Shuhong WANG Guilin WANG Feng BAO Jie WANG
In 2000, Wang et al. proposed a (t,n) threshold signature scheme with (k,l) threshold shared verification, and a (t,n) threshold authenticated encryption scheme with (k,l) threshold shared verification. Later, Tseng et al. mounted some attacks against Wang et al.'s schemes. At the same time, they also presented improvements. In this paper, we first point out that Tseng et al.'s attacks are actually invalid due to their misunderstanding of Wang et al.'s schemes. Then, we show that both Wang et al.'s schemes and Tseng et al.'s improvements are indeed insecure by demonstrating several effective attacks.
Ting-Yi CHANG Chou-Chen YANG Min-Shiang HWANG
Recently, Ma and Chen proposed a new authenticated encryption scheme with public verifiability. The signer can generate a signature with message recovery for a specified recipient. In case of a dispute, the recipient has the ability to convert the signature into an ordinary one that can be verified by anyone, without divulging her/his private key or the message. However, in this article we point out that any adversary can forge a converted signature.
Junji SHIKATA Goichiro HANAOKA Yuliang ZHENG Tsutomu MATSUMOTO Hideki IMAI
In this paper, we formally define and analyze the security notions of authenticated encryption in the unconditional security setting. For confidentiality, we define the notions APS (almost perfect secrecy) and NM (non-malleability) from an information-theoretic viewpoint, within our model where multiple senders and receivers exist. For authenticity, we define the notions IntC (integrity of ciphertexts) and IntP (integrity of plaintexts) from the viewpoint of information theory. We then combine the above notions to define the security notions of unconditionally secure authenticated encryption, and analyze the relations among them. In particular, it is shown that the strongest security notion is the combined notion of APS and IntC. Finally, we formally define and analyze the following generic composition methods in the unconditional security setting within our model: Encrypt-and-Sign, Sign-then-Encrypt and Encrypt-then-Sign. Consequently, it is shown that the Encrypt-and-Sign composition method is not always secure; the Sign-then-Encrypt composition method is not always secure; and the Encrypt-then-Sign composition method is always secure, provided the given encryption meets APS and the given signature is secure.
Her-Tyan YEH Hung-Min SUN Cheng-Ta YANG Bing-Cheng CHEN Shin-Mu TSENG
Recently, Zhu et al. proposed a password-based authenticated key exchange protocol based on RSA that is efficient enough to be implemented on most target low-power devices, such as smart cards and low-power Personal Digital Assistants, in wireless networks. They claimed that the proposed scheme is secure against dictionary attacks. In this paper, we show that the scheme proposed by Zhu et al. is insecure against undetectable on-line password guessing attacks. Furthermore, we examine Zhu et al.'s protocol and find that it does not achieve explicit key authentication. An improved version is then proposed that defeats the undetectable on-line password guessing attacks and also provides explicit key authentication.
Wang et al., in 2000, proposed a generalized group-oriented threshold signature scheme and a generalized authenticated encryption scheme with shared verification. Tseng et al., in 2001, showed that both schemes are insecure, because any attacker is able to reveal the group secret keys from two previously valid threshold signatures. They further presented two improvements on Wang et al.'s schemes to resist the attacks. Unfortunately, this paper will show that the improved schemes are still breakable.
Yuh-Min TSENG Jinn-Ke JAN Hung-Yu CHIEN
In 2000, Wang et al. proposed a new (t,n) threshold signature scheme with (k,l) threshold shared verification. Meanwhile, integrating the idea of message recovery, they also proposed a (t,n) threshold authenticated encryption scheme with (k,l) threshold shared verification. However, this article will show that both proposed schemes are insecure, because any malicious attacker can obtain the group secret keys from two valid threshold signatures. Thus, the attacker alone may forge or verify a threshold signature. An improvement to overcome the attacks is proposed.
Ching-Te WANG Chin-Chen CHANG Chu-Hsing LIN
In this paper, we propose a generalization of threshold signature and authenticated encryption for group communications. The concept of the (t, n) threshold signature with (k, l) shared verification is implemented in group-oriented cryptosystems. In the system, any t members can represent a group to sign a message, and any k verifiers can represent another group to authenticate the signature. By integrating the cryptographic techniques of data encryption, digital signature and message recovery, a group-oriented authenticated encryption scheme with (k, l) shared verification is also proposed. Message expansion and communication cost can also be reduced in our schemes.