Publication


Featured research published by John Malone-Lee.


International Cryptology Conference (CRYPTO) | 2005

Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions

Michel Abdalla; Mihir Bellare; Dario Catalano; Eike Kiltz; Tadayoshi Kohno; Tanja Lange; John Malone-Lee; Gregory Neven; Pascal Paillier; Haixia Shi

We identify and fill some gaps with regard to consistency (the extent to which false positives are produced) for public-key encryption with keyword search (PEKS). We define computational and statistical relaxations of the existing notion of perfect consistency, show that the scheme of [7] is computationally consistent, and provide a new scheme that is statistically consistent. We also provide a transform of an anonymous IBE scheme to a secure PEKS scheme that, unlike the previous one, guarantees consistency. Finally we suggest three extensions of the basic notions considered here, namely anonymous HIBE, public-key encryption with temporary keyword search, and identity-based encryption with keyword search.


Public Key Cryptography (PKC) | 2005

Improved identity-based signcryption

Liqun Chen; John Malone-Lee

Identity-based cryptography is a form of public-key cryptography that does not require users to pre-compute key pairs and obtain certificates for their public keys. Instead, public keys can be arbitrary identifiers such as email addresses. This means that the corresponding private keys are derived, at any time, by a trusted private key generator. The idea of signcryption is to provide a method to encrypt and sign data together in a way that is more efficient than using an encryption scheme combined with a signature scheme. We present an identity-based signcryption solution that we believe is the most efficient, provably-secure scheme of its type proposed to date. Our scheme admits proofs of security in the random oracle model under the bilinear Diffie-Hellman assumption using the definitions proposed by Boyen.


The Cryptographers' Track at the RSA Conference (CT-RSA) | 2003

Two birds one stone: signcryption using RSA

John Malone-Lee; Wenbo Mao

Identity-based public key encryption facilitates easy introduction of public key cryptography by allowing an entity's public key to be derived from an arbitrary identification value, such as name or email address. The main practical benefit of identity-based cryptography is in greatly reducing the need for, and reliance on, public key certificates. Although some interesting identity-based techniques have been developed in the past, none are compatible with popular public key encryption algorithms (such as El Gamal and RSA). This limits the utility of identity-based cryptography as a transitional step to full-blown public key cryptography. Furthermore, it is fundamentally difficult to reconcile fine-grained revocation with identity-based cryptography. Mediated RSA (mRSA) [9] is a simple and practical method of splitting an RSA private key between the user and a Security Mediator (SEM). Neither the user nor the SEM can cheat one another since each cryptographic operation (signature or decryption) involves both parties. mRSA allows fast and fine-grained control of users' security privileges. However, mRSA still relies on conventional public key certificates to store and communicate public keys. In this paper, we present IB-mRSA, a simple variant of mRSA that combines identity-based and mediated cryptography. Under the random oracle model, IB-mRSA with OAEP [7] is shown as secure (against adaptive chosen ciphertext attack) as standard RSA with OAEP. Furthermore, IB-mRSA is simple, practical, and compatible with current public key infrastructures.


Journal of Cryptology | 2008

Generic Constructions of Identity-Based and Certificateless KEMs

Kamel Bentahar; Pooya Farshim; John Malone-Lee; Nigel P. Smart

We extend the concept of key encapsulation to the primitives of identity-based and certificateless encryption. We show that the natural combination of ID-KEMs or CL-KEMs with data encapsulation mechanisms results in encryption schemes that are secure in a strong sense. In addition, we give generic constructions of ID-KEMs and CL-KEMs that are provably secure in the random oracle model.


International Cryptology Conference (CRYPTO) | 2002

Flaws in Applying Proof Methodologies to Signature Schemes

Jacques Stern; David Pointcheval; John Malone-Lee; Nigel P. Smart

Methods from provable security, developed over the last twenty years, have been recently extensively used to support emerging standards. However, the fact that proofs also need time to be validated through public discussion was somehow overlooked. This became clear when Shoup found that there was a gap in the widely believed security proof of OAEP against adaptive chosen-ciphertext attacks. We give more examples, showing that provable security is more subtle than it at first appears. Our examples are in the area of signature schemes: one is related to the security proof of ESIGN and the other two to the security proof of ECDSA. We found that the ESIGN proof does not hold in the usual model of security, but in a more restricted one. Concerning ECDSA, both examples are based on the concept of duplication: one shows how to manufacture ECDSA keys that allow for two distinct messages with identical signatures, a duplicate signature; the other shows that from any message-signature pair, one can derive a second signature of the same message, the malleability. The security proof provided by Brown [7] does not account for our first example while it surprisingly rules out malleability, thus offering a proof of a property, non-malleability, that the actual scheme does not possess.
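The two ECDSA observations in this abstract, malleability and duplicate signatures from a maliciously chosen key, can be reproduced directly. The following is an added example written for this page, not code from the paper: textbook ECDSA over secp256k1 in pure Python (the curve choice, the sample private key, nonce, chosen s value and messages are all constructed assumptions), a malleate function that turns any signature (r, s) into the second valid signature (r, -s mod n), and a duplicate_signature_key function that picks a key pair under which one signature verifies on two different messages, using the idea the abstract calls duplication: make verification of the first message recover the point R and verification of the second recover -R, which shares R's x-coordinate.

```python
import hashlib

# secp256k1 domain parameters. The curve is an assumption of this example;
# the two effects shown below hold for ECDSA over any curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, p):
    """Double-and-add scalar multiplication."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc


def msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d: int, msg: bytes, k: int):
    """Textbook ECDSA; the nonce k is supplied by the caller for reproducibility."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (msg_hash(msg) + r * d) % N
    assert r and s
    return (r, s)


def verify(Q, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = ec_add(ec_mul(msg_hash(msg) * w, G), ec_mul(r * w, Q))
    return R is not None and R[0] % N == r


def malleate(sig):
    """Second valid signature on the same message: (r, s) -> (r, -s mod N).
    Negating s negates the point recovered by the verifier; its x-coordinate,
    and hence r, is unchanged."""
    r, s = sig
    return (r, N - s)


def duplicate_signature_key(msg1: bytes, msg2: bytes, s: int):
    """Choose a key pair for which ONE signature (r, s) verifies on BOTH messages.
    Verification of msg1 must recover R, verification of msg2 must recover -R.
    Subtracting the two verification equations gives R = ((h1 - h2) / (2s)) * G;
    the private key then follows from s = k^-1 (h1 + r d)."""
    h1, h2 = msg_hash(msg1), msg_hash(msg2)
    if h1 == h2:
        raise ValueError("messages must hash differently")
    k = (h1 - h2) * pow(2 * s, -1, N) % N
    R = ec_mul(k, G)
    r = R[0] % N
    d = pow(r, -1, N) * (s * k - h1) % N
    Q = ec_mul(d, G)
    return d, Q, (r, s)


def demo():
    """Returns (malleability shown, duplicate signature shown). Sample data is constructed."""
    d = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    Q = ec_mul(d, G)
    msg = b"transfer 10 to alice"
    sig = sign(d, msg, k=0x7A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9)
    sig2 = malleate(sig)
    malleable = verify(Q, msg, sig) and verify(Q, msg, sig2) and sig != sig2

    m1, m2 = b"pay 1 to bob", b"pay 1000000 to mallory"
    _, Q2, dup = duplicate_signature_key(m1, m2, s=0x1234567)
    duplicated = verify(Q2, m1, dup) and verify(Q2, m2, dup)
    return malleable, duplicated


if __name__ == "__main__":
    print(demo())
```

Practitioner note: the malleability is why systems that use a signature as an identifier (a transaction hash, a replay-cache key) need a canonical form such as rejecting s > n/2; the duplicate-signature construction is why "this signature verifies under the public key the signer handed us" says nothing about which message was signed unless ownership of that key is established separately.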


Journal of Cryptology | 2010

Obfuscation for Cryptographic Purposes

Dennis Hofheinz; John Malone-Lee; Martijn Stam

Loosely speaking, an obfuscation O of a function f should satisfy two requirements: firstly, using O, it should be possible to evaluate f; secondly, O should not reveal anything about f that cannot be learnt from oracle access to f alone. Several definitions for obfuscation exist. However, most of them are very hard to satisfy, even when focusing on specific applications such as obfuscating a point function (e.g., for authentication purposes).

In this work, we propose and investigate two new variants of obfuscation definitions. Our definitions are simulation-based (i.e., require the existence of a simulator that can efficiently generate fake obfuscations) and demand only security on average (over the choice of the obfuscated function). We stress that our notions are not free from generic impossibilities: there exist natural classes of function families that cannot be securely obfuscated. Hence we cannot hope for a general-purpose obfuscator with respect to our definition. However, we prove that there also exist several natural classes of functions for which our definitions yield interesting results.

Specifically, we show that our definitions have the following properties:

Usefulness: Securely obfuscating (the encryption function of) a secure private-key encryption scheme yields a secure public-key encryption scheme.

Achievability: There exist obfuscatable private-key encryption schemes. Also, a point function chosen uniformly at random can easily be obfuscated with respect to the weaker one (but not the stronger one) of our definitions. (Previous work focused on obfuscating point functions from arbitrary distributions.)

Generic impossibilities: There exist unobfuscatable private-key encryption schemes. Furthermore, pseudorandom functions cannot be obfuscated with respect to our definitions.

Our results show that, while it is hard to avoid generic impossibilities, useful and reasonable obfuscation definitions are possible when considering specific tasks (i.e., function families).


Theory of Cryptography Conference (TCC) | 2005

Secure computation of the mean and related statistics

Eike Kiltz; Gregor Leander; John Malone-Lee

In recent years there has been massive progress in the development of technologies for storing and processing of data. If statistical analysis could be applied to such data when it is distributed between several organisations, there could be huge benefits. Unfortunately, in many cases, for legal or commercial reasons, this is not possible. The idea of using the theory of multi-party computation to analyse efficient algorithms for privacy preserving data-mining was proposed by Pinkas and Lindell. The point is that algorithms developed in this way can be used to overcome the apparent impasse described above: the owners of data can, in effect, pool their data while ensuring that privacy is maintained. Motivated by this, we describe how to securely compute the mean of an attribute value in a database that is shared between two parties. We also demonstrate that existing solutions in the literature that could be used to do this leak information, therefore underlining the importance of applying rigorous theoretical analysis rather than settling for ad hoc techniques.


International Colloquium on Automata, Languages and Programming (ICALP) | 2006

Identity-Based encryption gone wild

Michel Abdalla; Dario Catalano; Alexander W. Dent; John Malone-Lee; Gregory Neven; Nigel P. Smart

In this paper we introduce the notion of identity-based encryption with wildcards, or WIBE for short. This allows the encryption of messages to multiple parties with common fields in their identity strings, for example email groups in a corporate hierarchy. We propose a full security notion and give efficient implementations meeting this notion in the standard model and in the random oracle model.


Designs, Codes and Cryptography | 2005

Signcryption with Non-interactive Non-repudiation

John Malone-Lee

Signcryption [33] is a public key primitive that achieves the functionality of both an encryption scheme and a signature scheme simultaneously. It does this more efficiently than a composition of public key encryption and public key signature. We present a model of security for signcryption schemes that offer non-interactive non-repudiation. This is non-repudiation in which the judge settling a repudiation dispute does not have to get involved in an interactive zero-knowledge proof. Our model applies to many existing schemes in the literature: Bao and Deng [4], He and Wu [22], Petersen and Michels [28]. We explain why the scheme proposed in Bao and Deng [4] is insecure under any definition of privacy based on the idea of indistinguishable encryptions (Goldwasser and Micali [20]). We describe a modified scheme to overcome the problem. Proofs of security are given for the scheme in the random oracle model (Bellare and Rogaway [10]).


Lecture Notes in Computer Science | 2003

A General Construction of IND-CCA2 Secure Public Key Encryption

Eike Kiltz; John Malone-Lee

We propose a general construction for public key encryption schemes that are IND-CCA2 secure in the random oracle model. We show that the scheme proposed in [1,2] fits our general framework and moreover that our method of analysis leads to a more efficient security reduction.

Collaboration

Top co-authors of John Malone-Lee:

Michel Abdalla, École Normale Supérieure
Eike Kiltz, Ruhr University Bochum
Haixia Shi, University of California
Mihir Bellare, University of California