Efficient IBE with Tight Reduction to Standard Assumption in the Multi-challenge Setting

In 2015, Hofheinz et al. [PKC, 2015] extended Chen and Wee\u27s almost-tight reduction technique for identity based encryptions (IBE) [CRYPTO, 2013] to the multi-instance, multi-ciphertext (MIMC, or multi-challenge) setting, where the adversary is allowed to obtain multiple challenge ciphertexts from multiple IBE instances, and gave the first almost-tightly secure IBE in this setting using composite-order bilinear groups. Several prime-order realizations were proposed lately. However there seems to be a dilemma of high system performance (involving ciphertext/key size and encryption/decryption cost) or weak/standard security assumptions. A natural question is: can we achieve high performance without relying on stronger/non-standard assumptions? In this paper, we answer the question in the affirmative by describing a prime-order IBE scheme with the same performance as the most efficient solutions so far but whose security still relies on the standard k-linear (k-Lin) assumption. Our technical start point is Blazy et al.\u27s almost-tightly secure IBE [CRYPTO, 2014]. We revisit their concrete IBE scheme and associate it with the framework of nested dual system group. This allows us to extend Blazy et al.\u27s almost-tightly secure IBE to the MIMC setting using Gong et al.\u27s method [PKC, 2016]. We emphasize that, when instantiating our construction by the Symmetric eXternal Diffie-Hellman assumption (SXDH = 1-Lin), we obtain the most efficient concrete IBE scheme with almost-tight reduction in the MIMC setting, whose performance is even comparable to the most efficient IBE in the classical model (i.e., the single-instance, single-ciphertext setting). Besides pursuing high performance, our IBE scheme also achieves a weaker form of anonymity pointed out by Attrapadung et al. [AsiaCrypt, 2015]

On Cryptographic Building Blocks and Transformations

Cryptographic building blocks play a central role in cryptography, e.g., encryption or digital signatures with their security notions. Further, cryptographic building blocks might be constructed modularly, i.e., emerge out of other cryptographic building blocks. Essentially, one cryptographically transforms the underlying block(s) and their (security) properties into the emerged block and its properties. This thesis considers cryptographic building blocks and new cryptographic transformations

