Giuseppe Persiano

Public Key Encryption with Keyword Search

We study the problem of searching on data that is encrypted using a public key system. Consider user Bob who sends email to user Alice encrypted under Alice’s public key. An email gateway wants to test whether the email contains the keyword “urgent” so that it could route the email accordingly. Alice, on the other hand does not wish to give the gateway the ability to decrypt all her messages. We define and construct a mechanism that enables Alice to provide a key to the gateway that enables the gateway to test whether the word “urgent” is a keyword in the email without learning anything else about the email. We refer to this mechanism as Public Key Encryption with keyword Search. As another example, consider a mail server that stores various messages publicly encrypted for Alice by others. Using our mechanism Alice can send the mail server a key that will enable the server to identify all messages containing some specific keyword, but learn nothing else. We define the concept of public key encryption with keyword search and give several constructions.

Noninteractive zero-knowledge

This paper investigates the possibility of disposing of interaction between prover and verifier in a zero-knowledge proof if they share beforehand a short random string.Without any assumption, it i...

On the Achievability of Simulation-Based Security for Functional Encryption

This work attempts to clarify to what extent simulation-based security (SIM-security) is achievable for functional encryption (FE) and its relation to the weaker indistinguishability-based security (IND-security). Our main result is a compiler that transforms any FE scheme for the general circuit functionality (which we denote by Circuit-FE) meeting indistinguishability-based security (IND-security) to a Circuit-FE scheme meeting SIM-security, where:

Constant-Round Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model

In the bare public-key model (BPK in short), each verifier is assumed to have deposited a public key in a file that is accessible by all users at all times. In this model, introduced by Canetti et al. [STOC 2000], constant-round black-box concurrent and resettable zero knowledge is possible as opposed to the standard model for zero knowledge. As pointed out by Micali and Reyzin [Crypto 2001], the notion of soundness in this model is more subtle and complex than in the classical model and indeed four distinct notions have been introduced (from weakest to strongest): one-time, sequential, concurrent and resettable soundness.

Non-Interactive Zero-Knowledge Proof Systems

The intriguing notion of a Zero-Knowledge Proof System has been introduced by Goldwasser, Micali and Rackoff [GMR] and its wide applicability has been demonstrated by Goldreich, Micali and Wigderson [GMW1]-[GMW2|.Based on complexity theoretic assumptions, Zero-Knowledge Proof Systems exist, provided that (i) The prover and the verifier are allowed to talk back and forth. (ii) The verifier is allowed to flip coins whose result the prover cannot see.Blum, Feldman and Micali [BFM] have recently shown that, based on specific complexity theoretic assumption (the computational difficulty of distinguishing products of two primes from those product of three primes), both the requirements (i) and (ii) above are not necessary to the existence of Zero-Knowledge Proof Systems. Instead of (i), it is enough for the prover only to talk and for the verifier only to listen. Instead of (ii), it is enough that both the prover and verifier share a randomly selected string.We strengthen their result by showing that Non-Interactive Zero-Knowledge Proof Systems exist based on the weaker and well-known assumption that quadratic residuosity is hard.

Fully secure anonymous HIBE and secret-key anonymous IBE with short ciphertexts

Lewko and Waters [Eurocrypt 2010] presented a fully secure HIBE with short ciphertexts. In this paper we show how to modify their construction to achieve anonymity. We prove the security of our scheme under static (and generically secure) assumptions formulated in composite order bilinear groups. In addition, we present a fully secure Anonymous IBE in the secret-key setting. Secret-Key Anonymous IBE was implied by the work of [Shen-Shi-Waters - TCC 2009] which can be shown secure in the selective-id model. No previous fully secure construction of secret-key Anonymous IBE is known.

Branch-and-bound and backtrack search on mesh-connected arrays of processors

In this paper we investigate the parallel complexity of backtrack and branch-and-bound search on the mesh-connected array. We present an Ω(√dN/√logdN) lower bound for the time needed by arandomized algorithm to perform backtrack and branch-and-bound search of a tree of depthd on the √N × √N mesh, even when the depth of the tree is known in advance. The lower bound also holds for algorithms that are allowed to move tree-nodes and create multiple copies of the same tree-node.

Necessary and Sufficient Assumptions for Non-iterative Zero-Knowledge Proofs of Knowledge for All NP Relations

Establishing relationships between primitives is an important area in the foundations of Cryptography. In this paper we consider the primitive of non-interactive zero-knowledge proofs of knowledge, namely, methods for writing a proof that on input x the prover knows y such that relation R(x, y) holds. These proofs have important applications for the construction of cryptographic protocols, as cryptosystems and signatures that are secure under strong types of attacks. They were first defined in [10], where a sufficient condition for the existence of such proofs for all NP relations was given. In this paper we show, perhaps unexpectedly, that such condition, based on a variant of publickey cryptosystems, is also necessary. Moreover, we present an alternative and natural condition, based on a variant of commitment schemes, which we show to be necessary and sufficient as well for the construction of such proofs. Such equivalence also allows us to improve known results on the construction of such proofs under the hardness of specific computational problems. Specifically, we show that assuming the hardness of factoring Blum integers is sufficient for such constructions.

Communication-efficient anonymous group identification

Identtication schemes allow a user to identi& herseMto a verifying authority in a secure way (i.e., without revealing her secret key). Group identification schemes allow a user to identi~ herself as a member of a group of users in a se cure and anonymous way (i.e., without revealing her identity nor her secret key). Several identification schemes and group identification schemes have been proposed in the literature. In this paper we consider the problem of constructing communication-eficient group identification schemes. Assuming factoring Blum integers is hard, we construct a secure and anonymous group identification scheme having communication complexity @ (m+n), where m is the size of the group and n is the security parameter (previous restits achieved complexity @(inn)). In fact, we show our protocol to be perfect zer~knowledge. We extend this scheme to the case of groups oft >1 users and obtain a protocol that improves on the communication complexity of previous protocoh even ● Dipartimento d] Informatica ed Appliczioni, Universit~ di Salerno, 84081 Baronissi (SA), Italy. Email: ads.giuper@dia.unisa.it. tComP”ter Science and Engineering Department, University of California San Diego, La Jolla, CA, 92093-0114, USA. Email: gio}anni~m.u~d. edu. for large values of the threshold t. Our protw COISefficiently extend the poptiar Fiat-Shamir identification scheme to solve the problem of anonymous group identification.

Efficient Wavelength Routing on Directed Fiber Trees

We address the issue of efficiently assigning wavelengths to communication requests in wavelength division multiplexing (WDM) optical networks. We consider directed tree and tree of rings topologies. These are topologies of concrete practical relevance for which undirected underlying graph models have been studied by Raghavan and Upfal [6]. Directed models were first studied by Mihail et al [4].