Atsuko Miyaji
Osaka University
Publication
Featured research published by Atsuko Miyaji.
International Journal of Applied Cryptography | 2010
Keita Emura; Atsuko Miyaji; Kazumasa Omote; Akito Nomura; Masakazu Soshi
An Attribute-Based Encryption (ABE) is an encryption scheme where users with some attributes can decrypt ciphertexts associated with these attributes. The length of the ciphertext depends on the number of attributes in previous ABE schemes. In this paper, we propose a new Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with constant ciphertext length. In our scheme, the number of pairing computations is also constant. In addition, the number of additional bits required from chosen plaintext attack-secure CP-ABE to chosen ciphertext attack-secure CP-ABE is reduced by 90% with respect to that of the previous scheme.
International Conference on Information and Communication Security | 1997
Atsuko Miyaji; Takatoshi Ono; Henri Cohen
Elliptic curve cryptosystems, proposed by Koblitz ([8]) and Miller ([11]), can be constructed over a smaller definition field than the ElGamal cryptosystems ([5]) or the RSA cryptosystems ([16]). This is why elliptic curve cryptosystems have begun to attract notice. There are mainly two types of elliptic curve cryptosystems: elliptic curves $E$ over $\mathbb{F}_{2^r}$ and $E$ over $\mathbb{F}_p$. Some current systems based on ElGamal or RSA may often use modulo arithmetic over $\mathbb{F}_p$. Therefore it is convenient to construct fast elliptic curve cryptosystems over $\mathbb{F}_p$. In this paper, we investigate how to implement elliptic curve cryptosystems on $E/\mathbb{F}_p$.
Cryptographic Hardware and Embedded Systems | 2004
Hideyo Mamiya; Atsuko Miyaji; Hiroaki Morimoto
In the execution on a smart card, side channel attacks such as simple power analysis (SPA) and differential power analysis (DPA) have become a serious threat [15]. Side channel attacks monitor power consumption and even exploit the leakage information related to power consumption to reveal bits of a secret key d although d is hidden inside a smart card. Almost all public key cryptosystems including RSA, DLP-based cryptosystems, and elliptic curve cryptosystems execute an exponentiation algorithm with a secret-key exponent, and they thus suffer from both SPA and DPA. Recently, in the case of elliptic curve cryptosystems, DPA is improved to the Refined Power Analysis (RPA), which exploits a special point with a zero value and reveals a secret key [10]. RPA is further generalized to Zero-value Point Attack (ZPA) [2]. Both RPA and ZPA utilize a special feature of elliptic curves that happen to have a special point or a register used in addition and doubling formulae with a zero value, and the fact that the power consumption of 0 is distinguishable from that of a non-zero element. To make matters worse, some previous efficient countermeasures are resistant against neither RPA nor ZPA. Although a countermeasure to RPA is proposed, this is not a universal countermeasure, gives a different method for each type of elliptic curve, and is still vulnerable against ZPA [30]. The possible countermeasures are ES [3] and the improved version [4]. This paper focuses on countermeasures against RPA, ZPA, DPA and SPA. We show a novel countermeasure resistant against RPA, ZPA, SPA and DPA without any pre-computed table. We also generalize the countermeasure to present a more efficient algorithm with a pre-computed table.
Archive | 2010
Marc Joye; Atsuko Miyaji; Akira Otsuka
Efficient Software Implementation
- An Analysis of Affine Coordinates for Pairing Computation
- High-Speed Software Implementation of the Optimal Ate Pairing over Barreto-Naehrig Curves

Invited Talk 1
- Some Security Topics with Possible Applications for Pairing-Based Cryptography

Digital Signatures
- A New Construction of Designated Confirmer Signature and Its Application to Optimistic Fair Exchange
- Anonymizable Signature and Its Construction from Pairings
- Identification of Multiple Invalid Pairing-Based Signatures in Constrained Batches

Cryptographic Protocols
- Oblivious Transfer with Access Control: Realizing Disjunction without Duplication
- Increased Resilience in Threshold Cryptography: Sharing a Secret with Devices That Cannot Store Shares
- Shorter Verifier-Local Revocation Group Signature with Backward Unlinkability

