Publication


Featured research published by Kwangsu Lee.


Designs, Codes and Cryptography | 2017

Efficient revocable identity-based encryption via subset difference methods

Kwangsu Lee; Dong Hoon Lee; Jong Hwan Park

Providing an efficient revocation mechanism for identity-based encryption (IBE) is very important since a user’s credential (or private key) can be expired or revealed. Revocable IBE (RIBE) is an extension of IBE that provides an efficient revocation mechanism. Previous RIBE schemes essentially use the complete subtree (CS) scheme of Naor, Naor and Lotspiech (CRYPTO 2001) for key revocation. In this paper, we present a new technique for RIBE that uses the efficient subset difference (SD) scheme of Naor et al. instead of using the CS scheme to improve the size of update keys. Following our new technique, we first propose an efficient RIBE scheme in prime-order bilinear groups by combining the IBE scheme of Boneh and Boyen and the SD scheme and prove its selective security under the standard assumption. Our RIBE scheme is the first RIBE scheme in bilinear groups that has O(r) number of group elements in an update key where r is the number of revoked users. Next, we also propose another RIBE scheme in composite-order bilinear groups and prove its full security under static assumptions. Our RIBE schemes also can be integrated with the layered subset difference scheme of Halevy and Shamir (CRYPTO 2002) to reduce the size of a private key.


Information Sciences | 2013

Fully secure hidden vector encryption under standard assumptions

Jong Hwan Park; Kwangsu Lee; Willy Susilo; Dong Hoon Lee

Hidden Vector Encryption (HVE) is a special type of predicate encryption that can support conjunctive equality and range searches on encrypted data. All previous HVE schemes were proven to be either selectively secure or weakly attribute-hiding. In this paper, we first construct a new HVE scheme that is fully secure under standard assumptions. Our HVE scheme, which is based on bilinear maps (pairings), provides efficiency advantages in that it requires O(1)-sized private keys and O(1) pairing computations for decryption, regardless of both the number of conjunctives and the dimension of vectors. To achieve our goal, we develop a novel technique to realize a tag-based dual system encryption in prime-order groups and show how to hide vector components and compress tag values into one.


European Symposium on Research in Computer Security | 2014

Public-Key Revocation and Tracing Schemes with Subset Difference Methods Revisited

Kwangsu Lee; Woo Kwon Koo; Dong Hoon Lee; Jong Hwan Park

Broadcast encryption is a very powerful primitive since it can send an encrypted message to a set of users excluding a set of revoked users. Public-key broadcast encryption (PKBE) is a special type of broadcast encryption such that anyone can run the encryption algorithm to create an encrypted message by using a public key. In this paper, we propose a new technique to construct an efficient PKBE scheme by using the subset cover framework. First, we introduce a new concept of public-key encryption named single revocation encryption (SRE) and propose an efficient SRE scheme in the random oracle model. A user in SRE is represented as a group that he belongs to and a member in the group. In SRE, a sender can create a ciphertext for a specified group where one member in the group is revoked, and a receiver can decrypt the ciphertext if he belongs to the group in the ciphertext and he is not revoked in the group. Second, we show that the subset difference (SD) scheme or the layered subset difference (LSD) scheme and an SRE scheme can be combined to construct a public-key revocation encryption (PKRE) scheme such that a set of revoked users is specified in a ciphertext. Our PKRE scheme using the LSD scheme and our SRE scheme can reduce the size of private keys and public keys by a log N factor compared with the previous scheme of Dodis and Fazio.


Applied Cryptography and Network Security | 2013

Sequential aggregate signatures made shorter

Kwangsu Lee; Dong Hoon Lee; Moti Yung

Sequential aggregate signature (SAS) is a special type of public-key signature that allows a signer to add his signature into a previous aggregate signature in sequential order. In this case, since many public keys are used and many signatures are employed and compressed, it is important to reduce the sizes of signatures and public keys. Recently, Lee et al. proposed an efficient SAS scheme with short public keys and proved its security without random oracles under static assumptions. In this paper, we propose an improved SAS scheme that has a shorter signature size compared with that of Lee et al.'s SAS scheme. Our SAS scheme is also secure without random oracles under static assumptions. To achieve the improvement, we devise a new public-key signature scheme that supports multi-users and public re-randomization. Compared with the SAS scheme of Lee et al., our SAS scheme employs new techniques which allow us to reduce the size of signatures by increasing the size of the public keys (obviously, since signature compression is at the heart of aggregate signature, this is a further step in understanding the aggregation capability of such schemes).


Journal of Medical Systems | 2016

Patient-Controlled Attribute-Based Encryption for Secure Electronic Health Records System

Jieun Eom; Dong Hoon Lee; Kwangsu Lee

In recent years, many countries have been trying to integrate electronic health data managed by each hospital to offer more efficient healthcare services. Since health data contain sensitive information of patients, there has been much research that presents privacy-preserving mechanisms. However, existing studies either require a patient to perform various steps to secure the data or restrict the patient to exerting control over the data. In this paper, we propose patient-controlled attribute-based encryption, which enables a patient (a data owner) to control access to the health data and reduces the operational burden for the patient, simultaneously. With our method, the patient has powerful control capability of his/her own health data in that he/she has the final say on the access with time limitation. In addition, our scheme provides emergency medical services which allow the emergency staff to access the health data without the patient’s permission only in the case of emergencies. We prove that our scheme is secure under cryptographic assumptions and analyze its efficiency from the patient’s perspective.


