S. Sree Vivek

Identity based public verifiable signcryption scheme

Signcryption as a cryptographic primitive that offers both confidentiality and authentication simultaneously. Generally, in signcryption schemes, the message is hidden and thus the validity of the signcryption can be verified only after the unsigncryption process. Thus, a third party will not be able to verify whether the signcryption is valid or not. Signcryption schemes that allow any one to verify the validity of signcryption without the knowledge of the message are called public verifiable signcryption schemes. Third party verifiable signcryption schemes allow the receiver of a signcryption, to convince a third party that the signcryption is valid, by providing some additional information along with the signcryption. This information can be anything other than the receivers private key and the verification may or may not require the exposure of the corresponding message. This paper shows the security weaknesses in two such existing schemes namely [14] and [4]. The scheme in [14] is Public Key Infrastructure (PKI) based scheme and the scheme in [4] is an identity based scheme. More specifically, [14] is based on elliptic curve digital signature algorithm (ECDSA). We also, provide a new identity based signcryption scheme that provides both public verifiability and third party verification. We formally prove the security of the newly proposed scheme in the random oracle model.

An Efficient Identity-Based Signcryption Scheme for Multiple Receivers

This paper puts forward a new efficient construction for Multi-Receiver Signcryption in the Identity-based setting. We consider a scenario where a user wants to securely send a message to a dynamically changing subset of the receivers in such a way that non-members of this subset cannot learn the message. One obvious solution is to signcrypt the message to each member of the subset and transmit it to each of them individually. This requires a very long transmission (the number of receivers times the length of the message) and high computation cost. Another simple solution is to provide a key for every possible subset of receivers. This requires every user to store a huge number of keys. In this case, the storage efficiency is compromised. The goal of this paper is to provide a solution which is efficient in all three measures i.e. transmission length, storage of keys and computation at both ends. We propose a new scheme that achieves both confidentiality and authenticity simultaneously in this setting and is the most efficient scheme to date, in the parameters described above. It breaks the barrier of ciphertext length of linear order in the number of receivers, and achieves constant sized ciphertext, independent of the size of the receiver set. This is the first Multi-receiver Signcryption scheme to do so. We support the scheme with security proofs in the random oracle model under precisely defined security model.

Identity Based Aggregate Signcryption Schemes

An identity-based signature scheme allows any pair of users to communicate securely and to verify each others signatures without exchanging public key certificates. For achieving both confidentiality and authenticity simultaneously, signcryption schemes are used. An aggregate signature scheme is a digital signature scheme that supports aggregation of individual signatures. Given n signatures on n distinct messages signed by n distinct users, it is possible to aggregate all these signatures into a single signature. This signature will convince the verifier that all the n signers have signed the corresponding n messages. In this paper, we introduce the concept of aggregate signcryption which achieves confidentiality, authentication and aggregation efficiently. This helps in improving the communication and the computation efficiency. Also, we extend the scheme to achieve public verifiability with very efficient aggregate verification, that uses fixed number of pairings.

Efficient and Provably Secure Certificateless Multi-receiver Signcryption

Certificateless cryptography aims at combining the advantages of identity based and public key cryptography, so as to avoid the key escrow problem inherent in the identity based system and cumbersome certificate management in public key infrastructure. Signcryption achieves confidentiality and authentication simultaneously in an efficient manner. Multi-receiver signcryption demands signcrypting the same message efficiently for a large number of receivers. In this paper, we propose the first efficient certificateless multi-receiver signcryption scheme and prove it secure in the random oracle model. Our scheme does not require pairing to signcrypt a message for any number of receivers. We are considering a more realistic adversarial model and proving the security against insider attacks, which guarantees non-repudiation and forward secrecy.

Cryptanalysis of certificateless signcryption schemes and an efficient construction without pairing

Certificateless cryptography introduced by Al-Riyami and Paterson eliminates the key escrow problem inherent in identity based cryptosystems. Even though building practical identity based signcryption schemes without bilinear pairing are considered to be almost impossible, it will be interesting to explore possibilities of constructing such systems in other settings like certificateless cryptography. Often for practical systems, bilinear pairings are considered to induce computational overhead. Signcryption is a powerful primitive that offers both confidentiality and authenticity to noteworthy messages. Though some prior attempts were made for designing certificateless signcryption schemes, almost all the known ones have security weaknesses. Specifically, in this paper we demonstrate the security weakness of the schemes in [2], [1] and [6]. We also present the first provably secure certificateless signcryption scheme without bilinear pairing and prove it in the random oracle model.

