Baodong Qin,Shengli Liu,Kefei Chen

DOI: https://doi.org/10.1049/iet-ifs.2013.0173

2014-01-01

IET Information Security

Abstract:A leakage-resilient public-key encryption (PKE) scheme provides security even if an adversary obtains some information on the secret key. In recent years, much attention has been focused on designing provably secure PKE in the presence of key-leakage and almost all the constructions rely on an important building block namely hash proof system (HPS). However, in the setting of adaptive chosen-ciphertext attacks (CCA2), there are not many HPS-based leakage-resilient PKE schemes available. Moreover, most of them have an unsatisfactory leakage rate. In this study, the authors propose a new method of constructing leakage-resilient CCA2-secure PKE scheme from any tag-based strongly universal(2) HPS. The striking advantage of the authors scheme is the leakage rate, which is the best one among all known HPS-based indistinguishability key leakage CCA2-secure constructions. In particular, they present an instantiation under the n-linear assumption. In the cases of n = 1 (resp. n = 2), they actually obtain a decisional Diffie-Hellman (DDH)-based [resp. decisional linear (DLIN)-based] PKE scheme, where the leakage rate can be made to 1/4 (resp. 1/6). The authors DDH-based scheme achieves the best leakage rate among all known DDH-based (Cramer-Shoup-type) schemes. Their DLIN-based scheme is the first one that can achieve leakage of L/6 bits without pairing, where L is the length of the secret key.

Shuai Han,Shengli Liu,Lin Lyu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-26951-7_15

2019-01-01

Abstract:We propose the concept of quasi-adaptive hash proof system (QAHPS), where the projection key is allowed to depend on the specific language for which hash values are computed. We formalize leakage-resilient(LR)-ardency for QAHPS by defining two statistical properties, including LR-< L-0, L-1 >-universal and LR-< L-0, L-1 >-key-switching. We provide a generic approach to tightly leakage-resilient CCA (LR-CCA) secure public-key encryption (PKE) from LR-ardent QAHPS. Our approach is reminiscent of the seminal work of Cramer and Shoup (Eurocrypt'02), and employ three QAHPS schemes, one for generating a uniform string to hide the plaintext, and the other two for proving the well-formedness of the ciphertext. The LR-ardency of QAHPS makes possible the tight LR-CCA security. We give instantiations based on the standard k-Linear (k-LIN) assumptions over asymmetric and symmetric pairing groups, respectively, and obtain fully compact PKE with tight LR-CCA security. The security loss is O(log Q(e)) where Q(e) denotes the number of encryption queries. Specifically, our tightly LR-CCA secure PKE instantiation from SXDH has only 4 group elements in the public key and 7 group elements in the ciphertext, thus is the most efficient one.

Lin Lyu,Shengli Liu,Dawu Gu

DOI: https://doi.org/10.1016/j.tcs.2019.06.003

IF: 1.002

2019-01-01

Theoretical Computer Science

Abstract:Structure-preserving primitives are important building blocks in cryptographic protocols. Up to now, the only structure-preserving public-key encryption (SP-PKE) with CCA security over asymmetric pairing groups is based on the SXDH assumption, due to Libert et al. [18]. In this work, we propose a general framework of constructing SP-PKE with leakage-resilient CCA security (which implies the IND-CCA2 security). The corresponding instantiations result in the first leakage-resilient CCA secure SP-PKE from the Matrix Decision Diffie-Hellman (MDDH) assumption (including the SXDH and k-Linear assumptions) over asymmetric pairing groups. The ciphertext of our SP-PKE also enjoys the publicly verifiable property.

