Information Security and Cryptography Texts and Monographs

Information Security and Cryptography Texts and Monog raphs

Series Editors David Basin Ueli Maurer

Advisory Board Martín Abadi Ross Anderson Michael Backes Ronald Cramer Virgil D. Gligor Oded Goldreich Joshua D. Guttman Arjen K. Lenstra John C. Mitchell Tatsuaki Okamoto Kenny Paterson Bart Preneel

For further volumes: http://www.springer.com/series/4752

Alexander W. Dent · Yuliang Zheng Editors

Practical Signcryption

Foreword by Moti Yung

123 Editors Dr. Alexander W. Dent Prof. Yuliang Zheng Royal Holloway University of North Carolina, Charlotte University of London Dept. Software & Information Systems Information Security Group University City Blvd. 9201 TW20 0EX Egham, Surrey Charlotte, NC 28223 United Kingdom USA [email protected] [email protected]

Series Editors Prof. Dr. David Basin Prof. Dr. Ueli Maurer ETH Zürich Switzerland [email protected] [email protected]

ISSN 1619-7100 ISBN 978-3-540-89409-4 e-ISBN 978-3-540-89411-7 DOI 10.1007/978-3-540-89411-7 Springer Heidelberg Dordrecht London New York

Library of Congress Control Number: 2010935931

ACM Computing Classiﬁcation (1998): E.3, K.4.4

c Springer-Verlag Berlin Heidelberg 2010 This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broad- casting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant pro- tective laws and regulations and therefore free for general use.

Cover design: KuenkelLopka GmbH, Heidelberg

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com) Foreword

Scientific exploration follows many directions, and this is as true for a technological science like “cryptography” as it is for any physical science. One central scientific direction involves finding new notions, new primitives, and new methods; defining them; implementing them; and then showing and proving the characteristics of these findings. In modern cryptography, the definition of new basic primitives and their security properties has been one of the primary activities of the last few decades (since the field was conceived in the later part of the twentieth century). Once a primitive is defined, a number of investigative directions take place: One direction is showing the basic tools (mathematical assumptions and basic cryptographic functions) that are necessary and sufficient for the primitive. A second direction involves finding more efficient implementations, where efficiency is measured in terms of the complexity of the primitive (such as the time it takes, the space it consumes, the messages used, the rounds of communication employed). A third direction is extending the properties of the basic primitive and modifying it to achieve other interesting important tasks, or making sure it operates in a different environment than it was originally intended for. Yet, a fourth direction is finding system’s needs and applications that crucially exploit the primitive (either inher- ently, as a functional enhancement of an application or as a contributor to efficiency improvement); this direction eventually leads to actual working systems that can be exploited by actual computing systems. Note that other directions for investigation are known, such as reductions between primitives, generalization of primitives into a super-primitive. Once a primitive is born, its development often progresses in quite unexpected and mysterious ways. Two of the cornerstones of modern cryptography are public-key encryption as implemented via public-key cryptosystems and digital signatures as implemented by signature schemes. Public-key cryptosystems are a concealment mechanism. Employing the cryptosystem enables a party (a sender) to encrypt a confidential message to a second party (a receiver) without the need to share an initial secret; the only thing needed is for the receiver to publicize the public portion of its key (the encryption key), while keeping secret the decryption key. Digital signatures, on the other hand, are an integrity mechanism. These enable a party to send a message with a signature tag that verifies the origin of the message (i.e., authenticates the

