Verifiable Registration-Based Encryption

Journal of Information Processing, 2012

To enhance user privacy, anonymous credential systems allow the user to convince a verifier of the possession of a certificate issued by the issuing authority anonymously. The typical application is the privacy-enhancing electronic ID (eID). Although a previously proposed system achieves the constant complexity in the number of finiteset attributes of the user, it requires the use of RSA. In this paper, we propose a pairing-based anonymous credential system excluding RSA that achieves the constant complexity. The key idea of our proposal is the adoption of a pairingbased accumulator that outputs a constant-size value from a large set of input values. Using zero-knowledge proofs of pairing-based certificates and accumulators, any AND and OR relation can be proved with the constant complexity in the number of finite-set attributes. We implement the proposed system using the fast pairing library, compare the efficiency with the conventional systems, and show the practicality in a mobile eID application.

2009

IFIP Advances in Information and Communication Technology, 1996

Data security in computer networks is becoming increasingly important due to the expanding role of distributed computation, distributed databases and tele-communication applications such as electronic mail and electronic funds transfer. For privacy, information which may be highly sensitive or privileged must be encrypted with secret keys which are shared by the communicating parties. These keys are generated by key agreement protocols. Traditionally such protocols were designed by trial and error. History has proven this method to be unreliable: many protocols were broken or serious flaws were exposed. In this paper we discuss the security aspects of key agreement protocols. In particular, we consider two models for provable security, one based on probabilistic encryption, the other on zero-knowledge. We propose a variant of the Diffie-Hellman key agreement protocol which is provably secure and efficient.

2007

One day, you suddenly find that a private key corresponding to your Identity is up for sale at e-Bay. Since you do not suspect a key compromise, perhaps it must be the PKG who is acting dishonestly and trying to make money by selling your key. How do you find out for sure and even prove it in a court of law? This paper introduces the concept of Traceable Identity based Encryption which is a new approach to mitigate the (inherent) key escrow problem in identity based encryption schemes. Our main goal is to restrict the ways in which the PKG can misbehave. In our system, if the PKG ever maliciously generates and distributes a decryption key for an Identity, it runs the risk of being caught and prosecuted. In contrast to other mitigation approaches, our approach does not require multiple key generation authorities.

2021

The recent work of Garg et al. from TCC’18 introduced the notion of registration based encryption (RBE). The principal motivation behind RBE is to address the key escrow issue of identity based encryption (IBE), where an IBE authority is trusted to generate private keys for all users in the system. Although RBE has excellent asymptotic properties, it is currently impractical; in our estimate, ciphertext size would be about 11 terabytes in an RBE deployment supporting 2 billion users. Motivated by this observation, our work attempts to reduce the concrete communication and computation cost of the current state-of-the-art construction. Our contribution is two-fold. First, we replace the usage of Merkle trees in RBE with crit-bit trees, a form of PATRICIA trie, without relaxing any of the original efficiency requirements introduced by Garg et al. This change reduces the ciphertext size by 15% and the computation cost of decryption by 30%. Second, we observe that increasing RBE’s public...

Theory of Cryptography, 2018

In this work, we introduce the notion of registration-based encryption (RBE for short) with the goal of removing the trust parties need to place in the private-key generator in an IBE scheme. In an RBE scheme, users sample their own public and secret keys. There will also be a "key curator" whose job is only to aggregate the public keys of all the registered users and update the "short" public parameter whenever a new user joins the system. Encryption can still be performed to a particular recipient using the recipient's identity and any public parameters released subsequent to the recipient's registration. Decryption requires some auxiliary information connecting users' public (and secret) keys to the public parameters. Because of this, as the public parameters get updated, a decryptor may need to obtain "a few" additional auxiliary information for decryption. More formally, if n is the total number of identities and κ is the security parameter, we require the following. Efficiency requirements: (1) A decryptor only needs to obtain updated auxiliary information for decryption at most O(log n) times in its lifetime, (2) each of these updates are computed by the key curator in time poly(κ, log n), and (3) the key curator updates the public parameter upon the registration of a new party in time poly(κ, log n). Properties (2) and (3) require the key curator to have random access to its data. Compactness requirements: (1) Public parameters are always at most poly(κ, log n) bit, and (2) the total size of updates a user ever needs for decryption is also at most poly(κ, log n) bits.

