Publication


Featured research published by Shengli Liu.


Information Sciences | 2017

Insight of the Protection for Data Security under Selective Opening Attacks

Zhengan Huang; Shengli Liu; Xianping Mao; Kefei Chen; Jin Li

Data security and privacy protection issues are the primary restraints for adoption of cloud computing. Selective opening security (SOA security) focuses on such a scenario of cloud computing: Multiple senders encrypt their own data with the public key of a single receiver. Given the ciphertexts, the adversary is allowed to corrupt some of the senders, seeing not only their plaintexts but also the random coins used during the encryption. The security requirement of SOA security is that the privacy of the unopened data is preserved. On the other hand, non-malleability is also a very important security notion for data security in cloud computing and public-key cryptography. The security requirement of non-malleability is that given a challenge ciphertext, it should be infeasible to generate a ciphertext vector whose decryption is “meaningfully related” to the corresponding challenge plaintext. However, as far as we know, the relations between non-malleability and SOA security are still undiscovered, and the security notion of non-malleability under selective opening attacks has not yet been formally defined or researched. In this paper, we formalize the security notion of non-malleability under selective opening attacks (NM-SO security), and explore the relations between NM-SO security and the standard SOA security, the relations between NM-SO security and the standard non-malleability, and the relations among NM-SO security notions.


Journal of Systems and Software | 2007

ID-based restrictive partially blind signatures and applications

Xiaofeng Chen; Fangguo Zhang; Shengli Liu

Restrictive blind signatures allow a recipient to receive a blind signature on a message not known to the signer, but the choice of message is restricted and must conform to certain rules. Partially blind signatures allow a signer to explicitly include necessary information (expiration date, collateral conditions, or whatever) in the resulting signatures under some agreement with the receiver. Restrictive partially blind signatures incorporate the advantages of these two blind signatures. The existing restrictive partially blind signature scheme was constructed under certificate-based (CA-based) public key systems. In this paper we follow Brands' construction to propose the first identity-based (ID-based) restrictive blind signature scheme from bilinear pairings. Furthermore, we first propose an ID-based restrictive partially blind signature scheme, which is provably secure in the random oracle model. As an application, we use the proposed signature scheme to build an untraceable off-line electronic cash system following Brands' construction.


IEEE Transactions on Information Forensics and Security | 2015

Attribute-Based Encryption With Efficient Verifiable Outsourced Decryption

Baodong Qin; Robert H. Deng; Shengli Liu; Siqi Ma

Attribute-based encryption (ABE) with outsourced decryption not only enables fine-grained sharing of encrypted data, but also overcomes the efficiency drawback (in terms of ciphertext size and decryption cost) of the standard ABE schemes. In particular, an ABE scheme with outsourced decryption allows a third party (e.g., a cloud server) to transform an ABE ciphertext into a (short) El Gamal-type ciphertext using a public transformation key provided by a user so that the latter can be decrypted much more efficiently than the former by the user. However, a shortcoming of the original outsourced ABE scheme is that the correctness of the cloud server's transformation cannot be verified by the user. That is, an end user could be cheated into accepting a wrong or maliciously transformed output. In this paper, we first formalize a security model of ABE with verifiable outsourced decryption by introducing a verification key in the output of the encryption algorithm. Then, we present an approach to convert any ABE scheme with outsourced decryption into an ABE scheme with verifiable outsourced decryption. The new approach is simple, general, and almost optimal. Compared with the original outsourced ABE, our verifiable outsourced ABE neither increases the user's and the cloud server's computation costs except some nondominant operations (e.g., hash computations), nor expands the ciphertext size except adding a hash value (which is <20 bytes for 80-bit security level). We show a concrete construction based on Green et al.'s ciphertext-policy ABE scheme with outsourced decryption, and provide a detailed performance evaluation to demonstrate the advantages of our approach.


