A new convertible authenticated encryption scheme with message linkages

In this article, we present an authenticated encryption scheme with message linkages used to deliver a large message. To protect the receiver’s benefit, the receiver can easily convert the signature into an ordinary one that can be verified by anyone. Several feasible attacks will be discussed, and the security analysis will prove that none of them can successfully break the proposed scheme.     

Improvements of authenticated encryption schemes with message linkages for message flows

Recently, Tseng et al. proposed two authenticated encryption schemes (basic scheme and generalized scheme) with message linkages, which are efficient in terms of the communication and computation costs in comparison with all the previously proposed schemes. The basic authenticated encryption scheme suited for only after receiving the entire signature blocks, the recipient can then recover the message blocks. In order to allow the receiver to perform the receiving and the recovering processes simultaneously according to application requirements and the transmission efficiency of the network, the generalized authenticated encryption scheme was then proposed. In this paper, we show that both Tseng et al.’s authenticated encryption schemes do not achieve integrity and authentication. Improvements are then proposed to repair the weaknesses.     

Provably secure authenticated key exchange protocol under the CDH assumption

Constructing a secure key exchange protocol is one of the most challenging problems in information security. We propose a provably secure two-round two-party authenticated key exchange (2AKE) protocol based on the well-studied CDH assumption in eCK model to provide the strongest definition of security for key exchange protocol when using the matching session to define the partnership. The underlying hardness assumption (CDH assumption) of our protocol is weaker than these of four other provably secure 2AKE protocols in CK model or eCK model and the computational cost of our protocol is reasonable. We also present a three-round variant of our protocol to realize key conformation.     

Dynamic and efficient joint encryption scheme in the plain public key model

In this paper, we propose a joint encryption scheme (JES) based on discrete logarithms in the plain public key model, in which a sender can easily encrypt messages under the public keys of a group of recipients, so that only by collaborating together can all the recipients recover messages. Neither the size of the ciphertext nor the encryption computation depends on the number of the recipients. We show that the JES scheme is semantically secure against adaptive chosen ciphertext attacks in the random oracle model under the assumption of Computational Diffie-Hellman problems.     

Authenticated encryption schemes with message linkages for message flows

Two efficient authenticated encryption schemes with message linkages are proposed. One is a basic scheme, that it has the better performance in comparison with the all previously proposed schemes in terms of the communication and the computation costs. However, it has a property as same as the previously proposed schemes, that the message blocks can be recovered only after the entire signature blocks have been received. Therefore, the basic scheme is applicable to encrypt all-or-nothing flow. Thus, we improve the basic scheme and also propose a generalized scheme, which allows the receiver to recover the partial message blocks before receiving the entire signature blocks. That is, the receiver may perform the receiving and the recovering processes simultaneously. Therefore, the generalized scheme is applicable to message flows. The generalized scheme requires smaller bandwidth and computational time as compared to the previously proposed authenticated encryption schemes with message linkages for message flows.     

Provably secure identity-based authenticated key agreement protocols with malicious private key generators

Identity-based authenticated key agreement is a useful cryptographic primitive and has received a lot of attention. The security of an identity-based system relies on a trusted private key generator (PKG) that generates private keys for users. Unfortunately, the assumption of a trusted PKG (or a curious-but-honest PKG) is considered to be too strong in some situations. Therefore, achieving security without such an assumption has been considered in many cryptographic protocols. As a PKG knows the private keys of its users, man-in-the-middle attacks (MIMAs) from a malicious PKG is considered as the strongest attack against a key agreement protocol. Although securing a key agreement process against such attacks is desirable, all existent identity-based key agreement protocols are not secure under such attacks. In this paper, we, for the first time, propose an identity-based authenticated key agreement protocol resisting MIMAs from malicious PKGs that form a tree, which is a commonly used PKG structure for distributing the power of PKGs. Users are registered at a PKG in the tree and each holds a private key generated with all master keys of associated PKGs. This structure is much more efficient, in comparison with other existing schemes such as threshold-based schemes where a user has to register with all PKGs. We present our idea in two protocols. The first protocol is not secure against MIMAs from some kinds of malicious PKGs but holds all other desirable security properties. The second protocol is fully secure against MIMAs. We provide a complete security proof to our protocols.     

