Takashi Nishide

Attribute-based encryption with partially hidden encryptor-specified access structures

We propose attribute-based encryption schemes where encryptor-specified access structures (also called ciphertext policies) are hidden. By using our schemes, an encryptor can encrypt data with a hidden access structure. A decryptor obtains her secret key associated with her attributes from a trusted authority in advance and if the attributes associated with the decryptors secret key do not satisfy the access structure associated with the encrypted data, the decryptor cannot decrypt the data or guess even what access structure was specified by the encryptor. We prove security of our construction based on the Decisional Bilinear Diffie-Hellman assumption and the Decision Linear assumption. In our security notion, even the legitimate decryptor cannot obtain the information about the access structure associated with the encrypted data more than the fact that she can decrypt the data.

Multiparty computation for interval, equality, and comparison without bit-decomposition protocol

Damgard et al. [11] showed a novel technique to convert a polynomial sharing of secret a into the sharings of the bits of a in constant rounds, which is called the bit-decomposition protocol. The bit-decomposition protocol is a very powerful tool because it enables bitoriented operations even if shared secrets are given as elements in the field. However, the bit-decomposition protocol is relatively expensive. In this paper, we present a simplified bit-decomposition protocol by analyzing the original protocol. Moreover, we construct more efficient protocols for a comparison, interval test and equality test of shared secrets without relying on the bit-decomposition protocol though it seems essential to such bit-oriented operations. The key idea is that we do computation on secret a with c and r where c = a + r, c is a revealed value, and r is a random bitwise-shared secret. The outputs of these protocols are also shared without being revealed. The realized protocols as well as the original protocol are constantround and run with less communication rounds and less data communication than those of [11]. For example, the round complexities are reduced by a factor of approximately 3 to 10.

Realizing fine-grained and flexible access control to outsourced data with attribute-based cryptosystems

We consider the problem of constructing a secure cloud storage service to which users outsource sensitive data for sharing with others where, in particular, the service provider is not completely trusted by the customer. Cloud storage service denotes an architectural shift toward thin clients and conveniently centralized provision of both computing and storage resources. When utilizing cloud storage for secure data sharing, one of the main motivating problems of this architecture is providing thin clients with both strong data confidentiality and flexible fine-grained access control without imposing additional cost on them (clients). To achieve this goal, we propose a novel data sharing protocol by combining and exploiting two of the latest attribute based cryptographic techniques, attribute-based encryption (ABE) and attribute-based signature (ABS). Furthermore, we also give a detailed comparison of our scheme with several latest existing schemes.

Distributed paillier cryptosystem without trusted dealer

We propose a distributed key generation protocol for the threshold Paillier cryptosystem. Often in the multiparty computation based on the threshold Paillier cryptosystem, the existence of a trusted dealer is assumed to distribute secret key shares, but it can be a single point of attack, so it is not preferable. Building on the threshold Paillier cryptosystem with a trusted dealer, we show how to eliminate the trusted dealer by robust distributed key generation without using safe primes.

Realizing Proxy Re-encryption in the Symmetric World

Proxy re-encryption is a useful concept and many proxy re-encryption schemes have been proposed in the asymmetric encryption setting. In the asymmetric encryption setting, proxy re-encryption can be beautifully implemented because many operations are available to directly transform a cipher to another cipher without the proxy needs to access the plaintexts. However, in many situations, for a better performance, the data is encrypted using symmetric ciphers. Most symmetric ciphers do not support proxy cryptography because of malleability (that is needed to implement the proxy re-encryption) is not a desired property in a secure encryption scheme. In this paper, we suggest an idea to implement a pure proxy re-encryption for the symmetric ciphers by first transforming the plaintext into a random sequence of blocks using an All or nothing transform (AONT). We show an example of the proxy re-encryption scheme using a weak encryption (i.e. simple permutation) that has a simple conversion function to convert a permutation to another. The encryption scheme exploits three characteristics of an AONT transformation: (1) the output of an AONT is a pseudorandom, (2) the output of an AONT cannot be transformed back if any parts is missing, and (3) the output of an AONT cannot be transformed back without having all blocks with correct position. We show security argument of the proposed scheme and its performance evaluation.

