An Identity-based Broadcast Signcryption Scheme and Its Application to M edical Images Sharing Dang Thu Hien Faculty of Information Technology University of Engineering and Technology Vietnam National University, Hanoi Supervised by Associate Professor Trinh Nhat Tien A thesis submitted in fulfillm ent of the requirements for the degree of Master o f Computer Science May, 2010 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com Table of C ontents A b stra ct ii Acknowledgem ent Ul L is t o f Figures V L is t o f Tables vi A b b re via tio n s v ii In tro d u c tio n 1.1 Overview and M otivation 1.2 Related w o r k 1.3 Our contributions 1.4 Thesis organization P relim inaries 2.1 Bilinear pairings 2.2 Computational assum ptions 2.3 General model of identity-based broadcast sigucryption 2.4 Requirements of I B B S 10 2.5 Security notions for IBBS 11 2.5.1 Message confidentiality 11 2.5.2 Existential unforgeability 13 Forking le m m a 13 2.6 Identity-B ased Broadcast S igncryption Scheme 15 3.1 Description of the s c h e m e 15 3.1.1 15 Setup LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com T A B L E OF C O N T E N T S 3.1.2 Extract 3.2 16 3.1.3 Signcryption 16 3.1.4 บ nsigncryption 17 A n a lysis 17 3.2.1 Consistency 18 3.2.2 18 Public ciphertext a u th e n tic ity 3.2.3 Public verifiability 3.3 19 Security p r o o f s 19 3.3.1 Message confidentiality 19 3.3.2 Existential unforgeability 25 3.4 Efficiency evaluation and com parison 30 E xp e rim e n ta tio n and A p p lic a tio n 4.1 IBBS E xperim en ts .33 4.1.1 Experimental se tu p 33 4.1.2 Results and comparison 4.2 33 34 Signcryption - Watermarking Model for Medical Image Sharing Conclusions and Future W o rk 3b 39 P ublications lis t 41 B ib lio g p h y 42 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com List of Figures 4.1 Broadcast Signcryption - Watermarking Model LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com List of Tables 3.1 C om putation costs comparison 31 3.2 Com m unication costs c o m p a ris o n 32 4.1 Experim ental results comparison 35 vii LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com Abbreviations BE EHR EUF-sIBBS-CMA Broadcast Encryption Electronic Health Record Existential Unforgeability of identity-based broad­ cast signcryption scheme against selective identity chosen message attacks ex GDHE exponentiation General Diffie-Hellman Exponent 1BBS Identity-Based Broadcast Signcryption ID Identity Indistinguishability of identity-based broadcast IND-sIBBS-CCA signcryption scheme against selective identity cho­ M SIC mu sen ciphertext attacks Master Secret Key multiplication pa pairing evaluation VK PKG Public Key Private Key Generator PKI Public Key Infrastructure q - Strong Diffie-Hellman q-SDH SC UN Signciyption บ nsigncryption LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com Chapter Introduction 1.1 Overview and M otivation Information is probably one of the most valuable possessions of mankind The loss, illegitimate disclosure and modification of information, especially sensitive one, could cause bad consequences and seriously affect oil related people On the other hand, the recent growth of digital technologies and computer networks have radi­ cally change the way we work and exchange ideas By providing low-cost, fast and accurate ways to access data in digital form, communication over networks is now becoming easier and increasingly popular However 1the advantages of digital infor­ mation and networked environment have also brought new challenges because they always contain vulnerability attacking weakness like eavesdropping, forgery, alter­ ation Therefore, the need of secure and authenticated data transmission is more and more important and critical Since the birth of public key cryptography in 1970s, the requirements of confi­ dentiality and authenticity are satisfied by using encryption and digital signature schemes respectively W ith public/private key pairs, two entities can share informa­ tion in a secure manner Public key cryptography has created a great evolution in cryptography but it cannot work efficiently without the support of certificate based public key infrastructures (PKI) Certificate binds a public key to its owner and PKI manages, distributes and revokes certificates In order to get rid of public key certificates，in 1984, Adi Shamir introduced Identity-based cryptosystems [Sha84] In this new paradigm, he suggested idea to use the user's unique and undeniable information as his/her public key whereas the LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 1.1 O verview and M otivation corresponding private key can only be derived by a trusted Private Key Generator (PKG) These public keys can come from the user， ร name, email address or what­ ever convenient data so that it refers unambiguously and undeniably only to one user This kind of information is denoted by Digital Identity Useťs identity must be acknowledged by everyone, so this removes the need to authenticate or prove the relationship between the identity and the owner or wasting time in looking up public key before sending out a secret message Consequently, identity-based cryptography promisingly provides a more convenient alternative to PKI Several practical identity-based cryptographic schemes have been devised but until 2001, there was only one satisfactory scheme [BFOlj Some others using parings were proposed after that [Pat02, CC02, Hes02] Traditional encryption just provides security for one-to-one communication Nowa­ days, there are many applications in which communication activities are one-tomany, where a user is not only able to send/receive data to/from another but also a group of users simultaneously Actually, senders (called broadcasters) may need methods to distribute securely a message to a target set of receivers and ensure that all members in the set get the correct message while non-members cannot eaves­ drop, forge or modify it W ith conventional public key cryptography techniques， the broadcaster has to encrypt and sign messages then transmit individual encrypted message to every each receiver Advantage of this solution is high security level be­ cause every user gets a different ciphertext and uses his own private key to decrypt However, this solution is really inefficient If there are I receivers, the broadcaster has to process I times on a same message to create I different ciphertexts It needs a lot of time，storage and transmission costs Thus, traditional public key cryptography is not a suitable approach for this problem To handle the requirement of privacy in information broadcasting, a cryp­ tography topic called Broadcast Encryption (BE) was introduced by Fiat and Naor in [АМ94] BE schemes allow senders to broadcast an encrypted message over an open channel to a target set of receivers In a secure BE system, any legitimate receiver can use his private key to decrypt the broadcast but illegitimate users (who are not in target set) can obtain nothing about the messages Today, because of its significant applications，broadcast encryption has gained considerable attention and deployed broadly For example, distribution of copy­ righted materials, access control in encrypted file systems [Refb], satellite TV sub­ scription services, etc Recent research indicates that broadcast encryption has wide LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 1.1 Overview and M otivation application prospect ill securing electronic health records (EHR) [SW06，НТН09] W ith the development of e-health, nowadays, the medial information are digital­ ized and stored for different purposes such as tele-medicine, cutting down the health care, long time storage, clinical research and epidemiological studies Consider a sit­ uation that is ill order to discuss and obtain second opinions or professional advices, an EHR is distributed online to physicians, researchers, students or other external users In medical field, the security of medical data is very important They should he kept intact in every circumstance because any manipulation and perversion could lead to wrong diagnostic On the other hand, EHRs contain sensitive patient infor­ mation which can influence on the patient’s health and even their lives so that they should be protected from unauthorized access and modification When a broadcast system such as a electronic health system consists of multiple broadcasters, each user can produce ciphertexts and deliver to others In that case, it opens an issue of authentication and non-repudiation Hence, along with information privacy, data origin authenticity is also a vital aspect For keeping message confidential and unforged, an already known approach named signature-then-encryption has been followed However, it has a main draw­ back: the cost of distributing a message is essentially the sum of the cost for digital signature and that for encryption In 1997, Zheng [Zhe97] addressed a question on reducing the cost of secure and authenticated message delivery and proposed a new cryptographic paradigm, called signcryption which “simultaneously fulfils both the functions of digital signature and public key encryption in a logically single step, and with a cost significantly lower than that required by the traditional signature fol­ lowed by encryption technique” The efficiency of signcryption technique has been pointed out in several proposed schemes [ZY98，MB04，M102, LQ03] which costs much less in average computation time and message expansion than signature-thenencryption does Since proposed, signcryption has been adapted to broadcast encryption to suffice the requirements of confidentiality and authenticity However, to date, the research oil broadcast signcryption is still very limited Most of proposed schemes need a particular component in ciphertext that corresponds to a designated receiver Thus, their ciphertext size is equivalent to the number of receivers In several other constructions with constant ciphertext size, the broadcaster has to negotiate a common secret value with all receivers beforehand Prom some point of view, these constructions are not more efficient and convenient than one-toone signcryption LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 1.2 R elated work Realizing that almost, current broadcast signcryption schemes not meet all of these properties, we aim to construct an efficient scheme which fulfils both se­ curity and efficiency Additionally, the question on how to incorporate broadcast signcryption in securing EHRs inspires us to bring it to a specific application named medial image sharing Since medical image is a special type of data in EHR, we con­ centrate on designing a model that combines the proposed broadcast signcryption scheme and watermarking technique to secure medical images sharing 1.2 R elated work There are many proposals of broadcast encryption systems In [KD98], Kurosawa and Desmedt presented a scheme in which public and private key are derived from secret polynomial of order k The security of this algorithm is determined by the order of polynomial k Each user learns a piece of information about the secret polynomial f(x ) from his private key Hence，a set of more than к users can collude to recover the polynomial and break the system Another scheme based on ID-based encryption algorithm of Boneh-Franklin [BF01] was introduced and analyzed in [YWCR07] In [BSNS05], Joonsang et.al built a scheme based 011 binary scheme of Canetti et al [CHкоз] The best known fully collusion is the scheme of Dan Boneh, Gentry and Water [BGW05] However, all these schemes result in a long size ciphertext In 2007，Celile [Del07] proposed the first ID-based broadcast signcryption scheme with constant size ciphertext and pri­ vate key This construction is based on the intractability of intractability of General Diffie-Hellman Exponent problem and its security is proved under random oracle model In signcryption domain, the first scheme was proposed by Zheng [Zhe97] After that, a lot of identity-based constructions have been introduced [M102, CML05, LQ03, МВ04] Until now，the most secure schemes are [CML05] and [МВ04] Although a lot of identity-based sigiicryption and broadcast encryption schemes lmve been devised，there were not many research ill broadcast signcryption In 2000， Y.Mu et al [MVOO] presented the first distributed signcryption scheme in which any user can signcrypt a message and deliver to a designated group of recipients After that, Li et al [LHL06] proposed a multi-receivers signcryption scheme based on bilinear parings Another scheme based on bilinear pairing is also presented by LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com Chapter E xperim entation and A pplication In this chapter, experimental results of our proposed scheme are presented and appraised We also describe how this scheme can be used for a specific application of medical image sharing and construct a model that combines signcryption and watermarking technique for this application 4.1 IBBS Experim ents 4.1.1 E xperim ental setup We establish experiments on a 2.2GHz Pentium IV machine with UNIX operating systems A ll implementations are written in с language using PBC [Refa], ZEN [Ref비 and OpenSSL [Refe] libraries PBC is a free library built on GMP library which suDplies the mathematical operations beneath PBC was designed to be the backbone of implementations of pairing-based cryptosystems with high speed and portability It provides an abstract API to carry out group and pairing computations ZEN is a free с library that performs arithmetic operations in polynomial over finite field