Yang Song,Haiying Gao,Shiyu Wang,Chao Ma,Keshuo Sun

DOI: https://doi.org/10.1007/s11227-024-05962-9

IF: 3.3

2024-03-12

The Journal of Supercomputing

Abstract:Updatable encryption (UE) is a cryptosystem that allows clients to outsource encrypted data to untrusted servers and periodically rotating the encryption keys. The server can update the encrypted data from an old key to a new key using an update token generated by the client without revealing any information about the plaintext. In this paper, we propose a new security model for UE that considers the possibility of an adversary corrupting all update tokens and keys of the past epochs. We show that our security model is consistent with the actual application scenarios of UE. We construct the first UE scheme based on NTRU, named NTRU-UE. Our scheme employs the generalized key-switching technique to achieve backward-leak uni-directional key updates and uni-directional ciphertext updates. Additionally, we use the ciphertext-masking technique to achieve random-update. We prove that the new scheme satisfies the security requirements in our model. Furthermore, we evaluate the security levels of our scheme in both classical and quantum models. We also present the implementation efficiency of our scheme and the number of times the key can be updated under our recommended parameters. These results fill the long-term gap in theory and practical application of UE.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Vipin Singh Sehrawat,Yvo Desmedt

DOI: https://doi.org/10.1007/978-3-030-31578-8_1

2020-08-21

Abstract:We define a pseudorandom function (PRF) $F: \mathcal{K} \times \mathcal{X} \rightarrow \mathcal{Y}$ to be bi-homomorphic when it is fully Key homomorphic and partially Input Homomorphic (KIH), i.e., given $F(k_1, x_1)$ and $F(k_2, x_2)$, there is an efficient algorithm to compute $F(k_1 \oplus k_2, x_1 \ominus x_2)$, where $\oplus$ and $\ominus$ are (binary) group operations. The homomorphism on the input is restricted to a fixed subset of the input bits, i.e., $\ominus$ operates on some pre-decided $m$-out-of-$n$ bits, where $|x_1| = |x_2| = n$, and the remaining $n-m$ bits are identical in both inputs. In addition, the output length, $\ell$, of the operator $\ominus$ is not fixed and is defined as $n \leq \ell \leq 2n$, hence leading to Homomorphically induced Variable input Length (HVL) as $n \leq |x_1 \ominus x_2| \leq 2n$. We present a learning with errors (LWE) based construction for a HVL-KIH-PRF family. Our construction is inspired by the key homomorphic PRF construction due to Banerjee and Peikert (Crypto 2014). An updatable encryption scheme allows rotations of the encryption key, i.e., moving existing ciphertexts from old to new key. These updates are carried out via \emph{update tokens}, which can be used by an untrusted party since the update procedure does not involve decryption of the ciphertext. We use our novel PRF family to construct an updatable encryption scheme, named QPC-UE-UU, which is quantum-safe, post-compromise secure and supports unidirectional ciphertext updates, i.e., the update tokens can be used to perform ciphertext updates but they cannot be used to undo already completed updates. Our PRF family also leads to the first left/right key homomorphic constrained-PRF family with HVL.

Cryptography and Security

Xiwen Wang,Kai Zhang,Junqing Gong,Shi-Feng Sun,Jianting Ning

DOI: https://doi.org/10.1016/j.tcs.2023.114304

IF: 1.002

2024-01-01

Theoretical Computer Science

Abstract:Searchable symmetric encryption (SSE) allows a client to search over encrypted data. To address the real threat of key compromise in practice, this work initiates the study of key rotation for SSE and introduces the notion of updatable SSE (USSE). In USSE, a client can issue a single update token that permits the server to convert existing encrypted data from the old key to the new key. In particular, center dot we formalize the syntax of USSE and define the security model that captures the inference of key, search token, update token and encrypted data with bi-/uni-/no-directional key updates and bi-/uni-directional encrypted data updates. center dot we present a USSE scheme that supports conjunctive queries with sub -linear complexity, and prove its security with no -directional key update and bi-directional encrypted data update. We also give extensions for concerning different key/encrypted data updates. center dot we implement our USSE schemes and evaluate the performance with real -world dataset, which illustrates that our schemes achieve practically acceptable computational overhead and communication cost. Technically, our formalization of USSE is inspired by updatable encryption (UE); our USSE schemes are obtained by a semi -generic transformation from Cash et al.'s SSE and UE. The transformation itself only relies on DL and DBDH assumptions. We believe that the transformation is of independent interest and applicable to other scenarios where the SSE systems follow the structure of Cash et al.'s work.

