Willy Susilo obtained his Bachelor's degree in Computer Science from Universitas Surabaya, Indonesia, with a "Summa Cum Laude" predicate. He received his Master's and Doctor of Philosophy degrees from UOW in 1996 and 2001, respectively. His main research interests include cryptography and computer security, in particular the design of signature schemes. He was promoted to Professor in the School of Computer Science and Software Engineering, University of Wollongong, in 2009. Prior to his prestigious ARC Future Fellow role, he was the Head of School of SCSSE, Deputy Director of the ICT Research Institute and the Academic Program Director for UoW (Singapore). He is currently the Head of the School of Computing and Information Technology. He is also the Director of the Institute of Cybersecurity and Cryptology.
Phone: +61-2-4221-5535
Address: School of Computer Science and Software Engineering, University of Wollongong, Northfields Avenue, Wollongong NSW 2522, AUSTRALIA
In this paper, we investigate the security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model where the adversary is supposed to be able to corrupt a single random bit of the internal state of the cipher and this fault induction process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we show how to identify the exact position of faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. Then, we determine suitable rounds for effective fault inductions by analyzing distributions of low-degree (mainly, linear and quadratic) polynomial equations obtainable using the cube and extended cube attack techniques. The complexity of our attack on KATAN32 is 2^59 computations and about 115 fault injections. For KATAN48 and KATAN64, the attack requires 2^55 computations (for both variants), while the required number of fault injections is 211 and 278, respectively.
Personal Digital Assistants (PDAs) have become one of the important tools in our life. Their popularity is due to their small size and mobility, which enable them to be carried anywhere. Along with their popularity, handheld devices are starting to become a target for attackers, who are mainly interested in obtaining the data stored on them. Therefore, the security of handheld devices has attracted a lot of attention in an effort to protect the sensitive information they store. Securing handheld devices is a daunting task. It requires a careful design, since the devices have very limited computational power and battery life. In this paper, we aim to review the security threats to handheld computers and propose several possible solutions. We performed some experiments to test our proposed solution on an iPaq Pocket PC.
Identity-based encryption with equality test supporting flexible authorization (IBEET-FA) allows the equality test of the underlying messages of two ciphertexts while strengthening privacy protection by allowing users (identities) to control the comparison of their ciphertexts with others. IBEET by itself has a wide range of useful application domains, such as keyword search on encrypted data, database partitioning for efficient encrypted data management, personal health record systems, and spam filtering in encrypted email systems. Flexible authorization further enhances the privacy protection of IBEET. In this paper, we propose an efficient construction of an IBEET-FA system based on the hardness of the learning with errors (LWE) problem. Our security proof holds in the standard model.
The most important problem in identity-based cryptosystems is the issue of user revocation. One of the existing solutions in the literature is to issue extra time keys periodically for every non-revoked user over public channels. Unfortunately, this solution is inefficient and very impractical when applied to the cloud, because the scheme requires different time keys to allow data decryption for different time periods, and therefore the user has to keep a long list of time keys, which grows linearly with time. Furthermore, it is worth noting that ciphertexts produced prior to the revocation will remain available to the revoked users, which is undesirable for most application scenarios. To the best of our knowledge, there is no existing work that can solve both of the aforementioned problems simultaneously in a practical manner. In this paper, we present an efficient solution called ciphertext evolution. The ciphertexts evolve into new ones with the cloud's aid and the old ones are deleted. At any time, the data user has to use its current decryption key to decrypt ciphertexts in the cloud. So, all the past time keys become invalid and the user only needs to keep the current one. If the user is revoked, it cannot decrypt any ciphertext in the cloud because it does not have the current time key. We present generic and concrete constructions of revocable identity-based encryption with ciphertext evolution (RIBE-CE), which are proven secure in the IND-CPA security model. Subsequently, we also extend RIBE-CE to the broadcast setting by giving generic and concrete constructions of revocable identity-based broadcast encryption with ciphertext evolution, which are secure under the IND-sID-CPA security model. Our schemes can be applied to (group) data sharing, which is very practical and applicable in the cloud setting.
Database encryption is essential for cloud database systems. For a large database, decryption could take a lot of computational time. Therefore, verifying that an encryption contains a correct plaintext without decryption becomes significant for a large database system. Plaintext-checkable encryption (PCE), first proposed by Canard et al. at CT-RSA 2012, is a potential tool for such database systems. Although generic PCE in the random oracle model has been studied intensively, generic PCE in the standard model and its efficient implementation are still challenging problems. This paper presents the first generic PCE in the standard model using a smooth projective hash function (SPHF) and proves its s-priv1-cca security, which is independent of the current unlink security. Based on the SPHF instantiated from the DDH assumption, we obtain the most efficient PCE in the standard model, without any pairing operation. Finally, we improve two existing generic constructions in the random oracle model so that they are secure under chosen ciphertext attack.
It is inevitable and evident that outsourcing complicated, intensive tasks to public cloud vendors will be the primary option for resource-constrained clients in order to save cost. Unfortunately, public cloud vendors are usually untrusted. They may inadvertently leak data or misuse the user's data, compromise the user's privacy, or intentionally corrupt computational results to make the system unreliable. It is therefore important to stop this from happening while embracing the computational power of public cloud vendors. Non-negative matrix factorization (NMF) is a significant method for data dimension reduction, which has been widely used in large-scale data processing. Nevertheless, due to its non-polynomial hardness, NMF cannot be conducted efficiently using local computation resources, especially when dealing with big data. Motivated by this issue, we present a novel outsourced scheme for NMF (O-NMF), which aims to lessen clients' computing burden and tackle the security problems faced by outsourcing NMF. In particular, based on two non-colluding servers, O-NMF exploits Paillier homomorphism to preserve data privacy. Additionally, O-NMF provides a verification mechanism to assist clients in verifying returned results with high probability. A security analysis and an experimental evaluation demonstrating the validity and practicality of O-NMF are also provided in this work.
IEEE Transactions on Information Forensics and Security, Mar 1, 2016
Comments on "Public integrity auditing for dynamic data sharing with multiuser modification"
Tightly secure signatures play a significant role in cryptographic research and have been studied extensively in the literature. In this paper, we present a generic construction for tightly-secure signatures from the discrete log (DL) assumption in the existential-unforgeability against key only attacks (EUF-KOA) security model, where the adversary is allowed to obtain only the public key, but not any sample signature. Moreover, the generic construction can also be extended to the multi-user setting with corruptions (MU-C) model. Roughly speaking, given any signature scheme, we can efficiently convert it into a signature scheme that features tight security under the DL assumption in the MU-EUF-KOA-C security model with random oracles. Our transformation shows that it is easy to construct a DL-equivalent signature in the EUF-KOA security model, although many known DL-based signatures are not equivalent to DL. If the given signature scheme is key-re-randomizable, the transformed scheme is also key-re-randomizable. Hence, our result provides a supplement to Bader et al.'s work (EUROCRYPT 2016).
Public key encryption with equality test (PKEET) can check whether two ciphertexts are encryptions of the same message without decryption. This property enables PKEET to be increasingly utilized in cloud storage, where users store their encrypted data on the cloud. In traditional PKEET, the tester is authorized by the data receiver to perform the equality test on its ciphertexts. However, with one authorization the tester can test only one ciphertext or all ciphertexts of one receiver. This means that the receiver cannot adaptively authorize the test right for an arbitrary number of ciphertexts to the tester. A trivial solution is to authorize one ciphertext at a time and repeat this multiple times. The size of the trapdoor in this method is linear in the number of authorized ciphertexts, which incurs a storage burden for the tester. To solve the aforementioned problem, we propose the concept of PKEET supporting partial authentication (PKEET-PA). We then instantiate the concept as a lightweight PKEET-PA scheme, which achieves a constant-size trapdoor. In addition, we prove the security of our PKEET-PA scheme against two types of adversaries. Compared with other PKEET schemes that can be used in the trivial solution, our PKEET-PA is more efficient in the receivers' computation and has a smaller trapdoor size.
A certificateless aggregate signature scheme saves the cost of complicated certificate management in PKI and compresses many signatures on different messages signed by different users into one single signature. It is originally required to be secure against a conspiring group of malicious signers (type I adversary) and against a malicious KGC (type II adversary). In this paper, we define a novel, fundamental type of adversary for certificateless aggregate signature schemes, the type III adversary, called the malicious KGC & Signers Coalition, which can break the Zhang-Zhang scheme. We also propose two new certificateless aggregate signature schemes which are provably secure against all three types of adversary.
Cloud computing enjoys a "pay-per-use model for enabling available, convenient and on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (NIST). Cloud Storage vs. Data Integrity. Data flow.
In this paper, we propose an identity-based strong designated verifier signature scheme. Firstly, we provide a generic construction of such schemes. We show that the generic construction satisfies all the requirements of identity-based strong designated verifier ...
IEEE Transactions on Information Forensics and Security, Dec 1, 2015
To prevent illegal users from accessing the database and to protect users' privacy, oblivious transfer with access control (AC-OT) was proposed. In an AC-OT scheme, the database provider can encrypt the records and publish the corresponding access control lists (ACLs). Prior to accessing the records, a user needs to obtain anonymous credentials from the issuer. Subsequently, an authorized user can obtain the intended records without the database provider knowing its choices. Although AC-OT schemes have shown a lot of merits, there are some practical issues: (1) one of the inherited problems of anonymous credentials is timely revocation; (2) how to prevent malicious users from overusing the records. In this paper, we propose an accountable AC-OT (AAC-OT) scheme to address these issues. In our scheme, an authorized user can access the protected records without the database provider knowing his personal information and choices if (1) he has obtained the required credentials listed in the ACLs, and (2) the number of accesses for each record is no more than the specified bound. Notably, the database provider can trace and revoke a user who has overused the records even within the lifetime of his credentials. To the best of our knowledge, this is the first AC-OT scheme in which timely revocation and overuse detection are considered.
Attribute-based encryption (ABE) is an augmentation of public key encryption that allows users to encrypt and decrypt messages based on users' attributes. In a (t, s) threshold ABE, users who can decrypt a ciphertext must hold at least t attributes among the s attributes specified by the encryptor. At PKC 2010, Herranz, Laguillaumie and Ràfols proposed the first threshold ABE with constant-size ciphertexts. In order to ensure that the encryptor can flexibly select the attribute set and a threshold value, they use dummy attributes to satisfy the decryption requirement. The advantage of their scheme is that any addition or removal of attributes will not require any change to users' private keys or public parameters. Unfortunately, the need for dummy attributes makes their scheme inefficient, since the computational cost of encryption is linear in the combined size of the selected attribute set and the dummy attribute set. In this work, we improve Herranz et al.'s work and propose a new threshold ABE scheme which does not use any dummy attribute. Our scheme not only retains the nice feature of Herranz et al.'s scheme, but also offers two improvements over the previous work. Firstly, the computational costs of encryption and decryption are only linear in the size of the selected attribute set. Secondly, without any dummy attribute, most of the computations can be conducted without knowledge of the threshold t. Hence, a threshold change in the encryption phase does not require complete recomputation of the ciphertext.
A tightly secure scheme has a security reduction whose loss is a small constant. Identity-based signature (IBS) is an important cryptographic primitive, and tightly secure IBS schemes enjoy the advantage that the security parameter can be optimal for a given security level. General constructions of IBS schemes (Bellare, M., Namprempre, C., and Neven, G. (2004) Security Proofs for Identity-Based Identification and Signature Schemes. In Proc. EUROCRYPT 2004, May 2–6, pp. 268–286. Springer, Berlin, Interlaken, Switzerland; Galindo, D., Herranz, J., and Kiltz, E. (2006) On the Generic Construction of Identity-Based Signatures With Additional Properties. In Proceedings of ASIACRYPT 2006, December 3–7, pp. 178–193. Springer, Berlin, Shanghai, China) and their security have been extensively studied. However, their security is not tight, and how to generally construct a tightly secure IBS scheme remains unknown. In this paper, we concentrate on general constructions of IBS schemes. We first take an insight into previous constructions and analyze the reason why they cannot achieve tight security. To further study possible tightly secure constructions, we propose another general construction, which can be seen as a different framework for IBS schemes. Our construction requires two traditional signature schemes, whereas the construction by Bellare et al. uses one scheme in a two-round iteration. There are no additional operations in our general construction. Its main advantage is providing the possibility of achieving tight security for IBS schemes in the random oracle model. Combining two known signature schemes, we present an efficient IBS scheme with tight security as an example.
We put forward a new cryptographic primitive called witness-based searchable encryption (WBSE): if w and x satisfy a witness relation, an encryption of (m, w) can be tested by a trapdoor of (m′, x) to determine whether the keyword m′ is equal to m. The benefit of this primitive is that it solves the challenging problem of keyword guessing attacks in public-key searchable encryption. We construct a WBSE scheme in a generic way using a smooth projective hash function (SPHF) as a building block and prove its WB-IND-CCA ciphertext security, WB-IND-TD trapdoor security and EUFT-CIA trapdoor unforgeability. Thanks to an efficient SPHF instantiation from the Decisional Diffie–Hellman (DDH) assumption, we obtain an efficient WBSE instance without any pairing operation.
In this paper, we investigate security of the KATAN family of block ciphers against differential ... more In this paper, we investigate security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model where the adversary is supposed to be able to corrupt a single random bit of the internal state of the cipher and this fault induction process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we show how to identify the exact position of faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. Then, we determine suitable rounds for effective fault inductions by analyzing distributions of low-degree (mainly, linear and quadratic) polynomial equations obtainable using the cube and extended cube attack techniques. The complexity of our attack on KATAN32 is 2 59 computations and about 115 fault injections. For KATAN48 and KATAN64, the attack requires 2 55 computations (for both variants), while the required number of fault injections is 211 and 278, respectively.
Personal Digital Assistants (PDAs) have become one of the important tools in our life. Their popu... more Personal Digital Assistants (PDAs) have become one of the important tools in our life. Their popularity are due to their small size and mobility which enable them to be carried anywhere. Along with their popularity, handheld devices are starting to become the target for the attackers, who are mainly interested in gaining the data stored in handheld devices. Therefore, security of handheld devices have attracted a lot of attention in an effort to protect the sensitive information stored in handheld devices. Securing handheld devices is a daunting task. It requires a careful design since the devices have very limited computational power and battery life. In this paper, we aim to review the security threats to handheld computers and propose several possible solutions. We performed some experiments to test our proposed solution in an iPaq Pocket PC.
Identity-based encryption with equality test supporting flexible authorization (IBEET-FA) allows ... more Identity-based encryption with equality test supporting flexible authorization (IBEET-FA) allows the equality test of underlying messages of two ciphertexts while strengthens privacy protection by allowing users (identities) to control the comparison of their ciphertexts with others. IBEET by itself has a wide range of useful applicable domain such as keyword search on encrypted data, database partitioning for efficient encrypted data management, personal health record systems, and spam filtering in encrypted email systems. The flexible authorization will enhance privacy protection of IBEET. In this paper, we propose an efficient construction of IBEET-FA system based on the hardness of learning with error (LWE) problem. Our security proof holds in the standard model.
The utmost important problem in identity-based cryptosystems is the issue of user revocation. One... more The utmost important problem in identity-based cryptosystems is the issue of user revocation. One of the existing solutions in the literature is to issue extra time keys periodically for every non-revoked user over public channels. Unfortunately, this solution is inefficient and very impractical when applying to the cloud. Because the scheme requires different time keys to allow data decryption for different time periods, and therefore the user has to keep a long list of time keys, which grows linearly with time. Furthermore, it is worth noting that ciphertexts produced prior to the revocation will remain available to the revoked users, which is undesirable for most application scenarios. To the best of our knowledge, there is no existing work that can solve both the aforementioned problems simultaneously in a practical manner. In this paper, we present an efficient solution called ciphertext evolution. The ciphertexts evolve to new ones with cloud's aid and the old ones are deleted. At any time, the data user has to utilize its current decryption key to decrypt ciphertexts in the cloud. So, all the past time keys become invalid and the user only needs to keep the current one. If the user is revoked, it cannot decrypt any ciphertext in the cloud because it does not have the current time key. We present generic and concrete constructions of revocable identity-based encryption with ciphertext evolution (RIBE-CE), which are proven based on the IND-CPA security model. Subsequently, we also extend RIBE-CE to the broadcast setting by giving generic and concrete constructions of revocable identitybased broadcast encryption with ciphertext evolution, which are secure under the IND-sID-CPA security model. Our schemes can be applied to the (group) data sharing, which is very practical and applicable to the cloud setting.
Database encryption is essential for cloud database systems. For a large database, decryption cou... more Database encryption is essential for cloud database systems. For a large database, decryption could take a lot of computational time. Therefore, verifying an encryption that contains a correct plaintext without decryption becomes significant for a large database system. Plaintext-checkable encryption (PCE) is a potential tool for such database systems, which is first proposed by Canard et al. in CT-RSA 2012. Although the generic PCE in the random oracle model has been studied intensively, the generic PCE in the standard model and its efficient implementation are still challenging problems. This paper presents the first generic PCE in the standard model using smooth projective hash function (SPHF) and prove its s-priv1-cca security, which is independent of current unlink security. Based on the instantiated SPHF from DDH assumption, we obtain the most efficient PCE in the standard model, without any pairing operation. Finally, we improve two existing generic constructions in the random oracle model so that they are secure under chosen ciphertext attack.
It is inevitable and evident that outsourcing complicated intensive tasks to public cloud vendors... more It is inevitable and evident that outsourcing complicated intensive tasks to public cloud vendors would be the primary option for resource-constrained clients in order to save cost. Unfortunately, the public cloud vendors are usually untrusted. They may inadvertently leak the data or misuse the user's data, compromise user's privacy or intentionally corrupt computational results to make the system unreliable. It is therefore important how to stop this happening whilst embracing the computational power of public cloud vendors. Non-negative matrix factorization (NMF) is a significant method for conducting data dimension reduction, which has been widely used in large-scale data processing. Nevertheless, due to its non-polynomial hardness, NMF cannot be conducted efficiently using local computation resources, especially when dealing with big data. Motivated by this issue, we address this by presenting a novel outsourced scheme for NMF (O-NMF), which aims to lessen clients' computing burden and tackle secure problems faced by outsourcing NMF. Particularly, based on two non-collusion servers, O-NMF exploits Paillier homomorphism to preserve data privacy. Additionally, O-NMF allows a verification mechanism to assist clients in verifying returned results with high probability. Security analysis and experimental evaluation demonstrates that the validity and practicality of O-NMF is also provided in this work.
IEEE Transactions on Information Forensics and Security, Mar 1, 2016
Comments on "public integrity auditing for dynamic data sharing with multiuser Comments on "publi... more Comments on "public integrity auditing for dynamic data sharing with multiuser Comments on "public integrity auditing for dynamic data sharing with multiuser modification" modification"
Abstract Tightly secure signature plays a significant role in the research of cryptography and ha... more Abstract Tightly secure signature plays a significant role in the research of cryptography and has been studied extensively in the literature. In this paper, we present a generic construction for tightly-secure signatures from the discrete log (DL) assumption in the existential-unforgeability against key only attacks (EUF-KOA) security model, where the adversary is allowed to obtain only the public key, but not any sample signature. Moreover, the generic construction can also be extended into the multi-user setting with corruptions (MU-C) model. Roughly speaking, given any signature scheme, we can efficiently convert it into a signature scheme that features tight security under the DL assumption in the MU-EUF-KOA-C security model with random oracles. Our transformation shows it is easy to construct a DL-equivalent signature in the EUF-KOA security model, although many known DL-based signatures are not equivalent to DL. If the given signature scheme is key-re-randomizable, the transformed scheme is also key-re-randomizable. Hence, our result provides a supplement to Bader et al.'s work (EUROCRYPT 2016).
Public key encryption with equality test (PKEET) can check whether two ciphertexts are encrypted ... more Public key encryption with equality test (PKEET) can check whether two ciphertexts are encrypted from the same message or not without decryption. This attribute enables PKEET to be increasingly utilized in cloud storage, where users store their encrypted data on the cloud. In traditional PKEET, the tester is authorized by the data receiver to perform equality test on its ciphertexts. However, the tester can only test one ciphertext or all ciphertexts of one receiver with one authorization. It means that the receiver cannot adaptively authorize the test right of any number of ciphertexts to the tester. A trivial solution is authorizing one ciphertext each time and repeating multiple times. The corresponding size of trapdoor in this method is linear with the number of authorized ciphertexts. This will incur storage burden for the tester. To solve the aforementioned problem, we propose the concept of PKEET supporting partial authentication (PKEET-PA). We then instantiate the concept to a lightweight PKEET-PA, which achieves constant-size trapdoor. Besides, we prove the security of our PKEET-PA scheme against two types of adversaries. Compared with other PKEET schemes that can be used in trivial solution, our PKEET-PA is more efficient in receivers’ computation and has lower trapdoor size.
A certificateless aggregate signature scheme saves cost from complicated certificate management i... more A certificateless aggregate signature scheme saves cost from complicated certificate management in PKI and compresses many signatures on different messages signed by different users to one single signature. It is originally required to be secure against a conspiring group of malicious signers (type I adversary) and against malicious KGC (type II adversary). In this paper, we define a novel fundamental type of adversary for certificateless aggregate signature schemes, type III adversary, called malicious KGC & Signers Coalition, who can break Zhang-Zhang scheme. We also propose two new certificateless aggregate schemes which are provably secure against all three types of adversary.
Clo d comp ting enjo s a "pa per se model for enabling-Cloud computing enjoys a "pay-per-use mode... more Clo d comp ting enjo s a "pa per se model for enabling-Cloud computing enjoys a "pay-per-use model for enabling available, convenient and on-demand network access to a shared pool of configurable computing resources (e.g., shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."-NIST NIST Cloud Storage Cloud Storage vs vs. Data Integrity. Data Integrity Data flow
In this paper, we propose an identity based strong designated verifier signature scheme. Firstly,... more In this paper, we propose an identity based strong designated verifier signature scheme. Firstly, we provide a generic construction of such schemes. We show that the generic construction satisfies all the requirements of identity based strong designated verifier ...
IEEE Transactions on Information Forensics and Security, Dec 1, 2015
To prevent unauthorized users from accessing a database and to protect users' privacy, oblivious transfer with access control (AC-OT) was proposed. In an AC-OT scheme, the database provider encrypts the records and publishes the corresponding access control lists (ACLs). Before accessing the records, a user obtains anonymous credentials from the issuer; an authorized user can then obtain the intended records without the database provider learning its choices. Although AC-OT schemes have many merits, some practical issues remain: (1) timely revocation, a problem inherited from anonymous credentials; and (2) preventing malicious users from overusing the records. In this paper, we propose an accountable AC-OT (AAC-OT) scheme to address these issues. In our scheme, an authorized user can access the protected records without the database provider learning his personal information or choices if (1) he has obtained the credentials listed in the ACLs and (2) the number of accesses to each record does not exceed the specified bound. Notably, the database provider can trace and revoke a user who overuses the records, even within the lifetime of his credentials. To the best of our knowledge, this is the first AC-OT scheme in which both timely revocation and overuse detection are considered.
Attribute-based encryption (ABE) is an augmentation of public key encryption that allows users to encrypt and decrypt messages based on users' attributes. In a (t, s) threshold ABE, a user who can decrypt a ciphertext must hold at least t of the s attributes specified by the encryptor. At PKC 2010, Herranz, Laguillaumie and Ràfols proposed the first threshold ABE with constant-size ciphertexts. To let the encryptor flexibly select the attribute set and the threshold value, they use dummy attributes to satisfy the decryption requirement. The advantage of their scheme is that adding or removing attributes requires no change to users' private keys or to the public parameters. Unfortunately, the need for dummy attributes makes their scheme inefficient, since the computational cost of encryption is linear in the size of the selected attribute set plus the dummy attribute set. In this work, we improve on Herranz et al.'s scheme and propose a new threshold ABE scheme that uses no dummy attributes. Our scheme retains the nice feature of Herranz et al.'s scheme and offers two improvements over the previous work. Firstly, the computational costs of encryption and decryption are linear only in the size of the selected attribute set. Secondly, without dummy attributes, most of the computation can be carried out without knowledge of the threshold t, so changing the threshold in the encryption phase does not require recomputing the whole ciphertext.
A tightly secure scheme has a security reduction whose loss is a small constant. Identity-based signature (IBS) is an important cryptographic primitive, and tightly secure IBS schemes enjoy the advantage that the security parameter can be chosen optimally for a given security level. General constructions of IBS schemes (Bellare, M., Namprempre, C., and Neven, G. (2004) Security Proofs for Identity-Based Identification and Signature Schemes. In Proc. EUROCRYPT 2004, May 2–6, pp. 268–286. Springer, Berlin, Interlaken, Switzerland; Galindo, D., Herranz, J., and Kiltz, E. (2006) On the Generic Construction of Identity-Based Signatures With Additional Properties. In Proc. ASIACRYPT 2006, December 3–7, pp. 178–193. Springer, Berlin, Shanghai, China) and their security have been extensively studied. However, their security is not tight, and how to generically construct a tightly secure IBS scheme remains unknown. In this paper, we concentrate on general constructions of IBS schemes. We first examine the previous constructions and analyze why they cannot achieve tight security. To study possible tightly secure constructions, we propose another general construction, which can be seen as a different framework for IBS schemes. Our construction requires two traditional signature schemes, whereas the construction by Bellare et al. uses one scheme in a two-round iteration. There are no additional operations in our general construction. Its main advantage is that it makes tight security for IBS schemes achievable in the random oracle model. Combining two known signature schemes, we present an efficient IBS scheme with tight security as an example.
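The construction the abstract attributes to Bellare, Namprempre and Neven, one signature scheme applied in two rounds, can be written down concretely. The block below is an added example and not code from the paper: the KGC signs the pair (ID, upk) to certify a fresh user key, and the user signs messages under that key, so an identity-based signature is the triple (upk, cert, sig). Schnorr is used for both rounds; the group parameters (p = 2039, q = 1019, g = 4) are toy-sized and insecure, chosen only so the block runs offline, and the identities and messages are made up. The block shows the construction itself; the (non-)tightness of its reduction, which is the paper's subject, is a property of the proof and is not visible in the code.

```python
# Added example: certificate-based generic IBS (one Schnorr scheme, two rounds).
# Toy parameters (assumption): p = 2q + 1 with q = 1019, g = 4 of order q. Insecure.
import hashlib, secrets

P, Q, G = 2039, 1019, 4

def _hash_to_zq(*parts):
    """Random-oracle stand-in: H(parts) reduced into Z_q."""
    h = hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()
    return int.from_bytes(h, "big") % Q

def keygen():
    """Schnorr key pair (sk, pk = g^sk)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(sk, msg):
    """Schnorr: R = g^k, e = H(R, m), s = k + e*sk mod q; signature (R, s)."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = _hash_to_zq(R, msg)
    return R, (k + e * sk) % Q

def verify(pk, msg, sig):
    """Accept iff g^s == R * pk^e with e = H(R, m)."""
    R, s = sig
    if not (0 < R < P and 0 <= s < Q):
        return False
    e = _hash_to_zq(R, msg)
    return pow(G, s, P) == R * pow(pk, e, P) % P

# ---- identity-based layer: round 1 is the KGC's certificate, round 2 the user's signature
def ibs_setup():
    """KGC master key pair (msk, mpk)."""
    return keygen()

def ibs_extract(msk, identity):
    """KGC binds a fresh user key to the identity by signing (ID, upk)."""
    usk, upk = keygen()
    cert = sign(msk, f"cert|{identity}|{upk}")
    return {"usk": usk, "upk": upk, "cert": cert}

def ibs_sign(user_key, msg):
    """IBS signature = (upk, cert, Sign_usk(msg))."""
    return {"upk": user_key["upk"], "cert": user_key["cert"],
            "sig": sign(user_key["usk"], msg)}

def ibs_verify(mpk, identity, msg, ibsig):
    """Both rounds must check: the certificate under mpk, the message under upk."""
    upk = ibsig["upk"]
    return (verify(mpk, f"cert|{identity}|{upk}", ibsig["cert"])
            and verify(upk, msg, ibsig["sig"]))

def demo():
    """Constructed scenario: a valid signature, a wrong identity, a tampered message."""
    msk, mpk = ibs_setup()
    alice = ibs_extract(msk, "alice@example.org")
    sig = ibs_sign(alice, "transfer 10")
    ok = ibs_verify(mpk, "alice@example.org", "transfer 10", sig)
    wrong_id = ibs_verify(mpk, "bob@example.org", "transfer 10", sig)  # cert binds the ID
    tampered = ibs_verify(mpk, "alice@example.org", "transfer 99", sig)
    return ok, wrong_id, tampered

if __name__ == "__main__":
    print(demo())
```

A user who generates a key pair without the KGC cannot produce a certificate that verifies under mpk, so the first verification step is what ties the signature to the claimed identity; the second step is an ordinary signature check under the certified key.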
We put forward a new cryptographic primitive called witness-based searchable encryption (WBSE): if w and x satisfy a witness relation, an encryption of (m, w) can be tested with a trapdoor for (m′, x) to determine whether the keyword m′ equals m. The benefit of this primitive is that it addresses the challenging keyword guessing attack in public-key searchable encryption. We construct a WBSE scheme generically, using a smooth projective hash function (SPHF) as a building block, and prove its WB-IND-CCA ciphertext security, WB-IND-TD trapdoor security and EUFT-CIA trapdoor unforgeability. Thanks to an efficient SPHF instantiation from the Decisional Diffie-Hellman (DDH) assumption, we obtain an efficient WBSE instance without any pairing operation.