Publication


Featured research published by Dae Hyun Yum.


Australasian Conference on Information Security and Privacy | 2004

Generic Construction of Certificateless Signature

Dae Hyun Yum; Pil Joong Lee

To provide the binding between a user and his public key, traditional digital signature schemes use certificates that are signed by a trusted third party. While Shamir's identity-based signature scheme can dispense with certificates, the key escrow of a user's private key is inherent in the identity-based signature scheme. At Asiacrypt 2003, a new digital signature paradigm called the certificateless signature was introduced. The certificateless signature eliminates the need for certificates and does not suffer from the inherent key escrow problem. In this paper, we provide a generic secure construction of a certificateless signature. We also present an extended construction whose trust level is the same as that of a traditional public key signature scheme.


Computer and Communications Security | 2007

Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing

Alexandra Boldyreva; Craig Gentry; Adam O'Neill; Dae Hyun Yum

We construct new multiparty signature schemes that allow multiple signers to sequentially produce a compact, fixed-length signature simultaneously attesting to the message(s) they want to sign. First, we introduce a new primitive that we call ordered multisignatures (OMS), which allow signers to attest to a common message as well as the order in which they signed. Our OMS construction substantially improves computational efficiency over any existing scheme with comparable functionality. Second, we design a new identity-based sequential aggregate signature scheme, where signers can attest to different messages and signature verification does not require knowledge of traditional public keys. The latter property permits savings on bandwidth and storage as compared to public-key solutions. In contrast to the only prior scheme to provide this functionality, ours offers improved security that does not rely on synchronized clocks or a trusted first signer. Security proofs according to the corresponding security definitions and under appropriate computational assumptions are provided for all the proposed schemes. We give several applications of our schemes to secure network routing, and we believe that they will find many other applications as well.


International Conference on Computational Science and Its Applications | 2004

Generic Construction of Certificateless Encryption

Dae Hyun Yum; Pil Joong Lee

As the Internet becomes an indispensable element of modern life, PKC (Public Key Cryptography) is gaining considerable attention because it can assure the security requirements of many applications. To guarantee the authenticity of public keys, traditional PKC requires certificates to be signed by a CA (Certification Authority). However, the management of the infrastructure supporting certificates is the main complaint against traditional PKC. While identity-based PKC can eliminate this cumbersome infrastructure, the key escrow of a user's private key is inherent in identity-based PKC. Recently, a new PKC paradigm called certificateless PKC was introduced. Certificateless PKC eliminates the need for unwieldy certificates and retains the desirable properties of identity-based PKC without the inherent key escrow problem. In this paper, we provide a generic secure construction of certificateless encryption. While previous schemes are based on the algebraic properties of bilinear mappings, our construction is built from general primitives. This result shows that certificateless encryption can be constructed in a more general way.


International Conference on Information Security and Cryptology | 2001

New Signcryption Schemes Based on KCDSA

Dae Hyun Yum; Pil Joong Lee

A signcryption scheme is a cryptographic primitive that performs signature and encryption simultaneously, at less cost than is required by the traditional signature-then-encryption approach. We propose new signcryption schemes based on KCDSA. These are the first signcryption schemes that are based on a standardized signature scheme. We expect that these schemes will soon be applied to established KCDSA systems. We also propose a new signcryption scheme for multiple recipients which requires very small communication overhead.


Public Key Cryptography | 2007

Optimistic fair exchange in a multi-user setting

Yevgeniy Dodis; Pil Joong Lee; Dae Hyun Yum

This paper addresses the security of optimistic fair exchange in a multi-user setting. While the security of public key encryption and public key signature schemes in a single-user setting guarantees security in a multi-user setting, we show that the situation is different for optimistic fair exchange. First, we show how to break, in the multi-user setting, an optimistic fair exchange scheme provably secure in the single-user setting. This example separates the security of optimistic fair exchange between the single-user setting and the multi-user setting. We then define the formal security model of optimistic fair exchange in the multi-user setting, which is the first complete security model of optimistic fair exchange in the multi-user setting. We prove the existence of a generic construction meeting our multi-user security based on one-way functions in the random oracle model and trapdoor one-way permutations in the standard model. Finally, we revisit two well-known methodologies of optimistic fair exchange, which are based on the verifiably encrypted signature and the sequential two-party multisignature, respectively. Our result shows that these paradigms remain valid in the multi-user setting.


European Public Key Infrastructure Workshop | 2004

Identity-Based Cryptography in Public Key Management

Dae Hyun Yum; Pil Joong Lee

To guarantee the authenticity of public keys, traditional PKC (Public Key Cryptography) requires certificates signed by a CA (Certification Authority). However, the management of infrastructure supporting certificates is the main complaint against traditional PKC. While identity-based PKC can eliminate this cumbersome infrastructure, the key escrow of a user’s private key is inherent in identity-based PKC. Recently, new PKC paradigms were introduced: certificate-less PKC and certificate-based PKC. They retain the desirable properties of identity-based PKC without the inherent key escrow problem. A certificate-less cryptosystem eliminates the need for unwieldy certificates and a certificate-based cryptosystem simplifies the public key revocation problem. In this paper, we present an equivalence theorem among identity-based encryption, certificate-less encryption, and certificate-based encryption. We demonstrate that the three paradigms are essentially equivalent.


International Conference on Information Security | 2005

Timed-release encryption with pre-open capability and its application to certified e-mail system

Yong Ho Hwang; Dae Hyun Yum; Pil Joong Lee

We propose timed-release encryption with pre-open capability. In this model, the sender chooses a release time to open the message and a release key to pre-open, and encrypts the message using them. The receiver can decrypt the message only after the release time. When the sender wants the message to be opened before the release time, he may publish the release key. Then, the receiver can decrypt the message from his private key and the release key before the release time. However, an adversary cannot extract any information at any time even with the release key. We formalize the security model and provide an efficient construction secure under the BDH assumption in the random oracle model. In addition, we discuss the application of our schemes to efficient fair exchange systems such as a certified e-mail system.


IEEE Transactions on Wireless Communications | 2011

Distance Bounding Protocol for Mutual Authentication

Dae Hyun Yum; Jin Seok Kim; Sung Je Hong; Pil Joong Lee

A distance bounding protocol enables one party to determine a practical upper bound on the distance to another party. It is an effective countermeasure against mafia fraud attacks (a.k.a. relay attacks) which do not alter messages between users but only relay messages. The main idea of distance bounding protocols is to repeat fast bit exchanges. One party sends a challenge bit and another party answers with a response bit and vice versa. By measuring the round-trip time between the challenge and the response, an upper bound on the distance between users can be calculated. If messages are relayed, the round-trip time increases and thus mafia fraud attacks can be detected. We introduce an efficient distance bounding protocol for mutual authentication. It enjoys a reduced false acceptance rate under mafia fraud attacks and does not require an extra confirmation message after the fast bit exchange phase.
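The fast bit-exchange phase described above, simulated end to end, as an added example (this is not the paper's protocol or code). It assumes a Hancke-Kuhn style exchange in which both sides derive two registers R0 and R1 from a shared key and the slow-phase nonces, the verifier answers challenge bit c in round i with R_c[i], and a relay attacker's round trips are inflated by the extra flight time to the far prover plus a constructed relay overhead. The (3/4)^n false-acceptance bound for the pre-asking attacker is a property of this toy two-register exchange, not a figure taken from the paper.

```python
"""Distance-bounding fast phase: honest prover, relay (mafia fraud) attacker,
pre-asking attacker, and a verifier that bounds distance from round-trip time."""
import hashlib
import hmac
import random

C = 299_792_458.0  # speed of light in m/s: a radio round trip costs ~6.7 ns per metre


def derive_registers(key: bytes, nonce_v: bytes, nonce_p: bytes, n: int):
    """Both parties derive n-bit registers R0, R1 from the shared key and the
    slow-phase nonces (Hancke-Kuhn style; an assumption of this example)."""
    digest = hmac.new(key, nonce_v + nonce_p, hashlib.sha512).digest()
    bits = [(byte >> (7 - k)) & 1 for byte in digest for k in range(8)]
    if 2 * n > len(bits):
        raise ValueError("too many rounds for one digest")
    return bits[:n], bits[n:2 * n]


class HonestProver:
    def __init__(self, r0, r1, distance_m, proc_delay_s=1e-9):
        self.r0, self.r1, self.distance_m, self.proc = r0, r1, distance_m, proc_delay_s

    def respond(self, i, c):
        """Return (response bit, round-trip time as seen by the verifier)."""
        return (self.r1[i] if c else self.r0[i]), 2 * self.distance_m / C + self.proc


class RelayAttacker:
    """Mafia fraud: forwards each challenge to the far prover and relays the answer.
    Bits are always right, but every round pays the extra flight time plus overhead."""
    def __init__(self, prover, distance_to_verifier_m, relay_overhead_s=50e-9):
        self.prover, self.distance_m, self.overhead = prover, distance_to_verifier_m, relay_overhead_s

    def respond(self, i, c):
        bit, far_rtt = self.prover.respond(i, c)
        return bit, 2 * self.distance_m / C + far_rtt + self.overhead


class PreAskAttacker:
    """Mafia fraud without relaying in the fast phase: query the far prover in
    advance with guessed challenges (learning one register bit per round), then
    answer the verifier from close range, guessing when the real challenge differs."""
    def __init__(self, prover, distance_to_verifier_m, rng):
        self.rng, self.distance_m = rng, distance_to_verifier_m
        self.guess = [rng.getrandbits(1) for _ in prover.r0]
        self.learned = [prover.respond(i, g)[0] for i, g in enumerate(self.guess)]

    def respond(self, i, c):
        bit = self.learned[i] if c == self.guess[i] else self.rng.getrandbits(1)
        return bit, 2 * self.distance_m / C


def verify(r0, r1, responder, max_distance_m, rng, proc_delay_s=1e-9):
    """Accept only if every response bit is correct and every round trip fits
    the time budget for max_distance_m. Returns (accepted, distance bound in m)."""
    rtt_limit = 2 * max_distance_m / C + proc_delay_s
    ok, worst = True, 0.0
    for i in range(len(r0)):
        c = rng.getrandbits(1)                      # fresh challenge bit per round
        bit, rtt = responder.respond(i, c)
        worst = max(worst, rtt)
        if bit != (r1[i] if c else r0[i]) or rtt > rtt_limit:
            ok = False
    return ok, max(0.0, worst - proc_delay_s) * C / 2


def run(responder_factory, n_rounds=32, max_distance_m=10.0, seed=1):
    """One protocol instance: slow-phase nonces, register derivation, fast phase.
    The RNG is seeded for reproducibility; a real verifier uses a CSPRNG."""
    rng = random.Random(seed)
    key = bytes(32)                                 # constructed shared key
    nonce_v = rng.getrandbits(128).to_bytes(16, "big")
    nonce_p = rng.getrandbits(128).to_bytes(16, "big")
    r0, r1 = derive_registers(key, nonce_v, nonce_p, n_rounds)
    return verify(r0, r1, responder_factory(r0, r1, rng), max_distance_m, rng)


def false_acceptance_rate(n_rounds, trials=4000, seed=7):
    """Empirical acceptance rate of the pre-asking attacker next to the (3/4)^n
    bound of this two-register exchange (3/4 per round: right for free when the
    guess matched, a coin flip otherwise)."""
    def factory(r0, r1, rng):
        return PreAskAttacker(HonestProver(r0, r1, 1000.0), 1.0, rng)
    hits = sum(run(factory, n_rounds, seed=seed + t)[0] for t in range(trials))
    return hits / trials, 0.75 ** n_rounds


if __name__ == "__main__":
    print("honest @1m  ", run(lambda r0, r1, rng: HonestProver(r0, r1, 1.0)))
    print("relay       ", run(lambda r0, r1, rng: RelayAttacker(HonestProver(r0, r1, 1000.0), 1.0)))
    print("pre-ask FAR ", false_acceptance_rate(8))
```

With 32 rounds the pre-asking attacker's acceptance probability is (3/4)^32, roughly one in ten thousand, which is why protocols are judged on the per-round false-acceptance rate rather than on timing alone; the relay attacker never passes because its round trips carry the flight time to the real prover.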


IEEE Transactions on Wireless Communications | 2012

Exact Formulae for Resilience in Random Key Predistribution Schemes

Dae Hyun Yum; Pil Joong Lee

As wireless sensor networks are often deployed in adverse or hostile environments, key management schemes are required for sensor nodes. The random key predistribution (RKP) scheme is a probabilistic key management scheme where each node is preloaded with a subset of keys that are randomly selected from a pool of keys. If a pair of neighbor nodes have a common key, it can be used to establish a secure link between the nodes. The q-composite RKP scheme requires that a pair of neighbor nodes have at least q common keys for a secure link. In this article, we show that the previous security analysis (i.e., resilience against node capture) of the q-composite RKP scheme is inaccurate and present new formulae for resilience in the RKP scheme and the q-composite RKP scheme.
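The key-sharing and resilience quantities discussed above, computed for the RKP and q-composite RKP schemes, as an added example (not the paper's code; the paper's corrected formulae are not reproduced here). The key-sharing probability is exact, since the number of keys two random key rings have in common is hypergeometric; resilience is estimated by Monte Carlo under the assumptions that every pair of nodes is within radio range, that the pairwise link key is derived from all keys the pair shares, and that the adversary learns the whole key ring of each captured node.

```python
"""RKP / q-composite RKP: exact key-sharing probability and a Monte Carlo
estimate of resilience against node capture."""
from math import comb
import random


def share_probability(pool_size, ring_size, q):
    """Probability that two nodes, each preloaded with `ring_size` keys drawn
    uniformly without replacement from `pool_size` keys, share at least q keys."""
    total = comb(pool_size, ring_size)
    return sum(comb(ring_size, i) * comb(pool_size - ring_size, ring_size - i)
               for i in range(q, ring_size + 1)) / total


def simulate_resilience(pool_size, ring_size, q, n_nodes, captured, trials=20, seed=0):
    """Fraction of secure links between uncaptured nodes whose link key the
    adversary can recompute after capturing `captured` nodes. A link exists when
    the pair shares >= q keys and falls when every shared key is in a captured ring."""
    rng = random.Random(seed)          # seeded for reproducibility
    links = compromised = 0
    for _ in range(trials):
        rings = [frozenset(rng.sample(range(pool_size), ring_size)) for _ in range(n_nodes)]
        known = set().union(*rings[:captured])      # keys exposed by captured nodes
        for a in range(captured, n_nodes):
            for b in range(a + 1, n_nodes):
                shared = rings[a] & rings[b]
                if len(shared) >= q:
                    links += 1
                    compromised += shared <= known
    return compromised / links if links else 0.0


if __name__ == "__main__":
    pool, ring = 1000, 50                # constructed deployment parameters
    for q in (1, 2, 3):
        print(f"q={q}: P(secure link) = {share_probability(pool, ring, q):.3f}")
        for x in (10, 50, 100):
            r = simulate_resilience(pool, ring, q, n_nodes=200, captured=x, trials=5)
            print(f"   captured={x:3d}: fraction of other links compromised = {r:.3f}")
```

Raising q lowers the chance that two neighbours can form a link at all, but it also forces the adversary to hold every shared key of a pair before that pair's link falls, so for small numbers of captured nodes the q-composite variant is markedly more resilient.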


Applied Cryptography and Network Security | 2010

Trapdoor sanitizable signatures made easy

Dae Hyun Yum; Jae Woo Seo; Pil Joong Lee

A sanitizable signature scheme allows a signer to partially delegate signing rights on a message to another party, called a sanitizer. After the message is signed, the sanitizer can modify pre-determined parts of the message and generate a new signature on the sanitized message without interacting with the signer. At ACNS 2008, Canard et al. introduced trapdoor sanitizable signatures based on identity-based chameleon hashes, where the power of sanitization for a given signed message can be delegated to possibly several entities, by giving a trapdoor issued by the signer at any time. We present a generic construction of trapdoor sanitizable signatures from ordinary signature schemes. The construction is intuitively simple and answers the basic theoretic question about the minimal computational complexity assumption under which a trapdoor sanitizable signature exists; one-way functions imply trapdoor sanitizable signatures.

Collaboration


Co-authors of Dae Hyun Yum.

Top Co-Authors

Pil Joong Lee (Pohang University of Science and Technology)
Sung Je Hong (Pohang University of Science and Technology)
Jae Woo Seo (Pohang University of Science and Technology)
Jin Seok Kim (Pohang University of Science and Technology)
Alexandra Boldyreva (Georgia Institute of Technology)
Jin-Seok Kim (Agency for Defense Development)
Jong Kim (Pohang University of Science and Technology)
Yong Ho Hwang (Pohang University of Science and Technology)