Yuliang Zheng
Applications of Signcryption
Goals
• To provide both confidentiality and authenticity (unforgeability & non-repudiation)
• To hit 2 birds using 1 boomerang!
Outline
• To achieve: authenticity (unforgeability & non-repudiation)
• To achieve: confidentiality
(C) 1997+ Yuliang Zheng 6
signature-then-encryption
Signature-then-Encryption (based on RSA)
EXP=2+2
[Figure: m, sig (encrypted using a private key cipher with k); k (encrypted with the receiver’s public key $e_b$); comm. overhead]
Signature-then-Encryption (based on Discrete Logarithm or DL)
EXP=3+2.17
[Figure: m, sig (encrypted using a private key cipher with k); $g^x$ (used by the receiver to reconstruct k); comm. overhead]
Cost of Signature-then-Encryption

Schemes                               Comp Cost (No. of exp)   Comm Overhead (bits)
RSA based sig-then-enc                2 + 2                    |n_a| + |n_b|
DL based Schnorr sig + ElGamal enc    3 + 2.17 (3 + 3)         |hash| + |q| + |p|
Why signature-then-encryption can be a problem
• Consider a transaction/message of 5,120 bits (=640 chars, ≈ 8 lines) that requires
  - high level security, or
  - to be transmitted in 2010
• Very large moduli, say of 5120 bits, have to be used
Why signature-then-encryption
can be a problem (cnt’d)
signcryption
Signcryption -- public & secret parameters
• Public to all
  - p : a large prime
  - q : a large prime factor of p-1
  - g : 0<g<p & with order q mod p
  - hash: 1-way hash
  - KH: key-ed 1-way hash
  - (E,D) : private-key encryption & decryption algorithms
• Alice’s keys
  - $x_a$ : secret key
  - $y_a$ : public key (note: $y_a = g^{x_a} \bmod p$)
• Bob’s keys
  - $x_b$ : secret key
  - $y_b$ : public key (note: $y_b = g^{x_b} \bmod p$)

$KH_k(x) \equiv hash(k, x)$
Key-ed 1-way hash: examples
(cnt’d)
where $x \in_R \{1, \ldots, q-1\}$; $k$ is split into $k_1$ and $k_2$
Signcryption:
  $r = KH_{k_2}(m)$
  $s = \frac{x}{r + x_a} \bmod q$
  $c = E_{k_1}(m)$
  output $(c, r, s)$
Unsigncryption:
  $m = D_{k_1}(c)$
  output $m$ if $r = KH_{k_2}(m)$, "invalid" if $r \neq KH_{k_2}(m)$
Signcryption -- 1st example (focusing on unsigncryption)
Let
$u = s \cdot x_b \bmod q$,
$v = r \cdot u \bmod q$.
Then
$(y_a \cdot g^r)^{s \cdot x_b} \bmod p = (y_a^{s \cdot x_b} \cdot g^{r \cdot s \cdot x_b}) \bmod p = (y_a^u \cdot g^v) \bmod p$
This can be done in a smart way, costing only 1.17 exponentiations on average!
(D. Knuth, Seminumerical Algorithms, Vol. 2 of The Art of Computer Programming, 2nd edition, Addison-Wesley, Exercise 27, Pages 465 & 637.)
where $x \in_R \{1, \ldots, q-1\}$; $k$ is split into $k_1$ and $k_2$
Signcryption:
  $r = KH_{k_2}(m)$
  $s = \frac{x}{1 + x_a \cdot r} \bmod q$
  $c = E_{k_1}(m)$
  output $(c, r, s)$
Unsigncryption:
  $m = D_{k_1}(c)$
  output $m$ if $r = KH_{k_2}(m)$, "invalid" if $r \neq KH_{k_2}(m)$
Signcryption -- 3rd example
m → (c,r,s) → m
where $x \in_R \{1, \ldots, q-1\}$; $k$ is split into $k_1$ and $k_2$
Signcryption:
  $r = KH_{k_2}(m)$
  $s = (x - r \cdot x_a) \bmod q$
  $c = E_{k_1}(m)$
  output $(c, r, s)$
Unsigncryption:
  $m = D_{k_1}(c)$
  output $m$ if $r = KH_{k_2}(m)$, "invalid" if $r \neq KH_{k_2}(m)$
Cost of Signcryption
Alice: m → (c,r,s)
Bob: (c,r,s) → m
Comp. & Comm. Cost of Signcryption (based on Discrete Logarithm)
EXP=1+1.17
[Figure: m (encrypted using a private key cipher with k); sig; comm. overhead]
Necessity of Binding a Recipient’s Name
• Some schemes, such as SCS1 and SCS2, may have a problem with “double-payment”: bad & collusive friends
  [Figure: Alice, Bob, Cathy]
• if $x_b$ and $x_c$ are related, say by $x_b = w \cdot x_c \bmod q$
• Why?
  If $(c, r, s)$ is from Alice to Bob, then $(c, r, w \cdot s)$ is a valid msg from Alice to Cathy!
from $r = KH_{k_2}(m)$
to $r = KH_{k_2}(m, y_b, \text{etc})$
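The unsigncryption shortcut ($u = s \cdot x_b$, $v = r \cdot u$) from the 1st example and the recipient-binding fix above, as an added Python example that is not part of the original slides. It follows the slides' formulas $s = x/(r + x_a) \bmod q$ and $k_1 \| k_2 = hash(y_b^x \bmod p)$; the toy parameters, the keys, the XOR stand-in for (E, D), HMAC-SHA-256 as KH and all function names are assumptions, and `dual_exp` is the basic shared-squaring method, not necessarily the algorithm behind the 1.17 figure.

```python
import hashlib, hmac, secrets

# Toy parameters constructed for this example (far too small for real use):
P, Q, G = 607, 101, 64        # p prime, q prime factor of p-1, g of order q

def split_key(shared):        # k = hash(shared), split into k1 and k2
    k = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return k[:16], k[16:]

def kh(k2, m, tag=b""):       # KH_k2(m, tag) as an 80-bit integer
    return int.from_bytes(hmac.new(k2, m + tag, hashlib.sha256).digest()[:10], "big")

def xor_cipher(k1, data):     # stand-in for (E, D); messages up to 32 bytes
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(k1).digest()))

def dual_exp(a, u, b, v, p):
    """a^u * b^v mod p using one shared squaring chain."""
    table = {(0, 0): 1, (1, 0): a % p, (0, 1): b % p, (1, 1): a * b % p}
    acc = 1
    for i in range(max(u.bit_length(), v.bit_length()) - 1, -1, -1):
        acc = acc * acc % p * table[(u >> i) & 1, (v >> i) & 1] % p
    return acc

def signcrypt(m, xa, yb, bind):
    tag = str(yb).encode() if bind else b""      # bind: r = KH_k2(m, yb)
    while True:
        x = secrets.randbelow(Q - 1) + 1         # x in {1, ..., q-1}
        k1, k2 = split_key(pow(yb, x, P))        # k1 || k2 = hash(yb^x mod p)
        r = kh(k2, m, tag)
        if (r + xa) % Q:                         # r + xa must be invertible mod q
            return xor_cipher(k1, m), r, x * pow(r + xa, -1, Q) % Q

def unsigncrypt(c, r, s, ya, xb, bind):
    u = s * xb % Q
    v = r * u % Q
    k1, k2 = split_key(dual_exp(ya, u, G, v, P))  # (ya * g^r)^(s*xb) mod p
    m = xor_cipher(k1, c)
    tag = str(pow(G, xb, P)).encode() if bind else b""
    return m if r == kh(k2, m, tag) else None     # None stands for "invalid"

def replay_to_cathy(bind, m=b"pay Bob 100"):
    """Alice signcrypts for Bob; Cathy (xb = w * xc mod q) tries (c, r, w*s)."""
    xa, xc, w = 17, 29, 5                         # constructed secret keys
    xb = w * xc % Q
    ya, yb = pow(G, xa, P), pow(G, xb, P)
    c, r, s = signcrypt(m, xa, yb, bind)
    assert unsigncrypt(c, r, s, ya, xb, bind) == m    # Bob always accepts
    return unsigncrypt(c, r, w * s % Q, ya, xc, bind)
```

`replay_to_cathy(False)` returns Alice's message because the replayed copy verifies under Cathy's key; `replay_to_cathy(True)` returns `None` once $y_b$ is hashed into r.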
signature-then-encryption v.s. signcryption
Cost of Signature-then-Encryption v.s. Cost of Signcryption
A simplistic comparison:

Schemes                               Comp Cost (No. of exp)   Comm Overhead (bits)
RSA based sig-then-enc                2 + 2                    |n_a| + |n_b|
DL based Schnorr sig + ElGamal enc    3 + 2.17 (3 + 3)         |hash| + |q| + |p|
DL based Signcryption                 1 + 1.17 (1 + 2)         |KH| + |q|

• Why do this?
  - the computing time of $y^x \bmod z$ largely depends on the size of x
  - the sizes of RSA & DL exponents are different
Signcryption v.s.
Schnorr Sig + ElGamal Enc
Signcryption v.s.
Schnorr Sig + ElGamal Enc (cnt’d)
|p|     |q|   |KH|   saving in comp cost   saving in comm overhead
512     144   72     58%                   70.3%
768     152   80     58%                   76.8%
1024    160   80     58%                   81.0%
1536    176   88     58%                   85.3%
2048    192   96     58%                   87.7%
3072    224   112    58%                   90.1%
4096    256   128    58%                   91.0%
5120    288   144    58%                   92.0%
8192    320   160    58%                   94.0%
10240   320   160    58%                   96.0%
Signcryption v.s. RSA

|p|=|n_a|=|n_b|   |q|   |KH|   saving in comp cost   saving in comm overhead
512               144   72     0%                    78.9%
768               152   80     14.2%                 84.9%
1024              160   80     32.3%                 88.3%
1536              176   88     50.3%                 91.4%
2048              192   96     59.4%                 93.0%
3072              224   112    68.4%                 94.0%
4096              256   128    72.9%                 95.0%
5120              288   144    75.6%                 96.0%
8192              320   160    83.1%                 97.0%
10240             320   160    86.5%                 98.0%
DL Signcryption v.s. sign-then-encrypt
[Chart: # of multiplications against |p|=|n| (1024, 2048, 4096, 8190); series: RSA sign-enc, Schnorr + ElGamal, DL Signcryption]
DL Signcryption v.s. sign-then-encrypt
[Chart: comm. overhead (# of bits) against |p|=|n| (1024, 2048, 4096, 8190); series: RSA sign-enc, Schnorr + ElGamal, DL Signcryption]
DL Signcryption v.s. RSA sign-encrypt
[Chart: # of multiplications against |p|=|n| (1024, 2048, 4096, 8190)]
DL Signcryption v.s. RSA sign-encrypt
[Chart: comm. overhead (# of bits) against |p|=|n| (1024, 2048, 4096, 8190); series: RSA sign-enc, DL Signcryption]
Why Can Signcryption Save Cost ?
a general method for implementing signcryption
Signcryption can be based on any shortened ElGamal-like signatures
How to shorten ElGamal-like signatures:
• Calculation of r
  $r = hash(k, m)$, where $k = g^x \bmod p$ and x is a random number.
• Calculation of s
  - if hash(m) is in the original s: hash(m) --> 1, OR r --> 1, hash(m) --> r
  - otherwise, if hash(m) is not in the original s, go to next step.
  - if s = (…)/x, then change it to s = x/(…).
• Shortened DSS -- type 1: m --> (m,r,s)
  $k = g^x \bmod p$
  $r = hash(k, m)$
  $s = \frac{x}{r + x_a} \bmod q$
  output (m,r,s)
• Shortened DSS -- type 2: m --> (m,r,s)
  $k = g^x \bmod p$
  $r = hash(k, m)$
  $s = \frac{x}{1 + x_a \cdot r} \bmod q$
  output (m,r,s)
A generic signcryption scheme
based on any shortened signature
Signcryption:
  $s = s(x, r, x_a, q, \ldots)$
  $c = E_{k_1}(m)$
  output $(c, r, s)$
Unsigncryption:
  output $m$ if $r = KH_{k_2}(m)$, "invalid" if $r \neq KH_{k_2}(m)$
unforgeability, non-repudiation & confidentiality
Unforgeability of Signcryption
• How to prove it?
  - in the random oracle model
  - use Pointcheval & Stern’s Eurocrypt96 proof technique
Non-repudiation of Signcryption
Non-repudiation of Signcryption
(cnt’d)
Repudiation Settlement Methods
• Simple if
  - a trusted tamper-resistant device is used, or
  - the judge is 100% trusted
• Using a ZK interactive protocol (such as the Bellare-Jakobsson-Yung Protocol presented at Eurocrypt97) if Bob does not trust the judge
  - Bob “guides” the judge to verify the origin of a message, without revealing his private key $x_b$
[Figure: $g^z \bmod p$, $u^z \bmod p$, hash(.), D, $KH_{k_2}(m')$; checks $y'_b \stackrel{?}{=} y_b$, $m' \stackrel{?}{=} m$, $r' \stackrel{?}{=} r$]
Repudiation Settlement for Signature-then-Encryption
[Figure: Alice, Bob, Judge; 1 move of data]
[Figure: Alice, Bob, Judge; 4 move ZK protocol]
Confidentiality of Signcryption
Confidentiality of Signcryption
(cnt’d)
• How to prove it?
  an attacker for a signcryption scheme
  $m \rightarrow (c, r, s)$
  can be translated into one for a secure encryption scheme defined by
  $m \rightarrow (c, u, r)$
  where
  $c = E_{k_1}(m)$, $u = g^x \bmod p$, $r = KH_{k_2}(m)$
  $k_1 \| k_2 = hash(y_b^x \bmod p)$
Other aspects of signcryption v.s. sign-then-enc
Attribute \ paradigm | forward secrecy | past recovery | static key manage. | Repudi. Settle. | “group” orient.
w.r.t. Alice
signcryption for multiple recipients
Signature-then-Encryption for Multi-Recipients (RFC1421, RSA)
EXP=(t+1) + 2t
[Figure: m, sig (encrypted using a private key cipher with k); k (encrypted with the receiver R1’s public key $e_1$)]
Signature-then-Encryption for Multi-Recipients (based on DL)
EXP=(2t+1) + 2.17t
[Figure: m, sig (encrypted using a private key cipher with k); $g^{x_1}$ (used by the receiver R1 to reconstruct $k_1$), k (encrypted using a private key cipher with $k_1$); $g^{x_t}$ (used by the receiver Rt to reconstruct $k_t$), k (encrypted using a private key cipher with $k_t$); comm. overhead]
Signcryption for Multi-Recipients (based on DL)
EXP= t + 1.17t
[Figure: m, $KH_k(m)$ (encrypted using a private key cipher with k); $sig_1$, k (encrypted using a private key cipher with $k_{1,1}$); $sig_t$, k (encrypted using a private key cipher with $k_{t,1}$); comm. overhead]
Signcryption by Alice
for recipients R1,…,Rt
Unsigncryption by each recipient Ri, i=1,…,t
• find out $(c, c_i, r_i, s_i)$ in $(c, c_1, r_1, s_1, \ldots, c_t, r_t, s_t)$
• $k_i = hash((y_a \cdot g^{r_i})^{s_i \cdot x_i} \bmod p)$, with $k_i$ split into $k_{i,1}$ and $k_{i,2}$
• $k = D_{k_{i,1}}(c_i)$
• $w = D_k(c)$, with $w$ split into $m$ and $h$
• output $m$ if $h = KH_k(m)$ and $r_i = KH_{k_{i,2}}(w)$, "invalid" otherwise
Signcryption v.s. Signature-then-Encryption for Multi-Recipients
[Figure: (a) Signcryption based on DL; (b) Signature-then-Encryption based on RSA; (c) Signature-then-Encryption based on DL]
applications
etc
Applications of Signcryption
Secure and authenticated key transport in a single ATM cell
$c = E_{k_1}(key, TQ)$
$r = KH_{k_2}(key, TQ, other)$
$s = \frac{x}{r + x_a} \bmod q$
Cell contents: c (144 bits), r (80 bits), s (160 bits)
Extensions
Summary