Signcryption --- The Road to an International Standard Yuliang Zheng University of North Carolina at Charlotte yzheng@uncc.edu July 31, 2013
Objectives of Cyber Security Confiden Integrity -tiality Availability 1
Goals of Cryptography: C + I • Confidentiality – Symmetric/private key encryption – Asymmetric/public key encryption • Integrity & Authenticity – Trusted parties --- symmetric/private key authentication – Untrusted parties --- asymmetric/public key authentication (digital signature, unforgeability) • Minimizing cost/overhead – Less computation (over large integers) Confiden – Smaller expansion in length Integrity -tiality (= less communication overhead) – Especially important for smartphones & portable devices w/ limited battery life Availability 2
In the Paper & Ink World: Signature followed by Seal To achieve: To achieve: authenticity confidentiality (unforgeability & non-repudiation) 3
In the Digital World: Digital Signature followed by Encryption • Step 1 --- Add Signature • Step 2 --- Do Encryption – Alice the sender signs a – Alice encrypts ( m , sig ) using message m using her secret AES with a random key k . key, i.e. creating sig on m . – Alice encrypts k using Bob’s public key. m mod exp mod exp m sig m sig k 4/65 4
Public Key Encryption Public Key Directory Bob’s Public Key (for encryption) Alice Bob Plain Text Cipher Text Cipher Text Plain Text Open E D Network Secret Key (for decryption) 5
Public Key Digital Signature Public Key Directory Bob’s Public Verification Key Cathy Bob Message Message 256 bits H 1-way hash H Open Network Accept S + 256 bits if satisfied Signature V Signature signature Secret generation Signing Key Public Key signature algorithm verification algorithm 6
Notable Public Key Techniques Public Key Encryption Digital Signature • Factorization based • Factorization based – RSA encryption – RSA signature – Rabin • Discrete log based • Discrete log based – ElGamal signature – Diffie-Hellman – DSA (US standard) – ElGamal encryption – Schnorr – Elliptic curve versions – Elliptic curve versions • Lattice based • Lattice based – NTRU encryption – NTRU signature 7
Signature-then-Encryption (based on Discrete Logarithm) EXP=3+2.17 encrypted using m a private key cipher with k sig g x used by the receiver to reconstruct k communication overhead 8
Cost of Signature-then-Encryption Cost Comp Cost Comm Overhead Schemes (No. of exp) (bits) RSA based sig-then-enc 2 + 2 |n a | + |n b | DL based Schnorr sig + 3 + 2.17 |hash| + |q| + |p| ElGamal enc (3 + 3) Both techniques require very high overhead! (your smartphone's battery runs out fast!) 9
Improving Efficiency • Can we do better than “signature followed by encryption” ? – For resource-constrained applications • Wireless mobile devices • Smart card applications • Can we learn from other disciplines such as – Coded modulation in communications (= error correcting codes + modulation) • Imai-Hirakawa block coded modulation • Ungerboeck trellis coded modulation 10
Communications System Source Security Error Corr Security Modulation Encoder (Authen) (Encoder) (Encryptor) Channel Source Security Error Corr Security Demodulation Decoder (Authen) (Decoder) (Decryptor) 11
Coded Modulation --- one of the hottest in 80’s Source Security Security Coded Modulation (encoder) Encoder (Authen) (Encryptor) Channel Source Security Security Coded Modulation (decoder) Decoder (Authen) (Decryptor) 12
Co-Design of Digital Signature and Public Key Encryption ? ? Source Security Security Coded Modulation (encoder) Encoder (Authen) (Encryptor) Channel ? Source Security Security Coded Modulation (decoder) Decoder (Authen) (Decryptor) 13
Goal: Signcryption (1996 @ Monash) • To achieve both – confidentiality – authenticity • unforgeability & • non-repudiation • With a significantly smaller comp. & comm. overhead: Cost (signcryption) << Cost (signature) + Cost (encryption) 14
