Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption

International audienceGroup encryption (GE) is the natural encryption analogue of group signatures in that it allows verifiably encrypting messages for some anonymous member of a group while providing evidence that the receiver is a properly certified group member. Should the need arise, an opening authority is capable of identifying the receiver of any ciphertext. As introduced by Kiayias, Tsiounis and Yung (Asiacrypt'07), GE is motivated by applications in the context of oblivious retriever storage systems, anonymous third parties and hierarchical group signatures. This paper provides the first realization of group encryption under lattice assumptions. Our construction is proved secure in the standard model (assuming interaction in the proving phase) under the Learning-With-Errors (LWE) and Short-Integer-Solution (SIS) assumptions. As a crucial component of our system, we describe a new zero-knowledge argument system allowing to demonstrate that a given ciphertext is a valid encryption under some hidden but certified public key, which incurs to prove quadratic statements about LWE relations. Specifically, our protocol allows arguing knowledge of witnesses consisting of X ∈ Z m×n q , s ∈ Z n q and a small-norm e ∈ Z m which underlie a public vector b = X · s + e ∈ Z m q while simultaneously proving that the matrix X ∈ Z m×n q has been correctly certified. We believe our proof system to be useful in other applications involving zero-knowledge proofs in the lattice setting

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

International audienceA recent line of works – initiated by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010) – gave lattice-based realizations of privacy-preserving protocols allowing users to authenticate while remaining hidden in a crowd. Despite five years of efforts, known constructions remain limited to static populations of users, which cannot be dynamically updated. For example, none of the existing lattice-based group signatures seems easily extendable to the more realistic setting of dynamic groups. This work provides new tools enabling the design of anonymous authen-tication systems whereby new users can register and obtain credentials at any time. Our first contribution is a signature scheme with efficient protocols, which allows users to obtain a signature on a committed value and subsequently prove knowledge of a signature on a committed message. This construction, which builds on the lattice-based signature of Böhl et al. (Eurocrypt'13), is well-suited to the design of anonymous credentials and dynamic group signatures. As a second technical contribution, we provide a simple, round-optimal joining mechanism for introducing new members in a group. This mechanism consists of zero-knowledge arguments allowing registered group members to prove knowledge of a secret short vector of which the corresponding public syndrome was certified by the group manager. This method provides similar advantages to those of structure-preserving signatures in the realm of bilinear groups. Namely, it allows group members to generate their public key on their own without having to prove knowledge of the underlying secret key. This results in a two-round join protocol supporting concurrent enrollments, which can be used in other settings such as group encryption

Arke: Scalable and Byzantine Fault Tolerant Privacy-Preserving Contact Discovery

Contact discovery is a crucial component of social applications, facilitating interactions between registered contacts. This work introduces Arke, a novel approach to contact discovery that addresses the limitations of existing solutions in terms of privacy, scalability, and reliance on trusted third parties. Arke ensures the unlinkability of user interactions, mitigates enumeration attacks, and operates without single points of failure or trust. Notably, Arke is the first contact discovery system whose performance is independent of the total number of users and the first that can operate in a Byzantine setting. It achieves its privacy goals through an unlinkable handshake mechanism built on top of an identity-based non-interactive key exchange. By leveraging a custom distributed architecture, Arke forgoes the expense of consensus to achieve scalability while maintaining consistency in a Byzantine fault tolerant environment. Performance evaluations demonstrate that Arke can support enough throughput to operate at a planetary scale while maintaining sub-second latencies in a large geo-distributed setting

Downgradable Identity-Based Signatures and Trapdoor Sanitizable Signatures from Downgradable Affine MACs

Affine message authentication code (AMAC) (CRYPTO\u2714) is a group-based MAC with a specific algebraic structure. Downgradable AMAC (DAMAC) (CT-RSA\u2719) is an AMAC with a functionality that we can downgrade a message with an authentication tag while retaining validity of the tag. In this paper, we revisit DAMAC for two independent applications, namely downgradable identity-based signatures (DIBS) and trapdoor sanitizable signatures (TSS) (ACNS\u2708). DIBS are the digital signature analogue of downgradable identity-based encryption (CT-RSA\u2719), which allow us to downgrade an identity associated with a secret-key. In TSS, an entity given a trapdoor for a signed-message can partially modify the message while keeping validity of the signature. We show that DIBS can be generically constructed from DAMAC, and DIBS can be transformed into (wildcarded) hierarchical/wicked IBS. We also show that TSS can be generically constructed from DIBS. By instantiating them, we obtain the first wildcarded hierarchical/wicked IBS and the first invisible and/or unlinkable TSS. Moreover, we prove that DIBS are equivalent to not only TSS, but also their naive combination, named downgradable identity-based trapdoor sanitizable signatures

