Committing Encryption and Publicly-Verifiable SignCryption

Provable Security, 2010

Generic constructions of designated confirmer signatures follow one of the following two strategies; either produce a digital signature on the message to be signed, then encrypt the resulting signature, or produce a commitment on the message, encrypt the string used to generate the commitment and finally sign the latter. We study the second strategy by determining the exact security property needed in the encryption to achieve secure constructions. This study infers the exclusion of a useful type of encryption from the design due to an intrinsic weakness in the paradigm. Next, we propose a simple method to remediate to this weakness and we get efficient constructions which can be used with any digital signature.

Advances in Cryptology – CRYPTO 2020, 2020

In a recent work, Garg, Hajiabadi, Mahmoody, and Rahimi [GHMR18] introduced a new encryption framework, which they referred to as Registration-Based Encryption (RBE). The central motivation behind RBE was to provide a novel methodology for solving the well-known key-escrow problem in Identity-Based Encryption (IBE) systems [Sha85]. Informally, in an RBE system there is no private-key generator unlike IBE systems, but instead it is replaced with a public key accumulator. Every user in an RBE system samples its own public-secret key pair, and sends the public key to the accumulator for registration. The key accumulator has no secret state, and is only responsible for compressing all the registered user identity-key pairs into a short public commitment. Here the encryptor only requires the compressed parameters along with the target identity, whereas a decryptor requires supplementary key material along with the secret key associated with the registered public key. The initial construction in [GHMR18] based on standard assumptions only provided weak efficiency properties. In a follow-up work by Garg, Hajiabadi, Mahmoody, Rahimi, and Sekar [GHM + 19], they gave an efficient RBE construction from standard assumptions. However, both these works considered the key accumulator to be honest which might be too strong an assumption in real-world scenarios. In this work, we initiate a formal study of RBE systems with malicious key accumulators. To that end, we introduce a strengthening of the RBE framework which we call Verifiable RBE (VRBE). A VRBE system additionally gives the users an extra capability to obtain short proofs from the key accumulator proving correct (and unique) registration for every registered user as well as proving non-registration for any yet unregistered identity. We construct VRBE systems which provide succinct proofs of registration and non-registration from standard assumptions (such as CDH, Factoring, LWE). Our proof systems also naturally allow a much more efficient audit process which can be perfomed by any non-participating third party as well. A by-product of our approach is that we provide a more efficient RBE construction than that provided in the prior work of Garg et al. [GHM + 19]. And, lastly we initiate a study on extension of VRBE to a wider range of access and trust structures.

Progress in Cryptology …, 2010

Public-key encryption schemes with non-interactive opening (PKENO) allow a receiver to non-interactively convince third parties that a ciphertext decrypts to a given plaintext or, alternatively, that such a ciphertext is invalid. Two practical generic constructions for PKENO have been proposed so far, starting from either identity-based encryption or public-key encryption with witness-recovering decryption (PKEWR). We show that the known transformation from PKEWR to PKENO fails to provide chosen-ciphertext security; only the transformation from identity-based encryption remains thus valid. Next, we prove that PKENO can alternatively be built out of robust non-interactive threshold public-key cryptosystems, a primitive that differs from identitybased encryption. Using the new transformation, we construct two efficient PKENO schemes: one based on the Decisional Diffie-Hellman assumption (in the Random-Oracle Model) and one based on the Decisional Linear assumption (in the standard model). Last but not least, we propose new applications of PKENO in protocol design. Motivated by these applications, we reconsider proof soundness for PKENO and put forward new definitions that are stronger than those considered so far. We give a taxonomy of all definitions and demonstrate them to be satisfiable.

Journal of Cryptology, 2007

Signcryption is an asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a low computational and communication overhead. In this paper we propose realistic security models for signcryption, which give the attacker power to choose both messages/signcryptexts as well as recipient/sender public keys when accessing the signcryption/unsigncryption oracles of attacked entities. We then show that Zheng's original signcryption scheme is secure in our confidentiality model relative to the Gap Diffie-Hellman problem and is secure in our unforgeability model relative to a Gap version of the discrete logarithm problem. All these results are shown in the random oracle model.

International Journal of Network Security & Its Applications, 2012

Signcryption is a cryptographic primitive which performs encryption and signature in a single logical step with the cost lower than signature-then-encryption approach. Recently, Li et al. [35] proposed the first provable secure identity based signcryption without random oracles. In their scheme sender signs the ciphertext. However, in [11] Boyen showed that non-repudiation is easily achieved if the sender sign the plaintext rather than ciphertext. In this paper we proposed an identity based signcryption scheme without random oracles, which provides the non-repudiation with respect to plaintext. We also proposed an identity based public verifiable signcryption scheme with third party verification in the standard model.