2010

Signcryption as a cryptographic primitive that offers both confidentiality and authentication simultaneously. Generally, in signcryption schemes, the message is hidden and thus the validity of the signcryption can be verified only after the unsigncryption process. Thus, a third party will not be able to verify whether the signcryption is valid or not. Signcryption schemes that allow any one to verify the validity of signcryption without the knowledge of the message are called public verifiable signcryption schemes. Third party verifiable signcryption schemes allow the receiver of a signcryption, to convince a third party that the signcryption is valid, by providing some additional information along with the signcryption. This information can be anything other than the receiver’s private key and the verification may or may not require the exposure of the corresponding message. This paper shows the security weaknesses in two such existing schemes namely [14] and [4]. The scheme in [14] is Public Key Infrastructure (PKI) based scheme and the scheme in [4] is an identity based scheme. More specifically, [14] is based on elliptic curve digital signature algorithm (ECDSA). We also, provide a new identity based signcryption scheme that provides both public verifiability and third party verification. We formally prove the security of the newly proposed scheme in the random oracle model.

A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.

2009

We propose a methodology to construct verifiable random functions from a class of identity based key encapsulation mechanisms (IB-KEM) that we call VRF suitable. Informally, an IB-KEM is VRF suitable if it provides what we call unique decryption (i.e. given a ciphertext C produced with respect to an identity ID, all the secret keys corresponding to identity ID , decrypt to the same value, even if ID = ID) and it satisfies an additional property that we call pseudorandom decapsulation. In a nutshell, pseudorandom decapsulation means that if one decrypts a ciphertext C, produced with respect to an identity ID, using the decryption key corresponding to any other identity ID the resulting value looks random to a polynomially bounded observer. Interestingly, we show that most known IB-KEMs already achieve pseudorandom decapsulation. Our construction is of interest both from a theoretical and a practical perspective. Indeed, apart from establishing a connection between two seemingly unrelated primitives, our methodology is direct in the sense that, in contrast to most previous constructions, it avoids the inefficient Goldreich-Levin hardcore bit transformation.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2008

Very recently, the concept of Traceable Identity-based Encryption (IBE) scheme (or Accountable Authority Identity based Encryption scheme) was introduced in Crypto 2007. This concept enables some mechanisms to reduce the trust of a private key generator (PKG) in an IBE system. The aim of this paper is threefold. First, we discuss some subtleties in the first traceable IBE scheme in the Crypto 2007 paper. Second, we present an extension to this work by having the PKG's master secret key retrieved automatically if more than one user secret key are released. This way, the user can produce a concrete proof of misbehaviour of the PKG in the court. In contrast to previous approach, our idea gives strong incentive for the PKG to strengthen the security of the system since if someone can successfully release a user's secret key, it means that his security is also compromised. We present a formal model to capture our idea. Third, we present an efficient construction based on Gentry's IBE that satisfies our model and prove its security. Our construction is proven secure in the random oracle model. Nevertheless, we should emphasize that the aim of this paper is to introduce the new model to strengthen the IBE system.

—Data sharing has never been easier with the advances of cloud computing, and an accurate analysis on the shared data provides an array of benefits to both the society and individuals. Data sharing with a large number of participants must take into account several issues, including efficiency, data integrity and privacy of data owner. Ring signature is a promising candidate to construct an anonymous and authentic data sharing system. It allows a data owner to anonymously authenticate his data which can be put into the cloud for storage or analysis purpose. Yet the costly certificate verification in the traditional public key infrastructure (PKI) setting becomes a bottleneck for this solution to be scalable. Identity-based (ID-based) ring signature, which eliminates the process of certificate verification, can be used instead. In this paper, we further enhance the security of ID-based ring signature by providing forward security: If a secret key of any user has been compromised, all previous generated signatures that include this user still remain valid. This property is especially important to any large scale data sharing system, as it is impossible to ask all data owners to re-authenticate their data even if a secret key of one single user has been compromised. We provide a concrete and efficient instantiation of our scheme, prove its security and provide an implementation to show its practicality.

The Computer Journal, 2012

We present a study of security in certificateless signatures. We divide potential adversaries according to their attack power, and for the first time, three new kinds of adversaries are introduced into certificateless signatures. They are Normal Adversary, Strong Adversary and Super Adversary (ordered by their attack power). Combined with the known Type IAdversary and Type IIAdversary in certificateless cryptography, we then define the security of certificateless signatures in different attack scenarios. Our new security models, together with others in the literature, provide a clear definition of the security in certificateless signatures. Two concrete schemes with different security levels are also proposed in this paper. The first scheme, which is proven secure (in the random oracle model) against Normal Type I and Super Type II adversaries, has the shortest signature length among all known certificateless signature schemes. The second scheme is secure (in the random oracle model) against Super Type I and Type II adversaries. Compared with another scheme that has a similar security level, our second scheme requires less operational cost but a little longer signature length. Two server-aided verification protocols are also proposed to reduce the verification cost on the verifier. 1 This is the revised and full version of an extended abstract presented at ACISP 2007 [1].

