Man Ho Au

Malicious KGC attacks in certificateless cryptography

Identity-based cryptosystems have an inherent key escrow issue, that is, the Key Generation Center (KGC) always knows user secret key. If the KGC is malicious, it can always impersonate the user. Certificateless cryptography, introduced by Al-Riyami and Paterson in 2003, is intended to solve this problem. However, in all the previously proposed certificateless schemes, it is always assumed that the malicious KGC starts launching attacks (so-called Type II attacks) only after it has generated a master public/secret key pair honestly. In this paper, we propose new security models that remove this assumption for both certificateless signature and encryption schemes. Under the new models, we show that a class of certificateless encryption and signature schemes proposed previously are insecure. These schemes still suffer from the key escrow problem. On the other side, we also give new proofs to show that there are two generic constructions, one for certificateless signature and the other for certificateless encryption, proposed recently that are secure under our new models.

Separable linkable threshold ring signatures

A ring signature scheme is a group signature scheme with no group manager to setup a group or revoke a signer. A linkable ring signature, introduced by Liu, et al. [20], additionally allows anyone to determine if two ring signatures are signed by the same group member (a.k.a. they are linked). In this paper, we present the first separable linkable ring signature scheme, which also supports an efficient thresholding option. We also present the security model and reduce the security of our scheme to well-known hardness assumptions. In particular, we introduce the security notions of accusatory linkability and non-slanderability to linkable ring signatures. Our scheme supports “event-oriented” linking. Applications to such linking criterion is discussed.

Self-Generated-Certificate Public Key Cryptography and certificateless signature/encryption scheme in the standard model: extended abstract

Certificateless Public Key Cryptography (CL-PKC) enjoys a number of features of Identity-Based Cryptography (IBC) while without having the problem of key escrow. However, it does suffer from an attack where the adversary, Carol, replaces Alices public key by someones public key so that Bob, who wants to send an encrypted message to Alice, uses Alices identity and others public key as the inputs to the encryption function. As a result, Alice cannot decrypt the message while Bob is unaware of this. We call it Denial-of-Decryption (DoD) Attack as its nature is similar to the well known Denial-of-Service (DoS) Attack. Based on CL-PKC, we propose a new paradigm called Self-Generated-Certificate Public Key Cryptography (SGC-PKC) that captures the DoD Attack. We also provide a generic construction of a self-generated-certificate public key encryption scheme in the standard model. Our generic construction uses certificateless signature and certificateless encryption as the building block. In addition, we further propose a certificateless signature and a certificateless encryption scheme with concrete implementation that are all provably secure in the standard model, which are the first in the literature regardless of the generic constructions by Yum and Lee which may contain security weaknesses as pointed out by others. We believe these concrete implementations are of independent interest.

Secure sharing and searching for real-time video data in mobile cloud

In this article we propose an infrastructure that allows mobile users to securely share and search for their real-time video data. Specifically, the proposed infrastructure takes the advantages of the cloud platform and 5G technology to achieve its goals, where mobile users (connected with some external video taking device) can share their real-time video with their friends or families through the cloud while any other user with no permission cannot get any information about the video. More importantly, the infrastructure security is guaranteed even if the cloud server is hacked. In addition, our infrastructure also allows secure searching within the users own video data. We believe our solution is practical to be deployed in the existing telecommunication platforms.

A secure and efficient Ciphertext-Policy Attribute-Based Proxy Re-Encryption for cloud data sharing

Proxy Re-Encryption (PRE) is a useful cryptographic primitive that allows a data owner to delegate the access rights of the encrypted data stored on a cloud storage system to others without leaking the information of the data to the honest-but-curious cloud server. It provides effectiveness for data sharing as the data owner even using limited resource devices (e.g. mobile devices) can offload most of the computational operations to the cloud. Since its introduction many variants of PRE have been proposed. A Ciphertext-Policy Attribute-Based Proxy Re-Encryption (CP-ABPRE), which is regarded as a general notion for PRE, employs the PRE technology in the attribute-based encryption cryptographic setting such that the proxy is allowed to convert an encryption under an access policy to another encryption under a new access policy. CP-ABPRE is applicable to many network applications, such as network data sharing. The existing CP-ABPRE systems, however, leave how to achieve adaptive CCA security as an interesting open problem. This paper, for the first time, proposes a new CP-ABPRE to tackle the problem by integrating the dual system encryption technology with selective proof technique. Although the new scheme supporting any monotonic access structures is built in the composite order bilinear group, it is proven adaptively CCA secure in the standard model without jeopardizing the expressiveness of access policy. We further make an improvement for the scheme to achieve more efficiency in the re-encryption key generation and re-encryption phases. This paper proposes a new Ciphertext-Policy Attribute-Based Proxy Re-Encryption scheme.The scheme is proved adaptively chosen ciphertext secure by leveraging dual system encryption technology and selective proof technique.The paper also proposes an improvement for re-encryption key generation and re-encryption phases so as to reduce computational and communication cost.

