Zhengan Huang,Shengli Liu,Baodong Qin,Kefei Chen

DOI: https://doi.org/10.1109/INCoS.2013.69

2013-01-01

Abstract:There are two main approaches to achieve selective opening chosen-cipher text security (SO-CCA security): lossy encryption (including all-but-many lossy trapdoor functions) and sender-equivocable encryption. The second approach was proposed in Eurocrypt 2010 by Fehr et al., who proved that sender equivocability under chosen-cipher text attacks (NC-CCA security) implies SO-CCA security. They also proposed a new primitive called ``cross-authentication code'', and used it to construct a public-key encryption (PKE) scheme (the FHKW scheme) achieving NC-CCA security. However, recently in PKC 2013, Huang et al. pointed out that the properties of cross-authentication code cannot guarantee the NC-CCA security of the FHKW scheme, i.e., the security proof of the FHKW scheme is flawed. In this paper, we propose the notion of ``strong cross-authentication code'', which helps to fix the security proof of the FHKW scheme. This strong notion captures the ability of a cross-authentication code to efficiently generate a new key, based on all the other keys and the cross-authentication tag, such that the new key is statistically indistinguishable from the original key. With this code as a building block, we construct a new version of the FHKW scheme, and prove it to be NC-CCA secure for multi-bit plaintexts. Our work makes possible the instantiation of simulation-based SO-CCA secure PKE with a multi-bit message space from NC-CCA secure PKEs.

Qi Xie,Guilin Wang,Fubiao Xia,Deren Chen

DOI: https://doi.org/10.1002/cpe.3058

2013-01-01

Concurrency and Computation Practice and Experience

Abstract:By integrating self-certified public-key systems and the designated verifier proxy signature with message recovery, Wu and Lin proposed the first self-certified proxy convertible authenticated encryption (SP-CAE) scheme and its variants based on discrete logarithm problem (DLP) in 2009. Though their schemes are claimed provably secure, we demonstrate that their schemes are existentially forgeable under adaptive chosen warrants, unconfidentiable and verifiable under adaptive chosen messages and designated verifiers. Then we propose a provably secure SP-CAE scheme in the random oracle model.

Linming Gong,Shundong Li,Qing Mao,Daoshun Wang,Jiawei Dou

DOI: https://doi.org/10.1016/j.tcs.2015.10.001

IF: 1.002

2016-01-01

Theoretical Computer Science

Abstract:In this study, we consider the problem of constructing a homomorphic encryption scheme that is secure against adaptive chosen ciphertext attack (CCA2). This type of scheme has many applications in secure multi-party computation, electronic voting, and cloud storage and computation. We present an encryption scheme, based on the composite degree residuosity classes, which can block CCA2 while maintaining homomorphism. Our cryptosystem, which is based on standard modular arithmetic, is provable with indistinguishable security under CCA2. An additional contribution of this study is a new definition of preventing CCA2 (or blocking CCA2).

Qi Xia,Chunxiang Xu

DOI: https://doi.org/10.1109/dasc.2009.144

2009-01-01

Abstract:Recently, Yu et al. proposed two identity based signcryption schemes, one is an identity based signcryption scheme for multiple receivers and the other is an identity based signcryption scheme without random oracles. They showed their former scheme is secure against adaptive chosen ciphertext attacks and unforgeable in the random oracle model, and the latter scheme is secure against adaptive chosen ciphertext attacks and unforgeable in the standard model. In this paper, however, we show that their first scheme is vulnerable to universal forgery attack and their second scheme is not secure against adaptive chosen ciphertext attack.