SF Sun,Udaya Parampalli,TH Yuen,Yong Yu,Dawu Gu

2016-01-01

Abstract:© Springer International Publishing Switzerland 2016.Motivated by tampering attacks in practice, two different but related security notions, termed complete non-malleability and relatedkey attack security, have been proposed recently. In this work, we study their relations and present the first public key encryption scheme that is secure in both notions under standard assumptions. Moreover, by exploiting the technique for achieving complete non-malleability, we give a practical scheme for the related-key attack security. Precisely, the scheme is proven secure against polynomial functions of bounded degree d under a newly introduced hardness assumption called dmodified extended decisional bilinear Diffie-Hellman assumption. Since the schemes are constructed in a direct way instead of relying on the noninteractive zero knowledge proof or signature techniques, they not only achieve the strong security notions but also have better performances.

Xiujie Zhang,Chunxiang Xu

DOI: https://doi.org/10.3969/j.issn.1001-3695.2016.08.040

2016-01-01

Abstract:The proposed forward-secure public-key encryption scheme with untrusted update has no provable security,so there is doubt about the security of the proposed schemes.This paper extended the forward-secure public-key encryption scheme and proposed the provable secure forward-secure public-key encryption scheme with untrusted update.It presented the definition of forward-secure public-key encryption scheme with untrusted update.According to the definition of scheme,it proposed the for-ward-secure public-key encryption scheme with untrusted update using bilinear mapping and efficient symmetric encryption scheme,and proved the security of the scheme based on random oracle.Through analysis,the proposed scheme is practicality as it has constant size ciphertext,constant size of private key,constant overhead of encryption and decryption algorithms,con-stant overhead of key update algorithm.

Zengpeng Li,Chunguang Ma,Ding Wang,Minghao Zhao,Qian Zhao,Lu Zhou

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.300

2017-01-01

Abstract:Proxy re-encryption (PRE) is an important cryptographic primitive used for private information sharing. However, the recent advance in quantum computer has potentially crippled its security, as the traditional decisional Diffie-Hellman (DDH)-based PRE is venerable to the quantum attack. Thus, learning with errors (LWE)-based PRE schemes, as a kind of latticebased construction with the inherent quantum-resistant property, has attracted special research interest. Unfortunately, the main drawback of lattice-based public key encryption scheme is noise management after multiplication evaluation. Many cryptographers have been devoted to controlling the expansion of noise. In this line of work, Dagdelen-Gajek-G̈opfert (DGG) put forth the notion of learning with errors in the exponent (LWEE) which is based on lattice and group-theoretic assumption, meanwhile demonstrated a paradigm for constructing efficient quantum resistance public key schemes. In this paper, on top of DGG, we construct a single-bit, single-hop and unidirectional LWEE- based PRE scheme with indistinguishable chosen plaintext attack (IND-CPA) security. To the best of our knowledge, our scheme is the first LWEE-based PRE scheme.

Jiacheng Zhou,Zhenhua Liu,Baocang Wang

DOI: https://doi.org/10.1002/nem.2304

2024-09-25

International Journal of Network Management

Abstract:We analyze the security of the first definitional framework of Updatable signature, which was proposed in PKC 2021 by Cini et al. (as the above image). We propose an improved updatable signature scheme that changes the generation mode of the update token (the details is shown below) to weaken it's power, and use the technique of indistinguishability obfuscation to make the token no‐directional key update and unidirectional signature update. Updatable signature (US) resists key compromise attacks and is integral in numerous fields that require authentication. However, previous US schemes granted excessive power to update token, which cannot achieve no‐directional key update. In this paper, we improve Cini et al.'s US scheme by weakening update token. The improvement lies in changing the mode of generating an update token, from the signer alone to the signer and the server cooperatively. Specifically, they first negotiate a secret value, which is then used by the signer to generate an update token. This mode ensures that only the entity who owns the secret value can use the update token to update a signature. Furthermore, we employ indistinguishability obfuscation to minimize information leakage through update token. These advancements make the improved updatable signature scheme achieve no‐directional key update and unidirectional signature update. Finally, we present an enhanced security model, where an adversary is permitted to freely corrupt update tokens and signing keys, except the signing key at challenge epoch, and then prove the improved scheme to be unforgeable based on CDH hardness.

