Relations among Privacy Notions for Signcryption and Key Invisible “Sign-then-Encrypt”

Yang, Weijia; Manulis, Mark; Au, Man Ho; Susilo, Willy

doi:10.1007/978-3-642-39059-3_13

Cited by 7 publications

(5 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More formally, we assume that the system has a sealed sender encryption scheme Π ssenc . While Signal does not give a proof of security for the scheme it uses, for our constructions we will assume that Π ssenc is a signcryption scheme that satisfies ciphertext anonymity [35] and adopt the notation presented in [51] for its algorithms 6 . We say a sealed sender encryption scheme Π ssenc is a set of three algorithms:…”

Section: A Preliminariesmentioning

confidence: 99%

“…• SSEnc(m, sk s , pk r ) → c takes in a message m, the sender's secret key sk s and the receiver's public key pk r , and outputs a ciphertext c • SSDecVer(sk r , c) → {(m, pk s ), ⊥} takes in the receiver's private key sk r and a ciphertext c and either outputs a message m,and the public key of the sender pk s , or returns the error symbol ⊥. (Note that this actually constitutes decryption followed by verification in the notation of [51], returning ⊥ when either step fails. )…”

Section: A Preliminariesmentioning

confidence: 99%

“…Formal security definitions are given in [51]. In short, the scheme satisfies (1) message indistinguishability, (2) unforgeability, and (3) ciphertext anonymity, meaning the ciphertext reveals nothing about the sender or receiver.…”

Section: A Preliminariesmentioning

confidence: 99%

See 2 more Smart Citations

Improving Signal's Sealed Sender

Martiny¹,

Kaptchuk²,

Aviv³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The Signal messaging service recently deployed a sealed sender feature that provides sender anonymity by cryptographically hiding a message's sender from the service provider. We demonstrate, both theoretically and empirically, that this one-sided anonymity is broken when two parties send multiple messages back and forth; that is, the promise of sealed sender does not compose over a conversation of messages. Our attack is in the family of Statistical Disclosure Attacks (SDAs), and is made particularly effective by delivery receipts that inform the sender that a message has been successfully delivered, which are enabled by default on Signal. We show using theoretical and simulationbased models that Signal could link sealed sender users in as few as 5 messages. Our attack goes beyond tracking users via network-level identifiers by working at the application layer of Signal. This make our attacks particularly effective against users that employ Tor or VPNs as anonymity protections, who would otherwise be secure against network tracing. We present a range of practical mitigation strategies that could be employed to prevent such attacks, and we prove our protocols secure using a new simulation-based security definition for one-sided anonymity over any sequence of messages. The simplest provably-secure solution uses many of the same mechanisms already employed by the (flawed) sealed-sender protocol used by Signal, which means it could be deployed with relatively small overhead costs; we estimate that the extra cryptographic cost of running our most sophisticated solution in a system with millions of users would be less than $40 per month.

show abstract

Section: A Preliminariesmentioning

confidence: 99%

Section: A Preliminariesmentioning

confidence: 99%

See 1 more Smart Citation

Improving Signal's Sealed Sender

Martiny¹,

Kaptchuk²,

Aviv³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Signcryption was proposed for the asymmetric key algorithm [15] [16], which replaced a traditional encrypt and sign practice by integrating message signatures (similar to MD) as a part of an encryption process. Zheng et al's [15] work on the signcryption scheme is based on the theory that a combined computational cost of a signature (using hashing) and encryption will be less than their individual costs.…”

Section: Background and Literature Reviewmentioning

confidence: 99%

SCARS: Simplified cryptographic algorithm for RFID systems

Narayanaswamy

Sampangi

Sampalli

2014

2014 IEEE RFID Technology and Applications Conference (RFID-TA)

View full text Add to dashboard Cite

Radio Frequency Identification (RFID) is a technology made popular by the ability of RFID tags to uniquely represent objects. However, they are severely resource-constrained due to design restrictions. This limits their ability to perform complex computations for security. In RFID systems, the priority is to ensure the integrity of messages and entity authentication. We consider message integrity in our work. To ensure message integrity (i.e., the sent message must be the same as the received message), the actual message is usually hashed and transmitted to the receiver along with the encrypted message. However, it is a challenge for resource-constrained devices such as RFID systems to encrypt a message using different algorithms (such as encryption and hashing algorithm). In this paper, we propose a new symmetric key encryption approach that includes integrity as part of the encryption process for RFID systems. With this approach, we do not need to employ hash functions to achieve message integrity, thus leading to computational efficiency.

show abstract

“…Since the signcryption scheme was put forward in 1997, there have been several specific schemes based on different difficult assumptions ( [1,[4][5][6]). In addition to the basic security objectives, some new features are introduced in the study of signcryption schemes, such as identity-based signcryption scheme ( [6][7][8][9][10][11]), hybrid signcryption scheme [12], key encapsulation mechanism (KEM) and data encapsulation mechanism (DEM-)-based signcryption scheme [13], certificateless signcryption scheme [14], verifiable signcryption scheme [10], attributebased signcryption scheme ( [15,16]), functional signcryption scheme [17], or key invisible signcryption scheme [18].…”

Section: Introductionmentioning

confidence: 99%

An Elliptic Curve Signcryption Scheme and Its Application

Zhang

Chi

2022

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

Two basic security requirements in communication are confidentiality and authentication. Signcryption is an ideal technique to transmit encrypted and authenticated data. In view of the shortcomings of existing signcryption schemes and the high security of elliptic curve cryptography (ECC), we design a ECC-based signcryption scheme and evaluate it in terms of security, computational overhead, and communication overhead. Finally, we consider the application of our secure and efficient signcryption scheme in the smart lock key management system and analyze the bit-oriented performance of the designed key management scheme.

show abstract

Relations among Privacy Notions for Signcryption and Key Invisible “Sign-then-Encrypt”

Cited by 7 publications

References 25 publications

Improving Signal's Sealed Sender

Improving Signal's Sealed Sender

SCARS: Simplified cryptographic algorithm for RFID systems

An Elliptic Curve Signcryption Scheme and Its Application

Contact Info

Product

Resources

About