• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.5 no.3
• /
• pp.607-625
• /
• 2011

Two-party key exchange protocol is a mechanism in which two parties communicate with each other over an insecure channel and output the same session key. A key exchange protocol that is secure against an active adversary who can control and modify the exchanged messages is called authenticated key exchange (AKE) protocol. LaMacchia, Lauter and Mityagin presented a strong security definition for public key infrastructure (PKI) based two-pass protocol, which we call the extended Canetti-Krawczyk (eCK) security model, and some researchers have provided eCK-secure AKE protocols in recent years. However, almost all protocols are provably secure in the random oracle model or rely on a special implementation technique so-called the NAXOS trick. In this paper, we present a PKI-based two-pass AKE protocol that is secure in the eCK security model. The security of the proposed protocol is proven without random oracles (under three assumptions), and does not rely on implementation techniques such as the NAXOS trick.

• Bulletin of the Korean Mathematical Society
• /
• v.46 no.4
• /
• pp.743-769
• /
• 2009

An ID-based DNF signature scheme is an ID-based signature scheme with an access structure which is expressed as a disjunctive normal form (DNF) with literals of signer identities. ID-based DNF signature schemes are useful to achieve not only signer-privacy but also a multi-user access control. In this paper, we formally define a notion of a (non-interactive) ID-based DNF signature and propose the first noninteractive ID-based DNF signature schemes that are secure under the computational Diffie-Hellman and subgroup decision assumptions. Our first scheme uses random oracles, and our second one is designed without random oracles. To construct the second one, we use a novel technique that converts a non-interactive witness indistinguishable proof system of encryption of one bit into a corresponding proof system of encryption of a bit-string. This technique may be of independent interest. The second scheme straightforwardly yields the first ID-based ring signature that achieves anonymity against full key exposure without random oracles. We finally present two extensions of the proposed ID-based DNF signature schemes to support multiple KGCs and different messages.

• Journal of Communications and Networks
• /
• v.15 no.3
• /
• pp.252-257
• /
• 2013

To alleviate the damage caused by key exposures, Dodis et al. introduced the notion of key-insulated security where secret keys are periodically updated by using a physically insulated helper key. To decrease the risk of helper key exposures, Hanaoka et al. advocated parallel key-insulated mechanism where distinct helpers are independently used in key updates. In this paper, we propose the first parallel key-insulated signature scheme which is provably secure without resorting to the random oracle methodology. Our scheme not only allows frequent key updating, but also does not increase the risk of helper key exposures.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.7
• /
• pp.2532-2553
• /
• 2014

In Asiacrypt 2003, Al-Riyami and Paterson proposed the notion of certificateless cryptography, a technique to remove key escrow from traditional identity-based cryptography as well as circumvent the certificate management problem of traditional public key cryptography. Subsequently much research has been done in the realm of certificateless encryption and signature schemes, but little to no work has been done for the identification primitive until 2013 when Chin et al. rigorously defined certificateless identification and proposed a concrete scheme. However Chin et al.'s scheme was proven in the random oracle model and Canetti et al. has shown that certain schemes provable secure in the random oracle model can be insecure when random oracles are replaced with actual hash functions. Therefore while having a proof in the random oracle model is better than having no proof at all, a scheme to be proven in the standard model would provide stronger security guarantees. In this paper, we propose the first certificateless identification scheme that is both efficient and show our proof of security in the standard model, that is without having to assume random oracles exist.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.5 no.2
• /
• pp.428-439
• /
• 2011

The main challenge in building efficient broadcast systems is to encrypt messages with short ciphertexts. In this paper, we present a new construction based on the identity. Our construction contains the desirable features, such as constant size ciphertexts and private keys, short public keys and not fixing the total number of possible users in the setup. In addition, the proposed scheme achieves the full security which is stronger than the selective-identity security. Furthermore we show that the proof of security does not rely on the random oracles. To the best our knowledge, it is the first efficient scheme that is full security and achieves constant size ciphertexts and private keys which solve the trade-off between the ciphertext size and the private key size.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.3
• /
• pp.1502-1522
• /
• 2019

