    Policy-Based Sanitizable Signatures

    Sanitizable signatures are a variant of signatures which allow a single, signer-defined sanitizer to modify signed messages in a controlled way without invalidating the respective signature. They turned out to be a versatile primitive, proven by different variants and extensions, e.g., allowing multiple sanitizers or adding new sanitizers one-by-one. However, existing constructions are very restricted regarding their flexibility in specifying potential sanitizers. We propose a different and more powerful approach: instead of using sanitizers' public keys directly, we assign attributes to them. Sanitizing is then based on policies, i.e., access structures defined over attributes. A sanitizer can sanitize if, and only if, it holds a secret key to attributes satisfying the policy associated with a signature, while offering full-scale accountability.

    Generic construction of certificateless encryption

    As the Internet becomes an indispensable element of modern life, PKC (Public Key Cryptography) is gaining considerable attention because it can assure the security requirements of many applications. To guarantee the authenticity of public keys, traditional PKC requires certificates to be signed by a CA (Certification Authority). However, the management of infrastructure supporting certificates is the main complaint against traditional PKC. While identity-based PKC can eliminate this cumbersome infrastructure, the key escrow of a user's private key is inherent in identity-based PKC. Recently, a new PKC paradigm called certificateless PKC was introduced. Certificateless PKC eliminates the need for unwieldy certificates and retains the desirable properties of identity-based PKC without the inherent key escrow problem. In this paper, we provide a generic secure construction of certificateless encryption. While previous schemes are based on the algebraic properties of bilinear mappings, our construction is built from general primitives. This result shows that certificateless encryption can be constructed in a more general way.

    Identity-based cryptography in public key management

    To guarantee the authenticity of public keys, traditional PKC (Public Key Cryptography) requires certificates signed by a CA (Certification Authority). However, the management of infrastructure supporting certificates is the main complaint against traditional PKC. While identity-based PKC can eliminate this cumbersome infrastructure, the key escrow of a user's private key is inherent in identity-based PKC. Recently, new PKC paradigms were introduced: certificate-less PKC and certificate-based PKC. They retain the desirable properties of identity-based PKC without the inherent key escrow problem. A certificate-less cryptosystem eliminates the need for unwieldy certificates, and a certificate-based cryptosystem simplifies the public key revocation problem. In this paper, we present an equivalence theorem among identity-based encryption, certificate-less encryption, and certificate-based encryption. We demonstrate that the three paradigms are essentially equivalent.

    Cryptanalysis of Yeh-Shen-Hwang's one-time password authentication scheme

    Yeh, Shen, and Hwang recently proposed a secure one-time password authentication scheme using smart cards. They modified the famous S/KEY scheme to achieve security against preplay attacks and off-line dictionary attacks. However, this article shows that their scheme is vulnerable to preplay attacks.

    A distributed Online certificate status protocol based on GQ signature scheme

    OCSP (Online Certificate Status Protocol) is the most popular mechanism for providing the real-time status of a certificate in a PKI (Public Key Infrastructure). A major drawback of OCSP is the heavy load placed on the CA (Certification Authority). Traditional D-OCSP (Distributed OCSP) can relieve the burden of the CA, but it increases the client's load. To solve this problem, D-OCSP-KIS (Distributed OCSP based on Key-Insulated Signature) was recently introduced. While multiple responders designated by the CA have different private keys, only a single public key is used in D-OCSP-KIS to reduce the client's load. However, the length of the single public key is proportional to the number of responders. Hence, we propose D-OCSP-IBS (Distributed OCSP based on Identity-Based Signature), where the length of the single public key is constant and short. To give a concrete example, we present a D-OCSP-IBS system based on the GQ (Guillou-Quisquater) signature scheme and discuss the advantages of D-OCSP-IBS.

    Efficient key updating signature schemes based on IBS

    To mitigate the damage of secret key exposure, key updating signature schemes can be used, such as key-insulated signature schemes and intrusion-resilient signature schemes. We propose efficient key updating signature schemes based on a secure identity-based signature (IBS) scheme. KUS-SKI is a strong (N - 1, N) key-insulated signature scheme with random-access key updates, and KUS-IR is a Type (1) intrusion-resilient signature scheme. We also provide an equivalence theorem between a secure identity-based signature scheme and a strong (N - 1, N) key-insulated signature scheme with random-access key updates.

    Efficient fair exchange from identity-based signature

    A fair exchange scheme is a protocol by which two parties, Alice and Bob, exchange items or services without allowing either party to gain an advantage by quitting prematurely or otherwise misbehaving. To this end, modern cryptographic solutions use a semi-trusted arbitrator who is involved only in cases where one party attempts to cheat or simply crashes. We call such a fair exchange scheme optimistic. When no registration is required between the signer and the arbitrator, we say that the fair exchange scheme is setup-free. To date, a setup-free optimistic fair exchange scheme under the standard RSA assumption was only possible from the generic construction of [12], which uses ring signatures. In this paper, we introduce a new setup-free optimistic fair exchange scheme under the standard RSA assumption. Our scheme uses the GQ identity-based signature and is more efficient than [12]. The construction can also be generalized by using various identity-based signature schemes. Our main technique is to allow each user to choose his (or her) own "random" public key in the identity-based signature scheme.

    Generic construction of certificateless signature

    To provide the binding between a user and his public key, traditional digital signature schemes use certificates that are signed by a trusted third party. While Shamir's identity-based signature scheme can dispense with certificates, the key escrow of a user's private key is inherent in the identity-based signature scheme. In Asiacrypt 2003, a new digital signature paradigm called the certificateless signature was introduced. The certificateless signature eliminates the need for certificates and does not suffer from the inherent key escrow problem. In this paper, we provide a generic secure construction of a certificateless signature. We also present an extended construction whose trust level is the same as that of a traditional public key signature scheme.

    Sanitizable Signatures Reconsidered

    A sanitizable signature scheme allows a semi-trusted party, designated by a signer, to modify pre-determined parts of a signed message without interacting with the original signer. To date, many sanitizable signature schemes have been proposed based on various cryptographic techniques. However, previous works are usually built upon the paradigm of dividing a message into submessages and applying a cryptographic primitive to each submessage. This methodology entails computation time (and often signature length) in linear proportion to the number of sanitizable submessages. We present a new approach to constructing sanitizable signatures with constant overhead for signing and verification, irrespective of the number of submessages, both in computational cost and in signature size.

    On the Average Cost of Order-Preserving Encryption Based on Hypergeometric Distribution

    Order-preserving encryption (OPE) is a deterministic encryption scheme whose encryption function preserves the numerical ordering of the plaintexts. The first provably-secure OPE scheme was constructed by Boldyreva, Chenette, Lee, and O'Neill. The BCLO scheme is based on a sampling algorithm for the hypergeometric distribution and is known to call the sampling algorithm at most 5 log M + 12 times on average, where M is the size of the plaintext-space. We show that the BCLO scheme actually calls the sampling algorithm less than log M + 3 times on average. (C) 2011 Elsevier B.V. All rights reserved.