An Efficient Signcryption Scheme with Key Privacy

1
An Efficient Signcryption Scheme with Key Privacy

• Speaker Travis Chung Ki Li
• MPhil Student in CS Department
• City University of Hong Kong
• Joint work with Duncan Wong, Guomin Yang,
• Xiaotie Deng, Sherman S.M. Chow

2
Trigger

• In IPL 2006 Tan pointed out the signcryption
  scheme proposed by Yang, Wong and Deng (ISC 2005)
  was flawed
• Cannot provide confidentiality and anonymity as
  claimed

3
Trigger

• Tan did not suggest any solutions to fix the
  problems
• If there exists any anonymous signcryption scheme
  secure under Tans attack?
• Still not known if the YWD scheme can be improved
  to a secure one

4
Agenda

• Introduction
• Yang Wong Deng Scheme
• Tans Attack
• Our Construction
• Security Analysis

5
Introduction

• Signcryption was introduced by Zheng in 1997
• Combines signature and encryption
• Less computational complexity and lower
  communication cost
• Suitable for many application using resource
  limited devices

6
Introduction

• Baek et al. first defined a set of security
  notions for Signcryption (2002)
• The notions are similar to traditional
  Indistinguishable against Chosen Ciphertext
  Attacks (IND-CCA2) Existential Unforgeable
  against Chosen Message Attacks (EUF-CMA)

J. Beak, R. Steinfeld, and Y. Zheng. Formal
proofs for the security of signcryption. In
PKC02, pages 8098. Springer-Verlag, 2002. LNCS
2274.
7
Introduction

• An et al. introduced a notion called Insider
  Security (2002)
• An adversary can access not only the public keys
  of both sender and receiver
• But also the private key of sender

J. H. An, Y. Dodis, and T. Rabin. On the security
of joint signature and encryption. In Proc.
EUROCRYPT 2002, pages 83107. Springer-Verlag,
2002. LNCS 2332.
8
Introduction

• Boyen proposed a new set of signcryption security
  model under identity based cryptographic setting
  (2003)
• One of the them is called Ciphertext Anonymity

X. Boyen. Multipurpose identity-based
signcryption A swiss army knife for
identity-based cryptography. In Proc. CRYPTO
2003, pages 383399. Springer-Verlag, 2003. LNCS
2729.
9
Ciphertext Anonymity

• An extension of Key Privacy, which introduced
  by Bellare et al. (2001)
• Ciphertext should hide the identity of both
  sender and receiver

M. Bellare, A. Boldyreva, A. Desai, and D.
Pointcheval. Key-privacy in public-key
encryption. In Proc. ASIACRYPT 2001, pages
566582. Springer-Verlag, 2001. LNCS 2248.
10
Ciphertext Anonymity

• Libert and Quisquater, proposed a signcryption
  scheme (2004)
• Claimed to be insider secure under IND-CCA2,
  EUF-CMA and Ciphertext Anonymity

B. Libert and J.-J. Quisquater. Efficient
signcryption with key privacy from gap
Diffie-Hellman groups. In PKC04, pages 187200.
Springer-Verlag, 2004. LNCS 2947.
11
Libert-Quisquater Scheme

• Tan and Yang et al. independently showed that
  Libert and Quisquater scheme is flawed.
• Yang et al. also gave a modification (YWD
  scheme), which supports parallel processing

C. H. Tan. On the security of signcryption scheme
with key privacy. IEICE Trans. Fundam. Electron.
Commun. Comput. Sci., E88-A(4)10931095, 2005.
G. Yang, D. S. Wong, and X. Deng. Analysis and
improvement of a signcryption scheme with key
privacy. In 8th Information Security Conference
(ISC05), pages 218232, 2005. LNCS 3650.
12
YWD Scheme

• Recently, Tan showed that YWD scheme is not
  IND-CCA2 secure and does not satisfy Ciphertext
  Anonymity (2006)
• However, no improvement has been proposed

C. H. Tan. Analysis of improved signcryption
scheme with key privacy. Information Processing
Letters, 99(4)pp. 135138, August 2006.
13
Our Result