Leakage of secret keys may be the most devastating problem in public key cryptosystems because it means that all security guarantees are missing. The forward security mechanism allows users to update secret keys frequently without updating public keys. Meanwhile, it ensures that an attacker is unable to derive a user's secret keys for any past time, even if it compromises the user's current secret key. Therefore, it offers an effective cryptographic approach to address the private key leakage problem. As an extension of the forward security mechanism in certificate-based public key cryptography, forward-secure certificate-based signature (FS-CBS) has many appealing merits, such as no key escrow, no secure channel and implicit authentication. Until now, there is only one FS-CBS scheme that does not employ the random oracles. Unfortunately, our cryptanalysis indicates that the scheme is subject to the security vulnerability due to the existential forgery attack from the malicious CA. Our attack demonstrates that a CA can destroy its existential unforgeability by implanting trapdoors in system parameters without knowing the target user's secret key. Therefore, it is fair to say that to design a FS-CBS scheme secure against malicious CAs without lying random oracles is still an unsolved issue. To address this problem, we put forward an enhanced FS-CBS scheme without random oracles. Our FS-CBS scheme not only fixes the security weakness in the original scheme, but also significantly optimizes the scheme efficiency. In the standard model, we formally prove its security under the complexity assumption of the square computational Diffie-Hellman problem. In addition, the comparison with the original FS-CBS scheme shows that our scheme offers stronger security guarantee and enjoys better performance.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.7 no.6
• /
• pp.1512-1532
• /
• 2013

A convertible undeniable signature requires a verifier to interact with the signer to verify a signature and furthermore allows the signer to convert a valid one to publicly verifiable signature. In 2007, Yuen et al. proposed a convertible undeniable signature without random oracles in pairings. However, it is recently shown that Yuen et al.'s scheme is not invisible for the standard definition of invisibility. In this paper, we propose a new improvement by using extended Euclidean algorithm that can overcome the visibility attack. The proposed scheme has been evaluated based on computation and communication complexities and the performance comparisons of Yuen et al.'s scheme and various convertible undeniable signature schemes are provided. Moreover, it has been observed that the proposed algorithm reduces the computation and communication times significantly.

• Journal of KIISE:Information Networking
• /
• v.35 no.6
• /
• pp.465-473
• /
• 2008

The MQV protocol has been regarded as the most efficient authenticated Diffie- Hellman key exchange protocol, and standardized by many organizations including the US NSA. In Crypto 2005, Hugo Krawczyk showed vulnerabilities of MQV to several attacks and suggested a hashed variant of MQV, called HMQV, which provides the same superb performance of MQV and provable security in the random oracle model. In this paper we suggest an efficient authenticated Diffie-Hellman key exchange protocol providing the same functionalities and security of HMQV without random oracles. So far there are no authenticated Diffie-Hellman protocols which are provably secure without using random oracles and achieve the same level of security goals of HMQV efficiently yet.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.4
• /
• pp.2254-2275
• /
• 2017

In this paper, we present an IND-CCA2 secure certificateless proxy re-encryption scheme in the random oracle model. A certificateless public key cryptography simplifies the certificate management in a traditional public key infrastructure and the built-in key escrow feature in an identity-based public key cryptography. Our scheme shares the merits of certificateless public key encryption cryptosystems and proxy re-encryption cryptosystems. Our certificateless proxy re-encryption scheme has several practical and useful properties - namely, multi-use, unidirectionality, non-interactivity, non-transitivity and so on. The security of our scheme bases on the standard bilinear Diffie-Hellman and the decisional Bilinear Diffie-Hellman assumptions.

• Proceedings of the Korean Society of Broadcast Engineers Conference
• /
• 2007.02a
• /
• pp.154-157
• /
• 2007

It has been widely believed that one can obtain $\iota$-Hierarchical Identity Based Encryption (HIBE) scheme secure against chosen ciphetext attacks from ($\iota$+1)-HIBE scheme secure against chosen plaintext attacks. In this paper, however, we show that when applying two concrete HIBE schemes that Boneh et al. [1, 2] proposed, chosen ciphertext secure $\iota$-HIBE schemes are directly derived from chosen plaintext secure $\iota$-HIBE schemes. Our constructions are based on a one-time signature-based transformation that Canetti et at.[3] proposed. The security of our schemes is proved in the selective-ID suity model without using random oracles.