Xianhui Lu,Jiang Zhang

DOI: https://doi.org/10.1093/nsr/nwab090

IF: 20.6

2021-05-24

National Science Review

Abstract:The invention of public-key cryptography (PKC) by Diffie and Hellman in 1976 is one of two milestones marking the beginning of modern cryptography. The security of a PKC system requires that it should be infeasible to compute the private key from a given public key, which in turn is typically guaranteed by the difficulty in solving some cryptographic-friendly mathematical problems. Among those problems, the integer factorization and discrete logarithm problems play pivotal roles in the development of public-key cryptography. In particular, the assumption that there is no polynomial time (classical) algorithm that solves the above two problems constitutes the basis for the security of almost all currently used public-key cryptosystems, such as RSA and ElGamal. However, Shor [1] found an efficient quantum solving algorithm for the integer factorization and discrete logarithm problems in 1994, which would destroy the security basis for most real deployed PKC systems if large-scale quantum computers become available. The rapid development of quantum technology in recent years suggests that we are getting closer to the quantum crisis of current PKC systems.

multidisciplinary sciences

Shengli Liu,Jian Weng,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-642-36095-4_6

2013-01-01

Abstract:Leakage-resilient public key encryption (PKE) schemes are designed to resist "memory attacks", i.e., the adversary recovers the cryptographic key in the memory adaptively, but subject to constraint that the total amount of leaked information about the key is bounded by some parameter λ. Among all the IND-CCA2 leakage-resilient PKE proposals, the leakage-resilient version of the Cramer-Shoup cryptosystem (CS-PKE), referred to as the KL-CS-PKE scheme proposed by Naor and Segev in Crypto09, is the most practical one. But, the key leakage parameter λ and plaintext length m of KL-CS-PKE are subject to λ+m≤logq−ω(logκ), where κ is security parameter and q is the prime order of the group on which the scheme is based. Such a dependence between λ and m is undesirable. For example, when λ (resp., m) approaches to logq, m (resp., λ) approaches to 0. In this paper, we designed a new variant of CS-PKE that is resilient to key leakage chosen ciphertext attacks. Our proposal is λ≤logq−ω(logκ) leakage-resilient, and the leakage parameter λ is independent of the plaintext space that has the constant size q (exactly the same as that in CS-PKE). The performance of our proposal is almost as efficient as the original CS-PKE. As far as we know, this is the first leakage-resilient CS-type cryptosystem whose plaintext length is independent of the key leakage parameter, and is also the most efficient IND-CCA2 PKE scheme resilient to up to logq−ω(logκ) leakage.

Shifeng Sun,Dawu Gu,Man Ho Au,Shuai Han,Yu Yu,Joseph K. Liu

DOI: https://doi.org/10.1007/978-3-030-21568-2_24

2019-01-01

Abstract:We revisit the problem of constructing public key encryption (PKE) secure against both key-leakage and tampering attacks. First, we present an enhanced security against both kinds of attacks, namely strong leakage and tamper-resilient chosen-ciphertext (sLTR-CCA) security, which imposes only minimal restrictions on the adversary's queries and thus captures the capability of the adversary in a more reasonable way. Then, we propose a generic paradigm achieving this security on the basis of a refined hash proof system (HPS) called public-key-malleable HPS. The paradigm can not only tolerate a large amount of bounded key-leakage, but also resist an arbitrary polynomial of restricted tampering attacks, even depending on the challenge phase. Moreover, the paradigm with slight adaptations can also be proven sLTR-CCA secure with respect to subexponentially hard auxiliary-input leakage. In addition, we instantiate our paradigm under certain standard number-theoretic assumptions, and thus, to our best knowledge, obtain the first efficient PKE schemes possessing the strong bounded/auxiliary-input leakage and tamper-resilient chosen-ciphertext security in the standard model.

Shi-Feng Sun,Shuai Han,Dawu Gu,Shengli Liu

DOI: https://doi.org/10.1049/iet-ifs.2015.0195

2016-01-01

IET Information Security

Abstract:The authors present a new general construction of public key encryption (PKE) based on the restricted subset membership (RSM) assumption, which can achieve the bounded-memory leakage resilient security and the auxiliary-input leakage resilient security simultaneously. The construction is BHHO-type, as Brakerski et al. work, but the message space is much larger and the proof is more concise benefiting from the RSM assumption. Instantiating the construction with the QR assumption, the authors get the first QR-based auxiliary-input secure PKE with a larger message space than {0,1}. Moreover, the authors generalise the Goldreich-Levin theorem to large rings. This theorem helps to improve the construction to achieve the same security level with fewer public parameters and shorter ciphertexts compared with Brakerski et al. work. For the bounded-memory leakage resilient security, the construction can achieve leakage rate of 1-o(1) and avoid the dependence between the message length and the amount of leakage. Based on the general construction, the authors also can achieve both bounded-memory leakage resilient chosen ciphertext attack (CCA) security and the auxiliary-input leakage resilient CCA security via the well-known Naor-Yung paradigm.

