
Publication


Featured research published by Goichiro Hanaoka.


Archive | 2013

Public-Key Cryptography – PKC 2013

Kaoru Kurosawa; Goichiro Hanaoka

In this short note we observe that the Peikert-Vaikuntanathan-Waters (PVW) method of packing many plaintext elements in a single Regev-type ciphertext can be used for performing SIMD homomorphic operations on packed ciphertext. This provides an alternative to the Smart-Vercauteren (SV) ciphertext-packing technique that relies on polynomial-CRT. While the SV technique is only applicable to schemes that rely on ring-LWE (or other hardness assumptions in ideal lattices), the PVW method can be used also for cryptosystems whose security is based on standard LWE (or more broadly on the hardness of “General-LWE”). Although using the PVW method with LWE-based schemes leads to worse asymptotic efficiency than using the SV technique with ring-LWE schemes, the simplicity of this method may still offer some practical advantages. Also, the two techniques can be used in tandem with “general-LWE” schemes, suggesting yet another tradeoff that can be optimized for different settings.


public key cryptography | 2014

A Framework and Compact Constructions for Non-monotonic Attribute-Based Encryption

Shota Yamada; Nuttapong Attrapadung; Goichiro Hanaoka; Noboru Kunihiro

In this paper, we propose new non-monotonic attribute-based encryption schemes with compact parameters. The first three schemes are key-policy attribute-based encryption (KP-ABE) and the fourth scheme is ciphertext-policy attribute-based encryption (CP-ABE) scheme.

Our first scheme achieves the shortest ciphertext overhead in the literature. Compared to the scheme by Attrapadung et al. (PKC2011), which is the best scheme in terms of the ciphertext overhead, our scheme shortens ciphertext overhead by 33%. The scheme also reduces the size of the master public key to about half. Our second scheme is proven secure under the decisional bilinear Diffie-Hellman (DBDH) assumption, which is one of the most standard assumptions in bilinear groups. Compared to the non-monotonic KP-ABE scheme from the same assumption by Ostrovsky et al. (ACM-CCS07), our scheme reduces the size of the master public key and the ciphertext to about half. Our third scheme is the first non-monotonic KP-ABE scheme that can deal with unbounded size of set and access policies. That is, there is no restriction on the size of attribute sets and the number of allowed repetition of the same attributes which appear in an access policy. The master public key of our scheme consists of only constant number of group elements. Our fourth scheme is the first non-monotonic CP-ABE scheme that can deal with unbounded size of set and access policies. The master public key of the scheme consists of only constant number of group elements.

We construct our KP-ABE schemes in a modular manner. We first introduce special type of predicate encryption that we call two-mode identity based broadcast encryption (TIBBE). Then, we show that any TIBBE scheme that satisfies certain condition can be generically converted into non-monotonic KP-ABE scheme. Finally, we construct efficient TIBBE schemes and apply this conversion to obtain the above new non-monotonic KP-ABE schemes.


public key cryptography | 2012

On the security of dynamic group signatures: preventing signature hijacking

Yusuke Sakai; Jacob C. N. Schuldt; Keita Emura; Goichiro Hanaoka

We identify a potential weakness in the standard security model for dynamic group signatures which appears to have been overlooked previously. More specifically, we highlight that even if a scheme provably meets the security requirements of the model, a malicious group member can potentially claim ownership of a group signature produced by an honest group member by forging a proof of ownership. This property leads to a number of vulnerabilities in scenarios in which dynamic group signatures are likely to be used. We furthermore show that the currently most efficient dynamic group signature scheme does not provide protection against this type of malicious behavior.

To address this, we introduce the notion of opening soundness for group signatures which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer. We then show a relatively simple modification of the scheme by Groth (ASIACRYPT 2007, full version) which allows us to prove opening soundness for the modified scheme without introducing any additional assumptions.

We believe that opening soundness is an important and natural security requirement for group signatures, and hope that future schemes will adopt this type of security.


public key cryptography | 2012

Verifiable predicate encryption and applications to CCA security and anonymous predicate authentication

Shota Yamada; Nuttapong Attrapadung; Bagus Santoso; Jacob C. N. Schuldt; Goichiro Hanaoka; Noboru Kunihiro

In this paper, we focus on verifiability of predicate encryption. A verifiable predicate encryption scheme guarantees that all legitimate receivers of a ciphertext will obtain the same message upon decryption. While verifiability of predicate encryption might be a desirable property by itself, we furthermore show that this property enables interesting applications.