OpenSbL is an open source library which supports cryptographic func­ tions such as hash functions (MD5 ，SHA 1) and symmetric encryption algorithms (AES, DES) For implementing IBBS scheme, the pairing used is constructed on the curve y2 = X3 + X over the field Fq with q is 512 bit length and the order p of groups is 160 bit length 33 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 4.1 IBBS Experim ents 34 q = 878071079966331252243778198475404981580688319941420821102865339926 6475630880222957078625179422662221423155858769582317459277713367317481324 925129998224791 p = 730750818665451621361119245571504901405976559617 The symmetric algorithm used is AES with key of 256 bits Email addresses are used as users’ identities 4.1-2 Results and com parison In this sectk)iii we present the experimental results of proposed IBBS scheme with previously chosen parameters as in section 4.1.1 The broadcaster в with identity broadcaster@gmail com wants to signcrypt a plaintext file M to a set of I receivers Both broadcaster and receivers have their own private keys that were provided by PKG through extract phase To signcrypt plaintext file My broadcaster в runs signcrypt procedure as described in signcryption phase of IBBS scheme to output a signcrypted ciphertext file that has following format: • The first line contains the number of intended receivers (/) • Next I continuing lines, each of them contains the identity of one receiver • Next continuing lines contain the values of ร, T\ z, Y respectively • The remaining part of file contains the content of c When an user receives this signcrypted ciphertext file, he runs the unsigncrypt, procedure to recover plaintext file This procudre first checks that whether receiver identity is in the list of receivers If yes, it collects ， T\ 7i、 Y) с from the signcrypted ciphertext file and follows the steps in unsigncryption phase of IBBS scheme to verify and decrypt the ciphertext Finally, it outputs a file that contain the original content of M In order to collate the experimental results of proposed scheme with that of several established ones, we also implement three other schemes As discussed in chapter 3，it seems that the scheme of Boyen [ВоуОЗ] is the most expensive whereas [EA09] is the cheapest and [YYHZ07] is in the middle in terms of computation and communication costs Thus，we choose them to implement Implementations are LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 4.1 IBBS Experim ents 35 made according t.0 their original description with the same input parameters of curve and p in setup phase Since the performance varies conformable to the number of receivers, we run the simulation with a same plaintext file M with size of 100KB and changing number of receiver Table 4.1 summaries the processing time (in milliseconds) and size of ciphertext (in KB) Table 4.1: Experimental results comparison l - 100 l - 500 I = 1000 - 5000 Schemes Boyen [ВоуОЗ] Yu et al.[YYHZ07 Hassan et al.[EA09 Ours Boyen [ВоуОЗ] Yu et al.[YYHZ07 Hassan et al EA09 Ours Boyen [ВоуОЗ] Yu et al.[YYHZ07 Hassan et al EA09 Ours Boven [ВоуОЗ] Yu et ฟ (YYHZ07 Hassan et al.[EA09 Ours Processing time (milliseconds) Unsigncryption 436 158 126 1414 1762 20368 310 18066 853 13514 5529 10539 41029 3039 417 36458 30137 1230 11204 16991 230046 15100 1117 206750 141Ö00 1348 62345 73954 Signcryption 4582 3948 2734 1192 Ciphertext size (KB) Total 5018 4106 2860 2606 22310 18376 14367 16068 44068 36875 31367 28195 245146 207867 142948 136299 193 162 161 106 564 406 405 125 1025 712 711 149 4855 3238 3233 340 From above table, it is easily realized that the difference in size between the ciphertext of our scheme and the origiiml plaintext is really small while others’ are much bigger, especially when the quantity of users increases Recounting when I = 100, the difference between ciphertext and plaintext length of our scheme is only 106 — 100 = (KB) while others’ are 93，62 and 61 (KB) respectively; when I = 5000, the difference of our scheme is 240 KB whereas others，are 4755, 3128 and 3133 (KB) respectively Signcryption time of our scheme costs much less than others while unsigncryption LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 4.2 Signcryption - W aterm arking M odel for Medical Im age Sharing 36 time is longer This can be explained that in unsigncryption phase, our scheme involves computing l 一 multiplication while the others just involve one or two However, count in total processing time，our scheme seems to be the fastest one W ith these characteristics, our