computer science, information systems,telecommunications

Huige Wang,Kefei Chen,Baodong Qin,Xuejia Lai,Yunhua Wen

DOI: https://doi.org/10.1007/s11432-015-1037-2

2016-01-01

Science China Information Sciences

Abstract:We present a new primitive of randomized message-locked encryption(MLE) in this paper and define a new security model for it. The new primitive, named message-locked encryption3(hereafter referred as MLE3),is actually a variant of randomized message-locked encryption(Bellare et al. Eurocrypt’13). In order to prevent trivial attacks, our primitive admits a semi-trusted server, which is allowed to hold a secret key of public key encryption(PKE), to verify the correctness of a tag. The new security notion, called privacy chosen-distribution attacks3(PRV-CDA3), requires that a ciphertext generated by encrypting an unpredictable message and another ciphertext(possible invalid) chosen randomly from a ciphertext space are indistinguishable. Compared with the priori proposed security notion, privacy chosen-distribution attacks(PRV-CDA)(Bellare et al. Eurocrypt’13),which requires that two ciphertexts generated by encrypting two unpredictable messages are indistinguishable,the security notion we propose is much stronger. Based on the new primitive, under the blackbox reductions,we put forward a novel construction which achieves both privacy chosen-distribution attacks3(PRV-CDA3) and strong tag consistency(STC) securities in the standard model via universal computational extractors(UCEs)(Bellare et al. Crypto’13). In addition, our scheme also provides the validity-testing for ciphertext.

Zhiming Yin,Xiong Li,Kim-Kwang Raymond Choo,Yuzhen Liu,Wei Liang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys57074.2022.00107

2022-01-01

Abstract:In dynamic searchable symmetric encryption, clients can search and update encrypted data stored on the server (assumed to be semi-honest). In such schemes, forward privacy guarantees that prior queries are not related to subsequent updated entries, while backward privacy ensures that the previously deleted files are not retrievable from the subsequent queries. However, most of the existing schemes have poor update efficiency, for example incurring significant computational and communication overheads since the use of the complex structures and cryptographic primitives used. Hence, we propose a Forward and Backward private searchable symmetric encryption scheme with Efficient uPdates, called FBEP. Specifically, FBEP achieves efficient updates based on Bloom filters and lightweight symmetric cryptographic primitives. It enables the client to remove file identifiers without interacting with the server and insert them efficiently, while maintaining high search efficiency. We precisely define the leakage of FBEP, and demonstrate that FBEP supports forward and Type-II backward privacy with formal security analysis. Besides, the experiments show that FBEP is much better than other related schemes in terms of comprehensive performance. Specially, the update efficiency of FBEP outperforms at least $1.6\times, 25\times, 525\times$ than Mitra, $\text{SD}_{d}$ and $\mathbf{Janus} ++$ , respectively, while the search time is at least $2\times, 702\times$ faster than Mitra and $\mathbf{Janus} ++$ , respectively.

Shi-Feng Sun,Joseph K. Liu,Yu,Baodong Qin,Dawu Gu

DOI: https://doi.org/10.1093/comjnl/bxw025

2016-01-01

Abstract:Related-key attacks (RKAs) are a flavor of powerful physical attacks, which allow an adversary to modify the secret key stored in a cryptographic device and subsequently observe the effect of such modifications on the output of the device. Designing secure encryption schemes against such attacks is a challenging task, especially for a large class of such physical attacks which are usually captured by related-key derivation functions. In this work, we achieve the security of public key encryptions (PKEs) against a new and broad function class that consists of almost all efficiently invertible functions in two different ways. Specifically, we first give a generic construction of PKE which is proven secure against such a broad function class under the standard chosen-ciphertext security. Moreover, we present two practical concrete constructions, both of which are shown to be secure against such function class under standard assumptions in the standard model. At last, we give a detailed performance analysis, which shows that our constructions can not only resist to a large class of RKAs but also achieve a good efficiency.