Theoretical Computer Science | 2015

Sequential aggregate signatures with short public keys without random oracles

Kwangsu Lee; Dong Hoon Lee; Moti Yung

The notion of aggregate signature has been motivated by applications and it enables any user to compress different signatures signed by different signers on different messages into a short signature. Sequential aggregate signature, in turn, is a special kind of aggregate signature that only allows a signer to add his signature into an aggregate signature in sequential order. This latter scheme has applications in diversified settings such as in reducing bandwidth of certificate chains and in secure routing protocols. Lu, Ostrovsky, Sahai, Shacham, and Waters (EUROCRYPT 2006) presented the first sequential aggregate signature scheme in the standard model. The size of their public key, however, is quite large (i.e., the number of group elements is proportional to the security parameter), and therefore, they suggested as an open problem the construction of such a scheme with short keys. In this paper, we propose the first sequential aggregate signature schemes with short public keys (i.e., a constant number of group elements) in prime order (asymmetric) bilinear groups that are secure under static assumptions in the standard model. Furthermore, our schemes employ a constant number of pairing operations per message signing and message verification operation. Technically, we start with a public-key signature scheme based on the recent dual system encryption technique of Lewko and Waters (TCC 2010). This technique cannot directly provide an aggregate signature scheme since, as we observed, additional elements should be published in a public key to support aggregation. Thus, our constructions are careful augmentation techniques for the dual system technique to allow it to support sequential aggregate signature schemes. We also propose a multi-signature scheme with short public parameters in the standard model.


Information Sciences | 2014

Security analysis of an identity-based strongly unforgeable signature scheme

Kwangsu Lee; Dong Hoon Lee

Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any identity string ID can be used for the public key of a user. Although an IBS scheme can be constructed from any PKS scheme by using the certificate paradigm, it is still important to construct an efficient IBS scheme with short signature under the standard assumption without relying on random oracles. Recently, Kwon proposed an IBS scheme and claimed its strong unforgeability under the computational Diffie-Hellman (CDH) assumption. In this paper, we show that the security proof of Kwon is seriously flawed. To show the flaws, we first show that there exists a distinguisher that can distinguish the distribution of simulated signatures from that of real signatures. Next, we also show that the simulator of Kwon's security argument cannot extract the solution of the CDH problem even if there exists an adversary that forges the signature. Therefore, the security of Kwon's IBS scheme is not related to the hardness of the CDH assumption.


IEEE Access | 2018

Multi-Client Order-Revealing Encryption

Jieun Eom; Dong Hoon Lee; Kwangsu Lee

Order-revealing encryption is a useful cryptographic primitive that provides range queries on encrypted data since anyone can compare the order of plaintexts by running a public comparison algorithm. Most studies on order-revealing encryption focus only on comparing ciphertexts generated by a single client, and there is no study on comparing ciphertexts generated by multiple clients. In this paper, we propose the concept of multi-client order-revealing encryption that supports comparisons not only on ciphertexts generated by one client but also on ciphertexts generated by multiple clients. We also define a simulation-based security model for the multi-client order-revealing encryption. The security model is defined with respect to the leakage function which quantifies how much information is leaked from the scheme. Next, we present two specific multi-client order-revealing encryption schemes with different leakage functions in bilinear maps and prove their security in the random oracle model. Finally, we give the implementation of the proposed schemes and suggest methods to improve the performance of ciphertext comparisons.


Designs, Codes and Cryptography | 2018

Revocable hierarchical identity-based encryption with shorter private keys and update keys

Kwangsu Lee; Seunghwan Park

Revocable hierarchical identity-based encryption (RHIBE) is an extension of HIBE that supports the revocation of user’s private keys to manage the dynamic credentials of users in a system. Many different RHIBE schemes were proposed previously, but they are not efficient in terms of the private key size and the update key size since the depth of a hierarchical identity is included as a multiplicative factor. In this paper, we propose efficient RHIBE schemes with shorter private keys and update keys and small public parameters by removing this multiplicative factor. To achieve our goals, we first present a new HIBE scheme with the different generation of private keys such that a private key can be simply derived from a short intermediate private key. Next, we show that two efficient RHIBE schemes can be built by combining our HIBE scheme, an IBE scheme, and a tree based broadcast encryption scheme in a modular way.


Information Sciences | 2015

New chosen-ciphertext secure identity-based encryption with tight security reduction to the bilinear Diffie-Hellman problem

Jong Hwan Park; Kwangsu Lee; Dong Hoon Lee

We propose a new identity-based encryption (IBE) system that achieves a tight security reduction to the bilinear Diffie-Hellman (BDH) problem in the random oracle model. Tightness indicates that some level of IBE system security can be straightforwardly based on the hardness of the BDH problem at the same security level. Achieving such tightness requires two strategies: (1) a key generation technique for all identities, and (2) a searching method for the solution to the BDH problem. To implement the first strategy, our system relies on a key generation paradigm recently introduced with the Park-Lee IBE system. To implement the second strategy, we base our system on the strong twin BDH problem that includes access to a decision oracle. We compare the efficiency of our system with that of the previous Nishioka IBE system (based on the Katz-Wang key generation paradigm) combined with another tight variant of the Fujisaki-Okamoto transform.

Collaboration

Top Co-Authors

Seung Geol Choi

United States Naval Academy

Willy Susilo

University of Wollongong