Shota Yamada
National Institute of Advanced Industrial Science and Technology
Publication
Featured research published by Shota Yamada.
public key cryptography | 2011
Shota Yamada; Nuttapong Attrapadung; Goichiro Hanaoka; Noboru Kunihiro
In this paper we propose generic conversions for transforming a chosen-plaintext (CPA) secure attribute-based encryption (ABE) to a chosen-ciphertext (CCA) secure ABE. The only known generic conversion, to the best of our knowledge, was presented by Goyal et al. in ACM-CCS 2006, which itself subsumes the well-known IBE-to-PKE conversion by Canetti, Halevi, and Katz proposed in Eurocrypt 2004. The method by Goyal et al. has some restrictions that it assumes the delegatability of the original ABE and can deal only with the key-policy type of ABE with large attribute universe. In contrast, our methodology is applicable also to those ABE schemes without known delegatability. Furthermore, it works for both key-policy or ciphertext-policy flavors of ABE and can deal with both small and large universe scheme. More precisely, our method assumes only either delegatability or a newly introduced property called verifiability of ABE. We then exhaustively check the verifiability of existing ABE schemes and found that most of them satisfy such a property, hence CCA-secure versions of these schemes can be obtained automatically.
the cryptographers’ track at the rsa conference | 2015
Nuttapong Attrapadung; Shota Yamada
We show a generic conversion that converts an attribute based encryption (ABE) scheme for arbitrary predicate into an ABE scheme for its dual predicate. In particular, it can convert key-policy ABE (KP-ABE) into ciphertext-policy ABE (CP-ABE), and vice versa, for dually related predicates. It is generic in the sense that it can be applied to arbitrary predicates. On the other hand, it works only within the generic ABE framework recently proposed by Attrapadung (Eurocrypt’14), which provides a generic compiler that compiles a simple primitive called pair encodings into fully secure ABE. Inside this framework, Attrapadung proposed the first generic dual conversion that works only for subclass of encodings, namely, perfectly secure encodings. However, there are many predicates for which realizations of such encodings are not known, and hence the problems of constructing fully secure ABE for their dual predicates were left unsolved.
international cryptology conference | 2015
Nuttapong Attrapadung; Goichiro Hanaoka; Shota Yamada
We show a framework for constructing identity-based encryption (IBE) schemes that are almost tightly secure in the multi-challenge and multi-instance setting. In particular, we formalize a new notion called broadcast encoding, analogously to encoding notions by Attrapadung (Eurocrypt 2014) and Wee (TCC 2014). We then show that it can be converted into such an IBE. By instantiating the framework using several encoding schemes (new or known ones), we obtain the following: We obtain almost tightly secure IBE in the multi-challenge, multi-instance setting, both in composite and prime-order groups. The latter resolves the open problem posed by Hofheinz et al. (PKC 2015). We obtain the first almost tightly secure IBE with sub-linear size public parameters (master public keys). In particular, we can set the size of the public parameters to constant at the cost of longer ciphertexts and private keys. This gives a partial solution to the open problem posed by Chen and Wee (Crypto 2013). By applying a variant of the Canetti-Halevi-Katz transformation to our schemes, we obtain several CCA-secure PKE schemes with tight security in the multi-challenge, multi-instance setting. One of our schemes achieves very small ciphertext overhead, consisting of less than 12 group elements. This significantly improves the state-of-the-art construction by Libert et al. (in ePrint Archive) which requires 47 group elements. Furthermore, by modifying one of our IBE schemes obtained above, we can make it anonymous. This gives the first anonymous IBE whose security is almost tightly shown in the multi-challenge setting.
