Shi-Feng Sun,Dawu Gu,Shengli Liu

DOI: https://doi.org/10.1002/sec.1429

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Due to the proliferation of side-channel attacks, many efforts have been made to construct cryptographic systems that remain provably secure even if part of the secret information is leaked to the adversary. Recently, there have been many identity-based encryption (IBE) schemes proposed in this context, almost all of which, however, can only achieve chosen plaintext attack (CPA) security. As far as we know, Alwen et al.'s IBE is the unique practical scheme secure against adaptive chosen ciphertext attacks (CCA2) in the standard model. Unfortunately, this scheme suffers from an undesirable shortcoming that the leakage parameter and the message length m are subject to + m logp - (log), where and p denote the security parameter and the prime order of the underlying group, respectively. Beyond that, the leakage ratio in this scheme is very low, which can just reach 1/6. In this work, we put forward two new IBE schemes, both of which are -leakage-resilient CCA2 secure in the standard model. Specifically, the first construction is proposed based on Gentry's IBE, which is quite practical and almost as efficient as the original scheme. Moreover, its leakage parameter, logp - (log), is independent of the size of the message space. To the best of our knowledge, it is the first practical leakage-resilient fully CCA2 secure IBE scheme in the standard model, tolerating up to (logp - (log))-bit leakage of the private key and its leakage parameter being independent of the message length. As to the second construction, it is proposed based on the scheme of Alwen et al., which has the same leakage parameter as Alwen et al., but has a better efficiency performance and a higher leakage ratio. As far as we know, it is the first practical and fully CCA2 secure leakage-resilient IBE scheme with leakage ratio up to 1/4. Copyright (c) 2016 John Wiley & Sons, Ltd.

Shengli Liu,Jian Weng,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-642-36095-4_6

2013-01-01

Abstract:Leakage-resilient public key encryption (PKE) schemes are designed to resist "memory attacks", i.e., the adversary recovers the cryptographic key in the memory adaptively, but subject to constraint that the total amount of leaked information about the key is bounded by some parameter λ. Among all the IND-CCA2 leakage-resilient PKE proposals, the leakage-resilient version of the Cramer-Shoup cryptosystem (CS-PKE), referred to as the KL-CS-PKE scheme proposed by Naor and Segev in Crypto09, is the most practical one. But, the key leakage parameter λ and plaintext length m of KL-CS-PKE are subject to λ+m≤logq−ω(logκ), where κ is security parameter and q is the prime order of the group on which the scheme is based. Such a dependence between λ and m is undesirable. For example, when λ (resp., m) approaches to logq, m (resp., λ) approaches to 0. In this paper, we designed a new variant of CS-PKE that is resilient to key leakage chosen ciphertext attacks. Our proposal is λ≤logq−ω(logκ) leakage-resilient, and the leakage parameter λ is independent of the plaintext space that has the constant size q (exactly the same as that in CS-PKE). The performance of our proposal is almost as efficient as the original CS-PKE. As far as we know, this is the first leakage-resilient CS-type cryptosystem whose plaintext length is independent of the key leakage parameter, and is also the most efficient IND-CCA2 PKE scheme resilient to up to logq−ω(logκ) leakage.

