Lin Lyu,Shengli Liu,Shuai Han

DOI: https://doi.org/10.1093/comjnl/bxx080

2017-01-01

Abstract:In a selective-opening, chosen-ciphertext attack (SO-CCA) against a public key encryption scheme (PKE scheme), a probabilistic polynomial time (PPT) adversary obtains a vector of challenge ciphertexts, has access to a decryption oracle, adaptively selects to open some of the challenge ciphertexts and sees the corresponding messages together with the random coins. The simulation-based, selective-opening security against chosen-ciphertext attacks (SIM-SO-CCA security) protects the security of the unopened messages in a semantic way, i.e. it requires that the output of the adversary can be simulated by a simulator who sees only the opened messages. In particular, all information that the adversary can get from the unopened messages can also be simulated from the opened messages alone by the simulator. All security proofs of the available PKEs achieving SIM-SO-CCA security are not tight, and the security loss depends either on the number of challenge ciphertexts or on the number of decryption queries. In this work, we present the first PKE scheme which achieves SIM-SO-CCA security with a tight reduction to standard assumptions. This partially solves the open problem proposed by Hofheinz in EuroCrypt 2012.

Lin Lyu,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-76578-5_3

2018-01-01

Abstract:Selective opening security (SO security) is desirable for public key encryption (PKE) in a multi-user setting. In a selective opening attack, an adversary receives a number of ciphertexts for possibly correlated messages, then it opens a subset of them and gets the corresponding messages together with the randomnesses used in the encryptions. SO security aims at providing security for the unopened ciphertexts. Among the existing simulation-based, selective opening, chosen ciphertext secure (SIM-SO-CCA secure) PKEs, only one (Libert et al. Crypto'17) enjoys tight security, which is reduced to the Non-Uniform LWE assumption. However, their public key and ciphertext are not compact.In this work, we focus on constructing PKE with tight SIM-SO-CCA security based on standard assumptions. We formalize security notions needed for key encapsulation mechanism (KEM) and show how to transform these securities into SIM-SO-CCA security of PKE through a tight security reduction, while the construction of PKE from KEM follows the general framework proposed by Liu and Paterson (PKC'15). We present two KEM constructions with tight securities based on the Matrix Decision Diffie-Hellman assumption. These KEMs in turn lead to two tightly SIM-SO-CCA secure PKE schemes. One of them enjoys not only tight security but also compact public key.

Shengli Liu,Fangguo Zhang,Kefei Chen

DOI: https://doi.org/10.1002/cpe.3021

2013-01-01

Abstract:SUMMARYChosen‐ciphertext security has been well‐accepted as a standard security notion for public‐key encryption. But in a multi‐user surrounding, it may not be sufficient, because the adversary may corrupt some users to obtain the random coins as well as the plaintexts used to generate ciphertexts. The attack is named ‘selective opening attack’. We study how to achieve full‐fledged chosen‐ciphertext security in selective opening setting directly from the Decisional Diffie–Hellman assumption. Our construction is actually a tag‐based public‐key encryption scheme free of chameleon hashing and has a tight security reduction to the Decisional Diffie–Hellman assumption and the collision‐resistant assumption of hash functions. The tag for each ciphertext is generated in a flexible way to serve the chosen‐ciphertext security proof in selective opening settings. Copyright © 2013 John Wiley & Sons, Ltd.

Shengli Liu,Kenneth G. Paterson

DOI: https://doi.org/10.1007/978-3-662-46447-2_1

2015-01-01

Abstract:We study simulation-based, selective opening security against chosen-ciphertext attacks (SIM-SO-CCA security) for public key encryption (PKE). In a selective opening, chosen-ciphertext attack (SO-CCA), an adversary has access to a decryption oracle, sees a vector of ciphertexts, adaptively chooses to open some of them, and obtains the corresponding plaintexts and random coins used in the creation of the ciphertexts. The SIM-SO-CCA notion captures the security of unopened ciphertexts with respect to probabilistic polynomial-time (ppt) SO-CCA adversaries in a semantic way: what a ppt SO-CCA adversary can compute can also be simulated by a ppt simulator with access only to the opened messages. Building on techniques used to achieve weak deniable encryption and non-committing encryption, Fehr et al. (Eurocrypt 2010) presented an approach to constructing SIM-SO-CCA secure PKE from extended hash proof systems (EHPSs), collision-resistant hash functions and an information-theoretic primitive called Cross Authentication Codes (XACs). We generalize their approach by introducing a special type of Key Encapsulation Mechanism (KEM) and using it to build SIM-SO- CCA secure PKE. We investigate what properties are needed from the KEM to achieve SIM-SO-CCA security. We also give three instantiations of our construction. The first uses hash proof systems, the second relies on the n-Linear assumption, and the third uses indistinguishability obfuscation (iO) in combination with extracting, puncturable Pseudo-Random Functions in a similar way to Sahai and Waters (STOC 2014). Our results establish the existence of SIM-SO-CCA secure PKE assuming only the existence of one-way functions and iO. This result further highlights the simplicity and power of iO in constructing different cryptographic primitives.