Certificateless undeniable signature scheme

In this paper, we present the first certificateless undeniable signature scheme. The scheme does not suffer from the key escrow problem, which is inherent in identity based cryptosystems. Also it can avoid the onerous management of certificates. Particularly, by using some cryptographic and mathematical techniques, we guarantee that the scheme’s two component protocols satisfy the properties of zero-knowledge proofs. To address the security issues, we extend security notions of undeniable signatures to the complex certificateless setting, and consider two different types of adversaries. Based on these formally defined security notions, we prove that in the random oracle model, the certificateless undeniable signature scheme is secure in the sense of existential unforgeability under the Bilinear Diffie-Hellman assumption, and is secure in the sense of invisibility under the Decisional Bilinear Diffie-Hellman assumption.     

New (t, n) threshold directed signature scheme with provable security

Directed signature scheme allows only a designated verifier to check the validity of the signature issued to him; and at the time of trouble or if necessary, any third party can verify the signature with the help of the signer or the designated verifier as well. Due to its merits, directed signature scheme is widely used in situations where the receiver’s privacy should be protected. Threshold directed signature is an extension of the standard directed signature, in which several signers may be required to cooperatively sign messages for sharing the responsibility and authority. To the best of our knowledge, threshold directed signature has not been well studied till now. Therefore, in this paper, we would like to formalize the threshold directed signature and its security model, then present a new (t, n) threshold directed signature scheme from bilinear pairings and use the techniques from provable security to analyze its security.     

An efficient ID-based cryptographic encryption based on discrete logarithm problem and integer factorization problem

ID-based encryption (identity-based) is a very useful tool in cryptography. It has many potential applications. The security of traditional ID-based encryption scheme wholly depends on the security of secret keys. Exposure of secret keys requires reissuing all previously assigned encryptions. This limitation becomes more obvious today as key exposure is more common with increasing use of mobile and unprotected devices. Under this background, mitigating the damage of key exposure in ID-based encryption is an important problem. To deal with this problem, we propose to integrate forward security into ID-based encryption. In this paper, we propose a new construction of ID-based encryption scheme based on integer factorization problem and discrete logarithm problem is semantically secure against chosen plaintext attack (CPA) in random oracle model. We demonstrate that our scheme outperforms the other existing schemes in terms of security, computational cost and the length of public key.     

Relations between semantic security and anonymity in identity-based encryption

Semantic security and anonymity are the two main properties that an identity-based encryption scheme can satisfy. Such properties can be defined in either an adaptive or a selective scenario, which differ on the moment where the attacker chooses the identity/ies that are the target of the attack. There are well-known separations between selective and adaptive semantic security on the one hand, and between selective and adaptive anonymity on the other hand.In this paper we investigate the relations between these selective and adaptive notions, for identity-based encryption schemes enjoying at the same time some security and anonymity properties. On the negative side, we prove that there is a separation between selective and adaptive anonymity even for schemes which enjoy adaptive semantic security. On the positive side, we prove that selective semantic security and adaptive anonymity imply adaptive semantic security.     

一种可证明安全的有效无证书签密方案

无证书密码体制消除了基于身份密码系统中固有的密钥托管问题,同时又克服了传统公钥密码系统中复杂的证书管理问题,它具有两者的优点。签密是一个通过数字签名和公钥加密而同时实现认证和保密的密码学原语,而它却比分别签名和加密具有更低的计算量。提出了一种可证安全的无证书签密方案,其只在解签密阶段需要两个双线性对计算,因而具有较高的效率。最后,在随机预言模型下利用困难问题假设证明了方案满足适应性选择密文攻击下的不可区分性以及适应性选择消息和身份攻击下的存在不可伪造性。     

改进同态图像秘密共享ElGamal ECC加密体制

针对Li等人提出的ElGamal椭圆加密体制进行改进,该方案不需要增加计算开销就能提高接收者验证图像正确性的能力.一旦接收者发现加密图像的某些块被污染或者窜改,可立即丢掉这个图像,不需要等到整个图像完全解密出来后才判断出此图像已损坏.结果表明本方案能够对图像快速处理,提高验证速度,减少计算开销.     

