Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London, U.K.

Signcryption
• Introduced by Zheng in 1997.
• Combines the advantages of public-key encryption and digital signatures:
  • Confidentiality
  • Integrity/Origin authentication
  • Non-repudiation?
• A relatively new type of primitive.
• Two competing security models.

Signcryption
[Diagram: algorithms of a signcryption scheme]
• Common Parameter Generation
• Sender Key Generation: (pkS, skS)
• Receiver Key Generation: (pkR, skR)
• Signcryption of message m using pkR and skS
• Unsigncryption of signcryption C using pkS and skR

Signcryption
• An, Dodis and Rabin (2002) security model.
  • Two user model.
  • Outsider security
    • Security against attacks made by third parties, i.e. anyone who isn’t the sender or the receiver.
  • Insider security
    • Full security, prevents attacks against the integrity of the scheme made by the receiver.
• Baek, Steinfeld and Zheng (2002) model.

Signcryption
• Confidentiality. No third party should be able to learn any information about the message from the signcryption.
  • IND security against an attacker with encryption and decryption oracles.
• Integrity. No party should be able to forge ciphertexts that purport to be from the sender.
  • Existential unforgeability against an attacker with the private key of the receiver and an encryption oracle.

Hybrid Signcryption
• Adapts a well-known technique in public-key encryption schemes.
• Involves using symmetric algorithms as subroutines in public-key schemes.
• Typically involves randomly generating a symmetric key and an asymmetric encryption of that key.
• Formalised for an encryption scheme by Cramer and Shoup (1998).

Hybrid Signcryption
• Elegant solution for hybrid signcryption with outsider security proposed in ISC 2005.
• Messy but workable solution for hybrid signcryption with insider security proposed in ACISP 2005.
  • Poor security reduction involving multiple terms
  • Confidentiality relies on the KEM being unforgeable.
• We propose an elegant new solution using the Tag-KEM ideas of Abe et al. (2005).

Tag-KEMs
• A public/private key generation algorithm.
• A symmetric key generation algorithm.
• An encapsulation algorithm.
• A decapsulation algorithm.
[Diagram: Sym takes pk and outputs ω and K; Encap takes ω and tag and outputs C; Decap takes sk, C and tag and outputs K.]

Tag-KEMs
• Combine with a (passively secure) symmetric encryption scheme to give a (strongly secure) asymmetric encryption scheme.
[Diagram: Sym takes pk and outputs ω and K; ENC encrypts m under K to give C2; Encap takes ω and tag and outputs C1.]

Tag-KEMs
• Decryption works in the obvious way.
• Note that C2 is acting both as the tag that allows the recovery of K and as the encryption of m.
[Diagram: Decap takes sk, C1 and C2 and outputs K; DEC decrypts C2 under K to give m.]
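
The hybrid construction on the two slides above, as an added example that is not code from the presentation: it shows C2 serving as the tag, so a modified C2 makes Decap reject. The Tag-KEM is a constructed stand-in (a toy Diffie-Hellman KEM with an HMAC over the tag), `stream_xor` plays the passively secure symmetric scheme, and the group parameters and all function names are assumptions of this example.

```python
import hashlib, hmac, secrets

# Toy group (constructed for this example; far too small for real use).
P = 2**127 - 1                      # Mersenne prime
G = 3

def kdf(shared):
    d = hashlib.sha512(shared.to_bytes(16, "big")).digest()
    return d[:32], d[32:]           # K for ENC, mk for binding the tag

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk        # (pk, sk)

def sym(pk):                        # Sym: pk -> (omega, K)
    r = secrets.randbelow(P - 2) + 1
    K, mk = kdf(pow(pk, r, P))
    return (mk, pow(G, r, P)), K

def encap(omega, tag):              # Encap: (omega, tag) -> C
    mk, c_kem = omega
    return c_kem, hmac.new(mk, tag, hashlib.sha256).digest()

def decap(sk, C, tag):              # Decap: (sk, C, tag) -> K, or None on mismatch
    c_kem, sigma = C
    K, mk = kdf(pow(c_kem, sk, P))
    expected = hmac.new(mk, tag, hashlib.sha256).digest()
    return K if hmac.compare_digest(sigma, expected) else None

def stream_xor(K, data):            # one-time stream cipher, used as ENC and DEC
    pad = hashlib.shake_256(K).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def encrypt(pk, m):
    omega, K = sym(pk)
    C2 = stream_xor(K, m)           # encrypt m first ...
    return encap(omega, C2), C2     # ... then encapsulate with C2 as the tag

def decrypt(sk, C1, C2):
    K = decap(sk, C1, C2)           # C2 is the tag that allows recovery of K
    return None if K is None else stream_xor(K, C2)

if __name__ == "__main__":
    pk, sk = keygen()
    C1, C2 = encrypt(pk, b"constructed sample message")
    print(decrypt(sk, C1, C2))                           # original message
    print(decrypt(sk, C1, bytes([C2[0] ^ 1]) + C2[1:]))  # tampered C2 is rejected
```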

Signcryption Tag-KEMs
[Diagram: the Tag-KEM hybrid encryption construction again: Sym, Encap and ENC, labelled pk, tag, ω, K, C1, C2 and m.]

Signcryption Tag-KEMs
[Diagram: the same construction with skS and pkR as the key inputs: Sym, Encap and ENC, labelled ω, tag, K, C1, C2 and m.]
• Confidentiality is proven in the same way as for public-key encryption: it must be infeasible to gain any information about a symmetric key from its encapsulation.
• To get integrity protection we must insist that it is infeasible to produce a pair (tag, C1) where C1 decapsulates properly to give a key K with the given tag. In other words, C1 acts as a strongly secure signature on tag.

Signcryption Tag-KEMs
• Many existing signcryption schemes can be thought of as using SCTKs implicitly.
• We show Zheng’s scheme can be proven secure as a signcryption Tag-KEM.
• The security reduction for confidentiality is:
• In the KEM case, this was:

Signcryption Tag-KEMs
• We also propose a new signcryption scheme based on the Chevallier-Mames signature scheme (2005).
• This has the tightest security bounds of any signcryption scheme we could find:
  • Tight reduction to GDH for confidentiality
  • Tight reduction to CDH for integrity
• Reasonably efficient.

Open Problems
• Non-repudiation presents an interesting challenge. Does the existence of the symmetric key K help with non-repudiation?
• Signcryption Tag-KEMs are very similar to signature schemes. Can we find a method for turning a general signature scheme into a signcryption scheme? How about a Fiat-Shamir signature scheme?

Conclusions
• We presented a new paradigm for constructing signcryption schemes, which
  • Has all the advantages associated with hybrid encryption,
  • Does not have the disadvantages of previous attempts to produce hybrid signcryption paradigms.
• We presented two schemes in this model, including a completely new scheme with the best known security bounds of any signcryption scheme.
• We also discuss (in the paper) the use of SCTKs as a key agreement mechanism.