International Conference on the Theory and Application of Cryptology and Information Security | 2013

Leakage-resilient chosen-ciphertext secure public-key encryption from hash proof system and one-time lossy filter

Baodong Qin; Shengli Liu

We present a new generic construction of a public-key encryption (PKE) scheme secure against leakage-resilient chosen-ciphertext attacks (LR-CCA), from any Hash Proof System (HPS) and any one-time lossy filter (OT-LF). Efficient constructions of HPSs and OT-LFs from the DDH and DCR assumptions suggest that our construction is a practical approach to LR-CCA security. Most practical PKEs with LR-CCA security, like variants of the Cramer-Shoup scheme, are rooted in Hash Proof Systems, but have leakage rates of at most 1/4 − o(1) (defined as the ratio of leakage amount to secret-key size). The instantiations of our construction from the DDH and DCR assumptions result in LR-CCA secure PKEs with leakage rate of 1/2 − o(1). On the other hand, our construction also creates a new approach for constructing IND-CCA secure (leakage-free) PKE schemes, which may be of independent interest.


The Cryptographers' Track at the RSA Conference | 2010

Efficient CCA-Secure PKE from identity-based techniques

Junzuo Lai; Robert H. Deng; Shengli Liu; Weidong Kou

Boneh, Canetti, Halevi, and Katz showed a general method for constructing CCA-secure public key encryption (PKE) from any selective-ID CPA-secure identity-based encryption (IBE) scheme. Their approach treated IBE as a black box. Subsequently, Boyen, Mei, and Waters demonstrated how to build a direct CCA-secure PKE scheme from the Waters IBE scheme, which is adaptive-ID CPA secure. They made direct use of the underlying IBE structure, and required no cryptographic primitive other than the IBE scheme itself. However, their scheme requires a long public key and the security reduction is loose. In this paper, we propose an efficient PKE scheme employing identity-based techniques. Our scheme requires a short public key and is proven CCA-secure in the standard model (without random oracles) with a tight security reduction, under the Decisional Bilinear Diffie-Hellman (DBDH) assumption. In addition, we show how to use our scheme to construct an efficient threshold public key encryption scheme and a public key encryption with non-interactive opening (PKENO) scheme.


Designs, Codes and Cryptography | 2003

A Practical Protocol for Advantage Distillation and Information Reconciliation

Shengli Liu; Hca Henk van Tilborg; Marten van Dijk

Information-theoretic secret key agreement generally consists of three phases, namely, advantage distillation, information reconciliation, and privacy amplification. Advantage distillation is needed in the case when two legitimate users, Alice and Bob, start in a situation which is inferior to that of the adversary Eve. The aim for them is to gain advantage over Eve in terms of mutual information between each other. Information reconciliation enables Alice and Bob to arrive at a common string by error correction techniques. Finally they distill a highly secret string from the common string in the privacy amplification phase. For the scenario where Alice and Bob as well as Eve have access to the output of a binary symmetric source by means of (three) binary symmetric channels, there are several advantage distillation and information reconciliation protocols proposed. In this paper, we present a general protocol to implement both advantage distillation and information reconciliation. Simulation results are compared with known protocols. A connection between our protocol and the known protocols is given.


Information Security and Cryptology | 2006

Identity-based key-insulated signature with secure key-updates

Jian Weng; Shengli Liu; Kefei Chen; Xiangxue Li

Standard identity-based (ID-based) signature schemes typically rely on the assumption that secret keys are kept perfectly secure. However, with more and more cryptographic primitives being deployed on insecure devices (e.g. mobile devices), key-exposure seems inevitable. This problem is perhaps the most devastating attack on a cryptosystem since it typically means that security is entirely lost. To minimize the damage caused by key-exposure in ID-based signature scenarios, Zhou et al. [32] applied Dodis et al.'s key-insulation mechanism [12] and proposed an ID-based key-insulated signature (IBKIS) scheme. However, their scheme is not strong key-insulated, i.e., if an adversary compromises the helper key, he can derive all the temporary secret keys and sign messages on behalf of the legitimate user. In this paper, we re-formalize the definition and security notions for IBKIS schemes, and then propose a new IBKIS scheme with secure key-updates. The proposed scheme is strong key-insulated and perfectly key-insulated. Our scheme also enjoys desirable properties such as unbounded number of time periods and random-access key-updates.