Certificateless KEM and hybrid signcryption schemes revisited

Often authentication and confidentiality are required as simultaneous key requirements in many cryptographic applications. The cryptographic primitive called signcryption effectively implements the same and while most of the public key based systems are appropriate for small messages, hybrid encryption (KEM-DEM) provides an efficient and practical way to securely communicate very large messages. The concept of certificateless hybrid signcryption has evolved by combining the ideas of signcryption based on tag-KEM and certificateless cryptography. Recently, Lippold et al. [14] proposed a certificateless KEM in the standard model and the first certificateless hybrid signcryption scheme was proposed by Fagen Li et al. [16]. In this paper, we show that [14] is not Type-I CCA secure and [16] is existentially forgeable. We also propose an improved certificateless hybrid signcryption scheme and formally prove the security of the improved scheme against both adaptive chosen ciphertext attack and existential forgery in the appropriate security model for certificateless hybrid signcryption.

Identity-based deterministic signature scheme without forking-lemma

Since the discovery of identity based cryptography, a number of identity based signature schemes were reported in the literature. Although, a lot of identity based signature schemes were proposed, the only identity based deterministic signature scheme was given by Javier Herranz. This signature scheme uses Schnorr signature scheme for generating the private key of the users and uses BLS short signature scheme for generating users signature. The security of this scheme was proved in the random oracle model using forking lemma. In this paper, we introduce a new identity based deterministic signature scheme and prove the security of the scheme in the random oracle model, without the aid of forking lemma. Hence, our scheme offers tighter security reduction to the underlying hard problem than the existing identity based deterministic signature scheme.

Identity based online/offline encryption and signcryption schemes revisited

Consider the situation where a low power device with limited computational power has to perform cryptographic operation in order to do secure communication to the base station where the computational power is not limited. The most obvious way is to split each and every cryptographic operations into resource consuming, heavy operations and the fast light weight operations. This concept can be efficiently implemented through online/offline cryptography. In this paper, we show the security weakness of an identity based online offline encryption scheme proposed in ACNS 09 by Liu et al. [9]. The scheme in [9] is the first identity based online offline encryption scheme in the random oracle model, in which the message and recipient are not known during the offline phase. We have shown that this scheme is not CCA secure. We have also proposed a new identity based online offline encryption scheme in which the message and receiver are not known during the offline phase and is efficient than the scheme in [9]. Online/Offline signcryption is a cryptographic primitive where the signcryption process is divided into two phases - online and offline phase. To the best of our knowledge there exists three online/offline signcryption schemes in the literature: we propose various attacks on two of the existing schemes. Then, we present an efficient and provably secure identity based online/offline signcryption scheme. We formally prove the security of the new scheme in the random oracle model.

Conditional Proxy Re-Encryption - A More Efficient Construction

In a proxy re-encryption (PRE) scheme, Alice gives a special information to a proxy that allows it to transform messages encrypted under Alice’s public key into a encryption under Bob’s public key such that the message is not revealed to the proxy. In [14], Jian Weng and others introduced the notion of conditional proxy re-encryption (C-PRE) and proposed a system using bilinear pairings. Later, a break for the same was published in [17] and a new C-PRE scheme with bilinear pairings was introduced. In C-PRE, the proxy also needs to have the right condition key to transform the ciphertext (associated with a condition set by Alice) under Alice’s public key into ciphertext under Bob’s public key, so that Bob can decrypt it. In this paper, we propose an efficient C-PRE scheme which uses substantially less number of bilinear pairings when compared to the existing one [17]. We then prove its chosen-ciphertext security under modified Computational Diffie-Hellman (mCDH) and modified Computational Bilinear Diffie-Hellman (mCBDH) assumptions in the random oracle model.

On the Security of Identity Based Ring Signcryption Schemes

Signcryption is a cryptographic primitive which offers authentication and confidentiality simultaneously with a cost lower than signing and encrypting the message independently. Ring signcryption enables a user to signcrypt a message along with the identities of a set of potential senders (that includes him) without revealing which user in the set has actually produced the signcryption. Thus a ring signcrypted message has anonymity in addition to authentication and confidentiality. Ring signcryption schemes have no group managers, no setup procedures, no revocation procedures and no coordination: any user can choose any set of users (ring), that includes himself and signcrypt any message by using his private and public key as well as other users (in the ring) public keys, without getting any approval or assistance from them. Ring Signcryption is useful for leaking trustworthy secrets in an anonymous, authenticated and confidential way. To the best of our knowledge, seven identity based ring signcryption schemes are reported in the literature. Two of them were already proved to be insecure in [1] and [2]. In this paper, we show that four among the remaining five schemes do not provide confidentiality, to be specific, two schemes are not secure against chosen plaintext attack and other two schemes do not provide adaptive chosen ciphertext security. We then propose a new scheme and formally prove the security of the new scheme in the random oracle model. A comparison of our scheme with the only existing correct scheme by Huang et al. shows that our scheme is much more efficient than the scheme by Huang et al.