Shuai Han,Shengli Liu,Baodong Qin,Dawu Gu

DOI: https://doi.org/10.1007/s10623-017-0339-3

IF: 1.4

2017-01-01

Designs Codes and Cryptography

Abstract:Affine message authentication code (MAC) and delegatable affine MAC turn out to be useful tools for constructing identity-based encryption (IBE) and hierarchical IBE (HIBE), as shown in Blazy, Kiltz and Pan’s (BKP) creative work in CRYPTO (2014). An important result obtained by BKP is IBE of tight PR-ID-CPA security, i.e., tight IND-ID-CPA security together with ciphertext pseudorandomness (PR). However, the problem of designing tightly PR-ID-CCA2 secure IBE remains open. We note that the CHK transformation does not preserve ciphertext pseudorandomness when converting IND-ID-CPA secure 2-level HIBE to IND-ID-CCA2 secure IBE. In this paper, we solve this problem with a new approach. We introduce a new concept called De-randomized delegatable affine MAC and define for it weak APR-CMA security. We construct such a MAC with a tight security reduction to the Matrix DDH assumption, which includes the k-Linear and DDH assumptions. We present a paradigm for constructing PR-ID-CCA2 secure IBE, which enjoys both ciphertext pseudorandomness and IND-ID-CCA2 security, from De-randomized delegatable affine MAC and Chameleon hashing. The security reduction is tightness preserving. It provides another approach to IND-ID-CCA2 security besides the CHK transformation. By instantiating the paradigm with our specific De-randomized delegatable affine MAC, we obtain the first IBE of tight PR-ID-CCA2 security from the Matrix DDH assumption over pairing groups of prime order. Our IBE also serves as the first tightly IND-ID-CCA2 secure IBE with anonymous recipient (ANON-ID-CCA2) from the Matrix DDH assumption. Our IBE further implies the first tightly IND-ID-CCA2 secure extractable IBE based on the Matrix DDH assumption. The latter can be used to get IBE of simulation-based selective opening CCA2 (SIM-SO-CCA2) security (due to Lai et al. in EUROCRYPT, 2014). The tight security of our IBE leads to a tighter reduction of the SIM-SO-CCA2 security.

Qiqi Lai,Feng-Hao Liu,Zhedong Wang

DOI: https://doi.org/10.1007/978-3-030-97131-1_8

IF: 1.4

2024-01-01

Designs Codes and Cryptography

Abstract:We derive the first adaptively secure IBE and ABE for t-CNF, and selectively secure ABE for general circuits from lattices, with 1-o(1) leakage rates, in the both relative leakage model and bounded retrieval model (BRM). To achieve this, we first identify a new fine-grained security notion for ABE - partially adaptive/selective security, and instantiate this notion from LWE. Then, by using this notion, we design a new key compressing mechanism for identity-based/attributed-based weak hash proof system (IB/AB-wHPS) for various policy classes, achieving (1) succinct secret keys and (2) adaptive/selective security matching the existing non-leakage resilient lattice-based designs. Using the existing connection between weak hash proof system and leakage resilient encryption, the succinct-key IB/AB-wHPS can yield the desired leakage resilient IBE/ABE schemes with the optimal leakage rates in the relative leakage model. Finally, by further improving the prior analysis of the compatible locally computable extractors, we can achieve the optimal leakage rates in the BRM.

Yu Chen,Song Luo,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-22348-8_22

2011-01-01

Abstract:We propose the first leakage-resilient Identity-Based Encryption (IBE) scheme with full domain hash structure. Our scheme is leakage-resilient in the relative leakage model and the random oracle model under the decisional bilinear Diffie-Hellman (DBDH) assumption.

Baodong Qin,Shengli Liu,Kefei Chen

DOI: https://doi.org/10.1049/iet-ifs.2013.0173

2014-01-01

IET Information Security

Abstract:A leakage-resilient public-key encryption (PKE) scheme provides security even if an adversary obtains some information on the secret key. In recent years, much attention has been focused on designing provably secure PKE in the presence of key-leakage and almost all the constructions rely on an important building block namely hash proof system (HPS). However, in the setting of adaptive chosen-ciphertext attacks (CCA2), there are not many HPS-based leakage-resilient PKE schemes available. Moreover, most of them have an unsatisfactory leakage rate. In this study, the authors propose a new method of constructing leakage-resilient CCA2-secure PKE scheme from any tag-based strongly universal(2) HPS. The striking advantage of the authors scheme is the leakage rate, which is the best one among all known HPS-based indistinguishability key leakage CCA2-secure constructions. In particular, they present an instantiation under the n-linear assumption. In the cases of n = 1 (resp. n = 2), they actually obtain a decisional Diffie-Hellman (DDH)-based [resp. decisional linear (DLIN)-based] PKE scheme, where the leakage rate can be made to 1/4 (resp. 1/6). The authors DDH-based scheme achieves the best leakage rate among all known DDH-based (Cramer-Shoup-type) schemes. Their DLIN-based scheme is the first one that can achieve leakage of L/6 bits without pairing, where L is the length of the secret key.