Research Philosophy of Modern Cryptography

Proposing novel cryptography schemes (e.g., encryption, signatures, and protocols) is one of the main research goals in modern cryptography. In this paper, based on more than 800 research papers since 1976 that we have surveyed, we introduce the research philosophy of cryptography behind these papers. We use ``benefits and ``novelty as the keywords to introduce the research philosophy of proposing new schemes, assuming that there is already one scheme proposed for a cryptography notion. Next, we introduce how benefits were explored in the literature and we have categorized the methodology into 3 ways for benefits, 6 types of benefits, and 17 benefit areas. As examples, we introduce 40 research strategies within these benefit areas that were invented in the literature. The introduced research strategies have covered most cryptography schemes published in top-tier cryptography conferences

Enhanced Security and Privacy for Blockchain-enabled Electronic Medical Records in eHealth.

PhD Theses.Electronic medical records (EMRs) as part of an eHealth system are vital assets centrally managed by medical institutions and used to maintain up to date patients' medical histories. Such centralised management of EMRs may result in an increased risk of EMR damage or loss to medical institutions. In addition, it is di cult to monitor and control who can access their EMRs and for what reasons as eHealth may increasingly involve the use of IoT devices such as eHealth wearables and distributed networks. Blockchain is proposed as a promising method applied to support distributed data storage to maintain and share EMRs using its inherent immutability (forgery resistance). However, the original blockchain design cannot restrict unauthenticated or unauthorised data access for use as part of EMR management. Therefore, two novel authorisation schemes to enhance the security and privacy of blockchain use for EMRs are proposed in this work. The rst one can omit the agent layer (gateway) to authorise users' access to blockchain-enabled EMRs with block level gran- ularity, whilst maintaining compatibility with the underlying Blockchain data structure. Then, an improved scheme is proposed to implement multiple levels of granularity autho- risation, whilst supporting exible data queries. This scheme dispenses with the need to use a public key infrastructure (PKI) in authorisation and hence reduces the resource cost of computation and communication. Furthermore, to realise privacy preservation during authorisation, a challenge-response anonymous authorisation is proposed that avoids the disclosure of users' credentials when authorising data access requests. Compared with the baseline schemes, the proposed authorisation schemes can decrease the time consumption of computation and data transmission and reduce the transmitted data size so that they can be used in low-resource IoT devices applied to blockchain- enabled EMRs as demonstrated in performance experiments. In addition, theoretical i validations of correctness demonstrate that the proposed authorisation schemes work correctly

Advances in signatures, encryption, and E-Cash from bilinear groups

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2006.Includes bibliographical references (p. 147-161).We present new formal definitions, algorithms, and motivating applications for three natural cryptographic constructions. Our constructions are based on a special type of algebraic group called bilinear groups. 1. Re-Signatures: We present the first public key signature scheme where a semi-trusted proxy, given special information, can translate Alice's signature on a message into Bob's signature on the same message. The special information, however, allows nothing else, i.e., the proxy cannot translate from Bob to Alice, nor can it sign on behalf of either Alice or Bob. We show that a path through a graph can be cheaply authenticated using this scheme, with applications to electronic passports. 2. Re-Encryption: We present the first public key cryptosystem where a semi-trusted proxy, given special information, can translate an encryption of a message under Alice's key into an encryption of the same message under Bob's key. Again, the special information allows nothing else, i.e. the proxy cannot translate from Bob to Alice, decrypt on behalf of either Alice or Bob, or learn anything else about the message. We apply this scheme to create a new mechanism for secure distributed storage.(cont.) 3. Compact; E-Cash with Tracing and Bounded-Anonymity: We present an offline e-cash system where 2 coins can be stored in O(e + k) bits and withdrawn or spent in 0(f + k) time, where k is the security parameter. The best previously known schemes required at least one of these complexities to be 0(2t . k). In our system, a user's transactions are anonymous and unlinkable, unless she performs a forbidden action, such as double-spending a coin. Performing a forbidden action reveals the identity of the user, and optionally allows to trace all of her past transactions. We provide solutions without using a trusted party. We argue why features of our system are likely to be crucial to the adoption of any e-cash system.by Susan Hohenberger.Ph.D

