the signer denies the fact that he/she is the originator of a signcrypted text.
• Confidential: It is computationally infeasible for an adaptive attacker to gain any partial information on the contents of a signcrypted text.

YZ-Signcryption Scheme:
$p$: a large prime (public)
$q$: a large prime factor of $p-1$ (public)
$g$: a (random) integer in $[1, \dots, p-1]$ with order $q$ mod $p$ (public)
$h$: a one-way hash function (public)
Gen: Using this algorithm, sender and receiver choose their key-pairs. Let $x, y$ from $[1, \dots, q-1]$ be the sender’s and receiver’s private keys, and $S = g^x$ and $R = g^y$ their respective public keys.

YZ-Signcryption Scheme:
$S$: Sender’s public key
$R$: Receiver’s public key
SC: Pick $r$ randomly from $[1, \dots, q-1]$
1. Compute $k = R^r \bmod p$. Split $k$ into $k_1$ and $k_2$ of appropriate length.
2. $n = h(M, k_2)$, where $M$ = message
3. $s = r / (n + x) \bmod q$
4. $c = E_{k_1}(M)$, where $E$ := Encryption in AES
Signcrypted text = $\langle c, n, s \rangle$

YZ-Signcryption Scheme:
$S$: Sender’s public key
$R$: Receiver’s public key
DSC: Recover $k$ from $n$, $s$, $g$, $p$, $S$ and $R$:
1. $k = (S \cdot g^{n})^{s \cdot y} \bmod p$
2. Split $k$ into $k_1$ and $k_2$
3. $M = D_{k_1}(c)$, where $D$ := Decryption in AES
4. Accept $M$ as a valid message if $h(M, k_2) = n$
NOTE: $D_{k_1}(E_{k_1}(M)) = M$

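The Gen, SC and DSC steps above, run end to end as an added example (not code from the original slides), showing that the receiver recovers the same k and rejects altered input. Assumptions: a toy 11-bit group, halves of SHA-512(k) as the split into k1 and k2, HMAC-SHA256 as h, and a SHA-256 counter keystream standing in for AES; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy public parameters, constructed for this example and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 has order q modulo p.
P, Q, G = 2039, 1019, 4

def keygen():
    """Gen: private key from [1, q-1] and public key g^key mod p."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)

def split(k):
    """Split k into (k1, k2). Assumption: halves of SHA-512(k) serve as the split."""
    d = hashlib.sha512(k.to_bytes((P.bit_length() + 7) // 8, "big")).digest()
    return d[:32], d[32:]

def xor_stream(k1, data):
    """Stand-in for AES (not in the standard library): SHA-256 counter keystream XOR."""
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(k1 + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def h(msg, k2):
    """One-way hash h(M, k2); HMAC-SHA256 keyed with k2 is the assumed instantiation."""
    return hmac.new(k2, msg, hashlib.sha256).digest()

def signcrypt(msg, x, R):
    """SC with sender private key x and receiver public key R; returns (c, n, s)."""
    while True:
        r = secrets.randbelow(Q - 1) + 1
        k1, k2 = split(pow(R, r, P))                  # 1. k = R^r mod p, split
        n = h(msg, k2)                                # 2. n = h(M, k2)
        d = (int.from_bytes(n, "big") + x) % Q
        if d:                                         # n + x must be invertible mod q
            break
    s = r * pow(d, -1, Q) % Q                         # 3. s = r / (n + x) mod q
    return xor_stream(k1, msg), n, s                  # 4. c = E_k1(M)

def unsigncrypt(c, n, s, y, S):
    """DSC with receiver private key y and sender public key S; None means reject."""
    base = S * pow(G, int.from_bytes(n, "big"), P) % P
    if not 0 < s < Q or base == 1:                    # added check: either case forces k = 1
        return None
    k1, k2 = split(pow(base, s * y, P))               # 1-2. k = (S * g^n)^(s*y) mod p
    msg = xor_stream(k1, c)                           # 3. M = D_k1(c)
    return msg if hmac.compare_digest(h(msg, k2), n) else None   # 4. h(M, k2) = n
```

The range check on s and the check that the base is not 1 are not on the slides; without them a receiver would accept a triple for which k is the publicly known value 1.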
Cost of Signcryption vs. Cost of Sign-Then-Encryption

Question ? Thank You !!!