Building Better Signcryption Schemes with Tag-KEMs
Tor E. Bjørstad (University of Bergen, Norway) and Alexander W. Dent (Royal Holloway, University of London, U.K.)

Signcryption
- Introduced by Zheng in 1997.
- Combines the advantages of public-key encryption and digital signatures:
  - Confidentiality
  - Integrity/Origin authentication
  - Non-repudiation?
- A relatively new type of primitive.
- Two competing security models.

Signcryption
- Common Parameter Generation
- Sender Key Generation (pk_S, sk_S)
- Signcryption of message m using pk_R and sk_S
- Receiver Key Generation (pk_R, sk_R)
- Unsigncryption of signcryption C using pk_S and sk_R

Signcryption
- An, Dodis and Rabin (2002) security model.
- Two user model.
- Outsider security
  - Security against attacks made by third parties, i.e. anyone who isn’t the sender or the receiver.
- Insider security
  - Full security, prevents attacks against the integrity of the scheme made by the receiver.
- Baek, Steinfeld and Zheng (2002) model.

Signcryption
- Confidentiality. No third party should be able to learn any information about the message from the signcryption.
  - IND security against attacker with encryption and decryption oracles.
- Integrity. No party should be able to forge ciphertexts that purport to be from the sender.
  - Existential unforgeability against attacker with the private key of the receiver and an encryption oracle.

Hybrid Signcryption
- Adapts a well-known technique in public-key encryption schemes.
- Involves using symmetric algorithms as subroutines in public-key schemes.
- Typically involves randomly generating a symmetric key and an asymmetric encryption of that key.
- Formalised for an encryption scheme by Cramer and Shoup (1998).

Hybrid Signcryption
- Elegant solution for hybrid signcryption with outsider security proposed in ISC 2005.
- Messy but workable solution for hybrid signcryption with insider security proposed in ACISP 2005.
  - Poor security reduction involving multiple terms
  - Confidentiality relies on the KEM being unforgeable.
- We propose an elegant new solution using the Tag-KEM ideas of Abe et al. (2005).

Tag-KEMs
- A public/private key generation algorithm.
- A symmetric key generation algorithm.
- An encapsulation algorithm.
- A decapsulation algorithm.
[Diagram: Sym (input pk; outputs K, ω), Encap (inputs ω, tag; output C), Decap (inputs sk, C, tag; output K)]

Tag-KEMs
- Combine with a (passively secure) symmetric encryption scheme to give a (strongly secure) asymmetric encryption scheme.
[Diagram: Sym (input pk; outputs K, ω), ENC (inputs K, m; output C_2), Encap (inputs ω, tag = C_2; output C_1)]

Tag-KEMs
- Decryption works in the obvious way.
- Note that C_2 is acting both as the tag that allows the recovery of K and as the encryption of m.
[Diagram: Decap (inputs sk, C_1, tag = C_2; output K), DEC (inputs K, C_2; output m)]

Signcryption Tag-KEMs
[Diagram: Sym (input pk; outputs K, ω), ENC (inputs K, m; output C_2), Encap (inputs ω, tag = C_2; output C_1)]

Signcryption Tag-KEMs
[Diagram: Sym (inputs sk_S, pk_R; outputs K, ω), ENC (inputs K, m; output C_2), Encap (inputs ω, tag = C_2; output C_1)]
- Confidentiality proven in the same way as for public-key encryption: it must be infeasible to gain any information about a symmetric key from its encapsulation.
- To get integrity protection we must insist that it is infeasible to produce a pair (tag, C_1) where C_1 decapsulates properly to give a key K with the given tag – in other words C_1 acts as a strongly secure signature on tag.

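The Sym/Encap/Decap flow from these slides, with C_2 used as the tag, as an added sketch that is not code from the slides or the paper. It is modeled on Zheng's signcryption scheme; the toy group parameters, the hash input encoding, the XOR-keystream DEM and all function names are assumptions of this example.

```python
import hashlib, hmac, secrets

# Toy Schnorr group (constructed, far too small for real use): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def H(label, *parts):
    """Domain-separated SHA-256 over length-prefixed inputs (encoding assumed)."""
    h = hashlib.sha256(label)
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def sym(sk_s, pk_r):
    """Sym: output symmetric key K and internal state omega."""
    n = secrets.randbelow(Q - 1) + 1
    kappa = pow(pk_r, n, P)
    return H(b"key", kappa), (sk_s, pk_r, n, kappa)

def encap(omega, tag):
    """Encap: C1 = (r, s) binds the state to the tag, Zheng-style."""
    sk_s, pk_r, n, kappa = omega
    r = H(b"tag", tag, pow(G, sk_s, P), pk_r, kappa)
    d = (int.from_bytes(r, "big") + sk_s) % Q
    return None if d == 0 else (r, n * pow(d, -1, Q) % Q)  # None: not invertible

def decap(pk_s, sk_r, c1, tag):
    """Decap: recover kappa, then release K only if r matches this exact tag."""
    r, s = c1
    base = pk_s * pow(G, int.from_bytes(r, "big") % Q, P) % P
    kappa = pow(base, s * sk_r % Q, P)
    ok = hmac.compare_digest(r, H(b"tag", tag, pk_s, pow(G, sk_r, P), kappa))
    return H(b"key", kappa) if ok else None

def dem(key, data):
    """Passively secure DEM: XOR with a SHAKE-256 keystream (ENC and DEC)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def signcrypt(sk_s, pk_r, m):
    while True:  # retry with a fresh Sym in the rare non-invertible case
        K, omega = sym(sk_s, pk_r)
        c2 = dem(K, m)            # C2 = ENC_K(m)
        c1 = encap(omega, c2)     # C2 doubles as the tag
        if c1:
            return c1, c2

def unsigncrypt(pk_s, sk_r, c1, c2):
    K = decap(pk_s, sk_r, c1, c2)
    return None if K is None else dem(K, c2)
```

Because Decap checks r against the received C_2 before releasing K, any change to the symmetric ciphertext or a wrong sender key is rejected without the DEM providing integrity itself.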
Signcryption Tag-KEMs
- Many existing signcryption schemes can be thought of as using SCTKs implicitly.
- We show Zheng’s scheme can be proven secure as a signcryption Tag-KEM.
  - The security reduction for confidentiality is:
  - In the KEM case, this was:

Signcryption Tag-KEMs
- We also propose a new signcryption scheme based on the Chevallier-Mames signature scheme (2005).
- This has the tightest security bounds of any signcryption scheme we could find:
  - Tight reduction to GDH for confidentiality
  - Tight reduction to CDH for integrity
- Reasonably efficient.

Open Problems
- Non-repudiation presents an interesting challenge. Does the existence of the symmetric key K help with non-repudiation?
- Signcryption Tag-KEMs are very similar to signature schemes. Can we find a method for turning a general signature scheme into a signcryption scheme? How about a Fiat-Shamir signature scheme?

Conclusions
- We presented a new paradigm for constructing signcryption schemes, which
  - Has all the advantages associated with hybrid encryption,
  - Does not have the disadvantages of previous attempts to produce hybrid signcryption paradigms.
- We presented two schemes in this model, including a completely new scheme with the best known security bounds of any signcryption scheme.
- We also discuss (in the paper) the use of SCTKs as a key agreement mechanism.