Time-Specific Encryption with Constant-Size Secret-Keys Secure under Standard Assumption

In Time-Specific Encryption (TSE) [Paterson and Quaglia, SCN\u2710] system, each secret-key (resp. ciphertext) is associated with a time period t s.t. 0<=t<=T-1 (resp. a time interval [L,R] s.t. 0<=L<=R<=T-1. A ciphertext under [L,R] is correctly decrypted by any secret-key for any time t included in the interval, i.e., L<=t<=R. TSE\u27s generic construction from identity-based encryption (IBE) (resp. hierarchical IBE (HIBE)) from which we obtain a concrete TSE scheme with secret-keys of O(log T)|g| (resp. O(log^2 T)|g|) and ciphertexts of size O(log T)|g| (resp. O(1)|g|) has been proposed in [Paterson and Quaglia, SCN\u2710] (resp. [Kasamatsu et al., SCN\u2712]), where |g| denotes bit length of an element in a bilinear group G. In this paper, we propose another TSE\u27s generic construction from wildcarded identity-based encryption (WIBE). Differently from the original WIBE ([Abdalla et al., ICALP\u2706]), we consider WIBE w/o (hierarchical) key-delegatability. By instantiating the TSE\u27s generic construction, we obtain the first concrete scheme with constant-size secret-keys secure under a standard (static) assumption. Specifically, it has secret-keys of size O(1)|g| and ciphertexts of size O(log^2 T)|g|, and achieves security under the decisional bilinear Diffie-Hellman (DBDH) assumption

Generic Constructions of RIBE via Subset Difference Method

Revocable identity-based encryption (RIBE) is an extension of IBE which can support a key revocation mechanism, and it is important when deploying an IBE system in practice. Boneh and Franklin (Crypto\u2701) presented the first generic construction of RIBE, however, their scheme is not scalable where the size of key updates is linear in the number of users in the system. The first generic construction of RIBE is presented by Ma and Lin with complete subtree (CS) method by combining IBE and hierarchical IBE (HIBE) schemes. Recently, Lee proposed a new generic construction using the subset difference (SD) method by combining IBE,identity-based revocation (IBR), and two-level HIBE schemes. In this paper, we present a new primitive called Identity-Based Encryption with Ciphertext Delegation (CIBE) and propose a generic construction of RIBE scheme via subset difference method using CIBE and HIBE as building blocks. CIBE is a special type of Wildcarded IBE (WIBE) and Identity-Based Broadcast Encryption (IBBE). Furthermore, we show that CIBE can be constructed from IBE in a black-box way. Instantiating the underlying building blocks with different concrete schemes, we can obtain a RIBE scheme with constant-size public parameter, ciphertext, private key and $O(r)$ key updates in the selective-ID model. Additionally, our generic RIBE scheme can be easily converted to a sever-aided RIBE scheme which is more suitable for lightweight devices

Homomorphic Signatures for Subset and Superset Mixed Predicates and Its Applications

In homomorphic signatures for subset predicates (HSSB), each message (to be signed) is a set. Any signature on a set $M$ allows us to derive a signature on any subset $M\u27\subseteq M$. Its superset version, which should be called homomorphic signatures for superset predicates (HSSP), allows us to derive a signature on any superset $M\u27\supseteq M$. In this paper, we propose homomorphic signatures for subset and superset mixed predicates (HSSM) as a simple combination of HSSB and HSSP. In HSSM, any signature on a message of a set-pair $(M, W)$ allows us to derive a signature on any $(M\u27, W\u27)$ such that $M\u27\subseteq M$ and $W\u27\supseteq W$. We propose an original HSSM scheme which is unforgeable under the decisional linear assumption and completely context-hiding. We show that HSSM has various applications, which include disclosure-controllable HSSB, disclosure-controllable redactable signatures, (key-delegatable) superset/subset predicate signatures, and wildcarded identity-based signatures

Downgradable Identity-Based Signatures and Trapdoor Sanitizable Signatures from Downgradable Affine MACs

