Yunlei Zhao

DOI: https://doi.org/10.1016/j.tcs.2021.11.014

IF: 1.002

2021-01-01

Theoretical Computer Science

Abstract:After two decades of research on signcryption, recently a new cryptographic primitive, named higncryption, was proposed at ACM CCS'16. Higncryption can be viewed as privacy-enhanced signcryption, which integrates public key encryption, digital signature and identity concealment (which is not achieved in signcryption) into a monolithic primitive. Here, identity concealment means that the transcript of protocol runs should not leak participants' identity information. In this work, we propose the first identity-based higncryption (IBHigncryption, for short). We present the formal security model for IBHigncryption, under which security proof of the proposed scheme is conducted. The most impressive feature of IBHigncryption, besides other desirable properties it offers, is its simplicity and efficiency, which might be somewhat surprising in retrospect. Our IBHigncryption has a much simpler setup stage with smaller public parameters and particularly no need of computing master public key. It is essentially as efficient as (if not more than) the fundamental CCA-secure Boneh-Franklin identity-based encryption scheme [14] , and has significant efficiency advantage over the IEEE 1363.3 standard of identity-based signcryption [8] .

Huanhuan Lian,Tianyu Pan,Huige Wang,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-030-88428-4_32

2021-01-01

Abstract:Identity-based authenticated key exchange (ID-AKE) allows two parties (whose identities are just their public keys) to agree on a shared session key over open channels. At ESORICS 2019, Tomida et al. proposed a highly efficient ID-AKE protocol, referred to as the TFNS19-protocol, under the motivation of providing authentication and secure communication for huge number of low-power IoT devices. The TFNS19-protocol currently stands for the most efficient ID-AKE based on bilinear pairings, where each user remarkably performs only a single pairing operation. But it does not consider users' identity privacy, and the security is based on relatively non-standard assumptions. In this work, we formulate and design identity-based identity-concealed AKE (IB-CAKE) protocols. Here, identity concealment means that the session transcript does not leak users' identity information. We present a simple and highly practical IB-CAKE protocol, which is computationally more efficient than the remarkable TFNS19-protocol in total. We present a new security model for IB-CAKE, and show it is stronger than the ID-eCK model used for the TFNS19-protocol. The security of our IB-CAKE protocol is proved under relatively standard assumptions in the random oracle model, assuming the security of the underlying authenticated encryption and the gap bilinear Diffie-Hellman (Gap-BDH) problem. Finally, we provide the implementation results for the proposed IB-CAKE scheme, and present performance benchmark.

Jianhua Yan,Licheng Wang,Mianxiong Dong,Yixian Yang,Wenbin Yao

DOI: https://doi.org/10.1002/sec.1297

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Signcryption as a cryptographic primitive can carry out signature and encryption simultaneously at a remarkably reduced cost. Identity-based cryptography is more convenient than public key infrastructure-based cryptography in certificate management. As a result, identity-based signcryption has been studied extensively, and many efficient and provably secure constructions have been proposed. However, most of these schemes are based on intractability assumptions from number theory, and these assumptions have been threatened by the booming quantum computation. Therefore, a recent trend in cryptography is to construct cryptosystems that are based on lattice-based intractability assumptions because of their plausible features of quantum attack resistance. In this paper, several identity-based signcryption schemes from lattice hardness assumptions are proposed. In the standard model, these schemes are indistinguishable against inner adaptively chosen ciphertext attacks (IND-CCA2) and strongly unforgeable against inner chosen message attacks. In our construction, it does not matter whether the original encryption scheme used to construct signcryption is deterministic or probabilistic; the resulted signcryption schemes can reach IND-CCA2 security. To achieve this, we carefully combine three techniques-the identity-based encryption from lattice due to Agrawal-Boneh-Boyen (EUROCRYPT 2010), the framework of lattice-based short signature due to Boyen (Public Key Cryptography 2010), and the Canetti-Halevi-Katz (abbr. CHK) technique, with necessary and tailored optimization-for transforming an (l + 1)-level indistinguishable under chosen plaintext attack secure hierarchical identity-based encryption (HIBE) into an l level IND-CCA2 secure HIBE scheme. In addition, our security proof also contains a more efficient simulation tool that might have separate interest in cryptographic applications. Copyright (C) 2015 John Wiley & Sons, Ltd.