Shi-Feng Sun,Dawu Gu,Zhengan Huang

DOI: https://doi.org/10.1093/comjnl/bxu110

2014-01-01

Abstract:With the purpose of taking physical attacks into account in security proofs, leakage-resilient cryptography has been initiated. Recently, many leakage-resilient cryptographic primitives have been proposed. In this paper, we put forward the first leakage-resilient wicked identity-based encryption (wicked IBE) scheme. To achieve this goal, we first present a new wicked IBE scheme in the composite order groups. The security proof of this scheme is achieved via the dual system encryption technique. In contrast with existing wicked IBE schemes, the new proposal can be proved fully secure in the standard model, even when the maximum hierarchy depth is a polynomial in the security parameter. Moreover, its security is based on some standard assumptions in the composite groups, which are independent of the hierarchy depth of the scheme. Based on this newly proposed scheme, we then put forward a fully secure leakage-resilient wicked IBE scheme in the bounded memory-leakage model. The leakage here is not only allowed on the user's secret key, but also on the master secret key. Its security is proved in the standard model by a hybrid argument in a sequence of computationally indistinguishable games. To the best of our knowledge, this is the first wicked IBE scheme in the context of leakage resilience.

Junzuo Lai,Robert H. Deng,Shengli Liu,Weidong Kou

DOI: https://doi.org/10.1007/978-3-642-11925-5_10

2010-01-01

Abstract:Boneh, Canetti, Halevi, and Katz showed a general method for constructing CCA-secure public key encryption (PKE) from any selective-ID CPA-secure identity-based encryption (IBE) schemes. Their approach treated IBE as a black box. Subsequently, Boyen, Mei, and Waters demonstrated how to build a direct CCA-secure PKE scheme from the Waters IBE scheme, which is adaptive-ID CPA secure. They made direct use of the underlying IBE structure, and required no cryptographic primitive other than the IBE scheme itself. However, their scheme requires long public key and the security reduction is loose. In this paper, we propose an efficient PKE scheme employing identity-based techniques. Our scheme requires short public key and is proven CCA-secure in the standard model (without random oracles) with a tight security reduction, under the Decisional Bilinear Diffie-Hellman (DBDH) assumption. In addition, we show how to use our scheme to construct an efficient threshold public key encryption scheme and a public key encryption with non-interactive opening (PKENO) scheme.

Ting Wang,Guoqiang Han,Jianping Yu,Peng Zhang,Xiaoqiang Sun

DOI: https://doi.org/10.1007/s11277-017-3979-8

IF: 2.017

2017-01-01

Wireless Personal Communications

Abstract:In order to construct efficient public-key encryption scheme that is secure against adaptive chosen-ciphertext attacks (CCA), an efficient signature scheme and an identity-based encryption (IBE) scheme from the learning with errors over rings are presented firstly in this paper, whose security are reducible to the hardness of the shortest vector problem in the worst case on ideal lattices. Secondly, a CCA-secure public key cryptosystem is constructed on the basis of the IBE and signature proposed above. The efficiency analysis indicates the proposed signature and encryption schemes are much more efficient than correlative cryptosystems. The security analysis shows that the IBE scheme is secure against chosen-plaintext attacks, and the public-key encryption scheme is CCA-secure in the random oracle model.

