Junqing Gong

Fully-secure and practical sanitizable signatures

Sanitizable signatures have been introduced recently to provide a means for the signer to authorize a censor to modify some parts of the signed message without the help of the original signer. This paper presents the following three contributions. (1) We point out the weaknesses of Brzuska et al.s (PKC 2009) and Canard et al.s (CT-RSA 2010) constructions respectively. Namely we show that their constructions are not signer-accountable. (2) We point out the weakness of Brzuska et al.s security model (PKC 2009) for sanitizable signatures by showing some potential attacks neglected in their original model. (3) We present a stronger security model based on Brzuska et al.s model and a fullysecure construction based on both Brzuska et al.s and Canard et al.s constructions. We must note that our proposed construction is much more practical than prior ones. In detail, the computation costs of signing, sanitizing and verification algorithm are constant and the signature size is constant as well.

Extended Nested Dual System Groups, Revisited

The notion of extended nested dual system groups ENDSG was recently proposed by Hofheinz et al.i¾?[PKC 2015] for constructing almost-tight identity based encryptions IBE in the multi-instance, multi-ciphertext MIMC setting. However only a composite-order instantiation was proposed and more efficient prime-order instantiations are absent. The paper fills the blank by presenting two constructions. We revise the definition of ENDSG and realize it using prime-order bilinear groups based on Chen and Wees prime-order instantiation of nested dual system groups [CRYPTO 2013]. This yields the first almost-tight IBE in the prime-order setting achieving weak adaptive security in MIMC scenario under the d-linear d-Lin assumption. We further enhanced the revised ENDSG to capture stronger security notions for IBE, including B-weak adaptive security and full adaptive security. We show that our prime-order instantiation is readily B-weak adaptive secure and full adaptive secure without introducing extra assumption. We then try to find better solutions by fine-tuning ENDSG again and realizing it using the technique of Chen, Gay, and Wee [EUROCRYPT 2015]. This leads to an almost-tight secure IBE in the same setting with better performance than our first result, but the security relies on a non-standard assumption, d-linear assumption with auxiliary input d-LinAI for an even positive integer d. However we note that, the 2-LinAI assumption is implied by the external decisional linear XDLIN assumption. This concrete instantiation could also be realized using symmetric bilinear groups under standard decisional linear assumption.

Efficient IBE with Tight Reduction to Standard Assumption in the Multi-challenge Setting

In 2015, Hofheinz et al. [PKC, 2015] extended Chen and Wees almost-tight reduction technique for identity based encryptions IBE [CRYPTO, 2013] to the multi-instance, multi-ciphertext MIMC, or multi-challenge setting, where the adversary is allowed to obtain multiple challenge ciphertexts from multiple IBE instances, and gave the first almost-tightly secure IBE in this setting using composite-order bilinear groups. Several prime-order realizations were proposed lately. However there seems to be a dilemma of high system performance involving ciphertext/key size and encryption/decryption cost or weak/standard security assumptions. A natural question is: can we achieve high performance without relying on stronger/non-standard assumptions? In this paper, we answer the question in the affirmative by describing a prime-order IBE scheme with the same performance as the most efficient solutions so far but whose security still relies on the standardk-linear k-Lin assumption. Our technical start point is Blazy et al.s almost-tightly secure IBE [CRYPTO, 2014]. We revisit their concrete IBE scheme and associate it with the framework of nested dual system group. This allows us to extend Blazy et al.s almost-tightly secure IBE to the MIMC setting using Gong et al.s method [PKC, 2016]. We emphasize that, when instantiating our construction by the Symmetric eXternal Diffie-Hellman assumption SXDH = 1-Lin, we obtain the most efficient concrete IBE scheme with almost-tight reduction in the MIMC setting, whose performance is even comparable to the most efficient IBE in the classical model i.e., the single-instance, single-ciphertext setting. Besides pursuing high performance, our IBE scheme also achieves a weaker form of anonymity pointed out by Attrapadung et al. [AsiaCrypt, 2015].

Tightly Secure IBE Under Constant-Size Master Public Key

Chen and Wee [CRYPTO, 2013] proposed the first almost tightly and adaptively secure IBE in the standard model and left two open problems which called for a tightly secure IBE with (1) constant-size master public key and/or (2) constant security loss. In this paper, we propose an IBE scheme with constant-size master public key and tighter security reduction. This (partially) solves Chen and Wee’s first open problem and makes progress on the second one. Technically, our IBE scheme is built based on Wee’s petit IBE scheme [TCC, 2016] in the composite-order bilinear group whose order is product of four primes. The sizes of master public key, ciphertexts, and secret keys are not only constant but also nearly optimal as Wee’s petit IBE. We can prove its adaptive security in the multi-instance, multi-ciphertext setting [PKC, 2015] based on the decisional subgroup assumption and a subgroup variant of DBDH assumption. The security loss is \({\mathcal {O}}(\log q)\) where q is the upper bound of the total number of secret keys and challenge ciphertexts per instance. It’s much smaller than those for all known adaptively secure IBE schemes in a concrete sense.

