Publication


Featured research published by Bagus Santoso.


public key cryptography | 2012

Verifiable predicate encryption and applications to CCA security and anonymous predicate authentication

Shota Yamada; Nuttapong Attrapadung; Bagus Santoso; Jacob C. N. Schuldt; Goichiro Hanaoka; Noboru Kunihiro

In this paper, we focus on verifiability of predicate encryption. A verifiable predicate encryption scheme guarantees that all legitimate receivers of a ciphertext will obtain the same message upon decryption. While verifiability of predicate encryption might be a desirable property by itself, we furthermore show that this property enables interesting applications. Specifically, we provide two applications of verifiable predicate encryption. Firstly, we show that for a large class of verifiable predicate encryption schemes, it is always possible to convert a chosen-plaintext secure scheme into a chosen-ciphertext secure one. Secondly, we show that a verifiable predicate encryption scheme allows the construction of a deniable predicate authentication scheme. This primitive enables a user to authenticate a message to a verifier using a private key satisfying a specified relation while at the same time allowing the user to deny ever having interacted with the verifier. This scheme furthermore guarantees the anonymity of the user in the sense that the verifier will learn nothing about the user's private key except that it satisfies the specified relation. Lastly, we show that many currently known predicate encryption schemes already provide verifiability, and furthermore demonstrate that many predicate encryption schemes which do not provide verifiability can be easily converted into schemes providing verifiability. Our results not only highlight that verifiability is a very useful property of predicate encryption, but also show that efficient and practical schemes with this property can be obtained relatively easily.


Lecture Notes in Computer Science | 2006

Factorization of square-free integers with high bits known

Bagus Santoso; Noboru Kunihiro; Naoki Kanayama

In this paper we propose an algorithm for factoring any integer N which has k different prime factors with the same bit-length, when high-order bits of each prime factor are given. For a fixed e, the running time of our algorithm is heuristic polynomial in (log N). Our factoring algorithm is based on a new lattice-based algorithm for solving any k-variate polynomial equation over ℤ, which might be of independent interest.


public key cryptography | 2016

Refining Identification Scheme based on Isomorphism of Polynomials with Two Secrets: a New Theoretical and Practical Analysis

Bagus Santoso

The isomorphism of polynomials with two secrets (IP2S) problem is one candidate computational assumption for post-quantum cryptography. The only identification scheme based on IP2S was introduced in 1996 by Patarin. However, the security of the scheme has not been formally proven and we discover that the originally proposed parameters are no longer secure based on the most recent research. In this paper, we present the first formal security proof of the identification scheme based on IP2S against impersonation under passive attack, sequential active attack, and concurrent active attack. We propose new secure parameters and methods to reduce the implementation cost. Using the proposed methods, we are able to cut the storage cost and average communication cost so drastically that the scheme is implementable even on the lightweight devices in the current market.


IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2008

Factorization of Square-Free Integers with High Bits Known

Bagus Santoso; Noboru Kunihiro; Naoki Kanayama

In this paper we propose an algorithm for factoring any integer N which has k different prime factors with the same bit-length, when about (1/k+2 + e/k-1)log2N high-order bits of each prime factor are given. For a fixed e, the running time of our algorithm is heuristic polynomial in (log2N). Our factoring algorithm is based on a lattice-based algorithm for solving any k-variate polynomial equation over Z, which might be of independent interest.


international conference on information security | 2018

Entanglement Between Hash Encodings and Signatures from ID Schemes with Non-binary Challenges: A Case Study on Lightweight Code-Based Signatures

Bagus Santoso; Taiyo Yamaguchi; Tomoyuki Ohkubo

We are interested in investigating the following issue which arises during the implementation of signature schemes derived from identification (ID) schemes via the Fiat-Shamir (FS) transform. In the FS transform, the “challenge” part of the ID scheme is substituted with the output of a hash function. However, the “challenge” part of several ID schemes, such as Stern’s code-based ID scheme, is a ternary sequence \((\{0, 1, 2\}^*)\), while all standard hash functions, e.g., SHA-256, output a binary sequence. Hence, we have to apply an encoding to transform the binary sequence of the hash functions’ outputs into the ternary sequence. A naive encoding method is to store the whole outputs of the hash function in memory and then convert them into ternary afterwards. Although this naive encoding method seems sufficient, it is an interesting question whether we can have better encoding options with lower computing and storage costs, especially when we deal with implementation on lightweight devices with critical resources.


provable security | 2017

Provable Secure Post-Quantum Signature Scheme Based on Isomorphism of Polynomials in Quantum Random Oracle Model

Bagus Santoso; Chunhua Su

Since a quantum adversary is supposed to be able to perform hash computation with superposition of the quantum bits, it is natural that in the random oracle model, the reduction algorithm for the security proof should allow the quantum adversary to query the random oracle in superposition of quantum bits. However, due to the physical nature of quantum states, any observation on a superposition of quantum bits will be noticed by quantum adversaries. Hence, to simulate the true random oracle, the reduction algorithm has to answer the queries without observing their content. This makes the classical reduction algorithms fail to properly perform rewinding and random oracle programming against quantum adversaries, and it has been shown recently that several signature schemes generated by the Fiat-Shamir transformation might be insecure against quantum adversaries although they have been proven secure in the classical setting against classical adversaries.


international symposium on information theory | 2017

Privacy amplification of distributed encrypted sources with correlated keys

Bagus Santoso; Yasutada Oohama

In this paper, we consider a system where multiple sources are encrypted in separate nodes and sent through their respective public communication channels into a joint sink node. We are interested in the problem of protecting the security of an already existing system such as the above, which is found to have correlated encryption keys. In particular, we focus on finding a solution without introducing additional secret keys and with minimal modification, to minimize the cost and the risk of bringing down an already running system. We propose a solution under a security model where an eavesdropper obtains all ciphertexts, i.e., encrypted sources, by accessing available public communication channels. Our main technique is to use encoders of certain linear codes to encode the ciphertexts before sending them to public communication channels. We show that if the rates of the linear codes are within a certain rate region: (1) the success probability of any eavesdropper to extract the original sources from the encoded ciphertexts without the keys is negligible, while (2) one who has legitimate keys is able to retrieve the original source data with negligible error probability.


IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2009

A New 'On the Fly' Identification Scheme: An Asymptoticity Trade-Off between ZK and Correctness

Bagus Santoso


international symposium on information theory | 2018

Information Theoretical Analysis of Side-Channel Attacks to the Shannon Cipher System

Yasutada Oohama; Bagus Santoso


arXiv: Information Theory | 2018

Information Theoretic Security for Side-Channel Attacks to the Shannon Cipher System.

Yasutada Oohama; Bagus Santoso

Collaboration


Top Co-Authors

Yasutada Oohama

University of Electro-Communications

Goichiro Hanaoka

National Institute of Advanced Industrial Science and Technology

Jacob C. N. Schuldt

National Institute of Advanced Industrial Science and Technology

Nuttapong Attrapadung

National Institute of Advanced Industrial Science and Technology

Shota Yamada

National Institute of Advanced Industrial Science and Technology

Taiyo Yamaguchi

University of Electro-Communications

Tomoyuki Ohkubo

University of Electro-Communications
