Blinding Self-Certified Key Issuing Protocols Using Elliptic Curves


Billy Bob Brumley
Helsinki University of Technology
Laboratory for Theoretical Computer Science

Abstract

Self-certified keys provide an attractive alternative to traditional certificate-based public key infrastructures. Many self-certified key issuing protocols strive to blind trusted third parties to users' private keys. One such key issuing protocol is based on the Nyberg-Rueppel signature scheme, but requires a proof of knowledge to avoid impersonation attacks. This paper describes a version of this protocol that uses elliptic curves and eliminates the impersonation attacks and the proof of knowledge.

KEYWORDS: elliptic curve cryptography, identity-based cryptography, self-certified keys, key issuing protocols

1 Introduction

In traditional certificate-based public key infrastructures, a user's public key is authenticated by means of a trusted third party's (TTP, footnote 1) explicit signature on the public key. Self-certified keys [6] are an efficient alternative in which the user's public key is extracted using the identity of the user and TTP's signature on this identity. addresses and IP addresses are two good examples of identities. Self-certified keys are related to identity-based cryptography [16]. Unfortunately, many self-certified schemes suffer from the key escrow problem, meaning that TTP gains access to the user's private key as well. Avoiding this problem is a desirable property of self-certified key issuing protocols [15].

Related Work. Ateniese et al. [1] presented a self-certified, identity-based (SCID) scheme which uses multiplicative groups and is based on the Nyberg-Rueppel signature scheme [14]. While a solution was presented to the key escrow problem by blinding TTP to the user's private key, this solution is susceptible to impersonation attacks and requires a proof of knowledge to be used securely.

Contributions.
The blind key issuing protocol using elliptic curve groups is presented, which does not require a proof of knowledge and is not susceptible to impersonation attacks. Eliminating the proof of knowledge is shown to reduce the complexity of the key issuing protocol.

Applications. Self-certified keys and identity-based schemes are well-suited for dynamic networks, where efficient and compact authentication is needed (for example, [4]). Elliptic curves also provide small key and signature sizes, which can be an advantageous feature in dynamic networks.

Acknowledgements: This work was supported in part by the project Packet Level Authentication funded by TEKES. Thanks to Prof. Kaisa Nyberg for suggestions and comments. Additionally, the author gratefully acknowledges those involved in the PLA project. Additional thanks go to Tuomas Kivinen for useful comments.

Footnote 1: The trusted third party will henceforth be referred to as the entity TTP.

2 Background

Authentication is an important facet of computer security. Digital signatures are a common way of providing such authentication on networks. This section contains a brief review of digital signatures, self-certified keys, and trust. These concepts are helpful in fully understanding the contributions of this paper.

2.1 The Nyberg-Rueppel Signature Scheme

The Nyberg-Rueppel signature scheme is a variation of the ElGamal scheme [5] and similarly based on the Discrete Log Problem: given a generator $g$ of large prime order and an element $g^{k}$, finding $k$ is infeasible. The Nyberg-Rueppel scheme is one of the few schemes present in many popular standards [9]. A version using multiplicative groups is outlined below; $H$ is a collision-resistant hash function.

Setup. Primes $r, q$ such that $r \mid (q - 1)$ are chosen, as well as a generator $g$ of order $r$.

Keygen. Alice generates a private key $s$ and public key $w$ by computing

$w = g^{s} \pmod{q}$, where $s \in \mathbb{Z}_r$. (1)

Sign. To generate a signature $(c, d)$ on a message $m$, Alice calculates

$c = H(m)\,g^{k} \pmod{q}$, where $k \in_R \mathbb{Z}_r$
$d = -k - sc \pmod{r}$. (2)

Verify. To verify the signature $(c, d)$ on the message $m$, Bob checks that

$H(m) = c\,g^{d}\,w^{c} \pmod{q}$. (3)

This computation is consistent:

$c\,g^{d}\,w^{c} = H(m)\,g^{k}\,g^{-k-sc}\,g^{sc} = H(m)\,g^{k-k-sc+sc} = H(m)$

The main operation for signing and verifying is modular exponentiation, which can be computed very efficiently using the Square-and-Multiply Method [11].

If two messages have the same hash value, existential forgery is possible. The signature of the former message can be attached to the latter message, which the user may not have signed. But since the hash values are the same, the signature will still verify. This is the reason $H$ must be collision-resistant.

Certificates provide a method for verifying public keys. Certificates are generated by TTP by signing the user's public key. This is a common type of Public Key Infrastructure (PKI). While this does provide a method for verifying the included public key, it requires the certificate to be transmitted with signed messages, causing excess storage and computation requirements.

2.2 Self-Certified Keys

Self-certified keys are an efficient alternative to certificate-based PKI. Instead of verifying public keys using an explicit signature on a user's public key, the public key is extracted directly from TTP's signature on the user's identity. This reduces the storage and computational requirements. While the extracted public key cannot be explicitly verified, resulting signatures will not verify unless the extracted key is authentic. If the message signature fails to verify, it is unknown whether the user's signature on the message is invalid or the extracted public key is invalid (or both).

2.3 Trust

The concept of a trusted third party can be fairly vague when discussing self-certified keys. To better define the notion of trust, Girault [6] introduced three distinct trust levels.

Trust Level 1. TTP knows the user's private key and can therefore impersonate the user without being detected.

Trust Level 2. TTP does not know the user's private key, but can still impersonate the user without being detected.

Trust Level 3. TTP does not know the user's private key, but can impersonate the user. However, such impersonation can be detected.

Detected means that if TTP tries to impersonate a user, the user can prove it; for example, by providing two different signatures from TTP on the same identity. Trust Level 1 is inadequate for many reasons, one being that it usually requires a secure key escrow. Reaching Trust Level 3 is generally the goal; consider the following scenario. An Internet Service Provider (ISP, the user's TTP) charges based on bandwidth usage. Each packet is digitally signed by the user, providing assurance that the ISP is billing in an honest manner. If the ISP can impersonate the user in an undetectable manner, the ISP can generate false traffic from the user to increase the charges. Trust Levels 1 and 2 are therefore inadequate. This is just one example of why Trust Level 3 is desirable.

3 A Nyberg-Rueppel SCID Scheme

A SCID scheme based on the Nyberg-Rueppel signature scheme was presented in [1] where the focus is on provable security. As such, exponentiation of separate generators to the power of the hash values from $H$ takes place. No such exponentiation is present here, as the focus is on efficiency and practicality. While it was noted that elliptic curve groups provide an efficient setting, all of the notation therein is for multiplicative groups. The scheme is presented below. Let $k_{(i)}$ be random integers in $\mathbb{Z}_r$.

Setup. Primes $r, q$ such that $r \mid (q - 1)$ are chosen, as well as a generator $g$ of order $r$. TTP generates a private key $s_T$ and public key $w_T$ using (1).

Keygen. To generate a key pair on user Alice's identity $ID_A$, TTP calculates

r A = g k (mod q) s A = k s T r A (mod r) (4)

and escrows $(r_A, s_A)$ to Alice.

Extract. To extract Alice's public key $w_A = g^{s_A}$ on identity $ID_A$ given public value $r_A$, Bob calculates

w A = H(ID A) w ra D r A (mod q) (5)

The key issuing protocol Keygen only reaches Trust Level 1.
Note that $(r_A, s_A)$ is simply a Nyberg-Rueppel signature by TTP on the message $ID_A$. Alice's private key is $s_A$ while $r_A$ is used by other users to reconstruct Alice's public key as shown in Extract. The public key is correct:

w ra D r A = g st ra g k = 1 g k sa+k = gsa

As with Nyberg-Rueppel signatures, existential forgery is still possible. In this case, if two users have identities that hash to the same value, they can impersonate the other user.

3.1 A More Secure Key Issuing Protocol

A key issuing protocol that reaches Trust Level 3 was also presented in [1] and appears below.

Keygen. The following protocol is used to generate a key pair on user Alice's identity $ID_A$.

TTP Alice: g ka (mod q) Alice TTP: CHAL TTP Alice: SIG ka (CHAL) TTP: V ER g k A (SIG ka (CHAL)) { r A = g ka g kt (mod q) Alice TTP: s A = k T x T r A (mod r) (6)

Alice's private key is s A = s A k A (mod r). The public key $g^{s_A}$ extracts correctly:

g xt ra g ka g kt = 1 g kt sa+sa sa+kt = gsa

The first few steps of the protocol involve a proof of knowledge by Alice. This is done to prevent impersonation attacks as described below. TTP issues a challenge message CHAL. Alice then signs this message using key $k_A$ and TTP verifies this signature using key $g^{k_A}$.

3.2 Impersonation Attacks

The threat of an impersonation attack was noted in [1]. However, it is not immediately clear how the attack is carried out, as different generators are used in exponentiation to the power of the hashes. As mentioned, no such exponentiation takes place here; for this case, the attack is outlined below.

Consider a malicious user Malice attempting to obtain a valid signature from TTP on Alice's identity using (6) where no proof of knowledge is performed. Malice (identity $ID_M$) needs to choose some difference $d$ such that

dg ka g kt H(ID M ) = g ka g kt d = H(ID A) H(ID M ). (7)

That is, Malice can choose parameters in the following manner.

TTP Malice: gka (mod q) H(ID M ) r A = gk A H(ID A)g k T H(ID M) H(ID M) (mod q) Malice TTP: = g ka g kt s A = k T x T r A (mod r) (8)

Malice now has a valid signature from TTP on Alice's identity and can freely impersonate Alice. To use this protocol securely, the user must prove knowledge of the discrete log of $g^{k_A}$ to the base $g$ (given $g^{k_A}$, the user proves that $k_A$ is known) as shown in (6).

4 Using Elliptic Curves

Elliptic curves are defined by their Weierstrass equation:

$y^2 = x^3 + ax + b$. (9)

Taken over $\mathbb{R}$, these curves have the interesting property that given two points $P, Q$ such that $P \neq Q$, the line between them intersects the curve at exactly one other point. The reflection of this point on the x-axis is also on the curve, $R$. This operation is called point addition, denoted $P + Q = R$. If $P = Q$, the line tangent to the curve at $P$ is used. In this case, the operation is called point doubling, denoted $2P = R$. Algebraically, these points form an abelian group.

[Figure 1: Elliptic curve $y^2 = x^3 - x$ over $\mathbb{R}$. Point addition and doubling.]

In cryptography [13, 12], these curves are defined over a finite field $\mathbb{F}_q$, where $q = p$ (a prime finite field) or $q = 2^m$ (a binary finite field, footnote 2) [9]. That is, all $x, y \in \mathbb{F}_q$.

Footnote 2: The elliptic curve and point addition equations are slightly different when using binary fields.

The sum of two points $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ is calculated as follows.

$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda(x_1 - x_3) - y_1$, where (10)
$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \neq Q \\ \dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q \end{cases}$

Note that $\lambda$ is the slope. This calculation is largely dominated by the cost of the single field inversion present.

Scalar multiplication, denoted $kP$, is the elliptic curve analogue of exponentiation. It is used to compute $k$ multiples of a point.

$kP = \underbrace{P + P + \cdots + P}_{k \text{ times}}$

This can be carried out efficiently by combining point additions and doublings using the Double-and-Add Method (Alg. 1), which is analogous to the square-and-multiply method for exponentiation. As with exponentiation, there are much more efficient methods [7].

Algorithm 1: Scalar multiplication, Double-and-Add.
  Input: integer k, point P ∈ E(F_q)
  Output: kP
  Q ← identity element
  while k > 0 do
    if k is odd then Q ← Q + P    /* k & 1 */
    k ← ⌊k/2⌋                     /* right shift by one */
    P ← 2P                        /* point doubling */
  end
  return Q

Digital signatures using elliptic curves. Most digital signature schemes that use multiplicative groups (including ElGamal variations) can also use elliptic curve groups. Table 1 from [9] outlines the analogous operations and settings. In practice, an elliptic curve $E$ is used with a base point generator $G$ of prime order $r$. It is very difficult to solve the Elliptic Curve Discrete Log Problem: given the generator $G$ of large prime order and some other point $kG$, finding $k$ is infeasible.

| | Multiplicative Groups | Elliptic Curve Groups |
|---|---|---|
| Setting | $\mathbb{F}_q$ | curve $E$ over $\mathbb{F}_q$ |
| Basic operation | multiplication in $\mathbb{F}_q$ | addition of points |
| Main operation | exponentiation | scalar multiplication |
| Base element | generator $g$ | base point $G$ |
| Base element order | prime $r$ | prime $r$ |
| Private key | $s$ (integer mod $r$) | $s$ (integer mod $r$) |
| Public key | $w$ (element of $\mathbb{F}_q$) | $W$ (point on $E$) |

Table 1: Elliptic curve and multiplicative group analogues.

Elliptic curves are often used when small public keys and signatures are needed. Table 2 from [10] shows an equivalent level of security; using elliptic curve cryptography (ECC) requires far fewer bits.

[Table 2: Comparable key sizes (in bits); columns Symmetric, ECC, DSA/RSA.]

Point compression. Public keys (or any point on $E$, a group element) are made up of $(x, y)$ coordinates, but the $y$ coordinate can be compressed; given an x-coordinate, there are either two or zero solutions to (9). Therefore, it suffices to store $x$ and a compression bit $b$ (which determines which solution to take). This point compression is accomplished using the function COMPRESS.

Point decompression. DECOMPRESS yields a point $P$ given $x$ and compression bit $b$. The complexity depends on the underlying field. In the prime case, this involves computing a square root in a prime field, not a trivial operation. In the binary case, a quadratic equation is solved. This depends on the representation of the binary field elements. When using a normal basis representation, this is accomplished very quickly and involves only a few field multiplications and some bit rotations. For more on the basics of ECC, see [8].

4.1 An Elliptic Curve SCID Scheme

The SCID scheme (Sec. 3) as well as the blind key issuing protocol (6) can be modified to use elliptic curve groups.
The analogous steps are presented below, with minor modifications (footnote 3). The proof of knowledge is not performed.

Footnote 3: Some signs have been changed. This does not affect the principles. Also, the point $k_A G$ can be compressed if needed.

Setup. Elliptic curve $E$ is chosen with base point generator $G$ of prime order $r$ where $r \mid \#E$. TTP generates a domain private key $s_T \in_R \mathbb{Z}_r$ and domain public key $W_T = s_T G$. TTP then publishes $W_T$.

Keygen. The following protocol (elliptic curve analogue of (6)) is used to generate a key pair on user Alice's identity $ID_A$. It reaches Trust Level 3.

TTP Alice: k A G TTP: (r A, b A ) = COMPRESS(k A G + k T G) r A = r A + s A = k T r A s T (mod r) Alice TTP: (r A, b A, s A ) (11)

Alice's private key is s A = k A + s A (mod r).

Extract. To extract Alice's public key $W_A = s_A G$ on identity $ID_A$ given public values $(r_A, b_A)$, Bob calculates

W A = DECOMPRESS(r A, b A ) r A W T (12)

The extracted public key is correct ($W_A = s_A G$):

W A = DECOMPRESS(r A, b A ) r A W T = DECOMPRESS(r A +, b A ) r A W T = k A G + k T G r A s T G = (k A + k T r A s T )G = (k A + s A )G = s A G

4.2 Attempting Impersonation Attacks

Consider Malice attempting to obtain a valid signature from TTP on Alice's identity using (11). Malice must send an element of the group; more specifically, a point in the main subgroup (a multiple of the point $G$). TTP can and should verify this. As in (7), Malice needs to choose some difference $d$ such that

[(k A + d)g + k T G] x + H(ID M ) = [k A G + k T G] x +. (13)

This seems to be very unlikely, as Malice does not know TTP's random value $k_T$.

5 Results & Conclusions

In an attempt to quantify the likelihood of impersonation success, an experiment was run using an implementation in Java. As such an experiment requires every point on the curve to be computed, only small, toy curves can be examined, as standard curves for cryptographic use have too many points. A few different curves over prime fields were examined.
The results suggest the probability of impersonation success is extremely low, only slightly higher than guessing a private key on the curve. This suggests that as the size of the curve increases, the probability of success of such an impersonation attack shrinks to an insignificant amount.

Table 3 compares the storage and computation requirements when verifying message signatures using traditional certificate-based PKI and when using self-certified keys. Not only is there one less elliptic scalar multiplication (ESM) present, but the three can be done simultaneously [3] very efficiently.

| Certificate-Based PKI | Self-Certified |
|---|---|
| signature (2r) | signature (2r) |
| public key (q + 1) | self-certified public key (q + 1) |
| TTP signature on public key (2r) | - |
| verify public key (2 ESMs) | extract public key (1 ESM) |
| verify signature (2 ESMs) | verify signature (2 ESMs) |

Table 3: Storage and computation requirements.

In conclusion, a modification to an existing blind self-certified key issuing protocol has been presented for use with elliptic curves (11). This is much less complex than its multiplicative group analogue (6), as no proof of knowledge is needed.

5.1 Future Work

Although experimental results suggest impersonation is not a serious threat in (11), the true upper bound on the probability of impersonation success is an open question. Future work is planned.

In the area of small and short signatures, probably the most active area of research is pairing-based cryptography [2], which also uses elliptic curves. However, pairings are generally considered much more expensive to compute than scalar multiplications. Efficient settings and methods for calculating pairings could be a topic of research.

References

[1] G. Ateniese and B. de Medeiros. A provably secure Nyberg-Rueppel signature variant with applications. Cryptology ePrint Archive, Report 2004/093.
[2] D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In ASIACRYPT '01: Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security, London, UK. Springer-Verlag.
[3] B. B. Brumley. Efficient three-term simultaneous elliptic scalar multiplication with applications. In V. Fåk, editor, Proceedings of the 11th Nordic Workshop on Secure IT Systems (NordSec 2006), Linköping, Sweden.
[4] C. Candolin, J. Lundberg, and H. Kari. Packet level authentication in military networks. In Proceedings of the 6th Australian Information Warfare & IT Security Conference, Geelong, Australia, November.
[5] T. ElGamal. A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, IT-31(4).
[6] M. Girault. Self-certified public keys. In D. W. Davies, editor, Advances in Cryptology - EuroCrypt '91, Berlin. Springer-Verlag. Lecture Notes in Computer Science Volume 547.
[7] D. M. Gordon. A survey of fast exponentiation methods. J. Algorithms, 27(1), 1998.
[8] D. Hankerson, A. Menezes, and S. Vanstone. Guide to elliptic curve cryptography. Springer, New York.
[9] IEEE. Standard specifications for public-key cryptography. Technical Report P1363 / D13, Institute of Electrical and Electronics Engineers (IEEE), November.
[10] IETF. ECC cipher suites for TLS. Technical report, TLS Working Group, Internet Engineering Task Force (IETF), October.
[11] D. E. Knuth. The Art of Computer Programming: Seminumerical Algorithms, volume 2. Addison-Wesley, Reading, MA, 3rd edition.
[12] N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48.
[13] V. S. Miller. Use of elliptic curves in cryptography. In CRYPTO '85: Advances in Cryptology, London, UK. Springer-Verlag.
[14] K. Nyberg and R. A. Rueppel. A new signature scheme based on the DSA giving message recovery. In CCS '93: Proceedings of the 1st ACM conference on Computer and communications security, pages 58-61, New York, NY, USA. ACM Press.
[15] H. Petersen and P. Horster. Self-Certified Keys: Concepts and Applications. In Proceedings of the Third International Conference on Communications and Multimedia Security, London. Chapman & Hall.
[16] A. Shamir. Identity-based cryptosystems and signature schemes. In Proceedings of CRYPTO '84 on Advances in cryptology, pages 47-53, New York, NY, USA. Springer-Verlag New York, Inc.
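Added example (not part of the paper, and not the author's Java implementation): the blind key issuing and extraction steps of Section 4.1 in Python, including the subgroup check that Section 4.2 says TTP should perform, Algorithm 1, the addition formulas (10) and point compression. Assumptions: the curve is secp256k1, H is SHA-256 reduced mod r, r_A is formed as the integer sum of the compressed x-coordinate and H(ID_A) (the hash term is not legible in (11) as transcribed here), and all function and class names are hypothetical.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; the paper does not name one).
P = 2**256 - 2**32 - 977                      # field prime, P % 4 == 3
A, B = 0, 7                                   # y^2 = x^3 + A*x + B, as in (9)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
R = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order r


def on_curve(pt):
    """True if pt is an affine point that satisfies the curve equation."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x**3 - A * x - B) % P == 0


def add(p1, p2):
    """Point addition and doubling per (10); None is the identity element."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:       # P + (-P) = identity
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % P)


def mul(k, pt):
    """Algorithm 1 (double-and-add) for k >= 0. Not constant time."""
    q = None
    while k > 0:
        if k & 1:
            q = add(q, pt)
        k >>= 1
        pt = add(pt, pt)
    return q


def compress(pt):
    return pt[0], pt[1] & 1                   # x and the parity bit of y


def decompress(x, b):
    if not 0 <= x < P:
        raise ValueError("x is not a field element")
    y2 = (x**3 + A * x + B) % P
    y = pow(y2, (P + 1) // 4, P)              # square root, valid as P % 4 == 3
    if y * y % P != y2:
        raise ValueError("no curve point has this x-coordinate")
    return x, (y if y & 1 == b else P - y)


def H(identity):
    """Assumed hash-to-integer: SHA-256 of the identity string, reduced mod r."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % R


class TTP:
    def __init__(self):
        self.s_T = secrets.randbelow(R - 1) + 1   # domain private key
        self.W_T = mul(self.s_T, G)               # published domain public key

    def issue(self, identity, K_A):
        """TTP side of (11). It sees only K_A = k_A*G, never k_A or s_A."""
        if not on_curve(K_A) or mul(R, K_A) is not None:
            raise ValueError("blinding point is not in the subgroup generated by G")
        while True:
            k_T = secrets.randbelow(R - 1) + 1
            point = add(K_A, mul(k_T, G))
            if point is not None:
                break
        x_bar, b_A = compress(point)
        r_A = x_bar + H(identity)                 # assumed form of r_A
        s_bar = (k_T - r_A * self.s_T) % R
        return r_A, b_A, s_bar


def extract(identity, r_A, b_A, W_T):
    """Bob's side, (12): rebuild W_A from the identity and public (r_A, b_A)."""
    point = decompress(r_A - H(identity), b_A)
    return add(point, neg(mul(r_A % R, W_T)))


def alice_keygen(ttp, identity):
    """Alice's side of (11): blind with k_A, then unblind s_bar into s_A."""
    k_A = secrets.randbelow(R - 1) + 1
    r_A, b_A, s_bar = ttp.issue(identity, mul(k_A, G))
    s_A = (k_A + s_bar) % R
    if extract(identity, r_A, b_A, ttp.W_T) != mul(s_A, G):
        raise ValueError("TTP response does not match the blinded request")
    return s_A, (r_A, b_A)
```

Extraction with any identity other than the one TTP signed either raises or yields a point that is not s_A*G, so signatures checked against it fail to verify, as Section 2.2 describes.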
A New Class of Public Key Cryptosystems Constructed Based on ReedSolomon Codes, K(XII)SEPKC. Along with a presentation of K(XII)SEPKC over the extension field F 2 8 extensively used for present day various
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationMATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction
MATH 168: FINAL PROJECT Troels Eriksen 1 Introduction In the later years cryptosystems using elliptic curves have shown up and are claimed to be just as secure as a system like RSA with much smaller key
More informationDigital Signature Standard (DSS)
FIPS PUB 1864 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Digital Signature Standard (DSS) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute
More informationSession Initiation Protocol Attacks and Challenges
2012 IACSIT Hong Kong Conferences IPCSIT vol. 29 (2012) (2012) IACSIT Press, Singapore Session Initiation Protocol Attacks and Challenges Hassan Keshavarz +, Mohammad Reza Jabbarpour Sattari and Rafidah
More informationAuthentication requirement Authentication function MAC Hash function Security of
UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy
More informationARCHIVED PUBLICATION
ARCHIVED PUBLICATION The attached publication, FIPS Publication 1863 (dated June 2009), was superseded on July 19, 2013 and is provided here only for historical purposes. For the most current revision
More informationCryptographic Hash Functions Message Authentication Digital Signatures
Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBCMAC Digital signatures 2 Encryption/Decryption
More information1720  Forward Secrecy: How to Secure SSL from Attacks by Government Agencies
1720  Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?
More informationCUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631
Cunsheng DING, HKUST Lecture 08: Key Management for Onekey Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.
More informationPertinent Side Channel Attacks on Elliptic Curve Cryptographic Systems
Pertinent Side Channel Attacks on Elliptic Curve Cryptographic Systems Stanford University CS259c/MATH250: Elliptic Curves in Cryptography December 15, 2011 1 Introduction Elliptic curve cryptosystems
More informationPublic Key (asymmetric) Cryptography
PublicKey Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,
More informationLukasz Pater CMMS Administrator and Developer
Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? Oneway functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign
More informationPublic Key Cryptography Overview
Ch.20 PublicKey Cryptography and Message Authentication I will talk about it later in this class Final: Wen (5/13) 16301830 HOLM 248» give you a sample exam» Mostly similar to homeworks» no electronic
More information36 Toward Realizing PrivacyPreserving IPTraceback
36 Toward Realizing PrivacyPreserving IPTraceback The IPtraceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems
More informationSecure LargeScale Bingo
Secure LargeScale Bingo Antoni MartínezBallesté, Francesc Sebé and Josep DomingoFerrer Universitat Rovira i Virgili, Dept. of Computer Engineering and Maths, Av. Països Catalans 26, E43007 Tarragona,
More informationA Survey of the Elliptic Curve Integrated Encryption Scheme
JOURNAL OF COMPUTER SCIENCE AND ENGINEERING, VOLUME, ISSUE, AUGUST 010 A Survey of the Elliptic Curve Integrated Encryption Scheme 7 V. Gayoso Martínez, L. Hernández Encinas, and C. Sánchez Ávila Abstract
More informationSecurity Strength of RSA and Attribute Based Encryption for Data Security in Cloud Computing
Security Strength of RSA and Attribute Based Encryption for Data Security in Cloud Computing S.Hemalatha, Dr.R.Manickachezian Ph.D Research Scholar, Department of Computer Science, N.G.M College, Pollachi,
More informationCommunications security
University of Roma Sapienza DIET Communications security Lecturer: Andrea Baiocchi DIET  University of Roma La Sapienza Email: andrea.baiocchi@uniroma1.it URL: http://net.infocom.uniroma1.it/corsi/index.htm
More informationA One Round Protocol for Tripartite
A One Round Protocol for Tripartite Diffie Hellman Antoine Joux SCSSI, 18, rue du Dr. Zamenhoff F92131 IssylesMx Cedex, France Antoine.Joux@ens.fr Abstract. In this paper, we propose a three participants
More informationSchnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania
Schnorr Signcryption Combining public key encryption with Schnorr digital signature Laura Savu, University of Bucharest, Romania IT Security for the Next Generation European Cup, Prague 1719 February,
More informationThe Journal of Systems and Software
The Journal of Systems and Software 82 (2009) 789 793 Contents lists available at ScienceDirect The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss Design of DLbased certificateless
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationSecure Network Communication Part II II Public Key Cryptography. Public Key Cryptography
Kommunikationssysteme (KSy)  Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 20002001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem
More informationCRC Press has granted the following specific permissions for the electronic version of this book:
This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationLecture 6  Cryptography
Lecture 6  Cryptography CSE497b  Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497bs07 Question 2 Setup: Assume you and I don t know anything about
More informationA novel deniable authentication protocol using generalized ElGamal signature scheme
Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme WeiBin Lee a, ChiaChun Wu a, WoeiJiunn Tsaur
More informationBreaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and
Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study
More informationCSC474/574  Information Systems Security: Homework1 Solutions Sketch
CSC474/574  Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a oneround Feistel cipher
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES. Daniela Bojan and Sidonia Vultur
ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES Daniela Bojan and Sidonia Vultur Abstract.The new services available on the Internet have born the necessity of a permanent
More informationCRYPTOG NETWORK SECURITY
CRYPTOG NETWORK SECURITY PRINCIPLES AND PRACTICES FOURTH EDITION William Stallings Prentice Hall Upper Saddle River, NJ 07458 'jkfetmhki^^rij^jibwfcmf «MMr""'^.;
More informationSecurity in Electronic Payment Systems
Security in Electronic Payment Systems Jan L. Camenisch, JeanMarc Piveteau, Markus A. Stadler Institute for Theoretical Computer Science, ETH Zurich, CH8092 Zurich email: {camenisch, stadler}@inf.ethz.ch
More informationAn Introduction to Digital Signature Schemes
An Introduction to Digital Signature Schemes Mehran Alidoost Nia #1, Ali Sajedi #2, Aryo Jamshidpey #3 #1 Computer Engineering Department, University of GuilanRasht, Iran m.alidoost@hotmail.com #2 Software
More informationMetered Signatures  How to restrict the Signing Capability 
JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL.?, NO.?, 1 Metered Signatures  How to restrict the Signing Capability  WooHwan Kim, HyoJin Yoon, and Jung Hee Cheon Abstract: We propose a new notion of metered
More informationNetwork Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 81
Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 81 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret
More informationCryptography: Authentication, Blind Signatures, and Digital Cash
Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,
More informationA SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTS
A SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTS ABSTRACT Greeshma Sarath 1, Devesh C Jinwala 2 and Sankita Patel 3 1,2,3 Department of Computer Engineering, SVNIT, Surat greeshmasarath88@gmail.com,
More information2. Cryptography 2.4 Digital Signatures
DIFCTUNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores 20102011 2. Cryptography 2.4 Digital Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures
More informationIntroduction to Computer Security
Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors
More informationOn the Difficulty of Software Key Escrow
On the Difficulty of Software Key Escrow Lars R. Knudsen and Torben P. Pedersen Katholieke Universiteit Leuven, Belgium, email: knudsen@esat.kuleuven.ac.be Cryptomathic, Denmark, email: tpp@cryptomathic.aau.dk
More informationSECRET sharing schemes were introduced by Blakley [5]
206 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 1, JANUARY 2006 Secret Sharing Schemes From Three Classes of Linear Codes Jin Yuan Cunsheng Ding, Senior Member, IEEE Abstract Secret sharing has
More informationTextbooks: Matt Bishop, Introduction to Computer Security, AddisonWesley, November 5, 2004, ISBN 0321247442.
CSET 4850 Computer Network Security (4 semester credit hours) CSET Elective IT Elective Current Catalog Description: Theory and practice of network security. Topics include firewalls, Windows, UNIX and
More informationElliptic Curve Hash (and Sign)
Elliptic Curve Hash (and Sign) (and the 1up problem for ECDSA) Daniel R. L. Brown Certicom Research ECC 2008, Utrecht, Sep 2224 2008 Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43
More informationA Proposal for Authenticated Key Recovery System 1
A Proposal for Authenticated Key Recovery System 1 Tsuyoshi Nishioka a, Kanta Matsuura a, Yuliang Zheng b,c, and Hideki Imai b a Information & Communication Business Div. ADVANCE Co., Ltd. 57 Nihombashi
More informationELLIPTIC CURVES AND LENSTRA S FACTORIZATION ALGORITHM
ELLIPTIC CURVES AND LENSTRA S FACTORIZATION ALGORITHM DANIEL PARKER Abstract. This paper provides a foundation for understanding Lenstra s Elliptic Curve Algorithm for factoring large numbers. We give
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications EunKyung Ryu 1), KeeYoung Yoo 2), KeumSook Ha 3) Abstract The technique
More informationPublic Key Cryptography. Performance Comparison and Benchmarking
Public Key Cryptography Performance Comparison and Benchmarking Tanja Lange Department of Mathematics Technical University of Denmark tanja@hyperelliptic.org 28.08.2006 Tanja Lange Benchmarking p. 1 What
More informationFAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION
FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION INTRODUCTION GANESH ESWAR KUMAR. P Dr. M.G.R University, Maduravoyal, Chennai. Email: geswarkumar@gmail.com Every day, millions of people
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationStrengthen Cloud Computing Security with Federal Identity Management Using Hierarchical IdentityBased Cryptography
Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical IdentityBased Cryptography Liang Yan, Chunming Rong, and Gansen Zhao University of Stavanger, Norway {liang.yan,chunming.rong}@uis.no
More informationBreaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring
Breaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The DiffieHellman keyexchange protocol may naturally be extended to k > 2
More informationModular Security Proofs for Key Agreement Protocols
Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.
More information