Hoon Wei Lim

On Identity-Based Cryptography and Grid Computing

In this exploratory paper we consider the use of Identity-Based Cryptography (IBC) in a Grid security architecture. IBC has properties that align well with the demands of Grid computing and we illustrate some trade-offs in deploying IBC within a Grid system.

A dynamic key infrastructure for GRID

This paper introduces the concept of a dynamic key infrastructure for Grid. It utilises the properties of Identity-based Cryptography (IBC) to simplify key management techniques used in current Public Key Infrastructure (PKI) settings for Grid. This approach can offer greater simplicity, flexibility, and enhanced computation trade-offs.

Revocable identity-based encryption from lattices

In this paper, we present an identity-based encryption (IBE) scheme from lattices with efficient key revocation. We adopt multiple trapdoors from the Agrawal-Boneh-Boyen and Gentry-Peikerty-Vaikuntanathan lattice IBE schemes to realize key revocation, which in turn, makes use of binary-tree data structure. Using our scheme, key update requires logarithmic complexity in the maximal number of users and linear in the number of revoked users for the relevant key authority. We prove that our scheme is selective secure in the standard model and under the LWE assumption, which is as hard as the worst-case approximating short vectors on arbitrary lattices.

User-friendly grid security architecture and protocols

We examine security protocols for the Grid Security Infrastructure (GSI) version 2 and identify a weakness of poor scalability as a result of GSI’s authentication framework requiring heavy interactions between a user-side client machine and resource suppliers. We improve the GSI architecture and protocols by proposing an alternative authentication framework for GSI, which uses dynamic public/private key pairs to avoid frequent communications to a significant extent. The improvement to the GSI security protocols is enabled by a novel application of an emerging cryptographic technique from bilinear pairings.

What can identity-based cryptography offer to web services?

Web services are seen as the enabler of service-oriented computing, a promising next generation distributed computing technology. Independently, identity-based cryptography is emerging as a serious contender to more conventional certificate-based public key cryptography. However, the application of identity-based cryptography in web services appears largely unexplored. This paper sets out to examine how identity-based cryptography might be used to secure web services. We show that identity-based cryptography has some attractive properties which naturally suit the message-level security needed by web services.

Combined public-key schemes: the case of ABE and ABS

In the context of public key cryptography, combined encryption and signature schemes have attractive properties and are sometimes used in practice. The topic of joint security of signature and encryption schemes has a fairly extensive history. In this paper, we focus on the combined public-key schemes in attribute-based setting. We present a security model for combined CP-ABE and ABS schemes in the joint security setting. An efficient concrete construction of CP-ABE and ABS based on Waterss CP-ABE scheme is proposed. Our scheme is proved to be selectively jointly secure in standard model under reasonable assumptions. Moreover, we consider the problem of how to build attribute-based signcryption (ABSC) and obtain an ABSC scheme and show that it is secure. We also give a general construction of combined ABSC, CP-ABE and ABS schemes from combined CP-ABE and ABS schemes.

Identity-based cryptography for grid security

The majority of current security architectures for grid systems use public key infrastructure (PKI) to authenticate identities of grid members and to secure resource allocation to these members. Identity-based cryptography (IBC) has some attractive properties that seem to align well with the demands of grid computing. This paper presents a comprehensive investigation into the use of identity-based techniques to provide an alternative grid security architecture. We propose a customised identity-based key agreement protocol, which fits nicely with the grid security infrastructure (GSI). We also present a delegation protocol, which is simpler and more efficient than existing delegation methods. Our study shows that properties of IBC can be exploited to provide grid security services in a more natural and clean way than more conventional public key cryptosystems, such as RSA.

Multi-key hierarchical identity-based signatures

We motivate and investigate a new cryptographic primitive that we call multi-key hierarchical identity-based signatures (multikey HIBS). Using this primitive, a user is able to prove possession of a set of identity-based private keys associated with nodes at arbitrary levels of a hierarchy when signing a message. Our primitive is related to, but distinct from, the notions of identity-based multi-signatures and aggregate signatures. We develop a security model for multi-key HIBS. We then present and prove secure an efficient multi-key HIBS scheme that is based on the Gentry-Silverberg hierarchical identity-based signature scheme.

Distributed Searchable Symmetric Encryption

Searchable Symmetric Encryption (SSE) allows a client to store encrypted data on a storage provider in such a way, that the client is able to search and retrieve the data selectively without the storage provider learning the contents of the data or the words being searched for. Practical SSE schemes usually leak (sensitive) information during or after a query (e.g., the search pattern). Secure schemes on the other hand are not practical, namely they are neither efficient in the computational search complexity, nor scalable with large data sets. To achieve efficiency and security at the same time, we introduce the concept of distributed SSE (DSSE), which uses a query proxy in addition to the storage provider. We give a construction that combines an inverted index approach (for efficiency) with scrambling functions used in private information retrieval (PIR) (for security). The proposed scheme, which is entirely based on XOR operations and pseudo-random functions, is efficient and does not leak the search pattern. For instance, a secure search in an index over one million documents and 500 keywords is executed in less than 1 second.

Cross-Domain Password-Based Authenticated Key Exchange Revisited

We revisit the problem of cross-domain secure communication between two users belonging to different security domains within an open and distributed environment. Existing approaches presuppose that either the users are in possession of public key certificates issued by a trusted certificate authority (CA), or the associated domain authentication servers share a long-term secret key. In this paper, we propose a four-party password-based authenticated key exchange (4PAKE) protocol that takes a different approach from previous work. The users are not required to have public key certificates, but they simply reuse their login passwords they share with their respective domain authentication servers. On the other hand, the authentication servers, assumed to be part of a standard PKI, act as ephemeral CAs that “certify” some key materials that the users can subsequently exchange and agree on a session key. Moreover, we adopt a compositional approach. That is, by treating any secure two-party password-based key exchange protocol and two-party asymmetric-key based key exchange protocol as black boxes, we combine them to obtain a generic and provably secure 4PAKE protocol.