
    A Sealed-bid Auction with Fund Binding: Preventing Maximum Bidding Price Leakage

    In an open-bid auction, a bidder can learn the budgets of other bidders. Thus, a sealed-bid auction that hides bidding prices is desirable. However, previous sealed-bid auction protocols have found it difficult to provide a "fund binding" property, which guarantees that a bidder has funds greater than or equal to the bidding price and that the funds are forcibly withdrawn when the bidder wins. Such protocols are therefore vulnerable to false bidding. As a solution, many protocols employ a simple deposit method in which each bidder sends a deposit greater than or equal to the bidding price to a smart contract before the bidding phase. However, this deposit reveals the maximum bidding price, which it is preferable to hide. In this paper, we propose a sealed-bid auction protocol that provides a fund binding property. Our protocol simultaneously hides the bidding price and the maximum bidding price while providing fund binding. To hide the maximum bidding price, we exploit the fact that ordinary Ethereum transactions and transactions that send funds to a one-time address have the same transaction structure and appear to be indistinguishable. We discuss the extent to which bidding transactions are hidden. We also employ DECO (Zhang et al., CCS 2020), which proves the validity of data taken from a source to a verifier without revealing the data itself. Finally, we give our implementation, which shows the transaction fees required, and compare it to a sealed-bid auction protocol employing the simple deposit method.

    Verifiable Functional Encryption using Intel SGX

    Most functional encryption schemes implicitly assume that the inputs to decryption algorithms, i.e., secret keys and ciphertexts, are generated honestly. However, they may be tampered with by malicious adversaries. Thus, verifiable functional encryption (VFE) was proposed by Badrinarayanan et al. at ASIACRYPT 2016, where anyone can publicly check the validity of secret keys and ciphertexts. They employed indistinguishability-based (IND-based) security due to an impossibility result for simulation-based (SIM-based) VFE, even though SIM-based security is more desirable. In this paper, we propose a SIM-based VFE scheme. To bypass the impossibility result, we introduce a trusted setup assumption. Although it appears to be a strong assumption, we demonstrate that it is reasonable in a hardware-based construction, e.g., Fisch et al. at ACM CCS 2017. Our construction is based on a verifiable public-key encryption scheme (Nieto et al., SCN 2012), a signature scheme, and a secure hardware scheme, which we refer to as VFE-HW. Finally, we discuss our implementation of VFE-HW using Intel Software Guard Extensions (Intel SGX).

    Generic Constructions of Secure-Channel Free Searchable Encryption with Adaptive Security

    For searching keywords against encrypted data, public key encryption with keyword search (PEKS) and an extension of it called secure-channel free PEKS (SCF-PEKS) have been proposed. In SCF-PEKS, a receiver makes a trapdoor for a keyword and uploads it to a server. A sender computes an encrypted keyword and sends it to the server. The server executes the search procedure (called the test algorithm, which takes as inputs an encrypted keyword, a trapdoor, and the secret key of the server). In this paper, we extend the security of SCF-PEKS, calling it adaptive SCF-PEKS, wherein an adversary (modeled as a "malicious-but-legitimate" receiver) is allowed to issue test queries adaptively, and show that adaptive SCF-PEKS can be generically constructed from anonymous identity-based encryption (anonymous IBE) only. That is, to construct adaptive SCF-PEKS we need no additional cryptographic primitive compared to the Abdalla et al. PEKS construction (J. Cryptology 2008), even though adaptive SCF-PEKS requires additional functionality. Note that our generic construction needs to apply the KEM/DEM framework (a.k.a. hybrid encryption), where KEM stands for key encapsulation mechanism and DEM stands for data encapsulation mechanism. We also show that there is a class of anonymous IBE that can be applied to construct adaptive SCF-PEKS without using hybrid encryption, and propose an adaptive SCF-PEKS construction based on this IBE. Although our second construction is not fully generic, it is more efficient than the first, since we can exclude the DEM part. Finally, we instantiate an adaptive SCF-PEKS scheme (via our second construction) that achieves a similar level of efficiency in the costs of the test procedure and encryption, compared to the (non-adaptively secure) SCF-PEKS scheme by Fang et al. (CANS 2009).