scheme is suitable for applications which require small ciphertext size and speedy signcryption operation 4.2 Signcryption - W atermarking M odel for M ed­ ical Im age Sharing The undisputable benefits of identity-baeed broadcast signcryption bring it to var­ ious applications, such as file sharing in encrypted file systems, secure content de­ livery, etc In this section, we address a specific application called medical image sharing ШКІ construct a model to apply IBBS in secure delivery of medical image along with patient health information As mentioned in chapter 1，security of electronic health record has been a grow­ ing concern in healthcare services Considering that a group is composed of multiple doctors, specialists, physicians, patients and students Each of them wants to dis­ tribute, by network, a medical image along with patient health information to several receivers In order to secure these documents, it should be made in a safe way More­ over, in this circumstance, once a receiver receives several ciphertexts from different senders, it is desirable to achieve data confidentiality, data integrity and authen­ ticity simultaneously Additionally, since a medical image is always belonged to a patient and relates with some diagnosis comments, the demand of connecting these materials such that they are not mismatched is needed To handle above issues, the idea of incorporating encryption and watermarking for secure medical images has been used in [NBKU04, Sri07, ВВ05] In that, the pa­ tient health information is encrypted before embedding in the image This solution not only provides patienťs privacy but also stores patient information and image in a single unit, so that it avoids the risks in which a patient health information profile is matched with another’s medical image Nevertheless, all these proposals used traditional encryption algorithms When a sender wants to deliver to I receivers, he must create I corresponding ciphertexts and embed them individually, then send each particular watermarked image to its right receiver In order to remove this disadvantage, broadcast signcryption can be used instead of traditional encryption LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 4.2 Signcryption - W aterm arking M odel for M edical Image Sharing 37 Combining the IBBS scheme presented in previous section and watermarking tech­ nique, we can design a very efficient solution that realizes privacy, authentication, consistency and integrity requirements The work diagram of broadcast signcryption - watermarking model is depicted in figure 4.1 There are two main processes in this model: Signcryption-Watermarking and Extraction-Unsigncryption S igncryption - W a te rm a rkin g step Assume that a doctor Л wants to distribute a medical image to multiple receivers He firstly chooses the set of receivers and takes their identities as the their public keys Note that the number of receivers is not greater than the maxinml size of receivers in the IBBS scheme He then follows steps below: Signcryption: The doctor signcrypts patient health information that relate to LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 4.2 Signcryption - W aterm arking M odel for M edical Im age Sharing 38 the medical image by the signcryption procedure of IBBS scheme The output of this step is a signcrypted ciphertext file a Watermarking: The content of signcrypted ciphertext file Ơ is embedded in the medical image by employing some watermarking techniques It outputs a watermarked image The doctor now distributes the watermarked image to the receivers Since patient health information has been signcrypted and embedded in the image， it could be transmitted in a open network without caring about the eavesdrop­ ping, forging or any other attack E x tra c tio n - บ n sig n cryp tio n step When a specialist в in the designated group of receivers receives a medical image from doctor A, he does as follows to extract and unsigncrypt the information from image: Extraction: В first extracts the watermark from the image to recover original image and signcrypted ciphertext Ơ by employing the watermarking technique that has been used in interleaving step of Signcryption - Watermarking process บ nsigncryption: В verifies the authenticity of Ơ and uses his private key to decrypt the ciphertext as in unsigncryption phase of IBBS scheme Eventually, if verification and decryption are successful, в obtains the plaintext of patient health information This model provides an préfiguration of the potential of this