v vi Foreword sender) to any receiver; the only thing needed is for the sender to initially publicize its public verification key while keeping secret the corresponding signing key. There are a very high number of variations of the concepts of public-key cryptosystems and digital signature schemes. Many properties have been added, and the definition and characteristic of these primitive, as well as efficient implementations of them and their variations, have been thoroughly investigated. These primitives have also been implemented as important underlying components in various security protocols used to secure computing and communication infrastructures (the Internet, the Web, the mobile networks, and so on). The book “Practical Signcryption” by Alex Dent and Yuliang Zheng consid- ers a very interesting primitive, originally the brainchild of Yuliang Zheng, called “Signcryption.” The name of this primitive tells it all: It is a primitive that combines the functionality of digital signatures and that of public-key encryption. Often in science, when primitives are defined, there is an issue with their combination and interoperability. Note that in computer science in general, the notion of combination is very important, since complex structures need to be developed in pieces, and therefore modularity is a critical notion which enables the development of pieces which can be combined into more complete systems. Combination can be performed in many ways. For example, one can envision a simple concatenation of the primitives (i.e., performing the first and then the second); however, even such a simple combination presents a challenge in cryptographic research, since the combination may not preserve the security properties of each of the components. Signcryption is a result of realizing that often one wants to send a message that is concealed (readable only by the intended receiver) and authenticated (verified as originating from the specified sender). This combination is natural in numerous applications. The original motivation for “signcryption” (which is a much shorter word than the expression “signature and encryption”) was to gain efficiency, namely to allow both actions to be done more efficiently than just a serial composition of the two components (e.g., to get a shorter cryptogram representing both encryption and signature than is obtained merely by first encrypting the message into a ciphertext and then signing the ciphertext). Once the above was shown possible, at that very moment, a new primitive was born and the book covers the many aspects of developments around this primitive of signcryption. These developments include achieving efficient constructions, achieving provably secure constructions under various models, getting efficient schemes in various algebraic domains, getting new techniques to design the primitives in various settings, and getting applications and actual implementations of it. The book covers all these areas by chapters that are written by the world-renowned cryp- tographers who have been in the frontier of research and who have actually been responsible for many of these numerous interesting developments. Note further that the authors of the various chapter demonstrate, by their wide geographical spread, the global nature of advanced cryptographic research nowadays. The story of signcryption has taught us that “combining natural primitives” has strong research and development potential in many ways, and especially it has a good chance in reducing complexities when measured against a naive combination. Foreword vii

In fact, I learned this lesson myself and applied it a few years after signcryption had been conceived. Together with J. Katz, we studied the combination of private key encryption and message authentication codes (which is the “symmetric key cryptography” equivalent of what signcryption is in the “public-key cryptography” area). This primitive, now called “authenticated encryption,” which has also been studied by a number of other groups has found numerous applications and is an outcome of the approach pioneered by the notion of signcryption. The “Practical Signcryption” book can be a handbook on the state of the art of signcryption, specifically, and, at the same time, can serve as a way to historically view how this specific subject has evolved. On a more general level, the book can serve as an example how cryptographic primitives are conceived and how research in this general area evolves, going through various stages from the theoretical and mathematical development stage all the way to the practical stage (i.e., into systems and standardization). In other words, the book serves two purposes: (1) it is the definitive source on signcryption and (2) it is also a prototypical example to learn from how research on cryptographic primitives is performed by the cryptographic research community. Indeed, the book on combining cryptographic primitives, itself, combines these two purposes in a very elegant way! I think the book is, in fact, a fundamental and timely contribution to the cryptographic literature, and I congratulate Alex, Yuliang, and the various chapter authors for their unique achievement!

New York, NY Moti Yung April 2010

Preface

The concept for this book was initially created because we believe that signcryption is a fundamentally useful technology that is under-used in practical applications. It often seems bizarre to us that implementations will use complex modular exponen- tiation optimizations to achieve small efficiency improvements while ignoring the 50% efficiency saving that can be made by combining confidentiality and integrity protection operations into a single signcryption operation! We hope that the book will convince researchers, implementors, and standardization bodies to consider the use of efficient signcryption technologies in their work. This book is the result of a long project and we would like to thank all of the authors for their efforts and their patience. We would also like to thank Springer- Verlag for their patience. Yuliang Zheng would particularly like to thank Hideki Imai for his pioneer- ing work in coded modulation which inspired him to develop signcryption. The endeavor to develop signcryption came to fruition while Yuliang was with the beautiful Mornington Peninsula campus of Monash University in Australia. He is indebted to ex-colleagues at Monash for their support during the initial stage of development of signcryption. In addition to authors of chapters of this book, Yuliang would also like to thank those researchers whose work on signcryption could not be included into this book. Their contributions to the design and analysis, as well as practical applications, of signcryption techniques are equally significant. Further- more, Yuliang would like to extend his gratitude to colleagues at the University of North Carolina at Charlotte for numerous discussions on research over the past decade. Finally Yuliang would like to thank his wife Quinnie and two wonderful children for their continued love, support, and patience. Alex Dent would particularly like to thank the Information Security Group in Royal Holloway, University of London, for their support during the writing/editing of this book. It should also be acknowledged that part of the work of editing this book was undertaken while Alex was visiting the Computer Science Department of New York University and the Graduate Center of the City University of New York. He would like to thank them for the opportunity to visit their universities. Lastly, he would like to thank his family for their continued support and Carrie for being such a wonderful person.

