Practical Signcryption (eBook)

Foreword 5
Preface 8
Contents 10
Contributors 15
Chapter 1 Introduction 17
1.1 Historical Development of Signcryption 17
1.1.1 Coded Modulation 17
1.1.2 Musings on Blending 18
1.1.3 Signcryption 21
1.1.4 Provably Secure Signcryption 23
1.2 Extensions, Standardization, and Future Research Directions 24
1.3 Notation and Security Notions 25
1.3.1 Algorithms and Assignment 26
1.3.2 Signature Schemes 27
1.3.3 Public Key Encryption 30
1.3.4 Symmetric Encryption 32
1.3.5 Message Authentication Codes 34
Part I Security Models for Signcryption 35
Chapter 2 Security for Signcryption: The Two-User Model 36
2.1 Introduction 36
2.2 Definition of Signcryption in the Two-User Setting 38
2.2.1 Two Security Notions in the Two-User Setting 38
2.2.2 Discussions on the Security Notions 43
2.3 Generic Compositions of Signature and Encryption 45
2.3.1 Construction 45
2.3.2 Security of the Parallel Composition Method 46
2.3.3 Security of the Sequential Composition Methods 47
2.4 Multi-user Setting 54
2.4.1 Syntax 54
2.4.2 Security 55
2.4.3 Extending Signcryption 55
Chapter 3 Security for Signcryption: The Multi-User Model 58
3.1 Introduction 58
3.2 The BSZ Model 59
3.2.1 Confidentiality of Signcryption in the Multi-User BSZ Model 59
3.2.2 Unforgeability of Signcryption in the Multi-User BSZ Model 62
3.2.3 Further Discussions on the Multi-User BSZ Model 65
3.3 Example: The Security of Zheng's Signcryption Scheme in the BSZ Model 66
Part II Signcryption Schemes 69
Chapter 4 Signcryption Schemes Based on the Diffie--Hellman Problem 70
4.1 Introduction 70
4.2 Diffie--Hellman Problems 71
4.3 Zheng's Construction and Its Variants 72
4.3.1 Zheng's Original Scheme 72
4.3.2 The Bao--Deng Modification 75
4.3.3 A Modification with Public Verifiability 75
4.4 An Encrypt-then-Sign Composition 76
4.5 A Scheme with Unforgeability Based on Factoring 77
4.6 Schemes with Non-repudiation 79
4.6.1 A DSA-Based Construction 79
4.6.2 A Scheme Built on Schnorr's Signature Scheme 80
4.7 The CM Scheme 81
Chapter 5 Signcryption Schemes Based on Bilinear Maps 83
5.1 Introduction 83
5.2 Bilinear Map Groups 84
5.3 Assumptions 85
5.4 Signcryption for Anonymous Communications 86
5.4.1 Message Privacy 87
5.4.2 Ciphertext Unforgeability and Signature Unforgeability 88
5.4.3 Anonymity 89
5.5 A Tightly Secure Scheme 90
5.5.1 The Scheme 90
5.5.2 Efficiency 91
5.5.3 Security 92
5.6 A Scheme with Short Detachable Signatures 98
5.6.1 Efficiency 100
5.6.2 Anonymous Communications 100
5.6.3 Security 101
Chapter 6 Signcryption Schemes Based on the RSA Problem 110
Alexander W. Dent and John Malone-Lee 110
6.1 Introduction 110
6.2 The RSA Transform 111
6.3 Dedicated RSA-Based Signcryption Schemes 112
6.4 Signcryption from Padding Schemes 113
6.4.1 Trapdoor Permutations 113
6.4.2 Extractable Commitments 113
6.4.3 Padding-Based Signcryption Schemes 115
6.4.4 Proof Intuition 120
6.5 Signcryption Based on RSA-TBOS 121
6.5.1 The TBOS Construction 121
6.5.2 Security Proof for the TBOS Signcryption Scheme 123
Part III Construction Techniques 129
Chapter 7 Hybrid Signcryption 130
7.1 Background 130
7.1.1 A Brief Word on Notation 132
7.2 Preliminaries 132
7.2.1 The Hybrid Framework 132
7.2.2 Security Criteria for Data Encapsulation Mechanisms 134
7.3 Hybrid Signcryption with Outsider Security 135
7.3.1 An Outsider-Secure Signcryption KEM 135
7.3.2 Security Criteria for Outsider-Secure SigncryptionKEMs 136
