Results 1  10
of
83
Improved proxy reencryption schemes with applications to secure distributed storage
 IN NDSS
, 2005
"... In 1998, Blaze, Bleumer, and Strauss proposed an application called atomic proxy reencryption, in which a semitrusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure reencryption will become increasingly popu ..."
Abstract

Cited by 190 (16 self)
 Add to MetaCart
In 1998, Blaze, Bleumer, and Strauss proposed an application called atomic proxy reencryption, in which a semitrusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure reencryption will become increasingly popular as a method for managing encrypted file systems. Although efficiently computable, the widespread adoption of BBS reencryption has been hindered by considerable security risks. Following recent work of Ivan and Dodis, we present new reencryption schemes that realize a stronger notion of security and we demonstrate the usefulness of proxy reencryption as a method of adding access control to the SFS readonly file system. Performance measurements of our experimental file system demonstrate that proxy reencryption can work effectively in practice.
On the security of joint signature and encryption
, 2002
"... We formally study the notion of a joint signature and encryption in the publickey setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of t ..."
Abstract

Cited by 154 (6 self)
 Add to MetaCart
(Show Context)
We formally study the notion of a joint signature and encryption in the publickey setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encryptthensign” (EtS) and “signthenencrypt” (StE) methods are both secure composition methods in the publickey setting. We also present a new composition method which we call “committhenencryptandsign” (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent “hashsignswitch” technique of [30], leading to efficient online/offline signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2security, which we call generalized CCA2ecurity (gCCA2). We show that gCCA2security suffices for all known uses of CCA2secure encryption, while no longer suffering from the definitional shortcomings of the latter.
Efficient Signcryption with Key Privacy from Gap DiffieHellman Groups
 PKC 2004. LNCS
, 2004
"... This paper proposes a new public key authenticated encryption (signcryption) scheme based on the DiffieHellman problem in Gap DiffieHellman groups. This scheme is built on the scheme proposed by Boneh, Lynn and Shacham in 2001 to produce short signatures. The idea is to introduce some randomness ..."
Abstract

Cited by 24 (1 self)
 Add to MetaCart
(Show Context)
This paper proposes a new public key authenticated encryption (signcryption) scheme based on the DiffieHellman problem in Gap DiffieHellman groups. This scheme is built on the scheme proposed by Boneh, Lynn and Shacham in 2001 to produce short signatures. The idea is to introduce some randomness into this signature to increase its level of security in the random oracle model and to reuse that randomness to perform encryption. This results in a signcryption protocol that is more efficient than any combination of that signature with an El Gamal like encryption scheme. The new scheme is also shown to satisfy really strong security notions and its strong unforgeability is tightly related to the DiffieHellman assumption in Gap DiffieHellman groups.
Two birds one stone: signcryption using RSA
 In: CTRSA 2003, LNCS 2612
, 2003
"... Abstract. Signcryption is a public key primitive proposed by Zheng [14] to achieve the combined functionality of digital signature and encryption in an efficient manner. We present a signcryption scheme based on RSA and provide proofs of security in the random oracle model [6] for its privacy and un ..."
Abstract