Signcryption -- Public & Private Parameters • Public to all • Alice’s keys – Private key: 𝒚 𝒃 ∈ 𝑺 𝒂 𝒓 – p : a large prime – Public key: – q : a large prime 𝒛 𝒃 = 𝒉 𝒚 𝒃 𝐧𝐩𝐞 𝒒 factor of p-1 – g : 0<g<p & with order q mod p – Two 1-way hash functions: • Bob ’s keys • 𝑯: {𝟏, 𝟐} ∗ → {𝟏, 𝟐} 𝟑𝟔𝟕 – Private key: 𝒚 𝒄 ∈ 𝑺 𝒂 𝒓 • 𝑰: {𝟏, 𝟐} ∗ → 𝒂 𝒓 – Public key: – ( E,D ) : 𝒛 𝒄 = 𝒉 𝒚 𝒄 𝐧𝐩𝐞 𝒒 private-key encryption & decryption algorithms, with 256-bit keys 15
Signcryption Algorithm Signcryption by Alice: Unsigncryption by Bob: 𝒏 ⟹ (𝒅, 𝒔, 𝒕) (𝒅, 𝒔, 𝒕) ⟹ 𝒏 • Pick 𝒚 ∈ 𝑺 {𝟐, 𝟑, … , 𝒓 − 𝟐} • Recover 𝑼 : 𝑼 = 𝒛 𝒃 ∙ 𝒉 𝒔 𝒕∙𝒚 𝒄 𝐧𝐩𝐞 𝒒 • 𝑼 = 𝒛 𝒄𝒚 𝐧𝐩𝐞 𝒒 • 𝒍 = 𝑯(𝑼, 𝒛 𝒃 , 𝒛 𝒄 ) • 𝒔 = 𝑰(𝑼, 𝒏, 𝒛 𝒃 , 𝒛 𝒄 ) • 𝒏 = 𝑬 𝒍 (𝒅) • If 𝒔 + 𝒚 𝒃 = 𝟏 𝐧𝐩𝐞 𝒓 , • 𝒔′ = 𝑰(𝑼, 𝒏, 𝒛 𝒃 , 𝒛 𝒄 ) then start over again 𝒚 • if 𝒔′ = 𝒔 , then accept 𝒏 ; • 𝒕 = 𝒔+𝒚 𝒃 𝐧𝐩𝐞 𝒓 otherwise reject 𝒏 & • 𝒍 = 𝑯(𝑼, 𝒛 𝒃 , 𝒛 𝒄 ) indicate ERROR • 𝒅 = 𝑭 𝒍 (𝒏) • Send (𝒅, 𝒔, 𝒕) to Bob 16
Signcryption: Savings in Computation Computational Cost (# of multiplications, the smaller the better) 8000 7000 6000 5000 RSA sign-enc 4000 Schnorr + ELGamal 3000 DL Signcryption 2000 1000 0 1024 2048 4096 8190 |p|=|n| 17
Signcryption: Savings in Communication Communication Overhead (# of bits, the smaller the better) 25000 20000 15000 RSA sign-enc Schnorr + ElGamal 10000 DL Signcryption 5000 0 1024 2048 4096 8190 18
Signcryption as a “Magic” Envelope 19
The End Result Kill two birds with one stone 20
Security Model & Proofs • Security proofs in 2002, with Joonsang Baek & Ron Steinfeld – 1 st security model – 1 st mathematical proofs 21 Joonsang Ron
Applications of Signcryption • Efficient “drop - in” replacement of “signing - then- encrypting” – Smartphones & other battery powered devices • Ad hoc/sensor network security • Secure SIP for VOIP • Efficient key establishment • Many more 22
Further Developments • Extensions: pairing, factorization, …… • Add “bells and whistles” – Multi-recipients, proxy, blind, threshold, ring, ID based, certificateless , …… • Authenticated encryption (Authencryption) – Co-design of shared key authentication and encryption • New PhD theses (C) Y. Zheng 23
Typical Cycle of Research Find problem Publish Secure papers funds Solve problem 24
Add Commercialization Find problem Secure Standardize funds (Int'l / Nat.) Apply for patents Start-up Solve company problem Publish papers 25
Commercialization of Signcryption Standardize Apply for patents Start-up company 26
Signcryption Patents • Patents • Support from Prof. Cliff Bellamy – Applied in 1996 – Received both in Australia and USA 27
Transfer of Patent Rights • 2007 – Sold to • IV – Established by ex-Microsoft executive Nathan Myhrvold – One of the top 5 patent holders in the US 28
Signcryption Standards • In 2006, ISO --- International Standardization Organization --- Standardize started to look into establishing uniform Apply for standard for various patents signcryption techniques Start-up company • I was notified in 2008 – Accepted invitation to help the standard 29
ISO Standardization Process • ISO/IEC JTC1/SC27, “Information technology— Security techniques —Signcryption” • ISO – JTC1, SC 27, WG 2 – 2006, proposal to standardize signcryption – Proposal approved in Spring 2008 – Project #29150 started at ISO Kyoto meeting, April 2008 – Completed at the end of 2011 (after 4 years work) 30
ISO Process • ISO ≈ mini UN – 1 country 1 vote • "textbook" algorithms not adequate – Need to be transformed into robust techniques for real-world use • Face-to-face meetings: twice a year • Lot of online & offline discussions/telemeetings • Min. # of stags = 6 • Min. # of years = 4 31
Personal experience • Overcoming challenges – Time commitments – Funding for travelling to meetings – Skills to work with delegates from various countries – Understanding important non-technical aspects • Usability, simplicity, compatibility, acceptability • Great satisfaction – Help industrial experts include best-of-breed crypto techniques into int'l standards – Turn "textbook" algorithms into industrial standards – Identify problems of practical importance which tend to be ignored in academic research • Standards bodies embracing expert advice – Urge you to consider participation 32
33
signcryption.org 34
Recommend
More recommend
