SIGNCRYPTION

Seminar ID: 181

A Technical Seminar Report submitted in partial fulfillment of the requirements for the Degree of Bachelor of Technology Under Biju Patnaik Uni ersity of Technology By

Kishore Chandra Sahoo

Roll # IT200710098

!ebruary" #$%%

Under the guidance of

Mrs. Sasmita Padh

!"TI#!"$ I!STIT%T& #' SCI&!C& ( T&C)!#$#*+ Pal,r )ills- .erham/,r- #rissa 0 711008- India

".STR"CT
Signcryption is a new cryptographic primitive which simultaneously provides both confidentiality and authenticity. Previously, these two goals had been considered separately, with encryption schemes providing confidentiality and signature schemes providing authenticity. In cases where both were required, the encryption and signature operations were simply sequentially composed. In 1997, heng demonstrated that by combining both goals into a single primitive, it is possible to achieve significant savings both in computational and communication overhead. Since then, a wide variety of signcryption schemes have been proposed. Signcryption is a new cryptographic primitive, which simultaneously provides both confidentiality and authenticity. Previously, these two goals had been considered separately, with encryption scheme provide confidentiality and digital signature provides authenticity. In cases where both required, the encryption operations and digital signature operations were simply sequentially composed. In 199!, heng demonstrated that by combining both goals into a single primitive it is possible to achieve significant savings both in computational and communication overhead. Since a wide variety of signcryption schemes have been proposed. In this seminar we discuss one algorithm for signcryption and advantages and disadvantages of signcryption.

ii

"CK!#2$&D*&M&!T
It is my proud privilege to epitomi"e deepest sense of gratitude and indebtedness to my guide, Mrs. Sasmita Padhy for her valuable guidance, #een and sustained interest. I would li#e to than# Mr. Purnendu Mishra for his help and support towards our $.%ech %echnical seminar. I ac#nowledge with immense pleasure the sustained interest, encouraging attitude and constant inspiration rendered by Prof. Sangram Mudali, &irector, '.I.S.%. (is continued drive for better quality in everything that happens at '.I.S.%. and selfless inspiration has always helped us to move ahead.

KISHORE CHANDRA SAHOO

T".$& #' C#!T&!TS

A S!RAC! ......................................ii ACKNO"#ED$EMEN!............................................................................................i !A #E O% CON!EN!S............................................................................................ii #IS! O% %I$&RES....................................................................................................i' (. IN!ROD&C!ION....................................................................................................) 1.1. )hy Signcryption*..............................................................................................+ 1.1.1 $ased on discrete algorithm problem, ..........................................................+ 1.1., -sing .S/ cryptosystem..............................................................................+ *. SI$NCR+P!ION , HO" I! "ORKS.................................................................,.1 $asic /rchitecture................................................................................................! ,., Steps involved in -nsigncrypting a message.....................................................10 .. SI$NCR+P!ION %ROM !RAPDOOR PERM&!A!ION..............................(* 1.1 %rapdoor Permutation 2amilies..........................................................................1, 1.1.1 Synta3..........................................................................................................1, 1.1., Security........................................................................................................11 1., 4ryptography from %rapdoor Permutations.......................................................11 1.,.1 &rawbac#s...................................................................................................15 1.,., /dvantage....................................................................................................16 /. %EA!&RES AND SEC&RI!+ ASPEC!S O% SI$NCR+P!ION...................(0 5.1 2eatures..............................................................................................................1+ 5.1.1 -nique -nsigncryptability .........................................................................1+ 5.1., Security .......................................................................................................1+ 5.1.1 7fficiency....................................................................................................1+ 5., Security..............................................................................................................1+ 5.,.1 -nforgeability ............................................................................................1+ 5.,., 4onfidentiality.............................................................................................17 5.1 4omparisons.......................................................................................................17 ). AD1AN!A$ES AND DISAD1AN!A$ES O% DI$I!A# SI$NCR+P!ION(2 6.1 /dvantages.........................................................................................................1! 6.1.1 8ow computational cost..............................................................................1! 6.1., (igher security............................................................................................1!
ii

