Xiujie Zhang,Chunxiang Xu,Wenzheng Zhang,Wanpeng Li

DOI: https://doi.org/10.1007/s11704-013-3051-0

IF: 2.6688

2013-01-01

Frontiers of Computer Science

Abstract:Threshold public key encryption allows a set of servers to decrypt a ciphertext if a given threshold of authorized servers cooperate. In the setting of threshold public key encryption, we consider the question of how to correctly decrypt a ciphertext where all servers continually leak information about their secret keys to an external attacker. Dodis et al. and Akavia et al. show two concrete schemes on how to store secrets on continually leaky servers. However, their constructions are only interactive between two servers. To achieve continual leakage security among more than two servers, we give the first threshold public key encryption scheme against adaptively chosen ciphertext attack in the continual leakage model under three static assumptions. In our model, the servers update their keys individually and asynchronously, without any communication between two servers. Moreover, the update procedure is re-randomized and the randomness can leak as well.

Yu Long,Kefei Chen

DOI: https://doi.org/10.1016/j.ins.2009.12.008

IF: 8.1

2010-01-01

Information Sciences

Abstract:As a practical extension of our previous work on certificateless threshold cryptosystem, this paper proposes the first direct certificateless threshold key encapsulation mechanism that inherits the same trust level of the original scheme and removes the length limitation of a traditional public key encryption. Security against threshold chosen-ciphertext attacks are proved in a random oracle model under a new assumption. It tolerates the Type I adversary that can replace public keys and the Type II adversary that has access to the system’s master key. The implied encapsulation scheme is very efficient when compared to the most efficient schemes in a traditional public key cryptosystem, and it is slightly more efficient in terms of key length and encapsulation speed when compared to the identity-based cryptosystems that have the same ciphertext overhead. Finally, we describe several potential modifications of our scheme.

Baodong Qin,Shengli Liu

DOI: https://doi.org/10.1002/sec.571

IF: 1.968

2012-01-01

Security and Communication Networks

Abstract:ABSTRACTIn EUROCRYPT 2009, Hofheinz and Kiltz introduced a new practical chosen ciphertext secure public‐key encryption scheme under the assumption that factoring is intractable. They also proposed a variant that features a slightly more efficient decryption but unfortunately leads to large public key, of size about O(k), where k is a security parameter. In this paper, we propose a novel method to balance the efficiency and the key size of those previous two schemes. Although the public key in our scheme only consists of one RSA modulus and three group elements, it is still more efficient at decrypting than Hofheinz and Kiltz's scheme. By remarking that under certain assumptions factoring the modulus is still hard over much smaller subgroups of signed quadratic residues (i.e., semismooth subgroup), we were able to construct a new scheme that performs extremely efficient decryption. In fact, to date, this is the most efficient scheme for decryption among all public‐key encryption schemes (mainly including Hofheinz and Kiltz's schemes and their follow‐up works) whose security against chosen ciphertext attacks is based on the intractability of factoring in the standard model. Copyright © 2012 John Wiley & Sons, Ltd.

Dingyi Pei,Moti Yung,Dongdai Lin,Chuankun Wu

DOI: https://doi.org/10.1007/978-3-642-34704-7

2008-01-01

Abstract:Threshold cryptography aims at enhancing the availability and security of decryption and signature schemes by splitting private keys into several (say n) shares (typically, each of size comparable to the original secret key). In these schemes, a quorum of at least (d ≤ n) servers needs to act upon a message to produce the result (decrypted value or signature), while corrupting less than d servers maintains the scheme’s security. For about two decades, extensive study was dedicated to this subject, which created a number of notable results. So far, most practical threshold signatures, where servers act non-interactively, were analyzed in the limited static corruption model (where the adversary chooses which servers will be corrupted at the system’s initialization stage). Existing threshold encryption schemes that withstand the strongest combination of adaptive malicious corruptions (allowing the adversary to corrupt servers at any time based on its complete view), and chosenciphertext attacks (CCA) all require interaction (in the non-idealized model) and attempts to remedy this problem resulted only in relaxed schemes. The same is true for threshold signatures secure under chosenmessage attacks (CMA). It was open (for about 10 years) whether there are non-interactive threshold schemes providing the highest security (namely, CCA-secure encryption and CMA-secure signature) with scalable shares (i.e., as short as the original key) and adaptive security. This paper first surveys our ICALP 2011 work which answers this question affirmatively by presenting such efficient decryption and signature schemes within a unified algebraic framework. The paper then describes how to design on top of the surveyed system the first “forward-secure non-interactive threshold cryptosystem with adaptive security.”