Prabhanjan Ananth,Alexander Poremba,Vinod Vaikuntanathan

2023-10-13

Abstract:Quantum cryptography leverages many unique features of quantum information in order to construct cryptographic primitives that are oftentimes impossible classically. In this work, we build on the no-cloning principle of quantum mechanics and design cryptographic schemes with key-revocation capabilities. We consider schemes where secret keys are represented as quantum states with the guarantee that, once the secret key is successfully revoked from a user, they no longer have the ability to perform the same functionality as before. We define and construct several fundamental cryptographic primitives with key-revocation capabilities, namely pseudorandom functions, secret-key and public-key encryption, and even fully homomorphic encryption, assuming the quantum subexponential hardness of the learning with errors problem. Central to all our constructions is our approach for making the Dual-Regev encryption scheme (Gentry, Peikert and Vaikuntanathan, STOC 2008) revocable.

Quantum Physics,Cryptography and Security

Huige Wang,Kefei Chen,Yu Long,Junyao Ye,Liangliang Wang

DOI: https://doi.org/10.1007/s12083-016-0488-6

IF: 3.488

2016-01-01

Peer-to-Peer Networking and Applications

Abstract:In this paper, we propose a new construction for randomized message-locked encryption (MLE) with privacy chosen-distribution attacks (PRV-CDA) and strong tag consistency (STC) securities in the standard model via UCEs. The new construction is based on \(\mathsf {UCE}[\mathsf {S}^{sup}\cap \mathsf {S}^{q\text {-}query}]\) secure family of hash functions, adaptively secure non-interactive zero knowledge proof system (NIZK) and indistinguishable chosen-plaintext attacks (IND-CPA) secure symmetric encryption (SE). Compared with existing randomized MLE schemes such as Bellare et al.’s XtESPKE scheme (Eurocrypt 2013), our scheme gives concrete instantiation and detailed security proofs. Although Abadi et al.’s construction for randomized MLE (Crypto 2013) achieves STC and PRV-CDA2, but their construction is designed in the random oracle model and cannot be instantiated, while our scheme can be instantiated in the standard model and achieves both STC and PRV-CDA securities.

Arthur Mehta,Anne Müller

2024-10-08

Abstract:In a functional encryption (FE) scheme, a user that holds a ciphertext and a function-key can learn the result of applying the function to the plaintext message. Security requires that the user does not learn anything beyond the function evaluation. On the other hand, unclonable encryption (UE) is a uniquely quantum primitive, which ensures that an adversary cannot duplicate a ciphertext to decrypt the same message multiple times. In this work we introduce unclonable quantum functional encryption (UFE), which both extends the notion of FE to the quantum setting and also possesses the unclonable security of UE. We give a construction for UFE that supports arbitrary quantum messages and polynomialy-sized circuit, and achieves unclonable-indistinguishable security for independently sampled function keys. In particular, our UFE guarantees that two parties cannot simultaneously recover the correct function outputs using two independently sampled function keys. Our construction combines quantum garbled circuits [BY22], and quantum-key unclonable encryption [AKY24], and leverages techniques from the plaintext expansion arguments in [Hir+23]. As an application we give the first construction for public-key UE with variable decryption keys. Lastly, we establish a connection between quantum indistinguishability obfuscation (qiO) and quantum functional encryption (QFE); Showing that any multi-input indistinguishability-secure quantum functional encryption scheme unconditionally implies the existence of qiO.