Shengli Liu,Fangguo Zhang,Kefei Chen

DOI: https://doi.org/10.1007/978-3-642-34601-9_8

2012-01-01

Abstract:Chosen-ciphertext security has been well-accepted as a standard security notion for public key encryption. But in a multi-user surrounding, it may not be sufficient, since the adversary may corrupt some users to get the random coins as well as the plaintexts used to generate ciphertexts. The attack is named "selective opening attack". We study how to achieve full-fledged chosen-ciphertext security in selective opening setting directly from the DDH assumption. Our construction is free of chameleon hashing, since tags are created for encryptions in a flexible way to serve the security proof.

Xianhui Lu,Jiang Zhang

DOI: https://doi.org/10.1093/nsr/nwab090

IF: 20.6

2021-05-24

National Science Review

Abstract:The invention of public-key cryptography (PKC) by Diffie and Hellman in 1976 is one of two milestones marking the beginning of modern cryptography. The security of a PKC system requires that it should be infeasible to compute the private key from a given public key, which in turn is typically guaranteed by the difficulty in solving some cryptographic-friendly mathematical problems. Among those problems, the integer factorization and discrete logarithm problems play pivotal roles in the development of public-key cryptography. In particular, the assumption that there is no polynomial time (classical) algorithm that solves the above two problems constitutes the basis for the security of almost all currently used public-key cryptosystems, such as RSA and ElGamal. However, Shor [1] found an efficient quantum solving algorithm for the integer factorization and discrete logarithm problems in 1994, which would destroy the security basis for most real deployed PKC systems if large-scale quantum computers become available. The rapid development of quantum technology in recent years suggests that we are getting closer to the quantum crisis of current PKC systems.

multidisciplinary sciences

Yi-Fan Tseng,Zi-Yuan Liu,Raylin Tso

DOI: https://doi.org/10.1007/s10623-023-01354-x

IF: 1.4

2024-01-21

Designs Codes and Cryptography

Abstract:With the rise of cloud computing, multi-user scenarios have become a common setting for data sharing nowadays. The conservative security notion might not be sufficient for such a data sharing model. As a response to this challenge, there has been significant research targeting security against receiver selective-opening (RSO) attacks. However, we found that none of these studies discuss RSO security specifically for predicate encryption (PE)—an encryption mechanism naturally designed for multi-user data sharing. This manuscript first formalizes the RSO security for PE. We then present a generic PE construction that achieves RSO security based on the simulation-based definition. Our work also features several instantiations for various predicate families, including attribute-based encryption for the monotone span program, which is known as one of the most expressive PE.

mathematics, applied,computer science, theory & methods

Shi-Feng Sun,Shuai Han,Dawu Gu,Shengli Liu

DOI: https://doi.org/10.1049/iet-ifs.2015.0195

2016-01-01

IET Information Security

Abstract:The authors present a new general construction of public key encryption (PKE) based on the restricted subset membership (RSM) assumption, which can achieve the bounded-memory leakage resilient security and the auxiliary-input leakage resilient security simultaneously. The construction is BHHO-type, as Brakerski et al. work, but the message space is much larger and the proof is more concise benefiting from the RSM assumption. Instantiating the construction with the QR assumption, the authors get the first QR-based auxiliary-input secure PKE with a larger message space than {0,1}. Moreover, the authors generalise the Goldreich-Levin theorem to large rings. This theorem helps to improve the construction to achieve the same security level with fewer public parameters and shorter ciphertexts compared with Brakerski et al. work. For the bounded-memory leakage resilient security, the construction can achieve leakage rate of 1-o(1) and avoid the dependence between the message length and the amount of leakage. Based on the general construction, the authors also can achieve both bounded-memory leakage resilient chosen ciphertext attack (CCA) security and the auxiliary-input leakage resilient CCA security via the well-known Naor-Yung paradigm.