Shi-Feng Sun,Dawu Gu,Udaya Parampalli,Yu,Baodong Qin

DOI: https://doi.org/10.1016/j.jcss.2017.03.004

IF: 1.043

2017-01-01

Journal of Computer and System Sciences

Abstract:In this work, we investigate how to protect public key encryption from both key-leakage attacks and tampering attacks. First, we formalize the notions of chosen ciphertext (CCA) security against key-leakage and tampering attacks. To this goal, we then introduce the concept of key-homomorphic hash proof systems and present a generic construction of public key encryption based on this new primitive. Our construction, compared with previous works, realizes leakage-resilience and tampering-resilience simultaneously but completely independently, so it can tolerate a larger amount of bounded-memory leakage and be instantiated with more flexibility. Moreover, it allows for an unbounded number of affine-tampering queries, even after the challenge phase. With slight adaptations, our construction also achieves CCA security against subexponentially hard auxiliary-input leakage attacks and a polynomial of affine-tampering attacks. Thus, to the best of our knowledge, we get the first public key encryption scheme secure against both auxiliary-input leakage attacks and tampering attacks.

Junzuo Lai,Robert H. Deng,Shengli Liu,Weidong Kou

DOI: https://doi.org/10.1007/978-3-642-11925-5_10

2010-01-01

Abstract:Boneh, Canetti, Halevi, and Katz showed a general method for constructing CCA-secure public key encryption (PKE) from any selective-ID CPA-secure identity-based encryption (IBE) schemes. Their approach treated IBE as a black box. Subsequently, Boyen, Mei, and Waters demonstrated how to build a direct CCA-secure PKE scheme from the Waters IBE scheme, which is adaptive-ID CPA secure. They made direct use of the underlying IBE structure, and required no cryptographic primitive other than the IBE scheme itself. However, their scheme requires long public key and the security reduction is loose. In this paper, we propose an efficient PKE scheme employing identity-based techniques. Our scheme requires short public key and is proven CCA-secure in the standard model (without random oracles) with a tight security reduction, under the Decisional Bilinear Diffie-Hellman (DBDH) assumption. In addition, we show how to use our scheme to construct an efficient threshold public key encryption scheme and a public key encryption with non-interactive opening (PKENO) scheme.

Shuai Han,Shengli Liu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-57728-4_1

2024-01-01

Abstract:In this paper, we study the design of efficient signature and public-key encryption (PKE) schemes in the presence of both leakage and tampering attacks. Firstly, we formalize the strong leakage and tamper-resilient (sLTR) security model for signature, which provides strong existential unforgeability, and deals with bounded leakage and restricted tampering attacks, as a counterpart to the sLTR security introduced by Sun et al. (ACNS 2019) for PKE. Then, we present direct constructions of signature and chosen-ciphertext attack (CCA) secure PKE schemes in the sLTR model, based on the matrix decisional Diffie-Hellman (MDDH) assumptions (which covers the standard symmetric external DH (SXDH) and k-Linear assumptions) over asymmetric pairing groups. Our schemes avoid the use of heavy building blocks such as the true-simulation extractable non-interactive zero-knowledge proofs (tSE-NIZK) proposed by Dodis et al. (ASIACRYPT 2010), which are usually needed in constructing schemes with leakage and tamper-resilience. Especially, our SXDH-based signature and PKE schemes are more efficient than the existing schemes in the leakage and tamper-resilient setting: our signature scheme has only 4 group elements in the signature, which is about 5x similar to 8x shorter, and our PKE scheme has only 6 group elements in the ciphertext, which is about 1.3x similar to 3.3x shorter. Finally, we note that our signature scheme is the first one achieving strong existential unforgeability in the leakage and tamper-resilient setting, where strong existential unforgeability has important applications in building more complex primitives such as signcryption and authenticated key exchange.