Preserving integrity and confidentiality of a directed acyclic graph model of provenance

This paper describes how to preserve integrity and confidentiality of a directed acyclic graph (DAG) model of provenance database. We show a method to preserve integrity by using digital signature where both of the provenance owner and the process executors (i.e. contributors) sign the nodes and the relationships between nodes in the provenance graph so that attacks to integrity can be detected by checking the signatures. To preserve confidentiality of the nodes and edges in the provenance graph we propose an access control model based on paths on the provenance graph because an auditor who need to audit a result normally need to access all nodes that have causal relationship with the result (i.e. all nodes that have a path to the result). We also complement the path-based access control with a compartment-based access control where each node is classified into compartments and the auditor is not allowed to access the nodes included in a compartment that can not be accessed by him/her (because of the sensitivity of the compartment). We implement the path-based access control by encrypting the nodes and later store encrypted encryptions keys in the children of the nodes. The compartment-based access control is implemented by encrypting the nodes in different compartments with different keys.We developed a prototype of the model and performed experiments to measure the overhead of digital signature and the double encryptions.

Secure keyword search using bloom filter with specified character positions

There are encryption schemes called searchable encryption which enable keyword searches. Traditional symmetric ones support only full keyword matches. Therefore, both a data owner and data searcher have to enumerate all possible keywords to realize a variety of searches. It causes increases of data size and run time. We propose searchable symmetric encryption which can check characters in the specified position as we perform search on plaintexts. Our scheme realizes a variety of searches such as fuzzy keyword search, wildcard search, and so on.

Multi-party Computation with Small Shuffle Complexity Using Regular Polygon Cards

It is well-known that a protocol for any function can be constructed using only cards and various shuffling techniques this is referred to as a card-based protocol. In this paper, we propose a new type of cards called regular polygon cards. These cards enable a new encoding for multi-valued inputs while the previous works can only handle binary inputs. We furthermore propose a new technique for constructing a card-based protocol for any n-ary function with small shuffle complexity. This is the first general construction in which the shuffle complexity is independent of the complexity size/depth of the desired functionality, although being directly proportional to the number of inputs. The construction furthermore supports a wide range of cards and encodings, including previously proposed types of cards. Our techniques provide a method for reducing the number of shuffles in card-based protocols.

Anonymous encryption with partial-order subset delegation functionality

We present a general encryption model with partial order delegation ability, which is a generalized extension for hierarchical identity-based encryption, broadcast encryption and delegatable functional encryption, etc. We also construct a concrete anonymous encryption scheme with constant-size ciphertext which may perform key derivation with partial-order subset delegation functionality, and prove its security in the standard model including semantic security, anonymity, and delegation indistinguishability. We give some practical application scenarios and deployments for our scheme.

Secure Multi-Party Computation Using Polarizing Cards

It is known that, using just a deck of cards, an arbitrary number of parties with private inputs can securely compute the output of any function of their inputs. In 2009, Mizuki and Sone constructed a six-card COPY protocol, a four-card XOR protocol, and a six-card AND protocol, based on a commonly used encoding scheme in which each input bit is encoded using two cards. However, up until now, it has remained an open problem to construct a set of COPY, XOR, and AND protocols based on a two-cards-per-bit encoding scheme, which all can be implemented using only four cards. In this paper, we show that it is possible to construct four-card COPY, XOR, and AND protocols using polarizing plates as cards and a corresponding two-cards-per-bit encoding scheme. Our protocols are optimal in the setting of two-cards-per-bit encoding schemes since four cards are always required to encode the inputs. As applications of our protocols, we show constructions of optimal input-preserving XOR and AND protocols, which we combine to obtain optimal half-adder, full-adder, voting protocols, and more.