Fagen Li,Hui Zhang,Tsuyoshi Takagi

DOI: https://doi.org/10.1109/jsyst.2012.2221897

IF: 4.802

2013-01-01

IEEE Systems Journal

Abstract:Privacy and authentication are the two main security goals in secure communications. To solve the secure communications problem between two heterogeneous systems, we propose two efficient signcryption schemes that can simultaneously achieve confidentiality, integrity, authentication, and nonrepudiation in a logical single step. The first scheme allows a sender in a public key infrastructure (PKI) to send a message to a receiver in an identity-based cryptosystem (IBC) and the second scheme allows a sender in the IBC system to send a message to a receiver in the PKI system. We prove that the first scheme has indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2) under the q-bilinear Diffie-Hellman inversion problem (q-BDHIP) and existential unforgeability against adaptive chosen messages attacks (EUF-CMA) under the Diffie-Hellman inversion problem in the random oracle model. We also prove that the second scheme has the IND-CCA2 property under the BDHIP and EUF-CMA property under the q-strong Diffie- Hellman problem (q-SDHP) in the random oracle model.

Andrew Chi-Chih Yao,Yunlei Zhao

DOI: https://doi.org/10.1145/2508859.2516695

2013-01-01

Abstract:Cryptography algorithm standards play a key role both to the practice of information security and to cryptography theory research. Among them, the MQV and HMQV protocols ((H)MQV, in short) are a family of implicitly authenticated Diffie-Hellman key-exchange (DHKE) protocols that are among the most efficient and are widely standardized. In this work, from some new perspectives and under some new design rationales, and also inspired by the security analysis of HMQV, we develop a new family of practical implicitly authenticated DHKE (IA-DHKE) protocols, which enjoy notable performance among security, efficiency, privacy, fairness and easy deployment. We make detailed comparisons between our new protocols and (H)MQV, showing that the newly developed protocols outperform HMQV in most aspects. Very briefly speaking, we achieve: • The most efficient provably secure IA-DHKE protocol to date, and the first online-optimal provably secure IA-DHKE protocols. • The first IA-DHKE protocol that is provably secure, resilience to the leakage of DH components and exponents, under merely standard assumptions without additionally relying on the knowledge-of-exponent assumption (KEA). • The first provably secure privacy-preserving and computationally fair IA-DHKE protocol, with privacy-preserving properties of reasonable deniability and post-ID computability and the property of session-key computational fairness. Guided by our new design rationales, in this work we also formalize and introduce some new concept, say session-key computational fairness (as a complement to session-key security), to the literature.

Chao Liu,Zhongxiang Zheng,Keting Jia,Limin Tao

DOI: https://doi.org/10.1007/978-3-030-31919-9_1

2019-01-01

Abstract:Authenticated encryption (AE) is very suitable for a resources constrained environment for it needs less computational costs and AE has become one of the important technologies of modern communication security. Identity concealment is one of research focuses in design and analysis of current secure transport protocols (such as TLS1.3 and Google's QUIC). In this paper, we present a provably secure identity-concealed authenticated encryption in the public-key setting over ideal lattices, referred to as RLWE-ICAE. Our scheme can be regarded as a parallel extension of higncryption scheme proposed by Zhao (CCS 2016), but in the lattice-based setting. RLWE-ICAE can be viewed as a monolithic integration of public-key encryption, key agreement over ideal lattices, identity concealment and digital signature. The security of RLWE-ICAE is directly relied on the Ring Learning with Errors (RLWE) assumption. Two concrete choices of parameters are provided in the end.

Yuyang Zhou,Yuanfeng Guan,Zhiwei Zhang,Fagen Li

DOI: https://doi.org/10.1007/978-981-15-0818-9_3

2019-01-01

Abstract:The Snowden revelations show that powerful attackers can compromise user's machines to steal users' private information. At the same time, many of the encryption schemes that are proven to be secure in Random Oracle Model (ROM) may present undetectable vulnerabilities when implemented, and these vulnerabilities may reveal a users' secrets, e.g., the machine hides some backdoors without the user's awareness, and an attacker can steal the user's private information through these backdoors. Recently, Mironov and Stephens-Davidowitz proposed cryptographic reverse firewall (CRF) to solve this problem. However, there is no CRF for identity-based encryption (IBE) has been proposed. In this paper, we propose two CRF protocols for IBE. One is a one-round encryption protocol with CRF used on the receiver, and the other is a two-round encryption protocol with CRFs deployed on both sender and receiver. We prove that these two protocols can resist the exfiltration of secret information and one is only secure against a chosen plaintext attack (CPA), the other is semantically secure against an adaptive chosen ciphertext attack (IND-ID-CCA). Moreover, we use JPBC to implement our protocols. The experimental results indicate that our protocols have some advantages in communication cost. Under certain computation cost conditions, our protocols are efficient and practical.