Baodong Qin,Shengli Liu

DOI: https://doi.org/10.1007/978-3-642-54631-0_2

2014-01-01

Abstract:In AsiaCrypt 2013, Qin and Liu proposed a new approach to CCA-security of Public-Key Encryption (PKE) in the presence of bounded key-leakage, from any universal hash proof system (due to Cramer and Shoup) and any one-time lossy filter (a simplified version of lossy algebraic filters, due to Hofheinz). They presented two instantiations under the DDH and DCR assumptions, which result in leakage rate (defined as the ratio of leakage amount to the secret-key length) of 1/2 - o(1). In this paper, we extend their work to broader assumptions and to flexible leakage rate, more specifically to leakage rate of 1 - o(1).-We introduce the Refined Subgroup Indistinguishability (RSI) assumption, which is a subclass of subgroup indistinguishability assumptions, including many standard number-theoretical assumptions, like the quadratic residuosity assumption, the decisional composite residuosity assumption and the subgroup decision assumption over a group of known order defined by Boneh et al.-We show that universal hash proof (UHP) system and one-time lossy filter (OT-LF) can be simply and efficiently constructed from the RSI assumption. Applying Qin and Liu's paradigm gives simple and efficient PKE schemes under the RSI assumption.-With the RSI assumption over a specific group (free of pairing), public parameters of UHP and OT-LF can be chosen in a flexible way, resulting in a leakage-flexible CCA-secure PKE scheme. More specifically, we get the first CCA-secure PKE with leakage rate of 1 - o(1) without pairing.

Junzuo Lai,Robert H. Deng,Shengli Liu,Jian Weng,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-642-55220-5_5

2015-01-01

Abstract:Security against selective opening attack (SOA) requires that in a multi-user setting, even if an adversary has access to all ciphertexts from users, and adaptively corrupts some fraction of the users by exposing not only their messages but also the random coins, the remaining unopened messages retain their privacy. Recently, Bellare, Waters and Yilek considered SOA-security in the identity-based setting, and presented the first identity-based encryption (IBE) schemes that are proven secure against selective opening chosen plaintext attack (SO-CPA). However, how to achieve SO-CCA security for IBE is still open. In this paper, we introduce a new primitive called extractable IBE and define its IND-ID-CCA security notion. We present a generic construction of SO-CCA secure IBE from an IND-ID-CCA secure extractable IBE with "One-Sided Public Openability"(1SPO), a collision-resistant hash function and a strengthened cross-authentication code. Finally, we propose two concrete constructions of extractable 1SPO-IBE schemes, resulting in the first simulation-based SO-CCA secure IBE schemes without random oracles.

Lin Lyu,Shengli Liu,Dawu Gu

DOI: https://doi.org/10.1016/j.tcs.2019.06.003

IF: 1.002

2019-01-01

Theoretical Computer Science

Abstract:Structure-preserving primitives are important building blocks in cryptographic protocols. Up to now, the only structure-preserving public-key encryption (SP-PKE) with CCA security over asymmetric pairing groups is based on the SXDH assumption, due to Libert et al. [18]. In this work, we propose a general framework of constructing SP-PKE with leakage-resilient CCA security (which implies the IND-CCA2 security). The corresponding instantiations result in the first leakage-resilient CCA secure SP-PKE from the Matrix Decision Diffie-Hellman (MDDH) assumption (including the SXDH and k-Linear assumptions) over asymmetric pairing groups. The ciphertext of our SP-PKE also enjoys the publicly verifiable property.

WANG Ziqing,TANG Dianhua,LI Fagen

DOI: https://doi.org/10.12178/1001-0548.2022007

2022-01-01

Abstract:Identity-based encryption (IBE) is very attractive because it does not have certificate management issues. However, the IBEs based on the bilinear Diffie-Hellman problem cannot resist quantum attacks. In order to ensure security under quantum attacks, lattice-based IBE is proposed. However, the existing lattice-based IBEs usually not only have a large ciphertext size but also can only encrypt a few bits of plaintext information in one ciphertext. In this paper, we propose a new lattice-based IBE scheme based on learning with errors (LWE) and its ring version. For the setting l=n , our scheme can encrypt the plaintext twice long of other schemes in one ciphertext. Then we prove that our scheme can achieve the indistinguishability of ciphertexts against adaptively chosen identity and chosen plaintext attack (IND-ID-CPA) in the random oracle.

