Raylin Tso
National Chengchi University
Publication
Featured research published by Raylin Tso.
Journal of Systems and Software | 2012
Raylin Tso; Xinyi Huang; Willy Susilo
Highlights: We introduce a new efficient and secure short certificateless signature scheme. It is strongly unforgeable. The security is based on the CDH assumption. The proposed scheme is provably secure against a relatively stronger adversary. Short certificateless signatures have come into the limelight in recent years. On the one hand, the certificateless property eliminates the certificate management problem in traditional PKI and the key-escrow problem in some ID-based signature schemes. On the other hand, due to the short signature length, short certificateless signatures can be applied to systems where signatures are typed in by humans or to systems with low-bandwidth channels and/or low computation power, such as PDAs or cell phones. However, there has been a trade-off between short certificateless signature schemes and their security levels. All existing short certificateless signature schemes can only be proven secure against a normal type of adversary rather than a stronger one, who can obtain valid certificateless signatures under public keys replaced by the adversary. In this paper, we solve this open problem by giving an efficient strongly secure short certificateless signature scheme. The proposed scheme has the following features. Firstly, it is strongly unforgeable. Secondly, the security can be reduced to the Computational Diffie-Hellman (CDH) assumption, a classic complexity assumption. Lastly, the proposed scheme is provably secure against adversaries with access to a super signing oracle which generates valid certificateless signatures on messages and public keys chosen by the adversary (without providing the corresponding secret values).
The Journal of Supercomputing | 2011
Raylin Tso; Xun Yi; Xinyi Huang
The notion of certificateless cryptography is aimed at eliminating the use of certificates in traditional public key cryptography and also at solving the key-escrow problem in identity-based cryptography. Many kinds of security models have been designed for certificateless cryptography and many new schemes have been introduced based on the corresponding security models. Generally speaking, a stronger security model can ensure a certificateless cryptosystem with a higher security level, but a realistic model can lead to a more efficient scheme. In this paper, we focus on the efficiency of a certificateless signature (CLS) scheme and introduce an efficient CLS scheme with short signature size. On one hand, the security of the scheme is based on a realistic model. In this model, an adversary is not allowed to get any valid signature under false public keys. On the other hand, our scheme is as efficient as the BLS short signature scheme in both communication and computation and, therefore, turns out to be more efficient than other CLS schemes proposed so far. We provide a rigorous security proof of our scheme in the random oracle model. The security of our scheme is based on the k-CAA hard problem and a newly discovered hard problem, namely the modified k-CAA problem. Our scheme can be applied to systems where signatures are typed in by humans or to systems with low-bandwidth channels and/or low computation power.
cryptology and network security | 2008
Raylin Tso; Xun Yi; Xinyi Huang
A certificateless signature (CLS) scheme with short signature size is proposed in this paper. Our scheme is as efficient as the BLS short signature scheme in both communication and computation, and therefore turns out to be more efficient than other CLS schemes proposed so far. We provide a rigorous security proof of our scheme in the random oracle model. The security of our scheme is based on the k-CAA hard problem and a newly discovered hard problem, namely, the modified k-CAA problem. Our scheme can be applied to systems where signatures are typed in by humans or to systems with low-bandwidth channels and/or low computation power, such as PDAs or cell phones.
cryptology and network security | 2007
Raylin Tso; Chunxiang Gu; Takeshi Okamoto; Eiji Okamoto
A digital signature with message recovery is a signature for which the message itself is not required to be transmitted together with the signature. Compared with other (non-short) digital signatures, it has the advantage of a small communication data size. This kind of signature scheme was widely investigated a decade ago, but no ID-based message recovery signature was proposed until 2005, by Zhang et al. Since, up to the present, no method can be used to shorten ID-based signatures directly, ID-based message recovery signatures are regarded as a useful method to shorten ID-based signatures, in contrast to proposing a short signature scheme. In this paper, two new ID-based signature schemes with message recovery are proposed. The first one can deal with messages of fixed length and the second one can deal with messages of arbitrary length. Similar to Zhang et al.'s schemes, our schemes show the idea of shortening ID-based signatures. However, our schemes are more efficient than Zhang et al.'s schemes. In addition, after comparing with Boneh et al.'s short signature (which is not ID-based), we find that although the communication cost is still a little larger than that of a short signature, the computational cost of our scheme is less than that of Boneh et al.'s short signature in the verification phase, and our schemes surpass a short signature scheme in having the ID-based property. Under the hardness of the k-BDHI problem, our schemes are proven secure in the random oracle model.
modeling decisions for artificial intelligence | 2005
Takeshi Okamoto; Raylin Tso; Eiji Okamoto
Cryptography is the ancient science of encrypting messages so that only the sender and receiver can recover them. To achieve this goal, an agreed key between the sender and receiver is required. In asymmetric cryptosystems, so far, only a few ID-based key agreement protocols are one-way, and most of them can only provide authentication of one entity to the other. In this paper, two ID-based one-way key agreement protocols are proposed. The advantage of our protocols is that the authentication of the sender and receiver is established at the same time although the key distribution is only one pass. In addition, the transmitted data size in our schemes is very small and the key agreement requires just one parameter. In this paper, an additional security attribute for key agreement protocols is defined and the rigorous security of our protocols is estimated. The performance is also analyzed by comparing our schemes with the previous schemes.
multimedia signal processing | 2013
Raylin Tso
Three-party password-authenticated key exchange (3PAKE) protocols allow two clients to establish secure communication channels over a public network merely by sharing a human-memorable (low-entropy) password with a trusted server. In this paper, we first show that the 3PAKE protocol introduced by Chang, Hwang, and Yang is insecure against even passive attackers. Thereafter, we propose two kinds of improvement that can remedy the security flaw in their protocol. Finally, we present simulations to measure the execution time to show the efficiency of our two improvements.
information security and cryptology | 2005
Raylin Tso; Takeshi Okamoto; Eiji Okamoto
We notice that a strong designated verifier signature (SDVS) scheme can easily be realized by any secure one-way, two-party authenticated key agreement scheme. So any SDVS scheme without lower communication/computation cost or enhanced security compared to these one-way, two-party authenticated key agreement schemes may have less advantage in practical use. In this paper, we introduce an SDVS scheme which realizes low communication/computation cost and is more efficient than current one-way key agreement schemes and SDVS schemes. In addition, we show how to remove a hash function used in this scheme; in this modified scheme, enhanced security is provided such that the consistency of a signature cannot be ascertained by any third party even if the signer's private key is revealed. We prove the security of our schemes in the random oracle model.
Security and Communication Networks | 2015
Yu-Chi Chen; Raylin Tso; Masahiro Mambo; Kaibin Huang; Gwoboa Horng
Certificateless public key cryptography (CL-PKC) is a cryptosystem solving the key escrow problem of identity-based cryptography. One of the applications of CL-PKC is certificateless aggregate signature (CLAS), which in practice can be used to efficiently verify concealed data aggregation in wireless sensor networks. CLAS is referred to as an extension of certificateless signature, which in particular performs verification of many signatures efficiently. Therefore, not only have plenty of CLAS schemes been proposed, but security models of CLAS have also been introduced in the literature. Recently, some CLAS schemes have been extended from specific certificateless signature (CLS) schemes. However, we found that two CLS schemes and their corresponding CLAS schemes are not secure. In this paper, we simplify the relation between the security definitions of CLS and CLAS. Then, a new CLAS scheme is proposed, which combines the advantages of both certificateless cryptography and aggregate signature. Moreover, our scheme only depends on a constant number of pairing operations to verify a large number of signatures at a time, because pairing is a complicated operation with high computational cost.
international conference on information technology | 2007
Raylin Tso; Takeshi Okamoto; Eiji Okamoto
Signcryption is a new cryptographic primitive which simultaneously provides both confidentiality and authenticity. This paper proposes an improved signcryption scheme and a variant scheme providing message recovery. The first scheme is revised from an authenticated encryption scheme which has been found to have a security flaw. Our scheme solves the security flaw and provides an additional property called public verifiability of the signature. The second scheme is of the message recovery type. It surpasses most of the current signcryption schemes in the size of the signcrypted ciphertext. That is, in our second scheme, we require only two parameters, (r, s), with r ∈ Z_p and s ∈ Z_q, while most signcryption schemes require three parameters (c, r, s) with the additional parameter c ∈ Z_p. This second scheme is modified from an authenticated encryption scheme with message recovery and surpasses the underlying authenticated encryption scheme in the property of non-repudiation of origin.
international conference on information security and cryptology | 2003
Raylin Tso; Ying Miao; Eiji Okamoto
In a (k,n) Shamir's threshold scheme, if one or more of the n shares are fake, then the secret may not be reconstructed correctly by some sets of k shares. Supposing that at most t of the n shares are fake, Rees et al. (1999) described two algorithms to determine consistent sets of shares so that the secret can be reconstructed correctly from k shares in any of these consistent sets. In their algorithms, no honest participant can be absent and at least n-t shares must be pooled during the secret reconstruction phase. In this paper, we propose a modified algorithm for this problem so that the number of participants taking part in the secret reconstruction can be reduced to k+2t, and the number of shares that need to be pooled can be reduced to k+t in the best case and to at most k+2t in the others. Its efficiency is also investigated.
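The consistency argument behind the k+2t figure in the abstract above can be seen in a small worked example. The following Python code is an added illustration, not the algorithm of Rees et al. (1999) nor the one proposed in the paper: it implements a plain (k,n) Shamir scheme over a prime field (the 127-bit Mersenne prime modulus, the (3,5) parameters, the fixed random seed and the corrupted share are all constructed for the example), pools shares one at a time, and accepts a degree-(k-1) polynomial fitted through k pooled shares only when at least k+t pooled shares lie on it. A wrong polynomial can agree with at most k-1 honest shares plus t fakes, so the first candidate reaching k+t consistent shares is the true one; with no fakes among the first k+t shares the search stops at k+t pooled shares, and it never needs more than k+2t.

```python
"""Shamir (k, n) secret sharing with detection of fake shares.

Added illustration (not the Rees et al. 1999 algorithm, nor the paper's):
shows the consistency argument behind pooling at most k+2t shares when at
most t of them may be fake.
"""
import random
from itertools import combinations

P = 2**127 - 1  # prime field modulus (assumption; any prime > secret works)


def _poly_eval(coeffs, x):
    """Horner evaluation of a polynomial with coefficients [a0, a1, ...] mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def make_shares(secret, k, n, rng):
    """Dealer: random degree-(k-1) polynomial with a0 = secret, shares at x = 1..n."""
    coeffs = [secret % P] + [rng.randrange(1, P) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def interpolate(shares, x):
    """Lagrange interpolation through the given (x_i, y_i) points, evaluated at x."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def reconstruct(shares_in_order, k, t):
    """Pool shares one at a time; stop as soon as a consistent set is found.

    Returns (secret, shares_pooled, fake_shares) or None if no consistent
    set exists among the first k+2t shares (more than t fakes). Soundness:
    a wrong degree-(k-1) polynomial meets the true one in at most k-1 points,
    so it agrees with at most (k-1) honest + t fake = k+t-1 pooled shares,
    while the true polynomial agrees with every honest share. Hence the first
    candidate with >= k+t consistent shares is the true one.
    """
    pool = []
    for share in shares_in_order:
        pool.append(share)
        if len(pool) < k + t:
            continue
        for subset in combinations(pool, k):
            subset = list(subset)
            consistent = [s for s in pool if interpolate(subset, s[0]) == s[1]]
            if len(consistent) >= k + t:
                fakes = [s for s in pool if s not in consistent]
                return interpolate(subset, 0), len(pool), fakes
        if len(pool) >= k + 2 * t:
            break
    return None


def demo(corrupt_x=None):
    """(3,5) scheme tolerating t=1 fake; optionally corrupt the share at x=corrupt_x."""
    rng = random.Random(7)  # fixed seed: constructed, reproducible sample
    k, t, n = 3, 1, 5
    secret = 123456789
    shares = make_shares(secret, k, n, rng)
    if corrupt_x is not None:
        # constructed fake share: participant corrupt_x submits a wrong y value
        shares = [(x, (y + 1) % P if x == corrupt_x else y) for x, y in shares]
    return secret, reconstruct(shares, k, t)


if __name__ == "__main__":
    print(demo())    # honest run: recovered after k+t = 4 shares pooled
    print(demo(2))   # share 2 faked: needs all k+2t = 5, share 2 flagged as fake
```

The exhaustive search over k-subsets is fine for the toy parameters here; the paper's contribution concerns doing this efficiently, which this example does not attempt to reproduce.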