Yao Lu,Rui Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-36334-4_5

2013-01-01

Abstract:In CT-RSA 2010, Yang et al. suggested a new category of probabilistic public-key encryption (PKE) schemes, called public-key encryption with equality test (PKET), which supports searching on ciphertexts without decrypting them. Typical applications include management of encrypted data in an outsourced database. They presented a construction in bilinear groups, and proved that it is one-way against chosen ciphertext attack (OW-CCA) in the random oracle model. We argue that OW-CCA security may be too weak for database applications, because partial information leakage from the ciphertext is not considered in the model. In this paper, we revisit the security models for PKET, and introduce a number of new security definitions. To remark, the weakest of our definitions is still stronger than OW-CCA. We then investigate relations among these security definitions. Finally, to illustrate the usefulness of our definitions, we analyze the security of a PKET scheme [24], showing the scheme actually provides much stronger security than that was proven previously.

NI Jianbing,YU Yong,Qi XIA,Lei NIU

2012-01-01

Journal of Information and Computational Science

Abstract:Public key encryption with keyword search (PEKS) is a novel cryptographic primitive enabling one to search encrypted data while keeping the security of the original data. Recently, Hu et al. found that the PEKS with a designated tester (dPEKS) due to Rhee et al. suffers from keyword guessing attack and proposed two enhanced schemes. These schemes were claimed as being provably secure against chosen keyword attack and off-line keyword guessing (KG) attack. However, in this paper, we demonstrate that Hu’s dPEKS is still insecure by demonstrating keyword guessing attack where a malicious server can guess the keyword with the trapdoor. We also discuss the impossibility to construct secure dPEKS schemes against a malicious server’s KG attack, when the candidate keywords are from some polynomial size of dictionary.

Junzuo Lai,Robert H. Deng,Shengli Liu,Jian Weng,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-642-55220-5_5

2015-01-01

Abstract:Security against selective opening attack (SOA) requires that in a multi-user setting, even if an adversary has access to all ciphertexts from users, and adaptively corrupts some fraction of the users by exposing not only their messages but also the random coins, the remaining unopened messages retain their privacy. Recently, Bellare, Waters and Yilek considered SOA-security in the identity-based setting, and presented the first identity-based encryption (IBE) schemes that are proven secure against selective opening chosen plaintext attack (SO-CPA). However, how to achieve SO-CCA security for IBE is still open. In this paper, we introduce a new primitive called extractable IBE and define its IND-ID-CCA security notion. We present a generic construction of SO-CCA secure IBE from an IND-ID-CCA secure extractable IBE with "One-Sided Public Openability"(1SPO), a collision-resistant hash function and a strengthened cross-authentication code. Finally, we propose two concrete constructions of extractable 1SPO-IBE schemes, resulting in the first simulation-based SO-CCA secure IBE schemes without random oracles.

Shuai Han,Shengli Liu,Lin Lyu,Dawu Gu

DOI: https://doi.org/10.1093/comjnl/bxy074

2018-01-01

Abstract:F-Related-Key Attacks (RKAs) allow an adversary to tamper the key k stored in a cryptographic device by specifying related-key deriving (RKD) functions f in F and subsequently learn the outcome of the device under related keys f (k). In this paper, we present RKA secure public-key encryption (PKE) and symmetric encryption (SE) schemes admitting a tight security reduction to the standard s-Linear assumption. The security loss depends only on the security parameter and is independent of the number of tampering queries made by the adversary. Our encryption schemes are resilient to RKAs w. r. t. the set of restricted affine functions F-raff, of which the set of linear functions. lin is a subset F-lin In particular, Our encryption schemes serve as the first ones possessing tight RKA security for a non-trivial RKD function class. under standard assumptions. Moreover, our encryption schemes enjoy tight super-strong RKA securities, which are the strongest ones among the existing RKA security notions.

Lixue Sun,Chunxiang Xu,Mingwu Zhang,Kefei Chen,Hongwei Li

DOI: https://doi.org/10.1007/s11432-017-9124-0

2017-01-01

Science China Information Sciences

Abstract:Public key encryption with keyword search (PEKS) enables one to search encrypted data containing some keyword without decrypting the data in public key setting.Boneh et al.[1] introduced the notion of PEKS,but later Byun et al.[2] showed the scheme in [1] is vulnerable to the outsider/insider kcyword guessing attacks (KGA).Many previous PEKS studies have tackled the problem of keyword privacy against outsider KGA,while how to ensure keyword privacy against insider KGA launched by an untrusted cloud sever receives little attention.Moreover,the majority of PEKS schemes assume that the cloud server is honest-but-curious.In other researches,the server will honestly execute the search protocol and only attempt to infer sensitive information about the users.However,it is not always the case in the real world.The cloud server may be malicious,which may not honestly perform the search operation.