Qi Xia,Chunxiang Xu,Yong Yu

DOI: https://doi.org/10.3772/j.issn.1006-6748.2011.02.013

2011-01-01

Abstract:As a special kind of digital signature, verifiably encrypted signatures are used as a building block to construct optimistic fair exchange. Many verifiably encrypted signature schemes have been proposed so far and most of them were proven secure under certain complexity assumptions. In this paper, however, we find that although some schemes are secure in a single-user setting, they are not secure in a multi-user setting any more. We show that Zhang, et al.'s scheme, Gorantla, et al.'s scheme and Ming, et al.'s scheme are vulnerable to key substitution attacks, where an adversary can generate new keys satisfying legitimate verifiably encrypted signatures created by the legitimate users. We also show that this kind of attacks can breach the fairness when they are used in fair exchange in a multi-user setting. © by HIGH TECHNOLOGY LETTERS PRESS.

Fagen Li,Hu Xiong,Xuyun Nie

DOI: https://doi.org/10.1109/icccas.2009.5250510

2009-01-01

Abstract:Multi-receiver signcryption is very useful to secure group communications. In 2007, Yu et al. proposed an efficient multi-receiver identity-based signcryption scheme. However, Selvi et al. showed that Yu et al.'s scheme does not satisfy the unforgeability, and presented an improved scheme. In this paper, we show that both Yu et al.'s scheme and Selvi et al.'s scheme do not satisfy the confidentiality. Then we propose a new multi-receiver identity-based signcryption scheme. We prove its semantical security under the q-Bilinear Diffie-Hellman Inversion problem assumption and its unforgeability under the q-Strong Diffie-Hellman problem assumption in the random oracle model. This new scheme turns out to be more efficient than all other schemes proposed to date.

Shengli Liu,Fangguo Zhang,Kefei Chen

DOI: https://doi.org/10.1002/cpe.3021

2013-01-01

Abstract:SUMMARYChosen‐ciphertext security has been well‐accepted as a standard security notion for public‐key encryption. But in a multi‐user surrounding, it may not be sufficient, because the adversary may corrupt some users to obtain the random coins as well as the plaintexts used to generate ciphertexts. The attack is named ‘selective opening attack’. We study how to achieve full‐fledged chosen‐ciphertext security in selective opening setting directly from the Decisional Diffie–Hellman assumption. Our construction is actually a tag‐based public‐key encryption scheme free of chameleon hashing and has a tight security reduction to the Decisional Diffie–Hellman assumption and the collision‐resistant assumption of hash functions. The tag for each ciphertext is generated in a flexible way to serve the chosen‐ciphertext security proof in selective opening settings. Copyright © 2013 John Wiley & Sons, Ltd.

Hu Xiong,Jian-bin Hu,Zhong Chen

DOI: https://doi.org/10.6633/ijns.201307.15(4).12

2013-01-01

Abstract:Signcryption is a cryptographic primitive that performs digital signature and public key encryption simultaneously, at lower computational costs and communication overhead than signing and encrypting separately. Recently, Chung et al. proposed an anonymous ECC-based signcryption scheme. We show that their scheme is not secure even against a chosen-plaintext attack.

Shi-Feng Sun,Udaya Parampalli,Tsz Hon Yuen,Yu,Dawu Gu

DOI: https://doi.org/10.1145/2897845.2897921

2016-01-01

Abstract:Non-malleability is an important and intensively studied security notion for many cryptographic primitives. In the context of public key encryption, this notion means it is infeasible for an adversary to transform an encryption of some message m into one of a related message m' under the given public key. Although it has provided a strong security property for many applications, it still does not suffice for some scenarios like the system where the users could issue keys on-the-fly. In such settings, the adversary may have the power to transform the given public key and the ciphertext. To withstand such attacks, Fischlin introduced a stronger notion, known as complete non-malleability, which requires that the non-malleability property be preserved even for the adversaries attempting to produce a ciphertext of some related message under the transformed public key. To date, many schemes satisfying this stronger security have been proposed, but they are either inefficient or proved secure in the random oracle model. In this work, we put forward a new encryption scheme in the common reference string model. Based on the standard DBDH assumption, the proposed scheme is proved completely non-malleable secure against adaptive chosen ciphertext attacks in the standard model. In our scheme, the well-formed public keys and ciphertexts could be publicly recognized without drawing support from unwieldy techniques like non-interactive zero knowledge proofs or one-time signatures, thus achieving a better performance.