Yi Wang,Rongmao Chen,Xinyi Huang,Jianting Ning,Baosheng Wang,Moti Yung

DOI: https://doi.org/10.1007/978-3-030-92075-3_15

2021-01-01

Abstract:Our context is anonymous encryption schemes hiding their receiver, but in a setting which allows authorities to reveal the receiver when needed. While anonymous Identity-Based Encryption (IBE) is a natural candidate for such fair anonymity (it gives trusted authority access by design), the de facto security standard (a.k.a. IND-ID-CCA) is incompatible with the ciphertext rerandomizability which is crucial to anonymous communication. Thus, we seek to extend IND-ID-CCA security for IBE to a notion that can be meaningfully relaxed for rerandomizability while it still protects against active adversaries. To the end, inspired by the notion of replayable adaptive chosen-ciphertext attack (RCCA) security (Canetti et al., Crypto'03), we formalize a new security notion called Anonymous Identity-Based RCCA (ANON-ID-RCCA) security for rerandomizable IBE and propose the first construction with rigorous security analysis. The core of our scheme is a novel extension of the double-strand paradigm, which was originally proposed by Golle et al. (CT-RSA'04) and later extended by Prabhakaran and Rosulek (Crypto'07), to the well-known Gentry-IBE (Eurocrypt'06). Notably, our scheme is the first IBE that simultaneously satisfies adaptive security, rerandomizability, and recipient-anonymity to date. As the application of our new notion, we design a new universal mixnet in the identitybased setting that does not require public key distribution (with fair anonymity). More generally, our new notion is also applicable to most existing rerandomizable RCCA-secure applications to eliminate the need for public key distribution infrastructure while allowing fairness.

Mei Qi-xiang,He Da-ke,Yu Zheng

2006-01-01

Abstract:In Eurocrypt 2004, Canetti, Halevi and Katz proposed a method for constructing Chosen Ciphertext secure ( ie., CCA secure) public key encryption from any Selective-ID secure ID-Based Encryption (IBE). However, this method needs one time signature and thus adds noticeable overhead to the underling scheme. In this paper, a new CCA secure public key cryptosystem is constructed from the Adaptive-ID secure IBE scheme proposed by Waters. Here, the "identity" is the hash of the first two parts of the ciphertext, and the bilinear map is used to test the ciphertext validity. The proposal is much more efficient than those obtained from the general CHK. method. The security of the new scheme is proved under the standard Decisional Bilinear Diffie-Hellman (DBDH) assumption.

Shi-Feng Sun,Udaya Parampalli,Tsz Hon Yuen,Yu,Dawu Gu

DOI: https://doi.org/10.1145/2897845.2897921

2016-01-01

Abstract:Non-malleability is an important and intensively studied security notion for many cryptographic primitives. In the context of public key encryption, this notion means it is infeasible for an adversary to transform an encryption of some message m into one of a related message m' under the given public key. Although it has provided a strong security property for many applications, it still does not suffice for some scenarios like the system where the users could issue keys on-the-fly. In such settings, the adversary may have the power to transform the given public key and the ciphertext. To withstand such attacks, Fischlin introduced a stronger notion, known as complete non-malleability, which requires that the non-malleability property be preserved even for the adversaries attempting to produce a ciphertext of some related message under the transformed public key. To date, many schemes satisfying this stronger security have been proposed, but they are either inefficient or proved secure in the random oracle model. In this work, we put forward a new encryption scheme in the common reference string model. Based on the standard DBDH assumption, the proposed scheme is proved completely non-malleable secure against adaptive chosen ciphertext attacks in the standard model. In our scheme, the well-formed public keys and ciphertexts could be publicly recognized without drawing support from unwieldy techniques like non-interactive zero knowledge proofs or one-time signatures, thus achieving a better performance.