ix x Preface

Some of the individual chapter authors would also like to acknowledge the help that they have received. These include • John Malone-Lee (Chap. 6) would like to thank Wenbo Mao whose idea it was originally to use the RSA function for signcryption in this way. • Yevgeniy Dodis (Chap. 8) would like to thank Jee Hea An and Tal Rabin for their collaboration on the subject of signcryption. • Josef Pieprzyk (Chap. 9) was supported by Australian Research Council Discov- ery grants DP0663452 and DP0987734. • Xavier Boyen (Chap. 10) would like to thank Paulo Barreto for useful feedback on an early draft of the chapter. • Alex Dent (Chap. 11) would like to thank Colin Boyd for taking the time to read and comment on this chapter. These comments much improved the chapter.

London, UK Alexander W. Dent Charlotte, NC Yuliang Zheng May 2010 Contents

1 Introduction ...... 1 Yuliang Zheng 1.1 Historical Development of Signcryption ...... 1 1.1.1 Coded Modulation ...... 1 1.1.2 Musings on Blending ...... 2 1.1.3 Signcryption ...... 5 1.1.4 Provably Secure Signcryption ...... 7 1.2 Extensions, Standardization, and Future Research Directions ..... 8 1.3 Notation and Security Notions ...... 9 1.3.1 Algorithms and Assignment ...... 10 1.3.2 Signature Schemes ...... 11 1.3.3 Public Key Encryption ...... 14 1.3.4 Symmetric Encryption ...... 16 1.3.5 Message Authentication Codes ...... 18

Part I Security Models for Signcryption

2 Security for Signcryption: The Two-User Model ...... 21 Jee Hea An and Tal Rabin 2.1 Introduction ...... 21 2.2 Deﬁnition of Signcryption in the Two-User Setting ...... 23 2.2.1 Two Security Notions in the Two-User Setting ...... 23 2.2.2 Discussions on the Security Notions ...... 28 2.3 Generic Compositions of Signature and Encryption ...... 30 2.3.1 Construction ...... 30 2.3.2 Security of the Parallel Composition Method ...... 31 2.3.3 Security of the Sequential Composition Methods ...... 32 2.4 Multi-user Setting ...... 39 2.4.1 Syntax ...... 39 2.4.2 Security ...... 40 2.4.3 Extending Signcryption ...... 40

xi xii Contents

3 Security for Signcryption: The Multi-User Model ...... 43 Joonsang Baek and Ron Steinfeld 3.1 Introduction ...... 43 3.2 The BSZ Model ...... 44 3.2.1 Conﬁdentiality of Signcryption in the Multi-User BSZ Model ...... 44 3.2.2 Unforgeability of Signcryption in the Multi-User BSZ Model ...... 47 3.2.3 Further Discussions on the Multi-User BSZ Model ...... 50 3.3 Example: The Security of Zheng’s Signcryption Scheme in the BSZ Model ...... 51

Part II Signcryption Schemes

4 Signcryption Schemes Based on the Diffie–Hellman Problem ...... 57 Paulo S.L.M. Barreto, Benoît Libert, Noel McCullagh, and Jean-Jacques Quisquater 4.1 Introduction ...... 57 4.2 Diffie–Hellman Problems ...... 58 4.3 Zheng’s Construction and Its Variants ...... 59 4.3.1 Zheng’s Original Scheme ...... 59 4.3.2 The Bao–Deng Modification ...... 62 4.3.3 A Modification with Public Verifiability ...... 62 4.4 An Encrypt-then-Sign Composition ...... 63 4.5 A Scheme with Unforgeability Based on Factoring ...... 64 4.6 Schemes with Non-repudiation ...... 66 4.6.1 A DSA-Based Construction ...... 66 4.6.2 A Scheme Built on Schnorr’s Signature Scheme ...... 67 4.7 The CM Scheme ...... 68

5 Signcryption Schemes Based on Bilinear Maps ...... 71 Paulo S.L.M. Barreto, Benoît Libert, Noel McCullagh, and Jean-Jacques Quisquater 5.1 Introduction ...... 71 5.2 Bilinear Map Groups ...... 72 5.3 Assumptions ...... 73 5.4 Signcryption for Anonymous Communications ...... 74 5.4.1 Message Privacy ...... 75 5.4.2 Ciphertext Unforgeability and Signature Unforgeability .. 76 5.4.3 Anonymity ...... 77 5.5 A Tightly Secure Scheme ...... 78 5.5.1 The Scheme...... 78 Contents xiii