6.1.1 9essage .ecovery.......................................................................................19 6., &isadvantages.....................................................................................................,0 0. POSSI #E APP#ICA!IONS O% DI$I!A# SI$NCR+P!ION......................*( +.1 89 Signcryption and its application in )%8S (andsha#e Protocol.................,1 +., -sing Signcryption in unforgeable #ey establishment over /%9 'etwor#s....,, -. CONC#&SION.......................................................................................................*. RE%ERENCES...........................................................................................................*/

iii

$IST #' 'I*%R&S

%igure *.( Sign3ry4tion 5 generating 6( and 6*........................................................2 %igure *.*7 Sign3ry4tion 5 generating 3om4onents 3 and r......................................8 %igure *..7 Sign3ry4tion 5 generating 3om4onent s..................................................8 %igure *./7 &nsign3ry4tion5 generating 3om4onent 6............................................(9 %igure *.)7 &nsign3ry4tion , o:taining the message m..........................................(9 %igure *.07 &nsign3ry4tion , 'erifi3ation of the message m..................................(( %igure ).(7 Se3urity of Com:ination of Algorithms...............................................(8 %igure ).*7 Disad'antage of Sign3ry4tion................................................................*9 %igure -.(7 %uture S3enario of Sign3ry4tion...........................................................*.

i3

SIGNCRYPTION

1. I!TR#D%CTI#!
In order to send a confidential letter in a way that it cannot be forged, it has been a common practice for the sender of the letter to sign it, put it in an envelope and then seal it before handing it over to be delivered. &iscovering Public #ey cryptography has made communication between people who have never met before over an open and insecure networ#, in a secure and authenticated way possible. $efore sending a message, the sender has to do the following: Sign it using a &igital Signature ;&S< scheme 7ncrypt the message and the signature using a private #ey encryption algorithm under randomly chosen message encryption #ey 7ncrypt the random message encryption #ey using the receiver=s public #ey Send the message following steps 1 to 1.

%his approach is #nows as signature>then>encryption. %he main disadvantage of this approach is that, digitally signing a message and then encrypting it, consumes more machine cycles and bloats the message by introducing e3tended bits to it. (ence, decrypting and verifying the message at the receiver=s end, a lot of computational power is used up. %hus you can say that the cost of delivering a message using signing>then>encryption is in effect the sum of the costs of both digital signatures and public #ey encryption. Signcryption is a new paradigm in public #ey cryptography that simultaneously fulfils both the functions of digital signature and public #ey encryption in a logically single step, and with a cost significantly lower than that required by the traditional signature followed by encryption.

SIGNCRYPTION

1.1. Why Signcryption?

1.1.1 Based on discrete algorith pro!le "

Signcryption costs 6!? less in average computation time and 70? less in message e3pansion than does signature then encryption. 1.1.# $sing RS% cryptosyste It costs on average 60? less in computation time and 91? less in message e3pansion than signature>then>encryption does.

SIGNCRYPTION

2. SI*!CR+PTI#! 0 )#2 IT 2#RKS

Signcryption can be defined as a combination of two schemes@ one of digital signatures and the other of public #ey encryption. Ane can implement Signcryption by using 7l Bamal=s shortened digital signature scheme, Schnorr=s signature scheme or any other digital signature schemes in conCunction with a public #ey encryption scheme li#e &7S, 1&7S or SP77&. %his choice would be made based on the level of security desired by the users. (ere we present the implementation of Signcryption using 7lBamal=s shortened signature scheme and a public #ey encryption algorithm denoted by 7 and &;7ncryption and &ecryption algorithms<. 4ompared with &SS, S&SS1 and S&SS, have the following advantages: 1. %heir signatures are shorter ,. 'o modular inversion or division is required in signature verification. 1. %hey both admit provable security, albeit in the random oracle model %hese are the parameters involved in the Signcryption algorithm: Parameters public to all p D a large prime number q D a large prime factor of p>1 g D an integer with order q modulo p chosen randomly from E1,F,p>1G (ash D a one> way hash function whose output has, say, at least 1,! bits H( D a #eyed one>way hash function ;7, &< %he encryption and decryption algorithms of a private #ey cipher /lice=s #eys 3a D /lice=s private #ey, chosen uniformly at random from E1,F,q>1G ya D /lice=s public #ey ;ya I g3a mod p< $ob=s #eys 3b D $ob=s private #ey, chosen uniformly at random from E1,F,q>1G yb D $ob=s public #ey ;yb I g3b mod p<

