Isamu Teranishi

k-Times Anonymous Authentication (Extended Abstract)

We propose an authentication scheme in which users can be authenticated anonymously so long as times that they are authenticated is within an allowable number. The proposed scheme has two features that allow 1) no one, not even an authority, identify users who have been authenticated within the allowable number, and that allow 2) anyone to trace, without help from the authority, dishonest users who have been authenticated beyond the allowable number by using the records of these authentications. Although identity escrow/group signature schemes allow users to be anonymously authenticated, the authorities in these schemes have the unnecessary ability to trace any user. Moreover, since it is only the authority who is able to trace users, one needs to make cumbersome inquiries to the authority to see how many times a user has been authenticated. Our scheme can be applied to e-voting, e-cash, electronic coupons, and trial browsing of content. In these applications, our scheme, unlike the previous one, conceals users’ participation from protocols and guarantees that they will remain anonymous to everyone.

Signatures resilient to continual leakage on memory and computation

Recent breakthrough results by Brakerski et al and Dodis et al have shown that signature schemes can be made secure even if the adversary continually obtains information leakage from the secret key of the scheme. However, the schemes currently do not allow leakage on the secret key and randomness during signing, except in the random oracle model. Further, the random oracle based schemes require updates to the secret key in order to maintain security, even when no leakage during computation is present. We present the first signature scheme that is resilient to full continual leakage: memory leakage as well as leakage from processing during signing (both from the secret key and the randomness), in key generation, and in update. Our scheme can tolerate leakage of a 1 - o(1) fraction of the secret key between updates, and is proven secure in the standard model based on the symmetric external DDH (SXDH) assumption in bilinear groups. The time periods between updates are a function of the amount of leakage in the period (and nothing more). As an additional technical contribution, we introduce a new tool: independent pre-image resistant hash functions, which may be of independent interest.

k -times anonymous authentication with a constant proving cost

A k-Times Anonymous Authentication (k-TAA) scheme allows users to be authenticated anonymously so long as the number of times that they are authenticated is within an allowable number. Some promising applications are e-voting, e-cash, e-coupons, and trial browsing of contents. However, the previous schemes are not efficient in the case where the allowable number k is large, since they require both users and verifiers to compute O(k) exponentiation in each authentication. We propose a k-TAA scheme where the numbers of exponentiations required for the entities in an authentication are independent of k. Moreover, we propose a notion of public detectability in a k-TAA scheme and present an efficient publicly verifiable k-TAA scheme, where the number of modular exponentiations required for the entities is O(log(k)).

Efficient circuit-size independent public key encryption with KDM security

Key Dependent Message (KDM) secure encryption is a new area which has attracted much research in recent years. Roughly speaking, a KDM secure scheme w.r.t. a function set F provides security even if one encrypts a key dependent message f(sk) for any f ∈ F. We present a construction of an efficient public key encryption scheme which is KDM secure with respect to a large function set F. Our function set is a function computable by a polynomial-size Modular Arithmetic Circuit (MAC); we represent the set as Straight Line Programs computing multi-variable polynomials (an extended scheme includes all rational functions whose denominator and numerator are functions as above). Unlike previous schemes, our scheme is what we call flexible: the size of the ciphertext depends on the degree bound for the polynomials, and beyond this all parameters of the scheme are completely independent of the size of the function or the number of secret keys (users). We note that although KDM security has practical applications, all previous works in the standard model are either inefficient feasibility results when dealing with general circuits function sets, or are for a small set of functions such as linear functions. Efficiency of our scheme is dramatically improved compared to the previous feasibility results.

General conversion for obtaining strongly existentially unforgeable signatures

We say that a signature scheme is strongly existentially unforgeable if no adversary, given message/signature pairs adaptively, can generate a new signature on either a signature on a new message or a new signature on a previously signed message. Strongly existentially unforgeable signature schemes are used to construct many applications, such as an IND-CCA2 secure public-key encryption scheme and a group signature scheme. We propose two general and efficient conversions, both of which transform a secure signature scheme to a strongly existentially unforgeable signature scheme. There is a tradeoff between the two conversions. The first conversion requires the random oracle, but the signature scheme transformed by the first conversion has shorter signature length than the scheme transformed by the second conversion. The second conversion does not require the random oracle. Therefore, if the original signature scheme is of the standard model, the strongly existentially unforgeable property of the converted signature scheme is proved also in the standard model. Both conversions ensure tight security reduction to the underlying security assumptions. Moreover, the transformed schemes by the first or second conversion satisfy the on-line/off-line property. That is, signers can precompute almost all operations on the signing before they are given a message.