Zi-Yuan Liu,Raylin Tso

DOI: https://doi.org/10.48550/arXiv.2311.08813

2023-11-15

Cryptography and Security

Abstract:Recently, Yang et al. introduced an efficient searchable encryption scheme titled "Dynamic Consensus Committee-Based for Secure Data Sharing With Authorized Multi-Receiver Searchable Encryption (DCC-SE)," published in IEEE Transactions on Information Forensics and Security (DOI: 10.1109/TIFS.2023.3305183). According to the authors, DCC-SE meets various security requirements, especially the keyword trapdoor indistinguishability against chosen keyword attacks (KT-IND-CKA). In this letter, however, we reveal a significant vulnerability of DCC-SE: any users involved in the system can execute attacks against KT-IND-CKA security. This flaw potentially results in the unintended disclosure of sensitive keyword information related to the documents. We present a detailed cryptanalysis on DCC-SE. In addition, to address this vulnerability, we discuss the root cause and identify a flaw in the security proof of DCC-SE. Subsequently, we provide a solution that effectively addresses this concern without significantly increasing computational overhead.

Jakir Hossain,Chunxiang Xu,Chuang Li

DOI: https://doi.org/10.1109/ICCWAMTIP51612.2020.9317383

2020-01-01

Abstract:Authentication schemes employing identity-based encryption are widely used in mobile cloud computing environments. It enables users to get umpteen services from different cloud servers by registering only once with a third-party. However, in existing schemes, the security against chosen-ciphertext attacks and malicious private key generator is not well-considered. These security pitfalls may cause security and privacy issues in some application scenarios since an active attacker can send a number of adaptively chosen ciphertext and tries to distinguish the target ciphertext; succeeds may cause the exposure of the underlying secret key. In this paper, we propose a secure and efficient authentication scheme for mobile cloud computing with security against chosen-ciphertext attacks and malicious private key generator based on adaptive one-wayness trapdoor function and learning-parity with noise hardness assumption. Our comprehensive security proof demonstrates that our scheme is indistinguishable against chosen-ciphertext attacks.

Fagen Li,Zhiguang Qin

DOI: https://doi.org/10.4103/0256-4602.62781

2010-01-01

Abstract:A convertible authenticated encryption scheme allows a designated recipient to retrieve an authenticated ciphertext and convert the authenticated ciphertext into an ordinary signature. Recently, Lee, Hwang, and Tzeng proposed a new convertible authenticated encryption scheme based on the ElGamal cryptosystem. In this paper, we show that the Lee-Hwang-Tzeng scheme is not secure against chosen plaintext attacks. In addition, we give a solution to repair it.

Han Shen,Jianhua Chen,Debiao He,Jian Shen

DOI: https://doi.org/10.1007/s11277-017-4438-2

IF: 2.017

2017-01-01

Wireless Personal Communications

Abstract:Recently, Sharma et al. (Wirel Pers Commun, 2015. doi: 10.1007/s11277-0152698- 2) proposed a pairing-free certificateless ring signcryption scheme (PF-CLRSC) and used it for the environment of wireless sensor networks. They claimed that their scheme was provably secure. Unfortunately, we present two concrete attacks to demonstrate that their scheme can provide neither confidentiality nor unforgeability against Type I adversary. The analysis shows that Sharma et al.' s PF-CLRSC scheme is not suitable for practical applications.

guobin zhu,hu xiong,ruijin wang,zhiguang qin

DOI: https://doi.org/10.1007/978-81-322-1759-6_12

2014-01-01

Abstract:As one of the fundamental cryptographic primitives, signcryption can achieve unforgeability and confidentiality simultaneously at the cost significantly lower than the signature-then-encryption approach in terms of computational costs and communication overheads. In view of the damage caused by the secret key leakage, Chen et al. proposed an efficient identity-based key-insulated signcryption (ID-KI-SC) scheme secure in the standard model recently. However, in this paper, we show that their scheme does not achieve the indistinguishability against adaptively chosen ciphertext attacks (IND-CCA2) and existential unforgeability against adaptively chosen message attacks (EUF-CMA). Furthermore, we propose an improved scheme that remedies the weakness of Chen et al.' s scheme.