Specifically, we provide two applications of verifiable predicate encryption. Firstly, we show that for a large class of verifiable predicate encryption schemes, it is always possible to convert a chosen-plaintext secure scheme into a chosen-ciphertext secure one. Secondly, we show that a verifiable predicate encryption scheme allows the construction of a deniable predicate authentication scheme. This primitive enables a user to authenticate a message to a verifier using a private key satisfying a specified relation while at the same time allowing the user to deny ever having interacted with the verifier. This scheme furthermore guarantees the anonymity of the user in the sense that the verifier will learn nothing about the user's private key except that it satisfies the specified relation.

Lastly, we show that many currently known predicate encryption schemes already provide verifiability, and furthermore demonstrate that many predicate encryption schemes which do not provide verifiability can be easily converted into schemes providing verifiability.

Our results not only highlight that verifiability is a very useful property of predicate encryption, but also show that efficient and practical schemes with this property can be obtained relatively easily.


international cryptology conference | 2012

On the Impossibility of Constructing Efficient Key Encapsulation and Programmable Hash Functions in Prime Order Groups

Goichiro Hanaoka; Takahiro Matsuda; Jacob C. N. Schuldt

In this paper, we discuss the impossibility of constructing chosen ciphertext secure (CCA secure) key encapsulation mechanisms (KEMs) with low ciphertext overhead. More specifically, we rule out the existence of algebraic black-box reductions from the bounded CCA security of a natural class of KEMs to any non-interactive problem. The class of KEMs captures the structure of the currently most efficient KEMs defined in standard prime order groups, but restricts an encapsulation to consist of a single group element and a string. This result suggests that we cannot rely on existing techniques to construct a CCA secure KEM in standard prime order groups with a ciphertext overhead lower than two group elements. Furthermore, we show how the properties of an algebraic programmable hash function can be used to construct a simple, efficient and CCA secure KEM based on the hardness of the decisional Diffie-Hellman problem with a ciphertext overhead of just a single group element. Since this KEM construction is covered by the above mentioned impossibility result, this enables us to derive a lower bound on the hash key size of an algebraic programmable hash function, and rule out the existence of algebraic (poly, n)-programmable hash functions in prime order groups for any integer n. The latter result answers an open question posed by Hofheinz and Kiltz (CRYPTO08) in the case of algebraic programmable hash functions in prime order groups.


public key cryptography | 2013

Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption

Keita Emura; Goichiro Hanaoka; Go Ohtake; Takahiro Matsuda; Shota Yamada

In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can “freely” perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, a homomorphic transitional universal hash family, and present a number of KH-PKE schemes through hash proof systems. We also present a practical construction of KH-PKE from the DDH assumption. For l-bit security, our DDH-based scheme yields only l-bit longer ciphertext size than that of the Cramer-Shoup PKE scheme.


International Journal of Information Security | 2014

Group signature implies public-key encryption with non-interactive opening

Keita Emura; Goichiro Hanaoka; Yusuke Sakai; Jacob C. N. Schuldt

In this paper, we show that public-key encryption with non-interactive opening (PKENO) can be constructed from an arbitrary group signature (GS) scheme which is secure in the dynamic group setting and provides opening soundness. Moreover, the resulting PKENO construction is efficient if the underlying GS scheme is efficient and the message space of the PKENO scheme is restricted to short messages. Hence, our result not only shows that the existence of this type of GS implies the existence of PKENO, but also that designing a practical GS scheme is as difficult as designing a practical PKENO scheme. Our transform is constructed by carefully investigating the relationship between the functionalities of GS and that of PKENO, and developing a novel (but specific) multiple encryption technique. This multiple encryption technique plays an important role for simultaneously achieving both practical efficiency and security.


