
Publication


Featured research published by Kazuki Yoneyama.


international workshop on security | 2016

UC-Secure Dynamic Searchable Symmetric Encryption Scheme

Kaoru Kurosawa; Keisuke Sasaki; Kiyohiko Ohta; Kazuki Yoneyama

In a dynamic searchable symmetric encryption (SSE) scheme, a client can add/modify/delete encrypted files. In this paper, we first prove a weak equivalence between the UC security and the stand alone security based on the previous work on static SSE schemes. We next show a more efficient UC secure dynamic SSE scheme than before by replacing the RSA accumulator with XOR-MAC to authenticate the index table.


provable security | 2016

Multi-cast Key Distribution: Scalable, Dynamic and Provably Secure Construction

Kazuki Yoneyama; Reo Yoshida; Yuto Kawahara; Tetsutaro Kobayashi; Hitoshi Fuji; Tomohide Yamamoto

In this paper, we propose a two-round dynamic multi-cast key distribution (DMKD) protocol under the star topology with a central authentication server. Users can share a common session key without revealing any information of the session key to the server, and can join/leave to/from the group at any time even after establishing the session key. Our protocol is scalable because communication and computation costs of each user are independent from the number of users. Also, our protocol is still secure if either private key or session-specific randomness of a user is exposed. Furthermore, time-based backward secrecy is guaranteed by renewing the session key for every time period even if the session key is exposed. We introduce the first formal security definition for DMKD under the star topology in order to capture such strong exposure resilience and time-based backward secrecy. We prove that our protocol is secure in our security model in the standard model.


applied cryptography and network security | 2015

Accumulable Optimistic Fair Exchange from Verifiably Encrypted Homomorphic Signatures

Jae Hong Seo; Keita Emura; Keita Xagawa; Kazuki Yoneyama

Let us consider a situation where a client (Alice) frequently buys a certain kind of product from a shop (Bob) (e.g., an online music service sells individual songs at the same price, and a client buys songs multiple times in a month). In this situation, Alice and Bob would like to aggregate the total transactions and pay once per month because individual payments are troublesome. Though optimistic fair exchange (OFE) has been considered in order to swap electronic items simultaneously, known OFE protocols cannot provide such aggregate function efficiently because various costs are bounded by the number of transactions in the period. In order to run this aggregation procedure efficiently, we introduce a new kind of OFE called accumulable OFE (AOFE) that allows clients to efficiently accumulate payments in each period. In AOFE, any memory costs, computational costs, and communication complexity of the payment round must be constant in terms of the number of transactions. Since a client usually has just a low power and poor memory device, these efficiencies are desirable in practice. Currently, known approaches (e.g., based on verifiably encrypted signature scheme) are not very successful for constructing AOFE. Thus, we consider a new approach based on a new cryptographic primitive called verifiably encrypted homomorphic signature scheme (VEHS). In this paper, we propose a generic construction of AOFE from VEHS and also present a concrete VEHS scheme over a composite-order bilinear group by using the dual-form signature techniques. This VEHS scheme is also of independent interest. Since we can prove the security of VEHS without random oracles, our AOFE protocol is also secure without random oracles. Finally, we implemented our AOFE protocol, and it is efficient enough for practical use.


provable security | 2018

Single Private-Key Generator Security Implies Multiple Private-Key Generators Security

Atsushi Fujioka; Kazuki Yoneyama

This paper discusses the security of identity-based cryptography with multiple private-key generators (mPKG-IBC). Most mPKG-IBC schemes and protocols are statically secure where private-key generators (PKGs) cannot control a binding between a party and its PKG. We propose adaptive security notions for identity-based key encapsulation mechanism with multiple private-key generators, identity-based signature with multiple private-key generators, and identity-based authenticated key exchange with multiple private-key generators, respectively. In addition, we provide their generic constructions of those from identity-based key encapsulation mechanism, identity-based signature, and identity-based authenticated key exchange which are secure in a single PKG model, respectively.


international workshop on security | 2018

Verification of LINE Encryption Version 1.0 Using ProVerif

Cheng Shi; Kazuki Yoneyama

LINE is currently the most popular messaging service in Japan. Communications using LINE are protected by the original encryption scheme, called LINE Encryption, and specifications of the client-to-server transport encryption protocol and the client-to-client message end-to-end encryption protocol are published by the Technical Whitepaper. Though a spoofing attack (i.e., a malicious client makes another client misunderstand the identity of the peer) and a replay attack (i.e., a message in a session is sent again in another session by a man-in-the-middle adversary, and the receiver accepts these messages) to the end-to-end protocol have been shown, no formal security analysis of these protocols is known.


international conference on information security and cryptology | 2018

Formal modeling of random oracle programmability and verification of signature unforgeability using task-PIOAs

Kazuki Yoneyama

The task-structured probabilistic I/O automata (task-PIOA) framework provides a method to formulate and to prove the computationally bounded security of non-sequential processing systems in a formal way. Formalizing non-sequential processes for strong adversaries is not easy. Actually, existing security analyses using the task-PIOA framework are for cryptographic protocols (e.g., the EGL oblivious transfer) only against simple adversaries (e.g., honest but curious adversary). For example, there is no case study for digital signature against strong active adversaries (i.e., EUF-CMA) in the task-PIOA framework. In this paper, we propose the first formalization of digital signature against EUF-CMA in the task-PIOA framework. To formalize the non-sequential process of EUF-CMA, we introduce a new technique for the iteration of an identical action in a single session. Using the task-PIOA framework allows us to verify security of signature schemes in the non-sequential scheduling manner. We show the validity and usefulness of our formulation by giving a formal security analysis of the FDH signature scheme. In order to prove the security, we also introduce a method to utilize the power of random oracles. As far as we know, this work is the first case study to clarify usefulness of random oracles in this framework.