User-Controlled Computations in Untrusted Computing Environments

Computing infrastructures are challenging and expensive to maintain. This led to the growth of cloud computing with users renting computing resources from centralized cloud providers. There is also a recent promise in providing decentralized computing resources from many participating users across the world. The compute on your own server model hence is no longer prominent. But, traditional computer architectures, which were designed to give a complete power to the owner of the computing infrastructure, continue to be used in deploying these new paradigms. This forces users to completely trust the infrastructure provider on all their data. The cryptography and security community research two different ways to tackle this problem. The first line of research involves developing powerful cryptographic constructs with formal security guarantees. The primitive of functional encryption (FE) formalizes the solutions where the clients do not interact with the sever during the computation. FE enables a user to provide computation-specific secret keys which the server can use to perform the user specified computations (and only those) on her encrypted data. The second line of research involves designing new hardware architectures which remove the infrastructure owner from the trust base. The solutions here tend to have better performance but their security guarantees are not well understood. This thesis provides contributions along both lines of research. In particular, 1) We develop a (single-key) functional encryption construction where the size of secret keys do not grow with the size of descriptions of the computations, while also providing a tighter security reduction to the underlying computational assumption. This construction supports the computation class of branching programs. Previous works for this computation class achieved either short keys or tighter security reductions but not both. 2) We formally model the primitive of trusted hardware inspired by Intel's Software Guard eXtensions (SGX). We then construct an FE scheme in a strong security model using this trusted hardware primitive. We implement this construction in our system Iron and evaluate its performance. Previously, the constructions in this model relied on heavy cryptographic tools and were not practical. 3) We design an encrypted database system StealthDB that provides complete SQL support. StealthDB is built on top of Intel SGX and designed with the usability and security limitations of SGX in mind. The StealthDB implementation on top of Postgres achieves practical performance (30% overhead over plaintext evaluation) with strong leakage profile against adversaries who get snapshot access to the memory of the system. It achieves a more gradual degradation in security against persistent adversaries than the prior designs that aimed at practical performance and complete SQL support. We finally survey the research on providing security against quantum adversaries to the building blocks of SGX

Stock Market Integration Between the Hong Kong SAR and the People's Republic of China - the Use of a Revised 'H' Share Model and Enhanced Institutional Support

PhDBilateral, multilateral and regional linkages between stock exchanges generate increased sources of funds, investor return and product choice. Such associations can also lower transaction costs in both initial listing and subsequent trading, increase liquidity more generally in the secondary market and enhance investor protection and confidence in the stability and reputation of the market and the status of companies listed on the market. This thesis argues that the integration of the stock markets between The Special Administrative Region of Hong Kong ("Hong Kong") and the People's Republic of China (CTRC) is therefore a desirable objective and investigates how a more successful and substantial degree of integration could be achieved in this area. Integration, in particular, requires harmonization of laws and regulations. In 1993,H shares issued by PRC companies were first allowed to cross-list on the Hong Kong Stock Exchange. This listing was made possible by the introduction of a new set of legal and operational rules promulgated in both the PRC and Hong Kong. This thesis expounds four models of integration, the H Share Model, the System Harmonization Model, the Mixed Harmonization and Mutual Recognition Model, and the Full Harmonization Model and argues that H share regulations are an effective way to further integration despite problems inherited from the PRC's 'pre-open door' policy. In considering other potential models, the European Union and the United States capital market are also considered as potential models for further integration of the PRC and Hong Kong stock markets despite the inherent limitations of the latter model. It is also proposed that enhanced institutional support can be used as an effective means of accelerating the integration process. Investigating both the feasibility and possible implementation of market integration within an appropriate institutional framework ensures an autonomous, legal and independent environment separate from the political realm