SIGNCRYPTION

#.1 Basic %rchitect&re

)e are ta#ing an e3ample in which /lice is sender and bob is receiver. So /lice is having a message m, which wants to send to bob in an unsecured channel, hence he uses signcryption mechanism to send the message to bob so that message would remain safe. So below steps are discussed which are involved in Signcrypting the message.

'ig&re #.1 Signcryption ( generating )1 and )#

1. ,. 1. 5. 6.

/lice chooses a value 3 from the large range 1,F,q>1 She then uses $ob=s public #ey and the value 3 and computes the hash of it. %his will give her a 1,!>bit string. H I hash ;yb3 mod p< She then splits this 1,!>bit value H into two +5>bit halves. )e can name them as #1 and #, and refer to them as the #ey pair. 'e3t, /lice encrypts the message m using a public #ey encryption scheme 7 with the #ey #1. %his will give her the cipher te3t c. 3 I 7 #1 ;m< %hen, she uses the #ey #, in the one>way #eyed hash function H( to get a hash of the message m. %his will give her a 1,!>bit hash, which we will call r. %his process uses the S&SS /lgorithm. r I H( #, ;m<

+.

Just li#e in S&SS, /lice then computes the value of s. She does this using the value of 3, her private #ey 3a, the large prime number q and the value of r.
8

SIGNCRYPTION

s I 3 K ;r L 3a<mod q 7. /lice now has three different values, 3, r and s. She then has to get these three values to $ob in order to complete the transaction. She can do this in a couple of ways. She can send them all at one time. She can also send them at separately using secure transmission channels, which would increase security. %hus on her part, Signcryption of the message is done.

'ig&re #.#* Signcryption ( generating co

ponents c and r.

'ig&re #.+* Signcryption ( generating co

ponent s

SIGNCRYPTION

#.# Steps in,ol,ed in $nsigncrypting a

essage

'ig&re #.-* $nsigncryption( generating co

ponent )

1.

$ob receives the 1 values that /lice has sent him, 3, r and s. (e uses the values of r and s, his private #ey 3b, /lice=s public #ey ya and p and g to compute a hash which would give him 1,!>bit result. H I hash ;;ya M gr<s N 3b mod p< %his 1,!>bit hash result is then split into two +5>bit halves which would give him a #ey pair ;#1,#,<. %his #ey pair would be identical to the #ey pair that was generated while Signcrypting the message.

,.

$ob then uses the #ey, #1, to decrypt the cipher te3t c, which will give him the message m. m I &#1;c<

'ig&re #..* $nsigncryption / o!taining the

essage

10

SIGNCRYPTION

'ig&re #.0* $nsigncryption / ,eri1ication o1 the

essage

1.

'ow $ob does a one>way #eyed hash function on m using the #ey #, and compares the result with the value r he received from /lice. If they match, it means that the message m was indeed signed and sent by /lice, if not $ob will #now that the message was either not signed by /lice or was intercepted and modified by an intruder. %hus $ob accepts the message only if H(#,;m< I r.