5.5.2 Efﬁciency ...... 79 5.5.3 Security ...... 80 5.6 A Scheme with Short Detachable Signatures ...... 86 5.6.1 Efﬁciency ...... 88 5.6.2 Anonymous Communications ...... 88 5.6.3 Security ...... 89

6 Signcryption Schemes Based on the RSA Problem ...... 99 Alexander W. Dent and John Malone-Lee 6.1 Introduction ...... 99 6.2 The RSA Transform ...... 100 6.3 Dedicated RSA-Based Signcryption Schemes ...... 101 6.4 Signcryption from Padding Schemes ...... 102 6.4.1 Trapdoor Permutations...... 102 6.4.2 Extractable Commitments ...... 102 6.4.3 Padding-Based Signcryption Schemes ...... 104 6.4.4 Proof Intuition ...... 109 6.5 Signcryption Based on RSA-TBOS ...... 110 6.5.1 The TBOS Construction ...... 110 6.5.2 Security Proof for the TBOS Signcryption Scheme ...... 112

Part III Construction Techniques

7 Hybrid Signcryption ...... 121 Tor E. Bjørstad 7.1 Background ...... 121 7.1.1 A Brief Word on Notation ...... 123 7.2 Preliminaries ...... 123 7.2.1 The Hybrid Framework ...... 123 7.2.2 Security Criteria for Data Encapsulation Mechanisms . . . . 125 7.3 Hybrid Signcryption with Outsider Security ...... 126 7.3.1 An Outsider-Secure Signcryption KEM ...... 126 7.3.2 Security Criteria for Outsider-Secure Signcryption KEMs ...... 127 7.3.3 Security of the SKEM + DEM Construction ...... 130 7.3.4 Outsider-Secure Hybrid Signcryption in Practice ...... 133 7.4 Hybrid Signcryption with Insider Security ...... 136 7.4.1 From Outsider to Insider Security ...... 136 7.4.2 Signcryption Tag-KEMs ...... 138 7.4.3 Security Criteria for Signcryption Tag-KEMs ...... 140 7.4.4 Security of the SCTK+DEM Construction ...... 143 7.4.5 Insider-Secure Hybrid Signcryption in Practice ...... 146 xiv Contents

8 Concealment and Its Applications to Authenticated Encryption .....149 Yevgeniy Dodis 8.1 Introduction ...... 149 8.1.1 Domain Extension of Authenticated Encryption ...... 150 8.1.2 Remotely Keyed Authenticated Encryption ...... 152 8.2 Deﬁnition of Concealment ...... 155 8.2.1 Syntax ...... 155 8.2.2 Security of Concealment ...... 156 8.2.3 Relaxed Concealments ...... 157 8.2.4 Super-Relaxed Concealments ...... 157 8.2.5 Comparison to Commitment ...... 157 8.3 Constructing Concealment Schemes ...... 158 8.3.1 Achieving Hiding ...... 158 8.3.2 Achieving Binding ...... 159 8.3.3 Necessity of Assumptions ...... 162 8.4 Applications to Authenticated Encryption ...... 163 8.4.1 Deﬁnition of Authenticated Encryption ...... 164 8.4.2 Authenticated Encryption of Long Messages ...... 166 8.4.3 Remotely Keyed Authenticated Encryption ...... 169

9 Parallel Signcryption ...... 175 Josef Pieprzyk and David Pointcheval 9.1 Introduction ...... 175 9.2 Concept of Parallel Signcryption ...... 175 9.3 Overview of Constructions ...... 176 9.4 Generic Parallel Signcryption...... 178 9.4.1 Description of the Scheme...... 178 9.4.2 Security Analysis ...... 180 9.5 Optimal Parallel Signcryption ...... 185 9.5.1 Description of the Scheme...... 185 9.5.2 Security Analysis ...... 187

Part IV Extensions of Signcryption

10 Identity-Based Signcryption ...... 195 Xavier Boyen 10.1 Introduction ...... 195 10.1.1 Identity-Based Cryptography ...... 195 10.1.2 Advantages and Disadvantages ...... 197 10.1.3 From IBE to Signcryption ...... 199 10.1.4 Specifying an IBSC System ...... 200 10.1.5 Concrete IBSC from Pairings ...... 201 10.2 The Identity-Based Signcryption Primitive ...... 202 Contents xv