International Conference on Cryptology in India | 2006

Identity-based parallel key-insulated encryption without random oracles: security notions and construction

Jian Weng; Shengli Liu; Kefei Chen; Changshe Ma

In this paper, we apply the parallel key-insulation mechanism to identity-based encryption (IBE) scenarios, and minimize the damage caused by key-exposure in IBE systems. We first formalize the definition and security notions for ID-based parallel key-insulated encryption (IBPKIE) systems, and then propose an IBPKIE scheme based on Waters' IBE scheme. To the best of our knowledge, this is the first IBPKIE scheme up to now. Our scheme enjoys two attractive features: (i) it is provably secure without random oracles; (ii) it not only allows frequent key updating, but also does not increase the risk of helper key-exposure.


The Cryptographers' Track at the RSA Conference | 2008

Identity-based threshold key-insulated encryption without random oracles

Jian Weng; Shengli Liu; Kefei Chen; Dong Zheng; Weidong Qiu

With more and more cryptosystems being deployed in insecure environments such as mobile devices, key exposures appear to be unavoidable. This is perhaps the most devastating attack on a cryptosystem, since it typically means that security is entirely lost. This problem is especially hard to tackle in identity-based encryption (IBE) settings, where the public key is determined as a user's identity and is not desirable to be changed. In this paper, we extend Dodis et al.'s key-insulation idea and present a new paradigm named threshold key-insulation. The new paradigm not only greatly enhances the security of the system, but also provides flexibility and efficiency. To deal with the key-exposure problem in IBE settings, we further propose an identity-based threshold key-insulated encryption (IBTKIE) scheme. The proposed scheme is proved to be semantically secure without random oracles.


Public Key Cryptography | 2015

Continuous Non-malleable Key Derivation and Its Application to Related-Key Security

Baodong Qin; Shengli Liu; Tsz Hon Yuen; Robert H. Deng; Kefei Chen

Related-Key Attacks (RKAs) allow an adversary to observe the outcomes of a cryptographic primitive under not only its original secret key, e.g., \(s\), but also a sequence of modified keys \(\phi(s)\), where \(\phi\) is specified by the adversary from a class \(\varPhi\) of so-called Related-Key Derivation (RKD) functions. This paper extends the notion of non-malleable Key Derivation Functions (nm-KDFs), introduced by Faust et al. (EUROCRYPT’14), to continuous nm-KDFs. Continuous nm-KDFs have the ability to protect against any a-priori unbounded number of RKA queries, instead of just a single time tampering attack as in the definition of nm-KDFs. Informally, our continuous non-malleability captures the scenario where the adversary can tamper with the original secret key repeatedly and adaptively. We present a novel construction of continuous nm-KDF for any polynomials of bounded degree over a finite field. Essentially, our result can be extended to richer RKD function classes possessing properties of high output entropy and input-output collision resistance. The technical tool employed in the construction is the one-time lossy filter (Qin et al. ASIACRYPT’13) which can be efficiently obtained under standard assumptions, e.g., DDH and DCR. We propose a framework for constructing \(\varPhi\)-RKA-secure IBE, PKE and signature schemes, using a continuous nm-KDF for the same \(\varPhi\)-class of RKD functions. Applying our construction of continuous nm-KDF to this framework, we obtain the first RKA-secure IBE, PKE and signature schemes for a class of polynomial RKD functions of bounded degree under standard assumptions, while previous constructions for the same class of RKD functions all rely on non-standard assumptions, e.g., the \(d\)-extended DBDH assumption.

Collaboration

Top Co-Authors

Kefei Chen, Hangzhou Normal University

Baodong Qin, Southwest University of Science and Technology

Shuai Han, Shanghai Jiao Tong University

Robert H. Deng, Singapore Management University

Dawu Gu, Shanghai Jiao Tong University

Zhengan Huang, Shanghai Jiao Tong University

Lin Lyu, Shanghai Jiao Tong University