Yu Long,Kefei Chen,Shengli Liu

DOI: https://doi.org/10.15388/informatica.2006.152

2006-01-01

Informatica

Abstract:This paper proposes a threshold key escrow scheme from pairing. It tolerates the passive adversary to access any internal data of corrupted key escrow agents and the active adversary that can make corrupted servers to deviate from the protocol. The scheme is secure against threshold adaptive chosen-ciphertext attack. The formal proof of security is presented in the random oracle model, assuming the decision Bilinear Diffie-Hellman problem is computationally hard.

Changshe Ma,Kefei Chen,Dong Zheng,Shengli Liu

DOI: https://doi.org/10.1007/11556992_17

2005-01-01

Abstract:To make the system more secure and robust, threshold schemes are proposed to avoid single point failure. At the same time, there are more and more applications which utilize the two basic blocks encryption and digital signature to secure message delivery (such as SSL, SSH). Combining the three tools organically leads to an interesting security tool termed as threshold signcryption which can be used in distributed systems especially the mobile networks. In this paper, we present an efficient threshold signcryption scheme. The scheme is designed for an asynchronous network model which may better present practical distributed systems, especially Internet or mobile ad hoc networks. In order to resist mobile attacks, we add proactive property to our scheme. To the best of our knowledge, the proposed scheme is the first threshold signcryption scheme which is noninteractive, proactive and provably secure and works on asynchronous network models.

Yu Long,Kefei Chen

DOI: https://doi.org/10.1016/j.ins.2007.06.014

IF: 8.1

2007-01-01

Information Sciences

Abstract:This paper proposes the first certificateless threshold decryption scheme which avoids both the single point of failure in the distributed networks and the inherent key escrow problem in identity-based cryptosystem. The scheme is secure against threshold chosen-ciphertext attack. It tolerates the Type I adversary that can replace public key and the Type II adversary that has access to the system's master key. The formal proof of security is presented in the random oracle model, assuming some underlying problems closely related to the Bilinear Diffie-Hellman Problem are computationally hard.

Yu Long,Kefei Chen,Shengli Liu

DOI: https://doi.org/10.1016/j.compeleceng.2006.11.003

IF: 4.152

2007-01-01

Computers & Electrical Engineering

Abstract:This paper proposes an identity-based threshold decryption scheme IB-ThDec and reduces its security to the Bilinear Diffie–Hellman problem. Compared with previous work, this conceals two pairing computations in the ciphertext validity verification procedure. The formal proof of security of this scheme is provided in the random oracle model. Additionally, we show that IB-ThDec can be applied to the threshold key escrow and the mediated cryptosystems.

Shengli Liu,Fangguo Zhang,Kefei Chen

DOI: https://doi.org/10.1002/cpe.3021

2013-01-01

Abstract:SUMMARYChosen‐ciphertext security has been well‐accepted as a standard security notion for public‐key encryption. But in a multi‐user surrounding, it may not be sufficient, because the adversary may corrupt some users to obtain the random coins as well as the plaintexts used to generate ciphertexts. The attack is named ‘selective opening attack’. We study how to achieve full‐fledged chosen‐ciphertext security in selective opening setting directly from the Decisional Diffie–Hellman assumption. Our construction is actually a tag‐based public‐key encryption scheme free of chameleon hashing and has a tight security reduction to the Decisional Diffie–Hellman assumption and the collision‐resistant assumption of hash functions. The tag for each ciphertext is generated in a flexible way to serve the chosen‐ciphertext security proof in selective opening settings. Copyright © 2013 John Wiley & Sons, Ltd.

Chenchen Zhang,Yuan Luo,Guangtao Xue

DOI: https://doi.org/10.1016/j.ins.2016.05.008

IF: 8.1

2016-01-01

Information Sciences

Abstract:There have been many ways to construct a threshold cryptosystem. Most often they are constructed by combining original public encryption schemes with some methods such as Shamir's secret sharing. In this paper a new threshold cryptosystem based on RSA is presented, which is constructed by several RSA instances with chosen moduli and private keys. In fact, by computing the common private keys of some individual RSA instances and modifying the moduli, we combine those RSA instances and get a new threshold cryptosystem (hereinafter called combined RSA for simplification). First, it is proved that this system has similar security properties to the CRT-based (Chinese remainder theorem) threshold RSA while being convenient to implement, i.e., it only needs modular multiplication once to encrypt or decrypt respectively. Although the new system has the same security strength as the CRT-based RSA theoretically, it will provide fewer opportunities for adversaries in practical applications as there is only one step for encryption or decryption. Second, for complexity, as plain RSA is efficient, the combined RSA is also practical in computation. Therefore, if a plain RSA user wants to develop threshold decryption or threshold signature more conveniently and more securely, the combined RSA would be suitable. Finally, an application of the combined RSA is provided in this paper to realize distributed data access control with collusion-resistance.