Quantum Physics,Cryptography and Security

Puwen Wei,Yuliang Zheng,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-28368-0_14

2012-01-01

Cryptography and Security

Abstract:We investigate public key encryption that allows the originator of a ciphertext to retrieve a "forgotten" plaintext from the ciphertext. This type of public key encryption with "backward recovery" contrasts more widely analyzed public key encryption with "forward secrecy". We advocate that together they form the two sides of a whole coin, whereby offering complementary roles in data security, especially in cloud computing, 3G/4G communications and other emerging computing and communication platforms. We formalize the notion of public key encryption with backward recovery, and present two construction methods together with formal analyses of their security. The first method embodies a generic public key encryption scheme with backward recovery using the "encrypt then sign" paradigm, whereas the second method provides a more efficient scheme that is built on Hofheinz and Kiltz's public key encryption in conjunction with target collision resistant hashing. Security of the first method is proved in a two-user setting, whereas the second is in a more general multi-user setting.

You Lyu,Shengli Liu,Shuai Han

DOI: https://doi.org/10.1007/978-3-031-58754-2_5

2024-01-01

Abstract:In this paper, we construct the first password authenticated key exchange (PAKE) scheme from isogenies with Universal Composable (UC) security in the random oracle model (ROM). We also construct the first two PAKE schemes with UC security in the quantum random oracle model (QROM), one is based on the learning with error (LWE) assumption, and the other is based on the group-action decisional Diffie-Hellman (GA-DDH) assumption in the isogeny setting. To obtain our UC-secure PAKE scheme in ROM, we propose a generic construction of PAKE from basic lossy public key encryption (LPKE) and CCA-secure PKE. We also introduce a new variant of LPKE, named extractable LPKE (eLPKE). By replacing the basic LPKE with eLPKE, our generic construction of PAKE achieves UC security in QROM. The LPKE and eLPKE have instantiations not only from LWE but also from GA-DDH, which admit four specific PAKE schemes with UC security in ROM or QROM, based on LWE or GA-DDH.

Xinwei Gao,Jintai Ding,Lin Li,Jiqiang Liu

DOI: https://doi.org/10.1109/tc.2018.2808527

IF: 3.183

2018-01-01

IEEE Transactions on Computers

Abstract:Ring Learning With Errors (RLWE)-based key exchange is one of the most efficient and secure primitive for post-quantum cryptography. One common approach to achieve key exchange over RLWE is error reconciliation. Recently, an efficient attack against reconciliation-based RLWE key exchange protocols with reused keys was proposed. This attack can recover a long-term private key if a key pair is reused. We also know that in the real world, key reuse is commonly adopted in applications like the Transport Layer Security (TLS) protocol to improve performance. Directly motivated by this attack, we construct a new randomized RLWE-based key exchange protocol against this attack. Our lightweight approach incorporates an additional ephemeral public error term into key exchange materials, so that this attack no longer works. With the same attack, we practically show that the signal value of our protocol is indistinguishable from uniform random, therefore, this attack no longer works. We explain how the attack fails, present 200-bit classic and 80-bit quantum secure parameter choice, efficient implementations, comparisons and discussion. Benchmark shows our protocol is truly efficient and even faster than related vulnerable protocols.

Shi-Feng Sun,Shuai Han,Dawu Gu,Shengli Liu

DOI: https://doi.org/10.1049/iet-ifs.2015.0195

2016-01-01

IET Information Security

Abstract:The authors present a new general construction of public key encryption (PKE) based on the restricted subset membership (RSM) assumption, which can achieve the bounded-memory leakage resilient security and the auxiliary-input leakage resilient security simultaneously. The construction is BHHO-type, as Brakerski et al. work, but the message space is much larger and the proof is more concise benefiting from the RSM assumption. Instantiating the construction with the QR assumption, the authors get the first QR-based auxiliary-input secure PKE with a larger message space than {0,1}. Moreover, the authors generalise the Goldreich-Levin theorem to large rings. This theorem helps to improve the construction to achieve the same security level with fewer public parameters and shorter ciphertexts compared with Brakerski et al. work. For the bounded-memory leakage resilient security, the construction can achieve leakage rate of 1-o(1) and avoid the dependence between the message length and the amount of leakage. Based on the general construction, the authors also can achieve both bounded-memory leakage resilient chosen ciphertext attack (CCA) security and the auxiliary-input leakage resilient CCA security via the well-known Naor-Yung paradigm.

