
Efficient Certificateless Signcryption

Diego Aranha, Rafael Castro, Julio López, Ricardo Dahab

Institute of Computing - UNICAMP

Funded by FAPESP, Grant No. 2007/06950-0


The problem

Providing confidentiality, authentication and non-repudiation to a message...
  Solution: Encrypt and sign!
...in a single efficient operation, preventing external influences.
  Solution: Signcrypt!


Public key cryptography models

Public Key Infrastructures (PKI)
  - Certificate authority issues certificates;
  - Users verify public key certificates;
  - Problem: High computational and storage requirements.

Identity-Based Cryptography (ID-PKC)
  - Central authority (PKG) generates private keys;
  - Public keys are identities (easy verification);
  - Problem: Private key escrow.

Certificateless Public Key Cryptography (CL-PKC)
  - Central authority (KGC) issues partial private keys;
  - Users combine partial keys with their own secrets;
  - Advantages: No key escrow and reduced costs.


Certificateless Public Key Cryptography

[Figure: message flow between Alice, Bob, the Key Generation Center and the public key Repository]

1. Bob generates and publishes his public key.
2. Alice obtains Bob's public key.
3. Alice encrypts the message with Bob's public key.
4. Alice sends the encrypted message to Bob.
5. Bob extracts his partial private key.
6. Bob combines his secret with the partial private key.
7. Bob decrypts the message with his private key.


CL-PKC Signcryption

There is already a CL-PKC signcryption protocol with a security reduction [Barbosa and Farshim], but it is not very efficient.

Contribution: Efficient protocol for signcryption under the Certificateless Public Key Cryptography model.


Bilinear pairings

Let $G_1$ and $G_2$ be additive groups such that $|G_1| = |G_2| = q$ and $G_T$ be a multiplicative group of order $q$. Let $P$ be the generator of $G_1$ and $Q$ the generator of $G_2$. A map $e : G_1 \times G_2 \to G_T$ is an admissible bilinear pairing if it satisfies:

1. Bilinearity: given $(V, W) \in G_1 \times G_2$ and $a, b \in \mathbb{Z}_q$, we have $e(aV, bW) = e(V, W)^{ab} = e(abV, W) = e(V, abW)$.
2. Non-degeneracy: $e(P, Q) \neq 1_{G_T}$.
3. Efficiency: the map can be computed efficiently.

Proposed CL-PKC Signcryption

Let $y_E = H_1(ID_E) \in \mathbb{Z}_q^*$.

Setup: KGC generates master key $s$, publishes $P \in G_1$, $Q \in G_2$, $g = e(P, Q)$ and $P_{pub} = sP$;
Extract: For user $E$, KGC issues the partial private key $D_E = (s + y_E)^{-1} Q$;
Keygen: User $E$ generates secret $x_E$ and computes its private key $S_E = x_E^{-1} D_E$ and public key $P_E = x_E (P_{pub} + y_E P)$.

We have $e(P_E, S_E) = g$.


Proposed CL-PKC Signcryption

User A wants to signcrypt $m$ for B.

Signcrypt:
  - A selects $r \in \mathbb{Z}_q^*$ and encrypts $C = m \oplus H_2(g^{r^{-1}})$;
  - A computes $h = H_3(C, rP_A, ID_A, r^{-1}P_B, ID_B)$;
  - A signs $T = (r + h)^{-1} S_A$;
  - A sends $(C, rP_A, r^{-1}P_B, T)$ to B.

Unsigncrypt:
  - B receives $(C, R, S, T)$;
  - B computes $h' = H_3(C, R, ID_A, S, ID_B)$;
  - B decrypts $m' = C \oplus H_2(e(S, S_B))$;
  - If $e(R + h'P_A, T) = g$, B accepts $m'$.
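
The algebra of Setup, Extract, Keygen, Signcrypt and Unsigncrypt can be checked end to end in a toy model. This is an added example, not the authors' code. Assumptions: group elements are stored as their discrete logs mod q (so the pairing becomes a multiplication and there is no security at all), q = 2^127 - 1, and SHA-256/SHAKE-256 stand in for H1, H2 and H3.

```python
# Toy "exponent model": aP in G1 and bQ in G2 are stored as a and b mod q, and
# g^c in GT as c, so e(aP, bQ) = g^(ab) becomes a*b mod q. This exposes every
# discrete log; it verifies the protocol algebra only and is not an implementation.
import hashlib, secrets

q = 2**127 - 1                      # prime group order (assumed toy parameter)
P = Q = g = 1                       # generators of G1, G2 and g = e(P, Q)

def e(V, W): return V * W % q
def inv(a): return pow(a, -1, q)
def H(tag, *parts):                 # domain-separated SHA-256 (stand-in hash)
    return hashlib.sha256(repr((tag, parts)).encode()).digest()
def H1(ident): return int.from_bytes(H(1, ident), "big") % (q - 1) + 1
def H2(gt, n): return hashlib.shake_256(H(2, gt)).digest(n)
def H3(*parts): return int.from_bytes(H(3, *parts), "big") % q
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def setup():                        # master key s, Ppub = sP
    s = secrets.randbelow(q - 1) + 1
    return s, s * P % q

def extract(s, ident):              # KGC: D_E = (s + y_E)^-1 Q
    return inv(s + H1(ident)) * Q % q

def keygen(Ppub, ident, D):         # S_E = x_E^-1 D_E, P_E = x_E (Ppub + y_E P)
    x = secrets.randbelow(q - 1) + 1
    return inv(x) * D % q, x * (Ppub + H1(ident) * P) % q

def signcrypt(m, idA, SA, PA, idB, PB):
    while True:
        r = secrets.randbelow(q - 1) + 1
        R, S = r * PA % q, inv(r) * PB % q
        C = xor(m, H2(inv(r) * g % q, len(m)))   # mask from g^(r^-1)
        h = H3(C, R, idA, S, idB)
        if (r + h) % q:             # retry if r + h is not invertible
            return C, R, S, inv(r + h) * SA % q

def unsigncrypt(ct, idA, PA, idB, SB):
    C, R, S, T = ct
    h = H3(C, R, idA, S, idB)
    if e((R + h * PA) % q, T) != g: # e(R + h'P_A, T) = g, public values only
        return None
    return xor(C, H2(e(S, SB), len(C)))  # e(S, S_B) = g^(r^-1)
```

The check in `unsigncrypt` uses only public values, so any party can run it; only recovering the message needs the recipient's private key.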


Efficiency

Operations

Algorithm     Protocol                 e    kP       g^x   a^-1   H
-----------   ----------------------   --   ------   ---   ----   --
Precomp.      [Barbosa and Farshim]    1    -        -     -      -
              Proposed                 -    -        -     -      -
Signcrypt     [Barbosa and Farshim]    -    3 + σ†   1     -      3
              Proposed                 -    3        1     2      2
Unsigncrypt   [Barbosa and Farshim]    4    1        -     -      3
              Proposed                 2    1        -     -      2

† Two of the scalar multiplications can be simultaneous.

Conclusions

The proposed protocol:
  - is more efficient than [Barbosa and Farshim];
  - is transferable (supports public verification of signcrypted messages);
  - does not have a security demonstration yet.

The protocol [Barreto et al.]:
  - is more efficient than the proposed protocol but not transferable;
  - can be transferable with equivalent performance.