Using group signatures for identity management and its implementation

We discuss the merits of using group signature technology in Identity Management. We propose a novel model of group signature scheme and introduce a new entity called User-Revocation manager. User-Revocation manager plays an independent role regarding user revocation which was previously covered by either Group manager or Issuing manager. We extend the idea of the Camenisch-Groth scheme and present an efficient revocation scheme where the cost of user revocation is smaller than that of the Camenisch-Groth scheme. We also discuss the details of our implementation.

Order-Preserving Encryption Secure Beyond One-Wayness

Semantic-security of individual plaintext bits given the corresponding ciphertext is a fundamental notion in modern cryptography. We initiate the study of this basic problem for Order-Preserving Encryption (OPE), asking “what plaintext information can be semantically hidden by OPE encryptions?” OPE has gained much attention in recent years due to its usefulness for secure databases, and has received a thorough formal treamtment with innovative and useful security notions. However, all previous notions are one-way based, and tell us nothing about partial-plaintext indistinguishability (semantic security).

General Conversion for Obtaining Strongly Existentially Unforgeable Signatures

We say that a signature scheme is strongly existentially unforgeable (SEU) if no adversary, given message/signature pairs adaptively, can generate a signature on a new message or a new signature on a previously signed message. We propose a general and efficient conversion in the standard model that transforms a secure signature scheme to SEU signature scheme. In order to construct that conversion, we use a chameleon commitment scheme. Here a chameleon commitment scheme is a variant of commitment scheme such that one can change the committed value after publishing the commitment if one knows the secret key. We define the chosen message security notion for the chameleon commitment scheme, and show that the signature scheme transformed by our proposed conversion satisfies the SEU property if the chameleon commitment scheme is chosen message secure. By modifying the proposed conversion, we also give a general and efficient conversion in the random oracle model, that transforms a secure signature scheme into a SEU signature scheme. This second conversion also uses a chameleon commitment scheme but only requires the key only attack security for it.

Relationship between standard model plaintext awareness and message hiding

Recently, Bellare and Palacio succeeded in defining the plaintext awareness, which is also called PA2, in the standard model. They propose three valiants of the standard model PA2 named perfect, statistical, and computational PA2. In this paper, we study the relationship between the standard model PA2 and the property about message hiding, that is, IND-CPA. Although it seems that these two are independent notions at first glance, we show that all of the perfect, statistical, and computational PA2 in the standard model imply the IND-CPA security if the encryption function is oneway. By using this result, we also showed that “PA2 + Oneway IND-CCA2”. This result shows the “all-or-nothing” aspect of the PA2. That is, a standard model PA2 secure public-key encryption scheme either satisfies the strongest message hiding property, IND-CCA2, or does not satisfy even the weakest message hiding property, onewayness. We also showed that the computational PA2 notion is strictly stronger than the statistical one.

Relationship between Standard Model Plaintext Awareness and Message Hiding

Recently, Bellare and Palacio succeeded in defining the plaintext awareness, which is also called PA2, in the standard model. They propose three valiants of the standard model PA2 named perfect, statistical, and computational PA2. In this paper, we study the relationship between the standard model PA2 and the property about message hiding, that is, IND-CPA. Although it seems that these two are independent notions at first glance, we show that all of the perfect, statistical, and computational PA2 in the standard model imply the IND-CPA security if the encryption function is oneway. By using this result, we also showed that PA2 + Oneway => IND-CCA2. This result shows the all-or-nothing aspect of the PA2. That is, a standard model PA2 secure public-key encryption scheme either satisfies the strongest message hiding property. IND-CCA2, or does not satisfy even the weakest message hiding property, onewayness. We also showed that the computational PA2 notion is strictly stronger than the statistical one.