张串绒,张玉清,李发根,肖鸿

DOI: https://doi.org/10.3969/j.issn.1000-436x.2010.03.003

2010-01-01

Abstract:At first, a new identity based signcryption algorithm was proposed; its security and efficiency were analyzed. As a result, its provable security in the random oracle model is proved; compared with the previous identity based sign- cryption algorithms, the new algorithm has lower computation cost and communication overhead. It is very suitable for secure communication protocols of key management and secure routing in ad hoc networks. Finally, for showing the ap- plication methods and significance of new identity based signcryption algorithm in ad hoc networks, a share refreshing protocol of a serve node’s system private key in threshold key management of ad hoc networks is given.

Fagen Li,Hu Xiong,YongJian Liao

DOI: https://doi.org/10.1109/ICCCAS.2009.5250509

2009-01-01

Abstract:Signcryption is a cryptographic primitive that fulfills both the functions of digital signature and public key encryption simultaneously, at a cost significantly lower than that required by the traditional signature-then-encryption approach. In this paper, we propose the first generic construction of identity-based signcryption (GCIS) by using identity-based key encapsulation mechanism (ID-KEM), data encapsulation mechanism (DEM), and identity-based signature schemes (ID-SIG). We prove that our construction satisfies confidentiality and unforgeability. We describe an instantiation of our construction that is secure in the standard model. Our instantiation also solves an open problem proposed by Yuen and Wei.

Shufen Niu,Qi Liu,Wei Liu,Runyuan Dong,Peng Ge

DOI: https://doi.org/10.1016/j.jisa.2023.103589

IF: 4.96

2023-11-01

Journal of Information Security and Applications

Abstract:Network slicing is a logical network function that supports communication service requirements for specific usage scenarios or business models. It has become an essential factor in solving future network architecture. In recent years, heterogeneous network slicing between multiple autonomous domains has emerged, with significant limitations compared to single-domain networks. Data sharing in heterogeneous network slices challenge the confidentiality of sensitive data significantly. Preventing sensitive data from leaking and protecting core data have become urgent problems to be solved. Therefore, we propose a multi-party (multi-sender to multi-receiver) anonymous authentication scheme on certificateless cryptography(CLC) and identity-based cryptosystem(IBC) institutional domain Internet of Vehicles(IoV) to smart healthcare. Our scheme realizes heterogeneous communication between multiple senders and multiple receivers, and uses different system parameters for heterogeneous cryptographic systems. In this work, the limitation of one-to-many or many-to-one communication in existing heterogeneous networks is broken through. The proposed work utilizes the pseudo-identity generated by the trusted authority to communicate in IoV slices, ensuring the anonymity of the sender; The authorization Center TA can uniquely determine the true identity of the vehicle through pseudo-random values for traceability. What is more, the Lagrange interpolation formula is employed to prevent the leakage of the identities of smart healthcare slices, ensuring the anonymity of the receiver. Under the random oracle model, the proposed scheme has proved to satisfy unforgeability, confidentiality, and anonymity under the computational Diffie–Hellman problem. Experimental results indicate that our proposal achieves better performance than existing schemes.

computer science, information systems

Zhaoman Liu,Yanbo Chen,Jianting Ning,Yunlei Zhao

DOI: https://doi.org/10.1016/j.tcs.2024.114464

IF: 1.002

2024-01-01

Theoretical Computer Science

Abstract:In the multicast communication scenario, compared with broadcast encryption, broadcast signcryption or multi-receiver signcryption has additional ability to authenticate the source of the message. With the enhanced awareness of privacy preservation, ordinary users pay more attention to the identity leakage in the communication process. The primitive of anonymous broadcast signcryption has been proposed to solve this problem, which provides additional anonymity compared with the existing broadcast signcryption. However, most anonymous broadcast signcryption schemes only ensure the sender's identity concealment but ignore the anonymity of the receiver set. In this paper, we present a fully anonymous identity-based broadcast signcryption scheme, which meets insider unforgeability, outsider confidentiality, identity concealment of sender and full anonymity of the receiver set. In addition, our scheme has two further desirable characteristics. One is public verifiability which means any third party can verify the validity of the message source without knowing the private key provided by the receiver. The other is statelessness which means the user does not need to update the private key due to the join or revocation of other users. Moreover, our scheme has constant-size public parameters and private key as well as constant decryption complexity, which makes the scheme more suitable for deployment in devices with limited storage or low computing power such as IoT devices.