11

SIGNCRYPTION

5. SI*!CR+PTI#! 'R#M TR"PD##R P&RM%T"TI#!

+.1 Trapdoor Per &tation 'a ilies

%rapdoor permutations are an important building bloc# of public #ey cryptography. / trapdoor permutation is simply a permutation f : S O S on some Pnite set S, which can be efficiently evaluated by anyone, but whose inverse permutation fQ1 : S O S can only be efficiently evaluated by using some secret trapdoor information. +.1.1 Synta2 9ore formally, we dePne a trapdoor permutation family as a triple of algorithms;%rap>Ben, 7val, Invert<: R %rap Ben is a randomi"ed algorithm which accepts 1#, where # is a Security parameter, and outputs a pair;f,fQ1<,where f is a permutation over some set S and fQ1 is its inverse permutation. %his Aperation is denoted by: ;f,fQ1< S %rap>Ben;1#<. R 7val is a deterministic algorithm which accepts permutation f generated by some y S. %his operation is denoted by: y S 7val;f,3<,or simply y S f;3<. R Invert is a deterministic algorithm which accepts some fQ1 generated by %rap>Ben and some y S, where S is the set over which f is 51dePned.Itoutputssome 3 S. %his operation is denoted by: 3 SInvert;fQ1,y<,or simply 3 S fQ1;y<. )here h at fQ1;f;3<<I 3 for all 3, and for all pairs;f,fQ1<generated by %rap> Ben. %his ensures both that f is a permutation, and that fQ1 is the inverse permutation of f. %rap> Ben, as well as some 3 S, where S is the set over which f is dePned. It outputs

12

SIGNCRYPTION

+.1.# Sec&rity /s the case for encryption, signature, and signcryption schemes, we dePne the security of at trapdoor permutation family in terms of the goal and capabilities of an adversary. )e will ta#e the goal of the adversary to be inverting a randomly chosen element. %o achieve this goal, the adversary / must win the following game: 1. ,. 1. ;f,fQ1< S %rap>Ben;1#< y S. S ;where S is the set over which f is dePned< 3 S/;f,y<.

/ wins in the case that 3 I fQ1;y<. /s for the capabilities of the adversary, we only give it access to the permutation f. )e require that a trapdoor Permutation family satisfy PrE/ winsG T negl;#<for any such adversary /. 'ote that we have chosen a particularly strong goal for the adversary, and given it particularly wea# capabilities. %his means that the security level provided by a trapdoor permutation family is quite wea#. (owever, it is still possible to build strongly secure encryption and signature schemes from trap door permutation families. /s we will see in this chapter, it is also possible to build strongly secure signcryption schemes from them. %hus their wea# notion of security is an advantage, ma#ing them easier to construct and analy"e.

+.# Cryptography 1ro

Trapdoor Per

&tations

Ariginally, trapdoor permutations were used directly as encryption and signature schemes. 2or e3ample, to encrypt a message m for a recipient $, one would simply compute c I f$;m<, where f$ is $=s trapdoor function. Af course, the recipient would then compute m I fQ1 $ ;c< using his secret trapdoor information. -nfortunately, this simple scheme does not provide indistinguishability, since anyone can distinguish between f;m0< and f;m1<, for any m0 and m1. Similarly, to sign a message m, a

15

SIGNCRYPTION

sender / would simply compute s I fQ1 / ;m<, and then anyone could verify that f/;s< I m. (owever, this does not provide unforgeability, since any user can compute valid messageKsignature pairs ;f/;s0<, s0< for any s0. %he solution to both of these problems is to first apply a padding function to the message, then apply the trapdoor permutation to some or all of the padded message. +.#.1 3ra4!ac)s %his scheme has the following drawbac#s: 7ach user must maintain two distinct trapdoor permutations: one for encrypting ;f<, and one for signing ;g<. %wo padding steps are required@ one for encryption, and one for signature. Since padding steps generally lengthen their inputs, this unnecessarily lengthens the input to the second trapdoor permutation, as well as the final cipherte3t output. %he identity of the recipient is appended before signing, and the identity of the sender is appended before encrypting. %his unnecessarily lengthens the inputs to the trapdoor permutations, as well as the final cipherte3t output. &odis, 2reedman, Jarec#i, and )alfish have proposed a series of trapdoor>based signcryption schemes which addresses all three of these problems. %heir schemes require each user to maintain only a single trapdoor permutation, which is used to achieve both confidentiality and authenticity. Anly a single padding step is required, which is applied Cust before the trapdoor permutations of the sender and recipient. %he identities of the sender and recipient are fed in as inputs to the padding step, but do not lengthen its output.