Huige Wang,Kefei Chen,Tianyu Pan,Yunlei Zhao

DOI: https://doi.org/10.1155/2020/8823788

IF: 1.968

2020-01-01

Security and Communication Networks

Abstract:Functional encryption (FE) can implement fine-grained control to encrypted plaintext via permitting users to compute only some specified functions on the encrypted plaintext using private keys with respect to those functions. Recently, many FEs were put forward; nonetheless, most of them cannot resist chosen-ciphertext attacks (CCAs), especially for those in the secret-key settings. This changed with the work, i.e., a generic transformation of public-key functional encryption (PK-FE) from chosen-plaintext (CPA) to chosen-ciphertext (CCA), where the underlying schemes are required to have some special properties such as restricted delegation or verifiability features. However, examples for such underlying schemes with these features have not been found so far. Later, a CCA-secure functional encryption from projective hash functions was proposed, but their scheme only applies to inner product functions. To construct such a scheme, some nontrivial techniques will be needed. Our key contribution in this work is to propose CCA-secure functional encryptions in the PKE and SK environment, respectively. In the existing generic transformation from (adaptively) simulation-based CPA- (SIM-CPA-) secure ones for deterministic functions to (adaptively) simulation-based CCA- (SIM-CCA-) secure ones for randomized functions, whether the schemes were directly applied to CCA settings for deterministic functions is not implied. We give an affirmative answer and derive a SIM-CCA-secure scheme for deterministic functions by making some modifications on it. Again, based on this derived scheme, we also propose an (adaptively) indistinguishable CCA- (IND-CCA-) secure SK-FE for deterministic functions. The final results show that our scheme can be instantiated under both nonstandard assumptions (e.g., hard problems on multilinear maps and indistinguishability obfuscation (IO)) and under standard assumptions (e.g., DDH, RSA, LWE, and LPN).

Shengli Liu,Kenneth G. Paterson

DOI: https://doi.org/10.1007/978-3-662-46447-2_1

2015-01-01

Abstract:We study simulation-based, selective opening security against chosen-ciphertext attacks (SIM-SO-CCA security) for public key encryption (PKE). In a selective opening, chosen-ciphertext attack (SO-CCA), an adversary has access to a decryption oracle, sees a vector of ciphertexts, adaptively chooses to open some of them, and obtains the corresponding plaintexts and random coins used in the creation of the ciphertexts. The SIM-SO-CCA notion captures the security of unopened ciphertexts with respect to probabilistic polynomial-time (ppt) SO-CCA adversaries in a semantic way: what a ppt SO-CCA adversary can compute can also be simulated by a ppt simulator with access only to the opened messages. Building on techniques used to achieve weak deniable encryption and non-committing encryption, Fehr et al. (Eurocrypt 2010) presented an approach to constructing SIM-SO-CCA secure PKE from extended hash proof systems (EHPSs), collision-resistant hash functions and an information-theoretic primitive called Cross Authentication Codes (XACs). We generalize their approach by introducing a special type of Key Encapsulation Mechanism (KEM) and using it to build SIM-SO- CCA secure PKE. We investigate what properties are needed from the KEM to achieve SIM-SO-CCA security. We also give three instantiations of our construction. The first uses hash proof systems, the second relies on the n-Linear assumption, and the third uses indistinguishability obfuscation (iO) in combination with extracting, puncturable Pseudo-Random Functions in a similar way to Sahai and Waters (STOC 2014). Our results establish the existence of SIM-SO-CCA secure PKE assuming only the existence of one-way functions and iO. This result further highlights the simplicity and power of iO in constructing different cryptographic primitives.