• We propose a modification of YWD scheme
• Solve the security issues with improved
  efficiency
• Reduce the number of operations and prove the
  scheme with more precise reduction bound

14
Security Model for Signcryption

• Confidentiality (SC-IND-CCA)
• Unforgebility (SC-EUF-CMA)
• Ciphertext Anonymity (SC-ANON-CCA)

15
Security Model with Key Privacy

• The Challenger C (skR,0, pkR,0) (skR,1,
  pkR,1) and gives pkR,0, pkR,1 to Distinguisher D
• D adaptively queries to Signcrypt(m, skR,c, pkR)
  and Designcrypt(d, skR,c), where pkR?pkR,c, for c
  0 or 1
• D outputs two valid and distinct private keys
  skS,0 , sk S,1 and a plaintext m
• C randomly chooses b, b in 0,1 and sends a
  challenge ciphertext d Signcrypt(m, skS,b
  pkR,b) to D

16
Security Model with Key Privacy

• D makes queries as step 2 except designcrypting
  the challenge ciphertextd
• D outputs two bits (d, d) and wins the game if
  (d, d) (b, b)
• Advanon-cca(D) Pr(d, d) (b, b) 1/4

17
YWD Scheme
18
YWD Scheme
19
Tans attack against adaptive chosen ciphertext
attack

• Adversary A determines which plaintext (m0,m1) is
  encrypted in challenge ciphertext C (U, W,
  Z)
• A guess m0 is encrypted
• Under the insider security notion
• Reuse the randomness in U
• Form a new C (U, W, Z)
• Recover m from C with the help of
  designcryption oracle

20
Tans attack against adaptive chosen ciphertext
attack
YS xSP V xSH1(m0, U, YR) V xSH1(m,
U, YR) W (V ? V) ? W Z ((m ? m0)
(YS ? YS)) ? Z C (U, W, Z)
C(U,W,Z)
Designcryption Oracle
m YS Z ? H3(U, YR, xRU)
If m m, m0 is used, else m1 is used
21
Tans attack against Ciphertext Anonymity

• D distinguishes which private key (xS,0,xS,1) and
  public key (YR,0,YR,1) are used in the challenge
  ciphertext C (U, W, Z)
• D prepares a message m and xS in Zq
• Calculates Ci,j (U, Wi,j, Zi) similar to
  CCA2 attack
• Submit Ci,j to designcryption oracle
• If the designcrypted message mi,j m then D
  can make the correct guess

22
Weakness of YWD Scheme

• Since H1 does not involve any secret value
• The component V can be easily reconstructed under
  insider security notion
• Attack through malleability of W and Z

23
Our Construction
24
Our Construction
25
Security Analysis

• Let k be a security parameter
• Under random oracle model
• If a PPT algorithm which can break the SC-IND-CCA
  / SC-EUF-CMA / SC-ANON-CCA security with
  advantage at least ?(k)
• There exists a PPT algorithm which can solve the
  Gap Diffie-Hellman problem with non-negligible
  probability

26
Gap Diffie-Hellman Problem

• Decisional Diffie-Hellman problem
• Distinguish the distribution between
  ltP,aP,bP,abPgt ltP,aP,bP,cPgt
• Computational Diffie-Hellman problem
• Compute abP from ltP,aP,bPgt
• Gap Diffie-Hellman problem
• Solve a CDH problem with DDH oracle
• e(P,cP) e(aP,bP) cP abP

27
Proof Sketch

• Prove by contradiction
• There exist an adversary A who wins the
  SC-IND-CCA / SC-EUF-CMA / SC-ANON-CCA game with
  non-negligible advantage
• With the help of a DDH solver
• Construct an algorithm B by running A to solve
  CDH problem in G1

28
Conclusion

• Provide a solution to Tans attack
• A signcryption scheme proven secure in
  confidentiality, unforgeability, ciphertext
  anonymity
• Under the assumption of GDH problem in random
  oracle model
• Efficient and requires even less operations than
  YWD scheme

29
Thank you!