Shi-Feng Sun,Dawu Gu,Udaya Parampalli,Yu,Baodong Qin

DOI: https://doi.org/10.1016/j.jcss.2017.03.004

IF: 1.043

2017-01-01

Journal of Computer and System Sciences

Abstract:In this work, we investigate how to protect public key encryption from both key-leakage attacks and tampering attacks. First, we formalize the notions of chosen ciphertext (CCA) security against key-leakage and tampering attacks. To this goal, we then introduce the concept of key-homomorphic hash proof systems and present a generic construction of public key encryption based on this new primitive. Our construction, compared with previous works, realizes leakage-resilience and tampering-resilience simultaneously but completely independently, so it can tolerate a larger amount of bounded-memory leakage and be instantiated with more flexibility. Moreover, it allows for an unbounded number of affine-tampering queries, even after the challenge phase. With slight adaptations, our construction also achieves CCA security against subexponentially hard auxiliary-input leakage attacks and a polynomial of affine-tampering attacks. Thus, to the best of our knowledge, we get the first public key encryption scheme secure against both auxiliary-input leakage attacks and tampering attacks.

Yanli Ren,Dawu Gu,Shuozhong Wang,Xinpeng Zhang

DOI: https://doi.org/10.15388/informatica.2010.296

2010-01-01

Informatica

Abstract:In a fuzzy identity-based encryption (IBE) scheme, a user with the secret key for an identity ID is able to decrypt a ciphertext encrypted with another identity ID' if and only if ID and ID' are within a certain distance of each other as judged by some metric. Fuzzy IBE also allows to encrypt a document to all users that have a certain set of attributes. In 2005, Sahai and Waters first proposed the notion of fuzzy IBE and proved the security of their scheme under the selective-ID model. Currently, there is no fuzzy IBE scheme available that is fully CCA2 secure in the standard model. In this paper, we propose a new fuzzy IBE scheme which achieves IND-FID-CCA2 security in the standard model with a tight reduction. Moreover, the size of public parameters is independent of the number of attributes associated with an identity.

Pengtao Liu,Chengyu Hu,Shanqing Guo,Yilei Wang

DOI: https://doi.org/10.1109/waina.2015.27

2017-01-01

International Journal of High Performance Computing and Networking

Abstract:Memory attacks, inspired by recent realistic physical attacks, have broken many cryptographic schemes which were considered secure. In this paper, we consider the memory leakage resilience in anonymous identity-based encryption schemes. We construct a leakage-resilient anonymous identity based encryption scheme based on dual system encryption. Inspired by Lewko et al.'s techniques, our scheme is built in composite order groups which have four prime order subgroups and blind the public parameters and cipher texts using the random elements of same subgroup to achieve the anonymity. Moreover, we analyze the security of our scheme in the full adaptive-ID model rather than the selective-ID model.

Qiqi Lai,Feng-Hao Liu,Zhedong Wang

DOI: https://doi.org/10.1007/s10623-024-01358-1

IF: 1.4

2024-02-25

Designs Codes and Cryptography

Abstract:We derive the first adaptively secure identity-based encryption ( ) and attribute-based encryption ( ) for t -conjunctive normal form formula (t-CNF), and selectively secure for general circuits from lattices, with leakage rates, in the both relative leakage model and bounded retrieval model ( ). To achieve this, we first identify a new fine-grained security notion for —partially adaptive/selective security, and instantiate this notion from the learning with errors ( ) assumption. Then, by using this notion, we design a new key compressing mechanism for identity-based/attributed-based weak hash proof system ( / - ) for various policy classes, achieving (1) succinct secret keys and (2) adaptive/selective security matching the existing non-leakage resilient lattice-based designs. Using the existing connection between weak hash proof system and leakage resilient encryption, the succinct-key / -  can yield the desired leakage resilient / schemes with the optimal leakage rates in the relative leakage model. Finally, by further improving the prior analysis of the compatible locally computable extractors, we can achieve the optimal leakage rates in the .

mathematics, applied,computer science, theory & methods