Alexander W. Dent

A survey of certificateless encryption schemes and security models

This paper surveys the literature on certificateless encryption schemes. In particular, we examine the large number of security models that have been proposed to prove the security of certificateless encryption schemes and propose a new nomenclature for these models. This allows us to “rank” the notions of security for a certificateless encryption scheme against an outside attacker and a passive key generation centre, and we suggest which of these notions should be regarded as the “correct” model for a secure certificateless encryption scheme. We also examine the security models that aim to provide security against an actively malicious key generation centre and against an outside attacker who attempts to deceive a legitimate sender into using an incorrect public key (with the intention to deny the legitimate receiver that ability to decrypt the ciphertext). We note that the existing malicious key generation centre model fails to capture realistic attacks that a malicious key generation centre might make and propose a new model. Lastly, we survey the existing certificateless encryption schemes and compare their security proofs. We show that few schemes provide the “correct” notion of security without appealing to the random oracle model. The few schemes that do provide sufficient security guarantees are comparatively inefficient. Hence, we conclude that more research is needed before certificateless encryption schemes can be thought to be a practical technology.

Certificateless encryption schemes strongly secure in the standard model

This paper presents the first constructions for certificateless encryption (CLE) schemes that are provably secure against strong adversaries in the standard model. It includes both a generic construction for a strongly secure CLE scheme from any passively secure scheme as well as a concrete construction based on the Waters identity-based encryption scheme.

Adapting the Weaknesses of the Random Oracle Model to the Generic Group Model

The generic group model has recently been used to prove the security of certain asymmetric encryption and signature schemes. This paper presents results that show that there exist problems in that are provably hard in the generic group model but easy to solve whenever the random encoding function is replaced with a specific encoding function (or one drawn from a specific set of encoding functions). In particular we show that there exist cryptographic schemes that are provably hard in the generic group model but easy to break in practice.

Hybrid signcryption schemes with outsider security

This paper expands the notion of a KEM–DEM hybrid encryption scheme to the signcryption setting by introducing the notion of a signcryption KEM, a signcryption DEM and a hybrid signcryption scheme. We present the security criteria that a signcryption KEM and DEM must satisfy in order that the overall signcryption scheme is secure against outsider attacks. We also present ECISS–KEM — a simple, efficient and provably secure example of a signcryption KEM. Lastly, we briefly discuss the problems associated with using KEMs in key establishment protocols.

A Designer’s Guide to KEMs

A generic or KEM-DEM hybrid construction is a formal method for combining asymmetric and symmetric encryption techniques to give an efficient, provably secure public-key encryption scheme. This method combines an asymmetric key encapsulation mechanism (KEM) with a symmetric data encapsulation mechanism (DEM). A KEM is a probabilistic algorithm that produces a random symmetric key and an asymmetric encryption of that key. A DEM is a deterministic algorithm that takes a message and a symmetric key and encrypts the message under that key. Each of these components must satisfy its own security conditions if the overall scheme is to be secure. In this paper we describe generic constructions for provably secure KEMs based on weak encryption algorithms. We analyse the two most popular techniques for constructing a KEM and note that they are either overly complex or based on needlessly strong assumptions about the security of the underlying trapdoor function. Hence we propose two new, simple methods for constructing a KEM where the security of the KEM is based on weak assumptions about the underlying function. Lastly we propose a new KEM based on the Rabin function that is both efficient and secure, and is the first KEM to be proposed whose security depends upon the intractability of factoring.

Identity-Based encryption gone wild

In this paper we introduce the notion of identity based encryption with wildcards, or WIBE for short. This allows the encryption of messages to multiple parties with common fields in their identity strings, for example email groups in a corporate hierarchy. We propose a full security notion and give efficient implementations meeting this notion in the standard model and in the random oracle model

The cramer-shoup encryption scheme is plaintext aware in the standard model

In this paper we examine the notion of plaintext awareness as it applies to hybrid encryption schemes. We apply this theory to the Cramer-Shoup hybrid scheme acting on fixed length messages and deduce that the Cramer-Shoup scheme is plaintext-aware in the standard model. This answers a previously open conjecture of Bellare and Palacio on the existence of fully plaintext-aware encryption schemes.

Building better signcryption schemes with Tag-KEMs

Signcryption schemes aim to provide all of the advantages of simultaneously signing and encrypting a message. Recently, Dent [8, 9]and Bjorstad [4] investigated the possibility of constructing provably secure signcryption schemes using hybrid KEM-DEM techniques [7]. We build on this work by showing that more efficient insider secure hybrid signcryption schemes can be built using tag-KEMs [1]. To prove the effectiveness of this construction, we will provide several examples of secure signcryption tag-KEMs, including a brand new construction based on the Chevallier-Mames signature scheme [5] which has the tightest known security reductions for both confidentiality and unforgeability.

Hidden pairings and trapdoor DDH groups

This paper suggests a new building block for cryptographic protocols and gives two instantiations of it. The concept is to generate two descriptions of the same group: a public description that allows a user to perform group operations, and a private description that allows a user to also compute a bilinear pairing on the group. A user who has the private information can therefore solve decisional Diffie-Hellman (DDH) problems, and potentially also discrete logarithm problems. Some cryptographic applications of this idea are given. Both instantiations are based on elliptic curves. The first relies on the factoring assumption for hiding the pairing. The second relies on the difficulty of solving a system of multivariate equations. The second method also potentially gives rise to a practical trapdoor discrete logarithm system.

Revisiting the security model for timed-release encryption with pre-open capability

The concept of timed-released encryption with preopen capability (TRE-PC) was introduced by Hwang, Yum and Lee. In a TRE-PC scheme, a message is encrypted in such a way that it can only be decrypted at a certain point in time or if the sender releases a piece of trapdoor information known as a pre-open key. This paper examines the security model for a TRE-PC scheme, demonstrates that a TRE-PC scheme can be constructed using a KEM-DEM approach, and provides an efficient example of a TRE-PC scheme.