
Publication


Featured research published by Pil Joong Lee.


international conference on pairing based cryptography | 2007

Public key encryption with conjunctive keyword search and its extension to a multi-user system

Yong Ho Hwang; Pil Joong Lee

We study the problem of a public key encryption with conjunctive keyword search (PECK). The keyword searchable encryption enables a user to outsource his data to the storage of an untrusted server and to have the ability to selectively search his data without leaking information. The PECK scheme provides the document search containing each of several keywords over a public key setting. First, we construct an efficient PECK scheme whose security is proven over a decisional linear Diffie-Hellman assumption in the random oracle model. In comparison with previous schemes, our scheme has the shortest ciphertext size and private key size, and requires a comparable computation overhead. Second, we discuss problems related to the security proof of previous schemes and show they cannot guarantee complete security. Finally, we introduce a new concept called a multi-user PECK scheme, which can achieve an efficient computation and communication overhead and effectively manage the storage in a server for a number of users.


international cryptology conference | 1994

More Flexible Exponentiation with Precomputation

Chae Hoon Lim; Pil Joong Lee

A new precomputation method is presented for computing $g^R$ for a fixed element $g$ and a randomly chosen exponent $R$ in a given group. Our method is more efficient and flexible than the previously proposed methods, especially in the case where the amount of storage available is very small or quite large. It is also very efficient in computing $g^R y^E$ for a small size $E$ and variable number $y$, which occurs in the verification of Schnorr's identification scheme or its variants. Finally it is shown that our method is well-suited for parallel processing as well.


australasian conference on information security and privacy | 2004

Generic Construction of Certificateless Signature

Dae Hyun Yum; Pil Joong Lee

To provide the binding between a user and his public key, traditional digital signature schemes use certificates that are signed by a trusted third party. While Shamir’s identity-based signature scheme can dispense with certificates, the key escrow of a user’s private key is inherent in the identity-based signature scheme. In Asiacrypt 2003, a new digital signature paradigm called the certificateless signature was introduced. The certificateless signature eliminates the need for certificates and does not suffer from the inherent key escrow problem. In this paper, we provide a generic secure construction of a certificateless signature. We also present an extended construction whose trust level is the same as that of a traditional public key signature scheme.


workshop on information security applications | 2004

Public key encryption with conjunctive field keyword search

Dong Jin Park; Ki-Hyun Kim; Pil Joong Lee

In a public key encryption, we may want to enable someone to test whether something is a keyword in a given document without leaking anything else about the document. An email gateway, for example, may be desired to test whether the email contains a keyword “urgent” so that it could route the email accordingly, without leaking any content to the gateway. This mechanism was referred to as public key encryption with keyword search [4]. Similarly, a user may want to enable an email gateway to search keywords conjunctively, such as “urgent” email from “Bob” about “finance”, without leaking anything else about the email. We refer to this mechanism as public key encryption with conjunctive field keyword search. In this paper, we define the security model of this mechanism and propose two efficient schemes whose security is proved in the random oracle model.


international conference on computational science and its applications | 2004

Generic Construction of Certificateless Encryption

Dae Hyun Yum; Pil Joong Lee

As the Internet becomes an indispensable element of modern life, PKC (Public Key Cryptography) is gaining considerable attention because it can assure the security requirements of many applications. To guarantee the authenticity of public keys, traditional PKC requires certificates to be signed by a CA (Certification Authority). However, the management of infrastructure supporting certificates is the main complaint against traditional PKC. While identity-based PKC can eliminate this cumbersome infrastructure, the key escrow of a user’s private key is inherent in identity-based PKC. Recently, a new PKC paradigm called the certificateless PKC was introduced. Certificateless PKC eliminates the need for unwieldy certificates and retains the desirable properties of identity-based PKC without the inherent key escrow problem. In this paper, we provide a generic secure construction of certificateless encryption. While previous schemes are based on the algebraic properties of bilinear mappings, our construction is built from general primitives. This result shows that certificateless encryption can be constructed in a more general way.


international conference on information security and cryptology | 2001

New Signcryption Schemes Based on KCDSA

Dae Hyun Yum; Pil Joong Lee

A signcryption scheme is a cryptographic primitive that performs signature and encryption simultaneously, at less cost than is required by the traditional signature-then-encryption approach. We propose new signcryption schemes based on KCDSA. These are the first signcryption schemes that are based on a standardized signature scheme. We expect that these schemes will soon be applied to established KCDSA systems. We also propose a new signcryption scheme for multiple recipients which requires very small communication overhead.