Anonymous password-based key exchange with low resources consumption and better user-friendliness

Anonymous password authenticated key exchange (APAKE) protocols allow the server to authenticate its clients without revealing their identities. In this paper, we first construct a basic protocol SAPAKE by using the homomorphic encryption scheme and an auxiliary memory device. Compared with the previous ones, SAPAKE is more suitable for those privacy-sensitive applications (e.g., cloud computing) where reducing server payload and improving user experience are both essential. Furthermore, we refine SAPAKE by removing the use of the memory device to gain an enhanced extension SAPAKE+ without increasing the resources consumption. SAPAKE+ achieves better user-friendliness than SAPAKE while it requires publishing more public parameters. Both of our protocols are practical due to their low (computation and communication) resources consumption and better user-friendliness, and achieve provable security in the random oracle model. Copyright

Traceable CP-ABE with Short Ciphertexts: How to Catch People Selling Decryption Devices on eBay Efficiently

Ciphertext-policy attribute-based encryption (CP-ABE) is a highly promising solution for cloud computing, which has been widely applied to provide fine-grained access control in cloud storage services recently. However, for CP-ABE based cloud storage systems, if a decryption device appears on eBay described and advertised to be able to decrypt any ciphertexts with policies satisfied by an attribute set or even with a specific access policy only, no one can trace the malicious user(s) who built such a decryption device using their private key(s). This has been known as a major obstacle to deploying CP-ABE systems in real-world commercial applications. Due to the one-to-many encryption mechanism of CP-ABE, the same decryption privilege is shared by multiple users who have the same attributes. It is difficult to identity the malicious user(s) who built such a decryption device. To track people selling decryption devices on eBay efficiently, in this paper, we develop a new methodology for constructing traitor tracing functionality, and present the first black-box traceable CP-ABE (BT-CP-ABE) with short ciphertexts which are independent of the number of users \(\mathcal {N}\). The black-box traceability is public, fully collusion-resistant, and adaptively traceable against both key-like decryption black-box and policy-specific decryption black-box.

Unbounded ABE via Bilinear Entropy Expansion, Revisited

We present simpler and improved constructions of unbounded attribute-based encryption (ABE) schemes with constant-size public parameters under static assumptions in bilinear groups. Concretely, we obtain: a simple and adaptively secure unbounded ABE scheme in composite-order groups, improving upon a previous construction of Lewko and Waters (Eurocrypt ’11) which only achieves selective security; an improved adaptively secure unbounded ABE scheme based on the k-linear assumption in prime-order groups with shorter ciphertexts and secret keys than those of Okamoto and Takashima (Asiacrypt ’12); the first adaptively secure unbounded ABE scheme for arithmetic branching programs under static assumptions.

ABE with Tag Made Easy

Among all existing identity-based encryption (IBE) schemes in the bilinear group, \(\mathsf {Wat}\)-\(\mathsf {IBE}\) proposed by Waters [CRYPTO, 2009] and \(\mathsf {JR}\)-\(\mathsf {IBE}\) proposed by Jutla and Roy [AsiaCrypt, 2013] are quite special. A secret key and/or ciphertext in these two schemes consist of several group elements and an integer which is usually called tag. A series of prior work was devoted to extending them towards more advanced attribute-based encryption (ABE) including inner-product encryption (IPE), hierarchical IBE (HIBE). Recently, Kim et al. [SCN, 2016] introduced the notion of tag-based encoding and presented a generic framework for extending \(\mathsf {Wat}\)-\(\mathsf {IBE}\). We may call these ABE schemes ABE with tag or tag-based ABE. Typically, a tag-based ABE construction is more efficient than its counterpart without tag. However the research on tag-based ABE severely lags—We do not know how to extend \(\mathsf {JR}\)-\(\mathsf {IBE}\) in a systematic way and there is no tag-based ABE for boolean span program even with Kim et al.’s generic framework.

Practical and Efficient Attribute-Based Encryption with Constant-Size Ciphertexts in Outsourced Verifiable Computation

In cloud computing, computationally weak users are always willing to outsource costly computations to a cloud, and at the same time they need to check the correctness of the result provided by the cloud. Such activities motivate the occurrence of verifiable computation (VC). Recently, Parno, Raykova and Vaikuntanathan showed any VC protocol can be constructed from an attribute-based encryption (ABE) scheme for a same class of functions. In this paper, we propose two practical and efficient semi-adaptively secure key-policy attribute-based encryption (KP-ABE) schemes with constant-size ciphertexts. The semi-adaptive security requires that the adversary designates the challenge attribute set after it receives public parameters but before it issues any secret key query, which is stronger than selective security guarantee. Our first construction deals with small universe while the second one supports large universe. Both constructions employ the technique underlying the prime-order instantiation of nested dual system groups, which are based on the

Extended dual system group and shorter unbounded hierarchical identity based encryption

d