16

SIGNCRYPTION

+.#.# %d,antage %his mode has the advantage that the two trapdoor permutations can be applied in parallel, but the disadvantage that the minimum cipherte3t length is twice the output si"e of the trapdoor permutations. / further advantage is that f/ and f$ can be of different lengths. Se;uential mode7 u f$;fQ1 / ;wUUs<<. In this case, the trapdoor permutations must be applied sequentially, but the minimum cipherte3t length is half that of the parallel method. E<tended se;uential mode7 u f$;fQ1 / ;w<<UUs. %his mode is a slight modification of the sequential mode. Its minimum cipherte3t length is only slightly longer than that of the sequential method ;since s can be chosen to be very short<, while it admits a much tighter security proof.

14

SIGNCRYPTION

6. '&"T%R&S "!D S&C%RIT+ "SP&CTS #' SI*!CR+PTI#!

-.1 'eat&res
&igital Signcryption strives to do digital signature and public #ey encryption in one logical step, with a cost less than that required by each of those steps done separately. 8et us assume that S is the Signcryption algorithm and - is the -nsigncryption algorithm. %he following three aspects define the features of Signcryption: > -.1.1 $ni5&e $nsigncrypta!ility / message m of arbitrary length is Signcrypted using the algorithm S. %his will give a Signcrypted output c. %he receiver can apply -nsigncryption - on c to verify the message m. %his -nsigncryption is unique to the message m and the sender. -.1.# Sec&rity Since Signcryption is a combination of two security schemes, digital signatures as well as public #ey encryption, it is li#ely to be more secure and would ensure that the message sent couldn=t be forged, the contents of which are confidential and ensures non>repudiation. -.1.+ 611iciency %he cost of computation involved when applying the Signcryption and -nsigncryption algorithms as well as the communication overhead is much smaller than with signature>then>encryption schemes.

-.# Sec&rity
-.#.1 $n1orgea!ility $ob is in the best position to be able to forge any Signcrypted message from /lice as only he is in possession of his private #ey, 3b, which is required to directly verify
11

SIGNCRYPTION

/lice=s message. Biven the Signcrypted te3t of c, r and s, $ob can only obtain the message m by decrypting it using his private #ey 3b. /ny changes he then ma#es to the message m will reflect in the ne3t step of Signcryption, which will ensure that the one>way #eyed hash function on the message m, will not match the value r. %hus $ob, the prime candidate for this #ind of attac#, is prevented from forging /lice=s Signcrypted message. -.#.# Con1identiality Biven that an attac#er has obtained all three components of the Signcrypted message, c, r and s, he still would not be able to get any partial information of the message m because he would have to also #now $ob=s private #ey as well as the two large prime number p and its factorial q, #nown only to /lice and $ob. %his is not feasible, as we #now that deriving a factorial from a large prime number is not practical.

-.+ Co

parisons

%he advantage of signcryption over signature>then>encryption lies in the dramatic reduction of computational cost and communication overhead, which can be symboli"ed by the following inequality: 4ost ;Signcryption<T 4ost ;signature<L4ost ;encryption<

17

SIGNCRYPTION

4. "D7"!T"*&S "!D DIS"D7"!T"*&S #' DI*IT"$ SI*!CR+PTI#!

..1 %d,antages
..1.1 7o4 co p&tational cost

Signcryption is an efficient scheme as it does two steps at once during Signcryption and -nsigncryption. )hen you thin# of this in terms of one person sending a Signcrypted message to another person using a mobile device, computation cost does not really matter much. 4omputational power of processors has developed vastly these days, so if you were to consider Signcrypting networ# traffic between two stations or all of the traffic on a certain networ#, then computational power as well savings in bandwidth are maCor factors. ..1.# 8igher sec&rity Ane can argue the fact that whether the bringing together of two security schemes would increase or decrease security. In our group=s view, it would only increase security. )e base this on the fact that when you combine two security schemes, which by themselves are comple3 enough to withstand attac#s, it can only lead to added security. 4onsider the following: > N D/ny &igital Signature /lgorithm V D /ny 7ncryption /lgorithm N= D %otal 'umber of Signature /lgorithms #nown V= D %otal 'umber of 7ncryption /lgorithms #nown %herefore the combination of the schemes N and V would give you the Signcryption scheme S. S I N - V