10.3 Security Deﬁnitions ...... 203 10.3.1 Message Conﬁdentiality ...... 206 10.3.2 Signature Non-repudiation ...... 207 10.3.3 Ciphertext Unlinkability ...... 208 10.3.4 Ciphertext Authentication ...... 209 10.3.5 Ciphertext Anonymity ...... 210 10.4 A Concrete IBSC Scheme ...... 211 10.4.1 The Boneh–Franklin Framework ...... 211 10.4.2 Fully Secure IBSC Construction ...... 212 10.4.3 A Performance/Security Trade-Off...... 215 10.4.4 Signcrypting for Multiple Recipients ...... 215

11 Key Establishment Using Signcryption Techniques ...... 217 Alexander W. Dent 11.1 Introduction ...... 217 11.2 Formal Security Models for Key Establishment ...... 219 11.2.1 Motivation ...... 219 11.2.2 Sessions ...... 220 11.2.3 The Formal Security Model ...... 221 11.2.4 Entity Authentication ...... 223 11.2.5 Forward Secrecy ...... 224 11.2.6 Key Compromise Impersonation Attacks ...... 224 11.2.7 Notation ...... 224 11.3 Key Transport...... 225 11.4 Key Establishment Based on Zheng’s Signcryption Scheme ...... 226 11.5 Key Agreement Based on Signcryption KEMs ...... 227 11.5.1 Key Agreement Based on Signcryption KEMs ...... 229 11.5.2 Key Agreement Based on Signcryption Tag-KEMs ...... 230 11.5.3 Security Proof for the Bjørstad–Dent Protocol ...... 232 11.6 Key Establishment Based on Timestamps...... 239

12 Applications of Signcryption ...... 241 Yang Cui and Goichiro Hanaoka 12.1 Application Fields of Signcryption ...... 241 12.2 Example Applications of Signcryption ...... 242 12.2.1 Secure Multicasting Over the Internet ...... 243 12.2.2 Authenticated Key Recovery ...... 246 12.2.3 Secure ATM Networks...... 248 12.2.4 Secure Routing for Mobile Ad Hoc Networks ...... 249 12.2.5 Encrypted and Authenticated E-mail by Firewalls ...... 251 12.2.6 Signcryption in Secure VoIP ...... 252 12.2.7 Applications to Electronic Payment ...... 253

References ...... 257

Index ...... 269

Contributors

Jee Hea An San Diego, CA, USA Joonsang Baek Cryptography and Security Department, Institute for Infocomm Research (I2R), Singapore, Singapore, [email protected] Paulo S. L. M. Barreto Architecture and Networking Lab (LARC), Department of Computer and Digital Systems Engineering (PCS), Escola Politécnica, University of São Paulo, São Paulo, Brazil, [email protected] Tor E. Bj¿rstad Department of Informatics, The Selmer Center, University of Bergen, Bergen, Norway, [email protected] Xavier Boyen Chair of Cryptography and Information Security, Monteﬁore Institute, Université de Liège, Liège, Belgium, [email protected] Yang Cui National Institute of Advanced Industrial Science and Technology (AIST), Research Center for Information Security (RCIS), Tokyo, Japan, [email protected] Alexander W. Dent Information Security Group, University of London, Egham TW20 0EX, Surrey, UK, [email protected] Yevgeniy Dodis Cryptography Group, Department of Computer Science, New York University, New York, NY, USA, [email protected] Goichiro Hanaoka National Institute of Advanced Industrial Science and Technology (AIST), Research Center for Information Security (RCIS), Tokyo, Japan Benoît Libert Crypto Group, Microelectronics Laboratory, Université catholique de Louvain, Louvain, Belgium, [email protected] John Malone-Lee Torus Insurance, London, UK Noel McCullagh School of Computing, Dublin City University, Dublin, Ireland Josef Pieprzyk Department of Computing, Center for Advanced Computing – Algorithms and Cryptography, Macquarie University, Sydney, Australia, [email protected]

xvii xviii Contributors

David Pointcheval CNRS, ENS and INRIA, Paris, France, [email protected] Jean-Jacques Quisquater Crypto Group, Microelectronics Laboratory, Université catholique de Louvain, Louvain, Belgium Tal Rabin IBM T. J. Watson Research Center, Hawthorne, NY, USA, talr@us.ibm.com Ron Steinfeld Department of Computing, Center for Advanced Computing – Algorithms and Cryptography, Macquarie University, Sydney, Australia, [email protected] Yuliang Zheng University of North Carolina, Charlotte, NC, USA, [email protected]