Shuai Han,Shengli Liu,Lin Lyu

DOI: https://doi.org/10.1155/2017/2148534

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:KDM[F]-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages f(sk) which are closely related to the secret key sk, where f∈F, even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named Auxiliary-Input Authenticated Encryption (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, including IND-RKA and weak-INT-RKA. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE) and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM[Faff]-CCA security for the set of affine functions and compactness of ciphertexts simultaneously. (ii) Our second PKE construction is the first one achieving KDM[Fpolyd]-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.

Shifeng Sun,Dawu Gu,Shengli Liu

DOI: https://doi.org/10.1007/978-3-319-04873-4_9

2013-01-01

Abstract:Due to the proliferation of side-channel attacks, lots of efforts have been made to construct cryptographic systems that are still secure even if part of the secret information is leaked to the adversary. Recently, many identity-based encryption IBE schemes have been proposed in this context, almost all of which, however, are only proved CPA secure. As far as we know, the IBE scheme presented by Alwen et al. is the unique CCA secure and the most practical one in the standard model. Unfortunately, this scheme suffers from an undesirable shortcoming that the leakage parameter λ and the message length m are subject to λ + m ≤log p - ω log ï ź , where ï ź is the security parameter and p is the prime order of the underlying group. To overcome this drawback, we designed a new IBE scheme based on Gentry's IBE in this paper, which is λ -leakage resilient CCA2 secure in the standard model where λ ≤log p - ω log ï ź . In contrast, the leakage parameter λ in our proposal is independent of the size of the message space. Moreover, our scheme is quite practical and almost as efficient as the original scheme. To the best of our knowledge, it is the first practical leakage-resilient fully CCA2 secure IBE scheme in the standard model, tolerating up to log p - ω log ï ź -bit leakage of the private key, the leakage parameter of which is independent of the message length.

Lin Lyu,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-76578-5_3

2018-01-01

Abstract:Selective opening security (SO security) is desirable for public key encryption (PKE) in a multi-user setting. In a selective opening attack, an adversary receives a number of ciphertexts for possibly correlated messages, then it opens a subset of them and gets the corresponding messages together with the randomnesses used in the encryptions. SO security aims at providing security for the unopened ciphertexts. Among the existing simulation-based, selective opening, chosen ciphertext secure (SIM-SO-CCA secure) PKEs, only one (Libert et al. Crypto'17) enjoys tight security, which is reduced to the Non-Uniform LWE assumption. However, their public key and ciphertext are not compact.In this work, we focus on constructing PKE with tight SIM-SO-CCA security based on standard assumptions. We formalize security notions needed for key encapsulation mechanism (KEM) and show how to transform these securities into SIM-SO-CCA security of PKE through a tight security reduction, while the construction of PKE from KEM follows the general framework proposed by Liu and Paterson (PKC'15). We present two KEM constructions with tight securities based on the Matrix Decision Diffie-Hellman assumption. These KEMs in turn lead to two tightly SIM-SO-CCA secure PKE schemes. One of them enjoys not only tight security but also compact public key.

Dung Hoang Duong,Partha Sarathi Roy,Willy Susilo,Kazuhide Fukushima,Shinsaku Kiyomoto,Arnaud Sipasseuth