Changsong Jiang,Chunxiang Xu,Zhao Zhang,Kefei Chen

DOI: https://doi.org/10.1109/TCC.2023.3266459

IF: 5.697

2023-01-01

IEEE Transactions on Cloud Computing

Abstract:Public key encryption with keyword search (PEKS) provides secure searchable data encryption in cloud storage. Users can outsource encrypted data and keywords to a cloud server, and search target one without disclosing sensitive information. To achieve resistance against off-line keyword guessing attacks, existing practical PEKS schemes employ independent key server(s) to assist users in producing keywords to be encrypted (called server-derived keywords) in an online manner. In this article, we analyze server-aided PEKS schemes and reveal a potential threat: vulnerability against subversion attacks, where algorithms in server-aided PEKS might be maliciously implemented to undermine security. In a subverted encryption implementation, a subliminal channel is established to control randomness generation such that biased ciphertexts covertly leak plaintext information. We further present a specific subversion attack against generation of server-derived keywords to violate keywords’ confidentiality. To address these issues, we propose SR-PEKS, a subversion-resistant PEKS scheme based on cryptographic reverse firewalls (CRF). In SR-PEKS, CRF sanitizes messages transmitted in server-derived keyword generation to resist the presented subversion attack. CRF also participates in a collaborative randomness generation protocol to yield unbiased randomness for encryption, thereby eliminating the subliminal channel. Provable security and high efficiency of SR-PEKS are demonstrated by comprehensive analyses and performance evaluations.

Zhengan Huang,Shengli Liu,Baodong Qin,Kefei Chen

DOI: https://doi.org/10.1109/INCoS.2013.69

2013-01-01

Abstract:There are two main approaches to achieve selective opening chosen-cipher text security (SO-CCA security): lossy encryption (including all-but-many lossy trapdoor functions) and sender-equivocable encryption. The second approach was proposed in Eurocrypt 2010 by Fehr et al., who proved that sender equivocability under chosen-cipher text attacks (NC-CCA security) implies SO-CCA security. They also proposed a new primitive called ``cross-authentication code'', and used it to construct a public-key encryption (PKE) scheme (the FHKW scheme) achieving NC-CCA security. However, recently in PKC 2013, Huang et al. pointed out that the properties of cross-authentication code cannot guarantee the NC-CCA security of the FHKW scheme, i.e., the security proof of the FHKW scheme is flawed. In this paper, we propose the notion of ``strong cross-authentication code'', which helps to fix the security proof of the FHKW scheme. This strong notion captures the ability of a cross-authentication code to efficiently generate a new key, based on all the other keys and the cross-authentication tag, such that the new key is statistically indistinguishable from the original key. With this code as a building block, we construct a new version of the FHKW scheme, and prove it to be NC-CCA secure for multi-bit plaintexts. Our work makes possible the instantiation of simulation-based SO-CCA secure PKE with a multi-bit message space from NC-CCA secure PKEs.

Shi-Feng Sun,Joseph K. Liu,Yu,Baodong Qin,Dawu Gu

DOI: https://doi.org/10.1093/comjnl/bxw025

2016-01-01

Abstract:Related-key attacks (RKAs) are a flavor of powerful physical attacks, which allow an adversary to modify the secret key stored in a cryptographic device and subsequently observe the effect of such modifications on the output of the device. Designing secure encryption schemes against such attacks is a challenging task, especially for a large class of such physical attacks which are usually captured by related-key derivation functions. In this work, we achieve the security of public key encryptions (PKEs) against a new and broad function class that consists of almost all efficiently invertible functions in two different ways. Specifically, we first give a generic construction of PKE which is proven secure against such a broad function class under the standard chosen-ciphertext security. Moreover, we present two practical concrete constructions, both of which are shown to be secure against such function class under standard assumptions in the standard model. At last, we give a detailed performance analysis, which shows that our constructions can not only resist to a large class of RKAs but also achieve a good efficiency.