public key cryptography | 2012

Space efficient signature schemes from the RSA assumption

Shota Yamada; Goichiro Hanaoka; Noboru Kunihiro

Signature schemes from the RSA assumption are very important because of their highly reliable security. Despite their importance, only a few digital signature schemes from the RSA assumption are currently known. Thus, improvement of efficiency in this area seems to be very important. In this paper, we propose various signature schemes from the RSA assumption. First, we propose a scheme that simultaneously provides the shortest signatures and public key length among the known schemes. Compared with the known best schemes, the signature size is the same as that of the scheme proposed recently by Hofheinz, Jager, and Kiltz, whereas the public key size is about the half that of the Hohenberger-Waters scheme. The drawback of the scheme is its heavy signing and verification algorithms. Second, we also propose a scheme whose public key is longer than our first scheme, but the signing and verification cost is more efficient. The scheme can be seen as a generalization of our first scheme and the Hofheinz-Jager-Kiltz scheme. Finally, we propose a scheme whose signing and verification algorithms are more efficient than our first and second schemes, whereas the signature size is longer. All these schemes are constructed based on a new observation about the relation between m-time signature schemes and short signature schemes.


public key cryptography | 2013

Key Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited

Takahiro Matsuda; Goichiro Hanaoka

In CRYPTO 2010, Wee proposed the notion of “extractable hash proof systems” (XHPS), and its richer version, “all-but-one XHPS” (ABO-XHPS), and showed that chosen ciphertext secure (CCA secure) key encapsulation mechanisms (KEM) can be constructed from them. This elegantly explains several recently proposed practical KEMs constructed based on the “all-but-one” simulation paradigm in a unified framework. Somewhat frustratingly, however, there still exist popular KEMs whose construction and security proofs are not captured by this framework. In this paper, we revisit the framework of the ABO-XHPS-based KEM. Firstly, we show that to prove CCA security of the ABO-XHPS-based KEM, some requirements can be relaxed. This relaxation widens the applicability of the original framework, and explains why many known practical KEMs can be proved CCA secure. Moreover, we introduce new properties for ABO-XHPS, and show how one of the properties leads to KEMs that achieve “constrained” CCA security, which is a useful security notion of KEMs for obtaining CCA secure public key encryption via hybrid encryption. Thirdly, we investigate the relationships among computational properties that we introduce in this paper, and derive a useful theorem that enables us to understand the structure of KEMs of a certain type in a modular manner. Finally, we show that the ABO-XHPS-based KEM can be extended to efficient multi-recipient KEMs. Our results significantly extend the framework for constructing a KEM from ABO-XHPS, enables us to capture and explain more existing practical CCA secure schemes (most notably those based on the decisional Diffie-Hellman assumption) in the framework, and leads to a number of new instantiations of (single- and multi-recipient) KEMs.


international workshop on security | 2011

Towards restricting plaintext space in public key encryption

Yusuke Sakai; Keita Emura; Goichiro Hanaoka; Yutaka Kawai; Kazumasa Omote

This paper investigates methods that allow a third-party authority to control contents transmitted using a public key infrastructure. Since public key encryption schemes are normally designed not to leak even partial information of plaintext, traditional public key encryption schemes do not allow such controlling by an authority. In the proposed schemes, an authority specifies some set of forbidden messages, and anyone can detect a ciphertext that encrypts one of the forbidden messages. The syntax of public key encryption with such a functionality (restrictive public key encryption), formal definitions of security requirement for restrictive public key encryption schemes, and an efficient construction of restrictive public key encryption are given.

In principle, restrictive public key encryption schemes can be constructed by adding an NIZK proof that proves whether the encrypted messages are not prohibited. However if one uses the general NIZK technique to construct such a noninteractive proof, the scheme becomes extremely inefficient. In order to avoid such an inefficient construction, the construction given in this paper uses techniques of Teranishi et al., Boudot, and Nakanishi et al.

One of the possible applications of restrictive public key encryption is protecting a public key infrastructure from abuse by terrorists by disallowing encryption of crime-related keywords. Another example is to perform format-check of a ballot in an electronic voting, by disallowing encryption of irregular format voting.

Collaboration

Top Co-Authors

Keita Emura
National Institute of Information and Communications Technology

Shota Yamada
National Institute of Advanced Industrial Science and Technology

Takahiro Matsuda
National Institute of Advanced Industrial Science and Technology

Yusuke Sakai
University of Electro-Communications

Jacob C. N. Schuldt
National Institute of Advanced Industrial Science and Technology

Go Ohtake
National Institute of Advanced Industrial Science and Technology

Nuttapong Attrapadung
National Institute of Advanced Industrial Science and Technology

Bagus Santoso
University of Electro-Communications