Publication


Featured research published by Keita Emura.


International Journal of Applied Cryptography | 2010

A ciphertext-policy attribute-based encryption scheme with constant ciphertext length

Keita Emura; Atsuko Miyaji; Kazumasa Omote; Akito Nomura; Masakazu Soshi

An Attribute-Based Encryption (ABE) is an encryption scheme where users with some attributes can decrypt ciphertexts associated with these attributes. The length of the ciphertext depends on the number of attributes in previous ABE schemes. In this paper, we propose a new Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with constant ciphertext length. In our scheme, the number of pairing computations is also constant. In addition, the number of additional bits required from chosen plaintext attack-secure CP-ABE to chosen ciphertext attack-secure CP-ABE is reduced by 90% with respect to that of the previous scheme.


Public Key Cryptography | 2013

Revocable Identity-Based Encryption Revisited: Security Model and Construction

Jae Hong Seo; Keita Emura

In ACM CCS 2008, Boldyreva et al. proposed an elegant way of achieving an Identity-based Encryption (IBE) with efficient revocation, which we call revocable IBE (RIBE). One of the significant benefits of their construction is scalability, where the overhead of the trusted authority is logarithmically increased in the number of users, whereas that in the Boneh-Franklin naive revocation way is linearly increased. All subsequent RIBE schemes follow the Boldyreva et al. security model and syntax. In this paper, we first revisit the Boldyreva et al. security model, and aim at capturing the exact notion for the security of the naive but non-scalable Boneh-Franklin RIBE scheme. To this end, we consider a realistic threat, which we call decryption key exposure. We also show that all prior RIBE constructions except for the Boneh-Franklin one are vulnerable to decryption key exposure. As the second contribution, we revisit approaches to achieve (efficient and adaptively secure) scalable RIBE schemes, and propose a simple RIBE scheme, which is the first scalable RIBE scheme with decryption key exposure resistance, and is more efficient than previous (adaptively secure) scalable RIBE schemes. In particular, our construction has the shortest ciphertext size and the fastest decryption algorithm even compared with all scalable RIBE schemes without decryption key exposure resistance.


The Cryptographers' Track at the RSA Conference | 2013

Efficient delegation of key generation and revocation functionalities in identity-based encryption

Jae Hong Seo; Keita Emura

In the public key cryptosystems, revocation functionality is required when a secret key is corrupted by hacking or the period of a contract expires. In the public key infrastructure setting, numerous solutions have been proposed, and in the Identity Based Encryption (IBE) setting, a recent series of papers proposed revocable IBE schemes. Delegation of key generation is also an important functionality in cryptography from a practical standpoint since it allows reduction of excessive workload for a single key generation authority. Although efficient solutions for either revocation or delegation of key generation in IBE systems have been proposed, an important open problem is efficiently delegating both the key generation and revocation functionalities in IBE systems. Libert and Vergnaud, for instance, left this as an open problem in their CT-RSA 2009 paper. In this paper, we propose the first solution for this problem. We prove the selective-ID security of our proposal under the Decisional Bilinear Diffie-Hellman assumption in the standard model.


Public Key Cryptography | 2012

On the security of dynamic group signatures: preventing signature hijacking

Yusuke Sakai; Jacob C. N. Schuldt; Keita Emura; Goichiro Hanaoka

We identify a potential weakness in the standard security model for dynamic group signatures which appears to have been overlooked previously. More specifically, we highlight that even if a scheme provably meets the security requirements of the model, a malicious group member can potentially claim ownership of a group signature produced by an honest group member by forging a proof of ownership. This property leads to a number of vulnerabilities in scenarios in which dynamic group signatures are likely to be used. We furthermore show that the currently most efficient dynamic group signature scheme does not provide protection against this type of malicious behavior. To address this, we introduce the notion of opening soundness for group signatures which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer. We then show a relatively simple modification of the scheme by Groth (ASIACRYPT 2007, full version) which allows us to prove opening soundness for the modified scheme without introducing any additional assumptions. We believe that opening soundness is an important and natural security requirement for group signatures, and hope that future schemes will adopt this type of security.


International Conference on Pairing-Based Cryptography | 2012

Group signatures with message-dependent opening

Yusuke Sakai; Keita Emura; Goichiro Hanaoka; Yutaka Kawai; Takahiro Matsuda; Kazumasa Omote

This paper introduces a new capability of the group signature, called message-dependent opening. It is intended to weaken the higher trust put on an opener, that is, no anonymity against an opener is provided by ordinary group signature. In a group signature system with message-dependent opening (GS-MDO), in addition to the opener, we set up the admitter which is not able to open any user's identity but admits the opener to open signatures by specifying messages whose signatures should be opened. For any signature whose corresponding message is not specified by the admitter, the opener cannot extract the signer's identity from it. In this paper, we present formal definitions and constructions of GS-MDO. Furthermore, we also show that GS-MDO implies identity-based encryption, and thus for designing a GS-MDO scheme, identity-based encryption is crucial. Actually, we propose a generic construction of GS-MDO from identity-based encryption and adaptive NIZK proofs, and its specific instantiation from the Groth-Sahai proof system by constructing a new (k-resilient) identity-based encryption scheme which is compatible to the Groth-Sahai proof.