DOI: https://doi.org/10.48550/arXiv.2005.03178

2020-05-07

Cryptography and Security

Abstract:With the rapid growth of cloud storage and cloud computing services, many organisations and users choose to store the data on a cloud server for saving costs. However, due to security concerns, data of users would be encrypted before sending to the cloud. However, this hinders a problem of computation on encrypted data in the cloud, especially in the case of performing data matching in various medical scenarios. Public key encryption with equality test (PKEET) is a powerful tool that allows the authorized cloud server to check whether two ciphertexts are generated by the same message. PKEET has then become a promising candidate for many practical applications like efficient data management on encrypted databases. Lee et al. (Information Sciences 2020) proposed a generic construction of PKEET schemes in the standard model and hence it is possible to yield the first instantiation of post-quantum PKEET schemes based on lattices. At ACISP 2019, Duong et al. proposed a direct construction of PKEET over integer lattices in the standard model. However, their scheme does not reach the CCA2-security. In this paper, we propose an efficient CCA2-secure PKEET scheme based on ideal lattices. In addition, we present a modification of the scheme by Duong et al. over integer lattices to attain the CCA2-security. Both schemes are proven secure in the standard model, and they enjoy the security in the upcoming quantum computer era.

Shuai Han,Shengli Liu,Lin Lyu

DOI: https://doi.org/10.1007/978-3-662-53890-6_11

2016-01-01

Abstract:KDM[F]-CCA secure public-key encryption (PKE) protects the security of message f(sk), with f. F, that is computed directly from the secret key, even if the adversary has access to a decryption oracle. An efficient KDM[F-aff]-CCA secure PKE scheme for affine functions was proposed by Lu, Li and Jia (LLJ, EuroCrypt2015). We point out that their security proof cannot go through based on the DDH assumption. In this paper, we introduce a new concept Authenticated Encryption with Auxiliary-Input AIAE and define for it new security notions dealing with related-key attacks, namely IND-RKA security and weak INT-RKA security. We also construct such an AIAE w.r.t. a set of restricted affine functions from the DDH assumption. With our AIAE,- we construct the first efficient KDM[F-aff]-CCA secure PKE w.r.t. affine functions with compact ciphertexts, which consist only of a constant number of group elements;- we construct the first efficient KDM[F-poly(d)]-CCA secure PKE w.r.t. polynomial functions of bounded degree d with almost compact ciphertexts, and the number of group elements in a ciphertext is polynomial in d, independent of the security parameter.Our PKEs are both based on the DDH & DCR assumptions, free of NIZK and free of pairing.

Shengli Liu,Kenneth G. Paterson

DOI: https://doi.org/10.1007/978-3-662-46447-2_1

2015-01-01

Abstract:We study simulation-based, selective opening security against chosen-ciphertext attacks (SIM-SO-CCA security) for public key encryption (PKE). In a selective opening, chosen-ciphertext attack (SO-CCA), an adversary has access to a decryption oracle, sees a vector of ciphertexts, adaptively chooses to open some of them, and obtains the corresponding plaintexts and random coins used in the creation of the ciphertexts. The SIM-SO-CCA notion captures the security of unopened ciphertexts with respect to probabilistic polynomial-time (ppt) SO-CCA adversaries in a semantic way: what a ppt SO-CCA adversary can compute can also be simulated by a ppt simulator with access only to the opened messages. Building on techniques used to achieve weak deniable encryption and non-committing encryption, Fehr et al. (Eurocrypt 2010) presented an approach to constructing SIM-SO-CCA secure PKE from extended hash proof systems (EHPSs), collision-resistant hash functions and an information-theoretic primitive called Cross Authentication Codes (XACs). We generalize their approach by introducing a special type of Key Encapsulation Mechanism (KEM) and using it to build SIM-SO- CCA secure PKE. We investigate what properties are needed from the KEM to achieve SIM-SO-CCA security. We also give three instantiations of our construction. The first uses hash proof systems, the second relies on the n-Linear assumption, and the third uses indistinguishability obfuscation (iO) in combination with extracting, puncturable Pseudo-Random Functions in a similar way to Sahai and Waters (STOC 2014). Our results establish the existence of SIM-SO-CCA secure PKE assuming only the existence of one-way functions and iO. This result further highlights the simplicity and power of iO in constructing different cryptographic primitives.