Fagen Li,Fahad Bin Muhaya,Mingwu Zhang,Tsuyoshi Takagi

DOI: https://doi.org/10.1002/cpe.1823

2011-01-01

Abstract:Signcryption is a cryptographic primitive that fulfills both the functions of digital signature and public key encryption simultaneously, at a cost significantly lower than that required by the traditional signature-then-encryption approach. Signcryption has been shown to be useful in many applications, such as electronic commerce, mobile communications and smart cards. Recently, three identity-based signcryption schemes in the standard model were proposed. However, the three schemes are broken soon. How to construct a secure identity-based signcryption scheme in the standard model is still an open problem. In this paper, we solve this problem and propose an efficient identity-based signcryption scheme in the standard model. We prove that our scheme has the indistinguishability against adaptive chosen ciphertext attacks under the modified decisional bilinear Diffie-Hellman assumption and the existential unforgeability against adaptive chosen messages attacks under the computational Diffie-Hellman assumption.

Haijiang Xie,Jizhong Zhao

DOI: https://doi.org/10.1007/s12083-014-0287-x

IF: 3.488

2014-01-01

Peer-to-Peer Networking and Applications

Abstract:The state of art authentication schemes are tightly linked with encryption or crypto systems, which provides concrete foundations to move towards the concept of access control by confirming the user identity. However the openness of the computer network makes the identity credentials vulnerable even transmitted as cipher text especially in lots of peer-to-peer (P2P) networks. The malicious attackers can possibly steal and fake the user identity by eavesdropping, hijacking, cryptanalysis and forging. In this paper, a novel identity authentication mechanism is proposed based on the reverse usage of the Network Covert Channel (NCC) which is originally designed by attackers to create stealth communication. Different from NCC, where the packet intervals can be exploited as the data carrier to transmit the unauthorized information, we exploit such capability in Network-Covert-Channel-based Identity Authentication (NCCIA) to transmit the identity tag. By validating user identity in a covert manner, we provide a more secure authentication method compared with many existing approaches. A NCCIA demo system is designed on a FTP Platform to verify our method. The experiments demonstrate the NCCIA can prevent the attackers from eavesdropping while maintaining transmission efficiency.

Fagen Li,Yupu Hu,Chuanrong Zhang

DOI: https://doi.org/10.1007/978-3-540-72738-5_24

2007-01-01

Abstract:As various applications of wireless ad hoc networks have been proposed, security has become one of the big research challenges and is receiving increasing attention. Recently, Several security schemes for wireless ad hoc networks have been proposed using identity-based signcryption schemes. However, almost all identity-based signcryption schemes that have been proposed until now are based on a single private key generator, which is not suitable for multi-domain ad hoc networks. In this paper, we propose a new identity-based signcryption scheme based on multiple private key generators, which is more suitable for multi-domain ad hoc networks. We prove its semantical security under the Decisional Bilinear Diffie-Hellman assumption in the random oracle model.

Yi Wang,Rongmao Chen,Xinyi Huang,Jianting Ning,Baosheng Wang,Moti Yung

DOI: https://doi.org/10.1007/978-3-030-92075-3_15

2021-01-01

Abstract:Our context is anonymous encryption schemes hiding their receiver, but in a setting which allows authorities to reveal the receiver when needed. While anonymous Identity-Based Encryption (IBE) is a natural candidate for such fair anonymity (it gives trusted authority access by design), the de facto security standard (a.k.a. IND-ID-CCA) is incompatible with the ciphertext rerandomizability which is crucial to anonymous communication. Thus, we seek to extend IND-ID-CCA security for IBE to a notion that can be meaningfully relaxed for rerandomizability while it still protects against active adversaries. To the end, inspired by the notion of replayable adaptive chosen-ciphertext attack (RCCA) security (Canetti et al., Crypto'03), we formalize a new security notion called Anonymous Identity-Based RCCA (ANON-ID-RCCA) security for rerandomizable IBE and propose the first construction with rigorous security analysis. The core of our scheme is a novel extension of the double-strand paradigm, which was originally proposed by Golle et al. (CT-RSA'04) and later extended by Prabhakaran and Rosulek (Crypto'07), to the well-known Gentry-IBE (Eurocrypt'06). Notably, our scheme is the first IBE that simultaneously satisfies adaptive security, rerandomizability, and recipient-anonymity to date. As the application of our new notion, we design a new universal mixnet in the identitybased setting that does not require public key distribution (with fair anonymity). More generally, our new notion is also applicable to most existing rerandomizable RCCA-secure applications to eliminate the need for public key distribution infrastructure while allowing fairness.

