On the Joint Security of Encryption and Signature, Revisited
Abstract
The folklore principle of key separation dictates using different keys for different cryptographic operations. While this is well-motivated by real-world, security engineering concerns, there are still situations where it is desirable to use the same key for multiple operations. In the context of public key cryptography, using the same keypair for both encryption and signature primitives can reduce storage requirements (for certificates as well as keys), reduce the cost of key certification and the time taken to verify certificates, and reduce the footprint of cryptographic code. These savings may be critical in embedded systems and low-end smart card applications. As a prime example, the globally-deployed EMV standard for authenticating credit and debit card transactions allows the same keypair to be reused for encryption and signatures for precisely these reasons.
However, this approach of reusing keys is not without its problems. For example, there is the issue that encryption and signature keypairs may have different lifetimes, or that the private keys may require different levels of protection. Most importantly of all, there is the question of whether it is secure to use the same keypair in two (or more) different primitives. The formal study of the security of key reuse was initiated by Haber and Pinkas (ACM CCS 2001) with their introduction of combined public key schemes. However, while their approach can be made to work in the random oracle model, it does not naturally extend to the standard model, and there currently exist no fully satisfactory standard model solutions.
We revisit the problem of how to construct combined public key schemes which are secure in the standard model. Naturally, for reasons of practical efficiency, we are interested in minimising the size of keys (both public and private), ciphertexts, and signatures in such schemes. Firstly, we present a construction for a combined public key scheme using an IBE scheme as a component. The trick here is to use the IBE scheme in the Naor transform and the CHK transform simultaneously to create a combined public key scheme that is jointly secure, under rather weak requirements on the starting IBE scheme. This construction extends easily to the (hierarchical) identity-based setting. Secondly, we provide a more efficient direct construction for a combined scheme with joint security. This construction is based on the signature scheme of Boneh and Boyen (EUROCRYPT 2004) and a KEM obtained by applying the techniques of Boyen, Mei and Waters (ACM CCS 2005) to the second IBE scheme of Boneh and Boyen (EUROCRYPT 2004). Lastly, we show how our ideas can be applied to signcryption. Specifically, we show that a combined public key scheme can be used to construct a signcryption scheme that is secure in the strongest security model for signcryption. Instantiating this construction with our concrete combined public key scheme effectively solves a challenge implicitly laid down by Dodis, Freedman, Jarecki and Walfish (ACM CCS 2004) to construct an efficient standard model signcryption scheme in which a single short keypair can securely be used for both sender and receiver functions.
- 2012-05-11
Authors
- Schuldt Jacob (Research Institute for Secure Systems, AIST, Japan)
- Paterson Kenneth (Royal Holloway, University of London)
- Thomson Susan (Royal Holloway, University of London)
- Stam Martijn (University of Bristol)