18

SIGNCRYPTION

'ig&re ..1* Sec&rity o1 Co

!ination o1 %lgorith

If you consider the fact that both N and V involve comple3 mathematical functions, it is only logical to assume that S, which is a combination of both N and V will involve the combination of the comple3ities of both N and V and thus be more comple3. 9ore the comple3ity, more the harder it is for cryptanalysis. /nother point to be noted here is that N, the digital signature algorithm, can be chosen from a large range of e3isting digital signature algorithms, N=. Similarly the encryption algorithm for V can be chosen from any encryption algorithm li#e 1&7S, &7S, etc from the range V=. %hus the Signcryption algorithm can be implemented using any of the values in N= and V=. %his would ma#e it very difficult for a cryptanalyst to figure out which implementation was used in the Signcrypting algorithm. $asically he would have N= 3 V= WI N= X V= i.e. the cryptanalyst would have to decide between the number of total digital signature algorithms times the number of encryption algorithms, which is greater or equal to either the number of N= or V=. ..1.+ 9essage Reco,ery 4onsider the following scenario: /lice signs and encrypts a message and sends it to $ob. / while later, she wants to use the contents of the message again. %o satisfy /liceYs requirement, her electronic mail system has to store some data related to the message sent. /nd depending on cryptographic algorithms used, /liceYs electronic mail system may either Z #eep a copy of the signed and encrypted message as evidence of transmission, or Z in addition to the above copy, #eep a copy of the
19

SIGNCRYPTION

original message, either in clear or encrypted form. / cryptographic algorithm or protocol is said to provide a past recovery ability if /lice can recover the message from the signed and encrypted message using only her private #ey. )hile both Signcryption and [signature>then>encryption>with>astatic>#ey\ provide past recovery, [signature>then>encryption\ does not. Ane may view [signature>then>encryption\ as an information [blac# hole\ with respect to /lice the sender: whatsoever /lice drops in the [blac# hole\ will never be retrievable to her, unless a separate copy is #ept properly.

..# 3isad,antages

'ig&re ..#* 3isad,antage o1 Signcryption

%he way Signcryption algorithm wor#s currently, /lice has to use $ob=s public #ey to signcrypt a message. %his has a disadvantage when you consider the need to broadcast a Signcrypted te3t. Imagine a ban# needs to send a Signcrypted message to a number of share traders. )ith the current algorithm, it needs to signcrypt the message with each of it=s intended recipient=s public #eys and send them separately to each one of them. %his approach is redundant in terms of bandwidth consumption and computational resource usage. %here is a research going on to solve this by introducing a group #ey between the ban# and the clients that it intends to send Signcrypted te3t and use that to broadcast Signcrypted messages.

20

SIGNCRYPTION

1. P#SSI.$& "PP$IC"TI#!S #' DI*IT"$ SI*!CR+PTI#!

0.1 79 Signcryption and its application in WT7S 8andsha)e Protocol
%he mobile telecommunications business is booming. %iny digital telephones and slee# poc#etsi"e P&/s ;personal digital assistants< are now more than Cust fashion accessories. %he ability to connect to the Internet is a maCor feature that attracts people to them. It means that mobile communication devices and client mobile devices are now ready to access the )eb. %his scenario has given rise to a big question in the minds of users, is it secure* /ccordingly, operators and manufactures have responded by establishing the )/P ;)ireless /pplication Protocol< forum. %he )/P forum has already developed )%8S ;)ireless %ransport 8ayer Security< layer for secured communication in the )/P environment. %he primary goal of )%8S is to provide privacy, data integrity and /H/ ;/uthentication and Hey /greement< between communication entities. /uthenticity and confidentiality must be provided by a suitable encryption scheme in case of mobile communication. Ane way to implement this is to first digitally sign the message and encrypt it. %his is commonly #nown as Signature>thenencryption. %he other is vice>versa, called encryption>then>signature. 4urrently, the )%8S handsha#e protocol is used for secure communication through mobile devices. %his handsha#e uses /H/ protocol with an end>to>end connection. In handsha#e message flow, user certificate is sent to the recipient without encryption or another cryptographic scheme. In this scenario an attac#er can get the certificate by eavesdropping on the transmission interface and can figure out user information from the certificate. %his can provide the attac#er with the userYs location and activity. If Signcryption is used to send messages with mobile devices it will rectify this gap by providing stronger security. $y the use of Signcryption, bandwidth use can be reduced and computational load can be decreased without compromising on the security of the message.
21