Baodong Qin,Shengli Liu,Kefei Chen

DOI: https://doi.org/10.1049/iet-ifs.2013.0173

2014-01-01

IET Information Security

Abstract:A leakage-resilient public-key encryption (PKE) scheme provides security even if an adversary obtains some information on the secret key. In recent years, much attention has been focused on designing provably secure PKE in the presence of key-leakage and almost all the constructions rely on an important building block namely hash proof system (HPS). However, in the setting of adaptive chosen-ciphertext attacks (CCA2), there are not many HPS-based leakage-resilient PKE schemes available. Moreover, most of them have an unsatisfactory leakage rate. In this study, the authors propose a new method of constructing leakage-resilient CCA2-secure PKE scheme from any tag-based strongly universal(2) HPS. The striking advantage of the authors scheme is the leakage rate, which is the best one among all known HPS-based indistinguishability key leakage CCA2-secure constructions. In particular, they present an instantiation under the n-linear assumption. In the cases of n = 1 (resp. n = 2), they actually obtain a decisional Diffie-Hellman (DDH)-based [resp. decisional linear (DLIN)-based] PKE scheme, where the leakage rate can be made to 1/4 (resp. 1/6). The authors DDH-based scheme achieves the best leakage rate among all known DDH-based (Cramer-Shoup-type) schemes. Their DLIN-based scheme is the first one that can achieve leakage of L/6 bits without pairing, where L is the length of the secret key.

Xiujie Zhang,Chunxiang Xu

DOI: https://doi.org/10.3969/j.issn.1001-3695.2016.08.040

2016-01-01

Abstract:The proposed forward-secure public-key encryption scheme with untrusted update has no provable security,so there is doubt about the security of the proposed schemes.This paper extended the forward-secure public-key encryption scheme and proposed the provable secure forward-secure public-key encryption scheme with untrusted update.It presented the definition of forward-secure public-key encryption scheme with untrusted update.According to the definition of scheme,it proposed the for-ward-secure public-key encryption scheme with untrusted update using bilinear mapping and efficient symmetric encryption scheme,and proved the security of the scheme based on random oracle.Through analysis,the proposed scheme is practicality as it has constant size ciphertext,constant size of private key,constant overhead of encryption and decryption algorithms,con-stant overhead of key update algorithm.

MEI Qi-xiang,HE Da-ke,ZHENG Yu

DOI: https://doi.org/10.3969/j.issn.0258-2724.2005.06.003

2005-01-01

Abstract:To improve the decryption efficiency of the Baek-Zheng scheme, a new threshold scheme was proposed based on Pairing. In the new scheme, the dot product operation in the Baek-Zheng scheme is replaced by an inversion operation to design the verifying process. Because the verifying process needs only one pairing operation, the efficiency of threshold decryption is increased nearly one time, and the new scheme has the same encryption efficiency and the sizes of the ciphertext or the decryption shares, compared with that in the Baek-Zheng scheme. The new scheme was proved secure against chosen ciphertext attacks under the Oracle-Diffie-Hellman assumption.

hongwei li,haomiao yang,fan li

DOI: https://doi.org/10.1109/ICCCAS.2009.5250508

2009-01-01

Abstract:Standard identity-based encryption schemes typically rely on the assumption that secret keys are kept perfectly secure. However, with more and more cryptographic primitives are deployed on insecure devices, key exposure seems inevitable. In this paper, we propose an Identity-based encryption scheme with forward security. In the scheme, secret keys are updated at regular periods of time; furthermore, exposure of a secret key corresponding to a given time period does not enable an adversary to break the scheme for any prior time period. The scheme achieves security against chosen ciphertext attacks under the bilinear Diffie-Hellman assumption in the random oracle model.

Yuyang Zhou,Jing Guo,Fagen Li

DOI: https://doi.org/10.1016/j.sysarc.2020.101754

IF: 5.836

2020-01-01

Journal of Systems Architecture

Abstract:The Snowden incident shows that powerful attackers can compromise users' machines to steal users' private information. Currently, many encryption schemes that have proven to be secure cannot detect vulnerabilities. These vulnerabilities may reveal users' secrets, e.g., a machine hides some backdoors without a user's awareness, and an attacker can steal the user's private information through these backdoors. In 2015, Mironov and Stephens-Davidowitz proposed a new framework for solving this problem: cryptographic reverse firewall (CRF). However, their protocols can't protect certificateless public key encryption (CL-PKE). In this paper, we design a CRF protocol for CL-PKE, which is a one-round CL-PKE with CRFs (CL-PKE-CRF) deployed on a receiver and a key generating centre (KGC). This protocol is proved to achieve indistinguishability against chosen plaintext attack (IND-CPA). Compared with existing protocol with CRFs and two CL-PKE schemes, our protocol has the least communication cost. Meanwhile, we use JPBC library to implement our one-round CL-PKE-CRF. The experimental results indicate that under high security levels, our protocol has a advantage in the percentage of the running time. Since our protocol can resist exfiltration attacks from internal attackers, it is efficient and practical. Finally, we apply the same method to design a secure and effective one-round certificateless public key signature with a CRF (CL-PKS-CRF). This means that our protocol is not only targeted at a single CL-PKE scheme, but also can inspire the design of other certificateless public key cryptography schemes with CRFs.