Practical Anonymous Divisible E-Cash from Bounded Accumulators

We present an efficient off-line divisible e-cash scheme which is truly anonymouswithout a trusted third party. This is the second scheme in the literature which achieves full unlinkability and anonymity, after the seminal work proposed by Canard and Gouget. The main trick of our scheme is the use of a bounded accumulator in combination with the classical binary tree approach. The aims of this paper are twofold. Firstly, we analyze Canard and Gougets seminal work on the efficient off-line divisible e-cash. We point out some subtleties on the parameters generation of their scheme. Moreover, spending a coin of small value requires computation of several hundreds of multi-based exponentiations, which is very costly. In short, although this seminal work provides a new approach of achieving a truly anonymous divisible e-cash, unfortunately it is rather impractical. Secondly, we present our scheme that uses a novel approach of incorporating a bounded accumulator. In terms of time and space complexities, our scheme is 50 to 100 times more efficient than Canard and Gougets work in the spend protocol at the cost of an 10 to 500 (the large range is due to whether pre-processing is taken into account and the probabilistic nature of our withdrawal protocol) times less efficient withdrawal protocol. We believe this trade-off between the withdrawal protocol and the spend protocol is reasonable as the former protocol is to be executed much less frequent than the latter. Nonetheless, while their scheme provides an affirmative answer to whether divisible e-cash can be truly anonymous, our result puts it a step further and we show that truly anonymous divisible e-cash can be practical.

Identity-Based Remote Data Integrity Checking With Perfect Data Privacy Preserving for Cloud Storage

Remote data integrity checking (RDIC) enables a data storage server, say a cloud server, to prove to a verifier that it is actually storing a data owner’s data honestly. To date, a number of RDIC protocols have been proposed in the literature, but most of the constructions suffer from the issue of a complex key management, that is, they rely on the expensive public key infrastructure (PKI), which might hinder the deployment of RDIC in practice. In this paper, we propose a new construction of identity-based (ID-based) RDIC protocol by making use of key-homomorphic cryptographic primitive to reduce the system complexity and the cost for establishing and managing the public key authentication framework in PKI-based RDIC schemes. We formalize ID-based RDIC and its security model, including security against a malicious cloud server and zero knowledge privacy against a third party verifier. The proposed ID-based RDIC protocol leaks no information of the stored data to the verifier during the RDIC process. The new construction is proven secure against the malicious server in the generic group model and achieves zero knowledge privacy against a verifier. Extensive security analysis and implementation results demonstrate that the proposed protocol is provably secure and practical in the real-world applications.

A DFA-Based Functional Proxy Re-Encryption Scheme for Secure Public Cloud Data Sharing

In this paper, for the first time, we define a general notion for proxy re-encryption (PRE), which we call deterministic finite automata-based functional PRE (DFA-based FPRE). Meanwhile, we propose the first and concrete DFA-based FPRE system, which adapts to our new notion. In our scheme, a message is encrypted in a ciphertext associated with an arbitrary length index string, and a decryptor is legitimate if and only if a DFA associated with his/her secret key accepts the string. Furthermore, the above encryption is allowed to be transformed to another ciphertext associated with a new string by a semitrusted proxy to whom a re-encryption key is given. Nevertheless, the proxy cannot gain access to the underlying plaintext. This new primitive can increase the flexibility of users to delegate their decryption rights to others. We also prove it as fully chosen-ciphertext secure in the standard model.

Remote data possession checking with enhanced security for cloud storage

Cloud storage allows users to enjoy the on-demand and high quality data storage services without the load of local data maintenance. However, the cloud server providers are not fully trusted. Whether the data over cloud servers are intact becomes a major concern of data owners. To offer cloud users with the capacity of data integrity verification, recently, Chen proposed a remote data possession checking (RDPC) protocol from algebraic signatures which achieves many desirable features such as high efficiency, short length of challenges and responses, non-block verification. Unfortunately, in this paper, we find that the protocol is vulnerable to replay attack and deletion attack launched by a dishonest server. Specifically, the server can deceive the users to believe that their data are well hold by replaying a previous evidence or re-constructing the deleted data blocks from the corresponding tags in the integrity checking process, while their data have been partially discarded in fact. Then, we present an improved scheme to fix the security flaws of the original protocol. Both the theoretical analysis and the implementation results show that the improvement is secure and practical. Analyze the security of a remote data possession checking protocol.Show the protocol is vulnerable to replay attack and deletion attack.Propose an improvement to resist the attacks.Prove the security of the improvement.Report the performance of the improvement by implementing it.

Enhanced privacy of a remote data integrity-checking protocol for secure cloud storage

Remote data integrity checking (RDIC) enables a server to prove to an auditor the integrity of a stored file. It is a useful technology for remote storage such as cloud storage. The auditor could be a party other than the data owner; hence, an RDIC proof is based usually on publicly available information. To capture the need of data privacy against an untrusted auditor, Hao et al. formally defined “privacy against third party verifiers” as one of the security requirements and proposed a protocol satisfying this definition. However, we observe that all existing protocols with public verifiability supporting data update, including Hao et al.’s proposal, require the data owner to publish some meta-data related to the stored data. We show that the auditor can tell whether or not a client has stored a specific file and link various parts of those files based solely on the published meta-data in Hao et al.’s protocol. In other words, the notion “privacy against third party verifiers” is not sufficient in protecting data privacy, and hence, we introduce “zero-knowledge privacy” to ensure the third party verifier learns nothing about the client’s data from all available information. We enhance the privacy of Hao et al.’s protocol, develop a prototype to evaluate the performance and perform experiment to demonstrate the practicality of our proposal.