Jianting Ning,Jia Xu,Kaitai Liang,Fan Zhang,Ee-Chien Chang

DOI: https://doi.org/10.1109/tifs.2018.2866321

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Searchable encryption (SE) provides a privacy-preserving mechanism for data users to search over encrypted data stored on a remote server. Researchers have designed a number of SE schemes with high efficiency yet allowing some degree of leakage profile to the remote server. The leakage, however, should be further measured to allow us to understand what types of attacks an SE scheme would encounter. This paper considers passive attacks that make inferences based on prior knowledge and observations on queries issued by users. This is in contrast to previously studied active attacks that adaptively inject files and queries. We consider several assumptions on the types or prior knowledge the attacker possessed and propose a few passive attacks. In particular, under the "full-fledged" assumption, the keyword recovery rate of our attack is optimal in the sense that it is equal to the theoretical upper bound. We further present several enhanced attacks under other weaker assumptions on various levels of the prior knowledge that the attacker can obtain, in which the keyword recovery rates are optimal or nearly optimal (i.e., approaching the theoretical upper bound). In addition, we provide extensive experiments to show the "power" of our passive attacks. This paper highlights the importance of minimizing the prior knowledge of a server and the leakage of search queries. It also shows that simply distorting the frequency of the keyword to hold against our passive attacks may not scale well.

Shifeng Sun,Dawu Gu,Man Ho Au,Shuai Han,Yu Yu,Joseph K. Liu

DOI: https://doi.org/10.1007/978-3-030-21568-2_24

2019-01-01

Abstract:We revisit the problem of constructing public key encryption (PKE) secure against both key-leakage and tampering attacks. First, we present an enhanced security against both kinds of attacks, namely strong leakage and tamper-resilient chosen-ciphertext (sLTR-CCA) security, which imposes only minimal restrictions on the adversary's queries and thus captures the capability of the adversary in a more reasonable way. Then, we propose a generic paradigm achieving this security on the basis of a refined hash proof system (HPS) called public-key-malleable HPS. The paradigm can not only tolerate a large amount of bounded key-leakage, but also resist an arbitrary polynomial of restricted tampering attacks, even depending on the challenge phase. Moreover, the paradigm with slight adaptations can also be proven sLTR-CCA secure with respect to subexponentially hard auxiliary-input leakage. In addition, we instantiate our paradigm under certain standard number-theoretic assumptions, and thus, to our best knowledge, obtain the first efficient PKE schemes possessing the strong bounded/auxiliary-input leakage and tamper-resilient chosen-ciphertext security in the standard model.

Shuai Han,Shengli Liu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-57728-4_1

2024-01-01

Abstract:In this paper, we study the design of efficient signature and public-key encryption (PKE) schemes in the presence of both leakage and tampering attacks. Firstly, we formalize the strong leakage and tamper-resilient (sLTR) security model for signature, which provides strong existential unforgeability, and deals with bounded leakage and restricted tampering attacks, as a counterpart to the sLTR security introduced by Sun et al. (ACNS 2019) for PKE. Then, we present direct constructions of signature and chosen-ciphertext attack (CCA) secure PKE schemes in the sLTR model, based on the matrix decisional Diffie-Hellman (MDDH) assumptions (which covers the standard symmetric external DH (SXDH) and k-Linear assumptions) over asymmetric pairing groups. Our schemes avoid the use of heavy building blocks such as the true-simulation extractable non-interactive zero-knowledge proofs (tSE-NIZK) proposed by Dodis et al. (ASIACRYPT 2010), which are usually needed in constructing schemes with leakage and tamper-resilience. Especially, our SXDH-based signature and PKE schemes are more efficient than the existing schemes in the leakage and tamper-resilient setting: our signature scheme has only 4 group elements in the signature, which is about 5x similar to 8x shorter, and our PKE scheme has only 6 group elements in the ciphertext, which is about 1.3x similar to 3.3x shorter. Finally, we note that our signature scheme is the first one achieving strong existential unforgeability in the leakage and tamper-resilient setting, where strong existential unforgeability has important applications in building more complex primitives such as signcryption and authenticated key exchange.

D DOLEV,AC YAO

DOI: https://doi.org/10.1109/tit.1983.1056650

IF: 2.5

1983-01-01

IEEE Transactions on Information Theory

Abstract:Recently the use of public key encryption to provide secure network communication has received considerable attention. Such public key systems are usually effective against passive eavesdroppers, who merely tap the lines and try to decipher the message. It has been pointed out, however, that an improperly designed protocol could be vulnerable to an active saboteur, one who may impersonate another user or alter the message being transmitted. Several models are formulated in which the security of protocols can be discussed precisely. Algorithms and characterizations that can be used to determine protocol security in these models are given.