Key Agreement
- Strongly Secure Two-Pass Attribute-Based Authenticated Key Exchange
- Constructing Certificateless Encryption and ID-Based Encryption from ID-Based Key Agreement
- Ephemeral Key Leakage Resilient and Efficient ID-AKEs That Can Share Identities, Private and Master Keys

Invited Talk 2
- Pairing-Based Non-interactive Zero-Knowledge Proofs

Applications: Code Generation, Time-Released Encryption, Cloud Computing
- Designing a Code Generator for Pairing Based Cryptographic Functions
- Efficient Generic Constructions of Timed-Release Encryption with Pre-open Capability
- Optimal Authenticated Data Structures with Multilinear Forms

Point Encoding and Pairing-Friendly Curves
- Deterministic Encoding and Hashing to Odd Hyperelliptic Curves
- Encoding Points on Hyperelliptic Curves over Finite Fields in Deterministic Polynomial Time
- A New Method for Constructing Pairing-Friendly Abelian Surfaces
- Generating More Kawazoe-Takahashi Genus 2 Pairing-Friendly Hyperelliptic Curves

ID-Based Encryption Schemes
- New Identity-Based Proxy Re-encryption Schemes to Prevent Collusion Attacks
- Fully Secure Anonymous HIBE and Secret-Key Anonymous IBE with Short Ciphertexts
- Chosen-Ciphertext Secure Identity-Based Encryption from Computational Bilinear Diffie-Hellman

Invited Talk 3
- A Survey of Local and Global Pairings on Elliptic Curves and Abelian Varieties

