On the Anonymity of Identity-Based Encryption

Anonymity of identity-based encryption (IBE) means that given a ciphertext, one cannot distinguish the target identity from a random identity. In this paper, we thoroughly discuss the anonymity of IBE systems. We found that the current definition of anonymity is obscure to describe some IBE systems, such as Gentry IBE system. Furthermore, current definition cannot express the degree of anonymity. So we divide the degree of anonymity into weak anonymity and strong anonymity based on indistinguishability between different games. For weakly anonymous IBE systems, the target identity in a ciphertext cannot be distinguished from a random identity. For strongly anonymous IBE systems, the whole ciphertext cannot be distinguished from a random tuple. We also discuss the type of anonymity and divide it into two types. Type 1 means that a random tuple can be seen as a valid ciphertext, while type 2 cannot. Based on our new definitions, we show that three famous IBE systems, Gentry IBE system, Boyen-Waters IBE system, and Lewko IBE system, have strong but different types of anonymity

Anonymous and Adaptively Secure Revocable IBE with Constant Size Public Parameters

In Identity-Based Encryption (IBE) systems, key revocation is non-trivial. This is because a user's identity is itself a public key. Moreover, the private key corresponding to the identity needs to be obtained from a trusted key authority through an authenticated and secrecy protected channel. So far, there exist only a very small number of revocable IBE (RIBE) schemes that support non-interactive key revocation, in the sense that the user is not required to interact with the key authority or some kind of trusted hardware to renew her private key without changing her public key (or identity). These schemes are either proven to be only selectively secure or have public parameters which grow linearly in a given security parameter. In this paper, we present two constructions of non-interactive RIBE that satisfy all the following three attractive properties: (i) proven to be adaptively secure under the Symmetric External Diffie-Hellman (SXDH) and the Decisional Linear (DLIN) assumptions; (ii) have constant-size public parameters; and (iii) preserve the anonymity of ciphertexts---a property that has not yet been achieved in all the current schemes

Dual System Encryption via Predicate Encodings

We introduce the notion of predicate encodings, an information-theoretic primitive reminiscent of linear secret-sharing that in addition, satisfies a novel notion of reusability. Using this notion, we obtain a unifying framework for adaptively-secure public-index predicate encryption schemes for a large class of predicates. Our framework relies on Waters’ dual system encryption methodology (Crypto ’09), and encompass the identity-based encryption scheme of Lewko and Waters (TCC ’10), and the attribute-based encryption scheme of Lewko et al. (Eurocrypt ’10). In addition, we obtain several concrete improvements over prior works. Our work offers a novel interpretation of dual system encryption as a methodology for amplifying a one-time private-key primitive (i.e. predicate encodings) into a many-time public-key primitive (i.e. predicate encryption)

Shorter Decentralized Attribute-Based Encryption via Extended Dual System Groups

Decentralized attribute-based encryption (ABE) is a special form of multiauthority ABE systems, in which no central authority and global coordination are required other than creating the common reference parameters. In this paper, we propose a new decentralized ABE in prime-order groups by using extended dual system groups. We formulate some assumptions used to prove the security of our scheme. Our proposed scheme is fully secure under the standard k-Lin assumption in random oracle model and can support any monotone access structures. Compared with existing fully secure decentralized ABE systems, our construction has shorter ciphertexts and secret keys. Moreover, fast decryption is achieved in our system, in which ciphertexts can be decrypted with a constant number of pairings

Fully, (Almost) Tightly Secure IBE from Standard Assumptions

We present the first fully secure Identity-Based Encryption scheme (IBE) from the standard assumptions where the security loss depends only on the security parameter and is independent of the number of secret key queries. This partially answers an open problem posed by Waters (Eurocrypt 2005). Our construction combines Waters\u27 dual system encryption methodology (Crypto 2009) with the Naor-Reingold pseudo-random function (J. ACM, 2004) in a novel way. The security of our scheme relies on the DLIN assumption in prime-order groups

Born and Raised Distributively: Fully Distributed Non-Interactive Adaptively-Secure Threshold Signatures with Short Shares

International audienceThreshold cryptography is a fundamental distributed computational paradigm for enhancing the availability and the security of cryptographic public-key schemes. It does it by dividing private keys into $n$ shares handed out to distinct servers. In threshold signature schemes, a set of at least $t+1 \leq n$ servers is needed to produce a valid digital signature. Availability is assured by the fact that any subset of $t+1$ servers can produce a signature when authorized. At the same time, the scheme should remain robust (in the fault tolerance sense) and unforgeable (cryptographically) against up to $t$ corrupted servers; {\it i.e.}, it adds quorum control to traditional cryptographic services and introduces redundancy. Originally, most practical threshold signatures have a number of demerits: They have been analyzed in a static corruption model (where the set of corrupted servers is fixed at the very beginning of the attack), they require interaction, they assume a trusted dealer in the key generation phase (so that the system is not fully distributed), or they suffer from certain overheads in terms of storage (large share sizes). In this paper, we construct practical {\it fully distributed} (the private key is born distributed), non-interactive schemes -- where the servers can compute their partial signatures without communication with other servers -- with adaptive security ({\it i.e.}, the adversary corrupts servers dynamically based on its full view of the history of the system). Our schemes are very efficient in terms of computation, communication, and scalable storage (with private key shares of size $O(1)$, where certain solutions incur $O(n)$ storage costs at each server). Unlike other adaptively secure schemes, our schemes are erasure-free (reliable erasure is a hard to assure and hard to administer property in actual systems). To the best of our knowledge, such a fully distributed highly constrained scheme has been an open problem in the area. In particular, and of special interest, is the fact that Pedersen's traditional distributed key generation (DKG) protocol can be safely employed in the initial key generation phase when the system is born -- although it is well-known not to ensure uniformly distributed public keys. An advantage of this is that this protocol only takes one round optimistically (in the absence of faulty player)

Tools for simulating features of composite order bilinear groups in the prime order setting

In this paper, we explore a general methodology for converting composite order pairingbased cryptosystems into the prime order setting. We employ the dual pairing vector space approach initiated by Okamoto and Takashima and formulate versatile tools in this framework that can be used to translate composite order schemes for which the prior techniques of Freeman were insufficient. Our techniques are typically applicable for composite order schemes relying on the canceling property and proven secure from variants of the subgroup decision assumption, and will result in prime order schemes that are proven secure from the decisional linear assumption. As an instructive example, we obtain a translation of the Lewko-Waters composite order IBE scheme. This provides a close analog of the Boneh-Boyen IBE scheme that is proven fully secure from the decisional linear assumption. We also provide a translation of the Lewko-Waters unbounded HIBE scheme.

Quasi-Adaptive NIZK for Linear Subspaces Revisited

Non-interactive zero-knowledge (NIZK) proofs for algebraic relations in a group, such as the Groth-Sahai proofs, are an extremely powerful tool in pairing-based cryptography. A series of recent works focused on obtaining very efficient NIZK proofs for linear spaces in a weaker quasi-adaptive model. We revisit recent quasi-adaptive NIZK constructions, providing clean, simple, and improved constructions via a conceptually different approach inspired by recent developments in identity-based encryption. We then extend our techniques also to linearly homomorphic structure-preserving signatures, an object both of independent interest and with many applications