SIGNCRYPTION

0.# $sing esta!lish

Signcryption in &n1orgea!le ent o,er %T9 Net4or)s

)ey

%he asynchronous transfer mode ;/%9< is a high speed networ#ing technique for public networ#s capable of supporting many classes of traffic. It is essentially a pac#et>switching technique that uses short fi3ed length pac#ets called cells. 2i3ed length cells simplify the design of an /%9 switch at the high switching speeds involved. %he selection of a short fi3ed length cell reduces the delay. /%9 is capable of supporting a wide range of traffic types such as voice, video, image and various data traffic. In /%9 networ#s data pac#ets are typically 61 bytes. Anly 5! bytes out of 61 bytes in an /%9 cell can be used for transmitting data, as the remaining 6 bytes are reserved for storing control information. %hus transmitting encryption #ey materials of more than 1!5 bits ;5! bytes< over an /%9 networ# would require two or more /%9 cells. In a fast networ# such as /%9, if data pac#ets are divided then there could be considerable delay due to pac#eti"ation, buffering and reassembling data units. So, the need of the hour is to design an authenticated #ey establishment protocol that does not rely on a #ey distribution system, has low resource requirements, message is as short as possible and offers unforgeability and non>repudiation.

In such a scenario, Signcryption or a modified usage of Signcryption can solve the problem by minimi"ing message si"e as well as ensuring unforgeability and nonrepudiation. 73tensive research is going on in use of Signcryption in #ey establishment over /%9 networ#s. It is e3pected that within a few years it will actually be implemented.

22

SIGNCRYPTION

7. C#!C$%SI#!
Signcryption is a very novel idea that, if implemented in the right way, can be very useful.

'ig&re :.1* '&t&re Scenario o1 Signcryption

In life, it is human nature to try and do two things at once, or to ]#ill two birds in one stone=. (umans do this to ma#e shortcuts, save on time and resources. Is this best approach to do things* In terms of computer security, li#e we e3plained before, we believe that by combining two comple3 mathematical functions, you will increase the comple3ity and in turn increase security. Signcryption still has a long way to go before it can be implemented effectively and research is still going on in various parts of the world to try to come up with a much more effective way of implementing this.

25

SIGNCRYPTION

R&'&R&!C&S
E1G E,G E1G E5G E6G E+G E7G ^http:KKwww.signcryption.orgKintroductionK ^http:KKcoitweb.uncc.eduK_y"hengKpublicationsK ^http:KKwww.uow.edu.auK_guilinKbibleKsigncryption.htm http:KKportal.acm.orgKcitation.cfm*idI1+11!05.1+15!!0 /le3 &ent and Vuliang heng: Practical Signcryption, a volume in Information Security and 4ryptography, Springer>Xerlag, $erlin, )enbo 9ao, 9odern 4ryptography: %heory and Practice, Prentice (all P%.. Jee(ea/n, Vevgeniy &odis ,and %al.abin. An the security of Coint signature and encryption. In 8...Hnudsen, editor, Proc.of7urocrypt=0,, volume ,11, of 8'4S, pages!1D107. Springer>Xerlag,,00,. -pdated versionavailableat: http:KKtheory.lcs.mit.eduKyevgenKpsKsigncrypt.

26