Yong Yu,Fagen Li,Chunxiang Xu,Ying Sun

DOI: https://doi.org/10.1007/s11859-008-0607-1

2008-01-01

Abstract:Signcryption is a cryptographic primitive that performs encryption and signature in a single logical step more efficiently than sign-then-encrypt approach. Till now, various kinds of signcryption schemes have been proposed. Among them, the requirement of signcrypter’s privacy protection is needful in some practical applications. In this paper, a new identity-based anonymous signcryption scheme from bilinear pairings, which is the organic combination of identity-based ring signature and encryption scheme, is proposed. The proposed scheme is indistinguishable against the chosen ciphertext attack under the Decisional Bilinear Diffie-Hellman assumption in the random oracle model. Its unforgeability relies on the computational Diffie-Hellman problem. Compared with the previous schemes, the new scheme is more efficient in computation.

Fagen Li,Masaaki Shirase,Tsuyoshi Takagi

DOI: https://doi.org/10.1109/ares.2009.44

2009-01-01

Abstract:Signcryption is a cryptographic primitive that fulfills both the functions of digital signature and public key encryption simultaneously, at a cost significantly lower than that required by the traditional signature-then-encryption approach. In this paper, we address a question whether it is possible to construct a hybrid signcryption scheme in identity-based setting. This question seems to have never been addressed in the literature. We answer the question positively in this paper. In particular, we extend the concept of signcryption key encapsulation mechanism to the identity-based setting. We show that an identity-based signcryption scheme can be constructed by combining an identity-based signcryption key encapsulation mechanism with a data encapsulation mechanism. We also give an example of identity-based signcryption key encapsulation mechanism.

guobin zhu,hu xiong,ruijin wang,zhiguang qin

DOI: https://doi.org/10.1007/978-81-322-1759-6_12

2014-01-01

Abstract:As one of the fundamental cryptographic primitives, signcryption can achieve unforgeability and confidentiality simultaneously at the cost significantly lower than the signature-then-encryption approach in terms of computational costs and communication overheads. In view of the damage caused by the secret key leakage, Chen et al. proposed an efficient identity-based key-insulated signcryption (ID-KI-SC) scheme secure in the standard model recently. However, in this paper, we show that their scheme does not achieve the indistinguishability against adaptively chosen ciphertext attacks (IND-CCA2) and existential unforgeability against adaptively chosen message attacks (EUF-CMA). Furthermore, we propose an improved scheme that remedies the weakness of Chen et al.' s scheme.

Ou Ruan,Yuanyuan Zhang,Mingwu Zhang,Jing Zhou,Lein Harn

DOI: https://doi.org/10.1109/jsyst.2017.2685524

IF: 4.802

2018-01-01

IEEE Systems Journal

Abstract:Authenticated key exchange (AKE) scheme is one of the most widely used cryptographic primitives in practice, even in the Internet-of-Things (IoT) environments. In order to resist side-channel attacks, several works have been proposed for defining leakage-resilient (LR) security models and constructing LR-AKE protocols. However, all these LR-AKE schemes employed the traditional X.509 certificate-based public-key infrastructure authentication framework, where the online transmission and verification of the public-key certificate are the major drawbacks. In this paper, we first propose a general framework for constructing identity-based AKE protocols in the bounded after-the-fact LR extended-Canetti–Krawczyk security model, and show a formal proof in the standard model. Our proposed scheme offers a flexible approach to simplify the certificate management. Moreover, our result could be extended to the bounded-retrieval model, yielding the first LR-AKE protocol in this model.

Mingwu Zhang,Bo Yang,Shenglin Zhu,Wenzheng Zhang

DOI: https://doi.org/10.1007/978-3-540-69304-8_14

2008-01-01

Abstract:Three of the most important services offered by cryptography are confidential, private and authenticatability in distributed systems, such as P2P, trust negotiation and decentralized trust management. Information provider secretly encrypts a message with a hidden approach to protect message security and his privacy. Ring signcryption is an important way to realize full anonymity where the signcrypter cannot verify that this ciphertext was produced by himself. In this paper, we propose a novel construction of efficient secret authenticatable anonymous signcryption scheme in which only the actual signcrypter can authenticate that the ciphertext was produced by himself. The receiver cannot distinguish who the actual signcrypter is in the group even though he obtains all group members' private keys. Proposed scheme has the following properties: semantic security, signcrypter anonymity, signcrypter secret authenticatability, and unforgeability. We prove its security in the random oracle model under the DBDH assumption.