Wenbo Mao
Hewlett-Packard
Publication
Featured research published by Wenbo Mao.
The Cryptographers' Track at the RSA Conference | 2003
John Malone-Lee; Wenbo Mao
Identity-based public key encryption facilitates easy introduction of public key cryptography by allowing an entity's public key to be derived from an arbitrary identification value, such as name or email address. The main practical benefit of identity-based cryptography is in greatly reducing the need for, and reliance on, public key certificates. Although some interesting identity-based techniques have been developed in the past, none are compatible with popular public key encryption algorithms (such as El Gamal and RSA). This limits the utility of identity-based cryptography as a transitional step to full-blown public key cryptography. Furthermore, it is fundamentally difficult to reconcile fine-grained revocation with identity-based cryptography. Mediated RSA (mRSA) [9] is a simple and practical method of splitting an RSA private key between the user and a Security Mediator (SEM). Neither the user nor the SEM can cheat one another since each cryptographic operation (signature or decryption) involves both parties. mRSA allows fast and fine-grained control of users' security privileges. However, mRSA still relies on conventional public key certificates to store and communicate public keys. In this paper, we present IB-mRSA, a simple variant of mRSA that combines identity-based and mediated cryptography. Under the random oracle model, IB-mRSA with OAEP [7] is shown as secure (against adaptive chosen ciphertext attack) as standard RSA with OAEP. Furthermore, IB-mRSA is simple, practical, and compatible with current public key infrastructures.
The Cryptographers' Track at the RSA Conference | 2003
Steven D. Galbraith; Wenbo Mao
A proxy signature enables the original signer to delegate her signing capability to a proxy entity, who signs a message on behalf of the original signer. In this paper, we discuss the necessity of a secure channel in proxy signatures. Though establishing a secure channel has much influence on the efficiency of the scheme, to the best of our knowledge, this topic has not been discussed before. All known proxy signatures used a secure channel to deliver a signed warrant except one which used a 3-pass weak blind signature. However, the KPW scheme [2] appeared to be secure without the secure channel. We think that our result can contribute to designing more efficient proxy signature schemes.
Applied Cryptography and Network Security | 2004
Colin Boyd; Wenbo Mao; Kenneth G. Paterson
A family of authenticators based on static shared keys is identified and proven secure. The authenticators can be used in a variety of settings, including identity-based ones. Application of the authenticators to Diffie-Hellman variants in appropriate groups leads to authenticated key agreement protocols which have attractive properties in comparison with other proven-secure protocols. We explore two key agreement protocols that result.
Theory and Application of Cryptographic Techniques | 1994
Colin Boyd; Wenbo Mao
In the past few years a lot of attention has been paid to the use of special logics to analyse cryptographic protocols, foremost among these being the logic of Burrows, Abadi and Needham (the BAN logic). These logics have been successful in finding weaknesses in various examples. In this paper a limitation of the BAN logic is illustrated with two examples. These show that it is easy for the BAN logic to approve protocols that are in practice unsound.
IEEE Computer Security Foundations Symposium | 1993
Wenbo Mao; Colin Boyd
The pioneering and well-known work of M. Burrows, M. Abadi and R. Needham (1989), (the BAN logic) which dominates the area of security protocol analysis is shown to take an approach which is not fully formal and which consequently permits approval of dangerous protocols. Measures to make the BAN logic formal are then proposed. The formalisation is found to be desirable not only for its potential in providing rigorous analysis of security protocols, but also for its readiness for supporting a computer-aided fashion of analysis.
The Cryptographers' Track at the RSA Conference | 2002
Steven D. Galbraith; Wenbo Mao; Kenneth G. Paterson
Gennaro, Krawczyk and Rabin gave the first undeniable signature scheme based on RSA signatures. However, their solution required the use of RSA moduli which are a product of safe primes. This paper gives techniques which allow RSA-based undeniable signatures for general moduli.
Selected Areas in Cryptography | 2001
Wenbo Mao
Let $n$ be a large composite number. Without factoring $n$, the computation of $a^{2^t} \pmod{n}$ given $a$, $t$ with $\gcd(a, n) = 1$ and $t < n$ can be done in $t$ squarings modulo $n$. For $t \ll n$ (e.g., $n \geq 2^{1024}$ and $t < 2^{100}$), no lower complexity than $t$ squarings is known to fulfill this task. Rivest et al suggested to use such constructions as good candidates for realising timed-release crypto problems. We argue the necessity for a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in $\log_2 t$ standard crypto operations, the correctness of $(a^e)^{2^t} \pmod{n}$ with respect to $a^e$ where $e$ is an RSA encryption exponent. With such a proof, a Timed-release Encryption of a message $M$ can be given as $a^{2^t} M \pmod{n}$ with the assertion that the correct decryption of the RSA ciphertext $M^e \pmod{n}$ can be obtained by performing $t$ squarings modulo $n$ starting from $a$. Timed-release RSA signatures can be constructed analogously.
International Workshop on Security | 2003
Colin Boyd; Wenbo Mao; Kenneth G. Paterson
We propose two public-key schemes to achieve “deniable authentication” for the Internet Key Exchange (IKE). Our protocols can be implemented using different concrete mechanisms and we discuss different options; in particular we suggest solutions based on elliptic curve pairings. The protocol designs use the modular construction method of Canetti and Krawczyk which provides the basis for a proof of security. Our schemes can, in some situations, be more efficient than existing IKE protocols as well as having stronger deniability properties.
Public Key Cryptography | 1998
Wenbo Mao
A fair public-key cryptosystem consists of multi-party protocols in which a plural number of participants (shareholders) are involved in receiving and verifying distributed shares. It will be desirable if multiparty protocols can be streamlined into two-party ones without lowering the quality of fairness: secret is still shared among many (more than two) parties. In this paper we propose a scheme that distributes secret shares of the factorization of an integer to multi-parties without their participation in the protocols for share distribution and verification. A single verifier suffices to verify the correctness of the shares using the public keys of the off-line shareholders. Due to the universal verifiability, a guaranteed correctness of secret sharing is achieved without relying on the honesty of the verifier.
International Workshop on Security | 2005
Liqun Chen; Hoon Wei Lim; Wenbo Mao
We examine security protocols for the Grid Security Infrastructure (GSI) version 2 and identify a weakness of poor scalability as a result of GSI’s authentication framework requiring heavy interactions between a user-side client machine and resource suppliers. We improve the GSI architecture and protocols by proposing an alternative authentication framework for GSI, which uses dynamic public/private key pairs to avoid frequent communications to a significant extent. The improvement to the GSI security protocols is enabled by a novel application of an emerging cryptographic technique from bilinear pairings.