Yao Lu,Rui Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-36334-4_5

2013-01-01

Abstract:In CT-RSA 2010, Yang et al. suggested a new category of probabilistic public-key encryption (PKE) schemes, called public-key encryption with equality test (PKET), which supports searching on ciphertexts without decrypting them. Typical applications include management of encrypted data in an outsourced database. They presented a construction in bilinear groups, and proved that it is one-way against chosen ciphertext attack (OW-CCA) in the random oracle model. We argue that OW-CCA security may be too weak for database applications, because partial information leakage from the ciphertext is not considered in the model. In this paper, we revisit the security models for PKET, and introduce a number of new security definitions. To remark, the weakest of our definitions is still stronger than OW-CCA. We then investigate relations among these security definitions. Finally, to illustrate the usefulness of our definitions, we analyze the security of a PKET scheme [24], showing the scheme actually provides much stronger security than that was proven previously.

Zhen Liu,Xiaoyuan Yang

DOI: https://doi.org/10.1109/incos.2013.108

2013-01-01

Abstract:The cipher text consistency check that can be implemented publicly has practical significance, and it is always an interested studying aspect to construct cryptographic algorithm without pairings in the field of cryptographic. On the other hand, it is one of the most important research topics to design CCA-secure PKE schemes with weaker assumptions. Especially, there have been no CCA-secure PKE scheme under factoring assumption, except for a recent work by Hofheinz, D., Kiltz, E. A fly in the ointment is that HK09's scheme is not a public verifiable construction. Using the Gap quality that the Decisional Diffie-Hellman problem is easy but the Computational Diffie-Hellman problem is difficult as factoring, we instantiated HK09's scheme over the group of signed quadratic residues, and realized public verifiable construct. It will be used to construct threshold schemes.

Dung Hoang Duong,Kazuhide Fukushima,Shinsaku Kiyomoto,Partha Sarathi Roy,Arnaud Sipasseuth,Willy Susilo

DOI: https://doi.org/10.48550/arXiv.2005.05308

2020-05-10

Abstract:Public key encryption with equality test (PKEET) supports to check whether two ciphertexts encrypted under different public keys contain the same message or not. PKEET has many interesting applications such as keyword search on encrypted data, encrypted data partitioning for efficient encrypted data management, personal health record systems, spam filtering in encrypted email systems and so on. However, the PKEET scheme lacks an authorization mechanism for a user to control the comparison of its ciphertexts with others. In 2015, Ma et al. introduce the notion of PKEET with flexible authorization (PKEET-FA) which strengthens privacy protection. Since 2015, there are several follow-up works on PKEET-FA. But, all are secure in the random-oracle model. Moreover, all are vulnerable to quantum attacks. In this paper, we provide three constructions of quantum-safe PKEET-FA secure in the standard model. Proposed constructions are secure based on the hardness assumptions of integer lattices and ideal lattices. Finally, we implement the PKEET-FA scheme over ideal lattices.

Cryptography and Security

Baodong Qin,Shengli Liu,Kefei Chen,Manuel Charlemagne

DOI: https://doi.org/10.1145/2484389.2484393

2013-01-01

Abstract:ABSTRACTLossy Trapdoor Functions (LTFs) was introduced by Peikert and Waters in 2008. The importance of the LTFs was justified by their numerous cryptographic applications, like the construction of injective one-way trapdoor functions, CCA-secure public-key encryption, etc. However, little research on application of LTFs to key-leakage resilient public-key encryption was done. In this article we introduce a new variant of LTFs featuring leakage-resilience, namely lrLTFs and give a realization of lrLTFs with leakage rate 1/Θ(κ) (where κ is the security parameter) under the Decisional Diffie-Hellman (DDH) assumption. We further improve the leakage rate to 1-o(1) over a composite-order group in which the Decisional Composite Residuosity (DCR) assumption holds. We also introduce a new notion of key-leakage attacks, which we call weak key-leakage attacks, for bridging the adaptive and non-adaptive key-leakage attacks in the setting of public-key cryptosystem. In this model, the leakage adversary only gets a part of public key before accessing to a leakage oracle. We show that lrLTFs imply public-key encryption schemes secure against chosen-ciphertext weak key-leakage attacks in a black-box sense.