Efficient Hardware, FPGAs, and Algorithms
- Compact Hardware for Computing the Tate Pairing over 128-Bit-Security Supersingular Curves
- A Variant of Miller's Formula and Algorithm
- Pairing Computation on Elliptic Curves with Efficiently Computable Endomorphism and Small Embedding Degree
- High Speed Flexible Pairing Cryptoprocessor on FPGA Platform
The Cryptographers’ Track at the RSA Conference | 2004
Yevgeniy Dodis; Matthew K. Franklin; Jonathan Katz; Atsuko Miyaji; Moti Yung
In an intrusion-resilient cryptosystem [10], two entities (a user and a base) jointly evolve a secret decryption key; this provides very strong protection against an active attacker who can break into the user and base repeatedly and even simultaneously. Recently, a construction of an intrusion-resilient public-key encryption scheme based on specific algebraic assumptions has been shown [6]. We generalize this previous work and present a more generic construction for intrusion-resilient public-key encryption from any forward-secure public-key encryption scheme satisfying a certain homomorphic property.
Australasian Conference on Information Security and Privacy | 2001
Kazumasa Omote; Atsuko Miyaji
An English auction is the most familiar type of auction. Generally, an electronic auction has mainly two entities, the registration manager (RM) who treats the registration of bidders, and the auction manager (AM) who holds auctions. Before starting an auction, a bidder who wants to participate in an English auction is registered to RM with her/his information. An electronic English auction protocol should satisfy the following nine properties: (a) Anonymity, (b) Traceability, (c) No framing, (d) Unforgeability, (e) Fairness, (f) Verifiability, (g) Unlinkability among different auctions, (h) Linkability in an auction, and (i) Efficiency of bidding. Furthermore, from the practical point of view we add two properties: (j) One-time registration and (k) Easy revocation. A group signature is adapted to an English auction in order to satisfy (a), (b), and (f) [18]. However, such a direct adoption suffers from the most critical drawbacks of efficiency in group signatures. In this paper we propose a more realistic electronic English auction scheme, which satisfies all of these properties. Four notable features of our scheme are: (1) both bidding and verification of bids are done quite efficiently by introducing a bulletin board, (2) anonymity for RM, AM and any participant can be realized to plural auctions by only one-time registration, (3) RM can easily revoke a bidder, and (4) nobody can impersonate any bidder.
Journal of Cryptographic Engineering | 2011
Raveen R. Goundar; Marc Joye; Atsuko Miyaji; Matthieu Rivain; Alexandre Venelli
In 2007, Meloni introduced a new type of arithmetic on elliptic curves when adding projective points sharing the same Z-coordinate. This paper presents further co-Z addition formulæ (and register allocations) for various point additions on Weierstraß elliptic curves. It explains how the use of conjugate point addition and other implementation tricks allows one to develop efficient scalar multiplication algorithms making use of co-Z arithmetic. Specifically, this paper describes efficient co-Z based versions of Montgomery ladder, Joye’s double-add algorithm, and certain signed-digit algorithms, as well as faster (X, Y)-only variants for left-to-right versions. Further, the proposed implementations are regular, thereby offering a natural protection against a variety of implementation attacks.
International Conference on Information Security and Cryptology | 2000
Atsuko Miyaji; Masaki Nakabayashi; Shunzo Takano
Elliptic curve cryptosystems ([19,25]) are based on the elliptic curve discrete logarithm problem (ECDLP). If elliptic curve cryptosystems avoid FR-reduction ([11,17]) and anomalous elliptic curves over $\mathbb{F}_q$ ([34,3,36]), then with current knowledge we can construct elliptic curve cryptosystems over a smaller definition field. ECDLP has an interesting property that the security deeply depends on elliptic curve traces rather than definition fields, which does not occur in the case of the discrete logarithm problem (DLP). Therefore it is important to characterize elliptic curve traces explicitly from the security point of view. As for FR-reduction, supersingular elliptic curves or elliptic curves $E/\mathbb{F}_q$ with trace 2 have been reported to be vulnerable. Unfortunately, however, these have been the only results that characterize elliptic curve traces explicitly for FR- or MOV-reductions. More importantly, the secure trace against FR-reduction has not been reported at all. Elliptic curves with the secure trace mean that the reduced extension degree is always higher than a certain level. In this paper, we aim at characterizing elliptic curve traces by FR-reduction and investigate explicit conditions of traces vulnerable or secure against FR-reduction. We show new explicit conditions of elliptic curve traces for FR-reduction. We also present algorithms to construct such elliptic curves, which have relation to famous number theory problems.
The Cryptographers’ Track at the RSA Conference | 2003
Yevgeniy Dodis; Matthew K. Franklin; Jonathan Katz; Atsuko Miyaji; Moti Yung
This paper provides a comprehensive treatment of forward-security in the context of shared-key based cryptographic primitives, as a practical means to mitigate the damage caused by key-exposure. We provide definitions of security, practical proven-secure constructions, and applications for the main primitives in this area. We identify forward-secure pseudorandom bit generators as the central primitive, providing several constructions and then showing how forward-secure message authentication schemes and symmetric encryption schemes can be built based on standard schemes for these problems coupled with forward-secure pseudorandom bit generators. We then apply forward-secure message authentication schemes to the problem of maintaining secure access logs in the presence of break-ins.
International Cryptology Conference | 1996
Atsuko Miyaji
The ElGamal signature ([3]) is based on the difficulty of the discrete logarithm problem (DLP). For the ElGamal signature scheme, many variants like the NIST Digital Signature Algorithm (DSA) ([10]) and a new signature with a message recovery feature ([12]) are proposed. The message recovery feature has the advantage of small signed message length, which is effective especially in applications like identity-based public key system ([4]) and the key exchange protocol ([2]). However, its security is not widely accepted because it has been only a few years since the scheme was proposed. Even the relative security between the new message recovery scheme and already-existing schemes is scarcely known. In this paper, we make a strict definition of the conception of equivalent classes ([14]) between signature schemes. According to this definition, we discuss the security relation between signature schemes. The reason why the Bleichenbacher-attack ([1]) works for ElGamal but not for DSA can also be explained well by the conception. We show that an elliptic curve gives the message recovery signature equivalent to DSA. Furthermore we investigate the new attack over elliptic curves and present its new trapdoor generating algorithm. We also show that the trapdoor does not exist in the particular kind of elliptic curves.
Collaboration
National Institute of Information and Communications Technology