approach It not only solves the problem of discrepancy but also combines the advantages of data security with efficient storage and bandwidth utilization Such benefits make it suitable for practical applications LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com Chapter Conclusions and Future Work Improving the security and efficiency of broadcasting to multiple recipients over distributed networks is an important issue Several broadcast signcryption schemes had been proposed However, some of them are shown to lack of security In all remaining secure schemes, there are drawbacks associated with communication and computation costs because they need to maintain a specific component for every receiver in ciphertext Ill this dissertation, we have presented an efficient identity-based broadcast signcryption scheme which allows a broadcaster to distribute signcrypted ciphertext to a group of users in a safe way Any member in the group can independently unsigncrypt to get the plaintext The scheme is provably secure in the random oracle model under computational assumptions The scheme achieves public ciphertext authenticity which capacitates any third party from verifying the validity and the origin of the ciphertext without knowledge of plaintext and getting any support from designated receivers This property is very useful for applications which re­ quire firewall or gateway authentication of ciphertext before accepting the message Another outstanding advantage of proposed scheme is that it has cheap computa­ tion and communication costs because the number of pairing evaluations is three and the signcrypted ciphertext size is constant This characteristic elevates its use in applications which have low capacity of storage and processor Experimental results offered the performance in terms of computational expense and bandwidth requirement We see from these results that our scheme is better than most of existing ones We discussed applicable possibility of this scheme and designed a model to secure medical image sharing It was shown that this model can 39 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 40 provide a lot of advantages such as privacy, authenticity, consistency and integrity for medical image and patient information delivery Although achieve many promising properties, there still exists limitations in proposed scheme Firstly，in order to gain the constant signcrypted ciphertext size, t he size of system public key must be linear with the maximal number of receivers Secondly，similar with other identity-based signcryption scheme, our construction is just secure gainst selective attacks The question of building a scheme with the same parameters as ours which is secure against adaptive attacks is still an open problem On the other hand, all users’ private keys in Olir scheme are derived from a common trusted authority This is not convenient for applications w ith a large quantity of users and organizations In future, we will focus our attention on finding hierarchial ID-based broadcast signcryption schemes that allow users of a system to communicate with others who not depend on the same authority LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com Publications list Dang Thu Hien, TVinh Nhat Tien, Truong Thi Thu Hien An Efficient Identity- based Broadcast Signcryption Scheme The Second International Conference oil Knowledge and Systems Engineering, KSE 2010，Hanoi, Vietnam, (ac­ cepted) Đang Thu Hien, Trinh Nhat Tien, Truong Thi Thu Hien, An Application of Watermarking and identity-based encryption fo r sharing medical image Jour­ nal of Science, Natural Science and Technology, Vietnam National University, Hanoi 2009, vol 25 ，no 4, pp 211-218 Nguyen Ngoc Hoa，Dang Thu Hien, Tran Thi Thuy Trang Mutual Authen­ tication of RFID Taq~Reader using Elliptic Curve Cryptography Journal of Science, Natural Science and Technology，Vietnam National University ，Hanoi 20081vol 24，no 1, pp 36-43 41 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com Bibliography [AM94Ị Fiat A and Naor м Broadcast encryption, Stinson, D.R (ed.) CRYPTO 1993 LNCS, vol 773，pp 480-491 Springer, Heidelberg, 1994，1994 [BB04a] Dan Boneh and Xavier Boyen, Efficient selective-id secure identity-based encryption without random orncles, Advances in Cryptology - EƯROCRYPT 2004, Lecture Notes in Computer Science, vol 3027, Springer， 2004, pp 223 238 [BB04b] ， Short signatures without random oracles, Advances in Cryp­ tology - EƯROCRYPT 2004，Lecture Notes in Computer Science, vol 3027，Springer, 