Cited by 19 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Signcryption is a public key primitive proposed by Zheng [14] to achieve the combined functionality of digital signature and encryption in an efficient manner. We present a signcryption scheme based on RSA and provide proofs of security in the random oracle model [6] for its privacy and unforgeability. Both proofs are under the assumption that inverting the RSA function is hard. Our scheme has two appealing aspects to it. First of all it produces compact ciphertexts. Secondly it offers nonrepudiation in a very straightforward manner. 1
Concealment and its applications to authenticated encryption
 In EUROCRYPT 2003
, 2003
"... Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, b ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened ” by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make b  ≪ m, which we call a “nontrivial ” concealment. We show that nontrivial concealments are equivalent to the existence of collisionresistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public or symmetrickey) designed
Efficient and Provably Secure Certificateless Signcryption from Bilinear Maps
"... Abstract. Signcryption is a cryptographic primitive that fulfills both the functions of digital signature and public key encryption simultaneously, at a cost significantly lower than that required by the traditional signaturethenencryption approach. In 2008, Barbosa and Farshim introduced the noti ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Signcryption is a cryptographic primitive that fulfills both the functions of digital signature and public key encryption simultaneously, at a cost significantly lower than that required by the traditional signaturethenencryption approach. In 2008, Barbosa and Farshim introduced the notion of certificateless signcryption (CLSC) and proposed the first CLSC scheme [3], but which requires six pairing operations in the signcrypt and unsigncrypt phases. In this paper, aimed at designing an efficient CLSC scheme, we propose a new efficient CLSC scheme from bilinear maps, which requires only two pairing operations in the signcrypt and unsigncrypt phases and is more efficient than all the schemes available.
Building better signcryption schemes with TagKEMs
 PROCEEDINGS OF THE 9TH INTERNATIONAL CONFERENCE ON THEORY AND PRACTICE OF PUBLICKEY CRYPTOGRAPHY, PKC 2006, VOLUME 3958 OF LECTURE NOTES IN COMPUTER SCIENCE
, 2006
"... Signcryption schemes aim to provide all of the advantages of simultaneously signing and encrypting a message. Recently, Dent [8, 9] and Bjørstad [4] investigated the possibility of constructing provably secure signcryption schemes using hybrid KEMDEM techniques [7]. We build on this work by showin ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
Signcryption schemes aim to provide all of the advantages of simultaneously signing and encrypting a message. Recently, Dent [8, 9] and Bjørstad [4] investigated the possibility of constructing provably secure signcryption schemes using hybrid KEMDEM techniques [7]. We build on this work by showing that more efficient insider secure hybrid signcryption schemes can be built using tagKEMs [1]. To prove the effectiveness of this construction, we will provide several examples of secure signcryption tagKEMs, including a brand new construction based on the ChevallierMames signature scheme [5] which has the tightest known security reductions for both confidentiality and unforgeability.
Hybrid signcryption schemes with insider security
 Proceedings of 10th Australasian Conference on Information Security and Privacy, volume 3574 of Lecture Notes in Computer Science
, 2005
"... Abstract. The question of constructing a hybrid signcryption scheme with outside security was considered by Dent [7]. That paper also demonstrated that the basic hybrid construction formalised by Cramer and Shoup [5, 9] is incapable of producing a signcryption scheme with insider security. This pape ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
(Show Context)
Abstract. The question of constructing a hybrid signcryption scheme with outside security was considered by Dent [7]. That paper also demonstrated that the basic hybrid construction formalised by Cramer and Shoup [5, 9] is incapable of producing a signcryption scheme with insider security. This paper provides a paradigm for constructing signcryption schemes with insider security based on the ideas of hybrid cryptography. 1
Versatile padding schemes for joint signature and encryption
 In Proceedings of Eleventh ACM Conference on Computer and Communication Security (CCS2004
, 2004
"... We propose several highlypractical and optimized constructions for joint signature and encryption primitives often referred to as signcryption. All our signcryption schemes, built directly from trapdoor permutations such as RSA, share features such as simplicity, efficiency, generality, nearoptima ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
We propose several highlypractical and optimized constructions for joint signature and encryption primitives often referred to as signcryption. All our signcryption schemes, built directly from trapdoor permutations such as RSA, share features such as simplicity, efficiency, generality, nearoptimal exact security, flexible and adhoc key management, key reuse for sending/receiving data, optimallylow message expansion, “backward ” use for plain signature/encryption, long message and associated data support, the strongestknown qualitative security and, finally, complete compatibility with the PKCS#1 infrastructure. Similar to the design of plain RSAbased signature and encryption schemes, such as RSAFDH and RSAOAEP, our signcryption schemes are constructed by designing appropriate padding schemes suitable for use with trapdoor permutations. We build a general and flexible framework for the design and analysis of secure Feistelbased padding schemes, as well as three composition paradigms for using such paddings to build optimized signcryption schemes. To unify many secure padding options offered as special cases of our framework, we construct a single versatile padding scheme PSEP which, by simply adjusting the parameters, can work optimally with any of the three composition paradigms for either signature, encryption, or signcryption. We illustrate the utility of our signcryption schemes by applying them to build a secure keyexchange protocol, with performance results showing 3x–5x speedup compared to standard protocols.
Cryptanalysis of an Elliptic Curvebased Signcryption Scheme
 INTERNATIONAL JOURNAL OF NETWORK SECURITY
, 2010
"... The signcryption is a relatively new cryptographic technique that is supposed to fulfill the functionalities of encryption and digital signature in a single logical step. Although several signcryption schemes are proposed over the years, some of them are proved to have security problems. In this pap ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
The signcryption is a relatively new cryptographic technique that is supposed to fulfill the functionalities of encryption and digital signature in a single logical step. Although several signcryption schemes are proposed over the years, some of them are proved to have security problems. In this paper, the security of Han et al.’s signcryption scheme is analyzed, and it is proved that it has many security flaws and shortcomings. Several devastating attacks are also introduced to the mentioned scheme whereby it fails all the desired and essential security attributes of a signcryption scheme.