Sanjit Chatterjee

Trading time for space: towards an efficient IBE scheme with short(er) public parameters in the standard model

At Eurocrypt 2005, Brent Waters proposed an efficient Identity Based Encryption scheme which is secure in the standard model. One drawback of this scheme is that the number of elements in the public parameter is rather large. Here we propose a generalisation of Waters scheme. In particular, we show that there is an interesting trade-off between the tightness of the security reduction and smallness of the public parameter. For a given security level, this implies that if one reduces the number of elements in public parameter then there is a corresponding increase in the computational cost due to the increase in group size. This introduces a flexibility in choosing the public parameter size without compromising in security. In concrete terms, to achieve 80-bit security for 160-bit identities we show that compared to Waters protocol the public parameter size can be reduced by almost 90 % while increasing the computation cost by 30%. Our construction is proven secure in the standard model without random oracles. Additionally, we show that CCA security can also be achieved through the reduction to oracle decision bilinear Diffie-Hellman problem (OBDH).

On cryptographic protocols employing asymmetric pairings — The role of Ψ revisited

Asymmetric pairings e : G1 × G2 ! GT for which an efficiently-computable isomorphism : G2 ! G1 is known are called Type 2 pairings; if such an isomorphism is not known then e is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.

Multi-receiver identity-based key encapsulation with shortened ciphertext

This paper describes two identity based encryption (IBE) protocols in the multi-receiver setting. The first protocol is secure in the selective-ID model while the second protocol is secure in the full model. The proofs do not depend on the random oracle heuristic. The main interesting feature of both protocols is that the ciphertext size is |S|/N, where S is the intended set of receivers and N is a parameter of the protocol. To the best of our knowledge, in the multi-receiver IBE setting, these are the first protocols to achieve sub-linear ciphertext sizes. There are three previous protocols for this problem – two using the random oracle heuristic and one without. We make a detailed comparison to these protocols and highlight the advantages of the new constructions.

Identity-Based Encryption

Identity Based Encryption (IBE) is a type of public key encryption and has been intensely researched in the past decade. Identity-Based Encryption summarizes the available research for IBE and the main ideas that would enable users to pursue further work in this area. This book will also cover a brief background on Elliptic Curves and Pairings, security against chosen Cipher text Attacks, standards and more. Advanced-level students in computer science and mathematics who specialize in cryptology, and the general community of researchers in the area of cryptology and data security will find Identity-Based Encryption a useful book. Practitioners and engineers who work with real-world IBE schemes and need a proper understanding of the basic IBE techniques, will also find this book a valuable asset.

Another look at tightness

We examine a natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting. If security parameters for the MAC scheme are selected without accounting for the non-tightness in the reduction, then the MAC scheme is shown to provide a level of security that is less than desirable in the multi-user setting. We find similar deficiencies in the security assurances provided by non-tight proofs when we analyze some protocols in the literature including ones for network authentication and aggregate MACs. Our observations call into question the practical value of non-tight reductionist security proofs. We also exhibit attacks on authenticated encryption schemes, disk encryption schemes, and stream ciphers in the multi-user setting.

Efficient computation of tate pairing in projective coordinate over general characteristic fields

We consider the use of Jacobian coordinates for Tate pairing over general characteristics. The idea of encapsulated double-and-line computation and add-and-line computation has been introduced. We also describe the encapsulated version of iterated doubling. Detailed algorithms are presented in each case and memory requirement has been considered. The inherent parallelism in each of the algorithms have been identified leading to optimal two-multiplier algorithm. The cost comparison of our algorithm with previously best known algorithms shows an efficiency improvement of around 33% in the general case and an efficiency improvement of 20% for the case of the curve parameter a = –3.

Comparing two pairing-based aggregate signature schemes

In 2003, Boneh, Gentry, Lynn and Shacham (BGLS) devised the first provably-secure aggregate signature scheme. Their scheme uses bilinear pairings and their security proof is in the random oracle model. The first pairing-based aggregate signature scheme which has a security proof that does not make the random oracle assumption was proposed in 2006 by Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW). In this paper, we compare the security and efficiency of the BGLS and LOSSW schemes when asymmetric pairings derived from Barreto–Naehrig (BN) elliptic curves are employed.

Progress in Cryptology – INDOCRYPT 2011

This book constitutes the refereed proceedings of the 12th International Conference on Cryptology in India, INDOCRYPT 2011, held in Chennai, India, in December 2011. The 22 revised full papers presented together with the abstracts of 3 invited talks and 3 tutorials were carefully reviewed and selected from 127 submissions. The papers are organized in topical sections on side-channel attacks, secret-key cryptography, hash functions, pairings, and protocols.

Generalization of the Selective-ID security model for HIBE protocols

We generalize the selective-ID security model for HIBE by introducing two new security models. Both these models allow the adversary to commit to a set of identities and in the challenge phase choose any one of the previously committed identities. Two constructions of HIBE are presented which are secure in the two models. One of the HIBE constructions supports an unbounded number of levels, i.e., the maximum number of levels does not need to be specified during the set-up. Further, we show that this HIBE can be modified to obtain a multiple receiver IBE which is secure in the selective-ID model without the random oracle assumption.

New constructions of constant size ciphertext HIBE without random oracle

At Eurocrypt 2005, Boneh-Boyen-Goh presented an interesting and important construction of a constant size ciphertext HIBE. The HIBE was proven to be secure in the selective-ID model. In this paper, we present two variants of the BBG-HIBE secure in more general security models. The first variant is proved to be secure in a generalization of the selective-ID model while the second variant is proved to be secure in the full security model. Our constructions are not straightforward modifications of the BBG-HIBE. Several techniques have to be suitably combined to obtain the required proofs.