2004, pp 56 73 [BB05] Sarnia Boucherkha and Mohamed Benmohamed，A lossles watermark­ ing based authentication system fo r medical images, World Academy of Science, Engineering and Technology, vol 1，2005 [BBG05] Dan Boneh, Xavier Boyen, and Eu-Jin Goh, Hierarchical identity-based encryption with constant ciphertext, In Proceedings of EƯROCRYPT 2005，2005，pp 440 456 [BF01] Dan Boneh and Matthew K Franklin, Identity-based encryption from the weil pairing, CRYPTO ’01: Proceedings of the 21st Annual Inter­ national Cryptology Conference on Advances in Cryptology, SpringerVerlag, 2001, pp 213-229 [BGW05] Dan Boneh, Craig Gentry, and Brent Waters, Collusion resistant broad­ cast encryption with short ciphertexts and private keys, CRYPTO (Vic­ tor Shoup，ed.), Lecture Notes in Computer Science, vol 3621，Springer, 2005, pp 258 275 42 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 43 Bibliography [BLMQ05Ị Paulo ร L M Barreto, Bent Libert Noel McCullagh，and JeanJacques Quisquater，Efficient and provably-secure identity-based signa' lures and signcryption from bilinear maps, Advances in cryptology ASIACRYPT05, Lecture Notes in Computer Science 3778，Springer-Verlag, 2005, pp 515-532 [BM04] Muhammad Bohio and Ali M iri, An authenticated broadcasting scheme for wireless ad hoc network다Second Annual Conference on Communi­ cation Networks and Services Research (CNSR， 04)，2004, pp 69-74 [bMAhL07] Chun bo MA, Jun AO，and Jian hua LI, How to signcrypt a message to designated group, The Journal of China Universities of Posts and Telecommunications 14 (2007), no 4, 57 63 [ВоуОЗ] Xavier Boyen ，Multipurpose identity-based signcryption - a SWISS army knife fo r identity-based cryptography、 In Proc CRYPTO 2003, SpringerVerlag, 2003, pp 383 399 [BSNS05] J Baek, R Safavi-Naini, and พ Sušilo, Efficient multi-receiver identity-based encryption and its application to broadcast encryption, Proc of the 8th International Workshop on Practice and Theory in Public Key Cryptography (PKC 2005), LNCS 3386, Springer-Verlag (2005)，380 397 [CC02] Jae Choon Cha and Jung Нее Cheon，An identity-based signature from gap diffie-hellm an groups, Public Key C ryptography - P K C 2003，LNCS 2139, Springer-Verlag, 2002，pp 18 30 [CHK03] R Canetti, ร Halevi, and J Katz, A forward secure public key encryp­ tion scheme，In Proceedings of EƯROCRYPT 2003，2003, pp 255-271 [CML05] Liqun Chen and John Malone-Lee, Improved identity-based signcryp- tion, Proceedings of 8th International Workshop on Theory and Prac­ tice in Public Key Cryptography, Lecture Notes in Computer Science, Springer, 2005, pp 362 379 [DC06] ร Duan and z Cao, Efficient and provably secure multi- receiver identity-based signcryption, Information Secuirty and Privacy- LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com Bibliography Bibliography ACISP'06，Lecture Notes in Computer Science, Springer-Verlag, vol 4058，2006，pp 195 206 [Del()7] Cecile Delerablee, Identity-based broadcast encryption with constant size ciphertext and priavate keys、Lecture Notes in Computer Science, Springer-Verlag 4833 (2007), 200 215 [EA09] H Elkamchouchi and Y Abouelseoud，Midscyk: An efficient provably secure multi-recipient identity-based signcryption scheme，International Conference on Networking and Media Convergence, 2009 ICNM 2009， 2009，pp 70 75, [ENI09] H Elkamchouchi, M Nasr, and Roayat Ismail，A new efficient multi­ ple broadcasters signcryption scheme (mbss) fo r secure distributed net­ works, International conference on Networking and Services (2009)， 204 209 [Hes02] Florian Hess, Efficient identity based signature schemes based on pair- ings, SAC 2002，LNCS 2595，Springer-Verlag, 2002，pp 310 324 [HTH09] Dang Thu Hien，Trinh Nhat Tien, and Truong Thi Thu Hien，A n appli­ cation o f watermarking and identity-based encryption fo r sharing medi­ cal unageyJournal of Science, Natural Science and Technology, Vietnam National University, Hanoi 25 (2009)，no 4，211 218 [KD98] Kaoru Kurosawa and Y VO Desmedt, Optimum traitor tracing and asym- metnc schemes, EUROCRYPT ，1998, pp 145 157 [LHL06Ị Fagen Li, Yupu Hu, and Shuanggen Liu, Efficient and provably secure multi-recipient signcryption from bilinear pairingSy Cryptology ePrint Archive, Report 2006/238，2006 [LQ03] Benot Libert and Jean-Jacques Quisquater, A new identity based sign- cryption scheme from pairingもIn IEEE Information Theory Workshop, 2003, pp 155 158 [LXH08] Fagen Li, Xiangjun Xin, and Yupu Hu, Indentity-based broadcast sign- cryption, Comput Stand Interfaces 30 (2008), no 1-2，89 94 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 