Post on 16-Jan-2016
pbudhath@fau.edu
Signcryption
Parshuram Budhathoki
Department of Mathematical Sciences
Florida Atlantic University
April 18, 2013
4/18/13
Motivation:
Confidentiality : Keeping information secret from all other than those who are authorized to see it.
Integrity : Ensuring that the information has not been altered by unauthorized entities.
Authentication : The assurance that the communicating party is the one that it claims to be.
Nonrepudiation : Preventing the denial of previous commitments or actions.
Motivation:
Confidential and Authenticate
Traditional Method “Signature-Then-Seal”
Motivation:
How do we get these things in modern cryptography ?
Confidentiality : Encryption Scheme
Integrity : Signature Scheme
Authentication : Signature Scheme
Nonrepudiation : Signature Scheme
Motivation: How do we get these things in modern cryptography ?
Signature Scheme
• RSA
• Schnorr
• DSS
• Others …
Motivation: How do we get these things in modern cryptography ?
Encryption Scheme
• RSA
• ElGamal
• Others …
Motivation:
Is it possible to deliver messages of varying length in a secure and authenticated way with an expense less than that required by “Signature-Then-Encryption” ?
In 1997 Yuliang Zheng proposed a separate primitive called Signcryption.
Outline :
• Why Signcryption ?
• Signcryption
• Shortening ElGamal-Based Signatures.
• Secure Signcryption Scheme.
• Signcryption Scheme by Y. Zheng.
Why Signcryption ?
Cost of Signcryption < Cost of Signature + Cost of Encryption
1. Computational cost
2. Communication overhead
Why Signcryption ?
1. Computational cost
We estimate computational cost by counting the number of operations involved :
• Private key encryption and decryption
• Hashing
• Addition
• Multiplication
• Division
• Exponentiation
Why Signcryption ?
2. Communication overhead
In addition to computational cost, digital signature and encryption based on public key cryptography also require extra bits to be appended to a message. We call these extra redundant bits the communication overhead involved.
Signcryption
Gen : Security Parameter → key-pair ( Public, Private )
SC : ( Private key_sender , Message, RID ) → C = SC_Private Key ( Message, RID )
DSC : ( Private key_receiver , C , SID ) → DSC_Private Key ( C, SID )
Shortening ElGamal-Based Signatures:
Let p be a large prime, q a large prime factor of p-1, and g an integer from {1, …, p-1}.
Let h: {1, ..., p-1} x {0,1}* → {1, ..., p-1} be a hash function.
• Key Generation: Choose x randomly from {1, …, p-1}
  Public key = g^x
  Private key = x
• Sign : Choose y randomly from {1, …, p-1}
  r = h( g^y mod p, M )
  s = y / ( r + x ) mod p , where M = message
  Signature = < r, s >
• Verify : Compute k = ( g^x ∙ g^r )^s mod p
  Accept if r = h( k, M )
Secure Scheme:
Secure Signature Scheme :
Unforgeable under adaptively chosen message attack.
Secure Encryption Scheme :
Indistinguishable against adaptively chosen ciphertext attack.
Secure Signcryption Scheme:
Unforgeable : It is computationally infeasible for an adaptive attacker to create a signcrypted text.
Non-repudiation : It is computationally feasible for a third party to settle a dispute between signer and receiver where signer denies the fact that he/she is the originator of a signcrypted text.
Confidential : It is computationally infeasible for an adaptive attacker to gain any partial information on the contents of a signcrypted text.
YZ- Signcryption Scheme:
p : a large prime ( public )
q : a large prime factor of p-1 ( public )
g : a ( random ) integer in [1, ..., p-1] with order q mod p ( public )
h : a one-way hash function ( public )
Gen : Using this algorithm, the sender and receiver choose their key-pairs. Let x and y from [1, ..., q-1] be the sender’s and receiver’s private keys, and let S = g^x and R = g^y be their respective public keys.
YZ- Signcryption Scheme:
S : Sender’s public key
R : Receiver’s public key
SC : Pick r randomly from [1, ..., q-1]
 1. Compute k = R^r mod p. Split k into k1 and k2 of appropriate length.
 2. n = h(M, k2 ), where M = message
 3. s = r / ( n + x ) mod q
 4. c = E_k1 ( M ) , where E := Encryption in AES
 Signcrypted text = < c, n, s >
YZ- Signcryption Scheme:
DSC : Recover k from n, s, g, p, S and R:
 1. k = ( S ∙ g^n )^( s ∙ y ) mod p
 2. Split k into k1 and k2
 3. M = D_k1 ( c ) , where D := Decryption in AES
 4. Accept M as a valid message if h(M, k2) = n
NOTE : D_k1 ( E_k1 (M)) = M
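Added example, not part of the original slides: the Gen, SC and DSC steps above as runnable Python, including rejection of a modified signcrypted text. The toy parameters (p = 2039, q = 1019, g = 4), the SHA-256 split of k, HMAC-SHA256 as h, and the XOR keystream standing in for AES are assumptions made here so that it runs with the standard library only.

```python
import hashlib, hmac, secrets

# Constructed toy parameters (far too small for real use):
# q divides p-1 and g = 4 has order q mod p.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1            # private key in [1, q-1]
    return x, pow(G, x, P)                      # (private, public = g^x mod p)

def split_key(k):
    # Assumption: k1 (cipher key) and k2 (hash key) are the halves of SHA-256(k).
    d = hashlib.sha256(k.to_bytes((P.bit_length() + 7) // 8, "big")).digest()
    return d[:16], d[16:]

def h(msg, k2):
    # Keyed one-way hash h(M, k2), returned as an integer (assumption: HMAC-SHA256).
    return int.from_bytes(hmac.new(k2, msg, hashlib.sha256).digest(), "big")

def stream_xor(k1, data):
    # Stand-in for the slides' AES E_k1 / D_k1: XOR with a SHA-256 counter keystream.
    ks = b"".join(hashlib.sha256(k1 + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def signcrypt(msg, x, R):
    while True:
        r = secrets.randbelow(Q - 1) + 1        # r in [1, q-1]
        k1, k2 = split_key(pow(R, r, P))        # step 1: k = R^r mod p
        n = h(msg, k2)                          # step 2: n = h(M, k2)
        if (n + x) % Q:                         # n + x must be invertible mod q
            break
    s = r * pow(n + x, -1, Q) % Q               # step 3: s = r / (n + x) mod q
    return stream_xor(k1, msg), n, s            # step 4: <c, n, s>

def unsigncrypt(c, n, s, y, S):
    if not 0 < s < Q:                           # reject out-of-range s
        return None
    k = pow(S * pow(G, n, P) % P, s * y, P)     # k = (S * g^n)^(s*y) mod p
    k1, k2 = split_key(k)
    msg = stream_xor(k1, c)                     # M = D_k1(c)
    return msg if h(msg, k2) == n else None     # accept only if h(M, k2) = n

if __name__ == "__main__":
    x, S = keygen()                             # sender
    y, R = keygen()                             # receiver
    c, n, s = signcrypt(b"constructed sample message", x, R)
    print(unsigncrypt(c, n, s, y, S))
```

The receiver recovers the same k because (S ∙ g^n)^(s ∙ y) = g^((x + n) ∙ s ∙ y) = g^(r ∙ y) = R^r mod p.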
Cost of Signcryption vs. Cost of Sign-Then-Encryption

Security parameters      Saving in      Saving in
|p|, |q|, |h( . )|       comp. cost     comm. overhead
768, 152, 80             50%            76.8%
1024, 160, 80            50%            81.01%
2048, 192, 96            50%            87.7%
4096, 256, 128           50%            91.0%
8192, 320, 160           50%            94.0%
10240, 320, 160          50%            96.0%
Question ?
Thank You !!!