Puwen Wei,Xiaoyun Wang,Yuliang Zheng

DOI: https://doi.org/10.1016/j.compeleceng.2012.02.001

2009-01-01

Abstract:In this paper, we report our success in identifying an efficient public key encryption scheme whose formal security proof does not require a random oracle. Specifically, we focus our attention on a universal hash based public key encryption scheme proposed by Zheng and Seberry at Crypto'92. Although Zheng and Seberry's encryption scheme is very simple and efficient, its reductionist security proof has not been provided. We show how to tweak the Zheng-Seberry scheme so that the resultant scheme not only preserves the efficiency of the original scheme but also admits provable security against adaptive chosen ciphertext attack without random oracle. For the security proof, our first attempt is based on a strong assumption called the oracle Diffie-Hellman^+ assumption. This is followed by a more challenging proof that employs a weaker assumption called the adaptive decisional Diffie-Hellman assumption, which is in alignment with adaptively secure assumptions advocated by Pandey, Pass and Vaikuntanathan.

Yu Long,Ke-fei Chen,Xian-ping Mao

DOI: https://doi.org/10.1007/s12204-014-1520-8

2014-01-01

Abstract:This study deals with the dynamic property of threshold cryptosystem. A dynamic threshold cryptosystem allows the sender to choose the authorized decryption group and the threshold value for each message dynamically. We first introduce an identity based dynamic threshold cryptosystem, and then use the Canetti-Halevi-Katz (CHK) transformation to transform it into a fully secure system in the traditional public key setting. Finally, the elegant dual system encryption technique is applied to constructing a fully secure dynamic threshold cryptosystem with adaptive security.

Li Su,Muxiang Yang,Jun Li,Guohua Cui

DOI: https://doi.org/10.1109/wicom.2006.202

2006-01-01

Abstract:The (t, n) threshold cryptography is an important method for sharing a group secret message in dynamic groups such as ad hoc groups. Using subliminal channel, one can send a secret message to an authorized receiver and the message cannot be discovered by any unauthorized receivers; it satisfies different requirements of different kind of users. We discussed the security of HCW scheme and proposed a secure anonymous threshold subliminal channel. The proposed scheme has not any setup phase and allows mixture use of discrete-logarithm-type keys and RSA-type keys. Furthermore, the proposed scheme only has a simple initialization phase, thus, it is flexible and suitable for ad hoc environments. The new scheme can resist forgery and conspiracy attacks; the subliminal message sender is indistinguishable to others except the authorized users. Performance analysis and experiments show that the new scheme is more efficient in general

Shi-Feng Sun,Dawu Gu,Udaya Parampalli,Yu,Baodong Qin

DOI: https://doi.org/10.1016/j.jcss.2017.03.004

IF: 1.043

2017-01-01

Journal of Computer and System Sciences

Abstract:In this work, we investigate how to protect public key encryption from both key-leakage attacks and tampering attacks. First, we formalize the notions of chosen ciphertext (CCA) security against key-leakage and tampering attacks. To this goal, we then introduce the concept of key-homomorphic hash proof systems and present a generic construction of public key encryption based on this new primitive. Our construction, compared with previous works, realizes leakage-resilience and tampering-resilience simultaneously but completely independently, so it can tolerate a larger amount of bounded-memory leakage and be instantiated with more flexibility. Moreover, it allows for an unbounded number of affine-tampering queries, even after the challenge phase. With slight adaptations, our construction also achieves CCA security against subexponentially hard auxiliary-input leakage attacks and a polynomial of affine-tampering attacks. Thus, to the best of our knowledge, we get the first public key encryption scheme secure against both auxiliary-input leakage attacks and tampering attacks.

Peeter Laud,Alisa Pankova,Jelizaveta Vakarjuk

2024-10-25

Abstract:In this paper, we consider encryption systems with two-out-of-two threshold decryption, where one of the parties (the client) initiates the decryption and the other one (the server) assists. Existing threshold decryption schemes disclose to the server the ciphertext that is being decrypted. We give a construction, where the identity of the ciphertext is not leaked to the server, and the client's privacy is thus preserved. While showing the security of this construction, we run into the issue of defining the security of a scheme with blindly assisted decryption. We discuss previously proposed security definitions for similar cryptographic functionalities and argue why they do not capture the expected meaning of security. We propose an ideal functionality for the encryption with server-supported blind threshold decryption in the universal composability model, carefully balancing between the meaning of privacy, and the ability to implement it. We construct a protocol and show that it is a secure implementation of the proposed functionality in the random oracle model.

Cryptography and Security