Katsuyuki Takashima

Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption

We present two fully secure functional encryption schemes: a fully secure attribute-based encryption (ABE) scheme and a fully secure (attribute-hiding) predicate encryption (PE) scheme for inner-product predicates. In both cases, previous constructions were only proven to be selectively secure. Both results use novel strategies to adapt the dual system encryption methodology introduced by Waters. We construct our ABE scheme in composite order bilinear groups, and prove its security from three static assumptions. Our ABE scheme supports arbitrary monotone access formulas. Our predicate encryption scheme is constructed via a new approach on bilinear pairings using the notion of dual pairing vector spaces proposed by Okamoto and Takashima.

Fully secure functional encryption with general relations from the decisional linear assumption

This paper presents a fully secure functional encryption scheme for a wide class of relations, that are specified by nonmonotone access structures combined with inner-product relations. The security is proven under a well-established assumption, the decisional linear (DLIN) assumption, in the standard model. The proposed functional encryption scheme covers, as special cases, (1) key-policy and ciphertext-policy attribute-based encryption with non-monotone access structures, and (2) (hierarchical) predicate encryption with inner-product relations and functional encryption with non-zero inner-product relations.

Efficient Attribute-Based Signatures for Non-Monotone Predicates in the Standard Model

This paper presents a fully secure (adaptive-predicate unforgeable and private) attribute-based signature (ABS) scheme in the standard model. The security of the proposed ABS scheme is proven under standard assumptions, the decisional linear (DLIN) assumption and the existence of collision resistant (CR) hash functions. The admissible predicates of the proposed ABS scheme are more general than those of the existing ABS schemes, i.e., the proposed ABS scheme is the first to support general non-monotone predicates, which can be expressed using NOT gates as well as AND, OR, and Threshold gates, while the existing ABS schemes only support monotone predicates. The proposed ABS scheme is comparably as efficient as (several times worse than) one of the most efficient ABS schemes, which is proven to be secure in the generic group model.

Homomorphic Encryption and Signatures from Vector Decomposition

This paper introduces a new concept, distortion eigenvector space; it is a (higher dimensional) vector space in which bilinear pairings and distortion maps are available. A distortion eigenvector space can be efficiently realized on a supersingular hyperelliptic curve or a direct product of supersingular elliptic curves. We also introduce an intractable problem (with trapdoor) on distortion eigenvector spaces, the higher dimensional generalization of the vector decomposition problem (VDP). We define several computational and decisional problems regarding VDP, and clarify the relations among them. A trapdoor bijective functionwith algebraically rich properties can be obtained from the VDP on distortion eigenvector spaces. This paper presents two applications of this trapdoor bijective function; one is multivariate homomorphic encryption as well as a two-party protocol to securely evaluate 2DNF formulas in a higher dimensional manner, and the other is various types of signatures such as ordinary signatures, blind signatures, generically (selectively and universally) convertible undeniable signatures and their combination.

Fully secure unbounded inner-product and attribute-based encryption

In this paper, we present the first inner-product encryption (IPE) schemes that are unbounded in the sense that the public parameters do not impose additional limitations on the predicates and attributes used for encryption and decryption keys. All previous IPE schemes were bounded, or have a bound on the size of predicates and attributes given public parameters fixed at setup. The proposed unbounded IPE schemes are fully (adaptively) secure and fully attribute-hiding in the standard model under a standard assumption, the decisional linear (DLIN) assumption. In our unbounded IPE schemes, the inner-product relation is generalized, where the two vectors of inner-product can be different sizes and it provides a great improvement of efficiency in many applications. We also present the first fully secure unbounded attribute-based encryption (ABE) schemes, and the security is proven under the DLIN assumption in the standard model. To achieve these results, we develop novel techniques, indexing and consistent randomness amplification, on the (extended) dual system encryption technique and the dual pairing vector spaces (DPVS).