Improvements and New Constructions of Digital Signatures

Ein digitales Signaturverfahren, oft auch nur digitale Signatur genannt, ist ein wichtiger und nicht mehr wegzudenkender Baustein in der Kryptographie. Es stellt das digitale Äquivalent zur klassischen handschriftlichen Signatur dar und liefert darüber hinaus noch weitere wünschenswerte Eigenschaften. Mit solch einem Verfahren kann man einen öffentlichen und einen geheimen Schlüssel erzeugen. Der geheime Schlüssel dient zur Erstellung von Signaturen zu beliebigen Nachrichten. Diese können mit Hilfe des öffentlichen Schlüssels von jedem überprüft und somit verifiziert werden. Desweiteren fordert man, dass das Verfahren "sicher" sein soll. Dazu gibt es in der Literatur viele verschiedene Begriffe und Definitionen, je nachdem welche konkreten Vorstellungen beziehungsweise Anwendungsgebiete man hat. Vereinfacht gesagt, sollte es für einen Angreifer ohne Kenntnis des geheimen Schlüssels nicht möglich sein eine gültige Signatur zu einer beliebigen Nachricht zu fälschen. Ein sicheres Signaturverfahren kann somit verwendet werden um die folgenden Ziele zu realisieren: - Authentizität: Jeder Empfänger kann überprüfen, ob die Nachricht von einem bestimmten Absender kommt. - Integrität der Nachricht: Jeder Empfänger kann feststellen, ob die Nachricht bei der Übertragung verändert wurde. - Nicht-Abstreitbarkeit: Der Absender kann nicht abstreiten die Signatur erstellt zu haben. Damit ist der Einsatz von digitalen Signaturen für viele Anwendungen in der Praxis sehr wichtig. Überall da, wo es wichtig ist die Authentizität und Integrität einer Nachricht sicherzustellen, wie beim elektronischen Zahlungsverkehr, Softwareupdates oder digitalen Zertifikaten im Internet, kommen digitale Signaturen zum Einsatz. Aber auch für die kryptographische Theorie sind digitale Signaturen ein unverzichtbares Hilfsmittel. Sie ermöglichen zum Beispiel die Konstruktion von stark sicheren Verschlüsselungsverfahren. Eigener Beitrag: Wie bereits erwähnt gibt es unterschiedliche Sicherheitsbegriffe im Rahmen von digitalen Signaturen. Ein Standardbegriff von Sicherheit, der eine recht starke Form von Sicherheit beschreibt, wird in dieser Arbeit näher betrachtet. Die Konstruktion von Verfahren, die diese Form der Sicherheit erfüllen, ist ein vielschichtiges Forschungsthema. Dazu existieren unterschiedliche Strategien in unterschiedlichen Modellen. In dieser Arbeit konzentrieren wir uns daher auf folgende Punkte. - Ausgehend von vergleichsweise realistischen Annahmen konstruieren wir ein stark sicheres Signaturverfahren im sogenannten Standardmodell, welches das realistischste Modell für Sicherheitsbeweise darstellt. Unser Verfahren ist das bis dahin effizienteste Verfahren in seiner Kategorie. Es erstellt sehr kurze Signaturen und verwendet kurze Schlüssel, beides unverzichtbar für die Praxis. - Wir verbessern die Qualität eines Sicherheitsbeweises von einem verwandten Baustein, der identitätsbasierten Verschlüsselung. Dies hat unter anderem Auswirkung auf dessen Effizienz bezüglich der empfohlenen Schlüssellängen für den sicheren Einsatz in der Praxis. Da jedes identitätsbasierte Verschlüsselungsverfahren generisch in ein digitales Signaturverfahren umgewandelt werden kann ist dies auch im Kontext digitaler Signaturen interessant. - Wir betrachten Varianten von digitalen Signaturen mit zusätzlichen Eigenschaften, sogenannte aggregierbare Signaturverfahren. Diese ermöglichen es mehrere Signaturen effizient zu einer zusammenzufassen und dabei trotzdem alle zugehörigen verschiedenen Nachrichten zu verifizieren. Wir geben eine neue Konstruktion von solch einem aggregierbaren Signaturverfahren an, bei der das Verfahren eine Liste aller korrekt signierten Nachrichten in einer aggregierten Signatur ausgibt anstatt, wie bisher üblich, nur gültig oder ungültig. Wenn eine aggregierte Signatur aus vielen Einzelsignaturen besteht wird somit das erneute Berechnen und eventuell erneute Senden hinfällig und dadurch der Aufwand erheblich reduziert

Tightly Secure Hierarchical Identity-Based Encryption

We construct the first tightly secure hierarchical identity-based encryption (HIBE) scheme based on standard assumptions, which solves an open problem from Blazy, Kiltz, and Pan (CRYPTO 2014). At the core of our constructions is a novel randomization technique that enables us to randomize user secret keys for identities with flexible length. The security reductions of previous HIBEs lose at least a factor of Q, which is the number of user secret key queries. Different to that, the security loss of our schemes is only dependent on the security parameter. Our schemes are adaptively secure based on the Matrix Diffie-Hellman assumption, which is a generalization of standard Diffie-Hellman assumptions such as k-Linear. We have two tightly secure constructions, one with constant ciphertext size, and the other with tighter security at the cost of linear ciphertext size. Among other things, our schemes imply the first tightly secure identity-based signature scheme by a variant of the Naor transformation

Random Oracles in a Quantum World

The interest in post-quantum cryptography - classical systems that remain secure in the presence of a quantum adversary - has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model where the adversary can query the random oracle with quantum states. We begin by separating the classical and quantum-accessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction which is a category of classical random oracle reductions that basically determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post-quantum secure. We conclude with a rich set of open problems in this area.Comment: 38 pages, v2: many substantial changes and extensions, merged with a related paper by Boneh and Zhandr

