International Association for Cryptologic Research

Xiaoyuan YANG

Cryptanalysis of Two Efficient HIBE Schemes in the Standard Model
Xu An Wang, Xiaoyuan Yang
In Informatica 32 (2008), Ren and Gu proposed an anonymous hierarchical identity based encryption scheme based on the q-ABDHE problem with full security in the standard model. Later, in Indocrypt'08, they proposed another secure hierarchical identity based encryption scheme based on the q-TBDHE problem with full security in the standard model. They claimed that their schemes have short parameters, high efficiency and a tight reduction. However, in this paper we give attacks showing that their schemes are not secure at all. Concretely, from any first level private key, the adversary can easily derive a proper "private key" which can decrypt any ciphertext for the target identity. That is to say, one key generation query on any first level identity other than the target's first level identity is enough to break their schemes.

On Security Notions for Verifiable Encrypted Signature
Xu-An Wang, Xiaoyuan Yang, Yiliang Han
First we revisit three verifiably encrypted signature schemes, BGLS, MBGLS and GZZ [2,3,6]. We find that none of them is strongly unforgeable. We remark that the notion of existential unforgeability is not sufficient for fair exchange protocols in most circumstances. So we propose three new verifiably encrypted signature schemes, NBGLS, MBGLS and NGZZ, which are strongly unforgeable. We also reconsider two other verifiably encrypted signature schemes, ZSS and CA [4,8], and find that neither can resist the public key replacement attack. So we strongly suggest that strong unforgeability may be a better notion than existential unforgeability for verifiably encrypted signatures, and that checking that the adjudicator knows its private key is a necessary step for a secure verifiably encrypted signature scheme.

On the Role of KGC for Proxy Re-encryption in Identity Based Setting
Xu an Wang, Xiaoyuan Yang
In 1998, Blaze, Bleumer, and Strauss proposed a kind of cryptographic primitive called proxy re-encryption [Blaze:98]. In proxy re-encryption, a proxy can transform a ciphertext computed under Alice's public key into one that can be opened under Bob's decryption key. They predicted that proxy re-encryption and re-signature will play an important role in our life. In 2007, Matsuo proposed the concept of four types of re-encryption schemes: CBE to IBE (type 1), IBE to IBE (type 2), IBE to CBE (type 3), and CBE to CBE (type 4) [Matsuo:07]. Now CBE to IBE and IBE to IBE proxy re-encryption schemes are being standardized by the IEEE P1363.3 working group [P1363.3:08]. In this paper, based on [Matsuo:07], we pay attention to the role of the KGC for proxy re-encryption in the identity based setting. We find that if we introduce the KGC into the process of generating the re-encryption key for proxy re-encryption in the identity based setting, many open problems can be solved. Our main results are as follows:
1. One feature of the proxy re-encryption scheme from CBE to IBE in [Matsuo:07] is that it inherits the key escrow problem from IBE, that is, the KGC can decrypt every re-encrypted ciphertext for IBE users. We ask the following question: is it possible that a malicious KGC cannot decrypt the re-encrypted ciphertext? Surprisingly, the answer is affirmative. We construct such a scheme and prove its security in the standard model.
2. We propose a proxy re-encryption scheme from IBE to CBE. To the best of our knowledge, this is the first type 3 scheme. We give the security model for proxy re-encryption from IBE to CBE and prove our scheme's security in this model without random oracles.
3. In [Matsuo:08] there was a conclusion that it is hard to construct a proxy re-encryption scheme based on the BF and SK IBE schemes. When the KGC is involved in the proxy key generation, we can construct a proxy re-encryption scheme based on SK IBE. Interestingly, this proxy re-encryption scheme can even achieve IND-Pr-ID-CCA2 security, which makes it a relatively efficient pairing-based proxy re-encryption scheme achieving CCA2 security in the literature.

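The primitive this abstract describes (a proxy turning a ciphertext for Alice into one for Bob without learning the plaintext) is easiest to see in the original 1998 Blaze-Bleumer-Strauss construction over ElGamal. The Python below is an added example written for this page; it is not code from the paper or its authors and it implements BBS98 in the plain public key setting, not any of the identity based schemes the abstract discusses. Assumptions: a toy 64-bit safe-prime group found at import time (illustration only, far below any secure size), messages encoded into the order-q subgroup by squaring, and the BBS98 re-encryption key rk = b/a mod q, which needs both parties' secrets and is therefore bidirectional (the caveat the demo checks at the end).

```python
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n):
    """Miller-Rabin with fixed bases: deterministic for all n < 3.18e23."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group(bits=64):
    """Deterministically pick a safe prime p = 2q + 1 with q just above 2**bits.
    g = 4 is a square mod p, so it generates the order-q subgroup. Toy size only."""
    q = (1 << bits) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = toy_group()   # assumed toy parameters; never use 64-bit groups for real


def encode(m):
    """Map an integer 1 <= m < Q into the order-Q subgroup by squaring."""
    assert 1 <= m < Q
    return pow(m, 2, P)


def decode(x):
    """Inverse of encode: square root in the odd-order subgroup (x^((Q+1)/2) = +-m),
    then take the representative below P/2, which is where encode's inputs live."""
    y = pow(x, (Q + 1) // 2, P)
    return min(y, P - y)


def keygen():
    a = 1 + secrets.randbelow(Q - 1)
    return a, pow(G, a, P)                       # (private exponent a, public key g^a)


def encrypt(pk, m_elem):
    k = 1 + secrets.randbelow(Q - 1)
    return (m_elem * pow(G, k, P)) % P, pow(pk, k, P)   # BBS98 form: (m * g^k, g^{ak})


def decrypt(sk, ct):
    c1, c2 = ct
    gk = pow(c2, pow(sk, -1, Q), P)              # (g^{ak})^{1/a} = g^k
    return (c1 * pow(gk, -1, P)) % P


def rekey(sk_alice, sk_bob):
    """BBS98 re-encryption key rk = b / a mod Q. Needs BOTH secrets (bidirectional)."""
    return (sk_bob * pow(sk_alice, -1, Q)) % Q


def reencrypt(rk, ct):
    """The proxy only exponentiates the second component: (g^{ak})^{b/a} = g^{bk}."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)


def demo(message=0xC0FFEE):
    """Alice's ciphertext -> proxy -> Bob, plus the bidirectionality caveat."""
    a, pk_a = keygen()
    b, pk_b = keygen()
    ct_alice = encrypt(pk_a, encode(message))
    rk = rekey(a, b)
    ct_bob = reencrypt(rk, ct_alice)
    # Caveat: the inverse of the same key maps Bob's ciphertexts back to Alice.
    ct_back = reencrypt(pow(rk, -1, Q), encrypt(pk_b, encode(message)))
    return {
        "alice_reads_own": decode(decrypt(a, ct_alice)),
        "bob_reads_reencrypted": decode(decrypt(b, ct_bob)),
        "alice_reads_bobs_via_inverse_rk": decode(decrypt(a, ct_back)),
        "bob_reads_original_without_proxy": decode(decrypt(b, ct_alice)) == message,
    }


if __name__ == "__main__":
    print(demo())
```

The proxy never sees a, b or the plaintext: it holds only rk and exponentiates one ciphertext component. The last field of `demo` shows that Bob cannot open Alice's original ciphertext with his own key, and the inverse-key step shows why BBS98 is called bidirectional, which is exactly the trust problem the identity based, KGC-assisted constructions in the abstract are designed around.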
Provable Secure Generalized Signcryption
Xu-an Wang, Xiaoyuan Yang, Yiliang Han
Generalized signcryption is a new cryptographic primitive which can work as an encryption scheme, a signature scheme or a signcryption scheme. We give security notions for generalized signcryption and improve a generalized signcryption scheme proposed by Han et al. We give the formal attack model of this new cryptographic primitive in the framework of provable security. Finally, we give formal proofs for the improved generalized signcryption scheme in our attack model.

ECGSC: Elliptic Curve based Generalized Signcryption Scheme
Yiliang Han, Xiaoyuan Yang
Signcryption is a new cryptographic primitive that simultaneously fulfills the functions of both signature and encryption. The definition of generalized signcryption is first proposed in this paper. Generalized signcryption has the special feature of providing confidentiality or authenticity separately, depending on the specific inputs, so it is more useful than ordinary signcryption. Based on ECDSA, a signcryption scheme called ECGSC is designed. It is equivalent to an AtE(OTP$, MAC) encryption scheme or to ECDSA when one of the parties is absent. A third party can verify the signcryption text publicly in the manner of ECDSA. Security properties are proven in the random oracle model: confidentiality (CUF-CPA), unforgeability (UF-CMA) and non-repudiation. Compared with the others, ECGSC presents a 78% reduction in computational cost for typical security parameters in high-level security applications.

Elliptic Curve based Signcryption and its Multi-party Schemes
Yiliang HAN, Xiaoyuan YANG
Signcryption is a novel public key primitive that achieves the combined functionality of authentication and confidentiality in an efficient manner. A new signcryption scheme based on elliptic curve cryptosystems, which combines ECDSA and PSCE-1, is presented in this paper. The signcryption scheme is publicly verifiable: it can be verified by a third party after the specific recipient removes his key information. Analysis shows that the proposed scheme is secure against the adaptive chosen ciphertext attack. The signcryption saves at least 1.25 times in communication cost and 1.19 times in computation cost over ECDSA-then-PSCE-1. Compared with other signcryption schemes, such as Y. Zheng's ECSCS, the new signcryption uses a uniform elliptic curve cryptosystem platform instead of four kinds of cryptosystem components: hash function, keyed hash function, symmetric cipher and elliptic curve. While keeping high security and efficiency, the scheme can be implemented in software and hardware at low cost because of the above advantages. Based on the signcryption, a broadcast scheme for multiple recipients and a threshold scheme with distributed key generation for multiple senders are also proposed.