Decentralized Attribute-Based Signatures

We present the first decentralized multi-authority attribute-based signature (DMA-ABS) scheme, in which no central authority and no trusted setup are required. The proposed DMA-ABS scheme for a large class of (non-monotone) predicates is fully secure (adaptive-predicate unforgeable and perfectly private) under a standard assumption, the decisional linear (DLIN) assumption, in the random oracle model. Our DMA-ABS scheme is comparably as efficient as the most efficient ABS scheme. As a by-product, this paper also presents an adaptively secure DMA functional encryption (DMA-FE) scheme under the DLIN assumption.

Expressive Attribute-Based Encryption with Constant-Size Ciphertexts from the Decisional Linear Assumption

We propose a key-policy attribute-based encryption (KP-ABE) scheme with constant-size ciphertexts, whose selective security is proven under the decisional linear (DLIN) assumption in the standard model. The proposed scheme also has semi-adaptively security, which is a recently proposed notion of security. The access structure is expressive, that is given by non-monotone span programs. It also has fast decryption, i.e., a decryption includes only a constant number of pairing operations. As an application of our KP-ABE construction, we also propose a fully secure attribute-based signatures with constant-size secret (signing) keys from the DLIN. For achieving the above results, we employ a hierarchical reduction technique on dual pairing vector spaces and a modified form of pairwise independence lemma specific to our proposed schemes.

Scaling Security of Elliptic Curves with Fast Pairing Using Efficient Endomorphisms*This work was partially presented at SCIS 2006, held in Hiroshima.

Cryptosystems using pairing computation on elliptic curves have various applications including ID-based encryption ([9], [29], [30] etc.). Scott [33] proposed a scaling method of security by a change of the embedding degree k. On the other hand, he also presented an efficient pairing computation method on an ordinary (non-supersingular) elliptic curve over a large prime field p ([34]). In this paper, we present an implementation method of the pairing computation with both of the security scaling in [33] and the efficiency in [34]. First, we will investigate the mathematical nature of the set of the paremeter r (the order of cyclic group used) so as to support many ks. Then, based on it, we will suggest some modification to the algorithm of Scott in [34] to achieve flexible scalability of security level.

A New Type of Fast Endomorphisms on Jacobians of Hyperelliptic Curves and Their Cryptographic Application*This work was partially presented at the 7th International Conference on Information Security and Cryptology (ICISC 2004), held in Seoul, Korea.

The Gallant-Lambert-Vanstone method [14] (GLV method for short) is a scalar multiplication method for elliptic curve cryptography (ECC). In WAP WTLS [49], SEC 2 [44], ANSI X9.62 [1] and X9.63 [2], several domain parameters for applications of the GLV method are described. Curves with those parameters have efficiently-computable endomorphisms. Recently the GLV method for Jacobians of hyperelliptic curve (HEC) has also been studied. In this paper, we discuss applications of the GLV method to curves with real multiplication (RM). It is the first time to use RM for efficient scalar multiplication as far as we know. We describe the general algorithm for using such RM, and we show that some genus 2 curves with RM have enough effciency to be used in the GLV method as in the previous CM case. Moreover, we will see that such RM curves can be obtained abundantly unlike the previously proposed CM curves of genus 2.

Provably-Secure Cancelable Biometrics Using 2-DNF Evaluation

Biometric authentication has been attracting much attention because it is more user-friendly than other authentication methods such as password-based and token-based authentications. However, it intrinsically comprises problems of privacy and revocability. To address these issues, new techniques called cancelable biometrics have been proposed and their properties have been analyzed extensively. Nevertheless, only a few considered provable security, and provably secure schemes known to date had to sacrifice user-friendliness because users have to carry tokens so that they can securely access their secret keys. In this paper, we propose two cancelable biometric protocols each of which is provably secure and requires no secret key access of users. We use as an underlying component the Boneh-Goh-Nissim cryptosystem proposed in TCC 2005 and the Okamoto-Takashima cryptosystem proposed in Pairing 2008 in order to evaluate 2-DNF (disjunctive normal form) predicate on encrypted feature vectors. We define a security model in a semi-honest manner and give a formal proof which shows that our protocols are secure in that model. The revocation process of our protocols can be seen as a new way of utilizing the veiled property of the underlying cryptosystems, which may be of independent interest.