International Journal of Information Security | 2018

Accumulable optimistic fair exchange from verifiably encrypted homomorphic signatures

Jae Hong Seo; Keita Emura; Keita Xagawa; Kazuki Yoneyama

Let us consider a situation where a client (Alice) frequently buys a certain kind of product from a shop (Bob) (e.g., an online music service sells individual songs at the same price, and a client buys songs multiple times in a month). In this situation, Alice and Bob would like to aggregate the total transactions and pay once per month because individual payments are troublesome. Though optimistic fair exchange (OFE) has been considered in order to swap electronic items simultaneously, known OFE protocols cannot provide such aggregate function efficiently because various costs are bounded by the number of transactions in the period. In order to run this aggregation procedure efficiently, we introduce a new kind of OFE called accumulable OFE (AOFE) that allows clients to efficiently accumulate payments in each period. In AOFE, any memory costs, computational costs, and communication complexity of the payment round must be constant in terms of the number of transactions. Since a client usually has just a low power and poor memory device, these efficiencies are desirable in practice. Currently, known approaches (e.g., based on verifiably encrypted signature scheme) are not very successful for constructing AOFE. Thus, we consider a new approach based on a new cryptographic primitive called verifiably encrypted homomorphic signature scheme (VEHS). In this paper, we propose a generic construction of AOFE from VEHS and also present a concrete VEHS scheme over a composite-order bilinear group by using the dual-form signature techniques. This VEHS scheme is also of independent interest. Since we can prove the security of VEHS without random oracles, our AOFE protocol is also secure without random oracles. Finally, we implemented our AOFE protocol, and it is efficient enough for practical use.


International Journal of Information Security | 2018

Multi-cast key distribution: scalable, dynamic and provably secure construction

Kazuki Yoneyama; Reo Yoshida; Yuto Kawahara; Tetsutaro Kobayashi; Hitoshi Fuji; Tomohide Yamamoto

In this paper, we propose a two-round dynamic multi-cast key distribution (DMKD) protocol under the star topology with a central authentication server. Users can share a common session key without revealing any information of the session key to the server and can join/leave to/from the group at any time even after establishing the session key. Our protocol is scalable because communication and computation costs of each user are independent from the number of users. Also, our protocol is still secure if either private key or session-specific randomness of a user is exposed. Furthermore, time-based backward secrecy is guaranteed by renewing the session key for every time period even if the session key is exposed. We introduce the first formal security definition for DMKD under the star topology in order to capture such strong exposure resilience and time-based backward secrecy. We prove that our protocol is secure in our security model in the standard model.


international conference on information and communication security | 2017

Verifiable and Forward Secure Dynamic Searchable Symmetric Encryption with Storage Efficiency

Kazuki Yoneyama; Shogo Kimura

Searchable symmetric encryption (SSE) provides private searching over an encrypted database against an untrusted server. Though various SSE schemes have been studied, recently, it is shown that most of existing schemes are vulnerable to file injection attacks. At ACM CCS 2016, Bost proposed a forward secure SSE scheme to resist such attacks, called Σoφoς. Besides the basic scheme (Σoφoς) secure against semi-honest servers, a verifiable scheme secure against malicious servers is also introduced. In the verifiable scheme, each client keeps hash values of indexes of documents corresponding to each keyword. Thus, the client storage cost is higher than for Σoφoς, and the hash table must be reconstructed when a new document is added. Also, since any security definition and proof of security against malicious servers are not provided, what the verifiable scheme guarantees against malicious server is unclear. In this paper, we propose a new verifiable and forward secure SSE scheme against malicious servers. An advantage of our scheme to the verifiable scheme is the client storage cost; that is, our scheme only needs the same storage cost as Σoφoς. Our key idea is to bind each index and keyword with a tag generated by an algebraic pseudo-random function, and to store the tag to the server as well as the encrypted index on an update phase. The client can efficiently check validity of answers to search queries by verifying the combined tag thanks to closed form efficiency of the algebraic pseudo-random function; and thus, the client does not need to keep the hash table. Also, we formally prove security against malicious servers. Specifically, we show that our scheme satisfies the strong reliability definition.


Pervasive and Mobile Computing | 2017

Compact public key encryption without full random oracles

Kazuki Yoneyama; Goichiro Hanaoka

Achieving shorter ciphertext length under weaker assumptions in chosen-ciphertext (CCA) secure public-key encryption (PKE) is one of the most important research topics in cryptography. However, it is also known that it is hard to construct a CCA-secure PKE whose ciphertext overhead is less than two group elements in the underlying prime-order group under non-interactive assumptions. A naive approach for achieving more compactness than the above bound is to use random oracles (ROs), but the full RO has various ideal properties like programmability. In this paper, we pursue how to achieve compact PKE only with a minimum ideal property of ROs. Specifically, only with observability, we can give three CCA-secure PKE schemes whose ciphertext overhead is less than two group elements. Our schemes are provably secure under standard assumptions such as the CDH and DDH assumptions. This study shows that ideal properties other than observability are not necessary to construct compact PKE beyond the bound.

Collaboration


Dive into Kazuki Yoneyama's collaboration.

Top Co-Authors

Yuto Kawahara

Future University Hakodate

Goichiro Hanaoka

National Institute of Advanced Industrial Science and Technology

Keita Emura

National Institute of Information and Communications Technology
