(Hierarchical) Identity-Based Encryption from Affine Message Authentication
Cited by 10 (1 self)
We provide a generic transformation from any affine message authentication code (MAC) to an identity-based encryption (IBE) scheme over pairing groups of prime order. If the MAC satisfies a security notion related to unforgeability against chosen-message attacks and, for example, the k-Linear assumption holds, then the resulting IBE scheme is adaptively secure. Our security reduction is tightness-preserving, i.e., if the MAC has a tight security reduction, so does the IBE scheme. Furthermore, the transformation also extends to hierarchical identity-based encryption (HIBE). We also show how to construct affine MACs with a tight security reduction to standard assumptions. This, among other things, provides the first tightly secure HIBE in the standard model.
Tagged One-Time Signatures: Tight Security and Optimal Tag Size
In PKC 2013, volume 7778 of LNCS
Cited by 10 (2 self)
We present an efficient structure-preserving tagged one-time signature scheme with tight security reductions to the decision-linear assumption. Our scheme features short tags consisting of a single group element and gives rise to the currently most efficient structure-preserving signature scheme based on the decision-linear assumption, with constant-size signatures of only 14 group elements, where the record so far was 17 elements. To demonstrate the advantages of our scheme, we revisit the work by Hofheinz and Jager (CRYPTO 2012) and present the currently most efficient tightly secure public-key encryption scheme. We also obtain the first structure-preserving public-key encryption scheme featuring both tight security and public verifiability.
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures
In TCC 2014, volume 8349 of LNCS
Cited by 5 (3 self)
We construct a structure-preserving signature scheme that is selectively randomizable and works in all types of bilinear groups. We give matching lower bounds showing that our structure-preserving signature scheme is optimal with respect to both signature size and public verification key size. State-of-the-art structure-preserving signatures in the asymmetric setting consist of 3 group elements, which is known to be optimal. Our construction preserves the signature size of 3 group elements and at the same time minimizes the verification key size to 1 group element. Depending on the application, it is sometimes desirable to have strong unforgeability and in other situations desirable to have randomizable signatures. To get the best of both worlds, we introduce the notion of selective randomizability, where the signer may, for specific signatures, provide randomization tokens that enable randomization. Our structure-preserving signature scheme unifies the different pairing-based settings since it can be instantiated in both symmetric and asymmetric groups. Since previously optimal structure-preserving signatures had only been constructed in asymmetric bilinear groups, this closes an important gap in our knowledge. Having a unified signature scheme that works in all types of bilinear groups is not just conceptually nice but also gives a hedge against future cryptanalytic attacks: an instantiation of our signature scheme in an asymmetric bilinear group may remain secure even if cryptanalysts later discover an efficiently computable homomorphism between the source groups.
Non-Malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures
In Cryptology ePrint Archive: Report 2013/691
Cited by 4 (2 self)
Verifiability is central to building protocols and systems with integrity. Initially, efficient methods employed the Fiat-Shamir heuristic. Since 2008, the Groth-Sahai techniques have been the most efficient in constructing non-interactive witness-indistinguishable and zero-knowledge proofs for algebraic relations in the standard model. For the important task of proving membership in linear subspaces, Jutla and Roy (Asiacrypt 2013) gave significantly more efficient proofs in the quasi-adaptive setting (QA-NIZK). For membership of the row space of a t×n matrix, their QA-NIZK proofs save Ω(t) group elements compared to Groth-Sahai. Here, we give QA-NIZK proofs made of a constant number of group elements, regardless of the number of equations or the number of variables, and additionally prove them unbounded simulation-sound. Unlike previous unbounded simulation-sound Groth-Sahai-based proofs, our construction does not involve quadratic pairing-product equations and does not rely on a chosen-ciphertext-secure encryption scheme. Instead, we build on structure-preserving signatures with homomorphic properties. We apply our methods to design new and improved CCA2-secure encryption schemes. In particular, we build the first efficient threshold CCA-secure keyed-homomorphic encryption scheme (i.e., one where homomorphic operations can only be carried out using a dedicated evaluation key) with publicly verifiable ciphertexts.
Strongly-Optimal Structure-Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds
Cited by 3 (1 self)
Recent work on structure-preserving signatures studies the optimality of these schemes in terms of the number of group elements needed in the verification key and the signature, and the number of pairing-product equations in the verification algorithm. While the size of keys and signatures is crucial for many applications, another important aspect to consider for performance is the time it takes to verify a given signature. By far the most expensive operation during verification is the computation of pairings. However, the concrete number of pairings that one needs to compute is not captured by the number of pairing-product equations considered in earlier work. To fill this gap, we consider the question of what is the minimal number of pairings that one needs to compute in the verification of structure-preserving signatures. First, we prove lower bounds for schemes in the Type II setting that are secure under chosen-message attacks in the generic group model, and we show that three pairings are necessary and that at most one of these pairings can be precomputed. We also extend our lower bound proof to schemes secure under random-message attacks and show that in this case two pairings are still necessary. Second, we build an automated tool to search for schemes matching our lower bounds. The tool can automatically and exhaustively generate all valid structure-preserving signatures within a user-specified search space, and analyze their (bounded) security in the generic group model. Interestingly, using this tool, we find a new randomizable structure-preserving signature scheme in the Type II setting that is optimal with respect to the lower bound on the number of pairings, and also minimal with respect to the number of group operations that have to be computed during verification.
Concise Multi-Challenge CCA-Secure Encryption and Signatures with Almost Tight Security
Cited by 3 (1 self)
To gain strong confidence in the security of a public-key scheme, it is most desirable for the security proof to feature a tight reduction between the adversary and the algorithm solving the underlying hard problem. Recently, Chen and Wee (Crypto ’13) described the first identity-based encryption scheme with almost tight security under a standard assumption. Here, “almost tight” means that the security reduction only loses a factor O(λ), where λ is the security parameter, instead of a factor proportional to the number of adversarial queries. Chen and Wee also gave the shortest signatures whose security almost tightly relates to a simple assumption in the standard model. Also recently, Hofheinz and Jager (Crypto ’12) constructed the first CCA-secure public-key encryption scheme in the multi-user setting with tight security. These constructions give schemes that are significantly less efficient in length (and thus, processing) when compared with the earlier schemes with loose reductions in their proof of security. Hofheinz and Jager’s scheme has a ciphertext of a few hundred group elements, and they left open the problem of finding truly efficient constructions. Likewise, Chen and Wee’s signatures and IBE schemes are somewhat less efficient than previous constructions with loose reductions from the same assumptions. In this paper, we consider space-efficient schemes with security almost tightly related to standard assumptions. As a step in solving the open question by Hofheinz and Jager, we construct an ef
Compactly Hiding Linear Spans: Tightly Secure Constant-Size Simulation-Sound QA-NIZK Proofs and Applications
Cited by 2 (0 self)
Quasi-adaptive non-interactive zero-knowledge (QA-NIZK) proofs are a recent paradigm, suggested by Jutla and Roy (Asiacrypt ’13), which is motivated by the seminal Groth-Sahai techniques for efficient non-interactive zero-knowledge (NIZK) proofs. In this paradigm, the common reference string may depend on specific language parameters, a fact that allows much shorter proofs in important cases. It even makes certain standard-model applications competitive with the Fiat-Shamir heuristic in the random oracle idealization. Such QA-NIZK proofs were recently optimized to constant size by Jutla and Roy (Crypto ’14) and Libert et al. (Eurocrypt ’14) for the important case of proving that a vector of group elements belongs to a linear subspace. While the QA-NIZK arguments of Libert et al. provide unbounded simulation-soundness and constant proof length, their simulation-soundness is only loosely related to the underlying assumption (with a gap proportional to the number of adversarial queries) and it is unknown how to alleviate
Identity-Based Encryption with (Almost) Tight Security in the Multi-Instance, Multi-Ciphertext Setting
In Public-Key Cryptography – PKC 2015
Cited by 2 (0 self)
We construct an identity-based encryption (IBE) scheme that is tightly secure in a very strong sense. Specifically, we consider a setting with many instances of the scheme and many encryptions per instance. In this setting, we reduce the security of our scheme to a variant of a simple assumption used for a similar purpose by Chen and Wee (Crypto 2013). The security loss of our reduction is O(k), where k is the security parameter. Our scheme is the first IBE scheme to achieve this strong flavor of tightness under a simple assumption. Technically, our scheme is a variation of the IBE scheme by Chen and Wee. However, in order to “lift” their results to the multi-instance, multi-ciphertext case, we need to develop new ideas. In particular, while we build on (and extend) their high-level proof strategy, we deviate significantly in the low-level proof steps.
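This abstract, like the Concise Multi-Challenge abstract earlier in the list, measures tightness by the factor a reduction loses: proportional to the number of adversarial queries (or, in the multi-instance setting, instances times encryptions) for a loose reduction, O(k) for an almost tight one, and a constant for a tight one. The following example is added here and is not code from any of the listed papers; it turns such a loss factor into the group size a practitioner would have to pick. It relies on the standard heuristic that a prime-order pairing group of order p gives about log2(p)/2 bits of security against generic discrete-log attacks, and the target level, user counts, query counts and function names (required_group_bits, compare_reductions) are assumptions of the example, not figures from the papers.

```python
import math

# Assumption of this example: generic attacks (Pollard rho, baby-step
# giant-step) solve discrete logs in a prime-order group of order p in about
# sqrt(p) operations, so log2(p) must be twice the desired problem hardness.
GENERIC_ATTACK_EXPONENT = 2


def required_group_bits(target_bits: int, loss_factor: float) -> int:
    """Minimum log2(p) for a scheme to keep `target_bits` of security when
    its reduction to a problem in the group loses a factor `loss_factor`.

    A reduction with loss L turns an adversary with advantage eps against the
    scheme into a solver with advantage about eps / L.  To keep the scheme at
    2^-target, the underlying problem must be (target + log2 L)-bit hard, and
    the sqrt(p) generic attacks double that again to obtain log2(p).
    """
    if loss_factor < 1:
        raise ValueError("a reduction cannot gain advantage; loss must be >= 1")
    problem_bits = target_bits + math.log2(loss_factor)
    return math.ceil(GENERIC_ATTACK_EXPONENT * problem_bits)


def compare_reductions(target_bits: int, security_param: int,
                       instances: int, queries_per_instance: int) -> dict:
    """Group sizes implied by the three loss profiles discussed on this page.

    - 'loose': loss proportional to the total number of challenge ciphertexts
      across all instances (instances * queries_per_instance).
    - 'almost_tight': loss O(security_param), the Chen-Wee style profile.
    - 'tight': constant loss, modelled here as exactly 1.
    """
    total_queries = instances * queries_per_instance
    return {
        "loose": required_group_bits(target_bits, total_queries),
        "almost_tight": required_group_bits(target_bits, security_param),
        "tight": required_group_bits(target_bits, 1),
    }


if __name__ == "__main__":
    # Constructed scenario (not from the papers): 128-bit target, 2^20
    # instances each answering 2^10 encryption queries.
    sizes = compare_reductions(128, 128, 2**20, 2**10)
    for profile, bits in sizes.items():
        print(f"{profile:>13}: log2(p) >= {bits} bits")
```

In the constructed scenario the loose profile demands a 316-bit group, the almost tight profile 270 bits and the tight profile 256 bits, which is the practical reason the abstracts care about the loss factor: the loose bound grows with deployment size, while the almost tight one depends only on the security parameter. The model deliberately ignores the reduction's running-time overhead and treats the loss as an exact multiplicative factor, so real parameter choices should be read from the concrete theorem statements.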
Encrypted Secret Sharing and Analysis by Plaintext Randomization
2013
Cited by 1 (1 self)
In this paper we consider the problem of secret sharing where shares are encrypted using a public-key encryption (PKE) scheme and the ciphertexts are publicly available. While intuition tells us that the secret should be protected if the PKE is secure against chosen-ciphertext attacks (i.e., CCA-secure), formally proving this reveals some subtle and non-trivial challenges. We isolate the problems that this raises, and devise a new analysis technique called “plaintext randomization” that can successfully overcome these challenges, resulting in the desired proof. The encryption of different shares can use one key or multiple keys, with natural applications in both scenarios.
Déjà Q All Over Again: Tighter and Broader Reductions of q-Type Assumptions
In this paper, we demonstrate that various cryptographic constructions, including ones for broadcast, attribute-based, and hierarchical identity-based encryption, can rely for security on only the static subgroup hiding assumption when instantiated in composite-order bilinear groups, as opposed to the dynamic q-type assumptions on which their security was previously based. This specific goal is accomplished by more generally extending the recent Déjà Q framework (Chase and Meiklejohn, Eurocrypt 2014) in two main directions. First, by teasing out common properties of existing reductions, we expand the q-type assumptions that can be covered by the framework; i.e., we demonstrate broader classes of assumptions that can be reduced to subgroup hiding. Second, while the original framework applied only to asymmetric composite-order bilinear groups, we provide a reduction to subgroup hiding that works in symmetric (as well as asymmetric) composite-order groups. As a bonus, our new reduction achieves a tightness of log(q) rather than q.