
How to Achieve
Cost(signature & encryption) << Cost(signature) + Cost(encryption)

Yuliang Zheng
Calyptix Security Corporation, and UNC Charlotte
www.signcryption.net
(C) 1997+ Yuliang Zheng 1

Applications of Signcryption

- Bring to society huge savings in comp. & comm. if used widely in
  - secure & authenticated message delivery / storage
  - electronic commerce
    - secure & authenticated transactions !!!
  - secure & authenticated multicast (incl. video conference, CSCW etc)
  - fast, compact, secure, unforgeable & non-repudiated key transport
  - ……

(C) 1997+ Yuliang Zheng 2

Goals

- To provide with
  - both confidentiality,
  - and authenticity
    - unforgeability &
    - non-repudiation
- but in an efficient way !

(C) 1997+ Yuliang Zheng 3

To hit 2 birds
using 1 boomerang !

(C) 1997+ Yuliang Zheng 4

Outline

- problems with sign-then-encrypt
- signcryption -- a new paradigm
- cost-savings of signcryption over sign-then-encrypt
- properties of signcryption
  - confidentiality, unforgeability and non-repudiation
- signcryption for multiple recipients
- applications
(C) 1997+ Yuliang Zheng 5

In the paper & ink world: Signature-then-Seal

- To achieve: authenticity (unforgeability & non-repudiation)
- To achieve: confidentiality
(C) 1997+ Yuliang Zheng 6

signature-then-encryption

(C) 1997+ Yuliang Zheng 7

In the digital world (Alice to Bob): Signature-then-Encryption

- 1. Signature generation
  - Alice signs a message m using her secret key, i.e. creating sig on m.
- 2. Encryption
  - Alice encrypts (m,sig) using DES with k.
  - Alice creates additional data so that Bob can recover k. (Typically, Alice encrypts k using Bob’s public key).

[Figure: m, then (m, sig), then (m, sig) together with k; each of the two steps is labelled "mod exp"]

(C) 1997+ Yuliang Zheng 8

Signature-then-Encryption (based on RSA)

EXP=2+2

[Figure: message layout. m and sig: encrypted using a private key cipher with k. k: encrypted with the receiver’s public key eb. A bracket marks the comm. overhead.]
(C) 1997+ Yuliang Zheng 9

Signature-then-Encryption (based on Discrete Logarithm or DL)

EXP=3+2.17

[Figure: message layout. m and sig: encrypted using a private key cipher with k. g^x: used by the receiver to reconstruct k. A bracket marks the comm. overhead.]
(C) 1997+ Yuliang Zheng 10

Cost of Signature-then-Encryption

Schemes                               Comp. cost (no. of exp)   Comm. overhead (bits)
RSA based sig-then-enc                2 + 2                     |n_a| + |n_b|
DL based Schnorr sig + ElGamal enc    3 + 2.17 (3 + 3)          |hash| + |q| + |p|

where hash is a 1-way hash function.


(C) 1997+ Yuliang Zheng 11

Why signature-then-encryption can be a problem

- Consider a transaction/message of 5,120 bits (=640 chars, ≈ 8 lines) that requires
  - high level security, or
  - to be transmitted in 2010
- Very large moduli, say of 5120 bits, have to be used

(C) 1997+ Yuliang Zheng 12

Why signature-then-encryption can be a problem (cnt’d)

- If RSA with a 5120-bit composite is used
  - Comp. cost: 2+2=4 exponentiations mod a (very large !) 5120-bit integer
  - Comm. overhead: 10,240 bits (twice as large as the original message !)

[Figure: message (5,120 bits), followed by sig (5,120 bits) and k encrypted under eb (5,120 bits); the last two together are 10,240 bits]
(C) 1997+ Yuliang Zheng 13

Why signature-then-encryption can be a problem (cnt’d)

- If Schnorr sig & ElGamal enc with a 5120-bit prime are used
  - Comp. cost: 3+2.17=5.17 (3+3=6) exponentiations mod a (very large !) 5120-bit integer
  - Comm. overhead: >= 5,560 bits

[Figure: message (5,120 bits), followed by sig (>= 440 bits) and g^x (5,120 bits); the last two together are >= 5,560 bits]

(C) 1997+ Yuliang Zheng 14

signcryption

(C) 1997+ Yuliang Zheng 15

Signcryption -- a new approach

- Achieves the functions of
  - digital signature
    - unforgeability & non-repudiation
  - encryption
    - confidentiality
- has a significantly smaller comp. & comm. cost

  Cost (signcryption) << Cost (signature) + Cost (encryption)
(C) 1997+ Yuliang Zheng 16

Signcryption -- public & secret parameters

- Public to all
  - p : a large prime
  - q : a large prime factor of p-1
  - g : 0<g<p & with order q mod p
  - hash: 1-way hash
  - KH: key-ed 1-way hash
  - (E,D) : private-key encryption & decryption algorithms
- Alice’s keys
  - $x_a$ : secret key
  - $y_a$ : public key (note : $y_a = g^{x_a} \bmod p$)
- Bob’s keys
  - $x_b$ : secret key
  - $y_b$ : public key (note : $y_b = g^{x_b} \bmod p$)

(C) 1997+ Yuliang Zheng 17

Key-ed 1-way hash: examples

- efficient, but security properties are less understood

  $KH_k(x) \equiv \mathrm{hash}(k, x)$

  where hash is a 1-way hash.

(C) 1997+ Yuliang Zheng 18

Key-ed 1-way hash: examples (cnt’d)

- (slightly) less efficient, but some properties can be proven
  - NMAC:
    - $KH_{k_1,k_2}(x) \equiv F_{k_1}(F_{k_2}(x))$
      where $F_k(x)$ is the same as hash, except that IV used by hash is now replaced by k.
  - HMAC:
    - $KH_k(x) \equiv \mathrm{hash}(k' \oplus opad, \mathrm{hash}(k' \oplus ipad, x))$
      where k’ is a 0-padded version of k, opad=x36…36, ipad=x5c…5c

(C) 1997+ Yuliang Zheng 19

Signcryption -- 1st example

Alice: m -> (c,r,s)        Bob: (c,r,s) -> m

- Signcrypt by Alice
  - $k = \mathrm{hash}(y_b^x \bmod p)$ where $x \in_R \{1, \ldots, q-1\}$
  - split k into $k_1$ and $k_2$
  - $r = KH_{k_2}(m)$
  - $s = \frac{x}{r + x_a} \bmod q$
  - $c = E_{k_1}(m)$
  - output (c,r,s)
- Unsigncrypt by Bob
  - $k = \mathrm{hash}((y_a \cdot g^r)^{s \cdot x_b} \bmod p)$
  - split k into $k_1$ and $k_2$
  - $m = D_{k_1}(c)$
  - output m if $r = KH_{k_2}(m)$, "invalid" if $r \neq KH_{k_2}(m)$

(C) 1997+ Yuliang Zheng 20

Signcryption -- 1st example (focusing on unsigncryption)

Let
  $u = s \cdot x_b \bmod q$,
  $v = r \cdot u \bmod q$.
Then,
  $(y_a \cdot g^r)^{s \cdot x_b} \bmod p = (y_a^{s \cdot x_b} \cdot g^{r \cdot s \cdot x_b}) \bmod p = (y_a^u \cdot g^v) \bmod p$

This can be done in a smart way, costing only 1.17 exponentiations on average !
D. Knuth, Seminumerical Algorithms, Vol. 2 of The Art of Computer Programming, 2nd edition, Addison-Wesley, Exercise 27, Pages 465 & 637.

(C) 1997+ Yuliang Zheng 21
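
Added example (not from the slides): the simultaneous exponentiation commonly known as Shamir's trick computes $y_a^u \cdot g^v$ with one shared chain of squarings, and counting multiplications shows where a figure of about 1.17 exponentiations comes from. The modulus, the function names and the 160-bit exponent size are assumptions of this sketch.

```python
import secrets

P = 2**127 - 1  # arbitrary prime modulus, chosen for this example only

def single_exp(a, e, p):
    """Left-to-right square-and-multiply; returns (a^e mod p, multiplications)."""
    acc, mults = 1, 0
    for i in range(e.bit_length() - 1, -1, -1):
        acc = acc * acc % p
        mults += 1
        if (e >> i) & 1:
            acc = acc * a % p
            mults += 1
    return acc, mults

def simultaneous_exp(a, u, b, v, p):
    """a^u * b^v mod p in one pass over both exponents; returns (value, mults)."""
    table = {(1, 0): a, (0, 1): b, (1, 1): a * b % p}
    acc, mults = 1, 1                      # 1 multiplication to precompute a*b
    for i in range(max(u.bit_length(), v.bit_length()) - 1, -1, -1):
        acc = acc * acc % p                # one shared squaring per bit position
        mults += 1
        bits = ((u >> i) & 1, (v >> i) & 1)
        if bits != (0, 0):                 # 3 of the 4 bit pairs need a multiply
            acc = acc * table[bits] % p
            mults += 1
    return acc, mults

def cost_ratio(trials=200, bits=160):
    """Average cost of y_a^u * g^v relative to one plain exponentiation."""
    single = double = 0
    for _ in range(trials):
        y_a, g = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
        u, v = secrets.randbits(bits), secrets.randbits(bits)
        value, m2 = simultaneous_exp(y_a, u, g, v, P)
        assert value == pow(y_a, u, P) * pow(g, v, P) % P
        single += single_exp(g, v, P)[1]
        double += m2
    return double / single
```

For n-bit exponents the single pass costs about n squarings plus 0.75n multiplications, against 1.5n for one ordinary exponentiation.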

Signcryption -- 2nd example

Alice: m -> (c,r,s)        Bob: (c,r,s) -> m

- Signcrypt by Alice
  - $k = \mathrm{hash}(y_b^x \bmod p)$ where $x \in_R \{1, \ldots, q-1\}$
  - split k into $k_1$ and $k_2$
  - $r = KH_{k_2}(m)$
  - $s = \frac{x}{1 + x_a \cdot r} \bmod q$
  - $c = E_{k_1}(m)$
  - output (c,r,s)
- Unsigncrypt by Bob
  - $k = \mathrm{hash}((g \cdot y_a^r)^{s \cdot x_b} \bmod p)$
  - split k into $k_1$ and $k_2$
  - $m = D_{k_1}(c)$
  - output m if $r = KH_{k_2}(m)$, "invalid" if $r \neq KH_{k_2}(m)$

(C) 1997+ Yuliang Zheng 22

Signcryption -- 3rd example

Alice: m -> (c,r,s)        Bob: (c,r,s) -> m

- Signcrypt by Alice
  - $k = \mathrm{hash}(y_b^x \bmod p)$ where $x \in_R \{1, \ldots, q-1\}$
  - split k into $k_1$ and $k_2$
  - $r = KH_{k_2}(m)$
  - $s = (x - r \cdot x_a) \bmod q$
  - $c = E_{k_1}(m)$
  - output (c,r,s)
- Unsigncrypt by Bob
  - $k = \mathrm{hash}((g^s \cdot y_a^r)^{x_b} \bmod p)$
  - split k into $k_1$ and $k_2$
  - $m = D_{k_1}(c)$
  - output m if $r = KH_{k_2}(m)$, "invalid" if $r \neq KH_{k_2}(m)$

(C) 1997+ Yuliang Zheng 23

Cost of Signcryption

Alice: m -> (c,r,s)        Bob: (c,r,s) -> m

- Comp. cost
  - by Alice : 1 exponentiation modulo p
  - by Bob : 1.17 exponentiations modulo p (using Shamir’s technique)
  - total=2.17 exp mod p
- Comm. overhead
  - |r|+|s| bits
  ( note: |m| = |c| )

(C) 1997+ Yuliang Zheng 24

Comp. & Comm. Cost of Signcryption (based on Discrete Logarithm)

EXP=1+1.17

[Figure: message layout. m: encrypted using a private key cipher with k. sig. A bracket marks the comm. overhead.]

(C) 1997+ Yuliang Zheng 25

“Magic” Signcryption Envelope

(C) 1997+ Yuliang Zheng 26

Necessity of Binding a Recipient’s Name

- Some schemes, s.a. SCS1 and SCS2, may have a problem with “double-payment” : bad & collusive friends

  [Figure: Alice, Bob, Cathy]

- if $x_b$ and $x_c$ are related, say by $x_b = w \cdot x_c \bmod q$
- Why ?
  - If $(c, r, s)$ is from Alice to Bob, then $(c, r, w \cdot s)$ is a valid msg from Alice to Cathy!
(C) 1997+ Yuliang Zheng 27

How to Tie a Recipient’s name to a Signcrypted Text ?

- Simply include data on Bob’s ID, s.a. his public key/certificate, into the computation of r,
- Namely, change r

  from $r = KH_{k_2}(m)$

  to $r = KH_{k_2}(m, y_b, \text{etc})$

(C) 1997+ Yuliang Zheng 28
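
Added example (not from the slides): the scheme of "Signcryption -- 1st example" over a toy group, run for two recipients whose secret keys satisfy $x_b = w \cdot x_c \bmod q$, once with $r = KH_{k_2}(m)$ and once with $r = KH_{k_2}(m, y_b)$. The group parameters, the XOR keystream standing in for (E, D), HMAC-SHA256 truncated to 80 bits as KH, and all function names are assumptions of this sketch.

```python
import hashlib, hmac, secrets

# Toy group constructed for this example: p = 2q + 1, g has order q mod p.
P, Q, G = 2039, 1019, 4

def keygen(x=None):
    x = x or secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def split_key(shared):
    """k = hash(shared), split into k1 (cipher key) and k2 (keyed-hash key)."""
    k = hashlib.sha256(shared.to_bytes(2, "big")).digest()
    return k[:16], k[16:]

def E(k1, data):
    """Stand-in for (E, D): XOR with a SHAKE-256 keystream, so D is the same call."""
    stream = hashlib.shake_256(k1).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def KH(k2, m, y_rcpt, bind):
    """Keyed hash over m, or over (m, recipient public key) when bind is set."""
    data = m + (y_rcpt.to_bytes(2, "big") if bind else b"")
    return hmac.new(k2, data, hashlib.sha256).digest()[:10]

def signcrypt(m, x_a, y_b, bind):
    while True:
        x = secrets.randbelow(Q - 1) + 1
        k1, k2 = split_key(pow(y_b, x, P))
        r = KH(k2, m, y_b, bind)
        d = (int.from_bytes(r, "big") + x_a) % Q
        if d:                                   # r + x_a must be invertible mod q
            return E(k1, m), r, x * pow(d, -1, Q) % Q

def unsigncrypt(c, r, s, x_b, y_a, bind):
    u = s * x_b % Q
    v = int.from_bytes(r, "big") * u % Q
    k1, k2 = split_key(pow(y_a, u, P) * pow(G, v, P) % P)   # (y_a * g^r)^(s*x_b)
    m = E(k1, c)
    ok = hmac.compare_digest(r, KH(k2, m, pow(G, x_b, P), bind))
    return m if ok else None                    # None plays the role of "invalid"

def demo(bind):
    """Return (m, what Bob recovers, what Cathy recovers from (c, r, w*s))."""
    m = b"pay 100 to the bearer"                # constructed sample message
    x_a, y_a = keygen()
    x_c, y_c = keygen()
    w = secrets.randbelow(Q - 2) + 2            # w in [2, q-1]
    x_b, y_b = keygen(w * x_c % Q)              # related keys: x_b = w * x_c mod q
    c, r, s = signcrypt(m, x_a, y_b, bind)
    to_bob = unsigncrypt(c, r, s, x_b, y_a, bind)
    to_cathy = unsigncrypt(c, r, w * s % Q, x_c, y_a, bind)
    return m, to_bob, to_cathy
```

With `bind=False` Cathy's unsigncryption accepts the rescaled triple; with `bind=True` her check of r fails because it is computed over her own public key.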

signature-then-encryption v.s. signcryption
(C) 1997+ Yuliang Zheng 29

Signcryption v.s. Signature-then-Encryption

[Figure: three message layouts side by side.
 (a) Signcryption based on DL: EXP=1+1.17; m, sig
 (b) Signature-then-Encryption based on RSA: EXP=2+2; m, sig, k encrypted under eb
 (c) Signature-then-Encryption based on DL: EXP=3+2.17; m, sig, g^x]

(C) 1997+ Yuliang Zheng 30

Cost of Signature-then-Encryption v.s. Cost of Signcryption

A simplistic comparison:

Schemes                               Comp. cost (no. of exp)   Comm. overhead (bits)
RSA based sig-then-enc                2 + 2                     |n_a| + |n_b|
DL based Schnorr sig + ElGamal enc    3 + 2.17 (3 + 3)          |hash| + |q| + |p|
DL based Signcryption                 1 + 1.17 (1 + 2)          |KH| + |q|

(C) 1997+ Yuliang Zheng 31

A more detailed comparison

- Why do this ?
  - the computing time of $y^x \bmod z$ largely depends on the size of x
  - the sizes of RSA & DL exponents are different
  - DL exponent --- [1,…,q]
  - RSA public exponent e --- can be small
  - RSA secret exponent d --- |n| bits, BIG !

(C) 1997+ Yuliang Zheng 32

Signcryption v.s. Schnorr Sig + ElGamal Enc

- Saving in comp. cost by signcryption

  $= \frac{(5.17 - 2.17)\ \text{modulo exp}}{5.17\ \text{modulo exp}} = 58\%$

- Saving in comm. overhead by signcryption (assuming |hash|=|KH|)

  $= \frac{|p|}{|KH_{\cdot}(\cdot)| + |q| + |p|}$

(C) 1997+ Yuliang Zheng 33

Signcryption v.s. Schnorr Sig + ElGamal Enc (cnt’d)

|p|      |q|    |KH|   saving in comp. cost   saving in comm. overhead
512      144    72     58%                    70.3%
768      152    80     58%                    76.8%
1024     160    80     58%                    81.0%
1536     176    88     58%                    85.3%
2048     192    96     58%                    87.7%
3072     224    112    58%                    90.1%
4096     256    128    58%                    91.0%
5120     288    144    58%                    92.0%
8192     320    160    58%                    94.0%
10240    320    160    58%                    96.0%

(C) 1997+ Yuliang Zheng 34

Signcryption v.s. RSA

- Adv. in comp. cost by signcryption

  $= \frac{0.375(|n_a| + |n_b|) - 3.25|q|}{0.375(|n_a| + |n_b|)}$

  (Assuming small RSA public exponents & CRT are used !)
- Adv. in comm. overhead by signcryption

  $= \frac{|n_a| + |n_b| - [|KH_{\cdot}(\cdot)| + |q|]}{|n_a| + |n_b|}$
(C) 1997+ Yuliang Zheng 35

Signcryption v.s. RSA

|p|=|n_a|=|n_b|   |q|    |KH|   saving in comp. cost   saving in comm. overhead
512               144    72     0%                     78.9%
768               152    80     14.2%                  84.9%
1024              160    80     32.3%                  88.3%
1536              176    88     50.3%                  91.4%
2048              192    96     59.4%                  93.0%
3072              224    112    68.4%                  94.0%
4096              256    128    72.9%                  95.0%
5120              288    144    75.6%                  96.0%
8192              320    160    83.1%                  97.0%
10240             320    160    86.5%                  98.0%

(C) 1997+ Yuliang Zheng 36

DL Signcryption v.s. sign-then-encrypt

[Figure: # of multiplications (axis 0 to 8000) against |p|=|n| (1024, 2048, 4096, 8190); series: RSA sign-enc, Schnorr + ElGamal, DL Signcryption]
(C) 1997+ Yuliang Zheng 37

DL Signcryption v.s. sign-then-encrypt

[Figure: comm. overhead in # of bits (axis 0 to 25000) against |p|=|n| (1024, 2048, 4096, 8190); series: RSA sign-enc, Schnorr + ElGamal, DL Signcryption]
(C) 1997+ Yuliang Zheng 38

DL Signcryption v.s. RSA sign-encrypt

[Figure: # of multiplications (axis 0 to 8000) against |p|=|n| (1024, 2048, 4096, 8190); series: RSA sign-enc, DL Signcryption]

(C) 1997+ Yuliang Zheng 39

DL Signcryption v.s. RSA sign-encrypt

[Figure: comm. overhead in # of bits (axis 0 to 25000) against |p|=|n| (1024, 2048, 4096, 8190); series: RSA sign-enc, DL Signcryption]
(C) 1997+ Yuliang Zheng 40

Why Can Signcryption Save Cost ?

- For Bob to successfully recover a message, he needs to know $g^x \bmod p$ from which he can compute
  $k = \mathrm{hash}(g^{x \cdot x_b} \bmod p)$
- With signcryption, Bob can derive $g^x \bmod p$ from r, s, g, p and $y_a$.
  That is, there is NO need for Alice to explicitly send Bob $g^x \bmod p$

(C) 1997+ Yuliang Zheng 41

a general method
for implementing
signcryption

(C) 1997+ Yuliang Zheng 42

Signcryption can be based on any shortened ElGamal-like signatures

How to shorten ElGamal-like signatures:
- Calculation of r
  - $r = \mathrm{hash}(k, m)$ where $k = g^x \bmod p$ and x is a random number.
- Calculation of s
  - if hash(m) is in the original s :
    - hash(m) --> 1
      OR
    - r --> 1, hash(m) --> r
  - otherwise if hash(m) is not in the original s, go to next step.
  - if s = (…)/x, then change it to s = x/(…).

(C) 1997+ Yuliang Zheng 43

Shortened DSS (for Alice)

m -> (m,r,s)

- Shortened DSS -- type 1
  - $k = g^x \bmod p$ where $x \in_R \{1, \ldots, q-1\}$
  - $r = \mathrm{hash}(k, m)$
  - $s = \frac{x}{r + x_a} \bmod q$
  - output (m,r,s)
- Shortened DSS -- type 2
  - $k = g^x \bmod p$ where $x \in_R \{1, \ldots, q-1\}$
  - $r = \mathrm{hash}(k, m)$
  - $s = \frac{x}{1 + x_a \cdot r} \bmod q$
  - output (m,r,s)

(C) 1997+ Yuliang Zheng 44

A generic signcryption scheme based on any shortened signature

- Signcrypt by Alice
  - $k = \mathrm{hash}(y_b^x \bmod p)$ where $x \in_R \{1, \ldots, q-1\}$
  - split k into $k_1$ and $k_2$
  - $r = KH_{k_2}(m)$
  - $s = s(x, r, x_a, q, \ldots)$
  - $c = E_{k_1}(m)$
  - output (c,r,s)
- Unsigncrypt by Bob
  - $k = \mathrm{hash}(k(g, r, s, x_b, y_a, p, \ldots))$
  - split k into $k_1$ and $k_2$
  - $m = D_{k_1}(c)$
  - output m if $r = KH_{k_2}(m)$, "invalid" if $r \neq KH_{k_2}(m)$

(C) 1997+ Yuliang Zheng 45

unforgeability
non-repudiation
&
confidentiality
(C) 1997+ Yuliang Zheng 46

Unforgeability of Signcryption

- Nobody, even Bob the recipient, can forge a valid & signcrypted text from Alice
- How to prove it ?
  - in the random oracle model
  - use Pointcheval & Stern’s Eurocrypt96 proof technique

(C) 1997+ Yuliang Zheng 47

Non-repudiation of Signcryption

- With signature-then-encryption, the origin of a decrypted message can be universally verified.
- The origin of an unsigncrypted message, however, can be directly verified only by Bob the recipient (using his secret key).
  It does NOT satisfy “universal verifiability”.
(C) 1997+ Yuliang Zheng 48

Non-repudiation of Signcryption (cnt’d)

- “Direct verifiability by the recipient only” is exactly what Alice and Bob want in normal situations !
- It is also a main reason (aside from security consideration) why traditionally one uses “signature-then-encryption” rather than “encryption-then-signature” !!
(C) 1997+ Yuliang Zheng 49

Non-repudiation of Signcryption (cnt’d)

- Alice cannot deny the fact that she is the originator of a signcrypted text.
- When requested by Bob, a judge can settle a dispute through interactions with Bob.

(C) 1997+ Yuliang Zheng 50

Repudiation Settlement Methods

- Simple if
  - a trusted tamper-resistant device is used, or
  - the judge is 100% trusted
- Using a ZK interactive protocol (s.a. Bellare-Jakobsson-Yung Protocol presented at Eurocrypt97) if Bob does not trust the judge
    - Bob “guides” the judge to verify the origin of a message, without revealing his private key $x_b$
(C) 1997+ Yuliang Zheng 51

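Circuit for ZK Interactive Repudiation Settlement

[Figure: circuit with inputs y_b, p, g, z, m, c, u, p, r. It computes y'_b = g^z mod p and u^z mod p; hash(.) of the latter gives k1 and k2; D under k1 gives m'; KH_k2(m') gives r'. It checks y'_b = y_b, m' = m and r' = r, and outputs True / False.]

(C) 1997+ Yuliang Zheng 52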

Repudiation Settlement for Signature-then-Encryption

[Figure: Alice, Bob and Judge; 1 move of data]

(C) 1997+ Yuliang Zheng 53

Repudiation Settlement for Signcryption

[Figure: Alice, Bob and Judge; 4 move ZK protocol]

(C) 1997+ Yuliang Zheng 54

Confidentiality of Signcryption

- A third party cannot obtain information on a message m sealed by a signcryption scheme, if all the underlying primitives are secure (incl: <E,D>, KH, DH, etc)

(C) 1997+ Yuliang Zheng 55

Confidentiality of Signcryption (cnt’d)

- How to prove it ?
  - an attacker for a signcryption scheme
      $m \to (c, r, s)$
    can be translated into one for a secure encryption scheme defined by
      $m \to (c, u, r)$
    where
      $c = E_{k_1}(m)$, $u = g^x \bmod p$, $r = KH_{k_2}(m)$
      $k_1 \| k_2 = \mathrm{hash}(y_b^x \bmod p)$

(C) 1997+ Yuliang Zheng 56

Other aspects of signcryption v.s. sign-then-enc

Paradigm                         Forward secrecy w.r.t. Alice   Past recovery   Static key manage.           Repudi. settle.    “group” orient.
signcryption                     no                             yes             n/a                          interactive        yes
sign-then-enc                    yes (but, forgeable)           no              n/a                          non-interactive    no
sign-then-enc with a static key  no                             yes             distrib/derivation/storage   non-interactive    yes (in most cases)

(C) 1997+ Yuliang Zheng 57

signcryption
for multiple
recipients

(C) 1997+ Yuliang Zheng 58

Signature-then-Encryption for Multi-Recipients (RFC1421, RSA)

EXP=(t+1) + 2t

[Figure: message layout. m and sig: encrypted using a private key cipher with k. For each receiver R1, …, Rt: k encrypted with that receiver’s public key e1, …, et. A bracket marks the comm. overhead.]
(C) 1997+ Yuliang Zheng 59

Signature-then-Encryption for Multi-Recipients (based on DL)

EXP=(2t+1) + 2.17t

[Figure: message layout. m and sig; m is encrypted using a private key cipher with k. For each receiver Ri (i = 1, …, t): g^{x_i}, used by the receiver Ri to reconstruct ki, and k encrypted using a private key cipher with ki. A bracket marks the comm. overhead.]
(C) 1997+ Yuliang Zheng 60

Signcryption for Multi-Recipients (based on DL)

EXP= t + 1.17t

[Figure: message layout. m and KH_k(m): encrypted using a private key cipher with k. For each recipient Ri (i = 1, …, t): sig_i, and k encrypted using a private key cipher with k_{i,1}. A bracket marks the comm. overhead.]

(C) 1997+ Yuliang Zheng 61

Signcryption for multiple recipients -- public & secret parameters

- Public to all
  - p : a large prime
  - q : a large prime factor of p-1
  - g : 0<g<p & with order q mod p
  - hash : 1-way hash
  - KH : key-ed 1-way hash
  - (E,D) : private-key encryption & decryption algorithms
- Alice’s keys
  - $x_a$ : secret key
  - $y_a$ : public key (note : $y_a = g^{x_a} \bmod p$)
- Recipient Ri’s keys
  - $x_i$ : secret key
  - $y_i$ : public key (note : $y_i = g^{x_i} \bmod p$)
(C) 1997+ Yuliang Zheng 62

Signcryption by Alice for recipients R1,…,Rt

- $c = E_k(m, h)$, where $h = KH_k(m)$ and k is a random key
- for i = 1,…,t
  - $k_i = \mathrm{hash}(y_i^{v_i} \bmod p)$ with $v_i \in_R \{1, \ldots, q-1\}$
  - split $k_i$ into $k_{i,1}$ and $k_{i,2}$
  - $c_i = E_{k_{i,1}}(k)$
  - $r_i = KH_{k_{i,2}}(m, h)$
  - $s_i = v_i / (r_i + x_a) \bmod q$
- broadcast $(c, c_1, r_1, s_1, \ldots, c_t, r_t, s_t)$
(C) 1997+ Yuliang Zheng 63

Unsigncryption by each recipient Ri, i=1,…,t

- find out $(c, c_i, r_i, s_i)$ in $(c, c_1, r_1, s_1, \ldots, c_t, r_t, s_t)$
- $k_i = \mathrm{hash}((y_a \cdot g^{r_i})^{s_i \cdot x_i} \bmod p)$; split $k_i$ into $k_{i,1}$ and $k_{i,2}$
- $k = D_{k_{i,1}}(c_i)$
- $w = D_k(c)$; split w into m and h
- output m if $h = KH_k(m)$ and $r_i = KH_{k_{i,2}}(w)$, "invalid" otherwise

(C) 1997+ Yuliang Zheng 64

Signcryption v.s. Signature-then-Encryption for Multi-Recipients

[Figure: three message layouts side by side.
 (a) Signcryption based on DL: EXP= t + 1.17t; m, KH_k(m), then sig_1 and k through sig_t and k
 (b) Signature-then-Encryption based on RSA: EXP=(t+1) + 2t; m, sig, then k under e1 through k under et
 (c) Signature-then-Encryption based on DL: EXP=(2t+1) + 2.17t; m, sig, then g^{x_1} and k through g^{x_t} and k]

(C) 1997+ Yuliang Zheng 65

Cost-saving of signcryption for t recipients

Schemes                                   Comp. cost (no. of exp.)     Comm. overhead (bits)
Schnorr signature + ElGamal encryption    Alice: 2t + 1; Ri: 2.17      $t \cdot (|k| + |p|) + |KH| + |q|$
RFC1421 (RSA)                             Alice: t + 1; Ri: 2          $|n_a| + \sum_{i=1,\ldots,t} |n_i|$
signcryption                              Alice: t; Ri: 1.17           $t \cdot (|k| + |KH| + |q|) + |KH|$

(C) 1997+ Yuliang Zheng 66

applications
etc

(C) 1997+ Yuliang Zheng 67

Applications of Signcryption

- Bring to society huge savings in comp. & comm. if used widely in
  - secure & authenticated message delivery / storage
  - electronic commerce
    - secure & authenticated transactions !!!
  - secure & authenticated multicast (incl. video conference, CSCW etc)
  - fast, compact, secure, unforgeable & non-repudiated key transport
(C) 1997+ Yuliang Zheng 68

Secure and authenticated key transport in a single ATM cell

ATM Cell: header (5 bytes), payload (data) (48 bytes = 384 bits)
Payload: c (144 bits), r (80 bits), s (160 bits)

$|p| \ge 512$, $|q| \ge 160$, $|KH_{\cdot}(\cdot)| \ge 80$
$(k_1, k_2) = \mathrm{hash}(y_b^x \bmod p)$ with $x \in_R [1, \ldots, q-1]$
$|k_1| \ge 64$, $|k_2| \ge 64$
$c = E_{k_1}(key, TQ)$
$r = KH_{k_2}(key, TQ, other)$
$s = \frac{x}{r + x_a} \bmod q$

(C) 1997+ Yuliang Zheng 69

Signcryption cannot be achieved with a shared secret key alone

- Alice and Bob may use a shared secret key, such as $g^{x_a \cdot x_b} \bmod p$ or a KPS key, to carry out secure and efficient communications with content integrity.
- But, without a tamper-proof device and/or a trusted 3rd party, such communications may not achieve unforgeability or non-repudiation.
(C) 1997+ Yuliang Zheng 70

Extensions

- Signcryption can be built on other versions of the discrete logarithm, such as those on elliptic curves.
- Lenstra’s new sub-groups presented at ACISP’97 can also be used in signcryption.

(C) 1997+ Yuliang Zheng 71

Stop Press, May 2000

- We have recently succeeded in implementing signcryption schemes based on factoring RSA moduli (details are available upon request).
- Thus, signcryption can now be based on
  - Discrete Log on finite fields
  - Elliptic curves
  - Factoring
(C) 1997+ Yuliang Zheng 72

Summary

- introduced “digital signcryption” that achieves
  - confidentiality
  - unforgeability & non-repudiation
- proposed concrete implementations
- analysed the significant saving of signcryption over “signature-then-encryption”

(C) 1997+ Yuliang Zheng 73
