Authenticated encryption schemes with message linkages for message flows

Two efficient authenticated encryption schemes with message linkages are proposed. One is a basic scheme, that it has the better performance in comparison with the all previously proposed schemes in terms of the communication and the computation costs. However, it has a property as same as the previously proposed schemes, that the message blocks can be recovered only after the entire signature blocks have been received. Therefore, the basic scheme is applicable to encrypt all-or-nothing flow. Thus, we improve the basic scheme and also propose a generalized scheme, which allows the receiver to recover the partial message blocks before receiving the entire signature blocks. That is, the receiver may perform the receiving and the recovering processes simultaneously. Therefore, the generalized scheme is applicable to message flows. The generalized scheme requires smaller bandwidth and computational time as compared to the previously proposed authenticated encryption schemes with message linkages for message flows.     

A new convertible authenticated encryption scheme with message linkages

In this article, we present an authenticated encryption scheme with message linkages used to deliver a large message. To protect the receiver’s benefit, the receiver can easily convert the signature into an ordinary one that can be verified by anyone. Several feasible attacks will be discussed, and the security analysis will prove that none of them can successfully break the proposed scheme.     

Breaking the Shin-Shin-Rhee remotely keyed encryption schemes

Remotely keyed encryption (RKE) schemes provide fast symmetric encryption and decryption using a small-bandwidth security module and a powerful host. Such schemes keep the key inside the security module to prevent key compromise.Shin, Shin, and Rhee proposed a length-preserving as well as a length-increasing RKE scheme that both use only a single round of interaction between host and security module. With the length-preserving scheme they claim to answer an open problem of Blaze, Feigenbaum, and Naor.However, in the present paper we show that both their schemes are completely insecure. Further, we present heuristic arguments on why a one-round length-preserving RKE scheme might be impossible.     

Improvements of generalization of threshold signature and authenticated encryption for group communications

Recently, Wang et al. proposed a (t,n) threshold signature scheme with (k,l) threshold shared verification and a group-oriented authenticated encryption scheme with (k,l) threshold shared verification. However, this article will show that both the schemes violate the requirement of the (k,l) threshold shared verification. Further, two improvements are proposed to eliminate the pointed out security leaks inherent in the original schemes.     

Improved convertible authenticated encryption scheme with provable security

Convertible authenticated encryption (CAE) schemes allow a signer to produce an authenticated ciphertext such that only a designated recipient can decrypt it and verify the recovered signature. The conversion property further enables the designated recipient to reveal an ordinary signature for dealing with a later dispute over repudiation. Based on the ElGamal cryptosystem, in 2009, Lee et al. proposed a CAE scheme with only heuristic security analyses. In this paper, we will demonstrate that their scheme is vulnerable to the chosen-plaintext attack and then further propose an improved variant. Additionally, in the random oracle model, we prove that the improved scheme achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA).     

Enhancements of authenticated multiple key exchange protocol based on bilinear pairings

Lee et al. [4] proposed two new authenticated multiple key exchange protocols based on Elliptic Curve Cryptography (ECC) and bilinear pairings. In this paper, we show an impersonation attack on their pairing-based authenticated key exchange protocol. We demonstrate that any attacker can impersonate an entity to share multiple session keys with another entity of his/her choice by using only the public key of the victim. Moreover, their protocol fails to provide perfect forward secrecy, despite of their claim to the contrary. Thus, we propose a simple modification to the original protocol which avoids our attack.     

A survey of certificateless encryption schemes and security models

This paper surveys the literature on certificateless encryption schemes. In particular, we examine the large number of security models that have been proposed to prove the security of certificateless encryption schemes and propose a new nomenclature for these models. This allows us to “rank” the notions of security for a certificateless encryption scheme against an outside attacker and a passive key generation centre, and we suggest which of these notions should be regarded as the “correct” model for a secure certificateless encryption scheme. We also examine the security models that aim to provide security against an actively malicious key generation centre and against an outside attacker who attempts to deceive a legitimate sender into using an incorrect public key (with the intention to deny the legitimate receiver that ability to decrypt the ciphertext). We note that the existing malicious key generation centre model fails to capture realistic attacks that a malicious key generation centre might make and propose a new model. Lastly, we survey the existing certificateless encryption schemes and compare their security proofs. We show that few schemes provide the “correct” notion of security without appealing to the random oracle model. The few schemes that do provide sufficient security guarantees are comparatively inefficient. Hence, we conclude that more research is needed before certificateless encryption schemes can be thought to be a practical technology.     