public key cryptography | 2007

Optimistic fair exchange in a multi-user setting

Yevgeniy Dodis; Pil Joong Lee; Dae Hyun Yum

This paper addresses the security of optimistic fair exchange in a multi-user setting. While the security of public key encryption and public key signature schemes in a single-user setting guarantees the security in a multi-user setting, we show that the situation is different in the optimistic fair exchange. First, we show how to break, in the multi-user setting, an optimistic fair exchange scheme provably secure in the single-user setting. This example separates the security of optimistic fair exchange between the single-user setting and the multi-user setting. We then define the formal security model of optimistic fair exchange in the multi-user setting, which is the first complete security model of optimistic fair exchange in the multi-user setting. We prove the existence of a generic construction meeting our multi-user security based on one-way functions in the random oracle model and trapdoor one-way permutations in the standard model. Finally, we revisit two well-known methodologies of optimistic fair exchange, which are based on the verifiably encrypted signature and the sequential two-party multisignature, respectively. Our result shows that these paradigms remain valid in the multi-user setting.


international cryptology conference | 1995

Security and Performance of Server-Aided RSA Computation Protocols

Chae Hoon Lim; Pil Joong Lee

This paper investigates various security issues and provides possible improvements on server-aided RSA computation schemes, mainly focused on the two-phase protocols, RSA-S1M and RSA-S2M, proposed by Matsumoto et al. [4]. We first present new active attacks on these protocols when the final result is not checked. A server-aided protocol is then proposed in which the client can check the computed signature in at most six multiplications irrespective of the size of the public exponent. Next we consider multi-round active attacks on the protocol with correctness check and show that parameter restrictions cannot defeat such attacks. We thus assume that the secret exponent is newly decomposed in each run of the protocol and discuss some means of speeding up this preprocessing step. Finally, considering the implementation-dependent attack, we propose a new method for decomposing the secret and performing the required computation efficiently.


european public key infrastructure workshop | 2004

Identity-Based Cryptography in Public Key Management

Dae Hyun Yum; Pil Joong Lee

To guarantee the authenticity of public keys, traditional PKC (Public Key Cryptography) requires certificates signed by a CA (Certification Authority). However, the management of infrastructure supporting certificates is the main complaint against traditional PKC. While identity-based PKC can eliminate this cumbersome infrastructure, the key escrow of a user’s private key is inherent in identity-based PKC. Recently, new PKC paradigms were introduced: certificate-less PKC and certificate-based PKC. They retain the desirable properties of identity-based PKC without the inherent key escrow problem. A certificate-less cryptosystem eliminates the need for unwieldy certificates and a certificate-based cryptosystem simplifies the public key revocation problem. In this paper, we present an equivalence theorem among identity-based encryption, certificate-less encryption, and certificate-based encryption. We demonstrate that the three paradigms are essentially equivalent.


international cryptology conference | 1993

Another method for attaining security against adaptively chosen ciphertext attacks

Chae Hoon Lim; Pil Joong Lee

Practical approaches to constructing public key cryptosystems secure against chosen ciphertext attacks were first initiated by Damgård and further extended by Zheng and Seberry. In this paper we first point out that in some cryptosystems proposed by Zheng and Seberry the method for adding authentication capability may fail just under known plaintext attacks. Next, we present a new method for immunizing public key cryptosystems against adaptively chosen ciphertext attacks. In the proposed immunization method, the deciphering algorithm first checks that the ciphertext is legitimate and then outputs the matching plaintext only when the check is successful. This is in contrast with Zheng and Seberry's methods, where the deciphering algorithm first recovers the plaintext and then outputs it only when the checking condition on it is satisfied. Such a ciphertext-based validity check will be particularly useful for an application to group-oriented cryptosystems, where almost all deciphering operations are performed by third parties, not by the actual receiver.

Collaboration

Top co-authors of Pil Joong Lee:

Dae Hyun Yum | Pohang University of Science and Technology
Chae Hoon Lim | Pohang University of Science and Technology
Yong Ho Hwang | Pohang University of Science and Technology
Sung Je Hong | Pohang University of Science and Technology
Chong Hee Kim | Université catholique de Louvain
Dong Jin Park | Pohang University of Science and Technology
Jin Seok Kim | Pohang University of Science and Technology
Sang Gyoo Sim | Pohang University of Science and Technology
Jin-Seok Kim | Agency for Defense Development