Matthieu Lequesne,Jean-Pierre Tillich

DOI: https://doi.org/10.48550/arXiv.1802.06157

2018-02-17

Abstract:The key encapsulation mechanism Edon-K was proposed in response to the call for post-quantum cryptography standardization issued by the National Institute of Standards and Technologies (NIST). This scheme is inspired by the McEliece scheme but uses another family of codes defined over $\mathbb{F}_{2^{128}}$ instead of $\mathbb{F}_2$ and is not based on the Hamming metric. It allows significantly shorter public keys than the McEliece scheme. In this paper, we give a polynomial time algorithm that recovers the encapsulated secret. This attack makes the scheme insecure for the intended use. We obtain this result by observing that recovering the error in the McEliece scheme corresponding to Edon-K can be viewed as a decoding problem for the rank-metric. We show that the code used in Edon-K is in fact a super-code of a Low Rank Parity Check (LRPC) code of very small rank (1 or 2). A suitable parity-check matrix for the super-code of such low rank can be easily derived from for the public key. We then use this parity-check matrix in a decoding algorithm that was devised for LRPC codes to recover the error. Finally we explain how we decapsulate the secret once we have found the error.

Cryptography and Security

Shifeng Sun,Dawu Gu,Man Ho Au,Shuai Han,Yu Yu,Joseph K. Liu

DOI: https://doi.org/10.1007/978-3-030-21568-2_24

2019-01-01

Abstract:We revisit the problem of constructing public key encryption (PKE) secure against both key-leakage and tampering attacks. First, we present an enhanced security against both kinds of attacks, namely strong leakage and tamper-resilient chosen-ciphertext (sLTR-CCA) security, which imposes only minimal restrictions on the adversary's queries and thus captures the capability of the adversary in a more reasonable way. Then, we propose a generic paradigm achieving this security on the basis of a refined hash proof system (HPS) called public-key-malleable HPS. The paradigm can not only tolerate a large amount of bounded key-leakage, but also resist an arbitrary polynomial of restricted tampering attacks, even depending on the challenge phase. Moreover, the paradigm with slight adaptations can also be proven sLTR-CCA secure with respect to subexponentially hard auxiliary-input leakage. In addition, we instantiate our paradigm under certain standard number-theoretic assumptions, and thus, to our best knowledge, obtain the first efficient PKE schemes possessing the strong bounded/auxiliary-input leakage and tamper-resilient chosen-ciphertext security in the standard model.

Shuai Han,Shengli Liu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-92075-3_17

2021-01-01

Abstract:For Key Encapsulation Mechanism (KEM) deployed in a multi-user setting, an adversary may corrupt some users to learn their secret keys, and obtain some encapsulated keys due to careless key managements of users. To resist such attacks, we formalize Enhanced security against Chosen Plaintext/Ciphertext Attack (ECPA/ECCA), which ask the pseudorandomness of unrevealed encapsulated keys under uncorrupted users. This enhanced security for KEM serves well for the security of a class of Authenticated Key Exchange protocols built from KEM. In this paper, we study the achievability of tight ECPA and ECCA security for KEM in the multi-user setting, and present an impossibility result and an optimal security loss factor that can be obtained. The existing meta-reduction technique due to Bader et al. (EUROCRYPT 2016) rules out some KEMs, but many well-known KEMs, e.g., Cramer-Shoup KEM (SIAM J. Comput. 2003), Kurosawa-Desmedt KEM (CRYPTO 2004), run out. To solve this problem, we develop a new technique tool named rank of KEM and a new secret key partitioning strategy for meta-reduction. With this new tool and new strategy, we prove that KEM schemes with polynomially-bounded ranks have no tight ECPA and ECCA security from non-interactive complexity assumptions, and the security loss is at least linear in the number n of users. This impossibility result covers lots of well-known KEMs, including the CramerShoup KEM, Kurosawa-Desmedt KEM and many others. Moreover, we show that the linear security loss is optimal by presenting concrete KEMs with security loss T(n). This is justified by a non-trivial security reduction with linear loss factor from ECPA/ECCA security to the traditional multi-challenge CPA/CCA security.