A Convertible Multi-Authenticated Encryption scheme for group communications

Recently, Wu et al. proposed a Convertible Multi-Authenticated Encryption (CMAE) scheme, which allows a signing group with multiple signers to generate a multi-authenticated ciphertext signature on the chosen message so that only a designated verifier can recover and verify the message. In case of later dispute, the verifier can convert the multi-authenticated ciphertext signature into an ordinary one that can be verified by anyone. In this study, a CMAE scheme for group communications is proposed. This is presented by first reviewing the concepts of group-oriented encryption schemes and the merits of Wu et al.’s scheme. This shows that not only can a multi-authenticated ciphertext signature be generated by a signing group, but also the message can be recovered and verified by a verifying group with multiple verifiers. The security of the proposed scheme is based solely on the DDH problem, which provides higher security confidence than using the CDH problem in Wu et al.’s CMAE scheme.     

Signature scheme with message recovery and its application

Recently Chen, [K. Chen, Signature with message recovery, Electronics Letters, 34(20) (1998) 1934], proposed a signature with message recovery. But Mitchell and Yeun [C. J. Mitchell and C. Y. Yeun, Comment - signature with message recovery, Electronics Letters, 35(3) (1999) 217] observed that Chen's scheme is only an authenticated encryption scheme and not a signature scheme as claimed. In this article, we propose a new signature scheme in the sense of Mitchell and Yeun and with message recovery feature. The designated verifier signature is introduced by Jakobsson et al. [M. Jakobsson, K. Sako, R. Impagliazzo, Designated verifier proofs and their applications, Proc. of Eurocrypt’96, LNCS 1070 (1996) pp. 143–154]. We propose a designated verifier signature scheme with non-repudiation of origin. We also give a protocol for a convertible designated verifier signature scheme with non-repudiation of origin. Both of these schemes are based on our proposed signature scheme with message recovery.     

Cryptanalysis of tripartite and multi-party authenticated key agreement protocols

Al-Riyami and Paterson proposed four authenticated tripartite key agreement protocols which make use of the Weil pairing. Recently, Lee et al. extended the protocols to a multi-party setting assuming the existence of cryptographic multilinear forms. In this paper we show that the tripartite and multi-party authenticated key agreement protocols are insecure against several active attacks.     

Security of Wang et al.''s group-oriented (t,n) threshold signature schemes with traceable signers

This paper describes a new forgery attack on the group-oriented (t,n) threshold signature schemes proposed by Wang et al. Our attack is more fundamental than Tseng–Jan's attack in the sense that it cannot be recognized or blocked at the designated clerk level of the signature schemes.     

基于Oracle模型的可认证加密协议安全性分析

密码算法的安全定义研究以及定义间的深入理解已经成为现代密码学的主要研究领域.然而,当前多数可认证加密方案缺乏必要的安全性分析,为了分析协议安全性,在IND-CPA概念基础上,对加密与MAC组合与先MAC后加密两种对称式的可认证加密协议予以分析,并分别用Oracle机方法给出了IND-CPA攻击下的安全性证明.结果表明加密与MAC组合方式不能保证IND-CPA安全,但先MAC后加密方式则可实现IND-CPA安全.     

A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges

Based on the computational Diffie-Hellman problem, this paper proposes an identity-based authenticated key agreement protocol which removes bilinear pairings. Compared with previous protocols, the new protocol minimizes message exchange time with no extra cost. The protocol provides strong security guarantees including key compromise impersonation resilience, perfect forward secrecy, and master key forward secrecy. A security proof with the modular approach in the modified Bellare-Rogaway model is also provided.     