Lin Lyu,Shengli Liu,Shuai Han

DOI: https://doi.org/10.1093/comjnl/bxx080

2017-01-01

Abstract:In a selective-opening, chosen-ciphertext attack (SO-CCA) against a public key encryption scheme (PKE scheme), a probabilistic polynomial time (PPT) adversary obtains a vector of challenge ciphertexts, has access to a decryption oracle, adaptively selects to open some of the challenge ciphertexts and sees the corresponding messages together with the random coins. The simulation-based, selective-opening security against chosen-ciphertext attacks (SIM-SO-CCA security) protects the security of the unopened messages in a semantic way, i.e. it requires that the output of the adversary can be simulated by a simulator who sees only the opened messages. In particular, all information that the adversary can get from the unopened messages can also be simulated from the opened messages alone by the simulator. All security proofs of the available PKEs achieving SIM-SO-CCA security are not tight, and the security loss depends either on the number of challenge ciphertexts or on the number of decryption queries. In this work, we present the first PKE scheme which achieves SIM-SO-CCA security with a tight reduction to standard assumptions. This partially solves the open problem proposed by Hofheinz in EuroCrypt 2012.

Zheng Yang,Shuangqing Li

DOI: https://doi.org/10.1016/j.ipl.2015.08.006

IF: 0.851

2016-01-01

Information Processing Letters

Abstract:In this paper, we revisit the security result of an authenticated key exchange (AKE) scheme proposed in AsiaCCS'14 by Alawatugoda, Stebila and Boyd (which is referred to as ASB scheme). The ASB scheme is proved to be secure in a new bounded (continuous) after-the-fact leakage extended Canetti–Krawczyk (B(C)AFL-eCK) model without random oracles, where the B(C)AFL-eCK is extended from the eCK model. However we disprove their security results. We first show an attack against ASB scheme in the eCK model. This also implies that the insecurity of ASB scheme in the B(C)AFL-eCK model. Secondly we point out that the security of ASB scheme is incorrectly reduced to DDH assumption. A solution is proposed to fix the problem of ASB scheme with minimum changes, which yields a new ASB' scheme. We prove the eCK security of ASB' in the random oracle model under Gap Diffie–Hellman assumption.

Jing Yang,Shu-Tao Xia,Xianfang Wang,Can Xiang,Fang-Wei Fu

DOI: https://doi.org/10.1109/isit57864.2024.10619081

2024-01-01

Abstract:At present, existing multi-receiver authentication (MRA) schemes can only handle situations where the capabilities of all receivers are the same. However, in reality, different receivers may need to have different storage capabilities. In this paper, inspired by the secret sharing scheme based on the Chinese Remainder Theorem (CRT) for polynomial rings where distinct participants save shares with distinct sizes, we propose a new unconditionally secure MRA scheme for multiple messages by the same technique. As far as we know, our MRA scheme is the first MRA scheme with different storage capacities for different receivers and the first one based on the CRT for polynomial rings supporting general access structures. In contrast to the existing general MRA scheme, although our MRA scheme has more communication complexity, it has less computation complexity.

Fagen Li,Hui Zhang,Tsuyoshi Takagi

DOI: https://doi.org/10.1109/jsyst.2012.2221897

IF: 4.802

2013-01-01

IEEE Systems Journal

Abstract:Privacy and authentication are the two main security goals in secure communications. To solve the secure communications problem between two heterogeneous systems, we propose two efficient signcryption schemes that can simultaneously achieve confidentiality, integrity, authentication, and nonrepudiation in a logical single step. The first scheme allows a sender in a public key infrastructure (PKI) to send a message to a receiver in an identity-based cryptosystem (IBC) and the second scheme allows a sender in the IBC system to send a message to a receiver in the PKI system. We prove that the first scheme has indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2) under the q-bilinear Diffie-Hellman inversion problem (q-BDHIP) and existential unforgeability against adaptive chosen messages attacks (EUF-CMA) under the Diffie-Hellman inversion problem in the random oracle model. We also prove that the second scheme has the IND-CCA2 property under the BDHIP and EUF-CMA property under the q-strong Diffie- Hellman problem (q-SDHP) in the random oracle model.