Information Sciences, 2019

Distributed private key generators (PKGs) in identity-based encryption (IBE) is a viable approach to mitigate the inherent key escrow problem, where the user's private key is generated by multiple PKGs, and hence, there is no single PKG can impersonate the user. Nevertheless, these PKGs can still collude to generate a user's private key and auction it without the risk of being caught. In the traditional IBE setting, accountable IBE can identify the creator of a pirated private key between the user and the PKG. Unfortunately, the similar problem in IBE with distributed PKGs remains an open research problem. To fill this gap, we concentrate on adding accountability to IBE with distributed PKGs. Specifically, we propose the formal definition of A-IBE with distributed PKGs (A-dIBE) and the corresponding security models. Subsequently, we present a concrete construction with the corresponding security proof. This cryptographic primitive enjoys the advantages of both the IBE with distributed PKGs and A-IBE. Specifically, it distributes the power to multiple PKGs, while preserving the traceability that could give a convincing judgment to identify the suspect between the user and the PKGs. Furthermore, our construction could be easily extended to achieve IND-ID-CCA security and the revocation of the PKGs is efficient.

Proceedings of the 6th ETSI Annual Security Workshop, January 19 – 20, 2011, Sophia Antipolis, France. docbox.etsi.org, 2011

The notion of identity-based cryptography was put forth by Shamir to simplify the authentication of a public key by merely using an identity string as the public key. From the verifier’s or the encryptor’s point of view, only the identity of the other party is required. Hence, there is no necessity to ensure the validity of the public key. Due this nice property, a series of identity-based schemes have subsequently been proposed including identity-based signatures, identity-based encryption, and hierarchical identity-based cryptography. In these identity-based cryptosystems, there is a trusted party called the private key generator (PKG) who generates the secret key for each user identity. As the PKG generates and holds the secret key for all users, a complete trust must be placed on the PKG. However, this may not be a desirable approach in a real world scenario, where a malicious PKG can sell users’ keys, sign messages or decrypt ciphertexts on behalf of users without being confronted in a court of law. This is known as the key escrow problem. This problem seems to be inherent in identity-based cryptosystems. Some propositions have been made for employing multiple PKGs to solve this problem. The master secret key is jointly computed by a number of PKGs, such that no single PKG has the knowledge of it. However, this approach requires an extra infrastructure and communication cost between users and different PKGs. A user needs to run the key extraction protocol with different PKGs by proving his identity to them. Furthermore, maintaining multiple PKGs for a commercially used infrastructure is a daunting task. In this work, we introduce the concept of escrow-free identity-based signatures to reduce the trust in the PKG. In this model, each signer has his own public key and secret key. The PKG generates the identity-based secret key for the signer with respect to the user public key. Then the signer uses both secret keys to sign a message. Therefore, the signer is protected against a malicious PKG that may attempt to release a signature by itself on the behalf of the user. To verify the signature, it only requires the signer’s identity and the message. This is the main difference between the proposed protocol with existing certificate-based signatures (CBS), certificate-less signatures (CLS), self-certificated signatures (SCS). The verification protocols of these currently existing schemes require signer’s public key to be verified. The proposed protocol is therefore an identity-based signature (IBS) scheme and solves the key escrow problem. We also show that the proposed escrow-free IBS is more efficient than CBS, CLS and SCS since the user public key is not involved and is not sent to the verifier. """

Lecture Notes in Computer Science, 1998

A publicly verifiable secret sharing (PVSS) scheme, named by Stadler in [Sta96], is a special VSS scheme in which anyone, not only the shareholders, can verify that the secret shares are correctly distributed. The property of public verifiability is what the first proposed VSS scheme [CGMA85] incorporated but later protocols [GMW87, Fe187, Ped91] failed to include. PVSS can provide some interesting properties in the systems using VSS. For instance, it gives a practical solution to (k, /)-threshold VSS assuming no broadcast channel. Stadler proposed two PVSS protocols: one is as secure as the Decision-Diffie-Hellman problem and the other is not formally discussed about security. This paper presents a practical and provably secure PVSS scheme which is O([v[) times more efficient than Stadler's PVSS schemes where Iv[ denotes the size of the secret. It can be incorporated into various cryptosystems based on the factoring and the discrete logarithm to transform them into publicly verifiable key escrow (PVKE) systems. In addition, those key escrow cryptosystems can be easily modified into the verifiable partial key escrow (VPKE) ones with the property of delayed recovery [BG97]. To the best of our knowledge, this is the first realization of a VPKE cryptosystem based on the factoring with the delayed recovery.