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model

In (STOC, 2008), Gentry, Peikert, and Vaikuntanathan proposed the first identity-based encryption (GPV-IBE) scheme based on a post-quantum assumption, namely, the learning with errors (LWE) assumption. Since their proof was only made in the random oracle model (ROM) instead of the quantum random oracle model (QROM), it remained unclear whether the scheme was truly post-quantum or not. In (CRYPTO, 2012), Zhandry developed new techniques to be used in the QROM and proved the security of GPV-IBE in the QROM, hence answering in the affirmative that GPV-IBE is indeed post-quantum. However, since the general technique developed by Zhandry incurred a large reduction loss, there was a wide gap between the concrete efficiency and security level provided by GPV-IBE in the ROM and QROM. Furthermore, regardless of being in the ROM or QROM, GPV-IBE is not known to have a tight reduction in the multi-challenge setting. Considering that in the real-world an adversary can obtain many ciphertexts, it is desirable to have a security proof that does not degrade with the number of challenge ciphertext. In this paper, we provide a much tighter proof for the GPV-IBE in the QROM in the single-challenge setting. In addition, we also show that a slight variant of the GPV-IBE has an almost tight reduction in the multi-challenge setting both in the ROM and QROM, where the reduction loss is independent of the number of challenge ciphertext. Our proof departs from the traditional partitioning technique and resembles the approach used in the public key encryption scheme of Cramer and Shoup (CRYPTO, 1998). Our proof strategy allows the reduction algorithm to program the random oracle the same way for all identities and naturally fits the QROM setting where an adversary may query a superposition of all identities in one random oracle query. Notably, our proofs are much simpler than the one by Zhandry and conceptually much easier to follow for cryptographers not familiar with quantum computation. Although at a high level, the techniques used for the single and multi-challenge setting are similar, the technical details are quite different. For the multi-challenge setting, we rely on the Katz-Wang technique (CCS, 2003) to overcome some obstacles regarding the leftover hash lemma

Tightly Secure IBE under Constant-size Master Public Key

International audienceChen and Wee [CRYPTO, 2013] proposed the first almost tightly and adaptively secure IBE in the standard model and left two open problems which called for a tightly secure IBE with (1) constant-size master public key and/or (2) constant security loss. In this paper, we propose an IBE scheme with constant-size master public key and tighter security reduction. This (partially) solves Chen and Wee's first open problem and makes progress on the second one. Technically, our IBE scheme is built based on Wee's petit IBE scheme [TCC, 2016] in the composite-order bilinear group whose order is product of four primes. The sizes of master public key, ciphertexts, and secret keys are not only constant but also nearly optimal as Wee's petit IBE. We can prove its adaptive security in the multi-instance, multi-ciphertext setting [PKC, 2015] based on the decisional subgroup assumption and a subgroup variant of DBDH assumption. The security loss is O(log q) where q is the upper bound of the total number of secret keys and challenge ciphertexts revealed to adversary in each single IBE instance. It's much smaller than those for all known adaptively secure IBE schemes in a concrete sense

Biometric Cryptosystems : Authentication, Encryption and Signature for Biometric Identities

