Toshiyuki Isshiki

Proxy re-encryption in a stronger security model extended from CT-RSA2012

Proxy re-encryption (PRE) realizes delegation of decryption rights, enabling a proxy holding a re-encryption key to convert a ciphertext originally intended for Alice into an encryption of the same message for Bob, and cannot learn anything about the encrypted plaintext. PRE is a very useful primitive, having many applications in distributed file systems, outsourced filtering of encrypted spam, access control over network storage, confidential email, digital right management, and so on. In CT-RSA2012, Hanaoka et al. proposed a chosen-ciphertext (CCA) security definition for PRE, and claimed that it is stronger than all the previous works. Their definition is a somewhat strengthened variant of the replayable-CCA one, however, it does not fully capture the CCA security notion. In this paper, we present a full CCA security definition which is extended from theirs. We then propose the first PRE scheme with this security in the standard model (i.e. without the random oracle idealization). Our scheme is efficient and relies on mild complexity assumptions in bilinear groups.

Using group signatures for identity management and its implementation

We discuss the merits of using group signature technology in Identity Management. We propose a novel model of group signature scheme and introduce a new entity called User-Revocation manager. User-Revocation manager plays an independent role regarding user revocation which was previously covered by either Group manager or Issuing manager. We extend the idea of the Camenisch-Groth scheme and present an efficient revocation scheme where the cost of user revocation is smaller than that of the Camenisch-Groth scheme. We also discuss the details of our implementation.

Security of digital signature schemes in weakened random oracle models

We formalize the notion of several weakened random oracle models in order to capture which property of a hash function is crucial to prove the security of a cryptographic scheme. In particular, we focus on augmenting the random oracle with additional oracles that respectively return collisions, secondpreimages, and first-preimages. We study the security of the full domain hash signature scheme, as well as three variants thereof in the weakened random oracle models, leading to a separation result.

An ( n - t )-out-of-n threshold ring signature scheme

In CRYPTO2002, Bresson, Stern, and Szydlo proposed a threshold ring signature scheme. Their scheme uses the notion of fair partition and is provably secure in the random oracle model. Their scheme is efficient when the number t of signers is small compared with the number n of group members, i.e.,

Flexible architecture optimization and ASIC implementation of group signature algorithm using a customized HLS methodology

t={\mathcal O}(\log{n})

Attacks to the Proxy Re-Encryption Schemes from IWSEC2011

(we call this scheme BSS scheme). However, it is inefficient when t is ω(logn). In this paper, we propose a new threshold ring signature scheme which is efficient when the number of signers is large compared with the number n of group members, i.e., when the number t of non-signers in the group members is small compared with n. This scheme is very efficient when

Privacy-Preserving Fingerprint Authentication Resistant to Hill-Climbing Attacks

t={\mathcal O}(\log{n})

Factoring-Based Proxy Re-Encryption Schemes

. This scheme has a kind of dual structure of BSS scheme which is inefficient when the number of signers is large compared with the number of group members. In order to construct our scheme, we modify the trap-door one-way permutations in the ring signature scheme, and use the combinatorial notion of fair partition. This scheme is provably secure in the random oracle model.

DATABASE ENCRYPTION SYSTEM, METHOD, AND PROGRAM

Group signature is one of the main theme in recent digital signature studies. Typical signature algorithm is a combination of more than 70 elliptic curve (ECC), modular (RSA), long-bit integer and hash arithmetic functions. A full H/W IP core is strongly desired for the use of group signature in SoCs in slow-clock and low-power mobile devices and embedded systems. Flexible adjustment of H/W speed and size, depending on different systems and LSI process technologies, is also required. However, for designing and verifying H/W, the group signature algorithm is too complicated to use a standard RTL (Register Transfer Level) design methodology nor any recent HLS (High Level Synthesis). Therefore, we incorporated a two-level behavioral synthesis approach, where an optimized macro-architecture is explored by a custom-made scheduler, after a database of multiple number of microarchitectures are effectively constructed by conventional HLS. We implemented the signature algorithm on a low-cost 0.25um gate-array. The H/W size is approximately 1M gates and our chip can compute a group signature at the equivalent speed (0.135 seconds@100MHz clock) with 3GHz PC S/W, while the power consumption is two orders of magnitude lower (425mW@100MHz).

Anonymous authentication system and anonymous authentication method

Proxy re-encryption (PRE) allows a proxy to convert a ciphertext encrypted for Alice (delegator) into a ciphertext for Bob (delegatee) by using a re-encryption key generated by Alice. In PRE, non-transferability is a property that colluding proxies and delegatees cannot re-delegate decryption rights to a malicious user. In IWSEC 2011, Hayashi, Matsushita, Yoshida, Fujii, and Okada introduced the unforgeability of re-encryption keys against collusion attack (UFReKey-CA), which is a relaxed notion of the non-transferability. They also proposed a stronger security notion, the strong unforgeability of re-encryption keys against collusion attack (sUFReKey-CA). Since sUFReKey-CA implies UFReKey-CA and sUFReKey-CA is simpler (i.e. easier to treat) definition than UFReKey-CA, sUFReKey-CA is useful to prove UFReKey-CA. They then proposed two concrete constructions of PRE and claimed that they meet both replayable-CCA security and sUFReKey-CA under two new variants of the Diffi-Hellman inversion assumption. In this paper, we present two concrete attacks to their PRE schemes. The first attack is to the sUFReKey-CA property on their two schemes. The second attack is to the assumptions employed in the security proofs for sUFReKey-CA of their two schemes.