Lightweight authenticated encryption for embedded on-chip systems

ABSTRACT

Embedded systems are routinely deployed in critical infrastructures nowadays, therefore their security is increasingly important. This, combined with the pressing requirement of deploying massive numbers of low-cost and low-energy embedded devices, stimulates the evolution of lightweight cryptography and other green-computing security mechanisms. New crypto-primitives are being proposed that offer moderate security and produce compact implementations. In this article, we present a lightweight authenticated encryption scheme based on the integrated hardware implementation of the lightweight block cipher PRESENT and the lightweight hash function SPONGENT. The presented combination of a cipher and a hash function is appropriate for implementing authenticated encryption schemes that are commonly utilized in one-way and mutual authentication protocols. We exploit their inner structure to discover hardware elements usable by both primitives, thus reducing the circuit’s size. The integrated versions demonstrate a 27% reduction in hardware area compared to the simple combination of the two primitives. The resulting solution is ported on a field-programmable gate array (FPGA) and a complete security application with input/output from a universal asynchronous receiver/transmitter (UART) gate is created. In comparison with similar implementations in hardware and software, the proposed scheme represents a better overall status.     

Tweakable enciphering schemes using only the encryption function of a block cipher

A new construction of block cipher based tweakable enciphering schemes (TES) is described. The major improvement over existing TESs is that the construction uses only the encryption function of the underlying block cipher. Consequently, this leads to substantial savings in the size of hardware implementation of TES applications such as disk encryption. This improvement is achieved without loss in efficiency of encryption and decryption compared to previously known schemes. We further show that the same idea can also be used with a stream cipher which supports an initialization vector (IV) leading to the first example of a TES from such a primitive.     

Universal forgery on Sekhar's signature scheme with message recovery

Owing to the abundance of electronic applications of digital signatures, many additional properties are needed. Recently, Sekhar [Sekhar, M. R. (2004). Signature scheme with message recovery and its application. Int. J. Comput. Math., 81(3), 285–289.] proposed three signature schemes with message recovery designed to protect the identity of the signer. In this setting, only a specific verifier can check the validity of a signature, and he can transmit this conviction to a third party. In this note, we show that this protocol is totally insecure, as it is universally forgeable under a no-message attack. In other words, we show that anyone can forge a valid signature of a user on an arbitrary message. The forged signatures are unconditionally indistinguishable (in an information theoretical sense) from properly formed signatures.     

两个公钥加密方案的安全性分析

广播加密和基于属性加密是两种重要的公钥加密方案,可将加密内容同时传送给多个用户,在付费电视、数字版权管理和资源访问控制等领域有重要应用。对一个基于身份广播加密方案进行了分析,表明攻击者只要得到某个用户的私钥,就可以计算其他任何用户的私钥。研究了一个基于属性加密方案,该方案并不能真正地隐藏访问结构,攻击者仅由密文就能得到对应的访问结构。     

Pirate decoder for the broadcast encryption schemes from Crypto 2005

In Crypto'05, Boneh et al. presented two broadcast encryption schemes. Their work has exciting achievements: the header (also called ciphertexts) and the private keys are of constant size. In their paper, they give an open question to construct a traitor tracing algorithm for their broadcast encryption schemes, and combine the two systems to obtain an efficient trace-and-revoke system. In this paper, we give a negative answer to their open question. More precisely, we show that three or more insider users are able to collude to forge a valid private key for pirate decoding against their schemes. Moreover, we prove that there exists no traitor tracing algorithm to identify the colluders. Our pirate decoding can also similarly be applied to Lee et al.'s broadcast encryption schemes in ISPEC'06.     

SEMD: Secure and efficient message dissemination with policy enforcement in VANET

Vehicular ad hoc network (VANET) is an increasing important paradigm, which not only provides safety enhancement but also improves roadway system efficiency. However, the security issues of data confidentiality, and access control over transmitted messages in VANET have remained to be solved. In this paper, we propose a secure and efficient message dissemination scheme (SEMD) with policy enforcement in VANET, and construct an outsourcing decryption of ciphertext-policy attribute-based encryption (CP-ABE) to provide differentiated access control services, which makes the vehicles delegate most of the decryption computation to nearest roadside unit (RSU). Performance evaluation demonstrates its efficiency in terms of computational complexity, space complexity, and decryption time. Security proof shows that it is secure against replayable choosen-ciphertext attacks (RCCA) in the standard model.     

Ciphertext verification security of symmetric encryption schemes

This paper formally discusses the security problem caused by the ciphertext verification,presenting a new security notion named IND-CVA(indistinguishability under ciphertext verification attacks) to characterize the privacy of encryption schemes in this situation. Allowing the adversary to access to both encryption oracle and ciphertext verification oracle,the new notion IND-CVA is slightly stronger than IND-CPA(indistinguishability under chosen-plaintext attacks) but much weaker than IND-CCA(indistinguisha...