
Signcryption: what, why and how

Signcryption: what, why and how. Yevgeniy Dodis New York University. Signature and Encryption. Most basic cryptographic tools Signature : Receiver is sure message came from sender Provides Authentication Encryption : Only receiver can understand the message Provides Privacy.



Presentation Transcript


  1. Signcryption: what, why and how Yevgeniy Dodis New York University

  2. Signature and Encryption • Most basic cryptographic tools • Signature: • Receiver is sure message came from sender • Provides Authentication • Encryption: • Only receiver can understand the message • Provides Privacy

  3. Common Design Wisdom • Never mix things together • Make the design as modular as possible • Have freedom to design independent privacy and authentication components • When both are needed, combine known solutions • Encrypt-then-sign (EtS): Sig(Enc(m)) • Sign-then-encrypt (StE): Enc(Sig(m)) • But given both are needed so often, shall we define/design tailored solutions? Signcryption???

  4. Signcryption as a Primitive? YES • Are we sure EtS and StE are “secure”? • NO, if we are not careful! (yes, if we are) • Do we know exactly what we mean by “private authenticated communication”? • Definition is non-trivial! • Maybe we can build significantly more efficient/secure solutions than EtS/StE? • Maybe we can in fact simplify protocol design by having this high-level primitive?

  5. Prior Work • Initial study of signcryption [Zheng97,…] • Main motivation efficiency • Security arguments: no formal definitions/proofs • Using authentication to go CPA->CCA • ElGamal Encryption [TY98,SJ00] • Symmetric setting [BN00,K01,BR00] • Authenticated Encryption (symmetric setting) • Definitions [KY00,BN00,BR00] • Sequential Composition EtA/AtE [BN00,K01] Called “good” if MAC helps CPA->CCA (justified but unnatural) • Encrypt/encipher-with-redundancy [AB01,BR00] • New Block Cipher Modes (RFC,IAPM,OCB,SNCBC,…)

  6. Our Results I [ADR02] • Formal definition(s) of signcryption • Multi-user vs. Two-user setting • “Insider” vs. “Outsider” distinction • EtS/StE are secure if modeled properly… • Paradigm of parallel signcryption: • Performs expensive Enc and Sig in parallel • Commit-then-Encrypt-and-Sign (CtE&S) • Leads to fast On-line/Off-line Signcryption • Definitional inadequacy of CCA security

  7. Our Results II [DFW03] • More efficient parallel signcryption: Padding-based Parallel Signcryption (PbPS) • Fully compatible with PKCS#1 standard • Works with PSS-R, OAEP, OAEP+ & other paddings • Based on any TDP f (e.g., RSA) • Simple and flexible key management • Same f can be used to both send & receive data… • Effortlessly supports associated data • Tight exact security and many more… • New notion: universal two-padding schemes • New padding: PSEP, hybrid of PSS-R & OAEP

  8. Our Results III [DA03] • General way to build signcryption on long messages from that on short messages • Very simple and efficient • Couple with PbPS ⇒ very practical signcryption! • Utilizes a new primitive of independent interest: Concealment • Strong version equivalent to CRHFs, weak version can be built from UOWHFs (and, thus, OWFs) • Remotely Keyed (Authenticated) Encryption • Formal definition and simple solution • Considerably simplifies/generalizes prior work

  9. Defining Signcryption [diagram: ideal functionality, Alice sends “Love from Alice?”] • Implementation: • Each player P publishes key pair (SecP, PubP) • To send m from sender S to receiver R: • u = SigEnc(m; SecS, PubR); m = VerDec(u; PubS, SecR)

  10. Example: EtS [diagram: Alice sends “Love from Alice?”; but what if Ugly intervenes?]

  11. Example: EtS (cont) [diagram: the receiver now sees “Love from Ugly?”, yet it came from Alice???] • Moral: Need to use identities in multi-user setting! Both for syntax and constructions

  12. Formal Definition (multi-user) • When attacking U, adversary A(PubU) can: • Ask SigEnc(m; SecU, PubR), for any receiver R • Ask DecVer(m; PubS, SecU), for any sender S • To break authenticity, outputs new forgery: • (m; SecR) s.t. DecVer(m; PubU, SecR) ≠ ⊥ • Note, allow A to choose receiver R! • To break privacy, guesses b w/pr. > ½: • Chooses (m0, m1, SecS), for S of A’s choice! • m* ← SigEnc(mb; SecS, PubU), for random b

  13. Two- vs. Multi-User Setting • Can formally define both settings • Two-user is much simpler: no IDs! • Only sender S and receiver R • Shows no attacks on the scheme, only on IDs • But multi-user needed in applications… • “Multi-User = Two-User + ID fraud protection” • For all our schemes, some natural “tricks” always work to go two-user → multi-user • First describe two-user version • Then show how to get multi-user

  14. Parallel Signcryption • Apply expensive “encrypting” and “signing” in parallel • New alternative to sequential composition • Can offer other advantages beside parallelism and efficiency • More flexible key management • Easier for tight security reductions • On-line/Off-line Signcryption • Aesthetics: more elegant

  15. Generic Parallel Signcryption • CtE&S: m → (c,d); sender: ψ = EncR(d), s = SigS(c); receiver: d = DecR(ψ), c = VerS(s), then (c,d) → m • StE: sender: s = SigS(m), u = EncR(s); receiver: s = DecR(u), m = VerS(s) • EtS: sender: ψ = EncR(m), u = SigS(ψ); receiver: ψ = VerS(u), m = DecR(ψ) • What properties on (c,d) are needed for CtE&S?

  16. Properties of c and d • Recall, Signcrypt(m) = (Sig(c), Enc(d)) • [m → (c,d) → m] should be fast • Privacy (“hiding”): c should not reveal “any information” about m • Indeed, c goes “in the clear” • Authenticity (“binding”): should be hard to “reuse” Sig(c) • If find d’ such that (c,d’) is valid and d’ ≠ d, then (Sig(c), Enc(d’)) is a new forgery • Hiding + binding = COMMITMENT SCHEME!!! (“relaxed” commitment scheme is necessary and sufficient… see paper)

  17. Improving Generic Approach • Need IND-CCA Enc and sUF-CMA Sig • Expensive • What if implement in RO model? • Say, PSS for Sig, OAEP/OAEP+ for Enc… • Wasteful, need to “pad” twice! • Poor exact security • Poor message bandwidth • Less efficient • Need to store two independent keys • Aesthetics: inelegant • Can we do (much) better? YES!

  18. Padding-based Parallel Signcryption [diagram: CtE&S: m → Commit → (d,c) → EncR on d, SigS on c → (ψ, σ); PbPS: m → “Two-Pad” → (w,s) → (ψ, σ)]

  19. Advantages of PbPS • Replace expensive Enc and Sig by a TDP f and its inverse f^-1 (e.g., RSA) • Can reuse f for sending and receiving • Entire PubU = f, SecU = f^-1 • Consistent with current PKI infrastructure suggested by PKCS#1 • Better exact security • More efficient if “two-paddings” are fast • What are these “two-paddings”???

  20. Universal Two-Paddings • Invertible Pad(m) → (w,s) s.t. for any TDP f • [f(w), s] is IND-CCA-secure encryption • [w, f^-1(s)] is sUF-CMA-secure signature • In fact, holds even if reuse the same f for both signature and encryption • Lemma: if Pad is universal two-padding, then [fR(w), fS^-1(s)] is a secure signcryption in the two-user setting • Later extend to multi-user setting

  21. Two-Padding Results • Note: must use Random Oracle Model as use TDPs • Give a wide variety of universal two-paddings: • Old: PSS-R, OAEP, OAEP+, SAP (“scramble all padding”) • New: many, most notably PSEP (mix of PSS-R & OAEP) • All are special cases of one general construction! • In particular, found generalization of most padding schemes commonly used for plain signature/encryption

  22. Intuition Behind Construction [diagram: one Feistel round through H turns (d,c) into (w,s)] • Most known padding schemes already naturally consist of two pieces (w,s) • Moreover, always have (w,s) = Feistel(d,c) for some pair (d,c). • Example: PSS-R • Have w = G(m,r), s = H(w) ⊕ (m,r). • Can write w = c, s = H(c) ⊕ d, where c = G(m,r), d = (m,r) • What properties on (d,c) suffice??

  23. Extractable Commitment Given by two properties: • (Strong) Hiding: c(m) looks random, for any m • usually holds anyway for any natural commitment • Extractability: using some “trapdoor” T, can find d from c. • There is Extract(c,T) → d procedure s.t. for any A: Pr[ (c,d) valid & Extract(c,T) ≠ d | (c,d) ← A ] = negl. • In the RO model, trapdoor T = RO queries made by A • Note: extractability implies strong binding • Hard to find (c,d,d’) s.t. (c,d), (c,d’) are valid and d ≠ d’

  24. Feistel Two-Paddings • Theorem: If Commit(m) → (c,d) is an extractable commitment then Pad(m) = (w = c, s = H(c) ⊕ d) is a universal two-padding scheme • Note: we will see that all natural commitments in the RO model are anyway extractable • Thus, essentially show that applying one round of Feistel to a pair (c,d) good for CtE&S, get a two-padding (w,s) good for PbPS! • Feistel allows to replace expensive Enc and Sig by a TDP f and its inverse f^-1 (e.g., RSA)

  25. Examples • If c = G(m,r), d = (m,r) get PSS-R • If c = G(r) ⊕ (m,0^k), d = r get OAEP • If c = (G(r) ⊕ m, G’(m,r)), d = r get OAEP+ • If c = G(d) ⊕ m2, d = (m1,r,G’(m2)) get SAP • Probabilistic Signature Encryption Padding (PSEP): arbitrarily split m = m1||m2 and set c = (G(r) ⊕ m1, G’(m2,r)), d = (m2,r) • if |m1|=0 get PSS-R, if |m2|=0 get OAEP • but now can achieve much higher bandwidth! E.g., with 1024-bit keys can fit 1600 bits of m

  26. Associated Data Support • Associated data binds a public label L to m • L is transmitted in the clear, together with “actual” signcryption of m • Still, authentication applies to both L and m • Very useful in many contexts [Rogaway02] • All our constructs easily support arbitrarily long associated data at nearly no cost! • Simply stick L into H during the Feistel round • Simple two-user → multi-user conversion • Add public keys of S and R as part of the label
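An added worked example (not code from the slides or the authors): the PSEP extractable commitment of slide 25 turned into a two-padding by the Feistel round of slides 22-24, with the associated-data label L folded into H as on slide 26. The random oracles G, G', H are modelled with domain-separated SHA-256 (an assumption), the sizes of r and m2 are fixed for the toy, and the trapdoor permutation calls fR(w), fS^-1(s) of the real PbPS are left out so that only the padding layer is shown.

```python
import hashlib
import os

R_LEN, M2_LEN, TAG_LEN = 16, 16, 32   # toy sizes in bytes: |r|, |m2|, |G'(m2,r)|

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _oracle(name: bytes, data: bytes, n: int) -> bytes:
    """Domain-separated SHA-256 counter hash standing in for random oracles G, G', H."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(name + ctr.to_bytes(4, "big") + data).digest()
        ctr += 1
    return out[:n]

def psep_commit(m1: bytes, m2: bytes, r: bytes):
    """PSEP commitment: c = (G(r) xor m1, G'(m2,r)), d = (m2, r)."""
    assert len(m2) == M2_LEN and len(r) == R_LEN
    c = _xor(_oracle(b"G", r, len(m1)), m1) + _oracle(b"G'", m2 + r, TAG_LEN)
    return c, m2 + r

def _h(label: bytes, c: bytes, n: int) -> bytes:
    # H over (label, c); the length prefix keeps label and c unambiguous
    return _oracle(b"H", len(label).to_bytes(4, "big") + label + c, n)

def two_pad(m1: bytes, m2: bytes, r=None, label: bytes = b""):
    """Pad(m) = (w, s) with w = c, s = H(L, c) xor d: one Feistel round over (c, d)."""
    r = os.urandom(R_LEN) if r is None else r
    c, d = psep_commit(m1, m2, r)
    return c, _xor(_h(label, c, len(d)), d)

def two_unpad(w: bytes, s: bytes, label: bytes = b""):
    """Undo the Feistel round, then open the commitment; None if (c, d) is invalid."""
    c = w
    d = _xor(_h(label, c, len(s)), s)             # recover d = (m2, r)
    m2, r = d[:M2_LEN], d[M2_LEN:]
    c1, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    if _oracle(b"G'", m2 + r, TAG_LEN) != tag:    # binding check: G'(m2, r) must match
        return None
    return _xor(_oracle(b"G", r, len(c1)), c1), m2   # (m1, m2)
```

Any change to w, s or the label alters the recovered (m2, r), so the G' check rejects it; this is the "hard to reuse Sig(c)" property the slides rely on.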

  27. Full PbPS scheme: short messages, long labels [diagram: m → Commit → (d,c); Feistel round H over c together with L, IDR, IDS → (w,s); output (L, ψ, σ)]

  28. Signcrypting Long Messages • Main Question: given good signcryption SC on short messages m, how to signcrypt arbitrarily long messages M? • Approach: transform M → (b,h) and set SC*(M) = (SC(b), h) • (note: want to have |b| << |M|) • Sub-Question: what transformations T are needed to make SC* secure? • Answer: concealments!

  29. Concealments • Recall, SC*(M) = (SC(b), h) • |b| < |M| (non-triviality) • Privacy (“hiding”): h should reveal “no information” about M • Indeed, h goes “in the clear” • Authenticity (“binding”): should be hard to “reuse” SC(b) • If find h’ such that (b,h’) is valid and h’ ≠ h, then (SC(b), h’) is a new forgery • Hiding + binding = CONCEALMENT SCHEME!!! (“relaxed” concealment scheme is necessary and sufficient… see paper)

  30. Commitment vs. Concealment • Commitment: commitment c & decommitment d; used as (Sig(c), Enc(d)); both hiding and binding are on c; useful even when |c|>|m| (i.t. binding); always implies OWFs • Concealment: hider h & binder b; used as (h, Signcrypt(b)); hiding on h & binding on b; trivial if |b|=|M|; otherwise implies CRHFs

  31. Constructing Concealments • Use one-time symmetric encryption (E,D) • Set h = Eτ(M), b = (τ, K(h)), where K is a CRHF • Hiding is obvious, binding is due to CRHF K • Notice, b is indeed short • If SC supports (long) associated data, can set h = Eτ(M), b = τ and L = h (+extra label) • Binding since pair (b = τ, L = Eτ(M)) commits M • Nicely applies to PbPS • Here is the final multi-user signcryption of long messages with associated data
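An added example (not from the slides) of the concealment on slide 31 and the SC*(M) = (SC(b), h) transform of slide 28: h = Eτ(M), b = (τ, K(h)). K is SHA-256 (assumed collision-resistant) and E is a one-time keystream cipher derived from SHA-256, a constructed stand-in for the (E,D) of the slide; the short-message signcryption SC is passed in as a callable, since this block only demonstrates the concealment layer.

```python
import hashlib
import os

KEY_LEN = 16   # |tau| in bytes (toy choice)

def _keystream(tau: bytes, n: int) -> bytes:
    """One-time keystream from SHA-256 in counter mode (constructed stand-in for E)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(tau + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def conceal(M: bytes, tau=None):
    """Return (b, h): h = E_tau(M) hides M, the short binder b = tau || K(h) commits to it."""
    tau = os.urandom(KEY_LEN) if tau is None else tau
    h = bytes(x ^ y for x, y in zip(M, _keystream(tau, len(M))))
    b = tau + hashlib.sha256(h).digest()          # K = SHA-256 as the CRHF
    return b, h

def open_concealment(b: bytes, h: bytes):
    """Recover M, or None if h does not match the binder (the CRHF check gives binding)."""
    tau, tag = b[:KEY_LEN], b[KEY_LEN:]
    if hashlib.sha256(h).digest() != tag:
        return None
    return bytes(x ^ y for x, y in zip(h, _keystream(tau, len(h))))

def sc_star(M: bytes, sc):
    """SC*(M) = (SC(b), h): only the short b goes through the expensive signcryption."""
    b, h = conceal(M)
    return sc(b), h

def vd_star(u: bytes, h: bytes, vd):
    """Inverse of sc_star: unsigncrypt u to get b, then open (b, h); None on any failure."""
    b = vd(u)
    return None if b is None else open_concealment(b, h)
```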

  32. Full-fledged PbPS scheme [diagram: M → Eτ → π; τ → Commit → (d,c); Feistel round H over c together with π, L, IDR, IDS → (w,s); output (π, L, ψ, σ)]

  33. Conclusions • Formally defined signcryption • importance of IDs, multi-user security, … • Parallel Signcryption & its advantages • generic CtE&S paradigm • big improvement: PbPS • Two-padding schemes • general Feistel construction from commitments • get many old paddings (PSS-R, OAEP, …) + new (PSEP) • Concealment Primitive: define, construct + apps • Full-fledged signcryption of long messages • flexibility, efficiency, simplicity, generality, security • consistent with existing standards/PKI

  34. Thank you