    Group Signatures with Message-Dependent Opening: Formal Definitions and Constructions

    This paper introduces a new capability for group signatures called message-dependent opening. It is intended to weaken the high trust placed in the opener: an ordinary group signature scheme provides no anonymity against the opener. In a group signature scheme with message-dependent opening (GS-MDO), in addition to the opener, we set up an admitter that is not able to extract any user's identity but permits the opener to open signatures by specifying messages; signatures on the specified messages can then be opened by the opener. The opener cannot extract the signer's identity from any signature whose corresponding message has not been specified by the admitter. This paper presents formal definitions of GS-MDO and proposes a generic construction from identity-based encryption and adaptive non-interactive zero-knowledge proofs. Moreover, we propose two specific constructions, one in the standard model and one in the random oracle model. Our scheme in the standard model is an instantiation of our generic construction, but its message-dependent opening property is bounded. In contrast, our scheme in the random oracle model is not a direct instantiation of our generic construction but is optimized for efficiency and achieves the unbounded message-dependent opening property. Furthermore, we demonstrate that GS-MDO implies identity-based encryption, showing that identity-based encryption is essential for designing GS-MDO schemes.

    A RAT Detection Method Based on Network Behavior of the Communication's Early Stage

    Self-healing wireless sensor networks

    Availability is very important for the long-term use of wireless sensor networks (WSNs) in the presence of an attacker. It is thus important to achieve secure communication in WSNs even if some sensor nodes are compromised. Self-healing WSNs have the feature that the network automatically self-heals after node-capture attacks in order to preserve availability. Self-healing means that the ratio of compromised links decreases with time, even if the attacker corrupts sensor nodes in the network. In this paper, three kinds of self-healing schemes for WSNs are described: a polynomial-based self-healing scheme, a simple random key pre-distribution scheme with self-healing, and a proactive co-operative link self-healing scheme. Our contributions are the self-healing schemes together with their security evaluation, in which we conduct an analytical evaluation and a simulation experiment of our schemes; the results obtained from both analysis and simulation indicate that our schemes are effective in self-healing. Furthermore, by comparing the three schemes, we clarify their differences and discuss the optimal scheme for each environment.

    Practical and Secure Recovery of Disk Encryption Key Using Smart Cards

    In key-recovery methods using smart cards, a user can recover the disk encryption key in cooperation with the system administrator, even if the user has lost the smart card containing the disk encryption key. However, in most key-recovery methods the disk encryption key is known to the system administrator in advance. Hence the user's disk data may be read by the system administrator. Furthermore, if the disk encryption key is not known to the system administrator in advance, it is difficult to achieve key authentication. In this paper, we propose a scheme that enables recovery of the disk encryption key when the user's smart card is lost. In our scheme, the disk encryption key is not preserved anywhere, so the system administrator cannot know the key before the key-recovery phase. Only someone who has the user's smart card and knows the user's password can decrypt that user's disk data. Furthermore, we measured the processing time required for user authentication in an experimental environment using a virtual machine monitor. As a result, we found that this processing time is short enough to be practical.

    An anonymous auction protocol with a single non-trusted center using binary trees

    Several electronic auction protocols have been proposed [2, 3, 4, 5, 6, 8, 11, 12]. An electronic auction protocol should satisfy the following seven properties: (a) fairness of bidders; (b) security of bids; (c) anonymity; (d) validity of winning bids; (e) non-repudiation; (f) robustness; and (g) efficient bidding points. As for anonymity, previous protocols assume some entities, such as a dealer or plural centers, to be trusted. In this paper, anonymity is realized without a trusted center while keeping both computational and round complexity low. Furthermore, we represent a bid efficiently by using binary trees: for 2^k bidding points, the size of the representation of a bid is just k. Previous works investigating sealed-bid auctions aim at "efficiency" but not the "entertainment" seen in English auctions [2, 4, 5, 6, 11, 12]. We introduce a new idea of entertainment to the opening phase by decreasing the winner candidates little by little. Our protocol has the following three main features in addition to the above seven properties: perfect anonymity (a single non-trusted center), efficient bidding points, and entertainment.
    Information security: third international workshop, ISW 2000, Wollongong, Australia, December 20-21, 2000: proceedings / Josef Pieprzyk, Eiji Okamoto, Jennifer Seberry (eds.)