public key cryptography | 2012
Shota Yamada; Nuttapong Attrapadung; Bagus Santoso; Jacob C. N. Schuldt; Goichiro Hanaoka; Noboru Kunihiro
In this paper, we focus on verifiability of predicate encryption. A verifiable predicate encryption scheme guarantees that all legitimate receivers of a ciphertext will obtain the same message upon decryption. While verifiability of predicate encryption might be a desirable property by itself, we furthermore show that this property enables interesting applications. Specifically, we provide two applications of verifiable predicate encryption. Firstly, we show that for a large class of verifiable predicate encryption schemes, it is always possible to convert a chosen-plaintext secure scheme into a chosen-ciphertext secure one. Secondly, we show that a verifiable predicate encryption scheme allows the construction of a deniable predicate authentication scheme. This primitive enables a user to authenticate a message to a verifier using a private key satisfying a specified relation while at the same time allowing the user to deny ever having interacted with the verifier. This scheme furthermore guarantees the anonymity of the user in the sense that the verifier will learn nothing about the user's private key except that it satisfies the specified relation. Lastly, we show that many currently known predicate encryption schemes already provide verifiability, and furthermore demonstrate that many predicate encryption schemes which do not provide verifiability, can be easily converted into schemes providing verifiability. Our results not only highlight that verifiability is a very useful property of predicate encryption, but also show that efficient and practical schemes with this property can be obtained relatively easily.
international cryptology conference | 2016
Shuichi Katsumata; Shota Yamada
In this paper, we present new adaptively secure identity-based encryption (IBE) schemes. One of the distinguishing properties of the schemes is that it achieves shorter public parameters than previous schemes. Both of our schemes follow the general framework presented in the recent IBE scheme of Yamada (Eurocrypt 2016), employed with novel techniques tailored to meet the underlying algebraic structure to overcome the difficulties arising in our specific setting. Specifically, we obtain the following: - Our first scheme is proven secure under the ring learning with errors (RLWE) assumption and achieves the best asymptotic space efficiency among existing schemes from the same assumption. The main technical contribution is in our new security proof that exploits the ring structure in a crucial way. Our technique allows us to greatly weaken the underlying hardness assumption (e.g., we assume the hardness of RLWE with a fixed polynomial approximation factor whereas Yamada's scheme requires a super-polynomial approximation factor) while improving the overall efficiency. - Our second IBE scheme is constructed on bilinear maps and is secure under the 3-computational bilinear Diffie-Hellman exponent assumption. This is the first IBE scheme based on the hardness of a computational/search problem, rather than a decisional problem (such as DDH and DLIN) on bilinear maps with sub-linear public parameter size.
international cryptology conference | 2015
Nuttapong Attrapadung; Goichiro Hanaoka; Shota Yamada
Predicate encryption is an advanced form of public-key encryption that yields high flexibility in terms of access control. In the literature, many predicate encryption schemes have been proposed such as fuzzy-IBE, KP-ABE, CP-ABE, doubly spatial encryption (DSE), and ABE for arithmetic span programs. In this paper, we study relations among them and show that some of them are in fact equivalent by giving conversions among them. More specifically, our main contributions are as follows: We show that monotonic, small universe KP-ABE (CP-ABE) with bounds on the size of attribute sets and span programs (or linear secret sharing matrix) can be converted into DSE. Furthermore, we show that DSE implies non-monotonic CP-ABE (and KP-ABE) with the same bounds on parameters. This implies that monotonic/non-monotonic KP/CP-ABE (with the bounds) and DSE are all equivalent in the sense that one implies another. We also show that if we start from KP-ABE without bounds on the size of span programs (but bounds on the size of attribute sets), we can obtain ABE for arithmetic span programs. The other direction is also shown: ABE for arithmetic span programs can be converted into KP-ABE. These results imply, somewhat surprisingly, KP-ABE without bounds on span program sizes is in fact equivalent to ABE for arithmetic span programs, which was thought to be more expressive or at least incomparable. By applying these conversions to existing schemes, we obtain many non-trivial consequences. We obtain the first non-monotonic, large universe CP-ABE that supports span programs with constant-size ciphertexts, the first KP-ABE with constant-size private keys, the first adaptively-secure, multi-use ABE for arithmetic span programs with constant-size ciphertexts, and more. We also obtain the first attribute-based signature scheme that supports non-monotone span programs and achieves constant-size signatures via our techniques.
international cryptology conference | 2016
Shota Yamada
In this paper, we present two new adaptively secure identity-based encryption (IBE) schemes from lattices. The size of the public parameters, ciphertexts, and private keys are
public key cryptography | 2013
Keita Emura; Goichiro Hanaoka; Go Ohtake; Takahiro Matsuda; Shota Yamada
the cryptographers’ track at the rsa conference | 2012
Shota Yamada; Goichiro Hanaoka; Noboru Kunihiro
\tilde{O}(n^2 \kappa^{1/d})
international cryptology conference | 2017
Shota Yamada