Affine message authentication code (AMAC) (CRYPTO\u2714) is a group-based MAC with a specific algebraic structure. Downgradable AMAC (DAMAC) (CT-RSA\u2719) is an AMAC with a functionality that we can downgrade a message with an authentication tag while retaining validity of the tag. In this paper, we revisit DAMAC for two independent applications, namely downgradable identity-based signatures (DIBS) and trapdoor sanitizable signatures (TSS) (ACNS\u2708). DIBS are the digital signature analogue of downgradable identity-based encryption (CT-RSA\u2719), which allow us to downgrade an identity associated with a secret-key. In TSS, an entity given a trapdoor for a signed-message can partially modify the message while keeping validity of the signature. We show that DIBS can be generically constructed from DAMAC, and DIBS can be transformed into (wildcarded) hierarchical/wicked IBS. We also show that TSS can be generically constructed from DIBS. By instantiating them, we obtain the first wildcarded hierarchical/wicked IBS and the first invisible and/or unlinkable TSS. Moreover, we prove that DIBS are equivalent to not only TSS, but also their naive combination, named downgradable identity-based trapdoor sanitizable signatures

Efficient Identity-Based Encryption with Hierarchical Key-Insulation from HIBE

Hierarchical key-insulated identity-based encryption (HKIBE) is identity-based encryption (IBE) that allows users to update their secret keys to achieve (hierarchical) key-exposure resilience, which is an important notion in practice. However, existing HKIBE constructions have limitations in efficiency: sizes of ciphertexts and secret keys depend on the hierarchical depth. In this paper, we first triumph over the barrier by proposing simple but effective design methodologies to construct efficient HKIBE schemes. First, we show a generic construction from any hierarchical IBE (HIBE) scheme that satisfies a special requirement, called MSK evaluatability introduced by Emura et al. (Designs, Codes and Cryptography, 2021). It provides several new and efficient instantiations since most pairing-based HIBE schemes satisfy the requirement. It is worth noting that it preserves all parameters\u27 sizes of the underlying HIBE scheme, and hence we obtain several efficient HKIBE schemes under the $k$-linear assumption in the standard model. Since MSK evaluatability is dedicated to pairing-based HIBE schemes, the first construction restricts pairing-based instantiations. To realize efficient instantiation from various assumptions, we next propose a generic construction of an HKIBE scheme from any plain HIBE scheme. It is based on Hanaoka et al.\u27s HKIBE scheme (Asiacrypt 2005), and does not need any special properties. Therefore, we obtain new efficient instantiations from various assumptions other than pairing-oriented ones. Though the sizes of secret keys and ciphertexts are larger than those of the first construction, it is more efficient than Hanaoka et al.\u27s scheme in the sense of the sizes of master public/secret keys

素因数分解に基づく暗号における新たな手法

学位の種別: 課程博士審査委員会委員 : （主査）東京大学准教授 國廣 昇, 東京大学教授 山本 博資, 東京大学教授 津田 宏治, 東京大学講師 佐藤 一誠, 東京工業大学教授 田中 圭介University of Tokyo(東京大学

The development of a discovery and control environment for networked audio devices based on a study of current audio control protocols

This dissertation develops a standard device model for networked audio devices and introduces a novel discovery and control environment that uses the developed device model. The proposed standard device model is derived from a study of current audio control protocols. Both the functional capabilities and design principles of audio control protocols are investigated with an emphasis on Open Sound Control, SNMP and IEC-62379, AES64, CopperLan and UPnP. An abstract model of networked audio devices is developed, and the model is implemented in each of the previously mentioned control protocols. This model is also used within a novel discovery and control environment designed around a distributed associative memory termed an object space. This environment challenges the accepted notions of the functionality provided by a control protocol. The study concludes by comparing the salient features of the different control protocols encountered in this study. Different approaches to control protocol design are considered, and several design heuristics for control protocols are proposed

Local Coordination for Interpersonal Communication Systems

The decomposition of complex applications into modular units is anacknowledged design principle for creating robust systems and forenabling the flexible re-use of modules in new applicationcontexts. Typically, component frameworks provide mechanisms and rulesfor developing software modules in the scope of a certain programmingparadigm or programming language and a certain computing platform. Forexample, the JavaBeans framework is a component framework for thedevelopment of component-based systems -- in the Java environment.In this thesis, we present a light-weight, platform-independentapproach that views a component-based application as a set of ratherloosely coupled parallel processes that can be distributed on multiplehosts and are coordinated through a protocol. The core of ourframework is the Message Bus (Mbus): an asynchronous, message-orientedcoordination protocol that is based on Internet technologies andprovides group communication between application components.Based on this framework, we have developed a local coordinationarchitecture for decomposed multimedia conferencing applications thatis designed for endpoint and gateway applications. One element of thisarchitecture is an Mbus-based protocol for the coordination of callcontrol components in conferencing applications