Tung-Tso Tsai
National Changhua University of Education
Publication
Featured research published by Tung-Tso Tsai.
The Computer Journal | 2012
Yuh-Min Tseng; Tung-Tso Tsai
Over the last few years, identity (ID)-based encryption (IBE), which requires no certificate management, has offered a practical alternative to public key encryption. However, how to revoke misbehaving/compromised identities in the ID-based public key setting has become a new and critical issue. In the past, there was little work on this revocation problem. In 2008, Boldyreva et al. proposed a revocable IBE (RIBE) and its associated revocation solution, which used a binary tree structure to reduce the authority's periodic workload in Boneh and Franklin's IBE. However, Boldyreva et al.'s RIBE incurs enormous computation costs for the encryption and decryption procedures. Both IBEs require a secure channel between each user and the authority to transmit users' periodic private keys, so the authority and each user need to encrypt and decrypt the private keys for each period. In this article, we present an efficient RIBE with a public channel, which provides a practical alternative to the previously proposed revocation solutions while remaining efficient for encryption and decryption. Under the bilinear Diffie–Hellman assumption, we demonstrate that our RIBE with a public channel is semantically secure against adaptive chosen plaintext attacks and adaptive chosen ciphertext attacks.
Security and Communication Networks | 2013
Tung-Tso Tsai; Yuh-Min Tseng; Tsu-Yang Wu
A signature scheme is one of the important primitives in modern cryptography, which may offer the functionalities of user identification, non-repudiation, and message authentication. With the advent of identity (ID)-based public key systems with bilinear pairings defined on elliptic curves, many ID-based signature schemes have been proposed. Like certificate-based public key systems, any ID-based public key system must provide a revocation method to revoke misbehaving users. There was little work on the revocation problem of ID-based public key systems, and no ID-based signature scheme dealt with how to revoke the signing ability of misbehaving users. Quite recently, Tseng and Tsai presented a practical revocation mechanism using a public channel for ID-based public key systems. In this paper, we adopt Tseng and Tsai's revocation concept to define the new framework and security notions of a revocable ID-based signature (RIBS) scheme and propose the first RIBS scheme in the standard model. Under the computational Diffie–Hellman assumption, we demonstrate that the proposed RIBS scheme is provably secure while remaining efficient for signing and verification as compared with previously proposed ID-based signature schemes.
Annales Des Télécommunications | 2014
Tsu-Yang Wu; Tung-Tso Tsai; Yuh-Min Tseng
Public key encryption with keyword search (PEKS) is a mechanism that allows one to extract e-mails containing a particular keyword by providing a trapdoor corresponding to the keyword; parties without the trapdoor are unable to learn any information about the extracted e-mails. A PEKS scheme is also suitable for providing a secure storage system in a cloud computing environment. However, in a PEKS scheme, a secure channel must be established to transmit trapdoors. A PEKS scheme with a designated server, termed dPEKS, removes the requirement of the secure channel while retaining the same functionality as PEKS. To date, the related studies on dPEKS are all based on the pairing-based public key system; no work focuses on dPEKS based on ID-based systems, termed dIBEKS. In this article, we propose the first dIBEKS scheme, which possesses the advantage (removing certificate management) of ID-based systems. A security analysis is given to demonstrate that our scheme is provably secure and can resist off-line keyword guessing attacks. When compared with previously proposed dPEKS schemes, our scheme has better performance in terms of computational time.
IEEE Transactions on Emerging Topics in Computing | 2016
Yuh-Min Tseng; Sen-Shan Huang; Tung-Tso Tsai; Jia-Hua Ke
A multiserver architecture consisting of multiple servers provides resources and services for clients by way of open channels. Thus, a cryptographic protocol should be offered to ensure the legitimacy of both clients and servers, and to provide communication confidentiality. In the past, a large number of ID-based mutual authentication and key agreement (ID-MAKA) protocols have been proposed regarding this issue. Several circumstances require a revocation mechanism to revoke misbehaving/compromised clients and servers before their intended expiration dates. To do so, the existing ID-MAKA protocols generally adopt a black/white list to revoke/permit clients for access authorization. So far, no work addresses the revocation problem on servers in the sense that clients should be notified to avoid malicious services or applications provided by revoked servers. In this letter, we propose the first list-free ID-MAKA protocol with an efficient revocation mechanism for multiserver architectures. Compared with previously proposed protocols, our protocol possesses three main merits. First, it provides a simple revocation mechanism to solve the management problem of both compromised clients and servers. Second, neither clients nor servers need to keep any black/white list. Finally, it is well suited for mobile clients, as shown by performance analysis and experimental data.
IEEE Systems Journal | 2015
Tung-Tso Tsai; Yuh-Min Tseng
The concept of a certificateless public-key system (CL-PKS) was first introduced by Al-Riyami and Paterson. The CL-PKS not only solves the key escrow problem but also retains the merit of eliminating the required certificates in the identity-based PKS. Up to now, there has been little work on the revocation problem in existing CL-PKS constructions. In this paper, we address the revocation problem and propose the first revocable certificateless public-key encryption (RCL-PKE). We define the new syntax and security notions of the RCL-PKE and propose a concrete RCL-PKE scheme. Compared with the previously proposed CL-PKE schemes, the proposed RCL-PKE scheme retains efficiency for the encryption and decryption procedures while providing an efficient revocation alternative using a public channel. Under the computational and the bilinear Diffie-Hellman assumptions, we demonstrate that our RCL-PKE scheme is semantically secure against adaptive chosen-ciphertext attacks.
Information Technology and Control | 2014
Ying-Hao Hung; Tung-Tso Tsai; Yuh-Min Tseng; Sen-Shan Huang
In 2012, Tseng and Tsai presented a novel revocable ID (identity)-based public key setting that provides an efficient revocation mechanism with a public channel to revoke misbehaving or compromised users from public key systems. Subsequently, based on Tseng and Tsai's revocable ID-based public key setting, Tsai et al. proposed a new revocable ID-based signature (RIBS) scheme in the standard model (without random oracles). However, their RIBS scheme possesses only existential unforgeability under adaptive chosen-message attacks. In this article, we propose the first strongly secure RIBS scheme without random oracles under the computational Diffie-Hellman and collision resistance assumptions. Comparisons with previously proposed schemes are made to demonstrate the advantages of our scheme in terms of revocable functionality and security properties. DOI: http://dx.doi.org/10.5755/j01.itc.43.3.5718
Information Technology and Control | 2013
Yuh-Min Tseng; Tung-Tso Tsai; Tsu-Yang Wu
Quite recently, Tseng and Tsai proposed a revocable identity (ID)-based encryption (RIBE) with a public channel, in which the private key generator (PKG) can efficiently revoke misbehaving/compromised users by using a public channel. Consider the problem where a sender would like to encrypt an identical message for n receivers: with Tseng and Tsai's RIBE scheme, the sender must re-encrypt the message n times, so n expensive pairing operations are required for the re-encryption procedure. In this paper, to reduce the number of pairing operations, we extend Tseng and Tsai's RIBE to propose an efficient revocable multi-receiver ID-based encryption (RMIBE) scheme. Our scheme needs only one pairing operation to encrypt an identical message for n receivers while retaining the merit of user revocability in Tseng and Tsai's RIBE scheme. We demonstrate that the RMIBE scheme is semantically secure against adaptive chosen ciphertext attacks (CCA) in the random oracle model. DOI: http://dx.doi.org/10.5755/j01.itc.42.2.2244
intelligent information hiding and multimedia signal processing | 2012
Tsu-Yang Wu; Tung-Tso Tsai; Yuh-Min Tseng
A signature scheme is one of the important primitives in modern cryptography, which may offer the functionalities of user identification, non-repudiation, and message authentication. With the advent of the identity (ID)-based public key system (IDPKS) with bilinear pairings, many cryptographic schemes and protocols based on the IDPKS system have been proposed. Though the IDPKS system has the advantage of eliminating certificate management, revoking misbehaving or compromised users in this system is a critical issue. Quite recently, Tseng and Tsai presented a practical revocation mechanism using a public channel for the IDPKS system. In this paper, we adopt Tseng and Tsai's revocation concept to propose the first revocable ID-based signature scheme with batch verification (RID-SBV). We also discuss several cases of batch verification. Under the computational Diffie-Hellman assumption, we demonstrate that the proposed RID-SBV scheme is a provably secure signature scheme.
International Journal of Distributed Sensor Networks | 2015
Yuh-Min Tseng; Sen-Shan Huang; Tung-Tso Tsai; Li Tseng
With the rapid development in wireless communications and cloud computing technologies, clients (users) often use handheld mobile devices to access remote servers via open network channels. To provide authentication and confidentiality between clients and servers, a large number of ID-based authentication and key exchange (ID-AKE) protocols have been proposed for mobile client-server environments. However, most of the existing ID-AKE protocols adopt the precomputation technique, which makes them vulnerable to ephemeral-secret-leakage (ESL) attacks, in the sense that an adversary could use the ephemeral secrets to reveal the private keys of clients from the corresponding exchange messages. In this paper, we propose a new ESL-secure ID-AKE protocol for mobile client-server environments. We formally prove that the proposed protocol satisfies the security requirements of both mutual authentication and key exchange while resisting ESL attacks. When compared with previously proposed ID-AKE protocols, our protocol has higher security and retains computational performance, since it requires no bilinear pairing operation for mobile clients. Finally, we mention the possibility of adopting our protocol as an authentication method of the extensible authentication protocol (EAP) for wireless networks.
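Two of the abstracts above turn on the same algebraic relation: the RID-SBV abstract relies on batch verification, and the ID-AKE abstract warns that a precomputed (stored) ephemeral secret, once leaked, lets an attacker read a client's static private key out of the exchange message. The following is an added example written for this page, not code from any of the papers. It uses a plain Schnorr-type signature over a toy prime-order subgroup (p = 1019, q = 509, g = 4 are assumptions of the example, far too small for real use) rather than the pairing-based ID-based constructions the papers actually propose; the point it demonstrates, that a signature of the form s = r + x·e is batch-verifiable with random weights and that the same linear form leaks x when r leaks, carries over to any scheme with that structure.

```python
"""Toy Schnorr-style signatures over a prime-order subgroup: batch verification
with random weights, and private-key recovery from a leaked ephemeral secret.
Illustrative code added for this page; it is NOT the pairing-based RID-SBV or
ID-AKE constructions from the papers above."""
import hashlib
import secrets

# Toy group (assumption of this example): p = 2q + 1 with p = 1019 and q = 509
# both prime; g = 4 generates the order-q subgroup of Z_p^*.  Real deployments
# use 256-bit or larger groups; these sizes only keep the numbers readable.
P, Q, G = 1019, 509, 4


def in_subgroup(v):
    """Reject values outside the order-q subgroup (including 0 and out-of-range)."""
    return 0 < v < P and pow(v, Q, P) == 1


def keygen(x=None):
    """Static key pair (x, y = g^x).  x may be fixed for reproducible demos."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)


def challenge(R, y, msg):
    """Fiat-Shamir challenge e = H(R, y, msg) mod q; binding y blocks key substitution."""
    h = hashlib.sha256(f"{R}|{y}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def sign(x, y, msg, r=None):
    """s = r + x*e mod q.  r is the ephemeral secret: it must stay secret and unique."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    R = pow(G, r, P)
    return R, (r + x * challenge(R, y, msg)) % Q


def verify(y, msg, sig):
    """Single-signature check g^s == R * y^e."""
    R, s = sig
    if not (in_subgroup(R) and in_subgroup(y) and 0 <= s < Q):
        return False
    return pow(G, s, P) == R * pow(y, challenge(R, y, msg), P) % P


def batch_verify(items, weighted=True):
    """Check a list of (y, msg, sig) at once; signers may differ (multi-signer case).

    One exponentiation of g replaces one per signature.  With weighted=True each
    equation is raised to a random weight w_i in [1, q-1] (the small-exponent test)
    so defects in different signatures cannot cancel.  weighted=False is the naive
    sum and is kept only to demonstrate why the weights are needed."""
    exp_sum, rhs = 0, 1
    for y, msg, (R, s) in items:
        if not (in_subgroup(R) and in_subgroup(y) and 0 <= s < Q):
            return False
        w = secrets.randbelow(Q - 1) + 1 if weighted else 1
        e = challenge(R, y, msg)
        exp_sum = (exp_sum + w * s) % Q
        rhs = rhs * pow(R, w, P) * pow(y, w * e % Q, P) % P
    return pow(G, exp_sum, P) == rhs


def recover_private_key(y, msg, sig, leaked_r):
    """Ephemeral-secret leakage: with r known, x = (s - r) / e mod q."""
    R, s = sig
    e = challenge(R, y, msg)
    if e == 0:  # degenerate challenge (probability 1/q); nothing to divide by
        return None
    return (s - leaked_r) * pow(e, -1, Q) % Q


def cancelling_pair(x, y, d):
    """Two individually invalid signatures whose defects +d and -d sum to 0 mod q."""
    (R1, s1), (R2, s2) = sign(x, y, b"msg one"), sign(x, y, b"msg two")
    return [(y, b"msg one", (R1, (s1 + d) % Q)), (y, b"msg two", (R2, (s2 - d) % Q))]


if __name__ == "__main__":
    x, y = keygen(123)
    sig = sign(x, y, b"hello", r=77)          # r=77 stands in for a stored precomputed nonce
    print("single verify:", verify(y, b"hello", sig))
    print("naive batch accepts cancelling defects:", batch_verify(cancelling_pair(x, y, 5), weighted=False))
    print("weighted batch accepts them:", batch_verify(cancelling_pair(x, y, 5)))
    print("x recovered from leaked r:", recover_private_key(y, b"hello", sig, leaked_r=77))
```

Run it as a script to see the three effects side by side. The naive batch (all weights 1) accepts two bogus signatures whose defects cancel, which is the failure mode the random weights prevent; with the toy q the weighted check still has a 1/(q-1) chance of being fooled by that pair, which becomes negligible at real group sizes. The recovery function is the ESL attack in miniature: a client that precomputes and stores r to save an exponentiation on a mobile device has turned one leaked stored value into its long-term key, which is exactly why the ID-AKE abstract treats precomputation as the source of the vulnerability.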
The Scientific World Journal | 2014
Tsu-Yang Wu; Tung-Tso Tsai; Yuh-Min Tseng
The existence of malicious participants is a major threat to authenticated group key exchange (AGKE) protocols. Typically, there are two detection approaches (passive and active) for resisting malicious participants in AGKE protocols. In 2012, the revocable identity- (ID-) based public key system (R-IDPKS) was proposed to solve the revocation problem in the ID-based public key system (IDPKS). Afterwards, based on the R-IDPKS, Wu et al. proposed a revocable ID-based AGKE (RID-AGKE) protocol, which adopts passive detection to resist malicious participants. However, it needs three rounds and cannot identify malicious participants. In this paper, we fuse in a noninteractive confirmed computation technique to propose the first two-round RID-AGKE protocol that identifies malicious participants, which is an active detection approach. We demonstrate that our protocol is a provably secure AGKE protocol with forward secrecy and can identify malicious participants. When compared with the recently proposed ID/RID-AGKE protocols, our protocol possesses better performance and more robust security properties.