Laila El Aimani - Academia.edu

Papers by Laila El Aimani

Multi-User Security

Hitherto, we have considered only a network of two users: signer/confirmer in case of confirmer signatures, and sender/receiver in the signcryption case. This setting is too simplistic to represent reality, where it is customary to have a network of many users that want to exchange signcrypted messages. Also, it is not uncommon in case of confirmer signatures, to have many signers that share the same confirmer, or conversely a signer who has many confirmers. We tackle in this chapter the issue of multi-user security; we first describe the concerns that arise in this extended model, then we formalize these issues in new security definitions, and finally, we give the new analogs of StE, CtEtS, and EtS in the multi-user setting.

Signcryption Method and Device and Corresponding Signcryption Verification Method and Device

Anonymity from Public Key Encryption to Undeniable Signatures

Lecture Notes in Computer Science, 2009

An Efficient Variant of StE

Verifiable Composition of Signature and Encryption, 2017

Design and Analysis of Opaque Signatures

... nat.) submitted to the Faculty of Mathematics and Natural Sciences of the Rheinische Friedrich-Wilhelms-Universität Bonn by Laila El Aimani from Marrakech, Morocco. Bonn 2011. Date of the defense: 29 April 2011. Doctoral committee: Prof. ...

Analysis of CtEaS

Verifiable Composition of Signature and Encryption, 2017

Efficient as the (new) StE is, it can only be used with a restricted class of signatures in order to allow effective verification. The Commit_then_Encrypt_and_Sign (CtEaS) paradigm has the merit of accepting any signature among its building blocks without compromising the verification protocols. In this chapter, we investigate this method by determining the exact security property needed for the encryption to achieve secure constructions. Our study, conducted for confirmer signatures, applies also to signcryption.

The Joint Signature and Encryption Revisited

We study the Sign then Encrypt, Commit then Encrypt and Sign, and Encrypt then Sign paradigms in the context of three cryptographic primitives, namely designated confirmer signatures, signcryption, and verifiably encrypted signatures. Our study identifies weaknesses in those paradigms which impose the use of expensive encryption (as a building block) in order to meet a reasonable security level. Next, we propose some optimizations which annihilate the found weaknesses and allow consequently cheap encryption without compromising the overall security. Our optimizations further enjoy verifiability, a property profoundly needed in many real-life applications of the studied primitives.

On Generic Constructions of Designated Confirmer Signatures (The “Encryption of a Signature” Paradigm Revisited)

Abstract. Designated Confirmer signatures were introduced to limit the verification property inherent to digital signatures. In fact, the verification in these signatures is replaced by a confirmation/denial protocol between the designated confirmer and some verifier. An intuitive way to obtain such signatures consists in first generating a digital signature on the message to be signed, then encrypting the result using a suitable encryption scheme. This approach, referred to as the “encryption of a signature” paradigm, requires the constituents (encryption and signature schemes) to meet the highest security notions in order to achieve secure constructions. In this paper, we revisit this method and establish the necessary and sufficient assumptions on the building blocks in order to attain secure confirmer signatures. Our study concludes that the paradigm, used in its basic form, cannot allow a class of encryption schemes, which is vital for the efficiency of the confirmation/denial...

Rheinischen Friedrich-Wilhelms-Universität Bonn

Wrap-Up

Verifiable Composition of Signature and Encryption, 2017

EtStE: A New Paradigm for Verifiable Signcryption

Verifiable Composition of Signature and Encryption, 2017

The new StE or CtEtS paradigms, proposed earlier, proved to provide very efficient confirmer signatures. Unfortunately, when applied to verifiable signcryption, these paradigms fail to give similar results. The reason lies in the fact that encryptions are produced on the message, to be signcrypted, in addition to other strings (signatures or decommitments), which renders verification ineffective. The subject of this chapter is a new paradigm for verifiable signcryption which combines the merits of the classical paradigms while avoiding their drawbacks.

CtEtS: An Efficient Variant of CtEaS

The CtEaS paradigm suffers an intrinsic weakness consisting in the possibility of producing a confirmer signature without knowledge of the signing key. This makes the paradigm rest on strong encryption (PCA secure), and rules out consequently homomorphic encryption which is known for propping up verification. In this chapter, we annihilate this weakness and demonstrate the efficiency of the resulting construction by describing many concrete instantiations. Our modification applies only to confirmer signatures (see Chap. 7 for the details). We further shed light on a special instance of CtEaS, namely Encrypt_then_Sign (EtS), which can be very useful in situations where a trusted party is available.

Verifiable Composition of Signature and Encryption

This chapter serves as an elementary-level introduction for the book. Section 1.1 introduces the most basic cryptographic primitives, namely digital signatures, public-key encryption including hybrid encryption (key/data encapsulation mechanisms) and tag-based encryption, and finally commitment schemes. The presentation of the primitives also provides the formal security notions that are needed later in our study. The following two sections consider an important notion of modern cryptography, namely reductionist security: Sect. 1.2 recalls the frequently used intractable problems in cryptography, and Sect. 1.3 carries on the presentation of the basic tools used to gain confidence in cryptographic systems. Finally, Sect. 1.4 tackles an important cryptographic mechanism, needed in many real-life applications, that allows conducting proofs without revealing more than the veracity of the proven statement. 1.1 Cryptographic Primitives Notation Throughout the text, we will use a dot notation...

Analysis of StE

StE consists, in case of confirmer signatures, in first signing the message, then encrypting the resulting signature. In case of signcryption, the encryption is conducted on both the message and the produced signature. The construction was first formally (The idea without proof was already known, for instance, it was mentioned in Damgard and Pedersen (New convertible undeniable signature schemes. In: Maurer UM (ed) Advances in cryptology - EUROCRYPT’96. LNCS, vol 1070. Springer, Heidelberg, pp 372–386, 1996).) described for confirmer signatures in Camenisch and Michels (Confirmer signature schemes secure against adaptive adversaries. In: Preneel B (ed) Advances in cryptology - EUROCRYPT 2000. LNCS, vol 1807. Springer, Heidelberg, pp 243–258, 2000), and it suffered the resort to concurrent zero-knowledge (ZK) proofs of general NP statements in the confirmation/denial protocol (i.e. proving knowledge of the decryption of a ciphertext, and that this decryption forms a valid signature...

A New Approach for Finding Low-Weight Polynomial Multiples

Information Security and Cryptology, 2021

Preliminaries

Verifiable Composition of Signature and Encryption, 2017

Case-Study Primitives

Verifiable Composition of Signature and Encryption, 2017

This chapter introduces the primitives subject to the study, namely designated-confirmer signatures and signcryption. The presentation covers the syntax of the mentioned primitives in addition to their security properties. Since establishing a formal security model for a cryptographic system is a real challenge and a source of divergence among cryptographers, we subject the model we adhere to to an in-depth comparison with the already established ones; our goal is to have well-reasoned and stringent security properties which capture various attack scenarios.


Group Encryption Methods and Devices

(Michels-Petersen-Horster Convertible Undeniable Signatures Revisited)

In 1990, Boyar, Chaum, Damgård and Pedersen introduced convertible undeniable signatures which limit the self-authenticating property of digital signatures but can be converted by the signer to ordinary signatures. Michels, Petersen and Horster presented, in 1996, an attack on the El Gamal-based seminal scheme of Boyar et al. and proposed a repaired version without formal security