45 Bibliogmphy [MB04] Noel McCullagh and Paulo ร L M Barreto, Efficient and forward- secure identity-based signcryption, Cryptology ePrint Archive, Report 2004/117 (2004) [M102] John Malone-lee, Identity-based signcryption, In Proceedings of Public Key Cryptography - PKC 2005, LNCS 3386, Springer, 2002’ pp 362 379, [MV00] Yi Mu and Vijay Varadharajan, Distributed signcryptioTiy IN- DOCRYPT ’00: Proceedings of the First International Conference on Progress in Cryptology，Springer-Verlag, 2000, pp 155 164 [NBKU04] Jagadish Nayak, p Subbanna Bhat, M Sathish Kumar, and Rajendra Achayra บ, Reliable and robust transmission and storage of medical images with patient information^ In Proceedings of International Con­ ference on Signal Processing and Communication, 2004，2004 [Pat.02] Kenneth G Paterson, Id-based signatures from pairings on elliptic curves, Electronics Letters 38 (2002), 1025 1026 [PS00] David Pointcheval and Jacques Stern, Security arguments fo r digital signatures and blind signatures^ JOURNAL OF CRYPTOLOGY 13 (2000), 361 396 [Refaj http://crypto.Stanford,edu/pbc/ [R('fl)] http:// technet.microsoft com/ [Refe] http://vm w openssi o rg / [Reid] http://zenfacLsourceforge.net/ [Sha84] A Shamir, Identity-based cryptosystems and signature schemes, In Ad­ vances in Cryptology - Crypto ’84，Lecture Notes in Computer Science, Springer-Verlag, vol 196，1984, pp 47 53 [Sri()7] Srihari Sridharan, Application o f cryptography and randomized spatial domain steganoyraphy fo r in form ation hiding in medical images、2007 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com Bibliography Bibliography [SVK 08] ร Sharmila Deva Selvi, ร Sree Vivek, Naga Naresh K aru t uri, Ragavendran Gopalakrishnan，and Pandu Rangan Chandrasekaran，Cryptanal- ysừ of bohio et al ’s id-based broadcast signcryption (ibbsc) scheme fo r wireless ad-hoc networks, PST ’08: Proceedings of the 2008 Sixth An­ nual Conference on Privacy, Security and Trust, IEEE Computer Soci­ ety, 2008, pp 109 120 [SVSR09] ร Sharmila Deva Seivi, ร Sree Vivek, Rahul Srinivasan，and c Pandu Rangan, An efficient identity-based signcryption scheme fo r multiple receivers, Proceedings of the 4th International Workshop on Security, 2009，pp 71 88 [SWOG] Willy Susilo and Khin Than W in ，Securing electronic health records with broadcast encryption schemes, International Journal of Electronic Healthcare (2006)，no 2, 175-184 [Tan08| Chik-Hoพ Tan7 On the security of pwvably secure multi-receiver id- based signcrypticm sehcmey IEICE Trans Fundam Electron Commun Comput Sci E91-A (2008)，no 7，1836 1838 [XX09] Qi Xia and Chunxiang Xu, Cryptanalysis of two identity based signcryp- tion schemes, Dependable, Autonomic and Secure Computing, IEEE International Symposium on (2009)，292 294 [YWCR07] Geng Yang, Jiangtao Wang, Hongbing Cheng, and Chunming Rong, An identity-based encryption scheme fo r broadcasting^ NPC ไ07: Proceed­ ings of International Conference on Network and Parallel Computing Workshops, IEEE Computer Society，2007，pp 123 126 [YYHZ07] Y Yu, B Yang, X Y Huang, and M พ Zhang, Efficient identity-based siqncryption scheme fo r multiple receivers^ Lecture Notes in Computer Science, Springer Berlin /Heidelberg 4610 (2007), 13 21 [ZG09] Jianhong Zhang and Qin Geng, Comment on an id-based broadcast sign- cryption scheme, International Conference on Networking and Digital Society (2009), 37 40 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com 47 B ihliogrnphy [Zlio97] Y Zheng, Digital siqncryption or how to achieve cost (signature & en­ cryption) 《 cost (signature) -h cost (encryption), Advances in CryptologyCRYPTO ， 97, LNCS 1294，vol 1，1997 [ZY98] Zheng and Yuliang, Signcryption and its applications in efficient public key solutions、 ISW '97: Proceedings of the First International Workshop on Information Security, Springer-Verlag, 1998, pp 291 312 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com ... Srihari Sridharan, Application o f cryptography and randomized spatial domain steganoyraphy fo r in form ation hiding in medical images? ??2007 LUAN VAN CHAT LUONG download : add luanvanchat@agmail.com... of identity- based broadcast signcryption Broadcast signcryption schemes serve scenarios in which one person can distribute inform ation to I other people confidentially and authentically An identity- based. .. proposed scheme are presented and appraised We also describe how this scheme can be used for a specific application of medical image sharing and construct a model that combines signcryption and watermarking