Biometrics have been used for secure identification and authentication for more than two decades since biometric data is unique, non-transferable, unforgettable, and always with us. Recently, biometrics has pervaded other aspects of security applications that can be listed under the topic of ``Biometric Cryptosystems''. Although the security of some of these systems is questionable when they are utilized alone, integration with other technologies such as digital signatures or Identity Based Encryption (IBE) schemes results in cryptographically secure applications of biometrics. It is exactly this field of biometric cryptosystems that we focused in this thesis. In particular, our goal is to design cryptographic protocols for biometrics in the framework of a realistic security model with a security reduction. Our protocols are designed for biometric based encryption, signature and remote authentication. We first analyze the recently introduced biometric remote authentication schemes designed according to the security model of Bringer et al.. In this model, we show that one can improve the database storage cost significantly by designing a new architecture, which is a two-factor authentication protocol. This construction is also secure against the new attacks we present, which disprove the claimed security of remote authentication schemes, in particular the ones requiring a secure sketch. Thus, we introduce a new notion called ``Weak-identity Privacy'' and propose a new construction by combining cancelable biometrics and distributed remote authentication in order to obtain a highly secure biometric authentication system. We continue our research on biometric remote authentication by analyzing the security issues of multi-factor biometric authentication (MFBA). We formally describe the security model for MFBA that captures simultaneous attacks against these systems and define the notion of user privacy, where the goal of the adversary is to impersonate a client to the server. We design a new protocol by combining bipartite biotokens, homomorphic encryption and zero-knowledge proofs and provide a security reduction to achieve user privacy. The main difference of this MFBA protocol is that the server-side computations are performed in the encrypted domain but without requiring a decryption key for the authentication decision of the server. Thus, leakage of the secret key of any system component does not affect the security of the scheme as opposed to the current biometric systems involving cryptographic techniques. We also show that there is a tradeoff between the security level the scheme achieves and the requirement for making the authentication decision without using any secret key. In the second part of the thesis, we delve into biometric-based signature and encryption schemes. We start by designing a new biometric IBS system that is based on the currently most efficient pairing based signature scheme in the literature. We prove the security of our new scheme in the framework of a stronger model compared to existing adversarial models for fuzzy IBS, which basically simulates the leakage of partial secret key components of the challenge identity. In accordance with the novel features of this scheme, we describe a new biometric IBE system called as BIO-IBE. BIO-IBE differs from the current fuzzy systems with its key generation method that not only allows for a larger set of encryption systems to function for biometric identities, but also provides a better accuracy/identification of the users in the system. In this context, BIO-IBE is the first scheme that allows for the use of multi-modal biometrics to avoid collision attacks. Finally, BIO-IBE outperforms the current schemes and for small-universe of attributes, it is secure in the standard model with a better efficiency compared to its counterpart. Another contribution of this thesis is the design of biometric IBE systems without using pairings. In fact, current fuzzy IBE schemes are secure under (stronger) bilinear assumptions and the decryption of each message requires pairing computations almost equal to the number of attributes defining the user. Thus, fuzzy IBE makes error-tolerant encryption possible at the expense of efficiency and security. Hence, we design a completely new construction for biometric IBE based on error-correcting codes, generic conversion schemes and weakly secure anonymous IBE schemes that encrypt a message bit by bit. The resulting scheme is anonymous, highly secure and more efficient compared to pairing-based biometric IBE, especially for the decryption phase. The security of our generic construction is reduced to the security of the anonymous IBE scheme, which is based on the Quadratic Residuosity assumption. The binding of biometric features to the user's identity is achieved similar to BIO-IBE, thus, preserving the advantages of its key generation procedure

Identity-based Encryption Tightly Secure under Chosen-ciphertext Attacks

We propose the first identity-based encryption (IBE) scheme that is (almost) tightly secure against chosen-ciphertext attacks. Our scheme is efficient, in the sense that its ciphertext overhead is only seven group elements, three group elements more than that of the state-of-the-art passively (almost) tightly secure IBE scheme. Our scheme is secure in a multi-challenge setting, i.e., in face of an arbitrary number of challenge ciphertexts. The security of our scheme is based upon the standard symmetric external Diffie-Hellman assumption in pairing-friendly groups, but we also consider (less efficient) generalizations under weaker assumptions

Advances in Functional Encryption

Functional encryption is a novel paradigm for public-key encryption that enables both fine-grained access control and selective computation on encrypted data, as is necessary to protect big, complex data in the cloud. In this thesis, I provide a brief introduction to functional encryption, and an overview of my contributions to the area