一个可证明安全的代理签名方案

代理签名是一方将自己签名的能力授权给另一方,是一种很重要的密码协议,目前已知的可证明安全的代理签名还很少。该文利用间隙Diffie—Hellman（GDH）群的特点构造了一个新的代理签名方案,新方案在随机预言模型下是可证明安全的。     

A note on an IND-CCA2 secure Paillier-based cryptosystem

Recently an IND-CCA2 secure Paillier-based cryptosystem has been proposed (Das and Adhikari, 2012 [1]). In this note we show that Das and Adhikari do not present any original result: their scheme is a rewriting of the well-known Fujisaki–Okamoto IND-CPA to IND-CCA2 transformation applied to the Paillier scheme.     

A design for cloud-assisted Fair-Play Management System of online contests with provable security

Contest hosting faces more fairness challenges and security risks from real to virtual. Malicious competitors are easier to perform false starts without preventing unfairness. Eavesdroppers have higher possibility to obtain any contest file without the intended right. The leakage of competitors’ identities is with higher probability. However online contest is popular for the convenience. It performs with diverse forms such as auctions, games and exams.With incremental requirements on fair-play, we build a new security model and propose the generally designed framework of Fair-Play Management System (FPMS) over clouds. Involving “cloud” as public storage will release much burden of real-time transmissions in networks, though it may double the security risks from outside. Moreover it is harder to guarantee to all competitors the synchronical start of a contest under inside attacks such as false starts. Facing challenges on confidentiality, anonymity and fairness simultaneously, we find that public-key encryption is more effective than symmetric-key encryption to support multiple data owners in a cloud. By leveraging a Randomness-reused Identity-Based Encryption (RIBE) scheme, FPMS can resist all mentioned attacks within a cloud-assisted environment, and support security towards multiple data owners that respectively host multiple contests. As a complement, the analysis on the provable security of FPMS is given finally, as well as a further analysis on the fair-play performance. Though transmission delay is hardly avoided under provable security requirements, the FPMP performs quasi synchronical with ignorable delay differences to deliver the start order.     

Signature scheme with message recovery and its application

Recently Chen, [K. Chen, Signature with message recovery, Electronics Letters, 34(20) (1998) 1934], proposed a signature with message recovery. But Mitchell and Yeun [C. J. Mitchell and C. Y. Yeun, Comment - signature with message recovery, Electronics Letters, 35(3) (1999) 217] observed that Chen's scheme is only an authenticated encryption scheme and not a signature scheme as claimed. In this article, we propose a new signature scheme in the sense of Mitchell and Yeun and with message recovery feature. The designated verifier signature is introduced by Jakobsson et al. [M. Jakobsson, K. Sako, R. Impagliazzo, Designated verifier proofs and their applications, Proc. of Eurocrypt’96, LNCS 1070 (1996) pp. 143–154]. We propose a designated verifier signature scheme with non-repudiation of origin. We also give a protocol for a convertible designated verifier signature scheme with non-repudiation of origin. Both of these schemes are based on our proposed signature scheme with message recovery.     

A provably secure short signature scheme based on discrete logarithms

We propose a short signature scheme whose security is closely related to the discrete logarithm assumption in the random oracle model. The new scheme offers a better security guarantee than existing discrete-logarithm-based signature schemes. The main advantage of this scheme over the DSA signature scheme is that it has a one-fourth reduction in both the signature length and the verification computation; the level of security is preserved. The new short signatures are needed to low-bandwidth communication, low-storage and low-computation environments, and particularly applicable to smart cards and wireless devices.     

Verifiable shuffles: a formal model and a Paillier-based three-round construction with provable security

A shuffle takes a list of ciphertexts and outputs a permuted list of re-encryptions of the input ciphertexts. Mix-nets, a popular method for anonymous routing, can be constructed from a sequence of shuffles and decryption. We propose a formal model for security of verifiable shuffles and a new verifiable shuffle system based on the Paillier encryption scheme, and prove its security in the proposed dmodel. The model is general and can be extended to provide provable security for verifiable shuffle decryption.This paper is the extended version of the paper [37] presented at ACNS ‘04.