Journal of Information Processing | 2009

A Dynamic Attribute-Based Group Signature Scheme and Its Application in an Anonymous Survey for the Collection of Attribute Statistics

Keita Emura; Atsuko Miyaji; Kazumasa Omote

Recently, cryptographic schemes based on the user's attributes have been proposed. An Attribute-Based Group Signature (ABGS) scheme is a kind of group signature scheme, where a user with a set of attributes can prove anonymously whether she has these attributes or not. An access tree is applied to express the relationships among some attributes. However, previous schemes do not provide for changing an access tree. In this paper, we propose a Dynamic ABGS scheme that enables an access tree to be changed. Our ABGS is efficient in that re-issuing of the attribute certificate previously issued for each user is not necessary. Moreover, calculations depending on the number of attributes are calculated on the domain of a pairing. Therefore, the number of calculations in a pairing does not depend on the number of attributes associated with a signature. Finally, we discuss how our ABGS can be applied to an anonymous survey for collection of attribute statistics.


International Journal of Applied Cryptography | 2012

Dynamic attribute-based signcryption without random oracles

Keita Emura; Atsuko Miyaji; Mohammad Shahriar Rahman

In SCN2010, Gagne, Narayan, and Safavi-Naini proposed attribute-based signcryption (ABSC) with threshold structure. As in ciphertext-policy attribute-based encryption (CP-ABE), an encryptor can specify the access structure of decryptors, and as in attribute-based signature (ABS), each decryptor can verify the encryptor's attributes. In contrast to the access structure of decryptors, the access structure of the encryptor needs to be fixed in the setup phase. In this paper, we propose ABSC with dynamic property, where access structures of encryptor can be updated flexibly without re-issuing secret keys of users. We call this primitive dynamic attribute-based signcryption (DABSC). Our DABSC scheme is secure in the standard model under the decision bilinear Diffie-Hellman assumption and the computational Diffie-Hellman assumption.


IEEE Transactions on Information Forensics and Security | 2014

Revocable Identity-Based Cryptosystem Revisited: Security Models and Constructions

Jae Hong Seo; Keita Emura

Boneh and Franklin gave a naive revocation method in identity-based encryption (IBE) which imposes a huge overhead into the key generation center. Later, Boldyreva, Goyal, and Kumar proposed an elegant way of achieving an IBE with efficient revocation, called revocable IBE (RIBE). In this paper, we revisit RIBE from the viewpoint of both security models and constructions. First, we introduce a realistic threat, which we call decryption key exposure, and show that all prior RIBE constructions, except the Boneh-Franklin one, are vulnerable to decryption key exposure. Next, we propose the first scalable RIBE scheme with decryption key exposure resistance by combining the (adaptively secure) Waters IBE scheme and the (selectively secure) Boneh-Boyen IBE scheme, and show that our RIBE scheme is more efficient than all previous adaptively secure scalable RIBE schemes. In addition, we extend our interest into identity-based signatures; we introduce a new security definition of revocable identity-based signature (RIBS) with signing key exposure resistance, and propose the first scalable RIBS scheme based on the Paterson-Schuldt IBS. Finally, we provide implementation results of our schemes to adduce the feasibility of our schemes.


Applied Cryptography and Network Security | 2014

A Revocable Group Signature Scheme from Identity-Based Revocation Techniques: Achieving Constant-Size Revocation List

Nuttapong Attrapadung; Keita Emura; Goichiro Hanaoka; Yusuke Sakai

Any multi-user cryptographic primitive needs revocation since a legitimate user may quit the organization, or may turn out to be malicious, or the key may be leaked. In the group signature context, the group manager usually publishes the revocation list that contains revocation tokens. Since signers/verifiers need to obtain the revocation list in each revocation epoch for generating/verifying a group signature, a small-size revocation list is really important in practice. However, all previous revocable group signatures require at least an O(r)-size revocation list, where r is the number of revoked users. In this paper, we propose the first revocable group signature scheme with the constant size revocation list from identity-based revocation (IBR) techniques. We use an IBR scheme proposed by Attrapadung-Libert-Panafieu (PKC2011) as a building block. Although the maximum number of the revoked users needs to be fixed in the setup phase, the maximum number of group members is potentially unbounded (as in IBR). This property has not been achieved in the recent scalable revocable group signature schemes, and seems to be of independent interest.


The Cryptographers' Track at the RSA Conference | 2015

Revocable Hierarchical Identity-Based Encryption: History-Free Update, Security Against Insiders, and Short Ciphertexts

Jae Hong Seo; Keita Emura

In the context of Identity-Based Encryption (IBE), both revocation and delegation of key generation are important functionalities. Although a number of IBE schemes with either efficient revocation or efficient delegation of key generation functionality have been proposed, an important open problem is efficiently delegating both the key generation and revocation functionalities in IBE systems. Seo and Emura (CT-RSA 2013) proposed the first realization of Revocable Hierarchical IBE (RHIBE), a sole IBE scheme that achieves both functionalities simultaneously. However, their approach implements history-preserving updates, wherein a low-level user must know the history of key updates performed by ancestors in the current time period, and it renders the scheme very complex.

Collaboration


Top Co-Authors

Goichiro Hanaoka

National Institute of Advanced Industrial Science and Technology

Kazumasa Omote

Japan Advanced Institute of Science and Technology

Mohammad Shahriar Rahman

Japan Advanced Institute of Science and Technology

Takuya Hayashi

National Institute of Information and Communications Technology

Ai Ishida

National Institute of Advanced Industrial Science and Technology

Takahiro Matsuda

National Institute of Advanced Industrial Science and Technology