2010

Signcryption as a cryptographic primitive that offers both confidentiality and authentication simultaneously. Generally, in signcryption schemes, the message is hidden and thus the validity of the signcryption can be verified only after the unsigncryption process. Thus, a third party will not be able to verify whether the signcryption is valid or not. Signcryption schemes that allow any one to verify the validity of signcryption without the knowledge of the message are called public verifiable signcryption schemes. Third party verifiable signcryption schemes allow the receiver of a signcryption, to convince a third party that the signcryption is valid, by providing some additional information along with the signcryption. This information can be anything other than the receiver’s private key and the verification may or may not require the exposure of the corresponding message. This paper shows the security weaknesses in two such existing schemes namely [14] and [4]. The scheme in [14] is Public Key Infrastructure (PKI) based scheme and the scheme in [4] is an identity based scheme. More specifically, [14] is based on elliptic curve digital signature algorithm (ECDSA). We also, provide a new identity based signcryption scheme that provides both public verifiability and third party verification. We formally prove the security of the newly proposed scheme in the random oracle model.

Lecture Notes in Computer Science, 2003

At Crypto'99, Fujisaki and Okamoto [8] presented a nice generic transformation from weak asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model. Two specific candidates for standardization were designed from this transformation: PSEC-2 [14] and EPOC-2 [7], based on El Gamal and Okamoto-Uchiyama primitives, respectively. Since then, several cryptanalysis of EPOC have been published, one in the Chosen Ciphertext Attack game, and others making use of a poor implementation that is vulnerable to reject timing attacks. The aim of this work is to prevent such attacks from generic transformation by identifying the properties that an asymmetric scheme must have in order to obtain a secure hybrid scheme. To achieve this, some ambiguities in the proof of the generic transformation [8] which could lead to false claims are described. As a result, the original conversion is modified and the class of asymmetric primitives that can be used is shortened. Secondly, the concept of Easy Verifiable Primitive is formalized, showing its connection with Gap problems. Using these ideas, a new security proof for the modified transformation is given. The good news is that the reduction is tight, improving the concrete security claimed in the original work for the Easy Verifiable Primitives. For the rest of primitives, the concrete security is improved at the cost of stronger assumptions. Finally, the new conversion's resistance to reject timing attacks is addressed.

J. Inf. Hiding Multim. Signal Process., 2012

Signcryption scheme can efficiently perform encryption and signing procedures in a single step to obtain message confidentiality and non-reputation properties. As compared to the traditional public key system, identity (ID)-based public key system (IDPKS) can simplify the management of required certificates. However, how to revoke these compromised or misbehaving identities in the IDPKS becomes a critical problem. Recently, Tseng and Tsai proposed a novel construction in the IDPKS with revocation mechanism called revocable ID-based public key system (R-IDPKS). In this paper, we follow their R-IDPKS to propose an important cryptographic primitive ”signcryption”. Security analysis is made to demonstrate that the proposed scheme is provably secure and provides confidentiality and unforgeability.

Certificateless cryptography introduced by Al-Riyami and Paterson eliminates the key escrow problem inherent in identity based cryptosystems. Even though building practical identity based signcryption schemes without bilinear pairing are considered to be almost impossible, it will be interesting to explore possibilities of constructing such systems in other settings like certificateless cryptography. Often for practical systems, bilinear pairings are considered to induce computational overhead. Signcryption is a powerful primitive that offers both confidentiality and authenticity to noteworthy messages. Though some prior attempts were made for designing certificateless signcryption schemes, almost all the known ones have security weaknesses. Specifically, in this paper we demonstrate the security weakness of the schemes in [4], [2] and [14]. We also present the first provably secure certificateless signcryption scheme without bilinear pairing and prove it in the random oracle model.

International Journal of Computer Applications, 2017

This paper introduces a new scheme " A Public Verifiability Signcryption Scheme Without Pairings " , based on elliptic curve discrete logarithm problem (ECDLP) and in addition to achieve the functionality of the Signcryption schemes, unforgeability, confidentiality and nonrepudiation, it achieves forward security and public verifiability directly. Also, it uses a strong encryption key depends on random choose value and the sender's private key, although the proposed scheme is slower than the Zheng's signcryption scheme, it achieves saving in communication overhead reach to 50% with respect to the traditional approach signature then encryption. The proposed scheme has been verified using the Mathematica program.