Jung Yeon Hwang

Efficient Password-Based Group Key Exchange

Password-based authenticated group key exchange (denoted by PGKE) provides n parties holding a common human-memorable password with secure group communication. Most PGKE protocols proposed so far are inefficient since they require O(n) communication rounds where n is the number of group members. In the paper, we propose the first 2-round PGKE protocol with 3-exponentiations required per user and prove its security in the random oracle model and the ideal cipher model under the intractability of the decision Diffie-Hellman problem and computation Diffie-Hellman problem. The proposed protocol also provides forward secrecy.

ID-Based Authenticated Group Key Agreement Secure against Insider Attacks

In 2004, Choi et al. proposed an ID-based authenticated group key agreement. Unfortunately, their protocol was found to be vulnerable to the insider attacks by Zhang, Chen and Shim. To prevent insider attacks, Shim presented a modification of Choi et al.s protocol. In this letter, we first show that Shims modification is still insecure against insider attacks. We then present a modification of Choi et al.s protocol that resists insider attacks. The counter-measure uses an ID-based signature on transcripts in order to bind them in a session. This prevents any replay of transcripts. Especially, by applying ID-based batch verification, the proposed one still consists of two rounds and is computationally efficient.

Generic transformation for scalable broadcast encryption schemes

Broadcast encryption schemes allow a message sender to broadcast an encrypted data so that only legitimate receivers decrypt it. Because of the intrinsic nature of one-to-many communication in broadcasting, transmission length may be of major concern. Several broadcast encryption schemes with good transmission overhead have been proposed. But, these broadcast encryption schemes are not practical since they are greatly sacrificing performance of other efficiency parameters to achieve good performance in transmission length. In this paper we study a generic transformation method which transforms any broadcast encryption scheme to one suited to desired application environments while preserving security. Our transformation reduces computation overhead and/or user storage by slightly increasing transmission overhead of a given broadcast encryption scheme. We provide two transformed instances. The first instance is comparable to the results of the “stratified subset difference (SSD)” technique by Goodrich et al. and firstly achieves

Digital signature schemes with restriction on signing capability

\mathcal{O}(log n)

Identity-Based Ring Signature Schemes for Multiple Domains

storage,

Security weakness in an authenticated group key agreement protocol in two rounds

\mathcal{O}(log n)

An Anonymous Asymmetric Public Key Traitor Tracing Scheme

computation, and

Impersonation Attack on a Strong ID-Based Key Distribution

\mathcal{O}(\frac{log n}{log log n}r)

Constructing Strong Identity-Based Designated Verifier Signatures with Self-Unverifiability

transmission, at the same time, where n is the number of users and r is the number of revoked users. The second instance outperforms the “one-way chain based broadcast encryption” of Jho et al., which is the best known scheme achieving less than r transmission length with reasonable communication and storage overhead.

Scalable key exchange transformation: From two-party to group

In some practical circumstances, the ability of a signer should be restricted. In group signature schemes, a group member may be allowed to generate signatures up to a certain number of times according to his/her position in the group. In proxy signature schemes, an original signer may want to allow a proxy signer to generate a certain number of signatures on behalf of the original signer. In the paper, we discuss signature schemes, called c-times signature schemes, that restrict the signing ability of a signer up to c times for pre-defined value c at set-up. We formally define the notion and the security model of c-times signature schemes. In fact, c-times signature schemes can be classified into two types according to restriction features: one with an explicit limitation, called a c-times signature scheme, and the other with an implicit limitation, called an implicit c-times signature scheme. We present two instances of implicit c-times signature schemes and then give proofs of the security. For one instance we suggest cS which is a composition of a signature scheme S based on the discrete logarithm and Feldmans VSS. For the other we present cDSA based on DSA. Our basic approach can be applied to signature schemes such as HVZK based signature schemes.