7.3.3 Security of the SKEM + DEM Construction 139
7.3.4 Outsider-Secure Hybrid Signcryption in Practice 142
7.4 Hybrid Signcryption with Insider Security 145
7.4.1 From Outsider to Insider Security 145
7.4.2 Signcryption Tag-KEMs 147
7.4.3 Security Criteria for Signcryption Tag-KEMs 149
7.4.4 Security of the SCTK+DEM Construction 152
7.4.5 Insider-Secure Hybrid Signcryption in Practice 155
Chapter 8 Concealment and Its Applications to Authenticated Encryption 157
8.1 Introduction 157
8.1.1 Domain Extension of Authenticated Encryption 158
8.1.2 Remotely Keyed Authenticated Encryption 160
8.2 Definition of Concealment 163
8.2.1 Syntax 163
8.2.2 Security of Concealment 164
8.2.3 Relaxed Concealments 165
8.2.4 Super-Relaxed Concealments 165
8.2.5 Comparison to Commitment 165
8.3 Constructing Concealment Schemes 166
8.3.1 Achieving Hiding 166
8.3.2 Achieving Binding 167
8.3.3 Necessity of Assumptions 170
8.4 Applications to Authenticated Encryption 171
8.4.1 Definition of Authenticated Encryption 172
8.4.2 Authenticated Encryption of Long Messages 174
8.4.3 Remotely Keyed Authenticated Encryption 177
Chapter 9 Parallel Signcryption 182
9.1 Introduction 182
9.2 Concept of Parallel Signcryption 182
9.3 Overview of Constructions 183
9.4 Generic Parallel Signcryption 185
9.4.1 Description of the Scheme 185
9.4.2 Security Analysis 187
9.5 Optimal Parallel Signcryption 192
9.5.1 Description of the Scheme 192
9.5.2 Security Analysis 194
Part IV Extensions of Signcryption 200
Chapter 10 Identity-Based Signcryption 201
10.1 Introduction 201
10.1.1 Identity-Based Cryptography 201
10.1.2 Advantages and Disadvantages 203
10.1.3 From IBE to Signcryption 205
10.1.4 Specifying an IBSC System 206
10.1.5 Concrete IBSC from Pairings 207
10.2 The Identity-Based Signcryption Primitive 208
10.3 Security Definitions 209
10.3.1 Message Confidentiality 212
10.3.2 Signature Non-repudiation 213
10.3.3 Ciphertext Unlinkability 214
10.3.4 Ciphertext Authentication 215
10.3.5 Ciphertext Anonymity 216
10.4 A Concrete IBSC Scheme 217
10.4.1 The Boneh--Franklin Framework 217
10.4.2 Fully Secure IBSC Construction 218
10.4.3 A Performance/Security Trade-Off 221
10.4.4 Signcrypting for Multiple Recipients 221
Chapter 11 Key Establishment Using Signcryption Techniques 223
11.1 Introduction 223
11.2 Formal Security Models for Key Establishment 225
11.2.1 Motivation 225
11.2.2 Sessions 226
11.2.3 The Formal Security Model 227
11.2.4 Entity Authentication 229
11.2.5 Forward Secrecy 230
11.2.6 Key Compromise Impersonation Attacks 230
11.2.7 Notation 230
11.3 Key Transport 231
11.4 Key Establishment Based on Zheng's Signcryption Scheme 232
11.5 Key Agreement Based on Signcryption KEMs 233
11.5.1 Key Agreement Based on Signcryption KEMs 235
11.5.2 Key Agreement Based on Signcryption Tag-KEMs 236
11.5.3 Security Proof for the Bjørstad--Dent Protocol 238
11.6 Key Establishment Based on Timestamps 245
Chapter 12 Applications of Signcryption 247
12.1 Application Fields of Signcryption 247
12.2 Example Applications of Signcryption 248
12.2.1 Secure Multicasting Over the Internet 249
12.2.2 Authenticated Key Recovery 252
12.2.3 Secure ATM Networks 254
12.2.4 Secure Routing for Mobile Ad Hoc Networks 255
12.2.5 Encrypted and Authenticated E-mail by Firewalls 257
12.2.6 Signcryption in Secure VoIP 258
12.2.7 Applications to Electronic Payment 259
References 263
Index 275